The role will by default enable the Sync Provider (
module and overlay, in both the
cn=config configuration database, and the
main OpenLDAP database.
The Sync Provider functionality is used in different data replication
strategies. Enabling it by default, even on a standalone OpenLDAP server,
should be harmless - the replication requires additional configuration defined
in each OpenLDAP database. The overlay is enabled first to keep the
X-ORDERED index number consistent between the
cn=config database and
the main database.
Manual page: slapo-syncprov(5)
The debops.slapd role will by default import the
schema, load the
ppolicy dynamic module and enable the Password Policy
overlay in the main OpenLDAP database.
The Password Policy overlay is used to maintain the security and quality of
various passwords stored in the LDAP database. By default the overlay will
ensure that the cleartext passwords passed to the OpenLDAP server are hashed
using the algorithms specified in the
olcPasswordHash parameter (salted
SHA-512 via crypt(3) function is set by default by the
The LDAP administrators can define default and custom Password Policies in the main database, which can enforce additional password requirements, like minimum password length, different types of characters used, lockout policy, etc.
Manual page: slapo-ppolicy(5)
The Attribute Uniqueness overlay is used to enforce that specific LDAP
attributes are unique acrosse the LDAP directory. The default configuration
enforces the uniqueness of the
gidNumber attributes in
the entire LDAP directory, and the
ou=People,dc=example,dc=org subtree of the directory.
Manual page: slapo-unique(5)
The memberOf overlay is used to update the LDAP objects of group members
when they are added or removed from a particular
Applications and services can search for objects with the
attribute with specific values to get the list of groups a given user belongs
Manual page: slapo-memberof(5)
The refint overlay is used to update Distinguished Name references in other LDAP objects when a particular object is renamed or removed. This ensures that the references between objects in the LDAP database are consistent.
Manual page: slapo-refint(5)
The auditlog overlay records all changes performed in the LDAP database using an external log file. Changes are stored in the LDIF format, that includes a timestamp and the identity of the modifier. The role will automatically ensure that the audit log files are rotated periodically using the logrotate service to keep the disk usage under control.
Manual page: slapo-auditlog(5)
The constraint overlay can be used to place constraints on specific LDAP attributes, for example number of possible values, size or format.
Manual page: slapo-constraint(5)
lastbind overlay and the corresponding OpenLDAP module can be used to
maintain information about last login time of a LDAP account, similar to the
lastLogon functionality from Active Directory. The primary purpose
lastbind overlay is detection of inactive user accounts; it
shouldn't be relied on for real-time login tracking.
The time of the last successful authenticated bind operation of a given LDAP
object is stored in the
authTimestamp operational attribute (not
replicated, not visible in normal queries, has to be specifically requested).
By default the timestamp is updated once a day to avoid performance issues in
Manual page: slapo-lastbind(5)