- #
- # slapd-proxy.conf
- # configuration file for the meta-LDAP directory
- #
- # Ch. Bueche, 5.6.2014
- #
- # Read by OpenLDAP slapd in slapd.conf(5) format. Directive ORDER is
- # significant: everything above the first "database" line is global,
- # everything after a "database" line belongs to that database (and, inside
- # back-meta, to the most recent "uri" target). Do not reorder lines casually.
- #
- # certificates
- # CA chain used by this slapd's own TLS listener (e.g. to verify client
- # certificates). NOTE(review): it presumably does not govern how the
- # outgoing connections of the meta backend verify the AD servers; that is
- # controlled by the "tls" directive / ldap.conf settings — confirm.
- TLSCACertificateFile /etc/ssl/certs/stuff_cert_chain.pem
- # for what we serve ourselves
- # server certificate and private key of the proxy's own listener;
- # the .key file must be readable only by the user slapd runs as
- TLSCertificateFile /opt/openldap/etc/certs/m1pldap.xxx.stuff.com.pem
- TLSCertificateKeyFile /opt/openldap/etc/certs/m1pldap.xxx.stuff.com.key
- # schemas
- # ppolicy.schema is included, but no "overlay ppolicy" appears anywhere in
- # this file, so no password policy is enforced locally.
- include /opt/openldap/etc/openldap/schema/core.schema
- include /opt/openldap/etc/openldap/schema/cosine.schema
- include /opt/openldap/etc/openldap/schema/inetorgperson.schema
- include /opt/openldap/etc/openldap/schema/nis.schema
- include /opt/openldap/etc/openldap/schema/misc.schema
- include /opt/openldap/etc/openldap/schema/corba.schema
- include /opt/openldap/etc/openldap/schema/openldap.schema
- include /opt/openldap/etc/openldap/schema/ppolicy.schema
- include /opt/openldap/etc/openldap/schema/microsoft.minimal.schema
- # runtime files
- # process id and command-line arguments of the running slapd
- pidfile /opt/openldap/var/run/slapd-stuff.pid
- argsfile /opt/openldap/var/run/slapd-stuff.args
- # modules
- # NOTE: back_bdb is deprecated and is no longer shipped with OpenLDAP 2.5+;
- # plan to migrate the local database at the bottom of this file to back_mdb.
- # memberof.so is loaded but no "overlay memberof" appears in this file.
- # mr_passthru.so is a matching-rule module — presumably needed by the
- # microsoft schema above; verify it is actually required.
- modulepath /opt/openldap/libexec/openldap
- moduleload back_bdb.so
- moduleload back_ldap.so
- moduleload back_meta.so
- moduleload rwm.so
- moduleload memberof.so
- moduleload mr_passthru.so
- # ------------------------------------------------------------------------------
- # our LDAP-proxy service
- # ------------------------------------------------------------------------------
- # back-meta: fans requests under dc=proxy,dc=stuff,dc=com out to the AD
- # targets declared by the "uri" lines below.
- database meta
- suffix dc=proxy,dc=stuff,dc=com
- rootdn "cn=root,dc=proxy,dc=stuff,dc=com"
- # hashed ({SSHA}) rootpw — keep it hashed (slappasswd), never cleartext
- rootpw {SSHA}xxx
- # glue this database under the superior database whose suffix is its parent
- # (the bdb dc=stuff,dc=com database at the end of this file)
- subordinate
- # this means we use TLS over port 389
- # i.e. StartTLS on the proxy's OUTGOING connections to the ldap:// targets
- # below (port 389 upgraded to TLS); it does not affect the listener.
- # "start" (as opposed to "try-start") fails the connection if the target
- # refuses StartTLS, which is the safe choice. NOTE(review): whether the AD
- # server certificate is verified depends on tls_reqcert / ldap.conf TLS
- # settings, not on TLSCACertificateFile above — confirm. Placed before the
- # first uri, this presumably applies to all targets; check slapd-meta(5).
- tls start
- # the connections from Zenoss need to be refreshed from time to time
- # without this, Zenoss users cannot re-auth against LDAP after one night
- # maybe because of firewall or AD timeouts.
- # This will close the connection from Zenoss to this proxy
- # and incidentaly close the corresponding connection to the
- # AD back-end.
- # This way, Zenoss cannot reuse long-living connections and is forced
- # to re-open them
- # NOTE(review): idletimeout is a GLOBAL slapd.conf(5) directive — it closes
- # any client connection to this slapd idle for this many seconds, not only
- # Zenoss ones. back-meta has a separate target-side "idle-timeout" (with a
- # dash) for its cached connections to the AD servers; if only the AD-side
- # connections need recycling that may be the intended knob — verify.
- idletimeout 300
- # ------------------------------------------------------------------------------
- # AD in stuff
- # ------------------------------------------------------------------------------
- # target 1: the naming context after the host is the branch of OUR suffix
- # this target serves; plain ldap:// — encryption relies on "tls start" above
- uri "ldap://m1pad.ad.stuff.com/dc=extra,dc=proxy,dc=stuff,dc=com"
- # rewrite our virtual branch to the real AD base DN on the way out, and
- # back on the way in (DN fields only)
- suffixmassage "dc=extra,dc=proxy,dc=stuff,dc=com" "dc=ad,dc=stuff,dc=com"
- # service account used towards AD. The password is stored in clear below:
- # this file must be readable only by the slapd user and must never be
- # copied or published unredacted.
- idassert-bind
- bindmethod=simple
- binddn="CN=srvxx,OU=Service Accounts,OU=stuff,dc=ad,dc=stuff,dc=com"
- credentials="xxx"
- # none: requests from authorized clients go to AD with the privileges of
- # binddn itself; the client's own identity is NOT asserted (no proxyAuthz),
- # so every client allowed by idassert-authzFrom gets the full read rights
- # of the service account
- mode=none
- # non-prescriptive: clients outside idassert-authzFrom are not rejected;
- # their requests are forwarded without the service-account identity
- # (anonymously), which AD typically refuses
- flags=non-prescriptive
- # this allows every user within ou=service,...
- # dn.subtree: only clients bound as a DN at or below
- # ou=service,ou=account,dc=stuff,dc=com qualify; those entries presumably
- # live in the local bdb database at the end of this file — verify
- idassert-authzFrom "dn.subtree:ou=service,ou=account,dc=stuff,dc=com"
- # filters need a rewrite as well
- # regex with one capture group; %1 is the captured prefix and the trailing
- # ":" is the (empty) rewrite-flags field
- rewriteContext searchFilter
- rewriteRule "(.*)dc=extra,dc=proxy,dc=stuff,dc=com" "%1dc=ad,dc=stuff,dc=com" ":"
- # ------------------------------------------------------------------------------
- # AD in Intranet
- # ------------------------------------------------------------------------------
- # target 2: same pattern as target 1 for the intranet forest
- uri "ldap://dc-003.intra.local/dc=intra,dc=proxy,dc=stuff,dc=com"
- suffixmassage "dc=intra,dc=proxy,dc=stuff,dc=com" "dc=intra,dc=local"
- # cleartext service-account password — same file-permission caveat as above
- idassert-bind
- bindmethod=simple
- binddn="CN=srvxxx,OU=Service Accounts,OU=Infrastructure,DC=intra,DC=local"
- credentials="xxx"
- # see target 1 for the meaning of mode=none / non-prescriptive
- mode=none
- flags=non-prescriptive
- # this allows every user within ou=service,...
- idassert-authzFrom "dn.subtree:ou=service,ou=account,dc=stuff,dc=com"
- # filters need a rewrite as well
- rewriteContext searchFilter
- rewriteRule "(.*)dc=intra,dc=proxy,dc=stuff,dc=com" "%1dc=intra,dc=local" ":"
- # ------------------------------------------------------------------------------
- # protect the local meta
- # ------------------------------------------------------------------------------
- # Local back-bdb database holding dc=stuff,dc=com, the superior of the meta
- # database above (which is glued under it via "subordinate"). The service
- # accounts named by idassert-authzFrom presumably live here — verify.
- database bdb
- suffix "dc=stuff,dc=com"
- rootdn "cn=manager,dc=stuff,dc=com"
- # NOTE(review): keep rootpw hashed ({SSHA}, as the meta database above does)
- # rather than a cleartext string; "xxx" here is a redaction placeholder.
- rootpw "xxx"
- # NOTE(review): no "access" directive appears anywhere in this file. Without
- # one, slapd's default policy lets every client read everything, including
- # the userPassword values of the accounts stored here. Something like
- #   access to attrs=userPassword by self write by anonymous auth by * none
- #   access to * by * read
- # belongs in this database section — confirm against the running config.
- directory /opt/openldap/var/openldap-data-proxy-service
- # ------------------------------------------------------------------------------
- # for Microsoft attributes
- # ------------------------------------------------------------------------------
- # NOTE(review): an "overlay" line attaches to the most recently declared
- # database, i.e. this local bdb database, NOT the AD-proxying meta database
- # above. Mapping uid to sAMAccountName looks like it was meant for the AD
- # targets; if so, these three lines belong after "database meta" (before
- # its first uri). Confirm the intent before moving them.
- overlay rwm
- # rwm-map attribute <client-visible name> <backend name>: clients see
- # "email" and "uid", the backend stores "mail" and "sAMAccountName"
- rwm-map attribute email mail
- rwm-map attribute uid sAMAccountName