You may be interested in the patch in ITS#3080 if you want your overlay to have global effect.
Hmm, global effect could be interesting,
The patch has been recently committed to HEAD; you may want to start working with HEAD code and experiment with global overlays (should work exactly as database overlays except in selected cases for selected data in the op->o_request structure for write operations.
Could you be more specific as to the exceptions ?
but a way of handling things that are connected with the base object ""(like anonymous bind, root DSE) would be more interesting.
Well, you can (actually I think you MUST) discriminate about the target
inside your calls anyway.
That's a given, would be a poor access control system otherwise.
-- Roland