The following is a sample list of group based ACIs that might be created for an OU that contains employee accounts:

dn: ou=people,ou=internal,dc=example,dc=com

aci: (target = 
"ldap:///ou=people,ou=internal,dc=example,dc=com")(targetattr = "* || +") (version 3.0; acl "IP1 read internal people ou"; allow 

aci: (target = 
"ldap:///ou=people,ou=internal,dc=example,dc=com")(targetattr != "userpassword || authpassword") (version 3.0; acl "IP2 write internal people"; allow (write) (groupdn="ldap:///cn=ADM-InternalPeopleUpdate,ou=groups,ou=admins,dc=example,dc=com");)

aci: (target = "ldap:///ou=people,ou=internal,dc=example,dc=com")(targetattr = "userpassword || authpassword") (version 3.0; acl "IP3 password update internal people"; allow (write) 

aci: (target = "ldap:///ou=people,ou=internal,dc=example,dc=com") (version 3.0; acl "IP4 add internal people"; allow (add) 

aci: (target = "ldap:///ou=people,ou=internal,dc=example,dc=com") (version 3.0; acl "IP5 delete internal people"; allow (delete) 

aci: (target = "ldap:///ou=people,ou=internal,dc=example,dc=com") (version 3.0; acl "IP6 move branch internal people"; allow 

In this example, if we wanted to give the help desk the ability to search for user accounts, read user accounts, and reset passwords, we would place the help desk users into the following groups (either directly or, more likely, by creating a help desk group and nesting it into these groups):

  • ADM-InternalPeopleRead
  • ADM-InternalPeoplePwdReset

With descriptive group names, this makes the determination of a user’s rights to the directory intuitively obvious.

One further item to note is that the ACI that grants write access to userPassword (IP3) will need to be used in conjunction with the password-reset privilege before the help desk user can reset an employee’s password. In the Privileges best practices section, there is an example virtual attribute that is used to assign the password-reset privilege to users that are direct or indirect members of the group ADM-PasswordReset.

To enable help desk users to reset the passwords of employees, those help desk users would need to be added to ADM-InternalPeoplePwdReset, which grants write access to userPassword. Then you would need to nest the ADM-InternalPeoplePwdReset group into the ADM-PasswordReset group that is used by that virtual attribute, which will grant those help desk users the password-reset privilege.