A better way to write this is:
(targetattr = "mycustomattr")(version 3.0; acl "allow admins
mycustomattr"; allow (all) groupdn =
"ldap:///cn=admins,ou=Groups,dc=company,dc=global";)
That's a better rule.
I've tried this and I still can see the attribute without binding (anonymous search).
here you can see the custom attr imasLocalAdminPass
dn: uid=provamaquina01,ou=users,dc=example.net,dc=petratest,dc=proves,dc=global
imasLocalAdminPass: 12345678test
objectClass: account
objectClass: top
objectClass: posixAccount
objectClass: imasMaquines
uidNumber: 999999
homeDirectory: /dev/null
gidNumber: 999999
cn: provamaquina01
uid: provamaquina01
entryLevelRights: vn
attributeLevelRights: userPassword:wo, imasLocalAdminPass:rscwo, objectClass:r
scwo, uidNumber:rscwo, homeDirectory:rscwo, gidNumber:rscwo, cn:rscwo, uid:r
scwo
thanks for your time, william.