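# Access rules for the {2}mdb database, generated from the accounts settings.
# slapd applies the first olcAccess rule whose target matches, so order matters:
#   {0}   userPassword: the owner may change it and anonymous may only bind.
#         Because it comes first, the remote DNs granted write below never
#         get access to password values.
#   next  one rule per client family subtree: each remote DN gets read or
#         write according to its read_only flag, everyone else gets none.
#   last  the extra rules taken from the ldap_acl_attribute list.
# Indexes are contiguous: the counter is advanced after each rule is written.
# "replace" discards any olcAccess value set by hand on this database.
# Entries matched by no rule fall through to the frontend (global) rules,
# if any, and otherwise to the implicit deny of slapd.
# Remote DNs, base DNs and extra rules are inserted as-is; they are assumed
# to be validated upstream (a double quote in a DN would break the rule).
%set %%dns = {}
%for %%remote in %%accounts.remotes
%set %%name = %%normalize_family(%%remote)
%set %%remote_cfg = %%accounts['remote_' + %%name]
%set %%family = %%remote_cfg['family_' + %%name]
%%dns.setdefault(%%family, []).append((%%remote_cfg['dn_' + %%name], %%remote_cfg['read_only_' + %%name]))%slurp
%end for
dn: olcDatabase={2}mdb,cn=config
changetype:modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
%set %%aclidx = 1
%for %%family, %%remotes in %%dns.items()
olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldap_base_dn, %%family)"
  by self read
%for %%remote in %%remotes
%if %%remote[1]
  by dn="%%remote[0]" read
%else
  by dn="%%remote[0]" write
%end if
%end for
  by * none
%set %%aclidx += 1
%end for
%for %%acl in %%accounts.acl.ldap_acl_attribute
olcAccess: {%%aclidx}to %%acl %echo ' '.join(%%acl.ldap_acl_rights)
%set %%aclidx += 1
%end for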