Quick merge: everything from HEAD

Kurt Zeilenga 2007-02-13 21:21:56 +00:00
commit 3c5068bc1f
905 changed files with 20778 additions and 10246 deletions

@ -1,5 +1,5 @@
OpenLDAP 2.4 Change Log
OpenLDAP 2.4.3alpha Release
OpenLDAP 2.4.4alpha Release
Changes not tracked

@ -1,4 +1,4 @@
Copyright 1998-2006 The OpenLDAP Foundation
Copyright 1998-2007 The OpenLDAP Foundation
All rights reserved.
Redistribution and use in source and binary forms, with or without

@ -107,7 +107,7 @@ $OpenLDAP: pkg/openldap-guide/release/install.sdf,v 1.16 2002/02/18
This work is part of OpenLDAP Software <http://www.openldap.org/>.
Copyright 1998-2006 The OpenLDAP Foundation.
Copyright 1998-2007 The OpenLDAP Foundation.
All rights reserved.
Redistribution and use in source and binary forms, with or without

@ -2,7 +2,7 @@
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2006 The OpenLDAP Foundation.
## Copyright 1998-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without

README

@ -80,7 +80,7 @@ $OpenLDAP$
This work is part of OpenLDAP Software <http://www.openldap.org/>.
Copyright 1998-2006 The OpenLDAP Foundation.
Copyright 1998-2007 The OpenLDAP Foundation.
All rights reserved.
Redistribution and use in source and binary forms, with or without

build/config.guess vendored

@ -29,7 +29,7 @@ timestamp='2003-07-02-OpenLDAP'
# configuration script generated by Autoconf, and is distributable
# under the same distributions terms as OpenLDAP itself.
## Copyright 1998-2006 The OpenLDAP Foundation.
## Copyright 1998-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without

build/config.sub vendored

@ -34,7 +34,7 @@ timestamp='2003-07-04-OpenLDAP'
# configuration script generated by Autoconf, and is distributable
# under the same distributions terms as OpenLDAP itself.
## Copyright 1998-2006 The OpenLDAP Foundation.
## Copyright 1998-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without

@ -2,7 +2,7 @@
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2006 The OpenLDAP Foundation.
## Copyright 1998-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
@ -18,5 +18,5 @@
set -e # exit immediately if any errors occur
find . -type f -not -name 'LICENSE*' -print -exec perl -pi -e 's/Copyright ([0-9]{4})([,\-][0-9]{2,4})*,? The OpenLDAP Foundation/Copyright $1-2006 The OpenLDAP Foundation/g;' {} \;
find . -type f -not -name 'LICENSE*' -print -exec perl -pi -e 's/Copyright ([0-9]{4})([,\-][0-9]{2,4})*,? The OpenLDAP Foundation/Copyright $1-2007 The OpenLDAP Foundation/g;' {} \;
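Review bot: the replacement year is hard-coded (`$1-2007`), so this script has to be edited every January, which is exactly what this hunk does; computing it inside the perl expression, e.g. with `(localtime)[5]+1900`, would make the script reusable without a yearly patch. The `find` also rewrites every regular file except `LICENSE*`, so it must only be run on a clean checkout where no binary or generated file can be mangled by `perl -pi`.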

build/db.4.2.52.patch Normal file

@ -0,0 +1,55 @@
As posted to http://www.openldap.org/lists/openldap-devel/200610/msg00027.html
This is Sleepycat bug #14908. The provided patch is for 4.2.52. The
same bug is present in all versions up to 4.5.20 where it is fixed.
-------- Original Message --------
Subject: region size bug Re: [BDB-Alpha] Berkeley DB 4.5.8 ALPHA
Date: Mon, 10 Jul 2006 13:37:33 -0700
From: Howard Chu <hyc@symas.com>
To: support@sleepycat.com
CC: support@symas.com
References: <45A742B5-7DD5-4512-A204-A10FE8FC5DFC@oracle.com>
I just ran into this in 4.2.52 but the same calculation occurs in 4.4
and 4.5.8 alpha:
This computation gives the wrong results when the number of cache
regions is greater than the number of gigabytes (which we encounter on
Linux using shared memory regions, which are constrained to much smaller
than a gigabyte each).
in mp/mp_region.c:
roff_t reg_size;
/* Figure out how big each cache region is. */
reg_size = (roff_t)(dbenv->mp_gbytes / dbenv->mp_ncache) * GIGABYTE;
reg_size += ((roff_t)(dbenv->mp_gbytes %
dbenv->mp_ncache) * GIGABYTE) / dbenv->mp_ncache;
reg_size += dbenv->mp_bytes / dbenv->mp_ncache;
*reg_sizep = reg_size;
The first reg_size calculation always goes to zero when mp_ncache >
mp_gbytes.
This should have been, instead:
reg_size = GIGABYTE / dbenv->mp_ncache * dbenv->mp_gbytes;
--- mp/mp_region.c.O 2003-06-30 10:20:19.000000000 -0700
+++ mp/mp_region.c 2006-10-27 23:25:05.000000000 -0700
@@ -43,9 +43,7 @@
int htab_buckets, ret;
/* Figure out how big each cache region is. */
- reg_size = (dbenv->mp_gbytes / dbenv->mp_ncache) * GIGABYTE;
- reg_size += ((dbenv->mp_gbytes %
- dbenv->mp_ncache) * GIGABYTE) / dbenv->mp_ncache;
+ reg_size = GIGABYTE / dbenv->mp_ncache * dbenv->mp_gbytes;
reg_size += dbenv->mp_bytes / dbenv->mp_ncache;
/*
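Review bot: the replacement `reg_size = GIGABYTE / dbenv->mp_ncache * dbenv->mp_gbytes;` does cure the zero result when `mp_ncache > mp_gbytes`, but it also drops the remainder term of the original, and `GIGABYTE / mp_ncache` truncates before the multiply, so when `mp_ncache` does not divide `GIGABYTE` each region comes out short by up to `mp_gbytes` bytes. That is negligible, but a sentence in the header text saying so would stop a later reader from "restoring" the remainder term. Recording the upstream thread, Sleepycat bug #14908 and the version where it is fixed (4.5.20) in the patch file is the right way to carry a vendored fix.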

@ -1,7 +1,7 @@
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2006 The OpenLDAP Foundation.
## Copyright 1998-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without

@ -1,7 +1,7 @@
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2006 The OpenLDAP Foundation.
## Copyright 1998-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without

@ -1,7 +1,7 @@
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2006 The OpenLDAP Foundation.
## Copyright 1998-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without

@ -1,7 +1,7 @@
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2006 The OpenLDAP Foundation.
## Copyright 1998-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without

@ -1,7 +1,7 @@
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2006 The OpenLDAP Foundation.
## Copyright 1998-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without

@ -28,7 +28,7 @@
# configuration script generated by Autoconf, and is distributable
# under the same distributions terms as OpenLDAP inself.
## Copyright 1998-2006 The OpenLDAP Foundation.
## Copyright 1998-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
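Review bot: the context line `under the same distributions terms as OpenLDAP inself` has a typo (`itself`, as in the config.guess and config.sub headers earlier in this commit); since the header is being rewritten anyway, fix it in the same pass.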

@ -1,7 +1,7 @@
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2006 The OpenLDAP Foundation.
## Copyright 1998-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
@ -32,7 +32,8 @@ all-common:
-e 's%LIBDIR%$(libdir)%' \
-e 's%LIBEXECDIR%$(libexecdir)%' \
-e 's%RELEASEDATE%$(RELEASEDATE)%' \
$(srcdir)/$$page > $$page.$(TMP_SUFFIX); \
$(srcdir)/$$page \
| (cd $(srcdir); $(SOELIM) -) > $$page.$(TMP_SUFFIX); \
done
install-common:
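Review bot: piping the sed output through `(cd $(srcdir); $(SOELIM) -)` means the pipeline's exit status is soelim's alone, so a sed failure no longer stops the build the way the direct `> $$page.$(TMP_SUFFIX)` redirection did; either test each stage's status or run the recipe with `set -o pipefail` where the shell supports it. `$(SOELIM)` is introduced here and defined as `SOELIM=soelim` in a later hunk of this commit, so the variable itself is covered.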

@ -29,7 +29,7 @@
# configuration script generated by Autoconf, and is distributable
# under the same distributions terms as OpenLDAP itself.
## Copyright 1998-2006 The OpenLDAP Foundation.
## Copyright 1998-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without

@ -2,7 +2,7 @@
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2006 The OpenLDAP Foundation.
## Copyright 1998-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without

@ -1,7 +1,7 @@
#! /bin/sh
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2006 The OpenLDAP Foundation.
## Copyright 1998-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without

@ -2,7 +2,7 @@
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2006 The OpenLDAP Foundation.
## Copyright 1998-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without

@ -1,7 +1,7 @@
:: $OpenLDAP$
:: This work is part of OpenLDAP Software <http://www.openldap.org/>.
::
:: Copyright 1998-2006 The OpenLDAP Foundation.
:: Copyright 1998-2007 The OpenLDAP Foundation.
:: All rights reserved.
::
:: Redistribution and use in source and binary forms, with or without

@ -3,7 +3,7 @@
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2006 The OpenLDAP Foundation.
## Copyright 1998-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
@ -55,7 +55,7 @@ WHOWHERE="$USER@`uname -n`:`pwd`"
cat << __EOF__
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2006 The OpenLDAP Foundation.
* Copyright 1998-2007 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@ -68,7 +68,7 @@ cat << __EOF__
*/
static const char copyright[] =
"Copyright 1998-2006 The OpenLDAP Foundation. All rights reserved.\n"
"Copyright 1998-2007 The OpenLDAP Foundation. All rights reserved.\n"
"COPYING RESTRICTIONS APPLY\n";
$static $const char $SYMBOL[] =

@ -1,7 +1,7 @@
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2006 The OpenLDAP Foundation.
## Copyright 1998-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without

@ -2,7 +2,7 @@ dnl OpenLDAP Autoconf Macros
dnl $OpenLDAP$
dnl This work is part of OpenLDAP Software <http://www.openldap.org/>.
dnl
dnl Copyright 1998-2006 The OpenLDAP Foundation.
dnl Copyright 1998-2007 The OpenLDAP Foundation.
dnl All rights reserved.
dnl
dnl Redistribution and use in source and binary forms, with or without
@ -486,7 +486,12 @@ __db_version
])
if test $ol_cv_bdb_major = 4 ; then
if test $ol_cv_bdb_minor = 4 ; then
if test $ol_cv_bdb_minor = 5 ; then
OL_BERKELEY_DB_TRY(ol_cv_db_db45,[-ldb45])
OL_BERKELEY_DB_TRY(ol_cv_db_db_45,[-ldb-45])
OL_BERKELEY_DB_TRY(ol_cv_db_db_4_dot_5,[-ldb-4.5])
OL_BERKELEY_DB_TRY(ol_cv_db_db_4_5,[-ldb-4-5])
elif test $ol_cv_bdb_minor = 4 ; then
OL_BERKELEY_DB_TRY(ol_cv_db_db44,[-ldb44])
OL_BERKELEY_DB_TRY(ol_cv_db_db_44,[-ldb-44])
OL_BERKELEY_DB_TRY(ol_cv_db_db_4_dot_4,[-ldb-4.4])
@ -691,8 +696,8 @@ AC_DEFUN([OL_BDB_COMPAT],
# define DB_VERSION_MINOR 0
#endif
/* require 4.2 or later */
#if (DB_VERSION_MAJOR >= 4) && (DB_VERSION_MINOR >= 2)
/* require 4.2 or later, but exclude 4.3 */
#if (DB_VERSION_MAJOR >= 4) && (DB_VERSION_MINOR >= 2) && (DB_VERSION_MINOR !=3)
__db_version_compat
#endif
], [ol_cv_bdb_compat=yes], [ol_cv_bdb_compat=no])])
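Review bot: `(DB_VERSION_MAJOR >= 4) && (DB_VERSION_MINOR >= 2) && (DB_VERSION_MINOR !=3)` does not implement the comment "require 4.2 or later, but exclude 4.3": a future 5.0 or 5.1 has `DB_VERSION_MINOR < 2` and is rejected, and a 5.3 would be excluded by the clause meant for 4.3. Spell the intent out as `(DB_VERSION_MAJOR > 4) || (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR >= 2 && DB_VERSION_MINOR != 3)`, and put the space back in `!=3` to match the surrounding style.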

@ -1,7 +1,7 @@
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2006 The OpenLDAP Foundation.
## Copyright 1998-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without

@ -1,7 +1,7 @@
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2006 The OpenLDAP Foundation.
## Copyright 1998-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without

@ -1,7 +1,7 @@
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2006 The OpenLDAP Foundation.
## Copyright 1998-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
@ -149,6 +149,8 @@ SUBST = $(SHTOOL) subst
MANCOMPRESS=$(CAT)
MANCOMPRESSSUFFIX=
SOELIM=soelim
INCLUDEDIR= $(top_srcdir)/include
LDAP_INCPATH= -I$(LDAP_INCDIR) -I$(INCLUDEDIR)
LDAP_LIBDIR= $(top_builddir)/libraries
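Review bot: `SOELIM=soelim` is a fixed default rather than a configure-detected program, so on a system where it is installed as `gsoelim`, or not at all, the man page rule that now pipes through `$(SOELIM)` only fails deep into the build. An `AC_CHECK_PROGS([SOELIM], [soelim gsoelim], [soelim])` in configure.in would pick the installed name and let configure warn up front.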

@ -1,6 +1,6 @@
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2006 The OpenLDAP Foundation.
* Copyright 1998-2007 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@ -13,6 +13,6 @@
*/
static const char copyright[] =
"Copyright 1998-2006 The OpenLDAP Foundation. All rights reserved.\n"
"Copyright 1998-2007 The OpenLDAP Foundation. All rights reserved.\n"
"COPYING RESTRICTIONS APPLY.\n";

@ -2,7 +2,7 @@
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2006 The OpenLDAP Foundation.
## Copyright 1998-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without

@ -2,7 +2,7 @@
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2006 The OpenLDAP Foundation.
## Copyright 1998-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
@ -15,9 +15,9 @@
ol_package=OpenLDAP
ol_major=2
ol_minor=4
ol_patch=3alpha
ol_api_inc=20403
ol_patch=X
ol_api_inc=20404
ol_api_current=1
ol_api_revision=2
ol_api_revision=3
ol_api_age=1
ol_release_date="2006/08/22"
ol_release_date="2006/10/20"

@ -2,7 +2,7 @@
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2006 The OpenLDAP Foundation.
## Copyright 1998-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without

@ -2,7 +2,7 @@
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2006 The OpenLDAP Foundation.
## Copyright 1998-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without

@ -2,7 +2,7 @@
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2006 The OpenLDAP Foundation.
* Copyright 1998-2007 The OpenLDAP Foundation.
* Portions Copyright 2003 Kurt D. Zeilenga.
* Portions Copyright 2003 IBM Corporation.
* All rights reserved.
@ -32,6 +32,7 @@
#include <ac/ctype.h>
#include <ac/unistd.h>
#include <ac/errno.h>
#include <ac/time.h>
#ifdef HAVE_CYRUS_SASL
#ifdef HAVE_SASL_SASL_H
@ -52,18 +53,6 @@
#include "common.h"
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
#if !LDAP_DEPRECATED
/* Necessary for old LDAPv2 Kerberos Bind methods */
LDAP_F( int )
ldap_bind LDAP_P(( /* deprecated */
LDAP *ld,
LDAP_CONST char *who,
LDAP_CONST char *passwd,
int authmethod ));
#endif
#endif
/* input-related vars */
/* misc. parameters */
@ -125,6 +114,9 @@ static int chainingResolve = -1;
static int chainingContinuation = -1;
#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
/* options */
struct timeval nettimeout = { -1 , 0 };
typedef int (*print_ctrl_fn)( LDAP *ld, LDAPControl *ctrl );
static int print_preread( LDAP *ld, LDAPControl *ctrl );
@ -210,16 +202,18 @@ N_(" [!]preread[=<attrs>] (a comma-separated attribute list)\n")
#ifdef LDAP_DEVEL
N_(" [!]relax\n")
#endif
N_(" abandon, cancel (SIGINT sends abandon/cancel; not really controls)\n"),
N_(" abandon, cancel, ignore (SIGINT sends abandon/cancel,\n"
" or ignores response; if critical, doesn't wait for SIGINT.\n"
" not really controls)\n")
N_(" -f file read operations from `file'\n"),
N_(" -h host LDAP server\n"),
N_(" -H URI LDAP Uniform Resource Indentifier(s)\n"),
N_(" -I use SASL Interactive mode\n"),
N_(" -k use Kerberos authentication\n"),
N_(" -K like -k, but do only step 1 of the Kerberos bind\n"),
N_(" -M enable Manage DSA IT control (-MM to make critical)\n"),
N_(" -n show what would be done but don't actually do it\n"),
N_(" -O props SASL security properties\n"),
N_(" -o <opt>[=<optparam] general options\n"),
N_(" nettimeout=<timeout> (in seconds, or \"none\" or \"max\")\n"),
N_(" -p port port on LDAP server\n"),
N_(" -P version procotol version (default: 3)\n"),
N_(" -Q use SASL Quiet mode\n"),
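Review bot: the new usage line reads `-o <opt>[=<optparam]` and is missing the closing angle bracket; it should be `-o <opt>[=<optparam>]`. The replacement `abandon, cancel, ignore` block also drops the trailing comma that the removed line and every neighbouring `N_()` entry carry; adjacent string literals concatenate, so this silently merges the entry with the following `-f file` line instead of failing to compile. Restore the comma, and while in this block fix the context typos `Indentifier` and `procotol`.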
@ -510,9 +504,21 @@ tool_args( int argc, char **argv )
/* this shouldn't go here, really; but it's a feature... */
} else if ( strcasecmp( control, "abandon" ) == 0 ) {
abcan = LDAP_REQ_ABANDON;
if ( crit ) {
gotintr = abcan;
}
} else if ( strcasecmp( control, "cancel" ) == 0 ) {
abcan = LDAP_REQ_EXTENDED;
if ( crit ) {
gotintr = abcan;
}
} else if ( strcasecmp( control, "ignore" ) == 0 ) {
abcan = -1;
if ( crit ) {
gotintr = abcan;
}
} else {
fprintf( stderr, "Invalid general control name: %s\n",
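Review bot: `if ( crit ) { gotintr = abcan; }` is repeated verbatim in all three branches; set `abcan` in the branches and apply `if ( crit ) gotintr = abcan;` once after the chain. Using `-1` as the `ignore` value also overloads a sentinel that this file already uses for "unset" (`authmethod != -1`, `nettimeout.tv_sec != -1`), so a named constant would make the matching `case -1:` in tool_check_abandon self-explanatory.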
@ -557,32 +563,6 @@ tool_args( int argc, char **argv )
prog );
exit( EXIT_FAILURE );
#endif
case 'k': /* kerberos bind */
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
if( authmethod != -1 ) {
fprintf( stderr, "%s: -k incompatible with previous "
"authentication choice\n", prog );
exit( EXIT_FAILURE );
}
authmethod = LDAP_AUTH_KRBV4;
#else
fprintf( stderr, "%s: not compiled with Kerberos support\n", prog );
exit( EXIT_FAILURE );
#endif
break;
case 'K': /* kerberos bind, part one only */
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
if( authmethod != -1 ) {
fprintf( stderr, "%s: incompatible with previous "
"authentication choice\n", prog );
exit( EXIT_FAILURE );
}
authmethod = LDAP_AUTH_KRBV41;
#else
fprintf( stderr, "%s: not compiled with Kerberos support\n", prog );
exit( EXIT_FAILURE );
#endif
break;
case 'M':
/* enable Manage DSA IT */
manageDSAit++;
@ -590,6 +570,45 @@ tool_args( int argc, char **argv )
case 'n': /* print operations, don't actually do them */
dont++;
break;
case 'o':
control = ber_strdup( optarg );
if ( (cvalue = strchr( control, '=' )) != NULL ) {
*cvalue++ = '\0';
}
if ( strcasecmp( control, "nettimeout" ) == 0 ) {
if( nettimeout.tv_sec != -1 ) {
fprintf( stderr, "nettimeout option previously specified\n");
exit( EXIT_FAILURE );
}
if( cvalue == NULL || cvalue[0] == '\0' ) {
fprintf( stderr, "nettimeout: option value expected\n" );
usage();
}
if ( strcasecmp( cvalue, "none" ) == 0 ) {
nettimeout.tv_sec = 0;
} else if ( strcasecmp( cvalue, "max" ) == 0 ) {
nettimeout.tv_sec = LDAP_MAXINT;
} else {
ival = strtol( cvalue, &next, 10 );
if ( next == NULL || next[0] != '\0' ) {
fprintf( stderr,
_("Unable to parse network timeout \"%s\"\n"), cvalue );
exit( EXIT_FAILURE );
}
nettimeout.tv_sec = ival;
}
if( nettimeout.tv_sec < 0 || nettimeout.tv_sec > LDAP_MAXINT ) {
fprintf( stderr, _("%s: invalid network timeout (%ld) specified\n"),
prog, (long)nettimeout.tv_sec );
exit( EXIT_FAILURE );
}
} else {
fprintf( stderr, "Invalid general option name: %s\n",
control );
usage();
}
break;
case 'O':
#ifdef HAVE_CYRUS_SASL
if( sasl_secprops != NULL ) {
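Review bot: the `nettimeout` parser checks `next[0] != '\0'` but never `errno`, so an out-of-range value clamps to `LONG_MAX` without complaint; on a platform where `long` is 32 bits that passes the `> LDAP_MAXINT` test and silently behaves like `max`. Check `errno == ERANGE` after `strtol` and reject the value. The `ber_strdup`'d `control` is also never released on this path; add `ber_memfree( control );` before `break`.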
@ -892,15 +911,6 @@ tool_args( int argc, char **argv )
exit( EXIT_FAILURE );
}
#endif
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
} else {
if ( authmethod == LDAP_AUTH_KRBV4 || authmethod == LDAP_AUTH_KRBV41 ) {
fprintf( stderr, "%s: -k/-K incompatible with LDAPv%d\n",
prog, protocol );
exit( EXIT_FAILURE );
}
#endif
}
}
@ -989,6 +999,16 @@ tool_conn_setup( int dont, void (*private_setup)( LDAP * ) )
}
}
}
if ( nettimeout.tv_sec > 0 ) {
if ( ldap_set_option( ld, LDAP_OPT_NETWORK_TIMEOUT, (void *) &nettimeout )
!= LDAP_OPT_SUCCESS )
{
fprintf( stderr, "Could not set LDAP_OPT_NETWORK_TIMEOUT %ld\n",
(long)nettimeout.tv_sec );
exit( EXIT_FAILURE );
}
}
}
return ld;
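Review bot: the guard `nettimeout.tv_sec > 0` means `-o nettimeout=none`, which the option parser maps to `tv_sec = 0`, never reaches `ldap_set_option`, so it is indistinguishable from not passing `-o` at all. If `none` is meant to override a timeout configured elsewhere, apply it explicitly (e.g. by testing `tv_sec != -1` and passing the chosen value) instead of skipping the call.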
@ -1069,15 +1089,6 @@ tool_bind( LDAP *ld )
msgbuf[0] = 0;
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
if ( authmethod == LDAP_AUTH_KRBV4 || authmethod == LDAP_AUTH_KRBV41 ) {
msgid = ldap_bind( ld, binddn, passwd.bv_val, authmethod );
if ( msgid == -1 ) {
tool_perror( "ldap_bind", -1, NULL, NULL, NULL, NULL );
exit( LDAP_LOCAL_ERROR );
}
} else
#endif
{
/* simple bind */
rc = ldap_sasl_bind( ld, binddn, LDAP_SASL_SIMPLE, &passwd,
@ -1427,6 +1438,10 @@ tool_check_abandon( LDAP *ld, int msgid )
fprintf( stderr, "got interrupt, abandon got %d: %s\n",
rc, ldap_err2string( rc ) );
return -1;
case -1:
/* just unbind, ignoring the request */
return -1;
}
return 0;

@ -2,7 +2,7 @@
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2006 The OpenLDAP Foundation.
* Copyright 1998-2007 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@ -94,6 +94,9 @@ extern struct berval pr_cookie;
extern int chaining;
#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
/* options */
extern struct timeval nettimeout;
/* Defined in common.c, set in main() */
extern const char __Version[];

@ -2,7 +2,7 @@
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2006 The OpenLDAP Foundation.
* Copyright 1998-2007 The OpenLDAP Foundation.
* Portions Copyright 1998-2003 Kurt D. Zeilenga.
* Portions Copyright 1998-2001 Net Boolean Incorporated.
* All rights reserved.
@ -102,7 +102,7 @@ static int docompare LDAP_P((
const char options[] = "z"
"Cd:D:e:h:H:IkKMnO:p:P:QR:U:vVw:WxX:y:Y:Z";
"Cd:D:e:h:H:IMnO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
#ifdef LDAP_CONTROL_DONTUSECOPY
int dontUseCopy = 0;

@ -2,7 +2,7 @@
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2006 The OpenLDAP Foundation.
* Copyright 1998-2007 The OpenLDAP Foundation.
* Portions Copyright 1998-2003 Kurt D. Zeilenga.
* All rights reserved.
*
@ -76,7 +76,7 @@ usage( void )
const char options[] = "r"
"cd:D:e:f:h:H:IkKMnO:p:P:QR:U:vVw:WxX:y:Y:Z";
"cd:D:e:f:h:H:IMnO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
int
handle_private_option( int i )

@ -2,7 +2,7 @@
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2005-2006 The OpenLDAP Foundation.
* Copyright 2005-2007 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@ -49,7 +49,7 @@ usage( void )
const char options[] = ""
"d:D:e:h:H:InO:p:QR:U:vVw:WxX:y:Y:Z";
"d:D:e:h:H:InO:o:p:QR:U:vVw:WxX:y:Y:Z";
int
handle_private_option( int i )

File diff suppressed because it is too large

@ -2,7 +2,7 @@
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2006 The OpenLDAP Foundation.
* Copyright 1998-2007 The OpenLDAP Foundation.
* Portions Copyright 1998-2003 Kurt D. Zeilenga.
* Portions Copyright 1998-2001 Net Boolean Incorporated.
* Portions Copyright 2001-2003 IBM Corporation.
@ -91,7 +91,7 @@ usage( void )
const char options[] = "rs:"
"cd:D:e:f:h:H:IkKMnO:p:P:QR:U:vVw:WxX:y:Y:Z";
"cd:D:e:f:h:H:IMnO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
int
handle_private_option( int i )

@ -2,7 +2,7 @@
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2006 The OpenLDAP Foundation.
* Copyright 1998-2007 The OpenLDAP Foundation.
* Portions Copyright 1998-2003 Kurt D. Zeilenga.
* Portions Copyright 1998-2001 Net Boolean Incorporated.
* Portions Copyright 2001-2003 IBM Corporation.
@ -81,7 +81,7 @@ usage( void )
const char options[] = "a:As:St:T:"
"d:D:e:h:H:InO:p:QR:U:vVw:WxX:y:Y:Z";
"d:D:e:h:H:InO:o:p:QR:U:vVw:WxX:y:Y:Z";
int
handle_private_option( int i )
@ -411,6 +411,9 @@ main( int argc, char *argv[] )
ber_memfree( retoid );
ber_bvfree( retdata );
rc = ldap_search_s( ld, binddn, LDAP_SCOPE_BASE, "(objectclass=*)",
NULL, 0, &res );
rc = ( code == LDAP_SUCCESS ) ? EXIT_SUCCESS : EXIT_FAILURE;
done:

@ -2,7 +2,7 @@
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2006 The OpenLDAP Foundation.
* Copyright 1998-2007 The OpenLDAP Foundation.
* Portions Copyright 1998-2003 Kurt D. Zeilenga.
* Portions Copyright 1998-2001 Net Boolean Incorporated.
* Portions Copyright 2001-2003 IBM Corporation.
@ -249,7 +249,7 @@ urlize(char *url)
const char options[] = "a:Ab:cE:F:l:Ls:S:tT:uz:"
"Cd:D:e:f:h:H:IkKMnO:p:P:QR:U:vVw:WxX:y:Y:Z";
"Cd:D:e:f:h:H:IMnO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
int
handle_private_option( int i )
@ -920,7 +920,7 @@ getNextPage:
char *realbase = base;
if ( realbase == NULL ) {
ldap_get_option( ld, LDAP_OPT_DEFBASE, (void **)&realbase );
ldap_get_option( ld, LDAP_OPT_DEFBASE, (void **)(char *)&realbase );
}
printf( "#\n" );
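Review bot: `(void **)(char *)&realbase` is a cast chain whose only purpose is to quiet a compiler warning; `ldap_get_option` takes `void *outvalue`, so plain `&realbase` (or `(void *)&realbase`) is both correct and warning-free. The return value of `ldap_get_option` is still ignored, so confirm the code that uses `realbase` afterwards copes with it remaining NULL when no default base is configured.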
@ -1167,7 +1167,7 @@ static int dosearch(
nextended++;
print_extended( ld, msg );
if( ldap_msgid( msg ) == 0 ) {
if ( ldap_msgid( msg ) == 0 ) {
/* unsolicited extended operation */
goto done;
}

@ -2,7 +2,7 @@
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2006 The OpenLDAP Foundation.
* Copyright 1998-2007 The OpenLDAP Foundation.
* Portions Copyright 1998-2003 Kurt D. Zeilenga.
* Portions Copyright 1998-2001 Net Boolean Incorporated.
* Portions Copyright 2001-2003 IBM Corporation.
@ -62,7 +62,7 @@ usage( void )
const char options[] = ""
"d:D:e:h:H:InO:p:QR:U:vVw:WxX:y:Y:Z";
"d:D:e:h:H:InO:o:p:QR:U:vVw:WxX:y:Y:Z";
int
handle_private_option( int i )

configure vendored
File diff suppressed because it is too large

@ -1,7 +1,7 @@
dnl $OpenLDAP$
dnl This work is part of OpenLDAP Software <http://www.openldap.org/>.
dnl
dnl Copyright 1998-2006 The OpenLDAP Foundation.
dnl Copyright 1998-2007 The OpenLDAP Foundation.
dnl All rights reserved.
dnl
dnl Redistribution and use in source and binary forms, with or without
@ -23,7 +23,7 @@ define([AC_LIBTOOL_LANG_F77_CONFIG], [:])dnl
define([AC_LIBTOOL_LANG_GCJ_CONFIG], [:])dnl
dnl ================================================================
dnl Configure.in for OpenLDAP
AC_COPYRIGHT([[Copyright 1998-2006 The OpenLDAP Foundation. All rights reserved.
AC_COPYRIGHT([[Copyright 1998-2007 The OpenLDAP Foundation. All rights reserved.
Restrictions apply, see COPYRIGHT and LICENSE files.]])
AC_REVISION([$OpenLDAP$])
AC_INIT([OpenLDAP],,[http://www.openldap.org/its/])
@ -93,7 +93,7 @@ AH_TOP([
/* begin of portable.h.pre */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2006 The OpenLDAP Foundation
* Copyright 1998-2007 The OpenLDAP Foundation
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@ -230,8 +230,6 @@ OL_ARG_ENABLE(syslog,[ --enable-syslog enable syslog support], auto)dnl
OL_ARG_ENABLE(proctitle,[ --enable-proctitle enable proctitle support], yes)dnl
dnl OL_ARG_ENABLE(referrals,[ --enable-referrals enable LDAPv2+ Referrals (experimental)], no)dnl
ol_enable_referrals=${ol_enable_referrals-no}
dnl OL_ARG_ENABLE(kbind,[ --enable-kbind enable LDAPv2+ Kerberos IV bind (deprecated)], no)dnl
ol_enable_kbind=${ol_enable_kbind-no}
OL_ARG_ENABLE(ipv6,[ --enable-ipv6 enable IPv6 support], auto)dnl
OL_ARG_ENABLE(local,[ --enable-local enable AF_LOCAL (AF_UNIX) socket support], auto)dnl
@ -241,9 +239,6 @@ OL_ARG_WITH(cyrus_sasl,[ --with-cyrus-sasl with Cyrus SASL support],
auto, [auto yes no] )
OL_ARG_WITH(fetch,[ --with-fetch with fetch(3) URL support],
auto, [auto yes no] )
dnl OL_ARG_WITH(kerberos,[ --with-kerberos with Kerberos support],
dnl auto, [auto k5 k5only k425 kth k4 afs yes no])
ol_with_kerberos=${ol_with_kerberos-auto}
OL_ARG_WITH(threads,[ --with-threads with threads],
auto, [auto nt posix mach pth lwp yes no manual] )
OL_ARG_WITH(tls,[ --with-tls with TLS/SSL support],
@ -254,6 +249,9 @@ OL_ARG_WITH(yielding_select,
OL_ARG_WITH(mp,
[ --with-mp with multiple precision statistics auto|longlong|long|bignum|gmp],
auto, [auto longlong long bignum gmp yes no])
OL_ARG_WITH(odbc,
[ --with-odbc with specific ODBC support iodbc|unixodbc|auto],
auto, [auto iodbc unixodbc] )
dnl ----------------------------------------------------------------
dnl Server options
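Review bot: `--with-odbc` accepts only `[auto iodbc unixodbc]` while the neighbouring `OL_ARG_WITH` entries also list `yes no`; if `OL_ARG_WITH` validates against that list, `--without-odbc` (i.e. `--with-odbc=no`) is rejected. Add `no` to the list and to the help string so ODBC support can be disabled explicitly.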
@ -328,10 +326,8 @@ Overlays="accesslog \
auditlog \
constraint \
dds \
denyop \
dyngroup \
dynlist \
lastmod \
ppolicy \
proxycache \
refint \
@ -356,14 +352,10 @@ OL_ARG_ENABLE(constraint,[ --enable-constraint Attribute Constraint overlay
no, [no yes mod], ol_enable_overlays)
OL_ARG_ENABLE(dds,[ --enable-dds Dynamic Directory Services overlay],
no, [no yes mod], ol_enable_overlays)
OL_ARG_ENABLE(denyop,[ --enable-denyop Deny Operation overlay],
no, [no yes mod], ol_enable_overlays)
OL_ARG_ENABLE(dyngroup,[ --enable-dyngroup Dynamic Group overlay],
no, [no yes mod], ol_enable_overlays)
OL_ARG_ENABLE(dynlist,[ --enable-dynlist Dynamic List overlay],
no, [no yes mod], ol_enable_overlays)
OL_ARG_ENABLE(lastmod,[ --enable-lastmod Last Modification overlay],
no, [no yes mod], ol_enable_overlays)
OL_ARG_ENABLE(ppolicy,[ --enable-ppolicy Password Policy overlay],
no, [no yes mod], ol_enable_overlays)
OL_ARG_ENABLE(proxycache,[ --enable-proxycache Proxy Cache overlay],
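Review bot: dropping `denyop` and `lastmod` from `Overlays` and removing their `OL_ARG_ENABLE` lines is only half the job; the overlay sources, the overlays Makefile entries, the corresponding man pages and the CHANGES entry need to go in the same commit, otherwise `--enable-overlays` builds and the documentation disagree about which overlays exist.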
@ -503,22 +495,6 @@ if test $ol_enable_lmpasswd = yes ; then
fi
fi
if test $ol_enable_kbind = yes ; then
if test $ol_with_kerberos = no ; then
AC_MSG_ERROR([options require --with-kerberos])
elif test $ol_with_kerberos = auto ; then
ol_with_kerberos=yes
fi
elif test $ol_enable_kbind = no ; then
if test $ol_with_kerberos = auto ; then
ol_with_kerberos=no
elif test $ol_with_kerberos != no ; then
AC_MSG_WARN([Kerberos detection enabled unnecessarily]);
ol_with_kerberos=no
fi
fi
if test $ol_enable_spasswd = yes ; then
if test $ol_with_cyrus_sasl = no ; then
AC_MSG_ERROR([options require --with-cyrus-sasl])
@ -1121,174 +1097,6 @@ if test $ol_enable_local != no ; then
fi
fi
dnl ----------------------------------------------------------------
dnl Kerberos
ol_link_kbind=no
ol_link_krb5=no
ol_link_krb4=no
case $ol_with_kerberos in yes | auto | k5 | k5only | k425)
AC_CHECK_HEADERS(krb5.h)
if test $ac_cv_header_krb5_h = yes ; then
dnl lazy check for Heimdal Kerberos
AC_CHECK_HEADERS(heim_err.h)
if test $ac_cv_header_heim_err_h = yes ; then
krb5_impl=heimdal
else
krb5_impl=mit
fi
if test $krb5_impl = mit; then
AC_CHECK_LIB(k5crypto, main,
[krb5crypto=k5crypto],
[krb5crypto=crypto])
AC_CHECK_LIB(krb5, main,
[have_krb5=yes
KRB5_LIBS="-lkrb5 -l$krb5crypto -lcom_err"],
[have_krb5=no],
[-l$krb5crypto -lcom_err])
elif test $krb5_impl = heimdal; then
AC_CHECK_LIB(des, main,
[krb5crypto=des],
[krb5crypto=crypto])
AC_CHECK_LIB(krb5, main,
[have_krb5=yes
KRB5_LIBS="-lkrb5 -l$krb5crypto -lasn1 -lroken -lcom_err"],
[have_krb5=no],
[-l$krb5crypto -lasn1 -lroken -lcom_err])
AC_DEFINE(HAVE_HEIMDAL_KERBEROS, 1,
[define if you have HEIMDAL Kerberos])
else
have_krb5=no
AC_MSG_WARN([Unrecognized Kerberos5 Implementation])
fi
if test $have_krb5 = yes ; then
ol_link_krb5=yes
AC_DEFINE(HAVE_KRB5, 1,
[define if you have Kerberos V])
if test $ol_with_kerberos = k5only ; then
ol_with_kerberos=found
fi
elif test $ol_with_kerberos != auto ; then
AC_MSG_ERROR([Required Kerberos 5 support not available])
fi
fi
;;
esac
if test $ol_link_krb5 = yes &&
{ test $ol_with_kerberos = yes ||
test $ol_with_kerberos = auto ||
test $ol_with_kerberos = k425; }; then
AC_CHECK_HEADERS(kerberosIV/krb.h kerberosIV/des.h)
if test $ac_cv_header_kerberosIV_krb_h = yes ; then
if test $krb5_impl = mit; then
AC_CHECK_LIB(krb4, main, [have_k425=yes
KRB4_LIBS="-lkrb4 -ldes425"], [have_k425=no],
[-ldes425 -lkrb5 -l$krb5crypto -lcom_err])
elif test $krb5_impl = heimdal; then
AC_CHECK_LIB(krb4, main, [have_k425=yes
KRB4_LIBS="-lkrb4"], [have_k425=no],
[-lkrb5 -l$krb5crypto -lasn1 -lroken -lcom_err])
else
have_425=no
AC_MSG_WARN([Unrecongized Kerberos V Implementation])
fi
if test $have_k425 = yes ; then
ol_with_kerberos=found
ol_link_krb4=yes
AC_DEFINE(HAVE_KRB425, 1,
[define if you have Kerberos V with IV support])
AC_DEFINE(HAVE_KRB4, 1,
[define if you have Kerberos IV])
AC_CACHE_CHECK([for des_debug in Kerberos libraries],
[ol_cv_var_des_debug], [
dnl save the flags
save_LIBS="$LIBS"
LIBS="$KRB4_LIBS $KRB5_LIBS $LIBS"
AC_LINK_IFELSE([AC_LANG_PROGRAM([[
#include <kerberosIV/krb.h>
#include <kerberosIV/des.h>
extern int des_debug;
]], [[
des_debug = 1;
]])],[ol_cv_var_des_debug=yes],[ol_cv_var_des_debug=no])
dnl restore the LIBS
LIBS="$save_LIBS"
])
if test $ol_cv_var_des_debug = yes ; then
AC_DEFINE(HAVE_DES_DEBUG,1,
[define if you have Kerberos des_debug])
fi
LIBS="$save_LIBS"
fi
fi
fi
if test $ol_link_krb5 = yes ; then
ol_with_kerberos=found
fi
case $ol_with_kerberos in yes | auto | k4 | kth)
AC_CHECK_HEADERS(krb.h des.h krb-archaeology.h )
if test $ac_cv_header_krb_h = yes ; then
AC_CHECK_LIB(krb, main, [have_k4=yes], [have_k4=no], [-ldes])
if test $have_k4 = yes ; then
ol_with_kerberos=found
ol_link_krb4=yes
AC_DEFINE(HAVE_KRB4, 1,
[define if you have Kerberos IV])
KRB4_LIBS="-lkrb -ldes"
if test $ac_cv_header_krb_archaeology_h = yes ; then
AC_DEFINE(HAVE_KTH_KERBEROS, 1,
[define if you have Kth Kerberos])
fi
fi
fi
;;
esac
if test $ol_link_krb4 = yes && test $ol_enable_kbind != no ; then
ol_link_kbind=yes
elif test $ol_enable_kbind = yes ; then
AC_MSG_ERROR([Kerberos IV detection failed])
fi
if test $ol_link_krb4 = yes || test $ol_link_krb5 = yes ; then
AC_DEFINE(HAVE_KERBEROS, 1, [define if you have Kerberos])
elif test $ol_with_kerberos != auto && test $ol_with_kerberos != no ; then
AC_MSG_ERROR([Kerberos detection failed])
fi
dnl ----------------------------------------------------------------
dnl TLS/SSL
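Review bot: deleting the whole Kerberos IV / KRB425 / KTH detection block also retires `ol_link_krb4`, `ol_link_kbind`, `KRB4_LIBS`, `HAVE_KRB4`, `HAVE_KRB425`, `HAVE_KTH_KERBEROS` and `HAVE_DES_DEBUG`; every remaining consumer of those symbols and the `--with-kerberos=k4|k425|kth` and `--enable-kbind` option parsing need to go in the same change, otherwise configure can still reach a `test $ol_link_kbind` with an unset variable. For the record, the removed code carried two latent defects that are now moot: the Heimdal/MIT fallthrough set `have_425=no` instead of `have_k425=no`, and the unconditional `LIBS="$save_LIBS"` after the `des_debug` cache check clobbered `LIBS` with an empty value whenever the cached result skipped the block that sets `save_LIBS`.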
@ -1518,7 +1326,22 @@ dnl [ol_cv_pthread_lpthread_lexc])
fi
dnl Check functions for compatibility
AC_CHECK_FUNCS(pthread_kill pthread_rwlock_destroy)
AC_CHECK_FUNCS(pthread_kill)
dnl Check for pthread_rwlock_destroy with <pthread.h>
dnl as pthread_rwlock_t may not be defined.
AC_CACHE_CHECK([for pthread_rwlock_destroy with <pthread.h>],
[ol_cv_func_pthread_rwlock_destroy], [
dnl save the flags
AC_LINK_IFELSE([AC_LANG_PROGRAM([[
#include <pthread.h>
pthread_rwlock_t rwlock;
]], [[pthread_rwlock_destroy(&rwlock);]])],[ol_cv_func_pthread_rwlock_destroy=yes],[ol_cv_func_pthread_rwlock_destroy=no])
])
if test $ol_cv_func_pthread_rwlock_destroy = yes ; then
AC_DEFINE(HAVE_PTHREAD_RWLOCK_DESTROY,1,
[define if you have pthread_rwlock_destroy function])
fi
dnl Check for pthread_detach with <pthread.h> inclusion
dnl as it's symbol may have been mangled.
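Review bot: the `dnl save the flags` comment inside the new `ol_cv_func_pthread_rwlock_destroy` check is stale, since unlike the other link tests nothing here saves or restores `LIBS`; either drop the comment or add the `save_LIBS`/`LIBS="..."` bracketing if the rwlock symbol may live in the thread library being probed. The replacement itself is sound: compiling against `<pthread.h>` with a real `pthread_rwlock_t` catches the case the old `AC_CHECK_FUNCS` missed (symbol present, type not declared), and the define name `HAVE_PTHREAD_RWLOCK_DESTROY` is unchanged, so no consumer needs editing.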
@ -2071,16 +1894,34 @@ if test $ol_enable_sql != no ; then
sql_LIBS="$LIBS"
LIBS="$LTHREAD_LIBS"
AC_CHECK_LIB(iodbc,SQLDriverConnect,[have_iodbc=yes],[have_iodbc=no])
if test $have_iodbc = yes ; then
ol_link_sql="-liodbc"
else
AC_CHECK_LIB(odbc,SQLDriverConnect,[have_odbc=yes],[have_odbc=no])
if test $have_odbc = yes ; then
ol_link_sql="-lodbc"
fi
if test $ol_with_odbc = auto ; then
ol_with_odbc="iodbc unixodbc"
fi
for odbc in $ol_with_odbc ; do
if test $ol_link_sql = no ; then
case $odbc in
iodbc)
AC_CHECK_LIB(iodbc, SQLDriverConnect, [have_iodbc=yes], [have_iodbc=no])
if test $have_iodbc = yes ; then
ol_link_sql="-liodbc"
fi
;;
unixodbc)
AC_CHECK_LIB(odbc, SQLDriverConnect, [have_odbc=yes], [have_odbc=no])
if test $have_odbc = yes ; then
ol_link_sql="-lodbc"
fi
;;
*)
AC_MSG_ERROR([unknown ODBC library])
;;
esac
fi
done
LIBS="$sql_LIBS"
if test $ol_link_sql != no ; then
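Review bot: the loop relies on `ol_link_sql` being exactly `no` on entry (`if test $ol_link_sql = no`), and that initialisation is outside this hunk, so please confirm it. Two small points: the `*)` branch should name the offending value, e.g. `AC_MSG_ERROR([unknown ODBC library $odbc])`, so a typo in `--with-odbc=` is diagnosable; and when the user lists libraries explicitly and none of them link, the loop falls through with `ol_link_sql` still `no`, so the `if test $ol_link_sql != no` check below must turn an explicit request into a hard error rather than silently building without SQL.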
@ -2526,10 +2367,6 @@ if test "$ol_enable_syslog" = yes ; then
AC_DEFINE(LDAP_SYSLOG,1,
[define this to add syslog code])
fi
if test "$ol_link_kbind" != no ; then
AC_DEFINE(LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND,LDAP_VENDOR_VERSION,
[define to LDAP VENDOR VERSION])
fi
if test "$ol_enable_proctitle" != no ; then
AC_DEFINE(LDAP_PROCTITLE,1,
[define this for LDAP process title support])
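Review bot: dropping the `LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND` define is consistent with the `ol_link_kbind` logic removed earlier in this configure diff, but the public feature header that carries this macro and any `#ifdef` guarded by it must be removed in the same change; otherwise the feature macro silently vanishes from the installed header and downstream code compiles out without notice.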
@ -2795,18 +2632,6 @@ if test "$ol_enable_dds" != no ; then
AC_DEFINE_UNQUOTED(SLAPD_OVER_DDS,$MFLAG,[define for Dynamic Directory Services overlay])
fi
if test "$ol_enable_denyop" != no ; then
BUILD_DENYOP=$ol_enable_denyop
if test "$ol_enable_denyop" = mod ; then
MFLAG=SLAPD_MOD_DYNAMIC
SLAPD_DYNAMIC_OVERLAYS="$SLAPD_DYNAMIC_OVERLAYS denyop.la"
else
MFLAG=SLAPD_MOD_STATIC
SLAPD_STATIC_OVERLAYS="$SLAPD_STATIC_OVERLAYS denyop.o"
fi
AC_DEFINE_UNQUOTED(SLAPD_OVER_DENYOP,$MFLAG,[define for Deny Operation overlay])
fi
if test "$ol_enable_dyngroup" != no ; then
BUILD_DYNGROUP=$ol_enable_dyngroup
if test "$ol_enable_dyngroup" = mod ; then
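Review bot: with the denyop overlay removed from configure, `$ol_enable_denyop`, `BUILD_DENYOP`, `SLAPD_OVER_DENYOP` and the `denyop.la`/`denyop.o` targets become dead; the `--enable-denyop` option, the overlays table generated into `$OVERLAYSC` below, and the Makefile entries should be removed in step. Note that this same commit still touches `denyop.c` for a copyright bump, so either the file is moving out of the built tree or the removal is incomplete; the commit message should say which.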
@ -2831,18 +2656,6 @@ if test "$ol_enable_dynlist" != no ; then
AC_DEFINE_UNQUOTED(SLAPD_OVER_DYNLIST,$MFLAG,[define for Dynamic List overlay])
fi
if test "$ol_enable_lastmod" != no ; then
BUILD_LASTMOD=$ol_enable_lastmod
if test "$ol_enable_lastmod" = mod ; then
MFLAG=SLAPD_MOD_DYNAMIC
SLAPD_DYNAMIC_OVERLAYS="$SLAPD_DYNAMIC_OVERLAYS lastmod.la"
else
MFLAG=SLAPD_MOD_STATIC
SLAPD_STATIC_OVERLAYS="$SLAPD_STATIC_OVERLAYS lastmod.o"
fi
AC_DEFINE_UNQUOTED(SLAPD_OVER_LASTMOD,$MFLAG,[define for Last Modification overlay])
fi
if test "$ol_enable_ppolicy" != no ; then
BUILD_PPOLICY=$ol_enable_ppolicy
if test "$ol_enable_ppolicy" = mod ; then
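Review bot: same concern as for denyop: `BUILD_LASTMOD`, `SLAPD_OVER_LASTMOD` and the `lastmod.la`/`lastmod.o` targets are now unreachable, yet `lastmod.c` and `slapo-lastmod.5` are still edited elsewhere in this commit. If the overlay is being relocated rather than dropped, the option parsing and the overlays table should follow it, and the man page should no longer be installed from the main tree.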
@ -3139,7 +2952,7 @@ rm -f $BACKENDSC
cat > $BACKENDSC << ENDX
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2006 The OpenLDAP Foundation.
* Copyright 1998-2007 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@ -3190,7 +3003,7 @@ rm -f $OVERLAYSC
cat > $OVERLAYSC << ENDX
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2006 The OpenLDAP Foundation.
* Copyright 1998-2007 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without

View file

@ -1,4 +1,4 @@
Copyright 1998-2006 The OpenLDAP Foundation
Copyright 1998-2007 The OpenLDAP Foundation
All rights reserved.
Redistribution and use in source and binary forms, with or without

View file

@ -15,6 +15,7 @@ LDAPAttrType::LDAPAttrType(){
desc = string ();
names = StringList ();
single = false;
usage = 0;
}
LDAPAttrType::LDAPAttrType (const LDAPAttrType &at){
@ -25,6 +26,7 @@ LDAPAttrType::LDAPAttrType (const LDAPAttrType &at){
desc = at.desc;
names = at.names;
single = at.single;
usage = at.usage;
}
LDAPAttrType::LDAPAttrType (string at_item) {
@ -38,10 +40,11 @@ LDAPAttrType::LDAPAttrType (string at_item) {
a = ldap_str2attributetype (at_item.c_str(), &ret, &errp,SCHEMA_PARSE_FLAG);
if (a) {
this->setNames (a->at_names);
this->setDesc (a->at_desc);
this->setOid (a->at_oid);
this->setSingle (a->at_single_value);
this->setNames( a->at_names );
this->setDesc( a->at_desc );
this->setOid( a->at_oid );
this->setSingle( a->at_single_value );
this->setUsage( a->at_usage );
}
// else? -> error
}
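Review bot: four of the five `this->set...` lines change only whitespace; leaving them untouched would reduce this hunk to the single functional line `this->setUsage( a->at_usage );` and make the change easier to audit. Separately, the `// else? -> error` branch still swallows a failed `ldap_str2attributetype` call, so after a parse failure `usage` keeps its default of 0 and a caller cannot distinguish "parse failed" from "userApplications"; the constructor should surface `ret`/`errp` instead of ignoring them.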
@ -70,6 +73,10 @@ void LDAPAttrType::setOid (char *at_oid) {
oid = at_oid;
}
void LDAPAttrType::setUsage (int at_usage) {
usage = at_usage;
}
bool LDAPAttrType::isSingle () {
return single;
}
@ -93,3 +100,7 @@ string LDAPAttrType::getName () {
else
return *(names.begin());
}
int LDAPAttrType::getUsage () {
return usage;
}

View file

@ -24,6 +24,7 @@ class LDAPAttrType{
StringList names;
string desc, oid;
bool single;
int usage;
public :
@ -74,15 +75,22 @@ class LDAPAttrType{
StringList getNames();
/**
* Returns true if attribute type hllows only single value
* Returns true if attribute type allows only single value
*/
bool isSingle();
/**
* Return the 'usage' value:
* (0=userApplications, 1=directoryOperation, 2=distributedOperation,
* 3=dSAOperation)
*/
int getUsage ();
void setNames (char **at_names);
void setDesc (char *at_desc);
void setOid (char *at_oid);
void setSingle (int at_single_value);
void setUsage (int at_usage );
};
#endif // LDAP_ATTRTYPE_H
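Review bot: the `getUsage()` comment documents the usage as bare integers 0..3, but `at_usage` comes straight from `ldap_str2attributetype`, so the comment should reference the `LDAP_SCHEMA_USER_APPLICATIONS` / `LDAP_SCHEMA_DIRECTORY_OPERATION` / `LDAP_SCHEMA_DISTRIBUTED_OPERATION` / `LDAP_SCHEMA_DSA_OPERATION` constants from `ldap_schema.h` rather than restate their values, so the two cannot drift apart. The new `int usage;` member is initialised in both constructors in the .cpp hunks, which is correct; the "hllows" typo fix is welcome.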

View file

@ -32,9 +32,9 @@ LDAPException::LDAPException(const LDAPAsynConnection *lc){
const char* err_string;
ldap_get_option(l,LDAP_OPT_DIAGNOSTIC_MESSAGE,&err_string);
if ( err_string ) {
m_res_string = string(err_string);
m_err_string = string(err_string);
} else {
m_res_string = "";
m_err_string = "";
}
}
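Review bot: the rename to `m_err_string` suggests the accessor and the rest of the class already use that name; please confirm no `m_res_string` member is left behind, since a second, never-set member would hide the bug rather than fix it. While these lines are being touched: `ldap_get_option()` with `LDAP_OPT_DIAGNOSTIC_MESSAGE` returns a freshly allocated copy that the caller must release with `ldap_memfree()`, so `err_string` is leaked after it has been copied into the `std::string`; it should also be declared `char *` (the option writes through a `void *`) rather than `const char *`.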

View file

@ -1,7 +1,7 @@
/* Generic time.h */
/* $OpenLDAP$ */
/*
* Copyright 1998-2006 The OpenLDAP Foundation, Redwood City, California, USA
* Copyright 1998-2007 The OpenLDAP Foundation, Redwood City, California, USA
* All rights reserved.
*
* Redistribution and use in source and binary forms are permitted only

View file

@ -1,4 +1,4 @@
Copyright 2005-2006 The OpenLDAP Foundation. All rights reserved.
Copyright 2005-2007 The OpenLDAP Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP

View file

@ -1,6 +1,6 @@
/* $OpenLDAP$ */
/*
* Copyright 1998-2006 The OpenLDAP Foundation.
* Copyright 1998-2007 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@ -283,7 +283,7 @@ cleanup:;
if ( user != NULL && user != target ) {
op->o_bd = user_be;
be_entry_release_r( op, group );
be_entry_release_r( op, user );
op->o_bd = be;
}
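Review bot: the old line released `group` here instead of `user`, so on this path the `user` entry was never released (leaking its reference) while `group` was released under `user_be`, which may not even be the group's backend; the fix is right. Please verify that `group` is still released exactly once in the preceding cleanup branch (outside this hunk) with `op->o_bd` pointed at the group's own backend, since the `op->o_bd` swap around the call exists precisely because the two backends can differ.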

View file

@ -1,4 +1,4 @@
Copyright 2004-2006 The OpenLDAP Foundation. All rights reserved.
Copyright 2004-2007 The OpenLDAP Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP

View file

@ -2,7 +2,7 @@
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2005-2006 The OpenLDAP Foundation.
* Copyright 2005-2007 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without

View file

@ -1,5 +1,5 @@
.TH SLAPO-ALLOP 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 2005-2006 The OpenLDAP Foundation All Rights Reserved.
.\" Copyright 2005-2007 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME

View file

@ -1,7 +1,7 @@
# $OpenLDAP$
# This work is part of OpenLDAP Software <http://www.openldap.org/>.
#
# Copyright 2003-2006 The OpenLDAP Foundation.
# Copyright 2003-2007 The OpenLDAP Foundation.
# Portions Copyright 2004 by IBM Corporation.
# All rights reserved.

View file

@ -1,7 +1,8 @@
/* denyop.c - Denies operations */
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2004-2006 The OpenLDAP Foundation.
* Copyright 2004-2007 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without

View file

@ -1,4 +1,4 @@
Copyright 2004-2006 The OpenLDAP Foundation. All rights reserved.
Copyright 2004-2007 The OpenLDAP Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP

View file

@ -1,6 +1,6 @@
/* $OpenLDAP$ */
/*
* Copyright 2004-2006 The OpenLDAP Foundation.
* Copyright 2004-2007 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without

View file

@ -1,7 +1,8 @@
/* lastmod.c - returns last modification info */
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2004-2006 The OpenLDAP Foundation.
* Copyright 2004-2007 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@ -563,7 +564,7 @@ lastmod_update( Operation *op, SlapReply *rs )
int rc;
op->o_bd->bd_info = (BackendInfo *)on->on_info->oi_orig;
rc = (*op->o_bd->bd_info->bi_entry_get_rw)( op, &bv_name, NULL, NULL, 0, &e );
rc = op->o_bd->bd_info->bi_entry_get_rw( op, &bv_name, NULL, NULL, 0, &e );
if ( rc == LDAP_SUCCESS ) {
a = attr_find( e->e_attrs, slap_schema.si_ad_modifiersName );
if ( a != NULL ) {
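Review bot: `(*fp)( args )` and `fp( args )` are equivalent for a function pointer, so this hunk and the matching `bi_entry_release_rw` hunk below are style-only and change no behaviour; that is fine, but since this same commit removes the lastmod overlay from configure (the `SLAPD_OVER_LASTMOD` block), cosmetic edits here imply the file lives on somewhere else, and the commit message should record where.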
@ -592,7 +593,7 @@ lastmod_update( Operation *op, SlapReply *rs )
assert( dn_match( &bv_name, &e->e_name ) );
assert( dn_match( &bv_nname, &e->e_nname ) );
(*op->o_bd->bd_info->bi_entry_release_rw)( op, e, 0 );
op->o_bd->bd_info->bi_entry_release_rw( op, e, 0 );
}
op->o_bd->bd_info = bi;

View file

@ -1,4 +1,4 @@
.\" Copyright 2004-2006 The OpenLDAP Foundation All Rights Reserved.
.\" Copyright 2004-2007 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.TH SLAPO_LASTMOD 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.SH NAME

View file

@ -1,4 +1,4 @@
Copyright 2004-2006 The OpenLDAP Foundation. All rights reserved.
Copyright 2004-2007 The OpenLDAP Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP

View file

@ -1,6 +1,6 @@
/* $OpenLDAP$ */
/*
* Copyright 1998-2006 The OpenLDAP Foundation.
* Copyright 1998-2007 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without

View file

@ -1,6 +1,6 @@
/* $OpenLDAP$ */
/*
* Copyright 1998-2006 The OpenLDAP Foundation.
* Copyright 1998-2007 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without

View file

@ -1,6 +1,6 @@
/* $OpenLDAP$ */
/*
* Copyright 1998-2006 The OpenLDAP Foundation.
* Copyright 1998-2007 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without

View file

@ -880,20 +880,32 @@ smbk5pwd_modules_init( smbk5pwd_t *pi )
ret = krb5_init_context(&context);
if (ret) {
Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
"unable to initialize krb5 context.\n",
0, 0, 0 );
"unable to initialize krb5 context (%d).\n",
ret, 0, 0 );
oc_krb5KDCEntry = NULL;
return -1;
}
/* FIXME: check return code? */
ret = kadm5_s_init_with_password_ctx( context,
KADM5_ADMIN_SERVICE,
NULL,
KADM5_ADMIN_SERVICE,
&conf, 0, 0, &kadm_context );
if (ret) {
char *err_str, *err_msg = "<unknown error>";
err_str = krb5_get_error_string( context );
if (!err_str)
err_msg = krb5_get_err_text( context, ret );
Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
"unable to initialize krb5 admin context: %s (%d).\n",
err_str ? err_str : err_msg, ret, 0 );
if (err_str)
krb5_free_error_string( context, err_str );
krb5_free_context( context );
oc_krb5KDCEntry = NULL;
return -1;
}
/* FIXME: check return code? */
db = _kadm5_s_get_db( kadm_context );
}
#endif /* DO_KRB5 */
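Review bot: checking `kadm5_s_init_with_password_ctx` and logging the Heimdal error string is a clear improvement, but the `/* FIXME: check return code? */` left in front of `_kadm5_s_get_db()` is the remaining gap: nothing in this hunk tests `db`, and a NULL handle there will fault later at first use. Test it and take the same cleanup path (`krb5_free_context`, `oc_krb5KDCEntry = NULL`, `return -1`), and on that path also release `kadm_context` with `kadm5_destroy()`, which the new error branch does not need but this one would. Minor: `err_msg` should be `const char *`, since `krb5_get_err_text()` returns a const string.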

View file

@ -2,7 +2,7 @@
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2006 The OpenLDAP Foundation.
* Copyright 2006-2007 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without

View file

@ -1,4 +1,4 @@
Copyright 2004-2006 The OpenLDAP Foundation. All rights reserved.
Copyright 2004-2007 The OpenLDAP Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP

View file

@ -1,4 +1,4 @@
Copyright 2003-2006 The OpenLDAP Foundation. All rights reserved.
Copyright 2003-2007 The OpenLDAP Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP

View file

@ -2,7 +2,7 @@
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2006 The OpenLDAP Foundation.
## Copyright 1998-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without

View file

@ -1,15 +1,15 @@
Tools ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
ldapcompare * DE**HI*K M*OPQR UVWXYZ de *h**k *n*p* vwxyz
ldapdelete *CDE**HI*K M*OPQR UVWXYZ cdef*h**k *n*p* vwxy
ldapmodify *CDE**HI*K M*OPQRS UVWXYZabcde *h**k *n*p*r t vwxy
ldapmodrdn *CDE**HI*K M*OPQR UVWXYZ cdef*h**k *n*p*rs vwxy
ldappasswd A*CDE**HI* *O QRS UVWXYZa def*h** * * * s vwxy
ldapsearch A*CDE**HI*KLM*OPQRSTUVWXYZab def*h**kl*n*p* stuvwxyz
ldapwhoami * DE**HI* *O QR UVWXYZ def*h** *n*p* vwxy
ldapcompare * DE**HI*K M*OPQR UVWXYZ de *h**k *nop* vwxyz
ldapdelete *CDE**HI*K M*OPQR UVWXYZ cdef*h**k *nop* vwxy
ldapmodify *CDE**HI*K M*OPQRS UVWXYZabcde *h**k *nop*r t vwxy
ldapmodrdn *CDE**HI*K M*OPQR UVWXYZ cdef*h**k *nop*rs vwxy
ldappasswd A*CDE**HI* *O QRS UVWXYZa def*h** * o * s vwxy
ldapsearch A*CDE**HI*KLM*OPQRSTUVWXYZab def*h**kl*nop* stuvwxyz
ldapwhoami * DE**HI* *O QR UVWXYZ def*h** *nop* vwxy
* reserved
BFGJgijmoq01235789
BFGJgijmq01235789
* General flags:
-C Chase Referrals
@ -25,6 +25,7 @@ ldapwhoami * DE**HI* *O QR UVWXYZ def*h** *n*p* vwxy
-h host
-n no-op
-N no (SASLprep) normalization of simple bind password
-o general connection options (currently nettimeout only)
-p port
-v verbose
-V version

View file

@ -1,4 +1,4 @@
Copyright 1998-2006 The OpenLDAP Foundation
Copyright 1998-2007 The OpenLDAP Foundation
All rights reserved.
Redistribution and use in source and binary forms, with or without

View file

@ -2,7 +2,7 @@
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 2005-2006 The OpenLDAP Foundation.
## Copyright 2005-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
@ -20,6 +20,7 @@ sdf-src: \
abstract.sdf \
config.sdf \
dbtools.sdf \
glossary.sdf \
guide.sdf \
install.sdf \
intro.sdf \

View file

@ -1,5 +1,5 @@
# $OpenLDAP$
# Copyright 1999-2006 The OpenLDAP Foundation, All Rights Reserved.
# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
#
# OpenLDAP Administrator's Guide: Abstract

View file

@ -1,12 +1,10 @@
# $OpenLDAP$
# Copyright 1999-2006 The OpenLDAP Foundation, All Rights Reserved.
# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
#
# guide.sdf
#
!define DOC_TOC 0
!macro build_html_cover
!endmacro

View file

@ -1,20 +1,21 @@
# $OpenLDAP$
# Copyright 1999-2006 The OpenLDAP Foundation, All Rights Reserved.
# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: The Big Picture - Configuration Choices
This section gives a brief overview of various {{TERM:LDAP}} directory
configurations, and how your stand-alone LDAP server {{slapd}}(8)
configurations, and how your Standalone LDAP Daemon {{slapd}}(8)
fits in with the rest of the world.
H2: Local Directory Service
In this configuration, you run a {{slapd}} which provides directory
service for your local domain only. It does not interact with other
directory servers in any way. This configuration is shown in Figure 3.1.
In this configuration, you run a {{slapd}}(8) instance which provides
directory service for your local domain only. It does not interact
with other directory servers in any way. This configuration is shown
in Figure 3.1.
!import "config_local.gif"; align="center"; title="Local service via slapd configuration"
!import "config_local.gif"; align="center"; title="Local service via slapd(8) configuration"
FT[align="Center"] Figure 3.1: Local service configuration.
Use this configuration if you are just starting out (it's the one the
@ -25,31 +26,35 @@ It's easy to upgrade to another configuration later if you want.
H2: Local Directory Service with Referrals
In this configuration, you run a slapd which provides directory service
for your local domain and configure it to return referrals to a
{{superior}} service capable of handling requests outside your local domain.
You may run this service yourself or use one provided to you.
In this configuration, you run a {{slapd}}(8) instance which provides
directory service for your local domain and configure it to return
referrals to other servers capable of handling requests. You may
run this service (or services) yourself or use one provided to you.
This configuration is shown in Figure 3.2.
!import "config_ref.gif"; align="center"; title="Local service with referrals"
FT[align="Center"] Figure 3.2: Local service with referrals
Use this configuration if you want to provide local service and
participate in the Global Directory.
Use this configuration if you want to provide local service and
participate in the Global Directory, or you want to delegate
responsibility for {{subordinate}} entries to another server.
H2: Replicated Directory Service
The slurpd daemon is used to propagate changes from a master slapd
to one or more slave slapds. An example master-slave configuration
is shown in figure 3.3.
slapd(8) includes support for {{LDAP Sync}}-based replication, called
{{syncrepl}}, which may be used to maintain shadow copies of directory
information on multiple directory servers. In its most basic
configuration, the {{master}} is a syncrepl provider and one or more
{{slave}} (or {{shadow}}) are syncrepl consumers. An example
master-slave configuration is shown in figure 3.3.
!import "config_repl.gif"; align="center"; title="Replicated Directory Services"
FT[align="Center"] Figure 3.3: Replicated Directory Services
This configuration can be used in conjunction with either of the first
two configurations in situations where a single slapd does not
provide the required reliability or availability.
This configuration can be used in conjunction with either of the
first two configurations in situations where a single {{slapd}}(8)
instance does not provide the required reliability or availability.
H2: Distributed Local Directory Service
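Review bot: in the new replication paragraph, the opening `slapd(8)` is unmarked while every other occurrence in this file uses `{{slapd}}(8)`; and "one or more {{slave}} (or {{shadow}}) are syncrepl consumers" needs a plural noun, e.g. "one or more {{slaves}} (or {{shadows}}) are syncrepl consumers". Otherwise the move from slurpd to syncrepl wording is consistent with the install.sdf hunk that drops `{{slurpd}}(8)`.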

Binary file not shown.


View file

@ -1,5 +1,5 @@
# $OpenLDAP$
# Copyright 1999-2006 The OpenLDAP Foundation, All Rights Reserved.
# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: Database Creation and Maintenance Tools
@ -7,7 +7,7 @@ H1: Database Creation and Maintenance Tools
This section tells you how to create a slapd database from scratch,
and how to do trouble shooting if you run into problems. There are
two ways to create a database. First, you can create the database
on-line using LDAP. With this method, you simply start up slapd
on-line using {{TERM:LDAP}}. With this method, you simply start up slapd
and add entries using the LDAP client of your choice. This method
is fine for relatively small databases (a few hundred or thousand
entries, depending on your requirements). This method works for

View file

@ -0,0 +1,16 @@
# $OpenLDAP$
# Copyright 2006-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: Glossary
H2: Terms
!catalog terms ''; headings; columns="Term,Definition"
H2: Related Organizations
!catalog organisations ''; headings; columns="ORG:Name,Long,URL:Jump"
H2: Related Products
!catalog products ''; headings; columns="PRD:Name,URL:Jump"
H2: References
!catalog references ''; headings; columns="REF:Reference,Document,Status,URL:Jump"

View file

@ -1,5 +1,5 @@
# $OpenLDAP$
# Copyright 1999-2006 The OpenLDAP Foundation, All Rights Reserved.
# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
#
# guide.sdf

View file

@ -1,5 +1,5 @@
# $OpenLDAP$
# Copyright 1999-2006 The OpenLDAP Foundation, All Rights Reserved.
# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
#
# index.sdf

View file

@ -1,16 +1,15 @@
# $OpenLDAP$
# Copyright 1999-2006 The OpenLDAP Foundation, All Rights Reserved.
# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: Building and Installing OpenLDAP Software
This chapter details how to build and install the {{ORG:OpenLDAP}}
Software package including {{slapd}}(8), the stand-alone LDAP daemon
and {{slurpd}}(8), the stand-alone update replication daemon.
Building and installing OpenLDAP Software requires several steps:
installing prerequisite software, configuring OpenLDAP Software
itself, making, and finally installing. The following sections
describe this process in detail.
This chapter details how to build and install the {{PRD:OpenLDAP}}
Software package including {{slapd}}(8), the Standalone {{TERM:LDAP}}
Daemon. Building and installing OpenLDAP Software requires several
steps: installing prerequisite software, configuring OpenLDAP
Software itself, making, and finally installing. The following
sections describe this process in detail.
H2: Obtaining and Extracting the Software
@ -76,27 +75,10 @@ OpenLDAP Software will not be fully LDAPv3 compliant unless OpenLDAP's
{{EX:configure}} detects a usable OpenSSL installation.
H3: Kerberos Authentication Services
OpenLDAP clients and servers support Kerberos-based authentication
services.
In particular, OpenLDAP supports the {{TERM:SASL}}/{{TERM:GSSAPI}}
authentication mechanism using either {{PRD:Heimdal}} or
{{PRD:MIT Kerberos}} V packages.
If you desire to use Kerberos-based SASL/GSSAPI authentication,
you should install either Heimdal or MIT Kerberos V.
Heimdal Kerberos is available from {{URL:http://www.pdc.kth.se/heimdal/}}.
MIT Kerberos is available from {{URL:http://web.mit.edu/kerberos/www/}}.
Use of strong authentication services, such as those provided by
Kerberos, is highly recommended.
H3: {{TERM[expand]SASL}}
OpenLDAP clients and servers require installation of {{PRD:Cyrus}}'s
{{PRD:SASL}} libraries to provide {{TERM[expand]SASL}} services. Though
OpenLDAP clients and servers require installation of {{PRD:Cyrus SASL}}
libraries to provide {{TERM[expand]SASL}} services. Though
some operating systems may provide this library as part of the
base system or as an optional software component, Cyrus SASL
often requires separate installation.
@ -110,10 +92,27 @@ OpenLDAP Software will not be fully LDAPv3 compliant unless OpenLDAP's
configure detects a usable Cyrus SASL installation.
H3: {{TERM[expand]Kerberos}}
OpenLDAP clients and servers support {{TERM:Kerberos}} authentication
services. In particular, OpenLDAP supports the Kerberos V
{{TERM:GSS-API}} {{TERM:SASL}} authentication mechanism known as
the {{TERM:GSSAPI}} mechanism. This feature requires, in addition to
Cyrus SASL libraries, either {{PRD:Heimdal}} or {{PRD:MIT Kerberos}}
V libraries.
Heimdal Kerberos is available from {{URL:http://www.pdc.kth.se/heimdal/}}.
MIT Kerberos is available from {{URL:http://web.mit.edu/kerberos/www/}}.
Use of strong authentication services, such as those provided by
Kerberos, is highly recommended.
H3: Database Software
OpenLDAP's {{slapd}}(8) {{TERM:BDB}} and {{TERM:HDB}} primary database backends
require {{ORG[expand]Sleepycat}} {{PRD:Berkeley DB}}.
require {{ORG[expand]Oracle}} {{PRD:Berkeley DB}}.
If not available at configure time, you will not be able build
{{slapd}}(8) with these primary database backends.
@ -122,10 +121,10 @@ Your operating system may provide a supported version of
software component. If not, you'll have to obtain and
install it yourself.
{{PRD:Berkeley DB}} is available from {{ORG[expand]Sleepycat}}'s
download page {{URL: http://www.sleepycat.com/download/}}. There
are several versions available. Generally, the most recent release
(with published patches) is recommended. This package is required
{{PRD:Berkeley DB}} is available from {{ORG[expand]Oracle}}'s Berkeley DB
download page
{{URL: http://www.oracle.com/technology/software/products/berkeley-db/index.html}}. There are several versions available. Generally, the most recent
release (with published patches) is recommended. This package is required
if you wish to use the {{TERM:BDB}} or {{TERM:HDB}} database backends.
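Review bot: `{{ORG[expand]Oracle}}` presumes an `Oracle` entry in the organisations catalog that the new glossary renders with `!catalog organisations`; confirm it was added next to the existing `Sleepycat` entry, otherwise the expansion renders as a broken reference. While this paragraph is open, the unchanged context line "you will not be able build" should read "you will not be able to build".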
@ -219,8 +218,8 @@ Now build the software, this step will actually compile OpenLDAP.
> make
You should examine the output of this command carefully to make sure
everything is built correctly. Note that this command builds the LDAP
libraries and associated clients as well as {{slapd}}(8) and {{slurpd}}(8).
everything is built correctly. Note that this command builds the LDAP
libraries and associated clients as well as {{slapd}}(8).
H2: Testing the Software

View file

@ -1,33 +1,40 @@
# $OpenLDAP$
# Copyright 1999-2006 The OpenLDAP Foundation, All Rights Reserved.
# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: Introduction to OpenLDAP Directory Services
This document describes how to build, configure, and operate OpenLDAP
software to provide directory services. This includes details on
how to configure and run the stand-alone {{TERM:LDAP}} daemon,
{{slapd}}(8) and the stand-alone LDAP update replication daemon,
{{slurpd}}(8). It is intended for newcomers and experienced
administrators alike. This section provides a basic introduction
to directory services and, in particular, the directory services
provided by {{slapd}}(8).
This document describes how to build, configure, and operate
{{PRD:OpenLDAP}} Software to provide directory services. This
includes details on how to configure and run the Standalone
{{TERM:LDAP}} Daemon, {{slapd}}(8). It is intended for new and
experienced administrators alike. This section provides a basic
introduction to directory services and, in particular, the directory
services provided by {{slapd}}(8). This introduction is only
intended to provide enough information so one might get started
learning about {{TERM:LDAP}}, {{TERM:X.500}}, and directory services.
H2: What is a directory service?
A directory is a specialized database optimized for reading, browsing
and searching. Directories tend to contain descriptive, attribute-based
information and support sophisticated filtering capabilities.
Directories generally do not support complicated transaction or
roll-back schemes found in database management systems designed
for handling high-volume complex updates. Directory updates are
typically simple all-or-nothing changes, if they are allowed at
all. Directories are tuned to give quick response to high-volume
lookup or search operations. They may have the ability to replicate
information widely in order to increase availability and reliability,
while reducing response time. When directory information is
replicated, temporary inconsistencies between the replicas may be
okay, as long as they get in sync eventually.
A directory is a specialized database specifically designed for
searching and browsing, in additional to supporting basic lookup
and update functions.
Note: A directory is defined by some as merely a database optimized
for read access. This definition, at best, is overly simplistic.
Directories tend to contain descriptive, attribute-based information
and support sophisticated filtering capabilities. Directories
generally do not support complicated transaction or roll-back schemes
found in database management systems designed for handling high-volume
complex updates. Directory updates are typically simple all-or-nothing
changes, if they are allowed at all. Directories are generally
tuned to give quick response to high-volume lookup or search
operations. They may have the ability to replicate information
widely in order to increase availability and reliability, while
reducing response time. When directory information is replicated,
temporary inconsistencies between the replicas may be okay, as long
as inconsistencies are resolved in a timely manner.
There are many different ways to provide a directory service.
Different methods allow different kinds of information to be stored
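Review bot: typo on the added line "in additional to supporting basic lookup and update functions": should be "in addition to". The rest of the rewrite keeps the original content and only tightens the wording about replica inconsistency, which reads well.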
@ -41,9 +48,17 @@ services are usually {{distributed}}, meaning that the data they
contain is spread across many machines, all of which cooperate to
provide the directory service. Typically a global service defines
a uniform {{namespace}} which gives the same view of the data no
matter where you are in relation to the data itself. The Internet
{{TERM[expand]DNS}} (DNS) is an example of a globally distributed
directory service.
matter where you are in relation to the data itself.
A web directory, such as provided by the {{Open Directory Project}}
<{{URL:http://dmoz.org}}>, is a good example of a directory service.
These services catalog web pages and are specifically designed to
support browsing and searching.
While some consider the Internet {{TERM[expand]DNS}} (DNS) is an
example of a globally distributed directory service, DNS is not
browsable nor searchable. It is more properly described as a
globaly distributed {{lookup}} service.
H2: What is LDAP?
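Review bot: the new DNS paragraph has a typo ("globaly distributed {{lookup}} service" should be "globally") and its first sentence does not parse ("While some consider the Internet {{TERM[expand]DNS}} (DNS) is an example of"); suggest "While some consider the Internet {{TERM[expand]DNS}} (DNS) to be an example of a globally distributed directory service, DNS is neither browsable nor searchable."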
@ -53,11 +68,10 @@ it is a lightweight protocol for accessing directory services,
specifically {{TERM:X.500}}-based directory services. LDAP runs
over {{TERM:TCP}}/{{TERM:IP}} or other connection oriented transfer
services. LDAP is an {{ORG:IETF}} Standard Track protocol and is
specified as detailed in "Lightweight Directory Access Protocol
(LDAP) Technical Specification Road Map" {{REF:RFC4510}}.
specified in "Lightweight Directory Access Protocol (LDAP) Technical
Specification Road Map" {{REF:RFC4510}}.
This section gives an overview of LDAP from a
user's perspective.
This section gives an overview of LDAP from a user's perspective.
{{What kind of information can be stored in the directory?}} The
LDAP information model is based on {{entries}}. An entry is a
@ -69,8 +83,8 @@ common name, or "{{EX:mail}}" for email address. The syntax of
values depend on the attribute type. For example, a {{EX:cn}}
attribute might contain the value {{EX:Babs Jensen}}. A {{EX:mail}}
attribute might contain the value "{{EX:babs@example.com}}". A
{{EX:jpegPhoto}} attribute would contain a photograph in the JPEG
(binary) format.
{{EX:jpegPhoto}} attribute would contain a photograph in the
{{TERM:JPEG}} (binary) format.
{{How is the information arranged?}} In LDAP, directory entries
are arranged in a hierarchical tree-like structure. Traditionally,
@ -107,8 +121,8 @@ the entry itself (called the {{TERM[expand]RDN}} or RDN) and
concatenating the names of its ancestor entries. For example, the
entry for Barbara Jensen in the Internet naming example above has
an RDN of {{EX:uid=babs}} and a DN of
{{EX:uid=babs,ou=People,dc=example,dc=com}}. The full DN format
is described in {{REF:RFC4514}}, "LDAP: String Representation of
{{EX:uid=babs,ou=People,dc=example,dc=com}}. The full DN format is
described in {{REF:RFC4514}}, "LDAP: String Representation of
Distinguished Names."
{{How is the information accessed?}} LDAP defines operations for
@ -142,16 +156,15 @@ services.
H2: How does LDAP work?
LDAP directory service is based on a {{client-server}} model. One
or more LDAP servers contain the data making up the directory
information tree (DIT). The client connects to servers and
asks it a question. The server responds with an answer and/or
with a pointer to where the client can get additional information
(typically, another LDAP server). No matter which LDAP server a
client connects to, it sees the same view of the directory; a name
presented to one LDAP server references the same entry it would at
another LDAP server. This is an important feature of a global
directory service, like LDAP.
LDAP utilizes a {{client-server model}}. One or more LDAP servers
contain the data making up the directory information tree ({{TERM:DIT}}).
The client connects to servers and asks it a question. The server
responds with an answer and/or with a pointer to where the client
can get additional information (typically, another LDAP server).
No matter which LDAP server a client connects to, it sees the same
view of the directory; a name presented to one LDAP server references
the same entry it would at another LDAP server. This is an important
feature of a global directory service.
H2: What about X.500?
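Review bot: the rewritten paragraph carries over the old number disagreement in "The client connects to servers and asks it a question"; suggest "The client connects to an LDAP server and asks it a question", which also matches the singular "The server responds" that follows.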
@ -171,7 +184,7 @@ While LDAP is still used to access X.500 directory service via
gateways, LDAP is now more commonly directly implemented in X.500
servers.
The stand-alone LDAP daemon, or {{slapd}}(8), can be viewed as a
The Standalone LDAP Daemon, or {{slapd}}(8), can be viewed as a
{{lightweight}} X.500 directory server. That is, it does not
implement the X.500's DAP nor does it support the complete X.500
models.
@ -184,10 +197,7 @@ X.500 DAP, or have no immediate plans to run X.500 DAP, read on.
It is possible to replicate data from an LDAP directory server to
a X.500 DAP {{TERM:DSA}}. This requires an LDAP/DAP gateway.
OpenLDAP does not provide such a gateway, but our replication daemon
can be used to replicate to such a gateway. See the {{SECT:Replication
with slurpd}} chapter of this document for information regarding
replication.
OpenLDAP Software does not include such a gateway.
H2: What is the difference between LDAPv2 and LDAPv3?
@ -221,13 +231,14 @@ service, or run a service all by yourself. Some of slapd's more
interesting features and capabilities include:
{{B:LDAPv3}}: {{slapd}} implements version 3 of {{TERM[expand]LDAP}}.
{{slapd}} supports LDAP over both IPv4 and IPv6 and Unix IPC.
{{slapd}} supports LDAP over both {{TERM:IPv4}} and {{TERM:IPv6}}
and Unix {{TERM:IPC}}.
{{B:{{TERM[expand]SASL}}}}: {{slapd}} supports strong authentication
and data security (integrity and confidentiality) services through
the use of SASL. {{slapd}}'s SASL implementation utilizes {{PRD:Cyrus}}
{{PRD:SASL}} software which supports a number of mechanisms including
DIGEST-MD5, EXTERNAL, and GSSAPI.
the use of SASL. {{slapd}}'s SASL implementation utilizes {{PRD:Cyrus
SASL}} software which supports a number of mechanisms including
{{TERM:DIGEST-MD5}}, {{TERM:EXTERNAL}}, and {{TERM:GSSAPI}}.
{{B:{{TERM[expand]TLS}}}}: {{slapd}} supports certificate-based
authentication and data security (integrity and confidentiality)
@ -254,7 +265,7 @@ of different database backends you can choose from. They include
{{TERM:HDB}}, a hierarchical high-performance transactional
backend; {{SHELL}}, a backend interface to arbitrary shell scripts;
and PASSWD, a simple backend interface to the {{passwd}}(5) file.
The BDB and HDB backends utilize {{ORG:Sleepycat}} {{PRD:Berkeley
The BDB and HDB backends utilize {{ORG:Oracle}} {{PRD:Berkeley
DB}}.
{{B:Multiple database instances}}: {{slapd}} can be configured to
@ -272,7 +283,7 @@ well-defined {{TERM:C}} {{TERM:API}}, you can write your own
customized modules which extend {{slapd}} in numerous ways. Also,
a number of {{programmable database}} modules are provided. These
allow you to expose external data sources to {{slapd}} using popular
programming languages ({{PRD:Perl}}, {{shell}}, {{PRD:SQL}}, and
programming languages ({{PRD:Perl}}, {{shell}}, {{TERM:SQL}}, and
{{PRD:TCL}}).
{{B:Threads}}: {{slapd}} is threaded for high performance. A single
@ -284,8 +295,8 @@ required while providing high performance.
copies of directory information. This {{single-master/multiple-slave}}
replication scheme is vital in high-volume environments where a
single {{slapd}} just doesn't provide the necessary availability
or reliability. {{slapd}} supports two replication methods: {{LDAP
Sync}}-based and {{slurpd}}(8)-based replication.
or reliability. {{slapd}} includes support for {{LDAP Sync}}-based
replication.
{{B:Proxy Cache}}: {{slapd}} can be configured as a caching
LDAP proxy service.
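Review bot: with slurpd removed from the Replication bullet, the unchanged opening "This {{single-master/multiple-slave}} replication scheme" now frames the bullet around that topology alone; confirm the wording still matches what LDAP Sync replication provides in this release, and consider adding a pointer to {{SECT:LDAP Sync Replication}} here, since the slurpd section that carried the only such pointer in this chapter is deleted further down in this file.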
@ -295,22 +306,3 @@ single configuration file which allows you to change just about
everything you'd ever want to change. Configuration options have
reasonable defaults, making your job much easier.
H2: What is slurpd and what can it do?
{{slurpd}}(8) is a daemon that, with {{slapd}} help, provides
replicated service. It is responsible for distributing changes
made to the master {{slapd}} database out to the various {{slapd}}
replicas. It frees {{slapd}} from having to worry that some replicas
might be down or unreachable when a change comes through; {{slurpd}}
handles retrying failed requests automatically. {{slapd}} and
{{slurpd}} communicate through a simple text file that is used to
log changes.
See the {{SECT:Replication with slurpd}} chapter for information
about how to configure and run {{slurpd}}(8).
Alternatively, {{LDAP-Sync}}-based replication may be used to provide
a replicated service. See the {{SECT:LDAP Sync Replication}} chapter
for details.
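Review bot: deleting this section removes the chapter's references to {{SECT:Replication with slurpd}} and {{SECT:LDAP Sync Replication}}; check that no other chapter still cross-references the slurpd section (the guide master-file hunk in this commit does not show its include being dropped), otherwise the remaining SECT references will dangle at build time.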

@ -1,5 +1,5 @@
# $OpenLDAP$
# Copyright 1999-2006 The OpenLDAP Foundation, All Rights Reserved.
# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
#
# master file for the OpenLDAP Administrator's Guide
@ -60,8 +60,8 @@ PB:
!include "tls.sdf"; chapter
PB:
#!include "monitoringslapd.sdf"; chapter
#PB:
!include "monitoringslapd.sdf"; chapter
PB:
#!include "tuning.sdf"; chapter
#PB:
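Review bot: this uncomments the monitoringslapd.sdf include, so the chapter now ships in the built guide, but its "Monitor configuration via cn=config(5)" section is still the placeholder "{{This section has yet to be written.}}" (see that file's hunk in this commit); either fill that section in or keep the include commented out until it is ready.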
@ -79,6 +79,11 @@ PB:
PB:
# Appendices
# Terms
!include "glossary.sdf"; appendix
PB:
# Autoconf
!include "../release/autoconf.sdf"; appendix
PB:

@ -1,111 +1,500 @@
# $OpenLDAP$
# Copyright 1999-2006 The OpenLDAP Foundation, All Rights Reserved.
# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: Monitoring Slapd
H1: Monitoring
Slapd supports a monitoring interface you can use to find out
many useful bits of information about what slapd is currently
doing, how many connections it has, how many threads are
working, etc. You can access the monitor feature by doing a
base object search of the SLAPD_MONITOR_DN from
include/ldapconfig.h with any kind of valid filter (e.g.,
"(objectclass=*)"). By default, this DN is set to "cn=monitor".
You will get one entry returned to you, with the following
{{slapd}}(8) supports an optional {{TERM:LDAP}} monitoring interface
you can use to obtain information regarding the current state of
your {{slapd}} instance. For instance, the interface allows you
to determine how many clients are connected to the server currently.
The monitoring information is provided by a specialized backend,
the {{monitor}} backend. A manual page, {{slapd-monitor}}(5) is
available.
When the monitoring interface is enabled, LDAP clients may be used
to access information provided by the {{monitor}} backend, subject
to access and other controls.
When enabled, the {{monitor}} backend dynamically generates and
returns objects in response to search requests in the {{cn=Monitor}}
subtree. Each object contains information about a particular aspect
of the server. The information is held in a combination of user
applications and operational attributes. This information can be
access with {{ldapsearch(1)}}, with any general-purpose LDAP browser,
or with specialized monitoring tools. The {{SECT:Accessing Monitoring
Information}} section provides a brief tutorial on how to use
{{ldapsearch}}(1) to access monitoring information, while the
{{SECT:Monitor information}} section details monitoring information
base and its organization.
While support for the monitor backend is included in default builds
of slapd(8), this support requires some configuration to become
active. This may be done using either {{EX:cn=config}} or
{{slapd.conf}}(5). The former is discussed in the {{SECT:Monitor
configuration via cn=config}} section of this of this chapter. The
latter is discussed in the {{SECT:Monitor configuration via
slapd.conf(5)}} section of this chapter. These sections assume
monitor backend is built into {{slapd}} (e.g., {{EX:--enable-monitor=yes}},
the default). If the monitor backend was built as a module (e.g.,
{{EX:--enable-monitor=mod}}, this module must loaded. Loading of
modules is discussed in the {{SECT:Configuring slapd}} and {{SECT:The
slapd Configuration File}} chapters.
H2: Monitor configuration via cn=config(5)
{{This section has yet to be written.}}
H2: Monitor configuration via slapd.conf(5)
Configuration of the slapd.conf(5) to support LDAP monitoring
is quite simple.
First, ensure {{core.schema}} schema configuration file is included
by your {{slapd.conf}}(5) file. The {{monitor}} backend requires
it.
Second, instanticate the {{monitor backend}} by adding a
{{database monitor}} directive below your existing database
sections. For instance:
> database monitor
Lastly, add additional global or database directives as needed.
Like most other database backends, the monitor backend does honor
slapd(8) access and other adminstrative controls. As some monitor
information may be sensitive, it is generally recommend access to
cn=monitor be restricted to directory administrators and their
monitoring agents. Adding an {{access}} directive immediately below
the {{database monitor}} directive is a clear and effective approach
for controlling access. For instance, the addition of the following
{{access}} directive immediately below the {{database monitor}}
directive restricts access to monitoring information to the specified
directory manager.
> access to *
> by dn.exact="cn=Manager,dc=example,dc=com
> by * none
More information on {{slapd}}(8) access controls, see {{The access
Control Directive}} section of the {{SECT:The slapd Configuration
File}} chapter and {{slapd.access}}(5).
After restarting {{slapd}}(8), you are ready to start exploring the
monitoring information provided in {{EX:cn=config}} as discussed
in the {{SECT:Accessing Monitoring Information}} section of this
chapter.
One can verify slapd(8) is properly configured to provide monitoring
information by attempting to read the {{EX:cn=monitor}} object.
For instance, if the following {{ldapsearch}}(1) command returns the
cn=monitor object (with, as requested, no attributes), it's working.
> ldapsearch -x -D 'cn=Manager,dc=example,dc=com' -W \
> -b 'cn=Monitor' -s base 1.1
Note that unlike general purpose database backends, the database
suffix is hardcoded. It's always {{EX:cn=Monitor}}. So no {{suffix}}
directive should be provided. Also note that general purpose
database backends, the monitor backend cannot be instantiated
multiple times. That is, there can only be one (or zero) occurances
of {{EX:database monitor}} in the server's configuration.
H2: Accessing Monitoring Information
As previously discussed, when enabled, the {{monitor}} backend
dynamically generates and returns objects in response to search
requests in the {{cn=Monitor}} subtree. Each object contains
information about a particular aspect of the server. The information
is held in a combination of user applications and operational
attributes. This information can be access with {{ldapsearch(1)}},
with any general-purpose LDAP browser, or with specialized monitoring
tools.
This section provides a provides a brief tutorial on how to use
{{ldapsearch}}(1) to access monitoring information.
To inspect any particular monitor object, one performs search
operation on the object with a baseObject scope and a
{{EX:(objectClass=*)}} filter. As the monitoring information is
contained in a combination of user applications and operational
attributes, the return all user applications attributes (e.g.,
{{EX:'*'}}) and all operational attributes (e.g., {{EX:'+'}}) should
be requested. For instance, to read the {{EX:cn=Monitor}} object
itself, the {{ldapsearch}}(1) command (modified to fit your configuration)
can be used:
> ldapsearch -x -D 'cn=Manager,dc=example,dc=com' -W \
> -b 'cn=Monitor' -s base '(objectClass=*)' '*' '+'
When run against your server, this should produce output
similar to:
> dn: cn=Monitor
> objectClass: monitorServer
> structuralObjectClass: monitorServer
> cn: Monitor
> creatorsName:
> modifiersName:
> createTimestamp: 20061208223558Z
> modifyTimestamp: 20061208223558Z
> description: This subtree contains monitoring/managing objects.
> description: This object contains information about this server.
> description: Most of the information is held in operational attributes, which
> must be explicitly requested.
> monitoredInfo: OpenLDAP: slapd 2.4 (Dec 7 2006 17:30:29)
> entryDN: cn=Monitor
> subschemaSubentry: cn=Subschema
> hasSubordinates: TRUE
To reduce the number of uninteresting attributes returned, one
can be more selective when requesting which attributes are to be
returned. For instance, one could request the return of all
attributes allowed by the {{monitorServer}} object class (e.g.,
{{EX:@objectClass}}) instead of all user and all operational
attributes:
E: version: slapd <version> (<date>)
> ldapsearch -x -D 'cn=Manager,dc=example,dc=com' -W \
> -b 'cn=Monitor' -s base '(objectClass=*)' '@monitorServer'
This attribute identifies the slapd server software by name,
version, and build date, e.g., {{EX: slapd 3.3 (Thu May 21 14:19:03
EDT 1996)}}
This limits the output as follows:
E: threads: <integer>
> dn: cn=Monitor
> objectClass: monitorServer
> cn: Monitor
> description: This subtree contains monitoring/managing objects.
> description: This object contains information about this server.
> description: Most of the information is held in operational attributes, which
> must be explicitly requested.
> monitoredInfo: OpenLDAP: slapd 2.X (Dec 7 2006 17:30:29)
This attribute indicates the number of threads (operations)
currently outstanding in slapd.
To return the names of all the monitoring objects, one performs a
search of {{EX:cn=Monitor}} with subtree scope and {{EX:(objectClass=*)}}
filter and requesting no attributes (e.g., {{EX:1.1}}) be returned.
E: connection: <fd> : <opentime> : <opsinitiated> :
E: <opscompleted> : <binddn> : [ <rw> ]
> ldapsearch -x -D 'cn=Manager,dc=example,dc=com' -W -b 'cn=Monitor' -s sub 1.1
This multi-valued attribute summarizes information for each
open connection. The information given is {{EX: <fd>}}, the file
descriptor; {{EX: <opentime>}}, the time the connection was opened
in UTC format; {{EX: <opsinitiated>}}, the number of operations
initiated over the connection; {{EX: <opscompleted>}}, the number
of operations completed over the connection; {{EX: <binddn>}}, the
DN currently bound to the connection; and optionally {{EX: <rw>}},
indicating whether the connection is currently blocked for
read or write..
If you run this command you will discover that there are many objects
in the {{cn=Monitor}} subtree. The following section describes
some of the commonly available monitoring objects.
E: currentconnections: <integer>
The current number of connections.
H2: Monitor Information
E: totalconnections: <integer>
The {{monitor}} backend provides a wealth of information useful
for monitoring the slapd(8) contained in set of monitor objects.
Each object contains information about a particular aspect of
the server, such as a backends, a connection, or a thread.
Some objects serve as containers for other objects and used
to construct a hierarchy of objects.
The total number of connections handled by slapd since it
started.
In this hierarchy, the most superior object is {cn=Monitor}.
While this object primarily serves as a container for other
objects, most of which are containers, this object provides
information about this server. In particular, it provides the
slapd(8) version string. Example:
E: dtablesize: <integer>
> dn: cn=Monitor
> monitoredInfo: OpenLDAP: slapd 2.X (Dec 7 2006 17:30:29)
The size of slapd's file descriptor table.
Note: Examples in this section (and its subsections) have been
trimmed to show only key information.
E: writewaiters: <integer>
The number of threads blocked waiting to write data to a
client.
H3: Backends
E: readwaiters: <integer>
The {{EX:cn=Backends,cn=Monitor}} object, itself, provides a list
of available backends. The list of available backends all builtin
backends, as well as backends loaded by modules. For example:
The number of threads blocked waiting to read data from a
client.
> dn: cn=Backends,cn=Monitor
> monitoredInfo: config
> monitoredInfo: ldif
> monitoredInfo: monitor
> monitoredInfo: bdb
> monitoredInfo: hdb
E: opsinitiated: <integer>
This indicates the {{config}}, {{ldif}}, {{monitor}}, {{bdb}},
and {{hdb}} backends are available.
The total number of operations initiated by slapd since it
started.
The {{EX:cn=Backends,cn=Monitor}} object is also a container
for available backend objects. Each available backend object
contains information about a particular backend. For example:
E: opscompleted: <integer>
> dn: cn=Backend 0,cn=Backends,cn=Monitor
> monitoredInfo: config
> monitorRuntimeConfig: TRUE
> supportedControl: 2.16.840.1.113730.3.4.2
> seeAlso: cn=Database 0,cn=Databases,cn=Monitor
>
> dn: cn=Backend 1,cn=Backends,cn=Monitor
> monitoredInfo: ldif
> monitorRuntimeConfig: TRUE
> supportedControl: 2.16.840.1.113730.3.4.2
>
> dn: cn=Backend 2,cn=Backends,cn=Monitor
> monitoredInfo: monitor
> monitorRuntimeConfig: TRUE
> supportedControl: 2.16.840.1.113730.3.4.2
> seeAlso: cn=Database 2,cn=Databases,cn=Monitor
>
> dn: cn=Backend 3,cn=Backends,cn=Monitor
> monitoredInfo: bdb
> monitorRuntimeConfig: TRUE
> supportedControl: 1.3.6.1.1.12
> supportedControl: 2.16.840.1.113730.3.4.2
> supportedControl: 1.3.6.1.4.1.4203.666.5.2
> supportedControl: 1.2.840.113556.1.4.319
> supportedControl: 1.3.6.1.1.13.1
> supportedControl: 1.3.6.1.1.13.2
> supportedControl: 1.3.6.1.4.1.4203.1.10.1
> supportedControl: 1.2.840.113556.1.4.1413
> supportedControl: 1.3.6.1.4.1.4203.666.11.7.2
> seeAlso: cn=Database 1,cn=Databases,cn=Monitor
>
> dn: cn=Backend 4,cn=Backends,cn=Monitor
> monitoredInfo: hdb
> monitorRuntimeConfig: TRUE
> supportedControl: 1.3.6.1.1.12
> supportedControl: 2.16.840.1.113730.3.4.2
> supportedControl: 1.3.6.1.4.1.4203.666.5.2
> supportedControl: 1.2.840.113556.1.4.319
> supportedControl: 1.3.6.1.1.13.1
> supportedControl: 1.3.6.1.1.13.2
> supportedControl: 1.3.6.1.4.1.4203.1.10.1
> supportedControl: 1.2.840.113556.1.4.1413
> supportedControl: 1.3.6.1.4.1.4203.666.11.7.2
The total number of operations completed by slapd since it
started.
For each of these objects, monitorInfo indicates which backend the
information in the object is about. For instance, the {{EX:cn=Backend
3,cn=Backends,cn=Monitor}} object contains (in the example) information
about the {{bdb}} backend.
E: entriessent: <integer>
!block table
Attribute|Description
monitoredInfo|Name of backend
supportedControl|supported LDAP control extensions
seeAlso|Database objects of instances of this backend
!endblock
The total number of entries sent to clients by slapd since it
started.
H3: Connections
E: bytessent: <integer>
The main entry is empty; it should contain some statistics on the number
of connections.
The total number of bytes sent to clients by slapd since it
started.
Dynamic child entries are created for each open connection, with stats on
the activity on that connection (the format will be detailed later).
There are two special child entries that show the number of total and
current connections respectively.
E: currenttime: <UTC time>
For example:
Slapd's idea of the current time.
Total Connections:
E: starttime: <integer>
> dn: cn=Total,cn=Connections,cn=Monitor
> structuralObjectClass: monitorCounterObject
> monitorCounter: 4
> entryDN: cn=Total,cn=Connections,cn=Monitor
> subschemaSubentry: cn=Subschema
> hasSubordinates: FALSE
The time slapd was started.
Current Connections:
E: nbackends: <integer>
> dn: cn=Current,cn=Connections,cn=Monitor
> structuralObjectClass: monitorCounterObject
> monitorCounter: 2
> entryDN: cn=Current,cn=Connections,cn=Monitor
> subschemaSubentry: cn=Subschema
> hasSubordinates: FALSE
The number of backends currently being served by slapd.
E: concurrency: <integer>
H3: Databases
Under Solaris 2.x only, an indication of the current level of
thread concurrency.
The main entry contains the naming context of each configured database;
the child entries contain, for each database, the type and the naming
context.
Note that slapd takes a snapshot of this information and
returns it to you. No attempt is made to ensure that the
information is consistent (i.e., if an operation thread is
modifying one of these things when the monitor thread is
reading it, strange results could be returned).
For example:
You should be able to use any LDAP client to retrieve this
information. Here's how you might do it using the
{{I: ldapsearch}}(1) client:
> dn: cn=Database 2,cn=Databases,cn=Monitor
> structuralObjectClass: monitoredObject
> monitoredInfo: monitor
> monitorIsShadow: FALSE
> monitorContext: cn=Monitor
> readOnly: FALSE
> entryDN: cn=Database 2,cn=Databases,cn=Monitor
> subschemaSubentry: cn=Subschema
> hasSubordinates: FALSE
E: ldapsearch -x -s base -b cn=monitor 'objectclass=*'
H3: Listener
It contains the description of the devices the server is currently
listening on:
> dn: cn=Listener 0,cn=Listeners,cn=Monitor
> structuralObjectClass: monitoredObject
> monitorConnectionLocalAddress: IP=0.0.0.0:389
> entryDN: cn=Listener 0,cn=Listeners,cn=Monitor
> subschemaSubentry: cn=Subschema
> hasSubordinates: FALSE
H3: Log
It contains the currently active log items. The {{Log}} subsystem allows
user modify operations on the {{description}} attribute, whose values {{MUST}}
be in the list of admittable log switches:
> Trace
> Packets
> Args
> Conns
> BER
> Filter
> Config (useless)
> ACL
> Stats
> Stats2
> Shell
> Parse
> Cache (deprecated)
> Index
These values can be added, replaced or deleted; they affect what
messages are sent to the syslog device.
H3: Operations
It shows some statistics on the operations performed by the server:
> Initiated
> Completed
and for each operation type, i.e.:
> Bind
> Unbind
> Add
> Delete
> Modrdn
> Modify
> Compare
> Search
> Abandon
> Extended
There are too many types to list example here, so please try for yourself
using {{SECT: Monitor search example}}
H3: Overlays
The main entry contains the type of overlays available at run-time;
the child entries, for each overlay, contain the type of the overlay.
It should also contain the modules that have been loaded if dynamic
overlays are enabled:
> # Overlays, Monitor
> dn: cn=Overlays,cn=Monitor
> structuralObjectClass: monitorContainer
> monitoredInfo: syncprov
> monitoredInfo: accesslog
> monitoredInfo: glue
> entryDN: cn=Overlays,cn=Monitor
> subschemaSubentry: cn=Subschema
> hasSubordinates: TRUE
H3: SASL
Currently empty.
H3: Statistics
It shows some statistics on the data sent by the server:
> Bytes
> PDU
> Entries
> Referrals
e.g.
> # Entries, Statistics, Monitor
> dn: cn=Entries,cn=Statistics,cn=Monitor
> structuralObjectClass: monitorCounterObject
> monitorCounter: 612248
> entryDN: cn=Entries,cn=Statistics,cn=Monitor
> subschemaSubentry: cn=Subschema
> hasSubordinates: FALSE
H3: Threads
It contains the maximum number of threads enabled at startup and the
current backload.
e.g.
> # Max, Threads, Monitor
> dn: cn=Max,cn=Threads,cn=Monitor
> structuralObjectClass: monitoredObject
> monitoredInfo: 16
> entryDN: cn=Max,cn=Threads,cn=Monitor
> subschemaSubentry: cn=Subschema
> hasSubordinates: FALSE
H3: Time
It contains two child entries with the start time and the current time
of the server.
e.g.
Start time:
> dn: cn=Start,cn=Time,cn=Monitor
> structuralObjectClass: monitoredObject
> monitorTimestamp: 20061205124040Z
> entryDN: cn=Start,cn=Time,cn=Monitor
> subschemaSubentry: cn=Subschema
> hasSubordinates: FALSE
Current time:
> dn: cn=Current,cn=Time,cn=Monitor
> structuralObjectClass: monitoredObject
> monitorTimestamp: 20061207120624Z
> entryDN: cn=Current,cn=Time,cn=Monitor
> subschemaSubentry: cn=Subschema
> hasSubordinates: FALSE
H3: TLS
Currently empty.
H3: Waiters
It contains the number of current read waiters.
e.g.
Read waiters:
> dn: cn=Read,cn=Waiters,cn=Monitor
> structuralObjectClass: monitorCounterObject
> monitorCounter: 7
> entryDN: cn=Read,cn=Waiters,cn=Monitor
> subschemaSubentry: cn=Subschema
> hasSubordinates: FALSE
Write waiters:
> dn: cn=Write,cn=Waiters,cn=Monitor
> structuralObjectClass: monitorCounterObject
> monitorCounter: 0
> entryDN: cn=Write,cn=Waiters,cn=Monitor
> subschemaSubentry: cn=Subschema
> hasSubordinates: FALSE
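Review bot: the access-control example in the slapd.conf(5) section is broken as written: `by dn.exact="cn=Manager,dc=example,dc=com` lacks its closing quote, and the manager clause states no access level, so what the manager is granted is left to the default; suggest `access to *` / `by dn.exact="cn=Manager,dc=example,dc=com" read` / `by * none`, which makes the restriction the text recommends explicit and parseable. Further points in this hunk: the paragraph after the example says monitoring information is provided in {{EX:cn=config}}, which should be cn=Monitor (the suffix is stated as hardcoded to cn=Monitor a few lines later); the heading "H2: Monitor configuration via cn=config(5)" carries a spurious manual-section suffix and does not match the {{SECT:Monitor configuration via cn=config}} reference above it, so that cross-reference will not resolve; the tutorial text says {{EX:@objectClass}} where the command actually uses '@monitorServer'; "monitorInfo" in the Backends prose should be "monitoredInfo", as in the examples; "{cn=Monitor}" uses single braces; the Operations section points at {{SECT: Monitor search example}}, which does not exist in this chapter (the tutorial is "Accessing Monitoring Information"); the two version strings differ ("slapd 2.4" vs "slapd 2.X"); and the Waiters intro mentions only read waiters although both Read and Write entries are shown. Typos to fix: "instanticate", "adminstrative", "generally recommend" (recommended), "occurances", "can be access with" (twice), "of this of this chapter", "provides a provides a", "{{EX:--enable-monitor=mod}}, this module must loaded" (missing closing parenthesis and "be"), "Also note that general purpose database backends" (missing "unlike"), "The list of available backends all builtin backends" (missing "includes"), and "the return all user applications attributes".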

@ -1,5 +1,5 @@
# $OpenLDAP$
# Copyright 1999-2006 The OpenLDAP Foundation, All Rights Reserved.
# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
#
@ -9,7 +9,7 @@ P1: Preface
# document's copyright
P2[notoc] Copyright
Copyright 1998-2005, The {{ORG[expand]OLF}}, {{All Rights Reserved}}.
Copyright 1998-2006, The {{ORG[expand]OLF}}, {{All Rights Reserved}}.
Copyright 1992-1996, Regents of the {{ORG[expand]UM}}, {{All Rights Reserved}}.
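Review bot: the document copyright line is bumped only to 1998-2006 while the file header in this same file (first hunk) moves to 2007; if the intent is a uniform 2007 update across the tree, this should read "Copyright 1998-2007".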
@ -17,21 +17,21 @@ This document is considered a part of OpenLDAP Software. This
document is subject to terms of conditions set forth in {{SECT:OpenLDAP
Software Copyright Notices}} and the {{SECT:OpenLDAP Public License}}.
Complete copies of the notices and associated license can be found
in Appendix B and C, respectively.
in Appendix C and D, respectively.
P2[notoc] Scope of this Document
This document provides a guide for installing [[DOC_NAME]]
({{URL:http://www.openldap.org/software/}})
on {{TERM:UNIX}} (and UNIX-like) systems. The document is aimed at
experienced system administrators but who may not have prior experience
operating {{TERM:LDAP}}-based directory software.
({{URL:http://www.openldap.org/software/}}) on {{TERM:UNIX}} (and
UNIX-like) systems. The document is aimed at experienced system
administrators with basic understanding of {{TERM:LDAP}}-based
directory services.
This document is meant to be used in conjunction with other OpenLDAP
information resources provided with the software package and on
the project's extensive site ({{URL:http://www.OpenLDAP.org/}}) on
the World Wide Web. The site makes available a number of resources.
information resources provided with the software package and on the
project's site ({{URL:http://www.OpenLDAP.org/}}) on the
{{TERM[expand]WWW}}. The site makes available a number of resources.
!block table; align=Center; coltags="N,URL"; \
title="OpenLDAP Resources"
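Review bot: "experienced system administrators with basic understanding of {{TERM:LDAP}}-based directory services" is missing an article; suggest "with a basic understanding of".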
@ -40,6 +40,7 @@ Document Catalog|http://www.OpenLDAP.org/doc/
Frequently Asked Questions|http://www.OpenLDAP.org/faq/
Issue Tracking System|http://www.OpenLDAP.org/its/
Mailing Lists|http://www.OpenLDAP.org/lists/
Manual Pages|http://www.OpenLDAP.org/software/man.cgi
Software Pages|http://www.OpenLDAP.org/software/
Support Pages|http://www.OpenLDAP.org/support/
!endblock
@ -47,26 +48,28 @@ Support Pages|http://www.OpenLDAP.org/support/
P2[notoc] Acknowledgments
The {{ORG[expand]OLP}} is comprised of a team of volunteers. This document
would not be possible without their contribution of time and energy.
The {{ORG[expand]OLP}} is comprised of a team of volunteers. This
document would not be possible without their contribution of time
and energy.
The OpenLDAP Project would also like to thank the {{ORG[expand]UMLDAP}}
for building the foundation of LDAP software and information to
which OpenLDAP Software is built upon. This document is based upon
U-Mich LDAP document: {{The SLAPD and SLURPD Administrators Guide}}.
University of Michigan document: {{REF[expand]UM-GUIDE}}.
P2[notoc] Amendments
Suggested enhancements and corrections to this document should
be submitted using the {{ORG:OpenLDAP}}
{{{{TERM[expand]ITS}}}} ({{URL: http://www.openldap.org/its/}}).
Suggested enhancements and corrections to this document should be
submitted using the {{PRD:OpenLDAP}} {{TERM[expand]ITS}}
({{URL: http://www.openldap.org/its/}}).
P2[notoc] About this document
This document was produced using the {{Simple Document Format}}
({{URL:http://search.cpan.org/src/IANC/sdf-2.001/doc/}}) documentation
system developed by {{Ian Clatworthy}}. Tools for {{SDF}} are
available from CPAN ({{URL:http://search.cpan.org/search?query=SDF}}).
This document was produced using the {{TERM[expand]SDF}} ({{TERM:SDF}})
documentation system
({{URL:http://search.cpan.org/src/IANC/sdf-2.001/doc/catalog.html}})
developed by {{Ian Clatworthy}}. Tools for SDF are available from
{{ORG:CPAN}} ({{URL:http://search.cpan.org/search?query=SDF}}).
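Review bot: the rewritten Amendments paragraph keeps "{{URL: http://www.openldap.org/its/}}" with a space after the colon, while every other URL macro in this file is written "{{URL:http://...}}"; drop the space so the macro is used consistently.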

@ -1,15 +1,15 @@
# $OpenLDAP$
# Copyright 2003-2006 The OpenLDAP Foundation, All Rights Reserved.
# Copyright 2003-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: The Proxy Cache Engine
LDAP servers typically hold one or more subtrees of a DIT. Replica
(or shadow) servers hold shadow copies of entries held by one or
more master servers. Changes are propagated from the master server
to replica (slave) servers using LDAP Sync or {{slurpd}}(8). An
LDAP cache is a special type of replica which holds entries
corresponding to search filters instead of subtrees.
{{TERM:LDAP}} servers typically hold one or more subtrees of a
{{TERM:DIT}}. Replica (or shadow) servers hold shadow copies of
entries held by one or more master servers. Changes are propagated
from the master server to replica (slave) servers using LDAP Sync
replication. An LDAP cache is a special type of replica which holds
entries corresponding to search filters instead of subtrees.
H2: Overview

View file

@ -1,33 +1,34 @@
# $OpenLDAP$
# Copyright 1999-2006 The OpenLDAP Foundation, All Rights Reserved.
# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: A Quick-Start Guide
The following is a quick start guide to [[DOC_NAME]],
including the stand-alone LDAP daemon, {{slapd}}(8).
including the Standalone {{TERM:LDAP}} Daemon, {{slapd}}(8).
It is meant to walk you through the basic steps needed to install
and configure OpenLDAP Software. It should be used in conjunction
with the other chapters of this document, manual pages, and other
materials provided with the distribution (e.g. the {{F:INSTALL}}
document) or on the OpenLDAP web site (in particular, the OpenLDAP
Software {{TERM:FAQ}}).
and configure {{PRD:OpenLDAP Software}}. It should be used in
conjunction with the other chapters of this document, manual pages,
and other materials provided with the distribution (e.g. the
{{F:INSTALL}} document) or on the {{PRD:OpenLDAP}} web site
({{URL: http://www.OpenLDAP.org}}), in particular the OpenLDAP
Software {{TERM:FAQ}} ({{URL: http://www.OpenLDAP.org/faq/?file=2}}).
If you intend to run OpenLDAP Software seriously, you should review
all of this document before attempting to install the software.
Note: This quick start guide does not use strong authentication
nor any integrity or confidential protection services. These
services are described in other chapters of the OpenLDAP Administrator's
Guide.
services are described in other chapters of the
OpenLDAP Administrator's Guide.
.{{S: }}
^{{B: Get the software}}
. You can obtain a copy of the software by following the
instructions on the OpenLDAP download page
instructions on the OpenLDAP Software download page
({{URL: http://www.openldap.org/software/download/}}). It is
recommended that new users start with the latest {{release}}.
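Review bot: the two new URLs `http://www.OpenLDAP.org` and `http://www.OpenLDAP.org/faq/?file=2` use a mixed-case hostname while the download URL in this same hunk (`http://www.openldap.org/software/download/`) and the ITS URL earlier in this diff are lowercase; pick one form so the rendered links look consistent. The `?file=2` query string also pins the reference to a specific FAQ page number, which is easy to break when the FAQ is reorganised; the schema chapter later in this diff simply links `http://www.openldap.org/faq/` and names the page by title, which is more robust.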
@ -56,7 +57,7 @@ name of the release.
{{F:README}} and {{F:INSTALL}} documents provided with the distribution.
The {{F:COPYRIGHT}} and {{F:LICENSE}} provide information on
acceptable use, copying, and limitation of warranty of OpenLDAP
software.
Software.
.{{S: }}
. You should also review other chapters of this document.
@ -85,9 +86,9 @@ what's best:
. Assuming {{EX:configure}} doesn't dislike your system, you can
proceed with building the software. If {{EX:configure}} did
complain, well, you'll likely need to go to the FAQ Installation
Section ({{URL:http://www.openldap.org/faq/}} and/or actually
read the {{SECT:Building and Installing OpenLDAP Software}}
complain, well, you'll likely need to go to the Software FAQ
{{Installation}} section ({{URL:http://www.openldap.org/faq/?file=8}})
and/or actually read the {{SECT:Building and Installing OpenLDAP Software}}
chapter of this document.
@ -171,7 +172,7 @@ specified directory must exist prior to starting {{slapd}}(8).
.{{S: }}
+{{B:Start SLAPD}}.
. You are now ready to start the stand-alone LDAP server, {{slapd}}(8),
. You are now ready to start the Standalone LDAP Daemon, {{slapd}}(8),
by running the command:
..{{EX:su root -c /usr/local/libexec/slapd}}
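Review bot: the start command `su root -c /usr/local/libexec/slapd` leaves the daemon running as root for the remainder of the quick start, and the only caution the guide gives is the note at the top that no strong authentication or integrity or confidentiality protection is used; suggest this step say explicitly that starting as root is a quick-start shortcut and point at the {{SECT:Security Considerations}} chapter (also touched in this diff) before a reader treats the resulting setup as production-ready.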
@ -179,7 +180,7 @@ by running the command:
. To check to see if the server is running and configured correctly,
you can run a search against it with {{ldapsearch}}(1). By default,
ldapsearch is installed as {{F:/usr/local/bin/ldapsearch}}:
{{ldapsearch}} is installed as {{F:/usr/local/bin/ldapsearch}}:
..{{EX:ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts}}
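Review bot: the `ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts` line should say what `-x` does. The Using SASL chapter in this same diff states that the client tools attempt SASL authentication by default, so a reader following both chapters will wonder why this step forces simple authentication with an anonymous bind; one clause such as "using simple authentication (`-x`) and an anonymous bind, which the default read access described below permits" would explain it.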
@ -198,7 +199,8 @@ in the {{slapd}}(8) manual page and the
+{{B:Add initial entries to your directory}}.
. You can use {{ldapadd}}(1) to add entries to your LDAP directory.
{{ldapadd}} expects input in LDIF form. We'll do it in two steps:
{{ldapadd}} expects input in {{TERM:LDIF}} form. We'll do it in two
steps:
^^ create an LDIF file
++ run ldapadd
@ -269,10 +271,10 @@ Note that by default, the {{slapd}}(8) database grants {{read access
to everybody}} excepting the {{super-user}} (as specified by the
{{EX:rootdn}} configuration directive). It is highly recommended
that you establish controls to restrict access to authorized users.
Access controls are discussed in the {{SECT:Access Control}} section
of {{SECT:The slapd Configuration File}} chapter. You are also
encouraged to read the {{SECT:Security Considerations}}, {{SECT:Using
SASL}} and {{SECT:Using TLS}} sections.
Access controls are discussed in the {{SECT:The access Configuration
Directive}} section of {{SECT:The slapd Configuration File}} chapter.
You are also encouraged to read the {{SECT:Security Considerations}},
{{SECT:Using SASL}} and {{SECT:Using TLS}} sections.
The following chapters provide more detailed information on making,
installing, and running {{slapd}}(8).
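Review bot: the cross-reference is renamed from {{SECT:Access Control}} to {{SECT:The access Configuration Directive}}, and the Security Considerations hunk later in this diff makes the same rename, but the slapd.conf chapter that would carry that heading is not part of this diff; please confirm a section with exactly that title exists, otherwise both renames become dangling SECT references in the generated guide.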

View file

@ -1,5 +1,5 @@
# $OpenLDAP$
# Copyright 1999-2006 The OpenLDAP Foundation, All Rights Reserved.
# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: Constructing a Distributed Directory Service
@ -51,7 +51,7 @@ object would be added to {{EX:a.example.net}}:
The server uses this information to generate referrals and
search continuations to subordinate servers.
For those familiar with X.500, a {{named referral}} object is
For those familiar with {{TERM:X.500}}, a {{named referral}} object is
similar to an X.500 knowledge reference held in a {{subr}}
{{TERM:DSE}}.
@ -75,8 +75,8 @@ that A holds the immediate superior naming context.
The server uses this information to generate referrals to
management operations.
For those familiar with X.500, this use of the {{EX:ref}} attribute
is similar to an X.500 knowledge reference held in a
For those familiar with {{TERM:X.500}}, this use of the {{EX:ref}}
attribute is similar to an X.500 knowledge reference held in a
{{immSupr}} {{TERM:DSE}}.
!endif
@ -99,12 +99,12 @@ as follows:
> referral ldap://a.example.net/
The server uses this information to generate referrals for
operations acting upon entries not within or subordinate
to any of the naming contexts held by the server.
The server uses this information to generate referrals for operations
acting upon entries not within or subordinate to any of the naming
contexts held by the server.
For those familiar with X.500, this use of the {{EX:ref}} attribute
is similar to an X.500 knowledge reference held in a
For those familiar with {{TERM:X.500}}, this use of the {{EX:ref}}
attribute is similar to an X.500 knowledge reference held in a
{{Supr}} {{TERM:DSE}}.

View file

@ -1,8 +1,13 @@
# $OpenLDAP$
# Copyright 1999-2006 The OpenLDAP Foundation, All Rights Reserved.
# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: Replication with slurpd
Note: this section is provided for historical reasons. {{slurpd}}(8)
is deprecated in favor of LDAP Sync based replication, commonly
referred to as {{syncrepl}}. Syncrepl is discussed in
{{SECT:LDAP Sync Replication}} section of this document.
In certain configurations, a single {{slapd}}(8) instance may be
insufficient to handle the number of clients requiring
directory service via LDAP. It may become necessary to

View file

@ -1,12 +1,12 @@
# $OpenLDAP$
# Copyright 1999-2006 The OpenLDAP Foundation, All Rights Reserved.
# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: Running slapd
{{slapd}}(8) is designed to be run as a stand-alone server. This allows
the server to take advantage of caching, manage concurrency issues
with underlying databases, and conserve system resources. Running
from {{inetd}}(8) is {{NOT}} an option.
{{slapd}}(8) is designed to be run as a standalone service. This
allows the server to take advantage of caching, manage concurrency
issues with underlying databases, and conserve system resources.
Running from {{inetd}}(8) is {{NOT}} an option.
H2: Command-Line Options
@ -22,16 +22,17 @@ The default is normally {{F:/usr/local/etc/openldap/slapd.conf}}.
> -h <URLs>
This option specifies alternative listener configurations. The
default is {{EX:ldap:///}} which implies LDAP over TCP on all
interfaces on the default LDAP port 389. You can specify
specific host-port pairs or other protocol schemes (such as
ldaps:// or ldapi://). For example,
{{EX:-h "ldaps:// ldap://127.0.0.1:666"}} will create
two listeners: one for LDAP over SSL on all interfaces on
the default LDAP/SSL port 636, and one for LDAP over TCP on
the {{EX:localhost}} ({{loopback}}) interface on port 666.
Hosts may be specified using IPv4 dotted-decimal form or
using host names. Port values must be numeric.
default is {{EX:ldap:///}} which implies {{TERM:LDAP}} over
{{TERM:TCP}} on all interfaces on the default LDAP port 389. You
can specify specific host-port pairs or other protocol schemes (such
as {{EX:ldaps://}} or {{EX:ldapi://}}). For example, {{EX:-h
"ldaps:// ldap://127.0.0.1:666"}} will create two listeners: one
for the (non-standard) {{EX:ldaps://}} scheme on all interfaces on
the default {{EX:ldaps://}} port 636, and one for the standard
{{EX:ldap://}} scheme on the {{EX:localhost}} ({{loopback}}) interface
on port 666. Hosts may be specified using using hostnames or
{{TERM:IPv4}} or {{TERM:IPv6}} addresses. Port values must be
numeric.
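Review bot: typo in the new text, "specified using using hostnames" doubles "using". Also, the rewritten example labels `ldaps://` as non-standard but does not say what the standard alternative is; the Security Considerations hunk in this diff states that StartTLS is the standard track mechanism, so a pointer to {{SECT:Using TLS}} here would tell a reader who is about to accept the default `ldap:///` (all interfaces, port 389, no protection) where to look.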
> -n <service-name>
@ -67,7 +68,7 @@ exits, regardless of any other options you give it. Current
debugging levels are
!block table; colaligns="RL"; align=Center; \
title="Table 6.1: Debugging Levels"
title="Table 7.1: Debugging Levels"
Level Description
-1 enable all debugging
0 no debugging
@ -113,11 +114,11 @@ terminal and run in the background.
H2: Stopping slapd
To kill off slapd safely, you should give a command like this
To kill off {{slapd}}(8) safely, you should give a command like this
> kill -INT `cat /usr/local/var/slapd.pid`
where {{F:/usr/local/var}} is determined by {{EX:configure}}.
Killing slapd by a more drastic method may cause information
loss or database corruption.
Killing slapd by a more drastic method may cause information loss or
database corruption.

View file

@ -1,4 +1,4 @@
# Copyright 1999-2006 The OpenLDAP Foundation, All Rights Reserved.
# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: Using SASL
@ -10,21 +10,21 @@ SASL in OpenLDAP.
There are several industry standard authentication mechanisms that
can be used with SASL, including {{TERM:GSSAPI}} for {{TERM:Kerberos}}
V, DIGEST-MD5, and PLAIN and EXTERNAL for use with {{TERM[expand]TLS}}
(TLS).
V, {{TERM:DIGEST-MD5}}, and {{TERM:PLAIN}} and {{TERM:EXTERNAL}}
for use with {{TERM[expand]TLS}} (TLS).
The standard client tools provided with OpenLDAP Software, such as
{{ldapsearch}}(1) and {{ldapmodify}}(1), will by default attempt
to authenticate the user to the {{slapd}}(8) server using SASL.
Basic authentication service can be set up by the LDAP administrator
with a few steps, allowing users to be authenticated to the slapd
server as their LDAP entry. With a few extra steps, some users and
services can be allowed to exploit SASL's proxy authorization
feature, allowing them to authenticate themselves and then switch
their identity to that of another user or service.
to authenticate the user to the {{TERM:LDAP}} directory server using
SASL. Basic authentication service can be set up by the LDAP
administrator with a few steps, allowing users to be authenticated
to the slapd server as their LDAP entry. With a few extra steps,
some users and services can be allowed to exploit SASL's proxy
authorization feature, allowing them to authenticate themselves and
then switch their identity to that of another user or service.
This chapter assumes you have read {{Cyrus SASL for System
Administrators}}, provided with the {{PRD:Cyrus}} {{PRD:SASL}}
Administrators}}, provided with the {{PRD:Cyrus SASL}}
package (in {{FILE:doc/sysadmin.html}}) and have a working Cyrus
SASL installation. You should use the Cyrus SASL {{EX:sample_client}}
and {{EX:sample_server}} to test your SASL installation before
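Review bot: "exploit SASL's proxy authorization feature" is kept unchanged in the new text and reads as if proxy authorization were a weakness; "use" is the plain word. The same paragraph pairs PLAIN and EXTERNAL "for use with TLS" without saying that for PLAIN the TLS layer is what protects the credential rather than an optional extra; one clause would make the pairing understandable to the reader choosing a mechanism.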
@ -56,19 +56,19 @@ document.
The DIGEST-MD5 mechanism is the mandatory-to-implement authentication
mechanism for LDAPv3. Though DIGEST-MD5 is not a strong authentication
mechanism in comparison with trusted third party authentication
systems (such as Kerberos or public key systems), it does offer
significant protections against a number of attacks. Unlike the
CRAM-MD5 mechanism, it prevents chosen plaintext attacks. DIGEST-MD5
is favored over the use of plaintext password mechanisms. The
CRAM-MD5 mechanism is deprecated in favor of DIGEST-MD5. Use of
{{SECT:DIGEST-MD5}} is discussed below.
systems (such as {{TERM:Kerberos}} or public key systems), it does
offer significant protections against a number of attacks. Unlike
the {{TERM:CRAM-MD5}} mechanism, it prevents chosen plaintext
attacks. DIGEST-MD5 is favored over the use of plaintext password
mechanisms. The CRAM-MD5 mechanism is deprecated in favor of
DIGEST-MD5. Use of {{SECT:DIGEST-MD5}} is discussed below.
The GSSAPI mechanism utilizes Kerberos V to provide secure
authentication services. The KERBEROS_V4 mechanism is available
for those using Kerberos IV. Kerberos is viewed as a secure,
distributed authentication system suitable for both small and large
enterprises. Use of {{SECT:GSSAPI}} and {{SECT:KERBEROS_V4}} are
discussed below.
The GSSAPI mechanism utilizes {{TERM:GSS-API}} {{TERM:Kerberos}} V
to provide secure authentication services. The KERBEROS_V4 mechanism
is available for those using Kerberos IV. Kerberos is viewed as a
secure, distributed authentication system suitable for both small
and large enterprises. Use of {{SECT:GSSAPI}} and {{SECT:KERBEROS_V4}}
are discussed below.
The EXTERNAL mechanism utilizes authentication services provided
by lower level network services such as {{TERM:TLS}} (TLS). When
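Review bot: the rewritten paragraph explicitly deprecates CRAM-MD5 in favour of DIGEST-MD5, but the GSSAPI paragraph still presents KERBEROS_V4 as a current option with no status note at all; since both paragraphs were touched here, suggest stating whether KERBEROS_V4 is still recommended or is kept only for legacy Kerberos IV sites, so the two mechanism descriptions give the reader the same kind of guidance.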
@ -85,18 +85,18 @@ document.
H2: SASL Authentication
Getting basic SASL authentication running involves a few steps.
The first step configures your slapd server environment so
that it can communicate with client programs using the security
system in place at your site. This usually involves setting up a
service key, a public key, or other form of secret. The second step
concerns mapping authentication identities to LDAP DN's, which
The first step configures your slapd server environment so that it
can communicate with client programs using the security system in
place at your site. This usually involves setting up a service key,
a public key, or other form of secret. The second step concerns
mapping authentication identities to LDAP {{TERM:DN}}'s, which
depends on how entries are laid out in your directory. An explanation
of the first step will be given in the next section using Kerberos
V4 as an example mechanism. The steps necessary for your site's
authentication mechanism will be similar, but a guide to every
mechanism available under SASL is beyond the scope of this chapter.
The second step is described in the section
{{SECT:Mapping Authentication Identities}}.
The second step is described in the section {{SECT:Mapping
Authentication Identities}}.
H3: GSSAPI
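Review bot: the paragraph still says the first step "will be given in the next section using Kerberos V4 as an example mechanism", but the section that follows is `H3: GSSAPI`, which the mechanism list above ties to Kerberos V; either that sentence or the section order is stale and should be reconciled in this hunk. Also `LDAP {{TERM:DN}}'s` keeps the apostrophe plural; `DNs` is the usual form.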

View file

@ -1,5 +1,5 @@
# $OpenLDAP$
# Copyright 1999-2006 The OpenLDAP Foundation, All Rights Reserved.
# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: Schema Specification
@ -28,7 +28,7 @@ indirectly).
H2: Distributed Schema Files
OpenLDAP is distributed with a set of schema specifications for
OpenLDAP Software is distributed with a set of schema specifications for
your use. Each set is defined in a file suitable for inclusion
(using the {{EX:include}} directive) in your {{slapd.conf}}(5)
file. These schema files are normally installed in the
@ -55,7 +55,7 @@ desired file in the global definitions portion of your
> include /usr/local/etc/openldap/schema/inetorgperson.schema
Additional files may be available. Please consult the OpenLDAP
FAQ ({{URL:http://www.openldap.org/faq/}}).
{{TERM:FAQ}} ({{URL:http://www.openldap.org/faq/}}).
Note: You should not modify any of the schema items defined
in provided files.
@ -114,9 +114,9 @@ see {{URL:http://www.alvestrand.no/harald/objectid/}}.
.{{Under no circumstances should you hijack OID namespace!}}
To obtain a registered OID at {{no cost}}, apply for an OID under
the {{ORG[expand]IANA}} (IANA) maintained {{Private Enterprise}}
the {{ORG[expand]IANA}} (ORG:IANA) maintained {{Private Enterprise}}
arc. Any private enterprise (organization) may request an OID to
be assigned under this arc. Just fill out the {{ORG:IANA}} form
be assigned under this arc. Just fill out the IANA form
at {{URL: http://www.iana.org/cgi-bin/enterprise.pl}} and your
official OID will be sent to you usually within a few days. Your
base OID will be something like {{EX:1.3.6.1.4.1.X}} where {{EX:X}}
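Review bot: the new line `the {{ORG[expand]IANA}} (ORG:IANA) maintained` drops the double braces around `ORG:IANA`, so the literal text `(ORG:IANA)` will appear in the output instead of the acronym; it should read `({{ORG:IANA}})`, matching the `{{TERM[expand]SASL}} (SASL)` pattern used elsewhere in this diff. The later `Just fill out the IANA form` correctly drops the markup on the second mention, so only the first needs fixing.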
@ -181,7 +181,7 @@ attribute found in the subschema subentry, e.g.:
E: attributetype <{{REF:RFC4512}} Attribute Type Description>
where Attribute Type Description is defined by the following
{{TERM:BNF}}:
{{TERM:ABNF}}:
> AttributeTypeDescription = "(" whsp
> numericoid whsp ; AttributeType identifier
@ -229,22 +229,22 @@ and a brief description. Each name is an alias for the OID.
{{slapd}}(8) returns the first listed name when returning results.
The first attribute, {{EX:name}}, holds values of {{EX:directoryString}}
(UTF-8 encoded Unicode) syntax. The syntax is specified by OID
(1.3.6.1.4.1.1466.115.121.1.15 identifies the directoryString
syntax). A length recommendation of 32768 is specified. Servers
should support values of this length, but may support longer values
The field does NOT specify a size constraint, so is ignored on
servers (such as slapd) which don't impose such size limits. In
addition, the equality and substring matching uses case ignore
rules. Below are tables listing commonly used syntax and
matching rules (OpenLDAP supports these and many more).
({{TERM:UTF-8}} encoded Unicode) syntax. The syntax is
specified by OID (1.3.6.1.4.1.1466.115.121.1.15 identifies the
directoryString syntax). A length recommendation of 32768 is
specified. Servers should support values of this length, but may
support longer values The field does NOT specify a size constraint,
so is ignored on servers (such as slapd) which don't impose such
size limits. In addition, the equality and substring matching uses
case ignore rules. Below are tables listing commonly used syntax
and matching rules ({{slapd}}(8) supports these and many more).
!block table; align=Center; coltags="EX,EX,N"; \
title="Table 8.3: Commonly Used Syntaxes"
Name OID Description
boolean 1.3.6.1.4.1.1466.115.121.1.7 boolean value
directoryString 1.3.6.1.4.1.1466.115.121.1.15 Unicode (UTF-8) string
distinguishedName 1.3.6.1.4.1.1466.115.121.1.12 LDAP DN
distinguishedName 1.3.6.1.4.1.1466.115.121.1.12 LDAP {{TERM:DN}}
integer 1.3.6.1.4.1.1466.115.121.1.27 integer
numericString 1.3.6.1.4.1.1466.115.121.1.36 numeric string
OID 1.3.6.1.4.1.1466.115.121.1.38 object identifier
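Review bot: the sentence "may support longer values The field does NOT specify a size constraint" is missing its full stop after "values"; the defect was in the old text and is carried unchanged into the reflowed paragraph, so this reflow is the moment to fix it. "the equality and substring matching uses case ignore rules" should also be "use".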
@ -301,9 +301,9 @@ description, e.g:
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
> SINGLE-VALUE )
However, if we want this name to be included in
{{EX:name}} assertions [e.g. {{EX:(name=*Jane*)}}], the attribute
could alternatively be defined as a subtype of {{EX:name}}, e.g.:
However, if we want this name to be used in {{EX:name}} assertions,
e.g. {{EX:(name=*Jane*)}}, the attribute could alternatively be
defined as a subtype of {{EX:name}}, e.g.:
> attributetype ( 1.1.2.1.1 NAME 'x-my-UniqueName'
> DESC 'unique name with my organization'
@ -354,7 +354,7 @@ attribute found in the subschema subentry, e.g.:
E: objectclass <{{REF:RFC4512}} Object Class Description>
where Object Class Description is defined by the following
{{TERM:BNF}}:
{{TERM:ABNF}}:
> ObjectClassDescription = "(" whsp
> numericoid whsp ; ObjectClass identifier
@ -369,7 +369,7 @@ where Object Class Description is defined by the following
> whsp ")"
where whsp is a space ('{{EX: }}'), numericoid is a globally unique
OID in numeric form (e.g. {{EX:1.1.0}}), qdescrs is one or more
OID in dotted-decimal form (e.g. {{EX:1.1.0}}), qdescrs is one or more
names, and oids is one or more names and/or OIDs.
@ -406,8 +406,8 @@ and {{EX:givenName}} and allows {{EX:x-my-Photo}}.
H2: Transferring Schema
Since the {{slapd.conf}}(5) schema directives use {{REF:RFC4512}}
format values, you can extract schema elements published by
any LDAPv3 server and easily construct directives for use with
format values, you can extract schema elements published by any
{{TERM:LDAPv3}} server and easily construct directives for use with
{{slapd}}(8).
LDAPv3 servers publish schema elements in special {{subschema}}

View file

@ -1,4 +1,4 @@
# Copyright 1999-2006 The OpenLDAP Foundation, All Rights Reserved.
# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: Security Considerations
@ -76,9 +76,10 @@ confidentiality protection. OpenLDAP supports negotiation of
See the {{SECT:Using TLS}} chapter for more information. StartTLS
is the standard track mechanism.
A number of {{TERM[expand]SASL}} (SASL) mechanisms, such as DIGEST-MD5
and {{TERM:GSSAPI}}, also provide data integrity and confidentiality
protection. See the {{SECT:Using SASL}} chapter for more information.
A number of {{TERM[expand]SASL}} (SASL) mechanisms, such as
{{TERM:DIGEST-MD5}} and {{TERM:GSSAPI}}, also provide data integrity
and confidentiality protection. See the {{SECT:Using SASL}} chapter
for more information.
H3: Security Strength Factors
@ -102,9 +103,9 @@ requires integrity protection for all operations and encryption
protection, 3DES equivalent, for update operations (e.g. add, delete,
modify, etc.). See {{slapd.conf}}(5) for details.
For fine-grained control, SSFs may be used in access controls. See
{{SECT:Access Control}} section of the {{SECT:The slapd Configuration
File}} for more information.
For fine-grained control, SSFs may be used in access controls.
See {{SECT:The access Configuration Directive}} section of the
{{SECT:The slapd Configuration File}} for more information.
H2: Authentication Methods
@ -144,13 +145,14 @@ the session. User/password authenticated bind is enabled by default.
However, as this mechanism itself offers no evesdropping protection
(e.g., the password is set in the clear), it is recommended that
it be used only in tightly controlled systems or when the LDAP
session is protected by other means (e.g., TLS, {{TERM:IPSEC}}).
session is protected by other means (e.g., TLS, {{TERM:IPsec}}).
Where the administrator relies on TLS to protect the password, it
is recommended that unprotected authentication be disabled. This
is done by setting "{{EX:disallow bind_simple_unprotected}}" in
{{slapd.conf}}(5). The {{EX:security}} directive's {{EX:simple_bind}}
option provides fine grain control over the level of confidential
is done using the {{EX:security}} directive's {{EX:simple_bind}}
option, which provides fine grain control over the level of confidential
protection to require for {{simple}} user/password authentication.
E.g., using {{EX:security simple_bind=56}} would require {{simple}}
binds to use encryption of DES equivalent or better.
The user/password authenticated bind mechanism can be completely
disabled by setting "{{EX:disallow bind_simple}}".
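Review bot: "evesdropping" in the unchanged context line should be "eavesdropping". On substance, now that the `security` directive's `simple_bind` option is the only documented way to refuse unprotected simple binds, the retained example `security simple_bind=56` (DES equivalent) sits oddly beside the SSF section of this same chapter, which illustrates a 3DES-equivalent requirement for update operations; consider an example value at least that strong so readers do not copy a weaker floor for the one operation that carries the password.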

View file

@ -1,29 +1,32 @@
# $OpenLDAP$
# Copyright 2005-2006 The OpenLDAP Foundation, All Rights Reserved.
# Copyright 2005-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: Configuring slapd
Once the software has been built and installed, you are ready
to configure {{slapd}}(8) for use at your site. Unlike previous
OpenLDAP releases, the slapd runtime configuration in 2.3 is
fully LDAP-enabled and can be managed using the standard LDAP
OpenLDAP releases, the slapd(8) runtime configuration in 2.3 (and later)
is fully LDAP-enabled and can be managed using the standard LDAP
operations with data in {{TERM:LDIF}}. The LDAP configuration engine
allows all of slapd's configuration options to be changed on the fly,
generally without requiring a server restart for the changes
to take effect. The old style {{slapd.conf}}(5) file is still
supported, but must be converted to the new {{slapd.d}}(5) format
supported, but must be converted to the new {{slapd-config}}(5) format
to allow runtime changes to be saved. While the old style
configuration uses a single file, normally installed as
{{F:/usr/local/etc/openldap/slapd.conf}}, the new style
uses a slapd backend database to store the configuration. The
configuration database normally resides in the
{{F:/usr/local/etc/openldap/slapd.d}} directory.
{{F:/usr/local/etc/openldap/slapd.d}} directory. When
converting from the slapd.conf format to slapd.d format, any
include files will also be integrated into the resulting configuration
database.
An alternate configuration directory (or file) can be specified via a
command-line option to {{slapd}}(8) or {{slurpd}}(8). This chapter
describes the general format of the configuration system, followed by a
detailed description of commonly used config settings.
An alternate configuration directory (or file) can be specified via
a command-line option to {{slapd}}(8). This chapter describes the
general format of the configuration system, followed by a detailed
description of commonly used config settings.
Note: some of the backends and of the distributed overlays
do not support runtime configuration yet. In those cases,
@ -49,13 +52,9 @@ FT[align="Center"] Figure 5.1: Sample configuration tree.
Other objects may be part of the configuration but were omitted from
the illustration for clarity.
The {{slapd.d}} configuration tree has a very specific structure. The
The {{slapd-config}} configuration tree has a very specific structure. The
root of the tree is named {{EX:cn=config}} and contains global configuration
settings. Additional settings are contained in separate child entries:
* Include files
.. Usually these are just pathnames left over from a converted
{{EX:slapd.conf}} file.
.. Otherwise use of Include files is deprecated.
* Dynamically loaded modules
.. These may only be used if the {{EX:--enable-modules}} option was
used to configure the software.
@ -146,7 +145,7 @@ and object classes) are also provided in the
H2: Configuration Directives
This section details commonly used configuration directives. For
a complete list, see the {{slapd.d}}(5) manual page. This section
a complete list, see the {{slapd-config}}(5) manual page. This section
will treat the configuration directives in a top-down order, starting
with the global directives in the {{EX:cn=config}} entry. Each
directive will be described along with its default value (if any) and
@ -244,39 +243,6 @@ H4: Sample Entry
>olcReferral: ldap://root.openldap.org
H3: cn=include
An include entry holds the pathname of one include file. Include files
are part of the old style slapd.conf configuration system and must be in
slapd.conf format. Include files were commonly used to load schema
specifications. While they are still supported, their use is deprecated.
Include entries must have the {{EX:olcIncludeFile}} objectClass.
H4: olcInclude: <filename>
This directive specifies that slapd should read additional
configuration information from the given file.
Note: You should be careful when using this directive - there is
no small limit on the number of nested include directives, and no
loop detection is done.
H4: Sample Entries
>dn: cn=include{0},cn=config
>objectClass: olcIncludeFile
>cn: include{0}
>olcInclude: ./schema/core.schema
>
>dn: cn=include{1},cn=config
>objectClass: olcIncludeFile
>cn: include{1}
>olcInclude: ./schema/cosine.schema
H3: cn=module
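Review bot: removing the cn=include section is consistent with the new intro text saying include files are folded into the configuration database at conversion time, but the warning it carried ("no small limit on the number of nested include directives, and no loop detection is done") still applies to the old style slapd.conf(5) file, which the same intro says remains supported; suggest that warning survive next to the slapd.conf `include` directive rather than disappear with this section.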
If support for dynamically loaded modules was enabled when configuring
@ -504,8 +470,8 @@ to the slave slapd.
Simple authentication should not be used unless adequate data
integrity and confidentiality protections are in place (e.g. TLS
or IPSEC). Simple authentication requires specification of
{{EX:binddn}} and {{EX:credentials}} parameters.
or {{TERM:IPsec}}). Simple authentication requires specification
of {{EX:binddn}} and {{EX:credentials}} parameters.
SASL authentication is generally recommended. SASL authentication
requires specification of a mechanism using the {{EX:saslmech}} parameter.
@ -522,11 +488,12 @@ H4: olcReplogfile: <filename>
This directive specifies the name of the replication log file to
which slapd will log changes. The replication log is typically
written by slapd and read by slurpd. Normally, this directive is
only used if slurpd is being used to replicate the database.
However, you can also use it to generate a transaction log, if
slurpd is not running. In this case, you will need to periodically
truncate the file, since it will grow indefinitely otherwise.
written by {{slapd}}(8) and read by {{slurpd}}(8). Normally, this
directive is only used if {{slurpd}}(8) is being used to replicate
the database. However, you can also use it to generate a transaction
log, if {{slurpd}}(8) is not running. In this case, you will need to
periodically truncate the file, since it will grow indefinitely
otherwise.
See the chapter entitled {{SECT:Replication with slurpd}} for more
information on how to use this directive.
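Review bot: the olcReplogfile description is expanded here and still presents {{slurpd}}(8) replication as a normal mode of operation, while the Replication with slurpd chapter in this same diff gains a note that slurpd is deprecated in favour of LDAP Sync replication; suggest a matching one-line note here (deprecated; see {{SECT:LDAP Sync Replication}}) so a reader starting from the directive reference gets the same guidance.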
@ -612,7 +579,7 @@ H4: olcSyncrepl
> [type=refreshOnly|refreshAndPersist]
> [interval=dd:hh:mm:ss]
> [retry=[<retry interval> <# of retries>]+]
> [searchbase=<base DN>]
> searchbase=<base DN>
> [filter=<filter str>]
> [scope=sub|one|base]
> [attrs=<attr list>]
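Review bot: dropping the brackets around `searchbase=<base DN>` makes it the only mandatory parameter besides `rid` and `provider` in this synopsis, but none of the parameter descriptions visible in this diff say searchbase is required or what happens when it is omitted; the prose should state it, since a reader scanning the descriptions will otherwise assume the old optional behaviour.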
@ -628,6 +595,17 @@ H4: olcSyncrepl
> [credentials=<passwd>]
> [realm=<realm>]
> [secprops=<properties>]
> [starttls=yes|critical]
> [tls_cert=<file>]
> [tls_key=<file>]
> [tls_cacert=<file>]
> [tls_cacertdir=<path>]
> [tls_reqcert=never|allow|try|demand]
> [tls_ciphersuite=<ciphers>]
> [tls_crlcheck=none|peer|all]
> [logbase=<base DN>]
> [logfilter=<filter str>]
> [syncdata=default|accesslog|changelog]
This directive specifies the current database as a replica of the
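Review bot: the synopsis gains `tls_reqcert=never|allow|try|demand` and `tls_crlcheck=none|peer|all`, but the explanatory text added later in this diff only describes `starttls`; suggest the description state the default for `tls_reqcert` and spell out which settings leave the provider's certificate unverified, since a consumer that does not verify the provider accepts whatever directory content it is handed over that session. The same goes for `tls_crlcheck`, whose `peer` and `all` values are otherwise undocumented here.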
@ -636,8 +614,8 @@ replication consumer site running a syncrepl replication engine.
The master database is located at the replication provider site
specified by the {{EX:provider}} parameter. The replica database is
kept up-to-date with the master content using the LDAP Content
Synchronization protocol. See {{EX:draft-zeilenga-ldup-sync-xx.txt}}
({{a work in progress}}) for more information on the protocol.
Synchronization protocol. See {{REF:RFC4533}}
for more information on the protocol.
The {{EX:rid}} parameter is used for identification of the current
{{EX:syncrepl}} directive within the replication consumer server,
@ -672,7 +650,7 @@ attributes, and {{EX:attrsonly}} is unset by default. Both {{EX:sizelimit}}
and {{EX:timelimit}} default to "unlimited", and only positive integers
or "unlimited" may be specified.
The LDAP Content Synchronization protocol has two operation
The {{TERM[expand]LDAP Sync}} protocol has two operation
types: {{EX:refreshOnly}} and {{EX:refreshAndPersist}}.
The operation type is specified by the {{EX:type}} parameter.
In the {{EX:refreshOnly}} operation, the next synchronization search operation
@ -680,7 +658,7 @@ is periodically rescheduled at an interval time after each
synchronization operation finishes. The interval is specified
by the {{EX:interval}} parameter. It is set to one day by default.
In the {{EX:refreshAndPersist}} operation, a synchronization search
remains persistent in the provider slapd. Further updates to the
remains persistent in the provider {{slapd}} instance. Further updates to the
master replica will generate {{EX:searchResultEntry}} to the consumer slapd
as the search responses to the persistent synchronization search.
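Review bot: `provider slapd` becomes `provider {{slapd}} instance`, but `consumer slapd` on the very next line is left unmarked; mark both the same way, and consider the `{{slapd}}(8)` man-page form that the rest of this guide uses rather than bare `{{slapd}}`.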
@ -708,11 +686,11 @@ master database.
The {{EX:bindmethod}} is {{EX:simple}} or {{EX:sasl}},
depending on whether simple password-based authentication or
{{TERM:SASL}} authentication is to be used when connecting
to the provider slapd.
to the provider {{slapd}} instance.
Simple authentication should not be used unless adequate data
integrity and confidentiality protections are in place (e.g. TLS
or IPSEC). Simple authentication requires specification of {{EX:binddn}}
or IPsec). Simple authentication requires specification of {{EX:binddn}}
and {{EX:credentials}} parameters.
SASL authentication is generally recommended. SASL authentication
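Review bot: `IPSEC` is corrected to plain `IPsec` here, while the identical sentence in the slapd.conf chapter (hunk `@ -321,7 +321,7 @` in this commit) uses `{{TERM:IPsec}}`; use the TERM macro in both places so the glossary link is consistent.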
@ -726,11 +704,31 @@ The {{EX:realm}} parameter specifies a realm which a certain
mechanisms authenticate the identity within. The {{EX:secprops}}
parameter specifies Cyrus SASL security properties.
The syncrepl replication mechanism is supported by the
two native backends: back-bdb and back-hdb.
The {{EX:starttls}} parameter specifies use of the StartTLS extended
operation to establish a TLS session before authenticating to the provider.
If the {{EX:critical}} argument is supplied, the session will be aborted
if the StartTLS request fails. Otherwise the syncrepl session continues
without TLS. Note that the main slapd TLS settings are not used by the
syncrepl engine; by default the TLS parameters from a {{ldap.conf}}(5)
configuration file will be used. TLS settings may be specified here,
in which case any {{ldap.conf}}(5) settings will be completely ignored.
See the {{SECT:LDAP Sync Replication}} chapter of the admin guide
for more information on how to use this directive.
Rather than replicating whole entries, the consumer can query logs
of data modifications. This mode of operation is referred to as
{{delta syncrepl}}. In addition to the above parameters, the
{{EX:logbase}} and {{EX:logfilter}} parameters must be set appropriately
for the log that will be used. The {{EX:syncdata}} parameter must
be set to either {{EX:"accesslog"}} if the log conforms to the
{{slapo-accesslog}}(5) log format, or {{EX:"changelog"}} if the log
conforms to the obsolete {{changelog}} format. If the {{EX:syncdata}}
parameter is omitted or set to {{EX:"default"}} then the log
parameters are ignored.
The {{syncrepl}} replication mechanism is supported by the {{bdb}} and
{{hdb}} backends.
See the {{SECT:LDAP Sync Replication}} chapter of this guide for
more information on how to use this directive.
H4: olcTimeLimit: <integer>
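Review bot: "Otherwise the syncrepl session continues without TLS" understates the consequence: with `bindmethod=simple`, a StartTLS failure that is not `critical` means `binddn` and `credentials` are sent in clear to the provider, which contradicts the paragraph above saying simple authentication should not be used without TLS. Suggest recommending `starttls=critical` whenever simple authentication is configured, and stating explicitly whether setting a single `tls_*` parameter discards every `ldap.conf`(5) TLS setting including `tls_cacert`, as "completely ignored" implies.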
@ -848,6 +846,14 @@ is multi-valued, to accomodate multiple configuration directives. No default
is provided, but it is essential to use proper settings here to get the
best server performance.
Any changes made to this attribute will be written to the {{EX:DB_CONFIG}}
file and will cause the database environment to be reset so the changes
can take immediate effect. If the environment cache is large and has not
been recently checkpointed, this reset operation may take a long time. It
may be advisable to manually perform a single checkpoint using the Berkeley DB
{{db_checkpoint}} utility before using LDAP Modify to change this
attribute.
\Example:
> olcDbConfig: set_cachesize 0 10485760 0
@ -861,7 +867,7 @@ in the /var/tmp/bdb-log directory. Also a flag is set to tell BDB to
delete transaction log files as soon as their contents have been
checkpointed and they are no longer needed. Without this setting the
transaction log files will continue to accumulate until some other
cleanup procedure removes them. See the SleepyCat documentation for the
cleanup procedure removes them. See the Berkeley DB documentation for the
{{EX:db_archive}} command for details.
Ideally the BDB cache must be
@ -870,7 +876,7 @@ should be large enough to accomodate most transactions without overflowing,
and the log directory must be on a separate physical disk from the main
database files. And both the database directory and the log directory
should be separate from disks used for regular system activities such as
the root, boot, or swap filesystems. See the FAQ-o-Matic and the SleepyCat
the root, boot, or swap filesystems. See the FAQ-o-Matic and the Berkeley DB
documentation for more details.
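Review bot: the `SleepyCat` to `Berkeley DB` rename is fine, but the context lines at `@ -848` and `@ -870` both still read `accomodate`; fix to `accommodate` while this text is being touched.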
@ -900,7 +906,8 @@ H4: olcDbIndex: {<attrlist> | default} [pres,eq,approx,sub,none]
This directive specifies the indices to maintain for the given
attribute. If only an {{EX:<attrlist>}} is given, the default
indices are maintained.
indices are maintained. The index keywords correspond to the
common types of matches that may be used in an LDAP search filter.
\Example:
@ -917,11 +924,37 @@ be maintained for {{EX:cn}} and {{EX:sn}} attribute types. The
fourth line causes an equality index for the {{EX:objectClass}}
attribute type.
There is no index keyword for inequality matches. Generally these
matches do not use an index. However, some attributes do support
indexing for inequality matches, based on the equality index.
A substring index can be more explicitly specified as {{EX:subinitial}},
{{EX:subany}}, or {{EX:subfinal}}, corresponding to the three
possible components
of a substring match filter. A subinitial index only indexes
substrings that appear at the beginning of an attribute value.
A subfinal index only indexes substrings that appear at the end
of an attribute value, while subany indexes substrings that occur
anywhere in a value.
Note that by default, setting an index for an attribute also
affects every subtype of that attribute. E.g., setting an equality
index on the {{EX:name}} attribute causes {{EX:cn}}, {{EX:sn}}, and every other
attribute that inherits from {{EX:name}} to be indexed.
By default, no indices are maintained. It is generally advised
that minimally an equality index upon objectClass be maintained.
> olcDbindex: objectClass eq
Additional indices should be configured corresponding to the
most common searches that are used on the database.
Presence indexing should not be configured for an attribute
unless the attribute occurs very rarely in the database, and
presence searches on the attribute occur very frequently during
normal use of the directory. Most applications don't use presence
searches, so usually presence indexing is not very useful.
If this setting is changed while slapd is running, an internal task
will be run to generate the changed index data. All server operations
can continue as normal while the indexer does its work. If slapd is
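Review bot: the example `> olcDbindex: objectClass eq` spells the attribute with a lowercase `i`, unlike the `olcDbIndex` heading at `@ -900` and the other examples; slapd treats attribute names case-insensitively, but readers who copy the example will wonder which spelling is correct. "Most applications don't use presence searches" is also the only contraction in this section; "do not" matches the surrounding text.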

View file

@ -1,5 +1,5 @@
# $OpenLDAP$
# Copyright 1999-2006 The OpenLDAP Foundation, All Rights Reserved.
# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: The slapd Configuration File
@ -10,10 +10,10 @@ runtime configuration is primarily accomplished through the
{{slapd.conf}}(5) file, normally installed in the
{{EX:/usr/local/etc/openldap}} directory.
An alternate configuration file can be specified via a
command-line option to {{slapd}}(8) or {{slurpd}}(8). This chapter
describes the general format of the config file, followed by a
detailed description of commonly used config file directives.
An alternate configuration file location can be specified via a command-line
option to {{slapd}}(8). This chapter describes the general format
of the {{slapd.conf}}(5) configuration file, followed by a detailed
description of commonly used config file directives.
H2: Configuration File Format
@ -89,11 +89,11 @@ by actual text are shown in brackets {{EX:<>}}.
H4: access to <what> [ by <who> [<accesslevel>] [<control>] ]+
This directive grants access (specified by <accesslevel>) to a
set of entries and/or attributes (specified by <what>) by one or
more requesters (specified by <who>).
See the {{SECT:Access Control}} section of this chapter for a
summary of basic usage.
This directive grants access (specified by <accesslevel>) to a set
of entries and/or attributes (specified by <what>) by one or more
requesters (specified by <who>). See the {{SECT:The access
Configuration Directive}} section of this chapter for a summary of
basic usage.
!if 0
More details discussion of this directive can be found in the
@ -142,7 +142,7 @@ correspond to what kind of debugging, invoke slapd with {{EX:-?}}
or consult the table below. The possible values for <integer> are:
!block table; colaligns="RL"; align=Center; \
title="Table 5.1: Debugging Levels"
title="Table 6.1: Debugging Levels"
Level Description
-1 enable all debugging
0 no debugging
@ -229,7 +229,7 @@ H4: backend <type>
This directive marks the beginning of a backend declaration.
{{EX:<type>}} should be one of the
supported backend types listed in Table 5.2.
supported backend types listed in Table 6.2.
!block table; align=Center; coltags="EX,N"; \
title="Table 5.2: Database Backends"
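Review bot: the references are renumbered to `Table 6.2`, but the unchanged context line `title="Table 5.2: Database Backends"` directly below still carries the old number, so the text now points at a table that does not exist; renumber the `!block table` title as was done for Table 6.1.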
@ -264,7 +264,7 @@ H4: database <type>
This directive marks the beginning of a database instance
declaration.
{{EX:<type>}} should be one of the
supported backend types listed in Table 5.2.
supported backend types listed in Table 6.2.
\Example:
@ -321,7 +321,7 @@ authentication is to be used when connecting to the slave slapd.
Simple authentication should not be used unless adequate data
integrity and confidentiality protections are in place (e.g. TLS
or IPSEC). Simple authentication requires specification of
or {{TERM:IPsec}}). Simple authentication requires specification of
{{EX:binddn}} and {{EX:credentials}} parameters.
SASL authentication is generally recommended. SASL authentication
@ -334,7 +334,6 @@ an authorization identity.
See the chapter entitled {{SECT:Replication with slurpd}} for more
information on how to use this directive.
H4: replogfile <filename>
This directive specifies the name of the replication log file to
@ -415,7 +414,7 @@ H4: syncrepl
> [type=refreshOnly|refreshAndPersist]
> [interval=dd:hh:mm:ss]
> [retry=[<retry interval> <# of retries>]+]
> [searchbase=<base DN>]
> searchbase=<base DN>
> [filter=<filter str>]
> [scope=sub|one|base]
> [attrs=<attr list>]
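Review bot: `searchbase=<base DN>` is made mandatory in the slapd.conf synopsis, but the `olcSyncrepl` synopsis in the slapd-config chapter (its hunk earlier in this commit shows only the tail of the parameter list) is not visibly given the same change; make sure both synopses agree.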
@ -439,8 +438,8 @@ replication consumer site running a syncrepl replication engine.
The master database is located at the replication provider site
specified by the {{EX:provider}} parameter. The replica database is
kept up-to-date with the master content using the LDAP Content
Synchronization protocol. See {{EX:draft-zeilenga-ldup-sync-xx.txt}}
({{a work in progress}}) for more information on the protocol.
Synchronization protocol. See {{REF:RFC4533}}
for more information on the protocol.
The {{EX:rid}} parameter is used for identification of the current
{{EX:syncrepl}} directive within the replication consumer server,
@ -515,7 +514,7 @@ to the provider slapd.
Simple authentication should not be used unless adequate data
integrity and confidentiality protections are in place (e.g. TLS
or IPSEC). Simple authentication requires specification of {{EX:binddn}}
or IPsec). Simple authentication requires specification of {{EX:binddn}}
and {{EX:credentials}} parameters.
SASL authentication is generally recommended. SASL authentication
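Review bot: within this same file the earlier hunk at `@ -321` writes `{{TERM:IPsec}}` while this one writes plain `IPsec`; pick one form.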
@ -538,11 +537,13 @@ for more information on how to use this directive.
H4: updatedn <DN>
This directive is only applicable in a slave slapd. It specifies
the DN allowed to make changes to the replica. This may be the DN
This directive is only applicable in a {{slave}} (or {{shadow}})
{{slapd(8)}} instance. It specifies the DN allowed to make changes to
the replica. This may be the DN
{{slurpd}}(8) binds as when making changes to the replica or the DN
associated with a SASL identity.
Entry-based Example:
> updatedn "cn=Update Daemon,dc=example,dc=com"
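Review bot: `{{slapd(8)}}` puts the section number inside the macro, whereas the `updateref` hunk just below (and the rest of the guide) writes `{{slapd}}(8)`; the macro form used here will render the man-page reference with the wrong name.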
@ -556,7 +557,8 @@ on how to use this directive.
H4: updateref <URL>
This directive is only applicable in a slave slapd. It
This directive is only applicable in a {{slave}} (or {{shadow}})
{{slapd}}(8) instance. It
specifies the URL to return to clients which submit update
requests upon the replica.
If specified multiple times, each {{TERM:URL}} is provided.
@ -586,9 +588,9 @@ containing the database and associated indices live.
> directory /usr/local/var/openldap-data
H2: Access Control
H2: The access Configuration Directive
Access to slapd entries and attributes is controlled by the
Access to entries and attributes is controlled by the
access configuration file directive. The general form of an
access line is:
@ -716,7 +718,7 @@ access. Note that access is granted to "entities" not "entries."
The following table summarizes entity specifiers:
!block table; align=Center; coltags="EX,N"; \
title="Table 5.3: Access Entity Specifiers"
title="Table 6.3: Access Entity Specifiers"
Specifier|Entities
*|All, including anonymous and authenticated users
anonymous|Anonymous (non-authenticated) users
@ -749,7 +751,7 @@ H3: The access to grant
The kind of <access> granted can be one of the following:
!block table; colaligns="LRL"; coltags="EX,EX,N"; align=Center; \
title="Table 5.4: Access Levels"
title="Table 6.4: Access Levels"
Level Privileges Description
none =0 no access
disclose =d needed for information disclosure on error

View file

@ -1,17 +1,17 @@
# $OpenLDAP$
# Copyright 2003-2006 The OpenLDAP Foundation, All Rights Reserved.
# Copyright 2003-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: LDAP Sync Replication
The LDAP Sync replication engine, syncrepl for short, is a consumer-side
replication engine that enables the consumer LDAP server to maintain
a shadow copy of a DIT fragment. A syncrepl engine resides at the
consumer-side as one of the {{slapd}} (8) threads. It creates and
maintains a consumer replica by connecting to the replication
provider to perform the initial DIT content load followed either
by periodic content polling or by timely updates upon content
changes.
The {{TERM:LDAP Sync}} Replication engine, {{TERM:syncrepl}} for
short, is a consumer-side replication engine that enables the
consumer {{TERM:LDAP}} server to maintain a shadow copy of a
{{TERM:DIT}} fragment. A syncrepl engine resides at the consumer-side
as one of the {{slapd}}(8) threads. It creates and maintains a
consumer replica by connecting to the replication provider to perform
the initial DIT content load followed either by periodic content
polling or by timely updates upon content changes.
Syncrepl uses the LDAP Content Synchronization (or LDAP Sync for
short) protocol as the replica synchronization protocol. It provides
@ -66,9 +66,7 @@ The LDAP Sync protocol allows a client to maintain a synchronized
copy of a DIT fragment. The LDAP Sync operation is defined as a set
of controls and other protocol elements which extend the LDAP search
operation. This section introduces the LDAP Content Sync protocol
only briefly. For more information, refer to the Internet Draft
{{The LDAP Content Synchronization Operation
<draft-zeilenga-ldup-sync-05.txt>}}.
only briefly. For more information, refer to {{REF:RFC4533}}.
The LDAP Sync protocol supports both polling and listening for
changes by defining two respective synchronization operations:
@ -157,13 +155,14 @@ H2: Syncrepl Details
The syncrepl engine utilizes both the {{refreshOnly}} and the
{{refreshAndPersist}} operations of the LDAP Sync protocol. If a
syncrepl specification is included in a database definition, {{slapd}}
(8) launches a syncrepl engine as a {{slapd}} (8) thread and schedules
its execution. If the {{refreshOnly}} operation is specified, the
syncrepl engine will be rescheduled at the interval time after a
synchronization operation is completed. If the {{refreshAndPersist}}
operation is specified, the engine will remain active and process
the persistent synchronization messages from the provider.
syncrepl specification is included in a database definition,
{{slapd}}(8) launches a syncrepl engine as a {{slapd}}(8) thread
and schedules its execution. If the {{refreshOnly}} operation is
specified, the syncrepl engine will be rescheduled at the interval
time after a synchronization operation is completed. If the
{{refreshAndPersist}} operation is specified, the engine will remain
active and process the persistent synchronization messages from the
provider.
The syncrepl engine utilizes both the present phase and the delete
phase of the refresh synchronization. It is possible to configure
@ -262,7 +261,7 @@ this change without the use of the session log.
H2: Configuring Syncrepl
Because syncrepl is a consumer-side replication engine, the syncrepl
specification is defined in {{slapd.conf}} (5) of the consumer
specification is defined in {{slapd.conf}}(5) of the consumer
server, not in the provider server's configuration file. The initial
loading of the replica content can be performed either by starting
the syncrepl engine with no synchronization cookie or by populating
@ -286,7 +285,7 @@ syncrepl.
H3: Set up the provider slapd
The provider is implemented as an overlay, so the overlay itself
must first be configured in {{slapd.conf}} (5) before it can be
must first be configured in {{slapd.conf}}(5) before it can be
used. The provider has only two configuration directives, for setting
checkpoints on the {{EX:contextCSN}} and for configuring the session
log. Because the LDAP Sync search is subject to access control,
@ -315,7 +314,7 @@ Note that using the session log requires searching on the {{entryUUID}}
attribute. Setting an eq index on this attribute will greatly benefit
the performance of the session log on the provider.
A more complete example of the {{slapd.conf}} content is thus:
A more complete example of the {{slapd.conf}}(5) content is thus:
> database bdb
> suffix dc=Example,dc=com
@ -331,7 +330,7 @@ A more complete example of the {{slapd.conf}} content is thus:
H3: Set up the consumer slapd
The syncrepl replication is specified in the database section of
{{slapd.conf}} (5) for the replica context. The syncrepl engine
{{slapd.conf}}(5) for the replica context. The syncrepl engine
is backend independent and the directive can be defined with any
database type.
@ -354,7 +353,7 @@ database type.
> binddn="cn=syncuser,dc=example,dc=com"
> credentials=secret
In this example, the consumer will connect to the provider slapd
In this example, the consumer will connect to the provider {{slapd}}(8)
at port 389 of {{FILE:ldap://provider.example.com}} to perform a
polling ({{refreshOnly}}) mode of synchronization once a day. It
will bind as {{EX:cn=syncuser,dc=example,dc=com}} using simple
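Review bot: the example connects to `ldap://provider.example.com` on port 389 with `binddn`/`credentials=secret` and no `starttls`, so as written it sends the sync user's password in clear, which the directive description in this same commit says should not be done without TLS or IPsec; add `starttls=critical` to the example or say that the example omits it for brevity. Also `{{FILE:ldap://provider.example.com}}` applies the FILE macro to a URL; `EX` is what the guide uses for URIs.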
@ -371,8 +370,8 @@ entries whose objectClass is organizationalPerson in the entire
subtree rooted at {{EX:dc=example,dc=com}}. The requested attributes
are {{EX:cn}}, {{EX:sn}}, {{EX:ou}}, {{EX:telephoneNumber}},
{{EX:title}}, and {{EX:l}}. The schema checking is turned off, so
that the consumer {{slapd}} (8) will not enforce entry schema
checking when it process updates from the provider {{slapd}} (8).
that the consumer {{slapd}}(8) will not enforce entry schema
checking when it process updates from the provider {{slapd}}(8).
For more detailed information on the syncrepl directive, see the
{{SECT:syncrepl}} section of {{SECT:The slapd Configuration File}}
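Review bot: "when it process updates" is carried over unchanged into the new line; it should read "processes".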
@ -381,7 +380,7 @@ chapter of this admin guide.
H3: Start the provider and the consumer slapd
The provider {{slapd}} (8) is not required to be restarted.
The provider {{slapd}}(8) is not required to be restarted.
{{contextCSN}} is automatically generated as needed: it might be
originally contained in the {{TERM:LDIF}} file, generated by
{{slapadd}} (8), generated upon changes in the context, or generated
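Review bot: `{{slapd}} (8)` is tightened to `{{slapd}}(8)`, but `{{slapadd}} (8)` two lines later keeps the space, and a lone `(8)` still opens the next hunk's context; apply the same fix to every man-page reference in this chapter rather than only the ones touched here.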
@ -391,7 +390,7 @@ LDIF file is being loaded which did not previously contain the
(8) to cause it to be generated. This will allow the server to
startup a little quicker the first time it runs.
When starting a consumer {{slapd}} (8), it is possible to provide
When starting a consumer {{slapd}}(8), it is possible to provide
a synchronization cookie as the {{-c cookie}} command line option
in order to start the synchronization from a specific state. The
cookie is a comma separated list of name=value pairs. Currently
@ -399,7 +398,7 @@ supported syncrepl cookie fields are {{csn=<csn>}} and {{rid=<rid>}}.
{{<csn>}} represents the current synchronization state of the
consumer replica. {{<rid>}} identifies a consumer replica locally
within the consumer server. It is used to relate the cookie to the
syncrepl definition in {{slapd.conf}} (5) which has the matching
syncrepl definition in {{slapd.conf}}(5) which has the matching
replica identifier. The {{<rid>}} must have no more than 3 decimal
digits. The command line cookie overrides the synchronization
cookie stored in the consumer replica database.

View file

@ -6,6 +6,7 @@
# Master: master.sdf
#
!define DOC_TOC 3
!define DOC_TYPE "Administrator's Guide"
!build_title

View file

@ -1,4 +1,4 @@
# Copyright 1999-2006 The OpenLDAP Foundation, All Rights Reserved.
# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: Using TLS
@ -6,25 +6,26 @@ H1: Using TLS
OpenLDAP clients and servers are capable of using the
{{TERM[expand]TLS}} ({{TERM:TLS}}) framework to provide
integrity and confidentiality protections and to support
LDAP authentication using the {{TERM:SASL}} EXTERNAL mechanism.
LDAP authentication using the {{TERM:SASL}} {{TERM:EXTERNAL}} mechanism.
TLS is defined in {{REF:RFC4346}}.
H2: TLS Certificates
TLS uses {{TERM:X.509}} certificates to carry client and server
identities. All servers are required to have valid certificates,
whereas client certificates are optional. Clients must have a
identities. All servers are required to have valid certificates,
whereas client certificates are optional. Clients must have a
valid certificate in order to authenticate via SASL EXTERNAL.
For more information on creating and managing certificates,
see the {{PRD:OpenSSL}} documentation.
H3: Server Certificates
The DN of a server certificate must use the CN attribute
to name the server, and the {{EX:CN}} must carry the server's
fully qualified domain name. Additional alias names and wildcards
may be present in the {{EX:subjectAltName}} certificate extension.
More details on server certificate names are in {{REF:RFC4513}}.
The {{TERM:DN}} of a server certificate must use the {{EX:CN}}
attribute to name the server, and the {{EX:CN}} must carry the
server's fully qualified domain name. Additional alias names and
wildcards may be present in the {{EX:subjectAltName}} certificate
extension. More details on server certificate names are in
{{REF:RFC4513}}.
H3: Client Certificates
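Review bot: the two lines "identities. All servers are required to have valid certificates," and "whereas client certificates are optional. Clients must have a" appear in the hunk unchanged; if this is a trailing-whitespace-only change, drop it to keep the diff readable.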
@ -117,29 +118,29 @@ and {{EX:SSLv2}}.
H4: TLSRandFile <filename>
This directive specifies the file to obtain random bits from when
{{EX:/dev/urandom}} is not available. If the
system provides {{EX:/dev/urandom}} then this option is not needed,
otherwise a source of random data must be configured.
Some systems (e.g. Linux)
provide {{EX:/dev/urandom}} by default, while others (e.g. Solaris)
{{FILE:/dev/urandom}} is not available. If the system provides
{{FILE:/dev/urandom}} then this option is not needed, otherwise a
source of random data must be configured. Some systems (e.g. Linux)
provide {{FILE:/dev/urandom}} by default, while others (e.g. Solaris)
require the installation of a patch to provide it, and others may
not support it at all. In the latter case, EGD or PRNGD should be
installed, and this directive should specify the name of the EGD/PRNGD
socket. The environment variable {{EX:RANDFILE}} can also be used to specify
the filename. Also, in the absence of these options, the {{EX:.rnd}}
file in the slapd user's home directory may be used if it exists. To
use the {{EX:.rnd}} file, just create the file and copy a few hundred
bytes of arbitrary data into the file. The file is only used to
provide a seed for the pseudo-random number generator, and it doesn't
need very much data to work.
socket. The environment variable {{EX:RANDFILE}} can also be used
to specify the filename. Also, in the absence of these options, the
{{EX:.rnd}} file in the slapd user's home directory may be used if
it exists. To use the {{EX:.rnd}} file, just create the file and
copy a few hundred bytes of arbitrary data into the file. The file
is only used to provide a seed for the pseudo-random number generator,
and it doesn't need very much data to work.
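Review bot: "copy a few hundred bytes of arbitrary data" and "doesn't need very much data to work" describe seeding the PRNG with whatever is at hand; when `/dev/urandom` is absent this seed is what the TLS session keys depend on, so the text should say the data must be unpredictable (the EGD/PRNGD sources named earlier in the paragraph, not arbitrary bytes) and that a predictable `.rnd` file weakens every session's keys.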
H4: TLSEphemeralDHParamFile <filename>
This directive specifies the file that contains parameters for Diffie-Hellman
ephemeral key exchange. This is required in order to use a DSA certificate on
the server side (i.e. {{EX:TLSCertificateKeyFile}} points to a DSA key).
Multiple sets of parameters can be included in the file; all of them will
be processed. Parameters can be generated using the following command
This directive specifies the file that contains parameters for
Diffie-Hellman ephemeral key exchange. This is required in order
to use a DSA certificate on the server side (i.e.
{{EX:TLSCertificateKeyFile}} points to a DSA key). Multiple sets
of parameters can be included in the file; all of them will be
processed. Parameters can be generated using the following command
> openssl dhparam [-dsaparam] -out <filename> <numbits>
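Review bot: the reflowed paragraph still gives no guidance on `<numbits>`; a reader generating DH parameters from this command needs a recommended minimum size or a pointer to where one is given.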
@ -177,8 +178,8 @@ be configured on a system-wide basis, they may all be overridden by
individual users in their {{.ldaprc}} files.
The LDAP Start TLS operation is used in LDAP to initiate TLS
negotatation. All OpenLDAP command line tools support a {{E:-Z}}
and {{E:-ZZ}} flag to indicate whether a Start TLS operation is to
negotatation. All OpenLDAP command line tools support a {{EX:-Z}}
and {{EX:-ZZ}} flag to indicate whether a Start TLS operation is to
be issued. The latter flag indicates that the tool is to cease
processing if TLS cannot be started while the former allows the
command to continue.
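Review bot: `{{E:-Z}}` to `{{EX:-Z}}` is the right macro fix, but the hunk's own new line keeps the typo `negotatation` (should be `negotiation`); fix it on the same line.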
@ -186,7 +187,7 @@ command to continue.
In LDAPv2 environments, TLS is normally started using the LDAP
Secure URI scheme ({{EX:ldaps://}}) instead of the normal LDAP URI
scheme ({{EX:ldap://}}). OpenLDAP command line tools allow either
scheme to used with the {{EX:-U}} flag and with the {{EX:URI}}
scheme to used with the {{EX:-H}} flag and with the {{EX:URI}}
{{ldap.conf}}(5) option.
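Review bot: `-U` to `-H` corrects the flag, but the rewritten sentence "scheme to used with" is missing "be" ("to be used"); fix it while editing this line.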

View file

@ -1,5 +1,5 @@
# $OpenLDAP$
# Copyright 1999-2006 The OpenLDAP Foundation, All Rights Reserved.
# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: Performance Tuning

View file

@ -1,5 +1,5 @@
# $OpenLDAP$
# Copyright 1999-2006 The OpenLDAP Foundation, All Rights Reserved.
# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
# template for plain documents

Some files were not shown because too many files have changed in this diff