1 ##VERSION: $Id: 7ee49247d1dbf52d4bb8e0b1a180f2411aa3628a-20160107214650$
2 #
3 # Copyright 2000-2016 Double Precision, Inc. See COPYING for
4 # distribution information.
5 #
6 # Do not alter lines that begin with ##, they are used when upgrading
7 # this configuration.
8 #
9 # authldaprc created from authldaprc.dist by sysconftool
10 #
# DO NOT INSTALL THIS FILE with world read permissions. This file
# might contain the LDAP admin password (LDAP_BINDPW below)! Restrict it
# so that only the account running the authentication daemon can read it
# (for example mode 0600, or 0640 with the daemon's group as group owner).
13 #
14 # This configuration file specifies LDAP authentication parameters
15 #
16 # The format of this file must be as follows:
17 #
18 # field[spaces|tabs]value
19 #
20 # That is, the name of the field, followed by spaces or tabs, followed by
21 # field value. No trailing spaces.
22 #
23 # Changes to this file take effect immediately.
24 #
25 # Here are the fields:
26
27 ##NAME: LOCATION:1
28 #
# Location of your LDAP server(s). If you have multiple LDAP servers,
# you can list them separated by commas and spaces, and they will be tried in
# turn. With plain ldap:// URIs also see LDAP_TLS below; without it the bind
# password is sent over the network in clear text.
32
33 LDAP_URI ldaps://ldap.example.com, ldaps://backup.example.com
34
35 ##NAME: LDAP_PROTOCOL_VERSION:0
36 #
37 # Which version of LDAP protocol to use
38
39 LDAP_PROTOCOL_VERSION 3
40
41 ##NAME: LDAP_BASEDN:0
42 #
43 # Look for authentication here:
44
45 LDAP_BASEDN o=example, c=com
46
47 ##NAME: LDAP_BINDDN:0
48 #
# You may or may not need to specify the following. Because you've got
# a password here, authldaprc should not be world-readable!!!
#
# Prefer a dedicated bind account that has only the read access these
# lookups need over the directory administrator shown in the example; the
# password below is stored in clear text. If the server allows the lookups
# without a bind, or you authenticate via LDAP_AUTHBIND (see below), set
# LDAP_INITBIND to 0 and leave LDAP_BINDPW out of this file entirely.
51
52 LDAP_BINDDN cn=administrator, o=example, c=com
53 LDAP_BINDPW toto
54
55 ##NAME: LDAP_TIMEOUT:0
56 #
57 # Timeout for LDAP search and connection
58
59 LDAP_TIMEOUT 5
60
61 ##NAME: LDAP_AUTHBIND:0
62 #
# Define this to have the LDAP server authenticate passwords. If LDAP_AUTHBIND
# is 1, the password is validated by rebinding with the supplied userid and
# password. If the rebind succeeds, the request is considered authenticated.
# This does not support CRAM-MD5 authentication, which requires clearPassword.
# Additionally, if LDAP_AUTHBIND is 1 then password changes are done under
# the credentials of the user themselves, not LDAP_BINDDN/BINDPW.
#
# Because the rebind sends the user's password to the LDAP server, use an
# ldaps:// URI or LDAP_TLS (see below) together with this setting. Also make
# sure the server rejects unauthenticated simple binds (an empty password);
# otherwise such a bind may succeed and be mistaken for a valid login.
69 #
70 # LDAP_AUTHBIND 1
71
72 ##NAME: LDAP_INITBIND:1
73 #
# Define this to do an initial bind to the administrator DN set in LDAP_BINDDN.
# If your LDAP server allows access without a bind, or you want to authenticate
# using a rebind (and have set LDAP_AUTHBIND to 1), you can set this to 0 and
# need not write the LDAP admin password into this file.
78 #
79 LDAP_INITBIND 1
80
81 ##NAME: LDAP_MAIL:0
82 #
83 # Here's the field on which we query
84
85 LDAP_MAIL mail
86
87 ##NAME: LDAP_FILTER:0
88 #
# This LDAP filter will be ANDed with the query for the field defined above
# in LDAP_MAIL. So if you are querying for mail, and you have LDAP_FILTER
# defined to be "(objectClass=CourierMailAccount)" the query that is performed
# will be "(&(objectClass=CourierMailAccount)(mail=<someAccount>))"
#
# The login ID is inserted into that filter as <someAccount>. Whether it is
# escaped per RFC 4515 before insertion is not documented here; verify this
# before accepting login IDs that may contain filter metacharacters such as
# "*", "(", ")", "\" or NUL.
93 #
94 # LDAP_FILTER (objectClass=CourierMailAccount)
95
96 ##NAME: LDAP_DOMAIN:0
97 #
98 # The following default domain will be appended, if not explicitly specified.
99 #
100 # LDAP_DOMAIN example.com
101
102 ##NAME: LDAP_GLOB_IDS:0
103 #
# The following two variables can be used to set everybody's uid and gid.
# This is convenient if your LDAP specifies a bunch of virtual mail accounts.
# The values can be usernames or numeric ids. Use a dedicated, unprivileged
# account for this (as in the example below) -- never root:
107 #
108 # LDAP_GLOB_UID vmail
109 # LDAP_GLOB_GID vmail
110
111 ##NAME: LDAP_HOMEDIR:0
112 #
# We will retrieve the following attributes
#
# The HOMEDIR attribute MUST exist, and we MUST be able to chdir to it.
# Since its value selects the directory the account is handled in, write
# access to this attribute in the LDAP directory should be restricted.
116
117 LDAP_HOMEDIR homeDirectory
118
119 ##NAME: LDAP_MAILROOT:0
120 #
121 # If homeDirectory is not an absolute path, define the root of the
122 # relative paths in LDAP_MAILROOT
123 #
124 # LDAP_MAILROOT /var/mail
125
126
127 ##NAME: LDAP_MAILDIR:0
128 #
129 # The MAILDIR attribute is OPTIONAL, and specifies the location of the
130 # mail directory. If not specified, ./Maildir will be used
131
132 LDAP_MAILDIR mailbox
133
134 ##NAME: LDAP_DEFAULTDELIVERY:0
135 #
# Courier mail server only: optional attribute specifies custom mail delivery
# instructions for this account (if defined) -- essentially overrides
# DEFAULTDELIVERY from ${sysconfdir}/courierd. Because these instructions are
# taken straight from the directory, treat write access to this attribute as
# sensitive.
139
140 LDAP_DEFAULTDELIVERY defaultDelivery
141
142 ##NAME: LDAP_MAILDIRQUOTA:0
143 #
144 # The following variable, if defined, specifies the field containing the
145 # maildir quota, see README.maildirquota for more information
146 #
147 # LDAP_MAILDIRQUOTA quota
148
149
150 ##NAME: LDAP_FULLNAME:0
151 #
152 # FULLNAME is optional, specifies the user's full name
153
154 LDAP_FULLNAME cn
155
156 ##NAME: LDAP_PW:0
157 #
# CLEARPW is the clear text password. CRYPTPW is the crypted (hashed) password.
# ONE OF THESE TWO ATTRIBUTES IS REQUIRED. If CLEARPW is provided, and
# libhmac.a is available, CRAM authentication will be possible!
#
# Note the trade-off: enabling CRAM means storing every user's password in
# clear text in the directory. If you do, restrict read access to that
# attribute to the bind DN used here; otherwise prefer CRYPTPW and protect
# plain-text logins with ldaps:// or LDAP_TLS instead.
161
162 LDAP_CLEARPW clearPassword
163 LDAP_CRYPTPW userPassword
164
165 ##NAME: LDAP_IDS:0
166 #
# Uncomment the following, and modify as appropriate, if your LDAP database
# stores individual userids and groupids. Otherwise, you must uncomment
# LDAP_GLOB_UID and LDAP_GLOB_GID above. LDAP_GLOB_UID and LDAP_GLOB_GID
# specify a uid/gid for everyone. Otherwise, LDAP_UID and LDAP_GID must
# be defined as attributes for everyone.
#
# These values come straight from the directory, so whoever can write
# uidNumber/gidNumber there effectively chooses the uid/gid an account is
# handled under; restrict write access to these attributes accordingly.
172 #
173 # LDAP_UID uidNumber
174 # LDAP_GID gidNumber
175
176
177 ##NAME: LDAP_AUXOPTIONS:0
178 #
179 # Auxiliary options. The LDAP_AUXOPTIONS setting should contain a list of
180 # comma-separated "ATTRIBUTE=NAME" pairs. These names are additional
181 # attributes that define various per-account "options", as given in
182 # INSTALL's description of the OPTIONS setting.
183 #
184 # Each ATTRIBUTE specifies an LDAP attribute name. If it is present,
185 # the attribute value gets placed in the OPTIONS variable, with the name
186 # NAME. For example:
187 #
188 # LDAP_AUXOPTIONS shared=sharedgroup,disableimap=disableimap
189 #
190 # Then, if an LDAP record contains the following attributes:
191 #
192 # shared: domain1
193 # disableimap: 0
194 #
195 # Then authldap will initialize OPTIONS to "sharedgroup=domain1,disableimap=0"
196 #
197 # NOTE: ** no spaces in this setting **, the above example has exactly
198 # one tab character after LDAP_AUXOPTIONS
199
200
201 ##NAME: LDAP_ENUMERATE_FILTER:0
202 #
203 # Optional custom filter used when enumerating accounts for authenumerate,
204 # in order to compile a list of accounts for shared folders. If present,
205 # this filter will be used instead of LDAP_FILTER.
206 #
207 # LDAP_ENUMERATE_FILTER (&(objectClass=CourierMailAccount)(!(disableshared=1)))
208
209
210 ##NAME: LDAP_DEREF:0
211 #
212 # Determines how aliases are handled during a search. This option is available
213 # only with OpenLDAP 2.0
214 #
215 # LDAP_DEREF can be one of the following values:
216 # never, searching, finding, always. If not specified, aliases are
217 # never dereferenced.
218
219 LDAP_DEREF never
220
221 ##NAME: LDAP_TLS:0
222 #
# Set LDAP_TLS to 1 to use the Start TLS extension (RFC 2830). This is
# when the server accepts a normal LDAP connection on port 389 which
# the client then requests 'upgrading' to TLS, and is equivalent to the
# -ZZ flag to ldapsearch. If you are using an ldaps:// URI then do not
# set this option.
#
# With a plain ldap:// URI and LDAP_TLS 0, the bind password above and
# every user password checked through LDAP_AUTHBIND cross the network in
# clear text. Use ldaps:// (as in the LDAP_URI example) or LDAP_TLS 1
# unless the LDAP server is local to this host.
#
# For additional LDAP-related options, see the authdaemonrc config file.
230
231 LDAP_TLS 0
232
233 ##NAME: LDAP_EMAILMAP:0
234 #
235 # The following optional settings, if enabled, result in an extra LDAP
236 # lookup to first locate a handle for an E-mail address, then a second lookup
237 # on that handle to get the actual authentication record. You'll need
238 # to uncomment these settings to enable an email handle lookup.
239 #
# The E-mail address must be of the form user@realm, and this is plugged
# into the following search string. "@user@" and "@realm@" are placeholders
# for the user and the realm portions of the login ID. Whether those
# portions are escaped per RFC 4515 before substitution is not documented
# here; verify this before exposing the lookup to login IDs that may
# contain filter metacharacters.
#
# LDAP_EMAILMAP (&(userid=@user@)(realm=@realm@))
245
246 ##NAME: LDAP_EMAILMAP_BASEDN:0
247 #
248 # Specify the basedn for the email lookup. The default is LDAP_BASEDN.
249 #
250 # LDAP_EMAILMAP_BASEDN o=emailmap, c=com
251
252
253 ##NAME: LDAP_EMAILMAP_ATTRIBUTE:0
254 #
255 # The attribute which holds the handle. The contents of this attribute
256 # are then plugged into the regular authentication lookup, and you must set
257 # LDAP_EMAILMAP_MAIL to the name of this attribute in the authentication
258 # records (which may be the same as LDAP_MAIL).
259 # You MUST also leave LDAP_DOMAIN undefined. This enables authenticating
260 # by handles only.
261 #
262 # Here's an example:
263 #
264 # dn: userid=john, realm=example.com, o=emailmap, c=com # LDAP_EMAILMAP_BASEDN
265 # userid: john # LDAP_EMAILMAP search
266 # realm: example.com # LDAP_EMAILMAP search
267 # handle: cc223344 # LDAP_EMAILMAP_ATTRIBUTE
268 #
269 #
270 # dn: controlHandle=cc223344, o=example, c=com # LDAP_BASEDN
271 # controlHandle: cc223344 # LDAP_EMAILMAP_MAIL set to "controlHandle"
272 # uid: ...
273 # gid: ...
274 # [ etc... ]
275 #
276 # LDAP_EMAILMAP_ATTRIBUTE handle
277
278 ##NAME: LDAP_EMAILMAP_MAIL:0
279 #
# After reading LDAP_EMAILMAP_ATTRIBUTE, the second query will go against
# LDAP_BASEDN, but will key against LDAP_EMAILMAP_MAIL instead of LDAP_MAIL.
282 #
283 # LDAP_EMAILMAP_MAIL mail
284
285 ##NAME: MARKER:0
286 #
287 # Do not remove this section from this configuration file. This section
288 # must be present at the end of this file.