On 02/06/2014 11:23 AM, Jan Tomasek wrote:
> I need the user to be able to add a subentry below his own entry.
>
> In this structure:
>
> dc=cz
>   ou=People
>     uid=test1
>       dc=123   ??
>     uid=test2
>
> How to write an ACI so that test1 could add only under his own entry? Sadly
> (target = "ldap:///self") is not permitted.
>
> Any idea how to write the ACI at the level of ou=People?

I have found a solution:

  (targetfilter = "(&(objectclass=appPassword)(!(objectClass=inetOrgPerson)))")
  (version 3.0;acl "appPassword parrent (add, delete)";allow (add,delete)(userdn = "ldap:///parent");)

and one more to hide the added entries from everyone except for the parent:

  (targetattr = "*")(targetfilter = "(objectclass=appPassword)")
  (version 3.0;acl "appPassword hide except parent";deny (all) (userdn ="ldap:///anyone" and not userdn = "ldap:///parent");)

:)

--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
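To see how the two ACIs above interact, here is an added example (not code from the post or from 389 Directory Server) that models them against the directory tree in the question. It only mimics three ACI evaluation rules of 389 DS: access is denied unless some ACI allows it, a matching deny beats any allow, and the Directory Manager bypasses ACIs entirely. The DIT, the attribute sets, the baseline "anyone can read" ACI that stands in for a stock suffix ACI, and the naive DN splitting are all constructed assumptions for illustration.

```python
# Added example: a simplified model of the two ACIs from the post.
# This is NOT 389 Directory Server code; it mimics only these documented
# evaluation rules: default deny, a matching deny beats any allow, and the
# Directory Manager (rootdn) is never subject to ACIs.
# DN handling is naive (split on ","); escaped commas are not handled.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List

Attrs = Dict[str, List[str]]


def norm(dn: str) -> str:
    """Lower-case and strip whitespace so DN comparisons are case-insensitive."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def parent_dn(dn: str) -> str:
    """Immediate parent of a DN: drop the first RDN."""
    return norm(dn.split(",", 1)[1]) if "," in dn else ""


def has_oc(attrs: Attrs, oc: str) -> bool:
    return oc.lower() in [v.lower() for v in attrs.get("objectclass", [])]


@dataclass
class Aci:
    name: str
    rights: FrozenSet[str]                   # e.g. {"add", "delete"}; "all" covers every right
    effect: str                              # "allow" or "deny"
    targetfilter: Callable[[Attrs], bool]    # does the ACI target this entry?
    bind_rule: Callable[[str, str], bool]    # (bind_dn, target_dn) -> does the userdn clause match?

    def applies(self, bind_dn: str, target_dn: str, target_attrs: Attrs, right: str) -> bool:
        return ((right in self.rights or "all" in self.rights)
                and self.targetfilter(target_attrs)
                and self.bind_rule(norm(bind_dn), norm(target_dn)))


ROOT_DN = norm("cn=Directory Manager")  # assumed rootdn for this model


def permitted(bind_dn: str, target_dn: str, target_attrs: Attrs, right: str, acis: List[Aci]) -> bool:
    """Default deny; any matching deny wins; otherwise a matching allow grants the right."""
    if norm(bind_dn) == ROOT_DN:
        return True
    hits = [a for a in acis if a.applies(bind_dn, target_dn, target_attrs, right)]
    if any(a.effect == "deny" for a in hits):
        return False
    return any(a.effect == "allow" for a in hits)


# Constructed baseline standing in for a stock "anyone can read" suffix ACI,
# so that the parent has some read grant to begin with.
ANYONE_READ = Aci("baseline anyone read", frozenset({"read", "search", "compare"}), "allow",
                  lambda a: True, lambda b, t: True)

# The two ACIs from the post, expressed in this model.
APP_PW_ADD = Aci("appPassword parent (add, delete)", frozenset({"add", "delete"}), "allow",
                 lambda a: has_oc(a, "appPassword") and not has_oc(a, "inetOrgPerson"),
                 lambda b, t: parent_dn(t) == b)            # userdn = "ldap:///parent"

APP_PW_HIDE = Aci("appPassword hide except parent", frozenset({"all"}), "deny",
                  lambda a: has_oc(a, "appPassword"),
                  lambda b, t: parent_dn(t) != b)           # anyone and not parent

ACIS = [ANYONE_READ, APP_PW_ADD, APP_PW_HIDE]

# Constructed DIT from the question.
TEST1 = "uid=test1,ou=People,dc=cz"
TEST2 = "uid=test2,ou=People,dc=cz"
APP_PW = {"objectclass": ["top", "appPassword"]}
PERSON = {"objectclass": ["top", "inetOrgPerson"]}


def scenarios() -> Dict[str, bool]:
    """Outcome of each constructed scenario, keyed by a short label."""
    sub = "dc=123," + TEST1
    return {
        "test1 adds appPassword under self": permitted(TEST1, sub, APP_PW, "add", ACIS),
        "test1 adds appPassword under test2": permitted(TEST1, "dc=123," + TEST2, APP_PW, "add", ACIS),
        "test1 adds inetOrgPerson under self": permitted(TEST1, "uid=x," + TEST1, PERSON, "add", ACIS),
        "test1 deletes own appPassword": permitted(TEST1, sub, APP_PW, "delete", ACIS),
        "test1 reads own appPassword": permitted(TEST1, sub, APP_PW, "read", ACIS),
        "test2 reads test1 appPassword": permitted(TEST2, sub, APP_PW, "read", ACIS),
        "anonymous reads test1 appPassword": permitted("", sub, APP_PW, "read", ACIS),
        "Directory Manager reads test1 appPassword": permitted("cn=Directory Manager", sub, APP_PW, "read", ACIS),
    }


if __name__ == "__main__":
    for label, ok in scenarios().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {label}")
```

Two things the model makes visible: the `!(objectClass=inetOrgPerson)` part of the first ACI is what stops a user from creating another person entry beneath themselves, and the deny ACI hides the subentry from everyone else but grants the parent nothing by itself, so the parent still needs a read grant from some other ACI (here the constructed baseline) to see what they created.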