139 lines
4.1 KiB
Django/Jinja
139 lines
4.1 KiB
Django/Jinja
#
|
|
# See slapd.conf(5) for details on configuration options.
|
|
# This file should NOT be world readable.
|
|
#
|
|
|
|
# schema configs in different file
|
|
include /etc/openldap/schema/core.schema
|
|
include /etc/openldap/schema/cosine.schema
|
|
include /etc/openldap/schema/inetorgperson.schema
|
|
include /etc/openldap/schema/kerberos.schema
|
|
include /etc/openldap/schema/openssh-lpk.schema
|
|
include /etc/openldap/schema/ppolicy.schema
|
|
include /etc/openldap/schema/rfc2307bis.schema
|
|
include /etc/openldap/schema/samba.schema
|
|
|
|
# log statistics for connections, operations and results
|
|
loglevel 256
|
|
|
|
# allow ldap version 2 binds
|
|
allow bind_v2
|
|
|
|
# require modern ciphers for access
|
|
localSSF 128
|
|
security ssf=128
|
|
|
|
# use random id based on hostname
|
|
serverID {{ 4095 | random(seed=inventory_hostname) }}
|
|
|
|
# limit search result sizes without hard limit
|
|
sizelimit size.soft=500
|
|
sizelimit size.hard=none
|
|
|
|
# pid and args files
|
|
pidfile /run/openldap/slapd.pid
|
|
argsfile /run/openldap/slapd.args
|
|
|
|
# overlay modules to load
|
|
modulepath /usr/lib64/openldap
|
|
moduleload ppolicy.la
|
|
moduleload syncprov.la
|
|
#moduleload smbkrb5pwd.la
|
|
moduleload constraint.la
|
|
|
|
# certificates and ciphers (unfortunately modern cipher suite didn't work)
|
|
TLSCertificateFile {{ tls_certs }}/{{ ldap_server_cert }}.crt
|
|
TLSCertificateKeyFile {{ tls_private }}/{{ ldap_server_cert }}.key
|
|
TLSCACertificatePath /etc/openldap/certs
|
|
TLSVerifyClient try
|
|
TLSECName prime256v1
|
|
TLSCipherSuite {{ tls_ciphers }}
|
|
TLSProtocolMin 3.3
|
|
|
|
#####################################################################
|
|
# database {{ ldap_basedn }} configurations
|
|
#####################################################################
|
|
|
|
database mdb
|
|
# 1GB i guess we don't go beyond this
|
|
maxsize 1073741824
|
|
|
|
suffix "{{ ldap_basedn }}"
|
|
rootdn "cn=manager,{{ ldap_basedn }}"
|
|
|
|
overlay ppolicy
|
|
ppolicy_default cn=pwdPolicy,ou=System,{{ ldap_basedn }}
|
|
ppolicy_hash_cleartext
|
|
ppolicy_use_lockout
|
|
password-hash {CRYPT}
|
|
password-crypt-salt-format "$6$.8s"
|
|
|
|
overlay syncprov
|
|
syncprov-checkpoint 100 10
|
|
syncprov-sessionlog 100
|
|
|
|
overlay constraint
|
|
constraint_attribute loginShell regex ^/bin/(bash|tcsh|zsh)$
|
|
constraint_attribute uniqueMember uri ldap:///ou=People,{{ ldap_basedn }}?entryDN?one?(objectClass=inetOrgPerson)
|
|
|
|
# database directory
|
|
# chmod 700 so ldap:ldap can create encrypted backups with group readable
|
|
# access without access to clear text data
|
|
directory /srv/ldap
|
|
|
|
# for syncrepl
|
|
index entryCSN,entryUUID,objectClass eq
|
|
|
|
# map root user to manager when authenticating via socket
|
|
authz-regexp
|
|
"gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
|
|
"cn=manager,{{ ldap_basedn }}"
|
|
# map rest of users authenticating via socket to correct ldap entries
|
|
authz-regexp
|
|
"gidNumber=([0-9]\+)\\\+uidNumber=([0-9]\+),cn=peercred,cn=external,cn=auth"
|
|
"ldap:///{{ ldap_basedn }}??sub?(&(uidNumber=$2)(objectClass=posixAccount))"
|
|
|
|
# require authentication for authenticated users that don't match above
|
|
access to *
|
|
by dn.children="cn=peercred,cn=external,cn=auth" auth
|
|
by anonymous auth
|
|
by * break
|
|
|
|
# allow self to change password
|
|
access to attrs=userPassword
|
|
by self write
|
|
by * compare
|
|
|
|
# allow kerberos to read own objects
|
|
access to dn.sub=cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}
|
|
by dn.exact="uid=krb5kdc,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}" read
|
|
by * none
|
|
|
|
# allow group owners to edit members
|
|
access to dn.one=ou=Groups,{{ ldap_basedn }} filter="(objectClass=groupOfUniqueNames)" attrs=owner,uniqueMember
|
|
by dnattr=owner write
|
|
by users read
|
|
by * none
|
|
|
|
# allow self to change login shell
|
|
access to dn.one=ou=People,{{ ldap_basedn }} attrs=loginShell
|
|
by self write
|
|
by users read
|
|
by * none
|
|
|
|
# block rest of queries to ou=System tree
|
|
access to dn.sub=ou=System,{{ ldap_basedn }}
|
|
by * none
|
|
|
|
# for the rest allow users to read and block rest
|
|
access to *
|
|
by users read
|
|
by * none
|
|
|
|
#####################################################################
|
|
# database for monitoring (allow only access through local socket)
|
|
#####################################################################
|
|
database monitor
|
|
access to *
|
|
by sockurl=ldapi:/// read
|
|
by * none
|