| 1 |
# |
| 2 |
# See slapd.conf(5) for details on configuration options. |
| 3 |
# This file should NOT be world readable. |
| 4 |
# |
| 5 |
|
| 6 |
include /etc/openldap/schema/corba.schema |
| 7 |
include /etc/openldap/schema/core.schema |
| 8 |
include /etc/openldap/schema/cosine.schema |
| 9 |
include /etc/openldap/schema/duaconf.schema |
| 10 |
include /etc/openldap/schema/dyngroup.schema |
| 11 |
include /etc/openldap/schema/inetorgperson.schema |
| 12 |
include /etc/openldap/schema/java.schema |
| 13 |
include /etc/openldap/schema/misc.schema |
| 14 |
include /etc/openldap/schema/nis.schema |
| 15 |
include /etc/openldap/schema/openldap.schema |
| 16 |
include /etc/openldap/schema/ppolicy.schema |
| 17 |
include /etc/openldap/schema/collective.schema |
| 18 |
|
| 19 |
# Allow LDAPv2 client connections. This is NOT the default. |
| 20 |
allow bind_v2 |
| 21 |
|
| 22 |
# Do not enable referrals until AFTER you have a working directory |
| 23 |
# service AND an understanding of referrals. |
| 24 |
#referral ldap://root.openldap.org |
| 25 |
|
| 26 |
pidfile /var/run/openldap/slapd.pid |
| 27 |
argsfile /var/run/openldap/slapd.args |
| 28 |
|
| 29 |
# Load dynamic backend modules |
| 30 |
# - modulepath is architecture dependent value (32/64-bit system) |
| 31 |
# - back_sql.la overlay requires openldap-server-sql package |
| 32 |
# - dyngroup.la and dynlist.la cannot be used at the same time |
| 33 |
|
| 34 |
# modulepath /usr/lib/openldap |
| 35 |
# modulepath /usr/lib64/openldap |
| 36 |
|
| 37 |
# moduleload accesslog.la |
| 38 |
# moduleload auditlog.la |
| 39 |
# moduleload back_sql.la |
| 40 |
# moduleload chain.la |
| 41 |
# moduleload collect.la |
| 42 |
# moduleload constraint.la |
| 43 |
# moduleload dds.la |
| 44 |
# moduleload deref.la |
| 45 |
# moduleload dyngroup.la |
| 46 |
# moduleload dynlist.la |
| 47 |
# moduleload memberof.la |
| 48 |
# moduleload pbind.la |
| 49 |
# moduleload pcache.la |
| 50 |
# moduleload ppolicy.la |
| 51 |
# moduleload refint.la |
| 52 |
# moduleload retcode.la |
| 53 |
# moduleload rwm.la |
| 54 |
# moduleload seqmod.la |
| 55 |
# moduleload smbk5pwd.la |
| 56 |
# moduleload sssvlv.la |
| 57 |
# moduleload syncprov.la |
| 58 |
# moduleload translucent.la |
| 59 |
# moduleload unique.la |
| 60 |
# moduleload valsort.la |
| 61 |
|
| 62 |
# The next three lines allow use of TLS for encrypting connections using a |
| 63 |
# dummy test certificate which you can generate by running |
| 64 |
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk |
| 65 |
# at self-signed certificates, however. |
| 66 |
TLSCACertificatePath /etc/openldap/certs |
| 67 |
TLSCertificateFile "\"OpenLDAP Server\"" |
| 68 |
TLSCertificateKeyFile /etc/openldap/certs/password |
| 69 |
|
| 70 |
# Sample security restrictions |
| 71 |
# Require integrity protection (prevent hijacking) |
| 72 |
# Require 112-bit (3DES or better) encryption for updates |
| 73 |
# Require 63-bit encryption for simple bind |
| 74 |
# security ssf=1 update_ssf=112 simple_bind=64 |
| 75 |
|
| 76 |
# Sample access control policy: |
| 77 |
# Root DSE: allow anyone to read it |
| 78 |
# Subschema (sub)entry DSE: allow anyone to read it |
| 79 |
# Other DSEs: |
| 80 |
# Allow self write access |
| 81 |
# Allow authenticated users read access |
| 82 |
# Allow anonymous users to authenticate |
| 83 |
# Directives needed to implement policy: |
| 84 |
# access to dn.base="" by * read |
| 85 |
# access to dn.base="cn=Subschema" by * read |
| 86 |
# access to * |
| 87 |
# by self write |
| 88 |
# by users read |
| 89 |
# by anonymous auth |
| 90 |
# |
| 91 |
# if no access controls are present, the default policy |
| 92 |
# allows anyone and everyone to read anything but restricts |
| 93 |
# updates to rootdn. (e.g., "access to * by * read") |
| 94 |
# |
| 95 |
# rootdn can always read and write EVERYTHING! |
| 96 |
|
| 97 |
# enable on-the-fly configuration (cn=config) |
| 98 |
database config |
| 99 |
access to * |
| 100 |
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage |
| 101 |
by * none |
| 102 |
|
| 103 |
# enable server status monitoring (cn=monitor) |
| 104 |
database monitor |
| 105 |
access to * |
| 106 |
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read |
| 107 |
by dn.exact="cn=Manager,dc=my-domain,dc=com" read |
| 108 |
by * none |
| 109 |
|
| 110 |
####################################################################### |
| 111 |
# database definitions |
| 112 |
####################################################################### |
| 113 |
|
| 114 |
database bdb |
| 115 |
suffix "dc=my-domain,dc=com" |
| 116 |
checkpoint 1024 15 |
| 117 |
rootdn "cn=Manager,dc=my-domain,dc=com" |
| 118 |
# Cleartext passwords, especially for the rootdn, should |
| 119 |
# be avoided. See slappasswd(8) and slapd.conf(5) for details. |
| 120 |
# Use of strong authentication encouraged. |
| 121 |
# rootpw secret |
| 122 |
# rootpw {crypt}ijFYNcSNctBYg |
| 123 |
|
| 124 |
# The database directory MUST exist prior to running slapd AND |
| 125 |
# should only be accessible by the slapd and slap tools. |
| 126 |
# Mode 700 recommended. |
| 127 |
directory /var/lib/ldap |
| 128 |
|
| 129 |
# Indices to maintain for this database |
| 130 |
index objectClass eq,pres |
| 131 |
index ou,cn,mail,surname,givenname eq,pres,sub |
| 132 |
index uidNumber,gidNumber,loginShell eq,pres |
| 133 |
index uid,memberUid eq,pres,sub |
| 134 |
index nisMapName,nisMapEntry eq,pres,sub |
| 135 |
|
| 136 |
# Replicas of this database |
| 137 |
#replogfile /var/lib/ldap/openldap-master-replog |
| 138 |
#replica host=ldap-1.example.com:389 starttls=critical |
| 139 |
# bindmethod=sasl saslmech=GSSAPI |
| 140 |
# authcId=host/ldap-master.example.com@EXAMPLE.COM |
Parent Directory
| 
Revision Log
| 
Revision Graph
