Hi,
You need to give the o=US,DC=mydomain,DC=org node an administrativeRole
attribute with a value of accessControlSpecificArea and then create a sub
entry for it like:
dn: cn=adminSubentry,o=US,dc=mydomain,dc=org
changetype: add
objectclass: top
objectclass: subentry
objectclass: accessControlSubentry
cn: adminSubentry
subtreeSpecification: {}
prescriptiveACI: {
identificationTag "administratorFullAccessACI",
precedence 100,
authenticationLevel simple,
itemOrUserFirst userFirst: {
userClasses {
name { "uid=adminguy,ou=people(,o=US...,DC=org)." }
},
userPermissions {
{
protectedItems {
entry, allUserAttributeTypesAndValues
},
grantsAndDenials {
grantAdd, grantDiscloseOnError, grantRead,
grantRemove, grantBrowse, grantExport, grantImport,
grantModify, grantRename, grantReturnDN,
grantCompare, grantFilterMatch, grantInvoke
}
}
}
}
}
I haven't had much joy applying these things with directory studio, it's
easier to put it all in an ldif file and import it.
Cheers,
MikeA
On 11 May 2011 18:33, Steven Altsman <[email protected]> wrote:
> Hi All,
>
> Pretty straightforward question, methinks: I have
> o=US,DC=mydomain,DC=org and in there I have
> uid=adminguy,ou=people(,o=US...,DC=org). I want him to admin over
> o=US,DC=mydomain,DC=org. I've got ApacheDS and Eclipse with Directory
> Studio extensions.
>
> Ibis redibis nunquam per bella peribis
>
