Is it possible to make OpenLDAP provide different base DNs for different users?
Let me explain what exactly I want to achieve.
I have a domain (let's say, dc=example,dc=org).
I also have a phpLDAPadmin instance whose purpose is to help me manage this domain.
I also have a branch somewhere within this domain (let's say, ou=foo,ou=bar,dc=baz,dc=example,dc=org).
I also have a user (let's say, uid=admin,ou=bar,dc=baz,dc=example,dc=org).
I granted some permissions to this user to let them manage the branch I mentioned before (olcAccess: to dn.subtree="ou=foo,ou=bar,dc=baz,dc=example,dc=org" by dn.exact="uid=admin,ou=bar,dc=baz,dc=example,dc=org" manage).
The problem is that this user can't use phpLDAPadmin, because the OpenLDAP server propagates its base DN (by announcing the namingContext: dc=example,dc=org attribute, I guess), which the user doesn't have access to. So, phpLDAPadmin tries to show the user the contents of dc=example,dc=org, fails and laments that "This base cannot be created with PLA".
How do I make phpLDAPadmin show ou=foo,ou=bar,dc=baz,dc=example,dc=org as the base DN to this user instead of trying to show them dc=example,dc=org, which is not accessible at all?
Is there a way to make OpenLDAP announce a different namingContext (ou=foo,ou=bar,dc=baz,dc=example,dc=org) to the user?
Or should I forget this idea and grant the user read-only access to each level from the very top (dc=example,dc=org, dc=baz,dc=example,dc=org, ou=bar,dc=baz,dc=example,dc=org)?
Thank you.
Disclaimer: I have no personal experience with phpLDAPadmin.
I'd recommend modifying the ACLs so that the intermediate entries are visible to the user. At least grant read access to the pseudo-attribute "entry". You should probably do this in a sort of last-catch ACL.
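An added example, not the question's or the answer's own configuration, of an ACL set along the lines the answer suggests: the subtree manage rule from the question, read on the "entry" pseudo-attribute (plus objectClass) of each ancestor so the user can walk down from dc=example,dc=org to the branch, and a last-catch rule at the end. It assumes the database is olcDatabase={1}mdb,cn=config and that these values replace the current olcAccess list.

```ldif
# Added example (assumed database DN; replaces existing olcAccess values).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Full control inside the delegated branch. Other identities fall through
# ("break") to the later rules instead of being denied right here.
olcAccess: {0}to dn.subtree="ou=foo,ou=bar,dc=baz,dc=example,dc=org"
  by dn.exact="uid=admin,ou=bar,dc=baz,dc=example,dc=org" manage
  by * break
# Make only the chain of ancestors visible: "entry" lets the user see that
# the entry exists, objectClass lets a typical (objectClass=*) browse filter
# match it. No other attribute of these entries is disclosed, and nothing
# outside the chain becomes readable. One rule per ancestor is needed.
olcAccess: {1}to dn.exact="ou=bar,dc=baz,dc=example,dc=org" attrs=entry,objectClass
  by dn.exact="uid=admin,ou=bar,dc=baz,dc=example,dc=org" read
  by * break
olcAccess: {2}to dn.exact="dc=baz,dc=example,dc=org" attrs=entry,objectClass
  by dn.exact="uid=admin,ou=bar,dc=baz,dc=example,dc=org" read
  by * break
olcAccess: {3}to dn.exact="dc=example,dc=org" attrs=entry,objectClass
  by dn.exact="uid=admin,ou=bar,dc=baz,dc=example,dc=org" read
  by * break
# Passwords: usable for binding, changeable by the owner, otherwise hidden.
olcAccess: {4}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# Last-catch rule: everything the rules above did not grant is denied,
# so the delegated user still sees nothing else under dc=example,dc=org.
olcAccess: {5}to *
  by * none
```

After applying this with ldapmodify, a base search on dc=example,dc=org as the delegated user should return the entry (with objectClass only), which is what phpLDAPadmin needs before it can descend to the branch.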