Directories in DWA (based on group..)

We have an LDAP document (uses base DN)… this gives us a large LDAP directory (accessed using DWA drop-down when addressing email). The issue… 1/2 our users should not be seeing the other 1/2. e.g. base DN is dc=testco, dc=com and the two groups are dc=employees,dc=testco, dc=com and dc=vendors,dc=testco, dc=com. The vendors should only see the vendors entries and/or a directory called TestCo Vendors. I know that a search filter on these will provide the correct results. Is another directory (directory catalogs based on these LDAP filters) or directories required? …the good news → the employees were registered using /Employees/Testco and the vendors were registered using /Vendors/Testco. I’m assuming this means that an ACL entry using these would restrict them from seeing in drop-down. Thoughts?

Subject: Use different LDAP Base for each community…

Here’s a potential solution, however it relies on the segregation of employees and vendors on different servers:

On the servers which service the employees create a DA LDAP record and set the base to dc=employees,dc=testco,dc=com

On the servers which service the employees create a DA LDAP record and set the base to dc=vendors,dc=testco,dc=com

Using ACLs which differentiate based on the user’s name is NOT going to work since a single identity is used by the Domino server–anonymous or the username/pwd configured in the LDAP DA doc–when performing the search on behalf of the user.

Hope this helps.

-smd
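
The base-DN scoping described in the reply above, as an added example that is not part of the original posts: because the server searches under one bind identity, what a user sees is decided by the search base configured for their cluster, not by who they are. The entries, the cluster names and the mapping of each cluster to its own community's base are constructed assumptions; the DN parser is simplified (no multi-valued RDNs or escaped backslashes).

```python
import re

# Constructed sample entries under the thread's base DN (illustrative only).
ENTRIES = [
    "cn=Alice Smith,dc=employees,dc=testco,dc=com",
    "cn=Bob Jones, dc=employees, dc=testco, dc=com",        # spaces after commas
    "cn=Acme\\, Inc. Contact,dc=vendors,dc=testco,dc=com",  # escaped comma in value
    "CN=Carol Vendor,DC=Vendors,DC=TestCo,DC=com",          # mixed case
]

# Assumed: one directory assistance search base per cluster (hypothetical names).
DA_BASE = {
    "employee_cluster": "dc=employees,dc=testco,dc=com",
    "vendor_cluster": "dc=vendors,dc=testco, dc=com",
}

def parse_dn(dn):
    """Split a DN into normalized (attr, value) RDNs, honoring '\\,' escapes."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def in_subtree(entry_dn, base_dn):
    """True when entry_dn is base_dn itself or lies beneath it."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base

def search(base_dn, entries=ENTRIES):
    """Subtree search: return only the entries under base_dn."""
    return [dn for dn in entries if in_subtree(dn, base_dn)]

def visible_to(cluster):
    """Entries a user sees depend only on the cluster's configured base."""
    return search(DA_BASE[cluster])

if __name__ == "__main__":
    for cluster in DA_BASE:
        print(cluster, "->", visible_to(cluster))
    # The shared base exposes both communities to everyone.
    print("shared base ->", len(search("dc=testco, dc=com")), "entries")
```

Comparing RDNs after normalization matters here: a plain string suffix check would miss the entries written with spaces or different case and would misread the escaped comma.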

Subject: RE: Use different LDAP Base for each community…

Excellent… sounds simple! I just need to create a new (not same replica ID) for 2nd cluster used for vendors. We created cluster #1 for employees and cluster #2 for vendors for added control. This is a great example… many thanks.

Subject: RE: Use different LDAP Base for each community…

OK… can we take this 1 step further? Can we make the default directory employees so that searches are only on employees? If vendors are needed, the user could select from the directory dropdown and select TestCo Vendors (assuming this has to be a directory catalog with aggregate info (from LDAP)). Any idea what the objectclass for the MailFile attribute is? I found the attribute # but no OC?!? in the Domino LDAP Schema Db.