OpenLDAPAdminGuide/ConfiguringSlapd

From the Ubuntu Chinese wiki (Ubuntu中文)

Configuring slapd

Once the software has been built and installed, you are ready to configure slapd(8) for use at your site. Unlike previous OpenLDAP releases, the slapd runtime configuration in 2.3 is fully LDAP-enabled and can be managed using the standard LDAP operations with data in LDIF. The LDAP configuration engine allows all of slapd's configuration options to be changed on the fly, generally without requiring a server restart for the changes to take effect. The old style slapd.conf(5) file is still supported, but must be converted to the new slapd.d(5) format to allow runtime changes to be saved. While the old style configuration uses a single file, normally installed as /usr/local/etc/openldap/slapd.conf, the new style uses a slapd backend database to store the configuration. The configuration database normally resides in the /usr/local/etc/openldap/slapd.d directory.

An alternate configuration directory (or file) can be specified via a command-line option to slapd(8) or slurpd(8). This chapter describes the general format of the configuration system, followed by a detailed description of commonly used config settings.

Note: some backends and some of the distributed overlays do not yet support runtime configuration. In those cases, the old style slapd.conf(5) file must be used.

Note: the current version of slurpd has not been updated for compatibility with this new configuration engine. If you must use slurpd for replication at your site, you will have to maintain an old-style slapd.conf file for slurpd to use.


Configuration Layout

The slapd configuration is stored as a special LDAP directory with a predefined schema and DIT. There are specific objectClasses used to carry global configuration options, schema definitions, backend and database definitions, and assorted other items. A sample config tree is shown in Figure 5.1.

Figure 5.1: Sample configuration tree (image config_dit.gif, not reproduced here)

Other objects may be part of the configuration but were omitted from the illustration for clarity.

The slapd.d configuration tree has a very specific structure. The root of the tree is named cn=config and contains global configuration settings. Additional settings are contained in separate child entries:

  • Include files
    • Usually these are just pathnames left over from a converted slapd.conf file.
    • Otherwise, use of Include files is deprecated.
  • Dynamically loaded modules
    • These may only be used if the --enable-modules option was used to configure the software.
  • Schema definitions
    • The cn=schema,cn=config entry contains the system schema (all the schema that is hard-coded in slapd).
    • Child entries of cn=schema,cn=config contain user schema as loaded from config files or added at runtime.
  • Backend-specific configuration
  • Database-specific configuration
    • Overlays are defined in children of the Database entry.
    • Databases and Overlays may also have other miscellaneous children.

The usual rules for LDIF files apply to the configuration information: comment lines beginning with a '#' character are ignored. If a line begins with a single space, it is considered a continuation of the previous line (even if the previous line is a comment) and the single leading space is removed. Entries are separated by blank lines.

The general layout of the config LDIF is as follows:

# global configuration settings
dn: cn=config
objectClass: olcGlobal
cn: config
<global config settings>

# schema definitions
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
<system schema>

dn: cn={X}core,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {X}core
<core schema>

# additional user-specified schema
...

# backend definitions
dn: olcBackend=<typeA>,cn=config
objectClass: olcBackendConfig
olcBackend: <typeA>
<backend-specific settings>

# database definitions
dn: olcDatabase={X}<typeA>,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {X}<typeA>
<database-specific settings>

# subsequent definitions and settings
...

Some of the entries listed above have a numeric index "{X}" in their names. While most configuration settings have an inherent ordering dependency (i.e., one setting must take effect before a subsequent one may be set), LDAP databases are inherently unordered. The numeric index is used to enforce a consistent ordering in the configuration database, so that all ordering dependencies are preserved. In most cases the index does not have to be provided; it will be automatically generated based on the order in which entries are created.

Configuration directives are specified as values of individual attributes. Most of the attributes and objectClasses used in the slapd configuration have a prefix of "olc" (OpenLDAP Configuration) in their names. Generally there is a one-to-one correspondence between the attributes and the old-style slapd.conf configuration keywords, using the keyword as the attribute name, with the "olc" prefix attached.

A configuration directive may take arguments. If so, the arguments are separated by white space. If an argument contains white space, the argument should be enclosed in double quotes "like this". In the descriptions that follow, arguments that should be replaced by actual text are shown in angle brackets <>.

The distribution contains an example configuration file that will be installed in the /usr/local/etc/openldap directory. A number of files containing schema definitions (attribute types and object classes) are also provided in the /usr/local/etc/openldap/schema directory.

Configuration Directives

This section details commonly used configuration directives. For a complete list, see the slapd.d(5) manual page. This section will treat the configuration directives in a top-down order, starting with the global directives in the cn=config entry. Each directive will be described along with its default value (if any) and an example of its use.

cn=config

Directives contained in this entry generally apply to the server as a whole. Most of them are system or connection oriented, not database related. This entry must have the olcGlobal objectClass.

olcIdleTimeout: <integer>

Specify the number of seconds to wait before forcibly closing an idle client connection. A value of 0, the default, disables this feature.

olcLogLevel: <level>

This directive specifies the level at which debugging statements and operation statistics should be syslogged (currently logged to the syslogd(8) LOG_LOCAL4 facility). You must have configured OpenLDAP with --enable-debug (the default) for this to work (except for the two statistics levels, which are always enabled). Log levels may be specified as integers or by keyword. Multiple log levels may be used and the levels are additive. To display which levels correspond to which kind of debugging, invoke slapd with -? or consult the table below. The possible values for <level> are:

Table 5.1: Debugging Levels

Level   Keyword   Description
0                 no debugging
1       Trace     trace function calls
2       Packets   debug packet handling
4       Args      heavy trace debugging
8       Conns     connection management
16      BER       print out packets sent and received
32      Filter    search filter processing
64      Config    configuration processing
128     ACL       access control list processing
256     Stats     stats log connections/operations/results
512     Stats2    stats log entries sent
1024    Shell     print communication with shell backends
2048    Parse     print entry parsing debugging
4096    Cache     database cache processing
8192    Index     database indexing
16384   Sync      syncrepl consumer processing


Example:

olcLogLevel: -1

This will cause lots and lots of debugging information to be logged, including the contents of packets sent and received (the Packets and BER levels), so do not leave it enabled on a production server.

olcLogLevel: Conns Filter

Just log the connection and search filter processing.

Default:

olcLogLevel: Stats

olcReferral: <URI>

This directive specifies the referral to pass back when slapd cannot find a local database to handle a request.

Example:

olcReferral: ldap://root.openldap.org

This will refer non-local queries to the global root LDAP server at the OpenLDAP Project. Smart LDAP clients can re-ask their query at that server, but note that most of these clients are only going to know how to handle simple LDAP URLs that contain a host part and optionally a distinguished name part.

Sample Entry

dn: cn=config
objectClass: olcGlobal
cn: config
olcIdleTimeout: 30
olcLogLevel: Stats
olcReferral: ldap://root.openldap.org

cn=include

An include entry holds the pathname of one include file. Include files are part of the old style slapd.conf configuration system and must be in slapd.conf format. Include files were commonly used to load schema specifications. While they are still supported, their use is deprecated. Include entries must have the olcIncludeFile objectClass.

olcInclude: <filename>

This directive specifies that slapd should read additional configuration information from the given file.

Note: You should be careful when using this directive: there is no small limit on the number of nested include directives, and no loop detection is done.

Sample Entries

dn: cn=include{0},cn=config
objectClass: olcIncludeFile
cn: include{0}
olcInclude: ./schema/core.schema

dn: cn=include{1},cn=config
objectClass: olcIncludeFile
cn: include{1}
olcInclude: ./schema/cosine.schema

cn=module

If support for dynamically loaded modules was enabled when configuring slapd, cn=module entries may be used to specify sets of modules to load. Module entries must have the olcModuleList objectClass.

olcModuleLoad: <filename>

Specify the name of a dynamically loadable module to load. The filename may be an absolute path name or a simple filename. Non-absolute names are searched for in the directories specified by the olcModulePath directive.

olcModulePath: <pathspec>

Specify a list of directories to search for loadable modules. Typically the path is colon-separated but this depends on the operating system. slapd loads executable code from these directories, so they must not be writable by anyone other than the administrator.

Sample Entries

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: /usr/local/lib/smbk5pwd.la

dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
olcModulePath: /usr/local/lib:/usr/local/lib/slapd
olcModuleLoad: accesslog.la
olcModuleLoad: pcache.la

cn=schema

The cn=schema entry holds all of the schema definitions that are hard-coded in slapd. As such, the values in this entry are generated by slapd, so no schema values need to be provided in the config file. The entry must still be defined though, to serve as a base for the user-defined schema to add in underneath. Schema entries must have the olcSchemaConfig objectClass.

olcAttributeTypes: <RFC2252 Attribute Type Description>

This directive defines an attribute type. Please see the Schema Specification chapter for information regarding how to use this directive.

olcObjectClasses: <RFC2252 Object Class Description>

This directive defines an object class. Please see the Schema Specification chapter for information regarding how to use this directive.

Sample Entries

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

dn: cn=test,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: test
olcAttributeTypes: ( 1.1.1
  NAME 'testAttr'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
olcAttributeTypes: ( 1.1.2 NAME 'testTwo' EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
olcObjectClasses: ( 1.1.3 NAME 'testObject'
  MAY ( testAttr $ testTwo ) AUXILIARY )

(The continuation lines above start with two spaces: LDIF strips the first one, so the second keeps the tokens separated when the lines are joined.)

Backend-specific Directives

Backend directives apply to all database instances of the same type and, depending on the directive, may be overridden by database directives. Backend entries must have the olcBackendConfig objectClass.

olcBackend: <type>

This directive names a backend-specific configuration entry. <type> should be one of the supported backend types listed in Table 5.2.

Table 5.2: Database Backends

Type      Description
bdb       Berkeley DB transactional backend
config    Slapd configuration backend
dnssrv    DNS SRV backend
hdb       Hierarchical variant of bdb backend
ldap      Lightweight Directory Access Protocol (Proxy) backend
ldbm      Lightweight DBM backend
ldif      Lightweight Data Interchange Format backend
meta      Meta Directory backend
monitor   Monitor backend
passwd    Provides read-only access to passwd(5)
perl      Perl Programmable backend
shell     Shell (extern program) backend
sql       SQL Programmable backend

Example:

olcBackend: bdb

There are no other directives defined for this entry. Specific backend types may define additional attributes for their particular use, but so far none have ever been defined. As such, these entries usually do not appear in any actual configurations.

Sample Entry

dn: olcBackend=bdb,cn=config
objectClass: olcBackendConfig
olcBackend: bdb

Database-specific Directives

Directives in this section are supported by every type of database. Database entries must have the olcDatabaseConfig objectClass.

olcDatabase: [{<index>}]<type>

This directive names a specific database instance. The numeric {<index>} may be provided to distinguish multiple databases of the same type. Usually the index can be omitted, and slapd will generate it automatically. <type> should be one of the supported backend types listed in Table 5.2 or the frontend type.

The frontend is a special database that is used to hold database-level options that should be applied to all the other databases. Subsequent database definitions may also override some frontend settings.

The config database is also special; both the config and the frontend databases are always created implicitly even if they are not explicitly configured, and they are created before any other databases.

Example:

olcDatabase: bdb

This marks the beginning of a new BDB database instance.

olcAccess: to <what> [ by <who> <accesslevel> <control> ]+

This directive grants access (specified by <accesslevel>) to a set of entries and/or attributes (specified by <what>) by one or more requesters (specified by <who>). See the Access Control section of this chapter for a summary of basic usage.

Note: If no olcAccess directives are specified, the default access control policy, to * by * read, allows all users (both authenticated and anonymous) read access. Do not rely on this default for a production directory; define explicit olcAccess rules for each database.

Note: Access controls defined in the frontend are appended to all other databases' controls.


olcReadOnly: TRUE | FALSE

This directive puts the database into "read-only" mode. Any attempts to modify the database will return an "unwilling to perform" error.

Default:

olcReadOnly: FALSE

olcReplica

olcReplica: uri=ldap[s]://<hostname>[:<port>] | host=<hostname>[:<port>]
        [bindmethod={simple|sasl}]
        ["binddn=<DN>"]
        [saslmech=<mech>]
        [authcid=<identity>]
        [authzid=<identity>]
        [credentials=<password>]

This directive specifies a replication site for this database for use with slurpd. The uri= parameter specifies a scheme, a host and optionally a port where the slave slapd instance can be found. Either a domain name or IP address may be used for <hostname>. If <port> is not given, the standard LDAP port number (389 or 636) is used.

host is deprecated in favor of the uri parameter.

uri allows the replica LDAP server to be specified as an LDAP URI such as ldap://slave.example.com:389 or ldaps://slave.example.com:636.

The binddn= parameter gives the DN to bind as for updates to the slave slapd. It should be a DN which has read/write access to the slave slapd's database. It must also match the updatedn directive in the slave slapd's config file. Generally, this DN should not be the same as the rootdn of the master database. Since DNs are likely to contain embedded spaces, the entire "binddn=<DN>" string should be enclosed in double quotes.

The bindmethod is simple or sasl, depending on whether simple password-based authentication or SASL authentication is to be used when connecting to the slave slapd.

Simple authentication should not be used unless adequate data integrity and confidentiality protections are in place (e.g. TLS or IPsec); otherwise the credentials travel in the clear. Simple authentication requires specification of the binddn and credentials parameters.

SASL authentication is generally recommended. SASL authentication requires specification of a mechanism using the saslmech parameter. Depending on the mechanism, an authentication identity and/or credentials can be specified using authcid and credentials respectively. The authzid parameter may be used to specify an authorization identity.

See the chapter entitled Replication with slurpd for more information on how to use this directive.

olcReplogfile: <filename>

This directive specifies the name of the replication log file to which slapd will log changes. The replication log is typically written by slapd and read by slurpd. Normally, this directive is only used if slurpd is being used to replicate the database. However, you can also use it to generate a transaction log if slurpd is not running. In this case, you will need to periodically truncate the file, since it will grow indefinitely otherwise.

See the chapter entitled Replication with slurpd for more information on how to use this directive.

olcRootDN: <DN>

This directive specifies the DN that is not subject to access control or administrative limit restrictions for operations on this database. The DN need not refer to an entry in this database or even in the directory. The DN may refer to a SASL identity.

Entry-based Example:

olcRootDN: "cn=Manager,dc=example,dc=com"

SASL-based Example:

olcRootDN: "uid=root,cn=example.com,cn=digest-md5,cn=auth"

See the SASL Authentication section for information on SASL authentication identities.

olcRootPW: <password>

This directive can be used to specify a password for the rootdn (when the rootdn is set to a DN within the database).

Example:

olcRootPW: secret

It is also permissible, and preferable, to provide a hash of the password in RFC 2307 form rather than the cleartext value. slappasswd(8) may be used to generate the password hash.

Example:

olcRootPW: {SSHA}ZKKuqbEKJfKSXhUbHG3fG8MDn9j1v4QN

The hash was generated using the command slappasswd -s secret. Note that this value is stored in the slapd.d files of the config database, so that directory must be protected as carefully as the password itself.
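The {SSHA} format above is simple enough to reproduce, which helps when you need to generate or check olcRootPW values on a host without slappasswd(8). The following Python is an added example, not code from the OpenLDAP Admin Guide or from slappasswd; it assumes the scheme slappasswd emits by default, {SSHA} = base64(SHA-1(password || salt) || salt) with a 4-byte random salt.

```python
"""Create and check RFC 2307 style {SSHA} olcRootPW values.

Added example, not part of the OpenLDAP Admin Guide or of slappasswd(8).
Assumes the default slappasswd scheme: {SSHA} = base64(SHA-1(password ||
salt) || salt), salt being 4 random bytes.
"""
import base64
import hashlib
import hmac
import os


def make_ssha(password, salt=None):
    """Return an olcRootPW value for password; salt defaults to 4 random bytes."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored, password):
    """Check password against a {SSHA} value; any other scheme is rejected."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except (ValueError, TypeError):
        return False
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    if len(digest) != 20:
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


if __name__ == "__main__":
    value = make_ssha("secret")
    print("olcRootPW:", value)
    print("verify 'secret':", verify_ssha(value, "secret"))  # True
    print("verify 'Secret':", verify_ssha(value, "Secret"))  # False
```

slappasswd -h '{SSHA}' -s secret produces the same layout. Keep in mind that {SSHA} is a single unsalted-iteration SHA-1, cheap to brute force offline if the slapd.d files leak, so choose a long random rootpw and keep the config directory unreadable to other users.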

olcSizeLimit: <integer>

This directive specifies the maximum number of entries to return from a search operation.

Default:

olcSizeLimit: 500

olcSuffix: <dn suffix>

This directive specifies the DN suffix of queries that will be passed to this backend database. Multiple suffix lines can be given, and usually at least one is required for each database definition. (Some backend types, such as frontend and monitor, use a hard-coded suffix which may not be overridden in the configuration.)

Example:

olcSuffix: "dc=example,dc=com"

Queries with a DN ending in "dc=example,dc=com" will be passed to this backend.

Note: When the backend to pass a query to is selected, slapd looks at the suffix value(s) in each database definition in the order in which they were configured. Thus, if one database suffix is a prefix of another, it must appear after it in the configuration. For example, a database with suffix dc=example,dc=com must be defined after one with suffix ou=people,dc=example,dc=com, or the latter would never be selected.


olcSyncrepl

olcSyncrepl: rid=<replica ID>
        provider=ldap[s]://<hostname>[:port]
        [type=refreshOnly|refreshAndPersist]
        [interval=dd:hh:mm:ss]
        [retry=[<retry interval> <# of retries>]+]
        [searchbase=<base DN>]
        [filter=<filter str>]
        [scope=sub|one|base]
        [attrs=<attr list>]
        [attrsonly]
        [sizelimit=<limit>]
        [timelimit=<limit>]
        [schemachecking=on|off]
        [bindmethod=simple|sasl]
        [binddn=<DN>]
        [saslmech=<mech>]
        [authcid=<identity>]
        [authzid=<identity>]
        [credentials=<passwd>]
        [realm=<realm>]
        [secprops=<properties>]

This directive specifies the current database as a replica of the master content by establishing the current slapd(8) as a replication consumer site running a syncrepl replication engine. The master database is located at the replication provider site specified by the provider parameter. The replica database is kept up-to-date with the master content using the LDAP Content Synchronization protocol. See draft-zeilenga-ldup-sync-xx.txt (a work in progress when this chapter was written, since published as RFC 4533) for more information on the protocol.

The rid parameter is used for identification of the current syncrepl directive within the replication consumer server, where <replica ID> uniquely identifies the syncrepl specification described by the current syncrepl directive. <replica ID> is non-negative and is no more than three decimal digits in length.

The provider parameter specifies the replication provider site containing the master content as an LDAP URI. The provider parameter specifies a scheme, a host and optionally a port where the provider slapd instance can be found. Either a domain name or IP address may be used for <hostname>. Examples are ldap://provider.example.com:389 or ldaps://192.168.1.1:636. If <port> is not given, the standard LDAP port number (389 or 636) is used. Note that syncrepl uses a consumer-initiated protocol, and hence its specification is located at the consumer site, whereas the replica specification is located at the provider site. The syncrepl and replica directives define two independent replication mechanisms. They do not represent the replication peers of each other.

The content of the syncrepl replica is defined using a search specification as its result set. The consumer slapd will send search requests to the provider slapd according to the search specification. The search specification includes the searchbase, scope, filter, attrs, attrsonly, sizelimit, and timelimit parameters, as in a normal search specification. The syncrepl search specification has the same value syntax and the same default values as the ldapsearch(1) client search tool.

The LDAP Content Synchronization protocol has two operation types: refreshOnly and refreshAndPersist. The operation type is specified by the type parameter. In the refreshOnly operation, the next synchronization search operation is periodically rescheduled at an interval time after each synchronization operation finishes. The interval is specified by the interval parameter. It is set to one day by default. In the refreshAndPersist operation, a synchronization search remains persistent in the provider slapd. Further updates to the master replica will generate searchResultEntry messages to the consumer slapd as the search responses to the persistent synchronization search.

If an error occurs during replication, the consumer will attempt to reconnect according to the retry parameter, which is a list of <retry interval> and <# of retries> pairs. For example, retry="60 10 300 3" lets the consumer retry every 60 seconds for the first 10 times and then retry every 300 seconds for the next three times before it stops retrying. A + in <# of retries> means an indefinite number of retries until success.
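To see exactly how a retry= string is consumed, here is a small Python model of the schedule. It is an added example, not part of the Admin Guide or of slapd's syncrepl code, and it treats pairs listed after a "+" count as an error because they could never be reached (the example's own choice, not documented slapd behaviour).

```python
"""Model the syncrepl retry= schedule.

Added example, not from the OpenLDAP Admin Guide or from slapd. Pairs listed
after a '+' count are rejected here because they could never be reached; that
is this example's choice, not documented slapd behaviour.
"""


def parse_retry(spec):
    """Return [(interval_seconds, count)] with count None for '+' (unbounded)."""
    tokens = spec.split()
    if not tokens or len(tokens) % 2:
        raise ValueError("retry= needs <interval> <count> pairs: %r" % spec)
    pairs = []
    for interval, count in zip(tokens[::2], tokens[1::2]):
        pairs.append((int(interval), None if count == "+" else int(count)))
        if count == "+" and len(pairs) * 2 < len(tokens):
            raise ValueError("pairs after '+' are unreachable: %r" % spec)
    return pairs


def delay_before_attempt(spec, n):
    """Seconds the consumer waits before reconnect attempt n (0-based), or None
    once every pair is exhausted and the consumer stops retrying."""
    for interval, count in parse_retry(spec):
        if count is None or n < count:
            return interval
        n -= count
    return None


def total_attempts(spec):
    """Reconnects made before giving up, or None when a '+' makes it unbounded."""
    counts = [count for _, count in parse_retry(spec)]
    return None if None in counts else sum(counts)


if __name__ == "__main__":
    for spec in ("60 10 300 3", "60 +"):
        delays = [delay_before_attempt(spec, n) for n in range(14)]
        print(spec, "->", total_attempts(spec), "attempts; delays:", delays)
```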

Schema checking can be enforced at the LDAP Sync consumer site by turning on the schemachecking parameter. If it is turned on, every replicated entry will be checked for schema conformance as the entry is stored into the replica content. Every entry in the replica should contain those attributes required by the schema definition. If it is turned off, entries will be stored without checking schema conformance. The default is off.

The binddn parameter gives the DN to bind as for the syncrepl searches to the provider slapd. It should be a DN which has read access to the replication content in the master database; use a dedicated identity with read access only rather than the rootdn.

The bindmethod is simple or sasl, depending on whether simple password-based authentication or SASL authentication is to be used when connecting to the provider slapd.

Simple authentication should not be used unless adequate data integrity and confidentiality protections are in place (e.g. TLS or IPsec); otherwise the credentials travel in the clear. Simple authentication requires specification of the binddn and credentials parameters.
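The ordering and credential rules spread through this chapter (LDIF continuation lines, the numeric {X} index, the default to * by * read policy, cleartext olcRootPW values, suffix ordering, and simple binds for olcReplica or olcSyncrepl over plain ldap://) are easy to get wrong when hand-editing slapd.d. The following Python script is an added example, not an OpenLDAP tool: it parses a cn=config LDIF export (such as slapcat -n 0 produces) and reports those mistakes. SAMPLE_LDIF is constructed for the demonstration; the script assumes that an omitted {X} index means "next in file order", that a replication spec without bindmethod= is a simple bind, and it leaves the config and frontend databases out of the default-ACL check.

```python
"""Lint a cn=config LDIF export for the pitfalls this chapter describes.

Added example, not code from the OpenLDAP project. SAMPLE_LDIF is constructed.
Assumptions: an omitted {X} index means "next in file order", a replication
spec without bindmethod= is a simple bind, and the config and frontend
databases are left out of the default-ACL check. '::' base64 values are not
handled.
"""
import re
import shlex


def parse_ldif(text):
    """[(dn, {attr: [values]})] per the LDIF rules in the chapter: '#' lines are
    comments, a line starting with one space continues the previous line (the
    space is dropped, even after a comment), blank lines separate entries."""
    entries, logical = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw == "":
            if logical:
                entries.append(_entry(logical))
                logical = []
        else:
            logical.append(raw)
    return entries


def _entry(lines):
    dn, attrs = None, {}
    for name, _, value in (l.partition(":") for l in lines if not l.startswith("#")):
        if name == "dn":
            dn = value.strip()
        else:
            attrs.setdefault(name, []).append(value.strip())
    return dn, attrs


def is_superior(parent, child):
    """True when child lies strictly below parent in the DIT (case and spacing ignored)."""
    norm = lambda dn: ",".join(p.strip().lower() for p in dn.strip('"').split(","))
    parent, child = norm(parent), norm(child)
    return child != parent and child.endswith("," + parent)


def lint(text):
    """Return [(code, dn, message)] for each problem found."""
    findings, dbs = [], []
    for dn, attrs in parse_ldif(text):
        for value in attrs.get("olcDatabase", []):
            m = re.match(r"^(?:\{(-?\d+)\})?(\w+)$", value)
            if m:  # omitted index: assume next in file order
                idx = int(m.group(1)) if m.group(1) else len(dbs)
                dbs.append((idx, m.group(2), dn, attrs))
    dbs.sort(key=lambda d: d[0])  # the order in which slapd consults them
    frontend_acl = any(t == "frontend" and a.get("olcAccess") for _, t, _, a in dbs)
    for pos, (_, dbtype, dn, attrs) in enumerate(dbs):
        for pw in attrs.get("olcRootPW", []):
            if not re.match(r"^\{[A-Za-z0-9-]+\}", pw):  # no {SCHEME} prefix
                findings.append(("cleartext-rootpw", dn, "olcRootPW is cleartext; store a slappasswd hash"))
        if dbtype not in ("frontend", "config") and not attrs.get("olcAccess") and not frontend_acl:
            findings.append(("default-access", dn, "no olcAccess: default 'to * by * read' allows anonymous read"))
        # A broader suffix listed before a narrower one captures the latter's queries.
        for suffix in attrs.get("olcSuffix", []):
            for _, _, later_dn, later in dbs[pos + 1:]:
                for other in later.get("olcSuffix", []):
                    if is_superior(suffix, other):
                        findings.append(("suffix-order", dn, "suffix %s precedes its subordinate %s (%s)" % (suffix, other, later_dn)))
        for attr in ("olcSyncrepl", "olcReplica"):
            for spec in attrs.get(attr, []):
                params = dict(t.partition("=")[::2] for t in shlex.split(spec))
                url = params.get("provider") or params.get("uri", "")
                if params.get("bindmethod", "simple") == "simple" and url.startswith("ldap://"):
                    findings.append(("simple-bind", dn, "%s simple bind over %s: needs TLS or IPsec" % (attr, url)))
    return findings


SAMPLE_LDIF = """\
# constructed sample, not a real server's configuration
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {-1}frontend

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: secret

dn: olcDatabase={1}bdb,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}bdb
olcSuffix: dc=example,dc=com
olcRootPW: {SSHA}ZKKuqbEKJfKSXhUbHG3fG8MDn9j1v4QN
olcSyncrepl: rid=001 provider=ldap://provider.example.com:389
  bindmethod=simple binddn="cn=replicator,dc=example,dc=com"
  credentials=replpw searchbase="dc=example,dc=com"

dn: olcDatabase={2}bdb,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {2}bdb
olcSuffix: ou=people,dc=example,dc=com
olcAccess: to * by * none
"""

if __name__ == "__main__":
    for code, dn, msg in lint(SAMPLE_LDIF):
        print("%-17s %s: %s" % (code, dn, msg))
```

Run against a real export (slapcat -n 0 > config.ldif, then lint(open("config.ldif").read())). The sample produces four findings: the cleartext rootpw on the config database, and on {1}bdb the missing olcAccess, the suffix that shadows {2}bdb, and the simple bind over ldap://.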

SASL authentication is generally recommended. SASL authentication requires specification of a mechanism using the saslmech parameter. Depending on the mechanism, an authentication identity and/or credentials can be specified using authcid and credentials, respectively. The authzid parameter may be used to specify an authorization identity.

The realm parameter specifies a realm within which certain mechanisms authenticate the identity. The secprops parameter specifies Cyrus SASL security properties.

The syncrepl replication mechanism is supported by the three native backends: back-bdb, back-hdb, and back-ldbm.

See the LDAP Sync Replication chapter of the admin guide for more information on how to use this directive.

olcTimeLimit: <integer>

This directive specifies the maximum number of seconds (in real time) slapd will spend answering a search request. If a request is not finished in this time, a result indicating an exceeded timelimit will be returned.
该指令说明了 slapd 在应答搜索请求时花费的最长秒数(真实时间)。如果一个请求在该时间内没有完成将会返回一个表示超时的结果。

Default:

olcTimeLimit: 3600
olcUpdateDN: <DN>

This directive is only applicable in a slave slapd. It specifies the DN allowed to make changes to the replica. This may be the DN slurpd(8) binds as when making changes to the replica or the DN associated with a SASL identity.
本指令只适用于从 slapd。它指定了允许对副本进行改变的 DN。这可能是 slurpd(8) 在改变复本时所绑定的 DN,或是与 SASL ID 相关联的 DN。

Entry-based Example:

olcUpdateDN: "cn=Update Daemon,dc=example,dc=com"

SASL-based Example:

olcUpdateDN: "uid=slurpd,cn=example.com,cn=digest-md5,cn=auth"

See the Replication with slurpd chapter for more information on how to use this directive.

olcUpdateref: <URL>

This directive is only applicable in a slave slapd. It specifies the URL to return to clients which submit update requests upon the replica. If specified multiple times, each URL is provided.

Example:

olcUpdateref:   ldap://master.example.net

Sample Entries

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
olcReadOnly: FALSE

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcRootDN: cn=Manager,dc=example,dc=com

BDB and HDB Database Directives

Directives in this category apply to both the BDB and the HDB database. They are used in an olcDatabase entry in addition to the generic database directives defined above. For a complete reference of BDB/HDB configuration directives, see slapd-bdb(5). In addition to the olcDatabaseConfig objectClass, BDB and HDB database entries must have the olcBdbConfig and olcHdbConfig objectClass, respectively.

olcDbDirectory: <directory>

This directive specifies the directory where the BDB files containing the database and associated indices live.

Default:

olcDbDirectory: /usr/local/var/openldap-data

olcDbCachesize: <integer>

This directive specifies the size in entries of the in-memory cache maintained by the BDB backend database instance.

Default:

olcDbCachesize: 1000

olcDbCheckpoint: <kbyte> <min>

This directive specifies how often to checkpoint the BDB transaction log. A checkpoint operation flushes the database buffers to disk and writes a checkpoint record in the log. The checkpoint will occur if either <kbyte> data has been written or <min> minutes have passed since the last checkpoint. Both arguments default to zero, in which case they are ignored. When the <min> argument is non-zero, an internal task will run every <min> minutes to perform the checkpoint. See the Berkeley DB reference guide for more details.

Example:

olcDbCheckpoint: 1024 10
olcDbConfig: <DB_CONFIG setting>

This attribute specifies a configuration directive to be placed in the DB_CONFIG file of the database directory. At server startup time, if no such file exists yet, the DB_CONFIG file will be created and the settings in this attribute will be written to it. If the file exists, its contents will be read and displayed in this attribute. The attribute is multi-valued, to accommodate multiple configuration directives. No default is provided, but it is essential to use proper settings here to get the best server performance.

Example:

olcDbConfig: set_cachesize 0 10485760 0
olcDbConfig: set_lg_bsize 2097152
olcDbConfig: set_lg_dir /var/tmp/bdb-log
olcDbConfig: set_flags DB_LOG_AUTOREMOVE

In this example, the BDB cache is set to 10MB, the BDB transaction log buffer size is set to 2MB, and the transaction log files are to be stored in the /var/tmp/bdb-log directory. Also a flag is set to tell BDB to delete transaction log files as soon as their contents have been checkpointed and they are no longer needed. Without this setting the transaction log files will continue to accumulate until some other cleanup procedure removes them. See the SleepyCat documentation for the db_archive command for details.

Ideally the BDB cache must be at least as large as the working set of the database, the log buffer size should be large enough to accommodate most transactions without overflowing, and the log directory must be on a separate physical disk from the main database files. Both the database directory and the log directory should also be separate from disks used for regular system activities such as the root, boot, or swap filesystems. See the FAQ-o-Matic and the SleepyCat documentation for more details.

olcDbNosync: { TRUE | FALSE }

This option causes on-disk database contents to not be immediately synchronized with in-memory changes upon change. Setting this option to TRUE may improve performance at the expense of data integrity. This directive has the same effect as using

olcDbConfig: set_flags DB_TXN_NOSYNC

olcDbIDLcacheSize: <integer>

Specify the size of the in-memory index cache, in index slots. The default is zero. A larger value will speed up frequent searches of indexed entries. The optimal size will depend on the data and search characteristics of the database, but using a number three times the entry cache size is a good starting point.

Example:

olcDbIDLcacheSize: 3000
olcDbIndex: {<attrlist> | default} [pres,eq,approx,sub,none]

This directive specifies the indices to maintain for the given attribute. If only an <attrlist> is given, the default indices are maintained.

Example:

olcDbIndex: default pres,eq
olcDbIndex: uid
olcDbIndex: cn,sn pres,eq,sub
olcDbIndex: objectClass eq

The first line sets the default set of indices to maintain to present and equality. The second line causes the default (pres,eq) set of indices to be maintained for the uid attribute type. The third line causes present, equality, and substring indices to be maintained for the cn and sn attribute types. The fourth line causes an equality index for the objectClass attribute type.

By default, no indices are maintained. It is generally advised that minimally an equality index upon objectClass be maintained.

olcDbIndex: objectClass eq

If this setting is changed while slapd is running, an internal task will be run to generate the changed index data. All server operations can continue as normal while the indexer does its work. If slapd is stopped before the index task completes, indexing will have to be manually completed using the slapindex tool.
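As an added example (not code from the OpenLDAP project or from this page), the following Python resolves a list of olcDbIndex values into the effective index types per attribute using the rule just described: a line that names attributes without index types receives the current default set, and a default line changes that set for the lines after it. The objectClass check reflects the advice above; the four input lines are the page's own example, and the "none" handling (clearing the index set) is an assumption of this model.

```python
"""Resolve olcDbIndex values into the effective index types per attribute.
Added example, not OpenLDAP code: it mirrors the rule stated above that a line
naming attributes without index types gets the current 'default' set."""
from typing import Dict, List, Optional, Set, Tuple

INDEX_TYPES = {"pres", "eq", "approx", "sub", "none"}


def parse_index_line(line: str) -> Tuple[List[str], Optional[Set[str]]]:
    """Split 'olcDbIndex: <attrlist> [types]' into (attributes, types or None)."""
    _, _, value = line.partition(":")
    parts = value.split()
    if not parts:
        raise ValueError(f"empty olcDbIndex value in {line!r}")
    attrs = [a for a in parts[0].split(",") if a]
    if len(parts) == 1:
        return attrs, None                      # "the default indices are maintained"
    types = {t for t in parts[1].split(",") if t}
    unknown = types - INDEX_TYPES
    if unknown:
        raise ValueError(f"unknown index type(s) {sorted(unknown)} in {line!r}")
    return attrs, types


def resolve_indices(lines: List[str]) -> Dict[str, Set[str]]:
    """Effective index types per attribute, keyed by lower-cased attribute name
    (LDAP attribute names are case-insensitive). A 'default' line changes the set
    used by later attribute-only lines; until one is seen, that set is empty.
    'none' is modelled (an assumption) as clearing the set for that attribute."""
    default: Set[str] = set()
    effective: Dict[str, Set[str]] = {}
    for line in lines:
        attrs, types = parse_index_line(line)
        if attrs == ["default"]:
            if types is None:
                raise ValueError("'default' needs an explicit list of index types")
            default = types
            continue
        chosen = default if types is None else types
        for attr in attrs:
            effective[attr.lower()] = set() if "none" in chosen else set(chosen)
    return effective


def missing_objectclass_eq(effective: Dict[str, Set[str]]) -> bool:
    """True when the equality index on objectClass recommended above is absent."""
    return "eq" not in effective.get("objectclass", set())


# The four olcDbIndex lines from the example in the text.
EXAMPLE_LINES = [
    "olcDbIndex: default pres,eq",
    "olcDbIndex: uid",
    "olcDbIndex: cn,sn pres,eq,sub",
    "olcDbIndex: objectClass eq",
]

if __name__ == "__main__":
    for attr, types in resolve_indices(EXAMPLE_LINES).items():
        print(f"{attr}: {','.join(sorted(types))}")
```

Running it on the page's four lines gives uid: eq,pres; cn and sn: eq,pres,sub; objectclass: eq, which is what the prose above describes line by line.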

olcDbLinearIndex: { TRUE | FALSE }

If this setting is TRUE slapindex will index one attribute at a time. The default setting is FALSE, in which case all indexed attributes of an entry are processed at the same time. When enabled, each indexed attribute is processed individually, using multiple passes through the entire database. This option improves slapindex performance when the database size exceeds the BDB cache size. When the BDB cache is large enough, this option is not needed and will decrease performance. Also by default, slapadd performs full indexing and so a separate slapindex run is not needed. With this option, slapadd does no indexing and slapindex must be used.

olcDbMode: <integer>

This directive specifies the file protection mode that newly created database index files should have.

Default:

olcDbMode: 0600

olcDbSearchStack: <integer>

Specify the depth of the stack used for search filter evaluation. Search filters are evaluated on a stack to accommodate nested AND / OR clauses. An individual stack is allocated for each server thread. The depth of the stack determines how complex a filter can be evaluated without requiring any additional memory allocation. Filters that are nested deeper than the search stack depth will cause a separate stack to be allocated for that particular search operation. These separate allocations can have a major negative impact on server performance, but specifying too much stack will also consume a great deal of memory. Each search uses 512K bytes per level on a 32-bit machine, or 1024K bytes per level on a 64-bit machine. The default stack depth is 16, thus 8MB or 16MB per thread is used on 32 and 64 bit machines, respectively. Also the 512KB size of a single stack slot is set by a compile-time constant which may be changed if needed; the code must be recompiled for the change to take effect.

Default:

olcDbSearchStack: 16
olcDbShmKey: <integer>

Specify a key for a shared memory BDB environment. By default the BDB environment uses memory mapped files. If a non-zero value is specified, it will be used as the key to identify a shared memory region that will house the environment.

Example:

olcDbShmKey: 42

Sample Entry

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: "dc=example,dc=com"
olcDbDirectory: /usr/local/var/openldap-data
olcDbCacheSize: 1000
olcDbCheckpoint: 1024 10
olcDbConfig: set_cachesize 0 10485760 0
olcDbConfig: set_lg_bsize 2097152
olcDbConfig: set_lg_dir /var/tmp/bdb-log
olcDbConfig: set_flags DB_LOG_AUTOREMOVE
olcDbIDLcacheSize: 3000
olcDbIndex: objectClass eq

Access Control

Access to slapd entries and attributes is controlled by the olcAccess attribute, whose values are a sequence of access directives. The general form of the olcAccess configuration is:

olcAccess: <access directive>
<access directive> ::= to <what>
[by <who> <access> <control>]+
<what> ::= * |
[dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
[filter=<ldapfilter>] [attrs=<attrlist>]
<basic-style> ::= regex | exact
<scope-style> ::= base | one | subtree | children
<attrlist> ::= <attr> [val[.<basic-style>]=<regex>] | <attr> , <attrlist>
<attr> ::= <attrname> | entry | children
<who> ::= * | [anonymous | users | self
| dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
[dnattr=<attrname>]
[group[/<objectclass>[/<attrname>][.<basic-style>]]=<regex>]
[peername[.<basic-style>]=<regex>]
[sockname[.<basic-style>]=<regex>]
[domain[.<basic-style>]=<regex>]
[sockurl[.<basic-style>]=<regex>]
[set=<setspec>]
[aci=<attrname>]
<access> ::= [self]{<level>|<priv>}
<level> ::= none | auth | compare | search | read | write
<priv> ::= {=|+|-}{w|r|s|c|x|0}+
<control> ::= [stop | continue | break]

where the <what> part selects the entries and/or attributes to which the access applies, the <who> part specifies which entities are granted access, and the <access> part specifies the access granted. Multiple <who> <access> <control> triplets are supported, allowing many entities to be granted different access to the same set of entries and attributes. Not all of these access control options are described here; for more details see the slapd.access(5) man page.

What to control access to

The <what> part of an access specification determines the entries and attributes to which the access control applies. Entries are commonly selected in two ways: by DN and by filter. The following qualifiers select entries by DN:

to *
to dn[.<basic-style>]=<regex>
to dn.<scope-style>=<DN>

The first form is used to select all entries. The second form may be used to select entries by matching a regular expression against the target entry's normalized DN. (The second form is not discussed further in this document.) The third form is used to select entries which are within the requested scope of DN. The <DN> is a string representation of the Distinguished Name, as described in RFC2253.

The scope can be either base, one, subtree, or children. Where base matches only the entry with provided DN, one matches the entries whose parent is the provided DN, subtree matches all entries in the subtree whose root is the provided DN, and children matches all entries under the DN (but not the entry named by the DN).

For example, if the directory contained entries named:

0: o=suffix
1: cn=Manager,o=suffix
2: ou=people,o=suffix
3: uid=kdz,ou=people,o=suffix
4: cn=addresses,uid=kdz,ou=people,o=suffix
5: uid=hyc,ou=people,o=suffix

Then:

dn.base="ou=people,o=suffix" matches 2;
dn.one="ou=people,o=suffix" matches 3 and 5;
dn.subtree="ou=people,o=suffix" matches 2, 3, 4, and 5; and
dn.children="ou=people,o=suffix" matches 3, 4, and 5.

Entries may also be selected using a filter:

to filter=<ldap filter>

where <ldap filter> is a string representation of an LDAP search filter, as described in RFC2254. For example:

to filter=(objectClass=person)

Note that entries may be selected by both DN and filter by including both qualifiers in the <what> clause.

to dn.one="ou=people,o=suffix" filter=(objectClass=person)

Attributes within an entry are selected by including a comma-separated list of attribute names in the <what> selector:

attrs=<attribute list>

A specific value of an attribute is selected by using a single attribute name and also using a value selector:

attrs=<attribute> val[.<style>]=<regex>

There are two special pseudo attributes entry and children. To read (and hence return) a target entry, the subject must have read access to the target's entry attribute. To add or delete an entry, the subject must have write access to the entry's entry attribute AND must have write access to the entry's parent's children attribute. To rename an entry, the subject must have write access to entry's entry attribute AND have write access to both the old parent's and new parent's children attributes. The complete examples at the end of this section should help clear things up.

Lastly, there is a special entry selector "*" that is used to select any entry. It is used when no other <what> selector has been provided. It is equivalent to "dn=.*".

Who to grant access to

The <who> part identifies the entity or entities being granted access. Note that access is granted to "entities" not "entries." The following table summarizes entity specifiers:

Table 5.3: Access Entity Specifiers

Specifier                    Entities
*                            All, including anonymous and authenticated users
anonymous                    Anonymous (non-authenticated) users
users                        Authenticated users
self                         User associated with target entry
dn[.<basic-style>]=<regex>   Users matching a regular expression
dn.<scope-style>=<DN>        Users within scope of a DN

The DN specifier behaves much like <what> clause DN specifiers.

Other control factors are also supported. For example, a <who> can be restricted by an entry listed in a DN-valued attribute in the entry to which the access applies:

dnattr=<dn-valued attribute name>

The dnattr specification is used to give access to an entry whose DN is listed in an attribute of the entry (e.g., give access to a group entry to whoever is listed as the owner of the group entry).

Some factors may not be appropriate in all environments (or any). For example, the domain factor relies on IP to domain name lookups. As these can easily be spoofed, the domain factor should be avoided.

The access to grant

The kind of <access> granted can be one of the following:

Table 5.4: Access Levels

Level     Privileges   Description
none      =0           no access
auth      =x           needed to bind
compare   =cx          needed to compare
search    =scx         needed to apply search filters
read      =rscx        needed to read search results
write     =wrscx       needed to modify/rename


Each level implies all lower levels of access. So, for example, granting someone write access to an entry also grants them read, search, compare, and auth access. However, one may use the privileges specifier to grant specific permissions.

Access Control Evaluation

When evaluating whether some requester should be given access to an entry and/or attribute, slapd compares the entry and/or attribute to the <what> selectors given in the configuration. For each entry, access controls provided in the database which holds the entry (or the first database if not held in any database) apply first, followed by the global access directives (which are held in the frontend database definition). Within this priority, access directives are examined in the order in which they appear in the configuration attribute. Slapd stops with the first <what> selector that matches the entry and/or attribute. The corresponding access directive is the one slapd will use to evaluate access.

Next, slapd compares the entity requesting access to the <who> selectors within the access directive selected above in the order in which they appear. It stops with the first <who> selector that matches the requester. This determines the access the entity requesting access has to the entry and/or attribute.

Finally, slapd compares the access granted in the selected <access> clause to the access requested by the client. If it allows greater or equal access, access is granted. Otherwise, access is denied.

The order of evaluation of access directives makes their placement in the configuration file important. If one access directive is more specific than another in terms of the entries it selects, it should appear first in the configuration. Similarly, if one <who> selector is more specific than another it should come first in the access directive. The access control examples given below should help make this clear.

Access Control Examples

The access control facility described above is quite powerful. This section shows some examples of its use for descriptive purposes.

A simple example:

olcAccess: to * by * read

This access directive grants read access to everyone.

olcAccess: to *
    by self write
    by anonymous auth
    by * read

This directive allows the user to modify their entry, allows anonymous to authenticate against these entries, and allows all others to read these entries. Note that only the first by <who> clause which matches applies. Hence, the anonymous users are granted auth, not read. The last clause could just as well have been "by users read".

It is often desirable to restrict operations based upon the level of protection in place. The following shows how security strength factors (SSF) can be used.

olcAccess: to *
    by ssf=128 self write
    by ssf=64 anonymous auth
    by ssf=64 users read

This directive allows users to modify their own entries if security protections of strength 128 or better have been established, allows authentication access to anonymous users, and read access when strength 64 or better security protections have been established. If the client has not established sufficient security protections, the implicit by * none clause would be applied.

The following example shows the use of style specifiers to select the entries by DN in two access directives where ordering is significant.

olcAccess: to dn.children="dc=example,dc=com"
    by * search
olcAccess: to dn.children="dc=com"
    by * read

Read access is granted to entries under the dc=com subtree, except for those entries under the dc=example,dc=com subtree, to which search access is granted. No access is granted to dc=com as neither access directive matches this DN. If the order of these access directives was reversed, the trailing directive would never be reached, since all entries under dc=example,dc=com are also under dc=com entries.

Also note that if no olcAccess: to directive matches or no by <who> clause, access is denied. That is, every olcAccess: to directive ends with an implicit by * none clause and every access list ends with an implicit olcAccess: to * by * none directive.

The next example again shows the importance of ordering, both of the access directives and the by <who> clauses. It also shows the use of an attribute selector to grant access to a specific attribute and various <who> selectors.

olcAccess: to dn.subtree="dc=example,dc=com" attr=homePhone
    by self write
    by dn.children="dc=example,dc=com" search
    by peername.regex=IP:10\..+ read
olcAccess: to dn.subtree="dc=example,dc=com"
    by self write
    by dn.children="dc=example,dc=com" search
    by anonymous auth

This example applies to entries in the "dc=example,dc=com" subtree. To all attributes except homePhone, an entry can write to itself, entries under example.com can search them, and anybody else has no access (implicit by * none) except for authentication/authorization (which is always done anonymously). The homePhone attribute is writable by the entry, searchable by entries under example.com, readable by clients connecting from network 10, and otherwise not readable (implicit by * none). All other access is denied by the implicit access to * by * none.

Sometimes it is useful to permit a particular DN to add or remove itself from an attribute. For example, if you would like to create a group and allow people to add and remove only their own DN from the member attribute, you could accomplish it with an access directive like this:

olcAccess: to attr=member,entry
    by dnattr=member selfwrite

The dnattr <who> selector says that the access applies to entries listed in the member attribute. The selfwrite access selector says that such members can only add or delete their own DN from the attribute, not other values. The addition of the entry attribute is required because access to the entry is required to access any of the entry's attributes.
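The scope matching, evaluation order and examples above can be checked against a small model. The following Python is an added example, not OpenLDAP code: it parses olcAccess values for the subset of the grammar this chapter uses (`*`, dn.<scope-style>=<DN> and attr[s]= in <what>; `*`, anonymous, users, self, dn.<scope-style>=<DN>, ssf= and peername.regex= in <who>; a level name as <access>) and applies them in the order described: database directives before the frontend's, first matching <what>, first matching <who>, implicit by * none. Filters, dnattr, group, set, selfwrite, the = privilege strings and the stop/continue/break controls are left out; DN normalisation ignores RFC 2253 escapes; and the constructed peername values use the IP:a.b.c.d shape of the page's regex, not necessarily the format a real slapd reports (see slapd.access(5)). The rule list is the homePhone example from the text.

```python
"""Model of slapd's access-control evaluation (added example, not OpenLDAP code).
Only the olcAccess subset used in this chapter is handled; see the lead-in."""
import re
import shlex
from dataclasses import dataclass

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # each implies the lower ones

def norm(dn: str) -> str:
    """Case-fold a DN and drop quotes and blanks around commas (no RFC 2253 escapes)."""
    return ",".join(p.strip().lower() for p in dn.strip().strip('"').split(","))

def dn_scope_match(style: str, base: str, dn: str) -> bool:
    """base / one / subtree / children, as described for the <what> clause above."""
    base, dn = norm(base), norm(dn)
    below = dn.endswith("," + base)                      # dn lies somewhere under base
    return {"base": dn == base,
            "subtree": dn == base or below,
            "children": below,
            "one": below and "," not in dn[: -len(base) - 1]}[style]   # parent is base

def parse_access(value: str):
    """olcAccess value -> (<what> qualifiers, [(<who> qualifiers, <level>), ...])."""
    # posix=False keeps quotes (norm strips them later) and the regex backslashes.
    toks = shlex.split(re.sub(r"^\{\d+\}", "", value.strip()), posix=False)
    if toks[:1] != ["to"] or "by" not in toks:
        raise ValueError(f"malformed olcAccess value: {value!r}")
    cut = toks.index("by")
    what, clauses, cur = toks[1:cut], [], []
    for t in toks[cut + 1:] + ["by"]:                    # sentinel flushes the last clause
        if t != "by":
            cur.append(t)
        elif len(cur) > 1 and cur[-1] in LEVELS:
            clauses.append((cur[:-1], cur[-1]))
            cur = []
        else:
            raise ValueError(f"bad 'by' clause {cur} in {value!r}")
    return what, clauses

@dataclass
class Request:
    bind_dn: str         # "" on an anonymous connection
    target_dn: str
    attr: str            # attribute name, or the pseudo-attribute "entry"
    level: str           # access level the operation needs
    ssf: int = 0
    peername: str = ""   # constructed "IP:a.b.c.d" form, matching the page's regex

def what_matches(what, r: Request) -> bool:
    for q in what:
        if q.startswith("dn."):
            style, _, base = q[3:].partition("=")
            if not dn_scope_match(style, base, r.target_dn):
                return False
        elif q.startswith(("attr=", "attrs=")):
            if r.attr.lower() not in q.split("=", 1)[1].lower().split(","):
                return False
        elif q != "*":
            raise ValueError(f"unsupported <what> qualifier {q!r}")
    return True

def who_matches(who, r: Request) -> bool:
    for q in who:
        if q == "*":
            ok = True
        elif q in ("anonymous", "users"):
            ok = bool(r.bind_dn) == (q == "users")
        elif q == "self":
            ok = bool(r.bind_dn) and norm(r.bind_dn) == norm(r.target_dn)
        elif q.startswith("dn."):
            style, _, base = q[3:].partition("=")
            ok = bool(r.bind_dn) and dn_scope_match(style, base, r.bind_dn)
        elif q.startswith("ssf="):
            ok = r.ssf >= int(q[4:])
        elif q.startswith("peername.regex="):
            ok = re.match(q[len("peername.regex="):], r.peername) is not None
        else:
            raise ValueError(f"unsupported <who> qualifier {q!r}")
        if not ok:
            return False
    return True

def evaluate(rule_sets, r: Request) -> bool:
    """rule_sets = [database olcAccess values, frontend olcAccess values], each in
    configuration order. The first matching <what> selects the directive and the
    first matching <who> the level; anything else hits the implicit 'by * none'
    (and, with no matching directive at all, the implicit 'to * by * none')."""
    for rules in rule_sets:
        for rule in rules:
            what, clauses = parse_access(rule)
            if not what_matches(what, r):
                continue
            for who, level in clauses:
                if who_matches(who, r):
                    return LEVELS.index(r.level) <= LEVELS.index(level)
            return False
    return False

# The homePhone example from the text, as a database's ordered olcAccess values.
EXAMPLE_RULES = [
    'to dn.subtree="dc=example,dc=com" attr=homePhone by self write'
    ' by dn.children="dc=example,dc=com" search by peername.regex=IP:10\\..+ read',
    'to dn.subtree="dc=example,dc=com" by self write'
    ' by dn.children="dc=example,dc=com" search by anonymous auth',
]
```

With these rules, an anonymous client from network 10 can read a homePhone value but one from another network cannot (no <who> matches, so the implicit by * none applies), another user under dc=example,dc=com gets search but not read, and a request for an entry outside the subtree matches no directive at all and is denied unless a frontend directive such as to * by * read grants it.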

Access Control Ordering

Since the ordering of olcAccess directives is essential to their proper evaluation, but LDAP attributes normally do not preserve the ordering of their values, OpenLDAP uses a custom schema extension to maintain a fixed ordering of these values. This ordering is maintained by prepending a "{X}" numeric index to each value, similarly to the approach used for ordering the configuration entries. These index tags are maintained automatically by slapd and do not need to be specified when originally defining the values. For example, when you create the settings

olcAccess: to attr=member,entry
    by dnattr=member selfwrite
olcAccess: to dn.children="dc=example,dc=com"
    by * search
olcAccess: to dn.children="dc=com"
    by * read

when you read them back using slapcat or ldapsearch they will contain

olcAccess: {0}to attr=member,entry
    by dnattr=member selfwrite
olcAccess: {1}to dn.children="dc=example,dc=com"
    by * search
olcAccess: {2}to dn.children="dc=com"
    by * read

The numeric index may be used to specify a particular value to change when using ldapmodify to edit the access rules. This index can be used instead of (or in addition to) the actual access value. Using this numeric index is very helpful when multiple access rules are being managed.

For example, if we needed to change the second rule above to grant write access instead of search, we could try this LDIF:

changetype: modify
delete: olcAccess
olcAccess: to dn.children="dc=example,dc=com" by * search
-
add: olcAccess
olcAccess: to dn.children="dc=example,dc=com" by * write
-

But this example will not guarantee that the existing values remain in their original order, so it will most likely yield a broken security configuration. Instead, the numeric index should be used:

changetype: modify
delete: olcAccess
olcAccess: {1}
-
add: olcAccess
olcAccess: {1}to dn.children="dc=example,dc=com" by * write
-

This example deletes whatever rule is in value #1 of the olcAccess attribute (regardless of its value) and adds a new value that is explicitly inserted as value #1. The result will be

olcAccess: {0}to attr=member,entry
    by dnattr=member selfwrite
olcAccess: {1}to dn.children="dc=example,dc=com"
    by * write
olcAccess: {2}to dn.children="dc=com"
    by * read

which is exactly what was intended.
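As an added example (not OpenLDAP code), here is a Python model of the {X}-ordered olcAccess values and of the two ways of changing rule #1 shown above. The value-based delete/add is modelled as removing the value and appending the new one at the end, which is one way the original order can be lost (plain LDAP treats attribute values as an unordered set); the index-based change replaces the slot in place, and a helper builds the ldapmodify input for it. The target DN olcDatabase=bdb,cn=config is assumed from the configuration example on this page.

```python
"""Keeping olcAccess values in {X} order (added example, not OpenLDAP code).
Contrasts the value-based delete/add above with the index-based modify."""
import re
from typing import List, Optional, Tuple

TAG = re.compile(r"^\{(\d+)\}(.*)$", re.S)


def split_tag(value: str) -> Tuple[Optional[int], str]:
    """'{1}to ...' -> (1, 'to ...'); an untagged value -> (None, value)."""
    m = TAG.match(value)
    return (int(m.group(1)), m.group(2)) if m else (None, value)


def ordered(values: List[str]) -> List[str]:
    """Rules in evaluation order with tags stripped. Values written without tags
    (as they are before slapd numbers them) keep the order they were given in."""
    tagged = [split_tag(v) for v in values]
    if all(i is None for i, _ in tagged):
        return [r for _, r in tagged]
    if any(i is None for i, _ in tagged):
        raise ValueError("mixing tagged and untagged olcAccess values is ambiguous")
    return [r for _, r in sorted(tagged)]


def renumber(rules: List[str]) -> List[str]:
    """Prepend fresh {X} tags in list order, as slapd does when storing the values."""
    return [f"{{{i}}}{r}" for i, r in enumerate(rules)]


def value_based_change(values: List[str], old_rule: str, new_rule: str) -> List[str]:
    """Delete by value, then add: plain LDAP treats the values as a set, so the
    added rule lands wherever the server puts it. Modelled here as the end of the
    list, which is one way the original order is lost."""
    rules = ordered(values)
    rules.remove(old_rule)
    rules.append(new_rule)
    return renumber(rules)


def indexed_change(values: List[str], index: int, new_rule: str) -> List[str]:
    """'delete: olcAccess / olcAccess: {index}' followed by
    'add: olcAccess / olcAccess: {index}<rule>': the slot is replaced in place."""
    rules = ordered(values)
    if not 0 <= index < len(rules):
        raise IndexError(f"no olcAccess value #{index}")
    rules[index] = split_tag(new_rule)[1]
    return renumber(rules)


def indexed_change_ldif(dn: str, index: int, new_rule: str) -> str:
    """The ldapmodify input that performs indexed_change() on the server."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "delete: olcAccess",
        f"olcAccess: {{{index}}}",
        "-",
        "add: olcAccess",
        f"olcAccess: {{{index}}}{new_rule}",
        "-",
        "",
    ])


# The three rules from the text, as slapcat or ldapsearch returns them.
CURRENT = [
    "{0}to attr=member,entry by dnattr=member selfwrite",
    '{1}to dn.children="dc=example,dc=com" by * search',
    '{2}to dn.children="dc=com" by * read',
]
NEW_RULE = 'to dn.children="dc=example,dc=com" by * write'

if __name__ == "__main__":
    # Assumed target DN, taken from the configuration example on this page.
    print(indexed_change_ldif("olcDatabase=bdb,cn=config", 1, NEW_RULE))
```

After the value-based change the dc=com directive ends up at {1}, ahead of the dc=example,dc=com one, so the broader rule shadows the narrower one exactly as the ordering discussion above warns; the indexed change leaves {0} and {2} where they were.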

Configuration Example

The following is an example configuration, interspersed with explanatory text. It defines two databases to handle different parts of the X.500 tree; both are BDB database instances. The line numbers shown are provided for reference only and are not included in the actual file. First, the global configuration section:

# example config file - global configuration entry
dn: cn=config
objectClass: olcGlobal
cn: config
olcReferral: ldap://root.openldap.org

Line 1 is a comment. Lines 2-4 identify this as the global configuration entry. The olcReferral: directive on line 5 means that queries not local to one of the databases defined below will be referred to the LDAP server running on the standard port (389) at the host root.openldap.org. Line 6 is a blank line, indicating the end of this entry.

# internal schema
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

Line 7 is a comment. Lines 8-10 identify this as the root of the schema subtree. The actual schema definitions in this entry are hardcoded into slapd so no additional attributes are specified here. Line 11 is a blank line, indicating the end of this entry.

# include the core schema
include: file:///usr/local/etc/openldap/schema/core.ldif

Line 12 is a comment. Line 13 is an LDIF include directive which accesses the core schema definitions in LDIF format. Line 14 is a blank line.

Next comes the database definitions. The first database is the special frontend database whose settings are applied globally to all the other databases.

# global database parameters
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: frontend
olcAccess: to * by * read

Line 15 is a comment. Lines 16-18 identify this entry as the global database entry. Line 19 is a global access control. It applies to all entries (after any applicable database-specific access controls).

The next entry defines a BDB backend that will handle queries for things in the "dc=example,dc=com" portion of the tree. Indices are to be maintained for several attributes, and the userPassword attribute is to be protected from unauthorized access.

# BDB definition for example.com
dn: olcDatabase=bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: bdb
olcSuffix: "dc=example,dc=com"
olcDbDirectory: /usr/local/var/openldap-data
olcRootDN: "cn=Manager,dc=example,dc=com"
olcRootPW: secret
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,uid pres,eq,approx,sub
olcDbIndex: objectClass eq
olcAccess: to attr=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=Admin,dc=example,dc=com" write
    by * none
olcAccess: to *
    by self write
    by dn.base="cn=Admin,dc=example,dc=com" write
    by * read

Line 21 is a comment. Lines 22-25 identify this entry as a BDB database configuration entry. Line 26 specifies the DN suffix for queries to pass to this database. Line 27 specifies the directory in which the database files will live.

Lines 28 and 29 identify the database super-user entry and associated password. This entry is not subject to access control or size or time limit restrictions.

Lines 30 through 32 indicate the indices to maintain for various attributes.

Lines 33 through 41 specify access control for entries in this database. As this is the first database, the controls also apply to entries not held in any database (such as the Root DSE). For all applicable entries, the userPassword attribute is writable by the entry itself and by the "admin" entry. It may be used for authentication/authorization purposes, but is otherwise not readable. All other attributes are writable by the entry and the "admin" entry, but may be read by all users (authenticated or not).

Line 42 is a blank line, indicating the end of this entry.

The next section of the example configuration file defines another BDB database. This one handles queries involving the dc=example,dc=net subtree but is managed by the same entity as the first database. Note that without line 51, the read access would be allowed due to the global access rule at line 19.

# BDB definition for example.net
dn: olcDatabase=bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: bdb
olcSuffix: "dc=example,dc=net"
olcDbDirectory: /usr/local/var/openldap-data-net
olcRootDN: "cn=Manager,dc=example,dc=com"
olcDbIndex: objectClass eq
olcAccess: to * by users read