Hello there, and thank you for your quick reply...
1) Is this the only access list you have used, and does it work fine? Because, as I told you, I want to add the attributes below. Do you think they'll work?
# Remember that rootdn has always write access
# posixAccount/posixGroup attributes may only be accessible to root/ldapmaster (write) and pamproxy (read)
access to attrs=uid,uidNumber,gidNumber,gecos,homeDirectory,loginShell,memberUid
    by dn="cn=pamproxy@circuitcat.com,ou=kerberos,dc=circuitcat,dc=com" read

# This is needed so sasl-regexp/GSSAPI works correctly
access to attrs=krb5PrincipalName
    by anonymous auth

# Kerberos attributes may only be accessible to root/ldapmaster
access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmNam
    by * none

# We will be using userPassword to provide simple BIND access, so we don't want this to be user editable
access to attrs=userPassword
    by anonymous auth

# Write access to common attributes for users
access to dn.subtree="ou=people,dc=circuitcat,dc=com" attrs=telephoneNumber,facsimileTelephoneNumber,jpegPhoto,homePhone,homePostalAddress
    by self write
    by users read

# Anything else we may have forgotten is writable by admin, and viewable by authenticated users
access to dn.subtree="dc=circuitcat,dc=com"
    by users read

2) I have already re-initialized Heimdal, so I think that is not the problem... Also, I had some issues before that got solved by doing the Heimdal re-init.