Difference between revisions of "Omldapsync HowTo - Six"
From Scalix Wiki
Revision summaries: (→Appendix B - 90Scalix.ldif (Sun ONE Directory Servers)) and (→Appendix C -slapd.conf (OpenLDAP Server))
Line 314: | Line 314: | ||
This is a sample slapd.conf file taken from OpenLAP version 2.3.35 running on Ubuntu 7.1 (Gutsy Gibbon). Your slapd.conf file may be more or less complex than this one. | This is a sample slapd.conf file taken from OpenLAP version 2.3.35 running on Ubuntu 7.1 (Gutsy Gibbon). Your slapd.conf file may be more or less complex than this one. | ||
− | # This is the main slapd configuration file. See slapd.conf(5) for more | + | # This is the main slapd configuration file. See slapd.conf(5) for more |
− | # info on the configuration options. | + | # info on the configuration options. |
− | + | ||
− | ####################################################################### | + | ####################################################################### |
− | # Global Directives: | + | # Global Directives: |
− | + | ||
− | # Features to permit | + | # Features to permit |
− | #allow bind_v2 | + | #allow bind_v2 |
− | + | ||
− | # Schema and objectClass definitions | + | # Schema and objectClass definitions |
− | include /etc/ldap/schema/core.schema | + | include /etc/ldap/schema/core.schema |
− | include /etc/ldap/schema/cosine.schema | + | include /etc/ldap/schema/cosine.schema |
− | include /etc/ldap/schema/nis.schema | + | include /etc/ldap/schema/nis.schema |
− | include /etc/ldap/schema/inetorgperson.schema | + | include /etc/ldap/schema/inetorgperson.schema |
− | include /etc/ldap/schema/ldapsync13.schema | + | include /etc/ldap/schema/ldapsync13.schema |
− | + | ||
− | # Where the pid file is put. The init.d script | + | # Where the pid file is put. The init.d script |
− | # will not stop the server if you change this. | + | # will not stop the server if you change this. |
− | pidfile /var/run/slapd/slapd.pid | + | pidfile /var/run/slapd/slapd.pid |
− | + | ||
− | # List of arguments that were passed to the server | + | # List of arguments that were passed to the server |
− | argsfile /var/run/slapd/slapd.args | + | argsfile /var/run/slapd/slapd.args |
− | + | ||
− | # Read slapd.conf(5) for possible values | + | # Read slapd.conf(5) for possible values |
− | loglevel 256 | + | loglevel 256 |
− | + | ||
− | # Where the dynamically loaded modules are stored | + | # Where the dynamically loaded modules are stored |
− | modulepath /usr/lib/ldap | + | modulepath /usr/lib/ldap |
− | moduleload back_bdb | + | moduleload back_bdb |
− | + | ||
− | # The maximum number of entries that is returned for a search operation | + | # The maximum number of entries that is returned for a search operation |
− | sizelimit 5000 | + | sizelimit 5000 |
− | + | ||
− | # The tool-threads parameter sets the actual amount of cpu's that is used | + | # The tool-threads parameter sets the actual amount of cpu's that is used |
− | # for indexing. | + | # for indexing. |
− | tool-threads 1 | + | tool-threads 1 |
− | + | ||
− | ####################################################################### | + | ####################################################################### |
− | # Specific Backend Directives for bdb: | + | # Specific Backend Directives for bdb: |
− | # Backend specific directives apply to this backend until another | + | # Backend specific directives apply to this backend until another |
− | # 'backend' directive occurs | + | # 'backend' directive occurs |
− | backend bdb | + | backend bdb |
− | checkpoint 512 30 | + | checkpoint 512 30 |
− | + | ||
− | ####################################################################### | + | ####################################################################### |
− | # Specific Backend Directives for 'other': | + | # Specific Backend Directives for 'other': |
− | # Backend specific directives apply to this backend until another | + | # Backend specific directives apply to this backend until another |
− | # 'backend' directive occurs | + | # 'backend' directive occurs |
− | #backend <other> | + | #backend <other> |
− | + | ||
− | ####################################################################### | + | ####################################################################### |
− | # Specific Directives for database #1, of type bdb: | + | # Specific Directives for database #1, of type bdb: |
− | # Database specific directives apply to this databasse until another | + | # Database specific directives apply to this databasse until another |
− | # 'database' directive occurs | + | # 'database' directive occurs |
− | database bdb | + | database bdb |
− | + | ||
− | # The base of your directory in database #1 | + | # The base of your directory in database #1 |
− | suffix "dc=mydomain,dc=net" | + | suffix "dc=mydomain,dc=net" |
− | + | ||
− | # rootdn directive for specifying a superuser on the database. This is needed | + | # rootdn directive for specifying a superuser on the database. This is needed |
− | # for syncrepl. | + | # for syncrepl. |
− | rootdn "cn=admin,dc=mydomain,dc=net" | + | rootdn "cn=admin,dc=mydomain,dc=net" |
− | rootpw {SSHA}EGBbPLdQg0o5RoUQBwIQBkymApuC/YFa | + | rootpw {SSHA}EGBbPLdQg0o5RoUQBwIQBkymApuC/YFa |
− | + | ||
− | + | # Where the database file are physically stored for database #1 | |
− | # Where the database file are physically stored for database #1 | + | directory "/var/lib/ldap/mydomain" |
− | directory "/var/lib/ldap/mydomain" | + | |
− | + | # For the Debian package we use 2MB as default but be sure to update this | |
− | # For the Debian package we use 2MB as default but be sure to update this | + | # value if you have plenty of RAM |
− | # value if you have plenty of RAM | + | dbconfig set_cachesize 0 2097152 0 |
− | dbconfig set_cachesize 0 2097152 0 | + | |
− | + | # Sven Hartge reported that he had to set this value incredibly high | |
− | # Sven Hartge reported that he had to set this value incredibly high | + | # to get slapd running at all. See http://bugs.debian.org/303057 |
− | # to get slapd running at all. See http://bugs.debian.org/303057 | + | # for more information. |
− | # for more information. | + | |
− | + | # Number of objects that can be locked at the same time. | |
− | # Number of objects that can be locked at the same time. | + | dbconfig set_lk_max_objects 1500 |
− | dbconfig set_lk_max_objects 1500 | + | # Number of locks (both requested and granted) |
− | # Number of locks (both requested and granted) | + | dbconfig set_lk_max_locks 1500 |
− | dbconfig set_lk_max_locks 1500 | + | # Number of lockers |
− | # Number of lockers | + | dbconfig set_lk_max_lockers 1500 |
− | dbconfig set_lk_max_lockers 1500 | + | |
− | + | # Indexing options for database #1 | |
− | # Indexing options for database #1 | + | index objectClass eq |
− | index objectClass eq | + | |
− | + | # Save the time that the entry gets modified, for database #1 | |
− | # Save the time that the entry gets modified, for database #1 | + | lastmod on |
− | lastmod on | + | |
− | + | # Where to store the replica logs for database #1 | |
− | # Where to store the replica logs for database #1 | + | # replogfile /var/lib/ldap/replog |
− | # replogfile /var/lib/ldap/replog | + | |
− | + | # The userPassword by default can be changed | |
− | # The userPassword by default can be changed | + | # by the entry owning it if they are authenticated. |
− | # by the entry owning it if they are authenticated. | + | # Others should not be able to see it, except the |
− | # Others should not be able to see it, except the | + | # admin entry below |
− | # admin entry below | + | # These access lines apply to database #1 only |
− | # These access lines apply to database #1 only | + | access to attrs=userPassword,shadowLastChange |
− | access to attrs=userPassword,shadowLastChange | + | by dn="cn=admin,dc=mydomain,dc=net" write |
− | + | by anonymous auth | |
− | + | by self write | |
− | + | by * none | |
− | + | ||
− | + | # Ensure read access to the base for things like | |
− | # Ensure read access to the base for things like | + | # supportedSASLMechanisms. Without this you may |
− | # supportedSASLMechanisms. Without this you may | + | # have problems with SASL not knowing what |
− | # have problems with SASL not knowing what | + | # mechanisms are available and the like. |
− | # mechanisms are available and the like. | + | # Note that this is covered by the 'access to *' |
− | # Note that this is covered by the 'access to *' | + | # ACL below too but if you change that as people |
− | # ACL below too but if you change that as people | + | # are wont to do you'll still need this if you |
− | # are wont to do you'll still need this if you | + | # want SASL (and possible other things) to work |
− | # want SASL (and possible other things) to work | + | # happily. |
− | # happily. | + | access to dn.base="" by * read |
− | access to dn.base="" by * read | + | |
− | + | # The admin dn has full write access, everyone else | |
− | # The admin dn has full write access, everyone else | + | # can read everything. |
− | # can read everything. | + | access to * |
− | access to * | + | by dn="cn=admin,dc=mydomain,dc=net" write |
− | + | by * read | |
− | + | ||
− | + | # For Netscape Roaming support, each user gets a roaming | |
− | # For Netscape Roaming support, each user gets a roaming | + | # profile for which they have write access to |
− | # profile for which they have write access to | + | #access to dn=".*,ou=Roaming,o=morsnet" |
− | #access to dn=".*,ou=Roaming,o=morsnet" | + | # by dn="cn=admin,dc=mydomain,dc=net" write |
− | # by dn="cn=admin,dc=mydomain,dc=net" write | + | # by dnattr=owner write |
− | # by dnattr=owner write | + | |
− | + | ####################################################################### | |
− | ####################################################################### | + | # Specific Directives for database #2, of type 'other' (can be bdb too): |
− | # Specific Directives for database #2, of type 'other' (can be bdb too): | + | # Database specific directives apply to this databasse until another |
− | # Database specific directives apply to this databasse until another | + | # 'database' directive occurs |
− | # 'database' directive occurs | + | #database <other> |
− | #database <other> | + | |
− | + | # The base of your directory for database #2 | |
− | # The base of your directory for database #2 | + | #suffix "dc=debian,dc=org" |
− | #suffix "dc=debian,dc=org" | + |
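Review bot: the five added lines under `access to attrs=userPassword,shadowLastChange` and `access to *` are the substantive change here, not a re-indent: as rendered in the earlier revision both directives had no `by` clauses at all, and an `access to` directive whose target matches but whose `by` list matches nobody denies the request, so anonymous could not obtain `auth` on userPassword, no simple bind other than the rootdn could succeed, and `access to *` without `by * read` left the rest of the tree unreadable to everyone but the rootdn. Two things in the same block still deserve a follow-up: the `rootpw` line publishes a real SSHA hash in a sample that readers will paste, so it should be a placeholder with a pointer to slappasswd, and the unchanged context line carries the typos "OpenLAP" and "Ubuntu 7.1" (Gutsy Gibbon is 7.10).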
Latest revision as of 15:50, 18 March 2008
Appendix A - ldapsync13.schema (OpenLDAP Servers)
A copy of ldapsync13.schema is provided because the copy included with the Scalix installation was incomplete in earlier releases.
# Copyright (C) 2006 Scalix Corporation. All rights reserved.
# OpenLDAP schema extension for Scalix omldapsync attributes
# For reference see OpenLDAP 2.1 Administrator's Guide
# Installation steps (requires root login):
#
# 1. Stop OpenLDAP slapd server (e.g. kill -INT `cat /var/run/slapd.pid`)
#
# 2. Copy this file to OpenLDAP schema sub directory (e.g. etc/openldap/schema)
#
# 3. Edit OpenLDAP slapd.conf file (e.g. /etc/openldap/slapd.conf) to:
#
#    a. Extend the schema by appending a reference to the 'include' section,
#       something like the following lines:
#
#       # include schema extension for Scalix omldapsync attributes
#       include /etc/openldap/schema/ldapsync13.schema
#
#    b. Ensure Scalix omldapsync has sufficient read access to all the data,
#       usually determined by the type of bind and the dn used.
#
#    c. Ensure Scalix omldapsync has a sufficient search limit to return all the
#       matching entries, usually determined by the 'sizelimit' setting used.
#
# 4. Start OpenLDAP slapd server (e.g. /usr/sbin/slapd)
#
# 5. Fix any error, repeat steps 1 to 4 as necessary.
#
# 6. Test add (e.g. /usr/bin/ldapadd -D "cn=Manager,dc=my-domain,dc=com") using
#    something like the following LDIF lines:
#
#    dn: cn=testuser scalix,dc=my-domain,dc=com
#    objectClass: inetOrgPerson
#    cn: testuser scalix
#    displayName: Testuser Scalix
#    sn: Scalix
#    mail: testuser@test.scalix.com
#    objectClass: scalixUserClass
#    scalixScalixObject: TRUE
#    scalixMailnode: ou1,ou2
#    scalixServerLanguage: ENGLISH
#    scalixAdministrator: TRUE
#    scalixMailboxAdministrator: FALSE
#    scalixEmailAddress: testuser@my-domain.com
#    scalixEmailAddress: testuser@my-domain.de
#    scalixLimitMailboxSize: 1024
#    scalixLimitOutboundMail: TRUE
#    scalixLimitInboundMail: FALSE
#    scalixLimitNotifyUser: TRUE
#    scalixHideUserEntry: FALSE
#    scalixMailboxClass: FULL
#
#    dn: cn=testgroup scalix,dc=my-domain,dc=com
#    objectClass: groupOfNames
#    cn: testgroup scalix
#    member: cn=testuser scalix,dc=my-domain,dc=com
#    objectClass: scalixGroupClass
#    scalixScalixObject: TRUE
#    scalixMailnode: ou1,ou2
#    displayName: Testgroup Scalix
#    scalixEmailAddress: testgroup@test.scalix.com
#    scalixHideUserEntry: TRUE
#
# 7. Test search (e.g. /usr/bin/ldapsearch -b "dc=my-domain,dc=com" -x -D ""
#    -w "" cn=*scalix) to check for read access and correct entries were added.

# define macro for Scalix root OID
objectIdentifier scalixOID 1.3.6.1.4.1.19049

# new attributes to describe a Scalix user or group object
# use 1.1.x from Scalix root OID
attributetype ( scalixOID:1.1.10
        NAME ( 'scalixScalixObject' )
        DESC 'boolean TRUE or FALSE for creating scalix mailbox/PDL object. If this is set to FALSE and the object is matched by the omldapsync filter, a Contact entry/Internet user is created. If set to true, a mailbox is setup. For Group/PDL objects, this must always be set to true'
        SINGLE-VALUE
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.11
        NAME ( 'scalixMailnode' )
        DESC 'Comma-separated org units for object.s mailnode. This is the Mailnode name as defined when the Scalix server was setup. In Multi-server environments, this is used to select on which server the object is to be created.'
        SINGLE-VALUE
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        ORDERING caseIgnoreOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( scalixOID:1.1.12
        NAME ( 'scalixAdministrator' )
        DESC 'Boolean TRUE or FALSE for admin capability. If set to TRUE, the user created will have full Scalix admin capabilities.'
        SINGLE-VALUE
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.13
        NAME ( 'scalixMailboxAdministrator' )
        DESC 'Boolean TRUE or FALSE for Mailbox Admin capability. A user with this flag set to TRUE can access ANY mailbox on a server through mboxadmin signon. This is usually only used for migration tools and typically not exposed through LDAP'
        SINGLE-VALUE
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.14
        NAME ( 'scalixServerLanguage' )
        DESC 'Message catalog language for client. This is one of the Scalix-supported languages found in /var/opt/scalix/nls/om_langs'
        SINGLE-VALUE
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        ORDERING caseIgnoreOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( scalixOID:1.1.15
        NAME ( 'scalixEmailAddress' )
        DESC 'List of SMTP addresses of user. This is a multi-valued attribute. The order is important as the first of these values is used as the outgoing from address of the user.'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        ORDERING caseIgnoreOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( scalixOID:1.1.16
        NAME ( 'scalixLimitMailboxSize' )
        DESC 'mailbox size limit for the user in MB'
        SINGLE-VALUE
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( scalixOID:1.1.17
        NAME ( 'scalixLimitOutboundMail' )
        DESC 'As Sanction on Mailbox quota overuse, stop user from sending mail. Set to TRUE or FALSE'
        SINGLE-VALUE
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.18
        NAME ( 'scalixLimitInboundMail' )
        DESC 'As Sanction on Mailbox quota overuse, stop user from receiving mail. Set to TRUE or FALSE'
        SINGLE-VALUE
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.19
        NAME ( 'scalixLimitNotifyUser' )
        DESC 'As Sanction on Mailbox quota overuse, notify the User by eMail. Set to TRUE or FALSE'
        SINGLE-VALUE
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.20
        NAME ( 'scalixHideUserEntry' )
        DESC 'Hide User Entry from Addressbook. Set to TRUE or FALSE'
        SINGLE-VALUE
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

attributetype ( scalixOID:1.1.21
        NAME ( 'scalixMailboxClass' )
        DESC 'Class of User Mailbox FULL or LIMITED. This maps to Premium or Standard users as defined by Scalix User licensing policy'
        SINGLE-VALUE
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        ORDERING caseIgnoreOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

# auxiliary classes for scalix User and group
# use 1.2.x from Scalix root OID
objectclass ( scalixOID:1.2.10
        NAME 'scalixUserClass'
        DESC 'Supplemental class containing the Scalix User-related attributes'
        AUXILIARY
        MUST ( scalixScalixObject $ scalixMailnode )
        MAY ( scalixAdministrator $ scalixMailboxAdministrator $ scalixServerLanguage $ scalixEmailAddress $ scalixLimitMailboxSize $ scalixLimitOutboundMail $ scalixLimitInboundMail $ scalixLimitNotifyUser $ scalixHideUserEntry $ scalixMailboxClass ) )

objectclass ( scalixOID:1.2.11
        NAME 'scalixGroupClass'
        DESC 'Supplemental class containing the Scalix Group-related attributes'
        AUXILIARY
        MUST ( scalixScalixObject $ scalixMailnode )
        MAY ( displayName $ scalixEmailAddress $ scalixHideUserEntry ) )
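The installation notes in the schema header end with a test add and a test search. The following Python script is an added example, not Scalix code: it reads the attributetype/objectclass definitions (in the form used above, or the attributeTypes:/objectClasses: form of the Sun ONE LDIF in Appendix B) with a minimal parser, not a full RFC 4512 one, expands the scalixOID macro, and checks LDIF entries for the things slapd rejects with a terse error: missing MUST attributes, attributes no object class permits, multiple values on a SINGLE-VALUE attribute, and values that are not TRUE/FALSE or integers where the syntax demands them. SCHEMA_TEXT is a constructed excerpt of the schema with DESC strings shortened, TEST_LDIF is constructed test data, and the LDIF reader skips base64 (::) values.

```python
"""Check Scalix LDIF entries against ldapsync13.schema before running ldapadd.

Added example, not Scalix code: a minimal reader for attributetype/objectclass definitions
(Appendix A form or the attributeTypes:/objectClasses: form of Appendix B, not full RFC 4512)
drives the checks slapd would reject an entry on. SCHEMA_TEXT is a constructed excerpt with
DESC strings shortened; TEST_LDIF is constructed test data.
"""
import re

BOOLEAN, INTEGER = "1.3.6.1.4.1.1466.115.121.1.7", "1.3.6.1.4.1.1466.115.121.1.27"

SCHEMA_TEXT = """
objectIdentifier scalixOID 1.3.6.1.4.1.19049
attributetype ( scalixOID:1.1.10 NAME ( 'scalixScalixObject' ) DESC 'mailbox or contact'
    SINGLE-VALUE EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
attributetype ( scalixOID:1.1.11 NAME ( 'scalixMailnode' ) DESC 'mailnode'
    SINGLE-VALUE EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
attributetype ( scalixOID:1.1.15 NAME ( 'scalixEmailAddress' ) DESC 'SMTP addresses'
    EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
attributetype ( scalixOID:1.1.16 NAME ( 'scalixLimitMailboxSize' ) DESC 'quota in MB'
    SINGLE-VALUE EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
objectclass ( scalixOID:1.2.10 NAME 'scalixUserClass' DESC 'user' AUXILIARY
    MUST ( scalixScalixObject $ scalixMailnode ) MAY ( scalixEmailAddress $ scalixLimitMailboxSize ) )
objectclass ( scalixOID:1.2.11 NAME 'scalixGroupClass' DESC 'group' AUXILIARY
    MUST ( scalixScalixObject $ scalixMailnode ) MAY ( displayName $ scalixEmailAddress ) )
"""

TEST_LDIF = """\
dn: cn=testuser scalix,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: scalixUserClass
scalixScalixObject: TRUE
scalixMailnode: ou1,ou2
scalixEmailAddress: testuser@my-domain.com
scalixEmailAddress: testuser@my-domain.de
scalixLimitMailboxSize: 1024

dn: cn=broken scalix,dc=my-domain,dc=com
objectClass: scalixGroupClass
scalixScalixObject: yes
scalixScalixObject: no
scalixLimitMailboxSize: 1GB
"""

def parse_schema(text):
    """Return (attrs, classes) dicts keyed by lower-cased name, with OID macros expanded."""
    macros, attrs, classes = dict(re.findall(r"^objectIdentifier\s+(\w+)\s+([\d.]+)", text, re.M)), {}, {}
    for m in re.finditer(r"^(attributetype|attributeTypes:|objectclass|objectClasses:)\s*\(", text, re.M):
        depth, i = 1, m.end()
        while depth:                                  # scan to the matching ')'
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        body = " ".join(text[m.end():i - 1].split())
        oid = re.sub(r"^(\w+):", lambda mm: macros[mm.group(1)] + ".", body.split()[0])  # scalixOID:1.1.10 -> 1.3.6...
        name = re.search(r"NAME\s*\(?\s*'(\w+)'", body).group(1)
        if m.group(1).lower().startswith("attr"):
            attrs[name.lower()] = {"name": name, "oid": oid, "single": "SINGLE-VALUE" in body,
                                   "syntax": re.search(r"SYNTAX\s+([\d.]+)", body).group(1)}
        else:
            lists = {kw: re.search(kw + r"\s*\(([^)]*)\)", body) for kw in ("MUST", "MAY")}
            classes[name.lower()] = {"name": name, "oid": oid, **{
                kw.lower(): [a.strip().lower() for a in mm.group(1).split("$")] if mm else []
                for kw, mm in lists.items()}}
    return attrs, classes

def parse_ldif(text):
    """Minimal LDIF reader (no base64 '::' values): one dict per entry, names lower-cased."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:             # the trailing "" flushes the last entry
        if line.strip():
            key, _, value = line.partition(":")
            cur.setdefault(key.strip().lower(), []).append(value.strip())
        elif cur:                                     # a blank line ends the entry
            entries.append(cur)
            cur = {}
    return entries

def validate(entry, attrs, classes):
    """Return the problems slapd's schema check would report for one entry."""
    dn, problems, allowed = entry["dn"][0], [], set()
    ocs = [o.lower() for o in entry.get("objectclass", []) if o.lower() in classes]
    for oc in ocs:
        allowed.update(classes[oc]["must"] + classes[oc]["may"])
        problems += [f"{dn}: {classes[oc]['name']} requires {attrs[req]['name']}"
                     for req in classes[oc]["must"] if req not in entry]
    for name, spec in ((n, attrs[n]) for n in entry if n in attrs):   # only Scalix attributes
        values = entry[name]
        if name not in allowed:
            problems.append(f"{dn}: {spec['name']} is not allowed by the entry's object classes")
        if spec["single"] and len(values) > 1:
            problems.append(f"{dn}: {spec['name']} is SINGLE-VALUE but has {len(values)} values")
        for v in values:
            if spec["syntax"] == BOOLEAN and v not in ("TRUE", "FALSE"):
                problems.append(f"{dn}: {spec['name']} must be TRUE or FALSE, got {v!r}")
            elif spec["syntax"] == INTEGER and not re.fullmatch(r"-?\d+", v):
                problems.append(f"{dn}: {spec['name']} must be an integer, got {v!r}")
    return problems

def check_ldif(ldif_text=TEST_LDIF, schema_text=SCHEMA_TEXT):
    """Map each DN to its problems; an empty list means the entry is safe to ldapadd."""
    attrs, classes = parse_schema(schema_text)
    return {e["dn"][0]: validate(e, attrs, classes) for e in parse_ldif(ldif_text)}
```

Run check_ldif() on your own LDIF and the real schema file before step 6: the first constructed entry comes back clean, the second reports six problems (the missing scalixMailnode, two non-boolean values on a single-valued attribute, a quota that is not an integer, and an attribute the group class does not allow), which is exactly the list you would otherwise reconstruct from slapd's one-line "Object class violation" or "invalid syntax" reply.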
Appendix B - 90Scalix.ldif (Sun ONE Directory Servers)
This is the schema as dumped from a Sun ONE Directory Server's cn=schema entry, aci and modify* attributes included; only the attributeTypes and objectClasses lines are Scalix's. Two differences from the OpenLDAP schema in Appendix A are worth checking before you load it: the OIDs are bare 1.1.x and 1.2.x values rather than under the Scalix arc 1.3.6.1.4.1.19049, and both object classes are declared STRUCTURAL rather than AUXILIARY, so confirm that your server accepts adding them to an existing inetOrgPerson entry before bulk-loading.

dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0; acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn = "ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn = "ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Local Directory Administrators Group "; allow (all) groupdn = "ldap:///cn=Directory Administrators, dc=mydomain,dc=net";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)groupdn = "ldap:///cn=slapd-fubar, cn=Sun ONE Directory Server, cn=Server Group, cn=fubar.mydomain.net, ou=mydomain.net, o=NetscapeRoot";)
modifiersName: cn=directory manager
modifyTimestamp: 20080205163801Z
attributeTypes: ( 1.1.13 NAME 'scalixMailboxAdministrator' DESC 'Boolean TRUE or FALSE for Mailbox Admin capability. A user with this flag set to TRUE can access ANY mailbox on a server through mboxadmin signon. This is usually only used for migration tools and typically not exposed through LDAP' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.18 NAME 'scalixLimitInboundMail' DESC 'As Sanction on Mailbox quota overuse, stop user from receiving mail. Set to TRUE or FALSE' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.10 NAME 'scalixScalixObject' DESC 'boolean TRUE or FALSE for creating scalix mailbox/PDL object. If this is set to FALSE and the object is matched by the omldapsync filter, a Contact entry/Internet user is created. If set to true, a mailbox is setup. For Group/PDL objects, this must always be set to true.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.15 NAME 'scalixEmailAddress' DESC 'List of SMTP addresses of user. This is a multi-valued attribute. The order is important as the first of these values is used as the outgoing from address of the user.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.20 NAME 'scalixHideUserEntry' DESC 'Hide User Entry from Addressbook. Set to TRUE or FALSE' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.12 NAME 'scalixAdministrator' DESC 'Boolean TRUE or FALSE for admin capability. If set to TRUE, the user created will have full Scalix admin capabilities.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.17 NAME 'scalixLimitOutboundMail' DESC 'As Sanction on Mailbox quota overuse, stop user from sending mail. Set to TRUE or FALSE' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.14 NAME 'scalixServerLanguage' DESC 'Message catalog language for client. This is one of the Scalix-supported languages found in /var/opt/scalix/nls/om_langs' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.19 NAME 'scalixLimitNotifyUser' DESC 'As Sanction on Mailbox quota overuse, notify the User by eMail. Set to TRUE or FALSE' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.11 NAME 'scalixMailnode' DESC 'Comma-separated org units for object.s mailnode. This is the Mailnode name as defined when the Scalix server was setup. In Multi-server environments, this is used to select on which server the object is to be created.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.16 NAME 'scalixLimitMailboxSize' DESC 'mailbox size limit for the user in MB' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.1.21 NAME 'scalixMailboxClass' DESC 'Class of User Mailbox FULL or LIMITED. This maps to Premium or Standard users as defined by Scalix User licensing policy' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
objectClasses: ( 1.2.10 NAME 'scalixUserClass' SUP top STRUCTURAL MUST ( scalixMailnode $ scalixScalixObject ) MAY ( scalixAdministrator $ scalixEmailAddress $ scalixHideUserEntry $ scalixLimitInboundMail $ scalixLimitMailboxSize $ scalixLimitNotifyUser $ scalixLimitOutboundMail $ scalixMailboxAdministrator $ scalixMailboxClass $ scalixServerLanguage ) X-ORIGIN 'user defined' )
objectClasses: ( 1.2.11 NAME 'scalixGroupClass' SUP top STRUCTURAL MUST ( scalixMailnode $ scalixScalixObject ) MAY ( displayName $ scalixEmailAddress $ scalixHideUserEntry ) X-ORIGIN 'user defined' )
Appendix C - slapd.conf (OpenLDAP Server)
This is a sample slapd.conf file taken from OpenLDAP version 2.3.35 running on Ubuntu 7.10 (Gutsy Gibbon). Your slapd.conf file may be more or less complex than this one. It keeps the Debian default of anonymous read access to everything except userPassword and shadowLastChange, which is what lets an anonymous omldapsync bind read the directory; if you tighten the final "access to *" directive, give the DN that omldapsync binds with read access and keep "by anonymous auth" on userPassword, otherwise simple binds fail.
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/ldapsync13.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel        256

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb

# The maximum number of entries that are returned for a search operation;
# omldapsync needs this to be at least the number of entries it synchronises.
sizelimit       5000

# The tool-threads parameter sets the actual number of CPUs that are used
# for indexing.
tool-threads    1

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         bdb
checkpoint      512 30

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend        <other>

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          "dc=mydomain,dc=net"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl. The rootdn is never subject to the access directives below.
rootdn          "cn=admin,dc=mydomain,dc=net"
# Sample hash only: generate your own with slappasswd and never reuse this one.
rootpw          {SSHA}EGBbPLdQg0o5RoUQBwIQBkymApuC/YFa

# Where the database files are physically stored for database #1
directory       "/var/lib/ldap/mydomain"

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0

# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057
# for more information.

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indexing options for database #1
index           objectClass eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# Where to store the replica logs for database #1
# replogfile    /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
# 'by anonymous auth' lets a simple bind verify the password without
# anyone being able to read the hash.
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=mydomain,dc=net" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=mydomain,dc=net" write
        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=mydomain,dc=net" write
#        by dnattr=owner write

#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database       <other>

# The base of your directory for database #2
#suffix         "dc=debian,dc=org"
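The three access directives above decide who can bind and who can read password hashes, and the order of their by clauses matters. The following Python script is an added example, not OpenLDAP or Scalix code: it models the slapd.access(5) evaluation rules for the selector forms this file uses (first matching "access to" wins, its first matching "by" clause decides, otherwise the request is denied, and the rootdn bypasses access control) and asks the questions a practitioner asks of the ACL block as published, of the variant the earlier wiki revision rendered (the two multi-line directives without their by clauses), and of a common simplification that drops the userPassword directive. The DNs uid=alice and uid=bob are constructed; a request no directive matches is treated as denied, and the separate check on the entry pseudo-attribute is not modelled, so confirm anything surprising with slapacl against the real server.

```python
"""Evaluate the Appendix C access directives the way slapd does.

Added example, not OpenLDAP or Scalix code: a small model of the slapd.access(5) rules
(first matching 'access to' wins, its first matching 'by' clause decides, otherwise the
request is denied; the rootdn bypasses ACLs). It covers only the <what>/<who> forms the
appendix uses (*, attrs=, dn.base="", dn=, anonymous, self, users, *) and ignores the
separate 'entry' pseudo-attribute check. GOOD_ACL is a constructed excerpt of the file
above; OLD_ACL and LEAKY_ACL are constructed variants; USER and OTHER are constructed DNs.
"""
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]   # 2.3 order; 2.4 adds disclose/manage
ADMIN = "cn=admin,dc=mydomain,dc=net"
USER = "uid=alice,ou=people,dc=mydomain,dc=net"                     # constructed
OTHER = "uid=bob,ou=people,dc=mydomain,dc=net"                      # constructed

GOOD_ACL = """
rootdn "cn=admin,dc=mydomain,dc=net"
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=mydomain,dc=net" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=mydomain,dc=net" write
        by * read
"""

# The earlier wiki revision rendered both multi-line directives without their 'by' clauses.
OLD_ACL = "\n".join(l for l in GOOD_ACL.splitlines() if not l.strip().startswith("by "))

# A common "simplification": drop the userPassword directive, so 'access to *' governs it.
LEAKY_ACL = re.sub(r"access to attrs=.*?(?=\naccess)", "", GOOD_ACL, flags=re.S)


def parse_acls(text):
    """Return (rootdn, [(what, [(who, level), ...]), ...]) from slapd.conf text."""
    text = re.sub(r"\n[ \t]+", " ", text)              # join indented continuation lines
    rootdn = re.search(r'^rootdn\s+"([^"]*)"', text, re.M)
    acls = []
    for m in re.finditer(r"^access to (.+)$", text, re.M):
        what, *clauses = re.split(r"\s+by\s+", m.group(1).strip())
        acls.append((what, [tuple(c.rsplit(None, 1)) for c in clauses]))
    return (rootdn.group(1) if rootdn else None), acls


def what_matches(what, target_dn, attr):
    """Does the <what> selector cover this entry/attribute? Appendix forms only."""
    if what.startswith("attrs="):
        return attr is not None and attr.lower() in what[6:].lower().split(",")
    if what.startswith("dn.base="):
        return target_dn.lower() == what[8:].strip('"').lower()
    return what == "*"


def who_matches(who, requester, target_dn):
    """Does the <who> selector match the bound DN (None = anonymous)? Appendix forms only."""
    if who.startswith("dn="):
        return requester is not None and requester.lower() == who[3:].strip('"').lower()
    return {"*": True, "anonymous": requester is None, "users": requester is not None,
            "self": requester is not None and requester.lower() == target_dn.lower()}[who]


def granted(config, requester, target_dn, attr=None):
    """Privilege level slapd grants: first matching 'access to', then its first matching 'by'."""
    rootdn, acls = parse_acls(config)
    if requester is not None and rootdn and requester.lower() == rootdn.lower():
        return "write"                                  # rootdn is never subject to ACLs
    for what, clauses in acls:
        if what_matches(what, target_dn, attr):
            for who, level in clauses:
                if who_matches(who, requester, target_dn):
                    return level                        # first matching 'by' clause decides
            return "none"                               # directive matched, no 'by' clause did
    return "none"                                       # nothing matched: treated as denied here


def allows(config, requester, target_dn, attr, needed):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted(config, requester, target_dn, attr)) >= LEVELS.index(needed)


def report(config):
    """The questions a practitioner asks of a password ACL; a simple bind needs 'auth'."""
    return {
        "anonymous can bind (auth on userPassword)": allows(config, None, USER, "userPassword", "auth"),
        "anonymous can read a password hash": allows(config, None, USER, "userPassword", "read"),
        "user can change own password": allows(config, USER, USER, "userPassword", "write"),
        "user can read another user's hash": allows(config, USER, OTHER, "userPassword", "read"),
        "anonymous can read cn": allows(config, None, USER, "cn", "read"),
    }
```

With the ACL as published, report(GOOD_ACL) shows anonymous getting auth on userPassword (so simple binds work) but not read, users able to write their own password and read nobody else's, and everything else readable by all. With the by clauses missing, every answer is False, which is the state in which no simple bind except the rootdn succeeds. With the userPassword directive dropped, anonymous can read every hash through "access to * ... by * read", which is why that directive has to stay ahead of the catch-all.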