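# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

##
## NOTE: This is an example. You should use the template shipped
## with your distribution and adapt it to your needs.
##

# Schema and objectClass definitions, depending on your
# LDAP setup
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/misc.schema
#include /etc/ldap/schema/krb5-kdc.schema
#include /etc/ldap/schema/trust.schema

# These should be present for GOsa. In case of samba3,
# replace samba.schema and gosa.schema by samba3.schema
# and gosa+samba3.schema. Don't include both and remember
# to adjust the indexing and ACL entries below!
include /etc/ldap/schema/samba.schema
#include /etc/ldap/schema/pureftpd.schema
include /etc/ldap/schema/goconfig.schema
include /etc/ldap/schema/gohard.schema
include /etc/ldap/schema/gofon.schema
include /etc/ldap/schema/goto.schema
include /etc/ldap/schema/gosa+samba3.schema
include /etc/ldap/schema/gofax.schema
include /etc/ldap/schema/goserver.schema
include /etc/ldap/schema/gofirewall.schema

# These should be present for egroupware mail attributes
#include /etc/ldap/schema/phpgwaccount.schema
#include /etc/ldap/schema/phpgwcontact.schema

# These should be present for the nagios plugin to work
#include /etc/ldap/schema/nagios.schema

# Schema check forces entries to match the schemas of
# their objectClasses
schemacheck on

# Security settings
# Parameters: sasl, ssf, tls, transport, update_sasl, update_ssf,
# update_tls, update_transport
# Left disabled here; with TLS not configured below, simple binds
# carry credentials in cleartext on the wire. Enabling TLS and a
# minimum ssf/update_tls is the usual mitigation.
#security update_sasl=128,update_tls=128

# Require settings
# Parameters: none, authc, bind, LDAPv3, SASL (strong)
#require authc, LDAPv3

# Allow settings
# Parameters: none, bind_v2, tls_2_anon, bind_anon_cred, bind_anon_dn,
# update_anon
# bind_v2 accepts LDAPv2 binds; remove it once no LDAPv2 clients remain.
allow bind_v2

# Disallow settings
# Parameters: bind_anon, bind_simple_unprotected, tls_2_anon,
# bind_simple, bind_krbv4, tls_authc

# Password hash default value (scheme used when slapd itself hashes a
# password, e.g. via the Password Modify extended operation)
# Parameters: {SSHA}, {SHA}, {SMD5}, {MD4}, {CRYPT}, {CLEARTEXT}
# {SSHA} is used instead of {CRYPT}: traditional crypt is DES-based and
# truncates the password at 8 characters. Existing {crypt} values in
# the directory (such as rootpw below) still verify unchanged.
password-hash {SSHA}

# Search base
defaultsearchbase dc=opensides,dc=be

# Where clients are referred to if no
# match is found locally
#referral ldap://some.other.ldap.server

## TLS setup, needs certificates
## Do not enable SSLv2 ciphers; the example below excludes them.
#TLSCipherSuite HIGH:MEDIUM:!SSLv2
#TLSCertificateFile /etc/ssl/certs/slapd.pem
#TLSCertificateKeyFile /etc/ssl/certs/slapd.pem

## SASL setup
#sasl-authz-policy
#sasl-host gosa.sweatshop.local
#sasl-realm sweatshop.LOCAL
#sasl-regexp cn=(.*),ou=(.*) cn=$1,ou=$2,ou=people,dc=opensides,dc=be
#sasl-secprops noanonymous

## Kerberos setup
#srvtab /etc/krb5.keytab.ldap

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd.args

# Read slapd.conf(5) for possible values
#loglevel 2528
#loglevel 384
#loglevel 8

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb
#moduleload back_shell

# Some tuning parameters
threads 64
concurrency 32
conn_max_pending 100
conn_max_pending_auth 250
reverse-lookup off
# sizelimit: max entries returned per search; timelimit/idletimeout in seconds
sizelimit 1000
timelimit 30
idletimeout 30

# Limits
#limits anonymous size.soft=500 time.soft=5
#limits user size=none time.soft=30

#######################################################################
# database definitions
#######################################################################

# The backend type; this setup uses bdb
database bdb
cachesize 5000
checkpoint 512 720
# Permissions for newly created database files
mode 0600

# The base of your directory
suffix "dc=opensides,dc=be"

# Sample password is "tester", generate a new one using the mkpasswd
# utility and put the string after {crypt}.
# This sample hash is published with the template: it MUST be replaced
# before the server is exposed, and this file should not be world-readable.
rootdn "cn=ldapadmin,dc=opensides,dc=be"
rootpw {crypt}2wTonoD6DWM/A

# Indexing
index default sub
index uid,mail eq
index gosaMailAlternateAddress,gosaMailForwardingAddress eq
index cn,sn,givenName,ou pres,eq,sub
index objectClass pres,eq
index uidNumber,gidNumber,memberuid eq
index gosaSubtreeACL,gosaObject,gosaUser pres,eq

# Indexing for Samba 3
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq

# Where the database files are physically stored
directory "/var/lib/ldap"

# Operational attributes recording who modified an entry and when.
# "off" disables them, which removes the change trail useful for
# audit/forensics and is known to conflict with replication schemes
# that rely on them; set to "on" unless there is a specific reason.
lastmod off

# ACLs are evaluated top to bottom and the first matching "by" clause
# wins, so the order of the clauses in each access directive matters.

# The userPassword/shadow entries by default can be
# changed by the entry owning it if they are authenticated.
# Others should not be able to see it, except the admin
# entry below.
# Note: "by self read" after "by self write" would never be reached
# (write already implies read), so it is not listed.
access to attrs=userPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,shadowMax,shadowExpire
by dn="cn=ldapadmin,dc=opensides,dc=be" write
by anonymous auth
by self write
by * none

# Deny access to imap/fax/kerberos admin passwords stored
# in the ldap tree
access to attrs=goImapPassword
by dn="cn=ldapadmin,dc=opensides,dc=be" write
by * none
access to attrs=goKrbPassword
by dn="cn=ldapadmin,dc=opensides,dc=be" write
by * none
access to attrs=goFaxPassword
by dn="cn=ldapadmin,dc=opensides,dc=be" write
by * none

# Let servers write the last user attribute.
# "by * write" includes anonymous clients, so any network peer can
# overwrite this attribute; restrict it to the servers' DNs (or at
# least "by users write") if anonymous writes are not intended.
access to attrs=gotoLastUser
by * write

# Samba passwords by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
access to attrs=sambaLmPassword,sambaNtPassword
by dn="cn=ldapadmin,dc=opensides,dc=be" write
by anonymous auth
by self write
by * none

# Enable write/create access for the terminal admin.
# No "by *" clause is given, so everyone else gets the implicit "none".
access to dn="ou=incoming,dc=opensides,dc=be"
by dn="cn=terminal-admin,dc=opensides,dc=be" write
by dn="cn=ldapadmin,dc=opensides,dc=be" write

# What trees should be readable, depends on your policy. Either
# use this entry and specify what should be readable, or leave
# the access to * => by * read below untouched
#access to dn="ou=(people|groups)"
# by * read

# The admin dn has full write access; everything not matched by an
# earlier rule is readable by anyone, including anonymous binds.
access to *
by dn="cn=ldapadmin,dc=opensides,dc=be" =wrscx
by * read

# Example replication using admin account. This will require taking the
# output of this database using slapcat(8C), and then importing that into
# the replica using slapadd(8C).

# Replication setup
# (the credentials= value is a placeholder; a real one belongs in a
# separately protected file, not in a world-readable config)
#replogfile /var/log/ldap-replicalog
#replica host=ldap-2.sweatshop.local
# binddn="cn=replicator,dc=opensides,dc=be" bindmethod=simple credentials=secret

# Dummy database for config replication
#database shell
#suffix "dc=opensides,dc=shell"
#search /etc/ldap/shell/process.pl
#add /etc/ldap/shell/process.pl

# End of slapd configuration file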