I have tried to export my DIT as LDIF so I can send it, but with no
success. I simply exported the tree, connecting as the admin (so that
there are no problems with ACI), with the filter (objectClass=*) and
with the scope set to subtree. The only information in the exported LDIF
is one entry (the access control subentry) and then it stops. There is
no trace of my structure, so I will try to describe it again. The
structure (and the idea) is simple:
I want my members to be able to have their own private address books. To
achieve this, I simply added in each member (e.g. cn=Joan Baez) a subentry
(ou=contacts). In there, I then added some sample contacts
(cn=Contact1); so the structure is simply: member-contacts-contact1...
What I would like to do is bind with a member and see that he indeed has
access not only to his own entry, but to all the sub entries in his
entry (so he evidently has access to his own address book).
This was my only idea as to how I could implement a private address
book, not in a completely inelegant structure. I first thought this to be
the default behavior of ACI, that is when I gave access to an entry I
implicitly gave access to its substructure as well, but it seems not to
be so.
One solution would of course be to define a subtree, with the entry of
the member as a root and spanning a couple of levels down, and then give
the user access to that. But to do this, I have to define the subtree
relative to the root of the user with which I bind, so that I only have
to define one rule for all the members, as opposed to defining each
subtree by hand, for each member, and then defining a rule for every
member, which will be completely impractical of course. There is a way
to reference the entry of the member with which I bind (the 'This
Entry'), but, seeing the docs are a little behind, I have no idea how to
work with this entry and then define a subtree with it as the root.
Now if this is not actually possible (I'm really hoping that's not the
case), how would I go about structuring my users so that they can access
their address books only? I could split the address book from the user,
but I'd rather not, until I've exhausted all other options.
I have thought about another possible solution (if this is of any
interest) by simply defining a groupOfNames or groupOfUniqueNames as the
address book, but this type of entry seems to be unreadable by an email
client (it should be, but it's not), so I cannot use it.
Thank you for your answers. Eugen.
--
Eugen Paraschiv, Java Developer
AZOTH Ltd
Grigore Alexandrescu 52
Bucharest, 010626, Romania
Tel: +40728-896170;
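As an added illustration that is not part of the message above and not the ACI syntax of any particular directory server: the rule Eugen is asking for, "the user who binds may read everything in the subtree rooted at his own entry, N levels down", modelled in Python over a constructed snapshot of the described structure (member entry, ou=contacts beneath it, contacts beneath that). The base "o=azoth" and the entry names are assumptions for the sample. The point a practitioner should take from it is that the decision must compare RDN components, not raw DN strings: a naive suffix match on the bound DN breaks on case, on spacing around commas and on escaped commas in values, all of which the component comparison below handles.

```python
# Added example, not code from the original message. Models the access rule
# "bound DN is an ancestor of the target DN, at most `depth` levels up" that
# the message describes. Server-independent; the directory snapshot and the
# base "o=azoth" are constructed sample data.


def normalize_rdn(rdn):
    """Lower-case the attribute type and collapse whitespace in the value,
    so 'CN=Joan  Baez' and 'cn=joan baez' compare equal (caseIgnore-style)."""
    attr, _, value = rdn.strip().partition("=")
    return attr.strip().lower() + "=" + " ".join(value.split()).lower()


def split_dn(dn):
    """Split a DN into normalized RDN strings, leaf first, honouring
    backslash-escaped commas inside attribute values (RFC 4514)."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    return [normalize_rdn(r) for r in rdns]


def is_within_subtree(bound_dn, target_dn, depth):
    """True if target_dn is bound_dn itself or a descendant at most `depth`
    levels below it. Compares RDN components rather than raw strings, so it
    is not fooled by case, spacing or escaped commas."""
    bound, target = split_dn(bound_dn), split_dn(target_dn)
    extra = len(target) - len(bound)
    if extra < 0 or extra > depth:
        return False
    return target[extra:] == bound


# Constructed snapshot of the structure described in the message:
# member entry -> ou=contacts -> individual contacts. The second member has
# an escaped comma in its RDN to exercise the parser.
DIRECTORY = [
    "ou=members,o=azoth",
    "cn=Joan Baez,ou=members,o=azoth",
    "ou=contacts,cn=Joan Baez,ou=members,o=azoth",
    "cn=Contact1,ou=contacts,cn=Joan Baez,ou=members,o=azoth",
    "cn=Dylan\\, Bob,ou=members,o=azoth",
    "ou=contacts,cn=Dylan\\, Bob,ou=members,o=azoth",
    "cn=Contact1,ou=contacts,cn=Dylan\\, Bob,ou=members,o=azoth",
]


def visible_entries(bound_dn, entries=DIRECTORY, depth=2):
    """Entries the bound user may read under the rule: his own entry plus up
    to `depth` levels beneath it (ou=contacts and the contacts themselves),
    and nothing belonging to another member."""
    return [e for e in entries if is_within_subtree(bound_dn, e, depth)]


if __name__ == "__main__":
    for dn in ("cn=Joan Baez,ou=members,o=azoth",
               "CN=dylan\\, bob, ou=members, o=azoth"):
        print(dn)
        for e in visible_entries(dn):
            print("   ", e)
```

With depth=2 a bound member sees exactly his own entry, his ou=contacts and the contacts under it; lowering depth to 1 hides the contacts again, which is the knob that the "spanning a couple of levels down" subtree in the message corresponds to.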