Commit c37ca753 in OpenLDAP, authored 14 years ago by Quanah Gibson-Mount
ITS#6834
parent 814d6114
Showing 2 changed files with 95 additions and 46 deletions:
CHANGES: 1 addition, 0 deletions
doc/guide/admin/slapdconf2.sdf: 94 additions, 46 deletions
CHANGES (+1 −0)
@@ -7,6 +7,7 @@ OpenLDAP 2.4.25 Engineering
Fixed test020 exit codes (ITS#6404)
Documentation
admin24 guide ldapi usage (ITS#6839)
admin24 guide conversion notes (ITS#6834)
OpenLDAP 2.4.24 Release (2011/02/10)
Added LDIF line wrapping setting (ITS#6645)
doc/guide/admin/slapdconf2.sdf (+94 −46)
@@ -26,11 +26,11 @@ configuration database normally resides in the
directory (or file) can be specified via a command-line option to
{{slapd}}(8).
This chapter
briefly discusses converting to the new style configuration,
then
describes the general format of the configuration system, followed by
This chapter
describes the general format of the configuration system, followed by
a detailed description of commonly used config settings.
Note: some of the backends
and of the distributed overlays
Note: some of the backends
do not support runtime configuration yet. In those cases,
the old style {{slapd.conf}}(5) file must be used.
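Review bot: the rewritten intro promises that the chapter "briefly discusses converting to the new style configuration, then describes the general format", but the conversion section this same patch adds (H2: Converting old style {{slapd.conf}}(5) file to {{cn=config}} format) lands at the end of the chapter, after the configuration example, so the stated order does not match the layout; either move the new section ahead of the format description or reword the intro to something like "describes the general format of the configuration system, followed by a detailed description of commonly used config settings and notes on converting an existing slapd.conf". Minor: "some of the backends and of the distributed overlays" reads awkwardly; "some of the backends and distributed overlays" is cleaner.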
@@ -1033,83 +1033,131 @@ E: 20.
Line 15 is a comment. Lines 16-18 identify this entry as the global
database entry. Line 19 is a global access control. It applies to all
entries (after any applicable database-specific access controls).
Line 20 is a blank line.
The next entry defines the config backend.
E: 21. # set a rootpw for the config database so we can bind.
E: 22. # deny access to everyone else.
E: 23. dn: olcDatabase=config,cn=config
E: 24. objectClass: olcDatabaseConfig
E: 25. olcDatabase: config
E: 26. olcRootPW: {SSHA}XKYnrjvGT3wZFQrDD5040US592LxsdLy
E: 27. olcAccess: to * by * none
E: 28.
Lines 21-22 are comments. Lines 23-25 identify this entry as the config
database entry. Line 26 defines the {{super-user}} password for this
database. (The DN defaults to {{"cn=config"}}.) Line 27 denies all access
to this database, so only the super-user will be able to access it. (This
is already the default access on the config database. It is just listed
here for illustration, and to reiterate that unless a means to authenticate
as the super-user is explicitly configured, the config database will be
inaccessible.)
Line 28 is a blank line.
The next entry defines a BDB backend that will handle queries for things
in the "dc=example,dc=com" portion of the tree. Indices are to be maintained
for several attributes, and the {{EX:userPassword}} attribute is to be
protected from unauthorized access.
E: 2
1
. # BDB definition for example.com
E:
22
. dn: olcDatabase=bdb,cn=config
E:
2
3. objectClass: olcDatabaseConfig
E: 2
4
. objectClass: olcBdbConfig
E:
25
. olcDatabase: bdb
E:
26
. olcSuffix: "dc=example,dc=com"
E:
27
. olcDbDirectory: /usr/local/var/openldap-data
E:
28
. olcRootDN: "cn=Manager,dc=example,dc=com"
E:
29
. olcRootPW: secret
E: 3
0
. olcDbIndex: uid pres,eq
E: 3
1
. olcDbIndex: cn,sn,uid pres,eq,approx,sub
E:
32
. olcDbIndex: objectClass eq
E:
33
. olcAccess: to attrs=userPassword
E:
3
4. by self write
E: 3
5
. by anonymous auth
E:
36
. by dn.base="cn=Admin,dc=example,dc=com" write
E:
37
. by * none
E:
38
. olcAccess: to *
E:
39
. by self write
E: 4
0
. by dn.base="cn=Admin,dc=example,dc=com" write
E: 4
1
. by * read
E:
42
.
Line 2
1
is a comment. Lines
22-25
identify this entry as a BDB database
configuration entry. Line
26
specifies the DN suffix
for queries to pass to this database. Line
27
specifies the directory
E: 2
9
. # BDB definition for example.com
E:
30
. dn: olcDatabase=bdb,cn=config
E: 3
1
. objectClass: olcDatabaseConfig
E:
3
2. objectClass: olcBdbConfig
E:
33
. olcDatabase: bdb
E:
34
. olcSuffix: "dc=example,dc=com"
E:
35
. olcDbDirectory: /usr/local/var/openldap-data
E:
36
. olcRootDN: "cn=Manager,dc=example,dc=com"
E:
37
. olcRootPW: secret
E: 3
8
. olcDbIndex: uid pres,eq
E: 3
9
. olcDbIndex: cn,sn,uid pres,eq,approx,sub
E:
40
. olcDbIndex: objectClass eq
E:
41
. olcAccess: to attrs=userPassword
E: 4
2
. by self write
E:
4
3. by anonymous auth
E:
44
. by dn.base="cn=Admin,dc=example,dc=com" write
E:
45
. by * none
E:
46
. olcAccess: to *
E:
47
. by self write
E: 4
8
. by dn.base="cn=Admin,dc=example,dc=com" write
E: 4
9
. by * read
E:
50
.
Line 2
9
is a comment. Lines
30-33
identify this entry as a BDB database
configuration entry. Line
34
specifies the DN suffix
for queries to pass to this database. Line
35
specifies the directory
in which the database files will live.
Lines
28
and
29
identify the database {{super-user}} entry and associated
Lines
36
and
37
identify the database {{super-user}} entry and associated
password. This entry is not subject to access control or size or
time limit restrictions.
Lines 3
0
through
32
indicate the indices to maintain for various
Lines 3
8
through
40
indicate the indices to maintain for various
attributes.
Lines
33
through 4
1
specify access control for entries in this
Lines
41
through 4
9
specify access control for entries in this
database. For all applicable entries, the {{EX:userPassword}} attribute is writable
by the entry itself and by the "admin" entry. It may be used for
authentication/authorization purposes, but is otherwise not readable.
All other attributes are writable by the entry and the "admin"
entry, but may be read by all users (authenticated or not).
Line
42
is a blank line, indicating the end of this entry.
Line
50
is a blank line, indicating the end of this entry.
The next
section of the example configuration file
defines another
The next
entry
defines another
BDB database. This one handles queries involving the
{{EX:dc=example,dc=net}} subtree but is managed by the same entity
as the first database. Note that without line
52
, the read access
as the first database. Note that without line
60
, the read access
would be allowed due to the global access rule at line 19.
E:
43
. # BDB definition for example.net
E:
44
. dn: olcDatabase=bdb,cn=config
E:
4
5. objectClass: olcDatabaseConfig
E: 4
6
. objectClass: olcBdbConfig
E:
47
. olcDatabase: bdb
E:
48
. olcSuffix: "dc=example,dc=net"
E:
49
. olcDbDirectory: /usr/local/var/openldap-data-net
E: 5
0
. olcRootDN: "cn=Manager,dc=example,dc=com"
E: 5
1
. olcDbIndex: objectClass eq
E:
52
. olcAccess: to * by users read
E:
51
. # BDB definition for example.net
E:
52
. dn: olcDatabase=bdb,cn=config
E: 5
3
. objectClass: olcDatabaseConfig
E:
5
4. objectClass: olcBdbConfig
E:
55
. olcDatabase: bdb
E:
56
. olcSuffix: "dc=example,dc=net"
E:
57
. olcDbDirectory: /usr/local/var/openldap-data-net
E: 5
8
. olcRootDN: "cn=Manager,dc=example,dc=com"
E: 5
9
. olcDbIndex: objectClass eq
E:
60
. olcAccess: to * by users read
H2: Converting old style {{slapd.conf}}(5) file to {{cn=config}} format
Before converting to the {{cn=config}} format you should make sure that the
config backend is properly configured in your existing config file. While
the config backend is always present inside slapd, by default it is only
accessible by its rootDN, and there are no default credentials assigned
so unless you explicitly configure a means to authenticate to it, it will be
unusable.
If you do not already have a {{EX:database config}} section, add something
like this to the end of {{EX:slapd.conf}}
> database config
> rootpw VerySecret
Note: Since the config backend can be used to load arbitrary code into the
slapd process, it is extremely important to carefully guard whatever
credentials are used to access it. Since simple passwords are vulnerable to
password guessing attacks, it is usually better to omit the rootpw and only
use SASL authentication for the config rootDN.
An existing {{slapd.conf}}(5) file can be converted to the new format using
{{slaptest}}(8) or any of the slap tools:
> slaptest -f /usr/local/etc/openldap/slapd.conf -F /usr/local/etc/openldap/slapd.d
Test that you can access entries under {{EX:cn=config}} using the
default {{rootdn}} and the {{rootpw}} configured above:
> ldapsearch -x -D cn=config -w VerySecret -b cn=config
You can then discard the old {{slapd.conf}}(5) file. Make sure to launch
{{slapd}}(8) with the {{-F}} option to specify the configuration directory.
{{slapd}}(8) with the {{-F}} option to specify the configuration directory
if you are not using the default directory path.
Note: When converting from the slapd.conf format to slapd.d format, any
included files will also be integrated into the resulting configuration
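Review bot: the conversion walkthrough contradicts the Note placed directly under it: it writes a cleartext `rootpw VerySecret` into slapd.conf and then passes the same secret on the command line with `-w VerySecret`, where it is exposed in process listings and shell history, right before the text warns that the config backend can load arbitrary code into slapd and that its credentials must be guarded carefully. Suggest showing a hashed value generated with slappasswd(8), in the same `{SSHA}` form already used for olcRootPW on example line 26, and using `-W` (prompt) or `-y <file>` in place of `-w` in the ldapsearch test; since that test is a simple bind (`-x`) carrying the config rootDN credentials, it could also point to the ldapi usage documented under ITS#6839 in CHANGES or to the SASL route the Note itself recommends. The example renumbering (21-42 to 29-50, "without line 52" to "without line 60") is consistent with the eight inserted config-database lines, and the new "Line 28 is a blank line." paragraph closes that entry correctly.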