As documented in the slapd.access man page:
Lists of access directives are evaluated in the order they appear in
slapd.conf. When a <what> clause matches the datum whose access is
being evaluated, its <who> clause list is checked. When a <who> clause
matches the accessor's properties, its <access> and <control> clauses
are evaluated. Access control checking stops at the first match of the
<what> and <who> clause, unless otherwise dictated by the <control>
clause. Each <who> clause list is implicitly terminated by a

    by * none stop

This is why there needs to be a "by * break" at the end of the access control line - otherwise access will always be denied even if additional ACLs are added to the cn=config tree.
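
The evaluation order described above, as an added Python sketch (not OpenLDAP code and not part of the original text): it models only "*", "users" and exact-DN matching, absolute access levels, and the "stop" and "break" controls. The DNs and the later-added ACL are constructed for illustration.

```python
# Simplified model of slapd access-directive evaluation (added example).
# Only absolute access levels and the "stop"/"break" controls are modelled;
# <what> is "*" or an exact DN, <who> is "*", "users" or an exact DN.
IMPLICIT_TAIL = ("*", "none", "stop")     # implicit end of every <who> list
ADMIN = "cn=admin,dc=example,dc=org"      # constructed DN
READER = "uid=reader,dc=example,dc=org"   # constructed DN

def who_matches(who, bind_dn):
    if who == "*":
        return True
    if who == "users":                    # any authenticated identity
        return bind_dn is not None
    return who == bind_dn

def evaluate(acls, target_dn, bind_dn):
    """Return (access level, index of the directive that decided it)."""
    for idx, (what, by_clauses) in enumerate(acls):
        if what != "*" and what != target_dn:
            continue                      # <what> does not match this datum
        for who, access, control in list(by_clauses) + [IMPLICIT_TAIL]:
            if not who_matches(who, bind_dn):
                continue
            if control == "break":
                break                     # fall through to the next directive
            return access, idx            # "stop": checking ends here
    return "none", None                   # nothing matched: access denied

first_without_break = ("*", [(ADMIN, "manage", "stop")])
first_with_break = ("*", [(ADMIN, "manage", "stop"), ("*", None, "break")])
added_later = ("*", [("users", "read", "stop")])  # ACL added afterwards

def demo():
    """Evaluate both variants of the first directive for ADMIN and READER."""
    out = {}
    for label, first in (("without break", first_without_break),
                         ("with break", first_with_break)):
        acls = [first, added_later]
        out[label] = {dn: evaluate(acls, "cn=config", dn) for dn in (ADMIN, READER)}
    return out

if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Without the trailing "by * break", READER is denied by the implicit tail of the first directive and the later ACL is never consulted; with it, evaluation reaches the later ACL and READER gets read access.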