Another approach may be to view the dyngroup overlay as a proxy, and just
configure an identity for it to use. So you can explicitly give it access
to whatever attributes it needs to see.
This would certainly work for me, and is I think, what I was trying to ask for originally, except I said the rootdn, when I should have said a proxy ID. ;) Then I could just add
access to suprivilegroup by dyngroupID compare
and be happy.
This already you have now in HEAD. I fear you'd rather need to add
access to suprivilegroup by dyngroupID __READ__
and be (un)happy...
p.