I suggest use of "by ssf=64 read" ... ssf applies to not only LDAP over SSL, but Start TLS [RFC 2830] and SASL [RFC 2829].
access to attr=foo by ssf=64 and dn="something" read
Is this possible?
Finally, is there a good explanation of what the stop | continue | break controls do?
Many thanks,
Allan