slapd.conf


  1: # Working slapd.conf, created from the sample file
  2: # by Wayne Pollock, Tampa Florida USA, Nov. 2010
  3: # Note many comments have been added/changed!
  4: # Warning!  Lines that start with whitespace are considered as a
  5: # continuation of the previous line!  Configuration options are
  6: # case-insensitive, but the values may not be.  If a value contains
  7: # white space or double quote marks, it must be surrounded by
  8: # double quotes; inside you use \" for a double quote mark and
  9: # \\ for a single backslash.
 10: #
 11: # See slapd.conf(5) for details on configuration options.
 12: # This file should NOT be world readable, but must be readable by
 13: # the user specified on the command line (e.g.,"ldap").
     # (It contains the rootdn password hash and the full access policy,
     # so a world-readable copy exposes both.)
 14: #
 15: # The new-style configuration is a directory tree full of LDIF files.
 16: # However this old-style is still supported, and can be converted to the
 17: # new style if desired.
 18: 
 19: # Which schemas to include.  If it is used by any directory defined
 20: # in this file, then it must be included here (globally).  I include them all,
 21: # which can hurt performance and is wasteful:
 22: 
 23: include		/etc/openldap/schema/corba.schema
 24: include		/etc/openldap/schema/core.schema
 25: include		/etc/openldap/schema/cosine.schema
 26: include		/etc/openldap/schema/duaconf.schema
 27: include		/etc/openldap/schema/dyngroup.schema
 28: include		/etc/openldap/schema/inetorgperson.schema
 29: include		/etc/openldap/schema/java.schema
 30: include		/etc/openldap/schema/misc.schema
 31: include		/etc/openldap/schema/nis.schema
 32: include		/etc/openldap/schema/openldap.schema
 33: #include		/etc/openldap/schema/pmi.schema
 34: #include		/etc/openldap/schema/collective.schema
 35: include		/etc/openldap/schema/ppolicy.schema
 36: #include		/etc/openldap/schema/samba.schema
 37: 
 38: 
 39: # Add logging:
 40: # Log levels are additive,  and  available  levels are:
 41: #    -1  (any)    enable all logging
 42: #     0           disable all logging
 43: #     1  (trace)  trace function calls
 44: #     2  (packet) debug packet handling
 45: #     4  (args)   heavy trace debugging
 46: #     8  (conns)  connection management
 47: #    16  (BER)    print out packets sent and received
 48: #    32  (filter) search filter processing
 49: #    64  (config) configuration file processing
 50: #   128  (ACL)    access control list processing
 51: #   256  (stats)  stats log connections/operations/results
 52: #   512  (stats2) stats log entries sent
 53: #  1024  (shell)  print communication with shell backends
 54: #  2048  (parse)  entry parsing
 55: # 16384  (sync)   syncrepl processing messages
 56: # 32769  (none)   only messages that get logged whatever log level is set
 57: #
 58: # The desired log level can be input as a single integer
 59: # that combines the (ORed) desired levels, as a list of
 60: # integers (that are ORed internally), or as a list of
 61: # the names that are shown in parenthesis, so the following
 62: # are equivalent:
 63: #
     # "stats" (256) is the level that records each connection, bind and
     # operation, which is what an audit or incident review needs; keep at
     # least that one enabled in production even if the others are dropped.
 64: loglevel conns filter config stats
 65: #loglevel 8 32 64 256
 66: #loglevel 360
 67: 
 68: # Note: logging goes to syslog "local4" facility, which must be configured in
 69: # syslog.conf (and logrotate.conf if a separate file is used)!
 70: 
 71: # Allow LDAPv2 client connections.  This is NOT the default.
     # LDAPv2 has neither StartTLS nor SASL, so a v2 client can only do a
     # simple bind, which sends the password in the clear unless it connects
     # over ldaps://.  Enable this only if a specific legacy client still
     # needs it, and remove it once that client is gone.
 72: allow bind_v2
 73: 
 74: # Do not enable referrals until AFTER you have a working directory
 75: # service AND an understanding of referrals.
 76: #referral	ldap://root.openldap.org
 77: 
 78: pidfile		/var/run/openldap/slapd.pid
 79: 
 80: # argsfile, if defined, stores the command line arguments used to start slapd:
 81: argsfile	/var/run/openldap/slapd.args
 82: 
 83: # Load dynamic backend modules (ONLY if OpenLDAP was compiled with
 84: # the ENABLE_MODULES option; it isn't with Fedora):
 85: # modulepath	/usr/lib/openldap # or /usr/lib64/openldap
 86: # moduleload accesslog.la
 87: # moduleload auditlog.la
 88: ## moduleload back_sql.la
 89: ## moduleload denyop.la
 90: # moduleload dyngroup.la
 91: # moduleload dynlist.la
 92: ## moduleload lastmod.la
 93: # moduleload pcache.la
 94: # moduleload ppolicy.la
 95: # moduleload refint.la
 96: # moduleload retcode.la
 97: # moduleload rwm.la
 98: # moduleload syncprov.la
 99: # moduleload translucent.la
 100: # moduleload unique.la
 101: # moduleload valsort.la
 102: # (and others; varies with distribution)
 103: 
 104: # The next three lines allow use of TLS for encrypting connections using a
 105: # dummy test certificate which you can generate by changing to
 106: # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
 107: # slapd.pem so that the ldap user or group can read it.  Your client software
 108: # may balk at self-signed certificates, however.
      # With all three left commented out this slapd offers no TLS at all, so
      # every bind and search -- including the simple binds checked against the
      # userPassword values below -- crosses the network unencrypted.
      # Note that slapd.pem is named for both the certificate and the key, so
      # it holds the private key as well: it must be readable by the ldap
      # user only (mode 0600), never world-readable.
 109: # TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
 110: # TLSCertificateFile /etc/pki/tls/certs/slapd.pem
 111: # TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
 112: 
 113: # Sample security restrictions
 114: #	Require integrity protection (prevent hijacking)
 115: #	Require 112-bit (3DES or better) encryption for updates
 116: #	Require 63-bit encryption for simple bind
 117: # security ssf=1 update_ssf=112 simple_bind=64
      # While this stays commented out slapd enforces no minimum security
      # strength, so password (simple) binds are accepted over plain ldap://.
      # Once TLS is configured, simple_bind=64 (or higher) makes slapd refuse
      # a simple bind on any connection that does not have that much
      # encryption in place.
 118: 
 119: # SASL options:
 120: # (Defaults to allowing everything without any required SASL security.)
 121: #sasl-host wpserver.gcaw.org
 122: #sasl-realm some-realm-name-goes-here
      # (noplain rejects mechanisms that transmit the password in the clear;
      # noanonymous rejects the ANONYMOUS mechanism.)
 123: #sasl-secprops noplain,noanonymous
 124: 
 125: # Default (Global) access policy:
 126: # (See the man page for slapd.access(5) for details on the access directive.)
 127: #
 128: # Sample access control policy:
 129: #	Root DSE: allow anyone to read it
 130: #	Subschema (sub)entry DSE: allow anyone to read it
 131: #	Other DSEs:
 132: #		Allow self write access
 133: #		Allow authenticated users read access
 134: #		Allow anonymous users to authenticate
 135: #	Directives needed to implement policy:
      # (Both are commented out, so as written anonymous clients get only
      # "auth" on the root DSE and subschema from the rule below; some
      # clients read the root DSE before binding -- confirm yours do not
      # need these two lines.)
 136: # access to dn.base="" by * read
 137: # access to dn.base="cn=Subschema" by * read
 138: 
 139: access to *
 140: 	by self write
 141: 	by users read
 142: 	by anonymous auth
 143: #
      # Note: per-database access directives are evaluated before these global
      # ones, and both databases below end with their own "access to *".  This
      # rule therefore never reaches entries under dc=gcaw,dc=org or cn=Monitor;
      # it governs only what those databases do not hold (presumably the root
      # DSE and cn=Subschema).  The effective policy for user entries is the
      # more permissive one in the bdb section below.
 144: # if no access controls are present, the default policy
 145: # allows anyone and everyone to read anything but restricts
 146: # updates to rootdn.  (e.g., "access to * by * read")
 147: #
 148: # rootdn can always read and write EVERYTHING!
 149: 
 150: # Default base for searches that don't supply one:
 151: #defaultsearchbase "dc=gcaw,dc=org"
 152: 
153: # End of Global directives.
154: 
155: #######################################################################
156: # Datastore (e.g., bdb) definitions:
157: #######################################################################
158: 
 159: database	bdb
 160: suffix		"dc=gcaw,dc=org"
 161: 
 162: # The DN of the root (administrator) user:
      # (The rootdn bypasses every access directive for this database, so it
      # should be used for administration only -- never as an application's
      # bind identity.)
 163: rootdn		"cn=Manager,dc=gcaw,dc=org"
 164: 
 165: # The root user's password (use slappasswd to generate a hashed version,
 166: # which is much more secure than storing a plain-text password!):
      # The three commented examples show the syntax only: "secret" is plain
      # text, the 13-character {crypt} value is traditional DES crypt, and
      # {MD5} is an unsalted digest.  None of them should be used; {SSHA}
      # (salted SHA-1) is the strongest of the schemes shown here.
 167: # rootpw	secret
 168: # rootpw	{crypt}ijFYNcSNctBYg
 169: # rootpw	{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
 170: rootpw		{SSHA}aS2fWR19mjQzTcs2Qc9LN0OQBYOO7n2s
 171: 
 172: # The database directory MUST exist prior to running slapd AND
 173: # should only be accessible by the slapd and slap tools.
 174: # Mode 0700 recommended for the directory.
      # (The BDB files hold every entry, userPassword hashes included, with no
      # encryption at rest; the directory mode is the only thing protecting
      # them from other local users.)
 175: directory	/var/lib/ldap/gcaw.org
 176: 
 177: # The mode of newly created index files (default is 0600):
 178: #mode 0600
 179: 
 180: # Indices to maintain for this database (use the first one at least):
 181: index objectClass                       eq,pres
 182: index ou,cn,mail,surname,givenname      eq,pres,sub
 183: index uidNumber,gidNumber,loginShell    eq,pres
 184: index uid,memberUid                     eq,pres,sub
 185: index nisMapName,nisMapEntry            eq,pres,sub
 186: 
 187: # Replicas of this database
      # (These are slurpd-style replication directives.  Releases that have
      # dropped slurpd reject them at startup -- check the slapd version in
      # use, and prefer syncrepl for any new deployment.)
 188: #replogfile /var/lib/ldap/openldap-master-replog
 189: #replica host=ldap-1.example.com:389 starttls=critical
 190: #     bindmethod=sasl saslmech=GSSAPI
 191: #     authcId=host/ldap-master.example.com@EXAMPLE.COM
 192: 
 193: # monitoring on
 194: 
 195: ## Access controls for this database (overrides global settings):
 196: #
 197: ## Allow only a user and root to change passwords:
      # Scope note: dn.children matches only entries strictly below ou=people.
      # A userPassword on any other entry in dc=gcaw,dc=org (the ou=people
      # entry itself, or the Manager entry if one exists) falls through to the
      # "access to * by * read" rule below and becomes readable by anyone.
      # Widening this rule to "access to attrs=userPassword" would close that
      # gap.  "by * auth" lets unauthenticated clients bind against the
      # password without reading it.  The explicit "by dn=...Manager..." clause
      # is redundant, because the rootdn bypasses ACLs entirely.
 198: access to dn.children="ou=people,dc=gcaw,dc=org"
 199:     attrs=userPassword
 200:     by self write
 201:     by dn="cn=Manager,dc=gcaw,dc=org" write
 202:     by * auth
 203: 
 204: # Allow read access to everything else by anyone:
      # This grants anonymous clients read access to every attribute not
      # covered above, including the NIS attributes indexed above (uidNumber,
      # gidNumber, loginShell, memberUid).  If anonymous enumeration of the
      # directory is not intended, "by users read / by anonymous auth" as in
      # the global policy limits reads to authenticated users.
 205: access to *
 206:     by * read
207: 
208: 
 209: # enable monitoring
      # cn=Monitor exposes server internals (connection, operation and backend
      # statistics, such as the DN each open connection is bound as), so it
      # must not be anonymously readable.
 210: database monitor
 211: 
 212: # allow only rootdn to read the monitor
      # "by * none" denies everyone else, authenticated or not.  rootdn is a
      # per-database setting, so the bdb Manager is not automatically rootdn
      # here; the explicit dn.exact clause is what grants it read access.
 213: access to *
 214:         by dn.exact="cn=Manager,dc=gcaw,dc=org" read
 215:         by * none