File slapd.conf.example of Package openldap2.15537
############################################################################
# See slapd.conf(5) for details on configuration options.
# This file SHOULD NOT be world readable.
#
# Important note:
# You surely have to adjust some settings to meet your (security)
# requirements.
# At least you should replace suffix "dc=example,dc=com" by
# something meaningful for your setup.
# If you plan to use OpenLDAP server as backend for Samba and/or Kerberos
# KDC then you MUST add decent ACLs for protecting user credentials!
#
# Read the man pages before changing something!
#
# You can debug the config by running (as root while slapd is stopped):
# /usr/sbin/slapd -f /etc/openldap/slapd.conf -u ldap -g ldap -h "ldapi:/// ldap://127.0.0.1" -d 65535
############################################################################

#---------------------------------------------------------------------------
# slapd global parameters
#---------------------------------------------------------------------------

# serverID must be unique across all provider replicas
# for using multi-master replication (MMR)
serverID 99

# only alter this when you know what you're doing
#threads 4

# Run-time files
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# for more debugging set:
#loglevel config stats stats2
loglevel stats

#---------------------------------------------------------------------------
# Load runtime loadable modules
#---------------------------------------------------------------------------

# Load additional backend modules installed by package 'openldap2'
# The following backends are statically built-in and therefore don't have
# to be loaded here:
# config, ldif, monitor, bdb, hdb, ldap, mdb, relay
#moduleload back_
#moduleload back_
#moduleload back_mdb
#moduleload back_meta
#moduleload back_sock

# Load additional overlay modules installed by package 'openldap2'
# The following overlays are statically built-in and therefore don't have
# to be loaded here:
# ppolicy, syncprov
#moduleload accesslog
#moduleload constraint
#moduleload dds
#moduleload deref
#moduleload dynlist
#moduleload memberof
moduleload refint
#moduleload sssvlv
#moduleload translucent
moduleload unique
#moduleload valsort

# Load additional overlay modules installed by package 'openldap2-contrib'
#moduleload allowed
#moduleload lastbind
#moduleload noopsrch
#moduleload pw-pbkdf2
#moduleload pw-sha2
#moduleload smbk5pwd

#---------------------------------------------------------------------------
# Include schema files
#---------------------------------------------------------------------------

# Schema files installed by package 'openldap2'
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/ppolicy.schema
#include /etc/openldap/schema/yast.schema

# Schema file installed by package 'dhcp-server'
#include /etc/openldap/schema/dhcp.schema

# Schema file installed by package 'samba'
#include /etc/openldap/schema/samba3.schema

# Schema file installed by package 'krb5-plugin-kdb-ldap'
#include /usr/share/doc/packages/krb5/kerberos.schema

#---------------------------------------------------------------------------
# Transport Layer Security (TLS) configuration
#---------------------------------------------------------------------------

# require at least TLS 1.0 and highly secure ciphers
#TLSProtocolMin 3.1
#TLSCipherSuite HIGH:!SSLv3:!SSLv2:!ADH

# TLS certificate and key files
#TLSCACertificateFile /etc/ssl/ca-bundle.pem
#TLSCertificateFile /etc/openldap/ssl.crt/server.crt
#TLSCertificateKeyFile /etc/openldap/ssl.key/server.key

# For enabling Perfect Forward Secrecy (PFS), see dhparam(1)
#TLSDHParamFile /etc/openldap/ssl.key/dhparam

#---------------------------------------------------------------------------
# Password hashing
#---------------------------------------------------------------------------

#password-hash {CRYPT}
# Parameters for {CRYPT} scheme: SHA-512, 72 bits of salt, 5000 iterations
#password-crypt-salt-format "$6$%.12s"

#---------------------------------------------------------------------------
# Security requirements
#---------------------------------------------------------------------------

#disallow bind_anon
#require bind LDAPv3 strong

# SSF value for ldapi://
localSSF 256

# minimum required SSF value (security strength factor)
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
#security ssf=128 update_ssf=256 simple_bind=128
security ssf=0

#---------------------------------------------------------------------------
# Global access control (ACLs)
#---------------------------------------------------------------------------

# Root DSE: allow anyone to read it
access to dn.base=""
        by * read

# Sub schema sub entry: allow anyone to read it
access to dn.base="cn=Subschema"
        by * read

#---------------------------------------------------------------------------
# Authz-DN mappings
#---------------------------------------------------------------------------

# If connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
# System user root is mapped to the rootdn in database dc=example,dc=com
# which has also read access on config and monitor databases
authz-regexp
        "gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
        "cn=root,dc=example,dc=com"

# Map local system user to LDAP entry
# if connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
authz-regexp
        "gidnumber=([0-9]+)\\+uidnumber=([0-9]+),cn=peercred,cn=external,cn=auth"
        "ldap:///dc=example,dc=com??sub?(&(objectClass=posixAccount)(uidNumber=$2)(gidNumber=$1))"

# this maps the attribute uid to an LDAP entry
# if one of the typical password-based SASL mechs was used
authz-regexp
        "uid=([a-zA-Z0-9_-]+),cn=(DIGEST-MD5|CRAM-MD5|NTLM|PLAIN|LOGIN|SCRAM-SHA-1),cn=auth"
        "ldap:///dc=example,dc=com??sub?(uid=$1)"

# this maps the attribute uid to an LDAP entry
# if one of the Kerberos based SASL mechs was used
#authz-regexp
#        "uid=([a-zA-Z0-9_-]+),cn=(GSSAPI|GS2-KRB5|GS2-IAKERB),cn=auth"
#        "ldap:///dc=example,dc=com??sub?(|(krbPrincipalName=$1)(krbPrincipalAlias=$1))"

# Map client cert subject DN to LDAP entry if SASL/EXTERNAL was used
#authz-regexp
#        "(.+)"
#        "ldap:///dc=example,dc=com??sub?(&(objectClass=pkiUser)(seeAlso=$1))"

#===========================================================================
# Database specific configuration sections below
# Required order of databases:
# config (first), ...others..., monitor (last)
#===========================================================================

#---------------------------------------------------------------------------
# cn=config // Configuration database (always first!)
# see slapd-config(5)
#---------------------------------------------------------------------------

database config

# Cleartext passwords, especially for the rootdn, should
# be avoided! See slappasswd(8) and slapd.conf(5) for details.
# Best thing is not to set rootpw at all!
# For local config access by root use LDAPI with SASL/EXTERNAL instead
# (see above).
#rootpw secret

access to dn.subtree="cn=config"
        by dn.exact="cn=root,dc=example,dc=com" manage
        by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" read
        by * none

#---------------------------------------------------------------------------
# dc=example,dc=com // Example MDB database to be used by normal clients
# see slapd-mdb(5)
#---------------------------------------------------------------------------

database mdb
suffix "dc=example,dc=com"

# rootdn has to be set for overlays' internal operations
rootdn "cn=root,dc=example,dc=com"

# Cleartext passwords, especially for the rootdn, should
# be avoided! See slappasswd(8) and slapd.conf(5) for details.
# Best thing is not to set rootpw at all!
rootpw secret

# The database directory MUST exist prior to running slapd and
# SHOULD only be accessible by the slapd user 'ldap'.
# mkdir /var/lib/ldap/example-db && chown ldap:ldap /var/lib/ldap/example-db && chmod 0700 /var/lib/ldap/example-db
directory /var/lib/ldap/example-db

# Permissions of database files created
mode 0600

# extra information to be available in cn=monitor for this database
monitoring on

# Perform ACL checks on the content of a new entry being added
add_content_acl on

# backend-specific database parameters
checkpoint 1024 5
# 100 MB (you can raise the limit later)
maxsize 104857600

# Indices to maintain
#
# Whenever you change indexing configuration you have to re-run slapindex
# while slapd is stopped!
# Don't forget to fix ownership/permissions of newly generated index files
# afterwards!

# set always!
index objectClass eq
# for typical address book use
index cn,sn,givenName,mail eq,sub
# for user management
index uid,uidNumber,gidNumber eq
# for authz-regexp mapping of Kerberos principal name
#index krbPrincipalName,krbPrincipalAlias eq
# for authz-regexp mapping of client cert subject DNs
#index seeAlso eq
# for syncrepl
index entryUUID,entryCSN eq

# access control lists (ACLs) for dc=example,dc=com
# see slapd.access(5) for details on access control lists (ACLs)

# full read access also to 'userPassword' for group of replicas
# and control is forwarded to subsequent ACLs
access to dn.subtree=dc=example,dc=com
        by group.base="cn=slapd replicas,ou=groups,dc=example,dc=com" read
        by * break

# write-only access to 'userPassword' for user, auth access else
access to attrs=userPassword
        by self =w
        by * auth

# 'userPKCS12' must only be accessible by self
access to attrs=userPKCS12
        by self write
        by * none

# No access to history of passwords
#access to
#        attrs=pwdHistory
#        by * none

# Catch-all ACL for the rest
access to dn.subtree=dc=example,dc=com
        by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage
        by self read
        by users read
        by * auth

# see slapo-ppolicy(5)
overlay ppolicy
# Default password policy entry
#ppolicy_default cn=ppolicy-default,ou=policies,dc=example,dc=com
# Hash clear-text userPassword values sent in with add/modify operations
#ppolicy_hash_cleartext
# Return AccountLocked error code to client
#ppolicy_use_lockout

# see slapo-refint(5)
overlay refint
refint_attributes member seeAlso
refint_nothing cn=dummy

# Check sub-tree wide uniqueness of certain attributes
# see slapo-unique(5)
# you have to add an eq index for an efficient uniqueness check!
# Note that the filter part is currently ignored because of OpenLDAP ITS#6825
overlay unique
unique_uri "ldap:///dc=example,dc=com?uid,uidNumber,homeDirectory?sub"
unique_uri "ldap:///ou=groups,dc=example,dc=com?cn,gidNumber?sub?(|(objectClass=groupOfNames)(objectClass=posixGroup))"
#unique_uri "ldap:///dc=example,dc=com?krbPrincipalName,krbPrincipalAlias?sub"
#unique_uri "ldap:///dc=example,dc=com?ipHostNumber?sub"
#unique_uri "ldap:///dc=example,dc=com?employeeNumber?sub"
#unique_uri "ldap:///dc=example,dc=com?uniqueIdentifier?sub"

#overlay syncprov
#mirrormode on

#---------------------------------------------------------------------------
# cn=monitor // Monitoring database (always last!)
# see slapd-monitor(5)
#---------------------------------------------------------------------------

database monitor

access to dn.subtree="cn=monitor"
        by dn.exact="cn=root,dc=example,dc=com" write
        by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" write
        by users read
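The three active authz-regexp rules above decide which directory entry a SASL identity becomes, so it is worth checking the mapping outside slapd before relying on it. The following Python is an added example, not part of the openSUSE package: it reproduces the rule list and applies it the way slapd does (first match wins, patterns compiled case-insensitively, unanchored as with regexec(3) unless the pattern carries ^ and $), with the peercred identity format that slapd derives for ldapi:/// connections.

```python
import re

# Reconstructed copy of the active authz-regexp rules from slapd.conf.example.
# The quoted "\\+" in slapd.conf is a literal "+", hence "\+" in the raw strings.
AUTHZ_REGEXP = [
    (r"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth",
     "cn=root,dc=example,dc=com"),
    (r"gidnumber=([0-9]+)\+uidnumber=([0-9]+),cn=peercred,cn=external,cn=auth",
     "ldap:///dc=example,dc=com??sub?(&(objectClass=posixAccount)(uidNumber=$2)(gidNumber=$1))"),
    (r"uid=([a-zA-Z0-9_-]+),cn=(DIGEST-MD5|CRAM-MD5|NTLM|PLAIN|LOGIN|SCRAM-SHA-1),cn=auth",
     "ldap:///dc=example,dc=com??sub?(uid=$1)"),
]

def peercred_authz_id(uid, gid):
    """SASL/EXTERNAL identity slapd builds from the peer's credentials on an ldapi:/// socket."""
    return f"gidNumber={gid}+uidNumber={uid},cn=peercred,cn=external,cn=auth"

def map_authz_id(sasl_authz_id, rules=AUTHZ_REGEXP):
    """Apply the rules in order; the first match wins, as in slapd's authz-regexp handling.

    Assumed to mirror slapd: case-insensitive matching and, like regexec(3), no implicit
    anchoring.  Returns the rewritten DN or LDAP URL, or None when no rule matches
    (the Kerberos and client-cert rules are commented out in the example, so they are absent).
    """
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_authz_id, re.IGNORECASE)
        if m:
            # $1..$9 in the replacement refer to the pattern's capture groups
            return re.sub(r"\$([1-9])", lambda g: m.group(int(g.group(1))), replacement)
    return None

def is_search_mapping(mapped):
    """True when slapd must resolve the result by an internal search that has to hit exactly one entry."""
    return mapped is not None and mapped.lower().startswith("ldap:///")
```

Because the patterns are unanchored, every rule you add should be tried against the identities you expect and a few you do not; an anchored form (^...$) is the conservative choice.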
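Several of the file's own comments (cleartext rootpw, disabled TLS, password-hash left commented out, security ssf=0) describe settings that are acceptable for an example but not for a deployment. The Python below is an added example, not part of the openSUSE package: a small slapd.conf reader that honours the format's comment and leading-whitespace continuation rules, run over a constructed excerpt of the directives this example leaves active and over a constructed hardened variant built from the values the comments recommend.

```python
import re
def parse_slapd_conf(text):
    """Return (directive, arguments) pairs; a line starting with whitespace continues the previous one."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):  # blank or comment line
            continue
        if line[0] in " \t" and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    return [(e.partition(" ")[0].lower(), e.partition(" ")[2].strip()) for e in logical]

def audit_slapd_conf(text):
    """Return (key, message) findings for the weak settings slapd.conf.example leaves active."""
    pairs = parse_slapd_conf(text)
    names = {n for n, _ in pairs}
    findings = []
    min_ssf = 0  # without 'security ssf=N' slapd accepts unprotected sessions
    for name, args in pairs:
        if name == "security":
            m = re.search(r"\bssf=(\d+)", args)  # \b stops update_ssf= from matching
            min_ssf = int(m.group(1)) if m else 0
        elif name == "rootpw" and not args.strip('"').startswith("{"):
            findings.append(("cleartext-rootpw", "rootpw is cleartext; use slappasswd(8) output or omit rootpw"))
    if min_ssf == 0:
        findings.append(("cleartext-sessions", "security ssf=0: sessions without encryption are accepted"))
    if "password-hash" not in names:
        findings.append(("no-password-hash", "password-hash unset; slapd's {SSHA} default applies"))
    if "tlscertificatefile" not in names:
        findings.append(("no-tls", "no TLSCertificateFile: StartTLS and ldaps:// cannot be offered"))
    if not any(n == "disallow" and "bind_anon" in a.split() for n, a in pairs):
        findings.append(("anon-bind", "anonymous binds allowed (no 'disallow bind_anon')"))
    return findings
SAMPLE_CONF = """\
# constructed excerpt mirroring the directives slapd.conf.example leaves active
#password-hash {CRYPT}
security ssf=0
rootpw secret
access to attrs=userPassword
        by self =w
        by * auth
"""
HARDENED_CONF = """\
# constructed variant using the values the example's own comments recommend
TLSCertificateFile /etc/openldap/ssl.crt/server.crt
password-hash {CRYPT}
disallow bind_anon
security ssf=128 update_ssf=256 simple_bind=128
"""
```

`audit_slapd_conf(SAMPLE_CONF)` reports all five findings and `audit_slapd_conf(HARDENED_CONF)` reports none; the parser is what makes the `access ... by ...` continuation lines come back as one directive.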