ACL debug woes.

[Leeman Strout <me@mooluv.com>]

I've been banging my head on ACLs for 2 days now and my biggest problem 
is that there's NO debug info (as far as I can tell.)

I have added the -d 13365 option to get debug output.  All I receive in 
regard to my ACLs is this:

bdb_add: no write access to parent
send_ldap_result: conn=17 op=1 p=3
send_ldap_result: err=50 matched="" text="no write access to parent"

Any suggestions about debugging ACLs?  they *seem* simple enough.


The main thing I am trying to do is address books, and I've worked with 
this: http://www.zytrax.com/books/ldap/ch6/index.html#ex-addressbook a 
whole lot, and it's not helping because I get no information from slapd 
as to what's going on.

An addressbook is located in:
ou=Address Book,uid=X,ou=Y,dc=nodomain
where X is the username, ie: joe
and Y is the domain of the user, ie: test.com


The last attempt with my ACLs:

access to *
        by dn="cn=admin,dc=nodomain" write
        by self write
        by * read

access to dn.regex="ou=Address Book,uid=([^,]+),ou=([^,]+),dc=nodomain$"
        attrs=entry,children,@inetorgperson
    by dn.exact,expand="uid=$1,ou=$2,dc=nodomain" write

access to dn.regex="ou=Address Book,uid=([^,]+),ou=([^,]+),dc=nodomain$"
        attrs=entry
    by dn.exact,expand="uid=$1,ou=$2,dc=nodomain" read


What I want to achieve is that anyone who can bind to the LDAP server 
can read/write their own addressbook.  I also have a domain-wide 
addressbook at "ou=Address Book,ou=Y,dc=nodomain" again where Y is any 
of a number of domains.  I'd like domain user access to this as well, 
but I'll try working on that after user AB's are working.


Any and all help/suggestions would be appreciated.
Leeman Struot