# start 61ucsschool_presettings

@!@
# -*- coding: utf-8 -*-
import os.path

# First part of the slapd.conf ACL fragment that is printed at the end of this
# template (only on Primary/Backup Directory Nodes, see the role check below).
# Every clause addresses the four UCS@school server groups (DC-/Member-
# Verwaltungsnetz, DC-/Member-Edukativnetz) and ends in "by * +0 break", so ACL
# evaluation continues with the following rules for every other bind DN.
# The text is emitted verbatim: its "#" lines are comments in the generated
# slapd.conf, not Python comments, and "@%@ldap/base@%@" is a UCR placeholder.
aclset = '''
# grant at least read access to school Replica Directory Nodes to operational attributes, if not limited later on
access to attrs="structuralObjectClass,entryUUID,creatorsName,createTimestamp,entryCSN,modifiersName,modifyTimestamp"
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd break
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd break
	by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd break
	by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd break
	by * +0 break

# Replica Directory Nodes und Managed Nodes duerfen Samba-Domaenenobjekt(e) modifizieren
access to filter="(objectClass=sambaDomain)" attrs=@sambaDomain
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

# grant write access to Replica Directory Nodes and Managed Nodes for certain univention app center settings
access to dn.regex="^univentionAppID=([^,]+),cn=([^,]+),cn=apps,cn=univention,@%@ldap/base@%@$" filter="(objectClass=univentionApp)" attrs=entry,@univentionApp,@univentionObject
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

access to dn.regex="^cn=([^,]+),cn=apps,cn=univention,@%@ldap/base@%@$" attrs=children,entry,@organizationalRole,@univentionObject
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

access to dn="cn=apps,cn=univention,@%@ldap/base@%@" attrs=children
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

'''
# The Virtual Machine Manager clauses are only appended when its schema is
# installed locally; the presence of the schema file is the only marker used,
# no UCR variable is consulted.
# NOTE(review): the third clause below ("cn=(Information|CloudConnection),...")
# combines a regex alternation with a plain "dn=" qualifier, whereas the other
# pattern clauses in this template spell out "dn.regex=". Confirm that slapd
# treats the unqualified form as a regex here; if it is read as an exact DN the
# clause never matches and the container-level write grant is dead.
# In the "by dn.regex" clauses "$$" is the escaped end anchor, because a bare
# "$" followed by a digit is a back-reference into the "access to" pattern.
if os.path.exists('/var/lib/univention-ldap/local-schema/univention-virtual-machine-manager.schema'):
	aclset += '''
# Replica Directory Nodes and Managed Nodes require write access to virtual machine manager objects
access to dn.regex="^univentionVirtualMachineUUID=([^,]+),cn=Information,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachine)" attrs=entry,@univentionVirtualMachine,@univentionObject
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

access to dn.regex="^cn=([^,]+),cn=CloudConnection,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachineCloudConnection)" attrs=entry,@univentionVirtualMachineCloudConnection,@univentionVirtualMachineHostOC,@univentionObject
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

access to dn="cn=(Information|CloudConnection),cn=Virtual Machine Manager,@%@ldap/base@%@" attrs=children,entry
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write
	by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write
	by * +0 break
'''

# Second, unconditional part of the ACL set: write access to the idmap container
# and subtree for the school server groups, "none" for subtrees they must not
# replicate (cn=backup, cn=printers, cn=networks and the listed cn=univention
# containers), read-only access to the CUPS containers, and a "set=" based
# denial that keeps the username/e-mail counter objects away from any bind DN
# whose univentionObjectType is a Replica Directory Node or Managed Node.
# Again, every clause falls through ("by * +0 break") for everyone else.
aclset += '''

# Replica Directory Nodes und Managed Nodes benoetigen idmap-Container
access to dn.base="cn=idmap,cn=univention,@%@ldap/base@%@" attrs=children,@organizationalRole,@sambaIdmapEntry,@sambaSidEntry
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

# Replica Directory Nodes und Managed Nodes benoetigen ID-Mapping
access to dn.subtree="cn=idmap,cn=univention,@%@ldap/base@%@" attrs=entry,@univentionObject,@sambaUnixIdPool,@sambaIdmapEntry,@sambaSidEntry,@organizationalRole
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

# Replica Directory Nodes und Managed Nodes benoetigen nicht alle Container
access to dn.subtree="cn=backup,@%@ldap/base@%@"
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

access to dn.subtree="cn=printers,@%@ldap/base@%@"
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

access to dn.subtree="cn=networks,@%@ldap/base@%@"
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

access to dn.regex="^(cn=printeruris,)?cn=cups,cn=univention,@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by * +0 break

access to dn.regex="^(.*,)?cn=(cups|ppolicy|packages|services|templates|admin-settings|default containers|saml-serviceprovider),cn=univention,@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

# prevent replication of username and email counter objects to Replica Directory Nodes and Managed Nodes
access to dn.children="cn=unique-usernames,cn=ucsschool,cn=univention,@%@ldap/base@%@"
	by set="user/univentionObjectType & [computers/domaincontroller_slave]" none
	by set="user/univentionObjectType & [computers/memberserver]" none
	by * +0 break

access to dn.children="cn=unique-email,cn=ucsschool,cn=univention,@%@ldap/base@%@"
	by set="user/univentionObjectType & [computers/domaincontroller_slave]" none
	by set="user/univentionObjectType & [computers/memberserver]" none
	by * +0 break

'''

# Role-dependent slapd.conf output. The server role is looked up once; every
# branch below only compares against it.
role = configRegistry.get('server/role')
directory_node_roles = ('domaincontroller_master', 'domaincontroller_backup', 'domaincontroller_slave')

if role == 'domaincontroller_master':
    # Constraint and referential-integrity overlays are declared on the Primary
    # Directory Node only.
    print("# enforce constrains on LDAP level as well as on UDM level to prevent undesired results due to racing conditions")
    # "overlay constraint" is deliberately not emitted: UCS already loads that
    # overlay, and slapd complains when it is declared a second time.
    print("constraint_attribute ucsschoolLegalGuardian count 4")
    print("constraint_attribute ucsschoolLegalWard count 10")
    print()
    print("overlay           refint")
    # Referential integrity for the guardian/ward links is handled by
    # slapo-refint instead of the memberof-refint option further down (the same
    # approach as for uniqueMember/memberOf).
    print("refint_attributes ucsschoolLegalGuardian")
    print("refint_attributes ucsschoolLegalWard")
    print()

if role in directory_node_roles:
    # No "moduleload" here: ITS#6030 prevents loading a module twice, but an
    # already loaded overlay may be instantiated again with a different config.
    print("overlay                  memberof")
    print("memberof-group-oc        ucsschoolStudent")
    print("memberof-member-ad       ucsschoolLegalGuardian")
    print("memberof-memberof-ad     ucsschoolLegalWard")
    print("memberof-dangling        ignore")
    print("memberof-refint          false")
    print()
    print()

# The ACL set assembled above is emitted on Primary and Backup Directory Nodes;
# the else branch covers every other role, not only Replica Directory Nodes.
if role in ('domaincontroller_master', 'domaincontroller_backup'):
    print(aclset)
else:
    print('# no ACL required on Replica Directory Node')
@!@

# end 61ucsschool_presettings
