Poul Etto wrote:

Thank you for all the information, even if it is going a bit far from the
initial question...
To clarify the problem, I will try to show what we are doing, you will find
here attached an image file that goes with following explanation:

There are "u" user accounts on the ldap server
We have a number of "s" services that use LDAP to manage user account.
Each service has particular attributes
Each service must be able to access only it's information
Basic services use only the information contained in the standard LDAP
useraccount
Advanced services have dedicated OUs with special attributes

It is important that each service can accees in RO (no modification) to
only it's information.
That's why we made our LDAP as it is in the attached picture.

To simplify usage of services for each user, we decided to duplicate the
"password" field between the different OUs, that's why I came here to ask
about aliases.

If ever you are sure that there is a cleaner way to do the things (that
isn't too heavy to setup), we will be glad to have more technical and
logical explanations.

Can all be done with appropriate ACLs without aliases. Make sure your services authenticate when binding to slapd.

But I can't tell whether it "isn't too heavy" for you. Of course you would have to dive into the ACLs docs.

Ciao, Michael.