
How to give create/modify/delete permissions over a subtree to a GroupOfNames?



  Hello, list.

  I'm facing a problem here: I need to offer create/delete/modify
permissions to a groupOfNames so they can handle users, without allowing
them to handle other things (like groups, for example).

  This is the organization of my LDAP now:

  + dc=company, dc=net
    + ou=people, dc=company, dc=net
      + uid=champs, ou=people, dc=company, dc=net
        - objectClass: inetOrgPerson
    + ou=groups, dc=company, dc=net
      + cn=admin, ou=groups, dc=company, dc=net
        - objectClass: groupOfNames
        - member: uid=champs, ou=people, dc=company, dc=net

  And this is the permissions configuration from the slapd.conf:

--------
access to dn.children="dc=company,dc=net"
        by group.exact="cn=admin,ou=Groups,dc=company,dc=net" write
        by self write
        by * none
--------

  This is my .ldaprc:
----
URI ldap://ldap.company.net/
BASE dc=company, dc=net
BINDDN uid=lcampos, ou=people, dc=company, dc=net
----

  I'm sure that I'm using the right user and should have the
permissions I've set up:
----
champs:~/ldiff$ ldapwhoami -xW
Enter LDAP Password:
dn:uid=lcampos,ou=People,dc=company,dc=net
----

  But when I try to use my newly granted permissions to add a user, I get
this:
----
champs:~/ldiff$ ldapadd -xWf apalinkas.ldiff
Enter LDAP Password:
adding new entry "uid=palinkas, ou=People, dc=company, dc=net"
ldap_add: Insufficient access (50)
        additional info: no write access to parent
----

  Maybe someone here could help me figure out what I'm doing wrong? I'm
pretty sure that all this is because I'm doing something stupid somewhere.

  Thanks very much for your help.
-- 
Luis Motta Campos
Segula Technologies Portugal
http://www.segula.pt/
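The following slapd.conf ACL fragment is an added example illustrating the question above; it is not the poster's configuration or a reply from the list. It assumes the layout described in the post (users under ou=people, groups under ou=groups, an admin group cn=admin,ou=groups,dc=company,dc=net of objectClass groupOfNames) and shows how to confine a group's write access to the user subtree while keeping the group subtree read-only. The one point it makes beyond the post is a documented OpenLDAP rule: adding or deleting an entry requires write access to the "children" pseudo-attribute of the parent entry, which is what the message "no write access to parent" refers to, so the parent entry itself has to be inside a rule that grants it.

```conf
# Added example, not the poster's slapd.conf.  Rules are evaluated in order and
# the first "access to" clause whose target matches the request wins, so the more
# specific rules come first.

# 1. Entry creation and deletion under ou=people.  dn.subtree covers the ou=people
#    entry itself as well as everything below it; dn.children would leave the ou
#    entry out, and then the admin group would lack write on ou=people's
#    "children" pseudo-attribute, which ldapadd needs for a new user.
access to dn.subtree="ou=people,dc=company,dc=net" attrs=entry,children
        by group.exact="cn=admin,ou=groups,dc=company,dc=net" write
        by * read

# 2. Passwords: the admin group may reset them, each user may change their own,
#    anonymous may only use them to bind (auth never discloses the stored hash),
#    and nobody else can read them.
access to dn.children="ou=people,dc=company,dc=net" attrs=userPassword
        by group.exact="cn=admin,ou=groups,dc=company,dc=net" write
        by self write
        by anonymous auth
        by * none

# 3. Remaining attributes of user entries: the admin group and the entry's owner
#    may write, everyone else reads (use "by * none" for a closed directory).
access to dn.children="ou=people,dc=company,dc=net"
        by group.exact="cn=admin,ou=groups,dc=company,dc=net" write
        by self write
        by * read

# 4. The group subtree is deliberately read-only for everyone, the admin group
#    included, so its members cannot add themselves or anyone else to cn=admin.
access to dn.subtree="ou=groups,dc=company,dc=net"
        by * read

# 5. Everything else, including the suffix entry, is read-only.  Because
#    dc=company,dc=net itself grants no write on "children", nobody in the admin
#    group can create or delete top-level entries such as ou=people.
access to *
        by * read
```

Before reloading slapd, the rules can be checked offline with slapacl, which evaluates the configured ACLs for a given identity and target without going through the server. The configuration path below is a placeholder to replace with the real one; the bind DN must be a member listed in the group's member attribute:

slapacl -f /path/to/slapd.conf -D "uid=champs,ou=people,dc=company,dc=net" -b "ou=people,dc=company,dc=net" "children/write"

A result reporting write access for "children" on ou=people means an add beneath it will pass the ACL check; running the same command with -b "ou=groups,dc=company,dc=net" should report only read, confirming that the group's privileges stop at the user subtree.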