# slapd.conf template
# Rendered through ERB: the <% %> / <%= %> tags are evaluated at render time,
# every other line is written to slapd.conf verbatim.
# Directive order matters in slapd.conf: global settings come first, then one
# section per "database" line; "access", "overlay" and "index" directives
# apply to the most recently declared database.
include /usr/share/openldap/schema/core.schema
include /usr/share/openldap/schema/cosine.schema
include /usr/share/openldap/schema/corba.schema
include /usr/share/openldap/schema/inetorgperson.schema
include /usr/share/openldap/schema/java.schema
include /usr/share/openldap/schema/krb5-kdc.schema
#include /usr/share/openldap/schema/kerberosobject.schema
include /usr/share/openldap/schema/misc.schema
include /usr/share/openldap/schema/rfc2307bis.schema
include /usr/share/openldap/schema/openldap.schema
#include /usr/share/openldap/schema/autofs.schema
include /usr/share/openldap/schema/samba.schema
# removed as it causes an issue on 2010.0 :
# /usr/share/openldap/schema/kolab.schema:
# line 175 objectclass: Duplicate objectClass: "1.3.6.1.4.1.5322.13.1.1"
#include /usr/share/openldap/schema/kolab.schema
include /usr/share/openldap/schema/evolutionperson.schema
include /usr/share/openldap/schema/calendar.schema
include /usr/share/openldap/schema/sudo.schema
include /usr/share/openldap/schema/dnszone.schema
include /usr/share/openldap/schema/dhcp.schema
include /usr/share/openldap/schema/dyngroup.schema
include /usr/share/openldap/schema/ppolicy.schema
include /usr/share/openldap/schema/openssh-lpk_openldap.schema
#include /etc/openldap/schema/local.schema
pidfile /var/run/ldap/slapd.pid
argsfile /var/run/ldap/slapd.args
# Backend and overlay modules are loaded from the distribution library dir.
modulepath <%= lib_dir %>/openldap
# back_bdb is loaded as a module only on newer releases, while "database bdb"
# below is unconditional -- presumably the backend is built in on older
# releases; confirm before dropping the version check.
<% if scope.function_versioncmp([lsbdistrelease, '4']) >= 0 %>
moduleload back_bdb.la
<% end %>
moduleload back_monitor.la
moduleload syncprov.la
moduleload ppolicy.la
#moduleload refint.la
moduleload memberof.la
moduleload unique.la
moduleload dynlist.la
moduleload constraint.la
# Server certificate, private key and CA certificate are all read from the
# same PEM file, so that file must hold the complete bundle.  Because it
# also contains the private key it should be readable only by the account
# slapd runs as.
TLSCertificateFile /etc/ssl/openldap/ldap.<%= domain %>.pem
TLSCertificateKeyFile /etc/ssl/openldap/ldap.<%= domain %>.pem
TLSCACertificateFile /etc/ssl/openldap/ldap.<%= domain %>.pem
# Give ldapi connection some security
# SSF credited to ldapi:// (unix socket) sessions so they meet the
# "security ssf=56" floor below without negotiating TLS.
localSSF 56
# Require at least this security, so we allow:
# ldapi
# ldap+start_tls
# ldaps
# A plain ldap:// session must negotiate StartTLS before other operations
# are accepted.  56 is a low floor (TLS sessions generally report a much
# higher SSF), so in practice it means "any TLS", not a cipher-strength
# requirement -- raise it if a specific minimum strength is wanted.
security ssf=56
# 256 = "stats": connections, operations and results are logged.
loglevel 256
database monitor
# Only members of the two System Groups may read cn=Monitor; everyone else,
# including other authenticated users, is denied.
access to dn.subtree="cn=Monitor"
by group.exact="cn=LDAP Monitors,ou=System Groups,<%= dc_suffix %>" read
by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" read
by * none
database bdb
suffix "<%= dc_suffix %>"
directory /var/lib/ldap
# No rootpw directive appears in this template, so the manager credential
# must come from elsewhere; in the test environment the authz-regexp at the
# end of the file maps local root over ldapi to this DN -- verify how
# non-test hosts are expected to bind as rootdn.
rootdn "cn=manager,<%= dc_suffix %>"
# Flush the transaction log every 256 KB or 5 minutes, whichever comes first.
checkpoint 256 5
# 32Mbytes, can hold about 10k posixAccount entries
dbconfig set_cachesize 0 33554432 1
dbconfig set_lg_bsize 2097152
cachesize 1000
idlcachesize 3000
index objectClass eq
index uidNumber,gidNumber,memberuid,member,owner eq
index uid eq,subinitial
index cn,mail,surname,givenname eq,subinitial
index sambaSID eq,sub
index sambaDomainName,displayName,sambaGroupType eq
index sambaSIDList eq
index krb5PrincipalName eq
index uniqueMember pres,eq
index zoneName,relativeDomainName eq
index sudouser eq,sub
# entryCSN/entryUUID eq indexes are the ones the syncprov overlay below
# relies on for efficient replication queries.
index entryCSN,entryUUID eq
index dhcpHWAddress,dhcpClassData eq
# Overlays are stacked on the bdb database in declaration order.
overlay memberof
# syncprov makes this database a replication provider for syncrepl consumers.
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
# Password policy: hash any cleartext userPassword on write and honour the
# lockout settings of the default policy entry.
overlay ppolicy
ppolicy_default "cn=default,ou=Password Policies,<%= dc_suffix %>"
ppolicy_hash_cleartext yes
ppolicy_use_lockout yes
# Reject writes that would duplicate a mail value anywhere in the tree.
overlay unique
unique_uri ldap:///?mail?sub?
# Expand memberURL of groupOfURLs entries into member values on read.
overlay dynlist
dynlist-attrset groupOfURLs memberURL member
# Only ssh-rsa and ssh-dss public keys satisfy this regex; writes of other
# OpenSSH key types (e.g. ssh-ed25519, ecdsa-sha2-*) are rejected -- widen
# the pattern if those are needed.
overlay constraint
constraint_attribute sshPublicKey regex "^ssh-(rsa|dss) [[:graph:]]+ [[:graph:]]+$"
# uncomment if you want to automatically update group
# memberships when a user is removed from the tree
# Also uncomment the refint.la moduleload above
#overlay refint
#refint_attributes member
#refint_nothing "uid=LDAP Admin,ou=System Accounts,dc=example,dc=com"
<% if environment == "test" %>
# Test environment only: map the local root user connecting over ldapi
# (SASL EXTERNAL, peercred) to the rootdn, and SASL identities uid=X to
# the matching entry under ou=People.  The second line of the first
# authz-regexp has to be a continuation line (leading whitespace) for slapd
# to parse it; the rendering shown here has none, so confirm the source
# template keeps that indentation.
authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
"cn=manager,<%= dc_suffix %>"
authz-regexp ^uid=([^,]+),cn=[^,]+,cn=auth$ uid=$1,ou=People,<%= dc_suffix %>
<% end %>
# Included while the bdb database section is still current, so the access
# rules in that file govern the main suffix.
include /etc/openldap/mandriva-dit-access.conf