On Mon, Feb 02, 2009 at 05:59:40PM -0200, Leandro Repolho wrote:
> Hello, I don't know if it is possible to do it, but I would like to create a
> user inside an OU of my OpenLDAP server, and when this user connects to an
> LDAP manager like phpLdapAdmin he needs to see all objects inside his OU and
> manage them. Is it possible to do it?
Yes. This sort of thing can be done very efficiently using regular
expressions.
Suppose you have an organisation with DN dc=example,dc=org and OUs
under it, then a directive like this will give write access to
the user with the name 'cn=admin,ou=people,ou=XXX,dc=example,dc=org':
# Allow admin to write all entries inside their own department
#
# The target regex captures the department OU's DN in $1; the 'expand'
# modifier on the 'by' clause substitutes it into the admin's DN.
access to dn.regex="(ou=[^,]+,dc=example,dc=org)$"
        by dn.subtree,expand="cn=admin,ou=people,$1" write
        by * break
The regex recognises entries under any OU, and saves the DN of
the OU in $1. This is then substituted into the 'by' clause to
give access to the right admin.
I will be presenting a paper on ACL design at the UKUUG Spring
Conference in London, and this is very close to one of the examples.
http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd                                 |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/                        +44 1628 782565 |
-----------------------------------------------------------------------
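The following is an added example, not part of the thread and not Andrew's code: a small offline simulator of the ACL mechanism he describes (regex capture on the target DN, `$1` expansion into the `by` clause, and the `dn.subtree` test on the bound DN), so the regex can be sanity-checked against sample DNs before it goes into slapd.conf. Assumptions: it uses Python's `re` rather than the POSIX regex engine slapd uses, it approximates DN normalisation by lower-casing and stripping whitespace, and all DNs in it (the `sales`/`marketing` OUs, `uid=bob`, `uid=eve`) are constructed sample data.

```python
"""Offline simulator for the ACL discussed in the thread:

    access to dn.regex="(ou=[^,]+,dc=example,dc=org)$"
            by dn.subtree,expand="cn=admin,ou=people,$1" write
            by * break

Models only the pieces the thread explains; it is a design check for the
regex, not a replacement for slapd's own evaluator.
"""
import re
from typing import Optional

# The target regex and 'by' template exactly as in the ACL above.
TARGET_REGEX = re.compile(r"(ou=[^,]+,dc=example,dc=org)$", re.IGNORECASE)
BY_TEMPLATE = "cn=admin,ou=people,$1"


def dn_components(dn: str) -> list:
    """Split a DN into RDNs, not splitting on backslash-escaped commas.

    Lower-casing and whitespace stripping is a simplification of real DN
    normalisation (assumption: good enough for ASCII sample DNs).
    """
    return [c.strip().lower() for c in re.split(r"(?<!\\),", dn) if c.strip()]


def in_subtree(dn: str, base: str) -> bool:
    """slapd's dn.subtree semantics: dn equals base or lies beneath it."""
    d, b = dn_components(dn), dn_components(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def expand(template: str, match: "re.Match") -> str:
    """Substitute $N / ${N} in a 'by' clause with the regex capture groups."""
    return re.sub(r"\$\{?(\d)\}?", lambda m: match.group(int(m.group(1))), template)


def admin_for(target_dn: str) -> Optional[str]:
    """DN that this directive grants write to for target_dn, or None when the
    target regex does not match (the directive then does not apply at all)."""
    m = TARGET_REGEX.search(target_dn)
    return expand(BY_TEMPLATE, m) if m else None


def can_write(bound_dn: str, target_dn: str) -> bool:
    """True if this directive grants bound_dn write on target_dn.

    False covers both "regex did not match" and "matched but fell through to
    'by * break'"; either way a later access directive decides.
    """
    admin = admin_for(target_dn)
    return admin is not None and in_subtree(bound_dn, admin)


if __name__ == "__main__":
    # Constructed sample DNs; none of these come from the thread.
    sales_admin = "cn=admin,ou=people,ou=sales,dc=example,dc=org"
    cases = [
        (sales_admin, "uid=bob,ou=people,ou=sales,dc=example,dc=org"),
        (sales_admin, "ou=sales,dc=example,dc=org"),          # the OU entry itself
        (sales_admin, "uid=eve,ou=people,ou=marketing,dc=example,dc=org"),
        (sales_admin, "dc=example,dc=org"),                   # regex does not match
        ("uid=bob,ou=people,ou=sales,dc=example,dc=org",
         "uid=bob,ou=people,ou=sales,dc=example,dc=org"),     # ordinary user
        # An OU whose name contains an escaped comma is never matched by [^,]+
        (sales_admin, "uid=x,ou=people,ou=Sales\\, EMEA,dc=example,dc=org"),
    ]
    for bound, target in cases:
        print(f"{bound:50} {target:55} write={can_write(bound, target)}")
```

Two practitioner caveats the simulation makes visible: `[^,]+` silently excludes any OU whose name contains an escaped comma, so such departments fall through to whatever `by * break` leads to; and `dn.subtree` on the expanded admin DN also matches any entry stored beneath the admin's own entry, so `dn.exact,expand` is the tighter choice when the admin entry is a leaf. Against a real configuration the authoritative check is slapd's own `slapacl` tool with `-D` (bound DN) and `-b` (target DN), not this script.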