I've uploaded a quick workaround to check the above acl, it can be downloaded from here:

ftp://ftp.openldap.org/incoming/its7347.patch

=> Test result: It works for me.

In the sense of the ITS title it's just a half-way workaround: It addresses only subtractive ACLs, additive ACLs are not addressed.

A clean solution, separating the bitmasks is of course preferable.

In my opinion ITS#6900 should be closed.