#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Puppet ERB template for the main slapd.conf. Paths are filled in from the
# ldap::server::config, ssl::certs and ssl::private variables.
# NOTE(review): the included schema.conf and database.conf are not shown here;
# if database.conf carries rootpw or replication credentials it needs the same
# restrictive file mode as this file - confirm in the manifest.
#

# Schema configs in different file
include <%= scope.lookupvar('ldap::server::config') %>/slapd.conf.d/schema.conf

# Minimal logging. Per slapd.conf(5), "none" keeps only the messages slapd
# logs regardless of the configured level (loglevel 0 is what switches
# logging off entirely).
# NOTE(review): at this level binds, searches and connection events are not
# recorded, so there is no audit trail for failed binds or bulk reads. The
# "stats" level logs connections/operations/results if that trail is wanted.
loglevel none

# Require a security strength factor (SSF) of at least 128 for simple
# (DN + password) binds, so a simple bind on an unprotected connection is
# refused. This covers simple binds only; no ssf=/tls= minimum is set here for
# other operations.
# NOTE(review): the refusal happens after the client has sent its password,
# so clients still have to be configured for ldaps:// or StartTLS themselves.
# SSF reflects key strength only; no TLSProtocolMin or TLSCipherSuite is set
# in this file, so protocol and cipher selection is left to the TLS library
# defaults.
security simple_bind=128

# limit search result sizes (but don't set hard limit)
# size.soft is what a search gets when the client asks for no limit;
# size.hard=none lets a client explicitly request any larger size.
# NOTE(review): with no hard limit any identity allowed to search can pull an
# entire subtree in one request; a finite size.hard (or per-identity "limits"
# in the database config) bounds that.
sizelimit size.soft=500
sizelimit size.hard=none

# Runtime files written by slapd: its process id and its command-line args.
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# overlay modules to load
# ppolicy.la and syncprov.la are always loaded. When the Puppet variable
# ldap_server_modules is defined, one extra moduleload line is emitted per
# entry, with the name written verbatim. A loaded module runs inside slapd, so
# that list should only ever come from trusted Puppet data.
modulepath /usr/lib/openldap
moduleload ppolicy.la
moduleload syncprov.la
<% if has_variable?('ldap_server_modules') -%>
<% ldap_server_modules.each do |name| -%>
moduleload <%= name %>
<% end -%>
<% end -%>

# certificates
# Server certificate, its private key, and a directory of trusted CA
# certificates. The key file must be readable by the slapd user only.
# "TLSVerifyClient never" means slapd does not request a client certificate;
# clients are identified by their bind alone.
TLSCertificateFile <%= scope.lookupvar('ssl::certs') %>/slapd.crt
TLSCertificateKeyFile <%= scope.lookupvar('ssl::private') %>/slapd.key
TLSCACertificatePath <%= scope.lookupvar('ldap::server::config') %>/cacerts
TLSVerifyClient never

# include database configs
include <%= scope.lookupvar('ldap::server::config') %>/slapd.conf.d/database.conf

# enable monitoring database
# Read access to cn=Monitor is granted by source address only: any connection
# from 127.0.0.1 may read, whatever identity it bound as (anonymous included);
# everything else gets no access.
# NOTE(review): every local account on the host can therefore read monitor
# data. Connections over ::1 or ldapi:// do not match peername.ip=127.0.0.1
# and fall through to "by * none".
database monitor
access to * by peername.ip=127.0.0.1 read by * none