On Fri, Sep 27, 2013 at 02:25:24PM +0300, Zeus Panchenko wrote:
> do I have to create a dedicated object like:
> dn: authorizedService=YYY,uid=AAA,dc=ZZZ
> before configuring the service for the user like:
> dn: uid=XXX,authorizedService=YYY,uid=AAA,dc=ZZZ
> or will the second one be enough?

You have to create the branch points before you can add entries under
them. That is why I suggested the alternative where both the service
name and the uid are part of the RDN: such multi-valued RDNs are
unusual, but it might be a convenient structure in this case.

> as for the different classes ... I was trying to find it but faced the
> problem when the parent record, which contains
> objectclass: posixAccount
> objectclass: inetOrgPerson
> objectclass: organizationalPerson
> objectclass: person
> objectclass: inetLocalMailRecipient
> was refusing the child creation until the child belongs to that set of
> classes :(

There must have been some other reason for the error. LDAP servers do
not normally restrict what type of entry you can create at a given
point in the DIT. The ACLs in force might restrict what you can do,
but you have control over those.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
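
The point about branch points, as an added example that is not part of the original message: given the entries already in the directory, it lists what has to be added and in which order for the nested layout and for a multi-valued RDN layout. The form uid=XXX+authorizedService=YYY is an assumed spelling of the alternative mentioned in the reply, the function names are hypothetical, and quoted-string attribute values are not handled.

```python
# Added illustration; the DNs reuse the thread's placeholders (XXX, YYY, AAA, ZZZ).
def split_unescaped(s, sep):
    """Split s on sep, skipping backslash-escaped characters (RFC 4514 string form)."""
    parts, cur, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur, i = cur + s[i:i + 2], i + 2
        elif s[i] == sep:
            parts.append(cur)
            cur, i = "", i + 1
        else:
            cur, i = cur + s[i], i + 1
    return parts + [cur]

def normalize(dn):
    """DN -> tuple of RDNs, each a frozenset of (attr, value) pairs, so the
    order of the parts of a multi-valued RDN (joined by '+') does not matter.
    Assumption: every attribute here matches case-insensitively."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = (ava.partition("=") for ava in split_unescaped(rdn, "+"))
        rdns.append(frozenset((a.strip().lower(), v.strip().lower()) for a, _, v in avas))
    return tuple(rdns)

def creation_order(planned, existing):
    """Return the DNs to add, parents first, including branch points that
    are not in `planned` but must exist before their children."""
    have = {normalize(d) for d in existing}
    order = []
    for dn in sorted(planned, key=lambda d: len(split_unescaped(d, ","))):
        parts = split_unescaped(dn, ",")
        # Walk from the top of the tree down to the entry itself.
        for i in range(len(parts) - 1, -1, -1):
            candidate = ",".join(parts[i:])
            if normalize(candidate) not in have:
                have.add(normalize(candidate))
                order.append(candidate)
    return order

if __name__ == "__main__":
    existing = ["dc=ZZZ", "uid=AAA,dc=ZZZ"]  # constructed: entries assumed present
    nested = ["uid=XXX,authorizedService=YYY,uid=AAA,dc=ZZZ"]
    multi = ["uid=XXX+authorizedService=YYY,uid=AAA,dc=ZZZ"]  # assumed RDN form
    print("nested layout:", creation_order(nested, existing))
    print("multi-valued RDN layout:", creation_order(multi, existing))
```

The nested layout yields two adds (the authorizedService=YYY branch point, then the uid=XXX entry), while the multi-valued RDN layout yields a single add directly under uid=AAA,dc=ZZZ.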