There are a few ways to do this.  One approach is illustrated here.
Consider the following DIT layout:
+-dc=example,dc=com
+--cn=administrators,dc=example,dc=com
+--cn=fred blogs,dc=example,dc=com
 
and the following group object (in LDIF format): 
dn: cn=administrators,dc=example,dc=com
cn: administrators of this region
# objectclass groupOfNames is important for the group ACL feature
objectclass: groupOfNames
member: cn=fred blogs,dc=example,dc=com
member: cn=somebody else,dc=example,dc=com
 
One can then grant access to the members of this group
by adding an appropriate by group clause to an access
directive in slapd.conf(5).  For instance,
  access to dn.children="dc=example,dc=com" 
      by self write 
      by group.exact="cn=Administrators,dc=example,dc=com" write  
      by * auth
Like by dn clauses, one can also expand the group
name based upon the regular expression matching of the target
(that is, the to dn.regex).  For instance,
  access to dn.regex="(.+,)?ou=People,(dc=[^,]+,dc=[^,]+)$"
           attrs=children,entry,uid
      by group.expand="cn=Managers,$2" write
      by users read
      by * auth
 
The above illustration assumed that the group members are to be found 
in the "member" attribute type of the "groupOfNames" object class.
If you need to use a different group object and/or a different
attribute type then use the following slapd.conf (abbreviated)
syntax:
access to <what>
        by group/<objectclass>/<attributename>=<DN> <access>
For example:
access to *
  by group/organizationalRole/roleOccupant="cn=Administrator,dc=example,dc=com" write
 
In this case, we have an object class organizationalRole which
contains the administrator DNs in the roleOccupant attribute.
For instance:
dn: cn=Administrator,dc=example,dc=com
cn: Administrator
objectclass: organizationalRole
roleOccupant: cn=Jane Doe,dc=example,dc=com 
 
Note: the specified member attribute type MUST be of DN or NameAndOptionalUID syntax, and the specified object class SHOULD
allow the attribute type.
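
As an added example (not part of the original FAQ or of OpenLDAP): a by group clause that names a missing or mistyped group entry, or an entry of a different object class, never matches, and evaluation falls through to the later by clauses. This Python sketch lints the static group clauses of a slapd.conf fragment against an LDIF export. The function names, the simplified DN normalisation, the minimal LDIF reader and the sample data are assumptions made here, and object class inheritance is not modelled.

```python
import re
# slapd.access(5) form: group[/<objectclass>[/<attrname>]][.<style>]=<DN>
CLAUSE = re.compile(r'\bby\s+group(?:/(\w+)(?:/(\w+))?)?(?:\.(\w+))?="([^"]+)"')

def norm_dn(dn):  # simplified: lower-case, drop spaces around ',' and '='
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip().lower())

def parse_ldif(text):  # minimal reader: no folded lines or base64 (assumption)
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[norm_dn(attrs["dn"][0])] = attrs
    return entries

def lint_group_clauses(conf, ldif):  # clauses that can never match an entry
    entries, findings = parse_ldif(ldif), []
    for oc, attr, style, dn in CLAUSE.findall(conf):
        if style == "expand":      # holds $N substitutions; not checkable here
            continue
        oc, attr = oc or "groupOfNames", attr or "member"   # slapd defaults
        entry = entries.get(norm_dn(dn))
        if entry is None:
            findings.append((dn, "group entry not found"))
        elif oc.lower() not in [v.lower() for v in entry.get("objectclass", [])]:
            findings.append((dn, "entry lacks objectClass " + oc))
        elif attr.lower() not in entry:
            findings.append((dn, "entry has no " + attr + " values"))
    return findings

# Constructed sample input: first group DN is misspelt in the directory export.
CONF = '''by group.exact="cn=Administrators,dc=example,dc=com" write
by group/organizationalRole/roleOccupant="cn=Administrator,dc=example,dc=com" write
by group="cn=Managers,dc=example,dc=com" write'''
LDIF = '''dn: cn=adminstrators,dc=example,dc=com
objectclass: groupOfNames
member: cn=fred blogs,dc=example,dc=com

dn: cn=Administrator, dc=example, dc=com
objectclass: organizationalRole
roleOccupant: cn=Jane Doe,dc=example,dc=com

dn: cn=Managers,dc=example,dc=com
objectclass: groupOfUniqueNames
uniqueMember: cn=Jane Doe,dc=example,dc=com'''
```

Calling lint_group_clauses(CONF, LDIF) flags the misspelt group and the groupOfUniqueNames entry referenced without an explicit object class and attribute; the organizationalRole clause passes.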
 