---
-Portions Copyright 1999-2003 Howard Y.H. Chu.
-Portions Copyright 1999-2003 Symas Corporation.
+Portions Copyright 1999-2005 Howard Y.H. Chu.
+Portions Copyright 1999-2005 Symas Corporation.
Portions Copyright 1998-2003 Hallvard B. Furuseth.
All rights reserved.
#!/bin/sh
##
## GNU shtool -- The GNU Portable Shell Tool
-## Copyright (c) 1994-2004 Ralf S. Engelschall <rse@engelschall.com>
+## Copyright (c) 1994-2005 Ralf S. Engelschall <rse@engelschall.com>
##
## See http://www.gnu.org/software/shtool/ for more information.
## See ftp://ftp.gnu.org/gnu/shtool/ for latest version.
##
-## Version: 2.0.1 (11-Aug-2004)
+## Version: 2.0.2 (15-Jun-2005)
## Contents: 6/19 available modules
##
exit 1
fi
if [ ".$1" = ".-h" ] || [ ".$1" = ".--help" ]; then
- echo "This is GNU shtool, version 2.0.1 (11-Aug-2004)"
- echo "Copyright (c) 1994-2004 Ralf S. Engelschall <rse@engelschall.com>"
+ echo "This is GNU shtool, version 2.0.2 (15-Jun-2005)"
+ echo "Copyright (c) 1994-2005 Ralf S. Engelschall <rse@engelschall.com>"
echo "Report bugs to <bug-shtool@gnu.org>"
echo ''
echo "Usage: shtool [<options>] [<cmd-name> [<cmd-options>] [<cmd-args>]]"
exit 0
fi
if [ ".$1" = ".-v" ] || [ ".$1" = ".--version" ]; then
- echo "GNU shtool 2.0.1 (11-Aug-2004)"
+ echo "GNU shtool 2.0.2 (15-Jun-2005)"
exit 0
fi
if [ ".$1" = ".-r" ] || [ ".$1" = ".--recreate" ]; then
- shtoolize -obuild/shtool echo move install mkdir mkln subst
+ shtoolize -oshtool echo move install mkdir mkln subst
exit 0
fi
if [ ".$1" = ".-d" ] || [ ".$1" = ".--debug" ]; then
# establish a temporary file on request
if [ ".$gen_tmpfile" = .yes ]; then
+ # create (explicitly) secure temporary directory
if [ ".$TMPDIR" != . ]; then
tmpdir="$TMPDIR"
elif [ ".$TEMPDIR" != . ]; then
else
tmpdir="/tmp"
fi
- tmpfile="$tmpdir/.shtool.$$"
- rm -f $tmpfile >/dev/null 2>&1
- touch $tmpfile
- chmod 600 $tmpfile
+ tmpdir="$tmpdir/.shtool.$$"
+ ( umask 077
+ rm -rf "$tmpdir" >/dev/null 2>&1 || true
+ mkdir "$tmpdir" >/dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ echo "$msgprefix:Error: failed to create temporary directory \`$tmpdir'" 1>&2
+ exit 1
+ fi
+ )
+
+ # create (implicitly) secure temporary file
+ tmpfile="$tmpdir/shtool.tmp"
+ touch "$tmpfile"
fi
# utility function: map string to lower case
shtool_exit () {
rc="$1"
if [ ".$gen_tmpfile" = .yes ]; then
- rm -f $tmpfile >/dev/null 2>&1 || true
+ rm -rf "$tmpdir" >/dev/null 2>&1 || true
fi
exit $rc
}
echo )
##
## echo -- Print string with optional construct expansion
- ## Copyright (c) 1998-2004 Ralf S. Engelschall <rse@engelschall.com>
+ ## Copyright (c) 1998-2005 Ralf S. Engelschall <rse@engelschall.com>
##
text="$*"
move )
##
## move -- Move files with simultaneous substitution
- ## Copyright (c) 1999-2004 Ralf S. Engelschall <rse@engelschall.com>
+ ## Copyright (c) 1999-2005 Ralf S. Engelschall <rse@engelschall.com>
##
src="$1"
install )
##
## install -- Install a program, script or datafile
- ## Copyright (c) 1997-2004 Ralf S. Engelschall <rse@engelschall.com>
+ ## Copyright (c) 1997-2005 Ralf S. Engelschall <rse@engelschall.com>
##
# special case: "shtool install -d <dir> [...]" internally
mkdir )
##
## mkdir -- Make one or more directories
- ## Copyright (c) 1996-2004 Ralf S. Engelschall <rse@engelschall.com>
+ ## Copyright (c) 1996-2005 Ralf S. Engelschall <rse@engelschall.com>
##
errstatus=0
mkln )
##
## mkln -- Make link with calculation of relative paths
- ## Copyright (c) 1998-2004 Ralf S. Engelschall <rse@engelschall.com>
+ ## Copyright (c) 1998-2005 Ralf S. Engelschall <rse@engelschall.com>
##
# determine source(s) and destination
subst )
##
## subst -- Apply sed(1) substitution operations
- ## Copyright (c) 2001-2004 Ralf S. Engelschall <rse@engelschall.com>
+ ## Copyright (c) 2001-2005 Ralf S. Engelschall <rse@engelschall.com>
##
# remember optional list of file(s)
dnl ----------------------------------------------------------------
dnl SLAPD Overlay Options
Overlays="accesslog denyop dyngroup dynlist glue lastmod ppolicy proxycache \
- refint rwm syncprov translucent unique"
+ refint retcode rwm syncprov translucent unique"
AC_ARG_WITH(xxslapoverlays,[
SLAPD Overlay Options:])
no, [no yes mod])
OL_ARG_ENABLE(refint,[ --enable-refint Referential Integrity overlay no|yes|mod],
no, [no yes mod])
+OL_ARG_ENABLE(retcode,[ --enable-retcode Return Code testing overlay no|yes|mod],
+ no, [no yes mod])
OL_ARG_ENABLE(rwm,[ --enable-rwm Rewrite/Remap overlay no|yes|mod],
no, [no yes mod])
OL_ARG_ENABLE(syncprov,[ --enable-syncprov Syncrepl Provider overlay no|yes|mod],
BUILD_PPOLICY=no
BUILD_PROXYCACHE=no
BUILD_REFINT=no
+BUILD_RETCODE=no
BUILD_RWM=no
BUILD_SYNCPROV=no
BUILD_TRANSLUCENT=no
AC_DEFINE_UNQUOTED(SLAPD_OVER_REFINT,$MFLAG,[define for Referential Integrity overlay])
fi
+if test "$ol_enable_retcode" != no ; then
+ BUILD_RETCODE=$ol_enable_retcode
+ if test "$ol_enable_retcode" = mod ; then
+ MFLAG=SLAPD_MOD_DYNAMIC
+ SLAPD_DYNAMIC_OVERLAYS="$SLAPD_DYNAMIC_OVERLAYS retcode.la"
+ else
+ MFLAG=SLAPD_MOD_STATIC
+ SLAPD_STATIC_OVERLAYS="$SLAPD_STATIC_OVERLAYS retcode.o"
+ fi
+ AC_DEFINE_UNQUOTED(SLAPD_OVER_RETCODE,$MFLAG,[define for Referential Integrity overlay])
+fi
+
if test "$ol_enable_rwm" != no ; then
BUILD_REWRITE=yes
BUILD_RWM=$ol_enable_rwm
AC_SUBST(BUILD_PPOLICY)
AC_SUBST(BUILD_PROXYCACHE)
AC_SUBST(BUILD_REFINT)
+ AC_SUBST(BUILD_RETCODE)
AC_SUBST(BUILD_RWM)
AC_SUBST(BUILD_SYNCPROV)
AC_SUBST(BUILD_TRANSLUCENT)
If a PasswordModify is performed on an entry that has the krb5KDCEntry
objectclass, then the krb5Key and krb5KeyVersionNumber will be updated
using the new password in the PasswordModify request. Additionally, a
-new "{K5KEY}" password hash mechanism is provided. krb5KDCEntries that
+new "{K5KEY}" password hash mechanism is provided. For krb5KDCEntries that
have this hash specifier in their userPassword attribute, Simple Binds
will be checked against the Kerberos keys of the Entry. No data is
needed after the "{K5KEY}" hash specifier in the userPassword, it is
other of Kerberos or Samba support.
This overlay is only set up to be built as a dynamically loaded module.
-If you need to build it statically, you will have to move it into the
+On most platforms, in order for the module to be usable, all of the
+library dependencies must also be available as shared libraries.
+
+If you need to build the overlay statically, you will have to move it into the
slapd/overlays directory and edit the Makefile and overlays.c to reference
it. You will also have to define SLAPD_OVER_SMBK5PWD to SLAPD_MOD_STATIC,
and add the relevant libraries to the main slapd link command.
-Copyright 1998-2001 The OpenLDAP Foundation
+Copyright 1998-2005 The OpenLDAP Foundation
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP
Public License.
-A copy of this license is available in file LICENSE in the
+A copy of this license is available in the file LICENSE in the
top-level directory of the distribution or, alternatively, at
-<http://www.OpenLDAP.org/license.html>
+<http://www.OpenLDAP.org/license.html>.
OpenLDAP is a registered trademark of the OpenLDAP Foundation.
This work also contains materials derived from public sources.
-Additional information about OpenLDAP software can be obtained at
+Additional information about OpenLDAP can be obtained at
<http://www.openldap.org/>.
---
-Portions Copyright 1998-2003 Kurt D. Zeilenga.
-Portions Copyright 1998-2003 Net Boolean Incorporated.
-Portions Copyright 2001-2003 IBM Corporation.
+Portions Copyright 1998-2005 Kurt D. Zeilenga.
+Portions Copyright 1998-2005 Net Boolean Incorporated.
+Portions Copyright 2001-2005 IBM Corporation.
All rights reserved.
Redistribution and use in source and binary forms, with or without
---
-Portions Copyright 1999-2003 Howard Y.H. Chu.
-Portions Copyright 1999-2003 Symas Corporation.
+Portions Copyright 1999-2005 Howard Y.H. Chu.
+Portions Copyright 1999-2005 Symas Corporation.
Portions Copyright 1998-2003 Hallvard B. Furuseth.
All rights reserved.
Redistribution and use in source and binary forms are permitted
provided that this notice is preserved and that due credit is given
-to the University of Michigan at Ann Arbor. The name of the University
-may not be used to endorse or promote products derived from this
-software without specific prior written permission. This software
-is provided ``as is'' without express or implied warranty.
+to the University of Michigan at Ann Arbor. The name of the
+University may not be used to endorse or promote products derived
+from this software without specific prior written permission. This
+software is provided ``as is'' without express or implied warranty.
+
and the {{TERM:HDB}} database.
They are used in an olcDatabase entry in addition to the generic
database directives defined above. For a complete reference
-of BDB/HDB configuration directives, see {{slapd-bdb}}(5). BDB and
-HDB database entries must have the {{EX:olcBdbConfig}} objectClass in
-addition to the {{EX:olcDatabaseConfig}} class.
+of BDB/HDB configuration directives, see {{slapd-bdb}}(5). In
+addition to the {{EX:olcDatabaseConfig}} objectClass, BDB and HDB
+database entries must have the {{EX:olcBdbConfig}} and
+{{EX:olcHdbConfig}} objectClass, respectively.
H4: olcDbDirectory: <directory>
>dn: olcDatabase=hdb,cn=config
>objectClass: olcDatabaseConfig
->objectClass: olcBdbConfig
+>objectClass: olcHdbConfig
>olcDatabase: hdb
>olcSuffix: "dc=example,dc=com"
>olcDbDirectory: /usr/local/var/openldap-data
<P>
<FONT COLOR="#808080" FACE="Arial,Verdana,Helvetica" SIZE="1"><B>
________________<BR>
-<SMALL>© Copyright 2003, <A HREF="http://www.OpenLDAP.org/foundation/">OpenLDAP Foundation</A>, <A HREF="mailto:info@OpenLDAP.org">info@OpenLDAP.org</A></SMALL></B></FONT>
+<SMALL>© Copyright 2005, <A HREF="http://www.OpenLDAP.org/foundation/">OpenLDAP Foundation</A>, <A HREF="mailto:info@OpenLDAP.org">info@OpenLDAP.org</A></SMALL></B></FONT>
!endblock
!endmacro
.BI \-S \ attribute
Sort the entries returned based on \fIattribute\fP. The default is not
to sort entries returned. If \fIattribute\fP is a zero-length string (""),
-the entries are sorted by the components of their Distingished Name. See
+the entries are sorted by the components of their Distinguished Name. See
.BR ldap_sort (3)
for more details. Note that
.B ldapsearch
.B bv_len
octets.
.B bv_val
-is not necessarly terminated by a NUL (zero) octet.
+is not necessarily terminated by a NUL (zero) octet.
.BR ber_bvfree ()
frees a BerValue, pointed to by \fIbv\fP, returned from this API. If \fIbv\fP
is NULL, the routine does nothing.
.BR ldap_err2string (3).
.SH LDAP versions
This library supports version 3 of the Lightweight Directory Access
-Protocol (LDAPv3) as defined in RFC 3377. It also supports a varient
+Protocol (LDAPv3) as defined in RFC 3377. It also supports a variant
of version 2 of LDAP as defined by U-Mich LDAP and, to some degree,
-RFC 1777. Version 2 (all varients) should be viewed as obsolete.
+RFC 1777. Version 2 (all variants) should be viewed as obsolete.
Version 3 should be used instead.
.LP
For backwards compatibility reasons, the library defaults to version 2.
.BR ldap_get_dn (3)
into a more user-friendly form, stripping off all type names. See
"Using the Directory to Achieve User Friendly Naming" (RFC 1781)
-for more details on the UFN format. Due to the ambigious nature
+for more details on the UFN format. Due to the ambiguous nature
of the format, it is generally only used for display purposes.
The space for the UFN returned is obtained dynamically and the user
is responsible for freeing it via a call to
.LP
A search response is made up of zero or
more search entries, zero or more search references, and zero or
-more extended parital responses followed by a search result. If
+more extended partial responses followed by a search result. If
\fIall\fP is set to 0, search entries will be returned one at a
time as they come in, via separate calls to
.BR ldap_result() .
If it's set to 1, the search
response will only be returned in its entirety, i.e., after all entries,
-all references, all extended parital responses, and the final search
+all references, all extended partial responses, and the final search
result have been received.
.LP
Upon success, the type of the result received is returned and the
These routines are used to parse schema definitions in the syntax
defined in RFC 2252 into structs and handle these structs. These
routines handle four kinds of definitions: syntaxes, matching rules,
-attribute types and objectclasses. For each definition kind, four
+attribute types and object classes. For each definition kind, four
routines are provided.
.LP
.B ldap_str2xxx()
\fIScope\fP is the scope of the search and should be one of LDAP_SCOPE_BASE,
to search the object itself,
LDAP_SCOPE_ONELEVEL, to search the object's immediate children,
-or LDAP_SCOPE_SUBTREE, to search the object and all its descendents.
+or LDAP_SCOPE_SUBTREE, to search the object and all its descendants.
.LP
\fIFilter\fP is a string
representation of the filter to apply in the search. Simple filters
Specifies the URI(s) of an LDAP server(s) to which the
.I LDAP
library should connect. The URI scheme may be either
-.BR ldap or
+.B ldap
+or
.B ldaps
which refer to LDAP over TCP and LDAP over SSL (TLS) respectively.
Each server's name can be specified as a
is deprecated in favor of
.BR URI.
.TP
+.B REFERRALS <on/true/yes/off/false/no>
+Specifies if the client should automatically follow referrals returned
+by LDAP servers.
+The default is on.
+Note that the command line tools
+.BR ldapsearch (1)
+&co always override this option.
+.TP
.B SIZELIMIT <integer>
Specifies a size limit to use when performing searches. The
number should be a non-negative integer. \fISIZELIMIT\fP of zero (0)
.TP
.B TLS_CRLCHECK <level>
Specifies if the Certificate Revocation List (CRL) of the CA should be
-used to verify if the server certicates have not been revoked. This
+used to verify if the server certificates have not been revoked. This
requires
.B TLS_CACERTDIR
parameter to be set.
.I $CWD/ldaprc
local ldap configuration file
.SH "SEE ALSO"
-.BR ldap (3)
+.BR ldap (3),
+.BR openssl (1),
+.BR sasl (3)
.SH AUTHOR
Kurt Zeilenga, The OpenLDAP Project
.SH ACKNOWLEDGEMENTS
.ft
.fi
.LP
-Lines beginning with a sharpe sign ('#') are ignored.
+Lines beginning with a sharp sign ('#') are ignored.
.LP
Multiple attribute values are specified on separate lines, e.g.,
.LP
permissions. Note, however, that the ID assertion feature is mostly
useful when the asserted identities do not exist on the remote server.
+Flags can be
+
+\fBoverride,{prescriptive|non-prescriptive}\fP
+
When the
.B override
flag is used, identity assertion takes place even when the database
performs the identity assertion using the configured identity and
authentication method.
+When the
+.B prescriptive
+flag is used (the default), operations fail with
+\fIinappropriateAuthentication\fP
+for those identities whose assertion is not allowed by the
+.B idassert-authzFrom
+patterns.
+If the
+.B non-prescriptive
+flag is used, operations are performed anonymously for those identities
+whose assertion is not allowed by the
+.B idassert-authzFrom
+patterns.
+
This directive obsoletes
.BR idassert-authcDN ,
.BR idassert-passwd ,
.B rebind-as-user {NO|yes}
If this option is given, the client's bind credentials are remembered
for rebinds when chasing referrals. Useful when
-\fBchase-referrals\fP is set to \fByes\P, useless otherwise.
+\fBchase-referrals\fP is set to \fByes\fP, useless otherwise.
.TP
.B chase-referrals {YES|no}
(see \fIdraft-zeilenga-ldap-t-f\fP for details).
If set to
.BR discover ,
-support is detected by reading the remote server's rootDSE.
+support is detected by reading the remote server's root DSE.
.SH BACKWARD COMPATIBILITY
The LDAP backend has been heavily reworked between releases 2.2 and 2.3;
.B idassert-authcDN "<administrative DN for proxyAuthz purposes>"
DN which is used to propagate the client's identity to the target
by means of the proxyAuthz control when the client does not
-belong to the DIT fragment that is being proxyied by back-ldap.
+belong to the DIT fragment that is being proxied by back-ldap.
This directive is obsoleted by
.BR idassert-bind ,
and may be dismissed in the future.
seconds.
Implies
.B dbnosync
-(ie. indvidual updates are no longer written to disk).
+(ie. individual updates are no longer written to disk).
It attempts to avoid syncs during periods of peak activity by waiting
.B <delayinterval>
seconds if the server is busy, repeating this delay up to
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd (8),
-.BR LDIF (5).
+.BR ldif (5).
.SH AUTHOR
Eric Stokes
.BR slapd.conf (5)
manual page.
.LP
-Note: as with the
-.B ldap
-backend, operational attributes related to entry creation/modification
-should not be used, as they would be passed to the target servers,
-generating an error.
-Moreover, it makes little sense to use such attributes in proxying, as
-the proxy server doesn't actually store data, so it should have no
-knowledge of such attributes.
-While code to strip the modification attributes has been put in place
-(and #ifdef'd), it implies unmotivated overhead.
-So it is strongly recommended to set
+Note: In early versions of back-ldap and back-meta it was recommended to always set
+.LP
.RS
+.nf
lastmod off
+.fi
.RE
+.LP
for every
.B ldap
and
.B meta
-backend.
+database.
+This is because operational attributes related to entry creation and
+modification should not be proxied, as they could be mistakenly written
+to the target server(s), generating an error.
+The current implementation automatically sets lastmod to off, so its use
+is redundant and should be omitted, because the lastmod directive will
+be deprecated in the future.
+
.SH SPECIAL CONFIGURATION DIRECTIVES
Target configuration starts with the "uri" directive.
All the configuration directives that are not specific to targets
should be defined first for clarity, including those that are common
to all backends.
They are:
+
.TP
.B default-target none
This directive forces the backend to reject all those operations
target, with the constraint that at most one must succeed.
This directive can also be used when processing targets to mark a
specific target as default.
+
.TP
.B dncache-ttl {forever|disabled|<ttl>}
This directive sets the time-to-live of the DN cache.
selection in case multiple targets would result from an uncached
search; forever means cache never expires; disabled means no DN
caching; otherwise a valid ( > 0 ) ttl in seconds is required.
+
.TP
.B nretries {forever|never|<nretries>}
This directive defines how many times a bind should be retried
specification.
.SH TARGET SPECIFICATION
Target specification starts with a "uri" directive:
+
.TP
.B uri <protocol>://[<host>[:<port>]]/<naming context>
The "server" directive that was allowed in the LDAP backend (although
be separated by TABs (e.g. '\\t'; commas or spaces, unlike back-ldap,
will not work,
because they are legal in the <naming context>, and we don't want to use
-URL-encoded <namimg context>s), and the additional URIs must have
+URL-encoded <naming context>s), and the additional URIs must have
no <naming context> part. This causes the underlying library
to contact the first server of the list that responds.
.RE
+
.TP
.B default-target [<target>]
The "default-target" directive can also be used during target specification.
The optional number marks target <target> as the default one, starting
from 1.
Target <target> must be defined.
+
.TP
.B acl-authcDN "<administrative DN for access control purposes>"
DN which is used to query the target server for acl checking,
check permissions.
.B The acl-authcDN identity is by no means implicitly used by the proxy
.B when the client connects anonymously.
+
.TP
.B acl-passwd <password>
Password used with the
.B
acl-authcDN
above.
+
.TP
-.B rebind-as-user
+.B rebind-as-user {NO|yes}
If this option is given, the client's bind credentials are remembered
for rebinds when chasing referrals.
+
+.TP
+.B chase-referrals {YES|no}
+enable/disable automatic referral chasing, which is delegated to the
+underlying libldap, with rebinding eventually performed if the
+\fBrebind-as-user\fP directive is used. The default is to chase referrals.
+
+.TP
+.B tls {[try-]start|[try-]propagate}
+execute the start TLS extended operation when the connection is initialized;
+only works if the URI directive protocol scheme is not \fBldaps://\fP.
+\fBpropagate\fP issues the Start TLS exop only if the original
+connection did.
+The \fBtry-\fP prefix instructs the proxy to continue operations
+if start TLS failed; its use is highly deprecated.
+
+.TP
+.B t-f-support {NO|yes|discover}
+enable if the remote server supports absolute filters
+(see \fIdraft-zeilenga-ldap-t-f\fP for details).
+If set to
+.BR discover ,
+support is detected by reading the remote server's root DSE.
+
+.TP
+.B onerr {CONTINUE|stop}
+This directive allows to select the behavior in case an error is returned
+by one target during a search.
+The default, \fBcontinue\fP, consists in continuing the operation,
+trying to return as much data as possible.
+If this statement is set to \fBstop\fP, the search is terminated as soon
+as an error is returned by one target, and the error is immediately
+propagated to the client.
+
.TP
.B pseudorootdn "<substitute DN in case of rootdn bind>"
This directive, if present, sets the DN that will be substituted to
the bind DN if a bind with the backend's "rootdn" succeeds.
The true "rootdn" of the target server ought not be used; an arbitrary
administrative DN should used instead.
+
.TP
.B pseudorootpw "<substitute password in case of rootdn bind>"
This directive sets the credential that will be used in case a bind
with the backend's "rootdn" succeeds, and the bind is propagated to
the target using the "pseudorootdn" DN.
-.LP
+
Note: cleartext credentials must be supplied here; as a consequence,
using the pseudorootdn/pseudorootpw directives is inherently unsafe.
+
.TP
.B rewrite* ...
The rewrite options are described in the "REWRITING" section.
+
.TP
.B suffixmassage "<virtual naming context>" "<real naming context>"
All the directives starting with "rewrite" refer to the rewrite engine
so "dc=foo, dc=com" would not match "dc=foo,dc=com".
.LP
See the "REWRITING" section.
+
.TP
.B map "{attribute|objectclass} [<local name>|*] {<foreign name>|*}"
This maps object classes and attributes as in the LDAP backend.
The underlying concept is to build a lightweight rewrite module
for the slapd server (initially dedicated to the LDAP backend).
.SH Passes
-An incoming string is matched agains a set of rules.
+An incoming string is matched against a set of rules.
Rules are made of a regex match pattern, a substitution pattern
and a set of actions, described by a set of flags.
In case of match a string rewriting is performed according to the
The substitution pattern allows map resolution of substrings.
A map is a generic object that maps a substitution pattern to a value.
The flags are divided in "Pattern matching Flags" and "Action Flags";
-the former alter the regex match pattern behaviorm while the latter
+the former alter the regex match pattern behavior while the latter
alter the action that is taken after substitution.
.SH "Pattern Matching Flags"
.TP
assigns a variable in the rewrite context scope; operator
.B &&
assigns a variable that scopes the entire session, e.g. its value
-can be derefenced later by other rewrite contexts
+can be dereferenced later by other rewrite contexts
.TP
.B *
variable dereferencing; <name> must refer to a variable that is
<Context name> is the name that identifies the context, i.e. the name
used by the application to refer to the set of rules it contains.
It is used also to reference sub contexts in string rewriting.
-A context may aliase another one.
+A context may alias another one.
In this case the alias context contains no rule, and any reference to
it will result in accessing the aliased one.
.TP
is not an actual database; if enabled, it is automatically generated
and dynamically maintained by slapd with information about the running
status of the daemon.
-
+.LP
+To inspect all monitor information, issue a subtree search with base
+cn=Monitor, requesting that attributes "+" and "*" are returned.
+The monitor backend produces mostly operational attributes, and LDAP
+only returns operational attributes that are explicitly requested.
+Requesting attribute "+" is an extension which requests all operational
+attributes.
.SH CONFIGURATION
These
.B slapd.conf
options apply to the monitor backend database.
That is, they must follow a "database monitor" line and come before any
subsequent "backend" or "database" lines.
+.LP
As opposed to most databases, the monitor database can be instantiated
only once, i.e. only one occurrence of "database monitor" can occur
in the
.TH SLAPD-NULL 5 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 2002-2005 The OpenLDAP Foundation. All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapd-null \- Null backend to slapd
* object reference
* base DN
* scope
- * alias deferencing policy
+ * alias dereferencing policy
* size limit
* time limit
* filter string
returned directly to the client.
.SH EXAMPLE
There is an example Perl module `SampleLDAP' in the slapd/back-perl/
-direcetory in the OpenLDAP source tree.
+directory in the OpenLDAP source tree.
.SH ACCESS CONTROL
The
.B passwd
suffix, and the scope is subtree; rather collect all entries.
.RE
-.SH STAMEMENT CONFIGURATION
+.SH STATEMENT CONFIGURATION
These options specify SQL query templates for loading schema mapping
metainformation, adding and deleting entries to ldap_entries, etc.
All these and subtree_cond should have the given default values.
.B has_ldapinfo_dn_ru { NO | yes }
Explicitly inform the backend whether the dn_ru column
(DN in reverse uppercased form) is present in table \fIldap_entries\fP.
-Overrides automatic check (this is required, ofr instance,
+Overrides automatic check (this is required, for instance,
by PostgreSQL/unixODBC).
This is \fIexperimental\fP and may change in future releases.
.LP
The \fBhasSubordintes\fP operational attribute is honored by back-sql
in search results and in compare operations; it is partially honored
-also in filtering. Owing to design limitations, a (braindead?) filter
+also in filtering. Owing to design limitations, a (brain-dead?) filter
of the form
\fB(!(hasSubordinates=TRUE))\fP
will give no results instead of returning all the leaf entries, because
.nf
[dn[.<dnstyle>]=]<dnpattern>
filter=<ldapfilter>
- attrs=<attrlist>[ val[.<attrstyle>]=<attrval>]
+ attrs=<attrlist>[ val[/matchingRule][.<attrstyle>]=<attrval>]
.fi
.LP
with
is implied, i.e. all attributes are addressed.
.LP
Using the form
-.B attrs=<attr> val[.<attrstyle>]=<attrval>
+.B attrs=<attr> val[/matchingRule][.<attrstyle>]=<attrval>
specifies access to a particular value of a single attribute.
In this case, only a single attribute type may be given. The
.B <attrstyle>
.B exact
(the default) uses the attribute's equality matching rule to compare the
-value. If the
+value, unless a different (and compatible) matching rule is specified. If the
.B <attrstyle>
is
.BR regex ,
.B modify
operation requires
.B write (=w)
-privileges on the attibutes being modified.
+privileges on the attributes being modified.
.LP
The
.B modrdn
and
.B <who>
clauses, to avoid possible incorrect specifications of the access rules
-as well as for performance (avoid unrequired regex matching when an exact
+as well as for performance (avoid unnecessary regex matching when an exact
match suffices) reasons.
.LP
An administrator might create a rule of the form:
.TP
.B TLSCRLCheck <level>
Specifies if the Certificate Revocation List (CRL) of the CA should be
-used to verify if the client certicates have not been revoked. This
+used to verify if the client certificates have not been revoked. This
requires
.B TLSCACertificatePath
parameter to be set.
.BR unchecked
specifier sets a limit on the number of candidates a search request is allowed
to examine.
-The rationale behind it is that searches for non-properly indicized
+The rationale behind it is that searches for non-properly indexed
attributes may result in large sets of candidates, which must be
examined by
.BR slapd (8)
to determine whether they match the search filter or not.
The
-.B unckeched
+.B unchecked
limit provides a means to drop such operations before they are even
started.
If the selected candidates exceed the
In general the search path is made of colon-separated paths; usually
the user-defined path is searched first; then the value of the
\fILTDL_LIBRARY_PATH\fP environment variable, if defined, is used;
-finally, the systemi-specific dynamic load path is attempted (e.g. on
+finally, the system-specific dynamic load path is attempted (e.g. on
Linux the value of the environment variable \fILD_LIBRARY_PATH\fP).
Please carefully read the documentation of ltdl because its behavior
is very platform dependent.
.RE
.P
Note that all of the OIDs used in the logging schema currently reside
-under the OpenLDAP Experimental branch. It is anticipated that thay
+under the OpenLDAP Experimental branch. It is anticipated that they
will migrate to a Standard branch in the future.
An overview of the attributes follows:
circumstances.
The
-.BR reqControls and
+.B reqControls
+and
.B reqRespControls
attributes carry any controls sent by the client on the request and returned
by the server in the response, respectively. The attribute values are just
--- /dev/null
+.TH SLAPO-AUDITLOG 5 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 2005 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
+.SH NAME
+slapo-auditlog \- Audit Logging overlay
+.SH SYNOPSIS
+ETCDIR/slapd.conf
+.SH DESCRIPTION
+The Audit Logging overlay can be used to record all changes on a given
+backend database to a specified log file. Changes are logged as standard
+LDIF, with an additional comment header giving the timestamp of the change
+and the identity of the user making the change.
+.LP
+For Add and Modify operations the identity comes from the modifiersName
+associated with the operation. This is usually the same as the requestor's
+identity, but may be set by other overlays to reflect other values.
+.SH CONFIGURATION
+This
+.B slapd.conf
+option applies to the Audit Logging overlay.
+It should appear after the
+.B overlay
+directive and before any subsequent
+.B database
+directive.
+.TP
+.B auditlog <filename>
+Specify the fully qualified path for the log file.
+.TP
+.B
+.SH FILES
+.TP
+ETCDIR/slapd.conf
+default slapd configuration file
+.SH SEE ALSO
+.BR slapd.conf (5).
.LP
There are no chain overlay specific directives; however, directives
related to the \fIldap\fP database that is implicitly instantiated
-by the overlay may assume a special meaning when used in conjuction
+by the overlay may assume a special meaning when used in conjunction
with this overlay. They are described in
.BR slapd-ldap (5).
.TP
.\" Copying restrictions apply. See the COPYRIGHT file.
.\" $OpenLDAP$
.SH NAME
-slapo-dynlist \- dynnamic list overlay
+slapo-dynlist \- Dynamic List overlay
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
.B dynlist-member-ad <attributeName>
The name of the attributeDescription that will list the DN of the entries
resulting from the internal search. This statement is optional and, if
-present, changes the behvior of the overlay into that of a dynamic group.
+present, changes the behavior of the overlay into that of a dynamic group.
The <attrs> portion of the URI is ignored, and the DNs of all the entries
resulting from the expansion of the URI are listed as values of this
attribute.
optional \fBasync\fP keyword is supplied, searches against this database may
be spawned in a separate thread to run concurrently with other operations
(currently not implemented). If the optional \fBadvertise\fP flag
-is supplied, the naming context is advertised in the rootDSE.
+is supplied, the naming context is advertised in the root DSE.
.SH FILES
.TP
ETCDIR/slapd.conf
.LP
The
.B lastmod
-overlay creates aa service entry rooted at the suffix of the database
+overlay creates a service entry rooted at the suffix of the database
it's stacked onto, which holds the DN, the modification type,
the modifiersName and the modifyTimestamp of the last write operation
performed on that database.
.B lastmodEnabled
.P
This attribute contains a boolean flag that determines the status
-of the overlay. It can be latered via protocol by issuing a modify
+of the overlay. It can be altered via protocol by issuing a modify
operation that replaces the value of the attribute.
.LP
.RS 4
.B lastmodDN
.P
-This attribute contains the distingyished name of the entry
+This attribute contains the distinguished name of the entry
that was last modified within the naming context of a database.
.LP
.RS 4
.SH ACKNOWLEDGEMENTS
.P
-This module was written in 2004 by Pierangelo Masarati in fulfilment
+This module was written in 2004 by Pierangelo Masarati in fulfillment
of requirements from SysNet s.n.c.; this man page has been copied
from
.BR slapo-ppolicy (5),
Specify that cleartext passwords present in Add and Modify requests should
be hashed before being stored in the database. This violates the X.500
information model, but may be needed to compensate for LDAP clients that
-don't use the PasswordModify exop to manage passwords.
+don't use the Password Modify exop to manage passwords.
.TP
.B ppolicy_use_lockout
A client will always receive an LDAP
module will enforce the default password policy rules on the
user associated with this authenticating DN. If there is no
default, or the referenced subentry does not exist, then no
-policy rules wil be enforced.
+policy rules will be enforced.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.23
--- /dev/null
+.TH SLAPO-RETCODE5 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 1998-2004 The OpenLDAP Foundation, All Rights Reserved.
+.\" Copying restrictions apply. See the COPYRIGHT file.
+.\" Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
+.\" $OpenLDAP$
+.SH NAME
+slapo-retcode \- return code overlay
+.SH SYNOPSIS
+ETCDIR/slapd.conf
+.SH DESCRIPTION
+The
+.B retcode
+overlay to
+.BR slapd (8)
+is useful to test the behavior of clients when server-generated erroneous
+and/or unusual responses occur, e.g. error codes, referrals,
+excessive response times and so on.
+
+The error responses are generated according to different strategies.
+.LP
+In the first case, all operations targeted at a specific configurable
+subtree cause the object related to the request DN to be looked up
+and checked for return code data: a response code, plus an optional
+textual message, an optional configurable delay, and, when the response code
+is referral, a (list of) referral(s).
+.LP
+Well-known response codes from standard track documents are provided
+in \fBretcode.conf\fP, which can be included after instantiating
+the overlay.
+.LP
+In the second case, objects of the \fBerrObject\fP class, when returned
+as intermediate responses of a search request, are changed into
+the response dictated by their content.
+.LP
+A third mode causes objects to be looked up from the underlying database
+to discover if their class is \fBerrObject\fP; in that case, their content
+is used to compute the corresponding response.
+.LP
+The behavior is disabled by using the \fBmanageDSAit\fP control (RFC 3296);
+in that case, the resulting object, either present in the directory
+or dynamically generated by the overlay, or contained in the request,
+is handled as usual.
+.LP
+The config directives that are specific to the
+.B retcode
+overlay must be prefixed by
+.BR retcode\- ,
+to avoid conflicts with directives specific to the underlying database
+or to other stacked overlays. The following specific directives
+can be used to configure the retcode overlay:
+.TP
+.B retcode\-parent <DN>
+This directive defines the parent DN where dynamically generated
+entries reside.
+If not defined, the suffix of the database is used.
+.HP
+.hy 0
+.B retcode\-item <RDN> <errCode> [op=<oplist>] [text=<message>]
+.B [ref=<referral>] [sleeptime=<sec>]
+.RS
+A dynamically generated entry, located below \fBretcode\-parent\fP.
+The \fB<errCode>\fP is the number of the response code;
+it can be in any format supported by strtol.
+The optional \fB<oplist>\fP is a list of operations that cause
+response code generation; if absent, all operations are affected.
+The \fBref\fP field is only allowed for the \fBreferral\fP
+response code.
+.RE
+.TP
+.B retcode\-indir
+Enables exploitation of in-directory stored errObjects. May result
+in lots of unnecessary overhead.
+
+.SH SCHEMA
+The following schema items are created and used by the overlay:
+.LP
+The error code:
+.RS 4
+( 1.3.6.1.4.1.4203.666.11.4.1.1
+ NAME ( 'errCode' )
+ DESC 'LDAP error code'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+.RE
+.LP
+The operations that trigger the response code:
+.RS 4
+( 1.3.6.1.4.1.4203.666.11.4.1.2
+ NAME ( 'errOp' )
+ DESC 'Operations the errObject applies to'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+.RE
+.LP
+The text message:
+.RS 4
+( 1.3.6.1.4.1.4203.666.11.4.1.3
+ NAME ( 'errText' )
+ DESC 'LDAP error textual description'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+.RE
+.LP
+The sleep time before the response is actually returned to the client:
+.RS 4
+( 1.3.6.1.4.1.4203.666.11.4.1.4
+ NAME ( 'errSleepTime' )
+ DESC 'Time to wait before returning the error'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+.RE
+.LP
+The objectclass:
+.RS 4
+( 1.3.6.1.4.1.4203.666.11.4.3.1
+ NAME ( 'errObject' )
+ SUP top STRUCTURAL
+ MUST ( errCode )
+ MAY ( cn $ description $ errOp $ errText $ errSleepTime ) )
+.RE
+
+.SH EXAMPLE
+.LP
+.RS
+.nf
+overlay retcode
+retcode-parent "ou=RetCodes,dc=example,dc=com"
+include ./retcode.conf
+
+# Wait 10 seconds, then return success (0x00)
+retcode-item "cn=Success after 10 seconds" 0x00 sleeptime=10
+# Wait 10 seconds, then return timelimitExceeded (0x03)
+retcode-item "cn=Timelimit after 10 seconds" 0x03 sleeptime=10
+.fi
+.RE
+.LP
+.LP
+
+.SH FILES
+.TP
+ETCDIR/slapd.conf
+default slapd configuration file
+.SH SEE ALSO
+.BR slapd.conf (5),
+.BR slapd (8),
+.SH AUTHOR
+Pierangelo Masarati
same purpose, etc.
If local or foreign name is `*', the name is preserved.
If local name is omitted, the foreign name is removed.
-Unmapped names are preseved if both local and foreign name are `*',
+Unmapped names are preserved if both local and foreign name are `*',
and removed if local name is omitted and foreign name is `*'.
.LP
The local
for the slapd server (initially dedicated to the LDAP backend):
.LP
.SH Passes
-An incoming string is matched agains a set of
+An incoming string is matched against a set of
.IR rewriteRules .
Rules are made of a
.IR "regex match pattern" ,
assigns a variable in the rewrite context scope; operator
.B &&
assigns a variable that scopes the entire session, e.g. its value
-can be derefenced later by other rewrite contexts
+can be dereferenced later by other rewrite contexts
.TP
.B *
variable dereferencing; <name> must refer to a variable that is
<Context name> is the name that identifies the context, i.e. the name
used by the application to refer to the set of rules it contains.
It is used also to reference sub contexts in string rewriting.
-A context may aliase another one.
+A context may alias another one.
In this case the alias context contains no rule, and any reference to
it will result in accessing the aliased one.
.TP
The contextCSN is updated for every write operation performed against the
database. To reduce database contention, the contextCSN is only updated in
-memory. The value is written to the detabase on server shutdown and read into
+memory. The value is written to the database on server shutdown and read into
memory on startup, and maintained in memory thereafter. Checkpoints may be
configured to write the contextCSN into the underlying database to minimize
recovery time after an unclean shutdown.
.B Slaptest
is used to check the conformance of the
.BR slapd.conf (5)
-configurtion file.
+configuration file.
It opens the
.BR slapd.conf (5)
configuration file, and parses it according to the general
If the replication log file does not exist or is empty,
.B slurpd
goes to sleep. It periodically wakes up and checks to see if there
-are any changes to be propoagated.
+are any changes to be propagated.
.LP
When
.B slurpd
} LDIFFP;
LDAP_LDIF_F( LDIFFP * )
-ldif_open LDAP_P(( char *file, char *mode ));
+ldif_open LDAP_P(( LDAP_CONST char *file, LDAP_CONST char *mode ));
LDAP_LDIF_F( void )
ldif_close LDAP_P(( LDIFFP * ));
}
if ( lr->lr_origid == msgid ) {/* child: abandon it */
(void) do_abandon( ld,
- msgid, lr->lr_msgid, sctrls, cctrls );
+ lr->lr_origid, lr->lr_msgid, sctrls, cctrls );
}
}
return LDAP_SUCCESS;
}
+ /* fetch again the request that we are abandoning */
+ if ( lr != NULL ) {
+ for ( lr = ld->ld_requests; lr != NULL; lr = lr->lr_next ) {
+ if ( lr->lr_msgid == msgid ) { /* this message */
+ break;
+ }
+ }
+ }
+
err = 0;
if ( sendabandon ) {
if( ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_GET_FD, NULL ) == -1 ) {
}
}
+#ifdef LDAP_R_COMPILE
+ /* ld_abandoned is actually protected by the ld_res_mutex;
+ * give up the ld_req_mutex and get the other */
+ ldap_pvt_thread_mutex_unlock( &ld->ld_req_mutex );
+ ldap_pvt_thread_mutex_lock( &ld->ld_res_mutex );
+#endif
i = 0;
if ( ld->ld_abandoned != NULL ) {
for ( ; ld->ld_abandoned[i] != -1; i++ )
if ( ld->ld_abandoned == NULL ) {
ld->ld_abandoned = old_abandon;
ld->ld_errno = LDAP_NO_MEMORY;
- return( ld->ld_errno );
+ goto done;
}
ld->ld_abandoned[i] = msgid;
ld->ld_errno = LDAP_SUCCESS;
}
+done:;
+#ifdef LDAP_R_COMPILE
+ ldap_pvt_thread_mutex_unlock( &ld->ld_res_mutex );
+ ldap_pvt_thread_mutex_lock( &ld->ld_req_mutex );
+#endif
return( ld->ld_errno );
}
#endif
sip = (struct selectinfo *)ld->ld_selectinfo;
+ assert( sip != NULL );
#ifdef HAVE_POLL
{
LDAPMessage **result )
{
int rc;
- struct timeval tv, *tvp;
+ struct timeval tv, tv0, *tvp;
time_t start_time = 0;
time_t tmp_time;
LDAPConn *lc, *nextlc;
if ( timeout == NULL ) {
tvp = NULL;
} else {
+ tv0 = *timeout;
tv = *timeout;
tvp = &tv;
start_time = time( NULL );
if ( rc == -2 && tvp != NULL ) {
tmp_time = time( NULL );
- if (( tv.tv_sec -= ( tmp_time - start_time )) <= 0 ) {
+ if (( tv0.tv_sec -= ( tmp_time - start_time )) <= 0 ) {
rc = 0; /* timed out */
ld->ld_errno = LDAP_TIMEOUT;
break;
}
+ tv.tv_sec = tv0.tv_sec;
Debug( LDAP_DEBUG_TRACE, "wait4msg: %ld secs to go\n",
(long) tv.tv_sec, 0, 0 );
static char *
get_line( char *line, int len, FILE *fp, const char *prompt )
{
- printf(prompt);
+ fputs(prompt, stdout);
if ( fgets( line, len, fp ) == NULL )
return( NULL );
LDAP_INT_THREAD_POOL_RUNNING,
LDAP_INT_THREAD_POOL_FINISHING,
LDAP_INT_THREAD_POOL_STOPPING,
- LDAP_INT_THREAD_POOL_PAUSING,
+ LDAP_INT_THREAD_POOL_PAUSING
};
typedef struct ldap_int_thread_key_s {
FILE *
ldif_open_url(
- LDAP_CONST char *urlstr
-)
+ LDAP_CONST char *urlstr )
{
FILE *url;
char *p = NULL;
ldif_fetch_url(
LDAP_CONST char *urlstr,
char **valuep,
- ber_len_t *vlenp
-)
+ ber_len_t *vlenp )
{
FILE *url;
char buffer[1024];
LDIFFP *
ldif_open(
- char *file,
- char *mode
+ LDAP_CONST char *file,
+ LDAP_CONST char *mode
)
{
FILE *fp = fopen( file, mode );
const char* scheme )
{
struct pw_slist *pws;
+ struct berval bv;
if (!pw_inited) lutil_passwd_init();
+ bv.bv_val = strchr( scheme, '}' );
+ if ( !bv.bv_val )
+ return NULL;
+
+ bv.bv_len = bv.bv_val - scheme + 1;
+ bv.bv_val = (char *) scheme;
+
for( pws=pw_schemes; pws; pws=pws->next ) {
- if( strcasecmp(scheme, pws->s.name.bv_val ) == 0 ) {
+ if( bv.bv_len != pws->s.name.bv_len )
+ continue;
+ if( strncasecmp(bv.bv_val, pws->s.name.bv_val, bv.bv_len ) == 0 ) {
return &(pws->s);
}
}
- return NULL;
+ return (const struct pw_scheme *) NULL;
}
int lutil_passwd_scheme(