Various system components need restricted access, so using "cn=directory manager" is out of the question.
I set nsslapd-errorlog-level=128 (logs ACL processing) to dig more into the internals. Here's what I saw:
1.2.11
NSACLPlugin - #### conn=3 op=1 binddn="uid=root,ou=users,o=xxx"
............ cached allow by aci(7)
...
NSACLPlugin - #### conn=3 op=1 binddn="uid=root,ou=users,o=xxx"
.............cached allow by aci(7)
...
1.2.5
NSACLPlugin - #### conn=881 op=1 binddn="uid=root,ou=users,o=xxx"
...........cached allow by aci(7)
.......
NSACLPlugin - #### conn=881 op=1 binddn="uid=root,ou=users,o=xxx"
..........cached context/parent allow
.......
As you can see, in 1.2.5, where the search returns faster, for the first returned entry there is "cached allow by aci(7)", whereas for every next one there's "cached context/parent allow". In 1.2.11, however, there is "cached allow by aci(7)" for every returned entry. Is this difference of any significance? Am I missing some kind of caching in 1.2.11?
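An added example, not part of the original post: a small Python tally of the two cache decisions quoted above, per connection and operation, so error logs captured at nsslapd-errorlog-level=128 on both versions can be compared by number rather than by eye. The sample lines are constructed from the excerpts in the post; the function names are hypothetical, and attributing each decision line to the most recent "####" header is an assumption about the log layout.

```python
import re
from collections import Counter, defaultdict

# Header the ACL plugin logs before an evaluation, in the form shown in the post.
HEADER = re.compile(r'NSACLPlugin - #### conn=(\d+) op=(\d+) binddn="([^"]*)"')
# The two decision reasons quoted in the post.
REASON = re.compile(r'cached allow by aci\(\d+\)|cached context/parent allow')
CONTEXT = "cached context/parent allow"

def tally(lines):
    """Return {(conn, op, binddn): Counter(reason -> count)}.

    Assumption: a decision line belongs to the most recent header line.
    """
    result = defaultdict(Counter)
    current = None
    for line in lines:
        header = HEADER.search(line)
        if header:
            current = (int(header.group(1)), int(header.group(2)), header.group(3))
            continue
        reason = REASON.search(line)
        if reason and current is not None:
            result[current][reason.group(0)] += 1
    return dict(result)

def context_share(counter):
    """Fraction of decisions answered from the context/parent cache."""
    total = sum(counter.values())
    return counter[CONTEXT] / total if total else 0.0

# Constructed samples, copied from the excerpts in the post.
SAMPLE_1_2_11 = [
    'NSACLPlugin - #### conn=3 op=1 binddn="uid=root,ou=users,o=xxx"',
    '............ cached allow by aci(7)',
    '...',
    'NSACLPlugin - #### conn=3 op=1 binddn="uid=root,ou=users,o=xxx"',
    '.............cached allow by aci(7)',
]
SAMPLE_1_2_5 = [
    'NSACLPlugin - #### conn=881 op=1 binddn="uid=root,ou=users,o=xxx"',
    '...........cached allow by aci(7)',
    '.......',
    'NSACLPlugin - #### conn=881 op=1 binddn="uid=root,ou=users,o=xxx"',
    '..........cached context/parent allow',
]

if __name__ == "__main__":
    for name, sample in (("1.2.11", SAMPLE_1_2_11), ("1.2.5", SAMPLE_1_2_5)):
        for key, counts in tally(sample).items():
            print(name, key, dict(counts), "context share:", context_share(counts))
```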