mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
Revert "(ITS#7341) Ordered list error in overlays.sdf and attr in access-control.sdf"
This reverts commit dc9fccccc9.
The commit appears to have come from an out of date branch.
parent e30981838c
commit b06a0261c7
@ -1,5 +1,5 @@
|
|||||||
# $OpenLDAP: pkg/openldap-guide/admin/access-control.sdf,v 1.9 2009-06-19 19:12:12 ghenry Exp $
|
# $OpenLDAP$
|
||||||
# Copyright 1999-2009 The OpenLDAP Foundation, All Rights Reserved.
|
# Copyright 1999-2012 The OpenLDAP Foundation, All Rights Reserved.
|
||||||
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
|
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
|
||||||
|
|
||||||
H1: Access Control
|
H1: Access Control
|
||||||
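Review bot: the removed side's `$OpenLDAP: pkg/openldap-guide/admin/access-control.sdf,v 1.9 2009-06-19` header and `1999-2009` copyright are the 2009 CVS-era text, which is the concrete evidence for the "out of date branch" diagnosis in the commit message; restoring the bare `$OpenLDAP$` keyword and the 2012 copyright is correct. It would help future readers if the commit message cited this header regression as the reason a wholesale revert was chosen over fixing the individual lines.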
@ -25,8 +25,9 @@ rights (i.e. auth, search, compare, read and write) on everything and anything.
|
|||||||
As a consequence, it's useless (and results in a performance penalty) to explicitly
|
As a consequence, it's useless (and results in a performance penalty) to explicitly
|
||||||
list the {{rootdn}} among the {{<by>}} clauses.
|
list the {{rootdn}} among the {{<by>}} clauses.
|
||||||
|
|
||||||
The following sections will describe Access Control Lists in more details and
|
The following sections will describe Access Control Lists in greater depth and
|
||||||
follow with some examples and recommendations.
|
follow with some examples and recommendations. See {{slapd.access}}(5) for
|
||||||
|
complete details.
|
||||||
|
|
||||||
H2: Access Control via Static Configuration
|
H2: Access Control via Static Configuration
|
||||||
|
|
||||||
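Review bot: restoring the sentence `See {{slapd.access}}(5) for complete details.` is right; the removed side had dropped the only pointer from this introduction to the authoritative ACL reference, and the rest of the hunk is wording only ("more details" vs "greater depth").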
@ -326,7 +327,7 @@ attribute and various {{EX:<who>}} selectors.
|
|||||||
> access to dn.subtree="dc=example,dc=com" attrs=homePhone
|
> access to dn.subtree="dc=example,dc=com" attrs=homePhone
|
||||||
> by self write
|
> by self write
|
||||||
> by dn.children="dc=example,dc=com" search
|
> by dn.children="dc=example,dc=com" search
|
||||||
> by peername.regex=IP:10\..+ read
|
> by peername.regex=IP=10\..+ read
|
||||||
> access to dn.subtree="dc=example,dc=com"
|
> access to dn.subtree="dc=example,dc=com"
|
||||||
> by self write
|
> by self write
|
||||||
> by dn.children="dc=example,dc=com" search
|
> by dn.children="dc=example,dc=com" search
|
||||||
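Review bot: the removed clause `by peername.regex=IP:10\..+ read` can never match, because slapd presents the peer name to ACL evaluation as `IP=<address>:<port>` (or `PATH=<socket path>` for ldapi://), so the restored `IP=10\..+` form is the only one that works. An admin who copied the `IP:` spelling would get no error from slapd, just silently missing read access. Two caveats worth a sentence in the text: the regex is unanchored, which is harmless for a prefix like `IP=10\.` but matches any 10.x.x.x address on any source port, and the example covers IPv4 only.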
@ -664,7 +665,7 @@ attribute and various {{EX:<who>}} selectors.
|
|||||||
> olcAccess: to dn.subtree="dc=example,dc=com" attrs=homePhone
|
> olcAccess: to dn.subtree="dc=example,dc=com" attrs=homePhone
|
||||||
> by self write
|
> by self write
|
||||||
> by dn.children=dc=example,dc=com" search
|
> by dn.children=dc=example,dc=com" search
|
||||||
> by peername.regex=IP:10\..+ read
|
> by peername.regex=IP=10\..+ read
|
||||||
> olcAccess: to dn.subtree="dc=example,dc=com"
|
> olcAccess: to dn.subtree="dc=example,dc=com"
|
||||||
> by self write
|
> by self write
|
||||||
> by dn.children="dc=example,dc=com" search
|
> by dn.children="dc=example,dc=com" search
|
||||||
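Review bot: same `IP:` to `IP=` correction as in the slapd.conf version of this example, and correct for the same reason. However the unchanged context line `by dn.children=dc=example,dc=com" search` is missing its opening double quote on both sides, while every other `dn.children` clause in the file is written `"dc=example,dc=com"`; the olcAccess value will not parse as printed. Worth a follow-up commit to add the quote.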
@ -780,7 +781,7 @@ H3: Basic ACLs
|
|||||||
|
|
||||||
Generally one should start with some basic ACLs such as:
|
Generally one should start with some basic ACLs such as:
|
||||||
|
|
||||||
> access to attrs=userPassword
|
> access to attr=userPassword
|
||||||
> by self =xw
|
> by self =xw
|
||||||
> by anonymous auth
|
> by anonymous auth
|
||||||
> by * none
|
> by * none
|
||||||
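Review bot: this wholesale revert also discards the `attr=` to `attrs=` change that the ITS#7341 title refers to. `attrs=<attrlist>` is the keyword documented in slapd.access(5); `attr=` is only accepted as a legacy spelling, so the restored `access to attr=userPassword` should be fixed again in a separate commit against the current branch. The rule itself is sound and is the part to keep: `by self =xw` lets a user change and authenticate with their own password without being able to read the stored hash, `by anonymous auth` allows simple binds to proceed, and `by * none` denies everyone else.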
@ -826,7 +827,7 @@ This ACL grants read permissions to authenticated users while denying others
|
|||||||
|
|
||||||
H3: Controlling rootdn access
|
H3: Controlling rootdn access
|
||||||
|
|
||||||
You could specify the {{rootdn}} in {{slapd.conf}}(5) or {[slapd.d}} without
|
You could specify the {{rootdn}} in {{slapd.conf}}(5) or {{slapd.d}} without
|
||||||
specifying a {{rootpw}}. Then you have to add an actual directory entry with
|
specifying a {{rootpw}}. Then you have to add an actual directory entry with
|
||||||
the same dn, e.g.:
|
the same dn, e.g.:
|
||||||
|
|
||||||
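Review bot: `{[slapd.d}}` to `{{slapd.d}}` is a pure markup repair. On the substance of this section, it should warn that once `rootpw` is omitted the rootdn authenticates against the `userPassword` of the directory entry with that DN, so that entry is protected only by the ordinary ACLs; the `access to attr=userPassword ... by * none` rule from the Basic ACLs section above must already be in place, otherwise the administrative credential hash becomes readable to whoever the default rules allow.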
@ -876,7 +877,7 @@ One can then grant access to the members of this this group by adding appropriat
|
|||||||
> by group.exact="cn=Administrators,dc=example,dc=com" write
|
> by group.exact="cn=Administrators,dc=example,dc=com" write
|
||||||
> by * auth
|
> by * auth
|
||||||
|
|
||||||
Like by {[dn}} clauses, one can also use {{expand}} to expand the group name
|
Like by {{dn}} clauses, one can also use {{expand}} to expand the group name
|
||||||
based upon the regular expression matching of the target, that is, the to {{dn.regex}}).
|
based upon the regular expression matching of the target, that is, the to {{dn.regex}}).
|
||||||
For instance,
|
For instance,
|
||||||
|
|
||||||
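Review bot: `{[dn}}` to `{{dn}}` is the correct markup fix. The hunk header context still reads "members of this this group", a doubled word present on both sides that can go into the same follow-up as the other typo fixes in this file.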
@ -1153,7 +1154,7 @@ To get what we wanted the file has to read:
|
|||||||
|
|
||||||
The general rule is: "special access rules first, generic access rules last"
|
The general rule is: "special access rules first, generic access rules last"
|
||||||
|
|
||||||
See also {{slapd.access}}(8), loglevel 128 and {{slapacl}}(8) for debugging
|
See also {{slapd.access}}(5), loglevel 128 and {{slapacl}}(8) for debugging
|
||||||
information.
|
information.
|
||||||
|
|
||||||
|
|
||||||
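Review bot: `slapd.access(8)` to `slapd.access(5)` is the right fix; slapd.access is a configuration-file page in manual section 5, while `slapacl(8)` is the command. This debugging pointer is the most useful line in the hunk and deserves a sentence more: loglevel 128 is the `acl` logging category, and `slapacl` lets you check what a given DN is granted on a given entry and attribute offline, before deploying a change, which is how a rule like the unmatchable `IP:` peername clause above would have been caught.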
@ -1322,7 +1323,7 @@ The end result is that when Jane accesses John's entry, she will be granted
|
|||||||
write access to the specified attributes. Better yet, this will happen to any
|
write access to the specified attributes. Better yet, this will happen to any
|
||||||
entry she accesses which has Mary as the manager.
|
entry she accesses which has Mary as the manager.
|
||||||
|
|
||||||
This is all cool and nice, but perhaps gives to much power to secretaries. Maybe we need to further
|
This is all cool and nice, but perhaps gives too much power to secretaries. Maybe we need to further
|
||||||
restrict it. For example, let's only allow executive secretaries to have this power:
|
restrict it. For example, let's only allow executive secretaries to have this power:
|
||||||
|
|
||||||
> access to dn.exact="uid=john,ou=people,dc=example,dc=com"
|
> access to dn.exact="uid=john,ou=people,dc=example,dc=com"
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
# $OpenLDAP: pkg/openldap-guide/admin/overlays.sdf,v 1.47 2009-12-15 12:09:35 ghenry Exp $
|
# $OpenLDAP$
|
||||||
# Copyright 2007-2009 The OpenLDAP Foundation, All Rights Reserved.
|
# Copyright 2007-2012 The OpenLDAP Foundation, All Rights Reserved.
|
||||||
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
|
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
|
||||||
|
|
||||||
H1: Overlays
|
H1: Overlays
|
||||||
@ -326,7 +326,7 @@ H3: Read-Back of Chained Modifications
|
|||||||
|
|
||||||
Occasionally, applications want to read back the data that they just wrote.
|
Occasionally, applications want to read back the data that they just wrote.
|
||||||
If a modification requested to a shadow server was silently chained to its
|
If a modification requested to a shadow server was silently chained to its
|
||||||
producer, an immediate read could result in receiving data not yet synchronized.
|
provider, an immediate read could result in receiving data not yet synchronized.
|
||||||
In those cases, clients should use the {{B:dontusecopy}} control to ensure
|
In those cases, clients should use the {{B:dontusecopy}} control to ensure
|
||||||
they are directed to the authoritative source for that piece of data.
|
they are directed to the authoritative source for that piece of data.
|
||||||
|
|
||||||
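Review bot: "provider" is the term slapd.conf(5) and the rest of the replication documentation use for the server a shadow chains writes to; "producer" on the removed side is not. The surrounding advice is correct and worth keeping as is: a write chained from a shadow to the provider may not yet be visible on the shadow, so a read-after-write client must send the `dontusecopy` control to be routed to the authoritative copy.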
@ -555,7 +555,7 @@ In {{F:slapd.conf}}(5):
|
|||||||
> ...
|
> ...
|
||||||
> overlay dynlist
|
> overlay dynlist
|
||||||
> dynlist-attrset groupOfURLs labeledURI member
|
> dynlist-attrset groupOfURLs labeledURI member
|
||||||
|
+
|
||||||
+Note: We must include the {{F:dyngroup.schema}} file that defines the
|
+Note: We must include the {{F:dyngroup.schema}} file that defines the
|
||||||
+{{F:groupOfURLs}} objectClass used in this example.
|
+{{F:groupOfURLs}} objectClass used in this example.
|
||||||
|
|
||||||
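Review bot: the three lines `+`, `+Note: We must include the {{F:dyngroup.schema}} file that defines the` and `+{{F:groupOfURLs}} objectClass used in this example.` carry a literal leading `+` on both sides of this hunk, so the plus signs are in the SDF source itself rather than diff markers, and the only change here is that the blank line before the note became a bare `+` on the restored side. That looks like a patch that was pasted into the document as text; the `+` prefixes should be stripped in a follow-up so the note renders as prose.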
@ -613,8 +613,7 @@ specific database. For example, with the following minimal slapd.conf:
|
|||||||
|
|
||||||
> include /usr/share/openldap/schema/core.schema
|
> include /usr/share/openldap/schema/core.schema
|
||||||
> include /usr/share/openldap/schema/cosine.schema
|
> include /usr/share/openldap/schema/cosine.schema
|
||||||
> modulepath /usr/lib/openldap
|
>
|
||||||
> moduleload memberof.la
|
|
||||||
> authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
|
> authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
|
||||||
> "cn=Manager,dc=example,dc=com"
|
> "cn=Manager,dc=example,dc=com"
|
||||||
> database bdb
|
> database bdb
|
||||||
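Review bot: the restored side drops `modulepath /usr/lib/openldap` and `moduleload memberof.la`, so this "minimal slapd.conf" now works only on a build where the memberof overlay is compiled in statically; on a build with dynamic modules the overlay cannot be configured without the moduleload. Either keep those two lines, as the removed side had them, or state the static-build assumption in the text. Separately, the unchanged `authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=Manager,dc=example,dc=com"` maps any uid 0 process on the local ldapi:// socket to the Manager identity; that is the usual pattern for local administrative access, but a sentence saying so would stop readers from copying it without realising it grants that identity to every root-owned process on the host.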
@ -725,13 +724,13 @@ design and implementation details.
|
|||||||
H3: Proxy Cache Configuration
|
H3: Proxy Cache Configuration
|
||||||
|
|
||||||
The cache configuration specific directives described below must
|
The cache configuration specific directives described below must
|
||||||
appear after a {{EX:overlay proxycache}} directive within a
|
appear after a {{EX:overlay pcache}} directive within a
|
||||||
{{EX:"database meta"}} or {{EX:database ldap}} section of
|
{{EX:"database meta"}} or {{EX:"database ldap"}} section of
|
||||||
the server's {{slapd.conf}}(5) file.
|
the server's {{slapd.conf}}(5) file.
|
||||||
|
|
||||||
H4: Setting cache parameters
|
H4: Setting cache parameters
|
||||||
|
|
||||||
> proxyCache <DB> <maxentries> <nattrsets> <entrylimit> <period>
|
> pcache <DB> <maxentries> <nattrsets> <entrylimit> <period>
|
||||||
|
|
||||||
This directive enables proxy caching and sets general cache
|
This directive enables proxy caching and sets general cache
|
||||||
parameters. The <DB> parameter specifies which underlying database
|
parameters. The <DB> parameter specifies which underlying database
|
||||||
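Review bot: `proxycache`, `proxyAttrset` and `proxyTemplate` on the removed side are the older directive spellings; the restored `pcache`, `pcacheAttrset` and `pcacheTemplate` match slapo-pcache(5) and the `olcPcache*` attribute names used in the LDIF example added later in this patch. Quoting `"database ldap"` to match `"database meta"` makes the two alternatives read consistently.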
@ -739,7 +738,7 @@ is to be used to hold cached entries. It should be set to
|
|||||||
{{EX:bdb}} or {{EX:hdb}}. The <maxentries> parameter specifies the
|
{{EX:bdb}} or {{EX:hdb}}. The <maxentries> parameter specifies the
|
||||||
total number of entries which may be held in the cache. The
|
total number of entries which may be held in the cache. The
|
||||||
<nattrsets> parameter specifies the total number of attribute sets
|
<nattrsets> parameter specifies the total number of attribute sets
|
||||||
(as specified by the {{EX:proxyAttrSet}} directive) that may be
|
(as specified by the {{EX:pcacheAttrset}} directive) that may be
|
||||||
defined. The <entrylimit> parameter specifies the maximum number of
|
defined. The <entrylimit> parameter specifies the maximum number of
|
||||||
entries in a cacheable query. The <period> specifies the consistency
|
entries in a cacheable query. The <period> specifies the consistency
|
||||||
check period (in seconds). In each period, queries with expired
|
check period (in seconds). In each period, queries with expired
|
||||||
@ -747,16 +746,16 @@ TTLs are removed.
|
|||||||
|
|
||||||
H4: Defining attribute sets
|
H4: Defining attribute sets
|
||||||
|
|
||||||
> proxyAttrset <index> <attrs...>
|
> pcacheAttrset <index> <attrs...>
|
||||||
|
|
||||||
Used to associate a set of attributes to an index. Each attribute
|
Used to associate a set of attributes to an index. Each attribute
|
||||||
set is associated with an index number from 0 to <numattrsets>-1.
|
set is associated with an index number from 0 to <numattrsets>-1.
|
||||||
These indices are used by the proxyTemplate directive to define
|
These indices are used by the pcacheTemplate directive to define
|
||||||
cacheable templates.
|
cacheable templates.
|
||||||
|
|
||||||
H4: Specifying cacheable templates
|
H4: Specifying cacheable templates
|
||||||
|
|
||||||
> proxyTemplate <prototype_string> <attrset_index> <TTL>
|
> pcacheTemplate <prototype_string> <attrset_index> <TTL>
|
||||||
|
|
||||||
Specifies a cacheable template and the "time to live" (in sec) <TTL>
|
Specifies a cacheable template and the "time to live" (in sec) <TTL>
|
||||||
for queries belonging to the template. A template is described by
|
for queries belonging to the template. A template is described by
|
||||||
@ -764,7 +763,7 @@ its prototype filter string and set of required attributes identified
|
|||||||
by <attrset_index>.
|
by <attrset_index>.
|
||||||
|
|
||||||
|
|
||||||
H4: Example
|
H4: Example for slapd.conf
|
||||||
|
|
||||||
An example {{slapd.conf}}(5) database section for a caching server
|
An example {{slapd.conf}}(5) database section for a caching server
|
||||||
which proxies for the {{EX:"dc=example,dc=com"}} subtree held
|
which proxies for the {{EX:"dc=example,dc=com"}} subtree held
|
||||||
@ -774,27 +773,60 @@ at server {{EX:ldap.example.com}}.
|
|||||||
> suffix "dc=example,dc=com"
|
> suffix "dc=example,dc=com"
|
||||||
> rootdn "dc=example,dc=com"
|
> rootdn "dc=example,dc=com"
|
||||||
> uri ldap://ldap.example.com/
|
> uri ldap://ldap.example.com/
|
||||||
> overlay proxycache
|
> overlay pcache
|
||||||
> proxycache bdb 100000 1 1000 100
|
> pcache bdb 100000 1 1000 100
|
||||||
> proxyAttrset 0 mail postaladdress telephonenumber
|
> pcacheAttrset 0 mail postaladdress telephonenumber
|
||||||
> proxyTemplate (sn=) 0 3600
|
> pcacheTemplate (sn=) 0 3600
|
||||||
> proxyTemplate (&(sn=)(givenName=)) 0 3600
|
> pcacheTemplate (&(sn=)(givenName=)) 0 3600
|
||||||
> proxyTemplate (&(departmentNumber=)(secretary=*)) 0 3600
|
> pcacheTemplate (&(departmentNumber=)(secretary=*)) 0 3600
|
||||||
>
|
>
|
||||||
> cachesize 20
|
> cachesize 20
|
||||||
> directory ./testrun/db.2.a
|
> directory ./testrun/db.2.a
|
||||||
> index objectClass eq
|
> index objectClass eq
|
||||||
> index cn,sn,uid,mail pres,eq,sub
|
> index cn,sn,uid,mail pres,eq,sub
|
||||||
|
|
||||||
|
H4: Example for slapd-config
|
||||||
|
|
||||||
|
The same example as a LDIF file for back-config for a caching server
|
||||||
|
which proxies for the {{EX:"dc=example,dc=com"}} subtree held
|
||||||
|
at server {{EX:ldap.example.com}}.
|
||||||
|
|
||||||
|
> dn: olcDatabase={2}ldap
|
||||||
|
> objectClass: olcDatabaseConfig
|
||||||
|
> objectClass: olcLDAPConfig
|
||||||
|
> olcDatabase: {2}ldap
|
||||||
|
> olcSuffix: dc=example,dc=com
|
||||||
|
> olcRootDN: dc=example,dc=com
|
||||||
|
> olcDbURI: "ldap://ldap.example.com"
|
||||||
|
>
|
||||||
|
> dn: olcOverlay={0}pcache
|
||||||
|
> objectClass: olcOverlayConfig
|
||||||
|
> objectClass: olcPcacheConfig
|
||||||
|
> olcOverlay: {0}pcache
|
||||||
|
> olcPcache: bdb 100000 1 1000 100
|
||||||
|
> olcPcacheAttrset: 0 mail postalAddress telephoneNumber
|
||||||
|
> olcPcacheTemplate: "(sn=)" 0 3600 0 0 0
|
||||||
|
> olcPcacheTemplate: "(&(sn=)(givenName=))" 0 3600 0 0 0
|
||||||
|
> olcPcacheTemplate: "(&(departmentNumber=)(secretary=))" 0 3600
|
||||||
|
>
|
||||||
|
> dn: olcDatabase={0}hdb
|
||||||
|
> objectClass: olcHdbConfig
|
||||||
|
> objectClass: olcPcacheDatabase
|
||||||
|
> olcDatabase: {0}hdb
|
||||||
|
> olcDbDirectory: ./testrun/db.2.a
|
||||||
|
> olcDbCacheSize: 20
|
||||||
|
> olcDbIndex: objectClass eq
|
||||||
|
> olcDbIndex: cn,sn,uid,mail pres,eq,sub
|
||||||
|
|
||||||
|
|
||||||
H5: Cacheable Queries
|
H5: Cacheable Queries
|
||||||
|
|
||||||
A LDAP search query is cacheable when its filter matches one of the
|
A LDAP search query is cacheable when its filter matches one of the
|
||||||
templates as defined in the "proxyTemplate" statements and when it references
|
templates as defined in the "pcacheTemplate" statements and when it references
|
||||||
only the attributes specified in the corresponding attribute set.
|
only the attributes specified in the corresponding attribute set.
|
||||||
In the example above the attribute set number 0 defines that only the
|
In the example above the attribute set number 0 defines that only the
|
||||||
attributes: {{EX:mail postaladdress telephonenumber}} are cached for the following
|
attributes: {{EX:mail postaladdress telephonenumber}} are cached for the following
|
||||||
proxyTemplates.
|
pcacheTemplates.
|
||||||
|
|
||||||
H5: Examples:
|
H5: Examples:
|
||||||
|
|
||||||
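Review bot: the new slapd-config example does not match the slapd.conf example it is described as mirroring. The third template is `"(&(departmentNumber=)(secretary=))" 0 3600`, whereas the slapd.conf version has `(&(departmentNumber=)(secretary=*))`: in a pcache template `(secretary=*)` is a presence assertion and `(secretary=)` an equality placeholder, so a query such as `(&(departmentNumber=42)(secretary=*))` would be cacheable under the slapd.conf configuration but not under the LDIF one. The first two `olcPcacheTemplate` values also carry trailing `0 0 0` (the optional negative, limit and refresh TTL arguments) that the third lacks; make all three consistent. Smaller points: `olcDbURI: "ldap://ldap.example.com"` loses the trailing `/` of `uri ldap://ldap.example.com/`, and the entries are given as bare RDNs (`dn: olcDatabase={2}ldap`, `dn: olcOverlay={0}pcache`, `dn: olcDatabase={0}hdb`) rather than full DNs under `cn=config`, so the LDIF cannot be loaded with ldapadd as written; either spell out the parent DNs or say that they are abbreviated.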
@ -802,7 +834,7 @@ H5: Examples:
|
|||||||
> Attrs: mail telephoneNumber
|
> Attrs: mail telephoneNumber
|
||||||
|
|
||||||
is cacheable, because it matches the template {{EX:(&(sn=)(givenName=))}} and its
|
is cacheable, because it matches the template {{EX:(&(sn=)(givenName=))}} and its
|
||||||
attributes are contained in proxyAttrset 0.
|
attributes are contained in pcacheAttrset 0.
|
||||||
|
|
||||||
> Filter: (&(sn=Richard*)(telephoneNumber))
|
> Filter: (&(sn=Richard*)(telephoneNumber))
|
||||||
> Attrs: givenName
|
> Attrs: givenName
|
||||||
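Review bot: the rename to `pcacheAttrset` is consistent with the rest of the patch, but the unchanged example filter `(&(sn=Richard*)(telephoneNumber))` is not valid LDAP filter syntax; a presence test is written `(telephoneNumber=*)`. As printed the filter would be rejected by the server rather than classified as non-cacheable, which undercuts the point the example is making. Follow-up fix.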
@ -1010,6 +1042,8 @@ If we removed all users from the directory who are a member of this group, then
|
|||||||
would be a single member in the group: {{F:cn=admin,dc=example,dc=com}}. This is the
|
would be a single member in the group: {{F:cn=admin,dc=example,dc=com}}. This is the
|
||||||
{{F:refint_nothing}} parameter kicking into action so that the schema is not violated.
|
{{F:refint_nothing}} parameter kicking into action so that the schema is not violated.
|
||||||
|
|
||||||
|
The {{rootdn}} must be set for the database as refint runs as the {{rootdn}} to gain access to
|
||||||
|
make its updates. The {{rootpw}} does not need to be set.
|
||||||
|
|
||||||
H3: Further Information
|
H3: Further Information
|
||||||
|
|
||||||
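Review bot: the two added sentences are a correct and useful caveat, and could be stated more sharply: because refint applies its reference updates as the rootdn, those writes bypass the database ACLs entirely, which is exactly what lets it fix up `member` values in entries the user who performed the delete could not otherwise modify. It is also worth saying why an unset `rootpw` weakens nothing here: the identity is used internally by the overlay, and nobody can bind as it unless a password or an entry to authenticate against exists.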
@ -1175,11 +1209,6 @@ First we configure the overlay in the normal manner:
|
|||||||
> pidfile ./slapd.pid
|
> pidfile ./slapd.pid
|
||||||
> argsfile ./slapd.args
|
> argsfile ./slapd.args
|
||||||
>
|
>
|
||||||
> modulepath /usr/local/libexec/openldap
|
|
||||||
> moduleload back_bdb.la
|
|
||||||
> moduleload back_ldap.la
|
|
||||||
> moduleload translucent.la
|
|
||||||
>
|
|
||||||
> database bdb
|
> database bdb
|
||||||
> suffix "dc=suretecsystems,dc=com"
|
> suffix "dc=suretecsystems,dc=com"
|
||||||
> rootdn "cn=trans,dc=suretecsystems,dc=com"
|
> rootdn "cn=trans,dc=suretecsystems,dc=com"
|
||||||
|
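Review bot: as with the memberof example earlier in this patch, the restored side removes `modulepath /usr/local/libexec/openldap` together with `moduleload back_bdb.la`, `moduleload back_ldap.la` and `moduleload translucent.la`, so the translucent example now assumes a slapd with back-bdb, back-ldap and the translucent overlay compiled in statically. If that is the intended assumption, state it in the text; otherwise the moduleload lines from the removed side are required for the `database bdb` section that follows to load on a modular build.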