diff --git a/hosts/mail/modules/openldap.nix b/hosts/mail/modules/openldap.nix
index 2fbd175..be00dea 100644
--- a/hosts/mail/modules/openldap.nix
+++ b/hosts/mail/modules/openldap.nix
@@ -330,6 +330,42 @@ in {
     ];
   };
 
+  "olcDatabase={9}mdb".attrs = {
+    objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
+
+    olcDatabase = "{9}mdb";
+    olcDbDirectory = "/var/lib/openldap/data";
+
+    olcSuffix = "dc=scana11y,dc=com";
+
+    olcAccess = [
+      ''
+        {0}to attrs=userPassword
+        by self write
+        by anonymous auth
+        by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
+        by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write
+        by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+        by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+        by * none
+      ''
+      ''
+        {1}to attrs=pgpPublicKey
+        by self write
+        by anonymous read
+        by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+        by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+        by * read
+      ''
+      ''
+        {2}to *
+        by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+        by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+        by * read
+      ''
+    ];
+  };
+
 # "cn=module{0},cn=config" = {
 #   attrs = {
 #     objectClass = "olcModuleList";
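Review bot: Every privileged subject in the new `{9}mdb` database's `olcAccess` rules — the `by dn=`, `by dn.subtree=` and `by group.exact=` clauses in `{0}`, `{1}` and `{2}` — lives under `dc=cloonar,dc=com`, while this database's `olcSuffix` is `dc=scana11y,dc=com`; that only works if `dc=cloonar,dc=com` is served by another database of the same slapd (bound DNs and group lookups do resolve across backends), otherwise none of those clauses can ever match and the effective policy collapses to `by self write / by anonymous auth / by * none` on userPassword and `by * read` on everything else. In either case `{2}to * ... by * read` makes the whole `dc=scana11y,dc=com` tree readable by anonymous binds, which deserves an explicit statement above `olcAccess`, e.g. `# ACL subjects are identities from the dc=cloonar,dc=com database; everything not covered by {0}/{1} is world-readable by design`. `{0}` also hands every account under `ou=system,ou=users,dc=cloonar,dc=com` `read` on userPassword hashes rather than `auth`; if only owncloud and authelia (already listed with `write`) need the hash value, `by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" auth` would narrow that — verify what the mail services on this host actually fetch before changing it. Please also confirm that `/var/lib/openldap/data` is not already the `olcDbDirectory` of the database whose `};` closes just above the hunk, since two mdb backends must not share an environment directory. The enclosing `in { … }` attribute set starts before the hunk.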