| 1 | # |
|---|
| 2 | # See slapd.conf(5) for details on configuration options. |
|---|
| 3 | # This file should NOT be world readable. |
|---|
| 4 | # |
|---|
| 5 | |
|---|
| 6 | ####################################################################### |
|---|
| 7 | # Global Directives: |
|---|
| 8 | sizelimit -1 |
|---|
| 9 | timelimit -1 |
|---|
| 10 | threads 2 |
|---|
| 11 | |
|---|
| 12 | # Schema and objectClass definitions |
|---|
| 13 | include /etc/openldap/schema/core.schema |
|---|
| 14 | include /etc/openldap/schema/cosine.schema |
|---|
| 15 | include /etc/openldap/schema/inetorgperson.schema |
|---|
| 16 | include /etc/openldap/schema/nis.schema |
|---|
| 17 | # Necessario para o Expresso Livre |
|---|
| 18 | include /etc/ldap/schema/expressolivre.schema |
|---|
| 19 | include /etc/ldap/schema/qmailuser.schema |
|---|
| 20 | include /etc/ldap/schema/phpgwaccount.schema |
|---|
| 21 | include /etc/ldap/schema/samba.schema |
|---|
| 22 | include /etc/ldap/schema/phpgwcontact.schema |
|---|
| 23 | include /etc/ldap/schema/phpgwquotacontrolled.schema |
|---|
| 24 | |
|---|
| 25 | # Read slapd.conf(5) for possible values |
|---|
| 26 | loglevel 256 |
|---|
| 27 | |
|---|
| 28 | # Allow LDAPv2 client connections. This is NOT the default. |
|---|
| 29 | # Necessario para o Expresso |
|---|
| 30 | allow bind_v2 |
|---|
| 31 | |
|---|
| 32 | # Do not enable referrals until AFTER you have a working directory |
|---|
| 33 | # service AND an understanding of referrals. |
|---|
| 34 | #referral ldap://root.openldap.org |
|---|
| 35 | |
|---|
| 36 | pidfile /var/run/openldap/slapd.pid |
|---|
| 37 | argsfile /var/run/openldap/slapd.args |
|---|
| 38 | |
|---|
| 39 | # Load dynamic backend modules: |
|---|
| 40 | # modulepath /usr/lib/openldap |
|---|
| 41 | # moduleload back_bdb.la |
|---|
| 42 | # moduleload back_ldap.la |
|---|
| 43 | # moduleload back_ldbm.la |
|---|
| 44 | # moduleload back_passwd.la |
|---|
| 45 | # moduleload back_shell.la |
|---|
| 46 | |
|---|
| 47 | # The next three lines allow use of TLS for encrypting connections using a |
|---|
| 48 | # dummy test certificate which you can generate by changing to |
|---|
| 49 | # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on |
|---|
| 50 | # slapd.pem so that the ldap user or group can read it. Your client software |
|---|
| 51 | # may balk at self-signed certificates, however. |
|---|
| 52 | # TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt |
|---|
| 53 | # TLSCertificateFile /etc/pki/tls/certs/slapd.pem |
|---|
| 54 | # TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem |
|---|
| 55 | |
|---|
| 56 | # Sample security restrictions |
|---|
| 57 | # Require integrity protection (prevent hijacking) |
|---|
| 58 | # Require 112-bit (3DES or better) encryption for updates |
|---|
| 59 | # Require 63-bit encryption for simple bind |
|---|
| 60 | # security ssf=1 update_ssf=112 simple_bind=64 |
|---|
| 61 | |
|---|
| 62 | # Sample access control policy: |
|---|
| 63 | # Root DSE: allow anyone to read it |
|---|
| 64 | # Subschema (sub)entry DSE: allow anyone to read it |
|---|
| 65 | # Other DSEs: |
|---|
| 66 | # Allow self write access |
|---|
| 67 | # Allow authenticated users read access |
|---|
| 68 | # Allow anonymous users to authenticate |
|---|
| 69 | # Directives needed to implement policy: |
|---|
| 70 | # access to dn.base="" by * read |
|---|
| 71 | # access to dn.base="cn=Subschema" by * read |
|---|
| 72 | # access to * |
|---|
| 73 | # by self write |
|---|
| 74 | # by users read |
|---|
| 75 | # by anonymous auth |
|---|
| 76 | # |
|---|
| 77 | # if no access controls are present, the default policy |
|---|
| 78 | # allows anyone and everyone to read anything but restricts |
|---|
| 79 | # updates to rootdn. (e.g., "access to * by * read") |
|---|
| 80 | # |
|---|
| 81 | # rootdn can always read and write EVERYTHING! |
|---|
| 82 | |
|---|
| 83 | ####################################################################### |
|---|
| 84 | # ldbm and/or bdb database definitions |
|---|
| 85 | ####################################################################### |
|---|
| 86 | |
|---|
| 87 | database hdb |
|---|
| 88 | suffix "LDAP_DN" |
|---|
| 89 | rootdn "cn=admin,LDAP_DN" |
|---|
| 90 | rootpw LDAP_PWD_MD5 |
|---|
| 91 | |
|---|
| 92 | checkpoint 1024 10 |
|---|
| 93 | # Save the time that the entry gets modified, for database #1 |
|---|
| 94 | lastmod on |
|---|
| 95 | |
|---|
| 96 | # The database directory MUST exist prior to running slapd AND |
|---|
| 97 | # should only be accessible by the slapd and slap tools. |
|---|
| 98 | # Mode 700 recommended. |
|---|
| 99 | directory /var/lib/ldap |
|---|
| 100 | |
|---|
| 101 | # Indices to maintain for this database |
|---|
| 102 | index default sub |
|---|
| 103 | index entryCSN,accountStatus eq |
|---|
| 104 | index objectClass,uidNumber,gidNumber,entryUUID eq,pres |
|---|
| 105 | index sambaSID,sambaPrimaryGroupSID,sambaAcctFlags eq,pres |
|---|
| 106 | index sambaDomainName,sambaSIDList,sambaGroupType eq,pres |
|---|
| 107 | index cn,displayName eq,pres,subany,approx |
|---|
| 108 | index sn,ou,givenName,uid,employeeNumber eq,pres,subany |
|---|
| 109 | index memberUid,mail,mailAlternateAddress,mailForwardingAddress eq,pres,subany |
|---|
| 110 | index phpgwContactOwner,phpgwAccountType,phpgwAccountStatus eq,pres |
|---|
| 111 | index uniqueMember pres |
|---|
| 112 | |
|---|
| 113 | # ACLs basicas |
|---|
| 114 | access to attrs=userPassword |
|---|
| 115 | by dn="cn=admin,LDAP_DN" write |
|---|
| 116 | by anonymous auth |
|---|
| 117 | by self write |
|---|
| 118 | by * none |
|---|
| 119 | |
|---|
| 120 | access to dn.base="" by * read |
|---|
| 121 | |
|---|
| 122 | access to * |
|---|
| 123 | by dn="cn=admin,LDAP_DN" write |
|---|
| 124 | by * read |
|---|
| 125 | |
|---|
