new revision of the french languages files

[gosa.git] / contrib / opensides / ldap / slapd.conf

# This is the main ldapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

##
## NOTE: This is an example. You should use the template shipped
##       with your distribution and adapt it to your needs.
##

# Schema and objectClass definitions, depending on your
# LDAP setup
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/openldap.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/misc.schema
#include        /etc/ldap/schema/krb5-kdc.schema
#include        /etc/ldap/schema/trust.schema

# These should be present for GOsa. In case of samba3,
# replace samba.schema and gosa.schema by samba3.schema
# and gosa+samba3.schema. Don't include both and remember
# to adjust the indexing and acl stuff below!
include         /etc/ldap/schema/samba.schema
#include                /etc/ldap/schema/pureftpd.schema
include         /etc/ldap/schema/goconfig.schema
include         /etc/ldap/schema/gohard.schema
include         /etc/ldap/schema/gofon.schema
include         /etc/ldap/schema/goto.schema
include         /etc/ldap/schema/gosa+samba3.schema
include         /etc/ldap/schema/gofax.schema
include         /etc/ldap/schema/goserver.schema
include         /etc/ldap/schema/gofirewall.schema


# These should be present for egroupware mail attributes
#include                /etc/ldap/schema/phpgwaccount.schema
#include                /etc/ldap/schema/phpgwcontact.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck             on

# Security settings
# Parameters: sasl, ssf, tls, transport, update_sasl, update_ssf,
#             update_tls, update_transport
#security               update_sasl=128,uptate_tls=128

# Require settings
# Paramters: none, authc, bind, LDAPv3, SASL (strong)
#require                        authc, LDAPv3

# Allow settings
# Parameters: none, bind_v2, tls_2_anon, bind_anon_cred, bind_anon_dn,
#             update_anon
allow                   bind_v2

# Disallow settings
# Parameters: bind_anon, bind_simple_unprotected, tls_2_anon,
#             bind_simple, bind_krbv4, tls_authc

# Password hash default value
# Parameters: {SHA}, {SMD5}, {MD4}, {CRYPT}, {CLEARTEXT}
password-hash           {CRYPT}

# Search base
defaultsearchbase       dc=ccib,dc=be


# Where clients are refered to if no
# match is found locally
#referral       ldap://some.other.ldap.server

## TLS setup, needs certificates
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
#TLSCertificateFile /etc/ssl/certs/slapd.pem
#TLSCertificateKeyFile /etc/ssl/certs/slapd.pem

## SASL setup
#sasl-authz-policy
#sasl-host      gosa.sweatshop.local
#sasl-realm     sweatshop.LOCAL
#sasl-regexp    cn=(.*),ou=(.*) cn=$1,ou=$2,ou=people,dc=ccib,dc=be
#sasl-secprops  noanonymous

## Kerberos setup
#srvtab         /etc/krb5.keytab.ldap

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd.args

# Read slapd.conf(5) for possible values
#loglevel       2528
#loglevel       384
#loglevel       8

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb
#moduleload      back_shell

# Some tuning parameters
threads                 64
concurrency             32
conn_max_pending        100
conn_max_pending_auth   250
reverse-lookup          off
sizelimit               1000
timelimit               30
idletimeout             30

# Limits
#limits anonymous       size.soft=500 time.soft=5
#limits user            size=none time.soft=30

#######################################################################
# database definitions
#######################################################################

# The backend type, ldbm, is the default standard
database        bdb
cachesize       5000
checkpoint      512 720
mode            0600

# The base of your directory
suffix          "dc=ccib,dc=be"

# Sample password is "tester", generate a new one using the mkpasswd
# utility and put the string after {crypt}
rootdn  "cn=ldapadmin,dc=ccib,dc=be"
rootpw  {crypt}2wTonoD6DWM/A

# Indexing
index   default                                                sub
index   uid,mail                                               eq
index   gosaMailAlternateAddress,gosaMailForwardingAddress     eq
index   cn,sn,givenName,ou                                     pres,eq,sub
index   objectClass                                            pres,eq
index   uidNumber,gidNumber,memberuid                          eq
index   gosaSubtreeACL,gosaObject,gosaUser                     pres,eq

# Indexing for Samba 3
index   sambaSID                                               eq
index   sambaPrimaryGroupSID                                   eq
index   sambaDomainName                                        eq


# Where the database file are physically stored
directory       "/var/lib/ldap"

# Save the time that the entry gets modified
lastmod off

# The userPassword/shadow Emtries by default can be
# changed by the entry owning it if they are authenticated.
# Others should not be able to see it, except the admin
# entry below
access to attrs=userPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,shadowMax,shadowExpire
        by dn="cn=ldapadmin,dc=ccib,dc=be" write
        by anonymous auth
        by self write
        by self read
        by * none 

# Deny access to imap/fax/kerberos admin passwords stored
# in ldap tree
access to attrs=goImapPassword
        by dn="cn=ldapadmin,dc=ccib,dc=be" write
        by * none 
access to attrs=goKrbPassword
        by dn="cn=ldapadmin,dc=ccib,dc=be" write
        by * none 
access to attrs=goFaxPassword
        by dn="cn=ldapadmin,dc=ccib,dc=be" write
        by * none 

# Let servers write last user attribute
access to attrs=gotoLastUser
        by * write

# Samba passwords by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
access to attrs=sambaLmPassword,sambaNtPassword
        by dn="cn=ldapadmin,dc=ccib,dc=be" write
        by anonymous auth
        by self write
        by self read
        by * none 

# Enable write create access for the terminal admin
access to dn="ou=incoming,dc=ccib,dc=be"
        by dn="cn=terminal-admin,dc=ccib,dc=be" write
        by dn="cn=ldapadmin,dc=ccib,dc=be" write

#access to dn=".*,ou=incoming,dc=ccib,dc=be"
#       by dn="cn=terminal-admin,dc=ccib,dc=be" write
#       by dn="cn=ldapadmin,dc=ccib,dc=be" write

# What trees should be readable, depends on your policy. Either
# use this entry and specify what should be readable, or leave
# the access to * => by * read below untouched
#access to dn="ou=(people|groups)"
#       by * read

# The admin dn has full write access
access to *
        by dn="cn=ldapadmin,dc=ccib,dc=be" =wrscx
        by * read

# Example replication using admin account. This will require taking the
# out put of this database using slapcat(8C), and then importing that into
# the replica using slapadd(8C).

# Replication setup
#replogfile /var/log/ldap-replicalog
#replica host=ldap-2.sweatshop.local
#       binddn="cn=replicator,dc=ccib,dc=be bindmethod=simple credentials=secret

# Dummy database for config replication
#database        shell
#suffix          "dc=ccib,dc=shell"
#search          /etc/ldap/shell/process.pl
#add             /etc/ldap/shell/process.pl

# End of ldapd configuration file