You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
198 lines
7.0 KiB
Plaintext
198 lines
7.0 KiB
Plaintext
|
|
# Loading of backend modules - automatically generated
|
|
|
|
modulepath /usr/lib/ldap
|
|
moduleload back_bdb
|
|
moduleload syncprov
|
|
|
|
# This is the main ldapd configuration file. See slapd.conf(5) for more
|
|
# info on the configuration options.
|
|
|
|
# Schema and objectClass definitions
|
|
include /etc/ldap/schema/core.schema
|
|
include /etc/ldap/schema/cosine.schema
|
|
include /etc/ldap/schema/inetorgperson.schema
|
|
# include /etc/ldap/schema/extension.schema
|
|
include /etc/ldap/schema/nis.schema
|
|
#include /etc/ldap/schema/samba.schema
|
|
include /etc/ldap/schema/samba_3.2.schema
|
|
# include /etc/ldap/schema/radius.schema
|
|
# include /etc/ldap/schema/courier-authldap.schema
|
|
# include /etc/ldap/schema/thunderbird.schema
|
|
include /etc/ldap/schema/company.schema
|
|
include /etc/ldap/schema/pgp-keyserver.schema
|
|
|
|
# Schema check allows for forcing entries to
|
|
# match schemas for their objectClasses's
|
|
#schemacheck no
|
|
|
|
|
|
allow bind_anon_dn
|
|
allow update_anon
|
|
|
|
# Where the pid file is put. The init.d script
|
|
# will not stop the server if you change this.
|
|
pidfile /var/run/slapd/slapd.pid
|
|
|
|
# List of arguments that were passed to the server
|
|
argsfile /var/run/slapd/slapd.args
|
|
|
|
# Where to store the replica logs
|
|
#replogfile /var/lib/ldap/replog
|
|
|
|
# Read slapd.conf(5) for possible values
|
|
loglevel 4095
|
|
#loglevel stats
|
|
# le plus intÃressant
|
|
#loglevel 256
|
|
#loglevel 8
|
|
#loglevel 0
|
|
|
|
#TLSCipherSuite HIGH
|
|
#TLSCertificateFile /etc/ssl/certs/auth.fr.lan.crt
|
|
# TLSCertificateFile /etc/ldap/auth.fr.lan_plus_sj-int-services.crt
|
|
# TLSCertificateKeyFile /etc/ssl/private/auth.fr.lan.key
|
|
#TLSCACertificateFile /etc/ldap/sj-ldap-chain.crt
|
|
# TLSCACertificateFile /etc/ssl/certs/sj-int-services.crt
|
|
# TLSVerifyClient never
|
|
# allow bind_v2
|
|
|
|
# password-hash {SSHA}lolololololololololo
|
|
|
|
# security ssf=128
|
|
|
|
#######################################################################
|
|
# ldbm database definitions
|
|
#######################################################################
|
|
|
|
# The backend type, ldbm, is the default standard
|
|
database bdb
|
|
|
|
# The base of your directory
|
|
suffix "dc=company,dc=lan"
|
|
rootdn "cn=admin,dc=company,dc=lan"
|
|
rootpw {SSHA}yLwpWPrzXwthjmtI+0zEDzBo4wC7UJqf
|
|
|
|
cachesize 50000
|
|
checkpoint 8 15
|
|
dirtyread
|
|
index objectClass,entryCSN,entryUUID eq
|
|
index cn,uid,mail,givenName,memberUid,uidNumber pres,eq
|
|
#sessionlog 0 999999999
|
|
#
|
|
# new 2.3 sync configuration
|
|
overlay syncprov
|
|
syncprov-checkpoint 100 10
|
|
syncprov-sessionlog 100
|
|
|
|
directory /var/lib/ldap
|
|
lockdetect default
|
|
|
|
limits dn="cn=ldapsync,ou=systemusers,dc=company,dc=lan" size=unlimited
|
|
# time=unlimited
|
|
limits users size=unlimited
|
|
|
|
|
|
# Save the time that the entry gets modified
|
|
lastmod on
|
|
|
|
|
|
|
|
## Unix
|
|
access to attrs=shadowLastChange,shadowMin,shadowMax,shadowWarning,shadowInactive,shadowExpire
|
|
by self write
|
|
by dn="cn=password,ou=systemusers,dc=company,dc=lan" write
|
|
by dn="cn=admin_rw,ou=systemusers,dc=company,dc=lan" write
|
|
by * read
|
|
|
|
## User password
|
|
access to attrs=userPassword
|
|
by self write
|
|
by dn="cn=ldapsync,ou=systemusers,dc=company,dc=lan" read
|
|
by dn="cn=lansync,ou=systemusers,dc=company,dc=lan" read
|
|
by dn="cn=password,ou=systemusers,dc=company,dc=lan" write
|
|
by dn="cn=admin_rw,ou=systemusers,dc=company,dc=lan" write
|
|
by dn="cn=admin_ro,ou=systemusers,dc=company,dc=lan" read
|
|
by * auth
|
|
|
|
## User customizable field
|
|
access to attrs=personalPhone,userPicture,sshkey,gpgkey
|
|
by self write
|
|
by dn="cn=admin_rw,ou=systemusers,dc=company,dc=lan" write
|
|
by * read
|
|
|
|
## Change business phone number : sjit, Alexandre, and Bertrand
|
|
access to dn.one="ou=users,dc=company,dc=lan" attrs=businessPhone
|
|
by dn.exact="cn=bdarnaul,ou=users,dc=company,dc=lan" write
|
|
by dn.exact="cn=abuisine,ou=users,dc=company,dc=lan" write
|
|
by dn="cn=admin_rw,ou=systemusers,dc=company,dc=lan" write
|
|
by * read
|
|
#by group/posixGroup/memberUid="cn=sjit,ou=groups,dc=company,dc=lan" write
|
|
|
|
## Contacts
|
|
access to dn.children="ou=contacts,dc=company,dc=lan"
|
|
by dn.children="ou=users,dc=company,dc=lan" write
|
|
by * read
|
|
|
|
access to dn.regex="ou=contacts,dc=company,dc=lan" attrs=children
|
|
by dn.children="ou=users,dc=company,dc=lan" write
|
|
by users read
|
|
|
|
## CRM
|
|
access to dn.subtree="ou=crm,dc=company,dc=lan"
|
|
by dn.exact="cn=vtiger,ou=systemusers,dc=company,dc=lan" write
|
|
by users read
|
|
|
|
## Samba
|
|
|
|
# Samba password related attributes
|
|
access to attrs=sambaLMPassword,sambaNTPassword,sambaPasswordHistory,sambaPwdHistoryLength,sambaPwdMustChange,sambaPwdLastSet
|
|
by dn.exact="cn=samba,ou=systemusers,dc=company,dc=lan" write
|
|
by dn="cn=password,ou=systemusers,dc=company,dc=lan" write
|
|
by dn.exact="cn=ldapsync,ou=systemusers,dc=company,dc=lan" read
|
|
by dn="cn=admin_rw,ou=systemusers,dc=company,dc=lan" write
|
|
by dn="cn=admin_ro,ou=systemusers,dc=company,dc=lan" read
|
|
by self write
|
|
|
|
# Samba machines
|
|
access to dn.subtree="ou=smbmachines,dc=company,dc=lan"
|
|
by dn.exact="cn=samba,ou=systemusers,dc=company,dc=lan" write
|
|
by dn="cn=admin_rw,ou=systemusers,dc=company,dc=lan" write
|
|
by dn="cn=admin_ro,ou=systemusers,dc=company,dc=lan" read
|
|
|
|
# Samba domain name
|
|
access to dn.subtree="sambaDomainName=company,dc=company,dc=lan"
|
|
by dn.exact="cn=samba,ou=systemusers,dc=company,dc=lan" write
|
|
by dn="cn=admin_rw,ou=systemusers,dc=company,dc=lan" read
|
|
by dn="cn=admin_ro,ou=systemusers,dc=company,dc=lan" read
|
|
|
|
# read/write access to any samba attribute for the samba server
|
|
access to attrs=description,displayName,sambaAcctFlags,sambaAlgorithmicRidBase,sambaBadPasswordCount,sambaBadPasswordTime,sambaBoolOption,sambaDomainName,sambaForceLogoff,sambaGroupType,sambaHomeDrive,sambaHomePath,sambaIntegerOption,sambaKickoffTime,sambaLockoutDuration,sambaLockoutObservationWindow,sambaLockoutThreshold,sambaLogoffTime,sambaLogonHours,sambaLogonScript,sambaLogonTime,sambaLogonToChgPwd,sambaMaxPwdAge,sambaMinPwdAge,sambaMinPwdLength,sambaMungedDial,sambaNextGroupRid,sambaNextRid,sambaNextUserRid,sambaOptionName,sambaPreviousClearTextPassword,sambaPrimaryGroupSID,sambaProfilePath,sambaPwdCanChange,sambaPwdLastSet,sambaPwdMustChange,sambaRefuseMachinePwdChange,sambaSID,sambaSIDList,sambaShareName,sambaStringListOption,sambaStringOption,sambaTrustFlags,sambaUserWorkstations
|
|
by dn.exact="cn=samba,ou=systemusers,dc=company,dc=lan" write
|
|
by dn="cn=admin_rw,ou=systemusers,dc=company,dc=lan" write
|
|
by dn="cn=admin_ro,ou=systemusers,dc=company,dc=lan" read
|
|
|
|
#access to dn.regex="cn=ntadmin,ou=users,dc=company,dc=lan"
|
|
# by dn.exact="cn=samba,ou=systemusers,dc=company,dc=lan" write
|
|
# by users read
|
|
# by * read
|
|
|
|
# let PGP discover the keystore base DN
|
|
access to dn="cn=pgpServerInfo,dc=company,dc=lan"
|
|
by * read
|
|
|
|
|
|
## PGP keystore: only users of "ou=PGP Users,dc=EXAMPLE,dc=COM" may write
|
|
access to dn.subtree="ou=pgpKeys,dc=company,dc=lan"
|
|
by dn.regex="^cn=([^,]+),ou=users,dc=company,dc=lan$" write
|
|
by self write
|
|
by * read
|
|
|
|
|
|
## Last ACL
|
|
access to *
|
|
by dn="cn=admin_rw,ou=systemusers,dc=company,dc=lan" write
|
|
by * read
|
|
|
|
|