OpenLDAP Software 2.5 Administrator's Guide
The OpenLDAP Project <https://www.openldap.org/>
8 May 2024
Table of Contents
Preface
1. Introduction to OpenLDAP Directory Services
1.1. What is a directory service?
1.2. What is LDAP?
1.3. When should I use LDAP?
1.4. When should I not use LDAP?
1.5. How does LDAP work?
1.6. What about X.500?
1.7. What is the difference between LDAPv2 and LDAPv3?
1.8. LDAP vs RDBMS
1.9. What is slapd and what can it do?
1.10. What is lloadd and what can it do?
2. A Quick-Start Guide
3. The Big Picture - Configuration Choices
3.1. Local Directory Service
3.2. Local Directory Service with Referrals
3.3. Replicated Directory Service
3.4. Distributed Local Directory Service
4. Building and Installing OpenLDAP Software
4.1. Obtaining and Extracting the Software
4.2. Prerequisite software
4.2.1. Transport Layer Security
4.2.2. Simple Authentication and Security Layer
4.2.3. Kerberos Authentication Service
4.2.4. Database Software
4.2.5. Threads
4.2.6. TCP Wrappers
4.3. Running configure
4.4. Building the Software
4.5. Testing the Software
4.6. Installing the Software
5. Configuring slapd
5.1. Configuration Layout
5.2. Configuration Directives
5.2.1. cn=config
5.2.2. cn=module
5.2.3. cn=schema
5.2.4. Backend-specific Directives
5.2.5. Database-specific Directives
5.2.6. MDB Backend Directives
5.2.7. MDB Database Directives
5.3. Configuration Example
5.4. Converting old style slapd.conf(5) file to cn=config format
5.5. Recovering from a broken configuration
5.5.1. Generate an ldif version of the configuration database and reload from that
5.5.2. Modify config in-place
5.5.3. Recover with plain back-ldif
6. The slapd Configuration File
6.1. Configuration File Format
6.2. Configuration File Directives
6.2.1. Global Directives
6.2.2. General Backend Directives
6.2.3. General Database Directives
6.2.4. MDB Backend Directives
6.2.5. MDB Database Directives
6.3. Configuration File Example
7. Running slapd
7.1. Command-Line Options
7.2. Starting slapd
7.3. Stopping slapd
8. Access Control
8.1. Introduction
8.2. Access Control via Static Configuration
8.2.1. What to control access to
8.2.2. Who to grant access to
8.2.3. The access to grant
8.2.4. Access Control Evaluation
8.2.5. Access Control Examples
8.3. Access Control via Dynamic Configuration
8.3.1. What to control access to
8.3.2. Who to grant access to
8.3.3. The access to grant
8.3.4. Access Control Evaluation
8.3.5. Access Control Examples
8.3.6. Access Control Ordering
8.4. Access Control Common Examples
8.4.1. Basic ACLs
8.4.2. Matching Anonymous and Authenticated users
8.4.3. Controlling rootdn access
8.4.4. Managing access with Groups
8.4.5. Granting access to a subset of attributes
8.4.6. Allowing a user write to all entries below theirs
8.4.7. Allowing entry creation
8.4.8. Tips for using regular expressions in Access Control
8.4.9. Granting and Denying access based on security strength factors (ssf)
8.4.10. When things aren't working as expected
8.5. Sets - Granting rights based on relationships
8.5.1. Groups of Groups
8.5.2. Group ACLs without DN syntax
8.5.3. Following references
9. Limits
9.1. Introduction
9.2. Soft and Hard limits
9.3. Global Limits
9.3.1. Special Size Limits
9.4. Per-Database Limits
9.4.1. Specify who the limits apply to
9.4.2. Specify time limits
9.4.3. Specifying size limits
9.5. Example Limit Configurations
9.5.1. Simple Global Limits
9.5.2. Global Hard and Soft Limits
9.5.3. Giving specific users larger limits
9.5.4. Limiting who can do paged searches
9.6. Glued/Subordinate database configurations
9.7. Further Information
10. Database Creation and Maintenance Tools
10.1. Creating a database over LDAP
10.2. Creating a database off-line
10.2.1. The slapadd program
10.2.2. The slapindex program
10.2.3. The slapcat program
10.3. The LDIF text entry format
11. Backends
11.1. LDAP
11.1.1. Overview
11.1.2. back-ldap Configuration
11.1.3. Further Information
11.2. LDIF
11.2.1. Overview
11.2.2. back-ldif Configuration
11.2.3. Further Information
11.3. LMDB
11.3.1. Overview
11.3.2. back-mdb Configuration
11.3.3. Further Information
11.4. Metadirectory
11.4.1. Overview
11.4.2. back-meta Configuration
11.4.3. Further Information
11.5. Monitor
11.5.1. Overview
11.5.2. back-monitor Configuration
11.5.3. Further Information
11.6. Null
11.6.1. Overview
11.6.2. back-null Configuration
11.6.3. Further Information
11.7. Passwd
11.7.1. Overview
11.7.2. back-passwd Configuration
11.7.3. Further Information
11.8. Perl
11.8.1. Overview
11.8.2. back-perl Configuration
11.8.3. Further Information
11.9. Relay
11.9.1. Overview
11.9.2. back-relay Configuration
11.9.3. Further Information
11.10. SQL
11.10.1. Overview
11.10.2. back-sql Configuration
11.10.3. Further Information
12. Overlays
12.1. Access Logging
12.1.1. Overview
12.1.2. Access Logging Configuration
12.1.3. Further Information
12.2. Audit Logging
12.2.1. Overview
12.2.2. Audit Logging Configuration
12.2.3. Further Information
12.3. Chaining
12.3.1. Overview
12.3.2. Chaining Configuration
12.3.3. Handling Chaining Errors
12.3.4. Read-Back of Chained Modifications
12.3.5. Further Information
12.4. Constraints
12.4.1. Overview
12.4.2. Constraint Configuration
12.4.3. Further Information
12.5. Dynamic Directory Services
12.5.1. Overview
12.5.2. Dynamic Directory Service Configuration
12.5.3. Further Information
12.6. Dynamic Groups
12.6.1. Overview
12.6.2. Dynamic Group Configuration
12.7. Dynamic Lists
12.7.1. Overview
12.7.2. Dynamic List Configuration
12.7.3. Further Information
12.8. Reverse Group Membership Maintenance
12.8.1. Overview
12.8.2. Member Of Configuration
12.8.3. Further Information
12.9. The Proxy Cache Engine
12.9.1. Overview
12.9.2. Proxy Cache Configuration
12.9.3. Further Information
12.10. Password Policies
12.10.1. Overview
12.10.2. Password Policy Configuration
12.10.3. Further Information
12.11. Referential Integrity
12.11.1. Overview
12.11.2. Referential Integrity Configuration
12.11.3. Further Information
12.12. Return Code
12.12.1. Overview
12.12.2. Return Code Configuration
12.12.3. Further Information
12.13. Rewrite/Remap
12.13.1. Overview
12.13.2. Rewrite/Remap Configuration
12.13.3. Further Information
12.14. Sync Provider
12.14.1. Overview
12.14.2. Sync Provider Configuration
12.14.3. Further Information
12.15. Translucent Proxy
12.15.1. Overview
12.15.2. Translucent Proxy Configuration
12.15.3. Further Information
12.16. Attribute Uniqueness
12.16.1. Overview
12.16.2. Attribute Uniqueness Configuration
12.16.3. Further Information
12.17. Value Sorting
12.17.1. Overview
12.17.2. Value Sorting Configuration
12.17.3. Further Information
12.18. Overlay Stacking
12.18.1. Overview
12.18.2. Example Scenarios
13. Schema Specification
13.1. Distributed Schema Files
13.2. Extending Schema
13.2.1. Object Identifiers
13.2.2. Naming Elements
13.2.3. Local schema file
13.2.4. Attribute Type Specification
13.2.5. Object Class Specification
13.2.6. OID Macros
14. Security Considerations
14.1. Network Security
14.1.1. Selective Listening
14.1.2. IP Firewall
14.1.3. TCP Wrappers
14.2. Data Integrity and Confidentiality Protection
14.2.1. Security Strength Factors
14.3. Authentication Methods
14.3.1. "simple" method
14.3.2. SASL method
14.4. Password Storage
14.4.1. SSHA password storage scheme
14.4.2. CRYPT password storage scheme
14.4.3. MD5 password storage scheme
14.4.4. SMD5 password storage scheme
14.4.5. SHA password storage scheme
14.4.6. SASL password storage scheme
14.5. Pass-Through authentication
14.5.1. Configuring slapd to use an authentication provider
14.5.2. Configuring saslauthd
14.5.3. Testing pass-through authentication
15. Using SASL
15.1. SASL Security Considerations
15.2. SASL Authentication
15.2.1. GSSAPI
15.2.2. KERBEROS_V4
15.2.3. DIGEST-MD5
15.2.4. EXTERNAL
15.2.5. Mapping Authentication Identities
15.2.6. Direct Mapping
15.2.7. Search-based mappings
15.3. SASL Proxy Authorization
15.3.1. Uses of Proxy Authorization
15.3.2. SASL Authorization Identities
15.3.3. Proxy Authorization Rules
16. Using TLS
16.1. TLS Certificates
16.1.1. Server Certificates
16.1.2. Client Certificates
16.2. TLS Configuration
16.2.1. Server Configuration
16.2.2. Client Configuration
17. Constructing a Distributed Directory Service
17.1. Subordinate Knowledge Information
17.2. Superior Knowledge Information
17.3. The ManageDsaIT Control
18. Replication
18.1. Replication Technology
18.1.1. LDAP Sync Replication
18.2. Deployment Alternatives
18.2.1. Delta-syncrepl replication
18.2.2. N-Way Multi-Provider Replication
18.2.3. Mirror mode replication
18.2.4. Syncrepl Proxy Mode
18.3. Configuring the different replication types
18.3.1. Syncrepl
18.3.2. Delta-syncrepl
18.3.3. N-Way Multi-Provider
18.3.4. Mirror mode
18.3.5. Syncrepl Proxy
19. Maintenance
19.1. Directory Backups
19.2. Checkpointing
19.3. Migration
20. Monitoring
20.1. Monitor configuration via cn=config(5)
20.2. Monitor configuration via slapd.conf(5)
20.3. Accessing Monitoring Information
20.4. Monitor Information
20.4.1. Backends
20.4.2. Connections
20.4.3. Databases
20.4.4. Listener
20.4.5. Log
20.4.6. Operations
20.4.7. Overlays
20.4.8. SASL
20.4.9. Statistics
20.4.10. Threads
20.4.11. Time
20.4.12. TLS
20.4.13. Waiters
21. Load Balancing with lloadd
21.1. Overview
21.2. When to use the OpenLDAP load balancer
21.3. Runtime configurations
21.4. Build Notes
21.5. Sample Runtime
21.6. Configuring load balancer
21.6.1. Common configuration options
21.6.2. Sample backend config
22. Tuning
22.1. Performance Factors
22.1.1. Memory
22.1.2. Disks
22.1.3. Network Topology
22.1.4. Directory Layout Design
22.1.5. Expected Usage
22.2. Indexes
22.2.1. Understanding how a search works
22.2.2. What to index
22.2.3. Presence indexing
22.2.4. Equality indexing
22.2.5. Substring indexing
22.3. Logging
22.3.1. What log level to use
22.3.2. What to watch out for
22.3.3. Improving throughput
22.4. slapd(8) Threads
23. Troubleshooting
23.1. User or Software errors?
23.2. Checklist
23.3. OpenLDAP Bugs
23.4. 3rd party software error
23.5. How to contact the OpenLDAP Project
23.6. How to present your problem
23.7. Debugging slapd(8)
23.8. Commercial Support
A. Changes Since Previous Release
A.1. New Guide Sections
A.2. New Features and Enhancements in 2.5
A.2.1. Better cn=config functionality
A.2.2. Better cn=schema functionality
A.2.3. More sophisticated Syncrepl configurations
A.2.4. Replicating slapd Configuration (syncrepl and cn=config)
A.2.5. More extensive TLS configuration control
A.2.6. Performance enhancements
A.2.7. New overlays
A.2.8. New features in existing Overlays
A.2.9. New features in slapd
A.2.10. New features in libldap
A.2.11. New clients, tools and tool enhancements
A.2.12. New build options
A.3. Obsolete Features Removed From 2.5
A.3.1. back-bdb and back-hdb
B. Upgrading from 2.4.x
B.1. cn=config olc* attributes
B.2. ppolicy overlay
B.3. unique overlay
B.4. ldap and meta backends
B.5. shell backend
B.6. perl and sql backends
B.7. hdb and bdb backends
B.8. mdb backend
B.9. Client utility changes
C. Common errors encountered when using OpenLDAP Software
C.1. Common causes of LDAP errors
C.1.1. ldap_*: Can't contact LDAP server
C.1.2. ldap_*: No such object
C.1.3. ldap_*: Can't chase referral
C.1.4. ldap_*: server is unwilling to perform
C.1.5. ldap_*: Insufficient access
C.1.6. ldap_*: Invalid DN syntax
C.1.7. ldap_*: Referral hop limit exceeded
C.1.8. ldap_*: operations error
C.1.9. ldap_*: other error
C.1.10. ldap_add/modify: Invalid syntax
C.1.11. ldap_add/modify: Object class violation
C.1.12. ldap_add: No such object
C.1.13. ldap add: invalid structural object class chain
C.1.14. ldap_add: no structuralObjectClass operational attribute
C.1.15. ldap_add/modify/rename: Naming violation
C.1.16. ldap_add/delete/modify/rename: no global superior knowledge
C.1.17. ldap_bind: Insufficient access
C.1.18. ldap_bind: Invalid credentials
C.1.19. ldap_bind: Protocol error
C.1.20. ldap_modify: cannot modify object class
C.1.21. ldap_sasl_interactive_bind_s: ...
C.1.22. ldap_sasl_interactive_bind_s: No such Object
C.1.23. ldap_sasl_interactive_bind_s: No such attribute
C.1.24. ldap_sasl_interactive_bind_s: Unknown authentication method
C.1.25. ldap_sasl_interactive_bind_s: Local error (82)
C.1.26. ldap_search: Partial results and referral received
C.1.27. ldap_start_tls: Operations error
C.2. Other Errors
C.2.1. ber_get_next on fd X failed errno=34 (Numerical result out of range)
C.2.2. ber_get_next on fd X failed errno=11 (Resource temporarily unavailable)
C.2.3. daemon: socket() failed errno=97 (Address family not supported)
C.2.4. GSSAPI: gss_acquire_cred: Miscellaneous failure; Permission denied;
C.2.5. access from unknown denied
C.2.6. ldap_read: want=# error=Resource temporarily unavailable
C.2.7. `make test' fails
C.2.8. ldap_*: Internal (implementation specific) error (80) - additional info: entry index delete failed
C.2.9. ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
D. Recommended OpenLDAP Software Dependency Versions
D.1. Dependency Versions
E. Real World OpenLDAP Deployments and Examples
F. OpenLDAP Software Contributions
F.1. Client APIs
F.1.1. ldapc++
F.1.2. ldaptcl
F.2. Overlays
F.2.1. acl
F.2.2. addpartial
F.2.3. allop
F.2.4. autogroup
F.2.5. comp_match
F.2.6. denyop
F.2.7. dsaschema
F.2.8. lastmod
F.2.9. nops
F.2.10. nssov
F.2.11. passwd
F.2.12. proxyOld
F.2.13. smbk5pwd
F.2.14. trace
F.2.15. usn
F.3. Tools
F.3.1. Statistic Logging
F.4. SLAPI Plugins
F.4.1. addrdnvalues
G. Configuration File Examples
G.1. slapd.conf
G.2. ldap.conf
G.3. a-n-other.conf
H. LDAP Result Codes
H.1. Non-Error Result Codes
H.2. Result Codes
H.3. success (0)
H.4. operationsError (1)
H.5. protocolError (2)
H.6. timeLimitExceeded (3)
H.7. sizeLimitExceeded (4)
H.8. compareFalse (5)
H.9. compareTrue (6)
H.10. authMethodNotSupported (7)
H.11. strongerAuthRequired (8)
H.12. referral (10)
H.13. adminLimitExceeded (11)
H.14. unavailableCriticalExtension (12)
H.15. confidentialityRequired (13)
H.16. saslBindInProgress (14)
H.17. noSuchAttribute (16)
H.18. undefinedAttributeType (17)
H.19. inappropriateMatching (18)
H.20. constraintViolation (19)
H.21. attributeOrValueExists (20)
H.22. invalidAttributeSyntax (21)
H.23. noSuchObject (32)
H.24. aliasProblem (33)
H.25. invalidDNSyntax (34)
H.26. aliasDereferencingProblem (36)
H.27. inappropriateAuthentication (48)
H.28. invalidCredentials (49)
H.29. insufficientAccessRights (50)
H.30. busy (51)
H.31. unavailable (52)
H.32. unwillingToPerform (53)
H.33. loopDetect (54)
H.34. namingViolation (64)
H.35. objectClassViolation (65)
H.36. notAllowedOnNonLeaf (66)
H.37. notAllowedOnRDN (67)
H.38. entryAlreadyExists (68)
H.39. objectClassModsProhibited (69)
H.40. affectsMultipleDSAs (71)
H.41. other (80)
I. Glossary
I.1. Terms
I.2. Related Organizations
I.3. Related Products
I.4. References
J. Generic configure Instructions
K. OpenLDAP Software Copyright Notices
K.1. OpenLDAP Copyright Notice
K.2. Additional Copyright Notices
K.3. University of Michigan Copyright Notice
L. OpenLDAP Public License