Re: ACL and multiple mandatory conditions

[Howard Chu <hyc@symas.com>]

Emmanuel Dreyfus wrote:
> Hello
>
> The goal is to give access to a ressource based on two mandatory
> conditions.
>
> I want user DN to match a rule, and attribute value to match another
> rule, which depends on the user
>
> This yields me two rules. The first one allow a user that has a given ou
> in ouManager set to modify the authorizedService in this ou. I did not
> test the second one yet, but the idea is that the user has a
> serviceManager attribute telling which value of authorizedService he is
> allowed to set.
>
> access to dn.regex="^uid=.+,ou=.+,o=home$" attrs=authorizedService
>      by set.exact="user/ouManager&  this/-1" write stop
>
> access to attrs.regex=authorizedService val.regex="(.*)"
>      by set="user/serviceManager&  ${v1}" write stop
>
> But I need to perform a AND between the two rules. How can that be done?
Concatenate the terms in the sets.

access to dn.regex="^uid=.+,ou=.+,o=home$"
	 attrs=authorizedService val.regex=(.*)
	by set.expand="(user/ouManager + user/serviceManager) &
		(this/-1 + ${v1})" write

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/