88 lines
3.1 KiB
Plaintext
88 lines
3.1 KiB
Plaintext
|
# This file (slapd.conf) is the static configuration file of OpenLDAP server daemon.
|
||
|
#
|
||
|
# OpenLDAP daemon (slapd.service) supports two configuration styles:
|
||
|
# - Simple configuration with this file
|
||
|
# - Online configuration (OLC)
|
||
|
#
|
||
|
# You may choose the configuration style by setting it in:
|
||
|
# /etc/sysconfig/openldap OPENLDAP_CONFIG_BACKEND="files|ldap"
|
||
|
# If the value is set to "files", this configuration file will be used.
|
||
|
# If the value is set to "ldap", this configuration file will be entirely ignored, and
|
||
|
# the OLC configuration from /etc/openldap/slapd.d will be loaded.
|
||
|
#
|
||
|
# If you decide to use online configuration, please read the additional instructions in:
|
||
|
# /etc/openldap/slapd.conf.olctemplate
|
||
|
#
|
||
|
# Feel free to customise this file according to your needs, and start OpenLDAP
|
||
|
# server daemon by executing:
|
||
|
# systemctl start slapd.service
|
||
|
#
|
||
|
# To verify that LDAP service is running properly, try the following command:
|
||
|
# ldapsearch -x -D cn=Manager,dc=my-domain,dc=com -w secret -s base namingContexts
|
||
|
|
||
|
#
|
||
|
# See slapd.conf(5) for details on configuration options.
|
||
|
# See /etc/openldap/slapd.conf.example for more examples.
|
||
|
# This file should NOT be world readable.
|
||
|
#
|
||
|
|
||
|
pidfile /run/slapd/slapd.pid
|
||
|
argsfile /run/slapd/slapd.args
|
||
|
|
||
|
# The following schema files are often useful
|
||
|
include /etc/openldap/schema/core.schema
|
||
|
include /etc/openldap/schema/cosine.schema
|
||
|
include /etc/openldap/schema/inetorgperson.schema
|
||
|
include /etc/openldap/schema/rfc2307bis.schema
|
||
|
include /etc/openldap/schema/yast.schema
|
||
|
|
||
|
# Load backend modules such as databas engines
|
||
|
modulepath /usr/lib64/openldap
|
||
|
moduleload back_mdb.la
|
||
|
#moduleload back_hdb.la
|
||
|
#moduleload back_bdb.la
|
||
|
|
||
|
# Very important: define ACL to authorise client access
|
||
|
# The default settings permit rootdn to read and write, while other users
|
||
|
# may read the entire database or change their own password.
|
||
|
# If no ACL is present, everyone will be allowed to read the database.
|
||
|
# rootdn can always read and write everything.
|
||
|
access to dn.base=""
|
||
|
by * read
|
||
|
|
||
|
access to dn.base="cn=Subschema"
|
||
|
by * read
|
||
|
|
||
|
access to attrs=userPassword,userPKCS12
|
||
|
by self write
|
||
|
by * auth
|
||
|
|
||
|
access to attrs=shadowLastChange
|
||
|
by self write
|
||
|
by * read
|
||
|
|
||
|
access to *
|
||
|
by * read
|
||
|
|
||
|
# Define a LDAP database
|
||
|
database mdb
|
||
|
suffix "dc=my-domain,dc=com"
|
||
|
rootdn "cn=Manager,dc=my-domain,dc=com"
|
||
|
# Please avoid using clear text for root password
|
||
|
# See slappasswd(8) for instructions on creating a salted+hashed password
|
||
|
rootpw secret
|
||
|
# The database directory must exist prior to the start of OpenLDAP daemon
|
||
|
# The directory should be owned by ldap user and permission 0700 is recommended
|
||
|
directory /var/lib/ldap
|
||
|
# Indices to maintain
|
||
|
index objectClass eq
|
||
|
|
||
|
# Using TLS to secure communication between LDAP clients and the server is strongly recommended
|
||
|
# To enable TLS, first visit /etc/sysconfig/openldap and set OPENLDAP_START_LDAPS="yes", then
|
||
|
# set and uncomment the following lines:
|
||
|
#TLSProtocolMin 3.1
|
||
|
#TLSCipherSuite HIGH:!SSLv3:!SSLv2:!ADH
|
||
|
#TLSCACertificateFile /my/ca.crt
|
||
|
#TLSCertificateFile /my/tls.crt
|
||
|
#TLSCertificateKeyFile /my/tls.key
|