Is there a way to set a custom base DN for a user?

[khmarochos]

Hello!

First of all, let me thank the authors, Mr. Smith and Mr. George, for creating, developing and maintaining the useful tool which PLA is.

May I ask for some help?

I have a domain (let's say, dc=example,dc=org).

I also have a phpLDAPadmin instance which purpose is to help me and other users to manage this domain.

I also have a branch somewhere within this domain (let's say, ou=foo,ou=bar,dc=baz,dc=example,dc=org).

I also have a user's account, a simpleSecurityObject (let's say, uid=admin,ou=bar,dc=baz,dc=example,dc=org).

I granted some permissions to this user to let them manage the branch I mentioned before (olcAccess: to dn.subtree="ou=foo,ou=bar,dc=baz,dc=example,dc=org" by dn.exact="uid=admin,ou=bar,dc=baz,dc=example,dc=org" manage).

The problem is that this user can't use phpLDAPadmin, because the OpenLDAP server propagates its base DN (by announcing the namingContext: dc=example,dc=org attribute, I guess), which the user doesn't have access to. So, phpLDAPadmin tries to show the user the contents of dc=example,dc=org, fails and laments that "This base cannot be created with PLA".

How to make phpLDAPadmin showing ou=foo,ou=bar,dc=baz,dc=example,dc=org as the base DN to this user instead of tryig to show them dc=example,dc=org which is not accessible at all?

Or should I grant the user read-only access to each leave from the very top (dc=example,dc=org, dc=baz,dc=example,dc=org, ou=bar,dc=baz,dc=example,dc=org)?

Thank you in advance for any hints.

[leenooks]

No there isnt a way to make a custom base DN for a user. You could give them access to the parent, but not access to the parents attributes or children. This is all done in OpenLDAP itself using ACLs.