git-svn-id: http://svn.calculate.ru/calculate2/calculate-server/trunk@1665 c91db197-33c1-4113-bf15-f8a5c547ca64develop
parent
05ebf16a7e
commit
d887b95de0
@ -0,0 +1,212 @@
|
||||
# Calculate format=ldap\
|
||||
chmod=0640\
|
||||
chown=root:ldap\
|
||||
append=replace
|
||||
include /etc/openldap/schema/core.schema
|
||||
include /etc/openldap/schema/cosine.schema
|
||||
include /etc/openldap/schema/nis.schema
|
||||
include /etc/openldap/schema/inetorgperson.schema
|
||||
include /etc/openldap/schema/misc.schema
|
||||
#?sr_samba_set==on||cl_pass_service==samba#
|
||||
include /etc/openldap/schema/samba.schema
|
||||
#sr_samba_set#
|
||||
#?sr_mail_set==on||cl_pass_service==mail#
|
||||
include /etc/openldap/schema/mail.schema
|
||||
#sr_mail_set#
|
||||
#?pkg(openldap)<2.4#schemacheck on#pkg#
|
||||
|
||||
pidfile /var/run/openldap/slapd.pid
|
||||
argsfile /var/run/openldap/slapd.arg
|
||||
|
||||
# Уровень отладочных сообщений
|
||||
loglevel 0
|
||||
allow bind_v2
|
||||
modulepath /usr/lib/openldap/openldap
|
||||
|
||||
# Доступ к аттрибуту userPassword
|
||||
access to attrs=userPassword
|
||||
by self write
|
||||
by dn="#-ld_admin_dn-#" write
|
||||
#?sr_samba_set==on||cl_pass_service==samba#
|
||||
by dn="#-ld_samba_dn-#" write
|
||||
#sr_samba_set#
|
||||
#?sr_unix_set==on||cl_pass_service==unix#
|
||||
by dn="#-ld_unix_dn-#" write
|
||||
#sr_unix_set#
|
||||
#?sr_mail_set==on||cl_pass_service==mail#
|
||||
by dn="#-ld_mail_dn-#" read
|
||||
#sr_mail_set#
|
||||
#?sr_jabber_set==on||cl_pass_service==jabber#
|
||||
by dn="#-ld_jabber_dn-#" read
|
||||
#sr_jabber_set#
|
||||
#?sr_ftp_set==on||cl_pass_service==ftp#
|
||||
by dn="#-ld_ftp_dn-#" read
|
||||
#sr_ftp_set#
|
||||
#?sr_proxy_set==on||cl_pass_service==proxy#
|
||||
by dn="#-ld_proxy_dn-#" read
|
||||
#sr_proxy_set#
|
||||
#Доступ к аттрибуту password репликатора
|
||||
#?pkg(openldap)>2.4&ld_repl_set==on&ld_repl_id!=#
|
||||
by dn="#-ld_repl_dn-#" write
|
||||
#pkg#
|
||||
by * auth
|
||||
|
||||
# Доступ к аттрибутам Samba
|
||||
#?sr_samba_set==on||cl_pass_service==samba#
|
||||
access to attrs=sambaLMPassword,sambaNTPassword
|
||||
by dn="#-ld_admin_dn-#" write
|
||||
by dn="#-ld_samba_dn-#" write
|
||||
#sr_samba_set#
|
||||
#Доступ к аттрибутам Samba репликатора
|
||||
#?pkg(openldap)>2.4&ld_repl_set==on&sr_samba_set==on&ld_repl_id!=||pkg(openldap)>2.4&ld_repl_set==on&cl_pass_service==samba&ld_repl_id!=#
|
||||
by dn="#-ld_repl_dn-#" write
|
||||
#pkg#
|
||||
#?sr_samba_set==on||cl_pass_service==samba#
|
||||
by * none
|
||||
#sr_samba_set#
|
||||
|
||||
# Доступ к пользователю только для просмотра
|
||||
access to dn.base="#-ld_bind_dn-#"
|
||||
by dn="#-ld_admin_dn-#" write
|
||||
by dn="#-ld_bind_dn-#" read
|
||||
by * none
|
||||
|
||||
# Доступ к администратору сервера LDAP
|
||||
access to dn.base="#-ld_admin_dn-#"
|
||||
by dn="#-ld_admin_dn-#" write
|
||||
by * none
|
||||
|
||||
# Доступ к ветке Samba
|
||||
#?sr_samba_set==on||cl_pass_service==samba#
|
||||
access to dn.regex=".*#-ld_samba_dn-#$"
|
||||
by dn="#-ld_admin_dn-#" write
|
||||
by dn="#-ld_samba_dn-#" write
|
||||
by dn="#-ld_unix_dn-#" write
|
||||
#sr_samba_set#
|
||||
#Доступ к ветке Samba репликатора
|
||||
#?pkg(openldap)>2.4&ld_repl_set==on&sr_samba_set==on&ld_repl_id!=||pkg(openldap)>2.4&ld_repl_set==on&cl_pass_service==samba&ld_repl_id!=#
|
||||
by dn="#-ld_repl_dn-#" write
|
||||
#pkg#
|
||||
#?sr_samba_set==on||cl_pass_service==samba#
|
||||
by dn="#-ld_bind_dn-#" read
|
||||
by * none
|
||||
#sr_samba_set#
|
||||
|
||||
# Доступ к ветке Unix
|
||||
#?sr_unix_set==on||cl_pass_service==unix#
|
||||
access to dn.regex=".*#-ld_unix_dn-#$"
|
||||
by dn="#-ld_admin_dn-#" write
|
||||
by dn="#-ld_samba_dn-#" write
|
||||
by dn="#-ld_unix_dn-#" write
|
||||
# Доступ к ветке Unix репликатора
|
||||
#?pkg(openldap)>2.4&ld_repl_set==on&sr_unix_set==on&ld_repl_id!=||pkg(openldap)>2.4&ld_repl_set==on&cl_pass_service==unix&ld_repl_id!=#
|
||||
by dn="#-ld_repl_dn-#" write
|
||||
#pkg#
|
||||
#?sr_unix_set==on||cl_pass_service==unix#
|
||||
by dn="#-ld_bind_dn-#" read
|
||||
by * none
|
||||
#sr_unix_set#
|
||||
|
||||
# Доступ к ветке Mail
|
||||
#?sr_mail_set==on||cl_pass_service==mail#
|
||||
access to dn.regex=".*#-ld_mail_dn-#$"
|
||||
by dn="#-ld_admin_dn-#" write
|
||||
by dn="#-ld_mail_dn-#" read
|
||||
by * none
|
||||
#sr_mail_set#
|
||||
|
||||
# Доступ к ветке Jabber
|
||||
#?sr_jabber_set==on||cl_pass_service==jabber#
|
||||
access to dn.regex=".*#-ld_jabber_dn-#$"
|
||||
by dn="#-ld_admin_dn-#" write
|
||||
by dn="#-ld_jabber_dn-#" read
|
||||
by * none
|
||||
#sr_jabber_set#
|
||||
|
||||
# Доступ к ветке FTP
|
||||
#?sr_ftp_set==on||cl_pass_service==ftp#
|
||||
access to dn.regex=".*#-ld_ftp_dn-#$"
|
||||
by dn="#-ld_admin_dn-#" write
|
||||
by dn="#-ld_ftp_dn-#" read
|
||||
by * none
|
||||
#sr_ftp_set#
|
||||
|
||||
# Доступ к ветке LDAP
|
||||
#?pkg(openldap)>2.4&ld_repl_set==on&ld_repl_id!=#
|
||||
access to dn.regex=".*#-ld_ldap_dn-#$"
|
||||
by dn="#-ld_admin_dn-#" write
|
||||
by dn="#-ld_repl_dn-#" read
|
||||
by dn="#-ld_bind_dn-#" read
|
||||
by dn="#-ld_mail_dn-#" read
|
||||
by * none
|
||||
#pkg#
|
||||
|
||||
# Доступ к ветке Proxy
|
||||
#?sr_proxy_set==on||cl_pass_service==proxy#
|
||||
access to dn.regex=".*#-ld_proxy_dn-#$"
|
||||
by dn="#-ld_admin_dn-#" write
|
||||
by dn="#-ld_proxy_dn-#" read
|
||||
by * none
|
||||
#sr_proxy_set#
|
||||
|
||||
# Доступ к ветке Replication
|
||||
#?pkg(openldap)>2.4&ld_repl_set==on&ld_repl_id!=#
|
||||
access to dn.regex=".*#-ld_repl_dn-#$"
|
||||
by dn="#-ld_admin_dn-#" write
|
||||
by dn="#-ld_repl_dn-#" write
|
||||
by dn="#-ld_bind_dn-#" read
|
||||
by dn="#-ld_mail_dn-#" read
|
||||
by * none
|
||||
#pkg#
|
||||
|
||||
# Доступ к остальным веткам сервисов
|
||||
access to dn.regex=".*ou=([^,]+),#-ld_services_dn-#$"
|
||||
by dn="#-ld_admin_dn-#" write
|
||||
by dn.regex="ou=$1,#-ld_services_dn-#" write
|
||||
by * none
|
||||
|
||||
# Закрываем доступ к веткам
|
||||
access to dn.regex=".*,#-ld_services_dn-#"
|
||||
by dn="#-ld_admin_dn-#" write
|
||||
by * none
|
||||
|
||||
# Доступ ко всем аттрибутам
|
||||
access to *
|
||||
by dn="#-ld_admin_dn-#" write
|
||||
by self write
|
||||
by * read
|
||||
# Доступ по умолчанию только для чтения
|
||||
#?pkg(openldap)<2.4#defaultaccess read#pkg#
|
||||
|
||||
# Тип базы данных
|
||||
#?pkg(openldap)<2.4#database ldbm#pkg#
|
||||
#?pkg(openldap)>2.4#database bdb#pkg#
|
||||
suffix "#-ld_base_dn-#"
|
||||
checkpoint 1024 5
|
||||
cachesize 10000
|
||||
directory /var/lib/openldap-data
|
||||
|
||||
# Параметры для репликации
|
||||
#?pkg(openldap)>2.4&ld_repl_set==on&ld_repl_id!=#
|
||||
rootdn "cn=ldaproot,#-ld_base_dn-#"
|
||||
|
||||
#-ld_repl_servers_info-#
|
||||
|
||||
#-ld_repl_servers_ref-#
|
||||
|
||||
overlay syncprov
|
||||
syncprov-checkpoint 100 10
|
||||
syncprov-sessionlog 100
|
||||
|
||||
|
||||
mirrormode on
|
||||
serverID #-ld_repl_id-#
|
||||
#pkg#
|
||||
|
||||
index objectClass eq
|
||||
index cn pres,sub,eq
|
||||
index sn pres,sub,eq
|
||||
index uid pres,sub,eq
|
||||
index uidNumber eq
|
||||
index gidNumber eq
|
||||
index default sub
|
@ -0,0 +1,33 @@
|
||||
# Calculate format=squid append=replace
|
||||
auth_param basic program /usr/libexec/squid/squid_ldap_auth -b "ou=Users,#-ld_proxy_dn-#" -f "(&(uid=%s)(initials=Yes))" -D "#-ld_proxy_dn-#" -W /etc/squid/squid.ldap -h localhost
|
||||
auth_param basic credentialsttl 5 minute
|
||||
external_acl_type ldap_users ttl=300 %LOGIN %PORT /usr/bin/proxy -s "#-ld_proxy_dn-#" -b "#-ld_base_dn-#" -P /etc/squid/squid.ldap
|
||||
acl manager proto cache_object
|
||||
acl localhost src 127.0.0.1/32
|
||||
#-sr_proxy_net_allow_pass-#
|
||||
acl access_port external ldap_users
|
||||
acl purge method PURGE
|
||||
acl CONNECT method CONNECT
|
||||
http_access allow manager localhost
|
||||
http_access deny manager
|
||||
http_access allow purge localhost
|
||||
http_access deny purge
|
||||
http_access deny !access_port
|
||||
http_access allow localnet
|
||||
http_access allow localhost
|
||||
http_access deny all
|
||||
icp_access allow localnet
|
||||
icp_access deny all
|
||||
htcp_access allow localnet
|
||||
htcp_access deny all
|
||||
http_port #-sr_proxy_port-#
|
||||
hierarchy_stoplist cgi-bin ?
|
||||
logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %ul %ui %Sh/%<A %mt %et
|
||||
access_log /var/log/squid/access.log squid
|
||||
refresh_pattern ^ftp: 1440 20% 10080
|
||||
refresh_pattern ^gopher: 1440 0% 1440
|
||||
refresh_pattern (cgi-bin|\?) 0 0% 0
|
||||
refresh_pattern . 0 20% 4320
|
||||
icp_port 3130
|
||||
forwarded_for off
|
||||
coredump_dir /var/cache/squid
|
@ -0,0 +1,2 @@
|
||||
# Calculate chmod=0600 chown=squid:squid append=replace
|
||||
#-ld_proxy_pw-#
|