OpenLDAP Faq-O-Matic : (Answer) Rights and privileges
The previous answer described, more or less, how to specify the subjects of access control. Once we have found an access clause that matches the entry and a subject specification that matches the subject, we grant some access:
<access> ::= [self]{<level>|<priv>}
<level> ::= none | auth | compare | search | read | write
<priv> ::= {=|+|-}{w|r|s|c|x}+

There are two ways to define access in OpenLDAP. The first method (the only one available in older versions) is based on the concept of access levels. Each access level contains the ones below it; for instance, read access implies search access. The access levels are more or less self-explanatory, except for auth, which is used to control binding to the directory and was not present in older versions of OpenLDAP.

In most cases, access levels are fine and are all you need. However, there are access policies that cannot be expressed with levels, like the rare case where you want to grant write access but deny any other access. Authentication information such as passwords is often like that: you would like to grant the owner write access, grant anonymous users auth access, and deny any other kind of access. You cannot do that with access levels, because write access implies read access.

You can, however, do it with the second method, which is based on discrete privileges: every privilege is granted or denied independently of the others. There are five discrete privileges, each denoted by a letter: w (write), r (read), s (search), c (compare) and x (authenticate).

If you precede your privilege list with =, the privileges are reset to exactly those given. You can also modify the privileges incrementally by adding (+) or subtracting (-) one or more of them.
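As an added example (not code from the FAQ or from OpenLDAP itself), the following Python evaluates the <access> grammar above: it expands levels into the privilege letters they contain, applies =, + and - specs, and compares the password policy from the previous paragraph written with levels and with discrete privileges. The level-to-letter expansion uses only the five privileges this page lists, and the sample ACLs and the simplified <who> matching are constructed for illustration.

```python
import re

# Each level contains the ones before it (auth -> compare -> search -> read -> write),
# so a level expands to every privilege letter of the levels beneath it.
LEVEL_PRIVS = {"none": "", "auth": "x", "compare": "cx",
               "search": "scx", "read": "rscx", "write": "wrscx"}
PRIV_SPEC = re.compile(r"^([=+-])([wrscx]+)$")  # <priv> ::= {=|+|-}{w|r|s|c|x}+

def apply_access(current, spec):
    """Apply one <access> spec to the privilege set `current`; return the new set."""
    if spec in LEVEL_PRIVS:            # a <level> always replaces what was there
        return set(LEVEL_PRIVS[spec])
    m = PRIV_SPEC.match(spec)
    if not m:
        raise ValueError(f"bad <access> spec: {spec!r}")
    op, privs = m.group(1), set(m.group(2))
    if op == "=":                      # reset to exactly these privileges
        return privs
    if op == "+":                      # add privileges incrementally
        return current | privs
    return current - privs             # "-": subtract privileges

def evaluate(acl, subject):
    """Privileges `subject` gets under `acl`, a list of (<who>, <access>) pairs.
    The first matching <who> wins and evaluation stops (the default behaviour
    this page describes); "*" matches anybody. <who> matching is simplified:
    a plain string compared with the subject name, not real DN matching."""
    for who, spec in acl:
        if who in (subject, "*"):
            return apply_access(set(), spec)
    return set()

def privs_to_str(privs):
    """Render a privilege set in the canonical w r s c x order, e.g. 'wx'."""
    return "".join(p for p in "wrscx" if p in privs)

# Constructed userPassword ACLs (not from the page): the same intended policy
# written with access levels and with discrete privileges.
LEVEL_ACL = [("self", "write"), ("anonymous", "auth"), ("*", "none")]
PRIV_ACL = [("self", "=wx"), ("anonymous", "=x"), ("*", "none")]

if __name__ == "__main__":
    for name, acl in (("levels", LEVEL_ACL), ("privileges", PRIV_ACL)):
        for subject in ("self", "anonymous", "users"):
            got = privs_to_str(evaluate(acl, subject)) or "none"
            print(f"{name:10} {subject:10} -> {got}")
    # With levels the owner gets wrscx (write implies reading the hash);
    # with privileges the owner gets wx only, which levels cannot express.
```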

But we said earlier that once a match happens, further analysis is stopped, right? How can we then add or subtract privileges incrementally?

Well, we said that was the default case, which applies when the facilities explained in the next answer are not used.

This document is: http://www.openldap.org/faq/index.cgi?file=453
© Copyright 1998-2013, OpenLDAP Foundation, info@OpenLDAP.org