--On Monday, October 16, 2017 6:05 PM +0200 Ervin Hegedüs
<airween(a)gmail.com> wrote:
>> Hm, yes, that's correct. You'll need to do something like utilize by *
>> break appropriately, or have multiple "access to userPassword" ACLs by
>> group, then a catchall after that.
> I'm sorry - could you give me an example?
Sure, no problem. :)
One way to do it is to have an access line per subtree for those
attributes, adding the group permission, with a final access to just
userPassword itself limiting off all other access for anything outside of
those trees:
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu" write
... Additional subtree ACLs with groups for userPassword/shadowLastChange access ...
olcAccess: {#}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
olcAccess: {#}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu" write by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
olcAccess: {#}to * by * read
The other option is to use "by * break", which tells slapd to continue
processing additional rules. If you do that, you'll need to be
particularly careful not to give access beyond what you intended. For that
purpose, I added a final ACL rule that says zero access to userPassword
prior to the "* by * read" ACL.
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read by * break
olcAccess: {1}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu" write by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
... Additional subtree ACLs with groups ...
olcAccess: {#}to attrs=userPassword by * none
olcAccess: {#}to * by * read
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
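As an added illustration (my own Python, not code from Quanah's mail or from OpenLDAP): a toy model of slapd's first-match ACL evaluation run over the "by * break" rule set above, with and without the closing "attrs=userPassword by * none" rule, to show what that rule stops the "* by * read" catchall from granting. The user DNs alice, bob and admin1 are constructed for the example.

```python
# Added example, not from the original mail: a toy model of slapd's first-match
# ACL evaluation for the "by * break" variant. All entry DNs are constructed.
BASE = "dc=core,dc=hdt,dc=hu"
ABC = f"ou=ABC Customer,{BASE}"
REPUSER = f"uid=repuser,{BASE}"
ABC_ADMINS = f"cn=groupabcadmin,{ABC}"
ALICE = f"uid=alice,{ABC}"          # constructed user under ABC Customer
BOB = f"uid=bob,ou=People,{BASE}"   # constructed user outside every customer subtree
ADMIN = f"uid=admin1,{ABC}"         # constructed member of groupabcadmin

# One tuple per olcAccess value: (dn.children subtree or None, attrs or None, [(who, access)]).
ACLS_WITH_DENY = [
    (None, {"userPassword", "shadowLastChange"},
     [("self", "write"), ("anonymous", "auth"), (REPUSER, "read"), ("*", "break")]),
    (ABC, None, [("self", "write"), (ABC_ADMINS, "write"), (REPUSER, "read")]),
    (None, {"userPassword"}, [("*", "none")]),  # the final "userPassword by * none" rule
    (None, None, [("*", "read")]),
]
ACLS_WITHOUT_DENY = ACLS_WITH_DENY[:2] + ACLS_WITH_DENY[3:]  # same set minus the deny rule

def who_matches(who, bind_dn, groups, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    lower_groups = {g.lower() for g in groups}           # group.exact membership
    return who.lower() == (bind_dn or "").lower() or who.lower() in lower_groups

def evaluate(acls, bind_dn, groups, entry_dn, attr):
    """Access slapd grants: first matching 'to' clause, then its first matching 'by'."""
    for subtree, attrs, by_clauses in acls:
        if subtree is not None and not entry_dn.lower().endswith("," + subtree.lower()):
            continue                      # dn.children: entry must lie below the subtree
        if attrs is not None and attr not in attrs:
            continue
        for who, access in by_clauses:
            if who_matches(who, bind_dn, groups, entry_dn):
                if access == "break":
                    break                 # leave this clause and keep evaluating
                return access
        else:
            return "none"                 # matched 'to', no 'by' matched: implicit deny
    return "none"                         # nothing matched: slapd's default deny

def demo(bind_dn, groups, entry_dn, attr="userPassword"):
    """Result for one request under the rule set with and without the deny rule."""
    return (evaluate(ACLS_WITH_DENY, bind_dn, groups, entry_dn, attr),
            evaluate(ACLS_WITHOUT_DENY, bind_dn, groups, entry_dn, attr))
```

demo(ADMIN, {ABC_ADMINS}, BOB) returns ("none", "read"): without the deny rule, the break in rule {0} lets an ABC admin's request for a password outside the ABC subtree fall through to the "* by * read" catchall.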