Administrator for groups OpenLDAP with Samba Admins
Hi,
For weeks I have been reading about OpenLDAP, in the mailing lists, etc. Basically I have Samba with LDAP and I need a GUI to administer the users (I can use smbldap-tools and a shell, but some of the administrators cannot). I installed phpldapadmin, and I can log in with the user "Administrator", but I cannot change, remove or add any user or anything. I have read about people who have configurations similar to mine and have solved this problem. Apart from the user interface everything seems to work fine: the machines are joined to the domain, and the Samba server is a PDC.
As far as I understand I need to create an ACL in /etc/openldap/slapd.conf for the group that is going to administer, and the problem is that I am trying to grant permissions to the group "Domain Admins", and Domain Admins is more of a Samba group. So far I can figure out why the things I try are not working, but I don't know how to fix it. It has to do with the objectclass.
One of my ideas was to create an extra group, just for administrators, called something like bofhs. I used this as a reference:
http://www.openldap.org/faq/data/cache/52.html
# NOTE(review): the RDN in the dn line is cn=bofh but the entry carries cn: bofhs.
# slapd requires the naming attribute value to be present in the entry, so the add
# is rejected until the two agree (either cn=bofhs in the dn, or cn: bofh below).
dn: cn=bofh,dc=mydomain,dc=com,dc=ec
cn: bofhs
objectclass: groupofNames
# NOTE(review): this member value does not name an existing entry — in the dump
# below the account is uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec.
# A group=... ACL clause tests membership by comparing DNs, so with this value it
# would never match the real Administrator entry.
member: cn=administrator,dc=mydomain,dc=com,dc=ec
Can I add something to the "Domain Admins" group so they can change data?
But I had problems creating this group; it didn't work. In some examples they use ou=Group, and I don't understand what the ou does.
Here is a sample of a backup of the LDAP DB:
dn: dc=mydomain,dc=com,dc=ec
objectClass: dcObject
objectClass: organization
o: Company
dc: mydomain
structuralObjectClass: organization
entryUUID: 9c8201ce-ccc9-102f-9758-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210326Z
entryCSN: 20110214210326Z#000000#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210326Z
dn: cn=Manager,dc=mydomain,dc=com,dc=ec
objectClass: organizationalRole
cn: Manager
structuralObjectClass: organizationalRole
entryUUID: 9c82917a-ccc9-102f-9759-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210326Z
entryCSN: 20110214210326Z#000001#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210326Z
dn: ou=People,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: organizationalUnit
ou: People
structuralObjectClass: organizationalUnit
entryUUID: b071f8b0-ccc9-102f-975a-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#000000#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z
dn: ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: organizationalUnit
ou: Group
structuralObjectClass: organizationalUnit
entryUUID: b0727074-ccc9-102f-975b-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#000001#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z
dn: ou=Computers,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: organizationalUnit
ou: Computers
structuralObjectClass: organizationalUnit
entryUUID: b072cd3a-ccc9-102f-975c-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#000002#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z
dn: ou=Idmap,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: organizationalUnit
ou: Idmap
structuralObjectClass: organizationalUnit
entryUUID: b07343a0-ccc9-102f-975d-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#000003#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z
dn: uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec
cn: Administrator
sn: Administrator
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 0
uid: Administrator
uidNumber: 0
homeDirectory: /home/Administrator
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomePath: \\IESS\Administrator
sambaHomeDrive: H:
sambaProfilePath: \\IESS\profiles\Administrator
sambaPrimaryGroupSID: S-1-5-21-2323392562-1448967901-2038806033-512
sambaSID: S-1-5-21-2323392562-1448967901-2038806033-500
loginShell: /bin/false
gecos: Netbios Domain Administrator
structuralObjectClass: inetOrgPerson
entryUUID: b0739f26-ccc9-102f-975e-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
sambaLMPassword: 71DAB35FA93A2AB817306D272A9441BB
sambaAcctFlags: [U]
sambaNTPassword: AB9EA058E462D1881CD7AAC70FC462F2
sambaPwdLastSet: 1305237753
sambaPwdMustChange: 1309125753
userPassword:: e1NTSEF9Mnl6SUJjNTZEN1AxaW5oVmhFaE05dWtLNE1CdGR6Tkw=
shadowLastChange: 15106
shadowMax: 45
entryCSN: 20110512220224Z#000001#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110512220224Z
dn: uid=nobody,ou=People,dc=mydomain,dc=com,dc=ec
cn: nobody
sn: nobody
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 514
uid: nobody
uidNumber: 999
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\IESS\nobody
sambaHomeDrive: H:
sambaProfilePath: \\IESS\profiles\nobody
sambaPrimaryGroupSID: S-1-5-21-2323392562-1448967901-2038806033-514
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [NUD ]
sambaSID: S-1-5-21-2323392562-1448967901-2038806033-2998
loginShell: /bin/false
structuralObjectClass: inetOrgPerson
entryUUID: b07615da-ccc9-102f-975f-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#000005#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z
dn: cn=Domain Admins,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: Administrator
description: Netbios Domain Administrators
sambaSID: S-1-5-21-2323392562-1448967901-2038806033-512
sambaGroupType: 2
displayName: Domain Admins
structuralObjectClass: posixGroup
entryUUID: b0769776-ccc9-102f-9760-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#000006#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z
dn: cn=Domain Users,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: S-1-5-21-2323392562-1448967901-2038806033-513
sambaGroupType: 2
displayName: Domain Users
structuralObjectClass: posixGroup
entryUUID: b07735b4-ccc9-102f-9761-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
memberUid: user1
memberUid: user2
memberUid: user3
entryCSN: 20110511142120Z#000002#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110511142120Z
dn: cn=Domain Guests,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users
sambaSID: S-1-5-21-2323392562-1448967901-2038806033-514
sambaGroupType: 2
displayName: Domain Guests
structuralObjectClass: posixGroup
entryUUID: b077a364-ccc9-102f-9762-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#000008#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z
dn: cn=Domain Computers,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-2323392562-1448967901-2038806033-515
sambaGroupType: 2
displayName: Domain Computers
structuralObjectClass: posixGroup
entryUUID: b0781966-ccc9-102f-9763-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#000009#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z
dn: cn=Administrators,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/sambaDom
ainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
structuralObjectClass: posixGroup
entryUUID: b07892b0-ccc9-102f-9764-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#00000a#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z
dn: cn=Account Operators,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: Account Operators
description: Netbios Domain Users to manipulate users accounts
sambaSID: S-1-5-32-548
sambaGroupType: 5
displayName: Account Operators
structuralObjectClass: posixGroup
entryUUID: b07907c2-ccc9-102f-9765-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#00000b#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z
dn: cn=Print Operators,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 5
displayName: Print Operators
structuralObjectClass: posixGroup
entryUUID: b079790a-ccc9-102f-9766-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#00000c#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z
dn: cn=Backup Operators,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 5
displayName: Backup Operators
structuralObjectClass: posixGroup
entryUUID: b079eab6-ccc9-102f-9767-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#00000d#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z
dn: cn=Replicators,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 5
displayName: Replicators
structuralObjectClass: posixGroup
entryUUID: b07a6950-ccc9-102f-9768-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#00000e#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z
dn: sambaDomainName=IESS,dc=mydomain,dc=com,dc=ec
structuralObjectClass: sambaDomain
entryUUID: b07ad228-ccc9-102f-9769-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
sambaPwdHistoryLength: 0
sambaLockoutThreshold: 0
sambaMaxPwdAge: -1
gidNumber: 1000
uidNumber: 1000
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaSID: S-1-5-21-2323392562-1448967901-2038806033
sambaNextRid: 1000
sambaDomainName: IESS
entryCSN: 20110512220215Z#000000#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110512220215Z
dn: uid=user1,ou=People,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: user1
sn: user1
givenName: user1
uid: user1
uidNumber: 1002
gidNumber: 513
homeDirectory: /home/user1
loginShell: /bin/false
gecos: System User
userPassword:: e2NyeXB0fXg=
structuralObjectClass: inetOrgPerson
entryUUID: e660228a-ccc9-102f-9447-ffc7e9a6c1f6
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210530Z
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
displayName: rloor
sambaAcctFlags: [UX]
sambaSID: S-1-5-21-2323392562-1448967901-2038806033-3004
sambaLMPassword: XXX
sambaPrimaryGroupSID: S-1-5-21-2323392562-1448967901-2038806033-513
sambaNTPassword: XXX
sambaLogonScript: logon.bat
sambaHomePath: \\IESS\user1
sambaHomeDrive: H:
entryCSN: 20110214210530Z#000006#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210530Z
dn: uid=user2,ou=People,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: user2
sn: user2
givenName: user2
uid: user2
uidNumber: 1003
gidNumber: 513
homeDirectory: /home/user2
loginShell: /bin/false
gecos: System User
userPassword:: e2NyeXB0fXg=
structuralObjectClass: inetOrgPerson
entryUUID: e692c104-ccc9-102f-9448-ffc7e9a6c1f6
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210530Z
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
displayName: user2
sambaAcctFlags: [UX]
sambaSID: S-1-5-21-2323392562-1448967901-2038806033-3006
sambaLMPassword: XXX
sambaPrimaryGroupSID: S-1-5-21-2323392562-1448967901-2038806033-513
sambaNTPassword: XXX
sambaLogonScript: logon.bat
sambaHomePath: \\IESS\user2
sambaHomeDrive: H:
entryCSN: 20110214210530Z#00000b#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210530Z
dn: uid=user3,ou=People,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: user3
sn: user3
givenName: user3
uid: user3
uidNumber: 1204
gidNumber: 513
homeDirectory: /home/user3
loginShell: /bin/false
gecos: System User
structuralObjectClass: inetOrgPerson
entryUUID: e6c4c500-ccc9-102f-9449-ffc7e9a6c1f6
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210531Z
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: user3
sambaSID: S-1-5-21-2323392562-1448967901-2038806033-3008
sambaPrimaryGroupSID: S-1-5-21-2323392562-1448967901-2038806033-513
sambaLogonScript: logon.bat
sambaHomePath: \\IESS\user3
sambaHomeDrive: H:
sambaLMPassword: 57D26D340E8A2411AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: 79715183CF6136D501018FF3F5C381E4
sambaPwdLastSet: 1297878031
sambaPwdMustChange: 1301766031
userPassword:: e1NTSEF9MXQ3dHJoWUxRT05hUnFuQWQ0N3A5QTAwQUNkR05tZGg=
shadowLastChange: 15021
shadowMax: 45
entryCSN: 20110216174031Z#000003#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110216174031Z
And here is my slapd.conf. I erased the ACLs I created to test most of it; none of them worked.
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# samba.schema supplies the samba* object classes and attributes used by the
# entries in the dump above (sambaSamAccount, sambaGroupMapping, sambaDomain,
# and the sambaLMPassword / sambaNTPassword hash attributes).
include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
# NOTE(review): only keep this if a v2-only client actually exists; phpldapadmin,
# smbldap-tools and Samba's ldapsam backend are expected to speak LDAPv3 — confirm.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
# modulepath /usr/lib64/openldap
# Modules available in openldap-servers-overlays RPM package
# Module syncprov.la is now statically linked with slapd and there
# is no need to load it here
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload smbk5pwd.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# modules available in openldap-servers-sql RPM package:
# moduleload back_sql.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# NOTE(review): with the TLS directives and the security directive both commented
# out, nothing in this file requires an encrypted session. Simple binds (including
# the Administrator login from phpldapadmin) then carry the password in clear
# unless the connection is protected elsewhere (ldaps/StartTLS on the client side,
# or a local ldapi:// socket) — confirm how the clients actually connect.
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#access to *
# by self write
# by users read
# by anonymous auth
#access to attrs=userpassword
# by self =xw
# by anonymous auth by anonymous auth
#access to *
# by self write
# by users read
# NOTE(review): only userPassword is protected by this rule. The Samba hash
# attributes (sambaLMPassword, sambaNTPassword — present on every sambaSamAccount
# entry in the dump above) are not listed, so they fall through to the
# "access to *" rule below. The usual pattern is to protect them together, i.e.
# access to attrs=userPassword,sambaLMPassword,sambaNTPassword ...
# The dump above also shows those hash values unredacted for Administrator and
# user3; once a dump has been shared, those passwords should be changed.
access to attrs=userpassword by self write by anonymous auth by * none
# NOTE(review): "by anonymous read" on every entry lets an unauthenticated bind
# read everything not excluded by the rule above, which includes the Samba hashes.
# "by users read" (authenticated only) is the usual minimum for account data.
access to * by self write by users read by anonymous read by * none
# NOTE(review): this directive is never reached. slapd evaluates "access to"
# directives in order and stops at the first one whose <what> matches the entry;
# the "access to *" above matches every entry, so Administrator only ever gets
# "by self write / by users read" from it. Move this rule above the catch-all, or
# fold its <who> clause into that rule. Also, a <who> clause is written as
# by dn="uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec" write — the bare
# "by uid=..." form is not the documented syntax and may be rejected at parse
# time (run slaptest and check the startup log). To grant "Domain Admins" instead,
# note that a group=... clause compares member values as DNs, while the
# Domain Admins entry in the dump is a posixGroup whose memberUid holds a uid
# ("Administrator"), not a DN — check slapd.access(5) for the group/<objectclass>/
# <attrname> form before relying on it.
access to * by uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec write
#access to dn.regex = "ou = personal_addressbook or =(.+),, dc = korrigan, dc = org"
#by dn.regex="cn=$1,ou=Users,dc=korrigan,dc=org" write by dn.regex = "cn = $ 1, ou = Users, dc = korrigan, dc = org" write
#by dn="cn=admin,dc=korrigan,dc=org" write by dn = "cn = admin, dc = korrigan, dc = org" write
#by * none by * none
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=mydomain,dc=com,dc=ec"
# NOTE(review): every entry in the dump above was created and last modified as
# cn=Manager (creatorsName / modifiersName), i.e. day-to-day administration is
# currently done with the rootdn credentials, which bypass every ACL. Once the
# Administrator ACL works, the rootdn password is better kept for emergencies.
rootdn "cn=Manager,dc=mydomain,dc=com,dc=ec"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
# Extra settings for acting as the LDAP master server
# loglevel 256 is the "stats" level (connections, operations, results); useful
# here because bind and modify failures from phpldapadmin show up in the log.
loglevel 256
Sorry for the long email.
JDC