slapdconf2.sdf

OpenLdap是LDAP的开源项目

shell	Shell (extern program) backend
sql	SQL Programmable backend
!endblock

\Example:

>	olcBackend: bdb

There are no other directives defined for this entry.  Specific backend
types may define additional attributes for their particular use but so
far none have ever been defined.  As such, these directives usually do
not appear in any actual configurations.


H4: Sample Entry

> dn: olcBackend=bdb,cn=config
> objectClass: olcBackendConfig
> olcBackend: bdb


H3: Database-specific Directives

Directives in this section are supported by every type of database.
Database entries must have the {{EX:olcDatabaseConfig}} objectClass.

H4: olcDatabase: [{<index>}]<type>

This directive names a specific database instance. The numeric {<index>} may
be provided to distinguish multiple databases of the same type. Usually the
index can be omitted, and slapd will generate it automatically.
{{EX:<type>}} should be one of the
supported backend types listed in Table 5.2 or the {{EX:frontend}} type.

The {{EX:frontend}} is a special database that is used to hold
database-level options that should be applied to all the other
databases. Subsequent database definitions may also override some
frontend settings.

The {{EX:config}} database is also special; both the {{EX:config}} and
the {{EX:frontend}} databases are always created implicitly even if they
are not explicitly configured, and they are created before any other
databases.

\Example:

>	olcDatabase: bdb

This marks the beginning of a new {{TERM:BDB}} database instance.


H4: olcAccess: to <what> [ by <who> <accesslevel> <control> ]+

This directive grants access (specified by <accesslevel>) to a
set of entries and/or attributes (specified by <what>) by one or
more requesters (specified by <who>).
See the {{SECT:Access Control}} section of this chapter for a
summary of basic usage.

!if 0
More detailed discussion of this directive can be found in the
{{SECT:Advanced Access Control}} chapter.
!endif

Note: If no {{EX:olcAccess}} directives are specified, the default
access control policy, {{EX:to * by * read}}, allows all
users (both authenticated and anonymous) read access.

Note: Access controls defined in the frontend are appended to all
other databases' controls.


H4: olcReadonly { TRUE | FALSE }

This directive puts the database into "read-only" mode. Any
attempts to modify the database will return an "unwilling to
perform" error.

\Default:

>	olcReadonly: FALSE


H4: olcReplica

>	olcReplica: uri=ldap[s]://<hostname>[:<port>] | host=<hostname>[:<port>]
>		[bindmethod={simple|sasl}]
>		["binddn=<DN>"]
>		[saslmech=<mech>]
>		[authcid=<identity>]
>		[authzid=<identity>]
>		[credentials=<password>]

This directive specifies a replication site for this database for
use with slurpd. The
{{EX:uri=}} parameter specifies a scheme, a host and optionally a port where
the slave slapd instance can be found. Either a domain name
or IP address may be used for <hostname>. If <port> is not
given, the standard LDAP port number (389 or 636) is used.

{{EX:host}} is deprecated in favor of the {{EX:uri}} parameter.

{{EX:uri}} allows the replica LDAP server to be specified as an LDAP 
URI such as {{EX:ldap://slave.example.com:389}} or
{{EX:ldaps://slave.example.com:636}}.

The {{EX:binddn=}} parameter gives the DN to bind as for updates
to the slave slapd. It should be a DN which has read/write access
to the slave slapd's database.  It must also match the {{EX:updatedn}}
directive in the slave slapd's config file.  Generally, this DN
{{should not}} be the same as the {{EX:rootdn}} of the master
database.  Since DNs are likely to contain embedded spaces, the
entire {{EX:"binddn=<DN>"}} string should be enclosed in double
quotes.

The {{EX:bindmethod}} is {{EX:simple}} or {{EX:sasl}},
depending on whether simple password-based authentication
or {{TERM:SASL}} authentication is to be used when connecting
to the slave slapd.

Simple authentication should not be used unless adequate data
integrity and confidentiality protections are in place (e.g. TLS
or IPSEC).  Simple authentication requires specification of
{{EX:binddn}} and {{EX:credentials}} parameters.

SASL authentication is generally recommended.  SASL authentication
requires specification of a mechanism using the {{EX:saslmech}} parameter.
Depending on the mechanism, an authentication identity and/or
credentials can be specified using {{EX:authcid}} and {{EX:credentials}}
respectively.  The {{EX:authzid}} parameter may be used to specify
an authorization identity.

See the chapter entitled {{SECT:Replication with slurpd}} for more
information on how to use this directive.


H4: olcReplogfile: <filename>

This directive specifies the name of the replication log file to
which slapd will log changes. The replication log is typically
written by slapd and read by slurpd. Normally, this directive is
only used if slurpd is being used to replicate the database.
However, you can also use it to generate a transaction log, if
slurpd is not running. In this case, you will need to periodically
truncate the file, since it will grow indefinitely otherwise.

See the chapter entitled {{SECT:Replication with slurpd}} for more
information on how to use this directive.


H4: olcRootDN: <DN>

This directive specifies the DN that is not subject to
access control or administrative limit restrictions for
operations on this database.  The DN need not refer to
an entry in this database or even in the directory. The
DN may refer to a SASL identity.

Entry-based Example:

>	olcRootDN: "cn=Manager,dc=example,dc=com"

SASL-based Example:

>	olcRootDN: "uid=root,cn=example.com,cn=digest-md5,cn=auth"

See the {{SECT:SASL Authentication}} section for information on
SASL authentication identities.


H4: olcRootPW: <password>

This directive can be used to specify a password for the DN for
the rootdn (when the rootdn is set to a DN within the database).

\Example:

>	olcRootPW: secret

It is also permissible to provide a hash of the password in RFC 2307
form.  {{slappasswd}}(8) may be used to generate the password hash.

\Example:

>	olcRootPW: {SSHA}ZKKuqbEKJfKSXhUbHG3fG8MDn9j1v4QN

The hash was generated using the command {{EX:slappasswd -s secret}}.


H4: olcSizeLimit: <integer>

This directive specifies the maximum number of entries to return
from a search operation.

\Default:

>	olcSizeLimit: 500



H4: olcSuffix: <dn suffix>

This directive specifies the DN suffix of queries that will be
passed to this backend database. Multiple suffix lines can be
given, and usually at least one is required for each database
definition. (Some backend types, such as {{EX:frontend}} and
{{EX:monitor}} use a hard-coded suffix which may not be overridden
in the configuration.)

\Example:

>	olcSuffix: "dc=example,dc=com"

Queries with a DN ending in "dc=example,dc=com"
will be passed to this backend.

Note: When the backend to pass a query to is selected, slapd
looks at the suffix value(s) in each database definition in the
order in which they were configured. Thus, if one database suffix is a
prefix of another, it must appear after it in the configuration.


H4: olcSyncrepl

>	olcSyncrepl: rid=<replica ID>
>		provider=ldap[s]://<hostname>[:port]
>		[starttls=yes|critical]
>		[type=refreshOnly|refreshAndPersist]
>		[interval=dd:hh:mm:ss]
>		[retry=[<retry interval> <# of retries>]+]
>		searchbase=<base DN>
>		[filter=<filter str>]
>		[scope=sub|one|base]
>		[attrs=<attr list>]
>		[attrsonly]
>		[sizelimit=<limit>]
>		[timelimit=<limit>]
>		[schemachecking=on|off]
>		[bindmethod=simple|sasl]
>		[binddn=<DN>]
>		[saslmech=<mech>]
>		[authcid=<identity>]
>		[authzid=<identity>]
>		[credentials=<passwd>]
>		[realm=<realm>]
>		[secprops=<properties>]


This directive specifies the current database as a replica of the
master content by establishing the current {{slapd}}(8) as a
replication consumer site running a syncrepl replication engine.
The master database is located at the replication provider site
specified by the {{EX:provider}} parameter. The replica database is
kept up-to-date with the master content using the LDAP Content
Synchronization protocol. See {{EX:draft-zeilenga-ldup-sync-xx.txt}}
({{a work in progress}}) for more information on the protocol.

The {{EX:rid}} parameter is used for identification of the current
{{EX:syncrepl}} directive within the replication consumer server,
where {{EX:<replica ID>}} uniquely identifies the syncrepl specification
described by the current {{EX:syncrepl}} directive. {{EX:<replica ID>}}
is non-negative and is no more than three decimal digits in length.

The {{EX:provider}} parameter specifies the replication provider site
containing the master content as an LDAP URI. The {{EX:provider}}
parameter specifies a scheme, a host and optionally a port where the
provider slapd instance can be found. Either a domain name or IP
address may be used for <hostname>. Examples are
{{EX:ldap://provider.example.com:389}} or {{EX:ldaps://192.168.1.1:636}}.
If <port> is not given, the standard LDAP port number (389 or 636) is used.
Note that the syncrepl uses a consumer-initiated protocol, and hence its
specification is located at the consumer site, whereas the {{EX:replica}}
specification is located at the provider site. {{EX:syncrepl}} and
{{EX:replica}} directives define two independent replication
mechanisms. They do not represent the replication peers of each other.

The {{EX:starttls}} parameter specifies use of the StartTLS extended
operation to establish a TLS session before Binding to the provider. If the
StartTLS request fails and the {{EX:critical}} argument was used, the
session will be aborted. Otherwise the syncrepl session continues without
TLS.

The content of the syncrepl replica is defined using a search
specification as its result set. The consumer slapd will
send search requests to the provider slapd according to the search
specification. The search specification includes {{EX:searchbase}},
{{EX:scope}}, {{EX:filter}}, {{EX:attrs}}, {{EX:attrsonly}},
{{EX:sizelimit}}, and {{EX:timelimit}} parameters as in the normal
search specification. The {{EX:searchbase}} parameter has no
default value and must always be specified. The {{EX:scope}} defaults
to {{EX:sub}}, the {{EX:filter}} defaults to {{EX:(objectclass=*)}},
{{EX:attrs}} defaults to {{EX:"*,+"}} to replicate all user and operational
attributes, and {{EX:attrsonly}} is unset by default. Both {{EX:sizelimit}}
and {{EX:timelimit}} default to "unlimited", and only positive integers
or "unlimited" may be specified.

The LDAP Content Synchronization protocol has two operation
types: {{EX:refreshOnly}} and {{EX:refreshAndPersist}}.
The operation type is specified by the {{EX:type}} parameter.
In the {{EX:refreshOnly}} operation, the next synchronization search operation
is periodically rescheduled at an interval time after each
synchronization operation finishes. The interval is specified
by the {{EX:interval}} parameter. It is set to one day by default.
In the {{EX:refreshAndPersist}} operation, a synchronization search
remains persistent in the provider slapd. Further updates to the
master replica will generate {{EX:searchResultEntry}} to the consumer slapd
as the search responses to the persistent synchronization search.

If an error occurs during replication, the consumer will attempt to reconnect
according to the retry parameter which is a list of the <retry interval>
and <# of retries> pairs. For example, retry="60 10 300 3" lets the consumer
retry every 60 seconds for the first 10 times and then retry every 300 seconds
for the next three times before stop retrying. + in <#  of retries> means
indefinite number of retries until success.

The schema checking can be enforced at the LDAP Sync consumer site
by turning on the {{EX:schemachecking}} parameter.
If it is turned on, every replicated entry will be checked for its
schema as the entry is stored into the replica content.
Every entry in the replica should contain those attributes
required by the schema definition.
If it is turned off, entries will be stored without checking
schema conformance. The default is off.

The {{EX:binddn}} parameter gives the DN to bind as for the
syncrepl searches to the provider slapd. It should be a DN
which has read access to the replication content in the
master database. 

The {{EX:bindmethod}} is {{EX:simple}} or {{EX:sasl}},
depending on whether simple password-based authentication or
{{TERM:SASL}} authentication is to be used when connecting
to the provider slapd.

Simple authentication should not be used unless adequate data
integrity and confidentiality protections are in place (e.g. TLS
or IPSEC). Simple authentication requires specification of {{EX:binddn}}
and {{EX:credentials}} parameters.

SASL authentication is generally recommended.  SASL authentication
requires specification of a mechanism using the {{EX:saslmech}} parameter.
Depending on the mechanism, an authentication identity and/or
credentials can be specified using {{EX:authcid}} and {{EX:credentials}},
respectively.  The {{EX:authzid}} parameter may be used to specify
an authorization identity.

The {{EX:realm}} parameter specifies a realm which a certain
mechanisms authenticate the identity within. The {{EX:secprops}}
parameter specifies Cyrus SASL security properties.

The syncrepl replication mechanism is supported by the
three native backends: back-bdb, back-hdb, and back-ldbm.

See the {{SECT:LDAP Sync Replication}} chapter of the admin guide
for more information on how to use this directive.


H4: olcTimeLimit: <integer>

This directive specifies the maximum number of seconds (in real
time) slapd will spend answering a search request. If a
request is not finished in this time, a result indicating an
exceeded timelimit will be returned.

\Default:

>	olcTimeLimit: 3600


H4: olcUpdateDN: <DN>

This directive is only applicable in a slave slapd. It specifies
the DN allowed to make changes to the replica.  This may be the DN
{{slurpd}}(8) binds as when making changes to the replica or the DN
associated with a SASL identity.

Entry-based Example:

>	olcUpdateDN: "cn=Update Daemon,dc=example,dc=com"

SASL-based Example:

>	olcUpdateDN: "uid=slurpd,cn=example.com,cn=digest-md5,cn=auth"

See the {{SECT:Replication with slurpd}} chapter for more information