Node Director
slapd.conf is the main configuration file of OpenLDAP. An example configuration with comments is presented here, although OpenLDAP itself is not part of the Director.
OpenLDAP is the database server most commonly used with the Director, so its configuration is explained here only briefly. Note that various versions of OpenLDAP are in use and, unfortunately, the configuration shown here will not work with all of them.
Together with your OpenLDAP installation a number of standard schema definition files have been installed. The Director requires the core, cosine, nis, misc and inetorgperson schemas, so you will have to extend the schema include directives near the start of the configuration file.
The Director then includes its own schema (director.schema) and a few third-party schema definitions such as evolutionperson, samba and autofs. Please include them as well.
OpenLDAP supports multiple different database backend implementations. Current releases favour the bdb or hdb backends, both based on the Berkeley DB. Some OpenLDAP packages require you to explicitly load the respective backend before you can use it for a database, e.g. like
Later in the config file you start configuring a database tree for the Director:
where /var/ldap is the directory where the database files are going to be stored. Please create this directory yourself. Depending on your distribution, the OpenLDAP server will run under a special system user account, e.g. slapd. Make sure this user has read/write access to the database directory.
Lastmod switches on the automatic generation of creation and last-modification time stamps. The Director does not use these time stamps, but sooner or later you may be glad to be able to see when records were modified.
Unfortunately, the BDB backend's default configuration is not safe; using it without additional parameters is highly dangerous, and you should expect to lose modifications on restarts or crashes. At least enable checkpointing. Some minimal suggested parameters are:
Additionally, the BDB backend expects further configuration in a file called DB_CONFIG within the database directory. Suggested configuration therein:
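As an added example that is not part of this page or of the Director project, a DB_CONFIG file for the Berkeley DB environment in the database directory (assumed here to be /var/ldap). The sizes are starting values that you should scale to your directory, and slapd reads the file when it opens the environment, so restart slapd after editing it:

```conf
# DB_CONFIG for the BDB environment in /var/ldap (directory is an assumption)

# In-memory cache: gigabytes, bytes, number of segments (2 MB here).
# The default cache is far too small; size it to hold your working set.
set_cachesize    0 2097152 0

# Size of the shared log region and of the in-memory log buffer
set_lg_regionmax 262144
set_lg_bsize     2097152

# Remove transaction log files once they are no longer needed for normal
# recovery. Convenient, but catastrophic recovery from archived logs is then
# impossible, so keep regular slapcat backups. Berkeley DB 4.7 and later
# spell this "log_set_config DB_LOG_AUTO_REMOVE on" instead.
set_flags        DB_LOG_AUTOREMOVE
```

The cache and checkpoint settings work together: checkpointing in slapd.conf bounds how much committed work can be lost on a crash, while the cache size here decides how much of that work stays in memory between checkpoints.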
OpenLDAP needs to know which part of its tree is to be stored in the database we are about to configure:
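The steps above, from the schema includes down to the suffix, as one slapd.conf fragment. This is an added example, not configuration taken from this page or from the Director project; the schema file paths, the module path, the base DN dc=example,dc=com and the root DN are assumptions you must adapt to your installation:

```conf
# --- Global section (paths assumed; adjust to your distribution) ---
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/inetorgperson.schema
# Director and third-party schemas named in the text (file names assumed)
include         /etc/openldap/schema/director.schema
include         /etc/openldap/schema/evolutionperson.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/autofs.schema

# Only needed where the package ships back_bdb as a loadable module;
# on builds with a statically linked backend leave these two lines out
modulepath      /usr/lib/openldap
moduleload      back_bdb

# --- Database section ---
database        bdb
# Part of the tree stored in this database (base DN is an assumption)
suffix          "dc=example,dc=com"
# Administrative entry; the access rules later on this page refer to a user
# like this, which must exist in the database (DN is an assumption)
rootdn          "cn=root,dc=example,dc=com"
# Database files live here; create the directory and make it writable by
# the slapd service account before the first start
directory       /var/ldap
# Record createTimestamp / modifyTimestamp on every entry
lastmod         on
# Flush a transaction checkpoint every 512 KB of log or every 30 minutes,
# whichever comes first; without this, changes may be lost on a crash
checkpoint      512 30
```

Before starting the server, `slaptest -f /etc/openldap/slapd.conf` parses the file and reports missing schema files or unknown directives, which is much easier to read than the startup failure of slapd itself.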
Access rules describe who gets access to the data stored in the database. Please think carefully about who will need access to your database - the example presented here is a rather open configuration.
The configuration requires a user named root and/or ldaproot to be present in the database, stored under a well-defined DN.
First of all we limit access to password attributes, since some of them contain weak hashes:
So the root and ldaproot users get full access to the password hashes, each user is allowed to read and change their own password records, and everyone else can only compare entries (used by a few applications for authentication purposes).
We allow rather open access to everything else:
Everyone is allowed to update their own record, the root/ldaproot users may update everything, and everyone else (including anonymous users) gets read access. You probably want to limit anonymous access, maybe replacing the last line by
or, if you are not going to use your LDAP database for anything else, even dropping the "by users read" part of it.
Also, the first entry, allowing every user write access to their own record, is potentially dangerous. You might change "by self write" to "by self read", or at least limit the attributes you allow write access to.
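The access rules discussed above, written out as an added example (not the page's or the Director's own configuration), with the open variant shown in comments next to the tightened one. The administrator DNs, the base DN, the exact password attribute names and the list of self-writable attributes are assumptions:

```conf
# Rules are evaluated in order: the first "access to" clause that matches the
# target decides, and within it the first matching "by" line wins.

# 1. Password attributes. sambaLMPassword carries the LM hash, which is weak,
#    so nobody but the administrators may read any of these. "compare" also
#    grants "auth", which is what a bind needs to check the password.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn.exact="cn=root,dc=example,dc=com"     write
        by dn.exact="cn=ldaproot,dc=example,dc=com" write
        by self write
        by * compare

# 2. Attributes a user may maintain on their own entry (list assumed).
#    This replaces the blanket "by self write" of the open configuration.
access to attrs=mail,telephoneNumber,description
        by dn.exact="cn=root,dc=example,dc=com"     write
        by dn.exact="cn=ldaproot,dc=example,dc=com" write
        by self write
        by users read

# 3. Everything else. The open variant described in the text reads
#        by self write
#        by * read
#    which lets anonymous clients read the whole tree and every user rewrite
#    any attribute of their own entry. Tightened: authenticated users read,
#    anonymous clients get nothing (the implicit final "by * none").
access to *
        by dn.exact="cn=root,dc=example,dc=com"     write
        by dn.exact="cn=ldaproot,dc=example,dc=com" write
        by users read
```

Clause 2 must precede the `access to *` clause, otherwise it is never reached. If you drop `by users read` from clause 3 as the text suggests, ordinary users can still bind (clause 1) but will see nothing beyond their own password and self-writable attributes, so check that every client the Director relies on binds as one of the administrative DNs.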
In order to get OpenLDAP to respond reasonably fast to the commonly used Director requests, a number of indexes should be set up:
This list of suggested indexes may change in the future as new queries are going to be implemented.
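An added example of index directives for the database section, not taken from this page or the Director project. The page does not list which attributes the Director queries, so the attribute selection below is an assumption based on typical account, group and host lookups against the nis and inetorgperson schemas:

```conf
# Index types: "eq" serves exact matches, "sub" substring searches such as
# (cn=*smith*), "pres" presence filters such as (mail=*).
# objectClass is searched in almost every query and must always be indexed.
index   objectClass                 eq
# Account lookups by login name and numeric ids (nis schema)
index   uid,uidNumber,gidNumber     eq
# Group membership lookups (posixGroup)
index   memberUid                   eq
# Name and address searches, including substring matches
index   cn,sn,mail                  eq,sub
# Organisational unit lookups
index   ou                          eq
```

Index directives only apply to entries written after they were added. For an existing database, stop slapd and run `slapindex` to build the new indexes, then start it again; otherwise the searches stay unindexed and slapd logs a warning about the unindexed attribute when the stats log level (256) is active.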