Made it more foolproof

[gosa.git] / gosa-core / contrib / openldap / slapd.conf

# This is the main ldapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

##
## NOTE: This is an example. You should use the template shipped
##       with your distribution and adapt it to your needs.
##

# Schema and objectClass definitions, depending on your
# LDAP setup
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/openldap.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/misc.schema

# These should be present for GOsa. Replace all occurencies
# of samba3 by samba2 for use with GOsa and Samba 2.
include         /etc/ldap/schema/gosa/samba3.schema
include         /etc/ldap/schema/gosa/gosystem.schema
include         /etc/ldap/schema/gosa/goto.schema
include         /etc/ldap/schema/gosa/gosa-samba3.schema
include         /etc/ldap/schema/gosa/trust.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck             on

# Security settings
# Parameters: sasl, ssf, tls, transport, update_sasl, update_ssf,
#             update_tls, update_transport
#security               update_sasl=128,uptate_tls=128

# Require settings
# Paramters: none, authc, bind, LDAPv3, SASL (strong)
#require                        authc, LDAPv3

# Allow settings
# Parameters: none, bind_v2, tls_2_anon, bind_anon_cred, bind_anon_dn,
#             update_anon
#allow                  bind_v2

# Disallow settings
# Parameters: bind_anon, bind_simple_unprotected, tls_2_anon,
#             bind_simple, bind_krbv4, tls_authc

# Password hash default value
# Parameters: {SHA}, {SMD5}, {MD4}, {CRYPT}, {CLEARTEXT}
password-hash           {CRYPT}

# Search base
defaultsearchbase       dc=gonicus,dc=de

# Where clients are refered to if no
# match is found locally
#referral       ldap://some.other.ldap.server

## TLS setup, needs certificates
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
#TLSCertificateFile /etc/ssl/certs/slapd.pem
#TLSCertificateKeyFile /etc/ssl/certs/slapd.pem

## SASL setup
#sasl-authz-policy
#sasl-host      gosa.gonicus.local
#sasl-realm     GONICUS.LOCAL
#sasl-regexp    cn=(.*),ou=(.*) cn=$1,ou=$2,ou=People,dc=gonicus,dc=de
#sasl-secprops  noanonymous

## Kerberos setup
#srvtab         /etc/krb5.keytab.ldap

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd.args

# Read slapd.conf(5) for possible values
loglevel        1024

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_hdb
moduleload      back_monitor
#moduleload      back_shell

# Some tuning parameters
#threads                64
#concurrency            32
#conn_max_pending       100
#conn_max_pending_auth  250
#reverse-lookup         off
#sizelimit              1000
#timelimit              30
#idletimeout            30

# Limits
#limits anonymous       size.soft=500 time.soft=5
#limits user            size=none time.soft=30

access to dn.base=""
        by * read

access to dn.subtree=cn=Monitor
        by * read

# Access to schema information
#access to dn.subtree=""
#        by * read

# The userPassword/shadow Emtries by default can be
# changed by the entry owning it if they are authenticated.
# Others should not be able to see it, except the admin
# entry below
access to attrs=userPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,shadowMax,shadowExpire
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
        by anonymous auth
        by self write
        by * none 

# Deny access to imap/fax/kerberos admin passwords stored
# in ldap tree
access to attrs=goImapPassword
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
        by * none 
access to attrs=goKrbPassword
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
        by * none 
access to attrs=goFaxPassword
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
        by * none 

# Let servers write last user attribute
access to attrs=gotoLastUser
        by * write

# Samba passwords by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
access to attrs=sambaLmPassword,sambaNtPassword
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
        by anonymous auth
        by self write
        by * none 

# What trees should be readable, depends on your policy. Either
# use this entry and specify what should be readable, or leave
# the access to * => by * read below untouched
#access to dn="ou=(people|groups)"
#       by * read

# The admin dn has full write access
access to *
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" =wrscx
        by * read
#       by peername="ip=127\.0\.0\.1" read
#       by * none

#######################################################################
# database definitions
#######################################################################

# Monitor backend
database        monitor

# The backend type, ldbm, is the default standard
database        hdb
cachesize 5000
mode              0600

# The base of your directory
suffix          "dc=gonicus,dc=de"
checkpoint      512 720

# Sample password is "tester", generate a new one using the mkpasswd
# utility and put the string after {crypt}
rootdn  "cn=ldapadmin,dc=gonicus,dc=de"
rootpw  {crypt}OuorOLd3VqvC2

# Indexing
index   default                                                sub
index   uid,mail                                               eq
index   gosaSnapshotDN                                         eq
index   gosaSnapshotTimestamp                                  eq,sub
index   gosaMailAlternateAddress,gosaMailForwardingAddress     eq
index   cn,sn,givenName,ou                                     pres,eq,sub
index   objectClass                                            pres,eq
index   uidNumber,gidNumber,memberuid                          eq
index   gosaSubtreeACL,gosaObject,gosaUser                     pres,eq

# Indexing for Kolab
#index  alias                                                   eq,sub
#index  kolabDeleteFlag                                         eq
#index  kolabHomeServer                                         eq
#index  member                                                  pres,eq

# Indexing for Samba 3
index   sambaSID                                               eq
index   sambaPrimaryGroupSID                                   eq
index   sambaDomainName                                        eq

# Indexing for DHCP
#index  dhcpHWAddress                                          eq
#index  dhcpClassData                                          eq

# Indexing for DNS
#index  zoneName                                               eq
#index  relativeDomainName                                     eq

# Where the database file are physically stored
directory       "/var/lib/ldap"

# Log modifications and write entryUUID
lastmod on


# Example replication using admin account. This will require taking the
# out put of this database using slapcat(8C), and then importing that into
# the replica using slapadd(8C).

# Replication setup
#replogfile /var/log/ldap-replicalog
#replica host=ldap-2.gonicus.local
#       binddn="cn=replicator,dc=gonicus,dc=de" bindmethod=simple credentials=secret

# Dummy database for config replication
#database        shell
#suffix          "dc=gonicus,dc=shell"
#search          /etc/ldap/shell/process.pl
#add             /etc/ldap/shell/process.pl

# End of ldapd configuration file