#
# TDE slapd.conf template
#
# Global section: schema, runtime files, module loading and server-wide limits.
# Schema files; core.schema must come first because the others extend it.
# rfc2307bis.schema defines posixAccount/posixGroup itself, so nis.schema must
# NOT be added alongside it (duplicate objectClass definitions abort startup).
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/rfc2307bis.schema
include /etc/ldap/schema/rfc2739.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/qmail.schema
include /etc/ldap/schema/hdb.schema
include /etc/ldap/schema/dlz.schema
include /etc/ldap/schema/dhcp.schema
include /etc/ldap/schema/amavis.schema
include /etc/ldap/schema/ppolicy.schema
# Non-default prefix: the run directory must exist and be writable by the
# account slapd drops to, or startup fails after the sockets are bound.
pidfile /opt/zivios/openldap/var/run/slapd.pid
argsfile /opt/zivios/openldap/var/run/slapd.args
# Accept LDAPv2 binds. v2 clients cannot use StartTLS or SASL, so this only
# widens the set of clients that bind with a cleartext simple password.
# NOTE(review): remove unless a specific v2-only client is known to need it.
allow bind_v2
# 256 = "stats": connections, operations and result codes; entry contents and
# bind credentials are not logged at this level.
loglevel 256
# Dynamic modules. Each overlay loaded here is only active on a database that
# declares it with an "overlay" line; back_hdb is the default backend below.
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload syncprov
moduleload back_monitor
moduleload auditlog
moduleload smbk5pwd
moduleload unique
moduleload ppolicy
# Hard ceiling on entries returned by one search; a client may ask for fewer
# but not more (rootdn binds are exempt).
sizelimit 500
# Threads used by slapadd/slapindex in tool mode, not by the running server.
tool-threads 1
# Default backend type for the data database declared further down.
backend hdb
# cn=Monitor. No "access" directive in this file names it, so who may read
# server statistics (connection peers, operation counts) is whatever slapd's
# default policy grants. NOTE(review): add an explicit ACL if this should not
# be visible to anonymous clients.
database monitor
# cn=config: the live, writable copy of this file (schema, ACLs, overlays).
# Whoever binds as cn=config can rewrite the ACL section below, so this
# credential is at least as sensitive as the data-directory rootpw.
database config
rootdn cn=config
# {SHA} is an unsalted SHA-1 digest: fast to brute-force offline if this file
# or the cn=config entry is ever exposed. The hash is filled in by the
# template generator; {SSHA} would need the generator changed too.
rootpw {SHA}@@@ROOTPW_SHA@@@
# Realm data database (suffix filled in by the template generator).
database hdb
# Overlays stack; slapd runs them in reverse declaration order, so an
# operation passes ppolicy -> unique -> smbk5pwd -> auditlog -> syncprov
# before reaching the backend. Keep ppolicy last so it sees a bind/modify
# before smbk5pwd derives Samba and Kerberos keys from the new password.
overlay syncprov
overlay auditlog
overlay smbk5pwd
overlay unique
overlay ppolicy
# slapo-auditlog appends every successful write to this file as LDIF with
# attribute values, i.e. password hashes and Kerberos keys as stored.
# NOTE(review): the file must be mode 0600 and nothing here rotates or
# truncates it; treat it with the same care as the database directory.
auditlog "/var/log/realmauditlog.txt"
suffix "@@@REALM_DCNAME@@@"
# Directory manager; bypasses every ACL in this file. Same unsalted {SHA}
# hash placeholder as cn=config, so one leaked secret controls both.
rootdn "cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@"
rootpw {SHA}@@@ROOTPW_SHA@@@
# BDB checkpoint every 512 KiB of transaction log or 30 minutes.
checkpoint 512 30
# The BDB files here contain every value in the directory, including the
# credential attributes the ACLs protect: owned by the slapd user, 0700.
directory "/var/ldap-realm-database"
# Written to DB_CONFIG in that directory on first start if the file is
# absent; later edits here are ignored once DB_CONFIG exists. 2 MiB cache.
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
# Equality indexes cover the authz-regexp lookup below (uid, objectClass)
# and the three attributes the unique overlay checks (mail, uid, uidNumber),
# so neither forces a full database scan on every bind or write.
index accountStatus eq
index mailHost eq
index cn eq,pres,subinitial
index mail eq,pres
index mailAlternateAddress eq,pres
index objectClass eq
index uid pres,eq
index uidNumber eq
index gidNumber eq
# Maintain modifiersName/modifyTimestamp/entryCSN; syncprov needs entryCSN.
lastmod on
# slapo-unique: reject any add/modify that would duplicate one of these values.
# NOTE(review): "unique_attributes" is the legacy keyword; current releases
# spell this "unique_uri ldap:///?mail,uid,uidNumber?sub".
unique_attributes mail uid uidNumber
# Server certificate/key for ldaps:// and StartTLS. No TLSCACertificateFile,
# so any intermediate CA must be concatenated into the .crt; no
# TLSCipherSuite, so the TLS library default applies.
# NOTE(review): nothing in this file requires TLS. Without a
# "security ssf=<n> simple_bind=<n>" line a simple bind over plain ldap://
# sends the password in the clear, and the ACL section's "by anonymous auth"
# allows exactly that bind.
TLSCertificateFile /etc/trinity/ldap/tde-ca/public/@@@ADMINSERVER@@@.crt
TLSCertificateKeyFile /etc/trinity/ldap/tde-ca/private/@@@ADMINSERVER@@@.key
# SASL/GSSAPI identity of this server (must match its keytab principal).
sasl-realm @@@REALM_UCNAME@@@
sasl-host @@@ADMINSERVER@@@
# minssf=0 is the library default: a GSSAPI session may run with no
# integrity or confidentiality layer. minssf=56 or higher forces wrapping.
sasl-secprops minssf=0
# Map principal "user@REALM" (GSSAPI) to the posixAccount whose uid is
# "user". $1 is substituted into the search filter unescaped; the value is
# whatever principal the KDC issued a ticket for, so trust is bounded by
# the KDC, and a service principal such as "host/x" is mapped the same way.
authz-regexp uid=(.*),cn=@@@REALM_LCNAME@@@,cn=gssapi,cn=auth ldap:///@@@REALM_DCNAME@@@??sub?(&(uid=$1)(objectClass=posixAccount))
# Map uid 0 connecting over ldapi:// with SASL EXTERNAL (peercred) to the
# admin user. NOTE(review): the "+" in the pattern is unescaped, so the
# regex engine reads it as a quantifier, not the literal "+" that joins
# "gidNumber=0+uidNumber=0"; it still matches because ".*" absorbs "0+",
# but "gidNumber=[0-9]+\+uidNumber=0" states the intent.
authz-regexp "gidNumber=.*+uidNumber=0,cn=peercred,cn=external,cn=auth" "uid=@@@ADMINUSER@@@,ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@"
#
# ACL Section
#
# Credential attributes: LDAP password, shadow aging and the Heimdal hdb
# Kerberos keys/flags. "by" clauses are tried in order; the first that
# matches the requester decides.
# NOTE(review): in the installed file the "by" lines must be indented --
# slapd.conf only joins a line to the directive above when it starts with
# whitespace, and a flush-left "by" is an unknown directive.
#  - the named admin user: full write.
#  - ANY client on the ldapi:/// listener: full write. "sockurl" matches the
#    listener, not the peer's identity, so an anonymous local process that
#    can open the socket may rewrite every user's password and Kerberos
#    keys, and the peercred mapping above adds nothing here. Restrict with
#    socket permissions, or require "by dn=... sockurl.regex=..." together.
#  - anonymous: may only present a value for bind comparison, never read.
#  - the entry itself: may rewrite its own credentials. This also covers its
#    own krb5KDCFlags and krb5KeyVersionNumber; confirm users should be
#    able to alter their own KDC flags rather than just their password.
#  - everyone else: nothing.
access to attrs=userPassword,shadowLastChange,krb5Key,krb5PrincipalName,krb5KeyVersionNumber,krb5MaxLife,krb5MaxRenew,krb5KDCFlags
by dn="uid=@@@ADMINUSER@@@,ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@" write
by sockurl.regex="^ldapi:///$" write
by anonymous auth
by self write
by * none
# Root DSE readable by all (clients need it for supportedSASLMechanisms and
# namingContexts). NOTE(review): this sits inside the hdb database section;
# rootDSE access is normally governed by the global/frontend ACLs, so
# confirm it takes effect here. No catch-all "access to *" follows, so what
# every other attribute of every entry gets is slapd's implicit default --
# declare it explicitly so the policy can be read off this file.
access to dn="" by * read