# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#
# Layout (slapd.conf is position-sensitive): global options first, then the
# "access to" ACLs, then the "database hdb" section whose directives and
# overlays apply to that database only.
#
# NOTE: the "by" lines under each "access to", and the replacement pattern
# under each "authz-regexp", are continuation lines and must begin with
# whitespace in the real file; their indentation appears to have been lost
# in this rendering, so restore it before using this text verbatim.
#
# NOTE(review): no TLS (TLSCertificateFile etc.) or "security" directive
# appears in this file, and only ldapi:// sessions are treated as encrypted
# (see localssf below).  If replicas or other clients reach this server over
# ldap://, confirm that transport protection is enforced elsewhere.

# Schema files, loaded in order (later ones may depend on earlier ones).
# sudo.schema supplies the sudoUser/sudoHost attributes indexed below;
# csc.schema is presumably the site-local schema that defines the term and
# nonMemberTerm attributes used in the ACLs — confirm.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/rfc2307bis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/sudo.schema
include /etc/ldap/schema/csc.schema
include /etc/ldap/schema/misc.schema

# Runtime files slapd writes at startup (process id and command-line args).
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# Log only sync-replication (syncrepl/syncprov) events.  The commented-out
# line below is the heavier debugging set kept for troubleshooting.
#Warning: "stats" is *lots* of logging
loglevel sync
#loglevel stats config sync acl

# Dynamically loaded backend and overlays; every "overlay" used under the
# database section below needs its module listed here.
modulepath /usr/lib/ldap
# hdb storage backend ("database hdb" below)
moduleload back_hdb
# sync-replication provider (this host is the master, see "overlay syncprov")
moduleload syncprov
# change logging ("overlay auditlog")
moduleload auditlog
# attribute-uniqueness enforcement ("overlay unique")
moduleload unique

# No server-side cap, for any client, on how many entries a search may
# return or how long it may run.  Search load is then bounded only by the
# ACLs and indexes elsewhere in this file — reconsider if anonymous or
# untrusted clients can reach this server.
sizelimit unlimited
timelimit unlimited

# consider local connections encrypted
# ldapi:// (unix-socket) sessions are assigned a security strength factor of
# 128, i.e. treated as if protected by a 128-bit cipher, so SSF-based checks
# are satisfied for local clients.  Remote sessions get no such credit.
localssf 128

# map kerberos users to ldap users
# Default SASL realm for GSSAPI binds.  Together with the authz-regexp rules
# below it rewrites the SASL authentication identity
# (uid=<principal>,cn=<realm>,cn=GSSAPI,cn=auth) to a real directory entry.
sasl-realm CSCLUB.INTERNAL
# Rules are tried in file order and the first match wins.  The character
# class [^/=]* deliberately excludes "/", so instance principals such as
# ceod/admin do not match this rule and fall through to the next one.
authz-regexp "uid=([^/=]*),cn=CSCLUB.INTERNAL,cn=GSSAPI,cn=auth"
"uid=$1,ou=people,dc=csclub,dc=internal"
# The ceod/admin principal is mapped to the cn=ceod service entry, which the
# ACLs below grant write access.
authz-regexp "uid=ceod/admin,cn=CSCLUB.INTERNAL,cn=GSSAPI,cn=auth"
"cn=ceod,dc=csclub,dc=internal"

# Access control.  slapd evaluates "access to" clauses in file order and
# uses the first one whose target matches the entry/attribute; within a
# clause the "by" lines are tried in order and the first matching subject
# decides.  "by * break" hands non-matching requesters on to the next clause
# instead of denying them.

# Root (uid 0 / gid 0) connecting over the ldapi:// socket is the only
# identity with "manage" rights.  This is how local administration gets in
# without a rootpw (none is set in this file).
access to *
by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * break

# systems committee get full access
# The ceod service entry and members of the syscom group get "write" (which
# implies read/search/compare) to every entry and attribute, including
# userPassword and the term attributes, because a match here ends
# evaluation before the more restrictive clauses below.
# group/<objectClass>/<attr>: the requester's DN must be listed in the
# uniqueMember attribute of that group entry.
access to *
by dn="cn=ceod,dc=csclub,dc=internal" write
by group/group/uniqueMember="cn=syscom,ou=Group,dc=csclub,dc=internal" write
by * break

# allow office staff to add terms
# the renewal program may do the same
# "add" permits adding new values only — existing term values cannot be
# removed or replaced by these identities.  "by * read" includes anonymous
# binds.
access to attrs=term
by group/group/uniqueMember="cn=office,ou=Group,dc=csclub,dc=internal" add
by dn="cn=renewal,dc=csclub,dc=internal" add
by * read
# Same policy for non-member terms.
access to attrs=nonMemberTerm
by group/group/uniqueMember="cn=office,ou=Group,dc=csclub,dc=internal" add
by dn="cn=renewal,dc=csclub,dc=internal" add
by * read

# allow users to change their shells
# "self" is the bound user's own entry (after authz-regexp mapping).  Any
# value is accepted here; if only certain shells are permitted, that has to
# be enforced on the hosts that consume loginShell.
access to attrs=loginShell
by self write
by * read

# allow simple authentication
# "auth" lets an unauthenticated client use the attribute for a simple bind
# (compare against the stored value) without being able to read it.  Nobody
# other than the peercred/ceod/syscom identities above can read or change
# userPassword — in particular "self" cannot, so ordinary users cannot set
# an LDAP password through this server (presumably Kerberos is the primary
# credential, given sasl-realm above — confirm).
access to attrs=userPassword
by anonymous auth
by * none

# allow access to attributes of top; they would otherwise be denied below
# NOTE(review): the final "access to *" clause below grants read to
# everyone, so this clause currently looks redundant and may predate a
# stricter default.  Confirm before removing.
access to attrs=@top
by * read

# default permit
# Everything not matched above is readable by anyone, including anonymous
# binds; anonymous binding is not disabled in this file (no "disallow
# bind_anon").
access to *
by * read

# main database options
# note: the mdb backend has a horrible bug in 2.4.31
# that causes indexing to destroy the database
# Directives from here to the end of the file apply to this database only.
database hdb
suffix "dc=csclub,dc=internal"
directory "/var/lib/ldap"
# No rootpw is set in this file, so the rootdn cannot simple-bind with a
# password configured here; administrative access relies on the
# peercred/ceod/syscom ACLs above.  NOTE(review): confirm that no password
# is stored on the cn=root entry itself.
rootdn cn=root,dc=csclub,dc=internal

# Indexes.  "index default eq" sets the type used by the lines below that do
# not name one; sudoUser/sudoHost override it with presence, substring and
# equality.  Unindexed attributes in search filters force full scans, which
# matters more given sizelimit/timelimit unlimited above.
index default eq
index objectClass
# used by syncprov; indexing them is recommended for replication performance
index entryCSN,entryUUID
index uid,uidNumber
index cn,gidNumber
index uniqueMember,memberUid
index sudoUser,sudoHost pres,sub,eq
index term,nonMemberTerm
index mailLocalAddress
index modifyTimestamp,createTimestamp

# log all changes to the directory
# The auditlog overlay appends every write operation as LDIF, including the
# modified attribute values, to the file below.  Keep that file readable
# only by slapd and administrators: it can contain password hashes and
# other sensitive values.
overlay auditlog
auditlog /var/log/ldap/audit.log

# enforce uniqueness of usernames etc.
# unique_uri ldap:///<base>?<attrs>?<scope>: each listed attribute value
# must be unique across all entries under the base (sub scope).
overlay unique
unique_uri ldap:///ou=People,dc=csclub,dc=internal?uid,uidNumber?sub
unique_uri ldap:///ou=Group,dc=csclub,dc=internal?cn,gidNumber?sub

# this is the master server
# syncprov makes this database a replication provider.
# checkpoint: write the contextCSN to the database after 100 write
# operations or 10 minutes, whichever comes first.
# sessionlog: keep the last 100 write operations in memory so reconnecting
# consumers can resync incrementally.
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100