> access to * by dn="cn=ldapclient,o=toyo,c=sp" read
>     by * none
>
> ldapsearch -D "cn=ldapclient,o=toyo,c=sp" -x -W "cn=*"
>
> it always appears "Invalid credentials" message

If I remember correctly, until you're authenticated, you're "anonymous." So you need "by anonymous auth" or such to allow the password to be checked in the first place.

You can try "-d 128" on your slapd to debug ACLs.
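The following is an added example, not part of the original message and not OpenLDAP code: a simplified Python model of slapd's first-match ACL evaluation, applied to the quoted ACL and to a variant with a `by anonymous auth` clause. The function names and the `ACL_WITH_AUTH` layout are assumptions made for illustration; real slapd matching (DN normalization, regexes, scopes) is richer than this.

```python
# Simplified model of slapd ACL evaluation (added example, not OpenLDAP code).
# Access levels in increasing order; each level implies the ones before it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
CLIENT = "cn=ldapclient,o=toyo,c=sp"

# Each rule is (what, [(who, level), ...]); "what" is "*" or a set of attribute names.
ACL_FROM_QUESTION = [("*", [(f'dn="{CLIENT}"', "read"), ("*", "none")])]
# Assumed corrected variant: anonymous may authenticate, but gets nothing above "auth".
ACL_WITH_AUTH = [("*", [(f'dn="{CLIENT}"', "read"), ("anonymous", "auth"), ("*", "none")])]

def who_matches(who, requester_dn):
    """requester_dn is None while a bind is still being processed (anonymous)."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who.startswith("dn="):
        target = who[3:].strip('"').lower()
        return requester_dn is not None and requester_dn.lower() == target
    return False

def granted_level(acl, attr, requester_dn):
    """First matching 'access to' rule wins, then first matching 'by' clause."""
    for what, by_clauses in acl:
        if what != "*" and attr not in what:
            continue
        for who, level in by_clauses:
            if who_matches(who, requester_dn):
                return level
        return "none"  # implicit trailing "by * none" on every rule
    return "none"      # no rule matched: access denied

def allows(acl, attr, requester_dn, needed):
    got = granted_level(acl, attr, requester_dn)
    return LEVELS.index(got) >= LEVELS.index(needed)

def simple_bind_allowed(acl):
    """A simple bind compares the password as anonymous, which needs 'auth'."""
    return allows(acl, "userPassword", None, "auth")

if __name__ == "__main__":
    for name, acl in [("question", ACL_FROM_QUESTION), ("with auth", ACL_WITH_AUTH)]:
        print(f"{name}: bind allowed={simple_bind_allowed(acl)}, "
              f"client reads cn={allows(acl, 'cn', CLIENT, 'read')}, "
              f"anonymous reads cn={allows(acl, 'cn', None, 'read')}")
```

With the quoted ACL the bind check itself falls through to `by * none`, which the client sees as "Invalid credentials" even though the password is right.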