I think your ACLs are not allowing you to do what you want, but I can't say for sure without knowing how your client is binding to your directory. If you turn on openldap's logging for ACL parsing, you should see the connection and if it was allowed or denied for the given bind. ( 128 (0x80 ACL) access control list processing : see man slapd.conf for details under loglevel ) Give that a try, and then you should be able to relax or adjust your ACLs to allow access. I hope that helps Sellers On Jul 30, 2008, at 10:42 PM, david stackis wrote: > Hi - > > First off, I want to apologize for posting to list when I really > should > have read more. > Tonight I read all of Chapter 7.4 in the OpenLDAP Software 2.4 Admin > Guide....and I'm still scratching my head wondering why this isn't > working. > > Here's my structure... > I have two Groups..."Home", and "Work" > I have two Users..."Me", and "You" These users have passwords > > I can search my LDAP using the rootdn, and I'm able to add to each > of the > Group AddressBooks "Home", and "Group" using the rootdn. What I > can't seem > to do, is have user "Me" or "You" access any of the AddressBooks. > > The user "Me" has access to "Home and "You" has access to "Work" > each have > two different email addresses. > > Again...the rootdn can see everything in Thunderbird...but it's "Me" > and > "You" that seem to have no access/ > Could someone please point me in the right direction. > > I'm also using Apache Directory Studio, and I verified that the four > entries I added...two being place in the "Home" AddressBook, and the > other > two in the "Work" AddressBook. The ACL's I'm using are below...and > further > down is my LDIF I used to create my structure. > > I've tried attrs=userPassword, and attr=userPassword...I've seen > both of > these examples used > > Thank you for any help. > > # ACL1 > access to attrs=userPassword > by self write > by anonymous auth > # ACL2 > access to dn.regex="o=(.+),ou=AddressBooks,dc=MyCompany,dc=com" > by group.expand="cn=$1,ou=Groups,dc=MyCompany,dc=com" write > # ACL3 > access to dn.base="ou=AddressBooks,dc=MyCompany,dc=com" by * read > access to dn.base="" by * read > # ACL4 > access to dn.base="cn=Subschema" by * read > # ACL5 > disallow bind_anon > > The LDIF I used... > # Initialize the suffix entry defined in slapd.conf > # > dn: dc=MyCompany,dc=com > objectclass: top > objectclass: organization > objectclass: dcObject > dc: MyCompany > o: cctr > > # > # Initialize the AddressBooks heirarchy > # > dn: ou=AddressBooks,dc=MyCompany,dc=com > objectclass: top > objectclass: organizationalUnit > ou: AddressBooks > > # > # Define individual address books > # > dn: o=Home,ou=AddressBooks,dc=MyCompany,dc=com > objectclass: top > objectclass: organization > o: Home > > dn: o=Work,ou=AddressBooks,dc=MyCompany,dc=com > objectclass: top > objectclass: organization > o: Work > > # > # Initialize the Users heirarchy > # > dn: ou=Users,dc=MyCompany,dc=com > objectclass: top > objectclass: organizationalUnit > ou: Users > > # > # Define individual users > # > dn: cn=Me,ou=Users,dc=MyCompany,dc=com > objectclass: top > objectclass: person > cn: Me > sn: My LastName > userPassword: {crypt}XXXXXX > > dn: cn=You,ou=Users,dc=MyCompany,dc=com > objectclass: top > objectclass: person > cn: You > sn: You LastName > userPassword: {crypt}XXXXXX > > # > # Initialize the Groups heirarchy > # > dn: ou=Groups,dc=MyCompany,dc=com > objectclass: top > objectclass: organizationalUnit > ou: Groups > > # > # Group users into separate address books > # > dn: o=Home,ou=Groups,dc=MyCompany,dc=com > objectclass: top > objectclass: groupOfNames > cn: Home > member: cn=Me,ou=Users,dc=MyCompany,dc=com > > dn: o=Work,ou=Groups,dc=ucsb,dc=edu > objectclass: top > objectclass: groupOfNames > cn: Work > member: cn=You,ou=Users,dc=MyCompany,dc=com > > > ------------------- > david stackis > ++++++++++++++++++++++++++++++++++++++ Chris G. Sellers | Internet Engineer | NITLE 734.661.2318 | chris.sellers(a)nitle.org Jabber: csellers(a)nitle.org | AIM: imthewherd