1 # This is the main ldapd configuration file. See slapd.conf(5) for more
2 # info on the configuration options.
4 ##
5 ## NOTE: This is an example. You should use the template shipped
6 ## with your distribution and adapt it to your needs.
7 ##
9 # Schema and objectClass definitions, depending on your
10 # LDAP setup
11 include /etc/ldap/schema/core.schema
12 include /etc/ldap/schema/cosine.schema
13 include /etc/ldap/schema/inetorgperson.schema
14 include /etc/ldap/schema/openldap.schema
15 include /etc/ldap/schema/nis.schema
16 include /etc/ldap/schema/misc.schema
17 include /etc/ldap/schema/trust.schema
18 #include /etc/ldap/schema/krb5-kdc.schema
20 # These should be present for GOsa. In case of samba3,
21 # replace samba.schema and gosa.schema by samba3.schema
22 # and gosa+samba3.schema. Don't include both and remember
23 # to adjust the indexing and acl stuff below!
24 include /etc/ldap/schema/samba.schema
25 include /etc/ldap/schema/pureftpd.schema
26 include /etc/ldap/schema/gofon.schema
27 include /etc/ldap/schema/gosystem.schema
28 include /etc/ldap/schema/goto.schema
29 include /etc/ldap/schema/gosa+samba3.schema
30 include /etc/ldap/schema/gofax.schema
31 include /etc/ldap/schema/goserver.schema
32 include /etc/ldap/schema/goto-mime.schema
34 # Schema check allows for forcing entries to
35 # match schemas for their objectClasses's
36 schemacheck on
38 # Security settings
39 # Parameters: sasl, ssf, tls, transport, update_sasl, update_ssf,
40 # update_tls, update_transport
41 #security update_sasl=128,uptate_tls=128
43 # Require settings
44 # Paramters: none, authc, bind, LDAPv3, SASL (strong)
45 #require authc, LDAPv3
47 # Allow settings
48 # Parameters: none, bind_v2, tls_2_anon, bind_anon_cred, bind_anon_dn,
49 # update_anon
50 #allow bind_v2
52 # Disallow settings
53 # Parameters: bind_anon, bind_simple_unprotected, tls_2_anon,
54 # bind_simple, bind_krbv4, tls_authc
56 # Password hash default value
57 # Parameters: {SHA}, {SMD5}, {MD4}, {CRYPT}, {CLEARTEXT}
58 password-hash {CRYPT}
60 # Search base
61 defaultsearchbase dc=gonicus,dc=de
63 # Where clients are refered to if no
64 # match is found locally
65 #referral ldap://some.other.ldap.server
67 ## TLS setup, needs certificates
68 #TLSCipherSuite HIGH:MEDIUM:+SSLv2
69 #TLSCertificateFile /etc/ssl/certs/slapd.pem
70 #TLSCertificateKeyFile /etc/ssl/certs/slapd.pem
72 ## SASL setup
73 #sasl-authz-policy
74 #sasl-host gosa.gonicus.local
75 #sasl-realm GONICUS.LOCAL
76 #sasl-regexp cn=(.*),ou=(.*) cn=$1,ou=$2,ou=People,dc=gonicus,dc=de
77 #sasl-secprops noanonymous
79 ## Kerberos setup
80 #srvtab /etc/krb5.keytab.ldap
82 # Where the pid file is put. The init.d script
83 # will not stop the server if you change this.
84 pidfile /var/run/slapd.pid
86 # List of arguments that were passed to the server
87 argsfile /var/run/slapd.args
89 # Read slapd.conf(5) for possible values
90 loglevel 1024
92 # Where the dynamically loaded modules are stored
93 modulepath /usr/lib/ldap
94 moduleload back_hdb
95 moduleload back_monitor
96 #moduleload back_shell
98 # Some tuning parameters
99 #threads 64
100 #concurrency 32
101 #conn_max_pending 100
102 #conn_max_pending_auth 250
103 #reverse-lookup off
104 #sizelimit 1000
105 #timelimit 30
106 #idletimeout 30
108 # Limits
109 #limits anonymous size.soft=500 time.soft=5
110 #limits user size=none time.soft=30
112 access to dn.base=""
113 by * read
115 access to dn.subtree=cn=Monitor
116 by * read
118 # Access to schema information
119 #access to dn.subtree=""
120 # by * read
122 # The userPassword/shadow Emtries by default can be
123 # changed by the entry owning it if they are authenticated.
124 # Others should not be able to see it, except the admin
125 # entry below
126 access to attrs=userPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,shadowMax,shadowExpire
127 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
128 by anonymous auth
129 by self write
130 by * none
132 # Deny access to imap/fax/kerberos admin passwords stored
133 # in ldap tree
134 access to attrs=goImapPassword
135 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
136 by * none
137 access to attrs=goKrbPassword
138 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
139 by * none
140 access to attrs=goFaxPassword
141 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
142 by * none
144 # Let servers write last user attribute
145 access to attrs=gotoLastUser
146 by * write
148 # Samba passwords by default can be changed
149 # by the entry owning it if they are authenticated.
150 # Others should not be able to see it, except the
151 # admin entry below
152 access to attrs=sambaLmPassword,sambaNtPassword
153 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
154 by anonymous auth
155 by self write
156 by * none
158 # What trees should be readable, depends on your policy. Either
159 # use this entry and specify what should be readable, or leave
160 # the access to * => by * read below untouched
161 #access to dn="ou=(people|groups)"
162 # by * read
164 # The admin dn has full write access
165 access to *
166 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" =wrscx
167 by * read
168 # by peername="ip=127\.0\.0\.1" read
169 # by * none
171 #######################################################################
172 # database definitions
173 #######################################################################
175 # Monitor backend
176 database monitor
178 # The backend type, ldbm, is the default standard
179 database hdb
180 cachesize 5000
181 mode 0600
183 # The base of your directory
184 suffix "dc=gonicus,dc=de"
185 checkpoint 512 720
187 # Sample password is "tester", generate a new one using the mkpasswd
188 # utility and put the string after {crypt}
189 rootdn "cn=ldapadmin,dc=gonicus,dc=de"
190 rootpw {crypt}OuorOLd3VqvC2
192 # Indexing
193 index default sub
194 index uid,mail eq
195 index gosaSnapshotDN eq
196 index gosaSnapshotTimestamp eq,sub
197 index gosaMailAlternateAddress,gosaMailForwardingAddress eq
198 index cn,sn,givenName,ou pres,eq,sub
199 index objectClass pres,eq
200 index uidNumber,gidNumber,memberuid eq
201 index gosaSubtreeACL,gosaObject,gosaUser pres,eq
203 # Indexing for Kolab
204 #index alias eq,sub
205 #index kolabDeleteFlag eq
206 #index kolabHomeServer eq
207 #index member pres,eq
209 # Indexing for Samba 3
210 index sambaSID eq
211 index sambaPrimaryGroupSID eq
212 index sambaDomainName eq
214 # Indexing for DHCP
215 #index dhcpHWAddress eq
216 #index dhcpClassData eq
218 # Indexing for DNS
219 #index zoneName eq
220 #index relativeDomainName eq
222 # Where the database file are physically stored
223 directory "/var/lib/ldap"
225 # Log modifications and write entryUUID
226 lastmod on
229 # Example replication using admin account. This will require taking the
230 # out put of this database using slapcat(8C), and then importing that into
231 # the replica using slapadd(8C).
233 # Replication setup
234 #replogfile /var/log/ldap-replicalog
235 #replica host=ldap-2.gonicus.local
236 # binddn="cn=replicator,dc=gonicus,dc=de" bindmethod=simple credentials=secret
238 # Dummy database for config replication
239 #database shell
240 #suffix "dc=gonicus,dc=shell"
241 #search /etc/ldap/shell/process.pl
242 #add /etc/ldap/shell/process.pl
244 # End of ldapd configuration file