I've recently been trying to lock down Samba4's default ACLs, in its
generated LDAP backend configuration.
I have memberOf configured to 'error' on dangling links, which I need
for Samba.
But I seem to be having some trouble with ACLs. I've attached my full
config file, but the key part is:
access to dn.base=""
    by dn=cn=samba-admin,cn=samba manage
    by anonymous read
    by * read
access to dn.subtree="cn=samba"
    by anonymous auth
access to dn.subtree="${DOMAINDN}"
    by dn=cn=samba-admin,cn=samba manage
    by * none
If I change the last line to 'by * read', then the error is returned,
but otherwise (due apparently to "" being unable to read the entry to
validate its existence).
Shouldn't the search operations happen as the rootdn or memberof-dn, or
am I missing some other configuration element here?
In trying to fix this, I looked at what seemed to be typos in
memberof.c, the patch of which I attach, but this didn't help.
Any thoughts?
Thanks,
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team
http://samba.org
Samba Developer, Red Hat Inc.
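As an added illustration (not code from the post, from Samba or from OpenLDAP), the following small Python model walks slapd's first-match ACL evaluation over the clauses quoted above, with a constructed `dc=example,dc=com` standing in for `${DOMAINDN}` and an empty bind DN standing for the anonymous identity the post suspects the validating search runs as; it shows which clause each requester hits on an entry under the domain.

```python
"""Minimal slapd-style ACL evaluator (added illustration, not OpenLDAP code).
Covers only the post's subset: dn.base/dn.subtree targets and the 'dn=',
'anonymous' and '*' who-clauses, evaluated first-match; "" is anonymous."""
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
DOMAINDN = "dc=example,dc=com"  # constructed stand-in for ${DOMAINDN}
ACL_TEXT = f"""
access to dn.base=""
    by dn=cn=samba-admin,cn=samba manage
    by anonymous read
    by * read
access to dn.subtree="cn=samba"
    by anonymous auth
access to dn.subtree="{DOMAINDN}"
    by dn=cn=samba-admin,cn=samba manage
    by * none
"""  # the ACL quoted in the post, with ${DOMAINDN} substituted

def parse_acls(text):
    """Return [{'to': target, 'by': [(who, level), ...]}, ...] in file order."""
    acls = []
    for block in re.split(r"^\s*access\s+to\s+", text, flags=re.M)[1:]:
        lines = [ln.strip() for ln in block.strip().splitlines()]
        by = [tuple(ln.split()[1:3]) for ln in lines[1:] if ln.startswith("by ")]
        acls.append({"to": lines[0], "by": by})
    return acls

def target_matches(spec, entry_dn):
    kind, _, pattern = spec.partition("=")
    dn, pattern = entry_dn.lower(), pattern.strip('"').lower()
    if kind == "dn.subtree":
        return dn == pattern or dn.endswith("," + pattern)
    return dn == pattern  # dn.base: exact match only

def who_matches(who, bind_dn):
    if who.startswith("dn="):
        return bind_dn.lower() == who[3:].strip('"').lower()
    return who == "*" or (who == "anonymous" and bind_dn == "")

def access_level(acls, bind_dn, entry_dn):
    """The first 'access to' whose target matches is selected; within it the
    first matching 'by' wins. No match is treated as 'none' (simplification)."""
    for acl in acls:
        if target_matches(acl["to"], entry_dn):
            return next((lvl for who, lvl in acl["by"] if who_matches(who, bind_dn)), "none")
    return "none"

def has_access(acls, bind_dn, entry_dn, needed):
    return LEVELS.index(access_level(acls, bind_dn, entry_dn)) >= LEVELS.index(needed)
```

With the ACL as posted, `access_level(parse_acls(ACL_TEXT), "", "cn=x,cn=Users,dc=example,dc=com")` lands on `by * none`, while `cn=samba-admin,cn=samba` gets `manage`; swapping the last clause for `by * read` is what lets the anonymous identity read the entry.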