I'm trying to configure a new installation of OpenLDAP (2.6.39) on Arch Linux. I've used the default core packages to install and configure it, however I cannot get it to obey any access control declarations in the settings file.
My /etc/openldap/slapd.conf has just these two declarations that I got from the docs:
access to attr=userPassword
    by self =xw
    by anonymous auth
    by * none
access to *
    by self write
    by users read
    by * none
I've started the service normally and most things seem to work. I can login using pam/nslcd and use phpldapadmin. However the above access restrictions do not seem to be working. From phpldapadmin I was able to see and change the password field for users other than the uid I connected with. The same happens using the command line client (output cropped):
$ ldapsearch -D 'uid=user2,ou=People,dc=example,dc=com' -w 1234 '(uid=user1)'
userPassword:: e1NTSEF9VEZ4K2U1M0JtUEU0NkljdlBPaTBycE41RTh2aXJNeTg=
As you can see I am authenticating using user2 but am able to query the entry for user1 and see the password field.
Other declarations in slapd.conf are clearly in effect, so I'm not editing the wrong file or something like that. I've tried setting draconian rules like access to * by * none as the only rule but am still able to see anything in the directory from any user. I'm placing the access lines at the place in the default configuration where the sample ones were.
How do I make OpenLDAP actually heed the ACLs in its config file instead of ignoring them?
Most of the configuration for OpenLDAP (including ACLs) really belongs in the cn=config configuration subtree. It's possible you have something in there that overrides your statements in slapd.conf. See this documentation to read about the modern way to configure your LDAP server.

As a transitional measure, the Arch Linux packages for OpenLDAP come with a slapd.conf file, but if you follow the instructions on their wiki you will find at the end of the setup section they have you automatically convert this to the new format. Note especially the line at the end. If you choose to make future config changes in the old format you will need to convert them every time.