I am again having trouble understanding ACLs:
Consider the following schema:
objectclass ( acmeLDAP:4.2
NAME 'acmeUserLimits'
DESC 'Limits for acme Users'
SUP top AUXILIARY
MAY ( limitMaxUserProc $ limitMaxCpuTime $ limitMaxOpenFiles $
limitMaxCorefileSize $ limitMaxStackSize $ limitMaxMemorySize $
limitMaxVirtualMemory $ limitMaxDatasegSize $ limitMaxPipeSize $
limitMaxFileLocks $ userAttrChanged ) )
and the following ACL:
[...]
access to dn.subtree="ou=people,ou=unix,dc=acme,dc=org"
attrs=limitMaxUserProc,limitMaxCpuTime,limitMaxOpenFiles,limitMaxCorefileSize,limitMaxStackSize,limitMaxMemorySize,limitMaxVirtualMemory,limitMaxDatasegSize,limitMaxPipeSize,limitMaxFileLocks,userAttrChanged
by group="cn=useradmins,ou=group,ou=unix,dc=acme,dc=org" write
by group="cn=consultants,ou=group,ou=unix,dc=acme,dc=org" write
by self read
by * none
[...]
This one works: it lets users authenticate and restricts access to the
attributes mentioned. Now, as the attribute list is a bit long, I thought
I could replace it with the shorthand notation:
access to dn.subtree="ou=people,ou=unix,dc=acme,dc=org"
attrs=@acmeUserLimits
(since all listed attributes are only in acmeUserLimits).
Unfortunately this does not work; it blocks users from logging in (via
ssh). One time I got the message "Permissions on the password database
may be too restrictive."
Obviously the shorthand notation affects other attributes as well. But
looking at the object class definition, I don't see why. Can anyone
enlighten me about this?
Isaac
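The following is an added example, not part of Isaac's post and not OpenLDAP code. It models the expansion that slapd.access(5) documents for an `attrs=@<objectclass>` clause: the rule covers every attribute the object class requires or allows, and that includes attributes inherited through the SUP chain. `acmeUserLimits` is `SUP top`, and `top` is defined in the core schema as `MUST objectClass`, so `attrs=@acmeUserLimits` also governs `objectClass`. With `by * none` as the final clause, anything other than the two groups and the entry owner (for instance the bind the NSS client uses to look accounts up) can no longer read `objectClass`, which is consistent with the password-database error quoted above. The schema text, the `top` definition and the explicit attribute list below are constructed input copied from the post and from the standard core schema; the parser is deliberately minimal and assumes no nested parentheses inside a MUST/MAY list.

```python
import re

# Constructed input for this example: the poster's auxiliary class together
# with the standard definition of 'top' from OpenLDAP's core schema, which
# acmeUserLimits inherits from through "SUP top".
SCHEMA = """
objectclass ( 2.5.6.0 NAME 'top' DESC 'top of the superclass chain'
    ABSTRACT MUST objectClass )
objectclass ( acmeLDAP:4.2
    NAME 'acmeUserLimits'
    DESC 'Limits for acme Users'
    SUP top AUXILIARY
    MAY ( limitMaxUserProc $ limitMaxCpuTime $ limitMaxOpenFiles $
          limitMaxCorefileSize $ limitMaxStackSize $ limitMaxMemorySize $
          limitMaxVirtualMemory $ limitMaxDatasegSize $ limitMaxPipeSize $
          limitMaxFileLocks $ userAttrChanged ) )
"""

# The explicit attrs= list from the ACL the poster reports as working.
EXPLICIT_ATTRS = ("limitMaxUserProc,limitMaxCpuTime,limitMaxOpenFiles,"
                  "limitMaxCorefileSize,limitMaxStackSize,limitMaxMemorySize,"
                  "limitMaxVirtualMemory,limitMaxDatasegSize,limitMaxPipeSize,"
                  "limitMaxFileLocks,userAttrChanged")


def _list(field):
    """'( a $ b )' or 'a' -> ['a', 'b']; None -> []."""
    if field is None:
        return []
    return [tok for tok in re.split(r"[\s$()]+", field) if tok]


def parse_objectclasses(text):
    """Minimal parser for slapd.conf-style objectclass definitions.
    Returns {lowercased name: {'name', 'sup', 'must', 'may'}}.
    Assumes each definition starts on its own line (hypothetical
    simplification; the real schema parser is more general)."""
    classes = {}
    for chunk in re.split(r"(?im)^\s*objectclass\s*", text)[1:]:
        def field(keyword, chunk=chunk):
            # Either a parenthesised "$"-separated list or a single token.
            m = re.search(r"\b%s\s+(\([^)]*\)|\S+)" % keyword, chunk)
            return m.group(1) if m else None
        name = re.search(r"\bNAME\s+'([^']+)'", chunk).group(1)
        classes[name.lower()] = {
            "name": name,
            "sup": _list(field("SUP")),
            "must": _list(field("MUST")),
            "may": _list(field("MAY")),
        }
    return classes


def expand_objectclass(classes, name, _seen=None):
    """Every attribute required or allowed by `name` or any of its
    superclasses: the set slapd substitutes for attrs=@<objectclass>."""
    seen = set() if _seen is None else _seen
    key = name.lower()
    if key in seen:          # guard against cyclic SUP definitions
        return set()
    seen.add(key)
    oc = classes[key]
    attrs = set(oc["must"]) | set(oc["may"])
    for sup in oc["sup"]:
        attrs |= expand_objectclass(classes, sup, seen)
    return attrs


def acl_attrs(spec, classes):
    """Resolve an ACL attrs= value (comma-separated names, possibly with
    @<objectclass> entries) to the set of attributes the rule governs."""
    covered = set()
    for item in spec.split(","):
        item = item.strip()
        if item.startswith("@"):
            covered |= expand_objectclass(classes, item[1:])
        elif item:
            covered.add(item)
    return covered


def shorthand_surplus(classes):
    """Attributes governed by attrs=@acmeUserLimits but absent from the
    explicit list, i.e. what the shorthand silently added to the rule."""
    return (acl_attrs("@acmeUserLimits", classes)
            - acl_attrs(EXPLICIT_ATTRS, classes))


if __name__ == "__main__":
    classes = parse_objectclasses(SCHEMA)
    print("extra attributes covered by @acmeUserLimits:",
          sorted(shorthand_surplus(classes)))
```

Running this shows `objectClass` as the one attribute the shorthand adds. The practical check before switching any rule to `@<objectclass>` is therefore to walk the SUP chain of that class, not just its own MAY/MUST list; keeping the explicit attribute list, or placing a separate rule that grants read on `objectClass` ahead of this one (slapd stops at the first matching `access to` clause), avoids taking `objectClass` away from the clients that need it.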