[Fedora-directory-users] ACI trouble: binding as a UID in an "hidden" branch

[Sascha Wilde]

Hi *,

I'm having a directory with an basedn:
  dc=foo, dc=bar
containing an "sub directory" named "internal":
  cn=internal, dc=foo, dc=bar

Now I want to hide "internal" and its children from most users, with
exception of the members of some administrative groups, so I added an
ACI to "internal" like this:

(targetattr = "*") (version 3.0;acl "hide internal";
deny (read,write,delete,add)
(groupdn != "ldap:///cn=admin,cn=internal,dc=foo,dc=bar" and 
 groupdn != "ldap:///cn=configuration administrators,ou=groups,
             ou=topologymanagement,o=netscaperoot");)

Now I have a user cn=manager,cn=internal,dc=foo,dc=bar who is member
of the group cn=admin,cn=internal,dc=foo,dc=bar and should be allowed
to access "internal" and its children.

But this doesn't work: I can't even bind as
cn=manager,cn=internal,dc=foo,dc=bar I suppose because the user is an
child of "internal", and so anonymous isn't allowed to access the
object for authentication.

How can I achieve that it is possible to bind as a user in the hidden
sub directory without making it world readable?

cheers
sascha
-- 
Sascha Wilde                                      OpenPGP key: 4BB86568
Intevation GmbH, Osnabrück             http://www.intevation.de/~wilde/
Amtsgericht Osnabrück, HR B 18998             http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 188 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20070606/d09c9eb6/attachment.sig>