On 02/06/2014 11:23 AM, Jan Tomasek wrote:
I need a user to be able to add a subentry below his own entry.
In this structure:
dc=cz
  ou=People
    uid=test1
      dc=123 ??
    uid=test2
How do I write an ACI so that test1 can add only under his own entry? Sadly,
(target = "ldap:///self") is not permitted.
Any idea how to write an ACI at the level of ou=People?
I have found a solution:
(targetfilter = "(&(objectclass=appPassword)(!(objectClass=inetOrgPerson)))")
(version 3.0;acl "appPassword parrent (add, delete)";allow (add,delete)
(userdn = "ldap:///parent");)
and one more to hide added entries from everyone except the parent:
(targetattr = "*")(targetfilter = "(objectclass=appPassword)")
(version 3.0;acl "appPassword hide except parent";deny (all)
(userdn ="ldap:///anyone" and not userdn = "ldap:///parent");)
:)
--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
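
The combined effect of the two ACIs above, as an added Python sketch that is not part of the original post and not any directory server's code. It assumes that deny takes precedence over allow and that access is refused when no allow matches; the DNs, function names and the `other_allows` parameter are constructed for illustration.

```python
# Simplified model of the two ACIs placed at ou=People (illustration only).
# DN handling ignores escaped commas; all DNs below are constructed samples.

def parent_dn(dn):
    """Return the DN one level up: dc=123,uid=test1,... -> uid=test1,..."""
    return dn.split(",", 1)[1] if "," in dn else ""

def is_parent(bind_dn, target_dn):
    """userdn = "ldap:///parent": the bind DN is the direct parent of the target."""
    return bool(bind_dn) and bind_dn.lower() == parent_dn(target_dn).lower()

def allow_add_delete(bind_dn, target_dn, ocs, right):
    """First ACI: appPassword but not inetOrgPerson; allow (add,delete) to parent."""
    in_target = "apppassword" in ocs and "inetorgperson" not in ocs
    return in_target and right in {"add", "delete"} and is_parent(bind_dn, target_dn)

def deny_all(bind_dn, target_dn, ocs):
    """Second ACI: any appPassword entry; deny (all) to everyone but the parent."""
    return "apppassword" in ocs and not is_parent(bind_dn, target_dn)

def decide(bind_dn, target_dn, object_classes, right, other_allows=()):
    """Deny wins over allow; without a matching allow the answer is no access.
    other_allows stands in for rights granted to this bind DN by ACIs defined
    elsewhere in the tree (assumption, not something shown in the post)."""
    ocs = {oc.lower() for oc in object_classes}
    if deny_all(bind_dn, target_dn, ocs):
        return False
    return allow_add_delete(bind_dn, target_dn, ocs, right) or right in other_allows

TEST1 = "uid=test1,ou=People,dc=cz"
TEST2 = "uid=test2,ou=People,dc=cz"
CHILD = "dc=123," + TEST1  # the subentry test1 wants to create

if __name__ == "__main__":
    cases = [
        ("test1 adds under own entry", TEST1, CHILD, {"appPassword"}, "add", ()),
        ("test1 adds under test2", TEST1, "dc=123," + TEST2, {"appPassword"}, "add", ()),
        ("test1 adds a person entry", TEST1, CHILD, {"appPassword", "inetOrgPerson"}, "add", ()),
        ("test1 reads own subentry", TEST1, CHILD, {"appPassword"}, "read", ()),
        ("test2 reads it via another allow", TEST2, CHILD, {"appPassword"}, "read", ("read",)),
    ]
    for label, bind, target, ocs, right, extra in cases:
        print(f"{label}: {'allowed' if decide(bind, target, ocs, right, extra) else 'denied'}")
```

In this model the parent can add and delete the subentry but cannot read it unless some other ACI grants read, because the second ACI only removes access and never grants it.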