slapd.properties.example

#
#   Licensed to the Apache Software Foundation (ASF) under one
#   or more contributor license agreements.  See the NOTICE file
#   distributed with this work for additional information
#   regarding copyright ownership.  The ASF licenses this file
#   to you under the Apache License, Version 2.0 (the
#   "License"); you may not use this file except in compliance
#   with the License.  You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
#   Unless required by applicable law or agreed to in writing,
#   software distributed under the License is distributed on an
#   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
#   KIND, either express or implied.  See the License for the
#   specific language governing permissions and limitations
#   under the License.
#
#
########################################################################
# 0. About the fortress slapd.properties file
########################################################################

# Use this property file to override environment settings when you are using openldap directory server.
# These parameters are bound for the following locations by the Fortress during the init targets within the build.xml ant management utility:
# a. fortress.properties - Fortress' configuration file tells fortress runtime how to connect to remote resources
# b. refreshLDAPData.xml - Used by fortress to initialize and base load the LDAP DIT data structures.  Fortress also stores runtime params inside 'ou=Config' container on remote server.
# c. slapd.conf - Configure the runtime OpenLDAP server (slapd) to use fortress, if applicable.

# The ant property subsystem is fed using three files:
# i.   user.properties  - optional, when found, located in user's home directory.  Properties found here take precedence over those following.
# ii.  slapd.properties - optional, when found, located in root folder of the package.  These props override those found in the build.properties file.
# iii. build.properties - this file is required and must be located in the root folder of the package.
# More info on the fortress configuration subsystem in the README-CONFIG.

########################################################################
# 1. OVERRIDE WITH OPENLDAP SPECIFIC COORDINATES:
####################################################################################
ldap.server.type=openldap
ldap.host=localhost
ldap.port=389
suffix.name=example
suffix.dc=com
suffix=dc=${suffix.name},dc=${suffix.dc}

# This sets the maximum search result set from LDAP, default is 1000:
ldap.max.batch.size=1000

# A value of 'false' disables storing user membership on role object, default is 'true':
#role.occupants=false

#For a multi-level suffix, e.g. dc=foo, dc=example, dc=com.
#suffix.name=foo
#suffix.dc=example
#suffix.dc2=com
#suffix=dc=${suffix.name},dc=${suffix.dc},dc=${suffix.dc2}

root.dn=cn=manager,${suffix}
# Used to load OpenLDAP admin root password in slapd.conf and was encrypted using 'slappasswd' command:
root.pw={SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU
cfg.root.pw=secret

# This specifies the number of default LDAP connections to maintain in the pool:
admin.min.conn=1
admin.max.conn=10
# This speicifes the number of user LDAP connections (used for user authentication operations only) to maintain in the pool:
# User Pool:
user.min.conn=1
user.max.conn=10

# Used for slapd logger connection pool.
log.min.conn=1
log.max.conn=3

# Applies to all pools, connection validated on retrieval with dummy ldapsearch. (default is false)
#all.validate.conn.borrow=false
# Applies to all pools, connection validated when idle with dummy ldapsearch. (default is false)
#all.validate.conn.idle=false
# Applies to all pools, when all connections are exhausted will block. (default is true)
#all.max.conn.block=true
# Applies to all pools, when all connections are exhausted will block for this many milliseconds. (default is 5000)
#all.max.conn.block.time=5000

#These are passwords used for LDAP audit log service accounts:
# Audit Pool:
log.admin.user=cn=manager,${log.suffix}
log.admin.pw=secret

# Use if ldap.server.type=openldap and accesslog enabled.  (Default is true):
enable.audit=true
audits.dn=cn=log

########################################################################
# 2. BEGIN OPENLDAP SERVER CONFIGURATION SECTION: (Ignore if using HTTP or ApacheDS):
####################################################################################

# This OpenLDAP slapd logger password is bound for slapd.conf and was encrypted using 'slappasswd' command:
log.root.pw={SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU

# More Audit Config:
log.suffix=cn=log
log.ops=logops bind writes compare

#ldap.uris=ldap://${ldap.host}:${ldap.port}

# These are needed for client SSL connections with LDAP Server:
#enable.ldap.ssl=true
# The LDAP hostname must match the common name in the server certificate:
#ldap.host=fortressdemo2.com
# 636 is default LDAPS on OpenLDAP:
#ldap.port=636
# If you need the ldap api to spit out more info on ssl connections:
#enable.ldap.ssl.debug=true
#trust.store.password=changeit
# Will pick up the truststore from the classpath if set to true  which is the default.
#trust.store.onclasspath=true
#trust.store=mytruststore
# Otherwise, file must be specified a fully qualified filename:
#trust.store.onclasspath=false
#trust.store=/fully/qualified/path/to/mytruststore

# These are needed for OpenLDAP startup script to enable SSL configuration:
#ldap.uris=ldap://${ldap.host}:389 ldaps://${ldap.host}:${ldap.port}
# These are needed for slapd server-side SSL configuration:
#tls.ca.cert.file=ca-cert.pem
#tls.cert.file=server-cert.pem
#tls.key.file=server-key.pem

########################################################################
# 3. BEGIN HTTP CLIENT CONFIGURATION SECTION (Ignore if using LDAPv3):
########################################################################

# The following optional HTTP parameters are needed when Fortress core client-side communicates though fortress-rest HTTP proxy (rather than LDAP) server:
# Thr nav URL to fortress-rest impl: uri = httpProtocol + "://" + httpHost + ":" + httpPort + "/" + "fortress-rest-" + version; + "/";:
# version is set as system property, i.e. -Dversion=3.0.0
# Setting the enable.mgr.impl.rest to 'true' sets Fortress instance to use HTTP services rather than LDAPv3 protocol. Default value is 'false':
# Use interface over REST/HTTP?  Default is false (use LDAPv3)
#enable.mgr.impl.rest=true

# This user account is added automatically during deployment of fortress-rest via -Dload.file=./src/main/resources/FortressRestServerPolicy.xml:
#http.user=demouser4
#http.pw=password
#http.host=localhost
#http.port=8080
#http.protocol=http
# For TLs connections:
#http.port=8443
#http.protocol=https

########################################################################
# 4. RFC2307 OBJECT CLASS DEFINITIONS
########################################################################
# Boolean value. Default is false.  If true, requires rfc2307bis schema because posixUser and posixGroup must be auxiliary object classes to work with ftRls which is structural..
rfc2307=false

########################################################################
# 5. BEGIN OPENLDAP SERVER INSTALLATION SETUP: (Ignore if not calling the 'init-slapd' target to automatically install Symas OpenLDAP packages:
####################################################################################

# OpenLDAP MDB Backend config is default setting for Fortress::
db.type=mdb
dflt.size=maxsize 1000000000
log.size=maxsize 1000000000

# These next params used by 'init-slapd' target to install OpenLDAP to target machine.  Do not change any params below this line unless you know what you are doing:

## Symas OpenLDAP on NIX section:
openldap.install.artifact.dir=./ldap
db.root=/var/symas/openldap-data
openldap.root=/opt/symas
slapd.dir=${openldap.root}/etc/openldap
# to start:
pid.dir=/var/symas/run
db.dir=${db.root}/dflt
db.hist.dir=${db.root}/hist
db.bak.dir=${db.root}/backup/dflt
db.bak.hist.dir=${db.root}/backup/hist

# unless you know what you're doing, take the default:
log.dbnosynch=dbnosync
dflt.dbnosynch=dbnosync
log.checkpoint=checkpoint   64 5
dflt.checkpoint=checkpoint    64 5

# Symas-OpenLDAP Configurations:
platform=symas-openldap
slapd.module.dir=${openldap.root}/lib/openldap
slapd.start=${openldap.root}/lib/slapd -h ldap://${ldap.host}:${ldap.port} -f ${openldap.root}/etc/openldap/slapd.conf

#Debian:
#slapd.install=apt install symas-openldap-clients symas-openldap-server -y
#slapd.uninstall=apt remove symas-openldap-clients symas-openldap-server -y

# Redhat:
#slapd.install=yum install symas-openldap-servers symas-openldap-clients -y
#slapd.uninstall=yum remove symas-openldap-servers symas-openldap-clients -y

########################################################################
# 6. RBAC ACCELERATOR OVERLAY PROPS
########################################################################

# Default is false, if set to 'true', the OpenLDAP RBAC Accelerator overlay will be enabled:
rbac.accelerator=false
rbac.module=moduleload slapo-rbac.la
dds.module=moduleload  dds.la
monitor.module=moduleload  back_monitor.la
rbac.dn=dc=rbac
sessions.dn=cn=rbac
audit.dn=cn=audit
db.sess.dir=${db.root}/rbacsess
db.audit.dir=${db.root}/rbacaudit
db.rbac.dir=${db.root}/rbacoverlay
db.bak.audit.dir=${db.root}/backup/rbacaudit
db.bak.sess.dir=${db.root}/backup/rbacsess