# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

##
## NOTE: This is an example. You should use the template shipped
##       with your distribution and adapt it to your needs.
##

# Schema and objectClass definitions, depending on your
# LDAP setup
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/openldap.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/misc.schema
include   /etc/ldap/schema/trust.schema
#include        /etc/ldap/schema/krb5-kdc.schema

# These should be present for GOsa. In case of samba3,
# replace samba.schema and gosa.schema by samba3.schema
# and gosa+samba3.schema. Don't include both and remember
# to adjust the indexing and acl stuff below!
# NOTE(review): the list below mixes samba.schema with
# gosa+samba3.schema, which according to the note above belong
# to different pairs - confirm which pair this example intends.
include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/pureftpd.schema
include         /etc/ldap/schema/gofon.schema
include         /etc/ldap/schema/gosystem.schema
include         /etc/ldap/schema/goto.schema
include         /etc/ldap/schema/gosa+samba3.schema
include         /etc/ldap/schema/gofax.schema
include         /etc/ldap/schema/goserver.schema
include         /etc/ldap/schema/goto-mime.schema

# Schema check allows for forcing entries to
# match the schemas of their objectClasses.
# NOTE(review): newer slapd releases treat this directive as
# obsolete (schema checking is always on) - check slapd.conf(5)
# for the version in use.
schemacheck             on

# Security settings
# Parameters: sasl, ssf, tls, transport, update_sasl, update_ssf,
#             update_tls, update_transport
#security               update_sasl=128,update_tls=128

# Require settings
# Parameters: none, authc, bind, LDAPv3, SASL (strong)
#require                        authc, LDAPv3

# Allow settings
# Parameters: none, bind_v2, tls_2_anon, bind_anon_cred, bind_anon_dn,
#             update_anon
#allow                  bind_v2

# Disallow settings
# Parameters: bind_anon, bind_simple_unprotected, tls_2_anon,
#             bind_simple, bind_krbv4, tls_authc

# Password hash default value (used when a client sends a
# cleartext password via the Password Modify extended operation)
# Parameters: {SHA}, {SMD5}, {MD4}, {CRYPT}, {CLEARTEXT}
# {CRYPT} delegates to the system crypt(3); {SSHA}, the slapd
# default, is the usual choice today. {CLEARTEXT} stores the
# password unhashed.
password-hash           {CRYPT}

# Search base
defaultsearchbase       dc=gonicus,dc=de


# Where clients are referred to if no
# match is found locally
#referral       ldap://some.other.ldap.server

## TLS setup, needs certificates
# NOTE(review): "+SSLv2" in the example cipher suite below would
# re-enable SSLv2 ciphers; drop it when enabling TLS.
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
#TLSCertificateFile /etc/ssl/certs/slapd.pem
#TLSCertificateKeyFile /etc/ssl/certs/slapd.pem

## SASL setup
# NOTE(review): the example sasl-regexp uses unanchored, greedy
# (.*) groups; anchor the pattern (^ ... $) and narrow the groups
# before enabling it, since it decides which entry a SASL identity
# is mapped to.
#sasl-authz-policy
#sasl-host      gosa.gonicus.local
#sasl-realm     GONICUS.LOCAL
#sasl-regexp    cn=(.*),ou=(.*) cn=$1,ou=$2,ou=People,dc=gonicus,dc=de
#sasl-secprops  noanonymous

## Kerberos setup
#srvtab         /etc/krb5.keytab.ldap

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd.args

# Read slapd.conf(5) for possible values
loglevel        1024

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_hdb
moduleload      back_monitor
#moduleload      back_shell

# Some tuning parameters
#threads                64
#concurrency            32
#conn_max_pending       100
#conn_max_pending_auth  250
#reverse-lookup         off
#sizelimit              1000
#timelimit              30
#idletimeout            30

# Limits
#limits anonymous       size.soft=500 time.soft=5
#limits user            size=none time.soft=30

# Access control. These rules appear before any "database"
# directive, so they are global and apply to every database
# defined below. They are evaluated in order: the first
# "access to" clause whose target matches decides, and within it
# the first matching "by" clause wins - so the order of the
# clauses below is significant.

# The root DSE must be readable for clients to discover
# server capabilities.
access to dn.base=""
        by * read

# NOTE(review): anonymous read on cn=Monitor exposes server
# statistics (connections, operations, backends) to anyone who
# can reach the port; consider restricting this to the admin DN
# or to localhost via peername.
access to dn.subtree=cn=Monitor
        by * read

# Access to schema information
#access to dn.subtree=""
#        by * read

# The userPassword/shadow entries by default can be
# changed by the entry owning it if they are authenticated.
# Others should not be able to see it, except the admin
# entry below.
# "by anonymous auth" is what allows simple binds to compare
# the password without exposing it.
# NOTE(review): the dn.regex used here (and repeated in every
# rule below) is not anchored with ^ and the dots in
# GONICUS.LOCAL are unescaped, so it matches any DN that merely
# contains "uid=<something>/admin" anywhere in it. Confirm the
# exact authzDN form produced by the SASL setup in use, then
# anchor and escape the pattern accordingly.
access to attrs=userPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,shadowMax,shadowExpire
        by dn="cn=ldapadmin,dc=gonicus,dc=de" write
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
        by anonymous auth
        by self write
        by * none 

# Deny access to imap/fax/kerberos admin passwords stored
# in ldap tree
access to attrs=goImapPassword
        by dn="cn=ldapadmin,dc=gonicus,dc=de" write
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
        by * none 
access to attrs=goKrbPassword
        by dn="cn=ldapadmin,dc=gonicus,dc=de" write
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
        by * none 
access to attrs=goFaxPassword
        by dn="cn=ldapadmin,dc=gonicus,dc=de" write
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
        by * none 

# Let servers write last user attribute
# NOTE(review): "by * write" lets any client, including anonymous
# binds, modify gotoLastUser on every entry in the tree. If the
# writing hosts are known, a peername or "users" restriction would
# narrow this - verify against the terminal/server setup first.
access to attrs=gotoLastUser
        by * write

# Samba passwords by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
access to attrs=sambaLmPassword,sambaNtPassword
        by dn="cn=ldapadmin,dc=gonicus,dc=de" write
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
        by anonymous auth
        by self write
        by * none 

# Enable write create access for the terminal admin
# (the exact entry first, then everything beneath it)
access to dn="ou=incoming,dc=gonicus,dc=de"
        by dn="cn=terminal-admin,dc=gonicus,dc=de" write
        by dn="cn=ldapadmin,dc=gonicus,dc=de" write
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
        by * none

access to dn.sub="ou=incoming,dc=gonicus,dc=de"
        by dn="cn=terminal-admin,dc=gonicus,dc=de" write
        by dn="cn=ldapadmin,dc=gonicus,dc=de" write
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
        by * none

# What trees should be readable, depends on your policy. Either
# use this entry and specify what should be readable, or leave
# the access to * => by * read below untouched
#access to dn="ou=(people|groups)"
#       by * read

# The admin dn has full write access.
# Everything not matched by a rule above is readable by anyone,
# anonymous binds included ("by * read"); the commented
# alternatives restrict reads to localhost or deny them.
access to *
        by dn="cn=ldapadmin,dc=gonicus,dc=de" =wrscx
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" =wrscx
        by * read
#       by peername="ip=127\.0\.0\.1" read
#       by * none

#######################################################################
# database definitions
#######################################################################

# Monitor backend
database        monitor

# The backend type; this example uses hdb (loaded above via
# "moduleload back_hdb").
database        hdb
# Number of entries kept in the entry cache
cachesize 5000
# File protection mode for newly created database files
mode              0600

# The base of your directory
suffix          "dc=gonicus,dc=de"
# Checkpoint the transaction log every 512 KB written or
# every 720 minutes, whichever comes first
checkpoint      512 720

# Sample password is "tester", generate a new one using the mkpasswd
# utility and put the string after {crypt}.
# NOTE: the rootdn is not subject to the access rules above, and
# the hash below belongs to a published sample password - replace
# it before the server is exposed.
rootdn  "cn=ldapadmin,dc=gonicus,dc=de"
rootpw  {crypt}OuorOLd3VqvC2

# Indexing
index   default                                                sub
index   uid,mail                                               eq
index   gosaSnapshotDN                                         eq
index   gosaSnapshotTimestamp                                  eq,sub
index   gosaMailAlternateAddress,gosaMailForwardingAddress     eq
index   cn,sn,givenName,ou                                     pres,eq,sub
index   objectClass                                            pres,eq
index   uidNumber,gidNumber,memberuid                          eq
index   gosaSubtreeACL,gosaObject,gosaUser                     pres,eq

# Indexing for Kolab
#index  alias                                                   eq,sub
#index  kolabDeleteFlag                                         eq
#index  kolabHomeServer                                         eq
#index  member                                                  pres,eq

# Indexing for Samba 3
index   sambaSID                                               eq
index   sambaPrimaryGroupSID                                   eq
index   sambaDomainName                                        eq

# Indexing for DHCP
#index  dhcpHWAddress                                          eq
#index  dhcpClassData                                          eq

# Indexing for DNS
#index  zoneName                                               eq
#index  relativeDomainName                                     eq

# Where the database files are physically stored
directory       "/var/lib/ldap"

# Log modifications and write entryUUID
lastmod on


# Example replication using admin account. This will require taking the
# output of this database using slapcat(8C), and then importing that into
# the replica using slapadd(8C).

# Replication setup
# NOTE: "credentials=" is stored in clear text in this file; keep
# the file unreadable to other local users if this is enabled.
#replogfile /var/log/ldap-replicalog
#replica host=ldap-2.gonicus.local
#       binddn="cn=replicator,dc=gonicus,dc=de" bindmethod=simple credentials=secret

# Dummy database for config replication
#database        shell
#suffix          "dc=gonicus,dc=shell"
#search          /etc/ldap/shell/process.pl
#add             /etc/ldap/shell/process.pl

# End of slapd configuration file