
add conifg jabber and ldap

blezz-tech 1 day ago
parent
commit
7d12435277
7 changed files with 912 additions and 0 deletions
  1. 14 0
      ejabberd/README.md
  2. 297 0
      ejabberd/ejabberd.yml
  3. 30 0
      ldap/README.md
  4. 264 0
      ldap/init.ldif
  5. 16 0
      ldap/ldap
  6. 10 0
      ldap/sharix.schema
  7. 281 0
      ldap/slapd.conf

+ 14 - 0
ejabberd/README.md

@@ -0,0 +1,14 @@
+For ALT Linux
+
+1. Directory /var/www/webapps/jabber_data should exist (or another specified in the config file) and should have access rights for both ejabberd and httpd2
+2. place ejabberd.yml to /etc/ejabberd.conf
+3. service ejabberd start
+4. systemctl enable ejabberd
+
+openssl genrsa -out rootCA.key 2048
+
+Затем сам сертификат:
+
+openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
+
+https://www.altlinux.org/%D0%A1%D0%BE%D0%B7%D0%B4%D0%B0%D0%BD%D0%B8%D0%B5_%D1%81%D0%B0%D0%BC%D0%BE%D0%BF%D0%BE%D0%B4%D0%BF%D0%B8%D1%81%D0%B0%D0%BD%D0%BD%D1%8B%D1%85_%D1%81%D0%B5%D1%80%D1%82%D0%B8%D1%84%D0%B8%D0%BA%D0%B0%D1%82%D0%BE%D0%B2

+ 297 - 0
ejabberd/ejabberd.yml

@@ -0,0 +1,297 @@
+###
+###              ejabberd configuration file
+###
+### The parameters used in this configuration file are explained at
+###
+###       https://docs.ejabberd.im/admin/configuration
+###
+### The configuration file is written in YAML.
+### *******************************************************
+### *******           !!! WARNING !!!               *******
+### *******     YAML IS INDENTATION SENSITIVE       *******
+### ******* MAKE SURE YOU INDENT SECTIONS CORRECTLY *******
+### *******************************************************
+### Refer to http://en.wikipedia.org/wiki/YAML for the brief description.
+###
+
+hosts:
+  - "msg.sharix-app.org"
+  - "10.0.2.10"
+  - localhost
+
+host_config:
+  msg.sharix-app.org:
+    auth_method: [ldap]
+    ldap_servers: ["ldap.sharix.ru"]
+    ldap_port: 389
+    ldap_rootdn: "cn=admin,dc=ldap,dc=sharix,dc=ru"
+    ldap_password: "secret"
+    ldap_filter: "(objectClass=inetOrgPerson)"
+    ldap_encrypt: none
+    ldap_base: "ou=users,dc=ldap,dc=sharix,dc=ru"
+
+certfiles:
+  - /etc/ejabberd/ssl/fullchain.pem
+  - /etc/ejabberd/ssl/privkey.pem
+
+loglevel: info
+
+listen:
+  -
+    port: 5222
+    ip: "::"
+    module: ejabberd_c2s
+    max_stanza_size: 262144
+    shaper: c2s_shaper
+    access: c2s
+    starttls_required: true
+  -
+    port: 5223
+    ip: "::"
+    tls: true
+    module: ejabberd_c2s
+    max_stanza_size: 262144
+    shaper: c2s_shaper
+    access: c2s
+    starttls_required: true
+  -
+    port: 5269
+    ip: "::"
+    module: ejabberd_s2s_in
+    max_stanza_size: 524288
+  -
+    port: 5443
+    ip: "::"
+    module: ejabberd_http
+    tls: true
+    request_handlers:
+      /admin: ejabberd_web_admin
+      /api: mod_http_api
+      /bosh: mod_bosh
+      /captcha: ejabberd_captcha
+      /upload: mod_http_upload
+      /ws: ejabberd_http_ws
+      /pub/content: mod_http_fileserver
+  -
+    port: 5280
+    ip: "::"
+    module: ejabberd_http
+    request_handlers:
+      /bosh: mod_bosh
+      /admin: ejabberd_web_admin
+      /.well-known/acme-challenge: ejabberd_acme
+  -
+    port: 3478
+    ip: "::"
+    transport: udp
+    module: ejabberd_stun
+    use_turn: true
+    ## The server's public IPv4 address:
+    # turn_ipv4_address: "203.0.113.3"
+    ## The server's public IPv6 address:
+    # turn_ipv6_address: "2001:db8::3"
+  -
+    port: 1883
+    ip: "::"
+    module: mod_mqtt
+    backlog: 1000
+
+s2s_use_starttls: optional
+
+acme:
+  auto: false
+  ca_url: https://acme-v02.api.letsencrypt.org/directory
+
+acl:
+  admin:
+    user: "admin@msg.sharix-app.org"
+  users:
+    user: all
+
+  local:
+    user_regexp: ""
+  loopback:
+    ip:
+      - 127.0.0.0/8
+      - ::1/128
+
+access_rules:
+  local:
+    allow: local
+  c2s:
+    deny: blocked
+    allow: all
+  announce:
+    allow: admin
+  configure:
+    allow: admin
+  muc_create:
+    allow: all
+  pubsub_createnode:
+    allow: local
+  trusted_network:
+    allow: loopback
+
+api_permissions:
+  "console commands":
+    from:
+      - ejabberd_ctl
+    who: all
+    what: "*"
+  "admin access":
+    who:
+      access:
+        allow:
+          - acl: loopback
+          - acl: admin
+      oauth:
+        scope: "ejabberd:admin"
+        access:
+          allow:
+            - acl: loopback
+            - acl: admin
+    what:
+      - "*"
+      - "!stop"
+      - "!start"
+  "public commands":
+    who:
+      ip: 127.0.0.1/8
+      ip: 10.0.2.10/24
+    what:
+      - "*"
+      - "!stop"
+      - "!start"
+      - status
+      - connected_users_number
+
+shaper:
+  normal:
+    rate: 3000
+    burst_size: 20000
+  fast: 100000
+
+shaper_rules:
+  max_user_sessions: 10
+  max_user_offline_messages:
+    5000: admin
+    100: all
+  c2s_shaper:
+    none: admin
+    normal: all
+  s2s_shaper: fast
+
+modules:
+  mod_adhoc: {}
+  mod_admin_extra: {}
+  mod_announce:
+    access: announce
+  mod_avatar: {}
+  mod_blocking: {}
+  mod_bosh: {}
+  mod_caps: {}
+  mod_carboncopy: {}
+  mod_client_state: {}
+  mod_configure: {}
+  mod_disco:
+    extra_domains:
+      - ej.sharix-app.org
+    name: SXPlatform
+  mod_fail2ban: {}
+  mod_http_api: {}
+  mod_http_upload:
+    access: all
+    max_size: 5242880
+    put_url: https://@HOST@:5443/upload
+    custom_headers:
+      "Access-Control-Allow-Origin": "https://@HOST@"
+      "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
+      "Access-Control-Allow-Headers": "Content-Type"
+  mod_last: {}
+  mod_mam:
+    ## Mnesia is limited to 2GB, better to use an SQL backend
+    ## For small servers SQLite is a good fit and is very easy
+    ## to configure. Uncomment this when you have SQL configured:
+    ## db_type: sql
+    assume_mam_usage: true
+    default: always
+  mod_mqtt: {}
+  mod_muc:
+    # Service name    
+    hosts:
+      - "chat.msg.sharix-app.org"
+    access:
+      - allow
+    access_admin:
+      - allow: admin
+    access_create: muc_create
+    access_persistent: muc_create
+    access_mam:
+      - allow
+
+    history_size: 1000
+    default_room_options:
+
+      mam: true
+      persistent: true
+      public: true
+      members_only: false
+      allow_visitor_nickchange: true
+      allow_user_invites: true
+      allow_subscription: true
+      max_users: 1000
+  
+  mod_muc_admin: {}
+  mod_offline:
+    access_max_user_messages: max_user_offline_messages
+  mod_ping: {}
+  mod_privacy: {}
+  mod_private: {}
+  mod_proxy65:
+    access: local
+    max_connections: 5
+  mod_pubsub:
+    access_createnode: pubsub_createnode
+    plugins:
+      - flat
+      - pep
+    force_node_config:
+      ## Avoid buggy clients to make their bookmarks public
+      storage:bookmarks:
+        access_model: whitelist
+  mod_push: {}
+  mod_push_keepalive: {}
+  mod_register:
+    ## Only accept registration requests from the "trusted"
+    ## network (see access_rules section above).
+    ## Think twice before enabling registration from any
+    ## address. See the Jabber SPAM Manifesto for details:
+    ## https://github.com/ge0rg/jabber-spam-fighting-manifesto
+    ip_access: trusted_network
+  mod_roster:
+    versioning: true
+  mod_s2s_dialback: {}
+  mod_shared_roster: {}
+  mod_stream_mgmt:
+    resend_on_timeout: if_offline
+  mod_stun_disco: {}
+  mod_vcard: {}
+  mod_vcard_xupdate: {}
+  mod_version:
+    show_os: false
+  mod_http_fileserver:
+    docroot: /var/www/webapps/jabber_data
+    accesslog: /var/log/ejabberd/access.log
+    content_types:
+      .png: image/png
+      .jpg: image/jpg
+      .dng: image/dng
+      .heic: image/heic
+      .pdf: application/pdf
+      .xml: application/xml
+    default_content_type: image/jpg
+
+### Local Variables:
+### mode: yaml
+### End:
+### vim: set filetype=yaml tabstop=8
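Review bot: `host_config` for `msg.sharix-app.org` binds to the remote directory `ldap.sharix.ru` with `ldap_encrypt: none` on port 389 using the rootdn and a literal `ldap_password: "secret"`, so the directory's master credential and every user's bind password cross the network in cleartext, and the secret itself is now tracked in git. Change it to `ldap_encrypt: tls` with `ldap_port: 636` once slapd has a certificate, add `ldap_tls_verify: hard` with `ldap_tls_cacertfile` so the server is actually authenticated, and keep the real password out of the committed file (a placeholder here, the value set on the host). Also, under `"public commands"` the `who` mapping has the key `ip` twice; YAML mappings cannot repeat keys and most loaders keep only the last one, so the loopback line is silently dropped and only `10.0.2.10/24` (which looks like it means the network `10.0.2.0/24`) remains. Write it in the list form the `loopback` acl already uses: `ip:` followed by `- 127.0.0.0/8` and `- 10.0.2.0/24` (note `127.0.0.1/8` above is presumably meant as `127.0.0.0/8`). With `what: "*"` that block exposes every API command except start/stop to any host on that subnet without authentication, so keep the subnet as narrow as the callers actually need.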

+ 30 - 0
ldap/README.md

@@ -0,0 +1,30 @@
+For ALT Linux P10/P11
+1. Place slapd.conf to /etc/openldap/
+chown -R ldap:ldap /etc/openldap /var/lib/ldap /etc/sasl2
+#idea - correct group for ldap, otherwise it could not run correctly
+
+Place sharix.schema to /etc/openldap/schema/
+
+2. service slapd stop
+3. Init database from init.ldif files
+
+slapadd -v -l init.ldif -f /etc/openldap/slapd.conf
+
+4. check `ldap` file and place in to /etc/sysconfig/ldap
+5. service slapd start
+6. systemctl enable slapd
+
+Maybe it's better to use localhost instead ldap.sharix.ru.
+OR write to /etc/hosts local ip address and ldap host specified in the config.
+
+7. Check if packages in installed on a host system:
+
+libsasl2-devel
+gcc
+python3-dev
+libldap-devel
+libldap2
+
+8. add to /etc/hosts:
+
+ip_address       ldap.sharix.ru

+ 264 - 0
ldap/init.ldif

@@ -0,0 +1,264 @@
+# init.ldif
+
+# Корневая запись (базовый DN)
+dn: dc=ldap,dc=sharix,dc=ru
+objectClass: dcObject
+objectClass: organization
+dc: ldap
+o: Sharix LDAP Server
+
+#дальше все ou
+#после все cn
+#после все пользователи
+
+#OU
+# Подразделение для пользователей
+dn: ou=users,dc=ldap,dc=sharix,dc=ru
+objectClass: organizationalUnit
+ou: users
+
+# Подразделение для групп (опционально)
+dn: ou=groups,dc=ldap,dc=sharix,dc=ru
+objectClass: organizationalUnit
+ou: groups
+
+# Подразделение для обработчиков и приложений (опционально)
+dn: ou=apps,dc=ldap,dc=sharix,dc=ru
+objectClass: organizationalUnit
+ou: apps
+
+#Подразделение с обработчиками с их описанием и может быть apikey
+dn: ou=handlers,dc=ldap,dc=sharix,dc=ru
+objectClass: organizationalUnit
+ou: handlers
+
+#UID FOR HANDLERS
+dn: uid=platform_access_request_pending,ou=handlers,dc=ldap,dc=sharix,dc=ru
+objectClass: inetOrgPerson
+uid: platform_access_request_pending
+cn: platform_access_request_pending
+sn: handler
+#maybe set the same for all for the beggining? Or make it like apikey? Now for testing - let's make it like Django main admin password
+userPassword: {SSHA}A7+gYVdJggPPyC4htCqk5N9hFzjQcLkT
+
+dn: uid=platform_access_request_accepted,ou=handlers,dc=ldap,dc=sharix,dc=ru
+objectClass: inetOrgPerson
+uid: platform_access_request_accepted
+cn: platform_access_request_accepted
+sn: handler
+#maybe set the same for all for the beggining? Or make it like apikey? Now for testing - let's make it like Django main admin password
+userPassword: {SSHA}A7+gYVdJggPPyC4htCqk5N9hFzjQcLkT
+
+dn: uid=platform_access_request_declined,ou=handlers,dc=ldap,dc=sharix,dc=ru
+objectClass: inetOrgPerson
+uid: platform_access_request_declined
+cn: platform_access_request_declined
+sn: handler
+#maybe set the same for all for the beggining? Or make it like apikey? Now for testing - let's make it like Django main admin password
+userPassword: {SSHA}A7+gYVdJggPPyC4htCqk5N9hFzjQcLkT
+
+dn: uid=platform_neg_request_pending,ou=handlers,dc=ldap,dc=sharix,dc=ru
+objectClass: inetOrgPerson
+uid: platform_neg_request_pending
+cn: platform_neg_request_pending
+sn: handler
+#maybe set the same for all for the beggining? Or make it like apikey? Now for testing - let's make it like Django main admin password
+userPassword: {SSHA}A7+gYVdJggPPyC4htCqk5N9hFzjQcLkT
+
+dn: uid=platform_neg_request_accepted,ou=handlers,dc=ldap,dc=sharix,dc=ru
+objectClass: inetOrgPerson
+uid: platform_neg_request_accepted
+cn: platform_neg_request_accepted
+sn: handler
+#maybe set the same for all for the beggining? Or make it like apikey? Now for testing - let's make it like Django main admin password
+userPassword: {SSHA}A7+gYVdJggPPyC4htCqk5N9hFzjQcLkT
+
+dn: uid=platform_neg_request_declined,ou=handlers,dc=ldap,dc=sharix,dc=ru
+objectClass: inetOrgPerson
+uid: platform_neg_request_declined
+cn: platform_neg_request_declined
+sn: handler
+#maybe set the same for all for the beggining? Or make it like apikey? Now for testing - let's make it like Django main admin password
+userPassword: {SSHA}A7+gYVdJggPPyC4htCqk5N9hFzjQcLkT
+
+dn: uid=platform_st_request_new,ou=handlers,dc=ldap,dc=sharix,dc=ru
+objectClass: inetOrgPerson
+uid: platform_st_request_new
+cn: platform_st_request_new
+sn: handler
+#maybe set the same for all for the beggining? Or make it like apikey? Now for testing - let's make it like Django main admin password
+userPassword: {SSHA}A7+gYVdJggPPyC4htCqk5N9hFzjQcLkT
+
+dn: uid=platform_st_request_reopened,ou=handlers,dc=ldap,dc=sharix,dc=ru
+objectClass: inetOrgPerson
+uid: platform_st_request_reopened
+cn: platform_st_request_reopened
+sn: handler
+#maybe set the same for all for the beggining? Or make it like apikey? Now for testing - let's make it like Django main admin password
+userPassword: {SSHA}A7+gYVdJggPPyC4htCqk5N9hFzjQcLkT
+
+dn: uid=platform_st_request_assigned,ou=handlers,dc=ldap,dc=sharix,dc=ru
+objectClass: inetOrgPerson
+uid: platform_st_request_assigned
+cn: platform_st_request_assigned
+sn: handler
+#maybe set the same for all for the beggining? Or make it like apikey? Now for testing - let's make it like Django main admin password
+userPassword: {SSHA}A7+gYVdJggPPyC4htCqk5N9hFzjQcLkT
+
+dn: uid=platform_st_request_inprocess,ou=handlers,dc=ldap,dc=sharix,dc=ru
+objectClass: inetOrgPerson
+uid: platform_st_request_inprocess
+cn: platform_st_request_inprocess
+sn: handler
+#maybe set the same for all for the beggining? Or make it like apikey? Now for testing - let's make it like Django main admin password
+userPassword: {SSHA}A7+gYVdJggPPyC4htCqk5N9hFzjQcLkT
+
+dn: uid=platform_st_request_wontfix,ou=handlers,dc=ldap,dc=sharix,dc=ru
+objectClass: inetOrgPerson
+uid: platform_st_request_wontfix
+cn: platform_st_request_wontfix
+sn: handler
+#maybe set the same for all for the beggining? Or make it like apikey? Now for testing - let's make it like Django main admin password
+userPassword: {SSHA}A7+gYVdJggPPyC4htCqk5N9hFzjQcLkT
+
+dn: uid=platform_st_request_done,ou=handlers,dc=ldap,dc=sharix,dc=ru
+objectClass: inetOrgPerson
+uid: platform_st_request_done
+cn: platform_st_request_done
+sn: handler
+#maybe set the same for all for the beggining? Or make it like apikey? Now for testing - let's make it like Django main admin password
+userPassword: {SSHA}A7+gYVdJggPPyC4htCqk5N9hFzjQcLkT
+
+
+#UID FOR OU=USERS
+dn: uid=5101,ou=users,dc=ldap,dc=sharix,dc=ru
+objectClass: inetOrgPerson
+objectClass: sharixAccount
+#objectClass: posixAccount
+#objectClass: shadowAccount
+uid: 5101
+cn: User One
+sn: One
+userPassword: {SSHA}A7+gYVdJggPPyC4htCqk5N9hFzjQcLkT
+#uidNumber: 1003
+#gidNumber: 103
+#homeDirectory: /home/ldaptest1
+givenName: Test
+displayName: Test
+mail: test@sharix-app.org
+jpegPhoto: 0
+telephoneNumber: 5102
+
+dn: uid=11111111111,ou=users,dc=ldap,dc=sharix,dc=ru
+objectClass: inetOrgPerson
+objectClass: sharixAccount
+uid: 11111111111
+cn: Django Admin
+sn: First
+#maybe set the same for all for the beggining? Now for testing - let's make it like Django main admin password
+userPassword: {SSHA}A7+gYVdJggPPyC4htCqk5N9hFzjQcLkT
+givenName: Admin
+displayName: Django Admin
+mail: admin@sharix-app.org
+jpegPhoto: 0
+telephoneNumber: 11111111112
+
+#CN FOR OU=GROUP
+dn: cn=platform_admin,ou=groups,dc=ldap,dc=sharix,dc=ru
+objectClass: groupOfNames
+cn: platform_admin
+description: Group for Platform Admins
+member: cn=admin,dc=ldap,dc=sharix,dc=ru
+
+dn: cn=platform_supervisor,ou=groups,dc=ldap,dc=sharix,dc=ru
+objectClass: groupOfNames
+cn: platform_supervisor
+description: Group for Platform Supervisors
+member: cn=admin,dc=ldap,dc=sharix,dc=ru
+
+dn: cn=platform_support,ou=groups,dc=ldap,dc=sharix,dc=ru
+objectClass: groupOfNames
+cn: platform_support
+description: Group for Platform Support
+member: cn=admin,dc=ldap,dc=sharix,dc=ru
+
+dn: cn=platform_techsupport,ou=groups,dc=ldap,dc=sharix,dc=ru
+objectClass: groupOfNames
+cn: platform_techsupport
+description: Group for Platform Techsupport
+member: cn=admin,dc=ldap,dc=sharix,dc=ru
+
+dn: cn=metaservice_admin,ou=groups,dc=ldap,dc=sharix,dc=ru
+objectClass: groupOfNames
+cn: metaservice_admin
+description: Group for Metaservice Admins
+member: cn=admin,dc=ldap,dc=sharix,dc=ru
+
+dn: cn=client,ou=groups,dc=ldap,dc=sharix,dc=ru
+objectClass: groupOfNames
+cn: client
+description: Group for Clients
+member: uid=5101,ou=users,dc=ldap,dc=sharix,dc=ru
+
+dn: cn=django_admin,ou=groups,dc=ldap,dc=sharix,dc=ru
+objectClass: groupOfNames
+cn: django_admin
+description: Group for Django Admins
+member: uid=11111111111,ou=users,dc=ldap,dc=sharix,dc=ru
+
+#CN FOR OU=APPS
+dn: cn=django,ou=apps,dc=ldap,dc=sharix,dc=ru
+objectClass: groupOfNames
+cn: django
+description: Group for Django users
+member: cn=11111111111,ou=users,dc=ldap,dc=sharix,dc=ru
+member: cn=5101,ou=users,dc=ldap,dc=sharix,dc=ru
+
+dn: cn=handlers,ou=apps,dc=ldap,dc=sharix,dc=ru
+objectClass: groupOfNames
+cn: handlers
+description: Group for Handlers
+member: cn=platform_access_request_pending,ou=users,dc=ldap,dc=sharix,dc=ru
+member: cn=platform_access_request_accepted,ou=users,dc=ldap,dc=sharix,dc=ru
+member: cn=platform_access_request_declined,ou=users,dc=ldap,dc=sharix,dc=ru
+member: cn=platform_neg_request_pending,ou=users,dc=ldap,dc=sharix,dc=ru
+member: cn=platform_neg_request_accepted,ou=users,dc=ldap,dc=sharix,dc=ru
+member: cn=platform_neg_request_declined,ou=users,dc=ldap,dc=sharix,dc=ru
+member: cn=platform_st_request_new,ou=users,dc=ldap,dc=sharix,dc=ru
+member: cn=platform_st_request_reopened,ou=users,dc=ldap,dc=sharix,dc=ru
+member: cn=platform_st_request_assigned,ou=users,dc=ldap,dc=sharix,dc=ru
+member: cn=platform_st_request_inprocess,ou=users,dc=ldap,dc=sharix,dc=ru
+member: cn=platform_st_request_wontfix,ou=users,dc=ldap,dc=sharix,dc=ru
+member: cn=platform_st_request_done,ou=users,dc=ldap,dc=sharix,dc=ru
+
+dn: cn=ejabberd,ou=apps,dc=ldap,dc=sharix,dc=ru
+objectClass: groupOfNames
+cn: ejabberd
+description: Group for Ejabberd users
+member: cn=platform_access_request_pending,ou=users,dc=ldap,dc=sharix,dc=ru
+member: cn=platform_access_request_accepted,ou=users,dc=ldap,dc=sharix,dc=ru
+member: cn=platform_access_request_declined,ou=users,dc=ldap,dc=sharix,dc=ru
+member: cn=platform_neg_request_pending,ou=users,dc=ldap,dc=sharix,dc=ru
+member: cn=platform_neg_request_accepted,ou=users,dc=ldap,dc=sharix,dc=ru
+member: cn=platform_neg_request_declined,ou=users,dc=ldap,dc=sharix,dc=ru
+member: cn=platform_st_request_new,ou=users,dc=ldap,dc=sharix,dc=ru
+member: cn=platform_st_request_reopened,ou=users,dc=ldap,dc=sharix,dc=ru
+member: cn=platform_st_request_assigned,ou=users,dc=ldap,dc=sharix,dc=ru
+member: cn=platform_st_request_inprocess,ou=users,dc=ldap,dc=sharix,dc=ru
+member: cn=platform_st_request_wontfix,ou=users,dc=ldap,dc=sharix,dc=ru
+member: cn=platform_st_request_done,ou=users,dc=ldap,dc=sharix,dc=ru
+member: cn=11111111111,ou=users,dc=ldap,dc=sharix,dc=ru
+member: cn=5101,ou=users,dc=ldap,dc=sharix,dc=ru
+
+dn: cn=local,ou=apps,dc=ldap,dc=sharix,dc=ru
+objectClass: groupOfNames
+cn: local
+description: Group for Local users
+member: cn=admin,dc=ldap,dc=sharix,dc=ru
+member: cn=11111111111,ou=users,dc=ldap,dc=sharix,dc=ru
+
+dn: cn=mail,ou=apps,dc=ldap,dc=sharix,dc=ru
+objectClass: groupOfNames
+cn: mail
+description: Group for Mail users
+member: cn=admin,dc=ldap,dc=sharix,dc=ru
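Review bot: The `member` values in the `ou=apps` groups (`cn=django`, `cn=handlers`, `cn=ejabberd`, `cn=local`) point at DNs this file never creates: the accounts are added as `uid=…,ou=users` and the handlers as `uid=…,ou=handlers`, but the groups reference `cn=…,ou=users`, so for example `member: cn=11111111111,ou=users,dc=ldap,dc=sharix,dc=ru` should read `member: uid=11111111111,ou=users,dc=ldap,dc=sharix,dc=ru` and `member: cn=platform_access_request_pending,ou=users,dc=ldap,dc=sharix,dc=ru` should read `member: uid=platform_access_request_pending,ou=handlers,dc=ldap,dc=sharix,dc=ru`, and likewise for the remaining handler and user members. slapadd does not verify that member DNs exist, so the groups load but are empty in practice and any `by group` ACL or application lookup built on them will not match. Separately, every entry carries the same `{SSHA}` hash with a comment that it equals the Django admin password; one shared, committed credential for twelve service identities plus the admin account means a single leak compromises all of them, so give each entry a distinct hash generated on the host (`slappasswd`) instead of a value kept in the LDIF.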

+ 16 - 0
ldap/ldap

@@ -0,0 +1,16 @@
+########################################
+# SLAPD Proccess options
+########################################
+
+# SLAPD URL list
+SLAPDURLLIST="ldap://ldap.sharix.ru/"
+#SLAPDURLLIST="'ldap://localhost/ ldaps:///'"
+#SLAPDURLLIST="'ldapi:/// ldap:/// ldaps:///'"
+
+SLAPD_OPTIONS="-f /etc/openldap/slapd.conf"
+
+# By default, ALT openldap use modern MDB-backend.
+# Uncomment next line to use deprecated HDB-backends.
+# This applied only with new calls of 'ldap-dn create'.
+#
+#SLAPD_BACKEND="hdb"
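Review bot: `SLAPDURLLIST` exposes only a plain `ldap://` listener on the public hostname, and the `TLS*` directives in this commit's `ldap/slapd.conf` are all still commented out, so every bind — including the rootdn bind that `ejabberd/ejabberd.yml` performs with `ldap_encrypt: none` — carries its password over the network in cleartext. Once `TLSCertificateFile` and `TLSCertificateKeyFile` are set in slapd.conf, prefer `SLAPDURLLIST="'ldapi:/// ldaps:///'"` (the commented example two lines below shows the quoting) so local tooling uses the unix socket and remote clients must use TLS. The hostname form also depends on the `/etc/hosts` step described in `ldap/README.md`; if name resolution fails at boot slapd may refuse to start, which is a further reason to keep `ldapi:///` in the list.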

+ 10 - 0
ldap/sharix.schema

@@ -0,0 +1,10 @@
+include		/etc/openldap/schema/core.schema
+include         /etc/openldap/schema/cosine.schema
+include		/etc/openldap/schema/inetorgperson.schema
+
+
+objectClass ( 1.3.6.1.4.1.9998.2.1.1 NAME 'sharixAccount'
+	SUP inetOrgPerson
+		DESC 'Пользователь с дополнительными атрибутами'
+	STRUCTURAL
+		MUST ( uid $ userPassword $ givenName $ displayName $ mail $ jpegPhoto $ telephoneNumber ) )
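Review bot: `sharixAccount` makes `jpegPhoto` and `telephoneNumber` mandatory (`MUST`), which is why `ldap/init.ldif` in this commit has to store the placeholder `jpegPhoto: 0` on every user; a dummy value in a binary attribute is a schema smell rather than data, and it will also be the value any client that renders avatars receives. Keep the identifiers required and move the profile fields to optional: `MUST ( uid $ userPassword $ mail )` and `MAY ( givenName $ displayName $ jpegPhoto $ telephoneNumber )`. The three `include` lines mix tabs and spaces; cosmetic, but consistent whitespace keeps the file diffable.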

+ 281 - 0
ldap/slapd.conf

@@ -0,0 +1,281 @@
+# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
+#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+# [ GLOBAL SETTINGS ]
+# Default schemas
+include         /etc/openldap/schema/sharix.schema
+#include		/etc/openldap/schema/core.schema
+#include		/etc/openldap/schema/cosine.schema
+#include		/etc/openldap/schema/inetorgperson.schema
+include		/etc/openldap/schema/openldap.schema
+include		/etc/openldap/schema/nis.schema
+#include		/etc/openldap/schema/misc.schema
+#include		/etc/openldap/schema/rfc822-MailMember.schema
+#include		/etc/openldap/schema/kerberosobject.schema
+#include		/etc/openldap/schema/corba.schema
+#include		/etc/openldap/schema/java.schema
+# ALT Domain schemas
+#include		/etc/openldap/schema/samba.schema
+#include		/etc/openldap/schema/kerberos.schema
+# Addon schemas
+#include		/etc/openldap/schema/autofs.schema
+#include		/etc/openldap/schema/courier.schema
+#include		/etc/openldap/schema/dnszone.schema
+#include		/etc/openldap/schema/freeradius.schema
+#include		/etc/openldap/schema/qmail.schema
+#include		/etc/openldap/schema/qmailControl.schema
+#include		/etc/openldap/schema/samba2.schema
+#include		/etc/openldap/schema/samba3.schema
+# Experementel schemas
+#include		/etc/openldap/schema/cron.schema
+#include		/etc/openldap/schema/trust.schema
+#include		/etc/openldap/schema/turbo.schema
+# Netscape roaming
+#include		/etc/openldap/schema/mull.schema
+#include		/etc/openldap/schema/netscape-profile.schema
+# Local schema
+#include		/etc/openldap/schema/local.schema
+
+# Specify  a  set  of features (separated by white space) to allow.
+allow bind_v2
+
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#referral ldap://root.openldap.org
+
+# Specify a desired level of concurrency. Provided to the underlying thread
+# system as a hint. The default is not to provide any hint.
+concurrency 20
+
+# Specify  the maximum number of pending requests for an anonymous session.  If
+# requests are submitted faster than the  server  can process them, they will
+# be queued up to this limit. If the limit is exceeded, the session is closed.
+#conn_max_pending 100
+
+# Specify  the  maximum  number  of  pending   requests   for   an
+# authenticated session.
+#conn_max_pending_auth 1000 
+
+# Specify  a default search base to use when client submits a non-base search
+# request with an empty base DN.
+#defaultsearchbase "dc=example, dc=com"
+
+# A SIGHUP signal will only  cause  a  'gentle'  shutdown-attempt: Slapd  will
+# stop  listening  for  new connections, but will not close the connections to
+# the  current  clients.
+gentlehup on
+
+# Specify the number of seconds to wait before forcibly closing an idle client
+# connection. A idletimeout of 0 disables this feature.
+#idletimeout 0
+
+# Specify time and size limits based on who initiated an operation.
+sizelimit -1
+#sizelimit 500
+#timelimit 60
+#limits anonymous time.soft=60 time.hard=120
+#limits anonymous size.soft=1000 size.hard=1100 size.unchecked=1000
+#limits users time.soft=60 time.hard=120
+#limits users size=1000
+#limits dn.base="ou=People,dc=example,dc=com" size=100
+
+# Specify the level at which debugging statements and operation statistics
+# should be syslogged (currently logged to the syslogd(8) LOG_LOCAL4 facility).
+# Log levels are additive, and available levels are:
+#    -1  full
+#     0  none
+#     1  trace function calls
+#     2  debug packet handling
+#     4  heavy trace debugging
+#     8  connection management
+#    16  print out packets sent and received
+#    32  search filter processing
+#    64  configuration file processing
+#   128  access control list processing
+#   256  stats log connections/operations/results
+#   512  stats log entries sent
+#  1024  print communication with shell backends
+#  2048  entry parsing
+loglevel 0
+
+# This option sets the hash to be used in generation of user passwords, stored
+# in userPassword, during processing of LDAP Password Modify Extended
+# Operations (RFC 3062). The <hash> must be one of {SSHA}, {SHA}, {SMD5},
+# {MD5}, {CRYPT}, and {CLEARTEXT}. The default is {SSHA}.
+#password-hash {SSHA}
+
+# The ( absolute ) name of a file that will hold the server's process ID
+# if started without the debugging command line option.
+
+# Specify the name of the replication log file to log changes to.
+# This one is a global replogfile for all configured databases.
+# Path to file is relative to chroot dir.
+#replogfile /replica/replica.data
+
+# Specify a set of conditions (separated by white space) to require (default
+# none). The directive may be specified globally and/or per-database. bind
+# requires bind operation prior to directory operations. LDAPv3 requires
+# session to be using LDAP version 3. authc requires authentication prior to
+# directory operations. SASL requires SASL authentication prior to directory
+# operations. strong requires strong authentication prior to directory
+# operations. The strong keyword allows protected "simple" authentication as
+# well as SASL authentication. none may be used to require no conditions
+# (useful for clearly globally set conditions within a particular database).
+#require none
+
+# Specify the name of an LDIF(5) file containing user defined attributes for
+# the root DSE. These attributes are returned in addition to the attributes
+# normally produced by slapd.
+rootDSE /etc/openldap/rootdse.ldif
+
+# Specify a set of factors (separated by white space) to require. An integer
+# value is associated with each factor and is roughly equivalent of the
+# encryption key length to require. A value of 112 is equivalent to 3DES, 128
+# to Blowfish, etc..
+#	Require integrity protection (prevent hijacking)
+#	Require 112-bit (3DES or better) encryption for updates
+#	Require 63-bit encryption for simple bind
+#security ssf=1 update_ssf=112 simple_bind=64
+
+# Specify the maximum size of the primary thread pool. The default is 16.
+#threads 16
+
+
+#
+# [ TLS OPTIONS ]
+#
+# Permits configuring what ciphers will be accepted and the preference order.
+# <cipher-suite-spec> should be a cipher specification for OpenSSL.
+#TLSCipherSuite HIGH:MEDIUM:+SSLv2
+
+# Specifies the path of a directory that contains Certificate Authority
+# certificates in separate individual files. Usually only one of this or the
+# TLSCACertificateFile is used.
+#TLSCACertificateFile /var/lib/ssl/cert.pem
+#TLSCACertificatePath /var/lib/ssl/certs
+
+# Specifies the file that contains the slapd server certificate.
+#TLSCertificateFile /var/lib/ssl/certs/slapd.cert
+
+# Specifies the file that contains the slapd server private key that matches
+# the certificate stored in the TLSCertificateFile file. Currently, the private
+# key must not be protected with a password, so it is of critical importance
+# that it is protected carefully.
+#TLSCertificateKeyFile /var/lib/ssl/private/slapd.key
+
+# Specifies what checks to perform on client certificates in an incoming TLS
+# session, if any.
+#TLSVerifyClient never
+database mdb
+suffix "dc=ldap,dc=sharix,dc=ru"
+rootdn "cn=admin,dc=ldap,dc=sharix,dc=ru"
+rootpw {SSHA}3gVsX+hkaayGbHHL7BKJep9JNL2NL02k
+directory /var/lib/ldap/bases/ldap.sharix.ru
+
+index objectClass eq
+index uid pres,eq,sub
+index cn pres,eq,sub,subany
+
+#
+# [ GLOBAL ACCESS CONTROL ]
+#
+# See slapd.access(5) for details
+
+# The root DIT should be accessible to all clients
+# 1. Доступ к паролям (userPassword)
+access to attrs=userPassword
+    by self write
+    by anonymous auth
+    by dn.exact="cn=admin,dc=ldap,dc=sharix,dc=ru" write
+    by * none
+
+# 2. Доступ к записи администратора
+access to dn.exact="cn=admin,dc=ldap,dc=sharix,dc=ru"
+    by * none 
+    by dn.exact="cn=admin,dc=ldap,dc=sharix,dc=ru" write
+
+# 3. Доступ к корневой записи (dc=ldap,dc=sharix,dc=ru)
+access to dn.exact="dc=ldap,dc=sharix,dc=ru"
+    by * read
+    by dn.exact="cn=admin,dc=ldap,dc=sharix,dc=ru" write
+
+# 4. Доступ к остальным данным
+access to *
+    by dn.exact="cn=admin,dc=ldap,dc=sharix,dc=ru" write
+    by users read
+    by * read
+
+# Запрет анонимного доступа ко всем данным, кроме аутентификации
+access to *
+    by anonymous none
+    by * read
+
+# Для работы с группами (posixGroup)
+access to dn.subtree="ou=Groups,dc=ldap,dc=sharix,dc=ru"
+    by dn.exact="cn=admin,dc=ldap,dc=sharix,dc=ru" write
+    by users read
+#
+# [ BACKEND OPTIONS ]
+#
+# Load dynamic backend modules:
+modulepath	/usr/lib/openldap
+
+## Backends
+#moduleload	back_asyncmeta.la
+#moduleload	back_dnssrv.la
+#moduleload	back_ldap.la
+#moduleload	back_meta.la
+moduleload	back_null.la
+#moduleload	back_passwd.la
+#moduleload	back_relay.la
+#moduleload	back_sock.la
+#moduleload	back_shell.la
+#moduleload	back_perl.la
+#moduleload	back_sql.la
+
+## Overlays
+# Known overlays are documented in slapo-accesslog(5), slapo-auditlog(5),
+# slapo-chain(5),  slapo-dynlist(5),  slapo-lastmod(5),  slapo-pcache(5),
+# slapo-ppolicy(5),  slapo-refint(5),   slapo-retcode(5),   slapo-rwm(5),
+# slapo-syncprov(5), slapo-translucent(5), slapo-unique(5).
+
+#moduleload	accesslog.la
+#moduleload	auditlog.la
+#moduleload	autoca.la
+#moduleload	collect.la
+#moduleload	constraint.la
+#moduleload	dds.la
+#moduleload	deref.la
+#moduleload	dyngroup.la
+#moduleload	dynlist.la
+#moduleload	homedir.la
+#moduleload	memberof.la
+#moduleload	lastmod.la
+#moduleload	otp.la
+#moduleload	pcache.la
+#moduleload	ppolicy.la
+#moduleload	refint.la
+#moduleload	remoteauth.la
+#moduleload	retcode.la
+#moduleload	rwm.la
+#moduleload	seqmod.la
+#moduleload	sssvlv.la
+#moduleload	syncprov.la
+#moduleload	translucent.la
+#moduleload	unique.la
+#moduleload	valsort.la
+
+#
+# [ DATABASE OPTIONS ]
+#
+
+# First database definition
+#include /etc/openldap/slapd-mdb-db01.conf
+
+# Second database definition
+#include /etc/openldap/slapd-mdb-db02.conf
+
+#
+# [END OF SLAPD.CONF]
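Review bot: The access-control list is order-sensitive (the first matching `access to` clause wins, per slapd.access(5)) and the fourth rule, `access to *` with `by * read`, matches every remaining entry, so the later `access to *` that is meant to deny anonymous access and the `ou=Groups` rule never apply: everything except `userPassword` is readable anonymously, the opposite of what the Russian comment above the fifth rule states. Within a clause the `by` lines are first-match as well, so `by * none` ahead of `by dn.exact="cn=admin,…" write` in the rootdn-entry rule shadows the admin line; all the `by dn.exact="cn=admin,…"` lines are redundant anyway because the rootdn bypasses access control. Rewrite the tail of the ACL as below, specific rules first and a catch-all that denies anonymous clients (simple binds still work through the `by anonymous auth` line of the `userPassword` rule). Separately, the literal `rootpw` hash sits in a file now tracked in git despite the header's own warning that it must not be readable; keep the production hash out of the repository and rotate this one. TLS is entirely disabled in this file (`TLSCertificateFile` and friends commented out), so the rootdn bind from ejabberd travels in cleartext until that is fixed.
```conf
# … unchanged: userPassword rule (self write / anonymous auth / * none) …

# rootdn entry: hidden from ordinary clients (the rootdn itself bypasses ACLs)
access to dn.exact="cn=admin,dc=ldap,dc=sharix,dc=ru"
    by * none

access to dn.exact="dc=ldap,dc=sharix,dc=ru"
    by * read

access to dn.subtree="ou=groups,dc=ldap,dc=sharix,dc=ru"
    by users read
    by * none

# catch-all last: authenticated clients read, anonymous nothing
access to *
    by users read
    by * none
```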