prerequisite software, configuring OpenLDAP itself, making, and finally
installing. The following sections describe this process in detail.
-In case you haven't already obtained OpenLDAP it is available at the following
-location: {{URL: ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release.tgz}}
+In case you haven't already obtained OpenLDAP it is available at
+the following location:
+{{URL: ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release.tgz}}.
The {{ORG[expand]OLP}} also maintains an extensive site
({{URL:http://www.OpenLDAP.org/}}) on the World Wide Web. The site
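Review bot: the new download location in the `+` lines is a plain FTP URL with no accompanying integrity check; suggest adding a sentence telling readers to verify the downloaded archive against a checksum or signature published out of band before building, since an unauthenticated transfer is exactly where a tampered release would enter the build. Minor style point: `{{URL: ftp://ftp.openldap.org/...}}` carries a space after the colon while `{{URL:http://www.OpenLDAP.org/}}` in the following context line does not; pick one form for the macro.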
!block table; align=Center; coltags="N,URL"; \
title="Table 4.1: Other OpenLDAP resources"
Resource URL
+Document Catalog http://www.OpenLDAP.org/doc/
Frequently Asked Questions http://www.OpenLDAP.org/faq/
Issue Tracking System http://www.OpenLDAP.org/its/
Mailing Lists http://www.OpenLDAP.org/lists/
H2: Prerequisite software
-OpenLDAP relies a number of software packages distributed by third
-parties. Depending on the features you intend to use, you may have
-to download and install a number of additional software packages.
-This section details commonly needed third party software packages
-you might have to install. Note that some of these third party
-packages may depend on additional software packages. Install each
-package per installation instructions provided with it.
+OpenLDAP Software relies upon a number of software packages distributed
+by third parties. Depending on the features you intend to use,
+you may have to download and install a number of additional
+software packages. This section details commonly needed third party
+software packages you might have to install. Note that some of
+these third party packages may depend on additional software
+packages. Install each package per installation instructions
+provided with it.
H3: {{TERM[expand]TLS}}
You should examine the output of this command carefully to make sure
everything is installed correctly. You will find the configuration files
-for slapd in {{F:/usr/local/etc/openldap}} by default. See chapter 5 for more
-information on the configuration files.
+for slapd in {{F:/usr/local/etc/openldap}} by default. See the
+{{SECT:The slapd Configuration File}} chapter for additional information.
{{EX:lastModifiedBy}} and {{EX:lastModifiedTime}}.
A solution to this attribute naming problem is to have the
-ldapd read oidtables that map {{EX:modifiersName}} to the
-Object Identifier ({{TERM:OID}}) for the {{EX:lastModifiedBy}} attribute and
-{{EX:modifyTimeStamp}} to the OID for the {{EX:lastModifiedTime}}
-attribute. Since attribute names are carried as OIDs over
-DAP, this should perform the appropriate translation of
-attribute names.
+LDAP/DAP gateway to map {{EX:modifiersName}} to the Object
+Identifier ({{TERM:OID}}) for the {{EX:lastModifiedBy}}
+attribute and {{EX:modifyTimeStamp}} to the OID for the
+{{EX:lastModifiedTime}} attribute. Since attribute names
+are carried as OIDs over DAP, this should perform the
+appropriate translation of attribute names.
H1: Schema Specification
-This chapter describes how to extend {{slapd}}(8) schema. The
-first section details how to extend schema using provided
-schema files. The second section details how to define
-new schema items.
+This chapter describes how to extend the schema used by {{slapd}}(8).
+The first section details optional schema definitions provided
+in the distribution and where to obtain other definitions. The
+second section details how to define new schema items.
H2: Distributed Schema Files
H2: Extending Schema
-Schema used by {{slapd}}(8) can be extended to support additional
+Schema used by {{slapd}}(8) may be extended to support additional
syntaxes, matching rules, attribute types, and object classes.
This chapter details how to add attribute types and object classes
using the syntaxes and matching rules already support by slapd.
-slapd(8) can also be extended to support additional syntaxes
+slapd can also be extended to support additional syntaxes
and matching rules, but this requires some programming and hence
is not discussed here.
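Review bot: the `+` line drops the `(8)` manual-section reference from `slapd` while the earlier `+` line in the same paragraph keeps `{{slapd}}(8)`, so the two sentences are now inconsistent; use `{{slapd}}(8)` in both. While this paragraph is being touched, the unchanged line `using the syntaxes and matching rules already support by slapd` should read `already supported by slapd`.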
H3: Object Identifiers
Each schema element is identified by a globally unique
-{{TERM[expand]OID}} ({{TERM:OID}}). OIDs are also used to identify
+{{TERM[expand]OID}} (OID). OIDs are also used to identify
other objects.
They are commonly found in protocols described by {{TERM:ASN.1}}. In
-particular, they are heavy used by {{Simple Network Management
-Protocol}} (SNMP). As OIDs are hierarchical, your organization
+particular, they are heavy used by {{TERM[expand]SNMP}} (SNMP).
+As OIDs are hierarchical, your organization
can obtain one OID and branch it as needed. For example,
if your organization were assigned OID {{EX:1.1}}, you could branch
the tree as follows:
.{{Under no circumstances should you use a fictious OID!}}
To obtain a fully registered OID at {{no cost}}, apply for
-a OID under {{ORG[expand]IANA}} maintained
+a OID under {{ORG[expand]IANA}} (IANA) maintained
{{Private Enterprise}} arch. Any private enterprise (organization)
may request an OID to be assigned under this arch. Just fill
-out the form at {{URL: http://www.iana.org/cgi-bin/enterprise.pl}}
+out the {{ORG:IANA}} form at {{URL: http://www.iana.org/cgi-bin/enterprise.pl}}
and your official OID will be sent to you usually within a few days.
Your base OID will be something like {{EX:1.3.6.1.4.1.X}} were {{EX:X}}
is an integer.
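Review bot: two typos in the added lines: `they are heavy used by {{TERM[expand]SNMP}} (SNMP)` should be `heavily used`, and `a OID under {{ORG[expand]IANA}} (IANA)` should be `an OID`. Nearby unchanged lines carry typos worth fixing in the same change: `fictious` should be `fictitious`, and `{{EX:1.3.6.1.4.1.X}} were {{EX:X}}` should read `where`.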
The first attribute, {{EX:name}}, has a syntax of directory string
(a UTF-8 encoded Unicode string) with a recommend maximun length.
Note that syntaxes is specified by OID. In addition, the equality
-and substring matching uses case ignore rules. Below are tables of
-{{slapd}}(8) supported syntax and matching rules.
+and substring matching uses case ignore rules. Below are tables
+listing commonly used supported syntax and matching rules.
!block table; align=Center; coltags="EX,EX,N"; \
title="Table 6.3: Supported Syntaxes"
-Name OID Description
-directoryString 1.3.6.1.4.1.1466.115.121.1.15 A directory string
+Name OID Description
+binary 1.3.6.1.4.1.1466.115.121.1.5 BER/DER data
+boolean 1.3.6.1.4.1.1466.115.121.1.7 boolean value
+distinguishedName 1.3.6.1.4.1.1466.115.121.1.15 DN
+directoryString 1.3.6.1.4.1.1466.115.121.1.15 UTF-8 string
+IA5String 1.3.6.1.4.1.1466.115.121.1.26 ASCII string
+Integer 1.3.6.1.4.1.1466.115.121.1.27 integer
+Name and Optional UID 1.3.6.1.4.1.1466.115.121.1.34 DN plus UID
+Numeric String 1.3.6.1.4.1.1466.115.121.1.36 numeric string
+OID 1.3.6.1.4.1.1466.115.121.1.38 object identifier
+Octet String 1.3.6.1.4.1.1466.115.121.1.40 arbitary octets
+Printable String 1.3.6.1.4.1.1466.115.121.1.44 printable string
!endblock
->
+>
!block table; align=Center; coltags="EX,N"; \
title="Table 6.4: Supported Matching Rules"
-Name Description
-caseIgnoreMatch case insensitive, space insensitive matching
-caseExactMatch case sensitive, space insensitive matching
+Name Type Description
+booleanMatch equality boolean
+objectIdentiferMatch equality OID
+distinguishedNameMatch equality DN
+uniqueMemberMatch equality DN with optional UID
+numericStringMatch equality numerical
+numericStringOrderingMatch ordering numerical
+numericStringSubstringsMatch substrings numerical
+caseIgnoreMatch equality case insensitive, space insensitive
+caseIgnoreOrderingMatch ordering case insensitive, space insensitive
+caseIgnoreSubstringsMatch substrings case insensitive, space insensitive
+caseExactMatch equality case sensitive, space insensitive
+caseExactOrderingMatch ordering case sensitive, space insensitive
+caseExactSubstringsMatch substrings case sensitive, space insensitive
+caseIgnoreIA5Match equality case insensitive, space insensitive
+caseIgnoreOrderingIA5Match ordering case insensitive, space insensitive
+caseIgnoreSubstringsIA5Match substrings case insensitive, space insensitive
+caseExactIA5Match equality case sensitive, space insensitive
+caseExactOrderingIA5Match ordering case sensitive, space insensitive
+caseExactSubstringsIA5Match substrings case sensitive, space insensitive
!endblock
The second attribute, {{EX:cn}}, is a subtype of {{EX:name}} hence
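Review bot: in Table 6.3 the new `distinguishedName` row is given the same OID as `directoryString` (`1.3.6.1.4.1.1466.115.121.1.15`); the DN syntax OID is `1.3.6.1.4.1.1466.115.121.1.12`, so the row is wrong as written. In Table 6.4 the added rows now have three columns (Name, Type, Description) but the unchanged `coltags="EX,N"` still declares two, so the table will not render as intended; change it to `coltags="EX,N,N"`. Spelling in the added rows: `objectIdentiferMatch` should be `objectIdentifierMatch`, `arbitary` should be `arbitrary`. The IA5 rule names such as `caseIgnoreSubstringsIA5Match` do not follow the standard word order `caseIgnoreIA5SubstringsMatch`; check each IA5 row against the names slapd actually registers before publishing. Unchanged context above the table also needs `recommend maximun` changed to `recommended maximum` and `syntaxes is specified` to `syntaxes are specified`.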
Once the software has been built and installed, you are ready
to configure {{slapd}}(8) for use at your site. The slapd
runtime configuration is primarily accomplished through the
-{{I:slapd.conf}}(5) file, normally installed in the
+{{slapd.conf}}(5) file, normally installed in the
{{EX:/usr/local/etc/openldap}} directory.
An alternate configuration file can be specified via a
H4: loglevel <integer>
This directive specifies the level at which debugging statements
-and operation statistics should be syslogged (currently
-logged to the {{syslogd}}(8) LOG_LOCAL4 facility). You must
-have compiled slapd with -DLDAP_DEBUG for this to work
-(except for the two statistics levels, which are always enabled).
-Log levels are additive. To display what numbers correspond
-to what kind of debugging, invoke slapd with the ? flag or
-consult the table below. The possible values for <integer> are:
+and operation statistics should be syslogged (currently logged to
+the {{syslogd}}(8) {EX:LOG_LOCAL4}} facility). You must have
+configured OpenLDAP {{EX:--enable-debug}} (the default) for this
+to work (except for the two statistics levels, which are always
+enabled). Log levels are additive. To display what numbers
+correspond to what kind of debugging, invoke slapd with {{EX:-?}}
+or consult the table below. The possible values for <integer> are:
!block table; colaligns="RL"; align=Center; \
title="Table 5.1: Debugging Levels"
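Review bot: `{EX:LOG_LOCAL4}}` in the added line is missing an opening brace and will not expand as a macro; it should be `{{EX:LOG_LOCAL4}}`. The sentence `except for the two statistics levels, which are always enabled` would also be clearer if it named the two numeric values it means, since the reader otherwise has to infer them from the table that follows.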
H4: replica
> replica host=<hostname>[:<port>]
-> "binddn=<DN>"
-> [bindmethod={ simple | kerberos }]
+> [bindmethod={ simple | kerberos | sasl }]
+> ["binddn=<DN>"]
+> [mech=<mech>]
+> [authcid=<identity>]
+> [authzid=<identity>]
> [credentials=<password>]
> [srvtab=<filename>]
the slave slapd. It should be a DN which has read/write
access to the slave slapd's database, typically given as a
{{EX:rootdn}} in the slave's config file. It must also match the
-updatedn directive in the slave slapd's config file. Since DNs are
+{{EX:updatedn}} directive in the slave slapd's config file. Since DNs are
likely to contain embedded spaces, the entire {{EX:"binddn=<DN>"}}
string should be enclosed in double quotes.
-The {{EX:bindmethod}} is either simple or Kerberos, depending on
-whether simple password-based authentication or Kerberos
-authentication is to be used when connecting to the slave
-slapd. Simple authentication requires a valid password be
-given. Kerberos authentication requires a valid srvtab file.
-
-The {{EX:credentials=}} parameter, which is only required if using
-simple authentication, gives the password for {{EX:binddn}} on the
-slave slapd. Simple authentication is deprecated in favor of
-{{TERM:SASL}} based authentication services.
-
-The {{EX:srvtab=}} parameter is deprecated in favor of SASL
-based authentication services.
+The {{EX:bindmethod}} is {{EX:simple}} or {{EX:kerberos}} or {{EX:sasl}},
+depending on whether simple password-based authentication or Kerberos
+authentication or {{TERM:SASL}} authentication is to be used when connecting
+to the slave slapd.
+
+Simple authentication should not be used unless adequate integrity
+and privacy protections are in place (e.g. TLS or IPSEC). Simple
+authentication requires specification of {{EX:binddn}} and
+{{EX:credentials}} parameters.
+
+Kerberos authentication is deprecated in favor of SASL authentication
+mechanisms, in particular the {EX:KERBEROS_V4}} and {{EX:GSSAPI}}
+mechanisms. Kerberos authentication requires {{EX:binddn}} and
+{{EX:srvtab}} parameters.
+
+SASL authentication is generally recommended. SASL authentication
+requires specification of a mechanism using the {{EX:mech}} parameter.
+Depending on the mechanism, an authentication identity and/or
+credentials can be specified using {{EX:authcid}} and {{EX:credentials}}
+respectively. The {{EX:authzid}} parameter may be used to specify
+an authorization identity.
See the {{SECT:Replication}} chapter for more information on how to
use this directive.
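Review bot: `{EX:KERBEROS_V4}}` in the added lines is missing an opening brace (compare `{{EX:GSSAPI}}` on the same line). The new syntax block makes `["binddn=<DN>"]` optional, but the unchanged paragraph below it still states unconditionally `It should be a DN which has read/write access ...` and `It must also match the {{EX:updatedn}} directive`; reword that paragraph so the requirement is scoped to the bind methods that use `binddn`, as the new per-method paragraphs do. Since `credentials=<password>` is written into slapd.conf in the clear, the simple-authentication paragraph should also say that the configuration file must be readable only by the account slapd runs as; and `IPSEC` is conventionally spelled `IPsec`.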
Cyrus Cyrus http://asg.web.cmu.edu/cyrus/
Sleepy Sleepycat Software http://www.sleepycat.com/
FSF Free Software Foundation http://www.fsf.org/
-GNU Gnu Not Unix http://www.gnu.org/
+GNU GNU Not Unix http://www.gnu.org/
!endblock
!block products; data
CLDAP Connection-less LDAP
DAP Directory Access Protocol
DER Distinguished Encoding Rules
+DIT Directory Information Tree
DN Distinguished Name
-DSE DSA-specific Entry
DNS Domain Name System
DS Draft Standard
-DSA Directory System Agent
+DSA Directory Service Agent
+DSE DSA-specific Entry
DUA Directory User Agent
FAQ Frequently Asked Questions
FYI For Your Information
LDAP Lightweight Directory Access Protocol
LDIF LDAP Data Interchange Format
LDBM LDAP Database Manager
+MIB Management Information Base
OID Object Identifier
OSI OSI
PS Proposed Standard
TCP Transmission Control Protocol
TLS Transport Security Layer
SASL Simple Authentication and Security Layer
+SMTP Simple Mail Transfer Protocol
+SNMP Simple Network Management Protocol
STD Internet Standard
UDP User Datagram Protocol
URI Uniform Resource Identifier
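Review bot: the `-`/`+` pair rewrites DSA from `Directory System Agent` to `Directory Service Agent`; X.500 defines DSA as Directory System Agent, so the original expansion was correct and this change should be dropped (the reordering to put DSE after DSA is fine). Unchanged neighbouring entries also need attention: `TLS Transport Security Layer` should be `Transport Layer Security`, and `OSI OSI` is a placeholder expansion that should read `Open Systems Interconnection`.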