Hello,

I am trying to configure my openldap server to allow a user to read a list of users only if they have the "host" attribute with a specific value, for instance "csa".  I am using rhel 6, openldap 2.4.23 server.  When I have the following 2 acl's, the user Admin can get the full contents of the 'abc' container:

access to attrs=userPassword
 by dn="uid=0,dc=aa,dc=bb,dc=cc" write
 by * auth

access to dn.subtree="ou=abc,dc=aa,dc=bb,dc=cc"
 by dn="uid=Admin,ou=Operators,dc=aa,dc=bb,dc=cc"  read

When I change the 2nd acl as follows, I get no response at all:

access to dn.subtree="ou=abc,dc=aa,dc=bb,dc=cc" filter=(host=csa)
 by dn="uid=Admin,ou=Operators,dc=aa,dc=bb,dc=cc"  read

There are a few records in the abc container which have the attribute host with the 'csa' value.  I have tried to give search permission to the entire container and then add the permission of read only to the filter as follows:

access to dn.subtree="ou=abc,dc=aa,dc=bb,dc=cc"
 by dn="uid=Admin,ou=Operators,dc=aa,dc=bb,dc=cc"  =cs

access to dn.subtree="ou=abc,dc=aa,dc=bb,dc=cc" filter=(host=csa)
 by dn="uid=Admin,ou=Operators,dc=aa,dc=bb,dc=cc"  +r

but I still don't get my list with ldapsearch.  What am I missing here?

Thanks in advance,
Dorit.