
slapd.conf - acl question



Hi,

We are on 2.1.22 and I appear to have an acl problem. I have one access
line (for test purposes) in my slapd.conf file with one db (bdb):

access to attr=sn
	by * read

When I do:

ldapsearch -LLL '(uid=douglas)' sn

I get no results. Here is the log file (I have loglevel set to 128):

Sep 15 09:45:25 c01 slapd[17314]: bdb_initialize: Sleepycat Software: Berkeley DB 4.1.25: (December 19, 2002)
Sep 15 09:45:25 c01 slapd[17314]: bdb_db_init: Initializing BDB database
Sep 15 09:45:25 c01 slapd[17418]: slapd starting
Sep 15 09:45:26 c01 slapd[17418]: => access_allowed: search access to "uid=douglas,ou=employee,dc=gpc,dc=edu" "uid" requested
Sep 15 09:45:26 c01 slapd[17418]: => acl_get: [1] check attr uid
Sep 15 09:45:26 c01 slapd[17418]: <= acl_get: done.
Sep 15 09:45:26 c01 slapd[17418]: => access_allowed: no more rules

Any ideas why I get no results? If I stick in 'access to * by * read',
I get a result line as I expect:

ldapsearch -LLL '(uid=douglas)' sn
dn: uid=douglas,ou=employee,dc=gpc,dc=edu
sn: Jones

This leads me to believe I have to open all then restrict. I would
rather have it closed and then open up as needed.

I just did another test. In slapd.conf I have:

access to *
	by * read

access to *
	by * none

I would think this would turn everything on then everything off, yet
when I do a ldapsearch, I can see ALL attributes of who I look at.
If I try it with no access line, then the default takes over that gives
read access to anonymous.

My main question is the one at the beginning: why, if I have one access
line of:

access to attr=sn by * read

does it not appear to work?

Thanks!
Cheers,
Douglas
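As an added illustration (not part of this thread, and not OpenLDAP's own code), here is a small Python model of the two slapd ACL behaviours behind both observations: access directives are consulted in the order written and the first `access to` whose target matches decides (so a later `by * none` never overrides an earlier `by * read` on the same target), and once any access directive exists, anything no rule matches is denied, which includes the `search` access a filter on `uid` needs before any entry can be returned. The `access to attrs=uid by * search` rule at the end is a constructed example of opening only what the filter needs; the model handles only the `*` subject and ignores the `entry` pseudo-attribute.

```python
# Toy model of slapd.conf access evaluation (constructed; not OpenLDAP code).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def parse_acl(text):
    """Parse 'access to <what> by <who> <level>' directives; indented
    continuation lines ('\tby * read') are joined to their directive."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("access to"):
            directives.append(line)
        elif directives:
            directives[-1] += " " + line
    rules = []
    for d in directives:
        tok = d.split()
        what = tok[2]                                   # '*', 'attr=sn', 'attrs=uid,sn'
        clauses = [(tok[i + 1], tok[i + 2]) for i, t in enumerate(tok) if t == "by"]
        rules.append((what, clauses))
    return rules

def target_matches(what, attr):
    if what == "*":
        return True
    if what.startswith(("attr=", "attrs=")):
        return attr in what.split("=", 1)[1].split(",")
    return False

def allowed(rules, attr, level):
    """First matching 'access to' decides; its first 'by *' clause gives the
    level. With no directives at all, slapd's built-in default is read for
    everyone; with directives present, an unmatched attribute is denied."""
    granted = "read" if not rules else "none"
    for what, clauses in rules:
        if target_matches(what, attr):
            granted = next((lvl for who, lvl in clauses if who == "*"), "none")
            break                                       # later rules never consulted
    return LEVELS.index(granted) >= LEVELS.index(level)

def search(rules, filter_attrs, requested):
    """Attributes a search would return; [] when the filter cannot be evaluated
    (filter attributes need 'search', returned attributes need 'read')."""
    if not all(allowed(rules, a, "search") for a in filter_attrs):
        return []
    return [a for a in requested if allowed(rules, a, "read")]

ONLY_SN = "access to attr=sn\n\tby * read\n"                        # the post's first config
OPEN_THEN_CLOSE = "access to *\n\tby * read\n\naccess to *\n\tby * none\n"  # the second test
LEAST = "access to attr=sn by * read\naccess to attrs=uid by * search\n"  # constructed fix
```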