
OpenLDAP ACL causing error code 49



I am testing some OpenLDAP ACLs and stumbled on a weird issue. My
configuration has the following ACL defined:

access to *
  by users read
  by peername.ip=1.2.3.4 read
  by * none

When I run the following ldapsearch I get an "Invalid credentials (49)" error:

$ ldapsearch -b 'dc=foo,dc=com' -x -h ldap1 -W -D 'uid=bingo,ou=users,dc=foo,dc=com' '(objectClass=*)'

Enabling the ACL loglevel produces the following:

Nov 16 09:50:02 tulip slapd[17803]: conn=33003 op=0 BIND dn="uid=bingo,ou=users,dc=foo,dc=com" method=128
Nov 16 09:50:02 tulip slapd[17803]: => acl_get: [2] attr userPassword
Nov 16 09:50:02 tulip slapd[17803]: => acl_mask: access to entry "uid=bingo,ou=users,dc=foo,dc=com", attr "userPassword" requested
Nov 16 09:50:02 tulip slapd[17803]: => acl_mask: to value by "", (=0)
Nov 16 09:50:02 tulip slapd[17803]: <= check a_dn_pat: users
Nov 16 09:42:24 tulip slapd[17803]: <= check a_peername_path: 1.2.3.4
Nov 16 09:42:24 tulip slapd[17803]: <= check a_dn_pat: *
Nov 16 09:42:24 tulip slapd[17803]: <= acl_mask: [5] applying none(=0) (stop)
Nov 16 09:42:24 tulip slapd[17803]: <= acl_mask: [5] mask: none(=0)
Nov 16 09:42:24 tulip slapd[17803]: => slap_access_allowed: auth access denied by none(=0)
Nov 16 09:42:24 tulip slapd[17803]: => access_allowed: no more rules

Does anyone happen to know why "acl_mask: to value by" shows ""
instead of the dn of the user passed to the "-D" option? Wireshark
shows the binddn and password being passed to the directory server so
the "" doesn't make a ton of sense. If I add the following ACL to
force anonymous users to auth the search completes without issue:

access to attrs=userPassword
        by self write
        by anonymous auth
        by users none

There must be some subtle item I'm missing here.

Thanks,
- Ryan
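The following is an added example, not part of Ryan's message and not OpenLDAP code: a small Python model of the part of slapd's ACL evaluation that the log above exercises. slapd consults the first access directive whose target matches, then the first by clause that matches the identity performing the operation, and a simple bind is checked before the DN is authenticated, so the identity at that point is anonymous (the `by ""` in the log) and needs `auth` access to the bind DN's userPassword. The model uses the two ACLs from the post and assumes the userPassword directive is listed before `access to *`; the client addresses 10.0.0.5 and the entry uid=other are constructed for the demonstration.

```python
# Added example (not from the original post or from OpenLDAP): a toy model of
# how slapd walks its access directives, to show why the bind in the post is
# evaluated for the anonymous identity ("") and why it needs 'auth' on
# userPassword. ACLs are the ones from the post; client IPs are constructed.

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def level_ge(granted, needed):
    """Access levels are cumulative: 'read' implies 'auth', and so on."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


def who_matches(who, authz_dn, entry_dn, client_ip):
    """Evaluate one 'by <who>' clause for the identity doing the operation.
    authz_dn == "" means the connection is (still) anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return authz_dn == ""
    if who == "users":
        return authz_dn != ""
    if who == "self":
        return authz_dn != "" and authz_dn.lower() == entry_dn.lower()
    if who.startswith("peername.ip="):
        return client_ip == who.split("=", 1)[1]
    raise ValueError(f"who clause not modelled: {who}")


def target_matches(target, attr):
    """'access to <what>': only '*' and 'attrs=...' are modelled here."""
    if target == "*":
        return True
    if target.startswith("attrs="):
        wanted = {a.strip().lower() for a in target[len("attrs="):].split(",")}
        return attr is not None and attr.lower() in wanted
    raise ValueError(f"target not modelled: {target}")


def access_allowed(acls, entry_dn, attr, needed, authz_dn, client_ip):
    """The first directive whose <what> matches is the only one consulted; within
    it the first matching 'by' clause decides (implicit 'stop'). If no 'by'
    clause matches, access is denied."""
    for target, by_clauses in acls:
        if not target_matches(target, attr):
            continue
        for who, level in by_clauses:
            if who_matches(who, authz_dn, entry_dn, client_ip):
                return level_ge(level, needed)
        return False
    return False  # simplification of this model: deny when no directive matched


def simple_bind(acls, bind_dn, client_ip):
    """A simple bind is checked BEFORE the DN is authenticated, so slapd asks for
    'auth' access to the bind DN's userPassword on behalf of the anonymous identity."""
    return access_allowed(acls, bind_dn, "userPassword", "auth",
                          authz_dn="", client_ip=client_ip)


# The ACL from the post: 'by users' can never match an anonymous identity, so the
# bind falls through to 'by * none' unless the client happens to be 1.2.3.4.
ORIGINAL_ACLS = [
    ("*", [("users", "read"),
           ("peername.ip=1.2.3.4", "read"),
           ("*", "none")]),
]

# The post's userPassword directive, placed BEFORE 'access to *' so that it is
# the first directive whose target matches userPassword.
FIXED_ACLS = [
    ("attrs=userPassword", [("self", "write"),
                            ("anonymous", "auth"),
                            ("users", "none")]),
] + ORIGINAL_ACLS

BINGO = "uid=bingo,ou=users,dc=foo,dc=com"
OTHER = "uid=other,ou=users,dc=foo,dc=com"   # constructed second user

if __name__ == "__main__":
    # 10.0.0.5 is a constructed client address, i.e. anything but 1.2.3.4
    print("original ACL, bind from 10.0.0.5:", simple_bind(ORIGINAL_ACLS, BINGO, "10.0.0.5"))
    print("original ACL, bind from 1.2.3.4: ", simple_bind(ORIGINAL_ACLS, BINGO, "1.2.3.4"))
    print("fixed ACL, bind from 10.0.0.5:   ", simple_bind(FIXED_ACLS, BINGO, "10.0.0.5"))
    print("fixed ACL, bingo reads other's password:",
          access_allowed(FIXED_ACLS, OTHER, "userPassword", "read", BINGO, "10.0.0.5"))
```

Running it shows the three outcomes the thread is about: with the original directive the bind is denied from an arbitrary address, is allowed only from 1.2.3.4 (where `read` on userPassword implies `auth`), and succeeds from anywhere once the userPassword directive grants `auth` to anonymous, while `by users none` still keeps one authenticated user from reading another's password.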