>
> >
> > olcAccess: {0} to dn.exact=""
> > by * read
> > olcAccess: {1} to dn.exact="cn=Subschema"
> > by * read
>
>
> The above 2 acls generally go on the frontend DB.
>
hmmm, I have everything on {-1}frontend
>
> > olcAccess: {2} to attrs=userPassword,shadowLastChange
> > by ssf=256 self read
> > by ssf=256 anonymous auth
> > by * none break
> >
> > ...
> >
> > olcAccess: {7} to dn.subtree="xxxxxx" filter=(objectClass=posixAccount)
> > attrs= by ssf=64 dn.exact="yyyy" read
> > by * break
> > olcAccess: {8} to dn.subtree="xxxxxx"
> > by ssf=256 dn.exact="yyyy" search
> > by ssf=256 self read
> > by anonymous
>
> The rest of these acls generally go on the MDB database. Have you
> configured your backend ACLs incorrectly?
>
>
> What exactly is the issue you're trying to report? Your subject doesn't
> really give a solid indication of what the problem is you're having.
>
yyyy is getting the userPassword hash, which I do not want it to have. Of
course I can list 50 attributes which it can have. But it would be nicer if I
could just exclude an attribute.
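
Added example, not part of the original messages: slapd evaluates `olcAccess` values in order and stops at the first matching `by` clause unless that clause carries `break`, so an attribute is normally kept away from an identity by an earlier terminal rule rather than by a negated attribute list. The fragment reuses the thread's placeholders `xxxxxx` and `yyyy`; the indices and the assumption that the later rule carries no `attrs=` restriction are illustrative.

```ldif
# --- As posted (simplified) -------------------------------------------
# yyyy is neither "self" nor "anonymous", so it matches "by * none break".
# "break" lets evaluation continue into later rules whose <what> also
# covers the entry, so a later "read" grant can apply to userPassword.
olcAccess: {2}to attrs=userPassword,shadowLastChange
  by ssf=256 self read
  by ssf=256 anonymous auth
  by * none break
# Assumption: no attrs= restriction here, so every attribute is covered.
olcAccess: {7}to dn.subtree="xxxxxx" filter=(objectClass=posixAccount)
  by ssf=64 dn.exact="yyyy" read
  by * break

# --- Terminal variant ----------------------------------------------------
# Without "break" the default control is "stop": for userPassword and
# shadowLastChange, evaluation ends in this rule for every identity.
# Any other identity that needs these attributes (a replication or admin
# DN, for example) needs its own "by" line above "by * none".
olcAccess: {2}to attrs=userPassword,shadowLastChange
  by ssf=256 self read
  by ssf=256 anonymous auth
  by * none
# yyyy still reads every other attribute of the posixAccount entries;
# the two attributes above never reach this rule.
olcAccess: {7}to dn.subtree="xxxxxx" filter=(objectClass=posixAccount)
  by ssf=64 dn.exact="yyyy" read
  by * break
```

Access for a given identity can be checked offline with `slapacl`, for example `slapacl -F <config dir> -D "yyyy" -b "<entry DN>" userPassword/read`.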