Hi guys!
I need to create an Apache Directory Server installation with multiple
partitions.
For each partition there should be one or more admin users that can
read/browse/edit only this partition.
Additionally, the partitions will contain organisational units where, again, a
set of users can manage the respective subtree.
If I understood the docs right this should be doable with Prescriptive ACIs.
My first try at an ACI was something like this (in a subentry of
dc=kig1,dc=example,dc=com):
{
  identificationTag "kigAdmin",
  precedence 0,
  authenticationLevel simple,
  itemOrUserFirst itemFirst:
  {
    protectedItems
    {
      entry,
      allUserAttributeTypes,
      allUserAttributeTypesAndValues
    },
    itemPermissions
    {
      {
        precedence 0,
        userClasses
        {
          name { "uid=admin,ou=kig1ki1,dc=kig1,dc=example,dc=com" }
        },
        grantsAndDenials
        {
          grantRename,
          grantExport,
          grantRemove,
          grantInvoke,
          grantDiscloseOnError,
          grantRead,
          grantAdd,
          grantBrowse,
          grantImport,
          grantCompare,
          grantReturnDN,
          grantModify,
          grantFilterMatch
        }
      }
    }
  }
}
User uid=admin,ou=kig1ki1,dc=kig1,dc=example,dc=com can bind to the LDAP
server but cannot even browse the subtree, regardless of the
subtreeSpecification value of the accessControlSubentry.
Where do I go wrong?
Thx for your help!
Christoph
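The following LDIF is an added worked example for the setup described in the post; it is not Christoph's code and not part of the ApacheDS project. It shows the three pieces a prescriptive ACI needs in ApacheDS: the partition root marked as an access-control administrative point, a partition-wide access control subentry for the partition admin, and a second subentry whose subtreeSpecification is narrowed to one organisational unit for an OU-level admin. The partition dc=kig1,dc=example,dc=com and the user uid=admin,ou=kig1ki1,dc=kig1,dc=example,dc=com come from the post; the subentry names and the OU admin uid=ou1admin,ou=kig1ki1,dc=kig1,dc=example,dc=com are assumptions chosen for the example.

```ldif
# Added example (not from the original post). Assumes the partition
# dc=kig1,dc=example,dc=com already exists and that access control is
# enabled in the ApacheDS configuration (it is disabled by default).

# 1. The partition root must be an access-control specific administrative
#    point, otherwise subentries below it have no effect.
dn: dc=kig1,dc=example,dc=com
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

# 2. Partition-wide subentry. subtreeSpecification {} covers the whole
#    partition, including dc=kig1,dc=example,dc=com itself.
#    Long attribute values are folded; continuation lines start with a space.
dn: cn=kigAdminSubentry,dc=kig1,dc=example,dc=com
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: kigAdminSubentry
subtreeSpecification: {}
prescriptiveACI: { identificationTag "kigAdmin", precedence 10,
  authenticationLevel simple,
  itemOrUserFirst userFirst: {
  userClasses { name { "uid=admin,ou=kig1ki1,dc=kig1,dc=example,dc=com" } },
  userPermissions { {
  protectedItems { entry, allUserAttributeTypesAndValues },
  grantsAndDenials { grantAdd, grantBrowse, grantCompare,
  grantDiscloseOnError, grantExport, grantFilterMatch, grantImport,
  grantModify, grantRead, grantRemove, grantRename, grantReturnDN } } } } }

# 3. OU-level subentry. base is relative to the administrative point, so
#    this ACI only applies to ou=kig1ki1,dc=kig1,dc=example,dc=com and
#    everything below it. uid=ou1admin is an assumed example user.
dn: cn=kig1ki1AdminSubentry,dc=kig1,dc=example,dc=com
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: kig1ki1AdminSubentry
subtreeSpecification: { base "ou=kig1ki1" }
prescriptiveACI: { identificationTag "kig1ki1Admin", precedence 10,
  authenticationLevel simple,
  itemOrUserFirst userFirst: {
  userClasses { name { "uid=ou1admin,ou=kig1ki1,dc=kig1,dc=example,dc=com" } },
  userPermissions { {
  protectedItems { entry, allUserAttributeTypesAndValues },
  grantsAndDenials { grantAdd, grantBrowse, grantCompare,
  grantDiscloseOnError, grantExport, grantFilterMatch, grantImport,
  grantModify, grantRead, grantRemove, grantRename, grantReturnDN } } } } }
```

Load it as the directory administrator, e.g. with ldapmodify -x -H ldap://localhost:10389 -D "uid=admin,ou=system" -W -f kig1-aci.ldif (uid=admin,ou=system and port 10389 are the ApacheDS defaults; adjust if the installation differs). Two checks worth doing before looking at the ACI itself: first, ApacheDS ships with access control disabled, and while it is disabled no prescriptiveACI is evaluated at all, so confirm it is enabled in the ou=config partition (ads-accessControlEnabled on the directory service entry). Second, a subentry can only grant rights on entries inside its own subtree, so a client that starts browsing at the root DSE or at dc=example,dc=com is refused Browse on those ancestor entries regardless of what the subentry under dc=kig1 says; test with the search base set to the partition, for instance ldapsearch -x -H ldap://localhost:10389 -D "uid=admin,ou=kig1ki1,dc=kig1,dc=example,dc=com" -W -b "dc=kig1,dc=example,dc=com" "(objectClass=*)", and in a GUI browser connect with that DN as the base.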