How to use ACLs and SETs
The purpose of a set is to define a specific group of users or other entities that can be referenced in the by clause of an ACL. Sets allow for the creation of very precise and complex access rules, but they are considered a somewhat experimental and less documented feature. Sets are referenced using the set=<setspec> option within the by clause of an ACL rule. An ACL can grant access to members of a specific set, which simplifies rule management: only the set membership needs updating rather than numerous ACL entries. Sets are a powerful tool when we need to expand the content of an entity's attribute, e.g. when using groups where the attribute value is another DN.
Unlike the commonly used ACL rules, which check whether the entity binding in (the user) matches the DN defined in the WHO clause, sets are evaluated slightly differently: the set defined in the WHO clause evaluates to true if it isn't empty, and only then is access granted.
Example of an ACL rule using sets
The rule below evaluates whether the DN of the user binding in is also John Smith's manager; the user DN must equal uid=mary,ou=people,dc=example,dc=com for the set to return true.
who:
access to dn.exact="uid=john,ou=people,dc=example,dc=com" 
    attrs=carLicense,homePhone,mobile,pager,telephoneNumber
    by set="this/manager & user" write
where:
dn: uid=john,ou=people,dc=example,dc=com
uid: john
objectClass: inetOrgPerson
givenName: John
sn: Smith
cn: john
manager: uid=mary,ou=people,dc=example,dc=com
 - this - refers to the target entry from the WHAT clause, in this case uid=john,ou=people,dc=example,dc=com
 - / - dereference operator
 - this/manager - refers to the contents of the attribute manager on this, in this case uid=mary,ou=people,dc=example,dc=com
 - user - refers to the entity that is binding in
 - & - conjunction operator
 - [ ] - literals
 
Combining ACLs and sets
Occasionally it might be necessary to restrict access to certain entries based on the value of one of the user's attributes. While it isn't possible to use an attribute filter in the WHO clause of an ACL rule, sets can help here.
ACLs and sets can be combined.
When combined, each part of the WHO clause is worked out separately, i.e., both dn.one="dc=example,dc=com" AND set="user/type & [manager]" have to evaluate to true in the example below.
access to dn.one="ou=personel,dc=example,dc=com" attrs=password
    by dn.one="dc=example,dc=com" set="user/type & [manager]" write
All users whose DNs are under dc=example,dc=com and who have an attribute type with a value manager will have access to the attribute password of all entities under ou=personel,dc=example,dc=com.
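To make the "non-empty set means match" rule concrete, here is a simplified model of how the two set expressions on this page, "this/manager & user" and "user/type & [manager]", are evaluated. It is an added example, not slapd's code; the DIRECTORY contents (including the bob entry and the type values) and all function names are constructed for illustration, and only the operators listed above are supported.

```python
# Simplified model of set evaluation (added example, not OpenLDAP's implementation).
# Supports only what this page uses: this, user, /attr, & and [literal].
import re

# Constructed sample directory: lower-cased DN -> attribute -> list of values.
DIRECTORY = {
    "uid=john,ou=people,dc=example,dc=com": {
        "manager": ["uid=mary,ou=people,dc=example,dc=com"]},
    "uid=mary,ou=people,dc=example,dc=com": {"type": ["manager"]},
    "uid=bob,ou=people,dc=example,dc=com": {"type": ["staff"]},
}

def _term(term, this_dn, user_dn):
    """Evaluate one operand such as 'this/manager', 'user' or '[manager]'."""
    term = term.strip()
    literal = re.fullmatch(r"\[(.*)\]", term)
    if literal:
        return {literal.group(1).lower()}
    base, *attrs = term.split("/")
    if base not in ("this", "user"):
        raise ValueError(f"unsupported operand: {term!r}")
    start = this_dn if base == "this" else user_dn
    values = {start.lower()} if start else set()  # anonymous bind: empty set
    for attr in attrs:  # each '/' replaces the set with that attribute's values
        values = {v.lower() for dn in values
                  for v in DIRECTORY.get(dn, {}).get(attr, [])}
    return values

def evaluate_set(spec, this_dn, user_dn):
    """Intersect all '&' operands (literals containing '&' are not handled)."""
    operands = [_term(t, this_dn, user_dn) for t in spec.split("&")]
    return set.intersection(*operands)

def set_grants(spec, this_dn, user_dn):
    """The set part of the WHO clause matches when the result is non-empty."""
    return bool(evaluate_set(spec, this_dn, user_dn))
```

Note that an entry with no manager attribute yields an empty set for this/manager, so the first rule matches nobody for that entry.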
Please see Access Control Lists (ACLs) to learn more about basic ACL usage and rules.
For more details and examples of set usage, please see this OpenLDAP doc and this OpenLDAP FAQ.