# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options. It holds the rootpw hash (and, if the
# replication example is enabled, a replication credential), so keep it
# readable only by root and the account slapd runs as.
4 ##
5 ## NOTE: This is an example. You should use the template shipped
6 ## with your distribution and adapt it to your needs.
7 ##
9 # Schema and objectClass definitions, depending on your
10 # LDAP setup
# Schema and objectClass definitions, depending on your
# LDAP setup. Keep this order: a schema file may only refer to
# attribute types and object classes loaded before it.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/misc.schema

# These should be present for GOsa. Replace all occurrences
# of samba3 by samba2 for use with GOsa and Samba 2.
include /etc/ldap/schema/gosa/samba3.schema
include /etc/ldap/schema/gosa/gosystem.schema
include /etc/ldap/schema/gosa/goto.schema
include /etc/ldap/schema/gosa/goserver.schema
include /etc/ldap/schema/gosa/gosa-samba3.schema
include /etc/ldap/schema/gosa/trust.schema
# Security settings
# Parameters: sasl, ssf, tls, transport, update_sasl, update_ssf,
# update_tls, update_transport
# The example below (the original read "uptate_tls", a typo slapd would
# reject) requires 128-bit SASL or TLS protection for update operations
# only; "security ssf=128" would require it for every operation.
#security update_sasl=128,update_tls=128
# Require settings
# Parameters: none, authc, bind, LDAPv3, SASL (strong)
#require authc, LDAPv3
36 # Allow settings
37 # Parameters: none, bind_v2, tls_2_anon, bind_anon_cred, bind_anon_dn,
38 # update_anon
39 #allow bind_v2
# Disallow settings
# Parameters: bind_anon, bind_simple_unprotected, tls_2_anon,
# bind_simple, bind_krbv4, tls_authc
# Nothing is disallowed at present, so anonymous binds and simple binds
# carrying a clear-text password over an unencrypted connection are both
# accepted. Once the TLS section below is configured, enable at least
# "disallow bind_simple_unprotected" (and "bind_anon" unless anonymous
# clients are needed). Enabling it without TLS would reject every simple
# bind, the rootdn included.
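# Hash scheme slapd applies to passwords set through the Password Modify
# extended operation (RFC 3062). It does not affect values a client such as
# GOsa writes directly into userPassword, and existing {CRYPT} values keep
# verifying because slapd reads the scheme from the stored prefix.
# {SSHA} (slapd's default) replaces {CRYPT}: with the default
# password-crypt-salt-format ("%s", a two-character salt) {CRYPT} is
# traditional DES crypt, which truncates passwords to 8 characters and is
# cheap to brute-force; the sample rootpw below is such a 13-character hash.
# Other supported schemes: {SHA}, {SMD5}, {MD5}, {CRYPT}, {CLEARTEXT}. If
# {CRYPT} must be kept for compatibility, set password-crypt-salt-format
# to request a stronger crypt(3) variant instead of leaving DES in place.
password-hash {SSHA}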
# Search base used for search requests that arrive with an empty base DN
defaultsearchbase dc=gonicus,dc=de
# Where clients are referred to if no
# match is found locally. Clients that follow the referral may re-send
# their bind credentials to that server, so only refer to hosts you trust.
#referral ldap://some.other.ldap.server
## TLS setup, needs certificates. Nothing here is active until these lines
## are uncommented, so every bind against this server currently travels over
## plain LDAP. The original suite "HIGH:MEDIUM:+SSLv2" only moved the SSLv2
## ciphers to the end of the list ("+" reorders, "!" removes); the string
## below removes anonymous, MD5 and SSLv2 ciphers instead. Keep the private
## key in its own root-only file (mode 0600) rather than alongside the
## certificate under /etc/ssl/certs, which is world-readable by convention.
#TLSCipherSuite HIGH:!aNULL:!MD5:!SSLv2
#TLSCertificateFile /etc/ssl/certs/slapd.pem
#TLSCertificateKeyFile /etc/ssl/certs/slapd.pem
## SASL setup. sasl-authz-policy takes a value (none, from, to, any);
## "none" is the safe choice, the others let one identity assume another.
## "noanonymous" only rejects the ANONYMOUS mechanism; add minssf=<n>
## (e.g. minssf=56) to refuse SASL binds that negotiate no encryption layer.
#sasl-authz-policy none
#sasl-host gosa.gonicus.local
#sasl-realm GONICUS.LOCAL
#sasl-regexp cn=(.*),ou=(.*) cn=$1,ou=$2,ou=People,dc=gonicus,dc=de
#sasl-secprops noanonymous
68 ## Kerberos setup
69 #srvtab /etc/krb5.keytab.ldap
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
# (written by slapd at start-up; /var/run/slapd should be writable
# only by the account slapd runs as, so no other local user can
# plant a pid file the init script will signal)
argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values. Per that page 1024 is the "shell"
# level, which only logs communication with shell backends; with back_shell
# disabled below nothing about binds or operations reaches syslog.
# 256 ("stats") records connections, operations and bind DNs and is the
# usual setting when an audit trail is wanted.
loglevel 1024
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload back_monitor
# back_shell hands every operation to an external program; leave it
# unloaded unless the shell database at the end of this file is enabled.
#moduleload back_shell
87 # Some tuning parameters
88 #threads 64
89 #concurrency 32
90 #conn_max_pending 100
91 #conn_max_pending_auth 250
92 #reverse-lookup off
93 #sizelimit 1000
94 #timelimit 30
95 #idletimeout 30
97 # Limits
98 #limits anonymous size.soft=500 time.soft=5
99 #limits user size=none time.soft=30
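# The root DSE must stay world-readable: clients use it to discover
# supported controls, extensions and the naming contexts.
# "by" clauses are continuation lines and must be indented.
access to dn.base=""
        by * read

# cn=Monitor lists live connections (peer address and bound DN of each)
# and operation counters. NOTE(review): readable by anonymous clients here;
# unless a monitoring tool binds anonymously, prefer
#     by dn.regex="^uid=[^/]+/admin\+(realm=GONICUS\.LOCAL)?" read
#     by * none
access to dn.subtree=cn=Monitor
        by * read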
107 # Access to schema information
108 #access to dn.subtree=""
109 # by * read
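# Password and password-policy attributes. The owner of an entry may change
# them once authenticated, anonymous clients get "auth" access only (enough
# for a simple bind to compare the stored hash), and nobody else sees them.
# The admin pattern is anchored with ^ so it matches only a DN whose first
# RDN is uid=<principal>/admin (the SASL-mapped identity), not a DN that
# merely contains that text further along; the dot in the realm is escaped
# so it no longer matches any character. No $ is added because the DN may
# continue either with the "+realm=" form or with further RDNs.
# NOTE(review): "self write" also covers shadowMax, shadowExpire,
# sambaPwdMustChange and sambaPwdCanChange, so a user can lift their own
# password expiry. Move those to an admin-only rule if password ageing is
# meant to be enforced — confirm first that no client updates them under
# the user's own bind.
access to attrs=userPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,shadowMax,shadowExpire
        by dn.regex="^uid=[^/]+/admin\+(realm=GONICUS\.LOCAL)?" write
        by anonymous auth
        by self write
        by * none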
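# Credentials for the IMAP, Kerberos and fax admin accounts that GOsa keeps
# in the tree. Only the admin identity may read or write them; there is
# deliberately no "auth" or "self" access because nothing binds with these
# attributes. One rule now covers all three attributes — equivalent to the
# three identical rules it replaces. The admin pattern is anchored at the
# start of the DN and the realm's dot is escaped (see the userPassword rule).
access to attrs=goImapPassword,goKrbPassword,goFaxPassword
        by dn.regex="^uid=[^/]+/admin\+(realm=GONICUS\.LOCAL)?" write
        by * none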
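# gotoLastUser is updated by the terminal servers after each login.
# This used to be "by * write", which let any client — anonymous included —
# overwrite the attribute on any entry. Writing now needs an authenticated
# bind; reading stays open to everyone as before.
# NOTE(review): assumes the terminal servers bind with a DN (e.g. their
# machine account) rather than anonymously — verify before deploying, or
# narrow further with a dn/peername clause naming those servers.
access to attrs=gotoLastUser
        by users write
        by * read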
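# Samba password hashes. Same policy as userPassword: the owner may change
# them once authenticated, anonymous clients get "auth" access only, and
# nobody else sees them. The admin pattern is anchored at the start of the
# DN and the realm's dot is escaped.
# NOTE(review): sambaLmPassword is the LanMan hash, which is trivially
# cracked if it ever leaks; whether it is stored at all is decided on the
# Samba side ("lanman auth"), not here.
access to attrs=sambaLmPassword,sambaNtPassword
        by dn.regex="^uid=[^/]+/admin\+(realm=GONICUS\.LOCAL)?" write
        by anonymous auth
        by self write
        by * none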
# What trees should be readable, depends on your policy. Either
# use this entry and specify what should be readable, or leave
# the "access to *" / "by * read" rule below untouched. If you enable it,
# give an explicit style and the full DN, e.g.
# dn.regex="ou=(people|groups),dc=gonicus,dc=de$" — anchored at the end so
# it covers the two ou entries and everything beneath them; the bare
# "ou=(people|groups)" form lacks the suffix and is ambiguous.
#access to dn="ou=(people|groups)"
# by * read
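# Everything not matched above. The admin identity gets full rights
# (=wrscx: write, read, search, compare, auth); everyone else — anonymous
# clients included — may read the whole tree. The password attributes are
# already hidden by the rules above, but group membership, SIDs, home
# directories, mail addresses and shadow ageing data stay world-readable.
# If no anonymous client (e.g. nss_ldap without a bind DN) depends on that,
# prefer "by users read" followed by "by * none".
# This must remain the last access line: slapd uses the first "access to"
# clause whose target matches.
access to *
        by dn.regex="^uid=[^/]+/admin\+(realm=GONICUS\.LOCAL)?" =wrscx
        by * read
#       by peername="ip=127\.0\.0\.1" read
#       by * none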
160 #######################################################################
161 # database definitions
162 #######################################################################
# Monitor backend (cn=Monitor); its read access is set by the ACL above
database monitor
# Primary database. hdb is the hierarchical variant of the BDB backend
# (the "ldbm" wording of the original comment was stale).
database hdb
# number of entries the backend keeps in its in-memory entry cache
cachesize 5000
# permissions for files slapd creates under "directory"; 0600 keeps the raw
# database — which holds every password hash outside ACL control — private
# to the slapd user
mode 0600

# The base of your directory
suffix "dc=gonicus,dc=de"
# BDB checkpoint after 512 KB of log data or 720 minutes, whichever is first
checkpoint 512 720

# rootdn bypasses every ACL above. The shipped sample password is "tester"
# and its hash is a traditional DES crypt (13 characters, password truncated
# to 8) — REPLACE IT before this file goes near a real server:
#     slappasswd -h {SSHA}
# and paste the full "{SSHA}..." string as the rootpw value; slapd accepts
# any supported scheme prefix here. Because this line holds the hash,
# slapd.conf must not be world-readable.
rootdn "cn=ldapadmin,dc=gonicus,dc=de"
rootpw {crypt}OuorOLd3VqvC2
# Indexing. "default sub" is applied to every attribute listed without
# explicit index types; the remaining lines set pres/eq/sub per attribute.
# uid and objectClass equality indexes are the ones bind and login
# lookups hit, so keep them even when trimming the rest.
index default sub
index uid,mail eq
index gosaSnapshotDN eq
index gosaSnapshotTimestamp eq,sub
index gosaMailAlternateAddress,gosaMailForwardingAddress eq
index cn,sn,givenName,ou pres,eq,sub
index objectClass pres,eq
index uidNumber,gidNumber,memberuid eq
index gosaSubtreeACL,gosaObject,gosaUser pres,eq
192 # Indexing for Kolab
193 #index alias eq,sub
194 #index kolabDeleteFlag eq
195 #index kolabHomeServer eq
196 #index member pres,eq
# Indexing for Samba 3: SID lookups are equality searches by the domain
# controller, so "eq" is what matters here.
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
203 # Indexing for DHCP
204 #index dhcpHWAddress eq
205 #index dhcpClassData eq
207 # Indexing for DNS
208 #index zoneName eq
209 #index relativeDomainName eq
# Where the database files are physically stored. The "mode" setting above
# applies to files created here; the directory itself should belong to the
# slapd user with no group/other access, since the BDB files contain every
# attribute — password hashes included — with no ACL in front of them.
directory "/var/lib/ldap"

# Maintain the operational attributes creatorsName/createTimestamp,
# modifiersName/modifyTimestamp, entryUUID and entryCSN. Needed for
# replication and valuable for forensics ("who changed this entry, when"),
# so keep it on.
lastmod on
# Example replication using the slurpd-style "replica" directive. This will
# require taking the output of this database using slapcat(8C), and then
# importing that into the replica using slapadd(8C). Note that
# "credentials=" is stored in the clear here, which is one more reason this
# file must stay unreadable to anyone but root and the slapd user; with
# bindmethod=simple the password also crosses the network in the clear
# unless tls=yes (or a SASL bindmethod) is added. slurpd replication was
# removed in OpenLDAP 2.4 in favour of syncrepl, where the consumer holds
# the credential on the replica instead.

# Replication setup
#replogfile /var/log/ldap-replicalog
#replica host=ldap-2.gonicus.local
# binddn="cn=replicator,dc=gonicus,dc=de" bindmethod=simple credentials=secret
# Dummy database for config replication. back_shell runs the listed program
# for every operation with the request on its stdin, so keep it disabled
# unless needed; if enabled, make sure process.pl and its directory are
# writable by root only, because it executes with the slapd user's rights.
#database shell
#suffix "dc=gonicus,dc=shell"
#search /etc/ldap/shell/process.pl
#add /etc/ldap/shell/process.pl
233 # End of ldapd configuration file