I want to create a couple of admin users who have access to create/delete users in a particular group/Organizational Unit. For example,

User: uid=testadmin, ou=people, dc=my,dc=net

Should have access to create new users/delete users under


I tried the ACI below, but it did not work:

(target = "ldap:///ou=People,dc=my,dc=net")(targetattr = "*") (version 3.0;acl "testadmin Permissions";allow (proxy)(userdn = "ldap:///uid=testadmin,ou=people,dc=my,dc=net");)

I am able to add administrative users from the Directory Server console, but this user data is not stored in LDIF files and is only stored in the binary database at /var/lib/dirsrv/slap-ldap/db/. The only problem is that these users have full power, and I am not sure how to restrict their access.


2 Answers


Well, the answer turned out to be very simple and logical. You provide an ACI for the specific OU. In this case, the user sm has all rights under the directory ou=Support Group.

(targetattr = "*")
(target = "ldap:///ou=Support Group,dc=my,dc=net")
(version 3.0;
acl "sm aci";
allow (all)
(userdn = "ldap:///uid=sm,ou=Support Group,dc=my,dc=net");)

target: specifies where to apply the rule.

targetattr: could be used to limit the access to various attributes of the entry. For example, if you want the "sm" user not to have access to change passwords, you could specify that here.

allow (): specifies the permission

The last one, userdn (bind rule): specifies who has the rights. In this way you can easily give other users access to manage their own groups' user credentials.


Tested; it will work perfectly:

(targetattr = "*") (target = "ldap:///ou=linux,dc=pramod,dc=com")(version 3.0;acl "pramod aci";
allow (write)(userdn = "ldap:///uid=pkumar,ou=linux,dc=pramod,dc=com");)

As per this ACL, user pkumar is able to modify all attributes of all Distinguished Names (DNs) belonging to the Organizational Unit (OU) linux. If you want to give full rights, just change (write) to (all). If you want to give the rights on the base DN, just remove ou=linux from the target.

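Added example (not part of either answer, and not Directory Server code): a small Python check that parses the ACIs from this thread and reports whether the granted rights include add and delete, which creating and deleting entries requires, and whether write access reaches the aci attribute, which would let the delegated admin add access rules of their own. The finding labels and the SCOPED ACI with its attribute list are constructed for illustration.

```python
import re

# Rights in the 389 Directory Server ACI syntax; "all" means every right except proxy.
RIGHTS = {"read", "write", "add", "delete", "search", "compare", "selfwrite", "proxy", "all"}

def parse_aci(aci):
    """Split one ACI value into target keywords, name, rights and bind rule."""
    targets = {k.lower(): (op, v) for k, op, v in
               re.findall(r'\(\s*(target\w*)\s*(!?=)\s*"([^"]*)"\s*\)', aci)}
    body = re.search(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*(allow|deny)\s*'
                     r'\(([^)]*)\)\s*(.*?)\s*;\s*\)\s*$', aci, re.I | re.S)
    if body is None:
        raise ValueError('malformed ACI: the permission block must end with ";)"')
    name, kind, rights, bind = body.groups()
    rights = {r.strip().lower() for r in rights.split(",")}
    if not rights <= RIGHTS:
        raise ValueError("unknown right(s): %s" % sorted(rights - RIGHTS))
    return {"targets": targets, "name": name, "type": kind.lower(),
            "rights": rights, "bind": bind}

def audit(aci):
    """Return findings about using this ACI to delegate user management."""
    p = parse_aci(aci)
    granted = RIGHTS - {"proxy", "all"} if "all" in p["rights"] else p["rights"]
    findings = []
    if not {"add", "delete"} <= granted:
        findings.append("no-create-delete")   # creating/removing entries needs add and delete
    op, value = p["targets"].get("targetattr", ("=", ""))
    attrs = {a.strip().lower() for a in value.split("||")}
    covers_aci = ("*" in attrs or "aci" in attrs) if op == "=" else "aci" not in attrs
    if "write" in granted and covers_aci:
        findings.append("can-write-aci")      # delegate could add ACIs and raise own access
    return findings

# ACIs from the thread, plus one constructed alternative with an explicit attribute list.
QUESTION = ('(target = "ldap:///ou=People,dc=my,dc=net")(targetattr = "*") '
            '(version 3.0;acl "testadmin Permissions";allow (proxy)'
            '(userdn = "ldap:///uid=testadmin,ou=people,dc=my,dc=net");)')
ANSWER_WRITE = ('(targetattr = "*") (target = "ldap:///ou=linux,dc=pramod,dc=com")'
                '(version 3.0;acl "pramod aci"; allow (write)'
                '(userdn = "ldap:///uid=pkumar,ou=linux,dc=pramod,dc=com");)')
SCOPED = ('(target = "ldap:///ou=People,dc=my,dc=net")'
          '(targetattr = "cn || sn || uid || mail || userPassword || objectClass")'
          '(version 3.0; acl "testadmin manage People"; allow (read, search, write, add, delete)'
          '(userdn = "ldap:///uid=testadmin,ou=people,dc=my,dc=net");)')

if __name__ == "__main__":
    for label, aci in [("question", QUESTION), ("answer (write)", ANSWER_WRITE), ("scoped", SCOPED)]:
        print(label, audit(aci) or "ok")
```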