From 91e87667ac77b0814130822608305c7c689e815f Mon Sep 17 00:00:00 2001 From: Peter Palfrader Date: Mon, 23 Jun 2008 22:58:12 +0200 Subject: [PATCH] Add userdir-ldap-slapd.conf, a snipped to be included in slapd.conf to the package. --- .bzrignore | 14 ++++++++ debian/changelog | 4 ++- debian/install | 1 + debian/rules | 4 +++ doc/slapd-config.txt | 43 +----------------------- userdir-ldap-slapd.conf.in | 68 ++++++++++++++++++++++++++++++++++++++ 6 files changed, 91 insertions(+), 43 deletions(-) create mode 100644 .bzrignore create mode 100644 userdir-ldap-slapd.conf.in diff --git a/.bzrignore b/.bzrignore new file mode 100644 index 0000000..76d8629 --- /dev/null +++ b/.bzrignore @@ -0,0 +1,14 @@ +userdir-ldap-slapd.conf +build +debian/files +debian/userdir-ldap +debian/userdir-ldap.postinst.debhelper +debian/userdir-ldap.prerm.debhelper +debian/userdir-ldap.substvars +doc/ud-generate.8 +doc/ud-gpgimport.8 +doc/ud-info.1 +doc/ud-mailgate.8 +doc/ud-useradd.8 +doc/ud-userimport.8 +doc/ud-xearth.1 diff --git a/debian/changelog b/debian/changelog index e780fd6..877c91f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -13,8 +13,10 @@ userdir-ldap (0.3.3X) Xnstable; urgency=low these 4 options should be the only ones that exist. * Allow setting of gender in ud-mailgate. Based on patch by Bernhard R. Link. + * Add userdir-ldap-slapd.conf, a snipped to be included in slapd.conf + to the package. - -- Peter Palfrader Mon, 09 Jun 2008 22:59:06 +0200 + -- Peter Palfrader Mon, 23 Jun 2008 22:52:36 +0200 userdir-ldap (0.3.32) unstable; urgency=low diff --git a/debian/install b/debian/install index 9758639..eafe287 100644 --- a/debian/install +++ b/debian/install @@ -24,3 +24,4 @@ userdir-ldap.conf etc/userdir-ldap/ generate.conf etc/userdir-ldap/ templates/ etc/userdir-ldap/ userdir-ldap.schema etc/ldap/schema/ +userdir-ldap-slapd.conf etc/ldap/ diff --git a/debian/rules b/debian/rules index 414f1fc..c868dfc 100755 --- a/debian/rules +++ b/debian/rules 
@@ -6,6 +6,9 @@ build: dh_testdir $(MAKE) -C doc + # feel free to put dc=debian,dc=org and debian.org into some config file so that this is easier on others who + # also use userdir-ldap. + sed -e 's/@@DN@@/dc=debian,dc=org/g; s/@@DOMAIN@@/debian.org/g' < userdir-ldap-slapd.conf.in > userdir-ldap-slapd.conf touch build clean: @@ -13,6 +16,7 @@ clean: rm -f build find . -name '*.py[co]' -print0 | xargs -0 --no-run-if-empty rm -f $(MAKE) -C doc clean + rm -f userdir-ldap-slapd.conf dh_clean binary-indep: build diff --git a/doc/slapd-config.txt b/doc/slapd-config.txt index cdf9191..bf44176 100644 --- a/doc/slapd-config.txt +++ b/doc/slapd-config.txt 
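Review bot: The `sed` line added to the `build:` recipe bakes `dc=debian,dc=org` and `debian.org` into the shipped ACL snippet, so a site that includes the installed file unchanged, as doc/slapd-config.txt now instructs, ends up with a `domain.subtree=debian.org read` clause granting read access to hosts it does not control; the comment right above the line already concedes the values belong in configuration. Turning the generated file into a real target of its `.in` and hoisting the two values into overridable variables addresses that and lets make regenerate the file only when the template changes (the `build` rule header itself lies outside the hunk). The values are spliced into the sed expression unescaped, so the variables need to be documented as plain DN/domain strings without `/`. The `clean:` hunk's `rm -f userdir-ldap-slapd.conf` already removes the output correctly and needs no change.
```make
# Site values substituted into the generated ACL snippet; override with
# `make LDAP_DN=... LDAP_DOMAIN=...`. Plain strings only: they are used
# unescaped inside the sed expression, so '/' is not allowed.
LDAP_DN ?= dc=debian,dc=org
LDAP_DOMAIN ?= debian.org

userdir-ldap-slapd.conf: userdir-ldap-slapd.conf.in
	sed -e 's/@@DN@@/$(LDAP_DN)/g; s/@@DOMAIN@@/$(LDAP_DOMAIN)/g' < $< > $@

# … unchanged: existing build: rule (dh_testdir, $(MAKE) -C doc, touch build) …
build: userdir-ldap-slapd.conf
```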
@@ -6,48 +6,7 @@ access controls to keep the data safe. Here is a sample: security simple_bind=128 # and the database definition -database bdb - -# Turn on automatic last modification time -lastmod on - -# Index some things -index uid eq -index keyfingerprint eq -index cn,sn approx,sub,eq - -# Administrate -#rootdn "uid=admin,ou=users,dc=debian,dc=org" -#rootpw - -# Restrict reading/modification of the password to administration and self -access to attrs=userpassword,sshrsaauthkey - by self write - by dn="uid=admin,ou=users,dc=debian,dc=org" write - by group="uid=admin,ou=users,dc=debian,dc=org" write - by * compare - -access to attrs=emailforward - by dn="uid=admin,ou=users,dc=debian,dc=org" write - by group="uid=admin,ou=users,dc=debian,dc=org" write - by self write - by addr=127.0.0.1 read - by domain=.*\.debian\.org read - by * none -access to attrs=c,l,loginShell,ircNick - by dn="uid=admin,ou=users,dc=debian,dc=org" write - by group="uid=admin,ou=users,dc=debian,dc=org" write - by self write -access to attrs=facsimileTelephoneNumber,telephoneNumber,postalAddress,postalC -ode,loginShell,onvacation,privateSub,latitude,longitude - by dn="uid=admin,ou=users,dc=debian,dc=org" write - by group="uid=admin,ou=users,dc=debian,dc=org" write - by self write - by dn="uid=.*,ou=users,dc=debian,dc=org" read - by * none -access to * - by dn="uid=admin,ou=users,dc=debian,dc=org" write - by group="uid=admin,ou=users,dc=debian,dc=org" write +include /etc/ldap/userdir-ldap-slapd.conf # Overlays are useful to enforce constraints: diff --git a/userdir-ldap-slapd.conf.in b/userdir-ldap-slapd.conf.in new file mode 100644 index 0000000..9cfda02 --- /dev/null +++ b/userdir-ldap-slapd.conf.in 
@@ -0,0 +1,68 @@
+# The backend type, ldbm, is the default standard
+database bdb
+
+# The base of your directory
+suffix "@@DN@@"
+
+# Where the database file are physically stored
+directory "/var/lib/ldap"
+
+# Indexing options
+index uid eq
+index keyfingerprint eq
+index cn,sn sub,eq
+index dnsZoneEntry eq
+index uidNumber eq
+index gidNumber eq
+index ircNick sub,eq
+index c eq
+index gender eq
+index birthDate eq
+
+# Don't limit queries to the default of 500
+sizelimit 10000
+
+# Save the time that the entry gets modified
+lastmod on
+
+# owner writeable
+access to attrs=userPassword,sshrsaauthkey
+ by group="cn=LDAP Administrator,ou=users,@@DN@@" write
+ by dn="uid=sshdist,ou=users,@@DN@@" write
+ by self write
+ by * compare
+
+# debian readable
+access to attrs=activity-pgp,activity-from,dnsZoneEntry
+ by group="cn=LDAP Administrator,ou=users,@@DN@@" write
+ by dn="uid=sshdist,ou=users,@@DN@@" write
+ by peername.ip=127.0.0.1 read
+ by domain=alioth.debian.org none
+ by domain.subtree=@@DOMAIN@@ read
+ by dn.regex="uid=.*,ou=users,@@DN@@" read
+ by * none
+
+# owner writeable, debian readable, authenticated user readable
+access to attrs=c,l,loginShell,ircNick,labeledURI,icqUIN,jabberJID,onVacation,birthDate,mailDisableMessage,gender,emailforward,mailCallout,mailGreylisting,mailRBL,mailRHSBL,mailWhitelist
+ by group="cn=LDAP Administrator,ou=users,@@DN@@" write
+ by dn="uid=sshdist,ou=users,@@DN@@" write
+ by self write
+ by dn.regex="uid=.*,ou=users,@@DN@@" read
+ by peername.ip=127.0.0.1 read
+ by domain=alioth.debian.org none
+ by domain.subtree=@@DOMAIN@@ read
+ by * none
+
+# owner writeable, authenticated user readable
+access to attrs=facsimileTelephoneNumber,telephoneNumber,postalAddress,postalCode,loginShell,onVacation,privateSub,latitude,longitude,VoIP
+ by group="cn=LDAP Administrator,ou=users,@@DN@@" write
+ by dn="uid=sshdist,ou=users,@@DN@@" write
+ by self write
+ by dn.regex="uid=.*,ou=users,@@DN@@" read
+ by * none
+
+# globally readable
+access to *
+ by group="cn=LDAP Administrator,ou=users,@@DN@@" write
+ by dn="uid=sshdist,ou=users,@@DN@@" write
+ by * read
--
2.20.1
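Review bot: `loginShell` and `onVacation` appear both in the `access to attrs=c,l,loginShell,…` clause and in the later `access to attrs=facsimileTelephoneNumber,…` clause; slapd uses the first `access to` whose attribute list matches, so for those two attributes the stricter "owner writeable, authenticated user readable" clause never fires and they get the "debian readable" policy, which includes `peername.ip=127.0.0.1` and `domain.subtree=@@DOMAIN@@` read. If the stricter policy is intended, drop them from the earlier list (`access to attrs=c,l,ircNick,labeledURI,icqUIN,jabberJID,birthDate,mailDisableMessage,gender,emailforward,mailCallout,mailGreylisting,mailRBL,mailRHSBL,mailWhitelist`); otherwise remove them from the later clause so the file states what it enforces. The closing `access to *` / `by * read` makes every attribute not named above anonymously readable, including any added to the schema later, which deserves a comment such as `# NOTE: any attribute not matched by a clause above is world-readable; add new attributes to an explicit clause`. `by domain=alioth.debian.org none` is the one site-specific host left hard-coded beside the templated `@@DOMAIN@@`, so it is a no-op for any other deployer and should either be templated or explained. The first comment still says `ldbm` while the directive is `database bdb`; `# The backend type` would be accurate.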