I have been searching for several days on an issue I have with writing an ACL.
This is my setup:
The users (user1, user2, user3) have the objectClass posixAccount.
The groups (system-admin and system-passwd) have the objectClass groupOfUniqueNames.
User1 is the uniqueMember of cn=system-admin,ou=group,dc=example,dc=net
User2 is the uniqueMember of cn=system-passwd,ou=group,dc=example,dc=net
a) What I want is that users who are members of cn=system-admin can change the userPassword of all users located in ou=people,dc=example,dc=net.
b) All users who are members of cn=system-passwd must also be able to change the userPassword of all users in ou=people, BUT NOT of the users who are members of the group cn=system-admin.
In my example:
a) user1 can change the passwords of the users user1, user2 and user3, because user1 is a member of cn=system-admin.
b) user2 can change the passwords of the users user2 and user3, but not of user1, because user1 is a member of cn=system-admin and user2 isn't.
Building an ACL with this exception is where I don't know how to do it.
Some help is very welcome.
My ACL without b):
access to dn.subtree="ou=people,dc=example,dc=net" attrs=userPassword
    by anonymous auth
    by self write
    by group/groupOfUniqueNames/uniqueMember="cn=system-admin,ou=Group,dc=example,dc=net" write
    by * none
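One way to express the exception in b), as an added example that is not part of the original post: slapd evaluates the "by" clauses of an access directive in order and applies the first one that matches, so a clause that matches target entries listed as uniqueMember of cn=system-admin can deny access before the cn=system-passwd clause is reached. It assumes the "set" ACL style documented in slapd.access(5) is available in your build; "this" stands for the entry being accessed and "[dn]/uniqueMember" for the uniqueMember values of that group entry.

```conf
# slapd.conf style access directive (added example, assumes set-style ACLs)
access to dn.subtree="ou=people,dc=example,dc=net" attrs=userPassword
    # Unauthenticated binds may only use userPassword for authentication.
    by anonymous auth
    # Everyone may change their own password (matched before any group test).
    by self write
    # a) Members of system-admin may change any password under ou=people.
    by group/groupOfUniqueNames/uniqueMember="cn=system-admin,ou=group,dc=example,dc=net" write
    # Exception for b): if the TARGET entry ("this") is itself a uniqueMember
    # of system-admin, deny here. Admins never reach this clause because
    # the previous one already granted them write; everyone else is stopped.
    by set="this & [cn=system-admin,ou=group,dc=example,dc=net]/uniqueMember" none
    # b) Members of system-passwd may change the remaining (non-admin) passwords.
    by group/groupOfUniqueNames/uniqueMember="cn=system-passwd,ou=group,dc=example,dc=net" write
    # Default: no access at all to userPassword.
    by * none
```

With this ordering, user2 writing user1's userPassword hits the set clause and is denied, while user2 writing user3's userPassword falls through to the system-passwd clause and is allowed; verify with `slapacl -b "uid=user1,ou=people,dc=example,dc=net" -D "uid=user2,ou=people,dc=example,dc=net" userPassword/write` before relying on it.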