authldaprc

   1 ##VERSION: $Id: authldaprc 265 2013-02-25 03:49:33Z mrsam $
   2 #
   3 # Copyright 2000-2004 Double Precision, Inc.  See COPYING for
   4 # distribution information.
   5 #
   6 # Do not alter lines that begin with ##, they are used when upgrading
   7 # this configuration.
   8 #
   9 # authldaprc created from authldaprc.dist by sysconftool
  10 #
  11 # DO NOT INSTALL THIS FILE with world read permissions.  This file
  12 # might contain the LDAP admin password!
  13 #
  14 # This configuration file specifies LDAP authentication parameters
  15 #
  16 # The format of this file must be as follows:
  17 #
  18 # field[spaces|tabs]value
  19 #
  20 # That is, the name of the field, followed by spaces or tabs, followed by
  21 # field value.  No trailing spaces.
  22 #
  23 # Here are the fields:
  24
  25 ##NAME: LOCATION:1
  26 #
  27 # Location of your LDAP server(s). If you have multiple LDAP servers,
  28 # you can list them separated by commas and spaces, and they will be tried in
  29 # turn.
  30
  31 LDAP_URI                ldaps://ldap.example.com, ldaps://backup.example.com
  32
  33 ##NAME: LDAP_PROTOCOL_VERSION:0
  34 #
  35 # Which version of LDAP protocol to use
  36
  37 LDAP_PROTOCOL_VERSION   3
  38
  39 ##NAME: LDAP_BASEDN:0
  40 #
  41 # Look for authentication here:
  42
  43 LDAP_BASEDN             o=example, c=com
  44
  45 ##NAME: LDAP_BINDDN:0
  46 #
  47 # You may or may not need to specify the following.  Because you've got
  48 # a password here, authldaprc should not be world-readable!!!
  49
  50 LDAP_BINDDN             cn=administrator, o=example, c=com
  51 LDAP_BINDPW             toto
  52
  53 ##NAME: LDAP_TIMEOUT:0
  54 #
  55 # Timeout for LDAP search and connection
  56
  57 LDAP_TIMEOUT            5
  58
  59 ##NAME: LDAP_AUTHBIND:0
  60 #
  61 # Define this to have the ldap server authenticate passwords.  If LDAP_AUTHBIND
  62 # the password is validated by rebinding with the supplied userid and password.
  63 # If rebind succeeds, this is considered to be an authenticated request.  This
  64 # does not support CRAM-MD5 authentication, which requires clearPassword.
  65 # Additionally, if LDAP_AUTHBIND is 1 then password changes are done under
  66 # the credentials of the user themselves, not LDAP_BINDDN/BINDPW
  67 #
  68 # LDAP_AUTHBIND         1
  69
  70 ##NAME: LDAP_INITBIND:1
  71 #
  72 # Define this to do an initial bind to the adminstrator DN set in LDAP_BINDDN.
  73 # If your LDAP server allows access without a bind, or you want to authenticate
  74 # using a rebind (and have set LDAP_AUTHBIND to 1, you can set this to 0 and
  75 # need not write the LDAP-Admin passwort into this file.
  76 #
  77 LDAP_INITBIND           1
  78
  79 ##NAME: LDAP_MAIL:0
  80 #
  81 # Here's the field on which we query
  82
  83 LDAP_MAIL               mail
  84
  85 ##NAME: LDAP_FILTER:0
  86 #
  87 # This LDAP filter will be ANDed with the query for the field defined above
  88 # in LDAP_MAIL.  So if you are querying for mail, and you have LDAP_FILTER
  89 # defined to be "(objectClass=CourierMailAccount)" the query that is performed
  90 # will be "(&(objectClass=CourierMailAccount)(mail=<someAccount>))"
  91 #
  92 # LDAP_FILTER           (objectClass=CourierMailAccount)
  93
  94 ##NAME: LDAP_DOMAIN:0
  95 #
  96 # The following default domain will be appended, if not explicitly specified.
  97 #
  98 # LDAP_DOMAIN           example.com
  99
 100 ##NAME: LDAP_GLOB_IDS:0
 101 #
 102 # The following two variables can be used to set everybody's uid and gid.
 103 # This is convenient if your LDAP specifies a bunch of virtual mail accounts
 104 # The values can be usernames or userids:
 105 #
 106 # LDAP_GLOB_UID         vmail
 107 # LDAP_GLOB_GID         vmail
 108
 109 ##NAME: LDAP_HOMEDIR:0
 110 #
 111 # We will retrieve the following attributes
 112 #
 113 # The HOMEDIR attribute MUST exist, and we MUST be able to chdir to it
 114
 115 LDAP_HOMEDIR            homeDirectory
 116
 117 ##NAME: LDAP_MAILROOT:0
 118 #
 119 # If homeDirectory is not an absolute path, define the root of the
 120 # relative paths in LDAP_MAILROOT
 121 #
 122 #  LDAP_MAILROOT        /var/mail
 123
 124
 125 ##NAME: LDAP_MAILDIR:0
 126 #
 127 # The MAILDIR attribute is OPTIONAL, and specifies the location of the
 128 # mail directory.  If not specified, ./Maildir will be used
 129
 130 LDAP_MAILDIR            mailbox
 131
 132 ##NAME: LDAP_DEFAULTDELIVERY:0
 133 #
 134 # Courier mail server only: optional attribute specifies custom mail delivery
 135 # instructions for this account (if defined) -- essentially overrides
 136 # DEFAULTDELIVERY from ${sysconfdir}/courierd
 137
 138 LDAP_DEFAULTDELIVERY    defaultDelivery
 139
 140 ##NAME: LDAP_MAILDIRQUOTA:0
 141 #
 142 # The following variable, if defined, specifies the field containing the
 143 # maildir quota, see README.maildirquota for more information
 144 #
 145 # LDAP_MAILDIRQUOTA     quota
 146
 147
 148 ##NAME: LDAP_FULLNAME:0
 149 #
 150 # FULLNAME is optional, specifies the user's full name
 151
 152 LDAP_FULLNAME           cn
 153
 154 ##NAME: LDAP_PW:0
 155 #
 156 # CLEARPW is the clear text password.  CRYPT is the crypted password.
 157 # ONE OF THESE TWO ATTRIBUTES IS REQUIRED.  If CLEARPW is provided, and
 158 # libhmac.a is available, CRAM authentication will be possible!
 159
 160 LDAP_CLEARPW            clearPassword
 161 LDAP_CRYPTPW            userPassword
 162
 163 ##NAME: LDAP_IDS:0
 164 #
 165 # Uncomment the following, and modify as appropriate, if your LDAP database
 166 # stores individual userids and groupids.  Otherwise, you must uncomment
 167 # LDAP_GLOB_UID and LDAP_GLOB_GID above.  LDAP_GLOB_UID and LDAP_GLOB_GID
 168 # specify a uid/gid for everyone.  Otherwise, LDAP_UID and LDAP_GID must
 169 # be defined as attributes for everyone.
 170 #
 171 # LDAP_UID              uidNumber
 172 # LDAP_GID              gidNumber
 173
 174
 175 ##NAME: LDAP_AUXOPTIONS:0
 176 #
 177 # Auxiliary options.  The LDAP_AUXOPTIONS setting should contain a list of
 178 # comma-separated "ATTRIBUTE=NAME" pairs.  These names are additional
 179 # attributes that define various per-account "options", as given in
 180 # INSTALL's description of the OPTIONS setting.
 181 #
 182 # Each ATTRIBUTE specifies an LDAP attribute name.  If it is present,
 183 # the attribute value gets placed in the OPTIONS variable, with the name
 184 # NAME.  For example:
 185 #
 186 #    LDAP_AUXOPTIONS    shared=sharedgroup,disableimap=disableimap
 187 #
 188 # Then, if an LDAP record contains the following attributes:
 189 #
 190 #     shared: domain1
 191 #     disableimap: 0
 192 #
 193 # Then authldap will initialize OPTIONS to "sharedgroup=domain1,disableimap=0"
 194 #
 195 # NOTE: ** no spaces in this setting **, the above example has exactly
 196 # one tab character after LDAP_AUXOPTIONS
 197
 198
 199 ##NAME: LDAP_ENUMERATE_FILTER:0
 200 #
 201 # {EXPERIMENTAL}
 202 # Optional custom filter used when enumerating accounts for authenumerate,
 203 # in order to compile a list of accounts for shared folders. If present,
 204 # this filter will be used instead of LDAP_FILTER.
 205 #
 206 # LDAP_ENUMERATE_FILTER (&(objectClass=CourierMailAccount)(!(disableshared=1)))
 207
 208
 209 ##NAME: LDAP_DEREF:0
 210 #
 211 # Determines how aliases are handled during a search.  This option is available
 212 # only with OpenLDAP 2.0
 213 #
 214 # LDAP_DEREF can be one of the following values:
 215 # never, searching, finding, always. If not specified, aliases are
 216 # never dereferenced.
 217
 218 LDAP_DEREF              never
 219
 220 ##NAME: LDAP_TLS:0
 221 #
 222 # Set LDAP_TLS to 1 to use the Start TLS extension (RFC 2830). This is
 223 # when the server accepts a normal LDAP connection on port 389 which
 224 # the client then requests 'upgrading' to TLS, and is equivalent to the
 225 # -ZZ flag to ldapsearch. If you are using an ldaps:// URI then do not
 226 # set this option.
 227 #
 228 # For additional LDAP-related options, see the authdaemonrc config file.
 229
 230 LDAP_TLS                0
 231
 232 ##NAME: LDAP_EMAILMAP:0
 233 #
 234 # The following optional settings, if enabled, result in an extra LDAP
 235 # lookup to first locate a handle for an E-mail address, then a second lookup
 236 # on that handle to get the actual authentication record.  You'll need
 237 # to uncomment these settings to enable an email handle lookup.
 238 #
 239 # The E-mail address must be of the form user@realm, and this is plugged
 240 # into the following search string.  "@user@" and "@realm@" are placeholders
 241 # for the user and the realm portions of the login ID.
 242 #
 243 # LDAP_EMAILMAP         (&(userid=@user@)(realm=@realm@))
 244
 245 ##NAME: LDAP_EMAILMAP_BASEDN:0
 246 #
 247 # Specify the basedn for the email lookup.  The default is LDAP_BASEDN.
 248 #
 249 # LDAP_EMAILMAP_BASEDN  o=emailmap, c=com
 250
 251
 252 ##NAME: LDAP_EMAILMAP_ATTRIBUTE:0
 253 #
 254 # The attribute which holds the handle.  The contents of this attribute
 255 # are then plugged into the regular authentication lookup, and you must set
 256 # LDAP_EMAILMAP_MAIL to the name of this attribute in the authentication
 257 # records (which may be the same as LDAP_MAIL).
 258 # You MUST also leave LDAP_DOMAIN undefined.  This enables authenticating
 259 # by handles only.
 260 #
 261 # Here's an example:
 262 #
 263 # dn: userid=john, realm=example.com, o=emailmap, c=com # LDAP_EMAILMAP_BASEDN
 264 # userid: john          # LDAP_EMAILMAP search
 265 # realm: example.com    # LDAP_EMAILMAP search
 266 # handle: cc223344      # LDAP_EMAILMAP_ATTRIBUTE
 267 #
 268 #
 269 # dn: controlHandle=cc223344, o=example, c=com      # LDAP_BASEDN
 270 # controlHandle: cc223344         # LDAP_EMAILMAP_MAIL set to "controlHandle"
 271 # uid: ...
 272 # gid: ...
 273 # [ etc... ]
 274 #
 275 # LDAP_EMAILMAP_ATTRIBUTE handle
 276
 277 ##NAME: LDAP_EMAILMAP_MAIL:0
 278 #
 279 # After reading LDAP_EMAIL_ATTRIBUTE, the second query will go against
 280 # LDAP_BASEDN, but will key against LDAP_EMAILMAP_MAIL instead of LDAP_MAIL.
 281 #
 282 # LDAP_EMAILMAP_MAIL mail