This file is indexed.

/etc/ldap/slapd-squeeze_debian-edu.conf is in debian-edu-config 1.702.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
# Allow LDAPv2 binds
allow bind_v2

# The skolelinux slapd configuration file

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/autofs.schema
include		/etc/ldap/schema/inetorgperson.schema
#include		/etc/ldap/schema/dhcp.schema
include		/etc/ldap/schema/gosa/dhcp.schema
#include		/etc/ldap/schema/dnsdomain2.schema
include		/etc/ldap/schema/gosa/dnszone.schema
include		/etc/ldap/schema/kerberos.schema
include		/etc/ldap/schema/ltspclientaux.schema

## gosa:
include         /etc/ldap/schema/gosa/samba3.schema
include         /etc/ldap/schema/gosa/trust.schema
include         /etc/ldap/schema/gosa/gosystem.schema
include         /etc/ldap/schema/gosa/gofon.schema
include         /etc/ldap/schema/gosa/goto.schema
include         /etc/ldap/schema/gosa/gosa-samba3.schema
include         /etc/ldap/schema/gosa/gofax.schema
include         /etc/ldap/schema/gosa/goserver.schema
include         /etc/ldap/schema/gosa/goto-mime.schema
include         /etc/ldap/schema/gosa/sudo.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile		/var/run/slapd/slapd.pid

# Read slapd.conf(5) for possible values
#loglevel	65535
loglevel	none

rootDSE                 /etc/ldap/rootDSE-debian-edu.ldif

# TLS/SSL
TLSCACertificateFile    /etc/ldap/ssl/slapd.pem
TLSCertificateKeyFile   /etc/ldap/ssl/slapd.pem
TLSCertificateFile      /etc/ldap/ssl/slapd.pem
#TLSCACertificateFile    /var/lib/pyca/Root/cacert.pem
#TLSCertificateKeyFile   /var/lib/pyca/ServerCerts/private/cakey.pem
#TLSCertificateFile      /var/lib/pyca/ServerCerts/cacert.pem

modulepath	/usr/lib/ldap
moduleload	back_bdb
moduleload	back_monitor

defaultsearchbase "dc=skole,dc=skolelinux,dc=no"
security update_ssf=128  simple_bind=128

# Access via ldapi/unix socket is assumed to have 128 bit encryption.
# This is required to allow the kerberos and powerdns daemon to
# connect.
localssf 128

backend		bdb
backend		monitor

#######################################################################
# ldbm database definitions
#######################################################################

# The backend type, ldbm, is the default standard

database	bdb
# Set the database in memory cache size.
#
cachesize   4000
dbnosync
sizelimit 4000

# First database
suffix		"dc=skole,dc=skolelinux,dc=no"
rootdn		"cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no"
# Where the database file are physically stored
directory	"/var/lib/ldap"

# Indices to maintain
index           objectClass     pres,eq
index           cn,sn,ou        pres,eq,sub
index           uid             pres,eq,sub
index           krbPrincipalName pres,eq,sub
index           uidNumber       eq
index           gidNumber       eq
index           memberUid       eq
index           default         eq
#for some clients, even if not used
index		givenname	eq
index		displayName	eq
#index		telephoneNumber	eq

#samba index
index sambaSID                          eq
index sambaPrimaryGroupSID              eq
index sambaDomainName                   eq
index sambaGroupType                    eq
index sambaSIDList                      eq

# PowerDNS index
index associatedDomain         pres,eq,sub
index aRecord                      pres,eq

# ldap2zone index
index zoneName                          eq
index relativeDomainName                eq

# Sudo
index sudoUser                      eq,sub

# LTSP configuration index (dhcpHWAddress also used by dhcpd)
index macAddress                        eq
index dhcpHWAddress                     eq

# libnss-ldapd look for this one.  Make sure it is indexed to avoid
# lots of log messages.
index uniqueMember                      eq

# lwat cron job uses this
index createTimestamp                   eq

# Save the time that the entry gets modified
lastmod on

# Webmin-ldap-skolelinux use TLS, and PAM authentication use SSL
# The ssf=128 option is to be used when SL bug 213 and 404 are closed.
#

## map authentication via gssapi on user dn:
authz-regexp "uid=([^,]*),cn=gssapi,cn=auth"
        "ldap:///dc=skole,dc=skolelinux,dc=no??sub?(uid=$1)"

## default: no access, but allow members of the ldap-admins group full
## access.
access to *
        by group.exact="cn=ldap-admins,ou=ldap-access,dc=skole,dc=skolelinux,dc=no" manage
        by * none break

access to dn.base="cn=nextID,ou=variables,dc=skole,dc=skolelinux,dc=no"
	attrs=gidNumber
	by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 write
	by * read

access to dn.exact="ou=idmap,ou=samba,dc=skole,dc=skolelinux,dc=no"
	by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
	by * break 

access to dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no"
	attrs=userPassword
	by self      ssf=128 =wx
	by anonymous ssf=128 auth
	by * none

access to attrs=userPassword
	by self      =wx
	by anonymous auth
	by set="[cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no]/member & this" none
        by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 write
	by * none

access to attrs=shadowLastChange
	by self      ssf=128 =w
	by set="[cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no]/member & this" none
	by * none

access to dn.subtree="dc=skole,dc=skolelinux,dc=no"
	attrs=children,entry
	by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 write
	by * none break

#
# Allow samba to add groupmap information to existing groups.
#
access to dn.subtree="dc=skole,dc=skolelinux,dc=no"
	attrs=objectClass,sambaSID,sambaGroupType,displayName,description,sambaSIDList
	by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
	by * none break

#
# Allow samba to create/edit posix accounts and posix groups
#

access to dn.subtree="dc=skole,dc=skolelinux,dc=no"
	attrs=uid,uidNumber,cn,gidNumber,userPassword,memberUid,description,homeDirectory,loginShell,gecos 
	by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr 
	by * none break

#
# Allow samba to create/edit samba3 accounts (everything missing that has not already been mentioned above
#
access to dn.subtree="dc=skole,dc=skolelinux,dc=no"
        attrs=sambaAcctFlags
        by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 =rw 
        by * none break

access to dn.subtree="dc=skole,dc=skolelinux,dc=no"
        attrs=sambaDomainName
        by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 =rws 
        by * none break

access to dn.exact="sambaDomainName=*,ou=samba,dc=skole,dc=skolelinux,dc=no"
	by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 =rws
        by * none break

#
#
# Ensure samba password hashes.
#
# Restricted access to some samba attributes
# (allow access for admin to don't break old installations)
access to attrs=sambaLMPassword,sambaNTPassword
	by self ssf=128 =w
	by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
	by set="[cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no]/member & this" none
	by * none

access to attrs=sambaPwdLastSet,sambaPwdCanChange
	by self ssf=128 =wr
	by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
	by set="[cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no]/member & this" none
	by * read

# Access to samba attributes; kadmin-service needs to add
# attr=objectClass too, so break:
access to attrs=objectClass,sambaSID,sambaPrimaryGroupSID,displayName,sambaPwdMustChange,sambaAcctFlags,sambaGroupType,sambaPasswordHistory,sambaNextRid
	by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
	by * read break

access to attrs=sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaLogonHours,sambaBadPasswordCount,sambaBadPasswordTime
	by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
	by * read

# We store machine-accounts for samba in a private ou visible via NSS
access to  dn.sub="ou=netdevices,ou=systems,dc=skole,dc=skolelinux,dc=no"
	by dn.exact="cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
	by * read

# Control access to kerberos attributes
access to attrs=krbPrincipalKey,krbExtraData
       by dn.exact="cn=kdc-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no"  read
       by dn.exact="cn=kadmin-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no"  write
       by self read
       by * auth

access to attrs=krbPrincipalName,krbLastPwdChange
       by dn.exact="cn=kdc-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no"  read
       by dn.exact="cn=kadmin-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no"  write
       by * auth
       by * read

# Limit access to kerberos data in cn=kerberos.  Allow everyone to
# see the objects, as long as the attributes
# krbPrincipalKey,krbLastPwdChange and krbExtraData are hidden.
access to dn.subtree="cn=kerberos,dc=skole,dc=skolelinux,dc=no"
       by dn.exact="cn=kdc-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" read
       by dn.exact="cn=kadmin-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" write
       by * read

# Default access; kadmin needs full access:
access to *
       by dn.exact="cn=kadmin-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no" write
       by * read

# Last database.. back-monitor is nice to have. Use 'cn=monitor' as base
database monitor

# End of ldapd configuration file