OK, so for an ACL of:

    access to dn="" by * read
    access to dn="cn=Subschema" by * read
    access to * by * write

... the missing entities still don't show.