openldap - LCFG OpenLDAP Component
openldap METHOD [ARGS]
An LCFG component that is used to configure and manage the OpenLDAP service on clients and servers.
The non-standard component methods are described below.
On a client, builds the client configuration. On a slave, builds the server configuration and synchronizes its database with the database on the master server if that has not already been done. On a master, builds the server configuration and creates the master database if it does not already exist. With the -f option on a slave or master, the existing configuration and database are forcibly destroyed and re-created from scratch. Starts the slapd server on the master and slaves.
Cleans out database transaction log files.
Force a slave server to synchronize its database with the master server. With no argument only new and modified entries are synchronized; entries that have been deleted from the master server database are not deleted from the slave server database. With the hard argument deleted entries are also synchronized. Note that synchronizing deleted entries takes longer and increases the load on the master. With the start argument synchronization is done from the epoch rather than from whenever it was last done. This can be useful when something will not synchronize because the replication tool believes the database is already consistent for some reason. This method also accepts the generic -v option, which reports progress on synchronization verbosely. Normally this method is called automatically at a regular frequency via the cron component.
For this method to work a supported replication tool must be specified in the tool_replicate resource.
On a server (master or slave) backs up the current LDAP database as an LDIF file. The directory the backups are saved to is specified in the backup resource. The backup files should be kept at the same level of security as the original live data. The backups can be safely taken while the service is live. This method is normally invoked automatically at a regular time interval via the cron component.
On a server (master or slave) loads the current LDAP database from dump files produced via the save method. Takes one optional argument which is a timestamp. With no argument the load is done from the most recent dump file in the directory specified in the backup resource. The timestamp argument has the syntax [CC[YY[MM[DD[HH[MM]]]]]]]. For example, 200202 would load from the most recent dump file from Feb 2002, or 2002021211 would load from the most recent dump file for Feb 12 2002 during the 1100 hours period. Invoking this method destroys the existing database and recreates it from the saved data.
The non-standard component resources are described below.
The following resources control the configuration of clients.
These items configure the client's default LDAP server. The default is not universally honoured; in particular, only those tools built on the OpenLDAP C libraries pay attention to this section of the configuration.
The address of the LDAP server the machine should query.
The base DN for searches on that server.
The LDAP version to use for queries.
The DN to bind to the server as (uses an anonymous bind if this is omitted).
The password to use if the bind is not anonymous, and requires a password.
Set to soft to prevent nss_ldap from retrying failed LDAP queries as this can cause it to hang for a long time if no server is present.
This option directs the nss_ldap implementation of initgroups(3) to return NSS_STATUS_NOTFOUND if called with any of the listed users as its argument. The users are specified in a comma-separated list.
The number of times nss_ldap will try to reconnect.
The maximum number of times nss_ldap will attempt to make a new connection before it begins to back-off with sleeps between each attempt.
The total number of connection attempts that would be made is reconnect_tries plus reconnect_maxconntries.
This is the time that nss_ldap will sleep before retrying a connection. If the connection attempt fails repeatedly, the sleep time is doubled at each attempt up to the value specified in nss_reconnect_maxsleeptime.
The maximum time nss_ldap will sleep between connection attempts.
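The interaction of the bind policy and the four reconnect resources above decides how long a name-service lookup can block when no LDAP server answers, which is the hang the soft setting is meant to avoid. The following is an added example, not code from the LCFG component or from nss_ldap: it models the behaviour exactly as this page describes it (the first reconnect_maxconntries attempts back to back, then reconnect_tries attempts each preceded by a sleep that starts at the sleep time and doubles up to the maximum) and uses constructed numbers rather than the component's defaults. The per-attempt connect timeout is ignored.

```python
# Model of the documented nss_ldap reconnect behaviour (added example, not
# nss_ldap's own code). Values passed in are constructed, not the defaults.

def reconnect_schedule(reconnect_tries, reconnect_maxconntries, sleeptime, maxsleeptime):
    """Return the sleep (in seconds) taken before each connection attempt, in order.

    The first reconnect_maxconntries attempts are immediate; the remaining
    reconnect_tries attempts back off, doubling from sleeptime up to maxsleeptime.
    The list length is therefore reconnect_tries + reconnect_maxconntries.
    """
    if min(reconnect_tries, reconnect_maxconntries, sleeptime) < 0 or maxsleeptime < sleeptime:
        raise ValueError("invalid reconnect settings")
    sleeps = [0] * reconnect_maxconntries
    delay = sleeptime
    for _ in range(reconnect_tries):
        sleeps.append(delay)
        delay = min(delay * 2, maxsleeptime)
    return sleeps


def worst_case_hang(reconnect_tries, reconnect_maxconntries, sleeptime, maxsleeptime):
    """Total seconds spent sleeping when every attempt fails."""
    return sum(reconnect_schedule(reconnect_tries, reconnect_maxconntries,
                                  sleeptime, maxsleeptime))


def lookup_delay(bind_policy, reconnect_tries, reconnect_maxconntries, sleeptime, maxsleeptime):
    """Worst-case blocking time for one lookup: zero with bind_policy 'soft'
    (no retries at all), the full back-off schedule otherwise."""
    if bind_policy == "soft":
        return 0
    return worst_case_hang(reconnect_tries, reconnect_maxconntries, sleeptime, maxsleeptime)


if __name__ == "__main__":
    # constructed settings: 5 back-off tries, 2 immediate tries, 4s doubling to 64s
    print(reconnect_schedule(5, 2, 4, 64))
    print("hard policy blocks up to", lookup_delay("hard", 5, 2, 4, 64), "s")
    print("soft policy blocks up to", lookup_delay("soft", 5, 2, 4, 64), "s")
```

Running the schedule for a candidate set of resource values before deploying them shows directly how long a login or group lookup on a client may stall while the server is unreachable.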
Space-separated list of attributes for which replacement attributes will be specified.
Replacement attribute, to be used by nss_ldap, for the attribute specified by tag.
The following resources control the configuration of servers.
Type selects which mode the LDAP server is running in:
LDAP server is domain master. A minimal initial dataset is loaded. No other data is loaded.
LDAP server is a slave. The database will be initially synchronized with the master if a supported replication tool is defined in the tool_replicate resource.
No LDAP server is run.
Directory where a server's database backup files are stored.
Maximum number (N) of snapshot save files to retain; the most recent N-1 of these are always kept and any files beyond that are always removed.
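The save, load and retention behaviour described above reduces to two pieces of logic over the dump files in the backup directory: choosing the most recent dump whose timestamp matches the load method's [CC[YY[MM[DD[HH[MM]]]]]] prefix, and deciding which old snapshots to drop. The following is an added example, not the component's own code; it assumes that each dump-file name carries a CCYYMMDDHHMM stamp (the real naming scheme is not given on this page) and uses constructed file names.

```python
import re

# Constructed example dump-file names. A 12-digit CCYYMMDDHHMM stamp in the
# name is an assumption for this example; the component's real naming scheme
# is not documented on this page.
SAMPLE_DUMPS = [
    "ldap-200201311200.ldif",
    "ldap-200202121105.ldif",
    "ldap-200202121130.ldif",
    "ldap-200203010000.ldif",
]

_STAMP = re.compile(r"(\d{12})")


def dump_stamp(name):
    """Return the CCYYMMDDHHMM stamp embedded in a dump-file name."""
    m = _STAMP.search(name)
    if not m:
        raise ValueError("no timestamp in dump file name: %s" % name)
    return m.group(1)


def check_prefix(prefix):
    """Validate the load argument: digits only, an even number of them, at
    most 12 (CC, CCYY, CCYYMM, ... CCYYMMDDHHMM); empty means 'most recent'."""
    if prefix and not prefix.isdigit():
        raise ValueError("timestamp must contain digits only")
    if len(prefix) % 2 or len(prefix) > 12:
        raise ValueError("timestamp must be a CC, CCYY, ... CCYYMMDDHHMM prefix")
    return prefix


def select_dump(names, prefix=""):
    """Most recent dump whose stamp starts with prefix, or None if none match.

    With prefix '200202' this picks the newest dump from Feb 2002; with
    '2002021211' the newest from the 1100 hours period of Feb 12 2002.
    """
    check_prefix(prefix)
    matching = [n for n in names if dump_stamp(n).startswith(prefix)]
    if not matching:
        return None
    return max(matching, key=dump_stamp)


def prune_dumps(names, max_files):
    """Apply the retention rule: keep the most recent max_files-1 dumps.
    Returns (kept, removed), each ordered oldest first."""
    ordered = sorted(names, key=dump_stamp)
    keep = max(max_files - 1, 0)
    if keep == 0:
        return [], ordered
    return ordered[-keep:], ordered[:-keep]


if __name__ == "__main__":
    print("load would use:", select_dump(SAMPLE_DUMPS, "200202"))
    kept, removed = prune_dumps(SAMPLE_DUMPS, 3)
    print("kept:", kept)
    print("removed:", removed)
```

Because load destroys the live database before reloading, checking which file select_dump would choose for a given argument is worth doing before invoking the method on a production server.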
The level at which logging should be performed. The slapd.conf(5) manpage provides details of what information is provided at each level.
List of schemas to include in the slapd configuration. If the schemafile_TAG resource is present this contains the name of the file to use, otherwise it defaults to /etc/openldap/schema/TAG.schema.
Filename of schema file to use for TAG.
The host to which LDAP update requests received by a slave server are referred; the referred client then makes the actual update using the DN in the dbrootdn resource. Should be empty on the master server.
Set to a non-null value to allow LDAP v2 binds.
List of saslRegexp rule tags.
The matching pattern for the saslRegexp rule.
The replace pattern for the saslRegexp rule.
List of access rule tags.
The to part of this access rule.
List of tags, one for each by part of this access rule.
The by part of this access rule.
Naming suffix of the database that the LDAP server stores. Will generally be the same as searchbase.
RootDN of the database. On a slave, this should be the DN used by the replication agent which copies content into the database, on the master it should be the DN which has 'super user' access to the database, or a non-existent DN to disable this form of access.
List of attributes which should be indexed. Note that changing this list will trigger a database shut down and index rebuild. Depending on the size of the database and the indices involved this may take a long time.
List of the indices to maintain for attribute TAG. See the slapd.conf(5) manpage for more details.
See the slapd.conf(5) manpage for details.
The default realm for all SASL operations against the server.
See the slapd.conf(5) manpage for details.
See the slapd-bdb(5) manpage for details.
List of directive tags for configuring DB_CONFIG. See the BDB documentation for more details on DB_CONFIG directives.
A DB_CONFIG directive and value.
Hostname of the server a slave synchronizes with. This does not have to be the master server, it could be another slave for example.
List of servers that replication will try to source from in turn. If not defined, falls back to sourcing from the server specified in the master resource.
Length of time in seconds for a replication to take before timing out, defaults to 300.
Length of time in seconds for a full replication to take before timing out, defaults to 600.
The following resources control the configuration of a server using back-ldap and the proxycache overlay.
Set to any non-empty value (normally true or yes) to enable the proxy-cache configuration.
The proxycache values; see slapo-pcache for more details. The default is "bdb 5000 AUTO 500 300", where AUTO stands for numattrsets and is calculated automatically from the attribute set resources defined below. There should be five values, specifying the database backend, the maximum number of entries, the number of attribute sets, the entry limit and the consistency check period.
The maximum number of cached queries, defaulting to 10000; see slapo-pcache for further details.
List of attribute set tags with each defined below.
The index number of this attribute set, should be an ascending number starting from zero for the first set.
A space separated list of the attributes associated with this set.
List of cache filter template tags with each defined below.
Comment about this cache filter template, added into the configuration file for information only.
The filter definition for the template.
The index number of the attribute set to use for the template.
The TTL (in seconds) for objects cached under the template.
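The proxy-cache resources above map onto one stanza of slapd.conf, with the AUTO placeholder replaced by the number of attribute sets and each template referring to a set by index. The following is an added example, not the component's own code: it renders that stanza from the resource values and enforces the two constraints the text states (exactly five proxycache values; attribute set indices ascending from zero, so every template refers to a defined set). The directive names proxyattrset, proxytemplate and proxycachequeries are the older slapo-pcache spelling, and the dict layout for the attribute sets and templates is an assumption made for this example, as are the sample values.

```python
# Added example: render the slapo-pcache stanza from the resource values.
# The per-set and per-template dict layout is assumed for this example;
# the LCFG component stores these as TAG-suffixed resources.

PROXYCACHE_DEFAULT = "bdb 5000 AUTO 500 300"
MAXQUERIES_DEFAULT = 10000


def render_pcache(proxycache=PROXYCACHE_DEFAULT, maxqueries=MAXQUERIES_DEFAULT,
                  attrsets=(), templates=()):
    """Return the slapd.conf lines for the proxy-cache overlay."""
    values = proxycache.split()
    if len(values) != 5:
        raise ValueError("proxycache needs 5 values: backend, max entries, "
                         "numattrsets, entry limit, cc period")
    # the attribute set index must be 0, 1, 2, ... in definition order
    indices = [s["index"] for s in attrsets]
    if indices != list(range(len(attrsets))):
        raise ValueError("attribute set indices must ascend from zero: %r" % indices)
    # AUTO becomes the number of attribute sets actually defined
    values = [str(len(attrsets)) if v == "AUTO" else v for v in values]
    lines = ["overlay pcache",
             "proxycache " + " ".join(values),
             "proxycachequeries %d" % maxqueries]
    for s in attrsets:
        lines.append("proxyattrset %d %s" % (s["index"], s["attrs"]))
    for t in templates:
        if t["attrset"] not in indices:
            raise ValueError("template %r refers to undefined attribute set %d"
                             % (t["comment"], t["attrset"]))
        lines.append("# " + t["comment"])   # the informational comment resource
        lines.append("proxytemplate %s %d %d" % (t["filter"], t["attrset"], t["ttl"]))
    return lines


# Constructed sample resource values
SAMPLE_ATTRSETS = [
    {"index": 0, "attrs": "uid cn uidNumber gidNumber"},
    {"index": 1, "attrs": "mail"},
]
SAMPLE_TEMPLATES = [
    {"comment": "posix account by uid",
     "filter": "(&(objectClass=posixAccount)(uid=))", "attrset": 0, "ttl": 3600},
    {"comment": "mail lookup", "filter": "(mail=)", "attrset": 1, "ttl": 600},
]

if __name__ == "__main__":
    print("\n".join(render_pcache(attrsets=SAMPLE_ATTRSETS, templates=SAMPLE_TEMPLATES)))
```

A template pointing at an index that was never defined, or sets numbered out of order, is rejected before anything is written, which is the failure a misnumbered set of resources would otherwise only surface when slapd refuses to start.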
Platforms: Fedora3, Fedora5, Fedora6
See also: ldapreplicate, slapd, slurpd, slapadd, slapcat, slapindex
Author: DICE Infrastructure Unit <inf-unit@inf.ed.ac.uk>