I tried to use the following ACIs to allow a user to create their own subentry, but the result shows insufficient access. I tried both types but it still does not work. Can anyone please recommend the correct ACI to do this?

(target="ldap:///uid=xfs,ou=people,dc=icesolution,dc=com")(targetattr=*) (version 3.0; acl "Create Entry"; allow (add) userattr = "parent[0,1].owner#USERDN";)

(target="ldap:///uid=xfs,ou=people,dc=icesolution,dc=com") (targattrfilters="add=objectClass:(objectClass=*)") (version 3.0; acl "Create Entry"; allow (add) (userdn= "ldap:///self") ;)

Nattapon, Regards