Sorry for the confusion caused by editing what I've copied from the real system before which uses a group for several Samba DC instances.
In this example the ACL part should be more simple like this:
access to
dn.subtree="o=example"
attrs=sambaNTPassword
filter="(organizationalStatus=0)"
by dn.exact="uid=samba_dc,o=example" write
by group="cn=slapd Admins,ou=groups,o=example" =sw
by self =w
by * none
Ciao, Michael.
