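########################################################################
# slapd access control (see slapd.access(5)).
#
# Evaluation order matters: slapd uses the FIRST "access to" directive
# whose target matches the entry/attribute, and inside it the FIRST
# "by" clause whose subject matches. Subjects not named in any "by"
# clause fall through to an implicit "by * none". Each "o=([^,]+)"
# capture below is referenced as $1/$2 in the group DNs.
#
# NOTE(review): the dn= patterns carry no ^/$ anchors; confirm whether
# this slapd release anchors legacy dn=<regex> targets implicitly,
# otherwise any DN that merely contains "o=<name>" also matches.
########################################################################

# Password change support -- Users ought to be able to change their
# passwords. It is also very nice to have users be able to
# authenticate, so this gives compare access to the password
# attribute.
#
# Top-level admins need a TLS session (tls_ssf=128) to write; the
# entry's owner may write; "anonymous auth" allows the bind-time
# compare without disclosing the stored value. Everyone else: none.
# NOTE(review): "by self write" has no tls_ssf, so a user can submit a
# new password over a cleartext session; if TLS can be required,
# "by self tls_ssf=128 write" closes that (the anonymous auth clause
# is unaffected).
access to dn=".*o=([^,]+)" attrs=userPassword
        by group="cn=ldap-adm,ou=Groups,o=$1" tls_ssf=128 write
        by self write
        by anonymous auth

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#
# This directive MUST precede the general "Domain access" directive:
# its target (…,ou=Roaming,o=$1,ou=Domains,o=$2) is a strict subset of
# the domain target (.*o=$1,ou=Domains,o=$2), so listed after it the
# roaming rule was never reached and "by dnattr=owner write" never
# applied. Non-owners get no access here (implicit "by * none").
access to dn=".*,ou=Roaming,o=([^,]+),ou=Domains,o=([^,]+)"
        by group="cn=ldap-adm,ou=Groups,o=$2" tls_ssf=128 write
        by group="cn=admin,ou=Groups,o=$1,ou=Domains,o=$2" tls_ssf=128 write
        by dnattr=owner write

# Domain access -- Each domain can be managed by the
# administrator group and the toplevel admin group.
#
# $1 = domain organisation, $2 = top-level organisation. This target
# covers every attribute except userPassword (decided above), so it is
# also the directive that decides cn/sn/loginShell for entries under
# ou=Domains -- the "User modifiable" directive further down does not
# reach them. The toplevel admin group is required to use TLS here,
# as it is in every other directive of this file (previously the only
# clause granting it cleartext write).
access to dn=".*o=([^,]+),ou=Domains,o=([^,]+)"
        by group="cn=ldap-adm,ou=Groups,o=$2" tls_ssf=128 write
        by group="cn=admin,ou=Groups,o=$1,ou=Domains,o=$2" tls_ssf=128 write
        by users read
        by anonymous read

# User modifiable -- Users can change a few attributes in their
# object, we don't want to be bothered for spelling errors.
#
# NOTE(review): because "Domain access" above matches first, this
# self-write applies only to entries that are NOT under ou=Domains.
# If user objects live under ou=Domains, move this directive above
# "Domain access" (and then re-check the self-writable loginShell).
access to dn=".*o=([^,]+)" attrs=cn,sn,loginShell
        by group="cn=ldap-adm,ou=Groups,o=$1" tls_ssf=128 write
        by self write
        by users read
        by anonymous read

# Root access -- Toplevel admin users have access to the whole
# tree. Regular users can only see what is under ou=Domains.
#
# NOTE(review): "by self write" here grants an entry's owner write on
# ALL remaining attributes of its own entry (anything not decided by
# an earlier directive, e.g. objectClass), not just the few listed in
# "User modifiable". Confirm this is intended; "by self read" is the
# narrower alternative.
access to dn=".*o=([^,]+)"
        by group="cn=ldap-adm,ou=Groups,o=$1" tls_ssf=128 write
        by self write
        by * none

# Catch-all: only entries with no "o=" component in their DN (e.g. the
# root DSE and similar) reach this directive, since the previous one
# already matched -- and denied -- everything else.
access to *
        by * read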