<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=windows-1256"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
text-align:right;
direction:rtl;
unicode-bidi:embed;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0cm;
margin-bottom:.0001pt;
text-align:right;
direction:rtl;
unicode-bidi:embed;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
text-align:right;
direction:rtl;
unicode-bidi:embed;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>Dear <span style='color:#1F497D'>Dan</span> ,<span lang=AR-SA dir=RTL style='color:#1F497D'><o:p></o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span lang=AR-SA dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Please read this :<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>we need to run multi domain ldap where each domain will have an admin group who can do everything and the user can change only passwords. We need to know how to write the ACL for such scenario. Each domain will be represented by O=domain and then we will have ou=people and we will have admin group under the groups. Each domain will have this structure.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span lang=AR-SA dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Best regards ,<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Husam <o:p></o:p></p><p class=MsoPlainText dir=RTL><span lang=AR-SA style='font-size:10.5pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] <b>On Behalf Of </b>Dan Lavu<br><b>Sent:</b> Thursday, July 18, 2013 3:31 AM<br><b>To:</b> 'General discussion list for the 389 Directory server project.'<br><b>Subject:</b> Re: [389-users] Manual & help step by step<o:p></o:p></span></p></div></div><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='color:#1F497D'>They are plenty of step by step instructions to do what you are trying to do. You can refer to the Red Hat documentation or the 389 documentation. <o:p></o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='color:#1F497D'><a href="http://directory.fedoraproject.org/wiki/Howto:SSL">http://directory.fedoraproject.org/wiki/Howto:SSL</a><o:p></o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='color:#1F497D'>Also it is normal for the CA certificate to show up in the server tab if you generated the CA certificate on the LDAP server, any certificate with the private key in the database will appear as a server certificate. For example when you export the CA and move it to a second server it will not show up in the server tab then.<o:p></o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='color:#1F497D'>In addition, when generating a CSR using the GUI (idm console) you must stick with it, because the CSR will create the key in the db. If you are pursuing the command line using certutil, you must convert the x509 certificates (three files usually, private, public and ca into pkcs12 format. <o:p></o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='color:#1F497D'>Here is a link to understand and configure ACIs. <o:p></o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='color:#1F497D'><a href="http://directory.fedoraproject.org/wiki/Howto:AccessControl">http://directory.fedoraproject.org/wiki/Howto:AccessControl</a><o:p></o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='color:#1F497D'>I hope this helps.<o:p></o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='color:#1F497D'>Dan<o:p></o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><b>From:</b> 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] <b>On Behalf Of </b>?????? - ????? -????? - ??????<br><b>Sent:</b> Wednesday, July 17, 2013 7:38 PM<br><b>To:</b> 389-users@lists.fedoraproject.org<br><b>Subject:</b> [389-users] Manual & help step by step<o:p></o:p></p></div></div><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>Dear friends,<o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>Anyone can help me ?<o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>I have install the directory , on centos <o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>I want to make certs and install it on the server <o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>I have tried many ways but all not working , one way with p12 , when uploading the certificates it's both appear in the server tab even the CA .<o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>The other way with openssl in this case I can't upload the certificate on server tab its only appear on the CA tab .<o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>Also I want some help setting Acyls <o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>Like I want to have many admins each one can control his group no access for the other groups <o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>Many thanks in advance .<o:p></o:p></p></div></body></html>