pool/openldap2
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
a45efc1eb5
openldap2/slapd.conf.example
Jan Engelhardt 17245dd92c Accepting request 1190307 from home:jamborm:gcc14test-m 
- Backported one hunk from upstream commit fb9e6a81bbee as
  openldap2-fb9e6a81bbee.patch to fix incompatible pointer type being
  passed to a function which is diagnosed as an error by GCC 14.

If the request is OK, please forward it to Factory soon so that we can
switch the default compiler.  Thanks!

OBS-URL: https://build.opensuse.org/request/show/1190307
OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=323
2024-07-31 04:59:13 +00:00

355 lines
11 KiB
Plaintext
Raw Blame History

############################################################################
# See slapd.conf(5) for details on configuration options.
# This file SHOULD NOT be world readable.
#
# Important note:
# You surely have to adjust some settings to meet your (security)
# requirements.
# At least you should replace suffix "dc=example,dc=com" by
# something meaningful for your setup.
# If you plan to use OpenLDAP server as backend for Samba and/or Kerberos
# KDC then you MUST add decent ACLs for protecting user credentials!
#
# Read the man pages before changing something!
#
# You can debug the config by running (as root while slapd stopped):
# /usr/sbin/slapd -f /etc/openldap/slapd.conf -u ldap -g ldap -h "ldapi:/// ldap://127.0.0.1" -d 65535
############################################################################
#---------------------------------------------------------------------------
# slapd global parameters
#---------------------------------------------------------------------------
# serverID must be unique across all provider replicas
# for using multi-master replication (MMR)
serverID 99
# only alter this when you know what you're doing
#threads 4
# Run-time files
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# for more debugging set:
#loglevel config stats stats2
loglevel stats
#---------------------------------------------------------------------------
# Load runtime loadable modules
#---------------------------------------------------------------------------
# Load additional backend modules installed by package 'openldap2'
# The following backends are statically built-in and therefore don't have
# to be loaded here:
# config, ldif, monitor, bdb, hdb, ldap, mdb, relay
#moduleload back_bdb
#moduleload back_hdb
moduleload back_mdb
#moduleload back_meta
#moduleload back_sock
# Load additional overlay modules installed by package 'openldap2'
# The following overlay are statically built-in and therefore don't have
# to be loaded here:
# ppolicy, syncprov
#moduleload accesslog
#moduleload constraint
#moduleload dds
#moduleload deref
#moduleload dynlist
#moduleload memberof
moduleload refint
#moduleload sssvlv
#moduleload translucent
moduleload unique
#moduleload valsort
# Load additional overlay modules installed by package 'openldap2-contrib'
#moduleload allowed
#moduleload lastbind
#moduleload noopsrch
#moduleload pw-pbkdf2
#moduleload pw-sha2
#moduleload smbk5pwd
#---------------------------------------------------------------------------
# Include schema files
#---------------------------------------------------------------------------
# Schema files installed by package 'openldap2'
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/ppolicy.schema
#include /etc/openldap/schema/yast.schema
# Schema file installed by package 'dhcp-server'
#include /etc/openldap/schema/dhcp.schema
# Schema file installed by package 'samba'
#include /etc/openldap/schema/samba3.schema
# Schema file installed by package 'krb5-plugin-kdb-ldap'
#include /usr/share/doc/packages/krb5/kerberos.schema
#---------------------------------------------------------------------------
# Transport Layer Security (TLS) configuration
#---------------------------------------------------------------------------
# require at least TLS 1.0 and highly secure ciphers
#TLSProtocolMin 3.1
#TLSCipherSuite HIGH:!SSLv3:!SSLv2:!ADH
# TLS certificate and key files
#TLSCACertificateFile /etc/ssl/ca-bundle.pem
#TLSCertificateFile /etc/openldap/ssl.crt/server.crt
#TLSCertificateKeyFile /etc/openldap/ssl.key/server.key
# For enabling Perfect Forward Secrecy (PFS), see dhparam(1)
#TLSDHParamFile /etc/openldap/ssl.key/dhparam
#---------------------------------------------------------------------------
# Password hashing
#---------------------------------------------------------------------------
#password-hash {CRYPT}
# Parameters for {CRYPT} scheme: SHA-512, 72 bits) of salt, 5000 iterations
#password-crypt-salt-format "$6$%.12s"
#---------------------------------------------------------------------------
# Security requirements
#---------------------------------------------------------------------------
#disallow bind_anon
#require bind LDAPv3 strong
# SSF value for ldapi://
localSSF 256
# minimum required SSF value (security strength factor)
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
#security ssf=128 update_ssf=256 simple_bind=128
security ssf=0
#---------------------------------------------------------------------------
# Global access control (ACLs)
#---------------------------------------------------------------------------
# Root DSE: allow anyone to read it
access to
dn.base=""
by * read
# Sub schema sub entry: allow anyone to read it
access to
dn.base="cn=Subschema"
by * read
#---------------------------------------------------------------------------
# Authz-DN mappings
#---------------------------------------------------------------------------
# If connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
# System user root is mapped to the rootdn in database dc=example,dc=com
# which has also read access on config and monitor databases
authz-regexp
"gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
"cn=root,dc=example,dc=com"
# Map local system user to LDAP entry
# if connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
authz-regexp
"gidnumber=([0-9]+)\\+uidnumber=([0-9]+),cn=peercred,cn=external,cn=auth"
"ldap:///dc=example,dc=com??sub?(&(objectClass=posixAccount)(uidNumber=$2)(gidNumber=$1))"
# this maps the attribute uid to a LDAP entry
# if one of the typical password-based SASL mechs was used
authz-regexp
"uid=([a-zA-Z0-9_-]+),cn=(DIGEST-MD5|CRAM-MD5|NTLM|PLAIN|LOGIN|SCRAM-SHA-1),cn=auth"
"ldap:///dc=example,dc=com??sub?(uid=$1)"
# this maps the attribute uid to a LDAP entry
# if one of the Kerberos based SASL mechs was used
#authz-regexp
# "uid=([a-zA-Z0-9_-]+),cn=(GSSAPI|GS2-KRB5|GS2-IAKERB),cn=auth"
# "ldap:///dc=example,dc=com??sub?(|(krbPrincipalName=$1)(krbPrincipalAlias=$1))"
# Map client cert subject DN to LDAP entry if SASL/EXTERNAL was used
#authz-regexp
# "(.+)"
# "ldap:///dc=example,dc=com??sub?(&(objectClass=pkiUser)(seeAlso=$1))"
#===========================================================================
# Database specific configuration sections below
# Required order of databases:
# config (first), ...others..., monitor (last)
#===========================================================================
#---------------------------------------------------------------------------
# cn=config // Configuration database (always first!)
# see slapd-config(5)
#---------------------------------------------------------------------------
database config
# Cleartext passwords, especially for the rootdn, should
# be avoid! See slappasswd(8) and slapd.conf(5) for details.
# Best thing is not to set rootpw at all!
# For local config access by root use LDAPI with SASL/EXTERNAL instead
# (see above).
#rootpw secret
access to
dn.subtree="cn=config"
by dn.exact="cn=root,dc=example,dc=com" manage
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" read
by * none
#---------------------------------------------------------------------------
# dc=example,dc=com // Example MDB database to be used by normal clients
# see slapd-mdb(5)
#---------------------------------------------------------------------------
database mdb
suffix "dc=example,dc=com"
# rootdn has to be set for overlays' internal operations
rootdn "cn=root,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid! See slappasswd(8) and slapd.conf(5) for details.
# Best thing is not to set rootpw at all!
rootpw secret
# The database directory MUST exist prior to running slapd and
# SHOULD only be accessible by the slapd user 'ldap'.
# mkdir /var/lib/ldap/example-db && chown ldap:ldap /var/lib/ldap/example-db && chmod 0700 /var/lib/ldap/example-db
directory /var/lib/ldap/example-db
# Permissions of database files created
mode 0600
# extra information to be available in cn=monitor for this database
monitoring on
# Perform ACL checks on the content of a new entry being added
add_content_acl on
# backend-specific database parameters
checkpoint 1024 5
# 100 MB (you can raise the limit later)
maxsize 104857600
# Indices to maintain
#
# Whenever you change indexing configuration you have to re-run slapindex
# while slapd being stopped!
# Don't forget to fix ownership/permissions of newly generated index files
# afterwards!
# set always!
index objectClass eq
# for typical address book use
index cn,sn,givenName,mail eq,sub
# for user management
index uid,uidNumber,gidNumber eq
# for authz-regexp mapping of Kerberos principal name
#index krbPrincipalName,krbPrincipalAlias eq
# for authz-regexp mapping of client cert subject DNs
#index seeAlso eq
# for syncrepl
index entryUUID,entryCSN eq
# access control lists (ACLs) for dc=example,dc=com
# see slapd.access(5) for details on access control lists (ACLs)
# full read access also to 'userPassword' for group of replicas
# and control is forwarded to subsequent ACLs
access to
dn.subtree=dc=example,dc=com
by group.base="cn=slapd replicas,ou=groups,dc=example,dc=com" read
by * break
# write-only access to 'userPassword' for user, auth access else
access to
attrs=userPassword
by self =w
by * auth
# 'userPKCS' must only be accessible by self
access to
attrs=userPKCS12
by self write
by * none
# No access to history of passwords
#access to
# attrs=pwdHistory
# by * none
# Catch-all ACL for the rest
access to
dn.subtree=dc=example,dc=com
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage
by self read
by users read
by * auth
# see slapo-ppolicy(5)
overlay ppolicy
# Default password policy entry
#ppolicy_default cn=ppolicy-default,ou=policies,dc=example,dc=com
# Hash clear-text userPassword values sent in with add/modify operations
#ppolicy_hash_cleartext
# Return AccountLocked error code to client
#ppolicy_use_lockout
# see slapo-refint(5)
overlay refint
refint_attributes member seeAlso
refint_nothing cn=dummy
# Check sub-tree wide uniqueness of certain attributes
# see slapo-unique(5)
# you have to add eq-index for efficient uniqueness check!
# Note that filter part is currently ignored because of OpenLDAP ITS#6825
overlay unique
unique_uri "ldap:///dc=example,dc=com?uid,uidNumber,homeDirectory?sub"
unique_uri "ldap:///ou=groups,dc=example,dc=com?cn,gidNumber?sub?(|(objectClass=groupOfNames)(objectClass=posixGroup))"
#unique_uri "ldap:///dc=example,dc=com?krbPrincipalName,krbPrincipalAlias?sub"
#unique_uri "ldap:///dc=example,dc=com?ipHostNumber?sub"
#unique_uri "ldap:///dc=example,dc=com?employeeNumber?sub"
#unique_uri "ldap:///dc=example,dc=com?uniqueIdentifier?sub"
#overlay syncprov
#mirrormode on
#---------------------------------------------------------------------------
# cn=monitor // Monitoring database (always last!)
# see slapd-monitor(5)
#---------------------------------------------------------------------------
database monitor
access to
dn.subtree="cn=monitor"
by dn.exact="cn=root,dc=example,dc=com" write
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" write
by users read
Reference in New Issue View Git Blame Copy Permalink