ldap/slapd.conf.src - directory-fortress-core - Git at Google

 #
 #   Licensed to the Apache Software Foundation (ASF) under one
 #   or more contributor license agreements.  See the NOTICE file
 #   distributed with this work for additional information
 #   regarding copyright ownership.  The ASF licenses this file
 #   to you under the Apache License, Version 2.0 (the
 #   "License"); you may not use this file except in compliance
 #   with the License.  You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 #   Unless required by applicable law or agreed to in writing,
 #   software distributed under the License is distributed on an
 #   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 #   KIND, either express or implied.  See the License for the
 #   specific language governing permissions and limitations
 #   under the License.
 #

 #
 # Fortress slapd.conf default settings.
 # Note: Directives that begin with '@' are substitution parms for Fortress' build.xml 'init-slapd' target.

 include		@SCHEMA_PATH@/core.schema
 include		@SCHEMA_PATH@/ppolicy.schema
 include		@SCHEMA_PATH@/cosine.schema
 include		@SCHEMA_PATH@/inetorgperson.schema
 include		@SCHEMA_PATH@/nis.schema
 include		@SCHEMA_PATH@/openldap.schema
 include		@SCHEMA_PATH@/fortress.schema
 @IS_RBAC_ACCELERATOR@include		@SCHEMA_PATH@/rbac.schema

 ### SSL Configuration
 @IS_SSL@TLSCACertificateFile @CA_CERT_FILEW@
 @IS_SSL@TLSCertificateFile @CERT_FILEW@
 @IS_SSL@TLSCertificateKeyFile @CERT_KEY_FILEW@

 disallow bind_anon
 idletimeout 0
 sizelimit 5000
 timelimit 60
 threads 8
 loglevel 32768
 gentlehup on
 sortvals  roleOccupant
 pidfile		@PID_PATH@/slapd.pid
 argsfile	@PID_PATH@/slapd.args
 modulepath	@SLAPD_MODULE_PATH@
 moduleload	@DB_MODULE_NM@
 moduleload	ppolicy.la
 moduleload  accesslog.la
 @RBAC_MODULE@
 @DDS_MODULE@
 @MONITOR_MODULE@

 # ACLS:
 access to dn.base=""
   by * read

 # LDAPv3 Schema
 access to dn.base="cn=subschema"
   by * read

 # Internal OpenLDAP config backend
 access to dn.subtree="cn=config"
   by * none

 # Monitor backend
 @IS_RBAC_ACCELERATOR@access to dn.subtree="cn=monitor"
 @IS_RBAC_ACCELERATOR@  by dn.base="@ROOT_DN@" write
 @IS_RBAC_ACCELERATOR@  by users read

 # Generic overall privilege
 access to *
   by anonymous auth
   by dn.base="@ROOT_DN@" manage
   by * break

 # Password should be protected, allow user to modify their own audit attributes.
 access to attrs=userPassword,ftModifier,ftModCode,ftModId
   by self =wx
   by * none

 # Self-readable password policy info
 access to attrs=pwdFailureTime,pwdChangedTime,pwdGraceUseTime,pwdReset,pwdPolicySubentry
   by self read
   by * none

 # Admin-only password policy info
 access to attrs=pwdAccountLockedTime,pwdHistory
   by * none

 # Users may read their own attributes
 access to attrs=@inetorgperson
   by users read
   by * none

 access to attrs=@shadowAccount
   by * none

 access to * by users read

 password-hash {SSHA}

 #######################################################################
 # History DB Settings
 #######################################################################
 database	 @DB_TYPE@
 @LOG_RDRS@
 @LOG_SIZE@
 suffix		"@LOG_SUFFIX@"
 rootdn      "@LOG_ROOT_DN@"
 rootpw      "@LOG_ROOT_PW@"
 index objectClass,reqDN,reqAuthzID,reqStart,reqAttr eq
 directory	"@HISTORY_DB_PATH@"
 access to *
     by dn.base="@LOG_ROOT_DN@" write
 @LOG_DBNOSYNCH@
 @LOG_CHECKPOINT@
 @LOG_BDB_CACHE_SIZE@

 #######################################################################
 # Default DB Settings
 #######################################################################
 database	@DB_TYPE@
 @DFLT_RDRS@
 @DFLT_SIZE@
 suffix		"@SUFFIX@"
 rootdn      "@ROOT_DN@"
 rootpw      "@ROOT_PW@"

 index uidNumber,gidNumber,objectclass eq
 index cn,sn,ftObjNm,ftOpNm,ftRoleName,uid,ou eq,sub
 index ftId,ftPermName,ftRoles,ftUsers,ftRA,ftARA eq

 directory	"@DEFAULT_DB_PATH@"
 overlay accesslog
 logdb   "@LOG_SUFFIX@"
 @DFLT_DBNOSYNCH@
 @DFLT_CHECKPOINT@
 @DFLT_BDB_CACHE_SIZE@
 @DFLT_BDB_CACHE_IDLE_SIZE@

 #######################################################################
 # Audit Log Settings
 #######################################################################
 @LOGOPS@
 logoldattr ftModifier ftModCode ftModId ftRC ftRA ftARC ftARA ftCstr ftId ftPermName ftObjNm ftOpNm ftObjId ftGroups ftRoles ftUsers ftType
 logpurge 5+00:00 1+00:00

 #######################################################################
 # PW Policy Settings
 #######################################################################
 # Enable the Password Policy overlay to enforce password policies on this database.
 overlay     ppolicy
 ppolicy_default "cn=PasswordPolicy,@POLICIES_DN@"
 ppolicy_use_lockout
 ppolicy_hash_cleartext

 #######################################################################
 # RBAC Session database
 #######################################################################
 @IS_RBAC_ACCELERATOR@database mdb
 @IS_RBAC_ACCELERATOR@suffix     "@SESSIONS_DN@"
 @IS_RBAC_ACCELERATOR@rootdn	    "cn=manager,@SESSIONS_DN@"
 @IS_RBAC_ACCELERATOR@rootpw	    @LOG_ROOT_PW@
 @IS_RBAC_ACCELERATOR@index  rbacSessid  eq
 @IS_RBAC_ACCELERATOR@directory  "@RBACSESS_DB_PATH@"
 @IS_RBAC_ACCELERATOR@overlay     dds
 @IS_RBAC_ACCELERATOR@dds-default-ttl 3600
 @IS_RBAC_ACCELERATOR@dds-max-dynamicObjects	100000
 @IS_RBAC_ACCELERATOR@@DFLT_DBNOSYNCH@
 @IS_RBAC_ACCELERATOR@@DFLT_CHECKPOINT@

 #######################################################################
 # RBAC audit database
 #######################################################################
 @IS_RBAC_ACCELERATOR@database	mdb
 @IS_RBAC_ACCELERATOR@suffix		"@AUDITS_DN@"
 @IS_RBAC_ACCELERATOR@rootdn		"cn=manager,@AUDITS_DN@"
 @IS_RBAC_ACCELERATOR@rootpw		@LOG_ROOT_PW@
 @IS_RBAC_ACCELERATOR@directory	"@AUDIT_DB_PATH@"
 @IS_RBAC_ACCELERATOR@@DFLT_DBNOSYNCH@
 @IS_RBAC_ACCELERATOR@@DFLT_CHECKPOINT@

 #######################################################################
 # RBAC database
 #######################################################################
 @IS_RBAC_ACCELERATOR@database	mdb
 @IS_RBAC_ACCELERATOR@suffix		"@RBAC_DN@"
 @IS_RBAC_ACCELERATOR@rootdn		"cn=manager,@RBAC_DN@"
 @IS_RBAC_ACCELERATOR@rootpw		@LOG_ROOT_PW@
 @IS_RBAC_ACCELERATOR@directory	"@RBACOVERLAY_DB_PATH@"
 @IS_RBAC_ACCELERATOR@overlay	rbac
 @IS_RBAC_ACCELERATOR@rbac-default-tenant-id "@SUFFIX_NAME@"
 @IS_RBAC_ACCELERATOR@rbac-default-users-base-dn "@USERS_DN@"
 @IS_RBAC_ACCELERATOR@rbac-default-roles-base-dn "@ROLES_DN@"
 @IS_RBAC_ACCELERATOR@rbac-default-permissions-base-dn "@PERMS_DN@"
 @IS_RBAC_ACCELERATOR@rbac-default-sessions-base-dn "@SESSIONS_DN@"
 @IS_RBAC_ACCELERATOR@rbac-default-audit-base-dn "@AUDITS_DN@"
 @IS_RBAC_ACCELERATOR@rbac-admin "@SUFFIX@"
 @IS_RBAC_ACCELERATOR@rbac-pwd "secret"
 @IS_RBAC_ACCELERATOR@rbac-session-admin "cn=manager,@SESSIONS_DN@"
 @IS_RBAC_ACCELERATOR@rbac-session-admin-pwd secret

 #######################################################################
 # Monitor database
 #######################################################################
 @IS_RBAC_ACCELERATOR@database monitor
	#
	# Licensed to the Apache Software Foundation (ASF) under one
	# or more contributor license agreements. See the NOTICE file
	# distributed with this work for additional information
	# regarding copyright ownership. The ASF licenses this file
	# to you under the Apache License, Version 2.0 (the
	# "License"); you may not use this file except in compliance
	# with the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing,
	# software distributed under the License is distributed on an
	# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	# KIND, either express or implied. See the License for the
	# specific language governing permissions and limitations
	# under the License.
	#

	#
	# Fortress slapd.conf default settings.
	# Note: Directives that begin with '@' are substitution parms for Fortress' build.xml 'init-slapd' target.

	include @SCHEMA_PATH@/core.schema
	include @SCHEMA_PATH@/ppolicy.schema
	include @SCHEMA_PATH@/cosine.schema
	include @SCHEMA_PATH@/inetorgperson.schema
	include @SCHEMA_PATH@/nis.schema
	include @SCHEMA_PATH@/openldap.schema
	include @SCHEMA_PATH@/fortress.schema
	@IS_RBAC_ACCELERATOR@include @SCHEMA_PATH@/rbac.schema

	### SSL Configuration
	@IS_SSL@TLSCACertificateFile @CA_CERT_FILEW@
	@IS_SSL@TLSCertificateFile @CERT_FILEW@
	@IS_SSL@TLSCertificateKeyFile @CERT_KEY_FILEW@

	disallow bind_anon
	idletimeout 0
	sizelimit 5000
	timelimit 60
	threads 8
	loglevel 32768
	gentlehup on
	sortvals roleOccupant
	pidfile @PID_PATH@/slapd.pid
	argsfile @PID_PATH@/slapd.args
	modulepath @SLAPD_MODULE_PATH@
	moduleload @DB_MODULE_NM@
	moduleload ppolicy.la
	moduleload accesslog.la
	@RBAC_MODULE@
	@DDS_MODULE@
	@MONITOR_MODULE@

	# ACLS:
	access to dn.base=""
	by * read

	# LDAPv3 Schema
	access to dn.base="cn=subschema"
	by * read

	# Internal OpenLDAP config backend
	access to dn.subtree="cn=config"
	by * none

	# Monitor backend
	@IS_RBAC_ACCELERATOR@access to dn.subtree="cn=monitor"
	@IS_RBAC_ACCELERATOR@ by dn.base="@ROOT_DN@" write
	@IS_RBAC_ACCELERATOR@ by users read

	# Generic overall privilege
	access to *
	by anonymous auth
	by dn.base="@ROOT_DN@" manage
	by * break

	# Password should be protected, allow user to modify their own audit attributes.
	access to attrs=userPassword,ftModifier,ftModCode,ftModId
	by self =wx
	by * none

	# Self-readable password policy info
	access to attrs=pwdFailureTime,pwdChangedTime,pwdGraceUseTime,pwdReset,pwdPolicySubentry
	by self read
	by * none

	# Admin-only password policy info
	access to attrs=pwdAccountLockedTime,pwdHistory
	by * none

	# Users may read their own attributes
	access to attrs=@inetorgperson
	by users read
	by * none

	access to attrs=@shadowAccount
	by * none

	access to * by users read

	password-hash {SSHA}

	#######################################################################
	# History DB Settings
	#######################################################################
	database @DB_TYPE@
	@LOG_RDRS@
	@LOG_SIZE@
	suffix "@LOG_SUFFIX@"
	rootdn "@LOG_ROOT_DN@"
	rootpw "@LOG_ROOT_PW@"
	index objectClass,reqDN,reqAuthzID,reqStart,reqAttr eq
	directory "@HISTORY_DB_PATH@"
	access to *
	by dn.base="@LOG_ROOT_DN@" write
	@LOG_DBNOSYNCH@
	@LOG_CHECKPOINT@
	@LOG_BDB_CACHE_SIZE@

	#######################################################################
	# Default DB Settings
	#######################################################################
	database @DB_TYPE@
	@DFLT_RDRS@
	@DFLT_SIZE@
	suffix "@SUFFIX@"
	rootdn "@ROOT_DN@"
	rootpw "@ROOT_PW@"

	index uidNumber,gidNumber,objectclass eq
	index cn,sn,ftObjNm,ftOpNm,ftRoleName,uid,ou eq,sub
	index ftId,ftPermName,ftRoles,ftUsers,ftRA,ftARA eq

	directory "@DEFAULT_DB_PATH@"
	overlay accesslog
	logdb "@LOG_SUFFIX@"
	@DFLT_DBNOSYNCH@
	@DFLT_CHECKPOINT@
	@DFLT_BDB_CACHE_SIZE@
	@DFLT_BDB_CACHE_IDLE_SIZE@

	#######################################################################
	# Audit Log Settings
	#######################################################################
	@LOGOPS@
	logoldattr ftModifier ftModCode ftModId ftRC ftRA ftARC ftARA ftCstr ftId ftPermName ftObjNm ftOpNm ftObjId ftGroups ftRoles ftUsers ftType
	logpurge 5+00:00 1+00:00

	#######################################################################
	# PW Policy Settings
	#######################################################################
	# Enable the Password Policy overlay to enforce password policies on this database.
	overlay ppolicy
	ppolicy_default "cn=PasswordPolicy,@POLICIES_DN@"
	ppolicy_use_lockout
	ppolicy_hash_cleartext

	#######################################################################
	# RBAC Session database
	#######################################################################
	@IS_RBAC_ACCELERATOR@database mdb
	@IS_RBAC_ACCELERATOR@suffix "@SESSIONS_DN@"
	@IS_RBAC_ACCELERATOR@rootdn "cn=manager,@SESSIONS_DN@"
	@IS_RBAC_ACCELERATOR@rootpw @LOG_ROOT_PW@
	@IS_RBAC_ACCELERATOR@index rbacSessid eq
	@IS_RBAC_ACCELERATOR@directory "@RBACSESS_DB_PATH@"
	@IS_RBAC_ACCELERATOR@overlay dds
	@IS_RBAC_ACCELERATOR@dds-default-ttl 3600
	@IS_RBAC_ACCELERATOR@dds-max-dynamicObjects 100000
	@IS_RBAC_ACCELERATOR@@DFLT_DBNOSYNCH@
	@IS_RBAC_ACCELERATOR@@DFLT_CHECKPOINT@

	#######################################################################
	# RBAC audit database
	#######################################################################
	@IS_RBAC_ACCELERATOR@database mdb
	@IS_RBAC_ACCELERATOR@suffix "@AUDITS_DN@"
	@IS_RBAC_ACCELERATOR@rootdn "cn=manager,@AUDITS_DN@"
	@IS_RBAC_ACCELERATOR@rootpw @LOG_ROOT_PW@
	@IS_RBAC_ACCELERATOR@directory "@AUDIT_DB_PATH@"
	@IS_RBAC_ACCELERATOR@@DFLT_DBNOSYNCH@
	@IS_RBAC_ACCELERATOR@@DFLT_CHECKPOINT@

	#######################################################################
	# RBAC database
	#######################################################################
	@IS_RBAC_ACCELERATOR@database mdb
	@IS_RBAC_ACCELERATOR@suffix "@RBAC_DN@"
	@IS_RBAC_ACCELERATOR@rootdn "cn=manager,@RBAC_DN@"
	@IS_RBAC_ACCELERATOR@rootpw @LOG_ROOT_PW@
	@IS_RBAC_ACCELERATOR@directory "@RBACOVERLAY_DB_PATH@"
	@IS_RBAC_ACCELERATOR@overlay rbac
	@IS_RBAC_ACCELERATOR@rbac-default-tenant-id "@SUFFIX_NAME@"
	@IS_RBAC_ACCELERATOR@rbac-default-users-base-dn "@USERS_DN@"
	@IS_RBAC_ACCELERATOR@rbac-default-roles-base-dn "@ROLES_DN@"
	@IS_RBAC_ACCELERATOR@rbac-default-permissions-base-dn "@PERMS_DN@"
	@IS_RBAC_ACCELERATOR@rbac-default-sessions-base-dn "@SESSIONS_DN@"
	@IS_RBAC_ACCELERATOR@rbac-default-audit-base-dn "@AUDITS_DN@"
	@IS_RBAC_ACCELERATOR@rbac-admin "@SUFFIX@"
	@IS_RBAC_ACCELERATOR@rbac-pwd "secret"
	@IS_RBAC_ACCELERATOR@rbac-session-admin "cn=manager,@SESSIONS_DN@"
	@IS_RBAC_ACCELERATOR@rbac-session-admin-pwd secret

	#######################################################################
	# Monitor database
	#######################################################################
	@IS_RBAC_ACCELERATOR@database monitor