upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-12-24 08:39:37 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

3rd step at updating docs by hallvard Furuseth (with minor changes in slapd-meta.5)

Browse source
This commit is contained in:
Pierangelo Masarati 2002-05-02 16:35:16 +00:00
parent b732d3ec55
commit 4f24ebbb8d
9 changed files with 443 additions and 297 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
doc/man/man5/slapd-ldap.5
View file

@ -1,4 +1,4 @@
.TH SLAPD-LDAP 5 "30 April 2002" "OpenLDAP LDVERSION"
.TH SLAPD-LDAP 5 "2 May 2002" "OpenLDAP LDVERSION"
.\" Copyright 1998-2002 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
@ -22,6 +22,19 @@ subsequent "backend" or "database" lines.
Other database options are described in the
.BR slapd.conf (5)
manual page.
.LP
Note: It is strongly recommended to set
.RS
lastmod off
.RE
for every
.B ldap
and
.B meta
database.
This is because operational attributes related to entry creation and
modification should not be used, as they could be passed to the target
servers, generating an error.
.TP
.B uri <ldapurl>
LDAP server to use.
@ -71,20 +84,24 @@ manual page.
This maps the OpenLDAP objectclass `groupOfNames' to the Active
Directory objectclass `group':
.LP
.RS
.nf
map objectclass groupOfNames group
map objectclass groupOfNames group
.fi
.RE
.LP
This presents a limited attribute set from the foreign
server:
.LP
.RS
.nf
map attribute cn *
map attribute sn *
map attribute manager *
map attribute description *
map attribute *
map attribute cn *
map attribute sn *
map attribute manager *
map attribute description *
map attribute *
.fi
.RE
.LP
These lines map cn, sn, manager, and description to themselves, and
any other attribute gets "removed" from the object before it is sent

311
doc/man/man5/slapd-meta.5
View file

@ -1,4 +1,4 @@
.TH SLAPD_META 5 "30 April 2002" "OpenLDAP LDVERSION"
.TH SLAPD_META 5 "2 May 2002" "OpenLDAP LDVERSION"
.\" Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
.\" Copying restrictions apply. See the COPYRIGHT file.
.\" Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
@ -61,11 +61,9 @@ knowledge of such attributes.
While code to strip the modification attributes has been put in place
(and #ifdef'd), it implies unmotivated overhead.
So it is strongly recommended to set
.LP
.nf
lastmod off
.fi
.LP
.RS
lastmod off
.RE
for every
.B ldap
and
@ -108,10 +106,12 @@ The <naming context> part is mandatory.
It must end with one of the naming contexts defined for the backend,
e.g.:
.LP
.RS
.nf
suffix "\fBdc=foo,dc=com\fP"
uri "ldap://x.foo.com/dc=x,\fBdc=foo,dc=com\fP"
suffix "\fBdc=foo,dc=com\fP"
uri "ldap://x.foo.com/dc=x,\fBdc=foo,dc=com\fP"
.fi
.RE
.LP
The <naming context> part doesn't need to be unique across the targets;
it may also match one of the values of the "suffix" directive.
@ -185,12 +185,14 @@ Consider a couple of scenarios first.
say "dc=a,dc=foo,dc=com" and "dc=b,dc=foo,dc=com".
Then, an unambiguous Meta database can be configured as:
.LP
.RS
.nf
database meta
suffix "dc=foo,dc=com"
uri "ldap://a.foo.com/dc=a,dc=foo,dc=com"
uri "ldap://b.foo.com/dc=b,dc=foo,dc=com"
database meta
suffix "\fBdc=foo,dc=com\fP"
uri "ldap://a.foo.com/dc=a,\fBdc=foo,dc=com\fP"
uri "ldap://b.foo.com/dc=b,\fBdc=foo,dc=com\fP"
.fi
.RE
.LP
Operations directed to a specific target can be easily resolved
because there are no ambiguities.
@ -208,16 +210,18 @@ and we'd like them to appear as branches of "dc=foo,dc=com", say
"dc=a,dc=foo,dc=com" and "dc=b,dc=foo,dc=com".
Then we need to configure our Meta backend as:
.LP
.RS
.nf
database meta
suffix "dc=foo,dc=com"
uri "ldap://a.bar.com/dc=a,dc=foo,dc=com"
suffixmassage "dc=a,dc=foo,dc=com" "dc=bar,dc=org"
uri "ldap://b.foo.com/dc=b,dc=foo,dc=com"
suffixmassage "dc=b,dc=foo,dc=com" "o=Foo,c=US"
database meta
suffix "dc=foo,dc=com"
uri "ldap://a.bar.com/\fBdc=a,dc=foo,dc=com\fP"
suffixmassage "\fBdc=a,dc=foo,dc=com\fP" "dc=bar,dc=org"
uri "ldap://b.foo.com/\fBdc=b,dc=foo,dc=com\fP"
suffixmassage "\fBdc=b,dc=foo,dc=com\fP" "o=Foo,c=US"
.fi
.RE
.LP
Again, operations can be resolved without ambiguity, although
some rewriting is required.
@ -243,16 +247,18 @@ is not altered.
2b) Consider the above reported scenario with the two servers
sharing the same naming context:
.LP
.RS
.nf
database meta
suffix "dc=foo,dc=com"
uri "ldap://a.bar.com/dc=foo,dc=com"
suffixmassage "dc=foo,dc=com" "dc=bar,dc=org"
uri "ldap://b.foo.com/dc=foo,dc=com"
suffixmassage "dc=foo,dc=com" "o=Foo,c=US"
database meta
suffix "\fBdc=foo,dc=com\fP"
uri "ldap://a.bar.com/\fBdc=foo,dc=com\fP"
suffixmassage "\fBdc=foo,dc=com\fP" "dc=bar,dc=org"
uri "ldap://b.foo.com/\fBdc=foo,dc=com\fP"
suffixmassage "\fBdc=foo,dc=com\fP" "o=Foo,c=US"
.fi
.RE
.LP
All the previous considerations hold, except that now there is
no way to unambiguously resolve a DN.
@ -283,11 +289,13 @@ slapd except a special subtle case (please drop me a note if you can
find other exceptions: <ando@openldap.org>).
The rule
.LP
.RS
.nf
access to dn="<dn>" attr=<attr>
by dnattr=<dnattr> read
by * none
access to dn="<dn>" attr=<attr>
by dnattr=<dnattr> read
by * none
.fi
.RE
.LP
cannot be matched iff the attribute that is being requested, <attr>,
is NOT <dnattr>, and the attribute that determines membership,
@ -367,30 +375,8 @@ More flags (mainly Action Flags) will be added as needed.
.SH "Pattern matching:"
See
.BR regex (7).
.SH "String Substitution:"
The string substitution happens according to a substitution pattern.
.TP
.B -
substring substitution is allowed with the syntax `\ed' where `d' is a
digit ranging 0-9 (0 is the full match).
I see that 0-9 digit expansion is a widely accepted practise; however
there is no technical reason to use such a strict limit.
A syntax of the form `\e{ddd}' should be fine if there is any need to
use a higher number of possible submatches.
.TP
.B -
variable substitution will be allowed (at least when I figure out
which kind of variable could be proficiently substituted)
.TP
.B -
map lookup will be allowed (map lookup of substring matches in gdbm,
ldap(!), math(?) and so on maps `a la sendmail'.
.TP
.B -
subroutine invocation will make it possible to rewrite a submatch in
terms of the output of another rewriteContext.
.SH "Substitution Pattern Syntax:"
everything starting with `%' requires substitution;
Everything starting with `%' requires substitution;
.LP
the only obvious exception is `%%', which is left as is;
.LP
@ -401,16 +387,18 @@ the basic substitution is `%d', where `d' is a digit;
a `%' followed by a `{' invokes an advanced substitution.
The pattern is:
.LP
.nf
`%' `{' [ <op> ] <name> `(' <substitution> `)' `}'
.fi
.RS
`%' `{' [ <op> ] <name> `(' <substitution> `)' `}'
.RE
.LP
where <name> must be a legal name for the map, i.e.
.LP
.RS
.nf
<name> ::= [a-z][a-z0-9]* (case insensitive)
<op> ::= `>' `|' `&' `&&' `*' `**' `$'
<name> ::= [a-z][a-z0-9]* (case insensitive)
<op> ::= `>' `|' `&' `&&' `*' `**' `$'
.fi
.RE
.LP
and <substitution> must be a legal substitution
pattern, with no limits on the nesting level.
@ -482,26 +470,33 @@ server \-> client rewriting.
.LP
client -> server:
.LP
.RS
.nf
(default) if defined and no specific context
is available
bindDn bind
searchBase search
searchFilter search
compareDn compare
addDn add
modifyDn modify
modrDn modrdn
newSuperiorDn modrdn
deleteDn delete
(default) if defined and no specific context
is available
bindDn bind
searchBase search
searchFilter search
compareDn compare
addDn add
modifyDn modify
modrDn modrdn
newSuperiorDn modrdn
deleteDn delete
.fi
.RE
.LP
server -> client:
.LP
.RS
.nf
searchResult search (only if defined; no default)
matchedDn all ops (only if defined; no default; NOT IMPL.)
searchResult search (only if defined; no default;
acts on DN and DN-syntax attributes
of search results)
matchedDn all ops (only if defined; no default;
NOT IMPL. except in search)
.fi
.RE
.LP
.SH "Basic configuration syntax"
.TP
@ -537,103 +532,107 @@ Sets the maximum number of total rewriting passes that can be
performed in a single rewrite operation (to avoid loops).
.SH "Configuration examples:"
.nf
# set to `off' to disable rewriting
rewriteEngine on
# set to `off' to disable rewriting
rewriteEngine on
# Everything defined here goes into the `default' context.
# This rule changes the naming context of anything sent
# to `dc=home,dc=net' to `dc=OpenLDAP, dc=org'
# Everything defined here goes into the `default' context.
# This rule changes the naming context of anything sent
# to `dc=home,dc=net' to `dc=OpenLDAP, dc=org'
rewriteRule "(.*)dc=home,[ ]?dc=net"
"%1dc=OpenLDAP, dc=org" ":"
rewriteRule "(.*)dc=home,[ ]?dc=net"
"%1dc=OpenLDAP, dc=org" ":"
# since a pretty/normalized DN does not include spaces
# after rdn separators, e.g. `,', this rule suffices:
# since a pretty/normalized DN does not include spaces
# after rdn separators, e.g. `,', this rule suffices:
rewriteRule "(.*)dc=home,dc=net"
"%1dc=OpenLDAP,dc=org" ":"
rewriteRule "(.*)dc=home,dc=net"
"%1dc=OpenLDAP,dc=org" ":"
# Start a new context (ends input of the previous one).
# This rule adds blanks between DN parts if not present.
rewriteContext addBlanks
rewriteRule "(.*),([^ ].*)" "%1, %2"
# Start a new context (ends input of the previous one).
# This rule adds blanks between DN parts if not present.
rewriteContext addBlanks
rewriteRule "(.*),([^ ].*)" "%1, %2"
# This one eats blanks
rewriteContext eatBlanks
rewriteRule "(.*),[ ](.*)" "%1,%2"
# This one eats blanks
rewriteContext eatBlanks
rewriteRule "(.*),[ ](.*)" "%1,%2"
# Here control goes back to the default rewrite
# context; rules are appended to the existing ones.
# anything that gets here is piped into rule `addBlanks'
rewriteContext default
rewriteRule ".*" "%{>addBlanks(%0)}" ":"
# Here control goes back to the default rewrite
# context; rules are appended to the existing ones.
# anything that gets here is piped into rule `addBlanks'
rewriteContext default
rewriteRule ".*" "%{>addBlanks(%0)}" ":"
# Anything with `uid=username' is looked up in
# /etc/passwd for gecos (I know it's nearly useless,
# but it is there just as a guideline to implementing
# custom maps).
# Note the `I' flag that leaves `uid=username' in place
# if `username' does not have a valid account, and the
# `:' that forces the rule to be processed exactly once.
rewriteContext uid2Gecos
rewriteRule "(.*)uid=([a-z0-9]+),(.+)"
"%1cn=%2{xpasswd},%3" "I:"
.\" # Anything with `uid=username' is looked up in
.\" # /etc/passwd for gecos (I know it's nearly useless,
.\" # but it is there just as a guideline to implementing
.\" # custom maps).
.\" # Note the `I' flag that leaves `uid=username' in place
.\" # if `username' does not have a valid account, and the
.\" # `:' that forces the rule to be processed exactly once.
.\" rewriteContext uid2Gecos
.\" rewriteRule "(.*)uid=([a-z0-9]+),(.+)"
.\" "%1cn=%2{xpasswd},%3" "I:"
.\"
.\" # Finally, in a bind, if one uses a `uid=username' DN,
.\" # it is rewritten in `cn=name surname' if possible.
.\" rewriteContext bindDn
.\" rewriteRule ".*" "%{>addBlanks(%{>uid2Gecos(%0)})}" ":"
.\"
# Rewrite the search base according to `default' rules.
rewriteContext searchBase alias default
# Finally, in a bind, if one uses a `uid=username' DN,
# it is rewritten in `cn=name surname' if possible.
rewriteContext bindDn
rewriteRule ".*" "%{>addBlanks(%{>uid2Gecos(%0)})}" ":"
# Search results with OpenLDAP DN are rewritten back with
# `dc=home,dc=net' naming context, with spaces eaten.
rewriteContext searchResult
rewriteRule "(.*[^ ]?)[ ]?dc=OpenLDAP,[ ]?dc=org"
"%{>eatBlanks(%1)}dc=home,dc=net" ":"
# Rewrite the search base according to `default' rules.
rewriteContext searchBase alias default
# Bind with email instead of full DN: we first need
# an ldap map that turns attributes into a DN (the
# argument used when invoking the map is appended to
# the URI and acts as the filter portion)
rewriteMap ldap attr2dn "ldap://host/dc=my,dc=org?dn?sub"
# Search results with OpenLDAP DN are rewritten back with
# `dc=home,dc=net' naming context, with spaces eaten.
rewriteContext searchResult
rewriteRule "(.*[^ ]?)[ ]?dc=OpenLDAP,[ ]?dc=org"
"%{>eatBlanks(%1)}dc=home,dc=net" ":"
# Then we need to detect DN made up of a single email,
# e.g. `mail=someone@example.com'; note that the rule
# in case of match stops rewriting; in case of error,
# it is ignored. In case we are mapping virtual
# to real naming contexts, we also need to rewrite
# regular DNs, because the definition of a bindDn
# rewrite context overrides the default definition.
rewriteContext bindDn
rewriteRule "^mail=[^,]+@[^,]+$" "%{attr2dn(%0)}" "@I"
# Bind with email instead of full DN: we first need
# an ldap map that turns attributes into a DN (the
# filter is appended by the ldap map substitution):
rewriteMap ldap attr2dn "ldap://host/dc=my,dc=org?dn?sub"
# This is a rather sophisticated example. It massages a
# search filter in case who performs the search has
# administrative privileges. First we need to keep
# track of the bind DN of the incoming request, which is
# stored in a variable called `binddn' with session scope,
# and left in place to allow regular binding:
rewriteContext bindDn
rewriteRule ".+" "%{&&binddn(%0)}%0" ":"
# Then we need to detect emails; note that the rule
# in case of match stops rewriting; in case of error,
# it is ignored. In case we are mapping virtual
# to real naming contexts, we also need to rewrite
# regular DNs, because the definition of a bindDn
# rewrite context overrides the default definition.
rewriteContext bindDn
rewriteRule "^mail=[^,]+@[^,]+$" "%{attr2dn(%0)}" "@I"
# This is a rather sophisticated example. It massages a
# search filter in case who performs the search has
# administrative privileges. First we need to keep
# track of the bind DN of the incoming request:
rewriteContext bindDn
rewriteRule ".+" "%{&&binddn(%0)}%0" ":"
# A search filter containing `uid=' is rewritten only
# if an appropriate DN is bound.
# To do this, in the first rule the bound DN is
# dereferenced, while the filter is decomposed in a
# prefix, the argument of the `uid=', and in a
# suffix. A tag `<>' is appended to the DN. If the DN
# refers to an entry in the `ou=admin' subtree, the
# filter is rewritten OR-ing the `uid=<arg>' with
# `cn=<arg>'; otherwise it is left as is. This could be
# useful, for instance, to allow apache's auth_ldap-1.4
# module to authenticate users with both `uid' and
# `cn', but only if the request comes from a possible
# `dn: cn=Web auth, ou=admin, dc=home, dc=net' user.
rewriteContext searchFilter
rewriteRule "(.*\e\e()uid=([a-z0-9_]+)(\e\e).*)"
"%{**binddn}<>%{&prefix(%1)}%{&arg(%2)}%{&suffix(%3)}"
":I"
rewriteRule "[^,]+,ou=admin,dc=home,dc=net"
"%{*prefix}|(uid=%{*arg})(cn=%{*arg})%{*suffix}" "@I"
rewriteRule ".*<>" "%{*prefix}uid=%{*arg}%{*suffix}" ":"
# A search filter containing `uid=' is rewritten only
# if an appropriate DN is bound.
# To do this, in the first rule the bound DN is
# dereferenced, while the filter is decomposed in a
# prefix, in the value of the `uid=<arg>' AVA, and
# in a suffix. A tag `<>' is appended to the DN.
# If the DN refers to an entry in the `ou=admin' subtree,
# the filter is rewritten OR-ing the `uid=<arg>' with
# `cn=<arg>'; otherwise it is left as is. This could be
# useful, for instance, to allow apache's auth_ldap-1.4
# module to authenticate users with both `uid' and
# `cn', but only if the request comes from a possible
# `cn=Web auth,ou=admin,dc=home,dc=net' user.
rewriteContext searchFilter
rewriteRule "(.*\e\e()uid=([a-z0-9_]+)(\e\e).*)"
"%{**binddn}<>%{&prefix(%1)}%{&arg(%2)}%{&suffix(%3)}"
":I"
rewriteRule "[^,]+,ou=admin,dc=home,dc=net"
"%{*prefix}|(uid=%{*arg})(cn=%{*arg})%{*suffix}" "@I"
rewriteRule ".*<>" "%{*prefix}uid=%{*arg}%{*suffix}" ":"
.fi
.SH "LDAP Proxy resolution (a possible evolution of slapd\-ldap(5)):"
In case the rewritten DN is an LDAP URI, the operation is initiated

10
doc/man/man5/slapd-null.5
View file

@ -1,4 +1,4 @@
.TH SLAPD-NULL 5 "30 April 2002" "OpenLDAP LDVERSION"
.TH SLAPD-NULL 5 "2 May 2002" "OpenLDAP LDVERSION"
.\" $OpenLDAP$
.SH NAME
slapd-null \- Null backend to slapd
@ -35,11 +35,13 @@ The default is "off".
.SH EXAMPLE
Here is a possible slapd.conf extract using the Null backend:
.LP
.RS
.nf
database null
suffix "cn=Nothing"
bind on
database null
suffix "cn=Nothing"
bind on
.fi
.RE
.SH FILES
ETCDIR/slapd.conf
.SH SEE ALSO

11
doc/man/man5/slapd-passwd.5
View file

@ -1,4 +1,4 @@
.TH SLAPD-PASSWD 5 "30 April 2002" "OpenLDAP LDVERSION"
.TH SLAPD-PASSWD 5 "2 May 2002" "OpenLDAP LDVERSION"
.\" Copyright 1998-2002 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
@ -12,11 +12,14 @@ The PASSWD backend to
serves up the user account information listed in the system
.BR passwd (5)
file.
The DN of each entry is "uid=<username>,<suffix>".
Note that non-base searches scan the the entire passwd file, and
are best suited for hosts with small passwd files.
.SH CONFIGURATION
These
This
.B slapd.conf
options apply to the PASSWD backend database.
That is, they must follow a "database passwd" line and come before any
option applies to the PASSWD backend database.
That is, it must follow a "database passwd" line and come before any
subsequent "backend" or "database" lines.
Other database options are described in the
.BR slapd.conf (5)

9
doc/man/man5/slapd-perl.5
View file

@ -1,4 +1,4 @@
.TH SLAPD-PERL 5 "30 April 2002" "OpenLDAP LDVERSION"
.TH SLAPD-PERL 5 "2 May 2002" "OpenLDAP LDVERSION"
.\" $OpenLDAP$
.SH NAME
slapd-perl \- Perl backend to slapd
@ -63,7 +63,7 @@ It arguments are as follows:
* time limit
* filter string
* attributes only flag (1 for yes)
* list of attributes that are to be returned (may be empty).
* list of attributes to return (may be empty)
.fi
.LP
Return value: (resultcode, ldif-entry, ldif-entry, ...)
@ -85,7 +85,8 @@ Its arguments are as follows.
* object reference
* dn
* a list formatted as follows
{ "ADD" | "DELETE" | "REPLACE" }, attributetype, value..., ...
({ "ADD" | "DELETE" | "REPLACE" },
attributetype, value...)...
.fi
.LP
.TP
@ -94,7 +95,7 @@ This method is called when a add request comes from a client.
Its arguments are as follows.
.nf
* object reference
* entry in string format.
* entry in string format
.fi
.LP
.TP

115
doc/man/man5/slapd-shell.5
View file

@ -1,4 +1,4 @@
.TH SLAPD-SHELL 5 "30 April 2002" "OpenLDAP LDVERSION"
.TH SLAPD-SHELL 5 "2 May 2002" "OpenLDAP LDVERSION"
.\" Copyright 1998-2002 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
@ -22,32 +22,121 @@ subsequent "backend" or "database" lines.
Other database options are described in the
.BR slapd.conf (5)
manual page.
.LP
These options specify the pathname and arguments of the program to
execute in response to the given LDAP operation.
Each option is followed by the input lines that the program receives:
.TP
.B bind <pathname>
.B abandon <pathname> <argument>...
.nf
ABANDON
msgid: <message id>
<repeat { "suffix:" <database suffix DN> }>
.fi
.TP
.B unbind <pathname>
.B add <pathname> <argument>...
.nf
ADD
msgid: <message id>
<repeat { "suffix:" <database suffix DN> }>
<entry in LDIF format>
.fi
.TP
.B search <pathname>
.B bind <pathname> <argument>...
.nf
BIND
msgid: <message id>
<repeat { "suffix:" <database suffix DN> }>
dn: <DN>
method: <method number>
credlen: <length of <credentials>>
cred: <credentials>
.fi
.TP
.B compare <pathname>
.B compare <pathname> <argument>...
.nf
COMPARE
msgid: <message id>
<repeat { "suffix:" <database suffix DN> }>
dn: <DN>
<attribute>: <value>
.fi
.TP
.B modify <pathname>
.B delete <pathname> <argument>...
.nf
DELETE
msgid: <message id>
<repeat { "suffix:" <database suffix DN> }>
dn: <DN>
.fi
.TP
.B modrdn <pathname>
.B modify <pathname> <argument>...
.nf
MODIFY
msgid: <message id>
<repeat { "suffix:" <database suffix DN> }>
dn: <DN>
<repeat {
<"add"/"delete"/"replace">: <attribute>
<repeat { <attribute>: <value> }>
-
}>
.fi
.TP
.B add <pathname>
.B modrdn <pathname> <argument>...
.nf
MODRDN
msgid: <message id>
<repeat { "suffix:" <database suffix DN> }>
dn: <DN>
newrdn: <new RDN>
deleteoldrdn: <0 or 1>
<if new superior is specified: "newSuperior: <DN>">
.fi
.TP
.B delete <pathname>
.B search <pathname> <argument>...
.nf
SEARCH
msgid: <message id>
<repeat { "suffix:" <database suffix DN> }>
base: <base DN>
scope: <0-2, see ldap.h>
deref: <0-3, see ldap.h>
sizelimit: <size limit>
timelimit: <time limit>
filter: <filter>
attrsonly: <0 or 1>
attrs: <"all" or space-separated attribute list>
.fi
.TP
.B abandon <pathname>
These options specify the pathname of the command to execute in response
to the given LDAP operation.
.B unbind <pathname> <argument>...
.nf
UNBIND
msgid: <message id>
<repeat { "suffix:" <database suffix DN> }>
dn: <bound DN>
.fi
.LP
Note that you need only supply configuration lines for those commands you
want the backend to handle.
Operations for which a command is not supplied will be refused with an
"unwilling to perform" error.
.LP
The commands - except \fBabandon\fP and \fBunbind\fP - should output:
.RS
.nf
RESULT
code: <integer>
matched: <matched DN>
info: <text>
.fi
.RE
where only RESULT is mandatory.
The \fBsearch\fP RESULT should be preceded by the entries in LDIF
format, each entry followed by a blank line.
Lines starting with `#' or `DEBUG:' are ignored.
.SH EXAMPLE
There is a skeleton search script in the slapd/back-shell/ directory
There is an example search script in the slapd/back-shell/ directory
in the OpenLDAP source tree.
.SH FILES
ETCDIR/slapd.conf

20
doc/man/man5/slapd-sql.5
View file

@ -1,4 +1,4 @@
.TH SLAPD-SQL 5 "01 May 2002" "OpenLDAP LDVERSION"
.TH SLAPD-SQL 5 "2 May 2002" "OpenLDAP LDVERSION"
.\" $OpenLDAP$
.SH NAME
slapd-sql \- SQL backend to slapd
@ -52,17 +52,19 @@ manual page.
.TP
.B dbname <datasource name>
The name of the ODBC datasource to use.
.TP
.LP
.B dbhost <hostname>
.TP
.br
.B dbuser <username>
.TP
.br
.B dbpasswd <password>
.RS
These three options are generally unneeded, because this information is already
taken from the datasource.
Use them if you need to override datasource settings.
Also, several RDBMS' drivers tend to require explicit passing of user/password,
even if those are given in datasource.
.RE
.TP
.B subtree_cond <SQL expression>
Specifies a where-clause template used to form a subtree search condition.
@ -127,11 +129,11 @@ Let's suppose that we store information about persons working in our
organization in two tables:
.LP
.nf
PERSONS PHONES
---------- -------------
id integer id integer
first_name varchar pers_id integer references persons(id)
last_name varchar phone
PERSONS PHONES
---------- -------------
id integer id integer
first_name varchar pers_id integer references persons(id)
last_name varchar phone
middle_name varchar
...
.fi

197
doc/man/man5/slapd-tcl.5
View file

@ -1,4 +1,4 @@
.TH SLAPD-TCL 5 "30 April 2002" "OpenLDAP LDVERSION"
.TH SLAPD-TCL 5 "2 May 2002" "OpenLDAP LDVERSION"
.\" $OpenLDAP$
.SH NAME
slapd-tcl \- Tcl backend to slapd
@ -26,9 +26,6 @@ manual page.
.TP
.B scriptpath <filename.tcl>
The full path to the tcl script used for this database.
.\"
.\" There must be a .TP before this list, otherwise the .in doesn't work.
.\"
.LP
.B search <proc>
.br
@ -47,12 +44,10 @@ The full path to the tcl script used for this database.
.B compare <proc>
.br
.B abandon <proc>
.in
.RS
The procs for each ldap function.
This is similar to how the
.BR slapd-shell (5)
backend setup works, but these refer to the tcl procs in the
`scriptpath' script that handle them.
They refer to the tcl procs in the `scriptpath' script that handles them.
.RE
.TP
.B tclrealm <interpreter name>
This is one of the biggest pluses of using the tcl backend.
@ -64,110 +59,110 @@ If no tclrealm is specified, it is put into the "default" realm.
.TP
.B abandon { action msgid suffix }
.nf
action - Always equal to ABANDON.
msgid - The msgid of this ldap operation.
suffix - List of suffix(es) associated with the
call. Each one is an entry in a tcl
formatted list (surrounded by {}'s).
action - Always equal to ABANDON.
msgid - The msgid of this ldap operation.
suffix - List of suffix(es) associated with the
call. Each one is an entry in a tcl
formatted list (surrounded by {}'s).
.fi
.TP
.B add "{ action msgid suffix entry }"
.nf
action - Always equal to ADD.
msgid - The msgid of this ldap operation.
suffix - List of suffix(es), as above.
entry - Full entry to add. Each "type: val" is
an element in a tcl formatted list.
action - Always equal to ADD.
msgid - The msgid of this ldap operation.
suffix - List of suffix(es), as above.
entry - Full entry to add. Each "type: val" is
an element in a tcl formatted list.
.fi
.TP
.B bind "{ action msgid suffix dn method cred_len cred }"
.nf
action - Always equal to BIND.
msgid - The msgid of this ldap operation.
suffix - List of suffix(es), as above.
dn - DN being bound to.
method - One of the ldap authentication methods.
cred_len - Length of cred.
cred - Credentials being used to authenticate,
according to RFC. If this value is empty,
then it should be considered an anonymous
bind (??)
action - Always equal to BIND.
msgid - The msgid of this ldap operation.
suffix - List of suffix(es), as above.
dn - DN being bound to.
method - One of the ldap authentication methods.
cred_len - Length of cred.
cred - Credentials being used to authenticate,
according to RFC. If this value is empty,
then it should be considered an anonymous
bind (??)
.fi
.TP
.B compare "{ action msgid suffix dn ava_type ava_value }"
.nf
action - Always equal to COMPARE.
msgid - The msgid of this ldap operation.
suffix - List of suffix(es), as above.
dn - DN for compare.
ava_type - Type for comparison.
ava_value - Value to compare.
action - Always equal to COMPARE.
msgid - The msgid of this ldap operation.
suffix - List of suffix(es), as above.
dn - DN for compare.
ava_type - Type for comparison.
ava_value - Value to compare.
.fi
.TP
.B delete "{ action msgid suffix dn }"
.nf
action - Always equal to DELETE.
msgid - The msgid of this ldap operation.
suffix - List of suffix(es), as above.
dn - DN to delete.
action - Always equal to DELETE.
msgid - The msgid of this ldap operation.
suffix - List of suffix(es), as above.
dn - DN to delete.
.fi
.TP
.B modify "{ action msgid suffix dn mods }"
.nf
action - Always equal to MODIFY.
msgid - The msgid of this ldap operation.
suffix - List of suffix(es), as above.
dn - DN to modify.
mods - Tcl list of modifications.
The list is formatted in this way:
action - Always equal to MODIFY.
msgid - The msgid of this ldap operation.
suffix - List of suffix(es), as above.
dn - DN to modify.
mods - Tcl list of modifications.
The list is formatted in this way:
{
{ {op: type} {type: val} }
{ {op: type} {type: val} {type: val} }
...
}
{
{ {op: type} {type: val} }
{ {op: type} {type: val} {type: val} }
...
}
Newlines are not present in the actual var,
they are present here for clarification.
"op" is the type of modification
(ADD, DELETE, REPLACE).
Newlines are not present in the actual var,
they are present here for clarification.
"op" is the type of modification
(ADD, DELETE, REPLACE).
.fi
.TP
.B modrdn "{ action msgid suffix dn newrdn deleteoldrdn }"
.nf
action - Always equal to MODRDN.
msgid - The msgid of this ldap operation.
suffix - List of suffix(es), as above.
dn - DN whose RDN is being renamed.
newrdn - New RDN.
deleteoldrdn - Boolean stating whether or not the
old RDN should be removed after being renamed.
action - Always equal to MODRDN.
msgid - The msgid of this ldap operation.
suffix - List of suffix(es), as above.
dn - DN whose RDN is being renamed.
newrdn - New RDN.
deleteoldrdn - Boolean stating whether or not the
old RDN should be removed after being renamed.
.fi
.TP
.B
search { action msgid suffix base scope deref \
sizelimit timelimit filterstr attrsonly attrlist }
.nf
action - Always equal to SEARCH.
msgid - The msgid of this ldap operation.
suffix - List of suffix(es), as above.
base - Base for this search.
scope - Scope of search, ( 0 | 1 | 2 ).
deref - Alias dereferencing ( 0 | 1 | 2 | 3 ).
sizelimit - Maximum number of entries to return.
timelimit - Time limit for search.
filterstr - Filter string as sent by the requester.
attrsonly - Boolean for whether to list only the
attributes, and not values as well.
attrlist - Tcl list if to retrieve.
action - Always equal to SEARCH.
msgid - The msgid of this ldap operation.
suffix - List of suffix(es), as above.
base - Base for this search.
scope - Scope of search, ( 0 | 1 | 2 ).
deref - Alias dereferencing ( 0 | 1 | 2 | 3 ).
sizelimit - Maximum number of entries to return.
timelimit - Time limit for search.
filterstr - Filter string as sent by the requester.
attrsonly - Boolean for whether to list only the
attributes, and not values as well.
attrlist - Tcl list if to retrieve.
.fi
.TP
.B unbind "{ action msgid suffix dn }"
.nf
action - Always equal to UNBIND.
msgid - The msgid of this ldap operation.
suffix - List of suffix(es), as above.
dn - DN to unbind.
action - Always equal to UNBIND.
msgid - The msgid of this ldap operation.
suffix - List of suffix(es), as above.
dn - DN to unbind.
.fi
.LP
.SH Return Method and Syntax
@ -175,19 +170,23 @@ There are only 2 return types.
All procs must return a result to show status of the operation.
The result is in this form:
.LP
.RS
.nf
{ RESULT {code: <integer>} {matched: <partialdn>}
{info: <string>} {} }
{ RESULT {code: <integer>} {matched: <partialdn>}
{info: <string>} {} }
.fi
.RE
.LP
This is best accomplished with this type of tcl code
.LP
.RS
.nf
lappend ret_val "RESULT"
lappend ret_val "code: 0"
lappend ret_val ""
return $ret_val
.fi
.RE
.LP
The final empty string (item in list) is necessary to point to the end
of list.
@ -205,34 +204,38 @@ It is similar format to the shell backend return (as is most of the
syntax here).
Its format follows:
.LP
.RS
.nf
{dn: o=Company, c=US} {attr: val} {objectclass: val} {}
{dn: o=CompanyB, c=US} {attr: val} {objectclass: val} {}
{dn: o=Company, c=US} {attr: val} {objectclass: val} {}
{dn: o=CompanyB, c=US} {attr: val} {objectclass: val} {}
.fi
.RE
.LP
Again, newlines are for visual purposes here.
Also note the {} marking the end of the entry (same effect as a
newline in ldif format).
Here is some example code again, showing a full search proc example.
.LP
.RS
.nf
# Note that `args' lets you lump all possible args
# into one var, used here for simplicity of example
proc ldap:search { args } {
# ...perform some operations...
lappend ret_val "dn: $rdn,$base"
lappend ret_val "objectclass: $objcl"
lappend ret_val "sn: $rdn"
lappend ret_val "mail: $email"
lappend ret_val ""
# Now setup the result
lappend ret_val "RESULT"
lappend ret_val "code: 0"
lappend ret_val ""
return $ret_val
}
# Note that `args' lets you lump all possible args
# into one var, used here for simplicity of example
proc ldap:search { args } {
# ...perform some operations...
lappend ret_val "dn: $rdn,$base"
lappend ret_val "objectclass: $objcl"
lappend ret_val "sn: $rdn"
lappend ret_val "mail: $email"
lappend ret_val ""
# Now setup the result
lappend ret_val "RESULT"
lappend ret_val "code: 0"
lappend ret_val ""
return $ret_val
}
.fi
.RE
.LP
NOTE: Newlines in the return value is acceptable in search entries
(i.e. when returning base64 encoded binary entries).

36
doc/man/man5/slapd.conf.5
View file

@ -1,4 +1,4 @@
.TH SLAPD.CONF 5 "30 April 2002" "OpenLDAP LDVERSION"
.TH SLAPD.CONF 5 "2 May 2002" "OpenLDAP LDVERSION"
.\" Copyright 1998-2002 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
@ -915,6 +915,8 @@ and \fB{CRYPT}\fP passwords are not recommended. If empty
Specify the DN suffix of queries that will be passed to this
backend database. Multiple suffix lines can be given and at least one is
required for each database definition.
If the suffix of one database is "inside" that of another, the database
with the inner suffix must come first in the configuration file.
.TP
.B suffixalias <alias> <aliased suffix>
Specify an alternate suffix that may be used to reference an already defined
@ -951,9 +953,37 @@ Each database may allow specific configuration options; they are
documented separately in the
.BR slapd-<backend> (5)
manual pages.
.SH EXAMPLE
"OpenLDAP Administrator's Guide" contains an annotated
.SH EXAMPLES
.LP
Here is a short example of a configuration file:
.LP
.RS
.nf
include SYSCONFDIR/schema/core.schema
pidfile LOCALSTATEDIR/slapd.pid
database bdb
suffix "dc=our-domain,dc=com"
# The database directory MUST exist prior to
# running slapd AND should only be accessible
# by the slapd/tools. Mode 700 recommended.
directory LOCALSTATEDIR/openldap-data
# Indices to maintain
index objectClass eq
index cn,sn,mail pres,eq,approx,sub
# We serve small clients that do not handle referrals,
# so handle remote lookups on their behalf.
database ldap
suffix ""
uri ldap://ldap.some-server.com/
lastmod off
.fi
.RE
.LP
"OpenLDAP Administrator's Guide" contains a longer annotated
example of a configuration file.
The original ETCDIR/slapd.conf is another example.
.SH FILES
ETCDIR/slapd.conf
.SH SEE ALSO