Univention Bugzilla – Attachment 3059 Details for Bug 21433: Joining an additional DC fails when opsi4ucs-ldap is installed _and_ opsi PCs have been created
/etc/ldap/slapd.conf
slapd.conf (text/plain), 17.39 KB, created by Gerd Wilhelm on 2011-02-21 10:17:16 CET
># Warning: This file is auto-generated and might be overwritten by
># univention-baseconfig.
># Please edit the files in the following directory instead:
>#
># /etc/univention/templates/files/etc/ldap/slapd.conf.d/
>#
>
>include /etc/ldap/schema/core.schema
>include /etc/ldap/schema/cosine.schema
>include /etc/ldap/schema/nis.schema
>include /etc/ldap/schema/inetorgperson.schema
>include /usr/share/univention-ldap/schema/samba.schema
>include /usr/share/univention-ldap/schema/mail.schema
>include /usr/share/univention-ldap/schema/user.schema
>include /usr/share/univention-ldap/schema/directory.schema
>include /usr/share/univention-ldap/schema/policy.schema
>include /usr/share/univention-ldap/schema/univention.schema
>include /usr/share/univention-ldap/schema/lock.schema
>include /usr/share/univention-ldap/schema/custom-attribute.schema
>include /usr/share/univention-ldap/schema/krb5-kdc.schema
>include /usr/share/univention-ldap/schema/dhcp.schema
>include /usr/share/univention-ldap/schema/univention-dhcp.schema
>include /usr/share/univention-ldap/schema/dnszone.schema
>include /usr/share/univention-ldap/schema/univention-default.schema
>include /usr/share/univention-ldap/schema/license.schema
>include /usr/share/univention-ldap/schema/share.schema
>include /usr/share/univention-ldap/schema/printer.schema
>include /usr/share/univention-ldap/schema/automount.schema
>include /usr/share/univention-ldap/schema/network.schema
>include /usr/share/univention-ldap/schema/solaris.schema
>include /usr/share/univention-ldap/schema/courier.schema
>include /usr/share/univention-ldap/schema/rfc2739.schema
>include /usr/share/univention-ldap/schema/kolab2.schema
>include /usr/share/univention-ldap/schema/univention-kolab2.schema
>include /usr/share/univention-ldap/schema/scalix.schema
>include /usr/share/univention-ldap/schema/univention-scalix.schema
>include /usr/share/univention-ldap/schema/univention-syntax.schema
>include /usr/share/univention-ldap/schema/admin-settings.schema
>include /usr/share/univention-ldap/schema/template.schema
>include /usr/share/univention-ldap/schema/univention-ldap-acl.schema
>include /usr/share/univention-ldap/schema/nagios.schema
>include /usr/share/univention-ldap/schema/univention-directory.schema
>
>include /usr/share/univention-ldap/schema/opsi.schema
>
>
>pidfile /var/run/slapd/slapd.pid
>argsfile /var/run/slapd/slapd.args
>loglevel 0
>allow bind_v2 update_anon
>
>TLSCertificateFile /etc/univention/ssl/bmaster.domb.local/cert.pem
>TLSCertificateKeyFile /etc/univention/ssl/bmaster.domb.local/private.key
>TLSCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem
>
>sizelimit 400000
>
>idletimeout 0
>
>attributeoptions "entry-"
>
># database definition
>modulepath /usr/lib/ldap
>moduleload back_bdb.so
>moduleload translog.so
>
>
>database bdb
>suffix "dc=domb,dc=local"
>
>overlay translog
>translog /var/lib/univention-ldap/listener/listener
>
>
>cachesize 20000
>idlcachesize 20000
>threads 16
>
>checkpoint 1024 30
>index cn,givenName,mail,sn,uid pres,eq,sub,approx
>index automountInformation,description,displayName,mailAlternativeAddress,mailPrimaryAddress pres,eq,sub
>index aRecord,dhcpHWAddress,gidNumber,homeDirectory,kolabHomeServer,krb5PrincipalName,macAddress,memberUid,objectClass,ou,uidNumber,uniqueMember,univentionPolicyReference,univentionUDMPropertyCLIName,univentionUDMPropertyDefault,univentionUDMPropertyDeleteObjectClass,univentionUDMPropertyDoNotSearch,univentionUDMPropertyHook,univentionUDMPropertyLayoutOverwritePosition,univentionUDMPropertyLayoutOverwriteTab,univentionUDMPropertyLayoutPosition,univentionUDMPropertyLayoutTabAdvanced,univentionUDMPropertyLayoutTabName,univentionUDMPropertyLdapMapping,univentionUDMPropertyLongDescription,univentionUDMPropertyModule,univentionUDMPropertyMultivalue,univentionUDMPropertyObjectClass,univentionUDMPropertyOptions,univentionUDMPropertyShortDescription,univentionUDMPropertySyntax,univentionUDMPropertyTranslationLongDescription,univentionUDMPropertyTranslationShortDescription,univentionUDMPropertyTranslationTabName,univentionUDMPropertyValueMayChange,univentionUDMPropertyValueRequired,univentionUDMPropertyVersion pres,eq
>index cNAMERecord,pTRRecord,relativeDomainName,sambaAcctFlags,sambaDomainName,sambaGroupType,sambaPrimaryGroupSID,sambaSID,sambaSIDList,univentionLicenseModule,univentionLicenseObject,univentionNagiosHostname,univentionServerRole,univentionService,zoneName eq
>index default sub
>index alias approx
>
>
>limits users time.soft=-1 time.hard=-1
>
>
>
>directory "/var/lib/univention-ldap/ldap"
>lastmod on
>
># For member servers there is so far no group like DC Slave Hosts that
># could be queried to grant its members access. For this reason a
># separate group "OPSI Depot Servers" has to be created manually; it is
># evaluated in the ACLs, and the member servers must be added to it
># if they are to serve as depot servers.
>
>access to dn.sub="cn=opsi,dc=domb,dc=local"
>    by dn="cn=admin,dc=domb,dc=local" write
>    by * none break
>
># Protect attribute opsiHostKey
>access to attrs=opsiHostKey
>    by dn="cn=admin,dc=domb,dc=local" write
>    by group/univentionGroup/uniqueMember="cn=opsiadmin,cn=groups,dc=domb,dc=local" write
>    by group/univentionGroup/uniqueMember="cn=DC Backup Hosts,cn=groups,dc=domb,dc=local" write
>    by group/univentionGroup/uniqueMember="cn=DC Slave Hosts,cn=groups,dc=domb,dc=local" write
>    by group/univentionGroup/uniqueMember="cn=OPSI Depot Servers,cn=groups,dc=domb,dc=local" write
>    by * none
>
># New children can be added to cn=opsi
>access to dn="cn=opsi,dc=domb,dc=local"
>    attrs=children
>    by group/univentionGroup/uniqueMember="cn=DC Backup Hosts,cn=groups,dc=domb,dc=local" write
>    by group/univentionGroup/uniqueMember="cn=DC Slave Hosts,cn=groups,dc=domb,dc=local" write
>    by group/univentionGroup/uniqueMember="cn=OPSI Depot Servers,cn=groups,dc=domb,dc=local" write
>    by * none break
>
># cn=opsi shall be readable
>access to dn="cn=opsi,dc=domb,dc=local"
>    attrs="entryUUID,structuralObjectClass,creatorsName,modifiersName,modifyTimestamp,entryCSN,createTimestamp"
>    by group/univentionGroup/uniqueMember="cn=DC Backup Hosts,cn=groups,dc=domb,dc=local" read
>    by group/univentionGroup/uniqueMember="cn=DC Slave Hosts,cn=groups,dc=domb,dc=local" read
>    by group/univentionGroup/uniqueMember="cn=OPSI Depot Servers,cn=groups,dc=domb,dc=local" write
>    by * none break
>
>access to dn="cn=opsi,dc=domb,dc=local"
>    by group/univentionGroup/uniqueMember="cn=DC Backup Hosts,cn=groups,dc=domb,dc=local" read
>    by group/univentionGroup/uniqueMember="cn=DC Slave Hosts,cn=groups,dc=domb,dc=local" read
>    by group/univentionGroup/uniqueMember="cn=OPSI Depot Servers,cn=groups,dc=domb,dc=local" write
>    by * none break
>
># Children (one) of cn=opsi shall be of objectClass organizationalRole only
>access to dn.one="cn=opsi,dc=domb,dc=local"
>    attrs="@organizationalRole,entry,children,structuralObjectClass,entryCSN,entryUUID,modifyTimestamp,modifiersName,createTimestamp,creatorsName,entryDN,subschemaSubentry,hasSubordinates"
>    filter="(objectClass=organizationalRole)"
>    by group/univentionGroup/uniqueMember="cn=DC Backup Hosts,cn=groups,dc=domb,dc=local" write
>    by group/univentionGroup/uniqueMember="cn=DC Slave Hosts,cn=groups,dc=domb,dc=local" write
>    by group/univentionGroup/uniqueMember="cn=OPSI Depot Servers,cn=groups,dc=domb,dc=local" write
>    by * none
>
># children of cn=opsi with the following objectClasses might be added and
># deleted at will
>access to dn.regex="^.*,cn=[^,]+,cn=opsi,dc=domb,dc=local$"
>    attrs="entry,children,@opsiNetworkConfig,@opsiGeneralConfig,@organizationalRole,@opsiProduct,@opsiServerProduct,@opsiLocalBootProduct,@opsiNetBootProduct,@opsiProductClass,@opsiDependency,@opsiProductDependency,@opsiProductClassDependency,@opsiConfig,@opsiUnicodeConfig,@opsiBoolConfig,@opsiConfigState,@opsiProductProperty,@opsiUnicodeProductProperty,@opsiBoolProductProperty,@opsiGroup,@opsiProductState,@opsiProductPropertyDefinition,@opsiProductOnDepot,@opsiProductOnClient,@opsiProductPropertyState,structuralObjectClass,entryCSN,entryUUID,modifyTimestamp,modifiersName,createTimestamp,creatorsName,entryDN,subschemaSubentry,hasSubordinates"
>    by group/univentionGroup/uniqueMember="cn=DC Backup Hosts,cn=groups,dc=domb,dc=local" write
>    by group/univentionGroup/uniqueMember="cn=DC Slave Hosts,cn=groups,dc=domb,dc=local" write
>    by group/univentionGroup/uniqueMember="cn=OPSI Depot Servers,cn=groups,dc=domb,dc=local" write
>    by * none break
>
># allow write access to Windows Hosts objectClasses opsiHost and opsiClient by
># all possible OPSI Depot/Config Servers
>access to filter="(objectClass=univentionWindows)"
>    attrs="@opsiHost,@opsiClient,description,macAddress,aRecord,univentionInventoryNumber,structuralObjectClass,entryCSN,entryUUID,modifyTimestamp,modifiersName,createTimestamp,creatorsName,entryDN,subschemaSubentry,hasSubordinates"
>    by group/univentionGroup/uniqueMember="cn=DC Backup Hosts,cn=groups,dc=domb,dc=local" write
>    by group/univentionGroup/uniqueMember="cn=DC Slave Hosts,cn=groups,dc=domb,dc=local" write
>    by group/univentionGroup/uniqueMember="cn=OPSI Depot Servers,cn=groups,dc=domb,dc=local" write
>    by * none break
>
># allow write access to univention Hosts objectClasses opsiHost, opsiDepotserver and opsiConfigserver by self
>access to filter="(objectClass=univentionHost)"
>    attrs="@opsiHost,@opsiDepotserver,@opsiConfigserver,description,macAddress,aRecord,univentionInventoryNumber"
>    by self write
>    by * none break
>
>sasl-regexp
>    uid=(.*),cn=gssapi,cn=auth
>    ldap:///"dc=domb,dc=local"??sub?uid=$1
>
>access to attrs=userPassword
>    by anonymous auth
>    by * none break
>
>access to dn="cn=admin,dc=domb,dc=local"
>    by self write
>    by * none
>
>access to *
>    by sockname="PATH=/var/run/slapd/ldapi" write
>    by * none break
>
>access to dn="uid=Administrator,cn=users,dc=domb,dc=local"
>    by group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,dc=domb,dc=local" write
>    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
>    by dn.base="cn=admin,dc=domb,dc=local" write
>    by self write
>    by * read break
>
>access to dn="uid=join-backup,cn=users,dc=domb,dc=local"
>    by group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,dc=domb,dc=local" write
>    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
>    by dn.base="cn=admin,dc=domb,dc=local" write
>    by self write
>    by * read break
>
>access to dn="uid=join-slave,cn=users,dc=domb,dc=local"
>    by group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,dc=domb,dc=local" write
>    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
>    by dn.base="cn=admin,dc=domb,dc=local" write
>    by self write
>    by * read break
>
>access to attrs=entry,objectClass,uniqueMember,ou,uid,loginShell,homeDirectory,uidNumber,gidNumber,sn,cn,gecos,description,memberUid
>    by group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,dc=domb,dc=local" write
>    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
>    by dn.base="cn=admin,dc=domb,dc=local" write
>    by * read break
>
>
>
>
>access to dn="cn=admin-settings,cn=univention,dc=domb,dc=local" attrs="entry,children"
>    by users write
>    by * none break
>
>access to dn.regex="uid=([^,]+),cn=admin-settings,cn=univention,dc=domb,dc=local"
>    by dn.regex="uid=$1,.*dc=domb,dc=local" write
>    by dn.base="cn=admin,dc=domb,dc=local" write
>    by * none
>
>
>access to attrs="univentionKolabForwardActive,kolabForwardAddress,kolabForwardKeepCopy,kolabForwardUCE,univentionKolabDeliveryToFolderActive,univentionKolabDeliveryToFolderName,kolabDelegate,univentionKolabVacationActive,univentionKolabVacationText,kolabVacationResendInterval,kolabVacationReplyToUCE,kolabVacationAddress,kolabVacationReactDomain,univentionKolabVacationNoReactDomain,kolabInvitationPolicy"
>    by self write
>    by * none break
>
>access to dn.regex="^cn=([^,]+),cn=([^,]+),cn=temporary,cn=univention,dc=domb,dc=local" filter="(&(objectClass=lock)(!(objectClass=posixAccount)))"
>    by dn.base="cn=admin,dc=domb,dc=local" write
>    by set="user & [cn=Domain Admins,cn=groups,dc=domb,dc=local]/uniqueMember*" write
>    by dn.regex="[^,]+,cn=dc,cn=computers,dc=domb,dc=local" write
>    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
>    by * read break
>access to dn.regex="^cn=([^,]+),cn=temporary,cn=univention,dc=domb,dc=local" attrs=children,entry
>    by dn.base="cn=admin,dc=domb,dc=local" write
>    by set="user & [cn=Domain Admins,cn=groups,dc=domb,dc=local]/uniqueMember*" write
>    by dn.regex="[^,]+,cn=dc,cn=computers,dc=domb,dc=local" write
>    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
>    by * read break
>access to dn.regex="^cn=([^,]+),cn=temporary,cn=univention,dc=domb,dc=local" attrs=univentionLastUsedValue
>    by dn.base="cn=admin,dc=domb,dc=local" write
>    by set="user & [cn=Domain Admins,cn=groups,dc=domb,dc=local]/uniqueMember*" write
>    by dn.regex="[^,]+,cn=dc,cn=computers,dc=domb,dc=local" write
>    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
>    by * read break
>access to dn.regex="cn=computers,dc=domb,dc=local" attrs=children,entry
>    by dn.base="cn=admin,dc=domb,dc=local" write
>    by set="user & [cn=Domain Admins,cn=groups,dc=domb,dc=local]/uniqueMember*" write
>    by dn.regex="[^,]+,cn=dc,cn=computers,dc=domb,dc=local" write
>    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
>    by * read break
>access to dn.regex=".*,dc=domb,dc=local" filter="(|(objectClass=univentionWindows)(&(objectClass=univentionGroup)(cn=Windows Hosts)))"
>    by dn.base="cn=admin,dc=domb,dc=local" write
>    by set="user & [cn=Domain Admins,cn=groups,dc=domb,dc=local]/uniqueMember*" write
>    by dn.regex="[^,]+,cn=dc,cn=computers,dc=domb,dc=local" write
>    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
>    by * read break
>access to dn.regex=".*,dc=domb,dc=local" filter="(objectClass=sambaDomain)"
>    by dn.base="cn=admin,dc=domb,dc=local" write
>    by set="user & [cn=Domain Admins,cn=groups,dc=domb,dc=local]/uniqueMember*" write
>    by dn.regex="[^,]+,cn=dc,cn=computers,dc=domb,dc=local" write
>    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
>    by * read break
>access to dn.regex="cn=.*,cn=dc,cn=computers,dc=domb,dc=local" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange
>    by dn.base="cn=admin,dc=domb,dc=local" write
>    by set="user & [cn=Domain Admins,cn=groups,dc=domb,dc=local]/uniqueMember*" write
>    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
>    by self write
>    by dn.regex="[^,]+,cn=dc,cn=computers,dc=domb,dc=local" read
>    by * none
>access to dn.regex="cn=.*,cn=memberserver,cn=computers,dc=domb,dc=local" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange
>    by dn.base="cn=admin,dc=domb,dc=local" write
>    by set="user & [cn=Domain Admins,cn=groups,dc=domb,dc=local]/uniqueMember*" write
>    by dn.regex="[^,]+,cn=dc,cn=computers,dc=domb,dc=local" write
>    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
>    by self write
>    by * none
>access to dn.regex="cn=.*,cn=memberserver,cn=computers,dc=domb,dc=local" attrs=objectClass,sambaSID,sambaPrimaryGroupSID,displayName,sambaAcctFlags
>    by dn.base="cn=admin,dc=domb,dc=local" write
>    by set="user & [cn=Domain Admins,cn=groups,dc=domb,dc=local]/uniqueMember*" write
>    by dn.regex="[^,]+,cn=dc,cn=computers,dc=domb,dc=local" write
>    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
>    by * read break
>access to attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange,sambaPasswordHistory,sambaClearTextPassword,sambaPreviousClearTextPassword
>    by dn.base="cn=admin,dc=domb,dc=local" write
>    by set="user & [cn=Domain Admins,cn=groups,dc=domb,dc=local]/uniqueMember*" write
>    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
>    by dn.regex="[^,]+,cn=dc,cn=computers,dc=domb,dc=local" write
>    by dn.regex="[^,]+,cn=memberserver,cn=computers,dc=domb,dc=local" read
>    by * none
>access to dn.base="cn=idmap,cn=univention,dc=domb,dc=local"
>    by dn.base="cn=admin,dc=domb,dc=local" write
>    by set="user & [cn=Domain Admins,cn=groups,dc=domb,dc=local]/uniqueMember*" write
>    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
>    by dn.regex="[^,]+,cn=dc,cn=computers,dc=domb,dc=local" write
>    by dn.regex="[^,]+,cn=memberserver,cn=computers,dc=domb,dc=local" write
>    by * none
>access to dn.regex=".*,cn=idmap,cn=univention,dc=domb,dc=local" filter="(|(&(objectClass=sambaUnixIdPool)(objectClass=organizationalRole)(objectClass=top))(&(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))"
>    by dn.base="cn=admin,dc=domb,dc=local" write
>    by set="user & [cn=Domain Admins,cn=groups,dc=domb,dc=local]/uniqueMember*" write
>    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
>    by dn.regex="[^,]+,cn=dc,cn=computers,dc=domb,dc=local" write
>    by dn.regex="[^,]+,cn=memberserver,cn=computers,dc=domb,dc=local" write
>    by * none
>access to *
>    by dn.base="cn=admin,dc=domb,dc=local" write
>    by set="user & [cn=Domain Admins,cn=groups,dc=domb,dc=local]/uniqueMember*" write
>    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
>    by * read