serverID %(serverid)s
moduleload back_%(database)s
moduleload memberof
%(include_directives)s
loglevel %(loglevel)s
#allow bind_v2
database %(database)s
directory "%(directory)s"
suffix "%(suffix)s"
rootdn "%(rootdn)s"
rootpw "%(rootpw)s"
TLSCACertificateFile "%(cafile)s"
TLSCertificateFile "%(servercert)s"
TLSCertificateKeyFile "%(serverkey)s"
authz-regexp
  "gidnumber=%(root_gid)s\\+uidnumber=%(root_uid)s,cn=peercred,cn=external,cn=auth"
  "%(rootdn)s"

index  objectClass                   eq
index  uid,sudoUser                  eq,sub
index  entryCSN,entryUUID            eq
index  cn,mail                       eq
index  gidNumber,uidNumber           eq
index  member,memberUid,uniqueMember eq
index  virtualdomain                 eq

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=yunohost,dc=org" write
        by dn.exact="gidNumber=%(root_gid)s+uidnumber=%(root_uid)s,cn=peercred,cn=external,cn=auth" write
        by anonymous auth
        by self write
        by * none

# Personnal information can be changed by the entry
# owning it if they are authenticated.
# Others should be able to see it.
access to attrs=cn,gecos,givenName,mail,maildrop,displayName,sn
        by dn="cn=admin,dc=yunohost,dc=org" write
        by dn.exact="gidNumber=%(root_gid)s+uidnumber=%(root_uid)s,cn=peercred,cn=external,cn=auth" write
        by self write
        by * read

# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible ldap_files things) to work
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=yunohost,dc=org" write
        by dn.exact="gidNumber=%(root_gid)s+uidnumber=%(root_uid)s,cn=peercred,cn=external,cn=auth" write
        by group/groupOfNames/Member="cn=admin,ou=groups,dc=yunohost,dc=org" write
        by * read

# Configure Memberof Overlay (used for Yunohost permission)

# Link user <-> group
#dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
overlay                 memberof
memberof-group-oc       groupOfNamesYnh
memberof-member-ad      member
memberof-memberof-ad    memberOf
memberof-dangling       error
memberof-refint         TRUE

# Link permission <-> groupes
#dn: olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config
overlay                 memberof
memberof-group-oc       permissionYnh
memberof-member-ad      groupPermission
memberof-memberof-ad    permission
memberof-dangling       error
memberof-refint         TRUE

# Link permission <-> user
#dn: olcOverlay={2}memberof,olcDatabase={1}mdb,cn=config
overlay                 memberof
memberof-group-oc       permissionYnh
memberof-member-ad      inheritPermission
memberof-memberof-ad    permission
memberof-dangling       error
memberof-refint         TRUE