This is a multi-part message in MIME format. --------------040702090906080801050004 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit
Attaching the relevant slapd.conf
--------------040702090906080801050004 Content-Type: text/plain; name="slapd.conf" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="slapd.conf"
# Global slapd settings for the SMD proxy-cache instance.
pidfile /var/run/ldap/slapd.pid
argsfile /var/run/ldap/slapd.args

# Logging is disabled by default. Enable logging when necessary.
# (May significantly affect performance, depending on the level of
# server activity.)
#
# To enable logging of access, read, modify, and deletions,
# set the loglevel to 256.
# NOTE(review): with "none" this proxy leaves no record of who bound or what
# was searched; 256 is what an incident responder will ask for, so weigh the
# performance cost against having no audit trail at all.
loglevel none

# NOTE(review): the next line is commented out, so anonymous binds are
# accepted by this listener. Confirm that is intended before exposing the
# port beyond the mail hosts that need it.
# disallow bind_anon

gentlehup on

# The sizelimit caps how many entries a single search may return, which
# bounds how much of the directory a client can enumerate per query.
#
#sizelimit unlimited
sizelimit 200

# Limit the amount of time the server will spend performing
# a single query.
# NOTE(review): 3600 s is a long time to let one search run; a smaller value
# limits the damage an expensive or deliberately slow query can do.
#
#timelimit unlimited
timelimit 3600

# NOTE(review): LDAPv2 binds are accepted here. v2 has no SASL or StartTLS;
# keep this only for legacy clients that cannot speak LDAPv3.
allow bind_v2
#######################################################################
# SASL:
#######################################################################
#
# SMD is configured with SASL support for most environments.
# See the provided slapd.conf man page for additional information.
#
## sasl-secprops:
# Used to specify Cyrus SASL security properties. The "none" value
# by itself clears the default "noanonymous,noplain".
# NOTE(review): clearing the defaults means slapd no longer refuses
# anonymous SASL or mechanisms that carry the credential in clear text.
# If the mail hosts only use simple binds this may not matter, but confirm
# it is intended rather than inherited from a template.
sasl-secprops none
#
## sasl-host:
# Used to specify the fully qualified domain name
# used for SASL processing.
#sasl-host <fqdn>
#
## sasl-realm:
# Specify the SASL realm. Default is empty.
#sasl-realm <realm>
#######################################################################
# schema information
#######################################################################

# Schema shipped with SMD 4.0.
include /usr/local/example/smd-4.0/schema/syntax.defs
include /usr/local/example/smd-4.0/schema/core.schema
include /usr/local/example/smd-4.0/schema/cosine.schema
include /usr/local/example/smd-4.0/schema/inetorgperson.schema
include /usr/local/example/smd-4.0/schema/openldap.schema
include /usr/local/example/smd-4.0/schema/nis.schema
include /usr/local/example/smd-4.0/schema/messageRecipient.schema
include /usr/local/example/smd-4.0/schema/smi.schema
include /usr/local/example/smd-4.0/schema/sieve.schema
include /usr/local/example/smd-4.0/schema/sendmail.schema

# All user-customized schema additions must be made in the files
# stored under /etc/mail/openldap/schema.
# NOTE(review): this file is site-editable configuration, not product
# files; whoever can write it can change the attribute definitions the
# cache templates below rely on, so keep it root-owned and not group/world
# writable.
include /etc/mail/openldap/schema/custom.schema
#######################################################################
# ldap database definitions
#######################################################################

# Proxy (back-ldap) database: every suffix ("") is forwarded to the
# backend named in the uri below.
database ldap
lastmod off
suffix ""

# The proxy cache function requires that the 'rootdn' parameter is set.
# Note that with the password configured below, it cannot be used to bind
# (the value appears to be a placeholder rather than a real hash). Keep it
# that way: a working rootpw here would grant full access to the cache.
rootdn "cn=Manager"
rootpw {SHA}example-proxycache

######################################################################
# Back-LDAP connection settings
######################################################################
#
# Two settings are necessary:
#   A) Optional TLS settings, used with all ldap:// connections.
#      This setting must appear before the LDAP URI.
#   B) LDAP URI list, with hosts separated by spaces
#
# To require TLS on ldap:// connections, use "tls start"
# To try TLS (but not require) on ldap:// connections, use "tls try-start"
#
# tls start
# tls try-start
#
# This URI example has two LDAP replica servers to try, using ldaps and ldap
#uri "ldaps://rep1.domain.com ldaps://rep2.domain.com ldap://rep1.domain.com"

# NOTE(review): neither "tls start" nor "tls try-start" is active and the
# scheme is ldap://, so queries and the entries they return cross the wire
# to the backend in clear text. Use "tls start" or an ldaps:// URI unless
# this link is confined to a trusted network segment.
uri ldap://ldap.smi.example.com
######################################################################
# Proxycache settings
######################################################################

overlay pcache
##########   <database> <max_entries> <numattrsets> <entry_limit> <cc_period>
proxycache   bdb        10000         3             1             600
proxycachequeries 10000

# Important proxycache notes:
# - You may have multiple queries per cache set
# - The same query can appear in multiple cache sets
# - Only one proxyattrset definition may appear for any cache set
# - A given attribute may only appear in one proxyattrset.
# - Taking all four conditions above, if multiple queries need access
#   to the same attribute in their result, the queries must appear
#   within the same cache set. Also, the attrset for that cache set
#   must contain a list of all attributes returned from any of the
#   queries in that set.
# - All attributes used in search queries must be defined in the schema.
#   Sendmail has pre-defined schema including the vendor-specific attributes.
# - Additional application and target directory server notes appear
#   below the cache definitions
# - An entry will be cached once for each different search query that
#   is being used to find it. This means that the actual number of
#   LDAP entries which may be cached is not the value set in MAX_ENTRIES
#   above, but instead is this value divided by the number of distinct
#   LDAP queries being used.

# Cache set 0 is used for Flow Control, Authentication, LDAP routing, Proxy lookups
proxyattrset 0 DN mail mailRoutingAddress mailHost imapHost popHost objectClass smiAuthDisabled
#
# Cache set 1 is used for distribution list expansion
proxyattrset 1 mgrpRFC822MailMember objectClass
#
# Cache set 2 is used for Sieve lookups
proxyattrset 2 messageStoreUserFilter objectClass

# Query templates: one line per filter shape the cache will answer.
# The empty values (e.g. "mail=") are filled in from the live query.
#                                                                    Set_# ttl neg-ttl
#
# SMD:
proxytemplate (|(mailLocalAddress=)(objectClass=)) 0 900 120
proxytemplate (|(mailRoutingAddress=)(objectClass=)) 0 900 120
proxytemplate (&(objectClass=)(mailRoutingAddress=)) 1 900 120
proxytemplate (mailRoutingAddress=) 2 900 120
#
# AD:
proxytemplate (|(mail=)(proxyAddresses=)(userPrincipalName=)(objectClass=)) 0 900 120
#
# Domino:
proxytemplate (|(mail=)(uid=)(&(uid=)(mailDomain=))) 0 900 120
#
# Novell:
proxytemplate (mail=) 0 900 120
#
# Netscape / iPlanet / SunOne / Fedora
proxytemplate (|(mail=)(mailAlternateAddress=)(objectClass=)) 0 900 120
proxytemplate (&(objectClass=)(|(mail=)(mailAlternateAddress=))) 1 900 120
proxytemplate (|(mail=)(mailAlternateAddress=)(objectClass=)) 2 900 120
######################################################################
# BDB Settings
# Proxycache uses BDB to store its local information
######################################################################

# NOTE(review): the cached backend entries live in the files under this
# directory. Restrict it to the slapd user; anything readable here is the
# same data the backend would only hand out after a bind.
directory /var/example/ldap/smd-proxycache

dbconfig set_cachesize 0 8388608 0
dbconfig set_lg_max 10485760
dbconfig set_flags db_log_autoremove
dbconfig set_flags DB_TXN_NOSYNC
dbconfig set_lg_bsize 2097152

# NOTE(review): DB_TXN_NOSYNC above and dbnosync below trade durability for
# speed. That is defensible only because this database is a rebuildable
# cache, not the authoritative directory — do not copy these settings to a
# primary database.
cachesize 10000
idlcachesize 10100
cachefree 20
dbnosync

index queryid,objectClass,mail,mailLocalAddress,mailRoutingAddress eq
index uid,mailDomain,userPrincipalName,proxyAddresses,mailAlternateAddress eq
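######################################################################
# TLS information, required to enable TLS and LDAPS connections
######################################################################

# Cipher list for TLS connections handled by this slapd.
# The previous value, ALL:!EXP:!LOW:!ADH:@STRENGTH, only removed export,
# low-strength and anonymous-DH suites; it still admitted MEDIUM suites such
# as RC4, MD5-based MACs and, on OpenSSL builds that have it, anonymous
# ECDH (which "!ADH" does not cover). Restrict to strong, authenticated
# suites instead, strongest first.
TLSCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:@STRENGTH

# Server certificate and private key. The key file must be readable only
# by the user slapd runs as.
# NOTE(review): no TLSCACertificateFile or TLSVerifyClient is set here, so
# the listener does not request client certificates, and enabling
# "tls start" on the back-ldap uri would likely need a CA file to verify
# the backend against — confirm before relying on either.
TLSCertificateFile    /etc/mail/openldap/ssl/certs/ashish.smi.example.com/default.crt
TLSCertificateKeyFile /etc/mail/openldap/ssl/certs/ashish.smi.example.com/default.key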
--------------040702090906080801050004--