# LDIF change record template: replaces every olcAccess rule of
# olcDatabase={2}mdb,cn=config in a single modify operation.
#
# These notes are plain LDIF comment lines. They sit before the dn: line on
# purpose: the rule values below are folded over several lines, so nothing
# may be inserted between a rule and its indented "by" clauses.
#
# Preamble loop: for each entry of accounts.remotes, the remote's dn is
# appended to "groups", and a (dn, read_only) pair is appended to "dns"
# under the remote's family. Both appends end with slurp so that they do
# not leave a line in the rendered output.
#
# Rule {0}  userPassword: the owner may write, anonymous may only bind
#           (auth), everyone else gets none. slapd stops at the first rule
#           whose target matches, so this rule has to stay first to keep
#           password hashes out of the subtree grants below.
# Rule {1}  group subtree: every collected remote dn gets read, everyone
#           else gets none.
# Rule {2+} one rule per family, numbered by aclidx. The family 'all' is
#           mapped to the base subtree, any other family to its own
#           subtree. Entries may read themselves; each remote dn gets read
#           when its read_only flag is true and write otherwise; everyone
#           else gets none.
#
# NOTE(review): the family rules are emitted in dns.items() order. If the
# base subtree used for 'all' contains the per-family subtrees, a rule for
# 'all' rendered first would shadow the family rules - confirm the order.
# NOTE(review): dn values are interpolated unescaped inside by dn="...".
# Confirm they are validated upstream (no double quote, no line break),
# since a malformed value would change the meaning of the access rule.
# NOTE(review): the loop over "groups" names its loop variable without the
# variable prefix used by the other loops - presumably equivalent, verify.
%set %%dns = {}
%set %%groups = []
%for %%remote in %%accounts.remotes
 %set %%name = %%normalize_family(%%remote)
 %set %%family = %%accounts['remote_' + %%name]['family_' + %%name]
%%groups.append(%%accounts['remote_' + %%name]['dn_' + %%name])%slurp
%%dns.setdefault(%%family, []).append((%%accounts['remote_' + %%name]['dn_' + %%name], %%accounts['remote_' + %%name]['read_only_' + %%name]))%slurp
%end for
dn: olcDatabase={2}mdb,cn=config
changetype:modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
    by self write
    by anonymous auth
    by * none
olcAccess: {1}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None, group=True)"
%for group in %%groups
    by dn="%%group" read
%end for
    by * none
%set %%aclidx = 2
%for %%family, %%remotes in %%dns.items()
 %if %%family == 'all'
olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None, base=True)"
 %else
olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, %%family)"
 %end if
    by self read
 %for %%remote in %%remotes
    by dn="%%remote[0]" %slurp
  %if %%remote[1]
read
  %else
write
  %end if
 %end for
  %set %%aclidx += 1
    by * none
%end for