ACL check to allow a user to search with a filter should be the following:
For each field used in the filter, check whether an ACL with the exact same name exists in one of the tabs of the categories of all searched objectTypes. If there is one (or several), the user needs read rights on those in the searched base. If there is none, the user needs read rights on all fields of all tabs of all searched objectTypes in the searched base.
Limitations:
- This means a user with read rights on fooBar in ou=a,dc=root and ou=b,dc=root won't be able to search for (fooBar=a*) in dc=root
- Looking up fields in all the tabs of all the categories may be slow; we may need an index to speed that up
- If a user is missing a read right on a single field/tab, he won't be able to search on LDAP operational attributes, which FD is not aware of
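The check described above, together with the first and third limitations, as an added example (not FusionDirectory's own code). The schema, the ACL rights table and the attribute names (fooBar, entryUUID) are constructed; rights are keyed by the exact base they were granted on, which is what makes the dc=root search fail.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed schema: objectType -> tab -> fields carrying an ACL of that name
SCHEMA: Dict[str, Dict[str, List[str]]] = {
    "user": {"generic": ["cn", "sn", "fooBar"], "mail": ["mail", "mailAlias"]},
    "group": {"generic": ["cn", "description"]},
}

# Constructed read rights: base -> set of (objectType, tab, field) the user may read there
RIGHTS: Dict[str, Set[Tuple[str, str, str]]] = {
    "ou=a,dc=root": {("user", "generic", "fooBar")},
    "ou=b,dc=root": {("user", "generic", "fooBar")},
}

# Attribute name at the start of each (attr=value), (attr~=...), (attr>=...), (attr<=...) item
ATTR_RE = re.compile(r"\(([A-Za-z][\w.;-]*)\s*(?:~|<|>)?=")


def filter_attributes(ldap_filter: str) -> List[str]:
    """Attribute names used in a filter, e.g. (&(cn=a*)(mail=*)) -> ['cn', 'mail']."""
    return ATTR_RE.findall(ldap_filter)


def can_read(rights, base: str, object_type: str, tab: str, field: str) -> bool:
    # Rights granted on ou=a,dc=root do not apply to a search on dc=root
    return (object_type, tab, field) in rights.get(base, set())


def search_allowed(ldap_filter: str, object_types: List[str], base: str,
                   schema=SCHEMA, rights=RIGHTS) -> bool:
    for attr in filter_attributes(ldap_filter):
        # Tabs of the searched objectTypes that carry an ACL with exactly this name
        owners = [(ot, tab) for ot in object_types
                  for tab, fields in schema[ot].items() if attr in fields]
        if owners:
            needed = [(ot, tab, attr) for ot, tab in owners]
        else:
            # Unknown to FD (e.g. an operational attribute): every field of every tab must be readable
            needed = [(ot, tab, f) for ot in object_types
                      for tab, fields in schema[ot].items() for f in fields]
        if not all(can_read(rights, base, *n) for n in needed):
            return False
    return True
```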