Marc Boorshtein wrote:

Sure, let's say you have the below ACI which limits the addition of entries based on a group (it's been a while since I've worked with these, so forgive me if the syntax is a bit off):


dn: dc=mydomain,dc=com
subTreeACI: allow#a,m#group:cn=my dynamicgroup,ou=groups,dc=mydomain,dc=com

then you would have a group:

dn: cn=my dynamicgroup,ou=groups,dc=mydomain,dc=com
objectClass: groupOfUrls
memberURL: ldap:///dc=mydomain,dc=com??sub?(someAttrb=someVal)

The combination of the ACI and the dynamic group definition would in effect let you limit the permissions based on an attribute value.

I see, thanks Marc for this example.

Alex
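
The following is an added example, not part of the original messages or of any directory server's code: it sketches how the memberURL quoted above decides dynamic group membership (base DN, scope, filter), which is the check the ACI's group clause then relies on. The function names and the sample entries are assumptions, and only a single equality filter is handled.

```python
import re
from urllib.parse import unquote

def parse_member_url(url):
    """Split an LDAP URL (RFC 4516: ldap://host/dn?attrs?scope?filter)."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an LDAP URL: %r" % url)
    _host, _, rest = url[len("ldap://"):].partition("/")
    fields = rest.split("?") + [""] * 4
    base, _attrs, scope, flt = (unquote(f) for f in fields[:4])
    return base, (scope or "base").lower(), flt or "(objectClass=*)"

def _rdns(dn):
    # Simplified DN comparison: assumes no escaped commas in RDN values.
    return [r.strip().lower() for r in dn.split(",") if r.strip()]

def in_scope(entry_dn, base, scope):
    entry, root = _rdns(entry_dn), _rdns(base)
    if len(entry) < len(root) or entry[len(entry) - len(root):] != root:
        return False
    depth = len(entry) - len(root)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

_EQUALITY = re.compile(r"^\(([A-Za-z][A-Za-z0-9;.-]*)=([^()*\\]+)\)$")

def matches_filter(attrs, flt):
    # Fail closed: any filter other than one equality test is rejected.
    m = _EQUALITY.match(flt)
    if not m:
        raise ValueError("unsupported filter: %r" % flt)
    name, want = m.group(1).lower(), m.group(2).lower()
    have = {k.lower(): v for k, v in attrs.items()}.get(name, [])
    return any(v.lower() == want for v in have)

def is_dynamic_member(entry_dn, attrs, member_url):
    base, scope, flt = parse_member_url(member_url)
    return in_scope(entry_dn, base, scope) and matches_filter(attrs, flt)

# memberURL from the message above, plus its percent-encoded form.
MEMBER_URL = "ldap:///dc=mydomain,dc=com??sub?(someAttrb=someVal)"
MEMBER_URL_ENCODED = "ldap:///dc=mydomain,dc=com??sub?%28someAttrb=someVal%29"
# Constructed sample entries (not from the original message).
ALICE = ("uid=alice,ou=people,dc=mydomain,dc=com", {"someAttrb": ["someVal"]})
BOB = ("uid=bob,ou=people,dc=mydomain,dc=com", {"someAttrb": ["other"]})
CAROL = ("uid=carol,dc=elsewhere,dc=com", {"someAttrb": ["someVal"]})

if __name__ == "__main__":
    for dn, attrs in (ALICE, BOB, CAROL):
        print(dn, is_dynamic_member(dn, attrs, MEMBER_URL))
```

Because membership follows the attribute value, write access to someAttrb is effectively write access to the group, so that attribute needs its own access control.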
