OpenLDAP server configuration
The configuration file: slapd.conf
NOTE: This example includes extensive ACLs for a number of services, including Kerberos (Heimdal) and Samba.
    # Includes.
    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/nis.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/samba.schema
    include /etc/openldap/schema/java.schema
    include /etc/openldap/schema/krb5-kdc.schema
    include /etc/openldap/schema/lpk.schema

    modulepath /usr/lib/openldap/openldap
    pidfile /var/run/openldap/slapd.pid
    argsfile /var/run/openldap/slapd.args
    sizelimit 1000
    loglevel none
    #loglevel stats
    moduleload smbk5pwd.so
    # ldapi:// (local socket) connections are treated as if protected by a 256-bit cipher
    localSSF 256

    # Sample security restrictions
    # Require integrity protection (prevent hijacking)
    # Require 112-bit (3DES or better) encryption for updates
    # Require 64-bit encryption for simple bind
    #security ssf=1 update_ssf=112 simple_bind=64
    #security ssf=0 update_ssf=112 simple_bind=0
    # Active policy: some protection for any operation, 64 bits for updates and
    # simple binds. Cleartext ldap:// simple binds are refused; ldapi:// and TLS pass.
    security ssf=1 update_ssf=64 simple_bind=64
    #security ssf=0
    #security simple_bind=64

    TLSCACertificateFile /etc/ssl/certs/ca-cert.pem
    TLSCertificateFile /etc/openldap/ssl/ldap.example.com.pem
    TLSCertificateKeyFile /etc/openldap/ssl/ldap.example.com.key
    TLSDHParamFile /etc/openldap/ssl/dh.pem
    TLSVerifyClient never
    TLSCRLCheck none

    ######## MAIN DATABASE DEFINITION #########
    database bdb
    directory /var/lib/openldap-data
    suffix "dc=example,dc=com"
    rootdn "uid=ldapmaster,ou=System,dc=example,dc=com"
    # checkpoint <kbyte> <min>
    checkpoint 32 30
    lastmod on
    overlay smbk5pwd

    # Indices to maintain
    index default eq,pres
    index objectClass eq
    index uid,uidNumber,gidNumber eq
    index cn,sn,givenname,mail,displayName eq,pres,sub
    index memberUid,uniqueMember
    # Kerberos indexes
    index krb5PrincipalName,krb5PrincipalRealm
    # Samba indexes
    index sambaSID eq,sub
    index sambaPrimaryGroupSID eq
    index sambaDomainName,sambaGroupType,sambaSIDList eq

    #password-hash {CLEARTEXT}

    # Sasl configuration
    sasl-host ldap.example.com
    sasl-realm EXAMPLE.COM
    sasl-secprops none

    # Mapping of SASL authentication identities to LDAP entries (first matching rule wins)
    sasl-regexp uid=(.+),cn=(.+),cn=.+,cn=auth
        ldap:///dc=example,dc=com??sub?(|(uid=$1)(cn=$1@$2))
    # Kerberos authenticated users
    sasl-regexp uid=(.+),cn=.+,cn=auth
        ldap:///dc=example,dc=com??sub?(|(uid=$1)(krb5PrincipalName=$1@EXAMPLE.COM))
    # Kerberos KDC: root connecting over ldapi:// with SASL EXTERNAL (peer credentials)
    sasl-regexp gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
        "uid=kerberos,ou=System,dc=example,dc=com"
    # uidNumber=0\\\+gidNumber=0,cn=peercred,cn=external,cn=auth

    # Access control lists
    #
    #nssproxy - user for nss and pam (not root)
    #samba - samba server
    #remoteroot - user for changing passwords and creating users
    #kerberos - user for kerberos server
    #dovecot - dovecot auth daemon (DIGEST-MD5 requires the cleartext password)
    #jabber - jabber server (see above)
    #saslauthd - saslauthd auth server (see above), currently unused - not working yet

    # posixAccount/posixGroup attributes: remoteroot and samba may write, nssproxy and every
    # other authenticated user may read; the rootdn (ldapmaster) bypasses ACLs entirely
    access to attrs=uidNumber,gidNumber,gecos,homeDirectory,loginShell,memberUid
        by dn="uid=nssproxy,ou=System,dc=example,dc=com" read
        by dn="uid=remoteroot,ou=System,dc=example,dc=com" write
        by dn="uid=samba,ou=System,dc=example,dc=com" write
        by users read

    # This is needed so sasl-regexp/GSSAPI works correctly
    access to attrs=krb5PrincipalName,uid
        by dn="uid=samba,ou=System,dc=example,dc=com" write
        by dn="uid=kerberos,ou=System,dc=example,dc=com" write
        by dn="uid=remoteroot,ou=System,dc=example,dc=com" write
        by anonymous auth
        by users read

    # Kerberos (Heimdal) attributes may only be accessed by kerberos (read/write) and
    # samba and remoteroot (smbldap-tools); "=w" grants write only, without read
    access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmName
        by dn="uid=kerberos,ou=System,dc=example,dc=com" write
        by dn="uid=samba,ou=System,dc=example,dc=com" =w
        by dn="uid=remoteroot,ou=System,dc=example,dc=com" =w
        by * none

    # Kerberos (MIT) attributes may only be accessed by kerberos and samba (smbldap-tools)
    #access to attrs=krbLoginFailedCount,krbMaxTicketLife,krbMaxRenewableAge,krbTicketFlags,krbPrincipalExpiration,krbPrincipalKey,krbLastPwdChange,krbExtraData,krbPasswordExpiration
    #    by dn="uid=kerberos,ou=System,dc=test,dc=al" write
    #    by dn="uid=samba,ou=System,dc=test,dc=al" =w
    #    by dn="uid=remoteroot,ou=System,dc=test,dc=al" =w
    #    by * none

    # We use userPassword for simple BIND access; smbk5pwd updates all password forms on change.
    # "by anonymous auth" lets slapd check the password at bind time without exposing it.
    access to attrs=userPassword
        by anonymous auth
        by dn="uid=samba,ou=System,dc=example,dc=com" =w
        by dn="uid=remoteroot,ou=System,dc=example,dc=com" =w
        by dn="uid=dovecot,ou=System,dc=example,dc=com" read
        by dn="uid=saslauthd,ou=System,dc=example,dc=com" read
        by dn="uid=jabber,ou=System,dc=example,dc=com" read
        by self =w
        by * none

    # Samba password hashes and other options
    access to attrs=sambaLMPassword,sambaNTPassword,sambaAcctFlags,sambaPwdLastSet,sambaPwdMustChange
        by dn="uid=samba,ou=System,dc=example,dc=com" write
        by dn="uid=sambaboss,ou=System,dc=example,dc=com" read
        by dn="uid=kerberos,ou=System,dc=example,dc=com" read
        by * none

    # Kerberos only entries
    access to dn.subtree="ou=Kerberos,dc=example,dc=com"
        by dn="uid=kerberos,ou=System,dc=example,dc=com" write

    # Domain member computers
    access to dn.subtree="ou=Hosts,dc=example,dc=com"
        by dn="uid=samba,ou=System,dc=example,dc=com" write
        by dn="uid=sambaboss,ou=System,dc=example,dc=com" read
        by dn="uid=nssproxy,ou=System,dc=example,dc=com" read

    # Samba domain parameters
    access to dn="sambaDomainName=EXAMPLE,dc=example,dc=com"
        by dn="uid=samba,ou=System,dc=example,dc=com" write
        by dn="uid=sambaboss,ou=System,dc=example,dc=com" read

    access to dn.subtree="ou=People,dc=example,dc=com"
        by dn="uid=samba,ou=System,dc=example,dc=com" write
        by dn="uid=remoteroot,ou=System,dc=example,dc=com" write
        by users read

    access to dn.subtree="ou=Group,dc=example,dc=com"
        by dn="uid=remoteroot,ou=System,dc=example,dc=com" write
        by users read

    # Anything else we may have forgotten is writable by the admin (the rootdn bypasses ACLs)
    # and viewable by authenticated users
    # anonymous auth for SASL authz search...
    access to dn.subtree="dc=example,dc=com"
        by anonymous auth
        by users read
    #    by dn="uid=kerberos,ou=System,dc=example,dc=com" write
    #    by dn="uid=samba,ou=System,dc=example,dc=com" write
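Two parts of the file above are easy to get wrong: the order of the sasl-regexp rules (the first one that matches wins and "$n" is filled from its capture groups) and the order of the access directives (the first "access to" whose selector covers the target is the only one consulted; within it the first matching "by" clause decides, and a requester no clause matches falls into the implicit "by * none"; "=w" grants write without read). The following Python model is an added example, not OpenLDAP code. It loads a subset of the directives above (the samba, ou=Hosts, sambaDomainName and ou=Group ones are omitted), anchors the regexps to the whole identity, ignores dn.exact versus regex styles and the entry/children pseudo-attributes, and the entry DNs and identities it is queried with (uid=alice, uid=bob under ou=People) are constructed for the example.

```python
"""Simplified model of two things slapd does with the slapd.conf above: the
sasl-regexp identity mapping and first-match ACL evaluation.  Added example,
not OpenLDAP code; DNs, identities and operations below are constructed."""
import re

BASE = "dc=example,dc=com"
SYSTEM = "ou=System," + BASE

def sysdn(user):
    # <who> selector for a service account under ou=System (exact DN match)
    return "dn=uid=%s,%s" % (user, SYSTEM)

# sasl-regexp rules in config order; slapd uses the first one that matches.
# '\+' is Python regex escaping for the literal '+' in the peercred identity.
AUTHZ_REGEXP = [
    (r"uid=(.+),cn=(.+),cn=.+,cn=auth",
     "ldap:///dc=example,dc=com??sub?(|(uid=$1)(cn=$1@$2))"),
    (r"uid=(.+),cn=.+,cn=auth",
     "ldap:///dc=example,dc=com??sub?(|(uid=$1)(krb5PrincipalName=$1@EXAMPLE.COM))"),
    (r"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth",
     "uid=kerberos," + SYSTEM),
]

def authz_map(authzid):
    """DN or search URL slapd derives for a SASL identity; None if no rule matches.
    Simplification: anchored, case-sensitive match against the whole identity."""
    for pattern, target in AUTHZ_REGEXP:
        m = re.fullmatch(pattern, authzid)
        if m:
            for i, group in enumerate(m.groups(), 1):
                target = target.replace("$%d" % i, group)
            return target
    return None

# Access levels as privilege sets: each named level implies the ones below it,
# while "=w" grants the write privilege alone (no read, search or compare).
LEVELS = {"none": set(), "auth": set("xd"), "compare": set("cxd"), "search": set("scxd"),
          "read": set("rscxd"), "write": set("wrscxd"), "=w": {"w"}}
NEEDS = {"auth": "x", "compare": "c", "search": "s", "read": "r", "write": "w"}

# (dn.subtree or None, attrs or None, ordered <by> clauses) in config order;
# the samba, ou=Hosts, sambaDomainName and ou=Group directives are omitted.
ACLS = [
    (None, {"uidNumber", "gidNumber", "gecos", "homeDirectory", "loginShell", "memberUid"},
     [(sysdn("nssproxy"), "read"), (sysdn("remoteroot"), "write"),
      (sysdn("samba"), "write"), ("users", "read")]),
    (None, {"krb5PrincipalName", "uid"},
     [(sysdn("samba"), "write"), (sysdn("kerberos"), "write"), (sysdn("remoteroot"), "write"),
      ("anonymous", "auth"), ("users", "read")]),
    (None, {"krb5KeyVersionNumber", "krb5PrincipalRealm", "krb5EncryptionType", "krb5KDCFlags",
            "krb5Key", "krb5MaxLife", "krb5MaxRenew", "krb5PasswordEnd", "krb5ValidEnd",
            "krb5ValidStart", "krb5RealmName"},
     [(sysdn("kerberos"), "write"), (sysdn("samba"), "=w"), (sysdn("remoteroot"), "=w"), ("*", "none")]),
    (None, {"userPassword"},
     [("anonymous", "auth"), (sysdn("samba"), "=w"), (sysdn("remoteroot"), "=w"),
      (sysdn("dovecot"), "read"), (sysdn("saslauthd"), "read"), (sysdn("jabber"), "read"),
      ("self", "=w"), ("*", "none")]),
    ("ou=Kerberos," + BASE, None, [(sysdn("kerberos"), "write")]),
    ("ou=People," + BASE, None,
     [(sysdn("samba"), "write"), (sysdn("remoteroot"), "write"), ("users", "read")]),
    (BASE, None, [("anonymous", "auth"), ("users", "read")]),
]

def in_subtree(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def who_matches(who, requester, entry_dn):
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return requester is not None and requester.lower() == who[3:].lower()
    raise ValueError("unsupported <who> selector: " + who)

def allowed(requester, entry_dn, attr, op):
    """True if slapd would grant op (auth/compare/search/read/write) on attr of entry_dn."""
    for dn_sel, attrs, by_clauses in ACLS:
        if dn_sel is not None and not in_subtree(entry_dn, dn_sel):
            continue
        if attrs is not None and attr.lower() not in {a.lower() for a in attrs}:
            continue
        # First <what> that selects the target wins; then first matching <who>; else implicit "by * none".
        for who, level in by_clauses:
            if who_matches(who, requester, entry_dn):
                return NEEDS[op] in LEVELS[level]
        return False
    return False  # no directive selected the target: denied

if __name__ == "__main__":
    alice = "uid=alice,ou=People," + BASE  # constructed entry, not from the page
    print(authz_map("uid=alice,cn=EXAMPLE.COM,cn=gssapi,cn=auth"))
    print(allowed(None, alice, "userPassword", "auth"),   # simple bind: allowed
          allowed(alice, alice, "userPassword", "read"))  # own hash: denied (=w only)
```

Two results worth noticing: an ordinary authenticated user can read everyone's uidNumber/gidNumber through the "by users read" clause of the posixAccount directive, whatever the comment says about nssproxy, and no ordinary user can read anything under ou=Kerberos, because that subtree's directive is selected first and never reaches the catch-all "by users read". Against a real server the authoritative check is slapacl(8), which reads slapd.conf and evaluates the same rules, for instance `slapacl -f /etc/openldap/slapd.conf -D "uid=jabber,ou=System,dc=example,dc=com" -b "uid=alice,ou=People,dc=example,dc=com" userPassword/read` (add `-u` to evaluate against a fake entry when the DN does not exist yet).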
Saslauthd configuration (remember to keep pwcheck_method: saslauthd in /etc/sasl/slapd.conf and to start saslauthd with -a ldap). The file holds the bind password in cleartext, so make it readable only by the user saslauthd runs as:
    ldap_servers: ldapi://
    ldap_bind_dn: uid=saslauthd,ou=System,dc=example,dc=com
    ldap_password: haslo
    ldap_search_base: dc=example,dc=com
    ldap_mech: SIMPLE
    ldap_auth_method: bind
Configure the LDAP client tools (ldapsearch, ldapvi etc.) in /etc/ldap/ldap.conf:

    BASE dc=example,dc=com
    URI ldapi://
    TLS_CACERTDIR /etc/ssl/certs/
    TLS_REQCERT never

TLS_REQCERT never turns off server certificate verification. That does not matter while URI points at the local ldapi:// socket, but set it back to demand (the default) before using ldaps:// or -ZZ against a remote server, otherwise the clients will happily talk to anyone presenting any certificate.