# This is the main ldapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

##
## NOTE: This is an example. You should use the template shipped
##       with your distribution and adapt it to your needs.
##

# Schema and objectClass definitions, depending on your
# LDAP setup
include		/etc/ldap/schema/core.schema
include		/etc/ldap/schema/cosine.schema
include 	/etc/ldap/schema/inetorgperson.schema
include 	/etc/ldap/schema/openldap.schema
include		/etc/ldap/schema/nis.schema
include		/etc/ldap/schema/misc.schema

# These should be present for GOsa.
include		/etc/ldap/schema/gosa/samba3.schema
include		/etc/ldap/schema/gosa/gosystem.schema
include		/etc/ldap/schema/gosa/gofon.schema
include		/etc/ldap/schema/gosa/gofax.schema
include		/etc/ldap/schema/gosa/goto.schema
include		/etc/ldap/schema/gosa/goserver.schema
include		/etc/ldap/schema/gosa/gosa-samba3.schema
include		/etc/ldap/schema/gosa/trust.schema

# Security settings
# Parameters: sasl, ssf, tls, transport, update_sasl, update_ssf,
#             update_tls, update_transport
#security 		update_sasl=128,uptate_tls=128

# Require settings
# Paramters: none, authc, bind, LDAPv3, SASL (strong)
#require			authc, LDAPv3

# Allow settings
# Parameters: none, bind_v2, tls_2_anon, bind_anon_cred, bind_anon_dn,
#             update_anon
#allow			bind_v2

# Disallow settings
# Parameters: bind_anon, bind_simple_unprotected, tls_2_anon,
#             bind_simple, bind_krbv4, tls_authc

# Password hash default value
# Parameters: {SHA}, {SMD5}, {MD4}, {CRYPT}, {CLEARTEXT}
password-hash		{CRYPT}

# Search base
defaultsearchbase	dc=gonicus,dc=de

# Where clients are refered to if no
# match is found locally
#referral	ldap://some.other.ldap.server

## TLS setup, needs certificates
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
#TLSCertificateFile /etc/ssl/certs/slapd.pem
#TLSCertificateKeyFile /etc/ssl/certs/slapd.pem

## SASL setup
#sasl-authz-policy
#sasl-host	gosa.gonicus.local
#sasl-realm	GONICUS.LOCAL
#sasl-regexp	cn=(.*),ou=(.*)	cn=$1,ou=$2,ou=People,dc=gonicus,dc=de
#sasl-secprops	noanonymous

## Kerberos setup
#srvtab		/etc/krb5.keytab.ldap

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile		/var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile	/var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel	1024

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_hdb
moduleload      back_monitor
#moduleload      back_shell

# Some tuning parameters
#threads		64
#concurrency		32
#conn_max_pending	100
#conn_max_pending_auth	250
#reverse-lookup		off
#sizelimit		1000
#timelimit		30
#idletimeout		30

# Limits
#limits	anonymous	size.soft=500 time.soft=5
#limits user		size=none time.soft=30

# Speed up member add/mod/delete operations
sortvals member memberUid roleOccupant

access to dn.base=""
        by * read

access to dn.subtree=cn=Monitor
        by * read

# Access to schema information
#access to dn.subtree=""
#        by * read

# The userPassword/shadow Emtries by default can be
# changed by the entry owning it if they are authenticated.
# Others should not be able to see it, except the admin
# entry below
access to attrs=userPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,shadowMax,shadowExpire
	by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
	by anonymous auth
	by self write
	by * none 

# Deny access to imap/fax/kerberos admin passwords stored
# in ldap tree
access to attrs=goImapPassword
	by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
	by * none 
access to attrs=goKrbPassword
	by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
	by * none 
access to attrs=goFaxPassword
	by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
	by * none 

# Let servers write last user attribute
access to attrs=gotoLastUser
	by * write

# Samba passwords by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
access to attrs=sambaLmPassword,sambaNtPassword
	by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
	by anonymous auth
	by self write
	by * none 

# What trees should be readable, depends on your policy. Either
# use this entry and specify what should be readable, or leave
# the access to * => by * read below untouched
#access to dn="ou=(people|groups)"
#	by * read

# The admin dn has full write access
access to *
	by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" =wrscx
	by * read
#	by peername="ip=127\.0\.0\.1" read
#	by * none

#######################################################################
# database definitions
#######################################################################

# Monitor backend
database	monitor

# The backend type, ldbm, is the default standard
database	hdb
cachesize 5000
mode		  0600

# The base of your directory
suffix		"dc=gonicus,dc=de"
checkpoint	512 720

# Sample password is "tester", generate a new one using the mkpasswd
# utility and put the string after {crypt}
rootdn	"cn=ldapadmin,dc=gonicus,dc=de"
rootpw  {crypt}OuorOLd3VqvC2

# Indexing
index   default                                                sub
index   uid,mail                                               eq
index   gosaSnapshotDN                                         eq
index   gosaSnapshotTimestamp                                  eq,sub
index   gosaMailAlternateAddress,gosaMailForwardingAddress     eq
index   cn,sn,givenName,ou                                     pres,eq,sub
index   objectClass                                            pres,eq
index   uidNumber,gidNumber,memberuid                          eq
index   roleOccupant                                           eq
index   gosaSubtreeACL,gosaObject,gosaUser                     pres,eq

# Indexing for Kolab
#index	alias							eq,sub
#index	kolabDeleteflag						eq
#index	kolabHomeServer						eq
#index  member							pres,eq

# Indexing for Samba 3
index   sambaSID                                               eq
index   sambaPrimaryGroupSID                                   eq
index   sambaDomainName                                        eq

# Indexing for DHCP
#index  dhcpHWAddress                                          eq
#index  dhcpClassData                                          eq

# Indexing for DNS
#index  zoneName                                               eq
#index  relativeDomainName                                     eq

# Where the database file are physically stored
directory	"/var/lib/ldap"

# Log modifications and write entryUUID
lastmod on


# Example replication using admin account. This will require taking the
# out put of this database using slapcat(8C), and then importing that into
# the replica using slapadd(8C).

# Replication setup
#replogfile /var/log/ldap-replicalog
#replica host=ldap-2.gonicus.local
#	binddn="cn=replicator,dc=gonicus,dc=de" bindmethod=simple credentials=secret

# Dummy database for config replication
#database        shell
#suffix          "dc=gonicus,dc=shell"
#search          /etc/ldap/shell/process.pl
#add		 /etc/ldap/shell/process.pl

# End of ldapd configuration file