> "uid=serveruser1,ou=ServerUsers,dc=domain,dc=com"
> ==> has access to
> "cn=Project1,ou=Projects,dc=domain,dc=com"
> AND
> "cn=Project2,ou=Projects,dc=domain,dc=com"
> ==> deny access to other entries in "ou=Projects,dc=domain,dc=com"
you could use targetfilter like:
(targetfilter = "(|(cn=Project1)(cn=Project2))")
to restrict application of the aci to these entries and list several
users in the bind rules, or
you could add an attribute like manager to these entries, eg:
cn=Project2,ou=Projects,dc=domain,dc=com
...
manager: uid=serveruser1,ou=ServerUsers,dc=domain,dc=com
and create an aci like:
aci: (target="ldap:///dc=domain,dc=com")(targetattr=*)(version 3.0;acl
"manager-write"; allow (all) userattr = "manager#USERDN";)
If the attribute you're using is multivalued, it should work defining
several users.
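As an added illustration (not from the thread), here are both approaches written out as complete LDIF that could be fed to ldapmodify. The DNs and attribute names follow the thread; the scoping of the aci to ou=Projects, the second user uid=serveruser2 (to show the multi-user bind rule) and the choice of read/search/compare as "access" are assumptions.

```ldif
# Added example, not from the thread. DNs follow the thread; the
# ou=Projects scope, uid=serveruser2 and the read/search/compare rights
# are assumptions.
#
# Approach 1: targetfilter plus an explicit list of users in the bind rule.
# Placing the aci on ou=Projects keeps it from matching entries elsewhere
# in the tree; targetfilter narrows it to the two project entries.
dn: ou=Projects,dc=domain,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=Projects,dc=domain,dc=com")
 (targetfilter="(|(cn=Project1)(cn=Project2))")
 (targetattr="*")
 (version 3.0; acl "project-members-read";
 allow (read,search,compare)
 (userdn="ldap:///uid=serveruser1,ou=ServerUsers,dc=domain,dc=com" or
  userdn="ldap:///uid=serveruser2,ou=ServerUsers,dc=domain,dc=com");)

# Approach 2: store the grant on the entry itself and let a single aci
# evaluate it. manager is multi-valued, so add one value per user.
dn: cn=Project1,ou=Projects,dc=domain,dc=com
changetype: modify
add: manager
manager: uid=serveruser1,ou=ServerUsers,dc=domain,dc=com

dn: cn=Project2,ou=Projects,dc=domain,dc=com
changetype: modify
add: manager
manager: uid=serveruser1,ou=ServerUsers,dc=domain,dc=com
manager: uid=serveruser2,ou=ServerUsers,dc=domain,dc=com

# userattr="manager#USERDN" grants the rights to whoever is listed in the
# target entry's own manager attribute.
dn: ou=Projects,dc=domain,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=Projects,dc=domain,dc=com")(targetattr="*")
 (version 3.0; acl "manager-write"; allow (all) userattr="manager#USERDN";)
```

Both blocks are applied with ldapmodify bound as the Directory Manager (pick one approach, not both). Access is denied by default, so no explicit deny rule is needed for the other entries under ou=Projects, provided no other, broader aci already grants them; the quickest check is an ldapsearch bound as serveruser1 with base ou=Projects,dc=domain,dc=com, which should return only Project1 and Project2. Two caveats on approach 2: the project entries' objectClasses must actually allow the manager attribute (a groupOfNames entry, for instance, would need a different attribute such as owner), and with allow (all) over targetattr="*" a listed user can modify the manager attribute itself and so extend the grant to others; exclude that attribute or use a separate, narrower aci for it if that is not intended.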
Thanks for the example! Now I'm starting to understand how it works.
-Matti