389-Directory/1.3.1.3 B2013.193.1948


I set an ACI for a specific user to add, read or modify everything on this OU:

dn: ou=UFRGS,ou=RNP,dc=homolog,dc=rnp
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0;aci "ufrgs add permission";allow (add,read,write,compare) userdn="ldap:///uid=app.ufrgs.w,ou=APLICACOES,ou=RNP,dc=homolog,dc=rnp";)

But when I do an ldapsearch with this user (app.ufrgs.w) on this OU, I can't see the userpassword attribute.

dn: uid=teste123,ou=UFRGS,ou=RNP,dc=homolog,dc=rnp
uid: teste123
givenName: teste123
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: ntUser
sn: teste
cn: teste123
ntUserDomainId: teste123
ntUserCreateNewAccount: true
ntUserDeleteAccount: true

I also tried this kind of ACI:

dn: ou=UFRGS,ou=RNP,dc=homolog,dc=rnp
changetype: modify
add: aci
aci: (targetattr="userPassword")(version 3.0;aci "ufrgs userpass permission";allow (all) userdn="ldap:///uid=app.ufrgs.w,ou=APLICACOES,ou=RNP,dc=homolog,dc=rnp";)


When I do it with "Directory Manager" I can see the userpassword attribute. What do I have to do?