X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=doc%2Fslapd-config.txt;h=23a8a1c839944150e43ad462320204c27826fdd7;hb=161ed5225e37d91f57f8fe846798308375505efa;hp=41b42f9af7e6c890ed8acd934e96ccb1aa86f72a;hpb=af4fd674ca0c3db5bfaab34a0b852b09da6d4140;p=mirror%2Fuserdir-ldap.git

diff --git a/doc/slapd-config.txt b/doc/slapd-config.txt
index 41b42f9..23a8a1c 100644
--- a/doc/slapd-config.txt
+++ b/doc/slapd-config.txt
@@ -1,49 +1,35 @@
 Most of the configuration of the ldap server has to do with getting correct
 access controls to keep the data safe. Here is a sample:
 
-# Turn on automatic last modification time 
-lastmod on
 
-# Index some things
-index uid eq
-index keyfingerprint eq
-index cn,sn approx,sub,eq
+# only allow plain text auth when we do crypto
+security simple_bind=128
 
-# Administrate 
-#rootdn "uid=admin,ou=users,dc=debian,dc=org"
-#rootpw
+# and the database definition
+include /etc/ldap/userdir-ldap-slapd.conf
 
-# Restrict reading/modification of the password to administration and self
-access to attrs=userpassword,sshrsaauthkey
-        by self write
-        by dn="uid=admin,ou=users,dc=debian,dc=org" write
-        by group="uid=admin,ou=users,dc=debian,dc=org" write
-        by * compare    
+# Overlays are useful to enforce constraints:
 
-access to attrs=emailforward
-        by dn="uid=admin,ou=users,dc=debian,dc=org" write
-        by group="uid=admin,ou=users,dc=debian,dc=org" write
-        by self write
-        by addr=127.0.0.1 read
-        by domain=.*\.debian\.org read
-        by * none
-access to attrs=c,l,loginShell,ircNick
-        by dn="uid=admin,ou=users,dc=debian,dc=org" write
-        by group="uid=admin,ou=users,dc=debian,dc=org" write
-        by self write
-access to attrs=facsimileTelephoneNumber,telephoneNumber,postalAddress,postalC
-ode,loginShell,onvacation,privateSub,latitude,longitude
-        by dn="uid=admin,ou=users,dc=debian,dc=org" write
-        by group="uid=admin,ou=users,dc=debian,dc=org" write
-        by self write
-        by dn="uid=.*,ou=users,dc=debian,dc=org" read
-        by * none
-access to * 
-        by dn="uid=admin,ou=users,dc=debian,dc=org" write
-        by group="uid=admin,ou=users,dc=debian,dc=org" write
+moduleload /usr/lib/ldap/unique.so
+overlay unique
+unique_uri ldap:///ou=users,dc=debian,dc=org?uidNumber,uid,keyFingerPrint?sub
+unique_uri ldap:///ou=groups,dc=debian,dc=org?gidNumber,cn?sub
+
+# Constraints are useful
+moduleload /usr/lib/ldap/constraint.so
+overlay constraint
+constraint_attribute mailContentInspectionAction regex ^([mM][aA][rR][kK][uU][pP]|[bB][lL][aA][cC][kK][hH][oO][lL][eE]|[rR][eE][jJ][eE][cC][tT])$
+constraint_attribute gender regex ^(1|2|9|[mM][aA][lL][eE]|[fF][eE][mM][aA][lL][eE]|[uU][nN][sS][pP][eE][cC][iI][fF][iI][eE][dD])$
 
 # End----------
 
+Note that in more modern versions of slapd, the "by addr" and "by domain"
+syntax has changed and the following should be used instead:
+        by peername.ip=127.0.0.1 read
+        by domain.subtree=debian.org read
+
+
+
 Here is the initial seed file to import and setup the proper entries:
 
 dn: dc=org