diff --git a/slapd.conf.obsolete b/slapd.conf.obsolete
index 6def6d2..d8220b5 100644
--- a/slapd.conf.obsolete
+++ b/slapd.conf.obsolete
@@ -36,8 +36,15 @@ argsfile /var/run/openldap/slapd.args
 # moduleload accesslog.la
 # moduleload auditlog.la
-# moduleload back_sql.la
-# moduleload chain.la
+# moduleload back_dnssrv.la
+# moduleload back_ldap.la
+# moduleload back_mdb.la
+# moduleload back_meta.la
+# moduleload back_null.la
+# moduleload back_passwd.la
+# moduleload back_relay.la
+# moduleload back_shell.la
+# moduleload back_sock.la
 # moduleload collect.la
 # moduleload constraint.la
 # moduleload dds.la
@@ -45,7 +52,6 @@ argsfile /var/run/openldap/slapd.args
 # moduleload dyngroup.la
 # moduleload dynlist.la
 # moduleload memberof.la
-# moduleload pbind.la
 # moduleload pcache.la
 # moduleload ppolicy.la
 # moduleload refint.la
diff --git a/slapd.ldif b/slapd.ldif
index 9904767..a016384 100644
--- a/slapd.ldif
+++ b/slapd.ldif
@@ -2,49 +2,90 @@
 # See slapd-config(5) for details on configuration options.
 # This file should NOT be world readable.
 #
+
 dn: cn=config
 objectClass: olcGlobal
 cn: config
+olcArgsFile: /var/run/openldap/slapd.args
+olcPidFile: /var/run/openldap/slapd.pid
 #
+# TLS settings
 #
-# Define global ACLs to disable default read access.
-#
-olcArgsFile: /var/run/slapd.args
-olcPidFile: /var/run/slapd.pid
+#olcTLSCACertificateFile: /etc/pki/tls/certs/ca-bundle.crt
+#olcTLSCertificateFile: /etc/pki/tls/certs/slapd.pem
+#olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapd.pem
 #
 # Do not enable referrals until AFTER you have a working directory
 # service AND an understanding of referrals.
-#olcReferral: ldap://root.openldap.org
+#
+#olcReferral: ldap://root.openldap.org
 #
 # Sample security restrictions
 # Require integrity protection (prevent hijacking)
 # Require 112-bit (3DES or better) encryption for updates
 # Require 64-bit encryption for simple bind
+#
 #olcSecurity: ssf=1 update_ssf=112 simple_bind=64
 #
 # Load dynamic backend modules:
+# - modulepath is architecture dependent value (32/64-bit system)
+# - back_sql.la backend requires openldap-servers-sql package
+# - dyngroup.la and dynlist.la cannot be used at the same time
 #
+
 #dn: cn=module,cn=config
 #objectClass: olcModuleList
 #cn: module
+#olcModulepath: /usr/lib/openldap
 #olcModulepath: /usr/lib64/openldap
-#olcModuleload: back_bdb.la
-#olcModuleload: back_hdb.la
-#olcModuleload: back_ldap.la
-#olcModuleload: back_passwd.la
-#olcModuleload: back_shell.la
+#olcModuleload: accesslog.la
+#olcModuleload: auditlog.la
+#olcModuleload: back_dnssrv.la
+#olcModuleload: back_ldap.la
+#olcModuleload: back_mdb.la
+#olcModuleload: back_meta.la
+#olcModuleload: back_null.la
+#olcModuleload: back_passwd.la
+#olcModuleload: back_relay.la
+#olcModuleload: back_shell.la
+#olcModuleload: back_sock.la
+#olcModuleload: collect.la
+#olcModuleload: constraint.la
+#olcModuleload: dds.la
+#olcModuleload: deref.la
+#olcModuleload: dyngroup.la
+#olcModuleload: dynlist.la
+#olcModuleload: memberof.la
+#olcModuleload: pcache.la
+#olcModuleload: ppolicy.la
+#olcModuleload: refint.la
+#olcModuleload: retcode.la
+#olcModuleload: rwm.la
+#olcModuleload: seqmod.la
+#olcModuleload: smbk5pwd.la
+#olcModuleload: sssvlv.la
+#olcModuleload: syncprov.la
+#olcModuleload: translucent.la
+#olcModuleload: unique.la
+#olcModuleload: valsort.la
+#
+# Schema settings
+#
+
 dn: cn=schema,cn=config
 objectClass: olcSchemaConfig
 cn: schema
 include: file:///etc/openldap/schema/core.ldif
+#
 # Frontend settings
 #
+
 dn: olcDatabase=frontend,cn=config
 objectClass: olcDatabaseConfig
 olcDatabase: frontend
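Review bot: The new comment `# - back_sql.la backend requires openldap-servers-sql package` documents a module that the `#olcModuleload:` list directly below it never names, while the slapd.conf.obsolete hunk in this same commit removes `# moduleload back_sql.la`; either add `#olcModuleload: back_sql.la` to the list or drop the bullet so the two files agree. The TLS template points `olcTLSCertificateFile` and `olcTLSCertificateKeyFile` at the same `/etc/pki/tls/certs/slapd.pem`, which presumably means the private key is expected to sit in the certificate file under a certs directory; a note such as `# The key file must be readable only by the slapd service account` above those lines would keep operators from deploying the key world-readable. `#olcSecurity: ssf=1 update_ssf=112 simple_bind=64` stays commented out, so as shipped the template enforces no minimum SSF for simple binds, which the existing comment block explains but a one-line reminder that enabling it requires working TLS would make explicit.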
@@ -71,24 +112,36 @@ olcDatabase: frontend
 # rootdn can always read and write EVERYTHING!
 #
-
-#######################################################################
-# BDB database definitions
-#######################################################################
 #
-dn: olcDatabase=bdb,cn=config
+# Configuration database
+#
+
+dn: olcDatabase=config,cn=config
 objectClass: olcDatabaseConfig
-objectClass: olcBdbConfig
-olcDatabase: bdb
+olcDatabase: config
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" manage by * none
+
+#
+# Server status monitoring
+#
+
+dn: olcDatabase=monitor,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: monitor
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
+
+#
+# Backend database definitions
+#
+
+dn: olcDatabase=hdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcHdbConfig
+olcDatabase: hdb
 olcSuffix: dc=my-domain,dc=com
 olcRootDN: cn=Manager,dc=my-domain,dc=com
-# Cleartext passwords, especially for the rootdn, should
-# be avoided. See slappasswd(8) and slapd-config(5) for details.
-# Use of strong authentication encouraged.
-olcRootPW: secret
-# The database directory MUST exist prior to running slapd AND
-# should only be accessible by the slapd and slap tools.
-# Mode 700 recommended.
-olcDbDirectory: /var/openldap-data
-# Indices to maintain
-olcDbIndex: objectClass eq
+olcDbDirectory: /var/lib/ldap
+olcDbIndex: objectClass eq,pres
+olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
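Review bot: The `olcAccess` on `olcDatabase=config,cn=config` grants manage only to the `gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth` identity and `by * none` to everyone else, so cn=config can only be administered over a local ldapi:// socket with peer-credential SASL/EXTERNAL, and nothing in this hunk configures such a listener; a comment stating that requirement next to the ACL would save operators from locking themselves out of the config database. The rewritten hdb entry drops `olcRootPW: secret` together with the guidance that was attached to it, leaving `olcRootDN: cn=Manager,dc=my-domain,dc=com` with no password and no explanation; consider restoring a short note such as `# No olcRootPW is set; if one is needed, store only a hash generated by slappasswd(8).` The removed note that the database directory must exist before slapd starts and be mode 700 applies equally to the new `olcDbDirectory: /var/lib/ldap` and should be kept with it. The hdb database also carries no `olcAccess` of its own, so access to `dc=my-domain,dc=com` falls to the frontend rules defined outside this hunk, which is worth a one-line comment so the omission reads as intentional.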