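# slapd access-control rules (olcAccess) for the frontend, cn=config and the
# primary mdb database, written as three LDIF modify records for ldapmodify.
# Each record REPLACES the whole olcAccess set of its database, so any rule
# that is not listed here is removed when the record is applied.
#
# Reading the rules: the first "to" clause that matches the target wins, and
# inside it the first matching "by" clause decides the access level and stops,
# unless that clause ends in "break". Continuation lines start with two
# spaces: LDIF unfolding removes the first, the second separates the clauses.
#
# gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth is local root
# connecting over ldapi:// with SASL EXTERNAL.
#
# NOTE(review): the frontend and config records name cn=admin under base_dn,
# while the mdb record uses the admin_dn variable. Confirm both resolve to the
# same entry; otherwise one of them grants manage to an unintended DN.

# Frontend (global) rules. Local root, the admin entry and members of
# cn=admins get manage on everything; everyone else falls through ("break")
# to the read-only rules for the root DSE and the subschema entry.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by dn.exact="cn=admin,{{ base_dn }}" manage
  by group.exact="cn=admins,ou=privileged-groups,{{ base_dn }}" manage
  by * break
olcAccess: {1}to dn.exact=""
  by * read
olcAccess: {2}to dn.base="cn=Subschema"
  by * read

# cn=config rules. manage here means full control of the running server
# (ACLs, overlays, databases), so it is reachable by anyone who can bind as
# the admin entry or who is a member of cn=admins. Keep that group's
# membership and the admin credential as tightly held as local root.
# No later rule exists, so "by * break" ends in the implicit deny.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by dn.exact="cn=admin,{{ base_dn }}" manage
  by group.exact="cn=admins,ou=privileged-groups,{{ base_dn }}" manage
  by * break

# Directory data (mdb) rules.
#  {0} userPassword: owner may write, anonymous may only use it to bind
#      ("auth"), admins manage, nobody else can see it.
#      "by anonymous auth" permits simple binds, and nothing in these rules
#      requires a protected connection. If TLS is not enforced elsewhere
#      (for example with olcSecurity), add that, or passwords can cross the
#      network in clear text.
#  {1} shadowLastChange: the admin identities are listed explicitly because
#      "by * read" ends evaluation for this attribute. Without them, an
#      admin who is not the rootdn could reset a password under {0} but be
#      refused when updating the matching password-age field.
#      "by self write" lets a user rewrite their own password-age value, so
#      do not treat this attribute as an enforcement control by itself.
#  {3} everything else: admins manage, the read-only service account and
#      the entry's owner may read, all other identities get nothing.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by dn.exact="{{ admin_dn }}" manage
  by group.exact="cn=admins,ou=privileged-groups,{{ base_dn }}" manage
  by * none
olcAccess: {1}to attrs=shadowLastChange
  by self write
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by dn.exact="{{ admin_dn }}" manage
  by group.exact="cn=admins,ou=privileged-groups,{{ base_dn }}" manage
  by * read
olcAccess: {2}to dn.base=""
  by * read
olcAccess: {3}to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by dn.exact="{{ admin_dn }}" manage
  by dn.exact="cn=readonly,ou=service-accounts,{{ base_dn }}" read
  by group.exact="cn=admins,ou=privileged-groups,{{ base_dn }}" manage
  by self read
  by * none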