Re: Fwd: Re: Make /etc/default/slapd automatically configurable
On Sun, Aug 08, 2010 at 05:59:15PM +0200, Luk Claes wrote:
> Hi
>
> Can someone more involved with Debian Edu have a look at this, TIA?
[...]
> This bug is open for a long time now, what reasonable defaults are
> needed for debian-edu ?
>
> I've attached the default file currently shipped with OpenLDAP.
[...]
Here are the modifications needed/done by debian-edu:
> # Default location of the slapd.conf file. If empty, use the compiled-in
> # default (/etc/ldap/slapd.conf). If using the cn=config backend to store
> # configuration in LDIF, set this variable to the directory containing the
> # cn=config data.
> SLAPD_CONF=
>
> # System account to run the slapd server under. If empty the server
> # will run as root.
> SLAPD_USER="openldap"
>
> # System group to run the slapd server under. If empty the server will
> # run in the primary group of its user.
> SLAPD_GROUP="openldap"
>
> # Path to the pid file of the slapd server. If not set the init.d script
> # will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by
> # default)
> SLAPD_PIDFILE=
>
> # slapd normally serves ldap only on all TCP-ports 389. slapd can also
> # service requests on TCP-port 636 (ldaps) and requests via unix
> # sockets.
> # Example usage:
> # SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
> SLAPD_SERVICES="ldap:/// ldapi:///"
We currently add the deprecated ldaps:/// protocoll here:
SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
It would be nice if we would not need ldaps and could only use
TLS. This has to be checked.
> # If SLAPD_NO_START is set, the init script will not start or restart
> # slapd (but stop will still work). Uncomment this if you are
> # starting slapd via some other means or if you don't want slapd normally
> # started at boot.
> #SLAPD_NO_START=1
>
> # If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
> # the init script will not start or restart slapd (but stop will still
> # work). Use this for temporarily disabling startup of slapd (when doing
> # maintenance, for example, or through a configuration management system)
> # when you don't want to edit a configuration file.
> SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
>
> # For Kerberos authentication (via SASL), slapd by default uses the system
> # keytab file (/etc/krb5.keytab). To use a different keytab file,
> # uncomment this line and change the path.
> #export KRB5_KTNAME=/etc/krb5.keytab
We add:
KRB5_KTNAME=/etc/krb5.keytab.ldap; export KRB5_KTNAME
here. We do not use the default keytab file because the user openldap
needs to have read permissions on that file.
> # Additional options to pass to slapd
> SLAPD_OPTIONS=""
>
We use:
SLAPD_OPTIONS="-4"
here, which might be there for traditional reasons.
I am currently not able to test the entries as I have no debian-edu
installation around for the time being.
Best regards,
Andi
Reply to: