Hi,
I want to hide an attribute of the members of a group from each other, but
allow these members to see this attribute of all other users.
So I use these ACLs:
olcAccess: {0}to filter=(memberof=cn=group,ou=special,o=abc.net)
attrs=PrivateAttr by group.exact="cn=group,ou=special,o=abc.net" none
by * break
olcAccess: {1}to attrs=PrivateAttr
by group.exact="cn=group,ou=special,o=abc.net" ssf=128 read
olcAccess: {2}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {3}to * by * read
uid=user1,ou=people,o=abc.net and uid=user2,ou=people,o=abc.net are both members
of cn=group,ou=special,o=abc.net, and the memberOf overlay seems to work, as does
the filter in acl#0:
dn: uid=user1,ou=people,o=abc.net
memberOf: cn=group,ou=special,o=abc.net
dn: uid=user2,ou=people,o=abc.net
memberOf: cn=group,ou=special,o=abc.net
But if user2 searches for PrivateAttr of user1, it gets the attribute.
Can anyone give me a hint what's wrong?
Many thanks,
Christian
Here is the log:
Jan 25 09:16:56 openldap1 slapd[58851]: => mdb_entry_get: found entry:
"uid=user2,ou=people,o=abc.net"
Jan 25 09:16:56 openldap1 slapd[58851]: => access_allowed: search access to
"o=abc.net" "entry" requested
Jan 25 09:16:56 openldap1 slapd[58851]: => acl_get: [4] attr entry
Jan 25 09:16:56 openldap1 slapd[58851]: => acl_mask: access to entry
"o=abc.net", attr "entry" requested
Jan 25 09:16:56 openldap1 slapd[58851]: => acl_mask: to all values by
"uid=user2,ou=people,o=abc.net", (=0)
Jan 25 09:16:56 openldap1 slapd[58851]: <= check a_dn_pat: *
Jan 25 09:16:56 openldap1 slapd[58851]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jan 25 09:16:56 openldap1 slapd[58851]: <= acl_mask: [1] mask: read(=rscxd)
Jan 25 09:16:56 openldap1 slapd[58851]: => slap_access_allowed: search access granted
by read(=rscxd)
Jan 25 09:16:56 openldap1 slapd[58851]: => access_allowed: search access granted by
read(=rscxd)
Jan 25 09:16:56 openldap1 slapd[58851]: => access_allowed: search access to
"uid=user1,ou=people,o=abc.net" "uid" requested
Jan 25 09:16:56 openldap1 slapd[58851]: => acl_get: [4] attr uid
Jan 25 09:16:56 openldap1 slapd[58851]: => acl_mask: access to entry
"uid=user1,ou=people,o=abc.net", attr "uid" requested
Jan 25 09:16:56 openldap1 slapd[58851]: => acl_mask: to value by
"uid=user2,ou=people,o=abc.net", (=0)
Jan 25 09:16:56 openldap1 slapd[58851]: <= check a_dn_pat: *
Jan 25 09:16:56 openldap1 slapd[58851]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jan 25 09:16:56 openldap1 slapd[58851]: <= acl_mask: [1] mask: read(=rscxd)
Jan 25 09:16:56 openldap1 slapd[58851]: => slap_access_allowed: search access granted
by read(=rscxd)
Jan 25 09:16:56 openldap1 slapd[58851]: => access_allowed: search access granted by
read(=rscxd)
Jan 25 09:16:56 openldap1 slapd[58851]: => access_allowed: read access to
"uid=user1,ou=people,o=abc.net" "entry" requested
Jan 25 09:16:56 openldap1 slapd[58851]: => acl_get: [4] attr entry
Jan 25 09:16:56 openldap1 slapd[58851]: => acl_mask: access to entry
"uid=user1,ou=people,o=abc.net", attr "entry" requested
Jan 25 09:16:56 openldap1 slapd[58851]: => acl_mask: to all values by
"uid=user2,ou=people,o=abc.net", (=0)
Jan 25 09:16:56 openldap1 slapd[58851]: <= check a_dn_pat: *
Jan 25 09:16:56 openldap1 slapd[58851]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jan 25 09:16:56 openldap1 slapd[58851]: <= acl_mask: [1] mask: read(=rscxd)
Jan 25 09:16:56 openldap1 slapd[58851]: => slap_access_allowed: read access granted by
read(=rscxd)
Jan 25 09:16:56 openldap1 slapd[58851]: => access_allowed: read access granted by
read(=rscxd)
Jan 25 09:16:56 openldap1 slapd[58851]: => access_allowed: result not in cache
(PrivateAttr)
Jan 25 09:16:56 openldap1 slapd[58851]: => access_allowed: read access to
"uid=user1,ou=people,o=abc.net" "PrivateAttr" requested
Jan 25 09:16:56 openldap1 slapd[58851]: => access_allowed: search access to
"uid=user1,ou=people,o=abc.net" "memberOf" requested
Jan 25 09:16:56 openldap1 slapd[58851]: => acl_get: [2] attr PrivateAttr
Jan 25 09:16:56 openldap1 slapd[58851]: => acl_mask: access to entry
"uid=user1,ou=people,o=abc.net", attr "PrivateAttr" requested
Jan 25 09:16:56 openldap1 slapd[58851]: => acl_mask: to value by
"uid=user2,ou=people,o=abc.net", (=0)
Jan 25 09:16:56 openldap1 slapd[58851]: <= check a_group_pat:
cn=group,ou=special,o=abc.net
Jan 25 09:16:56 openldap1 slapd[58851]: => mdb_entry_get: found entry:
"cn=group,ou=special,o=abc.net"
Jan 25 09:16:56 openldap1 slapd[58851]: <= check a_authz.sai_ssf: ACL 128 > OP 256
Jan 25 09:16:56 openldap1 slapd[58851]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jan 25 09:16:56 openldap1 slapd[58851]: <= acl_mask: [1] mask: read(=rscxd)
Jan 25 09:16:56 openldap1 slapd[58851]: => slap_access_allowed: read access granted by
read(=rscxd)
Jan 25 09:16:56 openldap1 slapd[58851]: => access_allowed: read access granted by
read(=rscxd)
Jan 25 09:16:56 openldap1 slapd[58851]: connection_read(35): no connection!
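An added diagnostic, not part of the post above: a small Python parser for slapd ACL trace lines of the shape shown in the log, reporting for each requested attribute which olcAccess rule and which "by" clause decided access. It relies on slapd's numbering, where the acl_get index is 1-based over the access rules (so [N] is olcAccess {N-1}) and the acl_mask index is the 1-based "by" clause inside that rule; the sample lines are constructed from the log above, with the syslog prefix optional and wrapped lines already joined.

```python
import re

# Constructed sample in the shape of the slapd ACL trace above (syslog prefix optional,
# wrapped lines already joined). The memberOf request is the nested check slapd makes
# while evaluating the filter of rule {0}; it gets no acl_get/acl_mask lines of its own.
SAMPLE_LOG = """\
=> access_allowed: search access to "uid=user1,ou=people,o=abc.net" "uid" requested
=> acl_get: [4] attr uid
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
=> access_allowed: read access to "uid=user1,ou=people,o=abc.net" "PrivateAttr" requested
=> access_allowed: search access to "uid=user1,ou=people,o=abc.net" "memberOf" requested
=> acl_get: [2] attr PrivateAttr
<= check a_group_pat: cn=group,ou=special,o=abc.net
<= check a_authz.sai_ssf: ACL 128 > OP 256
<= acl_mask: [1] applying read(=rscxd) (stop)
"""

PREFIX = re.compile(r'^.*?slapd\[\d+\]: ')
REQ = re.compile(r'=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
GET = re.compile(r'=> acl_get: \[(\d+)\] attr (\S+)')
CHK = re.compile(r'<= check (\S+):')
MASK = re.compile(r'<= acl_mask: \[(\d+)\] applying (\w+)\(=\w*\) \(stop\)')

def parse_acl_trace(text):
    """One record per access request: which olcAccess rule and <by> clause decided it."""
    records, cur = [], None
    for raw in text.splitlines():
        line = PREFIX.sub('', raw)
        if m := REQ.search(line):
            cur = {"access": m.group(1), "dn": m.group(2), "attr": m.group(3),
                   "rule": None, "by": None, "result": None, "checks": []}
            records.append(cur)
        elif m := GET.search(line):
            # acl_get names the attribute, so re-attach to that request even when a
            # nested check (memberOf for the filter clause) was logged in between
            cur = next((r for r in reversed(records) if r["attr"] == m.group(2)), cur)
            if cur:
                cur["rule"] = int(m.group(1)) - 1  # 1-based acl_get index -> olcAccess {N-1}
        elif cur and (m := CHK.search(line)):
            cur["checks"].append(m.group(1))      # which <by> selector was tested
        elif cur and (m := MASK.search(line)):
            cur["by"] = int(m.group(1))           # 1-based <by> clause within that rule
            cur["result"] = m.group(2)
    return records

def deciding_rule(records, attr):
    """olcAccess index that decided access to `attr`, or None if no rule was logged."""
    return next((r["rule"] for r in records
                 if r["attr"] == attr and r["rule"] is not None), None)

if __name__ == "__main__":
    for r in parse_acl_trace(SAMPLE_LOG):
        print(f'{r["access"]:6} {r["attr"]:12} rule={r["rule"]} by={r["by"]} '
              f'{r["result"]} checks={r["checks"]}')
```

Run over the trace in the post, it shows PrivateAttr being decided by rule {1} via its first "by" clause (the group.exact match plus the ssf check), which is a quick way to confirm that the filter rule {0} was not the one applied.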