# Loading of backend modules - automatically generated modulepath /usr/lib/ldap moduleload back_bdb moduleload syncprov # This is the main ldapd configuration file. See slapd.conf(5) for more # info on the configuration options. # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/inetorgperson.schema # include /etc/ldap/schema/extension.schema include /etc/ldap/schema/nis.schema #include /etc/ldap/schema/samba.schema include /etc/ldap/schema/samba_3.2.schema # include /etc/ldap/schema/radius.schema # include /etc/ldap/schema/courier-authldap.schema # include /etc/ldap/schema/thunderbird.schema include /etc/ldap/schema/company.schema include /etc/ldap/schema/pgp-keyserver.schema # Schema check allows for forcing entries to # match schemas for their objectClasses's #schemacheck no allow bind_anon_dn allow update_anon # Where the pid file is put. The init.d script # will not stop the server if you change this. pidfile /var/run/slapd/slapd.pid # List of arguments that were passed to the server argsfile /var/run/slapd/slapd.args # Where to store the replica logs #replogfile /var/lib/ldap/replog # Read slapd.conf(5) for possible values loglevel 4095 #loglevel stats # le plus intÃressant #loglevel 256 #loglevel 8 #loglevel 0 #TLSCipherSuite HIGH #TLSCertificateFile /etc/ssl/certs/auth.fr.lan.crt # TLSCertificateFile /etc/ldap/auth.fr.lan_plus_sj-int-services.crt # TLSCertificateKeyFile /etc/ssl/private/auth.fr.lan.key #TLSCACertificateFile /etc/ldap/sj-ldap-chain.crt # TLSCACertificateFile /etc/ssl/certs/sj-int-services.crt # TLSVerifyClient never # allow bind_v2 # password-hash {SSHA}lolololololololololo # security ssf=128 ####################################################################### # ldbm database definitions ####################################################################### # The backend type, ldbm, is the default standard database bdb # The base of your directory suffix "dc=company,dc=lan" rootdn "cn=admin,dc=company,dc=lan" rootpw {SSHA}yLwpWPrzXwthjmtI+0zEDzBo4wC7UJqf cachesize 50000 checkpoint 8 15 dirtyread index objectClass,entryCSN,entryUUID eq index cn,uid,mail,givenName,memberUid,uidNumber pres,eq #sessionlog 0 999999999 # # new 2.3 sync configuration overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 directory /var/lib/ldap lockdetect default limits dn="cn=ldapsync,ou=systemusers,dc=company,dc=lan" size=unlimited # time=unlimited limits users size=unlimited # Save the time that the entry gets modified lastmod on ## Unix access to attrs=shadowLastChange,shadowMin,shadowMax,shadowWarning,shadowInactive,shadowExpire by self write by dn="cn=password,ou=systemusers,dc=company,dc=lan" write by dn="cn=admin_rw,ou=systemusers,dc=company,dc=lan" write by * read ## User password access to attrs=userPassword by self write by dn="cn=ldapsync,ou=systemusers,dc=company,dc=lan" read by dn="cn=lansync,ou=systemusers,dc=company,dc=lan" read by dn="cn=password,ou=systemusers,dc=company,dc=lan" write by dn="cn=admin_rw,ou=systemusers,dc=company,dc=lan" write by dn="cn=admin_ro,ou=systemusers,dc=company,dc=lan" read by * auth ## User customizable field access to attrs=personalPhone,userPicture,sshkey,gpgkey by self write by dn="cn=admin_rw,ou=systemusers,dc=company,dc=lan" write by * read ## Change business phone number : sjit, Alexandre, and Bertrand access to dn.one="ou=users,dc=company,dc=lan" attrs=businessPhone by dn.exact="cn=bdarnaul,ou=users,dc=company,dc=lan" write by dn.exact="cn=abuisine,ou=users,dc=company,dc=lan" write by dn="cn=admin_rw,ou=systemusers,dc=company,dc=lan" write by * read #by group/posixGroup/memberUid="cn=sjit,ou=groups,dc=company,dc=lan" write ## Contacts access to dn.children="ou=contacts,dc=company,dc=lan" by dn.children="ou=users,dc=company,dc=lan" write by * read access to dn.regex="ou=contacts,dc=company,dc=lan" attrs=children by dn.children="ou=users,dc=company,dc=lan" write by users read ## CRM access to dn.subtree="ou=crm,dc=company,dc=lan" by dn.exact="cn=vtiger,ou=systemusers,dc=company,dc=lan" write by users read ## Samba # Samba password related attributes access to attrs=sambaLMPassword,sambaNTPassword,sambaPasswordHistory,sambaPwdHistoryLength,sambaPwdMustChange,sambaPwdLastSet by dn.exact="cn=samba,ou=systemusers,dc=company,dc=lan" write by dn="cn=password,ou=systemusers,dc=company,dc=lan" write by dn.exact="cn=ldapsync,ou=systemusers,dc=company,dc=lan" read by dn="cn=admin_rw,ou=systemusers,dc=company,dc=lan" write by dn="cn=admin_ro,ou=systemusers,dc=company,dc=lan" read by self write # Samba machines access to dn.subtree="ou=smbmachines,dc=company,dc=lan" by dn.exact="cn=samba,ou=systemusers,dc=company,dc=lan" write by dn="cn=admin_rw,ou=systemusers,dc=company,dc=lan" write by dn="cn=admin_ro,ou=systemusers,dc=company,dc=lan" read # Samba domain name access to dn.subtree="sambaDomainName=company,dc=company,dc=lan" by dn.exact="cn=samba,ou=systemusers,dc=company,dc=lan" write by dn="cn=admin_rw,ou=systemusers,dc=company,dc=lan" read by dn="cn=admin_ro,ou=systemusers,dc=company,dc=lan" read # read/write access to any samba attribute for the samba server access to attrs=description,displayName,sambaAcctFlags,sambaAlgorithmicRidBase,sambaBadPasswordCount,sambaBadPasswordTime,sambaBoolOption,sambaDomainName,sambaForceLogoff,sambaGroupType,sambaHomeDrive,sambaHomePath,sambaIntegerOption,sambaKickoffTime,sambaLockoutDuration,sambaLockoutObservationWindow,sambaLockoutThreshold,sambaLogoffTime,sambaLogonHours,sambaLogonScript,sambaLogonTime,sambaLogonToChgPwd,sambaMaxPwdAge,sambaMinPwdAge,sambaMinPwdLength,sambaMungedDial,sambaNextGroupRid,sambaNextRid,sambaNextUserRid,sambaOptionName,sambaPreviousClearTextPassword,sambaPrimaryGroupSID,sambaProfilePath,sambaPwdCanChange,sambaPwdLastSet,sambaPwdMustChange,sambaRefuseMachinePwdChange,sambaSID,sambaSIDList,sambaShareName,sambaStringListOption,sambaStringOption,sambaTrustFlags,sambaUserWorkstations by dn.exact="cn=samba,ou=systemusers,dc=company,dc=lan" write by dn="cn=admin_rw,ou=systemusers,dc=company,dc=lan" write by dn="cn=admin_ro,ou=systemusers,dc=company,dc=lan" read #access to dn.regex="cn=ntadmin,ou=users,dc=company,dc=lan" # by dn.exact="cn=samba,ou=systemusers,dc=company,dc=lan" write # by users read # by * read # let PGP discover the keystore base DN access to dn="cn=pgpServerInfo,dc=company,dc=lan" by * read ## PGP keystore: only users of "ou=PGP Users,dc=EXAMPLE,dc=COM" may write access to dn.subtree="ou=pgpKeys,dc=company,dc=lan" by dn.regex="^cn=([^,]+),ou=users,dc=company,dc=lan$" write by self write by * read ## Last ACL access to * by dn="cn=admin_rw,ou=systemusers,dc=company,dc=lan" write by * read