diff --git a/servers/slapd/slapd.conf b/servers/slapd/slapd.conf
index 4938b85..b9bec75 100644
--- a/servers/slapd/slapd.conf
+++ b/servers/slapd/slapd.conf
@@ -2,7 +2,11 @@
 # See slapd.conf(5) for details on configuration options.
 # This file should NOT be world readable.
 #
-include %SYSCONFDIR%/schema/core.schema
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/rfc2307bis.schema
+include /etc/openldap/schema/yast.schema
 
 # Define global ACLs to disable default read access.
 
@@ -10,13 +14,13 @@ include %SYSCONFDIR%/schema/core.schema
 # service AND an understanding of referrals.
 #referral ldap://root.openldap.org
 
-pidfile %LOCALSTATEDIR%/run/slapd.pid
-argsfile %LOCALSTATEDIR%/run/slapd.args
+pidfile /run/slapd/slapd.pid
+argsfile /run/slapd/slapd.args
 
 # Load dynamic backend modules:
-# modulepath %MODULEDIR%
+# modulepath /usr/lib/openldap
 # moduleload back_bdb.la
-# moduleload back_hdb.la
+moduleload back_hdb.la
 # moduleload back_ldap.la
 
 # Sample security restrictions
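Review bot: `moduleload back_hdb.la` is now active while `modulepath` stays commented out, so the load depends on slapd's compiled-in default module directory; if the packaged modules really live in `/usr/lib/openldap`, uncomment the line (`modulepath /usr/lib/openldap`) so the two directives stay in step. If this build links back_hdb statically there is no `.la` to load and the directive may prevent slapd from starting, which is worth confirming against the package's build options. The new `pidfile`/`argsfile` locations under `/run/slapd/` assume that directory is created with slapd's ownership before startup (tmpfs does not persist it); a one-line comment such as `# /run/slapd must be created at boot, owned by the slapd user` would make that dependency visible to whoever packages the init integration.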
@@ -26,20 +30,30 @@ argsfile %LOCALSTATEDIR%/run/slapd.args
 # security ssf=1 update_ssf=112 simple_bind=64
 
 # Sample access control policy:
-# Root DSE: allow anyone to read it
-# Subschema (sub)entry DSE: allow anyone to read it
-# Other DSEs:
-# Allow self write access
-# Allow authenticated users read access
-# Allow anonymous users to authenticate
-# Directives needed to implement policy:
-# access to dn.base="" by * read
-# access to dn.base="cn=Subschema" by * read
-# access to *
-# by self write
-# by users read
-# by anonymous auth
-#
+# Root DSE: allow anyone to read it
+# Subschema (sub)entry DSE: allow anyone to read it
+# Other DSEs:
+# Allow self write access to user password
+# Allow anonymous users to authenticate
+# Allow read access to everything else
+# Directives needed to implement policy:
+access to dn.base=""
+ by * read
+
+access to dn.base="cn=Subschema"
+ by * read
+
+access to attrs=userPassword,userPKCS12
+ by self write
+ by * auth
+
+access to attrs=shadowLastChange
+ by self write
+ by * read
+
+access to *
+ by * read
+
 # if no access controls are present, the default policy
 # allows anyone and everyone to read anything but restricts
 # updates to rootdn. (e.g., "access to * by * read")
@@ -50,8 +64,10 @@ argsfile %LOCALSTATEDIR%/run/slapd.args
 # BDB database definitions
 #######################################################################
 
-database bdb
+database hdb
 suffix "dc=my-domain,dc=com"
+checkpoint 1024 5
+cachesize 10000
 rootdn "cn=Manager,dc=my-domain,dc=com"
 # Cleartext passwords, especially for the rootdn, should
 # be avoid. See slappasswd(8) and slapd.conf(5) for details.
@@ -60,6 +76,6 @@ rootpw secret
 # The database directory MUST exist prior to running slapd AND
 # should only be accessible by the slapd and slap tools.
 # Mode 700 recommended.
-directory %LOCALSTATEDIR%/openldap-data
+directory /var/lib/ldap
 # Indices to maintain
 index objectClass eq
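Review bot: The closing rule `access to *` / `by * read` grants anonymous, unauthenticated clients read access to every entry and attribute not matched by an earlier rule, which is wider than the sample policy it replaces (`by users read` / `by anonymous auth`) and, with rfc2307bis.schema now included in the first hunk, exposes account and group data to anyone who can reach the listener. Unless anonymous browsing is a requirement, the rule should read `access to *` / `by users read` / `by anonymous auth`, which still lets clients bind while limiting directory contents to authenticated users. The same consideration applies to `access to attrs=shadowLastChange` / `by * read`, where `by users read` is the tighter choice. The comment block above the directives ("Allow read access to everything else") does at least document the looser policy, so if it is intentional the comment and rules agree.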
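Review bot: The database block is turned from a template into a deployable configuration (site paths, `hdb`, checkpoint and cache tuning), but the sample `rootdn` / `rootpw secret` pair — the latter visible as context in the following hunk's header — is left in place, so the shipped default carries a well-known cleartext directory-manager password that the adjacent comment itself warns against. Either comment `rootpw` out until the administrator sets one, or replace it with a hashed value produced by slappasswd(8), e.g. `rootpw {SSHA}<hash-from-slappasswd>`, as the existing comment recommends. A short comment above the new tuning lines stating their units, such as `# checkpoint <kbyte> <min>` and `# cachesize: entries kept in the entry cache`, would also help the next reader.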