more access control puzzlement

["Eric S. Johansson" <esj@harvee.billerica.ma.us>]

I've encountered a couple more puzzling things with access control.  I'm
trying to control access by IP address and a portion of the hierarchy.  

The rules I want are: 
	provide limited access (specific attributes, limited part of the
 		hierarchy) to a group of machines, 
	show everything to one particular host (within a limited part 
		of the hierarchy), 
	deny everything to everyone else.  

then I need to repeat these rules multiple times each one limiting access
to a different part of the hierarchy.  Last, I need a rule granting access
to a couple of machines for the entire hierarchy.

So reading between the lines, I put in multiple rules and they look like this:

access to dn="*,ou=gems,o=store"  attrs=sn,entry
        by addr="206.34.215.253"                read

access to dn="*,ou=gems,o=store"
        by domain="localhost"                   write

defaultaccess none

what seems to happen is that the first rule is used but the second one is
ignored.  I've tried it different variants with different default access
values and I always seem to get the results specified by the first rule.
It never seems to drop to the second rule.

what am I missing?  When I search for a specific attribute 'sn=bugs10', I
get the following line in the log (-d=128)

=> acl_access_allowed: search access to value "BUGS10" by ""
<= acl_access_allowed: denied by default (no matching by)

if I eliminate the defaultaccess none rule, all the other protections
vanish as I would expect.

--- eric

Eric S Johansson	esj@inguide.com	  esj@harvee.billerica.ma.us
This message was composed almost entirely by NaturallySpeaking.