Hi Dharmin, you might want to work with aci's. One way to achieve what you want : define your admin users in a meaningful ou : your admin ou : dn: ou=myadmins,o=some-root-suffix ou:myadmins objectClass: top objectClass: organizationalunit one of your admins : dn: uid=Serviceadmin,ou=myadmins, o=some-root-suffix givenName: Serviceadmin sn: Serviceadmin objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top uid: Serviceadmin cn: Serviceadmin userPassword: some-password define one corresponding aci for every ou dn: ou=myorganizationalunit,o=some-root-suffix aci: (targetattr = "*") (target = "ldap:///ou=myorganizationalunit,o=some-root-suffix") (version 3.0;acl "Admin for myou Access ACI";allow (all)(userdn = "ldap:///uid=Serviceadmin,ou=myadmins, o=some-root-suffix");) ou: myorganizationalunit objectClass: top objectClass: organizationalunit Finetune security in terms of which attributes can be accessed, modified etc. ( targetattr ) allowed operations ( in my example, all operations are allowed ) Hope it gives you an idea, Regards, Joerg 2008/9/10 Dharmin Mandalia <Dharmin.Mandalia at tanganet.net> > Hello > > On our Directory Server, we have different OU's for each department, under > which we have dept users. Is it possible to allow each department admin's to > add/delete/edit user/group/other entries for their own department OU ONLY , > over Directory console, so basically one admin from each department have > full access/rights over user/group/other entries under their dept OU, over > Dir Console. > > If you know how above can be done, please tell me.... > > Appreciate your reply. > > Regards > Dharmin > > > > fedora-directory-users at redhat.com > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20080916/629e8ab9/attachment.html