hallo there
and thank you for your quick reply...

1)is this the only access list you have used and works fine?
cause as i told you i want to  add the attributes below,you think they'll work?

# Remember that rootdn has always write access
# posixAccount/posixGroup attributes may only be accessible to root/ldapmaster (write) and pamproxy (read)
access to attrs=uid,uidNumber,gidNumber,gecos,homeDirectory,loginShell,memberUid
    by dn="cn=pamproxy@circuitcat.com,ou=kerberos,dc=circuitcat,dc=com" read

# This is needed so sasl-regexp/GSSAPI works correctly
access to attrs=krb5PrincipalName
    by anonymous auth

# Kerberos attributes may only be accessible to root/ldapmaster
access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmNam
    by * none

# We will be using userPassword to provide simple BIND access, so we don't want this to be user editable
access to attrs=userPassword
    by anonymous auth

# Write access to common attributes for users
access to dn.subtree="ou=people,dc=circuitcat,dc=com" attrs=telephoneNumber,facsimileTelephoneNumber,jpegPhoto,homePhone,homePostalAddress
    by self write
    by users read

# Anything else we may have forgotten is writable by admin, and viewable by authenticated users
access to dn.subtree="dc=circuitcat,dc=com"
    by users read


2)i have already re-init heimdal so i think  is not the problem...+i had some issues before that got solved by doing the heimdal re-init