On Sun, Aug 08, 2010 at 05:59:15PM +0200, Luk Claes wrote:
> Hi
>
> Can someone more involved with Debian Edu have a look at this, TIA?
[...]
> This bug is open for a long time now, what reasonable defaults are
> needed for debian-edu ?
>
> I've attached the default file currently shipped with OpenLDAP.
[...]

Here are the modifications needed/done by debian-edu:

> # Default location of the slapd.conf file. If empty, use the compiled-in
> # default (/etc/ldap/slapd.conf). If using the cn=config backend to store
> # configuration in LDIF, set this variable to the directory containing the
> # cn=config data.
> SLAPD_CONF=
>
> # System account to run the slapd server under. If empty the server
> # will run as root.
> SLAPD_USER="openldap"
>
> # System group to run the slapd server under. If empty the server will
> # run in the primary group of its user.
> SLAPD_GROUP="openldap"
>
> # Path to the pid file of the slapd server. If not set the init.d script
> # will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by
> # default)
> SLAPD_PIDFILE=
>
> # slapd normally serves ldap only on all TCP-ports 389. slapd can also
> # service requests on TCP-port 636 (ldaps) and requests via unix
> # sockets.
> # Example usage:
> # SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
> SLAPD_SERVICES="ldap:/// ldapi:///"

We currently add the deprecated ldaps:/// protocol here:

SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"

It would be nice if we would not need ldaps and could only use TLS. This
has to be checked.

> # If SLAPD_NO_START is set, the init script will not start or restart
> # slapd (but stop will still work). Uncomment this if you are
> # starting slapd via some other means or if you don't want slapd normally
> # started at boot.
> #SLAPD_NO_START=1
>
> # If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
> # the init script will not start or restart slapd (but stop will still
> # work). Use this for temporarily disabling startup of slapd (when doing
> # maintenance, for example, or through a configuration management system)
> # when you don't want to edit a configuration file.
> SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
>
> # For Kerberos authentication (via SASL), slapd by default uses the system
> # keytab file (/etc/krb5.keytab). To use a different keytab file,
> # uncomment this line and change the path.
> #export KRB5_KTNAME=/etc/krb5.keytab

We add:

KRB5_KTNAME=/etc/krb5.keytab.ldap; export KRB5_KTNAME

here. We do not use the default keytab file because the user openldap
needs to have read permissions on that file.

> # Additional options to pass to slapd
> SLAPD_OPTIONS=""
>

We use:

SLAPD_OPTIONS="-4"

here, which might be there for traditional reasons.

I am currently not able to test the entries as I have no debian-edu
installation around for the time being.

Best regards,

Andi
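The three debian-edu changes listed in the message above (the extra ldaps:/// listener, the dedicated keytab, and -4) can be checked mechanically. The following is an added example, not part of the original message or of the slapd package; the function names `audit_slapd_defaults` and `write_sample_defaults` and the temporary paths are hypothetical.

```shell
#!/bin/sh
# Added example: audit an /etc/default/slapd style file for the settings
# discussed in the message. audit_slapd_defaults FILE sources FILE in a
# subshell, the way an init script reads it, so run it only on a trusted file.
audit_slapd_defaults() {
    (
        unset SLAPD_USER SLAPD_SERVICES SLAPD_OPTIONS KRB5_KTNAME
        . "$1" || exit 2
        [ -n "${SLAPD_USER:-}" ] || echo "user: SLAPD_USER is empty, slapd runs as root"
        case " ${SLAPD_SERVICES:-} " in
            *" ldaps:"*) echo "services: ldaps listener enabled" ;;
        esac
        case " ${SLAPD_OPTIONS:-} " in
            *" -4 "*) echo "options: -4 set, slapd listens on IPv4 only" ;;
        esac
        kt=${KRB5_KTNAME:-/etc/krb5.keytab}
        if [ "$kt" = /etc/krb5.keytab ]; then
            echo "keytab: system keytab in use, ${SLAPD_USER:-root} must be able to read it"
        else
            # env is an external command, so it only sees exported variables.
            env | grep -q '^KRB5_KTNAME=' ||
                echo "keytab: KRB5_KTNAME is set but not exported, slapd will not see it"
            # A dedicated keytab should be readable by the slapd account only.
            if [ -n "$(find "$kt" -prune \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
                echo "keytab: $kt is readable by group or others"
            fi
        fi
    )
}

# Constructed sample carrying the debian-edu values quoted in the message;
# the keytab is an empty stand-in created under DIR with mode 0644.
write_sample_defaults() {
    : > "$1/krb5.keytab.ldap" && chmod 644 "$1/krb5.keytab.ldap"
    cat > "$1/slapd" <<EOF
SLAPD_USER="openldap"
SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
KRB5_KTNAME="$1/krb5.keytab.ldap"; export KRB5_KTNAME
SLAPD_OPTIONS="-4"
EOF
}

# Demo run on the constructed sample.
demo_dir=$(mktemp -d) && write_sample_defaults "$demo_dir" &&
    audit_slapd_defaults "$demo_dir/slapd"; rm -rf "$demo_dir"
```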