Dear sir,

The ACI in Fedora Directory Server can be used to control only search/read/write operations, but not the BIND operation. This limitation leads to certain deficiencies, as described below.

Suppose that, for an application that uses LDAP for authentication verification, we want to specify that only UIDs belonging to a certain group can authenticate, rather than the entire spectrum of UIDs. There is no way to code this in an ACI. This is because the application can simply do a BIND operation with a UID belonging to any group and the corresponding password, and get authenticated. So even though I make groups, I am unable to enforce authentication control.

May I request you to provide BIND control using ACI in a future Directory Server release?

Regards,
murthy
389-devel@lists.fedoraproject.org