.TH SLAPD-SHELL 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 1998-2009 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapd\-shell \- Shell backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The Shell backend to
.BR slapd (8)
executes external programs to implement operations, and is designed to
make it easy to tie an existing database to the
.B slapd
front-end.
.LP
This backend is primarily intended to be used in prototypes.
.SH WARNING
The
.B abandon
shell command has been removed since OpenLDAP 2.1.
.SH CONFIGURATION
These
.B slapd.conf
options apply to the SHELL backend database.
That is, they must follow a "database shell" line and come before any
subsequent "backend" or "database" lines.
Other database options are described in the
.BR slapd.conf (5)
manual page.
.LP
These options specify the pathname and arguments of the program to
execute in response to the given LDAP operation.
Each option is followed by the input lines that the program receives:
.TP
.B add <pathname> <argument>...
.nf
ADD
msgid: <message id>
<repeat { "suffix:" <database suffix DN> }>
<entry in LDIF format>
.fi
.TP
.B bind <pathname> <argument>...
.nf
BIND
msgid: <message id>
<repeat { "suffix:" <database suffix DN> }>
dn: <DN>
method: <method number>
credlen: <length of <credentials>>
cred: <credentials>
.fi
.TP
.B compare <pathname> <argument>...
.nf
COMPARE
msgid: <message id>
<repeat { "suffix:" <database suffix DN> }>
dn: <DN>
<attribute>: <value>
.fi
.TP
.B delete <pathname> <argument>...
.nf
DELETE
msgid: <message id>
<repeat { "suffix:" <database suffix DN> }>
dn: <DN>
.fi
.TP
.B modify <pathname> <argument>...
.nf
MODIFY
msgid: <message id>
<repeat { "suffix:" <database suffix DN> }>
dn: <DN>
<repeat {
<"add"/"delete"/"replace">: <attribute>
<repeat { <attribute>: <value> }>
\-
}>
.fi
.TP
.B modrdn <pathname> <argument>...
.nf
MODRDN
msgid: <message id>
<repeat { "suffix:" <database suffix DN> }>
dn: <DN>
newrdn: <new RDN>
deleteoldrdn: <0 or 1>
<if new superior is specified: "newSuperior: <DN>">
.fi
.TP
.B search <pathname> <argument>...
.nf
SEARCH
msgid: <message id>
<repeat { "suffix:" <database suffix DN> }>
base: <base DN>
scope: <0-2, see ldap.h>
deref: <0-3, see ldap.h>
sizelimit: <size limit>
timelimit: <time limit>
filter: <filter>
attrsonly: <0 or 1>
attrs: <"all" or space-separated attribute list>
.fi
.TP
.B unbind <pathname> <argument>...
.nf
UNBIND
msgid: <message id>
<repeat { "suffix:" <database suffix DN> }>
dn: <bound DN>
.fi
.LP
Note that you need only supply configuration lines for those commands you
want the backend to handle.
Operations for which a command is not supplied will be refused with an
"unwilling to perform" error.
.LP
The \fBsearch\fP command should output the entries in LDIF format,
each entry followed by a blank line, and after these the RESULT below.
.LP
All commands except \fBunbind\fP should then output:
.RS
.nf
RESULT
code: <integer>
matched: <matched DN>
info: <text>
.fi
.RE
where only the RESULT line is mandatory.
Lines starting with `#' or `DEBUG:' are ignored.
.SH ACCESS CONTROL
The
.B shell
backend does not honor all ACL semantics as described in
.BR slapd.access (5).
In general, access to objects is checked by using a dummy object
that contains only the DN, so access rules that rely on the contents
of the object are not honored.
In detail:
.LP
The
.B add
operation does not require
.B write (=w)
access to the
.B children
pseudo-attribute of the parent entry.
.LP
The
.B bind
operation requires
.B auth (=x)
access to the
.B entry
pseudo-attribute of the entry whose identity is being assessed;
.B auth (=x)
access to the credentials is not checked, but rather delegated
to the underlying shell script.
.LP
The
.B compare
operation requires
.B read (=r)
access (FIXME: wouldn't
.B compare (=c)
be a more appropriate choice?)
to the
.B entry
pseudo-attribute
of the object whose value is being asserted;
.B compare (=c)
access to the attribute whose value is being asserted is not checked.
.LP
The
.B delete
operation does not require
.B write (=w)
access to the
.B children
pseudo-attribute of the parent entry.
.LP
The
.B modify
operation requires
.B write (=w)
access to the
.B entry
pseudo-attribute;
.B write (=w)
access to the specific attributes that are modified is not checked.
.LP
The
.B modrdn
operation does not require
.B write (=w)
access to the
.B children
pseudo-attribute of the parent entry, nor to that of the new parent,
if different;
.B write (=w)
access to the distinguished values of the naming attributes
is not checked.
.LP
The
.B search
operation does not require
.B search (=s)
access to the
.B entry
pseudo-attribute of the searchBase;
.B search (=s)
access to the attributes and values used in the filter is not checked.
.SH EXAMPLE
There is an example search script in the slapd/back\-shell/ directory
in the OpenLDAP source tree.
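.LP
The following search handler is an added illustration, not the script from the OpenLDAP source tree: it parses the SEARCH input listed under CONFIGURATION, keeps every received value as plain data, applies its own limit on the base (which slapd does not check, per ACCESS CONTROL), and prints LDIF entries followed by RESULT.
The suffix, the sample records, the "serve" argument and the choice of result codes 2 (protocolError) and 32 (noSuchObject) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the script shipped in slapd/back-shell/.
SUFFIX="dc=example,dc=com"    # assumed suffix of this shell database
# Constructed sample records, one "dn|cn|mail" per line.
DATA='cn=alice,dc=example,dc=com|alice|alice@example.com
cn=bob,dc=example,dc=com|bob|bob@example.com'

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

result() {    # result <code> <info>: only the RESULT line is mandatory
    printf 'RESULT\ncode: %s\ninfo: %s\n' "$1" "$2"
}

in_scope() {  # in_scope <dn> <base> <scope>; patterns quoted, so literal
    case $3 in
        0) [ "$1" = "$2" ] ;;
        1) [ "${1#*,}" = "$2" ] ;;
        2) case $1 in "$2"|*,"$2") true ;; *) false ;; esac ;;
    esac
}

handle_search() {    # reads one SEARCH request on stdin
    base="" scope=""
    IFS= read -r verb || true
    # Values are client-controlled: keep them as data, never eval them.
    while IFS= read -r line; do
        case $line in
            base:*)  base=${line#base:};   base=$(lc "${base# }") ;;
            scope:*) scope=${line#scope:}; scope=${scope# } ;;
        esac
    done
    [ "$verb" = SEARCH ] || { result 2 "expected SEARCH"; return 0; }
    case $scope in 0|1|2) ;; *) result 2 "bad scope"; return 0 ;; esac
    # slapd does not check search (=s) access on the base: limit it here.
    case $base in
        "$SUFFIX"|*,"$SUFFIX") ;;
        *) result 32 "base outside $SUFFIX"; return 0 ;;
    esac
    printf '%s\n' "$DATA" | while IFS='|' read -r dn cn mail; do
        in_scope "$dn" "$base" "$scope" || continue
        printf 'dn: %s\ncn: %s\nmail: %s\n\n' "$dn" "$cn" "$mail"
    done
    result 0 "ok"
}

# Assumed slapd.conf line: search <pathname> serve
if [ "${1:-}" = "serve" ]; then handle_search; fi
```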
.SH LIMITATIONS
The shell backend does not support threaded environments.
When using the shell backend,
.BR slapd (8)
should be built
.IR \-\-without\-threads .
.SH FILES
.TP
ETCDIR/slapd.conf
default slapd configuration file
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd (8),
.BR sh (1).