
slapd-proxy.conf for 2 AD backends

a guest
Aug 22nd, 2014
  1. #
  2. # slapd-proxy.conf
  3. # configuration file for the meta-LDAP directory
  4. #
  5. # Ch. Bueche, 5.6.2014
  6. #
# Layout: global settings (TLS files, schema, modules), then a back-meta
# database that proxies two Active Directory forests under dc=proxy,dc=stuff,dc=com,
# then a local bdb database (dc=stuff,dc=com) that the meta database is glued under.
# The gutter numbers at the start of each line are a paste artefact, not part of
# the config.
  7.  
  8. # certificates
# CA bundle used by slapd to verify peer certificates (server side).
# NOTE(review): this is the global server TLS setting; whether back-meta uses it
# for verifying the AD targets' certificates depends on the libldap client
# defaults (ldap.conf TLS_CACERT / TLS_REQCERT) — confirm, see "tls start" below.
  9. TLSCACertificateFile /etc/ssl/certs/stuff_cert_chain.pem
  10.  
  11. # for what we serve ourselves
# Server certificate and private key presented to clients doing StartTLS/ldaps
# against this proxy. The key file should be readable only by the slapd user.
  12. TLSCertificateFile /opt/openldap/etc/certs/m1pldap.xxx.stuff.com.pem
  13. TLSCertificateKeyFile /opt/openldap/etc/certs/m1pldap.xxx.stuff.com.key
  14.  
  15.  
  16. # schemas
# microsoft.minimal.schema is needed so AD-specific attributes (e.g. sAMAccountName,
# mapped below) are known to the local schema checker.
  17. include /opt/openldap/etc/openldap/schema/core.schema
  18. include /opt/openldap/etc/openldap/schema/cosine.schema
  19. include /opt/openldap/etc/openldap/schema/inetorgperson.schema
  20. include /opt/openldap/etc/openldap/schema/nis.schema
  21. include /opt/openldap/etc/openldap/schema/misc.schema
  22. include /opt/openldap/etc/openldap/schema/corba.schema
  23. include /opt/openldap/etc/openldap/schema/openldap.schema
  24. include /opt/openldap/etc/openldap/schema/ppolicy.schema
  25. include /opt/openldap/etc/openldap/schema/microsoft.minimal.schema
  26.  
  27. # runtime files
  28. pidfile     /opt/openldap/var/run/slapd-stuff.pid
  29. argsfile    /opt/openldap/var/run/slapd-stuff.args
  30.  
  31. # modules
# back_meta needs back_ldap; rwm is used for the attribute mapping at the end of
# the file. NOTE(review): mr_passthru.so is loaded but nothing below references
# it — confirm it is still needed.
  32. modulepath    /opt/openldap/libexec/openldap
  33. moduleload    back_bdb.so
  34. moduleload    back_ldap.so
  35. moduleload    back_meta.so
  36. moduleload    rwm.so
  37. moduleload    memberof.so
  38. moduleload    mr_passthru.so
  39.  
  40. # ------------------------------------------------------------------------------
  41. # our LDAP-proxy service
  42. # ------------------------------------------------------------------------------
# rootpw is stored hashed ({SSHA}); keep it that way (generate with slappasswd).
# "subordinate" glues this naming context under the dc=stuff,dc=com bdb database
# defined at the bottom of the file, so a search on dc=stuff,dc=com also reaches
# the proxied AD entries.
  43. database       meta
  44. suffix         dc=proxy,dc=stuff,dc=com
  45. rootdn          "cn=root,dc=proxy,dc=stuff,dc=com"
  46. rootpw          {SSHA}xxx
  47. subordinate
  48.  
  49. # this means we use TLS over port 389
# "start" = StartTLS is mandatory on the connections to the AD targets; the
# connection fails if the target does not offer it. Placed before the first
# "uri", so it is the default for both targets below.
# NOTE(review): no tls_reqcert=/tls_cacert= options are given, so certificate
# verification of the AD servers follows the libldap client defaults. Making it
# explicit (e.g. "tls start tls_reqcert=demand tls_cacert=<ca-bundle>") avoids
# depending on ldap.conf — confirm against the slapd-meta(5) of the installed version.
  50. tls     start
  51.  
  52. # the connections from Zenoss need to be refreshed from time to time
  53. # without this, Zenoss users cannot re-auth against LDAP after one night
  54. # maybe because of firewall or AD timeouts.
  55. # This will close the connection from Zenoss to this proxy
  56. # and incidentaly close the corresponding connection to the
  57. # AD back-end.
  58. # This way, Zenoss cannot reuse long-living connections and is forced
  59. # to re-open them
# NOTE(review): slapd.conf(5) lists idletimeout among the global options that
# precede any "database" directive; here it sits inside the meta database
# section. Check the startup log to confirm it is accepted and applied.
# (back-meta's per-target directive is spelled "idle-timeout", with a hyphen.)
  60. idletimeout 300
  61.  
  62.  
  63. # ------------------------------------------------------------------------------
  64. # AD in stuff
  65. # ------------------------------------------------------------------------------
  66.  
# Target 1: clients see this forest under dc=extra,dc=proxy,dc=stuff,dc=com;
# suffixmassage rewrites that naming context to the real AD suffix on the way
# out and back.
  67. uri         "ldap://m1pad.ad.stuff.com/dc=extra,dc=proxy,dc=stuff,dc=com"
  68. suffixmassage "dc=extra,dc=proxy,dc=stuff,dc=com" "dc=ad,dc=stuff,dc=com"
  69.  
# Administrative identity the proxy uses towards this AD. With mode=none no
# proxyAuthz control is sent: operations run with the service account's own
# rights, so its AD permissions bound what any proxied client can do.
# flags=non-prescriptive: clients whose identity is NOT covered by
# idassert-authzFrom are not rejected — their operations are forwarded
# anonymously instead (slapd-ldap(5)); with the default "prescriptive" they
# would fail with inappropriateAuthentication. Make sure anonymous access is
# what the AD side is expected to return for those clients.
# credentials is a clear-text password: this file must not be world-readable.
  70. idassert-bind
  71.     bindmethod=simple
  72.     binddn="CN=srvxx,OU=Service Accounts,OU=stuff,dc=ad,dc=stuff,dc=com"
  73.     credentials="xxx"
  74.     mode=none
  75.     flags=non-prescriptive
  76. # this allows every user within ou=service,...
# Only identities under this subtree of the local bdb database may have the
# service account used on their behalf.
  77. idassert-authzFrom "dn.subtree:ou=service,ou=account,dc=stuff,dc=com"
  78.  
  79. # filters need a rewrite as well
# suffixmassage covers request/response DNs; DN-valued attribute values inside
# a search filter (e.g. a member= assertion) go through this searchFilter
# context, so the proxy suffix is replaced by the AD suffix there too.
# The trailing ":" is an empty flag set for the rule.
  80. rewriteContext searchFilter
  81. rewriteRule "(.*)dc=extra,dc=proxy,dc=stuff,dc=com" "%1dc=ad,dc=stuff,dc=com" ":"
  82.  
  83.  
  84. # ------------------------------------------------------------------------------
  85. # AD in Intranet
  86. # ------------------------------------------------------------------------------
  87.  
# Target 2: same structure as target 1, for the intra.local forest under
# dc=intra,dc=proxy,dc=stuff,dc=com. The idassert-bind / authzFrom / rewrite
# remarks above apply unchanged.
  88. uri         "ldap://dc-003.intra.local/dc=intra,dc=proxy,dc=stuff,dc=com"
  89. suffixmassage "dc=intra,dc=proxy,dc=stuff,dc=com" "dc=intra,dc=local"
  90.  
  91. idassert-bind
  92.     bindmethod=simple
  93.     binddn="CN=srvxxx,OU=Service Accounts,OU=Infrastructure,DC=intra,DC=local"
  94.     credentials="xxx"
  95.     mode=none
  96.     flags=non-prescriptive
  97. # this allows every user within ou=service,...
  98. idassert-authzFrom "dn.subtree:ou=service,ou=account,dc=stuff,dc=com"
  99.  
  100. # filters need a rewrite as well
  101. rewriteContext searchFilter
  102. rewriteRule "(.*)dc=intra,dc=proxy,dc=stuff,dc=com" "%1dc=intra,dc=local" ":"
  103.  
  104.  
  105. # ------------------------------------------------------------------------------
  106. # protect the local meta
  107. # ------------------------------------------------------------------------------
  108.  
# Superior (glue) database for the meta suffix; it also holds the
# ou=service,ou=account,... identities referenced by idassert-authzFrom.
# NOTE(review): rootpw here is written as a quoted value, unlike the {SSHA}
# hash used for the meta rootdn. If it is a clear-text password, replace it
# with a slappasswd hash for consistency with the meta database.
  109. database        bdb
  110. suffix          "dc=stuff,dc=com"
  111. rootdn          "cn=manager,dc=stuff,dc=com"
  112. rootpw          "xxx"
  113. directory       /opt/openldap/var/openldap-data-proxy-service
  114.  
  115. #------------------------------------------------------------------------------
  116. # for Microsoft attributes
  117. # ------------------------------------------------------------------------------
# NOTE(review): an "overlay" directive attaches to the most recently defined
# database, which here is the local bdb — not the meta database that fronts AD.
# If the intent is to present AD's sAMAccountName as uid (and mail as email) to
# clients of the proxy, this mapping belongs in the meta section, either as
# back-meta's own "map attribute <local> <foreign>" directives per target or
# as "overlay rwm" placed after "database meta". Confirm which database it
# should apply to before moving it.
  118. overlay rwm
  119. rwm-map attribute email mail
  120. rwm-map attribute uid sAMAccountName