--- openldap-2.3.34/servers/slapd/slapd.conf.orig 2007-06-29 09:01:50.000000000 +0200
+++ openldap-2.3.34/servers/slapd/slapd.conf 2007-06-29 09:03:50.000000000 +0200
@@ -3,23 +3,48 @@
 # This file should NOT be world readable.
 #
 include %SYSCONFDIR%/schema/core.schema
+include %SYSCONFDIR%/schema/cosine.schema
+include %SYSCONFDIR%/schema/inetorgperson.schema
+include %SYSCONFDIR%/schema/nis.schema
+include %SYSCONFDIR%/schema/misc.schema
-# Define global ACLs to disable default read access.
+# Allow LDAPv2 client connections. This is NOT the default.
+allow bind_v2
 # Do not enable referrals until AFTER you have a working directory
 # service AND an understanding of referrals.
 #referral ldap://root.openldap.org
-pidfile %LOCALSTATEDIR%/run/slapd.pid
-argsfile %LOCALSTATEDIR%/run/slapd.args
+pidfile %LOCALSTATEDIR%/run/openldap/slapd.pid
+argsfile %LOCALSTATEDIR%/run/openldap/slapd.args
 # Load dynamic backend modules:
-# modulepath %MODULEDIR%
+# modulepath /usr/lib/openldap # or /usr/lib64/openldap
-# moduleload back_bdb.la
-# moduleload back_ldap.la
-# moduleload back_ldbm.la
-# moduleload back_passwd.la
-# moduleload back_shell.la
+# moduleload accesslog.la
+# moduleload auditlog.la
+# moduleload back_sql.la
+# moduleload denyop.la
+# moduleload dyngroup.la
+# moduleload dynlist.la
+# moduleload lastmod.la
+# moduleload pcache.la
+# moduleload ppolicy.la
+# moduleload refint.la
+# moduleload retcode.la
+# moduleload rwm.la
+# moduleload syncprov.la
+# moduleload translucent.la
+# moduleload unique.la
+# moduleload valsort.la
+
+# The next three lines allow use of TLS for encrypting connections using a
+# dummy test certificate which you can generate by changing to
+# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
+# slapd.pem so that the ldap user or group can read it. Your client software
+# may balk at self-signed certificates, however.
+# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
+# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
 # Sample security restrictions
 # Require integrity protection (prevent hijacking)
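Review bot: `allow bind_v2` is switched on unconditionally in the shipped default, while the comment added just above it says this is NOT the default; LDAPv2 clients cannot use StartTLS or SASL, so a stock install now accepts protocol-v2 cleartext simple binds that it previously rejected. I would ship the directive commented out, `#allow bind_v2`, and extend the comment to `# Uncomment only if legacy LDAPv2-only clients must be supported; they cannot use StartTLS or SASL.`. Separately, the new `# modulepath /usr/lib/openldap # or /usr/lib64/openldap` would, once an admin uncomments it as written, pass `# or /usr/lib64/openldap` to the directive as extra arguments, because slapd.conf only treats lines that begin with `#` as comments; the alternative path belongs on its own comment line.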
@@ -49,19 +74,32 @@
 # rootdn can always read and write EVERYTHING!
 #######################################################################
-# BDB database definitions
+# ldbm and/or bdb database definitions
 #######################################################################
 database bdb
 suffix "dc=my-domain,dc=com"
 rootdn "cn=Manager,dc=my-domain,dc=com"
 # Cleartext passwords, especially for the rootdn, should
-# be avoid. See slappasswd(8) and slapd.conf(5) for details.
+# be avoided. See slappasswd(8) and slapd.conf(5) for details.
 # Use of strong authentication encouraged.
-rootpw secret
+# rootpw secret
+# rootpw {crypt}ijFYNcSNctBYg
+
 # The database directory MUST exist prior to running slapd AND
 # should only be accessible by the slapd and slap tools.
 # Mode 700 recommended.
-directory %LOCALSTATEDIR%/openldap-data
-# Indices to maintain
-index objectClass eq
+directory /var/lib/ldap
+
+# Indices to maintain for this database
+index objectClass eq,pres
+index ou,cn,mail,surname,givenname eq,pres,sub
+index uidNumber,gidNumber,loginShell eq,pres
+index uid,memberUid eq,pres,sub
+index nisMapName,nisMapEntry eq,pres,sub
+
+# Replicas of this database
+#replogfile /var/lib/ldap/openldap-master-replog
+#replica host=ldap-1.example.com:389 starttls=critical
+# bindmethod=sasl saslmech=GSSAPI
+# authcId=host/ldap-master.example.com@EXAMPLE.COM
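Review bot: The commented example `# rootpw {crypt}ijFYNcSNctBYg` ships the same hash string in every installation of this package and uses the traditional `{crypt}` scheme, so an admin who simply uncomments it gets a rootdn credential that is both public and in the weakest format slapd offers; the text above it says to see slappasswd(8) but the example does not follow that advice. I would replace that line with a clearly non-usable template, `# rootpw {SSHA}<paste the output of slappasswd here>`, and add `# Never uncomment an example hash: generate your own with slappasswd.` directly under it. Dropping the active `rootpw secret` line is the right call; the note above is about what the remaining example teaches. The replica example with `starttls=critical` and SASL/GSSAPI is sound as a template.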