diff --git a/roles/slapd/templates/ldap/slapd.conf.j2 b/roles/slapd/templates/ldap/slapd.conf.j2
index 5c6cccab720befd6d6adc6bbf033f5c9df16a728..86053d4046d1b6c086442665559ec3ad0272f612 100644
--- a/roles/slapd/templates/ldap/slapd.conf.j2
+++ b/roles/slapd/templates/ldap/slapd.conf.j2
@@ -29,6 +29,13 @@ moduleload 		auditlog
 overlay 		auditlog
 auditlog 		/var/log/openldap/auditlog.log
 
+moduleload constraint
+overlay constraint
+constraint_attribute description regex ^(dhcp|dns|dns-primary|dns-secondary|ftp|gitlab|miroir|ntp|pve|radius)$
+  restrict=ldap:///ou=hosts,dc=crans,dc=org??one?(objectClass=device)
+constraint_attribute uid regex ^_
+  restrict=ldap:///ou=passwd,dc=crans,dc=org??one?(objectClass=posixAccount)
+
 moduleload 		syncprov
 {% endif %}