The aci on cn=monitor references an attribute named "connection" - the aci code warns because this attribute is not in the schema. The effect is that the aci code ignores the aci.
Upstream ticket: https://fedorahosted.org/389/ticket/42
It had been fixed in this commit: commit 0b7a84653e5819f52fc22f3783d9c2a1dc84e941 Date: Fri Oct 15 10:56:45 2010 -0700 Bug 244229 - targetattr not verified against schema when setting an aci https://bugzilla.redhat.com/show_bug.cgi?id=244229 3. An attributeTypes "connection" is added to 01core389.ldif which is referred in an aci of cn=monitor. Note: aci sets on cn=monitor: aci: (target ="ldap:///cn=monitor*")(targetattr != "aci || connection")(versio n 3.0; acl "monitor"; allow( read, search, compare ) userdn = "ldap:///anyone ";) Anonymous search does not return connection and aci: $ ldapsearch -LLLx -h localhost -p 389 -s base -b "cn=monitor" connection dn: cn=monitor $ ldapsearch -LLLx -h localhost -p 389 -s base -b "cn=monitor" aci dn: cn=monitor But the others: $ ldapsearch -LLLx -h localhost -p 10389 -s base -b "cn=monitor" version dn: cn=monitor version: 389-Directory/1.2.10.rc1.git0ac8d3a B2012.025.2145