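# This is the main ldapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

##
## NOTE: This is an example. You should use the template shipped
## with your distribution and adapt it to your needs.
##

# Schema and objectClass definitions, depending on your
# LDAP setup
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/misc.schema

# These should be present for GOsa. Replace all occurrences
# of samba3 by samba2 for use with GOsa and Samba 2.
include /etc/ldap/schema/gosa/samba3.schema
include /etc/ldap/schema/gosa/gosystem.schema
include /etc/ldap/schema/gosa/gofon.schema
include /etc/ldap/schema/gosa/gofax.schema
include /etc/ldap/schema/gosa/goto.schema
include /etc/ldap/schema/gosa/goserver.schema
include /etc/ldap/schema/gosa/gosa-samba3.schema
include /etc/ldap/schema/gosa/trust.schema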
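# Security settings
# Parameters: sasl, ssf, tls, transport, update_sasl, update_ssf,
# update_tls, update_transport
# NOTE: while this directive stays commented out, slapd enforces no
# minimum security strength factor, so binds and updates are accepted
# over unencrypted connections as well as over TLS/SASL.
#security update_sasl=128,update_tls=128

# Require settings
# Parameters: none, authc, bind, LDAPv3, SASL (strong)
#require authc, LDAPv3

# Allow settings
# Parameters: none, bind_v2, tls_2_anon, bind_anon_cred, bind_anon_dn,
# update_anon
#allow bind_v2

# Disallow settings
# Parameters: bind_anon, bind_simple_unprotected, tls_2_anon,
# bind_simple, bind_krbv4, tls_authc
# NOTE: nothing is disallowed here, so anonymous binds and simple binds
# on unprotected connections are both accepted; combine "disallow"
# with the "security"/"require" directives above if that is not intended.

# Password hash default value
# Parameters: {SHA}, {SMD5}, {MD4}, {CRYPT}, {CLEARTEXT}
# NOTE: {CRYPT} delegates to the system crypt(3), whose strength depends
# on the platform; {SSHA} (salted SHA-1) is the usual choice for new
# deployments. Never use {CLEARTEXT} outside of testing.
password-hash {CRYPT}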
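# Search base
defaultsearchbase dc=gonicus,dc=de

# Where clients are referred to if no
# match is found locally
#referral ldap://some.other.ldap.server

## TLS setup, needs certificates
# NOTE: in OpenSSL cipher-list syntax "+SSLv2" only moves the SSLv2
# suites to the end of the list; use "!SSLv2" (and drop MEDIUM) to
# exclude them before enabling this. The key file below shares the
# path of the certificate under /etc/ssl/certs; keep the private key
# readable only by the user slapd runs as.
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
#TLSCertificateFile /etc/ssl/certs/slapd.pem
#TLSCertificateKeyFile /etc/ssl/certs/slapd.pem

## SASL setup
#sasl-authz-policy
#sasl-host gosa.gonicus.local
#sasl-realm GONICUS.LOCAL
#sasl-regexp cn=(.*),ou=(.*) cn=$1,ou=$2,ou=People,dc=gonicus,dc=de
#sasl-secprops noanonymous

## Kerberos setup
#srvtab /etc/krb5.keytab.ldap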
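# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel 1024

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload back_monitor
#moduleload back_shell

# Some tuning parameters
#threads 64
#concurrency 32
#conn_max_pending 100
#conn_max_pending_auth 250
#reverse-lookup off
#sizelimit 1000
#timelimit 30
#idletimeout 30

# Limits
# NOTE: while these stay commented out, anonymous and authenticated
# searches are bounded only by the server-wide sizelimit/timelimit
# (also commented out above, so the built-in defaults apply).
#limits anonymous size.soft=500 time.soft=5
#limits user size=none time.soft=30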
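# NOTE: "by" clauses must start with whitespace so slapd reads them as
# continuation lines of the preceding "access to" directive.
access to dn.base=""
        by * read

# NOTE: this exposes the cn=Monitor subtree (connection and operation
# statistics) to anonymous clients; restrict it to an administrative
# DN if the server is reachable from untrusted networks.
access to dn.subtree=cn=Monitor
        by * read

# Access to schema information
#access to dn.subtree=""
#        by * read

# The userPassword/shadow entries by default can be
# changed by the entry owning it if they are authenticated.
# Others should not be able to see it, except the admin
# entry below
# NOTE: the dn.regex patterns used throughout this file are unanchored
# and the "." in GONICUS.LOCAL is a regex wildcard; anchoring them
# ("^uid=[^/]+/admin\+(realm=GONICUS\.LOCAL)?$") keeps the admin match
# from applying to any other DN that merely contains that substring.
# NOTE: "by self write" here also covers shadowMax/shadowExpire and
# sambaPwdMustChange/sambaPwdCanChange, so a user can change their own
# password-aging values, not only the password itself.
access to attrs=userPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,shadowMax,shadowExpire
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
        by anonymous auth
        by self write
        by * none

# Deny access to imap/fax/kerberos admin passwords stored
# in ldap tree
access to attrs=goImapPassword
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
        by * none
access to attrs=goKrbPassword
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
        by * none
access to attrs=goFaxPassword
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
        by * none

# Let servers write last user attribute
# SECURITY: "by * write" lets any client, including anonymous binds,
# overwrite gotoLastUser on every entry. Restrict it to the accounts
# that actually report logins, e.g.
#        by dn.regex="<REPLACE: pattern matching your server/workstation DNs>" write
#        by * none
# or, as a minimum, "by users write" so that only authenticated clients
# can modify it.
access to attrs=gotoLastUser
        by * write

# Samba passwords by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
access to attrs=sambaLmPassword,sambaNtPassword
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
        by anonymous auth
        by self write
        by * none

# What trees should be readable, depends on your policy. Either
# use this entry and specify what should be readable, or leave
# the access to * => by * read below untouched
#access to dn="ou=(people|groups)"
#        by * read

# The admin dn has full write access
# NOTE: "by * read" below makes the whole tree readable by anonymous
# clients; the attribute rules above still apply first and hide the
# password attributes. Use the commented peername/none alternative if
# anonymous read of the directory is not wanted.
access to *
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" =wrscx
        by * read
#        by peername="ip=127\.0\.0\.1" read
#        by * none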
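#######################################################################
# database definitions
#######################################################################

# Monitor backend
database monitor

# The backend type, ldbm, is the default standard
database hdb
cachesize 5000
mode 0600

# The base of your directory
suffix "dc=gonicus,dc=de"
checkpoint 512 720

# Sample password is "tester", generate a new one using the mkpasswd
# utility and put the string after {crypt}
# SECURITY: the rootdn bypasses every access rule above, and the hash
# shipped here belongs to a published sample password, so it must be
# replaced before the server is exposed. Because this file holds that
# credential (and the replication credentials further down, if enabled)
# it must not be world-readable: 0600, owned by the user slapd runs as.
rootdn "cn=ldapadmin,dc=gonicus,dc=de"
rootpw {crypt}OuorOLd3VqvC2

# Indexing
index default sub
index uid,mail eq
index gosaSnapshotDN eq
index gosaSnapshotTimestamp eq,sub
index gosaMailAlternateAddress,gosaMailForwardingAddress eq
index cn,sn,givenName,ou pres,eq,sub
index objectClass pres,eq
index uidNumber,gidNumber,memberuid eq
index gosaSubtreeACL,gosaObject,gosaUser pres,eq

# Indexing for Kolab
#index alias eq,sub
#index kolabDeleteflag eq
#index kolabHomeServer eq
#index member pres,eq

# Indexing for Samba 3
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq

# Indexing for DHCP
#index dhcpHWAddress eq
#index dhcpClassData eq

# Indexing for DNS
#index zoneName eq
#index relativeDomainName eq

# Where the database files are physically stored
directory "/var/lib/ldap"

# Log modifications and write entryUUID
lastmod on


# Example replication using admin account. This will require taking the
# output of this database using slapcat(8C), and then importing that into
# the replica using slapadd(8C).

# Replication setup
# NOTE: "credentials=secret" is a placeholder; the real replicator
# password ends up in clear text in this file, which is another reason
# to keep the file permissions tight.
#replogfile /var/log/ldap-replicalog
#replica host=ldap-2.gonicus.local
#        binddn="cn=replicator,dc=gonicus,dc=de" bindmethod=simple credentials=secret

# Dummy database for config replication
#database shell
#suffix "dc=gonicus,dc=shell"
#search /etc/ldap/shell/process.pl
#add /etc/ldap/shell/process.pl

# End of ldapd configuration file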