OpenLDAP has very flexible and powerful access controls, but they aren't well documented. Sure, there is lots of documentation about them, but none of it says anything useful. The most useful part of the documentation I found was the BNF, but as most people soon realise, a BNF tells you how, yet leaves you n.f.i. what is actually going to happen with a particular grammar.
Anyhow, I'm going to try to explain the access controls I use (which I think cover most of the more advanced features).
Some points to note before we start (for good luck):
# $BASEDN stands for the directory suffix, which in the last rule is
# written out in full as ou=WAND,o=Waikato University,c=NZ
access to attrs=userPassword
    by group/groupOfUniqueNames/uniqueMember="ou=AdminUsers,ou=Accounts,$BASEDN" write
    by dnattr=owner write
    by anonymous auth
    by self write
    by * none

access to dn.regex=".*,ou=Domains,$BASEDN"
    by group/groupOfUniqueNames/uniqueMember="ou=AdminUsers,ou=Accounts,$BASEDN" write
    by dnattr=owner write
    by * read

access to *
    by group/groupOfUniqueNames/uniqueMember="ou=AdminUsers,ou=Accounts,ou=WAND,o=Waikato University,c=NZ" write
    by * read
Now, let's go over it step by step.
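One way to see what those three rules actually grant is to run them through a small model of how slapd evaluates an ACL. The script below is an added example, not code from this page or from OpenLDAP: it models only the semantics the three rules exercise (the first `access to` clause whose target matches wins; inside it, the first matching `by` selector sets the level, with an implicit `by * none` at the end; a granted level implies every lower level). The directory contents, the users alice and bob, the AdminUsers membership and the dc=example.org domain entry owned by bob are all constructed for the demo, and the suffix is the one spelled out in the page's last rule.

```python
"""Toy evaluator for OpenLDAP-style ACLs (added example, not the page's code).

Models only what the page's three rules exercise, not slapd's real algorithm:
the first `access to` clause whose target matches wins; inside it the first
matching `by` selector sets the level, with an implicit `by * none` at the end;
levels are ordered none < auth < compare < search < read < write and a granted
level implies every lower one. Directory contents and DNs are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

BASEDN = "ou=WAND,o=Waikato University,c=NZ"    # suffix from the page's last rule
ADMIN_GROUP = f"ou=AdminUsers,ou=Accounts,{BASEDN}"
ALICE = f"uid=alice,ou=Accounts,{BASEDN}"        # constructed: AdminUsers member
BOB = f"uid=bob,ou=Accounts,{BASEDN}"            # constructed: ordinary user
DOMAIN = f"dc=example.org,ou=Domains,{BASEDN}"   # constructed: owned by bob
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed directory: DN -> {attribute: [values]}
DIRECTORY = {
    ADMIN_GROUP: {"uniqueMember": [ALICE]},
    ALICE: {"cn": ["Alice"], "userPassword": ["{SSHA}constructed"]},
    BOB: {"cn": ["Bob"], "userPassword": ["{SSHA}constructed"]},
    DOMAIN: {"dc": ["example.org"], "owner": [BOB]},
}


def _lookup(dn: str) -> dict:
    """Case-insensitive DN lookup, as LDAP DN matching is."""
    return next((a for d, a in DIRECTORY.items() if d.lower() == dn.lower()), {})


def _dn_values(entry: dict, attr: str) -> List[str]:
    """Lower-cased values of a DN-valued attribute (attribute names are case-insensitive)."""
    return [v.lower() for k, vals in entry.items() if k.lower() == attr.lower() for v in vals]


@dataclass
class By:
    who: str            # "group", "dnattr", "anonymous", "self" or "*"
    arg: str = ""       # group DN for "group", attribute name for "dnattr"
    level: str = "none"


@dataclass
class Access:
    attrs: Optional[Set[str]]   # None: any attribute (lower-cased names)
    dn_suffix: Optional[str]    # None: any entry; else models dn=".*,<suffix>"
    by: List[By]


# The page's three rules, transcribed into the model.
ACL = [
    Access({"userpassword"}, None, [
        By("group", ADMIN_GROUP, "write"), By("dnattr", "owner", "write"),
        By("anonymous", level="auth"), By("self", level="write"), By("*", level="none")]),
    Access(None, f"ou=Domains,{BASEDN}", [
        By("group", ADMIN_GROUP, "write"), By("dnattr", "owner", "write"), By("*", level="read")]),
    Access(None, None, [By("group", ADMIN_GROUP, "write"), By("*", level="read")]),
]


def _subject_matches(by: By, requester: Optional[str], entry_dn: str, entry: dict) -> bool:
    if by.who == "*":
        return True
    if by.who == "anonymous":
        return requester is None
    if requester is None:            # every other selector needs a bound DN
        return False
    if by.who == "self":
        return requester.lower() == entry_dn.lower()
    if by.who == "group":            # group/groupOfUniqueNames/uniqueMember=<dn>
        return requester.lower() in _dn_values(_lookup(by.arg), "uniqueMember")
    if by.who == "dnattr":           # dnattr=<attr>: requester is a value of <attr> on the entry
        return requester.lower() in _dn_values(entry, by.arg)
    raise ValueError(f"unknown selector {by.who}")


def granted_level(requester: Optional[str], entry_dn: str, attr: str) -> str:
    """Level the requester (None = anonymous) gets on `attr` of `entry_dn`."""
    entry = _lookup(entry_dn)
    for rule in ACL:
        if rule.attrs is not None and attr.lower() not in rule.attrs:
            continue
        if rule.dn_suffix is not None and not entry_dn.lower().endswith("," + rule.dn_suffix.lower()):
            continue
        for by in rule.by:           # first matching `by` wins
            if _subject_matches(by, requester, entry_dn, entry):
                return by.level
        return "none"                # clause matched but no `by` did: implicit `by * none`
    return "none"                    # no clause matched at all: default deny


def allowed(requester: Optional[str], entry_dn: str, attr: str, wanted: str) -> bool:
    """True if the granted level is at least `wanted`."""
    return LEVELS.index(granted_level(requester, entry_dn, attr)) >= LEVELS.index(wanted)


if __name__ == "__main__":
    for who, dn, attr in [(None, ALICE, "userPassword"), (BOB, BOB, "userPassword"),
                          (BOB, ALICE, "userPassword"), (ALICE, BOB, "userPassword"),
                          (BOB, DOMAIN, "dc"), (None, DOMAIN, "dc"), (None, DOMAIN, "userPassword")]:
        print(f"{who or 'anonymous'} on {attr} of {dn}: {granted_level(who, dn, attr)}")
```

The last case in the demo is the one worth noticing: even for an entry under ou=Domains, anonymous gets only `auth` on userPassword, because the first clause matches that attribute before the ou=Domains clause is ever considered. That ordering is what makes the `by * none` at the end of the password rule effective, and it is why the userPassword rule has to come first.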