Hi im trying to get an openldap server (2.3.) running with acl restricting access to special attributes tb_READ should be allowed to search in the ou people but must not read any attributes then telephoneNumber, cn, sn, uid... so i added this access rule to my slapd.conf : .. access to dn.subtree="ou=people,dc=example,dc=com" attrs=telephoneNumber,cn,sn,mail,roomNumber,uid,givenName by dn="cn=tb_READ,ou=functional,dc=example,dc=com" read .. after restarting slapd I checked the result of ldapsearch but it returns nothing : ldapsearch -x -D "cn=tb_READ,ou=functional,dc=example,dc=com" -b "ou=people,dc=example,dc=com" -W # extended LDIF # # LDAPv3 # base <ou=people,dc=example,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 3 result: 0 Success accessing the attributes by ldapcompare works fine : ldapcompare -x -D "cn=tb_READ,ou=functional,dc=example,dc=com" -W "uid=kheine,ou=people,dc=example,dc=com" telephoneNumber:1234 returns TRUE so the rule seems to work for comparing, but not for searching entries in ou=people i searched in the archives for more examples of using "attrs" and "dn.subtree", but found only configs where it seems to work this way the admin guide (2.3.) itself shows this possibility on "6.3 Access Control" so i can not find the reason why my configuration is not working. Please help me finding an approach to solve this problem, thanks for every advice ___________________________________ NOCC, http://nocc.sourceforge.net