# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#
# This file is rendered from a Jinja template: {{ ldap_base }} is replaced
# with the directory suffix at deploy time.

# Schemas. rfc2307bis is used in place of the stock nis.schema; sudo.schema
# backs the sudoUser/sudoHost indexes in the database section; csc.schema is
# site-local (presumably where the term/nonMemberTerm attributes used in the
# ACLs come from -- confirm against the schema file).
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/rfc2307bis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/sudo.schema
include /etc/ldap/schema/csc.schema
include /etc/ldap/schema/misc.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# Only replication activity is logged. "acl" is handy while debugging the
# access rules below but is noisy; "stats" is *lots* of logging.
#Warning: "stats" is *lots* of logging
loglevel sync
#loglevel stats config sync acl

# Dynamic modules: the hdb backend plus the three overlays configured at the
# end of the database section (syncprov, auditlog, unique).
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload syncprov
moduleload auditlog
moduleload unique
# resource limits
#
# NOTE(review): `limits` is a per-database directive (slapd.conf(5) lists it
# under the database options), so these lines would have to appear after
# `database hdb` below to take effect -- that is likely why they "don't seem
# to work" in this global section. The intent recorded here (unlimited for
# the slave and the syscom/office groups, 1000 entries for users, 10 entries
# / 30 seconds for everyone else) is worth restoring in the right place.
#limits dn.base="cn=ldap-slave,{{ ldap_base }}" time=unlimited size=unlimited
#limits group/group/uniqueMember="cn=syscom,ou=Group,{{ ldap_base }}" time=unlimited size=unlimited
#limits group/group/uniqueMember="cn=office,ou=Group,{{ ldap_base }}" time=unlimited size=unlimited
#limits users size=1000 time=300
#limits * size=10 time=30

# the above don't seem to work
#
# Global fallback: no size or time limit on any search. Combined with the
# default `by * read` ACL further down, this lets any client -- anonymous
# included -- enumerate the entire directory in a single search.
sizelimit unlimited
timelimit unlimited
# enable TLS connections
#
# NOTE(review): both TLS directives are commented out, so this slapd only
# serves plaintext ldap://. Nothing in this file sets a `security` directive
# (e.g. `security simple_bind=128`), so simple binds -- which carry the
# userPassword in the clear -- are accepted over unencrypted TCP. Re-enable
# TLS and add an SSF floor before exposing this listener beyond trusted hosts.
# TLSCertificateFile /etc/ssl/private/csclub-wildcard-chain.crt
# TLSCertificateKeyFile /etc/ssl/private/csclub-wildcard.key

# enable TLS client authentication
# (also disabled; `allow` would request a client certificate but proceed
# without one, which is what the SASL EXTERNAL mappings below would rely on)
#TLSCACertificateFile /etc/ssl/certs/csclub.pem
#TLSVerifyClient allow

# consider local connections encrypted
# Assigns SSF 128 to local ldapi:// sessions only, so they count as
# encrypted for any SSF check. TCP connections are unaffected by this.
localssf 128
# map kerberos users to ldap users
#
# Every SASL mapping in this section is commented out. The identities that
# the ACLs grant write/read/add to (cn=ceod, cn=ldap-slave, cn=renewal) must
# therefore authenticate some other way -- presumably simple binds against
# entries with a userPassword; confirm. If these mappings are re-enabled:
# the match patterns are regular expressions, the `.` in the hostnames is
# unescaped (matches any character) and none are anchored with ^...$, so
# tighten them before trusting the mapped DNs with those privileges.
# sasl-realm CSCLUB.UWATERLOO.CA
# authz-regexp "uid=([^/=]*),cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
# "uid=$1,ou=people,{{ ldap_base }}"
# authz-regexp "uid=ceod/admin,cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
# "cn=ceod,{{ ldap_base }}"
# authz-regexp "uid=ldap/auth2.csclub.uwaterloo.ca,cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
# "cn=ldap-slave,{{ ldap_base }}"
# authz-regexp "uid=renewal/([^/=]*).csclub.uwaterloo.ca,cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
# "cn=renewal,{{ ldap_base }}"

# map sasl external users to ldap users
# (requires TLSCACertificateFile/TLSVerifyClient above, which are also off)
#authz-regexp "cn=ldap[0-9].csclub.uwaterloo.ca,ou=computer science club,o=university of waterloo,st=ontario,c=ca"
# "cn=ldap-slave,{{ ldap_base }}"

# kerberos has code to allow SASL external auth, but it doesn't work yet
#authz-regexp "cn=kdc[0-9].csclub.uwaterloo.ca,ou=computer science club,o=university of waterloo,st=ontario,c=ca"
# "cn=kerberos-kdc,{{ ldap_base }}"
#authz-regexp "cn=kadmin.csclub.uwaterloo.ca,ou=computer science club,o=university of waterloo,st=ontario,c=ca"
# "cn=kerberos-admin,{{ ldap_base }}"
# Access control. Rules are evaluated in order; within a rule the first
# matching `by` clause wins, and `break` on the catch-all clause sends
# requesters that did not match on to the next rule instead of denying them.
# Every rule before the default permit at the bottom therefore only *adds*
# privileges for specific identities.

# local root over ldapi:// (SASL EXTERNAL, matched on the Unix peer
# credentials) gets `manage`, the highest privilege level -- this is the
# administrative path, since no rootpw is configured below.
access to *
by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * break

# systems committee get full access
# (this rule precedes the userPassword rule, so ceod and the syscom group can
# also set password hashes on any entry)
access to *
by dn="cn=ceod,{{ ldap_base }}" write
by group/group/uniqueMember="cn=syscom,ou=Group,{{ ldap_base }}" write
by * break

# slave servers get full read access for replication
# (this includes userPassword hashes, so the consumer needs the same
# protection as this server)
access to *
by dn="cn=ldap-slave,{{ ldap_base }}" read
by * break

# allow office staff to add terms
# the renewal program may do the same
# `add` only permits adding values: existing terms cannot be removed or
# rewritten by these identities. Everyone else, anonymous included, can read.
access to attrs=term
by group/group/uniqueMember="cn=office,ou=Group,{{ ldap_base }}" add
by dn="cn=renewal,{{ ldap_base }}" add
by * read
access to attrs=nonMemberTerm
by group/group/uniqueMember="cn=office,ou=Group,{{ ldap_base }}" add
by dn="cn=renewal,{{ ldap_base }}" add
by * read

# allow users to change their shells
# (slapd does not restrict the value to /etc/shells; any string is accepted)
access to attrs=loginShell
by self write
by * read

# allow simple authentication
# userPassword is never readable: anonymous gets `auth` only (enough to bind,
# not to read or compare) and everyone else not matched above is denied.
# There is no `by self write`, so users cannot change their own password
# through LDAP; changes must come from syscom/ceod or ldapi root -- confirm
# that is the intended password-change path.
access to attrs=userPassword
by anonymous auth
by * none

# allow access to attributes of top; they would otherwise be denied below
# NOTE(review): with the current `by * read` default rule this appears
# redundant; it only matters if that default is ever tightened.
access to attrs=@top
by * read

# default permit
# Everything not matched above is world-readable, including to anonymous binds.
access to *
by * read
# main database options
# note: the mdb backend has a horrible bug in 2.4.31
# that causes indexing to destroy the database
# (that note is specific to OpenLDAP 2.4.31; hdb is kept here because of it)
database hdb
suffix "{{ ldap_base }}"
directory "/var/lib/ldap"
# No rootpw is set, so cn=root can only bind if it exists as an entry with a
# userPassword (not visible here) or via a SASL mapping; routine admin goes
# through the ldapi peercred and syscom ACLs instead. Prefer keeping it that
# way over adding a rootpw to this file.
rootdn cn=root,{{ ldap_base }}
# Equality indexes on the attributes the ACLs and the unique overlay search
# on; sudoUser/sudoHost additionally get presence and substring indexes;
# entryCSN/entryUUID are the indexes syncprov needs.
index default eq
index objectClass
index entryCSN,entryUUID
index uid,uidNumber
index cn,gidNumber
index uniqueMember,memberUid
index sudoUser,sudoHost pres,sub,eq
index term,nonMemberTerm
index mailLocalAddress
index modifyTimestamp,createTimestamp

# 4 MB cache. use db_stat -m to check hit rate
# All cache tuning is left at backend defaults. `checkpoint` is also
# commented out -- confirm that the DB_CONFIG in the directory handles
# checkpointing/log archival, otherwise BDB transaction logs keep growing.
#dbconfig set_cachesize 0 4194304 0
#cachesize 2000
#idlcachesize 6000
#checkpoint 512 30
# log all changes to the directory
# auditlog appends the full LDIF of every add/modify/delete -- including
# userPassword hashes written by syscom/ceod -- so this file needs the same
# protection as the database directory (owner-only, rotated) and should not be
# forwarded to a shared log collector unredacted. Reads and binds are not
# recorded; this is a change log, not an access log.
overlay auditlog
auditlog /var/log/ldap/audit.log

# enforce uniqueness of usernames etc.
# Rejects writes that would duplicate a uid or uidNumber under ou=People, or a
# cn or gidNumber under ou=Group. The checks are scoped to those subtrees, so
# entries elsewhere under the suffix are not covered.
overlay unique
unique_uri ldap:///ou=People,{{ ldap_base }}?uid,uidNumber?sub
unique_uri ldap:///ou=Group,{{ ldap_base }}?cn,gidNumber?sub

# this is the master server
# syncprov makes this database a syncrepl provider; consumers bind as
# cn=ldap-slave and rely on the read ACL above. The contextCSN is written
# back every 100 write operations or 10 minutes, and the last 100 writes are
# kept in the session log so a briefly-disconnected consumer can catch up
# without a full refresh.
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100