Force the default db directory to /var/lib/ldap, default to including nis.schema and its prerequisites, allow LDAPv2 clients, increase the set of indexed attributes for the default database.
--- openldap-2.2.13/doc/man/man8/slurpd.8 2004-01-01 13:16:27.000000000 -0500
+++ openldap-2.2.13/doc/man/man8/slurpd.8 2004-06-15 11:40:04.000000000 -0400
@@ -120,7 +120,7 @@
 temporary files may contain sensitive information. This option allows you to specify the location of these temporary files. The default is
-.BR LOCALSTATEDIR/openldap-slurp .
+.BR /var/lib/ldap .
 .TP
 .BI \-k " srvtab\-file"
 Specify the location of the kerberos srvtab file which contains keys
--- openldap-2.2.13/servers/slapd/slapd.conf 2003-12-29 13:10:40.000000000 -0500
+++ openldap-2.2.13/servers/slapd/slapd.conf 2004-06-15 11:44:23.000000000 -0400
@@ -3,8 +3,12 @@
 # This file should NOT be world readable.
 #
 include %SYSCONFDIR%/schema/core.schema
+include %SYSCONFDIR%/schema/cosine.schema
+include %SYSCONFDIR%/schema/inetorgperson.schema
+include %SYSCONFDIR%/schema/nis.schema
-# Define global ACLs to disable default read access.
+# Allow LDAPv2 client connections. This is NOT the default.
+allow bind_v2
 # Do not enable referrals until AFTER you have a working directory
 # service AND an understanding of referrals.
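Review bot: `allow bind_v2` is shipped uncommented, so the packaged default configuration accepts LDAPv2 binds even though the comment directly above it says this is not the default. LDAPv2 sessions cannot negotiate StartTLS or SASL, so any credential a v2 client sends is a simple bind whose confidentiality depends entirely on the transport; if the goal is only to accommodate legacy clients, ship the directive commented out, `# allow bind_v2`, and let the administrator opt in deliberately. The hunk also removes the `# Define global ACLs to disable default read access.` comment without, as far as this hunk shows, adding an `access` directive in its place, so the default ACL behaviour is unchanged but the reminder to define one is gone.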
@@ -21,6 +25,15 @@
 # moduleload back_passwd.la
 # moduleload back_shell.la
+# The next three lines allow use of TLS for encrypting connections using a
+# dummy test certificate which you can generate by changing to
+# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
+# slapd.pem so that the ldap user or group can read it. Your client software
+# may balk at self-signed certificates, however.
+# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
+# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
+# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
+
 # Sample security restrictions
 # Require integrity protection (prevent hijacking)
 # Require 112-bit (3DES or better) encryption for updates
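Review bot: The added comment tells the administrator to fix permissions on slapd.pem so the ldap user or group can read it, but the same file is named by both `TLSCertificateFile` and `TLSCertificateKeyFile`, so it holds the private key and the guidance should say what it must not be. Suggest extending the block with `# slapd.pem contains the private key: keep it owned by root, readable only by the ldap group (mode 0640), never world-readable.` The `TLSCACertificateFile` line points at the system CA bundle, which presumably does not contain the self-signed slapd.pem, so a one-line note that clients verifying the server need the self-signed certificate itself rather than the bundle would save a confusing first TLS attempt.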
@@ -49,19 +62,32 @@
 # rootdn can always read and write EVERYTHING!
 #######################################################################
-# BDB database definitions
+# ldbm and/or bdb database definitions
 #######################################################################
 database bdb
 suffix "dc=my-domain,dc=com"
 rootdn "cn=Manager,dc=my-domain,dc=com"
 # Cleartext passwords, especially for the rootdn, should
-# be avoid. See slappasswd(8) and slapd.conf(5) for details.
+# be avoided. See slappasswd(8) and slapd.conf(5) for details.
 # Use of strong authentication encouraged.
-rootpw secret
+# rootpw secret
+# rootpw {crypt}ijFYNcSNctBYg
+
 # The database directory MUST exist prior to running slapd AND
 # should only be accessible by the slapd and slap tools.
 # Mode 700 recommended.
-directory %LOCALSTATEDIR%/openldap-data
+directory /var/lib/ldap
+
-# Indices to maintain
-index objectClass eq
+# Indices to maintain for this database
+index objectClass eq,pres
+index ou,cn,mail,surname,givenname eq,pres,sub
+index uidNumber,gidNumber,loginShell eq,pres
+index uid,memberUid eq,pres,sub
+index nisMapName,nisMapEntry eq,pres,sub
+
+# Replicas of this database
+#replogfile /var/lib/ldap/openldap-master-replog
+#replica host=ldap-1.example.com:389 starttls=critical
+# bindmethod=sasl saslmech=GSSAPI
+# authcId=host/ldap-master.example.com@EXAMPLE.COM
--- openldap-2.2.13/servers/slurpd/slurp.h 2004-01-01 13:16:42.000000000 -0500
+++ openldap-2.2.13/servers/slurpd/slurp.h 2004-06-15 11:40:04.000000000 -0400
@@ -66,7 +66,7 @@
 #define SERVICE_NAME OPENLDAP_PACKAGE "-slurpd"
 /* Default directory for slurpd's private copy of replication logs */
-#define DEFAULT_SLURPD_REPLICA_DIR LDAP_RUNDIR LDAP_DIRSEP "openldap-slurp"
+#define DEFAULT_SLURPD_REPLICA_DIR "/var/lib/ldap"
 /* Default name for slurpd's private copy of the replication log */
 #define DEFAULT_SLURPD_REPLOGFILE "slurpd.replog"
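Review bot: The commented `# rootpw {crypt}ijFYNcSNctBYg` line ships a concrete hash rather than a placeholder, so an administrator who uncomments it verbatim ends up with a rootdn password equal to whatever this published example encodes, which is no improvement on the removed `rootpw secret`. Replace it with an obvious stand-in such as `# rootpw {SSHA}<paste the output of slappasswd here>` so the line cannot be made live without generating a real hash. With both rootpw lines commented out, a bind as the rootdn can only succeed if that entry exists in the database with its own userPassword, which is presumably the intent; a one-line comment stating that would spare the next reader a surprise.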
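Review bot: `DEFAULT_SLURPD_REPLICA_DIR` becomes a bare string literal, dropping the `LDAP_RUNDIR` / `LDAP_DIRSEP` composition the neighbouring macros use, so the configure-time prefix no longer has any effect and a packager cannot override the path without editing this header. Wrapping the definition as `#ifndef DEFAULT_SLURPD_REPLICA_DIR` / `#define DEFAULT_SLURPD_REPLICA_DIR "/var/lib/ldap"` / `#endif` keeps the new default while leaving a CPPFLAGS override possible. Because slurpd's working copies of the replication log now live in the same directory the patched slapd.conf assigns to the BDB files (recommended mode 700), slurpd has to run as the same user as slapd or its files will be unreadable, and the slurpd.8 hunk in this patch notes those files may contain sensitive information; that shared-directory assumption deserves a comment next to the macro.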
@@ -75,7 +75,7 @@
 #define DEFAULT_SLURPD_STATUS_FILE "slurpd.status"
 /* slurpd dump file - contents of rq struct are written here (debugging) */
-#define SLURPD_DUMPFILE LDAP_TMPDIR LDAP_DIRSEP "slurpd.dump"
+#define SLURPD_DUMPFILE DEFAULT_SLURPD_REPLICA_DIR "/slurpd.dump"
 /* Amount of time to sleep if no more work to do */
 #define DEFAULT_NO_WORK_INTERVAL 3
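Review bot: The new `SLURPD_DUMPFILE` joins directory and file name with a literal `"/"` while the line it replaces, and the surrounding macros, use `LDAP_DIRSEP`; `#define SLURPD_DUMPFILE DEFAULT_SLURPD_REPLICA_DIR LDAP_DIRSEP "slurpd.dump"` yields the same path here and stays consistent with the rest of the header. Moving the dump out of `LDAP_TMPDIR` into the replica directory is a sound choice, since the comment says it holds the contents of the rq struct (which presumably includes replication entry data) and a shared temp directory is a weaker place for that than the data directory the patched slapd.conf recommends keeping at mode 700; the comment could record the reason: `/* kept under DEFAULT_SLURPD_REPLICA_DIR rather than the shared temp dir: the dump may contain replication entries */`.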