Comment 12 for bug 538516

Thierry Carrez (ttx) wrote :

@Nathan: yes, rereading the slapd.access manpage I think you're right, the first match will define the level of access:

<<Access control checking stops at the first match of the <what> and <who> clause, unless otherwise dictated by the <control> clause.>>

Also, given that:
<<Each <who> clause list is implicitly terminated by a "by * none stop" clause that results in stopping the access control with no access privileges granted>>
I think the right way is to completely replace the existing olcAccess: {0} line with
olcAccess: {0}to * by dn.exact=cn=localroot,cn=config manage break
and remove the new olcAccess: {1} line.

I'll file a new bug about this.
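
Added example, not part of the original comment and not slapd code: a simplified Python model of the two manpage rules quoted above (first match wins, and every <who> list ends with an implicit "by * none stop"), run against the replacement line from the comment. The SHADOWED rule pair and the OTHER bind DN are constructed for illustration and are not the bug's actual configuration.

```python
# Simplified model of slapd.access evaluation order; not slapd's own code.
# Assumptions: only "to *" <what>, "dn.exact=" and "*" <who>, stop/break
# controls, and each matching clause assigns (replaces) the access level.

IMPLICIT = ("*", "none", "stop")  # every <who> list ends "by * none stop"

def parse(rule):
    """Split '{n}to * by <who> <level> [<control>] ...' into by-clauses."""
    what, *by_parts = rule.split("}", 1)[1].split(" by ")
    if what.strip() != "to *":
        raise ValueError("model only handles 'to *'")
    clauses = []
    for part in by_parts:
        fields = part.split()
        control = fields[2] if len(fields) > 2 else "stop"  # default control
        if control not in ("stop", "break"):
            raise ValueError("model only handles stop/break")
        clauses.append((fields[0], fields[1], control))
    return clauses + [IMPLICIT]

def who_matches(who, bind_dn):
    return who == "*" or who == "dn.exact=" + bind_dn

def effective_access(rules, bind_dn):
    """Return the access level bind_dn ends up with under the rule list."""
    level = "none"
    for rule in rules:              # rules are tried in {n} order
        for who, granted, control in parse(rule):
            if not who_matches(who, bind_dn):
                continue
            level = granted         # first matching <who> in this rule
            if control == "stop":
                return level        # evaluation ends at the first match
            break                   # "break": fall through to the next rule
    return level

LOCALROOT = "cn=localroot,cn=config"
OTHER = "cn=admin,dc=example,dc=com"            # constructed bind DN

# Constructed rule pair: a catch-all {0} that shadows a later {1}.
SHADOWED = ["{0}to * by * none",
            "{1}to * by dn.exact=cn=localroot,cn=config manage"]
# Single rule as proposed in the comment.
REPLACED = ["{0}to * by dn.exact=cn=localroot,cn=config manage break"]

if __name__ == "__main__":
    for name, rules in (("shadowed", SHADOWED), ("replaced", REPLACED)):
        for dn in (LOCALROOT, OTHER):
            print(name, dn, "->", effective_access(rules, dn))
```

In this model the shadowed pair leaves cn=localroot,cn=config with no access because {0} matches first, while the single replacement rule gives it manage and every other bind DN falls to the implicit terminator.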