Chaining example added.

This commit is contained in:
Gavin Henry 2007-09-06 21:17:45 +00:00
parent 221e0f727b
commit 1985c17a65
2 changed files with 122 additions and 61 deletions


@ -1,4 +1,4 @@
personal_ws-1.1 en 1406
personal_ws-1.1 en 1410
nattrsets
inappropriateAuthentication
api
@ -8,8 +8,8 @@ reqEnd
olcOverlayConfig
shoesize
olcTLSCACertificateFile
CGI
cdx
CGI
DCE
DAP
attributename
@ -20,8 +20,8 @@ kurt
authzID
authzid
authzId
DAs
ddd
DAs
userApplications
BNF
attrs
@ -32,8 +32,8 @@ ldapport
hallvard
ASN
acknowledgements
Chu
ava
Chu
monitorCounter
del
DDR
@ -84,13 +84,13 @@ olcModulePath
maxentries
authc
seeAlso
searchbase
searchBase
searchbase
realnamingcontext
dn's
DNs
DN's
dns
DN's
DNs
dn's
dereference
sortKey
authzTo
@ -155,8 +155,8 @@ INADDR
compareDN
sizelimit
unixODBC
APIs
blen
APIs
attrsOnly
attrsonly
slappasswd
@ -192,8 +192,8 @@ basedn
argv
GSS
schemachecking
whoami
WhoAmI
whoami
syslogd
dataflow
subentries
@ -206,6 +206,7 @@ includedir
inplace
LDAPAPIFeatureInfo
logbase
ldapmaster
ing
moduleload
IPC
@ -233,8 +234,8 @@ pwdExpireWarning
localstatedir
sockbuf
PENs
ipv
IPv
ipv
ghenry
hyc
multimaster
@ -267,8 +268,8 @@ intermediateResponse
myOID
structuralObjectClass
integerMatch
openldap
OpenLDAP
openldap
moddn
rewriteEngine
AVAs
@ -287,8 +288,8 @@ bool
logins
jts
memberAttr
newpasswdfile
newPasswdFile
newpasswdfile
ucdata
LLL
confdir
@ -315,8 +316,8 @@ caseExactMatch
olcSizeLimit
Bourne
attr
objectidentifier
objectIdentifier
objectidentifier
refint
msgtype
OBJEXT
@ -366,8 +367,8 @@ Autoconf
alloc
PDU
OLF
inetorgperson
inetOrgPerson
inetorgperson
deleteoldrdn
monitorCounterObject
pid
@ -424,9 +425,9 @@ OTP
entrylimit
attrdescN
logold
pos
sbi
PRD
sbi
pos
reqEntries
pre
bvals
@ -435,6 +436,7 @@ olcReadonly
olcReadOnly
pwdChangedTime
mySQL
DITs
sdf
suffixmassage
referralDN
@ -452,6 +454,7 @@ telephoneNumber
DLDAP
peernamestyle
SHA
Sep
filename
rpath
argsfile
@ -478,8 +481,8 @@ typedef
olcDbIDLcacheSize
ostring
mwrscdx
SMD
UCD
SMD
cancelled
crit
lucyB
@ -490,8 +493,8 @@ TGT
modulepath
quickstart
mySNMP
tgz
UDP
tgz
RDBMs
rdbms
Matic
@ -510,9 +513,9 @@ olcDbConfig
refreshDone
ssf
replogfile
rwm
TOC
vec
TOC
rwm
LDAPDN
compareAttrDN
endmacro
@ -520,15 +523,15 @@ tls
repl
monitoringslapd
referralsp
tmp
SRP
tmp
olcDbNosync
conns
SSL
PDkzODdASFxOQ
SRV
rwx
sss
rwx
deallocators
Contribware
URLlist
@ -642,11 +645,11 @@ groupstyle
ldapsearch
cp
displayName
eg
bv
eg
olcBackendConfig
dn
fd
dn
LDAPSync
olcReplicationInterval
fG
@ -729,8 +732,8 @@ sn
ru
UG
ss
su
TP
su
reqMethod
XLIBS
PhotoObject
@ -747,8 +750,8 @@ xf
param
MChAODQ
caseExactIA
Vu
Za
Vu
idlecachesize
ws
errSleepTime
@ -770,8 +773,8 @@ ZZ
entryCSNs
dlopen
continuated
newsuperior
newSuperior
newsuperior
Preprocessor
XXLIBS
deallocate
@ -858,8 +861,8 @@ modifyAttrDN
dcedn
olcOverlay
exop
berelement
BerElement
berelement
olcRootDN
octetString
SampleLDAP
@ -868,8 +871,8 @@ PostgreSQL
bvstr
filesystem
pathtest
objectClass
objectclass
objectClass
submatches
newrdn
armijo
@ -883,8 +886,8 @@ modifyDN
syncuser
Masarati
LDAPSyntax
oldpasswdfile
oldPasswdFile
oldpasswdfile
reqDN
SSFs
ietf
@ -906,8 +909,8 @@ reqId
setspec
scanf
TLSv
distinguishedname
distinguishedName
distinguishedname
BerVarray
caseIgnoreSubstrin
ldapwhoami
@ -934,8 +937,8 @@ slaptest
zeilenga
WebUpdate
numericoid
changelog
ChangeLog
changelog
creatorsName
ascii
wahl
@ -951,6 +954,7 @@ libtool
servercredp
AttributeTypeDescription
LTFLAGS
simplebinddn
authcDN
TLSCipherSuite
supportedSASLMechanisms
@ -962,10 +966,10 @@ schemadir
attribute's
extern
varchar
olcDbCacheSize
olcDbCachesize
authcid
olcDbCacheSize
authcID
authcid
POSIX
hnPk
ldapext
@ -984,8 +988,8 @@ reqStart
sasldb
somevalue
LIBRELEASE
starttls
StartTLS
starttls
LDAPSchemaExtensionItem
reqReferral
shtool
@ -996,8 +1000,8 @@ portnumber
subjectAltName
errObject
valsort
bervals
berval's
bervals
derefFindingBaseObj
checkpointed
keytab
@ -1018,8 +1022,8 @@ README
memcalloc
inet
saslargs
givenname
givenName
givenname
olcDbMode
pidfile
olcLimits
@ -1027,8 +1031,8 @@ memvfree
tuple
superset
directoryString
proxyTemplate
proxytemplate
proxyTemplate
wildcards
monitoredObject
TTLs
@ -1041,8 +1045,8 @@ bvalues
reqResult
impl
outvalue
returnCode
returncode
returnCode
attributeDescription
attrval
dnssrv
@ -1064,20 +1068,20 @@ uncached
ldapapiinfo
groupOfUniqueNames
dhparam
slapd's
slapds
slapd's
inputfile
RDBMSes
wildcard
Locator
errAbsObject
errABsObject
errAbsObject
SASL's
html
searchResultDone
olcBdbConfig
ldapmod
LDAPMod
ldapmod
olcHidden
userPassword
TLSRandFile
@ -1104,10 +1108,10 @@ cacertdir
queryid
Warper
XDEFS
urls
URL's
postalAddress
urls
postaladdress
postalAddress
passwd
plugins
george
@ -1121,16 +1125,16 @@ ursula
LDAPModifying
slapdconfig
dnSubtreeMatch
olcSaslSecProps
olcSaslSecprops
olcSaslSecProps
auditModify
groupOfNames
jensen
reloadHint
prepending
olcGlobal
matchingRule
matchingrule
matchingRule
SmVuc
MSSQL
hostnames
@ -1144,9 +1148,9 @@ whsp
realusers
dnstyle
suffixalias
proxyAttrset
proxyAttrSet
proxyattrset
proxyAttrSet
proxyAttrset
pwdMustChange
ldif
bvfree
@ -1157,8 +1161,8 @@ pwdAttribute
PRNGD
LDAPRDN
entryUUIDs
proxycache
proxyCache
proxycache
SERATGCgaGBYWGDEjJR
noanonymous
accessee
@ -1210,8 +1214,8 @@ passwdfile
errMatchedDN
everytime
mkdep
olcDbindex
olcDbIndex
olcDbindex
syntaxOID
reqData
databasetype
@ -1258,8 +1262,8 @@ bitstring
ACLs
berptr
olcModuleLoad
attributetype
attributeType
attributetype
auditModRDN
cacert
freebuf
@ -1310,23 +1314,23 @@ preallocated
syntaxes
memberURL
monitorRuntimeConfig
bindDn
bindDN
binddn
bindDN
bindDn
methodp
timelimitExceeded
pwdInHistory
LTSTATIC
requestors
requestor's
requestors
LDAPCONF
saslauthd
MKDEPFLAG
gecos
entryUUID
gnutls
GNUtls
GnuTLS
GNUtls
gnutls
postread
timeval
DHAVE
@ -1347,8 +1351,8 @@ entryTtl
LDAPControl
pwdMinLength
ldapcompare
readonly
readOnly
readonly
RANDFILE
attrlist
aci
@ -1372,8 +1376,8 @@ userid
Kumar
AES
bdb
manageDSAit
ManageDsaIT
manageDSAit
bindpw
monitorContainer
pEntry
@ -1384,8 +1388,8 @@ objectIdentifierMatch
Blowfish
mkln
numericStringSubstringsMatch
openssl
OpenSSL
openssl
ModName
cacheable
freeit
@ -1394,8 +1398,8 @@ ber
ali
mandir
changetype
CAs
CA's
CAs
typeA
bvecfree
ODBC


@ -98,6 +98,63 @@ default when --enable-ldap.
H3: Chaining Configuration
In order to demonstrate how this overlay works, we shall discuss a typical
scenario which might be one master server and three Syncrepl slaves.
On each replica, add this near the top of the file (global), before any database
definitions:
> overlay chain
> chain-uri "ldap://ldapmaster.example.com"
> chain-idassert-bind bindmethod="simple"
> binddn="cn=Manager,dc=example,dc=com"
> credentials="<secret>"
> mode="self"
> chain-tls start
> chain-idassert-authzFrom "*"
> updateref "ldap://ldapmaster.example.com/"
The {{B:chain-tls}} statement enables TLS from the slave to the ldap master.
The {{B:chain-idassert-authzFrom}} statement will assert the identity of whatever
bound dn on the slave is making the update request. The DITs are exactly the
same between these machines, therefore whatever user bound to the slave will
also exist on the master. If that DN does not have update privileges on the master,
nothing will happen.
You will need to restart the slave after these changes. Then, if you are using
{{loglevel 256}}, you can monitor an {{ldapmodify}} on the slave and the master.
Now start an {{ldapmodify}} on the slave and watch the logs. You should expect
something like:
> Sep 6 09:27:25 slave1 slapd[29274]: conn=11 fd=31 ACCEPT from IP=143.199.102.216:45181 (IP=143.199.102.216:389)
> Sep 6 09:27:25 slave1 slapd[29274]: conn=11 op=0 STARTTLS
> Sep 6 09:27:25 slave1 slapd[29274]: conn=11 op=0 RESULT oid= err=0 text=
> Sep 6 09:27:25 slave1 slapd[29274]: conn=11 fd=31 TLS established tls_ssf=256 ssf=256
> Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=1 BIND dn="uid=user1,ou=people,dc=example,dc=com" method=128
> Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=1 BIND dn="uid=user1,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
> Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=1 RESULT tag=97 err=0 text=
> Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=2 MOD dn="uid=user1,ou=People,dc=example,dc=com"
> Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=2 MOD attr=mail
> Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=2 RESULT tag=103 err=0 text=
> Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=3 UNBIND
> Sep 6 09:27:28 slave1 slapd[29274]: conn=11 fd=31 closed
> Sep 6 09:27:28 slave1 slapd[29274]: syncrepl_entry: LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY)
> Sep 6 09:27:28 slave1 slapd[29274]: syncrepl_entry: be_search (0)
> Sep 6 09:27:28 slave1 slapd[29274]: syncrepl_entry: uid=user1,ou=People,dc=example,dc=com
> Sep 6 09:27:28 slave1 slapd[29274]: syncrepl_entry: be_modify (0)
And on the master you will see this:
> Sep 6 09:23:57 ldapmaster slapd[2961]: conn=55902 op=3 PROXYAUTHZ dn="uid=user1,ou=people,dc=example,dc=com"
> Sep 6 09:23:57 ldapmaster slapd[2961]: conn=55902 op=3 MOD dn="uid=user1,ou=People,dc=example,dc=com"
> Sep 6 09:23:57 ldapmaster slapd[2961]: conn=55902 op=3 MOD attr=mail
> Sep 6 09:23:57 ldapmaster slapd[2961]: conn=55902 op=3 RESULT tag=103 err=0 text=
Note: You can clearly see the PROXYAUTHZ line on the master, indicating the
proper identity assertion for the update on the master. Also note the slave
immediately receiving the Syncrepl update from the master.
H2: Constraints