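#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# slapd configuration template: schema includes, global TLS/security
# settings, the primary mdb database with its overlays and ACLs, and a
# socket-only monitor database.  {{ ... }} placeholders are filled in by
# the templating layer (Jinja2 filters such as random(seed=...) suggest
# Ansible).
#
# slapd.conf reads a line that begins with whitespace as a continuation
# of the previous line; the ACLs below use that to put one "by" clause
# per line.

# schema configs in different file
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/kerberos.schema
include /etc/openldap/schema/openssh-lpk.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/samba.schema

# log statistics for connections, operations and results
loglevel 256

# allow ldap version 2 binds
# NOTE(review): the global "security ssf=128" below applies to v2 binds
# as well, so a v2 client still has to arrive over TLS or the ldapi socket.
allow bind_v2

# require modern ciphers for access
# ldapi:// sessions are credited an SSF of 128, so they satisfy the
# "security ssf=128" requirement without TLS; every other transport needs it.
localSSF 128
security ssf=128

# use random id based on hostname
# the seeded random() is stable per host, so re-templating keeps the same id
serverID {{ 4095 | random(seed=inventory_hostname) }}

# limit search result sizes without hard limit
# the soft limit applies when a client sends no size limit of its own;
# size.hard=none lets a client raise it explicitly
sizelimit size.soft=500
sizelimit size.hard=none

# pid and args files
pidfile /run/openldap/slapd.pid
argsfile /run/openldap/slapd.args

# overlay modules to load
modulepath /usr/lib64/openldap
moduleload ppolicy.la
moduleload syncprov.la
#moduleload smbkrb5pwd.la
moduleload constraint.la

# certificates and ciphers (unfortunately modern cipher suite didn't work)
TLSCertificateFile {{ tls_certs }}/{{ ldap_server_cert }}.crt
TLSCertificateKeyFile {{ tls_private }}/{{ ldap_server_cert }}.key
TLSCACertificatePath /etc/openldap/certs
# "try": a client certificate is requested but, per slapd.conf(5), the
# session proceeds when none is presented -- client certs are optional here
TLSVerifyClient try
TLSECName prime256v1
TLSCipherSuite {{ tls_ciphers }}
# 3.3 is TLS 1.2; TLS 1.0 and 1.1 handshakes are refused
TLSProtocolMin 3.3

#####################################################################
# database {{ ldap_basedn }} configurations
#####################################################################
database mdb
# 1GB i guess we don't go beyond this
maxsize 1073741824
suffix "{{ ldap_basedn }}"
# no rootpw is set in this file: local root is mapped onto the rootdn by the
# peercred authz-regexp further down instead of binding with a password
rootdn "cn=manager,{{ ldap_basedn }}"

overlay ppolicy
ppolicy_default cn=pwdPolicy,ou=System,{{ ldap_basedn }}
# cleartext passwords arriving in Add/Modify are stored with the
# password-hash scheme configured below
ppolicy_hash_cleartext
# report AccountLocked to the client instead of a plain invalidCredentials
ppolicy_use_lockout
password-hash {CRYPT}
# printf-style format handed to crypt(3).  slapd.conf(5) expects exactly one
# %s conversion, into which the randomly generated salt is substituted.  The
# previous value "$6$.8s" had no % and therefore passed the literal text
# ".8s" as the salt for every hash; "$6$%.8s" selects SHA-512 crypt with an
# 8-character per-password salt.
password-crypt-salt-format "$6$%.8s"

overlay syncprov
# checkpoint contextCSN after 100 write operations or 10 minutes
syncprov-checkpoint 100 10
syncprov-sessionlog 100

overlay constraint
constraint_attribute loginShell regex ^/bin/(bash|tcsh|zsh)$
# a uniqueMember value must be the entryDN of an existing inetOrgPerson
# directly under ou=People (scope "one")
constraint_attribute uniqueMember uri ldap:///ou=People,{{ ldap_basedn }}?entryDN?one?(objectClass=inetOrgPerson)

# database directory
# chmod 700 so ldap:ldap can create encrypted backups with group readable
# access without access to clear text data
directory /srv/ldap

# for syncrepl
# NOTE(review): the second authz-regexp below searches on uidNumber, which is
# not indexed here; consider "index uidNumber eq" if ou=People grows large.
index entryCSN,entryUUID,objectClass eq

# map root user to manager when authenticating via socket
authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=manager,{{ ldap_basedn }}"

# map rest of users authenticating via socket to correct ldap entries
authz-regexp "gidNumber=([0-9]\+)\\\+uidNumber=([0-9]\+),cn=peercred,cn=external,cn=auth" "ldap:///{{ ldap_basedn }}??sub?(&(uidNumber=$2)(objectClass=posixAccount))"

# ACLs are evaluated top-down: the first "access to" whose target matches is
# used, and within it the first "by" whose subject matches decides unless it
# says "break".

# require authentication for authenticated users that don't match above
# unmapped peercred identities and anonymous get auth only; everyone else
# falls through ("break") to the more specific clauses below
access to *
    by dn.children="cn=peercred,cn=external,cn=auth" auth
    by anonymous auth
    by * break

# allow self to change password
# NOTE(review): "by * compare" also lets anonymous clients run Compare
# against userPassword; "by anonymous auth" is the narrower grant if nothing
# relies on Compare here -- confirm before changing.
access to attrs=userPassword
    by self write
    by * compare

# allow kerberos to read own objects
# must stay above the ou=System deny rule below or it never matches
access to dn.sub=cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}
    by dn.exact="uid=krb5kdc,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}" read
    by * none

# allow group owners to edit members
# covers only owner/uniqueMember of groupOfUniqueNames entries; other group
# attributes fall through to the final catch-all rule
access to dn.one=ou=Groups,{{ ldap_basedn }} filter="(objectClass=groupOfUniqueNames)" attrs=owner,uniqueMember
    by dnattr=owner write
    by users read
    by * none

# allow self to change login shell
# (accepted values are still restricted by the constraint overlay above)
access to dn.one=ou=People,{{ ldap_basedn }} attrs=loginShell
    by self write
    by users read
    by * none

# block rest of queries to ou=System tree
access to dn.sub=ou=System,{{ ldap_basedn }}
    by * none

# for the rest allow users to read and block rest
access to *
    by users read
    by * none

#####################################################################
# database for monitoring (allow only access through local socket)
#####################################################################
database monitor
access to *
    by sockurl=ldapi:/// read
    by * none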