diff --git a/manifests/init.pp b/manifests/init.pp
index a48b62a..55f2306 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -11,6 +11,7 @@ class wmdeit_ldap (
 $database,
 $rootdn,
 $rootpw,
+ $starttls = "no",
 $serverid,
 $simple_bind_tls = "128",
@@ -92,9 +93,8 @@ class wmdeit_ldap (
 ], # let users modify their passwords, and disable read acess to all others
-# '4 to attrs=userPassword filter=(!(memberof=cn=NOLOGIN,ou=Groups,dc=wikimedia,dc=de))' => [
-# '4 to attrs=userPassword filter=(!(shadowExpire=0))' => [
- '4 to attrs=userPassword' => [
+ '4 to attrs=userPassword filter=(!(memberof=cn=NOLOGIN,ou=Groups,dc=wikimedia,dc=de))' => [
+# '4 to attrs=userPassword' => [
 "by self write",
 "by anonymous auth",
 "by * none",
@@ -280,7 +280,7 @@ class wmdeit_ldap (
 $mirrormode=true
 $syncrepl = $syncrepl_providers.map |Integer $index, $provider| {
 $i = $index+1
- "rid=00$i provider=${provider[proto]}://${provider[host]}:${provider[port]} binddn=\"$rootdn\" bindmethod=simple credentials=$rootpw searchbase=\"$database\" scope=sub attrs=\"*,+\" filter=\"(objectClass=*)\" type=refreshAndPersist tls_cacert=$cacert tls_key=$privkey tls_cert=$pubcert starttls=yes retry=\"3 60 6 300 30 +\" timeout=1"
+ "rid=00$i provider=${provider[proto]}://${provider[host]}:${provider[port]} binddn=\"$rootdn\" bindmethod=simple credentials=$rootpw searchbase=\"$database\" scope=sub attrs=\"*,+\" filter=\"(objectClass=*)\" type=refreshAndPersist tls_cacert=$cacert tls_key=$privkey tls_cert=$pubcert starttls=$starttls retry=\"3 60 6 300 30 +\" timeout=1"
 }
 $syncrepl_providers.each |Integer $index, $provider| {
 if $provider[ip] {
@@ -315,9 +315,10 @@ class wmdeit_ldap (
 ensure => present,
 }
 ->
- openldap::server::overlay { "smbk5pwd on $database":
- ensure => present,
- }
+# openldap::server::overlay { "smbk5pwd on $database":
+# ensure => present,
+# }
+
 # openldap::server::overlay { "ppolicy on $database":
 # ensure => absent,
 # }
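Review bot: The new `$starttls` parameter in the `@@ -11,6 +11,7 @@` hunk defaults to `"no"`, so every existing caller silently loses the `starttls=yes` that the syncrepl string in the `@@ -280,7 +280,7 @@` hunk used to hard-code. That string binds with `bindmethod=simple` and `credentials=$rootpw`, so on an `ldap://` provider the rootdn password and the replicated data would cross the network unencrypted. I would keep the previous behaviour as the default and restrict the accepted values, e.g. `Enum['no', 'yes', 'critical'] $starttls = 'yes',`, and prefer `critical` where the providers support it, because with `yes` slapd continues the syncrepl session without TLS when the StartTLS request fails. The parameter list continues outside the hunk.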
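Review bot: With the filter added to rule 4 in the `@@ -92,9 +93,8 @@` hunk, entries that are members of `cn=NOLOGIN` no longer match this `userPassword` rule at all, so access to their `userPassword` is decided by whichever later rule matches rather than by the `by * none` here. If a later rule (outside this hunk) grants read or auth on all attributes, their password hashes could become readable and binds could still succeed; a following `to attrs=userPassword` entry with only `"by * none"` would close that. The filter also relies on `memberof` being maintained on user entries (presumably by the memberof overlay); where it is not, `(!(memberof=...))` matches every entry and the NOLOGIN group has no effect. The group DN hard-codes `dc=wikimedia,dc=de`, while other parts of the class take the suffix from `$database`.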
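Review bot: Commenting out the smbk5pwd resource in the `@@ -315,9 +315,10 @@` hunk leaves the `->` on the context line above it chained to whatever statement follows the commented blocks, which is outside this hunk. If nothing follows, the manifest presumably no longer parses; otherwise an unintended ordering dependency is created, so the arrow should be removed together with the resource. Dropping the declaration also does not unload the overlay on servers that already have it; if removal is the intent, `ensure => absent` (as in the commented ppolicy block) states it explicitly. Deleting the lines would be clearer than keeping them as comments.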