Hi,<br><br>I seem to have found a workaround (at least for my special case) by using a macro ACI :<br><br>(targetattr=&quot;*&quot;)(target=&quot;ldap:///cn=*,cn=($dn),o=bug&quot;)(version 3.0; acl &quot;Test 2&quot;; allow (all) userdn =&quot;ldap:///o=bug??sub?(nsuniqueid=[$dn])&quot;;)
<br><br>This works for my first post, which is my real life problem, where I want to give right on an object to the user whose nsuniqueid equals the cn of the object's parent.<br><br>For my second post, this workaround does not work, since it is based on a DN component, while I store the information in an attribute not used in the DN (description).
<br><br>Maybe I should file a bug.<br><br>François<br><br><div><span class="gmail_quote">2006/9/25, François Beretti &lt;<a href="mailto:francois.beretti@gmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
francois.beretti@gmail.com</a>&gt;:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi again,<br><br>since my first post may be complex, I made a much simpler sample, with standard objects.<br><br>I created a root suffix 'o=bug'<br><br>with two ACI:<br>aci: (targetattr=&quot;*&quot;)(version 3.0; acl &quot;Test&quot;; allow (all)userattr =&quot;description#LDAPURL&quot;;)
<br>aci: (targetattr=&quot;*&quot;)(version 3.0; acl &quot;Test&quot;; allow (all)userattr =&quot;parent[1].description#LDAPURL&quot;;)<br><br>Then I added a user, uid=testuser,o=bug<br><br>Then, an organizationalUnit, ou=testparentobject,o=bug
<br>with the description: ldap:///o=bug??sub?(uid=testuser)<br><br>According the ACIs, testuser dhould be able to modify ou=testparentobject and to create child objects under it.<br><br>But he only can modify it.<br><br>

I don't find where I made a mistake.
<br><br>I join you my LDIF files and LDAP commands.<br><br><br>Thank you for your help<br><br>François<br><br><br><br>Here are the LDIF files :<br>---------- o=bug dump ------- <br>dn: o=bug<br>aci: (targetattr != &quot;userPassword&quot;) (version 
3.0; acl &quot;Anonymous access&quot;; allow (read, search, compare)userdn = &quot;ldap:///anyone&quot;;)<br>aci: (targetattr=&quot;*&quot;)(version 3.0; acl &quot;Test&quot;; allow (all)userattr =&quot;description#LDAPURL&quot;;)
<br>aci: (targetattr=&quot;*&quot;)(version 3.0; acl &quot;Test&quot;; allow (all)userattr =&quot;parent[1].description#LDAPURL&quot;;)<br>o: bug<br>objectClass: top<br>objectClass: organization<br><br>dn: uid=testuser,o=bug
<br>uid: testuser<br>givenName: Test<br>objectClass: top<br>objectClass: person<br>objectClass: organizationalPerson<br>objectClass: inetorgperson<br>sn: User<br>cn: Test User<br>userPassword: toto<br><br>dn: ou=testparentobject,o=bug
<br>ou: testparentobject<br>description: ldap:///o=bug??sub?(uid=testuser)<br>objectClass: top<br>objectClass: organizationalunit<br><br><br><br><br>--------- modification command ----------<br>
$ ldapmodify -x -D 'uid=testuser,o=bug' -w toto -f object-modification.ldif<br>
modifying entry &quot;ou=testparentobject,o=bug&quot;<br>
$<br>
<br>
--------- creation command -----------<br>
$ ldapadd -x -D 'uid=testuser,o=bug' -w toto -f object-creation.ldif<br>
adding new entry &quot;ou=testchildobject,ou=testparentobject,o=bug&quot;<br>
ldap_add: Insufficient access (50)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; additional info: Insufficient 'add' privilege to add the entry 'ou=testchildobject,ou=testparentobject,o=bug'.<br>
$<br>
<br>
<br>
<br><br>---------- modification LDIF file ----------------<br>dn: ou=testparentobject,o=bug<br>changetype: modify<br>replace: telephoneNumber<br>telephoneNumber: 0123456789<br><br><br><br><br>---------- creation LDIF file --------------
<br>dn: ou=testchildobject,ou=testparentobject,o=bug<br>objectClass: top<br>objectClass: organizationalUnit<br>ou: testchildobject<br><br><br><br><br><br><br>

</blockquote></div><br>