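#
# slapd.conf -- OpenLDAP standalone server configuration (slapd.conf(5)).
# This file should NOT be world readable: it carries the rootpw hash.
# Directives are one per line; a line starting with whitespace continues
# the previous directive.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/misc.schema

# Allow LDAPv2 client connections. This is NOT the default.
# NOTE(review): LDAPv2 is obsolete and cannot use StartTLS or SASL, so
# v2 clients always bind in cleartext. Remove this line unless a legacy
# client still requires it.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules (all disabled here):
# modulepath /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# NOTE(review): with all three directives commented out, every simple bind
# (including the userPassword "auth" access granted below) and every search
# result cross the network in cleartext. Enable TLS before exposing this
# server beyond localhost, then enforce it with the "security" directive.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 64-bit encryption for simple bind
# (simple_bind only takes effect once TLS or a SASL mechanism with
# confidentiality is available; otherwise simple binds are refused.)
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#	by self write
#	by users read
#	by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

# NOTE(review): back-bdb is deprecated and was removed in OpenLDAP 2.5;
# new deployments should use "database mdb". Changing the backend also
# changes the on-disk format, so migrate with slapcat/slapadd.
database bdb
suffix "dc=example-fedora,dc=jp"
rootdn "cn=Manager,dc=example-fedora,dc=jp"

# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# NOTE(review): the {MD5} scheme below is unsalted and fast to brute-force.
# Regenerate with a salted scheme, e.g. "slappasswd -h '{SSHA}'", and
# replace the value; better still, authenticate the rootdn via SASL
# (e.g. EXTERNAL over ldapi://) and omit rootpw entirely.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw {MD5}Fh69fUUImzRG7k4NhtvPkg==

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# Replicas of this database
# NOTE(review): replogfile/replica belong to the obsolete slurpd mechanism;
# current releases replicate with syncrepl (and the syncprov overlay).
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#	bindmethod=sasl saslmech=GSSAPI
#	authcId=host/ldap-master.example.com@EXAMPLE.COM

# Access control. Rules are evaluated in order and the first "access to"
# clause that matches the target wins, so the userPassword rule must come
# before the catch-all. The rootdn bypasses ACLs, so no explicit clause for
# cn=Manager is needed (or effective) here.

# userPassword: the owner may change it, anyone may use it to bind
# (the "auth" privilege permits comparison but not reading), nobody else
# may read it.
access to attrs=userPassword
	by self write
	by anonymous auth
	by * none

# Everything else: owners may modify their own entry; any client,
# including unauthenticated ones, may read all remaining attributes.
# NOTE(review): "by * read" exposes the whole tree (uidNumber, memberUid,
# NIS maps, mail, ...) to anonymous searches. If clients are able to bind,
# prefer "by users read" plus "by anonymous auth" as in the sample above.
access to *
	by self write
	by * read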