<quote who="Alina Dubrovska">
Gavin,
Thank you for the reply and the suggestion about support services! However, I'm hoping that somebody on the list is familiar with the sets syntax for defining an ACL and would be able to determine whether an ACL like this is correct:
access to attrs=employeeType,employeeNumber by self write by set="[cn=System Administrator,ou=groups,dc=domain,dc=com]/uniqueMember* & user" write by * read
Switch on ACL debugging and run slapd by hand to check.
So, we have a parent group (groupOfUniqueNames, "System Administrator") and all its members should be granted permission to modify specific attributes. Then we need the ability to add new child groups at runtime, so that all child group members are automatically granted the same set of permissions as the parent group. Without modifying slapd.conf and restarting the server, of course.
Probably there is some important nuance in the sets syntax, or maybe there is another alternative solution?
Because, as I mentioned, with the stated ACL we have performance issues on one OpenLDAP instance and a fatal crash on another...
Sets are somewhat experimental.
Well, crashes shouldn't happen, so that should be a bug report via http://www.openldap.org/its.
Please read http://www.openldap.org/doc/admin24/troubleshooting.html for submitting proper bug reports.
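As an added example (not from either message in the thread, and not OpenLDAP project code), here is the same grant written with the documented `group` ACL clause from slapd.access(5) instead of a set. The group DN and attribute list are taken from the ACL quoted above; the child-group DN is a placeholder. The `group` clause checks direct membership only and does not expand nested groups, so each child group needs its own `by group/...` line (this is the limitation the set expression was trying to work around).

```conf
# Added example: group-clause equivalent of the set-based ACL discussed above.
# Assumed: groups are groupOfUniqueNames entries under ou=groups,dc=domain,dc=com.
# "cn=CHILD-GROUP-PLACEHOLDER" stands in for each child group added later.
access to attrs=employeeType,employeeNumber
    by self write
    by group/groupOfUniqueNames/uniqueMember="cn=System Administrator,ou=groups,dc=domain,dc=com" write
    by group/groupOfUniqueNames/uniqueMember="cn=CHILD-GROUP-PLACEHOLDER,ou=groups,dc=domain,dc=com" write
    by * read
```

When slapd is configured through cn=config rather than slapd.conf, the same rule is a single `olcAccess` value on the database entry and can be replaced with ldapmodify while the server is running, which avoids the restart. To verify a rule before deploying it, `slapacl -D <bindDN> -b <targetDN> employeeType/write` evaluates the ACLs offline against the configuration, and running `slapd -d acl` by hand (as suggested above) prints each ACL decision as requests arrive.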