Yes, you're right. I add sudo and the result run as I expected, it shows content file of ldap.conf. Next step is add access control instructions (aci) and I try it with commands below: 1. sudo dsconf -D 'cn=admin,dc=example,dc=org' ldap://localhost:389 plugin root-dn enable and I get result Enabled plugin 'RootDN Access Control'. 2. sudo ldapmodify -f aci.ldif -x -D 'cn=admin,dc=example,dc=org' -w 1234567890. But the result modifying entry "dc=example,dc=org" ldap_modify: No such object (32). Here's my aci.ldif file: ```bash dn: dc=example,dc=org changetype: modify add: aci aci: (targetattr="dc || description || objectClass")(targetfilter="(objectClass=domain)")(version 3.0; acl "Enable anyone domain read"; allow (read, search, compare)(userdn="ldap:///anyone");) aci: (targetattr="ou || objectClass")(targetfilter="(objectClass=organizationalUnit)")(version 3.0; acl "Enable anyone ou read"; allow (read, search, compare)(userdn="ldap:///anyone");) - ``` I also add those steps in my GitHub repo if you would like to check: https://github.com/kresnasatya/migrate-openldap-to-389-ds-failed/blob/main/README.md _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue