https://www.openldap.org/doc/admin24/access-control.html says: Regardless of what access control policy is defined, the rootdn is always allowed full rights (i.e. auth, search, compare, read and write) on everything and anything. As a consequence, it's useless (and results in a performance penalty) to explicitly list the rootdn among the <by> clauses.
"Well", said I and set olcRootDN to gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth.
Then I tried to add an entry with $ sudo ldapadd -Y EXTERNAL -H ldapi:/// ....
and OpenLDAP told me that I don't have permission to modify the DB.
I had to grant gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth access to everything in the backend's ACL to make it work.
Is it expected that the gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth rootdn does not have full rights without explicit permission, or do I need to recheck because I could have gotten something wrong (didn't restart slapd or something like that)?
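For readers who want to reproduce the setup described in the post, here is the configuration it corresponds to, written as an added example (not taken from the post or from the OpenLDAP documentation). It assumes the data backend is olcDatabase={1}mdb,cn=config; adjust the database DN to whatever `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase` reports. The first change sets the rootdn to the SASL EXTERNAL peercred identity of root; the second is the explicit ACL the poster had to add as a workaround, inserted at position {0} so it is evaluated before the existing rules.

```ldif
# Assumed database DN: olcDatabase={1}mdb,cn=config (check with ldapsearch on cn=config)
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

# Workaround from the post: grant the same identity manage rights on everything.
# {0} places this rule first; "by * break" falls through to the remaining rules
# for every other identity, so existing access for other users is unchanged.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * break
```

Apply it with `sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f rootdn.ldif` (changes to cn=config take effect immediately, no slapd restart needed). Before relying on the rootdn bypass at all, it is worth confirming that the identity slapd actually assigns to the bind is byte-for-byte the configured rootdn: `sudo ldapwhoami -Y EXTERNAL -H ldapi:///` prints the effective authorization DN, and `sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b "olcDatabase={1}mdb,cn=config" olcRootDN` prints the value slapd currently has loaded; if the two differ (different uid/gid, an olcAuthzRegexp rewriting the SASL DN, or a typo), the bind is simply not the rootdn and the normal ACLs apply.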