
removed show_errors
[gosa.git] / gosa-core / contrib / openldap / slapd.conf
1 # This is the main slapd configuration file. See slapd.conf(5) for more
2 # info on the configuration options.
4 ##
5 ## NOTE: This is an example. You should use the template shipped
6 ##       with your distribution and adapt it to your needs.
7 ##
9 # Schema and objectClass definitions, depending on your
10 # LDAP setup
11 include         /etc/ldap/schema/core.schema
12 include         /etc/ldap/schema/cosine.schema
13 include         /etc/ldap/schema/inetorgperson.schema
14 include         /etc/ldap/schema/openldap.schema
15 include         /etc/ldap/schema/nis.schema
16 include         /etc/ldap/schema/misc.schema
17 include         /etc/ldap/schema/trust.schema
18 #include        /etc/ldap/schema/krb5-kdc.schema
20 # These should be present for GOsa. In case of samba3,
21 # replace samba.schema and gosa.schema by samba3.schema
22 # and gosa+samba3.schema. Don't include both and remember
23 # to adjust the indexing and acl stuff below!
24 include         /etc/ldap/schema/samba.schema
25 include         /etc/ldap/schema/pureftpd.schema
26 include         /etc/ldap/schema/gofon.schema
27 include         /etc/ldap/schema/gosystem.schema
28 include         /etc/ldap/schema/goto.schema
29 include         /etc/ldap/schema/gosa+samba3.schema
30 include         /etc/ldap/schema/gofax.schema
31 include         /etc/ldap/schema/goserver.schema
32 include         /etc/ldap/schema/goto-mime.schema
34 # Schema check allows for forcing entries to
35 # match the schemas for their objectClasses
36 schemacheck             on
38 # Security settings
39 # Parameters: sasl, ssf, tls, transport, update_sasl, update_ssf,
40 #             update_tls, update_transport
41 #security               update_sasl=128,update_tls=128
43 # Require settings
44 # Parameters: none, authc, bind, LDAPv3, SASL (strong)
45 #require                        authc, LDAPv3
47 # Allow settings
48 # Parameters: none, bind_v2, tls_2_anon, bind_anon_cred, bind_anon_dn,
49 #             update_anon
50 #allow                  bind_v2
52 # Disallow settings
53 # Parameters: bind_anon, bind_simple_unprotected, tls_2_anon,
54 #             bind_simple, bind_krbv4, tls_authc
56 # Password hash default value
57 # Parameters: {SHA}, {SMD5}, {MD4}, {CRYPT}, {CLEARTEXT}
58 password-hash           {CRYPT}
60 # Search base
61 defaultsearchbase       dc=gonicus,dc=de
63 # Where clients are referred to if no
64 # match is found locally
65 #referral       ldap://some.other.ldap.server
67 ## TLS setup, needs certificates
68 #TLSCipherSuite HIGH:MEDIUM:+SSLv2
69 #TLSCertificateFile /etc/ssl/certs/slapd.pem
70 #TLSCertificateKeyFile /etc/ssl/certs/slapd.pem
72 ## SASL setup
73 #sasl-authz-policy
74 #sasl-host      gosa.gonicus.local
75 #sasl-realm     GONICUS.LOCAL
76 #sasl-regexp    cn=(.*),ou=(.*) cn=$1,ou=$2,ou=People,dc=gonicus,dc=de
77 #sasl-secprops  noanonymous
79 ## Kerberos setup
80 #srvtab         /etc/krb5.keytab.ldap
82 # Where the pid file is put. The init.d script
83 # will not stop the server if you change this.
84 pidfile         /var/run/slapd.pid
86 # List of arguments that were passed to the server
87 argsfile        /var/run/slapd.args
89 # Read slapd.conf(5) for possible values
90 loglevel        1024
92 # Where the dynamically loaded modules are stored
93 modulepath      /usr/lib/ldap
94 moduleload      back_hdb
95 moduleload      back_monitor
96 #moduleload      back_shell
98 # Some tuning parameters
99 #threads                64
100 #concurrency            32
101 #conn_max_pending       100
102 #conn_max_pending_auth  250
103 #reverse-lookup         off
104 #sizelimit              1000
105 #timelimit              30
106 #idletimeout            30
108 # Limits
109 #limits anonymous       size.soft=500 time.soft=5
110 #limits user            size=none time.soft=30
112 access to dn.base=""
113         by * read
115 access to dn.subtree=cn=Monitor
116         by * read
118 # Access to schema information
119 #access to dn.subtree=""
120 #        by * read
122 # The userPassword/shadow entries by default can be
123 # changed by the entry owning them if it is authenticated.
124 # Others should not be able to see them, except the admin
125 # entry below
126 access to attrs=userPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,shadowMax,shadowExpire
127         by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
128         by anonymous auth
129         by self write
130         by * none 
132 # Deny access to imap/fax/kerberos admin passwords stored
133 # in ldap tree
134 access to attrs=goImapPassword
135         by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
136         by * none 
137 access to attrs=goKrbPassword
138         by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
139         by * none 
140 access to attrs=goFaxPassword
141         by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
142         by * none 
144 # Let servers write the last-user attribute; note that "by * write" grants this to every client, including anonymous binds
145 access to attrs=gotoLastUser
146         by * write
148 # Samba passwords by default can be changed
149 # by the entry owning it if they are authenticated.
150 # Others should not be able to see it, except the
151 # admin entry below
152 access to attrs=sambaLmPassword,sambaNtPassword
153         by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
154         by anonymous auth
155         by self write
156         by * none 
158 # Which trees should be readable depends on your policy. Either
159 # use this entry and specify what should be readable, or leave
160 # the access to * => by * read below untouched
161 #access to dn="ou=(people|groups)"
162 #       by * read
164 # The admin dn has full write access
165 access to *
166         by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" =wrscx
167         by * read
168 #       by peername="ip=127\.0\.0\.1" read
169 #       by * none
171 #######################################################################
172 # database definitions
173 #######################################################################
175 # Monitor backend
176 database        monitor
178 # The backend type (hdb here; ldbm was the historical default)
179 database        hdb
180 cachesize 5000
181 mode              0600
183 # The base of your directory
184 suffix          "dc=gonicus,dc=de"
185 checkpoint      512 720
187 # Sample password is "tester" and its hash is published with this example,
188 # so generate a new one using the mkpasswd utility and put the string after {crypt}
189 rootdn  "cn=ldapadmin,dc=gonicus,dc=de"
190 rootpw  {crypt}OuorOLd3VqvC2
192 # Indexing
193 index   default                                                sub
194 index   uid,mail                                               eq
195 index   gosaSnapshotDN                                         eq
196 index   gosaSnapshotTimestamp                                  eq,sub
197 index   gosaMailAlternateAddress,gosaMailForwardingAddress     eq
198 index   cn,sn,givenName,ou                                     pres,eq,sub
199 index   objectClass                                            pres,eq
200 index   uidNumber,gidNumber,memberuid                          eq
201 index   gosaSubtreeACL,gosaObject,gosaUser                     pres,eq
203 # Indexing for Kolab
204 #index  alias                                                   eq,sub
205 #index  kolabDeleteFlag                                         eq
206 #index  kolabHomeServer                                         eq
207 #index  member                                                  pres,eq
209 # Indexing for Samba 3
210 index   sambaSID                                               eq
211 index   sambaPrimaryGroupSID                                   eq
212 index   sambaDomainName                                        eq
214 # Indexing for DHCP
215 #index  dhcpHWAddress                                          eq
216 #index  dhcpClassData                                          eq
218 # Indexing for DNS
219 #index  zoneName                                               eq
220 #index  relativeDomainName                                     eq
222 # Where the database files are physically stored
223 directory       "/var/lib/ldap"
225 # Log modifications and write entryUUID
226 lastmod on
229 # Example replication using admin account. This will require taking the
230 # output of this database using slapcat(8C), and then importing that into
231 # the replica using slapadd(8C).
233 # Replication setup
234 #replogfile /var/log/ldap-replicalog
235 #replica host=ldap-2.gonicus.local
236 #       binddn="cn=replicator,dc=gonicus,dc=de" bindmethod=simple credentials=secret
238 # Dummy database for config replication
239 #database        shell
240 #suffix          "dc=gonicus,dc=shell"
241 #search          /etc/ldap/shell/process.pl
242 #add             /etc/ldap/shell/process.pl
244 # End of slapd configuration file