[Fedora-directory-users] ACI trouble: binding as a UID in an "hidden" branch

Hi *, I'm having a directory with an basedn: dc=foo, dc=bar containing an "sub directory" named "internal": cn=internal, dc=foo, dc=bar Now I want to hide "internal" and its children from most users, with exception of the members of some administrative groups, so I added an ACI to "internal" like this: (targetattr = "*") (version 3.0;acl "hide internal"; deny (read,write,delete,add) (groupdn != "ldap:///cn=admin,cn=internal,dc=foo,dc=bar" and groupdn != "ldap:///cn=configuration administrators,ou=groups, ou=topologymanagement,o=netscaperoot");) Now I have a user cn=manager,cn=internal,dc=foo,dc=bar who is member of the group cn=admin,cn=internal,dc=foo,dc=bar and should be allowed to access "internal" and its children. But this doesn't work: I can't even bind as cn=manager,cn=internal,dc=foo,dc=bar I suppose because the user is an child of "internal", and so anonymous isn't allowed to access the object for authentication. How can I achieve that it is possible to bind as a user in the hidden sub directory without making it world readable? cheers sascha -- Sascha Wilde OpenPGP key: 4BB86568 Intevation GmbH, Osnabrück http://www.intevation.de/~wilde/ Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner