disable logins with ACLs

Hello,

I am trying to disable user logins for expired trial users.
After searching online, I finally found a useful thread from this very
list, archived at http://www.openldap.org/lists/openldap-technical/201111/msg00165.html

I accidentally tried to mess with userPassword hash, but it did not work for me.

Since in that thread Michael showed/shared a better way to achieve the
same goal of disabling users with ACLs, I am trying to copy his
method.

I attempted to follow Michael's example. It has not worked yet. Below
is my script:

# Folded lines start with two spaces: LDIF strips exactly one leading
# space when joining, so a single space would run "shadowLastChange"
# straight into "filter=" and the ACL parser would reject the value.
dn: olcDatabase={3}hdb,cn=config
changetype: modify
replace: olcAccess
# Suspended accounts: nobody (not even the user) may read or
# authenticate against userPassword, so their binds fail.
olcAccess: {0}to attrs=userPassword,shadowLastChange
  filter=(&(objectClass=inetOrgPerson)(serviceLevel=suspended))
  by dn="cn=config" write by * none
# Active accounts: normal password handling, anonymous may bind.
olcAccess: {1}to attrs=userPassword,shadowLastChange
  filter=(&(objectClass=inetOrgPerson)(!(serviceLevel=suspended)))
  by self write by anonymous auth
  by dn="cn=admin,dc=directory,dc=apple,dc=com" write
  by dn="cn=config" write by * none
olcAccess: {2}to dn.base="" by * read
# Suspended accounts: hide the rest of the entry as well.
olcAccess: {3}to *
  filter=(&(objectClass=inetOrgPerson)(serviceLevel=suspended))
  by dn="cn=config" write
  by * none
olcAccess: {4}to *
  filter=(&(objectClass=inetOrgPerson)(!(serviceLevel=suspended)))
  by self write
  by dn="cn=admin,dc=directory,dc=apple,dc=com" write
  by dn="cn=config" write
  by * read

Currently, ldapmodify(1) is failing with an implementation-specific
error, likely due to messed-up syntax or something. The additional
info: <olcAccess> handler exited with 1

Michael's example is not written for OLC, so I managed to do something
wrong. Any ideas?

Thank you,

Igor Shmukler
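The usual cause of a "<olcAccess> handler exited with 1" on a folded ACL is LDIF line folding itself: RFC 2849 strips exactly one leading space from a continuation line and inserts no separator, so a rule folded with a single space arrives at slapd as one run-together string. The script below is an added example (not part of the post, and not OpenLDAP code): it unfolds an LDIF record the way ldapmodify does and flags ACL keywords that ended up glued to the previous token. The two LDIF strings are constructed from the first rule in the post, once folded with one space and once with two; the keyword regex is a heuristic covering the keywords used in these rules, not the full slapd.access(5) grammar.

```python
import re

# Constructed sample: the first ACL from the post, folded with a single
# leading space (as posted) and with two leading spaces.
SINGLE_SPACE_LDIF = """\
dn: olcDatabase={3}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
 filter=(&(objectClass=inetOrgPerson)(serviceLevel=suspended))
 by dn="cn=config" write by * none
"""

DOUBLE_SPACE_LDIF = """\
dn: olcDatabase={3}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  filter=(&(objectClass=inetOrgPerson)(serviceLevel=suspended))
  by dn="cn=config" write by * none
"""


def unfold_ldif(text):
    """Return (attribute, value) pairs for one LDIF record.

    Folding follows RFC 2849: a line that begins with a single space
    continues the previous line, and exactly that one space is removed.
    No separator is inserted, which is why a value that needs a space
    between tokens must be folded with two leading spaces.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue  # comment line
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # continuation: drop one space, append the rest
        elif raw.strip():
            logical.append(raw)
    pairs = []
    for line in logical:
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an attribute line: %r" % line)
        # Only the plain "attr: value" form is handled (no "::" base64, no ":<" URL).
        pairs.append((attr, value.lstrip(" ")))
    return pairs


# Heuristic (assumption, not slapd's grammar): an ACL keyword that is not
# preceded by whitespace was glued to the token before it.
GLUED = re.compile(r"(?<!\s)(?:\bby\s|filter=|attrs=|dn(?:\.\w+)?=)")


def acl_problems(acl):
    """List the glued keywords found in one unfolded olcAccess value."""
    return ["missing whitespace before %r at offset %d" % (m.group(0).strip(), m.start())
            for m in GLUED.finditer(acl)]


def check_olcaccess(text):
    """Unfold the LDIF and map every olcAccess value to its list of problems."""
    return {value: acl_problems(value)
            for attr, value in unfold_ldif(text) if attr == "olcAccess"}


if __name__ == "__main__":
    for label, ldif in (("single space", SINGLE_SPACE_LDIF),
                        ("double space", DOUBLE_SPACE_LDIF)):
        for value, problems in check_olcaccess(ldif).items():
            print(label, "->", value)
            for problem in problems:
                print("   ", problem)
```

Run against the single-space sample it reports two glued keywords ("filter=" after shadowLastChange and "by" after the closing parenthesis of the filter); the double-space sample unfolds to the rule as slapd is meant to read it and reports nothing. Running a candidate LDIF through this before ldapmodify separates folding mistakes from genuine ACL syntax errors.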