You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
135 lines
3.6 KiB
135 lines
3.6 KiB
# Calculate format=ldap\
|
|
chmod=0640\
|
|
chown=root:ldap\
|
|
append=replace
|
|
include /etc/openldap/schema/core.schema
|
|
include /etc/openldap/schema/cosine.schema
|
|
include /etc/openldap/schema/nis.schema
|
|
include /etc/openldap/schema/inetorgperson.schema
|
|
include /etc/openldap/schema/misc.schema
|
|
#?sr_samba_set==on||cl_pass_service==samba#
|
|
include /etc/openldap/schema/samba.schema
|
|
#sr_samba_set#
|
|
#?sr_mail_set==on||cl_pass_service==mail#
|
|
include /etc/openldap/schema/mail.schema
|
|
#sr_mail_set#
|
|
schemacheck on
|
|
|
|
pidfile /var/run/openldap/slapd.pid
|
|
argsfile /var/run/openldap/slapd.arg
|
|
|
|
# Уровень отладочных сообщений
|
|
loglevel 0
|
|
allow bind_v2
|
|
modulepath /usr/lib/openldap/modules
|
|
|
|
# Доступ к аттрибуту userPassword
|
|
access to attrs=userPassword
|
|
by self write
|
|
by dn="#-ld_admin_dn-#" write
|
|
|
|
#?sr_samba_set==on||cl_pass_service==samba#
|
|
by dn="#-ld_samba_dn-#" write
|
|
#sr_samba_set#
|
|
|
|
#?sr_unix_set==on||cl_pass_service==unix#
|
|
by dn="#-ld_unix_dn-#" write
|
|
#sr_unix_set#
|
|
|
|
#?sr_mail_set==on||cl_pass_service==mail#
|
|
by dn="#-ld_mail_dn-#" read
|
|
#sr_mail_set#
|
|
|
|
#?sr_jabber_set==on||cl_pass_service==jabber#
|
|
by dn="#-ld_jabber_dn-#" read
|
|
#sr_jabber_set#
|
|
by * auth
|
|
|
|
# Доступ к аттрибутам Samba
|
|
#?sr_samba_set==on||cl_pass_service==samba#
|
|
access to attrs=sambaLMPassword,sambaNTPassword
|
|
by dn="#-ld_admin_dn-#" write
|
|
by dn="#-ld_samba_dn-#" write
|
|
by * none
|
|
#sr_samba_set#
|
|
|
|
# Доступ к пользователю только для просмотра
|
|
access to dn.base="#-ld_bind_dn-#"
|
|
by dn="#-ld_admin_dn-#" write
|
|
by dn="#-ld_bind_dn-#" read
|
|
by * none
|
|
|
|
# Доступ к администратору сервера LDAP
|
|
access to dn.base="#-ld_admin_dn-#"
|
|
by dn="#-ld_admin_dn-#" write
|
|
by * none
|
|
|
|
# Доступ к ветке Samba
|
|
#?sr_samba_set==on||cl_pass_service==samba#
|
|
access to dn.regex=".*#-ld_samba_dn-#$"
|
|
by dn="#-ld_admin_dn-#" write
|
|
by dn="#-ld_samba_dn-#" write
|
|
by dn="#-ld_unix_dn-#" write
|
|
by dn="#-ld_bind_dn-#" read
|
|
by * none
|
|
#sr_samba_set#
|
|
|
|
# Доступ к ветке Unix
|
|
#?sr_unix_set==on||cl_pass_service==unix#
|
|
access to dn.regex=".*#-ld_unix_dn-#$"
|
|
by dn="#-ld_admin_dn-#" write
|
|
by dn="#-ld_samba_dn-#" write
|
|
by dn="#-ld_unix_dn-#" write
|
|
by dn="#-ld_bind_dn-#" read
|
|
by * none
|
|
#sr_unix_set#
|
|
|
|
# Доступ к ветке Mail
|
|
#?sr_mail_set==on||cl_pass_service==mail#
|
|
access to dn.regex=".*#-ld_mail_dn-#$"
|
|
by dn="#-ld_admin_dn-#" write
|
|
by dn="#-ld_mail_dn-#" read
|
|
by * none
|
|
#sr_mail_set#
|
|
|
|
# Доступ к ветке Jabber
|
|
#?sr_jabber_set==on||cl_pass_service==jabber#
|
|
access to dn.regex=".*#-ld_jabber_dn-#$"
|
|
by dn="#-ld_admin_dn-#" write
|
|
by dn="#-ld_jabber_dn-#" read
|
|
by * none
|
|
#sr_jabber_set#
|
|
|
|
# Доступ к остальным веткам сервисов
|
|
access to dn.regex=".*ou=([^,]+),#-ld_services_dn-#$"
|
|
by dn="#-ld_admin_dn-#" write
|
|
by dn.regex="ou=$1,#-ld_services_dn-#" write
|
|
by * none
|
|
|
|
# Закрываем доступ к веткам
|
|
access to dn.regex=".*,#-ld_services_dn-#"
|
|
by dn="#-ld_admin_dn-#" write
|
|
by * none
|
|
|
|
# Доступ ко всем аттрибутам
|
|
access to *
|
|
by dn="#-ld_admin_dn-#" write
|
|
by self write
|
|
by * read
|
|
# Доступ по умолчанию только для чтения
|
|
defaultaccess read
|
|
|
|
# Тип базы данных
|
|
database ldbm
|
|
suffix "#-ld_base_dn-#"
|
|
checkpoint 1024 5
|
|
cachesize 10000
|
|
directory /var/lib/openldap-data
|
|
|
|
index objectClass eq
|
|
index cn pres,sub,eq
|
|
index sn pres,sub,eq
|
|
index uid pres,sub,eq
|
|
index uidNumber eq
|
|
index gidNumber eq
|
|
index default sub |