
Simple question about access controls



Hi List,

I'm new to openldap and I'm having trouble getting even the most
simple access controls to work.

I have an openldap (2.2.27) server set up (on RH9) and a client (FC3)
set up to authenticate using LDAP. I have created a test user
named testguy.

With the default ACLs ("access to * by * read") my testguy can
authenticate, but cannot change his password. This is exactly what I
expect.

If I change it to "access to * by * write" then testguy can change his
password with no trouble. Again, exactly what I expect (though it's
not a smart policy).

But if I change the ACL to almost anything else, testguy either loses
the ability to authenticate or loses the ability to change password.

For example, here's a rule (still very simple):

access to *
 by self write
 by * read

I believe this should allow testguy to authenticate due to the "by *
read" line, and change password due to the "by self write" line. But
nope. Testguy can still authenticate, but an attempt to change
password gets:

LDAP Password incorrect: try again

The above is using the passwd command. Just to try something else, I
tried using ldappasswd instead, I get:

>ldappasswd -WS -x -v "uid=testguy,ou=people,dc=tcl,dc=com"

ldap_bind: Invalid credentials (49)

As a sanity check, I try the same thing but bind as rootdn instead. It works:

>ldappasswd -WS -x -v -D "cn=manager,dc=tcl,dc=com"
"uid=testguy,ou=People,dc=tcl,dc=com"
...
Result: Success (0)

This is pretty basic stuff so I assume I've got something set up
wrong. But what? What am I missing here? Any clues where to look would
be great.

Thanks,
Darcy
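As an added example (not part of Darcy's post, and not an answer from the list), here is a slapd.conf ACL fragment of the shape that is normally used for this case. The point it shows is that OpenLDAP evaluates `access to` clauses in order and the first clause whose target matches decides, so the `userPassword` attribute needs its own clause placed before the catch-all `access to *`. Under a bare `access to * by * read`, anonymous clients can read the password hashes of every entry as well as authenticate with them, which is the security cost of the "default" rule in the post. The DNs and suffix below are taken from the post; the `ou=People` spelling is an assumption (the post uses both `ou=people` and `ou=People`).

```conf
# Added example ACL for slapd.conf (OpenLDAP 2.2 syntax); not from the post.
# Clauses are tried top to bottom; the first matching "access to" wins,
# so the attribute-specific rule must precede "access to *".

# Password hashes: the entry's owner may replace its own password,
# anonymous clients may only use the attribute to bind (auth level, no
# read), and nobody else gets anything. This also stops "by * read"
# from exposing hashes to anonymous searches.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Everything else: the owner may edit its own entry, all other binders
# (including anonymous) may read. "read" implies "auth", so simple
# binds against attributes other than userPassword are unaffected.
access to *
    by self write
    by * read
```

Two checks worth making with this in place. First, the `by self` clause only applies when the client actually binds as the entry's own DN, so the password change has to be tested with an explicit bind identity, e.g. `ldappasswd -x -W -S -D "uid=testguy,ou=People,dc=tcl,dc=com" "uid=testguy,ou=People,dc=tcl,dc=com"`; `ldappasswd` with no `-D` binds anonymously and never exercises the self rule. Second, the rootdn (`cn=manager,dc=tcl,dc=com` in the post) bypasses ACLs entirely, so a successful change as rootdn confirms the server and the entry but says nothing about whether the ACL is correct.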