mirror of
https://github.com/YunoHost/yunohost.git
synced 2024-09-03 20:06:10 +02:00
236 lines
7 KiB
Text
236 lines
7 KiB
Text
# OpenLDAP server configuration for YunoHost
|
|
# ------------------------------------------
|
|
#
|
|
# Because of the YunoHost's regen-conf mechanism, it is NOT POSSIBLE to
|
|
# edit the config database using an LDAP request.
|
|
#
|
|
# If you wish to edit the config database, you should edit THIS file
|
|
# and update the config database based on this file.
|
|
#
|
|
# Config database customization:
|
|
# 1. Edit this file as you want.
|
|
# 2. Apply your modifications. For this just run this following command in a shell:
|
|
# $ /usr/share/yunohost/hooks/conf_regen/06-slapd apply_config
|
|
#
|
|
# Note that if you customize this file, YunoHost's regen-conf will NOT
|
|
# overwrite this file. But that also means that you should be careful about
|
|
# upgrades, because they may ship important/necessary changes to this
|
|
# configuration that you will have to propagate yourself.
|
|
|
|
#
|
|
# Main configuration
|
|
#
|
|
dn: cn=config
|
|
objectClass: olcGlobal
|
|
cn: config
|
|
olcConfigFile: /etc/ldap/slapd.conf
|
|
olcConfigDir: /etc/ldap/slapd.d/
|
|
# List of arguments that were passed to the server
|
|
olcArgsFile: /var/run/slapd/slapd.args
|
|
#
|
|
olcAttributeOptions: lang-
|
|
olcAuthzPolicy: none
|
|
olcConcurrency: 0
|
|
olcConnMaxPending: 100
|
|
olcConnMaxPendingAuth: 1000
|
|
olcSizeLimit: 50000
|
|
olcIdleTimeout: 0
|
|
olcIndexSubstrIfMaxLen: 4
|
|
olcIndexSubstrIfMinLen: 2
|
|
olcIndexSubstrAnyLen: 4
|
|
olcIndexSubstrAnyStep: 2
|
|
olcIndexIntLen: 4
|
|
olcListenerThreads: 1
|
|
olcLocalSSF: 71
|
|
# Read slapd.conf(5) for possible values
|
|
olcLogLevel: None
|
|
# Where the pid file is put. The init.d script
|
|
# will not stop the server if you change this.
|
|
olcPidFile: /var/run/slapd/slapd.pid
|
|
olcReverseLookup: FALSE
|
|
olcThreads: 16
|
|
# TLS Support
|
|
olcTLSCertificateFile: /etc/yunohost/certs/yunohost.org/crt.pem
|
|
olcTLSCertificateKeyFile: /etc/yunohost/certs/yunohost.org/key.pem
|
|
olcTLSVerifyClient: never
|
|
olcTLSProtocolMin: 0.0
|
|
# The tool-threads parameter sets the actual amount of cpu's that is used
|
|
# for indexing.
|
|
olcToolThreads: 1
|
|
structuralObjectClass: olcGlobal
|
|
|
|
#
|
|
# Schema and objectClass definitions
|
|
#
|
|
dn: cn=schema,cn=config
|
|
objectClass: olcSchemaConfig
|
|
cn: schema
|
|
|
|
include: file:///etc/ldap/schema/core.ldif
|
|
include: file:///etc/ldap/schema/cosine.ldif
|
|
include: file:///etc/ldap/schema/nis.ldif
|
|
include: file:///etc/ldap/schema/inetorgperson.ldif
|
|
include: file:///etc/ldap/schema/mailserver.ldif
|
|
include: file:///etc/ldap/schema/sudo.ldif
|
|
include: file:///etc/ldap/schema/permission.ldif
|
|
|
|
#
|
|
# Module management
|
|
#
|
|
dn: cn=module{0},cn=config
|
|
objectClass: olcModuleList
|
|
cn: module{0}
|
|
# Where the dynamically loaded modules are stored
|
|
olcModulePath: /usr/lib/ldap
|
|
olcModuleLoad: {0}back_mdb
|
|
olcModuleLoad: {1}memberof
|
|
structuralObjectClass: olcModuleList
|
|
|
|
#
|
|
# Frontend database
|
|
#
|
|
dn: olcDatabase={-1}frontend,cn=config
|
|
objectClass: olcDatabaseConfig
|
|
objectClass: olcFrontendConfig
|
|
olcDatabase: {-1}frontend
|
|
olcAddContentAcl: FALSE
|
|
olcLastMod: TRUE
|
|
olcSchemaDN: cn=Subschema
|
|
# Hashes to be used in generation of user passwords
|
|
olcPasswordHash: {SSHA}
|
|
structuralObjectClass: olcDatabaseConfig
|
|
|
|
#
|
|
# Config database Configuration (#0)
|
|
#
|
|
dn: olcDatabase={0}config,cn=config
|
|
objectClass: olcDatabaseConfig
|
|
olcDatabase: {0}config
|
|
# Give access to root user.
|
|
# This give the possiblity to the admin to customize the LDAP configuration
|
|
olcAccess: {0}to * by * none
|
|
olcAddContentAcl: TRUE
|
|
olcLastMod: TRUE
|
|
olcRootDN: cn=config
|
|
structuralObjectClass: olcDatabaseConfig
|
|
|
|
#
|
|
# Main database Configuration (#1)
|
|
#
|
|
dn: olcDatabase={1}mdb,cn=config
|
|
objectClass: olcDatabaseConfig
|
|
objectClass: olcMdbConfig
|
|
olcDatabase: {1}mdb
|
|
# The base of your directory in database #1
|
|
olcSuffix: dc=yunohost,dc=org
|
|
#
|
|
# The userPassword by default can be changed
|
|
# by the entry owning it if they are authenticated.
|
|
# Others should not be able to see it, except the
|
|
# admin entry below
|
|
# These access lines apply to database #1 only
|
|
olcAccess: {0}to attrs=userPassword,shadowLastChange
|
|
by dn.base="cn=admin,dc=yunohost,dc=org" write
|
|
by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
|
|
by anonymous auth
|
|
by self write
|
|
by * none
|
|
#
|
|
# Personnal information can be changed by the entry
|
|
# owning it if they are authenticated.
|
|
# Others should be able to see it.
|
|
olcAccess: {1}to attrs=cn,gecos,givenName,mail,maildrop,displayName,sn
|
|
by dn.base="cn=admin,dc=yunohost,dc=org" write
|
|
by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
|
|
by self write
|
|
by * read
|
|
#
|
|
# Ensure read access to the base for things like
|
|
# supportedSASLMechanisms. Without this you may
|
|
# have problems with SASL not knowing what
|
|
# mechanisms are available and the like.
|
|
# Note that this is covered by the 'access to *'
|
|
# ACL below too but if you change that as people
|
|
# are wont to do you'll still need this if you
|
|
# want SASL (and possible other things) to work
|
|
# happily.
|
|
olcAccess: {2}to dn.base=""
|
|
by * read
|
|
#
|
|
# The admin dn has full write access, everyone else
|
|
# can read everything.
|
|
olcAccess: {3}to *
|
|
by dn.base="cn=admin,dc=yunohost,dc=org" write
|
|
by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
|
|
by group/groupOfNames/member.exact="cn=admin,ou=groups,dc=yunohost,dc=org" write
|
|
by * read
|
|
#
|
|
olcAddContentAcl: FALSE
|
|
# Save the time that the entry gets modified, for database #1
|
|
olcLastMod: TRUE
|
|
# Where the database file are physically stored for database #1
|
|
olcDbDirectory: /var/lib/ldap
|
|
# Checkpoint the BerkeleyDB database periodically in case of system
|
|
# failure and to speed slapd shutdown.
|
|
olcDbCheckpoint: 512 30
|
|
olcDbNoSync: FALSE
|
|
# Indexing options for database #1
|
|
olcDbIndex: objectClass eq
|
|
olcDbIndex: entryUUID eq
|
|
olcDbIndex: entryCSN eq
|
|
olcDbIndex: cn eq
|
|
olcDbIndex: uid eq,sub
|
|
olcDbIndex: uidNumber eq
|
|
olcDbIndex: gidNumber eq
|
|
olcDbIndex: sudoUser eq,sub
|
|
olcDbIndex: member eq
|
|
olcDbIndex: mail eq
|
|
olcDbIndex: memberUid eq
|
|
olcDbIndex: uniqueMember eq
|
|
olcDbIndex: virtualdomain eq
|
|
olcDbIndex: permission eq
|
|
olcDbMaxSize: 104857600
|
|
structuralObjectClass: olcMdbConfig
|
|
|
|
#
|
|
# Configure Memberof Overlay (used for YunoHost permission)
|
|
#
|
|
|
|
# Link user <-> group
|
|
dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
|
|
objectClass: olcOverlayConfig
|
|
objectClass: olcMemberOf
|
|
olcOverlay: {0}memberof
|
|
olcMemberOfDangling: error
|
|
olcMemberOfDanglingError: constraintViolation
|
|
olcMemberOfRefInt: TRUE
|
|
olcMemberOfGroupOC: groupOfNamesYnh
|
|
olcMemberOfMemberAD: member
|
|
olcMemberOfMemberOfAD: memberOf
|
|
structuralObjectClass: olcMemberOf
|
|
|
|
# Link permission <-> groupes
|
|
dn: olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config
|
|
objectClass: olcOverlayConfig
|
|
objectClass: olcMemberOf
|
|
olcOverlay: {1}memberof
|
|
olcMemberOfDangling: error
|
|
olcMemberOfDanglingError: constraintViolation
|
|
olcMemberOfRefInt: TRUE
|
|
olcMemberOfGroupOC: permissionYnh
|
|
olcMemberOfMemberAD: groupPermission
|
|
olcMemberOfMemberOfAD: permission
|
|
structuralObjectClass: olcMemberOf
|
|
|
|
# Link permission <-> user
|
|
dn: olcOverlay={2}memberof,olcDatabase={1}mdb,cn=config
|
|
objectClass: olcOverlayConfig
|
|
objectClass: olcMemberOf
|
|
olcOverlay: {2}memberof
|
|
olcMemberOfDangling: error
|
|
olcMemberOfDanglingError: constraintViolation
|
|
olcMemberOfRefInt: TRUE
|
|
olcMemberOfGroupOC: permissionYnh
|
|
olcMemberOfMemberAD: inheritPermission
|
|
olcMemberOfMemberOfAD: permission
|
|
structuralObjectClass: olcMemberOf
|