@!@
ldap_base=baseConfig['ldap/base']
if baseConfig['ldap/server/type']=="master":
	usr="write"
else:
	usr="read"

password_attributes='krb5Key,userPassword,sambaPwdCanChange,sambaPwdMustChange,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,pwhistory,sambaPasswordHistory,krb5KDCFlags,krb5KeyVersionNumber,krb5PasswordEnd,shadowMax,shadowLastChange'

if baseConfig.has_key('ldap/acl/user/password/change') and baseConfig['ldap/acl/user/password/change'].lower() in ['true', 'yes']:
	print 'access to attrs="%s"' % password_attributes
	print '   by self %s' % ( usr )
	print '   by * none break'

# grant write access to users' own UMC properties
print 'access to attrs="univentionUMCProperty,objectClass"'
print '   by self %s' % usr
print '   by * none break'

@!@
