only going to know how to handle simple LDAP URLs that
contain a host part and optionally a distinguished name part.
-H4: schemacheck { on | off }
-
-This directive turns schema checking on or off. If schema
-checking is on, entries added or modified through LDAP operations
-will be checked to ensure they obey the schema rules implied
-by their object class(es) as defined by the corresponding objectclass
-directive(s). If schema checking is off this check is not done.
-
-\Default:
-
-> schemacheck on
H4: sizelimit <integer>
This marks the beginning of a new LDBM backend database
instance definition.
-H4: lastmod { on | off }
-
-This directive controls whether slapd will automatically maintain
-the modifiersName, modifyTimestamp, creatorsName, and
-createTimestamp attributes for entries.
-
-\Default:
-
-> lastmod on
H4: readonly { on | off }
> rootdn "uid=root@EXAMPLE.COM"
-H4: rootkrbname <kerberosname>
-
-This directive specifies a Kerberos name for the DN given above
-that will always work, regardless of whether an entry with the
-given DN exists or has a {{EX:krbName}} attribute.
-This directive is deprecated in favor of SASL based authentication.
-
-\Example:
-
-> rootkrbname admin@EXAMPLE.COM
-
-
H4: rootpw <password>
This directive specifies a password for the DN given above that
> filter=<ldap filter>
where <ldap filter> is a string representation of an LDAP
-search filter, as described in RFC 2254.
-
-The special entry selector "*" is used to select any entry,
-and is a convenient shorthand for the equivalent "dn=.*" selector.
+search filter, as described in {{REF:RFC2254}}.
Attributes within an entry are selected by including a
comma-separated list of attribute names in the <what>
{{EX:entry}} attribute is also required. The complete examples at
the end of this section should help clear things up.
+Lastly, there is a special entry selector {{EX:"*"}} is used to
+select any entry. It is used when no other {{EX:<what>}}
+selector has been provided. It's equivalent to "{{EX:dn=.*}}"
H3: Who to grant access to
The <who> part identifies the entity or entities being granted
access. Note that access is granted to "entities" not "entries."
-Entities can be specified by the special "*" identifier, matching
-any entry, the keyword "self" matching the entry protected by
-the access, or by a regular expression matching an entry's
-distinguished name:
+The follow table summaries entity specifiers:
+
+!block table; align=Center; \
+ title="Table 5.2: Access Entity Specifiers"
+Specifier Entities
+* All, including anonymous and authenticated users
+anonymous Anonymous (non-authenticated) users
+users Authenticated users
+self User associated with target entry
+dn=<regex> Users matching regular expression
+!endblock
+
+The DN specifier takes a regular expression which is used
+to match against the "normalized" DN of the current entity.
> dn=<regular expression>
-Note: The DN pattern specified should be "normalized",
-meaning that there should be no extra spaces, and commas
-should be used to separate components.
+By "normalized", we mean that all extra spaces have been
+removed from the entities DN and commas are used to
+separate RDN components.
-Or entities can be specified by a regular expression matching
-the client's IP address or domain name:
+Other control factors forms are also supported.
+For example, a {{EX:<what>}} can be restricted by a
+regular expression matching the client's IP address or domain name:
> addr=<regular expression>
> domain=<regular expression>
the group entry).
-
H3: The access to grant
!block table; colaligns="LRL"; align=Center; \
- title="Table 5.2: Access Levels"
+ title="Table 5.3: Access Levels"
Level Privledges Description
none no access
auth =x needed to bind
allows authenticate, and allows authenticated users to read.
Note that only the first {{EX:by <who>}} clause which matches applies.
Hence, the anonymous users are granted {{EX:auth}}, not {{EX:read}}.
+The last clause just as well have been "{{EX:by users read}}".
The following example shows the use of a regular expression
to select the entries by DN in two access directives where
the entry attribute is required because access to the entry is
required to access any of the entry's attributes.
-Note that the {{EX:attr=member}} construct in the {{EX:<what>}}
-clause is a shorthand for the clause "{{EX:dn=.* attr=member}}"
-(i.e., it matches the {{EX:member}} attribute in all entries).
-
-
+!if 0
+For more details on how to use the {{EX:access}} directive,
+consult the {{Advanced Access Control}} chapter.
+!endif
H2: Schema Specification
the tree as follows:
!block table; colaligns="LR"; coltags="EX,N"; align=Center; \
- title="Table 5.1: Debugging Levels"
-{{N:OID}} Assignment
+ title="Table 5.4: Example OID hierarchy"
+OID Assignment
1.1 Organization's OID
1.1.1 SNMP Elements
1.1.2 LDAP Elements
maintained for several attributes, and the {{EX:userPassword}}
attribute is to be protected from unauthorized access.
-E: 4. # ldbm definition for the example.com
-E: 5. database ldbm
-E: 6. suffix "dc=example, dc=com"
-E: 7. directory /usr/local/var/openldap
-E: 8. rootdn "cn=Manager, dc=example, dc=com"
-E: 9. rootpw secret
-E: 10. replogfile /usr/local/var/openldap/slapd.replog
-E: 11. replica host=slave1.example.com:389
-E: 12. binddn="cn=Replicator, dc=example, dc=com"
-E: 13. bindmethod=simple credentials=secret
-E: 14. replica host=slave2.example.com
-E: 15. binddn="cn=Replicator, dc=example, dc=com"
-E: 16. bindmethod=kerberos
-E: 17. srvtab=/etc/srvtab.slave2
-E: 18. # ldbm indexed attribute definitions
-E: 19. index uid pres,eq
-E: 20. index cn,sn,uid pres,eq,approx,sub
-E: 21. index objectClass eq
-E: 22. # ldbm access control definitions
-E: 23. access to attr=userPassword
-E: 24. by self write
-E: 25. by anonymous auth
-E: 26. by dn="cn=Admin,dc=example,dc=com" write
-E: 27. by * none
-E: 28. access to *
-E: 29. by self write
-E: 30. by anonymous auth
-E: 31. by dn="cn=Admin,dc=example,dc=com" write
-E: 32. by * read
+E: 4. # ldbm definition for the example.com
+E: 5. database ldbm
+E: 6. suffix "dc=example, dc=com"
+E: 7. directory /usr/local/var/openldap
+E: 8. rootdn "cn=Manager, dc=example, dc=com"
+E: 9. rootpw secret
+E: 10. # replication directives
+E: 11. replogfile /usr/local/var/openldap/slapd.replog
+E: 12. replica host=slave1.example.com:389
+E: 13. binddn="cn=Replicator, dc=example, dc=com"
+E: 14. bindmethod=simple credentials=secret
+E: 15. replica host=slave2.example.com
+E: 16. binddn="cn=Replicator, dc=example, dc=com"
+E: 17. bindmethod=simple credentials=secret
+E: 18. # indexed attribute definitions
+E: 19. index uid pres,eq
+E: 20. index cn,sn,uid pres,eq,approx,sub
+E: 21. index objectClass eq
+E: 22. # ldbm access control definitions
+E: 23. access to attr=userPassword
+E: 24. by self write
+E: 25. by anonymous auth
+E: 26. by dn="cn=Admin,dc=example,dc=com" write
+E: 27. by * none
+E: 28. access to *
+E: 29. by self write
+E: 30. by anonymous auth
+E: 31. by dn="cn=Admin,dc=example,dc=com" write
+E: 32. by * read
Line 4 is a comment. The start of the database definition is
marked by the database keyword on line 5. Line 6 specifies
through 13 specify the hostname and port for a replicated
host, the DN to bind as when performing updates, the bind
method (simple) and the credentials (password) for the
-binddn. Lines 14 through 17 specify a second replication site,
-using Kerberos instead of simple authentication. See Section
-10 on slurpd for more information on these directives.
+binddn. Lines 14 through 17 specify a second replication site.
+See the {{SECT:Replication with slurpd}} chapter for more
+information on these directives.
Lines 19 through 21 indicate the indexes to maintain for
various attributes.
another LDBM database. This one handles queries involving
the {{EX:dc=example,dc=net}} subtree.
-E: 33. # ldbm definition for example.net
-E: 34. database ldbm
-E: 35. suffix "dc=example, dc=net"
-E: 36. directory /usr/local/var/ldbm-example-net
-E: 37. rootdn "cn=Manager, dc=example, dc=net"
-
+E: 33. # ldbm definition for example.net
+E: 34. database ldbm
+E: 35. suffix "dc=example, dc=net"
+E: 36. directory /usr/local/var/ldbm-example-net
+E: 37. rootdn "cn=Manager, dc=example, dc=com"
+E: 38. access to * by users read
projects / openldap / commitdiff