Typical OpenLDAP settings
Some basic hints for configuring the OpenLDAP server:
Size limit:
When a search hits the server's size limit you will get a message like "LDAP sizelimit exceeded, not all
entries are shown." By default OpenLDAP returns at most 500 entries per search (sizelimit 500). If you have
more users/groups/hosts than that, raise the limit:
slapd.conf:
e.g. "sizelimit 10000", or "sizelimit -1" for an unlimited number of returned
entries
slapd.d (cn=config):
e.g. "olcSizeLimit: 10000", or "olcSizeLimit: -1" for unlimited, on the cn=config entry
(/etc/ldap/slapd.d/cn=config.ldif). Do not edit the files under slapd.d by hand while slapd is running;
apply the change with ldapmodify against the cn=config database, or stop slapd first.
Note that the size limit applies to every client that is allowed to search, including anonymous binds if
those are permitted, so an unlimited limit lets any such client enumerate the whole directory. Prefer a
finite global limit and grant a higher or unlimited one only to the bind DN that needs it, using the
"limits" directive in slapd.conf or "olcLimits" on the database entry in cn=config.
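The following LDIF is an added example and not part of the original page or the OpenLDAP project's documentation. It applies the size limit over cn=config at runtime instead of editing files under slapd.d, and it keeps the global limit finite while lifting it only for the administrative bind DN. It assumes that the local root user can reach cn=config with SASL EXTERNAL over ldapi:///, that the data database is olcDatabase={1}mdb (older installs use {1}bdb or {1}hdb), and that the directory tool binds as cn=admin,dc=example,dc=com; all three are assumptions, adjust them to your server.

```ldif
# Applied with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f sizelimit.ldif
# Assumptions (not from the original page): root has SASL EXTERNAL access to
# cn=config, the data database is olcDatabase={1}mdb, and the tool binds as
# cn=admin,dc=example,dc=com.

# Global default that applies to every client without a more specific limit,
# including anonymous searches if those are allowed at all.
dn: cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: 10000

# Unlimited results (and no time limit) only for the administrative bind DN.
# olcLimits is a per-database attribute, so it goes on the database entry.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="cn=admin,dc=example,dc=com" size=unlimited time=unlimited
```

Check the result with "ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcSizeLimit olcLimits". Keep in mind that a client can still request its own, lower size limit for a search (ldapsearch -z, or a limit configured in the web frontend); the server limit only caps what a client may ask for, it does not raise what the client requested.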
Unique attributes:
There are cases where you do not want the same attribute value to exist more than once in your
database. A good example are UID/GID numbers: two accounts sharing a uidNumber are the same user as
far as the operating system is concerned.
OpenLDAP provides the attribute uniqueness overlay (slapo-unique) for this task.
Example to force unique UID numbers:
In
/etc/ldap/slapd.d/cn=config/cn=module{0}.ldif add
"olcModuleLoad: {3}unique" (replace "3" with the highest existing number
plus one).
Then create the overlay as a child entry of the database, e.g.
/etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb/olcOverlay={0}unique.ldif, with the object classes
olcOverlayConfig and olcUniqueConfig, "olcOverlay: {0}unique" and
"olcUniqueURI: ldap:///?uidNumber?sub". The olcUniqueURI attribute belongs to that overlay entry, not to
olcDatabase={1}bdb.ldif itself (an empty base in the URI means the database suffix).
The overlay only rejects add and modify operations that would create a new duplicate; values that are
already duplicated stay in the database, so search for them before enabling it. As with all files under
slapd.d, edit them only while slapd is stopped or apply the change with ldapmodify instead.
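The same procedure as a runtime change over cn=config, as an added example (not from the original page or from OpenLDAP's own documentation). It goes one step further than the text and also makes gidNumber unique, using a second olcUniqueURI value so that each attribute is checked in its own, independent uniqueness domain. Assumptions: root can reach cn=config with SASL EXTERNAL over ldapi:///, the data database is olcDatabase={1}mdb, and the unique module is found via the existing olcModulePath of cn=module{0}.

```ldif
# Applied with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f unique.ldif
# Assumptions (not from the original page): root has SASL EXTERNAL access to
# cn=config, the data database is olcDatabase={1}mdb, and olcModulePath on
# cn=module{0} already points at the directory containing unique.la.

# 1. Load the overlay module. Skip this block if "unique" already appears in
#    the olcModuleLoad values of cn=module{0}.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: unique

# 2. Create the overlay as a child entry of the database. Every olcUniqueURI
#    value is an independent uniqueness domain: uidNumber values must be unique
#    among themselves and gidNumber values among themselves. The empty base in
#    the URIs means "below the database suffix".
dn: olcOverlay=unique,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcUniqueConfig
olcOverlay: unique
olcUniqueURI: ldap:///?uidNumber?sub
olcUniqueURI: ldap:///?gidNumber?sub
```

To verify, try to add a test account whose uidNumber is already taken: the server must answer with "Constraint violation (19)" and the diagnostic message "some attributes not unique". Run the check for existing duplicates first (for example a search for uidNumber=* and a scan of the returned values), because the overlay does not clean up duplicates that are already present.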
Indices:
Indices improve the performance of searches in the LDAP directory. Without an index for the attribute in
a search filter, slapd has to scan every entry of the database, which on a large directory makes each
search slow and easy to abuse. The following indices (slapd.conf syntax) are recommended:
index objectClass eq
index default sub
index uidNumber eq
index gidNumber eq
index memberUid eq
index cn,sn,uid,displayName pres,sub,eq
# Samba 3.x
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
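The same set of indices expressed for cn=config, as an added example that is not part of the original page or of the OpenLDAP documentation. It assumes the data database is olcDatabase={1}mdb (use {1}bdb or {1}hdb on older installs) and that root can reach cn=config with SASL EXTERNAL over ldapi:///; both are assumptions.

```ldif
# Applied with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f indices.ldif
# Assumptions (not from the original page): the data database is
# olcDatabase={1}mdb and root has SASL EXTERNAL access to cn=config.
#
# "replace" overwrites the complete list of indices, so every index you want
# to keep must be listed here, including ones that already exist.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcDbIndex
olcDbIndex: objectClass eq
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: memberUid eq
olcDbIndex: cn,sn,uid,displayName pres,sub,eq
# Samba 3.x attributes: keep these lines only if the Samba schema is loaded,
# otherwise slapd rejects the change because the attribute types are undefined.
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaDomainName eq
```

Two notes on the list above. The "index default sub" line of the slapd.conf version only sets the index types used for later "index" lines that omit their own types; since every line in the list names its types, it adds no index by itself, which is why it is left out here. When indices are changed through cn=config on a running server, slapd rebuilds the affected indices itself, which can take a while on a large database; with slapd.conf you have to stop slapd and run slapindex instead. Afterwards watch the slapd log for lines containing "not indexed" (e.g. "<= mdb_equality_candidates: (uid) not indexed"), which tell you exactly which attributes your clients search for without an index.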