On May 11, 2012, at 11:10 AM, Uwe Werler wrote: ACLs are irrelevant because nssov sits *within* the overlay stack and does everything as the rootdn. It doesn't make sense to use ACLs in conjunction with nssov anyway. Consider: the pam_ldap and nss_ldap libraries communicate with nssov using a *very* specific protocol that is designed not to disclose information that is cannot be otherwise obtained from the getpw* family function calls. Root users can perform PAM operations as well, but again, the standard UNIX security model will apply here. The protocol used is *not* a general-purpose LDAP protocol. There is, therefore, no danger of unauthorized writes and the information that can be easily read is the same that would be available to any process running in the system. It *does* make sense to use ACLs at the remote database because that uses an LDAP interface and therefore *does* need protection. Hope this helps. -Matt Matthew Hardin Symas - The LDAP Guys http://www.symas.com