1 # This is the main ldapd configuration file. See slapd.conf(5) for more
2 # info on the configuration options.
4 ##
5 ## NOTE: This is an example. You should use the template shipped
6 ## with your distribution and adapt it to your needs.
7 ##
9 # Schema and objectClass definitions, depending on your
10 # LDAP setup
11 include /etc/ldap/schema/core.schema
12 include /etc/ldap/schema/cosine.schema
13 include /etc/ldap/schema/inetorgperson.schema
14 include /etc/ldap/schema/openldap.schema
15 include /etc/ldap/schema/nis.schema
16 include /etc/ldap/schema/misc.schema
17 #include /etc/ldap/schema/krb5-kdc.schema
18 #include /etc/ldap/schema/trust.schema
20 # These should be present for GOsa. In case of samba3,
21 # replace samba.schema and gosa.schema by samba3.schema
22 # and gosa+samba3.schema. Don't include both and remember
23 # to adjust the indexing and acl stuff below!
24 include /etc/ldap/schema/samba.schema
25 include /etc/ldap/schema/pureftpd.schema
26 include /etc/ldap/schema/gofon.schema
27 include /etc/ldap/schema/gosystem.schema
28 include /etc/ldap/schema/goto.schema
29 include /etc/ldap/schema/gosa+samba3.schema
30 include /etc/ldap/schema/gofax.schema
31 include /etc/ldap/schema/goserver.schema
32 include /etc/ldap/schema/goto-mime.schema
34 # Schema check forces entries to match the schemas
35 # of their objectClasses
36 schemacheck on
38 # Security settings
39 # Parameters: sasl, ssf, tls, transport, update_sasl, update_ssf,
40 # update_tls, update_transport
41 #security update_sasl=128,update_tls=128
43 # Require settings
44 # Parameters: none, authc, bind, LDAPv3, SASL (strong)
45 #require authc, LDAPv3
47 # Allow settings
48 # Parameters: none, bind_v2, tls_2_anon, bind_anon_cred, bind_anon_dn,
49 # update_anon
50 #allow bind_v2
52 # Disallow settings
53 # Parameters: bind_anon, bind_simple_unprotected, tls_2_anon,
54 # bind_simple, bind_krbv4, tls_authc
56 # Password hash default value
57 # Parameters: {SHA}, {SMD5}, {MD4}, {CRYPT}, {CLEARTEXT}
58 password-hash {CRYPT}
60 # Search base
61 defaultsearchbase dc=gonicus,dc=de
64 # Where clients are referred to if no
65 # match is found locally
66 #referral ldap://some.other.ldap.server
68 ## TLS setup, needs certificates (the example cipher suite below still admits SSLv2 ciphers; review it before enabling)
69 #TLSCipherSuite HIGH:MEDIUM:+SSLv2
70 #TLSCertificateFile /etc/ssl/certs/slapd.pem
71 #TLSCertificateKeyFile /etc/ssl/certs/slapd.pem
73 ## SASL setup
74 #sasl-authz-policy
75 #sasl-host gosa.gonicus.local
76 #sasl-realm GONICUS.LOCAL
77 #sasl-regexp cn=(.*),ou=(.*) cn=$1,ou=$2,ou=People,dc=gonicus,dc=de
78 #sasl-secprops noanonymous
80 ## Kerberos setup
81 #srvtab /etc/krb5.keytab.ldap
83 # Where the pid file is put. The init.d script
84 # will not stop the server if you change this.
85 pidfile /var/run/slapd.pid
87 # List of arguments that were passed to the server
88 argsfile /var/run/slapd.args
90 # Read slapd.conf(5) for possible values
91 loglevel 1024
93 # Where the dynamically loaded modules are stored
94 modulepath /usr/lib/ldap
95 moduleload back_bdb
96 moduleload back_monitor
97 #moduleload back_shell
99 # Some tuning parameters
100 #threads 64
101 #concurrency 32
102 #conn_max_pending 100
103 #conn_max_pending_auth 250
104 #reverse-lookup off
105 #sizelimit 1000
106 #timelimit 30
107 #idletimeout 30
109 # Limits
110 #limits anonymous size.soft=500 time.soft=5
111 #limits user size=none time.soft=30
113 access to dn.base=""
114 by * read
116 access to dn.subtree=cn=Monitor
117 by * read
119 # Access to schema information
120 #access to dn.subtree=""
121 # by * read
123 # The userPassword/shadow entries by default can be
124 # changed by the owning entry if it is authenticated.
125 # Others should not be able to see them, except the admin
126 # entries below
127 access to attrs=userPassword,userPKCS12,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,shadowMax,shadowExpire
128 by dn="cn=ldapadmin,dc=gonicus,dc=de" write
129 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
130 by anonymous auth
131 by self write
132 by * none
133 access to attr=shadowLastChange
134 by self write
135 by * read
137 # Deny access to imap/fax/kerberos admin passwords stored
138 # in ldap tree
139 access to attrs=goImapPassword
140 by dn="cn=ldapadmin,dc=gonicus,dc=de" write
141 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
142 by * none
143 access to attrs=goKrbPassword
144 by dn="cn=ldapadmin,dc=gonicus,dc=de" write
145 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
146 by * none
147 access to attrs=goFaxPassword
148 by dn="cn=ldapadmin,dc=gonicus,dc=de" write
149 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
150 by * none
152 # Let servers write the last user attribute (note: "by * write" includes anonymous binds)
153 access to attrs=gotoLastUser
154 by * write
156 # Samba passwords by default can be changed
157 # by the owning entry if it is authenticated.
158 # Others should not be able to see them, except the
159 # admin entries below
160 access to attrs=sambaLmPassword,sambaNtPassword
161 by dn="cn=ldapadmin,dc=gonicus,dc=de" write
162 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
163 by anonymous auth
164 by self write
165 by * none
167 # Enable write create access for the terminal admin
168 access to dn="ou=incoming,dc=gonicus,dc=de"
169 by dn="cn=terminal-admin,dc=gonicus,dc=de" write
170 by dn="cn=ldapadmin,dc=gonicus,dc=de" write
171 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
172 by * none
174 access to dn.sub="ou=incoming,dc=gonicus,dc=de"
175 by dn="cn=terminal-admin,dc=gonicus,dc=de" write
176 by dn="cn=ldapadmin,dc=gonicus,dc=de" write
177 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
178 by * none
180 # What trees should be readable, depends on your policy. Either
181 # use this entry and specify what should be readable, or leave
182 # the access to * => by * read below untouched
183 #access to dn="ou=(people|groups)"
184 # by * read
186 # The admin dn has full write access
187 access to *
188 by dn="cn=ldapadmin,dc=gonicus,dc=de" =wrscx
189 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" =wrscx
190 by * read
191 # by peername="ip=127\.0\.0\.1" read
192 # by * none
194 #######################################################################
195 # database definitions
196 #######################################################################
198 # Monitor backend
199 database monitor
201 # The backend type, ldbm, is the default standard
202 database bdb
203 cachesize 5000
204 mode 0600
206 # The base of your directory
207 suffix "dc=gonicus,dc=de"
208 checkpoint 512 720
210 # Sample password is "tester"; generate a new one using the mkpasswd
211 # utility and put the resulting hash after {crypt}
212 rootdn "cn=ldapadmin,dc=gonicus,dc=de"
213 rootpw {crypt}OuorOLd3VqvC2
215 # Indexing
216 index default sub
217 index uid,mail eq
218 index gosaMailAlternateAddress,gosaMailForwardingAddress eq
219 index cn,sn,givenName,ou pres,eq,sub
220 index objectClass pres,eq
221 index uidNumber,gidNumber,memberuid,macAddress eq
222 index gosaSubtreeACL,gosaObject,gosaUser pres,eq
224 # Indexing for Kolab
225 #index alias eq,sub
226 #index kolabDeleteFlag eq
227 #index kolabHomeServer eq
228 #index member pres,eq
230 # Indexing for Samba 3
231 index sambaSID eq
232 index sambaPrimaryGroupSID eq
233 index sambaDomainName eq
235 # Indexing for DNS/DHCP
236 #index zoneName eq
237 #index relativeDomainName eq
238 #index dhcpHWAddress eq
239 #index dhcpClassData eq
240 #index dhcpPrimaryDN eq
241 #index dhcpSecondaryDN eq
243 # Where the database files are physically stored
244 directory "/var/lib/ldap"
246 # Log modifications and write entryUUID
247 lastmod on
250 # Example replication using the admin account. This will require taking the
251 # output of this database using slapcat(8C), and then importing that into
252 # the replica using slapadd(8C).
254 # Replication setup
255 #replogfile /var/log/ldap-replicalog
256 #replica host=ldap-2.gonicus.local
257 # binddn="cn=replicator,dc=gonicus,dc=de" bindmethod=simple credentials=secret
259 # Dummy database for config replication
260 #database shell
261 #suffix "dc=gonicus,dc=shell"
262 #search /etc/ldap/shell/process.pl
263 #add /etc/ldap/shell/process.pl
265 # End of ldapd configuration file