H3: Configuration File Example

The following is an example configuration file, interspersed
with explanatory text. It defines two databases to handle
different parts of the {{TERM:X.500}} tree; both are {{TERM:BDB}}
database instances. The line numbers shown are provided for
reference only and are not included in the actual file. First, the
global configuration section:
E: 1. # example config file - global configuration section
E: 2. include /usr/local/etc/schema/core.schema
E: 3. referral ldap://root.openldap.org
E: 4. access to * by * read
Line 1 is a comment. Line 2 includes another config file
which contains {{core}} schema definitions.
The {{EX:referral}} directive on line 3
means that queries not local to one of the databases defined
below will be referred to the LDAP server running on the
standard port (389) at the host {{EX:root.openldap.org}}.

Line 4 is a global access control. It applies to all
entries (after any applicable database-specific access
controls). Because it grants read access to everyone, including
anonymous clients, any entry that no database-specific directive
matches is readable by anyone; the second database below relies on
that evaluation order to override it.
The next section of the configuration file defines a BDB
backend that will handle queries for things in the
"dc=example,dc=com" portion of the tree. Indices are to be
maintained for several attributes, and the {{EX:userPassword}}
attribute is to be protected from unauthorized access.
E: 5. # BDB definition for the example.com
E: 6. database bdb
E: 7. suffix "dc=example,dc=com"
E: 8. directory /usr/local/var/openldap-data
E: 9. rootdn "cn=Manager,dc=example,dc=com"
E: 10. rootpw secret
E: 11. # indexed attribute definitions
E: 12. index uid pres,eq
E: 13. index cn,sn,uid pres,eq,approx,sub
E: 14. index objectClass eq
E: 15. # database access control definitions
E: 16. access to attrs=userPassword
E: 17.     by self write
E: 18.     by anonymous auth
E: 19.     by dn.base="cn=Admin,dc=example,dc=com" write
E: 20.     by * none
E: 21. access to *
E: 22.     by self write
E: 23.     by dn.base="cn=Admin,dc=example,dc=com" write
E: 24.     by * read
Line 5 is a comment. The start of the database definition is marked
by the database keyword on line 6. Line 7 specifies the DN suffix
for queries to pass to this database. Line 8 specifies the directory
in which the database files will live.

Lines 9 and 10 identify the database {{super-user}} entry and associated
password. This entry is not subject to access control or size or
time limit restrictions. The password is shown in clear text here for
brevity; in a real file it should be a hash generated with
{{slappasswd}}(8) (a {{EX:{SSHA}}} value by default), and
{{slapd.conf}}(5) must not be readable by other users, because the
rootdn password gives unrestricted access to the database.

Lines 12 through 14 indicate the indices to maintain for various
attributes.

Lines 16 through 24 specify access control for entries in this
database. Lines 17-20 and 22-24 begin with whitespace, which
{{slapd.conf}}(5) treats as a continuation of the preceding line, so
lines 16-20 form one access directive and lines 21-24 a second one.
For all applicable entries, the {{EX:userPassword}} attribute is writable
by the entry itself and by the "admin" entry. It may be used for
authentication/authorization purposes (the {{EX:by anonymous auth}}
clause on line 18 is what allows a client to bind with a password),
but is otherwise not readable, because line 20 denies everyone else.
All other attributes are writable by the entry and the "admin"
entry, but may be read by all users (authenticated or not). Note that
"admin" here is the ordinary entry {{EX:cn=Admin,dc=example,dc=com}},
not the rootdn of line 9; all of its rights come from these access
directives.
The next section of the example configuration file defines another
BDB database. This one handles queries involving the
{{EX:dc=example,dc=net}} subtree but is managed by the same entity
as the first database: line 37 names the same rootdn, and since this
database has no rootpw of its own, binds as that DN are handled by the
first database, after which the session has root rights over both.
Note that without line 39, anonymous read access would be allowed
due to the global access rule at line 4. Database-specific directives
are evaluated first; line 39 matches every entry in this database and
grants read only to authenticated users ({{EX:users}}), anyone else
gets the implicit {{EX:by * none}}, and the global rule is never
consulted. Line 39 also leaves nobody but the rootdn able to modify
this database, since {{EX:cn=Admin,dc=example,dc=com}} is granted
nothing here.
E: 33. # BDB definition for example.net
E: 34. database bdb
E: 35. suffix "dc=example,dc=net"
E: 36. directory /usr/local/var/openldap-data-net
E: 37. rootdn "cn=Manager,dc=example,dc=com"
E: 38. index objectClass eq
E: 39. access to * by users read
H2: Access Control via Dynamic Configuration

Access to slapd entries and attributes is controlled by the
H3: Configuration Example

The following is an example configuration, interspersed
with explanatory text. It defines two databases to handle
different parts of the {{TERM:X.500}} tree; both are {{TERM:BDB}}
database instances. The line numbers shown are provided for
reference only and are not included in the actual file. First, the
global configuration section:
E: 1. # example config file - global configuration entry
E: 2. dn: cn=config
E: 3. objectClass: olcGlobal
E: 4. cn: config
E: 5. olcReferral: ldap://root.openldap.org
E: 6.
Line 1 is a comment. Lines 2-4 identify this as the global
configuration entry.
The {{EX:olcReferral:}} directive on line 5
means that queries not local to one of the databases defined
below will be referred to the LDAP server running on the
standard port (389) at the host {{EX:root.openldap.org}}.
Line 6 is a blank line, indicating the end of this entry.
E: 7. # internal schema
E: 8. dn: cn=schema,cn=config
E: 9. objectClass: olcSchemaConfig
E: 10. cn: schema
E: 11.
Line 7 is a comment. Lines 8-10 identify this as the root of
the schema subtree. The actual schema definitions in this entry
are hardcoded into slapd so no additional attributes are specified here.
Line 11 is a blank line, indicating the end of this entry.
E: 12. # include the core schema
E: 13. include: file:///usr/local/etc/openldap/schema/core.ldif
E: 14.
Line 12 is a comment. Line 13 is an LDIF include directive which
accesses the {{core}} schema definitions in LDIF format. Line 14
is a blank line, indicating the end of this entry.
Next come the database definitions. The first database is the
special {{EX:frontend}} database whose settings are applied globally
to all the other databases.
E: 15. # global database parameters
E: 16. dn: olcDatabase=frontend,cn=config
E: 17. objectClass: olcDatabaseConfig
E: 18. olcDatabase: frontend
E: 19. olcAccess: to * by * read
E: 20.
Line 15 is a comment. Lines 16-18 identify this entry as the global
database entry. Line 19 is a global access control. It applies to all
entries (after any applicable database-specific access controls), so
an entry that no database-specific directive matches is readable by
anyone, including anonymous clients. Line 20 is a blank line,
indicating the end of this entry.
The next entry defines a BDB backend that will handle queries for things
in the "dc=example,dc=com" portion of the tree. Indices are to be maintained
for several attributes, and the {{EX:userPassword}} attribute is to be
protected from unauthorized access.
E: 21. # BDB definition for example.com
E: 22. dn: olcDatabase=bdb,cn=config
E: 23. objectClass: olcDatabaseConfig
E: 24. objectClass: olcBdbConfig
E: 25. olcDatabase: bdb
E: 26. olcSuffix: "dc=example,dc=com"
E: 27. olcDbDirectory: /usr/local/var/openldap-data
E: 28. olcRootDN: "cn=Manager,dc=example,dc=com"
E: 29. olcRootPW: secret
E: 30. olcDbIndex: uid pres,eq
E: 31. olcDbIndex: cn,sn,uid pres,eq,approx,sub
E: 32. olcDbIndex: objectClass eq
E: 33. olcAccess: to attrs=userPassword
E: 34.   by self write
E: 35.   by anonymous auth
E: 36.   by dn.base="cn=Admin,dc=example,dc=com" write
E: 37.   by * none
E: 38. olcAccess: to *
E: 39.   by self write
E: 40.   by dn.base="cn=Admin,dc=example,dc=com" write
E: 41.   by * read
E: 42.
Line 21 is a comment. Lines 22-25 identify this entry as a BDB database
configuration entry. Line 26 specifies the DN suffix
for queries to pass to this database. Line 27 specifies the directory
in which the database files will live.

Lines 28 and 29 identify the database {{super-user}} entry and associated
password. This entry is not subject to access control or size or
time limit restrictions. As in the {{slapd.conf}}(5) form, the value of
{{EX:olcRootPW}} should be a hash generated with {{slappasswd}}(8)
rather than the clear-text {{EX:secret}} shown here, and the
{{EX:cn=config}} directory must not be readable by other users, since
it stores that value.

Lines 30 through 32 indicate the indices to maintain for various
attributes.

Lines 33 through 41 specify access control for entries in this
database. Lines 34-37 and 39-41 begin with a single space, which LDIF
folds into the preceding line, so lines 33-37 form one
{{EX:olcAccess}} value and lines 38-41 a second. The order of access
directives matters, so when slapd stores a multi-valued
{{EX:olcAccess}} attribute it prefixes each value with an ordering
index such as {{EX:{0}}} and {{EX:{1}}}; modifications made over
LDAP must account for those indices.
For all applicable entries, the {{EX:userPassword}} attribute is writable
by the entry itself and by the "admin" entry. It may be used for
authentication/authorization purposes, but is otherwise not readable.
All other attributes are writable by the entry and the "admin"
entry, but may be read by all users (authenticated or not).

Line 42 is a blank line, indicating the end of this entry.
The next section of the example configuration file defines another
BDB database. This one handles queries involving the
{{EX:dc=example,dc=net}} subtree but is managed by the same entity
as the first database: line 50 names the same rootdn, and since this
database has no {{EX:olcRootPW}} of its own, binds as that DN are
handled by the first database, after which the session has root
rights over both. Both database entries are written with the DN
{{EX:olcDatabase=bdb,cn=config}}; slapd numbers databases in the
order they are defined, so once loaded they are addressed as
{{EX:olcDatabase={1}bdb,cn=config}} and
{{EX:olcDatabase={2}bdb,cn=config}}.
Note that without line 52, anonymous read access would be allowed
due to the global access rule at line 19: database-specific directives
are evaluated first, line 52 matches every entry in this database and
grants read only to authenticated users, and the global rule is then
never consulted. As a consequence nobody but the rootdn can modify
this database.
E: 43. # BDB definition for example.net
E: 44. dn: olcDatabase=bdb,cn=config
E: 45. objectClass: olcDatabaseConfig
E: 46. objectClass: olcBdbConfig
E: 47. olcDatabase: bdb
E: 48. olcSuffix: "dc=example,dc=net"
E: 49. olcDbDirectory: /usr/local/var/openldap-data-net
E: 50. olcRootDN: "cn=Manager,dc=example,dc=com"
E: 51. olcDbIndex: objectClass eq
E: 52. olcAccess: to * by users read
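Both the slapd.conf example and this cn=config example rest on the same evaluation rules, which the explanatory text states but never exercises: database-specific directives are tried before the global one, the first matching {{EX:to}} selector wins, the first matching {{EX:by}} clause inside it decides, and the rootdn bypasses everything. The following Python script is an added example, not OpenLDAP code, that parses the access directives exactly as they appear on this page (slapd.conf form, or {{EX:olcAccess}} form with LDIF continuation lines) and evaluates the page's claims about who may do what. The entry DNs uid=alice and uid=bob under dc=example,dc=com, uid=carol under dc=example,dc=net and the attribute mail are constructed for the example; the model deliberately omits filters, regex subjects and the entry/children pseudo-attributes, and normalises DNs by lower-casing only.

```python
"""Added example, not OpenLDAP code: a model of the slapd.access(5) evaluation
rules the two examples on this page rely on.  Only `to *` / `to attrs=...`
targets and the subjects self, anonymous, users, dn.base="..." and * are
handled; filters, regex subjects and entry/children pseudo-attributes are out
of scope, and DNs are normalised by lower-casing only (assumptions here)."""
import shlex

# Access levels in increasing order; a granted level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def norm_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_access(directive):
    """Parse `access to <what> by <who> <level> ...` (slapd.conf form) or
    `olcAccess: to ...` (cn=config form; LDIF continuation lines start with a space)."""
    text = " ".join(line.strip() for line in directive.strip().splitlines())
    if text.startswith("olcAccess:"):
        text = "access " + text[len("olcAccess:"):].strip()
    tok = shlex.split(text)  # also strips the quotes in dn.base="..."
    if tok[:2] != ["access", "to"] or len(tok) < 3:
        raise ValueError("not an access directive: %r" % directive)
    what = tok[2]
    if what != "*" and not what.startswith("attrs="):
        raise ValueError("unsupported <what> selector %r" % what)
    attrs = None if what == "*" else [a.lower() for a in what[len("attrs="):].split(",")]
    by, i = [], 3
    while i < len(tok):
        if tok[i] != "by" or i + 2 >= len(tok) or tok[i + 2] not in LEVELS:
            raise ValueError("malformed by-clause in %r" % directive)
        by.append((tok[i + 1], tok[i + 2]))
        i += 3
    return {"attrs": attrs, "by": by}

def subject_matches(who, requester, target_dn):
    """`requester` is the bound DN, or "" for an anonymous session."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester == ""
    if who == "users":
        return requester != ""
    if who == "self":
        return requester != "" and norm_dn(requester) == norm_dn(target_dn)
    if who.startswith("dn.base="):
        return norm_dn(requester) == norm_dn(who[len("dn.base="):])
    raise ValueError("unsupported <who> selector %r" % who)

def granted(db, global_acls, requester, target_dn, attr):
    """Access level `requester` holds on `attr` of `target_dn`: first `to` clause
    covering attr wins, first matching `by` inside it decides, else `by * none`."""
    if requester != "" and norm_dn(requester) == norm_dn(db["rootdn"]):
        return "manage"                   # the rootdn is not subject to ACLs
    for acl in db["acls"] + global_acls:  # database rules first, then global ones
        if acl["attrs"] is not None and attr.lower() not in acl["attrs"]:
            continue
        for who, level in acl["by"]:
            if subject_matches(who, requester, target_dn):
                return level
        return "none"
    return "none"  # no clause matched; cannot happen with a global `to *` rule

def allowed(db, global_acls, requester, target_dn, attr, wanted):
    return LEVELS.index(granted(db, global_acls, requester, target_dn, attr)) >= LEVELS.index(wanted)

# The page's directives: line 4 and lines 16-24 of the slapd.conf example, and
# line 52 of the cn=config example in its olcAccess form.
GLOBAL = [parse_access("access to * by * read")]
ADMIN, MANAGER = "cn=Admin,dc=example,dc=com", "cn=Manager,dc=example,dc=com"
EXAMPLE_COM = {"rootdn": MANAGER, "acls": [
    parse_access('''access to attrs=userPassword
                      by self write
                      by anonymous auth
                      by dn.base="cn=Admin,dc=example,dc=com" write
                      by * none'''),
    parse_access('''access to *
                      by self write
                      by dn.base="cn=Admin,dc=example,dc=com" write
                      by * read''')]}
EXAMPLE_NET = {"rootdn": MANAGER, "acls": [parse_access("olcAccess: to * by users read")]}

def check_page_claims():
    """The page's statements about who may do what, as claim -> bool.  The uid=...
    entries and the mail attribute are constructed for this example."""
    alice, bob = "uid=alice,dc=example,dc=com", "uid=bob,dc=example,dc=com"
    carol, pw, com, net = "uid=carol,dc=example,dc=net", "userPassword", EXAMPLE_COM, EXAMPLE_NET
    return {
        "self may write own userPassword": allowed(com, GLOBAL, alice, alice, pw, "write"),
        "anonymous may bind (auth) but not read userPassword":
            allowed(com, GLOBAL, "", alice, pw, "auth") and not allowed(com, GLOBAL, "", alice, pw, "read"),
        "another user cannot read userPassword": not allowed(com, GLOBAL, bob, alice, pw, "read"),
        "admin may write userPassword": allowed(com, GLOBAL, ADMIN, alice, pw, "write"),
        "anyone may read other attributes, only self/admin write them":
            allowed(com, GLOBAL, "", alice, "mail", "read") and not allowed(com, GLOBAL, bob, alice, "mail", "write"),
        "example.net: anonymous gets no read, authenticated users do":
            not allowed(net, GLOBAL, "", carol, "mail", "read") and allowed(net, GLOBAL, bob, carol, "mail", "read"),
        "example.net: admin cannot write but the rootdn can":
            not allowed(net, GLOBAL, ADMIN, carol, "mail", "write") and allowed(net, GLOBAL, MANAGER, carol, "mail", "write"),
        "example.net without line 39/52: anonymous reads via the global rule":
            allowed({"rootdn": MANAGER, "acls": []}, GLOBAL, "", carol, "mail", "read"),
    }
```

check_page_claims() returns every claim as True; the last entry reproduces the remark about line 39 (line 52 in the cn=config form) by evaluating dc=example,dc=net with its own access directive removed, which shows the global rule then letting anonymous clients read. Real slapd supports many more selector types (see slapd.access(5)); the two points the model makes concrete are that a {{EX:to *}} directive inside a database shadows the global rules entirely, and that a {{EX:by}} list with no match denies rather than falling through to the next directive.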
H3: Converting from {{slapd.conf}}(5) to a {{B:cn=config}} directory format

Any of the slap* tools converts an existing {{slapd.conf}}(5) file when
given both the old and the new configuration locations, for example
{{EX:slaptest -f slapd.conf -F slapd.d/}}. The {{EX:slapd.d/}} directory
must exist before the tool is run, and slapd is afterwards started with
{{EX:-F slapd.d/}} alone. The converted entries carry the
{{EX:olcRootPW}} values verbatim, so the directory must be readable
only by the user slapd runs as. See {{slapd-config}}(5).
H2: Access Control Common Examples