diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index 92b4c43..35c3fb7 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -1121,7 +1121,7 @@ slap_acl_mask(
 	AccessControlState *state,
 	slap_access_t access )
 {
-	int i;
+	int i, implNone;
 	Access *b;
 #ifdef LDAP_DEBUG
 	char accessmaskbuf[ACCESSMASK_MAXLEN];
@@ -1152,6 +1152,7 @@ slap_acl_mask(
 	b = a->acl_access;
 	i = 1;
+	implNone = 1;
 	for ( ; b != NULL; b = b->a_next, i++ ) {
 		slap_mask_t oldmask, modmask;
@@ -1648,6 +1649,21 @@ slap_acl_mask(
 			}
 			if ( rc != 0 ) {
+				Debug( LDAP_DEBUG_ACL, "<= check a_group_pat: membership evaluation failed: \"%s\" (rc: %d)\n",
+					ldap_err2string(rc), rc, 0 );
+
+				if( ACL_IS_ADDITIVE(b->a_access_mask) || ACL_IS_SUBTRACTIVE(b->a_access_mask) ) {
+					Debug( LDAP_DEBUG_ACL,
+						"<= acl_mask: [%d] ignoring incremental privileges %s (%s)\n",
+						i, accessmask2str( b->a_access_mask, accessmaskbuf, 1 ),
+						b->a_type == ACL_CONTINUE
+							? "continue"
+							: b->a_type == ACL_BREAK
+								? "break"
+								: "stop" );
+					implNone = 0;
+					goto byClauseDone;
+				}
 				continue;
 			}
 		}
@@ -1872,6 +1888,7 @@ slap_acl_mask(
 			"<= acl_mask: [%d] mask: %s\n",
 			i, accessmask2str(*mask, accessmaskbuf, 1), 0 );
+byClauseDone:
 		if( b->a_type == ACL_CONTINUE ) {
 			continue;
@@ -1884,7 +1901,8 @@ slap_acl_mask(
 	}
 	/* implicit "by * none" clause */
-	ACL_INIT(*mask);
+	if ( implNone )
+		ACL_INIT(*mask);
 	Debug( LDAP_DEBUG_ACL,
 		"<= acl_mask: no more clauses, returning %s (stop)\n",
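Review bot: The `goto byClauseDone` in the `rc != 0` branch is fail-open for subtractive clauses: when the group membership lookup fails on a clause such as `by group=... -w`, the subtraction is not applied and the clause's own break/stop is then honoured (the non-continue branches after the label are outside the hunk, so this is inferred from where the label sits), so evaluation ends with whatever mask earlier clauses accumulated and the privilege the clause meant to revoke stays in force; before this change the `continue` let later clauses, or the implicit "by * none", still take effect. Consider sending only additive clauses down the new path, `if( ACL_IS_ADDITIVE(b->a_access_mask) ) {`, and leaving a subtractive clause on `continue`, or, more conservatively, applying the subtraction anyway when rc != 0 since a right that cannot be verified should not be retained; the mask-update code that would carry that option is not in the hunk. Whichever policy is kept should be stated at the branch, e.g. `/* membership unknown: neither add nor subtract, but honour the clause's continue/break/stop and skip the trailing implicit none */`. slap_acl_mask begins and ends outside this hunk.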
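Review bot: The comment `/* implicit "by * none" clause */` no longer describes the guarded statement: when implNone has been cleared the function falls past the reset and returns whatever mask earlier `continue` clauses accumulated (or the value the caller passed in, which is outside this hunk), so an unverifiable membership on an incremental clause now ends more permissively than the former unconditional none. I would extend it to `/* implicit "by * none" clause, unless a membership check failed on an incremental clause: then the mask accumulated so far is returned as-is (see byClauseDone) */` so the deliberate exception is visible to the next reader of the ACL evaluator. The "no more clauses, returning %s (stop)" debug line that follows presumably prints that mask, which is the evidence an operator needs when auditing such a decision; its arguments are outside the hunk. slap_acl_mask ends outside this hunk.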