@tuxfight3r
Last active February 1, 2024 02:50
openldap proxy to AD with TLS
#file /etc/sysconfig/slapd
# OpenLDAP server configuration
# see 'man slapd' for additional information
# Where the server will run (-h option)
# - ldapi:/// is required for on-the-fly configuration using client tools
# (use SASL with EXTERNAL mechanism for authentication)
# - default: ldapi:/// ldap:///
# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
# NOTE(review): the slapd.conf that goes with this file proxies simple binds
# through to AD (rebind-as-user yes / idassert-bind bindmethod=simple), so a
# client's bind password crosses the network on the plain ldap:/// listener
# unless the client negotiates StartTLS. Drop ldap:/// (keeping ldaps:///,
# plus ldapi:/// for local administration) if cleartext binds are not needed.
SLAPD_URLS="ldap:/// ldaps:///"
# Any custom options
# -4 limits the listeners to IPv4 addresses.
SLAPD_OPTIONS="-4"
# Keytab location for GSSAPI Kerberos authentication
#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
#file /etc/openldap/slapd.conf
#Global Schemas
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/misc.schema
#Global options
conn_max_pending 1000
sockbuf_max_incoming 4194303
loglevel 256
sizelimit unlimited
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#LDAP Proxy Options (the credentials= line below stores the AD service-account password in cleartext, so this file must be readable only by the slapd user)
modulepath /usr/lib64/openldap
moduleload back_ldap
moduleload rwm
database ldap
suffix "dc=domain,dc=local"
#subordinate
rebind-as-user yes
uri ldaps://UKADC01.domain.local,ldaps://UKADC02.domain.local
chase-referrals no
readonly yes
protocol-version 3
idassert-bind bindmethod=simple
binddn="cn=svc_test_ad,ou=Service Accounts,ou=Admin,ou=Infrastructure,dc=domain,dc=local"
credentials="XxxxxxxxX"
tls_reqcert=never
tls_cacert=/etc/openldap/certs/ukdc2-ldapserver.pem
###############################################################
# OPTIONAL DATA MANIPULATION #
###############################################################
# more info: http://www.openldap.org/software/man.cgi?query=slapo-rwm
#Enable if there is a requirement to alter data on the fly
#overlay rwm
#rwm-rewriteEngine on
#rwm-rewriteContext default
#rwm-rewriterule "^(.+)\\\\2C(.*)" "$1\\,$2" ":"
#Enable if altered data needs a mapping to a different value
#rwm-map attribute uid sAMAccountName
#rwm-map attribute mail proxyAddresses
###############################################################
TLSVerifyClient never
#CA Certificate
TLSCACertificateFile /etc/openldap/certs/ukdc2-ldapserver.pem
#cert and key for the proxy's own hostname ldap-proxy.aws.domain.local; the same .pem is used as TLSCertificateFile and TLSCertificateKeyFile, so it contains the private key and must be readable only by the slapd user
TLSCertificateFile /etc/openldap/certs/ldap-proxy.pem
TLSCertificateKeyFile /etc/openldap/certs/ldap-proxy.pem
#allow self-signed certs: with tls_reqcert=allow (and tls_reqcert=never on the idassert-bind above) a certificate that fails validation against tls_cacert does not abort the connection, so the proxy does not actually authenticate the AD servers; use tls_reqcert=demand once the CA file is correct
tls ldaps tls_reqcert=allow tls_cacert=/etc/openldap/certs/ukdc2-ldapserver.pem
conn-ttl 3600

Verification commands

#without TLS (plain ldap://, so the -w bind password is sent in cleartext; passing it as an argument also leaves it in shell history and process listings — -W prompts for it instead)

$ ldapsearch -vxH ldap://10.140.0.10 -b "dc=domain,dc=local" \
  -D "cn=svc_test_ad,ou=Service Accounts,ou=Admin,ou=Infrastructure,dc=domain,dc=local" \
  -w "XxxxxxxxxxxxX" sAMAccountName="user123"

#with TLS (LDAPTLS_REQCERT=never skips verification of the proxy's certificate and is only appropriate for a connectivity test)
$ LDAPTLS_REQCERT=never ldapsearch -vxH ldaps://10.140.0.10 -b "dc=domain,dc=local" \
  -D "cn=svc_test_ad,ou=Service Accounts,ou=Admin,ou=Infrastructure,dc=domain,dc=local" \
  -w "XxxxxxxxxxxxX" sAMAccountName="user123"
  
$ LDAPTLS_REQCERT=never ldapsearch -vxH ldaps://ldap-proxy.aws.domain.local -b "dc=domain,dc=local" \
  -D "cn=svc_test_ocp,ou=Service Accounts,ou=Admin,ou=Infrastructure,dc=domain,dc=local" \
  -w "XxxxxxxxxxxxX" -s sub "(&(objectCategory=user)(memberOf=CN=r-ocp-devtool-admin,OU=DOCET,OU=Admin Groups,OU=Admin,OU=Infrastructure,DC=domain,DC=local))"
 