source: trunk/puppet/modules/puppet-openldap/templates/slapd.conf_slave.erb @ 500

# This is the main slapd configuration file. See slapd.conf(5) for more
# ldap slave...

# Features to permit
# allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
<% if has_variable?("ldap_smb") -%>
include         /etc/ldap/schema/samba.schema
<% end -%>
include         /etc/ldap/schema/authldap.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
##schemacheck     on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel        0

# to use ldapsearch
sizelimit 2000

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_hdb
<% if has_variable?("ldap_slave") -%>
moduleload      syncprov
<% end -%>

# Specific Backend Directives for hdb
backend           hdb
#checkpoint  512 30
database    hdb

# The base of your directory in database #1
suffix          "<%= ldap_base %>"

# rootdn directive for specifying a superuser on the database. This is needed
# # for syncrepl.
#rootdn          "cn=admin,<%= ldap_base %>"
<% if has_variable?("ldap_slave") -%>
rootdn          "cn=admin,<%= ldap_base %>"
syncrepl rid=<%= ldap_slave_rid %>
 provider=<%= ldap_slave_provider %>
 type=refreshAndPersist
 retry="60 10 300 +"
 searchbase="<%= ldap_base %>"
 filter="(objectclass=*)"
 schemachecking=off
 bindmethod=simple
 binddn="cn=<%= ldap_slave %>,<%= ldap_base %>"
 credentials=<%= ldap_admin_password %>"
<% end -%>

# Where the database file are physically stored for database #1
directory       "/var/lib/ldap"

# Indexing options for database #1
index         uid,uidNumber,gidNumber,memberUid       eq
index         cn,mail,surname,givenname               eq,subinitial
<% if has_variable?("ldap_smb") -%>
index         sambaSID                                eq
index         sambaPrimaryGroupSID                    eq
index         sambaDomainName                         eq
<% end -%>
# Save the time that the entry gets modified, for database #1
lastmod         on

# Where to store the replica logs for database #1
# replogfile    /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
<% if has_variable?("ldap_smb") -%>
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdCanChange,sambaPwdMustChange,sambaPwdLastSet,sambaAcctFlags
<% else -%>
access to attrs=userPassword,shadowLastChange
<% end -%>
        by dn="cn=admin,<%= ldap_base %>" write
        by anonymous auth
        by self write
        by * none
# Ensure read access to the base for things like
# # supportedSASLMechanisms.  Without this you may
# # have problems with SASL not knowing what
# # mechanisms are available and the like.
# # Note that this is covered by the 'access to *'
# # ACL below too but if you change that as people
# # are wont to do you'll still need this if you
# # want SASL (and possible other things) to work 
# # happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,<%= ldap_base %>" write
        by * read

<% if has_variable?("ldap_ssl") -%>
TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSVerifyClient never
TLSCertificateFile /etc/ssl/certs/ldap.pem
TLSCertificateKeyFile /etc/ssl/certs/ldap.pem
TLSCACertificateFile /etc/ssl/certs/ldap.pem
<% end -%>