sasl-regexp
    uid=(.*),cn=gssapi,cn=auth
    ldap:///"@%@ldap/base@%@"??sub?uid=$1

# allow authentication 
access to attrs=userPassword
    by anonymous auth
    by * none break

access to attrs=userPassword,krb5Key,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,sambaPwdCanChange,sambaPwdMustChange,sambaPasswordHistory,sambaClearTextPassword,sambaPreviousClearTextPassword
   by sockname="PATH=/var/run/slapd/ldapi" read
@!@
from univention.lib.misc import custom_groupname

groups_default_domainadmins = custom_groupname('Domain Admins')
ldap_base = configRegistry['ldap/base']
print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" read' % ( groups_default_domainadmins, ldap_base )

if baseConfig['ldap/hostdn']:
	print '   by dn.base="%s" read' % baseConfig['ldap/hostdn']
@!@   by * none

@!@
print 'access to *'
if baseConfig.is_false('ldap/acl/read/anonymous'):
	print '   by users read'
	ldap_acl_read_anonymous_ips = baseConfig.get('ldap/acl/read/ips')
	if ldap_acl_read_anonymous_ips:
		for ip in ldap_acl_read_anonymous_ips.split(','):
			print '   by peername.ip=%s read' % ip
else:
	print '   by * read'
print

if configRegistry.get('ldap/replog', '').lower() in ('true', 'yes'):
	print "replogfile /var/lib/univention-ldap/replog/replog"
@!@
