```
##VERSION: $Id: 7ee49247d1dbf52d4bb8e0b1a180f2411aa3628a-20160107214650$
#
# Copyright 2000-2016 Double Precision, Inc. See COPYING for
# distribution information.
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
# authldaprc created from authldaprc.dist by sysconftool
#
# DO NOT INSTALL THIS FILE with world read permissions. This file
# might contain the LDAP admin password!
#
# This configuration file specifies LDAP authentication parameters
#
# The format of this file must be as follows:
#
# field[spaces|tabs]value
#
# That is, the name of the field, followed by spaces or tabs, followed by
# field value. No trailing spaces.
#
# Changes to this file take effect immediately.
#
# Here are the fields:

##NAME: LOCATION:1
#
# Location of your LDAP server(s). If you have multiple LDAP servers,
# you can list them separated by commas and spaces, and they will be tried in
# turn.

LDAP_URI	ldaps://ldap.example.com, ldaps://backup.example.com

##NAME: LDAP_PROTOCOL_VERSION:0
#
# Which version of the LDAP protocol to use

LDAP_PROTOCOL_VERSION	3

##NAME: LDAP_BASEDN:0
#
# Look for authentication here:

LDAP_BASEDN	o=example, c=com

##NAME: LDAP_BINDDN:0
#
# You may or may not need to specify the following. Because you've got
# a password here, authldaprc should not be world-readable!!!

LDAP_BINDDN	cn=administrator, o=example, c=com
LDAP_BINDPW	toto

##NAME: LDAP_TIMEOUT:0
#
# Timeout for LDAP search and connection

LDAP_TIMEOUT	5

##NAME: LDAP_AUTHBIND:0
#
# Define this to have the LDAP server authenticate passwords. If LDAP_AUTHBIND
# is 1, the password is validated by rebinding with the supplied userid and
# password. If the rebind succeeds, this is considered to be an authenticated
# request. This does not support CRAM-MD5 authentication, which requires
# clearPassword. Additionally, if LDAP_AUTHBIND is 1 then password changes are
# done under the credentials of the user themselves, not LDAP_BINDDN/BINDPW
#
# LDAP_AUTHBIND	1

##NAME: LDAP_INITBIND:1
#
# Define this to do an initial bind to the administrator DN set in LDAP_BINDDN.
# If your LDAP server allows access without a bind, or you want to authenticate
# using a rebind (and have set LDAP_AUTHBIND to 1), you can set this to 0 and
# need not write the LDAP admin password into this file.
#
LDAP_INITBIND	1

##NAME: LDAP_MAIL:0
#
# Here's the field on which we query

LDAP_MAIL	mail

##NAME: LDAP_FILTER:0
#
# This LDAP filter will be ANDed with the query for the field defined above
# in LDAP_MAIL. So if you are querying for mail, and you have LDAP_FILTER
# defined to be "(objectClass=CourierMailAccount)" the query that is performed
# will be "(&(objectClass=CourierMailAccount)(mail=<someAccount>))"
#
# LDAP_FILTER	(objectClass=CourierMailAccount)

##NAME: LDAP_DOMAIN:0
#
# The following default domain will be appended, if not explicitly specified.
#
# LDAP_DOMAIN	example.com

##NAME: LDAP_GLOB_IDS:0
#
# The following two variables can be used to set everybody's uid and gid.
# This is convenient if your LDAP specifies a bunch of virtual mail accounts.
# The values can be usernames or userids:
#
# LDAP_GLOB_UID	vmail
# LDAP_GLOB_GID	vmail

##NAME: LDAP_HOMEDIR:0
#
# We will retrieve the following attributes
#
# The HOMEDIR attribute MUST exist, and we MUST be able to chdir to it

LDAP_HOMEDIR	homeDirectory

##NAME: LDAP_MAILROOT:0
#
# If homeDirectory is not an absolute path, define the root of the
# relative paths in LDAP_MAILROOT
#
# LDAP_MAILROOT	/var/mail


##NAME: LDAP_MAILDIR:0
#
# The MAILDIR attribute is OPTIONAL, and specifies the location of the
# mail directory. If not specified, ./Maildir will be used

LDAP_MAILDIR	mailbox

##NAME: LDAP_DEFAULTDELIVERY:0
#
# Courier mail server only: optional attribute specifies custom mail delivery
# instructions for this account (if defined) -- essentially overrides
# DEFAULTDELIVERY from ${sysconfdir}/courierd

LDAP_DEFAULTDELIVERY	defaultDelivery

##NAME: LDAP_MAILDIRQUOTA:0
#
# The following variable, if defined, specifies the field containing the
# maildir quota, see README.maildirquota for more information
#
# LDAP_MAILDIRQUOTA	quota


##NAME: LDAP_FULLNAME:0
#
# FULLNAME is optional, specifies the user's full name

LDAP_FULLNAME	cn

##NAME: LDAP_PW:0
#
# CLEARPW is the clear text password. CRYPT is the crypted password.
# ONE OF THESE TWO ATTRIBUTES IS REQUIRED. If CLEARPW is provided, and
# libhmac.a is available, CRAM authentication will be possible!

LDAP_CLEARPW	clearPassword
LDAP_CRYPTPW	userPassword

##NAME: LDAP_IDS:0
#
# Uncomment the following, and modify as appropriate, if your LDAP database
# stores individual userids and groupids. Otherwise, you must uncomment
# LDAP_GLOB_UID and LDAP_GLOB_GID above. LDAP_GLOB_UID and LDAP_GLOB_GID
# specify a uid/gid for everyone. Otherwise, LDAP_UID and LDAP_GID must
# be defined as attributes for everyone.
#
# LDAP_UID	uidNumber
# LDAP_GID	gidNumber


##NAME: LDAP_AUXOPTIONS:0
#
# Auxiliary options. The LDAP_AUXOPTIONS setting should contain a list of
# comma-separated "ATTRIBUTE=NAME" pairs. These names are additional
# attributes that define various per-account "options", as given in
# INSTALL's description of the OPTIONS setting.
#
# Each ATTRIBUTE specifies an LDAP attribute name. If it is present,
# the attribute value gets placed in the OPTIONS variable, with the name
# NAME. For example:
#
# LDAP_AUXOPTIONS	shared=sharedgroup,disableimap=disableimap
#
# Then, if an LDAP record contains the following attributes:
#
# shared: domain1
# disableimap: 0
#
# Then authldap will initialize OPTIONS to "sharedgroup=domain1,disableimap=0"
#
# NOTE: ** no spaces in this setting **, the above example has exactly
# one tab character after LDAP_AUXOPTIONS


##NAME: LDAP_ENUMERATE_FILTER:0
#
# Optional custom filter used when enumerating accounts for authenumerate,
# in order to compile a list of accounts for shared folders. If present,
# this filter will be used instead of LDAP_FILTER.
#
# LDAP_ENUMERATE_FILTER	(&(objectClass=CourierMailAccount)(!(disableshared=1)))


##NAME: LDAP_DEREF:0
#
# Determines how aliases are handled during a search. This option is available
# only with OpenLDAP 2.0
#
# LDAP_DEREF can be one of the following values:
# never, searching, finding, always. If not specified, aliases are
# never dereferenced.

LDAP_DEREF	never

##NAME: LDAP_TLS:0
#
# Set LDAP_TLS to 1 to use the Start TLS extension (RFC 2830). This is
# when the server accepts a normal LDAP connection on port 389 which
# the client then requests 'upgrading' to TLS, and is equivalent to the
# -ZZ flag to ldapsearch. If you are using an ldaps:// URI then do not
# set this option.
#
# For additional LDAP-related options, see the authdaemonrc config file.

LDAP_TLS	0

##NAME: LDAP_EMAILMAP:0
#
# The following optional settings, if enabled, result in an extra LDAP
# lookup to first locate a handle for an E-mail address, then a second lookup
# on that handle to get the actual authentication record. You'll need
# to uncomment these settings to enable an email handle lookup.
#
# The E-mail address must be of the form user@realm, and this is plugged
# into the following search string. "@user@" and "@realm@" are placeholders
# for the user and the realm portions of the login ID.
#
# LDAP_EMAILMAP	(&(userid=@user@)(realm=@realm@))

##NAME: LDAP_EMAILMAP_BASEDN:0
#
# Specify the basedn for the email lookup. The default is LDAP_BASEDN.
#
# LDAP_EMAILMAP_BASEDN	o=emailmap, c=com


##NAME: LDAP_EMAILMAP_ATTRIBUTE:0
#
# The attribute which holds the handle. The contents of this attribute
# are then plugged into the regular authentication lookup, and you must set
# LDAP_EMAILMAP_MAIL to the name of this attribute in the authentication
# records (which may be the same as LDAP_MAIL).
# You MUST also leave LDAP_DOMAIN undefined. This enables authenticating
# by handles only.
#
# Here's an example:
#
# dn: userid=john, realm=example.com, o=emailmap, c=com   # LDAP_EMAILMAP_BASEDN
# userid: john                                            # LDAP_EMAILMAP search
# realm: example.com                                      # LDAP_EMAILMAP search
# handle: cc223344                                        # LDAP_EMAILMAP_ATTRIBUTE
#
#
# dn: controlHandle=cc223344, o=example, c=com   # LDAP_BASEDN
# controlHandle: cc223344                        # LDAP_EMAILMAP_MAIL set to "controlHandle"
# uid: ...
# gid: ...
# [ etc... ]
#
# LDAP_EMAILMAP_ATTRIBUTE	handle

##NAME: LDAP_EMAILMAP_MAIL:0
#
# After reading LDAP_EMAILMAP_ATTRIBUTE, the second query will go against
# LDAP_BASEDN, but will key against LDAP_EMAILMAP_MAIL instead of LDAP_MAIL.
#
# LDAP_EMAILMAP_MAIL	mail

##NAME: MARKER:0
#
# Do not remove this section from this configuration file. This section
# must be present at the end of this file.
```
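The header, the LDAP_BINDDN/LDAP_BINDPW, LDAP_INITBIND and LDAP_TLS sections above describe combinations an administrator should check before installing this file. The following added Python example (not part of Courier authlib) parses the file's `field[spaces|tabs]value` format and flags those combinations; the sample fragment and the finding messages are constructed here.

```python
import re
from urllib.parse import urlsplit

# Constructed authldaprc fragment in the 'field[spaces|tabs]value' format: one
# plaintext ldap:// URI beside the ldaps:// one, LDAP_TLS 0, and a stored bind password.
SAMPLE = """\
##NAME: LOCATION:1
LDAP_URI\tldap://ldap.example.com, ldaps://backup.example.com
LDAP_BINDPW\ttoto
LDAP_INITBIND 1
LDAP_TLS 0
LDAP_CLEARPW clearPassword
"""

def parse_authldaprc(text):
    """Return {field: value}; lines starting with '#' (including ##NAME markers) are comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.rstrip()  # the format forbids trailing whitespace; tolerate it here
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)[ \t]+(.*)", line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def audit(cfg):
    """Findings about the transport and the credentials this file and the directory hold."""
    findings = []
    uris = [u.strip() for u in cfg.get("LDAP_URI", "").split(",") if u.strip()]
    schemes = {urlsplit(u).scheme for u in uris}
    start_tls = cfg.get("LDAP_TLS", "0") == "1"
    if "ldap" in schemes and not start_tls:
        findings.append("ldap:// URI with LDAP_TLS 0: bind and user passwords cross the network in clear")
    if "ldaps" in schemes and start_tls:
        findings.append("LDAP_TLS 1 with an ldaps:// URI: StartTLS must not be requested on ldaps://")
    if cfg.get("LDAP_BINDPW"):
        if cfg.get("LDAP_INITBIND", "1") == "0":
            findings.append("LDAP_BINDPW is set although LDAP_INITBIND 0 makes it unnecessary: remove it")
        else:
            findings.append("LDAP_BINDPW is stored in authldaprc: the file must not be world-readable")
    if "LDAP_CLEARPW" in cfg:
        findings.append("LDAP_CLEARPW is set: the directory holds clear-text passwords (needed only for CRAM)")
    return findings

def mode_is_world_readable(st_mode):
    """True when the 'other' read bit is set on a stat() st_mode value."""
    return bool(st_mode & 0o004)
```

On an installed file, pass `os.stat(path).st_mode` to `mode_is_world_readable` to verify the header's permission requirement.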
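The LDAP_FILTER, LDAP_DOMAIN, LDAP_AUXOPTIONS and LDAP_EMAILMAP sections above explain how a login ID becomes a search filter and how OPTIONS is assembled. This added Python example (not authldap's own code) models those rules on the comments' own sample values; the RFC 4515 escaping of the login ID is a defensive assumption made here, not something the file documents.

```python
# Constructed settings taken from the examples in the comments above.
CFG = {
    "LDAP_FILTER": "(objectClass=CourierMailAccount)",
    "LDAP_MAIL": "mail",
    "LDAP_DOMAIN": "example.com",
    "LDAP_AUXOPTIONS": "shared=sharedgroup,disableimap=disableimap",
    "LDAP_EMAILMAP": "(&(userid=@user@)(realm=@realm@))",
    "LDAP_EMAILMAP_MAIL": "controlHandle",
}
# RFC 4515 escaping of values placed inside a search filter; added here as a
# defensive measure so a login ID cannot alter the filter's structure (assumption).
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def ldap_filter_escape(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def _keyed_filter(cfg, attribute, value):
    """AND LDAP_FILTER (if set) with an equality match on the given attribute."""
    match = "(%s=%s)" % (attribute, ldap_filter_escape(value))
    extra = cfg.get("LDAP_FILTER")
    return "(&%s%s)" % (extra, match) if extra else match

def account_filter(cfg, login):
    """Regular lookup: append LDAP_DOMAIN when the login carries none, key on LDAP_MAIL."""
    if "@" not in login and cfg.get("LDAP_DOMAIN"):
        login = login + "@" + cfg["LDAP_DOMAIN"]
    return _keyed_filter(cfg, cfg["LDAP_MAIL"], login)

def emailmap_filter(cfg, login):
    """First lookup of the two-step mode: fill @user@ / @realm@ in LDAP_EMAILMAP."""
    user, sep, realm = login.partition("@")
    if not sep:
        raise ValueError("login must be user@realm for LDAP_EMAILMAP")
    return (cfg["LDAP_EMAILMAP"]
            .replace("@user@", ldap_filter_escape(user))
            .replace("@realm@", ldap_filter_escape(realm)))

def handle_filter(cfg, handle):
    """Second lookup: same as the regular one but keyed on LDAP_EMAILMAP_MAIL."""
    return _keyed_filter(cfg, cfg["LDAP_EMAILMAP_MAIL"], handle)

def options_from_entry(cfg, entry):
    """Build the OPTIONS string from LDAP_AUXOPTIONS 'ATTRIBUTE=NAME' pairs."""
    parts = []
    for pair in cfg.get("LDAP_AUXOPTIONS", "").split(","):
        attribute, sep, name = pair.partition("=")
        if sep and attribute in entry:
            parts.append("%s=%s" % (name, entry[attribute]))
    return ",".join(parts)
```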