OpenLDAP Software 2.4 Administrator's Guide
The OpenLDAP Project <http://www.openldap.org/>
7 May 2008
Table of Contents
Preface
1. Introduction to OpenLDAP Directory Services
1.1. What is a directory service?
1.2. What is LDAP?
1.3. When should I use LDAP?
1.4. When should I not use LDAP?
1.5. How does LDAP work?
1.6. What about X.500?
1.7. What is the difference between LDAPv2 and LDAPv3?
1.8. LDAP vs RDBMS
1.9. What is slapd and what can it do?
2. A Quick-Start Guide
3. The Big Picture - Configuration Choices
3.1. Local Directory Service
3.2. Local Directory Service with Referrals
3.3. Replicated Directory Service
3.4. Distributed Local Directory Service
4. Building and Installing OpenLDAP Software
4.1. Obtaining and Extracting the Software
4.2. Prerequisite software
4.2.1. Transport Layer Security
4.2.2. Simple Authentication and Security Layer
4.2.3. Kerberos Authentication Service
4.2.4. Database Software
4.2.5. Threads
4.2.6. TCP Wrappers
4.3. Running configure
4.4. Building the Software
4.5. Testing the Software
4.6. Installing the Software
5. Configuring slapd
5.1. Configuration Layout
5.2. Configuration Directives
5.2.1. cn=config
5.2.2. cn=module
5.2.3. cn=schema
5.2.4. Backend-specific Directives
5.2.5. Database-specific Directives
5.2.6. BDB and HDB Database Directives
6. The slapd Configuration File
6.1. Configuration File Format
6.2. Configuration File Directives
6.2.1. Global Directives
6.2.2. General Backend Directives
6.2.3. General Database Directives
6.2.4. BDB and HDB Database Directives
7. Access Control
7.1. Introduction
7.2. Access Control via Static Configuration
7.2.1. What to control access to
7.2.2. Who to grant access to
7.2.3. The access to grant
7.2.4. Access Control Evaluation
7.2.5. Access Control Examples
7.2.6. Configuration File Example
7.3. Access Control via Dynamic Configuration
7.3.1. What to control access to
7.3.2. Who to grant access to
7.3.3. The access to grant
7.3.4. Access Control Evaluation
7.3.5. Access Control Examples
7.3.6. Access Control Ordering
7.3.7. Configuration Example
7.3.8. Converting from slapd.conf(5) to a cn=config directory format
7.4. Access Control Common Examples
7.4.1. Basic ACLs
7.4.2. Matching Anonymous and Authenticated users
7.4.3. Controlling rootdn access
7.4.4. Managing access with Groups
7.4.5. Granting access to a subset of attributes
7.4.6. Allowing a user write to all entries below theirs
7.4.7. Allowing entry creation
7.4.8. Tips for using regular expressions in Access Control
7.4.9. Granting and Denying access based on security strength factors (ssf)
7.4.10. When things aren't working as expected
7.5. Sets - Granting rights based on relationships
7.5.1. Groups of Groups
7.5.2. Group ACLs without DN syntax
7.5.3. Following references
8. Running slapd
8.1. Command-Line Options
8.2. Starting slapd
8.3. Stopping slapd
9. Database Creation and Maintenance Tools
9.1. Creating a database over LDAP
9.2. Creating a database off-line
9.2.1. The slapadd program
9.2.2. The slapindex program
9.2.3. The slapcat program
9.3. The LDIF text entry format
10. Backends
10.1. Berkeley DB Backends
10.1.1. Overview
10.1.2. back-bdb/back-hdb Configuration
10.1.3. Further Information
10.2. LDAP
10.2.1. Overview
10.2.2. back-ldap Configuration
10.2.3. Further Information
10.3. LDIF
10.3.1. Overview
10.3.2. back-ldif Configuration
10.3.3. Further Information
10.4. Metadirectory
10.4.1. Overview
10.4.2. back-meta Configuration
10.4.3. Further Information
10.5. Monitor
10.5.1. Overview
10.5.2. back-monitor Configuration
10.5.3. Further Information
10.6. Null
10.6.1. Overview
10.6.2. back-null Configuration
10.6.3. Further Information
10.7. Passwd
10.7.1. Overview
10.7.2. back-passwd Configuration
10.7.3. Further Information
10.8. Perl/Shell
10.8.1. Overview
10.8.2. back-perl/back-shell Configuration
10.8.3. Further Information
10.9. Relay
10.9.1. Overview
10.9.2. back-relay Configuration
10.9.3. Further Information
10.10. SQL
10.10.1. Overview
10.10.2. back-sql Configuration
10.10.3. Further Information
11. Overlays
11.1. Access Logging
11.1.1. Overview
11.1.2. Access Logging Configuration
11.2. Audit Logging
11.2.1. Overview
11.2.2. Audit Logging Configuration
11.3. Chaining
11.3.1. Overview
11.3.2. Chaining Configuration
11.3.3. Handling Chaining Errors
11.4. Constraints
11.4.1. Overview
11.4.2. Constraint Configuration
11.5. Dynamic Directory Services
11.5.1. Overview
11.5.2. Dynamic Directory Service Configuration
11.6. Dynamic Groups
11.6.1. Overview
11.6.2. Dynamic Group Configuration
11.7. Dynamic Lists
11.7.1. Overview
11.7.2. Dynamic List Configuration
11.8. Reverse Group Membership Maintenance
11.8.1. Overview
11.8.2. Member Of Configuration
11.9. The Proxy Cache Engine
11.9.1. Overview
11.9.2. Proxy Cache Configuration
11.10. Password Policies
11.10.1. Overview
11.10.2. Password Policy Configuration
11.11. Referential Integrity
11.11.1. Overview
11.11.2. Referential Integrity Configuration
11.12. Return Code
11.12.1. Overview
11.12.2. Return Code Configuration
11.13. Rewrite/Remap
11.13.1. Overview
11.13.2. Rewrite/Remap Configuration
11.14. Sync Provider
11.14.1. Overview
11.14.2. Sync Provider Configuration
11.15. Translucent Proxy
11.15.1. Overview
11.15.2. Translucent Proxy Configuration
11.16. Attribute Uniqueness
11.16.1. Overview
11.16.2. Attribute Uniqueness Configuration
11.17. Value Sorting
11.17.1. Overview
11.17.2. Value Sorting Configuration
11.18. Overlay Stacking
11.18.1. Overview
11.18.2. Example Scenarios
12. Schema Specification
12.1. Distributed Schema Files
12.2. Extending Schema
12.2.1. Object Identifiers
12.2.2. Naming Elements
12.2.3. Local schema file
12.2.4. Attribute Type Specification
12.2.5. Object Class Specification
12.2.6. OID Macros
13. Security Considerations
13.1. Network Security
13.1.1. Selective Listening
13.1.2. IP Firewall
13.1.3. TCP Wrappers
13.2. Data Integrity and Confidentiality Protection
13.2.1. Security Strength Factors
13.3. Authentication Methods
13.3.1. "simple" method
13.3.2. SASL method
13.4. Password Storage
13.4.1. SSHA password storage scheme
13.4.2. CRYPT password storage scheme
13.4.3. MD5 password storage scheme
13.4.4. SMD5 password storage scheme
13.4.5. SHA password storage scheme
13.4.6. SASL password storage scheme
13.4.7. KERBEROS password storage scheme
13.5. Pass-Through authentication
13.5.1. Configuring slapd to use an authentication provider
13.5.2. Configuring saslauthd
13.5.3. Testing pass-through authentication
14. Using SASL
14.1. SASL Security Considerations
14.2. SASL Authentication
14.2.1. GSSAPI
14.2.2. KERBEROS_V4
14.2.3. DIGEST-MD5
14.2.4. Mapping Authentication Identities
14.2.5. Direct Mapping
14.2.6. Search-based mappings
14.3. SASL Proxy Authorization
14.3.1. Uses of Proxy Authorization
14.3.2. SASL Authorization Identities
14.3.3. Proxy Authorization Rules
15. Using TLS
15.1. TLS Certificates
15.1.1. Server Certificates
15.1.2. Client Certificates
15.2. TLS Configuration
15.2.1. Server Configuration
15.2.2. Client Configuration
16. Constructing a Distributed Directory Service
16.1. Subordinate Knowledge Information
16.2. Superior Knowledge Information
16.3. The ManageDsaIT Control
17. Replication
17.1. Push Based
17.1.1. Replacing Slurpd
17.2. Pull Based
17.2.1. LDAP Sync Replication
17.2.2. Delta-syncrepl replication
17.3. Mixture of both Pull and Push based
17.3.1. N-Way Multi-Master replication
17.3.2. MirrorMode replication
17.4. Configuring the different replication types
17.4.1. Syncrepl
17.4.2. Delta-syncrepl
17.4.3. N-Way Multi-Master
17.4.4. MirrorMode
18. Maintenance
18.1. Directory Backups
18.2. Berkeley DB Logs
18.3. Checkpointing
18.4. Migration
19. Monitoring
19.1. Monitor configuration via cn=config(5)
19.2. Monitor configuration via slapd.conf(5)
19.3. Accessing Monitoring Information
19.4. Monitor Information
19.4.1. Backends
19.4.2. Connections
19.4.3. Databases
19.4.4. Listener
19.4.5. Log
19.4.6. Operations
19.4.7. Overlays
19.4.8. SASL
19.4.9. Statistics
19.4.10. Threads
19.4.11. Time
19.4.12. TLS
19.4.13. Waiters
20. Tuning
20.1. Performance Factors
20.1.1. Memory
20.1.2. Disks
20.1.3. Network Topology
20.1.4. Directory Layout Design
20.1.5. Expected Usage
20.2. Indexes
20.2.1. Understanding how a search works
20.2.2. What to index
20.2.3. Presence indexing
20.3. Logging
20.3.1. What log level to use
20.3.2. What to watch out for
20.3.3. Improving throughput
20.4. Caching
20.4.1. Berkeley DB Cache
20.4.2. slapd(8) Entry Cache (cachesize)
20.4.3. IDL Cache (idlcachesize)
20.4.4. slapd(8) Threads
21. Troubleshooting
21.1. User or Software errors?
21.2. Checklist
21.3. OpenLDAP Bugs
21.4. 3rd party software error
21.5. How to contact the OpenLDAP Project
21.6. How to present your problem
21.7. Debugging slapd(8)
21.8. Commercial Support
A. Changes Since Previous Release
A.1. New Guide Sections
A.2. New Features and Enhancements in 2.4
A.2.1. Better cn=config functionality
A.2.2. Better cn=schema functionality
A.2.3. More sophisticated Syncrepl configurations
A.2.4. N-Way Multimaster Replication
A.2.5. Replicating slapd Configuration (syncrepl and cn=config)
A.2.6. Push-Mode Replication
A.2.7. More extensive TLS configuration control
A.2.8. Performance enhancements
A.2.9. New overlays
A.2.10. New features in existing Overlays
A.2.11. New features in slapd
A.2.12. New features in libldap
A.2.13. New clients, tools and tool enhancements
A.2.14. New build options
A.3. Obsolete Features Removed From 2.4
A.3.1. Slurpd
A.3.2. back-ldbm
B. Upgrading from 2.3.x
B.1. Monitor Backend
B.2. cn=config olc* attributes
B.3. ACLs: searches require privileges on the search base
C. Common errors encountered when using OpenLDAP Software
C.1. Common causes of LDAP errors
C.1.1. ldap_*: Can't contact LDAP server
C.1.2. ldap_*: No such object
C.1.3. ldap_*: Can't chase referral
C.1.4. ldap_*: server is unwilling to perform
C.1.5. ldap_*: Insufficient access
C.1.6. ldap_*: Invalid DN syntax
C.1.7. ldap_*: Referral hop limit exceeded
C.1.8. ldap_*: operations error
C.1.9. ldap_*: other error
C.1.10. ldap_add/modify: Invalid syntax
C.1.11. ldap_add/modify: Object class violation
C.1.12. ldap_add: No such object
C.1.13. ldap add: invalid structural object class chain
C.1.14. ldap_add: no structuralObjectClass operational attribute
C.1.15. ldap_add/modify/rename: Naming violation
C.1.16. ldap_add/delete/modify/rename: no global superior knowledge
C.1.17. ldap_bind: Insufficient access
C.1.18. ldap_bind: Invalid credentials
C.1.19. ldap_bind: Protocol error
C.1.20. ldap_modify: cannot modify object class
C.1.21. ldap_sasl_interactive_bind_s: ...
C.1.22. ldap_sasl_interactive_bind_s: No such Object
C.1.23. ldap_sasl_interactive_bind_s: No such attribute
C.1.24. ldap_sasl_interactive_bind_s: Unknown authentication method
C.1.25. ldap_sasl_interactive_bind_s: Local error (82)
C.1.26. ldap_search: Partial results and referral received
C.1.27. ldap_start_tls: Operations error
C.2. Other Errors
C.2.1. ber_get_next on fd X failed errno=34 (Numerical result out of range)
C.2.2. ber_get_next on fd X failed errno=11 (Resource temporarily unavailable)
C.2.3. daemon: socket() failed errno=97 (Address family not supported)
C.2.4. GSSAPI: gss_acquire_cred: Miscellaneous failure; Permission denied;
C.2.5. access from unknown denied
C.2.6. ldap_read: want=# error=Resource temporarily unavailable
C.2.7. `make test' fails
C.2.8. ldap_*: Internal (implementation specific) error (80) - additional info: entry index delete failed
C.2.9. ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
D. Recommended OpenLDAP Software Dependency Versions
D.1. Dependency Versions
E. Real World OpenLDAP Deployments and Examples
F. OpenLDAP Software Contributions
F.1. Client APIs
F.1.1. ldapc++
F.1.2. ldaptcl
F.2. Overlays
F.2.1. acl
F.2.2. addpartial
F.2.3. allop
F.2.4. comp_match
F.2.5. denyop
F.2.6. dsaschema
F.2.7. lastmod
F.2.8. passwd
F.2.9. proxyOld
F.2.10. smbk5pwd
F.2.11. trace
F.3. Tools
F.3.1. Statistic Logging
F.4. SLAPI Plugins
F.4.1. addrdnvalues
G. Configuration File Examples
G.1. slapd.conf
G.2. ldap.conf
G.3. a-n-other.conf
H. LDAP Result Codes
H.1. Non-Error Result Codes
H.2. Result Codes
H.3. success (0)
H.4. operationsError (1)
H.5. protocolError (2)
H.6. timeLimitExceeded (3)
H.7. sizeLimitExceeded (4)
H.8. compareFalse (5)
H.9. compareTrue (6)
H.10. authMethodNotSupported (7)
H.11. strongerAuthRequired (8)
H.12. referral (10)
H.13. adminLimitExceeded (11)
H.14. unavailableCriticalExtension (12)
H.15. confidentialityRequired (13)
H.16. saslBindInProgress (14)
H.17. noSuchAttribute (16)
H.18. undefinedAttributeType (17)
H.19. inappropriateMatching (18)
H.20. constraintViolation (19)
H.21. attributeOrValueExists (20)
H.22. invalidAttributeSyntax (21)
H.23. noSuchObject (32)
H.24. aliasProblem (33)
H.25. invalidDNSyntax (34)
H.26. aliasDereferencingProblem (36)
H.27. inappropriateAuthentication (48)
H.28. invalidCredentials (49)
H.29. insufficientAccessRights (50)
H.30. busy (51)
H.31. unavailable (52)
H.32. unwillingToPerform (53)
H.33. loopDetect (54)
H.34. namingViolation (64)
H.35. objectClassViolation (65)
H.36. notAllowedOnNonLeaf (66)
H.37. notAllowedOnRDN (67)
H.38. entryAlreadyExists (68)
H.39. objectClassModsProhibited (69)
H.40. affectsMultipleDSAs (71)
H.41. other (80)
I. Glossary
I.1. Terms
I.2. Related Organizations
I.3. Related Products
I.4. References
J. Generic configure Instructions
K. OpenLDAP Software Copyright Notices
K.1. OpenLDAP Copyright Notice
K.2. Additional Copyright Notices
K.3. University of Michigan Copyright Notice
L. OpenLDAP Public License