/etc/openldap/slapd.conf
http://www.stanford.edu/services/directory/openldap/configuration/bdb-config.html
# The database configuration parameters must appear *after* the "database" # directive, as DB_CONFIG files are 'per backend'. dbconfig set_cachesize 4 0 1 dbconfig set_lg_regionmax 262144 dbconfig set_lg_bsize 2097152 dbconfig set_lg_dir /var/log # Automatically remove log files that are no longer needed. dbconfig set_flags DB_LOG_AUTOREMOVE # # Setting set_tas_spins reduces resource contention from # multiple clients on systems with multiple CPU's. set_tas_spins 1 #set_tas_spins is mutex_set_tas_spins in BDB 4.4. # For multi-CPU systems, "tool-threads" should be set to the number of available processors # CPU-kernels. # It allows slapadd and slapindex to use multiple CPU's to index the database. # tool-threads = 2
You can check on your locker statistics with:
> db_stat -c
/etc/openldap/slapd.conf:
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
#######################################################################
# schema-definitions
#######################################################################
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/yast.schema
#include /etc/openldap/schema/nis.schema
# fuer eGroupWare besser als nis.schema:
include /etc/openldap/schema/rfc2307bis.schema
# fuer Adressbuch mit Mozilla:
include /etc/openldap/schema/mozillaAbPersonAlpha.schema
# fuer Adressbuch mit Evolution:
include /etc/openldap/schema/evolutionOrgPerson.schema
# These should be present for GOsa:
include /etc/openldap/schema/gosa/samba3.schema
#include /etc/openldap/schema/gosa/gohard.schema
include /etc/openldap/schema/gosa/gofon.schema
include /etc/openldap/schema/gosa/gosystem.schema
include /etc/openldap/schema/gosa/goto.schema
include /etc/openldap/schema/gosa/gosa+samba3.schema
include /etc/openldap/schema/gosa/gofax.schema
include /etc/openldap/schema/gosa/goserver.schema
include /etc/openldap/schema/gosa/goto-mime.schema
include /etc/openldap/schema/gosa/trust.schema
include /etc/openldap/schema/gosa/fai.schema
# 12.03.2007, chhaas: fuer eGroupWare (ab 1.3x nicht mehr notwendig):
#include /etc/openldap/schema/gosa/phpgwaccount.schema
#######################################################################
# general settings
#######################################################################
# 24.07.2006, chhaas:
loglevel 1024
# 12.03.2007, chhaas: nur fuer OpenGroupware.org-LDAP-Authentication:
# allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# Load dynamic backend modules:
modulepath /usr/lib/openldap/modules
# 24.07.2006, chhaas:
# fuer Replikation:
# moduleload back_bdb
# moduleload back_ldap.la
# moduleload back_meta.la
# moduleload back_monitor.la
# moduleload back_perl.la
# 24.07.2006, chhaas:
# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck on
# 24.07.2006, chhaas:
# Password hash default value
# Parameters: {SHA}, {SMD5}, {MD4}, {CRYPT}, {CLEARTEXT}
# generate new passwords using the mkpasswd utility
password-hash {CRYPT}
# 24.07.2006, chhaas:
# Search base
defaultsearchbase "dc=example,dc=com"
# 24.07.2006, chhaas:
## SASL setup
#sasl-authz-policy
#sasl-host station7.example.com
#sasl-realm EXXAMPLE.COM
#sasl-regexp cn=(.*),ou=(.*) cn=$1,ou=$2,ou=People,dc=example,dc=com
#sasl-secprops noanonymous
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# Parameters: sasl, ssf, tls, transport, update_sasl, update_ssf,
# update_tls, update_transport
# security ssf=1 update_ssf=112 simple_bind=64
# security update_sasl=128,uptate_tls=128
#######################################################################
# BDB database definitions
#######################################################################
#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb
checkpoint 512 30
# The backend type, ldbm, is the default standard
database bdb
# The base of your directory
suffix "dc=example,dc=com"
checkpoint 1024 5
cachesize 10000
mode 0600
# Log modifications and write entryUUID
lastmod on
# Where the database file are physically stored
directory /var/lib/ldap
# The database configuration parameters must appear *after* the "database" # directive, as DB_CONFIG files are 'per backend'. dbconfig set_cachesize 4 0 1 dbconfig set_lg_regionmax 262144 dbconfig set_lg_bsize 2097152 dbconfig set_lg_dir /var/log # Automatically remove log files that are no longer needed. dbconfig set_flags DB_LOG_AUTOREMOVE # # Setting set_tas_spins reduces resource contention from # multiple clients on systems with multiple CPU's. set_tas_spins 1 mutex_set_tas_spins 1 # For multi-CPU systems, "tool-threads" should be set to the number of available processors # CPU-kernels. # It allows slapadd and slapindex to use multiple CPU's to index the database. tool-threads = 2
# Example replication using admin account. This will require taking the
# out put of this database using slapcat(8C), and then importing that into
# the replica using slapadd(8C).
# Replication setup
# replogfile /var/log/ldap-replicalog
# replica host=ldap-2.example.local
# binddn="cn=replicator,dc=example,dc=com" bindmethod=simple credentials=secret
# Dummy database for config replication
# database shell
# suffix "dc=uk-bw,dc=shell"
# search /etc/ldap/shell/process.pl
# add /etc/ldap/shell/process.pl
# Sample password is "tester" ;-), generate a new one using the mkpasswd
# utility and put the string after {crypt}
rootdn "cn=ldapadmin,dc=example,dc=com"
rootpw {crypt}OuorOLd3VqvC2
#######################################################################
# Indexing
#######################################################################
index default sub
index uid,mail eq
#index gosaSnapshotDN eq
#index gosaSnapshotTimestamp eq,sub
index gosaMailAlternateAddress,gosaMailForwardingAddress eq
index cn,sn,givenName,ou pres,eq,sub
index objectClass pres,eq
index uidNumber,gidNumber,memberuid eq
index gosaSubtreeACL,gosaObject,gosaUser pres,eq
# 24.07.2006, chhaas: wegen Fehlermeldung in /var/log/messages
# hinsichtlich fehlendem Index:
#index facsimileTelephoneNumber eq,sub
# 24.07.2006, chhaas: wegen Fehlermeldung in /var/log/messages
# hinsichtlich fehlendem Index:
index facsimileAlternateTelephoneNumber eq,sub
# 2007-05-09, chhaas: wegen Fehlermeldung in /var/log/messages
# hinsichtlich fehlendem Index:
index gosaMailDeliveryMode eq,sub
#--- Indexing for Samba 3 ---#
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
#--- SSL/TLS setting ---#
# 2007-06-28, chhaas:
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
#TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+SSLv2:+EXP
TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
TLSCACertificateFile /etc/ssl/certs/ca_cert.pem
TLSCertificateFile /etc/ssl/certs/station7_cert.pem
TLSCertificateKeyFile /etc/ssl/private/station7_key.pem
# 2007-07-10, chhaas:
TLSVerifyClient never
#TLSVerifyClient try
#TLSVerifyClient allow
#######################################################################
# access policies
#######################################################################
# Define global ACLs to disable default read access.
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access to user password
# Allow anonymous users to authenticate
# Allow read access to everything else
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
#--- GOsa policies Start ---#
# The userPassword/shadow Emtries by default can be
# changed by the entry owning it if they are authenticated.
# Others should not be able to see it, except the admin
# entry below
access to attrs=userPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,shadowMax,shadowExpire
by anonymous auth
by self write
by * none
# Deny access to imap/fax/kerberos admin passwords stored
# in ldap tree
access to attrs=goImapPassword
by * none
access to attrs=goKrbPassword
by * none
access to attrs=goFaxPassword
by * none
# Let servers write last user attribute
access to attrs=gotoLastUser
by * write
# Samba passwords by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
access to attrs=sambaLmPassword,sambaNtPassword
by anonymous auth
by self write
by * none
# Enable write create access for the terminal admin
access to dn="ou=incoming,dc=example,dc=com"
by dn="cn=terminal-admin,dc=example,dc=com" write
by * none
access to dn.sub="ou=incoming,dc=example,dc=com"
by dn="cn=terminal-admin,dc=example,dc=com" write
by * none
# What trees should be readable, depends on your policy. Either
# use this entry and specify what should be readable, or leave
# the access to * => by * read below untouched
#access to dn="ou=(people|groups)"
# by * read
#--- GOsa policies End ---#
#--- eGroupWare policies Start ---#
# Access to users __personal__ addressbooks
# allow read of addressbook by owner and admin account
access to dn.regex="^cn=([^,]+),ou=personal,ou=contacts,dc=example,dc=com$"
attrs=entry
by dn.regex="uid=$1,ou=people,dc=example,dc=com" read
by dn.regex="uid=admin,dc=example,dc=com" write
by users none
# allow user to create entries in own addressbook; no-one else can access it
# needs write access to the entries ENTRY attribute ...
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=example,dc=com$"
attrs=children
by dn.regex="uid=$1,ou=people,dc=example,dc=com" write
by users none
# ... and the entries CHILDREN
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=example,dc=com$"
attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha
by dn.regex="uid=$1,ou=people,dc=example,dc=com" write
by users none
# Access to __groups__ addressbooks
# allow read of addressbook by members and admin account
access to dn.regex="^cn=([^,]+),ou=shared,ou=contacts,dc=example,dc=com$"
attrs=entry
by group.expand="cn=$1,ou=groups,dc=example,dc=com" read
by dn.regex="uid=admin,dc=example,dc=com" write
by users none
# allow members to create entries in there group addressbooks; no-one else can access it
# needs write access to the entries ENTRY attribute ...
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=example,dc=com$"
attrs=children
by group.expand="cn=$1,ou=groups,dc=example,dc=com" write
by users none
# ... and the entries CHILDREN
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=example,dc=com$"
attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha
by group.expand="cn=$1,ou=groups,dc=example,dc=com" write
by users none
#--- eGroupWare policies End ---#
#--- This Section MUST be the LAST!!! ---#
# rootdn can always read and write EVERYTHING!
# The admin dn (dn="cn=ldapadmin,dc=example,dc=com") has full write access
access to *
by dn="cn=ldapadmin,dc=example,dc=com" =wrscx
by * read
access to dn.base=""
by * read
access to dn.subtree=cn=Monitor
by * read
# Access to schema information
#access to dn.subtree=""
# by * read
#---
###--- End of sldapd.conf configuration file