The access control instructions (ACIs) below grant members of the cn=admins,ou=groups,dc=example,dc=com group these permissions:

  • Add, modify, and delete entries
  • Reset passwords
  • Read operational attributes, such as isMemberOf and password policy state

aci: (targetattr="+")(version 3.0; acl "Administrators can read, search or compare operational attributes";
 allow (read,search,compare) groupdn="ldap:///cn=admins,ou=groups,dc=example,dc=com";)
aci: (targetattr="*")(version 3.0; acl "Administrators can add, modify and delete entries";
 allow (all) groupdn="ldap:///cn=admins,ou=groups,dc=example,dc=com";)
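
When reviewing a directory for broad grants, it helps to break ACIs like these two into target, permissions and subject. The sketch below is an added example, not code from the directory server or its documentation. The helper names (unfold, parse_acis, broad_grants) are hypothetical, and the pattern covers only the shape shown above: one targetattr target and one groupdn bind rule.

```python
import re

# Constructed input: the two ACIs above, folded as LDIF (continuation = one leading space).
LDIF = '''\
aci: (targetattr="+")(version 3.0; acl "Administrators can read, search or compare operational attributes";
 allow (read,search,compare) groupdn="ldap:///cn=admins,ou=groups,dc=example,dc=com";)
aci: (targetattr="*")(version 3.0; acl "Administrators can add, modify and delete entries";
 allow (all) groupdn="ldap:///cn=admins,ou=groups,dc=example,dc=com";)
'''

ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)\s*'
    r'\(version 3\.0;\s*acl "(?P<name>[^"]*)";\s*'
    r'(?P<kind>allow|deny)\s*\((?P<perms>[^)]*)\)\s*'
    r'groupdn\s*=\s*"(?P<group>[^"]*)"\s*;\s*\)$')

def unfold(ldif):
    """Join LDIF continuation lines to the line they continue."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]      # drop exactly one folding space
        elif raw.strip():
            lines.append(raw)
    return lines

def parse_acis(ldif):
    """Return one dict per aci value; raise on any shape ACI_RE does not cover."""
    acis = []
    for line in unfold(ldif):
        attr, _, value = line.partition(":")
        if attr.strip().lower() != "aci":
            continue
        m = ACI_RE.match(value.strip())
        if m is None:
            raise ValueError("unsupported ACI: " + value.strip()[:50])
        aci = m.groupdict()
        aci["attrs"] = [a.strip() for a in aci["attrs"].split("||")]
        aci["perms"] = [p.strip() for p in aci["perms"].split(",")]
        acis.append(aci)
    return acis

def broad_grants(acis):
    """Names of ACIs that allow (all) on every user attribute ("*")."""
    return [a["name"] for a in acis
            if a["kind"] == "allow" and "all" in a["perms"] and "*" in a["attrs"]]

if __name__ == "__main__":
    print(parse_acis(LDIF), broad_grants(parse_acis(LDIF)))
```

The "*" target matches user attributes and "+" matches operational attributes, which is why the example needs two ACIs. Only the second is reported by broad_grants.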