# This is the main slapd configuration file. See slapd.conf(5) for more # Features to permit # allow bind_v2 # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema <% if has_variable?("ldap_smb") -%> include /etc/ldap/schema/samba.schema <% end -%> include /etc/ldap/schema/authldap.schema # Schema check allows for forcing entries to # match schemas for their objectClasses's schemacheck on # Where the pid file is put. The init.d script # will not stop the server if you change this. pidfile /var/run/slapd/slapd.pid # List of arguments that were passed to the server argsfile /var/run/slapd/slapd.args # Read slapd.conf(5) for possible values loglevel 0 # to use ldapsearch sizelimit 2000 # Where the dynamically loaded modules are stored modulepath /usr/lib/ldap moduleload back_bdb # Specific Backend Directives for bdb backend bdb checkpoint 512 30 database bdb # The base of your directory in database #1 suffix "<%= ldap_base %>" # rootdn directive for specifying a superuser on the database. This is needed # # for syncrepl. #rootdn "cn=admin,<%= ldap_base %>" # Where the database file are physically stored for database #1 directory "/var/lib/ldap" # Indexing options for database #1 index uid,uidNumber,gidNumber,memberUid eq index cn,mail,surname,givenname eq,subinitial <% if has_variable?("ldap_smb") -%> index sambaSID eq index sambaPrimaryGroupSID eq index sambaDomainName eq <% end -%> # Save the time that the entry gets modified, for database #1 lastmod on # Where to store the replica logs for database #1 # replogfile /var/lib/ldap/replog # The userPassword by default can be changed # by the entry owning it if they are authenticated. # Others should not be able to see it, except the # admin entry below # These access lines apply to database #1 only <% if has_variable?("ldap_smb") -%> access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdCanChange,sambaPwdMustChange,sambaPwdLastSet,sambaAcctFlags <% else -%> access to attrs=userPassword <% end -%> by dn="cn=admin,<%= ldap_base %>" write by anonymous auth by self write by * none # Ensure read access to the base for things like # # supportedSASLMechanisms. Without this you may # # have problems with SASL not knowing what # # mechanisms are available and the like. # # Note that this is covered by the 'access to *' # # ACL below too but if you change that as people # # are wont to do you'll still need this if you # # want SASL (and possible other things) to work # # happily. access to dn.base="" by * read # The admin dn has full write access, everyone else # can read everything. access to * by dn="cn=admin,<%= ldap_base %>" write by * read <% if has_variable?("ldap_ssl") -%> TLSCipherSuite HIGH:MEDIUM:-SSLv2 TLSVerifyClient never TLSCertificateFile /etc/ssl/certs/ldap.pem TLSCertificateKeyFile /etc/ssl/certs/ldap.pem TLSCACertificateFile /etc/ssl/certs/ldap.pem <% end -%>