Comment 3 for bug 563829

Also, should the edits made to the the olcDatabase={-1}frontend.ldif file include granting
  to dn.base="" by * read'
permissions, too? It appears that that statement exists in (for example) the Hardy version of slapd.conf, but the slapd.conf -> slapd.d conversion migrates it to the olcDatabase={1}hdb.ldif file only.

In slapd 2.4.21-0ubuntu4, the slapd.init.ldif f was edited to include that access in the dn: olcDatabase={-1}frontend,cn=config section (LP#427842), but no attempt was made to get that permission fixed up after a the slapd.conf -> slapd.d conversion.

(LPb#427842 also includes a
  to dn.base="cn=subschema" by * read
permission line. I don't see that line in my old slpad.conf file, but based on the discussion in that bug, I'm wondering if the postinst script should be adding it to the {-1}frontend.ldif file as well?)

Nathan