For native mode (with domain nodes on the organization tree):
iplanet-am-role-aci-list: o=sesta.com, o=basedn:aci: (target="ldap:///o=sesta.com,o=basedn") (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,o=sesta.com,o=basedn) (nsroledn=cn=Top-level Help Desk Admin Role,o=sesta.com,o=basedn)))) (targetattr != "nsroledn") (version 3.0; acl "Organization Admin access allow"; allow (all) roledn = "ldap:///cn=myrole,o=sesta.com,o=basedn";)
For compatibility mode (with domain nodes on a DC Tree):
iplanet-am-role-aci-list: dc=sesta,dc=com:aci: (target="ldap:///dc=sesta,dc=com") (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,dc=sesta,dc=com) (nsroledn=cn=Top-level Help Desk Admin Role,dc=sesta,dc=com)))) (targetattr != "nsroledn") (version 3.0; acl "Organization Admin access allow"; allow (all) roledn = "ldap:///cn=myrole,dc=sesta,dc=com";)
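
A consistency check for these values, added here as an example and not taken from the product: it parses an iplanet-am-role-aci-list value and reports when the prefix DN, target, targetfilter role DNs and roledn do not share one suffix (for instance a roledn pasted from the native form into a compatibility-mode ACI), or when nsroledn is no longer excluded from targetattr. The function names, the sample builder and the rule that every DN must sit under the target are assumptions drawn from the two forms above.

```python
import re

def norm(dn):
    # Simplified DN normalisation: assumes no escaped commas in RDN values.
    return ",".join(p.strip().lower() for p in dn.split(","))

def under(dn, suffix):
    d, s = norm(dn), norm(suffix)
    return d == s or d.endswith("," + s)

def parse_role_aci(value):
    """Split '<dn>:aci: <aci>' and pull out the parts the check needs."""
    prefix, aci = value.split(":aci:", 1)
    target = re.search(r'\(target\s*=\s*"ldap:///([^"]*)"\)', aci)
    attr = re.search(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', aci)
    roledn = re.search(r'\broledn\s*=\s*"ldap:///([^"]*)"', aci)
    return {
        "prefix": prefix.strip(),
        "target": target.group(1) if target else None,
        "targetattr": attr.groups() if attr else None,
        "filter_roles": re.findall(r'nsroledn=([^()]+)\)', aci),
        "roledn": roledn.group(1) if roledn else None,
    }

def check_role_aci(value):
    a, out = parse_role_aci(value), []
    if not a["target"] or not a["roledn"]:
        return ["target or roledn bind rule missing"]
    if norm(a["prefix"]) != norm(a["target"]):
        out.append("prefix DN and target differ")
    if not under(a["roledn"], a["target"]):
        out.append("roledn is outside the target suffix")
    if any(not under(r, a["target"]) for r in a["filter_roles"]):
        out.append("targetfilter role DN is outside the target suffix")
    if a["targetattr"] != ("!=", "nsroledn"):
        out.append("nsroledn is not excluded from targetattr")
    return out

def build(suffix, role_suffix):  # constructed sample values in the page's layout
    return (f'{suffix}:aci: (target="ldap:///{suffix}") (targetfilter=(!(|'
            f'(nsroledn=cn=Top-level Admin Role,{suffix}) '
            f'(nsroledn=cn=Top-level Help Desk Admin Role,{suffix})))) '
            f'(targetattr != "nsroledn") (version 3.0; acl "Organization Admin '
            f'access allow"; allow (all) roledn = "ldap:///cn=myrole,{role_suffix}";)')

NATIVE = build("o=sesta.com,o=basedn", "o=sesta.com,o=basedn")
COMPAT = build("dc=sesta,dc=com", "dc=sesta,dc=com")
MIXED = build("dc=sesta,dc=com", "o=sesta.com,o=basedn")  # roledn pasted from native form
```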