diff --git a/manifests/init.pp b/manifests/init.pp
new file mode 100644
index 0000000..e5494af
--- /dev/null
+++ b/manifests/init.pp
@@ -0,0 +1,302 @@
+#x
+
+class wmdelit_ldap (
+ $log_level = 0,
+
+ $configdn = 'cn=admin,cn=config',
+ $configpw = '123',
+ $syncrepl_providers = [
+ ],
+
+ $database = "dc=wikimedia,dc=de",
+ $rootdn = "cn=admin,dc=wikimedia,dc=de",
+ $rootpw = "123",
+
+ $serverid,
+ $simple_bind_tls = "128",
+
+ $schema_path = '/etc/ldap/schema',
+ $schema = [
+ "samba",
+# "nis",
+# "rfc2307bis",
+# "solaris",
+ "dnszone",
+ "univention",
+ "univention-objecttype",
+ "krb5-kdc",
+ "directory",
+ "policy",
+ "msgpo",
+ "dhcp",
+ "univention-dhcp",
+ "mail",
+# "automount",
+ "user",
+ "self-service-passwordreset",
+ "univention-saml",
+ "univention-virtual-machine-manager",
+ "nagios",
+ "share",
+ "network",
+ "portal",
+ "univention-default",
+ "univention-app",
+ "univention-object-metadata",
+ "univention-ldap-extension",
+ "license",
+ "ppolicy",
+ "template",
+ "lock",
+ "udm-extension",
+ "custom-attribute",
+ "univention-syntax",
+ "nextcloud",
+ "openproject",
+ "networkaccess",
+
+ ],
+ $ssldir = "/etc/ldap/ssl",
+
+ $acls = [
+ # grant accces to domain admins
+ 'to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break',
+ 'to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break',
+
+ # super acces to local root user
+ 'to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break',
+
+ # let users modify their passwords
+ 'to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=wikimedia,dc=de" write by * none',
+
+
+ 'to attrs=entry,children,objectClass,uid by anonymous read by * break',
+
+ 'to * by anonymous none by * break',
+
+ 'to dn.base="" by * read',
+ 'to * by self write by dn="cn=admin,dc=wikimedia,dc=de" write by * read',
+ ]
+
+){
+ $clientcert = $facts[clientcert]
+
+ $pubcert = "$ssldir/cert.pem"
+ $privkey = "$ssldir/priv.pem"
+ $cacert = "$ssldir/ca.pem"
+
+ file { "/etc/ldap":
+ ensure => directory
+ } ->
+
+ # SSL stuff ... copy CA cert and keys used by puppet agent to
+ # a separate directory and make them accesible by openldap
+ file { "$ssldir":
+ ensure => directory,
+ owner => "openldap",
+ group => "openldap",
+ mode => "0600",
+ } ->
+ file { "$cacert": # copy CA cert
+ ensure => file,
+ source => "/var/lib/puppet/ssl/certs/ca.pem",
+ owner => "openldap",
+ group => "openldap",
+ mode => "0600",
+ } ->
+ file { "$pubcert": # copy public key
+ ensure => file,
+ source => "/var/lib/puppet/ssl/certs/$clientcert.pem",
+ owner => "openldap",
+ group => "openldap",
+ mode => "0600",
+ } ->
+ file { "$privkey": # copy private key
+ ensure => file,
+ source => "/var/lib/puppet/ssl/private_keys/$clientcert.pem",
+ owner => "openldap",
+ group => "openldap",
+ mode => "0600",
+ } ->
+
+
+ class { 'openldap::server':
+ ssl_ca => "$cacert",
+ ssl_cert => "$pubcert",
+ ssl_key => "$privkey",
+ ldaps_ifs => ['/'],
+ }
+
+
+# openldap::server::globalconf { 'TLSCACertificateFile':
+# ensure => present,
+# value => { "TLSCACertificateFile"=>"$ssldir/ca.pem" }
+# }
+
+
+# openldap::server::globalconf { 'TLSCertificateKeyFile':
+# ensure => present,
+# value => { "TLSCertificateKeyFile"=>"$ssldir/privkey.pem" }
+# }
+
+# openldap::server::globalconf { 'TLSCertificateFile':
+# ensure => present,
+# value => "$ssldir/pubkey.pem"
+# }
+
+ openldap::server::globalconf { 'LogLevel':
+ ensure => present,
+ value => { "LogLevel"=>"$log_level" }
+ }
+
+
+
+ openldap::server::globalconf { 'Security':
+ ensure => present,
+ value => { 'Security' => [ "simple_bind=$simple_bind_tls", 'ssf=0', "tls=0" ] },
+ }
+
+# openldap::server::schema{"nis":
+# ensure => absent
+
+# }
+
+
+ # add schemas
+ $schema.each | $s | {
+
+ file { "$schema_path/$s.schema":
+ ensure => file,
+ source => "puppet:///downloads/schema/$s.schema",
+
+ }->
+ openldap::server::schema { "$s":
+ ensure => present,
+ path => "$schema_path/$s.schema",
+ }
+ }
+
+
+ openldap::server::module { 'memberof':
+ ensure => present,
+ }
+ openldap::server::module { 'syncprov':
+ ensure => present,
+ }
+
+ package { "heimdal-kdc":
+ ensure => installed,
+ }->
+ package {"slapd-smbk5pwd":
+ ensure => installed,
+ } ->
+ openldap::server::module { 'smbk5pwd':
+ ensure => present,
+ }
+
+ openldap::server::globalconf { 'ServerID':
+ ensure => present,
+ value => { "ServerID"=>"$serverid" }
+ }
+
+ openldap::server::globalconf { 'TLSVerifyClient':
+ ensure => present,
+ value => { "TLSVerifyClient"=>"never" }
+ }
+
+
+ # ensure config database is present and dn and pw are set
+ openldap::server::database { 'cn=config':
+ ensure => present,
+ backend => config,
+ rootdn => $configdn,
+ rootpw => $configpw
+ }
+
+
+ # Build list of syncrepl-entries, store it in $syncrepl
+ if !empty ($syncrepl_providers) {
+ $mirrormode=true
+ $syncrepl = $syncrepl_providers.map |Integer $index, String $provider| {
+ $i = $index+1
+ "rid=00$i provider=$provider binddn=\"$rootdn\" bindmethod=simple credentials=$rootpw searchbase=\"$database\" type=refreshAndPersist tls_cacert=$cacert tls_key=$privkey tls_cert=$pubcert starttls=yes retry=\"3 60 6 300 30 +\"" #timeout=1"
+ }
+
+ }
+
+
+ # create the main database
+ openldap::server::database { "$database":
+ ensure => present,
+ rootdn => $rootdn,
+ rootpw => $rootpw,
+ syncrepl => $syncrepl,
+ mirrormode => $mirrormode,
+ } ->
+ openldap::server::overlay { "memberof on $database":
+ ensure => present,
+ } ->
+ openldap::server::overlay { "syncprov on $database":
+ ensure => present,
+ } ->
+ openldap::server::overlay { "smbk5pwd on $database":
+ ensure => present,
+ }
+
+
+
+## openldap::server::access { '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break':
+# suffix => "$database",
+# ensure => present,
+# }
+
+# openldap::server::access { '{1}to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break':
+# suffix => "$database",
+# ensure => present,
+# }
+#
+# openldap::server::access { '{2}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break':
+# suffix => "$database",
+# ensure => present,
+## }
+
+# openldap::server::access { '{3}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=wikimedia,dc=de" write by * none':
+# suffix => "$database",
+## ensure => present,
+# }
+
+# openldap::server::access { '{4}to dn.base="" by * read':
+# suffix => "$database",
+# ensure => present,
+# }
+#
+# openldap::server::access { '{5}to * by self write by dn="cn=admin,dc=wikimedia,dc=de" write by * read':
+# suffix => "$database",
+# ensure => present,
+# }
+#
+ $acls.each |Integer $i, String $acl | {
+
+# notify {"$i -> $acl":}
+
+ openldap::server::access { "{$i}$acl":
+ suffix => "$database",
+ ensure => present,
+ }
+
+ }
+
+# openldap::server::dbindex { 'uid pres,eq':
+# ensure => present,
+# suffix => "$database",
+# }
+# openldap::server::dbindex { 'sn eq,approx,sub':
+# ensure => present,
+# suffix => "$database",
+# }
+
+
+
+}
+
+
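Review bot: The class parameters ship working default credentials, `$configpw = '123'` and `$rootpw = "123"`, and `$rootpw` is additionally written in clear text into every generated syncrepl entry (`credentials=$rootpw`) with `starttls=yes`, which per slapd.conf(5) lets the replication session continue without TLS if the StartTLS request fails; drop the `'123'` defaults so both passwords must be supplied like `$serverid` already is (or accept them as `Sensitive` if the openldap module's `rootpw` supports it), and use `starttls=critical` in that string. `$syncrepl` and `$mirrormode` are only assigned inside `if !empty ($syncrepl_providers)`, so on a standalone server the main `openldap::server::database` resource reads never-assigned variables, which is a compilation error when `strict_variables` is enabled; add an `else` branch that sets `$mirrormode = false` and `$syncrepl = undef`. The default `$acls` hard-code `dn="cn=admin,dc=wikimedia,dc=de"` although the class exposes `$rootdn` as a parameter, so overriding `$rootdn` silently leaves the ACLs granting write to a DN that may no longer exist; derive those clauses from `$rootdn`, or drop them, since OpenLDAP's rootdn is not subject to access control in the first place. Copying the Puppet agent's own private key into `$ssldir` for slapd also ties the agent's identity to the LDAP service's key material, so a comment on the `file { "$privkey": ... }` resource stating that trade-off (`# reuses the puppet agent key: a slapd compromise exposes the agent identity`) would help the next maintainer.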