directory-dev mailing list archives

From Mike Adamson
Subject Attempt to create generic ACI
Date Mon, 25 Jul 2011 18:00:59 GMT

I am attempting to create a set of generic ACIs that would allow me to give
access to certain subtrees in the DIT by giving roles to a user. On the face
of it this seemed like a simple idea but I'm having a bit of difficulty
getting my head round the options available.

If I have:


and I have a group <role1>

What I want to have is a single ACI declared at the root that would allow
user1 rights to tree1 but not tree2 and user2 rights to tree2 but not tree1
by adding them to group1.

Is this possible or am I going to have to add a separate ACI for each tree?

The driver for this is that I want to be able to have a set of generic ACIs
defined at the root of a tree that provide me with 99% of my access
requirements without having to have each subtree declared as an access
control inner area.


Mike Adamson
