| # |
| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| # |
| # |
| # Fortress slapd.conf default settings. |
| |
# Schema definitions. Order matters: core first, the others build on it,
# and the Fortress/RBAC schema last since they reference standard types.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/fortress.schema
include /etc/ldap/schema/rbac.schema

# Daemon bookkeeping files.
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# Dynamically loaded backends and overlays used by the database sections.
modulepath /usr/lib/ldap
moduleload back_mdb.la
moduleload ppolicy.la
moduleload accesslog.la
moduleload dds.la
moduleload back_monitor.la

# Connection and operation policy.
# bind_anon rejects anonymous *bind* requests; it does not by itself stop
# unauthenticated operations, which are still governed by the ACLs below
# ("require authc" would).
disallow bind_anon
# 0 = idle connections are never closed by the server. A client that opens
# and abandons connections can hold them indefinitely; set a non-zero value
# if the listener is reachable by untrusted clients.
idletimeout 0
sizelimit 5000
timelimit 60
threads 4
# 32768 is "none": only messages logged at every level reach syslog, so
# nothing about binds or searches is logged here. Operational auditing in
# this setup relies on the accesslog overlay (cn=log) instead.
loglevel 32768
# On SIGHUP stop listening but finish serving open connections.
gentlehup on
# Keep roleOccupant values sorted for faster membership lookups.
sortvals roleOccupant
# NOTE(review): this file configures no TLS* directives and no "security"
# floor, so simple binds send userPassword in clear text unless TLS is set
# up elsewhere or slapd only listens on a local socket -- confirm.
| |
# ACLS:
# slapd evaluates "access to" directives in order and stops at the first
# "to" clause that matches the target; within it, the first matching "by"
# clause decides. If no "by" clause matches, access is denied. These live
# in the global section, so they apply to every database that does not
# settle access in its own section (cn=log below does).
access to dn.base=""
    by * read

# LDAPv3 Schema
access to dn.base="cn=subschema"
    by * read

# Internal OpenLDAP config backend
# Denies everything under cn=config to everyone. No "database config" is
# defined in this file, so this is defensive only.
access to dn.subtree="cn=config"
    by * none

# Monitor backend
# Any authenticated identity may read cn=monitor. The monitor backend
# exposes operational state (listeners, per-connection peer addresses and
# bound DNs, operation counters); if ordinary users should not see that,
# narrow "by users read" to the monitoring identity.
access to dn.subtree="cn=monitor"
    by dn.base="cn=Manager,dc=example,dc=com" write
    by users read

# Generic overall privilege
# "anonymous auth" is what lets an unauthenticated session perform the bind
# operation itself despite "disallow bind_anon". "break" passes every other
# request on to the attribute rules below instead of deciding it here.
access to *
    by anonymous auth
    by dn.base="cn=Manager,dc=example,dc=com" manage
    by * break

# Password should be protected, allow user to modify their own audit attributes.
# "=wx" grants exactly write + authenticate: the owner may change the value
# and bind against it, but cannot read it back. Everyone else is denied.
# NOTE(review): the ft* audit attributes are self-writable, so an account
# can overwrite the modifier metadata on its own entry; the prior values
# are retained by the accesslog overlay (logoldattr, below), which is the
# tamper-evident record.
access to attrs=userPassword,ftModifier,ftModCode,ftModId
    by self =wx
    by * none

# Self-readable password policy info
access to attrs=pwdFailureTime,pwdChangedTime,pwdGraceUseTime,pwdReset,pwdPolicySubentry
    by self read
    by * none

# Admin-only password policy info
# Hidden from everyone via LDAP; only the database rootdn (which bypasses
# ACLs on its own database) can see lockout state and password history.
access to attrs=pwdAccountLockedTime,pwdHistory
    by * none

# Users may read their own attributes
# Despite the comment, "by users read" grants every authenticated identity
# read access to these attributes on every entry, not just its own. If only
# self-access is intended, use "by self read"; as written this is what lets
# a non-root service account enumerate all inetOrgPerson data.
access to attrs=@inetorgperson
    by users read
    by * none

access to attrs=@shadowAccount
    by * none

# Catch-all: anything not matched above (RBAC roles, permissions, OUs,
# policy entries, ...) is readable by any authenticated user, nobody else.
access to * by users read

# Hash scheme applied when slapd itself stores a clear-text password
# (Password Modify extended op, and ppolicy_hash_cleartext below). {SSHA}
# is salted SHA-1; OpenLDAP also ships pw-pbkdf2 / pw-argon2 modules if a
# slower, purpose-built password hash is preferred.
password-hash {SSHA}
| |
#######################################################################
# History DB Settings
#######################################################################
# Target database for the accesslog overlay attached to dc=example,dc=com.
database mdb
maxreaders 64
maxsize 1000000000
suffix "cn=log"
rootdn "cn=Manager,cn=log"
# NOTE(review): default placeholder hash, identical to the one on the data
# database. Replace it at deployment (slappasswd) and keep this file
# readable only by the slapd user -- anyone who can read it can attack the
# hash offline.
rootpw "{SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU"
index objectClass,reqDN,reqAuthzID,reqStart,reqAttr eq
directory "/var/lib/ldap/hist"
# Database-local ACL: only the log rootdn can read or write audit records.
# Because "to *" matches every entry and an unmatched "by" list denies,
# the global ACLs are never consulted for cn=log.
access to *
    by dn.base="cn=Manager,cn=log" write
# dbnosync trades durability for speed: on a crash or power loss the audit
# records written since the last checkpoint (see "checkpoint" below) can
# be lost. Consider dropping it on the audit database.
dbnosync
checkpoint 64 5
| |
#######################################################################
# Default DB Settings
#######################################################################
database mdb
maxreaders 64
maxsize 1000000000
suffix "dc=example,dc=com"
# The rootdn bypasses every ACL on this database.
rootdn "cn=Manager,dc=example,dc=com"
# NOTE(review): same default placeholder hash as on cn=log; replace before
# deployment and protect this file's permissions.
rootpw "{SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU"

index uidNumber,gidNumber,objectclass eq
index cn,sn,ftObjNm,ftOpNm,ftRoleName,uid,ou eq,sub
index ftId,ftPermName,ftRoles,ftUsers,ftRA,ftARA eq

directory "/var/lib/ldap/dflt"
# Overlays attach to this database. accesslog records the operations
# listed under "Audit Log Settings" into cn=log.
overlay accesslog
logdb "cn=log"
# Same durability trade-off as on cn=log: unsynced writes can be lost on crash.
dbnosync
checkpoint 64 5

#######################################################################
# Audit Log Settings
#######################################################################
# Operations recorded: binds (with their result codes, which is what makes
# failed-login / brute-force detection possible), all writes, and compares.
logops bind writes compare
# Previous values of these Fortress attributes are stored with each modify,
# so overwritten audit metadata can be reconstructed from cn=log.
logoldattr ftModifier ftModCode ftModId ftRC ftRA ftARC ftARA ftCstr ftId ftPermName ftObjNm ftOpNm ftObjId ftGroups ftRoles ftUsers ftType
# Log entries older than 5 days are purged, checked once a day. That is a
# short forensic window; ship or archive cn=log elsewhere if investigations
# may need more history.
logpurge 5+00:00 1+00:00

#######################################################################
# PW Policy Settings
#######################################################################
# Enable the Password Policy overlay to enforce password policies on this database.
overlay ppolicy
# Policy applied to entries without their own pwdPolicySubentry. The entry
# named here must exist, otherwise no default policy is enforced.
ppolicy_default "cn=PasswordPolicy,ou=Policies,dc=example,dc=com"
# Return AccountLocked instead of InvalidCredentials when binding to a
# locked account. slapo-ppolicy(5) flags this as an information leak (it
# lets a client tell locked accounts from bad passwords); kept because
# clients need to distinguish the two cases -- confirm that is required.
ppolicy_use_lockout
# Hash clear-text userPassword values on add/modify with the global
# password-hash scheme, so a client that writes an unhashed password does
# not leave clear text in the database.
ppolicy_hash_cleartext
| |
#######################################################################
# Monitor database
#######################################################################
# Exposes cn=monitor. This section declares no ACLs of its own, so access
# is decided by the global "cn=monitor" rule: Manager write, any
# authenticated user read.
database monitor
| |