# This is the main ldapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

##
## NOTE: This is an example. You should use the template shipped
##       with your distribution and adapt it to your needs.
##

# Schema and objectClass definitions, depending on your
# LDAP setup
include		/etc/ldap/schema/core.schema
include		/etc/ldap/schema/cosine.schema
include 	/etc/ldap/schema/inetorgperson.schema
include 	/etc/ldap/schema/openldap.schema
include		/etc/ldap/schema/nis.schema
include		/etc/ldap/schema/misc.schema
#include	/etc/ldap/schema/krb5-kdc.schema
#include	/etc/ldap/schema/trust.schema

# These should be present for GOsa. In case of samba3,
# replace samba.schema and gosa.schema by samba3.schema
# and gosa+samba3.schema. Don't include both and remember
# to adjust the indexing and acl stuff below!
include		/etc/ldap/schema/samba.schema
include		/etc/ldap/schema/pureftpd.schema
include		/etc/ldap/schema/gofon.schema
include		/etc/ldap/schema/gosystem.schema
include		/etc/ldap/schema/goto.schema
include		/etc/ldap/schema/gosa+samba3.schema
include		/etc/ldap/schema/gofax.schema
include		/etc/ldap/schema/goserver.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck		on

# Security settings
# Parameters: sasl, ssf, tls, transport, update_sasl, update_ssf,
#             update_tls, update_transport
#security 		update_sasl=128,uptate_tls=128

# Require settings
# Paramters: none, authc, bind, LDAPv3, SASL (strong)
#require			authc, LDAPv3

# Allow settings
# Parameters: none, bind_v2, tls_2_anon, bind_anon_cred, bind_anon_dn,
#             update_anon
#allow			bind_v2

# Disallow settings
# Parameters: bind_anon, bind_simple_unprotected, tls_2_anon,
#             bind_simple, bind_krbv4, tls_authc

# Password hash default value
# Parameters: {SHA}, {SMD5}, {MD4}, {CRYPT}, {CLEARTEXT}
password-hash		{CRYPT}

# Search base
defaultsearchbase	dc=gonicus,dc=de


# Where clients are refered to if no
# match is found locally
#referral	ldap://some.other.ldap.server

## TLS setup, needs certificates
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
#TLSCertificateFile /etc/ssl/certs/slapd.pem
#TLSCertificateKeyFile /etc/ssl/certs/slapd.pem

## SASL setup
#sasl-authz-policy
#sasl-host	gosa.gonicus.local
#sasl-realm	GONICUS.LOCAL
#sasl-regexp	cn=(.*),ou=(.*)	cn=$1,ou=$2,ou=People,dc=gonicus,dc=de
#sasl-secprops	noanonymous

## Kerberos setup
#srvtab		/etc/krb5.keytab.ldap

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile		/var/run/slapd.pid

# List of arguments that were passed to the server
argsfile	/var/run/slapd.args

# Read slapd.conf(5) for possible values
loglevel	1024

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb
moduleload      back_monitor
#moduleload      back_shell

# Some tuning parameters
#threads		64
#concurrency		32
#conn_max_pending	100
#conn_max_pending_auth	250
#reverse-lookup		off
#sizelimit		1000
#timelimit		30
#idletimeout		30

# Limits
#limits	anonymous	size.soft=500 time.soft=5
#limits user		size=none time.soft=30

#######################################################################
# database definitions
#######################################################################

# Monitor backend
database	monitor

access to dn.subtree=cn=Monitor
        by * read

# Access to schema information
access to dn.subtree=""
        by dn="cn=ldapadmin,dc=gonicus,dc=de" read

# The backend type, ldbm, is the default standard
database	bdb
cachesize       5000
checkpoint	512 720
mode		0600

# The base of your directory
suffix		"dc=gonicus,dc=de"

# Sample password is "tester", generate a new one using the mkpasswd
# utility and put the string after {crypt}
rootdn	"cn=ldapadmin,dc=gonicus,dc=de"
rootpw  {crypt}OuorOLd3VqvC2

# Indexing
index   default                                                sub
index   uid,mail                                               eq
index   gosaMailAlternateAddress,gosaMailForwardingAddress     eq
index   cn,sn,givenName,ou                                     pres,eq,sub
index   objectClass                                            pres,eq
index   uidNumber,gidNumber,memberuid                          eq
index   gosaSubtreeACL,gosaObject,gosaUser                     pres,eq

# Indexing for Samba 3
index   sambaSID                                               eq
index   sambaPrimaryGroupSID                                   eq
index   sambaDomainName                                        eq


# Where the database file are physically stored
directory	"/var/lib/ldap"

# Make mods (writes entryUuid for kolab...)
lastmod on

# The userPassword/shadow Emtries by default can be
# changed by the entry owning it if they are authenticated.
# Others should not be able to see it, except the admin
# entry below
access to attrs=userPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,shadowMax,shadowExpire
	by dn="cn=ldapadmin,dc=gonicus,dc=de" write
	by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
	by anonymous auth
	by self write
	by * none 

# Deny access to imap/fax/kerberos admin passwords stored
# in ldap tree
access to attrs=goImapPassword
	by dn="cn=ldapadmin,dc=gonicus,dc=de" write
	by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
	by * none 
access to attrs=goKrbPassword
	by dn="cn=ldapadmin,dc=gonicus,dc=de" write
	by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
	by * none 
access to attrs=goFaxPassword
	by dn="cn=ldapadmin,dc=gonicus,dc=de" write
	by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
	by * none 

# Let servers write last user attribute
access to attrs=gotoLastUser
	by * write

# Samba passwords by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
access to attrs=sambaLmPassword,sambaNtPassword
	by dn="cn=ldapadmin,dc=gonicus,dc=de" write
	by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
	by anonymous auth
	by self write
	by * none 

# Enable write create access for the terminal admin
access to dn="ou=incoming,dc=gonicus,dc=de"
	by dn="cn=terminal-admin,dc=gonicus,dc=de" write
	by dn="cn=ldapadmin,dc=gonicus,dc=de" write
	by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write

access to dn.sub="ou=incoming,dc=gonicus,dc=de"
	by dn="cn=terminal-admin,dc=gonicus,dc=de" write
	by dn="cn=ldapadmin,dc=gonicus,dc=de" write
	by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write

# What trees should be readable, depends on your policy. Either
# use this entry and specify what should be readable, or leave
# the access to * => by * read below untouched
#access to dn="ou=(people|groups)"
#	by * read

# The admin dn has full write access
access to *
	by dn="cn=ldapadmin,dc=gonicus,dc=de" =wrscx
	by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" =wrscx
	by * read
#	by peername="ip=127\.0\.0\.1" read
#	by * none


# Example replication using admin account. This will require taking the
# out put of this database using slapcat(8C), and then importing that into
# the replica using slapadd(8C).

# Replication setup
#replogfile /var/log/ldap-replicalog
#replica host=ldap-2.gonicus.local
#	binddn="cn=replicator,dc=gonicus,dc=de" bindmethod=simple credentials=secret

# Dummy database for config replication
#database        shell
#suffix          "dc=gonicus,dc=shell"
#search          /etc/ldap/shell/process.pl
#add		 /etc/ldap/shell/process.pl

# End of ldapd configuration file