mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
412 lines
11 KiB
Plaintext
412 lines
11 KiB
Plaintext
# $OpenLDAP$
|
|
# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
|
|
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
|
|
|
|
H1: Overlays
|
|
|
|
Overlays are software components that provide hooks to functions analogous to
|
|
those provided by backends, which can be stacked on top of the backend calls
|
|
and as callbacks on top of backend responses to alter their behavior.
|
|
|
|
Overlays may be compiled statically into slapd, or when module support
|
|
is enabled, they may be dynamically loaded. Most of the overlays
|
|
are only allowed to be configured on individual databases, but some
|
|
may also be configured globally.
|
|
|
|
Essentially they represent a means to:
|
|
|
|
* customize the behavior of existing backends without changing the backend
|
|
code and without requiring one to write a new custom backend with
|
|
complete functionality
|
|
* write functionality of general usefulness that can be applied to
|
|
different backend types
|
|
|
|
Overlays are usually documented by separate specific man pages in section 5;
|
|
the naming convention is
|
|
|
|
> slapo-<overlay name>
|
|
|
|
Not all distributed overlays have a man page yet. Feel free to contribute one,
|
|
if you think you well understood the behavior of the component and the
|
|
implications of all the related configuration directives.
|
|
|
|
Official overlays are located in
|
|
|
|
> servers/slapd/overlays/
|
|
|
|
That directory also contains the file slapover.txt, which describes the
|
|
rationale of the overlay implementation, and may serve as guideline for the
|
|
development of custom overlays.
|
|
|
|
Contribware overlays are located in
|
|
|
|
> contrib/slapd-modules/<overlay name>/
|
|
|
|
along with other types of run-time loadable components; they are officially
|
|
distributed, but not maintained by the project.
|
|
|
|
They can be stacked on the frontend as well; this means that they can be
|
|
executed after a request is parsed and validated, but right before the
|
|
appropriate database is selected. The main purpose is to affect operations
|
|
regardless of the database they will be handled by, and, in some cases,
|
|
to influence the selection of the database by massaging the request DN.
|
|
|
|
All the current overlays in 2.4 are listed and described in detail in the
|
|
following sections.
|
|
|
|
|
|
H2: Access Logging
|
|
|
|
|
|
H3: Overview
|
|
|
|
This overlay can record accesses to a given backend database on another
|
|
database.
|
|
|
|
|
|
H3: Access Logging Configuration
|
|
|
|
|
|
H2: Audit Logging
|
|
|
|
This overlay records changes on a given backend database to an LDIF log
|
|
file.
|
|
|
|
|
|
H3: Overview
|
|
|
|
|
|
H3: Audit Logging Configuration
|
|
|
|
|
|
H2: Chaining
|
|
|
|
|
|
H3: Overview
|
|
|
|
The chain overlay provides basic chaining capability to the underlying
|
|
database.
|
|
|
|
What is chaining? It indicates the capability of a DSA to follow referrals on
|
|
behalf of the client, so that distributed systems are viewed as a single
|
|
virtual DSA by clients that are otherwise unable to "chase" (i.e. follow)
|
|
referrals by themselves.
|
|
|
|
The chain overlay is built on top of the ldap backend; it is compiled by
|
|
default when --enable-ldap.
|
|
|
|
|
|
H3: Chaining Configuration
|
|
|
|
|
|
H2: Constraints
|
|
|
|
|
|
H3: Overview
|
|
|
|
This overlay enforces a regular expression constraint on all values
|
|
of specified attributes. It is used to enforce a more rigorous
|
|
syntax when the underlying attribute syntax is too general.
|
|
|
|
|
|
H3: Constraint Configuration
|
|
|
|
|
|
H2: Dynamic Directory Services
|
|
|
|
|
|
H3: Overview
|
|
|
|
This overlay supports dynamic objects, which have a limited life after
|
|
which they expire and are automatically deleted.
|
|
|
|
|
|
H3: Dynamic Directory Service Configuration
|
|
|
|
|
|
H2: Dynamic Groups
|
|
|
|
|
|
H3: Overview
|
|
|
|
This overlay extends the Compare operation to detect
|
|
members of a dynamic group.
|
|
|
|
|
|
H3: Dynamic Group Configuration
|
|
|
|
|
|
H2: Dynamic Lists
|
|
|
|
|
|
H3: Overview
|
|
|
|
This overlay allows expansion of dynamic groups and more.
|
|
|
|
|
|
H3: Dynamic List Configuration
|
|
|
|
|
|
H2: Reverse Group Membership Maintenance
|
|
|
|
|
|
H3: Member Of Configuration
|
|
|
|
|
|
H2: The Proxy Cache Engine
|
|
|
|
{{TERM:LDAP}} servers typically hold one or more subtrees of a
|
|
{{TERM:DIT}}. Replica (or shadow) servers hold shadow copies of
|
|
entries held by one or more master servers. Changes are propagated
|
|
from the master server to replica (slave) servers using LDAP Sync
|
|
replication. An LDAP cache is a special type of replica which holds
|
|
entries corresponding to search filters instead of subtrees.
|
|
|
|
H3: Overview
|
|
|
|
The proxy cache extension of slapd is designed to improve the
|
|
responsiveness of the ldap and meta backends. It handles a search
|
|
request (query)
|
|
by first determining whether it is contained in any cached search
|
|
filter. Contained requests are answered from the proxy cache's local
|
|
database. Other requests are passed on to the underlying ldap or
|
|
meta backend and processed as usual.
|
|
|
|
E.g. {{EX:(shoesize>=9)}} is contained in {{EX:(shoesize>=8)}} and
|
|
{{EX:(sn=Richardson)}} is contained in {{EX:(sn=Richards*)}}
|
|
|
|
Correct matching rules and syntaxes are used while comparing
|
|
assertions for query containment. To simplify the query containment
|
|
problem, a list of cacheable "templates" (defined below) is specified
|
|
at configuration time. A query is cached or answered only if it
|
|
belongs to one of these templates. The entries corresponding to
|
|
cached queries are stored in the proxy cache local database while
|
|
its associated meta information (filter, scope, base, attributes)
|
|
is stored in main memory.
|
|
|
|
A template is a prototype for generating LDAP search requests.
|
|
Templates are described by a prototype search filter and a list of
|
|
attributes which are required in queries generated from the template.
|
|
The representation for prototype filter is similar to {{REF:RFC4515}},
|
|
except that the assertion values are missing. Examples of prototype
|
|
filters are: (sn=),(&(sn=)(givenname=)) which are instantiated by
|
|
search filters (sn=Doe) and (&(sn=Doe)(givenname=John)) respectively.
|
|
|
|
The cache replacement policy removes the least recently used (LRU)
|
|
query and entries belonging to only that query. Queries are allowed
|
|
a maximum time to live (TTL) in the cache thus providing weak
|
|
consistency. A background task periodically checks the cache for
|
|
expired queries and removes them.
|
|
|
|
The Proxy Cache paper
|
|
({{URL:http://www.openldap.org/pub/kapurva/proxycaching.pdf}}) provides
|
|
design and implementation details.
|
|
|
|
|
|
H3: Proxy Cache Configuration
|
|
|
|
The cache configuration specific directives described below must
|
|
appear after a {{EX:overlay proxycache}} directive within a
|
|
{{EX:"database meta"}} or {{EX:database ldap}} section of
|
|
the server's {{slapd.conf}}(5) file.
|
|
|
|
H4: Setting cache parameters
|
|
|
|
> proxyCache <DB> <maxentries> <nattrsets> <entrylimit> <period>
|
|
|
|
This directive enables proxy caching and sets general cache
|
|
parameters. The <DB> parameter specifies which underlying database
|
|
is to be used to hold cached entries. It should be set to
|
|
{{EX:bdb}} or {{EX:hdb}}. The <maxentries> parameter specifies the
|
|
total number of entries which may be held in the cache. The
|
|
<nattrsets> parameter specifies the total number of attribute sets
|
|
(as specified by the {{EX:proxyAttrSet}} directive) that may be
|
|
defined. The <entrylimit> parameter specifies the maximum number of
|
|
entries in a cacheable query. The <period> specifies the consistency
|
|
check period (in seconds). In each period, queries with expired
|
|
TTLs are removed.
|
|
|
|
H4: Defining attribute sets
|
|
|
|
> proxyAttrset <index> <attrs...>
|
|
|
|
Used to associate a set of attributes to an index. Each attribute
|
|
set is associated with an index number from 0 to <numattrsets>-1.
|
|
These indices are used by the proxyTemplate directive to define
|
|
cacheable templates.
|
|
|
|
H4: Specifying cacheable templates
|
|
|
|
> proxyTemplate <prototype_string> <attrset_index> <TTL>
|
|
|
|
Specifies a cacheable template and the "time to live" (in sec) <TTL>
|
|
for queries belonging to the template. A template is described by
|
|
its prototype filter string and set of required attributes identified
|
|
by <attrset_index>.
|
|
|
|
|
|
H4: Example
|
|
|
|
An example {{slapd.conf}}(5) database section for a caching server
|
|
which proxies for the {{EX:"dc=example,dc=com"}} subtree held
|
|
at server {{EX:ldap.example.com}}.
|
|
|
|
> database ldap
|
|
> suffix "dc=example,dc=com"
|
|
> rootdn "dc=example,dc=com"
|
|
> uri ldap://ldap.example.com/dc=example%2cdc=com
|
|
> overlay proxycache
|
|
> proxycache bdb 100000 1 1000 100
|
|
> proxyAttrset 0 mail postaladdress telephonenumber
|
|
> proxyTemplate (sn=) 0 3600
|
|
> proxyTemplate (&(sn=)(givenName=)) 0 3600
|
|
> proxyTemplate (&(departmentNumber=)(secretary=*)) 0 3600
|
|
>
|
|
> cachesize 20
|
|
> directory ./testrun/db.2.a
|
|
> index objectClass eq
|
|
> index cn,sn,uid,mail pres,eq,sub
|
|
|
|
|
|
H5: Cacheable Queries
|
|
|
|
A LDAP search query is cacheable when its filter matches one of the
|
|
templates as defined in the "proxyTemplate" statements and when it references
|
|
only the attributes specified in the corresponding attribute set.
|
|
In the example above the attribute set number 0 defines that only the
|
|
attributes: {{EX:mail postaladdress telephonenumber}} are cached for the following
|
|
proxyTemplates.
|
|
|
|
H5: Examples:
|
|
|
|
> Filter: (&(sn=Richard*)(givenName=jack))
|
|
> Attrs: mail telephoneNumber
|
|
|
|
is cacheable, because it matches the template {{EX:(&(sn=)(givenName=))}} and its
|
|
attributes are contained in proxyAttrset 0.
|
|
|
|
> Filter: (&(sn=Richard*)(telephoneNumber))
|
|
> Attrs: givenName
|
|
|
|
is not cacheable, because the filter does not match the template,
|
|
nor is the attribute givenName stored in the cache
|
|
|
|
> Filter: (|(sn=Richard*)(givenName=jack))
|
|
> Attrs: mail telephoneNumber
|
|
|
|
is not cacheable, because the filter does not match the template ( logical
|
|
OR "|" condition instead of logical AND "&" )
|
|
|
|
|
|
H2: Password Policies
|
|
|
|
|
|
H3: Overview
|
|
|
|
This overlay provides a variety of password control mechanisms,
|
|
e.g. password aging, password reuse and duplication control, mandatory
|
|
password resets, etc.
|
|
|
|
|
|
H3: Password Policy Configuration
|
|
|
|
|
|
H2: Referential Integrity
|
|
|
|
|
|
H3: Overview
|
|
|
|
This overlay can be used with a backend database such as slapd-bdb (5)
|
|
to maintain the cohesiveness of a schema which utilizes reference
|
|
attributes.
|
|
|
|
|
|
H3: Referential Integrity Configuration
|
|
|
|
|
|
H2: Return Code
|
|
|
|
|
|
H3: Overview
|
|
|
|
This overlay is useful to test the behavior of clients when
|
|
server-generated erroneous and/or unusual responses occur.
|
|
|
|
|
|
H3: Return Code Configuration
|
|
|
|
|
|
H2: Rewrite/Remap
|
|
|
|
|
|
H3: Overview
|
|
|
|
It performs basic DN/data rewrite and
|
|
objectClass/attributeType mapping.
|
|
|
|
|
|
H3: Rewrite/Remap Configuration
|
|
|
|
|
|
H2: Sync Provider
|
|
|
|
|
|
H3: Overview
|
|
|
|
This overlay implements the provider-side support for syncrepl
|
|
replication, including persistent search functionality
|
|
|
|
|
|
H3: Sync Provider Configuration
|
|
|
|
|
|
H2: Translucent Proxy
|
|
|
|
|
|
H3: Overview
|
|
|
|
This overlay can be used with a backend database such as slapd-bdb (5)
|
|
to create a "translucent proxy".
|
|
|
|
Content of entries retrieved from a remote LDAP server can be partially
|
|
overridden by the database.
|
|
|
|
|
|
H3: Translucent Proxy Configuration
|
|
|
|
|
|
H2: Attribute Uniqueness
|
|
|
|
|
|
H3: Overview
|
|
|
|
This overlay can be used with a backend database such as slapd-bdb (5)
|
|
to enforce the uniqueness of some or all attributes within a subtree.
|
|
|
|
|
|
H3: Attribute Uniqueness Configuration
|
|
|
|
|
|
H2: Value Sorting
|
|
|
|
|
|
H3: Overview
|
|
|
|
This overlay can be used to enforce a specific order for the values
|
|
of an attribute when it is returned in a search.
|
|
|
|
|
|
H3: Value Sorting Configuration
|
|
|
|
|
|
H2: Overlay Stacking
|
|
|
|
|
|
H3: Overview
|
|
|
|
|
|
H3: Example Scenarios
|
|
|
|
|
|
H4: Samba
|