Hi,
thanks for your answer but my chiefs are not in a separate group; the directory looks like this:
+ dc=example,dc=com
|
--- ou=groups
|   |
|   --- cn=group_1 (objectClass = posixGroup, members by attribute "memberUid")
|   |   ...
|   --- cn=group_i
|
--- ou=persons
    |
    --- uid=person_1 (objectClass ~ inetOrgPerson, groups by attribute "groupesTravail")
    |   ...
    --- uid=person_j
* posixGroup and memberUid (== users' uid) are compulsory to use the directory for typo3 authentication.
* There is no posixAccount objectClass for the persons' entries, as they have no login account on the server.
* I use a "groupesTravail" multivalued attribute instead of the standard gidNumber, as my users may belong to more than one group (of persons who work on the same theme).
* The "chiefs" are the persons I want to grant write access to ou=groups, so they can add or delete a uid when a user registers with or quits some group. Their groupesTravail attribute contains the value 1200.

So, the filter behavior I am trying to get for the <who> clause is:

(&(objectClass=inetOrgPerson)(groupesTravail=1200))
I hope this is clearer, and that someone has a solution :-)
Thanks!
openldap-software@openldap.org