src/docker/openldap-for-apache-fortress-tests/slapd.conf - directory-fortress-core - Git at Google

 #
 #   Licensed to the Apache Software Foundation (ASF) under one
 #   or more contributor license agreements.  See the NOTICE file
 #   distributed with this work for additional information
 #   regarding copyright ownership.  The ASF licenses this file
 #   to you under the Apache License, Version 2.0 (the
 #   "License"); you may not use this file except in compliance
 #   with the License.  You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 #   Unless required by applicable law or agreed to in writing,
 #   software distributed under the License is distributed on an
 #   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 #   KIND, either express or implied.  See the License for the
 #   specific language governing permissions and limitations
 #   under the License.
 #
 #
 # Fortress slapd.conf default settings.

 include		/etc/ldap/schema/core.schema
 include		/etc/ldap/schema/ppolicy.schema
 include		/etc/ldap/schema/cosine.schema
 include		/etc/ldap/schema/inetorgperson.schema
 include		/etc/ldap/schema/nis.schema
 include		/etc/ldap/schema/openldap.schema
 include		/etc/ldap/schema/fortress.schema
 include		/etc/ldap/schema/rbac.schema

 disallow bind_anon
 idletimeout 0
 sizelimit 5000
 timelimit 60
 threads 4
 loglevel 32768
 gentlehup on
 sortvals  roleOccupant

 pidfile		/var/run/slapd/slapd.pid
 argsfile	/var/run/slapd/slapd.args

 modulepath	/usr/lib/ldap
 moduleload	back_mdb.la
 moduleload	ppolicy.la
 moduleload  accesslog.la
 moduleload  dds.la
 moduleload  back_monitor.la

 # Global ACLS:
 # RootDSE is always readable
 access to dn.base="" by * read

 # For tooling:
 access to dn.base="cn=subschema"
   by * read

 password-hash {SSHA}

 #######################################################################
 # History DB Settings
 #######################################################################
 database	 mdb
 maxreaders 64
 maxsize 1000000000
 suffix		"cn=log"
 rootdn      "cn=Manager,cn=log"
 rootpw      "{SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU"
 index objectClass,reqDN,reqAuthzID,reqStart,reqAttr eq
 directory	"/var/lib/ldap/hist"
 access to *
     by dn.base="cn=Manager,cn=log" write
 dbnosync
 checkpoint   64 5

 # Accesslog is readable by replicator and fortress:
 access to dn.subtree="cn=log"
         by dn.exact="cn=replicator,dc=admin,dc=example,dc=com" read
         by dn.exact="cn=fortress-admin,dc=admin,dc=example,dc=com" read
         by * break

 #######################################################################
 # Default DB Settings
 #######################################################################
 database	mdb
 maxreaders 64
 maxsize 1000000000
 suffix		"dc=example,dc=com"
 rootdn      "cn=Manager,dc=example,dc=com"
 rootpw      "{SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU"

 index uidNumber,gidNumber,objectclass eq
 index cn,sn,ftObjNm,ftOpNm,ftRoleName,uid,ou eq,sub
 index ftId,ftPermName,ftRoles,ftUsers,ftRA,ftARA eq
 index roleOccupant eq

 directory	"/var/lib/ldap/dflt"
 overlay accesslog
 logdb   "cn=log"
 dbnosync
 checkpoint	64 5

 # The fortress admin needs write access to the whole DIT
 access to dn.subtree="dc=example,dc=com"
         by dn.exact="cn=fortress-admin,dc=admin,dc=example,dc=com" write
         by * break

 # Accesslog is readable by replicator and fortress:
 access to dn.subtree="cn=log"
         by dn.exact="cn=replicator,dc=admin,dc=example,dc=com" read
         by dn.exact="cn=fortress-admin,dc=admin,dc=example,dc=com" read
         by * break

 # Allow anonymous ability to bind:
 access to dn.subtree="dc=example,dc=com" attrs=userPassword
   by anonymous auth
   by * break

 # For audit trail:
 # Allow users access to modify their own pw & fortress audit attrs.
 access to dn.subtree="dc=example,dc=com" attrs=userPassword,ftModifier,ftModCode,ftModId
   by self =wx
   by * none

 # Allow users compare access to a fortress perm op name:
 access to dn.subtree="dc=example,dc=com" attrs=ftOpNm
   by users compare

 #######################################################################
 # Audit Log Settings
 #######################################################################
 logops bind writes compare
 logoldattr ftModifier ftModCode ftModId ftRC ftRA ftARC ftARA ftCstr ftId ftPermName ftObjNm ftOpNm ftObjId ftGroups ftRoles ftUsers ftType
 logpurge 5+00:00 1+00:00

 #######################################################################
 # PW Policy Settings
 #######################################################################
 # Enable the Password Policy overlay to enforce password policies on this database.
 overlay     ppolicy
 ppolicy_default "cn=PasswordPolicy,ou=Policies,dc=example,dc=com"
 ppolicy_use_lockout
 ppolicy_hash_cleartext

 #######################################################################
 # Monitor database
 #######################################################################
 database monitor
	#
	# Licensed to the Apache Software Foundation (ASF) under one
	# or more contributor license agreements. See the NOTICE file
	# distributed with this work for additional information
	# regarding copyright ownership. The ASF licenses this file
	# to you under the Apache License, Version 2.0 (the
	# "License"); you may not use this file except in compliance
	# with the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing,
	# software distributed under the License is distributed on an
	# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	# KIND, either express or implied. See the License for the
	# specific language governing permissions and limitations
	# under the License.
	#
	#
	# Fortress slapd.conf default settings.

	include /etc/ldap/schema/core.schema
	include /etc/ldap/schema/ppolicy.schema
	include /etc/ldap/schema/cosine.schema
	include /etc/ldap/schema/inetorgperson.schema
	include /etc/ldap/schema/nis.schema
	include /etc/ldap/schema/openldap.schema
	include /etc/ldap/schema/fortress.schema
	include /etc/ldap/schema/rbac.schema

	disallow bind_anon
	idletimeout 0
	sizelimit 5000
	timelimit 60
	threads 4
	loglevel 32768
	gentlehup on
	sortvals roleOccupant

	pidfile /var/run/slapd/slapd.pid
	argsfile /var/run/slapd/slapd.args

	modulepath /usr/lib/ldap
	moduleload back_mdb.la
	moduleload ppolicy.la
	moduleload accesslog.la
	moduleload dds.la
	moduleload back_monitor.la

	# Global ACLS:
	# RootDSE is always readable
	access to dn.base="" by * read

	# For tooling:
	access to dn.base="cn=subschema"
	by * read

	password-hash {SSHA}

	#######################################################################
	# History DB Settings
	#######################################################################
	database mdb
	maxreaders 64
	maxsize 1000000000
	suffix "cn=log"
	rootdn "cn=Manager,cn=log"
	rootpw "{SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU"
	index objectClass,reqDN,reqAuthzID,reqStart,reqAttr eq
	directory "/var/lib/ldap/hist"
	access to *
	by dn.base="cn=Manager,cn=log" write
	dbnosync
	checkpoint 64 5

	# Accesslog is readable by replicator and fortress:
	access to dn.subtree="cn=log"
	by dn.exact="cn=replicator,dc=admin,dc=example,dc=com" read
	by dn.exact="cn=fortress-admin,dc=admin,dc=example,dc=com" read
	by * break

	#######################################################################
	# Default DB Settings
	#######################################################################
	database mdb
	maxreaders 64
	maxsize 1000000000
	suffix "dc=example,dc=com"
	rootdn "cn=Manager,dc=example,dc=com"
	rootpw "{SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU"

	index uidNumber,gidNumber,objectclass eq
	index cn,sn,ftObjNm,ftOpNm,ftRoleName,uid,ou eq,sub
	index ftId,ftPermName,ftRoles,ftUsers,ftRA,ftARA eq
	index roleOccupant eq

	directory "/var/lib/ldap/dflt"
	overlay accesslog
	logdb "cn=log"
	dbnosync
	checkpoint 64 5

	# The fortress admin needs write access to the whole DIT
	access to dn.subtree="dc=example,dc=com"
	by dn.exact="cn=fortress-admin,dc=admin,dc=example,dc=com" write
	by * break

	# Accesslog is readable by replicator and fortress:
	access to dn.subtree="cn=log"
	by dn.exact="cn=replicator,dc=admin,dc=example,dc=com" read
	by dn.exact="cn=fortress-admin,dc=admin,dc=example,dc=com" read
	by * break

	# Allow anonymous ability to bind:
	access to dn.subtree="dc=example,dc=com" attrs=userPassword
	by anonymous auth
	by * break

	# For audit trail:
	# Allow users access to modify their own pw & fortress audit attrs.
	access to dn.subtree="dc=example,dc=com" attrs=userPassword,ftModifier,ftModCode,ftModId
	by self =wx
	by * none

	# Allow users compare access to a fortress perm op name:
	access to dn.subtree="dc=example,dc=com" attrs=ftOpNm
	by users compare

	#######################################################################
	# Audit Log Settings
	#######################################################################
	logops bind writes compare
	logoldattr ftModifier ftModCode ftModId ftRC ftRA ftARC ftARA ftCstr ftId ftPermName ftObjNm ftOpNm ftObjId ftGroups ftRoles ftUsers ftType
	logpurge 5+00:00 1+00:00

	#######################################################################
	# PW Policy Settings
	#######################################################################
	# Enable the Password Policy overlay to enforce password policies on this database.
	overlay ppolicy
	ppolicy_default "cn=PasswordPolicy,ou=Policies,dc=example,dc=com"
	ppolicy_use_lockout
	ppolicy_hash_cleartext

	#######################################################################
	# Monitor database
	#######################################################################
	database monitor