1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
|
# slapd.conf template
include /usr/share/openldap/schema/core.schema
include /usr/share/openldap/schema/cosine.schema
include /usr/share/openldap/schema/corba.schema
include /usr/share/openldap/schema/inetorgperson.schema
include /usr/share/openldap/schema/java.schema
include /usr/share/openldap/schema/krb5-kdc.schema
#include /usr/share/openldap/schema/kerberosobject.schema
include /usr/share/openldap/schema/misc.schema
include /usr/share/openldap/schema/rfc2307bis.schema
include /usr/share/openldap/schema/openldap.schema
#include /usr/share/openldap/schema/autofs.schema
include /usr/share/openldap/schema/samba.schema
include /usr/share/openldap/schema/kolab.schema
include /usr/share/openldap/schema/evolutionperson.schema
include /usr/share/openldap/schema/calendar.schema
include /usr/share/openldap/schema/sudo.schema
include /usr/share/openldap/schema/dnszone.schema
include /usr/share/openldap/schema/dhcp.schema
include /usr/share/openldap/schema/dyngroup.schema
include /usr/share/openldap/schema/ppolicy.schema
include /usr/share/openldap/schema/openssh-lpk_openldap.schema
#include /etc/openldap/schema/local.schema
pidfile /var/run/ldap/slapd.pid
argsfile /var/run/ldap/slapd.args
modulepath <%= lib_dir %>/openldap
moduleload back_monitor.la
moduleload syncprov.la
moduleload ppolicy.la
#moduleload refint.la
moduleload memberof.la
TLSCertificateFile /etc/ssl/openldap/ldap.pem
TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem
TLSCACertificateFile /etc/ssl/openldap/ldap.pem
# Give ldapi connection some security
localSSF 56
# Require at least this security, so we allow:
# ldapi
# ldap+start_tls
# ldaps
security ssf=56
loglevel 256
database bdb
suffix "<%= dc_suffix %>"
directory /var/lib/ldap
rootdn "cn=manager,<%= dc_suffix %>"
checkpoint 256 5
# 32Mbytes, can hold about 10k posixAccount entries
dbconfig set_cachesize 0 33554432 1
dbconfig set_lg_bsize 2097152
cachesize 1000
idlcachesize 3000
index objectClass eq
index uidNumber,gidNumber,memberuid,member eq
index uid eq,subinitial
index cn,mail,surname,givenname eq,subinitial
index sambaSID eq,sub
index sambaDomainName,displayName,sambaGroupType eq
index sambaSIDList eq
index krb5PrincipalName eq
index uniqueMember pres,eq
index zoneName,relativeDomainName eq
index sudouser eq,sub
index entryCSN,entryUUID eq
index dhcpHWAddress,dhcpClassData eq
overlay memberof
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
overlay ppolicy
ppolicy_default "cn=default,ou=Password Policies,<%= dc_suffix %>"
ppolicy_hash_cleartext yes
ppolicy_use_lockout yes
# uncomment if you want to automatically update group
# memberships when an user is removed from the tree
# Also uncomment the refint.la moduleload above
#overlay refint
#refint_attributes member
#refint_nothing "uid=LDAP Admin,ou=System Accounts,dc=example,dc=com"
authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
"uid=Account Admin,ou=System Accounts,<%= dc_suffix %>"
authz-regexp ^uid=([^,]+),cn=[^,]+,cn=auth$ uid=$1,ou=People,<%= dc_suffix %>
include /etc/openldap/mandriva-dit-access.conf
database monitor
access to dn.subtree="cn=Monitor"
by group.exact="cn=LDAP Monitors,ou=System Groups,<%= dc_suffix %>" read
by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" read
by * none
|