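# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable: it carries the rootdn
# password hash (see "rootpw" in the database section).

# Schema files. Order matters: a schema must be loaded after the
# schemas whose attribute/object class definitions it references.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
#include        /etc/openldap/schema/misc.schema
#include        /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/krb5-kdc.schema

# -1 enables every debug category. This is extremely verbose and writes
# operation details (bind DNs, search filters) to syslog; lower it for
# production, e.g. "loglevel stats" (256) logs connections, operations
# and results only.
loglevel        -1

# Misc options

# Maximum number of entries to return from a search operation. Useful
# to prevent trolling of directory by spammers, etc.
sizelimit       20

# Maximum size of the primary thread pool.
threads         8

# Accept LDAPv2 bind requests. LDAPv2 is deprecated; keep this only
# while legacy clients still need it.
allow           bind_v2

# Global ACLs ("access to" directives) are defined further down,
# before the database section.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.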
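#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath      /usr/lib/openldap/openldap
# moduleload    back_shell.so
# moduleload    back_relay.so
# moduleload    back_perl.so
# back_passwd is loaded but no "database passwd" section follows in this
# file; remove the line if that backend is not used.
moduleload      back_passwd.so
# moduleload    back_null.so
# moduleload    back_monitor.so
# moduleload    back_meta.so
moduleload      back_hdb.so
# moduleload    back_dnssrv.so

# Require 64-bit encryption (SSF >= 64) for simple binds and SSF >= 112
# for updates, globally. Currently only "security simple_bind=64" at the
# end of the file is active, and it applies to the hdb database alone.
# security ssf=1 update_ssf=112 simple_bind=64

# Mapping of SASL authentication identities to LDAP entries.
# Rules are tried in order; the first regexp that matches is used.
# NOTE(review): the first rule handles identities that carry an explicit
# realm (uid=X,cn=REALM,cn=MECH,cn=auth) and derives the search base
# dc=$2,dc=gr from that client-supplied realm; the second rule only
# handles identities without a realm component. Confirm this is intended.
sasl-regexp uid=(.*),cn=(.*),cn=.*,cn=auth ldap:///dc=$2,dc=gr??sub?(|(uid=$1)(cn=$1@$2))
sasl-regexp uid=(.*),cn=.*,cn=auth ldap:///dc=teipir,dc=gr??sub?(|(uid=$1)(krb5PrincipalName=$1@TEIPIR.GR))
# Local root connecting over ldapi:// (SASL EXTERNAL peer credentials)
# is mapped to the ldapmaster entry.
# NOTE(review): the spelling of the peercred identity (order of the
# uidNumber/gidNumber components) differs between OpenLDAP releases;
# verify with "ldapwhoami -Y EXTERNAL -H ldapi:///" on this host.
sasl-regexp uidnumber=0\\\+gidnumber=0,cn=peercred,cn=external,cn=auth cn=ldapmaster@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr

# Access control policy. Directives are evaluated in order and the first
# "access to" whose target matches the entry/attribute decides; within
# a directive the first matching "by" clause applies, and if none
# matches access is denied.
#   Root DSE and subschema subentry: readable by anyone (slapd default)
#   Kerberos key material: root/ldapmaster only
#   userPassword: usable for BIND, writable by the managers, not
#                 user editable (simple BIND relies on it)
#   everything else: self write, authenticated users read,
#                    anonymous may authenticate
# The previous rule here was "access to * by * write", which let any
# client, including anonymous ones, modify every entry and read the
# Kerberos keys.

# This is needed so sasl-regexp/GSSAPI works correctly
access to attrs=krb5PrincipalName
        by anonymous auth
        by users read

# Kerberos attributes may only be accessible to root/ldapmaster.
# NOTE(review): the attribute list on the original line was cut off
# ("krb$"); the entries below are the ones that survived. Add any that
# are missing so no key material falls through to the "access to *" rule.
access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew
        by dn="cn=ldapmaster@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr" write
        by * none

# We will be using userPassword to provide simple BIND access, so we
# don't want this to be user editable. The rootdn (cn=M@nSpi) bypasses
# ACLs and needs no entry here.
access to attrs=userPassword
        by dn="cn=Vlachakis Emmanouil,ou=Managers,dc=teipir,dc=gr" write
        by dn="cn=Oikonomakis Spyridwn,ou=Managers,dc=teipir,dc=gr" write
        by * auth

access to *
        by dn="cn=Vlachakis Emmanouil,ou=Managers,dc=teipir,dc=gr" write
        by dn="cn=Oikonomakis Spyridwn,ou=Managers,dc=teipir,dc=gr" write
        by self write
        by users read
        by anonymous auth

# CA signed certificate and server cert entries.
# OpenSSL cipher-list syntax: "+SSLv2" in the previous value only moved
# SSLv2 ciphers to the end of the list, it did not remove them; "!"
# excludes permanently. Anonymous (aNULL) suites are excluded as well.
TLSCipherSuite          HIGH:MEDIUM:!SSLv2:!aNULL
TLSCACertificateFile    /etc/ssl/certs/cacert.pem
TLSCertificateFile      /etc/openldap/ssl/voikocrt.pem
TLSCertificateKeyFile   /etc/openldap/ssl/voikokey.pem
# Use the following if client authentication is required.
# "try": a client certificate is requested; the session proceeds if none
# is sent, but is terminated if the certificate sent fails verification.
TLSVerifyClient try
# ... or not desired at all
#TLSVerifyClient never

#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB (hdb) database definitions
#######################################################################
database        hdb
suffix          dc=teipir,dc=gr
# checkpoint 32 30
rootdn          cn=M@nSpi,dc=teipir,dc=gr
#rootdn "cn=ldapmaster@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {SSHA}I3uStTuu03acS7E/Wp85xNBawCqzvgtY
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/openldap-data

# Indices to maintain. "index default" sets the index types applied by
# later "index" lines that list attributes without types (uid, uidNumber,
# gidNumber, memberUid, krb5PrincipalName, krb5PrincipalRealm below).
index default   eq,pres
index objectClass eq
index cn,sn,givenname,mail eq,pres,sub
index uid,uidNumber,gidNumber
index memberUid
index krb5PrincipalName,krb5PrincipalRealm

# Require SSF >= 64 (i.e. TLS) for simple binds against this database,
# so userPassword and the rootpw never travel in cleartext.
security        simple_bind=64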