
In OpenLDAP I had an access rule using users that are roleOccupants in a specific organizationalRole like this (the example is just a fragment):

olcAccess: to * by group/organizationalRole/roleOccupant.exact="cn=Manager,dc=roles,dc=example,dc=org" write

Unfortunately I'm not able to convert this to an ACI for 389-DS. What I tried without success was:

aci: (targetattr = "*")(version 3.0; acl "Manager test"; allow (all)(userdn="ldap:///cn=Manager,dc=roles,dc=example,dc=org??one?(roleOccupant=*)");)

Tracing the ACI evaluation I see that 389-DS is searching in dc=people,dc=example,dc=org for cn=Manager,dc=roles,dc=example,dc=org as a direct child (one).

But I must admit that I'm overwhelmed by the complexity of the ACIs as described in "1.10. Defining ACI bind rules". Originally I had thought I could use roledn=, but with the existing structure no roles are listed by dsidm; it seems it only works for "Netscape Roles" (nsRoleDefinition, etc.).

So is it possible to use my existing role structure for access control in 389-DS?

U. Windl
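To make the difference between the two rules concrete, here is an added example (not code from the question or from either LDAP server): a small Python model of what each rule actually tests. It assumes the documented meaning of the 389-DS userdn LDAP URL form (the bind DN must itself be an entry under the URL's base, within its scope, that matches the filter) and uses a constructed toy directory with DNs that are not the asker's.

```python
"""Constructed example: why an OpenLDAP roleOccupant group rule and a
389-DS userdn LDAP URL are not equivalent tests.

The OpenLDAP rule consults the ROLE ENTRY and asks whether its
roleOccupant attribute lists the bind DN.  The userdn URL consults the
BIND DN'S OWN ENTRY and asks whether it lies under the URL base, in the
URL scope, and matches the filter.  The role entry's roleOccupant values
are never read by the second test (assumption: documented semantics)."""

# Constructed toy DIT: lowercase DN -> attributes (lists of values).
DIT = {
    "cn=manager,dc=roles,dc=example,dc=org": {
        "objectclass": ["organizationalRole"],
        "roleoccupant": ["uid=alice,dc=people,dc=example,dc=org"],
    },
    "uid=alice,dc=people,dc=example,dc=org": {"objectclass": ["inetOrgPerson"]},
    "uid=bob,dc=people,dc=example,dc=org": {"objectclass": ["inetOrgPerson"]},
}

ROLE_DN = "cn=manager,dc=roles,dc=example,dc=org"


def parent_dn(dn: str) -> str:
    """Drop the leftmost RDN (sample DNs contain no escaped commas)."""
    return dn.split(",", 1)[1]


def openldap_role_occupant(bind_dn: str) -> bool:
    """OpenLDAP: by group/organizationalRole/roleOccupant.exact="<role>".
    True when the role entry lists the bind DN in roleOccupant."""
    return bind_dn.lower() in DIT[ROLE_DN]["roleoccupant"]


def aci_userdn_url(bind_dn: str, base: str = ROLE_DN, attr: str = "roleoccupant") -> bool:
    """389-DS: userdn="ldap:///<base>??one?(<attr>=*)" (assumed semantics).
    True only if the bind DN's own entry is a direct child of base and
    carries at least one value of <attr> itself."""
    entry = DIT.get(bind_dn.lower())
    if entry is None:
        return False
    direct_child = parent_dn(bind_dn.lower()) == base
    return direct_child and attr in entry


def compare(bind_dn: str) -> tuple[bool, bool]:
    """(OpenLDAP verdict, 389-DS userdn-URL verdict) for one bind DN."""
    return openldap_role_occupant(bind_dn), aci_userdn_url(bind_dn)


if __name__ == "__main__":
    for dn in ("uid=alice,dc=people,dc=example,dc=org", "uid=bob,dc=people,dc=example,dc=org"):
        print(dn, compare(dn))
```

Alice, the only occupant of the role, is granted by the OpenLDAP rule but denied by the userdn URL, because her entry is not a child of the role entry and has no roleOccupant attribute of its own.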
