\documentclass[10pt,a4paper]{article}
\usepackage[english]{babel}
\usepackage[T1]{fontenc}
\usepackage[utf8x]{inputenc}
\usepackage{array}
\usepackage{ae}
\usepackage{tikz}
\usetikzlibrary{trees,fit,shapes,calc,external}
\tikzset{external/force remake}
\tikzexternalize

\def\dn#1{\texttt{#1}}

\newenvironment{entry}[1]{%
  \begin{tabular}[t]{@{}l@{}}
    \dn{#1}
    \\[.1\baselineskip] \phantom{cn=}%
    \begin{tabular}{@{}>{\ttfamily\bgroup}l<{\egroup:}@{~}%
                       >{\sffamily\bgroup}l<{\egroup}@{}}%
}{%
    \end{tabular}
  \end{tabular}
}

\tikzstyle{ldaptree} = [%
  anchor=west,
  grow via three points={one child at (1cm,-1.5\baselineskip) and two children at (1cm,-1.5\baselineskip) and (1cm,-3\baselineskip)},
  growth parent anchor=south west,
  edge from parent path={($(\tikzparentnode.south west)+(2.5ex,0)$) |- (\tikzchildnode.mid west)
},
  edge from parent/.style = {draw=black!20}
]


\tikzstyle{entry} = [line width=1pt,dashed,rounded corners]
\tikzstyle{manager} = [entry,fill=red!30,draw=red]
\tikzstyle{service} = [entry,fill=blue!30,draw=blue]
\tikzstyle{vdomain} = [entry,fill=green!30,draw=green]
\tikzstyle{valias} = [vdomain]
\tikzstyle{vuser} = [vdomain]
\tikzstyle{dn} = [font=\ttfamily]
\tikzstyle{ACL} = [line width=1.5pt,fill=none,solid]

\pgfdeclarelayer{background}
\pgfdeclarelayer{foreground}
\pgfsetlayers{background,main,foreground}


\def\noSSHA{%
  \tikz[baseline,anchor=text,inner sep=0,outer sep=0]
    \node [anchor=text,service,ACL,cross out,draw opacity=.75]
      {\{SSHA\}xxxxxx};
}

\thispagestyle{empty}
\begin{document}


\centering
\tikzsetnextfilename{ldap-trimmed}
\begin{tikzpicture}[ldaptree]
  \node[dn] { {o=mailhosting,dc=fripost,dc=org} }
    child {
      node[dn] { ou=managers } 
      child {
        node[manager] (gustav) {
          \begin{entry}{cn=gustav}
            userPassword & \{SSHA\}xxxxxx
          \end{entry}
        }
      } 
      child [missing] {}
      child {
        node[manager] (ljo) {
          \begin{entry}{cn=ljo}
            userPassword & \dots
          \end{entry}
        }
      }
    }
    child [missing] {}
    child [missing] {}
    child [missing] {}
    child [missing] {}
    child {
      node[dn] { ou=services } 
      child {
        node[service] (SMTP) {
          \begin{entry}{cn=SMTP}
            userPassword & \{SSHA\}xxxxxx
          \end{entry}
        }
      } 
      child [missing] {}
      child {
        node[service] (SASLauth) {
          \begin{entry}{cn=SASLauth}
            userPassword & \dots
          \end{entry}
        }
      } 
    }
    child [missing] {}
    child [missing] {}
    child [missing] {}
    child [missing] {}
    child {
      node[dn] (virtual) { ou=virtual }
      child {
        node[vdomain] {
          \begin{entry}{dc=fripost.org}
            isActive & TRUE
          \end{entry}
        } [every child node/.style={yshift=-\baselineskip}]
        child
        {
          node[valias] {
            \begin{entry}{mailTarget=user@fripost.org}
              mailLocalAddress & user-alias \\
              isActive & TRUE 
            \end{entry}
          }
        }
        child [missing] {}
        child 
        { node[valias] { \dn{mailTarget=\dots} } 
        }
        child [missing] {}
        child 
        {
          node[vuser] (user-fripost-org) {
            \begin{entry}{uid=user}
              userPassword & \noSSHA \\
              isactive & TRUE 
            \end{entry}
          }
        }
        child [missing] {}
        child 
        { node[vuser] { \dn{uid=\dots} } 
        }
      }
      child [missing] {}
      child [missing] {}
      child [missing] {}
      child [missing] {}
      child [missing] {}
      child [missing] {}
      child [missing] {}
      child [missing] {}
      child [missing] {}
      child [missing] {}
      child {
        node[vdomain] (example-org) {
          \begin{entry}{dc=example.org}
            owner & \texttt{uid=user,dc=fripost.org,ou=virtual,\dots} \\
            isActive & TRUE
          \end{entry}
        } [every child node/.style={yshift=-\baselineskip}]
        child 
          {
          node[valias] {
            \begin{entry}{mailTarget=user@fripost.org}
              mailLocalAddress & user \\
              isActive & TRUE
            \end{entry}
          }
        }
        child [missing] {}
        child 
        { node[valias] { \dn{mailTarget=\dots} } 
        }
        child 
        { node[vuser] (example-org-uid-etc) { \dn{uid=\dots} } 
        }
      }
    };

\begin{pgfonlayer}{background}
  \node[fit=(example-org)(example-org-uid-etc),inner sep=3pt,
        fill=yellow!50, opacity=.3, rounded corners, draw, dashed]
    (example-org-fit) {};

  \node[fit=(virtual)(example-org-fit),inner sep=3pt,
        fill=yellow!50, opacity=.3, rounded corners, draw, dashed]
    (virtual-fit) {};
\end{pgfonlayer}
\tikzset{trim left=0,trim right=(virtual-fit.east)}

\draw[->,manager,ACL]
    (gustav.north east)
    .. controls +(0:5cm) and +(45:4cm) ..
    (virtual-fit.north east)
    node[pos=.3,above,sloped] {read, write};
\draw[->,manager,ACL]
    (ljo.north east)
    .. controls +(0:5cm) and +(45:4cm) ..
    (virtual-fit.north east);

\draw[->,vuser,ACL]
    (user-fripost-org.north east)
    .. controls +(45:3cm) and +(45:3cm) ..
    (example-org-fit.north east)
    node[pos=.5,above,sloped] {read, write};

\draw[->,vuser,ACL]
    (user-fripost-org.north west)
    .. controls +(135:1cm) and +(180:3cm) ..
    ($(user-fripost-org.mid west)+(2em,-\baselineskip)$)
    node[pos=.5,above,sloped] {write};

\draw[->,service,ACL]
    (SMTP.north west)
    .. controls +(180:6cm) and +(180:5cm) ..
    (virtual-fit.west)
    node[pos=.45,above,sloped] {read};
\draw[->,service,ACL]
    (SASLauth.north west)
    .. controls +(180:5cm) and +(180:4cm) ..
    (virtual-fit.west);
\end{tikzpicture}

\end{document}