1##VERSION: $Id: c473c49f63772e95a791fb3b90275796c033920e-20211107164046$
2#
3# Copyright 2000-2016 Double Precision, Inc.  See COPYING for
4# distribution information.
5#
6# Do not alter lines that begin with ##, they are used when upgrading
7# this configuration.
8#
9# authldaprc created from authldaprc.dist by sysconftool
10#
11# DO NOT INSTALL THIS FILE with world read permissions.  This file
12# might contain the LDAP admin password!
13#
14# This configuration file specifies LDAP authentication parameters
15#
16# The format of this file must be as follows:
17#
18# field[spaces|tabs]value
19#
20# That is, the name of the field, followed by spaces or tabs, followed by
21# field value.  No trailing spaces.
22#
23# Changes to this file take effect immediately.
24#
25# Here are the fields:
26
27##NAME: LOCATION:1
28#
29# Location of your LDAP server(s). If you have multiple LDAP servers,
30# you can list them separated by commas and spaces, and they will be tried in
31# turn.
32
33LDAP_URI		ldaps://ldap.example.com, ldaps://backup.example.com
34
35##NAME: LDAP_PROTOCOL_VERSION:0
36#
37# Which version of LDAP protocol to use
38
39LDAP_PROTOCOL_VERSION	3
40
41##NAME: LDAP_BASEDN:0
42#
43# Look for authentication here:
44
45LDAP_BASEDN		o=example, c=com
46
47##NAME: LDAP_BINDDN:0
48#
49# You may or may not need to specify the following.  Because you've got
50# a password here, authldaprc should not be world-readable!!!
51
52LDAP_BINDDN		cn=administrator, o=example, c=com
53LDAP_BINDPW		toto
54
55##NAME: LDAP_TIMEOUT:0
56#
57# Timeout for LDAP search and connection
58
59LDAP_TIMEOUT		5
60
61##NAME: LDAP_AUTHBIND:0
62#
63# Define this to have the ldap server authenticate passwords.  If LDAP_AUTHBIND
64# the password is validated by rebinding with the supplied userid and password.
65# If rebind succeeds, this is considered to be an authenticated request.  This
66# does not support CRAM-MD5 authentication, which requires clearPassword.
67# Additionally, if LDAP_AUTHBIND is 1 then password changes are done under
68# the credentials of the user themselves, not LDAP_BINDDN/BINDPW
69#
70# LDAP_AUTHBIND		1
71
72##NAME: LDAP_INITBIND:1
73#
74# Define this to do an initial bind to the adminstrator DN set in LDAP_BINDDN.
75# If your LDAP server allows access without a bind, or you want to authenticate
76# using a rebind (and have set LDAP_AUTHBIND to 1, you can set this to 0 and
77# need not write the LDAP-Admin passwort into this file.
78#
79LDAP_INITBIND		1
80
81##NAME: LDAP_MAIL:0
82#
83# Here's the field on which we query
84
85LDAP_MAIL		mail
86
87##NAME: LDAP_FILTER:0
88#
89# This LDAP filter will be ANDed with the query for the field defined above
90# in LDAP_MAIL.  So if you are querying for mail, and you have LDAP_FILTER
91# defined to be "(objectClass=CourierMailAccount)" the query that is performed
92# will be "(&(objectClass=CourierMailAccount)(mail=<someAccount>))"
93#
94# LDAP_FILTER           (objectClass=CourierMailAccount)
95
96##NAME: LDAP_DOMAIN:0
97#
98# The following default domain will be appended, if not explicitly specified.
99#
100# LDAP_DOMAIN		example.com
101
102##NAME: LDAP_GLOB_IDS:0
103#
104# The following two variables can be used to set everybody's uid and gid.
105# This is convenient if your LDAP specifies a bunch of virtual mail accounts
106# The values can be usernames or userids:
107#
108# LDAP_GLOB_UID		vmail
109# LDAP_GLOB_GID		vmail
110
111##NAME: LDAP_HOMEDIR:0
112#
113# We will retrieve the following attributes
114#
115# The HOMEDIR attribute MUST exist, and we MUST be able to chdir to it
116
117LDAP_HOMEDIR		homeDirectory
118
119##NAME: LDAP_MAILROOT:0
120#
121# If homeDirectory is not an absolute path, define the root of the
122# relative paths in LDAP_MAILROOT
123#
124#  LDAP_MAILROOT        /var/mail
125
126
127##NAME: LDAP_MAILDIR:0
128#
129# The MAILDIR attribute is OPTIONAL, and specifies the location of the
130# mail directory.  If not specified, ./Maildir will be used
131
132LDAP_MAILDIR		mailbox
133
134##NAME: LDAP_DEFAULTDELIVERY:0
135#
136# Courier mail server only: optional attribute specifies custom mail delivery
137# instructions for this account (if defined) -- essentially overrides
138# DEFAULTDELIVERY from ${sysconfdir}/courierd
139
140LDAP_DEFAULTDELIVERY	defaultDelivery
141
142##NAME: LDAP_MAILDIRQUOTA:0
143#
144# The following variable, if defined, specifies the field containing the
145# maildir quota, see README.maildirquota for more information
146#
147# LDAP_MAILDIRQUOTA	quota
148
149
150##NAME: LDAP_FULLNAME:0
151#
152# FULLNAME is optional, specifies the user's full name
153
154LDAP_FULLNAME		cn
155
156##NAME: LDAP_PW:0
157#
158# CLEARPW is the clear text password.  CRYPT is the crypted password.
159# ONE OF THESE TWO ATTRIBUTES IS REQUIRED.  If CLEARPW is provided, and
160# libhmac.a is available, CRAM authentication will be possible!
161
162LDAP_CLEARPW		clearPassword
163LDAP_CRYPTPW		userPassword
164
165##NAME: LDAP_IDS:0
166#
167# Uncomment the following, and modify as appropriate, if your LDAP database
168# stores individual userids and groupids.  Otherwise, you must uncomment
169# LDAP_GLOB_UID and LDAP_GLOB_GID above.  LDAP_GLOB_UID and LDAP_GLOB_GID
170# specify a uid/gid for everyone.  Otherwise, LDAP_UID and LDAP_GID must
171# be defined as attributes for everyone.
172#
173# LDAP_UID		uidNumber
174# LDAP_GID		gidNumber
175
176
177##NAME: LDAP_AUXOPTIONS:0
178#
179# Auxiliary options.  The LDAP_AUXOPTIONS setting should contain a list of
180# comma-separated "ATTRIBUTE=NAME" pairs.  These names are additional
181# attributes that define various per-account "options", as given in
182# INSTALL's description of the OPTIONS setting.
183#
184# Each ATTRIBUTE specifies an LDAP attribute name.  If it is present,
185# the attribute value gets placed in the OPTIONS variable, with the name
186# NAME.  For example:
187#
188#    LDAP_AUXOPTIONS	shared=sharedgroup,disableimap=disableimap
189#
190# Then, if an LDAP record contains the following attributes:
191#
192#     shared: domain1
193#     disableimap: 0
194#
195# Then authldap will initialize OPTIONS to "sharedgroup=domain1,disableimap=0"
196#
197# NOTE: ** no spaces in this setting **, the above example has exactly
198# one tab character after LDAP_AUXOPTIONS
199
200
201##NAME: LDAP_ENUMERATE_FILTER:0
202#
203# Optional custom filter used when enumerating accounts for authenumerate,
204# in order to compile a list of accounts for shared folders. If present,
205# this filter will be used instead of LDAP_FILTER.
206#
207# LDAP_ENUMERATE_FILTER	(&(objectClass=CourierMailAccount)(!(disableshared=1)))
208
209
210##NAME: LDAP_DEREF:0
211#
212# Determines how aliases are handled during a search.  This option is available
213# only with OpenLDAP 2.0
214#
215# LDAP_DEREF can be one of the following values:
216# never, searching, finding, always. If not specified, aliases are
217# never dereferenced.
218
219LDAP_DEREF		never
220
221##NAME: LDAP_TLS:0
222#
223# Set LDAP_TLS to 1 to use the Start TLS extension (RFC 2830). This is
224# when the server accepts a normal LDAP connection on port 389 which
225# the client then requests 'upgrading' to TLS, and is equivalent to the
226# -ZZ flag to ldapsearch. If you are using an ldaps:// URI then do not
227# set this option.
228#
229# For additional LDAP-related options, see the authdaemonrc config file.
230
231LDAP_TLS		0
232
233##NAME: LDAP_EMAILMAP:0
234#
235# The following optional settings, if enabled, result in an extra LDAP
236# lookup to first locate a handle for an E-mail address, then a second lookup
237# on that handle to get the actual authentication record.  You'll need
238# to uncomment these settings to enable an email handle lookup.
239#
240# The E-mail address must be of the form user@realm, and this is plugged
241# into the following search string.  "@user@" and "@realm@" are placeholders
242# for the user and the realm portions of the login ID.
243#
244# This is an LDAP search filter, so \40 can be used to represent a literal
245# @ character in the search string.
246#
247# LDAP_EMAILMAP		(&(userid=@user@)(realm=@realm@))
248
249##NAME: LDAP_EMAILMAP_BASEDN:0
250#
251# Specify the basedn for the email lookup.  The default is LDAP_BASEDN.
252#
253# LDAP_EMAILMAP_BASEDN	o=emailmap, c=com
254
255
256##NAME: LDAP_EMAILMAP_ATTRIBUTE:0
257#
258# The attribute which holds the handle.  The contents of this attribute
259# are then plugged into the regular authentication lookup, and you must set
260# LDAP_EMAILMAP_MAIL to the name of this attribute in the authentication
261# records (which may be the same as LDAP_MAIL).
262# You MUST also leave LDAP_DOMAIN undefined.  This enables authenticating
263# by handles only.
264#
265# Here's an example:
266#
267# dn: userid=john, realm=example.com, o=emailmap, c=com # LDAP_EMAILMAP_BASEDN
268# userid: john          # LDAP_EMAILMAP search
269# realm: example.com    # LDAP_EMAILMAP search
270# handle: cc223344      # LDAP_EMAILMAP_ATTRIBUTE
271#
272#
273# dn: controlHandle=cc223344, o=example, c=com      # LDAP_BASEDN
274# controlHandle: cc223344         # LDAP_EMAILMAP_MAIL set to "controlHandle"
275# uid: ...
276# gid: ...
277# [ etc... ]
278#
279# LDAP_EMAILMAP_ATTRIBUTE handle
280
281##NAME: LDAP_EMAILMAP_MAIL:0
282#
283# After reading LDAP_EMAIL_ATTRIBUTE, the second query will go against
284# LDAP_BASEDN, but will key against LDAP_EMAILMAP_MAIL instead of LDAP_MAIL.
285#
286# LDAP_EMAILMAP_MAIL mail
287
288##NAME: MARKER:0
289#
290# Do not remove this section from this configuration file. This section
291# must be present at the end of this file.
292