| # |
| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| # |
| # |
| # Apache Fortress OpenLDAP slapd.conf default settings. |
| # Note: Directives that begin with '@' are substitution parms that get automatically replaced. |
| |
| include @SCHEMA_PATH@/core.schema |
| include @SCHEMA_PATH@/ppolicy.schema |
| include @SCHEMA_PATH@/cosine.schema |
| include @SCHEMA_PATH@/inetorgperson.schema |
| include @SCHEMA_PATH@/rfc2307bis.schema |
| include @SCHEMA_PATH@/openldap.schema |
| include @SCHEMA_PATH@/fortress.schema |
| @IS_RBAC_ACCELERATOR@include @SCHEMA_PATH@/rbac.schema |
| |
| ### SSL Configuration |
| @IS_SSL@TLSCACertificateFile @CA_CERT_FILEW@ |
| @IS_SSL@TLSCertificateFile @CERT_FILEW@ |
| @IS_SSL@TLSCertificateKeyFile @CERT_KEY_FILEW@ |
| |
| disallow bind_anon |
| idletimeout 0 |
| sizelimit 5000 |
| timelimit 60 |
| threads 8 |
| loglevel 32768 |
| gentlehup on |
| sortvals roleOccupant |
| pidfile @PID_PATH@/slapd.pid |
| argsfile @PID_PATH@/slapd.args |
| modulepath @SLAPD_MODULE_PATH@ |
| moduleload @DB_MODULE_NM@ |
| moduleload ppolicy.la |
| moduleload accesslog.la |
| @RBAC_MODULE@ |
| @DDS_MODULE@ |
| @MONITOR_MODULE@ |
| |
| # Global ACLS: |
| # RootDSE is always readable |
| access to dn.base="" by * read |
| |
| # For tooling: |
| access to dn.base="cn=subschema" |
| by * read |
| |
| password-hash {SSHA} |
| |
| ####################################################################### |
| # Access Log DB Settings |
| ####################################################################### |
| database @DB_TYPE@ |
| @LOG_RDRS@ |
| @LOG_SIZE@ |
| suffix "@LOG_SUFFIX@" |
| rootdn "@LOG_ROOT_DN@" |
| rootpw "@LOG_ROOT_PW@" |
| index objectClass,reqDN,reqAuthzID,reqStart,reqAttr eq |
| directory "@HISTORY_DB_PATH@" |
| access to * |
| by dn.base="@LOG_ROOT_DN@" write |
| @LOG_DBNOSYNCH@ |
| @LOG_CHECKPOINT@ |
| @LOG_BDB_CACHE_SIZE@ |
| |
| # Accesslog is readable by replicator and fortress: |
| access to dn.subtree="@LOG_SUFFIX@" |
| by dn.exact="cn=replicator,dc=admin,@SUFFIX@" read |
| by dn.exact="cn=fortress-admin,dc=admin,@SUFFIX@" read |
| by * break |
| |
| ####################################################################### |
| # Default DB Settings |
| ####################################################################### |
| database @DB_TYPE@ |
| @DFLT_RDRS@ |
| @DFLT_SIZE@ |
| suffix "@SUFFIX@" |
| rootdn "@ROOT_DN@" |
| rootpw "@ROOT_PW@" |
| |
| index uidNumber,gidNumber,objectclass eq |
| index cn,sn,ftObjNm,ftOpNm,ftRoleName,uid,ou eq,sub |
| index ftId,ftPermName,ftRoles,ftUsers,ftRA,ftARA eq |
| index roleOccupant eq |
| |
| directory "@DEFAULT_DB_PATH@" |
| overlay accesslog |
| logdb "@LOG_SUFFIX@" |
| @DFLT_DBNOSYNCH@ |
| @DFLT_CHECKPOINT@ |
| @DFLT_BDB_CACHE_SIZE@ |
| @DFLT_BDB_CACHE_IDLE_SIZE@ |
| |
| # The fortress admin needs write access to the whole DIT |
| access to dn.subtree="@SUFFIX@" |
| by dn.exact="cn=fortress-admin,dc=admin,@SUFFIX@" write |
| by * break |
| |
| # Accesslog is readable by replicator and fortress: |
| access to dn.subtree="@LOG_SUFFIX@" |
| by dn.exact="cn=replicator,dc=admin,@SUFFIX@" read |
| by dn.exact="cn=fortress-admin,dc=admin,@SUFFIX@" read |
| by * break |
| |
| # Allow anonymous ability to bind: |
| access to dn.subtree="@SUFFIX@" attrs=userPassword |
| by anonymous auth |
| by * break |
| |
| # For audit trail: |
| # Allow users access to modify their own pw & fortress audit attrs. |
| access to dn.subtree="@SUFFIX@" attrs=userPassword,ftModifier,ftModCode,ftModId |
| by self =wx |
| by * none |
| |
| # Allow users compare access to a fortress perm op name: |
| access to dn.subtree="@SUFFIX@" attrs=ftOpNm |
| by users compare |
| |
| ####################################################################### |
| # More Audit Log Settings |
| ####################################################################### |
| @LOGOPS@ |
| logoldattr ftModifier ftModCode ftModId ftRC ftRA ftARC ftARA ftCstr ftId ftPermName ftObjNm ftOpNm ftObjId ftGroups ftRoles ftUsers ftType |
| logpurge 5+00:00 1+00:00 |
| |
| ####################################################################### |
| # PW Policy Settings |
| ####################################################################### |
| # Enable the Password Policy overlay to enforce password policies on this database. |
| overlay ppolicy |
| ppolicy_default "cn=PasswordPolicy,@POLICIES_DN@" |
| ppolicy_use_lockout |
| ppolicy_hash_cleartext |
| |
| ####################################################################### |
| # RBAC Session database |
| ####################################################################### |
| @IS_RBAC_ACCELERATOR@database mdb |
| @IS_RBAC_ACCELERATOR@suffix "@SESSIONS_DN@" |
| @IS_RBAC_ACCELERATOR@rootdn "cn=manager,@SESSIONS_DN@" |
| @IS_RBAC_ACCELERATOR@rootpw @LOG_ROOT_PW@ |
| @IS_RBAC_ACCELERATOR@index rbacSessid eq |
| @IS_RBAC_ACCELERATOR@directory "@RBACSESS_DB_PATH@" |
| @IS_RBAC_ACCELERATOR@overlay dds |
| @IS_RBAC_ACCELERATOR@dds-default-ttl 3600 |
| @IS_RBAC_ACCELERATOR@dds-max-dynamicObjects 100000 |
| @IS_RBAC_ACCELERATOR@@DFLT_DBNOSYNCH@ |
| @IS_RBAC_ACCELERATOR@@DFLT_CHECKPOINT@ |
| |
| ####################################################################### |
| # RBAC audit database |
| ####################################################################### |
| @IS_RBAC_ACCELERATOR@database mdb |
| @IS_RBAC_ACCELERATOR@suffix "@AUDITS_DN@" |
| @IS_RBAC_ACCELERATOR@rootdn "cn=manager,@AUDITS_DN@" |
| @IS_RBAC_ACCELERATOR@rootpw @LOG_ROOT_PW@ |
| @IS_RBAC_ACCELERATOR@directory "@AUDIT_DB_PATH@" |
| @IS_RBAC_ACCELERATOR@@DFLT_DBNOSYNCH@ |
| @IS_RBAC_ACCELERATOR@@DFLT_CHECKPOINT@ |
| |
| ####################################################################### |
| # RBAC database |
| ####################################################################### |
| @IS_RBAC_ACCELERATOR@database mdb |
| @IS_RBAC_ACCELERATOR@suffix "@RBAC_DN@" |
| @IS_RBAC_ACCELERATOR@rootdn "cn=manager,@RBAC_DN@" |
| @IS_RBAC_ACCELERATOR@rootpw @LOG_ROOT_PW@ |
| @IS_RBAC_ACCELERATOR@directory "@RBACOVERLAY_DB_PATH@" |
| @IS_RBAC_ACCELERATOR@overlay rbac |
| @IS_RBAC_ACCELERATOR@rbac-default-tenant-id "@SUFFIX_NAME@" |
| @IS_RBAC_ACCELERATOR@rbac-default-users-base-dn "@USERS_DN@" |
| @IS_RBAC_ACCELERATOR@rbac-default-roles-base-dn "@ROLES_DN@" |
| @IS_RBAC_ACCELERATOR@rbac-default-permissions-base-dn "@PERMS_DN@" |
| @IS_RBAC_ACCELERATOR@rbac-default-sessions-base-dn "@SESSIONS_DN@" |
| @IS_RBAC_ACCELERATOR@rbac-default-audit-base-dn "@AUDITS_DN@" |
| @IS_RBAC_ACCELERATOR@rbac-admin "@SUFFIX@" |
| @IS_RBAC_ACCELERATOR@rbac-pwd "secret" |
| @IS_RBAC_ACCELERATOR@rbac-session-admin "cn=manager,@SESSIONS_DN@" |
| @IS_RBAC_ACCELERATOR@rbac-session-admin-pwd secret |
| |
| ####################################################################### |
| # Monitor database |
| ####################################################################### |
| @IS_RBAC_ACCELERATOR@database monitor |