authz-regexp
    uid=([^,]*),cn=(gssapi|saml|oauthbearer),cn=auth
    ldap:///@%@ldap/base@%@??sub?uid=$1

# allow authentication
access to attrs=userPassword
    by anonymous auth
    by * none break

access to attrs=userPassword,krb5Key,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,sambaPwdCanChange,sambaPwdMustChange,sambaPasswordHistory,sambaClearTextPassword,sambaPreviousClearTextPassword,univentionRadiusPassword
   by sockname="PATH=/var/run/slapd/ldapi" read
@!@
from univention.lib.misc import custom_groupname

groups_default_domainadmins = custom_groupname('Domain Admins')
ldap_base = configRegistry['ldap/base']
print('   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" read' % (groups_default_domainadmins, ldap_base))

if configRegistry['ldap/hostdn']:
    print('   by dn.base="%s" read' % configRegistry['ldap/hostdn'])
print('   by * none')
print('')

if configRegistry.get('ldap/hostdn'):
    print('# Bug #54140: There are systems with a large amount (>50000) of DNS-Zone objects,')
    print('# the following access directive provides a faster access for services which have to')
    print('# read all of them via the machine account (like Bind9 on nodes without samba/AD).')
    print('access to dn.children="cn=dns,%s" filter="(objectClass=dNSZone)"' % configRegistry['ldap/base'])
    print('    by dn="%s" read' % configRegistry['ldap/hostdn'])
    print('    by * +0 break')
    print('')

print('access to filter="(&(univentionObjectType=settings/data)(cn=umc))" attrs=univentionData')
print('    by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" read' % (groups_default_domainadmins, ldap_base))
print('    by set="user/objectClass & ([univentionDomainController] | [univentionMemberServer])" read')
print('    by * none')
print('')

@!@
