slapdconf2.sdf

OpenLdap是LDAP的开源项目

on how to use this directive.

H4: olcUpdateref: <URL>

This directive is only applicable in a slave slapd. It
specifies the URL to return to clients which submit update
requests upon the replica.
If specified multiple times, each {{TERM:URL}} is provided.

\Example:

>	olcUpdateref:	ldap://master.example.net


H4: Sample Entries

>dn: olcDatabase=frontend,cn=config
>objectClass: olcDatabaseConfig
>objectClass: olcFrontendConfig
>olcDatabase: frontend
>olcReadOnly: FALSE
>
>dn: olcDatabase=config,cn=config
>objectClass: olcDatabaseConfig
>olcDatabase: config
>olcRootDN: cn=Manager,dc=example,dc=com


H3: BDB and HDB Database Directives

Directives in this category apply to both the {{TERM:BDB}}
and the {{TERM:HDB}} database.
They are used in an olcDatabase entry in addition to the generic
database directives defined above.  For a complete reference
of BDB/HDB configuration directives, see {{slapd-bdb}}(5). In
addition to the {{EX:olcDatabaseConfig}} objectClass, BDB and HDB
database entries must have the {{EX:olcBdbConfig}} and
{{EX:olcHdbConfig}} objectClass, respectively.


H4: olcDbDirectory: <directory>

This directive specifies the directory where the BDB files
containing the database and associated indices live.

\Default:

>	olcDbDirectory: /usr/local/var/openldap-data


H4: olcDbCachesize: <integer>

This directive specifies the size in entries of the in-memory
cache maintained by the BDB backend database instance.

\Default:

>	olcDbCachesize: 1000


H4: olcDbCheckpoint: <kbyte> <min>

This directive specifies how often to checkpoint the BDB transaction log.
A checkpoint operation flushes the database buffers to disk and writes a
checkpoint record in the log.
The checkpoint will occur if either <kbyte> data has been written or
<min> minutes have passed since the last checkpont. Both arguments default
to zero, in which case they are ignored. When the <min> argument is
non-zero, an internal task will run every <min> minutes to perform the
checkpoint. See the Berkeley DB reference guide for more details.

\Example:

>	olcDbCheckpoint: 1024 10


H4: olcDbConfig: <DB_CONFIG setting>

This attribute specifies a configuration directive to be placed in the
{{EX:DB_CONFIG}} file of the database directory. At server startup time, if
no such file exists yet, the {{EX:DB_CONFIG}} file will be created and the
settings in this attribute will be written to it. If the file exists,
its contents will be read and displayed in this attribute. The attribute
is multi-valued, to accomodate multiple configuration directives. No default
is provided, but it is essential to use proper settings here to get the
best server performance.

\Example:

>	olcDbConfig: set_cachesize 0 10485760 0
>	olcDbConfig: set_lg_bsize 2097512
>	olcDbConfig: set_lg_dir /var/tmp/bdb-log
>	olcDbConfig: set_flags DB_LOG_AUTOREMOVE

In this example, the BDB cache is set to 10MB, the BDB transaction log
buffer size is set to 2MB, and the transaction log files are to be stored
in the /var/tmp/bdb-log directory. Also a flag is set to tell BDB to
delete transaction log files as soon as their contents have been
checkpointed and they are no longer needed. Without this setting the
transaction log files will continue to accumulate until some other
cleanup procedure removes them. See the SleepyCat documentation for the
{{EX:db_archive}} command for details.

Ideally the BDB cache must be
at least as large as the working set of the database, the log buffer size
should be large enough to accomodate most transactions without overflowing,
and the log directory must be on a separate physical disk from the main
database files. And both the database directory and the log directory
should be separate from disks used for regular system activities such as
the root, boot, or swap filesystems. See the FAQ-o-Matic and the SleepyCat
documentation for more details.


H4: olcDbNosync: { TRUE | FALSE }

This option causes on-disk database contents to not be immediately
synchronized with in memory changes upon change.  Setting this option
to {{EX:TRUE}} may improve performance at the expense of data integrity. This
directive has the same effect as using
>	olcDbConfig: set_flags DB_TXN_NOSYNC


H4: olcDbIDLcacheSize: <integer>

Specify the size of the in-memory index cache, in index slots. The
default is zero. A larger value will speed up frequent searches of
indexed entries. The optimal size will depend on the data and search
characteristics of the database, but using a number three times
the entry cache size is a good starting point.

\Example:

>	olcDbIDLcacheSize: 3000


H4: olcDbIndex: {<attrlist> | default} [pres,eq,approx,sub,none]

This directive specifies the indices to maintain for the given
attribute. If only an {{EX:<attrlist>}} is given, the default
indices are maintained.

\Example:

>	olcDbIndex: default pres,eq
>	olcDbIndex: uid
>	olcDbIndex: cn,sn pres,eq,sub
>	olcDbIndex: objectClass eq

The first line sets the default set of indices to maintain to
present and equality.  The second line causes the default (pres,eq)
set of indices to be maintained for the {{EX:uid}} attribute type.
The third line causes present, equality, and substring indices to
be maintained for {{EX:cn}} and {{EX:sn}} attribute types.  The
fourth line causes an equality index for the {{EX:objectClass}}
attribute type.

By default, no indices are maintained.  It is generally advised
that minimally an equality index upon objectClass be maintained.

>	olcDbindex: objectClass eq

If this setting is changed while slapd is running, an internal task
will be run to generate the changed index data. All server operations
can continue as normal while the indexer does its work.  If slapd is
stopped before the index task completes, indexing will have to be
manually completed using the slapindex tool.


H4: olcDbLinearIndex: { TRUE | FALSE }

If this setting is {{EX:TRUE}} slapindex will index one attribute
at a time. The default settings is {{EX:FALSE}} in which case all
indexed attributes of an entry are processed at the same time. When
enabled, each indexed attribute is processed individually, using
multiple passes through the entire database. This option improves
slapindex performance when the database size exceeds the BDB cache
size. When the BDB cache is large enough, this option is not needed
and will decrease performance. Also by default, slapadd performs
full indexing and so a separate slapindex run is not needed. With
this option, slapadd does no indexing and slapindex must be used.


H4: olcDbMode: <integer>

This directive specifies the file protection mode that newly
created database index files should have.

\Default:

>	olcDbMode: 0600


H4: olcDbSearchStack: <integer>

Specify the depth of the stack used for search filter evaluation.
Search filters are evaluated on a stack to accomodate nested {{EX:AND}} /
{{EX:OR}} clauses. An individual stack is allocated for each server thread.
The depth of the stack determines how complex a filter can be evaluated
without requiring any additional memory allocation. Filters that are
nested deeper than the search stack depth will cause a separate stack to
be allocated for that particular search operation. These separate allocations
can have a major negative impact on server performance, but specifying
too much stack will also consume a great deal of memory. Each search
uses 512K bytes per level on a 32-bit machine, or 1024K bytes per level
on a 64-bit machine. The default stack depth is 16, thus 8MB or 16MB
per thread is used on 32 and 64 bit machines, respectively. Also the
512KB size of a single stack slot is set by a compile-time constant which
may be changed if needed; the code must be recompiled for the change
to take effect.

\Default:

>	olcDbSearchStack: 16


H4: olcDbShmKey: <integer>

Specify a key for a shared memory BDB environment. By default the BDB
environment uses memory mapped files. If a non-zero value is specified,
it will be used as the key to identify a shared memory region that will
house the environment.

\Example:

>	olcDbShmKey: 42


H4: Sample Entry

>dn: olcDatabase=hdb,cn=config
>objectClass: olcDatabaseConfig
>objectClass: olcHdbConfig
>olcDatabase: hdb
>olcSuffix: "dc=example,dc=com"
>olcDbDirectory: /usr/local/var/openldap-data
>olcDbCacheSize: 1000
>olcDbCheckpoint: 1024 10
>olcDbConfig: set_cachesize 0 10485760 0
>olcDbConfig: set_lg_bsize 2097152
>olcDbConfig: set_lg_dir /var/tmp/bdb-log
>olcDbConfig: set_flags DB_LOG_AUTOREMOVE
>olcDbIDLcacheSize: 3000
>olcDbIndex: objectClass eq


H2: Access Control

Access to slapd entries and attributes is controlled by the
olcAccess attribute, whose values are a sequence of access directives.
The general form of the olcAccess configuration is:

>	olcAccess: <access directive>
>	<access directive> ::= to <what>
>		[by <who> <access> <control>]+
>	<what> ::= * |
>		[dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
>		[filter=<ldapfilter>] [attrs=<attrlist>]
>	<basic-style> ::= regex | exact
>	<scope-style> ::= base | one | subtree | children
>	<attrlist> ::= <attr> [val[.<basic-style>]=<regex>] | <attr> , <attrlist>
>	<attr> ::= <attrname> | entry | children
>	<who> ::= * | [anonymous | users | self
>			| dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>] 
>		[dnattr=<attrname>]
>		[group[/<objectclass>[/<attrname>][.<basic-style>]]=<regex>]
>		[peername[.<basic-style>]=<regex>]
>		[sockname[.<basic-style>]=<regex>]
>		[domain[.<basic-style>]=<regex>]
>		[sockurl[.<basic-style>]=<regex>]
>		[set=<setspec>]
>		[aci=<attrname>]
>	<access> ::= [self]{<level>|<priv>}
>	<level> ::= none | auth | compare | search | read | write
>	<priv> ::= {=|+|-}{w|r|s|c|x|0}+
>	<control> ::= [stop | continue | break]

where the <what> part selects the entries and/or attributes to which
the access applies, the {{EX:<who>}} part specifies which entities
are granted access, and the {{EX:<access>}} part specifies the
access granted. Multiple {{EX:<who> <access> <control>}} triplets
are supported, allowing many entities to be granted different access
to the same set of entries and attributes. Not all of these access
control options are described here; for more details see the
{{slapd.access}}(5) man page.


H3: What to control access to

The <what> part of an access specification determines the entries
and attributes to which the access control applies.  Entries are
commonly selected in two ways: by DN and by filter.  The following
qualifiers select entries by DN:

>	to *
>	to dn[.<basic-style>]=<regex>
>	to dn.<scope-style>=<DN>

The first form is used to select all entries.  The second form may
be used to select entries by matching a regular expression against
the target entry's {{normalized DN}}.   (The second form is not
discussed further in this document.)  The third form is used to
select entries which are within the requested scope of DN.  The
<DN> is a string representation of the Distinguished Name, as
described in {{REF:RFC2253}}.

The scope can be either {{EX:base}}, {{EX:one}}, {{EX:subtree}},
or {{EX:children}}.  Where {{EX:base}} matches only the entry with
provided DN, {{EX:one}} matches the entries whose parent is the
provided DN, {{EX:subtree}} matches all entries in the subtree whose
root is the provided DN, and {{EX:children}} matches all entries
under the DN (but not the entry named by the DN).

For example, if the directory contained entries named:

>	0: o=suffix
>	1: cn=Manager,o=suffix
>	2: ou=people,o=suffix
>	3: uid=kdz,ou=people,o=suffix
>	4: cn=addresses,uid=kdz,ou=people,o=suffix
>	5: uid=hyc,ou=people,o=suffix

\Then:
. {{EX:dn.base="ou=people,o=suffix"}} match 2;
. {{EX:dn.one="ou=people,o=suffix"}} match 3, and 5;
. {{EX:dn.subtree="ou=people,o=suffix"}} match 2, 3, 4, and 5; and
. {{EX:dn.children="ou=people,o=suffix"}} match 3, 4, and 5.


Entries may also be selected using a filter:

>	to filter=<ldap filter>

where <ldap filter> is a string representation of an LDAP
search filter, as described in {{REF:RFC2254}}.  For example:

>	to filter=(objectClass=person)

Note that entries may be selected by both DN and filter by
including both qualifiers in the <what> clause.

>	to dn.one="ou=people,o=suffix" filter=(objectClass=person)

Attributes within an entry are selected by including a comma-separated
list of attribute names in the <what> selector:

>	attrs=<attribute list>

A specific value of an attribute is selected by using a single
attribute name and also using a value selector:

>	attrs=<attribute> val[.<style>]=<regex>

There are two special {{pseudo}} attributes {{EX:entry}} and
{{EX:children}}.  To read (and hence return) a target entry, the
subject must have {{EX:read}} access to the target's {{entry}}
attribute.  To add or delete an entry, the subject must have
{{EX:write}} access to the entry's {{EX:entry}} attribute AND must
have {{EX:write}} access to the entry's parent's {{EX:children}}
attribute.  To rename an entry, the subject must have {{EX:write}}
access to entry's {{EX:entry}} attribute AND have {{EX:write}}
access to both the old parent's and new parent's {{EX:children}}
attributes.  The complete examples at the end of this section should
help clear things up.

Lastly, there is a special entry selector {{EX:"*"}} that is used to
select any entry.  It is used when no other {{EX:<what>}}
selector has been provided.  It's equivalent to "{{EX:dn=.*}}"


H3: Who to grant access to

The <who> part identifies the entity or entities being granted
access. Note that access is granted to "entities" not "entries."
The following table summarizes entity specifiers:

!block table; align=Center; coltags="EX,N"; \
	title="Table 5.3: Access Entity Specifiers"
Specifier|Entities
*|All, including anonymous and authenticated users
anonymous|Anonymous (non-authenticated) users
users|Authenticated users
self|User associated with target entry
dn[.<basic-style>]=<regex>|Users matching a regular expression
dn.<scope-style>=<DN>|Users within scope of a DN
!endblock