Michael Oberg - Freiberuflicher EDV-Berater und Software-Entwickler
Frame Version


slapd.conf

The configuration file /etc/openldap/slapd.conf contains among other things the following settings:

  • the included schemas,
  • the "log level" set on zero (because LDAP takes over all authentications and access right examinations, even the smallest "log level" lets overflow the log files),
  • the access rights (see below),
  • the "suffix" (in other configuration files usually mentioned as "ldapbase" or simply "base"), that in a myLinux server always must be of the form "dc=<SUBDOMAIN>,dc=<TOPLEVELDOMAIN>", for example "dc=fourier group, dc=de", the distinguished name of the LDAP administrator, the password of the LDAP administrator in plain text (one of the setup scripts extracts this password from the file and stores it for the user manager, which is using it for different actions like the creation of users),
  • the path to the database files,
  • the indices which have to be created for fast access to configuration data of sendmail, the authentication entries of pam_ldap and address data by mail clients such as Outlook, and
  • last the paths to the SSL certificates.

Access rights

The assignment of access rights on the LDAP directory was already described under LDAP in the section "Dedicated Access to LDAP".

Explicit setting up access rights is thereby quite simple ("... by dn=... write"). The problem is, that with enabling write access security gaps may be opened. This could lead to an insecure server, open to breakins.

For example in order to reserve the creation of UNIX users or groups only to the LDAP administrator, the creation of such objects in the directory"contacts" must be forbidden - the only way is to make the reading of attributes typical for these objects (passwords, ID numbers) impossible.

Also certain system-critical attributes may not be changed within user and group objects (ID numbers, passwords, group and user name).