/etc/openldap/slapd.conf
http://www.stanford.edu/services/directory/openldap/configuration/bdb-config.html
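# The database configuration parameters must appear *after* the "database"
# directive, as DB_CONFIG files are 'per backend'.
# "dbconfig" only writes these settings into <directory>/DB_CONFIG when that
# file does not exist yet; an existing DB_CONFIG takes precedence.
# BDB cache: <gbytes> <bytes> <ncache> -> 4 GB in a single segment
dbconfig set_cachesize 4 0 1
dbconfig set_lg_regionmax 262144
dbconfig set_lg_bsize 2097152
# NOTE(review): BDB transaction logs contain full copies of every written
# entry, password hashes included.  /var/log is shared with other services
# and normally world-readable; a directory private to the slapd user is the
# safer choice -- confirm the permissions of whatever directory is used.
dbconfig set_lg_dir /var/log
# Automatically remove log files that are no longer needed.
# (with this flag set, catastrophic recovery from archived logs is not
#  possible; slapcat(8C) backups have to cover that need)
dbconfig set_flags DB_LOG_AUTOREMOVE
#
# Setting set_tas_spins reduces resource contention from
# multiple clients on systems with multiple CPU's.
# These are DB_CONFIG settings, not slapd.conf directives: a bare
# "set_tas_spins 1" is unknown to slapd (warned about or rejected, depending
# on the version) and never reaches Berkeley DB.  Enable exactly ONE of the
# two lines below -- set_tas_spins for BDB <= 4.3, mutex_set_tas_spins for
# BDB >= 4.4 -- since BDB refuses a DB_CONFIG with an unrecognised name.
#dbconfig set_tas_spins 1
#dbconfig mutex_set_tas_spins 1
# For multi-CPU systems, "tool-threads" should be set to the number of
# available processors (CPU cores).  It allows slapadd and slapindex to use
# multiple CPU's to index the database.  slapd.conf syntax is
# "<directive> <value>" without "=", so the old "tool-threads = 2" would not
# parse; tool-threads is a global directive.
# tool-threads 2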
You can check on your locker statistics with:
> db_stat -c
/etc/openldap/slapd.conf:
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
# (it carries rootpw and, if replication is ever configured, bind
#  credentials: readable by root and the slapd user only)
#
#######################################################################
# schema-definitions
#######################################################################
# Schema files are processed in order; a schema has to follow the ones
# whose attribute types and object classes it references (the gosa
# schemas below appear to build on core/cosine/inetorgperson/rfc2307bis),
# so keep this order when adding includes.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/yast.schema
#include /etc/openldap/schema/nis.schema
# for eGroupWare, preferable to nis.schema (rfc2307bis covers what
# nis.schema defines; keep nis.schema commented out to avoid duplicate
# definitions):
include /etc/openldap/schema/rfc2307bis.schema
# for the Mozilla address book:
include /etc/openldap/schema/mozillaAbPersonAlpha.schema
# for the Evolution address book:
include /etc/openldap/schema/evolutionOrgPerson.schema
# These should be present for GOsa:
include /etc/openldap/schema/gosa/samba3.schema
#include /etc/openldap/schema/gosa/gohard.schema
include /etc/openldap/schema/gosa/gofon.schema
include /etc/openldap/schema/gosa/gosystem.schema
include /etc/openldap/schema/gosa/goto.schema
include /etc/openldap/schema/gosa/gosa+samba3.schema
include /etc/openldap/schema/gosa/gofax.schema
include /etc/openldap/schema/gosa/goserver.schema
include /etc/openldap/schema/gosa/goto-mime.schema
include /etc/openldap/schema/gosa/trust.schema
include /etc/openldap/schema/gosa/fai.schema
# 12.03.2007, chhaas: for eGroupWare (no longer needed from 1.3x on):
#include /etc/openldap/schema/gosa/phpgwaccount.schema
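#######################################################################
# general settings
#######################################################################
# 24.07.2006, chhaas:
# loglevel is a bit mask of the slapd.conf(5) log categories.  1024 is the
# "shell" category (communication with shell backends); with no shell
# database active it records next to nothing.  256 ("stats") logs
# connections, operations and results -- the usual production level and the
# one that shows failed binds and unusual query patterns after the fact.
# Values add up (e.g. 256+128 = stats plus ACL decisions).
loglevel 1024
# 12.03.2007, chhaas: only for OpenGroupware.org LDAP authentication
# (keep LDAPv2 binds disabled unless that client really needs them):
# allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
# Runtime files; their directory should be writable by the slapd user only
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# Load dynamic backend modules:
modulepath /usr/lib/openldap/modules
# 24.07.2006, chhaas:
# for replication:
# moduleload back_bdb
# moduleload back_ldap.la
# moduleload back_meta.la
# moduleload back_monitor.la
# moduleload back_perl.la
# 24.07.2006, chhaas:
# Schema check allows for forcing entries to
# match schemas for their objectClasses's
# (schema checking is always on in current slapd releases and the directive
#  is obsolete there; drop this line if your version rejects it)
schemacheck on
# 24.07.2006, chhaas:
# Hash used when a password is set through the LDAP Password Modify
# extended operation (clients that write userPassword directly choose their
# own hash).  Schemes listed in slapd.conf(5): {SSHA}, {SHA}, {SMD5},
# {MD5}, {CRYPT}, {CLEARTEXT}.
# {SSHA} (salted SHA-1) replaces the previous {CRYPT}: with the default
# password-crypt-salt-format, {CRYPT} yields traditional DES crypt (the
# 13-character form the old rootpw in this file used), which truncates
# passwords at 8 characters and is cheap to brute-force.
# Generate hashes with slappasswd(8C), e.g. "slappasswd -h {SSHA}".
password-hash {SSHA}
# 24.07.2006, chhaas:
# Search base
defaultsearchbase "dc=example,dc=com"
# 24.07.2006, chhaas:
## SASL setup
#sasl-authz-policy
#sasl-host station7.example.com
#sasl-realm EXAMPLE.COM
#sasl-regexp cn=(.*),ou=(.*) cn=$1,ou=$2,ou=People,dc=example,dc=com
#sasl-secprops noanonymous
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# Parameters: sasl, ssf, tls, transport, update_sasl, update_ssf,
# update_tls, update_transport
# Not enabled: without a "security" line simple binds -- and with them the
# userPassword values -- are accepted over plain TCP.  "simple_bind=64" or
# higher refuses simple binds that are not protected by TLS/SASL; enable it
# once every client is known to use TLS (see the TLS* directives below).
# security ssf=1 update_ssf=112 simple_bind=64
# security update_sasl=128,update_tls=128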
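#######################################################################
# BDB database definitions
#######################################################################
#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb
# (a backend-level "checkpoint 512 30" used to sit here; checkpoint is a
#  per-database setting and the value inside the database definition below
#  is the one that applies, so the duplicate was dropped)
# The backend type of this database is bdb (not ldbm)
database bdb
# The base of your directory
suffix "dc=example,dc=com"
# checkpoint <kbyte> <min>: write a transaction-log checkpoint after 1024 KB
# of log data or 5 minutes, whichever comes first
checkpoint 1024 5
# Number of entries kept in slapd's in-memory entry cache
cachesize 10000
# Permission bits for newly created database files (owner only): the
# database files contain every attribute, password hashes included
mode 0600
# Maintain the operational attributes (entryUUID, modifyTimestamp, ...)
lastmod on
# Where the database files are physically stored; the directory itself
# should belong to the slapd user and not be readable by others
directory /var/lib/ldap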
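# The database configuration parameters must appear *after* the "database"
# directive, as DB_CONFIG files are 'per backend'.
# "dbconfig" only writes these settings into <directory>/DB_CONFIG when that
# file does not exist yet; an existing DB_CONFIG takes precedence, so check
# it after editing here.
# BDB cache: <gbytes> <bytes> <ncache> -> 4 GB in a single segment
dbconfig set_cachesize 4 0 1
dbconfig set_lg_regionmax 262144
dbconfig set_lg_bsize 2097152
# NOTE(review): BDB transaction logs contain full copies of every written
# entry, password hashes included.  /var/log is shared with other services
# and normally world-readable; "mode 0600" above covers the database files
# only, not this directory.  A directory private to the slapd user is the
# safer choice -- confirm the permissions of whatever directory is used.
dbconfig set_lg_dir /var/log
# Automatically remove log files that are no longer needed.
# (with this flag set, catastrophic recovery from archived logs is not
#  possible; slapcat(8C) backups have to cover that need)
dbconfig set_flags DB_LOG_AUTOREMOVE
#
# Setting set_tas_spins reduces resource contention from
# multiple clients on systems with multiple CPU's.
# These are DB_CONFIG settings, not slapd.conf directives: the former bare
# "set_tas_spins 1" / "mutex_set_tas_spins 1" lines were unknown to slapd
# (warned about or rejected, depending on the version) and never reached
# Berkeley DB.  Enable exactly ONE of the two lines below --
# set_tas_spins for BDB <= 4.3, mutex_set_tas_spins for BDB >= 4.4 --
# since BDB refuses a DB_CONFIG that contains an unrecognised name.
#dbconfig set_tas_spins 1
#dbconfig mutex_set_tas_spins 1
# For multi-CPU systems, "tool-threads" should be set to the number of
# available processors (CPU cores).  It allows slapadd and slapindex to use
# multiple CPU's to index the database.  slapd.conf syntax is
# "<directive> <value>" without "=", so the old "tool-threads = 2" would not
# parse.  tool-threads is a global directive; move it to the general
# section if your slapd rejects it at this position.
tool-threads 2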
# Example replication using admin account. This will require taking the
# output of this database using slapcat(8C), and then importing that into
# the replica using slapadd(8C).
# Replication setup
# (slurpd-style push replication: "replogfile" stores every change, entry
#  data included, in the named file, and "credentials=" puts the replicator
#  password in clear text into this file -- both are reasons to keep
#  slapd.conf and the replog unreadable to others.  Newer releases use
#  syncrepl instead of replica/replogfile.)
# replogfile /var/log/ldap-replicalog
# replica host=ldap-2.example.local
# binddn="cn=replicator,dc=example,dc=com" bindmethod=simple credentials=secret
# Dummy database for config replication
# database shell
# suffix "dc=uk-bw,dc=shell"
# search /etc/ldap/shell/process.pl
# add /etc/ldap/shell/process.pl
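# rootdn is the directory superuser and bypasses every ACL below, so rootpw
# deserves the same care as a root password.  The hash that used to stand
# here was the documented sample password ("tester") in traditional DES
# crypt -- usable by anyone who has seen this file or the tutorial it came
# from.  Generate a real hash with
#   slappasswd -h {SSHA}
# and paste its output, or omit rootpw altogether and give the rootdn entry
# inside the directory a userPassword instead.
rootdn "cn=ldapadmin,dc=example,dc=com"
rootpw {SSHA}REPLACE_WITH_OUTPUT_OF_slappasswd
#######################################################################
# Indexing
#######################################################################
# "index default sub" makes "sub" the index type for any later index line
# that names attributes but no type.  After changing index lines, stop
# slapd and run slapindex(8C) to rebuild the indices.
index default sub
index uid,mail eq
#index gosaSnapshotDN eq
#index gosaSnapshotTimestamp eq,sub
index gosaMailAlternateAddress,gosaMailForwardingAddress eq
index cn,sn,givenName,ou pres,eq,sub
index objectClass pres,eq
index uidNumber,gidNumber,memberuid eq
index gosaSubtreeACL,gosaObject,gosaUser pres,eq
# 24.07.2006, chhaas: because of an error message in /var/log/messages
# about a missing index:
#index facsimileTelephoneNumber eq,sub
# 24.07.2006, chhaas: because of an error message in /var/log/messages
# about a missing index:
index facsimileAlternateTelephoneNumber eq,sub
# 2007-05-09, chhaas: because of an error message in /var/log/messages
# about a missing index:
index gosaMailDeliveryMode eq,sub
#--- Indexing for Samba 3 ---#
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
#--- SSL/TLS setting ---#
# 2007-06-28, chhaas:
# TLS* are global directives; slapd.conf(5) lists them with the global
# options before the first database definition -- move them there if your
# slapd rejects them at this position.
# Cipher list in OpenSSL syntax.  The previous value
# (ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP) still admitted LOW,
# EXPORT and RC4 suites; this one keeps strong, authenticated, encrypting
# ciphers only.  Check the resulting list with
#   openssl ciphers -v 'HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!RC4'
# Releases that support it should also set TLSProtocolMin (3.1 = TLSv1.0
# or newer) so that SSLv3 cannot be negotiated.
TLSCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!RC4
TLSCACertificateFile /etc/ssl/certs/ca_cert.pem
TLSCertificateFile /etc/ssl/certs/station7_cert.pem
# private key: readable by the slapd user only
TLSCertificateKeyFile /etc/ssl/private/station7_key.pem
# 2007-07-10, chhaas:
# never  = clients are not asked for a certificate (they authenticate by
#          bind instead)
# allow / try = a certificate is accepted when offered
# demand = a valid client certificate is required; only useful once client
#          certificates have been issued
TLSVerifyClient never
#######################################################################
# access policies
#######################################################################
# Define global ACLs to disable default read access.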
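# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access to user password
# Allow anonymous users to authenticate
# Allow read access to everything else
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# ACL evaluation: the first "access to" whose target matches the entry
# (and attribute) decides; only its "by" clauses are consulted, and a
# request matched by none of them falls through to an implicit "by * none".
# Order therefore matters: specific targets first, "access to *" last.
# These directives follow "database bdb" and so apply to that database only.
#--- GOsa policies Start ---#
# The userPassword/shadow entries by default can be
# changed by the entry owning it if they are authenticated.
# Others should not be able to see it, except the admin
# entry below
access to attrs=userPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,shadowMax,shadowExpire
        by anonymous auth
        by self write
        by * none
# Deny access to imap/fax/kerberos admin passwords stored
# in ldap tree
access to attrs=goImapPassword
        by * none
access to attrs=goKrbPassword
        by * none
access to attrs=goFaxPassword
        by * none
# Let servers write last user attribute
# NOTE(review): "by * write" lets unauthenticated clients set gotoLastUser
# on every entry.  If the writing hosts bind to the directory, "by users
# write" (or a dn/peername clause naming those hosts) is the tighter form
# -- confirm how the GOsa terminal clients connect before changing it.
access to attrs=gotoLastUser
        by * write
# Samba passwords by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
access to attrs=sambaLmPassword,sambaNtPassword
        by anonymous auth
        by self write
        by * none
# Enable write create access for the terminal admin
access to dn="ou=incoming,dc=example,dc=com"
        by dn="cn=terminal-admin,dc=example,dc=com" write
        by * none
access to dn.sub="ou=incoming,dc=example,dc=com"
        by dn="cn=terminal-admin,dc=example,dc=com" write
        by * none
# What trees should be readable, depends on your policy. Either
# use this entry and specify what should be readable, or leave
# the access to * => by * read below untouched
#access to dn="ou=(people|groups)"
#        by * read
#--- GOsa policies End ---#
#--- eGroupWare policies Start ---#
# Access to users __personal__ addressbooks
# allow read of addressbook by owner and admin account
# (the admin clause uses dn.exact: the former unanchored dn.regex also
#  matched any DN merely containing that string)
access to dn.regex="^cn=([^,]+),ou=personal,ou=contacts,dc=example,dc=com$" attrs=entry
        by dn.regex="uid=$1,ou=people,dc=example,dc=com" read
        by dn.exact="uid=admin,dc=example,dc=com" write
        by users none
# allow user to create entries in own addressbook; no-one else can access it
# needs write access to the entries ENTRY attribute ...
# (no "^" anchor on purpose: the pattern also has to match entries below
#  the addressbook so that $1 is still the owner)
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=example,dc=com$" attrs=children
        by dn.regex="uid=$1,ou=people,dc=example,dc=com" write
        by users none
# ... and the entries CHILDREN
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=example,dc=com$" attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha
        by dn.regex="uid=$1,ou=people,dc=example,dc=com" write
        by users none
# Access to __groups__ addressbooks
# allow read of addressbook by members and admin account
access to dn.regex="^cn=([^,]+),ou=shared,ou=contacts,dc=example,dc=com$" attrs=entry
        by group.expand="cn=$1,ou=groups,dc=example,dc=com" read
        by dn.exact="uid=admin,dc=example,dc=com" write
        by users none
# allow members to create entries in their group addressbooks; no-one else can access it
# needs write access to the entries ENTRY attribute ...
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=example,dc=com$" attrs=children
        by group.expand="cn=$1,ou=groups,dc=example,dc=com" write
        by users none
# ... and the entries CHILDREN
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=example,dc=com$" attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha
        by group.expand="cn=$1,ou=groups,dc=example,dc=com" write
        by users none
#--- eGroupWare policies End ---#
# Root DSE and cn=Monitor: these used to follow "access to *", which
# matches first and left them unreachable.  They are placed before the
# catch-all now.  Note that neither target is an entry of this bdb
# database, so to take effect these two rules belong with the global
# access directives (before the first "database" line).
access to dn.base=""
        by * read
access to dn.subtree=cn=Monitor
        by * read
#--- This Section MUST be the LAST!!! ---#
# rootdn can always read and write EVERYTHING!
# The admin dn (dn="cn=ldapadmin,dc=example,dc=com") has full write access
# (it is the rootdn as well, which bypasses ACLs; the clause matters only if
#  the two are ever separated).  "by * read" grants anonymous clients read
#  access to everything not restricted above.
access to *
        by dn="cn=ldapadmin,dc=example,dc=com" =wrscx
        by * read
# Access to schema information
#access to dn.subtree=""
#        by * read
#---
###--- End of slapd.conf configuration file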