Hi,

Is it possible to create an ACI which allows any change to the subtree under the bind DN? Here is an example:

ou=UnitA, dc=example, dc=com
  uid=adminA, ou=UnitA, dc=example, dc=com (member of Admin group)
  uid=userA1, ou=UnitA, dc=example, dc=com
  uid=userA2, ou=UnitA, dc=example, dc=com
  uid=userA3, ou=UnitA, dc=example, dc=com
ou=UnitB, dc=example, dc=com
  uid=adminB, ou=UnitB, dc=example, dc=com (member of Admin group)
  uid=userB1, ou=UnitB, dc=example, dc=com

The idea is that an admin could change anything (modify/add/remove attributes) under his 'ou', i.e. adminA has full access to all DNs under ou=UnitA, dc=example, dc=com but no access to ou=UnitB.

I tried the following ACI:

(target="ldap:///($dn)")
(targetattr = "*")
(version 3.0; acl "Administrator access"; allow (all)
  roledn="ldap:///cn=Administrator,dc=example,dc=com";)

But adminA could change anything under ou=UnitB. Any ideas how to fix/change the ACI?

PS. Please CC me because I'm not on the list.

Thanks,
--
Ondrej Ivanic (ondrej.ivanic@xxxxxxxxx)

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
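As an added illustration (not part of the original post and not an answer from the list), here is how a 389 Directory Server macro ACI can scope an administrator's write access to the unit the bind DN lives in. The ($dn) placeholder in the target only becomes a constraint when a matching [$dn] appears in the bind rule; the ACI quoted in the post uses ($dn) in the target without any [$dn] in the subject, so the target matches every entry and nothing ties it to the bound user. The suffix dc=example,dc=com, the role cn=Administrator,dc=example,dc=com and the uid=*/ou=UnitX layout are taken from the post; that the Administrator role is the intended "Admin group" is an assumption.

```ldif
# Added example (not from the post or the 389 project): macro ACI on the suffix.
# ($dn) in the target captures the RDN sequence between the entry and the suffix,
# e.g. "ou=UnitA". [$dn] in the userdn bind rule is replaced by that captured
# value (the server also retries with leading RDNs stripped), so the rule only
# matches a bound user who sits in the same ou as the entry being accessed.
# The roledn clause is ANDed so ordinary users in the ou still get nothing;
# the role DN is assumed from the post.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///($dn),dc=example,dc=com")
 (targetattr="*")
 (version 3.0; acl "Unit administrator access";
  allow (all)
  (userdn="ldap:///uid=*,[$dn],dc=example,dc=com"
   and roledn="ldap:///cn=Administrator,dc=example,dc=com");)
```

Apply it with ldapmodify as Directory Manager, then verify the boundary rather than trusting it: bind as uid=adminA,ou=UnitA,dc=example,dc=com and modify uid=userA1 (should succeed), then attempt the same modify on uid=userB1,ou=UnitB,dc=example,dc=com (should fail with insufficient access, LDAP result code 50). If the per-unit administrators are meant to be a group inside each ou instead of a global role, the same pattern works with groupdn="ldap:///cn=Admins,[$dn],dc=example,dc=com" in place of the userdn/roledn pair.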