1 # This is the main ldapd configuration file. See slapd.conf(5) for more
2 # info on the configuration options.
4 ##
5 ## NOTE: This is an example. You should use the template shipped
6 ## with your distribution and adapt it to your needs.
7 ##
9 # Schema and objectClass definitions, depending on your
10 # LDAP setup
11 include /etc/ldap/schema/core.schema
12 include /etc/ldap/schema/cosine.schema
13 include /etc/ldap/schema/inetorgperson.schema
14 include /etc/ldap/schema/openldap.schema
15 include /etc/ldap/schema/nis.schema
16 include /etc/ldap/schema/misc.schema
17 #include /etc/ldap/schema/krb5-kdc.schema
18 #include /etc/ldap/schema/trust.schema
20 # These should be present for GOsa. In case of samba3,
21 # replace samba.schema and gosa.schema by samba3.schema
22 # and gosa+samba3.schema. Don't include both and remember
23 # to adjust the indexing and acl stuff below!
24 include /etc/ldap/schema/samba.schema
25 include /etc/ldap/schema/pureftpd.schema
26 include /etc/ldap/schema/gohard.schema
27 include /etc/ldap/schema/gofon.schema
28 include /etc/ldap/schema/goto.schema
29 include /etc/ldap/schema/gosa+samba3.schema
30 include /etc/ldap/schema/gofax.schema
31 include /etc/ldap/schema/goserver.schema
33 # Schema check forces entries to match the schemas
34 # defined for their objectClasses
35 schemacheck on
37 # Security settings
38 # Parameters: sasl, ssf, tls, transport, update_sasl, update_ssf,
39 # update_tls, update_transport
40 #security update_sasl=128,update_tls=128
42 # Require settings
43 # Parameters: none, authc, bind, LDAPv3, SASL (strong)
44 #require authc, LDAPv3
46 # Allow settings
47 # Parameters: none, bind_v2, tls_2_anon, bind_anon_cred, bind_anon_dn,
48 # update_anon
49 #allow bind_v2
51 # Disallow settings
52 # Parameters: bind_anon, bind_simple_unprotected, tls_2_anon,
53 # bind_simple, bind_krbv4, tls_authc
55 # Password hash default value
56 # Parameters: {SHA}, {SMD5}, {MD4}, {CRYPT}, {CLEARTEXT}
57 password-hash {CRYPT}
59 # Search base
60 defaultsearchbase dc=gonicus,dc=de
63 # Where clients are referred to if no
64 # match is found locally
65 #referral ldap://some.other.ldap.server
67 ## TLS setup, needs certificates
68 #TLSCipherSuite HIGH:MEDIUM:+SSLv2
69 #TLSCertificateFile /etc/ssl/certs/slapd.pem
70 #TLSCertificateKeyFile /etc/ssl/certs/slapd.pem
72 ## SASL setup
73 #sasl-authz-policy
74 #sasl-host gosa.gonicus.local
75 #sasl-realm GONICUS.LOCAL
76 #sasl-regexp cn=(.*),ou=(.*) cn=$1,ou=$2,ou=People,dc=gonicus,dc=de
77 #sasl-secprops noanonymous
79 ## Kerberos setup
80 #srvtab /etc/krb5.keytab.ldap
82 # Where the pid file is put. The init.d script
83 # will not stop the server if you change this.
84 pidfile /var/run/slapd.pid
86 # List of arguments that were passed to the server
87 argsfile /var/run/slapd.args
89 # Read slapd.conf(5) for possible values
90 loglevel 1024
92 # Where the dynamically loaded modules are stored
93 modulepath /usr/lib/ldap
94 moduleload back_bdb
95 moduleload back_monitor
96 #moduleload back_shell
98 # Some tuning parameters
99 #threads 64
100 #concurrency 32
101 #conn_max_pending 100
102 #conn_max_pending_auth 250
103 #reverse-lookup off
104 #sizelimit 1000
105 #timelimit 30
106 #idletimeout 30
108 # Limits
109 #limits anonymous size.soft=500 time.soft=5
110 #limits user size=none time.soft=30
112 #######################################################################
113 # database definitions
114 #######################################################################
116 # Monitor backend
117 database monitor
119 access to dn.subtree=cn=Monitor
120 by * read
122 # Access to schema information
123 access to dn.subtree=""
124 by dn="cn=ldapadmin,dc=gonicus,dc=de" read
126 # The backend type; this file uses bdb (see moduleload back_bdb above)
127 database bdb
128 cachesize 5000
129 checkpoint 512 720
130 mode 0600
132 # The base of your directory
133 suffix "dc=gonicus,dc=de"
135 # The sample rootpw below is the hash of "tester"; generate a new one with
136 # the mkpasswd utility and put the resulting string after {crypt}
137 rootdn "cn=ldapadmin,dc=gonicus,dc=de"
138 rootpw {crypt}OuorOLd3VqvC2
140 # Indexing
141 index default sub
142 index uid,mail eq
143 index gosaMailAlternateAddress,gosaMailForwardingAddress eq
144 index cn,sn,givenName,ou pres,eq,sub
145 index objectClass pres,eq
146 index uidNumber,gidNumber,memberuid eq
147 index gosaSubtreeACL,gosaObject,gosaUser pres,eq
149 # Indexing for samba 2
150 #index rid,primaryGroupID eq
152 # Indexing for Samba 3
153 index sambaSID eq
154 index sambaPrimaryGroupSID eq
155 index sambaDomainName eq
158 # Where the database files are physically stored
159 directory "/var/lib/ldap"
161 # Whether slapd records the time an entry gets modified (off here)
162 lastmod off
164 # The userPassword/shadow attributes can by default be
165 # changed by the entry owning them, once authenticated.
166 # Others should not be able to see them, except the admin
167 # entries listed below
168 #access to attrs=userPassword,pwdLastSet,pwdMustChange,pwdCanChange,shadowMax,shadowExpire
169 access to attrs=userPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,shadowMax,shadowExpire
170 by dn="cn=ldapadmin,dc=gonicus,dc=de" write
171 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
172 by anonymous auth
173 by self write
174 by * none
176 # Deny access to the imap/fax/kerberos admin passwords stored
177 # in the LDAP tree; only the admin DNs listed below may write them
178 access to attrs=goImapPassword
179 by dn="cn=ldapadmin,dc=gonicus,dc=de" write
180 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
181 by * none
182 access to attrs=goKrbPassword
183 by dn="cn=ldapadmin,dc=gonicus,dc=de" write
184 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
185 by * none
186 access to attrs=goFaxPassword
187 by dn="cn=ldapadmin,dc=gonicus,dc=de" write
188 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
189 by * none
191 # Let servers write the last-user attribute; note that the rule below grants write to any client, not only servers
192 access to attrs=gotoLastUser
193 by * write
195 # Samba passwords can by default be changed
196 # by the entry owning them, once authenticated.
197 # Others should not be able to see them, except the
198 # admin entries listed below. Note: the first access line below
198 # (lmPassword,ntPassword, samba 2) carries no by clauses, so those
198 # attributes fall through to the implicit deny; comment it out or give
198 # it the same by clauses if samba 2 attributes are actually in use
199 access to attrs=lmPassword,ntPassword
200 access to attrs=sambaLmPassword,sambaNtPassword
201 by dn="cn=ldapadmin,dc=gonicus,dc=de" write
202 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
203 by anonymous auth
204 by self write
205 by * none
207 # Enable write create access for the terminal admin
208 access to dn="ou=incoming,dc=gonicus,dc=de"
209 by dn="cn=terminal-admin,dc=gonicus,dc=de" write
210 by dn="cn=ldapadmin,dc=gonicus,dc=de" write
211 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
213 access to dn.sub="ou=incoming,dc=gonicus,dc=de"
214 by dn="cn=terminal-admin,dc=gonicus,dc=de" write
215 by dn="cn=ldapadmin,dc=gonicus,dc=de" write
216 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
218 # What trees should be readable, depends on your policy. Either
219 # use this entry and specify what should be readable, or leave
220 # the access to * => by * read below untouched
221 #access to dn="ou=(people|groups)"
222 # by * read
224 # The admin dn has full write access
225 access to *
226 by dn="cn=ldapadmin,dc=gonicus,dc=de" =wrscx
227 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" =wrscx
228 by * read
229 # by peername="ip=127\.0\.0\.1" read
230 # by * none
233 # Example replication using the admin account. This will require taking the
234 # output of this database using slapcat(8C), and then importing that into
235 # the replica using slapadd(8C).
237 # Replication setup
238 #replogfile /var/log/ldap-replicalog
239 #replica host=ldap-2.gonicus.local
240 # binddn="cn=replicator,dc=gonicus,dc=de" bindmethod=simple credentials=secret
242 # Dummy database for config replication
243 #database shell
244 #suffix "dc=gonicus,dc=shell"
245 #search /etc/ldap/shell/process.pl
246 #add /etc/ldap/shell/process.pl
248 # End of ldapd configuration file