slapd ACLs



Hello,

I'm a bit confused by the ACLs in my slapd.conf, considering I have this:

access to dn.subtree=""
        by * read

access to attrs=userPassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword
        by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" write
        by dn="uid=admin,ou=people,dc=mydomain,dc=org" write
        by self write
        by anonymous auth
        by * none

access to *
        by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" =wrscx
        by self write
        by users read
        by anonymous auth
        by * none


When I do an ldapsearch without authentication, I can see the user's details, including the unencrypted password:

ldapsearch -x -b "uid=user1,ou=people,dc=mydomain,dc=org"
I think that it's because of the rule access to dn.subtree="" by * read.
With an authenticated user it works as well:

ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b "uid=user1,ou=people,dc=mydomain,dc=org" -W

But if I comment out these two lines:
#access to dn.subtree=""
#        by * read
the search doesn't give me any result:

ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b "uid=user1,ou=people,dc=mydomain,dc=org" -W
# search result
search: 2
result: 32 No such object
# numResponses: 1

I would have expected this command to match
access to *
        by users read

My goal is that only authenticated users can access the LDAP directory and that users can change their passwords.

Does anyone have an idea how to explain this behavior?

Thank you
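Added example, not part of the message above and not OpenLDAP's own code: a small Python model of slapd's documented first-match ACL evaluation, run over the rules quoted in the post. It assumes the standard semantics, which are the point of the question: the first `access to` directive whose target covers the requested entry and attribute is the only one consulted, within it the first matching `by` clause decides, and a matching directive with no matching `by` clause denies. Simplifications to be aware of: DN normalisation is reduced to trimming and lowercasing, `dn.regex` is applied as an unanchored search with case folding, and denial when no directive matches at all is assumed. The bound DN `uid=bob/admin+realm=MYDOMAIN.ORG` is a constructed identity chosen so that the posted regex matches it. The model reproduces the first observation (the leading `dn.subtree=""` rule, which covers the whole DIT and every attribute, hands read on userPassword to anonymous before the password rule is ever reached) and shows what the remaining rules grant once that rule is gone. It does not reproduce the "No such object" result: under these rules alone user2 is granted read on user1's entry, so the cause of that second observation is not visible in the posted rules.

```python
import re
from dataclasses import dataclass, field

# Privilege letters behind slapd's cumulative named levels:
# none < disclose < auth < compare < search < read < write < manage.
LEVELS = {
    "none": set(), "disclose": set("d"), "auth": set("xd"),
    "compare": set("cxd"), "search": set("scxd"), "read": set("rscxd"),
    "write": set("wrscxd"), "manage": set("mwrscxd"),
}
TOKEN = re.compile(r'\S*?"[^"]*"|\S+')  # key="quoted value" or a bare word


def privs(level):
    """'=wrscx' lists privileges explicitly; anything else is a named level."""
    return set(level[1:]) if level.startswith("=") else LEVELS[level]


def norm(dn):
    """Simplified DN normalisation: trim, drop spaces around commas, lowercase."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def in_subtree(dn, base):
    """dn.subtree="" names the root, so an empty base covers every entry."""
    return base == "" or dn == base or dn.endswith("," + base)


@dataclass
class Rule:
    dn_base: str = ""   # subtree the rule covers; "" = the whole DIT
    attrs: set = None   # None = every attribute, the entry pseudo-attribute included
    by: list = field(default_factory=list)  # ordered (who, level) clauses

    def covers(self, entry_dn, attr):
        return in_subtree(entry_dn, self.dn_base) and (
            self.attrs is None or attr.lower() in self.attrs)


def parse_acl(text):
    """Parse 'access to <target> by <who> <level> ...' (a subset of slapd.conf syntax)."""
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    toks, rules, rule, i = TOKEN.findall(text), [], None, 0
    while i < len(toks):
        if toks[i] == "access":  # "access to" opens a new rule; targets follow until "by"
            rule = Rule()
            rules.append(rule)
            i += 2
            while i < len(toks) and toks[i] != "by":
                key, _, val = toks[i].partition("=")
                val = val.strip('"')
                if key == "attrs":
                    rule.attrs = {a.lower() for a in val.split(",")}
                elif key == "dn.subtree":
                    rule.dn_base = norm(val)
                elif key != "*":  # "*" = any entry, any attribute
                    raise ValueError(f"unsupported target {toks[i]!r}")
                i += 1
        elif toks[i] == "by" and rule is not None:
            rule.by.append((toks[i + 1], toks[i + 2]))
            i += 3
        else:
            raise ValueError(f"unexpected token {toks[i]!r}")
    return rules


def who_matches(who, requester, entry_dn):
    """requester is the normalised bound DN, or None for an anonymous session."""
    key, _, val = who.partition("=")
    val = val.strip('"')
    if key == "*":
        return True
    if key == "anonymous":
        return requester is None
    if key == "users":
        return requester is not None
    if requester is None:  # none of the dn forms can match an anonymous session
        return False
    if key == "self":
        return requester == entry_dn
    if key == "dn":
        return requester == norm(val)
    if key == "dn.subtree":
        return in_subtree(requester, norm(val))
    if key == "dn.regex":  # assumed: unanchored search, as slapd's regexec does
        return re.search(val, requester, re.IGNORECASE) is not None
    raise ValueError(f"unsupported who {who!r}")


def check(rules, requester, entry_dn, attr, priv):
    """First covering rule wins; its first matching 'by' decides; otherwise deny."""
    entry_dn = norm(entry_dn)
    requester = None if requester is None else norm(requester)
    for rule in rules:
        if rule.covers(entry_dn, attr):
            for who, level in rule.by:
                if who_matches(who, requester, entry_dn):
                    return priv in privs(level)
            return False  # implicit "by * none"
    return False  # assumed default once access directives exist


# The poster's rules, split so the leading root-subtree rule can be dropped.
ROOT_RULE = 'access to dn.subtree=""\n        by * read\n'
OTHER_RULES = r'''
access to attrs=userPassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword
        by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" write
        by dn="uid=admin,ou=people,dc=mydomain,dc=org" write
        by self write
        by anonymous auth
        by * none
access to *
        by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" =wrscx
        by self write
        by users read
        by anonymous auth
        by * none
'''
POSTED_ACL = ROOT_RULE + OTHER_RULES
WITHOUT_ROOT_RULE = OTHER_RULES
USER1 = "uid=user1,ou=people,dc=mydomain,dc=org"
USER2 = "uid=user2,ou=people,dc=mydomain,dc=org"
ADMIN = "uid=bob/admin+realm=MYDOMAIN.ORG"  # constructed DN the posted regex matches


def can(acl_text, requester, entry_dn, attr, priv):
    return check(parse_acl(acl_text), requester, entry_dn, attr, priv)


if __name__ == "__main__":
    for label, acl in (("posted", POSTED_ACL), ("root rule removed", WITHOUT_ROOT_RULE)):
        print(label, "anonymous reads userPassword:", can(acl, None, USER1, "userPassword", "r"))
        print(label, "user2 reads user1 entry:", can(acl, USER2, USER1, "entry", "r"))
```

The privilege letters are the ones slapd uses in its `=` form, so `=wrscx` and the named `write` level compare directly; the `entry` pseudo-attribute is what a search base must be readable through, which is why it is checked alongside `userPassword`.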