This actually came from Thomas, so I'll explain as best I can.
Basically, he was trying to set the permissions on the error log file using the nsslapd-errorlog-mode configuration attribute. The default setting is 600. He was setting it to 644 and then rotating the log, but it wasn't changing the permissions from 600. He figured that the log file must be getting its permissions settings from a umask somewhere, not from the nsslapd-errorlog-mode attribute, and he found it in the start script, "umask 077". As soon as he changed the permissions in the start script, the permissions on the logs changed.
So, to summarize, none of the nsslapd-*log-mode configuration attributes work because the file permissions are set manually in the start script.
Created attachment 362142
58b0496..60c49dd master -> master
Author: Rich Megginson <email@example.com>
Date: Tue Sep 22 15:47:17 2009 -0600
Start script hardcodes file permissions mask to 077 (600), so the nsslapd-*l
Resolves: bug 495522
Bug Description: Start script hardcodes file permissions mask to 077 (600),
Reviewed by: nkinder (Thanks!)
Fix Description: Use umask 002 for the directory server process
Platforms tested: Fedora 11 x86_64
Flag Day: no
Doc impact: no
verified - RHEL 4
# start the directory server in a subshell so that the instance specific
# init config environment will not apply to any other instance
umask 002 # reset umask to allow logs and other files modes to be explicitly set
[ -f /etc/sysconfig/dirsrv-$instance ] && . /etc/sysconfig/dirsrv-$instance
$exec -D $instbase/slapd-$instance -i $pidfile -w $startpidfile
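
The umask interaction reported in this bug, as an added example (not the directory server's code or the attached patch). It assumes the configured nsslapd-*log-mode value is passed as the mode argument when the log file is created; the function name effective_mode and the scratch path are hypothetical.

```c
/* Added example: the process umask caps the mode requested at file creation. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a scratch file asking for `requested` while `mask` is the umask.
 * Returns the permission bits actually applied, or -1 on error. */
int effective_mode(mode_t requested, mode_t mask)
{
    char path[64];
    struct stat st;
    int result = -1;

    /* Constructed scratch name; O_EXCL below refuses any pre-existing
     * file or symlink at this path. */
    snprintf(path, sizeof path, "/tmp/umask-demo-%ld", (long)getpid());

    mode_t saved = umask(mask);      /* stands in for "umask NNN" in the start script */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, requested);
    umask(saved);                    /* restore the caller's umask */

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0)
        result = (int)(st.st_mode & 07777);
    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    const mode_t masks[] = { 077, 002 };              /* before and after the fix */
    const mode_t modes[] = { 0600, 0644, 0664, 0666 };

    for (size_t m = 0; m < sizeof masks / sizeof masks[0]; m++)
        for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++)
            printf("umask %03o  requested %03o  ->  created %03o\n",
                   (unsigned)masks[m], (unsigned)modes[i],
                   (unsigned)effective_mode(modes[i], masks[m]));
    return 0;
}
```

Under umask 002 a requested mode of 666 is still created as 664, so the mask continues to strip write access for others.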