
Here is my ACL; OpenLDAP is v2.4.4.

acl.ldif

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword by dn="cn=Manager,dc=ad,dc=pthl,dc=hk" write by anonymous auth by self write by * none
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=Manager,dc=ad,dc=pthl,dc=hk" write by * read

and then I run

 ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif

and I run

 ldapsearch -x -b ou=people,dc=ad,dc=pthl,dc=hk "(&(objectClass=posixAccount)(uid=someone))" -h 172.16.234.11

which returns

# remove some lines
# .....

userPassword:: e1NTSEE1MTJ9MUpGdjcyd0w4aWJZRHd2eHpacVYyb1c4Q1p0Z0JrdDNpdWJDcU9
 pVjhmNVQ2QkgzWVNLQnVmNU03bnVwNFB2Q2NiaHR3UGcxOW51VitLMitaUk9WY2JLT0NOMDROWGlG

newbie

1 Answer

After reading the official docs, I found the root cause: ACLs are database-specific, so they must be added to either the frontend or the HDB database. I added them in the wrong place. :(

So my final configuration is

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=ad,dc=pthl,dc=hk
olcRootDN: cn=Manager,dc=ad,dc=pthl,dc=hk

#................
#................

# the user itself and Manager may write, anonymous may only bind (auth), everyone else is denied
olcAccess: to attrs=userPassword
  by self write
  by anonymous auth
  by dn.base="cn=Manager,dc=ad,dc=pthl,dc=hk" write
  by * none
# Manager may write; others (both authenticated and anonymous) may read.
olcAccess: to *
  by dn.base="cn=Manager,dc=ad,dc=pthl,dc=hk" write
  by * read

And the default access control policy is to allow read by all clients. Regardless of what access control policy is defined, the rootdn is always allowed full rights (i.e. auth, search, compare, read and write) on everything and anything.

As a consequence, it's useless (and results in a performance penalty) to explicitly list the rootdn among the clauses.

newbie

Another useful link is https://serverfault.com/questions/325912/disallow-global-anonymous-bind-with-cn-config – newbie Apr 12 '19 at 12:50
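To make the placement point concrete, here is an added example (my own Python, not code from the post or from OpenLDAP) that models how slapd evaluates olcAccess directives: the first `to` clause whose target matches is used, within it the first matching `by` clause decides the level, a matching `to` with no matching `by` denies (the implicit `by * none`), no matching directive at all falls back to the default read-for-all policy quoted in the answer, and the rootdn bypasses the ACLs entirely. The ACL text is the answer's fixed one; the entry DN `uid=someone,ou=people,dc=ad,dc=pthl,dc=hk`, the second user DN and the simplified `who` matching (only `*`, `anonymous`, `users`, `self` and `dn=`/`dn.base=` exact matches) are assumptions of the example. An empty rule list stands for the question's situation, where the rules had gone into `olcDatabase={0}config` and the hdb database had no ACL of its own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# OpenLDAP access levels in increasing order of privilege.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass(frozen=True)
class Requester:
    dn: Optional[str]  # None models an anonymous bind


def unfold_ldif(text: str) -> list[str]:
    """Join LDIF continuation lines (a line starting with whitespace continues the previous one)."""
    lines: list[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_olcaccess(ldif: str) -> list[tuple[str, list[tuple[str, str]]]]:
    """Return [(what, [(who, level), ...]), ...] for every olcAccess directive in the LDIF text."""
    rules = []
    for line in unfold_ldif(ldif):
        if not line.lower().startswith("olcaccess:"):
            continue
        body = line.split(":", 1)[1].strip()
        parts = re.split(r"\s+by\s+", body)
        what = parts[0].split(None, 1)[1]                   # drop the leading "to"
        who = [tuple(p.rsplit(None, 1)) for p in parts[1:]]  # ("<who>", "<level>")
        rules.append((what, who))
    return rules


def _what_matches(what: str, target_dn: str, attr: str) -> bool:
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in (a.lower() for a in what[len("attrs="):].split(","))
    if what.startswith("dn.base="):
        return target_dn.lower() == what[len("dn.base="):].strip('"').lower()
    return False  # other selectors (filter=, dn.subtree=, ...) are out of scope here


def _who_matches(who: str, req: Requester, target_dn: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return req.dn is None
    if who == "users":
        return req.dn is not None
    if who == "self":
        return req.dn is not None and req.dn.lower() == target_dn.lower()
    if who.startswith("dn=") or who.startswith("dn.base="):
        wanted = who.split("=", 1)[1].strip('"')
        return req.dn is not None and req.dn.lower() == wanted.lower()
    return False


def access(rules, req: Requester, target_dn: str, attr: str, rootdn: Optional[str] = None) -> str:
    """Access level granted to req on (target_dn, attr) under slapd's first-match semantics."""
    if rootdn is not None and req.dn is not None and req.dn.lower() == rootdn.lower():
        return "manage"  # the rootdn is never subject to the ACLs
    for what, who in rules:
        if not _what_matches(what, target_dn, attr):
            continue
        for spec, level in who:
            if _who_matches(spec, req, target_dn):
                return level
        return "none"  # matching <what> but no matching <by>: implicit "by * none"
    return "read"  # no directive matched: the default policy is read for all clients


def allows(level: str, needed: str) -> bool:
    """True if the granted level is at least the level an operation needs."""
    return LEVELS.index(level) >= LEVELS.index(needed)


# The answer's fixed ACL for the hdb database, as LDIF with continuation lines.
HDB_ACL = """\
olcAccess: to attrs=userPassword
  by self write
  by anonymous auth
  by dn.base="cn=Manager,dc=ad,dc=pthl,dc=hk" write
  by * none
olcAccess: to *
  by dn.base="cn=Manager,dc=ad,dc=pthl,dc=hk" write
  by * read
"""
ROOTDN = "cn=Manager,dc=ad,dc=pthl,dc=hk"
USER = "uid=someone,ou=people,dc=ad,dc=pthl,dc=hk"  # assumed entry DN for the searched account


def password_access_table(rules) -> dict[str, str]:
    """Level each kind of requester gets on the user's userPassword attribute."""
    requesters = {
        "anonymous": Requester(None),
        "self": Requester(USER),
        "other user": Requester("uid=other,ou=people,dc=ad,dc=pthl,dc=hk"),  # assumed DN
        "Manager": Requester(ROOTDN),
    }
    return {name: access(rules, r, USER, "userPassword", rootdn=ROOTDN) for name, r in requesters.items()}


if __name__ == "__main__":
    # Question: rules loaded into the config database, so hdb had no ACL and used the default.
    print("no ACL on hdb :", password_access_table([]))
    # Answer: the same rules applied to the hdb database itself.
    print("ACL on hdb    :", password_access_table(parse_olcaccess(HDB_ACL)))
```

Running it prints two tables; the first row of the first table (`anonymous: read`) is exactly why the unauthenticated `ldapsearch -x` in the question came back with the `userPassword` hash, and the second table shows the intended outcome once the directives live on the hdb database. The model is deliberately small: it does not handle the frontend database's ACL inheritance, `dn.subtree`/`dn.regex` selectors, `filter=` targets or `break`/`stop` controls.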