Directory ACL Not Working properly

Article ID: 235348

Products

CA Directory

Issue/Introduction

Working with an LDAP browser and access control rules, you may come across a situation where you have configured access control rules for a specific user so that the user has READ access only to two branches of the DIT (Directory Information Tree) that do not reside at the same level.

The result looks wrong: once you log into the LDAP browser as that user, you see only the higher-level branch and not the other one.

Example:

You have a user (that you bind with) as:

<dc com><dc company><cn myuser>
i.e. cn=myuser,dc=company,dc=com

You want this user to have READ access only to the following two branches. Note that the second one sits one level deeper, under an "ou groups" entry that the user has no access to.

<dc com><dc company><ou internal>
AND
<dc com><dc company><ou groups><ou internal>

You have access control rules defined as:

set admin-user = {
    user = <dc com><dc company><cn myuser>
    subtree = <dc com><dc company><ou internal>
    perms=read
};

set admin-user = {
    user = <dc com><dc company><cn myuser>
    subtree = <dc com><dc company><ou groups><ou internal>
    perms=read
};

After restarting the DSA and connecting via the LDAP browser as 'myuser', you see only the "<dc com><dc company><ou internal>" branch, while the expectation was to also see the "<dc com><dc company><ou groups><ou internal>" branch.

Environment

Release : 14.1

Component : CA Directory

Resolution

Nothing is wrong with the above configuration. When a user logs in, most LDAP browsers perform the initial search with scope 'one' (one level below the base), so only entries that are direct children of the base and readable by the user are returned. "<ou internal>" is such a child, but "<ou groups>" is not readable by this user, so it is not listed and the browser has no node to expand to reach the "<ou internal>" entry beneath it.

While logged in as this user, change the search scope to 'sub-tree' and you will see exactly the two branches you have granted READ access to. The user can read information only from these two branches and has no access to anything else in that DSA. The same behaviour can be confirmed with a command-line LDAP client by repeating the search with one-level scope and then with subtree scope.
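The following is an added illustration, not CA Directory's own code or anything from this article: a small model of how search scope ('base', 'one', 'sub') combines with subtree-scoped read rules to decide which entries a bound user gets back. The directory content is constructed sample data mirroring the example above (DNs are written as tuples of RDNs from the root down, so ("dc=com", "dc=company", "ou=internal") stands for <dc com><dc company><ou internal>). It shows why a one-level search from dc=company,dc=com returns only ou=internal, while a subtree search returns both readable branches and nothing else, even though the parent ou=groups is itself invisible.

```python
"""Toy model of LDAP search scope evaluated against subtree read ACLs.

Added example, not CA Directory code. The DIT and the rules below are
constructed to mirror the article's scenario; DN tuples run root-first.
"""

# Constructed sample directory: every entry in the DSA, including entries
# the bound user has no rights to (ou=external, ou=groups itself, ...).
SAMPLE_DIT = [
    ("dc=com",),
    ("dc=com", "dc=company"),
    ("dc=com", "dc=company", "cn=myuser"),
    ("dc=com", "dc=company", "ou=internal"),
    ("dc=com", "dc=company", "ou=internal", "cn=alice"),
    ("dc=com", "dc=company", "ou=external"),
    ("dc=com", "dc=company", "ou=external", "cn=bob"),
    ("dc=com", "dc=company", "ou=groups"),
    ("dc=com", "dc=company", "ou=groups", "ou=internal"),
    ("dc=com", "dc=company", "ou=groups", "ou=internal", "cn=admins"),
    ("dc=com", "dc=company", "ou=groups", "ou=external"),
]

# The two admin-user rules from the article, reduced to (subtree, perms).
READ_RULES = [
    (("dc=com", "dc=company", "ou=internal"), "read"),
    (("dc=com", "dc=company", "ou=groups", "ou=internal"), "read"),
]

COMPANY_BASE = ("dc=com", "dc=company")


def to_dn_string(dn):
    """Render a root-first RDN tuple as a conventional leaf-first DN string."""
    return ",".join(reversed(dn))


def in_subtree(dn, subtree):
    """True if dn is the subtree root itself or lies anywhere below it."""
    return dn[: len(subtree)] == subtree


def readable(dn, rules):
    """An entry is readable if at least one read rule's subtree covers it.

    Entries above a granted subtree (such as ou=groups) get nothing: a rule
    on a child subtree does not leak read access to its parents.
    """
    return any(perms == "read" and in_subtree(dn, subtree) for subtree, perms in rules)


def in_scope(dn, base, scope):
    """Apply LDAP search scope: base = the base only, one = direct children,
    sub = base and everything below it."""
    if not in_subtree(dn, base):
        return False
    depth = len(dn) - len(base)
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def search(base, scope, rules, dit=SAMPLE_DIT):
    """Return, sorted, the DN strings the bound user is allowed to see.

    The server first selects entries by scope, then drops those the ACL does
    not let the user read; the client never learns the filtered entries exist.
    """
    hits = [dn for dn in dit if in_scope(dn, base, scope) and readable(dn, rules)]
    return sorted(to_dn_string(dn) for dn in hits)


if __name__ == "__main__":
    # What a browser's default one-level search from dc=company,dc=com shows:
    print("scope one:", search(COMPANY_BASE, "one", READ_RULES))
    # What the same search returns once the scope is changed to sub-tree:
    print("scope sub:", search(COMPANY_BASE, "sub", READ_RULES))
```

Changing the scope in the model reproduces the article's observation: with 'one' only ou=internal comes back, because the intermediate ou=groups entry is filtered out by the ACL, so the browser has nothing to expand; with 'sub' the server returns every readable entry under the base regardless of whether its parents are visible.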