> HI! > > Is it possible to specify the <what> clause in an ACL with a set?
No. > We have several applications and for each application there's a specific > AUXILIARY object class for application-specific user attributes. > > So for each application I add ACLs like this: > > access to > dn.onelevel="ou=Users,dc=example,dc=org" > attrs=@app1User > by dn.subtree="cn=app1,ou=Systems,dc=example,dc=org" read > by * break > > Obviously I'd like to have one ACL which references an attribute > specifying > the auxiliary object class in the app's system entry. Is that possible? I'm not sure I understand your question: is it that you would like to have something like attrs=<attr> with <attr> depending on the contents of the entry, or of another entry resulting from the evaluation of some expression? p.