I have problems authenticating against this acl[0] with nslcd, if I use[1] authentication is fine. I have the impression the dn.exact is not able to access the password attribute, because getent shows the other attributes. How should I rewrite this so the dn.exact is able to read the password attributes from dn.subtree? [0] olcAccess: {0} to dn.exact="" by * read olcAccess: {1} to dn.exact="cn=Subschema" by * read olcAccess: {2} to attrs=userPassword,shadowLastChange by ssf=256 self read by ssf=256 anonymous auth by * none continue olcAccess: {3} to dn.subtree="ou=gggg,ou=ffff,ou=eee,dc=ccc,dc=bbb,dc=aaa" by dn.exact="cn=system,ou=dddd,dc=ccc,dc=bbb,dc=aaa" ssf=64 read olcAccess: {4} to * by * none [1] olcAccess: {0} to dn.exact="" by * read olcAccess: {1} to dn.exact="cn=Subschema" by * read olcAccess: {2} to attrs=userPassword,shadowLastChange by ssf=256 self read by ssf=256 anonymous auth by * none olcAccess: {3} to * by ssf=64 users read by * none