Thanks so much! Now I'm looking in http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#1199651 to see what I might do to fix things. Here is the output from the commands you suggested. At least I can tell one is bigger than the other :)

ldapsearch -x -D "cn=directory manager" -w mypassword -b o=netscaperoot "aci=*" aci
# extended LDIF
#
# LDAPv3
# base <o=netscaperoot> with scope subtree
# filter: aci=*
# requesting: aci
#

# NetscapeRoot
dn: o=NetscapeRoot
aci: (targetattr="*")(version 3.0; acl "Enable Configuration Administrator Gro up modification"; allow (all) groupdn="ldap:///cn=Configuration Administrator s, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(targetfilter=(o=NetscapeRoot))(version 3.0; acl "Default anonymous access"; allow (read, search) userdn="ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Enable Group Expansion"; allow (read, search, compare) groupdnattr="uniquemember";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group (trixter)"; allow (all) gr oupdn = "ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Grou p, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)

# TopologyManagement, NetscapeRoot
dn: ou=TopologyManagement, o=NetscapeRoot
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare)userdn="ldap:///anyone";)

# Global Preferences, hymesruzicka.org, NetscapeRoot
dn: ou=Global Preferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable anonymous access"; allow(read,sea rch) userdn="ldap:///anyone";)

# UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr = "*")(version 3.0; acl "Allow saving of User Preferences"; a llow (add) userdn = "ldap:///all";)

# uid\3Dadmin\2C ou\3DAdministrators\2C ou\3DTopologyManagement\2C o\3DNetsca peRoot, UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="uid=admin,
ou=Administrators, ou=TopologyManagement, o=NetscapeRoot",o u=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all) userdnattr=" creatorsname";)

# cn\3Dadmin-serv-trixter\2C cn\3DFedora Administration Server\2C cn\3DServer Group\2C cn\3Dtrixter.hymesruzicka.org\2C ou\3Dhymesruzicka.org\2C o\3DNets capeRoot, UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Grou p, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot",ou=UserP references, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all) userdnattr=" creatorsname";)

# Server Group, trixter.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=Netsc apeRoot
aci: (targetattr=*)(targetfilter=(nsconfigRoot=*))(version 3.0; acl "Enable de legated access"; allow (read, search, compare) groupdn="ldap:///cn=Server Gro up, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read, s earch, compare) userdn="ldap:///cn=admin-serv-trixter, cn=Fedora Administrati on Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)

# PublicViews, 1.1, Admin, Global Preferences, hymesruzicka.org, NetscapeRoot
dn: cn=PublicViews, ou=1.1, ou=Admin, ou=Global Preferences, ou=hymesruzicka.o rg, o=NetscapeRoot
aci: (targetattr = "*")(version 3.0; acl "Allow Authenticated Users to Save Pu blic Views"; allow (all) userdn = "ldap:///all";)

# slapd-trixter, Fedora Directory Server, Server Group, trixter.hymesruzicka. org, hymesruzicka.org, NetscapeRoot
dn: cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.
hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read, s earch, compare) groupdn="ldap:///cn=slapd-trixter, cn=Fedora Directory Server , cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=Netsca peRoot";)
aci: (targetattr="uniquemember || serverProductName || userpassword || descrip tion")(targetfilter=(objectclass=netscapeServer))(version 3.0; acl "Enable ac cess delegation"; allow (write) groupdn="ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzic ka.org, o=NetscapeRoot";)

# configuration, slapd-trixter, Fedora Directory Server, Server Group, trixte r.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=configuration,cn=slapd-trixter, cn=Fedora Directory Server, cn=Server G roup, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable Server configuration"; allow (all ) groupdn="ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Gr oup, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)

# cn\3Dslapd-trixter\2C cn\3DFedora Directory Server\2C cn\3DServer Group\2C cn\3Dtrixter.hymesruzicka.org\2C ou\3Dhymesruzicka.org\2C o\3DNetscapeRoot, UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trix ter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot",ou=UserPreferences , ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all) userdnattr=" creatorsname";)

# cn\3DDirectory Manager, UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="cn=Directory Manager",ou=UserPreferences, ou=hymesruzicka.org, o=Netsc apeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all) userdnattr=" creatorsname";)

# Fedora Administration Server, Server Group, trixter.hymesruzicka.org, hymes ruzicka.org, NetscapeRoot
dn: cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka. org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(targetfilter=(nsNickName=*))(version 3.0; acl "Enable dele gated access"; allow (read, search, compare) groupdn="ldap:///cn=Fedora Admin istration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzic ka.org, o=NetscapeRoot";)

# admin-serv-trixter, Fedora Administration Server, Server Group, trixter.hym esruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Group, c n=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read, s earch, compare) groupdn="ldap:///cn=admin-serv-trixter, cn=Fedora Administrat ion Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org , o=NetscapeRoot";)
aci: (targetattr="uniquemember || serverProductName || userpassword || descrip tion")(targetfilter=(objectclass=netscapeServer))(version 3.0; acl "Enable ac cess delegation"; allow (write) groupdn="ldap:///cn=admin-serv-trixter, cn=Fe dora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou= hymesruzicka.org, o=NetscapeRoot";)

# configuration, admin-serv-trixter, Fedora Administration Server, Server Gro up, trixter.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=configuration, cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=Netscape Root
aci: (targetattr=*)(version 3.0; acl "Enable delegated admin to access configu ration"; allow (read, search) groupdn="ldap:///cn=Server Group, cn=trixter.hy mesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
aci: (targetattr=*)(version 3.0; acl "Enable Server configuration"; allow (all ) groupdn="ldap:///cn=admin-serv-trixter, cn=Fedora Administration Server, cn =Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRo
ot";)

# uid\3Ddiradmin\2Cou\3DAdministrators\2C ou\3DTopologyManagement\2C o\3Dnets capeRoot, UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="uid=diradmin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot" ,ou=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all) userdnattr=" creatorsname";)

# search result
search: 2
result: 0 Success

# numResponses: 17
# numEntries: 16

ldapsearch -x -D "cn=directory manager" -w anotherpassword -b "dc=hymesruzicka,dc=org" "aci=*" aci
# extended LDIF
#
# LDAPv3
# base <dc=hymesruzicka,dc=org> with scope subtree
# filter: aci=*
# requesting: aci
#

# hymesruzicka.org
dn: dc=hymesruzicka, dc=org
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
aci: (targetattr="carLicense || description || displayName || facsimileTelepho neNumber || homePhone || homePostalAddress || initials || jpegPhoto || labele dURL || mail || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddr ess || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertif icate || x500UniqueIdentifier")(version 3.0; acl "Enable self write for commo n attributes"; allow (write) userdn="ldap:///self";)
aci: (targetattr ="*")(version 3.0;acl "Directory Administrators Group";allow (all) (groupdn = "ldap:///cn=Directory Administrators, dc=hymesruzicka, dc=or g");)

# People, hymesruzicka.org
dn: ou=People, dc=hymesruzicka, dc=org
aci: (targetattr ="userpassword || telephonenumber || facsimiletelephonenumber ")(version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ld ap:///self");)
aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Accounting)")(version 3.0;acl "Accounting Managers Group Permissions";allow (write)(groupdn =
"lda p:///cn=Accounting Managers,ou=groups,dc=hymesruzicka, dc=org");)
aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Human Resources)")(ve rsion 3.0;acl "HR Group Permissions";allow (write)(groupdn = "ldap:///cn=HR M anagers,ou=groups,dc=hymesruzicka, dc=org");)
aci: (targetattr !="cn ||sn || uid")(targetfilter ="(ou=Product Testing)")(ver sion 3.0;acl "QA Group Permissions";allow (write)(groupdn = "ldap:///cn=QA Ma nagers,ou=groups,dc=hymesruzicka, dc=org");)
aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Product Development)" )(version 3.0;acl "Engineering Group Permissions";allow (write)(groupdn = "ld ap:///cn=PD Managers,ou=groups,dc=hymesruzicka, dc=org");)

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2