Hi everyone!

For compatibility reasons I had to change the way I store my user's password in LDAP from SSHA to plaintext and now I want to try to restrict the access to some attributes while I find a better solution.
My ldap tree is something like this:

dc=domain,dc=com
    cn=freeradius
    cn=diradmin
    cn=readonly
    cn=user1
    o=company1
        cn=admins_company1 (member: uid=user1 and uid=user6)
        ou=users
            uid=user1
            uid=user2
        ou=groups
            cn=company1_group1
            cn=company1_group2
    o=company2
        cn=admins_company2
        ou=users
            uid=user3
            uid=user4
        ou=groups
            cn=company2_group1
            cn=company2_group2
    o=company3
        cn=admins_company3
        ou=users
            uid=user5
            uid=user6
        ou=groups
            cn=company2_group1
            cn=company2_group2

    o=user1subtree
        ou=users
            uid=user15
            uid=user62
        ou=groups
            cn=group1
            cn=group2

HERE THE PERMISSION I WANT TO GRANT

all the users can modify their own attributes
user cn=freeradius is used by freeradius to auth the users on the 802.11x wi-fi. It should read all the tree including the userPassword attribute
user cn=diradmin is the rootdn
cn=readonly can read the whole tree but not the userPassword attribute
cn=user1 can read the whole directory (not the userPassword attribute) and write in his own subtree (o=user1subtree)
uid=user1 and uid=user6 are company1's administrators, so they can write in whole o=company1 subtree

the number of companies changes often and so I can't statically define an ACL for accessing a subtree



I wrote the following ACL (but is the first time) are them correct or I'm missing something?
The regex is expensive (any search in the tree takes a lot of time) but works, how can I optimize it?

{0}to attrs=userPassword by self =xw by dn="cn=freeradius,dc=domain,dc=com" read by anonymous auth by * none
{1}to attrs=shadowLastChange by self write by * read
{2}to dn.subtree="o=user1subtree,dc=domain,dc=com" by dn="cn=user1,dc=domain,dc=com" write
{3}to dn.regex="o=(.+),dc=domain,dc=com$" by group.expand="cn=admins_$1,o=$1,dc=domain,dc=com" write by dn="cn=user1,dc=domain,dc=com" read by dn="cn=freeradius,dc=domain,dc=com" read  by self write
{4}to * by dn="cn=user1,dc=domain,dc=com" read by dn="cn=freeradius,dc=domain,dc=com" read by * read by self write by anonymous auth


Thanks!
--

Alberto Aldrigo