Riga 391: | Riga 391: | ||
'''/etc/ldap/sldap.conf''': | '''/etc/ldap/sldap.conf''': | ||
<pre> | <pre> | ||
# | ####################################################################### | ||
# Global Directives: | |||
#sizelimit 20 | |||
timelimit -1 | |||
threads 8 | |||
# Features to permit | |||
allow bind_v2 | allow bind_v2 | ||
# Schema and objectClass definitions | # Schema and objectClass definitions | ||
include /etc/ldap/schema/core.schema | include /etc/ldap/schema/core.schema | ||
include /etc/ldap/schema/cosine.schema | include /etc/ldap/schema/cosine.schema | ||
include /etc/ldap/schema/nis.schema | include /etc/ldap/schema/nis.schema | ||
include /etc/ldap/schema/inetorgperson.schema | include /etc/ldap/schema/inetorgperson.schema | ||
include /etc/ldap/schema/samba.schema | include /etc/ldap/schema/qmailuser.schema | ||
pidfile /var/run/slapd/slapd.pid | include /etc/ldap/schema/samba.schema | ||
argsfile /var/run/slapd/slapd.args | include /etc/ldap/schema/hdb.schema | ||
loglevel | |||
modulepath /usr/lib/ldap | # Where the pid file is put. The init.d script | ||
moduleload back_bdb | # will not stop the server if you change this. | ||
pidfile /var/run/slapd/slapd.pid | |||
# List of arguments that were passed to the server | |||
argsfile /var/run/slapd/slapd.args | |||
# Read slapd.conf(5) for possible values | |||
loglevel none | |||
# Where the dynamically loaded modules are stored | |||
modulepath /usr/lib/ldap | |||
moduleload back_bdb | |||
# The maximum number of entries that is returned for a search operation | |||
sizelimit 500 | sizelimit 500 | ||
# The tool-threads parameter sets the actual amount of cpu's that is used | |||
# for indexing. | |||
tool-threads 1 | tool-threads 1 | ||
backend bdb | |||
####################################################################### | |||
database bdb | # Specific Backend Directives for bdb: | ||
suffix "dc=dominio,dc=local" | # Backend specific directives apply to this backend until another | ||
# 'backend' directive occurs | |||
backend bdb | |||
####################################################################### | |||
# Specific Backend Directives for 'other': | |||
# Backend specific directives apply to this backend until another | |||
# 'backend' directive occurs | |||
#backend <other> | |||
####################################################################### | |||
# Specific Directives for database #1, of type bdb: | |||
# Database specific directives apply to this databasse until another | |||
# 'database' directive occurs | |||
database bdb | |||
# The base of your directory in database #1 | |||
suffix "dc=dominio,dc=local" | |||
# rootdn directive for specifying a superuser on the database. This is needed | |||
# for syncrepl. | |||
rootdn "cn=admin,dc=dominio,dc=local" | rootdn "cn=admin,dc=dominio,dc=local" | ||
rootpw {MD5} | rootpw {MD5}8Fy5aWO9Ks1d5nFGx3aQ3D== | ||
directory "/var/lib/ldap" | |||
# Where the database file are physically stored for database #1 | |||
directory "/var/lib/ldap" | |||
# The dbconfig settings are used to generate a DB_CONFIG file the first | |||
# time slapd starts. | |||
dbconfig set_cachesize 0 2097152 0 | dbconfig set_cachesize 0 2097152 0 | ||
# Number of objects that can be locked at the same time. | |||
dbconfig set_lk_max_objects 1500 | dbconfig set_lk_max_objects 1500 | ||
# Number of locks (both requested and granted) | |||
dbconfig set_lk_max_locks 1500 | dbconfig set_lk_max_locks 1500 | ||
# Number of lockers | |||
dbconfig set_lk_max_lockers 1500 | dbconfig set_lk_max_lockers 1500 | ||
index objectClass eq | |||
index | # Indexing options for database #1 | ||
index | #index objectClass eq | ||
index | index mail,mailAlternateAddress,objectClass,deliveryMode,accountStatus,ou pres,$ | ||
index displayName | index cn pres,sub,eq | ||
index | index sn pres,sub,eq | ||
index sambaSID eq | index uid pres,sub,eq | ||
index sambaPrimaryGroupSID eq | index displayName pres,sub,eq | ||
index sambaDomainName eq | index uidNumber eq | ||
index | index gidNumber eq | ||
index | index memberUID eq | ||
index | index sambaSID eq | ||
index sambaPrimaryGroupSID eq | |||
lastmod on | index sambaDomainName eq | ||
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange | index mailHost eq | ||
by dn="cn=admin,dc=dominio,dc=local" write | index givenName pres,sub,eq | ||
by anonymous auth | index default sub | ||
by self write | |||
by * none | # Password Hash Definition | ||
access to attrs=shadowLastChange, | password-hash {MD5} | ||
# Overlay Unique | |||
overlay unique | |||
unique_uri ldap:///ou=Users,dc=dominio,dc=local?uidNumber,cn?sub | |||
unique_uri ldap:///ou=Groups,dc=dominio,dc=local?gidNumber,cn?sub | |||
# Save the time that the entry gets modified, for database #1 | |||
lastmod on | |||
# Checkpoint the BerkeleyDB database periodically in case of system | |||
# failure and to speed slapd shutdown. | |||
checkpoint 512 30 | |||
# Where to store the replica logs for database #1 | |||
# replogfile /var/lib/ldap/replog | |||
########################################################## | |||
# Configurazione dei permessi per i vari utenti | |||
# del'albero LDAP | |||
############################################################ | |||
# The userPassword by default can be changed | |||
# by the entry owning it if they are authenticated. | |||
# Others should not be able to see it, except the | |||
# admin entry below | |||
# These access lines apply to database #1 only | |||
#access to attrs=userPassword,shadowLastChange | |||
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange$ | |||
by dn="cn=admin,dc=dominio,dc=local" write | |||
by anonymous auth | |||
by self write | |||
by * none | |||
# Everyone must be able to read password expiry attributes, | |||
# if you are not granting rootdn access to workstations. | |||
# Otherwise, the client system won't be able to know if | |||
# user's password has expired, and will prompt him/her to | |||
# change his/her password everytime he/she logs in. | |||
# The owner must also be able to write it when he/she | |||
# changes his/her own password. | |||
access to attrs=shadowLastChange,sambaPwdLastSet,sambaPwdMustChange | |||
by dn="cn=admin,dc=dominio,dc=local" write | |||
by self write | by self write | ||
by * read | by * read | ||
# Ensure read access to the base for things like | |||
# supportedSASLMechanisms. Without this you may | |||
# have problems with SASL not knowing what | |||
# mechanisms are available and the like. | |||
# Note that this is covered by the 'access to *' | |||
# ACL below too but if you change that as people | |||
# are wont to do you'll still need this if you | |||
# want SASL (and possible other things) to work | |||
# happily. | |||
access to dn.base="" by * read | access to dn.base="" by * read | ||
# The admin dn has full write access, everyone else | |||
# can read everything. | |||
access to * | access to * | ||
by dn="cn=admin,dc=dominio,dc=local" write | by dn="cn=admin,dc=dominio,dc=local" write | ||
by * read | by * read | ||
# For Netscape Roaming support, each user gets a roaming | |||
# profile for which they have write access to | |||
#access to dn=".*,ou=Roaming,o=morsnet" | |||
# by dn="cn=admin,dc=dominio,dc=local" write | |||
# by dnattr=owner write | |||
####################################################################### | |||
# Specific Directives for database #2, of type 'other' (can be bdb too): | |||
# Database specific directives apply to this databasse until another | |||
# 'database' directive occurs | |||
#database <other> | |||
# The base of your directory for database #2 | |||
#suffix "dc=debian,dc=org" | |||
</pre> | </pre> | ||
Possiamo far ripartire <tt>slapd</tt> affinché tutte le modifiche apportate siano prese in considerazione. | Possiamo far ripartire <tt>slapd</tt> affinché tutte le modifiche apportate siano prese in considerazione. |
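Review bot: Two new-side directives are truncated: `index mail,mailAlternateAddress,objectClass,deliveryMode,accountStatus,ou pres,$` and `access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange$` end in a literal `$`, which looks like a terminal line-wrap marker captured when the file was copied rather than part of slapd.conf, so both attribute lists are cut short and slapd would reject or misread them; the full lines should be pasted. The new side also publishes what appears to be a real credential hash in `rootpw {MD5}8Fy5aWO9Ks1d5nFGx3aQ3D==`; a wiki page should show a placeholder such as `rootpw {SSHA}<hash-from-slappasswd>` instead. Relatedly, `password-hash {MD5}` stores user passwords as unsalted MD5, for which `password-hash {SSHA}` is the stronger drop-in. Finally, the closing `access to *` / `by * read` rule still grants anonymous binds read access to every attribute not matched earlier; if that is intended it deserves a one-line comment saying so.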