[Apologies if this arrives twice; I sent it yesterday but I didn't get a copy back from the list, nor is there a copy at www.mail-archive.com.]
I have a slightly unusual access control requirement which I'd appreciate some advice on.

In our directory there are a bunch of per-project subtrees:

  ou=project1,ou=projects,...
  ou=project2,ou=projects,...

I've been controlling write access to the subtrees like this:

  access to dn.regex="ou=([^,]+),ou=projects,..."
      by group.expand="cn=administrators,ou=$1,ou=projects,..." write
      by * read

where cn=administrators is a groupOfNames. This works well.

Now I've been asked to implement the following additional behaviour:

If a cn=readers groupOfNames entry is present, allow read-only access to those DNs, allow write access to DNs in cn=administrators, and disallow access to everyone else. But if there is NO cn=readers entry, allow read access to anyone.

The first part is a simple extension of what I've already got. But how can I implement the different behaviour with no cn=readers entry?

I'm using OpenLDAP 2.2 with the bdb backend. I'm happy to upgrade to 2.3 if necessary.

Thanks in advance.

Dave
-- 
** Dave Holland ** Systems Support -- Special Projects Team **
** 01223 496923 ** Sanger Institute, Hinxton, Cambridge, UK **
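One way to express the requested behaviour in slapd.conf, added here as an illustration by the editor and not part of the original post or of OpenLDAP's own documentation. It assumes OpenLDAP 2.3, where the set.expand style is documented, and uses the hypothetical suffix dc=example,dc=com in place of the "..." in the post. The existence test relies on ACL sets: a set built from a DN literal followed by /objectClass is non-empty only when that entry exists, and a by clause whose set is empty simply does not match, so evaluation falls through to the next clause. That behaviour, and the ordering below, should be confirmed against the target server with slapacl before it is relied on.

```conf
# Hypothetical suffix dc=example,dc=com stands in for the "..." in the post.
# Match every entry in any per-project subtree and capture the project ou
# as $1 so the group.expand and set.expand patterns can refer to it.
# Clauses are evaluated in order; the first one that matches decides.
access to dn.regex="ou=([^,]+),ou=projects,dc=example,dc=com$"
    # Members of the project's cn=administrators groupOfNames may write.
    by group.expand="cn=administrators,ou=$1,ou=projects,dc=example,dc=com" write
    # Members of the project's cn=readers groupOfNames (if it exists) may read.
    by group.expand="cn=readers,ou=$1,ou=projects,dc=example,dc=com" read
    # Existence test (assumption, see lead-in): the set is the objectClass
    # values of the cn=readers entry. It is non-empty only when that entry
    # exists, so anyone who reaches this clause while cn=readers exists is in
    # neither group and is denied. If cn=readers does not exist the set is
    # empty, this clause does not match, and evaluation falls through.
    by set.expand="[cn=readers,ou=$1,ou=projects,dc=example,dc=com]/objectClass" none
    # No cn=readers entry for this project: everyone may read.
    by * read
```

Because the deny clause sits after the two group clauses, administrators and readers are never caught by it; because it sits before `by * read`, the open-read fallback is reached only when the readers entry is absent. Note that the regex is anchored with `$` but not `^`, so it covers the whole project subtree rather than just the ou=projectN entry itself, matching the scope of the original rule.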
