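#
# TDE slapd.conf template
#
# @@@NAME@@@ tokens are placeholders the installer substitutes when this
# template is rendered; they are not valid slapd.conf values as written.
# slapd.conf(5): a line beginning with whitespace continues the previous
# directive, so the "by" clauses of the access rule at the end are indented.

# Schema files. core.schema comes first; the later schemas build on it, and
# every attribute named in the indexes and ACLs below must be defined here.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/rfc2307bis.schema
include /etc/ldap/schema/rfc2739.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/qmail.schema
include /etc/ldap/schema/hdb.schema
include /etc/ldap/schema/dlz.schema
include /etc/ldap/schema/dhcp.schema
include /etc/ldap/schema/amavis.schema
include /etc/ldap/schema/ppolicy.schema

# Runtime state files under the Zivios prefix.
pidfile /opt/zivios/openldap/var/run/slapd.pid
argsfile /opt/zivios/openldap/var/run/slapd.args

# Accept LDAPv2 bind requests. NOTE(review): v2 is a legacy protocol;
# keep this only while a client that cannot speak LDAPv3 still needs it.
allow bind_v2
# 256 = stats: one line per connection, operation and result.
loglevel 256

# Dynamically loaded backend and overlay modules. Every overlay used under
# "database hdb" below must be loaded here first.
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload syncprov
moduleload back_monitor
moduleload auditlog
moduleload smbk5pwd
moduleload unique
moduleload ppolicy

# Maximum number of entries returned to a single search.
sizelimit 500
# Threads used by the slap* tools (slapadd, slapindex).
tool-threads 1

backend hdb

# cn=monitor backend. NOTE(review): no access directive is given for this
# database in this template; per slapd.conf(5) a database with no access
# rules falls back to slapd's default policy (everyone may read), so confirm
# whether cn=monitor is meant to be readable by unauthenticated clients.
database monitor

# cn=config backend, administered by the rootdn below. The same
# @@@ROOTPW_SHA@@@ placeholder is used for the realm rootdn further down, so
# one secret administers both the running configuration and the directory.
# {SHA} is unsalted SHA-1; {SSHA} (slappasswd's default) is the salted form
# slapd also accepts -- the choice is made where the placeholder is filled in.
database config
rootdn cn=config
rootpw {SHA}@@@ROOTPW_SHA@@@

# The realm directory.
database hdb
# Overlays are stacked: the one listed last is invoked first on each request.
overlay syncprov
overlay auditlog
overlay smbk5pwd
overlay unique
overlay ppolicy

# slapo-auditlog writes every change to this file in LDIF, so it can contain
# the same password and Kerberos key values the ACL below restricts;
# its filesystem permissions need to be as tight as the database directory's.
auditlog "/var/log/realmauditlog.txt"
suffix "@@@REALM_DCNAME@@@"
rootdn "cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@"
rootpw {SHA}@@@ROOTPW_SHA@@@

# Checkpoint the BDB transaction log every 512 KB written or 30 minutes.
checkpoint 512 30
directory "/var/ldap-realm-database"

# BDB tuning: 2 MiB cache (0 GB + 2097152 bytes, one segment) and lock
# table sizes.
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500

# Indexes. uid and objectClass carry eq indexes, which is what the
# authz-regexp search filter below needs.
index accountStatus eq
index mailHost eq
index cn eq,pres,subinitial
index mail eq,pres
index mailAlternateAddress eq,pres
index objectClass eq
index uid pres,eq
index uidNumber eq
index gidNumber eq

# Maintain creatorsName/createTimestamp/modifiersName/modifyTimestamp.
lastmod on
# slapo-unique: reject writes that would duplicate any of these values
# across the database. (unique_attributes is the older form; slapo-unique(5)
# also documents unique_uri.)
unique_attributes mail uid uidNumber

# TLS server credentials.
TLSCertificateFile @@@LDAPPEMFILE@@@
TLSCertificateKeyFile @@@LDAPPEMKEYFILE@@@

# SASL. minssf=0 does not require a SASL security layer; presumably
# confidentiality is expected to come from TLS instead -- confirm that
# clients are in fact required to use it.
sasl-realm @@@REALM_UCNAME@@@
sasl-host @@@ADMINSERVER@@@
sasl-secprops minssf=0

# Map a GSSAPI identity uid@REALM to the posixAccount with that uid, via a
# subtree search of the suffix.
authz-regexp uid=(.*),cn=@@@REALM_LCNAME@@@,cn=gssapi,cn=auth ldap:///@@@REALM_DCNAME@@@??sub?(&(uid=$1)(objectClass=posixAccount))
# Map a local uid 0 peer on the ldapi socket to the admin user, i.e. root on
# this host administers the directory without a separate credential.
# NOTE(review): ".*+" leaves the "+" unescaped; adjacent repetition operators
# are undefined in POSIX ERE (glibc tolerates them). The OpenLDAP admin guide
# writes this match as gidNumber=0\+uidNumber=0 -- confirm how the slapd.conf
# tokenizer treats the backslash before changing it.
authz-regexp "gidNumber=.*+uidNumber=0,cn=peercred,cn=external,cn=auth" "uid=@@@ADMINUSER@@@,ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@"

#
# ACL Section
#
# "by" clauses are evaluated in order; the first one that matches decides.
# These attributes hold password hashes and Kerberos key material, so this
# rule is what governs read and write access to credentials.
# NOTE(review): sockurl matches the listener a client connected to, not the
# identity it bound with, so any connection on the ldapi socket -- including
# an anonymous one -- is granted write here; the socket's filesystem
# permissions are the only gate. If "local root" is what is meant, a
# peercred-based dn clause (as in the authz-regexp above) expresses that.
# NOTE(review): "by self write" also covers krb5KDCFlags, krb5MaxLife and
# krb5MaxRenew, so a user may change their own Kerberos policy attributes,
# not only their password; confirm that is intended.
access to attrs=userPassword,shadowLastChange,krb5Key,krb5PrincipalName,krb5KeyVersionNumber,krb5MaxLife,krb5MaxRenew,krb5KDCFlags
	by dn="uid=@@@ADMINUSER@@@,ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@" write
	by group/groupOfNames/member.exact="cn=@@@ADMINGROUP@@@,ou=groups,ou=core,ou=realm,@@@REALM_DCNAME@@@" write
	by sockurl.regex="^ldapi:///$" write
	by anonymous auth
	by self write
	by * none

# Root DSE is readable by everyone (needed for feature discovery).
# Further access directives for the rest of the DIT may follow outside
# this view of the template.
access to dn="" by * read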