bundlewrap/bundles/openldap/files/slapd.conf


# slapd.conf rendered by bundlewrap from a Mako template: the "% for" lines
# and the dollar-brace substitutions are template syntax, not slapd
# directives; "conf" is the per-node config dict supplied by bundlewrap.
# slapd.conf is order-sensitive: directives before "backend"/"database" are
# global, everything after a "database" line belongs to that database.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
# Optional per-node schemas; sorted so the rendered file is deterministic.
% for schema in sorted(conf.get('schemas', set())):
include /etc/ldap/schema/${schema}.schema
% endfor
# Required by the ppolicy overlay enabled further down.
include /etc/ldap/schema/ppolicy.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# OpenLDAP logs can get rather spammy, so we enable logging only
# on demand for debug purposes to keep the syslog nice and tidy.
# Note that the default of 0 switches slapd logging off completely, so
# the usual "stats" records (connections, binds, searches) that serve as
# an audit trail are only written when a node sets 'loglevel'.
loglevel ${conf.get('loglevel', 0)}
# No cap on search results: an authenticated client may pull everything
# its ACLs permit in a single search. A per-DN cap can be set with 'limits'.
sizelimit unlimited
# Rejects anonymous *bind requests*. Per slapd.conf(5) this does not by
# itself forbid unauthenticated (implicitly anonymous) operations; that
# needs 'require authc'. NOTE(review): confirm which is intended here.
disallow bind_anon
modulepath /usr/lib/ldap
moduleload back_mdb.so
moduleload back_monitor.so
# back_ldap and syncprov are loaded but nothing in this file defines a
# "database ldap" or an "overlay syncprov" that uses them.
moduleload back_ldap.so
moduleload memberof.so
moduleload syncprov.so
moduleload ppolicy.so
# Adds the {SHA256}/{SSHA256}/{SHA512}/{SSHA512} password schemes, so
# rootpw below (and stored userPassword values) can be hashed with them.
moduleload pw-sha2.so
# Server certificate, its key, and the intermediate chain sent to clients.
# All three are derived from the node's 'ssl' name.
TLSCACertificateFile /etc/ldap/ssl/${conf['ssl']}.crt_intermediate.pem
TLSCertificateFile /etc/ldap/ssl/${conf['ssl']}.crt.pem
TLSCertificateKeyFile /etc/ldap/ssl/${conf['ssl']}.key.pem
# All three are disabled. The first two are slapd's defaults anyway; the
# third is the one that matters: without 'security tls=1' (or an ssf
# requirement) binds -- including the rootdn password -- are accepted over
# plain ldap:// if such a listener is enabled. The listener list is given
# on the slapd command line, outside this file.
#TLSVerifyClient never
#TLSCRLCheck none
#security tls=1
backend mdb
database mdb
suffix "dc=qzwi,dc=de"
# Flush/checkpoint the database every 32 KiB written or every 30 minutes.
checkpoint 32 30
# The rootdn bypasses every ACL in this database.
rootdn "uid=root,dc=qzwi,dc=de"
# slapd accepts a hashed value here (e.g. an {SSHA} or pw-sha2 scheme hash);
# if the node supplies cleartext, this file's permissions are the only thing
# protecting the directory's master credential. The bundlewrap file item's
# mode/owner is defined outside this template.
rootpw ${conf['rootpw']}
directory /var/lib/ldap
# Maximum size of the mdb environment in bytes (about 1 GB); writes fail
# with an error once it is reached, so watch database growth.
maxsize 1000000000
# Publish this database's statistics under cn=Monitor (see the monitor
# database at the end of this file).
monitoring on
# Presence/equality indexes; searches on unindexed attributes fall back to
# scanning the whole database.
index cn pres,eq
index dc pres,eq
index member pres,eq
index memberOf pres,eq
index memberUid eq
index objectClass eq
index uid pres,eq
# Maintain memberOf on entries from the "member" attribute of groupOfNames.
overlay memberof
memberof-group-oc groupOfNames
memberof-member-ad member
memberof-memberof-ad memberOf
# Referential integrity: drop dangling "member" values when a member entry
# is deleted or renamed.
memberof-refint TRUE
# NOTE(review): no ppolicy_default is configured, so the overlay is expected
# to enforce a policy only on entries carrying an explicit pwdPolicySubentry
# attribute -- confirm that matches the intent.
overlay ppolicy
# Disabled ACL examples kept for reference; they are not active.
#access to dn.one="ou=QZWI,dc=qzwi,dc=de"
# attrs=userPassword
# by anonymous auth
# by * break
#access to * by group="ou=qzwi-admins,ou=Groups,dc=qzwi,dc=de" manage by * break
# Generated ACLs. conf['access'] maps a subtree DN to a dict of
# {access level: user DN}; because the inner key is the access level, each
# subtree can hold at most one user per level. Both values are interpolated
# unescaped into double-quoted ACL clauses, so they must not contain '"'.
# ACLs are evaluated in order: the first "access to" whose target matches is
# selected and its "by" clauses are tried in turn; "by * break" continues to
# the next "access" directive. Once any access directive exists, whatever no
# clause grants is denied by slapd's implicit final "by * none" (the rootdn
# is exempt).
% for tree, matches in sorted(conf.get('access', {}).items()):
# ${tree}
% for access, user in sorted(matches.items()):
access to dn.sub="${tree}" by dn.exact="${user}" ${access} by * break
% endfor
# / ${tree}
% endfor
# Grant read access to all applications
# (disabled: the three rules below are commented out, so application
# accounts only get whatever conf['access'] grants them)
#access to dn.children="ou=Applications,dc=qzwi,dc=de" attrs=userPassword by anonymous auth by * break
#access to dn.sub="ou=People,dc=qzwi,dc=de" by dn.children="ou=Applications,dc=qzwi,dc=de" read by * break
#access to dn.sub="ou=Groups,dc=qzwi,dc=de" by dn.children="ou=Applications,dc=qzwi,dc=de" read by * break
# cn=Monitor: exposes connection, operation and backend statistics.
database monitor
rootDN "cn=admin,cn=Monitor"
# Static, well-known credential for the monitor backend. This is a valid
# bind for anyone who can reach the listener, and this database has no
# access directives of its own. It should come from conf like rootpw above,
# preferably as a hash. NOTE(review): confirm which ACLs (global or none)
# end up governing cn=Monitor for non-root binds.
rootPW admin