We've got LDAP ACLs to restrict who can make changes to a group, like this one:

to dn.sub="ou=groups,dc=example,dc=com"
    by dnattr="owner" write
    by set="this/owner/member & user" write
    by users none
    by * none

so that both direct owners and people in groups that are owners can modify the group they own.

This works really well but now I want to list all of the groups that a DN matches against as an owner.

For direct owners, that is simple enough, but where someone is in a group and that group is an owner, it becomes trickier.

Is there a way of performing an LDAP search that does the equivalent of the ACL (or something like it) to tell me which groups can be written to for a given DN?

Regards

Philip
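
One way to get the list the question asks for, as an added example that is not part of the original post: mirror the ACL's two write clauses with two searches, first finding the groups the DN is a member of, then finding the groups under ou=groups whose owner is either the DN itself or one of those groups. The `search` callable, the `fake_search` stand-in and the sample directory are assumptions constructed for illustration; like the set clause, the lookup follows only one level of group membership.

```python
import re

GROUP_BASE = "ou=groups,dc=example,dc=com"  # subtree named in the ACL

def esc(value):
    """Escape a value for an RFC 4515 search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def member_filter(user_dn):
    # Step 1: groups the user belongs to (the "owner/member & user" half).
    return "(member=%s)" % esc(user_dn)

def owner_filter(user_dn, group_dns):
    # Step 2: owner is the user (dnattr clause) or one of the user's groups (set clause).
    owners = [user_dn] + sorted(group_dns)
    return "(|%s)" % "".join("(owner=%s)" % esc(dn) for dn in owners)

def writable_groups(search, user_dn, member_base):
    """search(base, filter) -> iterable of entry DNs; hypothetical wrapper
    around whatever LDAP client is in use (subtree scope assumed)."""
    member_of = list(search(member_base, member_filter(user_dn)))
    return sorted(search(GROUP_BASE, owner_filter(user_dn, member_of)))

# Constructed sample directory (not from the original post).
DIRECTORY = {
    "cn=admins,ou=groups,dc=example,dc=com": {
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
        "owner": ["uid=carol,ou=people,dc=example,dc=com"]},
    "cn=web,ou=groups,dc=example,dc=com": {
        "member": ["uid=bob,ou=people,dc=example,dc=com"],
        "owner": ["cn=admins,ou=groups,dc=example,dc=com"]},
    "cn=db,ou=groups,dc=example,dc=com": {
        "member": [], "owner": ["uid=alice,ou=people,dc=example,dc=com"]},
    "cn=mail,ou=groups,dc=example,dc=com": {
        "member": [], "owner": ["uid=bob,ou=people,dc=example,dc=com"]},
}

def fake_search(base, flt):
    """Stand-in for a server: ORs together the simple (attr=value) terms."""
    terms = [(a, re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), v))
             for a, v in re.findall(r"\((\w+)=([^()]*)\)", flt)]
    return [dn for dn, attrs in DIRECTORY.items() if dn.endswith(base)
            and any(v in attrs.get(a, []) for a, v in terms)]

if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    print(owner_filter(alice, fake_search("dc=example,dc=com", member_filter(alice))))
    print(writable_groups(fake_search, alice, "dc=example,dc=com"))
```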