slapd.conf OpenLDAP Configuration File
[Configuration Files]

SYNOPSIS

slapd.conf is the main configuration file of OpenLDAP. An example configuration with comments is presented here, although OpenLDAP itself is not part of the Director.

Schema and objectClass definitions

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/misc.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /usr/share/sfidirector/etc/extraschema/evolutionperson.schema
include         /usr/share/sfidirector/etc/director.schema
include         /usr/share/sfidirector/etc/extraschema/samba.schema
include         /usr/share/sfidirector/etc/extraschema/autofs.schema

schemacheck on

Database entry

database        bdb
directory       "/var/ldap/"
lastmod         on
cachesize       10000
checkpoint      128 10

suffix          "dc=yourcompany,dc=example"

# protect passwords
access to attr=userpassword,ntpassword,lmpassword,sambantpassword,sambalmpassword by self write
        by dn="uid=root,ou=System Users,ou=people,dc=yourcompany,dc=example" write
        by dn="uid=ldaproot,ou=System Users,ou=people,dc=yourcompany,dc=example" write
        by * compare

# open read access to everything else, write for admins only
access to dn.sub="dc=yourcompany,dc=example" by self read
        by dn="uid=root,ou=System Users,ou=people,dc=yourcompany,dc=example" write
        by dn="uid=ldaproot,ou=System Users,ou=people,dc=yourcompany,dc=example" write
        by * read


index   uid,sfihostclass,macaddress,apprepository   eq
index   cn,ou,mail,surname,givenname            eq,subinitial,pres
index   appname                         eq,sub
index   apppackageprovides              eq
index   objectclass,uidNumber,gidNumber         eq,pres

DESCRIPTION

OpenLDAP is the database server most commonly used with the Director, so its configuration is explained here briefly. Note that there are various versions of OpenLDAP out there; unfortunately, the configuration shown here will not work with all of them.

Attributes

Together with your OpenLDAP installation a number of standard schema definition files have been installed. The Director requires the core, cosine, nis, misc and inetorgperson schemas, so you will have to complete the schema include directives near the start of the configuration file accordingly.

The Director then includes its own schema (director.schema) and a few third-party schema definitions such as evolutionperson, samba and autofs. Please include them as well.

Database backend

OpenLDAP supports several different database backend implementations. Current releases favour the bdb or hdb backends, both based on the Berkeley DB. Some OpenLDAP packages require you to explicitly load the respective backend module before you can use it for a database, for example:

  moduleload back_bdb

Later in the config file you start configuring a database tree for the Director:

  database bdb
  directory       "/var/ldap/"
  lastmod         on

where /var/ldap is the directory in which the database files are going to be stored. Please create this directory yourself. Depending on your distribution the OpenLDAP server will run under a special system user account, e.g. slapd. Make sure this user has read/write access to the database directory.

lastmod on enables the automatic generation of creation and last-modification time stamps. The Director does not use these time stamps, but sooner or later you might be glad to be able to see when records were modified.

Unfortunately, the BDB backend's default configuration is not safe; using it without additional parameters is highly dangerous - expect to lose modifications on restarts or crashes. At the very least enable checkpointing. Some minimal suggested parameters are:

  cachesize       10000
  checkpoint    128 10

Additionally, the BDB backend expects further configuration in a file called DB_CONFIG within the database directory. Suggested configuration therein:

  set_cachesize   0       2097152         0
  set_lg_bsize    524288
  set_lk_max_objects      5000
  set_lk_max_locks        5000
  set_lk_max_lockers      5000

OpenLDAP needs to know which part of its tree is to be stored in the database we are about to configure:

  suffix          "dc=yourcompany,dc=example"

Access rights

Access rules describe who gets access to the data stored in the database. Please think carefully about who will need access to your database - the example presented here is a rather open configuration.

The configuration requires a user named root and/or ldaproot to be present in the database, stored under a well-defined DN.

First of all we limit access to password attributes, since some of them contain weak hashes:

access to attr=userpassword,ntpassword,lmpassword,sambantpassword,sambalmpassword by self write
        by dn="uid=root,ou=System Users,ou=people,dc=yourcompany,dc=example" write
        by dn="uid=ldaproot,ou=System Users,ou=people,dc=yourcompany,dc=example" write
        by * compare

So the root and ldaproot users get full access to the password hashes, each user is allowed to read and change his own password attributes, and everyone else may only perform compare operations on them (used by a few applications for authentication purposes).

We allow rather open access to everything else:

access to dn.sub="dc=yourcompany,dc=example" by self write
        by dn="uid=root,ou=System Users,ou=people,dc=yourcompany,dc=example" write
        by dn="uid=ldaproot,ou=System Users,ou=people,dc=yourcompany,dc=example" write
        by * read

Everyone is allowed to update his own record, the root/ldaproot users may update everything, and everyone else (including anonymous users) gets read access. You probably want to limit anonymous access, for example by replacing the last line with

        by users read
        by * none

or, if you are not going to use your LDAP database for anything else, even drop the "by users read" part.

Also, the first "by" clause, which allows every user write access to his own record, is potentially dangerous. You might change "by self write" to "by self read", or at least limit the attributes to which you allow write access.
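The two suggestions above combined into one tighter rule set. This is an added example, not part of the original configuration: the self-service attribute list (mail, telephoneNumber, description) is an assumption, and anonymous clients are reduced to "auth" on the password attributes (the minimum a simple bind needs) while authenticated clients keep "compare" as in the original rule.

```conf
# Added example: hardened access rules (not from the original page).
# Rules are evaluated top-down: the first "access to" clause whose target
# matches decides, and within it the first matching "by" clause wins.

# 1. Password attributes. Users may change their own, the two admin
#    accounts may write, anonymous clients only get "auth" (enough for a
#    simple bind, but not for compare), authenticated clients may compare.
access to attrs=userPassword,ntPassword,lmPassword,sambaNTPassword,sambaLMPassword
        by self write
        by dn="uid=root,ou=System Users,ou=people,dc=yourcompany,dc=example" write
        by dn="uid=ldaproot,ou=System Users,ou=people,dc=yourcompany,dc=example" write
        by anonymous auth
        by * compare

# 2. Self-service: instead of the whole record, a user may only edit an
#    (assumed) small set of harmless attributes of his own entry.
access to dn.sub="dc=yourcompany,dc=example" attrs=mail,telephoneNumber,description
        by self write
        by dn="uid=root,ou=System Users,ou=people,dc=yourcompany,dc=example" write
        by dn="uid=ldaproot,ou=System Users,ou=people,dc=yourcompany,dc=example" write
        by users read
        by * none

# 3. Everything else: admins write, authenticated users (including the
#    entry owner) read, anonymous clients get nothing. "by * none" is what
#    slapd assumes at the end of every "by" list anyway; it is spelled out
#    here so the intent is visible.
access to dn.sub="dc=yourcompany,dc=example"
        by dn="uid=root,ou=System Users,ou=people,dc=yourcompany,dc=example" write
        by dn="uid=ldaproot,ou=System Users,ou=people,dc=yourcompany,dc=example" write
        by users read
        by * none
```

Individual decisions can be checked offline with slapacl(8) before reloading, e.g. `slapacl -u -f /etc/ldap/slapd.conf -D "uid=bob,ou=people,dc=yourcompany,dc=example" -b "uid=alice,ou=people,dc=yourcompany,dc=example" userPassword/read` (made-up DNs), which should report the read as denied under rule 1 because bob only gets "compare".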

Indexes

In order to get OpenLDAP to respond reasonably fast to the commonly used Director requests, a number of indexes should be set up:

  index   uid,sfihostclass,macaddress,apprepository   eq
  index   cn,ou,mail,surname,givenname            eq,subinitial,pres
  index   appname                         eq,sub
  index   apppackageprovides              eq
  index   objectclass,uidNumber,gidNumber         eq,pres

This list of suggested indexes may change in the future as new queries are implemented.


Generated on Sat May 19 01:19:48 2012 for Node Director by doxygen 1.4.5