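# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#
# Layout: global directives, then backend directives for bdb, then the single
# bdb database (suffix dc=tcc,dc=nmt,dc=edu) with its indexes, the syncprov
# overlay and the access-control list.
#
# slapd.conf only treats '#' as a comment at the start of a line; anything
# after a directive on the same line is passed to it as extra arguments.
# Comments that used to trail directives are on their own lines below, and
# multi-clause 'access' rules use leading-whitespace continuation lines.

#######################################################################
# Global Directives:

#readonly on

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/amavis.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/RADIUS-LDAPv3.schema
include /etc/ldap/schema/autofs.schema
include /etc/ldap/schema/tcc.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
# NOTE(review): this directive is obsolete on newer slapd releases (schema
# checking is always on there); check slapd.conf(5) for the installed version.
schemacheck on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd.args

# SSL config - commented out on test systems.
# With TLS off and no 'security' directive, simple binds (rootdn, users and
# the replicas' consumer binds alike) send their passwords in the clear.
# The cipher string still lists +SSLv3:+SSLv2; both protocols are obsolete
# and should be dropped from it before this block is re-enabled.
#TLSCipherSuite HIGH:MEDIUM:+SSLv3:+SSLv2:RSA
#TLSCertificateFile /etc/ldap/certs/ldap0.nmt.edu.pem
#TLSCertificateKeyFile /etc/ldap/certs/ldap0.nmt.edu.key
#TLSCACertificateFile /etc/ssl/certs/tccCA.pem
#security tls=128

# Read slapd.conf(5) for possible values
#loglevel sync config none
# Syncrepl debugging
# -1 turns on every debug subsystem. That is a troubleshooting setting, not a
# production one: the log volume is large and debug output carries request
# details. Something like 'loglevel sync stats' is enough once the
# replication problem is found.
loglevel -1

# Size limit so ldapsearch can find all entries
# -1 is unlimited and applies to every client, anonymous included, so the
# entire directory can be fetched in a single search. Use 'limits' to raise
# the limit for specific DNs if that is not the intent.
sizelimit -1

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload syncprov

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb
# Database checkpoints every 512k, or 30 minutes
checkpoint 512 30
# Entry cache size, in entries (slapd-bdb(5)).
# NOTE(review): slapd-bdb(5) lists checkpoint and cachesize as database
# directives; verify they take effect here rather than under 'database bdb'.
cachesize 10000000
# dbcachesize 10000000

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database bdb

# The base of your directory in database #1
##
## Here is where things originate from!
## Make the password by hitting the keyboard for a while.
##
suffix "dc=tcc,dc=nmt,dc=edu"
rootdn "cn=manager,dc=tcc,dc=nmt,dc=edu"

#####
##### This password is replicated in several places!
#####
##### TO CHANGE THE ROOT PASSWORD
##### Send email to tcc-all warning people before you start
##### In the replica lines below
##### On the slave ldap servers mentioned below
##### In the freeradius servers on ldap0 and ldap1
##### In samba on userhost:
##### a) smbpasswd -w (should update samba/private/secret.tdb)
##### b) ldapmodify root user Samba*Passwd fields
##### In /etc/openldap/slapd.conf on userhost
#####
##### this is the literal root password! - snuh
# The rootdn bypasses every 'access' rule in this file, so whoever can read
# this line owns the directory. slapd.conf(5) accepts rootpw in hashed form
# (e.g. the {SSHA} output of slappasswd), which keeps the cleartext out of
# the file; the other copies listed above still need the cleartext, so
# rotate them together and keep this file mode 0600.
rootpw hatrack

# Crypt really blows -- twopir
# {MD5} is unsalted; slapd's own default is {SSHA}. This only affects
# passwords set from now on, existing hashes are left as they are.
password-hash {MD5}

# Where the database file are physically stored for database #1
directory "/system/ldap-data"

# Indices:
index objectClass eq,pres
index cn eq,pres
index uid eq
index gecos eq,sub
index uidNumber eq,pres
index gidNumber eq,pres
index tccInfo eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index memberUid eq,pres
index entryUUID eq
index uniqueMember eq
# Above for syncrepl

# Save the time that the entry gets modified, for database #1
# We don't use this.
# Syncrepl doesn't need this
# NOTE(review): slapd.conf(5) says lastmod also controls entryCSN/entryUUID,
# which the syncrepl provider (syncprov below) depends on; 'off' on a
# provider looks wrong -- confirm against the man page before changing.
lastmod off

# Where to store the replica logs for database #1
#replogfile /system/ldap-replog

# Syncrepl provider. checkpoint is <ops> <minutes>; sessionlog is in ops.
overlay syncprov
syncprov-checkpoint 512 30
syncprov-sessionlog 314

# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
access to dn.base=""
    by * read

# Access control:
# Rules are tried in order and the first 'access to' whose target matches
# an attribute is the one applied, so attribute lists must not overlap
# unless the earlier rule is meant to win. The
# group/organizationalRole/roleOccupant="cn=manager,..." clause grants to
# the DNs listed as roleOccupant of that entry; it is a different mechanism
# from the rootdn above, which skips ACLs entirely.

# Credentials and identifiers: manager role and owner may write, anonymous
# may only use them to bind (needed for userPassword), nobody else sees them.
access to attrs=userPassword,tccBannerId,tccArNumber
    by group/organizationalRole/roleOccupant="cn=manager,dc=tcc,dc=nmt,dc=edu" write
    by self write
    by anonymous auth
    by * none

# tccArNumber and tccBannerId are listed here too, but the rule above already
# matches them, so for those two attributes this rule is never reached.
access to attrs=objectClass,uidNumber,gidNumber,tccModemUser,tccAccountStatus,tccAccountType,tccArNumber,tccBannerId
    by group/organizationalRole/roleOccupant="cn=manager,dc=tcc,dc=nmt,dc=edu" write
    by self read
    by * read

##
##jeffa grouped samba attributes for readability
##
# sambaPwdMustChange was broken across a line in the previous revision.
access to attrs=sambaSID,sambaPrimaryGroupSID,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange
    by group/organizationalRole/roleOccupant="cn=manager,dc=tcc,dc=nmt,dc=edu" write
    by self read
    by * read

access to attrs=host
    by group/organizationalRole/roleOccupant="cn=manager,dc=tcc,dc=nmt,dc=edu" write
    by * read

# NT/LM hashes are password-equivalent: readable by no one, replaceable by
# the owner. The manager role is not listed and therefore falls under
# 'by * none'; only the rootdn can change these for another user.
access to attrs=sambaLmPassword,sambaNtPassword
    by self write
    by * none

# Everything else: the owner may modify any remaining attribute of their own
# entry (uid, cn and whatever else is not restricted above), and every
# remaining attribute is readable anonymously -- 'by users read' is subsumed
# by 'by * read'. Confirm both are intended.
access to *
    by self write
    by users read
    by * read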