############################################################################
# See slapd.conf(5) for details on configuration options.
# This file MUST NOT be world readable (e.g. owner root:ldap, mode 0640):
# it can contain rootpw values and other credentials.
#
# Important note:
# You surely have to adjust some settings to meet your (security)
# requirements.
# At least you should replace suffix "dc=example,dc=com" by
# something meaningful for your setup.
# If you plan to use OpenLDAP server as backend for Samba and/or Kerberos
# KDC then you MUST add restrictive ACLs for the attributes that hold user
# credentials (e.g. sambaNTPassword, sambaLMPassword, krbPrincipalKey) and
# place them BEFORE the catch-all ACL of the database -- otherwise its
# "by users read" clause lets every authenticated user read them!
#
# Read the man pages before changing something!
#
# You can debug the config by running (as root while slapd stopped):
# /usr/sbin/slapd -f /etc/openldap/slapd.conf -u ldap -g ldap -h "ldapi:/// ldap://127.0.0.1" -d 65535
############################################################################

#---------------------------------------------------------------------------
# slapd global parameters
#---------------------------------------------------------------------------

# serverID must be unique across all provider replicas
# for using multi-master replication (MMR)
serverID 99

# only alter this when you know what you're doing
#threads 4

# Run-time files
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# for more debugging set:
#loglevel config stats stats2
loglevel stats

#---------------------------------------------------------------------------
# Load runtime loadable modules
#---------------------------------------------------------------------------

# Load additional backend modules installed by package 'openldap2'
# The following backends are statically built-in and therefore don't have
# to be loaded here:
# config, ldif, monitor, bdb, hdb, ldap, mdb, relay
#moduleload back_
#moduleload back_
#moduleload back_mdb
#moduleload back_meta
#moduleload back_sock

# Load additional overlay modules installed by package 'openldap2'
# The following overlays are statically built-in and therefore don't have
# to be loaded here:
# ppolicy, syncprov
#moduleload accesslog
#moduleload constraint
#moduleload dds
#moduleload deref
#moduleload dynlist
#moduleload memberof
moduleload refint
#moduleload sssvlv
#moduleload translucent
moduleload unique
#moduleload valsort

# Load additional overlay modules installed by package 'openldap2-contrib'
#moduleload allowed
#moduleload lastbind
#moduleload noopsrch
#moduleload pw-pbkdf2
#moduleload pw-sha2
#moduleload smbk5pwd

#---------------------------------------------------------------------------
# Include schema files
#---------------------------------------------------------------------------

# Schema files installed by package 'openldap2'
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/ppolicy.schema
#include /etc/openldap/schema/yast.schema

# Schema file installed by package 'dhcp-server'
#include /etc/openldap/schema/dhcp.schema

# Schema file installed by package 'samba'
#include /etc/openldap/schema/samba3.schema

# Schema file installed by package 'krb5-plugin-kdb-ldap'
#include /usr/share/doc/packages/krb5/kerberos.schema

#---------------------------------------------------------------------------
# Transport Layer Security (TLS) configuration
#---------------------------------------------------------------------------

# require at least TLS 1.2 and strong ciphers
# (3.3 = TLS 1.2; TLS 1.0 and 1.1 are deprecated by RFC 8996 and should
# no longer be offered)
#TLSProtocolMin 3.3
#TLSCipherSuite HIGH:!SSLv3:!SSLv2:!ADH

# TLS certificate and key files
# The key file must be readable by the slapd user (ldap) only.
# TLSCACertificateFile is the trust anchor used to verify *client*
# certificates once TLSVerifyClient is set (default is "never", i.e. no
# client certificate is requested). If you enable certificate-based
# SASL/EXTERNAL (see the authz-regexp mapping below) point it at your own
# issuing CA(s) only -- with the system-wide bundle any publicly trusted CA
# could issue a certificate whose subject DN satisfies that mapping.
#TLSCACertificateFile /etc/ssl/ca-bundle.pem
#TLSCertificateFile /etc/openldap/ssl.crt/server.crt
#TLSCertificateKeyFile /etc/openldap/ssl.key/server.key

# For enabling Perfect Forward Secrecy (PFS), see dhparam(1)
#TLSDHParamFile /etc/openldap/ssl.key/dhparam

#---------------------------------------------------------------------------
# Password hashing
#---------------------------------------------------------------------------

# Hash scheme applied by the Password Modify extended operation (RFC 3062).
# NOTE: this does NOT cover cleartext userPassword values written with
# ordinary add/modify operations -- see ppolicy_hash_cleartext below.
#password-hash {CRYPT}
# Parameters for {CRYPT} scheme: SHA-512, 72 bits of salt, 5000 iterations
#password-crypt-salt-format "$6$%.12s"

#---------------------------------------------------------------------------
# Security requirements
#---------------------------------------------------------------------------

# With bind_anon allowed (the default) unauthenticated clients may bind;
# the ACLs below grant them only auth access plus read on the Root DSE and
# cn=Subschema.
#disallow bind_anon
#require bind LDAPv3 strong

# SSF assigned to ldapi:// (local UNIX socket) connections; 256 lets them
# satisfy any 'security' requirement below without TLS
localSSF 256

# minimum required SSF value (security strength factor)
# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
#security ssf=128 update_ssf=256 simple_bind=128
# CAUTION: the active setting below (ssf=0) imposes no minimum at all, so
# simple binds -- and with them user passwords -- are accepted in cleartext
# over plain ldap://. Once the TLS section above is configured, raise it,
# e.g. "security ssf=128 simple_bind=128"; ldapi:// keeps working thanks to
# localSSF 256.
security ssf=0

#---------------------------------------------------------------------------
# Global access control (ACLs)
#---------------------------------------------------------------------------

# Root DSE: allow anyone to read it
access to
  dn.base=""
    by * read

# Sub schema sub entry: allow anyone to read it
access to
  dn.base="cn=Subschema"
    by * read

#---------------------------------------------------------------------------
# Authz-DN mappings
#---------------------------------------------------------------------------

# If connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used,
# system user root (uid 0 / gid 0) is mapped to the rootdn of database
# dc=example,dc=com. Note that the same DN is granted manage access on
# cn=config and write access on cn=monitor by the ACLs below -- this
# mapping is the intended way to administer the server instead of a rootpw.
authz-regexp
  "gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
    "cn=root,dc=example,dc=com"

# Map local system user to LDAP entry
# if connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
authz-regexp
  "gidnumber=([0-9]+)\\+uidnumber=([0-9]+),cn=peercred,cn=external,cn=auth"
  "ldap:///dc=example,dc=com??sub?(&(objectClass=posixAccount)(uidNumber=$2)(gidNumber=$1))"

# this maps the attribute uid to a LDAP entry
# if one of the typical password-based SASL mechs was used.
# CAUTION: DIGEST-MD5, CRAM-MD5 and NTLM only work if the server holds a
# recoverable (cleartext) password for the user, and PLAIN/LOGIN send the
# password over the wire -- offer those only over TLS or ldapi:// (see
# sasl-secprops in slapd.conf(5)).
authz-regexp
  "uid=([a-zA-Z0-9_-]+),cn=(DIGEST-MD5|CRAM-MD5|NTLM|PLAIN|LOGIN|SCRAM-SHA-1),cn=auth"
  "ldap:///dc=example,dc=com??sub?(uid=$1)"

# this maps the attribute uid to a LDAP entry
# if one of the Kerberos based SASL mechs was used
#authz-regexp
#  "uid=([a-zA-Z0-9_-]+),cn=(GSSAPI|GS2-KRB5|GS2-IAKERB),cn=auth"
#  "ldap:///dc=example,dc=com??sub?(|(krbPrincipalName=$1)(krbPrincipalAlias=$1))"

# Map client cert subject DN to LDAP entry if SASL/EXTERNAL was used over
# TLS. Requires TLSVerifyClient (try/demand) and a TLSCACertificateFile
# restricted to the CA(s) you trust to issue client certificates; the
# target entry must carry the certificate subject DN in seeAlso.
#authz-regexp
#  "(.+)"
#  "ldap:///dc=example,dc=com??sub?(&(objectClass=pkiUser)(seeAlso=$1))"


#===========================================================================
# Database specific configuration sections below
# Required order of databases:
# config (first), ...others..., monitor (last)
#===========================================================================


#---------------------------------------------------------------------------
# cn=config // Configuration database (always first!)
# see slapd-config(5)
#---------------------------------------------------------------------------

database config

# Cleartext passwords, especially for the rootdn, should be avoided!
# See slappasswd(8) and slapd.conf(5) for details.
# Best thing is not to set rootpw at all!
# For local config access by root use LDAPI with SASL/EXTERNAL instead
# (see above). Keep in mind that cn=root,dc=example,dc=com is granted
# manage access to this database by the ACL below: whoever can bind as
# that DN (e.g. with the rootpw of the dc=example,dc=com database) can
# rewrite ACLs, load modules and add backends on the running server.
#rootpw secret

access to
  dn.subtree="cn=config"
    by dn.exact="cn=root,dc=example,dc=com" manage
    by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" read
    by * none


#---------------------------------------------------------------------------
# dc=example,dc=com // Example MDB database to be used by normal clients
# see slapd-mdb(5)
#---------------------------------------------------------------------------

database mdb

suffix "dc=example,dc=com"

# rootdn has to be set for overlays' internal operations
rootdn "cn=root,dc=example,dc=com"

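# Cleartext passwords, especially for the rootdn, should be avoided!
# See slappasswd(8) and slapd.conf(5) for details.
# Best thing is not to set rootpw at all: system user root reaches this
# rootdn via ldapi:/// + SASL/EXTERNAL (authz-regexp above), and the same
# rootdn has manage access to cn=config, so a weak or well-known value here
# hands over the whole server.  If you really need a password, generate a
# hash (e.g. "slappasswd -h {SSHA}") and paste its output here; never run
# with the template value "secret".
#rootpw secret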

# The database directory MUST exist prior to running slapd and
# SHOULD only be accessible by the slapd user 'ldap'.
# mkdir /var/lib/ldap/example-db && chown ldap:ldap /var/lib/ldap/example-db && chmod 0700 /var/lib/ldap/example-db
directory /var/lib/ldap/example-db

# Permissions of database files created
mode 0600

# extra information to be available in cn=monitor for this database
monitoring on

# Perform ACL checks on the content of a new entry being added
add_content_acl on

# backend-specific database parameters
checkpoint 1024 5
# 100 MB (you can raise the limit later)
maxsize 104857600

# Indices to maintain
#
# Whenever you change indexing configuration you have to re-run slapindex
# while slapd being stopped!
# Don't forget to fix ownership/permissions of newly generated index files
# afterwards!

# set always!
index objectClass eq

# for typical address book use
index cn,sn,givenName,mail eq,sub

# for user management
index uid,uidNumber,gidNumber eq

# for authz-regexp mapping of Kerberos principal name
#index krbPrincipalName,krbPrincipalAlias eq

# for authz-regexp mapping of client cert subject DNs
#index seeAlso eq

# for syncrepl
index entryUUID,entryCSN eq

# access control lists (ACLs) for dc=example,dc=com
# see slapd.access(5) for details on access control lists (ACLs)

# full read access also to 'userPassword' for group of replicas
# and control is forwarded to subsequent ACLs
access to
  dn.subtree=dc=example,dc=com
    by group.base="cn=slapd replicas,ou=groups,dc=example,dc=com" read
    by * break

# 'userPassword': users may (over)write their own value but never read it
# (=w); everyone else gets auth-only access, i.e. the value can be used for
# binding but is not readable
access to
  attrs=userPassword
    by self =w
    by * auth

# 'userPKCS12' (private key material) must only be accessible by self
access to
  attrs=userPKCS12
    by self write
    by * none

# No access to history of passwords
# (pwdHistory holds previous password hashes; without this ACL it falls
# under the catch-all below, whose "by users read" would let every
# authenticated user read it when a policy with pwdInHistory is in effect)
#access to
#  attrs=pwdHistory
#    by * none

# Catch-all ACL for the rest: admins get full control, every authenticated
# user can read everything not matched by a preceding ACL, anonymous gets
# auth-only access. If you add the samba3 or kerberos schema, put ACLs for
# sambaNTPassword/sambaLMPassword/krbPrincipalKey BEFORE this one.
access to
  dn.subtree=dc=example,dc=com
    by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage
    by self read
    by users read
    by * auth

# see slapo-ppolicy(5)
overlay ppolicy
# Default password policy entry
#ppolicy_default cn=ppolicy-default,ou=policies,dc=example,dc=com
# Hash clear-text userPassword values sent in with add/modify operations.
# Without this, a client that writes userPassword as cleartext (allowed for
# self by the ACL above) stores it as cleartext -- password-hash only covers
# the Password Modify extended operation. slapo-ppolicy(5) notes that this
# deviates from the X.500 model; weigh that against leaving cleartext behind.
#ppolicy_hash_cleartext
# Return AccountLocked error code to client
# (slapo-ppolicy(5) warns that this discloses lockout state to attackers)
#ppolicy_use_lockout

# see slapo-refint(5)
overlay refint
refint_attributes member seeAlso
refint_nothing cn=dummy

# Check sub-tree wide uniqueness of certain attributes
# see slapo-unique(5)
# you have to add eq-index for efficient uniqueness check!
# Note that filter part is currently ignored because of OpenLDAP ITS#6825
overlay unique
unique_uri "ldap:///dc=example,dc=com?uid,uidNumber,homeDirectory?sub"
unique_uri "ldap:///ou=groups,dc=example,dc=com?cn,gidNumber?sub?(|(objectClass=groupOfNames)(objectClass=posixGroup))"
#unique_uri "ldap:///dc=example,dc=com?krbPrincipalName,krbPrincipalAlias?sub"
#unique_uri "ldap:///dc=example,dc=com?ipHostNumber?sub"
#unique_uri "ldap:///dc=example,dc=com?employeeNumber?sub"
#unique_uri "ldap:///dc=example,dc=com?uniqueIdentifier?sub"

#overlay syncprov
#mirrormode on


#---------------------------------------------------------------------------
# cn=monitor // Monitoring database (always last!)
# see slapd-monitor(5)
# NOTE: cn=monitor exposes operational details such as open connections
# (peer address, bound DN); the ACL below shares that with every
# authenticated user -- tighten "by users read" if that is too much.

database monitor

access to
  dn.subtree="cn=monitor"
    by dn.exact="cn=root,dc=example,dc=com" write
    by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" write
    by users read