# slapd.conf access control rules for the o=ls tree.
#
# Evaluation order is significant: slapd applies the first "access to" directive
# whose target matches the entry/attribute, and inside that directive the first
# matching "by" clause decides. Do not reorder directives or "by" clauses.
# Access levels are cumulative: "write" also grants read, search, compare and auth.
# group/lsgroup/uniqueMember="<dn>" matches a bound DN listed in the uniqueMember
# attribute of the lsgroup entry <dn>.
# Keep comments above a directive, never between its indented continuation lines:
# a "#" line there would end the directive and swallow the "by" clauses after it.

## Root
# Root entry: admins and the ldapsaisie service account write; everyone else,
# including anonymous binds ("by * read"), reads.
access to dn.regex="^o=ls$" attrs="entry,children,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=ldapsaisie,ou=sysaccounts,o=ls" write
    by users read
    by * read

## Groups
### Entries are added by the admins
# "children" on the container controls adding/removing entries below ou=groups.
access to dn.regex="^ou=groups,o=ls$" attrs="children,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=ldapsaisie,ou=sysaccounts,o=ls" write
    by users read
    by * none

access to dn.regex="^cn=[^,]+,ou=groups,o=ls$" attrs="entry,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=ldapsaisie,ou=sysaccounts,o=ls" write
    by users read
    by * none

### Admins can modify everything, authenticated users can see everything
# No attrs= list: applies to every attribute of a group entry not matched above.
access to dn.regex="^cn=[^,]+,ou=groups,o=ls$"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=ldapsaisie,ou=sysaccounts,o=ls" write
    by users read
    by * none

## People
### Entries are added by the admins
# NOTE(review): unlike ou=groups, the two rules below end with "by * read", so
# anonymous binds can read entry/objectclass of the container and of every
# uid=...,ou=people entry (the DN itself carries the uid, although the uid
# attribute is "by * none" further down). Confirm this exposure is intended.
access to dn.regex="^ou=people,o=ls$" attrs="children,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=ldapsaisie,ou=sysaccounts,o=ls" write
    by users read
    by * read

access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="entry,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=ldapsaisie,ou=sysaccounts,o=ls" write
    by users read
    by * read

### Admins can modify the password, samba can update it, others may only use it to authenticate
# "by anonymous auth" lets an unauthenticated connection use the value for a bind
# without reading it; "by * none" denies everyone else.
# NOTE(review): "write" implies read, so the admin group, uid=samba, uid=ldapsaisie
# and the owner can also read the stored userPassword value. If a writer never
# needs to read it back, a write-only privilege (e.g. "=w") is tighter -- verify
# against what each client actually does before changing.
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="userPassword"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=samba,ou=sysaccounts,o=ls" write
    by dn="uid=ldapsaisie,ou=sysaccounts,o=ls" write
    by self write
    by anonymous auth
    by * none

# Service accounts under ou=sysaccounts: there is no "by self" clause, so an
# account cannot change or read its own password; only admins and ldapsaisie
# can write it.
access to dn.regex="^uid=[^,]+,ou=sysaccounts,o=ls$" attrs="userPassword"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=ldapsaisie,ou=sysaccounts,o=ls" write
    by anonymous auth
    by * none

### Admins can modify these attributes, authenticated users can see them
# Account/POSIX/Samba identity attributes: not self-writable, hidden from anonymous.
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="uid,lsallowedservices,uidNumber,gidNumber,homeDirectory,loginShell,sambaSID,sambaAcctFlags,sambaPrimaryGroupSID"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=ldapsaisie,ou=sysaccounts,o=ls" write
    by users read
    by * none

### Admins can modify these attributes, so can the owner, so can samba
# The Samba LM/NT hashes are password-equivalent, so read access must stay as
# narrow as userPassword; other authenticated users and anonymous get "none".
# NOTE(review): as above, every "write" here also grants read of the hashes.
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="sambaLMPassword,sambaNTPassword"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=ldapsaisie,ou=sysaccounts,o=ls" write
    by dn="uid=samba,ou=sysaccounts,o=ls" write
    by self write
    by * none

### Admins can modify these attributes, so can the owner, authenticated users can see them
# NOTE(review): the heading says authenticated users, but the final "by * read"
# also grants anonymous binds read access to these personal attributes (name,
# postal address, phone numbers, mail, photo). Confirm that is intended; the
# rules for groups and for the account attributes above use "by * none" instead.
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="c,cn,jpegPhoto,personalTitle,sn,givenName,postalAddress,postalCode,l,st,telephoneNumber,mobile,fax,mail,description"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=ldapsaisie,ou=sysaccounts,o=ls" write
    by self write
    by users read
    by * read

## Authenticated users can see the nodes and admins can add some
# Fallback for the "entry" pseudo-attribute of any entry not matched above.
access to * attrs="entry"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=ldapsaisie,ou=sysaccounts,o=ls" write
    by users read
    by * none

## Everything else
# Catch-all: anything not matched by an earlier rule is writable by admins and
# ldapsaisie only, and invisible to everyone else. Must remain the last rule.
access to *
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=ldapsaisie,ou=sysaccounts,o=ls" write
    by * none