authz-regexp
    uid=([^,]*),cn=(gssapi|saml),cn=auth
    ldap:///@%@ldap/base@%@??sub?uid=$1

# allow authentication
access to attrs=userPassword
    by anonymous auth
    by * none break

access to attrs=userPassword,krb5Key,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,sambaPwdCanChange,sambaPwdMustChange,sambaPasswordHistory,sambaClearTextPassword,sambaPreviousClearTextPassword,univentionRadiusPassword
   by sockname="PATH=/var/run/slapd/ldapi" read
@!@
from univention.lib.misc import custom_groupname

groups_default_domainadmins = custom_groupname('Domain Admins')
ldap_base = configRegistry['ldap/base']
print('   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" read' % (groups_default_domainadmins, ldap_base))

if configRegistry['ldap/hostdn']:
    print('   by dn.base="%s" read' % configRegistry['ldap/hostdn'])
@!@   by * none

@!@
if configRegistry.get('ldap/hostdn'):
    print('# Bug #54140: There are systems with a large amount (>50000) of DNS-Zone objects,')
    print('# the following access directive provides a faster access for services which have to')
    print('# read all of them via the machine account (like Bind9 on nodes without samba/AD).')
    print('access to dn.children="cn=dns,%s" filter="(objectClass=dNSZone)"' % configRegistry['ldap/base'])
    print('    by dn="%s" read' % configRegistry['ldap/hostdn'])
    print('    by * +0 break')
@!@
