So, in the end, it was literally the "ou" attribute that I needed to grant read access to.

Just in case anyone else needs to do something similar in the future …

Regards

Philip

On Tue, 23 Oct 2018 at 23:05, Quanah Gibson-Mount quanah@symas.com wrote:

Hi Philip,

--On Tuesday, October 23, 2018 2:21 PM +0100 Philip Colmer philip.colmer@linaro.org wrote:

...

Yes, I can run slapd in debug mode but this is a production system so that means scheduling a maintenance window in several weeks' time. I was rather hoping to have a solution in place sooner than that thanks to the kind support of this list but, if I don't have it, I'll figure it out for myself.

I don't know the answer off the top of my head, but I would imagine you could set up a test/dev server fairly quickly to figure this out? Should be pretty straight forward. If you have the cn=config database enabled, you could change the loglevel to ACL on the fly (just to note).

Warm regards, Quanah

--

Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com