contrib/openldap/slapd.conf

   1 # This is the main ldapd configuration file. See slapd.conf(5) for more
   2 # info on the configuration options.
   3
   4 ##
   5 ## NOTE: This is an example. You should use the template shipped
   6 ##       with your distribution and adapt it to your needs.
   7 ##
   8
   9 # Schema and objectClass definitions, depending on your
  10 # LDAP setup
  11 include         /etc/ldap/schema/core.schema
  12 include         /etc/ldap/schema/cosine.schema
  13 include         /etc/ldap/schema/inetorgperson.schema
  14 include         /etc/ldap/schema/openldap.schema
  15 include         /etc/ldap/schema/nis.schema
  16 include         /etc/ldap/schema/misc.schema
  17 #include        /etc/ldap/schema/krb5-kdc.schema
  18 #include        /etc/ldap/schema/trust.schema
  19
  20 # These should be present for GOsa. In case of samba3,
  21 # replace samba.schema and gosa.schema by samba3.schema
  22 # and gosa+samba3.schema. Don't include both and remember
  23 # to adjust the indexing and acl stuff below!
  24 include         /etc/ldap/schema/samba.schema
  25 include         /etc/ldap/schema/pureftpd.schema
  26 include         /etc/ldap/schema/gofon.schema
  27 include         /etc/ldap/schema/gosystem.schema
  28 include         /etc/ldap/schema/goto.schema
  29 include         /etc/ldap/schema/gosa+samba3.schema
  30 include         /etc/ldap/schema/gofax.schema
  31 include         /etc/ldap/schema/goserver.schema
  32 include         /etc/ldap/schema/goto-mime.schema
  33
  34 # Schema check allows for forcing entries to
  35 # match schemas for their objectClasses's
  36 schemacheck             on
  37
  38 # Security settings
  39 # Parameters: sasl, ssf, tls, transport, update_sasl, update_ssf,
  40 #             update_tls, update_transport
  41 #security               update_sasl=128,uptate_tls=128
  42
  43 # Require settings
  44 # Paramters: none, authc, bind, LDAPv3, SASL (strong)
  45 #require                        authc, LDAPv3
  46
  47 # Allow settings
  48 # Parameters: none, bind_v2, tls_2_anon, bind_anon_cred, bind_anon_dn,
  49 #             update_anon
  50 #allow                  bind_v2
  51
  52 # Disallow settings
  53 # Parameters: bind_anon, bind_simple_unprotected, tls_2_anon,
  54 #             bind_simple, bind_krbv4, tls_authc
  55
  56 # Password hash default value
  57 # Parameters: {SHA}, {SMD5}, {MD4}, {CRYPT}, {CLEARTEXT}
  58 password-hash           {CRYPT}
  59
  60 # Search base
  61 defaultsearchbase       dc=gonicus,dc=de
  62
  63
  64 # Where clients are refered to if no
  65 # match is found locally
  66 #referral       ldap://some.other.ldap.server
  67
  68 ## TLS setup, needs certificates
  69 #TLSCipherSuite HIGH:MEDIUM:+SSLv2
  70 #TLSCertificateFile /etc/ssl/certs/slapd.pem
  71 #TLSCertificateKeyFile /etc/ssl/certs/slapd.pem
  72
  73 ## SASL setup
  74 #sasl-authz-policy
  75 #sasl-host      gosa.gonicus.local
  76 #sasl-realm     GONICUS.LOCAL
  77 #sasl-regexp    cn=(.*),ou=(.*) cn=$1,ou=$2,ou=People,dc=gonicus,dc=de
  78 #sasl-secprops  noanonymous
  79
  80 ## Kerberos setup
  81 #srvtab         /etc/krb5.keytab.ldap
  82
  83 # Where the pid file is put. The init.d script
  84 # will not stop the server if you change this.
  85 pidfile         /var/run/slapd.pid
  86
  87 # List of arguments that were passed to the server
  88 argsfile        /var/run/slapd.args
  89
  90 # Read slapd.conf(5) for possible values
  91 loglevel        1024
  92
  93 # Where the dynamically loaded modules are stored
  94 modulepath      /usr/lib/ldap
  95 moduleload      back_bdb
  96 moduleload      back_monitor
  97 #moduleload      back_shell
  98
  99 # Some tuning parameters
 100 #threads                64
 101 #concurrency            32
 102 #conn_max_pending       100
 103 #conn_max_pending_auth  250
 104 #reverse-lookup         off
 105 #sizelimit              1000
 106 #timelimit              30
 107 #idletimeout            30
 108
 109 # Limits
 110 #limits anonymous       size.soft=500 time.soft=5
 111 #limits user            size=none time.soft=30
 112
 113 #######################################################################
 114 # database definitions
 115 #######################################################################
 116
 117 # Monitor backend
 118 database        monitor
 119
 120 access to dn.subtree=cn=Monitor
 121         by * read
 122
 123 # Access to schema information
 124 access to dn.subtree=""
 125         by dn="cn=ldapadmin,dc=gonicus,dc=de" read
 126
 127 # The backend type, ldbm, is the default standard
 128 database        bdb
 129 cachesize       5000
 130 checkpoint      512 720
 131 mode            0600
 132
 133 # The base of your directory
 134 suffix          "dc=gonicus,dc=de"
 135
 136 # Sample password is "tester", generate a new one using the mkpasswd
 137 # utility and put the string after {crypt}
 138 rootdn  "cn=ldapadmin,dc=gonicus,dc=de"
 139 rootpw  {crypt}OuorOLd3VqvC2
 140
 141 # Indexing
 142 index   default                                                sub
 143 index   uid,mail                                               eq
 144 index   gosaMailAlternateAddress,gosaMailForwardingAddress     eq
 145 index   cn,sn,givenName,ou                                     pres,eq,sub
 146 index   objectClass                                            pres,eq
 147 index   uidNumber,gidNumber,memberuid                          eq
 148 index   gosaSubtreeACL,gosaObject,gosaUser                     pres,eq
 149
 150 # Indexing for Samba 3
 151 index   sambaSID                                               eq
 152 index   sambaPrimaryGroupSID                                   eq
 153 index   sambaDomainName                                        eq
 154
 155
 156 # Where the database file are physically stored
 157 directory       "/var/lib/ldap"
 158
 159 # Make mods (writes entryUuid for kolab...)
 160 lastmod on
 161
 162 # The userPassword/shadow Emtries by default can be
 163 # changed by the entry owning it if they are authenticated.
 164 # Others should not be able to see it, except the admin
 165 # entry below
 166 access to attrs=userPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,shadowMax,shadowExpire
 167         by dn="cn=ldapadmin,dc=gonicus,dc=de" write
 168         by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
 169         by anonymous auth
 170         by self write
 171         by * none
 172
 173 # Deny access to imap/fax/kerberos admin passwords stored
 174 # in ldap tree
 175 access to attrs=goImapPassword
 176         by dn="cn=ldapadmin,dc=gonicus,dc=de" write
 177         by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
 178         by * none
 179 access to attrs=goKrbPassword
 180         by dn="cn=ldapadmin,dc=gonicus,dc=de" write
 181         by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
 182         by * none
 183 access to attrs=goFaxPassword
 184         by dn="cn=ldapadmin,dc=gonicus,dc=de" write
 185         by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
 186         by * none
 187
 188 # Let servers write last user attribute
 189 access to attrs=gotoLastUser
 190         by * write
 191
 192 # Samba passwords by default can be changed
 193 # by the entry owning it if they are authenticated.
 194 # Others should not be able to see it, except the
 195 # admin entry below
 196 access to attrs=sambaLmPassword,sambaNtPassword
 197         by dn="cn=ldapadmin,dc=gonicus,dc=de" write
 198         by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
 199         by anonymous auth
 200         by self write
 201         by * none
 202
 203 # Enable write create access for the terminal admin
 204 access to dn="ou=incoming,dc=gonicus,dc=de"
 205         by dn="cn=terminal-admin,dc=gonicus,dc=de" write
 206         by dn="cn=ldapadmin,dc=gonicus,dc=de" write
 207         by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
 208
 209 access to dn.sub="ou=incoming,dc=gonicus,dc=de"
 210         by dn="cn=terminal-admin,dc=gonicus,dc=de" write
 211         by dn="cn=ldapadmin,dc=gonicus,dc=de" write
 212         by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
 213
 214 # What trees should be readable, depends on your policy. Either
 215 # use this entry and specify what should be readable, or leave
 216 # the access to * => by * read below untouched
 217 #access to dn="ou=(people|groups)"
 218 #       by * read
 219
 220 # The admin dn has full write access
 221 access to *
 222         by dn="cn=ldapadmin,dc=gonicus,dc=de" =wrscx
 223         by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" =wrscx
 224         by * read
 225 #       by peername="ip=127\.0\.0\.1" read
 226 #       by * none
 227
 228
 229 # Example replication using admin account. This will require taking the
 230 # out put of this database using slapcat(8C), and then importing that into
 231 # the replica using slapadd(8C).
 232
 233 # Replication setup
 234 #replogfile /var/log/ldap-replicalog
 235 #replica host=ldap-2.gonicus.local
 236 #       binddn="cn=replicator,dc=gonicus,dc=de" bindmethod=simple credentials=secret
 237
 238 # Dummy database for config replication
 239 #database        shell
 240 #suffix          "dc=gonicus,dc=shell"
 241 #search          /etc/ldap/shell/process.pl
 242 #add             /etc/ldap/shell/process.pl
 243
 244 # End of ldapd configuration file
 245