Q: What is the correct way to add olcAccess rules to openLDAP?

I have a new OpenLDAP server and am setting up a new environment. I have a rough layout like this:

dc=example,dc=com
    ou=groups
    ou=accounts
        uid=surfrock66
        uid=ldapbinduser
        uid=surfrock67

I have an ldif file for modifying olcAccess, and the syntax checks and it installs correctly, however I can no longer authenticate with any users.

Here is what I am hoping to accomplish:

  1. My user, for now, is like a Domain Admin that can manage everyting
  2. The ldapbinduser account will be used for binds, meaning it needs to authenticate and read the users and groups (basically the whole directory)
  3. Any user should be able to read their own attributes, authenticate, and change their own password
  4. Everything else is denied.

I am sure that I have the permission order incorrect, but I’m having trouble wrapping my head around it:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.subtree="dc=example,dc=com"
  by dn.one="uid=surfrock66,ou=accounts,dc=example,dc=com" manage
  by dn.one="uid=ldapbinduser,ou=accounts,dc=example,dc=com" read
-
add: olcAccess
olcAccess: {1}to dn.children="ou=accounts,dc=example,dc=com" attrs=userPassword
  by self =xw
  by anonymous auth
  by * none
-
add: olcAccess
olcAccess: {2}to dn.children="ou=accounts,dc=example,dc=com"
  by self read
  by * none

I’ve read this a few times over, but it’s a bit over my head: https://www.openldap.org/doc/admin24/access-control.html I’ve also looked up many examples. My only other though (which I am going to try) is to put rule “1” first, then rule 0, then rule 2? Before I go slinging configs though, I’d love if someone that understands this better could explain where I’m going wrong.