Dear colleagues,

There's a question I posted on ServerFault (https://serverfault.com/questions/1088252/a-very-simple-olcaccess-rule-doesnt-work), but it seems that asking my question in this mailing list would be a better idea.

So, long story short, I have a domain (let's call it `dc=example,dc=org`).

The domain has a branch (`ou=users,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org`).

There's a simpleSecurityObject in this domain (`uid=admin,ou=managers,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org`).

I need the uid=admin,*** user to have full (manage) access to the ou=users,*** branch, so I added the following olcAccess record: `to dn.subtree="ou=users,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org" by dn.exact="uid=admin,ou=managers,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org"`.

It has been added to the default set of rules:
```
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=example,dc=org" write by anonymous auth by * none
olcAccess: {2}to * by self read by dn="cn=admin,dc=example,dc=org" write by * none
olcAccess: {3}to dn.subtree="ou=users,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org" by dn.exact="uid=admin,ou=managers,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org" manage
```

But something seems to be wrong. When I run `ldapsearch -D uid=admin,ou=managers,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org -W -b ou=users,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org`, I get the following result:
```
# extended LDIF
#
# LDAPv3
# base <ou=users,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
command terminated with exit code 32
```

The object is actually available and `cn=admin,dc=example,dc=org` can see it without any difficulties, so it seems that my access rule is wrong. But what exactly is it?

It seems that the default rule #2 (`{2} to * by self read by dn="cn=admin,dc=example,dc=org" write by * none`) fires up earlier than the rule I added. Does that mean that I should always add my custom rules before it?

And why does this rule have `by * none`? Doesn't it contradict the OpenLDAP documentation? "The default access control policy is allow read by all clients" (https://www.openldap.org/doc/admin24/access-control.html).

Thank you in advance.

With best regards,
V.Melnyk