I have set up a directory structure as follows:

    ou=Domains,dc=example,dc=net
        o=hostedDomain1.com
            mail=user1@hostedDomain1.com
            mail=user2@hostedDomain1.com
            mail=user3@hostedDomain1.com
        o=hostedDomain2.net
            mail=user1@hostedDomain2.net
            mail=user2@hostedDomain2.net
            mail=user3@hostedDomain2.net
        o=hostedDomain3.com
        ...
I would like to allow any mail user to only read the attributes of the
users within their domain. For example, user1@hostedDomain1.com can see
user2@hostedDomain1.com, but not user2@hostedDomain2.net.
I am not allowing anonymous access.
I have allowed access to the Domains OU with this aci entry (placed on
the Domains OU):
aci: (targetattr=*)(targetfilter=(ou=Domains)) (version 3.0;acl "Allow
read access to Domains OU";allow (read,search)
(userdn="ldap:///mail=*,o=*,ou=Domains,dc=example,dc=net");)
I have placed the following macro aci on the Domains OU without success:
aci: (targetattr!="userPassword")
(target="ldap:///($dn),ou=Domains,dc=example,dc=net")
(version 3.0;acl "Allow read access to Domain members";allow
(read,search)(userdn="ldap:///mail=*,($dn),ou=Domains,dc=example,dc=net");)
As I understand it, the second aci should allow read and search access
to domain ($dn) and all entries below it. However, the behavior that
I'm seeing is that the user can only see down to the domain with no
access to the sub-entries. In other words, user1@hostedDomain1.com can
see o=hostedDomain1.com,ou=Domains,dc=example,dc=net, but cannot see
anything below.
Am I missing something? How can I get this to work properly?
Thanks in advance.
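Added illustration, not code from the post or from 389 Directory Server: a small simulation of the target/userdn macro matching on the tree from the post, showing why the ($dn) bind rule only reaches the o= entry, beside the [$dn] form. The [$dn] behaviour (each RDN suffix of the matched value is tried in turn) is assumed from the Red Hat Directory Server documentation, and targetattr/targetfilter are ignored.

```python
import fnmatch

BASE = "ou=Domains,dc=example,dc=net"
DOMAINS = ["hostedDomain1.com", "hostedDomain2.net"]
# Constructed entries mirroring the tree in the post (two domains, three users each).
ENTRIES = [BASE]
for d in DOMAINS:
    ENTRIES.append(f"o={d},{BASE}")
    ENTRIES += [f"mail=user{i}@{d},o={d},{BASE}" for i in (1, 2, 3)]

POSTED_TARGET = f"ldap:///($dn),{BASE}"
POSTED_SUBJECT = f"ldap:///mail=*,($dn),{BASE}"   # userdn exactly as in the post
SUFFIX_SUBJECT = f"ldap:///mail=*,[$dn],{BASE}"   # assumed [$dn] suffix-walk form

def rdns(dn):
    """Split a DN (optionally 'ldap:///' prefixed) into RDNs; no escaping handled."""
    return dn.replace("ldap:///", "").split(",")

def dn_matches(pattern, dn):
    """RDN-by-RDN wildcard match so a '*' cannot swallow a comma."""
    p, d = rdns(pattern), rdns(dn)
    return len(p) == len(d) and all(fnmatch.fnmatchcase(x, y) for x, y in zip(d, p))

def match_target(target, entry_dn):
    """Return the RDN string that ($dn) stands for in entry_dn, else None."""
    suffix = rdns(target.split("($dn),", 1)[1])
    parts = rdns(entry_dn)
    if len(parts) <= len(suffix) or parts[-len(suffix):] != suffix:
        return None
    return ",".join(parts[:-len(suffix)])

def subject_allows(subject, macro_value, bind_dn):
    """($dn): substitute the matched value once.  [$dn]: try every RDN
    suffix of the matched value, longest first, and accept if any matches."""
    parts = rdns(macro_value)
    if "($dn)" in subject:
        candidates = [macro_value]
    else:
        candidates = [",".join(parts[i:]) for i in range(len(parts))]
    return any(dn_matches(subject.replace("($dn)", c).replace("[$dn]", c), bind_dn)
               for c in candidates)

def readable(target, subject, bind_dn, entries=ENTRIES):
    """Entries the bound user can read under this one ACI (targetattr ignored)."""
    out = []
    for e in entries:
        m = match_target(target, e)
        if m is not None and subject_allows(subject, m, bind_dn):
            out.append(e)
    return out
```

With user1@hostedDomain1.com bound, the posted ($dn) rule yields only the o=hostedDomain1.com entry, because for each user entry the macro expands to that entry's own RDNs and the resulting userdn pattern no longer matches the bound DN.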