[hcoop/debian/courier-authlib.git] / authldaprc

##VERSION: $Id: 7ee49247d1dbf52d4bb8e0b1a180f2411aa3628a-20160107214650$
#
# Copyright 2000-2016 Double Precision, Inc.  See COPYING for
# distribution information.
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
# authldaprc created from authldaprc.dist by sysconftool
#
# DO NOT INSTALL THIS FILE with world read permissions.  This file
# might contain the LDAP admin password!
#
# This configuration file specifies LDAP authentication parameters
#
# The format of this file must be as follows:
#
# field[spaces|tabs]value
#
# That is, the name of the field, followed by spaces or tabs, followed by
# field value.  No trailing spaces.
#
# Changes to this file take effect immediately.
#
# Here are the fields:

##NAME: LOCATION:1
#
# Location of your LDAP server(s). If you have multiple LDAP servers,
# you can list them separated by commas and spaces, and they will be tried in
# turn.

LDAP_URI		ldaps://ldap.example.com, ldaps://backup.example.com

##NAME: LDAP_PROTOCOL_VERSION:0
#
# Which version of LDAP protocol to use

LDAP_PROTOCOL_VERSION	3

##NAME: LDAP_BASEDN:0
#
# Look for authentication here:

LDAP_BASEDN		o=example, c=com

##NAME: LDAP_BINDDN:0
#
# You may or may not need to specify the following.  Because you've got
# a password here, authldaprc should not be world-readable!!!

LDAP_BINDDN		cn=administrator, o=example, c=com
LDAP_BINDPW		toto

##NAME: LDAP_TIMEOUT:0
#
# Timeout for LDAP search and connection

LDAP_TIMEOUT		5

##NAME: LDAP_AUTHBIND:0
#
# Define this to have the ldap server authenticate passwords.  If LDAP_AUTHBIND
# the password is validated by rebinding with the supplied userid and password.
# If rebind succeeds, this is considered to be an authenticated request.  This
# does not support CRAM-MD5 authentication, which requires clearPassword.
# Additionally, if LDAP_AUTHBIND is 1 then password changes are done under
# the credentials of the user themselves, not LDAP_BINDDN/BINDPW
#
# LDAP_AUTHBIND		1

##NAME: LDAP_INITBIND:1
#
# Define this to do an initial bind to the adminstrator DN set in LDAP_BINDDN.
# If your LDAP server allows access without a bind, or you want to authenticate
# using a rebind (and have set LDAP_AUTHBIND to 1, you can set this to 0 and
# need not write the LDAP-Admin passwort into this file.
#
LDAP_INITBIND		1

##NAME: LDAP_MAIL:0
#
# Here's the field on which we query

LDAP_MAIL		mail

##NAME: LDAP_FILTER:0
#
# This LDAP filter will be ANDed with the query for the field defined above
# in LDAP_MAIL.  So if you are querying for mail, and you have LDAP_FILTER
# defined to be "(objectClass=CourierMailAccount)" the query that is performed
# will be "(&(objectClass=CourierMailAccount)(mail=<someAccount>))"
#
# LDAP_FILTER           (objectClass=CourierMailAccount)

##NAME: LDAP_DOMAIN:0
#
# The following default domain will be appended, if not explicitly specified.
#
# LDAP_DOMAIN		example.com

##NAME: LDAP_GLOB_IDS:0
#
# The following two variables can be used to set everybody's uid and gid.
# This is convenient if your LDAP specifies a bunch of virtual mail accounts
# The values can be usernames or userids:
#
# LDAP_GLOB_UID		vmail
# LDAP_GLOB_GID		vmail

##NAME: LDAP_HOMEDIR:0
#
# We will retrieve the following attributes
#
# The HOMEDIR attribute MUST exist, and we MUST be able to chdir to it

LDAP_HOMEDIR		homeDirectory

##NAME: LDAP_MAILROOT:0
#
# If homeDirectory is not an absolute path, define the root of the
# relative paths in LDAP_MAILROOT
#
#  LDAP_MAILROOT        /var/mail


##NAME: LDAP_MAILDIR:0
#
# The MAILDIR attribute is OPTIONAL, and specifies the location of the
# mail directory.  If not specified, ./Maildir will be used

LDAP_MAILDIR		mailbox

##NAME: LDAP_DEFAULTDELIVERY:0
#
# Courier mail server only: optional attribute specifies custom mail delivery
# instructions for this account (if defined) -- essentially overrides
# DEFAULTDELIVERY from ${sysconfdir}/courierd

LDAP_DEFAULTDELIVERY	defaultDelivery

##NAME: LDAP_MAILDIRQUOTA:0
#
# The following variable, if defined, specifies the field containing the
# maildir quota, see README.maildirquota for more information
#
# LDAP_MAILDIRQUOTA	quota


##NAME: LDAP_FULLNAME:0
#
# FULLNAME is optional, specifies the user's full name

LDAP_FULLNAME		cn

##NAME: LDAP_PW:0
#
# CLEARPW is the clear text password.  CRYPT is the crypted password.
# ONE OF THESE TWO ATTRIBUTES IS REQUIRED.  If CLEARPW is provided, and
# libhmac.a is available, CRAM authentication will be possible!

LDAP_CLEARPW		clearPassword
LDAP_CRYPTPW		userPassword

##NAME: LDAP_IDS:0
#
# Uncomment the following, and modify as appropriate, if your LDAP database
# stores individual userids and groupids.  Otherwise, you must uncomment
# LDAP_GLOB_UID and LDAP_GLOB_GID above.  LDAP_GLOB_UID and LDAP_GLOB_GID
# specify a uid/gid for everyone.  Otherwise, LDAP_UID and LDAP_GID must
# be defined as attributes for everyone.
#
# LDAP_UID		uidNumber
# LDAP_GID		gidNumber


##NAME: LDAP_AUXOPTIONS:0
#
# Auxiliary options.  The LDAP_AUXOPTIONS setting should contain a list of
# comma-separated "ATTRIBUTE=NAME" pairs.  These names are additional
# attributes that define various per-account "options", as given in
# INSTALL's description of the OPTIONS setting.
#
# Each ATTRIBUTE specifies an LDAP attribute name.  If it is present,
# the attribute value gets placed in the OPTIONS variable, with the name
# NAME.  For example:
#
#    LDAP_AUXOPTIONS	shared=sharedgroup,disableimap=disableimap
#
# Then, if an LDAP record contains the following attributes:
#
#     shared: domain1
#     disableimap: 0
#
# Then authldap will initialize OPTIONS to "sharedgroup=domain1,disableimap=0"
#
# NOTE: ** no spaces in this setting **, the above example has exactly
# one tab character after LDAP_AUXOPTIONS


##NAME: LDAP_ENUMERATE_FILTER:0
#
# Optional custom filter used when enumerating accounts for authenumerate,
# in order to compile a list of accounts for shared folders. If present,
# this filter will be used instead of LDAP_FILTER.
#
# LDAP_ENUMERATE_FILTER	(&(objectClass=CourierMailAccount)(!(disableshared=1)))


##NAME: LDAP_DEREF:0
#
# Determines how aliases are handled during a search.  This option is available
# only with OpenLDAP 2.0
#
# LDAP_DEREF can be one of the following values:
# never, searching, finding, always. If not specified, aliases are
# never dereferenced.

LDAP_DEREF		never

##NAME: LDAP_TLS:0
#
# Set LDAP_TLS to 1 to use the Start TLS extension (RFC 2830). This is
# when the server accepts a normal LDAP connection on port 389 which
# the client then requests 'upgrading' to TLS, and is equivalent to the
# -ZZ flag to ldapsearch. If you are using an ldaps:// URI then do not
# set this option.
#
# For additional LDAP-related options, see the authdaemonrc config file.

LDAP_TLS		0

##NAME: LDAP_EMAILMAP:0
#
# The following optional settings, if enabled, result in an extra LDAP
# lookup to first locate a handle for an E-mail address, then a second lookup
# on that handle to get the actual authentication record.  You'll need
# to uncomment these settings to enable an email handle lookup.
#
# The E-mail address must be of the form user@realm, and this is plugged
# into the following search string.  "@user@" and "@realm@" are placeholders
# for the user and the realm portions of the login ID.
#
# LDAP_EMAILMAP		(&(userid=@user@)(realm=@realm@))

##NAME: LDAP_EMAILMAP_BASEDN:0
#
# Specify the basedn for the email lookup.  The default is LDAP_BASEDN.
#
# LDAP_EMAILMAP_BASEDN	o=emailmap, c=com


##NAME: LDAP_EMAILMAP_ATTRIBUTE:0
#
# The attribute which holds the handle.  The contents of this attribute
# are then plugged into the regular authentication lookup, and you must set
# LDAP_EMAILMAP_MAIL to the name of this attribute in the authentication
# records (which may be the same as LDAP_MAIL).
# You MUST also leave LDAP_DOMAIN undefined.  This enables authenticating
# by handles only.
#
# Here's an example:
#
# dn: userid=john, realm=example.com, o=emailmap, c=com # LDAP_EMAILMAP_BASEDN
# userid: john          # LDAP_EMAILMAP search
# realm: example.com    # LDAP_EMAILMAP search
# handle: cc223344      # LDAP_EMAILMAP_ATTRIBUTE
#
#
# dn: controlHandle=cc223344, o=example, c=com      # LDAP_BASEDN
# controlHandle: cc223344         # LDAP_EMAILMAP_MAIL set to "controlHandle"
# uid: ...
# gid: ...
# [ etc... ]
#
# LDAP_EMAILMAP_ATTRIBUTE handle

##NAME: LDAP_EMAILMAP_MAIL:0
#
# After reading LDAP_EMAIL_ATTRIBUTE, the second query will go against
# LDAP_BASEDN, but will key against LDAP_EMAILMAP_MAIL instead of LDAP_MAIL.
#
# LDAP_EMAILMAP_MAIL mail

##NAME: MARKER:0
#
# Do not remove this section from this configuration file. This section
# must be present at the end of this file.
Commit	Line	Data
0e333c05	1	##VERSION: $Id: 7ee49247d1dbf52d4bb8e0b1a180f2411aa3628a-20160107214650$
d9898ee8	2	#
0e333c05	3	# Copyright 2000-2016 Double Precision, Inc. See COPYING for
d9898ee8	4	# distribution information.
	5	#
	6	# Do not alter lines that begin with ##, they are used when upgrading
	7	# this configuration.
	8	#
	9	# authldaprc created from authldaprc.dist by sysconftool
	10	#
	11	# DO NOT INSTALL THIS FILE with world read permissions. This file
	12	# might contain the LDAP admin password!
	13	#
	14	# This configuration file specifies LDAP authentication parameters
	15	#
	16	# The format of this file must be as follows:
	17	#
	18	# field[spaces\|tabs]value
	19	#
	20	# That is, the name of the field, followed by spaces or tabs, followed by
	21	# field value. No trailing spaces.
	22	#
0e333c05 CE	23	# Changes to this file take effect immediately.
0e333c05 CE	24	#
d9898ee8	25	# Here are the fields:
	26
	27	##NAME: LOCATION:1
	28	#
	29	# Location of your LDAP server(s). If you have multiple LDAP servers,
	30	# you can list them separated by commas and spaces, and they will be tried in
	31	# turn.
	32
	33	LDAP_URI ldaps://ldap.example.com, ldaps://backup.example.com
	34
	35	##NAME: LDAP_PROTOCOL_VERSION:0
	36	#
	37	# Which version of LDAP protocol to use
	38
	39	LDAP_PROTOCOL_VERSION 3
	40
	41	##NAME: LDAP_BASEDN:0
	42	#
	43	# Look for authentication here:
	44
	45	LDAP_BASEDN o=example, c=com
	46
	47	##NAME: LDAP_BINDDN:0
	48	#
	49	# You may or may not need to specify the following. Because you've got
	50	# a password here, authldaprc should not be world-readable!!!
	51
	52	LDAP_BINDDN cn=administrator, o=example, c=com
	53	LDAP_BINDPW toto
	54
	55	##NAME: LDAP_TIMEOUT:0
	56	#
	57	# Timeout for LDAP search and connection
	58
	59	LDAP_TIMEOUT 5
	60
	61	##NAME: LDAP_AUTHBIND:0
	62	#
	63	# Define this to have the ldap server authenticate passwords. If LDAP_AUTHBIND
	64	# the password is validated by rebinding with the supplied userid and password.
	65	# If rebind succeeds, this is considered to be an authenticated request. This
	66	# does not support CRAM-MD5 authentication, which requires clearPassword.
	67	# Additionally, if LDAP_AUTHBIND is 1 then password changes are done under
	68	# the credentials of the user themselves, not LDAP_BINDDN/BINDPW
	69	#
	70	# LDAP_AUTHBIND 1
	71
b0322a85 CE	72	##NAME: LDAP_INITBIND:1
b0322a85 CE	73	#
0e333c05	74	# Define this to do an initial bind to the adminstrator DN set in LDAP_BINDDN.
b0322a85 CE	75	# If your LDAP server allows access without a bind, or you want to authenticate
	76	# using a rebind (and have set LDAP_AUTHBIND to 1, you can set this to 0 and
	77	# need not write the LDAP-Admin passwort into this file.
0e333c05	78	#
b0322a85 CE	79	LDAP_INITBIND 1
b0322a85 CE	80
d9898ee8	81	##NAME: LDAP_MAIL:0
	82	#
	83	# Here's the field on which we query
	84
	85	LDAP_MAIL mail
	86
	87	##NAME: LDAP_FILTER:0
	88	#
	89	# This LDAP filter will be ANDed with the query for the field defined above
	90	# in LDAP_MAIL. So if you are querying for mail, and you have LDAP_FILTER
	91	# defined to be "(objectClass=CourierMailAccount)" the query that is performed
	92	# will be "(&(objectClass=CourierMailAccount)(mail=<someAccount>))"
	93	#
	94	# LDAP_FILTER (objectClass=CourierMailAccount)
	95
	96	##NAME: LDAP_DOMAIN:0
	97	#
0e333c05	98	# The following default domain will be appended, if not explicitly specified.
d9898ee8	99	#
	100	# LDAP_DOMAIN example.com
	101
	102	##NAME: LDAP_GLOB_IDS:0
	103	#
	104	# The following two variables can be used to set everybody's uid and gid.
	105	# This is convenient if your LDAP specifies a bunch of virtual mail accounts
	106	# The values can be usernames or userids:
	107	#
	108	# LDAP_GLOB_UID vmail
	109	# LDAP_GLOB_GID vmail
	110
	111	##NAME: LDAP_HOMEDIR:0
	112	#
	113	# We will retrieve the following attributes
	114	#
	115	# The HOMEDIR attribute MUST exist, and we MUST be able to chdir to it
	116
	117	LDAP_HOMEDIR homeDirectory
	118
	119	##NAME: LDAP_MAILROOT:0
	120	#
	121	# If homeDirectory is not an absolute path, define the root of the
	122	# relative paths in LDAP_MAILROOT
	123	#
	124	# LDAP_MAILROOT /var/mail
	125
	126
	127	##NAME: LDAP_MAILDIR:0
	128	#
	129	# The MAILDIR attribute is OPTIONAL, and specifies the location of the
	130	# mail directory. If not specified, ./Maildir will be used
	131
	132	LDAP_MAILDIR mailbox
	133
	134	##NAME: LDAP_DEFAULTDELIVERY:0
	135	#
	136	# Courier mail server only: optional attribute specifies custom mail delivery
	137	# instructions for this account (if defined) -- essentially overrides
	138	# DEFAULTDELIVERY from ${sysconfdir}/courierd
	139
	140	LDAP_DEFAULTDELIVERY defaultDelivery
	141
	142	##NAME: LDAP_MAILDIRQUOTA:0
	143	#
	144	# The following variable, if defined, specifies the field containing the
	145	# maildir quota, see README.maildirquota for more information
	146	#
	147	# LDAP_MAILDIRQUOTA quota
	148
	149
	150	##NAME: LDAP_FULLNAME:0
	151	#
	152	# FULLNAME is optional, specifies the user's full name
	153
	154	LDAP_FULLNAME cn
	155
	156	##NAME: LDAP_PW:0
	157	#
	158	# CLEARPW is the clear text password. CRYPT is the crypted password.
	159	# ONE OF THESE TWO ATTRIBUTES IS REQUIRED. If CLEARPW is provided, and
	160	# libhmac.a is available, CRAM authentication will be possible!
	161
	162	LDAP_CLEARPW clearPassword
163	LDAP_CRYPTPW userPassword
164
165	##NAME: LDAP_IDS:0
166	#
167	# Uncomment the following, and modify as appropriate, if your LDAP database
168	# stores individual userids and groupids. Otherwise, you must uncomment
169	# LDAP_GLOB_UID and LDAP_GLOB_GID above. LDAP_GLOB_UID and LDAP_GLOB_GID
170	# specify a uid/gid for everyone. Otherwise, LDAP_UID and LDAP_GID must
171	# be defined as attributes for everyone.
172	#
173	# LDAP_UID uidNumber
174	# LDAP_GID gidNumber
175
176
177	##NAME: LDAP_AUXOPTIONS:0
178	#
179	# Auxiliary options. The LDAP_AUXOPTIONS setting should contain a list of
180	# comma-separated "ATTRIBUTE=NAME" pairs. These names are additional
0e333c05	181	# attributes that define various per-account "options", as given in
d9898ee8	182	# INSTALL's description of the OPTIONS setting.
	183	#
	184	# Each ATTRIBUTE specifies an LDAP attribute name. If it is present,
	185	# the attribute value gets placed in the OPTIONS variable, with the name
	186	# NAME. For example:
	187	#
	188	# LDAP_AUXOPTIONS shared=sharedgroup,disableimap=disableimap
	189	#
	190	# Then, if an LDAP record contains the following attributes:
	191	#
	192	# shared: domain1
	193	# disableimap: 0
	194	#
	195	# Then authldap will initialize OPTIONS to "sharedgroup=domain1,disableimap=0"
	196	#
	197	# NOTE: no spaces in this setting , the above example has exactly
	198	# one tab character after LDAP_AUXOPTIONS
	199
	200
	201	##NAME: LDAP_ENUMERATE_FILTER:0
	202	#
d9898ee8	203	# Optional custom filter used when enumerating accounts for authenumerate,
	204	# in order to compile a list of accounts for shared folders. If present,
	205	# this filter will be used instead of LDAP_FILTER.
	206	#
	207	# LDAP_ENUMERATE_FILTER (&(objectClass=CourierMailAccount)(!(disableshared=1)))
	208
	209
	210	##NAME: LDAP_DEREF:0
	211	#
	212	# Determines how aliases are handled during a search. This option is available
	213	# only with OpenLDAP 2.0
	214	#
	215	# LDAP_DEREF can be one of the following values:
	216	# never, searching, finding, always. If not specified, aliases are
	217	# never dereferenced.
	218
	219	LDAP_DEREF never
	220
	221	##NAME: LDAP_TLS:0
	222	#
	223	# Set LDAP_TLS to 1 to use the Start TLS extension (RFC 2830). This is
	224	# when the server accepts a normal LDAP connection on port 389 which
	225	# the client then requests 'upgrading' to TLS, and is equivalent to the
	226	# -ZZ flag to ldapsearch. If you are using an ldaps:// URI then do not
	227	# set this option.
	228	#
	229	# For additional LDAP-related options, see the authdaemonrc config file.
	230
	231	LDAP_TLS 0
	232
	233	##NAME: LDAP_EMAILMAP:0
	234	#
	235	# The following optional settings, if enabled, result in an extra LDAP
	236	# lookup to first locate a handle for an E-mail address, then a second lookup
	237	# on that handle to get the actual authentication record. You'll need
	238	# to uncomment these settings to enable an email handle lookup.
	239	#
	240	# The E-mail address must be of the form user@realm, and this is plugged
	241	# into the following search string. "@user@" and "@realm@" are placeholders
	242	# for the user and the realm portions of the login ID.
	243	#
	244	# LDAP_EMAILMAP (&(userid=@user@)(realm=@realm@))
	245
	246	##NAME: LDAP_EMAILMAP_BASEDN:0
	247	#
	248	# Specify the basedn for the email lookup. The default is LDAP_BASEDN.
	249	#
	250	# LDAP_EMAILMAP_BASEDN o=emailmap, c=com
	251
	252
	253	##NAME: LDAP_EMAILMAP_ATTRIBUTE:0
	254	#
	255	# The attribute which holds the handle. The contents of this attribute
	256	# are then plugged into the regular authentication lookup, and you must set
	257	# LDAP_EMAILMAP_MAIL to the name of this attribute in the authentication
	258	# records (which may be the same as LDAP_MAIL).
	259	# You MUST also leave LDAP_DOMAIN undefined. This enables authenticating
	260	# by handles only.
	261	#
	262	# Here's an example:
	263	#
	264	# dn: userid=john, realm=example.com, o=emailmap, c=com # LDAP_EMAILMAP_BASEDN
	265	# userid: john # LDAP_EMAILMAP search
	266	# realm: example.com # LDAP_EMAILMAP search
267	# handle: cc223344 # LDAP_EMAILMAP_ATTRIBUTE
268	#
269	#
270	# dn: controlHandle=cc223344, o=example, c=com # LDAP_BASEDN
271	# controlHandle: cc223344 # LDAP_EMAILMAP_MAIL set to "controlHandle"
272	# uid: ...
273	# gid: ...
274	# [ etc... ]
275	#
276	# LDAP_EMAILMAP_ATTRIBUTE handle
277
278	##NAME: LDAP_EMAILMAP_MAIL:0
279	#
280	# After reading LDAP_EMAIL_ATTRIBUTE, the second query will go against
281	# LDAP_BASEDN, but will key against LDAP_EMAILMAP_MAIL instead of LDAP_MAIL.
282	#
283	# LDAP_EMAILMAP_MAIL mail
0e333c05 CE	284
	285	##NAME: MARKER:0
	286	#
	287	# Do not remove this section from this configuration file. This section
	288	# must be present at the end of this file.