一定要用你的域名的正确部分取代<MY-DOMAIN>; 和 <COM>;。<MY ORGANIZATION>;应该用你所在组织的名称来代替。在你剪切和粘贴的时候一定要记得包含前导或者后跟的空格。
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company
dc: example
----------------------------------------------------------------------------------------------------------
注意:如果不指定access指令,默认的访问控制策略,access to * by * read,将会允许所有通过验证的和匿名的用户拥有读权限。
----------------------------------------------------------------------------------------------------------
5.2.1.2 attributetype <RFC2252 Attribute Type Description>;
该指令指定了debug声明和统计数据应当被记入日志文件的级别(currently logged to the syslogd( LOG_LOCAL4 facility)。你必须将OpenLDAP配置为--enable-debug (默认)该指令才会工作(except for the two statistics levels, which are always enabled)。log levels是可以相加的。要想知道数字与debuglevel的对应关系,可以用-? 为参数启动slapd,你也可以参考下面的这个表。<integer>;的可能值是:
表5.1: Debugging Levels
Level Description
-1 nable all debugging
0 no debugging
1 trace function calls
2 debug packet handling
4 heavy trace debugging
8 connection management
16 print out packets sent and received
32 search filter processing
64 configuration file processing
128 access control list processing
256 stats log connections/operations/results
512 stats log entries sent
1024 print communication with shell backends
2048 print entry parsing debugging
示例:
loglevel -1
这将导致大量的调试信息被记入日志文件。
默认:
loglevel 256
5.2.1.6. objectclass <RFC2252 Object Class Description>;
This directive specifies a replication site for this database. The uri= parameter specifies a scheme, a host and optionally a port where the slave slapd instance can be found. Either a domain name or IP address may be used for <hostname>;. If <port>; is not given, the standard LDAP port number (389 or 636) is used.
host is deprecated in favor of the uri parameter.
uri allows the replica LDAP server to be specified as an LDAP URI such as ldap://slave.example.com:389 or ldaps://slave.example.com:636.
The binddn= parameter gives the DN to bind as for updates to the slave slapd. It should be a DN which has read/write access to the slave slapd's database. It must also match the updatedn directive in the slave slapd's config file. Generally, this DN should not be the same as the rootdn of the master database. Since DNs are likely to contain embedded spaces, the entire "binddn=<DN>;" string should be enclosed in double quotes.
The bindmethod is simple or kerberos or sasl, depending on whether simple password-based authentication or Kerberos authentication or SASL authentication is to be used when connecting to the slave slapd.
Simple authentication should not be used unless adequate integrity and privacy protections are in place (e.g. TLS or IPSEC). Simple authentication requires specification of binddn and credentials parameters.
Kerberos authentication is deprecated in favor of SASL authentication mechanisms, in particular the KERBEROS_V4 and GSSAPI mechanisms. Kerberos authentication requires binddn and srvtab parameters.
SASL authentication is generally recommended. SASL authentication requires specification of a mechanism using the saslmech parameter. Depending on the mechanism, an authentication identity and/or credentials can be specified using authcid and credentials respectively. The authzid parameter may be used to specify an authorization identity.
See the chapter entitled Replication with slurpd for more information on how to use this directive.
5.2.3.4. replogfile <filename>;
This directive specifies the name of the replication log file to which slapd will log changes. The replication log is typically written by slapd and read by slurpd. Normally, this directive is only used if slurpd is being used to replicate the database. However, you can also use it to generate a transaction log, if slurpd is not running. In this case, you will need to periodically truncate the file, since it will grow indefinitely otherwise.
See the chapter entitled Replication with slurpd for more information on how to use this directive.
-----------------------------------------------------------------------------------------------------------
注意:当请求传递的对象,即后端选定之后,slapd在每个数据库定义中顺序查找suffix行。因此,如果一个数据库后缀是另一个的前缀的话,在配置文件中它必须出现在另一个之后。
Note: When the backend to pass a query to is selected, slapd looks at the suffix line(s) in each database definition in the order they appear in the file. Thus, if one database suffix is a prefix of another, it must appear after it in the config file.
-----------------------------------------------------------------------------------------------------------
This directive specifies the current database as a replica of the master content by establishing the current slapd( as a replication consumer site running a syncrepl replication engine. The master database is located at the replication provider site specified by the provider parameter. The replica database is kept up-to-date with the master content using the LDAP Content Synchronization protocol. See draft-zeilenga-ldup-sync-xx.txt (a work in progress) for more information on the protocol.
The rid parameter is used for identification of the current syncrepl directive within the replication consumer server, where <replica ID>; uniquely identifies the syncrepl specification described by the current syncrepl directive. <replica ID>; is non-negative and is no more than three decimal digits in length.
The provider parameter specifies the replication provider site containing the master content as an LDAP URI. The provider parameter specifies a scheme, a host and optionally a port where the provider slapd instance can be found. Either a domain name or IP address may be used for <hostname>;. Examples are ldap://provider.example.com:389 or ldaps://192.168.1.1:636. If <port>; is not given, the standard LDAP port number (389 or 636) is used. Note that the syncrepl uses a consumer-initiated protocol, and hence its specification is located at the consumer site, whereas the replica specification is located at the provider site. syncrepl and replica directives define two independent replication mechanisms. They do not represent the replication peers of each other.
The content of the syncrepl replica is defined using a search specification as its result set. The consumer slapd will send search requests to the provider slapd according to the search specification. The search specification includes searchbase, scope, filter, attrs, attrsonly, sizelimit, and timelimit parameters as in the normal search specification. The syncrepl search specification has the same value syntax and the same default values as in the ldapsearch(1) client search tool.
The LDAP Content Synchronization protocol has two operation types: refreshOnly and refreshAndPersist. The operation type is specified by the type parameter. In the refreshOnly operation, the next synchronization search operation is periodically rescheduled at an interval time after each synchronization operation finishes. The interval is specified by the interval parameter. It is set to one day by default. In the refreshAndPersist operation, a synchronization search remains persistent in the provider slapd. Further updates to the master replica will generate searchResultEntry to the consumer slapd as the search responses to the persistent synchronization search.
The schema checking can be enforced at the LDAP Sync consumer site by turning on the schemachecking parameter. If it is turned on, every replicated entry will be checked for its schema as the entry is stored into the replica content. Every entry in the replica should contain those attributes required by the schema definition. If it is turned off, entries will be stored without checking schema conformance. The default is off.
The updatedn parameter specifies the DN in the consumer site which is allowed to make changes to the replica. This DN is used locally by the syncrepl engine when updating the replica with the entries received from the provider site by using the internal operation mechanism. The update of the replica content is subject to the access control privileges of the DN. The DN should have read/write access to the replica database. Generally, this DN should not be the same as rootdn.
The binddn parameter gives the DN to bind as for the syncrepl searches to the provider slapd. It should be a DN which has read access to the replication content in the master database.
The bindmethod is simple or sasl, depending on whether simple password-based authentication or SASL authentication is to be used when connecting to the provider slapd.
Simple authentication should not be used unless adequate integrity and privacy protections are in place (e.g. TLS or IPSEC). Simple authentication requires specification of binddn and credentials parameters.
SASL authentication is generally recommended. SASL authentication requires specification of a mechanism using the saslmech parameter. Depending on the mechanism, an authentication identity and/or credentials can be specified using authcid and credentials, respectively. The authzid parameter may be used to specify an authorization identity.
The realm parameter specifies a realm which a certain mechanisms authenticate the identity within. The secprops parameter specifies Cyrus SASL security properties.
The syncrepl replication mechanism is supported by the three native backends: back-bdb, back-hdb, and back-ldbm.
See the LDAP Sync Replication chapter of the admin guide for more information on how to use this directive.
5.2.3.9. updatedn <DN>;
This directive is only applicable in a slave slapd. It specifies the DN allowed to make changes to the replica. This may be the DN slurpd( binds as when making changes to the replica or the DN associated with a SASL identity.
See the Replication with slurpd chapter for more information on how to use this directive.
5.2.3.10. updateref <URL>;
This directive is only applicable in a slave slapd. It specifies the URL to return to clients which submit update requests upon the replica. If specified multiple times, each URL is provided.
This directive specifies a session log store in the syncrepl replication provider server which contains information on the entries that have been scoped out of the replication content identified by <sid>;. The first syncrepl search request having the same <sid>; value in the cookie establishes the session log store in the provider server. The number of the entries in the session log store is limited by <limit>;. Excessive entries are removed from the store in the FIFO order. Both <sid>; and <limit>; are non-negative integers. <sid>; has no more than three decimal digits.
The LDAP Content Synchronization operation that falls into a pre-existing session can use the session log store in order to reduce the amount of synchronization traffic. If the replica is not so outdated that it can be made up-to-date by the information in the session store, the provider slapd will send the consumer slapd the identities of the scoped-out entries together with the in-scope entries added to or modified within the replication content. If the replica status is outdated too much and beyond the coverage of the history store, then the provider slapd will send the identities of the unchanged in-scope entries along with the changed in-scope entries. The consumer slapd will then remove those entries in the replica which are not identified as present in the provider content.
5.2.5.6. index {<attrlist>; | default} [pres,eq,approx,sub,none]
该指令指定了为所给属性所维护的索引。如果仅给出一个<attrlist>;,默认的索引也会被维护。
示例:
index default pres,eq
index uid
index cn,sn pres,eq,sub
index objectClass eq
The first line sets the default set of indices to maintain to present and equality. The second line causes the default (pres,eq) set of indices to be maintained for the uid attribute type. The third line causes present, equality, and substring indices to be maintained for cn and sn attribute types. The fourth line causes an equality index for the objectClass attribute type.
By default, no indices are maintained. It is generally advised that minimally an equality index upon objectClass be maintained.
表 5.3: 访问实体符号
Specifier Entities
* All, including anonymous and authenticated users
anonymous Anonymous (non-authenticated) users
users Authenticated users
self User associated with target entry
dn[.<basic-style>;]=<regex>; Users matching a regular expression
dn.<scope-style>;=<DN>; Users within scope of a DN
此处的DN符号表现得非常像<what>;子句中的DN符号:
其他的控制因素也被支持。比如,a <who>; can be restricted by an entry listed in a DN-valued attribute in the entry to which the access applies:
access to dn.subtree="dc=example,dc=com" attr=homePhone
by self write
by dn.children="dc=example,dc=com" search
by peername=IP:10\..+ read
access to dn.subtree="dc=example,dc=com"
by self write
by dn.children="dc=example,dc=com" search
by anonymous auth
本例对"dc=example,dc=com"子树中的条目起作用。除了homePhone之外,一个条目可以写它所有的属性,example.com 下的条目可以被它自己搜索,其他任何人都没有权限访问(暗含by * none),例外是经过认证/授权的用户可以(总是匿名进行)。homePhone属性对条目自身而言是可写的,对example.com下的条目是可搜索的,对来自10网络的客户总是可读的,否则就是不可读的(暗含by * none)。所有其他的访问都将被拒绝,因为暗含有access to * by * none子句。
1. # example config file - global configuration section
2. include /usr/local/etc/schema/core.schema
3. referral ldap://root.openldap.org
4. access to * by * read
# Organization for Example Corporation
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example Corporation
description: The Example Corporation
# Organizational Role for Directory Manager
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager