without any real testing, I'm afraid that the rule{0} gives the write access to cn=groupabcadmin to _all_ db, not just the ou=ABC Customer subtree. Am I right?
Hm, yes, that's correct. You'll need to do something like utilize by * break appropriately, or have multiple "access to userPassword" ACLs by group, then a catchall after that.
--Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
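
One way to lay out the rules discussed in this thread, as an added example that is not from the original messages: the group rule is scoped with `dn.subtree` and ends in `by * break`, and a catchall `userPassword` rule follows it. The suffix `dc=example,dc=com`, the group's location under `ou=Groups`, the database entry `olcDatabase={1}mdb,cn=config` and the final `to *` rule are assumptions made for illustration.

```ldif
# Added example with constructed DNs; adjust the database entry, suffix and
# group DN to the real directory before use.
#
# {0} A "to" clause with no dn scope matches userPassword on every entry in
#     the database. Adding dn.subtree limits the group's write access to the
#     customer's own subtree. "by * break" stops processing this rule for
#     everyone else and lets evaluation continue with the next matching rule.
# {1} Catchall for userPassword: reached by non-members inside the subtree
#     (through the break) and by everyone for entries outside it.
# {2} Stand-in for whatever rules the database already has for other
#     attributes (assumed, not from the thread).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.subtree="ou=ABC Customer,dc=example,dc=com" attrs=userPassword
  by group.exact="cn=groupabcadmin,ou=Groups,dc=example,dc=com" write
  by * break
olcAccess: {1}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {2}to *
  by * read
```

The effective result can be checked per identity and per entry with `slapacl`, testing one entry inside the customer subtree and one outside it for the group member.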