Thanks for your answer, but my chiefs are not in a separate group; the
directory looks like this:
| --- cn=group_1 (objectClass = posixGroup, members by attribute
| | ...
| --- cn=group_i
--- uid=person_1 (objectClass ~ inetOrgPerson, groups by attribute
* posixGroup and memberUid(== users' uid) are compulsory to use the
directory for TYPO3 authentication.
* there is no posixAccount objectClass for the persons' entries as they
have no login account on the server
* I use a "groupesTravail" multivalued attribute instead of the standard
gidNumber as my users may belong to more than one group (of persons who
work on the same theme)
* the "chiefs" are the persons I want to grant write access to
ou=groups, so they can add or delete a uid when a user registers with or
quits some group. Their groupesTravail attribute contains the value 1200.
So, the filter behavior I am trying to get for the <who> clause is:
I hope that this is clearer, and that someone has a solution :-)