olcAccess: {0} to dn.exact="" by * read
olcAccess: {1} to dn.exact="cn=Subschema" by * read
The above 2 acls generally go on the frontend DB.
hmmm, I have everything on {-1}frontend
olcAccess: {2} to attrs=userPassword,shadowLastChange by ssf=256 self read by ssf=256 anonymous auth by * none break
...
olcAccess: {7} to dn.subtree="xxxxxx" filter=(objectClass=posixAccount) attrs= by ssf=64 dn.exact="yyyy" read by * break
olcAccess: {8} to dn.subtree="xxxxxx" by ssf=256 dn.exact="yyyy" search by ssf=256 self read by anonymous
The rest of these acls generally go on the MDB database. Have you configured your backend ACLs incorrectly?
What exactly is the issue you're trying to report? Your subject doesn't really give a solid indication of what the problem is you're having.
yyyy is getting the userPassword hash, which I do not want it to have. Of course I can list 50 attributes which it can have. But it would be nicer if I could just exclude an attribute.