# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable: it may hold rootpw and other secrets.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default; LDAPv2 is obsolete, so enable it only for legacy clients that still need it.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however. Use a CA-issued certificate in production; the SSLv3 cipher-suite example below is obsolete and should not be used.
#TLSCertificateFile /etc/openldap/ldap.company.com.pem
#TLSCertificateKeyFile /etc/openldap/ldap.company.com.key
#TLSCACertificateFile /etc/openldap/ca.pem
#TLSCipherSuite :SSLv3
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
# rootdn can always read and write EVERYTHING!
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
suffix "dc=company,dc=com"
rootdn "cn=Manager,dc=company,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged; if rootpw is set at all, store a slappasswd-generated hash (e.g. {SSHA}) rather than the weak {crypt} form shown below.
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,sn,mail,givenname eq,pres,sub
index uidNumber,gidNumber,memberUid eq,pres
index loginShell eq,pres
## required to support pdb_getsampwnam
## required to support pdb_getsambapwrid()
index displayName pres,sub,eq
index nisMapName,nisMapEntry eq,pres,sub
index sambaPrimaryGroupSID eq
index sambaDomainName eq
# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
by dn="cn=Manager,dc=company,dc=com" write
# these two attributes must be world readable for password aging to work correctly
# (or use a privileged bind account in /etc/ldap.conf instead, which avoids exposing password-change timing to anonymous readers)
access to attrs=shadowLastChange,shadowMax
by dn="cn=Manager,dc=company,dc=com" write
# all other attributes are readable by everybody
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM