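# olcAccess for the mdb backend, rendered from the remote-host configuration.
# Rule layout (OpenLDAP stops at the first "to" clause that matches, so order
# is significant):
#   {0}      userPassword: only the entry itself may write it, anonymous may
#            use it to bind, nobody else sees it. Keep this first so a remote
#            granted "write" on a family subtree below never reaches it.
#   {1}      the group tree, readable by every remote DN collected in %%groups.
#   {2..n}   one rule per family subtree: the family's own remotes plus the
#            'all' remotes, each with its configured right.
#   {n+1}    the whole account tree for the 'all' remotes.
# Every rule ends with "by * none", so anything not listed is denied.
# NOTE(review): remote DNs are interpolated verbatim into dn="..." below; they
# must not contain a double quote. They are assumed to come from the accounts
# configuration, not from user input -- confirm.
%set %%name_family = 'gnunux'
%set %%dns = {}
%set %%groups = []
# Built-in test remotes. Family None = a subtree with no family, 'all' = every
# family subtree plus the account tree.
# NOTE(review): these test DNs receive read access unconditionally; confirm
# this is intended outside test environments.
%%groups.append('cn=remote_test0,' + %%ldapclient_base_dn)%slurp
%%groups.append('cn=remote_test1,' + %%ldapclient_base_dn)%slurp
%%groups.append('cn=remote_test2,' + %%ldapclient_base_dn)%slurp
%%dns.setdefault(None, []).append(('cn=remote_test0,' + %%ldapclient_base_dn, 'read'))%slurp
%%dns.setdefault('all', []).append(('cn=remote_test1,' + %%ldapclient_base_dn, 'read'))%slurp
%%dns.setdefault(%%name_family, []).append(('cn=remote_test2,' + %%ldapclient_base_dn, 'read'))%slurp
# Configured remotes: each one is readable in the group tree and gets
# read (read_only) or write (otherwise) on its family subtree.
%for %%remote in %%accounts.remotes
%set %%name = %%normalize_family(%%remote)
%set %%family = %%accounts['remote_' + %%name]['family_' + %%name]
%%groups.append(%%accounts['remote_' + %%name]['dn_' + %%name])%slurp
%if %%accounts['remote_' + %%name]['read_only_' + %%name]
%set %%right = 'read'
%else
%set %%right = 'write'
%end if
%%dns.setdefault(%%family, []).append((%%accounts['remote_' + %%name]['dn_' + %%name], %%right))%slurp
%end for
dn: olcDatabase={2}mdb,cn=config
changetype:modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
 by self write
 by anonymous auth
 by * none
olcAccess: {1}to dn.subtree="%%ldap_group_dn"
%for %%group in %%groups
 by dn="%%group" read
%end for
 by * none
# 'all' is skipped in this loop (it has no subtree of its own) and handled
# by the final rule over %%ldap_account_dn.
%set %%aclidx = 2
%for %%family, %%remotes in %%dns.items()
%if %%family == 'all'
%continue
%end if
olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, %%family)"
 by self read
%for %%remote in %%remotes
 by dn="%%remote[0]" %%remote[1]
%end for
%if 'all' in %%dns
%for %%remote in %%dns['all']
 by dn="%%remote[0]" %%remote[1]
%end for
%end if
 by * none
%set %%aclidx += 1
%end for
%if 'all' in %%dns
olcAccess: {%%aclidx}to dn.subtree="%%ldap_account_dn"
 by self read
%for %%remote in %%dns['all']
 by dn="%%remote[0]" %%remote[1]
%end for
 by * none
%end if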