I have client that coredumps with these acl's. When I remove them, the client is getting data from the ldap server and I can see the queries it is doing on the server. I thougt the lines below would give access to ou=Services and below by test, but I guess not. dn: olcDatabase={-1}frontend,cn=config olcAccess: {0} to dn.exact="" by * read olcAccess: {1} to dn.exact="cn=Subschema" by * read olcAccess: {2} to attrs=userPassword,shadowLastChange by ssf=256 self read by ssf=256 anonymous auth by * none olcAccess: {3} to dn.exact="ou=Services,dc=example,dc=local" attrs="children" by dn.exact="cn=test,ou=Hosts,dc=example,dc=local" ssf=64 read by * break olcAccess: {4} to dn.children="ou=Services,dc=example,dc=local" by dn.exact="cn=test,ou=Hosts,dc=example,dc=local" ssf=64 read olcAccess: {5} to * by * none acl_mask: access to entry "name=asdf,ou=Services,dc=example,dc=local", attr "bla" requested acl_mask: access to entry "ou=Services,dc=example,dc=local", attr "entry" requested I guess I should grep the log for the acl_mask entries not? What would be an adviced procedure to do this? I also do not want to get a huge list of acls for just one client type. Everything below "ou=Services,dc=example,dc=local" is test to read. (No password attributes stored there)