Jaap Winius <[email protected]> writes:

> Quoting Dieter Kluenter <[email protected]>:
[...]
>
> This works for a user with attr title=telephonemanager. However, to
> demonstrate the flexibility of this set rule...
>
> access to attrs=telephoneNumber
>     by set="user/description & [telephonemanager]" write
>     by users read
>
> ... this works for a user with attr description=telephonemanager!
>
> This is cool regardless, but I think my NIU-friend would say that it's
> cool because this set rule allows you to give users telephonemanager
> privileges without the need to maintain a telephonemanager group.
>
> Actually, I think this solution can be improved upon significantly.
> For example, what if our privileged user had this attribute:
>
> description: titlemanager telephonemanager addressmanager

This is a single value, you actually want a multi valued attribute type.

> Can a set rule be devised to match not only users with a description
> value that equals "telephonemanager", but also one that includes it in
> a longer string? We would need something like:
>
> access to attrs=telephoneNumber
>     by set="user/description & [*telephonemanager*]" write
>     by users read
>
> Only, that doesn't work.
>
> Is this possible?

Did you define an index for description? But still I don't think this
could work, although I have never tested this.

-Dieter

--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N 10°08'02,42"E
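
Added example, not part of the original message and not OpenLDAP code: a small Python model of the set clause discussed in the thread, contrasting the single-valued description with a multi-valued one. It assumes the "&" operator intersects whole attribute values by exact string comparison and that [..] is a literal with no wildcard expansion; the entries, function names and rule constants are constructed for illustration.

```python
# Simplified model of an ACL clause of the form  user/<attr> & [<literal>]
# Assumption: '&' is a set intersection over whole attribute values, and the
# bracketed operand is a plain literal string ('*' has no special meaning).

def parse_clause(expr):
    """Split 'user/<attr> & [<literal>]' into (attr, literal)."""
    left, sep, right = (part.strip() for part in expr.partition("&"))
    if sep != "&" or not left.startswith("user/"):
        raise ValueError("unsupported set expression: %r" % expr)
    if not (right.startswith("[") and right.endswith("]")):
        raise ValueError("right operand must be a [literal]")
    return left[len("user/"):], right[1:-1]


def set_grants(expr, user_entry):
    """Return True when the intersection of the two sets is non-empty."""
    attr, literal = parse_clause(expr)
    user_values = set(user_entry.get(attr, []))  # every value of the attribute
    return bool(user_values & {literal})         # whole-value match only


# Constructed entries: one long value versus three separate values.
SINGLE_VALUED = {
    "description": ["titlemanager telephonemanager addressmanager"],
}
MULTI_VALUED = {
    "description": ["titlemanager", "telephonemanager", "addressmanager"],
}

RULE = "user/description & [telephonemanager]"
WILDCARD_RULE = "user/description & [*telephonemanager*]"

if __name__ == "__main__":
    for name, entry in (("single", SINGLE_VALUED), ("multi", MULTI_VALUED)):
        for rule in (RULE, WILDCARD_RULE):
            print(name, rule, "->", set_grants(rule, entry))
```
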
