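# This is the main ldapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

##
## NOTE: This is an example. You should use the template shipped
## with your distribution and adapt it to your needs.
##

# Schema and objectClass definitions, depending on your
# LDAP setup
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/trust.schema
#include /etc/ldap/schema/krb5-kdc.schema

# These should be present for GOsa. In case of samba3,
# replace samba.schema and gosa.schema by samba3.schema
# and gosa+samba3.schema. Don't include both and remember
# to adjust the indexing and acl stuff below!
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/pureftpd.schema
include /etc/ldap/schema/gofon.schema
include /etc/ldap/schema/gosystem.schema
include /etc/ldap/schema/goto.schema
include /etc/ldap/schema/gosa+samba3.schema
include /etc/ldap/schema/gofax.schema
include /etc/ldap/schema/goserver.schema
include /etc/ldap/schema/goto-mime.schema

# Schema check forces entries to match the schemas
# of their objectClasses. Keep it on; turning it off
# lets clients store attributes the schema never allowed.
schemacheck on

# Security settings
# Parameters: sasl, ssf, tls, transport, update_sasl, update_ssf,
# update_tls, update_transport
# With no "security" directive, simple binds (including the rootdn)
# are accepted over unencrypted ldap://. Once the TLS setup below
# is in place, consider at least "security update_ssf=128" so that
# writes and password changes cannot travel in the clear.
#security update_sasl=128,update_tls=128

# Require settings
# Parameters: none, authc, bind, LDAPv3, SASL (strong)
#require authc, LDAPv3

# Allow settings
# Parameters: none, bind_v2, tls_2_anon, bind_anon_cred, bind_anon_dn,
# update_anon
#allow bind_v2

# Disallow settings
# Parameters: bind_anon, bind_simple_unprotected, tls_2_anon,
# bind_simple, bind_krbv4, tls_authc

# Password hash default value
# Parameters: {SHA}, {SMD5}, {MD4}, {CRYPT}, {CLEARTEXT}
# {CRYPT} uses the system crypt(3); on many systems that yields
# 13-character DES hashes, which are weak against offline cracking.
# {SSHA} (salted SHA) is also supported by slapd and is the usual
# choice when the system crypt is not a modern scheme.
password-hash {CRYPT}

# Search base
defaultsearchbase dc=gonicus,dc=de


# Where clients are referred to if no
# match is found locally
#referral ldap://some.other.ldap.server

## TLS setup, needs certificates
# Note: "+SSLv2" in the cipher suite below re-enables an obsolete
# protocol; drop it when you enable TLS.
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
#TLSCertificateFile /etc/ssl/certs/slapd.pem
#TLSCertificateKeyFile /etc/ssl/certs/slapd.pem

## SASL setup
#sasl-authz-policy
#sasl-host gosa.gonicus.local
#sasl-realm GONICUS.LOCAL
#sasl-regexp cn=(.*),ou=(.*) cn=$1,ou=$2,ou=People,dc=gonicus,dc=de
#sasl-secprops noanonymous

## Kerberos setup
#srvtab /etc/krb5.keytab.ldap

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd.args

# Read slapd.conf(5) for possible values
loglevel 1024

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload back_monitor
#moduleload back_shell

# Some tuning parameters
#threads 64
#concurrency 32
#conn_max_pending 100
#conn_max_pending_auth 250
#reverse-lookup off
#sizelimit 1000
#timelimit 30
#idletimeout 30

# Limits
#limits anonymous size.soft=500 time.soft=5
#limits user size=none time.soft=30

# ACLs are evaluated in order; the first "access to" clause whose
# target matches decides, so keep the specific clauses above the
# catch-all "access to *" at the end.

# Root DSE must stay readable so clients can discover the server
access to dn.base=""
by * read

# NOTE: anonymous read of cn=Monitor exposes connection, operation
# and backend statistics. Restrict it to the admin DN (or "by users")
# if untrusted clients can reach this server.
access to dn.subtree=cn=Monitor
by * read

# Access to schema information
#access to dn.subtree=""
# by * read

# The userPassword/shadow entries by default can be
# changed by the entry owning it if they are authenticated.
# Others should not be able to see it, except the admin
# entry below
# NOTE: the dn.regex pattern used here and below is not anchored,
# so it can match a substring of a longer DN, and the unescaped
# "." in GONICUS.LOCAL matches any character. Anchoring it with
# ^...$ and writing GONICUS\.LOCAL tightens the match.
access to attrs=userPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,shadowMax,shadowExpire
by dn="cn=ldapadmin,dc=gonicus,dc=de" write
by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
by anonymous auth
by self write
by * none

# Deny access to imap/fax/kerberos admin passwords stored
# in ldap tree
access to attrs=goImapPassword
by dn="cn=ldapadmin,dc=gonicus,dc=de" write
by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
by * none
access to attrs=goKrbPassword
by dn="cn=ldapadmin,dc=gonicus,dc=de" write
by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
by * none
access to attrs=goFaxPassword
by dn="cn=ldapadmin,dc=gonicus,dc=de" write
by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
by * none

# Let servers write last user attribute
# NOTE: "by * write" includes anonymous binds, so any client that can
# reach the server may change gotoLastUser on any entry. If only the
# terminal servers need this, name their DNs here, or at least use
# "by users write" so that an authenticated bind is required.
access to attrs=gotoLastUser
by * write

# Samba passwords by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
access to attrs=sambaLmPassword,sambaNtPassword
by dn="cn=ldapadmin,dc=gonicus,dc=de" write
by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
by anonymous auth
by self write
by * none

# Enable write create access for the terminal admin
access to dn="ou=incoming,dc=gonicus,dc=de"
by dn="cn=terminal-admin,dc=gonicus,dc=de" write
by dn="cn=ldapadmin,dc=gonicus,dc=de" write
by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
by * none

access to dn.sub="ou=incoming,dc=gonicus,dc=de"
by dn="cn=terminal-admin,dc=gonicus,dc=de" write
by dn="cn=ldapadmin,dc=gonicus,dc=de" write
by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
by * none

# What trees should be readable, depends on your policy. Either
# use this entry and specify what should be readable, or leave
# the access to * => by * read below untouched
#access to dn="ou=(people|groups)"
# by * read

# The admin dn has full write access
# Everything not matched above is readable by anyone, including
# anonymous binds; the commented alternatives limit that to localhost
# or deny it entirely.
access to *
by dn="cn=ldapadmin,dc=gonicus,dc=de" =wrscx
by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" =wrscx
by * read
# by peername="ip=127\.0\.0\.1" read
# by * none

#######################################################################
# database definitions
#######################################################################

# Monitor backend
database monitor

# The backend type, ldbm, is the default standard
database hdb
cachesize 5000
mode 0600

# The base of your directory
suffix "dc=gonicus,dc=de"
checkpoint 512 720

# Sample password is "tester", generate a new one using the mkpasswd
# utility and put the string after {crypt}
# The rootdn bypasses every ACL above, so replace the sample hash
# before going live and keep this file readable by root only.
# slappasswd(8) can produce an {SSHA} hash if you prefer it to crypt.
rootdn "cn=ldapadmin,dc=gonicus,dc=de"
rootpw {crypt}OuorOLd3VqvC2

# Indexing
index default sub
index uid,mail eq
index gosaSnapshotDN eq
index gosaSnapshotTimestamp eq,sub
index gosaMailAlternateAddress,gosaMailForwardingAddress eq
index cn,sn,givenName,ou pres,eq,sub
index objectClass pres,eq
index uidNumber,gidNumber,memberuid eq
index gosaSubtreeACL,gosaObject,gosaUser pres,eq

# Indexing for Kolab
#index alias eq,sub
#index kolabDeleteFlag eq
#index kolabHomeServer eq
#index member pres,eq

# Indexing for Samba 3
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq

# Indexing for DHCP
#index dhcpHWAddress eq
#index dhcpClassData eq

# Indexing for DNS
#index zoneName eq
#index relativeDomainName eq

# Where the database files are physically stored
directory "/var/lib/ldap"

# Log modifications and write entryUUID
lastmod on


# Example replication using admin account. This will require taking the
# output of this database using slapcat(8C), and then importing that into
# the replica using slapadd(8C).

# Replication setup
# The credentials below are stored in the clear in this file; the
# replicator account should have no more rights than replication needs.
#replogfile /var/log/ldap-replicalog
#replica host=ldap-2.gonicus.local
# binddn="cn=replicator,dc=gonicus,dc=de" bindmethod=simple credentials=secret

# Dummy database for config replication
#database shell
#suffix "dc=gonicus,dc=shell"
#search /etc/ldap/shell/process.pl
#add /etc/ldap/shell/process.pl

# End of ldapd configuration file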