openldap - LCFG OpenLDAP Component
openldap METHOD [ARGS]
An LCFG component that is used to configure and manage the OpenLDAP service on clients and servers.
To support the different types of operation in which OpenLDAP can be configured (e.g. client, master, slave updated with slaprepl, slave updated with syncrepl, etc.), the openldap component uses the concept of "states". These are utilised mainly so that the correct behaviour is followed when moving from one state to another, e.g. when moving to a state that maintains a database, the database directory should first be emptied.
The following states are defined:
Master server. Indicated by the type=master resource.
Client operation only - i.e. no slapd is run. Indicated by the type=client resource.
Slave server updated by slaprepl or similar tool (defined by the tool_replicate resource). Indicated by type=slave; proxy=false; synccons=false resources. This is the legacy default for a slave server.
Slave server updated by syncrepl. Indicated by type=slave; proxy=false; synccons=true resources. See "SYNCREPL CONFIGURATION" for more details.
Proxy-caching server. Indicated by type=slave; proxy=true; cache=non-empty resources. See "PROXY SERVER CONFIGURATION" for more details.
Proxy-caching server with no local caching. Indicated by type=slave; proxy=true; cache=empty resources. See "PROXY SERVER CONFIGURATION" for more details.
Note that the states slave-slaprepl, slave-synccons, proxycache and proxynocache are all considered to be "slave" states.
The non-standard component methods are described below.
On a client, builds the client configuration. On a slave, builds the server configuration and synchronizes its database with the database on the master server if this has not already been done. On a master, builds the server configuration and creates the master database if it does not already exist. With the -f option, on a slave or master this method forcibly destroys the existing configuration and database and re-creates them from scratch. Starts the slapd server on the master and slaves.
Cleans out database transaction log files.
Used by a slave server updated via slaprepl (or the alternative replication method defined by the tool_replicate resource). Forces a slave server to synchronize its database with the master server. With no argument, only new and modified entries are synchronized; entries that have been deleted from the master server database are not deleted from the slave server database. With the hard argument, deleted entries are also synchronized. Note that synchronizing deleted entries takes longer and increases the load on the master. With the start argument, synchronization is done from the epoch rather than from when it was last done. This can be useful if something will not synchronize because the replication tool believes, for whatever reason, that the database is already consistent. This method also accepts the generic -v option, which reports progress on synchronization verbosely. Normally this method is called automatically at a regular frequency via the cron component.
For this method to work a supported replication tool must be specified in the tool_replicate resource.
On a server (master or slave) backs up the current LDAP database as an LDIF file. The directory the backups are saved to is specified in the backup resource. The backup files should be kept at the same level of security as the original live data. The backups can be safely taken while the service is live. This method is normally invoked automatically at a regular time interval via the cron component.
On a server (master or slave) loads the current LDAP database from dump files produced via the save method. Takes one optional argument, a timestamp. With no argument the load is done from the most recent dump file in the directory specified in the backup resource. The timestamp argument has the syntax [CC[YY[MM[DD[HH[MM]]]]]]. For example, 200202 would load from the most recent dump file from Feb 2002, and 2002021211 would load from the most recent dump file for Feb 12 2002 during the 1100 hours period. Invoking this method destroys the existing database and recreates it from the saved data.
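As an added illustration of the timestamp-prefix selection described for the load method (this is not the component's own code), the following validates a [CC[YY[MM[DD[HH[MM]]]]]] prefix and picks the most recent matching dump from a constructed directory listing; the "openldap-CCYYMMDDHHMM.ldif" file naming is an assumption, as the page does not state the dump file names.

```python
import re
from typing import Optional

# Constructed sample of dump files as they might sit in the directory named
# by the backup resource; the "openldap-<CCYYMMDDHHMM>.ldif" naming is assumed.
SAMPLE_DUMPS = [
    "openldap-200201311800.ldif",
    "openldap-200202120300.ldif",
    "openldap-200202121115.ldif",
    "openldap-200202121145.ldif",
    "openldap-200203010200.ldif",
    "notes.txt",                      # unrelated file, must be ignored
]

DUMP_RE = re.compile(r"^openldap-(\d{12})\.ldif$")


def validate_timestamp(ts: str) -> str:
    """Accept only the [CC[YY[MM[DD[HH[MM]]]]]] syntax: an even number of
    digits, at most twelve, with each two-digit field in a sane range."""
    if not re.fullmatch(r"\d*", ts) or len(ts) % 2 or len(ts) > 12:
        raise ValueError(f"bad timestamp prefix: {ts!r}")
    limits = [(0, 99), (0, 99), (1, 12), (1, 31), (0, 23), (0, 59)]
    for i in range(0, len(ts), 2):
        lo, hi = limits[i // 2]
        if not lo <= int(ts[i:i + 2]) <= hi:
            raise ValueError(f"field {ts[i:i + 2]} out of range in {ts!r}")
    return ts


def select_dump(names, ts: str = "") -> Optional[str]:
    """Return the most recent dump whose CCYYMMDDHHMM stamp starts with ts,
    or None when nothing matches (the caller should then refuse to load
    rather than destroy the live database)."""
    prefix = validate_timestamp(ts)
    stamps = []
    for name in names:
        m = DUMP_RE.match(name)
        if m and m.group(1).startswith(prefix):
            stamps.append((m.group(1), name))
    return max(stamps)[1] if stamps else None
```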
The non-standard component resources are described below.
The following resources control the configuration of clients.
These items configure the client's default LDAP server. The default is not universally used, in particular only those tools built on the OpenLDAP C libraries will pay attention to this section of configuration.
The address of the LDAP server the machine should query. You can use the serveruri resource instead if you need to specify the protocol or port.
The URI of the LDAP server the machine should query. You can use the server resource instead if you do not need to specify the protocol or port.
The base DN for searches on that server.
The LDAP version to use for queries.
The DN to bind to the server as (uses an anonymous bind if this is omitted).
The password to use if the bind is not anonymous, and requires a password.
Set to soft to prevent nss_ldap from retrying failed LDAP queries as this can cause it to hang for a long time if no server is present.
Whether to use SSL when querying the server. The default is not to.
The CA certificate file containing the public certificate which is used to verify the identity of the server when using SSL.
This option directs the nss_ldap implementation of initgroups(3) to return NSS_STATUS_NOTFOUND if called with any of the listed users as its argument. The users are specified in a comma-separated list.
The number of times nss_ldap will try to reconnect.
The maximum number of times nss_ldap will attempt to make a new connection before it begins to back-off with sleeps between each attempt.
The total number of connection attempts that would be made is reconnect_tries plus reconnect_maxconntries.
This is the time that nss_ldap will sleep before retrying a connection. If the connection attempt fails multiple times then the sleeptime will be doubled at each attempt up to the value specified in nss_reconnect_maxsleeptime.
The maximum time nss_ldap will sleep between connection attempts.
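To make the reconnect resources above concrete, here is an added model (not nss_ldap's own code) of the attempt and back-off schedule they describe, which lets an administrator see how long a lookup can block when no server answers; the "soft" bind policy is modelled as a single attempt, per the description above. The function names and the exact shape of the schedule are assumptions that follow the resource descriptions rather than the nss_ldap source.

```python
def reconnect_schedule(tries: int, maxconntries: int, sleeptime: int,
                       maxsleeptime: int, bind_policy: str = "hard"):
    """Seconds slept before each connection attempt, modelled on the resource
    descriptions: the first maxconntries attempts are immediate, then each of
    the remaining tries attempts is preceded by a sleep that starts at
    sleeptime and doubles, capped at maxsleeptime."""
    if bind_policy == "soft":
        return [0]                      # no retries: one attempt, no sleeping
    sleeps = [0] * maxconntries
    delay = sleeptime
    for _ in range(tries):
        sleeps.append(min(delay, maxsleeptime))
        delay = min(delay * 2, maxsleeptime)
    return sleeps


def worst_case_hang(tries, maxconntries, sleeptime, maxsleeptime,
                    bind_policy="hard"):
    """(total attempts, total seconds blocked) for a lookup made while the
    server is unreachable; total attempts is tries + maxconntries."""
    s = reconnect_schedule(tries, maxconntries, sleeptime, maxsleeptime,
                           bind_policy)
    return len(s), sum(s)
```

Comparing worst_case_hang(5, 2, 4, 64) with the same values under bind_policy="soft" shows the difference between a two-minute stall and an immediate failure on a host whose LDAP server is down.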
Space-separated list of attributes for which replacement attributes will be specified.
Replacement attribute, to be used by nss_ldap, for the attribute specified by tag.
The following resources control the configuration of servers.
Type selects which mode the LDAP server is running in:
LDAP server is domain master. A minimal initial dataset is loaded. No other data is loaded.
LDAP server is a slave. For a slave updated using slaprepl or similar, the database will be initially synchronized with the master if a supported replication tool is defined in the tool_replicate resource. Other forms of slaves are also supported - proxy-cache slaves and syncrepl slaves - see the explanation for "states" above and the sections for proxy server and syncrepl configuration below.
No LDAP server is run.
If the debug resource is set slapd will run with core files enabled. slapd has to run as the root user to enable this. This changes the permissions on various files/directories, which will need to be fixed when returning to non-debug operation.
Directory for bdb database files. Default is /var/openldap-data.
Directory where database transaction logs will be stored. Defaults to same location as path_database. Note that, if different, this will also need to be configured via dbconfig resources to correctly write the DB_CONFIG file.
Directory where a server's database backup files are stored.
Maximum number N of snapshot save files to retain: the most recent N-1 files are always kept, and any files older than those are always removed.
The level at which logging should be performed. The slapd.conf(5) manpage provides details of what information is provided at each level. Note that, due to a historical anomaly, this resource should be set to "loglevel <level>" rather than to the bare level.
List of schemas to include in the slapd configuration. If the schemafile_TAG resource is present this contains the name of the file to use, otherwise it defaults to /etc/openldap/schema/TAG.schema.
Filename of schema file to use for TAG.
The host to which LDAP update requests received by a slave server are referred; the DN in the dbrootdn resource is used to make the actual update. Should be empty on the master server.
Set to a non-null value to allow LDAP v2 binds.
List of saslRegexp rule tags.
The matching pattern for the saslRegexp rule.
The replace pattern for the saslRegexp rule.
List of access rule tags.
The to part of this access rule.
List of tags, one for each by part of this access rule.
The by part of this access rule.
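As an added example (not the component's own code) of how the access, to and by resources above map onto slapd.conf, the following renders access directives from a constructed set of resource values and flags a configuration mistake that the resource layout makes easy: with slapd's default "stop" control, the first matching by clause within an access directive wins, so any by clause listed after a catch-all "by *" is dead. The dict layout and the sample values are assumptions.

```python
# Constructed resource values mirroring the access / to / by descriptions;
# the tag names and values are assumptions, not from a real configuration.
ACCESS_RULES = {
    "passwd": {
        "to": "attrs=userPassword",
        "by": ["self write", "anonymous auth", "* none"],
    },
    "default": {
        "to": "*",
        "by": ["* read", "self write"],   # "self write" can never match
    },
}


def render_access(rules, order):
    """Emit slapd.conf access directives in the given tag order. slapd uses
    the first 'access to' directive whose target matches, so the order of
    the tags is part of the policy, not cosmetic."""
    lines = []
    for tag in order:
        rule = rules[tag]
        lines.append(f"access to {rule['to']}")
        lines.extend(f"\tby {by}" for by in rule["by"])
    return lines


def shadowed_by_clauses(rules):
    """Report by clauses placed after a catch-all 'by *' clause in the same
    rule: with the default stop control slapd never reaches them, which
    usually means the intended policy is not the one being enforced."""
    findings = []
    for tag, rule in rules.items():
        for i, by in enumerate(rule["by"]):
            if by.split()[0] == "*" and i < len(rule["by"]) - 1:
                findings.append((tag, rule["by"][i + 1:]))
                break
    return findings
```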
Naming suffix of the database that the LDAP server stores. Will generally be the same as searchbase.
RootDN of the database. On a slave, this should be the DN used by the replication agent which copies content into the database, on the master it should be the DN which has 'super user' access to the database, or a non-existent DN to disable this form of access.
List of attributes which should be indexed. Note that changing this list will trigger a database shut down and index rebuild. Depending on the complexity this may take a large amount of time.
List of the indices to maintain for attribute TAG. See the slapd.conf(5) manpage for more details.
See the slapd.conf(5) manpage for details.
The default realm for all SASL operations against the server.
See the slapd.conf(5) manpage for details.
See the slapd-bdb(5) manpage for details.
See the slapd-bdb(5) manpage for details.
See the slapd-bdb(5) manpage for details.
List of directive tags for configuring DB_CONFIG. See the BDB documentation for more details on DB_CONFIG directives.
A DB_CONFIG directive and value.
Hostname of the server a slave synchronizes with. This does not have to be the master server, it could be another slave for example.
List of servers that replication will try to source from in turn. If not defined, falls back to sourcing from the server specified in the master resource.
Length of time in seconds for a replication to take before timing out, defaults to 300.
Length of time in seconds for a full replication to take before timing out, defaults to 600.
Boolean value. Indicates whether database should be rebuilt when starting the component. Default is no.
The following resources control the configuration of a server using back-ldap and the proxycache overlay. See slapd-ldap(5) and slapo-pcache(5) for further details.
Set to any non-empty value (normally true or yes) to enable the proxy-cache configuration.
LDAP server(s) to use.
The proxycache values; see slapo-pcache for more details. The default is "bdb 5000 AUTO 500 300", where AUTO stands in for the numattrsets value and is calculated automatically from the resource definitions of the attribute sets below. There should be five values, specifying the database backend, maximum entries, number of attribute sets, entry limit and consistency-check period. If this resource is empty, a proxy slapd server is run with no local caching.
The maximum cache queries, defaulting to 10000, see slapo-pcache for further details.
List of attribute set tags with each defined below.
The index number of this attribute set; these should be ascending numbers starting from zero for the first set.
A space-separated list of the attributes associated with this set.
List of cache filter template tags with each defined below.
Comment about this cache filter template, added into the configuration file for information only.
The filter definition for the template.
The index number of the attribute set to use for the template.
The TTL (in seconds) for objects cached under the template. An optional negative TTL (for caching queries returning zero entries) can also be specified as a second argument.
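The following is an added example (not the component's own code) of turning the proxy-cache resources described above into slapo-pcache directives: it substitutes AUTO in the proxycache resource with the count of attribute sets, checks that the set indices run 0..N-1 as required above, and refuses a template that points at an undefined set. The resource names, dict layout and sample values are assumptions; the directive names are those documented in slapo-pcache(5).

```python
# Constructed resource values (the page does not name these resources; the
# dict layout mirrors the descriptions above and is an assumption).
PROXYCACHE = "bdb 5000 AUTO 500 300"
ATTRSETS = {"posix": {"index": 0, "attrs": "uid uidNumber gidNumber"},
            "mail": {"index": 1, "attrs": "mail cn"}}
TEMPLATES = {"byuid": {"comment": "lookups by uid",
                       "filter": "(&(objectClass=posixAccount)(uid=))",
                       "attrset": 0, "ttl": "3600 600"},
             "bymail": {"comment": "address book",
                        "filter": "(mail=)", "attrset": 1, "ttl": "600"}}


def render_pcache(proxycache, attrsets, templates, queries=10000):
    """Return the slapo-pcache directive lines for the given resources."""
    fields = proxycache.split()
    if len(fields) != 5:
        raise ValueError("proxycache needs 5 fields: "
                         "db maxentries numattrsets entrylimit period")
    indices = sorted(s["index"] for s in attrsets.values())
    if indices != list(range(len(attrsets))):
        raise ValueError(f"attribute set indices must be 0..N-1, got {indices}")
    if fields[2] == "AUTO":
        fields[2] = str(len(attrsets))        # AUTO -> number of sets
    elif int(fields[2]) != len(attrsets):
        raise ValueError("numattrsets does not match the defined sets")
    lines = ["overlay pcache",
             "proxycache " + " ".join(fields),
             f"proxycachequeries {queries}"]
    for s in sorted(attrsets.values(), key=lambda s: s["index"]):
        lines.append(f"proxyattrset {s['index']} {s['attrs']}")
    for t in templates.values():
        if t["attrset"] not in indices:
            raise ValueError(f"template uses undefined set {t['attrset']}")
        lines.append(f"# {t['comment']}")
        lines.append(f"proxytemplate {t['filter']} {t['attrset']} {t['ttl']}")
    return lines
```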
Boolean value. Indicates whether database should be rebuilt when starting the component. Default is no. Now deprecated in favour of rebuildonstart resource.
The following resources control the configuration of a server either acting as a syncrepl provider or a syncrepl consumer. Full documentation on configuring syncrepl can be found in the OpenLDAP man pages and the administrator guide.
Boolean value - if true, enables the syncprov overlay to set the server up as a syncrepl provider.
See the slapo-syncprov(5) manpage for details on configuring these resources.
Boolean value - if true, adds the syncrepl directive to slapd.conf for configuring a syncrepl consumer.
See the syncrepl section of the slapd.conf(5) manpage and the Replication section of the OpenLDAP Administrator's Guide for details on configuring these resources.
Fedora3, Fedora5, Fedora6, Scientific5
slaprepl(8), slapd(8C), slapadd(8C), slapcat(8C), slapindex(8C), slapd.conf(5), slapd-bdb(5), slapd-ldap(5), slapo-pcache(5), slapo-syncprov(5), http://www.openldap.org/
DICE Infrastructure Unit <inf-unit@inf.ed.ac.uk>