OpenLDAP Software 2.4 Administrator's Guide

Preface

1. Introduction to OpenLDAP Directory Services

1.1. What is a directory service?

1.2. What is LDAP?

1.3. When should I use LDAP?

1.4. When should I not use LDAP?

1.5. How does LDAP work?

1.6. What about X.500?

1.7. What is the difference between LDAPv2 and LDAPv3?

1.8. LDAP vs RDBMS

1.9. What is slapd and what can it do?

2. A Quick-Start Guide

3. The Big Picture - Configuration Choices

3.1. Local Directory Service

3.2. Local Directory Service with Referrals

3.3. Replicated Directory Service

3.4. Distributed Local Directory Service

4. Building and Installing OpenLDAP Software

4.1. Obtaining and Extracting the Software

4.2. Prerequisite software

4.2.1. Transport Layer Security

4.2.2. Simple Authentication and Security Layer

4.2.3. Kerberos Authentication Service

4.2.4. Database Software

4.2.5. Threads

4.2.6. TCP Wrappers

4.3. Running configure

4.4. Building the Software

4.5. Testing the Software

4.6. Installing the Software

5. Configuring slapd

5.1. Configuration Layout

5.2. Configuration Directives

5.2.1. cn=config

5.2.2. cn=module

5.2.3. cn=schema

5.2.4. Backend-specific Directives

5.2.5. Database-specific Directives

5.2.6. BDB and HDB Database Directives

5.3. Configuration Example

5.4. Converting old style slapd.conf(5) file to cn=config format

6. The slapd Configuration File

6.1. Configuration File Format

6.2. Configuration File Directives

6.2.1. Global Directives

6.2.2. General Backend Directives

6.2.3. General Database Directives

6.2.4. BDB and HDB Database Directives

6.3. Configuration File Example

7. Running slapd

7.1. Command-Line Options

8.2. Access Control via Static Configuration

8.2.1. What to control access to

8.2.2. Who to grant access to

8.2.3. The access to grant

8.2.4. Access Control Evaluation

8.2.5. Access Control Examples

8.3. Access Control via Dynamic Configuration

8.3.1. What to control access to

8.3.2. Who to grant access to

8.3.3. The access to grant

8.3.4. Access Control Evaluation

8.3.5. Access Control Examples

8.3.6. Access Control Ordering

8.4. Access Control Common Examples

8.4.1. Basic ACLs

8.4.2. Matching Anonymous and Authenticated users

8.4.3. Controlling rootdn access

8.4.4. Managing access with Groups

8.4.5. Granting access to a subset of attributes

8.4.6. Allowing a user write to all entries below theirs

8.4.7. Allowing entry creation

8.4.8. Tips for using regular expressions in Access Control

8.4.9. Granting and Denying access based on security strength factors (ssf)

8.4.10. When things aren't working as expected

8.5. Sets - Granting rights based on relationships

8.5.1. Groups of Groups

8.5.2. Group ACLs without DN syntax

8.5.3. Following references

9. Limits

9.1. Introduction

9.2. Soft and Hard limits

9.3. Global Limits

9.4. Per-Database Limits

9.4.1. Specify who the limits apply to

9.4.2. Specify time limits

9.4.3. Specifying size limits

9.4.4. Size limits and Paged Results

9.5. Example Limit Configurations

9.5.1. Simple Global Limits

9.5.2. Global Hard and Soft Limits

9.5.3. Giving specific users larger limits

9.5.4. Limiting who can do paged searches

9.6. Further Information

10. Database Creation and Maintenance Tools

10.1. Creating a database over LDAP

10.2. Creating a database off-line

10.2.1. The slapadd program

10.2.2. The slapindex program

10.2.3. The slapcat program

10.3. The LDIF text entry format

11. Backends

11.1. Berkeley DB Backends

11.1.1. Overview

11.1.2. back-bdb/back-hdb Configuration

11.1.3. Further Information

11.2. LDAP

11.2.1. Overview

11.2.2. back-ldap Configuration

11.2.3. Further Information

11.3. LDIF

11.3.1. Overview

11.3.2. back-ldif Configuration

11.3.3. Further Information

11.4. LMDB

11.4.1. Overview

11.4.2. back-mdb Configuration

11.4.3. Further Information

11.5. Metadirectory

11.5.1. Overview

11.5.2. back-meta Configuration

11.5.3. Further Information

11.6. Monitor

11.6.1. Overview

11.6.2. back-monitor Configuration

11.6.3. Further Information

11.7. Null

11.7.1. Overview

11.7.2. back-null Configuration

11.7.3. Further Information

11.8. Passwd

11.8.1. Overview

11.8.2. back-passwd Configuration

11.8.3. Further Information

11.9. Perl/Shell

11.9.1. Overview

11.9.2. back-perl/back-shell Configuration

11.9.3. Further Information

11.10. Relay

11.10.1. Overview

11.10.2. back-relay Configuration

11.10.3. Further Information

11.11. SQL

11.11.1. Overview

11.11.2. back-sql Configuration

11.11.3. Further Information

12. Overlays

12.1. Access Logging

12.1.1. Overview

12.1.2. Access Logging Configuration

12.1.3. Further Information

12.2. Audit Logging

12.2.1. Overview

12.2.2. Audit Logging Configuration

12.2.3. Further Information

12.3. Chaining

12.3.1. Overview

12.3.2. Chaining Configuration

12.3.3. Handling Chaining Errors

12.3.4. Read-Back of Chained Modifications

12.3.5. Further Information

12.4. Constraints

12.4.1. Overview

12.4.2. Constraint Configuration

12.4.3. Further Information

12.5. Dynamic Directory Services

12.5.1. Overview

12.5.2. Dynamic Directory Service Configuration

12.5.3. Further Information

12.6. Dynamic Groups

12.6.1. Overview

12.6.2. Dynamic Group Configuration

12.7. Dynamic Lists

12.7.1. Overview

12.7.2. Dynamic List Configuration

12.7.3. Further Information

12.8. Reverse Group Membership Maintenance

12.8.1. Overview

12.8.2. Member Of Configuration

12.8.3. Further Information

12.9. The Proxy Cache Engine

12.9.1. Overview

12.9.2. Proxy Cache Configuration

12.9.3. Further Information

12.10. Password Policies

12.10.1. Overview

12.10.2. Password Policy Configuration

12.10.3. Further Information

12.11. Referential Integrity

12.11.1. Overview

12.11.2. Referential Integrity Configuration

12.11.3. Further Information

12.12. Return Code

12.12.1. Overview

12.12.2. Return Code Configuration

12.12.3. Further Information

12.13. Rewrite/Remap

12.13.1. Overview

12.13.2. Rewrite/Remap Configuration

12.13.3. Further Information

12.14. Sync Provider

12.14.1. Overview

12.14.2. Sync Provider Configuration

12.14.3. Further Information

12.15. Translucent Proxy

12.15.1. Overview

12.15.2. Translucent Proxy Configuration

12.15.3. Further Information

12.16. Attribute Uniqueness

12.16.1. Overview

12.16.2. Attribute Uniqueness Configuration

12.16.3. Further Information

12.17. Value Sorting

12.17.1. Overview

12.17.2. Value Sorting Configuration

12.17.3. Further Information

12.18. Overlay Stacking

12.18.1. Overview

12.18.2. Example Scenarios

13. Schema Specification

13.1. Distributed Schema Files

13.2. Extending Schema

13.2.1. Object Identifiers

13.2.2. Naming Elements

13.2.3. Local schema file

13.2.4. Attribute Type Specification

13.2.5. Object Class Specification

13.2.6. OID Macros

14. Security Considerations

14.1. Network Security

14.1.1. Selective Listening

14.1.2. IP Firewall

14.1.3. TCP Wrappers

14.2. Data Integrity and Confidentiality Protection

14.2.1. Security Strength Factors

14.3. Authentication Methods

14.3.1. "simple" method

14.3.2. SASL method

14.4. Password Storage

14.4.1. SSHA password storage scheme

14.4.2. CRYPT password storage scheme

14.4.3. MD5 password storage scheme

14.4.4. SMD5 password storage scheme

14.4.5. SHA password storage scheme

14.4.6. SASL password storage scheme

14.5. Pass-Through authentication

14.5.1. Configuring slapd to use an authentication provider

14.5.2. Configuring saslauthd

14.5.3. Testing pass-through authentication

15. Using SASL

15.1. SASL Security Considerations

15.2. SASL Authentication

15.2.5. Mapping Authentication Identities

15.2.6. Direct Mapping

15.2.7. Search-based mappings

15.3. SASL Proxy Authorization

15.3.1. Uses of Proxy Authorization

15.3.2. SASL Authorization Identities

15.3.3. Proxy Authorization Rules

16. Using TLS

16.1. TLS Certificates

16.1.1. Server Certificates

16.1.2. Client Certificates

16.2. TLS Configuration

16.2.1. Server Configuration

16.2.2. Client Configuration

17. Constructing a Distributed Directory Service

17.1. Subordinate Knowledge Information

17.2. Superior Knowledge Information

17.3. The ManageDsaIT Control

18. Replication

18.1. Replication Technology

18.1.1. LDAP Sync Replication

18.2. Deployment Alternatives

18.2.1. Delta-syncrepl replication

18.2.2. N-Way Multi-Provider Replication

18.2.3. MirrorMode replication

18.2.4. Syncrepl Proxy Mode

18.3. Configuring the different replication types

18.3.1. Syncrepl

18.3.2. Delta-syncrepl

18.3.3. N-Way Multi-Provider

18.3.4. MirrorMode

18.3.5. Syncrepl Proxy

19. Maintenance

19.1. Directory Backups

19.2. Berkeley DB Logs

19.3. Checkpointing

19.4. Migration

20. Monitoring

20.1. Monitor configuration via cn=config(5)

20.2. Monitor configuration via slapd.conf(5)

20.3. Accessing Monitoring Information

20.4. Monitor Information

21.1. Performance Factors

21.1.1. Memory

21.1.2. Disks

21.1.3. Network Topology

21.1.4. Directory Layout Design

21.1.5. Expected Usage

21.2. Indexes

21.2.1. Understanding how a search works

21.2.2. What to index

21.2.3. Presence indexing

21.3. Logging

21.3.1. What log level to use

21.3.2. What to watch out for

21.3.3. Improving throughput

21.4. Caching

21.4.1. Berkeley DB Cache

21.4.2. slapd(8) Entry Cache (cachesize)

21.4.3. IDL Cache (idlcachesize)

21.5. slapd(8) Threads

22. Troubleshooting

22.1. User or Software errors?

22.2. Checklist

22.3. OpenLDAP Bugs

22.4. 3rd party software error

22.5. How to contact the OpenLDAP Project

22.6. How to present your problem

22.7. Debugging slapd(8)

22.8. Commercial Support

A. Changes Since Previous Release

A.1. New Guide Sections

A.2. New Features and Enhancements in 2.4

A.2.1. Better cn=config functionality

A.2.2. Better cn=schema functionality

A.2.3. More sophisticated Syncrepl configurations

A.2.4. N-Way Multiprovider Replication

A.2.5. Replicating slapd Configuration (syncrepl and cn=config)

A.2.6. Push-Mode Replication

A.2.7. More extensive TLS configuration control

A.2.8. Performance enhancements

A.2.9. New overlays

A.2.10. New features in existing Overlays

A.2.11. New features in slapd

A.2.12. New features in libldap

A.2.13. New clients, tools and tool enhancements

A.2.14. New build options

A.3. Obsolete Features Removed From 2.4

A.3.1. Slurpd

A.3.2. back-ldbm

B. Upgrading from 2.3.x

B.1. cn=config olc* attributes

B.2. ACLs: searches require privileges on the search base

C. Common errors encountered when using OpenLDAP Software

C.1. Common causes of LDAP errors

C.1.1. ldap_*: Can't contact LDAP server

C.1.2. ldap_*: No such object

C.1.3. ldap_*: Can't chase referral

C.1.4. ldap_*: server is unwilling to perform

C.1.5. ldap_*: Insufficient access

C.1.6. ldap_*: Invalid DN syntax

C.1.7. ldap_*: Referral hop limit exceeded

C.1.8. ldap_*: operations error

C.1.9. ldap_*: other error

C.1.10. ldap_add/modify: Invalid syntax

C.1.11. ldap_add/modify: Object class violation

C.1.12. ldap_add: No such object

C.1.13. ldap add: invalid structural object class chain

C.1.14. ldap_add: no structuralObjectClass operational attribute

C.1.15. ldap_add/modify/rename: Naming violation

C.1.16. ldap_add/delete/modify/rename: no global superior knowledge

C.1.17. ldap_bind: Insufficient access

C.1.18. ldap_bind: Invalid credentials

C.1.19. ldap_bind: Protocol error

C.1.20. ldap_modify: cannot modify object class

C.1.21. ldap_sasl_interactive_bind_s: ...

C.1.22. ldap_sasl_interactive_bind_s: No such Object

C.1.23. ldap_sasl_interactive_bind_s: No such attribute

C.1.24. ldap_sasl_interactive_bind_s: Unknown authentication method

C.1.25. ldap_sasl_interactive_bind_s: Local error (82)

C.1.26. ldap_search: Partial results and referral received

C.1.27. ldap_start_tls: Operations error

C.2. Other Errors

C.2.1. ber_get_next on fd X failed errno=34 (Numerical result out of range)

C.2.2. ber_get_next on fd X failed errno=11 (Resource temporarily unavailable)

C.2.3. daemon: socket() failed errno=97 (Address family not supported)

C.2.4. GSSAPI: gss_acquire_cred: Miscellaneous failure; Permission denied;

C.2.5. access from unknown denied

C.2.6. ldap_read: want=# error=Resource temporarily unavailable

C.2.7. `make test' fails

C.2.8. ldap_*: Internal (implementation specific) error (80) - additional info: entry index delete failed

C.2.9. ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

D. Recommended OpenLDAP Software Dependency Versions

D.1. Dependency Versions

E. Real World OpenLDAP Deployments and Examples

F. OpenLDAP Software Contributions

F.3.1. Statistic Logging

F.4. SLAPI Plugins

F.4.1. addrdnvalues

G. Configuration File Examples

H.1. Non-Error Result Codes

H.2. Result Codes

H.3. success (0)

H.4. operationsError (1)

H.5. protocolError (2)

H.6. timeLimitExceeded (3)

H.7. sizeLimitExceeded (4)

H.8. compareFalse (5)

H.9. compareTrue (6)

H.10. authMethodNotSupported (7)

H.11. strongerAuthRequired (8)

H.12. referral (10)

H.13. adminLimitExceeded (11)

H.14. unavailableCriticalExtension (12)

H.15. confidentialityRequired (13)

H.16. saslBindInProgress (14)

H.17. noSuchAttribute (16)

H.18. undefinedAttributeType (17)

H.19. inappropriateMatching (18)

H.20. constraintViolation (19)

H.21. attributeOrValueExists (20)

H.22. invalidAttributeSyntax (21)

H.23. noSuchObject (32)

H.24. aliasProblem (33)

H.25. invalidDNSyntax (34)

H.26. aliasDereferencingProblem (36)

H.27. inappropriateAuthentication (48)

H.28. invalidCredentials (49)

H.29. insufficientAccessRights (50)

H.30. busy (51)

H.31. unavailable (52)

H.32. unwillingToPerform (53)

H.33. loopDetect (54)

H.34. namingViolation (64)

H.35. objectClassViolation (65)

H.36. notAllowedOnNonLeaf (66)

H.37. notAllowedOnRDN (67)

H.38. entryAlreadyExists (68)

H.39. objectClassModsProhibited (69)

H.40. affectsMultipleDSAs (71)

H.41. other (80)

I. Glossary

I.1. Terms

I.2. Related Organizations

I.3. Related Products

I.4. References

J. Generic configure Instructions

K. OpenLDAP Software Copyright Notices

K.1. OpenLDAP Copyright Notice

K.2. Additional Copyright Notices

K.3. University of Michigan Copyright Notice

L. OpenLDAP Public License

OpenLDAP Software 2.4 Administrator's Guide

Table of Contents