Julien Garnier writes:
> access to dn.base=""
>     by peername.regex="IP=A.A.A..+" read
>     by peername.regex="IP=127.0.0.1" read
>     by * none
This only sets the access to the entry named "", i.e. the automatically generated entry which describes the server itself. Doesn't sound like that is what you want.
> access to dn.sub="ou=people,ou=compagnie,ou=com" filter=(ou=DIV1*)
This sets access to all entries in the people subtree which contain an 'ou' attribute starting with "DIV1". It doesn't say which filter people are allowed to use.
>     by peername.regex="IP=B\.B\.B\.B" read
>     by * none
You don't give people at A.A.A.* any access to this subtree.
Read man slapd.access(5). It sounds like what you need is something like this:
# hide userPassword, but allow anyone in the related IPs to log in
access to attrs=userPassword
    by peername.ip=A.A.A.0%255.255.255.0 auth
    by peername.ip=127.0.0.1 auth
    by peername.ip=B.B.B.B auth
    by * none

# allow everyone locally read access to everything else, and no access
# for others but continue checking other access statements for people at
# B.B.B.B
access to *
    by peername.ip=A.A.A.0%255.255.255.0 read
    by peername.ip=127.0.0.1 read
    by peername.ip=B.B.B.B none break
    by * none

# access for folks at B.B.B.B....

# allow them to search with this baseDN
access to dn.exact="ou=people,ou=compagnie,ou=com" attrs=entry
    by * =s

# allow them to find entries in this subtree matching this filter,
# and nothing else:
access to dn.sub="ou=people,ou=compagnie,ou=com" filter=(ou=DIV1*)
    by * none break
    by * none

# allow them to search for and read 'ou' (though they can also list
# all allowed entries by searching with the "true" filter "(&)"):
access to attrs=ou
    by * =sr

# allow them to read everything they find
access to attrs=*
    by * =r
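
The suggested rules depend on slapd's evaluation order: the first matching `access to` statement and its first matching `by` clause decide the result, unless that clause ends in `break`. The Python model below is an added example, not part of the original message and not slapd code. It covers only the attribute part of four of the statements and the stop/break controls; the addresses are constructed stand-ins for A.A.A.0 and B.B.B.B.

```python
import ipaddress

def peer_ip(spec):
    """Matcher for peername.ip=<addr>[%<mask>], the form used in the reply."""
    addr, _, mask = spec.partition("%")
    net = ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}")
    return lambda client: ipaddress.ip_address(client) in net

ANYONE = lambda client: True            # "by *"

# Constructed documentation addresses standing in for the placeholders
SITE_A = "192.0.2.0%255.255.255.0"      # A.A.A.0%255.255.255.0
HOST_B = "198.51.100.7"                 # B.B.B.B

# Each rule: (<what> predicate on the attribute, [(who, access, control), ...])
RULES = [
    (lambda attr: attr == "userPassword",            # access to attrs=userPassword
     [(peer_ip(SITE_A), "auth", "stop"), (peer_ip("127.0.0.1"), "auth", "stop"),
      (peer_ip(HOST_B), "auth", "stop"), (ANYONE, "none", "stop")]),
    (lambda attr: True,                              # access to *
     [(peer_ip(SITE_A), "read", "stop"), (peer_ip("127.0.0.1"), "read", "stop"),
      (peer_ip(HOST_B), "none", "break"), (ANYONE, "none", "stop")]),
    (lambda attr: attr == "ou", [(ANYONE, "=sr", "stop")]),   # access to attrs=ou
    (lambda attr: True, [(ANYONE, "=r", "stop")]),            # access to attrs=*
]

def evaluate(rules, client, attr):
    """Return the access a client at `client` ends up with for `attr`."""
    granted = "none"                     # no statement matched: deny
    for what, by_clauses in rules:
        if not what(attr):
            continue
        for who, access, control in by_clauses:
            if who(client):
                granted = access
                if control == "stop":    # default control: evaluation ends here
                    return granted
                break                    # "break": try the next access statement
        else:
            return "none"                # implicit trailing "by * none stop"
    return granted

if __name__ == "__main__":
    for client in ("192.0.2.15", "127.0.0.1", HOST_B, "203.0.113.9"):
        print(client, {a: evaluate(RULES, client, a)
                       for a in ("userPassword", "ou", "cn")})
```

Changing the `"break"` on the `HOST_B` clause to `"stop"` makes that host end with `none` for every attribute except `userPassword`, which is why the later statements need it.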