Most of the configuration of the ldap server has to do with getting correct
access controls to keep the data safe. Here is a sample:


# only allow plain text auth when we do crypto
security simple_bind=128

# and the database definition
database bdb

# Turn on automatic last modification time 
lastmod on

# Index some things
index uid eq
index keyfingerprint eq
index cn,sn approx,sub,eq

# Administrate 
#rootdn "uid=admin,ou=users,dc=debian,dc=org"
#rootpw

# Restrict reading/modification of the password to administration and self
access to attrs=userpassword,sshrsaauthkey
        by self write
        by dn="uid=admin,ou=users,dc=debian,dc=org" write
        by group="uid=admin,ou=users,dc=debian,dc=org" write
        by * compare    

access to attrs=emailforward
        by dn="uid=admin,ou=users,dc=debian,dc=org" write
        by group="uid=admin,ou=users,dc=debian,dc=org" write
        by self write
        by addr=127.0.0.1 read
        by domain=.*\.debian\.org read
        by * none
access to attrs=c,l,loginShell,ircNick
        by dn="uid=admin,ou=users,dc=debian,dc=org" write
        by group="uid=admin,ou=users,dc=debian,dc=org" write
        by self write
access to attrs=facsimileTelephoneNumber,telephoneNumber,postalAddress,postalC
ode,loginShell,onvacation,privateSub,latitude,longitude
        by dn="uid=admin,ou=users,dc=debian,dc=org" write
        by group="uid=admin,ou=users,dc=debian,dc=org" write
        by self write
        by dn="uid=.*,ou=users,dc=debian,dc=org" read
        by * none
access to * 
        by dn="uid=admin,ou=users,dc=debian,dc=org" write
        by group="uid=admin,ou=users,dc=debian,dc=org" write

# Overlays are useful to enforce constraints:

moduleload /usr/lib/ldap/unique.so
overlay unique
unique_uri ldap:///ou=users,dc=debian,dc=org?uidNumber,uid,keyFingerPrint?sub
unique_uri ldap:///ou=groups,dc=debian,dc=org?gidNumber,cn?sub

# End----------

Note that in more modern versions of slapd, the "by addr" and "by domain"
syntax has changed and the following should be used instead:
        by peername.ip=127.0.0.1 read
        by domain.subtree=debian.org read



Here is the initial seed file to import and setup the proper entries:

dn: dc=org
dc: net
objectClass: top
objectClass: domain

dn: dc=debian,dc=org
dc: visi
objectClass: top
objectClass: domain

dn: ou=users,dc=debian,dc=org
ou: users
objectClass: top
objectClass: organizationalUnit

dn: uid=admin,ou=users,dc=debian,dc=org
uid: admin
cn: LDAP administrator
objectClass: top
objectClass: groupOfNames
userPassword: {crypt}?????
member: uid=jgg,ou=users,dc=debian,dc=org
member: uid=joey,ou=users,dc=debian,dc=org
member: uid=troup,ou=users,dc=debian,dc=org
mail: debian-admin@debian.org