##VERSION: $Id: 7ee49247d1dbf52d4bb8e0b1a180f2411aa3628a-20160107214650$ # # Copyright 2000-2016 Double Precision, Inc. See COPYING for # distribution information. # # Do not alter lines that begin with ##, they are used when upgrading # this configuration. # # authldaprc created from authldaprc.dist by sysconftool # # DO NOT INSTALL THIS FILE with world read permissions. This file # might contain the LDAP admin password! # # This configuration file specifies LDAP authentication parameters # # The format of this file must be as follows: # # field[spaces|tabs]value # # That is, the name of the field, followed by spaces or tabs, followed by # field value. No trailing spaces. # # Changes to this file take effect immediately. # # Here are the fields: ##NAME: LOCATION:1 # # Location of your LDAP server(s). If you have multiple LDAP servers, # you can list them separated by commas and spaces, and they will be tried in # turn. LDAP_URI ldaps://ldap.example.com, ldaps://backup.example.com ##NAME: LDAP_PROTOCOL_VERSION:0 # # Which version of LDAP protocol to use LDAP_PROTOCOL_VERSION 3 ##NAME: LDAP_BASEDN:0 # # Look for authentication here: LDAP_BASEDN o=example, c=com ##NAME: LDAP_BINDDN:0 # # You may or may not need to specify the following. Because you've got # a password here, authldaprc should not be world-readable!!! LDAP_BINDDN cn=administrator, o=example, c=com LDAP_BINDPW toto ##NAME: LDAP_TIMEOUT:0 # # Timeout for LDAP search and connection LDAP_TIMEOUT 5 ##NAME: LDAP_AUTHBIND:0 # # Define this to have the ldap server authenticate passwords. If LDAP_AUTHBIND # the password is validated by rebinding with the supplied userid and password. # If rebind succeeds, this is considered to be an authenticated request. This # does not support CRAM-MD5 authentication, which requires clearPassword. # Additionally, if LDAP_AUTHBIND is 1 then password changes are done under # the credentials of the user themselves, not LDAP_BINDDN/BINDPW # # LDAP_AUTHBIND 1 ##NAME: LDAP_INITBIND:1 # # Define this to do an initial bind to the adminstrator DN set in LDAP_BINDDN. # If your LDAP server allows access without a bind, or you want to authenticate # using a rebind (and have set LDAP_AUTHBIND to 1, you can set this to 0 and # need not write the LDAP-Admin passwort into this file. # LDAP_INITBIND 1 ##NAME: LDAP_MAIL:0 # # Here's the field on which we query LDAP_MAIL mail ##NAME: LDAP_FILTER:0 # # This LDAP filter will be ANDed with the query for the field defined above # in LDAP_MAIL. So if you are querying for mail, and you have LDAP_FILTER # defined to be "(objectClass=CourierMailAccount)" the query that is performed # will be "(&(objectClass=CourierMailAccount)(mail=))" # # LDAP_FILTER (objectClass=CourierMailAccount) ##NAME: LDAP_DOMAIN:0 # # The following default domain will be appended, if not explicitly specified. # # LDAP_DOMAIN example.com ##NAME: LDAP_GLOB_IDS:0 # # The following two variables can be used to set everybody's uid and gid. # This is convenient if your LDAP specifies a bunch of virtual mail accounts # The values can be usernames or userids: # # LDAP_GLOB_UID vmail # LDAP_GLOB_GID vmail ##NAME: LDAP_HOMEDIR:0 # # We will retrieve the following attributes # # The HOMEDIR attribute MUST exist, and we MUST be able to chdir to it LDAP_HOMEDIR homeDirectory ##NAME: LDAP_MAILROOT:0 # # If homeDirectory is not an absolute path, define the root of the # relative paths in LDAP_MAILROOT # # LDAP_MAILROOT /var/mail ##NAME: LDAP_MAILDIR:0 # # The MAILDIR attribute is OPTIONAL, and specifies the location of the # mail directory. If not specified, ./Maildir will be used LDAP_MAILDIR mailbox ##NAME: LDAP_DEFAULTDELIVERY:0 # # Courier mail server only: optional attribute specifies custom mail delivery # instructions for this account (if defined) -- essentially overrides # DEFAULTDELIVERY from ${sysconfdir}/courierd LDAP_DEFAULTDELIVERY defaultDelivery ##NAME: LDAP_MAILDIRQUOTA:0 # # The following variable, if defined, specifies the field containing the # maildir quota, see README.maildirquota for more information # # LDAP_MAILDIRQUOTA quota ##NAME: LDAP_FULLNAME:0 # # FULLNAME is optional, specifies the user's full name LDAP_FULLNAME cn ##NAME: LDAP_PW:0 # # CLEARPW is the clear text password. CRYPT is the crypted password. # ONE OF THESE TWO ATTRIBUTES IS REQUIRED. If CLEARPW is provided, and # libhmac.a is available, CRAM authentication will be possible! LDAP_CLEARPW clearPassword LDAP_CRYPTPW userPassword ##NAME: LDAP_IDS:0 # # Uncomment the following, and modify as appropriate, if your LDAP database # stores individual userids and groupids. Otherwise, you must uncomment # LDAP_GLOB_UID and LDAP_GLOB_GID above. LDAP_GLOB_UID and LDAP_GLOB_GID # specify a uid/gid for everyone. Otherwise, LDAP_UID and LDAP_GID must # be defined as attributes for everyone. # # LDAP_UID uidNumber # LDAP_GID gidNumber ##NAME: LDAP_AUXOPTIONS:0 # # Auxiliary options. The LDAP_AUXOPTIONS setting should contain a list of # comma-separated "ATTRIBUTE=NAME" pairs. These names are additional # attributes that define various per-account "options", as given in # INSTALL's description of the OPTIONS setting. # # Each ATTRIBUTE specifies an LDAP attribute name. If it is present, # the attribute value gets placed in the OPTIONS variable, with the name # NAME. For example: # # LDAP_AUXOPTIONS shared=sharedgroup,disableimap=disableimap # # Then, if an LDAP record contains the following attributes: # # shared: domain1 # disableimap: 0 # # Then authldap will initialize OPTIONS to "sharedgroup=domain1,disableimap=0" # # NOTE: ** no spaces in this setting **, the above example has exactly # one tab character after LDAP_AUXOPTIONS ##NAME: LDAP_ENUMERATE_FILTER:0 # # Optional custom filter used when enumerating accounts for authenumerate, # in order to compile a list of accounts for shared folders. If present, # this filter will be used instead of LDAP_FILTER. # # LDAP_ENUMERATE_FILTER (&(objectClass=CourierMailAccount)(!(disableshared=1))) ##NAME: LDAP_DEREF:0 # # Determines how aliases are handled during a search. This option is available # only with OpenLDAP 2.0 # # LDAP_DEREF can be one of the following values: # never, searching, finding, always. If not specified, aliases are # never dereferenced. LDAP_DEREF never ##NAME: LDAP_TLS:0 # # Set LDAP_TLS to 1 to use the Start TLS extension (RFC 2830). This is # when the server accepts a normal LDAP connection on port 389 which # the client then requests 'upgrading' to TLS, and is equivalent to the # -ZZ flag to ldapsearch. If you are using an ldaps:// URI then do not # set this option. # # For additional LDAP-related options, see the authdaemonrc config file. LDAP_TLS 0 ##NAME: LDAP_EMAILMAP:0 # # The following optional settings, if enabled, result in an extra LDAP # lookup to first locate a handle for an E-mail address, then a second lookup # on that handle to get the actual authentication record. You'll need # to uncomment these settings to enable an email handle lookup. # # The E-mail address must be of the form user@realm, and this is plugged # into the following search string. "@user@" and "@realm@" are placeholders # for the user and the realm portions of the login ID. # # LDAP_EMAILMAP (&(userid=@user@)(realm=@realm@)) ##NAME: LDAP_EMAILMAP_BASEDN:0 # # Specify the basedn for the email lookup. The default is LDAP_BASEDN. # # LDAP_EMAILMAP_BASEDN o=emailmap, c=com ##NAME: LDAP_EMAILMAP_ATTRIBUTE:0 # # The attribute which holds the handle. The contents of this attribute # are then plugged into the regular authentication lookup, and you must set # LDAP_EMAILMAP_MAIL to the name of this attribute in the authentication # records (which may be the same as LDAP_MAIL). # You MUST also leave LDAP_DOMAIN undefined. This enables authenticating # by handles only. # # Here's an example: # # dn: userid=john, realm=example.com, o=emailmap, c=com # LDAP_EMAILMAP_BASEDN # userid: john # LDAP_EMAILMAP search # realm: example.com # LDAP_EMAILMAP search # handle: cc223344 # LDAP_EMAILMAP_ATTRIBUTE # # # dn: controlHandle=cc223344, o=example, c=com # LDAP_BASEDN # controlHandle: cc223344 # LDAP_EMAILMAP_MAIL set to "controlHandle" # uid: ... # gid: ... # [ etc... ] # # LDAP_EMAILMAP_ATTRIBUTE handle ##NAME: LDAP_EMAILMAP_MAIL:0 # # After reading LDAP_EMAIL_ATTRIBUTE, the second query will go against # LDAP_BASEDN, but will key against LDAP_EMAILMAP_MAIL instead of LDAP_MAIL. # # LDAP_EMAILMAP_MAIL mail ##NAME: MARKER:0 # # Do not remove this section from this configuration file. This section # must be present at the end of this file.