diff options
Diffstat (limited to 'modules/openldap/templates')
| -rw-r--r-- | modules/openldap/templates/init_ldap.sh | 2 | ||||
| -rw-r--r-- | modules/openldap/templates/mandriva-dit-access.conf | 5 | ||||
| -rw-r--r-- | modules/openldap/templates/slapd-slave.sysconfig | 38 | ||||
| -rw-r--r-- | modules/openldap/templates/slapd.conf | 15 | ||||
| -rw-r--r-- | modules/openldap/templates/slapd.syncrepl.conf | 4 | ||||
| -rw-r--r-- | modules/openldap/templates/slapd.sysconfig | 37 | ||||
| -rw-r--r-- | modules/openldap/templates/slapd.test.conf | 1 |
7 files changed, 94 insertions, 8 deletions
diff --git a/modules/openldap/templates/init_ldap.sh b/modules/openldap/templates/init_ldap.sh index a596cfe7..dfcaf236 100644 --- a/modules/openldap/templates/init_ldap.sh +++ b/modules/openldap/templates/init_ldap.sh @@ -28,7 +28,7 @@ end -%> <% # FIXME automatically get the list of servers -for g in ['valstar','alamut'] %> +for g in ['duvel','alamut'] %> dn: cn=<%= g%>.<%= domain %>,ou=Hosts,<%= dc_suffix %> objectClass: device objectClass: simpleSecurityObject diff --git a/modules/openldap/templates/mandriva-dit-access.conf b/modules/openldap/templates/mandriva-dit-access.conf index 68a2c7f8..361d956b 100644 --- a/modules/openldap/templates/mandriva-dit-access.conf +++ b/modules/openldap/templates/mandriva-dit-access.conf @@ -66,7 +66,7 @@ access to dn.subtree="<%= dc_suffix %>" by self write by * none # password history attribute -# pwdHistory is read-only, but ACL is simplier with it here +# pwdHistory is read-only, but ACL is simpler with it here access to dn.subtree="<%= dc_suffix %>" attrs=sambaPasswordHistory,pwdHistory by self read @@ -113,7 +113,7 @@ access to dn.subtree="ou=People,<%= dc_suffix %>" # let the user change some of his/her attributes access to dn.subtree="ou=People,<%= dc_suffix %>" - attrs=cn,sn,givenName,carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage,sshPublicKey + attrs=cn,sn,givenName,carLicense,drink,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage,sshPublicKey by self write by users read @@ -193,4 +193,3 @@ access to dn.sub="ou=KDEConfig,<%= dc_suffix %>" # last one access to dn.subtree="<%= dc_suffix %>" attrs=entry,uid,cn by users read - diff --git a/modules/openldap/templates/slapd-slave.sysconfig b/modules/openldap/templates/slapd-slave.sysconfig new file mode 100644 index 00000000..9bff24ff --- /dev/null +++ b/modules/openldap/templates/slapd-slave.sysconfig @@ -0,0 +1,38 @@ +# debug level for slapd +SLAPDSYSLOGLEVEL="0" +SLAPDSYSLOGLOCALUSER="local4" + +# SLAPD URL list +SLAPDURLLIST="ldap:/// ldaps:/// ldapi:///" + +# Config file to use for slapd +#SLAPDCONF=/etc/openldap/slapd.conf + +# Which user to run as +#LDAPUSER=ldap +#LDAPGROUP=ldap + +# Should file permissions on database files be fixed at startup. Default is yes +# FIXPERMS=no + +# Whether database recovery should be run before starting slapd in start +# (not strictly be necessary in 2.3). Default is no +# AUTORECOVER=yes + +# At what intervals to run ldap-hot-db-backup from cron, which will +# do hot database backups for all bdb/hdb databases, and archive +# unnecessary transaction logs, one of hourly,daily,weekly,monthly,yearly +# Default is daily +# Slave does not need a backup +RUN_DB_BACKUP=never + +# How many days to keep archived transaction logs for. This should be just +# greater than the backup interval on these files. Default is 7 +# KEEP_ARCHIVES_DAYS=7 + +# How many files slapd should be able to have open. By default, the process +# will inherit the default per-process limit (usually 1024), which may +# not be enough, so ulimit -n is run with the value in MAXFILES (which +# defaults to 1024 as well). 4096 is the maximum OpenLDAP will use without +# recompiling. +# MAXFILES=4096 diff --git a/modules/openldap/templates/slapd.conf b/modules/openldap/templates/slapd.conf index 9451d6cd..d82fe088 100644 --- a/modules/openldap/templates/slapd.conf +++ b/modules/openldap/templates/slapd.conf @@ -30,6 +30,11 @@ pidfile /var/run/ldap/slapd.pid argsfile /var/run/ldap/slapd.args modulepath <%= lib_dir %>/openldap +<% if @hostname == 'duvel' then %> +moduleload back_bdb.la +<% else %> +moduleload back_mdb.la +<% end %> moduleload back_monitor.la moduleload syncprov.la moduleload ppolicy.la @@ -59,17 +64,25 @@ access to dn.subtree="cn=Monitor" by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" read by * none +<% if @hostname == 'duvel' then %> database bdb +<% else %> +database mdb +# mdb defaults to 10MB max DB, so we need to hardcode some better value :( +maxsize 500000000 +<% end %> suffix "<%= dc_suffix %>" directory /var/lib/ldap rootdn "cn=manager,<%= dc_suffix %>" checkpoint 256 5 +<% if @hostname == 'duvel' then %> # 32Mbytes, can hold about 10k posixAccount entries dbconfig set_cachesize 0 33554432 1 dbconfig set_lg_bsize 2097152 cachesize 1000 idlcachesize 3000 +<% end %> index objectClass eq index uidNumber,gidNumber,memberuid,member,owner eq @@ -104,7 +117,7 @@ dynlist-attrset groupOfURLs memberURL member overlay constraint -constraint_attribute sshPublicKey regex "^ssh-(rsa|dss) [[:graph:]]+ [[:graph:]]+$" +constraint_attribute sshPublicKey regex "^ssh-(rsa|dss|ed25519) [[:graph:]]+ [[:graph:]]+$" # uncomment if you want to automatically update group # memberships when an user is removed from the tree diff --git a/modules/openldap/templates/slapd.syncrepl.conf b/modules/openldap/templates/slapd.syncrepl.conf index d9aa4cfe..2bfe7d50 100644 --- a/modules/openldap/templates/slapd.syncrepl.conf +++ b/modules/openldap/templates/slapd.syncrepl.conf @@ -6,6 +6,6 @@ syncrepl rid=<%= rid %> bindmethod=simple binddn="cn=syncuser-<%= hostname%>,ou=System Accounts,<%= dc_suffix %>" credentials=<%= sync_password %> - -updateref ldaps://ldap-master.<%= domain %>:636 + tls_reqcert=never +updateref ldaps://ldap-master.<%= domain %>:636 diff --git a/modules/openldap/templates/slapd.sysconfig b/modules/openldap/templates/slapd.sysconfig new file mode 100644 index 00000000..e6ae2e05 --- /dev/null +++ b/modules/openldap/templates/slapd.sysconfig @@ -0,0 +1,37 @@ +# debug level for slapd +SLAPDSYSLOGLEVEL="0" +SLAPDSYSLOGLOCALUSER="local4" + +# SLAPD URL list +SLAPDURLLIST="ldap:/// ldaps:/// ldapi:///" + +# Config file to use for slapd +#SLAPDCONF=/etc/openldap/slapd.conf + +# Which user to run as +#LDAPUSER=ldap +#LDAPGROUP=ldap + +# Should file permissions on database files be fixed at startup. Default is yes +# FIXPERMS=no + +# Whether database recovery should be run before starting slapd in start +# (not strictly be necessary in 2.3). Default is no +# AUTORECOVER=yes + +# At what intervals to run ldap-hot-db-backup from cron, which will +# do hot database backups for all bdb/hdb databases, and archive +# unnecessary transaction logs, one of hourly,daily,weekly,monthly,yearly +# Default is daily +# RUN_DB_BACKUP=daily + +# How many days to keep archived transaction logs for. This should be just +# greater than the backup interval on these files. Default is 7 +# KEEP_ARCHIVES_DAYS=7 + +# How many files slapd should be able to have open. By default, the process +# will inherit the default per-process limit (usually 1024), which may +# not be enough, so ulimit -n is run with the value in MAXFILES (which +# defaults to 1024 as well). 4096 is the maximum OpenLDAP will use without +# recompiling. +# MAXFILES=4096 diff --git a/modules/openldap/templates/slapd.test.conf b/modules/openldap/templates/slapd.test.conf index 355efb8e..8befa55a 100644 --- a/modules/openldap/templates/slapd.test.conf +++ b/modules/openldap/templates/slapd.test.conf @@ -7,4 +7,3 @@ authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=manager,dc=test_ldap" # force ssl security ssf=56 - |