# site-admins dynamic group specification dn: cn=3Dsite-admins,ou=3Dgroups,dc=3Dbluewater-aquatics,dc=3Dcom objectClass: top objectClass: groupOfURLs cn: site-admins memberURL: ldap:///ou=3Dpeople,dc=3Dmysite,dc=3Dcom?? sub?(authorizedService=3Dsite-admin) Then, with that dynamic group in place, I was able to use the following slapd.conf syntax to make the ACL give write access to each user's data as follows: Each user can write their own data Each user can read any users data (except passwords) Anonymous can AUTH against any password (necessary for auth to work) Site Administrators can write anyone's AuthorizedService attributes Site Administrators can write anyone's Password Anyone can read AuthorizedService attributes # Controls access to Passwords: Admins Write all, Self Write, anon AUTH, # else none access to attrs=3D"userPassword" by group/groupOfURLs/memberURL=3D "cn=3Dsite-admins,ou=3Dgroups,dc=3Dmysite,dc=3Dcom" write by self write by anonymous auth by * none # Controls access to authorizedService attributes: Admins Write all, # else read access to attrs=3D"authorizedService" by group/groupOfURLs/memberURL=3D "cn=3Dsite-admins,ou=3Dgroups,dc=3Dmysite,dc=3Dcom" write by * read # Controls access to user records in general (other attributes) # Site Administrators write all, Self write, anonymous read, else read access to dn.base=3D"ou=3Dpeople,dc=3Dmysite,dc=3Dcom" by group/groupOfURLs/memberURL=3D "cn=3Dsite-admins,ou=3Dgroups,dc=3Dmysite,dc=3Dcom" write by self write by anonymous read by * read # Controls access to group definitions # Everyone gets read access only, must be rootdn to modify for now. access to dn.base=3D"ou=3Dgroups,dc=3Dmysite,dc=3Dcom" attrs=3Dchildren by * read # Controls access to everything else # Site Administrators get write access, Self can write, anonymous read, # else read access to * by group/groupOfURLs/memberURL=3D "cn=3Dsite-admins,ou=3Dgroups,dc=3Dmysite,dc=3Dcom" write by self write by anonymous read by * read