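# ###### SAMPLE 3 - DIRECTORY with enhanced ACL ############
#
# OpenLDAP slapd.conf sample (read by slapd at startup).
# Layout: one directive per line; a line that starts with whitespace is a
# continuation of the previous directive (used below for the "by" clauses).
#
# NOTES: inetorgperson picks up attributes and objectclasses
# from all three schemas
# devices objectclass is in core.schema
#
# NB: RH Linux schemas in /etc/openldap
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema

# NO REFERRALS
# DON'T bother with ARGS file

# pidfile allows scripts for stopping slapd to work
pidfile /var/run/slapd.pid

# enable a lot of logging - we might need it
# NB: -1 enables every log category; expect very large, verbose logs that may
# include request details - reduce this before running in production
loglevel -1

# NO dynamic backend modules
# NO TLS-enabled connections

#######################################################################
# bdb database definitions
#
# replace example and com below with a suitable domain
#
# If you don't have a domain you can leave it since example.com
# is reserved for experimentation or change them to My and inc
#######################################################################
database bdb
suffix "dc=example, dc=com"

# ACL Notes
# The following additional notes apply for 2.4:
# 1. attrs is now used instead of attr (to reduce warning messages)
# 2. Removed the ,expand modifier with all regex expressions since
#    2.4 rejected some (but not all) ACL's which contained this modifier
# 3. 2.4 checking is much more rigorous and rejected ACL 8 since it contained
#    attributes to be added later
# 4. If exact or base contains a regular expression substitution then
#    the expand keyword must be used
#
# access directives are evaluated in the order written: the first "access to"
# whose target matches decides the result (unless its matching "by" clause
# ends in "break"), so keep the specific ACLs (1-8A) ahead of the catch-all ACL9.

# ACL1
# userpassword: owner and itpeople may change it, anonymous may only use it
# to authenticate (bind); nobody can read the stored value
access to attrs=userpassword
  by self write
  by anonymous auth
  by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write
  by * none

# ACL2
# allow read of addressbook by owner and itpeople; no-one else see it
access to dn.regex="^ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$" attrs=entry
  by dn.exact,expand="cn=$1,ou=people,dc=example,dc=com" read
  by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write
  by users none

# ACL3
# allows itgroup to create addressbook but not see entries
# "break" continues evaluation with the following access directives
access to dn.regex="cn=[^,]+,ou=people,dc=example,dc=com$" attrs=children
  by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write
  by users none break

# ACL4
# allows creation of entries in own addressbook; no-one else can
# access it, needs write access to the ENTRY attribute (ACL5 or ACL6A)
# and the entries CHILDREN (ACL4)
access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$" attrs=children
  by dn.exact,expand="cn=$1,ou=people,dc=example,dc=com" write
  by users none

# ACL5 - only required prior to 2.2
# allow creation of entries in own addressbook; no-one else can
# access it, needs write access to the ENTRY attribute (ACL5 or ACL6A)
# and the entries CHILDREN (ACL4)
#access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$"
#  attrs=entry
#  by dn.exact,expand="cn=$1,ou=people,dc=example,dc=com" write
#  by users none

# ACL6 - only required prior to 2.2
# allow creation of entries in own addressbook; no-one else can
# access it
#access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$"
#  filter=(objectclass=inetorgperson)
#  by dn.exact,expand="cn=$1,ou=people,dc=example,dc=com" write
#  by users none

# ACL6A - 2.2+ replace both ACL5 and ACL6 with this ACL
access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$" attrs=entry,@inetorgperson
  by dn.exact,expand="cn=$1,ou=people,dc=example,dc=com" write
  by users none

# ACL7
# allows sales to create entries in customers
# authenticated user can only read
access to dn.one="ou=customers,dc=example,dc=com" attrs=children
  by group.exact="cn=salespeople,ou=groups,dc=example,dc=com" write
  by users read

# ACL8
# personal data: visible only to the owner and hrpeople
access to attrs=carlicense,homepostaladdress,homephone
  by self write
  by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write
  by * none

# ACL8A - control access to equipment
access to dn.one="ou=equipment,dc=example,dc=com"
  by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write
  by users read
  by * none

# ACL9 - catch-all for everything not matched above
# NB: "by self write" here lets every user modify ANY attribute of their own
# entry that an earlier ACL did not already cover (e.g. objectClass); narrow
# this with an attrs= list if that is not intended
access to *
  by self write
  by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write
  by users read
  by * none

# root or superuser
# rootpw must NOT be stored in cleartext: generate a hashed value with
#   slappasswd -s <password>
# paste its output ({SSHA}...) below, and keep slapd.conf readable only by
# the user slapd runs as
rootdn "cn=jimbob, dc=example, dc=com"
rootpw {SSHA}REPLACE-WITH-OUTPUT-OF-slappasswd

# The database directory MUST exist prior to running slapd AND
# change path as necessary
directory /var/db/openldap/example-com

# Indices to maintain for this directory
# unique id so equality match only
index uid eq
# allows general searching on commonname, givenname and email
index cn,gn,mail eq,sub
# allows multiple variants on surname searching
index sn eq,sub
# sub above includes subinitial,subany,subfinal
# optimise department searches
index ou eq
# if searches will include objectClass uncomment following
# index objectClass eq
# shows use of default index parameter
# (applies to every index directive that follows and gives no index types)
index default eq,sub
# indices missing - uses default eq,sub
index telephonenumber

# other database parameters
# read more in slapd.conf reference section
cachesize 10000
checkpoint 128 15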