[openldap] / doc / man / man5 / slapd-tcl.5

.TH SLAPD-TCL 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" $OpenLDAP$
.SH NAME
slapd-tcl \- Tcl backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The Tcl backend to
.BR slapd (8)
works by embedding a
.BR Tcl (3tcl)
interpreter into
.BR slapd (8).
Any tcl database section of the configuration file
.BR slapd.conf (5)
must then specify what Tcl script to use.
.SH WARNING
.B "This backend's calling conventions have changed since OpenLDAP 2.0."
Previously, the 2nd argument to the procs was a message ID.
Now they are an "operation ID" string.
Also, proc abandon now gets a new
.B abandonid
argument.
.SH CONFIGURATION
These
.B slapd.conf
options apply to the TCL backend database.
That is, they must follow a "database tcl" line and come before any
subsequent "backend" or "database" lines.
Other database options are described in the
.BR slapd.conf (5)
manual page.
.TP
.B scriptpath      <filename.tcl>
The full path to the tcl script used for this database.
.LP
.B search   <proc>
.br
.B add      <proc>
.br
.B delete   <proc>
.br
.B modify   <proc>
.br
.B bind     <proc>
.br
.B unbind   <proc>
.br
.B modrdn   <proc>
.br
.B compare  <proc>
.br
.B abandon  <proc>
.RS
The procs for each ldap function.
They refer to the tcl procs in the `scriptpath' script that handles them.
.RE
.TP
.B tclrealm <interpreter name>
This is one of the biggest pluses of using the tcl backend.
The realm lets you group several databases to the same interpreter.
This basically means they share the same global variables and proc space.
So global variables, as well as all the procs, are callable between databases.
If no tclrealm is specified, it is put into the "default" realm.
.SH Variables passed to the procs
.TP
.B abandon { action opid suffix abandonid }
.nf
action    - Always equal to ABANDON.
opid      - The opid of this ldap operation.
suffix    - List of suffix(es) associated with the
            call.  Each one is an entry in a tcl
            formatted list (surrounded by {}'s).
abandonid - The opid of the operation to abandon.
.fi
.TP
.B add "{ action opid suffix entry }"
.nf
action - Always equal to ADD.
opid   - The opid of this ldap operation.
suffix - List of suffix(es), as above.
entry  - Full entry to add. Each "type: val" is
         an element in a tcl formatted list.
.fi
.TP
.B bind "{ action opid suffix dn method cred_len cred }"
.nf
action   - Always equal to BIND.
opid     - The opid of this ldap operation.
suffix   - List of suffix(es), as above.
dn       - DN being bound to.
method   - One of the ldap authentication methods.
cred_len - Length of cred.
cred     - Credentials being used to authenticate,
           according to RFC.  If this value is empty,
           then it should be considered an anonymous
           bind (??)
.fi
.TP
.B compare "{ action opid suffix dn ava_type ava_value }"
.nf
action    - Always equal to COMPARE.
opid      - The opid of this ldap operation.
suffix    - List of suffix(es), as above.
dn        - DN for compare.
ava_type  - Type for comparison.
ava_value - Value to compare.
.fi
.TP
.B delete "{ action opid suffix dn }"
.nf
action    - Always equal to DELETE.
opid      - The opid of this ldap operation.
suffix    - List of suffix(es), as above.
dn        - DN to delete.
.fi
.TP
.B modify "{ action opid suffix dn mods }"
.nf
action - Always equal to MODIFY.
opid   - The opid of this ldap operation.
suffix - List of suffix(es), as above.
dn     - DN to modify.
mods   - Tcl list of modifications.
         The list is formatted in this way:

         {
           { {op: type} {type: val} }
           { {op: type} {type: val} {type: val} }
           ...
         }

         Newlines are not present in the actual var,
         they are present here for clarification.
         "op" is the type of modification
         (ADD, DELETE, REPLACE).
.fi
.TP
.B modrdn "{ action opid suffix dn newrdn deleteoldrdn }"
.nf
action - Always equal to MODRDN.
opid   - The opid of this ldap operation.
suffix - List of suffix(es), as above.
dn     - DN whose RDN is being renamed.
newrdn - New RDN.
deleteoldrdn - Boolean stating whether or not the
         old RDN should be removed after being renamed.
.fi
.TP
.B
search { action opid suffix base scope deref \
sizelimit timelimit filterstr attrsonly attrlist }
.nf
action    - Always equal to SEARCH.
opid      - The opid of this ldap operation.
suffix    - List of suffix(es), as above.
base      - Base for this search.
scope     - Scope of search, ( 0 | 1 | 2 ).
deref     - Alias dereferencing ( 0 | 1 | 2 | 3 ).
sizelimit - Maximum number of entries to return.
timelimit - Time limit for search.
filterstr - Filter string as sent by the requester.
attrsonly - Boolean for whether to list only the
            attributes, and not values as well.
attrlist  - Tcl list if to retrieve.
.fi
.TP
.B unbind "{ action opid suffix dn }"
.nf
action - Always equal to UNBIND.
opid   - The opid of this ldap operation.
suffix - List of suffix(es), as above.
dn     - DN to unbind.
.fi
.LP
An
.I opid
(operation ID) is a "connection ID/message ID" string identifying an
operation.
.LP
.SH Return Method and Syntax
There are only 2 return types.
All procs must return a result to show status of the operation.
The result is in this form:
.LP
.RS
.nf
{ RESULT {code: <integer>} {matched: <partialdn>}
  {info: <string>} {} }
.fi
.RE
.LP
This is best accomplished with this type of tcl code
.LP
.RS
.nf
  lappend ret_val "RESULT"
  lappend ret_val "code: 0"
  lappend ret_val ""
  return $ret_val
.fi
.RE
.LP
The final empty string (item in list) is necessary to point to the end
of list.
The `code', `matched', and `info' values are not necessary, and
default values are given if not specified.
The `code' value is usually an LDAP error in decimal notation from
ldap.h.
The `info', may be sent back to the client, depending on the
function.
In the bind proc, LDAP uses the value of `code' to indicate whether or
not the authentication is acceptable.
.LP
The other type of return is for searches.
It is similar format to the shell backend return (as is most of the
syntax here).
Its format follows:
.LP
.RS
.nf
{dn: o=Company, c=US} {attr: val} {objectclass: val} {}
{dn: o=CompanyB, c=US} {attr: val} {objectclass: val} {}
.fi
.RE
.LP
Again, newlines are for visual purposes here.
Also note the {} marking the end of the entry (same effect as a
newline in ldif format).
Here is some example code again, showing a full search proc example.
.LP
.RS
.nf
# Note that `args' lets you lump all possible args
# into one var, used here for simplicity of example
proc ldap:search { args } {
  # ...perform some operations...

  lappend ret_val "dn: $rdn,$base"
  lappend ret_val "objectclass: $objcl"
  lappend ret_val "sn: $rdn"
  lappend ret_val "mail: $email"
  lappend ret_val ""
  # Now setup the result
  lappend ret_val "RESULT"
  lappend ret_val "code: 0"
  lappend ret_val ""
  return $ret_val
}
.fi
.RE
.LP
NOTE: Newlines in the return value is acceptable in search entries
(i.e. when returning base64 encoded binary entries).
.LP
.SH Builtin Commands and Variables
.TP
.B ldap:debug <msg>
Allows you to send debug messages through OpenLDAP's native debugging
system, this is sent as a LDAP_DEBUG_ANY and will be logged.
Useful for debugging scripts or logging bind failures.
.SH FILES
.TP
ETCDIR/slapd.conf
default slapd configuration file
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd (8),
.BR Tcl (3tcl).