slapd.properties.example - directory-fortress-core - Git at Google

 #
 #   Licensed to the Apache Software Foundation (ASF) under one
 #   or more contributor license agreements.  See the NOTICE file
 #   distributed with this work for additional information
 #   regarding copyright ownership.  The ASF licenses this file
 #   to you under the Apache License, Version 2.0 (the
 #   "License"); you may not use this file except in compliance
 #   with the License.  You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 #   Unless required by applicable law or agreed to in writing,
 #   software distributed under the License is distributed on an
 #   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 #   KIND, either express or implied.  See the License for the
 #   specific language governing permissions and limitations
 #   under the License.
 #
 #
 ########################################################################
 # 0. About the fortress slapd.properties file
 ########################################################################

 # Use this property file to override environment settings when you are using openldap directory server.
 # These parameters are bound for the following locations by the Fortress during the init targets within the build.xml ant management utility:
 # a. fortress.properties - Fortress' configuration file tells fortress runtime how to connect to remote resources
 # b. refreshLDAPData.xml - Used by fortress to initialize and base load the LDAP DIT data structures.  Fortress also stores runtime params inside 'ou=Config' container on remote server.
 # c. slapd.conf - Configure the runtime OpenLDAP server (slapd) to use fortress, if applicable.

 # The ant property subsystem is fed using three files:
 # i.   user.properties  - optional, when found, located in user's home directory.  Properties found here take precedence over those following.
 # ii.  slapd.properties - optional, when found, located in root folder of the package.  These props override those found in the build.properties file.
 # iii. build.properties - this file is required and must be located in the root folder of the package.
 # More info on the fortress configuration subsystem in the README-CONFIG.

 ########################################################################
 # 1. OVERRIDE WITH OPENLDAP SPECIFIC COORDINATES:
 ####################################################################################
 ldap.server.type=openldap
 ldap.host=localhost
 ldap.port=389
 suffix.name=example
 suffix.dc=com
 suffix=dc=${suffix.name},dc=${suffix.dc}

 # A value of 'false' disables storing user membership on role object, default is 'true':
 #role.occupants=false

 #For a multi-level suffix, e.g. dc=foo, dc=example, dc=com.
 #suffix.name=foo
 #suffix.dc=example
 #suffix.dc2=com
 #suffix=dc=${suffix.name},dc=${suffix.dc},dc=${suffix.dc2}

 root.dn=cn=Manager,${suffix}
 # Used to load OpenLDAP admin root password in slapd.conf and was encrypted using 'slappasswd' command:
 #root.pw={SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU
 cfg.root.pw=secret

 # This specifies the number of default LDAP connections to maintain in the pool:
 admin.min.conn=1
 admin.max.conn=10
 # This speicifes the number of user LDAP connections (used for user authentication operations only) to maintain in the pool:
 # User Pool:
 user.min.conn=1
 user.max.conn=10

 # Used for slapd logger connection pool.  Leave zeros when using apacheds:
 min.log.conn=1
 max.log.conn=3

 #These are passwords used for LDAP audit log service accounts:
 # Audit Pool:
 log.admin.user=cn=Manager,${log.suffix}
 log.admin.pw=secret

 # Use if ldap.server.type=openldap.  (Default is false):
 disable.audit=false
 audits.dn=cn=log

 ########################################################################
 # 2. BEGIN OPENLDAP SERVER CONFIGURATION SECTION: (Ignore if using HTTP or ApacheDS):
 ####################################################################################

 # This OpenLDAP slapd logger password is bound for slapd.conf and was encrypted using 'slappasswd' command:
 log.root.pw={SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU

 # More Audit Config:
 log.suffix=cn=log
 log.ops=logops bind writes compare

 #ldap.uris=ldap://${ldap.host}:${ldap.port}

 # These are needed for client SSL connections with LDAP Server:
 #enable.ldap.ssl=true
 # The LDAP hostname must match the common name in the server certificate:
 #ldap.host=fortressdemo2.com
 # 636 is default LDAPS on OpenLDAP:
 #ldap.port=636
 # If you need the ldap api to spit out more info on ssl connections:
 #enable.ldap.ssl.debug=true
 #trust.store.password=changeit
 # Will pick up the truststore from the classpath if set to true  which is the default.
 #trust.store.onclasspath=true
 #trust.store=mytruststore
 # Otherwise, file must be specified a fully qualified filename:
 #trust.store.onclasspath=false
 #trust.store=/fully/qualified/path/to/mytruststore

 # These are needed for OpenLDAP startup script to enable SSL configuration:
 #ldap.uris=ldap://${ldap.host}:389 ldaps://${ldap.host}:${ldap.port}
 # These are needed for slapd server-side SSL configuration:
 #tls.ca.cert.file=ca-cert.pem
 #tls.cert.file=server-cert.pem
 #tls.key.file=server-key.pem

 ########################################################################
 # 3. BEGIN HTTP CLIENT CONFIGURATION SECTION (Ignore if using LDAPv3):
 ########################################################################

 # The following optional HTTP parameters are needed when Fortress core client-side communicates though fortress-rest HTTP proxy (rather than LDAP) server:
 # Thr nav URL to fortress-rest impl: uri = httpProtocol + "://" + httpHost + ":" + httpPort + "/" + "fortress-rest-" + version; + "/";:
 # version is set as system property, i.e. -Dversion=2.0.2
 # Setting the enable.mgr.impl.rest to 'true' sets Fortress instance to use HTTP services rather than LDAPv3 protocol. Default value is 'false':
 # Use interface over REST/HTTP?  Default is false (use LDAPv3)
 #enable.mgr.impl.rest=true

 # This user account is added automatically during deployment of fortress-rest via -Dload.file=./src/main/resources/FortressRestServerPolicy.xml:
 #http.user=demouser4
 #http.pw=password
 #http.host=localhost
 #http.port=8080
 #http.protocol=http
 # For TLs connections:
 #http.port=8443
 #http.protocol=https

 ########################################################################
 # 4. RFC2307 OBJECT CLASS DEFINITIONS
 ########################################################################
 # Boolean value. If true, requires rfc2307bis schema because posixUser and posixGroup must be auxiliary object classes to work with ftRls which is structural..
 rfc2307=false

 ########################################################################
 # 5. BEGIN OPENLDAP SERVER INSTALLATION SETUP: (Ignore if not calling the 'init-slapd' target to automatically install Symas OpenLDAP packages:
 ####################################################################################

 # OpenLDAP MDB Backend config is default setting for Fortress::
 db.type=mdb
 dflt.rdrs=maxreaders 64
 dflt.size=maxsize 1000000000
 log.rdrs=maxreaders 64
 log.size=maxsize 1000000000
 dflt.bdb.cache.size=
 dflt.bdb.cache.idle.size=
 log.bdb.cache.size=

 # These next params used by 'init-slapd' target to install OpenLDAP to target machine.  Do not change any params below this line unless you know what you are doing:

 ## Symas OpenLDAP on NIX section:
 openldap.install.artifact.dir=./ldap
 db.root=/var/openldap
 openldap.root=/opt/symas
 slapd.dir=${openldap.root}/etc/openldap
 # to start:
 pid.dir=/var/openldap
 db.dir=${db.root}/dflt
 db.hist.dir=${db.root}/hist
 db.bak.dir=${db.root}/backup/dflt
 db.bak.hist.dir=${db.root}/backup/hist

 # unless you know what you're doing, take the default:
 log.dbnosynch=dbnosync
 dflt.dbnosynch=dbnosync
 log.checkpoint=checkpoint   64 5
 dflt.checkpoint=checkpoint    64 5

 # Each of the options are used for a particular Symas-OpenLDAP platform.Debian 64-bit Silver:

 #Debian 64-bit Silver:
 #platform=Debian-Silver-x86-64
 #slapd.install=dpkg -i symas-openldap-silver.64_2.4.43-20151204_amd64.deb
 #slapd.uninstall=dpkg -r symas-openldap-silver
 #install.image.dir=/home/smckinn/archives/debian64
 #slapd.module.dir=${openldap.root}/lib64/openldap
 #slapd.start=${openldap.root}/lib64/slapd -h ldap://${ldap.host}:${ldap.port} -f ${openldap.root}/etc/openldap/slapd.conf -F ${openldap.root}/etc/openldap

 # Redhat 64-bit Silver:
 platform=Redhat-Silver-x86-64
 slapd.install=rpm -i symas-openldap-silver.x86_64-2.4.43-1.rpm
 slapd.uninstall=rpm -e symas-openldap-silver
 slapd.module.dir=${openldap.root}/lib64/openldap
 # use the symas openldap startup script:
 slapd.start=${openldap.root}/etc/solserver start -f ${openldap.root}/etc/openldap/slapd.conf -F ${openldap.root}/etc/openldap
 #slapd.start=${openldap.root}/lib64/slapd -h ldap://${ldap.host}:${ldap.port} -f ${openldap.root}/etc/openldap/slapd.conf -F ${openldap.root}/etc/openldap

 ########################################################################
 # 6. RBAC ACCELERATOR OVERLAY PROPS
 ########################################################################

 rbac.accelerator=false
 rbac.module=moduleload slapo-rbac.la
 dds.module=moduleload  dds.la
 monitor.module=moduleload  back_monitor.la
 rbac.dn=dc=rbac
 sessions.dn=cn=rbac
 audit.dn=cn=audit
 db.sess.dir=${db.root}/rbacsess
 db.audit.dir=${db.root}/rbacaudit
 db.rbac.dir=${db.root}/rbacoverlay
 db.bak.audit.dir=${db.root}/backup/rbacaudit
 db.bak.sess.dir=${db.root}/backup/rbacsess
	#
	# Licensed to the Apache Software Foundation (ASF) under one
	# or more contributor license agreements. See the NOTICE file
	# distributed with this work for additional information
	# regarding copyright ownership. The ASF licenses this file
	# to you under the Apache License, Version 2.0 (the
	# "License"); you may not use this file except in compliance
	# with the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing,
	# software distributed under the License is distributed on an
	# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	# KIND, either express or implied. See the License for the
	# specific language governing permissions and limitations
	# under the License.
	#
	#
	########################################################################
	# 0. About the fortress slapd.properties file
	########################################################################

	# Use this property file to override environment settings when you are using openldap directory server.
	# These parameters are bound for the following locations by the Fortress during the init targets within the build.xml ant management utility:
	# a. fortress.properties - Fortress' configuration file tells fortress runtime how to connect to remote resources
	# b. refreshLDAPData.xml - Used by fortress to initialize and base load the LDAP DIT data structures. Fortress also stores runtime params inside 'ou=Config' container on remote server.
	# c. slapd.conf - Configure the runtime OpenLDAP server (slapd) to use fortress, if applicable.

	# The ant property subsystem is fed using three files:
	# i. user.properties - optional, when found, located in user's home directory. Properties found here take precedence over those following.
	# ii. slapd.properties - optional, when found, located in root folder of the package. These props override those found in the build.properties file.
	# iii. build.properties - this file is required and must be located in the root folder of the package.
	# More info on the fortress configuration subsystem in the README-CONFIG.

	########################################################################
	# 1. OVERRIDE WITH OPENLDAP SPECIFIC COORDINATES:
	####################################################################################
	ldap.server.type=openldap
	ldap.host=localhost
	ldap.port=389
	suffix.name=example
	suffix.dc=com
	suffix=dc=${suffix.name},dc=${suffix.dc}

	# A value of 'false' disables storing user membership on role object, default is 'true':
	#role.occupants=false

	#For a multi-level suffix, e.g. dc=foo, dc=example, dc=com.
	#suffix.name=foo
	#suffix.dc=example
	#suffix.dc2=com
	#suffix=dc=${suffix.name},dc=${suffix.dc},dc=${suffix.dc2}

	root.dn=cn=Manager,${suffix}
	# Used to load OpenLDAP admin root password in slapd.conf and was encrypted using 'slappasswd' command:
	#root.pw={SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU
	cfg.root.pw=secret

	# This specifies the number of default LDAP connections to maintain in the pool:
	admin.min.conn=1
	admin.max.conn=10
	# This speicifes the number of user LDAP connections (used for user authentication operations only) to maintain in the pool:
	# User Pool:
	user.min.conn=1
	user.max.conn=10

	# Used for slapd logger connection pool. Leave zeros when using apacheds:
	min.log.conn=1
	max.log.conn=3

	#These are passwords used for LDAP audit log service accounts:
	# Audit Pool:
	log.admin.user=cn=Manager,${log.suffix}
	log.admin.pw=secret

	# Use if ldap.server.type=openldap. (Default is false):
	disable.audit=false
	audits.dn=cn=log

	########################################################################
	# 2. BEGIN OPENLDAP SERVER CONFIGURATION SECTION: (Ignore if using HTTP or ApacheDS):
	####################################################################################

	# This OpenLDAP slapd logger password is bound for slapd.conf and was encrypted using 'slappasswd' command:
	log.root.pw={SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU

	# More Audit Config:
	log.suffix=cn=log
	log.ops=logops bind writes compare

	#ldap.uris=ldap://${ldap.host}:${ldap.port}

	# These are needed for client SSL connections with LDAP Server:
	#enable.ldap.ssl=true
	# The LDAP hostname must match the common name in the server certificate:
	#ldap.host=fortressdemo2.com
	# 636 is default LDAPS on OpenLDAP:
	#ldap.port=636
	# If you need the ldap api to spit out more info on ssl connections:
	#enable.ldap.ssl.debug=true
	#trust.store.password=changeit
	# Will pick up the truststore from the classpath if set to true which is the default.
	#trust.store.onclasspath=true
	#trust.store=mytruststore
	# Otherwise, file must be specified a fully qualified filename:
	#trust.store.onclasspath=false
	#trust.store=/fully/qualified/path/to/mytruststore

	# These are needed for OpenLDAP startup script to enable SSL configuration:
	#ldap.uris=ldap://${ldap.host}:389 ldaps://${ldap.host}:${ldap.port}
	# These are needed for slapd server-side SSL configuration:
	#tls.ca.cert.file=ca-cert.pem
	#tls.cert.file=server-cert.pem
	#tls.key.file=server-key.pem

	########################################################################
	# 3. BEGIN HTTP CLIENT CONFIGURATION SECTION (Ignore if using LDAPv3):
	########################################################################

	# The following optional HTTP parameters are needed when Fortress core client-side communicates though fortress-rest HTTP proxy (rather than LDAP) server:
	# Thr nav URL to fortress-rest impl: uri = httpProtocol + "://" + httpHost + ":" + httpPort + "/" + "fortress-rest-" + version; + "/";:
	# version is set as system property, i.e. -Dversion=2.0.2
	# Setting the enable.mgr.impl.rest to 'true' sets Fortress instance to use HTTP services rather than LDAPv3 protocol. Default value is 'false':
	# Use interface over REST/HTTP? Default is false (use LDAPv3)
	#enable.mgr.impl.rest=true

	# This user account is added automatically during deployment of fortress-rest via -Dload.file=./src/main/resources/FortressRestServerPolicy.xml:
	#http.user=demouser4
	#http.pw=password
	#http.host=localhost
	#http.port=8080
	#http.protocol=http
	# For TLs connections:
	#http.port=8443
	#http.protocol=https

	########################################################################
	# 4. RFC2307 OBJECT CLASS DEFINITIONS
	########################################################################
	# Boolean value. If true, requires rfc2307bis schema because posixUser and posixGroup must be auxiliary object classes to work with ftRls which is structural..
	rfc2307=false

	########################################################################
	# 5. BEGIN OPENLDAP SERVER INSTALLATION SETUP: (Ignore if not calling the 'init-slapd' target to automatically install Symas OpenLDAP packages:
	####################################################################################

	# OpenLDAP MDB Backend config is default setting for Fortress::
	db.type=mdb
	dflt.rdrs=maxreaders 64
	dflt.size=maxsize 1000000000
	log.rdrs=maxreaders 64
	log.size=maxsize 1000000000
	dflt.bdb.cache.size=
	dflt.bdb.cache.idle.size=
	log.bdb.cache.size=

	# These next params used by 'init-slapd' target to install OpenLDAP to target machine. Do not change any params below this line unless you know what you are doing:

	## Symas OpenLDAP on NIX section:
	openldap.install.artifact.dir=./ldap
	db.root=/var/openldap
	openldap.root=/opt/symas
	slapd.dir=${openldap.root}/etc/openldap
	# to start:
	pid.dir=/var/openldap
	db.dir=${db.root}/dflt
	db.hist.dir=${db.root}/hist
	db.bak.dir=${db.root}/backup/dflt
	db.bak.hist.dir=${db.root}/backup/hist

	# unless you know what you're doing, take the default:
	log.dbnosynch=dbnosync
	dflt.dbnosynch=dbnosync
	log.checkpoint=checkpoint 64 5
	dflt.checkpoint=checkpoint 64 5

	# Each of the options are used for a particular Symas-OpenLDAP platform.Debian 64-bit Silver:

	#Debian 64-bit Silver:
	#platform=Debian-Silver-x86-64
	#slapd.install=dpkg -i symas-openldap-silver.64_2.4.43-20151204_amd64.deb
	#slapd.uninstall=dpkg -r symas-openldap-silver
	#install.image.dir=/home/smckinn/archives/debian64
	#slapd.module.dir=${openldap.root}/lib64/openldap
	#slapd.start=${openldap.root}/lib64/slapd -h ldap://${ldap.host}:${ldap.port} -f ${openldap.root}/etc/openldap/slapd.conf -F ${openldap.root}/etc/openldap

	# Redhat 64-bit Silver:
	platform=Redhat-Silver-x86-64
	slapd.install=rpm -i symas-openldap-silver.x86_64-2.4.43-1.rpm
	slapd.uninstall=rpm -e symas-openldap-silver
	slapd.module.dir=${openldap.root}/lib64/openldap
	# use the symas openldap startup script:
	slapd.start=${openldap.root}/etc/solserver start -f ${openldap.root}/etc/openldap/slapd.conf -F ${openldap.root}/etc/openldap
	#slapd.start=${openldap.root}/lib64/slapd -h ldap://${ldap.host}:${ldap.port} -f ${openldap.root}/etc/openldap/slapd.conf -F ${openldap.root}/etc/openldap

	########################################################################
	# 6. RBAC ACCELERATOR OVERLAY PROPS
	########################################################################

	rbac.accelerator=false
	rbac.module=moduleload slapo-rbac.la
	dds.module=moduleload dds.la
	monitor.module=moduleload back_monitor.la
	rbac.dn=dc=rbac
	sessions.dn=cn=rbac
	audit.dn=cn=audit
	db.sess.dir=${db.root}/rbacsess
	db.audit.dir=${db.root}/rbacaudit
	db.rbac.dir=${db.root}/rbacoverlay
	db.bak.audit.dir=${db.root}/backup/rbacaudit
	db.bak.sess.dir=${db.root}/backup/rbacsess