Rajkumar S wrote:
> Hi,
> My server has a structure like:
>
> o=isp
>   o=domain1,o=isp
>     uid=user1,o=domain1,o=isp
>     uid=user2,o=domain1,o=isp
>     uid=user3,o=domain1,o=isp
>     uid=user4,o=domain1,o=isp
>   o=domain2,o=isp
>     uid=user1,o=domain2,o=isp
>     uid=user2,o=domain2,o=isp
>     uid=user3,o=domain2,o=isp
>     uid=user4,o=domain2,o=isp
>
> Each domain has an attribute administrator (taken from phpQLAdmin, I
> am using ldap for qmail-ldap) which has the full dn of a uid. For example,
> say the administrator of o=domain1,o=isp is uid=user1,o=domain1,o=isp,
> and that of o=domain2,o=isp is uid=user1,o=domain2,o=isp.
>
> Now when I bind as uid=user1,o=domain1,o=isp I must have full write
> permission for domain1 and all users under it, and if I bind as
> uid=user1,o=domain2,o=isp I must have write access to domain2 and so on.
> I am looking for a minimum aci that can do this, preferably one that
> is applied at o=isp.

Try the Macro ACI feature -
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#1195760

> I have played with aci and userattr, but it seems it's not working. The
> one I tried is
>
> aci: (target="ldap:///o=*,o=isp")(targetattr=*) (version 3.0;acl
> "manager-write"; allow (all) userattr = "administrator#USERDN";)
>
> I have taken this from the examples in docs, but this is not working
> as expected.
> Thanks for your help,
> regards,
> raj
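
An added example, not part of the original thread: a simplified Python model of how a `userattr ... #USERDN` bind rule is matched against the DIT from the post, comparing the plain form with the documented `parent[levels]` inheritance form. The function names are hypothetical, the DIT is constructed sample data, and the model covers only the bind rule (not the target expression or the server's real evaluation code).

```python
# Constructed sample: the DIT from the post, administrator set per domain.
DIT = {
    "o=isp": {},
    "o=domain1,o=isp": {"administrator": ["uid=user1,o=domain1,o=isp"]},
    "uid=user1,o=domain1,o=isp": {},
    "uid=user2,o=domain1,o=isp": {},
    "o=domain2,o=isp": {"administrator": ["uid=user1,o=domain2,o=isp"]},
    "uid=user1,o=domain2,o=isp": {},
    "uid=user2,o=domain2,o=isp": {},
}

def norm(dn):
    """Lower-case and trim RDNs (assumes no escaped commas in the DN)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def ancestor(dn, levels):
    """DN `levels` steps above dn; None once past the top of the DN."""
    rdns = norm(dn).split(",")
    return ",".join(rdns[levels:]) if levels < len(rdns) else None

def userattr_userdn(bind_dn, entry_dn, attr, levels=(0,)):
    """Model of: userattr = "parent[levels].attr#USERDN".

    Level 0 is the entry being accessed, level 1 its parent, and so on.
    The rule matches if the bind DN is a value of attr at any listed level.
    """
    for level in levels:
        holder = DIT.get(ancestor(entry_dn, level), {})
        if norm(bind_dn) in (norm(v) for v in holder.get(attr, [])):
            return True
    return False

def granted(bind_dn, levels):
    """Entries under o=isp on which the modelled bind rule matches."""
    return [dn for dn in DIT
            if userattr_userdn(bind_dn, dn, "administrator", levels)]

if __name__ == "__main__":
    admin1 = "uid=user1,o=domain1,o=isp"
    # userattr = "administrator#USERDN": attribute read from the entry itself
    print(granted(admin1, (0,)))
    # userattr = "parent[0,1].administrator#USERDN": entry or its parent
    print(granted(admin1, (0, 1)))
```

Under this model the plain form matches only on the domain entry that holds the administrator attribute, while the `parent[0,1]` form also matches on the uid entries directly below it and still keeps each administrator out of the other domain.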