[Fedora-directory-users] Macro ACI not working as expected

I have set up a directory structure as follows: ou=Domains,dc=example,dc=net o=hostedDomain1.com mail=user1(a)hostedDomain1.com mail=user2(a)hostedDomain1.com mail=user3(a)hostedDomain1.com o=hostedDomain2.net mail=user1(a)hostedDomain2.net mail=user2(a)hostedDomain2.net mail=user3(a)hostedDomain2.net o=hostedDomain3.com ... I would like to allow any mail user to only read the attributes of the users within their domain. For example, user1(a)hostedDomain1.com can see user2(a)hostedDomain1.com, but not user2(a)hostedDomain2.net. I am not allowing anonymous access. I have allowed access to the Domains OU with this aci entry (placed on the Domains OU): aci: (targetattr=*)(targetfilter=(ou=Domains)) (version 3.0;acl "Allow read access to Domains OU";allow (read,search) (userdn="ldap:///mail=*,o=*,ou=Domains,dc=example,dc=net");) I have placed the following macro aci on the Domains OU without success: aci: (targetattr!="userPassword") (target="ldap:///($dn),ou=Domains,dc=example,dc=net") (version 3.0;acl "Allow read access to Domain members";allow (read,search)(userdn="ldap:///mail=*,($dn),ou=Domains,dc=example,dc=net");) As I understand it, the second aci should allow read and search access to domain ($dn) and all entries below it. However, the behavior that I'm seeing is that the user can only see down to the domain with no access to the sub-entries. In other words, user1(a)hostedDomain1.com can see o=hostedDomain1.com,ou=Domains,dc=example,dc=net, but can not see anything below. Am I missing something? How can I get this to work properly? Thanks in advance.