
Zhang Huangbin committed f790b7f

Split OpenLDAP config files out as template files: slapd.conf, ldap.conf.


Files changed (7)

iRedMail/conf/openldap

 export OPENLDAP_CONF_ROOT='/etc/openldap'
 
 # Database backend type.
-# Note:
-#   * We use the same database type on all distributions to reduce our
-#     workflow, and users migrate their mail server between supported
-#     OS will be more comfortable.
-#   * Performance of bdb backend is good enough. but Debian/Ubuntu can
-#     also use 'hdb' for OpenLDAP-2.4.x.
-export OPENLDAP_DEFAULT_DBTYPE='bdb'
+export OPENLDAP_DEFAULT_DBTYPE='hdb'
 
 # Default LDAP data directory.
 export OPENLDAP_DATA_DIR='/var/lib/ldap'    # Do *NOT* end with '/'.
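Review bot: The rationale comment for the backend choice is removed together with the `bdb` default, so the surviving `# Database backend type.` no longer says why `hdb` is now used on every distribution, nor that the value is spliced into a `moduleload back_<type>` line by the slapd.conf template. A future edit to this value therefore has to be matched by an existing `back_*` module, which is not obvious from this file alone. Suggest keeping a short note above the export, e.g. `# hdb (hierarchical bdb) on all distributions; the value also selects the back_<type> module loaded on Debian/Ubuntu.`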

iRedMail/functions/mysql.sh

         perl -pi -e 's#^(\[mysqld\])#${1}\ninnodb_file_per_table#' ${MYSQL_MY_CNF}
     fi
 
-    service_control mariadb restart &>/dev/null
+    service_control restart ${MYSQL_RC_SCRIPT_NAME} &>/dev/null
 
-    ECHO_DEBUG "Sleep 5 seconds for MySQL daemon initialize ..."
+    ECHO_DEBUG "Sleep 5 seconds for MySQL daemon initialization ..."
     sleep 5
 
     if [ X"${LOCAL_ADDRESS}" == X'127.0.0.1' ]; then
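Review bot: The exit status of the restart on the `service_control restart ${MYSQL_RC_SCRIPT_NAME} &>/dev/null` line is discarded and all output is suppressed, so a failed restart produces no diagnostic and the function proceeds after `sleep 5` into steps that appear to need a running daemon. A minimal guard keeps the quiet output but records the failure: `service_control restart ${MYSQL_RC_SCRIPT_NAME} &>/dev/null || echo "Failed to restart ${MYSQL_RC_SCRIPT_NAME}." >&2`. The same pattern is introduced in functions/openldap.sh (`service_control restart ${OPENLDAP_RC_SCRIPT_NAME} &>/dev/null`) and would benefit from the same check. The enclosing function starts and ends outside this hunk.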

iRedMail/functions/nginx.sh

     perl -pi -e 's#PH_PHPPGADMIN_HTTPD_ROOT_SYMBOL_LINK#$ENV{PHPPGADMIN_HTTPD_ROOT_SYMBOL_LINK}#g' ${NGINX_CONF_DEFAULT}
     # iRedAdmin
     perl -pi -e 's#PH_IREDADMIN_HTTPD_ROOT_SYMBOL_LINK#$ENV{IREDADMIN_HTTPD_ROOT_SYMBOL_LINK}#g' ${NGINX_CONF_DEFAULT}
-    perl -pi -e 's#PH_UWSGI_SOCKET_IREDADMIN#$ENV{UWSGI_SOCKET_IREDADMIN}#g' ${NGINX_CONF_DEFAULT}
+    perl -pi -e 's#PH_UWSGI_SOCKET_IREDADMIN_FULL#$ENV{UWSGI_SOCKET_IREDADMIN_FULL}#g' ${NGINX_CONF_DEFAULT}
 
     # php-fpm
     perl -pi -e 's#^(listen *=).*#${1} $ENV{PHP_FASTCGI_SOCKET}#g' ${PHP_FPM_POOL_WWW_CONF}
     if [ -f ${UWSGI_CONF_DIR}/iredadmin.ini ]; then
         perl -pi -e 's#PH_HTTPD_USER#$ENV{HTTPD_USER}#g' ${UWSGI_CONF_DIR}/iredadmin.ini
         perl -pi -e 's#PH_HTTPD_GROUP#$ENV{HTTPD_GROUP}#g' ${UWSGI_CONF_DIR}/iredadmin.ini
-        perl -pi -e 's#PH_UWSGI_SOCKET_IREDADMIN_FULL#$ENV{UWSGI_SOCKET_IREDADMIN_FULL}#g' ${UWSGI_CONF_DIR}/iredadmin.ini
+        perl -pi -e 's#PH_UWSGI_SOCKET_IREDADMIN#$ENV{UWSGI_SOCKET_IREDADMIN}#g' ${UWSGI_CONF_DIR}/iredadmin.ini
     fi
 
     cat >> ${TIP_FILE} <<EOF
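Review bot: Swapping the placeholders so that `${NGINX_CONF_DEFAULT}` now receives `PH_UWSGI_SOCKET_IREDADMIN_FULL` and iredadmin.ini receives `PH_UWSGI_SOCKET_IREDADMIN` is only correct if the nginx and uwsgi sample files carry the matching tokens, and neither sample is among the seven files in this commit. `perl -pi -e 's#…#…#g'` exits 0 when the pattern matches nothing, so a stale token would survive into the generated nginx config with no signal. A cheap post-condition after the substitutions would catch this: `grep -q 'PH_UWSGI_SOCKET_IREDADMIN' ${NGINX_CONF_DEFAULT} && echo "Unreplaced placeholder in ${NGINX_CONF_DEFAULT}." >&2`. The enclosing function starts and ends outside this hunk.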

iRedMail/functions/openldap.sh

         cp -f /usr/local/share/doc/amavisd-new/LDAP.schema ${OPENLDAP_SCHEMA_DIR}/${AMAVISD_LDAP_SCHEMA_NAME}
     fi
 
+    ECHO_DEBUG "Generate new server configuration file: ${OPENLDAP_SLAPD_CONF}."
+    cp -f ${SAMPLE_DIR}/openldap/slapd.conf ${OPENLDAP_SLAPD_CONF}
 
-    ECHO_DEBUG "Generate new server configuration file: ${OPENLDAP_SLAPD_CONF}."
-    cat > ${OPENLDAP_SLAPD_CONF} <<EOF
-${CONF_MSG}
-# Schemas.
-include     ${OPENLDAP_SCHEMA_DIR}/core.schema
-include     ${OPENLDAP_SCHEMA_DIR}/corba.schema
-include     ${OPENLDAP_SCHEMA_DIR}/cosine.schema
-include     ${OPENLDAP_SCHEMA_DIR}/inetorgperson.schema
-include     ${OPENLDAP_SCHEMA_DIR}/nis.schema
-# Integrate Amavisd-new.
-include     ${OPENLDAP_SCHEMA_DIR}/${AMAVISD_LDAP_SCHEMA_NAME}
-# Schema provided by ${PROG_NAME}.
-include     ${OPENLDAP_SCHEMA_DIR}/${PROG_NAME_LOWERCASE}.schema
+    perl -pi -e 's#PH_OPENLDAP_SCHEMA_DIR#$ENV{OPENLDAP_SCHEMA_DIR}#g' ${OPENLDAP_SLAPD_CONF}
+    perl -pi -e 's#PH_AMAVISD_LDAP_SCHEMA_NAME#$ENV{AMAVISD_LDAP_SCHEMA_NAME}#g' ${OPENLDAP_SLAPD_CONF}
 
-# Where the pid file is put. The init.d script will not stop the
-# server if you change this.
-pidfile     ${OPENLDAP_PID_FILE}
+    perl -pi -e 's#PH_OPENLDAP_PID_FILE#$ENV{OPENLDAP_PID_FILE}#g' ${OPENLDAP_SLAPD_CONF}
+    perl -pi -e 's#PH_OPENLDAP_ARGS_FILE#$ENV{OPENLDAP_ARGS_FILE}#g' ${OPENLDAP_SLAPD_CONF}
 
-# List of arguments that were passed to the server
-argsfile    ${OPENLDAP_ARGS_FILE}
-
-# TLS files.
-TLSCACertificateFile ${SSL_CERT_FILE}
-TLSCertificateFile ${SSL_CERT_FILE}
-TLSCertificateKeyFile ${SSL_KEY_FILE}
-
-EOF
-
-    # Load backend module. Required on Debian/Ubuntu.
-    if [ X"${OPENLDAP_VERSION}" == X"2.4" -a X"${DISTRO}" != X'OPENBSD' ]; then
-        if [ X"${OPENLDAP_DEFAULT_DBTYPE}" == X"bdb" ]; then
-            # bdb, Berkeley DB.
-            cat >> ${OPENLDAP_SLAPD_CONF} <<EOF
-# Modules.
-modulepath  ${OPENLDAP_MODULE_PATH}
-moduleload  back_bdb
-
-EOF
-        elif [ X"${OPENLDAP_DEFAULT_DBTYPE}" == X"hdb" ]; then
-            # hdb.
-            cat >> ${OPENLDAP_SLAPD_CONF} <<EOF
-# Modules.
-modulepath  ${OPENLDAP_MODULE_PATH}
-moduleload  back_hdb
-
-EOF
-        fi
+    perl -pi -e 's#PH_OPENLDAP_MODULE_PATH#$ENV{OPENLDAP_MODULE_PATH}#g' ${OPENLDAP_SLAPD_CONF}
+    if [ X"${DISTRO}" == X'DEBIAN' -o X"${DISTRO}" == X'UBUNTU' ]; then
+        perl -pi -e 's/^#(modulepath.*)/${1}/g' ${OPENLDAP_SLAPD_CONF}
+        perl -pi -e 's/^#(moduleload.*)/${1}/g' ${OPENLDAP_SLAPD_CONF}
     fi
 
-    cat >> ${OPENLDAP_SLAPD_CONF} <<EOF
-# Disallow bind as anonymous.
-disallow    bind_anon
+    perl -pi -e 's#PH_SSL_CERT_FILE#$ENV{SSL_CERT_FILE}#g' ${OPENLDAP_SLAPD_CONF}
+    perl -pi -e 's#PH_SSL_KEY_FILE#$ENV{SSL_KEY_FILE}#g' ${OPENLDAP_SLAPD_CONF}
 
-# Uncomment below line to allow binding as anonymous.
-#allow bind_anon_cred
+    perl -pi -e 's#PH_LDAP_BINDDN#$ENV{LDAP_BINDDN}#g' ${OPENLDAP_SLAPD_CONF}
+    perl -pi -e 's#PH_LDAP_ADMIN_DN#$ENV{LDAP_ADMIN_DN}#g' ${OPENLDAP_SLAPD_CONF}
+    perl -pi -e 's#PH_LDAP_BASEDN#$ENV{LDAP_BASEDN}#g' ${OPENLDAP_SLAPD_CONF}
+    perl -pi -e 's#PH_LDAP_ADMIN_BASEDN#$ENV{LDAP_ADMIN_BASEDN}#g' ${OPENLDAP_SLAPD_CONF}
+    perl -pi -e 's#PH_LDAP_SUFFIX#$ENV{LDAP_SUFFIX}#g' ${OPENLDAP_SLAPD_CONF}
 
-# Specify LDAP protocol version.
-require     LDAPv3
-#allow       bind_v2
-
-# Log level.
-#   -1:     enable all debugging
-#    0:     no debugging
-#   128:    access control list processing
-#   256:    stats log connections/operations/results
-loglevel    0
-
-#
-# Access Control List. Used for LDAP bind.
-#
-# NOTE: Every domain have a administrator. e.g.
-#   Domain Name: '${FIRST_DOMAIN}'
-#   Admin Name: ${LDAP_ATTR_USER_RDN}=${DOMAIN_ADMIN_NAME}@${FIRST_DOMAIN}, ${LDAP_ATTR_DOMAIN_RDN}=${FIRST_DOMAIN}, ${LDAP_BASEDN}
-#
-
-# Allow users to change their own passwords and mail forwarding addresses.
-access to attrs="${LDAP_ATTR_USER_PASSWD},${LDAP_ATTR_USER_FORWARD},${LDAP_ATTR_USER_STORAGE_BASE_DIRECTORY},homeDirectory,mailMessageStore"
-    by anonymous    auth
-    by self         write
-    by dn.exact="${LDAP_BINDDN}"   read
-    by dn.exact="${LDAP_ADMIN_DN}"  write
-    by users        none
-
-# Allow to read others public info.
-access to attrs="cn,sn,gn,givenName,telephoneNumber"
-    by anonymous    auth
-    by self         write
-    by dn.exact="${LDAP_BINDDN}"   read
-    by dn.exact="${LDAP_ADMIN_DN}"  write
-    by users        read
-
-# Domain attrs.
-access to attrs="objectclass,${LDAP_ATTR_DOMAIN_RDN},${LDAP_ATTR_MTA_TRANSPORT},${LDAP_ENABLED_SERVICE},${LDAP_ATTR_DOMAIN_SENDER_BCC_ADDRESS},${LDAP_ATTR_DOMAIN_RECIPIENT_BCC_ADDRESS},${LDAP_ATTR_DOMAIN_BACKUPMX},${LDAP_ATTR_DOMAIN_MAX_QUOTA_SIZE},${LDAP_ATTR_DOMAIN_MAX_USER_NUMBER}"
-    by anonymous    auth
-    by self         read
-    by dn.exact="${LDAP_BINDDN}"   read
-    by dn.exact="${LDAP_ADMIN_DN}"  write
-    by users        read
-
-access to attrs="${LDAP_ATTR_DOMAIN_ADMIN},${LDAP_ATTR_DOMAIN_GLOBALADMIN},${LDAP_ATTR_DOMAIN_SENDER_BCC_ADDRESS},${LDAP_ATTR_DOMAIN_RECIPIENT_BCC_ADDRESS}"
-    by anonymous    auth
-    by self         read
-    by dn.exact="${LDAP_BINDDN}"   read
-    by dn.exact="${LDAP_ADMIN_DN}"  write
-    by users        none
-
-# User attrs.
-access to attrs="employeeNumber,${LDAP_ATTR_USER_RDN},${LDAP_ATTR_ACCOUNT_STATUS},${LDAP_ATTR_USER_SENDER_BCC_ADDRESS},${LDAP_ATTR_USER_RECIPIENT_BCC_ADDRESS},${LDAP_ATTR_USER_QUOTA},${LDAP_ATTR_USER_BACKUP_MAIL_ADDRESS},${LDAP_ATTR_USER_SHADOW_ADDRESS},${LDAP_ATTR_USER_MEMBER_OF_GROUP}"
-    by anonymous    auth
-    by self         read
-    by dn.exact="${LDAP_BINDDN}"   read
-    by dn.exact="${LDAP_ADMIN_DN}"  write
-    by users        read
-
-#
-# Set ACL for vmail/vmailadmin.
-#
-access to dn="${LDAP_BINDDN}"
-    by anonymous                    auth
-    by self                         write
-    by dn.exact="${LDAP_ADMIN_DN}"  write
-    by users                        none
-
-access to dn="${LDAP_ADMIN_DN}"
-    by anonymous                    auth
-    by self                         write
-    by users                        none
-
-#
-# Allow users to access their own domain subtree.
-# Allow domain admin to modify accounts under same domain.
-#
-access to dn.regex="${LDAP_ATTR_DOMAIN_RDN}=([^,]+),${LDAP_BASEDN}\$"
-    by anonymous                    auth
-    by self                         write
-    by dn.exact="${LDAP_BINDDN}"   read
-    by dn.exact="${LDAP_ADMIN_DN}"  write
-    by dn.regex="${LDAP_ATTR_USER_RDN}=[^,]+@\$1,${LDAP_ADMIN_BASEDN}\$" write
-    by dn.regex="${LDAP_ATTR_USER_RDN}=[^,]+@\$1,${LDAP_ATTR_GROUP_RDN}=${LDAP_ATTR_GROUP_USERS},${LDAP_ATTR_DOMAIN_RDN}=\$1,${LDAP_BASEDN}\$" read
-    by users                        none
-
-#
-# Grant correct privileges to vmail/vmailadmin.
-#
-access to dn.subtree="${LDAP_BASEDN}"
-    by anonymous                    auth
-    by self                         write
-    by dn.exact="${LDAP_BINDDN}"   read
-    by dn.exact="${LDAP_ADMIN_DN}"  write
-    by dn.regex="${LDAP_ATTR_USER_RDN}=[^,]+,${LDAP_ATTR_GROUP_RDN}=${LDAP_ATTR_GROUP_USERS},${LDAP_ATTR_DOMAIN_RDN}=\$1,${LDAP_BASEDN}\$" read
-    by users                        read
-
-access to dn.subtree="${LDAP_ADMIN_BASEDN}"
-    by anonymous                    auth
-    by self                         write
-    by dn.exact="${LDAP_BINDDN}"   read
-    by dn.exact="${LDAP_ADMIN_DN}"  write
-    by users                        none
-
-#
-# Set permission for "cn=*,${LDAP_SUFFIX}".
-#
-access to dn.regex="cn=[^,]+,${LDAP_SUFFIX}"
-    by anonymous                    auth
-    by self                         write
-    by users                        none
-
-#
-# Set default permission.
-#
-access to *
-    by anonymous                    auth
-    by self                         write
-    by users                        read
-
-#######################################################################
-# BDB database definitions
-#######################################################################
-
-database    ${OPENLDAP_DEFAULT_DBTYPE}
-suffix      ${LDAP_SUFFIX}
-directory   ${LDAP_DATA_DIR}
-
-rootdn      ${LDAP_ROOTDN}
-rootpw      ${LDAP_ROOTPW_SSHA}
-
-sizelimit   10000
-cachesize   10000
-
-# This directive specifies how often to checkpoint the BDB transaction log.
-# A checkpoint operation flushes the database buffers to disk and writes a
-# checkpoint record in the log. The checkpoint will occur if either <kbyte>
-# data has been written or <min> minutes have passed since the last checkpoint.
-# Both arguments default to zero, in which case they are ignored. When the
-# <min> argument is non-zero, an internal task will run every <min> minutes
-# to perform the checkpoint. See the Berkeley DB reference guide for more
-# details.
-#
-# OpenLDAP default is NO CHECKPOINTING.
-#
-# whenever 128kb data bytes written or 5 minutes has elapsed
-checkpoint  128 5
-
-# Set directory permission.
-mode        0700
-
-#
-# Default index.
-#
-index objectClass                                   eq,pres
-index uidNumber,gidNumber,uid,memberUid,loginShell  eq,pres
-index homeDirectory,mailMessageStore                eq,pres
-index ou,cn,mail,surname,givenname,telephoneNumber  eq,pres,sub
-#index nisMapName,nisMapEntry                        eq,pres,sub
-index shadowLastChange                              eq,pres
-
-#
-# Index for mail attrs.
-#
-# ---- Domain related ----
-index ${LDAP_ATTR_DOMAIN_RDN},${LDAP_ATTR_MTA_TRANSPORT},${LDAP_ATTR_ACCOUNT_STATUS},${LDAP_ENABLED_SERVICE}  eq,pres,sub
-index ${LDAP_ATTR_DOMAIN_ALIAS_NAME}    eq,pres,sub
-index ${LDAP_ATTR_DOMAIN_MAX_USER_NUMBER} eq,pres
-index ${LDAP_ATTR_DOMAIN_ADMIN},${LDAP_ATTR_DOMAIN_GLOBALADMIN},${LDAP_ATTR_DOMAIN_BACKUPMX}    eq,pres,sub
-index ${LDAP_ATTR_DOMAIN_SENDER_BCC_ADDRESS},${LDAP_ATTR_DOMAIN_RECIPIENT_BCC_ADDRESS}  eq,pres,sub
-# ---- Group related ----
-index ${LDAP_ATTR_GROUP_ACCESSPOLICY},${LDAP_ATTR_GROUP_HASMEMBER},${LDAP_ATTR_GROUP_ALLOWED_USER}   eq,pres,sub
-# ---- User related ----
-index ${LDAP_ATTR_USER_FORWARD},${LDAP_ATTR_USER_SHADOW_ADDRESS}   eq,pres,sub
-index ${LDAP_ATTR_USER_BACKUP_MAIL_ADDRESS},${LDAP_ATTR_USER_MEMBER_OF_GROUP}   eq,pres,sub
-index ${LDAP_ATTR_USER_RECIPIENT_BCC_ADDRESS},${LDAP_ATTR_USER_SENDER_BCC_ADDRESS}  eq,pres,sub
-EOF
+    perl -pi -e 's#PH_OPENLDAP_DEFAULT_DBTYPE#$ENV{OPENLDAP_DEFAULT_DBTYPE}#g' ${OPENLDAP_SLAPD_CONF}
+    perl -pi -e 's#PH_LDAP_SUFFIX#$ENV{LDAP_SUFFIX}#g' ${OPENLDAP_SLAPD_CONF}
+    perl -pi -e 's#PH_LDAP_DATA_DIR#$ENV{LDAP_DATA_DIR}#g' ${OPENLDAP_SLAPD_CONF}
+    perl -pi -e 's#PH_LDAP_ROOTDN#$ENV{LDAP_ROOTDN}#g' ${OPENLDAP_SLAPD_CONF}
+    perl -pi -e 's#PH_LDAP_ROOTPW_SSHA#$ENV{LDAP_ROOTPW_SSHA}#g' ${OPENLDAP_SLAPD_CONF}
 
     # Make slapd use slapd.conf insteald of slapd.d (cn=config backend).
     if [ X"${DISTRO}" == X"DEBIAN" -o X"${DISTRO}" == X"UBUNTU" ]; then
     fi
 
     ECHO_DEBUG "Generate new client configuration file: ${OPENLDAP_LDAP_CONF}"
-    cat > ${OPENLDAP_LDAP_CONF} <<EOF
-BASE    ${LDAP_SUFFIX}
-URI     ldap://${LDAP_SERVER_HOST}:${LDAP_SERVER_PORT}
-TLS_CACERT ${SSL_CERT_FILE}
-EOF
+    cp ${SAMPLE_DIR}/openldap/ldap.conf ${OPENLDAP_LDAP_CONF}
+    perl -pi -e 's#PH_LDAP_SUFFIX#$ENV{LDAP_SUFFIX}#g' ${OPENLDAP_LDAP_CONF}
+    perl -pi -e 's#PH_LDAP_SERVER_HOST#$ENV{LDAP_SERVER_HOST}#g' ${OPENLDAP_LDAP_CONF}
+    perl -pi -e 's#PH_LDAP_SERVER_PORT#$ENV{LDAP_SERVER_PORT}#g' ${OPENLDAP_LDAP_CONF}
+    perl -pi -e 's#PH_SSL_CERT_FILE#$ENV{SSL_CERT_FILE}#g' ${OPENLDAP_LDAP_CONF}
     chown ${OPENLDAP_DAEMON_USER}:${OPENLDAP_DAEMON_GROUP} ${OPENLDAP_LDAP_CONF}
 
     ECHO_DEBUG "Setting up syslog configration file for OpenLDAP."
     chmod -R 0700 ${OPENLDAP_DATA_DIR}
 
     ECHO_DEBUG "Starting OpenLDAP."
-    service_control slapd restart &>/dev/null
+    service_control restart ${OPENLDAP_RC_SCRIPT_NAME} &>/dev/null
 
-    ECHO_DEBUG "Sleep 5 seconds for LDAP daemon initialize ..."
+    ECHO_DEBUG "Sleep 5 seconds for LDAP daemon initialization ..."
     sleep 5
 
     ECHO_DEBUG "Populate LDAP tree."
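Review bot: After the substitutions ending at `perl -pi -e 's#PH_LDAP_ROOTPW_SSHA#…'`, `${OPENLDAP_SLAPD_CONF}` holds the rootpw hash and the TLS key path, but it is now created by `cp -f ${SAMPLE_DIR}/openldap/slapd.conf` and so inherits the sample file's mode from the checkout rather than the umask the old `cat >` heredoc used; no chown or chmod of `${OPENLDAP_SLAPD_CONF}` is visible in this hunk (only `${OPENLDAP_LDAP_CONF}` is chowned). Unless that is handled outside the hunk, add after the last substitution `chown ${OPENLDAP_DAEMON_USER}:${OPENLDAP_DAEMON_GROUP} ${OPENLDAP_SLAPD_CONF}` and `chmod 0640 ${OPENLDAP_SLAPD_CONF}`, adjusting to the daemon account the distro runs slapd as. Two smaller points: `cp ${SAMPLE_DIR}/openldap/ldap.conf` lacks the `-f` used for slapd.conf, and `PH_LDAP_SUFFIX` is substituted twice in slapd.conf (once in the ACL group, once in the database group), so one of the two lines can go. The enclosing function starts and ends outside this hunk.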

iRedMail/functions/packages.sh

 
                 if [ X"${ret1}" == X'0' -o X"${ret2}" == X'0' ]; then
                     mkdir -p ${POSTFIX_CHROOT_DIR}${i}
-                    cp ${i}/*nss* ${i}/*reso* ${POSTFIX_CHROOT_DIR}${i}/
+                    cp ${i}/*nss* ${i}/*reso* ${POSTFIX_CHROOT_DIR}${i}/ &>/dev/null
                 fi
             done
         elif [ X"${DISTRO}" == X'OPENBSD' ]; then
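Review bot: Appending `&>/dev/null` to the `cp ${i}/*nss* ${i}/*reso* …` line hides two distinct failures: an unmatched glob (the literal pattern is passed to cp and cp fails) and a genuine copy error, and a Postfix chroot missing its resolver and NSS libraries is exactly the kind of fault that surfaces much later as undeliverable mail. If the intent is only to tolerate a missing pattern, iterate and skip non-existent entries instead of silencing everything: `for f in ${i}/*nss* ${i}/*reso*; do [ -e "$f" ] && cp "$f" ${POSTFIX_CHROOT_DIR}${i}/; done`. The enclosing loop and function start and end outside this hunk.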

iRedMail/samples/openldap/ldap.conf

+BASE    PH_LDAP_SUFFIX
+URI     ldap://PH_LDAP_SERVER_HOST:PH_LDAP_SERVER_PORT
+TLS_CACERT PH_SSL_CERT_FILE

iRedMail/samples/openldap/slapd.conf

+# Schemas.
+include     PH_OPENLDAP_SCHEMA_DIR/core.schema
+include     PH_OPENLDAP_SCHEMA_DIR/corba.schema
+include     PH_OPENLDAP_SCHEMA_DIR/cosine.schema
+include     PH_OPENLDAP_SCHEMA_DIR/inetorgperson.schema
+include     PH_OPENLDAP_SCHEMA_DIR/nis.schema
+# Amavisd-new schema.
+include     PH_OPENLDAP_SCHEMA_DIR/PH_AMAVISD_LDAP_SCHEMA_NAME
+# iRedMail schema.
+include     PH_OPENLDAP_SCHEMA_DIR/iredmail.schema
+
+# Where the pid file is put. The init.d script will not stop the
+# server if you change this.
+pidfile     PH_OPENLDAP_PID_FILE
+
+# List of arguments that were passed to the server
+argsfile    PH_OPENLDAP_ARGS_FILE
+
+#modulepath  PH_OPENLDAP_MODULE_PATH
+#moduleload  back_PH_OPENLDAP_DEFAULT_DBTYPE
+
+# TLS files.
+TLSCACertificateFile PH_SSL_CERT_FILE
+TLSCertificateFile PH_SSL_CERT_FILE
+TLSCertificateKeyFile PH_SSL_KEY_FILE
+
+# Disallow bind as anonymous.
+disallow    bind_anon
+
+# Uncomment below line to allow binding as anonymous.
+#allow bind_anon_cred
+
+# Specify LDAP protocol version.
+require     LDAPv3
+#allow       bind_v2
+
+# Log level.
+#   -1:     enable all debugging
+#    0:     no debugging
+#   128:    access control list processing
+#   256:    stats log connections/operations/results
+loglevel    0
+
+# Access Control
+# Allow users to change their own passwords and mail forwarding addresses.
+access to attrs="userPassword,mailForwardingAddress,storageBaseDirectory,homeDirectory,mailMessageStore"
+    by anonymous    auth
+    by self         write
+    by dn.exact="PH_LDAP_BINDDN"   read
+    by dn.exact="PH_LDAP_ADMIN_DN"  write
+    by users        none
+
+# Allow to read others public info.
+access to attrs="cn,sn,gn,givenName,telephoneNumber"
+    by anonymous    auth
+    by self         write
+    by dn.exact="PH_LDAP_BINDDN"   read
+    by dn.exact="PH_LDAP_ADMIN_DN"  write
+    by users        read
+
+# Domain attrs.
+access to attrs="objectclass,domainName,mtaTransport,enabledService,domainSenderBccAddress,domainRecipientBccAddress,domainBackupMX,domainMaxQuotaSize,domainMaxUserNumber"
+    by anonymous    auth
+    by self         read
+    by dn.exact="PH_LDAP_BINDDN"   read
+    by dn.exact="PH_LDAP_ADMIN_DN"  write
+    by users        read
+
+access to attrs="domainAdmin,domainGlobalAdmin,domainSenderBccAddress,domainRecipientBccAddress"
+    by anonymous    auth
+    by self         read
+    by dn.exact="PH_LDAP_BINDDN"   read
+    by dn.exact="PH_LDAP_ADMIN_DN"  write
+    by users        none
+
+# User attrs.
+access to attrs="employeeNumber,mail,accountStatus,userSenderBccAddress,userRecipientBccAddress,mailQuota,backupMailAddress,shadowAddress,memberOfGroup"
+    by anonymous    auth
+    by self         read
+    by dn.exact="PH_LDAP_BINDDN"   read
+    by dn.exact="PH_LDAP_ADMIN_DN"  write
+    by users        read
+
+#
+# Set ACL for vmail/vmailadmin.
+#
+access to dn="PH_LDAP_BINDDN"
+    by anonymous                    auth
+    by self                         write
+    by dn.exact="PH_LDAP_ADMIN_DN"  write
+    by users                        none
+
+access to dn="PH_LDAP_ADMIN_DN"
+    by anonymous                    auth
+    by self                         write
+    by users                        none
+
+#
+# Allow users to access their own domain subtree.
+# Allow domain admin to modify accounts under same domain.
+#
+access to dn.regex="domainName=([^,]+),PH_LDAP_BASEDN$"
+    by anonymous                    auth
+    by self                         write
+    by dn.exact="PH_LDAP_BINDDN"   read
+    by dn.exact="PH_LDAP_ADMIN_DN"  write
+    by dn.regex="mail=[^,]+@$1,PH_LDAP_ADMIN_BASEDN$" write
+    by dn.regex="mail=[^,]+@$1,ou=Users,domainName=$1,PH_LDAP_BASEDN$" read
+    by users                        none
+
+#
+# Grant correct privileges to vmail/vmailadmin.
+#
+access to dn.subtree="PH_LDAP_BASEDN"
+    by anonymous                    auth
+    by self                         write
+    by dn.exact="PH_LDAP_BINDDN"   read
+    by dn.exact="PH_LDAP_ADMIN_DN"  write
+    by dn.regex="mail=[^,]+,ou=Users,domainName=$1,PH_LDAP_BASEDN$" read
+    by users                        read
+
+access to dn.subtree="PH_LDAP_ADMIN_BASEDN"
+    by anonymous                    auth
+    by self                         write
+    by dn.exact="PH_LDAP_BINDDN"   read
+    by dn.exact="PH_LDAP_ADMIN_DN"  write
+    by users                        none
+
+#
+# Set permission for "cn=*,PH_LDAP_SUFFIX".
+#
+access to dn.regex="cn=[^,]+,PH_LDAP_SUFFIX"
+    by anonymous                    auth
+    by self                         write
+    by users                        none
+
+#
+# Set default permission.
+#
+access to *
+    by anonymous                    auth
+    by self                         write
+    by users                        read
+
+#######################################################################
+# BDB database definitions
+#######################################################################
+
+database    PH_OPENLDAP_DEFAULT_DBTYPE
+suffix      PH_LDAP_SUFFIX
+directory   PH_LDAP_DATA_DIR
+
+rootdn      PH_LDAP_ROOTDN
+rootpw      PH_LDAP_ROOTPW_SSHA
+
+sizelimit   10000
+cachesize   10000
+
+# This directive specifies how often to checkpoint the BDB transaction log.
+# A checkpoint operation flushes the database buffers to disk and writes a
+# checkpoint record in the log. The checkpoint will occur if either <kbyte>
+# data has been written or <min> minutes have passed since the last checkpoint.
+# Both arguments default to zero, in which case they are ignored. When the
+# <min> argument is non-zero, an internal task will run every <min> minutes
+# to perform the checkpoint. See the Berkeley DB reference guide for more
+# details.
+#
+# OpenLDAP default is NO CHECKPOINTING.
+#
+# whenever 128kb data bytes written or 5 minutes has elapsed
+checkpoint  128 5
+
+# Set directory permission.
+mode        0700
+
+# Default index.
+index objectClass                                   eq,pres
+index uidNumber,gidNumber,uid,memberUid,loginShell  eq,pres
+index homeDirectory,mailMessageStore                eq,pres
+index ou,cn,mail,surname,givenname,telephoneNumber  eq,pres,sub
+index nisMapName,nisMapEntry                        eq,pres,sub
+index shadowLastChange                              eq,pres
+
+#
+# Index for mail attrs.
+#
+# Domain object
+index domainName,mtaTransport,accountStatus,enabledService  eq,pres,sub
+index domainAliasName    eq,pres,sub
+index domainMaxUserNumber eq,pres
+index domainAdmin,domainGlobalAdmin,domainBackupMX    eq,pres,sub
+index domainSenderBccAddress,domainRecipientBccAddress  eq,pres,sub
+# Group object
+index accessPolicy,hasMember,listAllowedUser   eq,pres,sub
+# User object
+index mailForwardingAddress,shadowAddress   eq,pres,sub
+index backupMailAddress,memberOfGroup   eq,pres,sub
+index userRecipientBccAddress,userSenderBccAddress  eq,pres,sub
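Review bot: The new template enables `index nisMapName,nisMapEntry eq,pres,sub`, whereas the heredoc it replaces had this line commented out (`#index nisMapName,nisMapEntry`), so the generated slapd.conf changes behaviour in a way the commit message does not mention; nis.schema is included so the attributes should resolve, but please confirm the index is intended. The template also drops the `${CONF_MSG}` banner and the note that explained the per-domain admin DN layout the `dn.regex` ACLs rely on, and it hard-codes attribute names where the heredoc used `${LDAP_ATTR_*}` variables, so those variables no longer affect slapd.conf. Suggest a header comment such as `# iRedMail slapd.conf template: PH_* tokens are replaced by functions/openldap.sh at install time; attribute names are fixed here, not taken from LDAP_ATTR_* variables.` and restoring the domain-admin DN note above the `# Access Control` block.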