[deployment-guide: 44/185] Updated the "OpenLDAP" sections.
Jaromir Hradilek
jhradile at fedoraproject.org
Sun May 15 21:13:43 UTC 2011
commit 60150bba923148064f7dc6d133e340dafb6f7a3b
Author: Jaromir Hradilek <jhradile at redhat.com>
Date: Wed Jan 26 18:36:16 2011 +0100
Updated the "OpenLDAP" sections.
Many thanks to Jan Vcelak for his review and valuable comments.
en-US/OpenLDAP.xml | 118 ++++++++++++++++++++++------------------------------
1 files changed, 50 insertions(+), 68 deletions(-)
---
diff --git a/en-US/OpenLDAP.xml b/en-US/OpenLDAP.xml
index 27477a8..b249528 100644
--- a/en-US/OpenLDAP.xml
+++ b/en-US/OpenLDAP.xml
@@ -74,7 +74,7 @@
Information directly associated with an entry. For example, if an organization is represented as an LDAP entry, attributes associated with this organization might include an address, a fax number, etc. Similarly, people can be represented as entries with common attributes such as personal telephone number or email address.
</para>
<para>
- While certain attributes are optional, other are required. Required attributes are specified using the <option>objectClass</option> definition, and can be found in schema files located in the <filename class="directory">/etc/openldap/schema/</filename> directory.
+ An attribute can either have a single value, or an unordered space-separated list of values. While certain attributes are optional, other are required. Required attributes are specified using the <option>objectClass</option> definition, and can be found in schema files located in the <filename class="directory">/etc/openldap/slapd.d/cn=config/cn=schema/</filename> directory.
</para>
<para>
The assertion of an attribute and its corresponding value is also referred to as a <firstterm>Relative Distinguished Name</firstterm> (<acronym>RDN</acronym>). Unlike distinguished names that are unique globally, a relative distinguished name is only unique per entry.
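Review bot: the new sentence on the `+` line of this hunk describes a multi-valued attribute as "an unordered space-separated list of values", which contradicts the LDIF form documented later in this same patch, where each value is a separate `attribute_type: attribute_value` line; values of the same attribute are listed one per line, not separated by spaces, so rephrase to "a single value, or several values, each listed separately". The line also carries over the pre-existing typo "other are required" (should be "others are required").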
@@ -97,8 +97,8 @@
The <firstterm>LDAP Data Interchange Format</firstterm> (<acronym>LDIF</acronym>) is a plain text representation of an LDAP entry. It takes the following form:
</para>
<screen><optional><replaceable>id</replaceable></optional> dn: <replaceable>distinguished_name</replaceable>
-<replaceable>attribute_type</replaceable>: <replaceable>attribute_value</replaceable>
-<replaceable>attribute_type</replaceable>: <replaceable>attribute_value</replaceable>
+<replaceable>attribute_type</replaceable>: <replaceable>attribute_value</replaceable>…
+<replaceable>attribute_type</replaceable>: <replaceable>attribute_value</replaceable>…
…</screen>
<para>
The optional <replaceable>id</replaceable> is a number determined by the application that is used to edit the entry. Each entry can contain as many <replaceable>attribute_type</replaceable> and <replaceable>attribute_value</replaceable> pairs as needed, as long as they are all defined in a corresponding schema file. A blank line indicates the end of an entry.
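Review bot: the trailing `…` added to both `attribute_type: attribute_value` lines is redundant with the standalone `…` line that already closes the `<screen>` block, and placed directly after `<replaceable>attribute_value</replaceable>` it reads as if it were part of the value. Keep only the standalone ellipsis line, or put the repetition marker on its own line between the attribute lines, so the surrounding paragraph's "as many pairs as needed" stays unambiguous.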
@@ -167,7 +167,7 @@
</step>
<step>
<para>
- Edit the LDIF files in the <filename class="directory">/etc/openldap/slapd.d/</filename> directory as described in <xref linkend="s2-ldap-configuration" />.
+ Customize the configuration as described in <xref linkend="s2-ldap-configuration" />.
</para>
</step>
<step>
@@ -261,10 +261,10 @@
</tgroup>
</table>
<para>
- Additionally, the following packages are commonly used along with the LDAP server, and extend its functionality:
+ Additionally, the following packages are commonly used along with the LDAP server:
</para>
<table id="table-ldap-packages-additional">
- <title>List of additional LDAP packages</title>
+ <title>List of commonly installed additional LDAP packages</title>
<tgroup cols="2">
<colspec colname="package" colnum="1" colwidth="30*" />
<colspec colname="description" colnum="2" colwidth="60*" />
@@ -297,14 +297,6 @@
</para>
</entry>
</row>
- <row>
- <entry>
- <package>php-ldap</package>
- </entry>
- <entry>
- A package containing the <systemitem class="resource">ldap</systemitem> module, which allows PHP scripts to access information stored in an LDAP directory.
- </entry>
- </row>
</tbody>
</tgroup>
</table>
@@ -315,7 +307,7 @@
<para>
For example, to perform the basic LDAP server installation, type the following at a shell prompt:
</para>
- <screen>~]# <command>yum install openldap openldap-clients openldap-servers compat-openldap</command></screen>
+ <screen>~]# <command>yum install openldap openldap-clients openldap-servers</command></screen>
<para>
Note that you must have superuser privileges (that is, you must be logged in as <systemitem class="username">root</systemitem>) to run this command. For more information on how to install new packages in &MAJOROS;, refer to <xref linkend="sec-Installing" />.
</para>
@@ -378,6 +370,14 @@
</row>
<row>
<entry>
+ <command>slapdn</command>
+ </entry>
+ <entry>
+ Allows you to check a list of Distinguished Names (DNs) based on available schema syntax.
+ </entry>
+ </row>
+ <row>
+ <entry>
<command>slapindex</command>
</entry>
<entry>
@@ -408,28 +408,12 @@
Allows you to check the LDAP server configuration.
</entry>
</row>
- <row>
- <entry>
- <command>slapd_db_archive</command>,
- <command>slapd_db_checkpoint</command>,
- <command>slapd_db_deadlock</command>,
- <command>slapd_db_dump</command>,
- <command>slapd_db_hotbackup</command>,
- <command>slapd_db_load</command>,
- <command>slapd_db_printlog</command>,
- <command>slapd_db_recover</command>,
- <command>slapd_db_sql</command>,
- <command>slapd_db_stat</command>,
- <command>slapd_db_upgrade</command>,
- <command>slapd_db_verify</command>
- </entry>
- <entry>
- Provides a set of tools to work with <firstterm>Berkeley DB</firstterm> (BDB).
- </entry>
- </row>
</tbody>
</tgroup>
</table>
+ <para>
+ For a detailed description of these utilities and their usage, refer to the corresponding manual pages as referred to in <xref linkend="s3-ldap-installed-docs" />.
+ </para>
<important>
<title>Important: Make Sure the Files Have Correct Owner</title>
<para>
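Review bot: "as referred to in <xref linkend="s3-ldap-installed-docs" />" in the added `<para>` is awkward; "listed in" reads better. Also, this hunk removes the whole `slapd_db_*` row while a later hunk in this patch still states that Berkeley DB is the default back end, so consider a short sentence in the same paragraph saying that the BDB maintenance tools are documented in their own manual pages rather than here, so readers are not left without a pointer to them.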
@@ -575,7 +559,7 @@ Stopping slapd: [ OK ]</screen>
<section id="s2-ldap-configuration">
<title>Configuring an OpenLDAP Server</title>
<para>
- OpenLDAP configuration files are installed into the <filename>/etc/openldap/</filename> directory. The following is a brief list highlighting the most important directories and files:
+ By default, the OpenLDAP configuration is stored in the <filename>/etc/openldap/</filename> directory. The following table highlights the most important directories and files within this directory:
</para>
<table id="table-ldap-configuration-files">
<title>List of OpenLDAP configuration files and directories</title>
@@ -616,20 +600,7 @@ Stopping slapd: [ OK ]</screen>
<filename class="directory">/etc/openldap/slapd.d/</filename>
</entry>
<entry>
- The directory containing the <systemitem class="service">slapd</systemitem> configuration files.
- </entry>
- </row>
- <row>
- <entry>
- <indexterm>
- <primary>OpenLDAP</primary>
- <secondary>directories</secondary>
- <tertiary><filename class="directory">/etc/openldap/schema/</filename></tertiary>
- </indexterm>
- <filename class="directory">/etc/openldap/schema/</filename>
- </entry>
- <entry>
- The directory containing the schema files used by the <systemitem class="service">slapd</systemitem> service. The <filename class="directory">redhat/</filename> subdirectory holds customized schemas distributed by &OSORG; for &MAJOROS;.
+ The directory containing the <systemitem class="service">slapd</systemitem> configuration.
</entry>
</row>
</tbody>
@@ -639,6 +610,15 @@ Stopping slapd: [ OK ]</screen>
Note that OpenLDAP no longer reads its configuration from the <filename>/etc/openldap/slapd.conf</filename> file. Instead, it uses a configuration database located in the <filename class="directory">/etc/openldap/slapd.d/</filename> directory. If you have an existing <filename>slapd.conf</filename> file from a previous installation, you can convert it to the new format by running the following command:
</para>
<screen>~]# <command>slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/</command></screen>
+ <para>
+ The <systemitem class="service">slapd</systemitem> configuration consists of LDIF entries organized in a hierarchical directory structure, and the recommended way to edit these entries is to use the server utilities described in <xref linkend="s3-ldap-packages-openldap-servers" />.
+ </para>
+ <important>
+ <title>Important: Do Not Edit LDIF Files Directly</title>
+ <para>
+ An error in an LDIF file can render the <systemitem class="service">slapd</systemitem> service unable to start. Because of this, it is strongly advised that you avoid editing the LDIF files within the <filename class="directory">/etc/openldap/slapd.d/</filename> directly.
+ </para>
+ </important>
<section id="s3-ldap-configuration-global">
<title>Changing the Global Configuration</title>
<indexterm>
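Review bot: in the added `<important>` block, "the LDIF files within the <filename class="directory">/etc/openldap/slapd.d/</filename> directly" is missing the noun after the path; it should read "the LDIF files in the /etc/openldap/slapd.d/ directory directly" or, more simply, "avoid editing the LDIF files in /etc/openldap/slapd.d/ by hand". The preceding `<para>` says the recommended way to edit the configuration is "the server utilities described in <xref linkend="s3-ldap-packages-openldap-servers" />", but the rows of that table visible in this patch (`slapdn`, `slapindex`, and the entry that "Allows you to check the LDAP server configuration") only check and index; name the utility that actually modifies the `cn=config` entries, otherwise the note tells the reader what not to do without saying what to do instead.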
@@ -646,13 +626,8 @@ Stopping slapd: [ OK ]</screen>
<secondary>configuration</secondary>
<tertiary>global</tertiary>
</indexterm>
- <indexterm>
- <primary>OpenLDAP</primary>
- <secondary>files</secondary>
- <tertiary><filename>/etc/openldap/slapd.d/cn=config.ldif</filename></tertiary>
- </indexterm>
<para>
- The <filename>/etc/openldap/slapd.d/cn=config.ldif</filename> file contains global configuration options for the LDAP server. The following directives are commonly used in this file:
+ The following directives are commonly used in the global configuration of the LDAP server:
</para>
<variablelist>
<varlistentry>
@@ -950,6 +925,14 @@ Stopping slapd: [ OK ]</screen>
</listitem>
</varlistentry>
</variablelist>
+ <indexterm>
+ <primary>OpenLDAP</primary>
+ <secondary>files</secondary>
+ <tertiary><filename>/etc/openldap/slapd.d/cn=config.ldif</filename></tertiary>
+ </indexterm>
+ <para>
+ The global configuration options for the LDAP server are stored in the <filename>/etc/openldap/slapd.d/cn=config.ldif</filename> file.
+ </para>
</section>
<section id="s3-ldap-configuration-database">
<title>Changing the Database-Specific Configuration</title>
@@ -959,7 +942,7 @@ Stopping slapd: [ OK ]</screen>
<tertiary>database</tertiary>
</indexterm>
<para>
- By default, the OpenLDAP server uses Berkeley DB (BDB) as a database back end. The configuration for this database is stored in the <filename>/etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif</filename> file, and commonly contains the following directives:
+ The following directives are commonly used in a database-specific configuration:
</para>
<variablelist>
<varlistentry>
@@ -1059,9 +1042,17 @@ Re-enter new password:
</listitem>
</varlistentry>
</variablelist>
+ <indexterm>
+ <primary>OpenLDAP</primary>
+ <secondary>files</secondary>
+ <tertiary><filename>/etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif</filename></tertiary>
+ </indexterm>
+ <para>
+ By default, the OpenLDAP server uses Berkeley DB (BDB) as a database back end. The configuration for this database is stored in the <filename>/etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif</filename> file.
+ </para>
</section>
<section id="s3-ldap-configuration-schema">
- <title>Working with Schema Files</title>
+ <title>Extending Schema</title>
<indexterm>
<primary>OpenLDAP</primary>
<secondary>schema</secondary>
@@ -1069,19 +1060,10 @@ Re-enter new password:
<indexterm>
<primary>OpenLDAP</primary>
<secondary>directories</secondary>
- <tertiary><filename class="directory">/etc/openldap/schema/</filename></tertiary>
+ <tertiary><filename class="directory">/etc/openldap/slapd.d/cn=config/cn=schema/</filename></tertiary>
</indexterm>
<para>
- The <filename>/etc/openldap/schema/</filename> directory contains LDAP definitions, previously located in the <filename>slapd.at.conf</filename> and <filename>slapd.oc.conf</filename> files, with the attribute syntax definitions and object class definitions located in the different schema files. The schema definitions that are hard-coded in <systemitem class="service">slapd</systemitem> are now covered by the <filename>cn=schema</filename> entry located in the <filename class="directory">/etc/openldap/slapd.d/cn=config/</filename> directory.
- </para>
- <warning>
- <title>Warning: Be Careful when Editing Schema Files</title>
- <para>
- Do not modify schema items defined in the schema files installed by OpenLDAP.
- </para>
- </warning>
- <para>
- It is possible to extend the schema used by OpenLDAP to support additional attribute types and object classes using the default schema files as a guide. However, this task is beyond the scope of this chapter. For more information on this topic, refer to <ulink url="http://www.openldap.org/doc/admin/schema.html" />.
+ Since OpenLDAP 2.3, the <filename class="directory">/etc/openldap/slapd.d/</filename> directory also contains LDAP definitions that were previously located in <filename class="directory">/etc/openldap/schema/</filename>. It is possible to extend the schema used by OpenLDAP to support additional attribute types and object classes using the default schema files as a guide. However, this task is beyond the scope of this chapter. For more information on this topic, refer to <ulink url="http://www.openldap.org/doc/admin/schema.html" />.
</para>
</section>
</section>
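Review bot: this hunk drops the `<warning>` "Do not modify schema items defined in the schema files installed by OpenLDAP" while the replacement paragraph still tells readers to use "the default schema files as a guide"; that warning was the only place the section said not to change the built-in definitions, and the new `<important>` note added earlier in the patch only covers hand-editing LDIF under slapd.d/, so keep the warning, reworded for the new cn=schema location. Also, "the /etc/openldap/slapd.d/ directory also contains LDAP definitions" is vaguer than the path given in the first hunk, `/etc/openldap/slapd.d/cn=config/cn=schema/`; use the same path here so the two sections agree.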