Commit 6d67d4a4 authored by Kurt Zeilenga

Misc. cleanup

parent 45ef1d2c
......@@ -11,8 +11,9 @@ Building and installing OpenLDAP requires several steps: installing
prerequisite software, configuring OpenLDAP itself, making, and finally
installing. The following sections describe this process in detail.
In case you haven't already obtained OpenLDAP it is available at the following
location: {{URL: ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release.tgz}}
In case you haven't already obtained OpenLDAP it is available at
the following location:
{{URL: ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release.tgz}}.
The {{ORG[expand]OLP}} also maintains an extensive site
({{URL:http://www.OpenLDAP.org/}}) on the World Wide Web. The site
......@@ -22,6 +23,7 @@ properly install OpenLDAP Software. This includes:
!block table; align=Center; coltags="N,URL"; \
title="Table 4.1: Other OpenLDAP resources"
Resource URL
Document Catalog http://www.OpenLDAP.org/doc/
Frequently Asked Questions http://www.OpenLDAP.org/faq/
Issue Tracking System http://www.OpenLDAP.org/its/
Mailing Lists http://www.OpenLDAP.org/lists/
......@@ -31,13 +33,14 @@ Support Page http://www.OpenLDAP.org/support/
H2: Prerequisite software
OpenLDAP relies a number of software packages distributed by third
parties. Depending on the features you intend to use, you may have
to download and install a number of additional software packages.
This section details commonly needed third party software packages
you might have to install. Note that some of these third party
packages may depend on additional software packages. Install each
package per installation instructions provided with it.
OpenLDAP Software relies upon a number of software packages distributed
by third parties. Depending on the features you intend to use,
you may have to download and install a number of additional
software packages. This section details commonly needed third party
software packages you might have to install. Note that some of
these third party packages may depend on additional software
packages. Install each package per installation instructions
provided with it.
H3: {{TERM[expand]TLS}}
......@@ -243,6 +246,6 @@ source directory, type:
You should examine the output of this command carefully to make sure
everything is installed correctly. You will find the configuration files
for slapd in {{F:/usr/local/etc/openldap}} by default. See chapter 5 for more
information on the configuration files.
for slapd in {{F:/usr/local/etc/openldap}} by default. See the
{{SECT:The slapd Configuration File}} chapter for additional information.
......@@ -380,9 +380,9 @@ DSA may expect these attributes to be named
{{EX:lastModifiedBy}} and {{EX:lastModifiedTime}}.
A solution to this attribute naming problem is to have the
ldapd read oidtables that map {{EX:modifiersName}} to the
Object Identifier ({{TERM:OID}}) for the {{EX:lastModifiedBy}} attribute and
{{EX:modifyTimeStamp}} to the OID for the {{EX:lastModifiedTime}}
attribute. Since attribute names are carried as OIDs over
DAP, this should perform the appropriate translation of
attribute names.
LDAP/DAP gateway to map {{EX:modifiersName}} to the Object
Identifier ({{TERM:OID}}) for the {{EX:lastModifiedBy}}
attribute and {{EX:modifyTimeStamp}} to the OID for the
{{EX:lastModifiedTime}} attribute. Since attribute names
are carried as OIDs over DAP, this should perform the
appropriate translation of attribute names.
......@@ -4,10 +4,10 @@
H1: Schema Specification
This chapter describes how to extend {{slapd}}(8) schema. The
first section details how to extend schema using provided
schema files. The second section details how to define
new schema items.
This chapter describes how to extend the schema used by {{slapd}}(8).
The first section details optional schema definitions provided
in the distribution and where to obtain other definitions. The
second section details how to define new schema items.
H2: Distributed Schema Files
......@@ -46,11 +46,11 @@ in provided files.
H2: Extending Schema
Schema used by {{slapd}}(8) can be extended to support additional
Schema used by {{slapd}}(8) may be extended to support additional
syntaxes, matching rules, attribute types, and object classes.
This chapter details how to add attribute types and object classes
using the syntaxes and matching rules already support by slapd.
slapd(8) can also be extended to support additional syntaxes
slapd can also be extended to support additional syntaxes
and matching rules, but this requires some programming and hence
is not discussed here.
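Review bot: the unchanged context line "using the syntaxes and matching rules already support by slapd" has a typo that this cleanup pass should pick up: "support" should read "supported". Separately, the hunk drops the manual section from "slapd(8)" to plain "slapd" while the opening sentence of the same paragraph keeps "{{slapd}}(8)"; either form is fine, but the chapter should use one of them consistently.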
......@@ -64,11 +64,11 @@ There are five steps to defining new schema:
H3: Object Identifiers
Each schema element is identified by a globally unique
{{TERM[expand]OID}} ({{TERM:OID}}). OIDs are also used to identify
{{TERM[expand]OID}} (OID). OIDs are also used to identify
other objects.
They are commonly found in protocols described by {{TERM:ASN.1}}. In
particular, they are heavy used by {{Simple Network Management
Protocol}} (SNMP). As OIDs are hierarchical, your organization
particular, they are heavy used by {{TERM[expand]SNMP}} (SNMP).
As OIDs are hierarchical, your organization
can obtain one OID and branch it as needed. For example,
if your organization were assigned OID {{EX:1.1}}, you could branch
the tree as follows:
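Review bot: "heavy used" appears in both the removed line and its replacement and should be "heavily used"; since the line is being rewritten anyway, fix the adverb in the same change. The new "{{TERM[expand]SNMP}} (SNMP)" form matches the "{{TERM[expand]OID}} (OID)" change a few lines above, so the expansion style in this section is now consistent.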
......@@ -98,10 +98,10 @@ service) see {{URL:http://www.alvestrand.no/harald/objectid/}}.
.{{Under no circumstances should you use a fictious OID!}}
To obtain a fully registered OID at {{no cost}}, apply for
a OID under {{ORG[expand]IANA}} maintained
a OID under {{ORG[expand]IANA}} (IANA) maintained
{{Private Enterprise}} arch. Any private enterprise (organization)
may request an OID to be assigned under this arch. Just fill
out the form at {{URL: http://www.iana.org/cgi-bin/enterprise.pl}}
out the {{ORG:IANA}} form at {{URL: http://www.iana.org/cgi-bin/enterprise.pl}}
and your official OID will be sent to you usually within a few days.
Your base OID will be something like {{EX:1.3.6.1.4.1.X}} were {{EX:X}}
is an integer.
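Review bot: three small wording defects remain in this region after the change: the replacement line keeps "a OID", which should be "an OID"; the unchanged warning line ".{{Under no circumstances should you use a fictious OID!}}" should read "fictitious"; and the trailing context "{{EX:1.3.6.1.4.1.X}} were {{EX:X}}" should be "where {{EX:X}}".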
......@@ -210,22 +210,49 @@ the first listed name when returning results.
The first attribute, {{EX:name}}, has a syntax of directory string
(a UTF-8 encoded Unicode string) with a recommend maximun length.
Note that syntaxes is specified by OID. In addition, the equality
and substring matching uses case ignore rules. Below are tables of
{{slapd}}(8) supported syntax and matching rules.
and substring matching uses case ignore rules. Below are tables
listing commonly used supported syntax and matching rules.
!block table; align=Center; coltags="EX,EX,N"; \
title="Table 6.3: Supported Syntaxes"
Name OID Description
directoryString 1.3.6.1.4.1.1466.115.121.1.15 A directory string
Name OID Description
binary 1.3.6.1.4.1.1466.115.121.1.5 BER/DER data
boolean 1.3.6.1.4.1.1466.115.121.1.7 boolean value
distinguishedName 1.3.6.1.4.1.1466.115.121.1.15 DN
directoryString 1.3.6.1.4.1.1466.115.121.1.15 UTF-8 string
IA5String 1.3.6.1.4.1.1466.115.121.1.26 ASCII string
Integer 1.3.6.1.4.1.1466.115.121.1.27 integer
Name and Optional UID 1.3.6.1.4.1.1466.115.121.1.34 DN plus UID
Numeric String 1.3.6.1.4.1.1466.115.121.1.36 numeric string
OID 1.3.6.1.4.1.1466.115.121.1.38 object identifier
Octet String 1.3.6.1.4.1.1466.115.121.1.40 arbitary octets
Printable String 1.3.6.1.4.1.1466.115.121.1.44 printable string
!endblock
>
>
!block table; align=Center; coltags="EX,N"; \
title="Table 6.4: Supported Matching Rules"
Name Description
caseIgnoreMatch case insensitive, space insensitive matching
caseExactMatch case sensitive, space insensitive matching
Name Type Description
booleanMatch equality boolean
objectIdentiferMatch equality OID
distinguishedNameMatch equality DN
uniqueMemberMatch equality DN with optional UID
numericStringMatch equality numerical
numericStringOrderingMatch ordering numerical
numericStringSubstringsMatch substrings numerical
caseIgnoreMatch equality case insensitive, space insensitive
caseIgnoreOrderingMatch ordering case insensitive, space insensitive
caseIgnoreSubstringsMatch substrings case insensitive, space insensitive
caseExactMatch equality case sensitive, space insensitive
caseExactOrderingMatch ordering case sensitive, space insensitive
caseExactSubstringsMatch substrings case sensitive, space insensitive
caseIgnoreIA5Match equality case insensitive, space insensitive
caseIgnoreOrderingIA5Match ordering case insensitive, space insensitive
caseIgnoreSubstringsIA5Match substrings case insensitive, space insensitive
caseExactIA5Match equality case sensitive, space insensitive
caseExactOrderingIA5Match ordering case sensitive, space insensitive
caseExactSubstringsIA5Match substrings case sensitive, space insensitive
!endblock
The second attribute, {{EX:cn}}, is a subtype of {{EX:name}} hence
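Review bot: in the new Table 6.3 the distinguishedName row carries OID 1.3.6.1.4.1.1466.115.121.1.15, the same value as the directoryString row immediately below it. Two syntaxes cannot share an OID, and the DN syntax is registered as 1.3.6.1.4.1.1466.115.121.1.12 (RFC 2252), so please correct that row before readers start copying these OIDs into attribute type definitions. Also in this hunk: "objectIdentiferMatch" in Table 6.4 is misspelled (objectIdentifierMatch); "arbitary octets" should be "arbitrary octets"; and the IA5 rows use the word order caseIgnoreOrderingIA5Match / caseIgnoreSubstringsIA5Match, whereas the registered name of the substrings rule is caseIgnoreIA5SubstringsMatch (OID 1.3.6.1.4.1.1466.109.114.3) and no IA5 ordering rule is registered under these names. slapd matches rule names exactly as they appear in schema definitions, so each row should be checked against the names the server actually registers. The leading context lines "a recommend maximun length" and "syntaxes is specified by OID" would also benefit from this pass ("recommended maximum", "syntaxes are specified").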
......
......@@ -7,7 +7,7 @@ H1: The slapd Configuration File
Once the software has been built and installed, you are ready
to configure {{slapd}}(8) for use at your site. The slapd
runtime configuration is primarily accomplished through the
{{I:slapd.conf}}(5) file, normally installed in the
{{slapd.conf}}(5) file, normally installed in the
{{EX:/usr/local/etc/openldap}} directory.
An alternate configuration file can be specified via a
......@@ -143,13 +143,13 @@ loop detection is done.
H4: loglevel <integer>
This directive specifies the level at which debugging statements
and operation statistics should be syslogged (currently
logged to the {{syslogd}}(8) LOG_LOCAL4 facility). You must
have compiled slapd with -DLDAP_DEBUG for this to work
(except for the two statistics levels, which are always enabled).
Log levels are additive. To display what numbers correspond
to what kind of debugging, invoke slapd with the ? flag or
consult the table below. The possible values for <integer> are:
and operation statistics should be syslogged (currently logged to
the {{syslogd}}(8) {EX:LOG_LOCAL4}} facility). You must have
configured OpenLDAP {{EX:--enable-debug}} (the default) for this
to work (except for the two statistics levels, which are always
enabled). Log levels are additive. To display what numbers
correspond to what kind of debugging, invoke slapd with {{EX:-?}}
or consult the table below. The possible values for <integer> are:
!block table; colaligns="RL"; align=Center; \
title="Table 5.1: Debugging Levels"
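Review bot: the replacement line "{{syslogd}}(8) {EX:LOG_LOCAL4}} facility" opens the markup with a single brace; it must be "{{EX:LOG_LOCAL4}}" or the SDF processor will emit the literal "{EX:LOG_LOCAL4}}" text. It would also help to say, next to {{EX:--enable-debug}}, which of the numbers in the table are the "two statistics levels" that work without debug support, since the paragraph as written does not let the reader identify them.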
......@@ -262,8 +262,11 @@ perform" error.
H4: replica
> replica host=<hostname>[:<port>]
> "binddn=<DN>"
> [bindmethod={ simple | kerberos }]
> [bindmethod={ simple | kerberos | sasl }]
> ["binddn=<DN>"]
> [mech=<mech>]
> [authcid=<identity>]
> [authzid=<identity>]
> [credentials=<password>]
> [srvtab=<filename>]
......@@ -277,23 +280,31 @@ The {{EX:binddn=}} parameter gives the DN to bind as for updates to
the slave slapd. It should be a DN which has read/write
access to the slave slapd's database, typically given as a
{{EX:rootdn}} in the slave's config file. It must also match the
updatedn directive in the slave slapd's config file. Since DNs are
{{EX:updatedn}} directive in the slave slapd's config file. Since DNs are
likely to contain embedded spaces, the entire {{EX:"binddn=<DN>"}}
string should be enclosed in double quotes.
The {{EX:bindmethod}} is either simple or Kerberos, depending on
whether simple password-based authentication or Kerberos
authentication is to be used when connecting to the slave
slapd. Simple authentication requires a valid password be
given. Kerberos authentication requires a valid srvtab file.
The {{EX:credentials=}} parameter, which is only required if using
simple authentication, gives the password for {{EX:binddn}} on the
slave slapd. Simple authentication is deprecated in favor of
{{TERM:SASL}} based authentication services.
The {{EX:srvtab=}} parameter is deprecated in favor of SASL
based authentication services.
The {{EX:bindmethod}} is {{EX:simple}} or {{EX:kerberos}} or {{EX:sasl}},
depending on whether simple password-based authentication or Kerberos
authentication or {{TERM:SASL}} authentication is to be used when connecting
to the slave slapd.
Simple authentication should not be used unless adequate integrity
and privacy protections are in place (e.g. TLS or IPSEC). Simple
authentication requires specification of {{EX:binddn}} and
{{EX:credentials}} parameters.
Kerberos authentication is deprecated in favor of SASL authentication
mechanisms, in particular the {EX:KERBEROS_V4}} and {{EX:GSSAPI}}
mechanisms. Kerberos authentication requires {{EX:binddn}} and
{{EX:srvtab}} parameters.
SASL authentication is generally recommended. SASL authentication
requires specification of a mechanism using the {{EX:mech}} parameter.
Depending on the mechanism, an authentication identity and/or
credentials can be specified using {{EX:authcid}} and {{EX:credentials}}
respectively. The {{EX:authzid}} parameter may be used to specify
an authorization identity.
See the {{SECT:Replication}} chapter for more information on how to
use this directive.
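Review bot: "{EX:KERBEROS_V4}}" in the Kerberos paragraph is missing its opening brace, the same defect as the LOG_LOCAL4 line in the loglevel hunk; it should be "{{EX:KERBEROS_V4}}". The synopsis in the preceding hunk now brackets "binddn=<DN>" as optional, but the unchanged paragraph above still states unconditionally that {{EX:binddn=}} "must also match the {{EX:updatedn}} directive in the slave slapd's config file", and the new SASL paragraph does not say whether {{EX:binddn}} is needed with {{EX:sasl}} or how the updatedn check applies to the SASL identity; please state that explicitly so the reader knows when binddn may be omitted. The advice that simple authentication needs integrity and privacy protection is right, since the {{EX:credentials}} value is otherwise sent in the clear; consider saying directly that the replication connection should be made over TLS rather than leaving "e.g. TLS or IPSEC" for the reader to arrange, and write "IPsec" in its conventional form.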
......
......@@ -47,7 +47,7 @@ OpenSSL OpenSSL http://www.openssl.org/
Cyrus Cyrus http://asg.web.cmu.edu/cyrus/
Sleepy Sleepycat Software http://www.sleepycat.com/
FSF Free Software Foundation http://www.fsf.org/
GNU Gnu Not Unix http://www.gnu.org/
GNU GNU Not Unix http://www.gnu.org/
!endblock
!block products; data
......@@ -78,11 +78,12 @@ BNF BNF
CLDAP Connection-less LDAP
DAP Directory Access Protocol
DER Distinguished Encoding Rules
DIT Directory Information Tree
DN Distinguished Name
DSE DSA-specific Entry
DNS Domain Name System
DS Draft Standard
DSA Directory System Agent
DSA Directory Service Agent
DSE DSA-specific Entry
DUA Directory User Agent
FAQ Frequently Asked Questions
FYI For Your Information
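Review bot: the DSA expansion is changed from "Directory System Agent" to "Directory Service Agent"; X.500 and the LDAP RFCs use "Directory System Agent", so the removed line was correct and this replacement should be reverted. The new DIT entry and moving DSE after DSA to restore alphabetical order look right.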
......@@ -95,6 +96,7 @@ LBER Lightweight BER
LDAP Lightweight Directory Access Protocol
LDIF LDAP Data Interchange Format
LDBM LDAP Database Manager
MIB Management Information Base
OID Object Identifier
OSI OSI
PS Proposed Standard
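Review bot: the unchanged line "OSI OSI" carries no expansion; "Open Systems Interconnection" would match the form of the other entries, and the MIB line being added right above it is the natural place to fix this in the same pass.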
......@@ -103,6 +105,8 @@ RFC Request for Comments
TCP Transmission Control Protocol
TLS Transport Security Layer
SASL Simple Authentication and Security Layer
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol
STD Internet Standard
UDP User Datagram Protocol
URI Uniform Resource Identifier
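Review bot: the unchanged context line "TLS Transport Security Layer" expands the acronym wrongly; TLS is Transport Layer Security (RFC 2246). Since SMTP and SNMP are being inserted directly below it, fix this entry in the same change. The entries here are also out of alphabetical order (TCP, TLS, SASL, SMTP, SNMP, STD); if the glossary is meant to be sorted, SASL, SMTP, SNMP and STD belong before TCP.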
......