access control after upgrade

[Aaron Thoreson <aaront@midco.net>]

( DB MOCKUP )
dc=local,dc=net
 |
ou=accounts
 |	|
 |	|
 |	ou=corporate
 |
ou=subscriber
( /DB MOCKUP )

-----------------------
These controls worked perfectly in 2.0.22:

access to dn="ou=corporate,ou=accounts,dc=local,dc=net"
        by dn="cn=corpuser,dc=local,dc=net" write
        by anonymous read
access to dn="ou=subscriber,ou=accounts,dc=local,dc=net"
        by dn="cn=subuser,dc=local,dc=net" write
        by anonymous read
access to *
        by dn="cn=Manager,dc=local,dc=net" write
        by self write
        by anonymous read

In this way, I could have an admin that could manage the corporate 
entries, and a seperate admin to manage the subscriber entries.

In 2.3.11, 'cn=corpuser,dc=local,dc=net' can only read itself and can't 
update anything under "ou=corporate,ou=accounts,dc=local,dc=net"  I've 
tried varying degrees of dn.subtree and dn.exact etc.

The only difference between the old config and the new one is this:

access to dn="ou=corporate,ou=accounts,dc=local,dc=net"
        by dn="cn=corpuser,dc=local,dc=net" write
        by anonymous read
access to dn="ou=subscriber,ou=accounts,dc=local,dc=net"
        by dn="cn=subuser,dc=local,dc=net" write
        by anonymous read
access to *
        by dn="cn=Syncuser,dc=local,dc=net" read

The Manager line in the old config was admittedly unnecessary, but I put 
Syncuser in its place for synrepl replication ( which is working great! 
).  Is this Syncuser overrunning the permissions of the two subtree 
managers?

I've read slapd.access a fair bit and it seems everythings geared toward 
reading attributes of a one OU directory.

--
Aaron Thoreson
aaront@midco.net