├── ldap.conf.template ├── domain.ldif.template ├── .gitignore ├── README.md ├── openldap.sh ├── Dockerfile └── slapd-config.ldif.template /ldap.conf.template: -------------------------------------------------------------------------------- 1 | # 2 | # LDAP Defaults 3 | # 4 | 5 | # See ldap.conf(5) for details 6 | # This file should be world readable but not world writable. 7 | 8 | #BASE ${LDAP_SUFFIX} 9 | URI ldapi:// 10 | 11 | #SIZELIMIT 12 12 | #TIMELIMIT 15 13 | #DEREF never 14 | 15 | # TLS certificates (needed for GnuTLS) 16 | #TLS_CACERT /etc/ssl/certs/ca-certificates.crt 17 | -------------------------------------------------------------------------------- /domain.ldif.template: -------------------------------------------------------------------------------- 1 | # vim:set ft=ldif: 2 | # 3 | dn: ${LDAP_SUFFIX} 4 | objectClass: ${LDAP_DOMAIN_OBJECTCLASS} 5 | dc: ${LDAP_DOMAIN_RDC} 6 | o: ${LDAP_ORGANIZATION} 7 | 8 | dn: cn=admin,${LDAP_SUFFIX} 9 | objectClass: organizationalRole 10 | cn: admin 11 | 12 | dn: ou=users,${LDAP_SUFFIX} 13 | objectClass: organizationalUnit 14 | ou: users 15 | 16 | dn: ou=groups,${LDAP_SUFFIX} 17 | objectClass: organizationalUnit 18 | ou: groups 19 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Created by .ignore support plugin (hsz.mobi) 2 | ### JetBrains template 3 | # Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion 4 | 5 | *.iml 6 | 7 | ## Directory-based project format: 8 | .idea/ 9 | # if you remove the above rule, at least ignore the following: 10 | 11 | # User-specific stuff: 12 | # .idea/workspace.xml 13 | # .idea/tasks.xml 14 | # .idea/dictionaries 15 | 16 | # Sensitive or high-churn files: 17 | # .idea/dataSources.ids 18 | # .idea/dataSources.xml 19 | # .idea/sqlDataSources.xml 20 | # .idea/dynamic.xml 21 | # .idea/uiDesigner.xml 22 | 23 | # Gradle: 24 | # 
.idea/gradle.xml 25 | # .idea/libraries 26 | 27 | # Mongo Explorer plugin: 28 | # .idea/mongoSettings.xml 29 | 30 | ## File-based project format: 31 | *.ipr 32 | *.iws 33 | 34 | ## Plugin-specific files: 35 | 36 | # IntelliJ 37 | /out/ 38 | 39 | # mpeltonen/sbt-idea plugin 40 | .idea_modules/ 41 | 42 | # JIRA plugin 43 | atlassian-ide-plugin.xml 44 | 45 | # Crashlytics plugin (for Android Studio and IntelliJ) 46 | com_crashlytics_export_strings.xml 47 | crashlytics.properties 48 | crashlytics-build.properties 49 | 50 | 51 | ### OSX template 52 | .DS_Store 53 | .AppleDouble 54 | .LSOverride 55 | 56 | # Icon must end with two \r 57 | Icon 58 | 59 | # Thumbnails 60 | ._* 61 | 62 | # Files that might appear in the root of a volume 63 | .DocumentRevisions-V100 64 | .fseventsd 65 | .Spotlight-V100 66 | .TemporaryItems 67 | .Trashes 68 | .VolumeIcon.icns 69 | 70 | # Directories potentially created on remote AFP share 71 | .AppleDB 72 | .AppleDesktop 73 | Network Trash Folder 74 | Temporary Items 75 | .apdisk 76 | 77 | 78 | ### Windows template 79 | # Windows image file caches 80 | Thumbs.db 81 | ehthumbs.db 82 | 83 | # Folder config file 84 | Desktop.ini 85 | 86 | # Recycle Bin used on file shares 87 | $RECYCLE.BIN/ 88 | 89 | # Windows Installer files 90 | *.cab 91 | *.msi 92 | *.msm 93 | *.msp 94 | 95 | # Windows shortcuts 96 | *.lnk 97 | 98 | 99 | ### Vim template 100 | [._]*.s[a-w][a-z] 101 | [._]s[a-w][a-z] 102 | *.un~ 103 | Session.vim 104 | .netrwhist 105 | *~ 106 | 107 | 108 | ### Eclipse template 109 | *.pydevproject 110 | .metadata 111 | .gradle 112 | bin/ 113 | tmp/ 114 | *.tmp 115 | *.bak 116 | *.swp 117 | *~.nib 118 | local.properties 119 | .settings/ 120 | .loadpath 121 | 122 | # Eclipse Core 123 | .project 124 | 125 | # External tool builders 126 | .externalToolBuilders/ 127 | 128 | # Locally stored "Eclipse launch configurations" 129 | *.launch 130 | 131 | # CDT-specific 132 | .cproject 133 | 134 | # JDT-specific (Eclipse Java Development Tools) 135 | 
.classpath 136 | 137 | # Java annotation processor (APT) 138 | .factorypath 139 | 140 | # PDT-specific 141 | .buildpath 142 | 143 | # sbteclipse plugin 144 | .target 145 | 146 | # TeXlipse plugin 147 | .texlipse 148 | 149 | 150 | ### Linux template 151 | *~ 152 | 153 | # KDE directory preferences 154 | .directory 155 | 156 | # Linux trash folder which might appear on any partition or disk 157 | .Trash-* 158 | 159 | 160 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # OpenLDAP SLAPD on Alpine Linux 2 | 3 | [![Docker Stars](https://img.shields.io/docker/stars/dweomer/openldap.svg)][hub] 4 | [![Docker Pulls](https://img.shields.io/docker/pulls/dweomer/openldap.svg)][hub] 5 | [![Image Size](https://img.shields.io/imagelayers/image-size/dweomer/openldap/latest.svg)][layers] 6 | [![Image Layers](https://img.shields.io/imagelayers/layers/dweomer/openldap/latest.svg)][layers] 7 | 8 | The [_`memberOf`_](http://www.openldap.org/software/man.cgi?query=slapo-memberof&sektion=5) (with [_refint_](http://www.openldap.org/software/man.cgi?query=slapo-refint&sektion=5)) overlay is installed and configured for [`groupOfUniqueNames`](https://tools.ietf.org/html/rfc4519#section-3.6). 9 | 10 | ## Usage 11 | ``` 12 | docker run -itd -p 389:389 dweomer/openldap 13 | ``` 14 | 15 | ## Modifying Init/Runtime Behavior 16 | ### Environment 17 | #### `declare -x LDAP_DOMAIN` 18 | Defaults to `example.com` if not overridden. 19 | 20 | #### `declare -x LDAP_DOMAIN_OBJECTCLASS` 21 | Default value is [`domain`](https://tools.ietf.org/html/rfc4524#section-3.4). Supports any [`objectClass`](https://tools.ietf.org/html/rfc4512#section-3.3) or combination thereof that allows for the [`dc` aka `domainComponent`](https://tools.ietf.org/html/rfc4519#section-2.4) and [`o` aka `organizationName`](https://tools.ietf.org/html/rfc4519#section-2.19) attributes, e.g. 
22 | 23 | ``` 24 | export LDAP_DOMAIN_OBJECTCLASS="organization 25 | objectClass: dcObject" 26 | ``` 27 | 28 | #### `declare -x LDAP_SUFFIX` 29 | By default this is generated from `LDAP_DOMAIN`, e.g. `dc=example,dc=com` for the default value of such, but one could as easily pass `o=example.com` or any other legitimate [`distinguishedName`](https://tools.ietf.org/html/rfc4512#section-2.3.2) supported by the [`objectClass`](https://tools.ietf.org/html/rfc4512#section-3.3). 30 | 31 | #### `declare -x LDAP_ORGANIZATION` 32 | Defaults to the value of `LDAP_DOMAIN` if not overridden. 33 | 34 | #### `declare -x LDAP_PASSWORD` 35 | If not specified this is the string 'lderp!' concatenated with the first [`domainComponent`](https://tools.ietf.org/html/rfc4519#section-2.4) from `LDAP_DOMAIN`. So, `lderp!example` for the default value of `LDAP_DOMAIN`. This will be the password for the bind [`dn`](https://tools.ietf.org/html/rfc4512#section-2.3.2) of `cn=admin,${LDAP_SUFFIX}`, e.g. `cn=admin,dc=example,dc=com`. Because this default can be derived from `LDAP_DOMAIN`, set `LDAP_PASSWORD` explicitly for any instance that other hosts can reach. 36 | 37 | ### Database 38 | The first time the container starts up it will look for any files under the `/srv/openldap.d/` hierarchy and process them in lexical order. Right now the only supported file extensions are `.sh` and `.ldif`, everything else is ignored. Note that `.sh` files are sourced by the init script, so they run with the entrypoint's privileges during initialization; only trusted content belongs in this hierarchy. 39 | 40 | If not already present, `/srv/openldap.d/000-domain.ldif` is created prior to such processing so that it will be picked up. This will create an [`organizationalUnit`](https://tools.ietf.org/html/rfc4519#section-3.11) for user accounts with [RDN](https://tools.ietf.org/html/rfc4512#section-2.3.1) `ou=users` and for user groups with [RDN](https://tools.ietf.org/html/rfc4512#section-2.3.1) `ou=groups`. 41 | 42 | ## License 43 | 44 | See the `LICENSE` file in this repository. 
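[hub]: https://hub.docker.com/r/dweomer/openldap/
[issues]: https://github.com/dweomer/dockerfiles-openldap/issues
[layers]: https://imagelayers.io/?images=dweomer/openldap:latest

--------------------------------------------------------------------------------
/openldap.sh:
--------------------------------------------------------------------------------
#!/bin/sh -e
#
# Entrypoint for the dweomer/openldap image.
#
# First start (no cn=config under OPENLDAP_CONFIG_DIR yet):
#   1. render the templates in /srv/openldap with envsubst,
#   2. load the rendered cn=config tree with slapadd,
#   3. run a throw-away slapd on ldapi:/// and feed it every *.ldif / *.sh
#      found under /srv/openldap.d (lexical order),
#   4. stop that daemon again.
# Every start: exec "$@" (the image's CMD runs slapd as ldap:ldap).
#
# All LDAP_* values are exported so envsubst and the sourced hook scripts can
# read them. LDAP_PASSWORD is therefore also inherited by the exec'd command.

# Paths and backend settings baked into the image; the templates reference them.
export OPENLDAP_ETC_DIR="/etc/openldap"
export OPENLDAP_RUN_DIR="/var/run/openldap"
export OPENLDAP_RUN_ARGSFILE="${OPENLDAP_RUN_DIR}/slapd.args"
export OPENLDAP_RUN_PIDFILE="${OPENLDAP_RUN_DIR}/slapd.pid"
export OPENLDAP_MODULES_DIR="/usr/lib/openldap"
export OPENLDAP_CONFIG_DIR="${OPENLDAP_ETC_DIR}/slapd.d"
export OPENLDAP_BACKEND_DIR="/var/lib/openldap"
export OPENLDAP_BACKEND_DATABASE="hdb"
export OPENLDAP_BACKEND_OBJECTCLASS="olcHdbConfig"
export OPENLDAP_ULIMIT="2048"

# Directory identity; each value may be overridden from the environment (see README.md).
export LDAP_DOMAIN="${LDAP_DOMAIN:-example.com}"
# First label of LDAP_DOMAIN (a leading dot is dropped): "example" for example.com.
export LDAP_DOMAIN_RDC="$(echo "${LDAP_DOMAIN}" | sed 's/^\.//; s/\..*$//')"
# A multi-line value is accepted here, e.g.
#   LDAP_DOMAIN_OBJECTCLASS="organization
#   objectClass: dcObject"
export LDAP_DOMAIN_OBJECTCLASS="${LDAP_DOMAIN_OBJECTCLASS:-domain}"
export LDAP_ORGANIZATION="${LDAP_ORGANIZATION:-${LDAP_DOMAIN}}"
# dc=example,dc=com for example.com unless a suffix is supplied outright.
export LDAP_SUFFIX="${LDAP_SUFFIX:-dc=$(echo "${LDAP_DOMAIN}" | sed 's/^\.//; s/\./,dc=/g')}"
# The default admin password is derived from LDAP_DOMAIN and documented in
# README.md, i.e. predictable; operators should override it.
export LDAP_PASSWORD="${LDAP_PASSWORD:-lderp!${LDAP_DOMAIN_RDC}}"

# Hash the admin password for olcRootPW. The secret is handed to slappasswd
# through a mode-0600 temp file (-T) instead of on the command line (-s), so it
# is not readable from the process list while the hash is computed. printf
# without a trailing newline hashes exactly the same bytes the -s form did.
ldap_pw_file="$(mktemp)"
chmod 600 "${ldap_pw_file}"
printf '%s' "${LDAP_PASSWORD}" > "${ldap_pw_file}"
export LDAP_PASSWORD_ENCRYPTED="$(slappasswd -u -h '{SSHA}' -T "${ldap_pw_file}")"
rm -f "${ldap_pw_file}"

ulimit -n "${OPENLDAP_ULIMIT}"

# Poll the ldapi socket until the initdb daemon answers a SASL EXTERNAL bind
# (which the rendered config maps to the local root peercred identity).
# $1 is the number of one-second attempts before giving up.
wait_for_ldapi() {
    _tries=0
    until ldapwhoami -Y EXTERNAL -H ldapi:/// >/dev/null 2>&1; do
        _tries=$((_tries + 1))
        if [ "${_tries}" -ge "$1" ]; then
            return 1
        fi
        sleep 1
    done
}

if [ ! -d "${OPENLDAP_CONFIG_DIR}/cn=config" ]; then
    slapd_exe="$(which slapd)"
    mkdir -p "${OPENLDAP_CONFIG_DIR}"

    # A pre-rendered slapd-config.ldif mounted by the operator wins over the template.
    if [ ! -s "${OPENLDAP_ETC_DIR}/slapd-config.ldif" ]; then
        envsubst < /srv/openldap/slapd-config.ldif.template > "${OPENLDAP_ETC_DIR}/slapd-config.ldif"
        # The rendered file carries the rootpw hash and its own header says it
        # must not be world readable; the default umask would leave it 0644.
        chmod 600 "${OPENLDAP_ETC_DIR}/slapd-config.ldif"
    fi

    slapadd -n0 -F "${OPENLDAP_CONFIG_DIR}" -l "${OPENLDAP_ETC_DIR}/slapd-config.ldif" > "${OPENLDAP_ETC_DIR}/slapd-config.ldif.log"

    if [ ! -s "${OPENLDAP_ETC_DIR}/ldap.conf" ]; then
        envsubst < /srv/openldap/ldap.conf.template > "${OPENLDAP_ETC_DIR}/ldap.conf"
    fi

    mkdir -p "${OPENLDAP_BACKEND_DIR}/run"
    # slapd runs as ldap:ldap (initdb invocation below and the image CMD), so
    # both the config tree and the database directory must be owned by it.
    chown -R ldap:ldap "${OPENLDAP_CONFIG_DIR}" "${OPENLDAP_BACKEND_DIR}"

    if [ -d /srv/openldap.d ]; then
        if [ ! -s /srv/openldap.d/000-domain.ldif ]; then
            envsubst < /srv/openldap/domain.ldif.template > /srv/openldap.d/000-domain.ldif
        fi

        echo >&2 "$0 ($slapd_exe): starting initdb daemon"
        slapd -u ldap -g ldap -h ldapi:///

        # Do not assume the socket is serving the moment slapd returns: wait
        # for it, so a daemon that failed to come up is reported here instead
        # of as an opaque ldapadd error on the first .ldif below.
        if ! wait_for_ldapi 30; then
            echo >&2 "$0 ($slapd_exe): initdb daemon did not answer on ldapi:/// within 30s"
            exit 1
        fi

        # Hooks are sourced into this shell with the entrypoint's privileges
        # (root: the image sets no USER) before slapd drops to ldap, so only
        # trusted, root-owned content belongs under /srv/openldap.d.
        # Any failing hook or ldapadd aborts the start because of `sh -e`.
        for f in $(find /srv/openldap.d -type f | sort); do
            case "$f" in
                *.sh)   echo "$0: sourcing $f"; . "$f" ;;
                *.ldif) echo "$0: applying $f"; ldapadd -Y EXTERNAL -f "$f" 2>&1 ;;
                *)      echo "$0: ignoring $f" ;;
            esac
        done

        if [ ! -s "${OPENLDAP_RUN_PIDFILE}" ]; then
            echo >&2 "$0 ($slapd_exe): ${OPENLDAP_RUN_PIDFILE} is missing, did the daemon start?"
            exit 1
        fi
        slapd_pid="$(cat "${OPENLDAP_RUN_PIDFILE}")"
        echo >&2 "$0 ($slapd_exe): sending SIGINT to initdb daemon with pid=$slapd_pid"
        kill -s INT "$slapd_pid" || true
        # Wait for the pidfile to disappear before exec'ing the real daemon,
        # so the two slapd instances never overlap on the same config/database.
        while [ -f "${OPENLDAP_RUN_PIDFILE}" ]; do
            sleep 1
            echo >&2 "$0 ($slapd_exe): initdb daemon is still up, sleeping ..."
        done
        echo >&2 "$0 ($slapd_exe): initdb daemon stopped"
    fi
fi

exec "$@"
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
FROM alpine:3.2

MAINTAINER Jacob Blain Christen

ENV OPENLDAP_VERSION=2.4.40

COPY *.template /srv/openldap/
COPY openldap.sh /srv/

VOLUME ["/etc/openldap/slapd.d", "/var/lib/openldap"]

RUN set -x \
 && chmod -v +x /srv/openldap.sh \
 && mkdir -vp \
        /etc/openldap/sasl2 \
        /srv/openldap.d \
        /tmp/openldap \
 && export BUILD_DEPS=" \
        autoconf \
        automake \
        curl \
        cyrus-sasl-dev \
        db-dev \
        g++ \
        gcc \
        groff \
        gzip \
        libtool \
        make \
        mosquitto-dev \
        openldap-back-bdb \
        openldap-back-ldap \
        openldap-back-meta \
        openldap-back-monitor \
        openldap-back-sql \
        openssl-dev \
        tar \
        unixodbc-dev \
        util-linux-dev \
    " \
 && apk add --update \
        gettext \
        libintl \
        openldap \
        openldap-back-hdb \
        openldap-clients \
        openldap-mqtt \
        unixodbc \
        ${BUILD_DEPS} \
 # Grab envsubst from gettext
 && cp -v /usr/bin/envsubst /usr/local/bin/ \
 # Install OpenLDAP from source
 # NOTE(review): the tarball and every patch below are fetched over ftp:// and
 # http:// and used without an integrity check. Record the expected digest of
 # each download and verify it before the tar/patch steps, e.g.
 #   echo "<EXPECTED_SHA256>  /tmp/openldap.tgz" | sha256sum -c
 && curl -fL ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-${OPENLDAP_VERSION}.tgz -o /tmp/openldap.tgz \
 && curl -fL http://git.alpinelinux.org/cgit/aports/plain/main/openldap/0001-dbd-enabled-by-default.patch?h=3.2-stable -o /tmp/0001-dbd-enabled-by-default.patch \
 && curl -fL http://git.alpinelinux.org/cgit/aports/plain/main/openldap/CVE-2015-1545.patch?h=3.2-stable -o /tmp/CVE-2015-1545.patch \
 && curl -fL http://git.alpinelinux.org/cgit/aports/plain/main/openldap/CVE-2015-1546.patch?h=3.2-stable -o /tmp/CVE-2015-1546.patch \
 && curl -fL http://git.alpinelinux.org/cgit/aports/plain/main/openldap/CVE-2015-6908.patch?h=3.2-stable -o /tmp/CVE-2015-6908.patch \
 && curl -fL http://git.alpinelinux.org/cgit/aports/plain/main/openldap/openldap-2.4-ppolicy.patch?h=3.2-stable -o /tmp/openldap-2.4-ppolicy.patch \
 && curl -fL http://git.alpinelinux.org/cgit/aports/plain/main/openldap/openldap-2.4.11-libldap_r.patch?h=3.2-stable -o /tmp/openldap-2.4.11-libldap_r.patch \
 && curl -fL http://git.alpinelinux.org/cgit/aports/plain/main/openldap/openldap-mqtt-overlay.patch?h=3.2-stable -o /tmp/openldap-mqtt-overlay.patch \
 && tar -xzf /tmp/openldap.tgz --strip=1 -C /tmp/openldap \
 && cd /tmp/openldap \
 # NOTE(review): '|| true' hides a patch that fails to apply, including the
 # CVE-2015-* fixes fetched above, so the image can build successfully without
 # them. Letting a failed patch fail the build makes the omission visible.
 && for p in /tmp/*.patch; do patch -p1 -i $p || true; done \
 && rm -vrf /etc/openldap/schema /usr/sbin/slap* /usr/lib/slap* \
 && ./configure \
        --prefix=/usr \
        --libexecdir=/usr/lib \
        --sysconfdir=/etc \
        --mandir=/tmp/man \
        --localstatedir=/var/lib/openldap \
        --enable-crypt \
        --enable-dynamic \
        --enable-modules \
        --enable-local \
        --enable-slapd \
        --enable-spasswd \
        --enable-bdb=mod \
        --enable-hdb=mod \
        --enable-dnssrv=mod \
        --enable-ldap=mod \
        --enable-meta=mod \
        --enable-monitor=mod \
        --enable-null=mod \
        --enable-passwd=mod \
        --enable-relay=mod \
        --enable-shell=mod \
        --enable-sock=mod \
        --enable-sql=mod \
        --enable-overlays=mod \
        --with-tls=openssl \
        --with-cyrus-sasl \
 && make \
 && make install \
 && cd contrib/slapd-modules/mqtt \
 && make prefix=/usr libexec=/usr/lib \
 && make prefix=/usr libexec=/usr/lib install \
 && cd /usr/sbin && ln -vs ../lib/slapd \
 && chown -vR ldap:ldap \
        /etc/openldap \
        /var/lib/openldap \
 && apk del --purge \
        gettext \
        ${BUILD_DEPS} \
 && mv -vf /etc/openldap/ldap.conf /etc/openldap/ldap.conf.original \
 && mv -vf /etc/openldap/slapd.conf /etc/openldap/slapd.conf.original \
 && echo "mech_list: plain external" > /etc/openldap/sasl2/slapd.conf \
 && rm -vfr \
        /tmp/* \
        /usr/share/man/* \
        /var/tmp/* \
        /var/cache/apk/*

EXPOSE 389

ENTRYPOINT ["/srv/openldap.sh"]
CMD ["slapd", "-h", "ldapi:/// ldap:///", "-u", "ldap", "-g", "ldap", "-d", "none"]
--------------------------------------------------------------------------------
/slapd-config.ldif.template:
--------------------------------------------------------------------------------
# vim:set ft=ldif:
#
# See slapd.d(5) for details on configuration options.
# This file should NOT be world readable.
#
# Rendered by openldap.sh with envsubst; every ${...} below is an exported
# variable of that script.
#
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigDir: ${OPENLDAP_CONFIG_DIR}
#
# Where the pid file is put. The init.d script will not stop the server if you change this.
olcPidFile: ${OPENLDAP_RUN_PIDFILE}
#
# List of arguments that were passed to the server
olcArgsFile: ${OPENLDAP_RUN_ARGSFILE}
#
# Read slapd.conf(5) for possible values
# NOTE(review): 'none' logs nothing, so failed binds and connections leave no
# trace; 'stats' is the usual minimum for a server whose access is audited.
olcLogLevel: none
#
# The tool-threads parameter sets the actual amount of cpu's that is used for indexing.
olcToolThreads: 1
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.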
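#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 64-bit encryption for simple bind
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
# NOTE(review): left disabled, and this template configures no TLS (no olcTLS*
# attributes), so simple binds on the ldap:/// listener from the image CMD
# carry the password in clear text on the wire.

#
# MODULES
#
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: ${OPENLDAP_MODULES_DIR}
olcModuleLoad: {0}back_${OPENLDAP_BACKEND_DATABASE}
olcModuleLoad: {1}memberof
olcModuleLoad: {2}refint

#
# SCHEMATA
#
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file://${OPENLDAP_ETC_DIR}/schema/core.ldif
include: file://${OPENLDAP_ETC_DIR}/schema/cosine.ldif
include: file://${OPENLDAP_ETC_DIR}/schema/nis.ldif
include: file://${OPENLDAP_ETC_DIR}/schema/inetorgperson.ldif

#
# FRONTEND DATABASE
#
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
# The maximum number of entries that is returned for a search operation
olcSizeLimit: 1000
#
# Sample global access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#
# FRONTEND ACCESS
# Allow unlimited access to local connection from the local root user
# (uid 0 / gid 0 over the ldapi:/// socket, as used by openldap.sh during init).
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
# Allow unauthenticated read access for schema and base DN autodiscovery
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read

#
# CONFIG DATABASE
#
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
#
# Allow unlimited access to local connection from the local root user
olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

#
# BACKENDS
#
dn: olcBackend=${OPENLDAP_BACKEND_DATABASE},cn=config
objectClass: olcBackendConfig
olcBackend: ${OPENLDAP_BACKEND_DATABASE}

# BACKEND DATABASE
# Third database after {-1}frontend and {0}config, hence {1} in the overlay DNs below.
dn: olcDatabase=${OPENLDAP_BACKEND_DATABASE},cn=config
objectClass: olcDatabaseConfig
objectClass: ${OPENLDAP_BACKEND_OBJECTCLASS}
olcDatabase: ${OPENLDAP_BACKEND_DATABASE}
olcDbCheckpoint: 512 30
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcLastMod: TRUE
olcSuffix: ${LDAP_SUFFIX}
olcDbDirectory: ${OPENLDAP_BACKEND_DIR}
olcRootDN: cn=admin,${LDAP_SUFFIX}
# {SSHA} hash of LDAP_PASSWORD, produced by slappasswd in openldap.sh.
olcRootPW: ${LDAP_PASSWORD_ENCRYPTED}
olcDbIndex: objectClass eq
olcDbIndex: cn pres,eq,approx,sub
olcDbIndex: uid pres,eq,approx,sub
olcDbIndex: dc pres,eq
olcDbIndex: l pres,eq
olcDbIndex: o pres,eq
olcDbIndex: mail pres,eq,approx,sub
olcDbIndex: sn pres,eq,approx,sub
# BACKEND ACCESS
olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
# Password attributes: owner and the admin role (plus any DN listed as its
# roleOccupant) may write; everyone else may only authenticate against them.
olcAccess: to attrs=userPassword,shadowLastChange
 by self write
 by anonymous auth
 by dn="cn=admin,${LDAP_SUFFIX}" write
 by group/organizationalRole/roleOccupant="cn=admin,${LDAP_SUFFIX}" write
 by * none
olcAccess: to dn.base="" by * read
# NOTE(review): the final "by * read" lets anonymous clients read every
# non-password attribute in the tree; use "by users read" if the directory
# contents should require authentication.
olcAccess: to *
 by self write
 by dn="cn=admin,${LDAP_SUFFIX}" write
 by group/organizationalRole/roleOccupant="cn=admin,${LDAP_SUFFIX}" write
 by * read

# BACKEND MEMBEROF OVERLAY
# Maintains memberOf on entries listed as uniqueMember of a groupOfUniqueNames;
# the database name follows OPENLDAP_BACKEND_DATABASE like the entry above
# (previously hard-coded to hdb).
dn: olcOverlay={0}memberof,olcDatabase={1}${OPENLDAP_BACKEND_DATABASE},cn=config
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: {0}memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfUniqueNames
olcMemberOfMemberAD: uniqueMember
olcMemberOfMemberOfAD: memberOf

# BACKEND REFINT OVERLAY
# Keeps the listed DN-valued attributes consistent when entries are renamed or deleted.
dn: olcOverlay={1}refint,olcDatabase={1}${OPENLDAP_BACKEND_DATABASE},cn=config
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: {1}refint
olcRefintAttribute: owner
olcRefintAttribute: manager
olcRefintAttribute: uniqueMember
olcRefintAttribute: member
olcRefintAttribute: memberOf
--------------------------------------------------------------------------------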