# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#
# Layout: global directives (schema, modules, limits, SASL mapping, ACLs)
# first, then a single hdb database with its indexes and overlays.
# slapd.conf has no inline comments: a "#" only starts a comment at the
# beginning of a line, and a line starting with whitespace continues the
# previous directive.

# Schema files; order matters because later schemas reference attribute
# types and object classes defined by earlier ones.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/rfc2307bis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/sudo.schema
include /etc/ldap/schema/csc.schema
include /etc/ldap/schema/misc.schema

# Runtime files written by slapd at startup.
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

#Warning: "stats" is *lots* of logging
# Only replication (syncrepl/syncprov) activity is logged; the commented
# line below is the verbose set used for debugging ACLs and config.
loglevel sync
#loglevel stats config sync acl

# Dynamically loaded backend and overlays; each "overlay"/"database"
# directive further down needs its module loaded here first.
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload syncprov
moduleload auditlog
moduleload unique

# No server-side cap on search result size or duration for any client.
# NOTE(review): combined with the "by * read" default ACL below this lets
# an anonymous client request an unbounded search; confirm this is
# intended, or scope it with a per-identity "limits" directive.
sizelimit unlimited
timelimit unlimited

# consider local connections encrypted
# localssf assigns a security strength factor to ldapi:// (Unix socket)
# sessions only; no "security" or TLS directives appear in this file.
# NOTE(review): if slapd also listens on ldap:// without TLS, the simple
# binds permitted by the userPassword ACL below would carry the password
# in the clear - confirm the configured listeners.
localssf 128

# map kerberos users to ldap users
# GSSAPI identities arrive as uid=<principal>,cn=<realm>,cn=GSSAPI,cn=auth
# and are rewritten by the first matching authz-regexp.
sasl-realm CSCLUB.INTERNAL
sasl-host auth1.csclub.internal
# Plain user principals map to their entry under ou=people. The character
# class excludes "/", so instance principals such as ceod/admin are not
# mapped to a user entry by this rule.
authz-regexp "uid=([^/=]*),cn=CSCLUB.INTERNAL,cn=GSSAPI,cn=auth" "uid=$1,ou=people,dc=csclub,dc=internal"
# The ceod/admin service principal maps to the dedicated ceod identity
# that is granted write access in the ACLs below.
authz-regexp "uid=ceod/admin,cn=CSCLUB.INTERNAL,cn=GSSAPI,cn=auth" "cn=ceod,dc=csclub,dc=internal"

# Access control. These are global ACLs (they precede the database
# section) and are evaluated in order: the first "access to" clause that
# matches the target is used, and within it the first matching "by"
# clause decides, unless that clause ends in "break", which continues
# with the next "access to" directive.

# A uid 0 / gid 0 process binding with SASL EXTERNAL over ldapi
# (peer-credential identity) gets full manage rights; everyone else
# falls through to the rules below.
access to *
	by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
	by * break

# systems committee get full access
# The ceod identity (mapped above) and members of cn=syscom get write on
# everything, including userPassword, before the more restrictive rules
# below are reached.
access to *
	by dn="cn=ceod,dc=csclub,dc=internal" write
	by group/group/uniqueMember="cn=syscom,ou=Group,dc=csclub,dc=internal" write
	by * break

# allow office staff to add terms
# the renewal program may do the same
# "add" permits adding values only (no delete/replace); everyone else
# may read the attribute.
access to attrs=term
	by group/group/uniqueMember="cn=office,ou=Group,dc=csclub,dc=internal" add
	by dn="cn=renewal,dc=csclub,dc=internal" add
	by * read
access to attrs=nonMemberTerm
	by group/group/uniqueMember="cn=office,ou=Group,dc=csclub,dc=internal" add
	by dn="cn=renewal,dc=csclub,dc=internal" add
	by * read

# allow users to change their shells
access to attrs=loginShell
	by self write
	by * read

# allow simple authentication
# "auth" lets an unauthenticated client use the attribute for a bind
# only; it can neither read nor compare it. Authenticated clients,
# including the entry owner, get no access, so users cannot change
# userPassword through LDAP - only ceod/syscom can (rule above).
# NOTE(review): presumably users authenticate via Kerberos instead;
# confirm before relying on this.
access to attrs=userPassword
	by anonymous auth
	by * none

# allow access to attributes of top; they would otherwise be denied below
# NOTE(review): the final rule below already grants "by * read", so this
# rule is currently redundant; the "denied below" remark may date from
# an earlier, more restrictive default - confirm and update.
access to attrs=@top
	by * read

# default permit
# NOTE(review): this grants anonymous read of every attribute not
# covered above (including sudoUser/sudoHost and group membership);
# confirm that is acceptable for every listener slapd is bound to.
access to *
	by * read

# main database options
# note: the mdb backend has a horrible bug in 2.4.31
# that causes indexing to destroy the database
database hdb
suffix "dc=csclub,dc=internal"
directory "/var/lib/ldap"
# No rootpw is set here, so the rootdn cannot bind with a password from
# this file; it can only be reached through its own entry's userPassword
# or a SASL mapping. NOTE(review): confirm which of these is in use.
rootdn cn=root,dc=csclub,dc=internal

# Indexes. "index default eq" sets the index type for every following
# "index" line that does not name one; sudoUser/sudoHost override it
# with presence, substring and equality indexes.
index default eq
index objectClass
index entryCSN,entryUUID
index uid,uidNumber
index cn,gidNumber
index uniqueMember,memberUid
index sudoUser,sudoHost pres,sub,eq
index term,nonMemberTerm
index mailLocalAddress
index modifyTimestamp,createTimestamp

# log all changes to the directory
# The audit log is written as LDIF and contains the full content of each
# change, including any attribute values written by ceod/syscom.
# NOTE(review): confirm the file's permissions restrict it to slapd and
# administrators.
overlay auditlog
auditlog /var/log/ldap/audit.log

# enforce uniqueness of usernames etc.
# uid and uidNumber must be unique across the ou=People subtree, and
# cn and gidNumber across the ou=Group subtree.
overlay unique
unique_uri ldap:///ou=People,dc=csclub,dc=internal?uid,uidNumber?sub
unique_uri ldap:///ou=Group,dc=csclub,dc=internal?cn,gidNumber?sub

# this is the master server
# syncprov makes this database a replication provider. contextCSN is
# checkpointed every 100 write operations or 10 minutes, and the last
# 100 operations are kept in the in-memory session log so consumers
# that reconnect can catch up without a full refresh.
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100