> access to *
>     by * read

Yes, it works. The problem is that if this line does not appear at the end of the file, I get the 'entry' attribute issue. Is this rule always required? I'm frightened to forget one of the above rules in the ACL definition and that some important attributes could therefore be read by anyone...

I've tried to reduce this final rule to

    access to *
        by * search

and it fails.

Thanks,
Emmanuel.