# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
access to dn.subtree="ou=SAM,@SUFFIX@" attrs=userpassword,shadowLastChange
        by dn.exact="@ADMIN@" write
	by group="cn=SAM,ou=Administrators,ou=Access Control,@SUFFIX@" write
        by anonymous auth
        by self write
        by * none