On Thu, 10 May 2018, Ervin Hegedüs wrote:
> On Wed, May 09, 2018 at 01:00:05PM +0200, Ervin Hegedüs wrote:
> > Is there any way to set up one or more ACL's, where admin1 user
> > can set up the dc=sub-company21,dc=company2,dc=hu as baseDN, and
> > can start to search from there, but he will see the entries only
> > from ou=orgunit1 and ou=orgunit2?
>
> if there isn't any solution with ACL, can I make it some other
> way? I mean, back_meta, rewrite, or other overlay solutions...?

An LDAP filter can test the components of an entry's DN with a clause
such as:

    (|(ou:dn:=orgunit1)(ou:dn:=orgunit2))

Note the ":dn" syntax there. Perhaps an ACL using an LDAP filter
containing something like that would be part of a solution.

Philip Guenther
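
Added example, not part of the original message and not slapd's own matching code: a simplified Python model of how the ":dn" extensible-match filter from the reply selects entries below the base DN from the question. The sample entries, the helper names and the simplified DN parsing (no unescaping of values) are assumptions made for illustration.

```python
import re

def parse_dn(dn):
    """Split a DN into lower-cased (attribute, value) pairs.
    Simplified: splits on unescaped ',' and '+', does not unescape values."""
    pairs = []
    for rdn in re.split(r'(?<!\\),', dn):
        for ava in re.split(r'(?<!\\)\+', rdn):
            attr, _, value = ava.partition('=')
            pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs

def dn_ext_match(entry, attr, value):
    """Model of (attr:dn:=value): true if value is one of the entry's own
    attr values OR one of the attr components of its DN."""
    attr, value = attr.lower(), value.lower()
    own = [v.lower() for v in entry["attrs"].get(attr, [])]
    in_dn = [v for a, v in parse_dn(entry["dn"]) if a == attr]
    return value in own or value in in_dn

def acl_filter(entry):
    # (|(ou:dn:=orgunit1)(ou:dn:=orgunit2)) from the reply above
    return any(dn_ext_match(entry, "ou", ou) for ou in ("orgunit1", "orgunit2"))

BASE = "dc=sub-company21,dc=company2,dc=hu"

# Constructed sample entries (attribute names stored lower-case)
ENTRIES = [
    {"dn": BASE, "attrs": {"dc": ["sub-company21"]}},
    {"dn": "ou=orgunit1," + BASE, "attrs": {"ou": ["orgunit1"]}},
    {"dn": "uid=a,ou=orgunit1," + BASE, "attrs": {"uid": ["a"]}},
    {"dn": "uid=b,OU=OrgUnit2," + BASE, "attrs": {"uid": ["b"]}},
    {"dn": "uid=c,ou=orgunit3," + BASE, "attrs": {"uid": ["c"]}},
    # Lives under orgunit3 but carries its own ou attribute
    {"dn": "uid=d,ou=orgunit3," + BASE, "attrs": {"uid": ["d"], "ou": ["orgunit1"]}},
]

def matching_dns(entries=ENTRIES):
    """Return the DNs of the entries the filter selects."""
    return [e["dn"] for e in entries if acl_filter(e)]

if __name__ == "__main__":
    for e in ENTRIES:
        print("match" if acl_filter(e) else "-----", e["dn"])
```

In this model the base entry itself does not match, and uid=d under ou=orgunit3 does match through its own ou attribute; both cases matter when such a filter is used in an access rule.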
