root/trunk/configs/ldap/slapd.conf

Revision 42, 6.1 kB (checked in by bkuhn, 1 year ago)

# Formatting changes

1 # slapd.conf for Loblaw
2 # Copyright (C) 2005, 2006, 2007, Software Freedom Law Center, Inc.
3 #
4 # Permission to use, copy, modify, and/or distribute this software for any
5 # purpose with or without fee is hereby granted, provided that the above
6 # copyright notice and this permission notice appear in all copies.
7 #
8 # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
9 # WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
10 # WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
11 # AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
12 # DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA
13 # OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
14 # TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 # PERFORMANCE OF THIS SOFTWARE.
16 #
17 # License: ISC
18
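# ---------------------------------------------------------------------------
# TLS and bind security
# ---------------------------------------------------------------------------

# Cipher list for StartTLS / ldaps.  This is OpenSSL cipher-list syntax
# (a GnuTLS-linked slapd takes a different priority-string syntax).
#
# The previous value, "HIGH:+SSLv2:+SSLv3:+MEDIUM", was misleading: in this
# syntax a "+" only re-orders suites that are already selected, so it
# amounted to plain HIGH -- and HIGH on its own still admits the anonymous
# Diffie-Hellman (aNULL) suites, which encrypt without authenticating the
# server, and the SSLv2-era MD5-MAC 3DES suite.  Exclude those explicitly,
# along with null-encryption, export and low-grade suites.  Do NOT add
# "!SSLv3" here: in cipher-list syntax that keyword names the suites first
# defined for SSLv3 (i.e. most TLS 1.0/1.1 suites), not the protocol.
# 2.4-series slapd builds that accept it should additionally set
# "TLSProtocolMin 3.1" to refuse SSLv3 and earlier; it is not set here
# because older builds reject the directive and fail to start.
TLSCipherSuite HIGH:!aNULL:!eNULL:!MD5:!EXP:!LOW

# One combined PEM file holds the server certificate and its private key,
# and the same file is also named as the CA bundle, so the server cert is
# its own trust anchor (presumably self-signed -- confirm).  Because the
# private key lives in this file it must be owned by, and readable only
# by, the account slapd runs as (mode 0600), unlike a certificate-only
# file, which may normally be world-readable.
TLSCertificateFile      /etc/ldap/server.pem
TLSCertificateKeyFile   /etc/ldap/server.pem
TLSCACertificateFile    /etc/ldap/server.pem

# Client certificates are never requested; every client is identified by
# its bind (simple or SASL) and the ACLs below, not by TLS.
TLSVerifyClient never

# "noplain" refuses SASL mechanisms that are susceptible to simple passive
# attacks, i.e. the ones that send the password in the clear (PLAIN, LOGIN).
sasl-secprops noplain

# Simple binds send the password in the clear unless the connection is
# already under TLS.  They stay enabled because local clients (the
# uid=downloader / uid=lj rules in the ACLs are restricted to 127.0.0.1)
# bind over plain ldap://.  The proper fix is "security simple_bind=128"
# (demand ~128-bit SSF before accepting a simple bind), which also covers
# those loopback clients once they use StartTLS or move to ldapi://
# (which is credited with localSSF, see slapd.conf(5)).  Until then the
# cleartext-bind window is the main residual risk of this configuration.
#disallow bind_simple

# Scheme used for userPassword values set through the Password Modify
# extended operation (salted SHA-1).  Values written directly as attribute
# modifications are stored exactly as sent, so clients that set passwords
# themselves must hash them.  NOTE(review): newer slapd builds offer
# stronger schemes ({SSHA512} via the pw-sha2 module, or {CRYPT} with a
# SHA-512 crypt-salt-format); migrate when the server is upgraded.
password-hash  {SSHA}

# LDAPv2 binds are accepted.  v2 has neither StartTLS nor SASL, so a v2
# client can only ever perform a cleartext simple bind; remove this once
# no v2 clients remain.
allow bind_v2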
30
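# ---------------------------------------------------------------------------
# Schema
# ---------------------------------------------------------------------------
# Order matters: a schema file may only refer to attribute types and object
# classes defined in the files included before it (cosine, nis and
# inetorgperson build on core).
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
#include         /etc/ldap/schema/mozilla.schema
include         /etc/ldap/schema/misc.schema
# Site-local schema.  The emailPassword attribute referenced by the ACLs
# below is presumably defined in one of these two files -- confirm.
include         /etc/ldap/schema/loblawperson.schema
include         /etc/ldap/schema/publickey.schema

# Reject entries that violate the schema.  Newer slapd builds treat this as
# always on and may warn that the directive is obsolete; it is harmless.
schemacheck     on

# ---------------------------------------------------------------------------
# Global server settings
# ---------------------------------------------------------------------------
# pidfile, argsfile, loglevel, modulepath, moduleload and defaultsearchbase
# used to appear twice: once here and once again inside the "database bdb"
# section below, with two different argsfile paths
# (/home/ldap/run/slapd/slapd.args here, /var/run/slapd/slapd.args later).
# Each of them just sets a server-wide value, so the last occurrence read
# is the one in effect; the duplicates are removed and the argsfile path
# that came last (and was therefore the effective one) is kept.  Verify
# after a restart that /var/run/slapd/slapd.args is the file being written.
pidfile         /home/ldap/run/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Log connections, operations and results (256 == "stats").  This was 0,
# which leaves no record at all of who bound, from where, or which
# operations failed -- the minimum an incident responder needs and the
# only way to notice password guessing against the cleartext simple binds
# allowed above.  Raise to "stats acl" only while debugging ACLs.
# Read slapd.conf(5) for possible values
loglevel        256

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb

# Base used for a search request that arrives with an empty base DN.
defaultsearchbase       "ou=people,dc=example,dc=org"

# Upper bound on entries returned per search; it also bounds how expensive
# an unindexed search can get (see the index notes below).
sizelimit 1000
tool-threads 1

# ---------------------------------------------------------------------------
# BDB backend
# ---------------------------------------------------------------------------
backend         bdb
checkpoint 512 30

database        bdb

suffix          "dc=example,dc=org"

# The rootdn is exempt from every ACL in this file.  Its password hash is
# stored right here, in a file kept under version control and shown in a
# public Trac browser, so the hash has to be treated as disclosed: rotate
# it, and keep the replacement out of the repository -- either put the
# rootpw line in a separate file readable only by slapd's user and pull it
# in with "include", or drop rootpw and give the cn=root entry in the
# directory a userPassword of its own (slapd then checks rootdn binds
# against that entry).  The value is kept only so the image keeps working
# until that is done.
rootdn          "cn=root,dc=example,dc=org"
rootpw          {SSHA}4bAdjN1Q4VxtniRJ6ICNzEijUGcJNH3+

# The database directory holds every password hash in the directory; it
# must be owned by and readable only by slapd's user.
directory       "/home/ldap/example-org.db"

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM... I left it the same for the loblaw-test
#  image since it runs in QEMU
dbconfig set_cachesize 0 2097152 0

# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057
# for more information.

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indexing options for database #1
index           objectClass eq
index   cn              pres,eq
# NOTE(review): the role accounts the ACLs below refer to have uid= RDNs,
# and front-ends typically look users up by uid or mail.  Neither is
# indexed, so such searches scan the whole database (bounded only by
# sizelimit).  If those lookups exist, add "index uid,mail eq" and run
# slapindex with slapd stopped.

cachesize       2000

# Keep modifiersName / modifyTimestamp etc. maintained; they are the only
# per-entry audit trail in the directory, so leave this on.
lastmod         on

# Where to store the replica logs for database #1
# replogfile    /var/lib/ldap/replog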
107
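# ---------------------------------------------------------------------------
# Access control
# ---------------------------------------------------------------------------
# slapd walks the "access to" clauses in order and uses the FIRST one whose
# target (DN pattern plus attrs) matches the entry/attribute being
# checked; inside that clause the first matching "by" line decides.
# Anything no clause matches gets the implicit "by * none".  The rootdn is
# never subject to these rules.
#
# Regex patterns are anchored with ^...$ here.  An unanchored dn.regex
# matches anywhere inside the DN, and the original peername pattern
# "127.0.0.1" let each "." match any character.  Literal dots are written
# as "[.]" rather than "\." because the slapd.conf tokenizer consumes
# backslashes.  Fixed subjects use dn.exact, which needs no regex at all,
# and "all entries below X" targets use dn.children.  The anchored forms
# assume the flat layout these rules already imply (person entries with a
# cn= RDN directly under ou=staff, role accounts with a uid= RDN directly
# under ou=roles) -- confirm against the actual DIT before deploying.
#
# NOTE(review): "peername.ip=127.0.0.1" is the cleaner loopback test on
# slapd 2.3 and later, but it does not match IPv6-mapped peers, so the
# regex form is kept.
#
# uid=downloader (from the loopback interface only) can read every
# userPassword / emailPassword hash in the directory.  Whatever stores that
# account's credential is as sensitive as the rootpw and should be treated
# accordingly.

# Staff passwords: the owner may change it, anyone may authenticate against
# it, the web front-end may authenticate (bind/compare) against it, the
# loopback downloader may read the hash.  Being first, this clause -- not
# the "security-related attributes" clause further down -- governs
# userPassword for staff entries with a cn= RDN.
access to dn.regex="^cn=.*,ou=staff,ou=people,dc=example,dc=org$"
       attrs=userPassword
       by self write
       by anonymous auth
       by dn.exact="uid=apache,ou=roles,dc=example,dc=org" auth
       by dn.exact="uid=downloader,ou=roles,dc=example,dc=org" peername.regex="127[.]0[.]0[.]1" read

# Role-account passwords: readable (not writable) by the account itself,
# usable for authentication by anyone, dumpable by the loopback downloader.
#
# Note from the original author, reworded: emailPassword is declared with
# SUP userPassword in the site schema (i.e. it is a subtype of
# userPassword), so for emailPassword to be readable, userPassword has to
# be readable as well.
access to dn.regex="^uid=.*,ou=roles,dc=example,dc=org$"
       attrs=userPassword
       by self read
       by anonymous auth
       by dn.exact="uid=downloader,ou=roles,dc=example,dc=org" peername.regex="127[.]0[.]0[.]1" read

# Everything else a role account may see about itself.  userPassword used
# to be listed here too, but the clause above already matches it for these
# DNs and wins, so the repeat had no effect and is dropped.
access to dn.regex="^uid=.*,ou=roles,dc=example,dc=org$"
       attrs=cn,entry,uid,mail,displayName,emailPassword
       by self read
       by anonymous auth
       by dn.exact="uid=downloader,ou=roles,dc=example,dc=org" peername.regex="127[.]0[.]0[.]1" read

# This next clause makes sure that other users, while they may get
# access to various fields in the staff account, don't get access to a
# few key security-related ones from the posixAccount objectClass.
# The owner may read them, other staff may not, the loopback downloader
# may; nobody else (uid=apache included) matches, so they get "none".
access to dn.children="ou=staff,ou=people,dc=example,dc=org"
       attrs=userPassword,homeDirectory,loginShell,emailPassword
       by self read
       by dn.regex="^cn=.*,ou=staff,ou=people,dc=example,dc=org$" none
       by dn.exact="uid=downloader,ou=roles,dc=example,dc=org" peername.regex="127[.]0[.]0[.]1" read

# Account attributes the web front-end, uid=lj (loopback only) and other
# staff may read.  homeDirectory was listed here as well, but the clause
# above matches it first and grants those readers nothing, so it never had
# any effect here; it is dropped so the file does not promise access it
# does not give.  If apache/lj/staff genuinely need homeDirectory (e.g.
# for NSS), remove it from the clause above instead.
access to dn.children="ou=staff,ou=people,dc=example,dc=org"
        attrs=entry,cn,uid,gidNumber,uidNumber,displayName,objectClass,mail,givenName,sn
        by dn.exact="uid=apache,ou=roles,dc=example,dc=org" read
        by dn.exact="uid=lj,ou=roles,dc=example,dc=org" peername.regex="127[.]0[.]0[.]1" read
        by dn.regex="^cn=.*,ou=staff,ou=people,dc=example,dc=org$" read
        by dn.exact="uid=downloader,ou=roles,dc=example,dc=org" peername.regex="127[.]0[.]0[.]1" read

# Any remaining attribute of a staff entry: other staff and the downloader.
# This clause originally began with a leading space.  slapd treats a line
# that starts with whitespace as a continuation of the previous logical
# line, and it appears to have been saved only by the blank line before
# it; the space is removed so the clause cannot be glued onto the one
# above by an innocent edit.
access to dn.children="ou=staff,ou=people,dc=example,dc=org"
        by dn.regex="^cn=.*,ou=staff,ou=people,dc=example,dc=org$" read
        by dn.exact="uid=downloader,ou=roles,dc=example,dc=org" peername.regex="127[.]0[.]0[.]1" read

# Mail aliases and mail accounts: only the loopback downloader.
access to dn.regex="^cn=.*,ou=mailAliases,ou=groups,dc=example,dc=org$"
        by dn.exact="uid=downloader,ou=roles,dc=example,dc=org" peername.regex="127[.]0[.]0[.]1" read

access to dn.regex="^cn=.*,ou=emailAccounts,ou=roles,dc=example,dc=org$"
        by dn.exact="uid=downloader,ou=roles,dc=example,dc=org" peername.regex="127[.]0[.]0[.]1" read

# Other groups: readable by the web front-end and by staff.  The
# mailAliases clause above must stay before this one: a
# cn=...,ou=mailAliases,ou=groups,... DN also matches this pattern, and
# without that ordering apache and staff could read the alias tables.
access to dn.regex="^cn=.*,ou=groups,dc=example,dc=org$"
       by dn.exact="uid=apache,ou=roles,dc=example,dc=org" read
       by dn.regex="^cn=.*,ou=staff,ou=people,dc=example,dc=org$" read

# Ensure read access to the base for things like supportedSASLMechanisms.
# Without this you may have problems with SASL not knowing what mechanisms
# are available and the like.  (The Debian template text that used to sit
# below this line referred to an "access to *" clause granting the same;
# there is no such clause in this file, so this one is required.)
access to dn.base="" by * read

# Make the default explicit: anything not matched above -- including the
# container entries ou=people, ou=staff, ou=roles, ou=groups and the suffix
# itself -- is invisible to every non-root bind.  NOTE(review): if subtree
# searches based at those containers fail with insufficientAccess, grant
# "search" on their entry attribute rather than widening the clauses above.
access to * by * none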