Ah HA! Adding the subentry opened up a tonne of possibilities! Thank you very much for your assistance.
Ibis redibis nunquam per bella peribis On Thu, May 12, 2011 at 7:33 AM, Mike Adamson <[email protected]> wrote: > Hi, > > You need to give the o=US,DC=mydomain,DC=org node an administrativeRole > attribute with a value of accessControlSpecificArea and then create a sub > entry for it like: > > dn: cn=adminSubentry,o=US,dc=mydomain,dc=org > changetype: add > objectclass: top > objectclass: subentry > objectclass: accessControlSubentry > cn: adminSubentry > subtreeSpecification: {} > prescriptiveACI: { > identificationTag "administratorFullAccessACI", > precedence 100, > authenticationLevel simple, > itemOrUserFirst userFirst: { > userClasses { > name { "uid=adminguy,ou=people(,o=US...,DC=org)." } > }, > userPermissions { > { > protectedItems { > entry, allUserAttributeTypesAndValues > }, > grantsAndDenials { > grantAdd, grantDiscloseOnError, grantRead, > grantRemove, grantBrowse, grantExport, grantImport, > grantModify, grantRename, grantReturnDN, > grantCompare, grantFilterMatch, grantInvoke > } > } > } > } > } > > I haven't had much joy applying these things with directory studio, it's > easier to put it all in an ldif file and import it. > > Cheers, > > MikeA > > On 11 May 2011 18:33, Steven Altsman <[email protected]> wrote: > >> Hi All, >> >> Pretty straightforward question, methinks: I have >> o=US,DC=mydomain,DC=org and in there I have >> uid=adminguy,ou=people(,o=US...,DC=org). I want him to admin over >> o=US,DC=mydomain,DC=org. I've got ApacheDS and Eclipse with Directory >> Studio extensions. >> >> Ibis redibis nunquam per bella peribis >> >
