On Fri, Sep 27, 2013 at 02:25:24PM +0300, Zeus Panchenko wrote:

> have I create dedicated object like:
> dn: authorizedService=YYY,uid=AAA,dc=ZZZ
>
> before configuring the service for the user like:
> dn: uid=XXX,authorizedService=YYY,uid=AAA,dc=ZZZ
>
> or the second one will be enough?

You have to create the branch points before you can add entries
under them. That is why I suggested the alternative where both
the service name and the uid are part of the RDN: such multi-valued
RDNs are unusual, but it might be a convenient structure in this case.

> as for the different classes ... I was trying to find it but faced the
> problem when the parent record, which contains
> objectclass: posixAccount
> objectclass: inetOrgPerson
> objectclass: organizationalPerson
> objectclass: person
> objectclass: inetLocalMailRecipient
>
> was refusing the child creation until the child belongs to that set of
> classes :(

There must have been some other reason for the error. LDAP servers do not
normally restrict what type of entry you can create at a given point
in the DIT. The ACLs in force might restrict what you can do, but you
have control over those.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
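
The ordering rule described in the reply above, as an added example that is not part of the original message: a Python check that takes the DNs you plan to add, orders them parent-first, and reports branch points that must exist beforehand. The function names (split_dn, parent_dn, plan_adds) are hypothetical, the DNs are the thread's placeholders, and comparing DNs by lowercasing is a simplifying assumption.

```python
# Added example: names split_dn, parent_dn and plan_adds are hypothetical.

def split_dn(dn):
    """Split a DN into RDNs on unescaped commas (backslash escaping only)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escaped pair intact
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).lstrip())
            cur = []
        else:
            cur.append(dn[i])            # '+' stays inside its RDN
        i += 1
    rdns.append("".join(cur).lstrip())
    return rdns

def parent_dn(dn):
    return ",".join(split_dn(dn)[1:])

def _key(dn):
    # Assumption: case-insensitive comparison is good enough for this check.
    return ",".join(split_dn(dn)).lower()

def plan_adds(new_dns, existing_dns):
    """Return (order, missing): new DNs parent-first, plus branch points
    that neither exist already nor appear in the batch."""
    have = {_key(d) for d in existing_dns}
    order = sorted(new_dns, key=lambda d: len(split_dn(d)))
    missing = []
    for dn in order:
        parent = parent_dn(dn)
        if _key(parent) not in have and parent not in missing:
            missing.append(parent)       # the add would fail: no such parent
        have.add(_key(dn))
    return order, missing

# Constructed sample using the placeholder DNs from the thread.
EXISTING = ["dc=ZZZ", "uid=AAA,dc=ZZZ"]
NESTED = "uid=XXX,authorizedService=YYY,uid=AAA,dc=ZZZ"
BRANCH = "authorizedService=YYY,uid=AAA,dc=ZZZ"
MULTI = "authorizedService=YYY+uid=XXX,uid=AAA,dc=ZZZ"

if __name__ == "__main__":
    for batch in ([NESTED], [NESTED, BRANCH], [MULTI]):
        print(plan_adds(batch, EXISTING))
```

The nested layout reports the authorizedService branch point as missing unless it is in the batch, while the multi-valued RDN sits directly under the user's entry and needs no extra level.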
