i'd like to prevent the dn "cn=foo, ou=services, ou=accounts, dc=example, dc=com" from accessing any part of the tree outside of "ou=test, ou=other, ou=users, ou=accounts, dc=example, dc=com" and "ou=test, ou=other, ou=users, ou=groups, dc=example, dc=com", and would like that dn to have only read access to those two subtrees - the exception being that that user should of course be able/required to authenticate.

i'm having trouble constructing a working acl that accomplishes this.

one example attempt:

dn: olcDatabase={2}bdb,cn=config changetype: modify replace: olcAccess olcAccess: to dn.base="" by * read olcAccess: to attrs=userPassword by self write by anonymous auth by * none olcAccess: to dn.subtree="ou=montage_test,ou=other,ou=users,ou=accounts,dc=ltn,dc=lvc,dc=com" by dn.exact="cn=montage_test,ou=services,ou=accounts,dc=ltn,dc=lvc,dc=com" read by self write by users read by * none olcAccess: to dn.subtree="ou=montage_test,ou=other,ou=users,ou=groups,dc=ltn,dc=lvc,dc=com" by dn.exact="cn=montage_test,ou=services,ou=accounts,dc=ltn,dc=lvc,dc=com" read by self write by users read by * none olcAccess: to * by self write by dn.exact="cn=montage_test,ou=services,ou=accounts,dc=ltn,dc=lvc,dc=com" none by users read by * none

that particular example gets me:

ldapsearch -uxLLLWP 3 -H 'ldaps://ldap.ltn.lvc.com' -D 'cn=montage_test, ou=services, ou=accounts, dc=ltn, dc=lvc, dc=com' -b 'dc=ltn, dc=lvc,

dc=com' "(objectclass=groupofnames)" dn | grep -i 'dn:' Enter LDAP Password: No such object (32)

what am i missing?

thanks -ben