OpenLDAP has very flexible and powerful access controls, but they aren't well documented. Sure, there is lots of documentation about them, but none of it says anything useful. The most useful part of the documentation I found was the BNF, but as most people soon realise, a BNF tells you the syntax and leaves you with no real idea of what a particular rule is actually going to do.
Anyhow, I'm going to try to explain the access controls I use (which I think cover most of the more advanced features).
Now, let's go over it step by step.
So, this matches the "userPassword" attribute of any entry anywhere in the tree. Simple enough. The by clauses that follow are evaluated in order, and the first one whose subject matches the bound user decides the access level.
This checks the DN of the person doing the accessing against the uniqueMember attribute of the groupOfUniqueNames entry ou=AdminUsers,ou=Accounts,$BASEDN, and gives them write access if they are listed there.
This is somewhat confusing, so let's go over it again. cn=alice,ou=Accounts,$BASEDN wants to modify cn=bob,ou=Accounts,$BASEDN's foo attribute. slapd looks up the "uniqueMember" attribute on ou=AdminUsers,ou=Accounts,$BASEDN and checks whether cn=alice,ou=Accounts,$BASEDN is in it, and, if so, lets her modify cn=bob,ou=Accounts,$BASEDN's object.
Adding or removing people from the uniqueMember attribute grants or revokes their access. The group entry is read at request time, so the change takes effect immediately without touching slapd.conf.
This checks whether the user doing the access appears in the "owner" attribute of the object being accessed. For instance, if cn=charlie,ou=Accounts,$BASEDN wanted to access cn=bob,ou=Accounts,$BASEDN's foo attribute, this would first check whether cn=charlie,ou=Accounts,$BASEDN appears in cn=bob,ou=Accounts,$BASEDN's owner attribute.
This lets the anonymous user (a client that hasn't bound yet) authenticate against the password, but not read or write it: "auth" access is enough for a simple bind to be checked against the stored value, but not for a compare, search or read of the attribute.
This lets the user whose DN is the object being accessed write to it. For instance, if cn=bob,ou=Accounts,$BASEDN wanted to change his own password he could (since the object he is accessing is the object he is bound as).
No one else must be able to read or write the password. Fairly simple really. slapd denies access anyway when no by clause matches, but spelling out "by * none" makes the intent obvious to the next person reading the file.
Right, onto the next access. This matches everything under the domains subtree. Note the use of a regex(7). Anchor the pattern with ^ and $: an unanchored dn.regex also matches any DN that merely contains the subtree name somewhere inside it.
Once again, anyone in the AdminUsers group can modify this tree.
And, the person who owns this object can modify it.
And, by default, anyone else (including anonymous clients) can read this.
Now, for everything else in the tree (a catch-all). Note that this is just "", it doesn't have to be ".". It has to come last: slapd uses the first access directive whose target matches, so any directive placed after the catch-all can never be reached.
Admins can write, because admins are power-tripping egomaniacs with something to prove.
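The ACL lines themselves did not survive on this page, so here is an added example that reconstructs the three directives from the descriptions above, in slapd.conf syntax. It is not the author's configuration. The literal suffix dc=example,dc=com stands in for the page's $BASEDN (slapd.conf does no variable expansion, and a bare $ would be a regex anchor), ou=Domains is an assumed name for "the domains subtree", and the read-only default at the end of the catch-all is an assumption, since the page stops after the admin clause.

```conf
# Added example reconstructed from the prose above; not the author's file.
# Replace dc=example,dc=com with your own suffix. Directive order matters:
# slapd uses the first "access to" whose target matches, and within it the
# first "by" whose subject matches the bound DN.

# 1. The password attribute, on every entry in the tree.
access to attrs=userPassword
    # members of the groupOfUniqueNames entry may set anyone's password
    by group/groupOfUniqueNames/uniqueMember="ou=AdminUsers,ou=Accounts,dc=example,dc=com" write
    # a DN listed in the target entry's "owner" attribute may set it too
    by dnattr=owner write
    # unbound clients may bind against it but never read or compare it
    by anonymous auth
    # the entry itself may change its own password
    by self write
    # everyone else: nothing (this is also slapd's default when no by matches)
    by * none

# 2. Everything under the domains subtree (ou=Domains is an assumed name).
#    The regex is anchored: without ^ and $ it would also match any DN
#    that merely contains "ou=Domains,dc=example,dc=com" in the middle.
access to dn.regex="^(.+,)?ou=Domains,dc=example,dc=com$"
    by group/groupOfUniqueNames/uniqueMember="ou=AdminUsers,ou=Accounts,dc=example,dc=com" write
    by dnattr=owner write
    by * read

# 3. Catch-all for the rest of the tree. Must be last; nothing after it is
#    ever evaluated. The page only shows the admin clause; "by * read" for
#    everyone else is an assumption of this example.
access to *
    by group/groupOfUniqueNames/uniqueMember="ou=AdminUsers,ou=Accounts,dc=example,dc=com" write
    by * read
```

Before trusting an ACL set like this, check it offline with slapacl(8) rather than by reasoning about it; for the scenario in the text, `slapacl -f slapd.conf -D cn=alice,ou=Accounts,dc=example,dc=com -b cn=bob,ou=Accounts,dc=example,dc=com userPassword/write` reports whether alice's group membership actually grants write, and the same command with `-D` omitted shows what an anonymous client gets. The group clause is resolved by reading the AdminUsers entry on each request, so protecting that entry's uniqueMember attribute (it falls under the catch-all here) is what really decides who can become an admin.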