On Fri, Mar 6, 2009 at 4:45 PM, Quanah Gibson-Mount <quanah(a)zimbra.com&gt; wrote: access to dn.subtree="ou=group,dc=mydomain" by set="this/cn & user/uid" write Yes, and it is falling right past the above acl and hitting the catchall for the top of the directory for * read. Heh, OpenLDAP 2.4.11. Old I know, I've been meaning to go back to a stable 2.3 for some time, but 2.4.x had certain fixes for the translucent overlay that I needed, which I don't need anymore. --andy