I have set up a directory structure as follows:

ou=Domains,dc=example,dc=net
  o=hostedDomain1.com
    mail=user1 at hostedDomain1.com
    mail=user2 at hostedDomain1.com
    mail=user3 at hostedDomain1.com
  o=hostedDomain2.net
    mail=user1 at hostedDomain2.net
    mail=user2 at hostedDomain2.net
    mail=user3 at hostedDomain2.net
  o=hostedDomain3.com
  ...

I would like to allow any mail user to only read the attributes of the users within their domain. For example, user1 at hostedDomain1.com can see user2 at hostedDomain1.com, but not user2 at hostedDomain2.net. I am not allowing anonymous access.

I have allowed access to the Domains OU with this aci entry (placed on the Domains OU):

aci: (targetattr=*)(targetfilter=(ou=Domains))
 (version 3.0;acl "Allow read access to Domains OU";allow (read,search)
 (userdn="ldap:///mail=*,o=*,ou=Domains,dc=example,dc=net");)

I have placed the following macro aci on the Domains OU without success:

aci: (targetattr!="userPassword")
 (target="ldap:///($dn),ou=Domains,dc=example,dc=net")
 (version 3.0;acl "Allow read access to Domain members";allow (read,search)
 (userdn="ldap:///mail=*,($dn),ou=Domains,dc=example,dc=net");)

As I understand it, the second aci should allow read and search access to domain ($dn) and all entries below it. However, the behavior that I'm seeing is that the user can only see down to the domain with no access to the sub-entries. In other words, user1 at hostedDomain1.com can see o=hostedDomain1.com,ou=Domains,dc=example,dc=net, but cannot see anything below.

Am I missing something? How can I get this to work properly?

Thanks in advance.
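To see why the macro rule stops at the domain entry, here is an added Python model of macro ACI substitution (not code from the post or from the directory server); it assumes the documented 389/Red Hat DS semantics that ($dn) in the target captures the matching RDNs and is substituted verbatim into userdn, while [$dn] is retried with the leftmost RDN dropped each time, and it takes the munged addresses as user1@hostedDomain1.com etc.

```python
import re

SUFFIX = "ou=Domains,dc=example,dc=net"
LDAP_URL = "ldap:///"

def target_fragment(target, entry_dn):
    """Return the RDNs captured by ($dn) when entry_dn matches the ACI target,
    or None if the entry lies outside the target. ($dn) stands for one or more RDNs."""
    pattern = re.escape(target[len(LDAP_URL):])
    pattern = pattern.replace(re.escape("($dn)"), r"(?P<dn>.+)")
    m = re.fullmatch(pattern, entry_dn)
    return m.group("dn") if m else None

def expansions(fragment, iterative):
    """($dn): substituted once, verbatim. [$dn]: retried with the leftmost RDN
    dropped each round (assumed semantics of the [$dn] macro)."""
    if not iterative:
        return [fragment]
    rdns = fragment.split(",")
    return [",".join(rdns[i:]) for i in range(len(rdns))]

def userdn_matches(userdn, fragment, bind_dn):
    """Expand the macro in the userdn bind rule and test it against the bound DN."""
    iterative = "[$dn]" in userdn
    macro = "[$dn]" if iterative else "($dn)"
    for candidate in expansions(fragment, iterative):
        expanded = userdn[len(LDAP_URL):].replace(macro, candidate)
        regex = re.escape(expanded).replace(r"\*", "[^,]+")  # * matches one RDN value
        if re.fullmatch(regex, bind_dn):
            return True
    return False

def allowed(target, userdn, entry_dn, bind_dn):
    """True when both the target and the userdn bind rule match for this pair."""
    fragment = target_fragment(target, entry_dn)
    return fragment is not None and userdn_matches(userdn, fragment, bind_dn)

# Constructed DNs modelled on the post's tree (addresses de-munged to user@domain).
TARGET = f"{LDAP_URL}($dn),{SUFFIX}"
USERDN_POST = f"{LDAP_URL}mail=*,($dn),{SUFFIX}"   # the bind rule from the post
USERDN_ITER = f"{LDAP_URL}mail=*,[$dn],{SUFFIX}"   # same rule using [$dn]
BIND = f"mail=user1@hostedDomain1.com,o=hostedDomain1.com,{SUFFIX}"
DOMAIN = f"o=hostedDomain1.com,{SUFFIX}"
PEER = f"mail=user2@hostedDomain1.com,o=hostedDomain1.com,{SUFFIX}"
OTHER = f"mail=user2@hostedDomain2.net,o=hostedDomain2.net,{SUFFIX}"

if __name__ == "__main__":
    for name, entry in (("domain", DOMAIN), ("peer", PEER), ("other", OTHER)):
        print(f"{name}: ($dn)={allowed(TARGET, USERDN_POST, entry, BIND)} "
              f"[$dn]={allowed(TARGET, USERDN_ITER, entry, BIND)}")
```

With the post's rule the captured fragment for a user entry is "mail=user2@hostedDomain1.com,o=hostedDomain1.com", so the expanded userdn never matches the bound user; the model reproduces the reported behaviour and shows the cross-domain case staying denied under either form.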