Hello,
What you have (below) should work, restricting the user 'testUsers' to updating only the defined 'subtree' of the DIT (Directory Information Tree):
set admin-user "testUsers OU Read Access" = {
    user=<dc "org"><dc "company"><ou "admins"><commonName "testUsers">
    subtree = <dc "org"><dc "company"><ou "external"><ou "PrivilegedUsers">
};
One thing to make sure of here is that you have the user defined with 'cn' (commonName) and not with 'uid'. As there are no checks made on the Access Control Rules that you define, I have seen this in the past.
e.g. you have the above defined, but the actual user you log in as via an LDAP browser is "uid=testUsers,ou=admins,dc=company,dc=org". As you can see, the defined ACL/ACI looks for 'cn=testUsers' while the actual user is 'uid=testUsers', hence it never blocks this user from updating any other DIT values.
-Hitesh
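The mismatch Hitesh describes (the ACL names cn=testUsers, the user binds as uid=testUsers, so the rule silently never applies) can be caught before deployment by comparing the ACL subject RDN by RDN against the DN the user really binds with. The script below is an added example, not code from the original post or from any directory product. It assumes the angle-bracket form shown above, where each <attr "value"> token is one RDN written root-first, that commonName is the RFC 4519 long name of cn, and that DNs use single-valued RDNs without escaped commas; the sample ACL text is the block from the post, embedded so the script runs offline.

```python
"""Added example: audit an admin-user ACL subject against the real bind DN,
and check whether a target entry falls under the ACL's subtree."""
import re

# Constructed sample: the ACL block from the post, embedded so this runs offline.
SAMPLE_ACL = '''set admin-user "testUsers OU Read Access" = {
    user=<dc "org"><dc "company"><ou "admins"><commonName "testUsers">
    subtree = <dc "org"><dc "company"><ou "external"><ou "PrivilegedUsers">
};'''

# Long attribute-type names and their short forms (RFC 4519). Assumption: the
# directory treats these as the same attribute type; extend for your schema.
ALIASES = {
    "commonname": "cn",
    "userid": "uid",
    "organizationalunitname": "ou",
    "domaincomponent": "dc",
    "organizationname": "o",
    "countryname": "c",
}

TOKEN = re.compile(r'<\s*([A-Za-z][A-Za-z0-9-]*)\s+"([^"]*)"\s*>')
FIELD = re.compile(r'^\s*(user|subtree)\s*=\s*(.+?)\s*$', re.M)
NAME = re.compile(r'set\s+admin-user\s+"([^"]*)"')


def normalize_type(attr):
    """Map e.g. 'commonName' -> 'cn' so aliases do not mask a real mismatch."""
    a = attr.strip().lower()
    return ALIASES.get(a, a)


def parse_bracket_dn(text):
    """<dc "org"><ou "admins"><commonName "testUsers"> -> root-first [(type, value)]."""
    rdns = [(normalize_type(t), v.strip()) for t, v in TOKEN.findall(text)]
    if not rdns:
        raise ValueError('no <attr "value"> tokens found in: %r' % text)
    return rdns


def parse_ldap_dn(dn):
    """'uid=testUsers,ou=admins,dc=company,dc=org' -> root-first [(type, value)].
    Simplified parser: single-valued RDNs, no escaped commas."""
    rdns = []
    for rdn in dn.split(","):
        t, sep, v = rdn.partition("=")
        if not sep:
            raise ValueError("bad RDN %r in %r" % (rdn, dn))
        rdns.append((normalize_type(t), v.strip()))
    rdns.reverse()  # LDAP string form is leaf-first; we compare root-first
    return rdns


def rdn_equal(a, b):
    # Attribute type must be identical; values compared case-insensitively
    # (cn, uid, ou and dc all use caseIgnoreMatch).
    return a[0] == b[0] and a[1].casefold() == b[1].casefold()


def dn_equal(a, b):
    return len(a) == len(b) and all(rdn_equal(x, y) for x, y in zip(a, b))


def parse_acl(config):
    """Pull the rule name, subject DN and subtree DN out of the ACL block."""
    fields = dict(FIELD.findall(config))
    name = NAME.search(config)
    return {
        "name": name.group(1) if name else None,
        "user": parse_bracket_dn(fields["user"]),
        "subtree": parse_bracket_dn(fields["subtree"]),
    }


def acl_subject_matches(config, bind_dn):
    """True only when every RDN of the ACL subject equals the bind DN's RDN."""
    return dn_equal(parse_acl(config)["user"], parse_ldap_dn(bind_dn))


def mismatch_report(config, bind_dn):
    """Describe the first RDN where ACL subject and bind DN diverge, or None."""
    acl_user, actual = parse_acl(config)["user"], parse_ldap_dn(bind_dn)
    if len(acl_user) != len(actual):
        return "ACL subject has %d RDNs but the bind DN has %d" % (len(acl_user), len(actual))
    for left, right in zip(acl_user, actual):
        if not rdn_equal(left, right):
            return "ACL names %s=%s but the user binds as %s=%s" % (left + right)
    return None


def is_under_subtree(target_dn, config):
    """Is target_dn at or below the ACL's subtree? (root-first prefix test)"""
    subtree, target = parse_acl(config)["subtree"], parse_ldap_dn(target_dn)
    return len(target) >= len(subtree) and dn_equal(target[: len(subtree)], subtree)


if __name__ == "__main__":
    for dn in ("uid=testUsers,ou=admins,dc=company,dc=org",
               "cn=testUsers,ou=admins,dc=company,dc=org"):
        print(dn, "->", mismatch_report(SAMPLE_ACL, dn) or "matches ACL subject")
```

Run it after editing the ACL and before restarting the server: a non-empty report means the rule will never bind to the user you think it does, which is exactly the silent failure described above. The subtree check is the other half of the rule, answering whether a given entry is one the restricted user may update at all.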