I got it working.
Directory structure:
- dc=myorg,dc=com
  - ou=nonprod
    - ou=hostdefinitions
  - ou=people
    - cn=user1
    - cn=user2
  - ou=prod
    - ou=hostdefinitions
Users:
cn=user2
gidNumber=235
homeDirectory=/home/user2
uid=user2
uidNumber=235
userPassword={SSHA hashed password}
cn=user1,ou=People,dc=myorg,dc=com
objectClass=account,extensibleObject,posixAccount,shadowAccount,top
cn=user1
gidNumber=234
homeDirectory=/home/user1
uid=user1
uidNumber=234
userPassword={SSHA hashed password}
cn=user1,ou=People,dc=myorg,dc=com
objectClass=account,extensibleObject,posixAccount,shadowAccount,top
ACL:
access to dn.subtree="ou=nonprod,dc=myorg,dc=com"
    by dn.exact="cn=user1,ou=People,dc=myorg,dc=com" manage
    by dn.exact="cn=user2,ou=People,dc=myorg,dc=com" none
access to dn.subtree="ou=prod,dc=myorg,dc=com"
    by dn.exact="cn=user1,ou=People,dc=myorg,dc=com" none
    by dn.exact="cn=user2,ou=People,dc=myorg,dc=com" manage
access to dn.base="" by * read
access to dn.base="cn=subschema" by * read
access to *
    by self write
    by anonymous auth
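To check what the ACL above actually grants before deploying it, here is an added example (not part of the original post) that models slapd's evaluation order in plain Python: the first matching `access to` directive wins, within it the first matching `by` clause decides, and a matched directive with no matching `by` clause denies. Only the target and subject styles used in the post are modelled; real slapd supports many more.

```python
# Added example, not from the original post: a small model of slapd ACL
# evaluation (first matching "access to" wins, then first matching "by";
# a matched directive with no matching "by" denies) to check what the
# post's rules grant. Only the target/subject styles used there are modelled.

def in_subtree(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def target_matches(style, value, entry_dn):
    if style == "subtree":
        return in_subtree(entry_dn, value)
    if style == "base":
        return entry_dn.lower() == value.lower()
    return style == "*"

def subject_matches(kind, value, who, entry_dn):
    # who is the bound DN, or None for an anonymous session
    if kind == "dn.exact":
        return who is not None and who.lower() == value.lower()
    if kind == "self":
        return who is not None and who.lower() == entry_dn.lower()
    if kind == "anonymous":
        return who is None
    return kind == "*"

def evaluate(acl, who, entry_dn):
    """Access level granted to `who` on entry_dn under the acl list."""
    for (style, value), by_clauses in acl:
        if not target_matches(style, value, entry_dn):
            continue
        for (kind, subj), level in by_clauses:
            if subject_matches(kind, subj, who, entry_dn):
                return level
        return "none"  # implicit trailing "by * none"
    return "none"

USER1 = "cn=user1,ou=People,dc=myorg,dc=com"
USER2 = "cn=user2,ou=People,dc=myorg,dc=com"

# The post's ACL, transcribed into (target, [(subject, level), ...]) tuples.
ACL = [
    (("subtree", "ou=nonprod,dc=myorg,dc=com"),
     [(("dn.exact", USER1), "manage"), (("dn.exact", USER2), "none")]),
    (("subtree", "ou=prod,dc=myorg,dc=com"),
     [(("dn.exact", USER1), "none"), (("dn.exact", USER2), "manage")]),
    (("base", ""), [(("*", None), "read")]),
    (("base", "cn=subschema"), [(("*", None), "read")]),
    (("*", None), [(("self", None), "write"), (("anonymous", None), "auth")]),
]
```

Note that an anonymous or third-party bind gets `none` on both host subtrees because those directives match first and list no `by *` fallback, which is the least-privilege behaviour the post is after.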