
requesting clarification of use of config backend



I've recently begun to explore the config backend for OpenLDAP 2.3.7, and
am running into what appears to be an ACL issue, but I can't figure out
what I've done wrong, nor how to explore further.

What I think are pertinent snippets from my slapd.conf:

  rootdn          "cn=manager,com=foo"

  database config

  defaultaccess none
  access to dn.subtree="cn=config"
                     by dn.exact="cn=manager,com=foo" write
                     by * read

I created my slapd.d directory:

  # mkdir -p /etc/openldap/slapd.d
  # slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
  # mv /etc/openldap/slapd.conf /etc/openldap/slapd.conf.test
  # chown -R  ldap:ldap  /etc/openldap/slapd.d/
  
slapd.d does seem to be fully populated, and slapd was successfully
restarted.  But, when I attempt to search this database:

  # ldapsearch -x -LLL -D cn=manager,com=foo -w foobar \
      -b cn=config > /var/tmp/ldif.out
  Insufficient access (50)

Does anyone see anything obviously wrong here?  I had several
databases with identical ACLs, which I can search, so I know I have
my credentials right.

Running the server and ldapsearch with '-d -1' doesn't reveal
anything like UNIX permission errors.

Alas, I could not find a manpage for slapd.d, nor slapd-config, so
I'm running blind, here...

I'd appreciate any feedback you folks can provide.

--
Brian Reichert				<reichert@numachi.com>
55 Crystal Ave. #286			Daytime number: (603) 434-6842
Derry NH 03038-1725 USA			BSD admin/developer at large