# Warning: This file is auto-generated and might be overwritten by
# univention-baseconfig.
# Please edit the files in the following directory instead:
# (The original file repeats this warning in German; the wording is the same.)
#
# /etc/univention/templates/files/etc/ldap/slapd.conf.d/
#
# OpenLDAP slapd.conf for the directory "dc=domb,dc=local" served by
# bmaster.domb.local (host name taken from the TLS certificate paths below).
# Layout: schema includes, global server options, one bdb database with its
# index and cache settings, then the access-control list (ACL). ACLs are
# evaluated top to bottom; the first "access to" clause whose target matches
# decides, unless its matching "by" clause ends in "break", which continues
# evaluation with the next clause.

# Schema files. Order matters where a schema references attribute types or
# object classes defined by an earlier one.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /usr/share/univention-ldap/schema/samba.schema
include /usr/share/univention-ldap/schema/mail.schema
include /usr/share/univention-ldap/schema/user.schema
include /usr/share/univention-ldap/schema/directory.schema
include /usr/share/univention-ldap/schema/policy.schema
include /usr/share/univention-ldap/schema/univention.schema
include /usr/share/univention-ldap/schema/lock.schema
include /usr/share/univention-ldap/schema/custom-attribute.schema
include /usr/share/univention-ldap/schema/krb5-kdc.schema
include /usr/share/univention-ldap/schema/dhcp.schema
include /usr/share/univention-ldap/schema/univention-dhcp.schema
include /usr/share/univention-ldap/schema/dnszone.schema
include /usr/share/univention-ldap/schema/univention-default.schema
include /usr/share/univention-ldap/schema/license.schema
include /usr/share/univention-ldap/schema/share.schema
include /usr/share/univention-ldap/schema/printer.schema
include /usr/share/univention-ldap/schema/automount.schema
include /usr/share/univention-ldap/schema/network.schema
include /usr/share/univention-ldap/schema/solaris.schema
include /usr/share/univention-ldap/schema/courier.schema
include /usr/share/univention-ldap/schema/rfc2739.schema
include /usr/share/univention-ldap/schema/kolab2.schema
include /usr/share/univention-ldap/schema/univention-kolab2.schema
include /usr/share/univention-ldap/schema/scalix.schema
include /usr/share/univention-ldap/schema/univention-scalix.schema
include /usr/share/univention-ldap/schema/univention-syntax.schema
include /usr/share/univention-ldap/schema/admin-settings.schema
include /usr/share/univention-ldap/schema/template.schema
include /usr/share/univention-ldap/schema/univention-ldap-acl.schema
include /usr/share/univention-ldap/schema/nagios.schema
include /usr/share/univention-ldap/schema/univention-directory.schema
include /usr/share/univention-ldap/schema/opsi.schema

# Global server options.
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# loglevel 0 turns slapd logging off entirely: no connection, bind or
# operation records reach syslog, so there is no server-side audit trail to
# investigate against. A non-zero level (e.g. "stats") is the usual minimum
# for detection work; left unchanged here because the file is generated.
loglevel 0
# bind_v2: accept LDAPv2 bind requests. update_anon: let anonymous clients
# submit update operations (still subject to the ACLs below). Both widen
# what unauthenticated clients may attempt; keep only if a consumer needs them.
allow bind_v2 update_anon
# Server certificate, private key and issuing CA for StartTLS / ldaps.
# NOTE(review): nothing in this file requires TLS for simple binds (no
# "security" directive, no TLSVerifyClient); whether a plaintext ldap://
# listener exists is decided by slapd's -h argument, which is not visible here.
TLSCertificateFile /etc/univention/ssl/bmaster.domb.local/cert.pem
TLSCertificateKeyFile /etc/univention/ssl/bmaster.domb.local/private.key
TLSCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem
# Maximum number of entries returned to a single search.
sizelimit 400000
# 0 disables the idle timeout: the server never closes idle client connections.
idletimeout 0
# Declares "entry-" as an attribute option (tag) prefix.
attributeoptions "entry-"

# database definition
modulepath /usr/lib/ldap
moduleload back_bdb.so
moduleload translog.so
database bdb
suffix "dc=domb,dc=local"
# Univention transaction-log overlay; it writes change records to the path
# given by "translog" for the Univention listener (semantics defined by the
# module, not by this file).
overlay translog
translog /var/lib/univention-ldap/listener/listener
# Entry cache and IDL (index result) cache sizes, in entries.
cachesize 20000
idlcachesize 20000
threads 16
# BDB checkpoint after 1024 KB of transaction log or 30 minutes, whichever first.
checkpoint 1024 30
# Indexes: attribute list followed by the index types maintained for it.
index cn,givenName,mail,sn,uid pres,eq,sub,approx
index automountInformation,description,displayName,mailAlternativeAddress,mailPrimaryAddress pres,eq,sub
index aRecord,dhcpHWAddress,gidNumber,homeDirectory,kolabHomeServer,krb5PrincipalName,macAddress,memberUid,objectClass,ou,uidNumber,uniqueMember,univentionPolicyReference,univentionUDMPropertyCLIName,univentionUDMPropertyDefault,univentionUDMPropertyDeleteObjectClass,univentionUDMPropertyDoNotSearch,univentionUDMPropertyHook,univentionUDMPropertyLayoutOverwritePosition,univentionUDMPropertyLayoutOverwriteTab,univentionUDMPropertyLayoutPosition,univentionUDMPropertyLayoutTabAdvanced,univentionUDMPropertyLayoutTabName,univentionUDMPropertyLdapMapping,univentionUDMPropertyLongDescription,univentionUDMPropertyModule,univentionUDMPropertyMultivalue,univentionUDMPropertyObjectClass,univentionUDMPropertyOptions,univentionUDMPropertyShortDescription,univentionUDMPropertySyntax,univentionUDMPropertyTranslationLongDescription,univentionUDMPropertyTranslationShortDescription,univentionUDMPropertyTranslationTabName,univentionUDMPropertyValueMayChange,univentionUDMPropertyValueRequired,univentionUDMPropertyVersion pres,eq
index cNAMERecord,pTRRecord,relativeDomainName,sambaAcctFlags,sambaDomainName,sambaGroupType,sambaPrimaryGroupSID,sambaSID,sambaSIDList,univentionLicenseModule,univentionLicenseObject,univentionNagiosHostname,univentionServerRole,univentionService,zoneName eq
# Index types applied to any later "index <attrs>" line that omits them.
index default sub
index alias approx
# Authenticated users ("users") get no server-side time limit (-1 = unlimited).
limits users time.soft=-1 time.hard=-1
directory "/var/lib/univention-ldap/ldap"
# Maintain the operational attributes (creatorsName, createTimestamp,
# modifiersName, modifyTimestamp, entryCSN) referenced by the ACLs below.
lastmod on

# --- ACLs for the OPSI subtree cn=opsi ---
# There is not yet a group for member servers comparable to "DC Slave Hosts"
# that could be queried to grant its members access. Therefore a separate
# group "OPSI Depot Servers" has to be created manually; it is evaluated in
# the ACLs below, and member servers that are to act as depot servers must be
# added to it.
#
# "group/univentionGroup/uniqueMember=<dn>" matches identities listed in the
# uniqueMember attribute of the named group entry.
access to dn.sub="cn=opsi,dc=domb,dc=local"
    by dn="cn=admin,dc=domb,dc=local" write
    by * none break

# Protect attribute opsiHostKey: only the admin DN and the listed groups may
# read or write it; everyone else gets nothing (no "break", evaluation stops).
access to attrs=opsiHostKey
    by dn="cn=admin,dc=domb,dc=local" write
    by group/univentionGroup/uniqueMember="cn=opsiadmin,cn=groups,dc=domb,dc=local" write
    by group/univentionGroup/uniqueMember="cn=DC Backup Hosts,cn=groups,dc=domb,dc=local" write
    by group/univentionGroup/uniqueMember="cn=DC Slave Hosts,cn=groups,dc=domb,dc=local" write
    by group/univentionGroup/uniqueMember="cn=OPSI Depot Servers,cn=groups,dc=domb,dc=local" write
    by * none

# New children can be added to cn=opsi
access to dn="cn=opsi,dc=domb,dc=local" attrs=children
    by group/univentionGroup/uniqueMember="cn=DC Backup Hosts,cn=groups,dc=domb,dc=local" write
    by group/univentionGroup/uniqueMember="cn=DC Slave Hosts,cn=groups,dc=domb,dc=local" write
    by group/univentionGroup/uniqueMember="cn=OPSI Depot Servers,cn=groups,dc=domb,dc=local" write
    by * none break

# cn=opsi shall be readable
access to dn="cn=opsi,dc=domb,dc=local" attrs="entryUUID,structuralObjectClass,creatorsName,modifiersName,modifyTimestamp,entryCSN,createTimestamp"
    by group/univentionGroup/uniqueMember="cn=DC Backup Hosts,cn=groups,dc=domb,dc=local" read
    by group/univentionGroup/uniqueMember="cn=DC Slave Hosts,cn=groups,dc=domb,dc=local" read
    by group/univentionGroup/uniqueMember="cn=OPSI Depot Servers,cn=groups,dc=domb,dc=local" write
    by * none break

access to dn="cn=opsi,dc=domb,dc=local"
    by group/univentionGroup/uniqueMember="cn=DC Backup Hosts,cn=groups,dc=domb,dc=local" read
    by group/univentionGroup/uniqueMember="cn=DC Slave Hosts,cn=groups,dc=domb,dc=local" read
    by group/univentionGroup/uniqueMember="cn=OPSI Depot Servers,cn=groups,dc=domb,dc=local" write
    by * none break

# Children (one) of cn=opsi shall be of objectClass organizationalRole only.
# "@organizationalRole" expands to all attributes of that object class; the
# filter limits the clause to entries that actually carry the class.
access to dn.one="cn=opsi,dc=domb,dc=local" attrs="@organizationalRole,entry,children,structuralObjectClass,entryCSN,entryUUID,modifyTimestamp,modifiersName,createTimestamp,creatorsName,entryDN,subschemaSubentry,hasSubordinates" filter="(objectClass=organizationalRole)"
    by group/univentionGroup/uniqueMember="cn=DC Backup Hosts,cn=groups,dc=domb,dc=local" write
    by group/univentionGroup/uniqueMember="cn=DC Slave Hosts,cn=groups,dc=domb,dc=local" write
    by group/univentionGroup/uniqueMember="cn=OPSI Depot Servers,cn=groups,dc=domb,dc=local" write
    by * none

# children of cn=opsi with the following objectClasses might be added and
# deleted at will
access to dn.regex="^.*,cn=[^,]+,cn=opsi,dc=domb,dc=local$" attrs="entry,children,@opsiNetworkConfig,@opsiGeneralConfig,@organizationalRole,@opsiProduct,@opsiServerProduct,@opsiLocalBootProduct,@opsiNetBootProduct,@opsiProductClass,@opsiDependency,@opsiProductDependency,@opsiProductClassDependency,@opsiConfig,@opsiUnicodeConfig,@opsiBoolConfig,@opsiConfigState,@opsiProductProperty,@opsiUnicodeProductProperty,@opsiBoolProductProperty,@opsiGroup,@opsiProductState,@opsiProductPropertyDefinition,@opsiProductOnDepot,@opsiProductOnClient,@opsiProductPropertyState,structuralObjectClass,entryCSN,entryUUID,modifyTimestamp,modifiersName,createTimestamp,creatorsName,entryDN,subschemaSubentry,hasSubordinates"
    by group/univentionGroup/uniqueMember="cn=DC Backup Hosts,cn=groups,dc=domb,dc=local" write
    by group/univentionGroup/uniqueMember="cn=DC Slave Hosts,cn=groups,dc=domb,dc=local" write
    by group/univentionGroup/uniqueMember="cn=OPSI Depot Servers,cn=groups,dc=domb,dc=local" write
    by * none break

# allow write access to Windows Hosts objectClasses opsiHost and opsiClient by
# all possible OPSI Depot/Config Servers
access to filter="(objectClass=univentionWindows)" attrs="@opsiHost,@opsiClient,description,macAddress,aRecord,univentionInventoryNumber,structuralObjectClass,entryCSN,entryUUID,modifyTimestamp,modifiersName,createTimestamp,creatorsName,entryDN,subschemaSubentry,hasSubordinates"
    by group/univentionGroup/uniqueMember="cn=DC Backup Hosts,cn=groups,dc=domb,dc=local" write
    by group/univentionGroup/uniqueMember="cn=DC Slave Hosts,cn=groups,dc=domb,dc=local" write
    by group/univentionGroup/uniqueMember="cn=OPSI Depot Servers,cn=groups,dc=domb,dc=local" write
    by * none break

# allow write access to univention Hosts objectClasses opsiHost, opsiDepotserver and opsiConfigserver by self
access to filter="(objectClass=univentionHost)" attrs="@opsiHost,@opsiDepotserver,@opsiConfigserver,description,macAddress,aRecord,univentionInventoryNumber"
    by self write
    by * none break

# Map Kerberos (GSSAPI) identities "uid=<principal>,cn=gssapi,cn=auth" to a
# directory entry via a subtree search under the suffix for uid=<principal>.
# "sasl-regexp" is the older spelling of "authz-regexp".
sasl-regexp uid=(.*),cn=gssapi,cn=auth ldap:///"dc=domb,dc=local"??sub?uid=$1

# --- General ACLs ---
# userPassword: anonymous clients may only use it to authenticate (simple
# bind); everyone else falls through to the password clauses further down.
access to attrs=userPassword
    by anonymous auth
    by * none break

# The rootdn-like admin entry is visible only to itself.
access to dn="cn=admin,dc=domb,dc=local"
    by self write
    by * none

# Any client connected through the local ldapi socket gets write access to
# everything. "sockname" matches the listener socket, not a user, so this
# relies entirely on the filesystem permissions of /var/run/slapd/ldapi,
# which are set outside this file — verify them when reviewing local privilege.
access to *
    by sockname="PATH=/var/run/slapd/ldapi" write
    by * none break

# Well-known accounts: writable by Domain Admins, root, the admin DN and the
# account itself; readable by everyone ("*" includes anonymous), then break.
access to dn="uid=Administrator,cn=users,dc=domb,dc=local"
    by group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,dc=domb,dc=local" write
    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
    by dn.base="cn=admin,dc=domb,dc=local" write
    by self write
    by * read break

access to dn="uid=join-backup,cn=users,dc=domb,dc=local"
    by group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,dc=domb,dc=local" write
    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
    by dn.base="cn=admin,dc=domb,dc=local" write
    by self write
    by * read break

access to dn="uid=join-slave,cn=users,dc=domb,dc=local"
    by group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,dc=domb,dc=local" write
    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
    by dn.base="cn=admin,dc=domb,dc=local" write
    by self write
    by * read break

# POSIX/NSS attributes: readable by everyone, including anonymous clients
# (needed for name-service lookups, but it also exposes account and group
# structure to unauthenticated clients).
access to attrs=entry,objectClass,uniqueMember,ou,uid,loginShell,homeDirectory,uidNumber,gidNumber,sn,cn,gecos,description,memberUid
    by group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,dc=domb,dc=local" write
    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
    by dn.base="cn=admin,dc=domb,dc=local" write
    by * read break

# Per-user admin settings: any authenticated identity ("users") may create
# children under the container; the next clause limits each user to the
# entry carrying its own uid.
access to dn="cn=admin-settings,cn=univention,dc=domb,dc=local" attrs="entry,children"
    by users write
    by * none break

# NOTE(review): $1 (the uid captured from the target DN) is substituted into
# the "by" pattern as text; confirm against slapd.access(5) whether regex
# metacharacters in a uid are escaped. Neither pattern is anchored with ^/$.
access to dn.regex="uid=([^,]+),cn=admin-settings,cn=univention,dc=domb,dc=local"
    by dn.regex="uid=$1,.*dc=domb,dc=local" write
    by dn.base="cn=admin,dc=domb,dc=local" write
    by * none

# Kolab mail settings: a user may edit only its own.
access to attrs="univentionKolabForwardActive,kolabForwardAddress,kolabForwardKeepCopy,kolabForwardUCE,univentionKolabDeliveryToFolderActive,univentionKolabDeliveryToFolderName,kolabDelegate,univentionKolabVacationActive,univentionKolabVacationText,kolabVacationResendInterval,kolabVacationReplyToUCE,kolabVacationAddress,kolabVacationReactDomain,univentionKolabVacationNoReactDomain,kolabInvitationPolicy"
    by self write
    by * none break

# Lock objects under cn=temporary: writable by the admin DN, Domain Admins
# (via set expression on the group's uniqueMember), any DC host and root.
# "set=" here expresses the same Domain Admins membership as the
# group/univentionGroup/uniqueMember= clauses above, in set syntax.
access to dn.regex="^cn=([^,]+),cn=([^,]+),cn=temporary,cn=univention,dc=domb,dc=local" filter="(&(objectClass=lock)(!(objectClass=posixAccount)))"
    by dn.base="cn=admin,dc=domb,dc=local" write
    by set="user & [cn=Domain Admins,cn=groups,dc=domb,dc=local]/uniqueMember*" write
    by dn.regex="[^,]+,cn=dc,cn=computers,dc=domb,dc=local" write
    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
    by * read break

access to dn.regex="^cn=([^,]+),cn=temporary,cn=univention,dc=domb,dc=local" attrs=children,entry
    by dn.base="cn=admin,dc=domb,dc=local" write
    by set="user & [cn=Domain Admins,cn=groups,dc=domb,dc=local]/uniqueMember*" write
    by dn.regex="[^,]+,cn=dc,cn=computers,dc=domb,dc=local" write
    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
    by * read break

access to dn.regex="^cn=([^,]+),cn=temporary,cn=univention,dc=domb,dc=local" attrs=univentionLastUsedValue
    by dn.base="cn=admin,dc=domb,dc=local" write
    by set="user & [cn=Domain Admins,cn=groups,dc=domb,dc=local]/uniqueMember*" write
    by dn.regex="[^,]+,cn=dc,cn=computers,dc=domb,dc=local" write
    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
    by * read break

# NOTE(review): the dn.regex targets in this and the next two clauses are
# unanchored, so they match wherever the text occurs in a DN; "^...$" anchors
# would state the intended target explicitly.
access to dn.regex="cn=computers,dc=domb,dc=local" attrs=children,entry
    by dn.base="cn=admin,dc=domb,dc=local" write
    by set="user & [cn=Domain Admins,cn=groups,dc=domb,dc=local]/uniqueMember*" write
    by dn.regex="[^,]+,cn=dc,cn=computers,dc=domb,dc=local" write
    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
    by * read break

# Windows host objects and the "Windows Hosts" group.
access to dn.regex=".*,dc=domb,dc=local" filter="(|(objectClass=univentionWindows)(&(objectClass=univentionGroup)(cn=Windows Hosts)))"
    by dn.base="cn=admin,dc=domb,dc=local" write
    by set="user & [cn=Domain Admins,cn=groups,dc=domb,dc=local]/uniqueMember*" write
    by dn.regex="[^,]+,cn=dc,cn=computers,dc=domb,dc=local" write
    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
    by * read break

# Samba domain object.
access to dn.regex=".*,dc=domb,dc=local" filter="(objectClass=sambaDomain)"
    by dn.base="cn=admin,dc=domb,dc=local" write
    by set="user & [cn=Domain Admins,cn=groups,dc=domb,dc=local]/uniqueMember*" write
    by dn.regex="[^,]+,cn=dc,cn=computers,dc=domb,dc=local" write
    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
    by * read break

# Credential attributes of domain controller accounts: the host itself may
# write them, other DC hosts may read them (hashes included), nobody else
# sees them. No "break": this clause is final for these attributes.
access to dn.regex="cn=.*,cn=dc,cn=computers,dc=domb,dc=local" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange
    by dn.base="cn=admin,dc=domb,dc=local" write
    by set="user & [cn=Domain Admins,cn=groups,dc=domb,dc=local]/uniqueMember*" write
    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
    by self write
    by dn.regex="[^,]+,cn=dc,cn=computers,dc=domb,dc=local" read
    by * none

# Credential attributes of member server accounts: DC hosts and the account
# itself may write; nobody else has access.
access to dn.regex="cn=.*,cn=memberserver,cn=computers,dc=domb,dc=local" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange
    by dn.base="cn=admin,dc=domb,dc=local" write
    by set="user & [cn=Domain Admins,cn=groups,dc=domb,dc=local]/uniqueMember*" write
    by dn.regex="[^,]+,cn=dc,cn=computers,dc=domb,dc=local" write
    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
    by self write
    by * none

# Samba identity attributes of member servers: DC hosts may write, everyone
# may read.
access to dn.regex="cn=.*,cn=memberserver,cn=computers,dc=domb,dc=local" attrs=objectClass,sambaSID,sambaPrimaryGroupSID,displayName,sambaAcctFlags
    by dn.base="cn=admin,dc=domb,dc=local" write
    by set="user & [cn=Domain Admins,cn=groups,dc=domb,dc=local]/uniqueMember*" write
    by dn.regex="[^,]+,cn=dc,cn=computers,dc=domb,dc=local" write
    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
    by * read break

# Credential attributes of all remaining entries (users etc.): DC hosts may
# write, member servers may read (this includes password hashes and the
# sambaClearTextPassword / sambaPreviousClearTextPassword attributes), nobody
# else — including the account owner — has access through this clause.
access to attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange,sambaPasswordHistory,sambaClearTextPassword,sambaPreviousClearTextPassword
    by dn.base="cn=admin,dc=domb,dc=local" write
    by set="user & [cn=Domain Admins,cn=groups,dc=domb,dc=local]/uniqueMember*" write
    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
    by dn.regex="[^,]+,cn=dc,cn=computers,dc=domb,dc=local" write
    by dn.regex="[^,]+,cn=memberserver,cn=computers,dc=domb,dc=local" read
    by * none

# Samba idmap container and its pool/mapping entries: writable by admins,
# DC hosts and member servers; invisible to everyone else.
access to dn.base="cn=idmap,cn=univention,dc=domb,dc=local"
    by dn.base="cn=admin,dc=domb,dc=local" write
    by set="user & [cn=Domain Admins,cn=groups,dc=domb,dc=local]/uniqueMember*" write
    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
    by dn.regex="[^,]+,cn=dc,cn=computers,dc=domb,dc=local" write
    by dn.regex="[^,]+,cn=memberserver,cn=computers,dc=domb,dc=local" write
    by * none

access to dn.regex=".*,cn=idmap,cn=univention,dc=domb,dc=local" filter="(|(&(objectClass=sambaUnixIdPool)(objectClass=organizationalRole)(objectClass=top))(&(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))"
    by dn.base="cn=admin,dc=domb,dc=local" write
    by set="user & [cn=Domain Admins,cn=groups,dc=domb,dc=local]/uniqueMember*" write
    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
    by dn.regex="[^,]+,cn=dc,cn=computers,dc=domb,dc=local" write
    by dn.regex="[^,]+,cn=memberserver,cn=computers,dc=domb,dc=local" write
    by * none

# Catch-all: everything not decided above is readable by everyone, including
# anonymous clients, and writable by the admin DN, Domain Admins and root.
access to *
    by dn.base="cn=admin,dc=domb,dc=local" write
    by set="user & [cn=Domain Admins,cn=groups,dc=domb,dc=local]/uniqueMember*" write
    by dn.base="uid=root,cn=users,dc=domb,dc=local" write
    by * read