-.TH SLAPD-LDAP 5 "30 April 2002" "OpenLDAP LDVERSION"
+.TH SLAPD-LDAP 5 "2 May 2002" "OpenLDAP LDVERSION"
.\" Copyright 1998-2002 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
Other database options are described in the
.BR slapd.conf (5)
manual page.
+.LP
+Note: It is strongly recommended to set
+.RS
+lastmod off
+.RE
+for every
+.B ldap
+and
+.B meta
+database.
+This is because operational attributes related to entry creation and
+modification should not be used, as they could be passed to the target
+servers, generating an error.
.TP
.B uri <ldapurl>
LDAP server to use.
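Review bot: the justification given at L19-L21 for `lastmod off` (operational attributes "could be passed to the target servers, generating an error") does not match the reason the same recommendation gets in slapd-meta at L60-L62 (the stripping code is #ifdef'd and costs "unmotivated overhead"); either state both reasons or pick one, and add a cross-reference to slapd-meta(5) so the two pages do not drift apart.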
This maps the OpenLDAP objectclass `groupOfNames' to the Active
Directory objectclass `group':
.LP
+.RS
.nf
- map objectclass groupOfNames group
+map objectclass groupOfNames group
.fi
+.RE
.LP
This presents a limited attribute set from the foreign
server:
.LP
+.RS
.nf
- map attribute cn *
- map attribute sn *
- map attribute manager *
- map attribute description *
- map attribute *
+map attribute cn *
+map attribute sn *
+map attribute manager *
+map attribute description *
+map attribute *
.fi
+.RE
.LP
These lines map cn, sn, manager, and description to themselves, and
any other attribute gets "removed" from the object before it is sent
-.TH SLAPD_META 5 "30 April 2002" "OpenLDAP LDVERSION"
+.TH SLAPD_META 5 "2 May 2002" "OpenLDAP LDVERSION"
.\" Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
.\" Copying restrictions apply. See the COPYRIGHT file.
.\" Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
While code to strip the modification attributes has been put in place
(and #ifdef'd), it implies unmotivated overhead.
So it is strongly recommended to set
-.LP
-.nf
- lastmod off
-.fi
-.LP
+.RS
+lastmod off
+.RE
for every
.B ldap
and
It must end with one of the naming contexts defined for the backend,
e.g.:
.LP
+.RS
.nf
- suffix "\fBdc=foo,dc=com\fP"
- uri "ldap://x.foo.com/dc=x,\fBdc=foo,dc=com\fP"
+suffix "\fBdc=foo,dc=com\fP"
+uri "ldap://x.foo.com/dc=x,\fBdc=foo,dc=com\fP"
.fi
+.RE
.LP
The <naming context> part doesn't need to be unique across the targets;
it may also match one of the values of the "suffix" directive.
say "dc=a,dc=foo,dc=com" and "dc=b,dc=foo,dc=com".
Then, an unambiguous Meta database can be configured as:
.LP
+.RS
.nf
- database meta
- suffix "dc=foo,dc=com"
- uri "ldap://a.foo.com/dc=a,dc=foo,dc=com"
- uri "ldap://b.foo.com/dc=b,dc=foo,dc=com"
+database meta
+suffix "\fBdc=foo,dc=com\fP"
+uri "ldap://a.foo.com/dc=a,\fBdc=foo,dc=com\fP"
+uri "ldap://b.foo.com/dc=b,\fBdc=foo,dc=com\fP"
.fi
+.RE
.LP
Operations directed to a specific target can be easily resolved
because there are no ambiguities.
"dc=a,dc=foo,dc=com" and "dc=b,dc=foo,dc=com".
Then we need to configure our Meta backend as:
.LP
+.RS
.nf
- database meta
- suffix "dc=foo,dc=com"
-
- uri "ldap://a.bar.com/dc=a,dc=foo,dc=com"
- suffixmassage "dc=a,dc=foo,dc=com" "dc=bar,dc=org"
-
- uri "ldap://b.foo.com/dc=b,dc=foo,dc=com"
- suffixmassage "dc=b,dc=foo,dc=com" "o=Foo,c=US"
+database meta
+suffix "dc=foo,dc=com"
+
+uri "ldap://a.bar.com/\fBdc=a,dc=foo,dc=com\fP"
+suffixmassage "\fBdc=a,dc=foo,dc=com\fP" "dc=bar,dc=org"
+
+uri "ldap://b.foo.com/\fBdc=b,dc=foo,dc=com\fP"
+suffixmassage "\fBdc=b,dc=foo,dc=com\fP" "o=Foo,c=US"
.fi
+.RE
.LP
Again, operations can be resolved without ambiguity, although
some rewriting is required.
2b) Consider the above reported scenario with the two servers
sharing the same naming context:
.LP
+.RS
.nf
- database meta
- suffix "dc=foo,dc=com"
-
- uri "ldap://a.bar.com/dc=foo,dc=com"
- suffixmassage "dc=foo,dc=com" "dc=bar,dc=org"
-
- uri "ldap://b.foo.com/dc=foo,dc=com"
- suffixmassage "dc=foo,dc=com" "o=Foo,c=US"
+database meta
+suffix "\fBdc=foo,dc=com\fP"
+
+uri "ldap://a.bar.com/\fBdc=foo,dc=com\fP"
+suffixmassage "\fBdc=foo,dc=com\fP" "dc=bar,dc=org"
+
+uri "ldap://b.foo.com/\fBdc=foo,dc=com\fP"
+suffixmassage "\fBdc=foo,dc=com\fP" "o=Foo,c=US"
.fi
+.RE
.LP
All the previous considerations hold, except that now there is
no way to unambiguously resolve a DN.
find other exceptions: <ando@openldap.org>).
The rule
.LP
+.RS
.nf
- access to dn="<dn>" attr=<attr>
- by dnattr=<dnattr> read
- by * none
+access to dn="<dn>" attr=<attr>
+ by dnattr=<dnattr> read
+ by * none
.fi
+.RE
.LP
cannot be matched iff the attribute that is being requested, <attr>,
is NOT <dnattr>, and the attribute that determines membership,
.SH "Pattern matching:"
See
.BR regex (7).
-.SH "String Substitution:"
-The string substitution happens according to a substitution pattern.
-.TP
-.B -
-substring substitution is allowed with the syntax `\ed' where `d' is a
-digit ranging 0-9 (0 is the full match).
-I see that 0-9 digit expansion is a widely accepted practise; however
-there is no technical reason to use such a strict limit.
-A syntax of the form `\e{ddd}' should be fine if there is any need to
-use a higher number of possible submatches.
-.TP
-.B -
-variable substitution will be allowed (at least when I figure out
-which kind of variable could be proficiently substituted)
-.TP
-.B -
-map lookup will be allowed (map lookup of substring matches in gdbm,
-ldap(!), math(?) and so on maps `a la sendmail'.
-.TP
-.B -
-subroutine invocation will make it possible to rewrite a submatch in
-terms of the output of another rewriteContext.
.SH "Substitution Pattern Syntax:"
-everything starting with `%' requires substitution;
+Everything starting with `%' requires substitution;
.LP
the only obvious exception is `%%', which is left as is;
.LP
a `%' followed by a `{' invokes an advanced substitution.
The pattern is:
.LP
-.nf
- `%' `{' [ <op> ] <name> `(' <substitution> `)' `}'
-.fi
+.RS
+`%' `{' [ <op> ] <name> `(' <substitution> `)' `}'
+.RE
.LP
where <name> must be a legal name for the map, i.e.
.LP
+.RS
.nf
- <name> ::= [a-z][a-z0-9]* (case insensitive)
- <op> ::= `>' `|' `&' `&&' `*' `**' `$'
+<name> ::= [a-z][a-z0-9]* (case insensitive)
+<op> ::= `>' `|' `&' `&&' `*' `**' `$'
.fi
+.RE
.LP
and <substitution> must be a legal substitution
pattern, with no limits on the nesting level.
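Review bot: deleting the "String Substitution" section (L177-L198) removes the only statement on this page that a digit after the substitution escape refers to a submatch, with 0 meaning the full match; the surviving "Substitution Pattern Syntax" section (L200-L227) describes only the `%{...}` advanced form, yet every later example relies on plain `%0`, `%1`, `%2`, `%3`. Keep one sentence before the `%{` description, for instance "`%d', with d a digit 0-9, is replaced by the corresponding submatch of the pattern; `%0' is the whole match". The removed planned-feature bullets (variable substitution, map lookup, subroutine invocation) are now covered by the `<op>` forms at L222, so that part of the deletion is fine.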
.LP
client -> server:
.LP
+.RS
.nf
- (default) if defined and no specific context
- is available
- bindDn bind
- searchBase search
- searchFilter search
- compareDn compare
- addDn add
- modifyDn modify
- modrDn modrdn
- newSuperiorDn modrdn
- deleteDn delete
+(default) if defined and no specific context
+ is available
+bindDn bind
+searchBase search
+searchFilter search
+compareDn compare
+addDn add
+modifyDn modify
+modrDn modrdn
+newSuperiorDn modrdn
+deleteDn delete
.fi
+.RE
.LP
server -> client:
.LP
+.RS
.nf
- searchResult search (only if defined; no default)
- matchedDn all ops (only if defined; no default; NOT IMPL.)
+searchResult search (only if defined; no default;
+ acts on DN and DN-syntax attributes
+ of search results)
+matchedDn all ops (only if defined; no default;
+ NOT IMPL. except in search)
.fi
+.RE
.LP
.SH "Basic configuration syntax"
.TP
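Review bot: L267-L268 still label matchedDn as applying to "all ops" while the parenthetical says "NOT IMPL. except in search"; say directly what is implemented (e.g. "matchedDn search (only if defined; no default; not implemented for other operations)") so nobody configures it expecting it to cover bind or modify. The added wording for searchResult at L264-L266 is useful because rewriting DN-syntax attribute values is what the client actually sees; a pointer to how an attribute is recognised as DN-syntax (its schema syntax) would complete it.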
performed in a single rewrite operation (to avoid loops).
.SH "Configuration examples:"
.nf
- # set to `off' to disable rewriting
- rewriteEngine on
-
- # Everything defined here goes into the `default' context.
- # This rule changes the naming context of anything sent
- # to `dc=home,dc=net' to `dc=OpenLDAP, dc=org'
-
- rewriteRule "(.*)dc=home,[ ]?dc=net"
- "%1dc=OpenLDAP, dc=org" ":"
+# set to `off' to disable rewriting
+rewriteEngine on
- # since a pretty/normalized DN does not include spaces
- # after rdn separators, e.g. `,', this rule suffices:
+# Everything defined here goes into the `default' context.
+# This rule changes the naming context of anything sent
+# to `dc=home,dc=net' to `dc=OpenLDAP, dc=org'
- rewriteRule "(.*)dc=home,dc=net"
- "%1dc=OpenLDAP,dc=org" ":"
+rewriteRule "(.*)dc=home,[ ]?dc=net"
+ "%1dc=OpenLDAP, dc=org" ":"
- # Start a new context (ends input of the previous one).
- # This rule adds blanks between DN parts if not present.
- rewriteContext addBlanks
- rewriteRule "(.*),([^ ].*)" "%1, %2"
+# since a pretty/normalized DN does not include spaces
+# after rdn separators, e.g. `,', this rule suffices:
- # This one eats blanks
- rewriteContext eatBlanks
- rewriteRule "(.*),[ ](.*)" "%1,%2"
+rewriteRule "(.*)dc=home,dc=net"
+ "%1dc=OpenLDAP,dc=org" ":"
- # Here control goes back to the default rewrite
- # context; rules are appended to the existing ones.
- # anything that gets here is piped into rule `addBlanks'
- rewriteContext default
- rewriteRule ".*" "%{>addBlanks(%0)}" ":"
+# Start a new context (ends input of the previous one).
+# This rule adds blanks between DN parts if not present.
+rewriteContext addBlanks
+rewriteRule "(.*),([^ ].*)" "%1, %2"
- # Anything with `uid=username' is looked up in
- # /etc/passwd for gecos (I know it's nearly useless,
- # but it is there just as a guideline to implementing
- # custom maps).
- # Note the `I' flag that leaves `uid=username' in place
- # if `username' does not have a valid account, and the
- # `:' that forces the rule to be processed exactly once.
- rewriteContext uid2Gecos
- rewriteRule "(.*)uid=([a-z0-9]+),(.+)"
- "%1cn=%2{xpasswd},%3" "I:"
+# This one eats blanks
+rewriteContext eatBlanks
+rewriteRule "(.*),[ ](.*)" "%1,%2"
- # Finally, in a bind, if one uses a `uid=username' DN,
- # it is rewritten in `cn=name surname' if possible.
- rewriteContext bindDn
- rewriteRule ".*" "%{>addBlanks(%{>uid2Gecos(%0)})}" ":"
+# Here control goes back to the default rewrite
+# context; rules are appended to the existing ones.
+# anything that gets here is piped into rule `addBlanks'
+rewriteContext default
+rewriteRule ".*" "%{>addBlanks(%0)}" ":"
- # Rewrite the search base according to `default' rules.
- rewriteContext searchBase alias default
+.\" # Anything with `uid=username' is looked up in
+.\" # /etc/passwd for gecos (I know it's nearly useless,
+.\" # but it is there just as a guideline to implementing
+.\" # custom maps).
+.\" # Note the `I' flag that leaves `uid=username' in place
+.\" # if `username' does not have a valid account, and the
+.\" # `:' that forces the rule to be processed exactly once.
+.\" rewriteContext uid2Gecos
+.\" rewriteRule "(.*)uid=([a-z0-9]+),(.+)"
+.\" "%1cn=%2{xpasswd},%3" "I:"
+.\"
+.\" # Finally, in a bind, if one uses a `uid=username' DN,
+.\" # it is rewritten in `cn=name surname' if possible.
+.\" rewriteContext bindDn
+.\" rewriteRule ".*" "%{>addBlanks(%{>uid2Gecos(%0)})}" ":"
+.\"
+# Rewrite the search base according to `default' rules.
+rewriteContext searchBase alias default
- # Search results with OpenLDAP DN are rewritten back with
- # `dc=home,dc=net' naming context, with spaces eaten.
- rewriteContext searchResult
- rewriteRule "(.*[^ ]?)[ ]?dc=OpenLDAP,[ ]?dc=org"
- "%{>eatBlanks(%1)}dc=home,dc=net" ":"
+# Search results with OpenLDAP DN are rewritten back with
+# `dc=home,dc=net' naming context, with spaces eaten.
+rewriteContext searchResult
+rewriteRule "(.*[^ ]?)[ ]?dc=OpenLDAP,[ ]?dc=org"
+ "%{>eatBlanks(%1)}dc=home,dc=net" ":"
- # Bind with email instead of full DN: we first need
- # an ldap map that turns attributes into a DN (the
- # filter is appended by the ldap map substitution):
- rewriteMap ldap attr2dn "ldap://host/dc=my,dc=org?dn?sub"
+# Bind with email instead of full DN: we first need
+# an ldap map that turns attributes into a DN (the
+# argument used when invoking the map is appended to
+# the URI and acts as the filter portion)
+rewriteMap ldap attr2dn "ldap://host/dc=my,dc=org?dn?sub"
- # Then we need to detect emails; note that the rule
- # in case of match stops rewriting; in case of error,
- # it is ignored. In case we are mapping virtual
- # to real naming contexts, we also need to rewrite
- # regular DNs, because the definition of a bindDn
- # rewrite context overrides the default definition.
- rewriteContext bindDn
- rewriteRule "^mail=[^,]+@[^,]+$" "%{attr2dn(%0)}" "@I"
+# Then we need to detect DN made up of a single email,
+# e.g. `mail=someone@example.com'; note that the rule
+# in case of match stops rewriting; in case of error,
+# it is ignored. In case we are mapping virtual
+# to real naming contexts, we also need to rewrite
+# regular DNs, because the definition of a bindDn
+# rewrite context overrides the default definition.
+rewriteContext bindDn
+rewriteRule "^mail=[^,]+@[^,]+$" "%{attr2dn(%0)}" "@I"
- # This is a rather sophisticated example. It massages a
- # search filter in case who performs the search has
- # administrative privileges. First we need to keep
- # track of the bind DN of the incoming request:
- rewriteContext bindDn
- rewriteRule ".+" "%{&&binddn(%0)}%0" ":"
+# This is a rather sophisticated example. It massages a
+# search filter in case who performs the search has
+# administrative privileges. First we need to keep
+# track of the bind DN of the incoming request, which is
+# stored in a variable called `binddn' with session scope,
+# and left in place to allow regular binding:
+rewriteContext bindDn
+rewriteRule ".+" "%{&&binddn(%0)}%0" ":"
- # A search filter containing `uid=' is rewritten only
- # if an appropriate DN is bound.
- # To do this, in the first rule the bound DN is
- # dereferenced, while the filter is decomposed in a
- # prefix, the argument of the `uid=', and in a
- # suffix. A tag `<>' is appended to the DN. If the DN
- # refers to an entry in the `ou=admin' subtree, the
- # filter is rewritten OR-ing the `uid=<arg>' with
- # `cn=<arg>'; otherwise it is left as is. This could be
- # useful, for instance, to allow apache's auth_ldap-1.4
- # module to authenticate users with both `uid' and
- # `cn', but only if the request comes from a possible
- # `dn: cn=Web auth, ou=admin, dc=home, dc=net' user.
- rewriteContext searchFilter
- rewriteRule "(.*\e\e()uid=([a-z0-9_]+)(\e\e).*)"
- "%{**binddn}<>%{&prefix(%1)}%{&arg(%2)}%{&suffix(%3)}"
- ":I"
- rewriteRule "[^,]+,ou=admin,dc=home,dc=net"
- "%{*prefix}|(uid=%{*arg})(cn=%{*arg})%{*suffix}" "@I"
- rewriteRule ".*<>" "%{*prefix}uid=%{*arg}%{*suffix}" ":"
+# A search filter containing `uid=' is rewritten only
+# if an appropriate DN is bound.
+# To do this, in the first rule the bound DN is
+# dereferenced, while the filter is decomposed in a
+# prefix, in the value of the `uid=<arg>' AVA, and
+# in a suffix. A tag `<>' is appended to the DN.
+# If the DN refers to an entry in the `ou=admin' subtree,
+# the filter is rewritten OR-ing the `uid=<arg>' with
+# `cn=<arg>'; otherwise it is left as is. This could be
+# useful, for instance, to allow apache's auth_ldap-1.4
+# module to authenticate users with both `uid' and
+# `cn', but only if the request comes from a possible
+# `cn=Web auth,ou=admin,dc=home,dc=net' user.
+rewriteContext searchFilter
+rewriteRule "(.*\e\e()uid=([a-z0-9_]+)(\e\e).*)"
+ "%{**binddn}<>%{&prefix(%1)}%{&arg(%2)}%{&suffix(%3)}"
+ ":I"
+rewriteRule "[^,]+,ou=admin,dc=home,dc=net"
+ "%{*prefix}|(uid=%{*arg})(cn=%{*arg})%{*suffix}" "@I"
+rewriteRule ".*<>" "%{*prefix}uid=%{*arg}%{*suffix}" ":"
.fi
.SH "LDAP Proxy resolution (a possible evolution of slapd\-ldap(5)):"
In case the rewritten DN is an LDAP URI, the operation is initiated
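Review bot: the admin check at L446, `"[^,]+,ou=admin,dc=home,dc=net"`, is unanchored. After the first rule (L443-L445) the string being rewritten is the dereferenced bind DN followed by the `<>` tag, so anchoring the pattern as `"^[^,]+,ou=admin,dc=home,dc=net<>"` restricts the match to bind DNs located directly under `ou=admin,dc=home,dc=net` instead of any DN in which that sequence occurs as a substring; the fallback rule at L448 already relies on the tag in the same way. Separately, commenting out the uid2Gecos example (L341-L356) removes the only comment that explains what the `I' flag does, while the flag is still used at L394, L445 and L447; move that explanation to one of the surviving examples.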
-.TH SLAPD-NULL 5 "30 April 2002" "OpenLDAP LDVERSION"
+.TH SLAPD-NULL 5 "2 May 2002" "OpenLDAP LDVERSION"
.\" $OpenLDAP$
.SH NAME
slapd-null \- Null backend to slapd
.SH EXAMPLE
Here is a possible slapd.conf extract using the Null backend:
.LP
+.RS
.nf
- database null
- suffix "cn=Nothing"
- bind on
+database null
+suffix "cn=Nothing"
+bind on
.fi
+.RE
.SH FILES
ETCDIR/slapd.conf
.SH SEE ALSO
-.TH SLAPD-PASSWD 5 "30 April 2002" "OpenLDAP LDVERSION"
+.TH SLAPD-PASSWD 5 "2 May 2002" "OpenLDAP LDVERSION"
.\" Copyright 1998-2002 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
serves up the user account information listed in the system
.BR passwd (5)
file.
+The DN of each entry is "uid=<username>,<suffix>".
+Note that non-base searches scan the the entire passwd file, and
+are best suited for hosts with small passwd files.
.SH CONFIGURATION
-These
+This
.B slapd.conf
-options apply to the PASSWD backend database.
-That is, they must follow a "database passwd" line and come before any
+option applies to the PASSWD backend database.
+That is, it must follow a "database passwd" line and come before any
subsequent "backend" or "database" lines.
Other database options are described in the
.BR slapd.conf (5)
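Review bot: typo at L482, "scan the the entire passwd file" (duplicated "the"). The same sentence could also say what that costs, i.e. that every non-base search reads and parses the whole passwd file on each request, which is why the backend is best suited to hosts with small passwd files.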
-.TH SLAPD-PERL 5 "30 April 2002" "OpenLDAP LDVERSION"
+.TH SLAPD-PERL 5 "2 May 2002" "OpenLDAP LDVERSION"
.\" $OpenLDAP$
.SH NAME
slapd-perl \- Perl backend to slapd
* time limit
* filter string
* attributes only flag (1 for yes)
- * list of attributes that are to be returned (may be empty).
+ * list of attributes to return (may be empty)
.fi
.LP
Return value: (resultcode, ldif-entry, ldif-entry, ...)
* object reference
* dn
* a list formatted as follows
- { "ADD" | "DELETE" | "REPLACE" }, attributetype, value..., ...
+ ({ "ADD" | "DELETE" | "REPLACE" },
+ attributetype, value...)...
.fi
.LP
.TP
Its arguments are as follows.
.nf
* object reference
- * entry in string format.
+ * entry in string format
.fi
.LP
.TP
-.TH SLAPD-SHELL 5 "30 April 2002" "OpenLDAP LDVERSION"
+.TH SLAPD-SHELL 5 "2 May 2002" "OpenLDAP LDVERSION"
.\" Copyright 1998-2002 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
Other database options are described in the
.BR slapd.conf (5)
manual page.
+.LP
+These options specify the pathname and arguments of the program to
+execute in response to the given LDAP operation.
+Each option is followed by the input lines that the program receives:
.TP
-.B bind <pathname>
+.B abandon <pathname> <argument>...
+.nf
+ABANDON
+msgid: <message id>
+<repeat { "suffix:" <database suffix DN> }>
+.fi
.TP
-.B unbind <pathname>
+.B add <pathname> <argument>...
+.nf
+ADD
+msgid: <message id>
+<repeat { "suffix:" <database suffix DN> }>
+<entry in LDIF format>
+.fi
.TP
-.B search <pathname>
+.B bind <pathname> <argument>...
+.nf
+BIND
+msgid: <message id>
+<repeat { "suffix:" <database suffix DN> }>
+dn: <DN>
+method: <method number>
+credlen: <length of <credentials>>
+cred: <credentials>
+.fi
.TP
-.B compare <pathname>
+.B compare <pathname> <argument>...
+.nf
+COMPARE
+msgid: <message id>
+<repeat { "suffix:" <database suffix DN> }>
+dn: <DN>
+<attribute>: <value>
+.fi
.TP
-.B modify <pathname>
+.B delete <pathname> <argument>...
+.nf
+DELETE
+msgid: <message id>
+<repeat { "suffix:" <database suffix DN> }>
+dn: <DN>
+.fi
.TP
-.B modrdn <pathname>
+.B modify <pathname> <argument>...
+.nf
+MODIFY
+msgid: <message id>
+<repeat { "suffix:" <database suffix DN> }>
+dn: <DN>
+<repeat {
+ <"add"/"delete"/"replace">: <attribute>
+ <repeat { <attribute>: <value> }>
+ -
+}>
+.fi
.TP
-.B add <pathname>
+.B modrdn <pathname> <argument>...
+.nf
+MODRDN
+msgid: <message id>
+<repeat { "suffix:" <database suffix DN> }>
+dn: <DN>
+newrdn: <new RDN>
+deleteoldrdn: <0 or 1>
+<if new superior is specified: "newSuperior: <DN>">
+.fi
.TP
-.B delete <pathname>
+.B search <pathname> <argument>...
+.nf
+SEARCH
+msgid: <message id>
+<repeat { "suffix:" <database suffix DN> }>
+base: <base DN>
+scope: <0-2, see ldap.h>
+deref: <0-3, see ldap.h>
+sizelimit: <size limit>
+timelimit: <time limit>
+filter: <filter>
+attrsonly: <0 or 1>
+attrs: <"all" or space-separated attribute list>
+.fi
.TP
-.B abandon <pathname>
-These options specify the pathname of the command to execute in response
-to the given LDAP operation.
+.B unbind <pathname> <argument>...
+.nf
+UNBIND
+msgid: <message id>
+<repeat { "suffix:" <database suffix DN> }>
+dn: <bound DN>
+.fi
+.LP
Note that you need only supply configuration lines for those commands you
want the backend to handle.
Operations for which a command is not supplied will be refused with an
"unwilling to perform" error.
+.LP
+The commands - except \fBabandon\fP and \fBunbind\fP - should output:
+.RS
+.nf
+RESULT
+code: <integer>
+matched: <matched DN>
+info: <text>
+.fi
+.RE
+where only RESULT is mandatory.
+The \fBsearch\fP RESULT should be preceded by the entries in LDIF
+format, each entry followed by a blank line.
+Lines starting with `#' or `DEBUG:' are ignored.
.SH EXAMPLE
-There is a skeleton search script in the slapd/back-shell/ directory
+There is an example search script in the slapd/back-shell/ directory
in the OpenLDAP source tree.
.SH FILES
ETCDIR/slapd.conf
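Review bot: the bind input at L558-L564 writes the raw credentials to the program's standard input (`cred: <credentials>`) but does not say how a value containing a newline or non-text bytes is carried; `credlen:` only helps if the reader is told to consume exactly that many bytes after `cred: `, so state that explicitly. Two smaller points: the introduction at L534-L536 should say that the `<argument>...` of each option are passed as the program's arguments, since the old text mentioned only a pathname; and L644 uses bare hyphens as dashes, which nroff renders as plain `-` characters (use `\(em`, or restructure with commas).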
-.TH SLAPD-SQL 5 "01 May 2002" "OpenLDAP LDVERSION"
+.TH SLAPD-SQL 5 "2 May 2002" "OpenLDAP LDVERSION"
.\" $OpenLDAP$
.SH NAME
slapd-sql \- SQL backend to slapd
.TP
.B dbname <datasource name>
The name of the ODBC datasource to use.
-.TP
+.LP
.B dbhost <hostname>
-.TP
+.br
.B dbuser <username>
-.TP
+.br
.B dbpasswd <password>
+.RS
These three options are generally unneeded, because this information is already
taken from the datasource.
Use them if you need to override datasource settings.
Also, several RDBMS' drivers tend to require explicit passing of user/password,
even if those are given in datasource.
+.RE
.TP
.B subtree_cond <SQL expression>
Specifies a where-clause template used to form a subtree search condition.
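Review bot: with dbhost/dbuser/dbpasswd grouped under one description (L672-L686), the text should add that `dbpasswd` puts the RDBMS password in slapd.conf in clear, so the file must be readable by slapd only; the slapd.conf example on these pages recommends mode 700 for the database directory but says nothing about the configuration file itself. The sentence at L684-L685, that several drivers require the user/password to be passed explicitly, describes exactly the case where this matters.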
organization in two tables:
.LP
.nf
- PERSONS PHONES
- ---------- -------------
- id integer id integer
- first_name varchar pers_id integer references persons(id)
- last_name varchar phone
+ PERSONS PHONES
+ ---------- -------------
+ id integer id integer
+ first_name varchar pers_id integer references persons(id)
+ last_name varchar phone
middle_name varchar
...
.fi
-.TH SLAPD-TCL 5 "30 April 2002" "OpenLDAP LDVERSION"
+.TH SLAPD-TCL 5 "2 May 2002" "OpenLDAP LDVERSION"
.\" $OpenLDAP$
.SH NAME
slapd-tcl \- Tcl backend to slapd
.TP
.B scriptpath <filename.tcl>
The full path to the tcl script used for this database.
-.\"
-.\" There must be a .TP before this list, otherwise the .in doesn't work.
-.\"
.LP
.B search <proc>
.br
.B compare <proc>
.br
.B abandon <proc>
-.in
+.RS
The procs for each ldap function.
-This is similar to how the
-.BR slapd-shell (5)
-backend setup works, but these refer to the tcl procs in the
-`scriptpath' script that handle them.
+They refer to the tcl procs in the `scriptpath' script that handles them.
+.RE
.TP
.B tclrealm <interpreter name>
This is one of the biggest pluses of using the tcl backend.
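Review bot: grammar at L730: "the tcl procs in the `scriptpath' script that handles them" should read "that handle them" (the procs handle the operations). Replacing the manual `.in` with `.RS`/`.RE` (L723-L724, L731) also makes the removed warning comment at L714-L716 unnecessary, so that deletion is correct.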
.TP
.B abandon { action msgid suffix }
.nf
- action - Always equal to ABANDON.
- msgid - The msgid of this ldap operation.
- suffix - List of suffix(es) associated with the
- call. Each one is an entry in a tcl
- formatted list (surrounded by {}'s).
+action - Always equal to ABANDON.
+msgid - The msgid of this ldap operation.
+suffix - List of suffix(es) associated with the
+ call. Each one is an entry in a tcl
+ formatted list (surrounded by {}'s).
.fi
.TP
.B add "{ action msgid suffix entry }"
.nf
- action - Always equal to ADD.
- msgid - The msgid of this ldap operation.
- suffix - List of suffix(es), as above.
- entry - Full entry to add. Each "type: val" is
- an element in a tcl formatted list.
+action - Always equal to ADD.
+msgid - The msgid of this ldap operation.
+suffix - List of suffix(es), as above.
+entry - Full entry to add. Each "type: val" is
+ an element in a tcl formatted list.
.fi
.TP
.B bind "{ action msgid suffix dn method cred_len cred }"
.nf
- action - Always equal to BIND.
- msgid - The msgid of this ldap operation.
- suffix - List of suffix(es), as above.
- dn - DN being bound to.
- method - One of the ldap authentication methods.
- cred_len - Length of cred.
- cred - Credentials being used to authenticate,
- according to RFC. If this value is empty,
- then it should be considered an anonymous
- bind (??)
+action - Always equal to BIND.
+msgid - The msgid of this ldap operation.
+suffix - List of suffix(es), as above.
+dn - DN being bound to.
+method - One of the ldap authentication methods.
+cred_len - Length of cred.
+cred - Credentials being used to authenticate,
+ according to RFC. If this value is empty,
+ then it should be considered an anonymous
+ bind (??)
.fi
.TP
.B compare "{ action msgid suffix dn ava_type ava_value }"
.nf
- action - Always equal to COMPARE.
- msgid - The msgid of this ldap operation.
- suffix - List of suffix(es), as above.
- dn - DN for compare.
- ava_type - Type for comparison.
- ava_value - Value to compare.
+action - Always equal to COMPARE.
+msgid - The msgid of this ldap operation.
+suffix - List of suffix(es), as above.
+dn - DN for compare.
+ava_type - Type for comparison.
+ava_value - Value to compare.
.fi
.TP
.B delete "{ action msgid suffix dn }"
.nf
- action - Always equal to DELETE.
- msgid - The msgid of this ldap operation.
- suffix - List of suffix(es), as above.
- dn - DN to delete.
+action - Always equal to DELETE.
+msgid - The msgid of this ldap operation.
+suffix - List of suffix(es), as above.
+dn - DN to delete.
.fi
.TP
.B modify "{ action msgid suffix dn mods }"
.nf
- action - Always equal to MODIFY.
- msgid - The msgid of this ldap operation.
- suffix - List of suffix(es), as above.
- dn - DN to modify.
- mods - Tcl list of modifications.
- The list is formatted in this way:
+action - Always equal to MODIFY.
+msgid - The msgid of this ldap operation.
+suffix - List of suffix(es), as above.
+dn - DN to modify.
+mods - Tcl list of modifications.
+ The list is formatted in this way:
- {
- { {op: type} {type: val} }
- { {op: type} {type: val} {type: val} }
- ...
- }
+ {
+ { {op: type} {type: val} }
+ { {op: type} {type: val} {type: val} }
+ ...
+ }
- Newlines are not present in the actual var,
- they are present here for clarification.
- "op" is the type of modification
- (ADD, DELETE, REPLACE).
+ Newlines are not present in the actual var,
+ they are present here for clarification.
+ "op" is the type of modification
+ (ADD, DELETE, REPLACE).
.fi
.TP
.B modrdn "{ action msgid suffix dn newrdn deleteoldrdn }"
.nf
- action - Always equal to MODRDN.
- msgid - The msgid of this ldap operation.
- suffix - List of suffix(es), as above.
- dn - DN whose RDN is being renamed.
- newrdn - New RDN.
- deleteoldrdn - Boolean stating whether or not the
- old RDN should be removed after being renamed.
+action - Always equal to MODRDN.
+msgid - The msgid of this ldap operation.
+suffix - List of suffix(es), as above.
+dn - DN whose RDN is being renamed.
+newrdn - New RDN.
+deleteoldrdn - Boolean stating whether or not the
+ old RDN should be removed after being renamed.
.fi
.TP
.B
search { action msgid suffix base scope deref \
sizelimit timelimit filterstr attrsonly attrlist }
.nf
- action - Always equal to SEARCH.
- msgid - The msgid of this ldap operation.
- suffix - List of suffix(es), as above.
- base - Base for this search.
- scope - Scope of search, ( 0 | 1 | 2 ).
- deref - Alias dereferencing ( 0 | 1 | 2 | 3 ).
- sizelimit - Maximum number of entries to return.
- timelimit - Time limit for search.
- filterstr - Filter string as sent by the requester.
- attrsonly - Boolean for whether to list only the
- attributes, and not values as well.
- attrlist - Tcl list if to retrieve.
+action - Always equal to SEARCH.
+msgid - The msgid of this ldap operation.
+suffix - List of suffix(es), as above.
+base - Base for this search.
+scope - Scope of search, ( 0 | 1 | 2 ).
+deref - Alias dereferencing ( 0 | 1 | 2 | 3 ).
+sizelimit - Maximum number of entries to return.
+timelimit - Time limit for search.
+filterstr - Filter string as sent by the requester.
+attrsonly - Boolean for whether to list only the
+ attributes, and not values as well.
+attrlist - Tcl list if to retrieve.
.fi
.TP
.B unbind "{ action msgid suffix dn }"
.nf
- action - Always equal to UNBIND.
- msgid - The msgid of this ldap operation.
- suffix - List of suffix(es), as above.
- dn - DN to unbind.
+action - Always equal to UNBIND.
+msgid - The msgid of this ldap operation.
+suffix - List of suffix(es), as above.
+dn - DN to unbind.
.fi
.LP
.SH Return Method and Syntax
All procs must return a result to show status of the operation.
The result is in this form:
.LP
+.RS
.nf
- { RESULT {code: <integer>} {matched: <partialdn>}
- {info: <string>} {} }
+{ RESULT {code: <integer>} {matched: <partialdn>}
+ {info: <string>} {} }
.fi
+.RE
.LP
This is best accomplished with this type of tcl code
.LP
+.RS
.nf
lappend ret_val "RESULT"
lappend ret_val "code: 0"
lappend ret_val ""
return $ret_val
.fi
+.RE
.LP
The final empty string (item in list) is necessary to point to the end
of list.
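Review bot: L895 "attrlist - Tcl list if to retrieve." is carried over unreadable; since every line of this block is being reindented anyway, fix it at the same time (e.g. "attrlist - Tcl list of attributes to retrieve."). The "(??)" at L785 about an empty credential meaning an anonymous bind should also be resolved rather than reindented: a doubtful note about how an empty credential is treated is precisely where an implementer of the bind proc gets authentication wrong.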
syntax here).
Its format follows:
.LP
+.RS
.nf
- {dn: o=Company, c=US} {attr: val} {objectclass: val} {}
- {dn: o=CompanyB, c=US} {attr: val} {objectclass: val} {}
+{dn: o=Company, c=US} {attr: val} {objectclass: val} {}
+{dn: o=CompanyB, c=US} {attr: val} {objectclass: val} {}
.fi
+.RE
.LP
Again, newlines are for visual purposes here.
Also note the {} marking the end of the entry (same effect as a
newline in ldif format).
Here is some example code again, showing a full search proc example.
.LP
+.RS
.nf
- # Note that `args' lets you lump all possible args
- # into one var, used here for simplicity of example
- proc ldap:search { args } {
- # ...perform some operations...
-
- lappend ret_val "dn: $rdn,$base"
- lappend ret_val "objectclass: $objcl"
- lappend ret_val "sn: $rdn"
- lappend ret_val "mail: $email"
- lappend ret_val ""
- # Now setup the result
- lappend ret_val "RESULT"
- lappend ret_val "code: 0"
- lappend ret_val ""
- return $ret_val
- }
+# Note that `args' lets you lump all possible args
+# into one var, used here for simplicity of example
+proc ldap:search { args } {
+ # ...perform some operations...
+
+ lappend ret_val "dn: $rdn,$base"
+ lappend ret_val "objectclass: $objcl"
+ lappend ret_val "sn: $rdn"
+ lappend ret_val "mail: $email"
+ lappend ret_val ""
+ # Now setup the result
+ lappend ret_val "RESULT"
+ lappend ret_val "code: 0"
+ lappend ret_val ""
+ return $ret_val
+}
.fi
+.RE
.LP
NOTE: Newlines in the return value is acceptable in search entries
(i.e. when returning base64 encoded binary entries).
-.TH SLAPD.CONF 5 "30 April 2002" "OpenLDAP LDVERSION"
+.TH SLAPD.CONF 5 "2 May 2002" "OpenLDAP LDVERSION"
.\" Copyright 1998-2002 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
Specify the DN suffix of queries that will be passed to this
backend database. Multiple suffix lines can be given and at least one is
required for each database definition.
+If the suffix of one database is "inside" that of another, the database
+with the inner suffix must come first in the configuration file.
.TP
.B suffixalias <alias> <aliased suffix>
Specify an alternate suffix that may be used to reference an already defined
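Review bot: the ordering rule at L1000-L1001 would be clearer with a concrete case built from DNs already on these pages, e.g. a database with suffix "dc=a,dc=foo,dc=com" must be defined before one with suffix "dc=foo,dc=com", and a database with the empty suffix "" (which contains every DN) must come last; the example at L1031-L1032 applies that rule but does not say so.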
documented separately in the
.BR slapd-<backend> (5)
manual pages.
-.SH EXAMPLE
-"OpenLDAP Administrator's Guide" contains an annotated
+.SH EXAMPLES
+.LP
+Here is a short example of a configuration file:
+.LP
+.RS
+.nf
+include SYSCONFDIR/schema/core.schema
+pidfile LOCALSTATEDIR/slapd.pid
+
+database bdb
+suffix "dc=our-domain,dc=com"
+# The database directory MUST exist prior to
+# running slapd AND should only be accessible
+# by the slapd/tools. Mode 700 recommended.
+directory LOCALSTATEDIR/openldap-data
+# Indices to maintain
+index objectClass eq
+index cn,sn,mail pres,eq,approx,sub
+
+# We serve small clients that do not handle referrals,
+# so handle remote lookups on their behalf.
+database ldap
+suffix ""
+uri ldap://ldap.some-server.com/
+lastmod off
+.fi
+.RE
+.LP
+"OpenLDAP Administrator's Guide" contains a longer annotated
example of a configuration file.
+The original ETCDIR/slapd.conf is another example.
.SH FILES
ETCDIR/slapd.conf
.SH SEE ALSO
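Review bot: the `database ldap` / `suffix ""` / `lastmod off` fragment at L1031-L1034 is consistent with the recommendation added to slapd-ldap(5) at L10-L18, but the comment at L1029-L1030 should also explain why this database is listed after the bdb one: per the rule added at L1000-L1001 the empty suffix contains every other suffix, so defining it first would shadow "dc=our-domain,dc=com". The "Mode 700 recommended" comment at L1021-L1023 is good; a matching remark that slapd.conf itself should not be world-readable would fit here too, given the `rootpw`-style secrets these pages document elsewhere (e.g. `dbpasswd` in slapd-sql).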