source: trunk/puppet/modules/puppet-openldap/templates/slapd.conf_slave.erb @ 702

Last change on this file since 702 was 564, checked in by sebas@…, 15 years ago

permitir a los clientes ldap de conectar al servidor ldap esclavo
File size: 4.2 KB
RevLine 
[447]1# This is the main slapd configuration file. See slapd.conf(5) for more
2# ldap slave...
3
4# Features to permit
5# allow bind_v2
6
7# Schema and objectClass definitions
8include         /etc/ldap/schema/core.schema
9include         /etc/ldap/schema/cosine.schema
[532]10#include         /etc/ldap/schema/nis.schema
[447]11include         /etc/ldap/schema/inetorgperson.schema
12<% if has_variable?("ldap_smb") -%>
13include         /etc/ldap/schema/samba.schema
14<% end -%>
[532]15#include         /etc/ldap/schema/authldap.schema
[447]16
[532]17include /etc/ldap/schema/rfc2307bis.schema
18include /etc/ldap/schema/mozillaabpersonalpha.schema
19include /etc/ldap/schema/evolutionperson.schema
20
21
[447]22# Schema check allows for forcing entries to
23# match schemas for their objectClasses's
[449]24##schemacheck     on
[447]25
26# Where the pid file is put. The init.d script
27# will not stop the server if you change this.
28pidfile         /var/run/slapd/slapd.pid
29
30# List of arguments that were passed to the server
31argsfile        /var/run/slapd/slapd.args
32
33# Read slapd.conf(5) for possible values
[532]34loglevel        16384
[447]35
36# to use ldapsearch
37sizelimit 2000
38
39# Where the dynamically loaded modules are stored
40modulepath      /usr/lib/ldap
[448]41moduleload      back_hdb
42<% if has_variable?("ldap_slave") -%>
43moduleload      syncprov
44<% end -%>
[447]45
[448]46# Specific Backend Directives for hdb
47backend           hdb
[449]48#checkpoint  512 30
[448]49database    hdb
[447]50
51# The base of your directory in database #1
52suffix          "<%= ldap_base %>"
53
54# rootdn directive for specifying a superuser on the database. This is needed
55# # for syncrepl.
56#rootdn          "cn=admin,<%= ldap_base %>"
[448]57<% if has_variable?("ldap_slave") -%>
58rootdn          "cn=admin,<%= ldap_base %>"
[500]59syncrepl rid=<%= ldap_slave_rid %>
60 provider=<%= ldap_slave_provider %>
[448]61 type=refreshAndPersist
62 retry="60 10 300 +"
63 searchbase="<%= ldap_base %>"
64 filter="(objectclass=*)"
65 schemachecking=off
66 bindmethod=simple
[450]67 binddn="cn=<%= ldap_slave %>,<%= ldap_base %>"
[532]68 credentials="<%= ldap_slave_credentials %>"
[448]69<% end -%>
[447]70
71# Where the database file are physically stored for database #1
72directory       "/var/lib/ldap"
73
74# Indexing options for database #1
[532]75#index         uid,uidNumber,gidNumber,memberUid       eq
76index         mail,surname,givenname               eq,subinitial
77# Indexing options for database #1
78index           objectClass eq
79index           uid pres,eq
80index           gidNumber pres,eq
81index           uidNumber pres,eq
82index           memberUid pres,eq
83index           cn pres,eq
84index           entryCSN,entryUUID eq
85
[447]86<% if has_variable?("ldap_smb") -%>
87index         sambaSID                                eq
88index         sambaPrimaryGroupSID                    eq
89index         sambaDomainName                         eq
90<% end -%>
91# Save the time that the entry gets modified, for database #1
92lastmod         on
93
94# Where to store the replica logs for database #1
95# replogfile    /var/lib/ldap/replog
96
97# The userPassword by default can be changed
98# by the entry owning it if they are authenticated.
99# Others should not be able to see it, except the
100# admin entry below
101# These access lines apply to database #1 only
102<% if has_variable?("ldap_smb") -%>
103access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdCanChange,sambaPwdMustChange,sambaPwdLastSet,sambaAcctFlags
104<% else -%>
[448]105access to attrs=userPassword,shadowLastChange
[447]106<% end -%>
107        by dn="cn=admin,<%= ldap_base %>" write
108        by anonymous auth
109        by self write
110        by * none
111# Ensure read access to the base for things like
112# # supportedSASLMechanisms.  Without this you may
113# # have problems with SASL not knowing what
114# # mechanisms are available and the like.
115# # Note that this is covered by the 'access to *'
116# # ACL below too but if you change that as people
117# # are wont to do you'll still need this if you
118# # want SASL (and possible other things) to work
119# # happily.
[532]120#access to dn.base="" by * read
[447]121
122# The admin dn has full write access, everyone else
123# can read everything.
[564]124access to *
125        by dn="cn=admin,<%= ldap_base %>" write
126        by * read
[447]127
128<% if has_variable?("ldap_ssl") -%>
129TLSCipherSuite HIGH:MEDIUM:-SSLv2
130TLSVerifyClient never
131TLSCertificateFile /etc/ssl/certs/ldap.pem
132TLSCertificateKeyFile /etc/ssl/certs/ldap.pem
133TLSCACertificateFile /etc/ssl/certs/ldap.pem
134<% end -%>
Note: See TracBrowser for help on using the repository browser.