"uid=serveruser1,ou=ServerUsers,dc=domain,dc=com"
==> has access to
"cn=Project1,ou=Projects,dc=domain,dc=com"
AND
"cn=Project2,ou=Projects,dc=domain,dc=com"
==> deny access to other entries in "ou=Projects,dc=domain,dc=com"
you could use targetfilter like:
(targetfilter = "(|(cn=Project1)(cn=Project2))")
to restrict application of the aci to these entries and list several
users in the bind rules, or
you could add an attribute like manager to these entries, eg:
cn=Project2,ou=Projects,dc=domain,dc=com
...
manager: uid=serveruser1,ou=ServerUsers,dc=domain,dc=com
and create an aci like:
aci: (target="ldap:///dc=domain,dc=com")(targetattr="*")(version 3.0;acl "manager-write"; allow (all) userattr = "manager#USERDN";)
If the attribute you're using is multivalued, it should work defining
several users.
Thanks for the example! Now I'm starting to understand how it works.
-Matti
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
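To see how the two approaches from the quoted reply decide access, here is a small model of the evaluation (an added illustration, not 389 Directory Server code): default deny, a targetfilter plus explicit bind-rule users on one side, and the userattr = "manager#USERDN" rule on the other. The entries, user DNs and the Project3 entry are constructed for the example.

```python
"""Toy model of the two ACI approaches discussed in the thread.
Not 389 DS code: it mimics default-deny evaluation of a targetfilter
ACI and of userattr="manager#USERDN" over a few constructed entries."""


def norm_dn(dn):
    # DN values compare case-insensitively, ignoring spaces around commas
    return ",".join(p.strip().lower() for p in dn.split(","))


SERVERUSER1 = "uid=serveruser1,ou=ServerUsers,dc=domain,dc=com"
SERVERUSER2 = "uid=serveruser2,ou=ServerUsers,dc=domain,dc=com"  # constructed

# Constructed ou=Projects subtree; Project3 has no manager attribute at all
ENTRIES = {
    "cn=Project1,ou=Projects,dc=domain,dc=com": {
        "cn": ["Project1"], "manager": [SERVERUSER1]},
    "cn=Project2,ou=Projects,dc=domain,dc=com": {
        "cn": ["Project2"],
        # multi-valued manager: both users get write access to this entry
        "manager": [SERVERUSER1, SERVERUSER2]},
    "cn=Project3,ou=Projects,dc=domain,dc=com": {"cn": ["Project3"]},
}


def allowed_by_targetfilter(entry_dn, bind_dn,
                            cns=("Project1", "Project2"), users=(SERVERUSER1,)):
    """Approach 1: (targetfilter="(|(cn=Project1)(cn=Project2))") with the
    permitted users listed in the bind rule. Anything else stays denied."""
    entry_cns = {v.lower() for v in ENTRIES[entry_dn].get("cn", [])}
    filter_hit = any(cn.lower() in entry_cns for cn in cns)
    bind_hit = norm_dn(bind_dn) in {norm_dn(u) for u in users}
    return filter_hit and bind_hit


def allowed_by_userattr(entry_dn, bind_dn, attr="manager"):
    """Approach 2: userattr="manager#USERDN": the bound DN must be one of
    the values of the entry's own manager attribute (multi-valued works)."""
    values = {norm_dn(v) for v in ENTRIES[entry_dn].get(attr, [])}
    return norm_dn(bind_dn) in values


if __name__ == "__main__":
    for dn in ENTRIES:
        print(dn, "userattr:", allowed_by_userattr(dn, SERVERUSER1),
              "targetfilter:", allowed_by_targetfilter(dn, SERVERUSER1))
```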