> 1.1 [...]: I have no idea if this is even possible, let alone how to > achieve it.
Just figured out a part of this. Since ACLs seem to apply to new entries before they are even in the database, I just need to restrict access to 'attrs=entry' to the group manager. Since 'UDBgrpAdmin' is a single-valued attribute, there can be no other value than the DN of the creator. But that still doesn't prevent non-creator DNs in the 'member' attribute... Updated ACLs: <http://openldap.pastebin.com/VCxM7YzL> Regards, Christian Manal
