# slapd.conf, rendered from this Mako template with a 'conf' dict that
# supplies 'schemas', 'loglevel', 'ssl', 'rootpw' and 'access'.
# Directive order is significant in slapd.conf (global settings, then
# backend/database sections, ACLs in evaluation order), so keep any
# addition inside the section it belongs to.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
# Extra schemas requested by the deployment; sorted() keeps the rendered
# file deterministic.  Each name is spliced into a filesystem path, so
# conf['schemas'] must only contain bare schema names -- NOTE(review):
# confirm the producer of conf validates this (no '/' or '..').
% for schema in sorted(conf.get('schemas', set())):
include /etc/ldap/schema/${schema}.schema
% endfor
# Required by 'overlay ppolicy' further down.
include /etc/ldap/schema/ppolicy.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# OpenLDAP logs can get rather spammy, so we enable logging only
# on demand for debug purposes to keep the syslog nice and tidy.
# NOTE(review): with the default of 0 no record of bind attempts or
# failures reaches syslog, so password guessing against this server is
# invisible to log-based detection; 'stats' (connections, operations,
# results) is the usual production compromise.
loglevel ${conf.get('loglevel', 0)}

# No cap on entries returned per search.  NOTE(review): any client that
# can read can pull a whole subtree in one query; a finite limit bounds
# both the disclosure and the server-side work per request.
sizelimit unlimited

# Reject anonymous binds.  A connection that has not bound yet is still
# 'anonymous' for the ACLs below, which is why 'by anonymous auth' must
# be granted on userPassword before a client can bind at all.
disallow bind_anon

modulepath /usr/lib/ldap
moduleload back_mdb.so
moduleload back_monitor.so
# NOTE(review): back_ldap and syncprov are loaded but no 'database ldap'
# or 'overlay syncprov' appears in this file; drop them if nothing
# included elsewhere uses them, to keep the loaded code surface minimal.
moduleload back_ldap.so
moduleload memberof.so
moduleload syncprov.so
moduleload ppolicy.so
# Adds the {SHA256}/{SHA512} password schemes.  No 'password-hash'
# directive is set in this file, so the scheme slapd uses when it hashes
# a password itself is the built-in default -- presumably {SSHA}; confirm.
moduleload pw-sha2.so

# Server certificate chain, leaf certificate and private key, selected
# by conf['ssl'].  The key file must be readable only by the slapd user.
TLSCACertificateFile /etc/ldap/ssl/${conf['ssl']}.crt_intermediate.pem
TLSCertificateFile /etc/ldap/ssl/${conf['ssl']}.crt.pem
TLSCertificateKeyFile /etc/ldap/ssl/${conf['ssl']}.key.pem
# NOTE(review): with 'security tls=1' left commented out nothing in this
# file requires TLS, so simple binds (cleartext passwords on the wire)
# are accepted on a plain ldap:// listener unless that is prevented
# outside this file (ldaps-only listener, firewall, or a 'security'
# directive elsewhere); verify before relying on it.
#TLSVerifyClient never
#TLSCRLCheck none
#security tls=1

backend mdb

database mdb
suffix "dc=qzwi,dc=de"
# Checkpoint the database every 32 KiB written or 30 minutes,
# whichever comes first.
checkpoint 32 30
# rootdn bypasses every ACL in this database.  NOTE(review): confirm that
# conf['rootpw'] holds a hashed value ({SSHA}... or a pw-sha2 scheme)
# rather than cleartext; slapd accepts either here, and the rendered file
# must be readable only by the slapd user either way.
rootdn "uid=root,dc=qzwi,dc=de"
rootpw ${conf['rootpw']}
directory /var/lib/ldap
# mdb has a limit:
# (this is the maximum map size in bytes, ~1 GB; raise it before the
# database fills, as writes fail once it is reached)
maxsize 1000000000

# Publish this database's statistics under the monitor backend.
monitoring on

# Presence/equality indexes for the attributes the ACLs and the memberof
# overlay look up; memberUid and objectClass are matched by equality only.
index cn pres,eq
index dc pres,eq
index member pres,eq
index memberOf pres,eq
index memberUid eq
index objectClass eq
index uid pres,eq

# Maintain memberOf on member entries from groupOfNames/member values.
overlay memberof
memberof-group-oc groupOfNames
memberof-member-ad member
memberof-memberof-ad memberOf
# Keep group 'member' values and 'memberOf' in sync when an entry that
# carries memberOf is modified or removed (slapo-memberof(5), refint).
memberof-refint TRUE

# Password policy overlay.  NOTE(review): no 'ppolicy_default' is set
# here, so only entries that carry a pwdPolicySubentry attribute get a
# policy at all -- confirm that is intended, otherwise lockout and
# expiry rules never apply to ordinary users.
overlay ppolicy

# ACLs are evaluated top to bottom.  Every rule below ends in
# 'by * break', so a client that matches no 'by' clause falls through to
# the later rules; a 'by' clause that matches without a control keyword
# stops evaluation.  If nothing grants access, the result is no access.
#
# Let an unauthenticated client bind as a direct child of ou=Users.
# 'auth' permits only the password comparison, not reading the value.
access to dn.one="ou=Users,dc=qzwi,dc=de"
attrs=userPassword
by anonymous auth
by * break

# Members of qzwi-admins may do anything, anywhere in the tree.
access to *
by group="ou=qzwi-admins,ou=Groups,dc=qzwi,dc=de" manage
by * break

# Per-subtree grants from conf['access'], shaped as
# {subtree_dn: {access_level: [user_dn, ...]}}.  sorted() at every level
# keeps the generated ACL order stable between renders.
# NOTE(review): the tree, user and access values are spliced in unquoted
# or inside double quotes; confirm the producer of conf restricts the
# access level to the slapd keywords (none/disclose/auth/compare/search/
# read/write/manage) and rejects quotes and newlines in DNs, so a bad
# value cannot turn into extra directives.
% for tree, matches in sorted(conf.get('access', {}).items()):
# ${tree}
% for access, users in sorted(matches.items()):
% for user in sorted(users):
access to dn.sub="${tree}"
by dn.exact="${user}" ${access}
by * break
% endfor
% endfor
# / ${tree}

% endfor

# Grant read access to all applications
# First let application accounts bind (same 'auth'-only pattern as for
# users), then let them read users and groups.
access to dn.children="ou=Applications,dc=qzwi,dc=de"
attrs=userPassword
by anonymous auth
by * break
# NOTE(review): no 'attrs=' restriction here, so this read grant covers
# userPassword as well -- as far as this file shows, every application
# account can read the password hashes of every user under ou=Users.
# A rule 'access to dn.sub="ou=Users,dc=qzwi,dc=de" attrs=userPassword
# by * none' placed directly before this one (after the generated
# per-user rules, so their grants still win) would close that.
access to dn.sub="ou=Users,dc=qzwi,dc=de"
by dn.children="ou=Applications,dc=qzwi,dc=de" read
by * break
access to dn.sub="ou=Groups,dc=qzwi,dc=de"
by dn.children="ou=Applications,dc=qzwi,dc=de" read
by * break

# Monitor backend: exposes connections, operations and statistics.
# NOTE(review): the monitor rootPW is the literal word 'admin' and lands
# in every rendered config.  'disallow bind_anon' does not affect this
# authenticated bind, so anyone who can reach the listener and knows the
# DN can read the monitor tree.  Source it from conf like the mdb rootpw
# above and store a hash rather than cleartext.  No 'access to' directive
# is scoped to this database either, so presumably only rootDN can read
# it -- confirm.
database monitor
rootDN "cn=admin,cn=Monitor"
rootPW admin