--- openldap-2.3.34/servers/slapd/slapd.conf.orig 2007-06-29 09:01:50.000000000 +0200
+++ openldap-2.3.34/servers/slapd/slapd.conf 2007-06-29 09:03:50.000000000 +0200
@@ -3,23 +3,48 @@
# This file should NOT be world readable.
#
include %SYSCONFDIR%/schema/core.schema
+include %SYSCONFDIR%/schema/cosine.schema
+include %SYSCONFDIR%/schema/inetorgperson.schema
+include %SYSCONFDIR%/schema/nis.schema
+include %SYSCONFDIR%/schema/misc.schema
-# Define global ACLs to disable default read access.
+# Allow LDAPv2 client connections. This is NOT the default.
+allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
- Upgrade to 2.3.19, which upstream now considers stable
- Modify the -config.patch, ldap.init, and this spec file to put the
pid file and args file in an ldap-owned openldap subdirectory under
/var/run.
- Move back_sql* out of %{_sbindir}/openldap , which requires
hand-moving slapd and slurpd to _sbindir, and recreating symlinks
by hand.
- Retire openldap-2.3.11-ads.patch, which went upstream.
- Update the ldap.init script to run slaptest as the ldap user rather
than as root. This solves
bz#150172 Startup failure after database problem
- Add to the servers post and preun scriptlets so that on preun, the
database is slapcatted to /var/lib/ldap/upgrade.ldif and the
database files are saved to /var/lib/ldap/rpmorig. On post, if
/var/lib/ldap/upgrade.ldif exists, it is slapadded. This means that
on upgrades from 2.3.16-2 to higher versions, the database files may
be automatically upgraded. Unfortunately, because of the changes to
the preun scriptlet, users have to do the slapcat, etc by hand when
upgrading to 2.3.16-2. Also note that the /var/lib/ldap/rpmorig
files need to be removed by hand because automatically removing your
emergency fallback files is a bad idea.
- Upgrade internal bdb to db-4.4.20. For a clean upgrade, this will
require that users slapcat their databases into a temp file, move
/var/lib/ldap someplace safe, upgrade the openldap rpms, then
slapadd the temp file.
#referral ldap://root.openldap.org
-pidfile %LOCALSTATEDIR%/run/slapd.pid
-argsfile %LOCALSTATEDIR%/run/slapd.args
+pidfile %LOCALSTATEDIR%/run/openldap/slapd.pid
+argsfile %LOCALSTATEDIR%/run/openldap/slapd.args
# Load dynamic backend modules:
# modulepath %MODULEDIR%
-# moduleload back_bdb.la
-# moduleload back_ldap.la
-# moduleload back_ldbm.la
-# moduleload back_passwd.la
-# moduleload back_shell.la
+# moduleload accesslog.la
+# moduleload auditlog.la
+# moduleload back_sql.la
+# moduleload denyop.la
+# moduleload dyngroup.la
+# moduleload dynlist.la
+# moduleload lastmod.la
+# moduleload pcache.la
+# moduleload ppolicy.la
+# moduleload refint.la
+# moduleload retcode.la
+# moduleload rwm.la
+# moduleload syncprov.la
+# moduleload translucent.la
+# moduleload unique.la
+# moduleload valsort.la
+
+# The next three lines allow use of TLS for encrypting connections using a
+# dummy test certificate which you can generate by changing to
+# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
+# slapd.pem so that the ldap user or group can read it. Your client software
+# may balk at self-signed certificates, however.
+# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
+# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
# Sample security restrictions
# Require integrity protection (prevent hijacking)
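Review bot: `+allow bind_v2` near the top of the hunk turns on LDAPv2 binds for every deployment that ships this file, and the comment above it only records that this is not upstream's default, not why the distribution wants it on. LDAPv2 has no StartTLS extended operation and no SASL bind, so a v2 simple bind sends the password in cleartext unless the whole connection is ldaps, and the TLS directives added later in this hunk are themselves left commented out; the `security` directives that would enforce a minimum SSF appear to follow the hunk and are not visible here. Shipping the directive commented out, `#allow bind_v2` preceded by `# Uncomment only if legacy LDAPv2 clients must bind; v2 cannot use StartTLS or SASL`, keeps the default surface at LDAPv3 while leaving the opt-in one line away. The TLS comment block should also say that slapd.pem holds the private key and should be readable by the ldap user only, rather than "the ldap user or group".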
@@ -49,19 +74,32 @@
# rootdn can always read and write EVERYTHING!
#######################################################################
-# BDB database definitions
+# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
-# be avoid. See slappasswd(8) and slapd.conf(5) for details.
+# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
-rootpw secret
+# rootpw secret
+# rootpw {crypt}ijFYNcSNctBYg
+
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
-directory %LOCALSTATEDIR%/openldap-data
-# Indices to maintain
-index objectClass eq
- Upgrade to 2.3.19, which upstream now considers stable
- Modify the -config.patch, ldap.init, and this spec file to put the
pid file and args file in an ldap-owned openldap subdirectory under
/var/run.
- Move back_sql* out of %{_sbindir}/openldap , which requires
hand-moving slapd and slurpd to _sbindir, and recreating symlinks
by hand.
- Retire openldap-2.3.11-ads.patch, which went upstream.
- Update the ldap.init script to run slaptest as the ldap user rather
than as root. This solves
bz#150172 Startup failure after database problem
- Add to the servers post and preun scriptlets so that on preun, the
database is slapcatted to /var/lib/ldap/upgrade.ldif and the
database files are saved to /var/lib/ldap/rpmorig. On post, if
/var/lib/ldap/upgrade.ldif exists, it is slapadded. This means that
on upgrades from 2.3.16-2 to higher versions, the database files may
be automatically upgraded. Unfortunately, because of the changes to
the preun scriptlet, users have to do the slapcat, etc by hand when
upgrading to 2.3.16-2. Also note that the /var/lib/ldap/rpmorig
files need to be removed by hand because automatically removing your
emergency fallback files is a bad idea.
- Upgrade internal bdb to db-4.4.20. For a clean upgrade, this will
require that users slapcat their databases into a temp file, move
/var/lib/ldap someplace safe, upgrade the openldap rpms, then
slapadd the temp file.
+directory /var/lib/ldap
+
+# Indices to maintain for this database
+index objectClass eq,pres
+index ou,cn,mail,surname,givenname eq,pres,sub
+index uidNumber,gidNumber,loginShell eq,pres
+index uid,memberUid eq,pres,sub
+index nisMapName,nisMapEntry eq,pres,sub
+
+# Replicas of this database
+#replogfile /var/lib/ldap/openldap-master-replog
+#replica host=ldap-1.example.com:389 starttls=critical
+# bindmethod=sasl saslmech=GSSAPI
+# authcId=host/ldap-master.example.com@EXAMPLE.COM