include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema % for schema in sorted(conf.get('schemas', set())): include /etc/ldap/schema/${schema}.schema % endfor include /etc/ldap/schema/ppolicy.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args # OpenLDAP logs can get rather spammy, so we enable logging only # on demand for debug purposes to keep the syslog nice and tidy. loglevel ${conf.get('loglevel', 0)} sizelimit unlimited disallow bind_anon modulepath /usr/lib/ldap moduleload back_mdb.so moduleload back_monitor.so moduleload back_ldap.so moduleload memberof.so moduleload syncprov.so moduleload ppolicy.so moduleload pw-sha2.so TLSCACertificateFile /etc/ldap/ssl/${conf['ssl']}.crt_intermediate.pem TLSCertificateFile /etc/ldap/ssl/${conf['ssl']}.crt.pem TLSCertificateKeyFile /etc/ldap/ssl/${conf['ssl']}.key.pem #TLSVerifyClient never #TLSCRLCheck none #security tls=1 backend mdb database mdb suffix "dc=qzwi,dc=de" checkpoint 32 30 rootdn "uid=root,dc=qzwi,dc=de" rootpw ${conf['rootpw']} directory /var/lib/ldap # mdb has a limit: maxsize 1000000000 monitoring on index cn pres,eq index dc pres,eq index member pres,eq index memberOf pres,eq index memberUid eq index objectClass eq index uid pres,eq overlay memberof memberof-group-oc groupOfNames memberof-member-ad member memberof-memberof-ad memberOf memberof-refint TRUE overlay ppolicy access to dn.one="ou=Users,dc=qzwi,dc=de" attrs=userPassword by anonymous auth by * break access to * by group="ou=qzwi-admins,ou=Groups,dc=qzwi,dc=de" manage by * break % for tree, matches in sorted(conf.get('access', {}).items()): # ${tree} % for access, users in sorted(matches.items()): % for user in sorted(users): access to dn.sub="${tree}" by dn.exact="${user}" ${access} by * break % endfor % endfor # / ${tree} % endfor # Grant read access to all applications access to dn.children="ou=Applications,dc=qzwi,dc=de" attrs=userPassword by anonymous auth by * break access to dn.sub="ou=Users,dc=qzwi,dc=de" by dn.children="ou=Applications,dc=qzwi,dc=de" read by * break access to dn.sub="ou=Groups,dc=qzwi,dc=de" by dn.children="ou=Applications,dc=qzwi,dc=de" read by * break database monitor rootDN "cn=admin,cn=Monitor" rootPW admin