dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to *
  by group.exact="cn=admins,ou=security,dc=kyriasis,dc=com" manage
  by * read
olcAccess: to attrs=uid,uidNumber,gidNumber,homeDirectory,
 krbPrincipalName,objectClass,structuralObjectClass,entryUUID,
 entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp
  by * read
olcAccess: to attrs=userPassword,userPKCS12,shadowLastChange
  by self write
  by * auth
olcAccess: to dn.subtree="cn=krbcontainer,ou=security,dc=kyriasis,dc=com"
  by dn.exact="cn=kdc,ou=security,dc=kyriasis,dc=com" read
  by dn.exact="cn=kadmin,ou=security,dc=kyriasis,dc=com" write
  by * none
olcAccess: to dn.regex="^uid=([^,]+),ou=users,dc=kyriasis,dc=com$"
  by dn.exact,expand="uid=$1,ou=users,dc=kyriasis,dc=com" write
  by dn.exact="cn=kadmin,ou=security,dc=kyriasis,dc=com" write
  by * read
olcAccess: to dn.subtree="ou=hosts,dc=kyriasis,dc=com"
  by dn.exact="cn=kadmin,ou=security,dc=kyriasis,dc=com" write
  by * read
#olcAccess: to *
  by self write
  by * read
-

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcAccess
olcAccess: to dn.base=""
  by self write
  by * read
olcAccess: to dn.base="cn=Subschema"
  by * read