1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
# provider slapd config -- for testing
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2024 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
#ucdata-path ./ucdata
include @SCHEMADIR@/core.schema
include @SCHEMADIR@/cosine.schema
include @SCHEMADIR@/inetorgperson.schema
include @SCHEMADIR@/openldap.schema
include @SCHEMADIR@/nis.schema
pidfile @TESTDIR@/slapd.1.pid
argsfile @TESTDIR@/slapd.1.args
#mod#modulepath ../servers/slapd/back-@BACKEND@/
#mod#moduleload back_@BACKEND@.la
#ldapmod#modulepath ../servers/slapd/back-ldap/
#ldapmod#moduleload back_ldap.la
#rwmmod#modulepath ../servers/slapd/overlays/
#rwmmod#moduleload rwm.la
#######################################################################
# database definitions
#######################################################################
authz-policy both
authz-regexp "^uid=manager,.+" "cn=Manager,dc=example,dc=com"
authz-regexp "^uid=admin/([^,]+),.+" "ldap:///ou=Admin,dc=example,dc=com??sub?(cn=$1)"
authz-regexp "^uid=it/([^,]+),.+" "ldap:///ou=People,dc=example,dc=it??sub?(uid=$1)"
authz-regexp "^uid=(us/)?([^,]+),.+" "ldap:///ou=People,dc=example,dc=com??sub?(uid=$2)"
#
# normal installations should protect root dse,
# cn=monitor, cn=schema, and cn=config
#
access to attrs=userpassword
by self =wx
by anonymous =x
access to dn.exact=""
by * read
access to *
by users read
by * search
database @BACKEND@
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
#null#bind on
#~null~#directory @TESTDIR@/db.1.a
#indexdb#index objectClass eq
#indexdb#index cn,sn,uid pres,eq,sub
access to dn.exact="cn=Proxy,ou=Admin,dc=example,dc=com"
attrs=authzTo
by dn.exact="cn=Proxy,ou=Admin,dc=example,dc=com" =wx
by * =x
database @BACKEND@
suffix "dc=example,dc=it"
rootdn "cn=Manager,dc=example,dc=it"
rootpw secret
#~null~#directory @TESTDIR@/db.2.a
#indexdb#index objectClass eq
#indexdb#index cn,sn,uid pres,eq,sub
database ldap
suffix "o=Example,c=US"
uri "@URI1@"
#sasl#idassert-bind bindmethod=sasl binddn="cn=Proxy US,ou=Admin,dc=example,dc=com" authcId="admin/proxy US" credentials="proxy" @SASL_MECH@ mode=self
#nosasl#idassert-bind bindmethod=simple binddn="cn=Proxy US,ou=Admin,dc=example,dc=com" credentials="proxy" mode=self
# authorizes database
idassert-authzFrom "dn.subtree:dc=example,dc=it"
overlay rwm
rwm-suffixmassage "dc=example,dc=com"
database ldap
suffix "o=Esempio,c=IT"
uri "@URI1@"
acl-bind bindmethod=simple binddn="cn=Proxy IT,ou=Admin,dc=example,dc=com" credentials="proxy"
idassert-bind bindmethod=simple binddn="cn=Proxy IT,ou=Admin,dc=example,dc=com" credentials="proxy" authzId="dn:cn=Sandbox,ou=Admin,dc=example,dc=com"
# authorizes database
idassert-authzFrom "dn.subtree:dc=example,dc=com"
# authorizes anonymous
idassert-authzFrom "dn.exact:"
overlay rwm
rwm-suffixmassage "dc=example,dc=com"
access to attrs=entry,cn,sn,mail
by users read
access to *
by dn.exact="cn=Proxy IT,ou=Admin,o=Esempio,c=IT" read
by group.exact="cn=Authorizable,ou=Groups,o=Esempio,c=IT" read
by dn.exact="cn=Sandbox,ou=Admin,dc=example,dc=com" search
by * none
database monitor
rootdn "cn=monitor"
rootpw monitor
|