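# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable: it names the server key file and
# the per-database include files (which usually carry rootdn/rootpw), so keep
# it owned by the slapd service account with no group/other read permission.
#
# Layout: one directive per line; a line starting with whitespace continues
# the previous directive (used below for the "by" clauses of access lines).
#
# [ GLOBAL SETTINGS ]
#
# Default schemas
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/nis.schema
#include /etc/openldap/schema/misc.schema
#include /etc/openldap/schema/rfc822-MailMember.schema
#include /etc/openldap/schema/kerberosobject.schema
#include /etc/openldap/schema/corba.schema
#include /etc/openldap/schema/java.schema
# Addon schemas
#include /etc/openldap/schema/autofs.schema
#include /etc/openldap/schema/courier.schema
#include /etc/openldap/schema/dnszone.schema
#include /etc/openldap/schema/freeradius.schema
#include /etc/openldap/schema/qmail.schema
#include /etc/openldap/schema/qmailControl.schema
#include /etc/openldap/schema/samba2.schema
#include /etc/openldap/schema/samba3.schema
# Experimental schemas
#include /etc/openldap/schema/cron.schema
#include /etc/openldap/schema/trust.schema
#include /etc/openldap/schema/turbo.schema
# Netscape roaming
#include /etc/openldap/schema/mull.schema
#include /etc/openldap/schema/netscape-profile.schema
# Local schema
#include /etc/openldap/schema/local.schema
# Specify a set of features (separated by white space) to allow.
# bind_v2 accepts LDAPv2 binds; v2 sessions cannot use StartTLS or other
# LDAPv3 extended operations, so keep this only while legacy clients need it
# (and see the commented "require LDAPv3" option below).
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
# Specify a desired level of concurrency. Provided to the underlying thread
# system as a hint. The default is not to provide any hint.
concurrency 20
# Specify the maximum number of pending requests for an anonymous session. If
# requests are submitted faster than the server can process them, they will
# be queued up to this limit. If the limit is exceeded, the session is closed.
#conn_max_pending 100
# Specify the maximum number of pending requests for an
# authenticated session.
#conn_max_pending_auth 1000
# Specify a default search base to use when client submits a non-base search
# request with an empty base DN.
#defaultsearchbase "dc=example, dc=com"
# A SIGHUP signal will only cause a 'gentle' shutdown-attempt: Slapd will
# stop listening for new connections, but will not close the connections to
# the current clients.
gentlehup on
# Specify the number of seconds to wait before forcibly closing an idle client
# connection. An idletimeout of 0 disables this feature.
#idletimeout 0
# Specify time and size limits based on who initiated an operation.
# -1 means unlimited: any client, including anonymous ones, may retrieve every
# entry its ACLs allow in a single search. The "limits anonymous ..." lines
# below are the per-requester form that caps bulk enumeration without
# affecting authenticated users; re-enable them rather than raising this.
sizelimit -1
#sizelimit 500
#timelimit 60
#limits anonymous time.soft=60 time.hard=120
#limits anonymous size.soft=1000 size.hard=1100 size.unchecked=1000
#limits users time.soft=60 time.hard=120
#limits users size=1000
#limits dn.base="ou=People,dc=example,dc=com" size=100
# Specify the level at which debugging statements and operation statistics
# should be syslogged (currently logged to the syslogd(8) LOG_LOCAL4 facility).
# Log levels are additive, and available levels are:
# -1 full
# 0 none
# 1 trace function calls
# 2 debug packet handling
# 4 heavy trace debugging
# 8 connection management
# 16 print out packets sent and received
# 32 search filter processing
# 64 configuration file processing
# 128 access control list processing
# 256 stats log connections/operations/results
# 512 stats log entries sent
# 1024 print communication with shell backends
# 2048 entry parsing
# 0 records nothing: failed binds, bulk searches and modifications leave no
# trace in syslog. 256 (stats) logs one line per connection/operation/result
# and is the usual minimum for an audit trail.
loglevel 0
# This option sets the hash to be used in generation of user passwords, stored
# in userPassword, during processing of LDAP Password Modify Extended
# Operations (RFC 3062). The value must be one of {SSHA}, {SHA}, {SMD5},
# {MD5}, {CRYPT}, and {CLEARTEXT}. The default is {SSHA}; the salted form
# is the one to keep, {CLEARTEXT} and unsalted {MD5}/{SHA} should not be used.
#password-hash {SSHA}
# The ( absolute ) name of a file that will hold the server's process ID
# if started without the debugging command line option.
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
# Specify the name of the replication log file to log changes to.
# This one is a global replogfile for all configured databases.
# Path to file is relative to chroot dir.
#replogfile /replica/replica.data
# Specify a set of conditions (separated by white space) to require (default
# none). The directive may be specified globally and/or per-database. bind
# requires bind operation prior to directory operations. LDAPv3 requires
# session to be using LDAP version 3. authc requires authentication prior to
# directory operations. SASL requires SASL authentication prior to directory
# operations. strong requires strong authentication prior to directory
# operations. The strong keyword allows protected "simple" authentication as
# well as SASL authentication. none may be used to require no conditions
# (useful for clearly globally set conditions within a particular database).
#require none
# Specify the name of an LDIF(5) file containing user defined attributes for
# the root DSE. These attributes are returned in addition to the attributes
# normally produced by slapd.
rootDSE /etc/openldap/rootdse.ldif
# Specify a set of factors (separated by white space) to require. An integer
# value is associated with each factor and is roughly equivalent to the
# encryption key length to require. A value of 112 is equivalent to 3DES, 128
# to Blowfish, etc..
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 64-bit encryption for simple bind
# While this stays commented and the TLS options below are unset, simple binds
# carry the userPassword value in cleartext over the wire. Configure TLS first,
# then enable at least simple_bind= so cleartext binds are refused.
#security ssf=1 update_ssf=112 simple_bind=64
# Specify the maximum size of the primary thread pool. The default is 16.
#threads 16
#
# [ TLS OPTIONS ]
#
# Permits configuring what ciphers will be accepted and the preference order.
# should be a cipher specification for OpenSSL. The historical example
# "HIGH:MEDIUM:+SSLv2" kept obsolete SSLv2 suites selectable; the string below
# excludes anonymous (unauthenticated) suites and MD5-based ones instead.
#TLSCipherSuite HIGH:!aNULL:!MD5
# Specifies the Certificate Authority certificates used to verify peers:
# TLSCACertificateFile is a single PEM file holding all CA certificates,
# TLSCACertificatePath a directory containing them as separate individual
# files. Usually only one of the two is used.
#TLSCACertificateFile /var/lib/ssl/cert.pem
#TLSCACertificatePath /var/lib/ssl/certs
# Specifies the file that contains the slapd server certificate.
#TLSCertificateFile /var/lib/ssl/certs/slapd.cert
# Specifies the file that contains the slapd server private key that matches
# the certificate stored in the TLSCertificateFile file. Currently, the private
# key must not be protected with a password, so it is of critical importance
# that it is protected carefully (readable by the slapd user only).
#TLSCertificateKeyFile /var/lib/ssl/private/slapd.key
# Specifies what checks to perform on client certificates in an incoming TLS
# session, if any. "never" (the default) does not request one; "demand" is
# what a setup relying on SASL EXTERNAL client-certificate authentication needs.
#TLSVerifyClient never
#
# [ GLOBAL ACCESS CONTROL ]
#
# See slapd.access(5) for details. The first matching "access to" clause wins,
# so ordering matters. The databases included further down define their own
# ACLs in their own files; those are consulted before these global ones.
# The root DIT should be accessible to all clients
access to dn.exact=""
	by * read
# Allow read access to schemas
access to dn.subtree="cn=Subschema"
	by * read
# Password hashes are never readable: the owner may change them, anonymous
# sessions may only present them for a bind. If an add-on schema that stores
# other credential attributes is enabled above (e.g. the samba schemas), give
# those attributes the same treatment here or in the database ACLs.
access to attrs=userPassword
	by self write
	by anonymous auth
	by * none
#
# [ BACKEND OPTIONS ]
#
# Load dynamic backend modules:
modulepath /usr/lib/openldap
## Backends
#moduleload back_dnssrv.la
#moduleload back_ldap.la
moduleload back_hdb.la
#moduleload back_bdb.la
#moduleload back_ldbm.la
#moduleload back_meta.la
moduleload back_monitor.la
moduleload back_null.la
#moduleload back_passwd.la
#moduleload back_shell.la
#moduleload back_perl.la
#moduleload back_sql.la
## Overlays
# Known overlays are documented in slapo-accesslog(5), slapo-auditlog(5),
# slapo-chain(5), slapo-dynlist(5), slapo-lastmod(5), slapo-pcache(5),
# slapo-ppolicy(5), slapo-refint(5), slapo-retcode(5), slapo-rwm(5),
# slapo-syncprov(5), slapo-translucent(5), slapo-unique(5).
# accesslog/auditlog record changes for later review; ppolicy adds password
# quality, lockout and expiry controls. Neither is loaded in this file.
#moduleload accesslog.la
#moduleload denyop.la
#moduleload dyngroup.la
#moduleload dynlist.la
#moduleload lastmod.la
#moduleload pcache.la
#moduleload ppolicy.la
#moduleload refint.la
#moduleload retcode.la
#moduleload rwm.la
#moduleload syncprov.la
#moduleload translucent.la
#moduleload unique.la
#moduleload valsort.la
#
# [ DATABASE OPTIONS ]
#
# Each included file holds one database definition (suffix, directory,
# rootdn/rootpw, per-database ACLs). The same readability restriction as for
# this file applies to them.
# First database definition
include /etc/openldap/slapd-hdb-db01.conf
# Second database definition
include /etc/openldap/slapd-hdb-db02.conf
#
# [END OF SLAPD.CONF]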