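  1. ## See slapd.conf(5) for details on configuration options.
  2. # This file should NOT be world readable.
  3. # NOTE(review): it holds the rootpw hash, so keep it readable only by the
  4. # account slapd runs as, and treat any copy that leaves the host (backups,
  5. # pastes, tickets) as disclosed.
  6. #
  7. include /etc/openldap/schema/core.schema
  8. 
  9. # Define global ACLs to disable default read access.
  10. #
  11. # Typically used schemas
  12. include /etc/openldap/schema/cosine.schema
  13. include /etc/openldap/schema/inetorgperson.schema
  14. include /etc/openldap/schema/nis.schema
  15. include /etc/openldap/schema/openldap.schema
  16. include /etc/openldap/schema/misc.schema
  17. include /etc/openldap/schema/samba.schema
  18. 
  19. # Do not enable referrals until AFTER you have a working directory
  20. # service AND an understanding of referrals.
  21. #referral       ldap://root.openldap.org
  22. 
  23. pidfile         /run/openldap/slapd.pid
  24. argsfile        /run/openldap/slapd.args
  25. 
  26. # Load dynamic backend modules:
  27. modulepath      /usr/lib/openldap
  28. moduleload      back_bdb.la
  29. #moduleload  accesslog.la
  30. # moduleload  syncprov.la
  31. # moduleload    back_hdb.la
  32. # moduleload    back_ldap.la
  33. 
  34. # Sample security restrictions
  35. #       Require integrity protection (prevent hijacking)
  36. #       Require 112-bit (3DES or better) encryption for updates
  37. #       Require 63-bit encryption for simple bind
  38. #security ssf=1 update_ssf=112 simple_bind=64
  39. # NOTE(review): with the security directive commented out and the TLS
  40. # directives at the end of this file also commented out, a simple bind
  41. # sends the userPassword value in cleartext over ldap://. Configure TLS
  42. # and a security directive like the sample above before this directory
  43. # is reachable from a network.
  44. 
  45. # Sample access control policy:
  46. #       Root DSE: allow anyone to read it
  47. #       Subschema (sub)entry DSE: allow anyone to read it
  48. #       Other DSEs:
  49. #               Allow self write access
  50. #               Allow authenticated users read access
  51. #               Allow anonymous users to authenticate
  52. #       Directives needed to implement policy:
  53. # access to dn.base="" by * read
  54. # access to dn.base="cn=Subschema" by * read
  55. # access to *
  56. # by anonymous read
  57. # by * none
  58. #       by self write
  59. #       by users read
  60. #       by anonymous auth
  61. #
  62. # The dn.base="cn=Manager,..." clauses below are redundant: that DN is the
  63. # rootdn of the database, and rootdn bypasses access controls entirely.
  64. access to * attrs=userPassword
  65.         by self write
  66.         by anonymous auth
  67.         by dn.base="cn=Manager,dc=domain,dc=net" write
  68.         by * none
  69. 
  70. # NOTE(review): "by self write" on every attribute lets an entry change all
  71. # of its own attributes, including the posixAccount attributes from
  72. # nis.schema (uidNumber, gidNumber, homeDirectory, loginShell) that client
  73. # hosts trust when this directory backs POSIX accounts. Prefer an explicit
  74. # attrs= list for self write.
  75. # NOTE(review): "by * read" grants anonymous clients read access to every
  76. # other attribute of every entry; use "by users read" unless the directory
  77. # contents are meant to be public.
  78. access to *
  79.         by self write
  80.         by dn.base="cn=Manager,dc=domain,dc=net" write
  81.         by * read
  82. 
  83. # if no access controls are present, the default policy
  84. # allows anyone and everyone to read anything but restricts
  85. # updates to rootdn.  (e.g., "access to * by * read")
  86. #
  87. # rootdn can always read and write EVERYTHING!
  88. #
  89. # Create strong root pw with:  echo "rootpw   $(slappasswd)" >> /etc/openldap/slapd.conf
  90. 
  91. # NOTE(review): every flag here relaxes the default bind policy (none of
  92. # them is allowed by default). bind_anon_dn accepts unauthenticated binds
  93. # (a DN with an empty password), which some client applications misread as
  94. # a successful login; update_anon lets anonymous update requests reach the
  95. # ACLs instead of being refused up front; bind_v2 is only needed for legacy
  96. # LDAPv2 clients. Keep only the flags a known client requires.
  97. allow bind_v2 bind_anon_cred bind_anon_dn update_anon
  98. 
  99. #######################################################################
  100. # BDB database definitions
  101. #######################################################################
  102. 
  103. # NOTE(review): back_bdb is deprecated upstream in favour of back_mdb and
  104. # absent from recent releases; confirm it exists in the installed build.
  105. database        bdb
  106. suffix  "dc=domain,dc=net"
  107. rootdn  "cn=Manager,dc=domain,dc=net"
  108. # Cleartext passwords, especially for the rootdn, should
  109. # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
  110. # Use of strong authentication encouraged.
  111. # NOTE(review): this hash has been copied off the host (it appears in a
  112. # public paste), so it is exposed to offline guessing; generate a new value
  113. # with slappasswd(8) and replace it.
  114. rootpw   {SSHA}Dk48FvXvbzNeI8N2O1qeuisUTyUQkbws
  115. 
  116. # The database directory MUST exist prior to running slapd AND
  117. # should only be accessible by the slapd and slap tools.
  118. # Mode 700 recommended.
  119. directory       /var/lib/openldap/openldap-data
  120. # Indices to maintain
  121. index   objectClass     eq
  122. 
  123. # Typically used indexes
  124. index   uid             pres,eq
  125. index   mail            pres,sub,eq
  126. index   cn              pres,sub,eq
  127. index   sn              pres,sub,eq
  128. index   dc              eq
  129. 
  130. # Certificate/SSL Section
  131. # NOTE(review): with every TLS directive disabled slapd has no certificate
  132. # and cannot serve ldaps:// or StartTLS; see the note above the security
  133. # directive.
  134. #TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3
  135. #TLSCipherSuite DEFAULT
  136. #TLSCACertificateFile /etc/openldap/ssl/ca_server.pem
  137. #TLSCertificateFile /etc/openldap/ssl/slapdcert.pem
  138. #TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem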