# slapd.conf template include /usr/share/openldap/schema/core.schema include /usr/share/openldap/schema/cosine.schema include /usr/share/openldap/schema/corba.schema include /usr/share/openldap/schema/inetorgperson.schema include /usr/share/openldap/schema/java.schema include /usr/share/openldap/schema/krb5-kdc.schema #include /usr/share/openldap/schema/kerberosobject.schema include /usr/share/openldap/schema/misc.schema include /usr/share/openldap/schema/rfc2307bis.schema include /usr/share/openldap/schema/openldap.schema #include /usr/share/openldap/schema/autofs.schema include /usr/share/openldap/schema/samba.schema # removed as it cause issue on 2010.0 : # /usr/share/openldap/schema/kolab.schema: # line 175 objectclass: Duplicate objectClass: "1.3.6.1.4.1.5322.13.1.1" #include /usr/share/openldap/schema/kolab.schema include /usr/share/openldap/schema/evolutionperson.schema include /usr/share/openldap/schema/calendar.schema include /usr/share/openldap/schema/sudo.schema include /usr/share/openldap/schema/dnszone.schema include /usr/share/openldap/schema/dhcp.schema include /usr/share/openldap/schema/dyngroup.schema include /usr/share/openldap/schema/ppolicy.schema include /usr/share/openldap/schema/openssh-lpk_openldap.schema #include /etc/openldap/schema/local.schema pidfile /var/run/ldap/slapd.pid argsfile /var/run/ldap/slapd.args modulepath <%= lib_dir %>/openldap <% if scope.function_versioncmp([lsbdistrelease, '4']) >= 0 %> <% if scope.function_versioncmp([lsbdistrelease, '6']) < 0 -%> moduleload back_bdb.la <% else %> moduleload back_mdb.la <% end %> <% end %> moduleload back_monitor.la moduleload syncprov.la moduleload ppolicy.la #moduleload refint.la moduleload memberof.la moduleload unique.la moduleload dynlist.la moduleload constraint.la TLSCertificateFile /etc/ssl/openldap/ldap.<%= domain %>.pem TLSCertificateKeyFile /etc/ssl/openldap/ldap.<%= domain %>.pem TLSCACertificateFile /etc/ssl/openldap/ldap.<%= domain %>.pem # Give ldapi connection some security localSSF 56 # Require at least this security, so we allow: # ldapi # ldap+start_tls # ldaps security ssf=56 loglevel 256 database monitor access to dn.subtree="cn=Monitor" by group.exact="cn=LDAP Monitors,ou=System Groups,<%= dc_suffix %>" read by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" read by * none <% if scope.function_versioncmp([lsbdistrelease, '6']) < 0 -%> database bdb <% else %> database mdb <% end %> suffix "<%= dc_suffix %>" directory /var/lib/ldap rootdn "cn=manager,<%= dc_suffix %>" checkpoint 256 5 <% if scope.function_versioncmp([lsbdistrelease, '6']) < 0 -%> # 32Mbytes, can hold about 10k posixAccount entries dbconfig set_cachesize 0 33554432 1 dbconfig set_lg_bsize 2097152 cachesize 1000 idlcachesize 3000 <% end %> index objectClass eq index uidNumber,gidNumber,memberuid,member,owner eq index uid eq,subinitial index cn,mail,surname,givenname eq,subinitial index sambaSID eq,sub index sambaDomainName,displayName,sambaGroupType eq index sambaSIDList eq index krb5PrincipalName eq index uniqueMember pres,eq index zoneName,relativeDomainName eq index sudouser eq,sub index entryCSN,entryUUID eq index dhcpHWAddress,dhcpClassData eq overlay memberof overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 overlay ppolicy ppolicy_default "cn=default,ou=Password Policies,<%= dc_suffix %>" ppolicy_hash_cleartext yes ppolicy_use_lockout yes overlay unique unique_uri ldap:///?mail?sub? overlay dynlist dynlist-attrset groupOfURLs memberURL member overlay constraint constraint_attribute sshPublicKey regex "^ssh-(rsa|dss) [[:graph:]]+ [[:graph:]]+$" # uncomment if you want to automatically update group # memberships when an user is removed from the tree # Also uncomment the refint.la moduleload above #overlay refint #refint_attributes member #refint_nothing "uid=LDAP Admin,ou=System Accounts,dc=example,dc=com" <% if environment == "test" %> authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=manager,<%= dc_suffix %>" authz-regexp ^uid=([^,]+),cn=[^,]+,cn=auth$ uid=$1,ou=People,<%= dc_suffix %> <% end %> include /etc/openldap/mandriva-dit-access.conf