Hi Jorge,
Declaring an ACI under Group 1 will give all the users under
the group ou=Group 1 the rights to modify the users under Group 1.
(target="ldap:///ou=Group 1,ou=People,o=Slashsupport")(targetattr="*")(version 3.0; acl "selfwriteACI"; allow (selfwrite) userdn = "ldap:///anyone";)
So, I guess you will have to create an ACI for each user.
And one more thing I didn't understand about your query was how you were
able to create a CN under the user jortiz, because creating an object
class under an attribute user is not possible. At least that's what I
thought. Please advise me on the same.
regards,
Vinu
Jorge Ortiz Claver wrote:
> Hi,
>
> I am trying to create one ACI in my directory server in order to
> resolve the following problem:
>
> I have one node "ou=People,o=root" where I am going to create groups
> (not real groups, organizational units) of persons. So, under this
> node I will have entries like:
>
> ou=Group 1,ou=People,o=root
>
> And, under these objects, I will create the user objects and all the
> objects that belong to these users. For example,
>
> uid=jortiz,ou=Group 1,ou=People,o=root
> cn=data1,uid=jortiz,ou=Group 1,ou=People,o=root
> cn=data2,uid=jortiz,ou=Group 1,ou=People,o=root
>
> Now, with this structure, what I want to get is that all the users
> have rights for all operations in their own node and all the nodes
> under this node. For example, the user 'jortiz' should have access to
> 'uid=jortiz,ou=Group 1,ou=People,o=root' and
> 'cn=data2,uid=jortiz,ou=Group 1,ou=People,o=root'.
>
> I know one way to solve this problem and it is to create an ACI in
> every user object and say in it: let 'self' write in this object.
> The problem is that I have to maintain one ACI for each user in the
> directory.
>
> What I am looking for is a method to create this ACI in the node
> 'Group' or 'People'.
>
> Is it possible? And, if it is possible, do you know how to implement
> it?
>
> Thank you in advance
>
> Jorge Ortiz Claver
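
The per-user approach that both messages mention can be scripted so the ACIs do not have to be maintained by hand. The following is an added example, not part of the original thread: it emits LDIF that places one ACI on each user entry, granting that user rights on the entry and everything beneath it. It assumes the ACI syntax shown in the reply above; the function names and the sample DN list are hypothetical.

```python
import base64
import re

# Characters that would end the quoted string or the clause if a DN were
# interpolated into an ACI, plus backslash and control characters.
_UNSAFE = re.compile(r'["();\\\x00-\x1f]')


def ldif_attr(name, value):
    """Return one LDIF line, base64-encoding values that are not LDIF-safe."""
    safe = (value.isascii() and not value.startswith((" ", ":", "<"))
            and not value.endswith(" "))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def owner_aci(user_dn):
    """Build an ACI giving user_dn rights on its own entry and subtree."""
    if _UNSAFE.search(user_dn):
        raise ValueError(f"refusing DN with ACI metacharacters: {user_dn!r}")
    rdn = user_dn.split(",", 1)[0]  # safe: escaped commas were rejected above
    # "all" matches the question ("all operations"); narrow it if less is needed.
    return (f'(target="ldap:///{user_dn}")(targetattr="*")'
            f'(version 3.0; acl "owner-subtree {rdn}"; '
            f'allow (all) userdn="ldap:///{user_dn}";)')


def owner_aci_ldif(user_dns):
    """Return LDIF modify records adding the owner ACI to each user entry."""
    records = []
    for dn in user_dns:
        aci = owner_aci(dn)  # validate before emitting anything for this DN
        records.append("\n".join([
            ldif_attr("dn", dn), "changetype: modify", "add: aci",
            ldif_attr("aci", aci), "-",
        ]))
    return "\n\n".join(records) + "\n"


# Constructed sample input, using the user DN from the question.
SAMPLE_USERS = ["uid=jortiz,ou=Group 1,ou=People,o=root"]

if __name__ == "__main__":
    print(owner_aci_ldif(SAMPLE_USERS), end="")
```

Because each ACI names one specific bind DN in `userdn`, a user gains nothing on a sibling's subtree, unlike a single rule at the group level with `ldap:///anyone`.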