Don't know if this is the right place for this question, but anyway:
We have an eDir with ~20 k users in a single ou "Users". While keeping them there I would like a means to pick subsets of these (we can call it "Groups") and then let one particular user in the ou=Users see and perhaps modify the members of this subset. This particular user might or might not be a member of the subset. Normally users in the ou=Users should not be able to see each other at all, which is the way things are now.
My first idea was of course to set up dynamic groups and populate them with simple LDAP selections. The dynamic groups work fine but alas, rights to this group obviously mean rights to the MEMBERS of the group.
Next idea was to create ordinary static groups and populate them by croning LDAP scripts. But then it appears that rights to a static group do not mean rights to the group members either.
This eDir is used by several external services, which is why we want to keep the ou structure flat. I just thought that giving a person browse rights to a group would have the same effect as giving browse rights to an ou, but this is apparently not the case.
All I want is to hand out the right to see and maybe modify properties of the students to the few persons that are in charge of them.
Is there another way to accomplish this except creating an ou structure?