
Added negate button
[gosa.git] / gosa-core / contrib / openldap / slapd.conf
index ba0c98680dc7163279d432c59ce82ce573fb19c8..73ba870c59151436fbd0ac444fb93687929616e2 100644 (file)
@@ -14,22 +14,15 @@ include     /etc/ldap/schema/inetorgperson.schema
 include        /etc/ldap/schema/openldap.schema
 include                /etc/ldap/schema/nis.schema
 include                /etc/ldap/schema/misc.schema
-include          /etc/ldap/schema/trust.schema
-#include       /etc/ldap/schema/krb5-kdc.schema
-
-# These should be present for GOsa. In case of samba3,
-# replace samba.schema and gosa.schema by samba3.schema
-# and gosa+samba3.schema. Don't include both and remember
-# to adjust the indexing and acl stuff below!
-include                /etc/ldap/schema/samba.schema
-include                /etc/ldap/schema/pureftpd.schema
-include                /etc/ldap/schema/gofon.schema
-include                /etc/ldap/schema/gosystem.schema
-include                /etc/ldap/schema/goto.schema
-include                /etc/ldap/schema/gosa+samba3.schema
-include                /etc/ldap/schema/gofax.schema
-include                /etc/ldap/schema/goserver.schema
-include                /etc/ldap/schema/goto-mime.schema
+
+# These should be present for GOsa. Replace all occurencies
+# of samba3 by samba2 for use with GOsa and Samba 2.
+include                /etc/ldap/schema/gosa/samba3.schema
+include                /etc/ldap/schema/gosa/gosystem.schema
+include                /etc/ldap/schema/gosa/goto.schema
+include                /etc/ldap/schema/gosa/goserver.schema
+include                /etc/ldap/schema/gosa/gosa-samba3.schema
+include                /etc/ldap/schema/gosa/trust.schema
 
 # Schema check allows for forcing entries to
 # match schemas for their objectClasses's
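Review bot: The rewritten comment above the `gosa/samba3.schema` include drops the old reminder to adjust the indexing and ACL sections, yet the access rules further down still name Samba 3 attributes (`sambaPwdLastSet`, `sambaLmPassword`, `sambaNtPassword`). Someone who follows the new advice and swaps in the samba2 schema would presumably leave those rules pointing at attribute types the loaded schema does not define, and the Samba 2 password-hash attributes would then be covered only by the catch-all `by * read` rule at the end of the file. I would restore the warning, e.g. `# Remember to adjust the index and access rules below to the attribute names of the schema you load.`, and correct the spelling `occurencies` to `occurrences`.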
@@ -60,7 +53,6 @@ password-hash         {CRYPT}
 # Search base
 defaultsearchbase      dc=gonicus,dc=de
 
-
 # Where clients are refered to if no
 # match is found locally
 #referral      ldap://some.other.ldap.server
@@ -125,7 +117,6 @@ access to dn.subtree=cn=Monitor
 # Others should not be able to see it, except the admin
 # entry below
 access to attrs=userPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,shadowMax,shadowExpire
-       by dn="cn=ldapadmin,dc=gonicus,dc=de" write
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
        by anonymous auth
        by self write
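Review bot: With the `cn=ldapadmin` line removed, the `dn.regex` clause under `access to attrs=userPassword,...` becomes the only administrative write grant, and that pattern is unanchored and leaves the dots in `GONICUS.LOCAL` unescaped, so it matches any bind DN that merely contains a `uid=.../admin+` fragment rather than one specific identity form. The same clause is now the sole admin grant in the `goImapPassword`, `goKrbPassword`, `goFaxPassword` and `sambaLmPassword,sambaNtPassword` rules and in the final `access to *` rule with `=wrscx`. I would anchor and escape it, along the lines of `by dn.regex="^uid=[^/,]+/admin\+(realm=GONICUS\.LOCAL)?<REST-OF-AUTH-DN>$" write`, where the placeholder stands for the real suffix of the site's authentication DNs. If `cn=ldapadmin` is the `rootdn` (declared outside these hunks) its removal is harmless because the rootdn bypasses ACLs; if it is not, a one-line comment saying that this account intentionally loses write access would help. The rule's remaining `by` clauses continue past the end of the hunk.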
@@ -134,15 +125,12 @@ access to attrs=userPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChang
 # Deny access to imap/fax/kerberos admin passwords stored
 # in ldap tree
 access to attrs=goImapPassword
-       by dn="cn=ldapadmin,dc=gonicus,dc=de" write
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
        by * none 
 access to attrs=goKrbPassword
-       by dn="cn=ldapadmin,dc=gonicus,dc=de" write
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
        by * none 
 access to attrs=goFaxPassword
-       by dn="cn=ldapadmin,dc=gonicus,dc=de" write
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
        by * none 
 
@@ -155,25 +143,11 @@ access to attrs=gotoLastUser
 # Others should not be able to see it, except the
 # admin entry below
 access to attrs=sambaLmPassword,sambaNtPassword
-       by dn="cn=ldapadmin,dc=gonicus,dc=de" write
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
        by anonymous auth
        by self write
        by * none 
 
-# Enable write create access for the terminal admin
-access to dn="ou=incoming,dc=gonicus,dc=de"
-       by dn="cn=terminal-admin,dc=gonicus,dc=de" write
-       by dn="cn=ldapadmin,dc=gonicus,dc=de" write
-       by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
-       by * none
-
-access to dn.sub="ou=incoming,dc=gonicus,dc=de"
-       by dn="cn=terminal-admin,dc=gonicus,dc=de" write
-       by dn="cn=ldapadmin,dc=gonicus,dc=de" write
-       by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" write
-       by * none
-
 # What trees should be readable, depends on your policy. Either
 # use this entry and specify what should be readable, or leave
 # the access to * => by * read below untouched
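Review bot: Deleting both `ou=incoming` rules also deletes their `by * none`, so entries in that subtree now fall through to whichever later rule matches; in the lines visible on this page that is `access to *` with `by * read`, which would expose `ou=incoming,dc=gonicus,dc=de` to every bind identity, anonymous included, unless a rule outside the hunks still covers it. If the subtree is still populated, I would keep a restrictive rule, `access to dn.subtree="ou=incoming,dc=gonicus,dc=de"` followed by the admin grant and `by * none`. If the subtree is retired, a short comment recording that would make the removal auditable.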
@@ -182,7 +156,6 @@ access to dn.sub="ou=incoming,dc=gonicus,dc=de"
 
 # The admin dn has full write access
 access to *
-       by dn="cn=ldapadmin,dc=gonicus,dc=de" =wrscx
        by dn.regex="uid=[^/]+/admin\+(realm=GONICUS.LOCAL)?" =wrscx
        by * read
 #      by peername="ip=127\.0\.0\.1" read