# # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/corba.schema include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/duaconf.schema include /etc/openldap/schema/dyngroup.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/java.schema include /etc/openldap/schema/misc.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/openldap.schema include /etc/openldap/schema/ppolicy.schema include /etc/openldap/schema/collective.schema # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 pidfile /var/run/openldap/slapd.pid #argsfile /var/run/openldap/slapd.args # Limit SASL options to only GSSAPI and not other client-favorites. Apparently there is an issue where # clients will default to non-working SASL mechanisms and will make you angry. sasl-secprops noanonymous,noplain,noactive # SASL connection information. The realm should be your Kerberos realm as configured for the system. The # host should be the LEGITIMATE hostname of this server sasl-realm EDT.ORG sasl-host ldap.edt.org # Rewrite certain SASL bind DNs to more readable ones. Otherwise you bind as some crazy default # that ends up in a different base than your actual one. This uses regex to rewrite that weird # DN and make it become one that you can put within your suffix. authz-policy from authz-regexp "^uid=[^,/]+/admin,cn=edt\.org,cn=gssapi,cn=auth" "cn=Manager,dc=edt,dc=org" authz-regexp "^uid=([^,]+),cn=edt\.org,cn=gssapi,cn=auth" "cn=$1,ou=usuaris,dc=edt,dc=org" # ------------------------------------------------------------------------------------------------------------ # SSL certificate file paths TLSCACertificateFile /etc/ssl/certs/cacert.pem TLSCertificateFile /etc/openldap/certs/ldapcert.pem TLSCertificateKeyFile /etc/openldap/certs/ldapserver.pem TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSVerifyClient allow # ----------------------------------------------- database hdb suffix "dc=edt,dc=org" rootdn "cn=Manager,dc=edt,dc=org" rootpw {SASL}admin/admin@EDT.ORG directory /var/lib/ldap index objectClass eq,pres access to attrs=userPassword by anonymous auth by self write access to * by peername.ip=172.18.0.0%255.255.0.0 read by * read break