Replaced config->search with get_cfg_value

[gosa.git] / gosa-core / contrib / openldap / slapd.conf

# This is the main ldapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

##
## NOTE: This is an example. You should use the template shipped
##       with your distribution and adapt it to your needs.
##

# Schema and objectClass definitions, depending on your
# LDAP setup
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/openldap.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/misc.schema

# These should be present for GOsa.
include         /etc/ldap/schema/gosa/samba3.schema
include         /etc/ldap/schema/gosa/gosystem.schema
include         /etc/ldap/schema/gosa/gofon.schema
include         /etc/ldap/schema/gosa/gofax.schema
include         /etc/ldap/schema/gosa/goto.schema
include         /etc/ldap/schema/gosa/goserver.schema
include         /etc/ldap/schema/gosa/gosa-samba3.schema
include         /etc/ldap/schema/gosa/trust.schema

# Security settings
# Parameters: sasl, ssf, tls, transport, update_sasl, update_ssf,
#             update_tls, update_transport
#security               update_sasl=128,uptate_tls=128

# Require settings
# Paramters: none, authc, bind, LDAPv3, SASL (strong)
#require                        authc, LDAPv3

# Allow settings
# Parameters: none, bind_v2, tls_2_anon, bind_anon_cred, bind_anon_dn,
#             update_anon
#allow                  bind_v2

# Disallow settings
# Parameters: bind_anon, bind_simple_unprotected, tls_2_anon,
#             bind_simple, bind_krbv4, tls_authc

# Password hash default value
# Parameters: {SHA}, {SMD5}, {MD4}, {CRYPT}, {CLEARTEXT}
password-hash           {CRYPT}

# Search base
defaultsearchbase       dc=gonicus,dc=de

# Where clients are refered to if no
# match is found locally
#referral       ldap://some.other.ldap.server

## TLS setup, needs certificates
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
#TLSCertificateFile /etc/ssl/certs/slapd.pem
#TLSCertificateKeyFile /etc/ssl/certs/slapd.pem

## SASL setup
#sasl-authz-policy
#sasl-host      gosa.gonicus.local
#sasl-realm     GONICUS.LOCAL
#sasl-regexp    cn=(.*),ou=(.*) cn=$1,ou=$2,ou=People,dc=gonicus,dc=de
#sasl-secprops  noanonymous

## Kerberos setup
#srvtab         /etc/krb5.keytab.ldap

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel        1024

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_hdb
moduleload      back_monitor
#moduleload      back_shell

# Some tuning parameters
#threads                64
#concurrency            32
#conn_max_pending       100
#conn_max_pending_auth  250
#reverse-lookup         off
#sizelimit              1000
#timelimit              30
#idletimeout            30

# Limits
#limits anonymous       size.soft=500 time.soft=5
#limits user            size=none time.soft=30

# Speed up member add/mod/delete operations
sortvals member memberUid roleOccupant

access to dn.base=""
        by * read

access to dn.subtree=cn=Monitor
        by * read

# Access to schema information
#access to dn.subtree=""
#        by * read

# The userPassword/shadow Emtries by default can be
# changed by the entry owning it if they are authenticated.
# Others should not be able to see it, except the admin
# entry below
access to attrs=userPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,shadowMax,shadowExpire
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
        by anonymous auth
        by self write
        by * none 

# Deny access to imap/fax/kerberos admin passwords stored
# in ldap tree
access to attrs=goImapPassword
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
        by * none 
access to attrs=goKrbPassword
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
        by * none 
access to attrs=goFaxPassword
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
        by * none 

# Let servers write last user attribute
access to attrs=gotoLastUser
        by * write

# Samba passwords by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
access to attrs=sambaLmPassword,sambaNtPassword
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
        by anonymous auth
        by self write
        by * none 

# What trees should be readable, depends on your policy. Either
# use this entry and specify what should be readable, or leave
# the access to * => by * read below untouched
#access to dn="ou=(people|groups)"
#       by * read

# The admin dn has full write access
access to *
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" =wrscx
        by * read
#       by peername="ip=127\.0\.0\.1" read
#       by * none

#######################################################################
# database definitions
#######################################################################

# Monitor backend
database        monitor

# The backend type, ldbm, is the default standard
database        hdb
cachesize 5000
mode              0600

# The base of your directory
suffix          "dc=gonicus,dc=de"
checkpoint      512 720

# Sample password is "tester", generate a new one using the mkpasswd
# utility and put the string after {crypt}
rootdn  "cn=ldapadmin,dc=gonicus,dc=de"
rootpw  {crypt}OuorOLd3VqvC2

# Indexing
index   default                                                sub
index   uid,mail                                               eq
index   gosaSnapshotDN                                         eq
index   gosaSnapshotTimestamp                                  eq,sub
index   gosaMailAlternateAddress,gosaMailForwardingAddress     eq
index   cn,sn,givenName,ou                                     pres,eq,sub
index   objectClass                                            pres,eq
index   uidNumber,gidNumber,memberuid                          eq
index   roleOccupant                                           eq
index   gosaSubtreeACL,gosaObject,gosaUser                     pres,eq

# Indexing for Kolab
#index  alias                                                   eq,sub
#index  kolabDeleteflag                                         eq
#index  kolabHomeServer                                         eq
#index  member                                                  pres,eq

# Indexing for Samba 3
index   sambaSID                                               eq
index   sambaPrimaryGroupSID                                   eq
index   sambaDomainName                                        eq

# Indexing for DHCP
#index  dhcpHWAddress                                          eq
#index  dhcpClassData                                          eq

# Indexing for DNS
#index  zoneName                                               eq
#index  relativeDomainName                                     eq

# Where the database file are physically stored
directory       "/var/lib/ldap"

# Log modifications and write entryUUID
lastmod on


# Example replication using admin account. This will require taking the
# out put of this database using slapcat(8C), and then importing that into
# the replica using slapadd(8C).

# Replication setup
#replogfile /var/log/ldap-replicalog
#replica host=ldap-2.gonicus.local
#       binddn="cn=replicator,dc=gonicus,dc=de" bindmethod=simple credentials=secret

# Dummy database for config replication
#database        shell
#suffix          "dc=gonicus,dc=shell"
#search          /etc/ldap/shell/process.pl
#add             /etc/ldap/shell/process.pl

# End of ldapd configuration file