Similarly, other ACLs after this one may grant access to cn=log. Your current ACL only grants read access to the group ldap-admins. It doesn't specify rights for other users. Explicitly deny access to others like this:
I tried that as well and got the same result. Also, the man page says that each "access to" stanza is implicitly terminated by a "by * none", so specifying this seems to be unnecessary.
Absolutely. My bad.
Jonathan