# provider slapd config -- for testing
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

#ucdata-path	./ucdata
include		@SCHEMADIR@/core.schema
include		@SCHEMADIR@/cosine.schema
include		@SCHEMADIR@/inetorgperson.schema
include		@SCHEMADIR@/openldap.schema
include		@SCHEMADIR@/nis.schema
pidfile		@TESTDIR@/slapd.1.pid
argsfile	@TESTDIR@/slapd.1.args

#mod#modulepath	../servers/slapd/back-@BACKEND@/
#mod#moduleload	back_@BACKEND@.la
#ldapmod#modulepath ../servers/slapd/back-ldap/
#ldapmod#moduleload back_ldap.la
#rwmmod#modulepath ../servers/slapd/overlays/
#rwmmod#moduleload rwm.la

#######################################################################
# database definitions
#######################################################################

authz-policy	both
authz-regexp	"^uid=manager,.+" "cn=Manager,dc=example,dc=com"
authz-regexp	"^uid=admin/([^,]+),.+" "ldap:///ou=Admin,dc=example,dc=com??sub?(cn=$1)"
authz-regexp	"^uid=it/([^,]+),.+" "ldap:///ou=People,dc=example,dc=it??sub?(uid=$1)"
authz-regexp	"^uid=(us/)?([^,]+),.+" "ldap:///ou=People,dc=example,dc=com??sub?(uid=$2)"

#
# normal installations should protect root dse,
# cn=monitor, cn=schema, and cn=config
#

access to attrs=userpassword
	by self =wx
	by anonymous =x

access to dn.exact=""
	by * read

access to *
	by users read
	by * search

database	@BACKEND@

suffix		"dc=example,dc=com"
rootdn		"cn=Manager,dc=example,dc=com"
rootpw		secret
#null#bind		on
#~null~#directory	@TESTDIR@/db.1.a
#indexdb#index		objectClass	eq
#indexdb#index		cn,sn,uid	pres,eq,sub
#ndb#dbname db_1
#ndb#include @DATADIR@/ndb.conf

access to dn.exact="cn=Proxy,ou=Admin,dc=example,dc=com"
		attrs=authzTo
	by dn.exact="cn=Proxy,ou=Admin,dc=example,dc=com" =wx
	by * =x

database	@BACKEND@

suffix		"dc=example,dc=it"
rootdn		"cn=Manager,dc=example,dc=it"
rootpw		secret
#~null~#directory	@TESTDIR@/db.2.a
#indexdb#index		objectClass	eq
#indexdb#index		cn,sn,uid	pres,eq,sub
#ndb#dbname db_2
#ndb#include @DATADIR@/ndb.conf

database	ldap
suffix		"o=Example,c=US"
uri		"@URI1@"

#sasl#idassert-bind	bindmethod=sasl binddn="cn=Proxy US,ou=Admin,dc=example,dc=com" authcId="admin/proxy US" credentials="proxy" @SASL_MECH@ mode=self
#nosasl#idassert-bind	bindmethod=simple binddn="cn=Proxy US,ou=Admin,dc=example,dc=com" credentials="proxy" mode=self

# authorizes database
idassert-authzFrom	"dn.subtree:dc=example,dc=it"

overlay		rwm
rwm-suffixmassage	"dc=example,dc=com"

database	ldap
suffix		"o=Esempio,c=IT"
uri		"@URI1@"

acl-bind	bindmethod=simple binddn="cn=Proxy IT,ou=Admin,dc=example,dc=com" credentials="proxy"
idassert-bind	bindmethod=simple binddn="cn=Proxy IT,ou=Admin,dc=example,dc=com" credentials="proxy" authzId="dn:cn=Sandbox,ou=Admin,dc=example,dc=com"

# authorizes database
idassert-authzFrom	"dn.subtree:dc=example,dc=com"
# authorizes anonymous
idassert-authzFrom	"dn.exact:"

overlay		rwm
rwm-suffixmassage	"dc=example,dc=com"

access to attrs=entry,cn,sn,mail
	by users read

access to *
	by dn.exact="cn=Proxy IT,ou=Admin,o=Esempio,c=IT" read
	by group.exact="cn=Authorizable,ou=Groups,o=Esempio,c=IT" read
	by dn.exact="cn=Sandbox,ou=Admin,dc=example,dc=com" search
	by * none

database	monitor
rootdn		"cn=monitor"
rootpw		monitor