The role will by default enable the Sync Provider (
module and overlay, in both the
cn=config configuration database, and the
main OpenLDAP database.
The Sync Provider functionality is used in different data replication
strategies. Enabling it by default, even on a standalone OpenLDAP server,
should be harmless - the replication requires additional configuration defined
in each OpenLDAP database. The overlay is enabled first to keep the
X-ORDERED index number consistent between the
cn=config database and
the main database.
Manual page: slapo-syncprov(5)
The debops.slapd role will by default import the
schema, load the
ppolicy dynamic module and enable the Password Policy
overlay in the main OpenLDAP database.
The Password Policy overlay is used to maintain the security and quality of
various passwords stored in the LDAP database. By default the overlay will
ensure that the cleartext passwords passed to the OpenLDAP server are hashed
using the algorithms specified in the
olcPasswordHash parameter (salted
SHA-512 via crypt(3) function is set by default by the
The LDAP administrators can define default and custom Password Policies in the main database, which can enforce additional password requirements, like minimum password length, different types of characters used, lockout policy, etc.
Manual page: slapo-ppolicy(5)
The Attribute Uniqueness overlay is used to enforce that specific LDAP
attributes are unique acrosse the LDAP directory. The default configuration
enforces the uniqueness of the
gidNumber attributes in
the entire LDAP directory, and the
ou=People,dc=example,dc=org subtree of the directory.
Manual page: slapo-unique(5)
The memberOf overlay is used to update the LDAP objects of group members
when they are added or removed from a particular
groupOfEntries objects, as well as "role occupants" defined in a given
organizationalRole object. The overlay also maintains reverse membership
information of the
groupOfURLs objects maintained by the
Applications and services can search for objects with the
attribute with specific values to get the list of groups or roles a given user
Manual page: slapo-memberof(5)
The refint overlay is used to update Distinguished Name references in other LDAP objects when a particular object is renamed or removed. This ensures that the references between objects in the LDAP database are consistent.
Manual page: slapo-refint(5)
The auditlog overlay records all changes performed in the LDAP database using an external log file. Changes are stored in the LDIF format, that includes a timestamp and the identity of the modifier. The role will automatically ensure that the audit log files are rotated periodically using the logrotate service to keep the disk usage under control.
Manual page: slapo-auditlog(5)
The constraint overlay can be used to place constraints on specific LDAP attributes, for example number of possible values, size or format.
Manual page: slapo-constraint(5)
autogroup overlay is yet another attempt at creating dynamic groups
in the LDAP directory. Normally using the combination of the
slapo-dynlist(5) and the slapo-dyngroup(5) overlays the LDAP
directory can support dynamic group objects which define membership in a group
using LDAP search URLs. However these groups are "virtual" and don't really
exist, using the dynamic attributes in searches will not include these groups.
Also, the reverse membership information defined by the
cannot be implemented this way.
autogroup overlay, the directory server checks on each add, modify or
delete operation on an object if that object is included in a search of
groupOfURLs group and statically adds or removes a reference
to it in the
member attribute as needed. With addition of the
overlay which maintains reverse membership information of a given object using
memberOf attribute, the AutoGroup overlay can be used to provide
two-way dynamic group support in the LDAP directory. The write performance
might be an issue with large datasets.
During development of the feature in DebOps, crashes of the slapd daemon were observed in multi-master replication mode on older Debian releases. The OpenLDAP version included in Debian Buster seems to work fine, though.
lastbind overlay and the corresponding OpenLDAP module can be used to
maintain information about last login time of a LDAP account, similar to the
lastLogon functionality from Active Directory. The primary purpose
lastbind overlay is detection of inactive user accounts; it
shouldn't be relied on for real-time login tracking.
The time of the last successful authenticated bind operation of a given LDAP
object is stored in the
authTimestamp operational attribute (not
replicated, not visible in normal queries, has to be specifically requested).
By default the timestamp is updated once a day to avoid performance issues in
Manual page: slapo-lastbind(5)