uri_gr1@tut.by writes:
I tested the ACLs below: (...) But it didn't work. Access to ou=Clients,ou=AddressBook,dc=tut,dc=by is restricted for everyone.
Sorry, I forgot to quote the gidNumber values. Literal values in sets are quoted with [].
Also, you asked for different access than you actually wanted. Read man slapd.access: only the first "to" clause that matches what you want to access is used. Your first "access" clause hid all the others, since they had the same "to". Similarly, within the chosen "to" clause, only the first "by" clause that matches who is accessing is used.
There are keywords to avoid these rules ("break", "continue", "stop"), but you don't need them for this.
So, let me try again (still untested, hope I'm getting it right this time) -
    access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
        by dn.onelevel=ou=People,dc=tut,dc=by
            set.exact="self/gidNumber & ([10003] | [10007] | [10008])" write
        by dn.exact=cn=admin,ou=Groups,dc=tut,dc=by write
        by dn.exact=cn=manager,ou=Groups,dc=tut,dc=by write
        by dn.exact=cn=seller,ou=Groups,dc=tut,dc=by write
        by * none
BTW, do you really bind as e.g. "cn=seller,ou=Groups,dc=tut,dc=by", or is that the name of a group, as it looks like?
Is it possible to write some ACLs like: by filter="(&(objectclass=posixAccount)(gidNumber=10008))" ...
Not directly, but that's in practice what the "set" ACLs emulate: by set.exact="self/objectClass & [posixAccount]" set.exact="self/gidNumber & [10008]" (with multiple rules in a "to" and "by" clause there is an implicit "and" between them.)
Sets are still marked "experimental" though. And they are less efficient than rules that have logic better built in. They are described here in the FAQ: http://www.openldap.org/faq/data/cache/1133.html
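The following slapd.conf fragment is an added illustration of the two points made in this reply; it is not from the original message or from the OpenLDAP project. The "before" part is constructed to reproduce the shadowing problem described above (several "access" directives with the same "to" clause; the poster's actual ACLs are elided in the thread). The DNs reuse those from the thread, ou=Suppliers is a constructed second target, and the group.exact alternative assumes the cn=admin/manager/seller entries are groupOfNames entries, which the thread asks about but does not confirm.

```conf
# BEFORE (constructed): three "access" directives for the same target.
# slapd uses only the first "to" clause that matches the entry being
# accessed, so directives 2 and 3 are never consulted. Anyone who is not
# in the gidNumber set falls through to the "by * none" of directive 1,
# including cn=admin and cn=seller.
access to dn.subtree="ou=Clients,ou=AddressBook,dc=tut,dc=by"
    by dn.onelevel="ou=People,dc=tut,dc=by"
        set.exact="self/gidNumber & ([10003] | [10007] | [10008])" write
    by * none
access to dn.subtree="ou=Clients,ou=AddressBook,dc=tut,dc=by"
    by dn.exact="cn=admin,ou=Groups,dc=tut,dc=by" write
    by * none
access to dn.subtree="ou=Clients,ou=AddressBook,dc=tut,dc=by"
    by dn.exact="cn=seller,ou=Groups,dc=tut,dc=by" write
    by * none

# AFTER: one "to" clause for the target, with all the "by" clauses under it.
# Within the clause, the first "by" whose "who" part matches the bound DN
# decides; "by * none" is last so it only catches everyone else.
access to dn.subtree="ou=Clients,ou=AddressBook,dc=tut,dc=by"
    by dn.onelevel="ou=People,dc=tut,dc=by"
        set.exact="self/gidNumber & ([10003] | [10007] | [10008])" write
    by dn.exact="cn=admin,ou=Groups,dc=tut,dc=by" write
    by dn.exact="cn=manager,ou=Groups,dc=tut,dc=by" write
    by dn.exact="cn=seller,ou=Groups,dc=tut,dc=by" write
    by * none

# If cn=admin/manager/seller are groupOfNames entries rather than DNs you
# actually bind as (assumption; see the question above), match on group
# membership instead of on the bound DN, e.g.:
#   by group.exact="cn=seller,ou=Groups,dc=tut,dc=by" write

# Emulating by filter="(&(objectclass=posixAccount)(gidNumber=10008))":
# two "who" rules in one "by" clause are AND-ed, so both sets must be
# non-empty for the clause to match. This goes on a different "to" target
# (ou=Suppliers is constructed); a second directive with the same "to" as
# the one above would be shadowed exactly like the "before" case.
access to dn.subtree="ou=Suppliers,ou=AddressBook,dc=tut,dc=by"
    by set.exact="self/objectClass & [posixAccount]"
       set.exact="self/gidNumber & [10008]" write
    by * none
```

Lines beginning with whitespace are continuation lines in slapd.conf, so each directive above is one logical line. Check the result with slapd's ACL tracing (loglevel acl, or slapacl in newer releases) before relying on it; as the reply notes, these are untested.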