Commit 6ccef352 authored by Quanah Gibson-Mount

Sync with HEAD

parent c6a45e14
......@@ -19,7 +19,12 @@ sdf-src: \
../preamble.sdf \
abstract.sdf \
appendix-changes.sdf \
appendix-common-errors.sdf \
appendix-configs.sdf \
appendix-contrib.sdf \
appendix-deployments.sdf \
appendix-ldap-result-codes.sdf \
appendix-recommended-versions.sdf \
appendix-upgrading.sdf \
backends.sdf \
config.sdf \
......
......@@ -23,7 +23,13 @@ asked on the OpenLDAP mailing lists and scenarios discussed there, we have added
* {{SECT:Tuning}}
* {{SECT:Troubleshooting}}
* {{SECT:Changes Since Previous Release}}
* {{SECT:Upgrading from 2.3.x}}
* {{SECT:Common errors encountered when using OpenLDAP Software}}
* {{SECT:Recommended OpenLDAP Software Dependency Versions}}
* {{SECT:Real World OpenLDAP Deployments and Examples}}
* {{SECT:OpenLDAP Software Contributions}}
* {{SECT:Configuration File Examples}}
* {{SECT:LDAP Result Codes}}
* {{SECT:Glossary}}
Also, the table of contents is now 3 levels deep to ease navigation.
......
# $OpenLDAP$
# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: OpenLDAP Software Contributions
The following sections attempt to summarize the various contributions in OpenLDAP
software, as found in {{F:openldap_src/contrib}}
H2: Client APIs
Intro and discuss
H3: ldapc++
Intro and discuss
H3: ldaptcl
Intro and discuss
H2: Overlays
Intro and complete/expand correct names for below:
H3: acl
H3: addpartial
H3: allop
H3: comp_match
H3: denyop
H3: dsaschema
H3: lastmod
H3: passwd
H3: proxyOld
H3: smbk5pwd
H3: trace
H2: Tools
Intro and discuss
H3: Statistic Logging
statslog
H2: SLAPI Plugins
Intro and discuss
H3: addrdnvalues
More
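Review bot: the body of this new contributions appendix is still placeholder text ("Intro and discuss" under every H2/H3, "Intro and complete/expand correct names for below:" above the overlay list, and a bare "More" at the end), and the ten overlay headings carry no text at all. The Makefile hunk adds appendix-contrib.sdf to sdf-src and guide.sdf includes it, so these stubs will render in the built guide exactly as written. Either mark them as "#" comment lines (the file already uses that syntax for its header) so they do not appear in output, or keep the file out of sdf-src until the sections are written. Also, "H3: Statistic Logging" is followed by the single word "statslog" with no sentence around it.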
# $OpenLDAP$
# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: Real World OpenLDAP Deployments and Examples
Examples and discussions
# $OpenLDAP$
# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: LDAP Result Codes
Port "Appendix A. LDAP Result Codes" from rfc4511 and add a small explanation
in addition to current one for ldap*/slap* tools, with the aim of fending off simple, recurring
questions on the lists.
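Review bot: this appendix currently contains only the work plan (port RFC 4511 Appendix A, add an explanation for the ldap*/slap* tools) and no result codes, so it will ship as an empty chapter titled "LDAP Result Codes". The plan text should be a "#" comment until the content exists. When the table is written, list the numeric value beside each symbolic name, because the tools and the slapd logs report the number, and that is what readers arriving from the mailing-list questions the paragraph mentions will be searching for.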
# $OpenLDAP$
# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: Recommended OpenLDAP Software Dependency Versions
This appendix details the recommended versions of the software
that OpenLDAP depends on.
Please read the {{SECT:Prerequisite software}} section for more
information on the following software dependencies.
H2: Dependency Versions
!block table; align=Center; coltags="N,EX,EX"; title="Table 8.5: OpenLDAP Software Dependency Versions"
Feature|Software|Version
{{TERM[expand]TLS}}:
|{{PRD:OpenSSL}}|0.9.7+
|{{PRD:GnuTLS}}|2.0.1
{{TERM[expand]SASL}}|{{PRD:Cyrus SASL}}|2.1.21+
{{TERM[expand]Kerberos}}:
|{{PRD:Heimdal}}|Version
|{{PRD:MIT Kerberos}}|Version
Database Software|{{PRD:Berkeley DB}}:|
||4.2
||4.4
||4.5
||4.6
||Note: It is highly recommended to apply the patches from for a given release.
Threads:
|POSIX {{pthreads}}|Version
|Mach {{CThreads}}|Version
TCP Wrappers|Name|Version
!endblock
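Review bot: several cells of this table are still placeholders: Heimdal, MIT Kerberos, POSIX pthreads and Mach CThreads carry the literal string "Version", and the TCP Wrappers row reads "Name|Version". The Berkeley DB note is also missing its object: "apply the patches from for a given release" should say where the patches are to be obtained. Two smaller points: the GnuTLS entry "2.0.1" has no "+" suffix while OpenSSL is "0.9.7+" and Cyrus SASL is "2.1.21+", so it is unclear whether an exact version or a minimum is meant (state minimums consistently, since the purpose of a recommended-versions table is to tell users which releases are too old), and the title hard-codes "Table 8.5" although the chapter numbering is generated by the build.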
personal_ws-1.1 en 1406
personal_ws-1.1 en 1451
nattrsets
inappropriateAuthentication
api
......@@ -190,7 +190,7 @@ RELEASEDATE
baseDN
basedn
argv
GSS
gss
schemachecking
whoami
WhoAmI
......@@ -198,6 +198,7 @@ syslogd
dataflow
subentries
attrpair
balancer
BerkeleyDB's
singleLevel
entryDN
......@@ -206,6 +207,7 @@ includedir
inplace
LDAPAPIFeatureInfo
logbase
ldapmaster
ing
moduleload
IPC
......@@ -230,6 +232,7 @@ reqMod
ldb
srcdir
pwdExpireWarning
ldd
localstatedir
sockbuf
PENs
......@@ -249,6 +252,7 @@ whitespaces
ISP
ldp
monitorInfo
PDUs
bjensen
newPasswd
irresponsive
......@@ -305,10 +309,13 @@ desc
LTCOMPILE
bindmethod
olcDbCheckpoint
addprinc
modme
refreshOnly
PIII
pwdPolicySubentry
supportedSASLmechanism
supportedSASLMechanism
FIXME
realanonymous
caseExactMatch
......@@ -345,6 +352,7 @@ strdup
gsMatch
adamson
UniqueName
LVL
ppErrStr
DESTDIR
oid
......@@ -376,6 +384,7 @@ sharedstatedir
OLP
LDFLAGS
dereferencing
allop
errcodep
xeXBkeFxlZ
accessor's
......@@ -409,6 +418,7 @@ OSI
subschemaSubentry
cond
conf
rfc
bvec
rdn
ECHOPROMPT
......@@ -435,6 +445,7 @@ olcReadonly
olcReadOnly
pwdChangedTime
mySQL
DITs
sdf
suffixmassage
referralDN
......@@ -451,6 +462,7 @@ telephonenumber
telephoneNumber
DLDAP
peernamestyle
Sep
SHA
filename
rpath
......@@ -471,6 +483,7 @@ subdir
searchAttrDN
cctrls
tcp
kadmin
strlen
spellcheck
ludpp
......@@ -482,6 +495,7 @@ SMD
UCD
cancelled
crit
organizationalUnit
lucyB
slp
rdns
......@@ -594,6 +608,7 @@ initgroups
auditCompare
GDBM
DSA's
dsaschema
compareFalse
resultCode
resultcode
......@@ -620,6 +635,7 @@ extparam
auditWriteObject
colaligns
Diffie
offsite
attributevalue
AttributeValue
SIGTERM
......@@ -650,6 +666,7 @@ fd
LDAPSync
olcReplicationInterval
fG
gidNumber
fi
eq
FIPS
......@@ -755,6 +772,8 @@ errSleepTime
INSTALLFLAGS
pthread
pwdHistory
x's
Debian
slen
errUnsolicitedOID
dyngroup
......@@ -782,6 +801,7 @@ sbindir
apache's
noidlen
monitorContext
testrun
resync
fqdn
authPassword
......@@ -822,7 +842,9 @@ pwdSafeModify
contrib
FQDNs
bjorn
myldap
myLDAP
peercred
SNMP
myObjectClass
thru
......@@ -841,9 +863,11 @@ ldapmodrdn
ldapbis
attributeoptions
serverID
memberOf
memberof
pseudorootpw
CFLAGS
operationsError
substr
pwdAllowUserChange
rewriteRule
......@@ -880,6 +904,7 @@ SSHA
func
filterlist
modifyDN
jane
syncuser
Masarati
LDAPSyntax
......@@ -901,6 +926,8 @@ slapacl
multiclassing
monitoredInfo
LTLINK
addrdnvalues
KTNAME
ETCDIR
reqId
setspec
......@@ -919,6 +946,7 @@ subr
cachesize
olcRootPW
SSLv
proxyOld
domainScope
LDAPMessage
LTVERSION
......@@ -951,13 +979,16 @@ libtool
servercredp
AttributeTypeDescription
LTFLAGS
simplebinddn
authcDN
TLSCipherSuite
supportedSASLMechanisms
rootdse
rootDSE
dsaparam
cachefree
UMich's
uidNumber
schemadir
attribute's
extern
......@@ -980,10 +1011,12 @@ Supr
olcDatabaseConfig
rwxrwxrwx
aeeiib
SUPs
reqStart
sasldb
somevalue
LIBRELEASE
randkey
starttls
StartTLS
LDAPSchemaExtensionItem
......@@ -995,6 +1028,7 @@ backend
portnumber
subjectAltName
errObject
gsskrb
valsort
bervals
berval's
......@@ -1008,6 +1042,7 @@ dbnum
olcLdapConfig
sessionlog
attrset
organizationPerson
entryCSN
strcast
kbyte
......@@ -1027,6 +1062,7 @@ memvfree
tuple
superset
directoryString
ktadd
proxyTemplate
proxytemplate
wildcards
......@@ -1059,6 +1095,7 @@ Subbarao
setstyle
subdirectories
errlist
addpartial
slapdn
uncached
ldapapiinfo
......@@ -1096,6 +1133,7 @@ noprompt
databasenumber
hasSubordintes
URIs
denyop
lang
auditSearch
ldapdelete
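Review bot: "hasSubordintes" in the context lines of this hunk is a misspelling of the hasSubordinates attribute; keeping it in the personal word list means the spell check will accept that typo wherever it appears in the guide. Unrelated to the "denyop" addition, but worth dropping while the file is open.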
......@@ -1120,6 +1158,7 @@ ldbm
ursula
LDAPModifying
slapdconfig
sysconfig
dnSubtreeMatch
olcSaslSecProps
olcSaslSecprops
......@@ -1154,6 +1193,7 @@ sleeptime
pwdCheckQuality
msgidp
pwdAttribute
chown
PRNGD
LDAPRDN
entryUUIDs
......@@ -1182,6 +1222,7 @@ dryrun
noplain
exattrs
Jong
ldaptcl
proxied
firstName
accesslevel
......@@ -1219,11 +1260,13 @@ woid
numericStringOrderingMatch
clientctrls
RetCodes
ldapc
pwdAccountLockedTime
attrtype
LIBVERSION
proto
endif
logfiles
reqNewRDN
ldapi
notoc
......@@ -1333,6 +1376,7 @@ DHAVE
caseIgnoreSubstringsMatch
monitorIsShadow
syncdata
BDB's
olcPidFile
hostport
backload
......@@ -1384,6 +1428,7 @@ objectIdentifierMatch
Blowfish
mkln
numericStringSubstringsMatch
testgroup
openssl
OpenSSL
ModName
......
......@@ -187,6 +187,15 @@ format}} section).
Specifies the slapd configuration file that tells where to create
the indices, what indices to create, etc.
> -F <slapdconfdirectory>
Specifies a config directory. If both {{EX:-f}} and {{EX:-F}} are specified,
the config file will be read and converted to config directory format and
written to the specified directory. If neither option is specified, an attempt
to read the default config directory will be made before trying to use the
default config file. If a valid config directory exists then the default
config file is ignored. If dryrun mode is also specified, no conversion will occur.
> -d <debuglevel>
Turn on debugging, as specified by {{EX:<debuglevel>}}. The debug
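Review bot: the last sentence of the new -F paragraph, "If dryrun mode is also specified, no conversion will occur", refers to an option by a nickname while the rest of the paragraph uses the option letters ({{EX:-f}}, {{EX:-F}}); name the dry-run flag the same way so readers can find it in the option list. The precedence rule in the middle of the paragraph (a valid config directory wins and the default config file is ignored) deserves its own sentence or a short note, because an administrator who keeps editing slapd.conf after a conversion will see no effect and this paragraph is where they will look for the reason.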
......
......@@ -156,9 +156,44 @@ services.
H2: When should I use LDAP?
This is a very good question. In general, you should use a Directory
server when you require data to be centrally managed, stored and accessible via
standards based methods.
Some common examples found throughout the industry are, but not limited to:
* Machine Authentication
* User Authentication
* User/System Groups
* Address book
* Organization Representation
* Asset Tracking
* Telephony Information Store
* User resource management
* E-mail address lookups
* Application Configuration store
* PBX Configuration store
* etc.....
There are various {{SECT:Distributed Schema Files}} that are standards based, but
you can always create your own {{SECT:Schema Specification}}.
There are always new ways to use a Directory and apply LDAP principles to address
certain problems, therefore there is no simple answer to this question.
If in doubt, join the general LDAP forum for non-commercial discussions and
information relating to LDAP at:
{{URL:http://www.umich.edu/~dirsvcs/ldap/mailinglist.html}} and ask
H2: When should I not use LDAP?
When you start finding yourself bending the directory to do what you require,
maybe a redesign is needed. Or if you only require one application to use and
manipulate your data (for discussion of LDAP vs RDBMS, please read the
{{SECT:LDAP vs RDBMS}} section).
It will become obvious when LDAP is the right tool for the job.
H2: How does LDAP work?
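Review bot: the paragraph at the end of "When should I use LDAP?" is cut off: "... at: {{URL:http://www.umich.edu/~dirsvcs/ldap/mailinglist.html}} and ask" has no object. The bullet list ends with "etc.....", which should be dropped (the lead-in "but not limited to" already says the list is open-ended), and "Some common examples found throughout the industry are, but not limited to:" reads better as "Some common examples found throughout the industry include:". "standards based" should be hyphenated. Under "When should I not use LDAP?", "It will become obvious when LDAP is the right tool for the job." gives the reader no criterion; either state one or drop the sentence.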
......@@ -238,8 +273,7 @@ sharing of data with other applications.
The short answer is that use of an embedded database and custom indexing system
allows OpenLDAP to provide greater performance and scalability without loss of
reliability. OpenLDAP, since release 2.1, in its main storage-oriented backends
(back-bdb and, since 2.2, back-hdb) uses Berkeley DB concurrent / transactional
reliability. OpenLDAP uses Berkeley DB concurrent / transactional
database software. This is the same software used by leading commercial
directory software.
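Review bot: the replacement sentence drops the qualification that Berkeley DB is used by the storage-oriented backends (back-bdb and, since 2.2, back-hdb), so the text now reads as if OpenLDAP as a whole uses Berkeley DB. Keep the backend names here: the Maintenance section added in this same commit tells the reader to run slapcat for their "back-bdb or back-hdb databases" and relies on them knowing which databases those are. Separately, "This is the same software used by leading commercial directory software" is an unsupported claim; either name a product or remove it.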
......
......@@ -10,7 +10,40 @@ discuss how to correctly maintain an OpenLDAP deployment.
H2: Directory Backups
MORE
Backup strategies largely depend on the amount of change in the database
and how much of that change an administrator might be willing to lose in a
catastrophic failure. There are two basic methods that can be used:
1. Backup the Berkeley database itself and periodically back up the transaction
log files:
Berkeley DB produces transaction logs that can be used to reconstruct
changes from a given point in time. For example, if an administrator were willing to only
lose one hour's worth of changes, they could take down the server in
the middle of the night, copy the Berkeley database files offsite, and bring
the server back online. Then, on an hourly basis, they could force a
database checkpoint, capture the log files that have been generated in the
past hour, and copy them offsite. The accumulated log files, in combination
with the previous database backup, could be used with db_recover to
reconstruct the database up to the time the last collection of log files was
copied offsite. This method affords good protection, with minimal space
overhead.
2. Periodically run slapcat and back up the LDIF file:
Slapcat can be run while slapd is active. However, one runs the risk of an
inconsistent database- not from the point of slapd, but from the point of
the applications using LDAP. For example, if a provisioning application
performed tasks that consisted of several LDAP operations, and the slapcat
took place concurrently with those operations, then there might be
inconsistencies in the LDAP database from the point of view of that
provisioning application and applications that depended on it. One must,
therefore, be convinced something like that won't happen. One way to do that
would be to put the database in read-only mode while performing the
slapcat. The other disadvantage of this approach is that the generated LDIF
files can be rather large and the accumulation of the day's backups could
add up to a substantial amount of space.
You can use {{slapcat}}(8) to generate an LDIF file for each of your {{slapd}}(8)
back-bdb or back-hdb databases.
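Review bot: both backup methods produce a complete copy of the directory, including userPassword values and every other access-controlled attribute, yet the section says nothing about protecting the copies; add a sentence that offsite database files and slapcat LDIF output need at least the same access restrictions as the live database files, and encryption if they leave the host. In method 1, say why the server is taken down for the initial copy (to get a consistent snapshot of the database files) and spell out that reconstruction needs the database backup plus every log file taken since it, together in one directory, before db_recover is run; the second hunk still defers that material. In method 2, "inconsistent database- not from the point of slapd" needs a comma rather than a dangling hyphen, and "One must, therefore, be convinced something like that won't happen" would read better as a direct instruction: quiesce writers or put the database in read-only mode for the duration of the slapcat.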
......@@ -19,8 +52,7 @@ back-bdb or back-hdb databases.
For back-bdb and back-hdb, this command may be ran while slapd(8) is running.
MORE
MORE on actual Berkeley DB backups later covering db_recover etc.
H2: Berkeley DB Logs
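Review bot: at least one "MORE" placeholder remains in the shipped Maintenance chapter after this hunk ("MORE" and "MORE on actual Berkeley DB backups later covering db_recover etc."). The previous hunk now outlines both backup methods, so the bare "MORE" can go, and the db_recover reminder should become a "#" comment line (the syntax the .sdf files already use for their headers) rather than body text. Also, "this command may be ran while slapd(8) is running" should read "may be run".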
......
......@@ -92,10 +92,31 @@ PB:
!include "appendix-upgrading.sdf"; appendix
PB:
# Common Errors
!include "appendix-common-errors.sdf"; appendix
PB:
# What versions we recommend
!include "appendix-recommended-versions.sdf"; appendix
PB:
# Real Deployments
!include "appendix-deployments.sdf"; appendix
PB:
# Contributions
!include "appendix-contrib.sdf"; appendix
PB:
# Config file examples
!include "appendix-configs.sdf"; appendix
PB:
# LDAP Result Codes
!include "appendix-ldap-result-codes.sdf"; appendix
PB:
# Terms
!include "glossary.sdf"; appendix
PB:
......
......@@ -354,17 +354,17 @@ be in the list of admittable log switches:
> Conns
> BER
> Filter
> Config (useless)
> Config
> ACL
> Stats
> Stats2
> Shell
> Parse
> Cache (deprecated)
> Index
> Sync
These values can be added, replaced or deleted; they affect what
messages are sent to the syslog device.
Custom values could be added by custom modules.
H3: Operations
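Review bot: the hunk removes "(useless)" from "Config" but leaves "(deprecated)" on "Cache", so the list is now inconsistent about whether it annotates switches. Since these are literal values that readers will copy into a loglevel statement, move the deprecation remark into a sentence after the list (and say what, if anything, replaces Cache) rather than leaving a parenthetical inside the value list.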
......
......@@ -98,6 +98,71 @@ default when --enable-ldap.
H3: Chaining Configuration
In order to demonstrate how this overlay works, we shall discuss a typical
scenario which might be one master server and three Syncrepl slaves.
On each replica, add this near the top of the file (global), before any database
definitions:
> overlay chain
> chain-uri "ldap://ldapmaster.example.com"
> chain-idassert-bind bindmethod="simple"
> binddn="cn=Manager,dc=example,dc=com"
> credentials="<secret>"
> mode="self"
> chain-tls start
> chain-return-error TRUE
> updateref "ldap://ldapmaster.example.com/"
The {{B:chain-tls}} statement enables TLS from the slave to the ldap master.
The DITs are exactly the same between these machines, therefore whatever user
bound to the slave will also exist on the master. If that DN does not have
update privileges on the master, nothing will happen.
You will need to restart the slave after these changes. Then, if you are using
{{loglevel 256}}, you can monitor an {{ldapmodify}} on the slave and the master.
Now start an {{ldapmodify}} on the slave and watch the logs. You should expect
something like:
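Review bot: the example binds every slave to the master as cn=Manager,dc=example,dc=com, with the password in clear text in slapd.conf; that is the master's most privileged identity, so a compromised or misconfigured slave hands out full write access to the master. The text should use a dedicated identity granted only the proxy-authorization rights that mode="self" needs on the master, and should state that slapd.conf must not be readable by other users because of the credentials= value. Two further points: "If that DN does not have update privileges on the master, nothing will happen" is misleading next to chain-return-error TRUE in the same configuration, since the client then receives the master's error rather than silence; and chain-tls start by itself does not say whether the master's certificate is verified, which matters because the bind credentials travel over that connection.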