
What am I doing wrong with these olcAccess settings?




Hello,

I just need to allow a simple "bind" user to be able to perform the
authenticated searches in the tree, while allowing all other users to
consult their data without being able to modify them. So I have set
the following primitive access rules:

------------------------------
olcAccess: {0}to attrs=userPassword
 by self write
 by dn.base="cn=Manager,dc=example,dc=com" write
 by anonymous auth
 by * none

olcAccess: {1}to *
 by self read
 by dn.base="cn=Manager,dc=example,dc=com" write
 by dn="uid=binduser,ou=Users,dc=example,dc=com" read
-------------------------------

With these settings, I can in fact perform authenticated searches as
dn="uid=binduser,ou=Users,dc=example,dc=com" with filter uid=username.
But the weird thing is that all other non-privileged users cannot see
their own data, although I have added "to * by self read".

What am I missing? Thanks ahead for any comment!

Andy.