# This file (slapd.conf) is the static configuration file of OpenLDAP server daemon. # # OpenLDAP daemon (slapd.service) supports two configuration styles: # - Simple configuration with this file # - Online configuration (OLC) # # You may choose the configuration style by setting it in: # /etc/sysconfig/openldap OPENLDAP_CONFIG_BACKEND="files|ldap" # If the value is set to "files", this configuration file will be used. # If the value is set to "ldap", this configuration file will be entirely ignored, and # the OLC configuration from /etc/openldap/slapd.d will be loaded. # # If you decide to use online configuration, please read the additional instructions in: # /etc/openldap/slapd.conf.olctemplate # # Feel free to customise this file according to your needs, and start OpenLDAP # server daemon by executing: # systemctl start slapd.service # # To verify that LDAP service is running properly, try the following command: # ldapsearch -x -D cn=Manager,dc=my-domain,dc=com -w secret -s base namingContexts # # See slapd.conf(5) for details on configuration options. # See /etc/openldap/slapd.conf.example for more examples. # This file should NOT be world readable. # pidfile /run/slapd/slapd.pid argsfile /run/slapd/slapd.args # The following schema files are often useful include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/rfc2307bis.schema include /etc/openldap/schema/yast.schema # Load backend modules such as databas engines modulepath /usr/lib64/openldap moduleload back_mdb.la #moduleload back_hdb.la #moduleload back_bdb.la # Very important: define ACL to authorise client access # The default settings permit rootdn to read and write, while other users # may read the entire database or change their own password. # If no ACL is present, everyone will be allowed to read the database. # rootdn can always read and write everything. access to dn.base="" by * read access to dn.base="cn=Subschema" by * read access to attrs=userPassword,userPKCS12 by self write by * auth access to attrs=shadowLastChange by self write by * read access to * by * read # Define a LDAP database database mdb suffix "dc=my-domain,dc=com" rootdn "cn=Manager,dc=my-domain,dc=com" # Please avoid using clear text for root password # See slappasswd(8) for instructions on creating a salted+hashed password rootpw secret # The database directory must exist prior to the start of OpenLDAP daemon # The directory should be owned by ldap user and permission 0700 is recommended directory /var/lib/ldap # Indices to maintain index objectClass eq # Using TLS to secure communication between LDAP clients and the server is strongly recommended. # To enable TLS, you will need CA certificate, server certificate, and certificate key, and # write down their paths below, make sure the files are readable by user "ldap". # The server will then support StartTLS on standard port 389. # To also serve LDAPS on port 636, set OPENLDAP_START_LDAPS="yes" in /etc/sysconfig/openldap. #TLSProtocolMin 3.1 #TLSCipherSuite HIGH:!SSLv3:!SSLv2:!ADH #TLSCACertificateFile /my/ca.crt #TLSCertificateFile /my/tls.crt #TLSCertificateKeyFile /my/tls.key