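#RISOTTO: do not compare
{#
  Rebuilds the olcAccess list of the {2}mdb database from the configured
  remote accounts.  Two structures are collected first:
    groups -- every remote DN; all of them may read the group subtree.
    dns    -- family -> [(remote DN, right)], used to scope each remote to
              the account subtree of its own family.  The pseudo-family
              'all' is granted on every family subtree and on ldap_account_dn.
  Side-effect calls are written as `set _ = ...` so that nothing is ever
  emitted into the LDIF, whatever the environment's finalize hook does with
  a None return value (the previous `{{ list.append() }}` form relied on it).
#}
{% set name_family = 'gnunux' %}
{% set dns = {} %}
{% set groups = [] %}
{# NOTE(review): the three remote_test* DNs and name_family look like test
   fixtures; confirm they are wanted in every deployment, since each one is
   granted read on the group subtree and on a family subtree.  The None
   family key is handed to calc_ldapclient_base_dn unchanged -- check that
   the filter accepts it.  Nothing here is escaped: a DN or family value
   containing a double quote or a newline would break out of the quoted
   ACL clause, so this assumes the accounts configuration is trusted. #}
{% set _ = groups.append('cn=remote_test0,' + ldap_base_dn) %}
{% set _ = groups.append('cn=remote_test1,' + ldap_base_dn) %}
{% set _ = groups.append('cn=remote_test2,' + ldap_base_dn) %}
{% set _ = dns.setdefault(None, []).append(('cn=remote_test0,' + ldap_base_dn, 'read')) %}
{% set _ = dns.setdefault('all', []).append(('cn=remote_test1,' + ldap_base_dn, 'read')) %}
{% set _ = dns.setdefault(name_family, []).append(('cn=remote_test2,' + ldap_base_dn, 'read')) %}
{% for remote in accounts.remotes %}
{% set name = remote|normalize_family %}
{% set family = accounts['remote_' + name]['family_' + name] %}
{% set remote_dn = accounts['remote_' + name]['dn_' + name] %}
{% set _ = groups.append(remote_dn) %}
{# remotes only ever get read; the right is stored next to the DN so the
   ACL loops below stay generic #}
{% set _ = dns.setdefault(family, []).append((remote_dn, 'read')) %}
{% endfor %}
dn: olcDatabase={2}mdb,cn=config
changetype:modify
replace: olcAccess
{# slapd evaluates olcAccess in index order and the first `to` clause that
   matches wins.  {0} therefore shields userPassword on every entry from the
   read grants below: a user may change their own, an unauthenticated bind
   may only authenticate against it, nobody else sees the hash. #}
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
{# Every remote may read the whole group subtree; everyone else is denied. #}
olcAccess: {1}to dn.subtree="{{ ldap_group_dn }}"
{% for group in groups %}
  by dn="{{ group }}" read
{% endfor %}
  by * none
{# Jinja scopes `set` to the enclosing loop body, so the running ACL index
   lives in a mutable dict and is bumped in place (update() instead of the
   dunder __setitem__, which a sandboxed environment would refuse). #}
{% set acl = {'idx': 2} %}
{# One rule per family subtree: self, the family's own remotes and the 'all'
   remotes may read it.  These are emitted before the ldap_account_dn rule
   on purpose: if the family subtrees sit under ldap_account_dn, as the
   filter name suggests, that broader match would otherwise shadow them. #}
{% for family, remotes in dns.items() %}
{% if family != 'all' %}
olcAccess: { {{- acl['idx'] -}} }to dn.subtree="{{ ldap_base_dn|calc_ldapclient_base_dn(family) }}"
  by self read
{% for remote in remotes %}
  by dn="{{ remote[0] }}" {{ remote[1] }}
{% endfor %}
{% for remote in dns.get('all', []) %}
  by dn="{{ remote[0] }}" {{ remote[1] }}
{% endfor %}
{% set _ = acl.update({'idx': acl['idx'] + 1}) %}
  by * none
{% endif %}
{% endfor %}
{# Catch-all for the 'all' remotes on the account subtree itself, last so
   it never overrides a family-scoped rule. #}
{% if 'all' in dns %}
olcAccess: { {{- acl['idx'] -}} }to dn.subtree="{{ ldap_account_dn }}"
  by self read
{% for remote in dns['all'] %}
  by dn="{{ remote[0] }}" {{ remote[1] }}
{% endfor %}
  by * none
{% endif %}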