diff --git a/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/40univention-ldap-server_database b/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/40univention-ldap-server_database index 64c8b1a872..4513a531cb 100644 --- a/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/40univention-ldap-server_database +++ b/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/40univention-ldap-server_database @@ -2,6 +2,17 @@ modulepath /usr/lib/ldap moduleload back_@%@ldap/database/type@%@.so @!@ +import ldap + +def print_checked_base(confpart): + if not ldap.dn.is_dn(configRegistry['ldap/base']): + import sys + errmsg = '#Error: ucr key ‘ldap/base’ is not a valid dn!' + print >>sys.stderr, errmsg + print errmsg + print '#', # quote the following template line + print confpart + if configRegistry.get('ldap/translogfile'): print "moduleload\ttranslog.so" if configRegistry.is_true('ldap/k5pwd', True): @@ -16,7 +27,7 @@ print 'moduleload\tconstraint.so' print '\n' print 'database\t%(ldap/database/type)s' % configRegistry -print 'suffix\t\t"%(ldap/base)s"' % configRegistry +print_checked_base('suffix\t\t"%(ldap/base)s"' % configRegistry) print '' if configRegistry.get('ldap/translogfile'): 
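Review bot: In `print_checked_base`, `print '#',` comments out only the first line of `confpart`, so a multi-line argument would be emitted with every line after the first still active; the callers in this file pass single lines, but the same helper is copied verbatim into 60univention-ldap-server_acl-master (@@ -1,5) and 62univention-ldap-server_acl-portal (@@ -1,9), and the portal copy is handed a triple-quoted block. Prefixing every line instead, e.g. replacing `print '#',` with `confpart = '\n'.join('# ' + line for line in confpart.split('\n'))`, makes the fallback hold for any argument. The message literal also contains non-ASCII curly quotes (‘ ’) inside a Python 2 block (`print >>sys.stderr`) with no coding declaration; plain ASCII quotes avoid depending on how UCR compiles the `@!@` section. Keeping one definition in a shared module rather than three copies would also keep later fixes in sync.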
@@ -114,11 +125,11 @@ for key in configRegistry.get('ldap/limits', '').split(';'): print if configRegistry['ldap/server/type'] == "master": - print 'rootdn\t\t"cn=admin,%(ldap/base)s"' % configRegistry + print_checked_base('rootdn\t\t"cn=admin,%(ldap/base)s"' % configRegistry) elif configRegistry['ldap/server/type'] == "slave": - print 'rootdn\t\t"cn=update,%s"'%configRegistry['ldap/base'] + print_checked_base('rootdn\t\t"cn=update,%s"'%configRegistry['ldap/base']) print 'include\t\t/etc/ldap/rootpw.conf' - print 'updatedn\t"cn=update,%s"'%configRegistry["ldap/base"] + print_checked_base('updatedn\t"cn=update,%s"'%configRegistry["ldap/base"]) if configRegistry.is_true("ldap/online/master", True): print 'updateref\tldap://%s:%s'% (configRegistry["ldap/master"], configRegistry.get("ldap/master/port", 7389)) @!@ diff --git a/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-master b/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-master index 3d7aecd147..17e8441162 100644 --- a/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-master +++ b/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-master @@ -1,5 +1,15 @@ @!@ from univention.lib.misc import custom_username, custom_groupname +import ldap + +def print_checked_base(confpart): + if not ldap.dn.is_dn(configRegistry['ldap/base']): + import sys + errmsg = '#Error: ucr key ‘ldap/base’ is not a valid dn!' + print >>sys.stderr, errmsg + print errmsg + print '#', # quote the following template line + print confpart ldap_base = configRegistry['ldap/base'] ldap_port = configRegistry['slapd/port'] 
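Review bot: The helper re-reads and re-validates `configRegistry['ldap/base']` on every call even though the very next line binds the same value once as `ldap_base`, and on an invalid base each call repeats the `#Error` line on stderr and in the generated file, once per call site, of which this template has more than ten. Evaluating the verdict once next to the binding, `base_is_dn = ldap.dn.is_dn(ldap_base)`, and testing that flag in the helper keeps the check in one place and the error message single. This copy of `print_checked_base` is byte-identical to the one added to 40univention-ldap-server_database, so any fix to the helper has to be applied here as well.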
@@ -10,7 +20,7 @@ users_default_administrator = custom_username('Administrator') print 'authz-regexp' print ' uid=([^,]*),cn=(gssapi|saml),cn=auth' -print ' ldap:///%s??sub?uid=$1' % (ldap_base,) +print_checked_base(' ldap:///%s??sub?uid=$1' % (ldap_base,)) print print 'access to attrs=uid value=root by * none stop' @@ -20,7 +30,7 @@ print ' by anonymous auth' print ' by * none break' print '' -print 'access to dn="cn=admin,%s"' % (ldap_base) +print_checked_base('access to dn="cn=admin,%s"' % (ldap_base)) print ' by self %s' % (usr) print ' by * none' print '' 
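Review bot: Commenting out `access to dn="cn=admin,%s"` on an invalid base does not neutralise just that one line: the following ` by self %s` and ` by * none` lines begin with whitespace, which slapd.conf treats as a continuation of the previous line even when that line is a comment, so the whole stanza disappears silently and the admin entry falls through to the later, broader `access to *` rules in this file. The same applies to every wrapped `access to`/`by` line in the @@ -28,39 hunk, where a commented `by` line also swallows the ` by * none break` or ` by * +0 break` that follows it. Whether slapd still starts in that state depends on the database template having dropped `suffix`; this ACL template should not rely on that. Aborting the template run instead (raising after the error message, so that no half-commented ACL file is produced — confirm how UCR treats an exception in an `@!@` block) fails closed, whereas emitting a partially commented rule set does not.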
@@ -28,39 +38,39 @@ print '' print 'access to *' print ' by sockname="PATH=/var/run/slapd/ldapi" %s' % (usr) if configRegistry['ldap/server/type'] == "slave": - print ' by dn.base="cn=admin,%s" %s' % (ldap_base, usr) -print ' by dn.base="uid=%s,cn=users,%s" %s' % (users_default_administrator, ldap_base, usr) + print_checked_base(' by dn.base="cn=admin,%s" %s' % (ldap_base, usr)) +print_checked_base(' by dn.base="uid=%s,cn=users,%s" %s' % (users_default_administrator, ldap_base, usr)) print ' by * none break' print '' -print 'access to dn="uid=%s,cn=users,%s"' % (users_default_administrator, ldap_base) -print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr) +print_checked_base('access to dn="uid=%s,cn=users,%s"' % (users_default_administrator, ldap_base)) +print_checked_base(' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr)) if configRegistry['ldap/server/type'] == "slave": - print ' by dn.base="cn=admin,%s" %s' % (ldap_base, usr) + print_checked_base(' by dn.base="cn=admin,%s" %s' % (ldap_base, usr)) print ' by self %s' % (usr) print ' by * +0 break' print '' -print 'access to dn="uid=join-backup,cn=users,%s"' % (ldap_base) -print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr) +print_checked_base('access to dn="uid=join-backup,cn=users,%s"' % (ldap_base)) +print_checked_base(' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr)) if configRegistry['ldap/server/type'] == "slave": - print ' by dn.base="cn=admin,%s" %s' % (ldap_base, usr) + print_checked_base(' by dn.base="cn=admin,%s" %s' % (ldap_base, usr)) print ' by self %s' % (usr) print ' by * +0 break' print '' -print 'access to dn="uid=join-slave,cn=users,%s"' % (ldap_base) -print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % 
(groups_default_domainadmins, ldap_base, usr) +print_checked_base('access to dn="uid=join-slave,cn=users,%s"' % (ldap_base)) +print_checked_base(' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr)) if configRegistry['ldap/server/type'] == "slave": - print ' by dn.base="cn=admin,%s" %s' % (ldap_base, usr) + print_checked_base(' by dn.base="cn=admin,%s" %s' % (ldap_base, usr)) print ' by self %s' % (usr) print ' by * +0 break' print '' print 'access to attrs=entry,objectClass,uniqueMember,ou,uid,loginShell,homeDirectory,uidNumber,gidNumber,sn,cn,gecos,description,memberUid' -print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr) +print_checked_base(' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr)) if configRegistry['ldap/server/type'] == "slave": - print ' by dn.base="cn=admin,%s" %s' % (ldap_base, usr) + print_checked_base(' by dn.base="cn=admin,%s" %s' % (ldap_base, usr)) print ' by * +0 break' print '' diff --git a/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/62univention-ldap-server_acl-portal b/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/62univention-ldap-server_acl-portal index 9927ab2603..bba9c02e78 100644 --- a/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/62univention-ldap-server_acl-portal +++ b/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/62univention-ldap-server_acl-portal 
@@ -1,9 +1,25 @@ -access to dn="cn=portal,cn=univention,@%@ldap/base@%@" attrs=children - by dn.onelevel="cn=dc,cn=computers,@%@ldap/base@%@" write - by dn.onelevel="cn=memberserver,cn=computers,@%@ldap/base@%@" write +@!@ +import ldap + +def print_checked_base(confpart): + if not ldap.dn.is_dn(configRegistry['ldap/base']): + import sys + errmsg = '#Error: ucr key ‘ldap/base’ is not a valid dn!' + print >>sys.stderr, errmsg + print errmsg + print '#', # quote the following template line + print confpart + +print_checked_base( +''' +access to dn="cn=portal,cn=univention,%(base)s" attrs=children + by dn.onelevel="cn=dc,cn=computers,%(base)s" write + by dn.onelevel="cn=memberserver,cn=computers,%(base)s" write by * +0 break -access to dn.children="cn=portal,cn=univention,@%@ldap/base@%@" attrs=entry,@univentionObject,@univentionPortalEntry,@univentionPortal - by dn.onelevel="cn=dc,cn=computers,@%@ldap/base@%@" write - by dn.onelevel="cn=memberserver,cn=computers,@%@ldap/base@%@" write +access to dn.children="cn=portal,cn=univention,%(base)s" attrs=entry,@univentionObject,@univentionPortalEntry,@univentionPortal + by dn.onelevel="cn=dc,cn=computers,%(base)s" write + by dn.onelevel="cn=memberserver,cn=computers,%(base)s" write by * +0 break +''' % {'base': configRegistry['ldap/base']} +@!@
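Review bot: The fallback does not work for this call: the triple-quoted `confpart` starts with a newline, so `print '#',` produces a lone `# ` line and every `access to`/`by` line that follows is emitted uncommented with the unvalidated base substituted into it. Either comment each line in the helper, e.g. in the error branch `confpart = '\n'.join('# ' + line for line in confpart.split('\n'))` in place of `print '#',`, or at least strip the leading newline from the literal before passing it. The literal also adds a leading and a trailing blank line compared with the old static template; `.strip('\n')` on the formatted string would keep the previous line layout.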