Thursday, April 16, 2015

olcAccess on OpenLDAP

In order to let users change their own password (and to let members of the admins group do stuff), I used this ldif file:

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to attrs=userPassword by self write by anonymous auth by group.exact="cn=admins,ou=Groups,dc=physmed,dc=chudequebec,dc=ca" write by * none
olcAccess: {4}to * by self write by group.exact="cn=admins,ou=Groups,dc=physmed,dc=chudequebec,dc=ca" write by * read


where the olcDatabase={2}hdb,cn=config DN depends on your setup (the {2} index and the hdb backend name may differ); find the right one in the output of

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase=*)" dn

then apply it with

ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif


The result can be verified with:

ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={2}hdb,cn=config "(olcAccess=*)" olcAccess
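As an added illustration (not code from the original post), here is a small Python model of how slapd walks these two olcAccess values: the first "to" clause that covers the attribute is selected, then the first matching "by" clause inside it sets the access level, and anything left unmatched is denied. It takes the post's two ACL values verbatim; the user DNs (alice, bob, carol) are constructed assumptions. It also evaluates the same two values in swapped order to show why {3} has to come before {4}: with the catch-all rule first, its "by * read" would hand userPassword hashes to anonymous binds. The model deliberately leaves out rootdn bypass, dn-based "to" clauses, +/- privilege syntax and break/stop controls.

```python
"""Offline model of OpenLDAP olcAccess evaluation (added example, not from the post).

Simplified semantics: first matching 'to' clause wins, then the first matching
'by' clause inside it sets the level; nothing matching means access is denied.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Access levels in increasing order; a granted level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class Requester:
    dn: Optional[str]                              # None = anonymous (unbound) connection
    groups: Set[str] = field(default_factory=set)  # DNs of groups the requester belongs to


@dataclass
class Rule:
    attrs: Optional[Set[str]]                      # None = "to *"
    by: List[Tuple[str, str]]                      # (who, access) in the order written


def parse_rule(value: str) -> Rule:
    """Parse one olcAccess value such as '{3}to attrs=userPassword by self write by * none'."""
    value = re.sub(r"^\{\d+\}", "", value.strip())  # strip the {N} ordering prefix
    parts = re.split(r"\s+by\s+", value)
    what = parts[0]
    if not what.startswith("to "):
        raise ValueError(f"expected a 'to' clause, got {what!r}")
    what = what[3:].strip()
    if what == "*":
        attrs = None
    elif what.startswith("attrs="):
        attrs = {a.strip().lower() for a in what[len("attrs="):].split(",")}
    else:
        raise ValueError(f"unsupported 'to' clause: {what!r}")
    by = []
    for clause in parts[1:]:
        who, access = clause.strip().rsplit(None, 1)  # access level is the last token
        if access not in LEVELS:
            raise ValueError(f"unknown access level {access!r}")
        by.append((who, access))
    return Rule(attrs, by)


def who_matches(who: str, req: Requester, target_dn: str) -> bool:
    """Match the <who> part of a 'by' clause against the requester."""
    if who == "*":
        return True
    if who == "anonymous":
        return req.dn is None
    if who == "users":
        return req.dn is not None
    if who == "self":
        return req.dn is not None and req.dn.lower() == target_dn.lower()
    m = re.fullmatch(r'group(?:\.exact)?="([^"]+)"', who)
    if m:
        return m.group(1).lower() in {g.lower() for g in req.groups}
    raise ValueError(f"unsupported 'by' clause: {who!r}")


def access_for(rules: List[Rule], req: Requester, target_dn: str, attr: str) -> str:
    """Access level the ordered rule list grants on one attribute of one entry."""
    for rule in rules:
        if rule.attrs is not None and attr.lower() not in rule.attrs:
            continue                  # this 'to' clause does not cover the attribute
        for who, access in rule.by:
            if who_matches(who, req, target_dn):
                return access
        return "none"                 # matching 'to' but no matching 'by': deny
    return "none"                     # no rule covers the target: deny


def allows(rules: List[Rule], req: Requester, target_dn: str, attr: str, needed: str) -> bool:
    return LEVELS.index(access_for(rules, req, target_dn, attr)) >= LEVELS.index(needed)


# The two values from the post's acl.ldif, in the order the post adds them.
ADMINS = "cn=admins,ou=Groups,dc=physmed,dc=chudequebec,dc=ca"
PAGE_RULES = [parse_rule(v) for v in (
    f'{{3}}to attrs=userPassword by self write by anonymous auth by group.exact="{ADMINS}" write by * none',
    f'{{4}}to * by self write by group.exact="{ADMINS}" write by * read',
)]
# The same two values with their order swapped: the catch-all now shadows the password rule.
SWAPPED_RULES = list(reversed(PAGE_RULES))

# Constructed requesters; these user DNs are assumptions, not from the post.
ALICE = "uid=alice,ou=People,dc=physmed,dc=chudequebec,dc=ca"
ANON = Requester(None)
ALICE_SELF = Requester(ALICE)
BOB = Requester("uid=bob,ou=People,dc=physmed,dc=chudequebec,dc=ca")
ADMIN = Requester("uid=carol,ou=People,dc=physmed,dc=chudequebec,dc=ca", {ADMINS})


def summarize(rules: List[Rule]) -> dict:
    """Who gets what on alice's userPassword and on an ordinary attribute (mail)."""
    return {
        "anon_pw": access_for(rules, ANON, ALICE, "userPassword"),
        "self_pw": access_for(rules, ALICE_SELF, ALICE, "userPassword"),
        "other_pw": access_for(rules, BOB, ALICE, "userPassword"),
        "admin_pw": access_for(rules, ADMIN, ALICE, "userPassword"),
        "other_mail": access_for(rules, BOB, ALICE, "mail"),
        "self_mail": access_for(rules, ALICE_SELF, ALICE, "mail"),
    }


if __name__ == "__main__":
    print("as written:", summarize(PAGE_RULES))
    print("swapped:   ", summarize(SWAPPED_RULES))
```

With the post's ordering, anonymous gets exactly "auth" on userPassword (enough for a simple bind, not enough to read the hash), other users get nothing on it, and the admins group and the user themself get write; on any other attribute other users still get read. Swapping the two values makes the catch-all match first, so every requester, anonymous included, gets read on userPassword. Note too that "to * by self write" lets a user rewrite all of their own attributes, not only the password; if that is wider than intended, list the attributes explicitly instead of using "*".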

