Default ACL clause should be "by * none stop" not "by * stop".

That is, default rule should set permissions to none.

diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index e256972feea71add23447e9d190a7516004891e0..68353e909a6d64e2ea7b04f1bcda80eef3cbca5b 100644 (file)
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -970,8 +970,11 @@ acl_mask(
                }
        }
 
+       /* implicit "by * none" clause */
+       ACL_INIT(*mask);
+
 #ifdef NEW_LOGGING
-       LDAP_LOG(( "aci", LDAP_LEVEL_RESULTS,
+       LDAP_LOG(( "acl", LDAP_LEVEL_RESULTS,
                   "acl_mask: conn %d  no more <who> clauses, returning %d (stop)\n",
                   conn->c_connid, accessmask2str( *mask, accessmaskbuf) ));
 #else