#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Puppet ERB template for the global section of slapd.conf. Paths come from
# the ldap::server::* and ssl::* variables; schema and database definitions
# live in the two included files under slapd.conf.d/.
#

# Schema configs in different file
include <%= scope.lookupvar('ldap::server::config') %>/slapd.conf.d/schema.conf

# Minimal logging: per slapd.conf(5), "none" still logs the messages that are
# logged regardless of level (only 0 disables logging entirely).
# Connections, operations and bind results are not recorded at this level,
# so failed binds leave no audit trail; "loglevel stats" records them.
loglevel none

# allow ldap version 2 connections
# LDAPv2 is Historic (RFC 3494) and has no extended operations, hence no
# StartTLS. Keep this only while legacy clients still need it.
allow bind_v2

# Require a security strength factor (SSF) of at least 128 for simple
# (DN/password) binds. Simple binds on a cleartext connection are refused,
# so clients must negotiate TLS before sending a password.
security simple_bind=128

# limit search result sizes (but don't set hard limit)
# The soft limit applies when the client requests no limit of its own. With
# no hard limit, a client that asks for more is not capped by this setting.
sizelimit size.soft=500
sizelimit size.hard=none

pidfile <%= scope.lookupvar('ldap::server::rundir') %>/slapd.pid
argsfile <%= scope.lookupvar('ldap::server::rundir') %>/slapd.args

# overlay modules to load
# NOTE(review): the guard below reads ldap::server::modulepath through
# scope.lookupvar, while the emitted value comes from the bare template
# variable "modulepath"; presumably the same value - confirm.
# Extra module names from ldap_server_modules are written out verbatim.
<% if scope.lookupvar('ldap::server::modulepath') != '' -%>
modulepath <%= modulepath %>
moduleload ppolicy.la
moduleload syncprov.la
<% if ['Ubuntu','Debian'].index(operatingsystem) -%>
moduleload back_hdb.la
moduleload back_monitor.la
<% end -%>
<% if has_variable?('ldap_server_modules') -%>
<% ldap_server_modules.each do |name| -%>
moduleload <%= name %>.la
<% end -%>
<% end -%>
<% end -%>

# certificates
# The private key file should be readable only by the account slapd runs as.
# "TLSVerifyClient try" requests a client certificate but does not require
# one: a session without a certificate proceeds, a session presenting an
# invalid certificate is terminated. Use "demand" to require client
# certificates.
TLSCertificateFile <%= scope.lookupvar('ssl::certs') %>/slapd.crt
TLSCertificateKeyFile <%= scope.lookupvar('ssl::private') %>/slapd.key
TLSCACertificatePath <%= scope.lookupvar('ldap::server::config') %>/cacerts
TLSVerifyClient try

# include database configs
include <%= scope.lookupvar('ldap::server::config') %>/slapd.conf.d/database.conf

# enable monitoring database
# The ACL is keyed on the peer address only: any connection from 127.0.0.1,
# including an anonymous one, can read cn=Monitor; all other peers get
# nothing. It does not match the IPv6 loopback address or ldapi:// sockets.
database monitor
access to * by peername.ip=127.0.0.1 read by * none