Accepting request 354705 from home:stroeder:branches:network:ldap

Compared to my obsoleted request #339745:
1. sysconfdir now correctly is /etc/openldap
2. slapd starts with default configuration file (tested on openSUSE 13.2 and Tumbleweed)
3. added Recommends: cyrus-sasl
4. replaced README.dynamic-overlays by README.module-loading with updated text
5. added patch for OpenLDAP ITS#8336

OBS-URL: https://build.opensuse.org/request/show/354705
OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=146

slapd.conf.example

@@ -0,0 +1,354 @@
+############################################################################
+# See slapd.conf(5) for details on configuration options.
+# This file SHOULD NOT be world readable.
+#
+# Important note:
+# You surely have to adjust some settings to meet your (security)
+# requirements.
+# At least you should replace suffix "dc=example,dc=com" by
+# something meaningful for your setup.
+# If you plan to use OpenLDAP server as backend for Samba and/or Kerberos 
+# KDC then you MUST add decent ACLs for protecting user credentials!
+#
+# Read the man pages before changing something!
+#
+# You can debug the config by running (as root while slapd stopped):
+# /usr/sbin/slapd -f /etc/openldap/slapd.conf -u ldap -g ldap -h "ldapi:/// ldap://127.0.0.1" -d 65535
+############################################################################
+
+#---------------------------------------------------------------------------
+# slapd global parameters
+#---------------------------------------------------------------------------
+
+# serverID must be unique across all provider replicas
+# for using multi-master replication (MMR)
+serverID 99
+
+# only alter this when you know what you're doing
+#threads 4
+
+# Run-time files
+pidfile /var/run/slapd/slapd.pid
+argsfile /var/run/slapd/slapd.args
+
+# for more debugging set:
+#loglevel config stats stats2
+loglevel stats
+
+#---------------------------------------------------------------------------
+# Load runtime loadable modules
+#---------------------------------------------------------------------------
+
+# Load additional backend modules installed by package 'openldap2'
+# The following backends are statically built-in and therefore don't have
+# to be loaded here:
+# config, ldif, monitor, bdb, hdb, ldap, mdb, relay
+#moduleload back_
+#moduleload back_
+#moduleload back_mdb
+#moduleload back_meta
+#moduleload back_sock
+
+# Load additional overlay modules installed by package 'openldap2'
+# The following overlay are statically built-in and therefore don't have
+# to be loaded here:
+# ppolicy, syncprov
+#moduleload accesslog
+#moduleload constraint
+#moduleload dds
+#moduleload deref
+#moduleload dynlist
+#moduleload memberof
+moduleload refint
+#moduleload sssvlv
+#moduleload translucent
+moduleload unique
+#moduleload valsort
+
+# Load additional overlay modules installed by package 'openldap2-contrib'
+#moduleload allowed
+#moduleload lastbind
+#moduleload noopsrch
+#moduleload pw-pbkdf2
+#moduleload pw-sha2
+#moduleload smbk5pwd
+
+#---------------------------------------------------------------------------
+# Include schema files
+#---------------------------------------------------------------------------
+
+# Schema files installed by package 'openldap2'
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/rfc2307bis.schema
+include /etc/openldap/schema/ppolicy.schema
+#include /etc/openldap/schema/yast.schema
+
+# Schema file installed by package 'dhcp-server'
+#include /etc/openldap/schema/dhcp.schema
+
+# Schema file installed by package 'samba'
+#include /etc/openldap/schema/samba3.schema
+
+# Schema file installed by package 'krb5-plugin-kdb-ldap'
+#include /usr/share/doc/packages/krb5/kerberos.schema
+
+#---------------------------------------------------------------------------
+# Transport Layer Security (TLS) configuration
+#---------------------------------------------------------------------------
+
+# require at least TLS 1.0 and highly secure ciphers
+#TLSProtocolMin 3.1
+#TLSCipherSuite HIGH:!SSLv3:!SSLv2:!ADH
+
+# TLS certificate and key files
+#TLSCACertificateFile /etc/ssl/ca-bundle.pem
+#TLSCertificateFile /etc/openldap/ssl.crt/server.crt
+#TLSCertificateKeyFile /etc/openldap/ssl.key/server.key
+
+# For enabling Perfect Forward Secrecy (PFS), see dhparam(1)
+#TLSDHParamFile /etc/openldap/ssl.key/dhparam
+
+#---------------------------------------------------------------------------
+# Password hashing
+#---------------------------------------------------------------------------
+
+#password-hash {CRYPT}
+# Parameters for {CRYPT} scheme: SHA-512, 72 bits) of salt, 5000 iterations
+#password-crypt-salt-format "$6$%.12s"
+
+#---------------------------------------------------------------------------
+# Security requirements
+#---------------------------------------------------------------------------
+
+#disallow bind_anon
+#require bind LDAPv3 strong
+
+# SSF value for ldapi://
+localSSF 256
+
+# minimum required SSF value (security strength factor)
+# Sample security restrictions
+#       Require integrity protection (prevent hijacking)
+#       Require 112-bit (3DES or better) encryption for updates
+#       Require 63-bit encryption for simple bind
+# security ssf=1 update_ssf=112 simple_bind=64
+#security ssf=128 update_ssf=256 simple_bind=128
+security ssf=0
+
+#---------------------------------------------------------------------------
+# Global access control (ACLs)
+#---------------------------------------------------------------------------
+
+# Root DSE: allow anyone to read it
+access to
+  dn.base=""
+    by * read
+
+# Sub schema sub entry: allow anyone to read it
+access to
+  dn.base="cn=Subschema"
+    by * read
+
+#---------------------------------------------------------------------------
+# Authz-DN mappings
+#---------------------------------------------------------------------------
+
+# If connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
+# System user root is mapped to the rootdn in database dc=example,dc=com
+# which has also read access on config and monitor databases
+authz-regexp
+  "gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
+    "cn=root,dc=example,dc=com"
+
+# Map local system user to LDAP entry
+# if connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
+authz-regexp
+  "gidnumber=([0-9]+)\\+uidnumber=([0-9]+),cn=peercred,cn=external,cn=auth"
+  "ldap:///dc=example,dc=com??sub?(&(objectClass=posixAccount)(uidNumber=$2)(gidNumber=$1))"
+
+# this maps the attribute uid to a LDAP entry
+# if one of the typical password-based SASL mechs was used
+authz-regexp
+  "uid=([a-zA-Z0-9_-]+),cn=(DIGEST-MD5|CRAM-MD5|NTLM|PLAIN|LOGIN|SCRAM-SHA-1),cn=auth"
+  "ldap:///dc=example,dc=com??sub?(uid=$1)"
+
+# this maps the attribute uid to a LDAP entry
+# if one of the Kerberos based SASL mechs was used
+#authz-regexp
+#  "uid=([a-zA-Z0-9_-]+),cn=(GSSAPI|GS2-KRB5|GS2-IAKERB),cn=auth"
+#  "ldap:///dc=example,dc=com??sub?(|(krbPrincipalName=$1)(krbPrincipalAlias=$1))"
+
+# Map client cert subject DN to LDAP entry if SASL/EXTERNAL was used
+#authz-regexp
+#  "(.+)"
+#  "ldap:///dc=example,dc=com??sub?(&(objectClass=pkiUser)(seeAlso=$1))"
+
+
+#===========================================================================
+# Database specific configuration sections below
+# Required order of databases:
+# config (first), ...others..., monitor (last)
+#===========================================================================
+
+
+#---------------------------------------------------------------------------
+# cn=config // Configuration database (always first!)
+# see slapd-config(5)
+#---------------------------------------------------------------------------
+
+database config
+
+# Cleartext passwords, especially for the rootdn, should
+# be avoid!  See slappasswd(8) and slapd.conf(5) for details.
+# Best thing is not to set rootpw at all!
+# For local config access by root use LDAPI with SASL/EXTERNAL instead
+# (see above).
+#rootpw secret
+
+access to
+  dn.subtree="cn=config"
+    by dn.exact="cn=root,dc=example,dc=com" manage
+    by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" read
+    by * none
+
+
+#---------------------------------------------------------------------------
+# dc=example,dc=com // Example MDB database to be used by normal clients
+# see slapd-mdb(5)
+#---------------------------------------------------------------------------
+
+database mdb
+
+suffix "dc=example,dc=com"
+
+# rootdn has to be set for overlays' internal operations
+rootdn "cn=root,dc=example,dc=com"
+
+# Cleartext passwords, especially for the rootdn, should
+# be avoid! See slappasswd(8) and slapd.conf(5) for details.
+# Best thing is not to set rootpw at all!
+rootpw secret
+
+# The database directory MUST exist prior to running slapd and
+# SHOULD only be accessible by the slapd user 'ldap'.
+# mkdir /var/lib/ldap/example-db && chown ldap:ldap /var/lib/ldap/example-db && chmod 0700 /var/lib/ldap/example-db
+directory /var/lib/ldap/example-db
+
+# Permissions of database files created
+mode 0600
+
+# extra information to be available in cn=monitor for this database
+monitoring on
+
+# Perform ACL checks on the content of a new entry being added
+add_content_acl on
+
+# backend-specific database parameters
+checkpoint 1024 5
+# 100 MB (you can raise the limit later)
+maxsize 104857600
+
+# Indices to maintain
+#
+# Whenever you change indexing configuration you have to re-run slapindex
+# while slapd being stopped!
+# Don't forget to fix ownership/permissions of newly generated index files
+# afterwards!
+
+# set always!
+index objectClass eq
+
+# for typical address book use
+index cn,sn,givenName,mail eq,sub
+
+# for user management
+index uid,uidNumber,gidNumber eq
+
+# for authz-regexp mapping of Kerberos principal name
+#index krbPrincipalName,krbPrincipalAlias eq
+
+# for authz-regexp mapping of client cert subject DNs
+#index seeAlso eq
+
+# for syncrepl
+index entryUUID,entryCSN eq
+
+# access control lists (ACLs) for dc=example,dc=com
+# see slapd.access(5) for details on access control lists (ACLs)
+
+# full read access also to 'userPassword' for group of replicas
+# and control is forwarded to subsequent ACLs
+access to
+  dn.subtree=dc=example,dc=com
+    by group.base="cn=slapd replicas,ou=groups,dc=example,dc=com" read
+    by * break
+
+# write-only access to 'userPassword' for user, auth access else
+access to
+  attrs=userPassword
+    by self =w
+    by * auth
+
+# 'userPKCS' must only be accessible by self
+access to
+  attrs=userPKCS12
+    by self write
+    by * none
+
+# No access to history of passwords
+#access to
+#  attrs=pwdHistory
+#    by * none
+
+# Catch-all ACL for the rest
+access to
+  dn.subtree=dc=example,dc=com
+    by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage
+    by self read
+    by users read
+    by * auth
+
+# see slapo-ppolicy(5)
+overlay ppolicy
+# Default password policy entry
+#ppolicy_default cn=ppolicy-default,ou=policies,dc=example,dc=com
+# Hash clear-text userPassword values sent in with add/modify operations
+#ppolicy_hash_cleartext
+# Return AccountLocked error code to client
+#ppolicy_use_lockout
+
+# see slapo-refint(5)
+overlay refint
+refint_attributes member seeAlso
+refint_nothing cn=dummy
+
+# Check sub-tree wide uniqueness of certain attributes
+# see slapo-unique(5)
+# you have to add eq-index for efficient uniqueness check!
+# Note that filter part is currently ignored because of OpenLDAP ITS#6825
+overlay unique
+unique_uri "ldap:///dc=example,dc=com?uid,uidNumber,homeDirectory?sub"
+unique_uri "ldap:///ou=groups,dc=example,dc=com?cn,gidNumber?sub?(|(objectClass=groupOfNames)(objectClass=posixGroup))"
+#unique_uri "ldap:///dc=example,dc=com?krbPrincipalName,krbPrincipalAlias?sub"
+#unique_uri "ldap:///dc=example,dc=com?ipHostNumber?sub"
+#unique_uri "ldap:///dc=example,dc=com?employeeNumber?sub"
+#unique_uri "ldap:///dc=example,dc=com?uniqueIdentifier?sub"
+
+#overlay syncprov
+#mirrormode on
+
+
+#---------------------------------------------------------------------------
+# cn=monitor // Monitoring database (always last!)
+# see slapd-monitor(5)
+#---------------------------------------------------------------------------
+
+database monitor
+
+access to
+  dn.subtree="cn=monitor"
+    by dn.exact="cn=root,dc=example,dc=com" write
+    by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" write
+    by users read