BobM53, that would be needed regardless of what front end my users log in with; in my case I was looking for them to access the DIT via the DSCC/DCC, which is not possible. Regardless, thank you for your reply; it is reassuring to know I am headed in the right direction.
I am now looking towards installing something else like Apache Directory Studio, or some other GUI for users to manage the directory.
I will most likely create one or more ACIs to build groups, adding members to those groups as needed; each group being allowed to perform functions such as create users, lockout users, add/modify hosts, etc.
I will most likely follow the steps outlined in:
Slightly OT, does anyone have a suitable and similar proven method to "lockdown" root accounts, and who has root access?
> Slightly OT, does anyone have a suitable and similar proven method to "lockdown" root accounts, and who has root access?
Use RBAC pfexec (or old-school sudo) to elevate privileges from ordinary accounts? Perhaps not to full root, but to specific actions (sudo, pfexec) or predefined RBAC profiles (for commands, SMF operator/management access, etc.)
Ultimately you can forbid direct root logins, down to making it a role account (instead of a user account), as may be the default in Solaris 11 since OpenSolaris days?
Or do it old-school - whoever uses the root account last, generates a new password, writes it down on paper scrib and stores it in a safe-box accessible only by admins? This usually works for systems where root is only for console use, and the locked safe-box is nearby...
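As an added example (not part of the thread): a small audit of a Solaris `user_attr(4)`-style file that answers the "who has root access" question for the role-account setup suggested above. The function names and the sample entries are constructed for illustration.

```shell
# Entry format: user:qualifier:res1:res2:key=value;key=value...
# Constructed sample data, not taken from any real system.
sample_user_attr() {
cat <<'EOF'
# comment lines are ignored
root::::audit_flags=lo\:no;type=role;profiles=All
alice::::type=normal;roles=root
bob::::type=normal;profiles=User Management
carol::::type=normal;roles=backup,root
EOF
}

# Print attribute $1 of user $2; user_attr data is read from stdin.
get_attr() {
    awk -F: -v key="$1" -v user="$2" '
        /^#/ { next }
        $1 == user && NF >= 5 {
            # Drop the first four fields; values may hold escaped colons.
            attrs = $0; sub(/^[^:]*:[^:]*:[^:]*:[^:]*:/, "", attrs)
            n = split(attrs, kv, ";")
            for (i = 1; i <= n; i++)
                if (index(kv[i], key "=") == 1)
                    print substr(kv[i], length(key) + 2)
        }'
}

# Succeeds only if root is a role, so it cannot be logged into directly.
# A missing root entry or missing type= counts as "not a role".
root_is_role() { [ "$(get_attr type root)" = "role" ]; }

# Space-separated list of users whose roles= attribute includes root.
root_assumers() {
    awk -F: '
        /^#/ || NF < 5 { next }
        {
            attrs = $0; sub(/^[^:]*:[^:]*:[^:]*:[^:]*:/, "", attrs)
            n = split(attrs, kv, ";")
            for (i = 1; i <= n; i++) {
                if (index(kv[i], "roles=") != 1) continue
                m = split(substr(kv[i], 7), r, ",")
                for (j = 1; j <= m; j++)
                    if (r[j] == "root") out = out (out ? " " : "") $1
            }
        }
        END { print out }'
}

sample_user_attr | root_is_role && echo "root is a role" || echo "root allows direct login"
echo "may assume root: $(sample_user_attr | root_assumers)"
```

On a host, pipe `/etc/user_attr` into the two functions instead of the sample; entries served from a name service are not covered by this file-based check.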