Michael Ströder 1d9e87d5de Accepting request 593976 from home:zkalmar:branches:network:ldap
- bsc#1085064 Add script "openldap_update_modules_path.sh" which
  removes the configuration item olcModulePath in cn=config, which
  after an upgrade from SLE12 to SLE15 holds inappropriate
  information. If cn=config is being used on a system, the
  conflicting items in slapd.conf are ignored; despite that, the
  backend DB configuration section has also been commented out in
  the default slapd.conf.
  In case of a correct cn=config (the olcModulePath has already been
  removed), the script stops without touching anything.

OBS-URL: https://build.opensuse.org/request/show/593976
OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=207
2018-04-06 12:15:51 +00:00


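# This file (slapd.conf) is the static configuration file of OpenLDAP server daemon.
#
# OpenLDAP daemon (slapd.service) supports two configuration styles:
# - Simple configuration with this file
# - Online configuration (OLC)
#
# You may choose the configuration style by setting it in:
# /etc/sysconfig/openldap OPENLDAP_CONFIG_BACKEND="files|ldap"
# If the value is set to "files", this configuration file will be used.
# If the value is set to "ldap", this configuration file will be entirely ignored, and
# the OLC configuration from /etc/openldap/slapd.d will be loaded.
#
# If you decide to use online configuration, please read the additional instructions in:
# /etc/openldap/slapd.conf.olctemplate
#
# Feel free to customise this file according to your needs, and start OpenLDAP
# server daemon by executing:
# systemctl start slapd.service
#
# To verify that LDAP service is running properly, try the following command:
# ldapsearch -x -D cn=Manager,dc=my-domain,dc=com -w secret -s base namingContexts
#
# See slapd.conf(5) for details on configuration options.
# See /etc/openldap/slapd.conf.example for more examples.
# This file should NOT be world readable: it carries the "rootpw" credential below,
# so keep it owned by root:ldap with mode 0640 (or stricter).
#
# Syntax reminder from slapd.conf(5): a line that begins with white space is a
# continuation of the previous directive. The "by" clauses of the ACLs below
# therefore MUST be indented; at column 0 slapd would reject "by" as an unknown
# directive and refuse to start.
#
pidfile /run/slapd/slapd.pid
argsfile /run/slapd/slapd.args
# The following schema files are often useful
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/yast.schema
# Load backend modules such as database engines.
# Only needed when the backends are built as loadable modules; note that when
# OPENLDAP_CONFIG_BACKEND="ldap" is in use, these lines are ignored and the
# module path comes from olcModulePath in cn=config instead.
#modulepath /usr/lib64/openldap
#moduleload back_mdb.la
#moduleload back_hdb.la
#moduleload back_bdb.la
# Very important: define ACL to authorise client access
# The default settings permit rootdn to read and write, while other users
# may read the entire database or change their own password.
# If no ACL is present, everyone will be allowed to read the database.
# rootdn can always read and write everything.
# ACLs are evaluated in the order written and the first matching "access to"
# clause wins, so the specific attribute rules must stay above "access to *".
# "by *" matches every client, INCLUDING anonymous (unauthenticated) binds;
# with the defaults below the whole directory is readable without credentials.
# Use "by users read" instead of "by * read" if only authenticated clients
# should be able to read.
access to dn.base=""
	by * read
access to dn.base="cn=Subschema"
	by * read
# "auth" lets the attribute be used to authenticate a bind but never
# returns it in search results; only the entry itself may change it.
access to attrs=userPassword,userPKCS12
	by self write
	by * auth
access to attrs=shadowLastChange
	by self write
	by * read
access to *
	by * read
# Define a LDAP database
database mdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
# Please avoid using clear text for root password
# See slappasswd(8) for instructions on creating a salted+hashed password
# "secret" is only a placeholder matching the ldapsearch example above;
# replace it with the {SSHA} hash printed by slappasswd before the server is
# reachable by anything but local tests.
rootpw secret
# The database directory must exist prior to the start of OpenLDAP daemon
# The directory should be owned by ldap user and permission 0700 is recommended
directory /var/lib/ldap
# Indices to maintain
index objectClass eq
# Using TLS to secure communication between LDAP clients and the server is strongly recommended.
# To enable TLS, you will need CA certificate, server certificate, and certificate key, and
# write down their paths below, make sure the files are readable by user "ldap".
# The server will then support StartTLS on standard port 389.
# To also serve LDAPS on port 636, set OPENLDAP_START_LDAPS="yes" in /etc/sysconfig/openldap.
# TLSProtocolMin is written as <major>.<minor> of the SSL/TLS record version:
# 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2. TLS 1.0/1.1 are deprecated, so
# 3.3 is the recommended floor; lower it only for legacy clients you must support.
#TLSProtocolMin 3.3
#TLSCipherSuite HIGH:!SSLv3:!SSLv2:!ADH
#TLSCACertificateFile /my/ca.crt
#TLSCertificateFile /my/tls.crt
#TLSCertificateKeyFile /my/tls.key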