Hello, all. We are still refining how we want to deploy 389 in a multi-tenant environment. To grant access to the admins for each tenant to manage their own external contact lists, we created an ACI as follows:

    (targetattr = "*") (target = "ldap:///($dn),o=external,dc=ssiservices, dc=biz") (version 3.0;acl "Client Administrators External";allow (all)(groupdn = "ldap:///cn=*ldapadmins,ou=groups,[$dn],o=internal,dc=ssiservices,dc=biz");)

Each tenant has a client number which is prefixed to the ldapadmins group cn so that we don't have thousands of groups with the same cn, so, for example, c001ldapadmins, c002ldapadmins. Hence the * in the cn.

However, it does not seem to work. Client admins are told they do not have rights to add new objects. If we replace the * with the prefix, e.g., "ldap:///cn=c001ldapadmins,ou=groups,[$dn],o=internal,dc=ssiservices,dc=biz", it works fine.

Is there a way to use wildcards in a groupdn? The literature explicitly says so for userdn but not groupdn.

Thanks - John

PS - I first tried sending this to 389-users but that mail bounced - John

--
John A. Sullivan III
Open Source Development Corporation

Street Preacher: Are you SAVED?????!!!!!!
Educated Skeptic: Saved from WHAT?????!!!!!!
Educated Believer: From our selfishness that hurts the ones we love and condemns us to an eternity of hurting each other.

http://www.spiritualoutreach.com
Christianity that makes sense

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
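To make the macro substitution in the post's ACI concrete, here is an added example (not from the post or from 389 DS itself) that models how ($dn) in the target binds a DN fragment and how [$dn] in the groupdn is expanded, first with the whole fragment and then with each shorter suffix. The tenant subtree RDN "ou=c001", the user "alice", and the contact entry are constructed sample data, and the model assumes the groupdn bind rule is an exact DN lookup, which is consistent with the behaviour John reports (literal cn works, cn=* does not).

```python
import re

# Constructed sample data, not from the post. The tenant subtree RDN
# "ou=c001" and the users are assumptions for illustration.
ALICE = "uid=alice,ou=people,ou=c001,o=internal,dc=ssiservices,dc=biz"
NEW_CONTACT = "cn=bob smith,ou=c001,o=external,dc=ssiservices,dc=biz"
TENANT_GROUPS = {"cn=c001ldapadmins,ou=groups,ou=c001,o=internal,dc=ssiservices,dc=biz": {ALICE}}

# The ACI from the post, and the variant with the literal cn that works.
ACI_WILDCARD = ('(targetattr = "*") (target = "ldap:///($dn),o=external,'
                'dc=ssiservices, dc=biz") (version 3.0;acl "Client '
                'Administrators External";allow (all)(groupdn = "ldap:///'
                'cn=*ldapadmins,ou=groups,[$dn],o=internal,dc=ssiservices,'
                'dc=biz");)')
ACI_LITERAL = ACI_WILDCARD.replace("cn=*ldapadmins", "cn=c001ldapadmins")


def _norm(dn: str) -> str:
    """Lower-case a DN, drop the ldap:/// prefix and spaces after commas."""
    dn = dn.lower()
    if dn.startswith("ldap:///"):
        dn = dn[len("ldap:///"):]
    return re.sub(r",\s+", ",", dn)


def match_target(target_pattern: str, entry_dn: str):
    """Return the DN fragment bound to ($dn), or None if the entry is
    outside the target subtree."""
    pat = re.escape(_norm(target_pattern)).replace(r"\(\$dn\)", "(?P<dn>.+)")
    m = re.fullmatch(pat, _norm(entry_dn))
    return m.group("dn") if m else None


def expand_groupdn(groupdn_pattern: str, matched: str) -> list:
    """Expand [$dn] as macro ACIs do: the whole matched fragment first,
    then each suffix obtained by dropping the leftmost RDN."""
    rdns = matched.split(",")
    return [_norm(groupdn_pattern).replace("[$dn]", ",".join(rdns[i:]))
            for i in range(len(rdns))]


def evaluate(aci: str, entry_dn: str, bind_dn: str, groups: dict):
    """Return (allowed, candidate group DNs). ASSUMPTION: the groupdn bind
    rule is an exact DN lookup, so a cn containing '*' never names a real
    group; this reproduces the behaviour reported in the post."""
    target = re.search(r'\btarget\s*=\s*"([^"]+)"', aci).group(1)
    groupdn = re.search(r'\bgroupdn\s*=\s*"([^"]+)"', aci).group(1)
    matched = match_target(target, entry_dn)
    if matched is None:
        return False, []
    candidates = expand_groupdn(groupdn, matched)
    return any(_norm(bind_dn) in groups.get(c, set()) for c in candidates), candidates
```

Running `evaluate(ACI_LITERAL, NEW_CONTACT, ALICE, TENANT_GROUPS)` grants the add via the second candidate group DN, while the wildcard ACI yields candidates containing `cn=*ldapadmins` that match no group.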