3.8. Configuration File Example
The following is an example configuration file, interspersed with explanatory
text. It defines two databases to handle different parts of the X.500 tree;
both are BDB database instances. The line numbers shown are provided for
reference only and are not included in the actual file. First, the global
configuration section:
1. # example config file - global configuration section
2. include /usr/local/etc/schema/core.schema
3. referral ldap://root.openldap.org
4. access to * by * read |
Line 1 is a comment. Line 2 includes another config file which contains core
schema definitions. The referral directive on line 3 means that queries not
local to one of the databases defined below will be referred to the LDAP server
running on the standard port (389) at the host root.openldap.org.
Line 4 is a global access control. It applies to all entries (after any applicable
database-specific access controls).
The next section of the configuration file defines a BDB backend that will
handle queries for things in the "dc=example,dc=com" portion of the tree. The database
is to be replicated to two slave slapds, one on truelies, the other on judgmentday. Indexes
are to be maintained for several attributes, and the userPassword attribute is to be protected
from unauthorized access.
5. # BDB definition for the example.com
6. database bdb
7. suffix "dc=example,dc=com"
8. directory /usr/local/var/openldap-data
9. rootdn "cn=Manager,dc=example,dc=com"
10. rootpw secret
11. # replication directives
12. replogfile /usr/local/var/openldap/slapd.replog
13. replica uri=ldap://slave1.example.com:389
14. binddn="cn=Replicator,dc=example,dc=com"
15. bindmethod=simple credentials=secret
16. replica uri=ldaps://slave2.example.com:636
17. binddn="cn=Replicator,dc=example,dc=com"
18. bindmethod=simple credentials=secret
19. # indexed attribute definitions
20. index uid pres,eq
21. index cn,sn,uid pres,eq,sub
22. index objectClass eq
23. # database access control definitions
24. access to attr=userPassword
25. by self write
26. by anonymous auth
27. by dn.base="cn=Admin,dc=example,dc=com" write
28. by * none
29. access to *
30. by self write
31. by dn.base="cn=Admin,dc=example,dc=com" write
32. by * read
|
Line 5 is a comment. The start of the database definition is marked
by the database keyword on line 6. Line 7 specifies the DN suffix for queries
to pass to this database. Line 8 specifies the directory in which the database
files will live.
Lines 9 and 10 identify the database "super user" entry and associated
password. This entry is not subject to access control or size or time limit restrictions.
Please remeber to encrypt the rootpw using slappasswd.
Example: rootpw {SSHA}Jq4xhhkGa7weT/0xKmaecT4HEXsdqiYA
Lines 11 through 18 are for replication. See the Replication link for more information on these directives.
Lines 20 through 22 indicate the indexes to maintain for various attributes.
Lines 24 through 32 specify access control for entries in the this database.
As this is the first database, the controls also apply to entries not held in any
database (such as the Root DSE). For all applicable entries, the userPassword
attribute is writable by the entry itself and by the "admin" entry. It may be used for
authentication/authorization purposes, but is otherwise not readable. All other attributes
are writable by the entry and the "admin" entry, but may be read by all users (authenticated or not).
The next section of the example configuration file defines another BDB database.
This one handles queries involving the dc=example,dc=net subtree but is managed by the same
entity as the first database. Note that without line 39, the read access would be allowed due
to the global access rule at line 4.
33. # BDB definition for example.net
34. database bdb
35. suffix "dc=example,dc=net"
36. directory /usr/local/var/openldap-data-net
37. rootdn "cn=Manager,dc=example,dc=com"
38. index objectClass eq
39. access to * by users read |