Installation de base du système
Breizh ha modificato questa pagina 3 mesi fa

Installation de base du système

SSH

Éditer le fichier /etc/ssh/sshd_config :

#   $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none
Ciphers chacha20-poly1305@openssh.com
KexAlgorithms curve25519-sha256@libssh.org
MACs umac-128-etm@openssh.com

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile  .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no # pam does that
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem   sftp    /usr/lib/ssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server

AllowUsers breizh darks lephe

Sont précisé ci-dessous les paramètres modifiés. Le reste correspond à la configuration par défaut.

Cryptologie :

  • HostKey /etc/ssh/ssh_host_ed25519_key : force la clef du serveur à être en ed25519, plus sécurisée que le autres à l’heure actuelle.
  • Ciphers chacha20-poly1305@openssh.com : utilisation du cipher chacha20-poly1305 plus sécurisé que les paramètres par défaut.
  • KexAlgorithms curve25519-sha256@libssh.org : algorithme d’échanges des clefs.
  • MACs umac-128-etm@openssh.com : algorithme pour vérifier l’authenticité des échanges.

Authentification :

  • PermitRootLogin prohibit-password : autorise à se connecter en root directement via des clefs SSH (connexion par mot de passe interdite)
  • AuthorizedKeysFile .ssh/authorized_keys : fichier listant les clefs SSH autorisées à se connecter (relatif au répertoire personnel de l’utilisateur)
  • PasswordAuthentication no : interdit la connexion par mot de passe
  • AllowUsers : utilisateurs autorisés à se connecter
systemctl reload sshd

Locale

Génération des locales française et anglaise, et utilisation du français par défaut.

cat > /etc/locale.gen <<<EOF
en_US.UTF-8 UTF-8
fr_FR.UTF-8 UTF-8

EOF

locale-gen

echo "LANG=fr_FR.UTF-8" > /etc/locale.conf

Heure

Activation de la synchronisation horaire par NTP et définition du fuseau horaire local.

timedatectl set-ntp true
ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime 

Pacman

Installer yay pour pouvoir gérer l’AUR (https://github.com/Jguer/yay).

Installer et exécuter reflector afin d’avoir une liste de miroirs correcte.

yay -S reflector
reflector -c FR --sort rate --save /etc/pacman.d/mirrorlist

Dans /etc/pacman.conf, décommenter UseDelta = 0.7, Color, TotalDownload, CheckSpace et VerbosePkgLists. Ces paramètres permettent de ne télécharge que le nécessaire (UseDelta), de vérifier l’espace disque pour éviter les mauvaises surprises et d’améliorer l’affichage.

Mettre à jour dépôts et paquets :

yay -Syyu

IPTables

IPTables permet de configurer le pare-feu du kernel Linux.

/etc/iptables/iptables.rules :

# Protection contre DDOS
*mangle
:PREROUTING ACCEPT [176:18588]
:INPUT ACCEPT [176:18588]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [157:27472]
:POSTROUTING ACCEPT [157:27472]
-A PREROUTING -f -j DROP
-A PREROUTING -m conntrack --ctstate INVALID -j DROP
-A PREROUTING -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
-A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [155:26977]

# Autoriser les réponses
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Autoriser les requêtes sur Localhost
-A INPUT -i lo -j ACCEPT

# Autoriser le ping
-A INPUT -p icmp -j ACCEPT

# Autoriser SSH
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

# Autoriser le HTTP(S)
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

# Interdire tout le reste
-A INPUT -i eth0 -j DROP

# Protection contre le DDOS bis (limite le trafic)
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
COMMIT

Même chose pour IPv6, à quelques détails près.

/etc/iptables/ip6tables.rules :

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [155:26977]

# Réponses
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Localhost
-A INPUT -i lo -j ACCEPT

# Ping
-A INPUT -p ipv6-icmp -j ACCEPT

# SSH
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

# HTTP(S)
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

# Tout le reste
-A INPUT -i eth0 -j DROP

# DDOS
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
COMMIT

systemctl enable --now iptables
systemctl enable --now ip6tables

Réseau

On utilise systemd-networkd. La configuration est assez explicite, ci-dessous celle pour le VPS (IP statique, v4 et v6).

rename '.network' '.network.bak' /etc/systemd/network/*.network
cat > /etc/systemd/network/eth0.network <<<EOF
[Match]
Name=eth0

[Address]
Address=2001:41d0:305:2100::8930/128

[Address]
Address=51.83.79.246/32

[Route]
Gateway=2001:41d0:305:2100::1
GatewayOnlink=true

[Route]
Gateway=51.83.72.1
GatewayOnlink=true

[Network]
DNS=2001:41d0:3:163::1
DNS=2001:910:800::12
DNS=2001:910:800::40
DNS=213.186.33.99
DNS=80.67.169.12
DNS=80.67.169.40

EOF

Adapter selon usage (IPs, interface…). Les DNS sont ceux d’OVH puis de la FDN.

Postfix

yay -S postfix
cp -a /etc/postfix/main.cf /etc/postfix/.main.cf.orig
cp -a /etc/postfix/master.cf /etc/postfix/.master.cf.orig
echo "planet-casio.com" > /etc/mailname

cat > /etc/postfix/main.cf <<<\EOF
smtpd_banner = $myhostname ESMTP
biff = no
append_dot_mydomain = no
readme_directory = no

smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = may
smtp_tls_loglevel = 1

myhostname = planet-casio.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = 127.0.0.1
inet_protocols = ipv4

slow_destination_recipient_limit = 20
slow_destination_concurrency_limit = 2

transport_maps = hash:/etc/postfix/transport
EOF

cat > /etc/postfix/master.cf <<\EOF
smtp      inet  n       -       -       -       -       smtpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
  -o smtp_fallback_relay=
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
slow      unix  -       -       n       -       5       smtp
  -o syslog_name=postfix-slow
  -o smtp_destination_concurrency_limit=3
  -o slow_destination_rate_delay=1
EOF

> /etc/postfix/transport
cat > /etc/postfix/transport <<\EOF
laposte.net slow:
orange.fr slow:
wanadoo.fr slow:
free.fr slow:
EOF

postmap /etc/postfix/transport
systemctl restart postfix
systemctl enable postfix

Fail2ban (WIP)

Installation de fail2ban pour déjouer les attaques. La configuration de base peut suffire, à voir avec le temps s’il est nécessaire de la blinder un peu plus.

yay -S fail2ban
systemctl enable --now fail2ban

Nginx

Installation de Nginx, et dehydrated pour les certificats Let’s Encrypt.

yay -S dehydrated nginx

Configuration initiale de Nginx.

cp -a /etc/nginx/nginx.conf /etc/nginx/.nginx.conf.orig

> /etc/nginx/nginx.conf
cat > /etc/nginx/nginx.conf <<\EOF
pid /var/run/nginx.pid;
user www-data;
worker_processes auto;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;

events {
    multi_accept on;
    use epoll;
    worker_connections 256;
}

http {

    index               index.html index.htm index.php;

    server_tokens       off;

    include             /etc/nginx/mime.types;
    charset_types       text/css text/plain text/vnd.wap.wml application/javascript application/json application/rss+xml application/xml;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;

    types_hash_bucket_size 128;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
EOF

cat > /etc/nginx/conf.d/buffer.conf <<\EOF
# Buffer Overflow Protection
client_body_buffer_size     100K;
client_header_buffer_size   1k;
client_max_body_size        100k;
large_client_header_buffers 2 1k;
EOF

cat > /etc/nginx/conf.d/ddos.conf <<\EOF
# Slow DDOS Protection
client_body_timeout         10;
client_header_timeout       10;
keepalive_timeout           5 5;
send_timeout                10;

# DDOS Protection
# Maximum request per IP // 100 per seconde
limit_req_zone $binary_remote_addr zone=flood:10m rate=100r/s;
limit_req zone=flood burst=100 nodelay;

# Maximum Connection per IP // 100 per seconde
limit_conn_zone $binary_remote_addr zone=ddos:10m;
limit_conn ddos 100;
EOF

cat > /etc/nginx/conf.d/header.conf <<\EOF
# Bad Header Protection
add_header X-Frame-Options           SAMEORIGIN;
add_header X-Content-Type-Options    nosniff;
add_header X-XSS-Protection          "1; mode=block";
add_header Referrer-Policy           "strict-origin-when-cross-origin";
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
EOF

cat > /etc/nginx/conf.d/blockuseragents.conf <<\EOF
map $http_user_agent $blockedagent {
    default         0;
    ~*malicious     1;
    ~*backdoor      1;
    ~*crawler       1;
    ~*spider        1;
}
EOF

cat > /etc/logrotate.d/nginx <<\EOF
/var/log/nginx/*.log {
    daily
    missingok
    rotate 14
    compress
    delaycompress
    notifempty
    create 0644 root root
    sharedscripts
    prerotate
        if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
            run-parts /etc/logrotate.d/httpd-prerotate; \
        fi \
    endscript
    postrotate
        invoke-rc.d nginx rotate >/dev/null 2>&1
    endscript
}
EOF

> /etc/nginx/ssl.conf
cat > /etc/nginx/ssl.conf <<EOF
ssl_prefer_server_ciphers   on;
ssl_protocols               TLSv1.2 TLSv1.3;
ssl_ciphers                 'EECDH+CHACHA20:EECDH+AES';
ssl_session_cache           shared:SSL:10m;
ssl_session_timeout         5m;
ssl_dhparam                 /etc/ssl/ssl.dh/dhparam.pem;
ssl_stapling                on;
ssl_stapling_verify         on;
EOF

> /etc/nginx/common.conf
cat > /etc/nginx/common.conf <<EOF
location ^~ /.well-known/acme-challenge {
    alias /var/www/dehydrated;
}

if ($blockedagent) {
    return 403;
}

if ($request_method !~ ^(GET|PUT|POST)$ ) {
    return 444;
}
EOF

Monitoring

Installation des outils.

yay -S grafana telegraf influxdb goaccess

InfluxDB

systemctl enable --now influxdb
influx
CREATE DATABASE telegraf
CREATE USER telegraf WITH PASSWORD 'un_joli_password'
GRANT ALL ON telegraf TO telegraf
CREATE RETENTION POLICY thirty_days ON telegraf DURATION 30d REPLICATION 1 DEFAULT

Permet de conserver les informations de monitoring sur 30 jours.

Telegraf

Configuration pour enregistrer les données dans InfluxDB.

cat > /etc/telegraf/telegraf.d/outputs.conf <<EOF
[[outputs.influxdb]]
  database = "telegraf"
  precision = "s"
  urls = [ "http://127.0.0.1:8086" ]
  username = "telegraf"
  password = "un_joli_password"
EOF

Configuration de base (mesures toutes les 15 secondes).

cat > /etc/telegraf/telegraf.conf <<EOF
[tags]

# Configuration for telegraf agent
[agent]
  debug = false
  flush_buffer_when_full = true
  flush_interval = "15s"
  flush_jitter = "0s"
  hostname = "planet-casio.com"
  interval = "15s"
  round_interval = true
EOF

Diverses mesures systèmes utiles (CPU, RAM, disque, IO…).

cat > /etc/telegraf/telegraf.d/inputs_cpu.conf <<EOF
# Read metrics about CPU usage
[[inputs.cpu]]
  percpu = false
  totalcpu = true
  fieldpass = [ "usage*" ]
EOF

cat > /etc/telegraf/telegraf.d/inputs_disk.conf <<EOF
# Read metrics about disk usagee
[[inputs.disk]]
  mount_points=["/"]
EOF

cat > /etc/telegraf/telegraf.d/inputs_diskio.conf <<EOF
# Read metrics about diskio usage
[[inputs.diskio]]
  devices = ["vda1"]
  skip_serial_number = true
EOF

cat > /etc/telegraf/telegraf.d/inputs_net.conf <<EOF
# Read metrics about network usage
[[inputs.net]]
  interfaces = [ "eth0" ]
  fielddrop = [ "icmp*", "ip*", "tcp*", "udp*" ]
EOF

cat > /etc/telegraf/telegraf.d/inputs_memory.conf <<EOF
# Read metrics about memory usage
[[inputs.mem]]
  # no configuration
EOF

cat > /etc/telegraf/telegraf.d/inputs_swap.conf <<EOF
# Read metrics about swap memory usage
[[inputs.swap]]
  # no configuration
EOF

cat > /etc/telegraf/telegraf.d/inputs_system.conf <<EOF
# Read metrics about system load & uptime
[[inputs.system]]
  # no configuration
EOF

cat > /etc/telegraf/telegraf.d/inputs_nginx.conf <<EOF
[[inputs.nginx]]
  urls = ["http://127.0.0.1:8080/nginx-status"]
EOF

systemctl enable --now telegraf

Grafana

yay -S grafana
systemctl enable --now grafana

La configuration se trouve dans /etc/grafana.ini, notamment pour y changer le port d’écoute.

Gitea

yay -S gitea

La configuration de base (port, URL, domaine SSH) se trouve dans /etc/gitea/app.ini. Une fois lancé, le reste se fait via l’interface web d’installation.

LDAP

yay -S openldap

Vérifier le contenu de /etc/openldap/slapd.conf :

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org

pidfile     /run/openldap/slapd.pid
argsfile    /run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/lib/openldap
# moduleload    back_mdb.la
# moduleload    back_ldap.la

# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#       Allow self write access
#       Allow authenticated users read access
#       Allow anonymous users to authenticate
#   Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#   by self write
#   by users read
#   by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# MDB database definitions
#######################################################################

database    mdb
maxsize     1073741824
suffix      "o=planet-casio"
rootdn      "cn=ldap-root,o=planet-casio"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw      unjolimotdepasse
# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /var/lib/openldap/openldap-data
# Indices to maintain
index   objectClass eq
index   uid             pres,eq
index   mail            pres,sub,eq
index   cn              pres,sub,eq
index   sn              pres,sub,eq
index   dc              eq

Les champs include, suffix, rootdn, rootpw sont à priori les seuls à modifier.