From 779d6af56da8facfcaf2a4ad7ed689dc36bd986a Mon Sep 17 00:00:00 2001 
From: Quanah Gibson-Mount Date: Sat, 1 Sep 2007 01:48:46 +0000 Subject: [PATCH] Sync 2.4 guide with HEAD for 2.4.5 --- doc/guide/COPYRIGHT | 6 +- doc/guide/admin/Makefile | 26 +- doc/guide/admin/README.spellcheck | 16 + doc/guide/admin/appendix-changes.sdf | 208 ++++ doc/guide/admin/appendix-configs.sdf | 14 + doc/guide/admin/aspell.en.pws | 1406 ++++++++++++++++++++++++++ doc/guide/admin/backends.sdf | 262 +++++ doc/guide/admin/config.sdf | 4 +- doc/guide/admin/config_dit.gif | Bin 4599 -> 0 bytes doc/guide/admin/config_dit.png | Bin 0 -> 19735 bytes doc/guide/admin/config_local.gif | Bin 1910 -> 0 bytes doc/guide/admin/config_local.png | Bin 0 -> 4172 bytes doc/guide/admin/config_ref.gif | Bin 3134 -> 0 bytes doc/guide/admin/config_ref.png | Bin 0 -> 7556 bytes doc/guide/admin/config_x500fe.gif | Bin 1667 -> 0 bytes doc/guide/admin/config_x500ref.gif | Bin 2395 -> 0 bytes doc/guide/admin/dbtools.sdf | 2 +- doc/guide/admin/guide.book | 3 + doc/guide/admin/install.sdf | 12 +- doc/guide/admin/intro.sdf | 148 ++- doc/guide/admin/intro_dctree.gif | Bin 6054 -> 0 bytes doc/guide/admin/intro_dctree.png | Bin 0 -> 21788 bytes doc/guide/admin/intro_tree.gif | Bin 6622 -> 0 bytes doc/guide/admin/intro_tree.png | Bin 0 -> 24714 bytes doc/guide/admin/maintenance.sdf | 110 ++ doc/guide/admin/master.sdf | 27 +- doc/guide/admin/monitoringslapd.sdf | 11 +- doc/guide/admin/overlays.sdf | 413 ++++++++ doc/guide/admin/preface.sdf | 4 +- doc/guide/admin/proxycache.sdf | 148 --- doc/guide/admin/referrals.sdf | 7 + doc/guide/admin/replication.gif | Bin 3538 -> 0 bytes doc/guide/admin/replication.sdf | 897 ++++++++++------ doc/guide/admin/runningslapd.sdf | 4 +- doc/guide/admin/sasl.sdf | 19 +- doc/guide/admin/schema.sdf | 32 +- doc/guide/admin/security.sdf | 3 +- doc/guide/admin/slapdconf2.sdf | 137 +-- doc/guide/admin/slapdconfig.sdf | 138 +-- doc/guide/admin/syncrepl.sdf | 404 -------- doc/guide/admin/title.sdf | 2 +- doc/guide/admin/tls.sdf | 5 +- 
doc/guide/admin/troubleshooting.sdf | 89 ++ doc/guide/admin/tuning.sdf | 383 +++++-- doc/guide/plain.sdf | 2 +- doc/guide/preamble.sdf | 5 +- doc/guide/release/copyright.sdf | 6 +- 47 files changed, 3676 insertions(+), 1277 deletions(-) create mode 100644 doc/guide/admin/README.spellcheck create mode 100644 doc/guide/admin/appendix-changes.sdf create mode 100644 doc/guide/admin/appendix-configs.sdf create mode 100644 doc/guide/admin/aspell.en.pws create mode 100644 doc/guide/admin/backends.sdf delete mode 100644 doc/guide/admin/config_dit.gif create mode 100644 doc/guide/admin/config_dit.png delete mode 100644 doc/guide/admin/config_local.gif create mode 100644 doc/guide/admin/config_local.png delete mode 100644 doc/guide/admin/config_ref.gif create mode 100644 doc/guide/admin/config_ref.png delete mode 100644 doc/guide/admin/config_x500fe.gif delete mode 100644 doc/guide/admin/config_x500ref.gif create mode 100644 doc/guide/admin/guide.book delete mode 100644 doc/guide/admin/intro_dctree.gif create mode 100644 doc/guide/admin/intro_dctree.png delete mode 100644 doc/guide/admin/intro_tree.gif create mode 100644 doc/guide/admin/intro_tree.png create mode 100644 doc/guide/admin/maintenance.sdf create mode 100644 doc/guide/admin/overlays.sdf delete mode 100644 doc/guide/admin/proxycache.sdf delete mode 100644 doc/guide/admin/replication.gif delete mode 100644 doc/guide/admin/syncrepl.sdf create mode 100644 doc/guide/admin/troubleshooting.sdf diff --git a/doc/guide/COPYRIGHT b/doc/guide/COPYRIGHT index 27a4e73735..3e2fba9504 100644 --- a/doc/guide/COPYRIGHT +++ b/doc/guide/COPYRIGHT 
@@ -36,9 +36,11 @@ Public License. --- -Portions Copyright 1999-2005 Howard Y.H. Chu. -Portions Copyright 1999-2005 Symas Corporation. +Portions Copyright 1999-2007 Howard Y.H. Chu. +Portions Copyright 1999-2007 Symas Corporation. Portions Copyright 1998-2003 Hallvard B. Furuseth. +Portions Copyright 2007 Gavin Henry +Portions Copyright 2007 Suretec Systems All rights reserved. Redistribution and use in source and binary forms, with or without diff --git a/doc/guide/admin/Makefile b/doc/guide/admin/Makefile index dfae7270e9..6b33980f98 100644 --- a/doc/guide/admin/Makefile +++ b/doc/guide/admin/Makefile @@ -18,16 +18,19 @@ sdf-src: \ ../plain.sdf \ ../preamble.sdf \ abstract.sdf \ + appendix-configs.sdf \ + backends.sdf \ config.sdf \ dbtools.sdf \ glossary.sdf \ guide.sdf \ install.sdf \ intro.sdf \ + maintenance.sdf \ master.sdf \ monitoringslapd.sdf \ + overlays.sdf \ preface.sdf \ - proxycache.sdf \ quickstart.sdf \ referrals.sdf \ replication.sdf \ @@ -36,21 +39,19 @@ sdf-src: \ schema.sdf \ security.sdf \ slapdconfig.sdf \ - syncrepl.sdf \ title.sdf \ tls.sdf \ + troubleshooting.sdf \ tuning.sdf sdf-img: \ ../images/LDAPlogo.gif \ - config_local.gif \ - config_ref.gif \ + config_dit.png \ + config_local.png \ + config_ref.png \ config_repl.gif \ - config_x500fe.gif \ - config_x500ref.gif \ - intro_dctree.gif \ - intro_tree.gif \ - replication.gif + intro_dctree.png \ + intro_tree.png \ guide.html: guide.sdf sdf-src sdf-img sdf -2html guide.sdf @@ -62,6 +63,7 @@ admin.html: admin.sdf sdf-src sdf-img sdf -DPDF -2html admin.sdf guide.pdf: admin.html - htmldoc --book --duplex --bottom 36 --top 36 \ - --toclevels 2 \ - -f guide.pdf admin.html + htmldoc --batch guide.book + +clean: + rm -f *.pdf *.html *~ diff --git a/doc/guide/admin/README.spellcheck b/doc/guide/admin/README.spellcheck new file mode 100644 index 0000000000..729b247882 --- /dev/null +++ b/doc/guide/admin/README.spellcheck 
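Review bot: In the first doc/guide/admin/Makefile hunk, `sdf-src` gains `appendix-configs.sdf` but not `appendix-changes.sdf`, although this commit creates both files. If master.sdf includes the changes appendix (that hunk is outside this view), editing it will not trigger a rebuild of guide.html or admin.html. I would add `appendix-changes.sdf \` on the line before `appendix-configs.sdf \`. The `sdf-src` rule line itself sits above the hunk, so the full prerequisite list is not visible here.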
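Review bot: In the second doc/guide/admin/Makefile hunk, the last `sdf-img` prerequisite is now `intro_tree.png \`, which keeps a continuation backslash that the removed final entry `replication.gif` did not have. Make joins whatever line follows into the prerequisite list, so this is harmless only while that line stays blank (presumably the case today). Write the final entry as `intro_tree.png` with no trailing backslash.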
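Review bot: In the third doc/guide/admin/Makefile hunk, the `guide.pdf` recipe becomes `htmldoc --batch guide.book`, but the rule still lists only `admin.html` as a prerequisite. A change to guide.book alone will therefore not rebuild the PDF; `guide.pdf: admin.html guide.book` would fix that. The new `clean` target should also be declared with `.PHONY: clean`, so that a stray file named `clean` cannot suppress it. Note that `rm -f *.pdf *.html *~` removes every HTML and PDF file in the directory, so it is worth confirming that none of them are tracked sources.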
@@ -0,0 +1,16 @@
+# $OpenLDAP$
+# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
+#
+# README.spellcheck
+#
+
+aspell.en.pws
+ We use aspell to spell check the Admin Guide and Man Pages.
+
+ Please move aspell.en.pws to ~/.aspell.en.pws and run:
+
+ aspell --lang=en_US -c
+
+ If you add additional words and terms, please add
+ them or copy them to aspell.en.pws and commit.
diff --git a/doc/guide/admin/appendix-changes.sdf b/doc/guide/admin/appendix-changes.sdf
new file mode 100644
index 0000000000..4ee1dce248
--- /dev/null
+++ b/doc/guide/admin/appendix-changes.sdf
@@ -0,0 +1,208 @@ +# $OpenLDAP$ +# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved. +# COPYING RESTRICTIONS APPLY, see COPYRIGHT. + +H1: Changes Since Previous Release + +The following sections attempt to summarize the new features and changes in OpenLDAP +software since the 2.3.x release and the OpenLDAP Admin Guide. + +H2: New Guide Sections + +In order to make the Admin Guide more thorough and cover the majority of questions +asked on the OpenLDAP mailing lists and scenarios discussed there, we have added the following new sections: + +* {{SECT:When should I use LDAP?}} +* {{SECT:When should I not use LDAP?}} +* {{SECT:LDAP vs RDBMS}} +* {{SECT:Backends}} +* {{SECT:Overlays}} +* {{SECT:Replication}} +* {{SECT:Maintenance}} +* {{SECT:Monitoring}} +* {{SECT:Tuning}} +* {{SECT:Troubleshooting}} +* {{SECT:Changes Since Previous Release}} +* {{SECT:Configuration File Examples}} +* {{SECT:Glossary}} + +Also, the table of contents is now 3 levels deep to ease navigation. + + +H2: New Features and Enhancements in 2.4 + +H3: Better {{B:cn=config}} functionality + +There is a new slapd-config(5) manpage for the {{B:cn=config}} backend. The +original design called for auto-renaming of config entries when you insert or +delete entries with ordered names, but that was not implemented in 2.3. It is +now in 2.4. This means, e.g., if you have + +> olcDatabase={1}bdb,cn=config +> olcSuffix: dc=example,dc=com + +and you want to add a new subordinate, now you can ldapadd: + +> olcDatabase={1}bdb,cn=config +> olcSuffix: dc=foo,dc=example,dc=com + +This will insert a new BDB database in slot 1 and bump all following databases + down one, so the original BDB database will now be named: + +> olcDatabase={2}bdb,cn=config +> olcSuffix: dc=example,dc=com + +H3: Better {{B:cn=schema}} functionality + +In 2.3 you were only able to add new schema elements, not delete or modify +existing elements. In 2.4 you can modify schema at will. 
(Except for the +hardcoded system schema, of course.) + +H3: More sophisticated Syncrepl configurations + +The original implementation of Syncrepl in OpenLDAP 2.2 was intended to support +multiple consumers within the same database, but that feature never worked and +was removed from OpenLDAP 2.3; you could only configure a single consumer in +any database. + +In 2.4 you can configure multiple consumers in a single database. The configuration +possibilities here are quite complex and numerous. You can configure consumers +over arbitrary subtrees of a database (disjoint or overlapping). Any portion +of the database may in turn be provided to other consumers using the Syncprov +overlay. The Syncprov overlay works with any number of consumers over a single +database or over arbitrarily many glued databases. + +H3: N-Way Multimaster Replication + +As a consequence of the work to support multiple consumer contexts, the syncrepl +system now supports full N-Way multimaster replication with entry-level conflict +resolution. There are some important constraints, of course: In order to maintain +consistent results across all servers, you must maintain tightly synchronized +clocks across all participating servers (e.g., you must use NTP on all servers). + +The entryCSNs used for replication now record timestamps with microsecond resolution, +instead of just seconds. The delta-syncrepl code has not been updated to support +multimaster usage yet, that will come later in the 2.4 cycle. + +H3: Replicating {{slapd}} Configuration (syncrepl and {{B:cn=config}}) + +Syncrepl was explicitly disabled on cn=config in 2.3. It is now fully supported +in 2.4; you can use syncrepl to replicate an entire server configuration from +one server to arbitrarily many other servers. It's possible to clone an entire +running slapd using just a small (less than 10 lines) seed configuration, or +you can just replicate the schema subtrees, etc. 
Tests 049 and 050 in the test +suite provide working examples of these capabilities. + + +H3: Push-Mode Replication + +In 2.3 you could configure syncrepl as a full push-mode replicator by using it +in conjunction with a back-ldap pointed at the target server. But because the +back-ldap database needs to have a suffix corresponding to the target's suffix, +you could only configure one instance per slapd. + +In 2.4 you can define a database to be "hidden", which means that its suffix is +ignored when checking for name collisions, and the database will never be used +to answer requests received by the frontend. Using this "hidden" database feature +allows you to configure multiple databases with the same suffix, allowing you to +set up multiple back-ldap instances for pushing replication of a single database +to multiple targets. There may be other uses for hidden databases as well (e.g., +using a syncrepl consumer to maintain a *local* mirror of a database on a separate filesystem). + + +H3: More extensive TLS configuration control + +In 2.3, the TLS configuration in slapd was only used by the slapd listeners. For +outbound connections used by e.g. back-ldap or syncrepl their TLS parameters came +from the system's ldap.conf file. + +In 2.4 all of these sessions inherit their settings from the main slapd configuration, +but settings can be individually overridden on a per-config-item basis. This is +particularly helpful if you use certificate-based authentication and need to use a +different client certificate for different destinations. + + +H3: Performance enhancements + +Too many to list. Some notable changes - ldapadd used to be a couple of orders +of magnitude slower than "slapadd -q". It's now at worst only about half the +speed of slapadd -q. Some comparisons of all the 2.x OpenLDAP releases are available +at {{URL:http://www.openldap.org/pub/hyc/scale2007.pdf}} + +That compared 2.0.27, 2.1.30, 2.2.30, 2.3.33, and HEAD). 
Toward the latter end +of the "Cached Search Performance" chart it gets hard to see the difference +because the run times are so small, but the new code is about 25% faster than 2.3, +which was about 20% faster than 2.2, which was about 100% faster than 2.1, which +was about 100% faster than 2.0, in that particular search scenario. That test +basically searched a 1.3GB DB of 380836 entries (all in the slapd entry cache) +in under 1 second. i.e., on a 2.4GHz CPU with DDR400 ECC/Registered RAM we can +search over 500 thousand entries per second. The search was on an unindexed +attribute using a filter that would not match any entry, forcing slapd to examine +every entry in the DB, testing the filter for a match. + +Essentially the slapd entry cache in back-bdb/back-hdb is so efficient the search +processing time is almost invisible; the runtime is limited only by the memory +bandwidth of the machine. (The search data rate corresponds to about 3.5GB/sec; +the memory bandwidth on the machine is only about 4GB/sec due to ECC and register latency.) 
+ +H3: New overlays + +* slapo-constraint (Attribute value constraints) +* slapo-dds (Dynamic Directory Services, RFC 2589) +* slapo-memberof (reverse group membership maintenance) + +H3: New features in existing Overlays + +* slapo-pcache + - Inspection/Maintenance + -- the cache database can be directly accessed via + LDAP by adding a specific control to each LDAP request; a specific + extended operation allows to consistently remove cached entries and entire + cached queries + - Hot Restart + -- cached queries are saved on disk at shutdown, and reloaded if + not expired yet at subsequent restart + +* slapo-rwm can safely interoperate with other overlays +* Dyngroup/Dynlist merge, plus security enhancements + - added dgIdentity support (draft-haripriya-dynamicgroup) + +H3: New features in slapd + +* monitoring of back-{b,h}db: cache fill-in, non-indexed searches, +* session tracking control (draft-wahl-ldap-session) +* subtree delete in back-sql (draft-armijo-ldap-treedelete) + +H3: New features in libldap + +* ldap_sync client API (LDAP Content Sync Operation, RFC 4533) + +H3: New clients, tools and tool enhancements + +* ldapexop for arbitrary extended operations +* Complete support of controls in request/response for all clients +* LDAP Client tools now honor SRV records + +H3: New build options + +* Support for building against GnuTLS + + +H2: Obsolete Features Removed From 2.4 + +These features were strongly deprecated in 2.3 and removed in 2.4. + +H3: Slurpd + +Please read the {{SECT:Replication}} section as to why this is no longer in +OpenLDAP + +H3: back-ldbm + +back-ldbm was both slow and unreliable. Its byzantine indexing code was +prone to spontaneous corruption, as were the underlying database libraries +that were commonly used (e.g. GDBM or NDBM). 
back-bdb and back-hdb are +superior in every aspect, with simplified indexing to avoid index corruption, +fine-grained locking for greater concurrency, hierarchical caching for +greater performance, streamlined on-disk format for greater efficiency +and portability, and full transaction support for greater reliability. diff --git a/doc/guide/admin/appendix-configs.sdf b/doc/guide/admin/appendix-configs.sdf new file mode 100644 index 0000000000..81aaf86f86 --- /dev/null +++ b/doc/guide/admin/appendix-configs.sdf @@ -0,0 +1,14 @@ +# $OpenLDAP$ +# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved. +# COPYING RESTRICTIONS APPLY, see COPYRIGHT. + +H1: Configuration File Examples + + +H2: slapd.conf + + +H2: ldap.conf + + +H2: a-n-other.conf diff --git a/doc/guide/admin/aspell.en.pws b/doc/guide/admin/aspell.en.pws new file mode 100644 index 0000000000..a28b908c2f --- /dev/null +++ b/doc/guide/admin/aspell.en.pws 
@@ -0,0 +1,1406 @@ +personal_ws-1.1 en 1405 +nattrsets +inappropriateAuthentication +api +olcAttributeTypes +BhY +reqEnd +olcOverlayConfig +shoesize +olcTLSCACertificateFile +CGI +cdx +DCE +DAP +attributename +lsei +dbconfig +arg +kurt +authzID +authzid +authzId +DAs +ddd +userApplications +BNF +attrs +mixin +wholeSubtree +chainingRequired +ldapport +hallvard +ASN +acknowledgements +Chu +ava +monitorCounter +del +DDR +testObject +OrgPerson +IGJlZ +olcUpdateref +ECC +deleteDN +cli +ltdl +CAPI +dev +serverctrls +olcDbDirectory +xvfB +BSI +modv +nonleaf +errCode +PhotoURI +buf +cdef +monitorConnectionLocalAddress +dir +EGD +dit +retoidp +ando +edu +caseExactSubstringsMatch +bvstrdup +AUTHNAME +memrealloc +auditExtended +replog +ludp +metainformation +CRL +CRP +olcReferral +XLDFLAGS +metadirectory +csn +siiiib +stateful +olcModulePath +maxentries +authc +seeAlso +searchbase +searchBase +realnamingcontext +dn's +DNs +DN's +dns +dereference +sortKey +authzTo +lossy +gcc +CWD +lssl +organizationalRole +DSA +derefInSearching +pwdGraceUseTime +DSE +groupOfURLs +modrdn +ModRDN +modrDN +pwdFailureCountInterval +homePhone +eng +paramName +errUnsolicitedData +Heimdal +EOF +authz +XINCPATH +LTFINISH +plaintext +indices +reqAssertion +olcDbUri +dst +env +oplist +MirrorMode +mirrormode +objclass +Bint +dup +hdb +gid +stderr +caseIgnoreOrderingMatch +moduledir +gif +jpegPhoto +lsasl +judgmentday +prepend +subentry +dbcache +mkversion +objectClasses +objectclasses +searchResultReference +fmt +qdescrs +olcSuffix +supportedControl +GHz +libpath +INADDR +compareDN +sizelimit +unixODBC +APIs +blen +attrsOnly +attrsonly +slappasswd +referralsPreferred +oids +OIDs +wBDARESEhgVG +syncIdSet +olcTLSCipherSuite +username +sizeLimitExceeded +subst +idl +chroot +iff +auditDelete +numbits +ZKKuqbEKJfKSXhUbHG +reqRespControls +TLSCertificateKeyFile +olcAccess +proxyTemplates +neverDerefaliases +RootDN +rootdn +loglevel +args +caseExactOrderingMatch +olcDbQuarantine +RELEASEDATE +baseDN +basedn 
+argv +GSS +schemachecking +whoami +WhoAmI +syslogd +dataflow +subentries +attrpair +BerkeleyDB's +singleLevel +entryDN +dSAOperation +includedir +inplace +LDAPAPIFeatureInfo +logbase +ing +moduleload +IPC +Makefile +getpid +GETREALM +numericString +MANSECT +XXXX +domainstyle +bvarray +Choi +iscritical +subschema +slapindex +plugin +distinguishedNameMatch +derefAliases +baseObject +kdz +reqMod +ldb +srcdir +pwdExpireWarning +localstatedir +sockbuf +PENs +ipv +IPv +ghenry +hyc +multimaster +noop +DEFS +joe +testAttr +syncrepl +pwdFailureTime +timestamp +whitespaces +ISP +ldp +monitorInfo +bjensen +newPasswd +irresponsive +len +perl +dynlist +browseable +attrvalue +pers +retcode +rootpw +matchedDN +auditReadObject +idletimeout +intermediateResponse +myOID +structuralObjectClass +integerMatch +openldap +OpenLDAP +moddn +rewriteEngine +AVAs +accesslog +searchDN +reqOld +MDn +aspell +TLSCACertificateFile +mem +peername +syncUUIDs +database's +krb +bool +logins +jts +memberAttr +newpasswdfile +newPasswdFile +ucdata +LLL +confdir +BerValues +olcDbLinearIndex +Elfrink +AUTOREMOVE +countp +realloc +bsize +CThreads +structs +desc +LTCOMPILE +bindmethod +olcDbCheckpoint +modme +refreshOnly +PIII +pwdPolicySubentry +FIXME +realanonymous +caseExactMatch +olcSizeLimit +Bourne +attr +objectidentifier +objectIdentifier +refint +msgtype +OBJEXT +LRL +subtrees +realdnattr +entrymods +admittable +libtool's +dupbv +searchResultEntry +lud +modifyTimestamp +TLSEphemeralDHParamFile +LRU +syncprov +strvals +preread +auth +nis +regexec +adamsom +objclasses +deallocation +strdup +gsMatch +adamson +UniqueName +ppErrStr +DESTDIR +oid +saslpasswd +interoperate +bindwhen +Solaris +oOjM +msg +submatch +refreshAndPersist +monitorServer +attributeUsage +soelim +objectIdentiferMatch +olc +PEM +Autoconf +alloc +PDU +OLF +inetorgperson +inetOrgPerson +deleteoldrdn +monitorCounterObject +pid +CPAN +sharedstatedir +OLP +LDFLAGS +dereferencing +errcodep +xeXBkeFxlZ +accessor's +extendedop +ple +NTP 
+reqSizeLimit +ORed +NUL +namingContexts +num +reqAttrsOnly +ldappasswd +online +libdir +unindexed +ObjectClassDescription +attrdesc +efgh +exopPasswdDN +ranlib +olcAttributeOptions +lineno +storages +nameAndOptionalUID +png +INCPATH +organizationalPerson +integerOrderingMatch +OSI +subschemaSubentry +cond +conf +bvec +rdn +ECHOPROMPT +RDBM +subany +runningslapd +configs +datagram +crlcheck +conn +builddir +OTP +entrylimit +attrdescN +logold +pos +sbi +PRD +reqEntries +pre +bvals +unixusers +olcReadonly +olcReadOnly +pwdChangedTime +mySQL +sdf +suffixmassage +referralDN +sed +statslog +perror +ldapexop +bvecadd +distributedOperation +sel +versa +TBC +telephonenumber +telephoneNumber +DLDAP +peernamestyle +SHA +filename +rpath +argsfile +ptr +INCDIR +pwd +dctree +rnd +quanah +lastmod +TCL +sprintf +shm +logops +dnattr +subdir +searchAttrDN +cctrls +tcp +strlen +spellcheck +ludpp +typedef +olcDbIDLcacheSize +ostring +mwrscdx +SMD +UCD +cancelled +crit +lucyB +slp +rdns +CPUs +TGT +modulepath +quickstart +mySNMP +tgz +UDP +RDBMs +rdbms +Matic +qdstring +gunzip +librewrite +UFl +src +lastName +ufn +cron +sql +pwdPolicyChecker +uid +olcDbConfig +refreshDone +ssf +replogfile +rwm +TOC +vec +LDAPDN +compareAttrDN +endmacro +tls +repl +monitoringslapd +referralsp +tmp +SRP +olcDbNosync +conns +SSL +PDkzODdASFxOQ +SRV +rwx +sss +deallocators +Contribware +URLlist +str +subinitial +CSNs +sbin +dbtools +datasource +sbio +posp +errText +prepended +labeledURI +scdx +startup +const +wBDABALD +octetStringSubstringsStringMatch +ttl +bvalue +bvdup +stringa +stringb +hasSubordinates +oldPasswd +sys +pwdPolicy +slapd +sasl +slapauth +MANCOMPRESS +octetStringOrderingStringMatch +updatedn +UpdateDN +slapdindex +searchFilter +uri +slapi +tty +liblunicode +url +entryExpireTimestamp +priv +slapo +UTF +vlv +ctrl +TXN +virtualnamingcontext +eatBlanks +slimit +ldaprc +usr +txt +proc +generalizedTime +loopback +unmassaged +mechs +freemods +initgroups +auditCompare +GDBM +DSA's +compareFalse 
+resultCode +resultcode +noSuchObject +params +groupnummer +searchEntryDN +negttl +chainingPreferred +TABs +retdatap +errAuxObject +postoperation +realself +olcPasswordHash +concat +debuglevel +addAttrDN +credp +ldaphost +pwdMaxFailure +octetStringMatch +extparam +auditWriteObject +colaligns +Diffie +attributevalue +AttributeValue +SIGTERM +MyCompany +al +AAQSkZJRgABAAAAAQABAAD +cd +contextCSN +ar +pthreads +monitorTimestamp +de +reqAuthzID +backend's +backends +cn +lcrypto +infodir +groupstyle +ldapsearch +cp +displayName +eg +bv +olcBackendConfig +dn +fd +LDAPSync +fG +fi +eq +FIPS +dx +et +eu +hh +olcLogLevel +slurpd +logevels +IG +addDN +tbls +ldapmodify +kb +syslog +io +ip +dynacl +aXRoIGEgc +enum +slapdconf +reqFilter +ld +xyz +TLSCertificateFile +idassert +failover +kerberos +lookups +md +iZ +SysNet +BerValue +idlcachesize +struct +UCASE +errno +syslogged +mk +ng +oc +errOp +pwdMaxAge +truelies +NL +mr +reindex +newentry +ok +mv +preinstalled +regex +saslmech +rc +config +ou +policyDN +sb +olcSyncrepl +QN +strtol +runtime +NOSYNC +slapover +RL +sockname +MANCOMPRESSSUFFIX +makeinfo +coltags +ro +rp +EXEEXT +sockurl +th +sn +ru +UG +ss +su +TP +reqMethod +XLIBS +PhotoObject +tt +keycol +namingContext +rlookups +searchstack +NOECHOPROMPT +sldb +wi +AlmostASearchRequest +xf +param +MChAODQ +caseExactIA +Vu +Za +idlecachesize +ws +errSleepTime +INSTALLFLAGS +pthread +pwdHistory +slen +errUnsolicitedOID +dyngroup +filtertype +rewriteRules +criticality +preoperation +smbk +subord +reqVersion +errp +ZZ +entryCSNs +dlopen +continuated +newsuperior +newSuperior +Preprocessor +XXLIBS +deallocate +reqScope +llber +bitstringa +sbindir +apache's +noidlen +monitorContext +resync +fqdn +authPassword +LDAPMatchingRule +olcIdleTimeout +treedelete +auditAdd +reqSession +derated +LDVERSION +IANA +olcDbSearchStack +bitstrings +rscdx +schemas +minssf +ldapadd +pseudorootdn +lldap +gssapi +applicatio +nelems +liblutil +wrscdx +scherr +internet +logfilter +lutil +themself +libexec 
+dnpattern +proxying +reqType +Kartik +libexecdir +inetd +pwdSafeModify +contrib +FQDNs +bjorn +myLDAP +SNMP +myObjectClass +thru +olcLastMod +commonName +testTwo +olcFrontendConfig +LDAPObjectClass +attributeTypes +LTINSTALL +hostname +Symas +numattrsets +msgid +ldapmodrdn +ldapbis +attributeoptions +serverID +memberof +pseudorootpw +CFLAGS +substr +pwdAllowUserChange +rewriteRule +XXXXXXXXXX +credlen +departmentNumber +rewriteMap +logfile +vals +LDAPAVA +modifyAttrDN +dcedn +olcOverlay +exop +berelement +BerElement +olcRootDN +octetString +SampleLDAP +expr +PostgreSQL +bvstr +filesystem +pathtest +objectClass +objectclass +submatches +newrdn +armijo +addBlanks +reqMessage +exts +SSHA +func +filterlist +modifyDN +syncuser +Masarati +LDAPSyntax +oldpasswdfile +oldPasswdFile +reqDN +SSFs +ietf +unwillingToPerform +oidlen +searchFilterAttrDN +CPPFLAGS +slapadd +Clatworthy +urldesc +substrings +Apurva +slapacl +multiclassing +monitoredInfo +LTLINK +ETCDIR +reqId +setspec +scanf +TLSv +distinguishedname +distinguishedName +BerVarray +caseIgnoreSubstrin +ldapwhoami +URLattr +generalizedTimeOrderingMatch +requestdata +timelimit +subr +cachesize +olcRootPW +SSLv +domainScope +LDAPMessage +LTVERSION +memalloc +refreshDeletes +BerkeleyDB +pathspec +uint +Poitou +whitespace +dynstyle +slaptest +zeilenga +WebUpdate +numericoid +changelog +ChangeLog +creatorsName +ascii +wahl +uniqueMember +slapcat +lwrap +ldapfilter +errDisconnect +sermersheim +rootdns +searchResult +libtool +servercredp +AttributeTypeDescription +LTFLAGS +authcDN +TLSCipherSuite +supportedSASLMechanisms +rootDSE +dsaparam +cachefree +UMich's +schemadir +attribute's +extern +varchar +olcDbCacheSize +olcDbCachesize +authcid +authcID +POSIX +hnPk +ldapext +authzFrom +Google +olcSchemaConfig +newsup +sbiod +XXXLIBS +LDAPBASE +Supr +olcDatabaseConfig +rwxrwxrwx +aeeiib +reqStart +sasldb +somevalue +LIBRELEASE +starttls +StartTLS +LDAPSchemaExtensionItem +reqReferral +shtool +Pierangelo +attrstyle +backend 
+portnumber +subjectAltName +errObject +valsort +bervals +berval's +derefFindingBaseObj +checkpointed +keytab +groupnaam +frontend +sctrls +dbnum +olcLdapConfig +sessionlog +attrset +entryCSN +strcast +kbyte +modifiersName +keytbl +olcHdbConfig +README +memcalloc +inet +saslargs +givenname +givenName +olcDbMode +pidfile +olcLimits +memvfree +tuple +superset +directoryString +proxyTemplate +proxytemplate +wildcards +monitoredObject +TTLs +LxsdLy +olcTimeLimit +stringal +init +Locators +bvalues +reqResult +impl +outvalue +returnCode +returncode +attributeDescription +attrval +dnssrv +ciphersuite +auditlog +reqControls +notypes +myAttributeType +stringbv +keyval +calloc +chmod +Subbarao +setstyle +subdirectories +errlist +slapdn +uncached +ldapapiinfo +groupOfUniqueNames +dhparam +slapd's +slapds +inputfile +RDBMSes +wildcard +Locator +errAbsObject +errABsObject +SASL's +html +searchResultDone +olcBdbConfig +ldapmod +LDAPMod +olcHidden +userPassword +TLSRandFile +use'd +auditBind +requestDN +lockdetect +selfstyle +liblber +ERXRTc +printf +AutoConfig +localhost +lber +noprompt +databasenumber +hasSubordintes +URIs +lang +auditSearch +ldapdelete +reqTimeLimit +cacertdir +queryid +Warper +XDEFS +urls +URL's +postalAddress +postaladdress +passwd +plugins +george +http +uppercased +Poobah +libldap +ldap +ldbm +ursula +LDAPModifying +slapdconfig +dnSubtreeMatch +olcSaslSecProps +olcSaslSecprops +auditModify +groupOfNames +jensen +reloadHint +prepending +olcGlobal +matchingRule +matchingrule +SmVuc +MSSQL +hostnames +ctrlp +lltdl +ctrls +rewriter +secprops +namespace +whsp +realusers +dnstyle +suffixalias +proxyAttrset +proxyAttrSet +proxyattrset +pwdMustChange +ldif +bvfree +sleeptime +pwdCheckQuality +msgidp +pwdAttribute +PRNGD +LDAPRDN +entryUUIDs +proxycache +proxyCache +SERATGCgaGBYWGDEjJR +noanonymous +accessee +createTimestamp +nretries +auditAbandon +LDAPAttributeType +logdb +procs +realdn +alwaysDerefAliases +ppolicy +jpeg +functionalities +pcache +caseIgnoreMatch 
+sysconfdir +checkpointing +rebindproc +dryrun +noplain +exattrs +Jong +proxied +firstName +accesslevel +login +rewriteContext +dcObject +newparent +numericStringMatch +TLSVerifyClient +subtree +multi +immSupr +manpage +assciated +wZFQrDD +serverctrlsp +onelevel +abcd +reqcert +referralsRequired +Hyuk +olcServerID +reqDerefAliases +newSuperiorDN +passwdfile +errMatchedDN +everytime +mkdep +olcDbindex +olcDbIndex +syntaxOID +reqData +databasetype +woid +numericStringOrderingMatch +clientctrls +RetCodes +pwdAccountLockedTime +attrtype +LIBVERSION +proto +endif +reqNewRDN +ldapi +notoc +matcheddnp +mkdir +mech +pwdMinAge +ldaps +userCertificate +LDAPv +IPsec +tokenization +olcModuleList +robert +generalizedTimeMatch +UMLDAP +OpenLDAP's +lookup +ABNF +olcDbShmKey +pwdLockoutDuration +TLSCACertificatePath +ldapuri +ldapurl +ACIs +behera +olcObjectIdentifier +endblock +proxyAuthz +pagedResults +bitstring +ACLs +berptr +olcModuleLoad +attributetype +attributeType +auditModRDN +cacert +freebuf +IDSET +pwdGraceAuthnLimit +invalue +XKYnrjvGT +srvtab +referralAttrDN +requestoid +basename +substring +booleanMatch +babs +pPasswd +msgfree +slapdconfigfile +olcDatabase +builtin +hardcoded +SIGINT +MAXLEN +xpasswd +cleartext +extensibleObject +pwdLockout +SIGHUP +reqDeleteOldRDN +reqAttr +subfinal +berval +octothorpe +LTONLY +filesystems +urandom +NDBM +abcdefgh +olcBackend +errmsgp +boolean +updateref +regcomp +contextp +filtercomp +LDAPNOINIT +deref +preallocated +syntaxes +memberURL +monitorRuntimeConfig +bindDn +bindDN +binddn +methodp +timelimitExceeded +pwdInHistory +LTSTATIC +requestors +requestor's +LDAPCONF +saslauthd +MKDEPFLAG +gecos +entryUUID +gnutls +GNUtls +GnuTLS +postread +timeval +DHAVE +caseIgnoreSubstringsMatch +monitorIsShadow +syncdata +olcPidFile +hostport +backload +bindir +olcObjectClasses +auditObject +LDIFv +strcasecmp +LTHREAD +dereferenced +entryTtl +LDAPControl +pwdMinLength +ldapcompare +readonly +readOnly +RANDFILE +attrlist +aci +directoryOperation 
+selfwrite
+pwdReset
+acl
+attrname
+ADH
+searchable
+bindmethods
+logpurge
+reqNewSuperior
+multiproxy
+dereferences
+datadir
+malloc
+UUIDs
+veryclean
+userid
+Kumar
+AES
+bdb
+manageDSAit
+ManageDsaIT
+bindpw
+monitorContainer
+pEntry
+baz
+memfree
+lresolv
+objectIdentifierMatch
+Blowfish
+mkln
+numericStringSubstringsMatch
+openssl
+OpenSSL
+ModName
+cacheable
+freeit
+pathname
+ber
+ali
+mandir
+changetype
+CAs
+CA's
+typeA
+bvecfree
+ODBC
+typeB
+unescaped
+devel
+pwdCheckModule
+LDAPURLDesc
+authzDN
diff --git a/doc/guide/admin/backends.sdf b/doc/guide/admin/backends.sdf
new file mode 100644
index 0000000000..013288f453
--- /dev/null
+++ b/doc/guide/admin/backends.sdf
@@ -0,0 +1,262 @@
+# $OpenLDAP$
+# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
+
+H1: Backends
+
+
+H2: Berkeley DB Backends
+
+
+H3: Overview
+
+The {{bdb}} backend to {{slapd}}(8) is the recommended primary backend for a
+normal {{slapd}} database. It uses the Oracle Berkeley DB ({{TERM:BDB}})
+package to store data. It makes extensive use of indexing and caching
+(see the {{SECT:Tuning}} section) to speed data access.
+
+{{hdb}} is a variant of the {{bdb}} backend that uses a hierarchical database
+layout which supports subtree renames. It is otherwise identical to the {{bdb}}
+ behavior, and all the same configuration options apply.
+
+Note: An {{hdb}} database needs a large {{idlcachesize}} for good search performance,
+typically three times the {{cachesize}} (entry cache size) or larger.
+
+H3: back-bdb/back-hdb Configuration
+
+MORE LATER
+
+H3: Further Information
+
+{{slapd-bdb}}(5)
+
+H2: LDAP
+
+
+H3: Overview
+
+The LDAP backend to {{slapd}}(8) is not an actual database; instead it acts
+as a proxy to forward incoming requests to another LDAP server. While
+processing requests it will also chase referrals, so that referrals are fully
+processed instead of being returned to the {{slapd}} client.
+
+Sessions that explicitly {{Bind}} to the {{back-ldap}} database always create
+their own private connection to the remote LDAP server. Anonymous sessions
+will share a single anonymous connection to the remote server. For sessions
+bound through other mechanisms, all sessions with the same DN will share the
+same connection. This connection pooling strategy can enhance the proxy’s
+efficiency by reducing the overhead of repeatedly making/breaking multiple
+connections.
+
+The ldap database can also act as an information service, i.e. the identity
+of locally authenticated clients is asserted to the remote server, possibly
+in some modified form. For this purpose, the proxy binds to the remote server
+with some administrative identity, and, if required, authorizes the asserted
+identity.
+
+H3: back-ldap Configuration
+
+LATER
+
+H3: Further Information
+
+{{slapd-ldap}}(5)
+
+H2: LDIF
+
+
+H3: Overview
+
+The LDIF backend to {{slapd}}(8) is a basic storage backend that stores
+entries in text files in LDIF format, and exploits the filesystem to create
+the tree structure of the database. It is intended as a cheap, low performance
+easy to use backend.
+
+When using the {{cn=config}} dynamic configuration database with persistent
+storage, the configuration data is stored using this backend. See {{slapd-config}}(5)
+for more information
+
+H3: back-ldif Configuration
+
+LATER
+
+H3: Further Information
+
+{{slapd-ldif}}(5)
+
+H2: Metadirectory
+
+
+H3: Overview
+
+The meta backend to {{slapd}}(8) performs basic LDAP proxying with respect
+to a set of remote LDAP servers, called "targets". The information contained
+in these servers can be presented as belonging to a single Directory Information
+Tree ({{TERM:DIT}}).
+
+A basic knowledge of the functionality of the {{slapd-ldap}}(5) backend is
+recommended. This backend has been designed as an enhancement of the ldap
+backend. The two backends share many features (actually they also share portions
+ of code). While the ldap backend is intended to proxy operations directed
+ to a single server, the meta backend is mainly intended for proxying of
+ multiple servers and possibly naming context masquerading.
+
+These features, although useful in many scenarios, may result in excessive
+overhead for some applications, so its use should be carefully considered.
+
+
+H3: back-meta Configuration
+
+LATER
+
+H3: Further Information
+
+{{slapd-meta}}(5)
+
+H2: Monitor
+
+
+H3: Overview
+
+The monitor backend to {{slapd}}(8) is not an actual database; if enabled,
+it is automatically generated and dynamically maintained by slapd with
+information about the running status of the daemon.
+
+To inspect all monitor information, issue a subtree search with base {{cn=Monitor}},
+requesting that attributes "+" and "*" are returned. The monitor backend produces
+mostly operational attributes, and LDAP only returns operational attributes
+that are explicitly requested. Requesting attribute "+" is an extension which
+requests all operational attributes.
+
+See the {{SECT:Monitoring}} section.
+
+H3: back-monitor Configuration
+
+LATER
+
+H3: Further Information
+
+{{slapd-monitor}}(5)
+
+H2: Null
+
+
+H3: Overview
+
+The Null backend to {{slapd}}(8) is surely the most useful part of slapd:
+
+* Searches return success but no entries.
+* Compares return compareFalse.
+* Updates return success (unless readonly is on) but do nothing.
+* Binds other than as the rootdn fail unless the database option "bind on" is given.
+* The slapadd(8) and slapcat(8) tools are equally exciting.
+
+Inspired by the {{F:/dev/null}} device.
+
+H3: back-null Configuration
+
+LATER
+
+H3: Further Information
+
+{{slapd-null}}(5)
+
+H2: Passwd
+
+
+H3: Overview
+
+The PASSWD backend to {{slapd}}(8) serves up the user account information
+listed in the system {{passwd}}(5) file.
+
+This backend is provided for demonstration purposes only. The DN of each entry
+is "uid=,".
+
+H3: back-passwd Configuration
+
+LATER
+
+H3: Further Information
+
+{{slapd-passwd}}(5)
+
+H2: Perl/Shell
+
+H3: Overview
+
+The Perl backend to {{slapd}}(8) works by embedding a {{perl}}(1) interpreter
+into {{slapd}}(8). Any perl database section of the configuration file
+{{slapd.conf}}(5) must then specify what Perl module to use. Slapd then creates
+a new Perl object that handles all the requests for that particular instance of the backend.
+
+The Shell backend to {{slapd}}(8) executes external programs to implement
+operations, and is designed to make it easy to tie an existing database to the
+slapd front-end. This backend is is primarily intended to be used in prototypes.
+
+H3: back-perl/back-shell Configuration
+
+LATER
+
+H3: Further Information
+
+{{slapd-shell}}(5) and {{slapd-perl}}(5)
+
+H2: Relay
+
+
+H3: Overview
+
+The primary purpose of this {{slapd}}(8) backend is to map a naming context
+defined in a database running in the same {{slapd}}(8) instance into a
+virtual naming context, with attributeType and objectClass manipulation, if
+required. It requires the rwm overlay.
+
+This backend and the above mentioned overlay are experimental.
+
+H3: back-relay Configuration
+
+LATER
+
+H3: Further Information
+
+{{slapd-relay}}(5)
+
+H2: SQL
+
+
+H3: Overview
+
+The primary purpose of this {{slapd}}(8) backend is to PRESENT information
+stored in some RDBMS as an LDAP subtree without any programming (some SQL and
+maybe stored procedures can’t be considered programming, anyway ;).
+
+That is, for example, when you (some ISP) have account information you use in
+an RDBMS, and want to use modern solutions that expect such information in LDAP
+(to authenticate users, make email lookups etc.). Or you want to synchronize or
+distribute information between different sites/applications that use RDBMSes
+and/or LDAP. Or whatever else...
+
+It is {{B:NOT}} designed as a general-purpose backend that uses RDBMS instead of
+BerkeleyDB (as the standard BDB backend does), though it can be used as such with
+several limitations. Please see {{SECT: LDAP vs RDBMS}} for discussion.
+
+The idea is to use some meta-information to translate LDAP queries to SQL queries,
+leaving relational schema untouched, so that old applications can continue using
+it without any modifications.
This allows SQL and LDAP applications to interoperate +without replication, and exchange data as needed. + +The SQL backend is designed to be tunable to virtually any relational schema without +having to change source (through that meta-information mentioned). Also, it uses +ODBC to connect to RDBMSes, and is highly configurable for SQL dialects RDBMSes +may use, so it may be used for integration and distribution of data on different +RDBMSes, OSes, hosts etc., in other words, in highly heterogeneous environment. + +This backend is experimental. + +H3: back-sql Configuration + +LATER + +H3: Further Information + +{{slapd-sql}}(5) diff --git a/doc/guide/admin/config.sdf b/doc/guide/admin/config.sdf index 05700cfe4d..f80ec4a1d3 100644 --- a/doc/guide/admin/config.sdf +++ b/doc/guide/admin/config.sdf @@ -15,7 +15,7 @@ directory service for your local domain only. It does not interact with other directory servers in any way. This configuration is shown in Figure 3.1. -!import "config_local.gif"; align="center"; title="Local service via slapd(8) configuration" +!import "config_local.png"; align="center"; title="Local service via slapd(8) configuration" FT[align="Center"] Figure 3.1: Local service configuration. Use this configuration if you are just starting out (it's the one the @@ -32,7 +32,7 @@ referrals to other servers capable of handling requests. You may run this service (or services) yourself or use one provided to you. This configuration is shown in Figure 3.2. -!import "config_ref.gif"; align="center"; title="Local service with referrals" +!import "config_ref.png"; align="center"; title="Local service with referrals" FT[align="Center"] Figure 3.2: Local service with referrals Use this configuration if you want to provide local service and 
diff --git a/doc/guide/admin/config_dit.gif b/doc/guide/admin/config_dit.gif deleted file mode 100644 index 2327d03c72b10f9edee0971d3a9d8771517511f4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4599 zcmb_d2Uk<;5{=~nf_ksgo2VdFL5Xw)6@d^?loFaqKM;!a8bErJUJ?#S7eenf@K7nz z0$!yz0jYv;uhOJk&-=n}c(Yd4$z*2s?7io(P*Ycxl{5c+g8RfCiWY&#pTOfsAjkq~ z@$TI_1pJPmkmCn0c!vTNCTFD7N~*602@F9EHI4F1krL3Fa%K{2%+f%Ye5FX5KM(& zgeDiT07WVcQK=9W0qOxM&+|k6$vHugCYM z6^~Cyv-$WcwBBQ*X|5l8M;kr1gLZ^tg*2pN(zKf#^PmAALxa}=TnU&5G=WvuX>T*_ zZvn-Cp!gVgFjYD4Ll~GvpY>Gbc0~NikA01)&g*)`fwr6Osm||?zpNb1qh9l-H(6Mx zrd~7DRzGS4- zpw@1tufBAw(ySwzSEHe9qSkh(#H7EWe5%oTp)XUTv0|phduwf`zp--mZD7<%4$Y>j z`Ho0tvFFsL>V@tEehqP+Cdsk)L@A3ws-bA$Ah%M;rE=Zd_?SYiQo3|skFL=Q%h^yz zX0&5vqxE_KOn{uK-g+@9aq>VvD!L=Y=;4fi-hCY8RejlJczJs*obQci)---^X--qaf7k&0i(u_?GW}o+=*@H7} z>~k+qDjJyL>2a%1Ls0UxMt*YdBhme{JLW4SmAUOnJiQx5Sw5F}?w!>U zP5RukQ21y2a(0|PWjw!eo_JW^%(Y7_Z}4?7woX|LHvUp%_eEndA#c=pgMuRWUv9nD zS6cD*(+3gp+7qS(e#*gbv70TUpQFX!?{T(PhVm#MEk|7t}(#XIL` zw?yBi_16=@4;q|TYIu$ST}q(l%u&^PzGd+-gn zzahR-)F{reZuOSFWxZ};v2oDk%k#s{4>JR+-&^UGk~U8nKWzP{$DYpbN70S!qpfqi ze0Rx%%1-{Ni2(xt?)2*aArt(??d8EPv$aOsFE~5i6uXvh>UmgMefsTT@u1Tkr}?2- zo8Mo%1j>HzEST=vS}38|Gy;oicu$@ydVSLF;|nIMoXo2|JhD%p1jEf{g?|;^KfBo# zB#7q;kY9b@k?8D=IbnWgKJUT1)a6jIBc8KS3z?iBo;1`D11;D6@T(EYkAW}k;&NW&lmHK8Vs1P2SmkK zoIS^7pHIA5nCJ_A|GMy1_=D7DXdGjw<=Gi;mb=TL@lI9=yz^G<_vmVH_CNBq&Yn?G z{cK|#w>@|HkRc88`D4a&8`jlE>ypJCaHhC=xlu~#2U`je;UPisVxb$wN(^Zl~L z$nAZXM{CS#%ldBMVGa2mNsryA0tqj;{nQy9z0NlYVF_tXmI3E6gAQ{NLFi&UV_&+t zdg0mn-UkkfwU0g>rO5QR57dTk#St~g@?&_pf$FWye?o=Szp8)qon&_9;S}=6>LG(@ zNpiNrY36(E`|sLT@i~>lxj7eCN%B`xh(GwP5(~X9Ip1QDO1&_oTr7D7x4U9sq%fi) z5!@7ezSQq?FE3heTjugrS9_6I-mNT_l=ub~jr4xZf~K!_`Um$yjgxqd5jO3@N4kag z3W~5Jwf|jzVuSnonYBGQtUPO3hx}Wk=s{Te@YmDi7r5YJjPl5*BA5C*J@T3a2LW8c zT`5QdEt(`9`RPYmgdeg#q9N8d{AS>l)ANhkqg66xRw@z7QIxoV&{X}E0X;*@g>(yl ztRYcy=b03v{oq=Ce%ck*QV(8MBQZg#obvke`&04H7T6{e#LMqzjy!#)wQE$5Fb-IK 
z#BMx`H=0QCa41YS!L@{P8++td)$4go7Jj()EV_B5@wPzm;I^J*;^t_xzCx<&tLUla z_L$OH4bf+g+_*Hy-O8MPk_vs(NV|n+vj{im`1dZOZ@ZBcV!_`AOa0mjnIlarCY6D? zOr|GDdsYm~62Z-c8Kxk%+8PzDvgs-DpV;22?z7+BBMN7>R!2I%&5%NwHJ&r+v$imP z*(CU6%<7jnm7m$G)%@Ghf@Z90=2Moug| zu2X~zd|Z4d`Bh^29@PE_8OgBxo08W1=+u^tn62r~2LtG>e_2fYcf&btdt|^u@qAw1 z-gWqrtb2{ljoo)RDUydz|AjEujDi?6>g|4ul4@~Ii`W&ZSC`DP%KULO9r{i56C^b=9KdS$EYVXbd7xIeTF^#`R60@;yQ9@Xcvt{^ z8cKaAF6YnNu6t-(l=iP3(l$9ejFMvX|5J5cGPq@jGE#*-8gqM zRp_3C@$~y`X?$JgQ}2*!RzJG~jxX#-9|>_=S|ZENqZ#1)T3adqq?&8&J(J9uNV z?8gAb#11A!oBiJES(05`b2jxKEB1`VdFxcXRcf>XozW<*85T z=!X7c_gC`puShkeSM?uS@qM4_zwar>xoZ7jInZV_FnlzSL=F(PeJb(Oo9GeLPqNk# z^45reWa+&`BfYmqtd6evagR&zt{Sh9Z7RG7(#+OqOsJf8D5cw%Puc#Cn%*y08~d>U z?U9#1Nx_=q7Gegv*H=T7$yNo@!M{jhGPdrCL;-OQT@1TV)sjg92~v&-OKEgui17UP zWLW4<@GTpAMM2-)ZYfLQpu1AyLSA-!%OUz+5{=4MKL4>WMH=kg{1rbP`T z-#=oJ2+Y$mO3~W89n;Anx2YS`lNPg;5?p?Uvv;hoj>{wm zraw7$hCzb4TW5YXy3`@;1xZ zUrchhV7aWG#ICL`>=S*;BT3Bgveb4Gr3foI5yz97D24PUW)PE?mic9SlTW(~-s^pZ zy`56kl&Fe-vbdeBE_X+>*W-~0yVkzKQ+0M7pEx~{BzLz|LpdkG;Z)oAspSmBi4=Bm zbz*ZQyM;Q@CMwbP4FAS1Q9EZmW9Tc1g((9 z7EDc+ZA+K@E_esZMi4NmnTg9j2t97j&@36s9t+D3Y6?9R@i(crtsz?q$huCu`CPym z`OCia^L)wA`U;lGVu{YxPqUa8%H4{x%(ls4S$_5#lj$a7_8YI;6lHqF#;w2Ee5W_8 zcPZSpD7%l2AT*gJXJmE)o6kHM+yon%?-?;gW|c&RE0u(5s9DFP<nq~ZiUCPnNM zy)%bIGVN?5+$aIQBoj|!=#TE#dSm*Q5gvNsW#!n|HpbhV%_V=;c&lw$@9vZPz7Vtg!)?N=iAzN)6P*&%Mf5TdAIggN{hGx0ruJ=QrUQ)$27@OfuYJAW3`8^Ww8(Z>}oDY z&^_X;lhnwlSU|ry2w&1iv;GQxyjA3mt8f17uf1wDC0}rJyjE>WF4EP*i{Y9TCHQ1y z4OzOjf>AHSsL{Bmj#t4Px7tv!XBR?uSCl~J(mp*<8EzNXzes^{h+~i;si?Je}fG7*#H0l 
diff --git a/doc/guide/admin/config_dit.png b/doc/guide/admin/config_dit.png new file mode 100644 index 0000000000000000000000000000000000000000..fd51f296da616785f4a3a9b99c45409bfa0c60a7 GIT binary patch literal 19735 zcmb`v30RKp-aULLDx?&W=0OQ5LNpsv8k9m44VvdkqeeoJCPk=3NogK5Pm~5yhUQX9 zC6(rR{?>)}-QV8te!pXX|Ko3aj{Q8{ch`Mg=lL7fZ>@FSx6dlcZrZ@KfkYy0k~=M} zN+PW}Mk0}MQ&He2ZS*C&_&*AL1zBm*D)GOk#qpu|38jPFnNyU_R7~4Fk2R>(MT+>`-m*)-Dv(t^{6xdsccHrucq}-?)o@Jg@WeZ$rKKC1 z7`^@c{Hpu+lj!K^LOxz5ap6yNISH>xOZt-GH9vP6^38a0o`r$~uT6+h6TjGdBQyB&$7?Nsa|eOyui3$kF>PB{Oq%7aCCGRS9^{Izso>e_~vcf zZhrfwcX!7@inzEq>*0%Ws?SnWX@aCyj^f=ZlT2FadStk{r;X<0i(RWv)QLwrK%zT5 zwlI`t@ZsSBK0(2%?-l+bj~?`tN40vTG98WlA*L2KfjK>QWj0g$Bm45N)|`NSR}4)jW}X6vm#AL z=jd>vm)q%A3+I+yN)82z`uZ{F)zsRo$T@g;c+ULDuW8K*y?3v-GJv^hz@j--ZnU$w zqtm%Zlu0Q*KECGW#_h@Vlr$`33D)M!r%s)^ckf<|!;S{KFwq@t?=}^!k#2aMf2IFZ zwuQRyuyd!YNs{H_uhuMVOuCY+jLi4<_xJA098D`-Ve(j*%1~(hyr@ zC00UAK!9f3wrx!V6BG6cjf2LGpEd05h2Fn^pInbS+?T1%6%%+DJ9%x_6PGoGPQxd( zwOMnl+HcLx%?Y>8Bx`1+doEx7IZgac)-7ctr=T_sS+0u`+ip|3ES#8>G`>9B)uUdz zaKYa)+%JLKfW&34_vZS#mLk`KCr+NsuCxTL`4N4BBq9#Y0b>cTn1mpKmBZ~W!Nq)&3a$nVE=a}s|EzXd=a&#V)Re+3Iroj6 zk(%QC`SW_MnMQL1%3g^Mn$psD^hsQUy~K9zem5> z;%FZvK0(Fi+DnH#<1$yrMgNl=Qt`F@{&szw0!NI}4XkU((vrLBA*O`$dxn(51+>Rn zO`==*`+p9M&bVY+S|oQ}n(o*C`RUo6CNdJYY~ZU$YMBgNgL6nprs|I$tLl}d0`^_Z zX%YV{apcH$B1>jQyV4wPTkYZICcl_t`Q~%1EE!2&Ql!fCP@Cf9Zb|9hO%xn46hcBm zV=IfJJsDMOS&yVpDvBoS#O7wbR-FrnH2E2droJfn-MMqZ)^>m8-5ow(zNkhR$;->{ zcN{!_!`HW`+m}7()}4hMlo@U=t~E>n6t{2RZYl97ym**7K;}cF$QDjcPR2u~n>TFS z*paI6ZxY_dDk&+cyeCMC#>>lVsOT00zXqxkm1(xt(#mY9^VJKLQCjv_uGm$vI&+AN zvs~$~yQvhP)oQc6Ex$6`+p%MZMuz^)?0r}>sg?1d@p4+JZwu2yE(-(k z2TbZ%a?L%Lr<)HLe_#v?4>uV9UQzww!&E{lHV)ZIX`HnK3w>NhhQfQbuuRo!TXM!> zi>9ZUne<&Av#fz^5_f7Nj)m7*|?L7_V+4sW3`_pG~&YnNNbNBAucbbl|%D;@_j1qrJ z-%UBt%j`7r^>$<=3+}7DTL|6f-L_km>_ZK?M=lBT@ljnZX7lvS6-<0wYrJ;dI#les zg5)=P$Mp0#yxZAZ*HTiJ>+RRbbsPJ3+L@D{)1CM4<%g;aD16AY3moh;;>EI2W*i2-RJ5_Nuviw)R%!0* zWa~$@Ibil>=T2VU?}+DeujOVh&7h=|NO4#C`gmno6&00;k#N!E|L&PfRClY_nb{tE 
zwd;d%R;@$1_ZJtpB=s~IV`JWhnPGp|$sgUwE2|k#aqW`Jd}BA>8BQ$7^j2mcqGsh< z<6rSbzun0x67^qNMTPExpl;wtsa2NJmFcvIVqLC5Mj|!OCN&BlsS*y0j;77lvdZ1} zj~Y9{Tk}NJ@%_T+P;*+WdYVqt!2D#tL05^#LkTxwnE%TyMJFZURyigHvYk__B{K(4P4yZ9f@%~fd_eb))Ad+b!Bw*`*3d8jHx!)pbK#W zEty6epLi||@Ny<}M_08Uv}ocdsx!6;fAP^(-elyK4_sH~`-xyb7GHmPda#jE;_9pH zeMsnN_lfn?6y$;IQh@{Y@rBxxTa?AGX%{*Xowz;6>ZH4Sk*wq4=CAoz#%J1XVhakG zy1Z5;Jg1X%MYKDkv^?i)bYoD;8yg#4W;>j%N)~sa|5sF0BqS$WHswUg$;+2DrChu$ z^ysXXR+~O&h+kWVaIum9>Ek0`*Y4xWv}zYtNorj4dLdRV$q1h(Tyxlc{$Z{0BPp*E z0Fu*&hR=aEs(~vkA9&ycctl0DfQ^j4=GjejICp8bJCAnmv$M0K-@KV)e0)69u16-< z=6chBgOJhtt)EQ~-3trbDI3T#o{(A@Ih;E_Wsz3Qiy--uq%P>%ALT3^`}t@xk*;2= z9s{3aeNmL=TR(d89NNUR9Afs2`S{FHS~hXM_3PJv@9#I6T`kx*#%nsU z+2;BTz0Gyr=l!&_ndu>Y)FAor zQ_{T;NO2oEVgd(3WZB+u2Z`$24F?V!IIXNK>)_yUk(Gun8YVzXMn*=!=UX(a=27aJnzzx_^=3ypnp~F`XJxNm6-9F2 z=L_`{-A!C62D#-+%U;=s})k;1^&ETyc9peH08;&}zt|A*YY#1AekJjq%aBS8-t)Oty z#U+p4h+ajk3fH1(Y-spa9m0Load7L>(h>*PX%vN5X7!sH850~_hn0}vq0IT{Q~m%o zjQ8)~-%Pibfb%l046nHL6wh$rPZ^y9lW!>AQ=vDe(8E)cWVPUyTJl25&bSo<> z8`Kn}XE1n*s372dC~3c!-P}kb1<3dy*$kSJHH+A9B%j~2jh>!9I5=1@O8wk9pPs59 zgWAW3v0(_byq-X@;3rQ4b&9X<*4Rf!hNlviS5UC~_L>ai7gmFlpPxEbCZO!b`YmAs z0iq8Dvyxun}<1e_SJ;j^;XjnZIoU8UU0BCZfxR~ON=lESIHXWYK>s&TP)#O zb#=;bGd@RlDMeP>(7sRuM4^pvE9Ym}s1z+3VAYSMhJtvd>CUcbI3Qo@aa!G9glFz^%W;N@ox`E&F0oV$0gmy?rgautoDsS0A3wYC-j z>X^>hh0I!d!WYBvmLwh3G~4ABL{3Tb4f%}6rP{RV)YYq3hOwbf(XDYmm=)i&WEjwG z+ZN~GDy=hsoMm(SbztaKt7Rp+dxqnX8bB3sr)bhheROwm_UIG66cikT!BbZy0$D_^ zd#y}Hr)%&NJFz%YI6hUcJc-8}m|tAv77^L;?%lg4S2TN~-p!13Y@{P2A^s@wfPlG$ zs&Vw$7padma9%2L-+@|PhV3Bxy7Ewus1*`d4|NUGchA(;(~6Ig*j&Dm4HcoaUM7Mc zKnF2__zwvSyFtVfAK&SG{o8G16ddNxgQe$FpFSlWK75#Dy*mA&c(&7DY$Wew_n@C> zAUaZucxpK|b||g1^2M15y+cf7B;c0{KRWKs+qYL8+0uKC(fhQWOe`I0*&LVybUVEa zjo^n5{qEkS?))a#aGm(v$B*xz84VSoLqAJT-|RN?i_CU$(`n4m!4DqX!nW_eutz1y zfD|L_JluAeMbx2s!N~U7wQDGLJ>@5EZzU#q@u^QIU4B0EO`a6cDf07L>S51A4Iy!G zaF7rt!~ipz5v$}w=BK4?XLkStQ%YBAa-;bH``*)%{9y@EcW&Q4uBdp|vCUAZ8$E?U z3TH1~+(>s^T6(R_UB+uIEgI|g@|a6vQBUA*Z 
z$^C}an}>>krddSn*A_aD=F|;!l}dg2@@1}ZO9SVAQiwVlhb_|SQjrTCdM(kUge@5} zGc)JbTE-~xV+QM~3@FE~<2f$nd6%v(kLI~f@?wJ;%ny&0ELu~ui9hVhQ5pt?ksI? zCf!WjSr9)e&_9kS z8XGI8ofH)IOV9=?C9uuas|Ajo0nA5i@jSoUvNv+A0m8`3J4zr7un;JttlP-X?ux4) zAovjsH{^NCCdnu-4<$WBORMktiAMhXX{z{e{~Kc+L=$+bYnTv;2TH$O9vl|-HmI(e zXXTayeYl`*<;wD+9l{pO1LiaCefw&Eyz!Hkj(Uf|@&KCK(5ug;ZvlQXtUE-9bfX+c zJ6Va0ZqH4_^N3ZD8pv)_DMg9iBq|NM0mk6stJ7rwY|k3a?+XO^ou)%3FpAjklnG=p zi~5})h&?gqkymy8K|xixAtF6^-amJ`PL@EP@bcyFk#J$kY$$i{E*_rCgAFg;HTdX4 zwrHg^{cw9Py>@k}UuyibEc-L`Xs+v^gs53Xw}N!-SUVHWG(9}rB#W&_J4<8_9lVeKx z9l1$K-J_#HKnhDgWu?9&=KR`@fu7lK-oSU4>F|5eQIK(be0;BUR~OXL?LkelN8P+} z19doiE5%b`HFb60va%EI;0;hWH`7rw9ilq-Lb2Qbj$c9)(akJ7Z)gEciCm$;fa9YS z5482S{Gzj@)j1!dK9=(9M{NXw+6WHPkBR`dwCr`hH|gmdInaAgD=JEZesp}I6km>q z3WHq@-nJ^n0sAh*eeDwS}JkI%+vB zqCDEMlU8cU8wu6p%kJqdAD2lHf4ThDc#vA#4hjyzhl;%J^L^n*?Y`fbuFMBg)SKvi zw=^lw#l_x`Wum;)Ub-CN*oJD0qTf>BxEDPGWdTFd0n3*CcyK@VsNH^K)#SO>9c7qb zY`e?W`BAM|vxcZi;)}nsmYP(!xXg+4Mk6_`q?A*al$u(ZVNjLsJgNi8i2%h8F%!vz zc5=OOfuRvNN_Ku}^5gx~*p5AW_m-zz%uSvh#h|9sF~8mCjknigu2;E1ki-jz-6_WP zFV1`$D$l^ua0v^m4G6XIlt@-@!5oZ<1GEXrcJbr%;_N7GfQ*5&YwYKQ#ro)#sra1a zjDr~({MYu7GVS~1<1C)hm=1i21Bd+j9*;tpKwKkkYi#;>?VDywmBqteEA9#;(uYR} zWe2np$O}*zaa;EVVjIW*>n#_~o_*Tiq5dy~`u{$M{WlXIqof3)U3-m6q0=AUaNV3V zX~K{+=8z5&HLLc@YZO3&|G07M7AA}}%98Ut1$0X+t(r{_fd=rGUF6`J;2D`ICrFzh znb_l=o+Yx2%p&%N{>?AKDh*U6qLh3+mlqB{vawM#uR9=oDZV&5_NpYEw^seq{G{EF z4?BjYF4`2|1R}gte03YxE0=HAD97r=Mm5?Mpj3#^F$`8dGH*V;CdU~9X zpZ^s>wkK<4ZvZFkU0PaN#p>wkDTy#f$Dp8PyX&zylb@~oZD!O+QIQ&W`PYc^=a^HU z%(KCwz83Tx--y7AC{RzrAE|7k9n4NiR78f4w91&uq7BZ-$ zUQa{w0CD*~gj+V*DsNfwzyP`v@X&3olm`HP`Ptf}d!eD+=pUQTiwI-FHa08 z!>A&z;}zR^goIQJ90s^(C8mNe<=MVz)46zYucoFZJuB-z6vcZ$ce+e$vBf=(O)C*y zOELwHL%iMH-4m11tCt1`2U$}0atWcZ%oDx4{)qM0-~$GgE&RyP?{#Kovk&++xdcm> zGQSwT+M}$)&c(HHyFi%ZP}A+treO$td3*cJ+MLQDc0mwfTj)Y?%eeC#v)tKpX)D=! 
zLXUdE@Pq*-K->7xE?1A}%Rm|4Sjd=#jJzX{5 zzw19bWOffUu|L-D#*MY_K7P!#j_nT0G8zgO6cBg-fVF<(#!yVHa*%^AE}CmxJa)_* z6aV|pVmB*u=fgkp^hYC6WaX8fh!2dpA7%@^#2PEslbki(?(^Zphl_0Mp8jweNfmWc z7Ht8RtckEG*)1BSFQ!>TtR^r1_h(JvF=)$W2qDrbaW_$ z5oXv(&j3#-5RT5kmCv8VrI zbU0YOceSn zO+!=J7R}E=Yc&mkQ)y2wwCO4_rsPm3_t8lU2Lln|l&!VTIIC6EDnsLKS67$uBaHZ; zho;XA{xofQb7b4rtvea~E4p)-R;*nLmRZG|s7P{(iec)y9v2jOL)#av@+^CnDb}q! zJaCqL%^H@bj=Ue0gisZ{ZX-iAl7>fE_yJkM7K@S9lqAohZYS*kvD%j@cKc@?S~0a~ z#3v;t?mT?Badx6Z`px7(cB?xQ*ff7`lZ3n9YcZVEcog!OOaY3px zILWR`o1h&q$c{IhQ|1&AX-zWn-NbCX?0ow4=}dfLd`xGKJ3@QLFuo&)sH6glo2L+jd(f z)-JCj@cO82#GQbE`-6k#xw(AIN_Iq@P91E-9BA*gD=FxtmqjWJ4=nvZf(TR|<7R zS&hs(dRw7XE#3C*zR0Q}2T(?kAsj_9Q4&cM=Upx5o+Qj5Rni+>g?n|fC}nUP8aIsrCEL9p^1 zEpD{|;V*3c)ej5w(?OJ9GjlD-ODnYig4yg1RR$qzyEJE~7%f@M|M^tme|Z5k+n?3d zA_UG}sf>aI6fs;IEyWJbqa1O209Cx9q2cJI<|rfOC{d&3+3BI?&)}7Vnv~__-hiDL zBdU@MME#UW?EsO~N>w+5dt$!=ykKHAgHc=C@0HWJEs}2)K z#^rJf+}3No{dy2RUB=!}T0LkjbQa`QeE6+G^XZKF{}f~^a-t$4{7?Baa3V7ykO_Bn zbk}<7x^%At{rij<;h>&k*l+(;(44I4)3q{_i>%%Yr8N+O#t{p#hJ2zeOgMZ+{U>Bf ztH}l1Z68jaIC1vUC1T3TJpueC6~yj2M+RmD5tuXI@~&~AuCv-@(fDoW!(JM!OqPMe z;kp8?QVF}odm&2kp}Wt$@RNxRdH#H7xL4rMksM~heoG+F8sHQjF0K=xPI?8##2FbIcd9NY{S@17r9^0 z7y^|-S9$vvl{!3F-D~dV?h#Dy?y5K;t)`}SxD-mm%azIK z6FWtF-FnJf!LsP|KEObr^_o)p06fyKP7kW3-hm~Au4?D(0g~(Pg9o>uf?ErA%`IL4 zK-1cQpO16z2mbmuK9Rq$c926U^5`>%^_VJU3Tcl08haW0GBL3XG5iTR0X~-t!kGVd zL8tjwPR^hqGuQ30)ZP@Wqbxm4Sylhy@iuR$j_WZ3L*dVHkPt2!2LCw;%gBC*pPv{K zs}DY*reHZL>Wf+L`Sa)B0KbVb5*-o*eqghXTkVh)b3i3SLU6+Jm?6Jet>l+_t0VCb z79893b!QxI964*1qDf}j_x^r$U0o$AoK^uFbEnhXH0@n+EYZdb(!F0n=#G6j_>lwr zBEffpJ@pqX@hd74cL&4(6>XNObmq(^LNcuc)+A7>JTm zA?QgK`p(em+{^Qjo7aIdCCFM-EMVHsW9QFr1vH+RoMdJ5jTQB7PpkQ7-%M?RP4P5? 
zzP|o9NKMXC`z~AoiOj3~!+UqH{t3NsOiC`Kc4~8N<(3BE^$*c91St!4D!FlB1u;lZ)&rs^j zEi8EU?o~j*$Dw#nz;7VtUY%I%8qm%fwcWYS>|%F0TZH`S)4{9r(W@co@U2$tkRS;n zM|cwIf8QgMCv#X6v@3_)0Cy3gB3^qG8k$O(!j z6Kuu$4IA!>T>0S#$G{4W$oJ$xSV7(c(!Mo4^d5{m4|=t6G_B;^)3C5GKfgn*$_h>5 zm_=QIaHZ3l6`-FljX0MA><^7SY-7@8uX7cBKng~6eOFx_3}Ch6h;`&v1_rHme}8|Y zFVE%Z+1Lckv$aqrc1lUgQKhZbwBf{p6Qv8-ErCl&Ng__mB$S*G06_t|YQ9S=6Vxntx zxl2`Bdmr3XLhf^81ZwQBXce(i`1LJf4Zp23I9Pk z6PAXxspIkCX2C9CnJrM1haNeb+IcLmEj;VWpgGn@oaPvBs2noS zV))w~fB!f@Vtt`UEU7(zmWFrtZaM3(d6%O~oQ5BRKWHDGmKdiFtN22Njwrgj2&vwNW~uvU{5y+c1k<5w!>Q#r3swo?1F zCsAV!(QJiaq`4gsU_>%EsFmod-Jw9L#w*G7m`UzEemrP9f9qO{rfFJNj$bucIwN>+ zl!k2M8BBVv#aDfHiA*RhFi-2if&?7)B=0uYt*d*PbRbz`>?mm&ASeXtSC?@o(Y(B% z#A8Jgxg8sKh;9L@tk-<3$Q#r&`#j4rI}H?CghBm)12GxZ`Da~ed(iTxF#hS&*FU0K z5M_oCX1KVBTO~5X@`2!@NE{`I6U1h={}dfbLY-#=-ii@MiYrg z6~m+IZd&cIWikIc@{XC0uHS~^(r`_yh~wc~*_3RQPXXkGMfgZU;6CDqLa&pul z6DQY$*7yQGavp{To;`cscNZoA42mqX%41G~{8BgECb8*Q;2;#Q-++3i)kR04iG_iI z7o{y*$qPgu^)ajD{Qg1_M0$khXG0;t@C+rfjc@BtxGm>&xs6H?qc-Mn0%X+L%=K9B ztE(heA8Jdg?JQ-jy)wHgEa}MR)S13tkp%~D?XHa_o!8RZLwJ4UQn|PwbbKjvw#j!H zkEyXbH1hjd6_k{$Co;~L>pp)#eJpk6{(}d+ptQ1-P(&LB1nVL0uo92F>9AzH)ooVy zb3~clUAjDM6ZiZ%QJnkQvMq?}@qTsDYxSdX{;p_u)yhEDyeuk&_)?GuC=X9gL2)v z%bi88)wQ+Rg*vLL^f}fY8$#dRfSWC$(cI$VzeE4oIe5~id3l85?363mAi!%)*E40{!*(HDDXy;)<~ zS+oO4QzOszne3wFyT|_vD$jW=_JH*IpOJSZNc$A4|1tG+w9UNTqO6CIf*YV5p3lwf z?4!2qt*xzuDwFQD>KR|voy?%#b1loUxZBdwRQ!pknC^(JlahA8<>A{k&kcnh!Ad5F zoBoxfe*XMvu+<%IDl~r_Gft~_>ww%Lz4Cwl{2BFgCludYovT~(J<_C2O%n*0*N7*| z#D{1pU7*aJ;Mm|=>;=eca#F8q%Ij!-mE>{TkH8!Rqz2UQ^qAF-m>%jnwKzXds2D~7 zL^Sm|Nt54yMdt97lv|a6Fi=obR7|prXrnBVd^};yPsV}dPL-CGRY0w{%Y3Bn$DVR< zjXVMZN}#BBN=oWrLNrZLj<0_gw)-5cL8nz!@6|~8bY)wFgR>GXD*bX{A6H-%xpR}_ z`H14l4%;VL8PCRD27kHdX9=40H#9Ofu^Ilx??c{gLbfWq2-hJ*YyEfkc;v&sn1d?U zTA04PpD`U)SO7VGoua%`xo3tcb=jqd)q&p~y}z8=JpUNF4m=y(uuQ5IY=v2mPxtyWdKW=xm!=_nGH_Q^!fNsq0nUz{luL2TRsxed6|+@0j=+V%b4C*jPLT{ 
zCmTBdUNdwK&69A;5God-O?~Nm^^j2bk9sT|GXD5vQ?^!$gNXF-x;A@usweyvvwappO!!et7j0_WfPhC{erbYn?_r1HhMe{u+7#K=NJLYher4w05si zLo4_QVo#&6H>cpIAq;Hjt$f-_zURDr9N>y!b00fStmVEx0c9>r__BzdK}k4)G4@NJ zgDE7xDj>-HFn9xr?m-kN{K;q)F-TblTvA)r1=@4NYDqc$91q^_>1DJR5r>#x}8fhm|Q zeIZnFh>0<4rKn+_iYk8Z6W2Pzq=DXb(#c5}8HeaMffSakQ_KXi{q4g824MoegtLpt z74wrQB!qbxuAQ_6zMmM_2pbL&+npR|;1>8@dfKW%irB%siJRo+=T{uCch>=Ls+O#A zO)iud47D6SUi{C;$Ec~ne)aY1CCqXY2H{So5U4*5I1py|-=0w4YVE%teTpzvfRo?v zHe(56#DxL->TA%Z^dPtr>kL!lecUMP-*>MAge5{Mbi=)tR2#>%mSEZ~Cv; zNQVis2XF+x|NTNV4Gun>Bvf{QBf70ypCg$9|Axp-P{_oJz)VKK7hI$0?1c+AQO)%+ zG=i8>DPZAp`y0z^a7Mrvl7K$y%5OIwi#ca|u1yuxGZ&vj*|LA`aN;_Y^ufj?Lbm>! z>M2iOz1qs|K1POFl~5;$S|RZ#j1SjCuCjw7OYD21@-7qM2qI=4K4kpeC++=66dY*? zch>~i74q}*iw1jq;O@x)Z2ExHG4QkF4kxVsel)?=2EsT<><`Gn0sGTrgj|loGY;aT z2UDjS-u-vs?Fqdb44paQV$6db1yA30ji{G>eSI!J9+}{wc3=AwcLKx_1tg-6s?+l}v zr}^{vt>ZYT(hX^-Xz-+UQt9!9{Qf6B%aX+`r)y_A1lGs_rGV`bu%=QVPPV+ z9j*oTw1u<&`2f-cg%3+C1(a6R0+vDdKX)KGY~!`aj6*BIXq&(&aW&7BD)lq;&?gWt zlsH?F;2_eF|0kT>RUtm0I}pZEc5a!wXK|fgqGk}*ejGmOGdPzJ_xG)JXp7hJGfw0! zQ-BPDUY3YOjf^#f=!Cw9>=cC^3$-rfBTl0cjz8iM4H5-KWYwuovb&u0_7)J>wk#Sw*Z7_F;J4eOep%SAs3>KQGB*>ikV*Z9y zKdPow?TwJgaT^3(3nOYK&WT`}*j`o<@K~x7|Hr$RQ%inkRLt)S; zblS%TV-s*KUJ6lwMS^JML7r3GD;K!({eRzS!^@@VG_MN6Fan?T19gvt^44sN?eHMp zAgVRTnbbe)BzhC)-!5ad3Fk9m5F=`44n#M?)kzc+x-DB`u>+oein(YJ5xA~?u7|4`8C$?Y*XKw$whs)Y9BH;Q&X9|goOh#eYmx|^_IG};L`~flW z1lfXr9*)Kg#Wc@zSrnMIB1y90dO$BgKg9KvrA8v^^w=QQ>zN%lXm#C#SmjJwc( zdf-`tU-UY9;BI;8beu*YTx3BKGY^q`_P;;*c{(aP5t>EMhhJmBwi{~N_qMVU#@5~1 zN`h8Z%! 
z|LJkl$CqLDaAJR-R6p=bGU0seXX0$Bl?oF(^T}QqQ|%M%D0RW{6U_?~HAdIpxDf1t zh1*4^F=_b-DKF1Zldv5DGKx{6+hFUr%yb7|j!bFi%^qJbE1in$JQ*N1m)m)DBkW;$ zSEu*j%;VT=a@ucE&Yc-Kxki-Ay?5Y%!@Nlcs}wX)SU^9uy-PG+$t|~m>&nR?17b}R?4R}NV)%xg6`S|TlN2&56C zmSoj7ynG1xWpXg3(L63O@x7=v>@;uz8t=F--{%y78WIkR^EnK^kZm<{EFURG2-m(K zMkEDC$86k#inKH$5sxA}b+wrAv%nB&2&$YdDz}a}BQ0e2T{^DD)Dh=0RJF7Q$FCyS zRW&uuayNNH5;*jzU!Yh=5C$EZc2=vsfJ?Z_#lyTjJnvx5Os)qZ5{lk`F&^-~x34e% zYiW`JtB|1|KB(nYRYgT>hqdfvr`zZ|Lh9YCEn~4e`^bw>%CHsoDaX#WPjg1THJWF` zIW+XDLZ8md%PYc2E7K>}nK~*zYi28X@Rh%;aSmDfymo4Ie=2ylj}!3gi&{FrNGK-jA-h_$Z=a{hYW?-9qf=I6`jW@m8Mq-tikhn)5hfv`hUv2`;Bwul z^1@ajAt87tsIj%AhNh;rwT$1KD5c!zYzYS1+%kE5B4G7HUP)Gy=^-|&aChZD2c40+ z-^UBSe@{ygwrab9@LdPoH)~p0y3{9_;W}xYYkt??|KzDt>tbSJaBgO=B97~2Day-l z07@kQpB|=b=m0C#!OwJ%f9&jYvHNsqWtw*|3s-_ zJX+cmx@wIhmc4=nD962!48w6k1qbXxh@&(1lRwVHFWRcbwpu=b%RoU|`UX6$@-i~F zV5F@yD>ly3)bX4*x*Zt!0Kc_E%CiV(KJq;-MXk5FuBHZ+t7<5{#_D3x`p1#o6319I zaJ(5#PpMX`En>6#TO#`XUoL z+0W6EVfK6WE?^;$IQl`T>K!qD)mAvw$C5but)qhGiTgX;*nXI)bHkNSpVqV8WiE?T z;>4>K78V^^lAN5x>}K7U=-1|p@*Lk)@|AJ*Rb+w(zMa9h<;@m46_bjf*Z)x;b<`pb z8h-SgIXLyJbqfxmfMzBR3q0mm*VYaQ*SWeLqm?i0pDYTT}@$-BDXu3#2mMelf?`WS0uA*;Jv17n2&KsEQC?2Toi|DX`+<+U#Z!R+v;6XIXRC**j|x^`=HOZbW`C45`b?VyoIFf21d&OI>;Rfu>6%$D8~h4xXG1H8E8wn7Y)v1m0IWHfI#9?m zl(ui(N*o~~47O|@Q!1MH>H%Q*mSl3V?jIO_2$R#%OO>C4xUt9>p?~H4_o050DtxHv zojA67`qZhLXWTAbimc6?wt)-AhZGE0)ZU?HFkO=i)Ne08uzFm#{|w1K*GKtZzdJyQ zJe?x=YN}{iWeaC6=!|}N^*gS5Kz#7Ea&&Y&(+1V$--zMK!?w1L{o_^a;rLFKquQ0) z_`;3NqOio2|jD5y$HgMMX5nxCrbyf!nUZxyN4g z*4#R{bd+>$>VB9VVv6^;lhmwUK5!vP?cLMkK8E;anoOW}LI&R9{hPUW+2TMsv)W!5 z9h^|GKd>jri%$KHUXmS^OxD}yrcb)*Zas5q66uW_+2%*<33K62z-+ob{rxf1-uR06&5{)-p9t{Cfb!h=;j zJc(?ojZ4go-FdQa)Js=eAe>?A)`Xfq z7zRdPe26-?Y%@0p{&#TPYsJ*p7}4^LD4q02ZO5X@GbG>0`XGE>sfb^UK%&Q*+sv8czC!GuyLQDAWq6Pg*6(K7H*;$ zqMD68xw1;GjdI93+w+%bLw3(ta8; zDiVp&m$a5dx_gqehD565B$1IwJ)6BrByYP7v^Lj6UlkScmzS3>(Q&P`eE4t|=_aCG zc^msoe_MJdQ-G-U27ASw^mYYnBlXvE_->-1dEeIdI5{m%jCjGopod-Jr;vJnhqde2 
zw`*YXi1&Y(n8^HE;?X`JWGg?;M@=Hx(*~6t<^A#h`e>^Ee|P#HzkO-rGy2mG?yc;$;thDiq zn&g6BP9PcZ_JOwt$bSG_MmyKk4-$+hMt~8+h+`x$LIh!g2tkw}Aczsf2@(V$iZDfl zB1#cZ#30)aqGATE#)2qA)%bqG~J2vb^#KtyhdF(H^xOaK#x3CBcWB5P$@1| zjj|9`){)2(M9u@LFQ&?tlmbv-6gUMzf&RMv4|95@HTL3)M-Naj>F3t$4c03iS=_d?Q>Zp$L+p|ndnqqvB%q6NjuM20!X zTwrOA^g$7b5(S1S@<=5VzcE!*qg26Wlyk}jm10QVlA>gzEX06wkjTo-z)aDXGG$A~ zIA>fi2`+KuNZBn5WsXmb4Kj8C0F=uN_? z%zlWU_MXbSuK4`Tgm*2R&N!B2SD!Fk8q_{*Ce)t9>(nM2OE26`UcB~z_wCYL=QKoO|J(Qu%gEyU1qm@d zR%cdPbk`)MIh4l?4h5)FKeE1eY5S7Sdsa5_Js(E@Z}V+Uyk@{VI-E8a&2Fd zTj@LHHE*J<{3|M#Pgz@U?B9C7`b5#T&hk>Xhu6OE+?*JN!#aOgIU# z)R1l3EqBcJy8U}`+?ui0yD=fAraP=7`$wPkR{6~GJJkM6=iYH(s3Wf{PTN@f1r*N> z-x@zzJ!}f=-t2OVn`We?NAGNYBI~Go63J`qy>lNu*S3dU)a4Jpl)uG^q=cottWN z!vE+H?wxFxU6Fm*-8SW?)SME1vrzB2sXZA7UwHU@-4s5*_w-)d-i5)Qb|ZPa!bb8f zSmp=n-0aUXRy_9kI{Ve*fMkdI+}zP^s>Pay{i<}$@#u{AwZ~_x3R3d=?ECyQszW|0 z+;h&zk3V zYsSF5fAwAW(qDbY%Gc%Z?KLw#wb*#t`tj5Bb8V|bp6)D|H#(f&aCg+>LG0*%{HsbE z2FE^*aV^QKc&Yn-Aj7mTcW}_UVd6)Fn_j~$Wrj~5J^$;Fv&UbT39Lf>+>-OPgN%X+=ewrw4?yEfeg-rahB zdS1f1C#@j~?vqxV^xv9t%Q!Lgn1$MJdiYh{0)xh5Cs*OVa~@WU%#*2?$#acUT=5&RNQWp)Bg1v@;}+y_~*a9|G7zm{dL=4XC4lDSU>k=-G)XzJ+$io DT3v~c 
diff --git a/doc/guide/admin/config_local.png b/doc/guide/admin/config_local.png new file mode 100644 index 0000000000000000000000000000000000000000..5337c7ffee4deb75235db038c47f50824845498a GIT binary patch literal 4172 zcmZvf2{e>%`^O*ICPawHI$6rDQT8Q6L-u6L&lZ!hrNP+AUMWkN&{&I@B0C{_k`R(z zw#-QOY-8uW`@QG<&-tJ8KIhClGtar#>$$G)_jAXZ80nm1IL81%(5dUX+NKahRRMk* z!cKtiTnD~W;709(ylw`A!G8QSo(6wUVs&r%KoI@6zaOgFCv({l#Ikx_ThlBcV|gOf zfPGtl{?F>*cj~=I?_a83G>Smt*k~;--^}ocs5OZ4U_>~fp32n3 z<59VX9p1I72t-l`nwg0S7V}Z-A#>a3&k4raX4HLseXW#}&AJX$R8%F6d*Tmn_pHz` zm6VjMj#arU+?(Xhp78beKi=#&4pG-oQwtUD(535dZf@?$R58v}zS5IjBb^-QzdC7X zXc&61Q&z!4CFCfdZk(Zb`|wr*JX(^o>-BYf#xMt$SPYVtojun~yxoT=WWc-ViXceB z;hMz$XU5!258`g;Nd%EeBu|u@g`ty38s;K!cx;&oG|+>zB1;3Wegw)cXDVcfXbKTQ)Ws1VRUC zZNRO{uEf69JMSj1ye~*_wmMU zs5iEE?xp})SQjPhW+2L**uJ>DJnLO6B_&0E+2XLXQn$*l8qn-q!HRS&3)os1jERY< zs;bJ&%mi-_T;Sngfw{4S3YxaeYH4;>B(*CB2~TV%tp#}3hJ@IOzJN`SU*@`^nBZPD zmX(!NQ&Y3B;O1?TXL?IA<h(UQSqn>@7d1HO`PHr z7>ZR`sI=YXa$2|ZddnB%eblvU-RTOezx#4waOQ{jw6qVd{i5r^ym_XhBO_maVkZMg z@kResQ?|C=4ld;6oR2oq)rH|Z-o1T$iC{p_%=@z7)Gf_dCIiF6Jn<;HsFt5tQNuLy z+#E(ey{@iK=g<&hKmB*c_IAuF3_oqQ1U<2X(WMPQo{r z%0GXw^68mRpJEU9e51cv+J|nfHXX0;9<)6^_9FU%Ge7RLF+{KgHhrIAZvVaFL68DK2_ME`xt@})qP({8S=V7X3ayfw^LRV1T~ zayJZb&48))zOstSSt;vE$F|24b^bnz8AQXvf&w=emzRwmw9-c6$qP8;MRN=6S6DbT z5{aB4k-9oN9UUFl*Vi4Ss)>s;X-6Z_CioQ27f|CnJB)&({WSaOXo!yRdsL8{ z3L9=jR0&*1Bat5)L-z&Q)wnrh-amojU@4edT6qH4{(nc7hEK_UgTJSR{P9>_P zG+=E8h+{v|*dK?>Pz&}0T9L@F=3Uu?zhL}1N6nIC-SNhv(B0j=&GFJ!?&@=~oB1Q7 z*!BdzJ9qBn<>f6eFLQ8kBqt}!x4&SEB{xSC%M;Xa!Y`ou>a}BI!ZEej%{)dCCNis;; zd;(M%gV|Y zhfDk`d$^ix+LtC9>R!HV4*FD;w3euG6z~A88g`_L{4zY8x*JBmkYrtypD%WXVUa;R z`EfX!#_2OH{+S@`t=VHzO?9=uhlhu!r>B+{wUT<0(-VRFI}t&C-Dy{1V`IrAU{-?B z(suPbOujbl(`a1Lz8ngLa^w=lcR2TCD6JRm?eDW9iN@K?%*^lkw>LI&`TJdtcPGOI zHQ1pSx**|FGBYOz288h)e-*o{tJ-tI+RSWVY|ITo07Cud-jDtL{dg29S0`~NL|uvP z>{*?`TXlZR?j;TRCKn?kBZ2!xBjLO6a(!(G?jpHY1p_v^6~K#KpY8JEt-fDCBx2Ud z9a^4SKuCfD1ATEgVPRp#N)_+6Uf}K(6vps$f@+|*-rtJ>`KGkA^!01>aIvkB(t8J4 
zt^rb>ekvU;t+}P;+}xa{rDfCc(LTB6zmo|ee*?1xCBYi2{m*+35RlulTzBu@ZBGI5=R@IKVnMILv>~<9sp;Ru*=ASgn1&tVw1)Ys=TyS4>Qd>%k2H zcgTRoXRhZ;dbe}MXrB`!C`jk-G^h52?re>w!otM~|0$97>|L%l+FBa~9Su!oW#!UT z(_bh6QA4D61AYK&$PT3tGK>6HC;32zfYQ#$;8o7#2c_`r*`=k%j~_p(AMKEA>-=Va z{YtWzj+gV^&0M*ztV}3kx(_IDuqmXD5g0`P$Xh?^ZPsy}s^^xD4dh z$-R~QKcA^j1jV%^Tcq)r|6tYb%YcqGCr*W@B_0*Cp$#s6Byo8n?W zKOqP0*QRfch=7FhQ8w;*3J_FtLKo#=4ARoUK@i_zpsVY0?_RasP3cr8uFsBTA)%pj zz1d+P++OZ%;Wy|zU`qrgpI^xmmH=kZXmaps111cSKmwv!GAv`?s45}h9->U+AbAyW zBA9`J;o$JFp}xMny!=aH&%(L+Ye{>_|%dJAWL@ENJDrZAD^wD(BRM6TCvzn{N8v?-}ty> zvR+4rTa|U5=^Zrs%$YNS(GT7!ktcPwGpYC)EtYE-F-2oHE}j7@T!;M`nW+SbSR3Y5 zYa=5gqn;hMI;rMuQ!?B?k6TCjMhZ&X)SNzdu3*s3i?`(6yMcM!Q2Nc(>TG3SaY@NI zL0G2I!`oa}>?|!6f+-%}>!kL?laVz+TjD_cV2;>s;&SNoNseF}>>zWg)1Lx9MQ57U z-^iN6X0o1;p_qWzf6mQB7kFFA$bzlHQi;JbpzW|#f8fEHvPEJi3$4}My%LociyVmjBY`6x~H>-nG?HwxmCmto_ zEAJGYlauqSJKcZt_l@Y&4_mJr8ctNYvImytn~C%A@Nh6(3k_}Pb3w~;@iITG{|2?n zmRXGt4-+j4Mc7Vq-?fq628KITen;Qleya5$i^eXQ-8-c8-(AfG>o-S3AlHGMxVpK` zc-KmDKB*^t2BeAdUX0&b98OJ1Nm8&^@+QLoFte~=Dn?J9JULuqzq-1bsw)iGSCX?Z zCue4)%n1gkiz;*J%lY%?&#emQ?o1U+NltuThm#TC!Mj+Dim{PSOh}--5V?Z&eHk24NPU3@khAB+hZx4Q zAM_mXYOl|*Khv#r8x+SV%t8PG zFNNt*vp^lcDIN$`_$S9Q`FoQ~hz~cFm|b1djn{YoSJI?0Vj6h0%qvlE%G!tM!feJof-f9@9bF)SoNc${Z+TB zvC&Yf>0&`{HTvX4fTT2W17mkeNUWl$bga9DFigq&Dsa?%OBzl^}=t@&2x2f=V5$?0Fi^ z4AsEzLD5+$DU?o$62(IJ^yx^!$)H6ku=@uJVMhll{wvMxFL(gmlpW0-L(S9WsmOlG RE^zpUu3t0KE=D>;{s%=k3*7(! literal 0 HcmV?d00001 
diff --git a/doc/guide/admin/config_ref.gif b/doc/guide/admin/config_ref.gif deleted file mode 100644 index 9108d3a7d417c486dbb867f1e16f7c4700e5c6c9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3134 zcmW+#2{=`27ykOoR5!PhqN{thDRXHcD)mvBql_oxju4XM5QRQNDxpCfp=?76$&@+T zk<3IP6?P=i?UJ!n$G`Vo&$FNJoVC|l?|R?&+j<7N8k)xfm(+myML-Ao??L|^i2jEV zNymFKt9cS)0LK8r0D%D#0~7`T1Q-Mm0vrMa0RaIC0R;iT0fqyJ0~`kk2LujC98fr* z=V1sy1aL$T1_S~m0u+r!0E_^T05|~<0SE$+1fU22NPv+5k^mh0jHNq%JBjFT86eK7}Qjnq`VAQ3@A)Jv15e#WW0Ys~YVGK5o zA%r0ULnMYM3;~7>vk=a#LnG55^gKlCi{Z?cIF1mG2po|(qHua7-AxzLIVK2%NQ5Ya zXeTfN(R^?^MIeGeB!MUb(e_{@qDkU(9f=4MktCu>M0f+Pu&B4}_LhaO3H(}i@7T>Lpn5Sa)e z=CUt>#s3caq<_&N`D57hw9jP#U`9_bI zGM!1f*A(rWA1gf1G||(EF)YckOaYH>w&s-N_U5mv2>UJX|FEyvwIyApqBQT_1CK$c zXr;18{kJ(2X05qp`GW-)woI)wE?2F67P(%^r1ks6(2IkTM(V!;wmoZ3*nXit<#zF> z4ofZ5bt@}p%(|{0Np@Ii;pg1@(D_|NTVm-y?Ng8t z1$62!3~J7QZ(Qy6_vrp9exZdo+ zns9Ne&-f*I-5JR%Sfp5An7CqqQ`C-anf=--&53yQx~a0^Xf^&T8Jyh-`UAmYQbNvG zjMgZ8j1y}wNeR^r)gVGXA9QDhOlb@C$1nHMXR)2mW%ph_Hf7jj+>8@pa{ z=yuONdoRT`iOyjbAC4x3<;Z6r@+sSBQ%K!CJLg95 zr#FLEHR^g_Tr;LToNm_7xqB38sr($X5~*yIxuzLw=v7=Ob#-mL!ol2JQWJf44j{K(Vg zJD+bpHXmv8El=F~tX%^u-1t^wnpd=Rlk|m?Q!etX?jrLoT>nDXt=lbq-F8+<9IO9h zr;P%s_4A5ciT0mgfF0(s_4n~XfnZ16~Ijnb4 zLOWLGXxB%BTMApFEc({S8gaL}v}Ya_kugrzWDULUdo^lG>AlL?5&EC|Eaz(ixnC1&EF=;+$++(cYawva4AXL-<5YYK>A|`aq!yQd(D}# zhu03}he)t}9eVR68#dW!rm;IC4w-Z8UeAxcthANmH?dK-D{45q$=YPk$IkoeA_1-XR+ph43{(2G@KN1 z#!xZ$@sy!*@#`~2o2zD~j8yB^PHQVP?3gwd>a_4}yU~1n`jBdWgs+LprOauQJ)W(; zrn^QyPMb>qUdA~r#wR=TlK<-gPN(upmzmC9iHn@B8ku`DT?MM$YYmNd&hB_%vQO0V z{$V{ezbrFT%h_BDYrpO)>zmH;d6q{#?VGIZ`qI^`9e$6`_Gb9=`LmsTW+&Lk<1DS% zx?I1xKDX+O!oA<3E*?5El2a{cyRAa4=iPy4@zLh4-D|l`kDKk6v;BH!yPN%oPjb=% zLUXt+=le%awFDLZW9>Nit7O(O_3(3RtFR?Kz5{HL&FqFRkVF#bQKj31nqtcw(8>Fm*0m8y?eCb#YRiNntIv4WcCBm}`n zotu)T>Ba`DGYsN4JJy^OGN%sQ-l1|z;>QuUwir##*w+eXpPLBnjc-%3Iqr3LjZ<}k z6D{1$ZYrSSd${Uj*B_d92s@OPO%7eGuU%RFUER6MO3w3BN|lCRenalh 
z>e#NiuaDXeo)Zw}J>eKO$rf5)i*YFTZ%IpYlZ}cW4Vv9A`?qL+4e#~uFH1z`S+2Y^ zJ;IZJxnNwdkZUC7Cv3$p8UBt>RUyrHow^zs--h89l3o@R_ca@mcNXxzM{Bj zR7cGB%rHVzZt$Rv_^ea>CWk;V=iQNKU9XFt${unVx~D4}@4QZk3jCl}8gJz^cOvd? z>(|nr6poINXi{L0s2mX#HTEgsqqc`^8YWdSe5O2GQ~?E_$&SC?)}-lvDZFRL2K&2_ zO`j4{c178qO?t~y7>~%@6qu7c;iY)u)__X$@U0>n_9r)P$n1%%it(gGn<2ip@&!WM zekc~_56#LKg=LL@F>M|j{ik@5@3vQPd02$&y_}F1m&z|Icga+K5f<NmH)}`7HpI@y4ihj+5BfVPIzQDf^1+!x_2Hj!FaE7pQaRF>v|@n!t3OG(y=S9+ zuA6tiyG&Md`}&gHhI5|93H(dDla8Iz=~piFo=dXt(wDPW^fcyjl6;@2|AmJra8-() zJni&yXzdzLRLt>y`LyAzx8KtC!e(oclXD(>bCOSVYzi(beLoU&sGK}%q$lZZKEL2M zTu>_dV|c9e@$C_=b9?DnOanJFQ;+-pw55)&!1)T5fwP`3OIZi~x<$%j{UWzqv)|HQ zz5ef@w(wEAC*PLX-q}McOS7t{f9N>+%uWw{otW+MHLaRzVNIOxhzoZduG=2xSo34h zx4K|qX_o0iCHXYiiqd^|cspIrd#%QQ1AXbGhAwW(X4sOMSfK;yyB%sm6Dm?<)sa8-4|0E@6e!f>b)Fp`I={CQ%59VsU11l(W*oB9?ePmB+jkjw`eB;^*zb&|DBnq^lk?XGeJ9d|n z3i9(+y;wny9F#yL`0IJ97G$dV72ED~%i-*B*}z28ApXAR9G9B_?Sv zUf9^%j|~p$nVHG59L#U}goTCSm-DIyT_8p>3-j|MeFzd$Q&STXsP-S&%D*ovE?!$% zx#qd7tFGQvTPqp*y->fDmhbLoE1{mAp02L0NYOg)b(@OO+}vC*FRzv-o}Qk3&Eev>#ynt^aEw}a>G?f2Ioofs*p zLp>}sPb$&81F!0evH<`a5U48cK+40(Zf5%K>pq-tar6v2Q-VU3XSh7k~LBS=9 zaz!nzIE?Z|F0O4KsW0`8 zNdupYF!T%$C%0OZjjnQOy)ut6Yw)izZ^DzzaI&yCM@boUfSHpD*dJ(Xd(vb+GBPqS zIC$^&iDyI>2?1`QHsGKtDJdy}NQB`sC+Dv;=LV|72*JR;t)GW`+mXK&4GczSzl5{1 zu?e)T440afTb*eW=iso$#WGF)RpfK2F>Z3JJ~EHVlnJnRa{6jf=Jk6*Rb*w)WVL26 zlA4QCGriqP=-=vSh#&8|z z_M0b6H9LFumBzy@_{VIiz4t}kkJ9?b1sr(U+S*!Je>>VCqquzevV6W`IK`SL?}fPJ%*^$rB_6aqJz1>m@$TGcg{`%< zH4zb!k`)?<`{+8y#>S?ZE{1}Jfp`_kqHdAa=z4PbK)vH$p z+xYqU^E5NqhNc@IFMJjoB}`{%_@MZ5OhY zZ8V2~(jX{#O#^Lu;$lW_l)^77@<($X2O>t;}zYR7S+|1P!_hYN2qPf1DfKl(Ea zOKedyG8%t%IqYP`w838@Nv*YBBhReH?YfCc28L&GdAY5vEowx|*f{<9bDh!y->vyG zX+1V&ck8^?*hH5kzDzqpxx@nYJ#=(*h(f5CnYBK(zLI|E_t%ezAoE*kadA&a$KJv8 zNdv5lBHZ%cJwdnmcGC(u0|Vdg6hT^ATK8YwuAZKgRgP(ynbQ$e>;w`Dd}NHGtI+(8 zj*bGl2_kIbi5r==1xRalaq;B9fRYn=Mn*=p^K{_Wd`JDme*jp42W!gt8#6#adD#>U13vJ^~`9x$H`4Gkg;0!Lw(5p=YSEOiWMViaEW=$jNbW%v!m(Wsfc^C@Mx0UcFlRlu>N|;2@6S 
zs(p~`la!WP$rre}{CDqE@&q~_&uClSUUV{#DJ(3Ej*ecRsL?SpGSb%mys#aaoS2xH za`RWzdEP~j{rQgP8aHopYNX~A9U5@)F3is-CMEIk^48VV5E2qnEqFgKSr{xUHLc&; z*(oY5&C})<6cp6S(;OTcGHnbz`m=I+?2{7{5vConOxNIswVo?VAGo&FM5$Dm_)#@G zAQ1)z1_BQL_M`|Z?na$~a{vG}Gn)<#4ejhygY%woc64?=sct+fh6)V)!M}BVU0q6E9-7V=df~SkX*TyxFV>}#6IuUVmtWoVmX?;04eGMH2M6xr>2L|# zex;$IX~E$Ze*LP{*^Qq zak%y+n4CI0#`z<&)IO6J?@h%oLMbNJQ zF`x%j74*>7_I6|vki8l3+UjTp-DSgzL$~7Ox%v5>R)&gcNW#=|&)K$whliIMRB&Fp zL}K~LW2tXu#(efKbSKo>L(;@$9j|xInvwuFGuYSX_Gftz`Vw|2<~+p`3jOW03)n6R*pk481SaWMT;Er%-)Sj34ko;-Qdm3-yoaQhob zoW<2uCG_a%sDY8uw@lgTp`kl^=Nrz=%*_}H-IaQDEF~>{WOlMY+><7@=ig9XzEy7B z^;RqM_pe_=!%I`h4q>oj(^V0X93ZEhoQY4q)RsjB1+^}-&CU&bHqaALek*2r;G&Yv{ z?AbYL>h0;1V>(u)>|Q)PJb!=xCuf;8z3k)?&Me4RWQ|J~O)IrFQlpMZv%@Ox14oM;LO7dTjIE={P*rjHapehA=2iBYv?r#B8? z4nq*W`ePF`{^53+CC+K;QzYg7{z_?meLdY3(;`Id75)}Qup%wAJYf9EPQO;;@jgh> zg1Wl8($dnGFX=};Q5zub%c1B$2l91513}O0>g&t8%mkH|uG5+M%X^t1hlB*-MfV*Y zrTup|64;d`B_#nxVMePQM)C5TQKJM+@(s`m@87@g&(o@|tkg&mxcBXqbm5)i;D-x{ z0a26uTX-4ds`B;guojJ1QW7jIL0@J+PjJNtP-5qy8e<^5fl{F}K;Xd?EzZuOxB~Ee zHx0CKsH5+LgXd{!Mg4Xbq0Fk!IiW)ahKEZHD@ktSw^J>;s%SlY_|VE~K1(rt>XWaf zl@$#J^U=2L3oQvV_?8wfnMXu z@wFs1ax{A5-@ovO%ZM+rJNBHeiAg;)Agl{Oatwe4rlP5-DV{+NB^Rg21{#F|D^5vI z-|^E8_$Ll4p&-?QMOu+2!OsG1R8&+C|NRD_w5}Kh)`bpcuj59DFa$WcTHozoRgUAG zU0upg89cY4j|oyad{;^xvST8UpG(SBB>2t@QK; zL8t+ygV0Vep+TPENynm~hu7EECj0uf{tTO$eRP>EENx(`V?!>IO7>;u78G;>VfXjz zC@Qi8>dVS9-^M2+qQo8zjE+JbG-;#Z*2OTD0IT08Cz-x3;e`;8>Fu-2%0Bw?gd8|h zNKjB!Q`1K1rIkKGkgj~3q7*2jG*L$o?Ug%iY)?uW4MfDF z^ETdu3Mt3)!`6SsFv|u`ba$_U5{7f<<>7fefXHEX#A_ddKwlm#1Y`g_1aOE{_d}3o z7V%>?S=s5)(Y?t!Zzm_G&CSh%f{g>zYdQhlJy3=#3kwS~Gth^gzb9&7;uYKlD5FyN0--X~? zt}ZP6gUVG^S95W3;o91osf|#(G$G#aw*Iaeojn@|cnq5{uJ;@K{5fbf3W;Y7`GDKp zS<-QL--g%D^WI5(@j}5KVR_Mn!FF_XkP&4!G{^`D2=MUOEq>2BJ*RYfW5x3_na~(a zR8(1og=tAiSKWWzEa%0O<0pSJbKl9yw8qUEY(-7Y9`L`N2m@4`rIe^kJGY@BaO{I! 
zOU@0TTUc_Yr8WWX(eXC3Xxb4-Fc8FmXyo)lp{EOTj*`_?RabZS_SVoTsEAb47O6s|`lvM^9eK5^!PZ`6>=x^)lTG`m#@RC5d zWop)4m2TWP#bGV2_1}|qrymISCstNbX&)*!;<}llee0H>>klQkyZQV0xtWp1M~#`8 znURsI^72jZ?|o_KCk~QVGL0)(9j{*ho}~x}`0gFLB!O72b6!XsXht(bvel-d)TE9m z9~HFIVdk>Cx0fO5+1cIAcjbzfx_b1g8-j_McZg-bczU%=OkiOu&hhv@eAw07{R3DT zJ`4CPm!x)de6XJT*9(k`rH983q#lqhD2ad*P7!xyOYX|m=1xdR7#bRS#;a;% zR0p|`+W~QoHej_0IDk=W?xN41dvxsnTGr_bXrNN# z8X<5zJfDVV1^^o#odiOl5cRkPEAAq<@2r;HD^n(KZ(mSZd9`h1aIo_AYsAvnzyL5a zQqc61kE?^q_$feqEywZP91& z!-m|lwdIO#^*i|M2&NHo1O;v}vFh5|RG-S+TtZgeyLVI4(_<*zU_7_BmLKR#i+!l5 z*xuN1@%Hw1b9=T!jIw$>gNccdptumXu(HC)z>xatRV?Kt9-dqJ`gCRIkGK6)_>&=z zAzZ0*JoVf_uI>w8Tie>8ZhAtQNc_#O6u4ki&YL&q&Yin$XlQ6^>g4SF=xJbai7G#o(Srm6b`WZbaA66f9zgM@L{FKr&y5INJyLWDSg6OA@a>TPQdi@=bYu zc#{^qDJkjXUvAhGapX**dt?{DOnW;^9ZBmw2ZzIrS;d_No(&~`tc05t=oX_Y2iCgU zCcI$99{~2$R8;a_=SiX?;vmFfmhy1{lWOL_NjQ3*oP-j4ZsF%oLN4R8H2ldA!2hg{ z3bS1SXC}}l!r(YuVlp)~1?iBm@bgs$VnQ@UBpA)$@ob93&`^ROUlo&vEH#n({NffAusguSSN4eDeEa-xN%Ele2$f;?t*3Sk|24;((2r zCcFN(^b8E=^u^Yu8#8@6%hJ*qRhbEqRxaKq*OTJ_(X`98PybhDy1ck3AS&7ba#&5R z6B>d_0pu6REUr|Y9lIHyRvb%ho&sFpKv$L~1_?2&4S-%UW1ZQw=^7X>@Q)rnN zSIlB5Q$-!e)*Dawmq<{%?J zS1%cYL%V)@wU#y>M^WC^(>s4SC7XH;QIXftd0tY&ub=|4WP3aMk6;UMjaXU_usPk1 zn%C+G6*V<`t+ZWc0kOfESd%(0$LWSsi;ZTL$z*0?ngokftnrPQ{U6CIH!_v^pFgkX z^-Ewijg7IJ(yJ0JFxUUhiLV77if>vu$816x4D#}NHP@f#M`1-|df;^pjf@t)W^^rV z!yMc6q~;ck)mMQP0cW9f{rbHaU^oUWc4DO@A`fe1Xvlf-qDq4ca@;&Uo%v;UetsUT z(%aXsS!84y7ATD%r|jrB!`fm~aT-{SjNCOcx@OmRk%@_EU_9RVyQx>ZnhQ%Pq^hbD zho*8H^YRw*0NvwHXG57axbK2#f!HaW!-y9N5EebX{%&jth=^Pqf-yMFl^L|TX&_y& zfNe`iOVsKUVUK@Z?w^^<^m%QUT{*Sj)#YbH*emIn418(lF`LTMCp8rq`43aESGUF=Ub%uhP>eitF?9?GzR9Gc@TAUno^4QwfRaqVStrTYrM5 z276RfQv=?mpr~lIl0Hm<)q+Dz%)9@sM*WSO9v&V*0N*;^I)%pZbgpl27H+Rhod5ciim?J-q%RlXI-FKZ13HZPgmpm zfw^aAm%p(E((p9jfYb^^nW5pOQ7zK;XaB=zK}FTav*FAWlamL2NjI{oNCD=7s4j&F*Kr7giMb{2j~MRSYBS< zj2u!71HPg0YGO! 
z*}eQPDrIhF(+B)oR#q0Mxp%l*pPiJj>@=p(01z5LU;+M^LAU=+2uZgqcPdDdgZ+IQ zTU*E#{6CaMMX9N%sK9!CeQOr8gE9kS-d9$7?kx7Av);YqmdTvX{DxRvAP9fs>g~P0 zxai{L1rZ}3E$NZ3PH+SC6)~6~Lc&NHlHDa78qQ>Gb(IfXNowjl-Q|TxY%I~{Zn|$& z(y>hG@SqQNzVlxUWa$C*!*BXY#p^t>Lrg$?W_e`=vJWYkTQHUhCZxy_D%>)+0Q5BI zDpAoYh~B=;eqZtc<@{QfMLb7ITnN4t>+D3KP*!w=aFH-&)@$Ld~oR8Twks_oGe$J9I}7r>s-7zN!V%n09X$NZVI!7@`2Qz zrzMhWggr#M_{T6^qh$r>tm1VG*`X!~*FA$%4hWF;kPJ!>o?$^zF~>2>J{i|TBnX@2 z832O8kChi9r$zZ6b|DYO|KF7J|30a6nVb6~s0WaheAd&}Udi;wp!ICsf-Zd!73vPST#n3n<#rbm{(VdEV{+Tc`u$&iJpHOJ6WCj7dfA)fUb$T5 z^U9^y^3R+UO~_;pS`yQo87sc9?Jnnw+l}SC>{0Q;VeXfzZ?v{uPM)55G_jqvj$>wr zfl;VZtJ*?|sa+?&W-QGAU-{xjhQ!Msk9)bhQl2z!`Fdkfw?N*D#BP73G>J)`ZCg|( z{MqT&M(`@*xrERIgr&D*f3&;IWF zl*_L7OrIX@y>0PuTJv?w3$xe0-Zbk?SlqA9<>q!)?l-xt-n{16&sTkZ6E}CD1B2p! c?%)u|AQ#Ut1yel(PR1-b28K!&V3}eK0E8FKUjP6A 
diff --git a/doc/guide/admin/config_x500ref.gif b/doc/guide/admin/config_x500ref.gif deleted file mode 100644 index c986d865e14689a034b9f684e3854a09c9c16b8a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2395 zcmeH@`9Bj10Klg_XGxCUBZL=bq^Ege#6!(kujd*$Hdn)pk=$}b8gn%=N5)LdopbJ- z%N2R%+9q?8^m#>z#NO-gczu8Tet-L#TR`>n-H!mNfDeHG-~o6%r2~FG0N?~b^Sk(7 z@ZSTE_wD52ck_cE2mWUVgm{3Tgydj#l->j(Ns!A>U2#8NT=GONte(n9`2~zh9jY%G z%uqBV$PL$f#AN|(D_w>g)nBZMw?iMW|3u8lfi(3@q#Bf8d4<*GMmQeB$VdQv($>t(nMparF zCwta>!A;0$(;crKleC!frfb#{D|9ZzEf6TiQY0Ac0Dlcv)|y?mlK>qMGv=?cva?|~ z)Yr`H*myLFk4;yx0PpOt1sP)Wy|BIwVXFC?HNp~EK`(^Wyn{${>v5qA2e%8w{}u+O z#i;80m_@yq+aM?7Smo5jkuV@NOH0b@nZ-3wX_=)~r3{U1zco>stDp`tqof}c6(I}r zbE?j!@qq8D(S0CdjsKDprPic$qzc!)Af;*DFXFt7Y*NK8)e9c@mJtK#k=%lD`=2!{ zN<}OSVB_|13N1at0Mw$L3|DF`ip1vGED~vR?L%Fn@_GGK=cn!4eY%%BlGotK%Jp_f z(31g_UO@Qq-plhec3-|y)Ad^R1-y6%kl8!fR`w4zLw7rnbPX|`<1A{#s&SVqkqZds z?Va=Kk&1uC8j#FE?>gL}b81ocm#V>i^?h=UuP#>v?~a)-yU-@gB>g`z#kYKj&&V@Q znj{)gbLVmNm7{{eK@a($bn7VKVw)RSRQkysxIdjRi@-Fq!%Xx)6RU!vTZ(%KJe5mt z#>D&-8c^p`FD$AE8?`P?O%n913H{BrHy#-r>)G#lb!@MVqtn&9WA7L3$n(rSKAZd{FL4F6m>rmd{6?@7eXaIUr{j%5N{hxn zrT4Air+?qEgclt;FgpA_zwl#?m1cxR+S(69NEcr0bFyj`4x2gxw7;#4av?`b9`LVk z_Z={?2}icl?^Y!{0Sh#b9$_+HQE9b+4emjKh9du8jBep&9PZpy;R$dOMB=Vhq{27K z2Qjt2vtG|0s$NtQF>f{9x2Q`@k1yUw0sF0{ts-yJG=vcl(8%oCe7{}5+757&7Or&v!CXH4L`>~(|P1Ffjsgn4!AhzlHTD3+Vz zMCx1CxQT1iFL}tLAf09U|=eHAVdFMr>CPv1wySfyXfeqtPWFccHu3! zU=+THoE4lUnA+aB3Ry6D?KFdB`(yQ@*JAm7%bEr7d3Xj|D`a&XsT*3;v%27-rs2S_ znQ0({{6I`8tH%vN#>jzp=w9{f)sGMeuzw9ya0G_FqQGpXAZ1m$e;I=A(4+TCYEU15 kF1pKmDvY(f!x-mg9n~BPrqkZnHp`A~^$|6FS_ok9FCZr}m;e9( diff --git a/doc/guide/admin/dbtools.sdf b/doc/guide/admin/dbtools.sdf index 3de7710d30..61b2aec692 100644 --- a/doc/guide/admin/dbtools.sdf +++ b/doc/guide/admin/dbtools.sdf 
@@ -18,7 +18,7 @@ special utilities provided with slapd. This method is best if you have many thousands of entries to create, which would take an unacceptably long time using the LDAP method, or if you want to ensure the database is not accessed while it is being created. Note -that not all database types support these utilitites. +that not all database types support these utilities. H2: Creating a database over LDAP diff --git a/doc/guide/admin/guide.book b/doc/guide/admin/guide.book new file mode 100644 index 0000000000..200a227edd --- /dev/null +++ b/doc/guide/admin/guide.book @@ -0,0 +1,3 @@ +#HTMLDOC 1.8.27 +-t pdf14 -f "OpenLDAP-Admin-Guide.pdf" --book --toclevels 3 --no-numbered --toctitle "Table of Contents" --title --titleimage "../images/LDAPwww.gif" --linkstyle plain --size Universal --left 1.00in --right 0.50in --top 0.50in --bottom 0.50in --header .t. --header1 ... --footer ..1 --nup 1 --tocheader .t. --tocfooter ..i --duplex --portrait --color --no-pscommands --no-xrxcomments --compression=1 --jpeg=0 --fontsize 11.0 --fontspacing 1.2 --headingfont Helvetica --bodyfont Times --headfootsize 11.0 --headfootfont Helvetica --charset iso-8859-1 --links --embedfonts --pagemode outline --pagelayout single --firstpage p1 --pageeffect none --pageduration 10 --effectduration 1.0 --no-encryption --permissions all --owner-password "" --user-password "" --browserwidth 680 --no-strict --no-overflow +admin.html diff --git a/doc/guide/admin/install.sdf b/doc/guide/admin/install.sdf index 18e113f529..1d4e7b5ab0 100644 --- a/doc/guide/admin/install.sdf +++ b/doc/guide/admin/install.sdf 
@@ -21,7 +21,7 @@ directly from the project's {{TERM:FTP}} service at The project makes available two series of packages for {{general use}}. The project makes {{releases}} as new features and bug fixes -come available. Though the project takes steps to improve stablity +come available. Though the project takes steps to improve stability of these releases, it is common for problems to arise only after {{release}}. The {{stable}} release is the latest {{release}} which has demonstrated stability through general use. @@ -63,16 +63,18 @@ installation instructions provided with it. H3: {{TERM[expand]TLS}} -OpenLDAP clients and servers require installation of {{PRD:OpenSSL}} +OpenLDAP clients and servers require installation of either {{PRD:OpenSSL}} +or {{PRD:GnuTLS}} {{TERM:TLS}} libraries to provide {{TERM[expand]TLS}} services. Though some operating systems may provide these libraries as part of the -base system or as an optional software component, OpenSSL often -requires separate installation. +base system or as an optional software component, OpenSSL and GnuTLS often +require separate installation. OpenSSL is available from {{URL: http://www.openssl.org/}}. +GnuTLS is available from {{URL: http://www.gnu.org/software/gnutls/}}. OpenLDAP Software will not be fully LDAPv3 compliant unless OpenLDAP's -{{EX:configure}} detects a usable OpenSSL installation. +{{EX:configure}} detects a usable TLS library. H3: {{TERM[expand]SASL}} diff --git a/doc/guide/admin/intro.sdf b/doc/guide/admin/intro.sdf index 8d40e9d724..fe8f23bb09 100644 --- a/doc/guide/admin/intro.sdf +++ b/doc/guide/admin/intro.sdf 
@@ -57,8 +57,8 @@ support browsing and searching. While some consider the Internet {{TERM[expand]DNS}} (DNS) is an example of a globally distributed directory service, DNS is not -browsable nor searchable. It is more properly described as a -globaly distributed {{lookup}} service. +browseable nor searchable. It is more properly described as a +globally distributed {{lookup}} service. H2: What is LDAP? @@ -96,7 +96,7 @@ units, people, printers, documents, or just about anything else you can think of. Figure 1.1 shows an example LDAP directory tree using traditional naming. -!import "intro_tree.gif"; align="center"; \ +!import "intro_tree.png"; align="center"; \ title="LDAP directory tree (traditional naming)" FT[align="Center"] Figure 1.1: LDAP directory tree (traditional naming) @@ -106,7 +106,7 @@ for directory services to be located using the {{DNS}}. Figure 1.2 shows an example LDAP directory tree using domain-based naming. -!import "intro_dctree.gif"; align="center"; \ +!import "intro_dctree.png"; align="center"; \ title="LDAP directory tree (Internet naming)" FT[align="Center"] Figure 1.2: LDAP directory tree (Internet naming) @@ -154,6 +154,12 @@ LDAP also supports data security (integrity and confidentiality) services. +H2: When should I use LDAP? + + +H2: When should I not use LDAP? + + H2: How does LDAP work? LDAP utilizes a {{client-server model}}. One or more LDAP servers 
@@ -205,22 +211,127 @@ H2: What is the difference between LDAPv2 and LDAPv3? LDAPv3 was developed in the late 1990's to replace LDAPv2. LDAPv3 adds the following features to LDAP: - - Strong authentication and data security services via {{TERM:SASL}} - - Certificate authentication and data security services via {{TERM:TLS}} (SSL) - - Internationalization through the use of Unicode - - Referrals and Continuations - - Schema Discovery - - Extensibility (controls, extended operations, and more) + * Strong authentication and data security services via {{TERM:SASL}} + * Certificate authentication and data security services via {{TERM:TLS}} (SSL) + * Internationalization through the use of Unicode + * Referrals and Continuations + * Schema Discovery + * Extensibility (controls, extended operations, and more) LDAPv2 is historic ({{REF:RFC3494}}). As most {{so-called}} LDAPv2 implementations (including {{slapd}}(8)) do not conform to the -LDAPv2 technical specification, interoperatibility amongst +LDAPv2 technical specification, interoperability amongst implementations claiming LDAPv2 support is limited. As LDAPv2 differs significantly from LDAPv3, deploying both LDAPv2 and LDAPv3 simultaneously is quite problematic. LDAPv2 should be avoided. LDAPv2 is disabled by default. +H2: LDAP vs RDBMS + +This question is raised many times, in different forms. The most common, +however, is: {{Why doesn't OpenLDAP drop Berkeley DB and use a relational +database management system (RDBMS) instead?}} In general, expecting that the +sophisticated algorithms implemented by commercial-grade RDBMS would make +{{OpenLDAP}} be faster or somehow better and, at the same time, permitting +sharing of data with other applications. + +The short answer is that use of an embedded database and custom indexing system +allows OpenLDAP to provide greater performance and scalability without loss of +reliability. 
 OpenLDAP, since release 2.1, in its main storage-oriented backends
+(back-bdb and, since 2.2, back-hdb) uses Berkeley DB concurrent / transactional
+database software. This is the same software used by leading commercial
+directory software.
+
+Now for the long answer. We are all confronted all the time with the choice
+RDBMSes vs. directories. It is a hard choice and no simple answer exists.
+
+It is tempting to think that having a RDBMS backend to the directory solves all
+problems. However, it is a pig. This is because the data models are very
+different. Representing directory data with a relational database is going to
+require splitting data into multiple tables.
+
+Think for a moment about the person objectclass. Its definition requires
+attribute types objectclass, sn and cn and allows attribute types userPassword,
+telephoneNumber, seeAlso and description. All of these attributes are multivalued,
+so a normalization requires putting each attribute type in a separate table.
+
+Now you have to decide on appropriate keys for those tables. The primary key
+might be a combination of the DN, but this becomes rather inefficient on most
+database implementations.
+
+The big problem now is that accessing data from one entry requires seeking on
+different disk areas. On some applications this may be OK but in many
+applications performance suffers.
+
+The only attribute types that can be put in the main table entry are those that
+are mandatory and single-value. You may add also the optional single-valued
+attributes and set them to NULL or something if not present.
+
+But wait, the entry can have multiple objectclasses and they are organized in
+an inheritance hierarchy. An entry of objectclass organizationalPerson now has
+the attributes from person plus a few others and some formerly optional attribute
+types are now mandatory.
+
+What to do? Should we have different tables for the different objectclasses?
+This way the person would have an entry on the person table, another on
+organizationalPerson, etc. Or should we get rid of person and put everything on
+the second table?
+
+But what do we do with a filter like (cn=*) where cn is an attribute type that
+appears in many, many objectclasses. Should we search all possible tables for
+matching entries? Not very attractive.
+
+Once this point is reached, three approaches come to mind. One is to do full
+normalization so that each attribute type, no matter what, has its own separate
+table. The simplistic approach where the DN is part of the primary key is
+extremely wasteful, and calls for an approach where the entry has a unique
+numeric id that is used instead for the keys and a main table that maps DNs to
+ids. The approach, anyway, is very inefficient when several attribute types from
+one or more entries are requested. Such a database, though cumbersomely,
+can be managed from SQL applications.
+
+The second approach is to put the whole entry as a blob in a table shared by all
+entries regardless of the objectclass and have additional tables that act as
+indices for the first table. Index tables are not database indices, but are
+fully managed by the LDAP server-side implementation. However, the database
+becomes unusable from SQL. And, thus, a fully fledged database system provides
+little or no advantage. The full generality of the database is unneeded.
+Much better to use something light and fast, like Berkeley DB.
+
+A completely different way to see this is to give up any hopes of implementing
+the directory data model. In this case, LDAP is used as an access protocol to
+data that provides only superficially the directory data model. For instance,
+it may be read only or, where updates are allowed, restrictions are applied,
+such as making single-value attribute types that would allow for multiple values.
+Or the impossibility to add new objectclasses to an existing entry or remove
+one of those present.
The restrictions span the range from allowed restrictions +(that might be elsewhere the result of access control) to outright violations of +the data model. It can be, however, a method to provide LDAP access to preexisting +data that is used by other applications. But in the understanding that we don't +really have a "directory". + +Existing commercial LDAP server implementations that use a relational database +are either from the first kind or the third. I don't know of any implementation +that uses a relational database to do inefficiently what BDB does efficiently. +For those who are interested in "third way" (exposing EXISTING data from RDBMS +as LDAP tree, having some limitations compared to classic LDAP model, but making +it possible to interoperate between LDAP and SQL applications): + +OpenLDAP includes back-sql - the backend that makes it possible. It uses ODBC + +additional metainformation about translating LDAP queries to SQL queries in your +RDBMS schema, providing different levels of access - from read-only to full +access depending on RDBMS you use, and your schema. + +For more information on concept and limitations, see {{slapd-sql}}(5) man page, +or the {{SECT: Backends}} section. There are also several examples for several +RDBMSes in {{F:back-sql/rdbms_depend/*}} subdirectories. + +TO REFERENCE: + +http://blogs.sun.com/treydrake/entry/ldap_vs_relational_database +http://blogs.sun.com/treydrake/entry/ldap_vs_relational_database_part + H2: What is slapd and what can it do? {{slapd}}(8) is an LDAP directory server that runs on many different 
@@ -243,7 +354,7 @@ SASL}} software which supports a number of mechanisms including {{B:{{TERM[expand]TLS}}}}: {{slapd}} supports certificate-based authentication and data security (integrity and confidentiality) services through the use of TLS (or SSL). {{slapd}}'s TLS -implementation utilizes {{PRD:OpenSSL}} software. +implementation can utilize either {{PRD:OpenSSL}} or {{PRD:GnuTLS}} software. {{B:Topology control}}: {{slapd}} can be configured to restrict access at the socket layer based upon network topology information. @@ -283,8 +394,7 @@ well-defined {{TERM:C}} {{TERM:API}}, you can write your own customized modules which extend {{slapd}} in numerous ways. Also, a number of {{programmable database}} modules are provided. These allow you to expose external data sources to {{slapd}} using popular -programming languages ({{PRD:Perl}}, {{shell}}, {{TERM:SQL}}, and -{{PRD:TCL}}). +programming languages ({{PRD:Perl}}, {{shell}}, and {{TERM:SQL}}. {{B:Threads}}: {{slapd}} is threaded for high performance. A single multi-threaded {{slapd}} process handles all incoming requests using @@ -294,8 +404,10 @@ required while providing high performance. {{B:Replication}}: {{slapd}} can be configured to maintain shadow copies of directory information. This {{single-master/multiple-slave}} replication scheme is vital in high-volume environments where a -single {{slapd}} just doesn't provide the necessary availability -or reliability. {{slapd}} includes support for {{LDAP Sync}}-based +single {{slapd}} installation just doesn't provide the necessary availability +or reliability. For extremely demanding environments where a +single point of failure is not acceptable, {{multi-master}} replication +is also available. {{slapd}} includes support for {{LDAP Sync}}-based replication. {{B:Proxy Cache}}: {{slapd}} can be configured as a caching 
@@ -304,5 +416,7 @@ LDAP proxy service. {{B:Configuration}}: {{slapd}} is highly configurable through a single configuration file which allows you to change just about everything you'd ever want to change. Configuration options have -reasonable defaults, making your job much easier. +reasonable defaults, making your job much easier. Configuration can +also be performed dynamically using LDAP itself, which greatly +improves manageability. 
diff --git a/doc/guide/admin/intro_dctree.gif b/doc/guide/admin/intro_dctree.gif deleted file mode 100644 index 5be4b171ac5a28e3b4e279aba0f0025b8b6815b9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6054 zcmZ{I2T&AI)9t7jQ85B4;E;oWs3=Kb5Xm_wfhA{@xL|-0$siz0j)TAwMI=ic1SBWP zNfsnY&L}GUvtNDn>b+O*-KwqG?d{v$=bSrTbz4SGT2RP@=cwV4y+Z(7@P9t=e;zRQ z3x-i_jibc2bqEA-AOM2^0s<%qkU#){01yHo2*5!A3;_rPpb$WU000MoH~_){I2-`u z00al1IDmu$uy`O0Krn!VvA_TV11JoTuv`cLA^?N{I0S$Z06_p00Z0e{pa6&h5DMT> z07d}>1yB?qp#VSvKoS6v02~Q`NdQ6uP!d2Q0RRAjV!ISGW2w?ZTU!m0#82m&D- z2*DtPfDj5oBoM-UF*CMs5ClUI0zoJQk+1+b2*i=CI2;7yAOr`YIEaLUFpwZjcE!OE z3_}PEp)f>(Aq+W)koV&d2u2_Tflve@ArM9fh?0ZiPzXjL1cgu(BB2n*5lDitOgIt* zlOTiyp(Kbzf&enRSU4C*rUypIpkWdKW2}K7IX4c3VGu?@7zJSx2m@p^2!Y~PjF(p6*#_-@U69OX$j3O`z zfiZbN6vjZ}Fh3MVP#8sF5(;CQfg~71j>9&SV1xvtB$z~k0rI)P;9+WGPMC(6T$nOs z6+w{91r8)fL_ib;Q4)xWgXusf2nUhVAY^(lCdhh&I5KNE962|FLs1+`!eL}!xG{(r z8gfAhjG{1>nS3%pgv>7vAyTasKcu``iH@1QTJIIBAqdUJ+ezQkPNHBUIT zVOvQ~UzTdR{!Gx79Q7RCV%v$f(xv7+t&=`G@@4rW#nu7ptf$-^M$4c5XiFBkKQ)}} zy0tjbzL!7dgU6p(Rj4SOYT!E=qLoei=|^(}v-sZ^g?B7kVlV!hj!W}lXK*Lf@b z>vf_)yeX(Xl4OsqT9JIthQ(g?IVa6w;(l8D!6mQDmczz=S=TbB0?wH(AZm0z)~0r> zqkiha>}A>Ufj2%?M27MXw&echn$yw*f{uH$*Mj_ZLMve=V~pax$p`vyb6`JjZC$CKcAhUVs!n6MuKT2bEc5+@!YHc z_gn@|Vr0Tp_U+8J3wcL(jvQ>OkRYGq=NKNxsZKreKSwX-ORF~hIQS~%(ZV>jA5CxR zIZd}|)n{ZQS(Q>A$E(lE`+%2^K5PAE-Vwxaao*Q+%S%04x89zLsWOmhb2GimSO$b`rPOndYdz!U?+y}H~7~qTHJ*GL=TtoSRpUP z!@t{oc4@D>r}e`B$@NbI15pl>UzIkqM(cy|4JXcRl#gXJTpbcq?*FAR8gPH!pTSVr zXwvfBv2a5@L7C;S5$C$Fqyx9!+4DE?sVPP^Y9mE7tAk6)t~MK1W8zPhpI6my4(FBe zE{o;t6T<8E2POIH<4?FOvWEtzch~I$9UQf>*D1n3oC;}QzqidF+VbeaR(n|8xx{o; ziK{x?dG{}_2(OF$dr6RM+!M@rCv?o^NvH7E!Shd&TjqZwq?p6)Ihv?$vYaiA4RcX% zy}>Gn z!V@K$8gBVfQmUdXt{GY?eg~ym6CB9{-}KFzcKUVnu3l9>j#uK>F$t%L8B$T<(iR%> zw{Y(<4+&izv2u$n)3a;O*VZ{(y?u7OJv{hqG*#U%Gpmr2oEtav?V z{C5wvA{wJta!s*@p1n$V)ruKjdkryy?X}OoFOxU1i}1fxj$eX)ajWHvZoyW2 
zeutPm$EsD%_OH7u)lHgZRZpilwzpN$S++IiFaKf$*F(wi0HX^u;FZ@Mgj%dlq-eGs>!{y5J{Qk-BUne}8MT^e&7MtBo_JO&Ka_74>&Np4bjT`o>8tr* z0Io&Wy`T)Z{t)l@Hrkeiy^^2W%?(gki7BLG`g9LB+iP%)l0?{19`7wgTItE7KeH{Xyg4yIp}J(BX(RQ}EeQ z>(l_>%u{COcXk69!=%bunBGcL+pt7}!KcjaIHs*F-pY*58H5`c=`j4dOHRc`(In*OPUXrw?EM+{ggH3e|2k(9?%b>kgmW@e3p_O}2Mre^EE~Tqa1#5N&hQjCILSK@iNbbyNT2^7 z_M)%P6%q+ndeUu`%X8K#<*IY1hQdg>`gR}6O+yG}4QzJVHG7c?OXYPj27KAwMZZB{ z`N8sfrJ}nCUqJLXg~IHCGa?1GmKz36MZjfy_R{I=5A#Z@*n$g-m_?e_8~6n1oSF#K z+Ab(ZRw!F8UGeOl)O&S)1^$n|iWC-hEDB~dRi{+j25r^QZS}9@>hec*ujVg=Fb4db zi4gr$ty#fSv%kGtmAAvFlx^uZdWn6n|4ZVcs6WFCI4X&M_eD3|;%&2lM z%PJ%#(pBKQ@W7`!vFX>%4*pXs1xp3^)kL3pkua1>xq3Z#!$`oph248^vqNLP5Slxd{T1)b zWWwp`nYLwv&E*K}YDCS`pt(ZqZIiE2LIg{tL;xC|l{D$-Q4MRgJneAhfy!t*osY)#{#S1mE@~BX7Kdq7#W)z0Kb=w+6&W%gt-x>0 z4OGQG?JIKa99){i6QWa>Qq%Hg_86t|WQy0n<;JNSv!at;-iK%n zVId>X`A;``?A?!W?jU{j3-u=%qdFuK*g|{0Q2x%1cyv~1neTHp|F&x5#jG>EY?tK} z)tXXOA38PBnDiIqQJdxWO8Z&Ut$n5U%;#)Q@>*7Fx%h^{xrO;1cXkUBX|LYGiud`} z%GpG?E6?>wu~$B&tm9kzbmh!u`<g_qF6jz#sNnH>^YpwCN?QcBBlCgoX~O7`pw`ne=~~qpSUf=hOk> zee~p|zb6s!i|-klyY>s~jE#Yp*wr6<6f%7crM+#tys(ij5y2!A$!)V~E)jO=NTH_Z zH&&@QdXu&&p&m=ABo6$g{`g`G1%jBsCU@I~1*|#a*_1|He#%GjUw+_F*~6t7uFI&* z`uYC!Q2yi8V4ikYQ=Q^74bG*qr5~irY;U%S?z@{$_&Xb;Oo{nvE60~YY`AJW#sE$GAs)++3?b%Kx#yPF-5->U-G0TF zYK*9`dWX@|+D|r_`w4vS=>0S~(j0Kp*l4`Oa-l2PYJ6#o&22V3b)I)+;)ToT!HAUp zp`ekl`e^Gp7w?qhef*@^)ccfkqUFy08}D4Q##0VoO*lNjy%1{MOY~YjM?>fGOGp;+ z2BQNIpGCu+QLn?}6(%oFs#_a8+r3H~?@vF-67NA3rmN?AwK8tV_vO@;v_MSNk&Ztn1uTJptVAZPjVkQHvP2vX33>V!-ql}H> zjQlNx-I+a~y9KdXOCCLKY93@Eo0$}~Gsmd!Gf+;77QfDkOMP7VdxiiVoMy0ZbUF=i zz7^ijPB*9xG7BciEc4_%#&$(YI zf3ck@$YnZ#yjp*q$QrI|v}l_p<+;yYGWw;BrF=iSJp~D@b-i4@?#OCUGDxhLu2v|h z;wgHvBi&~bm$|qSEuc(HOlJBPpWi^eN5dDlQrrKr?qrqrMy2G0=Z&Dnc&^bZ@Z_I0 zI|){)xt5m+75Z6p%t@e1;;Ma=vT*vWbBnmbAD#BcZx)Mtl^QssI+dT=ZFabF8kY3y zB}8uzq~1-wKdi4%;XEwMl}|J>G~?MBlFa*OKV~67Up_9)E|i}Ar0(1S=Y(5U&0f0~ zrO^b*Z|}@t(7mG!AE#7*)_7#URrtO!6D^}OR6!IwFU0vurS|u9ih)?{LOOwADBgLu z(UU}^Yd!d_;yQSnx9S=m@r 
zOLT~zc{PDZhP~Q;?{@pwik-0Kzn#hX$6hmY0i8Abo!aaNCJO?SVmh06W%03JAH#+J z@{D-b9USByMV($(xWNG41ZXAuh|1JcI zJ)F8g$bK9$&gUcKyL#j@6!&WURai>7AiKigkQ@_N3`ZI?#y>_pKF-7`Xm*Cg? zO!=X9E=-&KEnkJ6x4f-tPorOxZ5DOs3!l|^fAg@VS;97gPc+IDJR;j7bz)smdYq{c z;gFG5|K^ljG|e(gEqBkdC^BVv#2R8NVRXEtpZu4FD~&os-960SjN;6sbbOm0^{Qh5 z9ZRQmj>1T?b8PM3%oUik!zA}(Y~w?=yO*OoEW9YdgF}k*EV?};3E$IKdCiA=rX&L| zvMOi%qJpGCuibZ?8Secd6Tv7I#-jIaMlS05ZKCn4rQDcLQ@hd=28AvaZsPeuwXI^yrM zM^}$*&6hs==T0q~z-Qf`b1Xc}x-!jf;FAU3;@riuFJr}SYv1KuGy7U-^iB%UKFnHg zc^V|r(K+^ei)gH%aQokwhjU1Cj!L(fYSrFQPt!s8;m^dXrgF;Hsq?iAH4d8_vqSuc z-^KpCS*qxu3bYLcxo2C8rCXiFYT*9rnzVD6j>zCUF@r(z+0uc_K2qDic1Gc_Rf}~dg$^q#RsLKXO#qd zuiR~Vu=HfJQ*i5{M$4_0?LHx3`--OW-vfTvCg`LVf2SCg+m+JCG+HISGPgRp)#cbr zUHg9Xb!uuTOTOyrQ<1p3qd6kWqopdZ=63bAmVl1Mj+VYah}PgkgAZ;)C5}z^b&TFP zbPO3!^=s*xmot?OixS+Z3oYXBZw*`JS*VXH=9Fqb_svbcQ8`F{<2$XAn)FHinE>=BOAD_&GgXY!QChCOM61vv86 zM4MGB&-%7Io$#jJNV(F)mt=+V0>dn;KH|Wcl8o^xcLxR56V*LO+5W3>H~DT zYhP(@JU2@fpn6#IB5rqWX_D$wSnZ|tmPMr0x<`@6^|{;Zh<+=*C%{(biy3zbSY zPxBb<^TV_8jP=*%l8S$7#w2x^WF^{K_x$2Qy3-NQ z>_iz`JNkmO+^T2DZY_Ts5f9Iqn6LW2!8r{{L%jAnq*;~y1P++_CA#FN1 zx1f6Qxh$r~NzQ5o5_s@Mhj;pQ@InVR`dcR)J=VLwJafSxE477V_2?PSeQ9Z5G1OiDG z{%1)|itm^oKTCnzD`CN-|}g-#S|jMRrjWKJSdy2v}XX z5EQg=_e55ACxtZ)hhY!l@XGp%v!tXXZM4nBi`oT-zh}P4xP6tcOd~aHi}ocYNI8D_ z^5y5xpTY*&)O2*yb927FzHH3QQc_YLetu<-9_c745l-Y6lFSr8c+k<=>DGJqM9}Y< zqbE)rI(#^WN6*-Jd11IEIyyQ&KHh7*)5ph0TvAe3$%wFz_&Wv9p80P4o;5KsIetsx z-RswnD=MZwSkHWZJU2I|t*x!2ql52T*7~}JhN_6(BNZWKWw7>n`0%0bHO_;F51X7l zD=8x4;q5&(vc5fdjy5`?$+}c>ZEelc(vpsj4!=1yG2!Uynvedbanap`Hhc{JJ_kaxy?Ow{$%s`^NFm(HMO;prsX^b53&r~k)#tu_cX@0 z+bw;o^?UmC>G9*oWu&DyH#fDkwANj}+)vh_i)?BPk#%>U4-Y5U+KztyZ0g~e_vA`E zWqJ1Ms((nx)_7Omt5>hiKleVWqhp^zGOS{b5AZHa4r{^B&wo^4htX*YQ-*3T25a8k zyLVGDag7ZRD+DZ!El>9DHq+A7936d?Y-3|X|EMrOp9kwMEc~jaWi&7B?*$JzHf#3$ zWXkfWvhxj(ENb4rd-rZ&U}JWmiaz}bZ}-QK*Af$h|854Dn55smYpje)F-@w& zRq9B16S}qjV`}QTO>6vz`)3^-9L|}V(qCFEn6)eY=O3$DU-3hSp8oUCvE#?z4i0k1 zwlMHAHeSL48uotu8oV&n^yP`e^wiYP@o^=2d3x`}y!rxh3ia-naXU3NG*m*?wRo7l 
zy}e(&c=300O{UV2kU(H%P$S_=Rt;IN%+39tanP2QmiFt{udA!8-N)=VR~P^O{fisN z$HymQ-|@M|%i+u!R`b_{7IM)&QiXZ~@3CB1{QLLs;|0b>NBIQ=WV6G)AART8b?Ve9 zNy)OpLOvg#m9<~vwbj)(Zrq?(6_aYlr`0iVae46Qk=yCh@3Z9GJ9CueLO1;@Wu{y^ zG7c*F&54PM-aZoaJD&Bx%*;%=saXF}l1Rd%?*yIZTEBTlE@cruz8xGKrT6c@ec3)W zHI=6t#>U2GZ==r_hX` z8%35O_wL>M@$)C+FKbTz)2C09l9Jxe%BriYyCr$vAgD^YQL(XvRO-B~ZBcCOs}}*k z^!4?Ze*JQFb!8EC;CK4|A^@AA-h1+Wj*=hl!QA({;{rQ+3}`19jAg?!6_u38NJ;7G z=>-G@8-mv=F1}^s;^NZ!B;TyGJ0>Qkr>BRBOWA*G{psDiKW`p5OHJOaCq(GRg*9?& z@f}oF4xZ|}cjCkeEXD7or9HS=?GFOSl)}x;&Hd)Thpa6LvL$@z>r)Q;?SeW(Jx*Ar zGnTck7TNU%o4DjeR(fh`>h+1y zA|aupbgzd37srg9;XB)Z@xq12)=i{hY_-8_o|Q5-+7S^EZf^^x1vz=PYFOy{@?u84TV5q|ziMlPd(!sdgU|f;y8Zk2KRDmX<2zl{^S-eZ|M zzkV_VKh-rfG<0@8fJ;7t9!4FJfBW`r*MVndW@h5&o{0$yJG{Ow=;$D8E+Q%#6CEA0 zx%#-EKpiXd>Q%|($1JnOpE*h$i!4#xhFfA!=<5re%(XBy9GaMDx8e_b?9QE(o|veQ zw{UZlU}8$Hudl~Rn;&fGF^Cs`-0R0~{Rm$;&inT5laP3{xfzT$;;X!;^{9Y=KyYv{ zEgc=|f_+zRozL_~{8~}Yt}GH(S6RNa*M4(fGZlR<1q1}>=(OR)YintB8(g|7Ki`+0 zl9Cb|t9$BHDqj1}ogeEf)97J%N7wN9!&5I`y_%k!6ciA6;lIcyCZ?~WLphrmlR)-c zabpKF^XKP2&iKVUckZA{BqhBoIhlvszz}|4PA3&N69+maIeC8Ubs8llrDI78XPVH7 z^~F)D_xwK!6ZC~}Tbs|y2L%OnWyvwkCYrKiX*4chUM$dz{pX*5NXf|9B`mJ`Dt5?T z9(noZ%`vu`*SnlhVi>8ZC+6mU|Ni}~qGF`Ib5iO`eB1Cp_wR>J>B(mYfRrJCmN9rEizGB<83nzJTX{j)0 zSEJqY=g*nART7huPMkdX356)^Z?J=daR1Q)CS%!a8hoj4U#kz|~1(=>LLI%e|=3F+wS3JVJUKyxi9 zC_pvSRpPgfYJd9{rBFpi=E>8iKK+$Wu}s{L%F1+=_IroNx6ypB3zGBt*>V4D*>^OQ zxo@?{jvd3U^lZE*F6!hoiFbJMLKzFAsi}z*JvDWyGHs93kcDv20TGdf-@oxns=xsg zFZ7R^m^{0CmvUCj)IeAF6@ZF_MYR+z4QqGi%$Z7=J-qqJZI46`9LUMeo|&D+pDLl7 z@``VFOQm3ip4Zm0v$6tPh+97Qp6!2%MvEG|LrvROm4SgF=+9h^YS`b7OqpLxOC}G^ z58Y-;BJ*DO^{e*zbF@1N%jbRQ3jO_x{QP9I#VHh`dz2<8Cgiah08mgB&Knw*2mJcU zJGhkwoYiDaO-|}1LvG3}C-(fMq_p?IV_(aQ~1AeRi{!Sqv)Ol(f#{r7#XeVgKH8K6R%zC zEYwc;yY=Th3rlJOyQI0PsS9rLks~?3>aUgVWw^*bR}_uL79G7`M8x8S|G`6tR=V<3 zJ1ptU&+RalO;1Ztf9CR~B2&iUa!1e*e&+`Q?tweCY3E$vJ2C`CchV3u|N z{-UF!17!e(7tO!<3Ba8Gi4%`aT|z_af$*@|hbOTZ%;e~?SU!BwU)bng|2;c^ez=YM zb?Q_P2ti%o$`ralqKoYM&>sqSHpX8+-m(h|ms}og+jk^TR$TmHNlA%&77##@ZZgUd 
z-YXsW&cUZ;@VW>2DxJ~k(@R55WcUL9!+o~$y0GAF*kjr{Q030b$|`C3T=p|X*yid5 zVD8~zb-vUIS!Y+*AH%~(_4T99=N<`S``e6aa?rL-Ie4}F>_!Diqu21fk%l+(bmC&}t z-4zuT*yA)bG`Q!9uUy>Rte$({3l9&kum790SFZHv_19y#CAg-grKLCR?VO6^7sRb@9QNzax1>HYhNZ5_sCA5zvN zL0q#T2nP1N=DBP&9(j5B&;9)%c#M5Qa&qhu`6$n;7d<_tH=|MLB6&(5KfY|}9My0V zjjvJ?*n=~vzaTPCo#xZ63nrDNr6S-ASQb@)?EDCA9%e4pP#0(C`^ClHf95PHYhCnb zo-##XZhxYg04PWd&vaOaz_zl71xEiI2^ z^VmrTfRKLt_>pWYaX3DvWq9aT*h9y}8K2V)C;M(Kn0tD8Io0}9T3+WhuEbr-%*r}< z?wpL(;@h`xfws|!4Q9m|qiQTah2ENa8lRt^zu)Mt;okus6w`&}>T3CZH+Kt*Z1keY zc|V?u7cb&gcI6(~>lyX(rIxmKYh`6+!!x_N^kVvj=%WS(pwR$U3l{zEKhwp}iR2d+ z%wacy8KV$#hKfjMy4c!!Esebn9dABgU0f`%deOr}YLOSBu;3Z$G z-qvrg4c{QDn}mn|{3F_y{P_Li#vgY5nyEAh7d@g}CGdRz8?*M7xn z6nHF6%sfce7b>%?JuD{XGV(I6B{`)AA(#FQ*=Z{dSr=S^9M#f#c z_N=_T(OT;I_3L3tzX3kk*>9nG6bRb7x#eEJZiBrrKkx4Be7r<(bli$+PtLu%x{&TQ zb!Kw)y4-91(}EXE*(aFeUJ4#hC#R%DyYSP^wa>tXn76& z2A0BYL(RiaAV#cBn^R5|p{YT)*xL95kpR6ETe&-TnwpmOdRkg!SY_f17Vw?-?@#M| zKeW$Z*~-W$?YUeZomcH6ocWI*+upuCUi%5m?`T0S!$v*l10eddXFnB)50qhh0i7u_ z{CkJ;c7Lw*b8qmvfZcPqwl)a&!{cmb4V#1o2RC=uaykD!98y4ZGx zOjcgN)~-`2s;t~qA87mL#{LCHm%;mTLwP$& z9ZLh2Cwc$?Qm<|TV?!?BX9;*IucVZx5^_6^1gKb*)bi7nbSN|)o}Lk9-xn4aC;u4J z>^#tqqrvfDPvnlBJD=FS-tq5c4~rA#U&mj)%CTq9`q~V+C!!XR6o1!R3WmUaURxw872Tr<_O=vORlsZ8Q>g7eSg$Ri;t3d>kdOd1CX?$+U*C<`*zw+yllsXW zr*ToJE7uG?4jeeJ>UKCCXi5<^2$9Xolls=QoHr26K~Ga4GC z8ck;EK|xAf$qr-Y4ZP@T_CKhU!sBE1XzBK`?A*C`=}_K;hIbfhW!>}Vw{tZP~b+wHyylo<4nDQExXLG`W4v z&CT+hj5VvcGg$ogR$V<%tLn?6%$5`heg{pt8Dk@3jW0kZEYO4mmC(w^zK#7fW7?w= zo{_&F?DUt*xXz$WfKyO(?&)~NlB>*UG->VM7GpPx*uRb zi;tzJt{I3KHE?W%2@rjPL(YwpGE#jm+(1Jk;^s|OjiyupA|p%7BwWplgoD9XeYXJw zcu}Cl#1aiRhatZl0?DrS{6V`Tb$WXG{y+bK#imkU69JZ@jed_tX&6i!y)^wvvh$JS z-Me?otm-sG^;5o;`iqbaKC)rQ@Ke>OWg+zfi|6=U=XkY3uLb6DmcO)jaG0Vy7{( z=4mHwcIM0q5D>Q9C2X$}gPi^kA6mbb)3J$h{N)(bBMXt0MaNuQUw8XlennqMMsNsX z&w{`5hHp0y^$u26%W97c#>TsP`BnWF)Xtt|57l9D=!K-E&9l>1C19!e;X~I| z+hBgi+3U21*g?Pqld7(1ESZ^^qN1XafsK65ASBpxZca`YZ1nk3OA87XQICY$>@GsW zMfvO#KF(kS-g^D|>5CTyjS6{bmwUSXe!OAjORe^qHhE*nokpT=sITAg=H>xgTU(a8 
z;{il*5)u|S7;W6at<6pQ&g^@4?zFzlc%W};x{5vt@IpaB(Lx{nYV>TG)jlpRoR+Q| zUsIxek5Y*2qK($#+b8eQ*wd0am=;3IX6&0@Mmeke*DD8 z+q-{YAah4jQt_QTuV24rC~+`9eOel%3}8pdK3W8LqaEspot+)z9uDplMRD;H=g)^h zxM&F|=Xd_+!2@F>qoB2=A5x>n#>OK1_cLr~o_3i+kMQ*LWS6wETcG(>iOwl_;DFL* zvb6v>v^lEvGq-P|;^MR8<9|>)uiVD5!q(5o%EB&f2>RnDAj5eSm>zdKJ|O{M15y=A z;K6B+9a;aBl~sWNRD1A_)~!}lNIN@E1F~$c6f8fW)ZE?ncrSq$N?~YdC~iOS%Jj#F zX*X`{+OcB?JG;B1BRb*RuC8t9sQ;X~&&kPY4`K7mr-Z+&i?*%ttU#+OptJcg!4s22 zY#)cOKR%&W$cs(qzsc8m;j_FTjxHSAUflb`g!y^L(Ju9>cTGnSx z$Qqz}D5_Nu6s?;g(3k#*yPAsqZi=LWG`YUMKHiyQWN4@+c;;F6hYvT?(kr6}y%O%rr}>J+{X)CWDQ(+V$(j2Vo{a9L3NILLjE~vfxWK=?xz-Cj0s{jgxtZCQ z-rgrbd#e{Fhek(1-MKWDD$lsIs}sU!J*>6wubm7IRwh>m?^}3#A?9Iesg$g&i<48p z`mz%gH-CSB(DBU7-CW5ft~z|F5T&I)Y2PU;gCL4spB%{C34#FhAtWN=Xl-q1Y^;@I zP+%Al83{!jMg?vYq@@nMN`O2R!fSiw3`|WwfBCZeZ_Fn2YYPiyY3UtqUL!AQu=`de zZM3wa{=@yFqN38$jLx0gyF55pJT_(rtxH|K$?S>!*6QLYN&$8qG=6C5_)n^@LW+v! z=xTa;j<2rmvy;wj3YKS!KEe|Bl4hq+w>uHPQb(Xt&%PZS8$+MLIo!Q>@2y+6TAo1r z@}2n%;>ar?fFJh3xRXQeSb=olRDy$qCXR~VoQnQ}!vW1D>-OzEd-kM@nep-PSX*0r z{Q7yKUls?0LYPNFqW(fl%*T%=iZv^NbaHNAp@t6q{F$DXM#sp=C9>yE!}Vhf@Bar? zmCn=;8>Jt^0R`w^9!MnY-kmv2Wd>Cp9*mWh6_y_*$;S(T3Y-KQNjZ4PfdkWEgu7@j z&Jap_{@+vt=q3fX-{`W)-ninqeb&bu2LGS9l_yOVl1 zvNFWB^ti`V4xg?3`qiSJiJfbiA^Fw#k00vHeV;$empU$-?z@%+K0~e!xnkif_8)dD z7zz%`6!D`&;<|DDI@(d;vshJ@OHV@2-z_d)ev=I}t;N?9IgX9wv5)J?_?B73$M!#3i4RnZ}iD_Q0-`e@$tmuS5cNw+-M49oA z56^+E+-18gkfK)%pbi}qHwuRuL`vME+7Rkka&odpfvlXI+@V8vN=jm5V-w=yYO1S= zkhY2MeqmvAOAE|8TYGy-b>^=ZBYE^JEkmI30)2pwRn87GZm13QQUl_LROx^-K(0b5 zL}eI4&rL}os2d(VO2ZgSM^7I`w+KmQ_jiHq*u&sUD^~Nj4OBRt`p#6=bF8%^U~o&! 
z48G#-{`ik5$!u)T;7eI04KJZGQpw%@tC4>pECe5{M!otEL z&xv29&z0ceDR=1N!Wz<3+S=I}pFJDfYJ-YP&CRi|9hPVn^l8wGg$0i@XFh=YWM^|i zt)-5Ds4jfsHo^jnU8>uTPEOxm1Q2_rl~wMoTXM3peXXs65b;#v%o-jXW6FqPC)7&-<}3-Ku!CraLZF_t9)2Hv++gI_~VY~e7%0q1#o1FY| z{|@{&+$xx1*cPxzp{|l|RXM9|ts}wF_VOkD)HHC!-aUKFEi5)6*rCS2|AY>9rSSFJ zw=LrW8?6z9HuN0gPZf?#-&5fMPVily&9NYc?IpmJQkd>Q6WX=&*&Rq@p1 zq=Ls#BOFk6adSIc+uo||6+s>zDd&%3_{Vq`BoGY!rY5n*X*X{kl9k0l7M?Bp*45<> z7>;xaBx3VtE@q$@{0ezTf_#BwfkeSkfK5SyBY8x4d53|saYrmHEO6Lx!-yISxOH*y z7|fPOp!65~EaZ>;a#yF$2+L?$)x?4f((n>TNu8rSA;ZsQD1|Vd8?g zb8v9L@aTau-Gh&jlDBom-FbT z-0g`;JFq8#nu!TP4ex*eh5k4xvj$cMHda=+Dl6Ei{#b~$S1|2u5jPUp5wx$C^8vp8 zRnsgwYuh-CE9)Drg!yp(fK!n8z*z}G*dpxj8r5u~PT%cA&gjnAW*`Sv=%5MQo*xS9x~C!CN?c`ZQPo%$Ct1vd3h&%QOrONr{QdfyWqBavO*>P5imM7c8|J{~FzfP7?RWNfek zMJ=4ppzXhPnVDaJ5P(T^>kKG#gwp=ZeChpDtqbx6zXL5H)5q@!WuzI%3+yW z)@Fe7?a*cWD=r=fR&aBBl$v_V-d@P(BRUBjK}bp8oKuMo0W`s5$D|K3sH>}^;X~n< zJ}5+#f5>zqZrm_N5Xr-10fiGss2^wN?Ah_zSqAlP&@QJkN#0aFl#&UbA_^n@Je94V z@3Q1MuT7?sd<1Eb^8DGEgMwF7Tr7L>%?%tS)F4gfzV2?EH+0x0_~Nf5GVuNt(rhZEBZ__e{5ICt z-{&&t8;YE(a*Lkt=z9G+H7!lk@dLI#+Bh`@l_?2cRS&@O?ml6*-z(FfAhd%=wzcU9 z%+W_LE-XMqJ$(2u-!5*oeZ=>NXjmP#9okUEMoCT%W`6L`E{F5bpum%_J|b0P*_&L) z%fr(>A5zoU4on?;{rY?BTYHpz#gr+r9%$|lH_k6Ku2BnYsM3Vre=pBbYa)x5iFyO< zQMq$>-Oyv<*cb9lOkE&+2)^klErL@*vEuf z;0M4Mh4;g$619jwZM-ZS9*y)t^XNK%RXlLCVUIjA2L!s|k&)Bjmvi#STnQ8PDhttY zMew_i(zb2%V==^nHGo>jLd#fAO8oZ7%nYhhqTvFNChGwco?V>Q6xcZrTHD*Hab&;O zc8Xzxp@!Ri%y1?+6BBX@C~O7$ysw%;YP!a$&>UdvMOOKFMS+Y!#h?Ze@U-MVC^2CzOOBU>7_|I!VH*C6Ny zcLu(qWsRqxl2R?uN@oRh#Dv!GHD0l|Zm}n{VqG+tiwg=KUwoU6PnX=im(WeN?nrRv z-4O>Z!TgE+JJ7?xci=1V;u?VpP(dZ3GJlgMr)g`q8Lo^OFpK?8d;7Mc(|ds^6R7v&@3O|{=IT9v9E&m`$wxpdTyV%ke&^0K04!n# zq=)t9ty_o#+S%J*Lwcl#m86s~u1K<+`g#nX6_jcBq$j0%3iJ^8r(kR;RxIJP_$bT! 
zlzjEk3Lw?+KT$+~!B)eWN;TUjbsc*nyaIcH*z0g~0Rj1+z2{a9?Z{JA<>%KlHxGPi zLYqjytH?rhfolUR$;8YoAnGhaWj}!6(ShxvKGE^e&iIg)IypNda8ZYlTl*~;Y9e^( zfB&BJ(b$j_Hcoz|M!^HCI`i}A2L}fBKI8<$#1%tHqaqq+o`ej#S zqG0hudE!>^jJlJX6#x+q`v|+ID2H0gf&(lS4ZpINqYiEXe*KYEUA!+J|I419Q;-di z#+=m(B(l+`PeEaHlvu1y{jspJhYt1NeIOf(i;8L}C9rrRKLZL36}TuzPxTSpJ0K=6 zFR!t=G%6i}ybK{R1;8Ik18p50#&<>x|*YKvj`Ox6%ql61Lk89b}2gw6Fe%g(~U|D z>cX~jV`Fpbod7y>Vbmk9v~^tB2ol{aT%>FI1F6 zCnb+!NdyAUA0H?nd{j`t+h0T93KW5$4_ZbyJ}f6btkw*Q2^=iYAuXlU0^oEy8k+sY zs4|N+v+1Kk7%cx0tOA)2TPhu>_M5k|xBm%*jN567q(oP?!sy5d>F*<7+RuyjqjDkC z2EhnQ$BmmeA@~5Yv7ERH5eqw=Ins#+b0z5-& z`uLGj67DSNNx6du*M86L{hIO2$P0QB&_5SfE~G1vBKlnnxo$Q#r0OY90Dh|Wk@xra ze=IvMDJG^Iy1A+u%hV6&&_ z2~>KK{B>(YXZ^^=&E0^K(jN!H3^G?6wym-$&BMdP$5&Wh?t#Q7jzAeQyl>vn0{2r> z=Uc{uq^LCS*}FIE)~zbsN&j`gGQ3lIUS8MRw|K*ARy44jU0|kzLSSPgU%O^<>Qn(Y z1J~Do(4_$36%}tE?nA4_KEcnoCwhvI@_Ij~)!j8*_V>BGt4Sn7r!PV@Kqs-~yUnrz zP2%H^!OriGBhaU$rWP#22Gd~fL-}+LJbiix(o)Ed@lYdh9VrZIytJ@@4caI<+{Kmr z>JP)lNGtYZ+`riyY$%G80HdtT%;DQiUCpD5=j(%^6dy6PBOAcFoMdR>RNE6@i|YO zV!`JOJNUpW2Zwwi48>SSV8=blm6a8ztc&*cNLj(*!?l-L)KtK;E-9gk;6df7z5+Ah ziW)j{q2)16P20JzH7G%_%77qlY%_jf*yYOO;nsKK?#VnWbMs?Ig0xj*8}|GhF-DU@ zcm;Bv<~dFu$S6QT0R4}#Px@qAdA)Ag%Ahpu30x4 zlF#<@2q+Zr-(j_5pJZoe19Ku8z@F! 
z{OsB@0~Ts>dP>bB3A$mI+aM!DrVuwRw_ch0fG~h2T|_#z8_@ary1+A7qFD>(N{DbU zjBq4TyVbhFSx=an`XhVl(3xG3L)31{zbebh5^oHErf}M8?|+pE=Dt7gd9f~5R^P$S)w zaU74RM&=X@zxkCW;iK04tpMDv#6)_;WRdAWtg$}empz(@hK2_2O`SRX_s^d{Lq&(* zEqLU}7Gz~+@}@0$NbC4?fIYY;czZAw=?pUnz)14IZb9pY-7>7GA$fSj}5i4zR8v^JY-iJ(O20-%}>pjucPpkH7u5SQH+FV32Txq_s*+S;Ze zMUMW0GlCR8a73_S7@5v@pml75pd9rPV;oaJQ}T^mG1q($Miin`v zH$ZlMKS(maz8;AE0(%OI1Kt=_UOJP$3m2P`mWG5?o}4>koPT(zBl13ISiTt4oJ7xp zHHbLa&mTW9(FUV=X z>gnTi1ldklFk2hPwfEk}M+U}{IwGc9Xw+l9@ar;gxeAOa{Dr2#@;0d+aaJg-2%do1 zIN^|D%bAL?&1!{*O3l`HA}bE=0;v)=3VE%~Jj|7tjGelcoZQvZvxtq2$qYDSC?lX1 zVvMoVRm4QT&d(?(UENqjd277JQ7Uz;eZ*itZ5|!(uqJ-kQd-9#CuDFHV{Kt&s=uDKVWkL*0t2(!z!0Y z$WfWs@(NGB4q8e?L^H4#F}U1hjSU3=%&6WCS_S=w zGSB`FG)q|h$Wnpu9@o=rfAdDV;x|AvToY(kAA=3PwL7}I%SlNQX=d4d$)L%psbl*3 z@RE?*pP!jAhTcVVD~)W&dP!nP<3=3`qkjWAlNhBlH?ah0vuM5G8Lfy%tv^Qow$}`C z&jrYDxC~|>ZTLYL`RMC2hO6@9M-GB|h|1vg?g{$_g6t#eJ`p5Cvv+MeiIe`Afx*X~ z9(;l+rTfpH2SQKA?${}$kLAdPoq@`T>vXiS!Hev|fuo>f`wBi)nPa@0BtJQ(qF|*b zaBXG!77#8t&3@Tit1+>$f9kpg6coM;4mP}a0q@?@$|@9@p}KW5P(rjb2}HIL5A(RedxHRX3-#(n4!oGTmtS3{>0gu`|^aUHPyV_bO!fKMn(oj z68=>3KBZ@Vo&NjhS~Q3T%&b#NZm17PpyOX7+3wxemV()z z8#l5KyP88aL*0WVjIpQ+|3w?>2#m78)HcXbJVg2<5nVhYFR!7Z!V@PFTQEK@ZujFe zGJGh?5c{$1AfV1nOyDHynw$4S5t=;jp4epl@5|p<@ZZFGV9<$6*vaLP`5E+XcYs!iQFuv7 z1jsSxbqOjW!s+x967W9V-0ClV5Jek+8zWUg?N#LkJr=0}h-k3Y;^W`MFziLy7&6;( zOSfvd3QzI9%9-a+o*3!ri3kctH?>}tw`kyxVSss^J%o?E^_LNP9ePsO#&1^#hjB=% zr(<_mXP1^vJolOY-Vg?@a2YimaXrSq>zyelws!1kRGUR}kJBnd#0}0N2Dku^&_YW~ z`X(P7K~NRZJQbC{NPKMlwf{Z$ZNOchG81+Z2S-L`rnuD$Oul$iI~+%U!1hL{%O5zf z;jsOjFBf7$d*y^^b^F{|+7`L zyut(J?4jx7X56xjAM_DCut8j1L*V5AybuE#1C(*IoE#k0Fxjw)goTAcrl6-IY0Xq= zHgu~pCj@d1P7C^2WmT0hhGYU)X!rQv|81VFXp@0D56=QN_yW`YMdU&O3oq!9#LS?z zQCkKY@TFqr0mECoVqzUP!f}i-I(Hr82rF6ZXY1p&uCP5cq1weP6(6^mC`49Enhovw$2gf3@*Nn zrelW@Fg8DbGVDordJq;ERT+sCG;rPXXQ)$+l5vpI~X~7^xX6ef`}qO&7f9pq$)Uqyax&essk~nn-k@ zYkm0=P)_$AMs2}^2f@IIWK@jHISF5VW1Jivk&VCp+OAD5p|Wxrn60R=u-p^^tGLCv z-RC*E4t8K#v?+q(fXRbu^av@*fuCS#dpnm1&JaWx>FK>aJrRS0od|vnn6v!cE>6*| 
z7XSkyIaHY;vIA&)s9wMeM*^28aQmHf!)!dt(mwv5jIpvS9~pnGtRSoUa@Yfh07S}K zN{D|Avu)oS8?7NcMTYP%zk~iHAYg~X8&Z2#f3TB?b^&XlNMKw68U_r|7ntV5beFm- z8+I2q3-b4v|7kMfuuukSICRJdaZfB@A4>~mZA~D_xT1m)DlPIqy67;X8T z6FS^X0nr|zBa{=j!TNonp|s$7=z8$a;1fYI;ZV4xJBWRL_JQf}&`^G1VFlbk956-a zSRhH;k55kiv$&`}VHL7Ed|}~~ueG5XcM=&3brj_D zs5iUG)nTro9chWk*XkJ<=*;bZi^`29=30vM*O7q|Zm6zKQkX1D^kyB>FevzP$WTzT zv95P8qCHP7Gmf%T6P(j z!>e8np;pr#RYM_bX(&!-#7;#e=V8wihftvPN`5CZbLqo}2D`O>d=3+Ku4|G7v=G_2rS@zkRiscpp=MOKWv$@1Q0}Okr%q zOB9!pf>?`@(N53Bf&Tu+JQTUu_k373J z;by@qDq1^rPLuNRZU+pU_2yGrT3hJq>LTVlp#u5^r=IAWMBMs!iV_)RPE5Xaj*W}} zm$D1E^&_$W6_BF0rJ@KhgJ;p92=4HmI~1YIqEe>$g_nhJc^GGdf+Zv8f?A=9aR)(;eHMn)1t|C1=z=;9 z4-aD$#omTE&=933aGJZFoF3jBCv+%L4701KMWy-6PSFM{DSQRCj8*j=LJ5IThb|pGk;3J239tZ-`5q?SPoCuV zOo7^g@hpsTNt#z)jjKu0z|~b?FTvgW2}2E_19orAu!kn~^_-lfRvV0izz#f%+qgw77$YHMS& z&ee`01dI4HKn@xm8auSJw+J2Z@Tl=HBQ{IS?jay%|85Vq=gyrwJ>I)IUe&U(vm<71 zVVpu6#nq!}gR<}4yBF8>@Za3z=*$fLoVEi@F?oc46U)lxf#fGtPt=u^2unyX#*?(5Ovl6d~{Q@w|aj zj3GK41NIv-*4{YlUd+@{sE}NW-i~mX9LGrs6Noo*MrahsD=HdfNDYIz5x-kX5+cjU z!ol$wsv`%-RRko%?|wh~hA<&`x$FbMUyDZp(B)&mw$Tw2h-@t;hYH1bXu2p3iNN zQowWYC)8qsDZBiq*Ic>E0ZTYn*oGdSJO5oF7aojSLmfkk1Qnimkzx#+O%6VIO9ZjE z|87W%I1m=j;woj8xfa@%hFg;XadlkAomYt4&Zx3^Qv#xwl=EZ<)f>r;S!s0 zN1q~iflYP(Jf4$aOI*I+n3Xo8j@G#B;bDky{GUI%O6&yd_wf06k@-uLPly z7bck^au3+TkoJWPvab@qtDwg1Iss_}f)0KLA_aB@b^%=#jxhd=kEhL{2-{kx$ooqC zJVbYkG6_@NFJDH*#u8_J5Fdc-^`Eb$r4f&6bTm%JPhY-FLhhKDK%&0ic@e4&m}8*7 z|L1`Lrb~5b0w@reQbNRQ(M;1#q4GB&T%ucdZ#E1Pgx}tRG)+xm)foF8U_bKn!`Imh zZG$-Nl%5__g46_tIH7|uJS#`L zI1i!?j5Y}B3xEwjFc4J|mIIJd@4Ul*&71D&i)EAYoNj4XiJ(pa2HZ;~w@u%?wczf*SQi(UzsX{asuN5+O(nF|%JhPz$l>uRaI3++uR7+@7#&!s=Pp{ zgf`5?#6%qdgB$__lr=yp;$oq_A&A7#SC0p|fQuoM2}})8Ly@B!t{pBz7IwaPI1vvugc!1?<0B(rVSra~ zMh2=cBaq9V<3~>5r!=l40qBR{b`iW^KM_>C6psD2jsYYY>Ij5=hHs%Vh73SvU07Ja znQ4@Sje74%Ia$7Cwy!#lIA{WpFDD~A2ZuaT9N^r5ChN1j)R4HO<>Z(c7>G}TK+=2C z*owe$(7Mb^4aQy;o@{_B?A3y|z%xG35xw${nBnDc15qc5ga@e;H2K*99f%Srvp5w< z9yShppe6U2VTu(7JFW>w8kT2M2?bKEKylfG*7a*_ 
zY72;rFKdKd-`=gxPlYf&(Xam_sJ+yotA!=80rfgLPI0)&aKCMPN3F4HJ;lt17E#SVPoblhr z%!5Grr!T6gsr|#=8Q0W!pdLeYbHLng$T%2YNIownH}Ww``xmAWZ(#O)1p6>@s-*>3 z2jeWmH$6Xp2n(Hh?hwI43ZKux#^(L>cO4-Vh)Zs6G46WsQYH>j7Gu#fGtH3i^7E6^ zpdk>zULJ-WPZ!%SF0L)I3cVgfpL!2%kc{dZ$bc^cw2e)3_IrWuJ^AiZm zSK>daVpGA{1q0(_c~M;ava|D=Z+u=}9;{w+bzHUy!G^-%N;y0F;{OZg6SoUGvVTjm}O^;^vi( zs3AkY_Y*j%If5c{(S2do!oXQrkQ#43BE~k*-JOz~t5Vq-r!|7JVvwf-+7*J-8YHp1 zb`%6oEPn$|E1njE+Wc53WymG?0uj`+ed(*=RG!6+$6I67}GLs{e!%STPOxtrio(saQv|RFd!$R~lx+NVuQi z3X+qO?x-BKD~FB%7O=W7tSOX^lnMX?5Y&!+`*Jcf?-dkW1~^A9OsI{D@Qh5fe-OqL zBD5It!WP;9A&N9l*Wx1v%kk_hP*MD?$yW!n>pY*@vQ-U`~$+qZOyQzVJzC@IX+ zGBS986eh`>U0jqQ?lwHz#`H9XlkiX&e8`N9&(wBTTZSQs@8II9hh7x2@%!M?F4q6t zAp@`y;3o{e@(KwZ#sohq2~a?P8YSQe_76lObW6lV@W3oF&!QlvsDB@gp#&8LG&Fa+ ztZswBX@p^j@OSg>w1F?J{S$3+XYqy4bnh}#$#odxtyp(&-ITub-XcujSBqJz@M~+S z2p?@BJMWE@YcY0x(&7xg-Zgi064abho%%>~CVvMV+{60&zRT>Q-$tmF>uA8|KODgd zzJ6W&)H+26-;fX-)r(FT9Y3DXGF%<9;R~QA#bIZbej%f&Nj=BFL5c&(0$g=oN{ZS+ zxN&0`|JFLCZ(zVi-ef0zik^&lpJQeF!dfuqk=O5^+o?YQ(MjtRk>Ix4d?~-6X<@+$ zh#f|^N8AJ&*Rktk-il276e|%%NWbVLOnOz>Vmgskr)Uvp!?(8X{{4jUH5^};GODFW zodof~y1&S50fwvONgg@!&E_#S+ihQw@T=-Yt$ay3Mo0kn_7<7khvtLE{dI8gq|z=m z@}aOw)A2tWNQhs0Y95fwPR^^Ol;z78KB-wm!W%_SdIetP(d*Ee$<<9UZJ(!_$;2Gu zD7&fy*IpzZJod4v81PwQpY$<8&lR1>{oa0l$FJk@EtiKHufUS&sXN0l^lA7FL7$hO zzX)1BXkJy-t?@O`B}}CC7Z5@jlPFayJ%*dX=wUN{p8q3hR#E)o#ipdIAQ|(1ycf+= z^AL3xG=kC{N8~4F+NAwn;)J>ulIpMqDg@o z-#n(R#PU)?c8^vYtU8>8BU~qe9%jYV(0I^819D6D3G{b6G9SfR`4w1KX+$`f^$und zjD*Tat-W*K34}GZB9idn{2qduO1C3{hucw>kisOphtN*7hhgj|7~FO+hDwNWdjPH; zMv7ArI%ENOM9Ixh)2@z=9yJ!oCaCUHRZxfvlDSAoqFj=Nu#=?o1kx_n5Q;-ma&p$Y zpJ3du0uV1kW^3t(3jj@%wUiY7&i=+_$S~#)538tz0)YWg@kOl$*CTl=EF|>Lhbfe@ zn0QIqs(bhL;|VqwG9VKKDRVuKr6*6Ktav5WK}=IcQso$wv<&09hCYfph>FuN0l`1_ z{1HDeYjV%ns>}}x1z0|?8x(d-9kB2gS624T`a-fP2gipAif{r=7w+yV&>uC2nw_}cs}2n%@1!FvOBlFlBrTs+34 z<+2634O|^^^@WWs%&Kv|y3APxoCNfT@)xUPZ)X?fu&A7eR{fu++4Z|TvzD4z^anFR zt)p8%?U**`!9r# zRxgAvw1u3PoQ9Uj2{~c7d|(!(4ICMdMOaOCKP6JHAWS{dPwMI@n1(C9f;f~%1dh1hgmVD?+B+?%!G 
zPs5xHHW42#T{QE3n=X##8d&$;wt$F|s5|!qOE7N}lVL=B^WKy7_O%f4O4P z$(NRPp@X3H9)t>duu}=4&{%XO@W|}0U7K_l(&qTS^%VReKGgK6wt?0o4eN;i3&O0G A?EnA( literal 0 HcmV?d00001 
diff --git a/doc/guide/admin/intro_tree.gif b/doc/guide/admin/intro_tree.gif deleted file mode 100644 index 376e28778fec5ae85bfdb2c9989c73d55c35d710..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6622 zcmZvA1yEGs*ZwuYKvF`amQD#N=?l^+-LiBENJxm_m6TArYpJC{N*b1y1`%+{r9lLw zL`2}*{r%>f|9mt5cV_3^J$v4B&hwo2-g)LIsVF`Xvt+s6a_#gAz%J-NALu_Dg#86U zDD0X?AqRhfFaQn%AQ*sv0Vo)NfdK#rz(4>50XPUiAb1Y z0dN!mp#TI5K%oE(3IH$w3I#^SYNCeyWk)Qfgl0|Q6PxH27rSwIL-=(gAg1kAfEWx2;Mm26gWx!NAOsFHgaIHdYcLotHyj2*FbDyIP%sDs zg8&>FTtRSLIoQnDB-nTmmR}egS0x+{L2w8Ghfr_`1ILEMp2j+2ZMcPiAQS{)APCzD z7y`oLfn!Yw2!Vi52nd6Ku?Cg5V%74FX3GmI++H zVQ?I4a5yeE0**q#Q5ZOu3@mOeL@XLyK?n$ig0Pu!Hv@*i@e4=bsze}ACwz%U8`(t>+ply82|YFj!wUQ>9&R zho|z@Q_6Wh(p=y7t<-!dTZ4x2MNotD&SKUR zQP)LOu+Q%c)5e3<@CYiU(N;h6b-Y}O98J37W zSd0a_tDNkv4i#kvwqKlcYIpUI<@~)2xjJD-xL>>e1oQ5K!T}a^udfIpM=ZjTYfsAi zWH}VAf15FkR+PYu#4;!&T&Y!v^X1GAmb~%(Fr=BM0I9;c5z|xh; zbSrS!*Mofs!5sc@*spF?qfjkP@?r8oOaukEQPAIRzb`7ob5_N;_O{_FNsf}h=5LXCE_dT@Q zhh_qeNs=CtjH6G&>&lWEJ>>cYyYl2pH(h%l*v^+LP^FYr_ffx^C(Y0BFuSWnA4*$O z0<#E-`@)hGGNyEpZbml9vHLW>i@mUwY-kIR^r+!!`{yB-8ff#QN1#*Ev*WSE8p()A zp`NGslZ8w{6|pAu*ip%d<8k%J4d3pMQ=j$hkAZ~x)m_q2HizSiq_&CA1n9E#0<7uPRD4Yi-H57Jv+Mmg^xqQ=OV5#IgGh!X^*VDI^`l+99B~@lX;Fgs%)8#Qj z(PrVZn`G1l(71lbi+fu6-Hz~H)TDJ*R`M)fSsSIPS?xlyX<_^><-A4*VamK>|061M zsWFX|1(6vSs^@%5A5s=MHY=!>q>dIu=l#zvd=%bZqfgZhB6Kyt1XJ+xFNe};9xWFF zmw(w`!a9TSiJ8=kUov)w5i!U`bGS40MpE)wncapl_kX093A)GW!7>ofrj@5&QnT8Z z#B0$N&FRTDk}l#_`Xa)UeJor0?R7#fufow>#TX`yQZG*37=;YE4_vRfrb;<;Oh!sy zanDq0SHC9Y_U1v?uym$tlzBfgt#_E~`oQhO`?bMqe`TbMs&Jt#@aj6z@TV$FR~Ydm zYqYPxYM(iU1Rl)TeJC%UPtLpC&vSP8E~5-<^pxP{SL8*!qVgGhX`;xYTRQW#$NE4H z%~yIOW4P;L%B!oE)(MgQpf+n}t?b0Q^_6zV{b^Ay ze~=rJdRAl_x>k6LF0gdF9}%=Awv`=DfE3A%04_xyI1qR!Gej^xFQR|{GvLcgglKkZ zUckk{W^A+|TcbrZ)5qI*)Mtyx2M46#r-F-aM|Enq-=VPv6fH6i5V3W zpTt=yL{SM4-2|ZJzGw#7FmkbY8^kW zzvSYH4%+!jacs5&+K#$KTDgiz;;&eAOAV{-rkaz=)XK~|!zd(@%crYsCy@Fr$u5Jn zF3WvM57clcD&nZE9;{c-Gu 
z?U{Z@Y4ZM8$sZp#|M=lrWWVIMAat5D+qransrmZNz~S;l1JT=dr`M-kX#bB49+&>- zk7uYV-d4qpmfkL@_VnOTmCB%*!Ra+A*b8PhF_e}rBA$5G>QH;;n%x(J!cDjMIm z-nc6fMV9%C@s`FK3E%wa%3c|{#9^u2A5c#~gp#0n@6iK_^w|E;2WwkOG;>{~9h*XT zxs*au$-b7RJ(vGFz>fEjcOX^%h4ug^=flUjTd^;czXTWDBvoS_IgbC58?COBFIvWu zFu-NuC8+r%*hyzpV!wcF^x^hDT`59|f0L?DQ+^()$Xs*r(rBAqyFX4z_(M%gmR+Mx zQ|YXrPFwN3XTOtLOPyRP@nj-X(2-+#P zp2FB{xkAL?nP@Y)#{rmR^~Nr^mv@oN3VGIf`t_UnynTSl87l`7NB z(=GPA%o5OY)cTN*f~QhU0bRnp%E-v!bVNhz6Pw4^hW$1xu6k#mT32LI8x%x5R~ymp z58@e)uG^S((HZ5H_|#bS+mD-A?C95So9A*eja0M0nFPH?L0XiLYIA zikZ&6R7FvT3G6H07*$rS*28Vy2HH;Kqun?A<1&2W-4m1Kk{*-nS_`7zQf%kYT$VEC zzZV>0%36tq2QPLPeYE^vkwqk^_%=lF1^!xX5h6NWxAs|Nfi5rqk9xFx3K0FTdc4DE zbrXeEj~}mq*oXg7j~u#AJzxHxdSn|)62Yp+2om<*7*GaDtLjy(m5o!6gLRx^i2tg` z(y20|S|=%0U7Lw2izacp|EkByQuFis<)-;BRtK}xaO%;at$jgFhi4J19tr5x8_S=! zyIoK|A8y2|#~5N}A_AOxOckWb&NRZRN5s>p=NxH*^Ap9oWzQcq);T6d8e`RC%V&+5 zs`J^!k(P%2$VShE$cq-NdMpjjVEfqGbhH^4nqx!M)_k(#mBftv*w%8ouTk%FiLZrK zkA)6zZRe-dw>;K{wPF5${v0L9h|5%uo&Uw-fO`g>DCq^q@m^*Kj$kli-B*f;w#WX!|KwC*0))`TWI{eVT# zH*d#X#2mdp<>!sxETo}ZWH(`&pRCRvB@(@osLa_zIvcc5yNANtcI1*7+nfi~Udnz$ zI~yln#wSyD-1$4S*mM2XJy&JMikoDuWLERlin0Uj%b%|s)UP4 zCHK5Pv{6le9Ewk2Qn#)ZN9n0ru6%?Ui&1|!`*ZvLwtSvqedTcJG-YyHN9@n~$%aWa^+Ia}O@d)aFE_Hh0)xMAr zuF|Qo6t@07AX+Pjl#NJsG4t`T`4-;B)&5gwb9g+Rp-5V_#bJ56ytj+(f|_roF44tJ z%H_1-MR`Qb(8mSpCfm%GP(Hp#e*3>t)avgD z2=&LVH*QS-D*9kZ_k+HOaFf#%@r+qY()4#Q7f%4~n9}Rr=;FV?Z~D?DV;DVIT5r(h z+O6-C@0oAzv!J2t@kT^~89GxTKfErG#<7T8I7%EG%s zb>C$oW?m1gNI@cX>yOJ*ZbIRY+8b9x@hGXS<8|A0Y?B=&lG=mW$&6Q$*M-qmiO$nc z?6Y3=iPSx#NcUUICZtc_%1e+oa73==oyw=he6Dr0b(2nWD)$_Ey+b7vHVZ2$+IT(s zsfsScDSM3fiTMc=*W8QxrhvJn#w5)a*NmLL@gJ9I`y1(QnFqYHZk^o=pLbO@!&+WW zk{4yTC*KK|gzu1y4IK2dvlDre3TvS~#-CCJczsn9z3}>`5Kj85Oe!YIQ-{STz`E1DgErht$xXi!@1LcZ)DN?)R%u28m=zqdOC6f3l2`N-i8fp1pc@W0|)9}ud{I_XJPeCXv|&|KR#9UjhW+Qo zV>FJD4Y@g)-Kd6Y@T$~FE_4tU7yv*=vP_x zeq=TEW;LpHoT{{)`(0+*=)OLh6q&qd-s*RfSJyJLZ-IJ8{hPw<`!CDp5K=z7`R`>` z{c)^Xns?IDA&Q4|H%)lp*u>nb7&t-pQ>nzNNQ^=YzG%O`#|zu9k*3G@n}Ek^Hmo#J^+4+jWD% 
zX1ueCw~nOaLY$?fKlwnE=^z*T$82-0pg)^%lRW5$7+<*Bsz5q)kx7 z&-E%DV99-PG{mzi>8vJx=P16Pzf977fL%qhc3A3~{*f{_=ka|7uqx4WqH}Al1{BSg zjMtEw;n5pZ&Fb+~eJC6ts3l8HAN)l=05AR`ZMQ(7+t!QUVTFczLk1I3j!VkeL+&;V*?6SNq3ZClHm9p zp|F&f2K7O-xA|^yK%%*Cb>_7B0r`j1#j%Y-LvjCu6Dq-g(+`zPZwb74;O_D>>Oa6BbaMvquI7;4aqny)=a}ueUgPj9VY-krq zS9~o0&m7=+N6>%g0Omz`xH-UFjH;}a3%97ve3LhJ4iHuAs@@hzb$G$;%fH-pwJ3M* z#h=QR-j57V180qv*S`cZV9 z+v+93toL4WtN#t+z@|gDW%eisYW?4G%T*!~%V-N{I?%pBmefwZr`@5>!20QxA4KgDgjbF0ti=ctP7ewH7 zvD=m*GZaR-p|l4|mI2dJ@23Ljq>GnBnd3Q3UrAavzys*%$qmD}A`SAQ1-lyctT~$> zz{2@!9x#89`S>1YR$QMt9wiy(z!0luz)@f-&%{X+!p-K$oM1S*$r1)leP2zq*xM?M zH;Q-6PA<{@o%7ahyD>k*Aenm8%RZg6C~Is2ZJzCOSTd76cY!WKc;IoF=LR!HPUrfv z%{q9$=lxM!Ag54jR+wNF$yAW$@ep0u7cg5=%pLmBtRz3r34<)DQC%#p=#o+0Dy#n5 zJc}rrPA`kFJD4r2>bOqxBBPniw7j~XDWkk*=k 
diff --git a/doc/guide/admin/intro_tree.png b/doc/guide/admin/intro_tree.png new file mode 100644 index 0000000000000000000000000000000000000000..043b51e8130d2497e370101b6cf3307ebdb16831 GIT binary patch literal 24714 zcmdSBcR1Jo|3CUNLN*DN6)FmevPWbUDJff|G9n{0d!$Gy4YD_tEwU0)Nz2ThNw(~4 z=l1ITJ?Hnk&UOAff1K;MuFvQFe)Ag7=VRROxAl02p4C>TquxzTAQ0$IYN(te5J+C* ze-%`u_zlnEfff9N%vt&5c`7QZ?!hwy_|NT*8ivmJ=f5A4@vE$9cqQSaiqd(HxXIp| zJm=T86lcUQQ|R#CyAt~FTpItmw3G`^(v;8H?<=Y7PI`a1O#M7shK5G&bL59WGcBb(U z_%cTL7c2Oz9`#vW_>rYgNkQ>*)`MJW#$$b|yCnG5EuMWOe`~A9c2~K0iIQ zcOOYfKnS_kJAcpAiy5Wv5AMPgciE;(Y7Qoj*Ng z;uy)VU+v6=8AIP6vu!JS{aQ^$g^GqoyhM&bLBY#R%NndayR<}4Pahs0&ZX$PZXTno zTbQ0cJl$J?Yu|HRB~Z!6!J)s@Y3T2ter`Dro3p!AFkWk4V3Z^NQG#K9`Aqa6N|~{DRXWT7uK>f z)X)$(deo&O{}R4x$XtC7t;)G`k18uS##%C`CMOMAw}qf}ndZrxH=R_5pD#|yiTM@~La{90@-@R2BRdB^pQU<3^U0azO&ab2Epyg#=$Qj8mwY#11D};$JJ0}N| zBwG_MF-jJH$*J?63NL0U_x0-~OeXR5WW3CcEyUMT5I-7k4xjy>mzh<)EiYfi%TiKO z;zTHCq@`H5dp70auNczNu3}rP{I<5X>({UU`)i0sV=v+MhpXay_a;xY=k1`nb@fZ6 z(kar&z!37S%hk0%3wN=GRk}^Z#Km!>@tX_c(>AMW7{b0-UJ>i;>?})3`B@W0>1e{7 zPpZOyoG}A8XlZ>aGAc^ZdztYZvnVIl;wG+BZU5t~<)H_Kg<@FbE6(QB;&hYn@6wdrX`ku6iJq#eK9`)@GP@cGT@niz~7HQ}!ZENcJzC`r4HvnD1S zJ9i$t@`;i777{yEYJnwMe7S+p5|;Sq&z~_&&$hkh-A2E52VWx={l;nNV@e8dMN9grlpv)reUNf-h+XVgsA9QRn-s8&CE-sHRi`v zsHww=w{3mu<;#~MhJ|VA>A@|-gp1o`yGR4Ph<73uJ^AzJ+)&*E^#@#`p`lLY9MxVt zyer%#ba)#JHP-O(+TTA9ADI*I+gaV!EE-G%VziN+a zq-;o3RA)>pFOOMmPE~)vNN#iO+HS2H+Q^ZgKgGP3CV&67)cdQd-f$+V`+a02E5?4G zW+aCB>60f{u3TAOUcMC^?DYI%!0jQs<3Tm4X9W@!{d_mqZ+d!qo;-Q->eZ{4E)71{ zNkzr^yEJ92tE-C}6cl{1DN$k7kg!M6etBi(bfQ9KQPDzoi9>7DZF3l$DjC za$^w&9A`gbp`xm)df~zaCnqNplb&!+*^l9zD881Il$0Fd$yFXcK9zZS4rk9k%*hcB z0}!y?eB-pC9eheDvs1V_k4?aC39>=w+AT%(DW*!oo&I zMxzoe6E1FUZ#@^sSLR2yHrE_J#tX|`~?lWzzEAXUhYtvXoMdkeY^JZrK zA3p385wRELCS?~5(da|VdzqZ~c-T1SM5liIb(5wn?ftf?*nJV9n8%|CUsBf<0=Y4#966ewE49=W+aGdA; z`}d;FoBmZA?4cS(o1Z>uxV!&F2jZjp`TKWUe|YtPlFHmOe}BTwn=9BU40cYu5gwBr z1v;r}!^6W((K)%f_U7H{EYw&3^i|Hy%{_hk)RZlmJ7REfke&8+S?1ZmprET)u85eH 
ztMEpw77t)@)WSK&#>cy?JW{KKPM)#GBWh^^dvsHVb$R6(UFmARtW$b*eiGL++o|fv(j%%fuH|Y%|~M+Bg?PP zl2cM{ERO%cZ0%%Y!_9Zq)Q|+#w6?XK+YHkfS5-WG@y#>QOMzu&D?I%yJ400p3ksTA zTE2Yy#%Vxv|Ni~&-@jvePtasstv2J|xpOBw?S5X~l!^7Vr708%mYlb|e0)dPzgG9r zv(tuXBsh(H=cJ>%|L75OMiDC;o21425EPA;m;eoa?DB($4$*AiE+`=2;pHXX=V5Hz zjp5DIidL?4@!nWn{L^2hZZ_p9h!-w;pKNpaZ zF*XNr(-|f-*bSMH?VF91;Kr?qvq4# z`D&M$J=eJ!o0=|}o6oeH`E_=8ileH zzx8D%CZ?Kf3KEBakY6NL-{V5V!cbawwHVvm*fcdZhJ=PT;S)WF?DPx_&@`Sse3+D; z{^7l)tc(mT9i97B*YLnV^?OT_JpYhiZk(K)*REY_NRYog9dl-QXlNc^5i99XnBwGy zc|Ia01~|diV*I_n{>YIdD1U)Ef#i%T{3R7`Q%2{{vv{gf9Xcv0nf2mDdPYWyqWho@ ziqIb*-zvW?k%I?6-(A8N95|Ek#(6|r?B}|hu)&F?(_%R(Vt%3Z*ntQv%#l*#9 zV`B}wXeN^Q&KIsGgrj_oj2&hc6=jSt5tf(d-0%_64840doLiCDPqU{(RDTW)ef#>= zpf@Z!+E7`UG|P*mhl2M})&)Jia1QB5be#7&q|r6;F9phKYPSOdNV2@JGuBoY4~42& zxT^bS9ap(g{PN{N(tzsQ;ed*O6&;OCht6NPP%s!q9#o^Dsp(!3OFH0%D*z^rmT&(F zR53d}Y=+7(xx%}bk?PHwDk;$SqpbSRp9`&CrK7ceb0@i+0vz?)C!*R_F_8F2CMxnJ z4&E!>T=IuLefk7M`YJhfeEgbTq9okh>mk(dG>^%VKlCow3|L{Zh>t( zJ39tf!nRFF!o>RA`SZ8Jt!l=@4O9#bSBThSI{ociuArL6G8?u5O7TdGPSz2dY!A?&Rj?=H(rp@cr7?*O!}} zy*^k=iEm|fB`Muur+P#7`t_;M9S8cr5>%(Q<{K1c-KT$z0d`-h3+LQgpJ$lpVxXs& zkdV0T&2l_{XFVBa9~~Zyf?rtpTTkSU9Xs@Mj27od&h%9ZF#l+3O3uyYLN&7Qk;;(N z=8b6m@uRl3HWRyc;Uh^@P>u#yQdZW)uU|zrE&G2aq!*A$NS@DT<;3f-QWmT zHhkj&yj2hzyJtu2=`&}{3a`|od31^=Pz^{(X|oa7Q8T#ZJ&#&_=aA$2Gd?c!sVzk1 zC(7DBets<0?@#7RNhpHKd^cpu%Ou^WO)`owbq*+H$;_KuHEJId&~s)HzU3Cl{BV zS5^$Ku93-wl6ugEs>t}P7RAN&MDVEttg@RNR8;K8V#bFnC?up0I|WTnPJ)DGgX93u zR(*L?{|gP((6Do6#!;`8!h^<6b&gAjwF1nnwY3!=(UhwGr=ws9eFCMX@_SEXBjfJf zD?{OD3Rjg;v=O4udEu-0>K;Z0|Rt* zbrlwARPPwLCjqW)OG8Z!h~f+W_N)Fe8aO^GEiDZY5c?QEZ++HYd(8g4IsaQ)M#iFm z^zZ#=5fM&vzv@x%?7E7!%lF@}UA%F34s`|{j)9KugGB)rj@fIw=!Xv(*Rr;mQ1L!G zb5`KV*RNjz?7(Nts(evW&S?{W?3>e0#);gYpPQdYXWl?DbpO*gHaaSRs`~jeW;5B0 zAFl^;M*WpMb}U$2JZVpe2G8+NSLV>ysA*^t}qUE|sHffUMLu0^wdz2swce1DS&0zduBSKuFro%S<3xgD?L7 z`_}{4XJ=z;d-^QXoz&*HERoB=nr<#Bv7ZO7LNh>QW;C&)S zH824FykKNh4%9D=4RiA*WT4~|cW%4}K7IrBhMk?g=gm#s3m1yZ%VosG<^bD)?e0lh 
z*x8xr=maQyZ)gD8|Bs&CD*;s4D0hQ0szarf@scSAz(#w1;kRt2DIT!FlN zWn5gG{e5u*2E`;ob*2XYBXHDv_r9V&q3Qt$kA98A75we@gPP`zjS5ah>jp5#!_WU~ zdO9I0O8@-%C(oXF{OOaY4rXRz3gG$lAN&3C>h!_rT@*% zAf8Vkr4^_D#OyzRv#8Q@ky`2D&z}}*GC=vc0G|;Wlbviibr{ZfgN~3sTh(4W^rH)E z#|xw47|((LkG23RT`K5UT3Wi;f4;$UnU*7r+?yzj{hjVrP*A|sOt%L@Q$Wvz?unP7 zrb{~Xu`n~Ih*!ORyNN1tT1(6Fdz_86wUk4j92m5bcve*~ zLacy`ixjeARhi>pU~FtR_~vTtgY!G~YiXQ0Q)f|t(tF*(AyfPS{hhG;_fdR`^YcG_ z`xdY0_ckbqEGPO-b4GG<01uVtr@YMa@^Y|Olsu@U0`l^`4Gj!RjLe~}{eM+Qo?AEQ z9_{^ZqAS3X(O$d5{1EfZQxIBwJfQ#m-N&wpPMH^UJbd^ND?cVS7DDmBtcQ&FnP{=A zpPvWxu8mX=rTH_t)CeEb*?lZAx^C>$&8!uj*ym{@|0hq483M!&XXmCUIeB^YaE{RFZm|x12r=A#>&Zz;{^76i}dw(pT>4m2RAo06`+rS2@lSCK;icD+e!%gD-*n0G~pt%IJ1j3 z{mWhof=4^97AT#Jl=NBO+~Wgh+@^b07AN$T)-G*7&PdM7JQEZX69Wh`^6S^aL=^wM zSl~WzE4%C04V$C}EN614mTS^Aqx5o3>Qjhl5Ij3mJKjQP2->J1T<>qnK#SJ9-v`* ze=RI6S;0QWFA|6nyWF2|v6B1u@6VpT3gHYK(9!%<<8c+z1brQy>Oplz zO*ZId8aN1-VFUz%nTlM(MTLhE*8xf}z(xFZvf>rX6Y5~?7(BaCDn|yW&htPV9j~^G z!769hBnc8|&2kT}uT`OOO?IYI_CO_`d4o{}4#+Q$0vCtGwlvv9Hci5`-6J6)q6t*S zuvZfcEjf9wuDu4G2bBuOVY2LbtUTLuGJ7(-tnb$L9k@Io4a4?r!OCTRTfQZGYXW%u z@m&l-HFlka!wX|A*%LqOA0NP4MrXKW%H}UyqoL@}4WJB-58LBQeSJZS&yF3B<7M4N zj9=f|d7sRl!Z^a8TjS)(9J8vvZ{P0kypPRPm62gN)|{Sg&EY7G0ryTRF1~Q)Ohb2f zY+1J_$ zGXM8)qO7|;7Uh8P#N=dAaq)*iN1_1XZR@XI<5NUp29xK)<;$sPjwq5?;uJmfp(;jj zekg)~VhaGsb{ryq12LJTsuQynOv6S?OPhPKQYN3ZxupeI5xim#dQ06?cHMRXbJjcPRYSPi+zzlCpwB-P^mcFOt$=|ts`A0{=<^D=9Dr(TY zKzJ{_5gN9Z)WMG;Bi(*|VnV0HzdwDtZH4MA@f{q{AOYkd1g@7VA6g!B>D|hlK_EeN70sIVi{TZna75|ME#Evh_TesX?hn-10@h}1N9tzCX64#^ZIRVnxX+48GRm8KK=(avmsuV5-XQJQH4K{hn-eUOY2_C1^>R#kPvfGc5Qu< z<5jTI{$BxCa(UjNp`jz}ptW?FG`o2Aw>3;~Z##2HK%m;90L7YxI=H3Sf2(GTDKz=M z;1nAxtBkaC{g*E^G&ET+Uv4h8o1q+Q*+erz-$(B>m^{82-Ye!LdOAR<98&S?*KU|b zhzgmuBwImS?RVz30E~F3pnkHAKdF%ftdVpbZv{dJp@%|UU0uy~_~O?%=~tkN?JLl7 zDEe*mVG&@<@TuJ!c$q;?7op+e?hZ!)oEmBgEj9J{pP%h{X8mQ(nK?OA@IuSqs=%Xx zN__0tF*&Zhq$CJsM}AfPd0kps3aSM0V|-%55BsLK!d*908z21xat5|hxfHy=+1aMn zR*1KH=g-S|FN;FrXscjlVR?HNs=;(xdtqTMEiF4(SrgD}fyD$^ zsIj8`HrKHen*6?6%?{Uem=2dNuclly60|El_^BtjH 
z0WL31b)%zyc>i8VSlFSbR4M16fPe-Z6$1mJ4VLM9h3sG7Q= z7lXb*!v!!!i=(5b&shI^K=kNQ@3p1t5aR;^YQP_%lmZ0KqnW{bfc)Sx8$`)~b@cK5 zdlojfx(^@jbIE&dZEk$^Y$qkdf5Vkg2{>pG+o`?KnY>%LUr&3frs#bn!0P(t{|Ho8JwTZ4FlGB+a?xmff%U7Yg(l@TON8M)N)~>qR zxD)kzVfn8zgU#QSDp1z|9t}6Q*C{C$?PH)JSfZwXnEx?eIv`sb=)P~gR|+oI!7?E&I#UpKUCQdv`z z=1whG+ci+$(I;4>xS(;xQ3z2!{mj_ zKdyq}?B(SJXO4+at+c#+x~o|8{CStvg)s<=Fi43iW7zHtK(>YX_af$3J5FNObV)lLo$6IeHiiQG&~O%sZ3!1n+Ok;2B2F)>CaChPDD zI-xLf$}FHZSH2e7w+}*Hk=I}Q1(maoj-sAwdxB~(5EcanxFTd`puxGD*0D!Cdh~N@ zY6Eu<#0?2~FNuRaM=l^bo8`Pha1?(ju<>yCOtOU?)-0#)bw5kcy3$ zcNA=GC!p(TYG}ZCNVT$w?vM)P85va71Y87c}eCq7D2Osw2<@nDeV z%Id0&jEsFpzLKfw#@A?ZHW3pfTgdomE|%T6`tjZ_Q>1<#f+!9;N-b~?;RW5VuXn$) zdhqh)I8>3au&`Z1+lR--ZvK29iXMk10zqaB5FM7{#x;^^y(@n})ew33o*-WV!J30! z^3pqUE31)&SHS9T0j54h@WCR)_2C`R{&1&}aEX4*eF$TNK>BlF04vqf((*S9waG~# zD4xQ?QzIiI=y4Mhwsv-t!^6e)y)qwZBA+~gEmsT^+tsxg-K3zv3C$Y`ka!6Y6nXr} z$(fj#2yAiwR>w_4Qo~IrmzNu&ZAKA<7E5upTL)~pA@sy;THKp5H{8SIwM|ni zQE~B!)pX^pG3<4y`W^l62s>|&nGJC0n3%}HE?Zys)@EyVKu4+cUb%7d zSa@Z-?i{9k?}^(T-Q9T03X*L>4s%YGV%mH9h zf_d;>&QDLjivRF4PC6@qT7gTjI;D_;Fh!KG@$0K!Sl{-4r7SwGQrMk#@-d)wKL}7~ z=gP*~Uuaa-pP0@AYG4Z=Me90xRL<$AN<(7Nj!+ed1s9_#p(OxWzzcY0%p7pMvAvzU z5Lu@&W+i&ADHgGZ&vlY)D{*KR44ad3jYpo@>v_duH8LWCJuZ z`rv|p5?FJOhK|lGQdya25;vikad2`1G&7RJV3dK<6QKd`LAT_KG@ue{bA5`Y&=K}~ z=u1eP9NJB3LeIghrYmjQMJUzYVaR*=a<_yX`<_)&lfW~)u8s0OSRPz?M9G|;-awe^ag zF7v;i)&OrgIXM|w*`^Bm{PXJSlzgdtWWMhXFop7jAWI=b;AK3DQGtSI*Rh4{9zP>h z_VhN#ol>S`9ti+2uKuc#s7;R|A}*a!_xB=dB9cCfOpa>vGu zzr?bNZtU&2BbRR@yR)O4T#g)4gc+oR6Q@qyy?>uhH+&E95Naqe$^{7JGdUy|$svd2 zK}|`A&MqhCJ=6UN`vwxRv%C8pZ(vK7T`2?r&dr_1WddAvLO-<{1%nFQ4p8_o*EquO{~QAF6^B(4&6Ca zE0jDI>U}~&_dK6Ug{s6zJO92-x2G-7tf6_8#2t>%I?us_*C0Pb`I2`?$JLGh{_O_h zgB=B|3^CPv85iXQX$E);>J7FedN8CDci;h3js$Tl?Go0va4%7n0b^nEx>fG27RG*R z0QHM~@xlfzB{x?j=jNv?H;jzBz}Em|fC$c-n)dee2pv9r_`re8loZ&e%+Tj#^c51M zo%f4~h)77V2G!*MK1~qW2C2XpC>dY}Nk%j^!*-fzErgJW=47c8--IX0KZ#G2I@kg) zOG|S>=1lMJ)2JvbJG*rt1bB?E$`4n|52SEc*J{T}=@=V(jkgL)ED+rm+|=YGt?^FM 
zZCD~N5k%WYL2>)eouOHerG--0i8iEu{rvovTqsLPCauX577!#s^hm*D2AtkMe#3Wb z(+52tTL9WFt?b&iI8v;WztGeT@GYL6h0@$i#vM!^IU>fyT#9}KbI7o=Ek&==^ z+Qam%cQjumWN_R)*unMg*G_4KYHcj1x;Ts!S_xJv3lr1edAe=ewqX`Ps32C4oTu}b z$0#4ZxiXhtS?P1_+Dqt6R)@CJ(t@Y{1`!y1U9e8KS?+HIAsKz?4zhW2xRy>Ne9@}B zy}cpUmkup-^$+a<}DEW3|!kk+1_!qM@T3cGja5b{LtnrAb4SC4+4{SXdUOdu6qw zNIcc|KZcOShCt((vXtPlV?VmOFf8p5QsZ*d*|2=D!nSYU4yKFm7UiaRP-j+lBe>6wa1l!v3Jk5&m8q(0@?5uz-hL z_WICZNbz#m&(at%G03{<_Ly#NZlvj46WB++TA%BH<3T2ZZ~e@o zxgL@*+@R*>M=iw*vGCmil`px+CZbMG|D2u zk(wGrd>LwlN%GsbeV8WLPY|@?a)Y-ce~kqWl!^gi7s7x*ng0OY_uV^-;m=R;3LEfE z514(Z-_GTXq5@dW^RQB&YrVJ9XTi{zyzywlm*nK!$Cm^QjfdQO@Sx6I6cEPb2MhO; znhO9+H>SFZL1Je5*%?u`ya)_ki&k;|an1IN_o_SuGbYISI(;JclR7$ADKxn3B$|bKb z@dz;xfj^>rxw*cGev&JV9<}{nE^&>ysA(+h=jrKbTn^9+_Bs&gJ(gN2ihiAT>b34| z+yJ9keMpj+l-P6P#)P4bVmx3CWBpR7z#DIl{rve9xe}(T`FeRtNl9QJ>FP2x45~mV z)1Zg{sf~6$r8*ZcZo+*)vqRZ<`uOn)V#rtq_3y}$0`RgUM|3nbzqGYQcJXwDz?CIZ zBJJ;(hx_;LmA^d?QSg7Wi|_-7R>XLdq~CszX8K6jD$qka9Za~)Kd7VJwr$Z+t0b@~!!!QVC)shmOL=~z(Cee3proiyTu5+3E8ycxU0QO}W_w2u zR)rBkjs5AeH>uxR?H4K?kgbTww8RGb2x6O(lDeD5gQ+PgjZr`c@DMS4&&B_AzRI+U z>8bQ0+SwZXDQBA0KujAmf$-m16pY54pnC$G1ceyMXPG}~?UpZ0brVxmZ{NCgmaXTl zPepmTXX1ymN7y44`k8Xv%9Z$T01-oDcCj3iMm+@gLQ9Slx#feCAPC3?rw=yWQ&p|4V6-1$}_hRAa&Z{)yUIXw=V+*+v4FLh}y(`^UiW{P`ke z|3DOA(>s^5E*X|OCWnUB2ar(`Jpk?)rWgMs2f3B}j}`=DyHyZlwXpU)E6X_FJOC#L zkTQoq1K!9;j(GZ(ZrxUb?KCU76bIVB1e(LUcf694?zmE%Te){slV+pVZy^jDT!}HQ zyUG3NrKTu$n=~`vT*xGsE?<7-(67MB84n$+PksrxB+Kj9eIVzcGdq^Ey2*Mi5#s?j zZiu0XY#bNo-A?`vCsdH0>~`(7hq>duGWYUAmZz!8KeZ^?YxFtvcRs2|@$tQ_t-pqc zuUcC_$6av^bNEBNnd~Z_03LzXjX6fDAiYJ%)9kWXbdOa8z_ zp($IUPi*Yoda4&(iG2+4vOY5yl$h9$E`dxTlG|sYZ+p0#SfD(h(4uBwzR9qUL;!iQ z)Zh(jx0AA~I;gKfM?ih}5-E(*B`hN1yENGe+D3$gU=bHbAT*({cU5}1YiVhria=sQ zdt@XhLX>|-v#@|bDPT6Vm{sGefV?Foe?fb&$PlyxorjMNB7Z#75FP@#5|@Iv0l?Z~ z*9o9W=n!CI|93&<9vk0*10~mfyo5Q9Jy4RLFRG}x_47j*Vhuzx*&aJ?w0B4o7#Qv7 zFFpXS!I?7-5aZ-rzQrddnn5;1W+RhkkR75bkWfPD9)@MbBJK7h%_!`Y80YiS{aHHR9B{dw%zHga<0i{XbLH~>kQb8JfGR6}NK 
z9g02;n~2KcatI$Lg;!46+lvG%C$|W}9YL;6`UZdbncm_~oR9KZTS5eZ`avCvGHQ8? zr+U%%=jeE)Wo0k2vH%U?%OM14`o<$dYrptrc=-j5iTO-FwTc%n>Y*?Jlu}SoK+{L0 zt?2hJ3RDvW8qO;zk>CdNZ{MZ>lv&6Z8}Ri}`Nac8+xNodJ;h1g-P*bUFtu>l zHYYC+*;N}C7Z-Fu%nalb;A0$UK@ zj`ilsxi2XTf)3;m=(X${>5;c?y@#6F-QB$htZ#fAyby@@3Rc9mYX_ex&RZcHkSnnq zqJoWvvq9+R#TdMoFYn51JW$*$g}c?TBFOR?RHO3E8{9++RBoVqK|yJk(X-pPhhmBT z$Hf4f(Pe;pF>f2tE%A;&ZAe5d0viK@l_KD%)Ygy(H0|Q*ia`K9?{M`*wg`8EUh$)~ z6$KGj2d-BkY>X}qdIsPNTnd>AIXKh~iMH?bFc0y4P}LzA#9a&Mr#P~$a<}x2Ur2%C z{pEC70Qg6-QB5n{T;thy>=+stAQDG1vLMJjZr#c?gN_(}eDLV)OZZev%M7#%tXzi{Kyc1aBU3JQkuXaIB}$*z0u+`{4_;J~bhT+UTk zWld&|0QSKA8wlQEbWu1jtH$3up;&OK_BO`$tY3IUe0&a|EDzO$LcRUAv$DI_j~AH8 zk4u@0Ku%8B0qVO3ooK-c00fhb@BE6B5uBU=qH8@twL`O`pYJ93QBhF=4N(PR|I=~G zJjqfctZi;ofX6@zpuh7tGBV+qt)88oP-d7i;;6(%1OP{_gynh!Y5AC#-E3@8aA=$A z>vFNEvJq3ee!V@%7(>xMBD&3v2UH1|bi4&v14k$rlHzL^lw_BgjP~+wQ$pA$9{GO&d&@hn`la)9F`aH;YFY);6cL-akMbIHJvk6h!P^|vIeFAv1 z?%PY%+|y%cV-p=8j{`6hD5D%QE}#1Q`*Fe;u`S>W21wr1c`kbdUXK_{-T3v1=#Pkt z7Z^;UTsMZo=eZADN3ap;_Xt{BJzd40zLZ4MN8SV|O~ zG^}B;c5JY%fyHppS1wzRFFQ2o z&WxVQ%FRtkOss;&3F#ZBj@)BM8k0|8ugpWuhVl)$4p#?lk$7ALkd7EmC@bp)_*GHi z2XJh^mClDVVgOgDRPaSNjPmute9+5)b#Q1b$+fNs7Xh2iq{8hR4sa?lVuzrmBuF`> zG%!eui$9Lot#*(7l8w#Hsjg%2f)Rgpl_h&1e=;0#D04=AU}D@!`h)mfAr;vsfcVP(cEm_0xV*c~h~iYjSINw03gXF)VJDKD?# zNqD|N_S2_7uwg)uB(Hb1_J1%eT0)p&3pE)MxU}zjDZolXLIP}GSHARyr;*>Ufv2eP zM&NYby@V=^(fFS=S4YSE!a@sZ|M%|S#}VuSI5tyLy%V&R;W3B=x40tPcf@x#^3}he zurN&vi=R+pDlR^qU0t+gV0eJ_hcG?_XZrcB#VPlSs0jFV*jz3yN6Y;l1ID(sscm%c zrBddN0KkNF_3e{Yhci!m`NFs1|1%4KSy+l!W$DOr%!5=v#ad9gQ>2uDAL9SS4N)Wn26 zy37pv8iKc#aB~(i_V=DuKb_8XKRrC=;NHD3%`v>?sa;bsCKT>POyo%S;{*Y`EpQj5 z_OaHc%T3>=pin8q&MhoJrbm~9^$`v68fyxN2LW5!rxafL($(G_U$JqyuhN6aXQYtf zI}d07L=$+DU!NTzCk@znAK}>#{r!r_NE#c*&Zc+dFQx21lh6afp|i98(6VNzcYltI;emAwti?Z|S?Im&WW>o}Ak@KBjX;c_XCFcuRC{ZPEK z*8<;L6hJ8!bgDAR-PC5Mgc}zTkg1LWhyh8y!PxDFUUM zc&GrXmpE$Q%nbXC61yB%|GcsjT9cxpA_D`1nVA_-7bI_rKg`~kTn_pYoNR@4?egRU zDx*D)o!qHC{Y*5#^SKeC8dyL$#)Q*xbNy5~J~)o}6Ag@mg9CdPsP|1}C0yzz=h$Zo 
z?jK01PHAbmI5`!(dUe^94FCqj3m67o*(L86ka1wu2H(D&V*3ZJ`*}qQQfPjgD^@l( zFHjqUf@)FecCFW_;lHDz+Myj|FCtToz72!}nXgH>1tKL1%<8HqZa`MH0>XImH@CGH z6rNANV%nZ(4P);YzIyd{syiwn;UW%X@7;R|>U)FYmgtR3V}OD0YHKUF`mdDZVnD)( zrrHXp{OA~f8zN?E4&DF+rN|TfogGp)@(TaT%*Ew9_-`$iW}U&p(RC0H3Tnh9`i!`_HD zZ`Q%Ha73=*MRqpJjvbe4H}i^$TtFeSyart%&7~}wQ5#2)!Wh#wF^QwAO6HPr8TEId z`C12%zUrzuNV0>C?M{QAC=c&8(EXjB8G%3EfA|2Yv9poM0f}adhM902#4`~yqI?h- z!g3byk~X~fm@Gva(&Aw4}7O|Gfqb$LfSS{sIJUHyTm`a$I0FX&mxNiTFLx4zW6}*53Yw z(%<1|!_tFhr^Szq@M(rfNzwC};)sgb-!WOLN%hjR&a25zPvi2mlwBZ5m0iJ75a z@W8Td6El&+L5W!OY&e#|6QP01B!!T1SQi^3V+859-d=eG3eAQdh)n}=A;tnZDcd?u z5qKVtafncD7lze`@TBga6aQ{D3G1Q0qeE)nzTh!ooL7JL>>1(<)uJXY_rUl-Rz))1$Y-!4QByQp9Tomz*AD19(H-BA}5Vp4UVCQrlz3z z;HDiq3$H@s`+7~+yhblA>2X9v8H^h!Vn)Ws(LWFlR)ki9U@FB*M<${L$d}6btUd|V zXG1Hw_g_r;>$S5Fl~hQH4}QS{hqekIm&4l@J`oI5wf5$klKoVu@X(oR5ud~{fBLt@ zaJZn1K+b;mcZY6uxWsYbYrtRdIP}1)4i1XXl*-}f?MBFP&z`V8huxyn=&tA|M~)ri zoOy5w#Rr0rz`lJ?LDTYNFA-!gDV#V5S#~2Grw!1*A&ufp5Y9bNI2Ii7{8fMn!|^^~ z)GMklybnuCwnORF;K$c4Ne&T>QBKY&toyOC`h+8K0k!grc=XgoKFs4`4)~$jRyH z+^noGAG=lzVL3r5ffy%u^K%D94^XpxYt`4jh06Dg&35=I>Z*n+<|zb_qVmT<1l>q9?9=8US@xO0Q`;1eUhl8Lj4>`GicfX z*rH;zXP^gQJ%CxlbRdTPco>P&MmXn}1Y;TksvIJ153#F}sB#e|CFecIn4Fo97Bbju zK^P4RVUdEl16XNfB*Vkw-%?Ddo-%*JA22jH2p@G1E9=KGWx@anV?^LEyh=3Qlc!Gy zYmN}i$?>R`hY-y`XmF2WPVdPH%X>^T_6gt~ftm2IguUFvMv87CD z2ybA=uW(~c6<7oV(-M_ITN3{|Jicku9VG(P0s9A<7{P-V{J(|?j40W z!CXBy5p!>k?S;Nh8{SDq7^To|pUFXmg4>2X(QyS*QFA=KI9@ym|?)tUP?Tq z=i^7%PMc^ma6Acb5h-7;!5Kqj>iKwiA*K`7aYlRuLLZLk%pq_m#j$>j#9Rz-zK*;y zEYTHUPvUG6FZTq#`wsecXIB@j1>9&gFAo2{gf0nvv^s#yk$MlI4dH_X+$j2PE<)t9 zKUImhuZUyP2`*5}q4YpyAdc=bM;zI(Jc2u5@3(Y22>Ecp=h+unmVgitH6qT`I)hu$ z&69`++}(KykAWi2C_~5HU%RkX;T!>w;AapwONFOf^d0}_{Q|&&zDncGq?qQLwV-c$pEX3o@|1=K6ui&KtKwW3axaMF@gmQ#e}5bJ5O5E!9OH{J3fAoT??~FB z9Zq7IBeIF1#wM`z+t6a-=60~RC*mkRzFJHyyHLl2%i&l&M4u@+xu&B72PP|#WiI-? 
z?l;xzb@a)~7GcK9@=mnC6Xs~w(Da?ddb>jRHlKPi)p+5KiJR_yF;%MvLfx(!IVK0Q z41Oet7^&|wI$GvXtU@vT+Ejz-WfS{lkt)T6`S`>O;x0gS>qPid_Pd6 zr6f&JNKs<@aU4wq{1?1}pVrJ_kLe5~D(5)umbr zBtt+6XFqR{;h{fJQxT>CeqH+cfd=wqsGGXqmyVN%=n0p}_ubHf+ll<}#kbyLLqmK` z=_hC@E+fvHd={Sz?GvH;LUaq5HB5c)e$TJKDiOouqaYQvwINccST3)q$Q@JzlgH55 z7y>_hS2&cRz7YsqU~S=PN1-a9zwiS*{!ViS@<2sNz)2~t2l~3Y0RE(s91=e{%4zc6UpFar7yW$Bn`DFE|7|^E{5=SX< z*-6}xS(m*P9@pb>A?l1*_@hWiT~@(@SG+d?A&G;yb0$N%CTzQyRQU3=!t;!b+utl{?%>4yjE5ZF z2bD?Z&Q%;tzDcRdJX%slvrN=#vht zAF%r?v)2%toWn5Db4Wdmi8+`NjifwEm4*gYz;Tcp?NaCb;`dI-~BTO>lT*Ig}X-}&GXp4)Aa4h|w zl-mrAfRTJTlvLkblWR|yFj;@r{Q-=F~eQc~+Hx`4;e6_#;?=GC+#gk3GeVfWm^nGN?mUtf+i}>K9ygY{AYXmXURE_OaMpFf~5r(8B3$cWQCO4k=xn!!Z22ICjI$?e^c&8YzFB zG;%!TttslvmFqwtwS5I7gnMKH5zHPa`^$11>O71P;XWqw5&S(IQ-lMMyF`SOo+x#o z5M3;Hd0}>xI+(Y@>H&cufVZ91*Y^W&kaBrH=!hX<-L=cm%xtR$t(yYuhx?8eVfkH6 z=xcJAT1ONlV><0#Rv9gsfEa_+1L(q5Aq!*)7na zF=((0@f-zI#6v9?k$Aa=gF0_qx$x`@50Yp&?^uw=hK6Mo6V+ieAiq4?K2$&mDnKAmOEDIR0*syyB@kW&*$DAt(Zr)W;;!!| z-f(Tj=0P_iN(j)GYPxsP;wh*<9i_0IvF=CJ0**Vvl-_;6t+$tR_wI7v4Nn6u0%0tW zS?~xr9B+g`T#Q*c79J`h<>9geE;ud?{7P?VMU5n}a%vN70X#sAiII_KqU00F@(m0N zo=t%V)gP6dVouodP4M3Gz^1@B!TER)t0YlPyN zV~0)4i4Wd7_aF|>vE||tu{^0do2Q6Qx(Razo(&=?*z^D?*KKSfJRcFfbw}~DPcq|8j&z%!w^NLb%LcjSMdglf{2sp6cH66pzK$dEc>tz z;~Ob$`M-VN=YO7a&U3m;HS>juHEM1ai<}6=;K`TV8w5>1SSOs}6r@eEE0{9~UH>Ap zaW%~lv5qI|>s8lwJ|8Pi!>(?>qaQ^80h)*w@LOTOM7Kr=nHa02BV{j}5DHT;^yO1K z3XI)*Aa~_*j}L0Aury7c=EV{xB_%=KP@k_~zs^p8kN#=Pa*1|{L$33Ia^N{s4MhYo zNa^i8$*b&c@;vS~JOeUwL27SFMn+@mJq3A&Q%pnj#juR`Zr_du`yAhIrVF)-*guCx z0_VU-bt&PdxrorL02#-9x~<8>hK68(25Lvj zw@!i}a*;|HZ8nYMo;?fYm6e%UckEb`?^NOL_z3yHc*i_75-5~3v9IiICg%3GPu3Vp zg44zi{dwe6;+z{uX@^!+=H(d&sy-d9(~pjjTX!=HGROW0@|jsBhDq@|?^K5fxzkf; zO0&ICD#^g`DSq|%)QG*E-J|xOhu~`aBFAcHRtI_z4mCjXs zc(F(kRiF9<;gfzF^9vDlz@?U3w`M%vFXW5d3IaZ1k{NuBTkBGL`$7m%oH_Is24976 zRvaPESK@nM-8q4bqu~M{8W_N0VR|@Z3=ii(hE185TtZJyH%RAr=1h52)jM3UZ1%BL z=5d&Mzo)gBHZ1}1n+pP$q`Pj_9TY{#ZCy1B{n<1=KG-cmODQ;H>2FL+8558r?xHcy 
z4=JB*Yw5oG0lXE~%E!4nPZBKjp5Z4|{6!xLgT0_)QqIJYb^cp0+If5L4t6&9PMEJ% zJ83nxc6Pvnt1T^zG#h;1^vq=)`1z{PMcR{SE@;EvB~~gx?p8pVmhNIk-RxPnkn5-jQ+!G<$?#4G;X8;G=!X-&Qg*%DsCwvrM|{47(_KPw{UFHKRmgmY>(UNhiyB*5Q9)y(kjYAp9$jH|%0`nf2=nK!za!2FDp1>u zQ24WCVQbbL43I%VR3q(HS4S%g#iCL+MXQIO-zwA!WA`{U>3YPD{PF7p8j3}~e6Chw z%X;=KrSm)L3>BrbC&kC%7JTYv51Y1*j#+IT3MVWsK&^AW;|8@$<-#HgiIarB52j&b z&&}ibQsx#xy*jVebv(ix_cesGboio9!8| znj0F#FH4{$x}VbflWsk4c$ue%>7!hH@G|+IWtEjaWR@!J6=Z& zq=A0wCz_psz9`1&P+yZj-t^$|O`E*;oZqdsiMHiXU slapcat -f slapd.conf -b "dc=example,dc=com" + +For back-bdb and back-hdb, this command may be ran while slapd(8) is running. + +MORE + + +H2: Berkeley DB Logs + +Berkeley DB log files grow, and the administrator has to deal with it. The +procedure is known as log file archival or log file rotation. + +Note: The actual log file rotation is handled by the Berkeley DB engine. + +Logs of current transactions need to be stored into files so that the database +can be recovered in the event of an application crash. Administrators can change +the size limit of a single log file (by default 10MB), and have old log files +removed automatically, by setting up DB environment (see below). The reason +Berkeley DB never deletes any log files by default is that the administrator +may wish to backup the log files before removal to make database recovery +possible even after a catastrophic failure, such as file system corruption. + +Log file names are {{F:log.XXXXXXXXXX}} (X is a digit). By default the log files +are located in the BDB backend directory. The {{F:db_archive}} tool knows what +log files are used in current transactions, and what are not. Administrators can +move unused log files to a backup media, and delete them. To have them removed +automatically, place set_flags {{DB_LOG_AUTOREMOVE}} directive in {{F:DB_CONFIG}}. + +Note: If the log files are removed automatically, recovery after a catastrophic +failure is likely to be impossible. 
+
+The files with names {{F:__db.001}}, {{F:__db.002}}, etc are just shared memory
+regions (or whatever). These ARE NOT 'logs', they must be left alone. Don't be
+afraid of them, they do not grow like logs do.
+
+To understand the {{F:db_archive}} interface, the reader should refer to
+chapter 9 of the Berkeley DB guide. In particular, the following chapters are
+recommended:
+
+* Database and log file archival
+* Log file removal
+* Recovery procedures
+* Hot failover
+
+Advanced installations can use special environment settings to fine-tune some
+Berkeley DB options (change the log file limit, etc). This can be done by using
+the {{F:DB_CONFIG}} file. This magic file can be created in BDB backend directory
+set up by {{slapd.conf}}(5). More information on this file can be found in File
+naming chapter. Specific directives can be found in C Interface, look for
+{{DB_ENV->set_XXXX}} calls.
+
+Note: options set in {{F:DB_CONFIG}} file override options set by OpenLDAP.
+Use them with extreme caution. Do not use them unless You know what You are doing.
+
+The advantages of {{F:DB_CONFIG}} usage can be the following:
+
+* to keep data files and log files on different mediums (i.e. disks) to improve
+ performance and/or reliability;
+* to fine-tune some specific options (such as shared memory region sizes);
+* to set the log file limit (please read Log file limits before doing this).
+
+To figure out the best-practice BDB backup scenario, the reader is highly
+recommended to read the whole Chapter 9: Berkeley DB Transactional Data Store Applications.
+This chapter is a set of small pages with examples in C language. Non-programming
+people can skip this examples without loss of knowledge.
+
+
+H2: Checkpointing
+
+MORE/TIDY
+
+If you put "checkpoint 1024 5" in slapd.conf (to checkpoint after 1024kb or 5 minutes,
+for example), this does not checkpoint every 5 minutes as you may think.
+The explanation from Howard is: + +'In OpenLDAP 2.1 and 2.2 the checkpoint directive acts as follows - *when there +is a write operation*, and more than minutes have occurred since the +last checkpoint, perform the checkpoint. If more than minutes pass after +a write without any other write operations occurring, no checkpoint is performed, +so it's possible to lose the last write that occurred.'' + +In other words, a write operation occurring less than "check" minutes after the +last checkpoint will not be checkpointed until the next write occurs after "check" +minutes have passed since the checkpoint. + +This has been modified in 2.3 to indeed checkpoint every so often; in the meantime +a workaround is to invoke "db_checkpoint" from a cron script every so often, say 5 minutes. + +H2: Migration + +Exporting to a new system...... + + diff --git a/doc/guide/admin/master.sdf b/doc/guide/admin/master.sdf index 7d7b4b2471..f9dc9ee61a 100644 --- a/doc/guide/admin/master.sdf +++ b/doc/guide/admin/master.sdf @@ -48,6 +48,12 @@ PB: !include "dbtools.sdf"; chapter PB: +!include "backends.sdf"; chapter +PB: + +!include "overlays.sdf"; chapter +PB: + !include "schema.sdf"; chapter PB: @@ -60,25 +66,32 @@ PB: !include "tls.sdf"; chapter PB: -!include "monitoringslapd.sdf"; chapter +!include "referrals.sdf"; chapter PB: -#!include "tuning.sdf"; chapter -#PB: +!include "replication.sdf"; chapter +PB: -!include "referrals.sdf"; chapter +!include "maintenance.sdf"; chapter PB: -!include "replication.sdf"; chapter +!include "monitoringslapd.sdf"; chapter PB: -!include "syncrepl.sdf"; chapter +!include "tuning.sdf"; chapter PB: -!include "proxycache.sdf"; chapter +!include "troubleshooting.sdf"; chapter PB: # Appendices +!include "appendix-changes.sdf"; appendix +PB: + +# Config file examples +!include "appendix-configs.sdf"; appendix +PB: + # Terms !include "glossary.sdf"; appendix PB: 
diff --git a/doc/guide/admin/monitoringslapd.sdf b/doc/guide/admin/monitoringslapd.sdf index cc2311b605..a21ebcaf5b 100644 --- a/doc/guide/admin/monitoringslapd.sdf +++ b/doc/guide/admin/monitoringslapd.sdf @@ -55,7 +55,7 @@ First, ensure {{core.schema}} schema configuration file is included by your {{slapd.conf}}(5) file. The {{monitor}} backend requires it. -Second, instanticate the {{monitor backend}} by adding a +Second, instantiate the {{monitor backend}} by adding a {{database monitor}} directive below your existing database sections. For instance: @@ -64,7 +64,7 @@ sections. For instance: Lastly, add additional global or database directives as needed. Like most other database backends, the monitor backend does honor -slapd(8) access and other adminstrative controls. As some monitor +slapd(8) access and other administrative controls. As some monitor information may be sensitive, it is generally recommend access to cn=monitor be restricted to directory administrators and their monitoring agents. Adding an {{access}} directive immediately below @@ -99,7 +99,7 @@ Note that unlike general purpose database backends, the database suffix is hardcoded. It's always {{EX:cn=Monitor}}. So no {{suffix}} directive should be provided. Also note that general purpose database backends, the monitor backend cannot be instantiated -multiple times. That is, there can only be one (or zero) occurances +multiple times. That is, there can only be one (or zero) occurrences of {{EX:database monitor}} in the server's configuration. @@ -498,3 +498,8 @@ Write waiters: > entryDN: cn=Write,cn=Waiters,cn=Monitor > subschemaSubentry: cn=Subschema > hasSubordinates: FALSE + +Add new monitored things here and discuss, referencing man pages and present +examples + + diff --git a/doc/guide/admin/overlays.sdf b/doc/guide/admin/overlays.sdf new file mode 100644 index 0000000000..b153978ece --- /dev/null +++ b/doc/guide/admin/overlays.sdf 
@@ -0,0 +1,413 @@
+# $OpenLDAP$
+# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
+
+H1: Overlays
+
+Overlays are software components that provide hooks to functions analogous to
+those provided by backends, which can be stacked on top of the backend calls
+and as callbacks on top of backend responses to alter their behavior.
+
+Overlays may be compiled statically into slapd, or when module support
+is enabled, they may be dynamically loaded. Most of the overlays
+are only allowed to be configured on individual databases, but some
+may also be configured globally.
+
+Essentially they represent a means to:
+
+ * customize the behavior of existing backends without changing the backend
+ code and without requiring one to write a new custom backend with
+ complete functionality
+ * write functionality of general usefulness that can be applied to
+ different backend types
+
+Overlays are usually documented by separate specific man pages in section 5;
+the naming convention is
+
+> slapo-
+
+Not all distributed overlays have a man page yet. Feel free to contribute one,
+if you think you well understood the behavior of the component and the
+implications of all the related configuration directives.
+
+Official overlays are located in
+
+> servers/slapd/overlays/
+
+That directory also contains the file slapover.txt, which describes the
+rationale of the overlay implementation, and may serve as guideline for the
+development of custom overlays.
+
+Contribware overlays are located in
+
+> contrib/slapd-modules//
+
+along with other types of run-time loadable components; they are officially
+distributed, but not maintained by the project.
+
+They can be stacked on the frontend as well; this means that they can be
+executed after a request is parsed and validated, but right before the
+appropriate database is selected.
The main purpose is to affect operations
+regardless of the database they will be handled by, and, in some cases,
+to influence the selection of the database by massaging the request DN.
+
+All the current overlays in 2.4 are listed and described in detail in the
+following sections.
+
+
+H2: Access Logging
+
+
+H3: Overview
+
+This overlay can record accesses to a given backend database on another
+database.
+
+
+H3: Access Logging Configuration
+
+
+H2: Audit Logging
+
+This overlay records changes on a given backend database to an LDIF log
+file.
+
+
+H3: Overview
+
+
+H3: Audit Logging Configuration
+
+
+H2: Chaining
+
+
+H3: Overview
+
+The chain overlay provides basic chaining capability to the underlying
+database.
+
+What is chaining? It indicates the capability of a DSA to follow referrals on
+behalf of the client, so that distributed systems are viewed as a single
+virtual DSA by clients that are otherwise unable to "chase" (i.e. follow)
+referrals by themselves.
+
+The chain overlay is built on top of the ldap backend; it is compiled by
+default when --enable-ldap.
+
+
+H3: Chaining Configuration
+
+
+H2: Constraints
+
+
+H3: Overview
+
+This overlay enforces a regular expression constraint on all values
+of specified attributes. It is used to enforce a more rigorous
+syntax when the underlying attribute syntax is too general.
+
+
+H3: Constraint Configuration
+
+
+H2: Dynamic Directory Services
+
+
+H3: Overview
+
+This overlay supports dynamic objects, which have a limited life after
+which they expire and are automatically deleted.
+
+
+H3: Dynamic Directory Service Configuration
+
+
+H2: Dynamic Groups
+
+
+H3: Overview
+
+This overlay extends the Compare operation to detect
+members of a dynamic group. This overlay is now deprecated
+as all of its functions are available using the
+{{SECT:Dynamic Lists}} overlay.
+
+
+H3: Dynamic Group Configuration
+
+
+H2: Dynamic Lists
+
+
+H3: Overview
+
+This overlay allows expansion of dynamic groups and more.
+
+
+H3: Dynamic List Configuration
+
+
+H2: Reverse Group Membership Maintenance
+
+
+H3: Member Of Configuration
+
+
+H2: The Proxy Cache Engine
+
+{{TERM:LDAP}} servers typically hold one or more subtrees of a
+{{TERM:DIT}}. Replica (or shadow) servers hold shadow copies of
+entries held by one or more master servers. Changes are propagated
+from the master server to replica (slave) servers using LDAP Sync
+replication. An LDAP cache is a special type of replica which holds
+entries corresponding to search filters instead of subtrees.
+
+H3: Overview
+
+The proxy cache extension of slapd is designed to improve the
+responsiveness of the ldap and meta backends. It handles a search
+request (query)
+by first determining whether it is contained in any cached search
+filter. Contained requests are answered from the proxy cache's local
+database. Other requests are passed on to the underlying ldap or
+meta backend and processed as usual.
+
+E.g. {{EX:(shoesize>=9)}} is contained in {{EX:(shoesize>=8)}} and
+{{EX:(sn=Richardson)}} is contained in {{EX:(sn=Richards*)}}
+
+Correct matching rules and syntaxes are used while comparing
+assertions for query containment. To simplify the query containment
+problem, a list of cacheable "templates" (defined below) is specified
+at configuration time. A query is cached or answered only if it
+belongs to one of these templates. The entries corresponding to
+cached queries are stored in the proxy cache local database while
+its associated meta information (filter, scope, base, attributes)
+is stored in main memory.
+
+A template is a prototype for generating LDAP search requests.
+Templates are described by a prototype search filter and a list of
+attributes which are required in queries generated from the template.
+The representation for prototype filter is similar to {{REF:RFC4515}},
+except that the assertion values are missing.
Examples of prototype
+filters are: (sn=),(&(sn=)(givenname=)) which are instantiated by
+search filters (sn=Doe) and (&(sn=Doe)(givenname=John)) respectively.
+
+The cache replacement policy removes the least recently used (LRU)
+query and entries belonging to only that query. Queries are allowed
+a maximum time to live (TTL) in the cache thus providing weak
+consistency. A background task periodically checks the cache for
+expired queries and removes them.
+
+The Proxy Cache paper
+({{URL:http://www.openldap.org/pub/kapurva/proxycaching.pdf}}) provides
+design and implementation details.
+
+
+H3: Proxy Cache Configuration
+
+The cache configuration specific directives described below must
+appear after a {{EX:overlay proxycache}} directive within a
+{{EX:"database meta"}} or {{EX:database ldap}} section of
+the server's {{slapd.conf}}(5) file.
+
+H4: Setting cache parameters
+
+> proxyCache
+
+This directive enables proxy caching and sets general cache
+parameters. The parameter specifies which underlying database
+is to be used to hold cached entries. It should be set to
+{{EX:bdb}} or {{EX:hdb}}. The parameter specifies the
+total number of entries which may be held in the cache. The
+ parameter specifies the total number of attribute sets
+(as specified by the {{EX:proxyAttrSet}} directive) that may be
+defined. The parameter specifies the maximum number of
+entries in a cacheable query. The specifies the consistency
+check period (in seconds). In each period, queries with expired
+TTLs are removed.
+
+H4: Defining attribute sets
+
+> proxyAttrset
+
+Used to associate a set of attributes to an index. Each attribute
+set is associated with an index number from 0 to -1.
+These indices are used by the proxyTemplate directive to define
+cacheable templates.
+
+H4: Specifying cacheable templates
+
+> proxyTemplate
+
+Specifies a cacheable template and the "time to live" (in sec)
+for queries belonging to the template.
A template is described by
+its prototype filter string and set of required attributes identified
+by .
+
+
+H4: Example
+
+An example {{slapd.conf}}(5) database section for a caching server
+which proxies for the {{EX:"dc=example,dc=com"}} subtree held
+at server {{EX:ldap.example.com}}.
+
+> database ldap
+> suffix "dc=example,dc=com"
+> rootdn "dc=example,dc=com"
+> uri ldap://ldap.example.com/dc=example%2cdc=com
+> overlay proxycache
+> proxycache bdb 100000 1 1000 100
+> proxyAttrset 0 mail postaladdress telephonenumber
+> proxyTemplate (sn=) 0 3600
+> proxyTemplate (&(sn=)(givenName=)) 0 3600
+> proxyTemplate (&(departmentNumber=)(secretary=*)) 0 3600
+>
+> cachesize 20
+> directory ./testrun/db.2.a
+> index objectClass eq
+> index cn,sn,uid,mail pres,eq,sub
+
+
+H5: Cacheable Queries
+
+A LDAP search query is cacheable when its filter matches one of the
+templates as defined in the "proxyTemplate" statements and when it references
+only the attributes specified in the corresponding attribute set.
+In the example above the attribute set number 0 defines that only the
+attributes: {{EX:mail postaladdress telephonenumber}} are cached for the following
+proxyTemplates.
+
+H5: Examples:
+
+> Filter: (&(sn=Richard*)(givenName=jack))
+> Attrs: mail telephoneNumber
+
+ is cacheable, because it matches the template {{EX:(&(sn=)(givenName=))}} and its
+ attributes are contained in proxyAttrset 0.
+
+> Filter: (&(sn=Richard*)(telephoneNumber))
+> Attrs: givenName
+
+ is not cacheable, because the filter does not match the template,
+ nor is the attribute givenName stored in the cache
+
+> Filter: (|(sn=Richard*)(givenName=jack))
+> Attrs: mail telephoneNumber
+
+ is not cacheable, because the filter does not match the template ( logical
+ OR "|" condition instead of logical AND "&" )
+
+
+H2: Password Policies
+
+
+H3: Overview
+
+This overlay provides a variety of password control mechanisms,
+e.g.
password aging, password reuse and duplication control, mandatory
+password resets, etc.
+
+
+H3: Password Policy Configuration
+
+
+H2: Referential Integrity
+
+
+H3: Overview
+
+This overlay can be used with a backend database such as slapd-bdb (5)
+to maintain the cohesiveness of a schema which utilizes reference
+attributes.
+
+
+H3: Referential Integrity Configuration
+
+
+H2: Return Code
+
+
+H3: Overview
+
+This overlay is useful to test the behavior of clients when
+server-generated erroneous and/or unusual responses occur.
+
+
+H3: Return Code Configuration
+
+
+H2: Rewrite/Remap
+
+
+H3: Overview
+
+It performs basic DN/data rewrite and
+objectClass/attributeType mapping.
+
+
+H3: Rewrite/Remap Configuration
+
+
+H2: Sync Provider
+
+
+H3: Overview
+
+This overlay implements the provider-side support for syncrepl
+replication, including persistent search functionality
+
+
+H3: Sync Provider Configuration
+
+
+H2: Translucent Proxy
+
+
+H3: Overview
+
+This overlay can be used with a backend database such as slapd-bdb (5)
+to create a "translucent proxy".
+
+Content of entries retrieved from a remote LDAP server can be partially
+overridden by the database.
+
+
+H3: Translucent Proxy Configuration
+
+
+H2: Attribute Uniqueness
+
+
+H3: Overview
+
+This overlay can be used with a backend database such as slapd-bdb (5)
+to enforce the uniqueness of some or all attributes within a subtree.
+
+
+H3: Attribute Uniqueness Configuration
+
+
+H2: Value Sorting
+
+
+H3: Overview
+
+This overlay can be used to enforce a specific order for the values
+of an attribute when it is returned in a search.
+
+
+H3: Value Sorting Configuration
+
+
+H2: Overlay Stacking
+
+
+H3: Overview
+
+
+H3: Example Scenarios
+
+
+H4: Samba
diff --git a/doc/guide/admin/preface.sdf b/doc/guide/admin/preface.sdf
index c3d7f320b7..83db7c7c13 100644
--- a/doc/guide/admin/preface.sdf
+++ b/doc/guide/admin/preface.sdf
@@ -9,7 +9,7 @@ P1: Preface # document's copyright P2[notoc] Copyright -Copyright 1998-2006, The {{ORG[expand]OLF}}, {{All Rights Reserved}}. +Copyright 1998-2007, The {{ORG[expand]OLF}}, {{All Rights Reserved}}. Copyright 1992-1996, Regents of the {{ORG[expand]UM}}, {{All Rights Reserved}}. @@ -71,5 +71,5 @@ This document was produced using the {{TERM[expand]SDF}} ({{TERM:SDF}}) documentation system ({{URL:http://search.cpan.org/src/IANC/sdf-2.001/doc/catalog.html}}) developed by {{Ian Clatworthy}}. Tools for SDF are available from -{{ORG:CPAN}} ({{URL:http://search.cpan.org/search?query=SDF}}). +{{ORG:CPAN}} ({{URL:http://search.cpan.org/search?query=SDF&mode=dist}}). diff --git a/doc/guide/admin/proxycache.sdf b/doc/guide/admin/proxycache.sdf deleted file mode 100644 index 0d4dcab72b..0000000000 --- a/doc/guide/admin/proxycache.sdf +++ /dev/null 
@@ -1,148 +0,0 @@ -# $OpenLDAP$ -# Copyright 2003-2007 The OpenLDAP Foundation, All Rights Reserved. -# COPYING RESTRICTIONS APPLY, see COPYRIGHT. - -H1: The Proxy Cache Engine - -{{TERM:LDAP}} servers typically hold one or more subtrees of a -{{TERM:DIT}}. Replica (or shadow) servers hold shadow copies of -entries held by one or more master servers. Changes are propagated -from the master server to replica (slave) servers using LDAP Sync -replication. An LDAP cache is a special type of replica which holds -entries corresponding to search filters instead of subtrees. - -H2: Overview - -The proxy cache extension of slapd is designed to improve the -responseiveness of the ldap and meta backends. It handles a search -request (query) -by first determining whether it is contained in any cached search -filter. Contained requests are answered from the proxy cache's local -database. Other requests are passed on to the underlying ldap or -meta backend and processed as usual. - -E.g. {{EX:(shoesize>=9)}} is contained in {{EX:(shoesize>=8)}} and -{{EX:(sn=Richardson)}} is contained in {{EX:(sn=Richards*)}} - -Correct matching rules and syntaxes are used while comparing -assertions for query containment. To simplify the query containment -problem, a list of cacheable "templates" (defined below) is specified -at configuration time. A query is cached or answered only if it -belongs to one of these templates. The entries corresponding to -cached queries are stored in the proxy cache local database while -its associated meta information (filter, scope, base, attributes) -is stored in main memory. - -A template is a prototype for generating LDAP search requests. -Templates are described by a prototype search filter and a list of -attributes which are required in queries generated from the template. -The representation for prototype filter is similar to {{REF:RFC4515}}, -except that the assertion values are missing. 
Examples of prototype -filters are: (sn=),(&(sn=)(givenname=)) which are instantiated by -search filters (sn=Doe) and (&(sn=Doe)(givenname=John)) respectively. - -The cache replacement policy removes the least recently used (LRU) -query and entries belonging to only that query. Queries are allowed -a maximum time to live (TTL) in the cache thus providing weak -consistency. A background task periodically checks the cache for -expired queries and removes them. - -The Proxy Cache paper -({{URL:http://www.openldap.org/pub/kapurva/proxycaching.pdf}}) provides -design and implementation details. - - -H2: Proxy Cache Configuration - -The cache configuration specific directives described below must -appear after a {{EX:overlay proxycache}} directive within a -{{EX:"database meta"}} or {{EX:database ldap}} section of -the server's {{slapd.conf}}(5) file. - -H3: Setting cache parameters - -> proxyCache - -This directive enables proxy caching and sets general cache -parameters. The parameter specifies which underlying database -is to be used to hold cached entries. It should be set to -{{EX:bdb}} or {{EX:hdb}}. The parameter specifies the -total number of entries which may be held in the cache. The - parameter specifies the total number of attribute sets -(as specified by the {{EX:proxyAttrSet}} directive) that may be -defined. The parameter specifies the maximum number of -entries in a cachable query. The specifies the consistency -check period (in seconds). In each period, queries with expired -TTLs are removed. - -H3: Defining attribute sets - -> proxyAttrset - -Used to associate a set of attributes to an index. Each attribute -set is associated with an index number from 0 to -1. -These indices are used by the proxyTemplate directive to define -cacheable templates. - -H3: Specifying cacheable templates - -> proxyTemplate - -Specifies a cacheable template and the "time to live" (in sec) -for queries belonging to the template. 
A template is described by -its prototype filter string and set of required attributes identified -by . - - -H3: Example - -An example {{slapd.conf}}(5) database section for a caching server -which proxies for the {{EX:"dc=example,dc=com"}} subtree held -at server {{EX:ldap.example.com}}. - -> database ldap -> suffix "dc=example,dc=com" -> rootdn "dc=example,dc=com" -> uri ldap://ldap.example.com/dc=example%2cdc=com -> overlay proxycache -> proxycache bdb 100000 1 1000 100 -> proxyAttrset 0 mail postaladdress telephonenumber -> proxyTemplate (sn=) 0 3600 -> proxyTemplate (&(sn=)(givenName=)) 0 3600 -> proxyTemplate (&(departmentNumber=)(secretary=*)) 0 3600 -> -> cachesize 20 -> directory ./testrun/db.2.a -> index objectClass eq -> index cn,sn,uid,mail pres,eq,sub - - -H4: Cacheable Queries - -A LDAP search query is cacheable when its filter matches one of the -templates as defined in the "proxyTemplate" statements and when it references -only the attributes specified in the corresponding attribute set. -In the example above the attribute set number 0 defines that only the -attributes: {{EX:mail postaladdress telephonenumber}} are cached for the following -proxyTemplates. - -H4: Examples: - -> Filter: (&(sn=Richard*)(givenName=jack)) -> Attrs: mail telephoneNumber - - is cacheable, because it matches the template {{EX:(&(sn=)(givenName=))}} and its - attributes are contained in proxyAttrset 0. - -> Filter: (&(sn=Richard*)(telephoneNumber)) -> Attrs: givenName - - is not cacheable, because the filter does not match the template, - nor is the attribute givenName stored in the cache - -> Filter: (|(sn=Richard*)(givenName=jack)) -> Attrs: mail telephoneNumber - - is not cacheable, because the filter does not match the template ( logical - OR "|" condition instead of logical AND "&" ) - diff --git a/doc/guide/admin/referrals.sdf b/doc/guide/admin/referrals.sdf index 0b41a2a355..8756553cb8 100644 --- a/doc/guide/admin/referrals.sdf +++ b/doc/guide/admin/referrals.sdf 
@@ -132,3 +132,10 @@ or with {{ldapsearch}}(1): Note: the {{EX:ref}} attribute is operational and must be explicitly requested when desired in search results. +Note: the use of referrals to construct a Distributed Directory Service is +extremely clumsy and not well supported by common clients. If an existing +installation has already been built using referrals, the use of the +{{chain}} overlay to hide the referrals will greatly improve the usability +of the Directory system. A better approach would be to use explicitly +defined local and proxy databases in {{subordinate}} configurations to +provide a seamless view of the Distributed Directory. 
diff --git a/doc/guide/admin/replication.gif b/doc/guide/admin/replication.gif deleted file mode 100644 index 70814033e541e4f7b828f7777aceadb923268931..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3538 zcmeH@`6Cky1AtK&<>*x}N4Hg(Q5Qg*BLl|=d4MbB68N zBbr^3cOHBxJ4&)^fX*j{RMPNW?JoI>O{Ww*=A$P1duR4t3r`H8=8= zYae&OcBxm5TLZ1|ZpYg{&rMZ+X~zm*DKc&gHu-3H!3g(O80OyZwlDy(5=?NeEJ_M^`Bu$Q=6 zp9N~?)4lDly~(U=rd@9jzpsx~xr}sm9`ElIzeqLhJ{>;X`@R{lVdv+uaLft%s!P_| zTZjb!0htdv7l~g{0)N7VeFbgo@Nsw(&&32DS9Cr~EJ5U&>j#sj0yK!=m7gT{81gjv zPM7{tit?lv9jmYk5MyKiu})9D&n2_`QU^(*r=fNs%jw3d-qPu2T@~&bRyNc0408|6 zM5YbQKswtYVR}4ME!&%({v?SEGt)j5K~M%x2fCr}{>^}%pY@nQ)=PhMv_dTZcC#|4Fq^lKP~FU^ zbd-F?f)Yq%fqeD;kTPo+FHDOkf8w&*7z%KKVOCw@d^h{W%AZ{2bdT*15%&b>Y@O_>Iil6@@pX`|pzfmL#$m(zO@5 zYLF+p(+46Tb*@vh@C_lUUNlGvGf@|&hQjcfx7-#~9Yh)aRV={Q*9zt`PX=z5UX+Q~ z?qWBGz6f#d%hRh?{^JddCmO#zN$BUGD)=fXxYdf}T)&E>dCG^DUVA;ICRcgqrJ}L; z&`DE|)@fZT(A|BNAu>?3_{Q9CPJ$H;(l;4Z03yXcAIm+X2@x;=YuUq=A>mS$j0b2 zMqbL`stk={a#C$!5@I8w87M1TsE?k(_Nmo(7!Iz3wV#t9wSY-S|_LRVU62qgIEP^2EC~4MS7tW(#tc z(!HA=Sr$7?V(nGr?VPDb`L?f$vTxP}$IHf&28!N6!`@7{Gi<9+c59i|vYXRY&Mh;y z2UfG{gI4$g=Ah$0&_5c7#?9QdqDD#*U#WMypk=>Z zPziWQyJAJ|$?7!LlDM~cWnp0e-8J)cB6_#V`Pd`7oBjar%^qEpC!YOosc_4;FZqeH z>cRUdL|vSV+9I#zP>%@EDdBi?mOo>%{mP`jMpVyN!LhjV24)f_S97T_6aJBM)&t{m zp6+KD(x*ZVNVYC;YuY}zr?t0>4bh=XuoQFY;QBOsJItwGt#3O_*(O$ZgzNfB zx{kh;zoFSNzs(gc?wqSCe|Tm305;h1;!?n%iXb&B`^h^_d0zpSE16s_%0ld2J5@F1 zUjf~PSJq5+lWt-LNTq55y(GO+^LnnL^i$GkcWdBK2>PQ$aZ)cUi&?x>sLT?*`wKT4q_x!9i z3jWC{bTIk!w$HRn;oeQLeP+-#8Lj!E{Wmify(qquua+6FInD>{vS#h43eeR<-2u>i zfnQyE3&pb^<*ZVBr#HFnz^et%S^oE!zy1vmYbpzSe7NiV^)r9C&gMvU6j|W%LH{+a zZ}B2bi=m&#;m=M_Jtf&hVmYRspG8}&g~xJ|qIoG6y_2y#lP?4zq5|rOGad+$SBT54 z2(c-I_yIyf1SzGCl(s{jszrm~w}4)57Pi5+0KwpO?hZq^WiZBwnWwIV;ik2~dWnk%LXbphb0^;pSk&f#ZYSxTh z(DBae25yviuRnrtpP@wCfVjROQDU4YL`N_@LaN^zz^(Ty0UqL|5k`3sJ_Y|PC$I(> zAJeM5|2HU*qLZYoQBFSVIU$AM6Vdecg2ybQwJqVnaCBS-+SeU}B_$l5NzA8Uy1pkO 
z07)>?eU@s7jaSk*GKotcnghU8gOX~wlhFs5e4zH8M}SJ>-6VosIw|(4I;7oB=@}`0 zU_Ei@Rq`<4;s^jsvr`+J(wS&Y{tP#t24QC@*m*DPg1X include ./schema/core.schema +> include ./schema/cosine.schema +> include ./schema/inetorgperson.schema +> include ./schema/openldap.schema +> include ./schema/nis.schema +> +> pidfile /home/ghenry/openldap/ldap/tests/testrun/slapd.3.pid +> argsfile /home/ghenry/openldap/ldap/tests/testrun/slapd.3.args +> +> modulepath ../servers/slapd/back-bdb/ +> moduleload back_bdb.la +> modulepath ../servers/slapd/back-monitor/ +> moduleload back_monitor.la +> modulepath ../servers/slapd/overlays/ +> moduleload syncprov.la +> modulepath ../servers/slapd/back-ldap/ +> moduleload back_ldap.la +> +> # We don't need any access to this DSA +> restrict all +> +> ####################################################################### +> # consumer proxy database definitions +> ####################################################################### +> +> database ldap +> suffix "dc=example,dc=com" +> rootdn "cn=Whoever" +> uri ldap://localhost:9012/ +> +> lastmod on +> +> # HACK: use the RootDN of the monitor database as UpdateDN so ACLs apply +> # without the need to write the UpdateDN before starting replication +> acl-bind bindmethod=simple +> binddn="cn=Monitor" +> credentials=monitor +> +> # HACK: use the RootDN of the monitor database as UpdateDN so ACLs apply +> # without the need to write the UpdateDN before starting replication +> syncrepl rid=1 +> provider=ldap://localhost:9011/ +> binddn="cn=Manager,dc=example,dc=com" +> bindmethod=simple +> credentials=secret +> searchbase="dc=example,dc=com" +> filter="(objectClass=*)" +> attrs="*,structuralObjectClass,entryUUID,entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp" +> schemachecking=off +> scope=sub +> type=refreshAndPersist +> retry="5 5 300 5" +> +> overlay syncprov +> +> database monitor + +DETAILED EXPLANATION OF ABOVE LIKE IN OTHER SECTIONS (line numbers?) 
+ + +ANOTHER DIAGRAM HERE + +As you can see, you can let your imagination go wild using Syncrepl and +{{slapd-ldap(8)}} tailoring your replication to fit your specific network +topology. + +H3: Pull Based + + +H4: syncrepl replication + + +H4: delta-syncrepl replication + + +H2: Replication Types + + +H3: syncrepl replication + + +H3: delta-syncrepl replication + + +H3: N-Way Multi-Master + +http://www.connexitor.com/blog/pivot/entry.php?id=105#body +http://www.openldap.org/lists/openldap-software/200702/msg00006.html +http://www.openldap.org/lists/openldap-software/200602/msg00064.html + + +H3: MirrorMode + +MirrorMode is a hybrid configuration that provides all of the consistency +guarantees of single-master replication while also providing the high +availability of multi-master. In MirrorMode two masters are set up to +replicate from each other (as a multi-master configuration) but an +external frontend is employed to direct all writes to only one of +the two servers. The second master will only be used for writes if +the first master crashes, at which point the frontend will switch to +directing all writes to the second master. When a crashed master is +repaired and restarted it will automatically catch up to any changes +on the running master and resync. + +H2: LDAP Sync Replication + +The {{TERM:LDAP Sync}} Replication engine, {{TERM:syncrepl}} for +short, is a consumer-side replication engine that enables the +consumer {{TERM:LDAP}} server to maintain a shadow copy of a +{{TERM:DIT}} fragment. A syncrepl engine resides at the consumer-side +as one of the {{slapd}}(8) threads. It creates and maintains a +consumer replica by connecting to the replication provider to perform +the initial DIT content load followed either by periodic content +polling or by timely updates upon content changes. + +Syncrepl uses the LDAP Content Synchronization (or LDAP Sync for +short) protocol as the replica synchronization protocol. 
It provides +a stateful replication which supports both pull-based and push-based +synchronization and does not mandate the use of a history store. + +Syncrepl keeps track of the status of the replication content by +maintaining and exchanging synchronization cookies. Because the +syncrepl consumer and provider maintain their content status, the +consumer can poll the provider content to perform incremental +synchronization by asking for the entries required to make the +consumer replica up-to-date with the provider content. Syncrepl +also enables convenient management of replicas by maintaining replica +status. The consumer replica can be constructed from a consumer-side +or a provider-side backup at any synchronization status. Syncrepl +can automatically resynchronize the consumer replica up-to-date +with the current provider content. + +Syncrepl supports both pull-based and push-based synchronization. +In its basic refreshOnly synchronization mode, the provider uses +pull-based synchronization where the consumer servers need not be +tracked and no history information is maintained. The information +required for the provider to process periodic polling requests is +contained in the synchronization cookie of the request itself. To +optimize the pull-based synchronization, syncrepl utilizes the +present phase of the LDAP Sync protocol as well as its delete phase, +instead of falling back on frequent full reloads. To further optimize +the pull-based synchronization, the provider can maintain a per-scope +session log as a history store. In its refreshAndPersist mode of +synchronization, the provider uses a push-based synchronization. +The provider keeps track of the consumer servers that have requested +a persistent search and sends them necessary updates as the provider +replication content gets modified. 
+ +With syncrepl, a consumer server can create a replica without +changing the provider's configurations and without restarting the +provider server, if the consumer server has appropriate access +privileges for the DIT fragment to be replicated. The consumer +server can stop the replication also without the need for provider-side +changes and restart. + +Syncrepl supports both partial and sparse replications. The shadow +DIT fragment is defined by a general search criteria consisting of +base, scope, filter, and attribute list. The replica content is +also subject to the access privileges of the bind identity of the +syncrepl replication connection. + + +H3: The LDAP Content Synchronization Protocol + +The LDAP Sync protocol allows a client to maintain a synchronized +copy of a DIT fragment. The LDAP Sync operation is defined as a set +of controls and other protocol elements which extend the LDAP search +operation. This section introduces the LDAP Content Sync protocol +only briefly. For more information, refer to {{REF:RFC4533}}. + +The LDAP Sync protocol supports both polling and listening for +changes by defining two respective synchronization operations: +{{refreshOnly}} and {{refreshAndPersist}}. Polling is implemented +by the {{refreshOnly}} operation. The client copy is synchronized +to the server copy at the time of polling. The server finishes the +search operation by returning {{SearchResultDone}} at the end of +the search operation as in the normal search. The listening is +implemented by the {{refreshAndPersist}} operation. Instead of +finishing the search after returning all entries currently matching +the search criteria, the synchronization search remains persistent +in the server. Subsequent updates to the synchronization content +in the server cause additional entry updates to be sent to the +client. 
+ +The {{refreshOnly}} operation and the refresh stage of the +{{refreshAndPersist}} operation can be performed with a present +phase or a delete phase. + +In the present phase, the server sends the client the entries updated +within the search scope since the last synchronization. The server +sends all requested attributes, be it changed or not, of the updated +entries. For each unchanged entry which remains in the scope, the +server sends a present message consisting only of the name of the +entry and the synchronization control representing state present. +The present message does not contain any attributes of the entry. +After the client receives all update and present entries, it can +reliably determine the new client copy by adding the entries added +to the server, by replacing the entries modified at the server, and +by deleting entries in the client copy which have not been updated +nor specified as being present at the server. + +The transmission of the updated entries in the delete phase is the +same as in the present phase. The server sends all the requested +attributes of the entries updated within the search scope since the +last synchronization to the client. In the delete phase, however, +the server sends a delete message for each entry deleted from the +search scope, instead of sending present messages. The delete +message consists only of the name of the entry and the synchronization +control representing state delete. The new client copy can be +determined by adding, modifying, and removing entries according to +the synchronization control attached to the {{SearchResultEntry}} +message. + +In the case that the LDAP Sync server maintains a history store and +can determine which entries are scoped out of the client copy since +the last synchronization time, the server can use the delete phase. 
+If the server does not maintain any history store, cannot determine +the scoped-out entries from the history store, or the history store +does not cover the outdated synchronization state of the client, +the server should use the present phase. The use of the present +phase is much more efficient than a full content reload in terms +of the synchronization traffic. To reduce the synchronization +traffic further, the LDAP Sync protocol also provides several +optimizations such as the transmission of the normalized {{EX:entryUUID}}s +and the transmission of multiple {{EX:entryUUIDs}} in a single +{{syncIdSet}} message. + +At the end of the {{refreshOnly}} synchronization, the server sends +a synchronization cookie to the client as a state indicator of the +client copy after the synchronization is completed. The client +will present the received cookie when it requests the next incremental +synchronization to the server. + +When {{refreshAndPersist}} synchronization is used, the server sends +a synchronization cookie at the end of the refresh stage by sending +a Sync Info message with TRUE refreshDone. It also sends a +synchronization cookie by attaching it to {{SearchResultEntry}} +generated in the persist stage of the synchronization search. During +the persist stage, the server can also send a Sync Info message +containing the synchronization cookie at any time the server wants +to update the client-side state indicator. The server also updates +a synchronization indicator of the client at the end of the persist +stage. + +In the LDAP Sync protocol, entries are uniquely identified by the +{{EX:entryUUID}} attribute value. It can function as a reliable +identifier of the entry. The DN of the entry, on the other hand, +can be changed over time and hence cannot be considered as the +reliable identifier. The {{EX:entryUUID}} is attached to each +{{SearchResultEntry}} or {{SearchResultReference}} as a part of the +synchronization control. 
+ + +H3: Syncrepl Details + +The syncrepl engine utilizes both the {{refreshOnly}} and the +{{refreshAndPersist}} operations of the LDAP Sync protocol. If a +syncrepl specification is included in a database definition, +{{slapd}}(8) launches a syncrepl engine as a {{slapd}}(8) thread +and schedules its execution. If the {{refreshOnly}} operation is +specified, the syncrepl engine will be rescheduled at the interval +time after a synchronization operation is completed. If the +{{refreshAndPersist}} operation is specified, the engine will remain +active and process the persistent synchronization messages from the +provider. + +The syncrepl engine utilizes both the present phase and the delete +phase of the refresh synchronization. It is possible to configure +a per-scope session log in the provider server which stores the +{{EX:entryUUID}}s of a finite number of entries deleted from a +replication content. Multiple replicas of single provider content +share the same per-scope session log. The syncrepl engine uses the +delete phase if the session log is present and the state of the +consumer server is recent enough that no session log entries are +truncated after the last synchronization of the client. The syncrepl +engine uses the present phase if no session log is configured for +the replication content or if the consumer replica is too outdated +to be covered by the session log. The current design of the session +log store is memory based, so the information contained in the +session log is not persistent over multiple provider invocations. +It is not currently supported to access the session log store by +using LDAP operations. It is also not currently supported to impose +access control to the session log. + +As a further optimization, even in the case the synchronization +search is not associated with any session log, no entries will be +transmitted to the consumer server when there has been no update +in the replication context. 
+ +The syncrepl engine, which is a consumer-side replication engine, +can work with any backends. The LDAP Sync provider can be configured +as an overlay on any backend, but works best with the {{back-bdb}} +or {{back-hdb}} backend. + +The LDAP Sync provider maintains a {{EX:contextCSN}} for each +database as the current synchronization state indicator of the +provider content. It is the largest {{EX:entryCSN}} in the provider +context such that no transactions for an entry having smaller +{{EX:entryCSN}} value remains outstanding. The {{EX:contextCSN}} +could not just be set to the largest issued {{EX:entryCSN}} because +{{EX:entryCSN}} is obtained before a transaction starts and +transactions are not committed in the issue order. + +The provider stores the {{EX:contextCSN}} of a context in the +{{EX:contextCSN}} attribute of the context suffix entry. The attribute +is not written to the database after every update operation though; +instead it is maintained primarily in memory. At database start +time the provider reads the last saved {{EX:contextCSN}} into memory +and uses the in-memory copy exclusively thereafter. By default, +changes to the {{EX:contextCSN}} as a result of database updates +will not be written to the database until the server is cleanly +shut down. A checkpoint facility exists to cause the contextCSN to +be written out more frequently if desired. + +Note that at startup time, if the provider is unable to read a +{{EX:contextCSN}} from the suffix entry, it will scan the entire +database to determine the value, and this scan may take quite a +long time on a large database. When a {{EX:contextCSN}} value is +read, the database will still be scanned for any {{EX:entryCSN}} +values greater than it, to make sure the {{EX:contextCSN}} value +truly reflects the greatest committed {{EX:entryCSN}} in the database. 
+On databases which support inequality indexing, setting an eq index +on the {{EX:entryCSN}} attribute and configuring {{contextCSN}} +checkpoints will greatly speed up this scanning step. + +If no {{EX:contextCSN}} can be determined by reading and scanning +the database, a new value will be generated. Also, if scanning the +database yielded a greater {{EX:entryCSN}} than was previously +recorded in the suffix entry's {{EX:contextCSN}} attribute, a +checkpoint will be immediately written with the new value. + +The consumer also stores its replica state, which is the provider's +{{EX:contextCSN}} received as a synchronization cookie, in the +{{EX:contextCSN}} attribute of the suffix entry. The replica state +maintained by a consumer server is used as the synchronization state +indicator when it performs subsequent incremental synchronization +with the provider server. It is also used as a provider-side +synchronization state indicator when it functions as a secondary +provider server in a cascading replication configuration. Since +the consumer and provider state information are maintained in the +same location within their respective databases, any consumer can +be promoted to a provider (and vice versa) without any special +actions. + +Because a general search filter can be used in the syncrepl +specification, some entries in the context may be omitted from the +synchronization content. The syncrepl engine creates a glue entry +to fill in the holes in the replica context if any part of the +replica content is subordinate to the holes. The glue entries will +not be returned in the search result unless {{ManageDsaIT}} control +is provided. + +Also as a consequence of the search filter used in the syncrepl +specification, it is possible for a modification to remove an entry +from the replication scope even though the entry has not been deleted +on the provider. 
Logically the entry must be deleted on the consumer +but in {{refreshOnly}} mode the provider cannot detect and propagate +this change without the use of the session log. + + +H3: Configuring Syncrepl + +Because syncrepl is a consumer-side replication engine, the syncrepl +specification is defined in {{slapd.conf}}(5) of the consumer +server, not in the provider server's configuration file. The initial +loading of the replica content can be performed either by starting +the syncrepl engine with no synchronization cookie or by populating +the consumer replica by adding an {{TERM:LDIF}} file dumped as a +backup at the provider. + +When loading from a backup, it is not required to perform the initial +loading from the up-to-date backup of the provider content. The +syncrepl engine will automatically synchronize the initial consumer +replica to the current provider content. As a result, it is not +required to stop the provider server in order to avoid the replica +inconsistency caused by the updates to the provider content during +the content backup and loading process. + +When replicating a large scale directory, especially in a bandwidth +constrained environment, it is advised to load the consumer replica +from a backup instead of performing a full initial load using +syncrepl. + + +H4: Set up the provider slapd + +The provider is implemented as an overlay, so the overlay itself +must first be configured in {{slapd.conf}}(5) before it can be +used. The provider has only two configuration directives, for setting +checkpoints on the {{EX:contextCSN}} and for configuring the session +log. Because the LDAP Sync search is subject to access control, +proper access control privileges should be set up for the replicated +content. + +The {{EX:contextCSN}} checkpoint is configured by the + +> syncprov-checkpoint + +directive. Checkpoints are only tested after successful write +operations. 
If {{}} operations or more than {{}} +time has passed since the last checkpoint, a new checkpoint is +performed. + +The session log is configured by the + +> syncprov-sessionlog + +directive, where {{}} is the maximum number of session log +entries the session log can record. When a session log is configured, +it is automatically used for all LDAP Sync searches within the +database. + +Note that using the session log requires searching on the {{entryUUID}} +attribute. Setting an eq index on this attribute will greatly benefit +the performance of the session log on the provider. + +A more complete example of the {{slapd.conf}}(5) content is thus: + +> database bdb +> suffix dc=Example,dc=com +> rootdn dc=Example,dc=com +> directory /var/ldap/db +> index objectclass,entryCSN,entryUUID eq +> +> overlay syncprov +> syncprov-checkpoint 100 10 +> syncprov-sessionlog 100 + + +H4: Set up the consumer slapd + +The syncrepl replication is specified in the database section of +{{slapd.conf}}(5) for the replica context. The syncrepl engine +is backend independent and the directive can be defined with any +database type. + +> database hdb +> suffix dc=Example,dc=com +> rootdn dc=Example,dc=com +> directory /var/ldap/db +> index objectclass,entryCSN,entryUUID eq +> +> syncrepl rid=123 +> provider=ldap://provider.example.com:389 +> type=refreshOnly +> interval=01:00:00:00 +> searchbase="dc=example,dc=com" +> filter="(objectClass=organizationalPerson)" +> scope=sub +> attrs="cn,sn,ou,telephoneNumber,title,l" +> schemachecking=off +> bindmethod=simple +> binddn="cn=syncuser,dc=example,dc=com" +> credentials=secret + +In this example, the consumer will connect to the provider {{slapd}}(8) +at port 389 of {{FILE:ldap://provider.example.com}} to perform a +polling ({{refreshOnly}}) mode of synchronization once a day. It +will bind as {{EX:cn=syncuser,dc=example,dc=com}} using simple +authentication with password "secret". 
Note that the access control +privilege of {{EX:cn=syncuser,dc=example,dc=com}} should be set +appropriately in the provider to retrieve the desired replication +content. Also the search limits must be high enough on the provider +to allow the syncuser to retrieve a complete copy of the requested +content. The consumer uses the rootdn to write to its database so +it always has full permissions to write all content. + +The synchronization search in the above example will search for the +entries whose objectClass is organizationalPerson in the entire +subtree rooted at {{EX:dc=example,dc=com}}. The requested attributes +are {{EX:cn}}, {{EX:sn}}, {{EX:ou}}, {{EX:telephoneNumber}}, +{{EX:title}}, and {{EX:l}}. The schema checking is turned off, so +that the consumer {{slapd}}(8) will not enforce entry schema +checking when it process updates from the provider {{slapd}}(8). + +For more detailed information on the syncrepl directive, see the +{{SECT:syncrepl}} section of {{SECT:The slapd Configuration File}} +chapter of this admin guide. + + +H4: Start the provider and the consumer slapd + +The provider {{slapd}}(8) is not required to be restarted. +{{contextCSN}} is automatically generated as needed: it might be +originally contained in the {{TERM:LDIF}} file, generated by +{{slapadd}} (8), generated upon changes in the context, or generated +when the first LDAP Sync search arrives at the provider. If an +LDIF file is being loaded which did not previously contain the +{{contextCSN}}, the {{-w}} option should be used with {{slapadd}} +(8) to cause it to be generated. This will allow the server to +startup a little quicker the first time it runs. + +When starting a consumer {{slapd}}(8), it is possible to provide +a synchronization cookie as the {{-c cookie}} command line option +in order to start the synchronization from a specific state. The +cookie is a comma separated list of name=value pairs. Currently +supported syncrepl cookie fields are {{csn=}} and {{rid=}}. 
+{{}} represents the current synchronization state of the +consumer replica. {{}} identifies a consumer replica locally +within the consumer server. It is used to relate the cookie to the +syncrepl definition in {{slapd.conf}}(5) which has the matching +replica identifier. The {{}} must have no more than 3 decimal +digits. The command line cookie overrides the synchronization +cookie stored in the consumer replica database. + + +H2: N-Way Multi-Master + + +H2: MirrorMode -+ The slave slapd performs the modify operation and -returns a success code to the slurpd process. - - -Note: {{ldapmodify}}(1) and other clients distributed as part of -OpenLDAP Software do not support automatic referral chasing -(for security reasons). - - - -H2: Replication Logs - -When slapd is configured to generate a replication logfile, it -writes out a file containing {{TERM:LDIF}} change records. The -replication log gives the replication site(s), a timestamp, the DN -of the entry being modified, and a series of lines which specify -the changes to make. In the example below, Barbara ({{EX:uid=bjensen}}) -has replaced the {{EX:description}} value. The change is to be -propagated to the slapd instance running on {{EX:slave.example.net}} -Changes to various operational attributes, such as {{EX:modifiersName}} -and {{EX:modifyTimestamp}}, are included in the change record and -will be propagated to the slave slapd. - -> replica: slave.example.com:389 -> time: 809618633 -> dn: uid=bjensen,dc=example,dc=com -> changetype: modify -> replace: multiLineDescription -> description: A dreamer... -> - -> replace: modifiersName -> modifiersName: uid=bjensen,dc=example,dc=com -> - -> replace: modifyTimestamp -> modifyTimestamp: 20000805073308Z -> - - -The modifications to {{EX:modifiersName}} and {{EX:modifyTimestamp}} -operational attributes were added by the master {{slapd}}. - - - -H2: Command-Line Options - -This section details commonly used {{slurpd}}(8) command-line options. - -> -d | ? 
- -This option sets the slurpd debug level to {{EX: }}. When -level is a `?' character, the various debugging levels are printed -and slurpd exits, regardless of any other options you give it. -Current debugging levels (a subset of slapd's debugging levels) are - -!block table; colaligns="RL"; align=Center; \ - title="Table 13.1: Debugging Levels" -Level Description -4 heavy trace debugging -64 configuration file processing -65535 enable all debugging -!endblock - -Debugging levels are additive. That is, if you want heavy trace -debugging and want to watch the config file being processed, you -would set level to the sum of those two levels (in this case, 68). - -> -f - -This option specifies an alternate slapd configuration file. Slurpd -does not have its own configuration file. Instead, all configuration -information is read from the slapd configuration file. - -> -r - -This option specifies an alternate slapd replication log file. -Under normal circumstances, slurpd reads the name of the slapd -replication log file from the slapd configuration file. However, -you can override this with the -r flag, to cause slurpd to process -a different replication log file. See the {{SECT:Advanced slurpd -Operation}} section for a discussion of how you might use this -option. - -> -o - -Operate in "one-shot" mode. Under normal circumstances, when slurpd -finishes processing a replication log, it remains active and -periodically checks to see if new entries have been added to the -replication log. In one-shot mode, by comparison, slurpd processes -a replication log and exits immediately. If the -o option is given, -the replication log file must be explicitly specified with the -r -option. See the {{SECT:One-shot mode and reject files}} section -for a discussion of this mode. - -> -t - -Specify an alternate directory for slurpd's temporary copies of -replication logs. The default location is {{F:/usr/tmp}}. 
- - -H2: Configuring slurpd and a slave slapd instance - -To bring up a replica slapd instance, you must configure the master -and slave slapd instances for replication, then shut down the master -slapd so you can copy the database. Finally, you bring up the master -slapd instance, the slave slapd instance, and the slurpd instance. -These steps are detailed in the following sections. You can set up -as many slave slapd instances as you wish. - - -H3: Set up the master {{slapd}} - -The following section assumes you have a properly working {{slapd}}(8) -instance. To configure your working {{slapd}}(8) server as a -replication master, you need to make the following changes to your -{{slapd.conf}}(5). - -^ Add a {{EX:replica}} directive for each replica. The {{EX:binddn=}} -parameter should match the {{EX:updatedn}} option in the corresponding -slave slapd configuration file, and should name an entry with write -permission to the slave database (e.g., an entry allowed access via -{{EX:access}} directives in the slave slapd configuration file). -This DN generally {{should not}} be the same as the master's -{{EX:rootdn}}. - -+ Add a {{EX:replogfile}} directive, which tells slapd where to log -changes. This file will be read by slurpd. - - -H3: Set up the slave {{slapd}} - -Install the slapd software on the host which is to be the slave -slapd server. The configuration of the slave server should be -identical to that of the master, with the following exceptions: - -^ Do not include a {{EX:replica}} directive. While it is possible -to create "chains" of replicas, in most cases this is inappropriate. - -+ Do not include a {{EX:replogfile}} directive. - -+ Do include an {{EX:updatedn}} line. The DN given should match the -DN given in the {{EX:binddn=}} parameter of the corresponding -{{EX:replica=}} directive in the master slapd config file. The -{{EX:updatedn}} generally {{should not}} be the same as the -{{EX:rootdn}} of the master database. 
- -+ Make sure the DN given in the {{EX:updatedn}} directive has -permission to write the database (e.g., it is is allowed {{EX:access}} -by one or more access directives). - -+ Use the {{EX:updateref}} directive to define the URL the slave -should return if an update request is received. - - -H3: Shut down the master server - -In order to ensure that the slave starts with an exact copy of the -master's data, you must shut down the master slapd. Do this by -sending the master slapd process an interrupt signal with -{{EX:kill -INT }}, where {{EX:}} is the process-id of the master -slapd process. - -If you like, you may restart the master slapd in read-only mode -while you are replicating the database. During this time, the master -slapd will return an "unwilling to perform" error to clients that -attempt to modify data. - - -H3: Copy the master slapd's database to the slave - -Copy the master's database(s) to the slave. For {{TERM:BDB}} and -{{TERM:HDB}} databases, you must copy all database files located -in the database {{EX:directory}} specified in {{slapd.conf}}(5). -In general, you should copy each file found in the database {{EX: -directory}} unless you know it is not used by {{slapd}}(8). - -Note: This copy process assumes homogeneous servers with identically -configured OpenLDAP installations. Alternatively, you may use -{{slapcat}} to output the master's database in LDIF format and use -the LDIF with {{slapadd}} to populate the slave. Using LDIF avoids -any potential incompatibilities due to differing server architectures -or software configurations. See the {{SECT:Database Creation and -Maintenance Tools}} chapter for details on these tools. - - -H3: Configure the master slapd for replication - -To configure slapd to generate a replication logfile, you add a -"{{EX: replica}}" configuration option to the master slapd's config -file. 
For example, if we wish to propagate changes to the slapd -instance running on host {{EX:slave.example.com}}: - -> replica uri=ldap://slave.example.com:389 -> binddn="cn=Replicator,dc=example,dc=com" -> bindmethod=simple credentials=secret - -In this example, changes will be sent to port 389 (the standard -LDAP port) on host slave.example.com. The slurpd process will bind -to the slave slapd as "{{EX:cn=Replicator,dc=example,dc=com}}" using -simple authentication with password "{{EX:secret}}". - -If we wish to perform the same replication using ldaps on port 636: - -> replica uri=ldaps://slave.example.com:636 -> binddn="cn=Replicator,dc=example,dc=com" -> bindmethod=simple credentials=secret - -The host option is deprecated in favor of uri, but the following -replica configuration is still supported: - -> replica host=slave.example.com:389 -> binddn="cn=Replicator,dc=example,dc=com" -> bindmethod=simple credentials=secret - -Note that the DN given by the {{EX:binddn=}} directive must exist -in the slave slapd's database (or be the rootdn specified in the -slapd config file) in order for the bind operation to succeed. The -DN should also be listed as the {{EX:updatedn}} for the database -in the slave's slapd.conf(5). It is generally recommended that -this DN be different than the {{EX:rootdn}} of the master database. - -Note: The use of strong authentication and transport security is -highly recommended. - - -H3: Restart the master slapd and start the slave slapd - -Restart the master slapd process. To check that it is -generating replication logs, perform a modification of any -entry in the database, and check that data has been -written to the log file. - - -H3: Start slurpd - -Start the slurpd process. Slurpd should immediately send -the test modification you made to the slave slapd. Watch -the slave slapd's logfile to be sure that the modification -was sent. 
- -> slurpd -f - - - -H2: Advanced slurpd Operation - -H3: Replication errors - -When slurpd propagates a change to a slave slapd and receives an -error return code, it writes the reason for the error and the -replication record to a reject file. The reject file is located in -the same directory as the per-replica replication logfile, and has -the same name, but with the string "{{F:.rej}}" appended. For -example, for a replica running on host {{EX:slave.example.com}}, -port 389, the reject file, if it exists, will be named - -> /usr/local/var/openldap/replog.slave.example.com:389.rej - -A sample rejection log entry follows: - -> ERROR: No such attribute -> replica: slave.example.com:389 -> time: 809618633 -> dn: uid=bjensen,dc=example,dc=com -> changetype: modify -> replace: description -> description: A dreamer... -> - -> replace: modifiersName -> modifiersName: uid=bjensen,dc=example,dc=com -> - -> replace: modifyTimestamp -> modifyTimestamp: 20000805073308Z -> - - -Note that this is precisely the same format as the original replication -log entry, but with an {{EX:ERROR}} line prepended to the entry. - - - -H3: One-shot mode and reject files - -It is possible to use slurpd to process a rejection log with its -"one-shot mode." In normal operation, slurpd watches for more -replication records to be appended to the replication log file. In -one-shot mode, by contrast, slurpd processes a single log file and -exits. Slurpd ignores {{EX:ERROR}} lines at the beginning of -replication log entries, so it's not necessary to edit them out -before feeding it the rejection log. - -To use one-shot mode, specify the name of the rejection log on the -command line as the argument to the -r flag, and specify one-shot -mode with the -o flag. For example, to process the rejection log -file {{F:/usr/local/var/openldap/replog.slave.example.com:389}} and -exit, use the command - -> slurpd -r /usr/tmp/replog.slave.example.com:389 -o 
diff --git a/doc/guide/admin/runningslapd.sdf b/doc/guide/admin/runningslapd.sdf index c96eaf0686..54a4145c80 100644 --- a/doc/guide/admin/runningslapd.sdf +++ b/doc/guide/admin/runningslapd.sdf @@ -104,9 +104,9 @@ H2: Starting slapd In general, slapd is run like this: -> /usr/local/etc/libexec/slapd [OpenLDAP Foundation}}, {{EMAIL: info@OpenLDAP.org}} {{INLINE:
}}
diff --git a/doc/guide/preamble.sdf b/doc/guide/preamble.sdf
index 4bdff5c537..46562992da 100644
--- a/doc/guide/preamble.sdf
+++ b/doc/guide/preamble.sdf
@@ -132,7 +132,7 @@ CVS|http://www.cvshome.org/
 Cyrus|http://cyrusimap.web.cmu.edu/generalinfo.html
 Cyrus SASL|http://asg.web.cmu.edu/sasl/sasl-library.html
 GNU|http://www.gnu.org/software/
-GDBM|http://www.gnu.org/software/gdbm/
+GnuTLS|http://www.gnu.org/software/gnutls/
 Heimdal|http://www.pdc.kth.se/heimdal/
 JLDAP|http://www.openldap.org/jldap/
 MIT Kerberos|http://web.mit.edu/kerberos/www/
@@ -142,7 +142,6 @@ OpenLDAP ITS|http://www.openldap.org/its/
 OpenLDAP Software|http://www.openldap.org/software/
 OpenSSL|http://www.openssl.org/
 Perl|http://www.perl.org/
-TCL|http://www.tcl.tk/
 SDF|http://search.cpan.org/src/IANC/sdf-2.001/doc/catalog.html
 UMLDAP|http://www.umich.edu/~dirsvcs/ldap/ldap.html
 !endblock
@@ -209,6 +208,7 @@ IDNA|Internationalized Domain Names in Applications
 IDN|Internationalized Domain Name
 ID|Identification
 ID|Identifier
+IDL|Index Data Lookups
 IP|Internet Protocol
 IPC|Inter-process communication
 IPsec|Internet Protocol Security
@@ -232,6 +232,7 @@ OSI|Open Systems Interconnect
 OTP|One Time Password
 PDU|Protocol Data Unit
 PEM|Privacy Enhanced eMail
+PEN|Private Enterprise Number
 PKCS|Public Key Cryptosystem
 PKI|Public Key Infrastructure
 PKIX|Public Key Infrastructure (X.509)
diff --git a/doc/guide/release/copyright.sdf b/doc/guide/release/copyright.sdf
index 204015082b..2050f462a6 100644
--- a/doc/guide/release/copyright.sdf
+++ b/doc/guide/release/copyright.sdf
@@ -55,9 +55,11 @@ Public License}}. !block nofill -Portions [[copyright]] 1999-2005 Howard Y.H. Chu. -Portions [[copyright]] 1999-2005 Symas Corporation. +Portions [[copyright]] 1999-2007 Howard Y.H. Chu. +Portions [[copyright]] 1999-2007 Symas Corporation. Portions [[copyright]] 1998-2003 Hallvard B. Furuseth. +Portions [[copyright]] 2007 Gavin Henry +Portions [[copyright]] 2007 Suretec Systems {{All rights reserved.}} !endblock -- 2.39.5