
acl to allow access to specific parts of the tree only for a particular dn



I'd like to prevent the dn "cn=foo, ou=services, ou=accounts, dc=example, dc=com" from accessing any part of the tree outside of "ou=test, ou=other, ou=users, ou=accounts, dc=example, dc=com" and "ou=test, ou=other, ou=users, ou=groups, dc=example, dc=com", and would like that dn to have only read access to those two subtrees - the exception being that that user should of course be able/required to authenticate.

I'm having trouble constructing a working acl that accomplishes this.

one example attempt:

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to dn.base=""
           by * read
olcAccess: to attrs=userPassword
           by self write
           by anonymous auth
           by * none
olcAccess: to dn.subtree="ou=montage_test,ou=other,ou=users,ou=accounts,dc=ltn,dc=lvc,dc=com"
           by dn.exact="cn=montage_test,ou=services,ou=accounts,dc=ltn,dc=lvc,dc=com" read
           by self write
           by users read
           by * none
olcAccess: to dn.subtree="ou=montage_test,ou=other,ou=users,ou=groups,dc=ltn,dc=lvc,dc=com"
           by dn.exact="cn=montage_test,ou=services,ou=accounts,dc=ltn,dc=lvc,dc=com" read
           by self write
           by users read
           by * none
olcAccess: to *
           by self write
           by dn.exact="cn=montage_test,ou=services,ou=accounts,dc=ltn,dc=lvc,dc=com" none
           by users read
           by * none

that particular example gets me:

>ldapsearch -uxLLLWP 3 -H 'ldaps://ldap.ltn.lvc.com' -D 'cn=montage_test, ou=services, ou=accounts, dc=ltn, dc=lvc, dc=com' -b 'dc=ltn, dc=lvc, dc=com' "(objectclass=groupofnames)" dn | grep -i 'dn:'
Enter LDAP Password:
No such object (32)


what am I missing?

thanks
-ben
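Editor's added example (not part of Ben's post, and not OpenLDAP's own code): a small Python model of how slapd evaluates an olcAccess list, fed the exact clauses posted above (rewritten one value per line; DNs `SUFFIX`, `SERVICE`, `ACCOUNTS` and `GROUPS` are the post's), plus one assumed extra clause, `BASE_TRAVERSAL`, and a constructed sample DIT in `ENTRIES`. The rules it implements come from slapd.access(5): the first `to` clause whose target matches is the only one consulted, its first matching `by` decides, a non-empty list ends in an implicit `to * by * none`, a search needs `search` on the base entry's `entry` pseudo-attribute (otherwise noSuchObject, or insufficientAccess if `disclose` is held), and an entry is returned only with `read` on its `entry`. Regex/set selectors, `break`/`continue` controls, ssf and filter evaluation are left out. Run against the posted ACL, the model reproduces the `No such object (32)` seen above: the final `to *` clause gives the service DN `none` on `dc=ltn,dc=lvc,dc=com`, so a search based there cannot start.

```python
"""Model of slapd's olcAccess evaluation (slapd.access(5): the first matching
<to> clause is the only one consulted, its first matching <by> decides) run
against the olcAccess set from the post above, plus the search rules that
produce its noSuchObject result.  Only the directive forms in the post exist."""
import shlex
from collections import namedtuple

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
Clause = namedtuple("Clause", "style dn attrs by")  # attrs None = every attribute, 'entry' included

def norm_dn(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))  # case/spacing only

def in_subtree(dn, base):
    dn, base = norm_dn(dn), norm_dn(base)
    return base == "" or dn == base or dn.endswith("," + base)

def parse_olcaccess(ldif_text):
    """One 'olcAccess: to <what> by <who> <access> ...' value per line."""
    clauses = []
    for line in ldif_text.splitlines():
        if not line.startswith("olcAccess: to "):
            continue
        toks = shlex.split(line[len("olcAccess: to "):])  # shlex strips the DN quotes
        style, dn, attrs, i = "*", "", None, 0
        while toks[i] != "by":  # <what> selectors
            t = toks[i]
            if t.startswith("dn.base="):
                style, dn = "base", t[8:]
            elif t.startswith("dn.subtree="):
                style, dn = "subtree", t[11:]
            elif t.startswith("attrs="):
                attrs = {a.strip().lower() for a in t[6:].split(",")}
            elif t != "*":
                raise ValueError("unsupported <what>: " + t)
            i += 1
        by = [(toks[j + 1], toks[j + 2]) for j in range(i, len(toks), 3)]  # by <who> <access>
        clauses.append(Clause(style, dn, attrs, by))
    return clauses

def who_matches(who, req, entry_dn):  # req None models a client that has not bound
    if who.startswith("dn.exact="):
        return req is not None and norm_dn(req) == norm_dn(who[9:])
    return {"*": True, "anonymous": req is None, "users": req is not None,
            "self": req is not None and norm_dn(req) == norm_dn(entry_dn)}[who]

def access_level(clauses, req, entry_dn, attr="entry"):
    for c in clauses:
        if ((c.style == "base" and norm_dn(entry_dn) != norm_dn(c.dn))
                or (c.style == "subtree" and not in_subtree(entry_dn, c.dn))
                or (c.attrs is not None and attr.lower() not in c.attrs)):
            continue
        for who, level in c.by:  # first matching <by> wins
            if who_matches(who, req, entry_dn):
                return level
        return "none"  # no <by> matched: implicit 'by * none'
    return "none" if clauses else "read"  # a non-empty list ends in implicit 'to * by * none'

def search(clauses, req, base_dn, entries):
    """Subtree search as (result, DNs returned): 'search' on the base entry's
    'entry' pseudo-attribute is required, else noSuchObject (insufficientAccess
    if 'disclose' is held); an entry is returned only with 'read' on its 'entry'."""
    base = LEVELS.index(access_level(clauses, req, base_dn))
    if base < LEVELS.index("search"):
        return ("insufficientAccess (50)" if base >= LEVELS.index("disclose") else "noSuchObject (32)"), []
    return "success (0)", [dn for dn in entries if in_subtree(dn, base_dn)
                           and LEVELS.index(access_level(clauses, req, dn)) >= LEVELS.index("read")]

SUFFIX = "dc=ltn,dc=lvc,dc=com"
SERVICE = f"cn=montage_test,ou=services,ou=accounts,{SUFFIX}"
ACCOUNTS = f"ou=montage_test,ou=other,ou=users,ou=accounts,{SUFFIX}"
GROUPS = f"ou=montage_test,ou=other,ou=users,ou=groups,{SUFFIX}"
POSTED_ACL = f"""\
olcAccess: to dn.base="" by * read
olcAccess: to attrs=userPassword by self write by anonymous auth by * none
olcAccess: to dn.subtree="{ACCOUNTS}" by dn.exact="{SERVICE}" read by self write by users read by * none
olcAccess: to dn.subtree="{GROUPS}" by dn.exact="{SERVICE}" read by self write by users read by * none
olcAccess: to * by self write by dn.exact="{SERVICE}" none by users read by * none
"""
# Assumed extra clause (not in the post): lets the service DN traverse the suffix entry
# without reading it.  Inserted ahead of 'to *', otherwise 'to *' would shadow it.
BASE_TRAVERSAL = f'olcAccess: to dn.base="{SUFFIX}" attrs=entry by dn.exact="{SERVICE}" search by users read by * none\n'
AMENDED_ACL = POSTED_ACL.replace("olcAccess: to *", BASE_TRAVERSAL + "olcAccess: to *")
ENTRIES = [SUFFIX, f"ou=accounts,{SUFFIX}", f"ou=services,ou=accounts,{SUFFIX}", SERVICE,  # constructed DIT
           f"ou=groups,{SUFFIX}", f"cn=admins,ou=groups,{SUFFIX}",                         # outside both subtrees
           GROUPS, f"cn=devs,{GROUPS}", ACCOUNTS, f"uid=alice,{ACCOUNTS}"]                  # the permitted subtrees

def demo():
    posted, amended = parse_olcaccess(POSTED_ACL), parse_olcaccess(AMENDED_ACL)
    return {
        "posted ACL, -b suffix (the ldapsearch above)": search(posted, SERVICE, SUFFIX, ENTRIES),
        "posted ACL, -b groups subtree": search(posted, SERVICE, GROUPS, ENTRIES),
        "amended ACL, -b suffix": search(amended, SERVICE, SUFFIX, ENTRIES),
        "amended ACL, anonymous auth on userPassword (bind)": access_level(amended, None, SERVICE, "userPassword"),
    }

if __name__ == "__main__":
    print(*demo().items(), sep="\n")
```

Two things the model makes visible that are worth checking on a real server before trusting the ACL: with the posted clauses, the same bind succeeds (anonymous `auth` on userPassword) and a search based directly at one of the two permitted subtrees returns entries, so the failure is specific to the search base, not to the account; and the `by self write` line inside `to *` comes before the `none` for the service DN, so that DN keeps write on its own entry, while `by users read` in the two subtree clauses extends read to every authenticated user, which may be wider than the stated intent of granting read to this one DN only.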