GOsa adds several schemas that control certain services and user characteristics.
The schemas GOsa needs ship with the package, in the contrib section; they must be copied to /etc/ldap/schema.
A recommended configuration for /etc/ldap/slapd.conf is the following:
LDAP GOsa Configuration
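# Schema and objectClass definitions, basic configuration
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/misc.schema
# Schemas shipped with GOsa. For Samba 3, replace samba.schema and
# gosa.schema with samba3.schema and gosa+samba3.schema, as done here.
# Keep samba3.schema before gosa+samba3.schema, which presumably refers
# to attribute types defined there.
include /etc/ldap/schema/samba3.schema
include /etc/ldap/schema/pureftpd.schema
include /etc/ldap/schema/gohard.schema
include /etc/ldap/schema/gofon.schema
include /etc/ldap/schema/goto.schema
include /etc/ldap/schema/gosa+samba3.schema
include /etc/ldap/schema/gofax.schema
include /etc/ldap/schema/goserver.schema
# Force entries to match the schemas of their objectClasses.
# NOTE(review): historical directive; recent slapd releases always enforce
# schema and may reject it as unknown -- check against your slapd version.
schemacheck on
# Hash scheme slapd uses when it hashes a password itself, i.e. for the
# Password Modify extended operation. A value a client writes directly into
# userPassword is stored as sent, so this setting does not cover every path.
# Possible values include {SSHA}, {SHA}, {SMD5}, {CRYPT}, {CLEARTEXT}.
# {CRYPT} calls the system crypt(3); with the default salt format that is
# traditional DES crypt, which is weak. {SSHA} is the usual choice unless
# another consumer of the stored hashes requires the crypt format.
password-hash {CRYPT}
# Default search base for clients that do not supply one.
defaultsearchbase "dc=CHAOSDIMENSION,dc=ORG"
# Used by the init scripts to stop and start the server.
pidfile /var/run/slapd.pid
# Arguments the server was started with.
argsfile /var/run/slapd.args
# Log level. In slapd.conf(5) the 1024 bit is the shell-backend log only;
# 256 (stats) is the usual operational level and 128 (ACL) is what you need
# when debugging the access rules below.
loglevel 1024
# Where to find modules and which ones to load.
modulepath /usr/lib/ldap
# Berkeley DB version 4 backend (trailing comments are not safe on a
# directive line, so it is kept on its own line)
moduleload back_bdb
# Performance parameters
threads 64
concurrency 32
conn_max_pending 100
conn_max_pending_auth 250
reverse-lookup off
sizelimit 1000
timelimit 30
idletimeout 30
# Tighter limits for unauthenticated clients
limits anonymous size.soft=500 time.soft=5
# Database definition. Every directive from here on, including the access
# rules, applies to this database.
database bdb
cachesize 5000
checkpoint 512 720
# Permissions of the files slapd creates under "directory" (below).
mode 0600
# The directory suffix.
suffix "dc=CHAOSDIMENSION,dc=ORG"
# Directory administrator (rootdn) and its password hash. The rootdn
# bypasses every access rule below, so this file must not be world-readable
# (the "mode" above covers the database files, not this file).
# A crypt hash can be produced with
#   makepasswd -crypt -clearfrom file_with_user_name
# or, for any scheme slapd supports, with slappasswd (e.g. slappasswd -h {SSHA}).
rootdn "cn=ldapadmin,dc=CHAOSDIMENSION,dc=ORG"
rootpw {crypt}OuorOLd3VqvC2
# Attributes to index for searches
index default sub
index uid,mail eq
index gosaMailAlternateAddress,gosaMailForwardingAddress eq
index cn,sn,givenName,ou pres,eq,sub
index objectClass pres,eq
index uidNumber,gidNumber,memberuid eq
index gosaSubtreeACL,gosaObject,gosaUser pres,eq
# Indexing for Samba 3
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
# Access rules. slapd evaluates them in order: the first "access to" whose
# target matches decides, and within it the first matching "by" wins. A rule
# without a "by *" line ends with an implicit "by * none". The "by" lines
# must start with whitespace so they continue the "access" directive.
#
# Who may change the Samba password-timing attributes: the administrators,
# or the user itself once authenticated. The dn.regex identities are of the
# form uid=<user>/admin+realm=... (presumably SASL/Kerberos admin principals).
# NOTE(review): that regex is not anchored, so any DN that merely contains
# such a substring matches; prefix it with ^ (and escape the '.' in the
# realm) unless the unanchored form is intentional. The same regex is
# repeated in every rule below.
access to attr=sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange
    by dn="cn=ldapadmin,dc=CHAOSDIMENSION,dc=ORG" write
    by dn.regex="uid=[^{}/]+/admin\+(realm=CHAOSDIMENSION.LOCAL)?" write
    by anonymous auth
    by self write
    by * none
# Who may change the user password and the shadow expiry attributes.
# NOTE(review): "by self write" also lets a user extend its own shadowMax
# and shadowExpire; if those are meant to be enforced, move them to a
# separate rule without self write.
access to attr=userPassword,shadowMax,shadowExpire
    by dn="cn=ldapadmin,dc=CHAOSDIMENSION,dc=ORG" write
    by dn.regex="uid=[^{}/]+/admin\+(realm=CHAOSDIMENSION.LOCAL)?" write
    by anonymous auth
    by self write
    by * none
# Deny everyone but the administrators any access to the IMAP, Kerberos
# and fax secrets stored in LDAP.
access to attr=goImapPassword
    by dn="cn=ldapadmin,dc=CHAOSDIMENSION,dc=ORG" write
    by dn.regex="uid=[^{}/]+/admin\+(realm=CHAOSDIMENSION.LOCAL)?" write
    by * none
access to attr=goKrbPassword
    by dn="cn=ldapadmin,dc=CHAOSDIMENSION,dc=ORG" write
    by dn.regex="uid=[^{}/]+/admin\+(realm=CHAOSDIMENSION.LOCAL)?" write
    by * none
access to attr=goFaxPassword
    by dn="cn=ldapadmin,dc=CHAOSDIMENSION,dc=ORG" write
    by dn.regex="uid=[^{}/]+/admin\+(realm=CHAOSDIMENSION.LOCAL)?" write
    by * none
# Let the server write the gotoLastUser attribute.
# NOTE(review): "by * write" includes anonymous binds, so any client that
# can reach the server may set this attribute on any entry; restrict it to
# the identity that actually writes it (e.g. by dn="cn=terminal-admin,...").
access to attr=gotoLastUser
    by * write
# The Samba password hashes: changeable only by the administrators or by
# the authenticated user itself; nobody else may read them.
access to attr=sambaLmPassword,sambaNtPassword
    by dn="cn=ldapadmin,dc=CHAOSDIMENSION,dc=ORG" write
    by dn.regex="uid=[^{}/]+/admin\+(realm=CHAOSDIMENSION.LOCAL)?" write
    by anonymous auth
    by self write
    by * none
# Write access on ou=incoming for the terminal administrator. Both rules
# end with an implicit "by * none", so every other identity is denied even
# read access to this subtree; the catch-all rule below never applies here.
access to dn="ou=incoming,dc=CHAOSDIMENSION,dc=ORG"
    by dn="cn=terminal-admin,dc=CHAOSDIMENSION,dc=ORG" write
    by dn="cn=ldapadmin,dc=CHAOSDIMENSION,dc=ORG" write
    by dn.regex="uid=[^{}/]+/admin\+(realm=CHAOSDIMENSION.LOCAL)?" write
access to dn.subtree="ou=incoming,dc=CHAOSDIMENSION,dc=ORG"
    by dn="cn=terminal-admin,dc=CHAOSDIMENSION,dc=ORG" write
    by dn="cn=ldapadmin,dc=CHAOSDIMENSION,dc=ORG" write
    by dn.regex="uid=[^{}/]+/admin\+(realm=CHAOSDIMENSION.LOCAL)?" write
# Directory holding the database files.
directory "/var/lib/ldap"
# Whether slapd maintains modifiersName/modifyTimestamp on entries.
# NOTE(review): "off" discards the only built-in record of who changed an
# entry and when; keep it on unless something specifically requires otherwise.
lastmod off
# Catch-all rule: administrators get full rights; everything not matched
# above is readable by anyone, including anonymous binds. Use "by users read"
# (optionally preceded by "by anonymous auth") if the tree must not be
# world-readable.
access to *
    by dn="cn=ldapadmin,dc=CHAOSDIMENSION,dc=ORG" =wrscx
    by dn.regex="uid=[^{}/]+/admin\+(realm=CHAOSDIMENSION.LOCAL)?" =wrscx
    by * read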
End
aescanero AT gmail.com