@!@
from univention.lib.misc import custom_groupname

ldap_base = configRegistry['ldap/base']
if configRegistry.get('ldap/server/type') == "master":
	usr="write"
else:
	usr="read"

groups_default_domainadmins = custom_groupname('Domain Admins')
groups_default_windowshosts = custom_groupname('Windows Hosts')

nestedGroups = configRegistry.is_true('ldap/acl/nestedgroups', True)

if configRegistry.is_true('ldap/acl/slavepdc', True):
	print 'access to dn.regex="^cn=([^,]+),cn=([^,]+),cn=temporary,cn=univention,%s$" filter="(&(objectClass=lock)(!(objectClass=posixAccount)))"' % ldap_base
	if configRegistry['ldap/server/type'] == "slave":
		print '   by dn.base="cn=admin,%s" %s' % ( ldap_base, usr )
	if nestedGroups:
		print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
	else:
		print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
	print '   by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
	print '   by * read break'
		
	print 'access to dn.regex="^cn=([^,]+),cn=temporary,cn=univention,%s$" attrs=children,entry' % ldap_base
	if configRegistry['ldap/server/type'] == "slave":
		print '   by dn.base="cn=admin,%s" %s' % ( ldap_base, usr )
	if nestedGroups:
		print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
	else:
		print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
	print '   by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
	print '   by * read break'

	print 'access to dn.regex="^cn=([^,]+),cn=temporary,cn=univention,%s$" attrs=univentionLastUsedValue' % ldap_base
	if configRegistry['ldap/server/type'] == "slave":
		print '   by dn.base="cn=admin,%s" %s' % ( ldap_base, usr )
	if nestedGroups:
		print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
	else:
		print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
	print '   by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
	print '   by * read break'

	print '## to prevent uidNumber=0 modifications'
	print 'access to attrs=uidNumber value=0'
	print '   by dn.children="cn=dc,cn=computers,%s" read' % ( ldap_base )
	print '   by * read break'

	print 'access to dn.subtree="cn=computers,%s" attrs=children,entry filter="(!(uidNumber=0))"' % ( ldap_base )
	if configRegistry['ldap/server/type'] == "slave":
		print '   by dn.base="cn=admin,%s" %s' % ( ldap_base, usr )
	if nestedGroups:
		print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
	else:
		print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
	print '   by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
	print '   by * read break'

	print 'access to dn.children="%s" filter="(|(objectClass=univentionWindows)(&(objectClass=univentionGroup)(cn=%s)))"' % ( ldap_base, groups_default_windowshosts)
	if configRegistry['ldap/server/type'] == "slave":
		print '   by dn.base="cn=admin,%s" %s' % ( ldap_base, usr )
	if nestedGroups:
		print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
	else:
		print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
	print '   by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
	print '   by * read break'

	print 'access to dn.children="%s" filter="(objectClass=sambaDomain)"' % ( ldap_base )
	if configRegistry['ldap/server/type'] == "slave":
		print '   by dn.base="cn=admin,%s" %s' % ( ldap_base, usr )
	if nestedGroups:
		print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
	else:
		print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
	print '   by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
	print '   by * read break'

print 'access to dn.regex="^cn=.*,cn=dc,cn=computers,%s$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange' % ( ldap_base )
if configRegistry['ldap/server/type'] == "slave":
	print '   by dn.base="cn=admin,%s" %s' % ( ldap_base, usr )
if nestedGroups:
	print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
else:
	print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
print '   by self %s' % ( usr )
print '   by dn.children="cn=dc,cn=computers,%s" read' % ( ldap_base )
print '   by * none'

print 'access to dn.regex="^cn=.*,cn=memberserver,cn=computers,%s$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange' % ( ldap_base )
if configRegistry['ldap/server/type'] == "slave":
	print '   by dn.base="cn=admin,%s" %s' % ( ldap_base, usr )
if nestedGroups:
	print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
else:
	print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
print '   by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
print '   by self %s' % ( usr )
print '   by * none'

print 'access to dn.regex="^cn=.*,cn=memberserver,cn=computers,%s$" attrs=objectClass,sambaSID,sambaPrimaryGroupSID,displayName,sambaAcctFlags' % ( ldap_base )
if configRegistry['ldap/server/type'] == "slave":
	print '   by dn.base="cn=admin,%s" %s' % ( ldap_base, usr )
if nestedGroups:
	print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
else:
	print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
print '   by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
print '   by * read break'

print 'access to attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange,sambaPasswordHistory,sambaClearTextPassword,sambaPreviousClearTextPassword'
if configRegistry['ldap/server/type'] == "slave":
	print '   by dn.base="cn=admin,%s" %s' % ( ldap_base, usr )
if nestedGroups:
	print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
else:
	print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
print '   by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
print '   by dn.children="cn=memberserver,cn=computers,%s" read' % ( ldap_base )
print '   by * none'

if configRegistry['ldap/server/type'] == "master":
	print 'access to attrs=sambaAcctFlags'
	if nestedGroups:
		print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
	else:
		print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
	print '   by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
	print '   by * read break'

print 'access to attrs=shadowMax,krb5PasswordEnd,shadowLastChange'
if configRegistry['ldap/server/type'] == "slave":
	print '   by dn.base="cn=admin,%s" %s' % ( ldap_base, usr )
if nestedGroups:
	print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
else:
	print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
print '   by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
print '   by dn.children="cn=memberserver,cn=computers,%s" read' % ( ldap_base )
print '   by * read break'

print 'access to dn.base="cn=idmap,cn=univention,%s"' % ( ldap_base )
if configRegistry['ldap/server/type'] == "slave":
	print '   by dn.base="cn=admin,%s" %s' % ( ldap_base, usr )
if nestedGroups:
	print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
else:
	print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
print '   by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
print '   by dn.children="cn=memberserver,cn=computers,%s" write' % ( ldap_base )
print '   by * none'

print 'access to dn.children="cn=idmap,cn=univention,%s" filter="(&(|(&(objectClass=sambaUnixIdPool)(objectClass=organizationalRole)(objectClass=top))(&(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))(!(objectClass=posixAccount)))"' % ( ldap_base )
if configRegistry['ldap/server/type'] == "slave":
	print '   by dn.base="cn=admin,%s" %s' % ( ldap_base, usr )
if nestedGroups:
	print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
else:
	print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
print '   by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
print '   by dn.children="cn=memberserver,cn=computers,%s" write' % ( ldap_base )
print '   by * none'

print 'access to *'
if configRegistry['ldap/server/type'] == "slave":
	print '   by dn.base="cn=admin,%s" %s' % ( ldap_base, usr )
if nestedGroups:
	print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
else:
	print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
if configRegistry.is_false('ldap/acl/read/anonymous'):
	print '   by users read'
	ldap_acl_read_anonymous_ips = configRegistry.get('ldap/acl/read/ips')
	if ldap_acl_read_anonymous_ips:
		for ip in ldap_acl_read_anonymous_ips.split(','):
			print '   by peername.ip=%s read' % ip
else:
	print '   by * read'

if configRegistry.is_true('ldap/replog', False):
	print "replogfile /var/lib/univention-ldap/replog/replog"
@!@
