Or maybe it's not so complicated and I don't know how. ;)

This is what I'm trying to accomplish:

Users who are members of the group 'cn=support'
can perform ALL operations on 'userPassword',
except on targets which are members of group 'cn=admins' or 'cn=bosses'.

Is this possible?  I can't figure out how.  Thanks in advance!
--BO