From 5d6d7ee5b5f000305994d61105445320ea586e41 Mon Sep 17 00:00:00 2001 From: Gavin Henry Date: Fri, 19 Jun 2009 21:12:12 +0000 Subject: [PATCH] ITS#6183 Configuration examples should not be in ACL section --- doc/guide/admin/access-control.sdf | 217 ----------------------------- doc/guide/admin/slapdconf2.sdf | 155 +++++++++++++++++++-- doc/guide/admin/slapdconfig.sdf | 88 ++++++++++++ 3 files changed, 228 insertions(+), 232 deletions(-) diff --git a/doc/guide/admin/access-control.sdf b/doc/guide/admin/access-control.sdf index 9de4b1c0f2..0ec48c840c 100644 --- a/doc/guide/admin/access-control.sdf +++ b/doc/guide/admin/access-control.sdf @@ -365,93 +365,6 @@ consult the {{Advanced Access Control}} chapter. !endif -H3: Configuration File Example - -The following is an example configuration file, interspersed -with explanatory text. It defines two databases to handle -different parts of the {{TERM:X.500}} tree; both are {{TERM:BDB}} -database instances. The line numbers shown are provided for -reference only and are not included in the actual file. First, the -global configuration section: - -E: 1. # example config file - global configuration section -E: 2. include /usr/local/etc/schema/core.schema -E: 3. referral ldap://root.openldap.org -E: 4. access to * by * read - -Line 1 is a comment. Line 2 includes another config file -which contains {{core}} schema definitions. -The {{EX:referral}} directive on line 3 -means that queries not local to one of the databases defined -below will be referred to the LDAP server running on the -standard port (389) at the host {{EX:root.openldap.org}}. - -Line 4 is a global access control. It applies to all -entries (after any applicable database-specific access -controls). - -The next section of the configuration file defines a BDB -backend that will handle queries for things in the -"dc=example,dc=com" portion of the tree. The -database is to be replicated to two slave slapds, one on -truelies, the other on judgmentday. Indices are to be -maintained for several attributes, and the {{EX:userPassword}} -attribute is to be protected from unauthorized access. - -E: 5. # BDB definition for the example.com -E: 6. database bdb -E: 7. suffix "dc=example,dc=com" -E: 8. directory /usr/local/var/openldap-data -E: 9. rootdn "cn=Manager,dc=example,dc=com" -E: 10. rootpw secret -E: 11. # indexed attribute definitions -E: 12. index uid pres,eq -E: 13. index cn,sn,uid pres,eq,approx,sub -E: 14. index objectClass eq -E: 15. # database access control definitions -E: 16. access to attrs=userPassword -E: 17. by self write -E: 18. by anonymous auth -E: 19. by dn.base="cn=Admin,dc=example,dc=com" write -E: 20. by * none -E: 21. access to * -E: 22. by self write -E: 23. by dn.base="cn=Admin,dc=example,dc=com" write -E: 24. by * read - -Line 5 is a comment. The start of the database definition is marked -by the database keyword on line 6. Line 7 specifies the DN suffix -for queries to pass to this database. Line 8 specifies the directory -in which the database files will live. - -Lines 9 and 10 identify the database {{super-user}} entry and associated -password. This entry is not subject to access control or size or -time limit restrictions. - -Lines 12 through 14 indicate the indices to maintain for various -attributes. - -Lines 16 through 24 specify access control for entries in this -database. For all applicable entries, the {{EX:userPassword}} attribute is writable -by the entry itself and by the "admin" entry. It may be used for -authentication/authorization purposes, but is otherwise not readable. -All other attributes are writable by the entry and the "admin" -entry, but may be read by all users (authenticated or not). - -The next section of the example configuration file defines another -BDB database. This one handles queries involving the -{{EX:dc=example,dc=net}} subtree but is managed by the same entity -as the first database. Note that without line 39, the read access -would be allowed due to the global access rule at line 4. - -E: 33. # BDB definition for example.net -E: 34. database bdb -E: 35. suffix "dc=example,dc=net" -E: 36. directory /usr/local/var/openldap-data-net -E: 37. rootdn "cn=Manager,dc=example,dc=com" -E: 38. index objectClass eq -E: 39. access to * by users read - H2: Access Control via Dynamic Configuration Access to slapd entries and attributes is controlled by the @@ -861,136 +774,6 @@ consult the {{Advanced Access Control}} chapter. !endif -H3: Configuration Example - -The following is an example configuration, interspersed -with explanatory text. It defines two databases to handle -different parts of the {{TERM:X.500}} tree; both are {{TERM:BDB}} -database instances. The line numbers shown are provided for -reference only and are not included in the actual file. First, the -global configuration section: - -E: 1. # example config file - global configuration entry -E: 2. dn: cn=config -E: 3. objectClass: olcGlobal -E: 4. cn: config -E: 5. olcReferral: ldap://root.openldap.org -E: 6. - -Line 1 is a comment. Lines 2-4 identify this as the global -configuration entry. -The {{EX:olcReferral:}} directive on line 5 -means that queries not local to one of the databases defined -below will be referred to the LDAP server running on the -standard port (389) at the host {{EX:root.openldap.org}}. -Line 6 is a blank line, indicating the end of this entry. - -E: 7. # internal schema -E: 8. dn: cn=schema,cn=config -E: 9. objectClass: olcSchemaConfig -E: 10. cn: schema -E: 11. - -Line 7 is a comment. Lines 8-10 identify this as the root of -the schema subtree. The actual schema definitions in this entry -are hardcoded into slapd so no additional attributes are specified here. -Line 11 is a blank line, indicating the end of this entry. - -E: 12. # include the core schema -E: 13. include: file:///usr/local/etc/openldap/schema/core.ldif -E: 14. - -Line 12 is a comment. Line 13 is an LDIF include directive which -accesses the {{core}} schema definitions in LDIF format. Line 14 -is a blank line. - -Next comes the database definitions. The first database is the -special {{EX:frontend}} database whose settings are applied globally -to all the other databases. - -E: 15. # global database parameters -E: 16. dn: olcDatabase=frontend,cn=config -E: 17. objectClass: olcDatabaseConfig -E: 18. olcDatabase: frontend -E: 19. olcAccess: to * by * read -E: 20. - -Line 15 is a comment. Lines 16-18 identify this entry as the global -database entry. Line 19 is a global access control. It applies to all -entries (after any applicable database-specific access controls). - -The next entry defines a BDB backend that will handle queries for things -in the "dc=example,dc=com" portion of the tree. Indices are to be maintained -for several attributes, and the {{EX:userPassword}} attribute is to be -protected from unauthorized access. - -E: 21. # BDB definition for example.com -E: 22. dn: olcDatabase=bdb,cn=config -E: 23. objectClass: olcDatabaseConfig -E: 24. objectClass: olcBdbConfig -E: 25. olcDatabase: bdb -E: 26. olcSuffix: "dc=example,dc=com" -E: 27. olcDbDirectory: /usr/local/var/openldap-data -E: 28. olcRootDN: "cn=Manager,dc=example,dc=com" -E: 29. olcRootPW: secret -E: 30. olcDbIndex: uid pres,eq -E: 31. olcDbIndex: cn,sn,uid pres,eq,approx,sub -E: 32. olcDbIndex: objectClass eq -E: 33. olcAccess: to attrs=userPassword -E: 34. by self write -E: 35. by anonymous auth -E: 36. by dn.base="cn=Admin,dc=example,dc=com" write -E: 37. by * none -E: 38. olcAccess: to * -E: 39. by self write -E: 40. by dn.base="cn=Admin,dc=example,dc=com" write -E: 41. by * read -E: 42. - -Line 21 is a comment. Lines 22-25 identify this entry as a BDB database -configuration entry. Line 26 specifies the DN suffix -for queries to pass to this database. Line 27 specifies the directory -in which the database files will live. - -Lines 28 and 29 identify the database {{super-user}} entry and associated -password. This entry is not subject to access control or size or -time limit restrictions. - -Lines 30 through 32 indicate the indices to maintain for various -attributes. - -Lines 33 through 41 specify access control for entries in this -database. For all applicable entries, the {{EX:userPassword}} attribute is writable -by the entry itself and by the "admin" entry. It may be used for -authentication/authorization purposes, but is otherwise not readable. -All other attributes are writable by the entry and the "admin" -entry, but may be read by all users (authenticated or not). - -Line 42 is a blank line, indicating the end of this entry. - -The next section of the example configuration file defines another -BDB database. This one handles queries involving the -{{EX:dc=example,dc=net}} subtree but is managed by the same entity -as the first database. Note that without line 52, the read access -would be allowed due to the global access rule at line 19. - -E: 43. # BDB definition for example.net -E: 44. dn: olcDatabase=bdb,cn=config -E: 45. objectClass: olcDatabaseConfig -E: 46. objectClass: olcBdbConfig -E: 47. olcDatabase: bdb -E: 48. olcSuffix: "dc=example,dc=net" -E: 49. olcDbDirectory: /usr/local/var/openldap-data-net -E: 50. olcRootDN: "cn=Manager,dc=example,dc=com" -E: 51. olcDbIndex: objectClass eq -E: 52. olcAccess: to * by users read - - -H3: Converting from {{slapd.conf}}(5) to a {{B:cn=config}} directory format - -See the related section in {{SECT:Configuring slapd}}. - - H2: Access Control Common Examples H3: Basic ACLs diff --git a/doc/guide/admin/slapdconf2.sdf b/doc/guide/admin/slapdconf2.sdf index cbf4df4aaa..e8d66cb779 100644 --- a/doc/guide/admin/slapdconf2.sdf +++ b/doc/guide/admin/slapdconf2.sdf @@ -35,21 +35,6 @@ do not support runtime configuration yet. In those cases, the old style {{slapd.conf}}(5) file must be used. -H2: Converting old style {{slapd.conf}}(5) file to {{cn=config}} format - -An existing {{slapd.conf}}(5) file can be converted to the new format using -{{slaptest}}(8) or any of the slap tools: - -> slaptest -f /usr/local/etc/openldap/slapd.conf -F /usr/local/etc/openldap/slapd.d - -You can then discard the old {{slapd.conf}}(5) file. Make sure to launch -{{slapd}}(8) with the {{-F}} option to specify the configuration directory. - -Note: When converting from the slapd.conf format to slapd.d format, any -included files will also be integrated into the resulting configuration -database. - - H2: Configuration Layout The slapd configuration is stored as a special LDAP directory with @@ -989,3 +974,143 @@ H4: Sample Entry >olcDbConfig: set_flags DB_LOG_AUTOREMOVE >olcDbIDLcacheSize: 3000 >olcDbIndex: objectClass eq + + +H2: Configuration Example + +The following is an example configuration, interspersed +with explanatory text. It defines two databases to handle +different parts of the {{TERM:X.500}} tree; both are {{TERM:BDB}} +database instances. The line numbers shown are provided for +reference only and are not included in the actual file. First, the +global configuration section: + +E: 1. # example config file - global configuration entry +E: 2. dn: cn=config +E: 3. objectClass: olcGlobal +E: 4. cn: config +E: 5. olcReferral: ldap://root.openldap.org +E: 6. + +Line 1 is a comment. Lines 2-4 identify this as the global +configuration entry. +The {{EX:olcReferral:}} directive on line 5 +means that queries not local to one of the databases defined +below will be referred to the LDAP server running on the +standard port (389) at the host {{EX:root.openldap.org}}. +Line 6 is a blank line, indicating the end of this entry. + +E: 7. # internal schema +E: 8. dn: cn=schema,cn=config +E: 9. objectClass: olcSchemaConfig +E: 10. cn: schema +E: 11. + +Line 7 is a comment. Lines 8-10 identify this as the root of +the schema subtree. The actual schema definitions in this entry +are hardcoded into slapd so no additional attributes are specified here. +Line 11 is a blank line, indicating the end of this entry. + +E: 12. # include the core schema +E: 13. include: file:///usr/local/etc/openldap/schema/core.ldif +E: 14. + +Line 12 is a comment. Line 13 is an LDIF include directive which +accesses the {{core}} schema definitions in LDIF format. Line 14 +is a blank line. + +Next comes the database definitions. The first database is the +special {{EX:frontend}} database whose settings are applied globally +to all the other databases. + +E: 15. # global database parameters +E: 16. dn: olcDatabase=frontend,cn=config +E: 17. objectClass: olcDatabaseConfig +E: 18. olcDatabase: frontend +E: 19. olcAccess: to * by * read +E: 20. + +Line 15 is a comment. Lines 16-18 identify this entry as the global +database entry. Line 19 is a global access control. It applies to all +entries (after any applicable database-specific access controls). + +The next entry defines a BDB backend that will handle queries for things +in the "dc=example,dc=com" portion of the tree. Indices are to be maintained +for several attributes, and the {{EX:userPassword}} attribute is to be +protected from unauthorized access. + +E: 21. # BDB definition for example.com +E: 22. dn: olcDatabase=bdb,cn=config +E: 23. objectClass: olcDatabaseConfig +E: 24. objectClass: olcBdbConfig +E: 25. olcDatabase: bdb +E: 26. olcSuffix: "dc=example,dc=com" +E: 27. olcDbDirectory: /usr/local/var/openldap-data +E: 28. olcRootDN: "cn=Manager,dc=example,dc=com" +E: 29. olcRootPW: secret +E: 30. olcDbIndex: uid pres,eq +E: 31. olcDbIndex: cn,sn,uid pres,eq,approx,sub +E: 32. olcDbIndex: objectClass eq +E: 33. olcAccess: to attrs=userPassword +E: 34. by self write +E: 35. by anonymous auth +E: 36. by dn.base="cn=Admin,dc=example,dc=com" write +E: 37. by * none +E: 38. olcAccess: to * +E: 39. by self write +E: 40. by dn.base="cn=Admin,dc=example,dc=com" write +E: 41. by * read +E: 42. + +Line 21 is a comment. Lines 22-25 identify this entry as a BDB database +configuration entry. Line 26 specifies the DN suffix +for queries to pass to this database. Line 27 specifies the directory +in which the database files will live. + +Lines 28 and 29 identify the database {{super-user}} entry and associated +password. This entry is not subject to access control or size or +time limit restrictions. + +Lines 30 through 32 indicate the indices to maintain for various +attributes. + +Lines 33 through 41 specify access control for entries in this +database. For all applicable entries, the {{EX:userPassword}} attribute is writable +by the entry itself and by the "admin" entry. It may be used for +authentication/authorization purposes, but is otherwise not readable. +All other attributes are writable by the entry and the "admin" +entry, but may be read by all users (authenticated or not). + +Line 42 is a blank line, indicating the end of this entry. + +The next section of the example configuration file defines another +BDB database. This one handles queries involving the +{{EX:dc=example,dc=net}} subtree but is managed by the same entity +as the first database. Note that without line 52, the read access +would be allowed due to the global access rule at line 19. + +E: 43. # BDB definition for example.net +E: 44. dn: olcDatabase=bdb,cn=config +E: 45. objectClass: olcDatabaseConfig +E: 46. objectClass: olcBdbConfig +E: 47. olcDatabase: bdb +E: 48. olcSuffix: "dc=example,dc=net" +E: 49. olcDbDirectory: /usr/local/var/openldap-data-net +E: 50. olcRootDN: "cn=Manager,dc=example,dc=com" +E: 51. olcDbIndex: objectClass eq +E: 52. olcAccess: to * by users read + + +H2: Converting old style {{slapd.conf}}(5) file to {{cn=config}} format + +An existing {{slapd.conf}}(5) file can be converted to the new format using +{{slaptest}}(8) or any of the slap tools: + +> slaptest -f /usr/local/etc/openldap/slapd.conf -F /usr/local/etc/openldap/slapd.d + +You can then discard the old {{slapd.conf}}(5) file. Make sure to launch +{{slapd}}(8) with the {{-F}} option to specify the configuration directory. + +Note: When converting from the slapd.conf format to slapd.d format, any +included files will also be integrated into the resulting configuration +database. diff --git a/doc/guide/admin/slapdconfig.sdf b/doc/guide/admin/slapdconfig.sdf index f4ed11e657..a05f41a9ae 100644 --- a/doc/guide/admin/slapdconfig.sdf +++ b/doc/guide/admin/slapdconfig.sdf @@ -573,3 +573,91 @@ containing the database and associated indices live. \Default: > directory /usr/local/var/openldap-data + + +H2: Configuration File Example + +The following is an example configuration file, interspersed +with explanatory text. It defines two databases to handle +different parts of the {{TERM:X.500}} tree; both are {{TERM:BDB}} +database instances. The line numbers shown are provided for +reference only and are not included in the actual file. First, the +global configuration section: + +E: 1. # example config file - global configuration section +E: 2. include /usr/local/etc/schema/core.schema +E: 3. referral ldap://root.openldap.org +E: 4. access to * by * read + +Line 1 is a comment. Line 2 includes another config file +which contains {{core}} schema definitions. +The {{EX:referral}} directive on line 3 +means that queries not local to one of the databases defined +below will be referred to the LDAP server running on the +standard port (389) at the host {{EX:root.openldap.org}}. + +Line 4 is a global access control. It applies to all +entries (after any applicable database-specific access +controls). + +The next section of the configuration file defines a BDB +backend that will handle queries for things in the +"dc=example,dc=com" portion of the tree. The +database is to be replicated to two slave slapds, one on +truelies, the other on judgmentday. Indices are to be +maintained for several attributes, and the {{EX:userPassword}} +attribute is to be protected from unauthorized access. + +E: 5. # BDB definition for the example.com +E: 6. database bdb +E: 7. suffix "dc=example,dc=com" +E: 8. directory /usr/local/var/openldap-data +E: 9. rootdn "cn=Manager,dc=example,dc=com" +E: 10. rootpw secret +E: 11. # indexed attribute definitions +E: 12. index uid pres,eq +E: 13. index cn,sn,uid pres,eq,approx,sub +E: 14. index objectClass eq +E: 15. # database access control definitions +E: 16. access to attrs=userPassword +E: 17. by self write +E: 18. by anonymous auth +E: 19. by dn.base="cn=Admin,dc=example,dc=com" write +E: 20. by * none +E: 21. access to * +E: 22. by self write +E: 23. by dn.base="cn=Admin,dc=example,dc=com" write +E: 24. by * read + +Line 5 is a comment. The start of the database definition is marked +by the database keyword on line 6. Line 7 specifies the DN suffix +for queries to pass to this database. Line 8 specifies the directory +in which the database files will live. + +Lines 9 and 10 identify the database {{super-user}} entry and associated +password. This entry is not subject to access control or size or +time limit restrictions. + +Lines 12 through 14 indicate the indices to maintain for various +attributes. + +Lines 16 through 24 specify access control for entries in this +database. For all applicable entries, the {{EX:userPassword}} attribute is writable +by the entry itself and by the "admin" entry. It may be used for +authentication/authorization purposes, but is otherwise not readable. +All other attributes are writable by the entry and the "admin" +entry, but may be read by all users (authenticated or not). + +The next section of the example configuration file defines another +BDB database. This one handles queries involving the +{{EX:dc=example,dc=net}} subtree but is managed by the same entity +as the first database. Note that without line 39, the read access +would be allowed due to the global access rule at line 4. + +E: 33. # BDB definition for example.net +E: 34. database bdb +E: 35. suffix "dc=example,dc=net" +E: 36. directory /usr/local/var/openldap-data-net +E: 37. rootdn "cn=Manager,dc=example,dc=com" +E: 38. index objectClass eq +E: 39. access to * by users read -- 2.39.5