##VERSION: $Id: c473c49f63772e95a791fb3b90275796c033920e-20211107164046$
#
# Copyright 2000-2016 Double Precision, Inc. See COPYING for
# distribution information.
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
# authldaprc created from authldaprc.dist by sysconftool
#
# DO NOT INSTALL THIS FILE with world read permissions. This file
# might contain the LDAP admin password!
#
# This configuration file specifies LDAP authentication parameters
#
# The format of this file must be as follows:
#
# field[spaces|tabs]value
#
# That is, the name of the field, followed by spaces or tabs, followed by
# field value. No trailing spaces.
#
# Changes to this file take effect immediately.
#
# Here are the fields:

##NAME: LOCATION:1
#
# Location of your LDAP server(s). If you have multiple LDAP servers,
# you can list them separated by commas and spaces, and they will be tried in
# turn.

LDAP_URI	ldaps://ldap.example.com, ldaps://backup.example.com

##NAME: LDAP_PROTOCOL_VERSION:0
#
# Which version of LDAP protocol to use

LDAP_PROTOCOL_VERSION	3

##NAME: LDAP_BASEDN:0
#
# Look for authentication here:

LDAP_BASEDN	o=example, c=com

##NAME: LDAP_BINDDN:0
#
# You may or may not need to specify the following. Because you've got
# a password here, authldaprc should not be world-readable!!!

LDAP_BINDDN	cn=administrator, o=example, c=com
LDAP_BINDPW	toto

##NAME: LDAP_TIMEOUT:0
#
# Timeout for LDAP search and connection

LDAP_TIMEOUT	5

##NAME: LDAP_AUTHBIND:0
#
# Define this to have the LDAP server authenticate passwords. If LDAP_AUTHBIND
# is set, the password is validated by rebinding with the supplied userid and
# password. If the rebind succeeds, this is considered to be an authenticated
# request. This does not support CRAM-MD5 authentication, which requires
# clearPassword.
# Additionally, if LDAP_AUTHBIND is 1 then password changes are done under
# the credentials of the user themselves, not LDAP_BINDDN/BINDPW
#
# LDAP_AUTHBIND	1

##NAME: LDAP_INITBIND:1
#
# Define this to do an initial bind to the administrator DN set in LDAP_BINDDN.
# If your LDAP server allows access without a bind, or you want to authenticate
# using a rebind (and have set LDAP_AUTHBIND to 1), you can set this to 0 and
# need not write the LDAP admin password into this file.
#
LDAP_INITBIND	1

##NAME: LDAP_MAIL:0
#
# Here's the field on which we query

LDAP_MAIL	mail

##NAME: LDAP_FILTER:0
#
# This LDAP filter will be ANDed with the query for the field defined above
# in LDAP_MAIL. So if you are querying for mail, and you have LDAP_FILTER
# defined to be "(objectClass=CourierMailAccount)" the query that is performed
# will be "(&(objectClass=CourierMailAccount)(mail=<someAccount>))"
#
# LDAP_FILTER	(objectClass=CourierMailAccount)

##NAME: LDAP_DOMAIN:0
#
# The following default domain will be appended, if not explicitly specified.
#
# LDAP_DOMAIN	example.com

##NAME: LDAP_GLOB_IDS:0
#
# The following two variables can be used to set everybody's uid and gid.
# This is convenient if your LDAP specifies a bunch of virtual mail accounts.
# The values can be usernames or userids:
#
# LDAP_GLOB_UID	vmail
# LDAP_GLOB_GID	vmail

##NAME: LDAP_HOMEDIR:0
#
# We will retrieve the following attributes
#
# The HOMEDIR attribute MUST exist, and we MUST be able to chdir to it

LDAP_HOMEDIR	homeDirectory

##NAME: LDAP_MAILROOT:0
#
# If homeDirectory is not an absolute path, define the root of the
# relative paths in LDAP_MAILROOT
#
# LDAP_MAILROOT	/var/mail


##NAME: LDAP_MAILDIR:0
#
# The MAILDIR attribute is OPTIONAL, and specifies the location of the
# mail directory. If not specified, ./Maildir will be used

LDAP_MAILDIR	mailbox

##NAME: LDAP_DEFAULTDELIVERY:0
#
# Courier mail server only: optional attribute specifies custom mail delivery
# instructions for this account (if defined) -- essentially overrides
# DEFAULTDELIVERY from ${sysconfdir}/courierd

LDAP_DEFAULTDELIVERY	defaultDelivery

##NAME: LDAP_MAILDIRQUOTA:0
#
# The following variable, if defined, specifies the field containing the
# maildir quota, see README.maildirquota for more information
#
# LDAP_MAILDIRQUOTA	quota


##NAME: LDAP_FULLNAME:0
#
# FULLNAME is optional, specifies the user's full name

LDAP_FULLNAME	cn

##NAME: LDAP_PW:0
#
# CLEARPW is the clear text password. CRYPT is the crypted password.
# ONE OF THESE TWO ATTRIBUTES IS REQUIRED. If CLEARPW is provided, and
# libhmac.a is available, CRAM authentication will be possible!

LDAP_CLEARPW	clearPassword
LDAP_CRYPTPW	userPassword

##NAME: LDAP_IDS:0
#
# Uncomment the following, and modify as appropriate, if your LDAP database
# stores individual userids and groupids. Otherwise, you must uncomment
# LDAP_GLOB_UID and LDAP_GLOB_GID above. LDAP_GLOB_UID and LDAP_GLOB_GID
# specify a uid/gid for everyone. Otherwise, LDAP_UID and LDAP_GID must
# be defined as attributes for everyone.
#
# LDAP_UID	uidNumber
# LDAP_GID	gidNumber


##NAME: LDAP_AUXOPTIONS:0
#
# Auxiliary options. The LDAP_AUXOPTIONS setting should contain a list of
# comma-separated "ATTRIBUTE=NAME" pairs. These names are additional
# attributes that define various per-account "options", as given in
# INSTALL's description of the OPTIONS setting.
#
# Each ATTRIBUTE specifies an LDAP attribute name. If it is present,
# the attribute value gets placed in the OPTIONS variable, with the name
# NAME. For example:
#
# LDAP_AUXOPTIONS	shared=sharedgroup,disableimap=disableimap
#
# Then, if an LDAP record contains the following attributes:
#
# shared: domain1
# disableimap: 0
#
# Then authldap will initialize OPTIONS to "sharedgroup=domain1,disableimap=0"
#
# NOTE: ** no spaces in this setting **, the above example has exactly
# one tab character after LDAP_AUXOPTIONS


##NAME: LDAP_ENUMERATE_FILTER:0
#
# Optional custom filter used when enumerating accounts for authenumerate,
# in order to compile a list of accounts for shared folders. If present,
# this filter will be used instead of LDAP_FILTER.
#
# LDAP_ENUMERATE_FILTER	(&(objectClass=CourierMailAccount)(!(disableshared=1)))


##NAME: LDAP_DEREF:0
#
# Determines how aliases are handled during a search. This option is available
# only with OpenLDAP 2.0
#
# LDAP_DEREF can be one of the following values:
# never, searching, finding, always. If not specified, aliases are
# never dereferenced.

LDAP_DEREF	never

##NAME: LDAP_TLS:0
#
# Set LDAP_TLS to 1 to use the Start TLS extension (RFC 2830). This is
# when the server accepts a normal LDAP connection on port 389 which
# the client then requests 'upgrading' to TLS, and is equivalent to the
# -ZZ flag to ldapsearch. If you are using an ldaps:// URI then do not
# set this option.
#
# For additional LDAP-related options, see the authdaemonrc config file.

LDAP_TLS	0

##NAME: LDAP_EMAILMAP:0
#
# The following optional settings, if enabled, result in an extra LDAP
# lookup to first locate a handle for an E-mail address, then a second lookup
# on that handle to get the actual authentication record. You'll need
# to uncomment these settings to enable an email handle lookup.
#
# The E-mail address must be of the form user@realm, and this is plugged
# into the following search string. "@user@" and "@realm@" are placeholders
# for the user and the realm portions of the login ID.
#
# This is an LDAP search filter, so \40 can be used to represent a literal
# @ character in the search string.
#
# LDAP_EMAILMAP	(&(userid=@user@)(realm=@realm@))

##NAME: LDAP_EMAILMAP_BASEDN:0
#
# Specify the basedn for the email lookup. The default is LDAP_BASEDN.
#
# LDAP_EMAILMAP_BASEDN	o=emailmap, c=com


##NAME: LDAP_EMAILMAP_ATTRIBUTE:0
#
# The attribute which holds the handle. The contents of this attribute
# are then plugged into the regular authentication lookup, and you must set
# LDAP_EMAILMAP_MAIL to the name of this attribute in the authentication
# records (which may be the same as LDAP_MAIL).
# You MUST also leave LDAP_DOMAIN undefined. This enables authenticating
# by handles only.
#
# Here's an example:
#
# dn: userid=john, realm=example.com, o=emailmap, c=com	# LDAP_EMAILMAP_BASEDN
# userid: john				# LDAP_EMAILMAP search
# realm: example.com			# LDAP_EMAILMAP search
# handle: cc223344			# LDAP_EMAILMAP_ATTRIBUTE
#
#
# dn: controlHandle=cc223344, o=example, c=com	# LDAP_BASEDN
# controlHandle: cc223344		# LDAP_EMAILMAP_MAIL set to "controlHandle"
# uid: ...
# gid: ...
# [ etc... ]
#
# LDAP_EMAILMAP_ATTRIBUTE	handle

##NAME: LDAP_EMAILMAP_MAIL:0
#
# After reading LDAP_EMAILMAP_ATTRIBUTE, the second query will go against
# LDAP_BASEDN, but will key against LDAP_EMAILMAP_MAIL instead of LDAP_MAIL.
#
# LDAP_EMAILMAP_MAIL	mail

##NAME: MARKER:0
#
# Do not remove this section from this configuration file. This section
# must be present at the end of this file.
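The following Python model is added to this page as an illustration; it is not part of Courier's authlib and not the code that reads authldaprc. It shows how the settings documented above combine into the LDAP search filters the comments describe: LDAP_FILTER ANDed with the LDAP_MAIL term (with LDAP_DOMAIN appended when the login carries no domain), the @user@ / @realm@ substitution in LDAP_EMAILMAP, and the ATTRIBUTE=NAME mapping of LDAP_AUXOPTIONS into the OPTIONS string. All function names are the example's own. The login string arrives from the mail client, so the example escapes it per RFC 4515 before substituting it into a filter; whether and how authlib itself escapes it is not stated in this file, so treat that escaping as the example's design choice, not a description of authlib.

```python
"""Constructed model of how authldaprc settings become LDAP search filters.

Written for this page as an illustration; not authlib's own code.
"""
import re
from typing import Dict, Optional

# RFC 4515 escapes for characters that are special inside a filter assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only match as data and never reshape the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def qualify_login(login: str, ldap_domain: Optional[str]) -> str:
    """Append LDAP_DOMAIN when the login has no domain part (the LDAP_DOMAIN rule above)."""
    if ldap_domain and "@" not in login:
        return f"{login}@{ldap_domain}"
    return login


def build_auth_filter(login: str, ldap_mail: str = "mail",
                      ldap_filter: Optional[str] = None,
                      ldap_domain: Optional[str] = None) -> str:
    """(&LDAP_FILTER(LDAP_MAIL=login)), or just (LDAP_MAIL=login) when LDAP_FILTER is unset."""
    term = f"({ldap_mail}={escape_filter_value(qualify_login(login, ldap_domain))})"
    return f"(&{ldap_filter}{term})" if ldap_filter else term


_PLACEHOLDER = re.compile(r"@(user|realm)@")


def build_emailmap_filter(login: str, ldap_emailmap: str) -> str:
    """Fill @user@ / @realm@ in LDAP_EMAILMAP; the login must be of the form user@realm."""
    user, sep, realm = login.partition("@")
    if not (sep and user and realm):
        raise ValueError("LDAP_EMAILMAP requires a login of the form user@realm")
    parts = {"user": escape_filter_value(user), "realm": escape_filter_value(realm)}
    # Single-pass substitution: a substituted value is never re-read as a placeholder,
    # and a literal '@' written as \40 in the template passes through untouched.
    return _PLACEHOLDER.sub(lambda m: parts[m.group(1)], ldap_emailmap)


def build_options(ldap_auxoptions: str, record: Dict[str, str]) -> str:
    """Map LDAP_AUXOPTIONS "ATTRIBUTE=NAME,..." over an LDAP record into OPTIONS."""
    options = []
    for pair in ldap_auxoptions.split(","):
        if not pair:
            continue
        attribute, _, name = pair.partition("=")
        if attribute in record:  # only attributes present in the record contribute
            options.append(f"{name}={record[attribute]}")
    return ",".join(options)


if __name__ == "__main__":
    # Constructed inputs mirroring the examples in the comments above.
    print(build_auth_filter("someAccount", "mail", "(objectClass=CourierMailAccount)"))
    print(build_emailmap_filter("john@example.com", "(&(userid=@user@)(realm=@realm@))"))
    print(build_options("shared=sharedgroup,disableimap=disableimap",
                        {"shared": "domain1", "disableimap": "0"}))
```

Running the block prints the three strings the comments above promise: the ANDed authentication filter, the filled-in LDAP_EMAILMAP filter, and the OPTIONS string "sharedgroup=domain1,disableimap=0". The escaping step is what keeps a login containing "*", "(" or ")" from widening or restructuring the search; it is the check worth verifying in whatever component actually builds these filters in your deployment.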