Thank you,
I've found a way to achieve exactly what I wanted:
# self may write subentries no one else may read...
access to dn.regex="^(.+,)+uid=([^,]+),ou=people,dc=example,dc=com$"
    by dn.regex="^uid=$2,ou=people,dc=example,dc=com$$" write

# all may read family contacts (self may write)
access to dn.one="ou=people,dc=example,dc=com"
    by self write
    by users read

access to dn.base="ou=people,dc=example,dc=com"
    by users read

access to dn.base="dc=example,dc=com"
    by users read
Okay, that's not what you did, but I've found an explanation of the regex-usage while searching for the self.level{<number>} syntax. Well, it's in the man pages of slapd.access and I should have looked there earlier, but I just didn't expect the possibility to use captures.
Cheers, Wolfgang
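
Added illustration, not part of the original message: a Python sketch of how the first rule above resolves, substituting the target's second capture for $2 and turning $$ into the end anchor. The sample DNs are constructed, Python's re module stands in for slapd's regex engine, and escaping the captured value is a choice of this sketch.

```python
import re

# Patterns copied from the first access rule in the message above.
TARGET = r"^(.+,)+uid=([^,]+),ou=people,dc=example,dc=com$"
WHO = r"^uid=$2,ou=people,dc=example,dc=com$$"

# Constructed sample DNs (not from the original message).
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
SUBENTRY = "cn=private,uid=alice,ou=people,dc=example,dc=com"


def expand_who(template, target_match):
    """Replace $<digit> with the target's submatch and $$ with a literal $."""
    out, i = [], 0
    while i < len(template):
        nxt = template[i + 1] if i + 1 < len(template) else ""
        if template[i] == "$" and nxt == "$":
            out.append("$")  # escaped dollar: becomes the end-of-string anchor
            i += 2
        elif template[i] == "$" and nxt.isdigit():
            # Assumption of this sketch: the captured text is matched literally.
            out.append(re.escape(target_match.group(int(nxt)) or ""))
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def rule1_access(target_dn, bind_dn):
    """Return 'write' or 'none', or None when rule 1 does not match target_dn."""
    m = re.match(TARGET, target_dn)
    if m is None:
        return None  # evaluation falls through to the later access rules
    who = expand_who(WHO, m)
    # Rule 1 has a single by-clause, so the implicit "by * none" covers everyone else.
    return "write" if re.match(who, bind_dn) else "none"


if __name__ == "__main__":
    for target, binder in [(SUBENTRY, ALICE), (SUBENTRY, BOB), (ALICE, ALICE)]:
        print(target, "<-", binder, ":", rule1_access(target, binder))
```

The user's own entry does not match rule 1, because (.+,)+ requires at least one RDN in front of uid=, so it is handled by the dn.one rule instead.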