
ACL and Dynamic Groups



Dear Members,

I have a problem that consists in allowing a member of a group to manage accounts that have a certain value in an attribute.
My organization structure is as the following example:
-Organization
--Branch1
---Branch1-HR
---Branch1-divisionA
---Branch2-divisionB
--Branch2
---Branch2-HR

The way that I figured out to make it work was using Dynamic Lists to group users that have the attribute value.
So I activated the dynlists overlay and configured it.

My OpenLDAP DIT is as shown below:

-dc=something,dc=something2,dc=br
--ou=Group
---cn=s-branch1admin-rw
----dn=uid=user3,ou=People,dc=something,dc=something2,dc=br
---cn=branch1-users (dynamic group that contains DN's of users filtered by departmentNumber=divisionA or departmentNumber=divisionB)
----dn=uid=user1,ou=People,dc=something,dc=something2,dc=br
----dn=uid=user2,ou=People,dc=something,dc=something2,dc=br
--ou=People
---uid=user1 (attr: inetorgperson departmentNumber=divisionA)
---uid=user2 (attr: inetorgperson departmentNumber=divisionB)
---uid=user3

So, now, I need an ACL that allows members of cn=s-branch1admin-rw to manage user1, user2 and any other user that is in the dynamic group cn=branch1-users.

I searched the web and didn't find any result that shows exactly how to build this ACL. I tried some ways to write it, especially these two forms:
1) access to dn.children="cn=branch1-users,dc=something,dc=something2,dc=br" by set="[cn=s-branch1admin-rw,ou=Group,dc=something,dc=something2,dc=br]/member*" manage

2) access to dn.children="cn=branch1-users,dc=something,dc=something2,dc=br" by group.exact="cn=s-branch1admin-rw,ou=Group,dc=something,dc=something2,dc=br" manage

And some other forms, and none of these appears to work.

So, if someone has already done it or knows about it, can you help me with ACL and Dynamic Groups?

Thanks for the help and for the patience with my long e-mail.
Best regards!

Ivan Athanazio