mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
Revert "(ITS#7341) Ordered list error in overlays.sdf and attr in access-control.sdf"
This reverts commit dc9fccccc9.
The commit appears to have come from an out of date branch.
This commit is contained in:
parent
e30981838c
commit
b06a0261c7
@ -1,5 +1,5 @@
|
||||
# $OpenLDAP: pkg/openldap-guide/admin/access-control.sdf,v 1.9 2009-06-19 19:12:12 ghenry Exp $
|
||||
# Copyright 1999-2009 The OpenLDAP Foundation, All Rights Reserved.
|
||||
# $OpenLDAP$
|
||||
# Copyright 1999-2012 The OpenLDAP Foundation, All Rights Reserved.
|
||||
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
|
||||
|
||||
H1: Access Control
|
||||
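Review bot: restoring the `# $OpenLDAP$` keyword and the `Copyright 1999-2012` line is the right target here; the lines this revert removes carry a 2009 CVS keyword (`access-control.sdf,v 1.9 2009-06-19`) and a 1999-2009 copyright range, which is consistent with the commit message's "out of date branch" diagnosis. Nothing to change in this hunk.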
@ -25,8 +25,9 @@ rights (i.e. auth, search, compare, read and write) on everything and anything.
|
||||
As a consequence, it's useless (and results in a performance penalty) to explicitly
|
||||
list the {{rootdn}} among the {{<by>}} clauses.
|
||||
|
||||
The following sections will describe Access Control Lists in more details and
|
||||
follow with some examples and recommendations.
|
||||
The following sections will describe Access Control Lists in greater depth and
|
||||
follow with some examples and recommendations. See {{slapd.access}}(5) for
|
||||
complete details.
|
||||
|
||||
H2: Access Control via Static Configuration
|
||||
|
||||
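Review bot: the restored paragraph keeps the cross-reference "See {{slapd.access}}(5) for complete details", which the reverted text had dropped, and fixes "in more details" to "in greater depth". In an access-control chapter that pointer to the authoritative man page matters, so this hunk is an improvement rather than a plain rollback.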
@ -326,7 +327,7 @@ attribute and various {{EX:<who>}} selectors.
|
||||
> access to dn.subtree="dc=example,dc=com" attrs=homePhone
|
||||
> by self write
|
||||
> by dn.children="dc=example,dc=com" search
|
||||
> by peername.regex=IP:10\..+ read
|
||||
> by peername.regex=IP=10\..+ read
|
||||
> access to dn.subtree="dc=example,dc=com"
|
||||
> by self write
|
||||
> by dn.children="dc=example,dc=com" search
|
||||
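Review bot: the restored `by peername.regex=IP=10\..+ read` is the form that matches the `IP=<address>:<port>` peername syntax documented in slapd.access(5); the removed `IP:10\..+` would not match a real peername string, so that clause would grant nothing to the 10.x range without any error. Worth a sentence in the commit message so the regression the reverted commit introduced is visible to anyone bisecting later.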
@ -664,7 +665,7 @@ attribute and various {{EX:<who>}} selectors.
|
||||
> olcAccess: to dn.subtree="dc=example,dc=com" attrs=homePhone
|
||||
> by self write
|
||||
> by dn.children=dc=example,dc=com" search
|
||||
> by peername.regex=IP:10\..+ read
|
||||
> by peername.regex=IP=10\..+ read
|
||||
> olcAccess: to dn.subtree="dc=example,dc=com"
|
||||
> by self write
|
||||
> by dn.children="dc=example,dc=com" search
|
||||
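Review bot: the context line `> by dn.children=dc=example,dc=com" search` in the first olcAccess example is missing its opening double quote, while the same clause in the second example (`dn.children="dc=example,dc=com"`) has it. This revert does not touch that line, so it needs a separate fix; readers copying the olcAccess example will otherwise carry the unbalanced quote into their configuration.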
@ -780,7 +781,7 @@ H3: Basic ACLs
|
||||
|
||||
Generally one should start with some basic ACLs such as:
|
||||
|
||||
> access to attrs=userPassword
|
||||
> access to attr=userPassword
|
||||
> by self =xw
|
||||
> by anonymous auth
|
||||
> by * none
|
||||
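Review bot: this hunk replaces `access to attrs=userPassword` with `access to attr=userPassword`. slapd.access(5) documents the selector as `attrs=<attrlist>` (`attr=` is the older spelling), and the other examples in this same diff use `attrs=homePhone`. If the intent is only to undo the branch mix-up, reapply the `attrs=` spelling in a follow-up so the Basic ACLs example matches the man page and the rest of the chapter.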
@ -826,7 +827,7 @@ This ACL grants read permissions to authenticated users while denying others
|
||||
|
||||
H3: Controlling rootdn access
|
||||
|
||||
You could specify the {{rootdn}} in {{slapd.conf}}(5) or {[slapd.d}} without
|
||||
You could specify the {{rootdn}} in {{slapd.conf}}(5) or {{slapd.d}} without
|
||||
specifying a {{rootpw}}. Then you have to add an actual directory entry with
|
||||
the same dn, e.g.:
|
||||
|
||||
@ -876,7 +877,7 @@ One can then grant access to the members of this this group by adding appropriat
|
||||
> by group.exact="cn=Administrators,dc=example,dc=com" write
|
||||
> by * auth
|
||||
|
||||
Like by {[dn}} clauses, one can also use {{expand}} to expand the group name
|
||||
Like by {{dn}} clauses, one can also use {{expand}} to expand the group name
|
||||
based upon the regular expression matching of the target, that is, the to {{dn.regex}}).
|
||||
For instance,
|
||||
|
||||
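Review bot: the hunk header context still reads "members of this this group", and the sentence ending "the to {{dn.regex}})." has an unmatched closing parenthesis; neither is touched by this revert. Suggest a follow-up: "members of this group" and "... matching of the target (that is, the {{dn.regex}})."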
@ -1153,7 +1154,7 @@ To get what we wanted the file has to read:
|
||||
|
||||
The general rule is: "special access rules first, generic access rules last"
|
||||
|
||||
See also {{slapd.access}}(8), loglevel 128 and {{slapacl}}(8) for debugging
|
||||
See also {{slapd.access}}(5), loglevel 128 and {{slapacl}}(8) for debugging
|
||||
information.
|
||||
|
||||
|
||||
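Review bot: `{{slapd.access}}(5)` is the correct manual section (slapd.access lives in section 5 alongside slapd.conf(5)); the removed `(8)` pointed at a page that does not exist. `{{slapacl}}(8)` is correct as written.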
@ -1322,7 +1323,7 @@ The end result is that when Jane accesses John's entry, she will be granted
|
||||
write access to the specified attributes. Better yet, this will happen to any
|
||||
entry she accesses which has Mary as the manager.
|
||||
|
||||
This is all cool and nice, but perhaps gives to much power to secretaries. Maybe we need to further
|
||||
This is all cool and nice, but perhaps gives too much power to secretaries. Maybe we need to further
|
||||
restrict it. For example, let's only allow executive secretaries to have this power:
|
||||
|
||||
> access to dn.exact="uid=john,ou=people,dc=example,dc=com"
|
||||
|
@ -1,5 +1,5 @@
|
||||
# $OpenLDAP: pkg/openldap-guide/admin/overlays.sdf,v 1.47 2009-12-15 12:09:35 ghenry Exp $
|
||||
# Copyright 2007-2009 The OpenLDAP Foundation, All Rights Reserved.
|
||||
# $OpenLDAP$
|
||||
# Copyright 2007-2012 The OpenLDAP Foundation, All Rights Reserved.
|
||||
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
|
||||
|
||||
H1: Overlays
|
||||
@ -326,7 +326,7 @@ H3: Read-Back of Chained Modifications
|
||||
|
||||
Occasionally, applications want to read back the data that they just wrote.
|
||||
If a modification requested to a shadow server was silently chained to its
|
||||
producer, an immediate read could result in receiving data not yet synchronized.
|
||||
provider, an immediate read could result in receiving data not yet synchronized.
|
||||
In those cases, clients should use the {{B:dontusecopy}} control to ensure
|
||||
they are directed to the authoritative source for that piece of data.
|
||||
|
||||
@ -555,7 +555,7 @@ In {{F:slapd.conf}}(5):
|
||||
> ...
|
||||
> overlay dynlist
|
||||
> dynlist-attrset groupOfURLs labeledURI member
|
||||
|
||||
+
|
||||
+Note: We must include the {{F:dyngroup.schema}} file that defines the
|
||||
+{{F:groupOfURLs}} objectClass used in this example.
|
||||
|
||||
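Review bot: the added note that `{{F:dyngroup.schema}}` must be included is useful, but the `slapd.conf` fragment above it shows `overlay dynlist` and `dynlist-attrset groupOfURLs labeledURI member` with no corresponding `include` line for that schema; consider adding the include directive to the example itself so that a copied configuration is self-contained. Also, `{{F:groupOfURLs}}` uses the file markup (`F:`) for an objectClass name, whereas the rest of this diff uses `{{EX:...}}` for literals.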
@ -613,8 +613,7 @@ specific database. For example, with the following minimal slapd.conf:
|
||||
|
||||
> include /usr/share/openldap/schema/core.schema
|
||||
> include /usr/share/openldap/schema/cosine.schema
|
||||
> modulepath /usr/lib/openldap
|
||||
> moduleload memberof.la
|
||||
>
|
||||
> authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
|
||||
> "cn=Manager,dc=example,dc=com"
|
||||
> database bdb
|
||||
@ -725,13 +724,13 @@ design and implementation details.
|
||||
H3: Proxy Cache Configuration
|
||||
|
||||
The cache configuration specific directives described below must
|
||||
appear after a {{EX:overlay proxycache}} directive within a
|
||||
{{EX:"database meta"}} or {{EX:database ldap}} section of
|
||||
appear after a {{EX:overlay pcache}} directive within a
|
||||
{{EX:"database meta"}} or {{EX:"database ldap"}} section of
|
||||
the server's {{slapd.conf}}(5) file.
|
||||
|
||||
H4: Setting cache parameters
|
||||
|
||||
> proxyCache <DB> <maxentries> <nattrsets> <entrylimit> <period>
|
||||
> pcache <DB> <maxentries> <nattrsets> <entrylimit> <period>
|
||||
|
||||
This directive enables proxy caching and sets general cache
|
||||
parameters. The <DB> parameter specifies which underlying database
|
||||
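Review bot: the rename from `proxycache`/`proxyCache` to `pcache` matches the overlay's current name and is carried consistently through the following hunks (`pcacheAttrset`, `pcacheTemplate`), and `{{EX:"database ldap"}}` now has the same quoting as `{{EX:"database meta"}}`. No issue with this hunk.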
@ -739,7 +738,7 @@ is to be used to hold cached entries. It should be set to
|
||||
{{EX:bdb}} or {{EX:hdb}}. The <maxentries> parameter specifies the
|
||||
total number of entries which may be held in the cache. The
|
||||
<nattrsets> parameter specifies the total number of attribute sets
|
||||
(as specified by the {{EX:proxyAttrSet}} directive) that may be
|
||||
(as specified by the {{EX:pcacheAttrset}} directive) that may be
|
||||
defined. The <entrylimit> parameter specifies the maximum number of
|
||||
entries in a cacheable query. The <period> specifies the consistency
|
||||
check period (in seconds). In each period, queries with expired
|
||||
@ -747,16 +746,16 @@ TTLs are removed.
|
||||
|
||||
H4: Defining attribute sets
|
||||
|
||||
> proxyAttrset <index> <attrs...>
|
||||
> pcacheAttrset <index> <attrs...>
|
||||
|
||||
Used to associate a set of attributes to an index. Each attribute
|
||||
set is associated with an index number from 0 to <numattrsets>-1.
|
||||
These indices are used by the proxyTemplate directive to define
|
||||
These indices are used by the pcacheTemplate directive to define
|
||||
cacheable templates.
|
||||
|
||||
H4: Specifying cacheable templates
|
||||
|
||||
> proxyTemplate <prototype_string> <attrset_index> <TTL>
|
||||
> pcacheTemplate <prototype_string> <attrset_index> <TTL>
|
||||
|
||||
Specifies a cacheable template and the "time to live" (in sec) <TTL>
|
||||
for queries belonging to the template. A template is described by
|
||||
@ -764,7 +763,7 @@ its prototype filter string and set of required attributes identified
|
||||
by <attrset_index>.
|
||||
|
||||
|
||||
H4: Example
|
||||
H4: Example for slapd.conf
|
||||
|
||||
An example {{slapd.conf}}(5) database section for a caching server
|
||||
which proxies for the {{EX:"dc=example,dc=com"}} subtree held
|
||||
@ -774,27 +773,60 @@ at server {{EX:ldap.example.com}}.
|
||||
> suffix "dc=example,dc=com"
|
||||
> rootdn "dc=example,dc=com"
|
||||
> uri ldap://ldap.example.com/
|
||||
> overlay proxycache
|
||||
> proxycache bdb 100000 1 1000 100
|
||||
> proxyAttrset 0 mail postaladdress telephonenumber
|
||||
> proxyTemplate (sn=) 0 3600
|
||||
> proxyTemplate (&(sn=)(givenName=)) 0 3600
|
||||
> proxyTemplate (&(departmentNumber=)(secretary=*)) 0 3600
|
||||
> overlay pcache
|
||||
> pcache bdb 100000 1 1000 100
|
||||
> pcacheAttrset 0 mail postaladdress telephonenumber
|
||||
> pcacheTemplate (sn=) 0 3600
|
||||
> pcacheTemplate (&(sn=)(givenName=)) 0 3600
|
||||
> pcacheTemplate (&(departmentNumber=)(secretary=*)) 0 3600
|
||||
>
|
||||
> cachesize 20
|
||||
> directory ./testrun/db.2.a
|
||||
> index objectClass eq
|
||||
> index cn,sn,uid,mail pres,eq,sub
|
||||
|
||||
H4: Example for slapd-config
|
||||
|
||||
The same example as a LDIF file for back-config for a caching server
|
||||
which proxies for the {{EX:"dc=example,dc=com"}} subtree held
|
||||
at server {{EX:ldap.example.com}}.
|
||||
|
||||
> dn: olcDatabase={2}ldap
|
||||
> objectClass: olcDatabaseConfig
|
||||
> objectClass: olcLDAPConfig
|
||||
> olcDatabase: {2}ldap
|
||||
> olcSuffix: dc=example,dc=com
|
||||
> olcRootDN: dc=example,dc=com
|
||||
> olcDbURI: "ldap://ldap.example.com"
|
||||
>
|
||||
> dn: olcOverlay={0}pcache
|
||||
> objectClass: olcOverlayConfig
|
||||
> objectClass: olcPcacheConfig
|
||||
> olcOverlay: {0}pcache
|
||||
> olcPcache: bdb 100000 1 1000 100
|
||||
> olcPcacheAttrset: 0 mail postalAddress telephoneNumber
|
||||
> olcPcacheTemplate: "(sn=)" 0 3600 0 0 0
|
||||
> olcPcacheTemplate: "(&(sn=)(givenName=))" 0 3600 0 0 0
|
||||
> olcPcacheTemplate: "(&(departmentNumber=)(secretary=))" 0 3600
|
||||
>
|
||||
> dn: olcDatabase={0}hdb
|
||||
> objectClass: olcHdbConfig
|
||||
> objectClass: olcPcacheDatabase
|
||||
> olcDatabase: {0}hdb
|
||||
> olcDbDirectory: ./testrun/db.2.a
|
||||
> olcDbCacheSize: 20
|
||||
> olcDbIndex: objectClass eq
|
||||
> olcDbIndex: cn,sn,uid,mail pres,eq,sub
|
||||
|
||||
|
||||
H5: Cacheable Queries
|
||||
|
||||
A LDAP search query is cacheable when its filter matches one of the
|
||||
templates as defined in the "proxyTemplate" statements and when it references
|
||||
templates as defined in the "pcacheTemplate" statements and when it references
|
||||
only the attributes specified in the corresponding attribute set.
|
||||
In the example above the attribute set number 0 defines that only the
|
||||
attributes: {{EX:mail postaladdress telephonenumber}} are cached for the following
|
||||
proxyTemplates.
|
||||
pcacheTemplates.
|
||||
|
||||
H5: Examples:
|
||||
|
||||
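Review bot: the added slapd-config example is inconsistent with the slapd.conf example directly above it. The third template line reads `olcPcacheTemplate: "(&(departmentNumber=)(secretary=))" 0 3600` (no `=*` presence assertion and no trailing `0 0 0`), while the slapd.conf version is `pcacheTemplate (&(departmentNumber=)(secretary=*)) 0 3600` and the two olcPcacheTemplate lines above it carry `0 3600 0 0 0`. A reader converting between the two formats cannot tell which form is intended; make the three template lines agree. Minor: `olcDbURI: "ldap://ldap.example.com"` drops the trailing slash that `uri ldap://ldap.example.com/` has.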
@ -802,7 +834,7 @@ H5: Examples:
|
||||
> Attrs: mail telephoneNumber
|
||||
|
||||
is cacheable, because it matches the template {{EX:(&(sn=)(givenName=))}} and its
|
||||
attributes are contained in proxyAttrset 0.
|
||||
attributes are contained in pcacheAttrset 0.
|
||||
|
||||
> Filter: (&(sn=Richard*)(telephoneNumber))
|
||||
> Attrs: givenName
|
||||
@ -1010,6 +1042,8 @@ If we removed all users from the directory who are a member of this group, then
|
||||
would be a single member in the group: {{F:cn=admin,dc=example,dc=com}}. This is the
|
||||
{{F:refint_nothing}} parameter kicking into action so that the schema is not violated.
|
||||
|
||||
The {{rootdn}} must be set for the database as refint runs as the {{rootdn}} to gain access to
|
||||
make its updates. The {{rootpw}} does not need to be set.
|
||||
|
||||
H3: Further Information
|
||||
|
||||
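Review bot: the added paragraph on refint running as the {{rootdn}} with no {{rootpw}} required is a good addition; consider cross-referencing the "Controlling rootdn access" section of access-control.sdf (also touched in this commit), which explains setting a {{rootdn}} without a {{rootpw}}, since that is exactly the configuration this paragraph relies on.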
@ -1175,11 +1209,6 @@ First we configure the overlay in the normal manner:
|
||||
> pidfile ./slapd.pid
|
||||
> argsfile ./slapd.args
|
||||
>
|
||||
> modulepath /usr/local/libexec/openldap
|
||||
> moduleload back_bdb.la
|
||||
> moduleload back_ldap.la
|
||||
> moduleload translucent.la
|
||||
>
|
||||
> database bdb
|
||||
> suffix "dc=suretecsystems,dc=com"
|
||||
> rootdn "cn=trans,dc=suretecsystems,dc=com"
|
||||
|