#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Jinja2 template for slapd.conf (rendered per host by the slapd role).
# Template variables used below:
#   slapd_role      - 'master' or 'slave'; selects the replication block at the end
#   ldap_base       - database suffix and the consumer's searchbase
#   slapd_root_hash - hashed rootpw for the local database
#   slapd_root_pass - clear-text rootdn password, written only into the
#                     consumer's syncrepl credentials= on slaves
# Because slaves end up with a clear-text password in this file, the rendered
# file must be readable by the slapd user only (see the "NOT world readable" note).
#
# NOTE(review): this listing shows no leading whitespace; in the real template
# every "by ..." line and every syncrepl parameter line must be a continuation
# line (start with whitespace), otherwise slapd fails to parse the file.
#######################################################################
# Schemas
#######################################################################
# Schema order matters: a schema may only reference attribute types and
# object classes defined in schemas included above it.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/kitchen.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openssh-lpk.schema
include /etc/ldap/schema/radius.schema
include /etc/ldap/schema/samba.schema
#######################################################################
# Files, logging, modules
#######################################################################
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# Only replication events are logged; "stats" is kept commented out to avoid
# logging every client operation (and its bind DNs) on the production hosts.
#loglevel stats sync
loglevel sync
# Load dynamic backend modules:
modulepath /usr/lib/ldap
# NOTE(review): back_hdb (BerkeleyDB) was deprecated in OpenLDAP 2.4 and
# removed in 2.5; back_mdb is its replacement. Confirm the target OpenLDAP
# version before reusing this template.
moduleload back_hdb.la
# The syncprov overlay (used in the master-only block below) needs its module
# loaded here, in the global section, before any "database" directive.
{% if slapd_role == 'master' %}
moduleload syncprov.la
{% endif %}
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# NOTE(review): with the "security" line left commented out, nothing in this
# file stops a simple bind (clear-text password) over a plain ldap:// listener;
# transport protection then depends entirely on which listeners slapd is
# started with. Uncommenting a "security ... simple_bind=..." line enforces it
# server-side.
#######################################################################
# ACL
#######################################################################
# ACLs are evaluated in order: the first "access to" clause whose target
# (dn/attrs) matches an entry decides, and within it the first matching "by"
# clause wins. The ou=people / ou=groups rules therefore must stay above the
# generic "attrs=" rules and the final "access to *" catch-all.
#
# "by group=..." refers to cn=admin,dc=binary-kitchen,dc=de as a group; with no
# objectclass/attribute qualifier slapd expects a groupOfNames entry listing
# its members in "member" (see slapd.access(5)).
#
# NOTE(review): all DNs below, plus rootdn and the consumer binddn, hard-code
# dc=binary-kitchen,dc=de while suffix/searchbase use {{ ldap_base }}. If
# ldap_base ever differs from that DN, these rules silently stop matching and
# only the "access to *" rule applies.
#
# rootDSE and subschema: readable by everyone (needed for client discovery).
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
# People: passwords are never readable; anonymous may only use them for bind
# ("auth"), the owner and the admin group may change them.
access to dn.one="ou=people,dc=binary-kitchen,dc=de" attrs=userPassword
by self write
by group="cn=admin,dc=binary-kitchen,dc=de" write
by anonymous auth
by * none
# Users may change their own login shell; other authenticated users can see it.
access to dn.one="ou=people,dc=binary-kitchen,dc=de" attrs=loginShell
by self write
by group="cn=admin,dc=binary-kitchen,dc=de" write
by users read
by * none
# Everything else under ou=people: admin writes, authenticated users read.
# "self read" is listed explicitly although "users read" already covers it.
access to dn.sub="ou=people,dc=binary-kitchen,dc=de"
by group="cn=admin,dc=binary-kitchen,dc=de" write
by self read
by users read
by * none
# Group membership: only the admin group may change memberUid.
access to dn.one="ou=groups,dc=binary-kitchen,dc=de" attrs=memberUid
by group="cn=admin,dc=binary-kitchen,dc=de" write
by self read
by users read
by * none
# Fallback rules for userPassword / loginShell on entries outside ou=people
# (the ou=people entries were already matched above).
access to attrs=userPassword
by self write
by anonymous auth
by * none
access to attrs=loginShell
by self write
by users read
by * none
# Catch-all: no anonymous read of the directory.
access to *
by self read
by users read
by * none
#######################################################################
# TLS
#######################################################################
# Server certificate and private key; the key file must be readable by the
# slapd user only.
TLSCertificateFile /etc/ldap/ssl/srv.crt
TLSCertificateKeyFile /etc/ldap/ssl/srv.key
# CA material is mainly used to verify client certificates; since
# TLSVerifyClient is "never" below, no client certificate is ever requested.
TLSCACertificateFile /etc/ssl/certs/ca-certificates.crt
TLSCACertificatePath /etc/ssl/certs
# NOTE(review): on GnuTLS-linked builds (Debian/Ubuntu) this is a GnuTLS
# priority string; NORMAL is the library default set and may still admit
# legacy protocol versions/ciphers depending on the GnuTLS release. Consider a
# stricter priority string (see gnutls_priority_init(3)) and confirm the
# effective set with the installed library.
TLSCipherSuite NORMAL
TLSVerifyClient never
#######################################################################
# BDB database definitions
#######################################################################
database hdb
suffix "{{ ldap_base }}"
# <kbyte> <min>
checkpoint 32 30
# rootdn bypasses every ACL above; it is also the identity the consumer uses
# to replicate (see the slave block below).
rootdn "cn=Manager,dc=binary-kitchen,dc=de"
# slapd_root_hash should be a pre-hashed value (e.g. slappasswd output); a
# clear-text value here would be stored as such in the rendered file.
rootpw {{ slapd_root_hash }}
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
#######################################################################
# Indices
#######################################################################
# Equality indices only; attributes searched with substring filters would
# additionally need "sub".
index objectClass eq
# Replication related
index entryCSN eq
index entryUUID eq
# Posix Users/Groups
index cn eq
index gidNumber eq
index memberUid eq
index uid eq
index uidNumber eq
# Mail
index mail eq
index mailAlternateAddress eq
{% if slapd_role == 'master' %}
#######################################################################
# Replication
#######################################################################
# Provider side: syncprov serves the consumers' refreshAndPersist sessions.
overlay syncprov
# Write the contextCSN to the database every 10 operations or 1 minute.
syncprov-checkpoint 10 1
# Keep the last 100 write operations so reconnecting consumers can catch up
# without a full refresh.
syncprov-sessionlog 100
#######################################################################
# Samba Password Sync
#######################################################################
# NOTE(review): moduleload is a global directive; this one sits after the
# "database hdb" line. Confirm the target slapd accepts it here, otherwise
# move it up next to the other moduleload lines.
moduleload smbk5pwd.so
# Keep the Samba NT/LM password attributes in step with userPassword changes.
overlay smbk5pwd
smbk5pwd-enable samba
smbk5pwd-must-change 0
{% elif slapd_role == 'slave' %}
#######################################################################
# Replication Consumer
#######################################################################
# NOTE(review): the consumer binds to the provider as the provider's rootdn,
# i.e. an identity that bypasses all ACLs, using a clear-text password kept in
# this file. A dedicated replication account with read-only ACLs on the
# provider would limit what a compromised slave can do.
# tls_reqcert=demand verifies the provider certificate; with no tls_cacert
# given it must chain to the system CA store.
# NOTE(review): there is no "updateref" for the consumer, so write attempts
# against a slave are refused instead of being referred to the provider;
# consider adding one pointing at the provider URL.
# retry="5 10 30 +": retry every 5 s ten times, then every 30 s indefinitely.
syncrepl rid=1
provider="ldaps://ldapm.binary.kitchen"
searchbase="{{ ldap_base }}"
type=refreshAndPersist
retry="5 10 30 +"
binddn="cn=Manager,dc=binary-kitchen,dc=de"
bindmethod=simple
credentials="{{ slapd_root_pass }}"
tls_reqcert=demand
{% endif %}