From 7077dc313852ea63431c8b4476314ede6871e479 Mon Sep 17 00:00:00 2001
From: "Karl O. Pinc" <kop@karlpinc.com>
Date: Wed, 22 Apr 2020 17:43:39 -0500
Subject: [PATCH] Better explanation of when access control processing stops

---
 doc/man/man5/slapd.access.5 | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5
index 54b71508fb..3f1b2867f6 100644
--- a/doc/man/man5/slapd.access.5
+++ b/doc/man/man5/slapd.access.5
@@ -95,6 +95,8 @@ clause matches the accessor's properties, its
 and
 .B <control>
 clauses are evaluated.
+
+.LP
 Access control checking stops at the first match of the
 .B <what>
 and
@@ -110,8 +112,26 @@ clause list is implicitly terminated by a
 	by * none stop
 .fi
 .LP
-clause that results in stopping the access control with no access 
-privileges granted.
+.B <control>
+clause.  This implicit
+.B <control>
+stops access directive evaluation with no more access privileges
+granted to anyone else.
+To stop access directive evaluation only when both
+.B <who>
+and
+.B <what>
+match, add an explicit
+.LP
+.nf
+	by * break
+.fi
+.LP
+to the end of the
+.B <who>
+clause list.
+
+.LP
 Each
 .B <what>
 clause list is implicitly terminated by a
-- 
2.47.3