2017-01-28 16:42:22 +01:00
|
|
|
#
|
|
|
|
|
# See slapd.conf(5) for details on configuration options.
|
|
|
|
|
# This file should NOT be world readable.
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
#######################################################################
|
|
|
|
|
# Schemas
|
|
|
|
|
#######################################################################
|
|
|
|
|
|
|
|
|
|
include /etc/ldap/schema/core.schema
|
|
|
|
|
include /etc/ldap/schema/cosine.schema
|
|
|
|
|
include /etc/ldap/schema/inetorgperson.schema
|
|
|
|
|
include /etc/ldap/schema/kitchen.schema
|
|
|
|
|
include /etc/ldap/schema/misc.schema
|
2024-09-11 15:06:18 +02:00
|
|
|
include /etc/ldap/schema/namedobject.schema
|
2019-11-28 22:40:51 +01:00
|
|
|
include /etc/ldap/schema/nis.schema
|
|
|
|
|
include /etc/ldap/schema/openssh-lpk.schema
|
2017-01-28 16:42:22 +01:00
|
|
|
include /etc/ldap/schema/radius.schema
|
2019-11-28 22:40:51 +01:00
|
|
|
include /etc/ldap/schema/samba.schema
|
2017-01-28 16:42:22 +01:00
|
|
|
|
|
|
|
|
|
|
|
|
|
#######################################################################
|
|
|
|
|
# Files, logging, modules
|
|
|
|
|
#######################################################################
|
|
|
|
|
|
|
|
|
|
pidfile /var/run/slapd/slapd.pid
|
|
|
|
|
argsfile /var/run/slapd/slapd.args
|
|
|
|
|
|
|
|
|
|
#loglevel stats sync
|
|
|
|
|
loglevel sync
|
|
|
|
|
|
|
|
|
|
# Load dynamic backend modules:
|
|
|
|
|
modulepath /usr/lib/ldap
|
2023-09-20 22:38:24 +02:00
|
|
|
moduleload back_mdb.la
|
2024-09-11 15:06:18 +02:00
|
|
|
moduleload ppolicy.la
|
2017-01-30 20:00:37 +01:00
|
|
|
{% if slapd_role == 'master' %}
|
|
|
|
|
moduleload syncprov.la
|
|
|
|
|
{% endif %}
|
2017-01-28 16:42:22 +01:00
|
|
|
|
|
|
|
|
# Sample security restrictions
|
|
|
|
|
# Require integrity protection (prevent hijacking)
|
|
|
|
|
# Require 112-bit (3DES or better) encryption for updates
|
|
|
|
|
# Require 63-bit encryption for simple bind
|
|
|
|
|
# security ssf=1 update_ssf=112 simple_bind=64
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#######################################################################
|
|
|
|
|
# ACL
|
|
|
|
|
#######################################################################
|
|
|
|
|
|
2019-05-13 20:03:20 +02:00
|
|
|
access to dn.base=""
|
|
|
|
|
by * read
|
|
|
|
|
access to dn.base="cn=Subschema"
|
|
|
|
|
by * read
|
|
|
|
|
access to dn.one="ou=people,dc=binary-kitchen,dc=de" attrs=userPassword
|
|
|
|
|
by self write
|
|
|
|
|
by group="cn=admin,dc=binary-kitchen,dc=de" write
|
|
|
|
|
by anonymous auth
|
|
|
|
|
by * none
|
|
|
|
|
access to dn.one="ou=people,dc=binary-kitchen,dc=de" attrs=loginShell
|
|
|
|
|
by self write
|
|
|
|
|
by group="cn=admin,dc=binary-kitchen,dc=de" write
|
|
|
|
|
by users read
|
|
|
|
|
by * none
|
2019-05-17 08:25:14 +02:00
|
|
|
access to dn.sub="ou=people,dc=binary-kitchen,dc=de"
|
2019-05-13 20:03:20 +02:00
|
|
|
by group="cn=admin,dc=binary-kitchen,dc=de" write
|
|
|
|
|
by self read
|
|
|
|
|
by users read
|
|
|
|
|
by * none
|
|
|
|
|
access to dn.one="ou=groups,dc=binary-kitchen,dc=de" attrs=memberUid
|
|
|
|
|
by group="cn=admin,dc=binary-kitchen,dc=de" write
|
|
|
|
|
by self read
|
|
|
|
|
by users read
|
|
|
|
|
by * none
|
2017-01-28 16:42:22 +01:00
|
|
|
access to attrs=userPassword
|
|
|
|
|
by self write
|
|
|
|
|
by anonymous auth
|
2019-05-13 20:03:20 +02:00
|
|
|
by * none
|
2017-01-28 16:42:22 +01:00
|
|
|
access to attrs=loginShell
|
|
|
|
|
by self write
|
|
|
|
|
by users read
|
2019-05-13 20:03:20 +02:00
|
|
|
by * none
|
2017-01-28 16:42:22 +01:00
|
|
|
access to *
|
|
|
|
|
by self read
|
|
|
|
|
by users read
|
|
|
|
|
by * none
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#######################################################################
|
|
|
|
|
# TLS
|
|
|
|
|
#######################################################################
|
|
|
|
|
|
|
|
|
|
TLSCertificateFile /etc/ldap/ssl/srv.crt
|
|
|
|
|
TLSCertificateKeyFile /etc/ldap/ssl/srv.key
|
2018-09-20 18:30:42 +02:00
|
|
|
TLSCACertificateFile /etc/ssl/certs/ca-certificates.crt
|
|
|
|
|
TLSCACertificatePath /etc/ssl/certs
|
2017-01-28 16:42:22 +01:00
|
|
|
TLSCipherSuite NORMAL
|
|
|
|
|
TLSVerifyClient never
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#######################################################################
|
2023-09-20 22:38:24 +02:00
|
|
|
# MDB database definitions
|
2017-01-28 16:42:22 +01:00
|
|
|
#######################################################################
|
|
|
|
|
|
2023-09-20 22:38:24 +02:00
|
|
|
database mdb
|
2017-01-28 16:42:22 +01:00
|
|
|
suffix "{{ ldap_base }}"
|
|
|
|
|
# <kbyte> <min>
|
|
|
|
|
checkpoint 32 30
|
|
|
|
|
rootdn "cn=Manager,dc=binary-kitchen,dc=de"
|
2020-02-03 19:08:09 +01:00
|
|
|
rootpw {{ slapd_root_hash }}
|
2017-01-28 16:42:22 +01:00
|
|
|
# The database directory MUST exist prior to running slapd AND
|
|
|
|
|
# should only be accessible by the slapd and slap tools.
|
|
|
|
|
# Mode 700 recommended.
|
|
|
|
|
directory /var/lib/ldap
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#######################################################################
|
|
|
|
|
# Indices
|
|
|
|
|
#######################################################################
|
|
|
|
|
|
|
|
|
|
index objectClass eq
|
|
|
|
|
|
|
|
|
|
# Replication related
|
|
|
|
|
index entryCSN eq
|
|
|
|
|
index entryUUID eq
|
|
|
|
|
|
|
|
|
|
# Posix Users/Groups
|
|
|
|
|
index cn eq
|
|
|
|
|
index gidNumber eq
|
|
|
|
|
index memberUid eq
|
|
|
|
|
index uid eq
|
|
|
|
|
index uidNumber eq
|
|
|
|
|
|
|
|
|
|
# Mail
|
|
|
|
|
index mail eq
|
|
|
|
|
index mailAlternateAddress eq
|
|
|
|
|
|
|
|
|
|
|
2024-09-11 15:06:18 +02:00
|
|
|
#######################################################################
|
|
|
|
|
# Password Policies
|
|
|
|
|
#######################################################################
|
|
|
|
|
|
|
|
|
|
overlay ppolicy
|
|
|
|
|
ppolicy_default "cn=pp-default,ou=policies,dc=binary-kitchen,dc=de"
|
|
|
|
|
|
|
|
|
|
|
2017-01-30 20:00:37 +01:00
|
|
|
{% if slapd_role == 'master' %}
|
|
|
|
|
#######################################################################
|
|
|
|
|
# Replication
|
|
|
|
|
#######################################################################
|
|
|
|
|
|
|
|
|
|
overlay syncprov
|
|
|
|
|
syncprov-checkpoint 10 1
|
|
|
|
|
syncprov-sessionlog 100
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#######################################################################
|
|
|
|
|
# Samba Password Sync
|
|
|
|
|
#######################################################################
|
|
|
|
|
|
|
|
|
|
moduleload smbk5pwd.so
|
|
|
|
|
overlay smbk5pwd
|
|
|
|
|
smbk5pwd-enable samba
|
|
|
|
|
smbk5pwd-must-change 0
|
|
|
|
|
{% elif slapd_role == 'slave' %}
|
2017-01-28 16:42:22 +01:00
|
|
|
#######################################################################
|
|
|
|
|
# Replication Consumer
|
|
|
|
|
#######################################################################
|
|
|
|
|
|
2023-09-20 22:38:24 +02:00
|
|
|
syncrepl rid={{ slapd_replica_id }}
|
2017-01-28 16:42:22 +01:00
|
|
|
provider="ldaps://ldapm.binary.kitchen"
|
2019-02-23 23:55:35 +01:00
|
|
|
searchbase="{{ ldap_base }}"
|
2017-01-28 16:42:22 +01:00
|
|
|
type=refreshAndPersist
|
|
|
|
|
retry="5 10 30 +"
|
|
|
|
|
binddn="cn=Manager,dc=binary-kitchen,dc=de"
|
|
|
|
|
bindmethod=simple
|
2020-02-03 19:08:09 +01:00
|
|
|
credentials="{{ slapd_root_pass }}"
|
2017-01-28 16:42:22 +01:00
|
|
|
tls_reqcert=demand
|
2017-01-30 20:00:37 +01:00
|
|
|
{% endif %}
|
