@!@
ldap_base=configRegistry.get('ldap/base')
if configRegistry.get('ldap/server/type') == "master":
	access="write"
else:
	access="read"

uidexcludelist = configRegistry.get('ldap/acl/user/passwordreset/protected/uid','').split(',')

protected_groups = configRegistry.get('ldap/acl/user/passwordreset/protected/gid')
if protected_groups:
	for group in protected_groups.split(','):
		uidexcludelist += configRegistry.get('ldap/acl/user/passwordreset/internal/groupmemberlist/%s' % group, '').split(',')

uidexcludelist.append('*$')

uidexcludestr = ''.join( [ '(uid=%s)' % x.strip() for x in uidexcludelist if x.strip() ] )

grouplist = []
for key in configRegistry.keys():
	if key.startswith('ldap/acl/user/passwordreset/accesslist/groups/'):
		grouplist.append( configRegistry.get(key) )

userfilter = '(&(|(&(objectClass=posixAccount)(objectClass=shadowAccount))(objectClass=univentionMail)(objectClass=sambaSamAccount)(objectClass=simpleSecurityObject)(&(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson)))(!(uidNumber=0))(!(|%s)))' % uidexcludestr

attr_fallback = 'krb5Key,userPassword,sambaPwdCanChange,sambaPwdMustChange,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,pwhistory,sambaPasswordHistory,krb5KDCFlags,krb5KeyVersionNumber,krb5PasswordEnd,shadowMax,shadowLastChange'
attrlist = configRegistry.get('ldap/acl/user/passwordreset/attributes', attr_fallback)

nestedgroups = configRegistry.is_true('ldap/acl/nestedgroups', False)

if grouplist:
	print '# helpdesk access: grant access to specified groups for password reset'
	print 'access to dn.sub="%(ldap/base)s" filter="%(userfilter)s" attrs="%(attributelist)s"' % { 'ldap/base': configRegistry.get('ldap/base'), 'userfilter': userfilter, 'attributelist': attrlist }
	for dn in grouplist:
		if nestedgroups:
			print '    by set="user & [%s]/uniqueMember*" %s' % (dn, access)
		else:
			print '    by group/univentionGroup/uniqueMember="%s" %s' % (dn, access)
	print '    by * break'
else:
	print '# helpdesk access: grant access to specified groups for password reset'
	print '#                  ==> no group has been specified'
@!@
