#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Review note: this file carries the rootdn credential hash (see rootpw
# below), so keep it owned by the ldap user with mode 600, and do not
# commit a copy of it with live credentials to a repository.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/zarafa.schema

# Allow LDAPv2 client connections. This is NOT the default.
# LDAPv2 has no StartTLS extended operation, so v2 clients can only
# talk plain LDAP to this server; keep this only while a legacy
# client actually requires it.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
#
# Review note: all four TLS directives below are commented out, and the
# "security" directive further down is commented out as well, so as
# configured this instance serves unencrypted LDAP only and accepts simple
# binds (which carry the password in the clear) over it. If TLS is
# re-enabled, revisit the cipher suite: ":SSLv3" names an obsolete
# protocol family.
#TLSCertificateFile /etc/pki/tls/certs/slapdcert.pem
#TLSCertificateKeyFile /etc/pki/tls/private/slapdkey.pem
#TLSCACertificateFile /etc/openldap/ca.pem
#TLSCipherSuite :SSLv3

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# (Currently inactive -- no minimum SSF is enforced for any operation.)
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=ujsoftware,dc=com"
rootdn "cn=Manager,dc=ujsoftware,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#
# Review note: a commented-out cleartext rootpw used to sit on the next
# line and has been removed from this copy. Treat that value as exposed
# and rotate the rootdn password (regenerate the hash with slappasswd).
# The active rootpw below is a hashed value; it is still a secret and is
# the reason this file must not be world readable.
rootpw {CRYPT}$2X7KXqudASgY
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
lastmod on

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,sn,mail,givenname eq,pres,sub
index uidNumber,gidNumber,memberUid eq,pres
index loginShell eq,pres
## required to support pdb_getsampwnam
index uid pres,sub,eq
## required to support pdb_getsambapwrid()
index displayName pres,sub,eq
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

# Access control. slapd evaluates "access to" clauses in order and uses
# the first one whose target matches, so the clauses below go from the
# most specific (password attributes) to the catch-all; do not reorder
# them. The explicit 'by dn="cn=Manager,..."' entries name the rootdn,
# which bypasses ACLs anyway (see above), so they are redundant but
# harmless.

# users can authenticate and change their password
# Password-bearing attributes: readable by nobody ("by * none"), writable
# by the owning entry, and usable by anonymous only for authentication.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
    by dn="cn=Manager,dc=ujsoftware,dc=com" write
    by self write
    by anonymous auth
    by * none

# those 2 parameters must be world readable for password aging to work correctly
# (or use a privileged account in /etc/ldap.conf to bind to the directory)
# "by * read" here includes anonymous (unauthenticated) clients.
access to attrs=shadowLastChange,shadowMax
    by dn="cn=Manager,dc=ujsoftware,dc=com" write
    by self write
    by * read

# all others attributes are readable to everybody
# Catch-all: every attribute not matched above (including uidNumber,
# memberUid, sambaSID and the other indexed attributes) is readable by
# anyone, anonymous clients included. Narrow this to "by users read" if
# the directory contents should not be enumerable without a bind.
access to *
    by * read

# Replicas of this database
# (Inactive sample; note the starttls=critical setting, which would
# require the replica connection to be TLS-protected.)
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM