Hello!
I'd like to create administrator groups under each OU, so that this administrator will be allowed to manage everything in this OU. By default, I'm creating a simpleSecurityObject with cn=admin in each administrators group, so the OU administrator can log in as the OU, or, if there are more administrators, they can use admin_name@OU as the username. This works nicely if I have OUs on one level. I have no idea how to do it if I have a more complicated structure, i.e.:
root
+-ou=department1
| +-ou=administrators
|   +-cn=admin
|   +-cn=admin2
+-ou=department2
  +-ou=administrators
  | +-admin
  +-ou=subdepartment1
  | +-ou=administrators
  |   +-admin
  +-ou=subdepartment2
    +-ou=administrators
      +-admin
...
I can assume that all departments will have unique names. I'd like each admin to be able to log in as the department (=> admin@department) or as user@department.
Is there any way to ensure that each ou (with the specific objectClass=department) will have a unique name? Is it possible to construct the bind DN with only the department (ou) name? I'd like to avoid using a login name like admin2@subdepartment2.department2 if I'm sure that the subdepartment2 name is unique. I've tried to do it in two steps: search for the DN of subdepartment-N as anonymous, then add "cn=admin,ou=administrators" as a prefix and then log in as the right user with the password. It works, but it requires read access to the whole tree for anonymous, which may not be acceptable. I've tried to limit anonymous access to only the dc and ou attributes, but with such an ACL I see only the first level of ou.
Thanks in advance!
openldap-technical@openldap.org
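The login-to-bind-DN step described in the question (search for the department's DN, then prefix cn=<user>,ou=administrators and bind) can be modelled offline. The block below is an added example, not code from the original post or from OpenLDAP: it reads a constructed LDIF dump shaped like the tree above, checks that every objectClass=department entry has a unique ou (the precondition the scheme relies on), and maps "user@department" or a bare "department" to the bind DN using only the department name, so nested departments never appear in the login. The suffix dc=example,dc=org, the objectClass name department and the sample LDIF are assumptions; the RDN escaping follows RFC 4514 so a user-supplied name cannot inject extra RDN components.

```python
"""Resolve 'user@department' logins to a bind DN from a directory dump.

Added example, not from the original post. The suffix dc=example,dc=org,
the objectClass 'department' and the LDIF below are assumptions; the LDIF
is constructed sample data, not an export from any real server.
"""
from collections import defaultdict

DEPT_CLASS = "department"   # assumed structural/auxiliary class marking a department
DEFAULT_ADMIN = "admin"     # a bare 'department' login means cn=admin of that department

# Constructed LDIF mirroring the tree in the question (department2 nests subdepartment1).
SAMPLE_LDIF = """\
dn: ou=department1,dc=example,dc=org
objectClass: organizationalUnit
objectClass: department
ou: department1

dn: ou=administrators,ou=department1,dc=example,dc=org
objectClass: organizationalUnit
ou: administrators

dn: cn=admin,ou=administrators,ou=department1,dc=example,dc=org
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin

dn: cn=admin2,ou=administrators,ou=department1,dc=example,dc=org
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin2

dn: ou=department2,dc=example,dc=org
objectClass: organizationalUnit
objectClass: department
ou: department2

dn: ou=administrators,ou=department2,dc=example,dc=org
objectClass: organizationalUnit
ou: administrators

dn: cn=admin,ou=administrators,ou=department2,dc=example,dc=org
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin

dn: ou=subdepartment1,ou=department2,dc=example,dc=org
objectClass: organizationalUnit
objectClass: department
ou: subdepartment1

dn: ou=administrators,ou=subdepartment1,ou=department2,dc=example,dc=org
objectClass: organizationalUnit
ou: administrators

dn: cn=admin,ou=administrators,ou=subdepartment1,ou=department2,dc=example,dc=org
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {attr: [values]}) with attribute names lower-cased.
    Entries are separated by blank lines; base64 (::) values and line folding are not handled."""
    entries, dn, attrs = [], None, defaultdict(list)
    for line in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs[name].append(value)
    return entries


def department_index(entries):
    """Map each department's ou value to its DN (case-folded: ou uses caseIgnoreMatch).
    Raises ValueError if two objectClass=department entries share an ou, because the
    'user@department' scheme is only sound when department names are globally unique."""
    seen = defaultdict(list)
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if DEPT_CLASS.lower() not in classes:
            continue
        for ou in attrs.get("ou", []):
            seen[ou.lower()].append(dn)
    dupes = {k: v for k, v in seen.items() if len(v) > 1}
    if dupes:
        raise ValueError(f"department names are not unique: {dupes}")
    return {k: v[0] for k, v in seen.items()}


def escape_rdn(value):
    """Escape RFC 4514 special characters so a login name cannot inject RDN components."""
    out = "".join("\\" + ch if ch in ',+"\\<>;=' else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def login_to_bind_dn(login, index, existing_dns=None):
    """'user@department' or bare 'department' -> bind DN, or None if it cannot be resolved.
    Only the department name is used, so 'admin2@subdepartment2.department2' is never needed.
    If existing_dns (lower-cased DNs from the dump) is given, the admin entry must exist."""
    user, sep, dept = login.rpartition("@")
    if not sep:
        user, dept = DEFAULT_ADMIN, login
    dept_dn = index.get(dept.strip().lower())
    if dept_dn is None or not user:
        return None
    bind_dn = f"cn={escape_rdn(user)},ou=administrators,{dept_dn}"
    if existing_dns is not None and bind_dn.lower() not in existing_dns:
        return None
    return bind_dn


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    index = department_index(entries)
    known = {dn.lower() for dn, _ in entries}
    for login in ("admin2@department1", "subdepartment1", "admin2@department2"):
        print(login, "->", login_to_bind_dn(login, index, known))
```

On a live server the search step would run as a dedicated, low-privilege search identity rather than anonymous, and the ACL for it needs more than the dc and ou attributes: slapd only returns an entry, and only descends through it, when the identity has read access to the `entry` pseudo-attribute of that entry (and to `objectClass` if the filter uses it), so an access rule granting `entry,objectClass,ou` on `dn.subtree=` of the suffix is worth checking when deeper levels do not show up. The exact rule is an assumption about the poster's configuration, not taken from the post.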