| # Copyright © Joshua Tree Software, LLC, 2009-2013 All Rights Reserved. |
| # Fortress slapd.conf default settings. |
| # Note: Directives that begin with '@' are substitution parms for Fortress' build.xml 'init-slapd' target. |
| include @SCHEMA_PATH@/core.schema |
| include @SCHEMA_PATH@/ppolicy.schema |
| include @SCHEMA_PATH@/cosine.schema |
| include @SCHEMA_PATH@/inetorgperson.schema |
| include @SCHEMA_PATH@/nis.schema |
| include @SCHEMA_PATH@/openldap.schema |
| include @SCHEMA_PATH@/fortress.schema |
| |
| # --- Global (frontend) settings ------------------------------------- |
| # Reject explicit anonymous (empty-credential) bind requests. Per slapd.conf(5) |
| # this only refuses the bind operation itself: a client that never binds is still |
| # an anonymous session and can issue operations, limited by the ACLs below. |
| # Use `require authc` if unauthenticated operations must be refused outright. |
| disallow bind_anon |
| # 0 = never close idle client connections. NOTE(review): idle sockets are held |
| # until the client drops them; consider a non-zero value if connection |
| # exhaustion by misbehaving clients is a concern. |
| idletimeout 0 |
| # Server-wide per-request caps: at most 5000 entries / 60 seconds per search. |
| sizelimit 5000 |
| timelimit 60 |
| # Worker threads servicing client operations. |
| threads 8 |
| # 32768 (0x8000) is the slapd.conf(5) level "only messages that get logged |
| # whatever log level is set", i.e. no connection/operation logging (`stats`, |
| # 256). NOTE(review): with this setting, bind failures and searches are not |
| # visible in syslog; the accesslog DB below records only the operation types |
| # selected by @LOGOPS@, so authentication activity has no audit trail here. |
| loglevel 32768 |
| # On SIGHUP stop accepting new connections but let existing ones finish. |
| gentlehup on |
| pidfile @PID_PATH@/slapd.pid |
| argsfile @PID_PATH@/slapd.args |
| # Dynamic modules: the backend, plus the two overlays configured on the |
| # default database below (they must be loaded before `overlay` is used). |
| modulepath @SLAPD_MODULE_PATH@ |
| moduleload @DB_MODULE_NM@ |
| moduleload ppolicy.la |
| moduleload accesslog.la |
| |
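| ### ACLs |
| ### Global (frontend) ACLs. They govern every database that declares no |
| ### `access` directives of its own (the default DB below); the history DB |
| ### carries its own rule. slapd uses the FIRST `access to <what>` clause that |
| ### matches the target and then consults only that clause's `by` list; a `by` |
| ### list matching nobody denies (implicit `by * none`). Order therefore |
| ### matters: nothing placed after the `access to *` catch-all is ever evaluated. |
| |
| ### Allow users to read permission records (needed for OAM authorization). |
| ### `users` = any authenticated DN; `dn.sub` covers the ou= entry itself and |
| ### its whole subtree. Anonymous sessions match nothing here and fall through |
| ### to the catch-all, which grants them no read access. |
| access to dn.sub="ou=Permissions,ou=RBAC,@SUFFIX@" by users read |
| access to dn.sub="ou=AdminPerms,ou=ARBAC,@SUFFIX@" by users read |
| |
| ### Per-tenant copies of the rule above. Every tenant subtree needs its own |
| ### pair; a tenant without one is unreadable by users (the catch-all fails closed). |
| access to dn.sub="ou=Permissions,ou=RBAC,ou=client123,@SUFFIX@" by users read |
| access to dn.sub="ou=AdminPerms,ou=ARBAC,ou=client123,@SUFFIX@" by users read |
| |
| access to dn.sub="ou=Permissions,ou=RBAC,ou=client456,@SUFFIX@" by users read |
| access to dn.sub="ou=AdminPerms,ou=ARBAC,ou=client456,@SUFFIX@" by users read |
| |
| access to dn.sub="ou=Permissions,ou=RBAC,ou=client789,@SUFFIX@" by users read |
| access to dn.sub="ou=AdminPerms,ou=ARBAC,ou=client789,@SUFFIX@" by users read |
| |
| ### Users may modify their own password (needed for pw policies) and their |
| ### own ftMod* attributes (needed for audit). `by * auth` lets any session, |
| ### anonymous included, present userPassword in a simple bind, but not read it. |
| ### NOTE(review): `self write` on ftModifier/ftModId/ftModCode lets the bound |
| ### user set their own audit-attribution fields; treat the accesslog DB |
| ### (reqAuthzID) as the authoritative record of who changed what. |
| access to attrs=userpassword,ftModCode,ftModId,ftModifier |
| by self write |
| by * auth |
| |
| ### Must allow access to dn.base (the rootDSE) to read supported features on |
| ### this directory, and to cn=Subschema for the schema. `by * read` includes |
| ### anonymous sessions, so unauthenticated clients can auto-discover the |
| ### server. To restrict that, change THIS rule (e.g. `by users read`): a |
| ### second `access to dn.base="" by * none` placed further down is shadowed |
| ### by this clause and by the catch-all and never takes effect (an earlier |
| ### revision of this file carried exactly such a dead rule). |
| access to dn.base="" by * read |
| access to dn.base="cn=Subschema" by * read |
| |
| ### Catch-all for everything not matched above: the bound user may write any |
| ### remaining attribute of their own entry; anonymous gets `auth` only (needed |
| ### for a simple bind to proceed); every other DN is denied, so authenticated |
| ### users cannot read each other's entries. |
| ### NOTE(review): `self write` here is broad. If role-assignment attributes |
| ### (ftRA/ftARA, indexed in the default DB below) are stored on the user |
| ### entry, this would let a user alter their own assignments -- confirm |
| ### against fortress.schema and, if so, deny them with an `attrs=` rule above. |
| access to * |
| by self write |
| by anonymous auth |
| |
| ### Hash scheme for passwords set via the Password Modify extended operation |
| ### (slapd.conf(5) password-hash); ppolicy_hash_cleartext on the default DB |
| ### extends it to plain Add/Modify of userPassword. {SSHA} is salted SHA-1, |
| ### which is cheap to brute-force offline; prefer a slower scheme (e.g. the |
| ### argon2 module) if the installed slapd build provides one. |
| password-hash {SSHA} |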
| |
| ####################################################################### |
| # History DB Settings |
| ####################################################################### |
| # Target database for slapo-accesslog. The overlay writes here through |
| # internal operations; the `access` rule below governs who may READ the trail. |
| database @DB_TYPE@ |
| @LOG_RDRS@ |
| @LOG_SIZE@ |
| suffix "@LOG_SUFFIX@" |
| rootdn "@LOG_ROOT_DN@" |
| # NOTE(review): substituted at build time. Store a slappasswd-generated hash |
| # rather than the cleartext secret, and keep this file readable only by the |
| # slapd user -- the rootdn bypasses every ACL. |
| rootpw "@LOG_ROOT_PW@" |
| # Equality indexes on the attributes audit queries filter on. |
| index objectClass,reqDN,reqAuthzID,reqStart,reqAttr eq |
| directory @HISTORY_DB_PATH@ |
| # Database-local ACL: only the log rootdn matches a `by` clause; everyone |
| # else hits the implicit `by * none`. Because this `access to *` matches |
| # every entry, the global ACLs above are never consulted for this database. |
| # (The rootdn is exempt from ACLs anyway, so the rule chiefly matters if the |
| # history is ever served under a different rootdn.) |
| access to * |
| by dn.base="@LOG_ROOT_DN@" write |
| # NOTE(review): if @LOG_DBNOSYNCH@ expands to `dbnosync`, the newest audit |
| # records can be lost on a crash -- weigh that against the write-throughput gain. |
| @LOG_DBNOSYNCH@ |
| @LOG_CHECKPOINT@ |
| @LOG_BDB_CACHE_SIZE@ |
| |
| ####################################################################### |
| # Default DB Settings |
| ####################################################################### |
| # The Fortress data database. It declares no `access` directives of its own, |
| # so the global ACLs above apply to it. |
| database @DB_TYPE@ |
| @DFLT_RDRS@ |
| @DFLT_SIZE@ |
| suffix "@SUFFIX@" |
| rootdn "@ROOT_DN@" |
| # NOTE(review): substituted at build time and exempt from all ACLs. Store a |
| # slappasswd-generated hash rather than the cleartext secret, and keep this |
| # file readable only by the slapd user. |
| rootpw "@ROOT_PW@" |
| # Earlier index set, kept for reference; superseded by the active lines below. |
| #index ou,uid,uidNumber,gidNumber,objectclass eq,pres |
| #index cn,sn eq,sub |
| #index ftId,ftPermName,ftObjNm,ftOpNm,ftRoles,ftUsers,ftRA,ftARA,ftRoleName eq |
| |
| # Indexes backing Fortress' equality/substring searches on user, role and |
| # permission entries. |
| index uidNumber,gidNumber,objectclass eq,pres |
| index cn,sn,ftObjNm,ftOpNm,ftRoleName,uid,ou eq,sub |
| index ftId,ftPermName,ftRoles,ftUsers,ftRA,ftARA eq |
| |
| directory @DEFAULT_DB_PATH@ |
| # Audit: route this database's operations to the history DB declared above. |
| overlay accesslog |
| logdb "@LOG_SUFFIX@" |
| # NOTE(review): if @DFLT_DBNOSYNCH@ expands to `dbnosync`, the most recent |
| # writes can be lost on a crash; fine for a rebuildable replica, not for the |
| # system of record. |
| @DFLT_DBNOSYNCH@ |
| @DFLT_CHECKPOINT@ |
| @DFLT_BDB_CACHE_SIZE@ |
| @DFLT_BDB_CACHE_IDLE_SIZE@ |
| |
| ####################################################################### |
| # Audit Log Settings |
| ####################################################################### |
| # Operation types to log (slapo-accesslog `logops`), substituted at build time. |
| @LOGOPS@ |
| # Record the pre-modification values of these Fortress attributes in each |
| # audit entry so role/permission changes can be reconstructed afterwards. |
| logoldattr ftModifier ftModCode ftModId ftRC ftRA ftARC ftARA ftCstr ftId ftPermName ftObjNm ftOpNm ftObjId ftGroups ftRoles ftUsers ftType |
| # Delete audit entries older than 5 days, sweeping once a day. |
| # NOTE(review): 5 days is a short window for incident response; forward the |
| # history DB to long-term storage (SIEM) if a longer trail is required. |
| logpurge 5+00:00 1+00:00 |
| |
| ####################################################################### |
| # PW Policy Settings |
| ####################################################################### |
| # Enable the Password Policy overlay to enforce password policies on this database. |
| overlay ppolicy |
| # Policy applied to any entry without an explicit pwdPolicySubentry. |
| ppolicy_default "cn=PasswordPolicy, ou=Policies, @SUFFIX@" |
| # Return the distinct AccountLocked error on a locked account's bind instead of |
| # the generic invalidCredentials. slapo-ppolicy(5) leaves this off by default |
| # because it discloses lock state to an unauthenticated caller; keep it only |
| # if Fortress relies on the explicit error. |
| ppolicy_use_lockout |
| # Hash cleartext userPassword values on ordinary Add/Modify using the global |
| # password-hash scheme, not only on Password Modify extended operations. |
| ppolicy_hash_cleartext |