ITS#6183 Configuration examples should not be in ACL section

This commit is contained in:
Gavin Henry 2009-06-19 21:12:12 +00:00
parent 53f8b761f1
commit 5d6d7ee5b5
3 changed files with 228 additions and 232 deletions

View File

@ -365,93 +365,6 @@ consult the {{Advanced Access Control}} chapter.
!endif
H3: Configuration File Example
The following is an example configuration file, interspersed
with explanatory text. It defines two databases to handle
different parts of the {{TERM:X.500}} tree; both are {{TERM:BDB}}
database instances. The line numbers shown are provided for
reference only and are not included in the actual file. First, the
global configuration section:
E: 1. # example config file - global configuration section
E: 2. include /usr/local/etc/schema/core.schema
E: 3. referral ldap://root.openldap.org
E: 4. access to * by * read
Line 1 is a comment. Line 2 includes another config file
which contains {{core}} schema definitions.
The {{EX:referral}} directive on line 3
means that queries not local to one of the databases defined
below will be referred to the LDAP server running on the
standard port (389) at the host {{EX:root.openldap.org}}.
Line 4 is a global access control. It applies to all
entries (after any applicable database-specific access
controls).
The next section of the configuration file defines a BDB
backend that will handle queries for things in the
"dc=example,dc=com" portion of the tree. The
database is to be replicated to two slave slapds, one on
truelies, the other on judgmentday. Indices are to be
maintained for several attributes, and the {{EX:userPassword}}
attribute is to be protected from unauthorized access.
E: 5. # BDB definition for the example.com
E: 6. database bdb
E: 7. suffix "dc=example,dc=com"
E: 8. directory /usr/local/var/openldap-data
E: 9. rootdn "cn=Manager,dc=example,dc=com"
E: 10. rootpw secret
E: 11. # indexed attribute definitions
E: 12. index uid pres,eq
E: 13. index cn,sn,uid pres,eq,approx,sub
E: 14. index objectClass eq
E: 15. # database access control definitions
E: 16. access to attrs=userPassword
E: 17. by self write
E: 18. by anonymous auth
E: 19. by dn.base="cn=Admin,dc=example,dc=com" write
E: 20. by * none
E: 21. access to *
E: 22. by self write
E: 23. by dn.base="cn=Admin,dc=example,dc=com" write
E: 24. by * read
Line 5 is a comment. The start of the database definition is marked
by the database keyword on line 6. Line 7 specifies the DN suffix
for queries to pass to this database. Line 8 specifies the directory
in which the database files will live.
Lines 9 and 10 identify the database {{super-user}} entry and associated
password. This entry is not subject to access control or size or
time limit restrictions.
Lines 12 through 14 indicate the indices to maintain for various
attributes.
Lines 16 through 24 specify access control for entries in this
database. For all applicable entries, the {{EX:userPassword}} attribute is writable
by the entry itself and by the "admin" entry. It may be used for
authentication/authorization purposes, but is otherwise not readable.
All other attributes are writable by the entry and the "admin"
entry, but may be read by all users (authenticated or not).
The next section of the example configuration file defines another
BDB database. This one handles queries involving the
{{EX:dc=example,dc=net}} subtree but is managed by the same entity
as the first database. Note that without line 39, the read access
would be allowed due to the global access rule at line 4.
E: 33. # BDB definition for example.net
E: 34. database bdb
E: 35. suffix "dc=example,dc=net"
E: 36. directory /usr/local/var/openldap-data-net
E: 37. rootdn "cn=Manager,dc=example,dc=com"
E: 38. index objectClass eq
E: 39. access to * by users read
H2: Access Control via Dynamic Configuration
Access to slapd entries and attributes is controlled by the
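Review bot: the prose deleted here is stale and this commit moves it verbatim instead of fixing it (see the copy re-added in the hunk @ -573,3 +573,91 @@): the paragraph introducing the example.com database says it "is to be replicated to two slave slapds, one on truelies, the other on judgmentday", yet lines 5-24 contain no replication directive, and the numbering jumps from line 24 to line 33, so the replica lines and their explanation were dropped in some earlier revision; when re-adding, either restore those directives or drop the sentence and renumber. Separately, this deletion leaves the ACL chapter without its one worked illustration of a database-specific rule (line 39, `access to * by users read`) overriding the global `access to * by * read` on line 4; a one-line {{SECT:...}} cross-reference to the new location in place of the removed H3 would keep that pointer for readers of this chapter.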
@ -861,136 +774,6 @@ consult the {{Advanced Access Control}} chapter.
!endif
H3: Configuration Example
The following is an example configuration, interspersed
with explanatory text. It defines two databases to handle
different parts of the {{TERM:X.500}} tree; both are {{TERM:BDB}}
database instances. The line numbers shown are provided for
reference only and are not included in the actual file. First, the
global configuration section:
E: 1. # example config file - global configuration entry
E: 2. dn: cn=config
E: 3. objectClass: olcGlobal
E: 4. cn: config
E: 5. olcReferral: ldap://root.openldap.org
E: 6.
Line 1 is a comment. Lines 2-4 identify this as the global
configuration entry.
The {{EX:olcReferral:}} directive on line 5
means that queries not local to one of the databases defined
below will be referred to the LDAP server running on the
standard port (389) at the host {{EX:root.openldap.org}}.
Line 6 is a blank line, indicating the end of this entry.
E: 7. # internal schema
E: 8. dn: cn=schema,cn=config
E: 9. objectClass: olcSchemaConfig
E: 10. cn: schema
E: 11.
Line 7 is a comment. Lines 8-10 identify this as the root of
the schema subtree. The actual schema definitions in this entry
are hardcoded into slapd so no additional attributes are specified here.
Line 11 is a blank line, indicating the end of this entry.
E: 12. # include the core schema
E: 13. include: file:///usr/local/etc/openldap/schema/core.ldif
E: 14.
Line 12 is a comment. Line 13 is an LDIF include directive which
accesses the {{core}} schema definitions in LDIF format. Line 14
is a blank line.
Next comes the database definitions. The first database is the
special {{EX:frontend}} database whose settings are applied globally
to all the other databases.
E: 15. # global database parameters
E: 16. dn: olcDatabase=frontend,cn=config
E: 17. objectClass: olcDatabaseConfig
E: 18. olcDatabase: frontend
E: 19. olcAccess: to * by * read
E: 20.
Line 15 is a comment. Lines 16-18 identify this entry as the global
database entry. Line 19 is a global access control. It applies to all
entries (after any applicable database-specific access controls).
The next entry defines a BDB backend that will handle queries for things
in the "dc=example,dc=com" portion of the tree. Indices are to be maintained
for several attributes, and the {{EX:userPassword}} attribute is to be
protected from unauthorized access.
E: 21. # BDB definition for example.com
E: 22. dn: olcDatabase=bdb,cn=config
E: 23. objectClass: olcDatabaseConfig
E: 24. objectClass: olcBdbConfig
E: 25. olcDatabase: bdb
E: 26. olcSuffix: "dc=example,dc=com"
E: 27. olcDbDirectory: /usr/local/var/openldap-data
E: 28. olcRootDN: "cn=Manager,dc=example,dc=com"
E: 29. olcRootPW: secret
E: 30. olcDbIndex: uid pres,eq
E: 31. olcDbIndex: cn,sn,uid pres,eq,approx,sub
E: 32. olcDbIndex: objectClass eq
E: 33. olcAccess: to attrs=userPassword
E: 34. by self write
E: 35. by anonymous auth
E: 36. by dn.base="cn=Admin,dc=example,dc=com" write
E: 37. by * none
E: 38. olcAccess: to *
E: 39. by self write
E: 40. by dn.base="cn=Admin,dc=example,dc=com" write
E: 41. by * read
E: 42.
Line 21 is a comment. Lines 22-25 identify this entry as a BDB database
configuration entry. Line 26 specifies the DN suffix
for queries to pass to this database. Line 27 specifies the directory
in which the database files will live.
Lines 28 and 29 identify the database {{super-user}} entry and associated
password. This entry is not subject to access control or size or
time limit restrictions.
Lines 30 through 32 indicate the indices to maintain for various
attributes.
Lines 33 through 41 specify access control for entries in this
database. For all applicable entries, the {{EX:userPassword}} attribute is writable
by the entry itself and by the "admin" entry. It may be used for
authentication/authorization purposes, but is otherwise not readable.
All other attributes are writable by the entry and the "admin"
entry, but may be read by all users (authenticated or not).
Line 42 is a blank line, indicating the end of this entry.
The next section of the example configuration file defines another
BDB database. This one handles queries involving the
{{EX:dc=example,dc=net}} subtree but is managed by the same entity
as the first database. Note that without line 52, the read access
would be allowed due to the global access rule at line 19.
E: 43. # BDB definition for example.net
E: 44. dn: olcDatabase=bdb,cn=config
E: 45. objectClass: olcDatabaseConfig
E: 46. objectClass: olcBdbConfig
E: 47. olcDatabase: bdb
E: 48. olcSuffix: "dc=example,dc=net"
E: 49. olcDbDirectory: /usr/local/var/openldap-data-net
E: 50. olcRootDN: "cn=Manager,dc=example,dc=com"
E: 51. olcDbIndex: objectClass eq
E: 52. olcAccess: to * by users read
H3: Converting from {{slapd.conf}}(5) to a {{B:cn=config}} directory format
See the related section in {{SECT:Configuring slapd}}.
H2: Access Control Common Examples
H3: Basic ACLs
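Review bot: the removal goes slightly beyond the commit title, since it also deletes the "Converting from {{slapd.conf}}(5) to a {{B:cn=config}} directory format" subsection, which is only a pointer ("See the related section in {{SECT:Configuring slapd}}") and not a configuration example; consider keeping that pointer and turning the deleted example into a similar {{SECT:}} reference, so readers of the ACL chapter can still find the worked olcAccess example (lines 33-41 and 52) and the point that without line 52 the frontend rule on line 19 (`to * by * read`) would grant read access to anonymous users.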

View File

@ -35,21 +35,6 @@ do not support runtime configuration yet. In those cases,
the old style {{slapd.conf}}(5) file must be used.
H2: Converting old style {{slapd.conf}}(5) file to {{cn=config}} format
An existing {{slapd.conf}}(5) file can be converted to the new format using
{{slaptest}}(8) or any of the slap tools:
> slaptest -f /usr/local/etc/openldap/slapd.conf -F /usr/local/etc/openldap/slapd.d
You can then discard the old {{slapd.conf}}(5) file. Make sure to launch
{{slapd}}(8) with the {{-F}} option to specify the configuration directory.
Note: When converting from the slapd.conf format to slapd.d format, any
included files will also be integrated into the resulting configuration
database.
H2: Configuration Layout
The slapd configuration is stored as a special LDAP directory with
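Review bot: after this removal the sentence "the old style {{slapd.conf}}(5) file must be used." is followed directly by "H2: Configuration Layout", with nothing telling the reader that the conversion procedure now lives at the end of the same file (hunk @ -989,3 +974,143 @@); a short forward reference such as "See {{SECT:Converting old style slapd.conf(5) file to cn=config format}} below." would keep the introduction self-contained. The text itself is re-added unchanged, so the relocation looks correct.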
@ -989,3 +974,143 @@ H4: Sample Entry
>olcDbConfig: set_flags DB_LOG_AUTOREMOVE
>olcDbIDLcacheSize: 3000
>olcDbIndex: objectClass eq
H2: Configuration Example
The following is an example configuration, interspersed
with explanatory text. It defines two databases to handle
different parts of the {{TERM:X.500}} tree; both are {{TERM:BDB}}
database instances. The line numbers shown are provided for
reference only and are not included in the actual file. First, the
global configuration section:
E: 1. # example config file - global configuration entry
E: 2. dn: cn=config
E: 3. objectClass: olcGlobal
E: 4. cn: config
E: 5. olcReferral: ldap://root.openldap.org
E: 6.
Line 1 is a comment. Lines 2-4 identify this as the global
configuration entry.
The {{EX:olcReferral:}} directive on line 5
means that queries not local to one of the databases defined
below will be referred to the LDAP server running on the
standard port (389) at the host {{EX:root.openldap.org}}.
Line 6 is a blank line, indicating the end of this entry.
E: 7. # internal schema
E: 8. dn: cn=schema,cn=config
E: 9. objectClass: olcSchemaConfig
E: 10. cn: schema
E: 11.
Line 7 is a comment. Lines 8-10 identify this as the root of
the schema subtree. The actual schema definitions in this entry
are hardcoded into slapd so no additional attributes are specified here.
Line 11 is a blank line, indicating the end of this entry.
E: 12. # include the core schema
E: 13. include: file:///usr/local/etc/openldap/schema/core.ldif
E: 14.
Line 12 is a comment. Line 13 is an LDIF include directive which
accesses the {{core}} schema definitions in LDIF format. Line 14
is a blank line.
Next comes the database definitions. The first database is the
special {{EX:frontend}} database whose settings are applied globally
to all the other databases.
E: 15. # global database parameters
E: 16. dn: olcDatabase=frontend,cn=config
E: 17. objectClass: olcDatabaseConfig
E: 18. olcDatabase: frontend
E: 19. olcAccess: to * by * read
E: 20.
Line 15 is a comment. Lines 16-18 identify this entry as the global
database entry. Line 19 is a global access control. It applies to all
entries (after any applicable database-specific access controls).
The next entry defines a BDB backend that will handle queries for things
in the "dc=example,dc=com" portion of the tree. Indices are to be maintained
for several attributes, and the {{EX:userPassword}} attribute is to be
protected from unauthorized access.
E: 21. # BDB definition for example.com
E: 22. dn: olcDatabase=bdb,cn=config
E: 23. objectClass: olcDatabaseConfig
E: 24. objectClass: olcBdbConfig
E: 25. olcDatabase: bdb
E: 26. olcSuffix: "dc=example,dc=com"
E: 27. olcDbDirectory: /usr/local/var/openldap-data
E: 28. olcRootDN: "cn=Manager,dc=example,dc=com"
E: 29. olcRootPW: secret
E: 30. olcDbIndex: uid pres,eq
E: 31. olcDbIndex: cn,sn,uid pres,eq,approx,sub
E: 32. olcDbIndex: objectClass eq
E: 33. olcAccess: to attrs=userPassword
E: 34. by self write
E: 35. by anonymous auth
E: 36. by dn.base="cn=Admin,dc=example,dc=com" write
E: 37. by * none
E: 38. olcAccess: to *
E: 39. by self write
E: 40. by dn.base="cn=Admin,dc=example,dc=com" write
E: 41. by * read
E: 42.
Line 21 is a comment. Lines 22-25 identify this entry as a BDB database
configuration entry. Line 26 specifies the DN suffix
for queries to pass to this database. Line 27 specifies the directory
in which the database files will live.
Lines 28 and 29 identify the database {{super-user}} entry and associated
password. This entry is not subject to access control or size or
time limit restrictions.
Lines 30 through 32 indicate the indices to maintain for various
attributes.
Lines 33 through 41 specify access control for entries in this
database. For all applicable entries, the {{EX:userPassword}} attribute is writable
by the entry itself and by the "admin" entry. It may be used for
authentication/authorization purposes, but is otherwise not readable.
All other attributes are writable by the entry and the "admin"
entry, but may be read by all users (authenticated or not).
Line 42 is a blank line, indicating the end of this entry.
The next section of the example configuration file defines another
BDB database. This one handles queries involving the
{{EX:dc=example,dc=net}} subtree but is managed by the same entity
as the first database. Note that without line 52, the read access
would be allowed due to the global access rule at line 19.
E: 43. # BDB definition for example.net
E: 44. dn: olcDatabase=bdb,cn=config
E: 45. objectClass: olcDatabaseConfig
E: 46. objectClass: olcBdbConfig
E: 47. olcDatabase: bdb
E: 48. olcSuffix: "dc=example,dc=net"
E: 49. olcDbDirectory: /usr/local/var/openldap-data-net
E: 50. olcRootDN: "cn=Manager,dc=example,dc=com"
E: 51. olcDbIndex: objectClass eq
E: 52. olcAccess: to * by users read
H2: Converting old style {{slapd.conf}}(5) file to {{cn=config}} format
An existing {{slapd.conf}}(5) file can be converted to the new format using
{{slaptest}}(8) or any of the slap tools:
> slaptest -f /usr/local/etc/openldap/slapd.conf -F /usr/local/etc/openldap/slapd.d
You can then discard the old {{slapd.conf}}(5) file. Make sure to launch
{{slapd}}(8) with the {{-F}} option to specify the configuration directory.
Note: When converting from the slapd.conf format to slapd.d format, any
included files will also be integrated into the resulting configuration
database.
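Review bot: the re-added example carries LDIF defects that are better fixed while it is being moved than copied verbatim: (1) lines 26, 28, 48 and 50 quote the DN values (`olcSuffix: "dc=example,dc=com"`), but LDIF has no quoting syntax, so the double quotes become part of the stored value; write `olcSuffix: dc=example,dc=com`; (2) lines 22 and 44 give both database entries the same DN `olcDatabase=bdb,cn=config`, whereas the entries as stored under cn=config carry an ordering index in the RDN (`olcDatabase={1}bdb,cn=config`, `olcDatabase={2}bdb,cn=config`) that also fixes the order in which suffixes are matched; showing the indexed form avoids the impression that two entries can share a DN; (3) line 29 stores `olcRootPW: secret` in the clear, and a hashed value generated with slappasswd(8) is the form an example that readers copy should show. Also, "Note that without line 52, the read access would be allowed" is ambiguous; "anonymous read access" is what line 19 (`to * by * read`) would grant.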

View File

@ -573,3 +573,91 @@ containing the database and associated indices live.
\Default:
> directory /usr/local/var/openldap-data
H2: Configuration File Example
The following is an example configuration file, interspersed
with explanatory text. It defines two databases to handle
different parts of the {{TERM:X.500}} tree; both are {{TERM:BDB}}
database instances. The line numbers shown are provided for
reference only and are not included in the actual file. First, the
global configuration section:
E: 1. # example config file - global configuration section
E: 2. include /usr/local/etc/schema/core.schema
E: 3. referral ldap://root.openldap.org
E: 4. access to * by * read
Line 1 is a comment. Line 2 includes another config file
which contains {{core}} schema definitions.
The {{EX:referral}} directive on line 3
means that queries not local to one of the databases defined
below will be referred to the LDAP server running on the
standard port (389) at the host {{EX:root.openldap.org}}.
Line 4 is a global access control. It applies to all
entries (after any applicable database-specific access
controls).
The next section of the configuration file defines a BDB
backend that will handle queries for things in the
"dc=example,dc=com" portion of the tree. The
database is to be replicated to two slave slapds, one on
truelies, the other on judgmentday. Indices are to be
maintained for several attributes, and the {{EX:userPassword}}
attribute is to be protected from unauthorized access.
E: 5. # BDB definition for the example.com
E: 6. database bdb
E: 7. suffix "dc=example,dc=com"
E: 8. directory /usr/local/var/openldap-data
E: 9. rootdn "cn=Manager,dc=example,dc=com"
E: 10. rootpw secret
E: 11. # indexed attribute definitions
E: 12. index uid pres,eq
E: 13. index cn,sn,uid pres,eq,approx,sub
E: 14. index objectClass eq
E: 15. # database access control definitions
E: 16. access to attrs=userPassword
E: 17. by self write
E: 18. by anonymous auth
E: 19. by dn.base="cn=Admin,dc=example,dc=com" write
E: 20. by * none
E: 21. access to *
E: 22. by self write
E: 23. by dn.base="cn=Admin,dc=example,dc=com" write
E: 24. by * read
Line 5 is a comment. The start of the database definition is marked
by the database keyword on line 6. Line 7 specifies the DN suffix
for queries to pass to this database. Line 8 specifies the directory
in which the database files will live.
Lines 9 and 10 identify the database {{super-user}} entry and associated
password. This entry is not subject to access control or size or
time limit restrictions.
Lines 12 through 14 indicate the indices to maintain for various
attributes.
Lines 16 through 24 specify access control for entries in this
database. For all applicable entries, the {{EX:userPassword}} attribute is writable
by the entry itself and by the "admin" entry. It may be used for
authentication/authorization purposes, but is otherwise not readable.
All other attributes are writable by the entry and the "admin"
entry, but may be read by all users (authenticated or not).
The next section of the example configuration file defines another
BDB database. This one handles queries involving the
{{EX:dc=example,dc=net}} subtree but is managed by the same entity
as the first database. Note that without line 39, the read access
would be allowed due to the global access rule at line 4.
E: 33. # BDB definition for example.net
E: 34. database bdb
E: 35. suffix "dc=example,dc=net"
E: 36. directory /usr/local/var/openldap-data-net
E: 37. rootdn "cn=Manager,dc=example,dc=com"
E: 38. index objectClass eq
E: 39. access to * by users read
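Review bot: the prose moved in with this example is stale in two places and should be corrected rather than copied: the paragraph introducing the example.com database says it "is to be replicated to two slave slapds, one on truelies, the other on judgmentday", but lines 5-24 contain no replication directive, and the numbering jumps from line 24 to line 33, so the replica lines and their explanation were evidently dropped from an earlier revision; either restore them or delete the sentence and renumber lines 33-39 as 25-31. Separately, line 10 shows `rootpw secret` in the clear; a hashed value generated with slappasswd(8) is what an example readers copy should show. Minor: the comment on line 5, "BDB definition for the example.com", reads awkwardly next to line 33's "BDB definition for example.net".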