I had to do it this way:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
# remove the existing catch-all rule at position {2}
delete: olcAccess
olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read
-
# the new rule takes position {2}
add: olcAccess
olcAccess: {2}to attrs=sshPublicKey,gecos by self write
-
# re-add the catch-all rule at position {3}
add: olcAccess
olcAccess: {3}to * by dn="cn=admin,dc=example,dc=com" write by * read
You cannot have, for example, multiple {2}, so you have to delete and then
add. In this case I was using sudo to do the ldapmodify instead of admin, so
there was no risk of lockout. What I am wondering is whether this is at all
like an atomic transaction: either you can apply the whole LDIF at once or
not ... if it happens in one go you won't get locked out ...
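As an added illustration (not code from the original post), the following Python models how slapd treats a record like the one above. RFC 4511 (section 4.6, Modify operation) requires that all modifications in one Modify request be performed in order as a single atomic operation, so either every change in the record is applied or the entry is left as it was; cn=config additionally renumbers the {n} ordinals of X-ORDERED attributes such as olcAccess after each delete and insert. The starting olcAccess list is constructed sample data, the `apply_guarded` precheck is this example's own client-side idea rather than anything slapd does, and the whole thing is a simplified model, not slapd itself.

```python
"""Model of slapd applying one LDIF 'changetype: modify' record to the ordered
olcAccess attribute: every change in the record succeeds as one atomic Modify
operation (RFC 4511, section 4.6) or the entry is left untouched, and the {n}
ordinals (slapd-config(5) X-ORDERED values) are renumbered after each delete
or insert.  Added, simplified model for illustration; not slapd's own code."""
import re

ORDINAL = re.compile(r"^\{(\d+)\}")
ADMIN_DN = "cn=admin,dc=example,dc=com"   # the DN used in the post

class ModifyError(Exception):
    """One change in the record failed, so the whole record is rejected."""

def split_ordinal(value):
    """'{2}to * ...' -> (2, 'to * ...'); no ordinal -> (None, value)."""
    m = ORDINAL.match(value)
    return (int(m.group(1)), value[m.end():]) if m else (None, value)

def renumber(values):
    """Rewrite ordinals so they run {0}, {1}, ... in list order."""
    return ["{%d}%s" % (i, split_ordinal(v)[1]) for i, v in enumerate(values)]

def parse_ldif_modify(text):
    """One 'changetype: modify' record -> [(op, attr, [values]), ...].
    Folded (leading-space) continuation lines are not handled."""
    changes, current = [], None
    for line in (l.rstrip() for l in text.splitlines()):
        if not line or line[0] == "#" or line == "-":
            continue
        key, sep, val = line.partition(": ")
        if not sep:
            raise ModifyError("malformed LDIF line: %r" % line)
        if key in ("add", "delete", "replace"):
            current = (key, val, [])
            changes.append(current)
        elif current is not None and key == current[1]:
            current[2].append(val)
        elif key not in ("dn", "changetype"):
            raise ModifyError("unexpected attribute %r in change" % key)
    return changes

def apply_modify(values, changes):
    """Apply every change to a copy and return it; on any failure raise
    ModifyError and leave the caller's list exactly as it was."""
    work = list(values)
    for op, attr, vals in changes:
        if attr != "olcAccess":
            raise ModifyError("model only covers olcAccess, got %r" % attr)
        if op == "replace":
            work = renumber(vals)
        elif op == "delete":
            if not vals:
                work = []                        # bare 'delete: olcAccess'
            for v in vals:
                idx, body = split_ordinal(v)
                bodies = [split_ordinal(w)[1] for w in work]
                if idx is not None and body == "" and idx < len(work):
                    del work[idx]                # '{n}' alone: delete by position
                elif v in work:
                    work.remove(v)               # full value, ordinal included
                elif idx is None and body in bodies:
                    del work[bodies.index(body)] # value given without ordinal
                else:
                    raise ModifyError("noSuchAttribute: %r" % v)
                work = renumber(work)
        elif op == "add":
            for v in vals:
                idx, _ = split_ordinal(v)
                if idx is None or idx >= len(work):
                    work.append(v)
                else:
                    work.insert(idx, v)          # later values shift up by one
                work = renumber(work)
        else:
            raise ModifyError("unknown operation %r" % op)
    return work

def rejected_leaves_unchanged(values, ldif_text):
    """True if the record is rejected and the caller's list is untouched."""
    before = list(values)
    try:
        apply_modify(values, parse_ldif_modify(ldif_text))
    except ModifyError:
        return values == before
    return False

def admin_keeps_write(values, admin_dn=ADMIN_DN):
    """Crude lockout check: some 'to *' rule still grants admin_dn write.
    Not an ACL evaluator; it only looks for that catch-all rule."""
    pat = re.compile(r'^to \* .*\bby dn="%s" write\b' % re.escape(admin_dn))
    return any(pat.search(split_ordinal(v)[1]) for v in values)

def apply_guarded(values, ldif_text, admin_dn=ADMIN_DN):
    """Client-side precheck (slapd does not do this): compute the result and
    refuse it if admin_dn would lose write on the database."""
    result = apply_modify(values, parse_ldif_modify(ldif_text))
    if not admin_keeps_write(result, admin_dn):
        raise ModifyError("refusing: %s would lose write access" % admin_dn)
    return result

# Assumed starting state (constructed sample): two typical default rules plus
# the {2} rule quoted in the post.
START = [
    '{0}to attrs=userPassword by self write by anonymous auth by * none',
    '{1}to dn.base="" by * read',
    '{2}to * by dn="cn=admin,dc=example,dc=com" write by * read',
]

POST_LDIF = """\
dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read
-
add: olcAccess
olcAccess: {2}to attrs=sshPublicKey,gecos by self write
-
add: olcAccess
olcAccess: {3}to * by dn="cn=admin,dc=example,dc=com" write by * read
"""
```

Run `apply_guarded(START, POST_LDIF)` to see the four resulting rules; append a bogus `delete` to the record and `rejected_leaves_unchanged` shows the whole record being dropped with the starting list intact. On a real server the equivalent check is to apply the record with `sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f change.ldif` and then read the attribute back with `sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={1}hdb,cn=config' olcAccess`, confirming that the catch-all admin rule is still present and last.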