Rajkumar S wrote:
> Hi,
>
> My server has a structure like:
>
> o=isp
>   o=domain1,o=isp
>     uid=user1,o=domain1,o=isp
>     uid=user2,o=domain1,o=isp
>     uid=user3,o=domain1,o=isp
>     uid=user4,o=domain1,o=isp
>   o=domain2,o=isp
>     uid=user1,o=domain2,o=isp
>     uid=user2,o=domain2,o=isp
>     uid=user3,o=domain2,o=isp
>     uid=user4,o=domain2,o=isp
>
> Each domain has an attribute administrator (taken from phpQLAdmin, I
> am using ldap for qmail-ldap) which has the full dn of a uid. For example,
> say the administrator of o=domain1,o=isp is uid=user1,o=domain1,o=isp,
> and that of o=domain2,o=isp is uid=user1,o=domain2,o=isp.
>
> Now when I bind as uid=user1,o=domain1,o=isp I must have full write
> permission for domain1 and all users under it, and if I bind as
> uid=user1,o=domain2,o=isp I must have write access to domain2 and so on.
>
> I am looking for a minimum aci that can do this, preferably one that
> is applied at o=isp.

Try the Macro ACI feature - http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#1195760

> I have played with aci and userattr, but it seems it's not working. The
> one I tried is
>
> aci: (target="ldap:///o=*,o=isp")(targetattr=*) (version 3.0;acl "manager-write"; allow (all) userattr = "administrator#USERDN";)
>
> I have taken this from the examples in docs, but this is not working
> as expected.
>
> Thanks for your help,
>
> regards,
>
> raj
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
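The following is an added example, not part of the thread and not directory server code: a simplified Python model of how a `userattr = "administrator#USERDN"` bind rule is matched against the tree described in the question, including the documented `parent[0,1].` inheritance form of `userattr`. The function names and the in-memory directory are constructed for illustration; the `target` wildcard and the Macro ACI feature recommended in the reply are not modelled.

```python
# Simplified model of userattr "<attr>#USERDN" bind-rule matching (not server code).
# The directory is constructed from the layout in the question; DNs with
# escaped commas are not handled.
DIRECTORY = {
    "o=isp": {},
    "o=domain1,o=isp": {"administrator": ["uid=user1,o=domain1,o=isp"]},
    "uid=user1,o=domain1,o=isp": {},
    "uid=user2,o=domain1,o=isp": {},
    "o=domain2,o=isp": {"administrator": ["uid=user1,o=domain2,o=isp"]},
    "uid=user2,o=domain2,o=isp": {},
}

def normalize(dn):
    """Lower-case and strip spaces around RDNs so DNs compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def ancestor(dn, level):
    """Return the DN `level` steps above dn (0 = dn itself), or None."""
    parts = normalize(dn).split(",")
    return ",".join(parts[level:]) if level < len(parts) else None

def userattr_userdn_allows(bind_dn, target_dn, attr, levels=(0,)):
    """True if bind_dn is a value of `attr` on the target entry or on an
    ancestor at one of `levels` (levels=(0, 1) models parent[0,1].attr#USERDN)."""
    for level in levels:
        entry = DIRECTORY.get(ancestor(target_dn, level) or "", {})
        if normalize(bind_dn) in (normalize(v) for v in entry.get(attr, [])):
            return True
    return False

def report(bind_dn, levels):
    """Map each entry DN to whether the bind rule matches for bind_dn."""
    return {dn: userattr_userdn_allows(bind_dn, dn, "administrator", levels)
            for dn in DIRECTORY}

if __name__ == "__main__":
    admin1 = "uid=user1,o=domain1,o=isp"
    for levels in [(0,), (0, 1)]:
        print("levels", levels)
        for dn, ok in report(admin1, levels).items():
            print(f"  {'allow' if ok else 'deny':5} {dn}")
```

In this model the attribute is looked up on the entry being accessed, so with level 0 only the domain entries themselves match; the user entries match only when the parent level is also consulted.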