authldaprc

   1 ##VERSION: $Id: authldaprc,v 1.25 2005/10/05 00:07:32 mrsam Exp $
   2 #
   3 # Copyright 2000-2004 Double Precision, Inc.  See COPYING for
   4 # distribution information.
   5 #
   6 # Do not alter lines that begin with ##, they are used when upgrading
   7 # this configuration.
   8 #
   9 # authldaprc created from authldaprc.dist by sysconftool
  10 #
  11 # DO NOT INSTALL THIS FILE with world read permissions.  This file
  12 # might contain the LDAP admin password!
  13 #
  14 # This configuration file specifies LDAP authentication parameters
  15 #
  16 # The format of this file must be as follows:
  17 #
  18 # field[spaces|tabs]value
  19 #
  20 # That is, the name of the field, followed by spaces or tabs, followed by
  21 # field value.  No trailing spaces.
  22 #
  23 # Here are the fields:
  24
  25 ##NAME: LOCATION:1
  26 #
  27 # Location of your LDAP server(s). If you have multiple LDAP servers,
  28 # you can list them separated by commas and spaces, and they will be tried in
  29 # turn.
  30
  31 LDAP_URI                ldaps://ldap.example.com, ldaps://backup.example.com
  32
  33 ##NAME: LDAP_PROTOCOL_VERSION:0
  34 #
  35 # Which version of LDAP protocol to use
  36
  37 LDAP_PROTOCOL_VERSION   3
  38
  39 ##NAME: LDAP_BASEDN:0
  40 #
  41 # Look for authentication here:
  42
  43 LDAP_BASEDN             o=example, c=com
  44
  45 ##NAME: LDAP_BINDDN:0
  46 #
  47 # You may or may not need to specify the following.  Because you've got
  48 # a password here, authldaprc should not be world-readable!!!
  49
  50 LDAP_BINDDN             cn=administrator, o=example, c=com
  51 LDAP_BINDPW             toto
  52
  53 ##NAME: LDAP_TIMEOUT:0
  54 #
  55 # Timeout for LDAP search and connection
  56
  57 LDAP_TIMEOUT            5
  58
  59 ##NAME: LDAP_AUTHBIND:0
  60 #
  61 # Define this to have the ldap server authenticate passwords.  If LDAP_AUTHBIND
  62 # the password is validated by rebinding with the supplied userid and password.
  63 # If rebind succeeds, this is considered to be an authenticated request.  This
  64 # does not support CRAM-MD5 authentication, which requires clearPassword.
  65 # Additionally, if LDAP_AUTHBIND is 1 then password changes are done under
  66 # the credentials of the user themselves, not LDAP_BINDDN/BINDPW
  67 #
  68 # LDAP_AUTHBIND         1
  69
  70 ##NAME: LDAP_MAIL:0
  71 #
  72 # Here's the field on which we query
  73
  74 LDAP_MAIL               mail
  75
  76 ##NAME: LDAP_FILTER:0
  77 #
  78 # This LDAP filter will be ANDed with the query for the field defined above
  79 # in LDAP_MAIL.  So if you are querying for mail, and you have LDAP_FILTER
  80 # defined to be "(objectClass=CourierMailAccount)" the query that is performed
  81 # will be "(&(objectClass=CourierMailAccount)(mail=<someAccount>))"
  82 #
  83 # LDAP_FILTER           (objectClass=CourierMailAccount)
  84
  85 ##NAME: LDAP_DOMAIN:0
  86 #
  87 # The following default domain will be appended, if not explicitly specified.
  88 #
  89 # LDAP_DOMAIN           example.com
  90
  91 ##NAME: LDAP_GLOB_IDS:0
  92 #
  93 # The following two variables can be used to set everybody's uid and gid.
  94 # This is convenient if your LDAP specifies a bunch of virtual mail accounts
  95 # The values can be usernames or userids:
  96 #
  97 # LDAP_GLOB_UID         vmail
  98 # LDAP_GLOB_GID         vmail
  99
 100 ##NAME: LDAP_HOMEDIR:0
 101 #
 102 # We will retrieve the following attributes
 103 #
 104 # The HOMEDIR attribute MUST exist, and we MUST be able to chdir to it
 105
 106 LDAP_HOMEDIR            homeDirectory
 107
 108 ##NAME: LDAP_MAILROOT:0
 109 #
 110 # If homeDirectory is not an absolute path, define the root of the
 111 # relative paths in LDAP_MAILROOT
 112 #
 113 #  LDAP_MAILROOT        /var/mail
 114
 115
 116 ##NAME: LDAP_MAILDIR:0
 117 #
 118 # The MAILDIR attribute is OPTIONAL, and specifies the location of the
 119 # mail directory.  If not specified, ./Maildir will be used
 120
 121 LDAP_MAILDIR            mailbox
 122
 123 ##NAME: LDAP_DEFAULTDELIVERY:0
 124 #
 125 # Courier mail server only: optional attribute specifies custom mail delivery
 126 # instructions for this account (if defined) -- essentially overrides
 127 # DEFAULTDELIVERY from ${sysconfdir}/courierd
 128
 129 LDAP_DEFAULTDELIVERY    defaultDelivery
 130
 131 ##NAME: LDAP_MAILDIRQUOTA:0
 132 #
 133 # The following variable, if defined, specifies the field containing the
 134 # maildir quota, see README.maildirquota for more information
 135 #
 136 # LDAP_MAILDIRQUOTA     quota
 137
 138
 139 ##NAME: LDAP_FULLNAME:0
 140 #
 141 # FULLNAME is optional, specifies the user's full name
 142
 143 LDAP_FULLNAME           cn
 144
 145 ##NAME: LDAP_PW:0
 146 #
 147 # CLEARPW is the clear text password.  CRYPT is the crypted password.
 148 # ONE OF THESE TWO ATTRIBUTES IS REQUIRED.  If CLEARPW is provided, and
 149 # libhmac.a is available, CRAM authentication will be possible!
 150
 151 LDAP_CLEARPW            clearPassword
 152 LDAP_CRYPTPW            userPassword
 153
 154 ##NAME: LDAP_IDS:0
 155 #
 156 # Uncomment the following, and modify as appropriate, if your LDAP database
 157 # stores individual userids and groupids.  Otherwise, you must uncomment
 158 # LDAP_GLOB_UID and LDAP_GLOB_GID above.  LDAP_GLOB_UID and LDAP_GLOB_GID
 159 # specify a uid/gid for everyone.  Otherwise, LDAP_UID and LDAP_GID must
 160 # be defined as attributes for everyone.
 161 #
 162 # LDAP_UID              uidNumber
 163 # LDAP_GID              gidNumber
 164
 165
 166 ##NAME: LDAP_AUXOPTIONS:0
 167 #
 168 # Auxiliary options.  The LDAP_AUXOPTIONS setting should contain a list of
 169 # comma-separated "ATTRIBUTE=NAME" pairs.  These names are additional
 170 # attributes that define various per-account "options", as given in
 171 # INSTALL's description of the OPTIONS setting.
 172 #
 173 # Each ATTRIBUTE specifies an LDAP attribute name.  If it is present,
 174 # the attribute value gets placed in the OPTIONS variable, with the name
 175 # NAME.  For example:
 176 #
 177 #    LDAP_AUXOPTIONS    shared=sharedgroup,disableimap=disableimap
 178 #
 179 # Then, if an LDAP record contains the following attributes:
 180 #
 181 #     shared: domain1
 182 #     disableimap: 0
 183 #
 184 # Then authldap will initialize OPTIONS to "sharedgroup=domain1,disableimap=0"
 185 #
 186 # NOTE: ** no spaces in this setting **, the above example has exactly
 187 # one tab character after LDAP_AUXOPTIONS
 188
 189
 190 ##NAME: LDAP_ENUMERATE_FILTER:0
 191 #
 192 # {EXPERIMENTAL}
 193 # Optional custom filter used when enumerating accounts for authenumerate,
 194 # in order to compile a list of accounts for shared folders. If present,
 195 # this filter will be used instead of LDAP_FILTER.
 196 #
 197 # LDAP_ENUMERATE_FILTER (&(objectClass=CourierMailAccount)(!(disableshared=1)))
 198
 199
 200 ##NAME: LDAP_DEREF:0
 201 #
 202 # Determines how aliases are handled during a search.  This option is available
 203 # only with OpenLDAP 2.0
 204 #
 205 # LDAP_DEREF can be one of the following values:
 206 # never, searching, finding, always. If not specified, aliases are
 207 # never dereferenced.
 208
 209 LDAP_DEREF              never
 210
 211 ##NAME: LDAP_TLS:0
 212 #
 213 # Set LDAP_TLS to 1 to use the Start TLS extension (RFC 2830). This is
 214 # when the server accepts a normal LDAP connection on port 389 which
 215 # the client then requests 'upgrading' to TLS, and is equivalent to the
 216 # -ZZ flag to ldapsearch. If you are using an ldaps:// URI then do not
 217 # set this option.
 218 #
 219 # For additional LDAP-related options, see the authdaemonrc config file.
 220
 221 LDAP_TLS                0
 222
 223 ##NAME: LDAP_EMAILMAP:0
 224 #
 225 # The following optional settings, if enabled, result in an extra LDAP
 226 # lookup to first locate a handle for an E-mail address, then a second lookup
 227 # on that handle to get the actual authentication record.  You'll need
 228 # to uncomment these settings to enable an email handle lookup.
 229 #
 230 # The E-mail address must be of the form user@realm, and this is plugged
 231 # into the following search string.  "@user@" and "@realm@" are placeholders
 232 # for the user and the realm portions of the login ID.
 233 #
 234 # LDAP_EMAILMAP         (&(userid=@user@)(realm=@realm@))
 235
 236 ##NAME: LDAP_EMAILMAP_BASEDN:0
 237 #
 238 # Specify the basedn for the email lookup.  The default is LDAP_BASEDN.
 239 #
 240 # LDAP_EMAILMAP_BASEDN  o=emailmap, c=com
 241
 242
 243 ##NAME: LDAP_EMAILMAP_ATTRIBUTE:0
 244 #
 245 # The attribute which holds the handle.  The contents of this attribute
 246 # are then plugged into the regular authentication lookup, and you must set
 247 # LDAP_EMAILMAP_MAIL to the name of this attribute in the authentication
 248 # records (which may be the same as LDAP_MAIL).
 249 # You MUST also leave LDAP_DOMAIN undefined.  This enables authenticating
 250 # by handles only.
 251 #
 252 # Here's an example:
 253 #
 254 # dn: userid=john, realm=example.com, o=emailmap, c=com # LDAP_EMAILMAP_BASEDN
 255 # userid: john          # LDAP_EMAILMAP search
 256 # realm: example.com    # LDAP_EMAILMAP search
 257 # handle: cc223344      # LDAP_EMAILMAP_ATTRIBUTE
 258 #
 259 #
 260 # dn: controlHandle=cc223344, o=example, c=com      # LDAP_BASEDN
 261 # controlHandle: cc223344         # LDAP_EMAILMAP_MAIL set to "controlHandle"
 262 # uid: ...
 263 # gid: ...
 264 # [ etc... ]
 265 #
 266 # LDAP_EMAILMAP_ATTRIBUTE handle
 267
 268 ##NAME: LDAP_EMAILMAP_MAIL:0
 269 #
 270 # After reading LDAP_EMAIL_ATTRIBUTE, the second query will go against
 271 # LDAP_BASEDN, but will key against LDAP_EMAILMAP_MAIL instead of LDAP_MAIL.
 272 #
 273 # LDAP_EMAILMAP_MAIL mail