ACI, userattr question

Hi,

My server has a structure like:

o=isp
  o=domain1,o=isp
     uid=user1,o=domain1,o=isp
     uid=user2,o=domain1,o=isp
     uid=user3,o=domain1,o=isp
     uid=user4,o=domain1,o=isp
  o=domain2,o=isp
     uid=user1,o=domain2,o=isp
     uid=user2,o=domain2,o=isp
     uid=user3,o=domain2,o=isp
     uid=user4,o=domain2,o=isp

Each domain has an attribute administrator (taken from phpQLAdmin; I am using LDAP for qmail-ldap) which holds the full DN of a uid. For example, say the administrator of o=domain1,o=isp is uid=user1,o=domain1,o=isp, and that of o=domain2,o=isp is uid=user1,o=domain2,o=isp.

Now when I bind as uid=user1,o=domain1,o=isp I must have full write permission for domain1 and all users under it, and if I bind as uid=user1,o=domain2,o=isp I must have write access to domain2 and so on.

I am looking for a minimum ACI that can do this, preferably one that is applied at o=isp.

I have played with aci and userattr, but it seems it's not working. The one I tried is

aci: (target="ldap:///o=*,o=isp";)(targetattr=*) (version 3.0;acl
"manager-write"; allow (all) userattr = "administrator#USERDN";)

I have taken this from the examples in docs, but this is not working as expected.

Thanks for your help,

regards,

raj

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
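
Added example, not part of the original post and not Directory Server code: a simplified Python model of how a `userattr = "attr#USERDN"` bind rule is matched against the tree described above, with and without the `parent[0,1].attr#USERDN` inheritance form from the Directory Server documentation. The function names are hypothetical, and the model assumes the rule reads the attribute from the targeted entry (level 0) or from an ancestor the given number of levels up.

```python
# Simplified model of userattr "...#USERDN" matching; not Directory Server code.
# The DIT and administrator values are the ones described in the post.
ENTRIES = {"o=isp": {}}
for dom in ("domain1", "domain2"):
    ENTRIES[f"o={dom},o=isp"] = {"administrator": [f"uid=user1,o={dom},o=isp"]}
    for n in range(1, 5):
        ENTRIES[f"uid=user{n},o={dom},o=isp"] = {}


def norm(dn):
    """Normalise a DN for comparison (assumes no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def ancestor(dn, levels):
    """Return the DN `levels` steps above dn, or None above the root."""
    parts = dn.split(",")
    return ",".join(parts[levels:]) if levels < len(parts) else None


def userattr_userdn(bind_dn, target_dn, attr, levels=(0,)):
    """True if bind_dn is a value of `attr` in the targeted entry (level 0)
    or in the ancestor `level` steps up, as in parent[0,1].attr#USERDN."""
    for level in levels:
        holder = ancestor(target_dn, level)
        values = ENTRIES.get(holder, {}).get(attr, []) if holder else []
        if any(norm(v) == norm(bind_dn) for v in values):
            return True
    return False


def writable(bind_dn, levels):
    """Entries for which the modelled bind rule evaluates to true."""
    return sorted(dn for dn in ENTRIES
                  if userattr_userdn(bind_dn, dn, "administrator", levels))


if __name__ == "__main__":
    admin = "uid=user1,o=domain1,o=isp"
    print("administrator#USERDN            ->", writable(admin, (0,)))
    print("parent[0,1].administrator#USERDN ->", writable(admin, (0, 1)))
```

In this model the plain form matches only the domain entry, because the user entries carry no administrator attribute of their own; levels 0 and 1 extend the match to the entries directly below each domain and still keep the two domains separate.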
