authz-regexp
    uid=([^,]*),cn=(gssapi|saml),cn=auth
    ldap:///@%@ldap/base@%@??sub?uid=$1

# allow authentication
access to attrs=userPassword
    by anonymous auth
    by * none break

access to attrs=userPassword,krb5Key,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,sambaPwdCanChange,sambaPwdMustChange,sambaPasswordHistory,sambaClearTextPassword,sambaPreviousClearTextPassword
   by sockname="PATH=/var/run/slapd/ldapi" read
@!@
from univention.lib.misc import custom_groupname

groups_default_domainadmins = custom_groupname('Domain Admins')
ldap_base = configRegistry['ldap/base']
print('   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" read' % (groups_default_domainadmins, ldap_base))

if configRegistry['ldap/hostdn']:
	print('   by dn.base="%s" read' % configRegistry['ldap/hostdn'])
@!@   by * none
