My olcAccess attributes on the relevant database are these:
olcAccess: {0}to attrs=userPassword,shadowLastChange,loginShell,gecos by self write by anonymous auth by * none
olcAccess: {1}to * by * read
My understanding suggests that the second line should allow any user and
even anonymous to read all attributes but I can't read the loginShell
attribute as anonymous
