H3: Database software
OpenLDAP's {{slapd}}(8) primary database backend, {{TERM:LDBM}},
-requires that a compatible database package for entry storage. LDBM
+requires a compatible database package for entry storage. LDBM
is compatible with {{ORG[expand]Sleepy}}'s {{PRD:BerkeleyDB}} (recommended)
or the {{ORG[expand]FSF}}'s {{PRD:GNU}} Database Manager ({{PRD:GDBM}}).
If neither of these packages are available at configure time,
you will not be able build slapd(8) with primary database backend.
Your operating system may provide one of these two packages in
-in base system or as an optional software component. You may
+the base system or as an optional software component. You may
need may need to obtain the software and install it yourself.
{{PRD:BerkeleyDB}} is available from {{ORG[expand]Sleepy}}'s
{{slapd}}(8) supports TCP wrappers (IP level access control filters)
if preinstalled. Use of TCP wrappers or other IP level access
-filters (such as those provided by a IP-level firewall) is recommended
+filters (such as those provided by an IP-level firewall) is recommended
for servers containing non-public information.
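Review bot: the fix to "in base system" stops one line short: the following context line still reads "need may need to obtain the software", and the earlier line "you will not be able build slapd(8) with primary database backend" is missing words ("able to build", "with a primary database backend"). Suggest folding both into this hunk, and "If neither of these packages are available" should take a singular verb ("is available") since "neither" is the subject.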
H2: Running configure
-If you haven't already done so, extra the distribution for the
+If you haven't already done so, extract the distribution from the
compressed archive file and change directory to the top of the
distribution:
.{{EX:gunzip -c openldap-VERSION.tgz | tar xf -}}
.{{EX:cd openldap-VERSION}}
-Replacing {{EX:VERSION}} with the appropriate version string.
+You'll have to replace {{EX:VERSION}} with the version name of the
+release.
Note: If you intend to build OpenLDAP for multiple platforms from a
single source tree you should consult the {{F: INSTALL}} file in the
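Review bot: the replacement sentence swaps "version string" for "version name of the release", but the placeholder it explains ({{EX:VERSION}} in {{EX:openldap-VERSION.tgz}}) is filled with the release's version string, and the original term was the more precise one. Suggest "You'll have to replace {{EX:VERSION}} with the version string of the release." so the wording matches the file name shown in the example.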
LIBS Specify additional libraries
!endblock
-Now run the configure script with any desired configure options or
+Now run the configure script with any desired configuration options or
environment variables.
> [[env] settings] ./configure [options]
As an example, let's assume that we want a copy of OpenLDAP configured
-to use the LDBM backend, and the shell backend. The LDBM backend
+to use the LDBM backend and the shell backend. The LDBM backend
is turned on by default, so we don't need to do anything special
to enable it.
The {{EX:configure}} script will normally auto-detect appropriate settings.
If you have problems at this stage, consult any platform specific
-hints and check your {{EX:configure}} options if any.
+hints and check your {{EX:configure}} options, if any.
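Review bot: the example says we want "the LDBM backend and the shell backend" and explains that LDBM needs nothing special, but the visible lines never show the configure invocation that actually enables the shell backend, so the example stops before its point. Suggest following the sentence with the actual command line; in OpenLDAP's configure the switch for that backend is {{EX:--enable-shell}}, so something like {{EX:./configure --enable-shell}} would complete the example.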
H2: Building the Software
should be:
> Please "make depend" to build dependencies
-If the last line of output does not match, {{EX:configure}} has failed.
+If the last line of output does not match, {{EX:configure}} has failed,
+and you will need to review its output to determine what went wrong.
You should not proceed until {{EX:configure}} completes successfully.
To build dependencies, run:
> make test
-The test will run a number of tests.
+This command will run a number of tests.
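Review bot: the step "To build dependencies, run:" is immediately followed by "make test", which contradicts the configure message quoted just above ("Please "make depend" to build dependencies") and the sentence "This command will run a number of tests". Either the {{EX:make depend}} and {{EX:make}} steps have been dropped between those two lines, or the lead-in belongs to a different command; suggest checking that the sequence reads {{EX:make depend}}, {{EX:make}}, {{EX:make test}} with each command under its own lead-in.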
H2: Installing the Software
setting with the {{F:--prefix}} configure option, it will be installed
in the location you provided.
-Typically, the installation is done as {{root}}. From the top level OpenLDAP
-source directory, type:
+Typically, the installation is done as the super-user: {{root}}. From the top
+level OpenLDAP source directory, type:
> make install
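Review bot: "done as the super-user: {{root}}" uses a colon where an appositive is meant; suggest "done as the super-user, {{root}}" or "as the super-user ({{root}})". While touching this paragraph it would also help readers to state that {{EX:make install}} is the only step that needs root privileges, so that configure and the build itself can be run as an unprivileged user.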
H2: Command-Line Options
{{slapd}}(8) supports a number of command-line options as detailed
-in manual page. This section details a few commonly used options.
+in the manual page. This section details a few commonly used options.
> -f <filename>
> -h <URLs>
-This option specifies alternative listener configuration. The
-default is {{EX:ldap:///}} which implies LDAP over TCP, on all
-interfaces, on the default LDAP port 389. You can specify
+This option specifies alternative listener configurations. The
+default is {{EX:ldap:///}} which implies LDAP over TCP on all
+interfaces on the default LDAP port 389. You can specify
specific host-port pairs or other protocol schemes (such as
ldaps:// or ldapi://). For example,
{{EX:-h "ldaps:// ldap://127.0.0.1:666"}} will create
-two listeners: one for LDAP over SSL, on all interfaces, on
-the default LDAP/SSL port 646 and one for LDAP over TCL, only
-the {{EX:localhost}} ({{loopback}}) interface, on port 666.
-Hosts may be specified using IPv4 dot-decimal form or
-using host names. Ports values must be numeric.
+two listeners: one for LDAP over SSL on all interfaces on
+the default LDAP/SSL port 646, and one for LDAP over TCL on
+the {{EX:localhost}} ({{loopback}}) interface on port 666.
+Hosts may be specified using IPv4 dotted-decimal form or
+using host names. Port values must be numeric.
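Review bot: two errors in the example description survive the rewrite of these lines. "one for LDAP over TCL on the {{EX:localhost}} ({{loopback}}) interface" should read "LDAP over TCP" (both old and new text have the typo), and the default LDAP over SSL port is 636, not 646; since the text is correcting "LDAP/SSL port" wording anyway, suggest fixing both in the same hunk so the listener example matches what {{EX:ldaps://}} will actually bind.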
> -n <service-name>
This option specifies a run-time directory. slapd will
{{chroot}}(2) to this directory after opening listeners but
-before any reading any configuration file or initializing
-any backend.
+before reading any configuration files or initializing
+any backends.
.
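Review bot: the paragraph under "-n <service-name>" describes a run-time directory that slapd will {{chroot}}(2) into, which is not what a service-name option does, so the option header and its description appear to have been separated. Check that the description of {{EX:-n}} and the header for the chroot directory option (the {{EX:-r <directory>}} option in slapd(8)) have not been dropped from this hunk; as the lines stand, a reader would conclude that {{EX:-n}} takes a directory.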
> -d <level> | ?
> /usr/local/etc/libexec/slapd [<option>]*
-where {{F:/usr/local/etc/libexec}} is determined by {{EX:configure}}.
+where {{F:/usr/local/etc/libexec}} is determined by {{EX:configure}}
and <option> is one of the options described above (or in {{slapd}}(8)).
Unless you have specified a debugging level (including level {{EX:0}}),
slapd will automatically fork and detach itself from its controlling
where {{F:/usr/local/var}} is determined by {{EX:configure}}.
-Killing slapd by a more drastic method may cause its information
+Killing slapd by a more drastic method may cause information
loss or database corruption.
H2: Configuration File Format
-The {{slapd.conf}}(5) file consists three types of configuration
-information: global, backend specific, database specific. Global
+The {{slapd.conf}}(5) file consists of three types of configuration
+information: global, backend specific, and database specific. Global
information is specified first, followed by information associated
with a particular backend type, which is then followed by information
associated with a particular database instance. Global directives can
The distribution contains an example configuration file that will
be installed in the {{F: /usr/local/etc/openldap}} directory.
-A number of files containing schema definition (attribute types
+A number of files containing schema definitions (attribute types
and object classes) are also provided in the
{{F: /usr/local/etc/openldap/schema}} directory.
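Review bot: inconsistent markup spacing: "{{F: /usr/local/etc/openldap}}" and "{{F: /usr/local/etc/openldap/schema}}" carry a space after "F:", while "{{F:--prefix}}" and "{{F:/usr/local/etc/libexec}}" elsewhere in the patch do not. Suggest removing the space in the two path references here (and in "{{F: INSTALL}}" above) so the tag is rendered the same way throughout.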
H3: Global Directives
Directives described in this section apply to all backends
-and databases, unless specifically overridden in a backend or
-database definition. Arguments to directives should be replaced
+and databases unless specifically overridden in a backend or
+database definition. Arguments that should be replaced
by actual text are shown in brackets {{EX:<>}}.
H4: defaultaccess { none | compare | search | read | write }
This directive specifies the default access to grant requesters
-when no {{EX:access}} directives have been specified. Access
-levels implies all lesser access levels (e.g., read access
-implies search and compare but no write).
+when no {{EX:access}} directives have been specified. Any given
+access level implies all lesser access levels (e.g., read access
+implies search and compare but not write).
Note: It is recommend that the {{EX:access}} directive be used
to specify access control. See the {{SECT:Access Control}}
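Review bot: the hunk fixes the agreement problem in "Access levels implies" but leaves the typo on the very next line, "It is recommend that the {{EX:access}} directive be used", which should read "It is recommended that". Suggest including that line in the hunk since the paragraph is already being edited.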
H4: idletimeout <integer>
Specify the number of seconds to wait before forcibly closing
-an idle client connections. A idletimeout of 0, the default,
+an idle client connection. An idletimeout of 0, the default,
disables this feature.
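Review bot: the grammar fix is fine, but since this directive's default of 0 means idle connections are never closed, the description would be more useful if it said so directly, e.g. "An idletimeout of 0, the default, disables this feature, so idle client connections are held open indefinitely." That makes it clear to an administrator of an exposed server why setting a nonzero value matters.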
Queries with a DN ending in "dc=example, dc=com"
will be passed to this backend.
-Note: when the backend to pass a query to is selected, slapd
+Note: When the backend to pass a query to is selected, slapd
looks at the suffix line(s) in each database definition in the
order they appear in the file. Thus, if one database suffix is a
prefix of another, it must appear after it in the config file.
> index objectClass,uid
> index cn,sn eq,sub,approx
-The first line sets the default to indices to maintain to present
+The first line sets the default set of indices to maintain to present
and equality. The second line causes the default (pres,eq) set
of indices to be maintained for {{EX:objectClass}} and {{EX:uid}} attribute
types. The third line causes equality, substring, and approximate
-filters to be maintained for {{EX:cn}} and {{EX:sn}} attribute types.
+indices to be maintained for {{EX:cn}} and {{EX:sn}} attribute types.
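Review bot: the paragraph refers to three index lines ("The first line sets the default ...", "The second line causes the default (pres,eq) set ...", "The third line causes equality, substring, and approximate indices ..."), but only two index lines are shown above it ("index objectClass,uid" and "index cn,sn eq,sub,approx"). The line that sets the default set of indices, which the first sentence describes, is missing from the example; check that it has not been dropped in this hunk. The change from "filters" to "indices" on the last line is correct.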
H4: mode <integer>
-H3: Other Backend and Databases
+H3: Other Backend Databases
-{{slapd}}(8) supports a number of other backend database types.
+{{slapd}}(8) supports a number of backend database types besides the default LDBM.
!block table; align=Center; coltags="EX,N"; \
title="Table 5.2: Backend Database Types"
Types Description
+ldbm Berkeley or GNU DBM compatible backend
passwd Provides read-only access to {{F:/etc/passwd}}
shell Shell (extern program) backend
sql SQL Programmable backend
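Review bot: the rewritten sentence says slapd "supports a number of backend database types besides the default LDBM", but the same hunk adds an {{EX:ldbm}} row to Table 5.2, so the table now lists LDBM while the sentence introducing it excludes LDBM. Suggest "supports a number of backend database types, including the default LDBM; see Table 5.2" or drop "besides". Also, "Shell (extern program) backend" should read "external program".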
{{EX:entry}} attribute is also required. The complete examples at
the end of this section should help clear things up.
-Lastly, there is a special entry selector {{EX:"*"}} is used to
+Lastly, there is a special entry selector {{EX:"*"}} that is used to
select any entry. It is used when no other {{EX:<what>}}
selector has been provided. It's equivalent to "{{EX:dn=.*}}"
The <who> part identifies the entity or entities being granted
access. Note that access is granted to "entities" not "entries."
-The follow table summaries entity specifiers:
+The following table summarizes entity specifiers:
!block table; align=Center; coltags="EX,N"; \
title="Table 5.3: Access Entity Specifiers"
> dn=<regular expression>
By "normalized", we mean that all extra spaces have been
-removed from the entities DN and commas are used to
+removed from the entity's DN and commas are used to
separate RDN components.
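Review bot: the {{EX:dn=<regular expression>}} specifier is introduced here with the example "{{EX:dn=.*}}" above, but nothing tells the reader that the expression is matched as a regular expression against the normalized DN rather than compared as a literal, so a pattern written without anchors can match more entries than intended. Since this paragraph explains normalization, suggest adding one sentence noting that patterns intended to match a specific DN or subtree should be anchored with {{EX:^}} and {{EX:$}}.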
-Other control factors forms are also supported.
+Other control factors are also supported.
For example, a {{EX:<what>}} can be restricted by a
regular expression matching the client's IP address or domain name:
!block table; colaligns="LRL"; coltags="EX,EX,N"; align=Center; \
title="Table 5.4: Access Levels"
-Level Privledges Description
+Level Privileges Description
none no access
auth =x needed to bind
compare =cx needed to compare
!endblock
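Review bot: the sentence before Table 5.4, "a {{EX:<what>}} can be restricted by a regular expression matching the client's IP address or domain name", looks like it should say {{EX:<who>}}: the client's address or domain identifies the entity requesting access, which the text above defines as the {{EX:<who>}} part, while {{EX:<what>}} selects entries. Please check and correct the selector name in that line; the "Privledges" to "Privileges" fix in the table header is fine.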
Each level implies all lower levels of access. So, for
-example, granting someone write access to an entry also
-grants them read, search, compare, and auth access. However,
-one may use the privledges specify to grant specific permissions.
+example, granting someone {{EX:write}} access to an entry also
+grants them {{EX:read}}, {{EX:search}}, {{EX:compare}}, and
+{{EX:auth}} access. However, one may use the privileges specifier
+to grant specific permissions.
H3: Access Control Evaluation
the one slapd will use to evaluate access.
Next, slapd compares the entity requesting access to the
-{{EX:<who>}} selectors within the access directive selected above,
+{{EX:<who>}} selectors within the access directive selected above
in the order in which they appear. It stops with the first {{EX:<who>}}
selector that matches the requester. This determines the
access the entity requesting access has to the entry and/or
allows authenticate, and allows authenticated users to read.
Note that only the first {{EX:by <who>}} clause which matches applies.
Hence, the anonymous users are granted {{EX:auth}}, not {{EX:read}}.
-The last clause just as well have been "{{EX:by users read}}".
+The last clause could just as well have been "{{EX:by users read}}".
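Review bot: the context line "allows authenticate, and allows authenticated users to read" is missing its subject and reads as garbled; from the following sentence ("the anonymous users are granted {{EX:auth}}, not {{EX:read}}") it should presumably read "allows anonymous users to authenticate, and allows authenticated users to read". Also "the anonymous users are granted" should be "anonymous users are granted". Suggest fixing both while this paragraph is being edited.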
The following example shows the use of a regular expression
to select the entries by DN in two access directives where
Also note that if no {{EX:access to}} directive matches or
no {{EX:by <who>}} clause, {{B:access is denied}}. That is, every
-{{EX:access to}} directive ends with a implicit {{EX:by * none}}
-clause and access list itself ends with {{EX:access to * by * none}}
-directive. Only if no access controls are specified, is the
-{{EX:defaultaccess}} granted.
+{{EX:access to}} directive ends with an implicit {{EX:by * none}}
+clause and every access list ends with an implicit
+{{EX:access to * by * none}} directive. Only if no access controls
+are specified is the {{EX:defaultaccess}} granted.
The next example again shows the importance of ordering,
both of the access directives and the {{EX:by <who>}} clauses.
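Review bot: the rewrite of the implicit-deny explanation is clearer, but the lead-in sentence still reads "if no {{EX:access to}} directive matches or no {{EX:by <who>}} clause, {{B:access is denied}}", which is missing a verb; suggest "or no {{EX:by <who>}} clause matches". Stating the default-deny rule precisely matters here, since readers rely on this paragraph to understand what an access list that matches nothing does.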
E: 3. referral ldap://root.openldap.org
E: 4. access to * by * read
-Line 1 is a comment. Lines 2 include another config file
+Line 1 is a comment. Line 2 includes another config file
which containing {{core}} schema definitions.
The {{EX:referral}} directive on line 3
means that queries not local to one of the databases defined
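Review bot: "Lines 2 include" is corrected to "Line 2 includes", but the continuation on the next line, "which containing {{core}} schema definitions", is still ungrammatical; it should read "which contains {{core}} schema definitions" (or simply "containing ..."). Suggest extending the hunk by one line.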
various attributes.
Lines 24 through 33 specify access control for entries in the
-database. For all entries, the {{EX:userPassword}} attribute is
-writable by the entry and the "admin" entry, may be used for
-authentication/authorization purposes, but is otherwise not
-readable. All other attributes by writable by the entry and
-the "admin" entry, may be used for authentication/authorization
-purposes, but may be read by authenticated users.
+database. For all entries, the {{EX:userPassword}} attribute
+is writable by the entry itself and by the "admin" entry. It
+may be used for authentication/authorization purposes, but is
+otherwise not readable. All other attributes are writable by
+the entry and the "admin" entry, may be used for
+authentication/authorization purposes, but may be read by
+authenticated users.
The next section of the example configuration file defines
another LDBM database. This one handles queries involving
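Review bot: the rewrite splits the {{EX:userPassword}} description into two sentences but leaves the parallel sentence for the other attributes with the same comma-splice structure ("are writable by the entry and the "admin" entry, may be used for authentication/authorization purposes, but may be read by authenticated users"). Suggest giving it the same treatment, e.g. "All other attributes are writable by the entry itself and by the "admin" entry. They may be used for authentication/authorization purposes and may be read by authenticated users.", so that the contrast with {{EX:userPassword}} (readable for authentication only) is explicit.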