(ITS#6804) 'self' access modifier only works for first entry

[djpohly@gmail.com]

Full_Name: Devin J. Pohly
Version: 2.4.23
OS: Linux
URL: http://openldap.pastebin.com/gvswpxLX
Submission from: (NULL) (98.235.33.55)


Description:
I have set up an LDAP directory which contains users and flat groups
(groupOfNames/member style).  I want to use the access controls to only allow
users to see their own groups and membership, so I defined the following
controls:

access to dn.onelevel="ou=group,o=org" attrs=entry
    by dnattr=member read
access to dn.onelevel="ou=group,o=org" attrs=member
    by dnattr=member selfread

Steps to reproduce:
1. Start a new instance of OpenLDAP with the slapd.conf file provided at
<http://openldap.pastebin.com/gvswpxLX> and an empty database.
2. Get grouptest.ldif from <http://openldap.pastebin.com/X1DUyGmf> and add it to
the directory:
ldapadd -x -H $LDAPURI -D uid=admin,o=org -w admin -f grouptest.ldif
This creates two users, foo and bar, and two groups, g1 and g2.  Each user is in
both groups.
3. Compare the outputs of:
ldapsearch -x -H $LDAPURI -D uid=foo,ou=user,o=org -w foo -b ou=group,o=org
ldapsearch -x -H $LDAPURI -D uid=bar,ou=user,o=org -w bar -b ou=group,o=org

Expected results:
Foo's query shows "member: foo" for both g1 and g2.  Bar's query shows "member:
bar" for both g1 and g2.

Actual results:
Foo's query shows "member: foo" for both g1 and g2.  Bar's query does not show
any member attributes.

Note: Changing the order in which the users are listed changes the behavior;
only the first user listed matches 'self'.  Changing the 'selfread' privilege to
'read' behaves correctly: both queries display both users' memberships in the
groups.  So the problem lies somewhere in the way the 'self' modifier is
implemented.