/etc/ldap/slapd-squeeze_debian-edu.conf is in debian-edu-config 1.818+deb8u2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
# Allow LDAPv2 binds
# LDAPv2 is a legacy protocol with no StartTLS extended operation; together
# with "security simple_bind=128" below, a v2 simple bind can only succeed
# over ldaps:// or the ldapi:// socket. NOTE(review): consider dropping this
# once no v2-only clients remain.
allow bind_v2
# The skolelinux slapd configuration file
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/autofs.schema
include /etc/ldap/schema/inetorgperson.schema
#include /etc/ldap/schema/dhcp.schema
include /etc/ldap/schema/gosa/dhcp.schema
#include /etc/ldap/schema/dnsdomain2.schema
include /etc/ldap/schema/gosa/dnszone.schema
include /etc/ldap/schema/kerberos.schema
include /etc/ldap/schema/ltspclientaux.schema
## gosa:
include /etc/ldap/schema/gosa/samba3.schema
include /etc/ldap/schema/gosa/trust.schema
include /etc/ldap/schema/gosa/gosystem.schema
include /etc/ldap/schema/gosa/gofon.schema
include /etc/ldap/schema/gosa/goto.schema
include /etc/ldap/schema/gosa/gosa-samba3.schema
include /etc/ldap/schema/gosa/gofax.schema
include /etc/ldap/schema/gosa/goserver.schema
include /etc/ldap/schema/gosa/goto-mime.schema
include /etc/ldap/schema/gosa/sudo.schema
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# Read slapd.conf(5) for possible values
#loglevel 65535
# NOTE(review): "none" disables all slapd logging, so failed binds, ACL
# denials and modifications leave no trace for incident review. "stats"
# (256) logs connections/operations/results at modest cost and is the
# usual production setting.
loglevel none
rootDSE /etc/ldap/rootDSE-debian-edu.ldif
# TLS/SSL
# One self-signed PEM serves as CA certificate, server certificate and
# private key. Because the private key is in this file it must be readable
# by the slapd user only; its mode is not visible here -- verify. Clients
# that validate the server need this same certificate as their trust
# anchor. (The commented pyca paths below are a CA-signed alternative.)
# This config file itself holds no secrets, which is why it can be
# world-readable.
TLSCACertificateFile /etc/ldap/ssl/slapd.pem
TLSCertificateKeyFile /etc/ldap/ssl/slapd.pem
TLSCertificateFile /etc/ldap/ssl/slapd.pem
#TLSCACertificateFile /var/lib/pyca/Root/cacert.pem
#TLSCertificateKeyFile /var/lib/pyca/ServerCerts/private/cakey.pem
#TLSCertificateFile /var/lib/pyca/ServerCerts/cacert.pem
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload back_monitor
defaultsearchbase "dc=skole,dc=skolelinux,dc=no"
# Directory updates and simple (password) binds require a security strength
# factor of 128, i.e. TLS or the ldapi socket (see localssf). No global
# "ssf=" floor is set, so anonymous and SASL sessions may still run in
# cleartext, and everything the ACLs below grant "by * read" is readable
# that way.
security update_ssf=128 simple_bind=128
# Access via ldapi/unix socket is assumed to have 128 bit encryption.
# This is required to allow the kerberos and powerdns daemon to
# connect.
# Consequence: whoever can open the unix socket satisfies every ssf=128
# check in this file without any encryption, so the socket's filesystem
# permissions are part of the trust boundary.
localssf 128
backend bdb
backend monitor
#######################################################################
# ldbm database definitions
#######################################################################
# The backend type, ldbm, is the default standard
database bdb
# Set the database in memory cache size.
#
cachesize 4000
#dbnosync
# Upper bound on entries returned by one search; it slows bulk enumeration
# by ordinary clients but does not prevent it.
sizelimit 4000
# First database
suffix "dc=skole,dc=skolelinux,dc=no"
# The rootdn bypasses every ACL below. No rootpw directive is present in
# this file, so its credentials (if any) live in the directory entry itself
# -- NOTE(review): confirm how that entry's userPassword is protected.
rootdn "cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no"
# Where the database file are physically stored
directory "/var/lib/ldap"
# Indices to maintain
index objectClass pres,eq
index cn,sn,ou pres,eq,sub
index uid pres,eq,sub
index krbPrincipalName pres,eq,sub
index uidNumber eq
index gidNumber eq
index memberUid eq
index default eq
#for some clients, even if not used
index givenname eq
index displayName eq
#index telephoneNumber eq
#samba index
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index sambaGroupType eq
index sambaSIDList eq
# PowerDNS index
index associatedDomain pres,eq,sub
index aRecord pres,eq
# ldap2zone index
index zoneName eq
index relativeDomainName eq
# Sudo
index sudoUser eq,sub
# LTSP configuration index (dhcpHWAddress also used by dhcpd)
index macAddress eq
index dhcpHWAddress eq
# libnss-ldapd looks for this one. Make sure it is indexed to avoid
# lots of log messages.
index uniqueMember eq
# lwat cron job uses this
index createTimestamp eq
# Save the time that the entry gets modified
lastmod on
# Webmin-ldap-skolelinux use TLS, and PAM authentication use SSL
# The ssf=128 option is to be used when SL bug 213 and 404 are closed.
# NOTE(review): the bug references above look stale -- ssf=128 is already
# applied on the smbadmin clauses below.
#
## map authentication via gssapi on user dn:
# The search must yield exactly one entry or the mapping (and thus the
# bind's authorization) fails, so uid must be unique below the suffix.
# The URI on the next line is a continuation of this directive.
authz-regexp "uid=([^,]*),cn=gssapi,cn=auth"
"ldap:///dc=skole,dc=skolelinux,dc=no??sub?(uid=$1)"
## default: no access, but allow members of the ldap-admins group full
## access.
# ACL semantics (slapd.access(5)): the first "access to" whose target
# matches the request is selected; inside it the first matching "by"
# clause decides, except that "break" hands over to the next "access to".
# Order is therefore significant and these rules must not be reordered.
# NOTE(review): this rendering has stripped the leading whitespace from the
# "by" and URI continuation lines; slapd.conf treats only whitespace-led
# lines as continuations, so the on-disk file must keep them indented.
access to *
by group.exact="cn=ldap-admins,ou=ldap-access,dc=skole,dc=skolelinux,dc=no" manage
by * none break
# nextID counter: smbadmin may allocate gids over an encrypted session,
# everybody may read the counter.
access to dn.base="cn=nextID,ou=variables,dc=skole,dc=skolelinux,dc=no"
attrs=gidNumber
by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 write
by * read
access to dn.exact="ou=idmap,ou=samba,dc=skole,dc=skolelinux,dc=no"
by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
by * break
# smbadmin's own password: self-change and anonymous auth only over an
# ssf>=128 session; nobody else at all (this rule ends in "none", not
# "break", so the generic userPassword rule below is never consulted).
access to dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no"
attrs=userPassword
by self ssf=128 =wx
by anonymous ssf=128 auth
by * none
# Everyone else's userPassword: owners may change but not read it, anonymous
# may only use it to bind, and the admins group is explicitly denied so
# delegated admins cannot read hashes. The missing ssf= qualifier on
# "by self" is not a gap -- "security update_ssf=128" at the top already
# forces every write onto an ssf>=128 session.
access to attrs=userPassword
by self =wx
by anonymous auth
by set="[cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no]/member & this" none
by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 write
by * none
# shadowLastChange: write-only for the owner, hidden from everybody else
# (the explicit "by * none" stops evaluation before the read-all default).
access to attrs=shadowLastChange
by self ssf=128 =w
by set="[cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no]/member & this" none
by * none
# entry/children pseudo-attributes: smbadmin may add and delete entries
# anywhere below the suffix; all others continue to later rules.
access to dn.subtree="dc=skole,dc=skolelinux,dc=no"
attrs=children,entry
by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 write
by * none break
#
# Allow samba to add groupmap information to existing groups.
#
access to dn.subtree="dc=skole,dc=skolelinux,dc=no"
attrs=objectClass,sambaSID,sambaGroupType,displayName,description,sambaSIDList
by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
by * none break
#
# Allow samba to create/edit posix accounts and posix groups
#
access to dn.subtree="dc=skole,dc=skolelinux,dc=no"
attrs=uid,uidNumber,cn,gidNumber,userPassword,memberUid,description,homeDirectory,loginShell,gecos
by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
by * none break
#
# Allow samba to create/edit samba3 accounts (everything missing that has not already been mentioned above)
#
access to dn.subtree="dc=skole,dc=skolelinux,dc=no"
attrs=sambaAcctFlags
by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 =rw
by * none break
access to dn.subtree="dc=skole,dc=skolelinux,dc=no"
attrs=sambaDomainName
by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 =rws
by * none break
# NOTE(review): dn.exact compares the normalized DN literally; the "*" here
# is not a wildcard, so this rule probably matches no real entry (dn.one or
# dn.regex would match the per-domain children of ou=samba). Confirm what
# it was meant to cover before relying on it.
access to dn.exact="sambaDomainName=*,ou=samba,dc=skole,dc=skolelinux,dc=no"
by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 =rws
by * none break
#
#
# Ensure samba password hashes.
#
# Restricted access to some samba attributes
# (allow access for admin to don't break old installations)
# LM/NT hashes are password equivalents: never readable by users or by the
# admins group; only smbadmin, over an ssf>=128 session, may read them.
access to attrs=sambaLMPassword,sambaNTPassword
by self ssf=128 =w
by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
by set="[cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no]/member & this" none
by * none
access to attrs=sambaPwdLastSet,sambaPwdCanChange
by self ssf=128 =wr
by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
by set="[cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no]/member & this" none
by * read
# Access to samba attributes; kadmin-service needs to add
# attr=objectClass too, so break:
# NOTE(review): sambaPasswordHistory is in this list and falls to
# "by * read", so the stored digests of previous NT password hashes are
# readable by every requester, anonymous included (the read-all default at
# the end of the file does not restrict them either). Consider moving it
# into the sambaLMPassword,sambaNTPassword rule above.
access to attrs=objectClass,sambaSID,sambaPrimaryGroupSID,displayName,sambaPwdMustChange,sambaAcctFlags,sambaGroupType,sambaPasswordHistory,sambaNextRid
by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
by * read break
access to attrs=sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaLogonHours,sambaBadPasswordCount,sambaBadPasswordTime
by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
by * read
# We store machine-accounts for samba in a private ou visible via NSS
access to dn.sub="ou=netdevices,ou=systems,dc=skole,dc=skolelinux,dc=no"
by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
by * read
# Control access to kerberos attributes
# NOTE(review): "by self read" lets a principal read its own krbPrincipalKey
# and krbExtraData. The KDC reads key material as kdc-service, so this does
# not appear to be needed for authentication; the "hidden" claim in the
# comment further down therefore holds against others but not against the
# principal's own bound session. Consider "by self none" unless something
# depends on it -- verify.
access to attrs=krbPrincipalKey,krbExtraData
by dn.exact="cn=kdc-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" read
by dn.exact="cn=kadmin-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" write
by self read
by * auth
# NOTE(review): "by * auth" matches every remaining requester, so the
# trailing "by * read" is never reached: krbPrincipalName and
# krbLastPwdChange are readable/searchable only by the two service DNs (and
# ldap-admins via the first rule). If clients must look principals up by
# name, the read clause has to be merged or moved ahead -- confirm what the
# intended exposure is before changing it.
access to attrs=krbPrincipalName,krbLastPwdChange
by dn.exact="cn=kdc-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" read
by dn.exact="cn=kadmin-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" write
by * auth
by * read
# Limit access to kerberos data in cn=kerberos. Allow everyone to
# see the objects, as long as the attributes
# krbPrincipalKey,krbLastPwdChange and krbExtraData are hidden.
access to dn.subtree="cn=kerberos,dc=skole,dc=skolelinux,dc=no"
by dn.exact="cn=kdc-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" read
by dn.exact="cn=kadmin-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" write
by * read
# Default access; kadmin needs full access:
# Everything not matched above -- the bulk of the user, group, host, sudo
# and DNS data -- is world-readable, including to anonymous cleartext
# sessions (no global ssf= floor is set). NSS/PAM clients need this, but it
# also means the directory layout can be enumerated by anyone who can reach
# the port.
access to *
by dn.exact="cn=kadmin-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" write
by * read
# Last database.. back-monitor is nice to have. Use 'cn=monitor' as base
# NOTE(review): all "access" directives in this file sit inside the bdb
# database section and do not govern this database; no global ACLs precede
# "database bdb" and none follow here, so cn=monitor (which exposes peer
# addresses and bound DNs of current connections) falls back to slapd's
# built-in default of read for everyone. Add an explicit ACL here if that
# is not intended -- verify.
database monitor
# End of ldapd configuration file