ldap:openldap_server_configuration

ldap:openldap_server_configuration [2016/11/11 14:48] peterldap:openldap_server_configuration [2019/11/30 13:43] (current) – removed peter
Line 1: Line 1:
-====== LDAP - OpenLDAP Server Configuration ====== 
- 
-OpenLDAP server configuration 
- 
-The configuration file: slapd.conf 
- 
-**NOTE**:  This example includes extensive ACL for a number of services, including Kerberos (Heimdal), and Samba. 
- 
-<file bash slapd.conf> 
-# Includes. 
-include         /etc/openldap/schema/core.schema 
-include         /etc/openldap/schema/cosine.schema 
-include         /etc/openldap/schema/nis.schema 
-include         /etc/openldap/schema/inetorgperson.schema 
-include         /etc/openldap/schema/samba.schema 
-include         /etc/openldap/schema/java.schema 
-include         /etc/openldap/schema/krb5-kdc.schema 
-include         /etc/openldap/schema/lpk.schema 
- 
-modulepath      /usr/lib/openldap/openldap 
- 
-pidfile         /var/run/openldap/slapd.pid 
-argsfile        /var/run/openldap/slapd.args 
-sizelimit 1000 
-loglevel none 
-# stats 
- 
-moduleload smbk5pwd.so 
- 
-localSSF 256 
-# Sample security restrictions 
-#       Require integrity protection (prevent hijacking) 
-#       Require 112-bit (3DES or better) encryption for updates 
-#       Require 63-bit encryption for simple bind 
-#security ssf=1 update_ssf=112 simple_bind=64 
-#security ssf=0 update_ssf=112 simple_bind=0 
-security ssf=1 update_ssf=64 simple_bind=64 
-#security ssf=0 
-#security simple_bind=64 
- 
-TLSCACertificateFile    /etc/ssl/certs/ca-cert.pem 
-TLSCertificateFile      /etc/openldap/ssl/ldap.example.com.pem 
-TLSCertificateKeyFile   /etc/openldap/ssl/ldap.example.com.key 
-TLSDHParamFile /etc/openldap/ssl/dh.pem 
-TLSVerifyClient never 
-TLSCRLCheck none 
- 
-######## MAIN DATABASE DEFINITION ######### 
-database        bdb 
-directory /var/lib/openldap-data 
-suffix          "dc=example,dc=com" 
-rootdn          "uid=ldapmaster,ou=System,dc=example,dc=com" 
-checkpoint      32      30 # <kbyte> <min> 
-lastmod on 
- 
-overlay         smbk5pwd 
- 
-# Indices to maintain 
-index   default     eq,pres 
-index   objectClass             eq 
-index   uid,uidNumber,gidNumber eq 
-index   cn,sn,givenname,mail,displayName    eq,pres,sub 
-index   memberUid,uniqueMember 
-# Kerberos indexes 
-index   krb5PrincipalName,krb5PrincipalRealm 
-# Samba indexes 
-index    sambaSID    eq,sub 
-index    sambaPrimaryGroupSID    eq 
-index    sambaDomainName,sambaGroupType,sambaSIDList    eq 
- 
-#password-hash {CLEARTEXT} 
- 
-# Sasl configuration 
-sasl-host       ldap.example.com 
-sasl-realm      EXAMPLE.COM 
-sasl-secprops none 
- 
-# Mapping of SASL authentication identities to LDAP entries 
-sasl-regexp 
-    uid=(.+),cn=(.+),cn=.+,cn=auth 
-    ldap:///dc=example,dc=com??sub?(|(uid=$1)(cn=$1@$2)) 
-# Kerberos authenticated users 
-sasl-regexp 
-    uid=(.+),cn=.+,cn=auth 
-    ldap:///dc=example,dc=com??sub?(|(uid=$1)(krb5PrincipalName=$1@EXAMPLE.COM)) 
-# Kerberos 
-sasl-regexp 
-    gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth 
-    "uid=kerberos,ou=System,dc=example,dc=com" 
-#    uidNumber=0\\\+gidNumber=0,cn=peercred,cn=external,cn=auth 
- 
-# Access controll lists 
-# 
-#nssproxy - user for nss and pam(not root) 
-#samba - samba server 
-#remoteroot - user for changing passwords and creating users 
-#kerberos - user for kerberos server 
-#dovecot - dovecot auth daemon (DIGEST-MD5 requires cleartext password 
-#jabber - jabber server (see above) 
-#saslauthd - saslauthd auth server (see above), currently unussed - not working yet 
- 
-# posixAccount/posixGroup attributes may only be accessible to root/ldapmaster and samba (write) and pamproxy (read) 
-access to attrs=uidNumber,gidNumber,gecos,homeDirectory,loginShell,memberUid 
-    by dn="uid=nssproxy,ou=System,dc=example,dc=com" read 
-    by dn="uid=remoteroot,ou=System,dc=example,dc=com" write 
-    by dn="uid=samba,ou=System,dc=example,dc=com" write 
-    by users read 
- 
-# This is needed so sasl-regexp/GSSAPI works correctly 
-access to attrs=krb5PrincipalName,uid 
-    by dn="uid=samba,ou=System,dc=example,dc=com" write 
-    by dn="uid=kerberos,ou=System,dc=example,dc=com" write 
-    by dn="uid=remoteroot,ou=System,dc=example,dc=com" write 
-    by anonymous auth 
-    by users read 
- 
-# Kerberos (HEIMDAL) attributes may only be accessible to kerberos and samba (smbldap-tools) 
-access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmName 
-    by dn="uid=kerberos,ou=System,dc=example,dc=com" write 
-    by dn="uid=samba,ou=System,dc=example,dc=com" =w 
-    by dn="uid=remoteroot,ou=System,dc=example,dc=com" =w 
-    by * none 
-     
-# Kerberos (MIT) attributes may only be accessible to kerberos and samba (smbldap-tools) 
-#access to attrs=krbLoginFailedCount,krbMaxTicketLife,krbMaxRenewableAge,krbTicketFlags,krbPrincipalExpiration,krbPrincipalKey,krbLastPwdChange,krbExtraData,krbPasswordExpiration 
-#    by dn="uid=kerberos,ou=System,dc=test,dc=al" write 
-#    by dn="uid=samba,ou=System,dc=test,dc=al" =w 
-#    by dn="uid=remoteroot,ou=System,dc=test,dc=al" =w 
-#    by * none 
- 
- 
-# We will be using userPassword to provide simple BIND access and updating all passwords by smbk5pwd 
-access to attrs=userPassword 
-    by anonymous auth 
-    by dn="uid=samba,ou=System,dc=example,dc=com" =w 
-    by dn="uid=remoteroot,ou=System,dc=example,dc=com" =w 
-    by dn="uid=dovecot,ou=System,dc=example,dc=com" read 
-    by dn="uid=saslauthd,ou=System,dc=example,dc=com" read 
-    by dn="uid=jabber,ou=System,dc=example,dc=com" read 
-    by self =w 
-    by * none 
- 
-# Samba password hashes and other options 
-access to attrs=sambaLMPassword,sambaNTPassword,sambaAcctFlags,sambaPwdLastSet,sambaPwdMustChange 
-    by dn="uid=samba,ou=System,dc=example,dc=com" write 
-    by dn="uid=sambaboss,ou=System,dc=example,dc=com" read 
-    by dn="uid=kerberos,ou=System,dc=example,dc=com" read 
-    by * none 
- 
-# Kerberos only entries 
-access to dn.subtree="ou=Kerberos,dc=example,dc=com" 
-    by dn="uid=kerberos,ou=System,dc=example,dc=com" write 
- 
-# Domain member computers 
-access to dn.subtree="ou=Hosts,dc=example,dc=com" 
-    by dn="uid=samba,ou=System,dc=example,dc=com" write 
-    by dn="uid=sambaboss,ou=System,dc=example,dc=com" read 
-    by dn="uid=nssproxy,ou=System,dc=example,dc=com" read 
- 
-# Samba domain parameters 
-access to dn="sambaDomainName=EXAMPLE,dc=example,dc=com" 
-    by dn="uid=samba,ou=System,dc=example,dc=com" write 
-    by dn="uid=sambaboss,ou=System,dc=example,dc=com" read 
- 
-access to dn.subtree="ou=People,dc=example,dc=com" 
-    by dn="uid=samba,ou=System,dc=example,dc=com" write 
-    by dn="uid=remoteroot,ou=System,dc=example,dc=com" write 
-    by users read 
-     
-access to dn.subtree="ou=Group,dc=example,dc=com" 
-    by dn="uid=remoteroot,ou=System,dc=example,dc=com" write 
-    by users read 
- 
-# Anything else we may have forgotten is writable by admin, and viewable by authenticated users 
-# anonymous auth for SASL authz search... 
-access to dn.subtree="dc=example,dc=com" 
- by anonymous auth 
-    by users read 
-#    by dn="uid=kerberos,ou=System,dc=example,dc=com" write 
-#    by dn="uid=samba,ou=System,dc=example,dc=com" write 
-</file> 
- 
-Saslauthd configuration (remember friends leave pwcheck_method: saslauthd to /etc/sasl/slapd.conf and -a ldap to saslauthd): 
- 
-<file bash saslauthd.conf> 
-ldap_servers: ldapi:// 
-ldap_bind_dn: uid=saslauthd,ou=System,dc=example,dc=com 
-ldap_password: haslo 
-ldap_search_base: dc=example,dc=com 
-ldap_mech: SIMPLE 
-ldap_auth_method: bind 
-</file> 
- 
-Configure LDAP client tools (ldapsearch, ldapvi etc.) - /etc/ldap/ldap.conf: 
- 
-<file bash ldap.conf> 
-BASE dc=example,dc=com 
-URI ldapi:// 
-TLS_CACERTDIR /etc/ssl/certs/ 
-TLS_REQCERT never 
-</file> 
- 
- 
  