# Enforce matching SSL certificate host names when 389-ds acts as an SSL
# client. Without this, a peer presenting any certificate issued by a
# trusted CA would be accepted regardless of the name in it, which allows
# a peer to be impersonated. A restart is necessary for this to take
# effect; one is performed when upgrading.
dn: cn=config
only:nsslapd-ssl-check-hostname: on
# Remove the precedence attribute from its incorrect placement: it was set
# on the plugin's child entry instead of on the plugin entry itself (fixed
# below).
dn: cn=Kerberos Principal Name,cn=IPA MODRDN,cn=plugins,cn=config
remove: nsslapd-pluginPrecedence: 60
# Set the precedence of the ipa-modrdn plugin so it runs after other
# plugins (higher values run later; the default is 50).
dn: cn=IPA MODRDN,cn=plugins,cn=config
only: nsslapd-pluginPrecedence: 60
# Raise the search limits to suit typical IPA deployment sizes; the
# defaults are too conservative. These are the global limits, so they also
# raise the amount of work a single search can impose on the server; the
# much lower limits for anonymous searches are set separately below.
dn: cn=config
replace: nsslapd-sizelimit:2000::100000
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
replace: nsslapd-lookthroughlimit:5000::100000
replace: nsslapd-idlistscanlimit:4000::100000
# Set much lower limits for anonymous searches (applied to anonymous binds
# via nsslapd-anonlimitsdn below), so unauthenticated clients cannot use the
# raised global limits to enumerate or load the directory.
dn: cn=anonymous-limits,cn=etc,$SUFFIX
default:objectclass:nsContainer
default:objectclass:top
default:cn: anonymous-limits
default:nsSizeLimit: 5000
default:nsLookThroughLimit: 5000
dn: cn=config
only:nsslapd-anonlimitsdn:cn=anonymous-limits,cn=etc,$SUFFIX
# Add a defaultNamingContext if one hasn't already been set. Support for
# this attribute was introduced in 389-ds-base-1.2.10-0.9.a8; adding it to
# a server that doesn't support it generates a non-fatal error.
dn: cn=config
add:nsslapd-defaultNamingContext:$SUFFIX
# Allow the root DSE to be searched even with minssf set, so clients on a
# not-yet-protected connection can discover the server's capabilities
# (e.g. STARTTLS and SASL mechanisms) before meeting the minssf
# requirement. Only the root DSE is exempted; all other data still
# requires the configured minimum security strength.
dn: cn=config
only:nsslapd-minssf-exclude-rootdse:on
# Set the IPA winsync plugin precedence above the default so it runs after
# the 389-ds POSIX winsync plugin.
dn: cn=ipa-winsync,cn=plugins,cn=config
only: nsslapd-pluginPrecedence: 60
# Enable SASL mapping fallback, so that when one mapping matches but does
# not resolve to an entry the lower-priority mappings are still tried. The
# Full Principal and Name Only mappings below are given an explicit
# priority for this (only if they do not already have one).
dn: cn=config
only:nsslapd-sasl-mapping-fallback: on
dn: cn=Full Principal,cn=mapping,cn=sasl,cn=config
addifnew:nsSaslMapPriority: 10
dn: cn=Name Only,cn=mapping,cn=sasl,cn=config
addifnew:nsSaslMapPriority: 10
# Allow hashed passwords to be added by non-DM users. Without this
# setting, password migration fails. Note that this also lets any account
# with write access to userPassword store a pre-hashed value, bypassing
# password policy checks and the server's configured hashing scheme, so
# write access to userPassword must stay tightly restricted.
dn: cn=config
only:nsslapd-allow-hashed-passwords:on
# Lower the I/O block timeout (nsslapd-ioblocktimeout, in milliseconds) to
# 10 seconds so a slow or stalled client cannot tie up a worker thread and
# render the server unresponsive.
dn: cn=config
only:nsslapd-ioblocktimeout:10000
# 389-DS 1.4.1.6+ attempts to re-hash stored passwords to the current
# default hashing scheme on LDAP bind. IPA blocks hashed password updates
# and requires password changes to go through its own APIs, so the
# bind-time upgrade cannot succeed. This option disables password hash
# upgrades on LDAP bind, see https://pagure.io/freeipa/issue/8315
dn: cn=config
only: nsslapd-enable-upgrade-hash:off