/[adm]/puppet/modules/openldap/templates/slapd.conf

Contents of /puppet/modules/openldap/templates/slapd.conf



Revision 2401 - (show annotations) (download)
Sun Feb 12 12:07:03 2012 UTC (12 years, 2 months ago) by misc
File size: 3863 byte(s)
fix regexp for matching dsa key ( since it would have been too logical to call that dsa key and use ssh-dsa.. )
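# slapd.conf template
#
# Rendered by Puppet through ERB: <%= lib_dir %>, <%= domain %> and
# <%= dc_suffix %> are substituted when the catalog is compiled.
# Directive order matters to slapd: everything above the first "database"
# line is global, and "overlay"/"index"/"access" lines apply to the
# database they follow.
include /usr/share/openldap/schema/core.schema
include /usr/share/openldap/schema/cosine.schema
include /usr/share/openldap/schema/corba.schema
include /usr/share/openldap/schema/inetorgperson.schema
include /usr/share/openldap/schema/java.schema
include /usr/share/openldap/schema/krb5-kdc.schema
#include /usr/share/openldap/schema/kerberosobject.schema
include /usr/share/openldap/schema/misc.schema
include /usr/share/openldap/schema/rfc2307bis.schema
include /usr/share/openldap/schema/openldap.schema
#include /usr/share/openldap/schema/autofs.schema
include /usr/share/openldap/schema/samba.schema
# removed as it cause issue on 2010.0 :
# /usr/share/openldap/schema/kolab.schema:
# line 175 objectclass: Duplicate objectClass: "1.3.6.1.4.1.5322.13.1.1"
#include /usr/share/openldap/schema/kolab.schema
include /usr/share/openldap/schema/evolutionperson.schema
include /usr/share/openldap/schema/calendar.schema
include /usr/share/openldap/schema/sudo.schema
include /usr/share/openldap/schema/dnszone.schema
include /usr/share/openldap/schema/dhcp.schema
include /usr/share/openldap/schema/dyngroup.schema
include /usr/share/openldap/schema/ppolicy.schema
include /usr/share/openldap/schema/openssh-lpk_openldap.schema

#include /etc/openldap/schema/local.schema

pidfile /var/run/ldap/slapd.pid
argsfile /var/run/ldap/slapd.args

modulepath <%= lib_dir %>/openldap
moduleload back_monitor.la
moduleload syncprov.la
moduleload ppolicy.la
#moduleload refint.la
moduleload memberof.la
moduleload unique.la
moduleload dynlist.la
moduleload constraint.la

# A single PEM file provides certificate, private key and CA chain.
# Since it holds the private key it must be readable only by the user
# slapd runs as -- check ownership/mode in the manifest that ships it.
# Pointing TLSCACertificateFile at the same file means only a chain
# present in that file is trusted when a peer certificate is verified;
# no TLSVerifyClient is set (default "never"), so clients are not asked
# for certificates. No TLSCipherSuite / protocol floor is set either,
# so the library defaults decide which TLS versions and ciphers are offered.
TLSCertificateFile /etc/ssl/openldap/ldap.<%= domain %>.pem
TLSCertificateKeyFile /etc/ssl/openldap/ldap.<%= domain %>.pem
TLSCACertificateFile /etc/ssl/openldap/ldap.<%= domain %>.pem

# Give ldapi connection some security
# ldapi:// (unix socket) carries no TLS, so it is assigned a fixed SSF
# that satisfies the global floor below.
localSSF 56
# Require at least this security, so we allow:
# ldapi
# ldap+start_tls
# ldaps
# 56 only guarantees that cleartext ldap:// (no StartTLS) is refused; it
# does not constrain which TLS cipher suite is negotiated. A higher floor
# (e.g. ssf=128) would reject weak ciphers too, but localSSF and any
# client-side expectations have to be raised together with it.
security ssf=56

# 256 = "stats": connections, operations and results. Enough for an
# audit trail / incident timeline without ACL or sync tracing noise.
loglevel 256

# cn=Monitor is readable only by the two named groups; everyone else,
# anonymous included, gets nothing.
database monitor
access to dn.subtree="cn=Monitor"
by group.exact="cn=LDAP Monitors,ou=System Groups,<%= dc_suffix %>" read
by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" read
by * none

database bdb
suffix "<%= dc_suffix %>"
directory /var/lib/ldap
# No rootpw is configured, so the rootdn has no password stored in this
# file; it is presumably reachable only through the peercred authz-regexp
# mapping below (test environments) or an entry bearing that DN -- confirm
# against the DIT before relying on it.
rootdn "cn=manager,<%= dc_suffix %>"

checkpoint 256 5
# 32Mbytes, can hold about 10k posixAccount entries
dbconfig set_cachesize 0 33554432 1
dbconfig set_lg_bsize 2097152
cachesize 1000
idlcachesize 3000

# Indexes: every attribute used in the ACLs, authz mappings or replication
# filters should be listed here, otherwise unindexed searches hit the
# whole database (and get logged as such at this loglevel).
index objectClass eq
index uidNumber,gidNumber,memberuid,member,owner eq
index uid eq,subinitial
index cn,mail,surname,givenname eq,subinitial
index sambaSID eq,sub
index sambaDomainName,displayName,sambaGroupType eq
index sambaSIDList eq
index krb5PrincipalName eq
index uniqueMember pres,eq
index zoneName,relativeDomainName eq
index sudouser eq,sub
# entryCSN/entryUUID are what syncrepl consumers search on
index entryCSN,entryUUID eq
index dhcpHWAddress,dhcpClassData eq

overlay memberof

# Replication provider; consumers are configured elsewhere.
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

overlay ppolicy
ppolicy_default "cn=default,ou=Password Policies,<%= dc_suffix %>"
# Hash userPassword values sent in the clear instead of storing them as-is.
ppolicy_hash_cleartext yes
# With use_lockout slapd answers a locked account with "accountLocked"
# rather than invalidCredentials, which discloses the lock state to an
# unauthenticated client; accepted here in exchange for clearer errors.
ppolicy_use_lockout yes

# mail must be unique across the whole suffix
overlay unique
unique_uri ldap:///?mail?sub?

overlay dynlist
dynlist-attrset groupOfURLs memberURL member


# Reject sshPublicKey values that are not "<type> <base64> <comment>".
# Only ssh-rsa and ssh-dss (the OpenSSH name for DSA keys) pass; ssh-ed25519
# and ecdsa-sha2-* keys, keys without a comment, and comments containing a
# space are refused. Extend the alternation if such keys are expected.
overlay constraint
constraint_attribute sshPublicKey regex "^ssh-(rsa|dss) [[:graph:]]+ [[:graph:]]+$"

# uncomment if you want to automatically update group
# memberships when an user is removed from the tree
# Also uncomment the refint.la moduleload above
# Note the example below uses the placeholder suffix dc=example,dc=com;
# substitute <%= dc_suffix %> before enabling it.
#overlay refint
#refint_attributes member
#refint_nothing "uid=LDAP Admin,ou=System Accounts,dc=example,dc=com"

# Test environments only: map the ldapi peercred identity of uid/gid 0 to
# the rootdn, and any SASL uid to its ou=People entry. The "\\\+" sequence
# is left alone by ERB (it is outside <% %>) and appears to be unescaped by
# slapd.conf into a literal "+" for the regex -- keep the escaping as-is.
# These mappings must never reach a production catalog.
<% if environment == "test" %>
authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
"cn=manager,<%= dc_suffix %>"
authz-regexp ^uid=([^,]+),cn=[^,]+,cn=auth$ uid=$1,ou=People,<%= dc_suffix %>
<% end %>

# ACLs for the main database live in this file. "access" directives attach
# to the most recently defined database, so the include must stay below the
# bdb section (and its overlays) to apply to it.
include /etc/openldap/mandriva-dit-access.conf


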
