I am searching for several days with an issue that I have with writing an acl.
This is my setup:

| \
ou=people ou=group
| |
uid=user1 cn=system-admin
uid=user2 cn=system-passwd

The users (user1, user2, user3 ) having the objectClass: posixAccount.
The groups (system-admin and system-passwd) having the objectClass: groupofUniqueNames

User1 is the uniqueMember of cn=system-admin,ou=group,dc=example,dc=net
User2 is the uniqueMember of cn=system-passwd,ou=group,dc=example,dc=net

a) My setup that I want is that users that are member of cn=system-admin can change the userPassword of all users that are located in ou=people,dc=example,dc=net.

b) All users that are member of cn=system-passwd must also be able to change the userPassword of all users in ou=people BUT EXCEPT the users who are member of the group cn=system-admin.

In my example:
a) user1 can change the passwords of the users: user1, user2 and user3 because user1 is member of cn=system-admin.
b) User2 can change passwords of the users: user2 and user3 but not of user1 because user1 is member of cn=system-admin and user2 isn't it.

Building an ACL with this exception is where I don't know howto do that.
Some help is very welcome.

My ACL without b)
access to dn.subtree="ou=people,dc=example,dc=net" attrs=userPassword
by anonymous auth
by self write
by group/groupOfUniqueNames/uniqueMember="cn=system-admin,ou=Group,dc=example,dc=net" write
by * none

Kind regards,