Page History

...

Edit the config to set the ACLs:

~# ldapvi -h ldapi:// -Y EXTERNAL -b cn=config

Again, search for the entry "olcDatabase={1}mdb,cn=config" (there should be a number in front of it). Replace all "olcAccess" entries with something like this:

The entry "{5}" allows subtree access to a delegated mail domain admin. Replace "<MAILDOMAIN>" with the mail domain and "<MAILDOMAINADMIN>" with the user account of the mail domain admin.

~# ldapvi -h ldapi:// -Y EXTERNAL -b cn=config

  You can duplicate the lines "{0}", "{5}" and "{6}" for every mail domain you host to delegate access to multiple mail admins. Don't forget to increment the numbers if you add more domains later.

olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=<MAILDOMAINADMIN>,ou=<MAILDOMAIN>,dc=example,dc=com" write by * none break
olcAccess: {1}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {2}to attrs=shadowLastChange by self write by * read
olcAccess: {3}to dn="dc=example,dc=com" by * read by * auth
olcAccess: {4}to dn.subtree="dc=example,dc=com" by dn="cn=kopanoservice,dc=example,dc=com" read by * none break
olcAccess: {5}to dn.subtree="ou=<MAILDOMAIN>,dc=example,dc=com" by dn="cn=<MAILDOMAINADMIN>,ou=<MAILDOMAIN>,dc=example,dc=com" write by * none break
olcAccess: {6}to dn.subtree="dc=example,dc=com" by dn="cn=admin,dc=example,dc=com" manage break
olcAccess: {7}to * by * none

  You can duplicate the lines "{0}", "{5}" and "{6}" for every mail domain you host to delegate access to multiple mail admins. Don't forget to increment the numbers if you add more domains later.

The entry "{5}" allows subtree access to a delegated mail domain admin. Replace "<MAILDOMAIN>" with the mail domain and "<MAILDOMAINADMIN>" with the user account of the mail domain admin.

Save the config and restart the LDAP server.

...