Dominic Cleal's Blog

Handy OpenDS ACI snippet for reading groups
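A little ACI snippet for OpenDS (the open source LDAP server from Sun) that allows members of a group to read/search/compare the group entry and its attributes, except 'member', only if they are a member of the group itself (or of a descendant group). The first ACI matches users listed directly in 'member' (USERDN); the second matches users who belong to a group listed in 'member' (GROUPDN).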

(targetattr!="member")(version 3.0; acl "Group membership read"; allow (read,search,compare) userattr="member#USERDN";)
(targetattr!="member")(version 3.0; acl "Group membership read"; allow (read,search,compare) userattr="member#GROUPDN";)
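
A simplified Python model of how these two ACIs evaluate, added here as an illustration (it is not OpenDS code and not part of the original post). The DNs, the sample entries, the one-level group lookup and the crude DN normalisation are all assumptions.

```python
# Simplified model of how the two ACIs above are evaluated; not OpenDS code.
# All DNs and entries below are constructed sample data.

DENIED_ATTRS = {"member"}                       # (targetattr!="member")
GRANTED_RIGHTS = {"read", "search", "compare"}  # allow (read,search,compare)

DIRECTORY = {
    "cn=ops,ou=groups,dc=example,dc=com": {
        "cn": ["ops"],
        "description": ["Operations team"],
        "member": ["uid=alice,ou=people,dc=example,dc=com",
                   "cn=oncall,ou=groups,dc=example,dc=com"],
    },
    "cn=oncall,ou=groups,dc=example,dc=com": {
        "cn": ["oncall"],
        "member": ["uid=bob,ou=people,dc=example,dc=com"],
    },
}

def norm(dn):
    """Crude DN normalisation (assumption): lower-case, no spaces after commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def userattr_userdn(bind_dn, entry):
    # userattr="member#USERDN": the bind DN equals a 'member' value on the target.
    return norm(bind_dn) in {norm(v) for v in entry.get("member", [])}

def userattr_groupdn(bind_dn, entry):
    # userattr="member#GROUPDN": a 'member' value names a group containing the bind DN.
    # Only one level of nesting is modelled here (assumption).
    for value in entry.get("member", []):
        group = DIRECTORY.get(norm(value))
        if group and userattr_userdn(bind_dn, group):
            return True
    return False

def readable_attrs(bind_dn, target_dn, right="read"):
    """Attributes the two ACIs expose on target_dn to bind_dn (default deny)."""
    entry = DIRECTORY.get(norm(target_dn))
    if entry is None or right not in GRANTED_RIGHTS:
        return set()
    if not (userattr_userdn(bind_dn, entry) or userattr_groupdn(bind_dn, entry)):
        return set()
    return set(entry) - DENIED_ATTRS
```

In this model a member of the parent group gets nothing on the nested group's entry, because the bind rule is evaluated against the 'member' values of the entry being read.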

Many thanks to Ludovic Poitou for his time and assistance on #opends!