Commit 626e3f93 authored by Howard Chu's avatar Howard Chu
Browse files

More for ITS#6834 (#6836 was a dup of 6834)

parent 1fe59d33
......@@ -1033,72 +1033,95 @@ E: 20.
Line 15 is a comment. Lines 16-18 identify this entry as the global
database entry. Line 19 is a global access control. It applies to all
entries (after any applicable database-specific access controls).
Line 20 is a blank line.
The next entry defines the config backend.
E: 21. # set a rootpw for the config database so we can bind.
E: 22. # deny access to everyone else.
E: 23. dn: olcDatabase=config,cn=config
E: 24. objectClass: olcDatabaseConfig
E: 25. olcDatabase: config
E: 26. olcRootPW: {SSHA}XKYnrjvGT3wZFQrDD5040US592LxsdLy
E: 27. olcAccess: to * by * none
E: 28.
Lines 21-22 are comments. Lines 23-25 identify this entry as the config
database entry. Line 26 defines the {{super-user}} password for this
database. (The DN defaults to {{"cn=config"}}.) Line 27 denies all access
to this database, so only the super-user will be able to access it. (This
is already the default access on the config database. It is just listed
here for illustration, and to reiterate that unless a means to authenticate
as the super-user is explicitly configured, the config database will be
inaccessible.)
Line 28 is a blank line.
The next entry defines a BDB backend that will handle queries for things
in the "dc=example,dc=com" portion of the tree. Indices are to be maintained
for several attributes, and the {{EX:userPassword}} attribute is to be
protected from unauthorized access.
E: 21. # BDB definition for example.com
E: 22. dn: olcDatabase=bdb,cn=config
E: 23. objectClass: olcDatabaseConfig
E: 24. objectClass: olcBdbConfig
E: 25. olcDatabase: bdb
E: 26. olcSuffix: "dc=example,dc=com"
E: 27. olcDbDirectory: /usr/local/var/openldap-data
E: 28. olcRootDN: "cn=Manager,dc=example,dc=com"
E: 29. olcRootPW: secret
E: 30. olcDbIndex: uid pres,eq
E: 31. olcDbIndex: cn,sn,uid pres,eq,approx,sub
E: 32. olcDbIndex: objectClass eq
E: 33. olcAccess: to attrs=userPassword
E: 34. by self write
E: 35. by anonymous auth
E: 36. by dn.base="cn=Admin,dc=example,dc=com" write
E: 37. by * none
E: 38. olcAccess: to *
E: 39. by self write
E: 40. by dn.base="cn=Admin,dc=example,dc=com" write
E: 41. by * read
E: 42.
Line 21 is a comment. Lines 22-25 identify this entry as a BDB database
configuration entry. Line 26 specifies the DN suffix
for queries to pass to this database. Line 27 specifies the directory
E: 29. # BDB definition for example.com
E: 30. dn: olcDatabase=bdb,cn=config
E: 31. objectClass: olcDatabaseConfig
E: 32. objectClass: olcBdbConfig
E: 33. olcDatabase: bdb
E: 34. olcSuffix: "dc=example,dc=com"
E: 35. olcDbDirectory: /usr/local/var/openldap-data
E: 36. olcRootDN: "cn=Manager,dc=example,dc=com"
E: 37. olcRootPW: secret
E: 38. olcDbIndex: uid pres,eq
E: 39. olcDbIndex: cn,sn,uid pres,eq,approx,sub
E: 40. olcDbIndex: objectClass eq
E: 41. olcAccess: to attrs=userPassword
E: 42. by self write
E: 43. by anonymous auth
E: 44. by dn.base="cn=Admin,dc=example,dc=com" write
E: 45. by * none
E: 46. olcAccess: to *
E: 47. by self write
E: 48. by dn.base="cn=Admin,dc=example,dc=com" write
E: 49. by * read
E: 50.
Line 29 is a comment. Lines 30-33 identify this entry as a BDB database
configuration entry. Line 34 specifies the DN suffix
for queries to pass to this database. Line 35 specifies the directory
in which the database files will live.
Lines 28 and 29 identify the database {{super-user}} entry and associated
Lines 36 and 37 identify the database {{super-user}} entry and associated
password. This entry is not subject to access control or size or
time limit restrictions.
Lines 30 through 32 indicate the indices to maintain for various
Lines 38 through 40 indicate the indices to maintain for various
attributes.
Lines 33 through 41 specify access control for entries in this
Lines 41 through 49 specify access control for entries in this
database. For all applicable entries, the {{EX:userPassword}} attribute is writable
by the entry itself and by the "admin" entry. It may be used for
authentication/authorization purposes, but is otherwise not readable.
All other attributes are writable by the entry and the "admin"
entry, but may be read by all users (authenticated or not).
Line 42 is a blank line, indicating the end of this entry.
Line 50 is a blank line, indicating the end of this entry.
The next section of the example configuration file defines another
The next entry defines another
BDB database. This one handles queries involving the
{{EX:dc=example,dc=net}} subtree but is managed by the same entity
as the first database. Note that without line 52, the read access
as the first database. Note that without line 60, the read access
would be allowed due to the global access rule at line 19.
E: 43. # BDB definition for example.net
E: 44. dn: olcDatabase=bdb,cn=config
E: 45. objectClass: olcDatabaseConfig
E: 46. objectClass: olcBdbConfig
E: 47. olcDatabase: bdb
E: 48. olcSuffix: "dc=example,dc=net"
E: 49. olcDbDirectory: /usr/local/var/openldap-data-net
E: 50. olcRootDN: "cn=Manager,dc=example,dc=com"
E: 51. olcDbIndex: objectClass eq
E: 52. olcAccess: to * by users read
E: 51. # BDB definition for example.net
E: 52. dn: olcDatabase=bdb,cn=config
E: 53. objectClass: olcDatabaseConfig
E: 54. objectClass: olcBdbConfig
E: 55. olcDatabase: bdb
E: 56. olcSuffix: "dc=example,dc=net"
E: 57. olcDbDirectory: /usr/local/var/openldap-data-net
E: 58. olcRootDN: "cn=Manager,dc=example,dc=com"
E: 59. olcDbIndex: objectClass eq
E: 60. olcAccess: to * by users read
H2: Converting old style {{slapd.conf}}(5) file to {{cn=config}} format
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment