1 ##VERSION: $Id: authldaprc,v 1.25 2005/10/05 00:07:32 mrsam Exp $
3 # Copyright 2000-2004 Double Precision, Inc. See COPYING for
4 # distribution information.
6 # Do not alter lines that begin with ##; they are used when upgrading
9 # authldaprc created from authldaprc.dist by sysconftool
11 # DO NOT INSTALL THIS FILE with world read permissions. This file
12 # might contain the LDAP admin password!
14 # This configuration file specifies LDAP authentication parameters
16 # The format of this file must be as follows:
18 # field[spaces|tabs]value
20 # That is, the name of the field, followed by spaces or tabs, followed by
21 # field value. No trailing spaces.
23 # Here are the fields:
27 # Location of your LDAP server(s). If you have multiple LDAP servers,
28 # you can list them separated by commas and spaces, and they will be tried in
31 LDAP_URI ldaps://ldap.example.com, ldaps://backup.example.com
33 ##NAME: LDAP_PROTOCOL_VERSION:0
35 # Which version of LDAP protocol to use
37 LDAP_PROTOCOL_VERSION 3
41 # Look for authentication here:
43 LDAP_BASEDN o=example, c=com
47 # You may or may not need to specify the following. Because you've got
48 # a password here, authldaprc should not be world-readable!!! Prefer a dedicated, least-privilege bind account over a directory administrator account.
50 LDAP_BINDDN cn=administrator, o=example, c=com
53 ##NAME: LDAP_TIMEOUT:0
55 # Timeout for LDAP search and connection
59 ##NAME: LDAP_AUTHBIND:0
61 # Define this to have the LDAP server authenticate passwords. If LDAP_AUTHBIND is 1,
62 # the password is validated by rebinding with the supplied userid and password.
63 # If rebind succeeds, this is considered to be an authenticated request. This
64 # does not support CRAM-MD5 authentication, which requires clearPassword.
65 # Additionally, if LDAP_AUTHBIND is 1 then password changes are done under
66 # the credentials of the user themselves, not LDAP_BINDDN/BINDPW
72 # Here's the field on which we query
78 # This LDAP filter will be ANDed with the query for the field defined above
79 # in LDAP_MAIL. So if you are querying for mail, and you have LDAP_FILTER
80 # defined to be "(objectClass=CourierMailAccount)" the query that is performed
81 # will be "(&(objectClass=CourierMailAccount)(mail=<someAccount>))"
83 # LDAP_FILTER (objectClass=CourierMailAccount)
87 # The following default domain will be appended, if not explicitly specified.
89 # LDAP_DOMAIN example.com
91 ##NAME: LDAP_GLOB_IDS:0
93 # The following two variables can be used to set everybody's uid and gid.
94 # This is convenient if your LDAP specifies a bunch of virtual mail accounts
95 # The values can be usernames or userids:
100 ##NAME: LDAP_HOMEDIR:0
102 # We will retrieve the following attributes
104 # The HOMEDIR attribute MUST exist, and we MUST be able to chdir to it
106 LDAP_HOMEDIR homeDirectory
108 ##NAME: LDAP_MAILROOT:0
110 # If homeDirectory is not an absolute path, define the root of the
111 # relative paths in LDAP_MAILROOT
113 # LDAP_MAILROOT /var/mail
116 ##NAME: LDAP_MAILDIR:0
118 # The MAILDIR attribute is OPTIONAL, and specifies the location of the
119 # mail directory. If not specified, ./Maildir will be used
123 ##NAME: LDAP_DEFAULTDELIVERY:0
125 # Courier mail server only: optional attribute specifies custom mail delivery
126 # instructions for this account (if defined) -- essentially overrides
127 # DEFAULTDELIVERY from ${sysconfdir}/courierd
129 LDAP_DEFAULTDELIVERY defaultDelivery
131 ##NAME: LDAP_MAILDIRQUOTA:0
133 # The following variable, if defined, specifies the field containing the
134 # maildir quota, see README.maildirquota for more information
136 # LDAP_MAILDIRQUOTA quota
139 ##NAME: LDAP_FULLNAME:0
141 # FULLNAME is optional, specifies the user's full name
147 # CLEARPW is the clear text password. CRYPT is the crypted password.
148 # ONE OF THESE TWO ATTRIBUTES IS REQUIRED. If CLEARPW is provided, and
149 # libhmac.a is available, CRAM authentication will be possible! Note that CLEARPW means the directory stores passwords in clear text, so read access to that attribute must be tightly restricted.
151 LDAP_CLEARPW clearPassword
152 LDAP_CRYPTPW userPassword
156 # Uncomment the following, and modify as appropriate, if your LDAP database
157 # stores individual userids and groupids. Otherwise, you must uncomment
158 # LDAP_GLOB_UID and LDAP_GLOB_GID above. LDAP_GLOB_UID and LDAP_GLOB_GID
159 # specify a uid/gid for everyone. Otherwise, LDAP_UID and LDAP_GID must
160 # be defined as attributes for everyone.
166 ##NAME: LDAP_AUXOPTIONS:0
168 # Auxiliary options. The LDAP_AUXOPTIONS setting should contain a list of
169 # comma-separated "ATTRIBUTE=NAME" pairs. These names are additional
170 # attributes that define various per-account "options", as given in
171 # INSTALL's description of the OPTIONS setting.
173 # Each ATTRIBUTE specifies an LDAP attribute name. If it is present,
174 # the attribute value gets placed in the OPTIONS variable, with the name
177 # LDAP_AUXOPTIONS shared=sharedgroup,disableimap=disableimap
179 # Then, if an LDAP record contains the following attributes:
184 # Then authldap will initialize OPTIONS to "sharedgroup=domain1,disableimap=0"
186 # NOTE: ** no spaces in this setting **, the above example has exactly
187 # one tab character after LDAP_AUXOPTIONS
190 ##NAME: LDAP_ENUMERATE_FILTER:0
193 # Optional custom filter used when enumerating accounts for authenumerate,
194 # in order to compile a list of accounts for shared folders. If present,
195 # this filter will be used instead of LDAP_FILTER.
197 # LDAP_ENUMERATE_FILTER (&(objectClass=CourierMailAccount)(!(disableshared=1)))
202 # Determines how aliases are handled during a search. This option is available
203 # only with OpenLDAP 2.0
205 # LDAP_DEREF can be one of the following values:
206 # never, searching, finding, always. If not specified, aliases are
207 # never dereferenced.
213 # Set LDAP_TLS to 1 to use the Start TLS extension (RFC 2830). This is
214 # when the server accepts a normal LDAP connection on port 389 which
215 # the client then requests 'upgrading' to TLS, and is equivalent to the
216 # -ZZ flag to ldapsearch. If you are using an ldaps:// URI then do not
219 # For additional LDAP-related options, see the authdaemonrc config file.
223 ##NAME: LDAP_EMAILMAP:0
225 # The following optional settings, if enabled, result in an extra LDAP
226 # lookup to first locate a handle for an E-mail address, then a second lookup
227 # on that handle to get the actual authentication record. You'll need
228 # to uncomment these settings to enable an email handle lookup.
230 # The E-mail address must be of the form user@realm, and this is plugged
231 # into the following search string. "@user@" and "@realm@" are placeholders
232 # for the user and the realm portions of the login ID.
234 # LDAP_EMAILMAP (&(userid=@user@)(realm=@realm@))
236 ##NAME: LDAP_EMAILMAP_BASEDN:0
238 # Specify the basedn for the email lookup. The default is LDAP_BASEDN.
240 # LDAP_EMAILMAP_BASEDN o=emailmap, c=com
243 ##NAME: LDAP_EMAILMAP_ATTRIBUTE:0
245 # The attribute which holds the handle. The contents of this attribute
246 # are then plugged into the regular authentication lookup, and you must set
247 # LDAP_EMAILMAP_MAIL to the name of this attribute in the authentication
248 # records (which may be the same as LDAP_MAIL).
249 # You MUST also leave LDAP_DOMAIN undefined. This enables authenticating
254 # dn: userid=john, realm=example.com, o=emailmap, c=com # LDAP_EMAILMAP_BASEDN
255 # userid: john # LDAP_EMAILMAP search
256 # realm: example.com # LDAP_EMAILMAP search
257 # handle: cc223344 # LDAP_EMAILMAP_ATTRIBUTE
260 # dn: controlHandle=cc223344, o=example, c=com # LDAP_BASEDN
261 # controlHandle: cc223344 # LDAP_EMAILMAP_MAIL set to "controlHandle"
266 # LDAP_EMAILMAP_ATTRIBUTE handle
268 ##NAME: LDAP_EMAILMAP_MAIL:0
270 # After reading LDAP_EMAILMAP_ATTRIBUTE, the second query will go against
271 # LDAP_BASEDN, but will key against LDAP_EMAILMAP_MAIL instead of LDAP_MAIL.
273 # LDAP_EMAILMAP_MAIL mail