# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
# (It holds the rootdn password in cleartext, and the commented replica
# example below would add the replication bind password as well; restrict
# it to the user slapd runs as.)
#
# Directive syntax reminder: one directive per line, and a line that starts
# with whitespace continues the previous line (used by the access rules below).
#
# [ GLOBAL SETTINGS ]
#
# Default schemas
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/nis.schema
#include /etc/openldap/schema/misc.schema
#include /etc/openldap/schema/rfc822-MailMember.schema
#include /etc/openldap/schema/kerberosobject.schema
#include /etc/openldap/schema/corba.schema
#include /etc/openldap/schema/java.schema
# Addon schemas
#include /etc/openldap/schema/autofs.schema
#include /etc/openldap/schema/courier.schema
#include /etc/openldap/schema/dnszone.schema
#include /etc/openldap/schema/qmail.schema
#include /etc/openldap/schema/qmailControl.schema
#include /etc/openldap/schema/samba2.schema
#include /etc/openldap/schema/samba3.schema
# Experimental schemas
#include /etc/openldap/schema/cron.schema
#include /etc/openldap/schema/trust.schema
#include /etc/openldap/schema/turbo.schema
# Netscape roaming
#include /etc/openldap/schema/mull.schema
#include /etc/openldap/schema/netscape-profile.schema
# Local schema
#include /etc/openldap/schema/local.schema
# Specify a set of features (separated by white space) to allow.
# NOTE(review): bind_v2 accepts LDAPv2 bind requests from legacy clients.
# Remove it once no LDAPv2 clients remain; "require LDAPv3" (see the require
# directive below) is the matching way to refuse them outright.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
# Specify a desired level of concurrency. Provided to the underlying thread
# system as a hint. The default is not to provide any hint.
concurrency 20
# Specify the maximum number of pending requests for an anonymous session. If
# requests are submitted faster than the server can process them, they will
# be queued up to this limit. If the limit is exceeded, the session is closed.
# With both conn_max_pending directives commented out the built-in defaults
# apply (see slapd.conf(5)); an explicit value bounds how much work one
# flooding client can queue before it is disconnected.
#conn_max_pending 100
# Specify the maximum number of pending requests for an
# authenticated session.
#conn_max_pending_auth 1000
# Specify a default search base to use when client submits a non-base search
# request with an empty base DN.
# NOTE(review): written with a space after the comma, unlike the suffix
# "dc=example,dc=com" further down; presumably both normalize to the same DN,
# but spelling them identically avoids any doubt.
defaultsearchbase "dc=example, dc=com"
# A SIGHUP signal will only cause a 'gentle' shutdown-attempt: Slapd will
# stop listening for new connections, but will not close the connections to
# the current clients.
gentlehup on
# Specify the number of seconds to wait before forcibly closing an idle client
# connection. An idletimeout of 0 disables this feature.
# A nonzero value reclaims connections left open by idle or stalled clients.
#idletimeout 0
# Specify time and size limits based on who initiated an operation.
# NOTE(review): every limit below is commented out, so slapd's built-in
# defaults apply (see slapd.conf(5)). Explicit anonymous limits bound how much
# of the directory an unauthenticated client can pull in a single search.
#sizelimit 500
#timelimit 60
#limits anonymous time.soft=60 time.hard=120
#limits anonymous size.soft=1000 size.hard=1100 size.unchecked=1000
#limits users time.soft=60 time.hard=120
#limits users size=1000
#limits dn.base="ou=People,dc=example,dc=com" size=100
# Specify the level at which debugging statements and operation statistics
# should be syslogged (currently logged to the syslogd(8) LOG_LOCAL4 facility).
# Log levels are additive, and available levels are:
# -1 full
# 0 none
# 1 trace function calls
# 2 debug packet handling
# 4 heavy trace debugging
# 8 connection management
# 16 print out packets sent and received
# 32 search filter processing
# 64 configuration file processing
# 128 access control list processing
# 256 stats log connections/operations/results
# 512 stats log entries sent
# 1024 print communication with shell backends
# 2048 entry parsing
# Level 256 (stats) records connections, operations and results, which is the
# minimum needed to audit binds and searches after the fact; while the
# directive is commented out only the compiled-in default level is logged.
#loglevel 256
# This option sets the hash to be used in generation of user passwords, stored
# in userPassword, during processing of LDAP Password Modify Extended
# Operations (RFC 3062). The hash must be one of {SSHA}, {SHA}, {SMD5},
# {MD5}, {CRYPT}, and {CLEARTEXT}. The default is {SSHA}.
# Keep the salted default; {CLEARTEXT} stores the password as typed, and the
# unsalted {SHA}/{MD5} forms are weaker against precomputed-table attacks.
#password-hash {SSHA}
# The ( absolute ) name of a file that will hold the server's process ID
# if started without the debugging command line option.
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
replica-pidfile /var/run/slurpd.pid
replica-argsfile /var/run/slurpd.args
# Specify a set of conditions (separated by white space) to require (default
# none). The directive may be specified globally and/or per-database. bind
# requires bind operation prior to directory operations. LDAPv3 requires
# session to be using LDAP version 3. authc requires authentication prior to
# directory operations. SASL requires SASL authentication prior to directory
# operations. strong requires strong authentication prior to directory
# operations. The strong keyword allows protected "simple" authentication as
# well as SASL authentication. none may be used to require no conditions
# (useful for clearly globally set conditions within a particular database).
# NOTE(review): with nothing required, anonymous and LDAPv2 sessions may issue
# operations subject only to the access directives; "require LDAPv3 authc" is
# the usual tightening once every client can authenticate.
#require none
# Specify the name of an LDIF(5) file containing user defined attributes for
# the root DSE. These attributes are returned in addition to the attributes
# normally produced by slapd.
rootDSE /etc/openldap/rootdse.ldif
# Specify a set of factors (separated by white space) to require. An integer
# value is associated with each factor and is roughly equivalent of the
# encryption key length to require. A value of 112 is equivalent to 3DES, 128
# to Blowfish, etc.
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# NOTE(review): while this stays commented out no minimum protection is
# enforced, so a simple bind (password sent in the clear) is accepted over an
# unencrypted connection. The simple_bind factor sketched here is what forces
# such binds onto a TLS-protected session.
#security ssf=1 update_ssf=112 simple_bind=64
# Specify the maximum size of the primary thread pool. The default is 16.
#threads 16
#
# [ TLS OPTIONS ]
#
# NOTE(review): every TLS* directive in this section is commented out, so
# presumably the server offers neither StartTLS nor ldaps:// and all traffic,
# including bind passwords, crosses the network in cleartext - confirm before
# relying on the security directive above.
#
# Permits configuring what ciphers will be accepted and the preference order.
# should be a cipher specification for OpenSSL.
# NOTE(review): the example string names SSLv2 cipher suites; before enabling
# this, check the ciphers(1) syntax of the OpenSSL build in use and prefer a
# specification that excludes SSLv2 and the MEDIUM group.
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
# Specifies the path of a directory that contains Certificate Authority
# certificates in separate individual files. Usually only one of this or the
# TLSCACertificateFile is used.
#TLSCACertificateFile /etc/openldap/ssl/slapd.pem
#TLSCACertificatePath /etc/openldap/ssl
# Specifies the file that contains the slapd server certificate.
#TLSCertificateFile /etc/openldap/ssl/slapd.pem
# Specifies the file that contains the slapd server private key that matches
# the certificate stored in the TLSCertificateFile file. Currently, the private
# key must not be protected with a password, so it is of critical importance
# that it is protected carefully.
# The example points CA file, certificate and key at the same slapd.pem; keep
# the unencrypted key in a file readable only by the slapd user, separate from
# anything that is handed out as a CA bundle.
#TLSCertificateKeyFile /etc/openldap/ssl/slapd.pem
# Specifies what checks to perform on client certificates in an incoming TLS
# session, if any. never is also the built-in default; the other values
# (allow, try, demand) request or require a client certificate - see
# slapd.conf(5).
#TLSVerifyClient never
#
# [ GLOBAL ACCESS CONTROL ]
#
# See slapd.access(5) for details
# Only userPassword is covered: the owner may change it, anonymous clients may
# use it to bind (auth), nobody else sees it. No other access directive is
# visible in this file, so the remaining attributes fall back to slapd's
# built-in default (read access for everyone) - confirm against slapd.access(5)
# and add rules for any other sensitive attribute.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
#
# [ BACKEND OPTIONS ]
#
# Load dynamic backend modules:
modulepath /usr/lib/openldap
#moduleload back_dnssrv.la
#moduleload back_ldap.la
#moduleload back_bdb.la
moduleload back_ldbm.la
#moduleload back_meta.la
moduleload back_monitor.la
moduleload back_null.la
#moduleload back_passwd.la
#moduleload back_shell.la
#moduleload back_perl.la
#moduleload back_sql.la
# Options in this section only apply to the configuration file section for the
# specified backend. They are supported by every type of backend.
#backend ldbm
#cachesize 1000
#dbcachesize 100000
#dbsync 10 12 5
#
# [ DATABASE OPTIONS ]
#
# Mark the beginning of a new database instance definition.
# NOTE(review): ldbm is the legacy backend (back_bdb is present above but
# commented out); later OpenLDAP releases dropped ldbm - confirm the release
# in use still ships it.
database ldbm
# Specify the DN suffix of queries that will be passed to this backend
# database. Multiple suffix lines can be given and at least one is required for
# each database definition. If the suffix of one database is "inside" that of
# another, the database with the inner suffix must come first in the
# configuration file.
suffix "dc=example,dc=com"
# Specify the distinguished name that is not subject to access control or
# administrative limit restrictions for operations on this database. An empty
# root DN (the default) specifies no root access is to be granted. It is
# recommended that the rootdn only be specified when needed (such as when
# initially populating a database).
rootdn "cn=admin,dc=example,dc=com"
# Specify a password (or hash of the password) for the rootdn. This option
# accepts all RFC 2307 userPassword formats known to the server (see
# password-hash description) as well as cleartext.
# NOTE(review): "secret" is a cleartext placeholder. Replace it with a hash
# produced by slappasswd(8), e.g. `rootpw {SSHA}<hash-from-slappasswd>`, or
# follow the recommendation above and drop rootdn/rootpw once the directory
# is populated. The rootdn bypasses every access rule in this file.
rootpw secret
# Controls whether slapd will automatically maintain the modifiersName,
# modifyTimestamp, creatorsName, and createTimestamp attributes for entries.
# These operational attributes are what lets a change be attributed to the
# identity that made it; the default while this is commented out is on per
# slapd.conf(5) - confirm.
#lastmod on
# Specifies the maximum number of aliases to dereference when trying to resolve
# an entry, used to avoid infinite alias loops.
#maxderefdepth 1
# This option puts the database into "read-only" mode. Any attempts to modify
# the database will return an "unwilling to perform" error.
#readonly on
# Specify a replication site for this database. Refer to the "OpenLDAP
# Administrator's Guide" for detailed information on setting up a replicated
# slapd directory service.
# NOTE(review): credentials= holds the replication bind password in cleartext
# inside this file, which is one more reason the file must not be readable by
# other users.
#replica uri=ldaps://slave.example.com/
#    binddn="cn=ldapAdminSlave,dc=domain,dc=tld"
#    bindmethod=simple
#    credentials=ldapAdminSlave_secret
# see man slapd.conf for full description
# Specify the name of the replication log file to log changes to.
#replogfile /var/lib/ldap/replica/example.com.replog
# Specify that the current backend database is a subordinate of another backend
# database. A subordinate database may have only one suffix. This option may be
# used to glue multiple databases into a single namingContext.
#subordinate
# This option is only applicable in a slave slapd. It specifies the DN allowed
# to make changes to the replica
#updatedn "cn=slave,dc=example,dc=com"
# Specify the referral to pass back when slapd(8) is asked to modify a
# replicated local database. If specified multiple times, each url is provided.
# NOTE(review): updateref takes a bare URL; the "uri=" prefix in the example
# looks like it would not parse - confirm against slapd.conf(5) before enabling.
#updateref "uri=ldap://ldap2.example.com"
# Specify the directory where the LDBM files containing this database and
# associated indexes live.
# The directory holds the raw entries including password hashes; it should be
# owned by and accessible only to the slapd user.
directory /var/lib/ldap/bases/example.com
# Specify the indexes to maintain for the given attribute (or list of
# attributes). Some attributes only support a subset of indexes.
index objectClass eq
index uid pres,eq,sub
index cn pres,eq,sub,subany
# [BACKEND ACCESS CONTROL LIST]
# Repeats the global userPassword rule for this database, presumably so it
# stays in force if the global directive is removed later; keep the two in
# sync when editing either.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
#
# Next database instance
#
#database bdb
#suffix "o=org"
#rootdn "cn=admin,o=org"
#rootpw secret
#directory /var/lib/ldap/bases/org
# [BACKEND ACCESS CONTROL LIST]
#access to attrs=userPassword
#    by self write
#    by anonymous auth
#    by * none
#
#
# [END OF SLAPD.CONF]