diff --git a/manifests/init.pp b/manifests/init.pp
index ebb4dc5..848a0a7 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -68,25 +68,60 @@ class wmdeit_ldap (
 ],
 $ssldir = "/etc/ldap/ssl",
- $acls = [
- # grant accces to domain admins
- 'to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break',
- 'to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break',
+ $acl = {
+ # Super access to local root user
+ '0 to *' => [
+ 'by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage',
+ 'by * break',
+ ],
+ # Admin rights for members of Admin group
+ '1 to *' => [
+ "by set=\"user & [cn=Admins,ou=Groups,$database]/member\" write",
+ 'by * break'
+ ],
+ # let users modify their passwords, and disable read acess to all others
+ '2 to attrs=userPassword,sambaNTPassword' => [
+ "by self write",
+ "by anonymous auth",
+ "by * none",
+ ],
+ # let users read all
+ '3 to *' => [
+ "by anonymous break",
+ "by * read",
+ ],
+ "4 to dn.subtree=\"$database\" attrs=entry,objectClass" => [
+ "by anonymous read",
+ "by * break",
+ ],
+ '5 to *' => [
+ "by * none",
+ ]
+
+
+ },
+
+
+ # 'by set="user & [cn=Admins,ou=Groups,dc=wikimedia,dc=de]/member" write by * break'
 # super acces to local root user
- 'to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break',
+ # 'to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break',
+ # grant accces to domain admins
+ # 'to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break',
+ # 'to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break',
+ # 'to * by set="user & [cn=Admins,ou=Groups,dc=wikimedia,dc=de]/member" write by * break',
+ # 'to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break',
+
- # let users modify their passwords
- 'to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=wikimedia,dc=de" write by * none',
+ # let users modify their passwords
+ # 'to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=wikimedia,dc=de" write by * none',
+ # 'to attrs=entry,children,objectClass,uid by anonymous read by * break',
- 'to attrs=entry,children,objectClass,uid by anonymous read by * break',
+ # 'to * by anonymous none by * break',
- 'to * by anonymous none by * break',
-
- 'to dn.base="" by * read',
- 'to * by self write by dn="cn=admin,dc=wikimedia,dc=de" write by * read',
- ]
+ # 'to dn.base="" by * read',
+ # 'to * by self write by dn="cn=admin,dc=wikimedia,dc=de" write by * read',
 ){
 $clientcert = $facts[clientcert]
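Review bot: The new `'2 to attrs=userPassword,sambaNTPassword'` rule is the only thing between password hashes and the `'3 to *' => "by * read"` rule that follows it, so any hash-bearing attribute not listed there — `sambaLMPassword` in particular, if the samba schema or the smbk5pwd overlay populates it on these entries — would be readable by every authenticated bind. I would widen the rule to `'2 to attrs=userPassword,sambaNTPassword,sambaLMPassword' => [` and audit the entries for other sensitive attributes (e.g. sambaPasswordHistory) before relying on the catch-all read. Rule `"4 to dn.subtree=\"$database\" attrs=entry,objectClass"` also grants anonymous read across the whole suffix, which lets unauthenticated clients enumerate every DN; if that is only needed for a particular OU, scope the `dn.subtree` to it. The old ACL strings kept as comments inside the parameter list could be dropped now that `$acl` replaces them. The class parameter list continues outside the hunk.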
@@ -263,33 +298,48 @@ class wmdeit_ldap ( rootpw => $rootpw, # syncrepl => $syncrepl, mirrormode => $mirrormode, - } #-> -# openldap::server::overlay { "memberof on $database": -# ensure => present, -# } -> + } + -> + openldap::server::overlay { "memberof on $database": + ensure => present, + } +# -> # openldap::server::overlay { "syncprov on $database": # ensure => present, -# } -> -# openldap::server::overlay { "smbk5pwd on $database": -# ensure => present, -# } +# } + -> + openldap::server::overlay { "smbk5pwd on $database": + ensure => present, + } -# $acls.each |Integer $i, String $acl | { +# $acls.each |Integer $i, $acl | { +# notify{"Set ACL $i $acl":} # openldap::server::access { "{$i}$acl": +# openldap::server::access { "$i on $database": # suffix => "$database", # ensure => present, +# access => $acl['access'], +# what => $acl['to'], # } # } +# + + openldap::server::access_wrapper { $database : + acl => $acl, + } + + #'''''################################################################################################## # # -## openldap::server::access { '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break': +# openldap::server::access { '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break on $database': # suffix => "$database", +# access => '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break', # ensure => present, # } - +# # openldap::server::access { '{1}to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break': # suffix => "$database", # ensure => present,