@Nathan: yes, rereading the slapd.access manpage I think you're right, the first match will define level of access:
<<Access control checking stops at the first match of the <what> and <who> clause, unless otherwise dictated by the <control> clause.>>
Also, given that:
<<Each <who> clause list is implicitly terminated by a "by * none stop" clause that results in stopping the access control with no access privileges granted>>
I think the right way is to completely replace the existing olcAccess: {0} line by
olcAccess: {0}to * by dn.exact=cn=localroot,cn=config manage break
and remove the new olcAccess: {1} line.
I'll file a new bug about this.
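The evaluation order quoted from slapd.access above, as an added example that is not part of the original comment: a simplified Python model of first-match evaluation with the implicit "by * none stop" terminator. The existing {0} rule and the admin DN are constructed for illustration, and `parse`, `who_matches` and `access` are hypothetical helpers, not OpenLDAP code.

```python
# Simplified model of slapd.access(5) evaluation, limited to what the quoted
# text covers: the first <what>/<who> match decides, <control> is stop or
# break, and every <who> list ends with an implicit "by * none stop".
# Assumptions: <what> is always "*", <who> is "*" or dn.exact=<dn>, levels
# are absolute (no +/- privileges), and "continue" is not modelled.

IMPLICIT = ("*", "none", "stop")
LOCALROOT = "cn=localroot,cn=config"
OTHER = "cn=admin,dc=example,dc=org"   # constructed DN

# Constructed "before" state: some existing {0} rule, then the added {1} rule.
BEFORE = ["to * by dn.exact=" + OTHER + " manage",
          "to * by dn.exact=" + LOCALROOT + " manage"]
# Replacement proposed in the comment: a single {0} rule ending in break.
AFTER = ["to * by dn.exact=" + LOCALROOT + " manage break"]

def parse(line):
    """Split 'to * by <who> <level> [<control>] by ...' into by-clauses."""
    what, *clauses = [p.strip() for p in line.split(" by ")]
    if what != "to *":
        raise ValueError("only 'to *' is modelled")
    out = []
    for clause in clauses:
        parts = clause.split()
        control = parts[2] if len(parts) > 2 else "stop"  # stop is the default
        out.append((parts[0], parts[1], control))
    return out + [IMPLICIT]

def who_matches(who, dn):
    return who == "*" or who == "dn.exact=" + dn

def access(rules, dn):
    """Return the level dn ends up with after walking the rules in order."""
    level = "none"
    for line in rules:
        for who, lvl, control in parse(line):
            if who_matches(who, dn):
                level = lvl
                if control == "stop":
                    return level
                break  # control "break": move on to the next rule
    return level

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        print(name, {dn: access(rules, dn) for dn in (LOCALROOT, OTHER)})
```

In the constructed "before" state the implicit terminator of rule {0} stops evaluation for cn=localroot before rule {1} is ever consulted.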