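# Template for an LDIF modify record that REPLACES the whole olcAccess list of
# olcDatabase={2}mdb,cn=config. Any ACL that is not rendered below is removed
# from the database when this record is applied.
#
# slapd evaluates olcAccess rules in index order and stops at the first rule
# whose target matches, so the order below is part of the policy:
#   {0} userPassword: writable by its owner, usable for bind by anonymous,
#       hidden from everyone else. It must stay first so that the write
#       access granted to remote accounts in {1} never reaches password hashes.
#   {1} ou=users subtree: each entry can read itself; every configured remote
#       account gets read or write depending on its read_only flag; everyone
#       else gets nothing.
#   {2} and up: one rule per ldap_acl_attribute value with its ldap_acl_rights,
#       inserted verbatim. These values are not validated here, so review them
#       like hand-written ACLs. Because {0} and {1} both end with a catch-all
#       clause, a later rule aimed at userPassword or at entries under ou=users
#       is never reached.
#
# Each remote clause is emitted on its own continuation line, terminated by its
# own newline. No blank line is emitted when the remotes list is empty: a blank
# line is an LDIF record separator and would cut the record before the
# closing catch-all clause and the additional rules.
dn: olcDatabase={2}mdb,cn=config
changetype:modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
    by self write
    by anonymous auth
    by * none
olcAccess: {1}to dn.subtree="ou=users,%%ldap_base_dn"
    by self read
%set %%aclidx = 1
%for %%remote in %%accounts.remotes
 %set %%name = %%normalize_family(%%remote)
 %if %%accounts['remote_' + %%name]['read_only_' + %%name]
  %set %%remote_right = 'read'
 %else
  %set %%remote_right = 'write'
 %end if
    by dn="%%accounts['remote_' + %%name]['dn_' + %%name]" %%remote_right
%end for
    by * none
%for %%idx, %%acl in %%enumerate(%%accounts.acl.ldap_acl_attribute)
 %set %%aclidx += 1
olcAccess: {%%aclidx}to %%acl %echo ' '.join(%%acl.ldap_acl_rights)
%end for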