Hi all,
sorry for this second post.
I have a "supervision" account on all my LDAP servers. With the Nagios plugin, it checks the synchro. I would like this account to read only contextCSN at the top (dc=fr).
And only contextCSN, not the other entries.
Quanah helped me (and thanks again) but it doesn't seem to work. It's my bad, I don't see something...

In the log it seems that "supervision" can't access dc=fr and it starts browsing from dc=gouv,dc=fr.
Without rule #3, it's OK because of rule #5.
But with rule #3 it's supposed to match contextCSN?!

Thanks guys.

PS: "supervision" is in "Comptes Admin"

Here are my ACLs:

# 1) Admin's branch
access to dn.subtree="ou=Comptes Admin,dc=fr"
    by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read  
    by self auth
    by users auth
    by anonymous auth

# 2) userPassword accessible by all
access to * attrs=userPassword
    by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
    by users auth
    by anonymous auth
    by * none

# 3) ********* CONTEXTCSN *********
access to dn.base="dc=fr" attrs=entry,children,contextcsn
    by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
    by dn.exact="cn=supervision,ou=Comptes Clients,dc=fr" read
    by * none


# 4) Certificate
access to * attrs=userCertificateAuthentication,userCertificateConfidentiality,userCertificateSigning
    by dn.exact="cn=clienttest,ou=Comptes Clients,dc=fr" read
    by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
    by * none


# 5) Branch  dc=gouv,dc=fr
access to dn.subtree="dc=gouv,dc=fr"
    by dn.subtree="ou=Comptes Clients,dc=fr" read
    by dn.subtree="ou=Comptes Admin,dc=fr" write
    by * none


# 6) All the tree
access to *
    by dn.exact="cn=root,dc=fr" write
    by dn.subtree="ou=Comptes Admin,dc=fr" read
    by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
    by self none
    by users none
    by anonymous none
    by * none
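
An added example, not part of the original post or of OpenLDAP: a simplified Python model of slapd's first-match ACL evaluation, run over rules 3, 5 and 6 as posted, reporting which rule and which `by` clause decide a request. The two `cn=supervision` bind DNs are constructed from the post (the PS places the account in `Comptes Admin`, rule 3 names it under `Comptes Clients`), and only the `none`/`read`/`write` levels used in those rules are modeled.

```python
# Simplified model of slapd's ACL evaluation order (added example, not slapd code).
# The first "access to" clause whose target matches is selected; inside it the
# first matching "by" clause decides and evaluation stops there.
ADMIN, CLIENTS = "ou=comptes admin,dc=fr", "ou=comptes clients,dc=fr"
SYNCHRO = ("exact", "cn=synchro," + ADMIN)

# (rule number, scope, target DN, attrs or None for all, ordered "by" clauses)
# Rules 3, 5 and 6 transcribed from the post, DNs lower-cased. Rules 1, 2 and 4
# are left out: they cannot match the entries and attributes queried here.
# Rule 6's self/users/anonymous clauses all grant none, so "by * none" covers them.
RULES = [
    (3, "base", "dc=fr", {"entry", "children", "contextcsn"},
     [(SYNCHRO, "read"), (("exact", "cn=supervision," + CLIENTS), "read"),
      (("*", ""), "none")]),
    (5, "subtree", "dc=gouv,dc=fr", None,
     [(("subtree", CLIENTS), "read"), (("subtree", ADMIN), "write"),
      (("*", ""), "none")]),
    (6, "subtree", "", None,  # "access to *"
     [(("exact", "cn=root,dc=fr"), "write"), (("subtree", ADMIN), "read"),
      (SYNCHRO, "read"), (("*", ""), "none")]),
]

def in_scope(scope, base, dn):
    """dn.base matches one entry; dn.subtree matches it and everything below."""
    if scope == "base":
        return dn == base
    return base == "" or dn == base or dn.endswith("," + base)

def who_matches(who, bind_dn):
    kind, dn = who
    return kind == "*" or in_scope("base" if kind == "exact" else "subtree", dn, bind_dn)

def decide(bind_dn, entry_dn, attr):
    """Return (rule number, position of the deciding by-clause, access level)."""
    bind_dn, entry_dn, attr = bind_dn.lower(), entry_dn.lower(), attr.lower()
    for number, scope, base, attrs, by_clauses in RULES:
        if not in_scope(scope, base, entry_dn) or (attrs and attr not in attrs):
            continue
        for index, (who, level) in enumerate(by_clauses, start=1):
            if who_matches(who, bind_dn):
                return number, index, level
        return number, None, "none"  # no "by" matched: implicit "by * none"
    return None, None, "none"  # no rule matched: access denied

if __name__ == "__main__":
    # Constructed bind DNs: the PS says Comptes Admin, rule 3 says Comptes Clients.
    for ou in (ADMIN, CLIENTS):
        print(ou, decide("cn=supervision," + ou, "dc=fr", "contextCSN"))
```

On a real server, `slapacl` answers the same question against the live configuration.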