Rajkumar S wrote:
Try the Macro ACI feature - http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#1195760

Hi,

My server has a structure like:

o=isp
o=domain1,o=isp
uid=user1,o=domain1,o=isp
uid=user2,o=domain1,o=isp
uid=user3,o=domain1,o=isp
uid=user4,o=domain1,o=isp
o=domain2,o=isp
uid=user1,o=domain2,o=isp
uid=user2,o=domain2,o=isp
uid=user3,o=domain2,o=isp
uid=user4,o=domain2,o=isp

Each domain has an attribute administrator (taken from phpQLAdmin, I am using ldap for qmail-ldap) which has the full dn of a uid. For example, say the administrator of o=domain1,o=isp is uid=user1,o=domain1,o=isp, and that of o=domain2,o=isp is uid=user1,o=domain2,o=isp.

Now when I bind as uid=user1,o=domain1,o=isp I must have full write permission for domain1 and all users under it, and if I bind as uid=user1,o=domain2,o=isp I must have write access to domain2 and so on.

I am looking for a minimum aci that can do this, preferably one that is applied at o=isp.
I have played with aci and userattr, but seems it's not working. The one I tried is

aci: (target="ldap:///o=*,o=isp")(targetattr=*) (version 3.0;acl "manager-write"; allow (all) userattr = "administrator#USERDN";)

I have taken this from the examples in docs, but this is not working as expected.

Thanks for your help,

regards,
raj

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
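An added example, not part of the thread and not server code: a small Python model of a `userattr = "administrator#USERDN"` style rule over the tree from the question. It contrasts reading `administrator` only from the entry being accessed with also reading it from that entry's parent. It assumes USERDN compares the bind DN with the attribute value on the entry consulted; the function names and the `levels` parameter are hypothetical.

```python
# Constructed sample data: a reduced copy of the tree described in the question.
DIRECTORY = {
    "o=isp": {},
    "o=domain1,o=isp": {"administrator": ["uid=user1,o=domain1,o=isp"]},
    "uid=user1,o=domain1,o=isp": {},
    "uid=user2,o=domain1,o=isp": {},
    "o=domain2,o=isp": {"administrator": ["uid=user1,o=domain2,o=isp"]},
    "uid=user1,o=domain2,o=isp": {},
    "uid=user2,o=domain2,o=isp": {},
}


def norm(dn):
    """Normalise a simple DN (no escaped commas) for comparison."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def ancestor(dn, level):
    """Return the DN `level` steps above dn (0 = dn itself), or None past the root."""
    rdns = norm(dn).split(",")
    return ",".join(rdns[level:]) if level < len(rdns) else None


def userattr_userdn_allows(bind_dn, target_dn, attr, levels=(0,)):
    """True if bind_dn is a value of `attr` on the entry found `level`
    steps above the target, for any level listed (assumed semantics)."""
    for level in levels:
        entry = DIRECTORY.get(ancestor(target_dn, level), {})
        if norm(bind_dn) in (norm(v) for v in entry.get(attr, [])):
            return True
    return False


def writable_entries(bind_dn, levels):
    """Sorted list of entries the bind DN would be granted rights on."""
    return sorted(dn for dn in DIRECTORY
                  if userattr_userdn_allows(bind_dn, dn, "administrator", levels))


if __name__ == "__main__":
    admin = "uid=user1,o=domain1,o=isp"
    # Attribute read from the accessed entry only: just the domain entry matches.
    print("target entry only:", writable_entries(admin, levels=(0,)))
    # Attribute also read from the parent: the uid entries are covered too.
    print("target and parent:", writable_entries(admin, levels=(0, 1)))
```

Comparing the two printed lists against what the server actually allows for each bind DN is a quick way to confirm that a deployed ACI neither misses the uid entries nor reaches into the other domain.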