# The Debian Edu specific slapd configuration file
# Last edit: 2021-08-15
#
# Read by slapd(8) in the legacy slapd.conf(5) format.  Directive order is
# significant: directives before the first "database" line are global, and
# "access" rules are evaluated in order, the first matching "by" clause
# deciding.  Continuation lines (the "by" clauses below) must begin with
# whitespace.

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/autofs-debian-edu.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/gosa/dhcp.schema
include /etc/ldap/schema/gosa/dnszone.schema
include /etc/ldap/schema/kerberos.schema
include /etc/ldap/schema/ltspclientaux.schema

## gosa:
include /etc/ldap/schema/gosa/samba3.schema
include /etc/ldap/schema/gosa/trust.schema
include /etc/ldap/schema/gosa/gosystem.schema
include /etc/ldap/schema/gosa/gofon.schema
include /etc/ldap/schema/gosa/goto.schema
include /etc/ldap/schema/gosa/gosa-samba3.schema
include /etc/ldap/schema/gosa/gofax.schema
include /etc/ldap/schema/gosa/goserver.schema
include /etc/ldap/schema/gosa/goto-mime.schema
include /etc/ldap/schema/gosa/sudo.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /run/slapd/slapd.pid

# Read slapd.conf(5) for possible values.
# 65535 turns on every debug category and is far too noisy for production;
# "none" logs only critical messages.  If connection/operation logging is
# wanted for auditing, "stats" is the usual production level.
#loglevel 65535
loglevel none

# Replaces the default root DSE with a Debian Edu specific one.
rootDSE /etc/ldap/rootDSE-debian-edu.ldif

# TLS/SSL
# The private key must be readable by the user slapd runs as, and by nobody
# else.  No TLSProtocolMin/TLSCipherSuite is set here, so the minimum
# protocol version and cipher list are whatever the TLS library defaults
# to; worth pinning explicitly (see slapd.conf(5)).
TLSCACertificateFile /etc/ssl/certs/Debian-Edu_rootCA.crt
TLSCertificateKeyFile /etc/ssl/private/debian-edu-server.key
TLSCertificateFile /etc/ssl/certs/debian-edu-server.crt

modulepath /usr/lib/ldap
moduleload back_mdb
moduleload back_monitor

defaultsearchbase "dc=skole,dc=skolelinux,dc=no"
# Require at least 128-bit transport protection (TLS, or ldapi via the
# localssf below) for every update and every simple bind, so passwords are
# never sent in the clear.  Reads that do not bind are not covered by this
# and may still travel unencrypted.
security update_ssf=128 simple_bind=128

# Access via ldapi/unix socket is assumed to have 128 bit encryption.
# This is required to allow the kerberos and powerdns daemon to
# connect.
localssf 128

backend mdb
backend monitor

#######################################################################
# MDB database definitions
#######################################################################

# The backend used here is mdb (the LMDB based back-mdb).

database mdb
# Set the database in memory cache size.
#
# NOTE(review): "cachesize" is a directive of the old bdb/hdb backends;
# back-mdb sizes its memory map with "maxsize" instead, so the lines below
# would not do what the comment says if uncommented.  Kept as history only.
#cachesize 4000
#dbnosync
#sizelimit 4000

# First database
suffix "dc=skole,dc=skolelinux,dc=no"
# No rootpw is configured, so the rootdn authenticates through its own
# entry (or SASL) rather than through a secret kept in this file.  Keep it
# that way.
rootdn "cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no"
# Where the database files are physically stored
directory "/var/lib/ldap"

# Indices to maintain
index objectClass pres,eq
index cn,sn,ou pres,eq,sub
index uid pres,eq,sub
index krbPrincipalName pres,eq,sub
index uidNumber eq
index gidNumber eq
index memberUid eq
index default eq
#for some clients, even if not used
index givenname eq
index displayName eq
#index telephoneNumber eq

# ldap2zone index
index zoneName eq
index relativeDomainName eq

# Sudo
index sudoUser eq,sub

# LTSP configuration index (dhcpHWAddress also used by dhcpd)
index macAddress eq
index dhcpHWAddress eq

# libnss-ldapd look for this one. Make sure it is indexed to avoid
# lots of log messages.
index uniqueMember eq

# lwat cron job uses this
index createTimestamp eq

# Save the time that the entry gets modified
lastmod on

## map authentication via gssapi on user dn:
# A SASL/GSSAPI identity of the form uid=<principal>,cn=gssapi,cn=auth is
# mapped to the entry under the suffix whose uid equals the principal name.
authz-regexp "uid=([^,]*),cn=gssapi,cn=auth"
    "ldap:///dc=skole,dc=skolelinux,dc=no??sub?(uid=$1)"

## default: no access, but allow members of the ldap-admins group full
## access.
# "manage" on "*" makes ldap-admins equivalent to the rootdn for this
# database (that includes userPassword and the Kerberos key attributes
# handled below), so membership of this group should be audited like root
# access.  Everyone else falls through ("break") to the specific rules.
access to *
    by group.exact="cn=ldap-admins,ou=ldap-access,dc=skole,dc=skolelinux,dc=no" manage
    by * none break

# Password hashes: a user may change (w) and authenticate against (x) their
# own userPassword but never read it; anonymous clients get "auth" so that
# simple binds work.  Nobody else sees the attribute.
# NOTE(review): the set= clause below comes after "by self" and
# "by anonymous" and grants the same "none" as the final "by *", so as
# ordered it appears to have no effect.  If it was meant to stop members of
# cn=admins from changing their own password this way, it has to precede
# "by self =wx".
access to attrs=userPassword
    by self =wx
    by anonymous auth
    by set="[cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no]/member & this" none
    by * none

# shadowLastChange may be written by the user on password change, but only
# over a connection with at least 128-bit protection.  The same ordering
# note as above applies to the set= clause.
access to attrs=shadowLastChange
    by self ssf=128 =w
    by set="[cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no]/member & this" none
    by * none

# Pseudo-attributes "entry" and "children" under the suffix: no decision
# taken here, fall through to the rules below.
access to dn.subtree="dc=skole,dc=skolelinux,dc=no"
    attrs=children,entry
    by * none break

# Control access to kerberos attributes
# Key material and extra data: readable by the KDC, writable by kadmin,
# "auth" only for everyone else.  "by self read" lets a principal fetch its
# own (master-key encrypted) key blob; confirm that is actually needed,
# otherwise "by self auth" would be the least-privilege choice.
access to attrs=krbPrincipalKey,krbExtraData
    by dn.exact="cn=kdc-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" read
    by dn.exact="cn=kadmin-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" write
    by self read
    by * auth

# NOTE(review): "by * auth" matches every remaining requester and stops, so
# the "by * read" line after it is unreachable; as configured only the KDC
# and kadmin can read krbPrincipalName and krbLastPwdChange.  The comment on
# the cn=kerberos rule below lists krbLastPwdChange as hidden but not
# krbPrincipalName, so the intent is unclear: if auth-only is wanted, drop
# the dead line; if read was wanted, drop "by * auth" (read implies auth).
access to attrs=krbPrincipalName,krbLastPwdChange
    by dn.exact="cn=kdc-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" read
    by dn.exact="cn=kadmin-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" write
    by * auth
    by * read

# Limit access to kerberos data in cn=kerberos. Allow everyone to
# see the objects, as long as the attributes
# krbPrincipalKey,krbLastPwdChange and krbExtraData are hidden.
access to dn.subtree="cn=kerberos,dc=skole,dc=skolelinux,dc=no"
    by dn.exact="cn=kdc-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" read
    by dn.exact="cn=kadmin-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" write
    by * read

# Default access; kadmin needs full access:
# Everything not matched above is readable by everyone, including anonymous
# binds; this is what lets libnss-ldapd and the other daemons resolve users,
# groups, hosts and DNS/DHCP data without credentials.  Any new sensitive
# attribute needs its own rule above this one, not below it.
access to *
    by dn.exact="cn=kadmin-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" write
    by * read

# Last database.. back-monitor is nice to have. Use 'cn=monitor' as base
# NOTE(review): no access rules follow this database definition, and the
# rules above belong to the mdb database, so cn=monitor appears to be left
# with slapd's default policy (world-readable, see slapd.access(5)); confirm.
# It exposes connection and operation statistics, so consider limiting it,
# e.g. to the ldap-admins group or to ldapi connections.
database monitor

# End of slapd configuration file