X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=userdir-ldap-slapd.conf.in;h=0669580f7d56648b4104cfec9613249a3ebdc27f;hb=04409346418395c9f00c5f4a8244ce1d3512b446;hp=4e4c92a8e10bfc79152b627fc9b0df0cf0bc80b8;hpb=1efd4dde6267910089fcf13b949c7e8ec030d447;p=mirror%2Fuserdir-ldap.git diff --git a/userdir-ldap-slapd.conf.in b/userdir-ldap-slapd.conf.in index 4e4c92a..0669580 100644 --- a/userdir-ldap-slapd.conf.in +++ b/userdir-ldap-slapd.conf.in @@ -7,6 +7,16 @@ suffix "@@DN@@" # Where the database file are physically stored directory "/var/lib/ldap" +moduleload accesslog +overlay accesslog +logdb cn=log +logops writes +logold (objectclass=top) + +moduleload constraint +overlay constraint +constraint_attribute keyfingerprint regex ^([0-9A-F]{40})$ + # Indexing options index gecos,cn,sn,uid,ircNick,hostname,emailForward pres,eq,sub,approx index keyfingerprint,homeDirectory,objectClass,loginShell,supplementaryGid pres,eq @@ -33,7 +43,7 @@ access to * # allow keyring maint to write to the keyFingerPrint attribute # (make an exception for adm for security reasons) access to filter="(!(supplementaryGid=adm))" attrs=keyFingerPrint - by dn="cn=Keyring Maintainers,ou=users,@@DN@@" write + by group="cn=Keyring Maintainers,ou=users,@@DN@@" write by * break # allow users write access to an explicit subset of their fields @@ -59,7 +69,7 @@ access to attrs=sshrsaauthkey access to attrs=activity-pgp,activity-from,dnsZoneEntry,c,l,loginShell,onVacation,birthDate,mailDisableMessage,gender,emailforward,mailCallout,mailGreylisting,mailRBL,mailRHSBL,mailWhitelist,mailContentInspectionAction,mailDefaultOptions by peername.ip=127.0.0.1 read by domain=alioth.debian.org none - by domain.subtree=@@DOMAIN@@ read + by domain.subtree=debian.org read by dn.regex="uid=.*,ou=users,@@DN@@" read by * none @@ -72,3 +82,17 @@ access to attrs=facsimileTelephoneNumber,telephoneNumber,postalAddress,postalCod # rest is globally readable access to * by * read + + +database hdb +directory "/var/lib/ldap-log" +suffix cn=log +# +sizelimit 10000 + +index reqStart eq +access to * + by group="cn=LDAP Administrator,ou=users,@@DN@@" write + by dn="uid=sshdist,ou=users,@@DN@@" read + by * none +