Installer FusionDirectory sur CentOS 6

Cette page est en cours de rédaction, les notes peuvent être incomplètes ou erronées

Dans ce how-to, nous allons mettre en place FusionDirectory pour gérer dans un annuaire LDAP

Les groupes et utilisateurs
Samba
DHCP
DNS
les utilisateurs LDAP système (branche DSA)

Deux serveurs seront mis en place:

Le premier exécutera OpenLDAP
Le second hébergera l'interface de FusionDirectory

Prérequis

Deux serveurs (possible de tout déployer sur un seul également) sous CentOS 6.4 x86_64. Le dépôt EPEL est configuré et activé

Configuration des dépôts

Il faut ajouter le dépôt FusionFirectory

cat <<'EOF' > /etc/yum.repos.d/fusiondirectory.repo
[fusiondirectory]
name=Fusiondirectory Packages for RHEL / CentOS 6
baseurl=http://repos.fusiondirectory.org/rhel/6/noarch
enabled=1
gpgcheck=1
gpgkey=http://download.fusiondirectory.org/gpg/fusiondirectory_public.key
EOF

Préparer l'environnement

mkdir /etc/install
chmod 700 /etc/install
echo 'p@ssw0rd' > /etc/install/ldap.pw
echo 'Firewall Services' > /etc/install/ldap.org
echo 'dc=firewall-services,dc=com' > /etc/install/ldap.base
echo 'firewall-services' > /etc/install/ldap.topdc
echo 'files' > /etc/install/samba.netbios
echo 'FIREWALL.LOCAL' > /etc/install/samba.domain
echo 'firewall-services.com' > /etc/install/dnsdomain
openssl rand -base64 33 | perl -pe 's/\//\./g' > /etc/install/samba.pw
openssl rand -base64 33 | perl -pe 's/\//\./g' > /etc/install/dhcp.pw
openssl rand -base64 33 | perl -pe 's/\//\./g' > /etc/install/unix.pw
openssl rand -base64 33 | perl -pe 's/\//\./g' > /etc/install/dns.pw
openssl rand -base64 33 | perl -pe 's/\//\./g' > /etc/install/ssh.pw

Installer OpenLDAP

Sur le serveur LDAP

installer OpenLDAP:

yum install openldap-servers openldap-clients

Installer les schemas

yum install fusiondirectory-schema

Schema supplémentaires:

Récupérer et installer les 4 fichiers suivants dans /etc/openldap/schema/fusiondirectory

dhcp-fd.schema

attributetype ( 2.16.840.1.38414.1.203.4.1 
  NAME 'dhcpPrimaryDN' 
  EQUALITY distinguishedNameMatch
  DESC 'The DN of the dhcpServer which is the primary server for the configuration.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
 
attributetype ( 2.16.840.1.38414.1.203.4.2 
  NAME 'dhcpSecondaryDN' 
  EQUALITY distinguishedNameMatch
  DESC 'The DN of dhcpServer(s) which provide backup service for the configuration.'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
 
attributetype ( 2.16.840.1.38414.1.203.4.3 
  NAME 'dhcpStatements' 
  EQUALITY caseIgnoreIA5Match
  DESC 'Flexible storage for specific data depending on what object this exists in. Like conditional statements, server parameters, etc. This allows the standard to evolve without needing to adjust the schema.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
attributetype ( 2.16.840.1.38414.1.203.4.4 
  NAME 'dhcpRange' 
  EQUALITY caseIgnoreIA5Match
  DESC 'The starting & ending IP Addresses in the range (inclusive), separated by a hyphen; if the range only contains one address, then just the address can be specified with no hyphen.  Each range is defined as a separate value.'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
attributetype ( 2.16.840.1.38414.1.203.4.5 
  NAME 'dhcpPermitList' 
  EQUALITY caseIgnoreIA5Match
  DESC 'This attribute contains the permit lists associated with a pool. Each permit list is defined as a separate value.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
attributetype ( 2.16.840.1.38414.1.203.4.6 
  NAME 'dhcpNetMask' 
  EQUALITY integerMatch
  DESC 'The subnet mask length for the subnet.  The mask can be easily computed from this length.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 
attributetype ( 2.16.840.1.38414.1.203.4.7 
  NAME 'dhcpOption' 
  EQUALITY caseIgnoreIA5Match
  DESC 'Encoded option values to be sent to clients.  Each value represents a single option and contains (OptionTag, Length, OptionValue) encoded in the format used by DHCP.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
attributetype ( 2.16.840.1.38414.1.203.4.8 
  NAME 'dhcpClassData' 
  EQUALITY caseIgnoreIA5Match
  DESC 'Encoded text string or list of bytes expressed in hexadecimal, separated by colons.  Clients match subclasses based on matching the class data with the results of match or spawn with statements in the class name declarations.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 
attributetype ( 2.16.840.1.38414.1.203.4.9 
  NAME 'dhcpOptionsDN' 
  EQUALITY distinguishedNameMatch
  DESC 'The distinguished name(s) of the dhcpOption objects containing the configuration options provided by the server.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
 
attributetype ( 2.16.840.1.38414.1.203.4.10 
  NAME 'dhcpHostDN' 
  EQUALITY distinguishedNameMatch
  DESC 'the distinguished name(s) of the dhcpHost objects.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) 
 
attributetype ( 2.16.840.1.38414.1.203.4.11 
  NAME 'dhcpPoolDN' 
  EQUALITY distinguishedNameMatch
  DESC 'The distinguished name(s) of pools.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
 
attributetype ( 2.16.840.1.38414.1.203.4.12 
  NAME 'dhcpGroupDN' 
  EQUALITY distinguishedNameMatch
  DESC 'The distinguished name(s)   of the groups.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
 
attributetype ( 2.16.840.1.38414.1.203.4.13 
  NAME 'dhcpSubnetDN' 
  EQUALITY distinguishedNameMatch
  DESC 'The distinguished name(s) of the subnets.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
 
attributetype ( 2.16.840.1.38414.1.203.4.14 
  NAME 'dhcpLeaseDN' 
  EQUALITY distinguishedNameMatch
  DESC 'The distinguished name of a client address.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE)
 
attributetype ( 2.16.840.1.38414.1.203.4.15 
  NAME 'dhcpLeasesDN' 
  DESC 'The distinguished name(s) client addresses.' 
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
 
attributetype ( 2.16.840.1.38414.1.203.4.16 
  NAME 'dhcpClassesDN' 
  EQUALITY distinguishedNameMatch
  DESC 'The distinguished name(s) of a class(es) in a subclass.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
 
attributetype ( 2.16.840.1.38414.1.203.4.17 
  NAME 'dhcpSubclassesDN' 
  EQUALITY distinguishedNameMatch
  DESC 'The distinguished name(s) of subclass(es).' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
 
attributetype ( 2.16.840.1.38414.1.203.4.18 
  NAME 'dhcpSharedNetworkDN' 
  EQUALITY distinguishedNameMatch
  DESC 'The distinguished name(s) of sharedNetworks.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
 
attributetype ( 2.16.840.1.38414.1.203.4.19 
  NAME 'dhcpServiceDN' 
  EQUALITY distinguishedNameMatch
  DESC 'The DN of dhcpService object(s)which contain the configuration information. Each dhcpServer object has this attribute identifying the DHCP configuration(s) that the server is associated with.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
 
attributetype ( 2.16.840.1.38414.1.203.4.20 
  NAME 'dhcpVersion'
  DESC 'The version attribute of this object.'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 
attributetype ( 2.16.840.1.38414.1.203.4.21 
  NAME 'dhcpImplementation' 
  EQUALITY caseIgnoreIA5Match
  DESC 'Description of the DHCP Server implementation e.g. DHCP Servers vendor.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 
attributetype ( 2.16.840.1.38414.1.203.4.22 
  NAME 'dhcpAddressState' 
  EQUALITY caseIgnoreIA5Match
  DESC 'This stores information about the current binding-status of an address.  For dynamic addresses managed by DHCP, the values should be restricted to the following: "FREE", "ACTIVE", "EXPIRED", "RELEASED", "RESET", "ABANDONED", "BACKUP".  For other addresses, it SHOULD be one of the following: "UNKNOWN", "RESERVED" (an address that is managed by DHCP that is reserved for a specific client), "RESERVED-ACTIVE" (same as reserved, but address is currently in use), "ASSIGNED" (assigned manually or by some other mechanism), "UNASSIGNED", "NOTASSIGNABLE".'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 
attributetype ( 2.16.840.1.38414.1.203.4.23 
  NAME 'dhcpExpirationTime' 
  EQUALITY generalizedTimeMatch 
  DESC 'This is the time the current lease for an address expires.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
 
attributetype ( 2.16.840.1.38414.1.203.4.24 
  NAME 'dhcpStartTimeOfState' 
  EQUALITY generalizedTimeMatch 
  DESC 'This is the time of the last state change for a leased address.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
 
attributetype ( 2.16.840.1.38414.1.203.4.25 
  NAME 'dhcpLastTransactionTime' 
  EQUALITY generalizedTimeMatch 
  DESC 'This is the last time a valid DHCP packet was received from the client.'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
 
attributetype ( 2.16.840.1.38414.1.203.4.26 
  NAME 'dhcpBootpFlag' 
  EQUALITY booleanMatch 
  DESC 'This indicates whether the address was assigned via BOOTP.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
 
attributetype ( 2.16.840.1.38414.1.203.4.27 
  NAME 'dhcpDomainName' 
  EQUALITY caseIgnoreIA5Match
  DESC 'This is the name of the domain sent to the client by the server.  It is essentially the same as the value for DHCP option 15 sent to the client, and represents only the domain - not the full FQDN.  To obtain the full FQDN assigned to the client you must prepend the "dhcpAssignedHostName" to this value with a ".".' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 
attributetype ( 2.16.840.1.38414.1.203.4.28 
  NAME 'dhcpDnsStatus' 
  EQUALITY integerMatch
  DESC 'This indicates the status of updating DNS resource records on behalf of the client by the DHCP server for this address.  The value is a 16-bit bitmask.'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 
attributetype ( 2.16.840.1.38414.1.203.4.29 
  NAME 'dhcpRequestedHostName' 
  EQUALITY caseIgnoreIA5Match
  DESC 'This is the hostname that was requested by the client.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 
attributetype ( 2.16.840.1.38414.1.203.4.30 
  NAME 'dhcpAssignedHostName' 
  EQUALITY caseIgnoreIA5Match
  DESC 'This is the actual hostname that was assigned to a client. It may not be the name that was requested by the client.  The fully qualified domain name can be determined by appending the value of "dhcpDomainName" (with a dot separator) to this name.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 
attributetype ( 2.16.840.1.38414.1.203.4.31 
  NAME 'dhcpReservedForClient' 
  EQUALITY distinguishedNameMatch
  DESC 'The distinguished name of a "dhcpClient" that an address is reserved for.  This may not be the same as the "dhcpAssignedToClient" attribute if the address is being reassigned but the current lease has not yet expired.'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
 
attributetype ( 2.16.840.1.38414.1.203.4.32 
  NAME 'dhcpAssignedToClient' 
  EQUALITY distinguishedNameMatch
  DESC 'This is the distinguished name of a "dhcpClient" that an address is currently assigned to.  This attribute is only present in the class when the address is leased.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
 
attributetype ( 2.16.840.1.38414.1.203.4.33 
  NAME 'dhcpRelayAgentInfo' 
  EQUALITY octetStringMatch
  DESC 'If the client request was received via a relay agent, this contains information about the relay agent that was available from the DHCP request.  This is a hex-encoded option value.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
 
attributetype ( 2.16.840.1.38414.1.203.4.34 
  NAME 'dhcpHWAddress' 
  EQUALITY caseIgnoreIA5Match
  DESC 'The clients hardware address that requested this IP address.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 
attributetype ( 2.16.840.1.38414.1.203.4.35 
  NAME 'dhcpHashBucketAssignment' 
  EQUALITY octetStringMatch
  DESC 'HashBucketAssignment bit map for the DHCP Server, as defined in DHC Load Balancing Algorithm [RFC 3074].' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
 
attributetype ( 2.16.840.1.38414.1.203.4.36 
  NAME 'dhcpDelayedServiceParameter' 
  EQUALITY integerMatch
  DESC 'Delay in seconds corresponding to Delayed Service Parameter configuration, as defined in  DHC Load Balancing Algorithm [RFC 3074]. '
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 
attributetype ( 2.16.840.1.38414.1.203.4.37 
  NAME 'dhcpMaxClientLeadTime' 
  EQUALITY integerMatch
  DESC 'Maximum Client Lead Time configuration in seconds, as defined in DHCP Failover Protocol [FAILOVR]' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 
attributetype ( 2.16.840.1.38414.1.203.4.38 
  NAME 'dhcpFailOverEndpointState' 
  EQUALITY caseIgnoreIA5Match
  DESC 'Server (Failover Endpoint) state, as defined in DHCP Failover Protocol [FAILOVR]' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 
attributetype ( 2.16.840.1.38414.1.203.4.39 
  NAME 'dhcpErrorLog' 
  EQUALITY caseIgnoreIA5Match
  DESC 'Generic error log attribute that allows logging error conditions within a dhcpService or a dhcpSubnet, like no IP addresses available for lease.'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 
attributetype ( 2.16.840.1.38414.1.203.4.40 
  NAME 'dhcpLocatorDN' 
  EQUALITY distinguishedNameMatch 
  DESC 'The DN of dhcpLocator object which contain the DNs of all DHCP configuration objects. There will be a single dhcpLocator object in the tree with links to all the DHCP objects in the tree' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
 
attributetype  ( 2.16.840.1.38414.1.203.4.41 
  NAME 'dhcpKeyAlgorithm' 
  EQUALITY caseIgnoreIA5Match 
  DESC 'Algorithm to generate TSIG Key' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 
attributetype  ( 2.16.840.1.38414.1.203.4.42 
  NAME 'dhcpKeySecret' 
  EQUALITY octetStringMatch 
  DESC 'Secret to generate TSIG Key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
 
attributetype ( 2.16.840.1.38414.1.203.4.43 
  NAME 'dhcpDnsZoneServer' 
  EQUALITY caseIgnoreIA5Match 
  DESC 'Master server of the DNS Zone' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 
attributetype ( 2.16.840.1.38414.1.203.4.44 
  NAME 'dhcpKeyDN' 
  EQUALITY distinguishedNameMatch 
  DESC 'The DNs of TSIG Key to use in secure dynamic updates. In case of locator object, this will be list of TSIG keys.  In case of DHCP Service, Shared Network, Subnet and DNS Zone, it will be a single key.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
 
attributetype ( 2.16.840.1.38414.1.203.4.45 
  NAME 'dhcpZoneDN' 
  EQUALITY distinguishedNameMatch 
  DESC 'The DNs of DNS Zone. In case of locator object, this will be list of DNS Zones in the tree. In case of DHCP Service, Shared Network and Subnet, it will be a single DNS Zone.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
 
attributetype ( 2.16.840.1.38414.1.203.4.46 
  NAME 'dhcpFailOverPrimaryServer' 
  EQUALITY caseIgnoreIA5Match 
  DESC 'IP address or DNS name of the server playing primary role in DHC Load Balancing and Fail over.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26  )
 
attributetype ( 2.16.840.1.38414.1.203.4.47 
  NAME 'dhcpFailOverSecondaryServer' 
  EQUALITY caseIgnoreIA5Match 
  DESC 'IP address or DNS name of the server playing secondary role in DHC Load Balancing and Fail over.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26  )
 
attributetype ( 2.16.840.1.38414.1.203.4.48
  NAME 'dhcpFailOverPrimaryPort' 
  EQUALITY integerMatch 
  DESC 'Port on which primary server listens for connections from its fail over peer (secondary server)' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27  )
 
attributetype ( 2.16.840.1.38414.1.203.4.49
  NAME 'dhcpFailOverSecondaryPort' 
  EQUALITY integerMatch 
  DESC 'Port on which secondary server listens for connections from its fail over peer (primary server)' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27  )
 
attributetype ( 2.16.840.1.38414.1.203.4.50
  NAME 'dhcpFailOverResponseDelay' 
  EQUALITY integerMatch 
  DESC 'Maximum response time in seconds, before Server assumes that connection to fail over peer has failed' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27  )
 
attributetype ( 2.16.840.1.38414.1.203.4.51
  NAME 'dhcpFailOverUnackedUpdates' 
  EQUALITY integerMatch 
  DESC 'Number of BNDUPD messages that server can send before it receives BNDACK from its fail over peer' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27  )
 
attributetype ( 2.16.840.1.38414.1.203.4.52
  NAME 'dhcpFailOverSplit' 
  EQUALITY integerMatch 
  DESC 'Split between the primary and secondary servers for fail over purpose' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27  )
 
attributetype ( 2.16.840.1.38414.1.203.4.53
  NAME 'dhcpFailOverLoadBalanceTime' 
  EQUALITY integerMatch 
  DESC 'Cutoff time in seconds, after which load balance is disabled' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27  )
 
attributetype ( 2.16.840.1.38414.1.203.4.54
  NAME 'dhcpFailOverPeerDN' 
  EQUALITY distinguishedNameMatch 
  DESC 'The DNs of Fail over peers. In case of locator object, this will be list of fail over peers in the tree. In case of Subnet and pool, it will be a single Fail Over Peer' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) 
 
#List of all servers in the tree
attributetype ( 2.16.840.1.38414.1.203.4.55
  NAME 'dhcpServerDN' 
  EQUALITY distinguishedNameMatch 
  DESC 'List of all  DHCP Servers in the tree. Used by dhcpLocatorObject' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
 
attributetype ( 2.16.840.1.38414.1.203.4.56
  NAME 'dhcpComments' 
  EQUALITY caseIgnoreIA5Match 
  DESC 'Generic attribute that allows coments  within any DHCP object' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 
# Classes
 
objectclass ( 2.16.840.1.38414.1.203.6.1 
  NAME 'dhcpService' 
  DESC 'Service object that represents the actual DHCP Service configuration. This is a container object.' 
  SUP top 
  MUST (cn) 
  MAY ( dhcpPrimaryDN $ dhcpSecondaryDN $ dhcpServerDN $ dhcpSharedNetworkDN $ dhcpSubnetDN $ dhcpGroupDN $ dhcpHostDN $  dhcpClassesDN $ dhcpOptionsDN $ dhcpZoneDN $ dhcpKeyDN $ dhcpFailOverPeerDN $ dhcpStatements $dhcpComments $ dhcpOption) )
 
objectclass ( 2.16.840.1.38414.1.203.6.2 
  NAME 'dhcpSharedNetwork' 
  DESC 'This stores configuration information for a shared network.' 
  SUP top 
  MUST cn 
  MAY ( dhcpSubnetDN $ dhcpPoolDN $ dhcpOptionsDN $ dhcpZoneDN $ dhcpStatements $dhcpComments $ dhcpOption) X-NDS_CONTAINMENT ('dhcpService' ) )
 
objectclass ( 2.16.840.1.38414.1.203.6.3 
  NAME 'dhcpSubnet' 
  DESC 'This class defines a subnet. This is a container object.' 
  SUP top 
  MUST ( cn $ dhcpNetMask ) 
  MAY ( dhcpRange $ dhcpPoolDN $ dhcpGroupDN $ dhcpHostDN $ dhcpClassesDN $ dhcpLeasesDN $ dhcpOptionsDN $ dhcpZoneDN $ dhcpKeyDN $ dhcpFailOverPeerDN $ dhcpStatements $ dhcpComments $ dhcpOption ) X-NDS_CONTAINMENT ('dhcpService' 'dhcpSharedNetwork') )
 
objectclass ( 2.16.840.1.38414.1.203.6.4 
  NAME 'dhcpPool' 
  DESC 'This stores configuration information about a pool.' 
  SUP top 
  MUST ( cn $ dhcpRange ) 
  MAY ( dhcpClassesDN $ dhcpPermitList $ dhcpLeasesDN $ dhcpOptionsDN $ dhcpZoneDN $dhcpKeyDN $ dhcpStatements $ dhcpComments $ dhcpOption ) 
  X-NDS_CONTAINMENT ('dhcpSubnet' 'dhcpSharedNetwork') )
 
objectclass ( 2.16.840.1.38414.1.203.6.5 
  NAME 'dhcpGroup' 
  DESC 'Group object that lists host DNs and parameters. This is a container object.' 
  SUP top 
  MUST cn 
  MAY ( dhcpHostDN $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption )
  X-NDS_CONTAINMENT ('dhcpSubnet' 'dhcpService' ) )
 
objectclass ( 2.16.840.1.38414.1.203.6.6 
  NAME 'dhcpHost' 
  DESC 'This represents information about a particular client' 
  SUP top 
  MUST cn 
  MAY  (dhcpLeaseDN $ dhcpHWAddress $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption) 
  X-NDS_CONTAINMENT ('dhcpService' 'dhcpSubnet' 'dhcpGroup') )
 
objectclass ( 2.16.840.1.38414.1.203.6.7 
  NAME 'dhcpClass' 
  DESC 'Represents information about a collection of related clients.' 
  SUP top 
  MUST cn 
  MAY (dhcpSubClassesDN $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption) 
  X-NDS_CONTAINMENT ('dhcpService' 'dhcpSubnet' ) )
 
objectclass ( 2.16.840.1.38414.1.203.6.8 
  NAME 'dhcpSubClass' 
  DESC 'Represents information about a collection of related classes.' 
  SUP top 
  MUST cn 
  MAY (dhcpClassData $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption) X-NDS_CONTAINMENT 'dhcpClass' )
 
objectclass ( 2.16.840.1.38414.1.203.6.9 
  NAME 'dhcpOptions' 
  DESC 'Represents information about a collection of options defined.' 
  SUP top AUXILIARY
  MUST cn 
  MAY ( dhcpOption $ dhcpComments ) 
  X-NDS_CONTAINMENT  ('dhcpService' 'dhcpSharedNetwork' 'dhcpSubnet' 'dhcpPool' 'dhcpGroup' 'dhcpHost' 'dhcpClass' ) )
 
objectclass ( 2.16.840.1.38414.1.203.6.10 
  NAME 'dhcpLeases' 
  DESC 'This class represents an IP Address, which may or may not have been leased.' 
  SUP top 
  MUST ( cn $ dhcpAddressState ) 
  MAY ( dhcpExpirationTime $ dhcpStartTimeOfState $ dhcpLastTransactionTime $ dhcpBootpFlag $ dhcpDomainName $ dhcpDnsStatus $ dhcpRequestedHostName $ dhcpAssignedHostName $ dhcpReservedForClient $ dhcpAssignedToClient $ dhcpRelayAgentInfo $ dhcpHWAddress ) 
  X-NDS_CONTAINMENT ( 'dhcpService' 'dhcpSubnet' 'dhcpPool') )
 
objectclass ( 2.16.840.1.38414.1.203.6.11 
  NAME 'dhcpLog' 
  DESC 'This is the object that holds past information about the IP address. The cn is the time/date stamp when the address was assigned or released, the address state at the time, if the address was assigned or released.' 
  SUP top 
  MUST ( cn ) 
  MAY ( dhcpAddressState $ dhcpExpirationTime $ dhcpStartTimeOfState $ dhcpLastTransactionTime $ dhcpBootpFlag $ dhcpDomainName $ dhcpDnsStatus $ dhcpRequestedHostName $ dhcpAssignedHostName $ dhcpReservedForClient $ dhcpAssignedToClient $ dhcpRelayAgentInfo $ dhcpHWAddress $ dhcpErrorLog) 
  X-NDS_CONTAINMENT ('dhcpLeases' 'dhcpPool' 'dhcpSubnet' 'dhcpSharedNetwork' 'dhcpService' ) )
 
objectclass ( 2.16.840.1.38414.1.203.6.12 
  NAME 'dhcpServer' 
  DESC 'DHCP Server Object' 
  SUP top AUXILIARY 
  MUST ( cn ) 
  MAY (dhcpServiceDN  $ dhcpLocatorDN $ dhcpVersion $ dhcpImplementation $ dhcpHashBucketAssignment $ dhcpDelayedServiceParameter $ dhcpMaxClientLeadTime $ dhcpFailOverEndpointState $ dhcpStatements $ dhcpComments $ dhcpOption) 
  X-NDS_CONTAINMENT ('organization' 'organizationalunit' 'domain') )
 
objectclass ( 2.16.840.1.38414.1.203.6.13 
  NAME 'dhcpTSigKey' 
  DESC 'TSIG key for secure dynamic updates' 
  SUP top 
  MUST (cn $ dhcpKeyAlgorithm $ dhcpKeySecret ) 
  MAY ( dhcpComments ) 
  X-NDS_CONTAINMENT ('dhcpService' 'dhcpSharedNetwork' 'dhcpSubnet') )
 
objectclass ( 2.16.840.1.38414.1.203.6.14 
  NAME 'dhcpDnsZone' 
  DESC 'DNS Zone for updating leases' 
  SUP top 
  MUST (cn $ dhcpDnsZoneServer ) 
  MAY (dhcpKeyDN $ dhcpComments) 
  X-NDS_CONTAINMENT ('dhcpService' 'dhcpSharedNetwork' 'dhcpSubnet') )
 
objectclass ( 2.16.840.1.38414.1.203.6.15 
  NAME 'dhcpFailOverPeer' 
  DESC 'This class defines the Fail over peer' 
  SUP top 
  MUST ( cn $ dhcpFailOverPrimaryServer $ dhcpFailOverSecondaryServer $ dhcpFailoverPrimaryPort $ dhcpFailOverSecondaryPort) MAY (dhcpFailOverResponseDelay  $ dhcpFailOverUnackedUpdates $ dhcpMaxClientLeadTime $ dhcpFailOverSplit $ dhcpHashBucketAssignment $ dhcpFailOverLoadBalanceTime $ dhcpComments ) 
  X-NDS_CONTAINMENT ('dhcpService' 'dhcpSharedNetwork' 'dhcpSubnet') )
 
objectclass ( 2.16.840.1.38414.1.203.6.16 
  NAME 'dhcpLocator' 
  DESC 'Locator object for DHCP configuration in the tree. There will be a single dhcpLocator object in the tree with links to all the DHCP objects in the tree' 
  SUP top 
  MUST ( cn ) 
  MAY ( dhcpServiceDN $dhcpServerDN $ dhcpSharedNetworkDN $ dhcpSubnetDN $ dhcpPoolDN $ dhcpGroupDN $ dhcpHostDN $  dhcpClassesDN $ dhcpKeyDN $ dhcpZoneDN $ dhcpFailOverPeerDN $ dhcpOption $ dhcpComments) 
  X-NDS_CONTAINMENT ('organization' 'organizationalunit' 'domain') )

dnszone.schema

# A schema for storing DNS zones in LDAP
#
attributetype ( 1.3.6.1.4.1.2428.20.0.0  NAME 'dNSTTL'
	DESC 'An integer denoting time to live'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
 
attributetype ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass'
	DESC 'The class of a resource record'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
attributetype ( 1.3.6.1.4.1.2428.20.0.2 NAME 'zoneName'
	DESC 'The name of a zone, i.e. the name of the highest node in the zone'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
attributetype ( 1.3.6.1.4.1.2428.20.0.3 NAME 'relativeDomainName'
	DESC 'The starting labels of a domain name'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
attributetype ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord'
	DESC 'domain name pointer, RFC 1035'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
attributetype ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord'
	DESC 'host information, RFC 1035'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
attributetype ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord'
	DESC 'mailbox or mail list information, RFC 1035'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
attributetype ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord'
	DESC 'text string, RFC 1035'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
attributetype ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord'
	DESC 'for AFS Data Base location, RFC 1183'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
attributetype ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord'
	DESC 'Signature, RFC 2535'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
attributetype ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord'
	DESC 'Key, RFC 2535'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
attributetype ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord'
	DESC 'IPv6 address, RFC 1886'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
attributetype ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord'
	DESC 'Location, RFC 1876'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
attributetype ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord'
	DESC 'non-existant, RFC 2535'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
attributetype ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord'
	DESC 'service location, RFC 2782'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
attributetype ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord'
	DESC 'Naming Authority Pointer, RFC 2915'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
attributetype ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord'
	DESC 'Key Exchange Delegation, RFC 2230'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
attributetype ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord'
	DESC 'certificate, RFC 2538'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
attributetype ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record'
	DESC 'A6 Record Type, RFC 2874'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
attributetype ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord'
	DESC 'Non-Terminal DNS Name Redirection, RFC 2672'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
attributetype ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord'
	DESC 'Delegation Signer, RFC 3658'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
attributetype ( 1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord'
	DESC 'SSH Key Fingerprint, draft-ietf-secsh-dns-05.txt'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
attributetype ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord'
	DESC 'RRSIG, RFC 3755'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
attributetype ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord'
	DESC 'NSEC, RFC 3755'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
objectclass ( 1.3.6.1.4.1.2428.20.3 NAME 'dNSZone'
        SUP top STRUCTURAL
	MUST ( zoneName $ relativeDomainName )
        MAY ( DNSTTL $ DNSClass $
              ARecord $ MDRecord $ MXRecord $ NSRecord $
	      SOARecord $ CNAMERecord $ PTRRecord $ HINFORecord $
              MINFORecord $ TXTRecord $ AFSDBRecord $ SIGRecord $
              KEYRecord $ AAAARecord $ LOCRecord $ NXTRecord $
              SRVRecord $ NAPTRRecord $ KXRecord $ CERTRecord $
              A6Record $ DNAMERecord $ DSRecord $ SSHFPRecord $
              RRSIGRecord $ NSECRecord ) )

dsa-fd-conf.schema

##
## dsa-fd.schema - Needed by Fusion Directory for managing DSA
##
 
# Attributes
attributetype ( 1.3.6.1.4.1.38414.13.1.1 NAME 'fdDSARDN'
  DESC 'FusionDirectory - DSA RDN'
  EQUALITY caseExactIA5Match
  SUBSTR caseExactIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE)
 
# Object Class
objectclass ( 1.3.6.1.4.1.38414.13.2.1 NAME 'fdDsaPluginConf'
  DESC 'FusionDirectory dsa plugin configuration'
  SUP top AUXILIARY
  MUST ( cn )
  MAY ( fdDSARDN ) )

samba-fd-conf.schema

##
## fd-samba-conf.schema - Needed by FusionDirectory Samba Plugin for its configuration
##
 
# Attributes
 
# Samba settings
 
attributetype ( 1.3.6.1.4.1.38414.9.1.1 NAME 'fdSambaMachineAccountRDN'
  DESC 'FusionDirectory - Samba RDN'
  EQUALITY caseExactIA5Match
  SUBSTR caseExactIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE )
 
attributetype ( 1.3.6.1.4.1.38414.9.1.2 NAME 'fdSambaIdMapping'
  DESC 'FusionDirectory - Samba id mapping'
  EQUALITY booleanMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE )
 
attributetype ( 1.3.6.1.4.1.38414.9.1.3 NAME 'fdSambaSID'
  DESC 'FusionDirectory - Samba SID'
  EQUALITY caseExactIA5Match
  SUBSTR caseExactIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE )
 
attributetype ( 1.3.6.1.4.1.38414.9.1.4 NAME 'fdSambaRidBase'
  DESC 'FusionDirectory - Samba rid base'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE )
 
attributetype ( 1.3.6.1.4.1.38414.9.1.5 NAME 'fdSambaExpirationSync'
  DESC 'FusionDirectory - Samba expiration date synchronisation'
  EQUALITY caseExactIA5Match
  SUBSTR caseExactIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE )
 
attributetype ( 1.3.6.1.4.1.38414.9.1.6 NAME 'fdSambaGenLMPassword'
  DESC 'FusionDirectory - Samba LMPassword activation'
  EQUALITY booleanMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE )
 
 
# Object Class
objectclass ( 1.3.6.1.4.1.38414.9.2.1 NAME 'fdSambaPluginConf'
  DESC 'FusionDirectory samba plugin configuration'
  SUP top AUXILIARY
  MUST ( )
  MAY ( fdSambaMachineAccountRDN $ fdSambaIdMapping $
        fdSambaSID $ fdSambaRidBase $ fdSambaExpirationSync $ fdSambaGenLMPassword) )

Mise en place de la conf slapd

cat <<'EOF' > /etc/openldap/slapd.conf

sed -i -e "s/dc=firewall-services,dc=com/$(cat /etc/install/ldap.base)/g" \
       -e "s/__SECRET__/$(cat /etc/install/ldap.pw)/g" /etc/openldap/slapd.conf

mkdir -p /var/lib/ldap/db_log
chown ldap:ldap /var/lib/ldap/db_log
chown 770 /var/lib/ldap/db_log
cat <<'EOF' > /var/lib/ldap/DB_CONFIG
#
# Set the database in memory cache size.
#
set_cachesize   0       2097152        0
#
# Set log values.
#
set_lg_regionmax        1048576
set_lg_max              10485760
set_lg_bsize            2097152
set_lg_dir              /var/lib/ldap/db_log
EOF

init.ldif

dn: dc=firewall-services,dc=com
dc: firewall-services
o: Firewall Services
ou: firewall-services
description: firewall-services
objectClass: top
objectClass: organization
objectClass: dcObject
objectClass: gosaDepartment

sed -i -e "s/dc=firewall-services,dc=com/$(cat /etc/install/ldap.base)/g" \
       -e "s/firewall-services/$(cat /etc/install/ldap.topdc)/g" ./init.ldif

slapadd -f init.ldif
chown -R ldap:ldap /var/lib/ldap/*

En vrac

named.conf

options {
        listen-on port 53 { 127.0.0.1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost;};
        recursion no;
 
        dnssec-enable no;
        dnssec-validation no;
        dnssec-lookaside auto;
 
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
 
        managed-keys-directory "/var/named/dynamic";
};
 
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
 
zone "firewall-services.com" IN {
        type master;
        database "ldap ldap://localhost/ou=servers,ou=systems,dc=firewall-services,dc=com????!bindname=cn=dns%2cou=DSA%2cdc=firewall-services%2cdc=com,!x-bindpw=__DNS_SECRET__ 172800";
};
 
zone "10.10.in-addr.arpa" IN {
        type master;
        database "ldap ldap://localhost/ou=servers,ou=systems,dc=firewall-services,dc=com????!bindname=cn=dns%2cou=DSA%2cdc=firewall-services%2cdc=com,!x-bindpw=__DNS_SECRET__ 172800";
};

unbound.conf

server:
        verbosity: 1
        statistics-interval: 0
        statistics-cumulative: no
        extended-statistics: yes
        num-threads: 2
        interface: 10.10.4.10
        interface-automatic: no
        do-ip6: no
        access-control: 127.0.0.1 allow
        access-control: 10.10.0.0/16 allow
        chroot: ""
        username: "unbound"
        directory: "/etc/unbound"
        log-time-ascii: yes
        pidfile: "/var/run/unbound/unbound.pid"
        hide-identity: yes
        hide-version: yes
        harden-glue: yes
        harden-dnssec-stripped: yes
        harden-below-nxdomain: yes
        harden-referral-path: yes
        use-caps-for-id: no
        unwanted-reply-threshold: 10000000
        do-not-query-localhost: no
        prefetch: yes
        prefetch-key: yes
        dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"
        trusted-keys-file: /etc/unbound/keys.d/*.key
        auto-trust-anchor-file: "/etc/unbound/root.anchor"
        val-clean-additional: yes
        val-permissive-mode: no
        val-log-level: 1
        include: /etc/unbound/local.d/*.conf
 
remote-control:
        control-enable: no
 
stub-zone:
       name: "firewall-services.com"
       stub-addr: 127.0.0.1
 
forward-zone:
       name: "."
       forward-addr: 88.191.254.60
       forward-addr: 88.191.254.70

slapd.conf

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/fusiondirectory/rfc2307bis.schema
include         /etc/openldap/schema/fusiondirectory/samba.schema
include         /etc/openldap/schema/fusiondirectory/samba-fd-conf.schema
include         /etc/openldap/schema/fusiondirectory/core-fd-conf.schema
include         /etc/openldap/schema/fusiondirectory/core-fd.schema
include         /etc/openldap/schema/fusiondirectory/ldapns.schema
include         /etc/openldap/schema/fusiondirectory/recovery-fd.schema
include         /etc/openldap/schema/fusiondirectory/dnszone.schema
include         /etc/openldap/schema/fusiondirectory/dhcp-fd.schema
include         /etc/openldap/schema/fusiondirectory/dsa-fd-conf.schema
include         /etc/openldap/schema/fusiondirectory/mime-fd.schema
include         /etc/openldap/schema/fusiondirectory/service-fd.schema
include         /etc/openldap/schema/fusiondirectory/systems-fd-conf.schema
include         /etc/openldap/schema/fusiondirectory/openssh-lpk.schema
include         /etc/openldap/schema/fusiondirectory/systems-fd.schema
include         /etc/openldap/schema/fusiondirectory/mail-fd.schema
include         /etc/openldap/schema/fusiondirectory/mail-fd-conf.schema
include         /etc/openldap/schema/fusiondirectory/alias-fd-conf.schema
include         /etc/openldap/schema/fusiondirectory/alias-fd.schema
 
password-hash               {SSHA}
pidfile                     /var/run/openldap/slapd.pid
loglevel                    256
modulepath                  /usr/lib64/openldap
moduleload                  back_hdb
moduleload                  memberof
database                    monitor
database                    hdb
mode                        0600
suffix                      dc=firewall-services,dc=com
rootdn                      cn=admin,dc=firewall-services,dc=com
rootpw                      __LDAP_SECRET__
directory                   /var/lib/ldap
cachesize                   10000
checkpoint                  128 15
 
index                       uid,mail                                               eq,sub
index                       cn,sn,givenName,ou                                     pres,eq,sub
index                       objectClass                                            pres,eq
index                       uidNumber,gidNumber,memberuid,member                   eq
index                       gosaSubtreeACL,gosaObject,gosaUser                     pres,eq
index                       sambaSID                                               eq,sub
index                       sambaPrimaryGroupSID                                   eq
index                       sambaDomainName                                        eq
index                       sambaGroupType                                         eq
index                       sambaSIDList                                           eq
index                       zoneName                                               eq
index                       relativeDomainName                                     eq
index                       dhcpHWAddress                                          eq
index                       dhcpClassData                                          eq
index                       dhcpPrimaryDN                                          eq
index                       dhcpSecondaryDN                                        eq
index                       dhcpServerDN                                           eq
index                       dhcpFailOverPeerDN                                     eq
 
access to attrs=userPassword,sambaLmPassword,sambaNtPassword
       by dn=cn=samba,ou=DSA,dc=firewall-services,dc=com write
       by anonymous auth
       by self write
       by * none
access to attrs=sambaAcctFlags,sambaBadPasswordCount,sambaBadPasswordTime,sambaKickoffTime,sambaLogoffTime,sambaLogonHours,sambaPasswordHistory,sambaSID,sambaPrimaryGroupSID,sambaPwdCanChange,sambaPwdLastSet,sambaPwdMustChange,sambaUserWorkstations,sambaSIDList,sambaGroupType,sambaMungedDial,sambaLogonHours,sambaLogonTime,sambaDomainName,sambaHomePath,sambaHomeDrive
       by dn=cn=samba,ou=DSA,dc=firewall-services,dc=com write
       by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" write
       by self read
       by * none
access to filter=(objectClass=sambaDomain)
       by dn=cn=samba,ou=DSA,dc=firewall-services,dc=com write
       by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" write
       by * none
access to dn.subtree=ou=Computers,ou=systems,dc=firewall-services,dc=com
       by dn=cn=samba,ou=DSA,dc=firewall-services,dc=com write
       by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" write
       by * none
access to attrs=loginShell,gidNumber,homeDirectory,uidNumber,shadowExpire,shadowFlag,shadowInactive,shadowLastChange,shadowMax,shadowMin,shadowWarning
       by dn=cn=samba,ou=DSA,dc=firewall-services,dc=com write
       by self read
       by dn="cn=unix,ou=DSA,dc=firewall-services,dc=com" read
access to dn.subtree=ou=DSA,dc=firewall-services,dc=com
       by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" write
       by * none
access to dn.base=dc=firewall-services,dc=com
       by * read
access to dn.subtree=ou=systems,dc=firewall-services,dc=com filter=(objectClass=dNSZone)
       by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" write
       by dn="cn=dns,ou=DSA,dc=firewall-services,dc=com" read
       by * none
access to dn.regex="^.*,ou=(People|Groups),dc=firewall-services,dc=org"
       by * read
access to *
       by users read
       by anonymous auth