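# LDAPVI syntax
#
# OpenLDAP cn=config bootstrap for dc=coin2,dc=fr: the main MDB database,
# an accesslog database, the overlays (syncprov, accesslog, refint,
# constraint, unique) and the initial DIT (root entry, ou=people, the
# admin user, ou=structures, ou=groups and the cn=admin group).
# Entries are listed one attribute per line; "add <dn>" opens an entry.

# ---------------------------------------------------------------------
# Main database
# ---------------------------------------------------------------------
add olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=coin2,dc=fr
olcDbDirectory: /var/lib/ldap/dc=coin2,dc=fr/
olcRootDN: uid=admin,ou=people,dc=coin2,dc=fr
# Placeholder: set to a slappasswd-generated hash (e.g. {SSHA}...), never a
# cleartext value.
olcRootPW: xxx
olcLastMod: TRUE
olcAddContentACL: FALSE
olcMonitoring: TRUE
olcSyncUseSubentry: FALSE
olcMaxDerefDepth: 0
# No size/time limits for the rootDN and for the local root identity
# (ldapi:// peercred).
olcLimits: {0}dn.exact="uid=admin,ou=people,dc=coin2,dc=fr" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited
olcLimits: {1}dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited
olcReadOnly: FALSE
# Indexes
olcDbIndex: objectClass,contextCSN,member,eduPersonPrincipalName,owner,supannRefId eq
olcDbIndex: supannAliasLogin,mail,givenName,uid,cn,sn,supannMailPerso,displayName pres,eq,approx,sub
# ACLs are evaluated in order; "break" continues with the next olcAccess
# rule, anything else stops evaluation.
# Superuser access: local root and members of cn=admin get full control.
olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by group.exact="cn=admin,ou=groups,dc=coin2,dc=fr" manage by * break
# people branch: sensitive attributes are writable by the entry itself only.
# The regex is anchored so that only direct children of ou=people match.
# "by anonymous auth" keeps simple binds working; "by * none" ends
# evaluation here so that the catch-all "users read" rule below cannot
# expose userPassword (or the other listed attributes) to every
# authenticated user. Split attributes out of this list if some of them
# are meant to be readable by others.
olcAccess: {1}to dn.regex="^uid=[^,]+,ou=people,dc=coin2,dc=fr$" attrs=supannAliasLogin,supannListeRouge,eduPersonNickname,supannMailPerso,userPassword,labeledURI by self write by anonymous auth by * none
# Access to the other user attributes
olcAccess: {2}to dn.one="ou=people,dc=coin2,dc=fr" by users read by anonymous auth by * none
# groups branch
# The group owner manages the group entry
olcAccess: {3}to dn.one="ou=groups,dc=coin2,dc=fr" by set="this/owner & user" manage by * break
# Users in general may read the descriptive attributes
olcAccess: {4}to dn.one="ou=groups,dc=coin2,dc=fr" attrs=cn,description,owner,supannRefId by users read by * break
# Group admins (write) and readers (read) of the member list;
# members can find their own groups
olcAccess: {5}to dn.one="ou=groups,dc=coin2,dc=fr" attrs=member by set="this/supannGroupeAdminDN/member* & user" write by set="this/supannGroupeAdminDN & user" write by set="this/supannGroupeLecteurDN/member* & user" read by set="this/supannGroupeLecteurDN & user" read by dnattr=member search
# structures branch
olcAccess: {6}to dn.one="ou=structures,dc=coin2,dc=fr" by * read
# Every authenticated user may search the whole base
olcAccess: {7}to * by users search

# ---------------------------------------------------------------------
# Accesslog database (target of the accesslog overlay below)
# ---------------------------------------------------------------------
# It stores a copy of every overwritten entry (olcAccessLogOld below),
# i.e. also password hashes, so its ACL must stay as restrictive as the
# main database's.
# NOTE: adding a second olcDatabase={1}mdb inserts it at position 1 and
# renumbers the database above to {2}; the olcDatabase={2}mdb references
# further down rely on that.
# NOTE(review): the suffix lies under dc=coin2,dc=fr without being declared
# a subordinate; it relies on this database being ordered before the main
# one. The slapo-accesslog examples use a separate suffix (cn=accesslog) -
# confirm this layout is intended.
add olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: cn=accesslog,dc=coin2,dc=fr
olcDbDirectory: /var/lib/ldap/dc=coin2,dc=fr/accesslog/
# Same superusers as the main database (the group lives in ou=groups, not
# "ou=groupes"). Nothing follows the "break", so everyone else is denied.
olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by group.exact="cn=admin,ou=groups,dc=coin2,dc=fr" manage by * break

# syncprov on the accesslog database (presumably for delta-syncrepl
# consumers - confirm).
add olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100

# Log all writes to the main database into the accesslog database
add olcOverlay={1}accesslog,olcDatabase={2}mdb,cn=config
objectClass: olcAccesslogConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {1}accesslog
olcAccessLogDB: cn=accesslog,dc=coin2,dc=fr
olcAccessLogOps: writes
# Log entries are kept one year and purged every day
olcAccessLogPurge: 365+00:00 1+00:00
# Keep a copy of the old entry for every write (this includes userPassword)
olcAccessLogOld: objectClass=*

# Referential integrity: keep DN-valued attributes consistent on
# rename/delete of the referenced entry
add olcOverlay={2}refint,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: {2}refint
olcRefintAttribute: member eduPersonOrgDN eduPersonOrgUnitDN owner eduPersonPrimaryOrgUnitDN supannGroupeAdminDN supannGroupeLecteurDN supannParrainDN
olcRefintNothing: dc=coin2,dc=fr

# Value constraints on the main database
add olcOverlay={3}constraint,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcConstraintConfig
olcOverlay: {3}constraint
# A single cn for users
olcConstraintAttribute: cn count 1 restrict="ldap:///ou=people,dc=coin2,dc=fr??sub?(objectClass=*)"
#olcConstraintAttribute: cn regex "^[-A-Z' ]*$" restrict="ldap:///ou=people,dc=coin2,dc=fr??sub?(objectClass=*)"
olcConstraintAttribute: cn regex "^[-A-Za-z0-9 ]*$" restrict="ldap:///ou=groups,dc=coin2,dc=fr??sub?(objectClass=*)"
olcConstraintAttribute: cn regex "^[-A-Za-z0-9 ]*$" restrict="ldap:///dc=coin2,dc=fr??base?(objectClass=*)"
olcConstraintAttribute: dc regex "^[a-z0-9-]*$"
olcConstraintAttribute: eduOrgHomePageURI,eduOrgSuperiorURI,eduOrgWhitePagesURI regex "^https?://.*$"
olcConstraintAttribute: eduPersonAffiliation regex "^(student|faculty|staff|employee|member|affiliate|alum|library-walk-in|researcher|retired|emeritus|teacher|registered-reader)$"
olcConstraintAttribute: eduPersonPrincipalName regex "^.*@.*$"
olcConstraintAttribute: mail count 1
# The TLD length is open-ended: valid TLDs are longer than 4 characters
# (e.g. .museum), which the previous {2,4} bound rejected.
olcConstraintAttribute: mail,supannMailPerso,supannAutreMail regex "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$"
# olcConstraintAttribute: mailForwardingAddress regex "^([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}|[a-zA-Z0-9]+)$"
# mail or uid
olcConstraintAttribute: supannAliasLogin regex "^[[:alnum:]]+$"
olcConstraintAttribute: supannCodeEntiteParent,supannEntiteAffectation uri ldap:///ou=structures,dc=coin2,dc=fr?supannCodeEntite?sub?(objectClass=supannEntite)
olcConstraintAttribute: supannCodeINE count 1
olcConstraintAttribute: supannEmpId count 1
# The dot in "M." is escaped so that the regex does not also accept "Mx"
olcConstraintAttribute: supannCivilite regex "^(M\.|Mme|Mlle)$"
olcConstraintAttribute: supannTypeEntite,supannEtuCursusAnnee regex "^\{SUPANN\}[A-Z][0-9]+$"
# Attributes taken from a nomenclature ({LABEL}value). The attribute list
# must be a single comma-separated token: no spaces, no trailing comma,
# otherwise slapd splits it into several arguments.
olcConstraintAttribute: supannEtablissement,supannEtuDiplome,supannEtuElementPedagogique,supannEtuEtape,supannEtuRegimeInscription,supannEtuSecteurDisciplinaire,supannEtuTypeDiplome regex "^\{[^}]+\}.*$"
olcConstraintAttribute: supannEtuAnneeInscription regex "^[0-9][0-9][0-9][0-9]$"

# Uniqueness of supannAutreMail across the whole database (URI in the
# form documented by slapo-unique).
# NOTE(review): uid, mail, supannAliasLogin and eduPersonPrincipalName are
# not covered; add them here if they are used as login identifiers -
# confirm.
add olcOverlay={4}unique,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcUniqueConfig
olcOverlay: {4}unique
olcUniqueURI: ldap:///?supannAutreMail?sub

# ---------------------------------------------------------------------
# Initial DIT
# ---------------------------------------------------------------------
add dc=coin2,dc=fr
objectClass: organization
objectClass: dcObject
objectClass: eduOrg
objectClass: supannOrg
dc: coin2
o: COIN
supannEtablissement: {UAI}COIN

add ou=people,dc=coin2,dc=fr
objectClass: organizationalUnit
ou: people

# Directory administrator; also the rootDN of the main database
add uid=admin,ou=people,dc=coin2,dc=fr
objectClass: inetOrgPerson
objectClass: eduPerson
objectClass: supannPerson
uid: admin
cn: Administrateur annuaire
displayName: Administrateur annuaire
givenName: Administrateur
sn: annuaire
supannListeRouge: TRUE
# Placeholder: replace with a hashed password before loading.
userPassword: xxx
supannEtablissement: {UAI}COIN

add ou=structures,dc=coin2,dc=fr
objectClass: organizationalUnit
ou: structures

add supannCodeEntite=COIN,ou=structures,dc=coin2,dc=fr
objectClass: supannOrg
objectClass: supannEntite
objectClass: organization
objectClass: eduOrg
o: COIN
supannCodeEntite: COIN
description: COIN

add ou=groups,dc=coin2,dc=fr
objectClass: organizationalUnit
ou: groups

# Administrators group referenced by the olcAccess {0} rules above
add cn=admin,ou=groups,dc=coin2,dc=fr
objectClass: groupOfNames
objectClass: supannGroupe
cn: admin
description: Groupe des administrateurs de l'annuaire
member: uid=admin,ou=people,dc=coin2,dc=fr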