# site-admins dynamic group specification
dn: cn=3Dsite-admins,ou=3Dgroups,dc=3Dbluewater-aquatics,dc=3Dcom
objectClass: top
objectClass: groupOfURLs
cn: site-admins
memberURL: ldap:///ou=3Dpeople,dc=3Dmysite,dc=3Dcom??
	sub?(authorizedService=3Dsite-admin)

Then, with that dynamic group in place, I was able to use the following
slapd.conf syntax to make the ACL give write access to each user's data
as follows:
	Each user can write their own data
	Each user can read any users data (except passwords)
	Anonymous can AUTH against any password (necessary for auth to work)
	Site Administrators can write anyone's AuthorizedService attributes
	Site Administrators can write anyone's Password
	Anyone can read AuthorizedService attributes

# Controls access to Passwords: Admins Write all, Self Write, anon AUTH,
# else none
access to attrs=3D"userPassword"
        by group/groupOfURLs/memberURL=3D
		"cn=3Dsite-admins,ou=3Dgroups,dc=3Dmysite,dc=3Dcom" write
        by self write
        by anonymous auth
        by * none

# Controls access to authorizedService attributes: Admins Write all,
# else read
access to attrs=3D"authorizedService"
        by group/groupOfURLs/memberURL=3D
		"cn=3Dsite-admins,ou=3Dgroups,dc=3Dmysite,dc=3Dcom" write
        by * read

# Controls access to user records in general (other attributes)
# Site Administrators write all, Self write, anonymous read, else read
access to dn.base=3D"ou=3Dpeople,dc=3Dmysite,dc=3Dcom"
        by group/groupOfURLs/memberURL=3D
		"cn=3Dsite-admins,ou=3Dgroups,dc=3Dmysite,dc=3Dcom" write
        by self write
        by anonymous read
        by * read

# Controls access to group definitions
# Everyone gets read access only, must be rootdn to modify for now.
access to dn.base=3D"ou=3Dgroups,dc=3Dmysite,dc=3Dcom" attrs=3Dchildren
        by * read

# Controls access to everything else
# Site Administrators get write access, Self can write, anonymous read,
# else read
access to *
        by group/groupOfURLs/memberURL=3D
		"cn=3Dsite-admins,ou=3Dgroups,dc=3Dmysite,dc=3Dcom" write
        by self write
        by anonymous read
        by * read
