1 | # |
---|
2 | # See slapd.conf(5) for details on configuration options. |
---|
3 | # This file should NOT be world readable. |
---|
4 | # |
---|
5 | |
---|
6 | ####################################################################### |
---|
7 | # Global Directives: |
---|
8 | sizelimit -1 |
---|
9 | timelimit -1 |
---|
10 | threads 16 |
---|
11 | |
---|
12 | # Schema and objectClass definitions |
---|
13 | include /etc/openldap/schema/core.schema |
---|
14 | include /etc/openldap/schema/cosine.schema |
---|
15 | include /etc/openldap/schema/inetorgperson.schema |
---|
16 | include /etc/openldap/schema/nis.schema |
---|
17 | include /etc/openldap/schema/qmailuser.schema |
---|
18 | include /etc/openldap/schema/phpgwaccount.schema |
---|
19 | include /etc/openldap/schema/samba.schema |
---|
20 | include /etc/openldap/schema/phpgwcontact.schema |
---|
21 | |
---|
22 | # Schema check allows for forcing entries to |
---|
23 | # match schemas for their objectClasses's |
---|
24 | schemacheck on |
---|
25 | |
---|
26 | # Read slapd.conf(5) for possible values |
---|
27 | loglevel 0 |
---|
28 | |
---|
29 | checkpoint 512 30 |
---|
30 | |
---|
31 | # Allow LDAPv2 client connections. This is NOT the default. |
---|
32 | allow bind_v2 |
---|
33 | |
---|
34 | # Do not enable referrals until AFTER you have a working directory |
---|
35 | # service AND an understanding of referrals. |
---|
36 | #referral ldap://root.openldap.org |
---|
37 | |
---|
38 | pidfile /var/run/openldap/slapd.pid |
---|
39 | argsfile /var/run/openldap/slapd.args |
---|
40 | |
---|
41 | # Load dynamic backend modules: |
---|
42 | # modulepath /usr/lib/openldap |
---|
43 | # moduleload back_bdb.la |
---|
44 | # moduleload back_ldap.la |
---|
45 | # moduleload back_ldbm.la |
---|
46 | # moduleload back_passwd.la |
---|
47 | # moduleload back_shell.la |
---|
48 | |
---|
49 | # The next three lines allow use of TLS for encrypting connections using a |
---|
50 | # dummy test certificate which you can generate by changing to |
---|
51 | # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on |
---|
52 | # slapd.pem so that the ldap user or group can read it. Your client software |
---|
53 | # may balk at self-signed certificates, however. |
---|
54 | # TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt |
---|
55 | # TLSCertificateFile /etc/pki/tls/certs/slapd.pem |
---|
56 | # TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem |
---|
57 | |
---|
58 | # Sample security restrictions |
---|
59 | # Require integrity protection (prevent hijacking) |
---|
60 | # Require 112-bit (3DES or better) encryption for updates |
---|
61 | # Require 63-bit encryption for simple bind |
---|
62 | # security ssf=1 update_ssf=112 simple_bind=64 |
---|
63 | |
---|
64 | # Sample access control policy: |
---|
65 | # Root DSE: allow anyone to read it |
---|
66 | # Subschema (sub)entry DSE: allow anyone to read it |
---|
67 | # Other DSEs: |
---|
68 | # Allow self write access |
---|
69 | # Allow authenticated users read access |
---|
70 | # Allow anonymous users to authenticate |
---|
71 | # Directives needed to implement policy: |
---|
72 | # access to dn.base="" by * read |
---|
73 | # access to dn.base="cn=Subschema" by * read |
---|
74 | # access to * |
---|
75 | # by self write |
---|
76 | # by users read |
---|
77 | # by anonymous auth |
---|
78 | # |
---|
79 | # if no access controls are present, the default policy |
---|
80 | # allows anyone and everyone to read anything but restricts |
---|
81 | # updates to rootdn. (e.g., "access to * by * read") |
---|
82 | # |
---|
83 | # rootdn can always read and write EVERYTHING! |
---|
84 | |
---|
85 | ####################################################################### |
---|
86 | # ldbm and/or bdb database definitions |
---|
87 | ####################################################################### |
---|
88 | |
---|
89 | database bdb |
---|
90 | suffix "LDAP_DN" |
---|
91 | rootdn "cn=admin,LDAP_DN" |
---|
92 | # Cleartext passwords, especially for the rootdn, should |
---|
93 | # be avoided. See slappasswd(8) and slapd.conf(5) for details. |
---|
94 | # Use of strong authentication encouraged. |
---|
95 | rootpw LDAP_PWD_MD5 |
---|
96 | |
---|
97 | # The database directory MUST exist prior to running slapd AND |
---|
98 | # should only be accessible by the slapd and slap tools. |
---|
99 | # Mode 700 recommended. |
---|
100 | directory /var/lib/ldap |
---|
101 | |
---|
102 | # Indices to maintain for this database |
---|
103 | #index objectClass eq,pres |
---|
104 | #index ou,cn,mail,surname,givenname eq,pres,sub |
---|
105 | #index uidNumber,gidNumber,loginShell eq,pres |
---|
106 | #index uid,memberUid eq,pres,sub |
---|
107 | #index nisMapName,nisMapEntry eq,pres,sub |
---|
108 | |
---|
109 | # Indexing options for database #1 |
---|
110 | index mail,mailAlternateAddress,objectClass,memberUid,uidNumber,deliveryMode,accountStatus,phpgwAccountType,gidNumber,phpgwAccountStatus,ou pres,eq |
---|
111 | index uid,cn,sn,givenName pres,eq,sub |
---|
112 | |
---|
113 | # Save the time that the entry gets modified, for database #1 |
---|
114 | lastmod on |
---|
115 | |
---|
116 | #access to attrs=userPassword |
---|
117 | # by dn="cn=admin,LDAP_DN" write |
---|
118 | # by anonymous auth |
---|
119 | # by self write |
---|
120 | # by * none |
---|
121 | # |
---|
122 | #access to dn.base="" by * read |
---|
123 | # |
---|
124 | #access to * |
---|
125 | # by dn="cn=admin,LDAP_DN" write |
---|
126 | # by * read |
---|
127 | |
---|
128 | # Replicas of this database |
---|
129 | #replogfile /var/lib/ldap/openldap-master-replog |
---|
130 | #replica host=ldap-1.example.com:389 starttls=critical |
---|
131 | # bindmethod=sasl saslmech=GSSAPI |
---|
132 | # authcId=host/ldap-master.example.com@EXAMPLE.COM |
---|