In OpenLDAP, how do I give a user read access to records with a specific departmentNumber attribute value?
There are several similar users:
[email protected],ou=Workers,dc=grrr,dc=local
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
uid: [email protected]
cn: [email protected] ru
mail: [email protected]
sn: Ivanov Ivan Demyanovich
departmentNumber: 432199
All of them share the same first four digits: departmentNumber=4321*
One of our sites wants users with a departmentNumber starting with 4321 to be able to log into it via LDAP, and the rest not to be able to.
Question: how do I do this?
Clarification 1: no, the admin of this site will not do filtering on his side. This needs to be done on the LDAP side.
Clarification 2: in ou=Workers there is no further division into OUs by department number, and it is not advisable to add one - the rest of the infrastructure will go to hell (
Theory: put all such users into one group by hand... and then what?