aci: (targetattr != “nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry || asswordExpirationTime || passwordExpWarned || passwordRetryCount || retryCountResetTime || accountUnlockTime || passwordHistory || passwordAllowChangeTime || id || memberOf || objectclass || inetuserstatus || ou || owner || mail || mailuserstatus || memberOfManagedGroup ||mailQuota || mailMsgQuota || mailhost || mailAllowedServiceAccess || inetCOS || mailSMTPSubmitChannel”) (version 3.0; acl “Allow self entry modification”; allow (write) userdn =”ldap:///self”;) aci: (targetattr != “ aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit|| nsIdleTimeout”) (version 3.0; acl “Allow self entry read search”; allow(read,search) userdn =”ldap:///self”;)
Analysis: Missing all the iplanet-am-* attributes. Since deny is the default if an ACI is not present, all deny ACIs are removed. The ones that allow write are consolidated into a single ACI.