1 # This is the main ldapd configuration file. See slapd.conf(5) for more
2 # info on the configuration options.
4 ##
5 ## NOTE: This is an example. You should use the template shipped
6 ## with your distribution and adapt it to your needs.
7 ##
9 # Schema and objectClass definitions, depending on your
10 # LDAP setup
11 include /etc/ldap/schema/core.schema
12 include /etc/ldap/schema/cosine.schema
13 include /etc/ldap/schema/inetorgperson.schema
14 include /etc/ldap/schema/openldap.schema
15 include /etc/ldap/schema/nis.schema
16 include /etc/ldap/schema/misc.schema
18 # These should be present for GOsa. Replace all occurencies
19 # of samba3 by samba2 for use with GOsa and Samba 2.
20 include /etc/ldap/schema/gosa/samba3.schema
21 include /etc/ldap/schema/gosa/gosystem.schema
22 include /etc/ldap/schema/gosa/gofon.schema
23 include /etc/ldap/schema/gosa/goto.schema
24 include /etc/ldap/schema/gosa/goserver.schema
25 include /etc/ldap/schema/gosa/gosa-samba3.schema
26 include /etc/ldap/schema/gosa/trust.schema
28 # Security settings
29 # Parameters: sasl, ssf, tls, transport, update_sasl, update_ssf,
30 # update_tls, update_transport
31 #security update_sasl=128,uptate_tls=128
33 # Require settings
34 # Paramters: none, authc, bind, LDAPv3, SASL (strong)
35 #require authc, LDAPv3
37 # Allow settings
38 # Parameters: none, bind_v2, tls_2_anon, bind_anon_cred, bind_anon_dn,
39 # update_anon
40 #allow bind_v2
42 # Disallow settings
43 # Parameters: bind_anon, bind_simple_unprotected, tls_2_anon,
44 # bind_simple, bind_krbv4, tls_authc
46 # Password hash default value
47 # Parameters: {SHA}, {SMD5}, {MD4}, {CRYPT}, {CLEARTEXT}
48 password-hash {CRYPT}
50 # Search base
51 defaultsearchbase dc=gonicus,dc=de
53 # Where clients are refered to if no
54 # match is found locally
55 #referral ldap://some.other.ldap.server
57 ## TLS setup, needs certificates
58 #TLSCipherSuite HIGH:MEDIUM:+SSLv2
59 #TLSCertificateFile /etc/ssl/certs/slapd.pem
60 #TLSCertificateKeyFile /etc/ssl/certs/slapd.pem
62 ## SASL setup
63 #sasl-authz-policy
64 #sasl-host gosa.gonicus.local
65 #sasl-realm GONICUS.LOCAL
66 #sasl-regexp cn=(.*),ou=(.*) cn=$1,ou=$2,ou=People,dc=gonicus,dc=de
67 #sasl-secprops noanonymous
69 ## Kerberos setup
70 #srvtab /etc/krb5.keytab.ldap
72 # Where the pid file is put. The init.d script
73 # will not stop the server if you change this.
74 pidfile /var/run/slapd/slapd.pid
76 # List of arguments that were passed to the server
77 argsfile /var/run/slapd/slapd.args
79 # Read slapd.conf(5) for possible values
80 loglevel 1024
82 # Where the dynamically loaded modules are stored
83 modulepath /usr/lib/ldap
84 moduleload back_hdb
85 moduleload back_monitor
86 #moduleload back_shell
88 # Some tuning parameters
89 #threads 64
90 #concurrency 32
91 #conn_max_pending 100
92 #conn_max_pending_auth 250
93 #reverse-lookup off
94 #sizelimit 1000
95 #timelimit 30
96 #idletimeout 30
98 # Limits
99 #limits anonymous size.soft=500 time.soft=5
100 #limits user size=none time.soft=30
102 access to dn.base=""
103 by * read
105 access to dn.subtree=cn=Monitor
106 by * read
108 # Access to schema information
109 #access to dn.subtree=""
110 # by * read
112 # The userPassword/shadow Emtries by default can be
113 # changed by the entry owning it if they are authenticated.
114 # Others should not be able to see it, except the admin
115 # entry below
116 access to attrs=userPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,shadowMax,shadowExpire
117 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
118 by anonymous auth
119 by self write
120 by * none
122 # Deny access to imap/fax/kerberos admin passwords stored
123 # in ldap tree
124 access to attrs=goImapPassword
125 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
126 by * none
127 access to attrs=goKrbPassword
128 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
129 by * none
130 access to attrs=goFaxPassword
131 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
132 by * none
134 # Let servers write last user attribute
135 access to attrs=gotoLastUser
136 by * write
138 # Samba passwords by default can be changed
139 # by the entry owning it if they are authenticated.
140 # Others should not be able to see it, except the
141 # admin entry below
142 access to attrs=sambaLmPassword,sambaNtPassword
143 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
144 by anonymous auth
145 by self write
146 by * none
148 # What trees should be readable, depends on your policy. Either
149 # use this entry and specify what should be readable, or leave
150 # the access to * => by * read below untouched
151 #access to dn="ou=(people|groups)"
152 # by * read
154 # The admin dn has full write access
155 access to *
156 by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" =wrscx
157 by * read
158 # by peername="ip=127\.0\.0\.1" read
159 # by * none
161 #######################################################################
162 # database definitions
163 #######################################################################
165 # Monitor backend
166 database monitor
168 # The backend type, ldbm, is the default standard
169 database hdb
170 cachesize 5000
171 mode 0600
173 # The base of your directory
174 suffix "dc=gonicus,dc=de"
175 checkpoint 512 720
177 # Sample password is "tester", generate a new one using the mkpasswd
178 # utility and put the string after {crypt}
179 rootdn "cn=ldapadmin,dc=gonicus,dc=de"
180 rootpw {crypt}OuorOLd3VqvC2
182 # Indexing
183 index default sub
184 index uid,mail eq
185 index gosaSnapshotDN eq
186 index gosaSnapshotTimestamp eq,sub
187 index gosaMailAlternateAddress,gosaMailForwardingAddress eq
188 index cn,sn,givenName,ou pres,eq,sub
189 index objectClass pres,eq
190 index uidNumber,gidNumber,memberuid eq
191 index gosaSubtreeACL,gosaObject,gosaUser pres,eq
193 # Indexing for Kolab
194 #index alias eq,sub
195 #index kolabDeleteflag eq
196 #index kolabHomeServer eq
197 #index member pres,eq
199 # Indexing for Samba 3
200 index sambaSID eq
201 index sambaPrimaryGroupSID eq
202 index sambaDomainName eq
204 # Indexing for DHCP
205 #index dhcpHWAddress eq
206 #index dhcpClassData eq
208 # Indexing for DNS
209 #index zoneName eq
210 #index relativeDomainName eq
212 # Where the database file are physically stored
213 directory "/var/lib/ldap"
215 # Log modifications and write entryUUID
216 lastmod on
219 # Example replication using admin account. This will require taking the
220 # out put of this database using slapcat(8C), and then importing that into
221 # the replica using slapadd(8C).
223 # Replication setup
224 #replogfile /var/log/ldap-replicalog
225 #replica host=ldap-2.gonicus.local
226 # binddn="cn=replicator,dc=gonicus,dc=de" bindmethod=simple credentials=secret
228 # Dummy database for config replication
229 #database shell
230 #suffix "dc=gonicus,dc=shell"
231 #search /etc/ldap/shell/process.pl
232 #add /etc/ldap/shell/process.pl
234 # End of ldapd configuration file