It is often useful to know exactly what access a given Kerberos principal has to the directory. A remctl command returns the current access control list for the Kerberos principal used to invoke it, so the principal you want to check is the one whose credentials are in the ticket cache, not an argument to the command. The usage is straightforward: first create a ticket cache for the Kerberos principal, then use that ticket cache to execute the command. The following example uses k5start to obtain the ticket cache from the principal's keytab.
% k5start -q -U -f /etc/webauth/keytab -- remctl ldap.stanford.edu ldap access
Checking access for email@example.com
cn=WebAuthGeneral,cn=applications,dc=stanford,dc=edu
The principal webauth/trainmaster.stanford.edu has access to the WebAuthGeneral bundle of attributes. The details of each bundle can be examined by adding the --expand switch to the command.
Note that currently you must specify a physical LDAP server as the target of the remctl command, not the service name. For the production servers, querying ldap1 displays the ACLs, which are shared by the entire set of replicas.
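The procedure above is easy to wrap in a script so that a service owner can verify, before deploying, that the principal in a keytab is actually granted the bundle it depends on. The following is an added example, not part of the original documentation or of the remctl or Stanford LDAP tooling. It assumes k5start and remctl are installed, that the keytab path and the ldap1.stanford.edu host are the ones you want (both are overridable and are assumptions here), and that the output keeps the shape shown above: a "Checking access for" line followed by one bundle DN per line. The sample output embedded in the block is constructed for offline testing.

```shell
#!/bin/sh
# Added example (not from the Stanford documentation): wrap the
# "remctl ldap access" check in reusable functions and test the
# returned ACL list for a required attribute bundle.

KEYTAB="${KEYTAB:-/etc/webauth/keytab}"        # assumed keytab location
LDAP_HOST="${LDAP_HOST:-ldap1.stanford.edu}"   # a physical server, not the service name

# Run the access query as the principal held in the keytab and print the
# raw remctl output. Pass "--expand" as $1 to include the bundle contents.
ldap_access_raw() {
    k5start -q -U -f "$KEYTAB" -- remctl "$LDAP_HOST" ldap access ${1:+"$1"}
}

# Read remctl output on stdin; print the principal named on the
# "Checking access for" line (assumed output format).
access_principal() {
    sed -n 's/^Checking access for //p' | head -n 1
}

# Read remctl output on stdin; print only the bundle DNs, i.e. the lines
# that start with "cn=" (everything else is status text).
access_bundles() {
    grep -i '^cn='
}

# has_bundle BUNDLE_CN: read remctl output on stdin and succeed only if a
# bundle whose first RDN is cn=BUNDLE_CN (case-insensitive) is granted.
has_bundle() {
    access_bundles | grep -iq "^cn=$1,"
}

# Constructed sample output for offline testing. The realm and the second
# bundle (PeopleBasic) are assumptions, not taken from the documentation.
SAMPLE_OUTPUT='Checking access for webauth/trainmaster.stanford.edu@stanford.edu
cn=WebAuthGeneral,cn=applications,dc=stanford,dc=edu
cn=PeopleBasic,cn=applications,dc=stanford,dc=edu'

# Live usage (only when explicitly requested so the script is safe to
# source): RUN_LIVE=1 sh check_access.sh WebAuthGeneral
if [ "${RUN_LIVE:-0}" = 1 ]; then
    required="${1:-WebAuthGeneral}"
    out="$(ldap_access_raw)" || { echo "remctl query failed" >&2; exit 2; }
    printf '%s\n' "$out" | has_bundle "$required" \
        && echo "$(printf '%s\n' "$out" | access_principal) has $required" \
        || { echo "missing bundle $required" >&2; exit 1; }
fi
```

Keep the check in the deployment pipeline for the service: a principal whose keytab was re-created under a new name, or a bundle that was renamed, shows up here as a missing DN long before the application logs an LDAP permission error.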