On Fri, Mar 6, 2009 at 4:45 PM, Quanah Gibson-Mount quanah@zimbra.com wrote:

Which ACL is "This ACL"?

access to dn.subtree="ou=group,dc=mydomain" by set="this/cn & user/uid" write

Have you turned on acl level debugging to see what exactly is occurring when you go to do operations?

Yes, and it is falling right past the above acl and hitting the catchall for the top of the directory for * read.

Also, what OpenLDAP release are you using?

Heh, OpenLDAP 2.4.11. Old I know, I've been meaning to go back to a stable 2.3 for some time, but 2.4.x had certain fixes for the translucent overlay that I needed, which I don't need anymore.

--andy