diff --git a/roles/slapd/templates/ldap/slapd.conf.j2 b/roles/slapd/templates/ldap/slapd.conf.j2
index 0d7c7214aa49134f761f9c8babdf9f879d21ccb3..571f327721a418b71f16d8ab145e4e49f732654f 100644
--- a/roles/slapd/templates/ldap/slapd.conf.j2
+++ b/roles/slapd/templates/ldap/slapd.conf.j2
@@ -35,6 +35,8 @@ constraint_attribute description regex {{ slapd.regex }}
   restrict=ldap:///ou=hosts,dc=crans,dc=org??one?(objectClass=device)
 constraint_attribute uid regex ^_
   restrict=ldap:///ou=passwd,dc=crans,dc=org??one?(objectClass=posixAccount)
+constraint_attribute description regex ^.*(\ IN)?\ (TXT|DNAME|AAAA|CNAME)\ .*$
+  restrict=ldap:///ou=dns,dc=crans,dc=org??sub?(objectClass=dNSDomain)
 
 moduleload 		syncprov
 {% endif %}
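Review bot: The new `constraint_attribute description regex` on line 9 only checks that a space-delimited record-type token appears somewhere in the value; the leading `^.*` and trailing `.*$` accept arbitrary text on both sides, so the owner-name and rdata portions of the description stay unvalidated and the anchors add nothing. If the intent is just "must look like a DNS record of one of these types", a comment stating the expected shape would help the next maintainer, e.g. `# description on dNSDomain entries must look like "<name> [IN] <TXT|DNAME|AAAA|CNAME> <rdata>"; only the type token is checked`. If the whole value is meant to be constrained, the `.*` wildcards should be replaced with explicit patterns for the name and rdata parts. The `\ ` escapes presumably rely on the slapd.conf tokenizer handing a literal space to the regex compiler; worth confirming on a test instance, since the constraint overlay's regex dialect and the config parser's escaping are easy to get subtly wrong.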
@@ -136,6 +138,12 @@ access to attrs=userPassword,shadowLastChange
         by anonymous auth
         by * none
 
+access to attrs=loginShell,mail,telephoneNumber
+        by self write
+        by set="[cn=_nounou,ou=group,dc=crans,dc=org]/memberUid & user/uid" write
+        by dn="cn=replicator,dc=crans,dc=org" read
+        by * read
+
 # Ensure read access to the base for things like
 # supportedSASLMechanisms.  Without this you may
 # have problems with SASL not knowing what
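Review bot: `by * read` on line 22 exposes mail and telephoneNumber to anonymous binds, which is broader than the neighbouring userPassword rule (`by anonymous auth` / `by * none`) and the block ending at lines 28–29 of the next hunk (`by * none`); the same rule is added verbatim at lines 31–35. If anonymous read of contact details is intended, a comment saying so would stop a later reviewer tightening it by accident; otherwise `by users read` followed by `by * none` limits it to authenticated clients while keeping self/_nounou write and replicator read. `by self write` on loginShell lets any account change its own shell, which matters if loginShell is ever set to a nologin shell to disable access for an account; if that practice exists, either drop loginShell from the self-write set or pair it with a `constraint_attribute loginShell` rule as the file already does for other attributes. Since the two added blocks are identical, consider a single Jinja macro or moving the rule outside the conditional so the two copies cannot drift apart.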
@@ -166,6 +174,12 @@ access to attrs=userPassword,shadowLastChange
         by dn="cn=replicator,dc=crans,dc=org" read
         by * none
 
+access to attrs=loginShell,mail,telephoneNumber
+        by self write
+        by set="[cn=_nounou,ou=group,dc=crans,dc=org]/memberUid & user/uid" write
+        by dn="cn=replicator,dc=crans,dc=org" read
+        by * read
+
 # Ensure read access to the base for things like
 # supportedSASLMechanisms.  Without this you may
 # have problems with SASL not knowing what