Les ACLs :

# Schemas the ACLs below rely on: nis.schema supplies the posixAccount /
# posixGroup attributes (uidNumber, gidNumber, homeDirectory, loginShell,
# gecos, memberUid) that the delegation rules list explicitly.
include         /usr/etc/openldap/schema/core.schema
include         /usr/etc/openldap/schema/cosine.schema
include         /usr/etc/openldap/schema/nis.schema
….
# Naming context of the database; every dn= pattern in the ACLs below ends
# in this suffix, and the per-branch delegation keys on the o= RDN right
# above it.
suffix       "dc=mathrice,dc=fr"

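# Password ACL: userPassword on the per-branch login entries is never readable.
# - anonymous gets "auth" only: enough to bind against the hash, not enough
#   to read or even compare it
# - the entry may change its own password (self write)
# - the global "cn=ldap" admin group and the branch's own admin group
#   "cn=$1,o=admin" may write it; $1 is the o= value captured from the
#   target DN, so a branch admin reaches only its own branch
# - everybody else: nothing
# Keep this clause FIRST. slapd uses the first "access to" whose <what>
# matches; the later "by * read" clauses on the same entries stay harmless
# for userPassword only because this one precedes them.
# attrs= is the documented keyword (the file used the legacy alias attr=).
# NOTE(review): the dn= pattern is relied on as a regex (".*", "([^\,]+)",
# the $1 back-reference). Newer slapd (2.2+) spells this dn.regex= and only
# substitutes $1 into a by-clause pattern written with the .expand style
# ("uniqueMember.expand=...") — confirm against the deployed slapd version.
# The regex is unanchored (no ^...$), so child entries of a login entry match
# too; inside [...] the backslash is literal in POSIX regex, so "[^\,]" also
# excludes "\" — harmless.
access to dn="uid=.*,ou=login,o=([^\,]+),dc=mathrice,dc=fr" attrs=userPassword
       by anonymous auth
       by self write
       by group/groupOfUniqueNames/uniqueMember="cn=ldap,o=admin,dc=mathrice,dc=fr" write
       by group/groupOfUniqueNames/uniqueMember="cn=$1,o=admin,dc=mathrice,dc=fr" write
       by * none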

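# Per-branch delegation on login entries: the global admin group and the
# branch's own admin group may write the listed account attributes; everyone
# else, anonymous included, may read them.
# The attribute list must not contain blanks: slapd.conf splits a directive
# into arguments on whitespace, so "uidNumber, gidNumber" ends the attrs=
# argument after the comma and leaves "gidNumber,..." as a stray token.
# userPassword is deliberately NOT listed here: the preceding clause already
# matches it on exactly these DNs, so it could never apply, and listing it
# next to "by * read" would turn into a leak the day the clauses are reordered.
# NOTE(review): a branch delegate may set uidNumber/gidNumber to any value,
# including ones owned by another branch or by system accounts on NSS
# clients; an ACL cannot enforce ranges or uniqueness, so if that matters it
# has to come from the provisioning tool or, on newer slapd, from
# slapo-constraint / slapo-unique.
access to dn="uid=.*,ou=login,o=([^\,]+),dc=mathrice,dc=fr" attrs=cn,uid,uidNumber,gidNumber,homeDirectory,loginShell,gecos,description,mail
       by group/groupOfUniqueNames/uniqueMember="cn=ldap,o=admin,dc=mathrice,dc=fr" write
       by group/groupOfUniqueNames/uniqueMember="cn=$1,o=admin,dc=mathrice,dc=fr" write
       by * read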

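# Same delegation for the per-branch POSIX groups: global and branch admin
# groups write the listed attributes, everyone else reads them.
# slapd.conf continues a directive only on lines that BEGIN with whitespace;
# a trailing backslash is not a continuation marker, and an attrs= line at
# column 0 would be parsed as an unknown directive. The attribute list is
# therefore indented (like the by-clauses) and written without blanks, since
# arguments are split on whitespace.
access to dn="cn=.*,ou=group,o=([^\,]+),dc=mathrice,dc=fr"
       attrs=cn,gidNumber,memberUid,description
       by group/groupOfUniqueNames/uniqueMember="cn=ldap,o=admin,dc=mathrice,dc=fr" write
       by group/groupOfUniqueNames/uniqueMember="cn=$1,o=admin,dc=mathrice,dc=fr" write
       by * read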

# Catch-all for the rest of a branch: every entry and every attribute under
# o=<branch> not matched by an earlier clause. Same delegation as above, and
# anonymous read of everything else.
# Because evaluation stops at the first matching "access to", this clause is
# where any attribute not protected earlier becomes world-readable; it must
# stay after the userPassword clause.
# NOTE(review): $1 substitution into the group pattern needs the .expand
# style on slapd 2.2+ — verify against the running version.
access to dn=".*,o=([^\,]+),dc=mathrice,dc=fr"
       by group/groupOfUniqueNames/uniqueMember="cn=ldap,o=admin,dc=mathrice,dc=fr" write
       by group/groupOfUniqueNames/uniqueMember="cn=$1,o=admin,dc=mathrice,dc=fr" write
       by * read

# The admin branch itself (the global cn=ldap group and the per-branch admin
# groups): only the global group may modify it, so a branch admin cannot add
# members to its own or another branch's admin group.
# Membership (uniqueMember) is readable by everyone, anonymous included.
# NOTE(review): if enumerating who administers which branch is undesirable,
# "by users read" would limit that to authenticated clients.
access to dn="cn=.*,o=admin,dc=mathrice,dc=fr"
       by group/groupOfUniqueNames/uniqueMember="cn=ldap,o=admin,dc=mathrice,dc=fr" write
       by * read

# Default for everything else under the suffix (branch containers, the
# suffix entry, anything outside o=<branch> and o=admin): the global admin
# group writes, everyone reads. Without this clause such entries would fall
# through to slapd's implicit "by * none" once access directives exist.
access to dn=".*,dc=mathrice,dc=fr"
       by group/groupOfUniqueNames/uniqueMember="cn=ldap,o=admin,dc=mathrice,dc=fr" write
       by * read

SUITE