GOsa añade varios esquemas para el control de ciertos servicios y características de los usuarios.
Los esquemas necesarios para GOsa están en el paquete, en la sección contrib; lo ideal será copiarlos todos a /etc/ldap/schema.
Una configuración recomendada de /etc/ldap/slapd.conf es la siguiente:
Configuración específica para GOsa
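# Schema and objectClass definitions, basic configuration
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/misc.schema
# These schemas must be present for GOsa. With samba3,
# samba.schema and gosa.schema are replaced by samba3.schema
# and gosa+samba3.schema, which is what is done here.
include /etc/ldap/schema/samba3.schema
include /etc/ldap/schema/pureftpd.schema
include /etc/ldap/schema/gohard.schema
include /etc/ldap/schema/gofon.schema
include /etc/ldap/schema/goto.schema
include /etc/ldap/schema/gosa+samba3.schema
include /etc/ldap/schema/gofax.schema
include /etc/ldap/schema/goserver.schema
# Enforce objectClass / schema compliance on every write
schemacheck on
# Hash scheme applied when userPassword is set through the
# Password Modify extended operation.
# Can be: {SSHA}, {SHA}, {SMD5}, {MD4}, {CRYPT}, {CLEARTEXT}
# {SSHA} (salted SHA-1) is preferred over {CRYPT}: the traditional
# 13-character crypt(3) hashes are DES-based and cheap to brute-force.
password-hash {SSHA}
# Default search base
defaultsearchbase "dc=CHAOSDIMENSION,dc=ORG"
# Used by the init scripts to stop and start the server
pidfile /var/run/slapd.pid
# Arguments passed to the server
argsfile /var/run/slapd.args
# Log level
loglevel 1024
# Where modules are loaded from, and which ones
modulepath /usr/lib/ldap
# Berkeley DB version 4 backend. slapd.conf only treats lines that
# BEGIN with '#' as comments, so the note must not trail the directive
# (it would be passed to the module as an argument).
moduleload back_bdb
# Some performance parameters
threads 64
concurrency 32
conn_max_pending 100
conn_max_pending_auth 250
reverse-lookup off
sizelimit 1000
timelimit 30
idletimeout 30
# Tighter limits for anonymous binds
limits anonymous size.soft=500 time.soft=5
# Database definitions
database bdb
cachesize 5000
checkpoint 512 720
# Permissions of the database files created by the backend
mode 0600
# Directory suffix
suffix "dc=CHAOSDIMENSION,dc=ORG"
# Directory administrator and its password.
# In this example the administrator is cn=ldapadmin.
# Generate the hash with: slappasswd -h {SSHA}
# (or, for a {crypt} hash: makepasswd -crypt -clearfrom <file-with-the-cleartext-password>)
# Never publish the real hash in documentation, and keep slapd.conf
# readable only by root and the account slapd runs as: whoever can
# read this file can attack the rootdn password offline.
rootdn "cn=ldapadmin,dc=CHAOSDIMENSION,dc=ORG"
rootpw <PLACEHOLDER: paste the output of slappasswd -h {SSHA} here>
# Which attributes are indexed for searches
index default sub
index uid,mail eq
index gosaMailAlternateAddress,gosaMailForwardingAddress eq
index cn,sn,givenName,ou pres,eq,sub
index objectClass pres,eq
index uidNumber,gidNumber,memberuid eq
index gosaSubtreeACL,gosaObject,gosaUser pres,eq
# Indexing for Samba 3 (sambaSID was previously glued onto this
# comment line and therefore never indexed)
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
# ACCESS CONTROL
# Rules are evaluated in order and the first "access to" clause whose
# target matches decides, so the catch-all "access to *" must stay last.
# The dn.regex patterns are matched against the whole bind DN; an
# unanchored pattern matches any DN that merely CONTAINS the text.
# They are anchored at the start and the literal dot is escaped here.
# NOTE(review): add a trailing anchor once the exact form of the
# SASL-mapped DN in use (presumably "...,cn=auth") is confirmed.
#
# Who may change user passwords: only the administrator, or the user
# itself once authenticated.
# NOTE(review): "by self write" also lets a user rewrite its own
# sambaPwdMustChange / sambaPwdCanChange, i.e. cancel a forced password
# change; move those two attributes to an admin-only rule if that matters.
access to attr=sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange
    by dn="cn=ldapadmin,dc=CHAOSDIMENSION,dc=ORG" write
    by dn.regex="^uid=[^{}/]+/admin\+(realm=CHAOSDIMENSION\.LOCAL)?" write
    by anonymous auth
    by self write
    by * none
# NOTE(review): "by self write" on shadowMax / shadowExpire lets a user
# extend the lifetime of its own password; consider an admin-only rule
# for those two attributes.
access to attr=userPassword,shadowMax,shadowExpire
    by dn="cn=ldapadmin,dc=CHAOSDIMENSION,dc=ORG" write
    by dn.regex="^uid=[^{}/]+/admin\+(realm=CHAOSDIMENSION\.LOCAL)?" write
    by anonymous auth
    by self write
    by * none
# Deny access to the imap, fax or kerberos passwords stored in LDAP
access to attr=goImapPassword
    by dn="cn=ldapadmin,dc=CHAOSDIMENSION,dc=ORG" write
    by dn.regex="^uid=[^{}/]+/admin\+(realm=CHAOSDIMENSION\.LOCAL)?" write
    by * none
access to attr=goKrbPassword
    by dn="cn=ldapadmin,dc=CHAOSDIMENSION,dc=ORG" write
    by dn.regex="^uid=[^{}/]+/admin\+(realm=CHAOSDIMENSION\.LOCAL)?" write
    by * none
access to attr=goFaxPassword
    by dn="cn=ldapadmin,dc=CHAOSDIMENSION,dc=ORG" write
    by dn.regex="^uid=[^{}/]+/admin\+(realm=CHAOSDIMENSION\.LOCAL)?" write
    by * none
# Lets the server write the LastUser attribute.
# NOTE(review): "by *" includes anonymous binds, so anyone who can reach
# the port can overwrite gotoLastUser on every entry. Restrict it to the
# DN the writing server actually binds with (possibly the
# cn=terminal-admin identity used below) once that is confirmed.
access to attr=gotoLastUser
    by * write
# Samba passwords may by default be changed by the user itself
# once authenticated.
access to attr=sambaLmPassword,sambaNtPassword
    by dn="cn=ldapadmin,dc=CHAOSDIMENSION,dc=ORG" write
    by dn.regex="^uid=[^{}/]+/admin\+(realm=CHAOSDIMENSION\.LOCAL)?" write
    by anonymous auth
    by self write
    by * none
# Write access for the terminal administrator (no "by *" clause:
# everyone else is implicitly denied)
access to dn="ou=incoming,dc=CHAOSDIMENSION,dc=ORG"
    by dn="cn=terminal-admin,dc=CHAOSDIMENSION,dc=ORG" write
    by dn="cn=ldapadmin,dc=CHAOSDIMENSION,dc=ORG" write
    by dn.regex="^uid=[^{}/]+/admin\+(realm=CHAOSDIMENSION\.LOCAL)?" write
access to dn.subtree="ou=incoming,dc=CHAOSDIMENSION,dc=ORG"
    by dn="cn=terminal-admin,dc=CHAOSDIMENSION,dc=ORG" write
    by dn="cn=ldapadmin,dc=CHAOSDIMENSION,dc=ORG" write
    by dn.regex="^uid=[^{}/]+/admin\+(realm=CHAOSDIMENSION\.LOCAL)?" write
# Directory where the database is stored
directory "/var/lib/ldap"
# Whether slapd maintains modifyTimestamp / modifiersName and the other
# operational attributes. "off" drops them; turn it on when an audit
# trail of who changed what is needed.
lastmod off
# Administrator access; everyone else may read.
# NOTE(review): "by * read" exposes the whole directory (minus the
# attributes protected above) to anonymous binds. If no client depends
# on anonymous reads, use "by users read" followed by "by anonymous auth".
access to *
    by dn="cn=ldapadmin,dc=CHAOSDIMENSION,dc=ORG" =wrscx
    by dn.regex="^uid=[^{}/]+/admin\+(realm=CHAOSDIMENSION\.LOCAL)?" =wrscx
    by * read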
Fin
aescanero AT gmail.com