# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too, but if you change that, as people
# are wont to do, you'll still need this if you
# want SASL (and possibly other things) to work
# happily.
# dn.base="" matches only the root DSE entry itself (the empty DN), not
# anything beneath it, so this anonymous read grant stays narrow.
access to dn.base=""
	by * read

# NOTE(review): this lets every client, anonymous ones included, read the
# whole cn=monitor subtree.  If the monitor backend is enabled, that hands
# server operational data to unauthenticated clients; consider limiting
# this rule to authenticated administrative identities unless anonymous
# monitoring is really needed.
access to dn.subtree="cn=monitor"
	by * read

# The admin dn has full write access, everyone else
# needs further checking.
#
# Members of the DSA and Replicants groups get the same write access as
# the admin dn.  No attrs= restriction is given, so the grant covers every
# attribute of every entry under the suffix, password attributes included;
# treat membership of either group as equivalent to admin.
#
# NOTE(review): both group entries live under @SUFFIX@ themselves.  Any
# later rule that lets other identities modify their uniqueMember values
# would let those identities add themselves and gain this access -- verify
# against the ACLs that follow (not visible in this section).
#
# "by * break" passes all other clients on to the next matching
# "access to" rule; without it slapd ends the clause with an implicit
# "by * none" and they would be denied here.
#
# Keep comments above the directive, never between it and its "by" lines:
# a line that starts with whitespace continues the previous line, even
# when that previous line is a comment.
access to dn.subtree="@SUFFIX@"
	by dn.exact="cn=admin,@SUFFIX@" write
	by group/groupOfUniqueNames/uniqueMember="cn=DSA,ou=Administrators,ou=Groups,ou=Access Control,@SUFFIX@" write
	by group/groupOfUniqueNames/uniqueMember="cn=Replicants,ou=Groups,ou=Access Control,@SUFFIX@" write
	by * break