Commit d0a77750 authored by Kurt Zeilenga

Misc updates

parent c22e91c4
......@@ -285,8 +285,7 @@ reasonable defaults, making your job much easier.
{{slapd}} also has its limitations, of course. The main LDBM
database backend does not handle range queries or negation queries
very well. These features and more will be coming in a future
release.
very well.
H2: What is slurpd and what can it do?
......
......@@ -33,6 +33,9 @@ PB:
!include "config.sdf"; chapter
PB:
!include "security.sdf"; chapter
PB:
!include "install.sdf"; chapter
PB:
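Review bot: the new `!include "security.sdf"; chapter` at line 18 pulls in a file that appears nowhere else in this commit; confirm security.sdf is added in the same change, because the quick-start text in this commit also cross-references {{SECT:Security Considerations}}, and both the guide build and that cross-reference break if the file is missing.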
......
......@@ -9,7 +9,7 @@ P1: Preface
# document's copyright
P2[notoc] Copyright
Copyright 1998-2000, The {{ORG[expand]OLF}}, {{All Rights Reserved}}.
Copyright 1998-2001, The {{ORG[expand]OLF}}, {{All Rights Reserved}}.
Copyright 1992-1996, Regents of the {{ORG[expand]UM}}, {{All Rights Reserved}}.
......@@ -17,6 +17,7 @@ Copyright 1992-1996, Regents of the {{ORG[expand]UM}}, {{All Rights Reserved}}.
P2[notoc] Scope of this Document
This document provides a guide for installing OpenLDAP 2.1 Software
({{URL:http://www.openldap.org/software/}})
on {{TERM:UNIX}} (and UNIX-like) systems. The document is aimed at
experienced system administrators but who may not have prior experience
operating {{TERM:LDAP}}-based directory software.
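Review bot: line 34 reads "aimed at experienced system administrators but who may not have prior experience"; the "but" leaves the clause ungrammatical. Suggest "aimed at experienced system administrators who may not have prior experience operating {{TERM:LDAP}}-based directory software."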
......@@ -44,8 +45,9 @@ The {{ORG[expand]OLP}} is comprised of a team of volunteers. This document
would not be possible without their contribution of time and energy.
The OpenLDAP Project would also like to thank the {{ORG[expand]UMLDAP}}
for building the foundation of LDAP software and information
to which OpenLDAP Software is built upon.
for building the foundation of LDAP software and information to
which OpenLDAP Software is built upon. This document is based upon
U-Mich LDAP document: {{The SLAPD and SLURPD Administrators Guide}}.
P2[notoc] Amendments
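Review bot: the reflowed sentence at lines 41-42 keeps the doubled preposition "to which OpenLDAP Software is built upon"; suggest "upon which OpenLDAP Software is built". The added sentence at lines 42-43 is also missing an article: "based upon the U-Mich LDAP document: {{The SLAPD and SLURPD Administrators Guide}}".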
......
# $OpenLDAP$
# Copyright 1999-2000, The OpenLDAP Foundation, All Rights Reserved.
# Copyright 1999-2001, The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: A Quick-Start Guide
......@@ -17,9 +17,10 @@ OpenLDAP Software FAQ).
If you intend to run OpenLDAP seriously, you should review the all
of this document before attempt to install the software.
Note: This quick start guide does not use strong authentication nor
any privacy and integrity protection services. These services are
described in other chapters of the OpenLDAP Administrator's Guide.
Note: This quick start guide does not use strong authentication
nor any integrity or confidential protection services. These
services are described in other chapters of the OpenLDAP Administrator's
Guide.
.{{S: }}
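Review bot: in the rewritten note at line 58, "integrity or confidential protection services" should be "integrity or confidentiality protection services"; the services meant are data integrity and data confidentiality, and the text being replaced ("privacy and integrity protection") used the noun form. While this paragraph is being touched, the unchanged context at lines 52-53, "review the all of this document before attempt to install", should read "review all of this document before attempting to install".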
......@@ -265,10 +266,12 @@ backend arrangements, etc.
Note that by default, the {{slapd}}(8) database grants {{read access
to everybody}} excepting the {{super-user}} (as specified by the
{{EX:rootdn}} configuration directive). It is highly recommended that
you establish controls to restrict access to authorized users. Access
controls are discussed in the {{SECT:Access Control}} section of the
{{SECT:The slapd Configuration File}} chapter.
{{EX:rootdn}} configuration directive). It is highly recommended
that you establish controls to restrict access to authorized users.
Access controls are discussed in the {{SECT:Access Control}} section
of the {{SECT:The slapd Configuration File}} chapter. You are also
encouraged to read {{SECT:Security Considerations}}, {{SECT:Using
SASL}} and {{SECT:Using TLS}} sections.
The following chapters provide more detailed information on making,
installing, and running {{slapd}}(8).
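Review bot: "You are also encouraged to read {{SECT:Security Considerations}}, {{SECT:Using SASL}} and {{SECT:Using TLS}} sections" (lines 72-74) needs "the" before the list. Since the paragraph opens by warning that the default database grants read access to everybody, it would help a first-time administrator to say what each pointer is for: the {{SECT:Access Control}} reference already given is the one that restricts those reads, while the SASL and TLS sections cover authenticating clients and protecting the connection, and are not a substitute for an access directive.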
......@@ -663,36 +663,35 @@ to grant specific permissions.
H3: Access Control Evaluation
When evaluating whether some requester should be given
access to an entry and/or attribute, slapd compares the entry
and/or attribute to the {{EX:<what>}} selectors given in the
configuration file. Access directives local to the current
database are examined first, followed by global access
directives. Within this priority, access directives are
examined in the order in which they appear in the config file.
Slapd stops with the first {{EX:<what>}} selector that matches the
entry and/or attribute. The corresponding access directive is
the one slapd will use to evaluate access.
Next, slapd compares the entity requesting access to the
{{EX:<who>}} selectors within the access directive selected above
in the order in which they appear. It stops with the first {{EX:<who>}}
selector that matches the requester. This determines the
access the entity requesting access has to the entry and/or
attribute.
When evaluating whether some requester should be given access to
an entry and/or attribute, slapd compares the entry and/or attribute
to the {{EX:<what>}} selectors given in the configuration file.
For each entry, access control provided in the database which holds
the entry (or the first database if not held in any database) apply
first, followed by the global access directivies. Within this
priority, access directives are examined in the order in which they
appear in the config file. Slapd stops with the first {{EX:<what>}}
selector that matches the entry and/or attribute. The corresponding
access directive is the one slapd will use to evaluate access.
Next, slapd compares the entity requesting access to the {{EX:<who>}}
selectors within the access directive selected above in the order
in which they appear. It stops with the first {{EX:<who>}} selector
that matches the requester. This determines the access the entity
requesting access has to the entry and/or attribute.
Finally, slapd compares the access granted in the selected
{{EX:<access>}} clause to the access requested by the client. If it
allows greater or equal access, access is granted. Otherwise,
{{EX:<access>}} clause to the access requested by the client. If
it allows greater or equal access, access is granted. Otherwise,
access is denied.
The order of evaluation of access directives makes their
placement in the configuration file important. If one access
directive is more specific than another in terms of the entries
it selects, it should appear first in the config file. Similarly, if
one {{EX:<who>}} selector is more specific than another it should
come first in the access directive. The access control
examples given below should help make this clear.
The order of evaluation of access directives makes their placement
in the configuration file important. If one access directive is
more specific than another in terms of the entries it selects, it
should appear first in the config file. Similarly, if one {{EX:<who>}}
selector is more specific than another it should come first in the
access directive. The access control examples given below should
help make this clear.
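Review bot: line 100 has a typo, "directivies" for "directives", and the subject at lines 98-100 does not agree with its verb ("access control ... apply"); suggest "the access controls provided in the database which holds the entry (or the first database if the entry is not held in any database) apply first". The parenthetical introduces a behaviour the rest of the chapter must match: it agrees with the first-database remark in the later hunk of this file, but it makes the access directives of whichever database definition comes first in slapd.conf security-relevant for the Root DSE and other entries outside every database, which deserves a plain sentence of its own rather than a parenthesis.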
......@@ -809,10 +808,9 @@ means that queries not local to one of the databases defined
below will be referred to the LDAP server running on the
standard port (389) at the host {{EX:root.openldap.org}}.
Line 4 is a global access control. It is used only if
no database access controls match or when the target
objects are not under the control of any database (such as
the Root DSE).
Line 4 is a global access control. It applies to all
entries (after any applicable database-specific access
controls).
The next section of the configuration file defines an LDBM
backend that will handle queries for things in the
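Review bot: the new wording "It applies to all entries (after any applicable database-specific access controls)" at lines 137-139 is easy to read as "always evaluated"; under the evaluation rules in this same file slapd stops at the first {{EX:<what>}} selector that matches, so the global directive is reached only when no access directive in the database holding the entry matched. Suggest "It is consulted only when no access directive of the database holding the entry matches." The Root DSE remark from the deleted text now lives with the first database description, so nothing is lost by dropping it here.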
......@@ -851,40 +849,41 @@ E: 30. by self write
E: 31. by dn="cn=Admin,dc=example,dc=com" write
E: 32. by * read
Line 5 is a comment. The start of the database definition is
marked by the database keyword on line 6. Line 7 specifies
the DN suffix for queries to pass to this database. Line 8
specifies the directory in which the database files will live.
Line 5 is a comment. The start of the database definition is marked
by the database keyword on line 6. Line 7 specifies the DN suffix
for queries to pass to this database. Line 8 specifies the directory
in which the database files will live.
Lines 9 and 10 identify the database "super user" entry and
associated password. This entry is not subject to access
control or size or time limit restrictions.
Lines 9 and 10 identify the database "super user" entry and associated
password. This entry is not subject to access control or size or
time limit restrictions.
Lines 11 through 18 are for replication. Line 11 specifies the
replication log file (where changes to the database are logged
\- this file is written by slapd and read by slurpd). Lines 12
through 14 specify the hostname and port for a replicated
host, the DN to bind as when performing updates, the bind
method (simple) and the credentials (password) for the
binddn. Lines 15 through 18 specify a second replication site.
See the {{SECT:Replication with slurpd}} chapter for more
information on these directives.
Lines 20 through 22 indicate the indexes to maintain for
various attributes.
Lines 24 through 32 specify access control for entries in the
database. For all entries, the {{EX:userPassword}} attribute is
writable by the entry itself and by the "admin" entry. It may be
used for authentication/authorization purposes, but is otherwise
not readable. All other attributes are writable by the entry and
the "admin" entry, but may be read by authenticated users.
The next section of the example configuration file defines
another LDBM database. This one handles queries involving
the {{EX:dc=example,dc=net}} subtree. Note that without
line 38, the read access would be allowed due to the
global access rule at line 4.
replication log file (where changes to the database are logged \-
this file is written by slapd and read by slurpd). Lines 12 through
14 specify the hostname and port for a replicated host, the DN to
bind as when performing updates, the bind method (simple) and the
credentials (password) for the binddn. Lines 15 through 18 specify
a second replication site. See the {{SECT:Replication with slurpd}}
chapter for more information on these directives.
Lines 20 through 22 indicate the indexes to maintain for various
attributes.
Lines 24 through 32 specify access control for entries in the this
database. As this is the first database, the controls also apply
to entries not held in any database (such as the Root DSE). For
all applicable entries, the {{EX:userPassword}} attribute is writable
by the entry itself and by the "admin" entry. It may be used for
authentication/authorization purposes, but is otherwise not readable.
All other attributes are writable by the entry and the "admin"
entry, but may be read by authenticated users.
The next section of the example configuration file defines another
LDBM database. This one handles queries involving the
{{EX:dc=example,dc=net}} subtree. Note that without line 38, the
read access would be allowed due to the global access rule at line
4.
E: 33. # ldbm definition for example.net
E: 34. database ldbm
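Review bot: line 190 reads "entries in the this database"; drop "the". The new sentence at lines 191-192, "As this is the first database, the controls also apply to entries not held in any database (such as the Root DSE)", is the operative security statement of this change and matches the evaluation section; it would be worth stating the consequence explicitly, namely that reordering the database definitions in slapd.conf changes which access directives protect the Root DSE, so an administrator who moves the example.net definition ahead of example.com silently changes that protection.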
......
# $OpenLDAP$
# Copyright 1999-2000, The OpenLDAP Foundation, All Rights Reserved.
# Copyright 1999-2001, The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
# template for plain documents
......@@ -12,7 +12,7 @@
!endmacro
!macro HTML_FOOTER
{{INLINE:<FONT COLOR="#808080" FACE="Arial,Verdana,Helvetica" SIZE="1">}}
{{INLINE:<B>______________<BR><SMALL>}}
{{INLINE:<B>________________<BR><SMALL>}}
[[c]] Copyright 2001,
{{INLINE:<A HREF="/foundation/">OpenLDAP Foundation</A>}},
{{EMAIL: info@OpenLDAP.org}}
......
# $OpenLDAP$
# Copyright 1999-2000, The OpenLDAP Foundation, All Rights Reserved.
# Copyright 1999-2001, The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
#
......@@ -53,7 +53,7 @@
!block inline; expand
<P>
<FONT COLOR="#808080" FACE="Arial,Verdana,Helvetica" SIZE="1"><B>
______________<BR>
________________<BR>
<SMALL>&copy; Copyright 2001, <A HREF="http://www.OpenLDAP.org/foundation/">OpenLDAP Foundation</A>, <A HREF="mailto:info@OpenLDAP.org">info@OpenLDAP.org</A></SMALL></B></FONT>
!endblock
......@@ -89,7 +89,7 @@ ______________<BR>
!block inline; expand
<P>
<FONT COLOR="#808080" FACE="Arial,Verdana,Helvetica" SIZE="1"><B>
______________<BR>
________________<BR>
<SMALL>&copy; Copyright 2001, <A HREF="http://www.OpenLDAP.org/foundation/">OpenLDAP Foundation</A>, <A HREF="mailto:info@OpenLDAP.org">info@OpenLDAP.org</A></SMALL></B></FONT>
!endblock
......
......@@ -12,7 +12,7 @@ H1: OpenLDAP Software Copyright Notices
H2: OpenLDAP Copyright Notice
[[copyright]] 1998-2000 The OpenLDAP Foundation, Redwood City, California, USA
[[copyright]] 1998-2001 The OpenLDAP Foundation, Redwood City, California, USA
All rights reserved.
Redistribution and use in source and binary forms are permitted
......