212 lines
6.4 KiB
Django/Jinja
212 lines
6.4 KiB
Django/Jinja
#
|
|
# See slapd.conf(5) for details on configuration options.
|
|
# This file should NOT be world readable.
|
|
#
|
|
|
|
# schema configs in different file
|
|
include /etc/openldap/schema/core.schema
|
|
include /etc/openldap/schema/cosine.schema
|
|
include /etc/openldap/schema/inetorgperson.schema
|
|
include /etc/openldap/schema/kerberos.schema
|
|
include /etc/openldap/schema/openssh-lpk.schema
|
|
include /etc/openldap/schema/rfc2307bis.schema
|
|
include /etc/openldap/schema/samba.schema
|
|
|
|
# log statistics for connections, operations and results
|
|
loglevel 256
|
|
|
|
# allow ldap version 2 binds
|
|
allow bind_v2
|
|
|
|
# require modern ciphers for access
|
|
localSSF 128
|
|
security ssf=128
|
|
|
|
# use random id based on hostname
|
|
serverID {{ 4095 | random(seed=inventory_hostname) }}
|
|
|
|
# limit search result sizes without hard limit
|
|
sizelimit size.soft=500
|
|
sizelimit size.hard=none
|
|
|
|
# pid and args files
|
|
pidfile /run/openldap/slapd.pid
|
|
argsfile /run/openldap/slapd.args
|
|
|
|
# overlay modules to load
|
|
modulepath /usr/lib64/openldap
|
|
moduleload ppolicy.la
|
|
moduleload syncprov.la
|
|
#moduleload smbkrb5pwd.la
|
|
moduleload constraint.la
|
|
moduleload memberof.la
|
|
|
|
# certificates and ciphers (unfortunately modern cipher suite didn't work)
|
|
TLSCertificateFile {{ tls_certs }}/{{ ldap_server_cert }}.crt
|
|
TLSCertificateKeyFile {{ tls_private }}/{{ ldap_server_cert }}.key
|
|
TLSCACertificatePath /etc/openldap/certs
|
|
TLSVerifyClient allow
|
|
TLSECName prime256v1
|
|
TLSProtocolMin 3.4
|
|
|
|
# force hostname to get kerberos working correctly behind proxies
|
|
sasl-host ldap.foo.sh
|
|
|
|
#####################################################################
|
|
# database {{ ldap_basedn }} configurations
|
|
#####################################################################
|
|
|
|
database mdb
|
|
# 1GB i guess we don't go beyond this
|
|
maxsize 1073741824
|
|
|
|
suffix "{{ ldap_basedn }}"
|
|
rootdn "cn=manager,{{ ldap_basedn }}"
|
|
|
|
overlay ppolicy
|
|
ppolicy_default cn=pwdPolicy,ou=System,{{ ldap_basedn }}
|
|
ppolicy_hash_cleartext
|
|
ppolicy_use_lockout
|
|
password-hash {CRYPT}
|
|
password-crypt-salt-format "$6$.8s"
|
|
|
|
overlay syncprov
|
|
syncprov-checkpoint 100 10
|
|
syncprov-sessionlog 100
|
|
|
|
overlay constraint
|
|
constraint_attribute loginShell regex ^/bin/(bash|tcsh|zsh)$
|
|
constraint_attribute uniqueMember uri ldap:///ou=People,{{ ldap_basedn }}?entryDN?one?(objectClass=inetOrgPerson)
|
|
|
|
overlay memberof
|
|
memberof-group-oc groupOfUniqueNames
|
|
memberof-member-ad uniqueMember
|
|
memberof-memberof-ad memberOf
|
|
|
|
# database directory
|
|
# chmod 700 so ldap:ldap can create encrypted backups with group readable
|
|
# access without access to clear text data
|
|
directory /srv/ldap
|
|
|
|
{% if ldap_master is not defined %}
|
|
# replication
|
|
syncrepl rid={{ 999 | random(seed=inventory_hostname) }}
|
|
provider=ldaps://ldap01.foo.sh
|
|
type=refreshAndPersist
|
|
retry="10 10 60 +"
|
|
searchbase="{{ ldap_basedn }}"
|
|
filter="(objectClass=*)"
|
|
scope="sub"
|
|
sizelimit=500000
|
|
timelimit=360000
|
|
schemachecking="off"
|
|
bindmethod="simple"
|
|
tls_cacert="{{ tls_bundle }}"
|
|
tls_reqcert="demand"
|
|
binddn="uid=replicator,cn={{ inventory_hostname }},ou=Hosts,{{ ldap_basedn }}"
|
|
credentials="{{ ldap_replicator_pass[inventory_hostname] }}"
|
|
updateref ldaps://ldap01.foo.sh
|
|
|
|
{% endif %}
|
|
# for syncrepl
|
|
index entryCSN,entryUUID,objectClass eq
|
|
# for kerberos kdc
|
|
index krbPrincipalName eq
|
|
# for username lookups
|
|
index uid eq
|
|
|
|
# map root user to manager when authenticating via socket
|
|
authz-regexp
|
|
"gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
|
|
"cn=manager,{{ ldap_basedn }}"
|
|
# map rest of users authenticating via socket to correct ldap entries
|
|
authz-regexp
|
|
"gidNumber=([0-9]\+)\\\+uidNumber=([0-9]\+),cn=peercred,cn=external,cn=auth"
|
|
"ldap:///{{ ldap_basedn }}??sub?(&(uidNumber=$2)(objectClass=posixAccount))"
|
|
# map kerberos users
|
|
authz-regexp
|
|
"uid=([^,]\+),cn=gssapi,cn=auth"
|
|
"ldap:///{{ ldap_basedn }}??sub?(&(uid=$1)(objectClass=posixAccount))"
|
|
authz-regexp
|
|
"uid=([^,]\+),cn=gss-spnego,cn=auth"
|
|
"ldap:///{{ ldap_basedn }}??sub?(&(uid=$1)(objectClass=posixAccount))"
|
|
# map sasl plain users
|
|
authz-regexp
|
|
"uid=([^.]\+),cn=plain,cn=auth"
|
|
"ldap:///{{ ldap_basedn }}??sub?(&(uid=$1)(objectClass=posixAccount))"
|
|
# map sasl login users
|
|
authz-regexp
|
|
"uid=([^.]\+),cn=login,cn=auth"
|
|
"ldap:///{{ ldap_basedn }}??sub?(&(uid=$1)(objectClass=posixAccount))"
|
|
|
|
# require authentication for authenticated users that don't match above
|
|
access to *
|
|
by dn.children="cn=peercred,cn=external,cn=auth" auth
|
|
by dn.children="cn=gssapi,cn=auth" auth
|
|
by dn.children="cn=gss-spnego,cn=auth" auth
|
|
by anonymous auth
|
|
by * break
|
|
|
|
{% if ldap_master is defined %}
|
|
# allow replicator to read everything
|
|
access to *
|
|
by dn.regex="uid=replicator,cn=[^,]+,ou=Hosts,{{ ldap_basedn }}" read
|
|
by * break
|
|
|
|
{% endif %}
|
|
# allow self to change password
|
|
access to attrs=userPassword
|
|
by self write
|
|
by * compare
|
|
|
|
# allow kerberos to write password changes
|
|
access to attrs=krbPrincipalKey,krbExtraData,krbLoginFailedCount,krbTicketFlags,krbPasswordExpiration,krbLastPwdChange
|
|
by dn.exact="uid=krb5kadmin,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}" write
|
|
by dn.exact="uid=krb5kdc,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}" read
|
|
by * none
|
|
|
|
# allow kerberos to read own objects
|
|
access to dn.sub=cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}
|
|
by dn.exact="uid=krb5kadmin,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}" read
|
|
by dn.exact="uid=krb5kdc,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}" read
|
|
by * none
|
|
|
|
# allow group owners to edit members
|
|
access to dn.one=ou=Groups,{{ ldap_basedn }} filter="(objectClass=groupOfUniqueNames)" attrs=owner,uniqueMember
|
|
by dnattr=owner write
|
|
by users read
|
|
by * none
|
|
|
|
# allow self to change login shell
|
|
access to dn.one=ou=People,{{ ldap_basedn }} attrs=loginShell
|
|
by self write
|
|
by users read
|
|
by * none
|
|
|
|
# allow reads to netgroups
|
|
# TODO: change that only sysadm + host certs can read
|
|
access to dn.sub=ou=Netgroup,ou=System,{{ ldap_basedn }}
|
|
by users read
|
|
by * none
|
|
|
|
# allow reads to ou=System object itself
|
|
access to dn.base=ou=System,{{ ldap_basedn }}
|
|
by users read
|
|
by * none
|
|
|
|
# block rest of queries to ou=System tree
|
|
access to dn.sub=ou=System,{{ ldap_basedn }}
|
|
by * none
|
|
|
|
# for the rest allow users to read and block rest
|
|
access to *
|
|
by users read
|
|
by * none
|
|
|
|
#####################################################################
|
|
# database for monitoring (allow only access through local socket)
|
|
#####################################################################
|
|
database monitor
|
|
access to *
|
|
by sockurl=ldapi:/// read
|
|
by * none
|