forked from jengelh/openldap2
87 lines
3.2 KiB
Plaintext
87 lines
3.2 KiB
Plaintext
# This file (slapd.conf) is the static configuration file of OpenLDAP server daemon.
|
|
#
|
|
# OpenLDAP daemon (slapd.service) supports two configuration styles:
|
|
# - Simple configuration with this file
|
|
# - Online configuration (OLC)
|
|
#
|
|
# You may choose the configuration style by setting it in:
|
|
# /etc/sysconfig/openldap OPENLDAP_CONFIG_BACKEND="files|ldap"
|
|
# If the value is set to "files", this configuration file will be used.
|
|
# If the value is set to "ldap", this configuration file will be entirely ignored, and
|
|
# the OLC configuration from /etc/openldap/slapd.d will be loaded.
|
|
#
|
|
# If you decide to use online configuration, please read the additional instructions in:
|
|
# /etc/openldap/slapd.conf.olctemplate
|
|
#
|
|
# Feel free to customise this file according to your needs, and start OpenLDAP
|
|
# server daemon by executing:
|
|
# systemctl start slapd.service
|
|
#
|
|
# To verify that LDAP service is running properly, try the following command:
|
|
# ldapsearch -x -D cn=Manager,dc=my-domain,dc=com -w secret -s base namingContexts
|
|
|
|
#
|
|
# See slapd.conf(5) for details on configuration options.
|
|
# See /etc/openldap/slapd.conf.example for more examples.
|
|
# This file should NOT be world readable.
|
|
#
|
|
|
|
pidfile /run/slapd/slapd.pid
|
|
argsfile /run/slapd/slapd.args
|
|
|
|
# The following schema files are often useful
|
|
include /etc/openldap/schema/core.schema
|
|
include /etc/openldap/schema/cosine.schema
|
|
include /etc/openldap/schema/inetorgperson.schema
|
|
include /etc/openldap/schema/rfc2307bis.schema
|
|
include /etc/openldap/schema/yast.schema
|
|
|
|
# Load backend modules such as database engines
|
|
moduleload back_mdb.la
|
|
|
|
# Very important: define ACL to authorise client access
|
|
# The default settings permit rootdn to read and write, while other users
|
|
# may read the entire database or change their own password.
|
|
# If no ACL is present, everyone will be allowed to read the database.
|
|
# rootdn can always read and write everything.
|
|
access to dn.base=""
|
|
by * read
|
|
|
|
access to dn.base="cn=Subschema"
|
|
by * read
|
|
|
|
access to attrs=userPassword,userPKCS12
|
|
by self write
|
|
by * auth
|
|
|
|
access to attrs=shadowLastChange
|
|
by self write
|
|
by * read
|
|
|
|
access to *
|
|
by * read
|
|
|
|
# Define a LDAP database
|
|
database mdb
|
|
suffix "dc=my-domain,dc=com"
|
|
rootdn "cn=Manager,dc=my-domain,dc=com"
|
|
# Please avoid using clear text for root password
|
|
# See slappasswd(8) for instructions on creating a salted+hashed password
|
|
rootpw secret
|
|
# The database directory must exist prior to the start of OpenLDAP daemon
|
|
# The directory should be owned by ldap user and permission 0700 is recommended
|
|
directory /var/lib/ldap
|
|
# Indices to maintain
|
|
index objectClass eq
|
|
|
|
# Using TLS to secure communication between LDAP clients and the server is strongly recommended.
|
|
# To enable TLS, you will need CA certificate, server certificate, and certificate key, and
|
|
# write down their paths below, make sure the files are readable by user "ldap".
|
|
# The server will then support StartTLS on standard port 389.
|
|
# To also serve LDAPS on port 636, set OPENLDAP_START_LDAPS="yes" in /etc/sysconfig/openldap.
|
|
#TLSProtocolMin 3.1
|
|
#TLSCipherSuite HIGH:!SSLv3:!SSLv2:!ADH
|
|
#TLSCACertificateFile /my/ca.crt
|
|
#TLSCertificateFile /my/tls.crt
|
|
#TLSCertificateKeyFile /my/tls.key
|