# LliureX slapd configuration file for dummy
#
# NOTE(review): this is OpenLDAP slapd.conf(5) syntax, not INI, despite the
# file extension guess. Tokens of the form _@_NAME_@_ and the #if/#ifneq/#endif
# lines are expanded by the LliureX template preprocessor before slapd reads
# the result; leave them untouched.

# Allow LDAPv2 binds
# SECURITY: LDAPv2 is obsolete (RFC 3494) and cannot negotiate StartTLS, so v2
# clients always bind in the clear. Keep this only while v2-only legacy clients
# exist, then remove it.
allow bind_v2

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/courier.schema
include /etc/ldap/schema/automount-debian-edu.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/lis.schema
include /etc/ldap/schema/sabayon.schema
include /etc/ldap/schema/kerberos.schema
include /etc/ldap/schema/lliurex.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
# NOTE(review): the "schemacheck" directive was dropped from slapd.conf in
# OpenLDAP 2.3; schema checking is always enforced -- confirm for the target
# version, there is nothing to set here.

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
# idletimeout: seconds of inactivity before slapd closes a client connection
# (0 disables the timeout).
idletimeout _@_LDAP_SLAPD_TIMEOUT_@_
pidfile /var/run/slapd/slapd.pid

# SECURITY: no size limit on search results. Combined with the
# "access to * by * read" default at the end of this file, any unauthenticated
# client can dump the whole directory with a single search. Prefer a finite
# global limit plus per-DN "limits" for the accounts that really need more.
sizelimit unlimited

# Read slapd.conf(5) for possible values
#loglevel 65535
# NOTE(review): "stats" (256) and higher levels log every connection and
# operation, including bind DNs, to syslog; keep the templated value low in
# production and do not ship 65535 ("any").
loglevel _@_LDAP_SLAPD_LOGLEVEL_@_

# TLS/SSL
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
# SECURITY: no TLSCipherSuite is active, so the crypto library's default list
# is used. The commented example above re-enables SSLv2 and must not be
# revived. The accepted syntax differs between OpenSSL and GnuTLS builds
# (Debian packages have historically linked GnuTLS) -- confirm the library
# before adding a priority string.
TLSCACertificateFile /etc/lliurex-secrets/certs/CA/lliurexCA.crt
TLSCertificateFile /etc/lliurex-secrets/certs/ldap/ldap.crt
# The private key must be readable by the slapd service user only
# (no group/other bits); it is stored under a separate "pki" tree from the certs.
TLSCertificateKeyFile /etc/lliurex-secrets/pki/ldap/ldap.key
# Superseded duplicates of the three active lines above, kept commented out.
#TLSCACertificateFile /etc/lliurex-secrets/certs/CA/lliurexCA.crt
#TLSCertificateFile /etc/lliurex-secrets/certs/ldap/ldap.crt
#TLSCertificateKeyFile /etc/lliurex-secrets/pki/ldap/ldap.key
# "never": clients are not asked for a certificate; authentication is by bind
# only. Switch to "try"/"demand" only if client certificates (SASL EXTERNAL)
# are actually deployed, otherwise every client will fail the handshake.
TLSVerifyClient never
# Older pyca-based certificate paths, no longer used.
##TLSCACertificateFile /var/lib/pyca/Root/cacert.pem
##TLSCertificateKeyFile /var/lib/pyca/ServerCerts/private/cakey.pem
##TLSCertificateFile /var/lib/pyca/ServerCerts/cacert.pem

modulepath /usr/lib/ldap
# NOTE(review): back_bdb is deprecated in OpenLDAP 2.4 and removed in 2.5;
# plan a slapcat/slapadd migration to back_mdb before the next major upgrade.
moduleload back_bdb
moduleload back_monitor
#ifneq "_@_LDAP_SRV_MODE_@_" "STANDALONE"
# add module to act as replication provider
moduleload syncprov
#endif

# Base used for searches that give no base DN.
defaultsearchbase " _@_LDAP_BASE_DN_@_"

# SECURITY: with this line commented out nothing forces TLS, so simple binds
# (including the replicator's and the admins' passwords) are accepted over
# cleartext ldap://. Re-enable it once the clients mentioned in the
# "SL bug 213 and 404" note in the database section can do StartTLS/ldaps.
#security update_ssf=128 simple_bind=128

backend bdb
backend monitor

#######################################################################
# ldbm database definitions
#######################################################################
# The backend type, ldbm, is the default standard
# (stale comment: the active backend below is bdb, loaded in the global section.)
#if LLXTMPL_TESTVAR _@_SRV_HOST_ID_@_
# Unique numeric ID of this server; required when several providers replicate
# each other (mirror mode below), must differ on every host.
serverID _@_SRV_HOST_ID_@_
#endif

database bdb
# schemacheck on
# Set the database in memory cache size.
#
# First database
suffix " _@_LDAP_BASE_DN_@_"
# SECURITY: the rootdn bypasses every ACL in this file. No rootpw is set here,
# so cn=admin authenticates with the userPassword stored in its own entry; the
# ACLs on that attribute are the only thing protecting it. Keep this file
# itself unreadable to unprivileged users as well.
rootdn "cn=admin, _@_LDAP_BASE_DN_@_"
# Where the database files are physically stored
directory "/var/lib/slapd"
# Flush the BDB transaction log to disk every 512 KiB written or every
# 30 minutes, whichever comes first.
checkpoint 512 30

# The Debian package default is 2MB; this template raises it to 64MB
# (0 GB + 67108864 bytes, single cache region). Raise it further on hosts
# with plenty of RAM.
dbconfig set_cachesize 0 67108864 0
#
# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057
# for more information.
#
# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indices to maintain
index objectClass pres,eq
index cn,sn,ou pres,eq,sub
index uid pres,eq,sub
index groupType eq
index uidNumber eq
index gidNumber eq
index memberUid eq
# Index type for later "index" lines that omit one; harmless here because
# every line below names its type explicitly.
index default eq
#for some clients, even if not used
index givenname eq
index displayName eq
index telephoneNumber eq
# Save the time that the entry gets modified (modifiersName/modifyTimestamp);
# the replication overlay at the end of the file relies on these operational
# attributes as well.
lastmod on

# Webmin-ldap-skolelinux use TLS, and PAM authentication use SSL
# The ssf=128 option is to be used when SL bug 213 and 404 are closed.
# (It is the commented "security update_ssf=128 simple_bind=128" line in the
# global section; until then simple binds may travel in the clear.)
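# ######################################################################################
# Access control.
#
# Reading guide (slapd.access(5)): the first "access to" clause whose target
# matches the entry/attribute is used; inside it the first matching "by" wins,
# unless that "by" ends in "break", which sends evaluation on to the next
# "access to" clause. Access levels are cumulative
# (none < auth < compare < search < read < write), so a bare "write" also
# grants read. "=wx" grants exactly write+auth and NOT read, which is what
# password attributes need (bind, change, reset -- but no hash readout).
#
# Layout rule: slapd treats an indented line as a continuation of the previous
# line even when that line is a comment, so never put a comment between an
# "access to" line and its "by" clauses. The #ifneq/#endif lines inside the
# clauses below are template directives; this assumes the preprocessor removes
# them, otherwise the "by" lines following them would be swallowed -- verify
# on the generated file with "slaptest -u".
#
# SECURITY: the global "security" directive is commented out, so nothing here
# forces TLS; every password in a simple bind crosses the wire in the clear
# unless the client itself uses StartTLS or ldaps.
# ######################################################################################

# Student passwords: resettable by the rootdn, any teacher and the admins
# group; changeable by the student; readable by nobody. The replicator keeps
# "read" because the consumer must copy the hash.
# Teachers and self were "write", which also grants read and let every teacher
# (and the student) read the stored hash; "=wx" still allows resets and
# changes and matches the generic userPassword rule further down. Restore
# "write" only if a teacher-facing tool is found to read the attribute.
access to dn.subtree="ou=Students,_@_LDAP_PEOPLE_BASE_DN_@_" attrs=userPassword
        by dn="cn=admin, _@_LDAP_BASE_DN_@_" write
#ifneq "_@_LDAP_SRV_MODE_@_" "STANDALONE"
        by dn="_@_LDAP_REPLICATOR_CN_@_, _@_LDAP_BASE_DN_@_" read
#endif
        by dn.subtree="ou=Teachers,_@_LDAP_PEOPLE_BASE_DN_@_" =wx
        by group/lisAclGroup/member="cn=admins,_@_LDAP_PROFILES_GROUP_BASE_DN_@_" write
        by anonymous auth
        by self =wx
        by * none

# The rootdn's own entry. The rootdn bypasses ACLs entirely, so the "=wx"
# clause only documents intent; "none break" lets everyone else fall through
# to the rules below.
access to dn.base="cn=admin, _@_LDAP_BASE_DN_@_"
        by dn.exact="cn=admin, _@_LDAP_BASE_DN_@_" =wx
#ifneq "_@_LDAP_SRV_MODE_@_" "STANDALONE"
        by dn="_@_LDAP_REPLICATOR_CN_@_, _@_LDAP_BASE_DN_@_" read
#endif
        by * none break

# Catch-all for privileged identities: admins members get write on every
# entry and attribute (including every userPassword -- which is why members
# of that group are later shielded from jradmins), the replicator gets read
# on everything. Everybody else falls through to the specific rules.
access to *
        by group/lisAclGroup/member="cn=admins,_@_LDAP_PROFILES_GROUP_BASE_DN_@_" write
        by dn.exact="cn=admin, _@_LDAP_BASE_DN_@_" =w
#ifneq "_@_LDAP_SRV_MODE_@_" "STANDALONE"
        by dn="_@_LDAP_REPLICATOR_CN_@_, _@_LDAP_BASE_DN_@_" read
#endif
        by * none break

# Shared ID counter used when smbadmin creates accounts; world-readable.
access to dn.base="cn=nextID,_@_LDAP_VARIABLES_BASE_DN_@_" attrs=gidNumber
        by dn.exact="cn=smbadmin,_@_LDAP_PEOPLE_BASE_DN_@_" write
        by * read

# Do not give jradmins access to the userPassword attribute of the higher
# privileged accounts (smbadmin and the rootdn). These two rules must stay
# above the generic userPassword rule, which would otherwise grant jradmins =w.
access to dn.exact="cn=smbadmin,_@_LDAP_PEOPLE_BASE_DN_@_" attrs=userPassword
        by self =wx
        by anonymous auth
        by group/lisAclGroup/member="cn=jradmins,_@_LDAP_PROFILES_GROUP_BASE_DN_@_" none
        by * none

access to dn.exact="cn=admin, _@_LDAP_BASE_DN_@_" attrs=userPassword
        by self =wx
        by anonymous auth
        by group/lisAclGroup/member="cn=jradmins,_@_LDAP_PROFILES_GROUP_BASE_DN_@_" none
        by * none

# Every other password: the owner may change it, anyone may bind with it,
# jradmins may reset it unless the target entry is a member of the admins
# group (the "set" clause denies that before the jradmins clause is reached),
# and nobody may read the hash.
access to attrs=userPassword
        by self =wx
        by anonymous auth
        by set="[cn=admins,_@_LDAP_PROFILES_GROUP_BASE_DN_@_]/member & this" none
        by group/lisAclGroup/member="cn=jradmins,_@_LDAP_PROFILES_GROUP_BASE_DN_@_" =w
        by * none

# Password-age stamp: same shape as the userPassword rule minus the bind
# clause. Note that anonymous/NSS clients therefore cannot read it.
access to attrs=shadowLastChange
        by self =w
        by set="[cn=admins,_@_LDAP_PROFILES_GROUP_BASE_DN_@_]/member & this" none
        by group/lisAclGroup/member="cn=jradmins,_@_LDAP_PROFILES_GROUP_BASE_DN_@_" =w
        by * none

# Defaultaccess
# SECURITY: every attribute not handled above, on every entry, is readable by
# anyone including anonymous binds; with the global "sizelimit unlimited" the
# whole directory can be enumerated without credentials. Tighten to
# "by users read" if no unauthenticated consumer (e.g. NSS lookups before a
# user has logged in) depends on it.
access to *
        by * read

# Last database.. back-monitor is nice to have. Use 'cn=monitor' as base
# (the module and backend are loaded in the global section, but the database
# itself is not defined, so cn=monitor is currently unavailable.)
#database monitor

# End of ldapd configuration file
#ifneq "_@_LDAP_SRV_MODE_@_" "STANDALONE"
# LDAP REPLICATION MASTER CONFIGURATION
# Equality indexes the syncprov overlay uses to answer consumer cookies and
# to find entries by UUID.
index entryCSN eq
index entryUUID eq
# The syncrepl consumer stanza lives in the included file. The replicator DN
# can read every userPassword under the ACLs above, so its bind there must be
# protected with TLS (starttls=critical / tls_reqcert=demand) and its
# credentials handled like the rootdn's -- verify in that file.
include /etc/ldap/slapd-syncrepl.conf
#ifeq "_@_LDAP_ACTIVE_MIRROR_@_" "YES"
# Multi-provider mode; requires the syncrepl directive above and a distinct
# serverID on every host.
mirrormode on
#endif
overlay syncprov
# Write contextCSN to the database after 100 operations or 10 minutes.
syncprov-checkpoint 100 10
#endif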