@!@
ldap_base = configRegistry['ldap/base']
usr = 'write' if configRegistry.get('ldap/server/type') == "master" else 'read'

password_attributes = 'krb5Key,userPassword,sambaPwdCanChange,sambaPwdMustChange,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,pwhistory,sambaPasswordHistory,krb5KDCFlags,krb5KeyVersionNumber,krb5PasswordEnd,shadowMax,shadowLastChange'

if configRegistry.is_true('ldap/acl/user/password/change'):
    print('access to attrs="%s"' % password_attributes)
    print('   by self %s' % (usr))
    print('   by * none break')
    print('')

print('# grant write access to users own UMC properties')
print('access to attrs="univentionUMCProperty" filter="objectClass=person"')
print('   by self %s' % usr)
print('   by * none break')
print('access to filter="objectClass=person" attrs=objectClass value=univentionPerson')
print('   by self %s' % usr)
print('   by * none break')
print('')
@!@
