# Calculate format=ldap\ chmod=0640\ chown=root:ldap\ append=replace
#
# slapd.conf template for the Calculate LDAP service.
# Template syntax (presumably handled by the Calculate template engine before
# slapd ever reads the file -- confirm):
#   #-name-#                 a placeholder replaced with a template variable
#   #?cond# ... #name#       the enclosed lines are kept only when `cond` holds
# NOTE(review): the `by` continuation lines of an `access` directive must keep
# their leading whitespace, otherwise slapd treats them as new directives.

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
#?sr_samba_set==on||cl_pass_service==samba#
include /etc/openldap/schema/samba.schema
#sr_samba_set#
#?sr_mail_set==on||cl_pass_service==mail#
include /etc/openldap/schema/mail.schema
#sr_mail_set#

schemacheck on
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.arg

# Debug message level
# NOTE(review): 0 disables slapd logging entirely, so failed binds and ACL
# denials leave no trace; a non-zero level (e.g. `stats`) is needed if
# authentication attempts are to be auditable -- confirm against the site's
# logging policy.
loglevel 0
# NOTE(review): permits LDAPv2 binds in addition to LDAPv3 -- confirm any
# client still needs this.
allow bind_v2
modulepath /usr/lib/openldap/modules

# ACL evaluation: slapd applies the first `access to` clause whose target
# matches the entry/attribute, then the first matching `by` clause inside it,
# so the order of the directives below is significant.
# NOTE(review): the `by dn="..."` clauses give no explicit DN style; writing
# them as `dn.exact="..."` makes the intended exact match unambiguous across
# slapd versions -- confirm which style the target release applies.

# Access to the userPassword attribute (no DN filter: applies to every entry)
# NOTE(review): `read` lets the mail and jabber service DNs retrieve the stored
# userPassword value (the hash, or the cleartext if stored that way) of every
# entry; if those services only need to verify credentials, `auth` would
# suffice -- confirm what they actually require.
access to attrs=userPassword
    by self write
    by dn="#-ld_admin_dn-#" write
#?sr_samba_set==on||cl_pass_service==samba#
    by dn="#-ld_samba_dn-#" write
#sr_samba_set#
#?sr_unix_set==on||cl_pass_service==unix#
    by dn="#-ld_unix_dn-#" write
#sr_unix_set#
#?sr_mail_set==on||cl_pass_service==mail#
    by dn="#-ld_mail_dn-#" read
#sr_mail_set#
#?sr_jabber_set==on||cl_pass_service==jabber#
    by dn="#-ld_jabber_dn-#" read
#sr_jabber_set#
    by * auth

# Access to the Samba password hash attributes: admin and the Samba service
# DN only, nobody else (not even the entry itself)
#?sr_samba_set==on||cl_pass_service==samba#
access to attrs=sambaLMPassword,sambaNTPassword
    by dn="#-ld_admin_dn-#" write
    by dn="#-ld_samba_dn-#" write
    by * none
#sr_samba_set#

# Access to the read-only bind user: only the admin may modify it and only
# the user itself may read it
access to dn.base="#-ld_bind_dn-#"
    by dn="#-ld_admin_dn-#" write
    by dn="#-ld_bind_dn-#" read
    by * none

# Access to the LDAP server administrator entry
access to dn.base="#-ld_admin_dn-#"
    by dn="#-ld_admin_dn-#" write
    by * none

# Access to the Samba branch
#?sr_samba_set==on||cl_pass_service==samba#
access to dn.regex=".*#-ld_samba_dn-#$"
    by dn="#-ld_admin_dn-#" write
    by dn="#-ld_samba_dn-#" write
    by dn="#-ld_unix_dn-#" write
    by dn="#-ld_bind_dn-#" read
    by * none
#sr_samba_set#

# Access to the Unix branch
#?sr_unix_set==on||cl_pass_service==unix#
access to dn.regex=".*#-ld_unix_dn-#$"
    by dn="#-ld_admin_dn-#" write
    by dn="#-ld_samba_dn-#" write
    by dn="#-ld_unix_dn-#" write
    by dn="#-ld_bind_dn-#" read
    by * none
#sr_unix_set#

# Access to the Mail branch
#?sr_mail_set==on||cl_pass_service==mail#
access to dn.regex=".*#-ld_mail_dn-#$"
    by dn="#-ld_admin_dn-#" write
    by dn="#-ld_mail_dn-#" read
    by * none
#sr_mail_set#

# Access to the Jabber branch
#?sr_jabber_set==on||cl_pass_service==jabber#
access to dn.regex=".*#-ld_jabber_dn-#$"
    by dn="#-ld_admin_dn-#" write
    by dn="#-ld_jabber_dn-#" read
    by * none
#sr_jabber_set#

# Access to the other service branches: the service's own DN
# (ou=<service>,<services dn>, captured as $1) may write its whole branch
# NOTE(review): the `by dn.regex` pattern is not anchored with ^, so any bind
# DN that merely ends in "ou=$1,<services dn>" (for example an entry located
# inside that branch) would match too -- confirm this is acceptable or anchor
# the pattern.
access to dn.regex=".*ou=([^,]+),#-ld_services_dn-#$"
    by dn="#-ld_admin_dn-#" write
    by dn.regex="ou=$1,#-ld_services_dn-#" write
    by * none

# Deny access to everything else below the services branch
access to dn.regex=".*,#-ld_services_dn-#"
    by dn="#-ld_admin_dn-#" write
    by * none

# Access to all remaining entries and attributes
# NOTE(review): none of the branch ACLs above grants `self` anything, so this
# `by self write` only reaches entries outside the service branches; for
# those it allows an entry to rewrite every one of its own attributes, and
# `by * read` grants anonymous read -- confirm both are intended.
access to *
    by dn="#-ld_admin_dn-#" write
    by self write
    by * read

# Default access is read-only
defaultaccess read

# Database type
# NOTE(review): `ldbm`, `schemacheck` and `defaultaccess` belong to older
# OpenLDAP releases and are rejected by newer ones -- confirm which slapd
# version this template targets.
database ldbm
suffix "#-ld_base_dn-#"
checkpoint 1024 5
cachesize 10000
directory /var/lib/openldap-data
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index uidNumber eq
index gidNumber eq
# NOTE(review): `index default` sets the types for later `index` lines that
# give none; placed last, after lines that all name their types, it appears
# to have no effect -- confirm.
index default sub