# slapd access control list. slapd applies the first "access to" clause whose
# target matches, and within it the first matching "by" clause, so the order
# of the rules below is significant.
# Layout note: slapd.conf unwraps continuation lines (lines starting with
# whitespace) before it strips comments, so keep every comment at column 0
# and never place one between an "access to" line and its "by" lines.

# Exceptions: no restrictions for administrators, applications...
# "access to *" covers every entry and every attribute, userPassword included:
# members of ldap-admins may write anything and members of ldap-readers may
# read anything, stored password values included.
# "by * break" sends everyone else on to the rules that follow.
# NOTE(review): confirm ldap-readers really needs userPassword values; if not,
# a narrower userPassword rule has to come before this one.
# NOTE(review): group= defaults to groupOfNames/member; confirm both group
# entries use that objectClass, otherwise these clauses never match.
access to *
    by group="cn=ldap-admins,ou=groups,dc=univ-x,dc=fr" write
    by group="cn=ldap-readers,ou=groups,dc=univ-x,dc=fr" read
    by * break

# No access to inactive accounts: entries with a supannRessourceEtat value
# starting with "{COMPTE}I" are hidden from everyone who reaches this rule.
# Nobody can bind as such an account either, since auth access is denied too.
access to filter="(supannRessourceEtat={COMPTE}I*)"
    by * none

# No authentication for suspended accounts: for entries with a value starting
# with "{COMPTE}S", userPassword is denied to everyone, "auth" included, so
# binds checked against userPassword fail. The other attributes of these
# entries stay readable through the final rule.
# NOTE(review): this only blocks binds that rely on userPassword; confirm no
# other authentication path applies to suspended accounts.
access to filter="(supannRessourceEtat={COMPTE}S*)" attrs=userPassword
    by * none

# Otherwise: authentication against userPassword. The owner may change it,
# anonymous clients may only use it to bind, everyone else gets nothing.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# And read access to everything else. "by *" includes anonymous clients, so
# every attribute not matched above is readable without authentication.
# NOTE(review): confirm this is intended; any other sensitive attribute needs
# its own rule above this one.
access to *
    by * read