A bug was found (thanks Andrew!) in the ACL subsystem which allowed users more access than specified by the ACLs. Testers using of 2.0-beta tarball should apply the following patch: http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/acl.c.diff?r1=1.27.2.7&r2=1.27.2.8