I never figured out how to get any of the val.<type>=<value> restrictions to meet my needs, so I resorted to using sets to accomplish what I wanted. In case anyone else is every trying to do something similar, here is what I ended up with for an ACL statement:
access to dn.regex="uid=.*,ou=people,dc=cs,dc=brown,dc=edu" attrs=loginShell by ssf=128 set="(this & user)/loginShell & ([/bin/csh] | [/bin/sh] | ...) write
By doing this, I ensure the user is editing their own entry and that the current value of the loginShell variable is amongst the list of shells I permit people to change away from. I also have an explicit constraint on loginShell:
constraint_attribute loginShell regex ^(/bin/csh|/bin/sh|...)
earlier in the configuration, which limits what users can set their shell to.
Hope this saves some people from the week or so of ACL fun I've been enjoying ;)
Thanks to everyone who posted suggestions!
Mark