mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-27 03:20:22 +08:00
896 lines
30 KiB
Plaintext
896 lines
30 KiB
Plaintext
# $OpenLDAP$
|
|
# Copyright 1999-2000, The OpenLDAP Foundation, All Rights Reserved.
|
|
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
|
|
|
|
H1: The slapd Configuration File
|
|
|
|
Once the software has been built and installed, you are ready
|
|
to configure {{slapd}}(8) for use at your site. The slapd
|
|
runtime configuration is primarily accomplished through the
|
|
{{slapd.conf}}(5) file, normally installed in the
|
|
{{EX:/usr/local/etc/openldap}} directory.
|
|
|
|
An alternate configuration file can be specified via a
|
|
command-line option to {{slapd}}(8) or {{slurpd}}(8). This chapter
|
|
describes the general format of the config file, followed by a
|
|
detailed description of commonly used config file directives.
|
|
|
|
|
|
H2: Configuration File Format
|
|
|
|
The {{slapd.conf}}(5) file consists of three types of configuration
|
|
information: global, backend specific, and database specific. Global
|
|
information is specified first, followed by information associated
|
|
with a particular backend type, which is then followed by information
|
|
associated with a particular database instance. Global directives can
|
|
be overridden in a backend and/or database directives, backend directives
|
|
can be overridden by database directives.
|
|
|
|
Blank lines and comment lines beginning with a '{{EX:#}}' character
|
|
are ignored. If a line begins with white space, it is considered a
|
|
continuation of the previous line. The general format of slapd.conf is
|
|
as follows:
|
|
|
|
> # global configuration directives
|
|
> <global config directives>
|
|
>
|
|
> # backend definition
|
|
> backend <typeA>
|
|
> <backend-specific directives>
|
|
>
|
|
> # first database definition & config directives
|
|
> database <typeA>
|
|
> <database-specific directives>
|
|
>
|
|
> # second database definition & config directives
|
|
> database <typeB>
|
|
> <database-specific directives>
|
|
>
|
|
> # second database definition & config directives
|
|
> database <typeA>
|
|
> <database-specific directives>
|
|
>
|
|
> # subsequent backend & database definitions & config directives
|
|
> ...
|
|
|
|
A configuration directive may take arguments. If so, they are
|
|
separated by white space. If an argument contains white space,
|
|
the argument should be enclosed in double quotes {{EX:"like this"}}. If
|
|
an argument contains a double quote or a backslash character `{{EX:\}}',
|
|
the character should be preceded by a backslash character `{{EX:\}}'.
|
|
|
|
The distribution contains an example configuration file that will
|
|
be installed in the {{F: /usr/local/etc/openldap}} directory.
|
|
A number of files containing schema definitions (attribute types
|
|
and object classes) are also provided in the
|
|
{{F: /usr/local/etc/openldap/schema}} directory.
|
|
|
|
|
|
H2: Configuration File Directives
|
|
|
|
This section details commonly used configuration directives. For
|
|
a complete list, see {{slapd.conf}}(5) manual page. This section
|
|
separates the configuration file directives into global,
|
|
backend-specific and data-specific categories, describing each
|
|
directive and its default value (if any), and giving an example of
|
|
its use.
|
|
|
|
|
|
|
|
H3: Global Directives
|
|
|
|
Directives described in this section apply to all backends
|
|
and databases unless specifically overridden in a backend or
|
|
database definition. Arguments that should be replaced
|
|
by actual text are shown in brackets {{EX:<>}}.
|
|
|
|
|
|
H4: access to <what> [ by <who> <accesslevel> <control> ]+
|
|
|
|
This directive grants access (specified by <accesslevel>) to a
|
|
set of entries and/or attributes (specified by <what>) by one or
|
|
more requesters (specified by <who>).
|
|
See the {{SECT:Access Control}} section of this chapter for a
|
|
summary of basic usage.
|
|
!if 0
|
|
More details discussion of this directive can be found in the
|
|
{{SECT:Advanced Access Control}} chapter.
|
|
!endif
|
|
|
|
|
|
H4: attributetype <{{REF:RFC2252}} Attribute Type Description>
|
|
|
|
This directive defines an attribute type.
|
|
Please see the {{SECT:Schema Specification}} chapter
|
|
for information regarding how to use this directive.
|
|
|
|
H4: defaultaccess { none | compare | search | read | write }
|
|
|
|
This directive specifies the default access to grant requesters
|
|
when no {{EX:access}} directives have been specified. Any given
|
|
access level implies all lesser access levels (e.g., read access
|
|
implies search and compare but not write).
|
|
|
|
Note: It is recommend that the {{EX:access}} directive be used
|
|
to specify access control. See the {{SECT:Access Control}}
|
|
section of this chapter for information regarding the {{EX:access}}
|
|
directive.
|
|
|
|
\Default:
|
|
|
|
E: defaultaccess read
|
|
|
|
|
|
H4: idletimeout <integer>
|
|
|
|
Specify the number of seconds to wait before forcibly closing
|
|
an idle client connection. An idletimeout of 0, the default,
|
|
disables this feature.
|
|
|
|
|
|
H4: include <filename>
|
|
|
|
This directive specifies that slapd should read additional
|
|
configuration information from the given file before continuing
|
|
with the next line of the current file. The included file should
|
|
follow the normal slapd config file format. The file is commonly
|
|
used to include files containing schema specifications.
|
|
|
|
Note: You should be careful when using this directive - there is
|
|
no small limit on the number of nested include directives, and no
|
|
loop detection is done.
|
|
|
|
H4: loglevel <integer>
|
|
|
|
This directive specifies the level at which debugging statements
|
|
and operation statistics should be syslogged (currently logged to
|
|
the {{syslogd}}(8) {EX:LOG_LOCAL4}} facility). You must have
|
|
configured OpenLDAP {{EX:--enable-debug}} (the default) for this
|
|
to work (except for the two statistics levels, which are always
|
|
enabled). Log levels are additive. To display what numbers
|
|
correspond to what kind of debugging, invoke slapd with {{EX:-?}}
|
|
or consult the table below. The possible values for <integer> are:
|
|
|
|
!block table; colaligns="RL"; align=Center; \
|
|
title="Table 5.1: Debugging Levels"
|
|
Level Description
|
|
-1 enable all debugging
|
|
0 no debugging
|
|
1 trace function calls
|
|
2 debug packet handling
|
|
4 heavy trace debugging
|
|
8 connection management
|
|
16 print out packets sent and received
|
|
32 search filter processing
|
|
64 configuration file processing
|
|
128 access control list processing
|
|
256 stats log connections/operations/results
|
|
512 stats log entries sent
|
|
1024 print communication with shell backends
|
|
2048 print entry parsing debugging
|
|
!endblock
|
|
|
|
\Example:
|
|
|
|
E: loglevel -1
|
|
|
|
This will cause lots and lots of debugging information to be
|
|
logged.
|
|
|
|
\Default:
|
|
|
|
E: loglevel 256
|
|
|
|
|
|
H4: objectclass <{{REF:RFC2252}} Object Class Description>
|
|
|
|
This directive defines an object class.
|
|
Please see the {{SECT:Schema Specification}} chapter for
|
|
information regarding how to use this directive.
|
|
|
|
|
|
H4: referral <URI>
|
|
|
|
This directive specifies the referral to pass back when slapd
|
|
cannot find a local database to handle a request.
|
|
|
|
\Example:
|
|
|
|
> referral ldap://root.openldap.org
|
|
|
|
This will refer non-local queries to the global root LDAP server
|
|
at the OpenLDAP Project. Smart LDAP clients can re-ask their
|
|
query at that server, but note that most of these clients are
|
|
only going to know how to handle simple LDAP URLs that
|
|
contain a host part and optionally a distinguished name part.
|
|
|
|
|
|
H4: sizelimit <integer>
|
|
|
|
This directive specifies the maximum number of entries to return
|
|
from a search operation.
|
|
|
|
\Default:
|
|
|
|
> sizelimit 500
|
|
|
|
|
|
H4: timelimit <integer>
|
|
|
|
This directive specifies the maximum number of seconds (in real
|
|
time) slapd will spend answering a search request. If a
|
|
request is not finished in this time, a result indicating an
|
|
exceeded timelimit will be returned.
|
|
|
|
\Default:
|
|
|
|
> timelimit 3600
|
|
|
|
|
|
H3: General Backend Directives
|
|
|
|
Directives in this section apply only to the backend in which
|
|
they are defined. They are supported by every type of backend.
|
|
Backend directives apply to all databases instances of the
|
|
same type and, depending on the directive, may be overridden
|
|
by database directives.
|
|
|
|
H4: backend <type>
|
|
|
|
This directive marks the beginning of a backend definition.
|
|
{{EX:<type>}} should be one of {{EX:ldbm}}, {{EX:shell}},
|
|
{{EX:passwd}}, or other supported backend type.
|
|
|
|
|
|
H3: General Database Directives
|
|
|
|
Directives in this section apply only to the database in which
|
|
they are defined. They are supported by every type of database.
|
|
|
|
H4: database <type>
|
|
|
|
This directive marks the beginning of a new database instance
|
|
definition.
|
|
{{EX:<type>}} should be one of {{EX:ldbm}}, {{EX:shell}},
|
|
{{EX:passwd}}, or other supported database type.
|
|
|
|
\Example:
|
|
|
|
> database ldbm
|
|
|
|
This marks the beginning of a new LDBM backend database
|
|
instance definition.
|
|
|
|
|
|
H4: readonly { on | off }
|
|
|
|
This directive puts the database into "read-only" mode. Any
|
|
attempts to modify the database will return an "unwilling to
|
|
perform" error.
|
|
|
|
\Default:
|
|
|
|
> readonly off
|
|
|
|
H4: replica
|
|
|
|
> replica host=<hostname>[:<port>]
|
|
> [bindmethod={ simple | kerberos | sasl }]
|
|
> ["binddn=<DN>"]
|
|
> [mech=<mech>]
|
|
> [authcid=<identity>]
|
|
> [authzid=<identity>]
|
|
> [credentials=<password>]
|
|
> [srvtab=<filename>]
|
|
|
|
This directive specifies a replication site for this database. The
|
|
{{EX:host=}} parameter specifies a host and optionally a port where
|
|
the slave slapd instance can be found. Either a domain name
|
|
or IP address may be used for <hostname>. If <port> is not
|
|
given, the standard LDAP port number (389) is used.
|
|
|
|
The {{EX:binddn=}} parameter gives the DN to bind as for updates to
|
|
the slave slapd. It should be a DN which has read/write
|
|
access to the slave slapd's database, typically given as a
|
|
{{EX:rootdn}} in the slave's config file. It must also match the
|
|
{{EX:updatedn}} directive in the slave slapd's config file. Since DNs are
|
|
likely to contain embedded spaces, the entire {{EX:"binddn=<DN>"}}
|
|
string should be enclosed in double quotes.
|
|
|
|
The {{EX:bindmethod}} is {{EX:simple}} or {{EX:kerberos}} or {{EX:sasl}},
|
|
depending on whether simple password-based authentication or Kerberos
|
|
authentication or {{TERM:SASL}} authentication is to be used when connecting
|
|
to the slave slapd.
|
|
|
|
Simple authentication should not be used unless adequate integrity
|
|
and privacy protections are in place (e.g. TLS or IPSEC). Simple
|
|
authentication requires specification of {{EX:binddn}} and
|
|
{{EX:credentials}} parameters.
|
|
|
|
Kerberos authentication is deprecated in favor of SASL authentication
|
|
mechanisms, in particular the {{EX:KERBEROS_V4}} and {{EX:GSSAPI}}
|
|
mechanisms. Kerberos authentication requires {{EX:binddn}} and
|
|
{{EX:srvtab}} parameters.
|
|
|
|
SASL authentication is generally recommended. SASL authentication
|
|
requires specification of a mechanism using the {{EX:mech}} parameter.
|
|
Depending on the mechanism, an authentication identity and/or
|
|
credentials can be specified using {{EX:authcid}} and {{EX:credentials}}
|
|
respectively. The {{EX:authzid}} parameter may be used to specify
|
|
an authorization identity.
|
|
|
|
See the chapter entitled {{SECT:Replication with slurpd}} for more
|
|
information on how to use this directive.
|
|
|
|
|
|
H4: replogfile <filename>
|
|
|
|
This directive specifies the name of the replication log file to
|
|
which slapd will log changes. The replication log is typically
|
|
written by slapd and read by slurpd. Normally, this directive is
|
|
only used if slurpd is being used to replicate the database.
|
|
However, you can also use it to generate a transaction log, if
|
|
slurpd is not running. In this case, you will need to periodically
|
|
truncate the file, since it will grow indefinitely otherwise.
|
|
|
|
See the chapter entitled {{SECT:Replication with slurpd}} for more
|
|
information on how to use this directive.
|
|
|
|
|
|
H4: rootdn <dn>
|
|
|
|
This directive specifies the DN that is not subject to
|
|
access control or administrative limit restrictions for
|
|
operations on this database. The DN need not refer to
|
|
an entry in the directory. The DN may refer to a SASL
|
|
identity.
|
|
|
|
Entry-based Example:
|
|
|
|
> rootdn "cn=Manager, dc=example, dc=com"
|
|
|
|
SASL-based Example:
|
|
|
|
> rootdn "uid=root@EXAMPLE.COM"
|
|
|
|
|
|
H4: rootpw <password>
|
|
|
|
This directive specifies a password for the DN given above that
|
|
will always work, regardless of whether an entry with the given
|
|
DN exists or has a password.
|
|
This directive is deprecated in favor of SASL based authentication.
|
|
|
|
\Example:
|
|
|
|
> rootpw secret
|
|
|
|
|
|
H4: suffix <dn suffix>
|
|
|
|
This directive specifies the DN suffix of queries that will be
|
|
passed to this backend database. Multiple suffix lines can be
|
|
given, and at least one is required for each database
|
|
definition.
|
|
|
|
\Example:
|
|
|
|
> suffix "dc=example, dc=com"
|
|
|
|
Queries with a DN ending in "dc=example, dc=com"
|
|
will be passed to this backend.
|
|
|
|
Note: When the backend to pass a query to is selected, slapd
|
|
looks at the suffix line(s) in each database definition in the
|
|
order they appear in the file. Thus, if one database suffix is a
|
|
prefix of another, it must appear after it in the config file.
|
|
|
|
H4: updatedn <dn>
|
|
|
|
This directive is only applicable in a slave slapd. It specifies the
|
|
DN allowed to make changes to the replica. This may be the
|
|
the DN slurpd binds as when making changes to the replica or
|
|
the DN associated with a SASL identity.
|
|
|
|
Entry-based Example:
|
|
|
|
> updatedn "cn=Update Daemon, dc=example, dc=com"
|
|
|
|
SASL-based Example:
|
|
|
|
> updatedn "uid=slurpd@EXAMPLE.COM"
|
|
|
|
See the {{SECT:Replication}} chapter for more information on how to
|
|
use this directive.
|
|
|
|
H4: updateref <URL>
|
|
|
|
This directive is only applicable in a slave slapd. It
|
|
specifies the URL to return to clients which submit update
|
|
requests upon the replica.
|
|
If specified multiple times, each {{TERM:URL}} is provided.
|
|
|
|
\Example:
|
|
|
|
> update ldap://master.example.net
|
|
|
|
|
|
H3: LDBM Backend-Specific Directives
|
|
|
|
Directives in this category only apply to the LDBM backend
|
|
database. That is, they must follow a "database ldbm" line and
|
|
come before any other "database" line.
|
|
|
|
H4: cachesize <integer>
|
|
|
|
This directive specifies the size in entries of the in-memory
|
|
cache maintained by the LDBM backend database instance.
|
|
|
|
\Default:
|
|
|
|
> cachesize 1000
|
|
|
|
|
|
H4: dbcachesize <integer>
|
|
|
|
This directive specifies the size in bytes of the in-memory cache
|
|
associated with each open index file. If not supported by the
|
|
underlying database method, this directive is ignored without
|
|
comment. Increasing this number uses more memory but can
|
|
cause a dramatic performance increase, especially during
|
|
modifies or when building indexes.
|
|
|
|
\Default:
|
|
|
|
> dbcachesize 100000
|
|
|
|
|
|
H4: dbnolocking
|
|
|
|
This option, if present, disables database locking.
|
|
Enabling this option may improve performance at the expense
|
|
of data security.
|
|
|
|
|
|
H4: dbnosync
|
|
|
|
This option causes on-disk database contents not be immediately
|
|
synchronized with in memory changes upon change. Enabling this option
|
|
may improve performance at the expense of data security.
|
|
|
|
|
|
H4: directory <directory>
|
|
|
|
This directive specifies the directory where the LDBM files
|
|
containing the database and associated indexes live.
|
|
|
|
\Default:
|
|
|
|
> directory /usr/local/var/openldap-ldbm
|
|
|
|
|
|
H4: index {<attrlist> | default} [pres,eq,approx,sub,none]
|
|
|
|
This directive specifies the indexes to maintain for the given
|
|
attribute. If only an {{EX:<attrlist>}} is given, the default
|
|
indexes are maintained.
|
|
|
|
|
|
\Example:
|
|
|
|
> index default pres,eq
|
|
> index objectClass,uid
|
|
> index cn,sn eq,sub,approx
|
|
|
|
The first line sets the default set of indices to maintain to present
|
|
and equality. The second line causes the default (pres,eq) set
|
|
of indices to be maintained for {{EX:objectClass}} and {{EX:uid}} attribute
|
|
types. The third line causes equality, substring, and approximate
|
|
indices to be maintained for {{EX:cn}} and {{EX:sn}} attribute types.
|
|
|
|
H4: mode <integer>
|
|
|
|
This directive specifies the file protection mode that newly
|
|
created database index files should have.
|
|
|
|
\Default:
|
|
|
|
> mode 0600
|
|
|
|
|
|
|
|
H3: Other Backend Databases
|
|
|
|
{{slapd}}(8) supports a number of backend database types besides the default LDBM.
|
|
|
|
!block table; align=Center; coltags="EX,N"; \
|
|
title="Table 5.2: Backend Database Types"
|
|
Types Description
|
|
ldbm Berkeley or GNU DBM compatible backend
|
|
passwd Provides read-only access to {{F:/etc/passwd}}
|
|
shell Shell (extern program) backend
|
|
sql SQL Programmable backend
|
|
!endblock
|
|
|
|
See {{slapd.conf}}(5) for details.
|
|
|
|
|
|
|
|
H2: Access Control
|
|
|
|
Access to slapd entries and attributes is controlled by the
|
|
access configuration file directive. The general form of an
|
|
access line is:
|
|
|
|
> <access directive> ::= access to <what>
|
|
> [by <who> <access> <control>]+
|
|
> <what> ::= * | [ dn[.<target style>]=<regex>]
|
|
> [filter=<ldapfilter>] [attrs=<attrlist>]
|
|
> <target style> ::= regex | base | one | subtree | children
|
|
> <attrlist> ::= <attr> | <attr> , <attrlist>
|
|
> <attr> ::= <attrname> | entry | children
|
|
> <who> ::= [* | anonymous | users | self |
|
|
> dn[.<subject style>]=<regex>]
|
|
> [dnattr=<attrname> ]
|
|
> [group[/<objectclass>[/<attrname>][.<basic style>]]=<regex> ]
|
|
> [peername[.<basic style>]=<regex>]
|
|
> [sockname[.<basic style>]=<regex>]
|
|
> [domain[.<basic style>]=<regex>]
|
|
> [sockurl[.<basic style>]=<regex>]
|
|
> [set=<setspec>]
|
|
> [aci=<attrname>]
|
|
> <subject style> ::= regex | exact | base | one | subtree | children
|
|
> <basic style> ::= regex | exact
|
|
> <access> ::= [self]{<level>|<priv>}
|
|
> <level> ::= none | auth | compare | search | read | write
|
|
> <priv> ::= {=|+|-}{w|r|s|c|x}+
|
|
> <control> ::= [stop | continue | break]
|
|
|
|
where the <what> part selects the entries and/or attributes to
|
|
which the access applies, the {{EX:<who>}} part specifies which
|
|
entities are granted access, and the {{EX:<access>}} part specifies
|
|
the access granted. Multiple {{EX:<who> <access> <control>}} triplets
|
|
are supported, allowing many entities to be granted different
|
|
access to the same set of entries and attributes.
|
|
|
|
|
|
H3: What to control access to
|
|
|
|
The <what> part of an access specification determines the
|
|
entries and attributes to which the access control applies.
|
|
Entries can be selected in two ways: by a regular expression
|
|
matching the entry's distinguished name:
|
|
|
|
> dn=<regular expression>
|
|
|
|
Note: The DN pattern specified should be "normalized",
|
|
meaning that there should be no extra spaces, and commas
|
|
should be used to separate components. An example
|
|
normalized DN is "cn=Babs Jensen,dc=example,dc=com".
|
|
An example of a non-normalized DN is
|
|
"cn=Babs Jensen; dc=example, dc=com".
|
|
|
|
Or, entries may be selected by a filter matching some
|
|
attribute(s) in the entry:
|
|
|
|
> filter=<ldap filter>
|
|
|
|
where <ldap filter> is a string representation of an LDAP
|
|
search filter, as described in {{REF:RFC2254}}.
|
|
|
|
Attributes within an entry are selected by including a
|
|
comma-separated list of attribute names in the <what>
|
|
selector:
|
|
|
|
> attrs=<attribute list>
|
|
|
|
Access to the entry itself must be granted or denied using the
|
|
special attribute name "{{EX:entry}}". Note that giving access to an
|
|
attribute is not enough; access to the entry itself through the
|
|
{{EX:entry}} attribute is also required. The complete examples at
|
|
the end of this section should help clear things up.
|
|
|
|
Lastly, there is a special entry selector {{EX:"*"}} that is used to
|
|
select any entry. It is used when no other {{EX:<what>}}
|
|
selector has been provided. It's equivalent to "{{EX:dn=.*}}"
|
|
|
|
|
|
H3: Who to grant access to
|
|
|
|
The <who> part identifies the entity or entities being granted
|
|
access. Note that access is granted to "entities" not "entries."
|
|
The following table summarizes entity specifiers:
|
|
|
|
!block table; align=Center; coltags="EX,N"; \
|
|
title="Table 5.3: Access Entity Specifiers"
|
|
Specifier Entities
|
|
* All, including anonymous and authenticated users
|
|
anonymous Anonymous (non-authenticated) users
|
|
users Authenticated users
|
|
self User associated with target entry
|
|
dn=<regex> Users matching regular expression
|
|
!endblock
|
|
|
|
The DN specifier takes a regular expression which is used
|
|
to match against the "normalized" DN of the current entity.
|
|
|
|
> dn=<regular expression>
|
|
|
|
By "normalized", we mean that all extra spaces have been
|
|
removed from the entity's DN and commas are used to
|
|
separate RDN components.
|
|
|
|
Other control factors are also supported.
|
|
For example, a {{EX:<what>}} can be restricted by a
|
|
regular expression matching the client's IP address or domain name:
|
|
|
|
> addr=<regular expression>
|
|
> domain=<regular expression>
|
|
|
|
or by an entry listed in a DN-valued attribute in the entry to
|
|
which the access applies:
|
|
|
|
> dnattr=<dn-valued attribute name>
|
|
|
|
The dnattr specification is used to give access to an entry
|
|
whose DN is listed in an attribute of the entry (e.g., give
|
|
access to a group entry to whoever is listed as the owner of
|
|
the group entry).
|
|
|
|
|
|
H3: The access to grant
|
|
|
|
|
|
The kind of <access> granted can be one of the following:
|
|
|
|
|
|
!block table; colaligns="LRL"; coltags="EX,EX,N"; align=Center; \
|
|
title="Table 5.4: Access Levels"
|
|
Level Privileges Description
|
|
none no access
|
|
auth =x needed to bind
|
|
compare =cx needed to compare
|
|
search =scx needed to apply search filters
|
|
read =rscx needed to read search results
|
|
write =wrscx needed to modify/rename
|
|
!endblock
|
|
|
|
Each level implies all lower levels of access. So, for
|
|
example, granting someone {{EX:write}} access to an entry also
|
|
grants them {{EX:read}}, {{EX:search}}, {{EX:compare}}, and
|
|
{{EX:auth}} access. However, one may use the privileges specifier
|
|
to grant specific permissions.
|
|
|
|
|
|
H3: Access Control Evaluation
|
|
|
|
When evaluating whether some requester should be given
|
|
access to an entry and/or attribute, slapd compares the entry
|
|
and/or attribute to the {{EX:<what>}} selectors given in the
|
|
configuration file. Access directives local to the current
|
|
database are examined first, followed by global access
|
|
directives. Within this priority, access directives are
|
|
examined in the order in which they appear in the config file.
|
|
Slapd stops with the first {{EX:<what>}} selector that matches the
|
|
entry and/or attribute. The corresponding access directive is
|
|
the one slapd will use to evaluate access.
|
|
|
|
Next, slapd compares the entity requesting access to the
|
|
{{EX:<who>}} selectors within the access directive selected above
|
|
in the order in which they appear. It stops with the first {{EX:<who>}}
|
|
selector that matches the requester. This determines the
|
|
access the entity requesting access has to the entry and/or
|
|
attribute.
|
|
|
|
Finally, slapd compares the access granted in the selected
|
|
{{EX:<access>}} clause to the access requested by the client. If it
|
|
allows greater or equal access, access is granted. Otherwise,
|
|
access is denied.
|
|
|
|
The order of evaluation of access directives makes their
|
|
placement in the configuration file important. If one access
|
|
directive is more specific than another in terms of the entries
|
|
it selects, it should appear first in the config file. Similarly, if
|
|
one {{EX:<who>}} selector is more specific than another it should
|
|
come first in the access directive. The access control
|
|
examples given below should help make this clear.
|
|
|
|
|
|
|
|
H3: Access Control Examples
|
|
|
|
The access control facility described above is quite powerful.
|
|
This section shows some examples of its use. First, some
|
|
simple examples:
|
|
|
|
> access to * by * read
|
|
|
|
This access directive grants read access to everyone.
|
|
|
|
> access to *
|
|
> by self write
|
|
> by anonymous auth
|
|
> by * read
|
|
|
|
This directive allows users to modify their own entries,
|
|
allows authenticate, and allows authenticated users to read.
|
|
Note that only the first {{EX:by <who>}} clause which matches applies.
|
|
Hence, the anonymous users are granted {{EX:auth}}, not {{EX:read}}.
|
|
The last clause could just as well have been "{{EX:by users read}}".
|
|
|
|
The following example shows the use of a regular expression
|
|
to select the entries by DN in two access directives where
|
|
ordering is significant.
|
|
|
|
> access to dn=".*,dc=example,dc=com"
|
|
> by * search
|
|
> access to dn=".*,dc=com"
|
|
> by * read
|
|
|
|
Read access is granted to entries under the {{EX:dc=com}}
|
|
subtree, except for those entries under the {{EX:dc=example,dc=com}}
|
|
subtree, to which search access is granted. No access is granted to
|
|
{{EX:dc=com}} as neither access directive matches this DN.
|
|
If the order of these access directives was reversed, the
|
|
trailing directive would never be reached, since all
|
|
{{EX:dc=example,dc=com}} entries are also {{EX:dc=com}} entries.
|
|
|
|
Also note that if no {{EX:access to}} directive matches or
|
|
no {{EX:by <who>}} clause, {{B:access is denied}}. That is, every
|
|
{{EX:access to}} directive ends with an implicit {{EX:by * none}}
|
|
clause and every access list ends with an implicit
|
|
{{EX:access to * by * none}} directive. Only if no access controls
|
|
are specified is the {{EX:defaultaccess}} granted.
|
|
|
|
The next example again shows the importance of ordering,
|
|
both of the access directives and the {{EX:by <who>}} clauses.
|
|
It also shows the use of an attribute selector to grant access
|
|
to a specific attribute and various {{EX:<who>}} selectors.
|
|
|
|
> access to dn="(.*,)?dc=example,dc=com" attr=homePhone
|
|
> by self write
|
|
> by dn="(.*,)?dc=example,dc=com" search
|
|
> by domain=.*\.example\.com read
|
|
> access to dn="(.*,)?dc=example,dc=com"
|
|
> by self write
|
|
> by dn=".*,dc=example,dc=com" search
|
|
> by anonymous auth
|
|
|
|
This example applies to entries in the "{{EX:dc=example, dc=com}}"
|
|
subtree. To all attributes except {{EX:homePhone}}, the entry itself
|
|
can write them, other {{EX:example.com}} entries can search by them,
|
|
anybody else has no access ((implicit {{EX:by * none}}) excepting for
|
|
authentication/authorization (which is always done anonymously).
|
|
The {{EX:homePhone}} attribute is writable by the entry, searchable
|
|
by other {{EX:example.com}} entries, readable by clients connecting
|
|
from somewhere in the {{EX:example.com}} domain, and otherwise not
|
|
readable (implicit {{EX:by * none}}). All other access
|
|
is denied by the implicit {{EX:access to * by * none}}.
|
|
|
|
Sometimes it is useful to permit a particular DN to add or
|
|
remove itself from an attribute. For example, if you would like to
|
|
create a group and allow people to add and remove only
|
|
their own DN from the member attribute, you could accomplish
|
|
it with an access directive like this:
|
|
|
|
> access to attr=member,entry
|
|
> by dnattr=member selfwrite
|
|
|
|
The dnattr {{EX:<who>}} selector says that the access applies to
|
|
entries listed in the {{EX:member}} attribute. The {{EX:selfwrite}} access
|
|
selector says that such members can only add or delete their
|
|
own DN from the attribute, not other values. The addition of
|
|
the entry attribute is required because access to the entry is
|
|
required to access any of the entry's attributes.
|
|
|
|
!if 0
|
|
For more details on how to use the {{EX:access}} directive,
|
|
consult the {{Advanced Access Control}} chapter.
|
|
!endif
|
|
|
|
|
|
H2: Configuration File Example
|
|
|
|
The following is an example configuration file, interspersed
|
|
with explanatory text. It defines two databases to handle
|
|
different parts of the {{TERM:X.500}} tree; both are {{TERM:LDBM}}
|
|
database instances. The line numbers shown are provided for
|
|
reference only and are not included in the actual file. First, the
|
|
global configuration section:
|
|
|
|
E: 1. # example config file - global configuration section
|
|
E: 2. include /usr/local/etc/schema/core.schema
|
|
E: 3. referral ldap://root.openldap.org
|
|
E: 4. access to * by * read
|
|
|
|
Line 1 is a comment. Line 2 includes another config file
|
|
which containing {{core}} schema definitions.
|
|
The {{EX:referral}} directive on line 3
|
|
means that queries not local to one of the databases defined
|
|
below will be referred to the LDAP server running on the
|
|
standard port (389) at the host {{EX:root.openldap.org}}.
|
|
|
|
Line 4 is a global access control. It is used only if
|
|
no database access controls match or when the target
|
|
objects are not under the control of any database (such as
|
|
the Root DSE).
|
|
|
|
The next section of the configuration file defines an LDBM
|
|
backend that will handle queries for things in the
|
|
"dc=example,dc=com" portion of the tree. The
|
|
database is to be replicated to two slave slapds, one on
|
|
truelies, the other on judgmentday. Indexes are to be
|
|
maintained for several attributes, and the {{EX:userPassword}}
|
|
attribute is to be protected from unauthorized access.
|
|
|
|
E: 5. # ldbm definition for the example.com
|
|
E: 6. database ldbm
|
|
E: 7. suffix "dc=example, dc=com"
|
|
E: 8. directory /usr/local/var/openldap
|
|
E: 9. rootdn "cn=Manager, dc=example, dc=com"
|
|
E: 10. rootpw secret
|
|
E: 11. # replication directives
|
|
E: 12. replogfile /usr/local/var/openldap/slapd.replog
|
|
E: 13. replica host=slave1.example.com:389
|
|
E: 14. binddn="cn=Replicator, dc=example, dc=com"
|
|
E: 15. bindmethod=simple credentials=secret
|
|
E: 16. replica host=slave2.example.com
|
|
E: 17. binddn="cn=Replicator, dc=example, dc=com"
|
|
E: 18. bindmethod=simple credentials=secret
|
|
E: 19. # indexed attribute definitions
|
|
E: 20. index uid pres,eq
|
|
E: 21. index cn,sn,uid pres,eq,approx,sub
|
|
E: 22. index objectClass eq
|
|
E: 23. # ldbm access control definitions
|
|
E: 24. access to attr=userPassword
|
|
E: 25. by self write
|
|
E: 26. by anonymous auth
|
|
E: 27. by dn="cn=Admin,dc=example,dc=com" write
|
|
E: 28. by * none
|
|
E: 29. access to *
|
|
E: 30. by self write
|
|
E: 31. by dn="cn=Admin,dc=example,dc=com" write
|
|
E: 32. by * read
|
|
|
|
Line 5 is a comment. The start of the database definition is
|
|
marked by the database keyword on line 6. Line 7 specifies
|
|
the DN suffix for queries to pass to this database. Line 8
|
|
specifies the directory in which the database files will live.
|
|
|
|
Lines 9 and 10 identify the database "super user" entry and
|
|
associated password. This entry is not subject to access
|
|
control or size or time limit restrictions.
|
|
|
|
Lines 11 through 18 are for replication. Line 11 specifies the
|
|
replication log file (where changes to the database are logged
|
|
\- this file is written by slapd and read by slurpd). Lines 12
|
|
through 14 specify the hostname and port for a replicated
|
|
host, the DN to bind as when performing updates, the bind
|
|
method (simple) and the credentials (password) for the
|
|
binddn. Lines 15 through 18 specify a second replication site.
|
|
See the {{SECT:Replication with slurpd}} chapter for more
|
|
information on these directives.
|
|
|
|
Lines 20 through 22 indicate the indexes to maintain for
|
|
various attributes.
|
|
|
|
Lines 24 through 32 specify access control for entries in the
|
|
database. For all entries, the {{EX:userPassword}} attribute is
|
|
writable by the entry itself and by the "admin" entry. It may be
|
|
used for authentication/authorization purposes, but is otherwise
|
|
not readable. All other attributes are writable by the entry and
|
|
the "admin" entry, but may be read by authenticated users.
|
|
|
|
The next section of the example configuration file defines
|
|
another LDBM database. This one handles queries involving
|
|
the {{EX:dc=example,dc=net}} subtree. Note that without
|
|
line 38, the read access would be allowed due to the
|
|
global access rule at line 4.
|
|
|
|
E: 33. # ldbm definition for example.net
|
|
E: 34. database ldbm
|
|
E: 35. suffix "dc=example, dc=net"
|
|
E: 36. directory /usr/local/var/ldbm-example-net
|
|
E: 37. rootdn "cn=Manager, dc=example, dc=com"
|
|
E: 38. access to * by users read
|