
# For member servers there is, so far, no group along the lines of
# "DC Slave Hosts" that could be queried to grant its members access. For
# that reason a separate group "OPSI Depot Servers" has to be created
# manually; it is evaluated in the ACLs below, and member servers must be
# added to it if they are to act as depot servers.
#
# How this file is evaluated (slapd ACL semantics):
#  - The @%@ldap/base@%@ tokens are substituted with the directory base when
#    the template is rendered; every DN below is relative to that base.
#  - Rules are matched in order. A "by ... break" clause lets evaluation
#    continue with later rules for the same request; a "by * none" clause
#    without "break" is final for the matched target.

# The admin DN gets write access to the whole cn=opsi subtree; for every
# other requester evaluation continues with the more specific rules below.
access to dn.sub="cn=opsi,@%@ldap/base@%@"
	by dn="cn=admin,@%@ldap/base@%@" write
	by * none break

# Protect attribute opsiHostKey
# This rule has no DN scope, so it covers opsiHostKey on every entry in the
# directory, and its final "by * none" is not followed by "break": no later
# rule (in particular the "by self write" at the end of this file) can grant
# access to this attribute. Keep it ahead of any rule that writes @opsiHost.
access to attrs=opsiHostKey
	by dn="cn=admin,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=opsiadmin,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=DC Backup Hosts,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=DC Slave Hosts,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=OPSI Depot Servers,cn=groups,@%@ldap/base@%@" write
	by * none

# New children can be added to cn=opsi
# Only the "children" pseudo-attribute is covered here; access to the
# attributes of the cn=opsi entry itself is handled by the two rules below.
access to dn="cn=opsi,@%@ldap/base@%@"
	attrs=children
	by group/univentionGroup/uniqueMember="cn=DC Backup Hosts,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=DC Slave Hosts,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=OPSI Depot Servers,cn=groups,@%@ldap/base@%@" write
	by * none break

# cn=opsi shall be readable
# Operational attributes of the cn=opsi entry.
# NOTE(review): "OPSI Depot Servers" is granted write here and in the next
# rule, while the two DC host groups only get read — confirm that asymmetry
# is intended; the next rule covers all remaining attributes of cn=opsi.
access to dn="cn=opsi,@%@ldap/base@%@"
	attrs="entryUUID,structuralObjectClass,creatorsName,modifiersName,modifyTimestamp,entryCSN,createTimestamp"
	by group/univentionGroup/uniqueMember="cn=DC Backup Hosts,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=DC Slave Hosts,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=OPSI Depot Servers,cn=groups,@%@ldap/base@%@" write
	by * none break

# All remaining attributes of the cn=opsi entry itself.
access to dn="cn=opsi,@%@ldap/base@%@"
	by group/univentionGroup/uniqueMember="cn=DC Backup Hosts,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=DC Slave Hosts,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=OPSI Depot Servers,cn=groups,@%@ldap/base@%@" write
	by * none break

# Children (one) of cn=opsi shall be of objectClass organizationalRole only
# dn.one matches only the direct children; the filter additionally requires
# an organizationalRole entry, and the final "by * none" is not followed by
# "break", so no later rule grants anyone else access to these entries.
access to dn.one="cn=opsi,@%@ldap/base@%@"
	attrs="@organizationalRole,entry,children,structuralObjectClass,entryCSN,entryUUID,modifyTimestamp,modifiersName,createTimestamp,creatorsName,entryDN,subschemaSubentry,hasSubordinates"
	filter="(objectClass=organizationalRole)"
	by group/univentionGroup/uniqueMember="cn=DC Backup Hosts,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=DC Slave Hosts,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=OPSI Depot Servers,cn=groups,@%@ldap/base@%@" write
	by * none

# children of cn=opsi with the following objectClasses might be added and
# deleted at will
# The regex matches entries at least two levels below cn=opsi, i.e. anything
# underneath one of the cn=... containers handled by the dn.one rule above;
# the direct children themselves are not matched here.
access to dn.regex="^.*,cn=[^,]+,cn=opsi,@%@ldap/base@%@$"
	attrs="entry,children,@opsiNetworkConfig,@opsiGeneralConfig,@organizationalRole,@opsiProduct,@opsiServerProduct,@opsiLocalBootProduct,@opsiNetBootProduct,@opsiProductClass,@opsiDependency,@opsiProductDependency,@opsiProductClassDependency,@opsiConfig,@opsiUnicodeConfig,@opsiBoolConfig,@opsiConfigState,@opsiProductProperty,@opsiUnicodeProductProperty,@opsiBoolProductProperty,@opsiGroup,@opsiHostGroup,@opsiProductGroup,@opsiProductState,@opsiProductPropertyDefinition,@opsiProductOnDepot,@opsiProductOnClient,@opsiProductPropertyState,structuralObjectClass,entryCSN,entryUUID,modifyTimestamp,modifiersName,createTimestamp,creatorsName,entryDN,subschemaSubentry,hasSubordinates"
	by group/univentionGroup/uniqueMember="cn=DC Backup Hosts,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=DC Slave Hosts,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=OPSI Depot Servers,cn=groups,@%@ldap/base@%@" write
	by * none break

# allow write access to Windows Hosts objectClasses opsiHost and opsiClient by
# all possible OPSI Depot/Config Servers
# This rule is not DN-scoped: it applies to every univentionWindows entry in
# the directory, and besides the opsi attribute sets it also grants the three
# host groups write on macAddress, aRecord, description and
# univentionInventoryNumber. opsiHostKey stays excluded by the earlier rule,
# even if it is part of @opsiHost.
access to filter="(objectClass=univentionWindows)"
	attrs="@opsiHost,@opsiClient,description,macAddress,aRecord,univentionInventoryNumber,structuralObjectClass,entryCSN,entryUUID,modifyTimestamp,modifiersName,createTimestamp,creatorsName,entryDN,subschemaSubentry,hasSubordinates"
	by group/univentionGroup/uniqueMember="cn=DC Backup Hosts,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=DC Slave Hosts,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=OPSI Depot Servers,cn=groups,@%@ldap/base@%@" write
	by * none break

# allow write access to univention Hosts objectClasses opsiHost, opsiDepotserver and opsiConfigserver by self
# NOTE(review): "by self" lets every univentionHost entry modify its own
# macAddress, aRecord, description and opsiDepotserver/opsiConfigserver
# attributes (opsiHostKey excepted, see above) — confirm this matches the
# intended trust placed in individual hosts. Evaluation continues ("break")
# for all other requesters, so rules appended after this template still apply.
access to filter="(objectClass=univentionHost)"
	attrs="@opsiHost,@opsiDepotserver,@opsiConfigserver,description,macAddress,aRecord,univentionInventoryNumber"
	by self write
	by * none break

