OpenLDAP Software 2.6 Administrator's Guide

Preface

1. Introduction to OpenLDAP Directory Services

1.1. What is a directory service?

1.2. What is LDAP?

1.3. When should I use LDAP?

1.4. When should I not use LDAP?

1.5. How does LDAP work?

1.6. What about X.500?

1.7. What is the difference between LDAPv2 and LDAPv3?

1.8. LDAP vs RDBMS

1.9. What is slapd and what can it do?

1.10. What is lloadd and what can it do?

2. A Quick-Start Guide

3. The Big Picture - Configuration Choices

3.1. Local Directory Service

3.2. Local Directory Service with Referrals

3.3. Replicated Directory Service

3.4. Distributed Local Directory Service

4. Building and Installing OpenLDAP Software

4.1. Obtaining and Extracting the Software

4.2. Prerequisite software

4.2.1. Transport Layer Security

4.2.2. Simple Authentication and Security Layer

4.2.3. Kerberos Authentication Service

4.2.4. Database Software

4.2.5. Threads

4.2.6. TCP Wrappers

4.3. Running configure

4.4. Building the Software

4.5. Testing the Software

4.6. Installing the Software

5. Configuring slapd

5.1. Configuration Layout

5.2. Configuration Directives

5.2.1. cn=config

5.2.2. cn=module

5.2.3. cn=schema

5.2.4. Backend-specific Directives

5.2.5. Database-specific Directives

5.2.6. MDB Backend Directives

5.2.7. MDB Database Directives

5.3. Configuration Example

5.4. Converting old style slapd.conf(5) file to cn=config format

5.5. Recovering from a broken configuration

5.5.1. Generate an ldif version of the configuration database and reload from that

5.5.2. Modify config in-place

5.5.3. Recover with plain back-ldif

6. The slapd Configuration File

6.1. Configuration File Format

6.2. Configuration File Directives

6.2.1. Global Directives

6.2.2. General Backend Directives

6.2.3. General Database Directives

6.2.4. MDB Backend Directives

6.2.5. MDB Database Directives

6.3. Configuration File Example

7. Running slapd

7.1. Command-Line Options

8.2. Access Control via Static Configuration

8.2.1. What to control access to

8.2.2. Who to grant access to

8.2.3. The access to grant

8.2.4. Access Control Evaluation

8.2.5. Access Control Examples

8.3. Access Control via Dynamic Configuration

8.3.1. What to control access to

8.3.2. Who to grant access to

8.3.3. The access to grant

8.3.4. Access Control Evaluation

8.3.5. Access Control Examples

8.3.6. Access Control Ordering

8.4. Access Control Common Examples

8.4.1. Basic ACLs

8.4.2. Matching Anonymous and Authenticated users

8.4.3. Controlling rootdn access

8.4.4. Controlling the LDAP Proxied Authorization Control

8.4.5. Managing access with Groups

8.4.6. Granting access to a subset of attributes

8.4.7. Allowing a user write to all entries below theirs

8.4.8. Allowing entry creation

8.4.9. Tips for using regular expressions in Access Control

8.4.10. Granting and Denying access based on security strength factors (ssf)

8.4.11. When things aren't working as expected

8.5. Sets - Granting rights based on relationships

8.5.1. Groups of Groups

8.5.2. Group ACLs without DN syntax

8.5.3. Following references

9. Limits

9.1. Introduction

9.2. Soft and Hard limits

9.3. Global Limits

9.3.1. Special Size Limits

9.4. Per-Database Limits

9.4.1. Specify who the limits apply to

9.4.2. Specify time limits

9.4.3. Specifying size limits

9.5. Example Limit Configurations

9.5.1. Simple Global Limits

9.5.2. Global Hard and Soft Limits

9.5.3. Giving specific users larger limits

9.5.4. Limiting who can do paged searches

9.6. Glued/Subordinate database configurations

9.7. Further Information

10. Database Creation and Maintenance Tools

10.1. Creating a database over LDAP

10.2. Creating a database off-line

10.2.1. The slapadd program

10.2.2. The slapindex program

10.2.3. The slapcat program

10.3. The LDIF text entry format

11. Backends

11.1. LDAP

11.1.1. Overview

11.1.2. back-ldap Configuration

11.1.3. Further Information

11.2. LDIF

11.2.1. Overview

11.2.2. back-ldif Configuration

11.2.3. Further Information

11.3. LMDB

11.3.1. Overview

11.3.2. back-mdb Configuration

11.3.3. Further Information

11.4. Metadirectory

11.4.1. Overview

11.4.2. back-meta Configuration

11.4.3. Further Information

11.5. Monitor

11.5.1. Overview

11.5.2. back-monitor Configuration

11.5.3. Further Information

11.6. Null

11.6.1. Overview

11.6.2. back-null Configuration

11.6.3. Further Information

11.7. Passwd

11.7.1. Overview

11.7.2. back-passwd Configuration

11.7.3. Further Information

11.8. Perl

11.8.1. Overview

11.8.2. back-perl Configuration

11.8.3. Further Information

11.9. Relay

11.9.1. Overview

11.9.2. back-relay Configuration

11.9.3. Further Information

11.10. SQL

11.10.1. Overview

11.10.2. back-sql Configuration

11.10.3. Further Information

12. Overlays

12.1. Access Logging

12.1.1. Overview

12.1.2. Access Logging Configuration

12.1.3. Further Information

12.2. Audit Logging

12.2.1. Overview

12.2.2. Audit Logging Configuration

12.2.3. Further Information

12.3. Chaining

12.3.1. Overview

12.3.2. Chaining Configuration

12.3.3. Handling Chaining Errors

12.3.4. Read-Back of Chained Modifications

12.3.5. Further Information

12.4. Constraints

12.4.1. Overview

12.4.2. Constraint Configuration

12.4.3. Further Information

12.5. Dynamic Directory Services

12.5.1. Overview

12.5.2. Dynamic Directory Service Configuration

12.5.3. Further Information

12.6. Dynamic Groups

12.6.1. Overview

12.6.2. Dynamic Group Configuration

12.7. Dynamic Lists

12.7.1. Overview

12.7.2. Dynamic List Configuration

12.7.3. Further Information

12.8. Reverse Group Membership Maintenance

12.8.1. Overview

12.8.2. Member Of Configuration

12.8.3. Further Information

12.9. The Proxy Cache Engine

12.9.1. Overview

12.9.2. Proxy Cache Configuration

12.9.3. Further Information

12.10. Password Policies

12.10.1. Overview

12.10.2. Password Policy Configuration

12.10.3. Further Information

12.11. Referential Integrity

12.11.1. Overview

12.11.2. Referential Integrity Configuration

12.11.3. Further Information

12.12. Return Code

12.12.1. Overview

12.12.2. Return Code Configuration

12.12.3. Further Information

12.13. Rewrite/Remap

12.13.1. Overview

12.13.2. Rewrite/Remap Configuration

12.13.3. Further Information

12.14. Sync Provider

12.14.1. Overview

12.14.2. Sync Provider Configuration

12.14.3. Further Information

12.15. Translucent Proxy

12.15.1. Overview

12.15.2. Translucent Proxy Configuration

12.15.3. Further Information

12.16. Attribute Uniqueness

12.16.1. Overview

12.16.2. Attribute Uniqueness Configuration

12.16.3. Further Information

12.17. Value Sorting

12.17.1. Overview

12.17.2. Value Sorting Configuration

12.17.3. Further Information

12.18. Overlay Stacking

12.18.1. Overview

12.18.2. Example Scenarios

13. Schema Specification

13.1. Distributed Schema Files

13.2. Extending Schema

13.2.1. Object Identifiers

13.2.2. Naming Elements

13.2.3. Local schema file

13.2.4. Attribute Type Specification

13.2.5. Object Class Specification

13.2.6. OID Macros

14. Security Considerations

14.1. Network Security

14.1.1. Selective Listening

14.1.2. IP Firewall

14.1.3. TCP Wrappers

14.2. Data Integrity and Confidentiality Protection

14.2.1. Security Strength Factors

14.3. Authentication Methods

14.3.1. "simple" method

14.3.2. SASL method

14.4. Password Storage

14.4.1. SSHA password storage scheme

14.4.2. CRYPT password storage scheme

14.4.3. MD5 password storage scheme

14.4.4. SMD5 password storage scheme

14.4.5. SHA password storage scheme

14.4.6. SASL password storage scheme

14.5. Pass-Through authentication

14.5.1. Configuring slapd to use an authentication provider

14.5.2. Configuring saslauthd

14.5.3. Testing pass-through authentication

15. Using SASL

15.1. SASL Security Considerations

15.2. SASL Authentication

15.2.5. Mapping Authentication Identities

15.2.6. Direct Mapping

15.2.7. Search-based mappings

15.3. SASL Proxy Authorization

15.3.1. Uses of Proxy Authorization

15.3.2. SASL Authorization Identities

15.3.3. Proxy Authorization Rules

16. Using TLS

16.1. TLS Certificates

16.1.1. Server Certificates

16.1.2. Client Certificates

16.2. TLS Configuration

16.2.1. Server Configuration

16.2.2. Client Configuration

17. Constructing a Distributed Directory Service

17.1. Subordinate Knowledge Information

17.2. Superior Knowledge Information

17.3. The ManageDsaIT Control

18. Replication

18.1. Replication Technology

18.1.1. LDAP Sync Replication

18.2. Deployment Alternatives

18.2.1. Delta-syncrepl replication

18.2.2. N-Way Multi-Provider Replication

18.2.3. Mirror mode replication

18.2.4. Syncrepl Proxy Mode

18.3. Configuring the different replication types

18.3.1. Syncrepl

18.3.2. Delta-syncrepl

18.3.3. N-Way Multi-Provider

18.3.4. Mirror mode

18.3.5. Syncrepl Proxy

19. Maintenance

19.1. Directory Backups

19.2. Checkpointing

19.3. Migration

20. Monitoring

20.1. Monitor configuration via cn=config(5)

20.2. Monitor configuration via slapd.conf(5)

20.3. Accessing Monitoring Information

20.4. Monitor Information

21. Load Balancing with lloadd

21.1. Overview

21.2. When to use the OpenLDAP load balancer

21.3. Directing operations to backends

21.3.1. Default behaviour

21.3.2. Alternate selection strategies

21.3.3. Coherence

21.4. Runtime configurations

21.5. Build Notes

21.6. Sample Runtime

21.7. Configuring load balancer

21.7.1. Common configuration options

21.7.2. Sample backend config

22. Tuning

22.1. Performance Factors

22.1.1. Memory

22.1.2. Disks

22.1.3. Network Topology

22.1.4. Directory Layout Design

22.1.5. Expected Usage

22.2. Indexes

22.2.1. Understanding how a search works

22.2.2. What to index

22.2.3. Presence indexing

22.2.4. Equality indexing

22.2.5. Substring indexing

22.3. Logging

22.3.1. What log level to use

22.3.2. What to watch out for

22.3.3. Improving throughput

22.4. slapd(8) Threads

23. Troubleshooting

23.1. User or Software errors?

23.2. Checklist

23.3. OpenLDAP Bugs

23.4. 3rd party software error

23.5. How to contact the OpenLDAP Project

23.6. How to present your problem

23.7. Debugging slapd(8)

23.8. Commercial Support

A. Changes Since Previous Release

A.1. New Features and Enhancements in 2.6

A.1.1. New features in slapd

A.1.2. New features in lloadd

A.2. Obsolete Features Removed From 2.6

A.2.1. back-ndb

B. Upgrading from 2.5.x

C. Common errors encountered when using OpenLDAP Software

C.1. Common causes of LDAP errors

C.1.1. ldap_*: Can't contact LDAP server

C.1.2. ldap_*: No such object

C.1.3. ldap_*: Can't chase referral

C.1.4. ldap_*: server is unwilling to perform

C.1.5. ldap_*: Insufficient access

C.1.6. ldap_*: Invalid DN syntax

C.1.7. ldap_*: Referral hop limit exceeded

C.1.8. ldap_*: operations error

C.1.9. ldap_*: other error

C.1.10. ldap_add/modify: Invalid syntax

C.1.11. ldap_add/modify: Object class violation

C.1.12. ldap_add: No such object

C.1.13. ldap add: invalid structural object class chain

C.1.14. ldap_add: no structuralObjectClass operational attribute

C.1.15. ldap_add/modify/rename: Naming violation

C.1.16. ldap_add/delete/modify/rename: no global superior knowledge

C.1.17. ldap_bind: Insufficient access

C.1.18. ldap_bind: Invalid credentials

C.1.19. ldap_bind: Protocol error

C.1.20. ldap_modify: cannot modify object class

C.1.21. ldap_sasl_interactive_bind_s: ...

C.1.22. ldap_sasl_interactive_bind_s: No such Object

C.1.23. ldap_sasl_interactive_bind_s: No such attribute

C.1.24. ldap_sasl_interactive_bind_s: Unknown authentication method

C.1.25. ldap_sasl_interactive_bind_s: Local error (82)

C.1.26. ldap_search: Partial results and referral received

C.1.27. ldap_start_tls: Operations error

C.2. Other Errors

C.2.1. ber_get_next on fd X failed errno=34 (Numerical result out of range)

C.2.2. ber_get_next on fd X failed errno=11 (Resource temporarily unavailable)

C.2.3. daemon: socket() failed errno=97 (Address family not supported)

C.2.4. GSSAPI: gss_acquire_cred: Miscellaneous failure; Permission denied;

C.2.5. access from unknown denied

C.2.6. ldap_read: want=# error=Resource temporarily unavailable

C.2.7. `make test' fails

C.2.8. ldap_*: Internal (implementation specific) error (80) - additional info: entry index delete failed

C.2.9. ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

D. Recommended OpenLDAP Software Dependency Versions

D.1. Dependency Versions

E. Real World OpenLDAP Deployments and Examples

F. OpenLDAP Software Contributions

F.3.1. Statistic Logging

F.4. SLAPI Plugins

F.4.1. addrdnvalues

G. Configuration File Examples

H.1. Non-Error Result Codes

H.2. Result Codes

H.3. success (0)

H.4. operationsError (1)

H.5. protocolError (2)

H.6. timeLimitExceeded (3)

H.7. sizeLimitExceeded (4)

H.8. compareFalse (5)

H.9. compareTrue (6)

H.10. authMethodNotSupported (7)

H.11. strongerAuthRequired (8)

H.12. referral (10)

H.13. adminLimitExceeded (11)

H.14. unavailableCriticalExtension (12)

H.15. confidentialityRequired (13)

H.16. saslBindInProgress (14)

H.17. noSuchAttribute (16)

H.18. undefinedAttributeType (17)

H.19. inappropriateMatching (18)

H.20. constraintViolation (19)

H.21. attributeOrValueExists (20)

H.22. invalidAttributeSyntax (21)

H.23. noSuchObject (32)

H.24. aliasProblem (33)

H.25. invalidDNSyntax (34)

H.26. aliasDereferencingProblem (36)

H.27. inappropriateAuthentication (48)

H.28. invalidCredentials (49)

H.29. insufficientAccessRights (50)

H.30. busy (51)

H.31. unavailable (52)

H.32. unwillingToPerform (53)

H.33. loopDetect (54)

H.34. namingViolation (64)

H.35. objectClassViolation (65)

H.36. notAllowedOnNonLeaf (66)

H.37. notAllowedOnRDN (67)

H.38. entryAlreadyExists (68)

H.39. objectClassModsProhibited (69)

H.40. affectsMultipleDSAs (71)

H.41. other (80)

I. Glossary

I.1. Terms

I.2. Related Organizations

I.3. Related Products

I.4. References

J. Generic configure Instructions

K. OpenLDAP Software Copyright Notices

K.1. OpenLDAP Copyright Notice

K.2. Additional Copyright Notices

K.3. University of Michigan Copyright Notice

L. OpenLDAP Public License

OpenLDAP Software 2.6 Administrator's Guide

Table of Contents