====== Ubuntu - LDAP - OpenLDAP Server Configuration ======

OpenLDAP server configuration

The configuration file: slapd.conf

**NOTE**:  This example includes extensive ACL for a number of services, including Kerberos (Heimdal), and Samba.

<file bash slapd.conf>
# Includes.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/krb5-kdc.schema
include         /etc/openldap/schema/lpk.schema

modulepath      /usr/lib/openldap/openldap

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
sizelimit	1000
loglevel	none
# stats

moduleload smbk5pwd.so

localSSF	256
# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
#security ssf=1 update_ssf=112 simple_bind=64
#security ssf=0 update_ssf=112 simple_bind=0
security ssf=1 update_ssf=64 simple_bind=64
#security ssf=0
#security simple_bind=64

TLSCACertificateFile    /etc/ssl/certs/ca-cert.pem
TLSCertificateFile      /etc/openldap/ssl/ldap.example.com.pem
TLSCertificateKeyFile   /etc/openldap/ssl/ldap.example.com.key
TLSDHParamFile		/etc/openldap/ssl/dh.pem
TLSVerifyClient never
TLSCRLCheck	none

######## MAIN DATABASE DEFINITION #########
database        bdb
directory	/var/lib/openldap-data
suffix          "dc=example,dc=com"
rootdn          "uid=ldapmaster,ou=System,dc=example,dc=com"
checkpoint      32      30 # <kbyte> <min>
lastmod		on

overlay         smbk5pwd

# Indices to maintain
index   default     eq,pres
index   objectClass             eq
index   uid,uidNumber,gidNumber eq
index   cn,sn,givenname,mail,displayName    eq,pres,sub
index   memberUid,uniqueMember
# Kerberos indexes
index   krb5PrincipalName,krb5PrincipalRealm
# Samba indexes
index    sambaSID    eq,sub
index    sambaPrimaryGroupSID    eq
index    sambaDomainName,sambaGroupType,sambaSIDList    eq

#password-hash {CLEARTEXT}

# Sasl configuration
sasl-host       ldap.example.com
sasl-realm      EXAMPLE.COM
sasl-secprops	none

# Mapping of SASL authentication identities to LDAP entries
sasl-regexp
    uid=(.+),cn=(.+),cn=.+,cn=auth
    ldap:///dc=example,dc=com??sub?(|(uid=$1)(cn=$1@$2))
# Kerberos authenticated users
sasl-regexp
    uid=(.+),cn=.+,cn=auth
    ldap:///dc=example,dc=com??sub?(|(uid=$1)(krb5PrincipalName=$1@EXAMPLE.COM))
# Kerberos
sasl-regexp
    gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
    "uid=kerberos,ou=System,dc=example,dc=com"
#    uidNumber=0\\\+gidNumber=0,cn=peercred,cn=external,cn=auth

# Access controll lists
#
#nssproxy - user for nss and pam(not root)
#samba - samba server
#remoteroot - user for changing passwords and creating users
#kerberos - user for kerberos server
#dovecot - dovecot auth daemon (DIGEST-MD5 requires cleartext password
#jabber - jabber server (see above)
#saslauthd - saslauthd auth server (see above), currently unussed - not working yet

# posixAccount/posixGroup attributes may only be accessible to root/ldapmaster and samba (write) and pamproxy (read)
access to attrs=uidNumber,gidNumber,gecos,homeDirectory,loginShell,memberUid
    by dn="uid=nssproxy,ou=System,dc=example,dc=com" read
    by dn="uid=remoteroot,ou=System,dc=example,dc=com" write
    by dn="uid=samba,ou=System,dc=example,dc=com" write
    by users read

# This is needed so sasl-regexp/GSSAPI works correctly
access to attrs=krb5PrincipalName,uid
    by dn="uid=samba,ou=System,dc=example,dc=com" write
    by dn="uid=kerberos,ou=System,dc=example,dc=com" write
    by dn="uid=remoteroot,ou=System,dc=example,dc=com" write
    by anonymous auth
    by users read

# Kerberos (HEIMDAL) attributes may only be accessible to kerberos and samba (smbldap-tools)
access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmName
    by dn="uid=kerberos,ou=System,dc=example,dc=com" write
    by dn="uid=samba,ou=System,dc=example,dc=com" =w
    by dn="uid=remoteroot,ou=System,dc=example,dc=com" =w
    by * none
    
# Kerberos (MIT) attributes may only be accessible to kerberos and samba (smbldap-tools)
#access to attrs=krbLoginFailedCount,krbMaxTicketLife,krbMaxRenewableAge,krbTicketFlags,krbPrincipalExpiration,krbPrincipalKey,krbLastPwdChange,krbExtraData,krbPasswordExpiration
#    by dn="uid=kerberos,ou=System,dc=test,dc=al" write
#    by dn="uid=samba,ou=System,dc=test,dc=al" =w
#    by dn="uid=remoteroot,ou=System,dc=test,dc=al" =w
#    by * none


# We will be using userPassword to provide simple BIND access and updating all passwords by smbk5pwd
access to attrs=userPassword
    by anonymous auth
    by dn="uid=samba,ou=System,dc=example,dc=com" =w
    by dn="uid=remoteroot,ou=System,dc=example,dc=com" =w
    by dn="uid=dovecot,ou=System,dc=example,dc=com" read
    by dn="uid=saslauthd,ou=System,dc=example,dc=com" read
    by dn="uid=jabber,ou=System,dc=example,dc=com" read
    by self =w
    by * none

# Samba password hashes and other options
access to attrs=sambaLMPassword,sambaNTPassword,sambaAcctFlags,sambaPwdLastSet,sambaPwdMustChange
    by dn="uid=samba,ou=System,dc=example,dc=com" write
    by dn="uid=sambaboss,ou=System,dc=example,dc=com" read
    by dn="uid=kerberos,ou=System,dc=example,dc=com" read
    by * none

# Kerberos only entries
access to dn.subtree="ou=Kerberos,dc=example,dc=com"
    by dn="uid=kerberos,ou=System,dc=example,dc=com" write

# Domain member computers
access to dn.subtree="ou=Hosts,dc=example,dc=com"
    by dn="uid=samba,ou=System,dc=example,dc=com" write
    by dn="uid=sambaboss,ou=System,dc=example,dc=com" read
    by dn="uid=nssproxy,ou=System,dc=example,dc=com" read

# Samba domain parameters
access to dn="sambaDomainName=EXAMPLE,dc=example,dc=com"
    by dn="uid=samba,ou=System,dc=example,dc=com" write
    by dn="uid=sambaboss,ou=System,dc=example,dc=com" read

access to dn.subtree="ou=People,dc=example,dc=com"
    by dn="uid=samba,ou=System,dc=example,dc=com" write
    by dn="uid=remoteroot,ou=System,dc=example,dc=com" write
    by users read
    
access to dn.subtree="ou=Group,dc=example,dc=com"
    by dn="uid=remoteroot,ou=System,dc=example,dc=com" write
    by users read

# Anything else we may have forgotten is writable by admin, and viewable by authenticated users
# anonymous auth for SASL authz search...
access to dn.subtree="dc=example,dc=com"
	by anonymous auth
    by users read
#    by dn="uid=kerberos,ou=System,dc=example,dc=com" write
#    by dn="uid=samba,ou=System,dc=example,dc=com" write
</file>

Saslauthd configuration (remember friends leave pwcheck_method: saslauthd to /etc/sasl/slapd.conf and -a ldap to saslauthd):

<file bash saslauthd.conf>
ldap_servers: ldapi://
ldap_bind_dn: uid=saslauthd,ou=System,dc=example,dc=com
ldap_password: haslo
ldap_search_base: dc=example,dc=com
ldap_mech: SIMPLE
ldap_auth_method: bind
</file>

Configure LDAP client tools (ldapsearch, ldapvi etc.) - /etc/ldap/ldap.conf:

<file bash ldap.conf>
BASE	dc=example,dc=com
URI	ldapi://
TLS_CACERTDIR	/etc/ssl/certs/
TLS_REQCERT never
</file>