forked from pool/openldap2
Jan Engelhardt
17245dd92c
- Backported one hunk from upstream commit fb9e6a81bbee as openldap2-fb9e6a81bbee.patch to fix incompatible pointer type being passed to a function which is diagnosed as an error by GCC 14. If the request is OK, please forward it to Factory soon so that we can switch the default compiler. Thanks! OBS-URL: https://build.opensuse.org/request/show/1190307 OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=323
355 lines
11 KiB
Plaintext
355 lines
11 KiB
Plaintext
############################################################################
|
|
# See slapd.conf(5) for details on configuration options.
|
|
# This file SHOULD NOT be world readable.
|
|
#
|
|
# Important note:
|
|
# You surely have to adjust some settings to meet your (security)
|
|
# requirements.
|
|
# At least you should replace suffix "dc=example,dc=com" by
|
|
# something meaningful for your setup.
|
|
# If you plan to use OpenLDAP server as backend for Samba and/or Kerberos
|
|
# KDC then you MUST add decent ACLs for protecting user credentials!
|
|
#
|
|
# Read the man pages before changing something!
|
|
#
|
|
# You can debug the config by running (as root while slapd stopped):
|
|
# /usr/sbin/slapd -f /etc/openldap/slapd.conf -u ldap -g ldap -h "ldapi:/// ldap://127.0.0.1" -d 65535
|
|
############################################################################
|
|
|
|
#---------------------------------------------------------------------------
|
|
# slapd global parameters
|
|
#---------------------------------------------------------------------------
|
|
|
|
# serverID must be unique across all provider replicas
|
|
# for using multi-master replication (MMR)
|
|
serverID 99
|
|
|
|
# only alter this when you know what you're doing
|
|
#threads 4
|
|
|
|
# Run-time files
|
|
pidfile /var/run/slapd/slapd.pid
|
|
argsfile /var/run/slapd/slapd.args
|
|
|
|
# for more debugging set:
|
|
#loglevel config stats stats2
|
|
loglevel stats
|
|
|
|
#---------------------------------------------------------------------------
|
|
# Load runtime loadable modules
|
|
#---------------------------------------------------------------------------
|
|
|
|
# Load additional backend modules installed by package 'openldap2'
|
|
# The following backends are statically built-in and therefore don't have
|
|
# to be loaded here:
|
|
# config, ldif, monitor, bdb, hdb, ldap, mdb, relay
|
|
#moduleload back_bdb
|
|
#moduleload back_hdb
|
|
moduleload back_mdb
|
|
#moduleload back_meta
|
|
#moduleload back_sock
|
|
|
|
# Load additional overlay modules installed by package 'openldap2'
|
|
# The following overlay are statically built-in and therefore don't have
|
|
# to be loaded here:
|
|
# ppolicy, syncprov
|
|
#moduleload accesslog
|
|
#moduleload constraint
|
|
#moduleload dds
|
|
#moduleload deref
|
|
#moduleload dynlist
|
|
#moduleload memberof
|
|
moduleload refint
|
|
#moduleload sssvlv
|
|
#moduleload translucent
|
|
moduleload unique
|
|
#moduleload valsort
|
|
|
|
# Load additional overlay modules installed by package 'openldap2-contrib'
|
|
#moduleload allowed
|
|
#moduleload lastbind
|
|
#moduleload noopsrch
|
|
#moduleload pw-pbkdf2
|
|
#moduleload pw-sha2
|
|
#moduleload smbk5pwd
|
|
|
|
#---------------------------------------------------------------------------
|
|
# Include schema files
|
|
#---------------------------------------------------------------------------
|
|
|
|
# Schema files installed by package 'openldap2'
|
|
include /etc/openldap/schema/core.schema
|
|
include /etc/openldap/schema/cosine.schema
|
|
include /etc/openldap/schema/inetorgperson.schema
|
|
include /etc/openldap/schema/rfc2307bis.schema
|
|
include /etc/openldap/schema/ppolicy.schema
|
|
#include /etc/openldap/schema/yast.schema
|
|
|
|
# Schema file installed by package 'dhcp-server'
|
|
#include /etc/openldap/schema/dhcp.schema
|
|
|
|
# Schema file installed by package 'samba'
|
|
#include /etc/openldap/schema/samba3.schema
|
|
|
|
# Schema file installed by package 'krb5-plugin-kdb-ldap'
|
|
#include /usr/share/doc/packages/krb5/kerberos.schema
|
|
|
|
#---------------------------------------------------------------------------
|
|
# Transport Layer Security (TLS) configuration
|
|
#---------------------------------------------------------------------------
|
|
|
|
# require at least TLS 1.0 and highly secure ciphers
|
|
#TLSProtocolMin 3.1
|
|
#TLSCipherSuite HIGH:!SSLv3:!SSLv2:!ADH
|
|
|
|
# TLS certificate and key files
|
|
#TLSCACertificateFile /etc/ssl/ca-bundle.pem
|
|
#TLSCertificateFile /etc/openldap/ssl.crt/server.crt
|
|
#TLSCertificateKeyFile /etc/openldap/ssl.key/server.key
|
|
|
|
# For enabling Perfect Forward Secrecy (PFS), see dhparam(1)
|
|
#TLSDHParamFile /etc/openldap/ssl.key/dhparam
|
|
|
|
#---------------------------------------------------------------------------
|
|
# Password hashing
|
|
#---------------------------------------------------------------------------
|
|
|
|
#password-hash {CRYPT}
|
|
# Parameters for {CRYPT} scheme: SHA-512, 72 bits) of salt, 5000 iterations
|
|
#password-crypt-salt-format "$6$%.12s"
|
|
|
|
#---------------------------------------------------------------------------
|
|
# Security requirements
|
|
#---------------------------------------------------------------------------
|
|
|
|
#disallow bind_anon
|
|
#require bind LDAPv3 strong
|
|
|
|
# SSF value for ldapi://
|
|
localSSF 256
|
|
|
|
# minimum required SSF value (security strength factor)
|
|
# Sample security restrictions
|
|
# Require integrity protection (prevent hijacking)
|
|
# Require 112-bit (3DES or better) encryption for updates
|
|
# Require 63-bit encryption for simple bind
|
|
# security ssf=1 update_ssf=112 simple_bind=64
|
|
#security ssf=128 update_ssf=256 simple_bind=128
|
|
security ssf=0
|
|
|
|
#---------------------------------------------------------------------------
|
|
# Global access control (ACLs)
|
|
#---------------------------------------------------------------------------
|
|
|
|
# Root DSE: allow anyone to read it
|
|
access to
|
|
dn.base=""
|
|
by * read
|
|
|
|
# Sub schema sub entry: allow anyone to read it
|
|
access to
|
|
dn.base="cn=Subschema"
|
|
by * read
|
|
|
|
#---------------------------------------------------------------------------
|
|
# Authz-DN mappings
|
|
#---------------------------------------------------------------------------
|
|
|
|
# If connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
|
|
# System user root is mapped to the rootdn in database dc=example,dc=com
|
|
# which has also read access on config and monitor databases
|
|
authz-regexp
|
|
"gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
|
|
"cn=root,dc=example,dc=com"
|
|
|
|
# Map local system user to LDAP entry
|
|
# if connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
|
|
authz-regexp
|
|
"gidnumber=([0-9]+)\\+uidnumber=([0-9]+),cn=peercred,cn=external,cn=auth"
|
|
"ldap:///dc=example,dc=com??sub?(&(objectClass=posixAccount)(uidNumber=$2)(gidNumber=$1))"
|
|
|
|
# this maps the attribute uid to a LDAP entry
|
|
# if one of the typical password-based SASL mechs was used
|
|
authz-regexp
|
|
"uid=([a-zA-Z0-9_-]+),cn=(DIGEST-MD5|CRAM-MD5|NTLM|PLAIN|LOGIN|SCRAM-SHA-1),cn=auth"
|
|
"ldap:///dc=example,dc=com??sub?(uid=$1)"
|
|
|
|
# this maps the attribute uid to a LDAP entry
|
|
# if one of the Kerberos based SASL mechs was used
|
|
#authz-regexp
|
|
# "uid=([a-zA-Z0-9_-]+),cn=(GSSAPI|GS2-KRB5|GS2-IAKERB),cn=auth"
|
|
# "ldap:///dc=example,dc=com??sub?(|(krbPrincipalName=$1)(krbPrincipalAlias=$1))"
|
|
|
|
# Map client cert subject DN to LDAP entry if SASL/EXTERNAL was used
|
|
#authz-regexp
|
|
# "(.+)"
|
|
# "ldap:///dc=example,dc=com??sub?(&(objectClass=pkiUser)(seeAlso=$1))"
|
|
|
|
|
|
#===========================================================================
|
|
# Database specific configuration sections below
|
|
# Required order of databases:
|
|
# config (first), ...others..., monitor (last)
|
|
#===========================================================================
|
|
|
|
|
|
#---------------------------------------------------------------------------
|
|
# cn=config // Configuration database (always first!)
|
|
# see slapd-config(5)
|
|
#---------------------------------------------------------------------------
|
|
|
|
database config
|
|
|
|
# Cleartext passwords, especially for the rootdn, should
|
|
# be avoid! See slappasswd(8) and slapd.conf(5) for details.
|
|
# Best thing is not to set rootpw at all!
|
|
# For local config access by root use LDAPI with SASL/EXTERNAL instead
|
|
# (see above).
|
|
#rootpw secret
|
|
|
|
access to
|
|
dn.subtree="cn=config"
|
|
by dn.exact="cn=root,dc=example,dc=com" manage
|
|
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" read
|
|
by * none
|
|
|
|
|
|
#---------------------------------------------------------------------------
|
|
# dc=example,dc=com // Example MDB database to be used by normal clients
|
|
# see slapd-mdb(5)
|
|
#---------------------------------------------------------------------------
|
|
|
|
database mdb
|
|
|
|
suffix "dc=example,dc=com"
|
|
|
|
# rootdn has to be set for overlays' internal operations
|
|
rootdn "cn=root,dc=example,dc=com"
|
|
|
|
# Cleartext passwords, especially for the rootdn, should
|
|
# be avoid! See slappasswd(8) and slapd.conf(5) for details.
|
|
# Best thing is not to set rootpw at all!
|
|
rootpw secret
|
|
|
|
# The database directory MUST exist prior to running slapd and
|
|
# SHOULD only be accessible by the slapd user 'ldap'.
|
|
# mkdir /var/lib/ldap/example-db && chown ldap:ldap /var/lib/ldap/example-db && chmod 0700 /var/lib/ldap/example-db
|
|
directory /var/lib/ldap/example-db
|
|
|
|
# Permissions of database files created
|
|
mode 0600
|
|
|
|
# extra information to be available in cn=monitor for this database
|
|
monitoring on
|
|
|
|
# Perform ACL checks on the content of a new entry being added
|
|
add_content_acl on
|
|
|
|
# backend-specific database parameters
|
|
checkpoint 1024 5
|
|
# 100 MB (you can raise the limit later)
|
|
maxsize 104857600
|
|
|
|
# Indices to maintain
|
|
#
|
|
# Whenever you change indexing configuration you have to re-run slapindex
|
|
# while slapd being stopped!
|
|
# Don't forget to fix ownership/permissions of newly generated index files
|
|
# afterwards!
|
|
|
|
# set always!
|
|
index objectClass eq
|
|
|
|
# for typical address book use
|
|
index cn,sn,givenName,mail eq,sub
|
|
|
|
# for user management
|
|
index uid,uidNumber,gidNumber eq
|
|
|
|
# for authz-regexp mapping of Kerberos principal name
|
|
#index krbPrincipalName,krbPrincipalAlias eq
|
|
|
|
# for authz-regexp mapping of client cert subject DNs
|
|
#index seeAlso eq
|
|
|
|
# for syncrepl
|
|
index entryUUID,entryCSN eq
|
|
|
|
# access control lists (ACLs) for dc=example,dc=com
|
|
# see slapd.access(5) for details on access control lists (ACLs)
|
|
|
|
# full read access also to 'userPassword' for group of replicas
|
|
# and control is forwarded to subsequent ACLs
|
|
access to
|
|
dn.subtree=dc=example,dc=com
|
|
by group.base="cn=slapd replicas,ou=groups,dc=example,dc=com" read
|
|
by * break
|
|
|
|
# write-only access to 'userPassword' for user, auth access else
|
|
access to
|
|
attrs=userPassword
|
|
by self =w
|
|
by * auth
|
|
|
|
# 'userPKCS' must only be accessible by self
|
|
access to
|
|
attrs=userPKCS12
|
|
by self write
|
|
by * none
|
|
|
|
# No access to history of passwords
|
|
#access to
|
|
# attrs=pwdHistory
|
|
# by * none
|
|
|
|
# Catch-all ACL for the rest
|
|
access to
|
|
dn.subtree=dc=example,dc=com
|
|
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage
|
|
by self read
|
|
by users read
|
|
by * auth
|
|
|
|
# see slapo-ppolicy(5)
|
|
overlay ppolicy
|
|
# Default password policy entry
|
|
#ppolicy_default cn=ppolicy-default,ou=policies,dc=example,dc=com
|
|
# Hash clear-text userPassword values sent in with add/modify operations
|
|
#ppolicy_hash_cleartext
|
|
# Return AccountLocked error code to client
|
|
#ppolicy_use_lockout
|
|
|
|
# see slapo-refint(5)
|
|
overlay refint
|
|
refint_attributes member seeAlso
|
|
refint_nothing cn=dummy
|
|
|
|
# Check sub-tree wide uniqueness of certain attributes
|
|
# see slapo-unique(5)
|
|
# you have to add eq-index for efficient uniqueness check!
|
|
# Note that filter part is currently ignored because of OpenLDAP ITS#6825
|
|
overlay unique
|
|
unique_uri "ldap:///dc=example,dc=com?uid,uidNumber,homeDirectory?sub"
|
|
unique_uri "ldap:///ou=groups,dc=example,dc=com?cn,gidNumber?sub?(|(objectClass=groupOfNames)(objectClass=posixGroup))"
|
|
#unique_uri "ldap:///dc=example,dc=com?krbPrincipalName,krbPrincipalAlias?sub"
|
|
#unique_uri "ldap:///dc=example,dc=com?ipHostNumber?sub"
|
|
#unique_uri "ldap:///dc=example,dc=com?employeeNumber?sub"
|
|
#unique_uri "ldap:///dc=example,dc=com?uniqueIdentifier?sub"
|
|
|
|
#overlay syncprov
|
|
#mirrormode on
|
|
|
|
|
|
#---------------------------------------------------------------------------
|
|
# cn=monitor // Monitoring database (always last!)
|
|
# see slapd-monitor(5)
|
|
#---------------------------------------------------------------------------
|
|
|
|
database monitor
|
|
|
|
access to
|
|
dn.subtree="cn=monitor"
|
|
by dn.exact="cn=root,dc=example,dc=com" write
|
|
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" write
|
|
by users read
|