-# $OpenLDAP: pkg/openldap-guide/admin/access-control.sdf,v 1.9 2009-06-19 19:12:12 ghenry Exp $
-# Copyright 1999-2009 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP$
+# Copyright 1999-2012 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: Access Control
As a consequence, it's useless (and results in a performance penalty) to explicitly
list the {{rootdn}} among the {{<by>}} clauses.
-The following sections will describe Access Control Lists in more details and
-follow with some examples and recommendations.
+The following sections will describe Access Control Lists in greater depth and
+follow with some examples and recommendations. See {{slapd.access}}(5) for
+complete details.
H2: Access Control via Static Configuration
> access to dn.subtree="dc=example,dc=com" attrs=homePhone
> by self write
> by dn.children="dc=example,dc=com" search
-> by peername.regex=IP:10\..+ read
+> by peername.regex=IP=10\..+ read
> access to dn.subtree="dc=example,dc=com"
> by self write
> by dn.children="dc=example,dc=com" search
> olcAccess: to dn.subtree="dc=example,dc=com" attrs=homePhone
> by self write
> by dn.children=dc=example,dc=com" search
-> by peername.regex=IP:10\..+ read
+> by peername.regex=IP=10\..+ read
> olcAccess: to dn.subtree="dc=example,dc=com"
> by self write
> by dn.children="dc=example,dc=com" search
Generally one should start with some basic ACLs such as:
-> access to attrs=userPassword
+> access to attr=userPassword
> by self =xw
> by anonymous auth
> by * none
H3: Controlling rootdn access
-You could specify the {{rootdn}} in {{slapd.conf}}(5) or {[slapd.d}} without
+You could specify the {{rootdn}} in {{slapd.conf}}(5) or {{slapd.d}} without
specifying a {{rootpw}}. Then you have to add an actual directory entry with
the same dn, e.g.:
> by group.exact="cn=Administrators,dc=example,dc=com" write
> by * auth
-Like by {[dn}} clauses, one can also use {{expand}} to expand the group name
+Like by {{dn}} clauses, one can also use {{expand}} to expand the group name
based upon the regular expression matching of the target, that is, the to {{dn.regex}}).
For instance,
The general rule is: "special access rules first, generic access rules last"
-See also {{slapd.access}}(8), loglevel 128 and {{slapacl}}(8) for debugging
+See also {{slapd.access}}(5), loglevel 128 and {{slapacl}}(8) for debugging
information.
write access to the specified attributes. Better yet, this will happen to any
entry she accesses which has Mary as the manager.
-This is all cool and nice, but perhaps gives to much power to secretaries. Maybe we need to further
+This is all cool and nice, but perhaps gives too much power to secretaries. Maybe we need to further
restrict it. For example, let's only allow executive secretaries to have this power:
> access to dn.exact="uid=john,ou=people,dc=example,dc=com"
-# $OpenLDAP: pkg/openldap-guide/admin/overlays.sdf,v 1.47 2009-12-15 12:09:35 ghenry Exp $
-# Copyright 2007-2009 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP$
+# Copyright 2007-2012 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: Overlays
Occasionally, applications want to read back the data that they just wrote.
If a modification requested to a shadow server was silently chained to its
-producer, an immediate read could result in receiving data not yet synchronized.
+provider, an immediate read could result in receiving data not yet synchronized.
In those cases, clients should use the {{B:dontusecopy}} control to ensure
they are directed to the authoritative source for that piece of data.
> ...
> overlay dynlist
> dynlist-attrset groupOfURLs labeledURI member
-
++
+Note: We must include the {{F:dyngroup.schema}} file that defines the
+{{F:groupOfURLs}} objectClass used in this example.
> include /usr/share/openldap/schema/core.schema
> include /usr/share/openldap/schema/cosine.schema
-> modulepath /usr/lib/openldap
-> moduleload memberof.la
+>
> authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
> "cn=Manager,dc=example,dc=com"
> database bdb
H3: Proxy Cache Configuration
The cache configuration specific directives described below must
-appear after a {{EX:overlay proxycache}} directive within a
-{{EX:"database meta"}} or {{EX:database ldap}} section of
+appear after a {{EX:overlay pcache}} directive within a
+{{EX:"database meta"}} or {{EX:"database ldap"}} section of
the server's {{slapd.conf}}(5) file.
H4: Setting cache parameters
-> p
roxyCache <DB> <maxentries> <nattrsets> <entrylimit> <period>
+> p
cache <DB> <maxentries> <nattrsets> <entrylimit> <period>
This directive enables proxy caching and sets general cache
parameters. The <DB> parameter specifies which underlying database
{{EX:bdb}} or {{EX:hdb}}. The <maxentries> parameter specifies the
total number of entries which may be held in the cache. The
<nattrsets> parameter specifies the total number of attribute sets
-(as specified by the {{EX:proxyAttrSet}} directive) that may be
+(as specified by the {{EX:pcacheAttrset}} directive) that may be
defined. The <entrylimit> parameter specifies the maximum number of
entries in a cacheable query. The <period> specifies the consistency
check period (in seconds). In each period, queries with expired
H4: Defining attribute sets
-> p
roxyAttrset <index> <attrs...>
+> p
cacheAttrset <index> <attrs...>
Used to associate a set of attributes to an index. Each attribute
set is associated with an index number from 0 to <numattrsets>-1.
-These indices are used by the proxyTemplate directive to define
+These indices are used by the pcacheTemplate directive to define
cacheable templates.
H4: Specifying cacheable templates
-> p
roxyTemplate <prototype_string> <attrset_index> <TTL>
+> p
cacheTemplate <prototype_string> <attrset_index> <TTL>
Specifies a cacheable template and the "time to live" (in sec) <TTL>
for queries belonging to the template. A template is described by
by <attrset_index>.
-H4: Example
+H4: Example for slapd.conf
An example {{slapd.conf}}(5) database section for a caching server
which proxies for the {{EX:"dc=example,dc=com"}} subtree held
> suffix "dc=example,dc=com"
> rootdn "dc=example,dc=com"
> uri ldap://ldap.example.com/
-> overlay proxycache
-> proxycache bdb 100000 1 1000 100
-> proxyAttrset 0 mail postaladdress telephonenumber
-> proxyTemplate (sn=) 0 3600
-> proxyTemplate (&(sn=)(givenName=)) 0 3600
-> proxyTemplate (&(departmentNumber=)(secretary=*)) 0 3600
+> overlay pcache
+> pcache bdb 100000 1 1000 100
+> pcacheAttrset 0 mail postaladdress telephonenumber
+> pcacheTemplate (sn=) 0 3600
+> pcacheTemplate (&(sn=)(givenName=)) 0 3600
+> pcacheTemplate (&(departmentNumber=)(secretary=*)) 0 3600
>
> cachesize 20
> directory ./testrun/db.2.a
> index objectClass eq
> index cn,sn,uid,mail pres,eq,sub
+H4: Example for slapd-config
+
+The same example as a LDIF file for back-config for a caching server
+which proxies for the {{EX:"dc=example,dc=com"}} subtree held
+at server {{EX:ldap.example.com}}.
+
+> dn: olcDatabase={2}ldap
+> objectClass: olcDatabaseConfig
+> objectClass: olcLDAPConfig
+> olcDatabase: {2}ldap
+> olcSuffix: dc=example,dc=com
+> olcRootDN: dc=example,dc=com
+> olcDbURI: "ldap://ldap.example.com"
+>
+> dn: olcOverlay={0}pcache
+> objectClass: olcOverlayConfig
+> objectClass: olcPcacheConfig
+> olcOverlay: {0}pcache
+> olcPcache: bdb 100000 1 1000 100
+> olcPcacheAttrset: 0 mail postalAddress telephoneNumber
+> olcPcacheTemplate: "(sn=)" 0 3600 0 0 0
+> olcPcacheTemplate: "(&(sn=)(givenName=))" 0 3600 0 0 0
+> olcPcacheTemplate: "(&(departmentNumber=)(secretary=))" 0 3600
+>
+> dn: olcDatabase={0}hdb
+> objectClass: olcHdbConfig
+> objectClass: olcPcacheDatabase
+> olcDatabase: {0}hdb
+> olcDbDirectory: ./testrun/db.2.a
+> olcDbCacheSize: 20
+> olcDbIndex: objectClass eq
+> olcDbIndex: cn,sn,uid,mail pres,eq,sub
+
H5: Cacheable Queries
A LDAP search query is cacheable when its filter matches one of the
-templates as defined in the "proxyTemplate" statements and when it references
+templates as defined in the "pcacheTemplate" statements and when it references
only the attributes specified in the corresponding attribute set.
In the example above the attribute set number 0 defines that only the
attributes: {{EX:mail postaladdress telephonenumber}} are cached for the following
-proxyTemplates.
+pcacheTemplates.
H5: Examples:
> Attrs: mail telephoneNumber
is cacheable, because it matches the template {{EX:(&(sn=)(givenName=))}} and its
- attributes are contained in proxyAttrset 0.
+ attributes are contained in pcacheAttrset 0.
> Filter: (&(sn=Richard*)(telephoneNumber))
> Attrs: givenName
would be a single member in the group: {{F:cn=admin,dc=example,dc=com}}. This is the
{{F:refint_nothing}} parameter kicking into action so that the schema is not violated.
+The {{rootdn}} must be set for the database as refint runs as the {{rootdn}} to gain access to
+make its updates. The {{rootpw}} does not need to be set.
H3: Further Information
> pidfile ./slapd.pid
> argsfile ./slapd.args
>
-> modulepath /usr/local/libexec/openldap
-> moduleload back_bdb.la
-> moduleload back_ldap.la
-> moduleload translucent.la
->
> database bdb
> suffix "dc=suretecsystems,dc=com"
> rootdn "cn=trans,dc=suretecsystems,dc=com"
projects / openldap / commitdiff