LDAP ACI Debugging
Posted by user13332755 on Oracle Blogs
Published on Fri, 24 Jun 2011 00:04:25 -0700
If you have ever wondered which ACI the LDAP server applies to a particular ADD/DELETE/MODIFY/SEARCH request, you need to enable ACI debugging to get the details.
Edit dse.ldif and set:
nsslapd-infolog-area: 128
nsslapd-infolog-level: 1
The ACI logging is written to the 'errors' file and looks like this:
[22/Jun/2011:15:25:08 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Num of ALLOW Handles:15, DENY handles:0
[22/Jun/2011:15:25:08 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Processed attr:nswmExtendedUserPrefs for entry:uid=mparis,ou=people,o=vmdomain.tld,o=isp
[22/Jun/2011:15:25:08 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Evaluating ALLOW aci index:33
[22/Jun/2011:15:25:08 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - ALLOW:Found READ ALLOW in cache
[22/Jun/2011:15:25:08 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - acl_summary(main): access_allowed(read) on entry/attr(uid=mparis,ou=people,o=vmdomain.tld,o=isp, nswmExtendedUserPrefs) to (uid=msg-admin-redzone.vmdomain.tld-20100927093314,ou=people,o=vmdomain.tld,o=isp) (not proxied) (reason: result cached allow , deciding_aci "DA anonymous access rights", index 33)
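An added example (not part of the original post): a small Python parser for the acl_summary lines shown above. It extracts the deciding ACI, its index, the requested right, the target entry/attribute and the bind subject, and counts decisions per ACI. The regular expression is derived only from the one line format in the excerpt; the function names and the third sample line are constructed for illustration.

```python
import re
from collections import Counter

# Layout of the acl_summary line as it appears in the excerpt above (assumed stable).
ACL_SUMMARY = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - INFORMATION - NSACLPlugin - '
    r'conn=(?P<conn>-?\d+) op=(?P<op>-?\d+) msgId=(?P<msgid>-?\d+) - '
    r'acl_summary\((?P<ctx>\w+)\): access_(?P<result>\w+)\((?P<right>\w+)\) '
    r'on entry/attr\((?P<entry>.*), (?P<attr>[^,)]+)\) to \((?P<subject>.*?)\) '
    r'\((?P<proxy>[^)]*)\) \(reason: (?P<reason>.*?), '
    r'deciding_aci "(?P<aci>[^"]*)", index (?P<index>\d+)\)\s*$'
)

def parse_acl_summary(line):
    """Return the decision fields of one acl_summary line, or None for other lines."""
    m = ACL_SUMMARY.match(line.strip())
    if m is None:
        return None
    rec = {k: v.strip() for k, v in m.groupdict().items()}
    for key in ("conn", "op", "msgid", "index"):
        rec[key] = int(rec[key])
    return rec

def deciding_acis(lines):
    """Count decisions per (aci index, aci name, result, right)."""
    counts = Counter()
    for line in lines:
        rec = parse_acl_summary(line)
        if rec:
            counts[(rec["index"], rec["aci"], rec["result"], rec["right"])] += 1
    return counts

# Lines 1 and 2 are copied from the excerpt above; line 3 is constructed
# (same shape, different attribute) so the counter has more than one hit.
SAMPLE = [
    '[22/Jun/2011:15:25:08 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - ALLOW:Found READ ALLOW in cache',
    '[22/Jun/2011:15:25:08 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - acl_summary(main): access_allowed(read) on entry/attr(uid=mparis,ou=people,o=vmdomain.tld,o=isp, nswmExtendedUserPrefs) to (uid=msg-admin-redzone.vmdomain.tld-20100927093314,ou=people,o=vmdomain.tld,o=isp) (not proxied) (reason: result cached allow , deciding_aci "DA anonymous access rights", index 33)',
    '[22/Jun/2011:15:25:08 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - acl_summary(main): access_allowed(read) on entry/attr(uid=mparis,ou=people,o=vmdomain.tld,o=isp, mail) to (uid=msg-admin-redzone.vmdomain.tld-20100927093314,ou=people,o=vmdomain.tld,o=isp) (not proxied) (reason: result cached allow , deciding_aci "DA anonymous access rights", index 33)',
]

if __name__ == "__main__":
    for (index, aci, result, right), n in deciding_acis(SAMPLE).most_common():
        print(f'{n:4d}  index={index}  {result}({right})  "{aci}"')
```

To use it on a real log, pass the open 'errors' file object to deciding_acis() in place of SAMPLE.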