Created
December 10, 2010 13:43
-
-
Save syzdek/736209 to your computer and use it in GitHub Desktop.
Example OpenLDAP slapd configuration.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# | |
# Slapd Daemon Configuration | |
# Copyright (C) 2011 Bindle Binaries <syzdek@bindlebinaries.com>. | |
# | |
# @BINDLE_BINARIES_BSD_LICENSE_START@ | |
# | |
# Redistribution and use in source and binary forms, with or without | |
# modification, are permitted provided that the following conditions are | |
# met: | |
# | |
# * Redistributions of source code must retain the above copyright | |
# notice, this list of conditions and the following disclaimer. | |
# * Redistributions in binary form must reproduce the above copyright | |
# notice, this list of conditions and the following disclaimer in the | |
# documentation and/or other materials provided with the distribution. | |
# * Neither the name of Bindle Binaries nor the | |
# names of its contributors may be used to endorse or promote products | |
# derived from this software without specific prior written permission. | |
# | |
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS | |
# IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, | |
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BINDLE BINARIES BE LIABLE FOR | |
# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
# SUCH DAMAGE. | |
# | |
# @BINDLE_BINARIES_BSD_LICENSE_END@ | |
# | |
# slapd.conf - generic slapd.conf file for Bindle Binaries | |
# | |
# Notes: | |
# Stop daemon: kill `cat /var/run/slapd/slapd.pid` | |
# Start daemon: /usr/local/libexec/slapd -u slapd -g ldap | |
# Start daemon with debug: | |
# /usr/local/libexec/slapd -u slapd -g ldap -d $((1+8+16+32+64+128)) | |
# | |
# Load schema files | |
include /usr/local/etc/openldap/schema/core.schema | |
include /usr/local/etc/openldap/schema/cosine.schema | |
include /usr/local/etc/openldap/schema/inetorgperson.schema | |
include /usr/local/etc/openldap/schema/nis.schema | |
include /usr/local/etc/openldap/schema-custom/asterisk.schema | |
include /usr/local/etc/openldap/schema-custom/cmusasl.schema | |
# Set daemon options | |
pidfile /var/run/slapd/slapd.pid | |
argsfile /var/run/slapd/slapd.args | |
# Load dynamic backend modules: | |
# modulepath /usr/local/libexec/openldap | |
moduleload back_null.la | |
moduleload back_bdb.la | |
moduleload back_hdb.la | |
moduleload back_ldap.la | |
moduleload back_ldif.la | |
moduleload back_shell.la | |
moduleload back_perl.la | |
####################################################################### | |
# Local Configuration | |
####################################################################### | |
include /usr/local/etc/openldap/slapd-local.inc | |
####################################################################### | |
# SSL Connections | |
####################################################################### | |
# Generate SSL private key: | |
# openssl genrsa -out hostkey.pem 4096 | |
# | |
# Generate a certificate signing request: | |
# openssl req -new -key hostkey.pem -out hostcsr.pem | |
# | |
# Sign CSR with private key (does not work with localhost as CN): | |
# openssl x509 -req -days 365 -in hostcsr.pem \ | |
# -signkey hostkey.pem -out hostcert.pem | |
# | |
# Copy server certificate and protect key: | |
# chmod 600 hostkey.pem | |
# cp hostcert.pem ca-certs.pem | |
# | |
# Add the following to ldap.conf: | |
# TLS_CACERT /usr/local/etc/openldap/keys/ca-certs.pem | |
# | |
# Test SSL connection: | |
# openssl s_client -connect ${SERVERADDR}:636 -showcerts | |
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3 | |
TLSCACertificateFile /usr/local/etc/openldap/keys/ca-certs.pem | |
TLSCertificateFile /usr/local/etc/openldap/keys/hostcert.pem | |
TLSCertificateKeyFile /usr/local/etc/openldap/keys/hostkey.pem | |
TLSVerifyClient never | |
####################################################################### | |
# SASL Auth | |
####################################################################### | |
# SASL Users authenticate against the following | |
# meta DNs in the LDAP tree: | |
# | |
# With a SASL Realm (for supported mechanisms): | |
# uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth | |
# | |
# Without a SASL Realm: | |
# uid=<username>,cn=<mechanism>,cn=auth | |
# | |
# Map the meta DN to a real dn using authz-regexp. | |
# Hardcoded test user | |
authz-regexp | |
uid=test,cn=(.*),cn=auth | |
uid=test,ou=people,o=bindlebinaries.com,o=test | |
# scripts, daemons, staff, etc | |
authz-regexp | |
uid=(.*)@(.*),cn=(.*),cn=auth | |
uid=$1,ou=$2,o=slapdUsers | |
# shortcut for staff accounts | |
authz-regexp | |
uid=(.*),cn=(.*),cn=auth | |
uid=$1,ou=People,o=slapdUsers | |
####################################################################### | |
# Access Control | |
####################################################################### | |
# Access Layout: | |
# +--rootDSE | |
# +--cn=auth | |
# +--cn=Directory Manager | |
# +--cn=monior | |
# +--cn=Subschema | |
# +--o=slapdUsers | |
# | +--ou=Clients | |
# | | \--cn=ldap01-slapd | |
# | +--ou=Groups | |
# | | +--cn=Administrators (allows write access to everything) | |
# | | +--cn=Authentication (allows read access to credentials) | |
# | | +--cn=AuthProvisioning (allows write access to credentials) | |
# | | +--cn=Provisioning (allows read-write access to entries) | |
# | | +--cn=Services (allows read-only access to entries) | |
# | | \--cn=Staff (allows read-only/limited-write access) | |
# | \--ou=People | |
# | \--uid=root | |
# +--o=subscribers | |
# \--o=test | |
# | |
# Access Levels (OpenLDAP 2.4 Admin Guide 8.2.3): | |
# none 0 no access | |
# disclose d needed for information disclosure on error | |
# auth xd needed to authenticate (bind) | |
# compare cxd needed to compare | |
# search scxd needed to apply search filters | |
# read rscxd needed to read search results | |
# write wrscxd needed to modify/rename | |
# manage mwrscxd needed to manage | |
access to dn.base="" by * read | |
access to dn.base="cn=Subschema" by * read | |
# restrict access to protected user "root" | |
access to dn.base="uid=root,ou=People,o=slapdUsers" | |
by ssf=256 self write | |
by ssf=256 anonymous auth | |
by * none | |
# enable broad permissions for LDAP administrators | |
access to * | |
by ssf=256 dn.base="uid=root,ou=People,o=slapdUsers" write | |
by ssf=256 group.exact="cn=Administrators,ou=Groups,o=slapdUsers" write | |
by * break | |
# restricts access to admin entries | |
access to dn.subtree="o=slapdUsers" | |
by ssf=256 self write | |
by ssf=256 anonymous auth | |
by * none | |
# restrict access to passwords | |
access to attrs=userPassword | |
by ssf=256 group.exact="cn=AuthProvisioning,ou=Groups,o=slapdUsers" write | |
by ssf=256 group.exact="cn=Authentication,ou=Groups,o=slapdUsers" read | |
by ssf=256 group.exact="cn=Provisioning,ou=Groups,o=slapdUsers" +w | |
by ssf=256 group.exact="cn=Staff,ou=Groups,o=slapdUsers" +w | |
by self read | |
by * none | |
# allow limited access to subscribers tree | |
access to dn.subtree="o=subscribers" | |
by ssf=256 group.exact="cn=Provisioning,ou=Groups,o=slapdUsers" write | |
by ssf=256 group.exact="cn=Services,ou=Groups,o=slapdUsers" read | |
by ssf=256 group.exact="cn=Staff,ou=Groups,o=slapdUsers" read | |
by * none | |
# open read access to test branch | |
access to dn.subtree="o=test" | |
by users read | |
by anonymous auth | |
by * none | |
# block everything else | |
access to * by * none | |
####################################################################### | |
# Database definitions | |
####################################################################### | |
# Directory Manager rootDN (cn=Directory Manager) | |
# rootpw: 'drowssap' | |
database null | |
suffix "cn=Directory Manager" | |
rootdn "cn=Directory Manager" | |
rootpw {SSHA}*JHuj9uGw3HYwnindShgKZ5P+yJrmFxK/ | |
# Monitoring rootDN (cn=monitor) | |
database monitor | |
rootdn "cn=Directory Manager" | |
# Slapd User rootDN (o=slapdUsers) | |
# See: https://gist.github.com/997335 | |
database ldif | |
suffix "o=slapdUsers" | |
rootdn "cn=Directory Manager" | |
directory /usr/local/var/openldap-data/slapdUsersRoot | |
# Bindle Binaries userRoot (o=subscribers) | |
database bdb | |
suffix "o=subscribers" | |
rootdn "cn=Directory Manager" | |
directory /usr/local/var/openldap-data/subscribersRoot | |
index mail eq | |
index uid eq | |
# Test rootDN (o=test) | |
database ldif | |
suffix "o=test" | |
rootdn "cn=Directory Manager" | |
directory /usr/local/var/openldap-data/testRoot | |
# end of config |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment