Ondrej Ivanič wrote:
> Hi,
>
> Is it possible to create an ACI which allows any change to the subtree under
> the bind DN? Here is an example:
>
> ou=UnitA, dc=example, dc=com
>   uid=adminA, ou=UnitA, dc=example, dc=com (member of Admin group)
>   uid=userA1, ou=UnitA, dc=example, dc=com
>   uid=userA2, ou=UnitA, dc=example, dc=com
>   uid=userA3, ou=UnitA, dc=example, dc=com
> ou=UnitB, dc=example, dc=com
>   uid=adminB, ou=UnitB, dc=example, dc=com (member of Admin group)
>   uid=userB1, ou=UnitB, dc=example, dc=com
>
> The idea is that an admin could change anything (modify/add/remove
> attributes) under his 'ou', i.e. adminA has full access to all DNs
> under ou=UnitA, dc=example, dc=com but no access to ou=UnitB.
>
> I tried the following ACI:
>
>   (target="ldap:///($dn)") (targetattr = "*")
>   (version 3.0; acl "Administrator access"; allow (all)
>   roledn="ldap:///cn=Administrator,dc=example,dc=com";)
>
> But adminA could change anything under ou=UnitB. Any ideas how to
> fix/change the ACI?
>

I don't think that ACI will work - a macro ACI requires the use of ($dn) or [$dn] in both the target and the bind rule. Start with http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Managing_Access_Control.html

> PS. Please CC me because I'm not on the list.
>
> Thanks,
> --
> Ondrej Ivanic
> (ondrej.ivanic@xxxxxxxxx)
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
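An added example of the macro ACI shape the reply describes, written against the tree in the question; it is not code from the thread or from the 389 project. It assumes, as the linked Managing Access Control chapter describes, that ($dn) in the target captures the part of the entry DN between the suffix and the rest, and that [$dn] in the bind rule is replaced with that captured value, dropping leftmost RDNs until a bind DN matches; the acl name and the "and" of roledn with userdn are this example's choices.

```ldif
# Added example: one macro ACI on the suffix instead of a per-ou ACI.
# Assumes ($dn) matches e.g. "uid=userA1,ou=UnitA" for an entry under
# ou=UnitA and [$dn] is reduced RDN by RDN until "uid=*,ou=UnitA,..."
# matches the bound admin. The roledn clause keeps ordinary users in the
# same ou from being granted access; the userdn clause keeps adminB out
# of ou=UnitA because his own DN sits under ou=UnitB.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///($dn),dc=example,dc=com")(targetattr="*")
 (version 3.0; acl "Unit admin access"; allow (all)
 (roledn="ldap:///cn=Administrator,dc=example,dc=com" and
  userdn="ldap:///uid=*,[$dn],dc=example,dc=com");)
```

After adding it, check the effective rights with a bind as adminA against an entry under ou=UnitB (for example with ldapmodify on a harmless attribute) and confirm the operation is refused; if it is not, compare the ($dn)/[$dn] matching rules in the documentation for the installed server version.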