Some ACL defaults changed from 2.1 to 2.2.
Excerpts from slapd.access(5) are reproduced below for clarity.

Access directive:

    access to <what>
        [ by <who> <access> [ <control> ] ]+

<what> clause:

    [dn[.<dnstyle>]=]<dnpattern>
    filter=<ldapfilter>
    attrs=<attrlist>[ val[.<attrstyle>]=<attrval>]

with

    <dnstyle>={{exact|base(object)}|regex|one(level)|sub(tree)|children}
    <attrlist>={<attr>|[{!|@}]}[,<attrlist>]
    <attrstyle>={{exact|base(object)}|regex|one(level)|sub(tree)|children}

<who> clause:

    *
    anonymous
    users
    self
    dn[.<dnstyle>[,<modifier>]]=<DN>
    dnattr=<attrname>
    group[/<objectclass>[/<attrname>]][.<groupstyle>]=<group>
    peername[.<peernamestyle>]=<peername>
    sockname[.<style>]=<sockname>
    domain[.<domainstyle>[,<modifier>]]=<domain>
    sockurl[.<style>]=<sockurl>
    set[.<setstyle>]=<pattern>
    ssf=<n>
    transport_ssf=<n>
    tls_ssf=<n>
    sasl_ssf=<n>
    aci=<attrname>

with

    <dnstyle>={{exact|base(object)}|regex|one(level)|sub(tree)|children}
    <groupstyle>={exact|expand}
    <style>={exact|regex|expand}
    <peernamestyle>={<style>|ip|path}
    <domainstyle>={exact|regex|sub(tree)}
    <setstyle>={exact|regex}
    <modifier>={expand}

Changes:

- All styles now default to exact;
  it is strongly recommended to not rely on the default, and always specify
  the desired style, so that future changes do not compromise existing ACLs,
  and their understanding does not require remembering the defaults.
- The default for <dnstyle> changed from regex to exact.
- The <groupstyle> regex is not supported any more;
  it defaults to exact.
  Use expand instead for submatch expansion.
- In detail, a <peernamestyle> of exact requires
  an exact match of the entire string "IP=<host>:<port>"
  or "PATH=<path>"; use the new ip and path styles
  for more specific matches instead of regex.

ando@sys-net.it
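
The following is an added example, not part of the original entry or of OpenLDAP itself: a small audit that scans slapd.conf text for ACL clauses that rely on a default style, or that use the group regex style dropped in 2.2, so they can be rewritten with an explicit style before upgrading. The function names and the sample configuration are constructed for illustration; the check is a heuristic over whitespace-separated clauses of the grammar quoted above.

```python
import re

CLAUSE = re.compile(  # styled clause keywords from the <what>/<who> grammar
    r"(?<!\S)(dn|group|peername|sockname|domain|sockurl|set|val)"
    r"(?:/[\w;-]+){0,2}"                      # group/<objectclass>/<attrname>
    r"(?:\.([A-Za-z]+)(?:,[A-Za-z]+)?)?="     # .<style>[,<modifier>]
)

def logical_lines(text):
    """Yield (first_line_no, directive), folding slapd.conf continuation lines."""
    start, buf = 0, ""
    for no, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith("#"):
            continue
        if raw[:1].isspace() and buf:
            buf += " " + raw.strip()
            continue
        if buf:
            yield start, buf
        start, buf = no, raw.strip()
    if buf:
        yield start, buf

def audit(text):
    """Return (line, keyword, message) for clauses whose meaning depends on defaults."""
    findings = []
    for no, directive in logical_lines(text):
        if directive.split()[0] != "access":
            continue
        for m in CLAUSE.finditer(directive):
            kw, style = m.group(1), m.group(2)
            if style is None:
                note = "regex in 2.1, exact in 2.2" if kw == "dn" else "exact in 2.2"
                findings.append((no, kw, "implicit style: " + note))
            elif kw == "group" and style.lower() == "regex":
                findings.append((no, kw, "group.regex unsupported in 2.2; use expand"))
    return findings

SAMPLE = '''\
# constructed sample configuration, not from the page
access to dn=".*,ou=people,dc=example,dc=com" attrs=userPassword
    by group.regex="cn=admins,.*" write
    by peername.ip=127.0.0.1 read
access to dn.subtree="dc=example,dc=com"
    by dn.exact="cn=monitor,dc=example,dc=com" read
    by group="cn=ops,ou=groups,dc=example,dc=com" read
'''

if __name__ == "__main__":
    print("\n".join("line %d: %s: %s" % f for f in audit(SAMPLE)))
```

The first sample directive is the case that matters most: under 2.1 the unstyled dn pattern was a regex covering every entry under ou=people, while under 2.2 it is compared as one exact DN, so the rule no longer applies to those entries.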