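############################################################################
# See slapd.conf(5) for details on configuration options.
# This file SHOULD NOT be world readable.
#
# Important note:
# You surely have to adjust some settings to meet your (security)
# requirements.
# At least you should replace suffix "dc=example,dc=com" by
# something meaningful for your setup.
# If you plan to use OpenLDAP server as backend for Samba and/or Kerberos
# KDC then you MUST add decent ACLs for protecting user credentials!
#
# Read the man pages before changing something!
#
# You can debug the config by running (as root while slapd stopped):
# /usr/sbin/slapd -f /etc/openldap/slapd.conf -u ldap -g ldap -h "ldapi:/// ldap://127.0.0.1" -d 65535
############################################################################

#---------------------------------------------------------------------------
# slapd global parameters
#---------------------------------------------------------------------------

# serverID must be unique across all provider replicas
# for using multi-master replication (MMR)
serverID 99

# only alter this when you know what you're doing
#threads 4

# Run-time files
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# for more debugging set:
#loglevel config stats stats2
loglevel stats

#---------------------------------------------------------------------------
# Load runtime loadable modules
#---------------------------------------------------------------------------

# Load additional backend modules installed by package 'openldap2'
# The following backends are statically built-in and therefore don't have
# to be loaded here:
# config, ldif, monitor, bdb, hdb, ldap, mdb, relay
#moduleload back_
#moduleload back_
#moduleload back_mdb
#moduleload back_meta
#moduleload back_sock

# Load additional overlay modules installed by package 'openldap2'
# The following overlays are statically built-in and therefore don't have
# to be loaded here:
# ppolicy, syncprov
#moduleload accesslog
#moduleload constraint
#moduleload dds
#moduleload deref
#moduleload dynlist
#moduleload memberof
moduleload refint
#moduleload sssvlv
#moduleload translucent
moduleload unique
#moduleload valsort

# Load additional overlay modules installed by package 'openldap2-contrib'
#moduleload allowed
#moduleload lastbind
#moduleload noopsrch
#moduleload pw-pbkdf2
#moduleload pw-sha2
#moduleload smbk5pwd

#---------------------------------------------------------------------------
# Include schema files
#---------------------------------------------------------------------------

# Schema files installed by package 'openldap2'
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/ppolicy.schema
#include /etc/openldap/schema/yast.schema

# Schema file installed by package 'dhcp-server'
#include /etc/openldap/schema/dhcp.schema

# Schema file installed by package 'samba'
#include /etc/openldap/schema/samba3.schema

# Schema file installed by package 'krb5-plugin-kdb-ldap'
#include /usr/share/doc/packages/krb5/kerberos.schema

#---------------------------------------------------------------------------
# Transport Layer Security (TLS) configuration
#---------------------------------------------------------------------------
# While this whole section is commented out slapd offers no TLS at all, so
# every ldap:// connection (binds included) travels in clear text. Only
# ldapi:// is covered by localSSF below.

# require at least TLS 1.2 and highly secure ciphers
#TLSProtocolMin 3.3
#TLSCipherSuite HIGH:!SSLv3:!SSLv2:!ADH

# TLS certificate and key files
# The key file must be readable by the slapd user only (mode 0600).
#TLSCACertificateFile /etc/ssl/ca-bundle.pem
#TLSCertificateFile /etc/openldap/ssl.crt/server.crt
#TLSCertificateKeyFile /etc/openldap/ssl.key/server.key

# For enabling Perfect Forward Secrecy (PFS), see dhparam(1)
#TLSDHParamFile /etc/openldap/ssl.key/dhparam

#---------------------------------------------------------------------------
# Password hashing
#---------------------------------------------------------------------------
# password-hash applies only to passwords set through the Password Modify
# extended operation (RFC 3062). Values written by ordinary add/modify are
# stored exactly as the client sent them unless ppolicy_hash_cleartext is
# enabled (see the ppolicy overlay below). Unset, slapd uses {SSHA}.
#password-hash {CRYPT}
# Parameters for {CRYPT} scheme: SHA-512, 72 bits of salt, 5000 iterations
#password-crypt-salt-format "$6$%.12s"

#---------------------------------------------------------------------------
# Security requirements
#---------------------------------------------------------------------------
# Anonymous binds stay allowed while this is commented out; the ACLs below
# grant anonymous clients 'auth' access only.
#disallow bind_anon
#require bind LDAPv3 strong

# SSF value for ldapi://
localSSF 256

# minimum required SSF value (security strength factor)
# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 64-bit encryption for simple bind
#security ssf=1 update_ssf=112 simple_bind=64
#security ssf=128 update_ssf=256 simple_bind=128
# ssf=0 imposes no minimum: simple binds and updates are accepted over
# plain ldap:// as well. Once the TLS section above is configured, raise
# this (e.g. the second sample line) so credentials are not sent in clear.
security ssf=0

#---------------------------------------------------------------------------
# Global access control (ACLs)
#---------------------------------------------------------------------------

# Root DSE: allow anyone to read it
access to dn.base=""
    by * read

# Sub schema sub entry: allow anyone to read it
access to dn.base="cn=Subschema"
    by * read

#---------------------------------------------------------------------------
# Authz-DN mappings
#---------------------------------------------------------------------------

# If connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
# System user root is mapped to the rootdn in database dc=example,dc=com
# which has also read access on config and monitor databases
authz-regexp
    "gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
    "cn=root,dc=example,dc=com"

# Map local system user to LDAP entry
# if connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
authz-regexp
    "gidnumber=([0-9]+)\\+uidnumber=([0-9]+),cn=peercred,cn=external,cn=auth"
    "ldap:///dc=example,dc=com??sub?(&(objectClass=posixAccount)(uidNumber=$2)(gidNumber=$1))"

# this maps the attribute uid to a LDAP entry
# if one of the typical password-based SASL mechs was used
authz-regexp
    "uid=([a-zA-Z0-9_-]+),cn=(DIGEST-MD5|CRAM-MD5|NTLM|PLAIN|LOGIN|SCRAM-SHA-1),cn=auth"
    "ldap:///dc=example,dc=com??sub?(uid=$1)"

# this maps the attribute uid to a LDAP entry
# if one of the Kerberos based SASL mechs was used
#authz-regexp
#    "uid=([a-zA-Z0-9_-]+),cn=(GSSAPI|GS2-KRB5|GS2-IAKERB),cn=auth"
#    "ldap:///dc=example,dc=com??sub?(|(krbPrincipalName=$1)(krbPrincipalAlias=$1))"

# Map client cert subject DN to LDAP entry if SASL/EXTERNAL was used
#authz-regexp
#    "(.+)"
#    "ldap:///dc=example,dc=com??sub?(&(objectClass=pkiUser)(seeAlso=$1))"

#===========================================================================
# Database specific configuration sections below
# Required order of databases:
# config (first), ...others..., monitor (last)
#===========================================================================

#---------------------------------------------------------------------------
# cn=config // Configuration database (always first!)
# see slapd-config(5)
#---------------------------------------------------------------------------
database config
# Cleartext passwords, especially for the rootdn, should
# be avoided! See slappasswd(8) and slapd.conf(5) for details.
# Best thing is not to set rootpw at all!
# For local config access by root use LDAPI with SASL/EXTERNAL instead
# (see above).
#rootpw secret
access to dn.subtree="cn=config"
    by dn.exact="cn=root,dc=example,dc=com" manage
    by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" read
    by * none

#---------------------------------------------------------------------------
# dc=example,dc=com // Example MDB database to be used by normal clients
# see slapd-mdb(5)
#---------------------------------------------------------------------------
database mdb
suffix "dc=example,dc=com"
# rootdn has to be set for overlays' internal operations
rootdn "cn=root,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided! See slappasswd(8) and slapd.conf(5) for details.
# Best thing is not to set rootpw at all!
# The well-known sample value is left disabled, as in the config database
# above: root reaches the rootdn via ldapi:// and SASL/EXTERNAL (see
# authz-regexp). If a password bind is really needed, paste a hash
# generated with slappasswd(8) here, never a cleartext value.
#rootpw secret

# The database directory MUST exist prior to running slapd and
# SHOULD only be accessible by the slapd user 'ldap'.
# mkdir /var/lib/ldap/example-db && chown ldap:ldap /var/lib/ldap/example-db && chmod 0700 /var/lib/ldap/example-db
directory /var/lib/ldap/example-db

# Permissions of database files created
mode 0600

# extra information to be available in cn=monitor for this database
monitoring on

# Perform ACL checks on the content of a new entry being added
add_content_acl on

# backend-specific database parameters
checkpoint 1024 5
# 100 MB (you can raise the limit later)
maxsize 104857600

# Indices to maintain
#
# Whenever you change indexing configuration you have to re-run slapindex
# while slapd being stopped!
# Don't forget to fix ownership/permissions of newly generated index files
# afterwards!

# set always!
index objectClass eq
# for typical address book use
index cn,sn,givenName,mail eq,sub
# for user management (also serves the authz-regexp and unique_uri above/below)
index uid,uidNumber,gidNumber eq
# for authz-regexp mapping of Kerberos principal name
#index krbPrincipalName,krbPrincipalAlias eq
# for authz-regexp mapping of client cert subject DNs
#index seeAlso eq
# for syncrepl
index entryUUID,entryCSN eq

# access control lists (ACLs) for dc=example,dc=com
# see slapd.access(5) for details on access control lists (ACLs)
# ACLs are evaluated in order; the first 'access to' clause whose <what>
# matches decides, unless it ends with 'break'.

# full read access also to 'userPassword' for group of replicas
# and control is forwarded to subsequent ACLs
access to dn.subtree=dc=example,dc=com
    by group.base="cn=slapd replicas,ou=groups,dc=example,dc=com" read
    by * break

# write-only access to 'userPassword' for user, auth access else
# ('=w' grants exactly write, so users cannot read back their own hash)
access to attrs=userPassword
    by self =w
    by * auth

# 'userPKCS12' must only be accessible by self
access to attrs=userPKCS12
    by self write
    by * none

# No access to history of passwords
# Enable this once ppolicy keeps pwdHistory; otherwise that attribute
# would presumably fall under the catch-all ACL below — verify.
#access to
#    attrs=pwdHistory
#    by * none

# Catch-all ACL for the rest
# Every authenticated user can read all remaining attributes of the whole
# tree; anonymous clients get 'auth' only (enough for a simple bind).
# Tighten 'by users read' if the directory holds data that should not be
# visible to every account.
access to dn.subtree=dc=example,dc=com
    by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage
    by self read
    by users read
    by * auth

# see slapo-ppolicy(5)
overlay ppolicy
# Default password policy entry
# Without ppolicy_default only entries carrying their own pwdPolicySubentry
# get a policy (lockout, expiry, history); everyone else is unpoliced.
#ppolicy_default cn=ppolicy-default,ou=policies,dc=example,dc=com
# Hash clear-text userPassword values sent in with add/modify operations
# Left disabled, such values are stored as sent (see 'Password hashing').
#ppolicy_hash_cleartext
# Return AccountLocked error code to client
#ppolicy_use_lockout

# see slapo-refint(5)
overlay refint
refint_attributes member seeAlso
refint_nothing cn=dummy

# Check sub-tree wide uniqueness of certain attributes
# see slapo-unique(5)
# you have to add eq-index for efficient uniqueness check!
# Note that filter part is currently ignored because of OpenLDAP ITS#6825
overlay unique
unique_uri "ldap:///dc=example,dc=com?uid,uidNumber,homeDirectory?sub"
unique_uri "ldap:///ou=groups,dc=example,dc=com?cn,gidNumber?sub?(|(objectClass=groupOfNames)(objectClass=posixGroup))"
#unique_uri "ldap:///dc=example,dc=com?krbPrincipalName,krbPrincipalAlias?sub"
#unique_uri "ldap:///dc=example,dc=com?ipHostNumber?sub"
#unique_uri "ldap:///dc=example,dc=com?employeeNumber?sub"
#unique_uri "ldap:///dc=example,dc=com?uniqueIdentifier?sub"

#overlay syncprov
#mirrormode on

#---------------------------------------------------------------------------
# cn=monitor // Monitoring database (always last!)
# see slapd-monitor(5)
#---------------------------------------------------------------------------
database monitor
# cn=monitor exposes operational data such as active connections (bound
# DNs, peer addresses); restrict 'by users read' if ordinary accounts
# should not see it.
access to dn.subtree="cn=monitor"
    by dn.exact="cn=root,dc=example,dc=com" write
    by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" write
    by users read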