# base tree
dn: @SUFFIX@
dc: @DC@
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: @DOMAIN@

dn: o=default,@SUFFIX@
o: default
objectClass: organization

dn: ou=accounts,o=default,@SUFFIX@
ou: accounts
objectClass: organizationalUnit

dn: ou=groups,o=default,@SUFFIX@
ou: groups
objectClass: organizationalUnit
description: Container for user accounts

dn: ou=system accounts,o=default,@SUFFIX@
ou: system accounts
objectClass: organizationalUnit
description: Container for System and Services privileged accounts

dn: ou=system groups,o=default,@SUFFIX@
ou: system groups
objectClass: organizationalUnit
description: Container for System and Services privileged groups

dn: ou=hosts,o=default,@SUFFIX@
ou: hosts
objectClass: organizationalUnit
description: Container for Samba machine accounts

dn: ou=idmap,o=default,@SUFFIX@
ou: idmap
objectClass: organizationalUnit
description: Container for Samba Winbind ID mappings

dn: ou=contacts,o=default,@SUFFIX@
ou: contacts
objectClass: organizationalUnit
description: Container for global address book entries

dn: ou=sudoers,o=default,@SUFFIX@
ou: sudoers
objectClass: organizationalUnit
description: Container for sudo related entries

dn: ou=dhcp,o=default,@SUFFIX@
ou: dhcp
objectClass: organizationalUnit
description: Container for DHCP related entries

dn: ou=dns,o=default,@SUFFIX@
ou: dns
objectClass: organizationalUnit
description: Container for DNS related entries

dn: ou=password policies,o=default,@SUFFIX@
ou: password policies
objectClass: organizationalUnit
description: Container for OpenLDAP password policies

dn: cn=default,ou=password policies,o=default,@SUFFIX@
cn: default
objectClass: pwdPolicy
objectClass: namedObject
pwdAttribute: userPassword

# System Accounts
dn: uid=account admin,ou=system accounts,o=default,@SUFFIX@
uid: account admin
objectClass: account
objectClass: simpleSecurityObject
userPassword: {CRYPT}x
description: Account used to administer all users, groups, machines and general accounts

dn: uid=nssldap,ou=system accounts,o=default,@SUFFIX@
uid: nssldap
objectClass: account
objectClass: simpleSecurityObject
userPassword: {CRYPT}x
description: Unprivileged account which can be used by nss_ldap for when anonymous searches are disabled

dn: uid=MTA admin,ou=system accounts,o=default,@SUFFIX@
uid: mta admin
objectClass: account
objectClass: simpleSecurityObject
userPassword: {CRYPT}x
description: Account used to administer email related attributes

dn: uid=DHCP Admin,ou=system accounts,o=default,@SUFFIX@
uid: DHCP Admin
objectClass: account
objectClass: simpleSecurityObject
userPassword: {CRYPT}x
description: Account used to administer DHCP related entries and attributes

dn: uid=DHCP Reader,ou=system accounts,o=default,@SUFFIX@
uid: DHCP Reader
objectClass: account
objectClass: simpleSecurityObject
userPassword: {CRYPT}x
description: Account used to read entries and attributes under ou=dhcp

dn: uid=DNS Admin,ou=system accounts,o=default,@SUFFIX@
uid: DNS Admin
objectClass: account
objectClass: simpleSecurityObject
userPassword: {CRYPT}x
description: Account used to administer DNS related entries and attributes

dn: uid=DNS Reader,ou=system accounts,o=default,@SUFFIX@
uid: DNS Reader
objectClass: account
objectClass: simpleSecurityObject
userPassword: {CRYPT}x
description: Account used to read entries and attributes under ou=dns

dn: uid=Sudo Admin,ou=system accounts,o=default,@SUFFIX@
uid: Sudo Admin
objectClass: account
objectClass: simpleSecurityObject
userPassword: {CRYPT}x
description: Account used to administer Sudo related entries and attributes

dn: uid=Address Book Admin,ou=system accounts,o=default,@SUFFIX@
uid: Address Book Admin
objectClass: account
objectClass: simpleSecurityObject
userPassword: {CRYPT}x
description: Account used to administer global Address Book related entries and attributes

dn: uid=LDAP Admin,ou=system accounts,o=default,@SUFFIX@
uid: LDAP Admin
objectClass: account
objectClass: simpleSecurityObject
userPassword: @ldapadmin_password@
description: Account used to administer all parts of the Directory

dn: uid=LDAP Replicator,ou=system accounts,o=default,@SUFFIX@
uid: LDAP Replicator
objectClass: account
objectClass: simpleSecurityObject
userPassword: {CRYPT}x
description: Account used by consumer servers for replication

dn: uid=LDAP Monitor,ou=system accounts,o=default,@SUFFIX@
uid: LDAP Monitor
objectClass: account
objectClass: simpleSecurityObject
userPassword: {CRYPT}x
description: Account used to read cn=monitor entries

dn: uid=Idmap Admin,ou=system accounts,o=default,@SUFFIX@
uid: Idmap Admin
objectClass: account
objectClass: simpleSecurityObject
userPassword: {CRYPT}x
description: Account used to administer Samba Winbind ID mapping related entries and attributes

dn: uid=EGW Admin,ou=system accounts,o=default,@SUFFIX@
uid: EGW Admin
objectClass: account
objectClass: simpleSecurityObject
userPassword: {CRYPT}x
description: Account used by eGroupWare

# Groups associated with system accounts
dn: cn=LDAP Admins,ou=system groups,o=default,@SUFFIX@
cn: LDAP Admins
objectClass: groupOfNames
description: Members can administer all parts of the Directory
owner: uid=LDAP Admin,ou=system accounts,o=default,@SUFFIX@
member: uid=LDAP Admin,ou=system accounts,o=default,@SUFFIX@

dn: cn=Account Admins,ou=system groups,o=default,@SUFFIX@
cn: Account Admins
objectClass: groupOfNames
description: Members can administer all user, group and machine accounts
owner: uid=Account Admin,ou=system accounts,o=default,@SUFFIX@
member: uid=Account Admin,ou=system accounts,o=default,@SUFFIX@
member: uid=EGW Admin,ou=system accounts,o=default,@SUFFIX@

dn: cn=Sudo Admins,ou=system groups,o=default,@SUFFIX@
cn: Sudo Admins
objectClass: groupOfNames
description: Members can administer ou=sudoers entries and attributes
owner: uid=Sudo Admin,ou=system accounts,o=default,@SUFFIX@
member: uid=Sudo Admin,ou=system accounts,o=default,@SUFFIX@

dn: cn=DNS Admins,ou=system groups,o=default,@SUFFIX@
cn: DNS Admins
objectClass: groupOfNames
description: Members can administer ou=DNS entries and attributes
owner: uid=DNS Admin,ou=system accounts,o=default,@SUFFIX@
member: uid=DNS Admin,ou=system accounts,o=default,@SUFFIX@

dn: cn=DNS Readers,ou=system groups,o=default,@SUFFIX@
cn: DNS Readers
objectClass: groupOfNames
description: Members can read entries and attributes under ou=dns
owner: uid=DNS Admin,ou=system accounts,o=default,@SUFFIX@
member: uid=DNS Reader,ou=system accounts,o=default,@SUFFIX@

dn: cn=DHCP Admins,ou=system groups,o=default,@SUFFIX@
cn: DHCP Admins
objectClass: groupOfNames
description: Members can administer ou=DHCP entries and attributes
owner: uid=DHCP Admin,ou=system accounts,o=default,@SUFFIX@
member: uid=DHCP Admin,ou=system accounts,o=default,@SUFFIX@

dn: cn=DHCP Readers,ou=system groups,o=default,@SUFFIX@
cn: DHCP Readers
objectClass: groupOfNames
description: Members can read entries and attributes under ou=dhcp
owner: uid=DHCP Admin,ou=system accounts,o=default,@SUFFIX@
member: uid=DHCP Reader,ou=system accounts,o=default,@SUFFIX@

dn: cn=Address Book Admins,ou=system groups,o=default,@SUFFIX@
cn: Address Book Admins
objectClass: groupOfNames
description: Members can administer ou=Address Book entries and attributes
owner: uid=Address Book Admin,ou=system accounts,o=default,@SUFFIX@
member: uid=Address Book Admin,ou=system accounts,o=default,@SUFFIX@
member: uid=EGW Admin,ou=system accounts,o=default,@SUFFIX@

dn: cn=LDAP Replicators,ou=system groups,o=default,@SUFFIX@
cn: LDAP Replicators
objectClass: groupOfNames
description: Members can be used for syncrepl replication
owner: uid=LDAP Replicator,ou=system accounts,o=default,@SUFFIX@
member: uid=LDAP Replicator,ou=system accounts,o=default,@SUFFIX@

dn: cn=MTA Admins,ou=system groups,o=default,@SUFFIX@
cn: MTA Admins
objectClass: groupOfNames
description: Members can administer email related attributes
owner: uid=MTA Admin,ou=system accounts,o=default,@SUFFIX@
member: uid=MTA Admin,ou=system accounts,o=default,@SUFFIX@

dn: cn=LDAP Monitors,ou=system groups,o=default,@SUFFIX@
cn: LDAP Monitors
objectClass: groupOfNames
description: Members can read the cn=monitor backend
owner: uid=LDAP Monitor,ou=system accounts,o=default,@SUFFIX@
member: uid=LDAP Monitor,ou=system accounts,o=default,@SUFFIX@

dn: cn=Idmap Admins,ou=system groups,o=default,@SUFFIX@
cn: Idmap Admins
objectClass: groupOfNames
description: Members can administer ou=Idmap entries and attributes
owner: uid=Idmap Admin,ou=system accounts,o=default,@SUFFIX@
member: uid=Idmap Admin,ou=system accounts,o=default,@SUFFIX@