Hello,
I'm a bit confused with the ACLs in my slapd.conf, considering I have this:
access to dn.subtree=""
    by * read
access to attrs=userPassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword
    by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" write
    by dn="uid=admin,ou=people,dc=mydomain,dc=org" write
    by self write
    by anonymous auth
    by * none
access to *
    by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" =wrscx
    by self write
    by users read
    by anonymous auth
    by * none
When I do an ldapsearch without authentication, I can see the user's details, including
the unencrypted password:
ldapsearch -x -b "uid=user1,ou=people,dc=mydomain,dc=org"
I think that it's because of the rule access to dn.subtree="" by * read.
With an authenticated user it works as well:
ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b "uid=user1,ou=people,dc=mydomain,dc=org" -W
But if I comment out these two lines:
#access to dn.subtree=""
#    by * read
The search doesn't give me any result:
ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b "uid=user1,ou=people,dc=mydomain,dc=org" -W
# search result
search: 2
result: 32 No such object
# numResponses: 1
I would have expected this command to match:
access to *
    by users read
My goal is that only authenticated users would be able to access the LDAP directory and
that users can change their passwords.
Does anyone have an idea how to explain this behavior?
Thank you
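The following is an added example, not part of the original post and not OpenLDAP's own code: a small Python evaluator for the subset of slapd.conf "access to" syntax used above, implementing slapd's documented first-match rule (the first access clause whose <what> matches the entry and attribute is the only one consulted, and inside it the first matching "by" decides). It runs the post's three clauses as given, and then the same two specific clauses with the blanket dn.subtree="" clause removed, to show why an anonymous search returns userPassword when that clause comes first. Assumptions: the dn.regex matching is approximated with Python's re.search, case-insensitively, on a lower-cased DN; a request that matches no clause is treated as denied in this toy; the user1/user2 DNs are the ones from the post and the admin DN is the one from the posted ACL. It models nothing beyond these selectors and does not try to account for the "No such object" result, which depends on the rest of the slapd.conf.

```python
"""Toy evaluator for slapd.conf 'access to' directives, showing OpenLDAP's first-match rule.
Constructed illustration, not OpenLDAP code: only the selectors used in the post are handled."""
import re
import shlex

# each named level implies the lower ones; the letters are the =<privs> form (x=auth ... m=manage)
_LEVELS = {n: set("xcsrwm"[:i]) for i, n in enumerate("none auth compare search read write manage".split())}
ANONYMOUS = None  # requester value for an unbound session

def norm_dn(dn):
    """Lower-case and strip spaces after commas: enough for exact/subtree comparison."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def _dn_selector(tok):
    """dn.regex="..." keeps the raw pattern; dn="..." and dn.subtree="..." are normalized."""
    for prefix, kind in (("dn.regex=", "regex"), ("dn.subtree=", "subtree"), ("dn=", "exact")):
        if tok.startswith(prefix):
            val = tok[len(prefix):]
            return kind, (val if kind == "regex" else norm_dn(val))
    raise ValueError("unsupported DN selector: " + tok)

def parse_acl(text):
    """Parse 'access to <what> by <who> <level> ...' into a list of (what, [(who, privs)])."""
    lines = [l for l in text.splitlines() if l.strip() and not l.strip().startswith("#")]
    tokens = shlex.split(" ".join(lines))  # shlex honours the double quotes slapd.conf uses
    acl, i = [], 0
    while i < len(tokens):
        # a clause with no DN selector ('*' alone) covers every entry, same as dn.subtree=""
        what, bys, i = {"dn": ("subtree", ""), "attrs": None}, [], i + 2  # skip 'access to'
        while i < len(tokens) and tokens[i] != "by":  # <what> selectors
            tok, i = tokens[i], i + 1
            if tok.startswith("attrs="):
                what["attrs"] = {a.lower() for a in tok[6:].split(",")}
            elif tok != "*":
                what["dn"] = _dn_selector(tok)
        while i < len(tokens) and tokens[i] == "by":  # <who> <level> pairs
            who, level = tokens[i + 1], tokens[i + 2]
            bys.append((who, set(level[1:]) if level.startswith("=") else _LEVELS[level]))
            i += 3
        acl.append((what, bys))
    return acl

def _dn_matches(kind, pat, dn):
    if kind == "exact":
        return dn == pat
    if kind == "subtree":  # dn.subtree="" (the empty DN) covers the whole DIT
        return pat == "" or dn == pat or dn.endswith("," + pat)
    return re.search(pat, dn, re.IGNORECASE) is not None  # approximation of slapd's regex match

def _who_matches(who, entry_dn, requester):
    if who == "*":
        return True
    if who == "anonymous":
        return requester is ANONYMOUS
    if requester is ANONYMOUS:
        return False  # every remaining selector needs a bound DN
    if who == "users":
        return True
    if who == "self":
        return norm_dn(requester) == norm_dn(entry_dn)
    return _dn_matches(*_dn_selector(who), norm_dn(requester))  # dn=, dn.subtree=, dn.regex=

def granted(acl, entry_dn, attr, requester):
    """Privileges from the FIRST clause whose <what> matches, via its FIRST matching <by>."""
    for what, bys in acl:
        if not _dn_matches(*what["dn"], norm_dn(entry_dn)):
            continue
        if what["attrs"] is not None and attr.lower() not in what["attrs"]:
            continue  # an omitted attrs= covers the whole entry, so only an explicit list skips
        for who, privs in bys:
            if _who_matches(who, entry_dn, requester):
                return privs
        return set()  # clause matched but no <by> did: the implicit 'by * none'
    return set()      # no clause matched: treated as no access in this toy (simplification)

def allowed(acl, entry_dn, attr, requester, priv):
    return priv in granted(acl, entry_dn, attr, requester)

# Constructed sample: the post's password clause and catch-all, with and without the blanket read
PASSWORD_AND_CATCHALL = r'''
access to attrs=userPassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword
    by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" write
    by dn="uid=admin,ou=people,dc=mydomain,dc=org" write
    by self write
    by anonymous auth
    by * none
access to *
    by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" =wrscx
    by self write
    by users read
    by anonymous auth
    by * none
'''
WEAK_ACL = parse_acl('access to dn.subtree=""\n    by * read\n' + PASSWORD_AND_CATCHALL)  # as posted
HARDENED_ACL = parse_acl(PASSWORD_AND_CATCHALL)  # blanket clause removed
USER1 = "uid=user1,ou=people,dc=mydomain,dc=org"
USER2 = "uid=user2,ou=people,dc=mydomain,dc=org"

if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        print(name, "anonymous reads user1 userPassword:", allowed(acl, USER1, "userPassword", ANONYMOUS, "r"),
              "| user1 writes own userPassword:", allowed(acl, USER1, "userPassword", USER1, "w"),
              "| user2 reads user1 cn:", allowed(acl, USER1, "cn", USER2, "r"))
```

Running it prints one line per ACL set. With the blanket clause first, every request for every attribute is decided by "by * read", so anonymous gets userPassword and, because "by self write" in the password clause is never consulted, a user cannot write their own userPassword either. With that clause removed, anonymous keeps only auth on userPassword (enough for the bind in "ldapsearch -D ... -W"), user2 cannot read user1's password, user1 can write their own, and the catch-all still gives authenticated users read on the rest of the entry.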