
acl confusion in proxy server config



I have a proxy server ('ldap' backend) sitting in front of a master
directory.

The DNs on my master directory are UUIDs + ou + domain, e.g. myid=1234...89,dc=yada,dc=com.

Each object has a (unique) username attribute.

Logging in on the proxy server involves mapping the username to the DN

rwm-rewriteMap ldap uid2DN "ldaps://server.somewhere.com/ou=something,dc=xyz,dc=com?dn?sub" binddn="uid=..." credentials="xxx"

rwm-rewriteContext  bindDN
rwm-rewriteRule     "^uid=([a-z0-9_]{3,24}),ou=zzz"
                    "${uid2DN(myusername=$1)}"
                    ":@I"

I would like anyone logging in as themselves to be able to read their
own attributes.  I'm having trouble doing this.  'Self' doesn't seem to
work because of the mapping going on, e.g.

access to dn.sub="ou=zzz"
       by self read
       by anonymous auth
       by * none

Aug 11 11:22:09 mid slapd[5848]: => acl_mask: access to entry "myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=zzz", attr "entry" requested
Aug 11 11:22:09 mid slapd[5848]: => acl_mask: to all values by "myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=something,dc=xyz,dc=com", (read(=rscxd))
Aug 11 11:22:09 mid slapd[5848]: <= check a_dn_pat: self
Aug 11 11:22:09 mid slapd[5848]: <= check a_dn_pat: anonymous
Aug 11 11:22:09 mid slapd[5848]: <= check a_dn_pat: *
Aug 11 11:22:09 mid slapd[5848]: <= acl_mask: [3] applying none(=0) (stop)
Aug 11 11:22:09 mid slapd[5848]: <= acl_mask: [3] mask: none(=0)
Aug 11 11:22:09 mid slapd[5848]: => slap_access_allowed: read access denied by none(=0

I think 'self' doesn't match because
myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=zzz does not equal
myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=something,dc=xyz,dc=com
(is my thinking correct on this?)

How do I allow a user to read their own attributes in this situation?

-Ron-
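An added illustration, not from the post and not slapd's own code: a small Python model of the bindDN rewrite and of the equality test that `by self` performs. The uid2DN map, the username and the two suffixes are constructed assumptions; the model reproduces the denial shown in the log and shows the comparison succeeding once both DNs are expressed in the same naming context.

```python
import re

# Constructed stand-in for the "uid2DN" LDAP map: username -> DN on the master.
UID2DN = {
    "ron": "myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=something,dc=xyz,dc=com",
}
BIND_RULE = re.compile(r"^uid=([a-z0-9_]{3,24}),ou=zzz")
REMOTE_SUFFIX = "ou=something,dc=xyz,dc=com"   # master naming context (assumed)
LOCAL_SUFFIX = "ou=zzz"                        # virtual context on the proxy (assumed)


def rewrite_bind_dn(dn):
    """Model of the bindDN rwm-rewriteRule: capture the uid, look it up in the
    map and replace the whole DN with the map result; a miss leaves the DN
    untouched (assumed reading of the ':@I' ignore-errors flag)."""
    m = BIND_RULE.match(dn)
    if not m:
        return dn
    return UID2DN.get(m.group(1), dn)


def normalize_dn(dn):
    """Simplified DN comparison form: RDNs are case- and space-insensitive."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def self_matches(authz_dn, entry_dn):
    """'by self' is an equality test between the bound identity and the entry
    DN, so it can only hold when both live in the same naming context."""
    return normalize_dn(authz_dn) == normalize_dn(entry_dn)


def rebase(dn, src=REMOTE_SUFFIX, dst=LOCAL_SUFFIX):
    """Swap the naming-context suffix (the kind of mapping a suffix massage or
    a result-DN rewrite performs) so the two sides become comparable."""
    n, s = normalize_dn(dn), normalize_dn(src)
    return n[: -len(s)] + normalize_dn(dst) if n.endswith(s) else n


def diagnose(bind_dn, entry_dn):
    """Reproduce the acl_mask decision from the log, then show what changes
    once the authorization DN is brought back into the proxy's namespace."""
    authz_dn = rewrite_bind_dn(bind_dn)
    return {
        "authz_dn": authz_dn,
        "self_as_logged": self_matches(authz_dn, entry_dn),
        "self_after_rebase": self_matches(rebase(authz_dn), entry_dn),
    }
```

Calling `diagnose("uid=ron,ou=zzz", "myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=zzz")` gives `self_as_logged` False and `self_after_rebase` True, which is the mismatch the acl_mask lines above record.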