We have a master and slave replication setup, where we have two users admin (default), authuser and repluser for replication, which has full admin privilege.
I am trying to create a new user "replmonitor" to which I want to give access only to the attribute contextCSN.
Replmonitor user
++++
# replmonitor, ldapprod.com
dn: uid=replmonitor,dc=ldapprod,dc=com
objectClass: simpleSecurityObject
objectClass: account
uid: replmonitor
description: LDAP replication monitor
userPassword:: ######################
++++
This is the complete olcaccess for the users in olcDatabase={3}mdb.
++
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=ldapprod,dc=com" write by dn="uid=authuser,dc=ldapprod,dc=com" write by dn="uid=repluser,dc=ldapprod,dc=com" read by * none
olcAccess: {1}to dn.subtree="dc=ldappro,dc=com" by dn="cn=admin,dc=ldapprod,dc=com" write by dn="uid=authuser,dc=ldapprod,dc=com" write by dn="uid=repluser,dc=ldapprod,dc=com" read by * none
olcAccess: {2}to dn.subtree="dc=ldapprod,dc=com" attrs=contextCSN by dn="uid=replmonitor,dc=ldapprod,dc=com" read by * none    =======> newly added
olcLimits: {0}dn.exact="uid=repluser,dc=ldapprod,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcLimits: {1}dn.exact="uid=authuser,dc=ldapprod,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcSecurity: tls=1
++
++++++++++++++++++
[root@devldap cn=config]# ldapsearch -x -H ldaps://10.0.0.1 -D "uid=replmonitor,dc=ldapprod,dc=com" -W -b "ldapprod,dc=com" contextCSN
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=ldapprod,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
Please help me: what am I missing here, that I am not able to query the contextCSN?
I have been stuck on this for a complete day.
--On Thursday, February 13, 2020 5:50 PM +0530 keerthi krishnan
<keerthikrishnan1369@gmail.com> wrote:
> access to dn.base="dc=domain,dc=com" attrs=entry,children,contextcsn by
> dn.exact="uid=replmonitor,dc=domain,dc=com" read by * none
Access statements without the context of the full configuration provide no
real information that can be acted upon the majority of the time. I would
also note that "by * none" at the end of an ACL is implicit, as discussed
in the slapd.access(5) man page, so there is no reason to explicitly list
it.
If you want help with your ACLs, you need to provide your configuration
(minus passwords).
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
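To make the two points in this thread concrete (the ordering of the posted olcAccess rules, and Quanah's remark that the trailing "by * none" is implicit), here is a small model of how slapd selects an ACL. It is an added example, not code from the thread or from OpenLDAP. It encodes the poster's three rules and a reordered variant, and assumes: the suffix is spelled dc=ldapprod,dc=com throughout; a bare dn="..." in a by clause is treated as an exact match; and an omitted attrs list covers every attribute including the entry and children pseudo-attributes, as slapd.access(5) describes. The reordered rule and its principal list are hypothetical.

```python
"""Toy model of slapd ACL selection: the first 'to' clause that matches the
target entry and attribute is chosen, and within it the first matching 'by'
clause fixes the access level. Added example; not the thread's or OpenLDAP's
own code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Access levels in increasing order, as in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Assumption: suffix spelled consistently (the post has both "ldappro" and "ldapprod").
SUFFIX = "dc=ldapprod,dc=com"
ADMIN = "cn=admin," + SUFFIX
AUTHUSER = "uid=authuser," + SUFFIX
REPLUSER = "uid=repluser," + SUFFIX
REPLMONITOR = "uid=replmonitor," + SUFFIX


@dataclass
class By:
    who: str      # "*", "anonymous", "self", or an exact DN (dn="..." modelled as exact)
    level: str


@dataclass
class Access:
    scope: Optional[Tuple[str, str]]   # None, ("base", dn) or ("subtree", dn)
    attrs: Optional[frozenset]         # None = all attributes incl. entry/children
    by: List[By]


def in_scope(scope, target_dn):
    if scope is None:
        return True
    style, base = scope
    target, base = target_dn.lower(), base.lower()
    if style == "base":
        return target == base
    return target == base or target.endswith("," + base)


def who_matches(clause, requester_dn, target_dn):
    if clause.who == "*":
        return True
    if clause.who == "anonymous":
        return requester_dn is None
    if clause.who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    return requester_dn is not None and requester_dn.lower() == clause.who.lower()


def evaluate(acl, requester_dn, target_dn, attr):
    """Access level slapd would grant, following first-match semantics."""
    for rule in acl:
        if in_scope(rule.scope, target_dn) and (rule.attrs is None or attr.lower() in rule.attrs):
            for clause in rule.by:
                if who_matches(clause, requester_dn, target_dn):
                    return clause.level
            return "none"   # implicit trailing 'by * none': later rules are never consulted
    return "read"           # slapd default when no 'to' clause matches at all


def can_read(acl, requester_dn, target_dn, attr):
    """A search returns an attribute only if the bound DN can read both the
    'entry' pseudo-attribute and the attribute itself."""
    need = LEVELS.index("read")
    return all(LEVELS.index(evaluate(acl, requester_dn, target_dn, a)) >= need
               for a in ("entry", attr))


# The poster's rules, in the posted order.
RULE0 = Access(None, frozenset({"userpassword", "shadowlastchange"}),
               [By("self", "write"), By("anonymous", "auth"), By(ADMIN, "write"),
                By(AUTHUSER, "write"), By(REPLUSER, "read")])
RULE1 = Access(("subtree", SUFFIX), None,
               [By(ADMIN, "write"), By(AUTHUSER, "write"), By(REPLUSER, "read")])
RULE2 = Access(("subtree", SUFFIX), frozenset({"contextcsn"}), [By(REPLMONITOR, "read")])
POSTED_ORDER = [RULE0, RULE1, RULE2]

# Hypothetical reordering: a narrow rule for the suffix entry placed before the
# catch-all. Because it shadows RULE1 for these attributes, the principals RULE1
# used to grant must be re-listed here, or they lose access to the suffix entry.
MONITOR_RULE = Access(("base", SUFFIX), frozenset({"entry", "children", "contextcsn"}),
                      [By(ADMIN, "write"), By(AUTHUSER, "write"),
                       By(REPLUSER, "read"), By(REPLMONITOR, "read")])
FIXED_ORDER = [RULE0, MONITOR_RULE, RULE1]

if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ORDER), ("reordered", FIXED_ORDER)):
        print(f"{name:9} replmonitor reads contextCSN on suffix: "
              f"{can_read(acl, REPLMONITOR, SUFFIX, 'contextCSN')}")
```

In the posted order, RULE1 matches every attribute of every entry under the suffix, replmonitor matches none of its by clauses, and the implicit "by * none" ends evaluation before {2} is ever reached; writing "by * none" explicitly changes nothing, which is Quanah's point. Note also that a bound DN with no disclose access to the search base gets result 32 (No such object) from slapd rather than a hint that the entry exists, so that error alone does not tell you whether the base is wrong or the ACL is denying access; check the ACL with a DN known to have read access first.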