include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
% for schema in sorted(conf.get('schemas', set())):
include         /etc/ldap/schema/${schema}.schema
% endfor
include         /etc/ldap/schema/ppolicy.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

# OpenLDAP logs can get rather spammy, so we enable logging only
# on demand for debug purposes to keep the syslog nice and tidy.
loglevel ${conf.get('loglevel', 0)}

sizelimit unlimited

disallow bind_anon

modulepath      /usr/lib/ldap
moduleload      back_mdb.so
moduleload      back_monitor.so
moduleload      back_ldap.so
moduleload      memberof.so
moduleload      syncprov.so
moduleload      ppolicy.so
moduleload      pw-sha2.so

TLSCACertificateFile    /etc/ldap/ssl/${conf['ssl']}.crt_intermediate.pem
TLSCertificateFile      /etc/ldap/ssl/${conf['ssl']}.crt.pem
TLSCertificateKeyFile   /etc/ldap/ssl/${conf['ssl']}.key.pem
#TLSVerifyClient never
#TLSCRLCheck             none
#security tls=1

backend mdb
database mdb
suffix      "dc=qzwi,dc=de"
checkpoint   32   30
rootdn      "uid=root,dc=qzwi,dc=de"
rootpw      ${conf['rootpw']}
directory   /var/lib/ldap
# mdb has a limit:
maxsize     1000000000

monitoring on

index cn pres,eq
index dc pres,eq
index member pres,eq
index memberOf pres,eq
index memberUid eq
index objectClass eq
index uid pres,eq

overlay memberof
memberof-group-oc groupOfNames
memberof-member-ad member
memberof-memberof-ad memberOf
memberof-refint TRUE

overlay ppolicy

#access to dn.one="ou=QZWI,dc=qzwi,dc=de"
#        attrs=userPassword
#        by anonymous auth
#        by * break

#access to * by group="ou=qzwi-admins,ou=Groups,dc=qzwi,dc=de" manage by * break

% for tree, matches in sorted(conf.get('access', {}).items()):
# ${tree}
%  for access, user in sorted(matches.items()):
access to dn.sub="${tree}" by dn.exact="${user}" ${access} by * break
%  endfor
# / ${tree}

% endfor

# Grant read access to all applications
#access to dn.children="ou=Applications,dc=qzwi,dc=de" attrs=userPassword by anonymous auth by * break
#access to dn.sub="ou=People,dc=qzwi,dc=de" by dn.children="ou=Applications,dc=qzwi,dc=de" read by * break
#access to dn.sub="ou=Groups,dc=qzwi,dc=de" by dn.children="ou=Applications,dc=qzwi,dc=de" read by * break

database monitor
rootDN  "cn=admin,cn=Monitor"
rootPW  admin