De Debian Wiki :
Since version 2.4.23-3 the configuration of OpenLDAP has been changed to /etc/ldap/slapd.d by default.
Então, o OpenLDAP permite se configurar dinamicamente através da árvore 'cn = config' .
Você pode listar o DN em cn = config e ver algo assim:
sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config dn
...
# {1}hdb, config
dn: olcDatabase={1}hdb,cn=config
...
sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config 'olcDatabase={1}hdb'
# {1}hdb, config
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=nodomain
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
s auth by dn="cn=admin,dc=nodomain" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=nodomain" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=nodomain
olcRootPW: {SSHA}_skip_
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
O atributo oclAccess é o que você precisa.
Vamos adicionar novas regras de ACL ao banco de dados dc = nodomain .
Crie um arquivo ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to dn.base="cn=test,dc=nodomain" by * read
Vu a la:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/test.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"
sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config 'olcDatabase={1}hdb'
...
olcAccess: {3}to dn.base="cn=test,dc=nodomain" by * read