Tomi Cvetic 6 роки тому
батько
коміт
855e8c79f0
13 змінених файлів з 476 додано та 183 видалено
  1. 2 1
      .gitignore
  2. 13 21
      Dockerfile
  3. 317 0
      dhcp.ldif
  4. 23 0
      docker-compose.yml
  5. 62 38
      entrypoint.sh
  6. 0 11
      ldifs/database.ldif
  7. 9 0
      ldifs/initial_data.ldif
  8. 2 2
      ldifs/krb_indices.ldif
  9. 4 4
      ldifs/krb_structure.ldif
  10. 0 4
      ldifs/loglevel.ldif
  11. 3 3
      ldifs/tls.ldif
  12. 41 28
      scripts/gen_certs.sh
  13. 0 71
      slapd.conf

+ 2 - 1
.gitignore

@@ -1,3 +1,4 @@
 slapd.d/
 backups/
-restore/
+restore/
+certs/

+ 13 - 21
Dockerfile

@@ -4,37 +4,29 @@ FROM alpine:latest
 # http://www.openldap.org/doc/admin24/guide.html
 
 # Define env variables
-ENV DOMAIN        ""
-ENV ORGANIZATION  ""
+ENV DOMAIN        "example.com"
+ENV ORGANIZATION  "Example Org."
+ENV SUFFIX        "dc=example,dc=org"
 ENV DEBUG         1
+ENV USER          ldap
+ENV GROUP         ldap
 
-# Default env variables
-#ENV USER          ldap
-#ENV GROUP         ldap
-
-# Install openldap with MDB backend
+# Install OpenLDAP with MDB backend
+# openldap-clients is not really required, can be removed after evaluation.
 RUN apk add --update --no-cache \ 
+  gettext \
+  pwgen \
   openldap \
   openldap-clients \
   openldap-back-mdb
 
-RUN mkdir /run/openldap
-#RUN chown ${USER}:${GROUP} /run/openldap
+RUN mkdir /run/openldap && \
+    chown ${USER}:${GROUP} /run/openldap
 
-#COPY ./slapd.conf /etc/openldap/slapd.conf
-#COPY ./setup.sh /setup.sh
 COPY ./entrypoint.sh /entrypoint.sh
 
-# Add setup script
-#ADD setup.sh /setup.sh
-#RUN /setup.sh
-
-CMD /entrypoint.sh /usr/sbin/slapd -d ${DEBUG} -h "ldap:/// ldapi:///" -F /etc/openldap/slapd.d
+CMD /entrypoint.sh
 
 EXPOSE 389
 
-VOLUME /etc/openldap/slapd.d
-VOLUME /var/backups
-VOLUME /var/ldifs
-VOLUME /var/lib/openldap
-
+VOLUME /etc/openldap/slapd.d /var/backups /var/restore /var/ldifs /scripts /var/lib/openldap
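Review bot: `CMD /entrypoint.sh` is shell form, so PID 1 is `/bin/sh -c` rather than the script (and, after its `exec`, slapd) unless that shell happens to exec its single command, and `docker stop`'s SIGTERM may then never reach slapd; use `ENTRYPOINT ["/entrypoint.sh"]` in exec form instead. The `chown ${USER}:${GROUP} /run/openldap` step and the `-u ldap -g ldap` the entrypoint passes to slapd both assume an `ldap` account exists in the image, which nothing in this Dockerfile creates; presumably the apk `openldap` package adds it, and a comment saying so (or an explicit `id ldap >/dev/null 2>&1 || { addgroup -S ldap; adduser -S -G ldap ldap; }`) would make that dependency visible. `EXPOSE 389` also disagrees with docker-compose.yml, which publishes 636 even though the entrypoint listens on `ldap:/// ldapi:///` only; add `EXPOSE 636` once `ldaps:///` is actually enabled. The `DOMAIN`/`SUFFIX` defaults (`example.com` vs `dc=example,dc=org`) describe two different domains and should agree, e.g. `SUFFIX "dc=example,dc=com"`.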

+ 317 - 0
dhcp.ldif

@@ -0,0 +1,317 @@
+dn: cn=dhcp,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: dhcp
+olcAttributeTypes: {0}( 2.16.840.1.113719.1.203.4.1 NAME 'dhcpPrimaryDN' DESC 
+ 'The DN of the dhcpServer which is the primary server for the configuration.'
+  EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-
+ VALUE )
+olcAttributeTypes: {1}( 2.16.840.1.113719.1.203.4.2 NAME 'dhcpSecondaryDN' DES
+ C 'The DN of dhcpServer(s) which provide backup service for the configuration
+ .' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {2}( 2.16.840.1.113719.1.203.4.3 NAME 'dhcpStatements' DESC
+  'Flexible storage for specific data depending on what object this exists in.
+  Like conditional statements, server parameters, etc. This allows the standar
+ d to evolve without needing to adjust the schema.' EQUALITY caseIgnoreIA5Matc
+ h SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {3}( 2.16.840.1.113719.1.203.4.4 NAME 'dhcpRange' DESC 'The
+  starting & ending IP Addresses in the range (inclusive), separated by a hyph
+ en; if the range only contains one address, then just the address can be spec
+ ified with no hyphen.  Each range is defined as a separate value.' EQUALITY c
+ aseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {4}( 2.16.840.1.113719.1.203.4.5 NAME 'dhcpPermitList' DESC
+  'This attribute contains the permit lists associated with a pool. Each permi
+ t list is defined as a separate value.' EQUALITY caseIgnoreIA5Match SYNTAX 1.
+ 3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {5}( 2.16.840.1.113719.1.203.4.6 NAME 'dhcpNetMask' DESC 'T
+ he subnet mask length for the subnet.  The mask can be easily computed from t
+ his length.' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGL
+ E-VALUE )
+olcAttributeTypes: {6}( 2.16.840.1.113719.1.203.4.7 NAME 'dhcpOption' DESC 'En
+ coded option values to be sent to clients.  Each value represents a single op
+ tion and contains (OptionTag, Length, OptionValue) encoded in the format used
+  by DHCP.' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {7}( 2.16.840.1.113719.1.203.4.8 NAME 'dhcpClassData' DESC 
+ 'Encoded text string or list of bytes expressed in hexadecimal, separated by 
+ colons.  Clients match subclasses based on matching the class data with the r
+ esults of match or spawn with statements in the class name declarations.' EQU
+ ALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {8}( 2.16.840.1.113719.1.203.4.9 NAME 'dhcpOptionsDN' DESC 
+ 'The distinguished name(s) of the dhcpOption objects containing the configura
+ tion options provided by the server.' EQUALITY distinguishedNameMatch SYNTAX 
+ 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {9}( 2.16.840.1.113719.1.203.4.10 NAME 'dhcpHostDN' DESC 't
+ he distinguished name(s) of the dhcpHost objects.' EQUALITY distinguishedName
+ Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {10}( 2.16.840.1.113719.1.203.4.11 NAME 'dhcpPoolDN' DESC '
+ The distinguished name(s) of pools.' EQUALITY distinguishedNameMatch SYNTAX 1
+ .3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {11}( 2.16.840.1.113719.1.203.4.12 NAME 'dhcpGroupDN' DESC 
+ 'The distinguished name(s)   of the groups.' EQUALITY distinguishedNameMatch 
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {12}( 2.16.840.1.113719.1.203.4.13 NAME 'dhcpSubnetDN' DESC
+  'The distinguished name(s) of the subnets.' EQUALITY distinguishedNameMatch 
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {13}( 2.16.840.1.113719.1.203.4.14 NAME 'dhcpLeaseDN' DESC 
+ 'The distinguished name of a client address.' EQUALITY distinguishedNameMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
+olcAttributeTypes: {14}( 2.16.840.1.113719.1.203.4.15 NAME 'dhcpLeasesDN' DESC
+  'The distinguished name(s) client addresses.' EQUALITY distinguishedNameMatc
+ h SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {15}( 2.16.840.1.113719.1.203.4.16 NAME 'dhcpClassesDN' DES
+ C 'The distinguished name(s) of a class(es) in a subclass.' EQUALITY distingu
+ ishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {16}( 2.16.840.1.113719.1.203.4.17 NAME 'dhcpSubclassesDN' 
+ DESC 'The distinguished name(s) of subclass(es).' EQUALITY distinguishedNameM
+ atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {17}( 2.16.840.1.113719.1.203.4.18 NAME 'dhcpSharedNetworkD
+ N' DESC 'The distinguished name(s) of sharedNetworks.' EQUALITY distinguished
+ NameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {18}( 2.16.840.1.113719.1.203.4.19 NAME 'dhcpServiceDN' DES
+ C 'The DN of dhcpService object(s)which contain the configuration information
+ . Each dhcpServer object has this attribute identifying the DHCP configuratio
+ n(s) that the server is associated with.' EQUALITY distinguishedNameMatch SYN
+ TAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {19}( 2.16.840.1.113719.1.203.4.20 NAME 'dhcpVersion' DESC 
+ 'The version attribute of this object.' EQUALITY caseIgnoreIA5Match SYNTAX 1.
+ 3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {20}( 2.16.840.1.113719.1.203.4.21 NAME 'dhcpImplementation
+ ' DESC 'Description of the DHCP Server implementation e.g. DHCP Servers vendo
+ r.' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-V
+ ALUE )
+olcAttributeTypes: {21}( 2.16.840.1.113719.1.203.4.22 NAME 'dhcpAddressState' 
+ DESC 'This stores information about the current binding-status of an address.
+   For dynamic addresses managed by DHCP, the values should be restricted to t
+ he following: "FREE", "ACTIVE", "EXPIRED", "RELEASED", "RESET", "ABANDONED", 
+ "BACKUP".  For other addresses, it SHOULD be one of the following: "UNKNOWN",
+  "RESERVED" (an address that is managed by DHCP that is reserved for a specif
+ ic client), "RESERVED-ACTIVE" (same as reserved, but address is currently in 
+ use), "ASSIGNED" (assigned manually or by some other mechanism), "UNASSIGNED"
+ , "NOTASSIGNABLE".' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1
+ 21.1.26 SINGLE-VALUE )
+olcAttributeTypes: {22}( 2.16.840.1.113719.1.203.4.23 NAME 'dhcpExpirationTime
+ ' DESC 'This is the time the current lease for an address expires.' EQUALITY 
+ generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
+olcAttributeTypes: {23}( 2.16.840.1.113719.1.203.4.24 NAME 'dhcpStartTimeOfSta
+ te' DESC 'This is the time of the last state change for a leased address.' EQ
+ UALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE
+  )
+olcAttributeTypes: {24}( 2.16.840.1.113719.1.203.4.25 NAME 'dhcpLastTransactio
+ nTime' DESC 'This is the last time a valid DHCP packet was received from the 
+ client.' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 S
+ INGLE-VALUE )
+olcAttributeTypes: {25}( 2.16.840.1.113719.1.203.4.26 NAME 'dhcpBootpFlag' DES
+ C 'This indicates whether the address was assigned via BOOTP.' EQUALITY boole
+ anMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {26}( 2.16.840.1.113719.1.203.4.27 NAME 'dhcpDomainName' DE
+ SC 'This is the name of the domain sent to the client by the server.  It is e
+ ssentially the same as the value for DHCP option 15 sent to the client, and r
+ epresents only the domain - not the full FQDN.  To obtain the full FQDN assig
+ ned to the client you must prepend the "dhcpAssignedHostName" to this value w
+ ith a ".".' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 
+ SINGLE-VALUE )
+olcAttributeTypes: {27}( 2.16.840.1.113719.1.203.4.28 NAME 'dhcpDnsStatus' DES
+ C 'This indicates the status of updating DNS resource records on behalf of th
+ e client by the DHCP server for this address.  The value is a 16-bit bitmask.
+ ' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {28}( 2.16.840.1.113719.1.203.4.29 NAME 'dhcpRequestedHostN
+ ame' DESC 'This is the hostname that was requested by the client.' EQUALITY c
+ aseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {29}( 2.16.840.1.113719.1.203.4.30 NAME 'dhcpAssignedHostNa
+ me' DESC 'This is the actual hostname that was assigned to a client. It may n
+ ot be the name that was requested by the client.  The fully qualified domain 
+ name can be determined by appending the value of "dhcpDomainName" (with a dot
+  separator) to this name.' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.146
+ 6.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {30}( 2.16.840.1.113719.1.203.4.31 NAME 'dhcpReservedForCli
+ ent' DESC 'The distinguished name of a "dhcpClient" that an address is reserv
+ ed for.  This may not be the same as the "dhcpAssignedToClient" attribute if 
+ the address is being reassigned but the current lease has not yet expired.' E
+ QUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VA
+ LUE )
+olcAttributeTypes: {31}( 2.16.840.1.113719.1.203.4.32 NAME 'dhcpAssignedToClie
+ nt' DESC 'This is the distinguished name of a "dhcpClient" that an address is
+  currently assigned to.  This attribute is only present in the class when the
+  address is leased.' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.
+ 115.121.1.12 SINGLE-VALUE )
+olcAttributeTypes: {32}( 2.16.840.1.113719.1.203.4.33 NAME 'dhcpRelayAgentInfo
+ ' DESC 'If the client request was received via a relay agent, this contains i
+ nformation about the relay agent that was available from the DHCP request.  T
+ his is a hex-encoded option value.' EQUALITY octetStringMatch SYNTAX 1.3.6.1.
+ 4.1.1466.115.121.1.40 SINGLE-VALUE )
+olcAttributeTypes: {33}( 2.16.840.1.113719.1.203.4.34 NAME 'dhcpHWAddress' DES
+ C 'The clients hardware address that requested this IP address.' EQUALITY cas
+ eIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {34}( 2.16.840.1.113719.1.203.4.35 NAME 'dhcpHashBucketAssi
+ gnment' DESC 'HashBucketAssignment bit map for the DHCP Server, as defined in
+  DHC Load Balancing Algorithm [RFC 3074].' EQUALITY octetStringMatch SYNTAX 1
+ .3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
+olcAttributeTypes: {35}( 2.16.840.1.113719.1.203.4.36 NAME 'dhcpDelayedService
+ Parameter' DESC 'Delay in seconds corresponding to Delayed Service Parameter 
+ configuration, as defined in  DHC Load Balancing Algorithm [RFC 3074]. ' EQUA
+ LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {36}( 2.16.840.1.113719.1.203.4.37 NAME 'dhcpMaxClientLeadT
+ ime' DESC 'Maximum Client Lead Time configuration in seconds, as defined in D
+ HCP Failover Protocol [FAILOVR]' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.146
+ 6.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {37}( 2.16.840.1.113719.1.203.4.38 NAME 'dhcpFailOverEndpoi
+ ntState' DESC 'Server (Failover Endpoint) state, as defined in DHCP Failover 
+ Protocol [FAILOVR]' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1
+ 21.1.26 SINGLE-VALUE )
+olcAttributeTypes: {38}( 2.16.840.1.113719.1.203.4.39 NAME 'dhcpErrorLog' DESC
+  'Generic error log attribute that allows logging error conditions within a d
+ hcpService or a dhcpSubnet, like no IP addresses available for lease.' EQUALI
+ TY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {39}( 2.16.840.1.113719.1.203.4.40 NAME 'dhcpLocatorDN' DES
+ C 'The DN of dhcpLocator object which contain the DNs of all DHCP configurati
+ on objects. There will be a single dhcpLocator object in the tree with links 
+ to all the DHCP objects in the tree' EQUALITY distinguishedNameMatch SYNTAX 1
+ .3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {40}( 2.16.840.1.113719.1.203.4.41 NAME 'dhcpKeyAlgorithm' 
+ DESC 'Algorithm to generate TSIG Key' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.
+ 6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {41}( 2.16.840.1.113719.1.203.4.42 NAME 'dhcpKeySecret' DES
+ C 'Secret to generate TSIG Key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.
+ 1466.115.121.1.40 SINGLE-VALUE )
+olcAttributeTypes: {42}( 2.16.840.1.113719.1.203.4.43 NAME 'dhcpDnsZoneServer'
+  DESC 'Master server of the DNS Zone' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.
+ 6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {43}( 2.16.840.1.113719.1.203.4.44 NAME 'dhcpKeyDN' DESC 'T
+ he DNs of TSIG Key to use in secure dynamic updates. In case of locator objec
+ t, this will be list of TSIG keys.  In case of DHCP Service, Shared Network, 
+ Subnet and DNS Zone, it will be a single key.' EQUALITY distinguishedNameMatc
+ h SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {44}( 2.16.840.1.113719.1.203.4.45 NAME 'dhcpZoneDN' DESC '
+ The DNs of DNS Zone. In case of locator object, this will be list of DNS Zone
+ s in the tree. In case of DHCP Service, Shared Network and Subnet, it will be
+  a single DNS Zone.' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.
+ 115.121.1.12 )
+olcAttributeTypes: {45}( 2.16.840.1.113719.1.203.4.46 NAME 'dhcpFailOverPrimar
+ yServer' DESC 'IP address or DNS name of the server playing primary role in D
+ HC Load Balancing and Fail over.' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.
+ 4.1.1466.115.121.1.26 )
+olcAttributeTypes: {46}( 2.16.840.1.113719.1.203.4.47 NAME 'dhcpFailOverSecond
+ aryServer' DESC 'IP address or DNS name of the server playing secondary role 
+ in DHC Load Balancing and Fail over.' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.
+ 6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {47}( 2.16.840.1.113719.1.203.4.48 NAME 'dhcpFailOverPrimar
+ yPort' DESC 'Port on which primary server listens for connections from its fa
+ il over peer (secondary server)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.146
+ 6.115.121.1.27 )
+olcAttributeTypes: {48}( 2.16.840.1.113719.1.203.4.49 NAME 'dhcpFailOverSecond
+ aryPort' DESC 'Port on which secondary server listens for connections from it
+ s fail over peer (primary server)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1
+ 466.115.121.1.27 )
+olcAttributeTypes: {49}( 2.16.840.1.113719.1.203.4.50 NAME 'dhcpFailOverRespon
+ seDelay' DESC 'Maximum response time in seconds, before Server assumes that c
+ onnection to fail over peer has failed' EQUALITY integerMatch SYNTAX 1.3.6.1.
+ 4.1.1466.115.121.1.27 )
+olcAttributeTypes: {50}( 2.16.840.1.113719.1.203.4.51 NAME 'dhcpFailOverUnacke
+ dUpdates' DESC 'Number of BNDUPD messages that server can send before it rece
+ ives BNDACK from its fail over peer' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1
+ .1466.115.121.1.27 )
+olcAttributeTypes: {51}( 2.16.840.1.113719.1.203.4.52 NAME 'dhcpFailOverSplit'
+  DESC 'Split between the primary and secondary servers for fail over purpose'
+  EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+olcAttributeTypes: {52}( 2.16.840.1.113719.1.203.4.53 NAME 'dhcpFailOverLoadBa
+ lanceTime' DESC 'Cutoff time in seconds, after which load balance is disabled
+ ' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+olcAttributeTypes: {53}( 2.16.840.1.113719.1.203.4.54 NAME 'dhcpFailOverPeerDN
+ ' DESC 'The DNs of Fail over peers. In case of locator object, this will be l
+ ist of fail over peers in the tree. In case of Subnet and pool, it will be a 
+ single Fail Over Peer' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.146
+ 6.115.121.1.12 )
+olcAttributeTypes: {54}( 2.16.840.1.113719.1.203.4.55 NAME 'dhcpServerDN' DESC
+  'List of all  DHCP Servers in the tree. Used by dhcpLocatorObject' EQUALITY 
+ distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {55}( 2.16.840.1.113719.1.203.4.56 NAME 'dhcpComments' DESC
+  'Generic attribute that allows coments  within any DHCP object' EQUALITY cas
+ eIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcObjectClasses: {0}( 2.16.840.1.113719.1.203.6.1 NAME 'dhcpService' DESC 'Se
+ rvice object that represents the actual DHCP Service configuration. This is a
+  container object.' SUP top STRUCTURAL MUST cn MAY ( dhcpPrimaryDN $ dhcpSeco
+ ndaryDN $ dhcpServerDN $ dhcpSharedNetworkDN $ dhcpSubnetDN $ dhcpGroupDN $ d
+ hcpHostDN $ dhcpClassesDN $ dhcpOptionsDN $ dhcpZoneDN $ dhcpKeyDN $ dhcpFail
+ OverPeerDN $ dhcpStatements $ dhcpComments $ dhcpOption ) )
+olcObjectClasses: {1}( 2.16.840.1.113719.1.203.6.2 NAME 'dhcpSharedNetwork' DE
+ SC 'This stores configuration information for a shared network.' SUP top STRU
+ CTURAL MUST cn MAY ( dhcpSubnetDN $ dhcpPoolDN $ dhcpOptionsDN $ dhcpZoneDN $
+  dhcpStatements $ dhcpComments $ dhcpOption ) X-NDS_CONTAINMENT 'dhcpService'
+  )
+olcObjectClasses: {2}( 2.16.840.1.113719.1.203.6.3 NAME 'dhcpSubnet' DESC 'Thi
+ s class defines a subnet. This is a container object.' SUP top STRUCTURAL MUS
+ T ( cn $ dhcpNetMask ) MAY ( dhcpRange $ dhcpPoolDN $ dhcpGroupDN $ dhcpHostD
+ N $ dhcpClassesDN $ dhcpLeasesDN $ dhcpOptionsDN $ dhcpZoneDN $ dhcpKeyDN $ d
+ hcpFailOverPeerDN $ dhcpStatements $ dhcpComments $ dhcpOption ) X-NDS_CONTAI
+ NMENT ( 'dhcpService' 'dhcpSharedNetwork' ) )
+olcObjectClasses: {3}( 2.16.840.1.113719.1.203.6.4 NAME 'dhcpPool' DESC 'This 
+ stores configuration information about a pool.' SUP top STRUCTURAL MUST ( cn 
+ $ dhcpRange ) MAY ( dhcpClassesDN $ dhcpPermitList $ dhcpLeasesDN $ dhcpOptio
+ nsDN $ dhcpZoneDN $ dhcpKeyDN $ dhcpStatements $ dhcpComments $ dhcpOption ) 
+ X-NDS_CONTAINMENT ( 'dhcpSubnet' 'dhcpSharedNetwork' ) )
+olcObjectClasses: {4}( 2.16.840.1.113719.1.203.6.5 NAME 'dhcpGroup' DESC 'Grou
+ p object that lists host DNs and parameters. This is a container object.' SUP
+  top STRUCTURAL MUST cn MAY ( dhcpHostDN $ dhcpOptionsDN $ dhcpStatements $ d
+ hcpComments $ dhcpOption ) X-NDS_CONTAINMENT ( 'dhcpSubnet' 'dhcpService' ) )
+olcObjectClasses: {5}( 2.16.840.1.113719.1.203.6.6 NAME 'dhcpHost' DESC 'This 
+ represents information about a particular client' SUP top STRUCTURAL MUST cn 
+ MAY ( dhcpLeaseDN $ dhcpHWAddress $ dhcpOptionsDN $ dhcpStatements $ dhcpComm
+ ents $ dhcpOption ) X-NDS_CONTAINMENT ( 'dhcpService' 'dhcpSubnet' 'dhcpGroup
+ ' ) )
+olcObjectClasses: {6}( 2.16.840.1.113719.1.203.6.7 NAME 'dhcpClass' DESC 'Repr
+ esents information about a collection of related clients.' SUP top STRUCTURAL
+  MUST cn MAY ( dhcpSubClassesDN $ dhcpOptionsDN $ dhcpStatements $ dhcpCommen
+ ts $ dhcpOption ) X-NDS_CONTAINMENT ( 'dhcpService' 'dhcpSubnet' ) )
+olcObjectClasses: {7}( 2.16.840.1.113719.1.203.6.8 NAME 'dhcpSubClass' DESC 'R
+ epresents information about a collection of related classes.' SUP top STRUCTU
+ RAL MUST cn MAY ( dhcpClassData $ dhcpOptionsDN $ dhcpStatements $ dhcpCommen
+ ts $ dhcpOption ) X-NDS_CONTAINMENT 'dhcpClass' )
+olcObjectClasses: {8}( 2.16.840.1.113719.1.203.6.9 NAME 'dhcpOptions' DESC 'Re
+ presents information about a collection of options defined.' SUP top AUXILIAR
+ Y MUST cn MAY ( dhcpOption $ dhcpComments ) X-NDS_CONTAINMENT ( 'dhcpService'
+  'dhcpSharedNetwork' 'dhcpSubnet' 'dhcpPool' 'dhcpGroup' 'dhcpHost' 'dhcpClas
+ s' ) )
+olcObjectClasses: {9}( 2.16.840.1.113719.1.203.6.10 NAME 'dhcpLeases' DESC 'Th
+ is class represents an IP Address, which may or may not have been leased.' SU
+ P top STRUCTURAL MUST ( cn $ dhcpAddressState ) MAY ( dhcpExpirationTime $ dh
+ cpStartTimeOfState $ dhcpLastTransactionTime $ dhcpBootpFlag $ dhcpDomainName
+  $ dhcpDnsStatus $ dhcpRequestedHostName $ dhcpAssignedHostName $ dhcpReserve
+ dForClient $ dhcpAssignedToClient $ dhcpRelayAgentInfo $ dhcpHWAddress ) X-ND
+ S_CONTAINMENT ( 'dhcpService' 'dhcpSubnet' 'dhcpPool' ) )
+olcObjectClasses: {10}( 2.16.840.1.113719.1.203.6.11 NAME 'dhcpLog' DESC 'This
+  is the object that holds past information about the IP address. The cn is th
+ e time/date stamp when the address was assigned or released, the address stat
+ e at the time, if the address was assigned or released.' SUP top STRUCTURAL M
+ UST cn MAY ( dhcpAddressState $ dhcpExpirationTime $ dhcpStartTimeOfState $ d
+ hcpLastTransactionTime $ dhcpBootpFlag $ dhcpDomainName $ dhcpDnsStatus $ dhc
+ pRequestedHostName $ dhcpAssignedHostName $ dhcpReservedForClient $ dhcpAssig
+ nedToClient $ dhcpRelayAgentInfo $ dhcpHWAddress $ dhcpErrorLog ) X-NDS_CONTA
+ INMENT ( 'dhcpLeases' 'dhcpPool' 'dhcpSubnet' 'dhcpSharedNetwork' 'dhcpServic
+ e' ) )
+olcObjectClasses: {11}( 2.16.840.1.113719.1.203.6.12 NAME 'dhcpServer' DESC 'D
+ HCP Server Object' SUP top STRUCTURAL MUST cn MAY ( dhcpServiceDN $ dhcpLocat
+ orDN $ dhcpVersion $ dhcpImplementation $ dhcpHashBucketAssignment $ dhcpDela
+ yedServiceParameter $ dhcpMaxClientLeadTime $ dhcpFailOverEndpointState $ dhc
+ pStatements $ dhcpComments $ dhcpOption ) X-NDS_CONTAINMENT ( 'organization' 
+ 'organizationalunit' 'domain' ) )
+olcObjectClasses: {12}( 2.16.840.1.113719.1.203.6.13 NAME 'dhcpTSigKey' DESC '
+ TSIG key for secure dynamic updates' SUP top STRUCTURAL MUST ( cn $ dhcpKeyAl
+ gorithm $ dhcpKeySecret ) MAY dhcpComments X-NDS_CONTAINMENT ( 'dhcpService' 
+ 'dhcpSharedNetwork' 'dhcpSubnet' ) )
+olcObjectClasses: {13}( 2.16.840.1.113719.1.203.6.14 NAME 'dhcpDnsZone' DESC '
+ DNS Zone for updating leases' SUP top STRUCTURAL MUST ( cn $ dhcpDnsZoneServe
+ r ) MAY ( dhcpKeyDN $ dhcpComments ) X-NDS_CONTAINMENT ( 'dhcpService' 'dhcpS
+ haredNetwork' 'dhcpSubnet' ) )
+olcObjectClasses: {14}( 2.16.840.1.113719.1.203.6.15 NAME 'dhcpFailOverPeer' D
+ ESC 'This class defines the Fail over peer' SUP top STRUCTURAL MUST ( cn $ dh
+ cpFailOverPrimaryServer $ dhcpFailOverSecondaryServer $ dhcpFailoverPrimaryPo
+ rt $ dhcpFailOverSecondaryPort ) MAY ( dhcpFailOverResponseDelay $ dhcpFailOv
+ erUnackedUpdates $ dhcpMaxClientLeadTime $ dhcpFailOverSplit $ dhcpHashBucket
+ Assignment $ dhcpFailOverLoadBalanceTime $ dhcpComments ) X-NDS_CONTAINMENT (
+  'dhcpService' 'dhcpSharedNetwork' 'dhcpSubnet' ) )
+olcObjectClasses: {15}( 2.16.840.1.113719.1.203.6.16 NAME 'dhcpLocator' DESC '
+ Locator object for DHCP configuration in the tree. There will be a single dhc
+ pLocator object in the tree with links to all the DHCP objects in the tree' S
+ UP top STRUCTURAL MUST cn MAY ( dhcpServiceDN $ dhcpServerDN $ dhcpSharedNetw
+ orkDN $ dhcpSubnetDN $ dhcpPoolDN $ dhcpGroupDN $ dhcpHostDN $ dhcpClassesDN 
+ $ dhcpKeyDN $ dhcpZoneDN $ dhcpFailOverPeerDN $ dhcpOption $ dhcpComments ) X
+ -NDS_CONTAINMENT ( 'organization' 'organizationalunit' 'domain' ) )

+ 23 - 0
docker-compose.yml

@@ -0,0 +1,23 @@
+version: "3"
+
+services:
+  ldap-server:
+    build: .
+    container_name: ldap-server
+    #image: ldap-server
+    #restart: always
+    ports:
+      - "127.0.0.1:389:389"
+      - "636:636"
+    environment: 
+      - DOMAIN="slurm.ch"
+      - ORGANIZATION="Slurm - It's addictive!"
+      - SUFFIX="dc=slurm,dc=ch"
+    volumes: 
+      - ./scripts:/scripts
+      - ./ldifs:/var/ldifs
+      - ./backups:/var/backups
+      - ./restore:/var/restore
+      - ./certs:/etc/ssl/certs
+      - /etc/openldap/slapd.d
+      - /var/lib/openldap
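Review bot: The list-form `environment:` entries keep the double quotes as part of the value (`DOMAIN` becomes `"slurm.ch"` including the quotes), so entrypoint.sh substitutes `olcSuffix: "dc=slurm,dc=ch"` into slapd.ldif, which is not a valid DN; write them unquoted, `- DOMAIN=slurm.ch`, `- ORGANIZATION=Slurm - It's addictive!`, `- SUFFIX=dc=slurm,dc=ch`. Port 636 is published on all interfaces while 389 is deliberately pinned to 127.0.0.1, yet entrypoint.sh starts slapd with only `ldap:/// ldapi:///` and its TLS setup is commented out, so nothing listens there; drop `"636:636"` until ldaps is enabled, and bind it to an explicit address then as well. Mounting `./certs` over `/etc/ssl/certs` also shadows the container's system CA bundle with the directory where gen_certs.sh writes the self-signed CA private key; a dedicated path such as `/etc/openldap/certs` (mirrored in tls.ldif) keeps that key out of the trust-store directory.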

+ 62 - 38
entrypoint.sh

@@ -1,57 +1,81 @@
 #!/bin/sh
 
-# Log everything to this log file. Use LOG env var or default /var/log/ldap.log
-ENTRYLOG=${LOG:-/var/log/ldap.log}
-echo Logfile: $ENTRYLOG
-exec &> $ENTRYLOG
-
-# Inspired by https://github.com/acobaugh/openldap-alpine
+# The setup follows the OpenLDAP admin guide on 
+# http://www.openldap.org/doc/admin24/guide.html
 
 # When not limiting the open file descriptors, the memory consumption
 # of slapd is absurdly high. See https://github.com/docker/docker/issues/8231
 ulimit -n 8192
 
 # If there's no cn=config database, initialize one.
-# Take the original slapd.conf file as template.
+# Take the original slapd.ldif file as template.
 if [ ! -d '/etc/openldap/slapd.d/cn=config' ]; then
 
-	# Limit the access to the database
-	SLAPD_CONFIG_ROOTPW=`< /dev/urandom tr -dc A-Za-z0-9 | head -c14; echo`
-	
-	# Generate a password hash
-	config_rootpw_hash=`slappasswd -s "${SLAPD_CONFIG_ROOTPW}"`
-	echo $SLAPD_CONFIG_ROOTPW > /etc/openldap/slapd.d/slapd_config_rootpw
-	chmod 400 /etc/openldap/slapd.d/slapd_config_rootpw
-	
-	# Use the original slapd.conf file
-	cp /etc/openldap/slapd.conf /tmp/slapd.conf
+	# Create the run directory
+	if [ ! -d /var/lib/openldap/run ]; then
+		mkdir -p /var/lib/openldap/run
+		chown -R ${USER}:${GROUP} /var/lib/openldap/run
+	fi
+
+	# Use the original slapd.conf file as template
+	cp /etc/openldap/slapd.ldif /tmp/slapd.ldif
 	
 	# Set the correct suffix
-	sed -i -e "s/dc=my-domain,dc=com/${SUFFIX}/g" /tmp/slapd.conf
+	# https://www.openldap.org/doc/admin24/quickstart.html 
+	# Point 8ff
+	sed -i "s/dc=my-domain,dc=com/${SUFFIX}/g" /tmp/slapd.ldif
+	# Set the root password for the database
+	sed -i "s|olcRootPW: secret|olcRootPW: ${LDAP_ROOT_HASH}|" /tmp/slapd.ldif
+	# Remove those newlines, or slapadd will fail to initialize the DB.
+	sed -i '/^olcRootDN/ {n; s/^[[:blank:]]*$/#/}' /tmp/slapd.ldif 
+	sed -i '/^olcRootPW/ {n; s/^[[:blank:]]*$/#/}' /tmp/slapd.ldif 
+	sed -i '/^olcDbDirectory/ {n; s/^[[:blank:]]*$/#/}' /tmp/slapd.ldif
+	# Set up authentication patterns for -Y EXTERNAL over ldapi:/// (SASL).
+	#sed -i "/^olcSuffix: ${SUFFIX}/a olcAccess: to * by * read" /tmp/slapd.ldif
+	#sed -i "/^olcSuffix: ${SUFFIX}/a olcAccess: to attrs=userPassword by self write by anonymous auth by * none" /tmp/slapd.ldif
+	#sed -i "/^olcSuffix: ${SUFFIX}/a olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break" /tmp/slapd.ldif
 
 	# Add more schemas
-	sed -i -e "/core.schema/a include\t\t/etc/openldap/schema/cosine.schema" /tmp/slapd.conf
-	sed -i -e "/cosine.schema/a include\t\t/etc/openldap/schema/inetorgperson.schema" /tmp/slapd.conf
-	
-	cat <<-EOF >> /tmp/slapd.conf
-	
-#######################################################################
-# Dynamic config
-#######################################################################
-	
-	database 	config
-	rootDN 		"cn=admin,cn=config"
-	rootPW 		$config_rootpw_hash
-	EOF
+	sed -i "/core.ldif/a include: file:///etc/openldap/schema/cosine.ldif" /tmp/slapd.ldif
+	sed -i "/cosine.ldif/a include: file:///etc/openldap/schema/inetorgperson.ldif" /tmp/slapd.ldif
+
+	# Create config admin to allow binding to config database.
+	# https://www.openldap.org/doc/admin24/slapdconf2.html#Configuration%20Example
+	# Lines 21ff
+	sed -i "/^############/d" /tmp/slapd.ldif
+	sed -i "/^# LMDB/i \
+# Config settings\n\
+#\n\
+dn: olcDatabase=config,cn=config\n\
+objectClass: olcDatabaseConfig\n\
+olcDatabase: config\n\
+# Don't allow access to cn=config with password, only over SASL via -Y EXTERNAL ldapi:///
+#olcRootPW: ${LDAP_ADMIN_HASH}\n\
+olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break\n\
+olcAccess: to * by * none\n\
+" /tmp/slapd.ldif
 	
 	# Generate config database from slapd.conf file.
 	echo Generating configuration
-	slaptest -f /tmp/slapd.conf -F /etc/openldap/slapd.d
-fi
+	slapadd -n 0 -F /etc/openldap/slapd.d -l /tmp/slapd.ldif
+
+	# Copy the generated slapd.ldif to the ldifs mount.
+	cp /tmp/slapd.ldif /var/ldifs
 
-# Set all ownerships straight.	
-chown -R ldap:ldap /etc/openldap/slapd.d
-mkdir /var/lib/openldap/run || true
+	# if [ -f /etc/ssl/certs/sourceme ]; then
+	# 	cp /var/ldifs/tls.ldif /tmp/tls.ldif
+	# 	source /etc/ssl/certs/sourceme
+	# 	sed -i -e "s#{{CA_CERT}}#${CA_CERT}#g" /tmp/tls.ldif
+	# 	sed -i -e "s#{{LDAP_TLS_CERT}}#${LDAP_TLS_CERT}#g" /tmp/tls.ldif
+	# 	sed -i -e "s#{{LDAP_TLS_KEY}}#${LDAP_TLS_KEY}#g" /tmp/tls.ldif
+
+	# 	echo Adding TLS certificates to configuration
+	# 	slapadd -n 0 -F /etc/openldap/slapd.d -l /tmp/tls.ldif
+	# fi
+
+	# Set all ownerships straight.
+	chown -R ${USER}:${GROUP} /etc/openldap/slapd.d
+fi
 
-echo Starting slapd with $@
-exec "$@" 
+echo Starting slapd
+exec /usr/sbin/slapd -u ${USER} -g ${GROUP} -d ${DEBUG} -h "ldap:/// ldapi:///" -F /etc/openldap/slapd.d
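Review bot: `LDAP_ROOT_HASH` on the `olcRootPW` sed line is never defined or checked (docker-compose.yml does not pass it, and the old script's random `SLAPD_CONFIG_ROOTPW` generation is gone), so an unset variable silently yields `olcRootPW: ` with an empty value in the seed ldif; fail early with `: "${LDAP_ROOT_HASH:?LDAP_ROOT_HASH (a slappasswd hash) must be set}"` before the sed, or generate one with the `pwgen` the Dockerfile now installs. `cp /tmp/slapd.ldif /var/ldifs` then writes that hash-bearing config into the `./ldifs` bind mount, which .gitignore does not cover, so it can end up committed; copy it to `/var/backups` (ignored) or strip the `olcRootPW` line first. The `sed -i "/^# LMDB/i \` block also looks broken: the `# Don't allow access ...` line has no trailing `\n\`, so after the shell joins the continued lines the inserted text ends there and the following `#olcRootPW ... olcAccess ... olcAccess ...` appears to become a single sed comment line, meaning the two `olcAccess` rules for `olcDatabase=config` are most likely never added; verify with `slapcat -n 0` after a fresh start and give every line of the inserted text its own `\n\`.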

+ 0 - 11
ldifs/database.ldif

@@ -1,11 +0,0 @@
-dn: olcDatabase={1}hdb,cn=config
-changeType: modify
-replace: olcDbConfig
-olcDbConfig: {0}set_cachesize 0 2097152 0
-olcDbConfig: {1}set_lk_max_objects 1500
-olcDbConfig: {2}set_lk_max_locks 1500
-olcDbConfig: {3}set_lk_max_lockers 1500
-olcDbConfig: {4}set_flags DB_LOG_AUTOREMOVE
--
-replace: olcRootPW
-olcRootPW: {{LDAP_ADMIN_HASH}}

+ 9 - 0
ldifs/initial_data.ldif

@@ -0,0 +1,9 @@
+dn: ${SUFFIX}
+objectClass: dcObject
+objectClass: organization
+o: ${ORGANIZATION}
+dc: ${DOMAIN}
+
+dn: cn=Manager,${SUFFIX}
+objectClass: organizationalRole
+cn: Manager
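Review bot: `dc: ${DOMAIN}` does not match the naming attribute of `dn: ${SUFFIX}` — with the compose values the entry becomes `dn: dc=slurm,dc=ch` but `dc: slurm.ch`, and slapadd/ldapadd reject an entry whose RDN value is not present as an attribute value (naming violation). The `dc` must be the first suffix component only, e.g. `dc: slurm`; since `${VAR}` placeholders (presumably expanded by envsubst from the `gettext` package) cannot express `${DOMAIN%%.*}`, derive a separate `DC=${DOMAIN%%.*}` in the entrypoint and write `dc: ${DC}` here. A header comment naming the tool that expands these placeholders and the step that loads this file would also help, since nothing in this commit consumes it yet.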

+ 2 - 2
ldifs/krb_indices.ldif

@@ -1,9 +1,9 @@
 dn: oclDatabase={1}hdb,cn=config
 replace: olcAccess
-olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="krb-admin,{{LDAP_ROOT}}" write by anonymous auth by self write by * none
+olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="krb-admin,{{SUFFIX}}" write by anonymous auth by self write by * none
 -
 add: olcAccess
 olcAccess: to dn.base="" by * read
 -
 add: olcAccess
-olcAccess: to * by dn="cn=krb-admin,{{LDAP_ROOT}}" write by * read
+olcAccess: to * by dn="cn=krb-admin,${SUFFIX}" write by * read
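Review bot: The rewritten first `olcAccess` line reads `by dn="krb-admin,{{SUFFIX}}"` — it drops the `cn=` the DN needs and keeps the old `{{…}}` placeholder while the last line switched to `${SUFFIX}`, so after substitution the `by dn=` clause is not a valid DN and the whole modify is rejected. Make it `olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=krb-admin,${SUFFIX}" write by anonymous auth by self write by * none`. The trailing `to * by ... write by * read` also makes every attribute outside that `attrs=` set readable anonymously; if the dhcp schema added in this commit is going to be populated, `dhcpKeySecret` (TSIG secrets) should be added to the protected attribute list. The target `dn: oclDatabase={1}hdb,cn=config` in the context line (typo for `olcDatabase`, and `hdb` although the image now builds the mdb backend) will not match anything in the new config; presumably `olcDatabase={1}mdb,cn=config` is intended.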

+ 4 - 4
ldifs/krb_structure.ldif

@@ -1,13 +1,13 @@
-dn: cn=krb-admin,{{LDAP_ROOT}}
+dn: cn=krb-admin,${SUFFIX}
 cn: krb-admin
 objectClass: organizationalRole
 objectClass: simpleSecurityObject
-userPassword: {{LDAP_KRBADMIN_HASH}}
+userPassword: ${LDAP_KRBADMIN_HASH}
 
-dn: ou=group,{{LDAP_ROOT}}
+dn: ou=group,${SUFFIX}
 objectClass: organizationalUnit
 ou: groups
 
-dn: ou=users,{{LDAP_ROOT}}
+dn: ou=users,${SUFFIX}
 objectClass: organizationalUnit
 ou: users
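Review bot: The new DN `ou=group,${SUFFIX}` disagrees with that entry's `ou: groups` attribute on the context line below it, so the RDN value is absent from the entry and the add fails with a naming violation; use `dn: ou=groups,${SUFFIX}` (or change the attribute to `ou: group`) so the two agree, as they already do for `ou=users`. Placeholder expansion is not visible in this commit; a header comment such as `# expanded with envsubst before ldapadd; LDAP_KRBADMIN_HASH must be a slappasswd hash` would document the contract, and the expanding step should reject an unset `LDAP_KRBADMIN_HASH` rather than emit an empty `userPassword:`.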

+ 0 - 4
ldifs/loglevel.ldif

@@ -1,4 +0,0 @@
-dn: cn=config
-changeType: modify
-replace: olcLogLevel
-olcLogLevel: stats

+ 3 - 3
ldifs/tls.ldif

@@ -1,10 +1,10 @@
 dn: cn=config
 changeType: modify
 add: olcTLSCACertificateFile
-olcTLSCACertificateFile: /etc/ssl/certs/{{CA_CERT}}
+olcTLSCACertificateFile: /etc/ssl/${CA_CERT}
 -
 add: olcTLSCertificateFile
-olcTLSCertificateFile: /etc/ssl/certs/{{LDAP_TLS_CERT}}
+olcTLSCertificateFile: /etc/ssl/${LDAP_TLS_CERT}
 -
 add: olcTLSCertificateKeyFile
-olcTLSCertificateKeyFile: /etc/ssl/certs/{{LDAP_TLS_KEY}}
+olcTLSCertificateKeyFile: /etc/ssl/${LDAP_TLS_KEY}
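Review bot: The three `add:` operations target single-valued `olcTLS*` attributes, so applying this LDIF a second time against an already-configured `cn=config` (a container restart with a persisted slapd.d volume) fails with a multiple-values error; `replace:` in place of each `add:` is idempotent and behaves identically on first apply. The key at `/etc/ssl/${LDAP_TLS_KEY}` is only loadable if the unprivileged account slapd is started under can read it; gen_certs.sh in this commit creates it mode 0640 but does not change its ownership, so wherever the certs directory is copied into the image the file must be chowned or group-assigned to that account. Nothing here sets `olcTLSCipherSuite` or `olcSecurity`, so TLS is offered but never required; a one-line comment stating that this is intentional (or a follow-up adding them) would help.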

+ 41 - 28
scripts/gen_certs.sh

@@ -1,52 +1,57 @@
 #!/bin/sh
 
 # Set the variables
+
 SERVER=${SERVER:-`hostname --fqdn`}
 DOMAIN=${SERVER#*.}
 LDAP_ROOT=""
 IFS="."
-for DC in $DOMAIN
+for DC in ${DOMAIN}
 do
-  LDAP_ROOT="${LDAP_ROOT},dc=$DC"
+  LDAP_ROOT="${LDAP_ROOT},dc=${DC}"
 done
 LDAP_ROOT="${LDAP_ROOT#,}"
 echo -e "
-\nServer:    $SERVER
-\nDomain:    $DOMAIN
-\nLDAP Root: $LDAP_ROOT
+\nServer:    ${SERVER}
+\nDomain:    ${DOMAIN}
+\nLDAP Root: ${LDAP_ROOT}
 "
 
 # Setup TLS certificate (self-signed) for LDAP
 
-CA_KEY=certs/CAself-key.pem
-CA_INFO=certs=certs/CAself.info
-CA_CERT=certs/CAself-cert.pem
+if [ ! -d 'certs' ]
+then
+  mkdir certs
+fi
+CA_KEY="certs/CAself-key.pem"
+CA_INFO="certs/CAself.info"
+CA_CERT="certs/CAself-cert.pem"
 
-certtool --generate-privkey > $CA_KEY
-cat > $CA_INFO <<EOF
-cn = $DOMAIN
+certtool --generate-privkey > "${CA_KEY}"
+cat > "${CA_INFO}" <<EOF
+cn = ${DOMAIN}
 ca
 cert_signing_key
 expiration_days = 8000
 EOF
 certtool \
   --generate-self-signed \
-  --load-privkey $CA_KEY \
-  --template $CA_INFO \
-  --outfile $CA_CERT
-chmod 0640 $CA_KEY
+  --load-privkey "${CA_KEY}" \
+  --template "${CA_INFO}" \
+  --outfile "${CA_CERT}"
+chmod 0640 "${CA_KEY}"
 
 
 # Generate private key for LDAP service
 
-LDAP_TLS_KEY=certs/$SERVER_slapd_key.pem
-LDAP_TLS_INFO=certs/$SERVER.info
-LDAP_TLS_CERT=certs/$SERVER_slapd_cert.pem
+LDAP_TLS_KEY="certs/${SERVER}_slapd_key.pem"
+LDAP_TLS_INFO="certs/${SERVER}.info"
+LDAP_TLS_CERT="certs/${SERVER}_slapd_cert.pem"
 
-certtool --generate-privkey > $LDAP_TLS_KEY
-cat > $LDAP_TLS_INFO <<EOF
-organization = $DOMAIN
-cn = $SERVER
+certtool --generate-privkey > "${LDAP_TLS_KEY}"
+cat > "${LDAP_TLS_INFO}" <<EOF
+organization = ${DOMAIN}
+cn = ${SERVER}
 tls_www_server
 encryption_key
 signing_key
@@ -54,10 +59,18 @@ expiration_days = 8000
 EOF
 certtool \
   --generate-certificate \
-  --load-privkey $LDAP_TLS_KEY \
-  --load-ca-certificate $CA_CERT \
-  --load-ca-privkey $CA_KEY \
-  --template $LDAP_TLS_INFO \
-  --outfile $LDAP_TLS_CERT
-chmod 0640 $LDAP_TLS_KEY
+  --load-privkey "${LDAP_TLS_KEY}" \
+  --load-ca-certificate "${CA_CERT}" \
+  --load-ca-privkey "${CA_KEY}" \
+  --template "${LDAP_TLS_INFO}" \
+  --outfile "${LDAP_TLS_CERT}"
+chmod 0640 "${LDAP_TLS_KEY}"
 
+cat > "certs/sourceme" <<EOF
+CA_KEY="certs/CAself-key.pem"
+CA_INFO="certs/CAself.info"
+CA_CERT="certs/CAself-cert.pem"
+LDAP_TLS_KEY="certs/${SERVER}_slapd_key.pem"
+LDAP_TLS_INFO="certs/${SERVER}.info"
+LDAP_TLS_CERT="certs/${SERVER}_slapd_cert.pem"
+EOF
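Review bot: Both private keys are written by redirecting `certtool --generate-privkey` output under the process's default umask and only narrowed to 0640 afterwards, so each key is briefly world-readable on typical umasks; adding `umask 077` on the line after `#!/bin/sh` closes that window and makes the later `chmod 0640` the only widening step. The script also has no `set -e`, so a failed certtool call still falls through to the new `certs/sourceme` heredoc in the second hunk, which then advertises paths to files that may not exist; `set -eu` at the top addresses both. `IFS="."` is set before the `for DC` loop and never restored, which is harmless here only because every later expansion is quoted; an `unset IFS` right after the loop makes that explicit. `hostname --fqdn` is a GNU option and busybox uses `hostname -f`, worth confirming against the target image.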

+ 0 - 71
slapd.conf

@@ -1,71 +0,0 @@
-#
-# See slapd.conf(5) for details on configuration options.
-# This file should NOT be world readable.
-#
-include		/etc/openldap/schema/core.schema
-
-# Define global ACLs to disable default read access.
-
-# Do not enable referrals until AFTER you have a working directory
-# service AND an understanding of referrals.
-#referral	ldap://root.openldap.org
-
-# If you change this, adjust pidfile path also in runscript!
-pidfile		/run/openldap/slapd.pid
-argsfile	/run/openldap/slapd.args
-
-# Load dynamic backend modules:
-modulepath	/usr/lib/openldap
-moduleload	back_mdb.so
-# moduleload	back_hdb.so
-# moduleload	back_bbd.so
-# moduleload	back_ldap.so
-
-# Sample security restrictions
-#	Require integrity protection (prevent hijacking)
-#	Require 112-bit (3DES or better) encryption for updates
-#	Require 63-bit encryption for simple bind
-# security ssf=1 update_ssf=112 simple_bind=64
-
-# Sample access control policy:
-#	Root DSE: allow anyone to read it
-#	Subschema (sub)entry DSE: allow anyone to read it
-#	Other DSEs:
-#		Allow self write access
-#		Allow authenticated users read access
-#		Allow anonymous users to authenticate
-#	Directives needed to implement policy:
-# access to dn.base="" by * read
-# access to dn.base="cn=Subschema" by * read
-access to *
-	by self write
-	by users read
-	by anonymous auth
-#
-# if no access controls are present, the default policy
-# allows anyone and everyone to read anything but restricts
-# updates to rootdn.  (e.g., "access to * by * read")
-#
-# rootdn can always read and write EVERYTHING!
-
-#######################################################################
-# MDB database definitions
-#######################################################################
-
-database	mdb
-maxsize		1073741824
-suffix		"dc=slurm,dc=ch"
-rootdn		"cn=admin,dc=slurm,dc=ch"
-
-# Cleartext passwords, especially for the rootdn, should
-# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
-# Use of strong authentication encouraged.
-rootpw		{SHA}og1PPUHxZ0LDh6+i1YUyOmyg0a0=
-
-# The database directory MUST exist prior to running slapd AND 
-# should only be accessible by the slapd and slap tools.
-# Mode 700 recommended.
-directory /var/lib/openldap
-
-# Indices to maintain
-index	objectClass	eq