1 # This is the main ldapd configuration file. See slapd.conf(5) for more
2 # info on the configuration options.
4 ##
5 ## NOTE: This is an example. You should use the template shipped
6 ## with your distribution and adapt it to your needs.
7 ##
9 # Schema and objectClass definitions, depending on your
10 # LDAP setup
11 include /etc/ldap/schema/core.schema
12 include /etc/ldap/schema/cosine.schema
13 include /etc/ldap/schema/inetorgperson.schema
14 include /etc/ldap/schema/openldap.schema
15 include /etc/ldap/schema/nis.schema
16 include /etc/ldap/schema/misc.schema
18 # These should be present for GOsa. Replace all occurencies
19 # of samba3 by samba2 for use with GOsa and Samba 2.
20 include /etc/ldap/schema/gosa/samba3.schema
21 include /etc/ldap/schema/gosa/gosystem.schema
22 include /etc/ldap/schema/gosa/goto.schema
23 include /etc/ldap/schema/gosa/goserver.schema
24 include /etc/ldap/schema/gosa/gosa-samba3.schema
25 include /etc/ldap/schema/gosa/trust.schema
27 # Schema check allows for forcing entries to
28 # match schemas for their objectClasses's
29 schemacheck on
31 # Security settings
32 # Parameters: sasl, ssf, tls, transport, update_sasl, update_ssf,
33 # update_tls, update_transport
34 #security update_sasl=128,uptate_tls=128
36 # Require settings
37 # Paramters: none, authc, bind, LDAPv3, SASL (strong)
38 #require authc, LDAPv3
40 # Allow settings
41 # Parameters: none, bind_v2, tls_2_anon, bind_anon_cred, bind_anon_dn,
42 # update_anon
43 #allow bind_v2
45 # Disallow settings
46 # Parameters: bind_anon, bind_simple_unprotected, tls_2_anon,
47 # bind_simple, bind_krbv4, tls_authc
49 # Password hash default value
50 # Parameters: {SHA}, {SMD5}, {MD4}, {CRYPT}, {CLEARTEXT}
51 password-hash {CRYPT}
53 # Search base
54 defaultsearchbase dc=gonicus,dc=de
56 # Where clients are refered to if no
57 # match is found locally
58 #referral ldap://some.other.ldap.server
60 ## TLS setup, needs certificates
61 #TLSCipherSuite HIGH:MEDIUM:+SSLv2
62 #TLSCertificateFile /etc/ssl/certs/slapd.pem
63 #TLSCertificateKeyFile /etc/ssl/certs/slapd.pem
65 ## SASL setup
66 #sasl-authz-policy
67 #sasl-host gosa.gonicus.local
68 #sasl-realm GONICUS.LOCAL
69 #sasl-regexp cn=(.*),ou=(.*) cn=$1,ou=$2,ou=People,dc=gonicus,dc=de
70 #sasl-secprops noanonymous
72 ## Kerberos setup
73 #srvtab /etc/krb5.keytab.ldap
75 # Where the pid file is put. The init.d script
76 # will not stop the server if you change this.
77 pidfile /var/run/slapd.pid
79 # List of arguments that were passed to the server
80 argsfile /var/run/slapd.args
82 # Read slapd.conf(5) for possible values
83 loglevel 1024
85 # Where the dynamically loaded modules are stored
86 modulepath /usr/lib/ldap
87 moduleload back_hdb
88 moduleload back_monitor
89 #moduleload back_shell
91 # Some tuning parameters
92 #threads 64
93 #concurrency 32
94 #conn_max_pending 100
95 #conn_max_pending_auth 250
96 #reverse-lookup off
97 #sizelimit 1000
98 #timelimit 30
99 #idletimeout 30
101 # Limits
102 #limits anonymous size.soft=500 time.soft=5
103 #limits user size=none time.soft=30
105 access to dn.base=""
106 by * read
108 access to dn.subtree=cn=Monitor
109 by * read
111 # Access to schema information
112 #access to dn.subtree=""
113 # by * read
115 # The userPassword/shadow Emtries by default can be
116 # changed by the entry owning it if they are authenticated.
117 # Others should not be able to see it, except the admin
118 # entry below
119 access to attrs=userPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,shadowMax,shadowExpire
120 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
121 by anonymous auth
122 by self write
123 by * none
125 # Deny access to imap/fax/kerberos admin passwords stored
126 # in ldap tree
127 access to attrs=goImapPassword
128 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
129 by * none
130 access to attrs=goKrbPassword
131 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
132 by * none
133 access to attrs=goFaxPassword
134 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
135 by * none
137 # Let servers write last user attribute
138 access to attrs=gotoLastUser
139 by * write
141 # Samba passwords by default can be changed
142 # by the entry owning it if they are authenticated.
143 # Others should not be able to see it, except the
144 # admin entry below
145 access to attrs=sambaLmPassword,sambaNtPassword
146 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
147 by anonymous auth
148 by self write
149 by * none
151 # What trees should be readable, depends on your policy. Either
152 # use this entry and specify what should be readable, or leave
153 # the access to * => by * read below untouched
154 #access to dn="ou=(people|groups)"
155 # by * read
157 # The admin dn has full write access
158 access to *
159 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" =wrscx
160 by * read
161 # by peername="ip=127\.0\.0\.1" read
162 # by * none
164 #######################################################################
165 # database definitions
166 #######################################################################
168 # Monitor backend
169 database monitor
171 # The backend type, ldbm, is the default standard
172 database hdb
173 cachesize 5000
174 mode 0600
176 # The base of your directory
177 suffix "dc=gonicus,dc=de"
178 checkpoint 512 720
180 # Sample password is "tester", generate a new one using the mkpasswd
181 # utility and put the string after {crypt}
182 rootdn "cn=ldapadmin,dc=gonicus,dc=de"
183 rootpw {crypt}OuorOLd3VqvC2
185 # Indexing
186 index default sub
187 index uid,mail eq
188 index gosaSnapshotDN eq
189 index gosaSnapshotTimestamp eq,sub
190 index gosaMailAlternateAddress,gosaMailForwardingAddress eq
191 index cn,sn,givenName,ou pres,eq,sub
192 index objectClass pres,eq
193 index uidNumber,gidNumber,memberuid eq
194 index gosaSubtreeACL,gosaObject,gosaUser pres,eq
196 # Indexing for Kolab
197 #index alias eq,sub
198 #index kolabDeleteFlag eq
199 #index kolabHomeServer eq
200 #index member pres,eq
202 # Indexing for Samba 3
203 index sambaSID eq
204 index sambaPrimaryGroupSID eq
205 index sambaDomainName eq
207 # Indexing for DHCP
208 #index dhcpHWAddress eq
209 #index dhcpClassData eq
211 # Indexing for DNS
212 #index zoneName eq
213 #index relativeDomainName eq
215 # Where the database file are physically stored
216 directory "/var/lib/ldap"
218 # Log modifications and write entryUUID
219 lastmod on
222 # Example replication using admin account. This will require taking the
223 # out put of this database using slapcat(8C), and then importing that into
224 # the replica using slapadd(8C).
226 # Replication setup
227 #replogfile /var/log/ldap-replicalog
228 #replica host=ldap-2.gonicus.local
229 # binddn="cn=replicator,dc=gonicus,dc=de" bindmethod=simple credentials=secret
231 # Dummy database for config replication
232 #database shell
233 #suffix "dc=gonicus,dc=shell"
234 #search /etc/ldap/shell/process.pl
235 #add /etc/ldap/shell/process.pl
237 # End of ldapd configuration file