On 07/27/2015 01:16 PM, Olaf Hopp wrote:
Hi listers,
I have ~40 departments in several ou's and I need an ACL to allow
access for one user to all but one OU.
I do not want to forbid that ou in question and thus implicitly allow all the others.
I want to formulate this explicitly, so I can directly see what is allowed.
Moreover, the names of the ou's are very similar to each other, something like:
ou=aaaa,dc=...
ou=abaa,dc=...
ou=bbaa,dc=...
ou=bbbb,dc=...
and suppose I want to disallow access to the ou=abaa.
I ended up with two ACLs:
the first one to forbid ou=abaa:
access to dn.sub=ou=abaa,dc=.... \
attrs=entry
by dn=uid=foo,dc=.... none
by * break
and then allowing access to all ou's with
access to dn.regex=ou=[^,]+,dc=... \
attrs=....
by dn=uid=foo,dc=...
by * break
Is it possible to formulate this with just one ACL ?
I tried something like "ou=!abaa" with just the second ACL but failed.
Then I tried ou=[^a][^b][^a][^a]
but this matches also the ou=bbbb to which the uid=foo should have access.
Let me answer this question myself for completeness:
using a filter is the answer:
filter=(!(ou:dn:=abaa))
in my example above does the trick.
Regards, Olaf
--
Karlsruher Institut für Technologie (KIT)
ATIS - Department of Technical Infrastructure, Faculty of Computer Science
Dipl.-Geophys. Olaf Hopp
- Head of IT Services -
Am Fasanengarten 5, Building 50.34, Room 009
76131 Karlsruhe
Phone: +49 721 608-43973
Fax: +49 721 608-46699
E-Mail: Olaf.Hopp(a)kit.edu
atis.informatik.kit.edu
www.kit.edu
KIT - University of the State of Baden-Württemberg and National Research Center of the
Helmholtz Association
KIT has been certified as a family-friendly university since 2010.
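The following is an added example, not part of Olaf's post or of OpenLDAP itself: a small Python simulation of how slapd would evaluate the two approaches from the thread against a constructed set of entries. It models two things worth seeing before putting such an ACL into production. First, a negated character class such as ou=[^a][^b][^a][^a] negates per position, not the whole string, so it rejects every ou whose second character is b (bbaa and bbbb included), which is why the regex route cannot express "everything except abaa". Second, the extensible match ou:dn:=abaa in filter=(!(ou:dn:=abaa)) sets the dnAttributes flag (RFC 4511), so it matches if any RDN of the entry's DN is ou=abaa or if the entry itself carries an attribute value ou: abaa; the sample includes one entry under ou=bbbb with such an attribute to show that it is excluded too. The DNs, the dc=example,dc=org suffix, the entries and the attribute values are all made up for the demonstration; DN parsing is simplified (no escaped commas or equals signs), and dn.regex is treated as unanchored, as slapd does unless you write ^ and $ yourself.

```python
import re

# Constructed sample directory for the demonstration: (dn, attributes).
# Not taken from the original post; the suffix dc=example,dc=org is assumed.
DIRECTORY = [
    ("ou=aaaa,dc=example,dc=org", {"ou": ["aaaa"]}),
    ("ou=abaa,dc=example,dc=org", {"ou": ["abaa"]}),
    ("uid=bob,ou=abaa,dc=example,dc=org", {"uid": ["bob"]}),   # child of the forbidden ou
    ("ou=bbaa,dc=example,dc=org", {"ou": ["bbaa"]}),
    ("ou=bbbb,dc=example,dc=org", {"ou": ["bbbb"]}),
    # lives under ou=bbbb but carries an attribute value ou: abaa
    ("cn=printer,ou=bbbb,dc=example,dc=org", {"cn": ["printer"], "ou": ["abaa"]}),
]


def rdn_components(dn):
    """Split a DN into lower-cased (type, value) pairs.
    Simplification: assumes no escaped ',' or '=' inside RDN values."""
    pairs = []
    for rdn in dn.split(","):
        attr_type, value = rdn.split("=", 1)
        pairs.append((attr_type.strip().lower(), value.strip().lower()))
    return pairs


def dn_attr_match(dn, attrs, attr_type, value):
    """Emulate the extensible match '<attr>:dn:=<value>' (dnAttributes=TRUE):
    true if the entry has <attr>=<value> as an attribute value OR any RDN
    of its DN is <attr>=<value>."""
    attr_type, value = attr_type.lower(), value.lower()
    if any(v.lower() == value for v in attrs.get(attr_type, [])):
        return True
    return any(t == attr_type and v == value for t, v in rdn_components(dn))


def target_matches_regex_attempt(dn):
    """The rejected attempt from the thread: dn.regex=ou=[^a][^b][^a][^a],dc=...
    A per-position negated class, not 'anything but abaa'.
    Unanchored search, as slapd evaluates dn.regex without ^/$."""
    return re.search(r"ou=[^a][^b][^a][^a],dc=", dn) is not None


def target_matches_filter_acl(dn, attrs):
    """The working single ACL from the thread:
    to dn.regex=ou=[^,]+,dc=...  filter=(!(ou:dn:=abaa))
    The target must match both the DN pattern and the filter."""
    in_some_ou = re.search(r"ou=[^,]+,dc=", dn) is not None
    return in_some_ou and not dn_attr_match(dn, attrs, "ou", "abaa")


def evaluate(directory=DIRECTORY):
    """Return, per DN, whether each ACL's <what> clause selects the entry,
    i.e. whether the 'by dn=uid=foo,...' grant would apply to it."""
    return {
        dn: {
            "regex_attempt": target_matches_regex_attempt(dn),
            "filter_acl": target_matches_filter_acl(dn, attrs),
        }
        for dn, attrs in directory
    }


if __name__ == "__main__":
    for dn, result in evaluate().items():
        print(f"{dn:45} regex_attempt={result['regex_attempt']!s:5} "
              f"filter_acl={result['filter_acl']}")
```

Running it shows the regex attempt selecting none of the four departments, while the filter ACL selects ou=aaaa, ou=bbaa and ou=bbbb, excludes ou=abaa together with everything beneath it, and also excludes the ou=bbbb entry whose own ou attribute holds the value abaa. That last case is the one to keep in mind: if an entry outside the forbidden subtree can carry ou: abaa as an attribute, the dn-attribute match will silently hide it from uid=foo as well.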