@!@
from univention.lib.misc import custom_username, custom_groupname

ldap_base=baseConfig['ldap/base']
ldap_port=baseConfig['slapd/port']
if baseConfig['ldap/server/type']=="master":
	usr="write"
else:
	usr="read"

groups_default_domainadmins = custom_groupname('Domain Admins')
users_default_administrator = custom_username('Administrator')

print 'sasl-regexp'
print '    uid=(.*),cn=gssapi,cn=auth'
print '    ldap://0.0.0.0:%s/"%s"??sub?uid=$1' % (ldap_port, ldap_base)
print

print 'access to attrs=userPassword'
print '    by anonymous auth'
print '    by * none break'
print ''

print 'access to dn="cn=admin,%s"' % ( ldap_base )
print '    by self %s' % ( usr )
print '    by * none'
print ''

print 'access to *'
print '    by sockname="PATH=/var/run/slapd/ldapi" %s' % (usr)
if configRegistry['ldap/server/type'] == "slave":
	print '    by dn.base="cn=admin,%s" %s' % ( ldap_base, usr)
print '    by dn.base="uid=%s,cn=users,%s" %s' % ( users_default_administrator, ldap_base, usr)
print '    by * none break'
print ''

print 'access to dn="uid=%s,cn=users,%s"' % ( users_default_administrator, ldap_base )
print '    by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr)
if configRegistry['ldap/server/type'] == "slave":
	print '    by dn.base="cn=admin,%s" %s' % ( ldap_base, usr)
print '    by self %s' % ( usr )
print '    by * read break'
print ''

print 'access to dn="uid=join-backup,cn=users,%s"' % ( ldap_base )
print '    by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr)
if configRegistry['ldap/server/type'] == "slave":
	print '    by dn.base="cn=admin,%s" %s' % ( ldap_base, usr)
print '    by self %s' % ( usr )
print '    by * read break'
print ''

print 'access to dn="uid=join-slave,cn=users,%s"' % ( ldap_base )
print '    by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr)
if configRegistry['ldap/server/type'] == "slave":
	print '    by dn.base="cn=admin,%s" %s' % ( ldap_base, usr)
print '    by self %s' % ( usr )
print '    by * read break'
print ''

print 'access to attrs=entry,objectClass,uniqueMember,ou,uid,loginShell,homeDirectory,uidNumber,gidNumber,sn,cn,gecos,description,memberUid'
print '    by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr)
if configRegistry['ldap/server/type'] == "slave":
	print '    by dn.base="cn=admin,%s" %s' % ( ldap_base, usr)
print '    by * read break'
print ''

@!@
