• yum安装openldap,slapd.conf文件


    操作系统:CentOS release 6.10 (Final)
    版本:OpenLDAP: slapd 2.4.40

    硬性硬件配置要求
    内存 4GB
    CPU 2核
    系统盘 50GB
    数据盘 200GB

    #
    # See slapd.conf(5) for details on configuration options.
    # This file should NOT be world readable.
    #
    
    # Schema files.  Later files build on attribute types defined in earlier
    # ones (e.g. inetorgperson on cosine), so keep this order.  slapd refuses
    # to start if any included file is missing.
    # NOTE(review): sudo.schema, openssh-lpk-openldap.schema and ldapns.schema
    # are not part of the stock CentOS openldap-servers package and have to be
    # copied into /etc/openldap/schema by hand -- confirm on the target host.
    include     /etc/openldap/schema/corba.schema
    include     /etc/openldap/schema/core.schema
    include     /etc/openldap/schema/cosine.schema
    include     /etc/openldap/schema/duaconf.schema
    include     /etc/openldap/schema/dyngroup.schema
    include     /etc/openldap/schema/inetorgperson.schema
    include     /etc/openldap/schema/java.schema
    include     /etc/openldap/schema/misc.schema
    include     /etc/openldap/schema/nis.schema
    include     /etc/openldap/schema/openldap.schema
    include     /etc/openldap/schema/ppolicy.schema
    include     /etc/openldap/schema/collective.schema
    include     /etc/openldap/schema/sudo.schema
    include     /etc/openldap/schema/openssh-lpk-openldap.schema
    include     /etc/openldap/schema/ldapns.schema
    
    
    # Allow LDAPv2 client connections.  This is NOT the default.
    # NOTE(review): LDAPv2 is obsolete and has no StartTLS; keep this line only
    # while an LDAPv2-only client is actually in use, and drop it afterwards.
    allow bind_v2
    
    # Do not enable referrals until AFTER you have a working directory
    # service AND an understanding of referrals.
    #referral   ldap://root.openldap.org
    
    # Files slapd writes at start-up: its process id and its command line.
    pidfile     /var/run/openldap/slapd.pid
    argsfile    /var/run/openldap/slapd.args
    
    # Load dynamic backend modules
    # - modulepath is architecture dependent value (32/64-bit system)
    # - back_sql.la overlay requires openldap-server-sql package
    # - dyngroup.la and dynlist.la cannot be used at the same time
    # Only three overlays are loaded below: memberof and ppolicy, both
    # configured in the bdb database section of this file, and refint, which
    # is loaded but never enabled with an "overlay refint" line anywhere here.
    
    # modulepath /usr/lib/openldap
    modulepath /usr/lib64/openldap
    
    # moduleload accesslog.la
    # moduleload auditlog.la
    # moduleload back_sql.la
    # moduleload chain.la
    # moduleload collect.la
    # moduleload constraint.la
    # moduleload dds.la
    # moduleload deref.la
    # moduleload dyngroup.la
    # moduleload dynlist.la
    moduleload memberof.la
    # moduleload pbind.la
    # moduleload pcache.la
    moduleload ppolicy.la
    moduleload refint.la
    # moduleload retcode.la
    # moduleload rwm.la
    # moduleload seqmod.la
    # moduleload smbk5pwd.la
    # moduleload sssvlv.la
    # moduleload syncprov.la
    # moduleload translucent.la
    # moduleload unique.la
    # moduleload valsort.la
    
    # TLS.  TLSCACertificatePath names the CA store; the next two directives
    # name the server certificate and its private key as PEM files.  The key
    # file must be readable only by the account slapd runs as.
    # NOTE(review): on CentOS 6 slapd is linked against Mozilla NSS, where
    # TLSCACertificatePath is the NSS certdb directory and the commented pair
    # below is the NSS nickname / password-file form that
    # /usr/libexec/openldap/generate-server-cert.sh appears to produce (a
    # self-signed test certificate).  ldap.crt/ldap.key are not created by that
    # script; confirm with "slaptest -u" that this build accepts the PEM form.
    TLSCACertificatePath /etc/openldap/certs
    TLSCertificateFile /etc/openldap/certs/ldap.crt
    TLSCertificateKeyFile /etc/openldap/certs/ldap.key
    #TLSCertificateFile "\"OpenLDAP Server\""
    #TLSCertificateKeyFile /etc/openldap/certs/password
    # Nothing here sets TLSProtocolMin or TLSCipherSuite, so the library
    # defaults apply (possibly including old protocol versions); pin a minimum
    # version once every client supports it.
    
    # Sample security restrictions
    #   Require integrity protection (prevent hijacking)
    #   Require 112-bit (3DES or better) encryption for updates
    #   Require 63-bit encryption for simple bind
    # security ssf=1 update_ssf=112 simple_bind=64
    # NOTE(review): with the security directive commented out, simple (password)
    # binds are accepted over plain ldap:// without StartTLS, so credentials can
    # cross the network in the clear.  Enabling the sample line, or at least
    # "security simple_bind=64", makes slapd refuse password binds that are not
    # protected by TLS -- do this once every client uses ldaps:// or StartTLS.
    
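    # Access control (frontend/global ACLs).  Rules are evaluated in order: the
    # first "access to" whose target matches the entry/attribute decides, and
    # within it the first matching "by" clause wins; a requester matched by no
    # "by" clause gets the implicit "by * none".
    #
    # Sample access control policy:
    #   Root DSE: allow anyone to read it
    #   Subschema (sub)entry DSE: allow anyone to read it
    #   Other DSEs:
    #       Allow self write access
    #       Allow authenticated users read access
    #       Allow anonymous users to authenticate
    #   Directives needed to implement policy:
    # access to dn.base="" by * read
    # NOTE(review): with the root DSE line above commented out, the root DSE
    # falls through to the final "access to * by anonymous auth" rule, so
    # unauthenticated clients cannot read it (namingContexts,
    # supportedSASLMechanisms, ...); re-enable it if clients rely on that.
    access to dn.base="cn=Subschema" by * read
    # access to *
    #   by self write
    #   by users read
    #   by anonymous auth
    #
    
    # userPassword under ou=People.  Listed before every entry-level rule
    # below because ACL order decides: without it, the "read" grants further
    # down would return password hashes to every user under ou=internal and
    # to the readonly/add_rw manager accounts.  "self write" enables
    # self-service password change (subject to the ppolicy overlay); use
    # "self read" instead if passwords are managed centrally.  Any service
    # account that genuinely needs to read or set hashes must be listed here
    # explicitly.  The ppolicy overlay also keeps old hashes in pwdHistory --
    # consider adding it to this attrs list.
    access to dn.subtree="ou=People,dc=XXXXXX,dc=cn" attrs=userPassword
        by self write
        by anonymous auth
        by * none
    
    # Suffix entry.  NOTE(review): "dn=" carries no style qualifier; spell out
    # the intended scope (dn.base= for just this entry) instead of relying on
    # the default.
    access to dn="dc=XXXXXX,dc=cn"
        by self read
        by users read
        by anonymous auth
    
    #access to dn.subtree="ou=Servers,dc=XXXXXX,dc=cn"
    #    by self read
    #    by users read
    #    by anonymous read
    #    by anonymous auth
    
    #access to dn.subtree="ou=People,dc=XXXXXX,dc=cn"
    #    by self read
    #    by users read
    #    by anonymous read
    #    by anonymous auth
    #
    #
    #access to dn.regex="(.+,)?(uid=[^,]+,ou=internal,ou=People,dc=XXXXXX,dc=cn)$"
    #    by self read
    #    by users read
    #    by dn.exact,expand="$2" read
    #    by anonymous auth
    
    # OUs under ou=People other than (presumably) ou=internal: self read and
    # anonymous bind only.  NOTE(review): "[^i]+" excludes every OU whose name
    # contains the letter i (e.g. ou=visitors), not just "internal", and the
    # pattern is unanchored.  OUs it does not match fall through to the
    # ou=People subtree rule below, which additionally lets internal users and
    # the manager accounts read them -- two different policies depending on
    # the spelling of the OU name.
    access to dn.regex="ou=[^i]+,ou=People,dc=XXXXXX,dc=cn"
        by self read
        by anonymous auth
    
    # Entries under ou=internal: readable by the entry's own user ($2 is the
    # uid DN captured from the target), by the two manager accounts, and
    # usable for anonymous bind.
    access to dn.regex="(.+,)?(uid=[^,]+,ou=internal,ou=People,dc=XXXXXX,dc=cn)$"
        by self read
        by dn.exact,expand="$2" read
        by dn="cn=readonly,ou=Manager,dc=XXXXXX,dc=cn" read
        by dn="cn=add_rw,ou=Manager,dc=XXXXXX,dc=cn" read
        by anonymous auth
    
    #access to dn.subtree="ou=internal,ou=People,dc=XXXXXX,dc=cn"
    #    by self read
    #    by dn.regex="(.+,)?(uid=[^,]+,ou=internal,ou=People,dc=XXXXXX,dc=cn)$" read
    #    by anonymous auth
    
    # Rest of ou=People (the OU entry itself and anything not caught above):
    # readable by self, by any user under ou=internal and by the manager
    # accounts.
    access to dn.subtree="ou=People,dc=XXXXXX,dc=cn"
        by self read
        by dn.regex="(.+,)?(uid=[^,]+,ou=internal,ou=People,dc=XXXXXX,dc=cn)$" read
        by dn="cn=readonly,ou=Manager,dc=XXXXXX,dc=cn" read
        by dn="cn=add_rw,ou=Manager,dc=XXXXXX,dc=cn" read
        by anonymous auth
    
    # Services: application groups (cn=*users), the per-service OUs and the
    # ou=Services entry.  Only cn=add_rw may write; the readonly account is not
    # granted anything here.
    #access to dn.regex="(.+,)?cn=confluence-users,ou=Confluence,ou=Services,dc=XXXXXX,dc=cn"
    #    by self read
    #    by dn="cn=add_rw,ou=Manager,dc=XXXXXX,dc=cn" write
    #    by anonymous auth
    access to dn.regex="cn=.+users,ou=[^,]+,ou=Services,dc=XXXXXX,dc=cn"
        by self read
        by dn="cn=add_rw,ou=Manager,dc=XXXXXX,dc=cn" write
        by anonymous auth
    access to dn.regex="^(ou=[^,]+|cn=[^,]+),ou=Services,dc=XXXXXX,dc=cn"
        by self read
        by dn="cn=add_rw,ou=Manager,dc=XXXXXX,dc=cn" write
        by anonymous auth
    access to dn="ou=Services,dc=XXXXXX,dc=cn"
        by self read
        by dn="cn=add_rw,ou=Manager,dc=XXXXXX,dc=cn" write
        by anonymous auth
    
    #access to dn.subtree="ou=Group,dc=XXXXXX,dc=cn"
    #    by self read
    #    by users read
    #    by anonymous read
    #    by anonymous auth
    
    #access to dn.one="ou=People,dc=XXXXXX,dc=cn" attrs=userPassword
    #    by self write
    #    by anonymous auth
    
    #access to dn.one="ou=People,dc=XXXXXX,dc=cn"
    #    by self read
    #    by anonymous auth
    #
    #access to dn.one="ou=Hosts,dc=XXXXXX,dc=cn"
    #    by self read
    #    by anonymous auth
    
    # Catch-all: anything not matched above can only be used for binding;
    # authenticated users get no read access to it (implicit "by * none").
    access to *
        by anonymous auth
    
    #
    # if no access controls are present, the default policy
    # allows anyone and everyone to read anything but restricts
    # updates to rootdn.  (e.g., "access to * by * read")
    #
    # rootdn can always read and write EVERYTHING!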
    
    # enable on-the-fly configuration (cn=config)
    # Who may touch the live configuration: the local root user over ldapi://
    # (SASL EXTERNAL peer credentials) has full control; cn=admin of the main
    # database gets write, which is enough to rewrite any ACL, load modules or
    # alter this very rule -- that account is therefore effectively a second
    # server administrator.  Everyone else: none.
    database config
    access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
            by dn.exact="cn=admin,dc=XXXXXX,dc=cn" write
        by * none
    
    # enable server status monitoring (cn=monitor)
    # Read-only for the local root user over ldapi:// and for cn=admin; hidden
    # from everyone else (the monitor tree reveals connection and operation
    # details, so keeping it closed to ordinary users is deliberate).
    database monitor
    access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
            by dn.exact="cn=admin,dc=XXXXXX,dc=cn" read
            by * none
    
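    #######################################################################
    # database definitions
    #######################################################################
    
    # Primary directory.  NOTE(review): back-bdb is deprecated upstream in
    # favour of back-mdb; switching backends needs a slapcat/slapadd
    # migration, so it is not changed here (confirm this build ships back_mdb).
    database    bdb
    suffix      "dc=XXXXXX,dc=cn"
    # Write a BDB checkpoint after 1024 KB of log data or 15 minutes,
    # whichever comes first (slapd-bdb(5)).
    checkpoint  1024 15
    rootdn      "cn=admin,dc=XXXXXX,dc=cn"
    # Cleartext passwords, especially for the rootdn, should
    # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
    # Use of strong authentication encouraged.
    # rootpw        secret
    # rootpw        {crypt}ijFYNcSNctBYg
    # NOTE(review): the hash below is part of a published listing; never deploy
    # it as-is.  Regenerate it with slappasswd, or omit rootpw altogether and
    # keep the administrator's userPassword in the cn=admin entry itself.
    rootpw                  {SSHA}sJ2hfyp34a8rnMgo02MPhaY8hmBKxGwJ
    
    # The database directory MUST exist prior to running slapd AND
    # should only be accessible by the slapd and slap tools.
    # Mode 700 recommended.
    directory   /var/lib/ldap
    
    # Indices to maintain for this database
    index objectClass                       eq,pres
    index ou,cn,mail,surname,givenname      eq,pres,sub
    index uidNumber,gidNumber,loginShell    eq,pres
    index uid,memberUid                     eq,pres,sub
    index nisMapName,nisMapEntry            eq,pres,sub
    # NOTE(review): uniqueMember is not indexed, so searches by group
    # membership (and the refint overlay, should it ever be enabled) run
    # unindexed -- consider "index uniqueMember eq" followed by slapindex.
    
    # memberOf: maintain the memberOf attribute of member entries from
    # groupOfUniqueNames groups via their uniqueMember values.
    overlay memberof
    memberof-group-oc   groupOfUniqueNames
    memberof-member-ad  uniqueMember
    
    # Password policy.  The default policy entry must exist in the directory
    # for any policy to take effect.  refint.la is loaded in the module
    # section but no "overlay refint" is configured here, so uniqueMember
    # references to deleted entries are not cleaned up.
    overlay ppolicy
    ppolicy_default  cn=Captain,ou=pwpolicies,dc=XXXXXX,dc=cn
    
    # Replicas of this database
    # (replogfile/replica are slurpd-era directives that no longer exist in
    # 2.4; use syncrepl with the syncprov overlay instead.)
    #replogfile /var/lib/ldap/openldap-master-replog
    #replica host=ldap-1.example.com:389 starttls=critical
    #     bindmethod=sasl saslmech=GSSAPI
    #     authcId=host/ldap-master.example.com@EXAMPLE.COM
    
    # Hash scheme applied to passwords set through the Password Modify
    # extended operation.  This was {sha} (unsalted SHA-1): identical
    # passwords produced identical hashes and precomputed tables apply.
    # {SSHA} adds a per-password salt and is slapd's own default; existing
    # {SHA} values keep verifying until the password is next changed.
    # NOTE(review): password-hash is a global directive -- if slapd warns
    # about it appearing after a "database" line, move it (and loglevel)
    # above the first one.
    password-hash {SSHA}
    
    # loglevel 256 = "stats": connections, operations and results only.
    loglevel 256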
  • 原文地址:https://www.cnblogs.com/jackcui/p/16110644.html