From: Kurt Zeilenga Date: Tue, 9 Aug 2005 18:58:45 +0000 (+0000) Subject: Sync with HEAD X-Git-Tag: OPENLDAP_REL_ENG_2_3_5~30 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=feeec4191f9c45f6f2f494467a8785f9c89f1d06;p=openldap Sync with HEAD --- diff --git a/doc/man/man5/slapd-bdb.5 b/doc/man/man5/slapd-bdb.5 index bccb72d0fe..52859538ff 100644 --- a/doc/man/man5/slapd-bdb.5 +++ b/doc/man/man5/slapd-bdb.5 @@ -3,21 +3,24 @@ .\" Copying restrictions apply. See COPYRIGHT/LICENSE. .\" $OpenLDAP$ .SH NAME -slapd-bdb, slapd-hdb \- Berkeley DB backends to slapd +\fBslapd-bdb\fP, \fBslapd-hdb\fP \- Berkeley DB backends to \fBslapd\fP .SH SYNOPSIS -ETCDIR/slapd.conf +.B ETCDIR/slapd.conf .SH DESCRIPTION -The BDB backend to +The \fBbdb\fP backend to .BR slapd (8) -is the recommended backend for a normal slapd database. +is the recommended backend for a normal +.B slapd +database. However, it takes more care than with the LDBM backend to configure it properly. It uses the Sleepycat Berkeley DB (BDB) package to store data. It makes extensive use of indexing and caching to speed data access. .LP -"hdb" is a variant of the BDB backend that uses a hierarchical database +\fBhdb\fP is a variant of the \fBbdb\fP backend that uses a +hierarchical database layout which supports subtree renames. It is otherwise identical to -the "bdb" behavior, and all the same configuration options apply. +the \fBbdb\fP behavior, and all the same configuration options apply. .LP It is noted that these options are intended to complement Berkeley DB configuration options set in the environment's 
@@ -31,30 +34,30 @@ take precedence. .SH CONFIGURATION These .B slapd.conf -options apply to the BDB backend database. +options apply to the \fBbdb\fP and \fBhdb\fP backend database. That is, they must follow a "database bdb" or "database hdb" line and come before any subsequent "backend" or "database" lines. Other database options are described in the .BR slapd.conf (5) manual page. .TP -.B cachesize +.BI cachesize \ Specify the size in entries of the in-memory entry cache maintained -by the BDB backend database instance. +by the \fBbdb\fP or \fBhdb\fP backend database instance. The default is 1000 entries. .TP -.B checkpoint +.BI checkpoint \ \ Specify the frequency for checkpointing the database transaction log. A checkpoint operation flushes the database buffers to disk and writes a checkpoint record in the log. -The checkpoint will occur if either data has been written or - minutes have passed since the last checkpoint. +The checkpoint will occur if either \fI\fP data has been written or +\fI\fP minutes have passed since the last checkpoint. Both arguments default to zero, in which case they are ignored. When -the argument is non-zero, an internal task will run every -minutes to perform the checkpoint. +the \fI\fP argument is non-zero, an internal task will run every +\fI\fP minutes to perform the checkpoint. See the Berkeley DB reference guide for more details. .TP -.B dbconfig +.BI dbconfig \ Specify a configuration directive to be placed in the .B DB_CONFIG file of the database directory. The 
@@ -63,11 +66,14 @@ directive is just a convenience to allow all necessary configuration to be set in the .B slapd.conf file. -The options set using this directive will only be written to the DB_CONFIG +The options set using this directive will only be written to the +.B DB_CONFIG file if no such file existed at server startup time. This allows one -to set initial values without overwriting/destroying a DB_CONFIG file -that was already customized through other means. This directive may -be specified multiple times, as needed. For example +to set initial values without overwriting/destroying a +.B DB_CONFIG +file that was already customized through other means. +This directive may be specified multiple times, as needed. +For example: .RS .nf dbconfig set_cachesize 0 1048576 0 @@ -82,7 +88,7 @@ Enabling this option may improve performance at the expense of data security. See the Berkeley DB reference guide for more details. .TP -.B directory +.BI directory \ Specify the directory where the BDB files containing this database and associated indexes live. A separate directory must be specified for each database. 
@@ -98,19 +104,20 @@ results if the data comes from a transaction that is later aborted. In this case, the modified data is discarded and a subsequent search will return a different result. .TP -.B idlcachesize +.BI idlcachesize \ Specify the size of the in-memory index cache, in index slots. The default is zero. A larger value will speed up frequent searches of -indexed entries. An hdb database needs a large idlcachesize -for good search performance, typically three times the entry cache size +indexed entries. An \fBhdb\fP database needs a large \fBidlcachesize\fP +for good search performance, typically three times the +.B cachesize +(entry cache size) or larger. .TP -.B -index {|default} [pres,eq,approx,sub,] +\fBindex \fR{\fI\fR|\fBdefault\fR} [\fBpres\fR,\fBeq\fR,\fBapprox\fR,\fBsub\fR,\fI\fR] Specify the indexes to maintain for the given attribute (or list of attributes). Some attributes only support a subset of indexes. -If only an is given, the indices specified for \fBdefault\fR +If only an \fI\fP is given, the indices specified for \fBdefault\fR are maintained. Note that setting a default does not imply that all attributes will be indexed. Also, for best performance, an 
@@ -133,31 +140,46 @@ may be specified to disallow use of this index by language subtypes. The special type .B nosubtypes may be specified to disallow use of this index by named subtypes. -Note: changing index settings requires rebuilding indices, see -.BR slapindex (8). +Note: changing \fBindex\fP settings in +.BR slapd.conf (5) +requires rebuilding indices, see +.BR slapindex (8); +changing \fBindex\fP settings +dynamically by LDAPModifying "cn=config" automatically causes rebuilding +of the indices online in a background task. .TP .B linearindex -Tell slapindex to index one attribute at a time. By default, all indexed +Tell +.B slapindex +to index one attribute at a time. By default, all indexed attributes in an entry are processed at the same time. With this option, each indexed attribute is processed individually, using multiple passes -through the entire database. This option improves slapindex performance -when the database size exceeds the dbcache size. When the dbcache is +through the entire database. This option improves +.B slapindex +performance +when the database size exceeds the \fBdbcache\fP size. When the \fBdbcache\fP is large enough, this option is not needed and will decrease performance. -Also by default, slapadd performs full indexing and so a separate slapindex -run is not needed. With this option, slapadd does no indexing and slapindex +Also by default, +.B slapadd +performs full indexing and so a separate +.B slapindex +run is not needed. With this option, +.B slapadd +does no indexing and +.B slapindex must be used. .TP -.B lockdetect {oldest|youngest|fewest|random|default} +.BR lockdetect \ { oldest | youngest | fewest | random | default } Specify which transaction to abort when a deadlock is detected. -The default is the same as +The default is .BR random . .TP -.B mode +.BI mode \ Specify the file protection mode that newly created database index files should have. The default is 0600. 
.TP -.B searchstack +.BI searchstack \ Specify the depth of the stack used for search filter evaluation. Search filters are evaluated on a stack to accommodate nested AND / OR clauses. An individual stack is assigned to each server thread. @@ -170,7 +192,7 @@ but specifying too much stack will also consume a great deal of memory. Each search stack uses 512K bytes per level. The default stack depth is 16, thus 8MB per thread is used. .TP -.B shm_key +.BI shm_key \ Specify a key for a shared memory BDB environment. By default the BDB environment uses memory mapped files. If a non-zero value is specified, it will be used as the key to identify a shared memory @@ -184,10 +206,12 @@ backends honor access control semantics as indicated in .BR slapd.access (5). .SH FILES .TP -ETCDIR/slapd.conf -default slapd configuration file +.B ETCDIR/slapd.conf +default +.B slapd +configuration file .TP -DB_CONFIG +.B DB_CONFIG Berkeley DB configuration file .SH SEE ALSO .BR slapd.conf (5), diff --git a/doc/man/man5/slapd-meta.5 b/doc/man/man5/slapd-meta.5 index e686aaf9a7..9c61bb15d1 100644 --- a/doc/man/man5/slapd-meta.5 +++ b/doc/man/man5/slapd-meta.5 @@ -105,6 +105,22 @@ before any target specification, it applies to all targets (by default, .BR never ); the global value can be overridden by redefinitions inside each target specification. + +.TP +.B onerr {CONTINUE|stop} +This directive allows to select the behavior in case an error is returned +by one target during a search. +The default, \fBcontinue\fP, consists in continuing the operation, +trying to return as much data as possible. +If this statement is set to \fBstop\fP, the search is terminated as soon +as an error is returned by one target, and the error is immediately +propagated to the client. + +.TP +.B rebind-as-user {NO|yes} +If this option is given, the client's bind credentials are remembered +for rebinds when chasing referrals. + .SH TARGET SPECIFICATION Target specification starts with a "uri" directive: 
@@ -165,16 +181,13 @@ Password used with the acl-authcDN above. -.TP -.B rebind-as-user {NO|yes} -If this option is given, the client's bind credentials are remembered -for rebinds when chasing referrals. - .TP .B chase-referrals {YES|no} enable/disable automatic referral chasing, which is delegated to the underlying libldap, with rebinding eventually performed if the \fBrebind-as-user\fP directive is used. The default is to chase referrals. +If set before any target specification, it affects all targets, unless +overridden by any per-target directive. .TP .B tls {[try-]start|[try-]propagate} @@ -184,6 +197,8 @@ only works if the URI directive protocol scheme is not \fBldaps://\fP. connection did. The \fBtry-\fP prefix instructs the proxy to continue operations if start TLS failed; its use is highly deprecated. +If set before any target specification, it affects all targets, unless +overridden by any per-target directive. .TP .B t-f-support {NO|yes|discover} 
@@ -192,16 +207,26 @@ enable if the remote server supports absolute filters If set to .BR discover , support is detected by reading the remote server's root DSE. - -.TP -.B onerr {CONTINUE|stop} -This directive allows to select the behavior in case an error is returned -by one target during a search. -The default, \fBcontinue\fP, consists in continuing the operation, -trying to return as much data as possible. -If this statement is set to \fBstop\fP, the search is terminated as soon -as an error is returned by one target, and the error is immediately -propagated to the client. +If set before any target specification, it affects all targets, unless +overridden by any per-target directive. + +.TP +.B timeout [{add|delete|modify|modrdn}=] [...] +This directive allows to set per-database, per-target and per-operation +timeouts. +If no operation is specified, it affects all. +Currently, only write operations are addressed, because searches +can already be limited by means of the +.B limits +directive (see +.BR slapd.conf (5) +for details), and other operations are not supposed to incur into the +need for timeouts. +Note: if the timelimit is exceeded, the operation is abandoned; +the protocol does not provide any means to rollback the operation, +so the client will not know if the operation eventually succeeded or not. +If set before any target specification, it affects all targets, unless +overridden by any per-target directive. .TP .B pseudorootdn "" diff --git a/doc/man/man5/slapd-monitor.5 b/doc/man/man5/slapd-monitor.5 index 542032b559..88199292de 100644 --- a/doc/man/man5/slapd-monitor.5 +++ b/doc/man/man5/slapd-monitor.5 
@@ -3,15 +3,19 @@ .\" Copying restrictions apply. See COPYRIGHT/LICENSE. .\" $OpenLDAP$ .SH NAME -slapd-monitor \- Monitor backend to slapd +.B slapd-monitor +\- Monitor backend to slapd .SH SYNOPSIS ETCDIR/slapd.conf .SH DESCRIPTION -The monitor backend to +The +.B monitor +backend to .BR slapd (8) is not an actual database; if enabled, it is automatically generated -and dynamically maintained by slapd with information about the running -status of the daemon. +and dynamically maintained by +.B slapd +with information about the running status of the daemon. .LP To inspect all monitor information, issue a subtree search with base cn=Monitor, requesting that attributes "+" and "*" are returned. @@ -22,19 +26,23 @@ attributes. .SH CONFIGURATION These .B slapd.conf -options apply to the monitor backend database. +options apply to the +.B monitor +backend database. That is, they must follow a "database monitor" line and come before any subsequent "backend" or "database" lines. .LP -As opposed to most databases, the monitor database can be instantiated -only once, i.e. only one occurrence of "database monitor" can occur -in the +As opposed to most databases, the +.B monitor +database can be instantiated only once, i.e. only one occurrence +of "database monitor" can occur in the .BR slapd.conf (5) file. Moreover, the suffix of the database cannot be explicitly set by means of the .B suffix -directive; on the contrary, the suffix is automatically set +directive. +The suffix is automatically set to "\fIcn=Monitor\fP". .LP The 
@@ -46,15 +54,14 @@ and the directives, and the usual ACL directives, e.g. the .B access directive. -.LP -The following directives can be used: -.TP -.B l -The -.B -string is added to the "\fIcn=Monitor\fP" entry as value of the -.B l -attribute (Note: this may be subjected to changes). +.\".LP +.\"The following directives can be used: +.\".TP +.\".BI l \ +.\"The additional argument \fI\fP, +.\"a string, is added to the "\fIcn=Monitor\fP" entry as value of the +.\".B l +.\"attribute (Note: this may be subjected to changes). .LP Other database options are described in the .BR slapd.conf (5) @@ -62,7 +69,7 @@ manual page. .SH USAGE The usage is: .TP -1) enable the monitor backend at configure: +1) enable the \fBmonitor\fP backend at configure: .LP .RS .nf @@ -70,9 +77,7 @@ configure --enable-monitor .fi .RE .TP -2) activate the monitor database in the -.BR slapd.conf (5) -file: +2) activate the \fBmonitor\fP database in the \fBslapd.conf\fP(5) file: .LP .RS .nf @@ -80,9 +85,7 @@ database monitor .fi .RE .TP -3) add ACLs as detailed in -.BR slapd.access (5) -to control access to the database, e.g.: +3) add ACLs as detailed in \fBslapd.access\fP(5) to control access to the database, e.g.: .LP .RS .nf @@ -94,7 +97,9 @@ access to dn.subtree="cn=Monitor" .RE .TP 4) ensure that the \fBcore.schema\fP file is loaded. -The monitor backend relies on some standard track attributeTypes +The +.B monitor +backend relies on some standard track attributeTypes that must be already defined when the backend is started. .SH ACCESS CONTROL The @@ -105,10 +110,12 @@ including the .B disclose access privilege, on all currently implemented operations. .SH KNOWN LIMITATIONS -The monitor backend does not honor size/time limits in search operations. +The +.B monitor +backend does not honor size/time limits in search operations. .SH FILES .TP -ETCDIR/slapd.conf +.B ETCDIR/slapd.conf default slapd configuration file .SH SEE ALSO .BR slapd.conf (5), 
diff --git a/doc/man/man5/slapd-sql.5 b/doc/man/man5/slapd-sql.5 index fd2c9f6003..7048ce96f3 100644 --- a/doc/man/man5/slapd-sql.5 +++ b/doc/man/man5/slapd-sql.5 @@ -161,7 +161,7 @@ The default is The statement that is used to delete an existing entry's ID from table \fIldap_objclasses\fP; see "METAINFORMATION USED" for details. The default is -\fB""DELETE FROM ldap_entry_objclasses WHERE entry_id=?"\fP. +\fB"DELETE FROM ldap_entry_objclasses WHERE entry_id=?"\fP. .RE .SH HELPER CONFIGURATION diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5 index 8eea8a1b8d..7413ee6e07 100644 --- a/doc/man/man5/slapd.access.5 +++ b/doc/man/man5/slapd.access.5 @@ -806,6 +806,25 @@ or the (even more silly) example .LP which grants everybody search and compare privileges, and adds read privileges to authenticated clients. +.LP +One useful application is to easily grant write privileges to an +.B updatedn +that is different from the +.BR rootdn . +In this case, since the +.B updatedn +needs write access to (almost) all data, one can use +.LP +.nf + access to * + by dn.exact="cn=The Update DN,dc=example,dc=com" write + by * break +.fi +.LP +as the first access rule. +As a consequence, unless the operation is performed with the +.B updatedn +identity, control is passed straight to the subsequent rules. .SH OPERATION REQUIREMENTS Operations require different privileges on different portions of entries. The following summary applies to primary database backends such as diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index fcd80166e3..573d4f1af8 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -970,9 +970,12 @@ type of backend. Mark the beginning of a backend definition. should be one of .BR bdb , +.BR config , .BR dnssrv , +.BR hdb , .BR ldap , .BR ldbm , +.BR ldif , .BR meta , .BR monitor , .BR null , 
@@ -980,9 +983,8 @@ should be one of .BR perl , .BR relay , .BR shell , -.BR sql , or -.BR tcl , +.BR sql , depending on which backend will serve the database. .SH GENERAL DATABASE OPTIONS @@ -998,9 +1000,12 @@ option are mandatory for each database. Mark the beginning of a new database instance definition. should be one of .BR bdb , +.BR config , .BR dnssrv , +.BR hdb , .BR ldap , .BR ldbm , +.BR ldif , .BR meta , .BR monitor , .BR null , @@ -1008,9 +1013,8 @@ should be one of .BR perl , .BR relay , .BR shell , -.BR sql , or -.BR tcl , +.BR sql , depending on which backend will serve the database. .TP .B lastmod on | off @@ -1552,21 +1556,34 @@ However, it takes more care than with the LDBM backend to configure it properly. It uses the Sleepycat Berkeley DB (BDB) package to store data. .TP -.B ldbm -This is the database backend which is easiest to configure. -However, it does not offer the data durability features of the BDB -backend. -It uses Berkeley DB or GDBM to store data. +.B config +This backend is used to manage the configuration of slapd run-time. .TP .B dnssrv This backend is experimental. It serves up referrals based upon SRV resource records held in the Domain Name System. .TP +.B hdb +This is a variant of the BDB backend that uses a hierarchical database +layout which supports subtree renames. +.TP .B ldap This backend acts as a proxy to forward incoming requests to another LDAP server. .TP +.B ldbm +This is the database backend which is easiest to configure. +However, it does not offer the data durability features of the BDB +backend. +It uses Berkeley DB or GDBM to store data. +.TP +.B ldif +This database uses the filesystem to build the tree structure +of the database, using plain ascii files to store data. +Its usage should be limited to very simple databases, where performances +are not a requirement. +.TP .B meta This backend performs basic LDAP proxying with respect to a set of remote LDAP servers. It is an enhancement of the ldap backend. The 
@@ -1593,7 +1610,8 @@ interpreter into slapd. It runs Perl subroutines to implement LDAP operations. .TP .B relay -This backend redirects LDAP operations to another database +This backend is experimental. +It redirects LDAP operations to another database in the same server, based on the naming context of the request. Its use requires the .B rwm 
@@ -1610,13 +1628,100 @@ It is primarily intended to be used in prototypes. .B sql This backend is experimental. It services LDAP requests from an SQL database. +.SH OVERLAYS +The following overlays can be compiled into slapd. +They are documented in the +.BR slapo- (5) +manual pages. .TP -.B tcl -This backend is experimental. -It embeds a -.BR Tcl (3tcl) -interpreter into slapd. -It runs Tcl commands to implement LDAP operations. +.B accesslog +Access Logging. +This overlay can record accesses to a given backend database on another +database. +.TP +.B auditlog +Audit Logging. +This overlay records changes on a given backend database to an LDIF log +file. +By default it is not built. +.TP +.B chain +Chaining. +This overlay allows automatic referral chasing when a referral would +have been returned. +.TP +.B denyop +Deny Operation. +This overlay allows selected operations to be denied, similar to the +\fBrestrict\fP option. +.TP +.B dyngroup +Dynamic Group. +This is a demo overlay which extends the Compare operation to detect +members of a dynamic group. +It has no effect on any other operations. +.TP +.B dynlist +Dynamic List. +This overlay allows expansion of dynamic groups and more. +.TP +.B glue +Backend Glue. +This overlay glues multiple databases into a single namingContext. +.TP +.B lastmod +Last Modification. +This overlay maintains a service entry in the database with the DN, +modification type, modifiersName and modifyTimestamp of the last write +operation performed on that database. +.TP +.B pcache +Proxycache. +This overlay allows caching of LDAP search requests in a local database. +.TP +.B ppolicy +Password Policy. +This overlay provides a variety of password control mechanisms, +e.g. password aging, password reuse and duplication control, mandatory +password resets, etc. +.TP +.B refint +Referential Integrity. 
+This overlay can be used with a backend database such as +.BR slapd-bdb (5) +to maintain the cohesiveness of a schema which utilizes reference +attributes. +.TP +.B retcode +Return Code. +This overlay is useful to test the behavior of clients when +server-generated erroneous and/or unusual responses occur. +.TP +.B rwm +Rewrite/remap. +This overlay is experimental. +It performs basic DN/data rewrite and +objectClass/attributeType mapping. +.TP +.B syncprov +Syncrepl Provider. +This overlay implements the provider-side support for +.B syncrepl +replication, including persistent search functionality. +.TP +.B translucent +Translucent Proxy. +This overlay can be used with a backend database such as +.BR slapd-bdb (5) +to create a "translucent proxy". +Content of entries retrieved from a remote LDAP server can be partially +overridden by the database. +.TP +.B unique +Attribute Uniqueness. +This overlay can be used with a backend database such as +.BR slapd-bdb (5) +to enforce the uniqueness of some or all attributes within a subtree. .SH EXAMPLES .LP Here is a short example of a configuration file: @@ -1632,6 +1737,11 @@ pidfile LOCALSTATEDIR/slapd.pid attributeoptions x-hidden lang- access to attr=name;x-hidden by * =cs +# Protect passwords. See \fBslapd.access\fP(5). +access to attrs=userPassword by * auth +# Read access to other attributes and entries. +access to * by * read + database bdb suffix "dc=our-domain,dc=com" # The database directory MUST exist prior to @@ -1654,6 +1764,15 @@ lastmod off "OpenLDAP Administrator's Guide" contains a longer annotated example of a configuration file. The original ETCDIR/slapd.conf is another example. +.SH OBSOLETED DIRECTIVES +.TP +.B subordinate +This directive was used in OpenLDAP 2.1 and 2.2 to glue a database +with its superior. The same functionality is now provided by the +.B glue +overlay; see +.BR slapo-glue (5) +for details. .SH FILES .TP ETCDIR/slapd.conf 
@@ -1662,8 +1781,10 @@ default slapd configuration file .BR ldap (3), .BR slapd\-bdb (5), .BR slapd\-dnssrv (5), +.BR slapd\-hdb (5), .BR slapd\-ldap (5), .BR slapd\-ldbm (5), +.BR slapd\-ldif (5), .BR slapd\-meta (5), .BR slapd\-monitor (5), .BR slapd\-null (5), @@ -1687,11 +1808,19 @@ default slapd configuration file .BR slurpd (8). Known overlays are documented in +.BR slapo\-accesslog (5), +.BR slapo\-auditlog (5), +.BR slapo\-chain (5), +.BR slapo\-dynlist (5), +.BR slapo\-glue (5), .BR slapo\-lastmod (5), .BR slapo\-pcache (5), .BR slapo\-ppolicy (5), .BR slapo\-refint (5), +.BR slapo\-retcode (5), .BR slapo\-rwm (5), +.BR slapo\-syncprov (5), +.BR slapo\-translucent (5), .BR slapo\-unique (5). .LP "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) diff --git a/doc/man/man5/slapo-glue.5 b/doc/man/man5/slapo-glue.5 index f9195bffcf..23d8f569c1 100644 --- a/doc/man/man5/slapo-glue.5 +++ b/doc/man/man5/slapo-glue.5 @@ -15,11 +15,12 @@ should have identical rootdns. All search and write operations will be intercepted by this overlay. Searches against the root database will be propagated to all the subordinates. Write -operations will pass unaltered to the relevant target database. Note that +operations will pass unaltered to the relevant target database. + +Note that any overlays on the root database configured before this overlay will fail to execute. As such, the glue overlay should always be the first overlay configured on the root database. - .SH CONFIGURATION These .B slapd.conf 
@@ -37,6 +38,41 @@ optional \fBasync\fP keyword is supplied, searches against this database may be spawned in a separate thread to run concurrently with other operations (currently not implemented). If the optional \fBadvertise\fP flag is supplied, the naming context is advertised in the root DSE. +.SH EXAMPLE +The following will cause a search from dc=example,dc=com to search +people as well, but it will not search services. +.LP +.RS +.nf +database bdb +suffix "ou=people,dc=example,dc=com" + +database bdb +suffix "ou=services,dc=example,dc=com" + +database bdb +suffix "dc=example,dc=com" +overlay glue +glue-sub "ou=people,dc=example,dc=com" +.fi +.RE +.SH NOTES +Databases that are glued together should usually be configured with +the same indexes, even for attributes that only exist in some of +these databases. +A search for an attribute which is only indexed in some of the glued +databases must otherwise examine each entry in the search scope in the +other databases, looking for the attribute. + +If the extra indexes assist searches one would prefer not to +support, these can be disabled with access controls in some of the +databases. +E.g.: +.RS +access to attrs=cn by * =rcxd +.RE +See +.BR slapd.access (5). .SH FILES .TP ETCDIR/slapd.conf diff --git a/doc/man/man5/slapo-rwm.5 b/doc/man/man5/slapo-rwm.5 index a95e9276d4..f2dd650f8b 100644 --- a/doc/man/man5/slapo-rwm.5 +++ b/doc/man/man5/slapo-rwm.5 @@ -22,6 +22,8 @@ either remotely, in conjunction with the proxy backend described in .BR slapd-ldap (5), or locally, in conjunction with the relay backend described in .BR slapd-relay (5). +.LP +This overlay is experimental. .SH MAPPING An important feature of the .B rwm diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8 index 43876d916d..015905ad18 100644 --- a/doc/man/man8/slapd.8 +++ b/doc/man/man8/slapd.8 
@@ -64,7 +64,7 @@ Listen on IPv4 addresses only. .B \-6 Listen on IPv6 addresses only. .TP -.B \-T {a|c|d|i|p|t} +.B \-T {a|c|d|i|p|t|acl|auth} Run in Tool mode. The additional argument selects whether to run as slapadd, slapcat, slapdn, slapindex, slappasswd, or slaptest (slapacl and slapauth need the entire "\fIacl\fP" and "\fIauth\fP" @@ -124,7 +124,7 @@ Specifies the slapd configuration file. The default is .BR ETCDIR/slapd.conf . .TP .BI \-F " slapd\-config\-directory" -Specifies the slapd configuration file. The default is +Specifies the slapd configuration directory. The default is .BR ETCDIR/slapd.d . If both .B -f 
@@ -159,19 +159,22 @@ Support for the latter two schemes depends on selected configuration options. Hosts may be specified by name or IPv4 and IPv6 address formats. Ports, if specified, must be numeric. The default ldap:// port is 389 and the default ldaps:// port is 636. -The socket permissions for LDAP over IPC are indicated by + +The listener permissions are indicated by "x-mod=-rwxrwxrwx", "x-mod=0777" or "x-mod=777", where any -of the "rwx" can be "-" to suppress the related permission (note, -however, that sockets only honor the "w" permission), while any +of the "rwx" can be "-" to suppress the related permission, while any of the "7" can be any legal octal digit, according to chmod(1). -While LDAP over IPC requires write permissions on the socket to allow -any operation, the other listeners can take advantage of the "x-mod" -extension to apply rough limitations to users, e.g. allow read operations +The listeners can take advantage of the "x-mod" +extension to apply rough limitations to operations, e.g. allow read operations ("r", which applies to search and compare), write operations ("w", which applies to add, delete, modify and modrdn), and execute operations ("x", which means bind is required). -"User" permissions apply to bound users, while "other" apply -to anonymous users. +"User" permissions apply to authenticated users, while "other" apply +to anonymous users; "group" permissions are ignored. +For example, "ldap:///????x-mod=-rw-------" means that read and write is only allowed +for authenticated connections, and bind is required for all operations. +This feature is experimental, and requires to be manually enabled +at configure time. .TP .BI \-r " directory" Specifies a directory to become the root directory. slapd will
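Review bot: in the slapd-bdb.5 CONFIGURATION hunks every rewritten directive line ends with an empty argument (".BI cachesize \ ", ".BI checkpoint \ \ ", ".BI idlcachesize \ ", ".BI mode \ ", ".BI searchstack \ ", ".BI shm_key \ ") and the checkpoint paragraph has empty font pairs ("The checkpoint will occur if either \fI\fP data has been written or \fI\fP minutes have passed"), so the rendered page would show "cachesize" followed by nothing and "if either  data has been written". If the placeholder names were written in angle brackets and dropped on the way into the commit, re-check the committed source; otherwise add the argument names the running text already implies (the data-amount and minutes arguments for checkpoint, a slot count for idlcachesize, an octal mode for mode, a key for shm_key) so each ".BI" line and each "\fI...\fP" pair has something to render.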
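Review bot: in the slapd-bdb.5 "index" hunk, the new sentence "changing \fBindex\fP settings dynamically by LDAPModifying "cn=config" automatically causes rebuilding of the indices online in a background task" leaves an operator without the two facts that matter during the rebuild: whether searches filtering on the affected attribute run unindexed until the task finishes, and how completion is reported. Add one sentence for each. Wording: "by modifying the index settings under "cn=config" over LDAP" reads better than "by LDAPModifying".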
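Review bot: in the slapd-meta.5 hunk that moves "onerr {CONTINUE|stop}" and "rebind-as-user {NO|yes}" ahead of the TARGET SPECIFICATION section, both entries lack the sentence the other globalised directives in this patch carry ("If set before any target specification, it affects all targets, unless overridden by any per-target directive"); add it, or say explicitly if these two cannot be overridden per target. The "rebind-as-user" text, "the client's bind credentials are remembered for rebinds when chasing referrals", should also state the consequence of "yes": the proxy keeps the client's credentials and replays them to whichever server a referral names, which may be outside the administrator's control, so the default "no" is the safe setting and "yes" belongs only in deployments where every referral target is trusted. Grammar in the moved "onerr" text: "This directive allows to select" should be "This directive allows one to select".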
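Review bot: in the slapd-meta.5 hunk that adds "timeout", the syntax line ".B timeout [{add|delete|modify|modrdn}=] [...]" has nothing after the "=", so the reader cannot tell what the value is or its unit, and "[...]" does not say what repeats; state the unit (seconds, presumably) and give a one-line example. The note "the protocol does not provide any means to rollback the operation, so the client will not know if the operation eventually succeeded or not" is the operationally important part and should also name the result code the client receives when the timeout fires: a client that retries on that code may apply the same write twice if the target completed the first attempt after the proxy abandoned it. Grammar: "This directive allows to set" should be "This directive allows one to set", and "incur into the need for timeouts" should be "incur the need for timeouts".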
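Review bot: in the slapd-monitor.5 CONFIGURATION hunk the "l" directive is commented out with ".\"" rather than deleted, which leaves seven lines in the source that never render and an empty argument on the commented ".BI l \ " line. If the backend no longer accepts "l", delete the block and record the directive under an obsoleted-directives heading, as slapd.conf.5 now does for "subordinate"; if the backend still accepts it, keep it documented rather than hidden. The "(Note: this may be subjected to changes)" aside should be "(Note: this may be subject to change)".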
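Review bot: in the slapd.access.5 hunk, the recommended first rule "access to * by dn.exact="cn=The Update DN,dc=example,dc=com" write by * break" grants that identity write on every entry and every attribute in the database, userPassword included, and no later rule is consulted for it; "(almost) all data" understates that, since "*" here is unrestricted. Say so plainly, and add that the updatedn's credentials therefore need the same protection as the rootdn's. Because the example is meant for a consumer database, it should also mention the "updatedn" directive of slapd.conf(5), so the reader ties the rule to the replica's update identity rather than to an ordinary user DN.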
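Review bot: in the slapd.conf.5 EXAMPLES hunk, "access to attrs=userPassword by * auth" followed by "access to * by * read" means no ACL-governed identity can change a password, not even the entry itself; only the rootdn, which bypasses access control, can set one. If a minimal read-only example is the intent, say so in the "# Protect passwords." comment; otherwise put "by self write" ahead of "by * auth" so users can change their own password while everyone else gets only auth. The two new rules are placed after the existing "access to attr=name;x-hidden by * =cs" line, which is correct since rules are evaluated in order and that rule is attribute-specific, but the ordering dependence deserves a comment in the example.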
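Review bot: in the slapd.conf.5 OVERLAYS hunk, "denyop" and "dyngroup" are described, but the SEE ALSO hunk that adds "slapo\-accesslog (5)" through "slapo\-translucent (5)" adds neither "slapo\-denyop" nor "slapo\-dyngroup"; add the two references or state in the overlay entries that no manual page exists yet. Wording in the backend list of the same file: "using plain ascii files" should be "using plain ASCII files", "where performances are not a requirement" should be "where performance is not a requirement", and "manage the configuration of slapd run-time" should be "manage the configuration of slapd at run time". The "ldif" entry should also say what file protection mode the backend gives the files it creates, since those files hold the directory contents in clear and slapd-bdb.5 documents the equivalent for its index files under "mode".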
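Review bot: in the slapo-glue.5 NOTES hunk, "access to attrs=cn by * =rcxd" sits between ".RS" and ".RE" without ".nf"/".fi", unlike the EXAMPLE block added just above it, so it will be filled into the surrounding paragraph; wrap it the same way. The example also needs one sentence on why it works: "=rcxd" grants read, compare, auth and disclose but withholds search, so filters on "cn" cannot use the index in that database while the attribute stays readable in returned entries. The blank lines used as paragraph separators in this hunk, and the one this patch inserts before "Note that" in the DESCRIPTION hunk, should be ".LP" as in the rest of these pages.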
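Review bot: in the slapd.8 listener hunk, the rewritten x-mod paragraph defines "x" as "execute operations ("x", which means bind is required)" and then explains the example "ldap:///????x-mod=-rw-------", which has no "x" bit at all, as "bind is required for all operations"; the example derives that from the empty "other" permissions, not from "x", so one of the two statements needs rewording. The hunk also removes the earlier caveat that sockets only honor the "w" permission; if that still holds for ldapi:// listeners, keep it, because local administrators rely on socket mode for access control there. "This feature is experimental, and requires to be manually enabled at configure time" should name the configure option that enables it, and since the text itself calls these "rough limitations", one sentence should say that x-mod is a coarse per-listener filter that complements, not replaces, the access controls of slapd.access(5).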