/etc/openldap/slapd.conf
http://www.stanford.edu/services/directory/openldap/configuration/bdb-config.html
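# The database configuration parameters must appear *after* the "database"
# directive, as DB_CONFIG files are 'per backend'.
# NOTE: slapd writes these "dbconfig" lines into <directory>/DB_CONFIG only
# when that file does not exist yet. If it already exists, edit it directly:
# changes made here are otherwise silently ignored.
# BDB in-memory cache: 4 GB + 0 bytes, in 1 segment. It has to fit in RAM
# next to slapd's own entry cache; oversizing it buys swapping, not speed.
dbconfig set_cachesize 4 0 1
dbconfig set_lg_regionmax 262144
dbconfig set_lg_bsize 2097152
# Transaction logs hold a copy of every written entry (userPassword hashes
# included) and are needed for recovery. Keep them in a directory owned by the
# slapd user with mode 0700 rather than in the shared /var/log. On an existing
# database: stop slapd, move the log.* files, update DB_CONFIG, then restart.
dbconfig set_lg_dir /var/lib/ldap/log
# Automatically remove log files that are no longer needed.
# Caveat: the removed logs are exactly what catastrophic recovery or an
# incremental backup (db_archive -l) would need; disable this if you rely on
# either.
dbconfig set_flags DB_LOG_AUTOREMOVE
#
# Setting set_tas_spins reduces resource contention from multiple clients on
# systems with multiple CPUs. It is a DB_CONFIG parameter, not a slapd
# directive: a bare "set_tas_spins 1" line is not one of slapd's own
# directives (ignored or rejected depending on the version) and must be passed
# through "dbconfig" like the lines above.
# BDB 4.4 renamed it to mutex_set_tas_spins. BDB rejects a DB_CONFIG file
# containing a name it does not know, so enable exactly ONE of the two lines,
# matching the installed BDB version.
#dbconfig set_tas_spins 1
#dbconfig mutex_set_tas_spins 1
# For multi-CPU systems, "tool-threads" should be set to the number of
# available processor cores. It lets slapadd and slapindex use several CPUs to
# index the database. slapd.conf directives are whitespace separated; there is
# no "=" between directive and value.
# tool-threads 2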
You can check the BDB lock-subsystem statistics (lockers, locks, deadlocks) with:
> db_stat -c -h /var/lib/ldap
The -h argument must point at the database directory (the environment home); run it as the user slapd runs as so it can open the environment files.
/etc/openldap/slapd.conf:
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable: it contains rootpw (and, if
# replication is ever enabled, the replica credentials). Keep it owned by
# root and the group slapd runs as, mode 0640.
#######################################################################
# schema-definitions
#######################################################################
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/yast.schema
#include /etc/openldap/schema/nis.schema
# For eGroupWare, rfc2307bis is preferred over nis.schema. The two define the
# same posix object classes, so load only one of them.
include /etc/openldap/schema/rfc2307bis.schema
# Address book with Mozilla:
include /etc/openldap/schema/mozillaAbPersonAlpha.schema
# Address book with Evolution:
include /etc/openldap/schema/evolutionOrgPerson.schema
# These should be present for GOsa:
include /etc/openldap/schema/gosa/samba3.schema
#include /etc/openldap/schema/gosa/gohard.schema
include /etc/openldap/schema/gosa/gofon.schema
include /etc/openldap/schema/gosa/gosystem.schema
include /etc/openldap/schema/gosa/goto.schema
include /etc/openldap/schema/gosa/gosa+samba3.schema
include /etc/openldap/schema/gosa/gofax.schema
include /etc/openldap/schema/gosa/goserver.schema
include /etc/openldap/schema/gosa/goto-mime.schema
include /etc/openldap/schema/gosa/trust.schema
include /etc/openldap/schema/gosa/fai.schema
# 12.03.2007, chhaas: for eGroupWare (no longer needed from 1.3x on):
#include /etc/openldap/schema/gosa/phpgwaccount.schema
#######################################################################
# general settings
#######################################################################
# 24.07.2006, chhaas:
# NOTE(review): in the slapd.conf(5) loglevel table 1024 is the shell-backend
# debug level, not the usual "stats" level (256) that records connections,
# operations and results. Confirm this is the level that was intended.
loglevel 1024
# 12.03.2007, chhaas: only for OpenGroupware.org LDAP authentication.
# LDAPv2 has no StartTLS, so keep this disabled unless that client needs it:
# allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
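#referral ldap://root.openldap.org
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# Load dynamic backend modules:
modulepath /usr/lib/openldap/modules
# 24.07.2006, chhaas: for replication. Nothing is loaded here; back-bdb is
# built in on this installation.
# moduleload back_bdb
# moduleload back_ldap.la
# moduleload back_meta.la
# moduleload back_monitor.la
# moduleload back_perl.la
# 24.07.2006, chhaas:
# Schema check allows for forcing entries to match schemas for their
# objectClasses. Obsolete since OpenLDAP 2.3 (checking is always on);
# drop this line if your slapd refuses it.
schemacheck on
# 24.07.2006, chhaas:
# Hash slapd applies when it stores a password received through the LDAP
# Password Modify extended operation. It does not re-hash values written
# directly to userPassword, and existing {CRYPT} values keep verifying, so
# changing it is safe for current accounts.
# Supported: {SSHA} {SHA} {SMD5} {MD5} {CRYPT} {CLEARTEXT}.
# {SSHA} (salted SHA-1) is the slapd default. {CRYPT} uses the system
# crypt(3); with the default salt format that is the weak traditional DES
# hash (8 significant characters). {CLEARTEXT} stores the password as-is.
password-hash {SSHA}
# 24.07.2006, chhaas:
# Search base
defaultsearchbase "dc=example,dc=com"
# 24.07.2006, chhaas:
## SASL setup
#sasl-authz-policy
#sasl-host station7.example.com
#sasl-realm EXXAMPLE.COM
#sasl-regexp cn=(.*),ou=(.*) cn=$1,ou=$2,ou=People,dc=example,dc=com
#sasl-secprops noanonymous
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 64-bit encryption for simple bind
# Parameters: sasl, ssf, tls, transport, update_sasl, update_ssf,
# update_tls, update_transport (space separated, no commas)
# security ssf=1 update_ssf=112 simple_bind=64
# security update_sasl=128 update_tls=128
# NOTE(review): none of the above is active, so simple binds - which carry the
# password in the clear - are accepted over plain ldap://. Once every client
# (GOsa, Samba, nss/pam_ldap, local ldapi:// users) binds over ldaps:// or
# StartTLS, enable at least:
# security simple_bind=128
#######################################################################
# BDB database definitions
#######################################################################
#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb
# The database itself. bdb is the recommended backend; ldbm is obsolete.
database bdb
# The base of your directory
suffix "dc=example,dc=com"
# Checkpoint the transaction log every 1024 KB or 5 minutes, whichever comes
# first. A backend-level "checkpoint 512 30" used to precede the "database"
# line; this database-level value overrides it, so the duplicate was dropped.
checkpoint 1024 5
# Entries held in slapd's own entry cache (separate from the BDB cache below)
cachesize 10000
# File mode for the database and index files slapd creates. They contain the
# password hashes, so keep them readable by the slapd user only.
mode 0600
# Log modifications and write entryUUID
lastmod on
# Where the database files are physically stored
directory /var/lib/ldap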
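# The database configuration parameters must appear *after* the "database"
# directive, as DB_CONFIG files are 'per backend'.
# NOTE: slapd writes these "dbconfig" lines into <directory>/DB_CONFIG only
# when that file does not exist yet. If it already exists, edit it directly:
# changes made here are otherwise silently ignored.
# BDB in-memory cache: 4 GB + 0 bytes, in 1 segment. It has to fit in RAM
# next to slapd's own entry cache; oversizing it buys swapping, not speed.
dbconfig set_cachesize 4 0 1
dbconfig set_lg_regionmax 262144
dbconfig set_lg_bsize 2097152
# Transaction logs hold a copy of every written entry (userPassword hashes
# included) and are needed for recovery. Keep them in a directory owned by the
# slapd user with mode 0700 rather than in the shared /var/log. On an existing
# database: stop slapd, move the log.* files, update DB_CONFIG, then restart.
dbconfig set_lg_dir /var/lib/ldap/log
# Automatically remove log files that are no longer needed.
# Caveat: the removed logs are exactly what catastrophic recovery or an
# incremental backup (db_archive -l) would need; disable this if you rely on
# either.
dbconfig set_flags DB_LOG_AUTOREMOVE
#
# Setting set_tas_spins reduces resource contention from multiple clients on
# systems with multiple CPUs. It is a DB_CONFIG parameter, not a slapd
# directive: the previous bare "set_tas_spins 1" / "mutex_set_tas_spins 1"
# lines were not slapd directives (ignored or rejected depending on the
# version) and never reached BDB. They must go through "dbconfig".
# BDB 4.4 renamed set_tas_spins to mutex_set_tas_spins, and BDB rejects a
# DB_CONFIG file containing a name it does not know, so enable exactly ONE of
# the two lines, matching the installed BDB version.
#dbconfig set_tas_spins 1
#dbconfig mutex_set_tas_spins 1
# For multi-CPU systems, "tool-threads" should be set to the number of
# available processor cores. It lets slapadd and slapindex use several CPUs to
# index the database. slapd.conf directives are whitespace separated; the
# former "tool-threads = 2" handed slapd "=" as the value.
tool-threads 2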
# Example replication using admin account. This will require taking the
# output of this database using slapcat(8C), and then importing that into
# the replica using slapadd(8C).
# NOTE(review): before enabling this, note that
#  - "credentials=" stores the replicator password in clear text in this
#    file, and the replog under /var/log receives every change including
#    password hashes: both need the same restrictive ownership and mode as
#    the database directory;
#  - "bindmethod=simple" sends that password and every replicated entry in
#    the clear unless paired with "tls=critical";
#  - the bind DN should be a dedicated replicator account with write access
#    on the replica only, not the directory admin.
# Replication setup
# replogfile /var/log/ldap-replicalog
# replica host=ldap-2.example.local
# binddn="cn=replicator,dc=example,dc=com" bindmethod=simple credentials=secret
# Dummy database for config replication.
# The shell backend runs the named script with slapd's privileges for every
# operation; keep it disabled unless the script has been reviewed and is
# writable by root only.
# database shell
# suffix "dc=uk-bw,dc=shell"
# search /etc/ldap/shell/process.pl
# add /etc/ldap/shell/process.pl
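# rootdn bypasses every ACL in this file. Its password is checked against
# rootpw; if rootpw is absent, against the userPassword of its own entry.
# The value below is the published sample for the password "tester" (a
# 13-character traditional DES crypt hash) and MUST be replaced before this
# server is reachable. Generate a salted hash with
#   slappasswd -h {SSHA}
# and paste the whole "{SSHA}..." string here; do not use mkpasswd/{crypt}.
rootdn "cn=ldapadmin,dc=example,dc=com"
rootpw {crypt}OuorOLd3VqvC2
#######################################################################
# Indexing
#######################################################################
index default sub
index uid,mail eq
#index gosaSnapshotDN eq
#index gosaSnapshotTimestamp eq,sub
index gosaMailAlternateAddress,gosaMailForwardingAddress eq
index cn,sn,givenName,ou pres,eq,sub
index objectClass pres,eq
index uidNumber,gidNumber,memberuid eq
index gosaSubtreeACL,gosaObject,gosaUser pres,eq
# 24.07.2006, chhaas: added because of a "missing index" warning in
# /var/log/messages:
#index facsimileTelephoneNumber eq,sub
# 24.07.2006, chhaas: added because of a "missing index" warning in
# /var/log/messages:
index facsimileAlternateTelephoneNumber eq,sub
# 2007-05-09, chhaas: added because of a "missing index" warning in
# /var/log/messages:
index gosaMailDeliveryMode eq,sub
# Run slapindex after adding or changing index lines.
#--- Indexing for Samba 3 ---#
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
#--- SSL/TLS setting ---#
# 2007-06-28, chhaas:
# Earlier values, kept for reference. They admitted export-grade (EXP), LOW
# and RC4 ciphers, and the first one SSLv2:
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
#TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+SSLv2:+EXP
#TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
# OpenSSL cipher-list syntax: strong ciphers only, no anonymous or NULL
# suites, no export/LOW/RC4. Check what it expands to with
#   openssl ciphers -v 'HIGH:!aNULL:!eNULL:!EXP:!LOW:!RC4'
TLSCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!RC4
TLSCACertificateFile /etc/ssl/certs/ca_cert.pem
TLSCertificateFile /etc/ssl/certs/station7_cert.pem
# The private key must be readable by the slapd user only (mode 0400/0600).
TLSCertificateKeyFile /etc/ssl/private/station7_key.pem
# 2007-07-10, chhaas:
# "never": clients are not asked for a certificate, which is fine while all
# authentication is by password. Use "try" or "demand" only once client
# certificates (SASL EXTERNAL) are deployed. "allow" requests a certificate
# but ignores an invalid one, so it adds nothing.
TLSVerifyClient never
#TLSVerifyClient try
#TLSVerifyClient allow
#######################################################################
# access policies
#######################################################################
# Define global ACLs to disable default read access.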
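# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access to user password
# Allow anonymous users to authenticate
# Allow read access to everything else
# If no access controls are present, the default policy allows anyone and
# everyone to read anything but restricts updates to rootdn
# (e.g., "access to * by * read").
# ACLs are evaluated in order: the first "access to" clause whose target
# matches decides, and within it the first matching "by" clause. Most
# specific rules first.
#--- GOsa policies Start ---#
# userPassword may be changed by the entry owning it once authenticated;
# anonymous may only use it to bind ("auth"); nobody else sees it. The rootdn
# is not subject to ACLs and therefore still reads it.
access to attrs=userPassword
        by anonymous auth
        by self write
        by * none
# Password-ageing attributes. These used to share the "by self write" rule
# with userPassword, which let any user push back or clear their own expiry
# (shadowExpire, shadowMax) and must-change flags. Samba (ldap admin dn) and
# GOsa normally update them with an administrative bind, and pam_ldap-style
# clients read them as the user after binding, so self read is enough.
# Revert to "self write" only if your password-change path really updates
# these as the user.
access to attrs=sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,shadowMax,shadowExpire
        by self read
        by * none
# Deny access to imap/fax/kerberos admin passwords stored in the tree.
access to attrs=goImapPassword
        by * none
access to attrs=goKrbPassword
        by * none
access to attrs=goFaxPassword
        by * none
# Let terminal servers record the last user. This was "by * write", i.e.
# anonymous write from any host on the network; limit it to authenticated
# clients (the terminals' own entries) and keep it readable as before.
access to attrs=gotoLastUser
        by users write
        by * read
# Samba passwords by default can be changed by the entry owning it if
# authenticated. Others must not see them (the rootdn still can).
access to attrs=sambaLmPassword,sambaNtPassword
        by anonymous auth
        by self write
        by * none
# Enable write/create access for the terminal admin on the incoming branch:
# the entry itself and everything below it.
access to dn.exact="ou=incoming,dc=example,dc=com"
        by dn.exact="cn=terminal-admin,dc=example,dc=com" write
        by * none
access to dn.sub="ou=incoming,dc=example,dc=com"
        by dn.exact="cn=terminal-admin,dc=example,dc=com" write
        by * none
# What trees should be readable depends on your policy.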
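# Either use this entry and specify what should be readable, or leave
# the "access to * ... by * read" rule at the end untouched.
#access to dn="ou=(people|groups)"
#       by * read
#--- GOsa policies End ---#
#--- eGroupWare policies Start ---#
# The requester patterns below use dn.exact,expand rather than dn.regex:
# with dn.regex the captured address-book name ($1) is interpreted as a
# regular expression, so a book named ".*" would grant its owner rule to
# every user. With expand it is substituted literally. (dn.<style>,expand
# requires OpenLDAP 2.2 or later.)
# Access to users' __personal__ address books.
# Allow read of the address-book entry by its owner and the admin account.
access to dn.regex="^cn=([^,]+),ou=personal,ou=contacts,dc=example,dc=com$" attrs=entry
        by dn.exact,expand="uid=$1,ou=people,dc=example,dc=com" read
        by dn.exact="uid=admin,dc=example,dc=com" write
        by users none
# Allow the owner to create entries in the own address book; no-one else can
# access it. Needs write access to the book's CHILDREN pseudo-attribute ...
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=example,dc=com$" attrs=children
        by dn.exact,expand="uid=$1,ou=people,dc=example,dc=com" write
        by users none
# ... and to the entries themselves. These two patterns are deliberately NOT
# anchored with "^": they must also match entries below the book
# (cn=...,cn=<book>,ou=personal,...), which the anchored rule above cannot.
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=example,dc=com$" attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha
        by dn.exact,expand="uid=$1,ou=people,dc=example,dc=com" write
        by users none
# Access to __group__ address books.
# Allow read of the address-book entry by group members and the admin account.
access to dn.regex="^cn=([^,]+),ou=shared,ou=contacts,dc=example,dc=com$" attrs=entry
        by group.expand="cn=$1,ou=groups,dc=example,dc=com" read
        by dn.exact="uid=admin,dc=example,dc=com" write
        by users none
# Allow members to create entries in their group address books; no-one else
# can access them. Needs write access to the book's CHILDREN ...
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=example,dc=com$" attrs=children
        by group.expand="cn=$1,ou=groups,dc=example,dc=com" write
        by users none
# ... and to the entries below it (unanchored on purpose, see above).
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=example,dc=com$" attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha
        by group.expand="cn=$1,ou=groups,dc=example,dc=com" write
        by users none
#--- eGroupWare policies End ---#
#--- This Section MUST be the LAST!!! ---#
# rootdn can always read and write EVERYTHING!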
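# The admin dn (cn=ldapadmin,dc=example,dc=com) is also the rootdn, which is
# exempt from ACLs altogether; the =wrscx clause only matters if rootdn is
# ever pointed at a different entry.
# Root DSE, subschema and cn=Monitor must stay anonymously readable (clients
# use them to discover naming contexts, supported controls and the schema).
# They are placed BEFORE the catch-all because only the first matching
# "access to" clause applies: listed after "access to *", these rules were
# never reached.
access to dn.base=""
        by * read
access to dn.base="cn=Subschema"
        by * read
access to dn.subtree="cn=Monitor"
        by * read
# Catch-all: everyone, including anonymous clients, may read the whole tree
# (minus the attributes denied above). That is what nss_ldap-style lookups
# without a bind DN need, but it also exposes every account, group and host
# to anyone who can reach the port. Once all clients bind with credentials,
# tighten "by * read" to "by users read"; the three rules above keep the
# anonymous reads that clients still need.
access to *
        by dn.exact="cn=ldapadmin,dc=example,dc=com" =wrscx
        by * read
#--- ###--- End of slapd.conf configuration file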