Hi,
Is it possible to create ACI which allows any change to subtree under
bind DN? Here is an example:
ou=UnitA, dc=example, dc=com
    uid=adminA, ou=UnitA, dc=example, dc=com (member of Admin group)
    uid=userA1, ou=UnitA, dc=example, dc=com
    uid=userA2, ou=UnitA, dc=example, dc=com
    uid=userA3, ou=UnitA, dc=example, dc=com
ou=UnitB, dc=example, dc=com
    uid=adminB, ou=UnitB, dc=example, dc=com (member of Admin group)
    uid=userB1, ou=UnitB, dc=example, dc=com
The idea is that an admin could change anything (modify/add/remove
attributes) under his 'ou', i.e. adminA has full access to all DNs
under ou=UnitA, dc=example, dc=com but no access to ou=UnitB.
I tried the following ACI:
(target="ldap:///($dn)") (targetattr = "*")
(version 3.0; acl "Administrator access"; allow (all)
roledn="ldap:///cn=Administrator,dc=example,dc=com";)
But adminA could change anything under ou=UnitB. Any ideas how to
fix/change the ACI?
PS. Please CC me because I'm not on the list.
Thanks,
--
Ondrej Ivanic
(ondrej.ivanic(a)gmail.com)
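A macro ACI that scopes each unit admin to his own ou, as an added example that is not part of the original post. It assumes 389 Directory Server / Sun DS macro ACI semantics (($dn) in the target, [$dn] in the subject), that "Admin group" is the role cn=Administrator,dc=example,dc=com used above, and that the aci attribute is stored on dc=example,dc=com.

```ldif
# Added example, not from the original post. Assumes 389 DS / Sun DS
# macro ACI evaluation and that this aci lives on dc=example,dc=com.
#
# How it evaluates for a write to uid=userB1,ou=UnitB,dc=example,dc=com:
#   ($dn) in the target matches "uid=userB1,ou=UnitB"
#   [$dn] in the subject is tried with that value, then with the
#   leftmost RDN stripped, i.e. "ou=UnitB", giving
#   uid=*,ou=UnitB,dc=example,dc=com
#   adminA is under ou=UnitA, so the subject never matches and the
#   write is denied; adminB matches and is allowed.
# The "and roledn" clause keeps the existing requirement that the
# bind DN also hold the Administrator role.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///($dn),dc=example,dc=com")
 (targetattr="*")
 (version 3.0; acl "Unit administrator access"; allow (all)
 userdn="ldap:///uid=*,[$dn],dc=example,dc=com"
 and roledn="ldap:///cn=Administrator,dc=example,dc=com";)
```

If the Admin group is a static group rather than a role, replace the roledn clause with the corresponding groupdn clause; the [$dn] scoping is what keeps adminA out of ou=UnitB either way.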