I'd like to prevent the DN "cn=foo, ou=services, ou=accounts, dc=example,
dc=com" from accessing any part of the tree outside of "ou=test, ou=other,
ou=users, ou=accounts, dc=example, dc=com" and "ou=test, ou=other, ou=users,
ou=groups, dc=example, dc=com", and would like that DN to have only read
access to those two subtrees, the exception being that that user should of course be
able/required to authenticate.
I'm having trouble constructing a working ACL that accomplishes this.
One example attempt:
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to dn.base=""
  by * read
olcAccess: to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: to dn.subtree="ou=montage_test,ou=other,ou=users,ou=accounts,dc=ltn,dc=lvc,dc=com"
  by dn.exact="cn=montage_test,ou=services,ou=accounts,dc=ltn,dc=lvc,dc=com" read
  by self write
  by users read
  by * none
olcAccess: to dn.subtree="ou=montage_test,ou=other,ou=users,ou=groups,dc=ltn,dc=lvc,dc=com"
  by dn.exact="cn=montage_test,ou=services,ou=accounts,dc=ltn,dc=lvc,dc=com" read
  by self write
  by users read
  by * none
olcAccess: to *
  by self write
  by dn.exact="cn=montage_test,ou=services,ou=accounts,dc=ltn,dc=lvc,dc=com" none
  by users read
  by * none
That particular example gets me:
ldapsearch -uxLLLWP 3 -H 'ldaps://ldap.ltn.lvc.com' -D 'cn=montage_test, ou=services, ou=accounts, dc=ltn, dc=lvc, dc=com' -b 'dc=ltn, dc=lvc, dc=com' "(objectclass=groupofnames)" dn | grep -i 'dn:'
Enter LDAP Password:
No such object (32)
What am I missing?
Thanks
-ben
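Added example, not part of the original post: the same ACL with one extra rule that lets the service account traverse the ancestors of the two permitted subtrees. It assumes the DNs and database from the post above and relies on slapd requiring search access on the entry pseudo-attribute of the search base (without even disclose access the base is hidden and the server answers noSuchObject); everything outside the two subtrees still resolves to none for that DN, so only the two subtrees are readable.

```ldif
# Added example (not from the original post): same database and DNs as above.
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.base=""
  by * read
olcAccess: {1}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# The two subtrees the service account may read (unchanged from the post).
olcAccess: {2}to dn.subtree="ou=montage_test,ou=other,ou=users,ou=accounts,dc=ltn,dc=lvc,dc=com"
  by dn.exact="cn=montage_test,ou=services,ou=accounts,dc=ltn,dc=lvc,dc=com" read
  by self write
  by users read
  by * none
olcAccess: {3}to dn.subtree="ou=montage_test,ou=other,ou=users,ou=groups,dc=ltn,dc=lvc,dc=com"
  by dn.exact="cn=montage_test,ou=services,ou=accounts,dc=ltn,dc=lvc,dc=com" read
  by self write
  by users read
  by * none
# Added rule: grant the service account "search" on the entry pseudo-attribute
# of every entry under the suffix, so a search based at dc=ltn,dc=lvc,dc=com
# can find its base and descend. No other attribute is exposed: the ordinary
# attributes of those entries still fall through to the final "to *" rule,
# where this DN gets "none", so filters like (objectClass=groupOfNames)
# cannot match anything outside the two subtrees above.
olcAccess: {4}to dn.subtree="dc=ltn,dc=lvc,dc=com" attrs=entry
  by dn.exact="cn=montage_test,ou=services,ou=accounts,dc=ltn,dc=lvc,dc=com" search
  by users read
  by * none
olcAccess: {5}to *
  by self write
  by dn.exact="cn=montage_test,ou=services,ou=accounts,dc=ltn,dc=lvc,dc=com" none
  by users read
  by * none
```

Apply with ldapmodify against cn=config and re-run the ldapsearch from the post; the expected change is that the base is now found and only entries from the two permitted subtrees are returned.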