
How to debug self write not working?



When trying to change my password with "passwd", I don't match my ACL for 
write self.

It *looks* like the passwd/pam_ldap is binding as me to try to do the
update, here is a "grep bind" on debug out from slapd -d 129 during a
passwd change attempt.  I'm using 2.0.22 on the server.


do_bind
do_bind: version=3 dn="" method=128
do_bind: v3 anonymous bind
do_bind
do_bind: version=3 dn="" method=128
do_bind: v3 anonymous bind
do_bind
do_bind: version=3 dn="uid=dkelson,ou=People,dc=example,dc=com" method=128
do_bind: v3 bind: "uid=dkelson,ou=People,dc=example,dc=com" to "uid=dkelson,ou=People,dc=example,dc=com"
do_bind
do_bind: version=3 dn="" method=128
do_bind: v3 anonymous bind
do_bind
do_bind: version=3 dn="uid=dkelson,ou=People,dc=example,dc=com" method=128
do_bind: v3 bind: "uid=dkelson,ou=People,dc=example,dc=com" to "uid=dkelson,ou=People,dc=example,dc=com"
do_unbind


Here is the ACL debug output where it fails:

=> access_allowed: write access to "uid=dkelson,ou=People,dc=example,dc=com" "userPassword" requested
=> dnpat: [1]  nsub: 0
=> acl_get: [1] matched
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=dkelson,ou=People,dc=example,dc=com attr: userPassword
=> acl_mask: access to entry "uid=dkelson,ou=People,dc=example,dc=com", attr "userPassword" requested
=> acl_mask: to all values by "UID=DKELSON,OU=PEOPLE,DC=EXAMPLE,DC=COM", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read (=rscx) (stop)
<= acl_mask: [1] mask: read (=rscx)
=> access_allowed: write access denied by read (=rscx)

My ACLs look like:

access to dn="" by * read

access to *
        by self write
        by users read
        by anonymous auth

Any and all help greatly appreciated,
Dax
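
Added example, not part of the original post: a small Python parser for the access_allowed / acl_get / acl_mask trace lines quoted above, reporting which numbered ACL and which by-clause pattern produced the decision. The regular expressions are an assumption based only on the lines in this post; other slapd versions may format the trace differently.

```python
import re

# Trace copied from the post's "slapd -d 129" output (wrapped line rejoined).
TRACE = '''\
=> access_allowed: write access to "uid=dkelson,ou=People,dc=example,dc=com" "userPassword" requested
=> dnpat: [1]  nsub: 0
=> acl_get: [1] matched
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=dkelson,ou=People,dc=example,dc=com attr: userPassword
=> acl_mask: access to entry "uid=dkelson,ou=People,dc=example,dc=com", attr "userPassword" requested
=> acl_mask: to all values by "UID=DKELSON,OU=PEOPLE,DC=EXAMPLE,DC=COM", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read (=rscx) (stop)
<= acl_mask: [1] mask: read (=rscx)
=> access_allowed: write access denied by read (=rscx)
'''

# Patterns written against the lines above only (an assumption about the format).
REQUEST = re.compile(r'access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
RULE = re.compile(r'acl_get: \[(\d+)\] matched')
WHO = re.compile(r'check a_dn_pat: (.+)')
APPLIED = re.compile(r'acl_mask: \[(\d+)\] applying (\w+) \((=\w*)\) \((\w+)\)')
RESULT = re.compile(r'access_allowed: \w+ access (granted|denied) by')

def decisions(trace):
    """Return one dict per access_allowed evaluation found in the trace."""
    found, cur = [], None
    for line in trace.splitlines():
        if m := REQUEST.search(line):
            cur = {"access": m[1], "dn": m[2], "attr": m[3]}
            found.append(cur)
        elif cur is None:
            continue  # ignore lines before the first request
        elif m := RULE.search(line):
            cur["rule"] = int(m[1])  # index of the ACL whose target matched
        elif m := WHO.search(line):
            cur["who"] = m[1].strip()  # last by-clause pattern checked
        elif m := APPLIED.search(line):
            cur["level"], cur["mask"], cur["control"] = m[2], m[3], m[4]
        elif m := RESULT.search(line):
            cur["result"] = m[1]
    return found

if __name__ == "__main__":
    for d in decisions(TRACE):
        print(f'{d["access"]} on {d["attr"]} {d["result"]}: ACL [{d["rule"]}], '
              f'by "{d["who"]}" applied {d["level"]} ({d["mask"]}), {d["control"]}')
```

For the trace in this post the summary names ACL [1] and the who pattern `*`, and `*` appears only in the first `access to` statement quoted above.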