#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Ansible/Jinja2 template for slapd.conf; {{ … }} and {% … %} are rendered
# before the file reaches the host.  Directive order matters: everything
# before the first "database" line is global, "access" rules are evaluated
# first-match in file order.
#
# schema configs in different file
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/kerberos.schema
include /etc/openldap/schema/openssh-lpk.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/samba.schema

# log statistics for connections, operations and results
loglevel 256

# allow ldap version 2 binds
# NOTE(review): LDAPv2 binds are a legacy protocol feature; keep this line
# only while a v2-only client is known to exist, otherwise drop it.
allow bind_v2

# require modern ciphers for access
# localSSF is the security factor assumed for ldapi:// sockets; security
# ssf=128 rejects operations on any session with a lower effective SSF
# (i.e. plain ldap:// without TLS), so only TLS and the local socket work.
localSSF 128
security ssf=128

# use random id based on hostname
# deterministic per host (seeded by inventory_hostname) so the value is
# stable across runs; uniqueness across the replica set is not enforced
# here — TODO confirm no two hosts render the same id
serverID {{ 4095 | random(seed=inventory_hostname) }}

# limit search result sizes without hard limit
sizelimit size.soft=500
sizelimit size.hard=none

# pid and args files
pidfile /run/openldap/slapd.pid
argsfile /run/openldap/slapd.args

# overlay modules to load
modulepath /usr/lib64/openldap
moduleload ppolicy.la
moduleload syncprov.la
#moduleload smbkrb5pwd.la
moduleload constraint.la
moduleload memberof.la

# certificates and ciphers (unfortunately modern cipher suite didn't work)
# TLSVerifyClient allow: a client certificate is requested but not required;
# a missing or bad certificate does not abort the handshake, it is only
# usable for SASL EXTERNAL.  TLSProtocolMin 3.4 means TLS 1.3 or newer.
TLSCertificateFile {{ tls_certs }}/{{ ldap_server_cert }}.crt
TLSCertificateKeyFile {{ tls_private }}/{{ ldap_server_cert }}.key
TLSCACertificatePath /etc/openldap/certs
TLSVerifyClient allow
TLSECName prime256v1
TLSProtocolMin 3.4

# force hostname to get kerberos working correctly behind proxies
sasl-host ldap.foo.sh

#####################################################################
# database {{ ldap_basedn }} configurations
#####################################################################

database mdb

# 1GB i guess we don't go beyond this
maxsize 1073741824

suffix "{{ ldap_basedn }}"
rootdn "cn=manager,{{ ldap_basedn }}"

# no rootpw is set: the manager identity is reached only through the
# peercred authz-regexp mapping below (local root over ldapi://)
overlay ppolicy
ppolicy_default cn=pwdPolicy,ou=System,{{ ldap_basedn }}
# hash cleartext passwords written by clients and enforce lockout policy
ppolicy_hash_cleartext
ppolicy_use_lockout

# $6$ = SHA-512 crypt with an 8-character random salt
password-hash {CRYPT}
password-crypt-salt-format "$6$.8s"

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# loginShell is also self-writable below; this constraint bounds what a
# user can set it to.  uniqueMember must point at an existing person entry.
overlay constraint
constraint_attribute loginShell regex ^/bin/(bash|tcsh|zsh)$
constraint_attribute uniqueMember uri ldap:///ou=People,{{ ldap_basedn }}?entryDN?one?(objectClass=inetOrgPerson)

overlay memberof
memberof-group-oc groupOfUniqueNames
memberof-member-ad uniqueMember
memberof-memberof-ad memberOf

# database directory
# chmod 700 so ldap:ldap can create encrypted backups with group readable
# access without access to clear text data
directory /srv/ldap

{% if not ldap_master %}
# replication
# consumer side; the replicator binds with a per-host account and a
# per-host secret (presumably vaulted — verify in group_vars).
# tls_reqcert="demand" makes the provider certificate mandatory and
# validated against tls_cacert.
syncrepl rid={{ 999 | random(seed=inventory_hostname) }}
    provider=ldaps://ldap01.foo.sh
    type=refreshAndPersist
    retry="10 10 60 +"
    searchbase="{{ ldap_basedn }}"
    filter="(objectClass=*)"
    scope="sub"
    sizelimit=500000
    timelimit=360000
    schemachecking="off"
    bindmethod="simple"
    tls_cacert="{{ tls_bundle }}"
    tls_reqcert="demand"
    binddn="uid=replicator,cn={{ inventory_hostname }},ou=Hosts,{{ ldap_basedn }}"
    credentials="{{ ldap_replicator_pass[inventory_hostname] }}"
updateref ldaps://ldap01.foo.sh
{% endif %}

# for syncrepl
index entryCSN,entryUUID,objectClass eq
# for kerberos kdc
index krbPrincipalName eq
# for username lookups
index uid eq

# map root user to manager when authenticating via socket
authz-regexp
    "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
    "cn=manager,{{ ldap_basedn }}"

# map rest of users authenticating via socket to correct ldap entries
authz-regexp
    "gidNumber=([0-9]\+)\\\+uidNumber=([0-9]\+),cn=peercred,cn=external,cn=auth"
    "ldap:///{{ ldap_basedn }}??sub?(&(uidNumber=$2)(objectClass=posixAccount))"

# map kerberos users
authz-regexp
    "uid=([^,]\+),cn=gssapi,cn=auth"
    "ldap:///{{ ldap_basedn }}??sub?(&(uid=$1)(objectClass=posixAccount))"
authz-regexp
    "uid=([^,]\+),cn=gss-spnego,cn=auth"
    "ldap:///{{ ldap_basedn }}??sub?(&(uid=$1)(objectClass=posixAccount))"

# map sasl plain users
# NOTE(review): the character class here is [^.] while the gssapi rules use
# [^,]; a uid containing a dot will not be mapped by the plain/login rules —
# confirm this is intended.
authz-regexp
    "uid=([^.]\+),cn=plain,cn=auth"
    "ldap:///{{ ldap_basedn }}??sub?(&(uid=$1)(objectClass=posixAccount))"

# map sasl login users
authz-regexp
    "uid=([^.]\+),cn=login,cn=auth"
    "ldap:///{{ ldap_basedn }}??sub?(&(uid=$1)(objectClass=posixAccount))"

# allow everyone to read root object
access to dn.base={{ ldap_basedn }}
    by * read

# require authentication for authenticated users that don't match above
# anonymous and unmapped SASL identities get "auth" only and stop here;
# everything else falls through ("break") to the rules below
access to *
    by dn.children="cn=peercred,cn=external,cn=auth" auth
    by dn.children="cn=gssapi,cn=auth" auth
    by dn.children="cn=gss-spnego,cn=auth" auth
    by anonymous auth
    by * break

# NOTE(review): this condition differs from "{% if not ldap_master %}" used
# for syncrepl above; "is defined" is also true on consumers where
# ldap_master is set to false, so this rule may render on every host —
# confirm whether "{% if ldap_master %}" was intended.
# The dn.regex is unanchored; "^…$" would restrict it to exactly the
# uid=replicator entries under ou=Hosts.
{% if ldap_master is defined %}
# allow replicator to read everything
access to *
    by dn.regex="uid=replicator,cn=[^,]+,ou=Hosts,{{ ldap_basedn }}" read
    by * break
{% endif %}

# allow self to change password
# NOTE(review): "by * compare" grants every identity that reaches this rule
# (all authenticated users, after the "break" above) compare on any entry's
# userPassword, which is wider than a self-service change needs — confirm
# compare is required, otherwise "by * none".
access to attrs=userPassword
    by self write
    by * compare

# allow kerberos to write password changes
access to attrs=krbPrincipalKey,krbExtraData,krbLoginFailedCount,krbTicketFlags,krbPasswordExpiration,krbLastPwdChange
    by dn.exact="uid=krb5kadmin,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}" write
    by dn.exact="uid=krb5kdc,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}" read
    by * none

# allow kerberos to read own objects
access to dn.sub=cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}
    by dn.exact="uid=krb5kadmin,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}" read
    by dn.exact="uid=krb5kdc,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}" read
    by * none

# allow group owners to edit members
# note that "owner" is in the attrs list, so an owner can also change or
# hand over ownership of the group
access to dn.one=ou=Groups,{{ ldap_basedn }} filter="(objectClass=groupOfUniqueNames)" attrs=owner,uniqueMember
    by dnattr=owner write
    by users read
    by * none

# allow self to change login shell
# (values are restricted by the constraint overlay above)
access to dn.one=ou=People,{{ ldap_basedn }} attrs=loginShell
    by self write
    by users read
    by * none

# allow reads to netgroups
# TODO: change that only sysadm + host certs can read
access to dn.sub=ou=Netgroup,ou=System,{{ ldap_basedn }}
    by users read
    by * none

# allow reads to ou=System object itself
access to dn.base=ou=System,{{ ldap_basedn }}
    by users read
    by * none

# block rest of queries to ou=System tree
access to dn.sub=ou=System,{{ ldap_basedn }}
    by * none

# for the rest allow users to read and block rest
access to *
    by users read
    by * none

#####################################################################
# database for monitoring (allow only access through local socket)
#####################################################################

database monitor
access to *
    by sockurl=ldapi:/// read
    by * none