bundlewrap/bundles/openldap/files/slapd.conf


# slapd.conf, rendered from this Mako template (the `% for` control lines
# and `${...}` substitutions are expanded at deploy time; `#` lines survive
# into the rendered file as ordinary slapd.conf comments).
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
# Additional schemas come from conf['schemas']; sorted so the rendered
# file is stable between runs.
% for schema in sorted(conf.get('schemas', set())):
include /etc/ldap/schema/${schema}.schema
% endfor
include /etc/ldap/schema/ppolicy.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# OpenLDAP logs can get rather spammy, so we enable logging only
# on demand for debug purposes to keep the syslog nice and tidy.
loglevel ${conf.get('loglevel', 0)}
# NOTE(review): with no size limit, any client that passes the ACLs below
# can pull an entire subtree in a single search — confirm this is intended.
sizelimit unlimited
# Reject anonymous bind operations. Connections that have not bound are
# still "anonymous" for ACL purposes, which is why the `by anonymous auth`
# clauses further down are needed for simple binds to verify a password.
disallow bind_anon
modulepath /usr/lib/ldap
moduleload back_mdb.so
moduleload back_monitor.so
moduleload back_ldap.so
moduleload memberof.so
moduleload syncprov.so
moduleload ppolicy.so
# pw-sha2 provides the {SHA256}/{SHA512} (and salted) password schemes,
# so hashed values can be used for rootpw and userPassword.
moduleload pw-sha2.so
# Server certificate chain and key; conf['ssl'] selects the file set.
TLSCACertificateFile /etc/ldap/ssl/${conf['ssl']}.crt_intermediate.pem
TLSCertificateFile /etc/ldap/ssl/${conf['ssl']}.crt.pem
TLSCertificateKeyFile /etc/ldap/ssl/${conf['ssl']}.key.pem
# NOTE(review): `security tls=1` is commented out, so slapd itself does not
# refuse simple binds arriving over a plain ldap:// connection. Confirm the
# listener is ldaps://-only (or local-only), or enable this directive.
#TLSVerifyClient never
#TLSCRLCheck none
#security tls=1
backend mdb
database mdb
suffix "dc=qzwi,dc=de"
checkpoint 32 30
rootdn "uid=root,dc=qzwi,dc=de"
# rootpw is copied verbatim into the rendered file. conf['rootpw'] should
# therefore hold an already-hashed value (e.g. {SSHA} or a pw-sha2 scheme),
# never a cleartext password — TODO confirm what conf provides.
rootpw ${conf['rootpw']}
directory /var/lib/ldap
# mdb's map size is fixed at open time and must be set explicitly (bytes);
# the built-in default is far too small for a real directory.
maxsize 1000000000
monitoring on
index cn pres,eq
index dc pres,eq
index member pres,eq
index memberOf pres,eq
index memberUid eq
index objectClass eq
index uid pres,eq
# memberof: maintain memberOf on users from the `member` attribute of
# groupOfNames entries; refint TRUE also removes stale member references.
overlay memberof
memberof-group-oc groupOfNames
memberof-member-ad member
memberof-memberof-ad memberOf
memberof-refint TRUE
# NOTE(review): no ppolicy_default is configured, so a password policy
# only applies to entries that carry pwdPolicySubentry — confirm intended.
overlay ppolicy
# ACLs are evaluated in order; the first `access to` whose target matches
# decides. Every clause below ends with `by * break`, so a requester that
# matched no `by` line continues to the next rule and, after the last one,
# falls through to slapd's implicit default (no match -> access denied).
#
# Unauthenticated clients may use userPassword of direct children of
# ou=Users for simple-bind authentication only (auth, not read).
access to dn.one="ou=Users,dc=qzwi,dc=de"
attrs=userPassword
by anonymous auth
by * break
# Members of qzwi-admins get full (manage) rights on the whole tree.
access to *
by group="ou=qzwi-admins,ou=Groups,dc=qzwi,dc=de" manage
by * break
# Per-subtree grants from conf['access'], shaped as
# {tree_dn: {access_level: [user_dn, ...]}}; each user DN gets exactly
# the named level on the subtree, everyone else falls through.
% for tree, matches in sorted(conf.get('access', {}).items()):
# ${tree}
% for access, users in sorted(matches.items()):
% for user in sorted(users):
access to dn.sub="${tree}"
by dn.exact="${user}" ${access}
by * break
% endfor
% endfor
# / ${tree}
% endfor
# Grant read access to all applications
# Application accounts live under ou=Applications: they may bind with
# their own userPassword and then read ou=Users and ou=Groups.
access to dn.children="ou=Applications,dc=qzwi,dc=de"
attrs=userPassword
by anonymous auth
by * break
access to dn.sub="ou=Users,dc=qzwi,dc=de"
by dn.children="ou=Applications,dc=qzwi,dc=de" read
by * break
access to dn.sub="ou=Groups,dc=qzwi,dc=de"
by dn.children="ou=Applications,dc=qzwi,dc=de" read
by * break
# cn=Monitor backend (runtime statistics). No `access` directives follow
# it, so it does not inherit the mdb ACLs above — TODO confirm what the
# resulting default access to cn=Monitor is on this build.
database monitor
rootDN "cn=admin,cn=Monitor"
# NOTE(review): hard-coded cleartext password for the monitor rootDN; it
# should be supplied from conf like rootpw above and stored hashed.
rootPW admin