I suppose being the newbie - I have to ask the obligatory ACI questions... ;-) I have personal address books...each user would have one - i.e. ou=AddressBook,uid=craig,ou=People,dc=azapple,dc=com ou=AddressBook,uid=jennifer,ou=People,dc=azapple,dc=com and my thinking is that each person can read/write/delete/etc. their own address book, authenticated users can read and anonymous is denied. Thus I created 3 rules and they aren't working because an unauthenticated/anonymous bind still can view them... These are the 3 rules (which are applied to ou=People with the expectation that each address book would inherit)... (targetattr = "*") (target = "ldap:///ou=AddressBook,uid=*,ou=People,dc=azapple,dc=com";) (version 3.0;acl "Personal Address Books Owner";allow (all)(userdn = "ldap:///self";);) (targetattr = "*") (target = "ldap:///ou=AddressBook,uid=*,ou=People,dc=azapple,dc=com";) (version 3.0;acl "Personal Address Books Non Owner";allow (read,compare,search)(userdn = "ldap:///all";);) (targetattr = "") (target = "ldap:///ou=AddressBook,uid=*,ou=People, dc=azapple,dc=com") (version 3.0;acl "Personal Address Books";deny (all)(userdn = "ldap:///anyone";);) are these supposed to be separate rules or combined into 1 rule? and lastly...despite the documentation, I can't get ldapsearch to return the list of ACI's... ./ldapsearch -h localhost -D 'cn=Directory Manager' -w - '(aci=*)' whether I use the ldapsearch client from fedora-ds or the one from openldap-clients Craig
