ldap/slapd.conf.src - directory-fortress-core - Git at Google

 # Copyright © Joshua Tree Software, LLC, 2009-2013 All Rights Reserved.
 # Fortress slapd.conf default settings.
 # Note: Directives that begin with '@' are substitution parms for Fortress' build.xml 'init-slapd' target.
 include		@SCHEMA_PATH@/core.schema
 include		@SCHEMA_PATH@/ppolicy.schema
 include		@SCHEMA_PATH@/cosine.schema
 include		@SCHEMA_PATH@/inetorgperson.schema
 include		@SCHEMA_PATH@/nis.schema
 include		@SCHEMA_PATH@/openldap.schema
 include		@SCHEMA_PATH@/fortress.schema

 disallow bind_anon
 idletimeout 0
 sizelimit 5000
 timelimit 60
 threads 8
 loglevel 32768
 gentlehup on
 pidfile		@PID_PATH@/slapd.pid
 argsfile	@PID_PATH@/slapd.args
 modulepath	@SLAPD_MODULE_PATH@
 moduleload	@DB_MODULE_NM@
 moduleload	ppolicy.la
 moduleload  accesslog.la

 ### ACLs
 ### Allow users to read permission records (needed for OAM authorization):
 access to dn.sub="ou=Permissions,ou=RBAC,@SUFFIX@" by users read
 access to dn.sub="ou=AdminPerms,ou=ARBAC,@SUFFIX@" by users read

 access to dn.sub="ou=Permissions,ou=RBAC,ou=client123,@SUFFIX@" by users read
 access to dn.sub="ou=AdminPerms,ou=ARBAC,ou=client123,@SUFFIX@" by users read

 access to dn.sub="ou=Permissions,ou=RBAC,ou=client456,@SUFFIX@" by users read
 access to dn.sub="ou=AdminPerms,ou=ARBAC,ou=client456,@SUFFIX@" by users read

 access to dn.sub="ou=Permissions,ou=RBAC,ou=client789,@SUFFIX@" by users read
 access to dn.sub="ou=AdminPerms,ou=ARBAC,ou=client789,@SUFFIX@" by users read

 ### This one allows user to modify their own password (needed for pw policies):
 ### This also allows user to modify their own ftmod attributes (needed for audit):
 access to attrs=userpassword,ftModCode,ftModId,ftModifier
          by self write
          by * auth

 ### Must allow access to dn.base to read supported features on this directory:
 access to dn.base="" by * read
 access to dn.base="cn=Subschema" by * read
 access to *
 	by self write
 	by anonymous auth

 ### Disable null base search of rootDSE
 ### This disables auto-discovery capabilities of clients.
 # Changed -> access to dn.base="" by * read <- to the following:
 access to dn.base=""
      by * none
 password-hash {SSHA}

 #######################################################################
 # History DB Settings
 #######################################################################
 database	 @DB_TYPE@
 @LOG_RDRS@
 @LOG_SIZE@
 suffix		"@LOG_SUFFIX@"
 rootdn      "@LOG_ROOT_DN@"
 rootpw      "@LOG_ROOT_PW@"
 index objectClass,reqDN,reqAuthzID,reqStart,reqAttr eq
 directory	@HISTORY_DB_PATH@
 access to *
     by dn.base="@LOG_ROOT_DN@" write
 @LOG_DBNOSYNCH@
 @LOG_CHECKPOINT@
 @LOG_BDB_CACHE_SIZE@

 #######################################################################
 # Default DB Settings
 #######################################################################
 database	@DB_TYPE@
 @DFLT_RDRS@
 @DFLT_SIZE@
 suffix		"@SUFFIX@"
 rootdn      "@ROOT_DN@"
 rootpw      "@ROOT_PW@"
 #index ou,uid,uidNumber,gidNumber,objectclass eq,pres
 #index cn,sn eq,sub
 #index ftId,ftPermName,ftObjNm,ftOpNm,ftRoles,ftUsers,ftRA,ftARA,ftRoleName eq

 index uidNumber,gidNumber,objectclass eq,pres
 index cn,sn,ftObjNm,ftOpNm,ftRoleName,uid,ou eq,sub
 index ftId,ftPermName,ftRoles,ftUsers,ftRA,ftARA eq

 directory	@DEFAULT_DB_PATH@
 overlay accesslog
 logdb   "@LOG_SUFFIX@"
 @DFLT_DBNOSYNCH@
 @DFLT_CHECKPOINT@
 @DFLT_BDB_CACHE_SIZE@
 @DFLT_BDB_CACHE_IDLE_SIZE@

 #######################################################################
 # Audit Log Settings
 #######################################################################
 @LOGOPS@
 logoldattr ftModifier ftModCode ftModId ftRC ftRA ftARC ftARA ftCstr ftId ftPermName ftObjNm ftOpNm ftObjId ftGroups ftRoles ftUsers ftType
 logpurge 5+00:00 1+00:00

 #######################################################################
 # PW Policy Settings
 #######################################################################
 # Enable the Password Policy overlay to enforce password policies on this database.
 overlay     ppolicy
 ppolicy_default "cn=PasswordPolicy, ou=Policies, @SUFFIX@"
 ppolicy_use_lockout
 ppolicy_hash_cleartext
	# Copyright © Joshua Tree Software, LLC, 2009-2013 All Rights Reserved.
	# Fortress slapd.conf default settings.
	# Note: Directives that begin with '@' are substitution parms for Fortress' build.xml 'init-slapd' target.
	include @SCHEMA_PATH@/core.schema
	include @SCHEMA_PATH@/ppolicy.schema
	include @SCHEMA_PATH@/cosine.schema
	include @SCHEMA_PATH@/inetorgperson.schema
	include @SCHEMA_PATH@/nis.schema
	include @SCHEMA_PATH@/openldap.schema
	include @SCHEMA_PATH@/fortress.schema

	disallow bind_anon
	idletimeout 0
	sizelimit 5000
	timelimit 60
	threads 8
	loglevel 32768
	gentlehup on
	pidfile @PID_PATH@/slapd.pid
	argsfile @PID_PATH@/slapd.args
	modulepath @SLAPD_MODULE_PATH@
	moduleload @DB_MODULE_NM@
	moduleload ppolicy.la
	moduleload accesslog.la

	### ACLs
	### Allow users to read permission records (needed for OAM authorization):
	access to dn.sub="ou=Permissions,ou=RBAC,@SUFFIX@" by users read
	access to dn.sub="ou=AdminPerms,ou=ARBAC,@SUFFIX@" by users read

	access to dn.sub="ou=Permissions,ou=RBAC,ou=client123,@SUFFIX@" by users read
	access to dn.sub="ou=AdminPerms,ou=ARBAC,ou=client123,@SUFFIX@" by users read

	access to dn.sub="ou=Permissions,ou=RBAC,ou=client456,@SUFFIX@" by users read
	access to dn.sub="ou=AdminPerms,ou=ARBAC,ou=client456,@SUFFIX@" by users read

	access to dn.sub="ou=Permissions,ou=RBAC,ou=client789,@SUFFIX@" by users read
	access to dn.sub="ou=AdminPerms,ou=ARBAC,ou=client789,@SUFFIX@" by users read

	### This one allows user to modify their own password (needed for pw policies):
	### This also allows user to modify their own ftmod attributes (needed for audit):
	access to attrs=userpassword,ftModCode,ftModId,ftModifier
	by self write
	by * auth

	### Must allow access to dn.base to read supported features on this directory:
	access to dn.base="" by * read
	access to dn.base="cn=Subschema" by * read
	access to *
	by self write
	by anonymous auth

	### Disable null base search of rootDSE
	### This disables auto-discovery capabilities of clients.
	# Changed -> access to dn.base="" by * read <- to the following:
	access to dn.base=""
	by * none
	password-hash {SSHA}

	#######################################################################
	# History DB Settings
	#######################################################################
	database @DB_TYPE@
	@LOG_RDRS@
	@LOG_SIZE@
	suffix "@LOG_SUFFIX@"
	rootdn "@LOG_ROOT_DN@"
	rootpw "@LOG_ROOT_PW@"
	index objectClass,reqDN,reqAuthzID,reqStart,reqAttr eq
	directory @HISTORY_DB_PATH@
	access to *
	by dn.base="@LOG_ROOT_DN@" write
	@LOG_DBNOSYNCH@
	@LOG_CHECKPOINT@
	@LOG_BDB_CACHE_SIZE@

	#######################################################################
	# Default DB Settings
	#######################################################################
	database @DB_TYPE@
	@DFLT_RDRS@
	@DFLT_SIZE@
	suffix "@SUFFIX@"
	rootdn "@ROOT_DN@"
	rootpw "@ROOT_PW@"
	#index ou,uid,uidNumber,gidNumber,objectclass eq,pres
	#index cn,sn eq,sub
	#index ftId,ftPermName,ftObjNm,ftOpNm,ftRoles,ftUsers,ftRA,ftARA,ftRoleName eq

	index uidNumber,gidNumber,objectclass eq,pres
	index cn,sn,ftObjNm,ftOpNm,ftRoleName,uid,ou eq,sub
	index ftId,ftPermName,ftRoles,ftUsers,ftRA,ftARA eq

	directory @DEFAULT_DB_PATH@
	overlay accesslog
	logdb "@LOG_SUFFIX@"
	@DFLT_DBNOSYNCH@
	@DFLT_CHECKPOINT@
	@DFLT_BDB_CACHE_SIZE@
	@DFLT_BDB_CACHE_IDLE_SIZE@

	#######################################################################
	# Audit Log Settings
	#######################################################################
	@LOGOPS@
	logoldattr ftModifier ftModCode ftModId ftRC ftRA ftARC ftARA ftCstr ftId ftPermName ftObjNm ftOpNm ftObjId ftGroups ftRoles ftUsers ftType
	logpurge 5+00:00 1+00:00

	#######################################################################
	# PW Policy Settings
	#######################################################################
	# Enable the Password Policy overlay to enforce password policies on this database.
	overlay ppolicy
	ppolicy_default "cn=PasswordPolicy, ou=Policies, @SUFFIX@"
	ppolicy_use_lockout
	ppolicy_hash_cleartext