I am trying to configure acl in such a way users with attribute allowedService with application name can only login to that particular application.

We have users as follows:

dn: ou=People,dc=prime,dc=ds,dc=geo,dc=com

dn: uid=user1,ou=People,dc=prime,dc=ds,dc=geo,dc=com
uid: user1
allowedService: gitlab

dn: uid=user2,ou=People,dc=prime,dc=ds,dc=geo,dc=com
uid: user2
allowedService: zabbix

dn: uid=user3,ou=People,dc=prime,dc=ds,dc=geo,dc=com
objectClass: top
uid: user3
allowedService: zabbix

We created an user as follows:

dn: cn=gitlab,ou=Applications,ou=Groups,dc=prime,dc=ds,dc=geo,dc=com
cn: gitlab
uid: gitlab

Now in application we given the details as follows:
gitlab configuration
base: ou=People,dc=prime,dc=ds,dc=geo,dc=com
uid: uid
bind_dn: cn=gitlab,ou=Applications,ou=Groups,dc=prime,dc=ds,dc=geo,dc=com
password: password

Now in acl we tried various options as follows:

root@geopc:/# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}hdb)' olcAccess
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=ds,dc=geo,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.subtree="ou=Applications,ou=Groups,dc=prime,dc=ds,dc=geo,dc=com" by self write by * write
olcAccess: {3}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" by self write by * auth
olcAccess: {4}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" filter="(allowedService=gitlab)" by dn.exact="cn=gitlab,ou=Applications,ou=Groups,dc=prime,dc=ds,dc=geo,dc=com" write by self write

But with this no user can able to login. But we change olcAccess: {3}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" by self write by * write , all users can login.

But actually we need is only the user1 need only to login to gitlab application. And the users user2 and user3 need only to login to zabbix application

Can anyone please help me to configure acl for this. Thanks in advance.

Thanks
Geo