Hi,

Is it possible to create an ACI which allows any change to the subtree under the bind DN? Here is an example:

ou=UnitA, dc=example, dc=com
    uid=adminA, ou=UnitA, dc=example, dc=com (member of Admin group)
    uid=userA1, ou=UnitA, dc=example, dc=com
    uid=userA2, ou=UnitA, dc=example, dc=com
    uid=userA3, ou=UnitA, dc=example, dc=com
ou=UnitB, dc=example, dc=com
    uid=adminB, ou=UnitB, dc=example, dc=com (member of Admin group)
    uid=userB1, ou=UnitB, dc=example, dc=com

The idea is that an admin could change anything (modify/add/remove attributes) under his 'ou', i.e. adminA has full access to all DNs under ou=UnitA, dc=example, dc=com but no access to ou=UnitB.

I tried the following ACI:

    (target="ldap:///($dn)") (targetattr = "*")
        (version 3.0; acl "Administrator access"; allow (all)
        roledn="ldap:///cn=Administrator,dc=example,dc=com";)

But adminA could change anything under ou=UnitB. Any ideas how to fix/change the ACI?

PS. Please CC me because I'm not on the list.

Thanks,
-- 
Ondrej Ivanic
(ondrej.ivanic at gmail.com)
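One way to get the scoping the post asks for, added here as an illustration and not part of the original message or of any reply to it: the posted ACI's target, ldap:///($dn), is not anchored to either ou, and its bind rule checks only the role, so every role member matches for every entry in the directory. Scoping has to be applied twice: to the target (store each ACI on the unit's own ou entry; an ACI with no target clause applies to the entry it is stored on and to everything beneath it) and to the bind rule (require that the bind DN sits inside that same ou and that it holds the Administrator role). The ou names and the role DN are taken from the post; the ldapmodify invocation, host and bind credentials in the comment are assumptions.

```ldif
# Added example, not from the original post: one ACI per unit, stored on the
# unit's ou entry so that its scope is that ou and its subtree only.
# Apply with something like (host and credentials are assumptions):
#   ldapmodify -H ldap://localhost -D "cn=Directory Manager" -W -f unit-acis.ldif
#
# Continuation lines start with a space, which LDIF strips when folding, so
# each is indented two spaces to keep one space inside the ACI text.
dn: ou=UnitA,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")
  (version 3.0; acl "UnitA administrator access"; allow (all)
  (userdn = "ldap:///uid=*,ou=UnitA,dc=example,dc=com" and
  roledn = "ldap:///cn=Administrator,dc=example,dc=com");)

dn: ou=UnitB,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")
  (version 3.0; acl "UnitB administrator access"; allow (all)
  (userdn = "ldap:///uid=*,ou=UnitB,dc=example,dc=com" and
  roledn = "ldap:///cn=Administrator,dc=example,dc=com");)
```

With these in place, adminA binding and modifying uid=userB1,ou=UnitB,dc=example,dc=com is denied because no ACI stored on or above ou=UnitB has a bind rule that adminA's DN satisfies, while the same operation on uid=userA1 under ou=UnitA succeeds. Check the result from each admin's bind DN with ldapmodify before relying on it, and keep the default deny: do not leave the original unanchored ACI in place alongside these, since allow rules are additive. For a large number of units, 389/Red Hat Directory Server macro ACIs (the ($dn) macro in the target paired with ($dn) or [$dn] in the bind rule) can collapse the per-unit rules into one; confirm the exact macro form against the server's access-control documentation rather than against this example.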