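# slapd.conf template
#
# Rendered with ERB: lib_dir, domain, dc_suffix and environment are supplied
# by the caller.  Order matters in slapd.conf -- global directives first, then
# one section per database; overlays attach to the database declared above
# them.
include /usr/share/openldap/schema/core.schema
include /usr/share/openldap/schema/cosine.schema
include /usr/share/openldap/schema/corba.schema
include /usr/share/openldap/schema/inetorgperson.schema
include /usr/share/openldap/schema/java.schema
include /usr/share/openldap/schema/krb5-kdc.schema
#include /usr/share/openldap/schema/kerberosobject.schema
include /usr/share/openldap/schema/misc.schema
include /usr/share/openldap/schema/rfc2307bis.schema
include /usr/share/openldap/schema/openldap.schema
#include /usr/share/openldap/schema/autofs.schema
include /usr/share/openldap/schema/samba.schema
# removed as it cause issue on 2010.0 :
# /usr/share/openldap/schema/kolab.schema:
# line 175 objectclass: Duplicate objectClass: "1.3.6.1.4.1.5322.13.1.1"
#include /usr/share/openldap/schema/kolab.schema
include /usr/share/openldap/schema/evolutionperson.schema
include /usr/share/openldap/schema/calendar.schema
include /usr/share/openldap/schema/sudo.schema
include /usr/share/openldap/schema/dnszone.schema
include /usr/share/openldap/schema/dhcp.schema
include /usr/share/openldap/schema/dyngroup.schema
include /usr/share/openldap/schema/ppolicy.schema
include /usr/share/openldap/schema/openssh-lpk_openldap.schema

#include /etc/openldap/schema/local.schema

pidfile /var/run/ldap/slapd.pid
argsfile /var/run/ldap/slapd.args

modulepath <%= lib_dir %>/openldap
moduleload back_monitor.la
moduleload syncprov.la
moduleload ppolicy.la
#moduleload refint.la
moduleload memberof.la
moduleload unique.la
moduleload dynlist.la
moduleload constraint.la

# A single PEM bundle serves as certificate, private key and CA file.  This
# only works when the bundle really holds all three (the CA entry must be the
# issuer, or the certificate must be self-signed), and it means the private
# key shares the bundle's permissions -- the file must stay readable by the
# slapd user only.  No TLSCipherSuite / TLSProtocolMin is set, so the TLS
# library's defaults decide which protocol versions and ciphers are accepted;
# TODO confirm those defaults are acceptable for this deployment.
TLSCertificateFile /etc/ssl/openldap/ldap.<%= domain %>.pem
TLSCertificateKeyFile /etc/ssl/openldap/ldap.<%= domain %>.pem
TLSCACertificateFile /etc/ssl/openldap/ldap.<%= domain %>.pem

# Give ldapi connection some security
localSSF 56
# Require at least this security, so we allow:
# ldapi
# ldap+start_tls
# ldaps
# NOTE: ssf=56 is only the floor that rejects cleartext ldap://; a TLS
# session's SSF is taken from the negotiated cipher's key strength, so this
# value alone does not guarantee a modern cipher.  If the floor is raised
# (e.g. to 128) localSSF must be raised with it, or ldapi binds are rejected.
security ssf=56

# 256 = "stats": one line per connection, operation and result.  This is the
# level that gives a usable audit trail; higher levels are for debugging only.
loglevel 256

# Runtime metadata about the server (connections, backends, counters).  Only
# the two admin groups may read it; everyone else gets nothing.
database monitor
access to dn.subtree="cn=Monitor"
by group.exact="cn=LDAP Monitors,ou=System Groups,<%= dc_suffix %>" read
by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" read
by * none

# Primary directory database.
# No rootpw is set here, so the rootdn can only be reached through an identity
# that is mapped onto it (see the test-only authz-regexp block below) -- confirm
# that is the intended administrative path for production.
# Access control for this database is not inline: it comes from the include at
# the end of this file.  With no access directive at all slapd falls back to
# read access for everyone, so that include must not be dropped.
database bdb
suffix "<%= dc_suffix %>"
directory /var/lib/ldap
rootdn "cn=manager,<%= dc_suffix %>"

checkpoint 256 5
# 32Mbytes, can hold about 10k posixAccount entries
dbconfig set_cachesize 0 33554432 1
dbconfig set_lg_bsize 2097152
cachesize 1000
idlcachesize 3000

# Equality indexes for the attributes the NSS/PAM, Samba, Kerberos, DNS, DHCP
# and sudo consumers search on.  entryCSN/entryUUID are needed for efficient
# syncrepl consumers served by the syncprov overlay below.
index objectClass eq
index uidNumber,gidNumber,memberuid,member,owner eq
index uid eq,subinitial
index cn,mail,surname,givenname eq,subinitial
index sambaSID eq,sub
index sambaDomainName,displayName,sambaGroupType eq
index sambaSIDList eq
index krb5PrincipalName eq
index uniqueMember pres,eq
index zoneName,relativeDomainName eq
index sudouser eq,sub
index entryCSN,entryUUID eq
index dhcpHWAddress,dhcpClassData eq

# Overlays below stack on the bdb database; slapd calls them in the reverse
# order of declaration, so the last one listed sees an operation first.

# Maintain the memberOf attribute on entries named in group "member" values.
overlay memberof

# Replication provider for syncrepl consumers.
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# Password policy.  ppolicy_hash_cleartext stores userPassword hashed even when
# a client sends it in cleartext; the hash scheme is the global password-hash
# setting, which this file does not set, so the compiled-in default applies.
# ppolicy_use_lockout returns an explicit "account locked" error instead of a
# generic invalid-credentials reply -- friendlier to users, but it discloses
# lock state to anyone who can attempt a bind.
overlay ppolicy
ppolicy_default "cn=default,ou=Password Policies,<%= dc_suffix %>"
ppolicy_hash_cleartext yes
ppolicy_use_lockout yes

# Enforce that no two entries under the suffix share a mail value.
overlay unique
unique_uri ldap:///?mail?sub?

# Expand groupOfURLs: the memberURL searches populate the member attribute.
overlay dynlist
dynlist-attrset groupOfURLs memberURL member


# Reject malformed sshPublicKey values before they are stored.  The pattern
# accepts the OpenSSH key types in current use (rsa, dss, ed25519, ecdsa); the
# original only allowed ssh-rsa and ssh-dss.  A value must still be exactly
# "<type> <base64 blob> <comment>" with no surrounding whitespace.
overlay constraint
constraint_attribute sshPublicKey regex "^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) [[:graph:]]+ [[:graph:]]+$"

# uncomment if you want to automatically update group
# memberships when an user is removed from the tree
# Also uncomment the refint.la moduleload above
#overlay refint
#refint_attributes member
#refint_nothing "uid=LDAP Admin,ou=System Accounts,<%= dc_suffix %>"

<% if environment == "test" %>
# Test-only SASL identity mappings: the local root user connecting over ldapi
# (peercred) becomes the rootdn, and any SASL uid is mapped straight to
# ou=People regardless of mechanism or realm.  Both mappings are deliberately
# broad and must stay inside this "test" guard.
authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
"cn=manager,<%= dc_suffix %>"
authz-regexp ^uid=([^,]+),cn=[^,]+,cn=auth$ uid=$1,ou=People,<%= dc_suffix %>
<% end %>

# Access control for the directory.  Included last, after "database bdb", so
# its access directives attach to that database.
include /etc/openldap/mandriva-dit-access.conf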