OpenLDAP Overlays¶
OpenLDAP server supports overlays which can be added to a LDAP database to modify its functionality. The overlays listed below are enabled by the debops.slapd role by default.
Sync Provider overlay¶
The role will by default enable the Sync Provider (syncprov
) dynamic
module and overlay, in both the cn=config
configuration database, and the
main OpenLDAP database.
The Sync Provider functionality is used in different data replication
strategies. Enabling it by default, even on a standalone OpenLDAP server,
should be harmless - the replication requires additional configuration defined
in each OpenLDAP database. The overlay is enabled first to keep the
X-ORDERED
index number consistent between the cn=config
database and
the main database.
Manual page: slapo-syncprov(5)
Password Policy overlay¶
The debops.slapd role will by default import the ppolicy
LDAP
schema, load the ppolicy
dynamic module and enable the Password Policy
overlay in the main OpenLDAP database.
The Password Policy overlay is used to maintain the security and quality of
various passwords stored in the LDAP database. By default the overlay will
ensure that the cleartext passwords passed to the OpenLDAP server are hashed
using the algorithms specified in the olcPasswordHash
parameter (salted
SHA-512 via crypt(3) function is set by default by the
debops.slapd role).
The LDAP administrators can define default and custom Password Policies in the main database, which can enforce additional password requirements, like minimum password length, different types of characters used, lockout policy, etc.
Manual page: slapo-ppolicy(5)
Attribute Uniqueness overlay¶
The Attribute Uniqueness overlay is used to enforce that specific LDAP
attributes are unique acrosse the LDAP directory. The default configuration
enforces the uniqueness of the uidNumber
and gidNumber
attributes in
the entire LDAP directory, and the uid
, gid
and mail
attributes in
the ou=People,dc=example,dc=org
subtree of the directory.
Manual page: slapo-unique(5)
Reverse Group Membership Maintenance overlay¶
The memberOf overlay is used to update the LDAP objects of group members
when they are added or removed from a particular groupOfNames
object.
Applications and services can search for objects with the memberOf
attribute with specific values to get the list of groups a given user belongs
to.
Manual page: slapo-memberof(5)
Referential Integrity overlay¶
The refint overlay is used to update Distinguished Name references in other LDAP objects when a particular object is renamed or removed. This ensures that the references between objects in the LDAP database are consistent.
Manual page: slapo-refint(5)
Audit Logging overlay¶
The auditlog overlay records all changes performed in the LDAP database using an external log file. Changes are stored in the LDIF format, that includes a timestamp and the identity of the modifier. The role will automatically ensure that the audit log files are rotated periodically using the logrotate service to keep the disk usage under control.
Manual page: slapo-auditlog(5)
Attribute Constraints overlay¶
The constraint overlay can be used to place constraints on specific LDAP attributes, for example number of possible values, size or format.
Manual page: slapo-constraint(5)
LastBind overlay¶
The lastbind
overlay and the corresponding OpenLDAP module can be used to
maintain information about last login time of a LDAP account, similar to the
lastLogon functionality from Active Directory. The primary purpose
of the lastbind
overlay is detection of inactive user accounts; it
shouldn't be relied on for real-time login tracking.
The time of the last successful authenticated bind operation of a given LDAP
object is stored in the authTimestamp
operational attribute (not
replicated, not visible in normal queries, has to be specifically requested).
By default the timestamp is updated once a day to avoid performance issues in
larger environments.
Manual page: slapo-lastbind(5)