<access clause> ::= access to <what> [ by <who> <access> <control> ]+

Well, that was easy: we specify an access target, and then a list of triplets composed of a subject specification, an access rights specification to assign in case the subject matches and a control that specifies what to do after a match. For the time being consider that the control is stop that is the default (and the only possibility in older OpenLDAP versions) and means that all access control processing stops here: no further subjects will be considered in this clause and no other clauses will be considered. In other words, by default, all access control to some item is specified in just one access clause: access rights you forgot to set here cannot be set later, even if a later access clause would seem to include this one. So in most cases you will work from the most specific to the most general. We will see later that this is not the only possibility, but is the most common and most examples are written this way.
jsanchez@openldap.org