Comment 2 for bug 559070

Mathias Gug (mathiaz) wrote :

As documented in the slapd.access man page:

       Lists of access directives are evaluated in the order they appear in
       slapd.conf. When a <what> clause matches the datum whose access is
       being evaluated, its <who> clause list is checked. When a <who> clause
       matches the accessor's properties, its <access> and <control> clauses
       are evaluated. Access control checking stops at the first match of the
       <what> and <who> clause, unless otherwise dictated by the <control>
       clause. Each <who> clause list is implicitly terminated by a

            by * none stop

This is why there needs to be a "by * break" at the end of the access control line - otherwise access will always be denied even if additional ACLs are added to the cn=config tree.
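
The following is an added example, not part of the comment above and not OpenLDAP code: a simplified Python model of the evaluation order the man page excerpt describes, showing why a later ACL is never reached unless the first directive ends in "by * break". The DNs and ACL lists are constructed; `continue`, additive privileges and regex or subtree matching are not modelled.

```python
# Simplified model of slapd ACL evaluation (assumption: exact-match <what>/<who>,
# only the `stop` and `break` controls, `break` carrying no access of its own).

# Every <who> list is implicitly terminated by "by * none stop".
IMPLICIT_TAIL = ("*", "none", "stop")

def evaluate(acls, target, accessor):
    """Return the access level `accessor` gets on `target`.

    acls: ordered list of (what, [(who, access, control), ...]).
    A what/who of "*" matches anything; anything else must match exactly.
    """
    for what, who_list in acls:
        if what != "*" and what != target:
            continue  # <what> does not match: try the next directive
        for who, access, control in who_list + [IMPLICIT_TAIL]:
            if who != "*" and who != accessor:
                continue  # this <who> clause does not match the accessor
            if control == "break":
                break  # leave this directive, fall through to the next one
            return access  # `stop`: checking ends at the first match
    return "none"  # no directive granted anything

# Constructed identities and ACL lists for illustration.
FIRST = "cn=first-admin,dc=example,dc=com"
SECOND = "cn=second-admin,dc=example,dc=com"

# First directive without "by * break": the implicit tail denies everyone else.
WITHOUT_BREAK = [
    ("*", [(FIRST, "manage", "stop")]),
    ("*", [(SECOND, "write", "stop")]),  # added later, never reached
]

# First directive ending in "by * break": later directives are consulted.
WITH_BREAK = [
    ("*", [(FIRST, "manage", "stop"), ("*", None, "break")]),
    ("*", [(SECOND, "write", "stop")]),
]

if __name__ == "__main__":
    for name, acls in (("without break", WITHOUT_BREAK), ("with break", WITH_BREAK)):
        for dn in (FIRST, SECOND):
            print(f"{name:14} {dn:36} -> {evaluate(acls, 'cn=config', dn)}")
```
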