Hi,

My server has a structure like:

o=isp
  o=domain1,o=isp
    uid=user1,o=domain1,o=isp
    uid=user2,o=domain1,o=isp
    uid=user3,o=domain1,o=isp
    uid=user4,o=domain1,o=isp
  o=domain2,o=isp
    uid=user1,o=domain2,o=isp
    uid=user2,o=domain2,o=isp
    uid=user3,o=domain2,o=isp
    uid=user4,o=domain2,o=isp

Each domain has an attribute "administrator" (taken from phpQLAdmin; I am using LDAP for qmail-ldap) which holds the full DN of a uid. For example, say the administrator of o=domain1,o=isp is uid=user1,o=domain1,o=isp, and that of o=domain2,o=isp is uid=user1,o=domain2,o=isp.

Now when I bind as uid=user1,o=domain1,o=isp I must have full write permission for domain1 and all users under it, and if I bind as uid=user1,o=domain2,o=isp I must have write access to domain2, and so on.

I am looking for a minimum ACI that can do this, preferably one that is applied at o=isp. I have played with aci and userattr, but it seems it's not working. The one I tried is:

aci: (target="ldap:///o=*,o=isp")(targetattr=*)(version 3.0;acl "manager-write"; allow (all) userattr = "administrator#USERDN";)

I have taken this from the examples in the docs, but it is not working as expected.

Thanks for your help,
regards,
raj
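An added example, not part of raj's post and not a reply from the list. It assumes the server is a Netscape-derived Directory Server (Netscape/Sun ONE/Fedora/389 DS), which is the family whose "(version 3.0; acl ...)" ACI syntax the post uses, and that the installed version supports the "parent[...]" inheritance form of userattr documented for that family. The reason a bare "administrator#USERDN" rule is not enough is that userattr is evaluated against the entry being accessed: it matches only entries that themselves carry administrator = <bind DN>, i.e. the o=domainN entries, never the uid entries underneath them, which have no administrator attribute. The inheritance form tells the server to also look for the attribute on the entry's ancestors (level 0 is the entry itself, level 1 its parent), so the rule reaches the users. Placed on o=isp with no target clause, the ACI applies to the whole subtree; o=isp has no administrator attribute, so nobody gains rights on it. The targetattr exclusion is a caveat a practitioner would want: with (targetattr="*") and allow (all), a domain administrator could edit the aci attribute or the administrator attribute on their own entries and widen their own access, so those two are kept out of the grant. The attribute name "administrator" and the ACI name "domain-admin-write" are taken from the post or chosen here, not from any product.

```ldif
# Constructed example for ldapmodify: add one ACI on o=isp.
# Apply with: ldapmodify -x -D "cn=Directory Manager" -W -f domain-admin.ldif
dn: o=isp
changetype: modify
add: aci
aci: (targetattr != "aci || administrator")(version 3.0; acl "domain-admin-write"; allow (all) userattr = "parent[0,1].administrator#USERDN";)
```

With this in place, binding as uid=user1,o=domain1,o=isp grants all rights on o=domain1,o=isp (level 0: the entry's own administrator attribute matches the bind DN) and on every uid=...,o=domain1,o=isp entry (level 1: the parent's administrator attribute matches), while entries under o=domain2,o=isp stay out of reach because their parent's administrator value is a different DN. If you later nest entries deeper than one level under a domain, extend the level list (for example "parent[0,1,2]") to match; and if your version rejects the "parent[...]" syntax, the fallback is one ACI per domain on each o=domainN entry using a plain userdn rule, which is the non-minimal solution the post is trying to avoid.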