/home/wpollock1/public_html/AUnixNet/LDAP/slapd.conf.bak
# Working slapd.conf, created from the sample file
# by Wayne Pollock, Tampa Florida USA, Nov. 2010
# Note many comments have been added/changed!
# Warning! Lines that start with whitespace are considered as a
# continuation of the previous line! Configuration options are
# case-insensitive, but the values may not be. If a value contains
# white space or double quote marks, it must be surrounded by
# double quotes; inside you use \" for a double quote mark and
# \\ for a single backslash.
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable, but must be readable by
# the user specified on the command line (e.g., "ldap").
#
# The new-style configuration is a directory tree full of LDIF files.
# However this old-style is still supported, and can be converted to the
# new style if desired.
# Which schemas to include. If it is used by any directory defined
# in this file, then it must be included here (globally). I include them all,
# which can hurt performance and is wasteful:
# Schema files are parsed in order, so a schema that refers to types defined
# in another one (e.g., inetorgperson.schema builds on core.schema and
# cosine.schema) must be included after the ones it depends on.
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
#include /etc/openldap/schema/pmi.schema
#include /etc/openldap/schema/collective.schema
# Including ppolicy.schema only defines the password-policy attribute types;
# a password policy is actually enforced only when the ppolicy overlay is
# enabled for a database (an "overlay ppolicy" directive in that database's
# section, which this file does not configure).
include /etc/openldap/schema/ppolicy.schema
#include /etc/openldap/schema/samba.schema
# Add logging:
# Log levels are additive, and available levels are:
# -1 (any) enable all logging
# 0 disable all logging
# 1 (trace) trace function calls
# 2 (packet) debug packet handling
# 4 (args) heavy trace debugging
# 8 (conns) connection management
# 16 (BER) print out packets sent and received
# 32 (filter) search filter processing
# 64 (config) configuration file processing
# 128 (ACL) access control list processing
# 256 (stats) stats log connections/operations/results
# 512 (stats2) stats log entries sent
# 1024 (shell) print communication with shell backends
# 2048 (parse) entry parsing
# 16384 (sync) syncrepl processing messages
# 32768 (none) only messages that get logged whatever log level is set
#
# The desired log level can be input as a single integer
# that combines the (ORed) desired levels, as a list of
# integers (that are ORed internally), or as a list of
# the names that are shown in parentheses, so the following
# are equivalent:
#
# The "stats" level records each bind DN and operation, which is what you
# want for noticing failed-bind storms and other abuse. "packet", "BER" and
# "args" are debugging levels that write raw packet/argument contents to the
# log, so keep them off in production.
loglevel conns filter config stats
#loglevel 8 32 64 256
#loglevel 360
# Note: logging goes to syslog "local4" facility, which must be configured in
# syslog.conf (and logrotate.conf if a separate file is used)!
# Allow LDAPv2 client connections. This is NOT the default.
# LDAPv2 has no StartTLS and no SASL, so a v2 client can only do a simple
# bind (password sent in the clear unless it connects over ldaps://). Keep
# this only while a legacy client still needs it.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
# argsfile, if defined, stores the command line arguments used to start slapd:
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules (ONLY if OpenLDAP was compiled with
# the ENABLE_MODULES option; it isn't with Fedora):
# modulepath /usr/lib/openldap # or /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
## moduleload back_sql.la
## moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
## moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# (and others; varies with distribution)
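# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# (slapd.pem is used as both certificate and key file below, so it contains
# the private key and must not be readable by anyone except the ldap
# user/group.)
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require at least 64-bit encryption (SSF 64) for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# NOTE: with the TLS directives and the "security" directive both commented
# out, nothing stops a simple bind (including one as the rootdn) from sending
# its password in the clear over ldap://. Enable TLS and at least
# "security simple_bind=64" before serving anything beyond localhost.
# SASL options:
# (Defaults to allowing everything without any required SASL security.)
#sasl-host wpserver.gcaw.org
#sasl-realm some-realm-name-goes-here
#sasl-secprops noplain,noanonymous
# Default (Global) access policy:
# (See the man page for slapd.access(5) for details on the access directive.)
#
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
#
# Global rules are consulted only after a database's own rules have failed to
# match, so for the bdb database below (which ends with its own "access to *"
# catch-all) these never apply. Where they do apply, "by self write" lets a
# bound user modify every attribute of its own entry, not just its password.
# The "by" clauses MUST begin with whitespace: a line starting in column 1
# is read as a new directive, and "by" is not one.
access to *
    by self write
    by users read
    by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
# Default base for searches that don't supply one:
#defaultsearchbase "dc=gcaw,dc=org"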
# End of Global directives.
#######################################################################
# Datastore (e.g., bdb) definitions:
#######################################################################
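database bdb
suffix "dc=gcaw,dc=org"
# The DN of the root (administrator) user:
rootdn "cn=Manager,dc=gcaw,dc=org"
# The root user's password (use slappasswd to generate a hashed version,
# which is much more secure than storing a plain-text password!):
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# rootpw {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
rootpw {SSHA}aS2fWR19mjQzTcs2Qc9LN0OQBYOO7n2s
# A hashed rootpw is still an offline-guessing target for anyone who can read
# this file, and that includes stray copies (a ".bak" under a web-served
# directory, for instance). Keep the file mode restrictive, and if a copy is
# ever exposed, generate a new hash with slappasswd and replace the line above.
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 0700 recommended for the directory.
directory /var/lib/ldap/gcaw.org
# The mode of newly created index files (default is 0600):
#mode 0600
# Indices to maintain for this database (use the first one at least):
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
# monitoring on
## Access controls for this database (over-rides global settings):
#
# Rules are tried in order and the first "access to" whose target matches
# decides, so the userPassword rule must stay ahead of the catch-all below.
# Database rules are consulted before the global ones, so the global
# "by self write" never applies here: users may change only their own
# userPassword and nothing else. The "by" clauses MUST begin with whitespace
# (continuation lines); a "by" in column 1 is a syntax error.
#
## Allow only a user and root to change passwords:
# This covers userPassword anywhere in the database. Narrowing the target to
# dn.children="ou=people,dc=gcaw,dc=org" would let the password hash of any
# entry created outside ou=people fall through to the "by * read" rule below,
# i.e. become readable by anonymous clients.
access to attrs=userPassword
    by self write
    by dn="cn=Manager,dc=gcaw,dc=org" write
    by * auth
# Allow read access to everything else by anyone:
# "anyone" includes unauthenticated clients, so the account attributes indexed
# above (uid, uidNumber, gidNumber, loginShell, mail, memberUid, ...) can be
# enumerated anonymously. If only authenticated clients need them, use
# "by users read" followed by "by * none" instead.
access to *
    by * read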
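# enable monitoring
database monitor
# allow only rootdn to read the monitor
# (cn=Manager is the rootdn of the bdb database above, not of this one, so it
# needs an explicit grant here. "by * none" keeps the connection and operation
# statistics exposed by the monitor backend away from everyone else. The "by"
# lines must begin with whitespace so they continue the "access to" line.)
access to *
    by dn.exact="cn=Manager,dc=gcaw,dc=org" read
    by * none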