That is a useful link. Thank you!
I finally managed it this way:


access to dn.Subtree="ou=contacts,ou=people,dc=mcm,dc=com"
       by dn.Subtree="ou=administradores,ou=people,dc=mcm,dc=com" write
       by * read

What I wanted is to create a group of administrators to control everything and a group of normal users with only access control in their groups contacts.

I will also apply the group configuration you sent me, thanks!

On Thu, 2009-01-29 at 17:25 +0100, Michael Ströder wrote:
Miguel wrote:
> 
> I'm trying to configure the ldap. I have created two groups (contact
> and administradores) within another one (people).
> 
> I would like administradores group to have all the permissions over
> contacts group. I have modified the slapd.conf in this way, but it
> doesn't work:
> 
> access to dn=".*,ou=contacts,ou=people,dc=mcm,dc=com"
>        by dn=".*,ou=administradores,ou=people,dc=mcm,dc=com" write
>        by * read

You should consult the fine FAQ - in particular:

"How do I use groups to manage access control?"

http://www.openldap.org/faq/data/cache/52.html

Ciao, Michael.
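
The three forms of the rule discussed in this thread, side by side, as an added slapd.conf example that is not part of either message. It assumes OpenLDAP 2.1 or later, and the group DN cn=admins,ou=groups,dc=mcm,dc=com is a hypothetical groupOfNames entry, not one named in the thread.

```conf
# Added example, not from the original thread.

# 1. The rule from the question. A bare dn= uses the exact (base) style,
#    so ".*,ou=..." is not evaluated as a regular expression and the
#    rule does not select the entries below ou=contacts.
#access to dn=".*,ou=contacts,ou=people,dc=mcm,dc=com"
#       by dn=".*,ou=administradores,ou=people,dc=mcm,dc=com" write
#       by * read

# 2. The same rule with the regex style stated explicitly. ".+," matches
#    only entries below the OU, not the OU entry itself, and "$" anchors
#    the match at the end of the DN.
#access to dn.regex=".+,ou=contacts,ou=people,dc=mcm,dc=com$"
#       by dn.regex=".+,ou=administradores,ou=people,dc=mcm,dc=com$" write
#       by * read

# 3. The subtree style from the reply. It covers the OU entry and
#    everything below it without regex matching. Write access goes to
#    any bound DN located under ou=administradores.
#access to dn.subtree="ou=contacts,ou=people,dc=mcm,dc=com"
#       by dn.subtree="ou=administradores,ou=people,dc=mcm,dc=com" write
#       by * read

# 4. Group-based form, the approach the FAQ entry covers. Write access
#    follows membership of a group entry (hypothetical DN, default
#    objectClass groupOfNames with attribute member), so administrators
#    can live anywhere in the tree.
access to dn.subtree="ou=contacts,ou=people,dc=mcm,dc=com"
        by group.exact="cn=admins,ou=groups,dc=mcm,dc=com" write
        by * read

# "by * read" also applies to anonymous binds. Replace it with
# "by users read" if only authenticated clients should read contacts.
# Continuation lines ("by ...") must begin with whitespace, otherwise
# slapd parses them as separate directives.
```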