Difference between revisions of "Omldapsync HowTo - Six"
Revision as of 15:47, 18 March 2008
Appendix A - ldapsync13.schema (OpenLDAP Servers)
A copy of ldapsync13.schema is provided because the copy included with the Scalix installation was incomplete in earlier releases.
```
# Copyright (C) 2006 Scalix Corporation. All rights reserved.
# OpenLDAP schema extension for Scalix omldapsync attributes
# For reference see OpenLDAP 2.1 Administrator's Guide
# Installation steps (requires root login):
#
# 1. Stop OpenLDAP slapd server (e.g. kill -INT `cat /var/run/slapd.pid`)
#
# 2. Copy this file to OpenLDAP schema sub directory (e.g. etc/openldap/schema)
#
# 3. Edit OpenLDAP slapd.conf file (e.g. /etc/openldap/slapd.conf) to:
#
#    a. Extend the schema by appending reference to the 'include' section,
#       something like the following lines:
#
#       # include schema extension for Scalix omldapsync attributes
#       include /etc/openldap/schema/ldapsync13.schema
#
#    b. Ensure Scalix omldapsync has sufficient read access to all the data,
#       usually determined by the type of bind and the dn used.
#
#    c. Ensure Scalix omldapsync has sufficient search limit to return all the
#       matching entries, usually determined by the 'sizelimit' setting used.
#
# 4. Start OpenLDAP slapd server (e.g. /usr/sbin/slapd)
#
# 5. Fix any error, repeat steps 1 to 4 as necessary.
#
# 6. Test add (e.g. /usr/bin/ldapadd -D "cn=Manager,dc=my-domain,dc=com") using
#    something like the following LDIF lines:
#
#    dn: cn=testuser scalix,dc=my-domain,dc=com
#    objectClass: inetOrgPerson
#    cn: testuser scalix
#    displayName: Testuser Scalix
#    sn: Scalix
#    mail: testuser@test.scalix.com
#    objectClass: scalixUserClass
#    scalixScalixObject: TRUE
#    scalixMailnode: ou1,ou2
#    scalixServerLanguage: ENGLISH
#    scalixAdministrator: TRUE
#    scalixMailboxAdministrator: FALSE
#    scalixEmailAddress: testuser@my-domain.com
#    scalixEmailAddress: testuser@my-domain.de
#    scalixLimitMailboxSize: 1024
#    scalixLimitOutboundMail: TRUE
#    scalixLimitInboundMail: FALSE
#    scalixLimitNotifyUser: TRUE
#    scalixHideUserEntry: FALSE
#    scalixMailboxClass: FULL
#
#    dn: cn=testgroup scalix,dc=my-domain,dc=com
#    objectClass: groupOfNames
#    cn: testgroup scalix
#    member: cn=testuser scalix,dc=my-domain,dc=com
#    objectClass: scalixGroupClass
#    scalixScalixObject: TRUE
#    scalixMailnode: ou1,ou2
#    displayName: Testgroup Scalix
#    scalixEmailAddress: testgroup@test.scalix.com
#    scalixHideUserEntry: TRUE
#
# 7. Test search (e.g. /usr/bin/ldapsearch -b "dc=my-domain,dc=com" -x -D ""
#    -w "" cn=*scalix) to check for read access and correct entries were added.

# define macro for Scalix root OID
objectIdentifier scalixOID 1.3.6.1.4.1.19049

# new attributes to describe an Scalix user or group object
# use 1.1.x from Scalix root OID
attributetype ( scalixOID:1.1.10 NAME ( 'scalixScalixObject' )
    DESC 'boolean TRUE or FALSE for creating scalix mailbox/PDL object
        If this is set to FALSE and the object is matched by the omldapsync
        filter, a Contact entry/Internet user is created. If set to true,
        a mailbox is setup. For Group/PDL objects, this must always be set to true'
    SINGLE-VALUE
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.11 NAME ( 'scalixMailnode' )
    DESC 'Comma-separated org units for object.s mailnode. This is the
        Mailnode name as defined when the Scalix server was setup.
        In Multi-server environments, this is used to select on which
        server the object is to be created.'
    SINGLE-VALUE
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    ORDERING caseIgnoreOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( scalixOID:1.1.12 NAME ( 'scalixAdministrator' )
    DESC 'Boolean TRUE or FALSE for admin capability. If set to TRUE,
        the user created will have full Scalix admin capabilites.'
    SINGLE-VALUE
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.13 NAME ( 'scalixMailboxAdministrator' )
    DESC 'Boolean TRUE or FALSE for Mailbox Admin capability. A user with
        this flag set to TRUE can access ANY mailbox on a server through
        mboxadmin signon. This is usually only used for migration tools
        and typically not exposed through LDAP'
    SINGLE-VALUE
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.14 NAME ( 'scalixServerLanguage' )
    DESC 'Message catalog language for client. This is one of the
        Scalix-supported languages found in /var/opt/scalix/nls/om_langs'
    SINGLE-VALUE
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    ORDERING caseIgnoreOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( scalixOID:1.1.15 NAME ( 'scalixEmailAddress' )
    DESC 'List of SMTP addresses of user. This is a multi-valued attribute.
        The order is important as the first of these values is used as
        the outgoing from address of the user.'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    ORDERING caseIgnoreOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( scalixOID:1.1.16 NAME ( 'scalixLimitMailboxSize' )
    DESC 'mailbox size limit for the user in MB'
    SINGLE-VALUE
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( scalixOID:1.1.17 NAME ( 'scalixLimitOutboundMail' )
    DESC 'As Sanction on Mailbox quota overuse, stop user from sending mail.
        Set to TRUE or FALSE'
    SINGLE-VALUE
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.18 NAME ( 'scalixLimitInboundMail' )
    DESC 'As Sanction on Mailbox quota overuse, stop user from receiving mail.
        Set to TRUE or FALSE'
    SINGLE-VALUE
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.19 NAME ( 'scalixLimitNotifyUser' )
    DESC 'As Sanction on Mailbox quota overuse, notify the User by eMail.
        Set to TRUE or FALSE'
    SINGLE-VALUE
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.20 NAME ( 'scalixHideUserEntry' )
    DESC 'Hide User Entry from Addressbook. Set to TRUE or FALSE'
    SINGLE-VALUE
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.21 NAME ( 'scalixMailboxClass' )
    DESC 'Class of User Mailbox FULL or LIMITED. This maps to Premium or
        Standard users as defined by Scalix User licensing policy'
    SINGLE-VALUE
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    ORDERING caseIgnoreOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

# auxiliary classes for scalix User and group
# use 1.2.x from Scalix root OID
objectclass ( scalixOID:1.2.10 NAME 'scalixUserClass'
    DESC 'Supplemental class containing the Scalix User-related attributes'
    AUXILIARY
    MUST ( scalixScalixObject $ scalixMailnode )
    MAY ( scalixAdministrator $ scalixMailboxAdministrator $
          scalixServerLanguage $ scalixEmailAddress $
          scalixLimitMailboxSize $ scalixLimitOutboundMail $
          scalixLimitInboundMail $ scalixLimitNotifyUser $
          scalixHideUserEntry $ scalixMailboxClass ) )

objectclass ( scalixOID:1.2.11 NAME 'scalixGroupClass'
    DESC 'Supplemental class containing the Scalix Group-related attributes'
    AUXILIARY
    MUST ( scalixScalixObject $ scalixMailnode )
    MAY ( displayName $ scalixEmailAddress $ scalixHideUserEntry ) )
```
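The schema above fixes each attribute's syntax, whether it is single-valued, and which attributes are MUST for scalixUserClass and scalixGroupClass. The following Python example is added here (it is not Scalix's code and not part of the original page) to check an LDIF file against those rules before it is handed to ldapadd or picked up by the omldapsync filter, and to flag entries that set scalixAdministrator or scalixMailboxAdministrator to TRUE, since the DESC text describes those as granting full admin or any-mailbox access. The sample LDIF is constructed from the test user in the schema header plus one deliberately broken entry; call parse_ldif on the text and audit_entry on each (dn, attrs) pair.

```python
import re
# Attribute rules transcribed from ldapsync13.schema: name -> (syntax, single-valued)
BOOL, STR, INT = "boolean", "string", "integer"
SCALIX_ATTRS = {
    "scalixScalixObject": (BOOL, True), "scalixMailnode": (STR, True),
    "scalixAdministrator": (BOOL, True), "scalixMailboxAdministrator": (BOOL, True),
    "scalixServerLanguage": (STR, True), "scalixEmailAddress": (STR, False),
    "scalixLimitMailboxSize": (INT, True), "scalixLimitOutboundMail": (BOOL, True),
    "scalixLimitInboundMail": (BOOL, True), "scalixLimitNotifyUser": (BOOL, True),
    "scalixHideUserEntry": (BOOL, True), "scalixMailboxClass": (STR, True),
}
SCALIX_CLASSES = {"scalixuserclass", "scalixgroupclass"}  # matched case-insensitively
MUST_ATTRS = {"scalixScalixObject", "scalixMailnode"}     # MUST of both classes
# TRUE on these grants full admin or any-mailbox access (see the DESC text above)
PRIVILEGED = {"scalixAdministrator", "scalixMailboxAdministrator"}

def parse_ldif(text):
    """Minimal LDIF reader: '#' comments, blank line ends an entry, a leading
    space continues the previous line, repeated attributes are multi-valued."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() == "":
            if lines:
                entries.append(lines)
            lines = []
        elif not raw.startswith("#"):
            lines.append(raw)
    parsed = []
    for lines in entries:
        attrs = {}
        for name, _, value in (line.partition(":") for line in lines):
            attrs.setdefault(name.strip(), []).append(value.strip())
        parsed.append((attrs.pop("dn", [""])[0], attrs))
    return parsed

def audit_entry(dn, attrs):
    """Return findings for one parsed entry; an empty list means it passes."""
    findings = []
    if {c.lower() for c in attrs.get("objectClass", [])} & SCALIX_CLASSES:
        for name in sorted(MUST_ATTRS - set(attrs)):
            findings.append(f"{dn}: missing MUST attribute {name}")
    for name, values in attrs.items():
        if name not in SCALIX_ATTRS:
            continue
        syntax, single = SCALIX_ATTRS[name]
        if single and len(values) > 1:
            findings.append(f"{dn}: {name} is SINGLE-VALUE but has {len(values)} values")
        for v in values:
            if syntax == BOOL and v not in ("TRUE", "FALSE"):
                findings.append(f"{dn}: {name} must be TRUE or FALSE, got {v!r}")
            elif syntax == INT and not re.fullmatch(r"-?\d+", v):
                findings.append(f"{dn}: {name} must be an integer (MB), got {v!r}")
        if name in PRIVILEGED and "TRUE" in values:
            findings.append(f"{dn}: PRIVILEGED {name}=TRUE, review before syncing")
    return findings

# Constructed sample: the test user from the schema header plus one bad entry
SAMPLE_LDIF = """\
dn: cn=testuser scalix,dc=my-domain,dc=com
objectClass: scalixUserClass
scalixScalixObject: TRUE
scalixMailnode: ou1,ou2
scalixAdministrator: TRUE
scalixEmailAddress: testuser@my-domain.com
scalixEmailAddress: testuser@my-domain.de

dn: cn=bad user,dc=my-domain,dc=com
objectClass: scalixUserClass
scalixScalixObject: yes
scalixLimitMailboxSize: 1GB
scalixLimitMailboxSize: 2048
"""
```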
Appendix B - 90Scalix.ldif (Sun ONE Directory Servers)
```
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;
  acl "anonymous, no acis";
  allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr = "*")(version 3.0;
  acl "Configuration Administrators Group";
  allow (all) groupdn = "ldap:///cn=Configuration Administrators,
  ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0;
  acl "Configuration Administrator";
  allow (all) userdn = "ldap:///uid=admin,ou=Administrators,
  ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0;
  acl "Local Directory Administrators Group ";
  allow (all) groupdn = "ldap:///cn=Directory Administrators,
  dc=mydomain,dc=net";)
aci: (targetattr = "*")(version 3.0;
  acl "SIE Group";
  allow (all)groupdn = "ldap:///cn=slapd-fubar,
  cn=Sun ONE Directory Server, cn=Server Group,
  cn=fubar.mydomain.net, ou=mydomain.net, o=NetscapeRoot";)
modifiersName: cn=directory manager
modifyTimestamp: 20080205163801Z
attributeTypes: ( 1.1.13 NAME 'scalixMailboxAdministrator'
  DESC 'Boolean TRUE or FALSE for Mailbox Admin capability.
  A user with this flag set to TRUE can access ANY mailbox
  on a server through mboxadmin signon. This is usually
  only used for migration tools and typically not exposed
  through LDAP'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.18 NAME 'scalixLimitInboundMail'
  DESC 'As Sanction on Mailbox quota overuse, stop user
  from receiving mail. Set to TRUE or FALSE'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.10 NAME 'scalixScalixObject'
  DESC 'boolean TRUE or FALSE for creating scalix mailbox/PDL
  object. If this is set to FALSE and the object is matched
  by the omldapsync filter, a Contact entry/Internet user is
  created. If set to true, a mailbox is setup. For Group/PDL
  objects, this must always be set to true.'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.15 NAME 'scalixEmailAddress'
  DESC 'List of SMTP addresses of user. This is a multi-valued
  attribute. The order is important as the first of these values
  is used as the outgoing from address of the user.'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.20 NAME 'scalixHideUserEntry'
  DESC 'Hide User Entry from Addressbook. Set to TRUE or FALSE'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.12 NAME 'scalixAdministrator'
  DESC 'Boolean TRUE or FALSE for admin capability. If set to TRUE,
  the user created will have full Scalix admin capabilites.'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.17 NAME 'scalixLimitOutboundMail'
  DESC 'As Sanction on Mailbox quota overuse, stop user from
  sending mail. Set to TRUE or FALSE'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.14 NAME 'scalixServerLanguage'
  DESC 'Message catalog language for client. This is one of
  the Scalix-supported languages found in
  /var/opt/scalix/nls/om_langs'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.19 NAME 'scalixLimitNotifyUser'
  DESC 'As Sanction on Mailbox quota overuse, notify the User
  by eMail. Set to TRUE or FALSE'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.11 NAME 'scalixMailnode'
  DESC 'Comma-separated org units for object.s mailnode.
  This is the Mailnode name as defined when the Scalix
  server was setup. In Multi-server environments, this is
  used to select on which server the object is to be created.'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.16 NAME 'scalixLimitMailboxSize'
  DESC 'mailbox size limit for the user in MB'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.21 NAME 'scalixMailboxClass'
  DESC 'Class of User Mailbox FULL or LIMITED. This maps to
  Premium or Standard users as defined by Scalix User
  licensing policy'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
  X-ORIGIN 'user defined' )
objectClasses: ( 1.2.10 NAME 'scalixUserClass'
  SUP top
  STRUCTURAL MUST ( scalixMailnode $ scalixScalixObject )
  MAY ( scalixAdministrator $ scalixEmailAddress $
  scalixHideUserEntry $ scalixLimitInboundMail $
  scalixLimitMailboxSize $ scalixLimitNotifyUser $
  scalixLimitOutboundMail $ scalixMailboxAdministrator $
  scalixMailboxClass $ scalixServerLanguage )
  X-ORIGIN 'user defined' )
objectClasses: ( 1.2.11 NAME 'scalixGroupClass'
  SUP top
  STRUCTURAL MUST ( scalixMailnode $ scalixScalixObject )
  MAY ( displayName $ scalixEmailAddress $ scalixHideUserEntry )
  X-ORIGIN 'user defined' )
```
Appendix C - slapd.conf (OpenLDAP Server)
This is a sample slapd.conf file taken from OpenLDAP version 2.3.35 running on Ubuntu 7.1 (Gutsy Gibbon). Your slapd.conf file may be more or less complex than this one.

```
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/ldapsync13.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel        256

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb

# The maximum number of entries that is returned for a search operation
sizelimit       5000

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads    1

# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         bdb
checkpoint      512 30

# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend        <other>

# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          "dc=mydomain,dc=net"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn          "cn=admin,dc=mydomain,dc=net"
rootpw          {SSHA}EGBbPLdQg0o5RoUQBwIQBkymApuC/YFa

# Where the database files are physically stored for database #1
directory       "/var/lib/ldap/mydomain"

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0

# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057
# for more information.

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indexing options for database #1
index           objectClass eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# Where to store the replica logs for database #1
#replogfile     /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=mydomain,dc=net" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=mydomain,dc=net" write
        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=mydomain,dc=net" write
#        by dnattr=owner write

# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database       <other>

# The base of your directory for database #2
#suffix         "dc=debian,dc=org"
```
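Steps 3a to 3c of the ldapsync13.schema header ask for the include line, read access for the omldapsync bind and a sizelimit large enough for every matching entry; the Python example below is added here (it is not from the page, from Scalix or from OpenLDAP) to parse a slapd.conf in the layout shown above and report those gaps, together with two hardening points visible in this file: a cleartext rootpw and a userPassword ACL that does not end in 'by * none'. Both sample configurations are constructed, the rootpw hash is a placeholder, and only the plain integer or 'unlimited' form of sizelimit is handled.

```python
import re

def parse_slapd_conf(text):
    """(directive, argument) pairs: '#' lines are comments and a line starting
    with whitespace continues the previous directive, as in slapd.conf(5)."""
    directives = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and directives:
            name, arg = directives[-1]
            directives[-1] = (name, arg + " " + raw.strip())
        else:
            name, _, arg = raw.strip().partition(" ")
            directives.append((name.lower(), arg.strip()))
    return directives

def check_slapd_conf(text, expected_entries):
    """Findings that would break omldapsync or weaken the server; [] if none."""
    conf = parse_slapd_conf(text)
    findings = []
    if not any(n == "include" and a.endswith("ldapsync13.schema") for n, a in conf):
        findings.append("ldapsync13.schema is not included: scalix* attributes will be rejected")
    # slapd's built-in default when no sizelimit directive is present is 500
    limit = next((a for n, a in conf if n == "sizelimit"), "500")
    sizelimit = float("inf") if limit == "unlimited" else int(limit)
    if sizelimit < expected_entries:
        findings.append(f"sizelimit {limit} is below the {expected_entries} entries omldapsync must read")
    for n, a in conf:
        if n == "rootpw" and not re.match(r"\{[A-Za-z0-9]+\}", a):
            findings.append("rootpw is cleartext: generate a hashed value with slappasswd")
        if n == "access" and "userpassword" in a.lower() and not re.search(r"by\s+\*\s+none$", a):
            findings.append("userPassword ACL does not end in 'by * none': hashes readable by others")
    return findings

# Constructed excerpt following the Appendix C layout (the hash is a placeholder)
GOOD_CONF = """\
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/ldapsync13.schema
sizelimit       5000
database        bdb
suffix          "dc=mydomain,dc=net"
rootdn          "cn=admin,dc=mydomain,dc=net"
rootpw          {SSHA}PLACEHOLDERgeneratedBySlappasswd
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=mydomain,dc=net" write
        by anonymous auth
        by self write
        by * none
access to *
        by dn="cn=admin,dc=mydomain,dc=net" write
        by * read
"""

# Same file with the schema include dropped, the stock sizelimit, a cleartext
# rootpw and password hashes readable by any authenticated user (constructed)
WEAK_CONF = """\
include         /etc/ldap/schema/core.schema
sizelimit       500
database        bdb
suffix          "dc=mydomain,dc=net"
rootdn          "cn=admin,dc=mydomain,dc=net"
rootpw          secret
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=mydomain,dc=net" write
        by self write
        by users read
"""

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        print(label, check_slapd_conf(conf, 5000) or "OK")
```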