slapd-meta.5

ldap服务器源码

.TP
.B suffixmassage "<virtual naming context>" "<real naming context>"
All the directives starting with "rewrite" refer to the rewrite engine
that has been added to slapd.
The "suffixmassage" directive was introduced in the LDAP backend to
allow suffix massaging while proxying.
It has been obsoleted by the rewriting tools.
However, both for backward compatibility and for ease of configuration
when simple suffix massage is required, it has been preserved.
It wraps the basic rewriting instructions that perform suffix
massaging.  See the "REWRITING" section for a detailed list 
of the rewrite rules it implies.

.TP
.B t-f-support {NO|yes|discover}
enable if the remote server supports absolute filters
(see \fIdraft-zeilenga-ldap-t-f\fP for details).
If set to
.BR discover ,
support is detected by reading the remote server's root DSE.
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.

.TP
.B timeout [{add|delete|modify|modrdn}=]<seconds> [...]
This directive allows to set per-database, per-target and per-operation
timeouts.
If no operation is specified, it affects all.
Currently, only write operations are addressed, because searches
can already be limited by means of the
.B limits
directive (see 
.BR slapd.conf (5)
for details), and other operations are not supposed to incur into the
need for timeouts.
Note: if the timelimit is exceeded, the operation is abandoned;
the protocol does not provide any means to rollback the operation,
so the client will not know if the operation eventually succeeded or not.
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.

.TP
.B tls {[try-]start|[try-]propagate}
execute the StartTLS extended operation when the connection is initialized;
only works if the URI directive protocol scheme is not \fBldaps://\fP.
\fBpropagate\fP issues the StartTLS operation only if the original
connection did.
The \fBtry-\fP prefix instructs the proxy to continue operations
if the StartTLS operation failed; its use is highly deprecated.
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.

.SH SCENARIOS
A powerful (and in some sense dangerous) rewrite engine has been added
to both the LDAP and Meta backends.
While the former can gain limited beneficial effects from rewriting
stuff, the latter can become an amazingly powerful tool.
.LP
Consider a couple of scenarios first.
.LP
1) Two directory servers share two levels of naming context;
say "dc=a,dc=foo,dc=com" and "dc=b,dc=foo,dc=com".
Then, an unambiguous Meta database can be configured as:
.LP
.RS
.nf
database meta
suffix   "\fBdc=foo,dc=com\fP"
uri      "ldap://a.foo.com/dc=a,\fBdc=foo,dc=com\fP"
uri      "ldap://b.foo.com/dc=b,\fBdc=foo,dc=com\fP"
.fi
.RE
.LP
Operations directed to a specific target can be easily resolved
because there are no ambiguities.
The only operation that may resolve to multiple targets is a search
with base "dc=foo,dc=com" and scope at least "one", which results in
spawning two searches to the targets.
.LP
2a) Two directory servers don't share any portion of naming context,
but they'd present as a single DIT
[Caveat: uniqueness of (massaged) entries among the two servers is
assumed; integrity checks risk to incur in excessive overhead and have
not been implemented].
Say we have "dc=bar,dc=org" and "o=Foo,c=US",
and we'd like them to appear as branches of "dc=foo,dc=com", say
"dc=a,dc=foo,dc=com" and "dc=b,dc=foo,dc=com".
Then we need to configure our Meta backend as:
.LP
.RS
.nf
database      meta
suffix        "dc=foo,dc=com"

uri           "ldap://a.bar.com/\fBdc=a,dc=foo,dc=com\fP"
suffixmassage "\fBdc=a,dc=foo,dc=com\fP" "dc=bar,dc=org"

uri           "ldap://b.foo.com/\fBdc=b,dc=foo,dc=com\fP"
suffixmassage "\fBdc=b,dc=foo,dc=com\fP" "o=Foo,c=US"
.fi
.RE
.LP
Again, operations can be resolved without ambiguity, although
some rewriting is required.
Notice that the virtual naming context of each target is a branch of
the database's naming context; it is rewritten back and forth when
operations are performed towards the target servers.
What "back and forth" means will be clarified later.
.LP
When a search with base "dc=foo,dc=com" is attempted, if the 
scope is "base" it fails with "no such object"; in fact, the
common root of the two targets (prior to massaging) does not
exist.
If the scope is "one", both targets are contacted with the base
replaced by each target's base; the scope is derated to "base".
In general, a scope "one" search is honored, and the scope is derated,
only when the incoming base is at most one level lower of a target's
naming context (prior to massaging).
.LP
Finally, if the scope is "sub" the incoming base is replaced
by each target's unmassaged naming context, and the scope
is not altered.
.LP
2b) Consider the above reported scenario with the two servers
sharing the same naming context:
.LP
.RS
.nf
database      meta
suffix        "\fBdc=foo,dc=com\fP"

uri           "ldap://a.bar.com/\fBdc=foo,dc=com\fP"
suffixmassage "\fBdc=foo,dc=com\fP" "dc=bar,dc=org"

uri           "ldap://b.foo.com/\fBdc=foo,dc=com\fP"
suffixmassage "\fBdc=foo,dc=com\fP" "o=Foo,c=US"
.fi
.RE
.LP
All the previous considerations hold, except that now there is
no way to unambiguously resolve a DN.
In this case, all the operations that require an unambiguous target
selection will fail unless the DN is already cached or a default
target has been set.
Practical configurations may result as a combination of all the
above scenarios.
.SH ACLs
Note on ACLs: at present you may add whatever ACL rule you desire
to to the Meta (and LDAP) backends.
However, the meaning of an ACL on a proxy may require some
considerations.
Two philosophies may be considered:
.LP
a) the remote server dictates the permissions; the proxy simply passes
back what it gets from the remote server.
.LP
b) the remote server unveils "everything"; the proxy is responsible
for protecting data from unauthorized access.
.LP
Of course the latter sounds unreasonable, but it is not.
It is possible to imagine scenarios in which a remote host discloses
data that can be considered "public" inside an intranet, and a proxy
that connects it to the internet may impose additional constraints.
To this purpose, the proxy should be able to comply with all the ACL
matching criteria that the server supports.
This has been achieved with regard to all the criteria supported by
slapd except a special subtle case (please drop me a note if you can
find other exceptions: <ando@openldap.org>).
The rule
.LP
.RS
.nf
access to dn="<dn>" attr=<attr>
       by dnattr=<dnattr> read
       by * none
.fi
.RE
.LP
cannot be matched iff the attribute that is being requested, <attr>,
is NOT <dnattr>, and the attribute that determines membership,
<dnattr>, has not been requested (e.g. in a search)
.LP
In fact this ACL is resolved by slapd using the portion of entry it
retrieved from the remote server without requiring any further
intervention of the backend, so, if the <dnattr> attribute has not
been fetched, the match cannot be assessed because the attribute is
not present, not because no value matches the requirement!
.LP
Note on ACLs and attribute mapping: ACLs are applied to the mapped
attributes; for instance, if the attribute locally known as "foo" is
mapped to "bar" on a remote server, then local ACLs apply to attribute
"foo" and are totally unaware of its remote name.
The remote server will check permissions for "bar", and the local
server will possibly enforce additional restrictions to "foo".
.\"
.\" If this section is moved, also update the reference in
.\" libraries/librewrite/RATIONALE.
.\"
.SH REWRITING
A string is rewritten according to a set of rules, called a `rewrite
context'.
The rules are based on POSIX (''extended'') regular expressions (regex)
with substring matching; basic variable substitution and map resolution 
of substrings is allowed by specific mechanisms detailed in the following.
The behavior of pattern matching/substitution can be altered by a set
of flags.
.LP
The underlying concept is to build a lightweight rewrite module
for the slapd server (initially dedicated to the LDAP backend).
.SH Passes
An incoming string is matched against a set of rules.
Rules are made of a regex match pattern, a substitution pattern
and a set of actions, described by a set of flags.
In case of match a string rewriting is performed according to the
substitution pattern that allows to refer to substrings matched in the
incoming string.
The actions, if any, are finally performed.
The substitution pattern allows map resolution of substrings.
A map is a generic object that maps a substitution pattern to a value.
The flags are divided in "Pattern matching Flags" and "Action Flags";
the former alter the regex match pattern behavior while the latter
alter the action that is taken after substitution.
.SH "Pattern Matching Flags"
.TP
.B `C'
honors case in matching (default is case insensitive)
.TP
.B `R'
use POSIX ''basic'' regular expressions (default is ''extended'')
.TP
.B `M{n}'
allow no more than
.B n
recursive passes for a specific rule; does not alter the max total count
of passes, so it can only enforce a stricter limit for a specific rule.
.SH "Action Flags"
.TP
.B `:'
apply the rule once only (default is recursive)
.TP
.B `@'
stop applying rules in case of match; the current rule is still applied 
recursively; combine with `:' to apply the current rule only once 
and then stop.
.TP
.B `#'
stop current operation if the rule matches, and issue an `unwilling to
perform' error.
.TP
.B `G{n}'
jump
.B n
rules back and forth (watch for loops!).
Note that `G{1}' is implicit in every rule.
.TP
.B `I'
ignores errors in rule; this means, in case of error, e.g. issued by a
map, the error is treated as a missed match.
The `unwilling to perform' is not overridden.
.TP
.B `U{n}'
uses
.B
n
as return code if the rule matches; the flag does not alter the recursive
behavior of the rule, so, to have it performed only once, it must be used 
in combination with `:', e.g.
.B `:U{16}'
returns the value `16' after exactly one execution of the rule, if the
pattern matches.
As a consequence, its behavior is equivalent to `@', with the return
code set to
.BR n ;
or, in other words, `@' is equivalent to `U{0}'.
By convention, the freely available codes are above 16 included;
the others are reserved.
.LP
The ordering of the flags can be significant.
For instance: `IG{2}' means ignore errors and jump two lines ahead
both in case of match and in case of error, while `G{2}I' means ignore
errors, but jump two lines ahead only in case of match.
.LP
More flags (mainly Action Flags) will be added as needed.
.SH "Pattern matching:"
See
.BR regex (7)
and/or
.BR re_format (7).
.SH "Substitution Pattern Syntax:"
Everything starting with `%' requires substitution;
.LP
the only obvious exception is `%%', which is left as is;
.LP
the basic substitution is `%d', where `d' is a digit;
0 means the whole string, while 1-9 is a submatch;
.LP
a `%' followed by a `{' invokes an advanced substitution.
The pattern is:
.LP
.RS
`%' `{' [ <op> ] <name> `(' <substitution> `)' `}'
.RE
.LP
where <name> must be a legal name for the map, i.e.
.LP
.RS
.nf
<name> ::= [a-z][a-z0-9]* (case insensitive)
<op> ::= `>' `|' `&' `&&' `*' `**' `$'
.fi
.RE
.LP
and <substitution> must be a legal substitution
pattern, with no limits on the nesting level.
.LP
The operators are:
.TP
.B >