ACL logging was incomplete (and misleading)

servers/slapd/acl.c

@@ -1766,6 +1766,9 @@ slap_acl_mask(
 				continue;
 			}
 
+			Debug( LDAP_DEBUG_ACL, "<= check a_group_pat: %s\n",
+				b->a_group_pat.bv_val, 0, 0 );
+
 			/* b->a_group is an unexpanded entry name, expanded it should be an 
 			 * entry with objectclass group* and we test to see if odn is one of
 			 * the values in the attribute group
@@ -1853,6 +1856,9 @@ slap_acl_mask(
 			struct berval	bv;
 			char		buf[ACL_BUF_SIZE];
 
+			Debug( LDAP_DEBUG_ACL, "<= check a_set_pat: %s\n",
+				b->a_set_pat.bv_val, 0, 0 );
+
 			if ( b->a_set_style == ACL_STYLE_EXPAND ) {
 				int		tmp_nmatch;
 				regmatch_t	tmp_matches[2],
@@ -1955,6 +1961,9 @@ slap_acl_mask(
 			slap_dynacl_t	*da;
 			slap_access_t	tgrant, tdeny;
 
+			Debug( LDAP_DEBUG_ACL, "<= check a_dynacl\n",
+				0, 0, 0 );
+
 			/* this case works different from the others above.
 			 * since aci's themselves give permissions, we need
 			 * to first check b->a_access_mask, the ACL's access level.
@@ -1978,6 +1987,9 @@ slap_acl_mask(
 			for ( da = b->a_dynacl; da; da = da->da_next ) {
 				slap_access_t	grant, deny;
 
+				Debug( LDAP_DEBUG_ACL, "    <= check a_dynacl: %s\n",
+					da->da_name, 0, 0 );
+
 				(void)( *da->da_mask )( da->da_private, op, e, desc, val, nmatch, matches, &grant, &deny );
 
 				tgrant |= grant;
@@ -2022,6 +2034,9 @@ slap_acl_mask(
 			BerVarray	bvals = NULL;
 			int		ret, stop;
 
+			Debug( LDAP_DEBUG_ACL, "    <= check a_aci_at: %s\n",
+				b->a_aci_at->ad_cname.bv_val, 0, 0 );
+
 			/* this case works different from the others above.
 			 * since aci's themselves give permissions, we need
 			 * to first check b->a_access_mask, the ACL's access level.