When evaluating whether some requester should be given access to an entry and/or attribute, slapd compares the entry and/or attribute to the what selectors given in the configuration file. Access directives local to the current database are examined first, followed by global access directives. Within this priority, access directives are examined in the order in which they appear in the configuration file. slapd stops with the first what selector that matches the entry and/or attribute. The corresponding access directive is the one slapd will use to evaluate access.
Next, slapd compares the entity requesting access to the who selectors within the access directive selected above, in the order in which they appear. It stops with the first who selector that matches the requester. This determines the access the entity requesting access has to the entry and/or attribute.
Finally, slapd compares the access granted in the selected access clause to the access requested by the client. If it allows greater or equal access, access is granted. Otherwise, access is denied.
The order of evaluation of access directives makes their placement in the configuration file important. If one access directive is more specific than another in terms of the entries it selects, it should appear first in the configuration file. Similarly, if one who selector is more specific than another it should come first in the access directive. The access control examples given in ``Access control examples'' should help make this clear.