1 | # This is the main slapd configuration file. See slapd.conf(5) for more |
---|
2 | |
---|
3 | # Features to permit |
---|
4 | # allow bind_v2 |
---|
5 | |
---|
6 | # Schema and objectClass definitions |
---|
7 | include /etc/ldap/schema/core.schema |
---|
8 | include /etc/ldap/schema/cosine.schema |
---|
9 | include /etc/ldap/schema/nis.schema |
---|
10 | include /etc/ldap/schema/inetorgperson.schema |
---|
11 | <% if has_variable?("ldap_smb") -%> |
---|
12 | include /etc/ldap/schema/samba.schema |
---|
13 | <% end -%> |
---|
14 | include /etc/ldap/schema/authldap.schema |
---|
15 | |
---|
16 | # Schema check allows for forcing entries to |
---|
17 | # match schemas for their objectClasses's |
---|
18 | schemacheck on |
---|
19 | |
---|
20 | # Where the pid file is put. The init.d script |
---|
21 | # will not stop the server if you change this. |
---|
22 | pidfile /var/run/slapd/slapd.pid |
---|
23 | |
---|
24 | # List of arguments that were passed to the server |
---|
25 | argsfile /var/run/slapd/slapd.args |
---|
26 | |
---|
27 | # Read slapd.conf(5) for possible values |
---|
28 | loglevel 0 |
---|
29 | |
---|
30 | # to use ldapsearch |
---|
31 | sizelimit 2000 |
---|
32 | |
---|
33 | # Where the dynamically loaded modules are stored |
---|
34 | modulepath /usr/lib/ldap |
---|
35 | moduleload back_bdb |
---|
36 | |
---|
37 | # Specific Backend Directives for bdb |
---|
38 | backend bdb |
---|
39 | checkpoint 512 30 |
---|
40 | database bdb |
---|
41 | |
---|
42 | # The base of your directory in database #1 |
---|
43 | suffix "<%= ldap_base %>" |
---|
44 | |
---|
45 | # rootdn directive for specifying a superuser on the database. This is needed |
---|
46 | # # for syncrepl. |
---|
47 | #rootdn "cn=admin,<%= ldap_base %>" |
---|
48 | |
---|
49 | # Where the database file are physically stored for database #1 |
---|
50 | directory "/var/lib/ldap" |
---|
51 | |
---|
52 | # Indexing options for database #1 |
---|
53 | index uid,uidNumber,gidNumber,memberUid eq |
---|
54 | index cn,mail,surname,givenname eq,subinitial |
---|
55 | <% if has_variable?("ldap_smb") -%> |
---|
56 | index sambaSID eq |
---|
57 | index sambaPrimaryGroupSID eq |
---|
58 | index sambaDomainName eq |
---|
59 | <% end -%> |
---|
60 | # Save the time that the entry gets modified, for database #1 |
---|
61 | lastmod on |
---|
62 | |
---|
63 | # Where to store the replica logs for database #1 |
---|
64 | # replogfile /var/lib/ldap/replog |
---|
65 | |
---|
66 | # The userPassword by default can be changed |
---|
67 | # by the entry owning it if they are authenticated. |
---|
68 | # Others should not be able to see it, except the |
---|
69 | # admin entry below |
---|
70 | # These access lines apply to database #1 only |
---|
71 | <% if has_variable?("ldap_smb") -%> |
---|
72 | access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdCanChange,sambaPwdMustChange,sambaPwdLastSet,sambaAcctFlags |
---|
73 | <% else -%> |
---|
74 | access to attrs=userPassword |
---|
75 | <% end -%> |
---|
76 | by dn="cn=admin,<%= ldap_base %>" write |
---|
77 | by anonymous auth |
---|
78 | by self write |
---|
79 | by * none |
---|
80 | # Ensure read access to the base for things like |
---|
81 | # # supportedSASLMechanisms. Without this you may |
---|
82 | # # have problems with SASL not knowing what |
---|
83 | # # mechanisms are available and the like. |
---|
84 | # # Note that this is covered by the 'access to *' |
---|
85 | # # ACL below too but if you change that as people |
---|
86 | # # are wont to do you'll still need this if you |
---|
87 | # # want SASL (and possible other things) to work |
---|
88 | # # happily. |
---|
89 | access to dn.base="" by * read |
---|
90 | |
---|
91 | # The admin dn has full write access, everyone else |
---|
92 | # can read everything. |
---|
93 | access to * |
---|
94 | by dn="cn=admin,<%= ldap_base %>" write |
---|
95 | by * read |
---|
96 | |
---|
97 | <% if has_variable?("ldap_ssl") -%> |
---|
98 | TLSCipherSuite HIGH:MEDIUM:-SSLv2 |
---|
99 | TLSVerifyClient never |
---|
100 | TLSCertificateFile /etc/ssl/certs/ldap.pem |
---|
101 | TLSCertificateKeyFile /etc/ssl/certs/ldap.pem |
---|
102 | TLSCACertificateFile /etc/ssl/certs/ldap.pem |
---|
103 | <% end -%> |
---|