| 1 | # This is the main slapd configuration file. See slapd.conf(5) for more |
|---|
| 2 | # ldap slave... |
|---|
| 3 | |
|---|
| 4 | # Features to permit |
|---|
| 5 | # allow bind_v2 |
|---|
| 6 | |
|---|
| 7 | # Schema and objectClass definitions |
|---|
| 8 | include /etc/ldap/schema/core.schema |
|---|
| 9 | include /etc/ldap/schema/cosine.schema |
|---|
| 10 | #include /etc/ldap/schema/nis.schema |
|---|
| 11 | include /etc/ldap/schema/inetorgperson.schema |
|---|
| 12 | <% if has_variable?("ldap_smb") -%> |
|---|
| 13 | include /etc/ldap/schema/samba.schema |
|---|
| 14 | <% end -%> |
|---|
| 15 | #include /etc/ldap/schema/authldap.schema |
|---|
| 16 | |
|---|
| 17 | include /etc/ldap/schema/rfc2307bis.schema |
|---|
| 18 | include /etc/ldap/schema/mozillaabpersonalpha.schema |
|---|
| 19 | include /etc/ldap/schema/evolutionperson.schema |
|---|
| 20 | |
|---|
| 21 | |
|---|
| 22 | # Schema check allows for forcing entries to |
|---|
| 23 | # match schemas for their objectClasses's |
|---|
| 24 | ##schemacheck on |
|---|
| 25 | |
|---|
| 26 | # Where the pid file is put. The init.d script |
|---|
| 27 | # will not stop the server if you change this. |
|---|
| 28 | pidfile /var/run/slapd/slapd.pid |
|---|
| 29 | |
|---|
| 30 | # List of arguments that were passed to the server |
|---|
| 31 | argsfile /var/run/slapd/slapd.args |
|---|
| 32 | |
|---|
| 33 | # Read slapd.conf(5) for possible values |
|---|
| 34 | loglevel 16384 |
|---|
| 35 | |
|---|
| 36 | # to use ldapsearch |
|---|
| 37 | sizelimit 2000 |
|---|
| 38 | |
|---|
| 39 | # Where the dynamically loaded modules are stored |
|---|
| 40 | modulepath /usr/lib/ldap |
|---|
| 41 | moduleload back_hdb |
|---|
| 42 | <% if has_variable?("ldap_slave") -%> |
|---|
| 43 | moduleload syncprov |
|---|
| 44 | <% end -%> |
|---|
| 45 | |
|---|
| 46 | # Specific Backend Directives for hdb |
|---|
| 47 | backend hdb |
|---|
| 48 | #checkpoint 512 30 |
|---|
| 49 | database hdb |
|---|
| 50 | |
|---|
| 51 | # The base of your directory in database #1 |
|---|
| 52 | suffix "<%= ldap_base %>" |
|---|
| 53 | |
|---|
| 54 | # rootdn directive for specifying a superuser on the database. This is needed |
|---|
| 55 | # # for syncrepl. |
|---|
| 56 | #rootdn "cn=admin,<%= ldap_base %>" |
|---|
| 57 | <% if has_variable?("ldap_slave") -%> |
|---|
| 58 | rootdn "cn=admin,<%= ldap_base %>" |
|---|
| 59 | syncrepl rid=<%= ldap_slave_rid %> |
|---|
| 60 | provider=<%= ldap_slave_provider %> |
|---|
| 61 | type=refreshAndPersist |
|---|
| 62 | retry="60 10 300 +" |
|---|
| 63 | searchbase="<%= ldap_base %>" |
|---|
| 64 | filter="(objectclass=*)" |
|---|
| 65 | schemachecking=off |
|---|
| 66 | bindmethod=simple |
|---|
| 67 | binddn="cn=<%= ldap_slave %>,<%= ldap_base %>" |
|---|
| 68 | credentials="<%= ldap_slave_credentials %>" |
|---|
| 69 | <% end -%> |
|---|
| 70 | |
|---|
| 71 | # Where the database file are physically stored for database #1 |
|---|
| 72 | directory "/var/lib/ldap" |
|---|
| 73 | |
|---|
| 74 | # Indexing options for database #1 |
|---|
| 75 | #index uid,uidNumber,gidNumber,memberUid eq |
|---|
| 76 | index mail,surname,givenname eq,subinitial |
|---|
| 77 | # Indexing options for database #1 |
|---|
| 78 | index objectClass eq |
|---|
| 79 | index uid pres,eq |
|---|
| 80 | index gidNumber pres,eq |
|---|
| 81 | index uidNumber pres,eq |
|---|
| 82 | index memberUid pres,eq |
|---|
| 83 | index cn pres,eq |
|---|
| 84 | index entryCSN,entryUUID eq |
|---|
| 85 | |
|---|
| 86 | <% if has_variable?("ldap_smb") -%> |
|---|
| 87 | index sambaSID eq |
|---|
| 88 | index sambaPrimaryGroupSID eq |
|---|
| 89 | index sambaDomainName eq |
|---|
| 90 | <% end -%> |
|---|
| 91 | # Save the time that the entry gets modified, for database #1 |
|---|
| 92 | lastmod on |
|---|
| 93 | |
|---|
| 94 | # Where to store the replica logs for database #1 |
|---|
| 95 | # replogfile /var/lib/ldap/replog |
|---|
| 96 | |
|---|
| 97 | # The userPassword by default can be changed |
|---|
| 98 | # by the entry owning it if they are authenticated. |
|---|
| 99 | # Others should not be able to see it, except the |
|---|
| 100 | # admin entry below |
|---|
| 101 | # These access lines apply to database #1 only |
|---|
| 102 | <% if has_variable?("ldap_smb") -%> |
|---|
| 103 | access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdCanChange,sambaPwdMustChange,sambaPwdLastSet,sambaAcctFlags |
|---|
| 104 | <% else -%> |
|---|
| 105 | access to attrs=userPassword,shadowLastChange |
|---|
| 106 | <% end -%> |
|---|
| 107 | by dn="cn=admin,<%= ldap_base %>" write |
|---|
| 108 | by anonymous auth |
|---|
| 109 | by self write |
|---|
| 110 | by * none |
|---|
| 111 | # Ensure read access to the base for things like |
|---|
| 112 | # # supportedSASLMechanisms. Without this you may |
|---|
| 113 | # # have problems with SASL not knowing what |
|---|
| 114 | # # mechanisms are available and the like. |
|---|
| 115 | # # Note that this is covered by the 'access to *' |
|---|
| 116 | # # ACL below too but if you change that as people |
|---|
| 117 | # # are wont to do you'll still need this if you |
|---|
| 118 | # # want SASL (and possible other things) to work |
|---|
| 119 | # # happily. |
|---|
| 120 | #access to dn.base="" by * read |
|---|
| 121 | |
|---|
| 122 | # The admin dn has full write access, everyone else |
|---|
| 123 | # can read everything. |
|---|
| 124 | #access to * |
|---|
| 125 | # by dn="cn=admin,<%= ldap_base %>" write |
|---|
| 126 | # by * read |
|---|
| 127 | |
|---|
| 128 | <% if has_variable?("ldap_ssl") -%> |
|---|
| 129 | TLSCipherSuite HIGH:MEDIUM:-SSLv2 |
|---|
| 130 | TLSVerifyClient never |
|---|
| 131 | TLSCertificateFile /etc/ssl/certs/ldap.pem |
|---|
| 132 | TLSCertificateKeyFile /etc/ssl/certs/ldap.pem |
|---|
| 133 | TLSCACertificateFile /etc/ssl/certs/ldap.pem |
|---|
| 134 | <% end -%> |
|---|
