diff -up openldap-2.4.11/servers/slapd/slapd.conf.config openldap-2.4.11/servers/slapd/slapd.conf --- openldap-2.4.11/servers/slapd/slapd.conf.config 2007-02-13 21:22:22.000000000 +0100 +++ openldap-2.4.11/servers/slapd/slapd.conf 2008-10-09 16:13:52.000000000 +0200 @@ -2,22 +2,57 @@ # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # -include %SYSCONFDIR%/schema/core.schema -# Define global ACLs to disable default read access. +include /etc/openldap/schema/corba.schema +include /etc/openldap/schema/core.schema +include /etc/openldap/schema/cosine.schema +include /etc/openldap/schema/duaconf.schema +include /etc/openldap/schema/dyngroup.schema +include /etc/openldap/schema/inetorgperson.schema +include /etc/openldap/schema/java.schema +include /etc/openldap/schema/misc.schema +include /etc/openldap/schema/nis.schema +include /etc/openldap/schema/openldap.schema +include /etc/openldap/schema/ppolicy.schema +include /etc/openldap/schema/collective.schema + +# Allow LDAPv2 client connections. This is NOT the default. +allow bind_v2 # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org -pidfile %LOCALSTATEDIR%/run/slapd.pid -argsfile %LOCALSTATEDIR%/run/slapd.args +pidfile /var/run/openldap/slapd.pid +argsfile /var/run/openldap/slapd.args # Load dynamic backend modules: -# modulepath %MODULEDIR% -# moduleload back_bdb.la -# moduleload back_hdb.la -# moduleload back_ldap.la +# modulepath /usr/lib/openldap # or /usr/lib64/openldap +# moduleload accesslog.la +# moduleload auditlog.la +# moduleload back_sql.la +# moduleload denyop.la +# moduleload dyngroup.la +# moduleload dynlist.la +# moduleload lastmod.la +# moduleload pcache.la +# moduleload ppolicy.la +# moduleload refint.la +# moduleload retcode.la +# moduleload rwm.la +# moduleload syncprov.la +# moduleload translucent.la +# moduleload unique.la +# moduleload valsort.la + +# The next three lines allow use of TLS for encrypting connections using a +# dummy test certificate which you can generate by changing to +# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on +# slapd.pem so that the ldap user or group can read it. Your client software +# may balk at self-signed certificates, however. +# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt +# TLSCertificateFile /etc/pki/tls/certs/slapd.pem +# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem # Sample security restrictions # Require integrity protection (prevent hijacking) @@ -47,19 +82,42 @@ argsfile %LOCALSTATEDIR%/run/slapd.args # rootdn can always read and write EVERYTHING! ####################################################################### -# BDB database definitions +# ldbm and/or bdb database definitions ####################################################################### database bdb suffix "dc=my-domain,dc=com" +checkpoint 1024 15 rootdn "cn=Manager,dc=my-domain,dc=com" # Cleartext passwords, especially for the rootdn, should -# be avoid. See slappasswd(8) and slapd.conf(5) for details. +# be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. -rootpw secret +# rootpw secret +# rootpw {crypt}ijFYNcSNctBYg + # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. -directory %LOCALSTATEDIR%/openldap-data -# Indices to maintain -index objectClass eq +directory /var/lib/ldap + +# Indices to maintain for this database +index objectClass eq,pres +index ou,cn,mail,surname,givenname eq,pres,sub +index uidNumber,gidNumber,loginShell eq,pres +index uid,memberUid eq,pres,sub +index nisMapName,nisMapEntry eq,pres,sub + +# Replicas of this database +#replogfile /var/lib/ldap/openldap-master-replog +#replica host=ldap-1.example.com:389 starttls=critical +# bindmethod=sasl saslmech=GSSAPI +# authcId=host/ldap-master.example.com@EXAMPLE.COM + + +# enable monitoring +database monitor + +# allow onlu rootdn to read the monitor +access to * + by dn.exact="cn=Manager,dc=my-domain,dc=com" read + by * none