dblouis

Reputation: 608

LDAP specific ACL for each user

I'm looking for a way to allow LDAP users to write into a branch that carries their name. For example, I want each of the users A, B, C to be allowed to write into cn=A,ou=foo, cn=B,ou=foo, cn=C,ou=foo, ... Is there a way to do that without writing it out explicitly?

Not like that:

access to dn.subtree="cn=A,ou=foo"
  by dn.exact="uid=A,ou=people" write
access to dn.subtree="cn=B,ou=foo"
  by dn.exact="uid=B,ou=people" write
...

With a regex maybe?

Upvotes: 1

Views: 1283

Answers (3)

dblouis

Reputation: 608

Something like this will work:

olcAccess: to dn.regex=".+,cn=([^,]+),ou=foo$"
  by dn.exact,expand="uid=$1,ou=people" write
  by users read
  by * none

Each user will have write access to a branch with their name in ou=foo.

Upvotes: 2
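To check what the regex rule above actually grants before loading it into slapd, here is an added Python model (my code, not OpenLDAP's evaluator and not part of the answer) of this one ACL: it applies the dn.regex <what> clause, expands $N in the <who> clause, and walks the by-clauses in order. The BRANCH_TOO_RULE variant, its regex and the sample DNs are my assumptions, and DN comparison is plain string equality where slapd compares normalised DNs.

```python
import re
from typing import Optional

# Constructed, simplified model of a slapd ACL with a dn.regex <what> clause and a
# "dn.exact,expand" <who> clause. Not OpenLDAP's code: no DN normalisation, no
# attribute-level rules, no ACL list beyond this single rule.
ANSWER_RULE = {                       # the rule exactly as written in the answer
    "target": r".+,cn=([^,]+),ou=foo$",
    "who_expand": "uid=$1,ou=people",
}
BRANCH_TOO_RULE = {                   # assumed variant: also covers cn=A,ou=foo itself
    "target": r"^(.+,)?cn=([^,]+),ou=foo$",
    "who_expand": "uid=$2,ou=people",
}

def expand(template: str, m) -> str:
    """Replace $1..$9 in the <who> template with the regex capture groups."""
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", template)

def access_level(rule: dict, bind_dn: Optional[str], target_dn: str) -> Optional[str]:
    """Access this rule grants bind_dn on target_dn; None if the <what> clause
    does not match and slapd would move on to the next ACL. bind_dn None = anonymous."""
    m = re.search(rule["target"], target_dn)
    if m is None:
        return None
    # <who> clauses are tried in order; the first one that matches decides.
    if bind_dn is not None and bind_dn == expand(rule["who_expand"], m):
        return "write"                # by dn.exact,expand="uid=$1,ou=people" write
    if bind_dn is not None:
        return "read"                 # by users read
    return "none"                     # by * none

if __name__ == "__main__":
    # Constructed sample DNs: an entry below A's branch, and the branch entry itself.
    for bind in ("uid=A,ou=people", "uid=B,ou=people", None):
        for target in ("cn=x,cn=A,ou=foo", "cn=A,ou=foo"):
            print(f"{bind!s:18} {target:18} answer={access_level(ANSWER_RULE, bind, target)!s:6} "
                  f"variant={access_level(BRANCH_TOO_RULE, bind, target)}")
```

Because the answer's regex starts with `.+,`, it matches entries below cn=A,ou=foo but not that entry itself, so the rule never applies to the branch node; the variant shows one way to include it.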

nverkland

Reputation: 87

I got it working.

Directory Schema:

   -dc=myorg,dc=com
      -ou=nonprod
         -ou=hostdefinitions
      -ou=people
         -cn=user1
         -cn=user2
      -ou=prod
         -ou=hostdefinitions

Users:

cn=user2
gidNumber=235
homeDirectory=/home/user2
uid=user2
uidNumber=235
userPassword={SSHA hashed password}
cn=user2,ou=People,dc=myorg,dc=com
objectClass=account,extensibleObject,posixAccount,shadowAccount,top

cn=user1
gidNumber=234
homeDirectory=/home/user1
uid=user1
uidNumber=234
userPassword={SSHA hashed password}
cn=user1,ou=People,dc=myorg,dc=com
objectClass=account,extensibleObject,posixAccount,shadowAccount,top

ACLs:

access to dn.subtree="ou=nonprod,dc=myorg,dc=com"
    by dn.exact="cn=user1,ou=People,dc=myorg,dc=com" manage
    by dn.exact="cn=user2,ou=People,dc=myorg,dc=com" none

access to dn.subtree="ou=prod,dc=myorg,dc=com"
    by dn.exact="cn=user1,ou=People,dc=myorg,dc=com" none
    by dn.exact="cn=user2,ou=People,dc=myorg,dc=com" manage

access to dn.base="" by * read
access to dn.base="cn=subschema" by * read

access to *
    by self write
    by anonymous auth

Upvotes: 0

user207421

Reputation: 310980

You don't need to specify this for every user. You just need

access to * by self write

Upvotes: 0
