OpenLDAP config parsing failure

Annoying changes in syntax between versions of OpenLDAP that I didn’t pick up consumed my time at work today. I was beating my head against the wall trying to work out why the slapd config wasn’t being parsed correctly.

Setting the slaptest debug level to -1 reveals all, however:

slapd.conf: line 78: expecting <what> got "attribute"
<access clause> ::= access to <what> [ by <who> <access> [ <control> ] ]+
<what> ::= * | [dn[.<dnstyle>]=<dn>] [filter=<filter>] [attrs=<attrlist>]
<attrlist> ::= <attr> [val[.<style>]=<value>] | <attr> , <attrlist>
<attr> ::= <attrname> | entry | children

Under newer versions of OpenLDAP, when defining access controls the attribute definition has been renamed to attrs. This means that your config will mystically stop working and slapd will die in a horrible flaming mess.