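# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

##
## NOTE: This is an example. You should use the template shipped
## with your distribution and adapt it to your needs.
##

# Schema and objectClass definitions, depending on your
# LDAP setup
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/misc.schema

# These should be present for GOsa. Replace all occurrences
# of samba3 by samba2 for use with GOsa and Samba 2.
include /etc/ldap/schema/gosa/samba3.schema
include /etc/ldap/schema/gosa/gosystem.schema
include /etc/ldap/schema/gosa/goto.schema
include /etc/ldap/schema/gosa/gosa-samba3.schema
include /etc/ldap/schema/gosa/trust.schema

# Schema check forces entries to match the schemas of their
# objectClasses.
# NOTE: newer OpenLDAP releases always enforce schema checking and may
# reject or ignore this directive -- check slapd.conf(5) for your version.
schemacheck on

# Security settings
# Parameters: sasl, ssf, tls, transport, update_sasl, update_ssf,
# update_tls, update_transport
# NOTE: nothing in this block is active, so simple binds (including the
# rootdn) are accepted over unprotected connections. Once TLS is set up,
# consider a minimum ssf here and/or "disallow bind_simple_unprotected".
#security update_sasl=128,update_tls=128

# Require settings
# Parameters: none, authc, bind, LDAPv3, SASL (strong)
#require authc, LDAPv3

# Allow settings
# Parameters: none, bind_v2, tls_2_anon, bind_anon_cred, bind_anon_dn,
# update_anon
#allow bind_v2

# Disallow settings
# Parameters: bind_anon, bind_simple_unprotected, tls_2_anon,
# bind_simple, bind_krbv4, tls_authc

# Password hash default value
# Parameters: {SHA}, {SMD5}, {MD4}, {CRYPT}, {CLEARTEXT}
# NOTE: only affects hashes generated by the password modify extended
# operation. {CRYPT} uses traditional DES crypt unless
# password-crypt-salt-format is set; {SSHA} (slapd's default) is
# generally preferred.
password-hash {CRYPT}

# Search base
defaultsearchbase dc=gonicus,dc=de

# Where clients are referred to if no
# match is found locally
#referral ldap://some.other.ldap.server

## TLS setup, needs certificates
## NOTE: the "+SSLv2" element only moves SSLv2-era ciphers to the end of
## the list, it does not exclude them; prefer a suite that drops SSLv2,
## SSLv3, LOW and EXPORT ciphers. Keep the key file readable by slapd only.
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
#TLSCertificateFile /etc/ssl/certs/slapd.pem
#TLSCertificateKeyFile /etc/ssl/certs/slapd.pem

## SASL setup
#sasl-authz-policy
#sasl-host gosa.gonicus.local
#sasl-realm GONICUS.LOCAL
#sasl-regexp cn=(.*),ou=(.*) cn=$1,ou=$2,ou=People,dc=gonicus,dc=de
#sasl-secprops noanonymous

## Kerberos setup
#srvtab /etc/krb5.keytab.ldap

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd.args

# Read slapd.conf(5) for possible values
# NOTE: per slapd.conf(5) the value 1024 selects shell-backend logging;
# back_shell is not loaded below, so 256 (stats) is the usual operational
# choice -- confirm this value is intended.
loglevel 1024

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload back_monitor
#moduleload back_shell

# Some tuning parameters
#threads 64
#concurrency 32
#conn_max_pending 100
#conn_max_pending_auth 250
#reverse-lookup off
#sizelimit 1000
#timelimit 30
#idletimeout 30

# Limits
#limits anonymous size.soft=500 time.soft=5
#limits user size=none time.soft=30

# The root DSE must stay readable so clients can discover server features.
access to dn.base=""
by * read

# NOTE: cn=Monitor exposes connection, operation and backend statistics;
# "by * read" shows them to anonymous clients. Restrict this to the admin
# identity or to local peers if that information should not be public.
access to dn.subtree=cn=Monitor
by * read

# Access to schema information
#access to dn.subtree=""
# by * read

# The userPassword/shadow entries by default can be
# changed by the entry owning it if they are authenticated.
# Others should not be able to see it, except the admin
# entry below
# NOTE: the admin dn.regex used here and in the ACLs below is not anchored
# and leaves the "." in GONICUS.LOCAL unescaped, so it matches any DN that
# merely contains the substring. Anchor it (at least "^" at the start, and
# "$" once the exact mapped DN form is known) and write "GONICUS\.LOCAL".
access to attrs=userPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,shadowMax,shadowExpire
by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
by anonymous auth
by self write
by * none

# Deny access to imap/fax/kerberos admin passwords stored
# in ldap tree
access to attrs=goImapPassword
by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
by * none
access to attrs=goKrbPassword
by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
by * none
access to attrs=goFaxPassword
by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
by * none

# Let servers write last user attribute
# NOTE: "by * write" lets any client, including anonymous ones, modify
# gotoLastUser on every entry. Restrict it to the workstation identities
# (or at least "by users write") if the GOsa deployment permits.
access to attrs=gotoLastUser
by * write

# Samba passwords by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
access to attrs=sambaLmPassword,sambaNtPassword
by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
by anonymous auth
by self write
by * none

# What trees should be readable, depends on your policy. Either
# use this entry and specify what should be readable, or leave
# the access to * => by * read below untouched
#access to dn="ou=(people|groups)"
# by * read

# The admin dn has full write access
# NOTE: "by * read" makes the whole tree (except the attributes protected
# above) readable without authentication; the commented peername/none
# variant below limits unauthenticated reads to the local host.
access to *
by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" =wrscx
by * read
# by peername="ip=127\.0\.0\.1" read
# by * none

#######################################################################
# database definitions
#######################################################################

# Monitor backend
database monitor

# The main directory backend (hdb; older templates still mention ldbm,
# which this file does not use)
database hdb
cachesize 5000
# File mode for newly created database files
mode 0600

# The base of your directory
suffix "dc=gonicus,dc=de"
checkpoint 512 720

# Sample password is "tester", generate a new one using the mkpasswd
# utility and put the string after {crypt}
# NOTE: this is a published example hash (traditional DES crypt) and must
# be replaced before deployment; slappasswd(8C) can produce an {SSHA} hash.
# Keep this file readable only by root and the slapd user.
rootdn "cn=ldapadmin,dc=gonicus,dc=de"
rootpw {crypt}OuorOLd3VqvC2

# Indexing
index default sub
index uid,mail eq
index gosaSnapshotDN eq
index gosaSnapshotTimestamp eq,sub
index gosaMailAlternateAddress,gosaMailForwardingAddress eq
index cn,sn,givenName,ou pres,eq,sub
index objectClass pres,eq
index uidNumber,gidNumber,memberuid eq
index gosaSubtreeACL,gosaObject,gosaUser pres,eq

# Indexing for Kolab
#index alias eq,sub
#index kolabDeleteFlag eq
#index kolabHomeServer eq
#index member pres,eq

# Indexing for Samba 3
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq

# Indexing for DHCP
#index dhcpHWAddress eq
#index dhcpClassData eq

# Indexing for DNS
#index zoneName eq
#index relativeDomainName eq

# Where the database files are physically stored
directory "/var/lib/ldap"

# Log modifications and write entryUUID
lastmod on


# Example replication using admin account. This will require taking the
# output of this database using slapcat(8C), and then importing that into
# the replica using slapadd(8C).

# Replication setup
# NOTE: the replica bind credentials are stored in clear text in this
# file, another reason to keep its permissions tight.
#replogfile /var/log/ldap-replicalog
#replica host=ldap-2.gonicus.local
# binddn="cn=replicator,dc=gonicus,dc=de" bindmethod=simple credentials=secret

# Dummy database for config replication
#database shell
#suffix "dc=gonicus,dc=shell"
#search /etc/ldap/shell/process.pl
#add /etc/ldap/shell/process.pl

# End of slapd configuration file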