# $OpenLDAP$
-# Copyright 1999-2003, The OpenLDAP Foundation, All Rights Reserved.
+# Copyright 1999-2005, The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: Introduction to OpenLDAP Directory Services
{{How is the information protected from unauthorized access?}} Some
directory services provide no protection, allowing anyone to see
-the information. LDAP provides a mechanism for a client to
-authenticate, or prove its identity to a directory server, paving
-the way for rich access control to protect the information the
-server contains. LDAP also supports privacy and integrity security
+the information. LDAP provides a mechanism for a client to authenticate,
+or prove its identity to a directory server, paving the way for
+rich access control to protect the information the server contains.
+LDAP also supports data security (integrity and confidentiality)
services.
The stand-alone LDAP daemon, or {{slapd}}(8), can be viewed as a
{{lightweight}} X.500 directory server. That is, it does not
-implement the X.500's DAP. As a {{lightweight directory}} server,
-{{slapd}}(8) implements only a subset of the X.500 models.
+implement the X.500's DAP nor does it support the complete X.500
+models.
If you are already running a X.500 DAP service and you want to
continue to do so, you can probably stop reading this guide. This
LDAPv3 was developed in the late 1990's to replace LDAPv2.
LDAPv3 adds the following features to LDAP:
- - Strong Authentication via {{TERM:SASL}}
- - Integrity and Confidentiality Protection via {{TERM:TLS}} (SSL)
+ - Strong authentication and data security services via {{TERM:SASL}}
+ - Certificate authentication and data security services via {{TERM:TLS}} (SSL)
- Internationalization through the use of Unicode
- Referrals and Continuations
- Schema Discovery
- Extensibility (controls, extended operations, and more)
-LDAPv2 is considered historical. As deploying both LDAPv2 and
-LDAPv3 simultaneously can be quite problematic, LDAPv2 should be
-avoided. LDAPv2 is disabled by default.
+LDAPv2 is historic ({{REF:RFC3494}}). As most {{so-called}} LDAPv2
+implementations (including {{slapd}}(8)) do not conform to the
+LDAPv2 technical specification, interoperatibility amongst
+implementations claiming LDAPv2 support is limited. As LDAPv2
+differs significantly from LDAPv3, deploying both LDAPv2 and LDAPv3
+simultaneously is quite problematic. LDAPv2 should be avoided.
+LDAPv2 is disabled by default.
H2: What is slapd and what can it do?
interesting features and capabilities include:
{{B:LDAPv3}}: {{slapd}} implements version 3 of {{TERM[expand]LDAP}}.
-{{slapd}} supports LDAP over both IPv4 and IPv6.
+{{slapd}} supports LDAP over both IPv4 and IPv6 and Unix IPC.
{{B:{{TERM[expand]SASL}}}}: {{slapd}} supports strong authentication
-services through the use of SASL. {{slapd}}'s SASL implementation
-utilizes {{PRD:Cyrus}} {{PRD:SASL}} software which supports a number
-of mechanisms including DIGEST-MD5, EXTERNAL, and GSSAPI.
-
-{{B:{{TERM[expand]TLS}}}}: {{slapd}} provides privacy and integrity
-protections through the use of TLS (or SSL). {{slapd}}'s TLS
+and data security (integrity and confidentiality) services through
+the use of SASL. {{slapd}}'s SASL implementation utilizes {{PRD:Cyrus}}
+{{PRD:SASL}} software which supports a number of mechanisms including
+DIGEST-MD5, EXTERNAL, and GSSAPI.
+
+{{B:{{TERM[expand]TLS}}}}: {{slapd}} supports certificate-based
+authentication and data security (integrity and confidentiality)
+services through the use of TLS (or SSL). {{slapd}}'s TLS
implementation utilizes {{PRD:OpenSSL}} software.
-{{B:Topology control}}: {{slapd}} allows one to restrict access to
-the server based upon network topology. This feature utilizes
-{{TCP wrappers}}.
+{{B:Topology control}}: {{slapd}} can be configured to restrict
+access at the socket layer based upon network topology information.
+This feature utilizes {{TCP wrappers}}.
{{B:Access control}}: {{slapd}} provides a rich and powerful access
control facility, allowing you to control access to the information
in your database(s). You can control access to entries based on
LDAP authorization information, {{TERM:IP}} address, domain name
-and other criteria. {{slapd}} supports both {{static}} and
-{{dynamic}} access control information.
+and other criteria. {{slapd}} supports both {{static}} and {{dynamic}}
+access control information.
{{B:Internationalization}}: {{slapd}} supports Unicode and language
tags.
{{B:Choice of database backends}}: {{slapd}} comes with a variety
of different database backends you can choose from. They include
{{TERM:BDB}}, a high-performance transactional database backend;
+{{TERM:HDB}}, a hierarchical high-performance transactional backend;
{{TERM:LDBM}}, a lightweight DBM based backend; {{SHELL}}, a backend
interface to arbitrary shell scripts; and PASSWD, a simple backend
-interface to the {{passwd}}(5) file. BDB utilizes {{ORG:Sleepycat}}
-{{PRD:Berkeley DB}}. LDBM utilizes either {{PRD:Berkeley DB}} or
-{{PRD:GDBM}}.
+interface to the {{passwd}}(5) file. The BDB and HDB backends
+utilize {{ORG:Sleepycat}} {{PRD:Berkeley DB}}. The LDBM utilizes
+either {{PRD:Berkeley DB}} or {{PRD:GDBM}}.
{{B:Multiple database instances}}: {{slapd}} can be configured to
serve multiple databases at the same time. This means that a single
portions of the LDAP tree, using the same or different database
backends.
-{{B:Generic modules API}}: If you require even more customization,
+{{B:Generic modules API}}: If you require even more customization,
{{slapd}} lets you write your own modules easily. {{slapd}} consists
of two distinct parts: a front end that handles protocol communication
with LDAP clients; and modules which handle specific tasks such as
-database operations. Because these two pieces communicate via a
+database operations. Because these two pieces communicate via a
well-defined {{TERM:C}} {{TERM:API}}, you can write your own
customized modules which extend {{slapd}} in numerous ways. Also,
a number of {{programmable database}} modules are provided. These
{{PRD:TCL}}).
{{B:Threads}}: {{slapd}} is threaded for high performance. A single
-multi-threaded {{slapd}} process handles all incoming requests
-using a pool of threads. This reduces the amount of system overhead
+multi-threaded {{slapd}} process handles all incoming requests using
+a pool of threads. This reduces the amount of system overhead
required while providing high performance.
-{{B:Replication}}: {{slapd}} can be configured to maintain replica
-copies of its database. This {{single-master/multiple-slave}}
+{{B:Replication}}: {{slapd}} can be configured to maintain shadow
+copies of directory information. This {{single-master/multiple-slave}}
replication scheme is vital in high-volume environments where a
single {{slapd}} just doesn't provide the necessary availability
-or reliability. {{slapd}} also includes experimental support for
-{{multi-master}} replication.
+or reliability. {{slapd}} supports two replication methods: {{LDAP
+Sync}}-based and {{slurpd}}(8)-based replication.
+
+{{B:Proxy Cache}}: {{slapd}} can be configured as a caching
+LDAP proxy service.
{{B:Configuration}}: {{slapd}} is highly configurable through a
single configuration file which allows you to change just about
everything you'd ever want to change. Configuration options have
reasonable defaults, making your job much easier.
-{{slapd}} also has its limitations, of course. The main BDB
-backend does not handle range queries or negation queries
-very well.
-
H2: What is slurpd and what can it do?
-{{slurpd}}(8) is a daemon that helps {{slapd}} provide replicated
-service. It is responsible for distributing changes made to the
-master {{slapd}} database out to the various {{slapd}} replicas.
-It frees {{slapd}} from having to worry that some replicas might
-be down or unreachable when a change comes through; {{slurpd}}
+{{slurpd}}(8) is a daemon that, with {{slapd}} help, provides
+replicated service. It is responsible for distributing changes
+made to the master {{slapd}} database out to the various {{slapd}}
+replicas. It frees {{slapd}} from having to worry that some replicas
+might be down or unreachable when a change comes through; {{slurpd}}
handles retrying failed requests automatically. {{slapd}} and
{{slurpd}} communicate through a simple text file that is used to
log changes.
See the {{SECT:Replication with slurpd}} chapter for information
about how to configure and run {{slurpd}}(8).
+
+Alternatively, {{LDAP-Sync}}-based replication may be used to provide
+a replicated service. See the {{SECT:LDAP Sync Replication}} chapter
+for details.
+