Commit feeec419 authored by Kurt Zeilenga

Sync with HEAD

parent 3a40cb81
......@@ -3,21 +3,24 @@
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapd-bdb, slapd-hdb \- Berkeley DB backends to slapd
\fBslapd-bdb\fP, \fBslapd-hdb\fP \- Berkeley DB backends to \fBslapd\fP
.SH SYNOPSIS
ETCDIR/slapd.conf
.B ETCDIR/slapd.conf
.SH DESCRIPTION
The BDB backend to
The \fBbdb\fP backend to
.BR slapd (8)
is the recommended backend for a normal slapd database.
is the recommended backend for a normal
.B slapd
database.
However, it takes more care than with the LDBM backend to configure
it properly.
It uses the Sleepycat Berkeley DB (BDB) package to store data.
It makes extensive use of indexing and caching to speed data access.
.LP
"hdb" is a variant of the BDB backend that uses a hierarchical database
\fBhdb\fP is a variant of the \fBbdb\fP backend that uses a
hierarchical database
layout which supports subtree renames. It is otherwise identical to
the "bdb" behavior, and all the same configuration options apply.
the \fBbdb\fP behavior, and all the same configuration options apply.
.LP
It is noted that these options are intended to complement
Berkeley DB configuration options set in the environment's
......@@ -31,30 +34,30 @@ take precedence.
.SH CONFIGURATION
These
.B slapd.conf
options apply to the BDB backend database.
options apply to the \fBbdb\fP and \fBhdb\fP backend database.
That is, they must follow a "database bdb" or "database hdb" line and
come before any subsequent "backend" or "database" lines.
Other database options are described in the
.BR slapd.conf (5)
manual page.
.TP
.B cachesize <integer>
.BI cachesize \ <integer>
Specify the size in entries of the in-memory entry cache maintained
by the BDB backend database instance.
by the \fBbdb\fP or \fBhdb\fP backend database instance.
The default is 1000 entries.
.TP
.B checkpoint <kbyte> <min>
.BI checkpoint \ <kbyte>\ <min>
Specify the frequency for checkpointing the database transaction log.
A checkpoint operation flushes the database buffers to disk and writes
a checkpoint record in the log.
The checkpoint will occur if either <kbyte> data has been written or
<min> minutes have passed since the last checkpoint.
The checkpoint will occur if either \fI<kbyte>\fP data has been written or
\fI<min>\fP minutes have passed since the last checkpoint.
Both arguments default to zero, in which case they are ignored. When
the <min> argument is non-zero, an internal task will run every <min>
minutes to perform the checkpoint.
the \fI<min>\fP argument is non-zero, an internal task will run every
\fI<min>\fP minutes to perform the checkpoint.
See the Berkeley DB reference guide for more details.
.TP
.B dbconfig <Berkeley DB setting>
.BI dbconfig \ <Berkeley\-DB\-setting>
Specify a configuration directive to be placed in the
.B DB_CONFIG
file of the database directory. The
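Review bot: the checkpoint entry should spell out the consequence of its defaults: with both arguments left at zero "they are ignored", which means no automatic checkpoint is ever taken and the administrator has to checkpoint by other means; a sentence such as "With both at zero no automatic checkpointing is performed" would save readers from assuming a sane default. In the same hunk, "options apply to the \fBbdb\fP and \fBhdb\fP backend database" now covers two backends and should read "backend databases".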
......@@ -63,11 +66,14 @@ directive is just a convenience
to allow all necessary configuration to be set in the
.B slapd.conf
file.
The options set using this directive will only be written to the DB_CONFIG
The options set using this directive will only be written to the
.B DB_CONFIG
file if no such file existed at server startup time. This allows one
to set initial values without overwriting/destroying a DB_CONFIG file
that was already customized through other means. This directive may
be specified multiple times, as needed. For example
to set initial values without overwriting/destroying a
.B DB_CONFIG
file that was already customized through other means.
This directive may be specified multiple times, as needed.
For example:
.RS
.nf
dbconfig set_cachesize 0 1048576 0
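Review bot: the sentence "will only be written to the DB_CONFIG file if no such file existed at server startup time" should also state the flip side, that once a DB_CONFIG exists, later edits to dbconfig lines in slapd.conf are silently ignored and the value has to be changed in DB_CONFIG itself; operators tuning set_cachesize from the example will otherwise wonder why the change has no effect.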
......@@ -82,7 +88,7 @@ Enabling this option may improve performance at the expense of data
security.
See the Berkeley DB reference guide for more details.
.TP
.B directory <directory>
.BI directory \ <directory>
Specify the directory where the BDB files containing this database and
associated indexes live.
A separate directory must be specified for each database.
......@@ -98,19 +104,20 @@ results if the data comes from a transaction that is later aborted.
In this case, the modified data is discarded and a subsequent search
will return a different result.
.TP
.B idlcachesize <integer>
.BI idlcachesize \ <integer>
Specify the size of the in-memory index cache, in index slots. The
default is zero. A larger value will speed up frequent searches of
indexed entries. An hdb database needs a large idlcachesize
for good search performance, typically three times the entry cache size
indexed entries. An \fBhdb\fP database needs a large \fBidlcachesize\fP
for good search performance, typically three times the
.B cachesize
(entry cache size)
or larger.
.TP
.B
index {<attrlist>|default} [pres,eq,approx,sub,<special>]
\fBindex \fR{\fI<attrlist>\fR|\fBdefault\fR} [\fBpres\fR,\fBeq\fR,\fBapprox\fR,\fBsub\fR,\fI<special>\fR]
Specify the indexes to maintain for the given attribute (or
list of attributes).
Some attributes only support a subset of indexes.
If only an <attr> is given, the indices specified for \fBdefault\fR
If only an \fI<attr>\fP is given, the indices specified for \fBdefault\fR
are maintained.
Note that setting a default does not imply that all attributes will be
indexed. Also, for best performance, an
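Review bot: the idlcachesize entry says the default is zero and that an hdb database needs "three times the cachesize or larger", but does not connect this to the cachesize default of 1000 entries given above; suggest stating plainly that an hdb database with default cachesize should set idlcachesize to at least 3000, since a zero default combined with the "needs a large idlcachesize" wording leaves hdb misconfigured out of the box.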
......@@ -133,31 +140,46 @@ may be specified to disallow use of this index by language subtypes.
The special type
.B nosubtypes
may be specified to disallow use of this index by named subtypes.
Note: changing index settings requires rebuilding indices, see
.BR slapindex (8).
Note: changing \fBindex\fP settings in
.BR slapd.conf (5)
requires rebuilding indices, see
.BR slapindex (8);
changing \fBindex\fP settings
dynamically by LDAPModifying "cn=config" automatically causes rebuilding
of the indices online in a background task.
.TP
.B linearindex
Tell slapindex to index one attribute at a time. By default, all indexed
Tell
.B slapindex
to index one attribute at a time. By default, all indexed
attributes in an entry are processed at the same time. With this option,
each indexed attribute is processed individually, using multiple passes
through the entire database. This option improves slapindex performance
when the database size exceeds the dbcache size. When the dbcache is
through the entire database. This option improves
.B slapindex
performance
when the database size exceeds the \fBdbcache\fP size. When the \fBdbcache\fP is
large enough, this option is not needed and will decrease performance.
Also by default, slapadd performs full indexing and so a separate slapindex
run is not needed. With this option, slapadd does no indexing and slapindex
Also by default,
.B slapadd
performs full indexing and so a separate
.B slapindex
run is not needed. With this option,
.B slapadd
does no indexing and
.B slapindex
must be used.
.TP
.B lockdetect {oldest|youngest|fewest|random|default}
.BR lockdetect \ { oldest | youngest | fewest | random | default }
Specify which transaction to abort when a deadlock is detected.
The default is the same as
The default is
.BR random .
.TP
.B mode <integer>
.BI mode \ <integer>
Specify the file protection mode that newly created database
index files should have.
The default is 0600.
.TP
.B searchstack <depth>
.BI searchstack \ <depth>
Specify the depth of the stack used for search filter evaluation.
Search filters are evaluated on a stack to accommodate nested AND / OR
clauses. An individual stack is assigned to each server thread.
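Review bot: the linearindex entry refers to "the \fBdbcache\fP size", but no dbcache directive is defined on this page; the value it means is the Berkeley DB cache set through "dbconfig set_cachesize" (or DB_CONFIG), and the text should say so rather than bold a name the reader cannot look up. Also "by LDAPModifying \"cn=config\"" is awkward; "by modifying the \fBcn=config\fP database over LDAP" reads better and matches the config backend name used elsewhere in this change.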
......@@ -170,7 +192,7 @@ but specifying too much stack will also consume a great deal of memory.
Each search stack uses 512K bytes per level. The default stack depth
is 16, thus 8MB per thread is used.
.TP
.B shm_key <integer>
.BI shm_key \ <integer>
Specify a key for a shared memory BDB environment. By default the
BDB environment uses memory mapped files. If a non-zero value is
specified, it will be used as the key to identify a shared memory
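Review bot: the shm_key entry says a non-zero key selects a shared memory environment instead of memory mapped files, but says nothing about who can attach to that segment; since the mode directive above only covers "newly created database index files", the entry should state whether mode (or the process umask) governs the shared memory permissions, otherwise readers cannot tell whether other local users can read the environment.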
......@@ -184,10 +206,12 @@ backends honor access control semantics as indicated in
.BR slapd.access (5).
.SH FILES
.TP
ETCDIR/slapd.conf
default slapd configuration file
.B ETCDIR/slapd.conf
default
.B slapd
configuration file
.TP
DB_CONFIG
.B DB_CONFIG
Berkeley DB configuration file
.SH SEE ALSO
.BR slapd.conf (5),
......
......@@ -105,6 +105,22 @@ before any target specification, it applies to all targets (by default,
.BR never );
the global value can be overridden by redefinitions inside each target
specification.
.TP
.B onerr {CONTINUE|stop}
This directive allows to select the behavior in case an error is returned
by one target during a search.
The default, \fBcontinue\fP, consists in continuing the operation,
trying to return as much data as possible.
If this statement is set to \fBstop\fP, the search is terminated as soon
as an error is returned by one target, and the error is immediately
propagated to the client.
.TP
.B rebind-as-user {NO|yes}
If this option is given, the client's bind credentials are remembered
for rebinds when chasing referrals.
.SH TARGET SPECIFICATION
Target specification starts with a "uri" directive:
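Review bot: onerr and rebind-as-user are now documented before the TARGET SPECIFICATION section, but unlike chase-referrals they do not carry the "If set before any target specification, it affects all targets, unless overridden by any per-target directive" sentence; either add it or say they are global only. rebind-as-user is listed as {NO|yes} yet described only with "If this option is given", so the default should be stated explicitly ("The default is \fBno\fP"). Grammar: "This directive allows to select the behavior" should be "This directive selects the behavior".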
......@@ -165,16 +181,13 @@ Password used with the
acl-authcDN
above.
.TP
.B rebind-as-user {NO|yes}
If this option is given, the client's bind credentials are remembered
for rebinds when chasing referrals.
.TP
.B chase-referrals {YES|no}
enable/disable automatic referral chasing, which is delegated to the
underlying libldap, with rebinding eventually performed if the
\fBrebind-as-user\fP directive is used. The default is to chase referrals.
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
.TP
.B tls {[try-]start|[try-]propagate}
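Review bot: chase-referrals defaults to yes and, "with rebinding eventually performed if the \fBrebind-as-user\fP directive is used", the proxy will present the client's remembered bind credentials to whatever server a referral names; the entry should carry a caution that enabling both forwards user credentials to servers chosen by the referring target, so the pair should only be used with trusted targets or with tls set to propagate.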
......@@ -184,6 +197,8 @@ only works if the URI directive protocol scheme is not \fBldaps://\fP.
connection did.
The \fBtry-\fP prefix instructs the proxy to continue operations
if start TLS failed; its use is highly deprecated.
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
.TP
.B t-f-support {NO|yes|discover}
......@@ -192,16 +207,26 @@ enable if the remote server supports absolute filters
If set to
.BR discover ,
support is detected by reading the remote server's root DSE.
.TP
.B onerr {CONTINUE|stop}
This directive allows to select the behavior in case an error is returned
by one target during a search.
The default, \fBcontinue\fP, consists in continuing the operation,
trying to return as much data as possible.
If this statement is set to \fBstop\fP, the search is terminated as soon
as an error is returned by one target, and the error is immediately
propagated to the client.
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
.TP
.B timeout [{add|delete|modify|modrdn}=]<val> [...]
This directive allows to set per-database, per-target and per-operation
timeouts.
If no operation is specified, it affects all.
Currently, only write operations are addressed, because searches
can already be limited by means of the
.B limits
directive (see
.BR slapd.conf (5)
for details), and other operations are not supposed to incur into the
need for timeouts.
Note: if the timelimit is exceeded, the operation is abandoned;
the protocol does not provide any means to rollback the operation,
so the client will not know if the operation eventually succeeded or not.
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
.TP
.B pseudorootdn "<substitute DN in case of rootdn bind>"
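Review bot: the timeout syntax "[{add|delete|modify|modrdn}=]<val>" never says what unit <val> is in (seconds?), which a reader needs before setting it; please state the unit and whether 0 disables the timeout. Wording: "allows to set" should be "sets", and "are not supposed to incur into the need for timeouts" should be "are not expected to need timeouts". The note that an abandoned operation cannot be rolled back is valuable and should stay.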
......
......@@ -3,15 +3,19 @@
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapd-monitor \- Monitor backend to slapd
.B slapd-monitor
\- Monitor backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The monitor backend to
The
.B monitor
backend to
.BR slapd (8)
is not an actual database; if enabled, it is automatically generated
and dynamically maintained by slapd with information about the running
status of the daemon.
and dynamically maintained by
.B slapd
with information about the running status of the daemon.
.LP
To inspect all monitor information, issue a subtree search with base
cn=Monitor, requesting that attributes "+" and "*" are returned.
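Review bot: the NAME section now puts ".B slapd-monitor" and "\- Monitor backend to slapd" on separate lines, whereas the slapd-bdb page in this same change keeps NAME on one line with inline \fB...\fP; tools that build the whatis database from NAME expect "name \- description" on a single line, so use the inline form here too. For consistency with that page, the SYNOPSIS line "ETCDIR/slapd.conf" should also get ".B".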
......@@ -22,19 +26,23 @@ attributes.
.SH CONFIGURATION
These
.B slapd.conf
options apply to the monitor backend database.
options apply to the
.B monitor
backend database.
That is, they must follow a "database monitor" line and come before any
subsequent "backend" or "database" lines.
.LP
As opposed to most databases, the monitor database can be instantiated
only once, i.e. only one occurrence of "database monitor" can occur
in the
As opposed to most databases, the
.B monitor
database can be instantiated only once, i.e. only one occurrence
of "database monitor" can occur in the
.BR slapd.conf (5)
file.
Moreover, the suffix of the database cannot be explicitly set by means
of the
.B suffix
directive; on the contrary, the suffix is automatically set
directive.
The suffix is automatically set
to "\fIcn=Monitor\fP".
.LP
The
......@@ -46,15 +54,14 @@ and the
directives, and the usual ACL directives, e.g. the
.B access
directive.
.LP
The following directives can be used:
.TP
.B l <locality>
The
.B <locality>
string is added to the "\fIcn=Monitor\fP" entry as value of the
.B l
attribute (Note: this may be subjected to changes).
.\".LP
.\"The following directives can be used:
.\".TP
.\".BI l \ <locality>
.\"The additional argument \fI<locality>\fP,
.\"a string, is added to the "\fIcn=Monitor\fP" entry as value of the
.\".B l
.\"attribute (Note: this may be subjected to changes).
.LP
Other database options are described in the
.BR slapd.conf (5)
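Review bot: the "l <locality>" directive is commented out with .\" rather than removed or replaced, so the page now says "The following directives can be used:" in a comment and lists nothing; if the directive is no longer supported, delete the block or say it was removed, and if it is still accepted, keep it documented. The commented copy also changes the wording ("The additional argument ... a string"), which suggests it is meant to come back; leaving dead text in the man page source makes that intent unclear.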
......@@ -62,7 +69,7 @@ manual page.
.SH USAGE
The usage is:
.TP
1) enable the monitor backend at configure:
1) enable the \fBmonitor\fP backend at configure:
.LP
.RS
.nf
......@@ -70,9 +77,7 @@ configure --enable-monitor
.fi
.RE
.TP
2) activate the monitor database in the
.BR slapd.conf (5)
file:
2) activate the \fBmonitor\fP database in the \fBslapd.conf\fP(5) file:
.LP
.RS
.nf
......@@ -80,9 +85,7 @@ database monitor
.fi
.RE
.TP
3) add ACLs as detailed in
.BR slapd.access (5)
to control access to the database, e.g.:
3) add ACLs as detailed in \fBslapd.access\fP(5) to control access to the database, e.g.:
.LP
.RS
.nf
......@@ -94,7 +97,9 @@ access to dn.subtree="cn=Monitor"
.RE
.TP
4) ensure that the \fBcore.schema\fP file is loaded.
The monitor backend relies on some standard track attributeTypes
The
.B monitor
backend relies on some standard track attributeTypes
that must be already defined when the backend is started.
.SH ACCESS CONTROL
The
......@@ -105,10 +110,12 @@ including the
.B disclose
access privilege, on all currently implemented operations.
.SH KNOWN LIMITATIONS
The monitor backend does not honor size/time limits in search operations.
The
.B monitor
backend does not honor size/time limits in search operations.
.SH FILES
.TP
ETCDIR/slapd.conf
.B ETCDIR/slapd.conf
default slapd configuration file
.SH SEE ALSO
.BR slapd.conf (5),
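Review bot: "does not honor size/time limits in search operations" should say whether this also covers the limits directive of slapd.conf(5); the USAGE section tells operators to protect cn=Monitor with ACLs, and they need to know that a subtree search with "+" and "*" cannot be bounded by limits, so access should be restricted to the identities that really need it.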
......
......@@ -161,7 +161,7 @@ The default is
The statement that is used to delete an existing entry's ID
from table \fIldap_objclasses\fP; see "METAINFORMATION USED" for details.
The default is
\fB""DELETE FROM ldap_entry_objclasses WHERE entry_id=?"\fP.
\fB"DELETE FROM ldap_entry_objclasses WHERE entry_id=?"\fP.
.RE
.SH HELPER CONFIGURATION
......
......@@ -806,6 +806,25 @@ or the (even more silly) example
.LP
which grants everybody search and compare privileges, and adds read
privileges to authenticated clients.
.LP
One useful application is to easily grant write privileges to an
.B updatedn
that is different from the
.BR rootdn .
In this case, since the
.B updatedn
needs write access to (almost) all data, one can use
.LP
.nf
access to *
by dn.exact="cn=The Update DN,dc=example,dc=com" write
by * break
.fi
.LP
as the first access rule.
As a consequence, unless the operation is performed with the
.B updatedn
identity, control is passed straight to the subsequent rules.
.SH OPERATION REQUIREMENTS
Operations require different privileges on different portions of entries.
The following summary applies to primary database backends such as
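Review bot: the prose says the updatedn "needs write access to (almost) all data", but the example rule is "access to *", which grants the updatedn write on every entry and attribute in the database, including the ones the word "almost" was meant to exclude; either scope the rule (e.g. an attrs= clause excluding the attributes that must stay read-only) or drop "almost" so the text and the rule agree. It would also help to say explicitly that "by * break" is what lets every other identity fall through to the subsequent rules instead of being denied by the implicit "by * none".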
......
......@@ -970,9 +970,12 @@ type of backend.
Mark the beginning of a backend definition. <databasetype>
should be one of
.BR bdb ,
.BR config ,
.BR dnssrv ,
.BR hdb ,
.BR ldap ,
.BR ldbm ,
.BR ldif ,
.BR meta ,
.BR monitor ,
.BR null ,
......@@ -980,9 +983,8 @@ should be one of
.BR perl ,
.BR relay ,
.BR shell ,
.BR sql ,
or
.BR tcl ,
.BR sql ,
depending on which backend will serve the database.
.SH GENERAL DATABASE OPTIONS
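Review bot: removing the ".BR tcl ," entry also removed the "or" that preceded the last item, so the backend list now ends ".BR shell , .BR sql , depending on which backend"; put "or" back before the final ".BR sql ," (and drop its trailing comma) so the sentence reads correctly.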
......@@ -998,9 +1000,12 @@ option are mandatory for each database.
Mark the beginning of a new database instance definition. <databasetype>
should be one of
.BR bdb ,
.BR config ,
.BR dnssrv ,
.BR hdb ,
.BR ldap ,
.BR ldbm ,
.BR ldif ,
.BR meta ,
.BR monitor ,
.BR null ,
......@@ -1008,9 +1013,8 @@ should be one of
.BR perl ,
.BR relay ,
.BR shell ,
.BR sql ,
or
.BR tcl ,
.BR sql ,
depending on which backend will serve the database.
.TP
.B lastmod on | off
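Review bot: same problem as the backend list above: with tcl gone the database list ends ".BR shell , .BR sql , depending on", missing the "or" before the last item; restore "or" before ".BR sql".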
......@@ -1552,21 +1556,34 @@ However, it takes more care than with the LDBM backend to configure
it properly.
It uses the Sleepycat Berkeley DB (BDB) package to store data.
.TP
.B ldbm
This is the database backend which is easiest to configure.
However, it does not offer the data durability features of the BDB
backend.
It uses Berkeley DB or GDBM to store data.
.B config
This backend is used to manage the configuration of slapd run-time.
.TP
.B dnssrv
This backend is experimental.
It serves up referrals based upon SRV resource records held in the
Domain Name System.
.TP
.B hdb
This is a variant of the BDB backend that uses a hierarchical database
layout which supports subtree renames.
.TP
.B ldap
This backend acts as a proxy to forward incoming requests to another
LDAP server.
.TP
.B ldbm
This is the database backend which is easiest to configure.
However, it does not offer the data durability features of the BDB
backend.
It uses Berkeley DB or GDBM to store data.
.TP
.B ldif
This database uses the filesystem to build the tree structure
of the database, using plain ascii files to store data.
Its usage should be limited to very simple databases, where performances
are not a requirement.
.TP
.B meta
This backend performs basic LDAP proxying with respect to a set of
remote LDAP servers. It is an enhancement of the ldap backend. The
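Review bot: "This backend is used to manage the configuration of slapd run-time" should read "at run time" and could name the suffix (cn=config) so it matches the slapd-bdb index note in this same change; for ldif, "where performances are not a requirement" should be "where performance is not a requirement". Since relay now carries "This backend is experimental" like dnssrv, the list is consistent in marking experimental backends, which is good.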
......@@ -1593,7 +1610,8 @@ interpreter into slapd.
It runs Perl subroutines to implement LDAP operations.
.TP
.B relay
This backend redirects LDAP operations to another database
This backend is experimental.
It redirects LDAP operations to another database
in the same server, based on the naming context of the request.
Its use requires the
.B rwm
......@@ -1610,13 +1628,100 @@ It is primarily intended to be used in prototypes.
.B sql
This backend is experimental.
It services LDAP requests from an SQL database.
.SH OVERLAYS
The following overlays can be compiled into slapd.
They are documented in the
.BR slapo-<overlay> (5)
manual pages.
.TP
.B tcl
This backend is experimental.
It embeds a
.BR Tcl (3tcl)
interpreter into slapd.
It runs Tcl commands to implement LDAP operations.
.B accesslog
Access Logging.
This overlay can record accesses to a given backend database on another
database.
.TP
.B auditlog
Audit Logging.
This overlay records changes on a given backend database to an LDIF log
file.
By default it is not built.
.TP
.B chain
Chaining.
This overlay allows automatic referral chasing when a referral would
have been returned.
.TP
.B denyop
Deny Operation.
This overlay allows selected operations to be denied, similar to the
\fBrestrict\fP option.
.TP
.B dyngroup
Dynamic Group.
This is a demo overlay which extends the Compare operation to detect
members of a dynamic group.
It has no effect on any other operations.
.TP
.B dynlist
Dynamic List.
This overlay allows expansion of dynamic groups and more.
.TP
.B glue
Backend Glue.
This overlay glues multiple databases into a single namingContext.
.TP
.B lastmod
Last Modification.
This overlay maintains a service entry in the database with the DN,
modification type, modifiersName and modifyTimestamp of the last write
operation performed on that database.
.TP
.B pcache
Proxycache.
This overlay allows caching of LDAP search requests in a local database.
.TP
.B ppolicy
Password Policy.
This overlay provides a variety of password control mechanisms,
e.g. password aging, password reuse and duplication control, mandatory
password resets, etc.
.TP
.B refint
Referential Integrity.
This overlay can be used with a backend database such as
.BR slapd-bdb (5)
to maintain the cohesiveness of a schema which utilizes reference
attributes.
.TP
.B retcode
Return Code.
This overlay is useful to test the behavior of clients when
server-generated erroneous and/or unusual responses occur.
.TP
.B rwm
Rewrite/remap.
This overlay is experimental.
It performs basic DN/data rewrite and
objectClass/attributeType mapping.
.TP
.B syncprov
Syncrepl Provider.
This overlay implements the provider-side support for
.B syncrepl
replication, including persistent search functionality.
.TP
.B translucent
Translucent Proxy.
This overlay can be used with a backend database such as
.BR slapd-bdb (5)
to create a "translucent proxy".
Content of entries retrieved from a remote LDAP server can be partially
overridden by the database.
.TP
.B unique
Attribute Uniqueness.
This overlay can be used with a backend database such as
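Review bot: the OVERLAYS introduction says these overlays "can be compiled into slapd", but auditlog adds "By default it is not built" without saying which configure option enables it; state it or drop the sentence. For chain, "allows automatic referral chasing when a referral would have been returned" should mention which identity the chained operation runs under, as the same credential-forwarding concern raised for slapd-meta applies here. Minor: "denyop ... similar to the \fBrestrict\fP option" should use ".B restrict" like the rest of the page, and the unique entry is cut off mid-sentence at the end of this hunk.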