[Pkg-openldap-devel] r1128 - in openldap/trunk: . build clients clients/tools contrib contrib/ldapc++ contrib/ldapc++/examples contrib/ldapc++/src contrib/ldapc++/src/ac contrib/slapd-modules contrib/slapd-modules/acl contrib/slapd-modules/allop contrib/slapd-modules/comp_match contrib/slapd-modules/denyop contrib/slapd-modules/dsaschema contrib/slapd-modules/lastmod contrib/slapd-modules/passwd contrib/slapd-modules/smbk5pwd contrib/slapd-modules/trace contrib/slapd-tools contrib/slapi-plugins/addrdnvalues debian doc doc/devel doc/guide doc/guide/admin doc/guide/images/src doc/guide/release doc/man doc/man/man1 doc/man/man3 doc/man/man5 doc/man/man8 include include/ac libraries libraries/liblber libraries/libldap libraries/libldap_r libraries/liblunicode libraries/liblunicode/ucdata libraries/liblunicode/ure libraries/liblunicode/utbm libraries/liblutil libraries/librewrite servers servers/slapd servers/slapd/back-bdb servers/slapd/back-dnssrv servers/slapd/back-hdb servers/slapd/back-ldap servers/slapd/back-ldif servers/slapd/back-meta servers/slapd/back-monitor servers/slapd/back-null servers/slapd/back-passwd servers/slapd/back-perl servers/slapd/back-relay servers/slapd/back-shell servers/slapd/back-sql servers/slapd/back-sql/rdbms_depend/timesten/dnreverse servers/slapd/overlays servers/slapd/schema servers/slapd/shell-backends servers/slapd/slapi tests tests/data tests/data/regressions/its4184 tests/data/regressions/its4326 tests/data/regressions/its4336 tests/data/regressions/its4337 tests/data/regressions/its4448 tests/progs tests/scripts

matthijs at alioth.debian.org
Sun May 25 14:29:34 UTC 2008


Author: matthijs
Date: 2008-05-25 14:29:31 +0000 (Sun, 25 May 2008)
New Revision: 1128

Added:
   openldap/trunk/contrib/ldapc++/src/LDAPSaslBindResult.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPSaslBindResult.h
   openldap/trunk/contrib/ldapc++/src/LdifReader.cpp
   openldap/trunk/contrib/ldapc++/src/LdifReader.h
   openldap/trunk/contrib/ldapc++/src/LdifWriter.cpp
   openldap/trunk/contrib/ldapc++/src/LdifWriter.h
   openldap/trunk/contrib/ldapc++/src/SaslInteraction.cpp
   openldap/trunk/contrib/ldapc++/src/SaslInteraction.h
   openldap/trunk/contrib/ldapc++/src/SaslInteractionHandler.cpp
   openldap/trunk/contrib/ldapc++/src/SaslInteractionHandler.h
   openldap/trunk/contrib/slapd-modules/autogroup/
   openldap/trunk/doc/guide/admin/access-control.sdf
   openldap/trunk/doc/guide/admin/config_repl.png
   openldap/trunk/doc/guide/admin/set-following-references.png
   openldap/trunk/doc/guide/admin/set-memberUid.png
   openldap/trunk/doc/guide/admin/set-recursivegroup.png
   openldap/trunk/doc/guide/images/src/README.fonts
   openldap/trunk/doc/guide/images/src/config_dit.dia
   openldap/trunk/doc/guide/images/src/config_local.dia
   openldap/trunk/doc/guide/images/src/config_ref.dia
   openldap/trunk/doc/guide/images/src/config_repl.dia
   openldap/trunk/doc/guide/images/src/delta-syncrepl.dia
   openldap/trunk/doc/guide/images/src/intro_dctree.dia
   openldap/trunk/doc/guide/images/src/intro_tree.dia
   openldap/trunk/doc/guide/images/src/mirrormode.dia
   openldap/trunk/doc/guide/images/src/n-way-multi-master.dia
   openldap/trunk/doc/guide/images/src/set-following-references.svg
   openldap/trunk/doc/guide/images/src/set-memberUid.svg
   openldap/trunk/doc/guide/images/src/set-recursivegroup.svg
   openldap/trunk/doc/guide/images/src/syncrepl-firewalls.dia
   openldap/trunk/doc/guide/images/src/syncrepl-pull.dia
   openldap/trunk/doc/guide/images/src/syncrepl-push.dia
   openldap/trunk/doc/guide/images/src/syncrepl.dia
   openldap/trunk/doc/man/man5/slapd-sock.5
   openldap/trunk/servers/slapd/back-sock/
   openldap/trunk/tests/data/slapd-2db.conf
Removed:
   openldap/trunk/contrib/ldapc++/src/LDAPReferralException.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPReferralException.h
   openldap/trunk/doc/guide/admin/config_repl.gif
Modified:
   openldap/trunk/ANNOUNCEMENT
   openldap/trunk/CHANGES
   openldap/trunk/COPYRIGHT
   openldap/trunk/INSTALL
   openldap/trunk/Makefile.in
   openldap/trunk/README
   openldap/trunk/build/config.guess
   openldap/trunk/build/config.sub
   openldap/trunk/build/crupdate
   openldap/trunk/build/dir.mk
   openldap/trunk/build/info.mk
   openldap/trunk/build/lib-shared.mk
   openldap/trunk/build/lib-static.mk
   openldap/trunk/build/lib.mk
   openldap/trunk/build/ltmain.sh
   openldap/trunk/build/man.mk
   openldap/trunk/build/missing
   openldap/trunk/build/mkdep
   openldap/trunk/build/mkdep.aix
   openldap/trunk/build/mkrelease
   openldap/trunk/build/mkvers.bat
   openldap/trunk/build/mkversion
   openldap/trunk/build/mod.mk
   openldap/trunk/build/openldap.m4
   openldap/trunk/build/rules.mk
   openldap/trunk/build/srv.mk
   openldap/trunk/build/top.mk
   openldap/trunk/build/version.h
   openldap/trunk/build/version.sh
   openldap/trunk/build/version.var
   openldap/trunk/clients/Makefile.in
   openldap/trunk/clients/tools/Makefile.in
   openldap/trunk/clients/tools/common.c
   openldap/trunk/clients/tools/common.h
   openldap/trunk/clients/tools/ldapcompare.c
   openldap/trunk/clients/tools/ldapdelete.c
   openldap/trunk/clients/tools/ldapexop.c
   openldap/trunk/clients/tools/ldapmodify.c
   openldap/trunk/clients/tools/ldapmodrdn.c
   openldap/trunk/clients/tools/ldappasswd.c
   openldap/trunk/clients/tools/ldapsearch.c
   openldap/trunk/clients/tools/ldapwhoami.c
   openldap/trunk/configure
   openldap/trunk/configure.in
   openldap/trunk/contrib/ConfigOIDs
   openldap/trunk/contrib/ldapc++/COPYRIGHT
   openldap/trunk/contrib/ldapc++/Makefile.am
   openldap/trunk/contrib/ldapc++/Makefile.in
   openldap/trunk/contrib/ldapc++/configure
   openldap/trunk/contrib/ldapc++/configure.in
   openldap/trunk/contrib/ldapc++/doxygen.rc
   openldap/trunk/contrib/ldapc++/examples/Makefile.am
   openldap/trunk/contrib/ldapc++/examples/Makefile.in
   openldap/trunk/contrib/ldapc++/examples/main.cpp
   openldap/trunk/contrib/ldapc++/examples/readSchema.cpp
   openldap/trunk/contrib/ldapc++/examples/urlTest.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPAddRequest.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPAddRequest.h
   openldap/trunk/contrib/ldapc++/src/LDAPAsynConnection.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPAsynConnection.h
   openldap/trunk/contrib/ldapc++/src/LDAPAttrType.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPAttrType.h
   openldap/trunk/contrib/ldapc++/src/LDAPAttribute.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPAttribute.h
   openldap/trunk/contrib/ldapc++/src/LDAPAttributeList.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPAttributeList.h
   openldap/trunk/contrib/ldapc++/src/LDAPBindRequest.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPBindRequest.h
   openldap/trunk/contrib/ldapc++/src/LDAPCompareRequest.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPCompareRequest.h
   openldap/trunk/contrib/ldapc++/src/LDAPConnection.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPConnection.h
   openldap/trunk/contrib/ldapc++/src/LDAPConstraints.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPConstraints.h
   openldap/trunk/contrib/ldapc++/src/LDAPControl.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPControl.h
   openldap/trunk/contrib/ldapc++/src/LDAPControlSet.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPControlSet.h
   openldap/trunk/contrib/ldapc++/src/LDAPDeleteRequest.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPDeleteRequest.h
   openldap/trunk/contrib/ldapc++/src/LDAPEntry.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPEntry.h
   openldap/trunk/contrib/ldapc++/src/LDAPEntryList.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPEntryList.h
   openldap/trunk/contrib/ldapc++/src/LDAPException.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPException.h
   openldap/trunk/contrib/ldapc++/src/LDAPExtRequest.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPExtRequest.h
   openldap/trunk/contrib/ldapc++/src/LDAPExtResult.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPExtResult.h
   openldap/trunk/contrib/ldapc++/src/LDAPMessage.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPMessage.h
   openldap/trunk/contrib/ldapc++/src/LDAPMessageQueue.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPMessageQueue.h
   openldap/trunk/contrib/ldapc++/src/LDAPModDNRequest.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPModDNRequest.h
   openldap/trunk/contrib/ldapc++/src/LDAPModList.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPModList.h
   openldap/trunk/contrib/ldapc++/src/LDAPModification.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPModification.h
   openldap/trunk/contrib/ldapc++/src/LDAPModifyRequest.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPModifyRequest.h
   openldap/trunk/contrib/ldapc++/src/LDAPObjClass.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPObjClass.h
   openldap/trunk/contrib/ldapc++/src/LDAPRebind.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPRebind.h
   openldap/trunk/contrib/ldapc++/src/LDAPRebindAuth.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPRebindAuth.h
   openldap/trunk/contrib/ldapc++/src/LDAPReferenceList.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPReferenceList.h
   openldap/trunk/contrib/ldapc++/src/LDAPRequest.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPRequest.h
   openldap/trunk/contrib/ldapc++/src/LDAPResult.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPResult.h
   openldap/trunk/contrib/ldapc++/src/LDAPSchema.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPSchema.h
   openldap/trunk/contrib/ldapc++/src/LDAPSearchReference.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPSearchReference.h
   openldap/trunk/contrib/ldapc++/src/LDAPSearchRequest.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPSearchRequest.h
   openldap/trunk/contrib/ldapc++/src/LDAPSearchResult.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPSearchResult.h
   openldap/trunk/contrib/ldapc++/src/LDAPSearchResults.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPSearchResults.h
   openldap/trunk/contrib/ldapc++/src/LDAPUrl.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPUrl.h
   openldap/trunk/contrib/ldapc++/src/LDAPUrlList.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPUrlList.h
   openldap/trunk/contrib/ldapc++/src/Makefile.am
   openldap/trunk/contrib/ldapc++/src/Makefile.in
   openldap/trunk/contrib/ldapc++/src/StringList.cpp
   openldap/trunk/contrib/ldapc++/src/StringList.h
   openldap/trunk/contrib/ldapc++/src/ac/time.h
   openldap/trunk/contrib/ldapc++/src/config.h.in
   openldap/trunk/contrib/ldapc++/src/debug.h
   openldap/trunk/contrib/slapd-modules/acl/README
   openldap/trunk/contrib/slapd-modules/acl/posixgroup.c
   openldap/trunk/contrib/slapd-modules/allop/README
   openldap/trunk/contrib/slapd-modules/allop/allop.c
   openldap/trunk/contrib/slapd-modules/allop/slapo-allop.5
   openldap/trunk/contrib/slapd-modules/comp_match/Makefile
   openldap/trunk/contrib/slapd-modules/denyop/denyop.c
   openldap/trunk/contrib/slapd-modules/dsaschema/README
   openldap/trunk/contrib/slapd-modules/dsaschema/dsaschema.c
   openldap/trunk/contrib/slapd-modules/lastmod/lastmod.c
   openldap/trunk/contrib/slapd-modules/lastmod/slapo-lastmod.5
   openldap/trunk/contrib/slapd-modules/passwd/README
   openldap/trunk/contrib/slapd-modules/passwd/kerberos.c
   openldap/trunk/contrib/slapd-modules/passwd/netscape.c
   openldap/trunk/contrib/slapd-modules/passwd/radius.c
   openldap/trunk/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
   openldap/trunk/contrib/slapd-modules/trace/trace.c
   openldap/trunk/contrib/slapd-tools/README
   openldap/trunk/contrib/slapi-plugins/addrdnvalues/README
   openldap/trunk/debian/changelog
   openldap/trunk/debian/rules
   openldap/trunk/doc/Makefile.in
   openldap/trunk/doc/devel/args
   openldap/trunk/doc/guide/COPYRIGHT
   openldap/trunk/doc/guide/admin/Makefile
   openldap/trunk/doc/guide/admin/README.spellcheck
   openldap/trunk/doc/guide/admin/abstract.sdf
   openldap/trunk/doc/guide/admin/admin.sdf
   openldap/trunk/doc/guide/admin/appendix-changes.sdf
   openldap/trunk/doc/guide/admin/appendix-common-errors.sdf
   openldap/trunk/doc/guide/admin/appendix-configs.sdf
   openldap/trunk/doc/guide/admin/appendix-contrib.sdf
   openldap/trunk/doc/guide/admin/appendix-deployments.sdf
   openldap/trunk/doc/guide/admin/appendix-ldap-result-codes.sdf
   openldap/trunk/doc/guide/admin/appendix-recommended-versions.sdf
   openldap/trunk/doc/guide/admin/appendix-upgrading.sdf
   openldap/trunk/doc/guide/admin/aspell.en.pws
   openldap/trunk/doc/guide/admin/backends.sdf
   openldap/trunk/doc/guide/admin/config.sdf
   openldap/trunk/doc/guide/admin/dbtools.sdf
   openldap/trunk/doc/guide/admin/glossary.sdf
   openldap/trunk/doc/guide/admin/guide.html
   openldap/trunk/doc/guide/admin/guide.sdf
   openldap/trunk/doc/guide/admin/index.sdf
   openldap/trunk/doc/guide/admin/install.sdf
   openldap/trunk/doc/guide/admin/intro.sdf
   openldap/trunk/doc/guide/admin/maintenance.sdf
   openldap/trunk/doc/guide/admin/master.sdf
   openldap/trunk/doc/guide/admin/monitoringslapd.sdf
   openldap/trunk/doc/guide/admin/overlays.sdf
   openldap/trunk/doc/guide/admin/preface.sdf
   openldap/trunk/doc/guide/admin/quickstart.sdf
   openldap/trunk/doc/guide/admin/referrals.sdf
   openldap/trunk/doc/guide/admin/replication.sdf
   openldap/trunk/doc/guide/admin/runningslapd.sdf
   openldap/trunk/doc/guide/admin/sasl.sdf
   openldap/trunk/doc/guide/admin/schema.sdf
   openldap/trunk/doc/guide/admin/security.sdf
   openldap/trunk/doc/guide/admin/slapdconf2.sdf
   openldap/trunk/doc/guide/admin/slapdconfig.sdf
   openldap/trunk/doc/guide/admin/title.sdf
   openldap/trunk/doc/guide/admin/tls.sdf
   openldap/trunk/doc/guide/admin/troubleshooting.sdf
   openldap/trunk/doc/guide/admin/tuning.sdf
   openldap/trunk/doc/guide/plain.sdf
   openldap/trunk/doc/guide/preamble.sdf
   openldap/trunk/doc/guide/release/copyright-plain.sdf
   openldap/trunk/doc/guide/release/copyright.sdf
   openldap/trunk/doc/guide/release/install.sdf
   openldap/trunk/doc/guide/release/license-plain.sdf
   openldap/trunk/doc/guide/release/license.sdf
   openldap/trunk/doc/man/Makefile.in
   openldap/trunk/doc/man/man1/Makefile.in
   openldap/trunk/doc/man/man1/ldapcompare.1
   openldap/trunk/doc/man/man1/ldapdelete.1
   openldap/trunk/doc/man/man1/ldapmodify.1
   openldap/trunk/doc/man/man1/ldapmodrdn.1
   openldap/trunk/doc/man/man1/ldappasswd.1
   openldap/trunk/doc/man/man1/ldapsearch.1
   openldap/trunk/doc/man/man1/ldapwhoami.1
   openldap/trunk/doc/man/man3/Makefile.in
   openldap/trunk/doc/man/man3/lber-decode.3
   openldap/trunk/doc/man/man3/lber-encode.3
   openldap/trunk/doc/man/man3/lber-memory.3
   openldap/trunk/doc/man/man3/lber-sockbuf.3
   openldap/trunk/doc/man/man3/lber-types.3
   openldap/trunk/doc/man/man3/ldap.3
   openldap/trunk/doc/man/man3/ldap_abandon.3
   openldap/trunk/doc/man/man3/ldap_add.3
   openldap/trunk/doc/man/man3/ldap_bind.3
   openldap/trunk/doc/man/man3/ldap_compare.3
   openldap/trunk/doc/man/man3/ldap_controls.3
   openldap/trunk/doc/man/man3/ldap_delete.3
   openldap/trunk/doc/man/man3/ldap_error.3
   openldap/trunk/doc/man/man3/ldap_extended_operation.3
   openldap/trunk/doc/man/man3/ldap_first_attribute.3
   openldap/trunk/doc/man/man3/ldap_first_entry.3
   openldap/trunk/doc/man/man3/ldap_first_message.3
   openldap/trunk/doc/man/man3/ldap_first_reference.3
   openldap/trunk/doc/man/man3/ldap_get_dn.3
   openldap/trunk/doc/man/man3/ldap_get_option.3
   openldap/trunk/doc/man/man3/ldap_get_values.3
   openldap/trunk/doc/man/man3/ldap_memory.3
   openldap/trunk/doc/man/man3/ldap_modify.3
   openldap/trunk/doc/man/man3/ldap_modrdn.3
   openldap/trunk/doc/man/man3/ldap_open.3
   openldap/trunk/doc/man/man3/ldap_parse_reference.3
   openldap/trunk/doc/man/man3/ldap_parse_result.3
   openldap/trunk/doc/man/man3/ldap_parse_sort_control.3
   openldap/trunk/doc/man/man3/ldap_parse_vlv_control.3
   openldap/trunk/doc/man/man3/ldap_rename.3
   openldap/trunk/doc/man/man3/ldap_result.3
   openldap/trunk/doc/man/man3/ldap_schema.3
   openldap/trunk/doc/man/man3/ldap_search.3
   openldap/trunk/doc/man/man3/ldap_sort.3
   openldap/trunk/doc/man/man3/ldap_sync.3
   openldap/trunk/doc/man/man3/ldap_tls.3
   openldap/trunk/doc/man/man3/ldap_url.3
   openldap/trunk/doc/man/man5/Makefile.in
   openldap/trunk/doc/man/man5/ldap.conf.5
   openldap/trunk/doc/man/man5/ldif.5
   openldap/trunk/doc/man/man5/slapd-bdb.5
   openldap/trunk/doc/man/man5/slapd-config.5
   openldap/trunk/doc/man/man5/slapd-dnssrv.5
   openldap/trunk/doc/man/man5/slapd-ldap.5
   openldap/trunk/doc/man/man5/slapd-ldbm.5
   openldap/trunk/doc/man/man5/slapd-ldif.5
   openldap/trunk/doc/man/man5/slapd-meta.5
   openldap/trunk/doc/man/man5/slapd-monitor.5
   openldap/trunk/doc/man/man5/slapd-null.5
   openldap/trunk/doc/man/man5/slapd-passwd.5
   openldap/trunk/doc/man/man5/slapd-shell.5
   openldap/trunk/doc/man/man5/slapd.access.5
   openldap/trunk/doc/man/man5/slapd.backends.5
   openldap/trunk/doc/man/man5/slapd.conf.5
   openldap/trunk/doc/man/man5/slapd.overlays.5
   openldap/trunk/doc/man/man5/slapd.plugin.5
   openldap/trunk/doc/man/man5/slapo-accesslog.5
   openldap/trunk/doc/man/man5/slapo-auditlog.5
   openldap/trunk/doc/man/man5/slapo-chain.5
   openldap/trunk/doc/man/man5/slapo-constraint.5
   openldap/trunk/doc/man/man5/slapo-dds.5
   openldap/trunk/doc/man/man5/slapo-dyngroup.5
   openldap/trunk/doc/man/man5/slapo-dynlist.5
   openldap/trunk/doc/man/man5/slapo-memberof.5
   openldap/trunk/doc/man/man5/slapo-pcache.5
   openldap/trunk/doc/man/man5/slapo-ppolicy.5
   openldap/trunk/doc/man/man5/slapo-refint.5
   openldap/trunk/doc/man/man5/slapo-retcode.5
   openldap/trunk/doc/man/man5/slapo-rwm.5
   openldap/trunk/doc/man/man5/slapo-syncprov.5
   openldap/trunk/doc/man/man5/slapo-translucent.5
   openldap/trunk/doc/man/man5/slapo-unique.5
   openldap/trunk/doc/man/man5/slapo-valsort.5
   openldap/trunk/doc/man/man8/Makefile.in
   openldap/trunk/doc/man/man8/slapacl.8
   openldap/trunk/doc/man/man8/slapadd.8
   openldap/trunk/doc/man/man8/slapauth.8
   openldap/trunk/doc/man/man8/slapcat.8
   openldap/trunk/doc/man/man8/slapd.8
   openldap/trunk/doc/man/man8/slapdn.8
   openldap/trunk/doc/man/man8/slapindex.8
   openldap/trunk/doc/man/man8/slappasswd.8
   openldap/trunk/doc/man/man8/slaptest.8
   openldap/trunk/include/Makefile.in
   openldap/trunk/include/ac/alloca.h
   openldap/trunk/include/ac/assert.h
   openldap/trunk/include/ac/bytes.h
   openldap/trunk/include/ac/crypt.h
   openldap/trunk/include/ac/ctype.h
   openldap/trunk/include/ac/dirent.h
   openldap/trunk/include/ac/errno.h
   openldap/trunk/include/ac/fdset.h
   openldap/trunk/include/ac/localize.h
   openldap/trunk/include/ac/param.h
   openldap/trunk/include/ac/regex.h
   openldap/trunk/include/ac/setproctitle.h
   openldap/trunk/include/ac/signal.h
   openldap/trunk/include/ac/socket.h
   openldap/trunk/include/ac/stdarg.h
   openldap/trunk/include/ac/stdlib.h
   openldap/trunk/include/ac/string.h
   openldap/trunk/include/ac/sysexits.h
   openldap/trunk/include/ac/syslog.h
   openldap/trunk/include/ac/termios.h
   openldap/trunk/include/ac/time.h
   openldap/trunk/include/ac/unistd.h
   openldap/trunk/include/ac/wait.h
   openldap/trunk/include/avl.h
   openldap/trunk/include/getopt-compat.h
   openldap/trunk/include/lber.h
   openldap/trunk/include/lber_pvt.h
   openldap/trunk/include/lber_types.hin
   openldap/trunk/include/ldap.h
   openldap/trunk/include/ldap_cdefs.h
   openldap/trunk/include/ldap_config.hin
   openldap/trunk/include/ldap_defaults.h
   openldap/trunk/include/ldap_features.hin
   openldap/trunk/include/ldap_int_thread.h
   openldap/trunk/include/ldap_log.h
   openldap/trunk/include/ldap_pvt.h
   openldap/trunk/include/ldap_pvt_thread.h
   openldap/trunk/include/ldap_pvt_uc.h
   openldap/trunk/include/ldap_queue.h
   openldap/trunk/include/ldap_rq.h
   openldap/trunk/include/ldap_schema.h
   openldap/trunk/include/ldap_utf8.h
   openldap/trunk/include/ldif.h
   openldap/trunk/include/lutil.h
   openldap/trunk/include/lutil_hash.h
   openldap/trunk/include/lutil_ldap.h
   openldap/trunk/include/lutil_lockf.h
   openldap/trunk/include/lutil_md5.h
   openldap/trunk/include/lutil_sha1.h
   openldap/trunk/include/portable.hin
   openldap/trunk/include/rewrite.h
   openldap/trunk/include/slapi-plugin.h
   openldap/trunk/include/sysexits-compat.h
   openldap/trunk/libraries/Makefile.in
   openldap/trunk/libraries/liblber/Makefile.in
   openldap/trunk/libraries/liblber/assert.c
   openldap/trunk/libraries/liblber/bprint.c
   openldap/trunk/libraries/liblber/debug.c
   openldap/trunk/libraries/liblber/decode.c
   openldap/trunk/libraries/liblber/dtest.c
   openldap/trunk/libraries/liblber/encode.c
   openldap/trunk/libraries/liblber/etest.c
   openldap/trunk/libraries/liblber/idtest.c
   openldap/trunk/libraries/liblber/io.c
   openldap/trunk/libraries/liblber/lber-int.h
   openldap/trunk/libraries/liblber/memory.c
   openldap/trunk/libraries/liblber/nt_err.c
   openldap/trunk/libraries/liblber/options.c
   openldap/trunk/libraries/liblber/sockbuf.c
   openldap/trunk/libraries/liblber/stdio.c
   openldap/trunk/libraries/libldap/Makefile.in
   openldap/trunk/libraries/libldap/abandon.c
   openldap/trunk/libraries/libldap/add.c
   openldap/trunk/libraries/libldap/addentry.c
   openldap/trunk/libraries/libldap/apitest.c
   openldap/trunk/libraries/libldap/bind.c
   openldap/trunk/libraries/libldap/cancel.c
   openldap/trunk/libraries/libldap/charray.c
   openldap/trunk/libraries/libldap/compare.c
   openldap/trunk/libraries/libldap/controls.c
   openldap/trunk/libraries/libldap/cyrus.c
   openldap/trunk/libraries/libldap/dds.c
   openldap/trunk/libraries/libldap/delete.c
   openldap/trunk/libraries/libldap/dnssrv.c
   openldap/trunk/libraries/libldap/dntest.c
   openldap/trunk/libraries/libldap/error.c
   openldap/trunk/libraries/libldap/extended.c
   openldap/trunk/libraries/libldap/filter.c
   openldap/trunk/libraries/libldap/free.c
   openldap/trunk/libraries/libldap/ftest.c
   openldap/trunk/libraries/libldap/getattr.c
   openldap/trunk/libraries/libldap/getdn.c
   openldap/trunk/libraries/libldap/getentry.c
   openldap/trunk/libraries/libldap/getvalues.c
   openldap/trunk/libraries/libldap/init.c
   openldap/trunk/libraries/libldap/ldap-int.h
   openldap/trunk/libraries/libldap/ldap_sync.c
   openldap/trunk/libraries/libldap/messages.c
   openldap/trunk/libraries/libldap/modify.c
   openldap/trunk/libraries/libldap/modrdn.c
   openldap/trunk/libraries/libldap/open.c
   openldap/trunk/libraries/libldap/options.c
   openldap/trunk/libraries/libldap/os-ip.c
   openldap/trunk/libraries/libldap/os-local.c
   openldap/trunk/libraries/libldap/pagectrl.c
   openldap/trunk/libraries/libldap/passwd.c
   openldap/trunk/libraries/libldap/ppolicy.c
   openldap/trunk/libraries/libldap/print.c
   openldap/trunk/libraries/libldap/references.c
   openldap/trunk/libraries/libldap/request.c
   openldap/trunk/libraries/libldap/result.c
   openldap/trunk/libraries/libldap/sasl.c
   openldap/trunk/libraries/libldap/sbind.c
   openldap/trunk/libraries/libldap/schema.c
   openldap/trunk/libraries/libldap/search.c
   openldap/trunk/libraries/libldap/sort.c
   openldap/trunk/libraries/libldap/sortctrl.c
   openldap/trunk/libraries/libldap/stctrl.c
   openldap/trunk/libraries/libldap/string.c
   openldap/trunk/libraries/libldap/t61.c
   openldap/trunk/libraries/libldap/test.c
   openldap/trunk/libraries/libldap/tls.c
   openldap/trunk/libraries/libldap/turn.c
   openldap/trunk/libraries/libldap/txn.c
   openldap/trunk/libraries/libldap/unbind.c
   openldap/trunk/libraries/libldap/url.c
   openldap/trunk/libraries/libldap/urltest.c
   openldap/trunk/libraries/libldap/utf-8-conv.c
   openldap/trunk/libraries/libldap/utf-8.c
   openldap/trunk/libraries/libldap/util-int.c
   openldap/trunk/libraries/libldap/vlvctrl.c
   openldap/trunk/libraries/libldap/whoami.c
   openldap/trunk/libraries/libldap_r/Makefile.in
   openldap/trunk/libraries/libldap_r/ldap_thr_debug.h
   openldap/trunk/libraries/libldap_r/rdwr.c
   openldap/trunk/libraries/libldap_r/rmutex.c
   openldap/trunk/libraries/libldap_r/rq.c
   openldap/trunk/libraries/libldap_r/thr_cthreads.c
   openldap/trunk/libraries/libldap_r/thr_debug.c
   openldap/trunk/libraries/libldap_r/thr_lwp.c
   openldap/trunk/libraries/libldap_r/thr_nt.c
   openldap/trunk/libraries/libldap_r/thr_posix.c
   openldap/trunk/libraries/libldap_r/thr_pth.c
   openldap/trunk/libraries/libldap_r/thr_stub.c
   openldap/trunk/libraries/libldap_r/thr_thr.c
   openldap/trunk/libraries/libldap_r/threads.c
   openldap/trunk/libraries/libldap_r/tpool.c
   openldap/trunk/libraries/liblunicode/Makefile.in
   openldap/trunk/libraries/liblunicode/ucdata/ucdata.c
   openldap/trunk/libraries/liblunicode/ucdata/ucdata.h
   openldap/trunk/libraries/liblunicode/ucdata/ucgendat.c
   openldap/trunk/libraries/liblunicode/ucdata/ucpgba.c
   openldap/trunk/libraries/liblunicode/ucdata/ucpgba.h
   openldap/trunk/libraries/liblunicode/ucstr.c
   openldap/trunk/libraries/liblunicode/ure/ure.c
   openldap/trunk/libraries/liblunicode/ure/ure.h
   openldap/trunk/libraries/liblunicode/ure/urestubs.c
   openldap/trunk/libraries/liblunicode/utbm/utbm.c
   openldap/trunk/libraries/liblunicode/utbm/utbm.h
   openldap/trunk/libraries/liblunicode/utbm/utbmstub.c
   openldap/trunk/libraries/liblutil/Makefile.in
   openldap/trunk/libraries/liblutil/avl.c
   openldap/trunk/libraries/liblutil/base64.c
   openldap/trunk/libraries/liblutil/csn.c
   openldap/trunk/libraries/liblutil/detach.c
   openldap/trunk/libraries/liblutil/entropy.c
   openldap/trunk/libraries/liblutil/fetch.c
   openldap/trunk/libraries/liblutil/getopt.c
   openldap/trunk/libraries/liblutil/getpass.c
   openldap/trunk/libraries/liblutil/getpeereid.c
   openldap/trunk/libraries/liblutil/hash.c
   openldap/trunk/libraries/liblutil/ldif.c
   openldap/trunk/libraries/liblutil/lockf.c
   openldap/trunk/libraries/liblutil/md5.c
   openldap/trunk/libraries/liblutil/memcmp.c
   openldap/trunk/libraries/liblutil/ntservice.c
   openldap/trunk/libraries/liblutil/passfile.c
   openldap/trunk/libraries/liblutil/passwd.c
   openldap/trunk/libraries/liblutil/ptest.c
   openldap/trunk/libraries/liblutil/sasl.c
   openldap/trunk/libraries/liblutil/setproctitle.c
   openldap/trunk/libraries/liblutil/sha1.c
   openldap/trunk/libraries/liblutil/signal.c
   openldap/trunk/libraries/liblutil/sockpair.c
   openldap/trunk/libraries/liblutil/tavl.c
   openldap/trunk/libraries/liblutil/testavl.c
   openldap/trunk/libraries/liblutil/testtavl.c
   openldap/trunk/libraries/liblutil/utils.c
   openldap/trunk/libraries/liblutil/uuid.c
   openldap/trunk/libraries/librewrite/Makefile.in
   openldap/trunk/libraries/librewrite/config.c
   openldap/trunk/libraries/librewrite/context.c
   openldap/trunk/libraries/librewrite/info.c
   openldap/trunk/libraries/librewrite/ldapmap.c
   openldap/trunk/libraries/librewrite/map.c
   openldap/trunk/libraries/librewrite/params.c
   openldap/trunk/libraries/librewrite/parse.c
   openldap/trunk/libraries/librewrite/rewrite-int.h
   openldap/trunk/libraries/librewrite/rewrite-map.h
   openldap/trunk/libraries/librewrite/rewrite.c
   openldap/trunk/libraries/librewrite/rule.c
   openldap/trunk/libraries/librewrite/session.c
   openldap/trunk/libraries/librewrite/subst.c
   openldap/trunk/libraries/librewrite/var.c
   openldap/trunk/libraries/librewrite/xmap.c
   openldap/trunk/servers/Makefile.in
   openldap/trunk/servers/slapd/DB_CONFIG
   openldap/trunk/servers/slapd/Makefile.in
   openldap/trunk/servers/slapd/abandon.c
   openldap/trunk/servers/slapd/aci.c
   openldap/trunk/servers/slapd/acl.c
   openldap/trunk/servers/slapd/aclparse.c
   openldap/trunk/servers/slapd/ad.c
   openldap/trunk/servers/slapd/add.c
   openldap/trunk/servers/slapd/alock.c
   openldap/trunk/servers/slapd/alock.h
   openldap/trunk/servers/slapd/at.c
   openldap/trunk/servers/slapd/attr.c
   openldap/trunk/servers/slapd/ava.c
   openldap/trunk/servers/slapd/back-bdb/Makefile.in
   openldap/trunk/servers/slapd/back-bdb/add.c
   openldap/trunk/servers/slapd/back-bdb/attr.c
   openldap/trunk/servers/slapd/back-bdb/back-bdb.h
   openldap/trunk/servers/slapd/back-bdb/bind.c
   openldap/trunk/servers/slapd/back-bdb/cache.c
   openldap/trunk/servers/slapd/back-bdb/compare.c
   openldap/trunk/servers/slapd/back-bdb/config.c
   openldap/trunk/servers/slapd/back-bdb/dbcache.c
   openldap/trunk/servers/slapd/back-bdb/delete.c
   openldap/trunk/servers/slapd/back-bdb/dn2entry.c
   openldap/trunk/servers/slapd/back-bdb/dn2id.c
   openldap/trunk/servers/slapd/back-bdb/error.c
   openldap/trunk/servers/slapd/back-bdb/extended.c
   openldap/trunk/servers/slapd/back-bdb/filterindex.c
   openldap/trunk/servers/slapd/back-bdb/id2entry.c
   openldap/trunk/servers/slapd/back-bdb/idl.c
   openldap/trunk/servers/slapd/back-bdb/idl.h
   openldap/trunk/servers/slapd/back-bdb/index.c
   openldap/trunk/servers/slapd/back-bdb/init.c
   openldap/trunk/servers/slapd/back-bdb/key.c
   openldap/trunk/servers/slapd/back-bdb/modify.c
   openldap/trunk/servers/slapd/back-bdb/modrdn.c
   openldap/trunk/servers/slapd/back-bdb/monitor.c
   openldap/trunk/servers/slapd/back-bdb/nextid.c
   openldap/trunk/servers/slapd/back-bdb/operational.c
   openldap/trunk/servers/slapd/back-bdb/proto-bdb.h
   openldap/trunk/servers/slapd/back-bdb/referral.c
   openldap/trunk/servers/slapd/back-bdb/search.c
   openldap/trunk/servers/slapd/back-bdb/tools.c
   openldap/trunk/servers/slapd/back-bdb/trans.c
   openldap/trunk/servers/slapd/back-dnssrv/Makefile.in
   openldap/trunk/servers/slapd/back-dnssrv/bind.c
   openldap/trunk/servers/slapd/back-dnssrv/compare.c
   openldap/trunk/servers/slapd/back-dnssrv/config.c
   openldap/trunk/servers/slapd/back-dnssrv/init.c
   openldap/trunk/servers/slapd/back-dnssrv/proto-dnssrv.h
   openldap/trunk/servers/slapd/back-dnssrv/referral.c
   openldap/trunk/servers/slapd/back-dnssrv/search.c
   openldap/trunk/servers/slapd/back-hdb/Makefile.in
   openldap/trunk/servers/slapd/back-hdb/back-bdb.h
   openldap/trunk/servers/slapd/back-ldap/Makefile.in
   openldap/trunk/servers/slapd/back-ldap/add.c
   openldap/trunk/servers/slapd/back-ldap/back-ldap.h
   openldap/trunk/servers/slapd/back-ldap/bind.c
   openldap/trunk/servers/slapd/back-ldap/chain.c
   openldap/trunk/servers/slapd/back-ldap/compare.c
   openldap/trunk/servers/slapd/back-ldap/config.c
   openldap/trunk/servers/slapd/back-ldap/delete.c
   openldap/trunk/servers/slapd/back-ldap/distproc.c
   openldap/trunk/servers/slapd/back-ldap/extended.c
   openldap/trunk/servers/slapd/back-ldap/init.c
   openldap/trunk/servers/slapd/back-ldap/modify.c
   openldap/trunk/servers/slapd/back-ldap/modrdn.c
   openldap/trunk/servers/slapd/back-ldap/monitor.c
   openldap/trunk/servers/slapd/back-ldap/proto-ldap.h
   openldap/trunk/servers/slapd/back-ldap/search.c
   openldap/trunk/servers/slapd/back-ldap/unbind.c
   openldap/trunk/servers/slapd/back-ldif/Makefile.in
   openldap/trunk/servers/slapd/back-ldif/ldif.c
   openldap/trunk/servers/slapd/back-meta/Makefile.in
   openldap/trunk/servers/slapd/back-meta/add.c
   openldap/trunk/servers/slapd/back-meta/back-meta.h
   openldap/trunk/servers/slapd/back-meta/bind.c
   openldap/trunk/servers/slapd/back-meta/candidates.c
   openldap/trunk/servers/slapd/back-meta/compare.c
   openldap/trunk/servers/slapd/back-meta/config.c
   openldap/trunk/servers/slapd/back-meta/conn.c
   openldap/trunk/servers/slapd/back-meta/delete.c
   openldap/trunk/servers/slapd/back-meta/dncache.c
   openldap/trunk/servers/slapd/back-meta/init.c
   openldap/trunk/servers/slapd/back-meta/map.c
   openldap/trunk/servers/slapd/back-meta/modify.c
   openldap/trunk/servers/slapd/back-meta/modrdn.c
   openldap/trunk/servers/slapd/back-meta/proto-meta.h
   openldap/trunk/servers/slapd/back-meta/search.c
   openldap/trunk/servers/slapd/back-meta/suffixmassage.c
   openldap/trunk/servers/slapd/back-meta/unbind.c
   openldap/trunk/servers/slapd/back-monitor/Makefile.in
   openldap/trunk/servers/slapd/back-monitor/back-monitor.h
   openldap/trunk/servers/slapd/back-monitor/backend.c
   openldap/trunk/servers/slapd/back-monitor/bind.c
   openldap/trunk/servers/slapd/back-monitor/cache.c
   openldap/trunk/servers/slapd/back-monitor/compare.c
   openldap/trunk/servers/slapd/back-monitor/conn.c
   openldap/trunk/servers/slapd/back-monitor/database.c
   openldap/trunk/servers/slapd/back-monitor/entry.c
   openldap/trunk/servers/slapd/back-monitor/init.c
   openldap/trunk/servers/slapd/back-monitor/listener.c
   openldap/trunk/servers/slapd/back-monitor/log.c
   openldap/trunk/servers/slapd/back-monitor/modify.c
   openldap/trunk/servers/slapd/back-monitor/operation.c
   openldap/trunk/servers/slapd/back-monitor/operational.c
   openldap/trunk/servers/slapd/back-monitor/overlay.c
   openldap/trunk/servers/slapd/back-monitor/proto-back-monitor.h
   openldap/trunk/servers/slapd/back-monitor/rww.c
   openldap/trunk/servers/slapd/back-monitor/search.c
   openldap/trunk/servers/slapd/back-monitor/sent.c
   openldap/trunk/servers/slapd/back-monitor/thread.c
   openldap/trunk/servers/slapd/back-monitor/time.c
   openldap/trunk/servers/slapd/back-null/Makefile.in
   openldap/trunk/servers/slapd/back-null/null.c
   openldap/trunk/servers/slapd/back-passwd/Makefile.in
   openldap/trunk/servers/slapd/back-passwd/back-passwd.h
   openldap/trunk/servers/slapd/back-passwd/config.c
   openldap/trunk/servers/slapd/back-passwd/init.c
   openldap/trunk/servers/slapd/back-passwd/proto-passwd.h
   openldap/trunk/servers/slapd/back-passwd/search.c
   openldap/trunk/servers/slapd/back-perl/Makefile.in
   openldap/trunk/servers/slapd/back-perl/SampleLDAP.pm
   openldap/trunk/servers/slapd/back-perl/add.c
   openldap/trunk/servers/slapd/back-perl/asperl_undefs.h
   openldap/trunk/servers/slapd/back-perl/bind.c
   openldap/trunk/servers/slapd/back-perl/close.c
   openldap/trunk/servers/slapd/back-perl/compare.c
   openldap/trunk/servers/slapd/back-perl/config.c
   openldap/trunk/servers/slapd/back-perl/delete.c
   openldap/trunk/servers/slapd/back-perl/init.c
   openldap/trunk/servers/slapd/back-perl/modify.c
   openldap/trunk/servers/slapd/back-perl/modrdn.c
   openldap/trunk/servers/slapd/back-perl/perl_back.h
   openldap/trunk/servers/slapd/back-perl/proto-perl.h
   openldap/trunk/servers/slapd/back-perl/search.c
   openldap/trunk/servers/slapd/back-relay/Makefile.in
   openldap/trunk/servers/slapd/back-relay/back-relay.h
   openldap/trunk/servers/slapd/back-relay/init.c
   openldap/trunk/servers/slapd/back-relay/op.c
   openldap/trunk/servers/slapd/back-relay/proto-back-relay.h
   openldap/trunk/servers/slapd/back-shell/Makefile.in
   openldap/trunk/servers/slapd/back-shell/add.c
   openldap/trunk/servers/slapd/back-shell/bind.c
   openldap/trunk/servers/slapd/back-shell/compare.c
   openldap/trunk/servers/slapd/back-shell/config.c
   openldap/trunk/servers/slapd/back-shell/delete.c
   openldap/trunk/servers/slapd/back-shell/fork.c
   openldap/trunk/servers/slapd/back-shell/init.c
   openldap/trunk/servers/slapd/back-shell/modify.c
   openldap/trunk/servers/slapd/back-shell/modrdn.c
   openldap/trunk/servers/slapd/back-shell/proto-shell.h
   openldap/trunk/servers/slapd/back-shell/result.c
   openldap/trunk/servers/slapd/back-shell/search.c
   openldap/trunk/servers/slapd/back-shell/searchexample.conf
   openldap/trunk/servers/slapd/back-shell/searchexample.sh
   openldap/trunk/servers/slapd/back-shell/shell.h
   openldap/trunk/servers/slapd/back-shell/unbind.c
   openldap/trunk/servers/slapd/back-sql/Makefile.in
   openldap/trunk/servers/slapd/back-sql/add.c
   openldap/trunk/servers/slapd/back-sql/api.c
   openldap/trunk/servers/slapd/back-sql/back-sql.h
   openldap/trunk/servers/slapd/back-sql/bind.c
   openldap/trunk/servers/slapd/back-sql/compare.c
   openldap/trunk/servers/slapd/back-sql/config.c
   openldap/trunk/servers/slapd/back-sql/delete.c
   openldap/trunk/servers/slapd/back-sql/entry-id.c
   openldap/trunk/servers/slapd/back-sql/init.c
   openldap/trunk/servers/slapd/back-sql/modify.c
   openldap/trunk/servers/slapd/back-sql/modrdn.c
   openldap/trunk/servers/slapd/back-sql/operational.c
   openldap/trunk/servers/slapd/back-sql/proto-sql.h
   openldap/trunk/servers/slapd/back-sql/rdbms_depend/timesten/dnreverse/Makefile
   openldap/trunk/servers/slapd/back-sql/rdbms_depend/timesten/dnreverse/dnreverse.cpp
   openldap/trunk/servers/slapd/back-sql/schema-map.c
   openldap/trunk/servers/slapd/back-sql/search.c
   openldap/trunk/servers/slapd/back-sql/sql-wrap.c
   openldap/trunk/servers/slapd/back-sql/util.c
   openldap/trunk/servers/slapd/backend.c
   openldap/trunk/servers/slapd/backglue.c
   openldap/trunk/servers/slapd/backover.c
   openldap/trunk/servers/slapd/bconfig.c
   openldap/trunk/servers/slapd/bind.c
   openldap/trunk/servers/slapd/cancel.c
   openldap/trunk/servers/slapd/ch_malloc.c
   openldap/trunk/servers/slapd/compare.c
   openldap/trunk/servers/slapd/component.c
   openldap/trunk/servers/slapd/component.h
   openldap/trunk/servers/slapd/config.c
   openldap/trunk/servers/slapd/config.h
   openldap/trunk/servers/slapd/connection.c
   openldap/trunk/servers/slapd/controls.c
   openldap/trunk/servers/slapd/cr.c
   openldap/trunk/servers/slapd/ctxcsn.c
   openldap/trunk/servers/slapd/daemon.c
   openldap/trunk/servers/slapd/delete.c
   openldap/trunk/servers/slapd/dn.c
   openldap/trunk/servers/slapd/entry.c
   openldap/trunk/servers/slapd/extended.c
   openldap/trunk/servers/slapd/filter.c
   openldap/trunk/servers/slapd/filterentry.c
   openldap/trunk/servers/slapd/frontend.c
   openldap/trunk/servers/slapd/globals.c
   openldap/trunk/servers/slapd/index.c
   openldap/trunk/servers/slapd/init.c
   openldap/trunk/servers/slapd/ldapsync.c
   openldap/trunk/servers/slapd/limits.c
   openldap/trunk/servers/slapd/lock.c
   openldap/trunk/servers/slapd/main.c
   openldap/trunk/servers/slapd/matchedValues.c
   openldap/trunk/servers/slapd/modify.c
   openldap/trunk/servers/slapd/modrdn.c
   openldap/trunk/servers/slapd/mods.c
   openldap/trunk/servers/slapd/module.c
   openldap/trunk/servers/slapd/mr.c
   openldap/trunk/servers/slapd/mra.c
   openldap/trunk/servers/slapd/nt_svc.c
   openldap/trunk/servers/slapd/oc.c
   openldap/trunk/servers/slapd/oidm.c
   openldap/trunk/servers/slapd/operation.c
   openldap/trunk/servers/slapd/operational.c
   openldap/trunk/servers/slapd/overlays/Makefile.in
   openldap/trunk/servers/slapd/overlays/accesslog.c
   openldap/trunk/servers/slapd/overlays/auditlog.c
   openldap/trunk/servers/slapd/overlays/collect.c
   openldap/trunk/servers/slapd/overlays/constraint.c
   openldap/trunk/servers/slapd/overlays/dds.c
   openldap/trunk/servers/slapd/overlays/dyngroup.c
   openldap/trunk/servers/slapd/overlays/dynlist.c
   openldap/trunk/servers/slapd/overlays/memberof.c
   openldap/trunk/servers/slapd/overlays/overlays.c
   openldap/trunk/servers/slapd/overlays/pcache.c
   openldap/trunk/servers/slapd/overlays/ppolicy.c
   openldap/trunk/servers/slapd/overlays/refint.c
   openldap/trunk/servers/slapd/overlays/retcode.c
   openldap/trunk/servers/slapd/overlays/rwm.c
   openldap/trunk/servers/slapd/overlays/rwm.h
   openldap/trunk/servers/slapd/overlays/rwmconf.c
   openldap/trunk/servers/slapd/overlays/rwmdn.c
   openldap/trunk/servers/slapd/overlays/rwmmap.c
   openldap/trunk/servers/slapd/overlays/seqmod.c
   openldap/trunk/servers/slapd/overlays/syncprov.c
   openldap/trunk/servers/slapd/overlays/translucent.c
   openldap/trunk/servers/slapd/overlays/unique.c
   openldap/trunk/servers/slapd/overlays/valsort.c
   openldap/trunk/servers/slapd/passwd.c
   openldap/trunk/servers/slapd/phonetic.c
   openldap/trunk/servers/slapd/proto-slap.h
   openldap/trunk/servers/slapd/referral.c
   openldap/trunk/servers/slapd/result.c
   openldap/trunk/servers/slapd/root_dse.c
   openldap/trunk/servers/slapd/sasl.c
   openldap/trunk/servers/slapd/saslauthz.c
   openldap/trunk/servers/slapd/schema.c
   openldap/trunk/servers/slapd/schema/README
   openldap/trunk/servers/slapd/schema/cosine.ldif
   openldap/trunk/servers/slapd/schema/duaconf.schema
   openldap/trunk/servers/slapd/schema/dyngroup.schema
   openldap/trunk/servers/slapd/schema/inetorgperson.ldif
   openldap/trunk/servers/slapd/schema/inetorgperson.schema
   openldap/trunk/servers/slapd/schema/misc.schema
   openldap/trunk/servers/slapd/schema/nadf.schema
   openldap/trunk/servers/slapd/schema/nis.ldif
   openldap/trunk/servers/slapd/schema/nis.schema
   openldap/trunk/servers/slapd/schema/openldap.ldif
   openldap/trunk/servers/slapd/schema/openldap.schema
   openldap/trunk/servers/slapd/schema_check.c
   openldap/trunk/servers/slapd/schema_init.c
   openldap/trunk/servers/slapd/schema_prep.c
   openldap/trunk/servers/slapd/schemaparse.c
   openldap/trunk/servers/slapd/search.c
   openldap/trunk/servers/slapd/sets.c
   openldap/trunk/servers/slapd/sets.h
   openldap/trunk/servers/slapd/shell-backends/Makefile.in
   openldap/trunk/servers/slapd/shell-backends/passwd-shell.c
   openldap/trunk/servers/slapd/shell-backends/shellutil.c
   openldap/trunk/servers/slapd/shell-backends/shellutil.h
   openldap/trunk/servers/slapd/sl_malloc.c
   openldap/trunk/servers/slapd/slap.h
   openldap/trunk/servers/slapd/slapacl.c
   openldap/trunk/servers/slapd/slapadd.c
   openldap/trunk/servers/slapd/slapauth.c
   openldap/trunk/servers/slapd/slapcat.c
   openldap/trunk/servers/slapd/slapcommon.c
   openldap/trunk/servers/slapd/slapcommon.h
   openldap/trunk/servers/slapd/slapdn.c
   openldap/trunk/servers/slapd/slapi/Makefile.in
   openldap/trunk/servers/slapd/slapi/plugin.c
   openldap/trunk/servers/slapd/slapi/printmsg.c
   openldap/trunk/servers/slapd/slapi/proto-slapi.h
   openldap/trunk/servers/slapd/slapi/slapi.h
   openldap/trunk/servers/slapd/slapi/slapi_dn.c
   openldap/trunk/servers/slapd/slapi/slapi_ext.c
   openldap/trunk/servers/slapd/slapi/slapi_ops.c
   openldap/trunk/servers/slapd/slapi/slapi_overlay.c
   openldap/trunk/servers/slapd/slapi/slapi_pblock.c
   openldap/trunk/servers/slapd/slapi/slapi_utils.c
   openldap/trunk/servers/slapd/slapindex.c
   openldap/trunk/servers/slapd/slappasswd.c
   openldap/trunk/servers/slapd/slaptest.c
   openldap/trunk/servers/slapd/starttls.c
   openldap/trunk/servers/slapd/str2filter.c
   openldap/trunk/servers/slapd/syncrepl.c
   openldap/trunk/servers/slapd/syntax.c
   openldap/trunk/servers/slapd/txn.c
   openldap/trunk/servers/slapd/unbind.c
   openldap/trunk/servers/slapd/user.c
   openldap/trunk/servers/slapd/value.c
   openldap/trunk/servers/slapd/zn_malloc.c
   openldap/trunk/tests/Makefile.in
   openldap/trunk/tests/data/ditcontentrules.conf
   openldap/trunk/tests/data/dn.out
   openldap/trunk/tests/data/do_add.1
   openldap/trunk/tests/data/do_add.2
   openldap/trunk/tests/data/do_add.3
   openldap/trunk/tests/data/do_add.4
   openldap/trunk/tests/data/dynlist.out
   openldap/trunk/tests/data/emptydn.out
   openldap/trunk/tests/data/emptydn.out.slapadd
   openldap/trunk/tests/data/regressions/its4184/its4184
   openldap/trunk/tests/data/regressions/its4326/its4326
   openldap/trunk/tests/data/regressions/its4326/slapd.conf
   openldap/trunk/tests/data/regressions/its4336/its4336
   openldap/trunk/tests/data/regressions/its4336/slapd.conf
   openldap/trunk/tests/data/regressions/its4337/its4337
   openldap/trunk/tests/data/regressions/its4337/slapd.conf
   openldap/trunk/tests/data/regressions/its4448/its4448
   openldap/trunk/tests/data/regressions/its4448/slapd-meta.conf
   openldap/trunk/tests/data/relay.out
   openldap/trunk/tests/data/retcode.conf
   openldap/trunk/tests/data/slapd-aci.conf
   openldap/trunk/tests/data/slapd-acl.conf
   openldap/trunk/tests/data/slapd-cache-master.conf
   openldap/trunk/tests/data/slapd-chain1.conf
   openldap/trunk/tests/data/slapd-chain2.conf
   openldap/trunk/tests/data/slapd-component.conf
   openldap/trunk/tests/data/slapd-dds.conf
   openldap/trunk/tests/data/slapd-deltasync-master.conf
   openldap/trunk/tests/data/slapd-deltasync-slave.conf
   openldap/trunk/tests/data/slapd-dn.conf
   openldap/trunk/tests/data/slapd-dnssrv.conf
   openldap/trunk/tests/data/slapd-dynlist.conf
   openldap/trunk/tests/data/slapd-emptydn.conf
   openldap/trunk/tests/data/slapd-glue-ldap.conf
   openldap/trunk/tests/data/slapd-glue-syncrepl1.conf
   openldap/trunk/tests/data/slapd-glue-syncrepl2.conf
   openldap/trunk/tests/data/slapd-glue.conf
   openldap/trunk/tests/data/slapd-idassert.conf
   openldap/trunk/tests/data/slapd-ldapglue.conf
   openldap/trunk/tests/data/slapd-ldapgluegroups.conf
   openldap/trunk/tests/data/slapd-ldapgluepeople.conf
   openldap/trunk/tests/data/slapd-limits.conf
   openldap/trunk/tests/data/slapd-master.conf
   openldap/trunk/tests/data/slapd-meta-target1.conf
   openldap/trunk/tests/data/slapd-meta-target2.conf
   openldap/trunk/tests/data/slapd-meta.conf
   openldap/trunk/tests/data/slapd-nis-master.conf
   openldap/trunk/tests/data/slapd-passwd.conf
   openldap/trunk/tests/data/slapd-ppolicy.conf
   openldap/trunk/tests/data/slapd-proxycache.conf
   openldap/trunk/tests/data/slapd-pw.conf
   openldap/trunk/tests/data/slapd-ref-slave.conf
   openldap/trunk/tests/data/slapd-referrals.conf
   openldap/trunk/tests/data/slapd-refint.conf
   openldap/trunk/tests/data/slapd-relay.conf
   openldap/trunk/tests/data/slapd-repl-slave-remote.conf
   openldap/trunk/tests/data/slapd-retcode.conf
   openldap/trunk/tests/data/slapd-schema.conf
   openldap/trunk/tests/data/slapd-sql-syncrepl-master.conf
   openldap/trunk/tests/data/slapd-sql.conf
   openldap/trunk/tests/data/slapd-syncrepl-master.conf
   openldap/trunk/tests/data/slapd-syncrepl-multiproxy.conf
   openldap/trunk/tests/data/slapd-syncrepl-slave-persist-ldap.conf
   openldap/trunk/tests/data/slapd-syncrepl-slave-persist1.conf
   openldap/trunk/tests/data/slapd-syncrepl-slave-persist2.conf
   openldap/trunk/tests/data/slapd-syncrepl-slave-persist3.conf
   openldap/trunk/tests/data/slapd-syncrepl-slave-refresh1.conf
   openldap/trunk/tests/data/slapd-syncrepl-slave-refresh2.conf
   openldap/trunk/tests/data/slapd-translucent-local.conf
   openldap/trunk/tests/data/slapd-translucent-remote.conf
   openldap/trunk/tests/data/slapd-unique.conf
   openldap/trunk/tests/data/slapd-valsort.conf
   openldap/trunk/tests/data/slapd-whoami.conf
   openldap/trunk/tests/data/slapd.conf
   openldap/trunk/tests/data/slapd2.conf
   openldap/trunk/tests/data/test.schema
   openldap/trunk/tests/progs/Makefile.in
   openldap/trunk/tests/progs/slapd-addel.c
   openldap/trunk/tests/progs/slapd-bind.c
   openldap/trunk/tests/progs/slapd-common.c
   openldap/trunk/tests/progs/slapd-common.h
   openldap/trunk/tests/progs/slapd-modify.c
   openldap/trunk/tests/progs/slapd-modrdn.c
   openldap/trunk/tests/progs/slapd-read.c
   openldap/trunk/tests/progs/slapd-search.c
   openldap/trunk/tests/progs/slapd-tester.c
   openldap/trunk/tests/run.in
   openldap/trunk/tests/scripts/acfilter.sh
   openldap/trunk/tests/scripts/all
   openldap/trunk/tests/scripts/conf.sh
   openldap/trunk/tests/scripts/defines.sh
   openldap/trunk/tests/scripts/its-all
   openldap/trunk/tests/scripts/passwd-search
   openldap/trunk/tests/scripts/relay
   openldap/trunk/tests/scripts/sql-all
   openldap/trunk/tests/scripts/sql-test000-read
   openldap/trunk/tests/scripts/sql-test001-concurrency
   openldap/trunk/tests/scripts/sql-test900-write
   openldap/trunk/tests/scripts/sql-test901-syncrepl
   openldap/trunk/tests/scripts/start-server
   openldap/trunk/tests/scripts/start-server-nolog
   openldap/trunk/tests/scripts/start-server2
   openldap/trunk/tests/scripts/start-server2-nolog
   openldap/trunk/tests/scripts/startup_nis_ldap_server.sh
   openldap/trunk/tests/scripts/test000-rootdse
   openldap/trunk/tests/scripts/test001-slapadd
   openldap/trunk/tests/scripts/test002-populate
   openldap/trunk/tests/scripts/test003-search
   openldap/trunk/tests/scripts/test004-modify
   openldap/trunk/tests/scripts/test005-modrdn
   openldap/trunk/tests/scripts/test006-acls
   openldap/trunk/tests/scripts/test008-concurrency
   openldap/trunk/tests/scripts/test009-referral
   openldap/trunk/tests/scripts/test010-passwd
   openldap/trunk/tests/scripts/test011-glue-slapadd
   openldap/trunk/tests/scripts/test012-glue-populate
   openldap/trunk/tests/scripts/test013-language
   openldap/trunk/tests/scripts/test014-whoami
   openldap/trunk/tests/scripts/test015-xsearch
   openldap/trunk/tests/scripts/test016-subref
   openldap/trunk/tests/scripts/test017-syncreplication-refresh
   openldap/trunk/tests/scripts/test018-syncreplication-persist
   openldap/trunk/tests/scripts/test019-syncreplication-cascade
   openldap/trunk/tests/scripts/test020-proxycache
   openldap/trunk/tests/scripts/test021-certificate
   openldap/trunk/tests/scripts/test022-ppolicy
   openldap/trunk/tests/scripts/test023-refint
   openldap/trunk/tests/scripts/test024-unique
   openldap/trunk/tests/scripts/test025-limits
   openldap/trunk/tests/scripts/test026-dn
   openldap/trunk/tests/scripts/test027-emptydn
   openldap/trunk/tests/scripts/test028-idassert
   openldap/trunk/tests/scripts/test029-ldapglue
   openldap/trunk/tests/scripts/test030-relay
   openldap/trunk/tests/scripts/test031-component-filter
   openldap/trunk/tests/scripts/test032-chain
   openldap/trunk/tests/scripts/test033-glue-syncrepl
   openldap/trunk/tests/scripts/test034-translucent
   openldap/trunk/tests/scripts/test035-meta
   openldap/trunk/tests/scripts/test036-meta-concurrency
   openldap/trunk/tests/scripts/test037-manage
   openldap/trunk/tests/scripts/test038-retcode
   openldap/trunk/tests/scripts/test039-glue-ldap-concurrency
   openldap/trunk/tests/scripts/test040-subtree-rename
   openldap/trunk/tests/scripts/test041-aci
   openldap/trunk/tests/scripts/test042-valsort
   openldap/trunk/tests/scripts/test043-delta-syncrepl
   openldap/trunk/tests/scripts/test044-dynlist
   openldap/trunk/tests/scripts/test045-syncreplication-proxied
   openldap/trunk/tests/scripts/test046-dds
   openldap/trunk/tests/scripts/test047-ldap
   openldap/trunk/tests/scripts/test048-syncrepl-multiproxy
   openldap/trunk/tests/scripts/test049-sync-config
   openldap/trunk/tests/scripts/test050-syncrepl-multimaster
   openldap/trunk/tests/scripts/test051-config-undo
   openldap/trunk/tests/scripts/test052-memberof
Log:
 * Update to 2.4.9.


Modified: openldap/trunk/ANNOUNCEMENT
===================================================================
--- openldap/trunk/ANNOUNCEMENT	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/ANNOUNCEMENT	2008-05-25 14:29:31 UTC (rev 1128)
@@ -106,6 +106,6 @@
 ---
 OpenLDAP is a registered trademark of the OpenLDAP Foundation.
 
-Copyright 1999-2007 The OpenLDAP Foundation, Redwood City,
+Copyright 1999-2008 The OpenLDAP Foundation, Redwood City,
 California, USA.  All Rights Reserved.  Permission to copy and
 distribute verbatim copies of this document is granted.

Modified: openldap/trunk/CHANGES
===================================================================
--- openldap/trunk/CHANGES	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/CHANGES	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,127 @@
 OpenLDAP 2.4 Change Log
 
+OpenLDAP 2.4.9 Release (2008/05/07)
+	Fixed libldap to use unsigned port (ITS#5436)
+	Fixed libldap error message for missing close paren (ITS#5458)
+	Fixed libldap_r tpool pause checks (ITS#5364, #5407)
+	Fixed slapcat error checking (ITS#5387)
+	Fixed slapd abstract objectClass inheritance check (ITS#5474)
+	Fixed slapd add operations requiring naming attrs (ITS#5412)
+	Fixed slapd connection handling (ITS#5469)
+	Fixed slapd delta-syncrepl resync (ITS#5378)
+	Fixed slapd frontendDB backend selection (ITS#5419)
+	Fixed slapd pagedresults stale state (ITS#5409)
+	Fixed slapd pointer dereference (ITS#5388)
+	Fixed slapd null argument dereference (ITS#5435)
+	Fixed slapd REP_ENTRY flags (ITS#5340)
+	Fixed slapd sets attribute description parsing (ITS#5402)
+	Fixed slapd syncrepl hang on back-config (ITS#5407)
+	Fixed slapd syncrepl compare_csns crash (ITS#5413)
+	Fixed slapd syncrepl contextCSN update clash (ITS#5426)
+	Fixed slapd syncrepl/glue failure (ITS#5430)
+	Fixed slapd syncrepl crash on empty CSN (ITS#5432)
+	Fixed slapd syncrepl refreshAndPersist (ITS#5454)
+	Fixed slapd syncrepl modrdn processing (ITS#5397)
+	Fixed slapd syncrepl MMR partial refresh (ITS#5470)
+	Fixed slapd value list termination (ITS#5450)
+	Fixed slapd/slapo-accesslog rq mutex usage (ITS#5442)
+	Fixed slapd-bdb ID_NOCACHE handling (ITS#5439)
+	Fixed slapd-bdb entryinfo state if db_lock fails (ITS#5455)
+	Fixed slapd-bdb referral rewrite (ITS#5339)
+	Fixed slapd-config overlay stacking (ITS#5346)
+	Fixed slapd-config attribute publishing (ITS#5383)
+	Fixed slapd-ldap connection handler (ITS#5404)
+	Fixed slapd-ldif file name handling & multi-suffix/dir catch (ITS#5408)
+	Fixed slapd-meta connections on error (ITS#5440)
+	Fixed slapd-meta crash on search (ITS#5481)
+	Fixed slapo-accesslog null callback stack crash (ITS#5490)
+	Fixed slapo-auditlog unnecessary syscall (ITS#5441)
+	Added slapo-dynlist mapping to dynamic attrs generation (ITS#5466)
+	Fixed slapo-refint dnSubtreeMatch (ITS#5427)
+	Fixed slapo-refint global referential integrity (ITS#5428)
+	Fixed slapo-syncprov psearch on closed connection (ITS#5401)
+	Fixed slapo-syncprov psearch task delay (ITS#5405)
+	Fixed slapo-syncprov psearch filter identity (ITS#5418, #5486)
+	Fixed slapo-syncprov/glue contextCSN update (ITS#5433)
+	Fixed slapo-syncprov/glue search ops (ITS#5434)
+	Fixed slapo-syncprov null cookie (ITS#5437,#5444)
+	Fixed slapo-syncprov double-free (ITS#5445)
+	Fixed slapo-syncprov free syncop correctly (ITS#5484)
+	Fixed slapo-syncprov glue deadlock (ITS#5451)
+	Build Environment
+		Fixed leave function naming for OSF1 (ITS#5411)
+	Documentation
+		Fixed slapd.access(5) authz-regexp documented behavior (ITS#5400)
+		Fixed slapd.meta(5) idassert-* documentation (ITS#5406)
+		admin24 delta-syncrepl documentation (ITS#5476)
+		admin24 set documentation (ITS#5278,ITS#5279,ITS#5281)
+		admin24 slapo-ppolicy documentation (ITS#5479)
+		admin24 syncrepl directives update (ITS#5425)
+
+OpenLDAP 2.4.8 Release (2008/02/19)
+	Fixed ldapmodify verbose logging (ITS#5247)
+	Fixed ldapdelete with sizelimit (ITS#5294)
+	Fixed ldapdelete with subentries control (ITS#5293)
+	Fixed ldapsearch exit code init (ITS#5317)
+	Fixed libldap extended decoding (ITS#5304)
+	Fixed libldap filter abort (ITS#5300)
+	Fixed libldap ldap_parse_sasl_bind_result (ITS#5263)
+	Fixed libldap result codes for open (ITS#5338)
+	Fixed libldap search timeout crash (ITS#5291)
+	Fixed libldap paged results crash (ITS#5315)
+	Fixed libldap cipher suite with GnuTLS (ITS#5341)
+	Fixed slapd support for 2.1 CSN (ITS#5348)
+	Fixed slapd include handling (ITS#5276)
+	Fixed slapd modrdn check for valid new DN (ITS#5344)
+	Fixed slapd multi-step SASL binds (ITS#5298)
+	Fixed slapd non-atomic signal variables (ITS#5248)
+	Fixed slapd overlay ordering when moving to slapd.d (ITS#5284)
+	Fixed slapd NULL printf (ITS#5264)	
+	Fixed slapd NULL set values (ITS#5286)
+	Fixed slapd segv with SASL/OTP (ITS#5259)
+	Fixed slapd timestamp race condition (ITS#5370)
+	Fixed slapd cn=config crash on delete (ITS#5343)
+	Fixed slapd cn=config global acls (ITS#5352)
+	Fixed slapd truncated cookie (ITS#5362)
+	Fixed slapd sasl with CLEARTEXT (ITS#5368)
+	Fixed slapd str2entry with no attrs (ITS#5308)
+	Fixed slapd TLSVerifyClient default (ITS#5360)
+	Fixed slapd HAVE_TLS dependency (ITS#5379)
+	Fixed slapd delta-syncrepl refresh mode (ITS#5376)
+	Fixed slapd ACL sets URI attrs (ITS#5384)
+	Fixed slapd invalid entryUUID filter (ITS#5386)
+	Fixed slapd-bdb idlcache on adds (ITS#5086)
+	Fixed slapd-bdb crash with modrdn (ITS#5358)
+	Fixed slapd-bdb segv with bdb4.6 (ITS#5322)
+	Fixed slapd-bdb modrdn to same dn (ITS#5319)
+	Fixed slapd-bdb MMR (ITS#5332)
+	Added slapd-bdb/slapd-hdb DB encryption (ITS#5359)
+	Fixed slapd-ldif delete (ITS#5265)
+	Fixed slapd-meta link to slapd-ldap (ITS#5355)
+	Fixed slapd-meta setting of sm_nvalues (ITS#5375)
+	Fixed slapd-monitor crash (ITS#5311)
+	Fixed slapd-relay compare (ITS#4937)
+	Added slapd-sock (ITS#4094)
+	Fixed slapo-accesslog cleanup on successful response (ITS#5374)
+	Added slapo-autogroup contrib module (ITS#5145)
+	Added slapo-constraint cross-attribute constraints (ITS#4987)
+	Fixed slapo-memberof objectClass inheritance (ITS#5299)
+	Added slapo-memberof global overlay support (ITS#5301)
+	Fixed slapo-memberof leak (ITS#5302)
+	Fixed slapo-ppolicy only password check with policy (ITS#5285)
+	Fixed slapo-ppolicy del/replace password without new one (ITS#5373)
+	Fixed slapo-syncprov hang on checkpoint (ITS#5261)
+	Added slapo-translucent local searching (ITS#5283)
+	Removed lint
+	Build Environment
+		Fixed libldap_r threaded library linking (ITS#4982)
+		Fixed libldap use of %n (ITS#5324)
+		Fixed test047 to skip if rwm is not available (ITS#5292)
+	Documentation
+		DB_CONFIG.example URL wrong in comments (ITS#5288)
+		Add cn=config example for auditlog (ITS#5245)
+		ldapmodify(1) clarification for RFC2849 (ITS#5312)
+
 OpenLDAP 2.4.7 Release (2007/12/14)
 	Added slapd ordered indexing of integer attributes (ITS#5239)
 	Fixed slapd paged results control handling (ITS#5191)
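Review bot: the log message "Update to 2.4.9" gives no hint of which upstream fixes matter to the package's users, and this hunk lists several memory-safety fixes: slapd pointer dereference (ITS#5388), slapd null argument dereference (ITS#5435), slapo-accesslog null callback stack crash (ITS#5490), slapo-syncprov double-free (ITS#5445) and slapd-meta crash on search (ITS#5481). Consider calling these out in debian/changelog so they can be mapped against the version previously shipped and a decision made on whether any of them warrants a stable update.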

Modified: openldap/trunk/COPYRIGHT
===================================================================
--- openldap/trunk/COPYRIGHT	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/COPYRIGHT	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-Copyright 1998-2007 The OpenLDAP Foundation
+Copyright 1998-2008 The OpenLDAP Foundation
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
@@ -25,7 +25,7 @@
 
 ---
 
-Portions Copyright 1998-2006 Kurt D. Zeilenga.
+Portions Copyright 1998-2008 Kurt D. Zeilenga.
 Portions Copyright 1998-2006 Net Boolean Incorporated.
 Portions Copyright 2001-2006 IBM Corporation.
 All rights reserved.
@@ -39,8 +39,8 @@
 Portions Copyright 1999-2007 Howard Y.H. Chu.
 Portions Copyright 1999-2007 Symas Corporation.
 Portions Copyright 1998-2003 Hallvard B. Furuseth.
-Portions Copyright 2007 Gavin Henry
-Portions Copyright 2007 Suretec Systems
+Portions Copyright 2008 Gavin Henry
+Portions Copyright 2008 Suretec Systems
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
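Review bot: this hunk bumps Gavin Henry and Suretec Systems to 2008 but leaves the adjacent "Portions Copyright 1999-2007 Howard Y.H. Chu." and "Portions Copyright 1999-2007 Symas Corporation." lines at 2007, which looks like an upstream oversight in the yearly update. Not something to patch in a vendor import, but worth mentioning upstream together with the other year bumps.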

Modified: openldap/trunk/INSTALL
===================================================================
--- openldap/trunk/INSTALL	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/INSTALL	2008-05-25 14:29:31 UTC (rev 1128)
@@ -107,7 +107,7 @@
 
 This work is part of OpenLDAP Software <http://www.openldap.org/>.
 
-Copyright 1998-2007 The OpenLDAP Foundation.
+Copyright 1998-2008 The OpenLDAP Foundation.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/Makefile.in
===================================================================
--- openldap/trunk/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Master Makefile for OpenLDAP
-# $OpenLDAP: pkg/ldap/Makefile.in,v 1.30.2.2 2007/08/31 23:13:44 quanah Exp $
+# $OpenLDAP: pkg/ldap/Makefile.in,v 1.30.2.3 2008/02/11 23:26:37 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/README
===================================================================
--- openldap/trunk/README	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/README	2008-05-25 14:29:31 UTC (rev 1128)
@@ -74,11 +74,11 @@
     <http://www.openldap.org/its/> to be considered.
 
 ---
-$OpenLDAP: pkg/ldap/README,v 1.40.2.6 2007/10/11 18:55:56 quanah Exp $
+$OpenLDAP: pkg/ldap/README,v 1.40.2.7 2008/02/11 23:26:37 kurt Exp $
 
 This work is part of OpenLDAP Software <http://www.openldap.org/>.
 
-Copyright 1998-2007 The OpenLDAP Foundation.
+Copyright 1998-2008 The OpenLDAP Foundation.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/config.guess
===================================================================
--- openldap/trunk/build/config.guess	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/config.guess	2008-05-25 14:29:31 UTC (rev 1128)
@@ -4,7 +4,7 @@
 #   2000, 2001, 2002, 2003 Free Software Foundation, Inc.
 
 timestamp='2003-07-02-OpenLDAP'
-# $OpenLDAP: pkg/ldap/build/config.guess,v 1.19.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/config.guess,v 1.19.2.3 2008/02/11 23:26:37 kurt Exp $
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
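Review bot: only the $OpenLDAP id line changes here while `timestamp='2003-07-02-OpenLDAP'` stays as it is, so the vendored config.guess is still the 2003 version and will not recognise newer architecture triplets; make sure the Debian build refreshes config.guess and config.sub at build time rather than relying on the copies shipped in the tarball.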
@@ -29,7 +29,7 @@
 # configuration script generated by Autoconf, and is distributable
 # under the same distributions terms as OpenLDAP itself.
 
-## Portions Copyright 1998-2007 The OpenLDAP Foundation.
+## Portions Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/config.sub
===================================================================
--- openldap/trunk/build/config.sub	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/config.sub	2008-05-25 14:29:31 UTC (rev 1128)
@@ -4,7 +4,7 @@
 #   2000, 2001, 2002, 2003 Free Software Foundation, Inc.
 
 timestamp='2003-07-04-OpenLDAP'
-# $OpenLDAP: pkg/ldap/build/config.sub,v 1.19.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/config.sub,v 1.19.2.3 2008/02/11 23:26:37 kurt Exp $
 
 # This file is (in principle) common to ALL GNU software.
 # The presence of a machine in this file suggests that SOME GNU software
@@ -34,7 +34,7 @@
 # configuration script generated by Autoconf, and is distributable
 # under the same distributions terms as OpenLDAP itself.
 
-## Portions Copyright 1998-2007 The OpenLDAP Foundation.
+## Portions Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/crupdate
===================================================================
--- openldap/trunk/build/crupdate	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/crupdate	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/build/crupdate,v 1.7.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/crupdate,v 1.7.2.3 2008/02/11 23:26:37 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -18,5 +18,5 @@
 
 set -e 		# exit immediately if any errors occur
 
-find . -type f -not -name 'LICENSE*' -print -exec perl -pi -e 's/Copyright ([0-9]{4})([,\-][0-9]{2,4})*,? The OpenLDAP Foundation/Copyright $1-2007 The OpenLDAP Foundation/g;' {} \;
+find . -type f -not -name 'LICENSE*' -print -exec perl -pi -e 's/Copyright ([0-9]{4})([,\-][0-9]{2,4})*,? The OpenLDAP Foundation/Copyright $1-2008 The OpenLDAP Foundation/g;' {} \;
 
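Review bot: the replacement year is hardcoded (`$1-2008`), so this script needs the same one-line edit every January; substituting the current year from `date +%Y` would remove that chore. Also, `find . -type f` with no pruning of version-control directories will rewrite files under `.svn` or `CVS` when run inside a checkout, since only `LICENSE*` is excluded. Both are upstream's concern rather than something to patch in this vendor import, but worth reporting upstream.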

Modified: openldap/trunk/build/dir.mk
===================================================================
--- openldap/trunk/build/dir.mk	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/dir.mk	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/dir.mk,v 1.17.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/dir.mk,v 1.17.2.3 2008/02/11 23:26:37 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/info.mk
===================================================================
--- openldap/trunk/build/info.mk	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/info.mk	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/info.mk,v 1.12.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/info.mk,v 1.12.2.3 2008/02/11 23:26:37 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/lib-shared.mk
===================================================================
--- openldap/trunk/build/lib-shared.mk	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/lib-shared.mk	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/lib-shared.mk,v 1.22.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/lib-shared.mk,v 1.22.2.3 2008/02/11 23:26:37 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/lib-static.mk
===================================================================
--- openldap/trunk/build/lib-static.mk	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/lib-static.mk	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/lib-static.mk,v 1.13.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/lib-static.mk,v 1.13.2.3 2008/02/11 23:26:37 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/lib.mk
===================================================================
--- openldap/trunk/build/lib.mk	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/lib.mk	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/lib.mk,v 1.23.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/lib.mk,v 1.23.2.3 2008/02/11 23:26:37 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/ltmain.sh
===================================================================
--- openldap/trunk/build/ltmain.sh	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/ltmain.sh	2008-05-25 14:29:31 UTC (rev 1128)
@@ -28,7 +28,7 @@
 # configuration script generated by Autoconf, and is distributable
 # under the same distributions terms as OpenLDAP itself.
 
-## Portions Copyright 1998-2007 The OpenLDAP Foundation.
+## Portions Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/man.mk
===================================================================
--- openldap/trunk/build/man.mk	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/man.mk	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/man.mk,v 1.32.2.3 2007/11/09 02:55:50 hyc Exp $
+# $OpenLDAP: pkg/ldap/build/man.mk,v 1.32.2.4 2008/02/11 23:26:37 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/missing
===================================================================
--- openldap/trunk/build/missing	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/missing	2008-05-25 14:29:31 UTC (rev 1128)
@@ -29,7 +29,7 @@
 # configuration script generated by Autoconf, and is distributable
 # under the same distributions terms as OpenLDAP itself.
 
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/mkdep
===================================================================
--- openldap/trunk/build/mkdep	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/mkdep	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh -
-# $OpenLDAP: pkg/ldap/build/mkdep,v 1.32.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/mkdep,v 1.32.2.3 2008/02/11 23:26:37 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/mkdep.aix
===================================================================
--- openldap/trunk/build/mkdep.aix	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/mkdep.aix	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 #! /bin/sh
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/mkrelease
===================================================================
--- openldap/trunk/build/mkrelease	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/mkrelease	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/build/mkrelease,v 1.23.2.3 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/mkrelease,v 1.23.2.4 2008/02/11 23:26:37 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/mkvers.bat
===================================================================
--- openldap/trunk/build/mkvers.bat	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/mkvers.bat	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-:: $OpenLDAP: pkg/ldap/build/mkvers.bat,v 1.7.2.2 2007/08/31 23:13:50 quanah Exp $
+:: $OpenLDAP: pkg/ldap/build/mkvers.bat,v 1.7.2.3 2008/02/11 23:26:37 kurt Exp $
 :: This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ::
-:: Copyright 1998-2007 The OpenLDAP Foundation.
+:: Copyright 1998-2008 The OpenLDAP Foundation.
 :: All rights reserved.
 ::
 :: Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/mkversion
===================================================================
--- openldap/trunk/build/mkversion	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/mkversion	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,9 @@
 #! /bin/sh
 # Create a version.c file
-# $OpenLDAP: pkg/ldap/build/mkversion,v 1.14.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/mkversion,v 1.14.2.3 2008/02/11 23:26:37 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -55,7 +55,7 @@
 cat << __EOF__
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -68,7 +68,7 @@
  */
 
 static const char copyright[] =
-"Copyright 1998-2007 The OpenLDAP Foundation.  All rights reserved.\n"
+"Copyright 1998-2008 The OpenLDAP Foundation.  All rights reserved.\n"
 "COPYING RESTRICTIONS APPLY\n";
 
 $static $const char $SYMBOL[] =

Modified: openldap/trunk/build/mod.mk
===================================================================
--- openldap/trunk/build/mod.mk	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/mod.mk	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/mod.mk,v 1.25.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/mod.mk,v 1.25.2.3 2008/02/11 23:26:37 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/openldap.m4
===================================================================
--- openldap/trunk/build/openldap.m4	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/openldap.m4	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 dnl OpenLDAP Autoconf Macros
-dnl $OpenLDAP: pkg/ldap/build/openldap.m4,v 1.157.2.4 2007/09/01 00:38:35 hyc Exp $
+dnl $OpenLDAP: pkg/ldap/build/openldap.m4,v 1.157.2.5 2008/02/11 23:26:37 kurt Exp $
 dnl This work is part of OpenLDAP Software <http://www.openldap.org/>.
 dnl
-dnl Copyright 1998-2007 The OpenLDAP Foundation.
+dnl Copyright 1998-2008 The OpenLDAP Foundation.
 dnl All rights reserved.
 dnl
 dnl Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/rules.mk
===================================================================
--- openldap/trunk/build/rules.mk	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/rules.mk	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/rules.mk,v 1.15.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/rules.mk,v 1.15.2.3 2008/02/11 23:26:38 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/srv.mk
===================================================================
--- openldap/trunk/build/srv.mk	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/srv.mk	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/srv.mk,v 1.18.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/srv.mk,v 1.18.2.3 2008/02/11 23:26:38 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/top.mk
===================================================================
--- openldap/trunk/build/top.mk	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/top.mk	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/top.mk,v 1.103.2.4 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/top.mk,v 1.103.2.5 2008/02/11 23:26:38 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/version.h
===================================================================
--- openldap/trunk/build/version.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/version.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -13,6 +13,6 @@
  */
 
 static const char copyright[] =
-"Copyright 1998-2007 The OpenLDAP Foundation.  All rights reserved.\n"
+"Copyright 1998-2008 The OpenLDAP Foundation.  All rights reserved.\n"
 "COPYING RESTRICTIONS APPLY.\n";
 

Modified: openldap/trunk/build/version.sh
===================================================================
--- openldap/trunk/build/version.sh	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/version.sh	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/build/version.sh,v 1.16.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/version.sh,v 1.16.2.3 2008/02/11 23:26:38 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/version.var
===================================================================
--- openldap/trunk/build/version.var	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/version.var	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/build/version.var,v 1.9.2.19 2007/12/13 20:56:24 kurt Exp $
+# $OpenLDAP: pkg/ldap/build/version.var,v 1.9.2.26 2008/05/07 19:26:02 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -15,9 +15,9 @@
 ol_package=OpenLDAP
 ol_major=2
 ol_minor=4
-ol_patch=7
-ol_api_inc=20407
+ol_patch=9
+ol_api_inc=20409
 ol_api_current=2
-ol_api_revision=3
+ol_api_revision=5
 ol_api_age=0
-ol_release_date="2007/12/14"
+ol_release_date="2008/05/07"

Modified: openldap/trunk/clients/Makefile.in
===================================================================
--- openldap/trunk/clients/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/clients/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Clients Makefile.in for OpenLDAP
-# $OpenLDAP: pkg/ldap/clients/Makefile.in,v 1.17.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/clients/Makefile.in,v 1.17.2.3 2008/02/11 23:26:38 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/clients/tools/Makefile.in
===================================================================
--- openldap/trunk/clients/tools/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/clients/tools/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Makefile for LDAP tools
-# $OpenLDAP: pkg/ldap/clients/tools/Makefile.in,v 1.45.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/clients/tools/Makefile.in,v 1.45.2.3 2008/02/11 23:26:38 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/clients/tools/common.c
===================================================================
--- openldap/trunk/clients/tools/common.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/clients/tools/common.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* common.c - common routines for the ldap client tools */
-/* $OpenLDAP: pkg/ldap/clients/tools/common.c,v 1.78.2.4 2007/08/31 23:13:50 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/common.c,v 1.78.2.7 2008/02/11 23:26:38 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 2003 Kurt D. Zeilenga.
  * Portions Copyright 2003 IBM Corporation.
  * All rights reserved.
@@ -149,8 +149,8 @@
 };
 
 /* "features" */
-static int	gotintr;
-static int	abcan;
+enum { Intr_None = 0, Intr_Abandon, Intr_Cancel, Intr_Ignore }; 
+static volatile sig_atomic_t	gotintr, abcan;
 
 
 #ifdef LDAP_CONTROL_X_SESSION_TRACKING
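Review bot: trailing whitespace after `};` on the new `enum { Intr_None = 0, Intr_Abandon, Intr_Cancel, Intr_Ignore };` line; please strip it. Declaring `gotintr` and `abcan` as `volatile sig_atomic_t` is the correct type for flags written from a signal handler and read from the main loop, so no objection to the type change itself.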
@@ -223,6 +223,17 @@
 #ifdef HAVE_TLS
 	ldap_pvt_tls_destroy();
 #endif
+
+	if ( ldapuri != NULL ) {
+		ber_memfree( ldapuri );
+		ldapuri = NULL;
+	}
+
+	if ( pr_cookie.bv_val != NULL ) {
+		ber_memfree( pr_cookie.bv_val );
+		pr_cookie.bv_val = NULL;
+		pr_cookie.bv_len = 0;
+	}
 }
 
 void
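Review bot: `ber_memfree( ldapuri )` assumes `ldapuri` was allocated through the liblber allocator (ber_strdup/ber_memalloc); the allocation site is not in this diff, so please confirm it is not a plain `strdup()` of `optarg`, since mismatched allocators break as soon as a custom memory context is installed. Resetting `ldapuri` and `pr_cookie` to NULL/0 after the free is good, since it makes a second tool_destroy() call safe.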
@@ -558,19 +569,19 @@
 
 			/* this shouldn't go here, really; but it's a feature... */
 			} else if ( strcasecmp( control, "abandon" ) == 0 ) {
-				abcan = LDAP_REQ_ABANDON;
+				abcan = Intr_Abandon;
 				if ( crit ) {
 					gotintr = abcan;
 				}
 
 			} else if ( strcasecmp( control, "cancel" ) == 0 ) {
-				abcan = LDAP_REQ_EXTENDED;
+				abcan = Intr_Cancel;
 				if ( crit ) {
 					gotintr = abcan;
 				}
 
 			} else if ( strcasecmp( control, "ignore" ) == 0 ) {
-				abcan = -1;
+				abcan = Intr_Ignore;
 				if ( crit ) {
 					gotintr = abcan;
 				}
@@ -746,7 +757,7 @@
 		case 'P':
 			ival = strtol( optarg, &next, 10 );
 			if ( next == NULL || next[0] != '\0' ) {
-				fprintf( stderr, "%s: unabel to parse protocol version \"%s\"\n", prog, optarg );
+				fprintf( stderr, "%s: unable to parse protocol version \"%s\"\n", prog, optarg );
 				exit( EXIT_FAILURE );
 			}
 			switch( ival ) {
@@ -1720,19 +1731,19 @@
 	int	rc;
 
 	switch ( gotintr ) {
-	case LDAP_REQ_EXTENDED:
+	case Intr_Cancel:
 		rc = ldap_cancel_s( ld, msgid, NULL, NULL );
 		fprintf( stderr, "got interrupt, cancel got %d: %s\n",
 				rc, ldap_err2string( rc ) );
 		return -1;
 
-	case LDAP_REQ_ABANDON:
+	case Intr_Abandon:
 		rc = ldap_abandon_ext( ld, msgid, NULL, NULL );
 		fprintf( stderr, "got interrupt, abandon got %d: %s\n",
 				rc, ldap_err2string( rc ) );
 		return -1;
 
-	case -1:
+	case Intr_Ignore:
 		/* just unbind, ignoring the request */
 		return -1;
 	}

Modified: openldap/trunk/clients/tools/common.h
===================================================================
--- openldap/trunk/clients/tools/common.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/clients/tools/common.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* common.h - common definitions for the ldap client tools */
-/* $OpenLDAP: pkg/ldap/clients/tools/common.h,v 1.24.2.2 2007/08/31 23:13:50 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/common.h,v 1.24.2.3 2008/02/11 23:26:38 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/clients/tools/ldapcompare.c
===================================================================
--- openldap/trunk/clients/tools/ldapcompare.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/clients/tools/ldapcompare.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ldapcompare.c -- LDAP compare tool */
-/* $OpenLDAP: pkg/ldap/clients/tools/ldapcompare.c,v 1.43.2.3 2007/08/31 23:13:50 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/ldapcompare.c,v 1.43.2.4 2008/02/11 23:26:38 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * Portions Copyright 1998-2001 Net Boolean Incorporated.
  * All rights reserved.

Modified: openldap/trunk/clients/tools/ldapdelete.c
===================================================================
--- openldap/trunk/clients/tools/ldapdelete.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/clients/tools/ldapdelete.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ldapdelete.c - simple program to delete an entry using LDAP */
-/* $OpenLDAP: pkg/ldap/clients/tools/ldapdelete.c,v 1.118.2.4 2007/08/31 23:13:50 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/ldapdelete.c,v 1.118.2.7 2008/02/12 00:32:01 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * All rights reserved.
  *
@@ -51,6 +51,7 @@
 
 
 static int	prune = 0;
+static int sizelimit = -1;
 
 
 static int dodelete LDAP_P((
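Review bot: indentation style: the existing declaration separates type and name with a tab (`static int	prune = 0;`) while the new `static int sizelimit = -1;` uses a single space; match the neighbouring line.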
@@ -59,7 +60,8 @@
 
 static int deletechildren LDAP_P((
 	LDAP *ld,
-	const char *dn ));
+	const char *dn,
+	int subentries ));
 
 void
 usage( void )
@@ -76,11 +78,13 @@
 
 
 const char options[] = "r"
-	"cd:D:e:f:h:H:IMnO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
+	"cd:D:e:f:h:H:IMnO:o:p:P:QR:U:vVw:WxX:y:Y:z:Z";
 
 int
 handle_private_option( int i )
 {
+	int ival;
+	char *next;
 	switch ( i ) {
 #if 0
 		int crit;
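Review bot: `z:` is added to `options[]` but the usage() text is not touched anywhere in this diff; unless tool_common_usage() already describes `-z`, add a `-z limit` line (mentioning the `none` and `max` keywords accepted below) so the new option is discoverable. Declaring `ival` and `next` at the top of handle_private_option() for a single case is fine in C89, but a blank line before `switch ( i )` would keep the declarations visually separate.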
@@ -115,6 +119,29 @@
 		prune = 1;
 		break;
 
+	case 'z':	/* size limit */
+		if ( strcasecmp( optarg, "none" ) == 0 ) {
+			sizelimit = 0;
+
+		} else if ( strcasecmp( optarg, "max" ) == 0 ) {
+			sizelimit = LDAP_MAXINT;
+
+		} else {
+			ival = strtol( optarg, &next, 10 );
+			if ( next == NULL || next[0] != '\0' ) {
+				fprintf( stderr,
+					_("Unable to parse size limit \"%s\"\n"), optarg );
+				exit( EXIT_FAILURE );
+			}
+			sizelimit = ival;
+		}
+		if( sizelimit < 0 || sizelimit > LDAP_MAXINT ) {
+			fprintf( stderr, _("%s: invalid sizelimit (%d) specified\n"),
+				prog, sizelimit );
+			exit( EXIT_FAILURE );
+		}
+		break;
+
 	default:
 		return 0;
 	}
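Review bot: the `strtol` branch of the new `case 'z'` does not detect overflow or an empty argument: `next == NULL` can never be true for strtol, an empty `optarg` yields `ival = 0` with `next` pointing at the terminator and is silently accepted as "none", and a value beyond INT_MAX is truncated when the `long` result is assigned to `int ival`, after which the `sizelimit > LDAP_MAXINT` test can no longer catch it. Suggest a `long lval;` and `errno = 0; lval = strtol( optarg, &next, 10 );` followed by `if ( next == optarg || *next != '\0' || errno == ERANGE || lval < 0 || lval > LDAP_MAXINT )` as the error condition, narrowing to `sizelimit` only after that check.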
@@ -212,6 +239,7 @@
 	char *matcheddn = NULL, *text = NULL, **refs = NULL;
 	LDAPControl **ctrls = NULL;
 	LDAPMessage *res;
+	int subentries = 0;
 
 	if ( verbose ) {
 		printf( _("%sdeleting entry \"%s\"\n"),
@@ -225,7 +253,10 @@
 	/* If prune is on, remove a whole subtree.  Delete the children of the
 	 * DN recursively, then the DN requested.
 	 */
-	if ( prune ) deletechildren( ld, dn );
+	if ( prune ) {
+retry:;
+		deletechildren( ld, dn, subentries );
+	}
 
 	rc = ldap_delete_ext( ld, dn, NULL, NULL, &id );
 	if ( rc != LDAP_SUCCESS ) {
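Review bot: the return value of `deletechildren( ld, dn, subentries )` is still discarded here, so a failed prune (a search error, or the EXIT_FAILURE it returns when the control cannot be encoded) falls straight through to `ldap_delete_ext` on the parent, which then fails with a less informative error; assign it to `rc` and return when it is not LDAP_SUCCESS. Placing the `retry:` label inside the `if ( prune )` block is legal C, but putting it before the `if` reads more naturally and the extra `prune` test is cheap.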
@@ -257,7 +288,18 @@
 
 	rc = ldap_parse_result( ld, res, &code, &matcheddn, &text, &refs, &ctrls, 1 );
 
-	if( rc != LDAP_SUCCESS ) {
+	switch ( rc ) {
+	case LDAP_SUCCESS:
+		break;
+
+	case LDAP_NOT_ALLOWED_ON_NONLEAF:
+		if ( prune && !subentries ) {
+			subentries = 1;
+			goto retry;
+		}
+		/* fallthru */
+
+	default:
 		fprintf( stderr, "%s: ldap_parse_result: %s (%d)\n",
 			prog, ldap_err2string( rc ), rc );
 		return rc;
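Review bot: `goto retry` on LDAP_NOT_ALLOWED_ON_NONLEAF leaks the `matcheddn`, `text`, `refs` and `ctrls` that ldap_parse_result() has just allocated for the first attempt, because the second pass overwrites the pointers and only the final set is freed at the end of the function; release them (ber_memfree, ber_memvfree, ldap_controls_free) before jumping. The switch also matches LDAP_NOT_ALLOWED_ON_NONLEAF against the return value of ldap_parse_result() rather than against `code`, which the call fills with the server's result code; if relying on the return value is deliberate, testing `code` instead (or as well) would make the intent explicit.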
@@ -290,7 +332,7 @@
 	if (ctrls) {
 		tool_print_ctrls( ld, ctrls );
 		ldap_controls_free( ctrls );
-    }
+	}
 
 	ber_memfree( text );
 	ber_memfree( matcheddn );
@@ -304,27 +346,55 @@
  */
 static int deletechildren(
 	LDAP *ld,
-	const char *dn )
+	const char *base,
+	int subentries )
 {
 	LDAPMessage *res, *e;
 	int entries;
-	int rc;
+	int rc = LDAP_SUCCESS, srch_rc;
 	static char *attrs[] = { LDAP_NO_ATTRS, NULL };
-	LDAPControl c, *ctrls[2];
+	LDAPControl c, *ctrls[2], **ctrlsp = NULL;
 	BerElement *ber = NULL;
-	LDAPMessage *res_se;
 
-	if ( verbose ) printf ( _("deleting children of: %s\n"), dn );
+	if ( verbose ) printf ( _("deleting children of: %s\n"), base );
 
+	if ( subentries ) {
+		/*
+		 * Do a one level search at base for subentry children.
+		 */
+
+		if ((ber = ber_alloc_t(LBER_USE_DER)) == NULL) {
+			return EXIT_FAILURE;
+		}
+		rc = ber_printf( ber, "b", 1 );
+		if ( rc == -1 ) {
+			ber_free( ber, 1 );
+			fprintf( stderr, _("Subentries control encoding error!\n"));
+			return EXIT_FAILURE;
+		}
+		if ( ber_flatten2( ber, &c.ldctl_value, 0 ) == -1 ) {
+			return EXIT_FAILURE;
+		}
+		c.ldctl_oid = LDAP_CONTROL_SUBENTRIES;
+		c.ldctl_iscritical = 1;
+		ctrls[0] = &c;
+		ctrls[1] = NULL;
+		ctrlsp = ctrls;
+	}
+
 	/*
-	 * Do a one level search at dn for children.  For each, delete its children.
+	 * Do a one level search at base for children.  For each, delete its children.
 	 */
-
-	rc = ldap_search_ext_s( ld, dn, LDAP_SCOPE_ONELEVEL, NULL, attrs, 1,
-		NULL, NULL, NULL, -1, &res );
-	if ( rc != LDAP_SUCCESS ) {
-		tool_perror( "ldap_search", rc, NULL, NULL, NULL, NULL );
-		return( rc );
+more:;
+	srch_rc = ldap_search_ext_s( ld, base, LDAP_SCOPE_ONELEVEL, NULL, attrs, 1,
+		ctrlsp, NULL, NULL, sizelimit, &res );
+	switch ( srch_rc ) {
+	case LDAP_SUCCESS:
+	case LDAP_SIZELIMIT_EXCEEDED:
+		break;
+	default:
+		tool_perror( "ldap_search", srch_rc, NULL, NULL, NULL, NULL );
+		return( srch_rc );
 	}
 
 	entries = ldap_count_entries( ld, res );
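Review bot: the failure paths in the new `if ( subentries )` block return EXIT_FAILURE, but the recursive caller now treats the result as an LDAP result code (`rc != LDAP_SUCCESS`, then tool_perror()), and EXIT_FAILURE (1) collides with LDAP_OPERATIONS_ERROR, so the user would see a misleading message; return LDAP_ENCODING_ERROR or LDAP_NO_MEMORY as appropriate. The `ber_flatten2` failure path also returns without `ber_free( ber, 1 )`, and because `ber_flatten2( ber, &c.ldctl_value, 0 )` leaves `ldctl_value` aliasing the ber's buffer, the ber must stay alive for every search issued through `ctrlsp` and be freed only after the last one.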
@@ -344,8 +414,8 @@
 				return rc;
 			}
 
-			rc = deletechildren( ld, dn );
-			if ( rc == -1 ) {
+			rc = deletechildren( ld, dn, 0 );
+			if ( rc != LDAP_SUCCESS ) {
 				tool_perror( "ldap_prune", rc, NULL, NULL, NULL, NULL );
 				ber_memfree( dn );
 				return rc;
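Review bot: the recursive call `deletechildren( ld, dn, 0 )` always passes `subentries = 0`, so a child that itself has subentry children is searched without the Subentries control, its subentries are never deleted, and the following `ldap_delete_ext_s( ld, dn, NULL, NULL )` fails with LDAP_NOT_ALLOWED_ON_NONLEAF; only the top-level base benefits from the retry in dodelete(). Either pass `subentries` through, or retry the child with `subentries = 1` on that error the way dodelete() does.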
@@ -356,7 +426,7 @@
 			}
 
 			rc = ldap_delete_ext_s( ld, dn, NULL, NULL );
-			if ( rc == -1 ) {
+			if ( rc != LDAP_SUCCESS ) {
 				tool_perror( "ldap_delete", rc, NULL, NULL, NULL, NULL );
 				ber_memfree( dn );
 				return rc;
@@ -373,72 +443,9 @@
 
 	ldap_msgfree( res );
 
-	/*
-	 * Do a one level search at dn for subentry children.
-	 */
-
-	if ((ber = ber_alloc_t(LBER_USE_DER)) == NULL) {
-		return EXIT_FAILURE;
+	if ( srch_rc == LDAP_SIZELIMIT_EXCEEDED ) {
+		goto more;
 	}
-	rc = ber_printf( ber, "b", 1 );
-	if ( rc == -1 ) {
-		ber_free( ber, 1 );
-		fprintf( stderr, _("Subentries control encoding error!\n"));
-		return EXIT_FAILURE;
-	}
-	if ( ber_flatten2( ber, &c.ldctl_value, 0 ) == -1 ) {
-		return EXIT_FAILURE;
-	}
-	c.ldctl_oid = LDAP_CONTROL_SUBENTRIES;
-	c.ldctl_iscritical = 1;
-	ctrls[0] = &c;
-	ctrls[1] = NULL;
 
-	rc = ldap_search_ext_s( ld, dn, LDAP_SCOPE_ONELEVEL, NULL, attrs, 1,
-		ctrls, NULL, NULL, -1, &res_se );
-	if ( rc != LDAP_SUCCESS ) {
-		tool_perror( "ldap_search", rc, NULL, NULL, NULL, NULL );
-		return( rc );
-	}
-	ber_free( ber, 1 );
-
-	entries = ldap_count_entries( ld, res_se );
-
-	if ( entries > 0 ) {
-		int i;
-
-		for (e = ldap_first_entry( ld, res_se ), i = 0; e != NULL;
-			e = ldap_next_entry( ld, e ), i++ )
-		{
-			char *dn = ldap_get_dn( ld, e );
-
-			if( dn == NULL ) {
-				ldap_get_option( ld, LDAP_OPT_RESULT_CODE, &rc );
-				tool_perror( "ldap_prune", rc, NULL, NULL, NULL, NULL );
-				ber_memfree( dn );
-				return rc;
-			}
-
-			if ( verbose ) {
-				printf( _("\tremoving %s\n"), dn );
-			}
-
-			rc = ldap_delete_ext_s( ld, dn, NULL, NULL );
-			if ( rc == -1 ) {
-				tool_perror( "ldap_delete", rc, NULL, NULL, NULL, NULL );
-				ber_memfree( dn );
-				return rc;
-
-			}
-			
-			if ( verbose ) {
-				printf( _("\t%s removed\n"), dn );
-			}
-
-			ber_memfree( dn );
-		}
-	}
-
-	ldap_msgfree( res_se );
 	return rc;
 }
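Review bot: the `ber` allocated for the Subentries control is now never released: the old `ber_free( ber, 1 )` after the subentry search is removed and nothing replaces it, so every call with `subentries` set leaks one BerElement. Since `ctrlsp` is reused by the `goto more` loop, free it just before the final `return rc`, after the loop has finished. The `goto more` on LDAP_SIZELIMIT_EXCEEDED also has no progress check: a server that answers LDAP_SIZELIMIT_EXCEEDED with zero entries makes this loop forever, so break out when a pass removed nothing.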

Modified: openldap/trunk/clients/tools/ldapexop.c
===================================================================
--- openldap/trunk/clients/tools/ldapexop.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/clients/tools/ldapexop.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ldapexop.c -- a tool for performing well-known extended operations */
-/* $OpenLDAP: pkg/ldap/clients/tools/ldapexop.c,v 1.9.2.2 2007/08/31 23:13:50 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/ldapexop.c,v 1.9.2.3 2008/02/11 23:26:38 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2005-2007 The OpenLDAP Foundation.
+ * Copyright 2005-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/clients/tools/ldapmodify.c
===================================================================
--- openldap/trunk/clients/tools/ldapmodify.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/clients/tools/ldapmodify.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ldapmodify.c - generic program to modify or add entries using LDAP */
-/* $OpenLDAP: pkg/ldap/clients/tools/ldapmodify.c,v 1.186.2.3 2007/08/31 23:13:50 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/ldapmodify.c,v 1.186.2.7 2008/02/11 23:26:38 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 2006 Howard Chu.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * Portions Copyright 1998-2001 Net Boolean Incorporated.
@@ -70,15 +70,14 @@
 
 #include "common.h"
 
-static int	ldapadd, force = 0;
+static int	ldapadd;
 static char *rejfile = NULL;
 static LDAP	*ld = NULL;
 
 #define	M_SEP	0x7f
 
-/* strings found in replog/LDIF entries (mostly lifted from slurpd/slurp.h) */
+/* strings found in LDIF entries */
 static struct berval BV_VERSION = BER_BVC("version");
-static struct berval BV_REPLICA = BER_BVC("replica");
 static struct berval BV_DN = BER_BVC("dn");
 static struct berval BV_CONTROL = BER_BVC("control");
 static struct berval BV_CHANGETYPE = BER_BVC("changetype");
@@ -144,7 +143,6 @@
  	fprintf( stderr,
 		_("             [!]txn=<commit|abort>         (transaction)\n"));
 #endif
-	fprintf( stderr, _("  -F         force all changes records to be used\n"));
 	fprintf( stderr, _("  -S file    write skipped modifications to `file'\n"));
 
 	tool_common_usage();
@@ -152,7 +150,7 @@
 }
 
 
-const char options[] = "aE:FrS:"
+const char options[] = "aE:rS:"
 	"cd:D:e:f:h:H:IMnO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
 
 int
@@ -217,10 +215,6 @@
 		ldapadd = 1;
 		break;
 
-	case 'F':	/* force all changes records to be used */
-		force = 1;
-		break;
-
 	case 'r':	/* replace (obsolete) */
 		break;
 
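Review bot: dropping `F` from `options[]` turns `-F` from an accepted flag into a getopt error for existing scripts and wrappers; the `case 'r':	/* replace (obsolete) */ break;` right below shows the established pattern for retiring a switch, so consider keeping `F` in the option string with an empty `case 'F': /* force (obsolete) */ break;` for one release. If ldapmodify(1) still documents `-F`, the man page needs the same removal (not part of this diff).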
@@ -408,10 +402,10 @@
 process_ldif_rec( char *rbuf, int linenum )
 {
 	char	*line, *dn, *newrdn, *newsup;
-	int		rc, modop, replicaport;
+	int		rc, modop;
 	int		expect_modop, expect_sep;
 	int		deleteoldrdn;
-	int		saw_replica, use_record, new_entry, delete_entry, got_all;
+	int		new_entry, delete_entry, got_all;
 	LDAPMod	**pmods, *lm = NULL;
 	int version;
 	LDAPControl **pctrls;
@@ -422,11 +416,10 @@
 
 	new_entry = ldapadd;
 
-	rc = got_all = saw_replica = delete_entry = modop = expect_modop = 0;
+	rc = got_all = delete_entry = modop = expect_modop = 0;
 	expect_sep = 0;
 	version = 0;
 	deleteoldrdn = 1;
-	use_record = force;
 	pmods = NULL;
 	pctrls = NULL;
 	dn = newrdn = newsup = NULL;
@@ -464,27 +457,7 @@
 		freeval[i] = freev;
 
 		if ( dn == NULL ) {
-			if ( !use_record && !BVICMP( btype+i, &BV_REPLICA )) {
-				char *p;
-				++saw_replica;
-				if (( p = strchr( vals[i].bv_val, ':' )) == NULL ) {
-					replicaport = 0;
-				} else {
-					*p++ = '\0';
-					if ( lutil_atoi( &replicaport, p ) != 0 ) {
-						fprintf( stderr, _("%s: unable to parse replica port \"%s\" (line %d) entry: \"%s\"\n"),
-							prog, p, linenum+i, dn == NULL ? "" : dn );
-						rc = LDAP_PARAM_ERROR;
-						break;
-					}
-				}
-				if ( ldaphost != NULL &&
-					strcasecmp( vals[i].bv_val, ldaphost ) == 0 &&
-					replicaport == ldapport )
-				{
-					use_record = 1;
-				}
-			} else if ( linenum+i == 1 && !BVICMP( btype+i, &BV_VERSION )) {
+			if ( linenum+i == 1 && !BVICMP( btype+i, &BV_VERSION )) {
 				int	v;
 				if( vals[i].bv_len == 0 || lutil_atoi( &v, vals[i].bv_val) != 0 || v != 1 ) {
 					fprintf( stderr,
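Review bot: dropping the `replica:` handling changes what happens to legacy replog-style input rather than rejecting it: a `replica:` line before `dn:` used to be parsed, with a host/port mismatch causing the record to be skipped; it now falls through the `dn == NULL` branch to the unchanged `/* skip all lines until we see "dn:" */` path and is silently ignored, so every change record is applied. Since the tool no longer understands the attribute, consider failing with an error the way the `version:` check does, or at least state the change in the man page and CHANGES so nobody keeps relying on the old host/port filtering.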
@@ -496,13 +469,6 @@
 			} else if ( !BVICMP( btype+i, &BV_DN )) {
 				dn = vals[i].bv_val;
 				idn = i;
-				if ( !use_record && saw_replica ) {
-					printf(_("%s: skipping change record for entry: %s at line %d\n"),
-						prog, dn, linenum+i);
-					printf(_("\t(LDAP host/port does not match replica: lines)\n"));
-					rc = 0;
-					goto leave;
-				}
 			}
 			/* skip all lines until we see "dn:" */
 		}
@@ -1136,13 +1102,14 @@
 			tool_perror( newentry ? "ldap_add" : "ldap_modify",
 				rc, NULL, NULL, NULL, NULL );
 			goto done;
-		} else if ( verbose ) {
-			printf( _("modify complete\n") );
 		}
-
 		rc = process_response( ld, msgid,
 			newentry ? LDAP_RES_ADD : LDAP_RES_MODIFY, dn );
 
+		if ( verbose && rc == LDAP_SUCCESS ) {
+			printf( _("modify complete\n") );
+		}
+
 	} else {
 		rc = LDAP_SUCCESS;
 	}
@@ -1168,12 +1135,12 @@
 			fprintf( stderr, _("%s: delete failed: %s\n"), prog, dn );
 			tool_perror( "ldap_delete", rc, NULL, NULL, NULL, NULL );
 			goto done;
-		} else if ( verbose ) {
-			printf( _("delete complete") );
 		}
-
 		rc = process_response( ld, msgid, LDAP_RES_DELETE, dn );
 
+		if ( verbose && rc == LDAP_SUCCESS ) {
+			printf( _("delete complete\n") );
+		}
 	} else {
 		rc = LDAP_SUCCESS;
 	}
@@ -1207,12 +1174,12 @@
 			fprintf( stderr, _("%s: rename failed: %s\n"), prog, dn );
 			tool_perror( "ldap_rename", rc, NULL, NULL, NULL, NULL );
 			goto done;
-		} else {
-			printf( _("rename completed\n") );
 		}
-
 		rc = process_response( ld, msgid, LDAP_RES_RENAME, dn );
 
+		if ( verbose && rc == LDAP_SUCCESS ) {
+			printf( _("rename complete\n") );
+		}
 	} else {
 		rc = LDAP_SUCCESS;
 	}
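Review bot: this hunk changes behaviour twice without the commit message saying so: the removed `else { printf( _("rename completed\n") ); }` printed unconditionally and before `process_response()` had confirmed the result (a non-error return from `ldap_rename` only means the request was sent), whereas the new message is gated on `verbose && rc == LDAP_SUCCESS` like the modify and delete paths above; and the msgid changes from "rename completed" to "rename complete", so existing translations of the old string no longer match. Both are improvements, no success message for an operation the server rejected and consistent wording across the three paths, but they deserve a CHANGES line.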

Modified: openldap/trunk/clients/tools/ldapmodrdn.c
===================================================================
--- openldap/trunk/clients/tools/ldapmodrdn.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/clients/tools/ldapmodrdn.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ldapmodrdn.c - generic program to modify an entry's RDN using LDAP */
-/* $OpenLDAP: pkg/ldap/clients/tools/ldapmodrdn.c,v 1.116.2.3 2007/08/31 23:13:51 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/ldapmodrdn.c,v 1.116.2.4 2008/02/11 23:26:38 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * Portions Copyright 1998-2001 Net Boolean Incorporated.
  * Portions Copyright 2001-2003 IBM Corporation.

Modified: openldap/trunk/clients/tools/ldappasswd.c
===================================================================
--- openldap/trunk/clients/tools/ldappasswd.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/clients/tools/ldappasswd.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ldappasswd -- a tool for change LDAP passwords */
-/* $OpenLDAP: pkg/ldap/clients/tools/ldappasswd.c,v 1.136.2.3 2007/08/31 23:13:51 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/ldappasswd.c,v 1.136.2.4 2008/02/11 23:26:38 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * Portions Copyright 1998-2001 Net Boolean Incorporated.
  * Portions Copyright 2001-2003 IBM Corporation.

Modified: openldap/trunk/clients/tools/ldapsearch.c
===================================================================
--- openldap/trunk/clients/tools/ldapsearch.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/clients/tools/ldapsearch.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ldapsearch -- a tool for searching LDAP directories */
-/* $OpenLDAP: pkg/ldap/clients/tools/ldapsearch.c,v 1.234.2.5 2007/08/31 23:13:51 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/ldapsearch.c,v 1.234.2.9 2008/02/12 19:59:52 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * Portions Copyright 1998-2001 Net Boolean Incorporated.
  * Portions Copyright 2001-2003 IBM Corporation.
@@ -95,6 +95,8 @@
 static int timelimit = -1;
 static int sizelimit = -1;
 
+static char *control;
+
 static char *def_tmpdir;
 static char *def_urlpre;
 
@@ -255,7 +257,7 @@
 handle_private_option( int i )
 {
 	int crit, ival;
-	char *control, *cvalue, *next;
+	char *cvalue, *next;
 	switch ( i ) {
 	case 'a':	/* set alias deref option */
 		if ( strcasecmp( optarg, "never" ) == 0 ) {
@@ -623,7 +625,7 @@
 {
 	char		*filtpattern, **attrs = NULL, line[BUFSIZ];
 	FILE		*fp = NULL;
-	int		rc, i, first;
+	int			rc, rc1, i, first;
 	LDAP		*ld = NULL;
 	BerElement	*seber = NULL, *vrber = NULL;
 
@@ -979,6 +981,7 @@
 			attrs, attrsonly, NULL, NULL, NULL, -1 );
 
 	} else {
+		rc = 0;
 		first = 1;
 		while ( fgets( line, sizeof( line ), fp ) != NULL ) { 
 			line[ strlen( line ) - 1 ] = '\0';
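Review bot: the unchanged context `line[ strlen( line ) - 1 ] = '\0';` assumes every line returned by `fgets()` ends in a newline: a final filter line without one loses its last character, and a line longer than `BUFSIZ` is split into two filters. Not introduced by this hunk, but since the loop is being touched, `line[ strcspn( line, "\n" ) ] = '\0';` is the safe form.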
@@ -987,11 +990,13 @@
 			} else {
 				first = 0;
 			}
-			rc = dosearch( ld, base, scope, filtpattern, line,
+			rc1 = dosearch( ld, base, scope, filtpattern, line,
 				attrs, attrsonly, NULL, NULL, NULL, -1 );
 
-			if ( rc != 0 && !contoper ) {
-				break;
+			if ( rc1 != 0 ) {
+				rc = rc1;
+				if ( !contoper )
+					break;
 			}
 		}
 		if ( fp != stdin ) {
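Review bot: the `rc`/`rc1` split fixes the case where `-c` (`contoper`) let a later successful `dosearch()` overwrite an earlier failure, so the exit status now reflects that at least one search failed. Note that `rc` ends up holding the last failure, not the first; if the first error is the more useful one to report, assign only when `rc == 0`.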
@@ -1040,6 +1045,12 @@
 
 	tool_unbind( ld );
 	tool_destroy();
+	if ( base != NULL ) {
+		ber_memfree( base );
+	}
+	if ( control != NULL ) {
+		ber_memfree( control );
+	}
 
 	if ( c ) {
 		for ( ; save_nctrls-- > 0; ) {
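Review bot: `ber_memfree( base )` and `ber_memfree( control )` are only correct if both pointers always hold memory from the ber allocator (for example `ber_strdup()`); `control` was local to `handle_private_option()` before this change and is now file-scope precisely so it survives to this point, so check that the `-E` parsing never leaves it pointing into `optarg`, and that repeated `-E` options do not simply overwrite it, since only the last value would be freed here and the earlier ones would leak.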

Modified: openldap/trunk/clients/tools/ldapwhoami.c
===================================================================
--- openldap/trunk/clients/tools/ldapwhoami.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/clients/tools/ldapwhoami.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ldapwhoami.c -- a tool for asking the directory "Who Am I?" */
-/* $OpenLDAP: pkg/ldap/clients/tools/ldapwhoami.c,v 1.42.2.2 2007/08/31 23:13:51 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/ldapwhoami.c,v 1.42.2.3 2008/02/11 23:26:38 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * Portions Copyright 1998-2001 Net Boolean Incorporated.
  * Portions Copyright 2001-2003 IBM Corporation.

Modified: openldap/trunk/configure
===================================================================
--- openldap/trunk/configure	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/configure	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,9 @@
 #! /bin/sh
-# From configure.in OpenLDAP: pkg/ldap/configure.in,v 1.631.2.7 2007/10/16 23:43:09 quanah Exp .
+# From configure.in OpenLDAP: pkg/ldap/configure.in,v 1.631.2.9 2008/02/11 23:26:37 kurt Exp .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.59.
 #
-# Copyright 1998-2007 The OpenLDAP Foundation. All rights reserved.
+# Copyright 1998-2008 The OpenLDAP Foundation. All rights reserved.
 # Restrictions apply, see COPYRIGHT and LICENSE files.
 #
 # Copyright (C) 2003 Free Software Foundation, Inc.
@@ -465,7 +465,7 @@
 # include <unistd.h>
 #endif"
 
-ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS build build_cpu build_vendor build_os host host_cpu host_vendor host_os target target_cpu target_vendor target_os INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA CYGPATH_W PACKAGE VERSION ACLOCAL AUTOCONF AUTOMAKE AUTOHEADER MAKEINFO install_sh STRIP ac_ct_STRIP INSTALL_STRIP_PROGRAM mkdir_p AWK SET_MAKE am__leading_dot AMTAR am__tar am__untar OPENLDAP_LIBRELEASE OPENLDAP_LIBVERSION OPENLDAP_RELEASE_DATE top_builddir ldap_subdir CC AR CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT DEPDIR am__include am__quote AMDEP_TRUE AMDEP_FALSE AMDEPBACKSLASH CCDEPMODE am__fastdepCC_TRUE am__fastdepCC_FALSE EGREP LN_S ECHO ac_ct_AR RANLIB ac_ct_RANLIB DLLTOOL ac_ct_DLLTOOL AS ac_ct_AS OBJDUMP ac_ct_OBJDUMP CPP LIBTOOL PERLBIN OL_MKDEP OL_MKDEP_FLAGS LTSTATIC LIBOBJS LIBSRCS PLAT WITH_SASL WITH_TLS WITH_MODULES_ENABLED WITH_ACI_ENABLED BUILD_THREAD BUILD_LIBS_DYNAMIC BUILD_SLAPD BUILD_SLAPI SLAPD_SLAPI_DEPEND BUILD_BDB BUILD_DNSSRV BUILD_HDB BUILD_LDAP BUILD_META BUILD_MONITOR BUILD_NULL BUILD_PASSWD BUILD_RELAY BUILD_PERL BUILD_SHELL BUILD_SQL BUILD_ACCESSLOG BUILD_AUDITLOG BUILD_CONSTRAINT BUILD_DDS BUILD_DENYOP BUILD_DYNGROUP BUILD_DYNLIST BUILD_LASTMOD BUILD_MEMBEROF BUILD_PPOLICY BUILD_PROXYCACHE BUILD_REFINT BUILD_RETCODE BUILD_RWM BUILD_SEQMOD BUILD_SYNCPROV BUILD_TRANSLUCENT BUILD_UNIQUE BUILD_VALSORT LDAP_LIBS SLAPD_LIBS BDB_LIBS LTHREAD_LIBS LUTIL_LIBS WRAP_LIBS SLAPD_MODULES_CPPFLAGS SLAPD_MODULES_LDFLAGS SLAPD_NO_STATIC SLAPD_STATIC_BACKENDS SLAPD_DYNAMIC_BACKENDS SLAPD_STATIC_OVERLAYS SLAPD_DYNAMIC_OVERLAYS PERL_CPPFLAGS SLAPD_PERL_LDFLAGS MOD_PERL_LDFLAGS KRB4_LIBS KRB5_LIBS SASL_LIBS TLS_LIBS MODULES_LIBS SLAPI_LIBS LIBSLAPI 
LIBSLAPITOOLS AUTH_LIBS ICU_LIBS SLAPD_SLP_LIBS SLAPD_GMP_LIBS SLAPD_SQL_LDFLAGS SLAPD_SQL_LIBS SLAPD_SQL_INCLUDES LTLIBOBJS'
+ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS build build_cpu build_vendor build_os host host_cpu host_vendor host_os target target_cpu target_vendor target_os INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA CYGPATH_W PACKAGE VERSION ACLOCAL AUTOCONF AUTOMAKE AUTOHEADER MAKEINFO install_sh STRIP ac_ct_STRIP INSTALL_STRIP_PROGRAM mkdir_p AWK SET_MAKE am__leading_dot AMTAR am__tar am__untar OPENLDAP_LIBRELEASE OPENLDAP_LIBVERSION OPENLDAP_RELEASE_DATE top_builddir ldap_subdir CC AR CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT DEPDIR am__include am__quote AMDEP_TRUE AMDEP_FALSE AMDEPBACKSLASH CCDEPMODE am__fastdepCC_TRUE am__fastdepCC_FALSE EGREP LN_S ECHO ac_ct_AR RANLIB ac_ct_RANLIB DLLTOOL ac_ct_DLLTOOL AS ac_ct_AS OBJDUMP ac_ct_OBJDUMP CPP LIBTOOL PERLBIN OL_MKDEP OL_MKDEP_FLAGS LTSTATIC LIBOBJS LIBSRCS PLAT WITH_SASL WITH_TLS WITH_MODULES_ENABLED WITH_ACI_ENABLED BUILD_THREAD BUILD_LIBS_DYNAMIC BUILD_SLAPD BUILD_SLAPI SLAPD_SLAPI_DEPEND BUILD_BDB BUILD_DNSSRV BUILD_HDB BUILD_LDAP BUILD_META BUILD_MONITOR BUILD_NULL BUILD_PASSWD BUILD_RELAY BUILD_PERL BUILD_SHELL BUILD_SOCK BUILD_SQL BUILD_ACCESSLOG BUILD_AUDITLOG BUILD_CONSTRAINT BUILD_DDS BUILD_DENYOP BUILD_DYNGROUP BUILD_DYNLIST BUILD_LASTMOD BUILD_MEMBEROF BUILD_PPOLICY BUILD_PROXYCACHE BUILD_REFINT BUILD_RETCODE BUILD_RWM BUILD_SEQMOD BUILD_SYNCPROV BUILD_TRANSLUCENT BUILD_UNIQUE BUILD_VALSORT LDAP_LIBS SLAPD_LIBS BDB_LIBS LTHREAD_LIBS LUTIL_LIBS WRAP_LIBS SLAPD_MODULES_CPPFLAGS SLAPD_MODULES_LDFLAGS SLAPD_NO_STATIC SLAPD_STATIC_BACKENDS SLAPD_DYNAMIC_BACKENDS SLAPD_STATIC_OVERLAYS SLAPD_DYNAMIC_OVERLAYS PERL_CPPFLAGS SLAPD_PERL_LDFLAGS MOD_PERL_LDFLAGS KRB4_LIBS KRB5_LIBS SASL_LIBS TLS_LIBS MODULES_LIBS SLAPI_LIBS 
LIBSLAPI LIBSLAPITOOLS AUTH_LIBS ICU_LIBS SLAPD_SLP_LIBS SLAPD_GMP_LIBS SLAPD_SQL_LDFLAGS SLAPD_SQL_LIBS SLAPD_SQL_INCLUDES LTLIBOBJS'
 ac_subst_files=''
 
 # Initialize some variables set by options.
@@ -1041,6 +1041,7 @@
     --enable-perl	  enable perl backend no|yes|mod [no]
     --enable-relay  	  enable relay backend no|yes|mod [yes]
     --enable-shell	  enable shell backend no|yes|mod [no]
+    --enable-sock	  enable sock backend no|yes|mod [no]
     --enable-sql	  enable sql backend no|yes|mod [no]
 
 SLAPD Overlay Options:
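Review bot: `enable sock backend` is opaque next to the neighbouring entries; since back-sock, like back-shell, hands each operation to an external process outside slapd, the help string (which comes from `OL_ARG_ENABLE(sock, ...)` in configure.in, so fix it there and regenerate rather than editing this generated file) could read `enable socket backend (external listener)` or similar. The default of `no`, matching shell, is the right choice for a backend that delegates to an external program.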
@@ -1205,7 +1206,7 @@
 This configure script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it.
 
-Copyright 1998-2007 The OpenLDAP Foundation. All rights reserved.
+Copyright 1998-2008 The OpenLDAP Foundation. All rights reserved.
 Restrictions apply, see COPYRIGHT and LICENSE files.
 _ACEOF
   exit 0
@@ -2788,6 +2789,7 @@
 	perl \
 	relay \
 	shell \
+	sock \
 	sql"
 
 # Check whether --enable-xxslapbackends or --disable-xxslapbackends was given.
@@ -3070,6 +3072,29 @@
   	ol_enable_shell=${ol_enable_backends:-no}
 fi;
 # end --enable-shell
+# OpenLDAP --enable-sock
+
+	# Check whether --enable-sock or --disable-sock was given.
+if test "${enable_sock+set}" = set; then
+  enableval="$enable_sock"
+
+	ol_arg=invalid
+	for ol_val in no yes mod ; do
+		if test "$enableval" = "$ol_val" ; then
+			ol_arg="$ol_val"
+		fi
+	done
+	if test "$ol_arg" = "invalid" ; then
+		{ { echo "$as_me:$LINENO: error: bad value $enableval for --enable-sock" >&5
+echo "$as_me: error: bad value $enableval for --enable-sock" >&2;}
+   { (exit 1); exit 1; }; }
+	fi
+	ol_enable_sock="$ol_arg"
+
+else
+  	ol_enable_sock=${ol_enable_backends:-no}
+fi;
+# end --enable-sock
 # OpenLDAP --enable-sql
 
 	# Check whether --enable-sql or --disable-sql was given.
@@ -3683,6 +3708,7 @@
 	test $ol_enable_perl = no &&
 	test $ol_enable_relay = no &&
 	test $ol_enable_shell = no &&
+	test $ol_enable_sock = no &&
 	test $ol_enable_sql = no ; then
 
 	if test $ol_enable_slapd = yes ; then
@@ -3747,6 +3773,7 @@
 BUILD_PERL=no
 BUILD_RELAY=no
 BUILD_SHELL=no
+BUILD_SOCK=no
 BUILD_SQL=no
 
 BUILD_ACCESSLOG=no
@@ -5594,7 +5621,7 @@
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 5597 "configure"' > conftest.$ac_ext
+  echo '#line 5624 "configure"' > conftest.$ac_ext
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -7574,11 +7601,11 @@
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7577: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:7604: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:7581: \$? = $ac_status" >&5
+   echo "$as_me:7608: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -7836,11 +7863,11 @@
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7839: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:7866: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:7843: \$? = $ac_status" >&5
+   echo "$as_me:7870: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -7898,11 +7925,11 @@
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7901: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:7928: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:7905: \$? = $ac_status" >&5
+   echo "$as_me:7932: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -10146,7 +10173,7 @@
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 10149 "configure"
+#line 10176 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -10244,7 +10271,7 @@
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 10247 "configure"
+#line 10274 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -40474,6 +40501,23 @@
 
 fi
 
+if test "$ol_enable_sock" != no ; then
+	BUILD_SLAPD=yes
+	BUILD_SOCK=$ol_enable_sock
+	if test "$ol_enable_sock" = mod ; then
+		SLAPD_DYNAMIC_BACKENDS="$SLAPD_DYNAMIC_BACKENDS back-sock"
+		MFLAG=SLAPD_MOD_DYNAMIC
+	else
+		SLAPD_STATIC_BACKENDS="$SLAPD_STATIC_BACKENDS back-sock"
+		MFLAG=SLAPD_MOD_STATIC
+	fi
+
+cat >>confdefs.h <<_ACEOF
+#define SLAPD_SOCK $MFLAG
+_ACEOF
+
+fi
+
 if test "$ol_link_sql" != no ; then
 	BUILD_SLAPD=yes
 	BUILD_SQL=$ol_enable_sql
@@ -40875,6 +40919,7 @@
 
 
 
+
 # Check whether --with-xxinstall or --without-xxinstall was given.
 if test "${with_xxinstall+set}" = set; then
   withval="$with_xxinstall"
@@ -40882,7 +40927,7 @@
 fi;
 
 
-                                                                                                                                                                                                                                                                                                                                                                                            ac_config_files="$ac_config_files Makefile:build/top.mk:Makefile.in:build/dir.mk doc/Makefile:build/top.mk:doc/Makefile.in:build/dir.mk doc/man/Makefile:build/top.mk:doc/man/Makefile.in:build/dir.mk doc/man/man1/Makefile:build/top.mk:doc/man/man1/Makefile.in:build/man.mk doc/man/man3/Makefile:build/top.mk:doc/man/man3/Makefile.in:build/man.mk doc/man/man5/Makefile:build/top.mk:doc/man/man5/Makefile.in:build/man.mk doc/man/man8/Makefile:build/top.mk:doc/man/man8/Makefile.in:build/man.mk clients/Makefile:build/top.mk:clients/Makefile.in:build/dir.mk clients/tools/Makefile:build/top.mk:clients/tools/Makefile.in:build/rules.mk include/Makefile:build/top.mk:include/Makefile.in libraries/Makefile:build/top.mk:libraries/Makefile.in:build/dir.mk libraries/liblber/Makefile:build/top.mk:libraries/liblber/Makefile.in:build/lib.mk:build/lib-shared.mk libraries/libldap/Makefile:build/top.mk:libraries/libldap/Makefile.in:build/lib.mk:build/lib-shared.mk libraries/libldap_r/Makefile:build/top.mk:libraries/libldap_r/Makefile.in:build/lib.mk:build/lib-shared.mk libraries/liblunicode/Makefile:build/top.mk:libraries/liblunicode/Makefile.in:build/lib.mk:build/lib-static.mk libraries/liblutil/Makefile:build/top.mk:libraries/liblutil/Makefile.in:build/lib.mk:build/lib-static.mk libraries/librewrite/Makefile:build/top.mk:libraries/librewrite/Makefile.in:build/lib.mk:build/lib-static.mk servers/Makefile:build/top.mk:servers/Makefile.in:build/dir.mk servers/slapd/Makefile:build/top.mk:servers/slapd/Makefile.in:build/srv.mk servers/slapd/back-bdb/Makefile:build/top.mk:servers/slapd/back-bdb/Makefile.in:build/mod.mk 
servers/slapd/back-dnssrv/Makefile:build/top.mk:servers/slapd/back-dnssrv/Makefile.in:build/mod.mk servers/slapd/back-hdb/Makefile:build/top.mk:servers/slapd/back-hdb/Makefile.in:build/mod.mk servers/slapd/back-ldap/Makefile:build/top.mk:servers/slapd/back-ldap/Makefile.in:build/mod.mk servers/slapd/back-ldif/Makefile:build/top.mk:servers/slapd/back-ldif/Makefile.in:build/mod.mk servers/slapd/back-meta/Makefile:build/top.mk:servers/slapd/back-meta/Makefile.in:build/mod.mk servers/slapd/back-monitor/Makefile:build/top.mk:servers/slapd/back-monitor/Makefile.in:build/mod.mk servers/slapd/back-null/Makefile:build/top.mk:servers/slapd/back-null/Makefile.in:build/mod.mk servers/slapd/back-passwd/Makefile:build/top.mk:servers/slapd/back-passwd/Makefile.in:build/mod.mk servers/slapd/back-perl/Makefile:build/top.mk:servers/slapd/back-perl/Makefile.in:build/mod.mk servers/slapd/back-relay/Makefile:build/top.mk:servers/slapd/back-relay/Makefile.in:build/mod.mk servers/slapd/back-shell/Makefile:build/top.mk:servers/slapd/back-shell/Makefile.in:build/mod.mk servers/slapd/back-sql/Makefile:build/top.mk:servers/slapd/back-sql/Makefile.in:build/mod.mk servers/slapd/shell-backends/Makefile:build/top.mk:servers/slapd/shell-backends/Makefile.in:build/srv.mk servers/slapd/slapi/Makefile:build/top.mk:servers/slapd/slapi/Makefile.in:build/lib.mk:build/lib-shared.mk servers/slapd/overlays/Makefile:build/top.mk:servers/slapd/overlays/Makefile.in:build/lib.mk tests/Makefile:build/top.mk:tests/Makefile.in:build/dir.mk tests/run tests/progs/Makefile:build/top.mk:tests/progs/Makefile.in:build/rules.mk"
+                                                                                                                                                                                                                                                                                                                                                                                                      ac_config_files="$ac_config_files Makefile:build/top.mk:Makefile.in:build/dir.mk doc/Makefile:build/top.mk:doc/Makefile.in:build/dir.mk doc/man/Makefile:build/top.mk:doc/man/Makefile.in:build/dir.mk doc/man/man1/Makefile:build/top.mk:doc/man/man1/Makefile.in:build/man.mk doc/man/man3/Makefile:build/top.mk:doc/man/man3/Makefile.in:build/man.mk doc/man/man5/Makefile:build/top.mk:doc/man/man5/Makefile.in:build/man.mk doc/man/man8/Makefile:build/top.mk:doc/man/man8/Makefile.in:build/man.mk clients/Makefile:build/top.mk:clients/Makefile.in:build/dir.mk clients/tools/Makefile:build/top.mk:clients/tools/Makefile.in:build/rules.mk include/Makefile:build/top.mk:include/Makefile.in libraries/Makefile:build/top.mk:libraries/Makefile.in:build/dir.mk libraries/liblber/Makefile:build/top.mk:libraries/liblber/Makefile.in:build/lib.mk:build/lib-shared.mk libraries/libldap/Makefile:build/top.mk:libraries/libldap/Makefile.in:build/lib.mk:build/lib-shared.mk libraries/libldap_r/Makefile:build/top.mk:libraries/libldap_r/Makefile.in:build/lib.mk:build/lib-shared.mk libraries/liblunicode/Makefile:build/top.mk:libraries/liblunicode/Makefile.in:build/lib.mk:build/lib-static.mk libraries/liblutil/Makefile:build/top.mk:libraries/liblutil/Makefile.in:build/lib.mk:build/lib-static.mk libraries/librewrite/Makefile:build/top.mk:libraries/librewrite/Makefile.in:build/lib.mk:build/lib-static.mk servers/Makefile:build/top.mk:servers/Makefile.in:build/dir.mk servers/slapd/Makefile:build/top.mk:servers/slapd/Makefile.in:build/srv.mk 
servers/slapd/back-bdb/Makefile:build/top.mk:servers/slapd/back-bdb/Makefile.in:build/mod.mk servers/slapd/back-dnssrv/Makefile:build/top.mk:servers/slapd/back-dnssrv/Makefile.in:build/mod.mk servers/slapd/back-hdb/Makefile:build/top.mk:servers/slapd/back-hdb/Makefile.in:build/mod.mk servers/slapd/back-ldap/Makefile:build/top.mk:servers/slapd/back-ldap/Makefile.in:build/mod.mk servers/slapd/back-ldif/Makefile:build/top.mk:servers/slapd/back-ldif/Makefile.in:build/mod.mk servers/slapd/back-meta/Makefile:build/top.mk:servers/slapd/back-meta/Makefile.in:build/mod.mk servers/slapd/back-monitor/Makefile:build/top.mk:servers/slapd/back-monitor/Makefile.in:build/mod.mk servers/slapd/back-null/Makefile:build/top.mk:servers/slapd/back-null/Makefile.in:build/mod.mk servers/slapd/back-passwd/Makefile:build/top.mk:servers/slapd/back-passwd/Makefile.in:build/mod.mk servers/slapd/back-perl/Makefile:build/top.mk:servers/slapd/back-perl/Makefile.in:build/mod.mk servers/slapd/back-relay/Makefile:build/top.mk:servers/slapd/back-relay/Makefile.in:build/mod.mk servers/slapd/back-shell/Makefile:build/top.mk:servers/slapd/back-shell/Makefile.in:build/mod.mk servers/slapd/back-sock/Makefile:build/top.mk:servers/slapd/back-sock/Makefile.in:build/mod.mk servers/slapd/back-sql/Makefile:build/top.mk:servers/slapd/back-sql/Makefile.in:build/mod.mk servers/slapd/shell-backends/Makefile:build/top.mk:servers/slapd/shell-backends/Makefile.in:build/srv.mk servers/slapd/slapi/Makefile:build/top.mk:servers/slapd/slapi/Makefile.in:build/lib.mk:build/lib-shared.mk servers/slapd/overlays/Makefile:build/top.mk:servers/slapd/overlays/Makefile.in:build/lib.mk tests/Makefile:build/top.mk:tests/Makefile.in:build/dir.mk tests/run tests/progs/Makefile:build/top.mk:tests/progs/Makefile.in:build/rules.mk"
 
 
           ac_config_commands="$ac_config_commands default"
@@ -41425,6 +41470,7 @@
   "servers/slapd/back-perl/Makefile" ) CONFIG_FILES="$CONFIG_FILES servers/slapd/back-perl/Makefile:build/top.mk:servers/slapd/back-perl/Makefile.in:build/mod.mk" ;;
   "servers/slapd/back-relay/Makefile" ) CONFIG_FILES="$CONFIG_FILES servers/slapd/back-relay/Makefile:build/top.mk:servers/slapd/back-relay/Makefile.in:build/mod.mk" ;;
   "servers/slapd/back-shell/Makefile" ) CONFIG_FILES="$CONFIG_FILES servers/slapd/back-shell/Makefile:build/top.mk:servers/slapd/back-shell/Makefile.in:build/mod.mk" ;;
+  "servers/slapd/back-sock/Makefile" ) CONFIG_FILES="$CONFIG_FILES servers/slapd/back-sock/Makefile:build/top.mk:servers/slapd/back-sock/Makefile.in:build/mod.mk" ;;
   "servers/slapd/back-sql/Makefile" ) CONFIG_FILES="$CONFIG_FILES servers/slapd/back-sql/Makefile:build/top.mk:servers/slapd/back-sql/Makefile.in:build/mod.mk" ;;
   "servers/slapd/shell-backends/Makefile" ) CONFIG_FILES="$CONFIG_FILES servers/slapd/shell-backends/Makefile:build/top.mk:servers/slapd/shell-backends/Makefile.in:build/srv.mk" ;;
   "servers/slapd/slapi/Makefile" ) CONFIG_FILES="$CONFIG_FILES servers/slapd/slapi/Makefile:build/top.mk:servers/slapd/slapi/Makefile.in:build/lib.mk:build/lib-shared.mk" ;;
@@ -41619,6 +41665,7 @@
 s, at BUILD_RELAY@,$BUILD_RELAY,;t t
 s, at BUILD_PERL@,$BUILD_PERL,;t t
 s, at BUILD_SHELL@,$BUILD_SHELL,;t t
+s, at BUILD_SOCK@,$BUILD_SOCK,;t t
 s, at BUILD_SQL@,$BUILD_SQL,;t t
 s, at BUILD_ACCESSLOG@,$BUILD_ACCESSLOG,;t t
 s, at BUILD_AUDITLOG@,$BUILD_AUDITLOG,;t t
@@ -42362,7 +42409,7 @@
 cat > $BACKENDSC << ENDX
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -42413,7 +42460,7 @@
 cat > $OVERLAYSC << ENDX
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/configure.in
===================================================================
--- openldap/trunk/configure.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/configure.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-dnl $OpenLDAP: pkg/ldap/configure.in,v 1.631.2.7 2007/10/16 23:43:09 quanah Exp $
+dnl $OpenLDAP: pkg/ldap/configure.in,v 1.631.2.9 2008/02/11 23:26:37 kurt Exp $
 dnl This work is part of OpenLDAP Software <http://www.openldap.org/>.
 dnl
-dnl Copyright 1998-2007 The OpenLDAP Foundation.
+dnl Copyright 1998-2008 The OpenLDAP Foundation.
 dnl All rights reserved.
 dnl
 dnl Redistribution and use in source and binary forms, with or without
@@ -23,9 +23,9 @@
 define([AC_LIBTOOL_LANG_GCJ_CONFIG], [:])dnl
 dnl ================================================================
 dnl Configure.in for OpenLDAP
-AC_COPYRIGHT([[Copyright 1998-2007 The OpenLDAP Foundation. All rights reserved.
+AC_COPYRIGHT([[Copyright 1998-2008 The OpenLDAP Foundation. All rights reserved.
 Restrictions apply, see COPYRIGHT and LICENSE files.]])
-AC_REVISION([$OpenLDAP: pkg/ldap/configure.in,v 1.631.2.7 2007/10/16 23:43:09 quanah Exp $])
+AC_REVISION([$OpenLDAP: pkg/ldap/configure.in,v 1.631.2.9 2008/02/11 23:26:37 kurt Exp $])
 AC_INIT([OpenLDAP],,[http://www.openldap.org/its/])
 m4_define([AC_PACKAGE_BUGREPORT],[<http://www.openldap.org/its/>])
 AC_CONFIG_SRCDIR(build/version.sh)dnl
@@ -96,7 +96,7 @@
 /* begin of portable.h.pre */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation
+ * Copyright 1998-2008 The OpenLDAP Foundation
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -291,6 +291,7 @@
 	perl \
 	relay \
 	shell \
+	sock \
 	sql"
 
 AC_ARG_ENABLE(xxslapbackends,[
@@ -320,6 +321,8 @@
 	yes, [no yes mod], ol_enable_backends)dnl
 OL_ARG_ENABLE(shell,[    --enable-shell	  enable shell backend],
 	no, [no yes mod], ol_enable_backends)dnl
+OL_ARG_ENABLE(sock,[    --enable-sock	  enable sock backend],
+	no, [no yes mod], ol_enable_backends)dnl
 OL_ARG_ENABLE(sql,[    --enable-sql	  enable sql backend],
 	no, [no yes mod], ol_enable_backends)dnl
 
@@ -462,6 +465,7 @@
 	test $ol_enable_perl = no &&
 	test $ol_enable_relay = no &&
 	test $ol_enable_shell = no &&
+	test $ol_enable_sock = no &&
 	test $ol_enable_sql = no ; then
 	dnl no slapd backend
 
@@ -519,6 +523,7 @@
 BUILD_PERL=no
 BUILD_RELAY=no
 BUILD_SHELL=no
+BUILD_SOCK=no
 BUILD_SQL=no
 
 BUILD_ACCESSLOG=no
@@ -2635,6 +2640,19 @@
 	AC_DEFINE_UNQUOTED(SLAPD_SHELL,$MFLAG,[define to support SHELL backend])
 fi
 
+if test "$ol_enable_sock" != no ; then
+	BUILD_SLAPD=yes
+	BUILD_SOCK=$ol_enable_sock
+	if test "$ol_enable_sock" = mod ; then
+		SLAPD_DYNAMIC_BACKENDS="$SLAPD_DYNAMIC_BACKENDS back-sock"
+		MFLAG=SLAPD_MOD_DYNAMIC
+	else
+		SLAPD_STATIC_BACKENDS="$SLAPD_STATIC_BACKENDS back-sock"
+		MFLAG=SLAPD_MOD_STATIC
+	fi
+	AC_DEFINE_UNQUOTED(SLAPD_SOCK,$MFLAG,[define to support SOCK backend])
+fi
+
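Review bot: `AC_DEFINE_UNQUOTED(SLAPD_SOCK, ...)` needs a matching `#undef SLAPD_SOCK` template in include/portable.hin (the autoheader output OpenLDAP keeps in the tree), otherwise the define never reaches portable.h and back-sock is never compiled in; make sure that file is part of this commit. Testing `$ol_enable_sock` directly, rather than an `ol_link_*` result as the sql block below does, is fine since no external library is probed for this backend.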
 if test "$ol_link_sql" != no ; then
 	BUILD_SLAPD=yes
 	BUILD_SQL=$ol_enable_sql
@@ -2903,6 +2921,7 @@
   AC_SUBST(BUILD_RELAY)
   AC_SUBST(BUILD_PERL)
   AC_SUBST(BUILD_SHELL)
+  AC_SUBST(BUILD_SOCK)
   AC_SUBST(BUILD_SQL)
 dnl overlays
   AC_SUBST(BUILD_ACCESSLOG)
@@ -3003,6 +3022,7 @@
 [servers/slapd/back-perl/Makefile:build/top.mk:servers/slapd/back-perl/Makefile.in:build/mod.mk]
 [servers/slapd/back-relay/Makefile:build/top.mk:servers/slapd/back-relay/Makefile.in:build/mod.mk]
 [servers/slapd/back-shell/Makefile:build/top.mk:servers/slapd/back-shell/Makefile.in:build/mod.mk]
+[servers/slapd/back-sock/Makefile:build/top.mk:servers/slapd/back-sock/Makefile.in:build/mod.mk]
 [servers/slapd/back-sql/Makefile:build/top.mk:servers/slapd/back-sql/Makefile.in:build/mod.mk]
 [servers/slapd/shell-backends/Makefile:build/top.mk:servers/slapd/shell-backends/Makefile.in:build/srv.mk]
 [servers/slapd/slapi/Makefile:build/top.mk:servers/slapd/slapi/Makefile.in:build/lib.mk:build/lib-shared.mk]
@@ -3020,7 +3040,7 @@
 cat > $BACKENDSC << ENDX
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -3071,7 +3091,7 @@
 cat > $OVERLAYSC << ENDX
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/ConfigOIDs
===================================================================
--- openldap/trunk/contrib/ConfigOIDs	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ConfigOIDs	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
 List of OpenLDAP Configuration OIDs allocated to contrib modules
 
 OLcfgCt{Oc|At}:1	smbk5pwd
+OLcfgCt{Oc|At}:2	autogroup

Modified: openldap/trunk/contrib/ldapc++/COPYRIGHT
===================================================================
--- openldap/trunk/contrib/ldapc++/COPYRIGHT	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/COPYRIGHT	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-Copyright 1998-2007 The OpenLDAP Foundation
+Copyright 1998-2008 The OpenLDAP Foundation
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/ldapc++/Makefile.am
===================================================================
--- openldap/trunk/contrib/ldapc++/Makefile.am	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/Makefile.am	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,5 @@
+# $OpenLDAP: pkg/ldap/contrib/ldapc++/Makefile.am,v 1.2.6.1 2008/04/14 23:20:12 quanah Exp $
+
 ##
 # Copyright 2000-2003, OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/Makefile.in
===================================================================
--- openldap/trunk/contrib/ldapc++/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -14,6 +14,8 @@
 
 @SET_MAKE@
 
+# $OpenLDAP: pkg/ldap/contrib/ldapc++/Makefile.in,v 1.11.2.3 2008/04/14 23:20:12 quanah Exp $
+
 # Copyright 2000-2003, OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT file
 VPATH = @srcdir@

Modified: openldap/trunk/contrib/ldapc++/configure
===================================================================
--- openldap/trunk/contrib/ldapc++/configure	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/configure	2008-05-25 14:29:31 UTC (rev 1128)
@@ -19719,18 +19719,24 @@
 
 fi
 
-if test "${ac_cv_header_ldap_h+set}" = set; then
-  { echo "$as_me:$LINENO: checking for ldap.h" >&5
-echo $ECHO_N "checking for ldap.h... $ECHO_C" >&6; }
-if test "${ac_cv_header_ldap_h+set}" = set; then
+
+
+for ac_header in termios.h ldap.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_ldap_h" >&5
-echo "${ECHO_T}$ac_cv_header_ldap_h" >&6; }
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 else
   # Is the header compilable?
-{ echo "$as_me:$LINENO: checking ldap.h usability" >&5
-echo $ECHO_N "checking ldap.h usability... $ECHO_C" >&6; }
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
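Review bot: this is autoconf output, so the reviewable change is the `AC_CHECK_HEADER(ldap.h)` to `AC_CHECK_HEADERS(termios.h ldap.h)` edit in configure.in later in this revision; this loop (`for ac_header in termios.h ldap.h`) should be produced by re-running autoconf on that file rather than edited by hand, otherwise the next regeneration silently drops the termios.h check. The loop body itself is the stock Autoconf header-check template, so there is nothing to fix in it.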
@@ -19738,7 +19744,7 @@
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 $ac_includes_default
-#include <ldap.h>
+#include <$ac_header>
 _ACEOF
 rm -f conftest.$ac_objext
 if { (ac_try="$ac_compile"
@@ -19770,15 +19776,15 @@
 echo "${ECHO_T}$ac_header_compiler" >&6; }
 
 # Is the header present?
-{ echo "$as_me:$LINENO: checking ldap.h presence" >&5
-echo $ECHO_N "checking ldap.h presence... $ECHO_C" >&6; }
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-#include <ldap.h>
+#include <$ac_header>
 _ACEOF
 if { (ac_try="$ac_cpp conftest.$ac_ext"
 case "(($ac_try" in
@@ -19811,41 +19817,49 @@
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
   yes:no: )
-    { echo "$as_me:$LINENO: WARNING: ldap.h: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: ldap.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: ldap.h: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: ldap.h: proceeding with the compiler's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
     ac_header_preproc=yes
     ;;
   no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: ldap.h: present but cannot be compiled" >&5
-echo "$as_me: WARNING: ldap.h: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: ldap.h:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: ldap.h:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: ldap.h: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: ldap.h: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: ldap.h:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: ldap.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: ldap.h: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: ldap.h: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: ldap.h: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: ldap.h: in the future, the compiler will take precedence" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
 
     ;;
 esac
-{ echo "$as_me:$LINENO: checking for ldap.h" >&5
-echo $ECHO_N "checking for ldap.h... $ECHO_C" >&6; }
-if test "${ac_cv_header_ldap_h+set}" = set; then
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  ac_cv_header_ldap_h=$ac_header_preproc
+  eval "$as_ac_Header=\$ac_header_preproc"
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_ldap_h" >&5
-echo "${ECHO_T}$ac_cv_header_ldap_h" >&6; }
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 
 fi
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
 
+fi
 
+done
+
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
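Review bot: the new tail of the loop writes `#define HAVE_TERMIOS_H 1` / `#define HAVE_LDAP_H 1` into confdefs.h, which the replaced single-header check never did (it only set `ac_cv_header_ldap_h`). Nothing in this patch section shows a consumer of `HAVE_TERMIOS_H`, and the check is non-fatal (the `done` is reached with no error action), so whatever source tests the new macro must have a working `#ifndef HAVE_TERMIOS_H` path rather than assuming the header is present.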

Modified: openldap/trunk/contrib/ldapc++/configure.in
===================================================================
--- openldap/trunk/contrib/ldapc++/configure.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/configure.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,8 @@
+dnl $OpenLDAP: pkg/ldap/contrib/ldapc++/configure.in,v 1.8.2.5 2008/04/14 23:20:12 quanah Exp $
+
 dnl Copyright 2000-2003, OpenLDAP Foundation, All Rights Reserved.
 dnl COPYING RESTRICTIONS APPLY, see COPYRIGHT file
-  
-  
+
 dnl Process this file with autoconf to produce a configure script.
 
 dnl disable config.cache
@@ -67,7 +68,7 @@
     ])
 dnl Checks for header files.
 AC_HEADER_TIME
-AC_CHECK_HEADER(ldap.h)
+AC_CHECK_HEADERS(termios.h ldap.h)
 AC_EGREP_HEADER(ldap_add_ext,ldap.h,[
 dnl NOOP
         :
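Review bot: `AC_CHECK_HEADERS(termios.h ldap.h)` records a missing `ldap.h` as `no` and carries on; the hunk shows no action-if-not-found, and the `AC_EGREP_HEADER(ldap_add_ext,ldap.h,...)` that follows will then run the preprocessor against a header that is not there. A C++ wrapper for libldap cannot build without `ldap.h`, so fail early and keep the optional header separate: `AC_CHECK_HEADERS([ldap.h], [], [AC_MSG_ERROR([ldap.h not found])])` followed by `AC_CHECK_HEADERS([termios.h])`, so that a missing termios.h only clears `HAVE_TERMIOS_H` while a missing ldap.h stops configure with a clear message instead of a confusing compile failure later.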

Modified: openldap/trunk/contrib/ldapc++/doxygen.rc
===================================================================
--- openldap/trunk/contrib/ldapc++/doxygen.rc	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/doxygen.rc	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,173 +1,492 @@
-# Doxyfile 1.0.0
+# $OpenLDAP: pkg/ldap/contrib/ldapc++/doxygen.rc,v 1.2.10.2 2008/04/14 23:20:12 quanah Exp $
 
-# This file describes the settings to be used by doxygen for a project
+# Doxyfile 1.5.4
+
+# This file describes the settings to be used by the documentation system
+# doxygen (www.doxygen.org) for a project
 #
 # All text after a hash (#) is considered a comment and will be ignored
 # The format is:
 #       TAG = value [value, ...]
+# For lists items can also be appended using:
+#       TAG += value [value, ...]
 # Values that contain spaces should be placed between quotes (" ")
 
 #---------------------------------------------------------------------------
-# General configuration options
+# Project related configuration options
 #---------------------------------------------------------------------------
 
-# The PROJECT_NAME tag is a single word (or a sequence of word surrounded
-# by quotes) that should identify the project. 
+# This tag specifies the encoding used for all characters in the config file that 
+# follow. The default is UTF-8 which is also the encoding used for all text before 
+# the first occurrence of this tag. Doxygen uses libiconv (or the iconv built into 
+# libc) for the transcoding. See http://www.gnu.org/software/libiconv for the list of 
+# possible encodings.
 
-PROJECT_NAME         = ldapsdk
+DOXYFILE_ENCODING      = UTF-8
 
-# The PROJECT_NUMBER tag can be used to enter a project or revision number.
+# The PROJECT_NAME tag is a single word (or a sequence of words surrounded 
+# by quotes) that should identify the project.
+
+PROJECT_NAME           = ldapsdk
+
+# The PROJECT_NUMBER tag can be used to enter a project or revision number. 
 # This could be handy for archiving the generated documentation or 
 # if some version control system is used.
 
-PROJECT_NUMBER       = 0.0.1
+PROJECT_NUMBER         = 0.0.1
 
 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) 
 # base path where the generated documentation will be put. 
 # If a relative path is entered, it will be relative to the location 
 # where doxygen was started. If left blank the current directory will be used.
 
-OUTPUT_DIRECTORY     = srcdoc
+OUTPUT_DIRECTORY       = srcdoc
 
-# The OUTPUT_LANGUAGE tag is used to specify the language in which all
-# documentation generated by doxygen is written. Doxygen will use this
-# information to generate all constant output in the proper language.
+# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create 
+# 4096 sub-directories (in 2 levels) under the output directory of each output 
+# format and will distribute the generated files over these directories. 
+# Enabling this option can be useful when feeding doxygen a huge amount of 
+# source files, where putting all generated files in the same directory would 
+# otherwise cause performance problems for the file system.
+
+CREATE_SUBDIRS         = NO
+
+# The OUTPUT_LANGUAGE tag is used to specify the language in which all 
+# documentation generated by doxygen is written. Doxygen will use this 
+# information to generate all constant output in the proper language. 
 # The default language is English, other supported languages are: 
-# Dutch, French, Italian, Czech, Swedish, German and Japanese
+# Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional, 
+# Croatian, Czech, Danish, Dutch, Finnish, French, German, Greek, Hungarian, 
+# Italian, Japanese, Japanese-en (Japanese with English messages), Korean, 
+# Korean-en, Lithuanian, Norwegian, Polish, Portuguese, Romanian, Russian, 
+# Serbian, Slovak, Slovene, Spanish, Swedish, and Ukrainian.
 
-OUTPUT_LANGUAGE      = English
+OUTPUT_LANGUAGE        = English
 
-# The QUIET tag can be used to turn on/off the messages that are generated
-# by doxygen. Possible values are YES and NO. If left blank NO is used.
+# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will 
+# include brief member descriptions after the members that are listed in 
+# the file and class documentation (similar to JavaDoc). 
+# Set to NO to disable this.
 
-QUIET                = NO
+BRIEF_MEMBER_DESC      = YES
 
-# The WARNINGS tag can be used to turn on/off the warning messages that are
-# generated by doxygen. Possible values are YES and NO. If left blank
-# NO is used.
+# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend 
+# the brief description of a member or function before the detailed description. 
+# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the 
+# brief descriptions will be completely suppressed.
 
-WARNINGS             = YES
+REPEAT_BRIEF           = yes
 
-# The DISABLE_INDEX tag can be used to turn on/off the condensed index at
-# top of each HTML page. The value NO (the default) enables the index and
-# the value YES disables it.
+# This tag implements a quasi-intelligent brief description abbreviator 
+# that is used to form the text in various listings. Each string 
+# in this list, if found as the leading text of the brief description, will be 
+# stripped from the text and the result after processing the whole list, is 
+# used as the annotated text. Otherwise, the brief description is used as-is. 
+# If left blank, the following values are used ("$name" is automatically 
+# replaced with the name of the entity): "The $name class" "The $name widget" 
+# "The $name file" "is" "provides" "specifies" "contains" 
+# "represents" "a" "an" "the"
 
-DISABLE_INDEX        = NO
+ABBREVIATE_BRIEF       = 
 
-# If the EXTRACT_ALL tag is set to YES all classes and functions will be
-# included in the documentation, even if no documentation was available.
+# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then 
+# Doxygen will generate a detailed section even if there is only a brief 
+# description.
 
-EXTRACT_ALL          = YES
+ALWAYS_DETAILED_SEC    = yes
 
-# If the EXTRACT_PRIVATE tag is set to YES all private members of a class
+# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all 
+# inherited members of a class in the documentation of that class as if those 
+# members were ordinary class members. Constructors, destructors and assignment 
+# operators of the base classes will not be shown.
+
+INLINE_INHERITED_MEMB  = NO
+
+# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full 
+# path before files name in the file list and in the header files. If set 
+# to NO the shortest path that makes the file name unique will be used.
+
+FULL_PATH_NAMES        = NO
+
+# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag 
+# can be used to strip a user-defined part of the path. Stripping is 
+# only done if one of the specified strings matches the left-hand part of 
+# the path. The tag can be used to show relative paths in the file list. 
+# If left blank the directory from which doxygen is run is used as the 
+# path to strip.
+
+STRIP_FROM_PATH        = 
+
+# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of 
+# the path mentioned in the documentation of a class, which tells 
+# the reader which header file to include in order to use a class. 
+# If left blank only the name of the header file containing the class 
+# definition is used. Otherwise one should specify the include paths that 
+# are normally passed to the compiler using the -I flag.
+
+STRIP_FROM_INC_PATH    = 
+
+# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter 
+# (but less readable) file names. This can be useful is your file systems 
+# doesn't support long names like on DOS, Mac, or CD-ROM.
+
+SHORT_NAMES            = NO
+
+# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen 
+# will interpret the first line (until the first dot) of a JavaDoc-style 
+# comment as the brief description. If set to NO, the JavaDoc 
+# comments will behave just like regular Qt-style comments 
+# (thus requiring an explicit @brief command for a brief description.)
+
+JAVADOC_AUTOBRIEF      = YES
+
+# If the QT_AUTOBRIEF tag is set to YES then Doxygen will 
+# interpret the first line (until the first dot) of a Qt-style 
+# comment as the brief description. If set to NO, the comments 
+# will behave just like regular Qt-style comments (thus requiring 
+# an explicit \brief command for a brief description.)
+
+QT_AUTOBRIEF           = NO
+
+# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen 
+# treat a multi-line C++ special comment block (i.e. a block of //! or /// 
+# comments) as a brief description. This used to be the default behaviour. 
+# The new default is to treat a multi-line C++ comment block as a detailed 
+# description. Set this tag to YES if you prefer the old behaviour instead.
+
+MULTILINE_CPP_IS_BRIEF = NO
+
+# If the DETAILS_AT_TOP tag is set to YES then Doxygen 
+# will output the detailed description near the top, like JavaDoc.
+# If set to NO, the detailed description appears after the member 
+# documentation.
+
+DETAILS_AT_TOP         = NO
+
+# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented 
+# member inherits the documentation from any documented member that it 
+# re-implements.
+
+INHERIT_DOCS           = YES
+
+# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce 
+# a new page for each member. If set to NO, the documentation of a member will 
+# be part of the file/class/namespace that contains it.
+
+SEPARATE_MEMBER_PAGES  = NO
+
+# The TAB_SIZE tag can be used to set the number of spaces in a tab. 
+# Doxygen uses this value to replace tabs by spaces in code fragments.
+
+TAB_SIZE               = 4
+
+# This tag can be used to specify a number of aliases that acts 
+# as commands in the documentation. An alias has the form "name=value". 
+# For example adding "sideeffect=\par Side Effects:\n" will allow you to 
+# put the command \sideeffect (or @sideeffect) in the documentation, which 
+# will result in a user-defined paragraph with heading "Side Effects:". 
+# You can put \n's in the value part of an alias to insert newlines.
+
+ALIASES                = 
+
+# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C 
+# sources only. Doxygen will then generate output that is more tailored for C. 
+# For instance, some of the names that are used will be different. The list 
+# of all members will be omitted, etc.
+
+OPTIMIZE_OUTPUT_FOR_C  = NO
+
+# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java 
+# sources only. Doxygen will then generate output that is more tailored for Java. 
+# For instance, namespaces will be presented as packages, qualified scopes 
+# will look different, etc.
+
+OPTIMIZE_OUTPUT_JAVA   = NO
+
+# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want to 
+# include (a tag file for) the STL sources as input, then you should 
+# set this tag to YES in order to let doxygen match functions declarations and 
+# definitions whose arguments contain STL classes (e.g. func(std::string); v.s. 
+# func(std::string) {}). This also make the inheritance and collaboration 
+# diagrams that involve STL classes more complete and accurate.
+
+BUILTIN_STL_SUPPORT    = NO
+
+# If you use Microsoft's C++/CLI language, you should set this option to YES to
+# enable parsing support.
+
+CPP_CLI_SUPPORT        = NO
+
+# Set the SIP_SUPPORT tag to YES if your project consists of sip sources only. 
+# Doxygen will parse them like normal C++ but will assume all classes use public 
+# instead of private inheritance when no explicit protection keyword is present.
+
+SIP_SUPPORT            = NO
+
+# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC 
+# tag is set to YES, then doxygen will reuse the documentation of the first 
+# member in the group (if any) for the other members of the group. By default 
+# all members of a group must be documented explicitly.
+
+DISTRIBUTE_GROUP_DOC   = NO
+
+# Set the SUBGROUPING tag to YES (the default) to allow class member groups of 
+# the same type (for instance a group of public functions) to be put as a 
+# subgroup of that type (e.g. under the Public Functions section). Set it to 
+# NO to prevent subgrouping. Alternatively, this can be done per class using 
+# the \nosubgrouping command.
+
+SUBGROUPING            = YES
+
+# When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct (or union) is 
+# documented as struct with the name of the typedef. So 
+# typedef struct TypeS {} TypeT, will appear in the documentation as a struct 
+# with name TypeT. When disabled the typedef will appear as a member of a file, 
+# namespace, or class. And the struct will be named TypeS. This can typically 
+# be useful for C code where the coding convention is that all structs are 
+# typedef'ed and only the typedef is referenced never the struct's name.
+
+TYPEDEF_HIDES_STRUCT   = NO
+
+#---------------------------------------------------------------------------
+# Build related configuration options
+#---------------------------------------------------------------------------
+
+# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in 
+# documentation are documented, even if no documentation was available. 
+# Private class members and static file members will be hidden unless 
+# the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES
+
+EXTRACT_ALL            = YES
+
+# If the EXTRACT_PRIVATE tag is set to YES all private members of a class 
 # will be included in the documentation.
 
-EXTRACT_PRIVATE      = YES
+EXTRACT_PRIVATE        = YES
 
-# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all
-# undocumented members inside documented classes or files.
+# If the EXTRACT_STATIC tag is set to YES all static members of a file 
+# will be included in the documentation.
 
-HIDE_UNDOC_MEMBERS   = NO
+EXTRACT_STATIC         = NO
 
-# If the HIDE_UNDOC_CLASSESS tag is set to YES, Doxygen will hide all
-# undocumented classes.
+# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) 
+# defined locally in source files will be included in the documentation. 
+# If set to NO only classes defined in header files are included.
 
-HIDE_UNDOC_CLASSES   = NO
+EXTRACT_LOCAL_CLASSES  = YES
 
-# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will
-# include brief member descriptions after the members that are listed in 
-# the file and class documentation (similar to JavaDoc).
-# Set to NO to disable this.
+# This flag is only useful for Objective-C code. When set to YES local 
+# methods, which are defined in the implementation section but not in 
+# the interface are included in the documentation. 
+# If set to NO (the default) only methods in the interface are included.
 
-BRIEF_MEMBER_DESC    = YES
+EXTRACT_LOCAL_METHODS  = NO
 
-# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend
-# the brief description of a member or function before the detailed description.
-# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the 
-# brief descriptions will be completely suppressed.
+# If this flag is set to YES, the members of anonymous namespaces will be extracted 
+# and appear in the documentation as a namespace called 'anonymous_namespace{file}', 
+# where file will be replaced with the base name of the file that contains the anonymous 
+# namespace. By default anonymous namespace are hidden.
 
-REPEAT_BRIEF         = yes
+EXTRACT_ANON_NSPACES   = NO
 
-# If the ALWAYS_DETAILS_SEC and REPEAT_BRIEF tags are both set to YES then
-# Doxygen will generate a detailed section even if there is only a brief
-# description.
+# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all 
+# undocumented members of documented classes, files or namespaces. 
+# If set to NO (the default) these members will be included in the 
+# various overviews, but no documentation section is generated. 
+# This option has no effect if EXTRACT_ALL is enabled.
 
-ALWAYS_DETAILED_SEC  = yes
+HIDE_UNDOC_MEMBERS     = NO
 
-# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full
-# path before files name in the file list and in the header files. If set
-# to NO the shortest path that makes the file name unique will be used.
+# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all 
+# undocumented classes that are normally visible in the class hierarchy. 
+# If set to NO (the default) these classes will be included in the various 
+# overviews. This option has no effect if EXTRACT_ALL is enabled.
 
-FULL_PATH_NAMES      = NO
+HIDE_UNDOC_CLASSES     = NO
 
-# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag
-# can be used to strip a user defined part of the path. Stripping is
-# only done if one of the specified strings matches the left-hand part of
-# the path.
+# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all 
+# friend (class|struct|union) declarations. 
+# If set to NO (the default) these declarations will be included in the 
+# documentation.
 
-STRIP_FROM_PATH      =
+HIDE_FRIEND_COMPOUNDS  = NO
 
-# The INTERNAL_DOCS tag determines if documentation
+# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any 
+# documentation blocks found inside the body of a function. 
+# If set to NO (the default) these blocks will be appended to the 
+# function's detailed documentation block.
+
+HIDE_IN_BODY_DOCS      = NO
+
+# The INTERNAL_DOCS tag determines if documentation 
 # that is typed after a \internal command is included. If the tag is set 
-# to NO (the default) then the documentation will be excluded.
+# to NO (the default) then the documentation will be excluded. 
 # Set it to YES to include the internal documentation.
 
-INTERNAL_DOCS        = NO
+INTERNAL_DOCS          = NO
 
-# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will
-# generate a class diagram (in Html and LaTeX) for classes with base or
-# super classes. Setting the tag to NO turns the diagrams off.
+# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate 
+# file names in lower-case letters. If set to YES upper-case letters are also 
+# allowed. This is useful if you have classes or files whose names only differ 
+# in case and if your file system supports case sensitive file names. Windows 
+# and Mac users are advised to set this option to NO.
 
-CLASS_DIAGRAMS       = YES
+CASE_SENSE_NAMES       = NO
 
-# If the SOURCE_BROWSER tag is set to YES then a list of source files will
-# be generated. Documented entities will be cross-referenced with these sources.
+# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen 
+# will show members with their full class and namespace scopes in the 
+# documentation. If set to YES the scope will be hidden.
 
-SOURCE_BROWSER       = no
+HIDE_SCOPE_NAMES       = NO
 
-# Setting the INLINE_SOURCES tag to YES will include the body
-# of functions and classes directly in the documentation.
+# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen 
+# will put a list of the files that are included by a file in the documentation 
+# of that file.
 
-INLINE_SOURCES       = NO
+SHOW_INCLUDE_FILES     = YES
 
-# If the CASE_SENSE_NAMES tag is set to NO (the default) then Doxygen
-# will only generate file names in lower case letters. If set to
-# YES upper case letters are also allowed. This is useful if you have
-# classes or files whose names only differ in case and if your file system
-# supports case sensitive file names.
+# If the INLINE_INFO tag is set to YES (the default) then a tag [inline] 
+# is inserted in the documentation for inline members.
 
-CASE_SENSE_NAMES     = NO
+INLINE_INFO            = YES
 
-# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen
-# will generate a verbatim copy of the header file for each class for
-# which an include is specified. Set to NO to disable this.
+# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen 
+# will sort the (detailed) documentation of file and class members 
+# alphabetically by member name. If set to NO the members will appear in 
+# declaration order.
 
-VERBATIM_HEADERS     = YES
+SORT_MEMBER_DOCS       = YES
 
-# If the JAVADOC_AUTOBRIEF tag is set to YES (the default) then Doxygen
-# will interpret the first line (until the first dot) of a JavaDoc-style
-# comment as the brief description. If set to NO, the Javadoc-style will
-# behave just like the Qt-style comments.
+# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the 
+# brief documentation of file, namespace and class members alphabetically 
+# by member name. If set to NO (the default) the members will appear in 
+# declaration order.
 
-JAVADOC_AUTOBRIEF    = YES
+SORT_BRIEF_DOCS        = NO
 
-# if the INHERIT_DOCS tag is set to YES (the default) then an undocumented
-# member inherits the documentation from any documented member that it
-# reimplements.
+# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be 
+# sorted by fully-qualified names, including namespaces. If set to 
+# NO (the default), the class list will be sorted only by class name, 
+# not including the namespace part. 
+# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES.
+# Note: This option applies only to the class list, not to the 
+# alphabetical list.
 
-INHERIT_DOCS         = YES
+SORT_BY_SCOPE_NAME     = NO
 
-# if the INLINE_INFO tag is set to YES (the default) then a tag [inline]
-# is inserted in the documentation for inline members.
+# The GENERATE_TODOLIST tag can be used to enable (YES) or 
+# disable (NO) the todo list. This list is created by putting \todo 
+# commands in the documentation.
 
-INLINE_INFO          = YES
+GENERATE_TODOLIST      = YES
 
-# the TAB_SIZE tag can be used to set the number of spaces in a tab.
-# Doxygen uses this value to replace tabs by spaces in code fragments.
+# The GENERATE_TESTLIST tag can be used to enable (YES) or 
+# disable (NO) the test list. This list is created by putting \test 
+# commands in the documentation.
 
-TAB_SIZE             = 4
+GENERATE_TESTLIST      = YES
 
+# The GENERATE_BUGLIST tag can be used to enable (YES) or 
+# disable (NO) the bug list. This list is created by putting \bug 
+# commands in the documentation.
+
+GENERATE_BUGLIST       = YES
+
+# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or 
+# disable (NO) the deprecated list. This list is created by putting 
+# \deprecated commands in the documentation.
+
+GENERATE_DEPRECATEDLIST= YES
+
+# The ENABLED_SECTIONS tag can be used to enable conditional 
+# documentation sections, marked by \if sectionname ... \endif.
+
+ENABLED_SECTIONS       = 
+
+# The MAX_INITIALIZER_LINES tag determines the maximum number of lines 
+# the initial value of a variable or define consists of for it to appear in 
+# the documentation. If the initializer consists of more lines than specified 
+# here it will be hidden. Use a value of 0 to hide initializers completely. 
+# The appearance of the initializer of individual variables and defines in the 
+# documentation can be controlled using \showinitializer or \hideinitializer 
+# command in the documentation regardless of this setting.
+
+MAX_INITIALIZER_LINES  = 30
+
+# Set the SHOW_USED_FILES tag to NO to disable the list of files generated 
+# at the bottom of the documentation of classes and structs. If set to YES the 
+# list will mention the files that were used to generate the documentation.
+
+SHOW_USED_FILES        = YES
+
+# If the sources in your project are distributed over multiple directories 
+# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy 
+# in the documentation. The default is NO.
+
+SHOW_DIRECTORIES       = NO
+
+# The FILE_VERSION_FILTER tag can be used to specify a program or script that 
+# doxygen should invoke to get the current version for each file (typically from the 
+# version control system). Doxygen will invoke the program by executing (via 
+# popen()) the command <command> <input-file>, where <command> is the value of 
+# the FILE_VERSION_FILTER tag, and <input-file> is the name of an input file 
+# provided by doxygen. Whatever the program writes to standard output 
+# is used as the file version. See the manual for examples.
+
+FILE_VERSION_FILTER    = 
+
 #---------------------------------------------------------------------------
+# configuration options related to warning and progress messages
+#---------------------------------------------------------------------------
+
+# The QUIET tag can be used to turn on/off the messages that are generated 
+# by doxygen. Possible values are YES and NO. If left blank NO is used.
+
+QUIET                  = NO
+
+# The WARNINGS tag can be used to turn on/off the warning messages that are 
+# generated by doxygen. Possible values are YES and NO. If left blank 
+# NO is used.
+
+WARNINGS               = YES
+
+# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings 
+# for undocumented members. If EXTRACT_ALL is set to YES then this flag will 
+# automatically be disabled.
+
+WARN_IF_UNDOCUMENTED   = YES
+
+# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for 
+# potential errors in the documentation, such as not documenting some 
+# parameters in a documented function, or documenting parameters that 
+# don't exist or using markup commands wrongly.
+
+WARN_IF_DOC_ERROR      = YES
+
+# This WARN_NO_PARAMDOC option can be abled to get warnings for 
+# functions that are documented, but have no documentation for their parameters 
+# or return value. If set to NO (the default) doxygen will only warn about 
+# wrong or incomplete parameter documentation, but not about the absence of 
+# documentation.
+
+WARN_NO_PARAMDOC       = NO
+
+# The WARN_FORMAT tag determines the format of the warning messages that 
+# doxygen can produce. The string should contain the $file, $line, and $text 
+# tags, which will be replaced by the file and line number from which the 
+# warning originated and the warning text. Optionally the format may contain 
+# $version, which will be replaced by the version of the file (if it could 
+# be obtained via FILE_VERSION_FILTER)
+
+WARN_FORMAT            = "$file:$line: $text "
+
+# The WARN_LOGFILE tag can be used to specify a file to which warning 
+# and error messages should be written. If left blank the output is written 
+# to stderr.
+
+WARN_LOGFILE           = 
+
+#---------------------------------------------------------------------------
 # configuration options related to the input files
 #---------------------------------------------------------------------------
 
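Review bot: FILE_VERSION_FILTER (the last tag of the general-options block, committed blank at `FILE_VERSION_FILTER    = `) is described right above it as being run via popen() as `<command> <input-file>` for every file doxygen parses, so any value that lands in this checked-in Doxyfile becomes a command executed on the machine of whoever builds the docs; leaving it empty is the right choice, and a short comment saying it is intentionally blank would keep a later `doxygen -u` refresh or a merge from silently filling it in. Two smaller points in the same block: the regenerated template text keeps the upstream typo `can be abled` in the WARN_NO_PARAMDOC comment, and `WARN_FORMAT            = "$file:$line: $text "` carries a trailing space inside the quotes; both are harmless, but since this file is now fully regenerated rather than hand-maintained, the cleaner route is to regenerate it with `doxygen -u` against the doxygen version the project actually builds with instead of editing the comments by hand.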
@@ -176,291 +495,819 @@
 # directories like "/usr/src/myproject". Separate the files or directories 
 # with spaces.
 
-INPUT                = ./src
+INPUT                  = ./src
 
+# This tag can be used to specify the character encoding of the source files that 
+# doxygen parses. Internally doxygen uses the UTF-8 encoding, which is also the default 
+# input encoding. Doxygen uses libiconv (or the iconv built into libc) for the transcoding. 
+# See http://www.gnu.org/software/libiconv for the list of possible encodings.
+
+INPUT_ENCODING         = UTF-8
+
 # If the value of the INPUT tag contains directories, you can use the 
 # FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp 
 # and *.h) to filter out the source-files in the directories. If left 
-# blank all files are included.
+# blank the following patterns are tested: 
+# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx 
+# *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py *.f90
 
-FILE_PATTERNS        = *.cpp *.h
+FILE_PATTERNS          = *.cpp \
+                         *.h
 
-# The RECURSIVE tag can be used to turn specify whether or not subdirectories
-# should be searched for input files as well. Possible values are YES and NO.
+# The RECURSIVE tag can be used to turn specify whether or not subdirectories 
+# should be searched for input files as well. Possible values are YES and NO. 
 # If left blank NO is used.
 
-RECURSIVE            = yes
+RECURSIVE              = yes
 
-# The EXCLUDE tag can be used to specify files and/or directories that should
+# The EXCLUDE tag can be used to specify files and/or directories that should 
 # excluded from the INPUT source files. This way you can easily exclude a 
 # subdirectory from a directory tree whose root is specified with the INPUT tag.
 
-EXCLUDE              =
+EXCLUDE                = 
 
-# If the value of the INPUT tag contains directories, you can use the
-# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude
-# certain files from those directories.
+# The EXCLUDE_SYMLINKS tag can be used select whether or not files or 
+# directories that are symbolic links (a Unix filesystem feature) are excluded 
+# from the input.
 
-EXCLUDE_PATTERNS     =
+EXCLUDE_SYMLINKS       = NO
 
+# If the value of the INPUT tag contains directories, you can use the 
+# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude 
+# certain files from those directories. Note that the wildcards are matched 
+# against the file with absolute path, so to exclude all test directories 
+# for example use the pattern */test/*
+
+EXCLUDE_PATTERNS       = 
+
+# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names 
+# (namespaces, classes, functions, etc.) that should be excluded from the output. 
+# The symbol name can be a fully qualified name, a word, or if the wildcard * is used, 
+# a substring. Examples: ANamespace, AClass, AClass::ANamespace, ANamespace::*Test
+
+EXCLUDE_SYMBOLS        = 
+
 # The EXAMPLE_PATH tag can be used to specify one or more files or 
 # directories that contain example code fragments that are included (see 
 # the \include command).
 
-EXAMPLE_PATH         =
+EXAMPLE_PATH           = 
 
-# If the value of the EXAMPLE_PATH tag contains directories, you can use the
+# If the value of the EXAMPLE_PATH tag contains directories, you can use the 
 # EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp 
 # and *.h) to filter out the source-files in the directories. If left 
 # blank all files are included.
 
-EXAMPLE_PATTERNS     =
+EXAMPLE_PATTERNS       = 
 
+# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be 
+# searched for input files to be used with the \include or \dontinclude 
+# commands irrespective of the value of the RECURSIVE tag. 
+# Possible values are YES and NO. If left blank NO is used.
+
+EXAMPLE_RECURSIVE      = NO
+
 # The IMAGE_PATH tag can be used to specify one or more files or 
 # directories that contain image that are included in the documentation (see 
 # the \image command).
 
-IMAGE_PATH           =
+IMAGE_PATH             = 
 
-# The INPUT_FILTER tag can be used to specify a program that doxygen should
+# The INPUT_FILTER tag can be used to specify a program that doxygen should 
 # invoke to filter for each input file. Doxygen will invoke the filter program 
-# by executing (via popen()) the command <filter> <input-file>, where <filter>
-# is the value of the INPUT_FILTER tag, and <input-file> is the name of an
-# input file. Doxygen will then use the output that the filter program writes
-# to standard output.
+# by executing (via popen()) the command <filter> <input-file>, where <filter> 
+# is the value of the INPUT_FILTER tag, and <input-file> is the name of an 
+# input file. Doxygen will then use the output that the filter program writes 
+# to standard output.  If FILTER_PATTERNS is specified, this tag will be 
+# ignored.
 
-INPUT_FILTER         =
+INPUT_FILTER           = 
 
+# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern 
+# basis.  Doxygen will compare the file name with each pattern and apply the 
+# filter if there is a match.  The filters are a list of the form: 
+# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further 
+# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER 
+# is applied to all files.
+
+FILTER_PATTERNS        = 
+
+# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using 
+# INPUT_FILTER) will be used to filter the input files when producing source 
+# files to browse (i.e. when SOURCE_BROWSER is set to YES).
+
+FILTER_SOURCE_FILES    = NO
+
 #---------------------------------------------------------------------------
+# configuration options related to source browsing
+#---------------------------------------------------------------------------
+
+# If the SOURCE_BROWSER tag is set to YES then a list of source files will 
+# be generated. Documented entities will be cross-referenced with these sources. 
+# Note: To get rid of all source code in the generated output, make sure also 
+# VERBATIM_HEADERS is set to NO. If you have enabled CALL_GRAPH or CALLER_GRAPH 
+# then you must also enable this option. If you don't then doxygen will produce 
+# a warning and turn it on anyway
+
+SOURCE_BROWSER         = no
+
+# Setting the INLINE_SOURCES tag to YES will include the body 
+# of functions and classes directly in the documentation.
+
+INLINE_SOURCES         = NO
+
+# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct 
+# doxygen to hide any special comment blocks from generated source code 
+# fragments. Normal C and C++ comments will always remain visible.
+
+STRIP_CODE_COMMENTS    = YES
+
+# If the REFERENCED_BY_RELATION tag is set to YES (the default) 
+# then for each documented function all documented 
+# functions referencing it will be listed.
+
+REFERENCED_BY_RELATION = YES
+
+# If the REFERENCES_RELATION tag is set to YES (the default) 
+# then for each documented function all documented entities 
+# called/used by that function will be listed.
+
+REFERENCES_RELATION    = YES
+
+# If the REFERENCES_LINK_SOURCE tag is set to YES (the default)
+# and SOURCE_BROWSER tag is set to YES, then the hyperlinks from
+# functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will
+# link to the source code.  Otherwise they will link to the documentstion.
+
+REFERENCES_LINK_SOURCE = YES
+
+# If the USE_HTAGS tag is set to YES then the references to source code 
+# will point to the HTML generated by the htags(1) tool instead of doxygen 
+# built-in source browser. The htags tool is part of GNU's global source 
+# tagging system (see http://www.gnu.org/software/global/global.html). You 
+# will need version 4.8.6 or higher.
+
+USE_HTAGS              = NO
+
+# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen 
+# will generate a verbatim copy of the header file for each class for 
+# which an include is specified. Set to NO to disable this.
+
+VERBATIM_HEADERS       = YES
+
+#---------------------------------------------------------------------------
+# configuration options related to the alphabetical class index
+#---------------------------------------------------------------------------
+
+# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index 
+# of all compounds will be generated. Enable this if the project 
+# contains a lot of classes, structs, unions or interfaces.
+
+ALPHABETICAL_INDEX     = NO
+
+# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then 
+# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns 
+# in which this list will be split (can be a number in the range [1..20])
+
+COLS_IN_ALPHA_INDEX    = 5
+
+# In case all classes in a project start with a common prefix, all 
+# classes will be put under the same header in the alphabetical index. 
+# The IGNORE_PREFIX tag can be used to specify one or more prefixes that 
+# should be ignored while generating the index headers.
+
+IGNORE_PREFIX          = 
+
+#---------------------------------------------------------------------------
 # configuration options related to the HTML output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_HTML tag is set to YES (the default) Doxygen will
-# generate HTML output
+# If the GENERATE_HTML tag is set to YES (the default) Doxygen will 
+# generate HTML output.
 
-GENERATE_HTML        = YES
+GENERATE_HTML          = YES
 
-# The HTML_OUTPUT tag is used to specify where the HTML docs will be put.
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
 # put in front of it. If left blank `html' will be used as the default path.
 
-HTML_OUTPUT          =
+HTML_OUTPUT            = 
 
+# The HTML_FILE_EXTENSION tag can be used to specify the file extension for 
+# each generated HTML page (for example: .htm,.php,.asp). If it is left blank 
+# doxygen will generate files with .html extension.
+
+HTML_FILE_EXTENSION    = .html
+
 # The HTML_HEADER tag can be used to specify a personal HTML header for 
 # each generated HTML page. If it is left blank doxygen will generate a 
 # standard header.
 
-HTML_HEADER          =
+HTML_HEADER            = 
 
 # The HTML_FOOTER tag can be used to specify a personal HTML footer for 
 # each generated HTML page. If it is left blank doxygen will generate a 
 # standard footer.
 
-HTML_FOOTER          = 
+HTML_FOOTER            = 
 
-# The HTML_STYLESHEET tag can be used to specify a user defined cascading
+# The HTML_STYLESHEET tag can be used to specify a user-defined cascading 
 # style sheet that is used by each HTML page. It can be used to 
-# fine-tune the look of the HTML output. If the tag is left blank doxygen
-# will generate a default style sheet
+# fine-tune the look of the HTML output. If the tag is left blank doxygen 
+# will generate a default style sheet. Note that doxygen will try to copy 
+# the style sheet file to the HTML output directory, so don't put your own 
+# stylesheet in the HTML output directory as well, or it will be erased!
 
-HTML_STYLESHEET      =
+HTML_STYLESHEET        = 
 
-# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes,
-# files or namespaces will be aligned in HTML using tables. If set to
+# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes, 
+# files or namespaces will be aligned in HTML using tables. If set to 
 # NO a bullet list will be used.
 
-HTML_ALIGN_MEMBERS   = YES
+HTML_ALIGN_MEMBERS     = YES
 
-# If the GENERATE_HTMLHELP tag is set to YES, additional index files
-# will be generated that can be used as input for tools like the
-# Microsoft HTML help workshop to generate a compressed HTML help file (.chm)
+# If the GENERATE_HTMLHELP tag is set to YES, additional index files 
+# will be generated that can be used as input for tools like the 
+# Microsoft HTML help workshop to generate a compressed HTML help file (.chm) 
 # of the generated HTML documentation.
 
-GENERATE_HTMLHELP    = NO
+GENERATE_HTMLHELP      = NO
 
-# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index
-# of all compounds will be generated. Enable this if the project
-# contains a lot of classes, structs, unions or interfaces.
+# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML 
+# documentation will contain sections that can be hidden and shown after the 
+# page has loaded. For this to work a browser that supports 
+# JavaScript and DHTML is required (for instance Mozilla 1.0+, Firefox 
+# Netscape 6.0+, Internet explorer 5.0+, Konqueror, or Safari).
 
-ALPHABETICAL_INDEX   = NO
+HTML_DYNAMIC_SECTIONS  = NO
 
-# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then
-# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns
-# in which this list will be split (can be a number in the range [1..20])
+# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can 
+# be used to specify the file name of the resulting .chm file. You 
+# can add a path in front of the file if the result should not be 
+# written to the html output directory.
 
-COLS_IN_ALPHA_INDEX  = 5
+CHM_FILE               = 
 
+# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can 
+# be used to specify the location (absolute path including file name) of 
+# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run 
+# the HTML help compiler on the generated index.hhp.
+
+HHC_LOCATION           = 
+
+# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag 
+# controls if a separate .chi index file is generated (YES) or that 
+# it should be included in the master .chm file (NO).
+
+GENERATE_CHI           = NO
+
+# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag 
+# controls whether a binary table of contents is generated (YES) or a 
+# normal table of contents (NO) in the .chm file.
+
+BINARY_TOC             = NO
+
+# The TOC_EXPAND flag can be set to YES to add extra items for group members 
+# to the contents of the HTML help documentation and to the tree view.
+
+TOC_EXPAND             = NO
+
+# The DISABLE_INDEX tag can be used to turn on/off the condensed index at 
+# top of each HTML page. The value NO (the default) enables the index and 
+# the value YES disables it.
+
+DISABLE_INDEX          = NO
+
+# This tag can be used to set the number of enum values (range [1..20]) 
+# that doxygen will group on one line in the generated HTML documentation.
+
+ENUM_VALUES_PER_LINE   = 4
+
+# If the GENERATE_TREEVIEW tag is set to YES, a side panel will be
+# generated containing a tree-like index structure (just like the one that 
+# is generated for HTML Help). For this to work a browser that supports 
+# JavaScript, DHTML, CSS and frames is required (for instance Mozilla 1.0+, 
+# Netscape 6.0+, Internet explorer 5.0+, or Konqueror). Windows users are 
+# probably better off using the HTML help feature.
+
+GENERATE_TREEVIEW      = NO
+
+# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be 
+# used to set the initial width (in pixels) of the frame in which the tree 
+# is shown.
+
+TREEVIEW_WIDTH         = 250
+
 #---------------------------------------------------------------------------
 # configuration options related to the LaTeX output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will
+# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will 
 # generate Latex output.
 
-GENERATE_LATEX       = no
+GENERATE_LATEX         = no
 
-# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put.
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
 # put in front of it. If left blank `latex' will be used as the default path.
 
-LATEX_OUTPUT         =
+LATEX_OUTPUT           = 
 
-# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact
-# LaTeX documents. This may be useful for small projects and may help to
+# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be 
+# invoked. If left blank `latex' will be used as the default command name.
+
+LATEX_CMD_NAME         = latex
+
+# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to 
+# generate index for LaTeX. If left blank `makeindex' will be used as the 
+# default command name.
+
+MAKEINDEX_CMD_NAME     = makeindex
+
+# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact 
+# LaTeX documents. This may be useful for small projects and may help to 
 # save some trees in general.
 
-COMPACT_LATEX        = NO
+COMPACT_LATEX          = NO
 
-# The PAPER_TYPE tag can be used to set the paper type that is used
+# The PAPER_TYPE tag can be used to set the paper type that is used 
 # by the printer. Possible values are: a4, a4wide, letter, legal and 
 # executive. If left blank a4wide will be used.
 
-PAPER_TYPE           = a4wide
+PAPER_TYPE             = a4wide
 
-# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX
+# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX 
 # packages that should be included in the LaTeX output.
 
-EXTRA_PACKAGES       =
+EXTRA_PACKAGES         = 
 
 # The LATEX_HEADER tag can be used to specify a personal LaTeX header for 
-# the generated latex document. The header should contain everything until
+# the generated latex document. The header should contain everything until 
 # the first chapter. If it is left blank doxygen will generate a 
 # standard header. Notice: only use this tag if you know what you are doing!
 
-LATEX_HEADER         =
+LATEX_HEADER           = 
 
-# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated
-# is prepared for conversion to pdf (using ps2pdf). The pdf file will
-# contain links (just like the HTML output) instead of page references
+# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated 
+# is prepared for conversion to pdf (using ps2pdf). The pdf file will 
+# contain links (just like the HTML output) instead of page references 
 # This makes the output suitable for online browsing using a pdf viewer.
 
-PDF_HYPERLINKS       = NO
+PDF_HYPERLINKS         = NO
 
+# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of 
+# plain latex in the generated Makefile. Set this option to YES to get a 
+# higher quality PDF documentation.
+
+USE_PDFLATEX           = NO
+
+# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode. 
+# command to the generated LaTeX files. This will instruct LaTeX to keep 
+# running if errors occur, instead of asking the user for help. 
+# This option is also used when generating formulas in HTML.
+
+LATEX_BATCHMODE        = NO
+
+# If LATEX_HIDE_INDICES is set to YES then doxygen will not 
+# include the index chapters (such as File Index, Compound Index, etc.) 
+# in the output.
+
+LATEX_HIDE_INDICES     = NO
+
 #---------------------------------------------------------------------------
+# configuration options related to the RTF output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output 
+# The RTF output is optimized for Word 97 and may not look very pretty with 
+# other RTF readers or editors.
+
+GENERATE_RTF           = NO
+
+# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `rtf' will be used as the default path.
+
+RTF_OUTPUT             = rtf
+
+# If the COMPACT_RTF tag is set to YES Doxygen generates more compact 
+# RTF documents. This may be useful for small projects and may help to 
+# save some trees in general.
+
+COMPACT_RTF            = NO
+
+# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated 
+# will contain hyperlink fields. The RTF file will 
+# contain links (just like the HTML output) instead of page references. 
+# This makes the output suitable for online browsing using WORD or other 
+# programs which support those fields. 
+# Note: wordpad (write) and others do not support links.
+
+RTF_HYPERLINKS         = NO
+
+# Load stylesheet definitions from file. Syntax is similar to doxygen's 
+# config file, i.e. a series of assignments. You only have to provide 
+# replacements, missing definitions are set to their default value.
+
+RTF_STYLESHEET_FILE    = 
+
+# Set optional variables used in the generation of an rtf document. 
+# Syntax is similar to doxygen's config file.
+
+RTF_EXTENSIONS_FILE    = 
+
+#---------------------------------------------------------------------------
 # configuration options related to the man page output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_MAN tag is set to YES (the default) Doxygen will
+# If the GENERATE_MAN tag is set to YES (the default) Doxygen will 
 # generate man pages
 
-GENERATE_MAN         = no
+GENERATE_MAN           = no
 
-# The MAN_OUTPUT tag is used to specify where the man pages will be put.
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# The MAN_OUTPUT tag is used to specify where the man pages will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
 # put in front of it. If left blank `man' will be used as the default path.
 
-MAN_OUTPUT           =
+MAN_OUTPUT             = 
 
-# The MAN_EXTENSION tag determines the extension that is added to
+# The MAN_EXTENSION tag determines the extension that is added to 
 # the generated man pages (default is the subroutine's section .3)
 
-MAN_EXTENSION        = .3
+MAN_EXTENSION          = .3
 
+# If the MAN_LINKS tag is set to YES and Doxygen generates man output, 
+# then it will generate one additional man file for each entity 
+# documented in the real man page(s). These additional files 
+# only source the real man page, but without them the man command 
+# would be unable to find the correct page. The default is NO.
+
+MAN_LINKS              = NO
+
 #---------------------------------------------------------------------------
-# Configuration options related to the preprocessor 
+# configuration options related to the XML output
 #---------------------------------------------------------------------------
 
-# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will
-# evaluate all C-preprocessor directives found in the sources and include
+# If the GENERATE_XML tag is set to YES Doxygen will 
+# generate an XML file that captures the structure of 
+# the code including all documentation.
+
+GENERATE_XML           = NO
+
+# The XML_OUTPUT tag is used to specify where the XML pages will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `xml' will be used as the default path.
+
+XML_OUTPUT             = xml
+
+# The XML_SCHEMA tag can be used to specify an XML schema, 
+# which can be used by a validating XML parser to check the 
+# syntax of the XML files.
+
+XML_SCHEMA             = 
+
+# The XML_DTD tag can be used to specify an XML DTD, 
+# which can be used by a validating XML parser to check the 
+# syntax of the XML files.
+
+XML_DTD                = 
+
+# If the XML_PROGRAMLISTING tag is set to YES Doxygen will 
+# dump the program listings (including syntax highlighting 
+# and cross-referencing information) to the XML output. Note that 
+# enabling this will significantly increase the size of the XML output.
+
+XML_PROGRAMLISTING     = YES
+
+#---------------------------------------------------------------------------
+# configuration options for the AutoGen Definitions output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will 
+# generate an AutoGen Definitions (see autogen.sf.net) file 
+# that captures the structure of the code including all 
+# documentation. Note that this feature is still experimental 
+# and incomplete at the moment.
+
+GENERATE_AUTOGEN_DEF   = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the Perl module output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_PERLMOD tag is set to YES Doxygen will 
+# generate a Perl module file that captures the structure of 
+# the code including all documentation. Note that this 
+# feature is still experimental and incomplete at the 
+# moment.
+
+GENERATE_PERLMOD       = NO
+
+# If the PERLMOD_LATEX tag is set to YES Doxygen will generate 
+# the necessary Makefile rules, Perl scripts and LaTeX code to be able 
+# to generate PDF and DVI output from the Perl module output.
+
+PERLMOD_LATEX          = NO
+
+# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be 
+# nicely formatted so it can be parsed by a human reader.  This is useful 
+# if you want to understand what is going on.  On the other hand, if this 
+# tag is set to NO the size of the Perl module output will be much smaller 
+# and Perl will parse it just the same.
+
+PERLMOD_PRETTY         = YES
+
+# The names of the make variables in the generated doxyrules.make file 
+# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. 
+# This is useful so different doxyrules.make files included by the same 
+# Makefile don't overwrite each other's variables.
+
+PERLMOD_MAKEVAR_PREFIX = 
+
+#---------------------------------------------------------------------------
+# Configuration options related to the preprocessor   
+#---------------------------------------------------------------------------
+
+# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will 
+# evaluate all C-preprocessor directives found in the sources and include 
 # files.
 
-ENABLE_PREPROCESSING = YES
+ENABLE_PREPROCESSING   = YES
 
-# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro
+# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro 
 # names in the source code. If set to NO (the default) only conditional 
-# compilation will be performed.
+# compilation will be performed. Macro expansion can be done in a controlled 
+# way by setting EXPAND_ONLY_PREDEF to YES.
 
-MACRO_EXPANSION      = NO
+MACRO_EXPANSION        = NO
 
-# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files
+# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES 
+# then the macro expansion is limited to the macros specified with the 
+# PREDEFINED and EXPAND_AS_DEFINED tags.
+
+EXPAND_ONLY_PREDEF     = NO
+
+# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files 
 # in the INCLUDE_PATH (see below) will be search if a #include is found.
 
-SEARCH_INCLUDES      = YES
+SEARCH_INCLUDES        = YES
 
-# The INCLUDE_PATH tag can be used to specify one or more directories that
-# contain include files that are not input files but should be processed by
+# The INCLUDE_PATH tag can be used to specify one or more directories that 
+# contain include files that are not input files but should be processed by 
 # the preprocessor.
 
-INCLUDE_PATH         =
+INCLUDE_PATH           = 
 
-# The PREDEFINED tag can be used to specify one or more macro names that
-# are defined before the preprocessor is started (similar to the -D option of
-# gcc). The argument of the tag is a list of macros of the form: name
+# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard 
+# patterns (like *.h and *.hpp) to filter out the header-files in the 
+# directories. If left blank, the patterns specified with FILE_PATTERNS will 
+# be used.
+
+INCLUDE_FILE_PATTERNS  = 
+
+# The PREDEFINED tag can be used to specify one or more macro names that 
+# are defined before the preprocessor is started (similar to the -D option of 
+# gcc). The argument of the tag is a list of macros of the form: name 
 # or name=definition (no spaces). If the definition and the = are 
-# omitted =1 is assumed.
+# omitted =1 is assumed. To prevent a macro definition from being 
+# undefined via #undef or recursively expanded use the := operator 
+# instead of the = operator.
 
-PREDEFINED           =
+PREDEFINED             = 
 
-# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES
-# then the macro expansion is limited to the macros specified with the
-# PREDEFINED tag.
+# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then 
+# this tag can be used to specify a list of macro names that should be expanded. 
+# The macro definition that is found in the sources will be used. 
+# Use the PREDEFINED tag if you want to use a different macro definition.
 
-EXPAND_ONLY_PREDEF   = NO
+EXPAND_AS_DEFINED      = 
 
+# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then 
+# doxygen's preprocessor will remove all function-like macros that are alone 
+# on a line, have an all uppercase name, and do not end with a semicolon. Such 
+# function macros are typically used for boiler-plate code, and will confuse 
+# the parser if not removed.
+
+SKIP_FUNCTION_MACROS   = YES
+
 #---------------------------------------------------------------------------
-# Configuration options related to external references 
+# Configuration::additions related to external references   
 #---------------------------------------------------------------------------
 
-# The TAGFILES tag can be used to specify one or more tagfiles. 
+# The TAGFILES option can be used to specify one or more tagfiles. 
+# Optionally an initial location of the external documentation 
+# can be added for each tagfile. The format of a tag file without 
+# this location is as follows: 
+#   TAGFILES = file1 file2 ... 
+# Adding location for the tag files is done as follows: 
+#   TAGFILES = file1=loc1 "file2 = loc2" ... 
+# where "loc1" and "loc2" can be relative or absolute paths or 
+# URLs. If a location is present for each tag, the installdox tool 
+# does not have to be run to correct the links.
+# Note that each tag file must have a unique name
+# (where the name does NOT include the path)
+# If a tag file is not located in the directory in which doxygen 
+# is run, you must also specify the path to the tagfile here.
 
-TAGFILES             =
+TAGFILES               = 
 
-# When a file name is specified after GENERATE_TAGFILE, doxygen will create
+# When a file name is specified after GENERATE_TAGFILE, doxygen will create 
 # a tag file that is based on the input files it reads.
 
-GENERATE_TAGFILE     =
+GENERATE_TAGFILE       = 
 
-# If the ALLEXTERNALS tag is set to YES all external classes will be listed
-# in the class index. If set to NO only the inherited external classes
+# If the ALLEXTERNALS tag is set to YES all external classes will be listed 
+# in the class index. If set to NO only the inherited external classes 
 # will be listed.
 
-ALLEXTERNALS         = NO
+ALLEXTERNALS           = NO
 
-# The PERL_PATH should be the absolute path and name of the perl script
+# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed 
+# in the modules index. If set to NO, only the current project's groups will 
+# be listed.
+
+EXTERNAL_GROUPS        = YES
+
+# The PERL_PATH should be the absolute path and name of the perl script 
 # interpreter (i.e. the result of `which perl').
 
-PERL_PATH            = /usr/bin/perl
+PERL_PATH              = /usr/bin/perl
 
 #---------------------------------------------------------------------------
-# Configuration options related to the search engine 
+# Configuration options related to the dot tool   
 #---------------------------------------------------------------------------
 
-# The SEARCHENGINE tag specifies whether or not a search engine should be 
-# used. If set to NO the values of all tags below this one will be ignored.
+# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will 
+# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base 
+# or super classes. Setting the tag to NO turns the diagrams off. Note that 
+# this option is superseded by the HAVE_DOT option below. This is only a 
+# fallback. It is recommended to install and use dot, since it yields more 
+# powerful graphs.
 
-SEARCHENGINE         = NO
+CLASS_DIAGRAMS         = YES
 
-# The CGI_NAME tag should be the name of the CGI script that
-# starts the search engine (doxysearch) with the correct parameters.
-# A script with this name will be generated by doxygen.
+# You can define message sequence charts within doxygen comments using the \msc 
+# command. Doxygen will then run the mscgen tool (see http://www.mcternan.me.uk/mscgen/) to 
+# produce the chart and insert it in the documentation. The MSCGEN_PATH tag allows you to 
+# specify the directory where the mscgen tool resides. If left empty the tool is assumed to 
+# be found in the default search path.
 
-CGI_NAME             = search.cgi
+MSCGEN_PATH            = 
 
-# The CGI_URL tag should be the absolute URL to the directory where the
-# cgi binaries are located. See the documentation of your http daemon for 
-# details.
+# If set to YES, the inheritance and collaboration graphs will hide 
+# inheritance and usage relations if the target is undocumented 
+# or is not a class.
 
-CGI_URL              =
+HIDE_UNDOC_RELATIONS   = YES
 
-# The DOC_URL tag should be the absolute URL to the directory where the
-# documentation is located. If left blank the absolute path to the 
-# documentation, with file:// prepended to it, will be used.
+# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is 
+# available from the path. This tool is part of Graphviz, a graph visualization 
+# toolkit from AT&T and Lucent Bell Labs. The other options in this section 
+# have no effect if this option is set to NO (the default)
 
-DOC_URL              =
+HAVE_DOT               = NO
 
-# The DOC_ABSPATH tag should be the absolute path to the directory where the
-# documentation is located. If left blank the directory on the local machine
-# will be used.
+# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen 
+# will generate a graph for each documented class showing the direct and 
+# indirect inheritance relations. Setting this tag to YES will force the 
+# the CLASS_DIAGRAMS tag to NO.
 
-DOC_ABSPATH          =
+CLASS_GRAPH            = YES
 
-# The BIN_ABSPATH tag must point to the directory where the doxysearch binary
-# is installed.
+# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen 
+# will generate a graph for each documented class showing the direct and 
+# indirect implementation dependencies (inheritance, containment, and 
+# class references variables) of the class with other documented classes.
 
-BIN_ABSPATH          = /usr/local/bin/
+COLLABORATION_GRAPH    = YES
 
-# The EXT_DOC_PATHS tag can be used to specify one or more paths to 
-# documentation generated for other projects. This allows doxysearch to search
-# the documentation for these projects as well.
+# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen 
+# will generate a graph for groups, showing the direct groups dependencies
 
-EXT_DOC_PATHS        =
+GROUP_GRAPHS           = YES
+
+# If the UML_LOOK tag is set to YES doxygen will generate inheritance and 
+# collaboration diagrams in a style similar to the OMG's Unified Modeling 
+# Language.
+
+UML_LOOK               = NO
+
+# If set to YES, the inheritance and collaboration graphs will show the 
+# relations between templates and their instances.
+
+TEMPLATE_RELATIONS     = NO
+
+# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT 
+# tags are set to YES then doxygen will generate a graph for each documented 
+# file showing the direct and indirect include dependencies of the file with 
+# other documented files.
+
+INCLUDE_GRAPH          = YES
+
+# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and 
+# HAVE_DOT tags are set to YES then doxygen will generate a graph for each 
+# documented header file showing the documented files that directly or 
+# indirectly include this file.
+
+INCLUDED_BY_GRAPH      = YES
+
+# If the CALL_GRAPH, SOURCE_BROWSER and HAVE_DOT tags are set to YES then doxygen will 
+# generate a call dependency graph for every global function or class method. 
+# Note that enabling this option will significantly increase the time of a run. 
+# So in most cases it will be better to enable call graphs for selected 
+# functions only using the \callgraph command.
+
+CALL_GRAPH             = NO
+
+# If the CALLER_GRAPH, SOURCE_BROWSER and HAVE_DOT tags are set to YES then doxygen will 
+# generate a caller dependency graph for every global function or class method. 
+# Note that enabling this option will significantly increase the time of a run. 
+# So in most cases it will be better to enable caller graphs for selected 
+# functions only using the \callergraph command.
+
+CALLER_GRAPH           = NO
+
+# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen 
+# will graphical hierarchy of all classes instead of a textual one.
+
+GRAPHICAL_HIERARCHY    = YES
+
+# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES 
+# then doxygen will show the dependencies a directory has on other directories 
+# in a graphical way. The dependency relations are determined by the #include
+# relations between the files in the directories.
+
+DIRECTORY_GRAPH        = YES
+
+# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images 
+# generated by dot. Possible values are png, jpg, or gif
+# If left blank png will be used.
+
+DOT_IMAGE_FORMAT       = png
+
+# The tag DOT_PATH can be used to specify the path where the dot tool can be 
+# found. If left blank, it is assumed the dot tool can be found in the path.
+
+DOT_PATH               = 
+
+# The DOTFILE_DIRS tag can be used to specify one or more directories that 
+# contain dot files that are included in the documentation (see the 
+# \dotfile command).
+
+DOTFILE_DIRS           = 
+
+# The MAX_DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of 
+# nodes that will be shown in the graph. If the number of nodes in a graph 
+# becomes larger than this value, doxygen will truncate the graph, which is 
+# visualized by representing a node as a red box. Note that doxygen if the number 
+# of direct children of the root node in a graph is already larger than 
+# MAX_DOT_GRAPH_NOTES then the graph will not be shown at all. Also note 
+# that the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH.
+
+DOT_GRAPH_MAX_NODES    = 50
+
+# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the 
+# graphs generated by dot. A depth value of 3 means that only nodes reachable 
+# from the root by following a path via at most 3 edges will be shown. Nodes 
+# that lay further from the root node will be omitted. Note that setting this 
+# option to 1 or 2 may greatly reduce the computation time needed for large 
+# code bases. Also note that the size of a graph can be further restricted by 
+# DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction.
+
+MAX_DOT_GRAPH_DEPTH    = 0
+
+# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent 
+# background. This is disabled by default, which results in a white background. 
+# Warning: Depending on the platform used, enabling this option may lead to 
+# badly anti-aliased labels on the edges of a graph (i.e. they become hard to 
+# read).
+
+DOT_TRANSPARENT        = YES
+
+# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output 
+# files in one run (i.e. multiple -o and -T options on the command line). This 
+# makes dot run faster, but since only newer versions of dot (>1.8.10) 
+# support this, this feature is disabled by default.
+
+DOT_MULTI_TARGETS      = NO
+
+# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will 
+# generate a legend page explaining the meaning of the various boxes and 
+# arrows in the dot generated graphs.
+
+GENERATE_LEGEND        = YES
+
+# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will 
+# remove the intermediate dot files that are used to generate 
+# the various graphs.
+
+DOT_CLEANUP            = YES
+
+#---------------------------------------------------------------------------
+# Configuration::additions related to the search engine   
+#---------------------------------------------------------------------------
+
+# The SEARCHENGINE tag specifies whether or not a search engine should be 
+# used. If set to NO the values of all tags below this one will be ignored.
+
+SEARCHENGINE           = NO
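
Review bot: the comment block above `DOT_GRAPH_MAX_NODES` calls the tag `MAX_DOT_GRAPH_MAX_NODES` and `MAX_DOT_GRAPH_NOTES`, neither of which is the name actually set on the `DOT_GRAPH_MAX_NODES    = 50` line, and the `GRAPHICAL_HIERARCHY` comment is missing its verb ("will graphical hierarchy of all classes"). Both are inherited from the doxygen template, but since this file is now committed it is worth fixing so a reader grepping for the tag named in the comment finds it. Separately, `DOT_TRANSPARENT = YES` contradicts its own comment ("disabled by default", with a warning about badly anti-aliased labels); with `HAVE_DOT = NO` it has no effect today, so either drop it back to NO or note why it is on.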

Modified: openldap/trunk/contrib/ldapc++/examples/Makefile.am
===================================================================
--- openldap/trunk/contrib/ldapc++/examples/Makefile.am	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/examples/Makefile.am	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,5 @@
+# $OpenLDAP: pkg/ldap/contrib/ldapc++/examples/Makefile.am,v 1.2.4.3 2008/04/14 23:18:59 quanah Exp $
+
 ##
 # Copyright 2003, OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/examples/Makefile.in
===================================================================
--- openldap/trunk/contrib/ldapc++/examples/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/examples/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -14,6 +14,8 @@
 
 @SET_MAKE@
 
+# $OpenLDAP: pkg/ldap/contrib/ldapc++/examples/Makefile.in,v 1.3.2.3 2008/04/14 23:18:59 quanah Exp $
+
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@

Modified: openldap/trunk/contrib/ldapc++/examples/main.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/examples/main.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/examples/main.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/examples/main.cpp,v 1.1.8.3 2008/04/14 23:18:59 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -3,6 +4,6 @@
  */
 
-#include<iostream>
-#include<sstream>
+#include <iostream>
+#include <sstream>
 #include "LDAPConnection.h"
 #include "LDAPConstraints.h"
@@ -14,9 +15,8 @@
 #include "LDAPEntry.h"
 #include "LDAPException.h"
 #include "LDAPModification.h"
-#include "LDAPReferralException.h"
 
-#include"debug.h"
+#include "debug.h"
 
 int main(){
     LDAPConstraints* cons=new LDAPConstraints;
@@ -69,7 +69,7 @@
         
         lc->unbind();
         delete lc;
-   }catch (LDAPException e){
+   }catch (LDAPException &e){
         std::cout << "-------------- caught Exception ---------"<< std::endl;
         std::cout << e << std::endl;
     }

Modified: openldap/trunk/contrib/ldapc++/examples/readSchema.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/examples/readSchema.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/examples/readSchema.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,11 @@
-#include<iostream>
-#include<sstream>
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/examples/readSchema.cpp,v 1.1.6.3 2008/04/14 23:18:59 quanah Exp $
+/*
+ * Copyright 2008, OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+
+#include <iostream>
+#include <sstream>
 #include "LDAPConnection.h"
 #include "LDAPConstraints.h"
 #include "LDAPSearchReference.h"
@@ -9,10 +15,9 @@
 #include "LDAPEntry.h"
 #include "LDAPException.h"
 #include "LDAPModification.h"
-#include "LDAPReferralException.h"
 #include "LDAPSchema.h"
 
-#include"debug.h"
+#include "debug.h"
 
 int main(){
     LDAPConnection *lc=new LDAPConnection("192.168.3.128",389);

Modified: openldap/trunk/contrib/ldapc++/examples/urlTest.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/examples/urlTest.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/examples/urlTest.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,9 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/examples/urlTest.cpp,v 1.1.2.3 2008/04/14 23:18:59 quanah Exp $
+/*
+ * Copyright 2008, OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+
 #include <LDAPUrl.h>
 #include <LDAPException.h>
 #include <cstdlib>

Modified: openldap/trunk/contrib/ldapc++/src/LDAPAddRequest.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPAddRequest.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPAddRequest.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPAddRequest.cpp,v 1.6.6.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPAddRequest.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPAddRequest.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPAddRequest.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPAddRequest.h,v 1.3.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPAsynConnection.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPAsynConnection.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPAsynConnection.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPAsynConnection.cpp,v 1.13.2.6 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000-2006, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -24,15 +25,20 @@
 
 using namespace std;
 
-LDAPAsynConnection::LDAPAsynConnection(const string& hostname, int port,
+LDAPAsynConnection::LDAPAsynConnection(const string& url, int port,
                                LDAPConstraints *cons ){
     DEBUG(LDAP_DEBUG_CONSTRUCT,"LDAPAsynConnection::LDAPAsynConnection()"
             << endl);
     DEBUG(LDAP_DEBUG_CONSTRUCT | LDAP_DEBUG_PARAMETER,
-            "   host:" << hostname << endl << "   port:" << port << endl);
+            "   URL:" << url << endl << "   port:" << port << endl);
     cur_session=0;
     m_constr = 0;
-    this->init(hostname, port);
+    // Is this an LDAP URI?
+    if ( url.find("://") == std::string::npos ) {
+    	this->init(url, port);
+    } else {
+    	this->initialize(url);
+    }
     this->setConstraints(cons);
 }
 
@@ -95,6 +101,41 @@
     }
 }
 
+LDAPMessageQueue* LDAPAsynConnection::saslBind(const std::string &mech,
+		const std::string &cred,
+		const LDAPConstraints *cons)
+{
+    DEBUG(LDAP_DEBUG_TRACE, "LDAPAsynConnection::saslBind()" <<  endl);
+    LDAPSaslBindRequest *req = new LDAPSaslBindRequest(mech, cred, this, cons);
+    try{
+        LDAPMessageQueue *ret = req->sendRequest();
+        return ret;
+    }catch(LDAPException e){
+        delete req;
+        throw;
+    }
+
+}
+
+LDAPMessageQueue* LDAPAsynConnection::saslInteractiveBind(
+                        const std::string &mech,
+                        int flags,
+                        SaslInteractionHandler *sih,
+                        const LDAPConstraints *cons)
+{
+    DEBUG(LDAP_DEBUG_TRACE, "LDAPAsynConnection::saslInteractiveBind" 
+            << std::endl);
+    LDAPSaslInteractiveBind *req = 
+            new LDAPSaslInteractiveBind(mech, flags, sih, this, cons);
+    try {
+        LDAPMessageQueue *ret = req->sendRequest();
+        return ret;
+    }catch(LDAPException e){
+        delete req;
+        throw;
+    } 
+}
+
 LDAPMessageQueue* LDAPAsynConnection::search(const string& base,int scope, 
                                          const string& filter, 
                                          const StringList& attrs, 
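
Review bot: both new methods catch by value (`}catch(LDAPException e){`), which copies the exception and slices any derived type; this same commit changes examples/main.cpp to `catch (LDAPException &e)`, so `saslBind` and `saslInteractiveBind` should catch `LDAPException &` too. On the success path neither `req` object is deleted, which is correct only if `sendRequest()` transfers ownership to the returned LDAPMessageQueue; a one-line comment stating that ownership rule would make the asymmetry with the `delete req` in the catch block deliberate rather than suspicious.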

Modified: openldap/trunk/contrib/ldapc++/src/LDAPAsynConnection.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPAsynConnection.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPAsynConnection.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPAsynConnection.h,v 1.11.2.4 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -21,6 +22,7 @@
 #include <LDAPModList.h>
 #include <LDAPUrl.h>
 #include <LDAPUrlList.h>
+#include <SaslInteractionHandler.h>
 
 //* Main class for an asynchronous LDAP connection 
 /**
@@ -59,9 +61,6 @@
          * Search
          */
         static const int SEARCH_SUB=2;
-//        static const int SEARCH_SUB=LDAP_SCOPE_SUBTREE;
-//        static const int SEARCH_ONE=LDAP_SCOPE_ONELEVEL;
-//        static const int SEARCH_SUB=LDAP_SCOPE_SUBTREE;
 
         /** Construtor that initializes a connection to a server
          * @param hostname Name (or IP-Adress) of the destination host
@@ -69,7 +68,7 @@
          * @param cons Default constraints to use with operations over 
          *      this connection
          */
-        LDAPAsynConnection(const std::string& hostname=std::string("localhost"),
+        LDAPAsynConnection(const std::string& url=std::string("localhost"),
                 int port=0, LDAPConstraints *cons=new LDAPConstraints() );
 
         //* Destructor
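
Review bot: the parameter is renamed from `hostname` to `url`, but the doxygen comment directly above still reads `@param hostname Name (or IP-Adress) of the destination host`, so the generated documentation no longer matches the signature and doxygen will flag `url` as undocumented. Update the comment to say that `url` accepts either a bare hostname or an LDAP URI, fix "Construtor"/"IP-Adress" while there, and state what happens to `port` when a URI is given.
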
@@ -116,9 +115,19 @@
          * @param dn the distiguished name to bind as
          * @param passwd cleartext password to use
          */
-        LDAPMessageQueue* bind(const std::string& dn="", const std::string& passwd="",
+        LDAPMessageQueue* bind(const std::string& dn="", 
+                const std::string& passwd="",
                 const LDAPConstraints *cons=0);
 
+        LDAPMessageQueue* saslBind(const std::string& mech, 
+                const std::string& cred, 
+                const LDAPConstraints *cons=0);
+
+        LDAPMessageQueue* saslInteractiveBind(const std::string& mech,
+                int flags=0,
+                SaslInteractionHandler *sih=0,
+                const LDAPConstraints *cons=0);
+
         /** Performing a search on a directory tree.
          *
          * Use the search method to perform a search on the LDAP-Directory
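
Review bot: the new `saslBind` and `saslInteractiveBind` declarations carry no doxygen comment, unlike `bind()` immediately above them. Document `mech`, what `cred` is expected to contain, the meaning of `flags` (the default of 0 is otherwise opaque), and whether the caller keeps ownership of `sih`, since the pointer is stored across an asynchronous operation.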

Modified: openldap/trunk/contrib/ldapc++/src/LDAPAttrType.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPAttrType.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPAttrType.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPAttrType.cpp,v 1.3.4.3 2008/05/01 21:28:42 quanah Exp $
 /*
  * Copyright 2003, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -18,17 +19,6 @@
     usage = 0;
 }
 
-LDAPAttrType::LDAPAttrType (const LDAPAttrType &at){
-    DEBUG(LDAP_DEBUG_CONSTRUCT,
-            "LDAPAttrType::LDAPAttrType( )" << endl);
-
-    oid = at.oid;
-    desc = at.desc;
-    names = at.names;
-    single = at.single;
-    usage = at.usage;
-}
-
 LDAPAttrType::LDAPAttrType (string at_item) { 
 
     DEBUG(LDAP_DEBUG_CONSTRUCT,
@@ -45,6 +35,11 @@
 	this->setOid( a->at_oid );
 	this->setSingle( a->at_single_value );
 	this->setUsage( a->at_usage );
+        this->setSuperiorOid( a->at_sup_oid );
+        this->setEqualityOid( a->at_equality_oid );
+        this->setOrderingOid( a->at_ordering_oid );
+        this->setSubstringOid( a->at_substr_oid );
+        this->setSyntaxOid( a->at_syntax_oid );
     }
     // else? -> error
 }
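
Review bot: the five new `this->set*Oid(...)` calls are indented with eight spaces while the surrounding `this->setOid`/`setSingle`/`setUsage` lines use a tab, so the block renders unevenly in any editor not set to 8-column tabs; match the existing indentation. The pre-existing `// else? -> error` comment is also still unresolved and now guards more work than before.
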
@@ -57,17 +52,17 @@
     single = (at_single == 1);
 }
     
-void LDAPAttrType::setNames (char **at_names) {
-    names = StringList (at_names);
+void LDAPAttrType::setNames ( char **at_names ) {
+    names = StringList(at_names);
 }
 
-void LDAPAttrType::setDesc (char *at_desc) {
+void LDAPAttrType::setDesc (const char *at_desc) {
     desc = string ();
     if (at_desc)
 	desc = at_desc;
 }
 
-void LDAPAttrType::setOid (char *at_oid) {
+void LDAPAttrType::setOid (const char *at_oid) {
     oid = string ();
     if (at_oid)
 	oid = at_oid;
@@ -77,23 +72,48 @@
     usage = at_usage;
 }
 
-bool LDAPAttrType::isSingle () {
-    return single;
+void LDAPAttrType::setSuperiorOid( const char *oid ){
+    if ( oid )
+        superiorOid = oid;
 }
 
-string LDAPAttrType::getOid () {
+void LDAPAttrType::setEqualityOid( const char *oid ){
+    if ( oid )
+        equalityOid = oid;
+}
+
+void LDAPAttrType::setOrderingOid( const char *oid ){
+    if ( oid )
+        orderingOid = oid;
+}
+
+void LDAPAttrType::setSubstringOid( const char *oid ){
+    if ( oid )
+        substringOid = oid;
+}
+
+void LDAPAttrType::setSyntaxOid( const char *oid ){
+    if ( oid )
+        syntaxOid = oid;
+}
+
+bool LDAPAttrType::isSingle() const {
+    return single;
+} 
+
+string LDAPAttrType::getOid() const {
     return oid;
 }
 
-string LDAPAttrType::getDesc () {
+string LDAPAttrType::getDesc() const {
     return desc;
 }
 
-StringList LDAPAttrType::getNames () {
+StringList LDAPAttrType::getNames() const {
     return names;
 }
 
-string LDAPAttrType::getName () {
+string LDAPAttrType::getName() const {
 
     if (names.empty())
 	return "";
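
Review bot: the new setters `setSuperiorOid` through `setSyntaxOid` only assign when `oid` is non-NULL and never reset the member, whereas `setDesc` and `setOid` above first reset to an empty string; calling e.g. `setSuperiorOid(NULL)` on an object that already holds a value leaves the stale value in place. These schema fields are optional, so reset the member before the NULL check to keep the setters idempotent. Also, the parameter name `oid` shadows the `oid` member in all five methods; it is harmless here because the member is not touched, but a name like `at_sup_oid` (as the C struct field is called) avoids the confusion.
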
@@ -101,6 +121,28 @@
 	return *(names.begin());
 }
 
-int LDAPAttrType::getUsage () {
+int LDAPAttrType::getUsage() const {
     return usage;
 }
+
+std::string LDAPAttrType::getSuperiorOid() const {
+    return superiorOid;
+}
+
+std::string LDAPAttrType::getEqualityOid() const {
+    return equalityOid;
+}
+
+std::string LDAPAttrType::getOrderingOid() const {
+    return orderingOid;
+}
+
+std::string LDAPAttrType::getSubstringOid() const {
+    return substringOid;
+}
+
+std::string LDAPAttrType::getSyntaxOid() const {
+    return syntaxOid;
+}
+
+

Modified: openldap/trunk/contrib/ldapc++/src/LDAPAttrType.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPAttrType.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPAttrType.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPAttrType.h,v 1.3.4.3 2008/05/01 21:28:42 quanah Exp $
 /*
  * Copyright 2003, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -22,10 +23,11 @@
 class LDAPAttrType{
     private :
 	StringList names;
-	string desc, oid;
+	std::string desc, oid, superiorOid, equalityOid;
+        std::string orderingOid, substringOid, syntaxOid;
 	bool single;
 	int usage;
-	
+
     public :
 
         /**
@@ -34,11 +36,6 @@
         LDAPAttrType();
 
         /**
-         * Copy constructor
-         */   
-	LDAPAttrType (const LDAPAttrType& oc);
-
-        /**
 	 * Constructs new object and fills the data structure by parsing the
 	 * argument.
 	 * @param at_item description of attribute type is string returned
@@ -57,40 +54,50 @@
 	/**
 	 * Returns attribute description
 	 */
-	string getDesc ();
+	string getDesc() const;
 	
 	/**
 	 * Returns attribute oid
 	 */
-	string getOid ();
+	string getOid() const;
 
 	/**
 	 * Returns attribute name (first one if there are more of them)
 	 */
-	string getName ();
+	string getName() const;
 
 	/**
 	 * Returns all attribute names
 	 */
-	StringList getNames();
+	StringList getNames() const;
 	
 	/**
 	 * Returns true if attribute type allows only single value
 	 */
-	bool isSingle();
+	bool isSingle() const;
 	
 	/**
  	 * Return the 'usage' value:
  	 * (0=userApplications, 1=directoryOperation, 2=distributedOperation, 
 	 *  3=dSAOperation)
  	 */
- 	int getUsage ();
+ 	int getUsage () const;
+        std::string getSuperiorOid() const;
+        std::string getEqualityOid() const;
+        std::string getOrderingOid() const;
+        std::string getSubstringOid() const;
+        std::string getSyntaxOid() const;
 
-	void setNames (char **at_names);
-	void setDesc (char *at_desc);
-	void setOid (char *at_oid);
-	void setSingle (int at_single_value);
-	void setUsage (int at_usage );
+	void setNames( char **at_names);
+	void setDesc(const char *at_desc);
+	void setOid(const char *at_oid);
+	void setSingle(int at_single_value);
+	void setUsage(int at_usage );
+        void setSuperiorOid( const char *oid );
+        void setEqualityOid( const char *oid );
+        void setOrderingOid( const char *oid );
+        void setSubstringOid( const char *oid );
+        void setSyntaxOid( const char *oid );
 };
 
 #endif // LDAP_ATTRTYPE_H
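
Review bot: the new `getSuperiorOid`..`getSyntaxOid` getters and `setSuperiorOid`..`setSyntaxOid` setters have no doxygen comments, while every existing getter in this class has one; add a one-line description for each (what the OID refers to and that an empty string means the schema did not specify it, if that is the intended contract). The additions also mix `std::string` with the bare `string` used by `getDesc()`/`getOid()` and eight-space indentation with the file's tabs; pick one of each for the class.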

Modified: openldap/trunk/contrib/ldapc++/src/LDAPAttribute.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPAttribute.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPAttribute.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,6 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPAttribute.cpp,v 1.6.10.2 2008/04/14 23:09:26 quanah Exp $
 /*
- * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
+ * Copyright 2000-2007, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
  */
 

Modified: openldap/trunk/contrib/ldapc++/src/LDAPAttribute.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPAttribute.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPAttribute.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPAttribute.h,v 1.6.8.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000-2002, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPAttributeList.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPAttributeList.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPAttributeList.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,6 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPAttributeList.cpp,v 1.7.6.3 2008/04/14 23:09:26 quanah Exp $
 /*
- * Copyright 2000-2002, OpenLDAP Foundation, All Rights Reserved.
+ * Copyright 2000-2007, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
  */
 
@@ -139,6 +140,24 @@
     }
 }
 
+void LDAPAttributeList::replaceAttribute(const LDAPAttribute& attr)
+{
+    DEBUG(LDAP_DEBUG_TRACE,"LDAPAttribute::replaceAttribute()" << endl);
+    DEBUG(LDAP_DEBUG_TRACE | LDAP_DEBUG_PARAMETER,
+            "   attr:" << attr << endl);
+    
+    LDAPAttributeList::iterator i;
+    for( i = m_attrs.begin(); i != m_attrs.end(); i++){
+	if(attr.getName().size() == i->getName().size()){
+	    if(equal(attr.getName().begin(), attr.getName().end(), i->getName().begin(),
+		    nocase_compare)){
+                m_attrs.erase(i);
+                break;
+            }
+        }
+    }
+    m_attrs.push_back(attr);
+}
 
 LDAPMod** LDAPAttributeList::toLDAPModArray() const{
     DEBUG(LDAP_DEBUG_TRACE,"LDAPAttribute::toLDAPModArray()" << endl);
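Review bot: the trace label in replaceAttribute() names the wrong class; `"LDAPAttribute::replaceAttribute()"` should read `"LDAPAttributeList::replaceAttribute()"` (toLDAPModArray() just below has the same copy-paste label, worth fixing in the same commit). Functionally, the loop erases only the first case-insensitive match and then breaks, so if the list can ever hold two attributes whose names differ only in case, one survives and push_back() leaves the list with two entries for the same type. Either document that the list is kept duplicate-free by addAttribute(), or drop the `break` and continue with the iterator that erase() returns so all matches go before the new value is appended.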

Modified: openldap/trunk/contrib/ldapc++/src/LDAPAttributeList.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPAttributeList.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPAttributeList.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPAttributeList.h,v 1.9.6.2 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000-2002, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -84,7 +85,6 @@
 	 */
 	const LDAPAttribute* getAttributeByName(const std::string& name) const;
 
-
         /**
          * Adds one element to the end of the list.
          * @param attr The attribute to add to the list.
@@ -92,6 +92,12 @@
         void addAttribute(const LDAPAttribute& attr);
 
         /**
+         * Replace an Attribute in the List
+         * @param attr The attribute to add to the list.
+         */
+        void replaceAttribute(const LDAPAttribute& attr);
+
+        /**
          * Translates the list of Attributes to a 0-terminated array of
          * LDAPMod-structures as needed by the C-API
          */
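Review bot: the doc comment on replaceAttribute() is copied from addAttribute() (`@param attr The attribute to add to the list.`) and does not state the contract; it should say that any existing attribute with the same type (compared case-insensitively) is removed and that the new attribute is appended, also when no attribute of that type existed.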

Modified: openldap/trunk/contrib/ldapc++/src/LDAPBindRequest.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPBindRequest.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPBindRequest.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,6 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPBindRequest.cpp,v 1.6.8.3 2008/04/14 23:09:26 quanah Exp $
 /*
- * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
+ * Copyright 2000-2007, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
  */
 
@@ -9,8 +10,11 @@
 
 #include "LDAPBindRequest.h"
 #include "LDAPException.h"
+#include "SaslInteractionHandler.h"
+#include "SaslInteraction.h"
 
 #include <cstdlib>
+#include <sasl/sasl.h>
 
 using namespace std;
 
@@ -73,10 +77,97 @@
     }
 }
 
-LDAPRequest* LDAPBindRequest::followReferral(LDAPMsg* /*urls*/){
-    DEBUG(LDAP_DEBUG_TRACE,"LDAPBindRequest::followReferral()" << endl);
-    DEBUG(LDAP_DEBUG_TRACE,
-            "ReferralChasing for bind-operation not implemented yet" << endl);
-    return 0;
+LDAPSaslBindRequest::LDAPSaslBindRequest(const std::string& mech,
+        const std::string& cred, 
+        LDAPAsynConnection *connect,
+        const LDAPConstraints *cons, 
+        bool isReferral) : LDAPRequest(connect, cons, isReferral),m_mech(mech), m_cred(cred) {}
+
+LDAPMessageQueue* LDAPSaslBindRequest::sendRequest()
+{
+    DEBUG(LDAP_DEBUG_TRACE,"LDAPSaslBindRequest::sendRequest()" << endl);
+    int msgID=0;
+    
+    BerValue tmpcred;
+    tmpcred.bv_val = (char*) malloc( m_cred.size() * sizeof(char));
+    m_cred.copy(tmpcred.bv_val,string::npos);
+    tmpcred.bv_len = m_cred.size();
+    
+    LDAPControl** tmpSrvCtrls=m_cons->getSrvCtrlsArray();
+    LDAPControl** tmpClCtrls=m_cons->getClCtrlsArray();
+    int err=ldap_sasl_bind(m_connection->getSessionHandle(), "", m_mech.c_str(), 
+            &tmpcred, tmpSrvCtrls, tmpClCtrls, &msgID);
+    LDAPControlSet::freeLDAPControlArray(tmpSrvCtrls);
+    LDAPControlSet::freeLDAPControlArray(tmpClCtrls);
+    free(tmpcred.bv_val);
+
+    if(err != LDAP_SUCCESS){
+        throw LDAPException(err);
+    }else{
+        m_msgID=msgID;
+        return new LDAPMessageQueue(this);
+    }
 }
 
+LDAPSaslBindRequest::~LDAPSaslBindRequest()
+{
+    DEBUG(LDAP_DEBUG_DESTROY,"LDAPSaslBindRequest::~LDAPSaslBindRequest()" << endl);
+}
+
+LDAPSaslInteractiveBind::LDAPSaslInteractiveBind( const std::string& mech, 
+        int flags, SaslInteractionHandler *sih, LDAPAsynConnection *connect,
+        const LDAPConstraints *cons, bool isReferral) : 
+            LDAPRequest(connect, cons, isReferral),
+            m_mech(mech), m_flags(flags), m_sih(sih), m_res(0)
+{
+}
+
+static int my_sasl_interact(LDAP *l, unsigned flags, void *cbh, void *interact)
+{
+    DEBUG(LDAP_DEBUG_TRACE, "LDAPSaslInteractiveBind::my_sasl_interact()" 
+            << std::endl );
+    std::list<SaslInteraction*> interactions;
+
+    sasl_interact_t *iter = (sasl_interact_t*) interact;
+    while ( iter->id != SASL_CB_LIST_END ) {
+        SaslInteraction *si = new SaslInteraction(iter);
+        interactions.push_back( si );
+        iter++;
+    }
+    ((SaslInteractionHandler*)cbh)->handleInteractions(interactions);
+    return LDAP_SUCCESS;
+}
+
+/* This kind of fakes an asynchronous operation, ldap_sasl_interactive_bind_s
+ * is synchronous */
+LDAPMessageQueue *LDAPSaslInteractiveBind::sendRequest()
+{
+    DEBUG(LDAP_DEBUG_TRACE, "LDAPSaslInteractiveBind::sendRequest()" <<
+            m_mech << std::endl);
+
+    LDAPControl** tmpSrvCtrls=m_cons->getSrvCtrlsArray();
+    LDAPControl** tmpClCtrls=m_cons->getClCtrlsArray();
+    int res = ldap_sasl_interactive_bind_s( m_connection->getSessionHandle(),
+            "", m_mech.c_str(), tmpSrvCtrls, tmpClCtrls, m_flags, 
+            my_sasl_interact, m_sih );
+
+    DEBUG(LDAP_DEBUG_TRACE, "ldap_sasl_interactive_bind_s returned: " 
+            << res << std::endl);
+    if(res != LDAP_SUCCESS){
+        throw LDAPException(res);
+    } else {
+        m_res = new LDAPResult(LDAPMsg::BIND_RESPONSE, res, ""); 
+    }
+    return new LDAPMessageQueue(this);
+}
+
+LDAPMsg* LDAPSaslInteractiveBind::getNextMessage() const 
+{
+    return m_res;
+}
+
+LDAPSaslInteractiveBind::~LDAPSaslInteractiveBind()
+{
+    DEBUG(LDAP_DEBUG_DESTROY,"LDAPSaslInteractiveBind::~LDAPSaslInteractiveBind()" << endl);
+}
+
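Review bot: in LDAPSaslBindRequest::sendRequest() the `malloc()` result is used unchecked, and for an empty credential `malloc(0)` may legally return NULL, so `m_cred.copy(tmpcred.bv_val,string::npos)` can write through a null pointer; an empty credential is a legitimate input for some mechanisms. ldap_sasl_bind() encodes the credentials into the outgoing request and does not keep the pointer, so the copy is not needed at all: point `bv_val` at `m_cred.data()` (const_cast) and set `bv_len`, or at minimum check the allocation. If the copy stays, overwrite it before `free()` so the credential is not left behind in freed heap memory. In LDAPSaslInteractiveBind::sendRequest() the two control arrays from getSrvCtrlsArray()/getClCtrlsArray() are never released, unlike the non-interactive path, which calls freeLDAPControlArray() on both; that is a leak per bind. In my_sasl_interact(), each `new SaslInteraction(iter)` is pushed into a local list that goes out of scope without deleting the objects, so either handleInteractions() takes ownership (say so in its documentation) or the loop needs matching deletes after the call; the callback also returns LDAP_SUCCESS unconditionally, which leaves a handler that cannot answer a prompt no way to abort the bind. Finally, the interactive path throws on any non-success code and only ever constructs an LDAPResult for `LDAP_SUCCESS`, while the non-interactive path reports the server's result through the message queue; the two bind variants should report failures the same way. The destructor also never frees m_res, see the header hunk.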

Modified: openldap/trunk/contrib/ldapc++/src/LDAPBindRequest.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPBindRequest.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPBindRequest.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPBindRequest.h,v 1.4.10.2 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -7,6 +8,8 @@
 #define LDAP_BIND_REQUEST_H
 
 #include <LDAPRequest.h>
+#include <LDAPResult.h>
+#include <SaslInteractionHandler.h>
 
 class LDAPBindRequest : LDAPRequest {
     private:
@@ -15,14 +18,44 @@
         std::string m_mech;
 
     public:
-        LDAPBindRequest(const LDAPBindRequest& req);
+        LDAPBindRequest( const LDAPBindRequest& req);
         //just for simple authentication
         LDAPBindRequest(const std::string&, const std::string& passwd, 
                 LDAPAsynConnection *connect, const LDAPConstraints *cons, 
                 bool isReferral=false);
         virtual ~LDAPBindRequest();
         virtual LDAPMessageQueue *sendRequest();
-        virtual LDAPRequest* followReferral(LDAPMsg* urls);
 };
+
+class LDAPSaslBindRequest : LDAPRequest
+{
+    public:
+        LDAPSaslBindRequest( const std::string& mech, const std::string& cred, 
+        LDAPAsynConnection *connect, const LDAPConstraints *cons, 
+                bool isReferral=false);
+        virtual LDAPMessageQueue *sendRequest();
+        virtual ~LDAPSaslBindRequest();
+
+    private:
+        std::string m_mech;
+        std::string m_cred;
+};
+
+class LDAPSaslInteractiveBind : LDAPRequest
+{
+    public:
+        LDAPSaslInteractiveBind( const std::string& mech, int flags,
+                SaslInteractionHandler *sih, LDAPAsynConnection *connect, 
+                const LDAPConstraints *cons, bool isReferral=false);
+        virtual LDAPMessageQueue *sendRequest();
+        virtual LDAPMsg* getNextMessage() const;
+        virtual ~LDAPSaslInteractiveBind();
+
+    private:
+        std::string m_mech;
+        int m_flags;
+        SaslInteractionHandler *m_sih;
+        LDAPResult *m_res;
+};
 #endif //LDAP_BIND_REQUEST_H
 
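Review bot: LDAPSaslInteractiveBind owns a raw pointer `LDAPResult *m_res` but declares no copy constructor or assignment operator and, per the .cpp, its destructor does not delete it, while getNextMessage() hands out the same pointer on every call. Pick one ownership rule and write it down: either the request frees m_res in its destructor and getNextMessage() returns a borrowed pointer, or getNextMessage() transfers ownership exactly once and clears m_res. Both new classes also lack the doc comments the rest of the header carries, and the removal of `followReferral` from LDAPBindRequest (the override only logged "not implemented" and returned 0) means bind referrals now fall through to the LDAPRequest base implementation, which deserves a sentence in the class comment.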

Modified: openldap/trunk/contrib/ldapc++/src/LDAPCompareRequest.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPCompareRequest.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPCompareRequest.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPCompareRequest.cpp,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPCompareRequest.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPCompareRequest.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPCompareRequest.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPCompareRequest.h,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPConnection.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPConnection.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPConnection.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPConnection.cpp,v 1.10.4.3 2008/04/14 23:28:11 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -7,7 +8,6 @@
 
 #include "LDAPResult.h"
 #include "LDAPException.h"
-#include "LDAPReferralException.h"
 #include "LDAPUrlList.h"
 
 #include "LDAPConnection.h"
@@ -60,6 +60,40 @@
     delete msg;   // memcheck
 }
 
+void LDAPConnection::saslInteractiveBind( const std::string &mech,
+                        int flags,
+                        SaslInteractionHandler *sih,
+                        const LDAPConstraints *cons)
+{
+    DEBUG(LDAP_DEBUG_TRACE,"LDAPConnection::bind" << endl);
+    LDAPMessageQueue* msg=0;
+    LDAPResult* res=0;
+    try{
+        msg = LDAPAsynConnection::saslInteractiveBind(mech, flags, sih, cons);
+        res = (LDAPResult*)msg->getNext();
+    }catch(LDAPException e){
+        delete msg;
+        delete res;
+        throw;
+    }
+    int resCode=res->getResultCode();
+    if(resCode != LDAPResult::SUCCESS) {
+        if(resCode == LDAPResult::REFERRAL){
+            LDAPUrlList urls = res->getReferralUrls();
+            delete res;
+            delete msg;
+            throw LDAPReferralException(urls);
+        }else{
+            string srvMsg = res->getErrMsg();
+            delete res;
+            delete msg;
+            throw LDAPException(resCode, srvMsg);
+        }
+    }
+    delete res;
+    delete msg;
+}
+
 void LDAPConnection::unbind(){
     LDAPAsynConnection::unbind();
 }
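Review bot: `res = (LDAPResult*)msg->getNext()` is an unchecked C-style downcast followed by `res->getResultCode()` with no null test; if the queue yields nothing, or a message of another type, this dereferences a null or mis-typed pointer. Check for null and use the type-safe accessor if LDAPMsg provides one. `catch(LDAPException e)` catches by value, which copies the exception and slices a thrown LDAPReferralException (the `throw;` does rethrow the original object, so here it is only a needless copy, but `catch(const LDAPException&)` is the right form). Because LDAPSaslInteractiveBind::getNextMessage() returns its internal m_res, the `delete res` calls here leave the request holding a dangling pointer until `delete msg` tears it down; that works only as long as nobody calls getNext() twice. The trace label also says `LDAPConnection::bind` rather than saslInteractiveBind.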

Modified: openldap/trunk/contrib/ldapc++/src/LDAPConnection.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPConnection.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPConnection.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPConnection.h,v 1.8.4.2 2008/04/14 23:28:11 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -88,6 +89,10 @@
          */
         void bind(const std::string& dn="", const std::string& passwd="",
                 LDAPConstraints* cons=0);
+        void saslInteractiveBind(const std::string& mech,
+                int flags=0,
+                SaslInteractionHandler *sih=0,
+                const LDAPConstraints *cons=0);
         
         /**
          * Performs the UNBIND-operation on the destination server
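Review bot: `SaslInteractionHandler *sih=0` as a default is unsafe: the callback in LDAPBindRequest.cpp dereferences the handler unconditionally (`((SaslInteractionHandler*)cbh)->handleInteractions(interactions);`), so any mechanism that actually prompts for credentials will crash when the default is used. Either make the handler a required parameter, or have the callback return an error when `cbh` is null so the bind fails cleanly. The method also needs the doc comment its neighbour `bind()` has: what `mech` and `flags` are (the flags are passed straight to ldap_sasl_interactive_bind_s), and that LDAPException and LDAPReferralException can be thrown.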

Modified: openldap/trunk/contrib/ldapc++/src/LDAPConstraints.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPConstraints.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPConstraints.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPConstraints.cpp,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPConstraints.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPConstraints.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPConstraints.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPConstraints.h,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPControl.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPControl.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPControl.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPControl.cpp,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPControl.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPControl.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPControl.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPControl.h,v 1.5.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPControlSet.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPControlSet.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPControlSet.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPControlSet.cpp,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPControlSet.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPControlSet.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPControlSet.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPControlSet.h,v 1.6.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPDeleteRequest.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPDeleteRequest.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPDeleteRequest.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPDeleteRequest.cpp,v 1.7.6.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPDeleteRequest.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPDeleteRequest.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPDeleteRequest.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPDeleteRequest.h,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPEntry.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPEntry.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPEntry.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPEntry.cpp,v 1.5.8.4 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -22,8 +23,11 @@
 LDAPEntry::LDAPEntry(const string& dn, const LDAPAttributeList *attrs){
     DEBUG(LDAP_DEBUG_CONSTRUCT,"LDAPEntry::LDAPEntry()" << endl);
     DEBUG(LDAP_DEBUG_CONSTRUCT | LDAP_DEBUG_PARAMETER,
-            "   dn:" << dn << endl << " attrs:" << *attrs << endl);
-    m_attrs=new LDAPAttributeList(*attrs);
+            "   dn:" << dn << endl);
+    if ( attrs )
+        m_attrs=new LDAPAttributeList(*attrs);
+    else
+        m_attrs=new LDAPAttributeList();
     m_dn=dn;
 }
 
@@ -40,6 +44,13 @@
     delete m_attrs;
 }
 
+LDAPEntry& LDAPEntry::operator=(const LDAPEntry& from){
+    m_dn = from.m_dn;
+    delete m_attrs;
+    m_attrs = new LDAPAttributeList( *(from.m_attrs));
+    return *this;
+}
+
 void LDAPEntry::setDN(const string& dn){
     DEBUG(LDAP_DEBUG_TRACE,"LDAPEntry::setDN()" << endl);
     DEBUG(LDAP_DEBUG_TRACE | LDAP_DEBUG_PARAMETER,
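Review bot: `operator=` has no self-assignment guard: for `e = e;` the `delete m_attrs` runs before `*(from.m_attrs)` is copied, so the copy constructor reads freed memory. Either add `if (this == &from) return *this;`, or build the new list first and delete the old one afterwards (copy-and-swap); the second form also keeps the object valid if `new` throws, whereas as written a throwing allocation leaves m_attrs pointing at freed storage.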
@@ -67,6 +78,21 @@
     return m_attrs;
 }
 
+const LDAPAttribute* LDAPEntry::getAttributeByName(const std::string& name) const 
+{
+    return m_attrs->getAttributeByName(name);
+}
+
+void LDAPEntry::addAttribute(const LDAPAttribute& attr)
+{
+    m_attrs->addAttribute(attr);
+}
+
+void LDAPEntry::replaceAttribute(const LDAPAttribute& attr)
+{
+    m_attrs->replaceAttribute(attr); 
+}
+
 ostream& operator << (ostream& s, const LDAPEntry& le){
     s << "DN: " << le.m_dn << ": " << *(le.m_attrs); 
     return s;

Modified: openldap/trunk/contrib/ldapc++/src/LDAPEntry.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPEntry.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPEntry.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPEntry.h,v 1.6.8.5 2008/04/14 23:30:47 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -17,11 +18,11 @@
  */
 class LDAPEntry{
 
-	public :
+    public :
         /**
          * Copy-constructor
          */
-		LDAPEntry(const LDAPEntry& entry);
+        LDAPEntry(const LDAPEntry& entry);
 
         /**
          * Constructs a new entry (also used as standard constructor).
@@ -29,8 +30,8 @@
          * @param dn    The Distinguished Name for the new entry.
          * @param attrs The attributes for the new entry.
          */
-		LDAPEntry(const std::string& dn=std::string(), 
-                const LDAPAttributeList *attrs=new LDAPAttributeList());
+        LDAPEntry(const std::string& dn=std::string(), 
+                const LDAPAttributeList *attrs=0);
 
         /**
          * Used internally only.
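Review bot: the `@param attrs` comment should say that 0 (now the default) means an entry with an empty attribute list. The change itself is a real fix: the old default `attrs=new LDAPAttributeList()` allocated a list on every default-constructed entry, which the constructor copied and never freed, so each `LDAPEntry()` leaked one list.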
@@ -38,44 +39,71 @@
          * The constructor is used internally to create a LDAPEntry from
          * the C-API's data structurs.
          */ 
-		LDAPEntry(const LDAPAsynConnection *ld, LDAPMessage *msg);
+        LDAPEntry(const LDAPAsynConnection *ld, LDAPMessage *msg);
 
         /**
          * Destructor
          */
-		~LDAPEntry();
-        
+        ~LDAPEntry();
+
         /**
+         * Assignment operator
+         */
+        LDAPEntry& operator=(const LDAPEntry& from);
+
+        /**
          * Sets the DN-attribute.
          * @param dn: The new DN for the entry.
          */
-		void setDN(const std::string& dn);
+        void setDN(const std::string& dn);
 
         /**
          * Sets the attributes of the entry.
          * @param attr: A pointer to a std::list of the new attributes.
          */
-		void setAttributes(LDAPAttributeList *attrs);
+        void setAttributes(LDAPAttributeList *attrs);
 
+	/**
+	 * Get an Attribute by its AttributeType (simple wrapper around
+         * LDAPAttributeList::getAttributeByName() )
+	 * @param name The name of the Attribute to look for
+	 * @return a pointer to the LDAPAttribute with the AttributeType 
+	 *	"name" or 0, if there is no Attribute of that Type
+	 */
+	const LDAPAttribute* getAttributeByName(const std::string& name) const;
+
         /**
+         * Adds one Attribute to the List of Attributes (simple wrapper around
+         * LDAPAttributeList::addAttribute() ).
+         * @param attr The attribute to add to the list.
+         */
+        void addAttribute(const LDAPAttribute& attr);
+
+        /**
+         * Replace an Attribute in the List of Attributes (simple wrapper
+         * around LDAPAttributeList::replaceAttribute() ).
+         * @param attr The attribute to add to the list.
+         */
+        void replaceAttribute(const LDAPAttribute& attr);
+
+        /**
          * @returns The current DN of the entry.
          */
-		const std::string& getDN() const ;
+        const std::string& getDN() const ;
 
         /**
          * @returns A const pointer to the attributes of the entry.  
          */
-		const LDAPAttributeList* getAttributes() const;
+        const LDAPAttributeList* getAttributes() const;
 
         /**
          * This method can be used to dump the data of a LDAPResult-Object.
          * It is only useful for debugging purposes at the moment
          */
-		friend std::ostream& operator << (std::ostream& s, const LDAPEntry& le);
+        friend std::ostream& operator << (std::ostream& s, const LDAPEntry& le);
 	
     private :
-
-		LDAPAttributeList *m_attrs;
-		std::string m_dn;
+        LDAPAttributeList *m_attrs;
+        std::string m_dn;
 };
 #endif  //LDAP_ENTRY_H
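Review bot: the replaceAttribute() doc comment repeats addAttribute()'s (`@param attr The attribute to add to the list.`) and should describe the replace semantics; and the getAttributeByName() block is tab-indented while every other line in this hunk was just converted from tabs to spaces, so the file is left inconsistent within the same diff. With the assignment operator added, the class now has a matching copy constructor, assignment operator and destructor for its owned pointer, which is the right set.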

Modified: openldap/trunk/contrib/ldapc++/src/LDAPEntryList.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPEntryList.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPEntryList.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPEntryList.cpp,v 1.2.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPEntryList.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPEntryList.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPEntryList.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPEntryList.h,v 1.6.6.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPException.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPException.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPException.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPException.cpp,v 1.8.2.5 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -3,22 +4,24 @@
  */
 
-
-
 #include <ldap.h>
 #include "config.h"
 #include "LDAPException.h"
-#include "LDAPReferralException.h"
 
 #include "LDAPAsynConnection.h"
+#include "LDAPResult.h"
 
 using namespace std;
 
-LDAPException::LDAPException(int res_code, const string& err_string){
+LDAPException::LDAPException(int res_code, const string& err_string) throw()
+    : std::runtime_error(err_string)
+{
 	m_res_code=res_code;
 	m_res_string=string(ldap_err2string(res_code));
     m_err_string=err_string;
 }
 
-LDAPException::LDAPException(const LDAPAsynConnection *lc){
+LDAPException::LDAPException(const LDAPAsynConnection *lc) throw()
+    : std::runtime_error("")
+{
     LDAP *l = lc->getSessionHandle();
     ldap_get_option(l,LDAP_OPT_RESULT_CODE,&m_res_code);
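Review bot: both constructors are now declared `throw()` but construct std::string members (`m_res_string=string(ldap_err2string(res_code));` and the std::runtime_error base from err_string), and string construction can throw std::bad_alloc; under an empty exception specification that calls std::unexpected() and terminates the process instead of propagating. Drop `throw()` from the constructors and keep it only on the accessors and what(), which genuinely do not throw.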
@@ -43,22 +46,32 @@
     }
 }
 
-LDAPException::~LDAPException(){
+LDAPException::~LDAPException() throw()
+{
 }
 
-int LDAPException::getResultCode() const{
+int LDAPException::getResultCode() const throw()
+{
 	return m_res_code;
 }
 
-const string& LDAPException::getResultMsg() const{
+const string& LDAPException::getResultMsg() const throw()
+{
 	return m_res_string;
 }
 
-const string& LDAPException::getServerMsg() const{
+const string& LDAPException::getServerMsg() const throw()
+{
     return m_err_string;
 }
 
-ostream& operator << (ostream& s, LDAPException e){
+const char* LDAPException::what() const throw()
+{
+    return this->m_res_string.c_str(); 
+}
+
+ostream& operator << (ostream& s, LDAPException e) throw()
+{
 	s << "Error " << e.m_res_code << ": " << e.m_res_string;
 	if (!e.m_err_string.empty()) {
 		s << endl <<  "additional info: " << e.m_err_string ;
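Review bot: what() returns only m_res_string, the generic ldap_err2string() text, so code that catches through `std::exception&`, which is the point of deriving from std::runtime_error, never sees the server-supplied diagnostic in m_err_string; either compose both into one string at construction time and return that, or return std::runtime_error::what(), which already holds err_string. `operator<<` still takes `LDAPException e` by value, copying three strings under a `throw()` specification, the same concern as the constructors; take `const LDAPException&` instead.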
@@ -66,3 +79,18 @@
 	return s;
 }
 
+
+LDAPReferralException::LDAPReferralException(const LDAPUrlList& urls) throw() 
+        : LDAPException(LDAPResult::REFERRAL) , m_urlList(urls)
+{
+}
+
+LDAPReferralException::~LDAPReferralException() throw()
+{
+}
+
+const LDAPUrlList& LDAPReferralException::getUrls() throw()
+{
+    return m_urlList;
+}
+

Modified: openldap/trunk/contrib/ldapc++/src/LDAPException.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPException.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPException.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPException.h,v 1.5.8.3 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -9,14 +10,18 @@
 
 #include <iostream>
 #include <string>
+#include <stdexcept>
 
+#include <LDAPUrlList.h>
+
 class LDAPAsynConnection;
 
 /**
  * This class is only thrown as an Exception and used to signalize error
  * conditions during LDAP-operations
  */
-class LDAPException{
+class LDAPException : public std::runtime_error
+{
 		
     public :
         /**
@@ -26,7 +31,7 @@
          *                      that happend (optional)
          */
         LDAPException(int res_code, 
-                const std::string& err_string=std::string());
+                const std::string& err_string=std::string()) throw();
 		
         /**
          * Constructs a LDAPException-object from the error state of a
@@ -34,38 +39,69 @@
          * @param lc A LDAP-Connection for that an error has happend. The
          *          Constructor tries to read its error state.
          */
-        LDAPException(const LDAPAsynConnection *lc);
+        LDAPException(const LDAPAsynConnection *lc) throw();
 
         /**
          * Destructor
          */
-        virtual ~LDAPException();
+        virtual ~LDAPException() throw();
 
         /**
          * @return The Result code of the object
          */
-        int getResultCode() const;
+        int getResultCode() const throw();
 
         /**
          * @return The error message that is corresponding to the result
          *          code .
          */
-        const std::string& getResultMsg() const;
+        const std::string& getResultMsg() const throw();
         
         /**
          * @return The addional error message of the error (if it was set)
          */
-        const std::string& getServerMsg() const;
+        const std::string& getServerMsg() const throw();
 
+        
+        virtual const char* what() const throw();
+
         /**
          * This method can be used to dump the data of a LDAPResult-Object.
          * It is only useful for debugging purposes at the moment
          */
-        friend std::ostream& operator << (std::ostream &s, LDAPException e);
+        friend std::ostream& operator << (std::ostream &s, LDAPException e) throw();
 
     private :
         int m_res_code;
         std::string m_res_string;
         std::string m_err_string;
 };
+
+/**
+ * This class extends LDAPException and is used to signalize Referrals
+ * there were received during synchronous LDAP-operations
+ */
+class LDAPReferralException : public LDAPException
+{
+
+    public :
+        /**
+         * Creates an object that is initialized with a list of URLs
+         */
+        LDAPReferralException(const LDAPUrlList& urls) throw();
+
+        /**
+         * Destructor
+         */
+        ~LDAPReferralException() throw();
+
+        /**
+         * @return The List of URLs of the Referral/Search Reference
+         */
+        const LDAPUrlList& getUrls() throw();
+
+    private :
+        LDAPUrlList m_urlList;
+};
+
 #endif //LDAP_EXCEPTION_H
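Review bot: `getUrls()` should be a const member (`const LDAPUrlList& getUrls() const throw();`); as declared it cannot be called on the `const LDAPReferralException&` a handler would normally catch by, which pushes callers to catch by non-const reference or cast. The class comment also has a typo, "there were received" should read "that were received", and since the list is now the only way to reach referral URLs from the synchronous API, the comment should say which operations throw it (bind and the other synchronous calls in LDAPConnection).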

Modified: openldap/trunk/contrib/ldapc++/src/LDAPExtRequest.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPExtRequest.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPExtRequest.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
+ * Copyright 2000-2007, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
  */
 

Modified: openldap/trunk/contrib/ldapc++/src/LDAPExtRequest.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPExtRequest.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPExtRequest.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPExtRequest.h,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPExtResult.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPExtResult.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPExtResult.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPExtResult.cpp,v 1.2.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPExtResult.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPExtResult.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPExtResult.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPExtResult.h,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPMessage.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPMessage.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPMessage.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPMessage.cpp,v 1.4.10.2 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -8,6 +9,7 @@
 
 #include "LDAPResult.h"
 #include "LDAPExtResult.h"
+#include "LDAPSaslBindResult.h"
 #include "LDAPRequest.h"
 #include "LDAPSearchResult.h"
 #include "LDAPSearchReference.h"
@@ -22,6 +24,13 @@
     m_hasControls=false;
 }
 
+LDAPMsg::LDAPMsg(int type, int id=0){
+    DEBUG(LDAP_DEBUG_CONSTRUCT,"LDAPMsg::LDAPMsg()" << endl);
+    msgType = type;
+    msgID = id;
+    m_hasControls=false;
+}
+
 LDAPMsg* LDAPMsg::create(const LDAPRequest *req, LDAPMessage *msg){
     DEBUG(LDAP_DEBUG_TRACE,"LDAPMsg::create()" << endl);
     switch(ldap_msgtype(msg)){
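Review bot: the default argument in `LDAPMsg::LDAPMsg(int type, int id=0)` sits on the out-of-line definition rather than on the declaration in LDAPMessage.h, which reads `LDAPMsg(int msgType, int msgID);` with no default. That is legal C++ but the default is only visible inside LDAPMessage.cpp, so every other translation unit must still pass both arguments, and the parameter names differ between header and definition. Put the default on the declaration (or drop it, since the only caller added in this revision, `LDAPMsg(type,0)` in LDAPResult.cpp, passes the id explicitly) and use the same parameter names in both places.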
@@ -34,6 +43,8 @@
         case EXTENDED_RESPONSE :
             return new LDAPExtResult(req,msg);
         break;
+        case BIND_RESPONSE :
+            return new LDAPSaslBindResult(req,msg);
         default :
             return new LDAPResult(req, msg);
     }
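Review bot: the new `case BIND_RESPONSE :` is the only case in this switch without a `break;` after its `return`; harmless because of the return, but keep the pattern the sibling cases follow. Note also that this routes every bind response, simple binds included, through LDAPSaslBindResult, whose constructor parses the message with ldap_parse_sasl_bind_result and throws on result codes other than success or saslBindInProgress; see the comment on that file for the behaviour change this implies for callers of getNext().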

Modified: openldap/trunk/contrib/ldapc++/src/LDAPMessage.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPMessage.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPMessage.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPMessage.h,v 1.4.10.3 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -21,7 +22,7 @@
  */
 class LDAPMsg{
     public:
-        //public Constants defining the Message types
+        //public Constants defining the response message types
         static const int BIND_RESPONSE=LDAP_RES_BIND;
         static const int SEARCH_ENTRY=LDAP_RES_SEARCH_ENTRY;
         static const int SEARCH_DONE=LDAP_RES_SEARCH_RESULT;
@@ -32,6 +33,17 @@
         static const int MODDN_RESPONSE=LDAP_RES_MODDN;
         static const int COMPARE_RESPONSE=LDAP_RES_COMPARE;
         static const int EXTENDED_RESPONSE=LDAP_RES_EXTENDED;
+        //public Constants defining the request message types
+        static const int BIND_REQUEST=LDAP_REQ_BIND;
+        static const int UNBIND_REQUEST=LDAP_REQ_UNBIND;
+        static const int SEARCH_REQUEST=LDAP_REQ_SEARCH;
+        static const int MODIFY_REQUEST=LDAP_REQ_MODIFY;
+        static const int ADD_REQUEST=LDAP_REQ_ADD;
+        static const int DELETE_REQUEST=LDAP_REQ_DELETE;
+        static const int MODRDN_REQUEST=LDAP_REQ_MODRDN;
+        static const int COMPARE_REQUEST=LDAP_REQ_COMPARE;
+        static const int ABANDON_REQUEST=LDAP_REQ_ABANDON;
+        static const int EXTENDED_REQUEST=LDAP_REQ_EXTENDED;
        
         /**
          * The destructor has no implemenation, because this is an abstract
@@ -98,6 +110,7 @@
          * Only for internal use.
          */
         LDAPMsg(LDAPMessage *msg);
+        LDAPMsg(int msgType, int msgID);
        
         /**
          * This attribute stores Server-Control that were returned with the

Modified: openldap/trunk/contrib/ldapc++/src/LDAPMessageQueue.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPMessageQueue.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPMessageQueue.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPMessageQueue.cpp,v 1.6.10.6 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -6,10 +7,8 @@
 
 #include "config.h"
 #include "debug.h"
-#include <ldap.h>
 #include "LDAPMessageQueue.h"
 #include "LDAPRequest.h"
-#include "LDAPAsynConnection.h"
 #include "LDAPResult.h"
 #include "LDAPSearchReference.h"
 #include "LDAPSearchRequest.h"
@@ -40,110 +39,102 @@
 
 LDAPMsg *LDAPMessageQueue::getNext(){
     DEBUG(LDAP_DEBUG_TRACE,"LDAPMessageQueue::getNext()" << endl);
-    LDAPMessage *msg;
+
+    if ( m_activeReq.empty() ) {
+        return 0;
+    }
+
     LDAPRequest *req=m_activeReq.top();
-    int msg_id = req->getMsgID();
-    int res;
-    const  LDAPAsynConnection *con=req->getConnection();
-    res=ldap_result(con->getSessionHandle(),msg_id,0,0,&msg);
-    if (res <= 0){
-        if(msg != 0){
-            ldap_msgfree(msg);
-        }
-	throw  LDAPException(con);
-    }else{	
-        const LDAPConstraints *constr=req->getConstraints();
-        LDAPMsg *ret=0;
-        //this can  throw an exception (Decoding Error)
-        try{
-            ret = LDAPMsg::create(req,msg);
-            ldap_msgfree(msg);
-        }catch(LDAPException e){
-            //do some clean up
-            delete req;
-            m_activeReq.top();
-            throw;   
-        }
-        switch (ret->getMessageType()) {
-            case LDAPMsg::SEARCH_REFERENCE : 
-                if (constr->getReferralChase() ){
-                    //throws Exception (limit Exceeded)
-                    LDAPRequest *refReq=chaseReferral(ret);
-                    if(refReq != 0){
-                        m_activeReq.push(refReq);
-                        m_issuedReq.push_back(refReq);
-                        delete ret;
-                        return getNext();
-                    }
+    LDAPMsg *ret=0;
+
+    try{
+        ret = req->getNextMessage();
+    }catch(LDAPException e){
+        //do some clean up
+        m_activeReq.pop();
+        throw;   
+    }
+
+    const LDAPConstraints *constr=req->getConstraints();
+    switch (ret->getMessageType()) {
+        case LDAPMsg::SEARCH_REFERENCE : 
+            if (constr->getReferralChase() ){
+                //throws Exception (limit Exceeded)
+                LDAPRequest *refReq=chaseReferral(ret);
+                if(refReq != 0){
+                    m_activeReq.push(refReq);
+                    m_issuedReq.push_back(refReq);
+                    delete ret;
+                    return getNext();
                 }
-                return ret;
-            break;
-            case LDAPMsg::SEARCH_ENTRY :
-                return ret;
-            break;
-            case LDAPMsg::SEARCH_DONE :
-                if(req->isReferral()){
-                    req->unbind();
-                }
-                switch ( ((LDAPResult*)ret)->getResultCode()) {
-                    case LDAPResult::REFERRAL :
-                        if(constr->getReferralChase()){
-                            //throws Exception (limit Exceeded)
-                            LDAPRequest *refReq=chaseReferral(ret);
-                            if(refReq != 0){
-                                m_activeReq.pop();
-                                m_activeReq.push(refReq);
-                                m_issuedReq.push_back(refReq);
-                                delete ret;
-                                return getNext();
-                            }
-                        }    
-                        return ret;
-                    break;
-                    case LDAPResult::SUCCESS :
-                        if(req->isReferral()){
-                            delete ret;
+            }
+            return ret;
+        break;
+        case LDAPMsg::SEARCH_ENTRY :
+            return ret;
+        break;
+        case LDAPMsg::SEARCH_DONE :
+            if(req->isReferral()){
+                req->unbind();
+            }
+            switch ( ((LDAPResult*)ret)->getResultCode()) {
+                case LDAPResult::REFERRAL :
+                    if(constr->getReferralChase()){
+                        //throws Exception (limit Exceeded)
+                        LDAPRequest *refReq=chaseReferral(ret);
+                        if(refReq != 0){
                             m_activeReq.pop();
+                            m_activeReq.push(refReq);
+                            m_issuedReq.push_back(refReq);
+                            delete ret;
                             return getNext();
-                        }else{
-                            m_activeReq.pop();
-                            return ret;
                         }
-                    break;
-                    default:
+                    }    
+                    return ret;
+                break;
+                case LDAPResult::SUCCESS :
+                    if(req->isReferral()){
+                        delete ret;
                         m_activeReq.pop();
-                        return ret;
-                    break;
-                }
-            break;
-            //must be some kind of LDAPResultMessage
-            default:
-                if(req->isReferral()){
-                    req->unbind();
-                }
-                LDAPResult* res_p=(LDAPResult*)ret;
-                switch (res_p->getResultCode()) {
-                    case LDAPResult::REFERRAL :
-                        if(constr->getReferralChase()){
-                            //throws Exception (limit Exceeded)
-                            LDAPRequest *refReq=chaseReferral(ret);
-                            if(refReq != 0){
-                                m_activeReq.pop();
-                                m_activeReq.push(refReq);
-                                m_issuedReq.push_back(refReq);
-                                delete ret;
-                                return getNext();
-                            }
-                        }    
-                        return ret;
-                    break;
-                    default:
+                        return getNext();
+                    }else{
                         m_activeReq.pop();
                         return ret;
-                }
-            break;
-        }
-    }	
+                    }
+                break;
+                default:
+                    m_activeReq.pop();
+                    return ret;
+                break;
+            }
+        break;
+        //must be some kind of LDAPResultMessage
+        default:
+            if(req->isReferral()){
+                req->unbind();
+            }
+            LDAPResult* res_p=(LDAPResult*)ret;
+            switch (res_p->getResultCode()) {
+                case LDAPResult::REFERRAL :
+                    if(constr->getReferralChase()){
+                        //throws Exception (limit Exceeded)
+                        LDAPRequest *refReq=chaseReferral(ret);
+                        if(refReq != 0){
+                            m_activeReq.pop();
+                            m_activeReq.push(refReq);
+                            m_issuedReq.push_back(refReq);
+                            delete ret;
+                            return getNext();
+                        }
+                    }    
+                    return ret;
+                break;
+                default:
+                    m_activeReq.pop();
+                    return ret;
+            }
+        break;
+    }
 }
 
 // TODO Maybe moved to LDAPRequest::followReferral seems more reasonable
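Review bot: the handler `catch(LDAPException e)` at the top of getNext() catches by value, copying and slicing the thrown object before the rethrow; use `catch(LDAPException&)` (the variable is unused). The handler now pops m_activeReq without deleting the request, which is only correct because every request pushed onto m_activeReq is also appended to m_issuedReq and therefore still owned there; a one-line comment at the pop would spare the next reader that check. Finally, getNext() now returns 0 when m_activeReq is empty, so existing callers that dereference its result unconditionally need a null check, and the header comment for getNext() should state the new contract.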

Modified: openldap/trunk/contrib/ldapc++/src/LDAPMessageQueue.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPMessageQueue.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPMessageQueue.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPMessageQueue.h,v 1.5.10.2 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPModDNRequest.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPModDNRequest.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPModDNRequest.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPModDNRequest.cpp,v 1.6.6.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPModDNRequest.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPModDNRequest.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPModDNRequest.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPModDNRequest.h,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPModList.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPModList.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPModList.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPModList.cpp,v 1.5.6.3 2008/04/14 23:29:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -37,3 +38,11 @@
     }
     return ret;
 }
+
+bool LDAPModList::empty() const {
+    return m_modList.empty();
+}
+
+unsigned int LDAPModList::size() const {
+    return m_modList.size();
+}
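Review bot: `size()` returns `unsigned int` while `m_modList.size()` yields `std::list<LDAPModification>::size_type` (a size_t), so on LP64 platforms the conversion narrows silently; return `ListType::size_type` (or `size_t`) in both the definition and the header declaration, mirroring the standard containers. Since `empty()` is the cheaper test (std::list::size() may be linear in pre-C++11 implementations), callers that only need to know whether there is anything to send should use it rather than `size() == 0`.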

Modified: openldap/trunk/contrib/ldapc++/src/LDAPModList.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPModList.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPModList.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPModList.h,v 1.7.6.2 2008/04/14 23:29:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -15,9 +16,9 @@
  * This container class is used to store multiple LDAPModification-objects.
  */
 class LDAPModList{
-        typedef std::list<LDAPModification> ListType;
+    typedef std::list<LDAPModification> ListType;
 
-	public : 
+    public : 
         /**
          * Constructs an empty list.
          */   
@@ -40,7 +41,17 @@
          */
         LDAPMod** toLDAPModArray();
 
-	private : 
+        /**
+         * @returns true, if the ModList contains no Operations
+         */
+        bool empty() const;
+        
+        /**
+         * @returns number of Modifications in the ModList
+         */
+        unsigned int size() const;
+
+    private : 
         ListType m_modList;
 };
 #endif //LDAP_MOD_LIST_H

Modified: openldap/trunk/contrib/ldapc++/src/LDAPModification.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPModification.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPModification.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPModification.cpp,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPModification.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPModification.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPModification.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPModification.h,v 1.3.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPModifyRequest.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPModifyRequest.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPModifyRequest.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPModifyRequest.cpp,v 1.8.6.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPModifyRequest.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPModifyRequest.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPModifyRequest.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPModifyRequest.h,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPObjClass.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPObjClass.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPObjClass.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPObjClass.cpp,v 1.3.6.2 2008/05/01 21:28:42 quanah Exp $
 /*
  * Copyright 2003, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -90,31 +91,31 @@
 	oid = oc_oid;
 }
 
-string LDAPObjClass::getOid () {
+string LDAPObjClass::getOid() const {
     return oid;
 }
 
-string LDAPObjClass::getDesc () {
+string LDAPObjClass::getDesc() const {
     return desc;
 }
 
-StringList LDAPObjClass::getNames () {
+StringList LDAPObjClass::getNames() const {
     return names;
 }
 
-StringList LDAPObjClass::getMust () {
+StringList LDAPObjClass::getMust() const {
     return must;
 }
 
-StringList LDAPObjClass::getMay () {
+StringList LDAPObjClass::getMay() const {
     return may;
 }
 
-StringList LDAPObjClass::getSup () {
+StringList LDAPObjClass::getSup() const {
     return sup;
 }
 
-string LDAPObjClass::getName () {
+string LDAPObjClass::getName() const {
 
     if (names.empty())
 	return "";
@@ -122,7 +123,7 @@
 	return *(names.begin());
 }
 
-int LDAPObjClass::getKind () {
+int LDAPObjClass::getKind() const {
      return kind;
 }
 

Modified: openldap/trunk/contrib/ldapc++/src/LDAPObjClass.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPObjClass.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPObjClass.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPObjClass.h,v 1.3.6.2 2008/05/01 21:28:42 quanah Exp $
 /*
  * Copyright 2003, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -55,42 +56,42 @@
 	/**
 	 * Returns object class description
 	 */
-	string getDesc ();
+	string getDesc() const;
 	
 	/**
 	 * Returns object class oid
 	 */
-	string getOid ();
+	string getOid() const;
 
 	/**
 	 * Returns object class name (first one if there are more of them)
 	 */
-	string getName ();
+	string getName() const;
 
 	/**
 	 * Returns object class kind: 0=ABSTRACT, 1=STRUCTURAL, 2=AUXILIARY
 	 */
-	int getKind ();
+	int getKind() const;
 
 	/**
 	 * Returns all object class names
 	 */
-	StringList getNames();
+	StringList getNames() const;
 	
 	/**
 	 * Returns list of required attributes
 	 */
-	StringList getMust();
+	StringList getMust() const;
 	
 	/**
 	 * Returns list of allowed (and not required) attributes
 	 */
-	StringList getMay();
+	StringList getMay() const;
 	
         /**
 	 * Returns list of the OIDs of the superior ObjectClasses
 	 */
-	StringList getSup();
+	StringList getSup() const;
 
 	void setNames (char **oc_names);
 	void setMay (char **oc_may);
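Review bot: with the getters now const, `getNames()`, `getMust()`, `getMay()` and `getSup()` still return StringList by value, so every call copies the list; returning `const StringList&` would let the const-correctness pay off without changing call sites. A small layout point: the doc comment above `getSup()` is indented with spaces while the surrounding comments in this header use tabs.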

Modified: openldap/trunk/contrib/ldapc++/src/LDAPRebind.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPRebind.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPRebind.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPRebind.cpp,v 1.1.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPRebind.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPRebind.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPRebind.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPRebind.h,v 1.3.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPRebindAuth.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPRebindAuth.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPRebindAuth.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPRebindAuth.cpp,v 1.2.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPRebindAuth.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPRebindAuth.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPRebindAuth.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPRebindAuth.h,v 1.3.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPReferenceList.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPReferenceList.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPReferenceList.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPReferenceList.cpp,v 1.2.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPReferenceList.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPReferenceList.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPReferenceList.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPReferenceList.h,v 1.7.6.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Deleted: openldap/trunk/contrib/ldapc++/src/LDAPReferralException.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPReferralException.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPReferralException.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,24 +0,0 @@
-/*
- * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
- * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
- */
-
-
-#include <iostream>
-#include "LDAPException.h"
-#include "LDAPReferralException.h"
-#include "LDAPResult.h"
-#include "LDAPRequest.h"
-#include "LDAPUrl.h"
-
-LDAPReferralException::LDAPReferralException(const LDAPUrlList& urls) : 
-        LDAPException(LDAPResult::REFERRAL) , m_urlList(urls){
-}
-
-LDAPReferralException::~LDAPReferralException(){
-}
-
-const LDAPUrlList& LDAPReferralException::getUrls(){
-    return m_urlList;
-}
-

Deleted: openldap/trunk/contrib/ldapc++/src/LDAPReferralException.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPReferralException.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPReferralException.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,42 +0,0 @@
-/*
- * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
- * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
- */
-
-
-#ifndef LDAP_REFERRAL_EXCEPTION_H
-#define LDAP_REFERRAL_EXCEPTION_H
-
-#include <list>
-#include <LDAPMessage.h>
-#include <LDAPUrlList.h>
-
-class LDAPUrlList;
-
-/**
- * This class extends LDAPException and is used to signalize Referrals
- * there were received during synchronous LDAP-operations
- */
-class LDAPReferralException : public LDAPException{
-
-    public :
-        /**
-         * Creates an object that is initialized with a list of URLs
-         */
-        LDAPReferralException(const LDAPUrlList& urls);
-
-        /**
-         * Destructor
-         */
-        ~LDAPReferralException();
-
-        /**
-         * @return The List of URLs of the Referral/Search Reference
-         */
-        const LDAPUrlList& getUrls();
-
-    private :
-        LDAPUrlList m_urlList;
-};
-
-#endif //LDAP_REFERRAL_EXCEPTION_H
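Review bot: LDAPReferralException.h and LDAPReferralException.cpp are deleted while the class itself survives, moved into LDAPException.h (its declaration, with the added `throw()` specifications, is visible at the start of this diff). Any client code that includes `<LDAPReferralException.h>` directly will stop compiling, so the removal belongs in the changelog or release notes, or the old header could be kept as a one-line forwarding include to LDAPException.h for a release.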

Modified: openldap/trunk/contrib/ldapc++/src/LDAPRequest.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPRequest.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPRequest.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPRequest.cpp,v 1.3.10.3 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -47,6 +48,36 @@
     delete m_cons;
 }
 
+LDAPMsg* LDAPRequest::getNextMessage() const 
+{
+    DEBUG(LDAP_DEBUG_DESTROY,"LDAPRequest::getNextMessage()" << endl);
+    int res;
+    LDAPMessage *msg;
+
+    res=ldap_result(this->m_connection->getSessionHandle(),
+            this->m_msgID,0,0,&msg);
+
+    if (res <= 0){
+        if(msg != 0){
+            ldap_msgfree(msg);
+        }
+        throw  LDAPException(this->m_connection);
+    }else{	
+        LDAPMsg *ret=0;
+        //this can  throw an exception (Decoding Error)
+        ret = LDAPMsg::create(this,msg);
+        ldap_msgfree(msg);
+        return ret;
+    }
+}
+
+LDAPRequest* LDAPRequest::followReferral(LDAPMsg* /*urls*/){
+    DEBUG(LDAP_DEBUG_TRACE,"LDAPBindRequest::followReferral()" << endl);
+    DEBUG(LDAP_DEBUG_TRACE,
+            "ReferralChasing not implemented for this operation" << endl);
+    return 0;
+}
+
 const LDAPConstraints* LDAPRequest::getConstraints() const{
     DEBUG(LDAP_DEBUG_TRACE,"LDAPRequest::getConstraints()" << endl);
     return m_cons;
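Review bot: `LDAPMessage *msg;` in getNextMessage() is never initialized, yet the `res <= 0` branch tests `msg != 0` before calling ldap_msgfree on it; ldap_result() does not promise to set the out-parameter on failure, so initialize it with `LDAPMessage *msg = 0;`. In the success branch `ldap_msgfree(msg)` is skipped when `LDAPMsg::create(this,msg)` throws (the comment above it says it can), leaking the message; wrap the create in a try block that frees msg and rethrows. Two smaller points: the DEBUG call uses LDAP_DEBUG_DESTROY for a function that is not a destructor (LDAP_DEBUG_TRACE, as in the rest of this file), and the base-class followReferral() logs itself as `LDAPBindRequest::followReferral()`.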

Modified: openldap/trunk/contrib/ldapc++/src/LDAPRequest.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPRequest.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPRequest.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPRequest.h,v 1.4.10.3 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -40,6 +41,7 @@
         
         const LDAPConstraints* getConstraints() const;
         const LDAPAsynConnection* getConnection() const;
+        virtual LDAPMsg *getNextMessage() const;
         int getType()const;
         int getMsgID() const;
         int getHopCount() const;
@@ -63,7 +65,7 @@
          * functions of the C-API to send the Request to a LDAP-Server
          */
         virtual LDAPMessageQueue* sendRequest()=0;
-        virtual LDAPRequest* followReferral(LDAPMsg* ref)=0;
+        virtual LDAPRequest* followReferral(LDAPMsg* ref);
 
         /**
          * Compare this request with another on. And returns true if they
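Review bot: turning `followReferral(LDAPMsg* ref)` from pure virtual into a virtual with a default means a subclass that forgets to override it now silently inherits the base implementation, which returns 0 and never chases referrals, where it previously failed to compile. That is a reasonable default for operations without referral support, but the doc comment above this block should say so explicitly so that implementers of new request types know they have to override it to get chasing.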

Modified: openldap/trunk/contrib/ldapc++/src/LDAPResult.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPResult.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPResult.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,6 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPResult.cpp,v 1.5.2.3 2008/04/14 23:09:26 quanah Exp $
 /*
- * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
+ * Copyright 2000-2007, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
  */
 
@@ -53,6 +54,11 @@
     }
 }
 
+LDAPResult::LDAPResult(int type, int resultCode, const std::string &msg) : 
+        LDAPMsg(type,0), m_resCode(resultCode), m_errMsg(msg)
+{}
+
+
 LDAPResult::~LDAPResult(){
     DEBUG(LDAP_DEBUG_DESTROY,"LDAPResult::~LDAPResult()" << endl);
 }

Modified: openldap/trunk/contrib/ldapc++/src/LDAPResult.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPResult.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPResult.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPResult.h,v 1.5.10.2 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -103,6 +104,7 @@
          *              Message.
          */
         LDAPResult(const LDAPRequest *req, LDAPMessage *msg);
+        LDAPResult(int type, int resultCode, const std::string &msg); 
         
         /**
          * The destructor.
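Review bot: the new `LDAPResult(int type, int resultCode, const std::string &msg)` constructor is added without a doc comment, right below a constructor that has one; document what it is for (building a result locally, with message id 0, rather than decoding a C-API message) and which members are left at their defaults. There is also trailing whitespace after the semicolon on that line.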

Copied: openldap/trunk/contrib/ldapc++/src/LDAPSaslBindResult.cpp (from rev 1127, openldap/vendor/openldap-2.4.9/contrib/ldapc++/src/LDAPSaslBindResult.cpp)
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPSaslBindResult.cpp	                        (rev 0)
+++ openldap/trunk/contrib/ldapc++/src/LDAPSaslBindResult.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,45 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPSaslBindResult.cpp,v 1.1.2.2 2008/04/14 23:09:26 quanah Exp $
+/*
+ * Copyright 2007, OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+
+#include "debug.h"
+#include <lber.h>
+#include "LDAPRequest.h"
+#include "LDAPException.h"
+
+#include "LDAPResult.h"
+#include "LDAPSaslBindResult.h"
+
+using namespace std;
+
+LDAPSaslBindResult::LDAPSaslBindResult(const LDAPRequest* req, LDAPMessage* msg) :
+        LDAPResult(req, msg){
+    DEBUG(LDAP_DEBUG_CONSTRUCT,"LDAPSaslBindResult::LDAPSaslBindResult()" 
+            << std::endl);
+    BerValue* data = 0;
+    LDAP* lc = req->getConnection()->getSessionHandle();
+    int err = ldap_parse_sasl_bind_result(lc, msg, &data, 0);
+    if( err != LDAP_SUCCESS && err != LDAP_SASL_BIND_IN_PROGRESS ){
+        ber_bvfree(data);
+        throw LDAPException(err);
+    }else{
+        if(data){
+            DEBUG(LDAP_DEBUG_TRACE, "   creds present" << std::endl);
+            m_creds=string(data->bv_val, data->bv_len);
+            ber_bvfree(data);
+        } else {
+            DEBUG(LDAP_DEBUG_TRACE, "   no creds present" << std::endl);
+        }
+    }
+}
+
+LDAPSaslBindResult::~LDAPSaslBindResult(){
+    DEBUG(LDAP_DEBUG_DESTROY,"LDAPSaslBindResult::~LDAPSaslBindResult()" << endl);
+}
+
+const string& LDAPSaslBindResult::getServerCreds() const{
+    return m_creds;
+}
+
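Review bot: The constructor deliberately accepts `LDAP_SASL_BIND_IN_PROGRESS` as a non-error (correct, since the caller needs `m_creds` to run the next SASL step), but nothing in this class tells the caller how to distinguish "bind complete" from "server challenge, continue"; document on `getServerCreds()` that the result code from the `LDAPResult` base must be checked, or add a small `isInProgress()` accessor. Minor: the `else` after `throw LDAPException(err);` is redundant, and the file mixes `using namespace std;` with explicit `std::endl` and bare `endl`.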

Copied: openldap/trunk/contrib/ldapc++/src/LDAPSaslBindResult.h (from rev 1127, openldap/vendor/openldap-2.4.9/contrib/ldapc++/src/LDAPSaslBindResult.h)
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPSaslBindResult.h	                        (rev 0)
+++ openldap/trunk/contrib/ldapc++/src/LDAPSaslBindResult.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,43 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPSaslBindResult.h,v 1.1.2.2 2008/04/14 23:09:26 quanah Exp $
+/*
+ * Copyright 2007, OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+
+#ifndef LDAP_SASL_BIND_RESULT_H
+#define LDAP_SASL_BIND_RESULT_H
+
+#include <ldap.h>
+
+#include <LDAPResult.h>
+
+class LDAPRequest;
+
+/**
+ * Object of this class are created by the LDAPMsg::create method if
+ * results for an Extended Operation were returned by a LDAP server.
+ */
+class LDAPSaslBindResult : public LDAPResult {
+    public :
+        /**
+         * Constructor that creates an LDAPExtResult-object from the C-API
+         * structures
+         */
+        LDAPSaslBindResult(const LDAPRequest* req, LDAPMessage* msg);
+
+        /**
+         * The Destructor
+         */
+        virtual ~LDAPSaslBindResult();
+
+        /**
+         * @returns If the result contained data this method will return
+         *          the data to the caller as a std::string.
+         */
+        const std::string& getServerCreds() const;
+
+    private:
+        std::string m_creds;
+};
+
+#endif // LDAP_SASL_BIND_RESULT_H
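Review bot: The doc comments were copied from `LDAPExtResult` and describe the wrong class: "results for an Extended Operation" and "creates an LDAPExtResult-object" should read "results for a SASL bind" and "creates an LDAPSaslBindResult-object", and "Object of this class are" should be "Objects of this class are". The `@returns` text on `getServerCreds()` should also say that the string holds the server's SASL credentials (challenge data), which may be empty when the server sent none.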

Modified: openldap/trunk/contrib/ldapc++/src/LDAPSchema.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPSchema.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPSchema.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPSchema.cpp,v 1.2.6.2 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2003, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -3,10 +4,13 @@
  */
 
-#include "debug.h"
-#include "StringList.h"
 #include "LDAPSchema.h"
 
 #include <ctype.h>
+#include <ldap.h>
 
+#include "debug.h"
+#include "StringList.h"
+
+
 using namespace std;
 

Modified: openldap/trunk/contrib/ldapc++/src/LDAPSchema.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPSchema.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPSchema.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPSchema.h,v 1.1.8.2 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2003, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -6,7 +7,6 @@
 #ifndef LDAP_SCHEMA_H
 #define LDAP_SCHEMA_H
 
-#include <ldap.h>
 #include <string>
 #include <map>
 
@@ -44,8 +44,8 @@
          * Fill the object_classes map
 	 * @param oc description of one objectclass (string returned by search
 	 * command), in form:
-	 * "( SuSE.YaST.OC:5 NAME 'userTemplate' SUP objectTemplate STRUCTURAL
-	 *    DESC 'User object template' MUST ( cn ) MAY ( secondaryGroup ))"
+	 * "( 1.2.3.4.5 NAME '<name>' SUP <supname> STRUCTURAL
+	 *    DESC '<description>' MUST ( <attrtype> ) MAY ( <attrtype> ))"
          */
 	void setObjectClasses (const StringList &oc);
 
@@ -53,7 +53,7 @@
          * Fill the attr_types map
 	 * @param at description of one attribute type
 	 *  (string returned by search command), in form:
-	 * "( SuSE.YaST.Attr:19 NAME ( 'skelDir' ) DESC ''
+	 * "( 1.2.3.4.6 NAME ( '<name>' ) DESC '<desc>'
 	 *    EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )"
          */
 	void setAttributeTypes (const StringList &at);

Modified: openldap/trunk/contrib/ldapc++/src/LDAPSearchReference.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPSearchReference.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPSearchReference.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPSearchReference.cpp,v 1.4.2.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPSearchReference.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPSearchReference.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPSearchReference.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPSearchReference.h,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPSearchRequest.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPSearchRequest.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPSearchRequest.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPSearchRequest.cpp,v 1.7.2.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPSearchRequest.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPSearchRequest.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPSearchRequest.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPSearchRequest.h,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPSearchResult.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPSearchResult.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPSearchResult.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPSearchResult.cpp,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPSearchResult.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPSearchResult.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPSearchResult.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPSearchResult.h,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPSearchResults.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPSearchResults.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPSearchResults.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPSearchResults.cpp,v 1.1.10.2 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -7,7 +8,6 @@
 #include "LDAPException.h"
 #include "LDAPSearchResult.h"
 #include "LDAPResult.h"
-#include "LDAPReferralException.h"
 
 #include "LDAPSearchResults.h"
 

Modified: openldap/trunk/contrib/ldapc++/src/LDAPSearchResults.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPSearchResults.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPSearchResults.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPSearchResults.h,v 1.3.10.2 2008/04/14 23:30:47 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -28,14 +29,14 @@
         /**
          * For internal use only.
          *
-         * This method read Search result entries from a
+         * This method reads Search result entries from a
          * LDAPMessageQueue-object.
          * @param msg The message queue to read
          */
         LDAPResult* readMessageQueue(LDAPMessageQueue* msg);
 
         /**
-         * The methode is used by the client-application to read the
+         * The method is used by the client-application to read the
          * result entries of the  SEARCH-Operation. Every call of this
          * method returns one entry. If all entries were read it return 0.
          * @throws LDAPReferralException  If a Search Reference was

Modified: openldap/trunk/contrib/ldapc++/src/LDAPUrl.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPUrl.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPUrl.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPUrl.cpp,v 1.3.10.5 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000-2006, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -6,6 +7,7 @@
 
 #include "LDAPUrl.h"
 #include <sstream>
+#include <iomanip>
 #include "debug.h"
 
 using namespace std;
@@ -163,7 +165,7 @@
     DEBUG(LDAP_DEBUG_TRACE, "LDAPUrl::parseUrl()" << std::endl);
     // reading Scheme
     std::string::size_type pos = m_urlString.find(':');
-    std::string::size_type startpos = m_urlString.find(':');
+    std::string::size_type startpos = pos;
     if (pos == std::string::npos) {
         throw LDAPUrlException(LDAPUrlException::INVALID_URL,
                 "No colon found in URL");
@@ -190,28 +192,42 @@
         startpos = pos + 3;
     }
     if ( m_urlString[startpos] == '/' ) {
+        // no hostname and port
         startpos++;
     } else {
+        std::string::size_type hostend;
+        std::string::size_type portstart;
         pos = m_urlString.find('/', startpos);
-        std::string hostport = m_urlString.substr(startpos, 
-                pos - startpos);
-        DEBUG(LDAP_DEBUG_TRACE, "    hostport: <" << hostport << ">" 
-                << std::endl);
-        std::string::size_type portstart = m_urlString.find(':', startpos);
-        if (portstart == std::string::npos || portstart > pos ) {
-            percentDecode(hostport, m_Host);
+
+        // IPv6 Address?
+        if ( m_urlString[startpos] == '[' ) {
+            // skip
+            startpos++;
+            hostend =  m_urlString.find(']', startpos);
+            if ( hostend == std::string::npos ){
+                throw LDAPUrlException(LDAPUrlException::INVALID_URL);
+            }
+            portstart = hostend + 1;
+        } else {
+            hostend = m_urlString.find(':', startpos);
+            if ( hostend == std::string::npos || portstart > pos ) {
+                hostend = pos;
+            }
+            portstart = hostend;
+        }
+        std::string host = m_urlString.substr(startpos, hostend - startpos);
+        DEBUG(LDAP_DEBUG_TRACE, "    host: <" << host << ">" << std::endl);
+        percentDecode(host, m_Host);
+
+        if (portstart >= m_urlString.length() || portstart >= pos ) {
             if ( m_Scheme == "ldap" || m_Scheme == "cldap" ) {
                 m_Port = LDAP_DEFAULT_PORT;
             } else if ( m_Scheme == "ldaps" ) {
                 m_Port = LDAPS_DEFAULT_PORT;
             }
         } else {
-            std::string tmp = m_urlString.substr(startpos, 
-                        portstart - startpos);
-            percentDecode(tmp, m_Host);
-            DEBUG(LDAP_DEBUG_TRACE, "Host: <" << m_Host << ">" << std::endl);
             std::string port = m_urlString.substr(portstart+1, 
-                    pos-portstart-1);
+                    (pos == std::string::npos ? pos : pos-portstart-1) );
             if ( port.length() > 0 ) {
                 std::istringstream i(port);
                 i >> m_Port;
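Review bot: `portstart` is read before it is assigned in the non-IPv6 branch: `if ( hostend == std::string::npos || portstart > pos )` tests `portstart`, which is declared without an initialiser at the top of the block and only set on the following line, so the comparison is undefined behaviour and the intended check (`hostend > pos`, i.e. the colon found belongs to the path, not the host) is never made. Change it to `hostend > pos`. In the IPv6 branch, `hostend = m_urlString.find(']', startpos)` should additionally require `hostend < pos`, otherwise a `]` appearing later in the URL (after the `/`) is taken as the end of the host literal; and `portstart = hostend + 1` is used as the position of the `:` without verifying that `m_urlString[portstart]` actually is `:` before the port substring is taken from `portstart+1`.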
@@ -222,8 +238,8 @@
             DEBUG(LDAP_DEBUG_TRACE, "    Port: <" << m_Port << ">" 
                     << std::endl);
         }
+        startpos = pos + 1;
     }
-    startpos = pos + 1;
     int parserMode = base;
     while ( pos != std::string::npos ) {
         pos = m_urlString.find('?', startpos);
@@ -327,8 +343,15 @@
 {
     std::ostringstream url; 
     std::string encoded = "";
-    this->percentEncode(m_Host, encoded, PCT_ENCFLAG_SLASH);
-    url << m_Scheme << "://" << encoded;
+    
+    url << m_Scheme << "://";
+    // IPv6 ?
+    if ( m_Host.find( ':', 0 ) != std::string::npos ) {
+        url <<  "[" << this->percentEncode(m_Host, encoded) <<  "]";
+    } else {
+        url << this->percentEncode(m_Host, encoded, PCT_ENCFLAG_SLASH);
+    }
+
     if ( m_Port != 0 ) {
         url << ":" << m_Port;
     }
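Review bot: For the bracketed IPv6 form this relies on `percentEncode(m_Host, encoded)` leaving `:` untouched with the default flags; if it escapes `:` (that code is outside this hunk, please confirm), the literal is emitted percent-escaped inside the brackets, which RFC 3986 does not allow in an IP-literal, and the URL will not round-trip through `parseUrl()`. Detecting IPv6 by `m_Host.find(':')` is fine here since a hostname or IPv4 address never contains a colon.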
@@ -393,7 +416,7 @@
 }
 
 
-void LDAPUrl::percentEncode( const std::string &src, 
+std::string& LDAPUrl::percentEncode( const std::string &src, 
         std::string &dest, 
         int flags) const
 {
@@ -453,12 +476,13 @@
             break;
         }
         if ( escape ) {
-            o << "%" << (int)(unsigned char)*i ;
+            o << "%" << std::setw(2) << std::setfill('0') << (int)(unsigned char)*i ;
         } else {
             o.put(*i);
         }
     }
     dest = o.str();
+    return dest;
 }
 
 const code2string_s LDAPUrlException::code2string[] = {
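Review bot: `std::setw(2) << std::setfill('0')` fixes the missing zero padding, but the byte is still printed in whatever base `o` currently has; unless `o << std::hex` is set earlier in the function (outside this hunk, please verify), the escape is the decimal byte value, so `/` becomes `%47` instead of `%2F`, which `percentDecode` and every other URL parser will misread. Setting `std::hex` (and `std::uppercase`, to match the RFC 3986 recommendation) once before the loop would make this unambiguous.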

Modified: openldap/trunk/contrib/ldapc++/src/LDAPUrl.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPUrl.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPUrl.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPUrl.h,v 1.6.8.4 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000-2006, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -138,7 +139,7 @@
          * @param dest The encoded result string
          * @param flags
          */
-        void percentEncode( const std::string& src, 
+        std::string& percentEncode( const std::string& src, 
                     std::string& dest, 
                     int flags=0 ) const;
    

Modified: openldap/trunk/contrib/ldapc++/src/LDAPUrlList.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPUrlList.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPUrlList.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPUrlList.cpp,v 1.6.6.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000-2002 OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPUrlList.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPUrlList.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPUrlList.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPUrlList.h,v 1.8.6.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Copied: openldap/trunk/contrib/ldapc++/src/LdifReader.cpp (from rev 1127, openldap/vendor/openldap-2.4.9/contrib/ldapc++/src/LdifReader.cpp)
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LdifReader.cpp	                        (rev 0)
+++ openldap/trunk/contrib/ldapc++/src/LdifReader.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,348 @@
+/*
+ * Copyright 2008, OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+
+#include "LdifReader.h"
+#include "LDAPMessage.h"
+#include "LDAPEntry.h"
+#include "LDAPAttributeList.h"
+#include "LDAPAttribute.h"
+#include "LDAPUrl.h"
+#include "debug.h"
+
+#include <string>
+#include <sstream>
+#include <stdexcept>
+
+#include <sasl/saslutil.h> // For base64 routines
+
+typedef std::pair<std::string, std::string> stringpair;
+
+LdifReader::LdifReader( std::istream &input ) 
+        : m_ldifstream(input), m_lineNumber(0)
+{
+    DEBUG(LDAP_DEBUG_TRACE, "<> LdifReader::LdifReader()" << std::endl);
+    this->m_version = 0;
+    // read the first record to find out version and type of the LDIF
+    this->readNextRecord(true);
+    this->m_currentIsFirst = true;
+}
+
+int LdifReader::readNextRecord( bool first )
+{
+    DEBUG(LDAP_DEBUG_TRACE, "-> LdifReader::readRecord()" << std::endl);
+    std::string line;
+    std::string type;
+    std::string value;
+    int numLine = 0;
+    int recordType = 0;
+
+    if ( (! first) && this->m_currentIsFirst == true )
+    {
+        this->m_currentIsFirst = false;
+        return m_curRecType;
+    }
+
+    m_currentRecord.clear();
+
+    while ( !this->getLdifLine(line) )
+    {
+        DEBUG(LDAP_DEBUG_TRACE, "  Line: " << line << std::endl );
+
+        // skip comments and empty lines between entries
+        if ( line[0] == '#' || ( numLine == 0 && line.size() == 0 ) )
+        {
+            DEBUG(LDAP_DEBUG_TRACE, "skipping empty line or comment" << std::endl );
+            continue;
+        }
+        if ( line.size() == 0 ) 
+        {
+            // End of Entry
+            break;
+        }
+
+        this->splitLine(line, type, value);
+
+        if ( numLine == 0 )
+        {
+            if ( type == "version" )
+            {
+                std::istringstream valuestream(value);
+                valuestream >> this->m_version;
+                if ( this->m_version != 1 ) // there is no other Version than LDIFv1 
+                {
+                    std::ostringstream err;
+                    err << "Line " << this->m_lineNumber 
+                        << ": Unsuported LDIF Version";
+                    throw( std::runtime_error(err.str()) );
+                }
+                continue;
+            }
+            if ( type == "dn" ) // Record should start with the DN ...
+            {
+                DEBUG(LDAP_DEBUG_TRACE, " Record DN:" << value << std::endl);
+            }
+            else if ( type == "include" ) // ... or it might be an "include" line
+            {
+                DEBUG(LDAP_DEBUG_TRACE, " Include directive: " << value << std::endl);
+                if ( this->m_version == 1 )
+                {
+                    std::ostringstream err;
+                    err << "Line " << this->m_lineNumber 
+                        << ": \"include\" not allowed in LDIF version 1.";
+                    throw( std::runtime_error(err.str()) );
+                }
+                else
+                {
+                    std::ostringstream err;
+                    err << "Line " << this->m_lineNumber 
+                        << ": \"include\" not yet suppported.";
+                    throw( std::runtime_error(err.str()) );
+                }
+            }
+            else
+            {
+                DEBUG(LDAP_DEBUG_TRACE, " Record doesn't start with a DN" 
+                            << std::endl);
+                std::ostringstream err;
+                err << "Line " << this->m_lineNumber 
+                    << ": LDIF record does not start with a DN.";
+                throw( std::runtime_error(err.str()) );
+            }
+        }
+        if ( numLine == 1 ) // might contain "changtype" to indicate a change request
+        {
+            if ( type == "changetype" ) 
+            {
+                if ( first ) 
+                {
+                    this->m_ldifTypeRequest = true;
+                }
+                else if (! this->m_ldifTypeRequest )
+                {
+                    // Change Request in Entry record LDIF, should we accept it?
+                    std::ostringstream err;
+                    err << "Line " << this->m_lineNumber 
+                        << ": Change Request in an entry-only LDIF.";
+                    throw( std::runtime_error(err.str()) );
+                }
+                if ( value == "modify" )
+                {
+                    recordType = LDAPMsg::MODIFY_REQUEST;
+                }
+                else if ( value == "add" )
+                {
+                    recordType = LDAPMsg::ADD_REQUEST;
+                }
+                else if ( value == "delete" )
+                {
+                    recordType = LDAPMsg::DELETE_REQUEST;
+                }
+                else if ( value == "modrdn" )
+                {   
+                    recordType = LDAPMsg::MODRDN_REQUEST;
+                }
+                else
+                {
+                    DEBUG(LDAP_DEBUG_TRACE, " Unknown change request <" 
+                            << value << ">" << std::endl);
+                    std::ostringstream err;
+                    err << "Line " << this->m_lineNumber 
+                        << ": Unknown changetype: \"" << value << "\".";
+                    throw( std::runtime_error(err.str()) );
+                }
+            }
+            else
+            {
+                if ( first ) 
+                {
+                    this->m_ldifTypeRequest = false;
+                }
+                else if (this->m_ldifTypeRequest )
+                {
+                    // Entry record in Change record LDIF, should we accept 
+                    // it (e.g. as AddRequest)?
+                }
+                recordType = LDAPMsg::SEARCH_ENTRY;
+            }
+        }
+        m_currentRecord.push_back( stringpair(type, value) );
+        numLine++;
+    }
+    DEBUG(LDAP_DEBUG_TRACE, "<- LdifReader::readRecord() return: " 
+            << recordType << std::endl);
+    m_curRecType = recordType;
+    return recordType;
+}
+
+LDAPEntry LdifReader::getEntryRecord()
+{
+    if ( m_curRecType != LDAPMsg::SEARCH_ENTRY )
+    {
+        // Error
+    }
+    std::list<stringpair>::const_iterator i = m_currentRecord.begin();
+    LDAPEntry resEntry(i->second);
+    i++;
+    LDAPAttribute curAttr(i->first);
+    LDAPAttributeList *curAl = new LDAPAttributeList();
+    for ( ; i != m_currentRecord.end(); i++ )
+    {
+        if ( i->first == curAttr.getName() )
+        {
+            curAttr.addValue(i->second);
+        }
+        else
+        {
+            if ( curAl->getAttributeByName( i->first ) )
+            {
+                // Attribute exists already -> Syntax Error
+                std::ostringstream err;
+                err << "Line " << this->m_lineNumber 
+                    << ": Attribute \"" << i->first 
+                    << "\" specified multiple times.";
+                throw( std::runtime_error(err.str()) );
+            }
+            else
+            {
+                curAl->addAttribute( curAttr );
+                curAttr = LDAPAttribute( i->first, i->second );
+            }
+        }
+    }
+    curAl->addAttribute( curAttr );
+    resEntry.setAttributes( curAl );
+    return resEntry;
+}
+
+int LdifReader::getLdifLine(std::string &ldifline)
+{
+    DEBUG(LDAP_DEBUG_TRACE, "-> LdifReader::getLdifLine()" << std::endl);
+
+    this->m_lineNumber++;
+    if ( ! getline(m_ldifstream, ldifline) )
+    {
+        return -1;
+    }
+    while ( m_ldifstream &&
+        (m_ldifstream.peek() == ' ' || m_ldifstream.peek() == '\t'))
+    {
+        std::string cat;
+        m_ldifstream.ignore();
+        getline(m_ldifstream, cat);
+        ldifline += cat;
+        this->m_lineNumber++;
+    }
+
+    DEBUG(LDAP_DEBUG_TRACE, "<- LdifReader::getLdifLine()" << std::endl);
+    return 0;
+}
+
+void LdifReader::splitLine(
+            const std::string& line, 
+            std::string &type,
+            std::string &value) const
+{
+    std::string::size_type pos = line.find(':');
+    if ( pos == std::string::npos )
+    {
+        DEBUG(LDAP_DEBUG_ANY, "Invalid LDIF line. No `:` separator" 
+                << std::endl );
+        std::ostringstream err;
+        err << "Line " << this->m_lineNumber << ": Invalid LDIF line. No `:` separator";
+        throw( std::runtime_error( err.str() ));
+    }
+
+    type = line.substr(0, pos);
+    if ( pos == line.size() )
+    {
+        // empty value
+        value = "";
+        return;
+    }
+
+    pos++;
+    char delim = line[pos];
+    if ( delim == ':' || delim == '<' )
+    {
+        pos++;
+    }
+
+    for( ; pos < line.size() && isspace(line[pos]); pos++ )
+    { /* empty */ }
+
+    value = line.substr(pos);
+
+    if ( delim == ':' )
+    {
+        // Base64 encoded value
+        DEBUG(LDAP_DEBUG_TRACE, "  base64 encoded value" << std::endl );
+        char outbuf[value.size()];
+        int rc = sasl_decode64(value.c_str(), value.size(), 
+                outbuf, value.size(), NULL);
+        if( rc == SASL_OK )
+        {
+            value = std::string(outbuf);
+        }
+        else if ( rc == SASL_BADPROT )
+        {
+            value = "";
+            DEBUG( LDAP_DEBUG_TRACE, " invalid base64 content" << std::endl );
+            std::ostringstream err;
+            err << "Line " << this->m_lineNumber << ": Can't decode Base64 data";
+            throw( std::runtime_error( err.str() ));
+        }
+        else if ( rc == SASL_BUFOVER )
+        {
+            value = "";
+            DEBUG( LDAP_DEBUG_TRACE, " not enough space in output buffer" 
+                    << std::endl );
+            std::ostringstream err;
+            err << "Line " << this->m_lineNumber 
+                << ": Can't decode Base64 data. Buffer too small";
+            throw( std::runtime_error( err.str() ));
+        }
+    }
+    else if ( delim == '<' )
+    {
+        // URL value
+        DEBUG(LDAP_DEBUG_TRACE, "  url value" << std::endl );
+        std::ostringstream err;
+        err << "Line " << this->m_lineNumber 
+            << ": URLs are currently not supported";
+        throw( std::runtime_error( err.str() ));
+    }
+    else 
+    {
+        // "normal" value
+        DEBUG(LDAP_DEBUG_TRACE, "  string value" << std::endl );
+    }
+    DEBUG(LDAP_DEBUG_TRACE, "  Type: <" << type << ">" << std::endl );
+    DEBUG(LDAP_DEBUG_TRACE, "  Value: <" << value << ">" << std::endl );
+    return;
+}
+
+std::string LdifReader::readIncludeLine( const std::string& line ) const
+{
+    std::string::size_type pos = sizeof("file:") - 1;
+    std::string scheme = line.substr( 0, pos );
+    std::string file;
+
+    // only file:// URLs supported currently
+    if ( scheme != "file:" )
+    {
+        DEBUG( LDAP_DEBUG_TRACE, "unsupported scheme: " << scheme 
+                << std::endl);
+    }
+    else if ( line[pos] == '/' )
+    {
+        if ( line[pos+1] == '/' )
+        {
+            pos += 2;
+        }
+        file = line.substr(pos, std::string::npos);
+        DEBUG( LDAP_DEBUG_TRACE, "target file: " << file << std::endl);
+    }
+    return file;
+}
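Review bot: In the base64 branch of `splitLine()`, `sasl_decode64()` is called with a NULL `outlen` and the value is rebuilt with `std::string(outbuf)`, so any decoded value containing a NUL byte is silently truncated at that byte (and the constructor depends on the decoder NUL-terminating the buffer); base64 in LDIF exists precisely for binary values such as certificates and photos, so pass an `unsigned outlen` and use `std::string(outbuf, outlen)`. `char outbuf[value.size()]` is a variable-length array, which is not standard C++ and is zero-sized for an empty `:: ` value; a `std::vector<char>` sized `value.size()` avoids both problems. Further points in the same hunk: `line[0] == '#'` is evaluated before the empty-line check in `readNextRecord()`, and indexing an empty non-const `std::string` is undefined in C++03, so test `line.empty()` first; in `splitLine()`, `pos == line.size()` can never be true because `pos` is the index of the `:`, so for a line such as `cn:` the subsequent `pos++` and `line[pos]` read one past the end (the check should be `pos + 1 == line.size()`); `isspace(line[pos])` needs `<cctype>` and an `unsigned char` cast to be safe for non-ASCII bytes; `getEntryRecord()` has an empty `// Error` branch and then dereferences `m_currentRecord.begin()`, which is `end()` once `readNextRecord()` has returned 0 at EOF with the record cleared, so throw there instead; `curAl` leaks when the "specified multiple times" exception is thrown; and RFC 2849 only allows a single space as the continuation marker in `getLdifLine()`, not a tab. Typos in messages and comments: "Unsuported", "suppported", "changtype".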

Copied: openldap/trunk/contrib/ldapc++/src/LdifReader.h (from rev 1127, openldap/vendor/openldap-2.4.9/contrib/ldapc++/src/LdifReader.h)
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LdifReader.h	                        (rev 0)
+++ openldap/trunk/contrib/ldapc++/src/LdifReader.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,56 @@
+/*
+ * Copyright 2008, OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+
+#ifndef LDIF_READER_H
+#define LDIF_READER_H
+
+#include <LDAPEntry.h>
+#include <iosfwd>
+#include <list>
+
+typedef std::list< std::pair<std::string, std::string> > LdifRecord;
+class LdifReader
+{
+    public:
+        LdifReader( std::istream &input );
+
+        inline bool isEntryRecords() const
+        {
+            return !m_ldifTypeRequest;
+        }
+
+        inline bool isChangeRecords() const
+        {
+            return m_ldifTypeRequest;
+        }
+
+        inline int getVersion() const
+        {
+            return m_version;
+        }
+
+        LDAPEntry getEntryRecord();
+        int readNextRecord( bool first=false );
+        //LDAPRequest getChangeRecord();
+
+    private:
+        int getLdifLine(std::string &line);
+
+        void splitLine(const std::string& line, 
+                    std::string &type,
+                    std::string &value ) const;
+
+        std::string readIncludeLine( const std::string &line) const;
+
+        std::istream &m_ldifstream;
+        LdifRecord m_currentRecord;
+        int m_version;
+        int m_curRecType;
+        int m_lineNumber;
+        bool m_ldifTypeRequest;
+        bool m_currentIsFirst;
+};
+
+#endif /* LDIF_READER_H */
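Review bot: `m_ldifTypeRequest` and `m_curRecType` are never initialised in the constructor; `readNextRecord()` only assigns `m_ldifTypeRequest` when a record reaches its second line, so for an LDIF whose first record is a bare `dn:` line `isEntryRecords()` and `isChangeRecords()` return an indeterminate value. Initialise both in the constructor's initialiser list. The `LdifRecord` typedef uses `std::pair` and `std::string` but the header only includes `<iosfwd>` and `<list>`; add `<string>` and `<utility>` rather than relying on `LDAPEntry.h` to pull them in. `readNextRecord( bool first=false )` is public, yet `first=true` is only meaningful from the constructor; consider making that parameter private or documenting it.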

Copied: openldap/trunk/contrib/ldapc++/src/LdifWriter.cpp (from rev 1127, openldap/vendor/openldap-2.4.9/contrib/ldapc++/src/LdifWriter.cpp)
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LdifWriter.cpp	                        (rev 0)
+++ openldap/trunk/contrib/ldapc++/src/LdifWriter.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,116 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LdifWriter.cpp,v 1.2.2.1 2008/04/14 22:58:58 quanah Exp $
+/*
+ * Copyright 2008, OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+
+#include "LdifWriter.h"
+#include "StringList.h"
+#include "LDAPAttribute.h"
+#include "debug.h"
+#include <sstream>
+#include <stdexcept>
+
+LdifWriter::LdifWriter( std::ostream& output, int version ) :
+        m_ldifstream(output), m_version(version), m_addSeparator(false)
+{
+    if ( version )
+    {
+        if ( version == 1 )
+        {
+            m_ldifstream << "version: " << version << std::endl;
+            m_addSeparator = true;
+        } else {
+            std::ostringstream err;
+            err << "Unsuported LDIF Version";
+            throw( std::runtime_error(err.str()) );
+        }
+    }
+    
+}
+
+void LdifWriter::writeRecord(const LDAPEntry& le)
+{
+    std::ostringstream line;
+
+    if ( m_addSeparator )
+    {
+        m_ldifstream << std::endl;
+    } else {
+        m_addSeparator = true;
+    }
+
+    line << "dn: " << le.getDN();
+    this->breakline( line.str(), m_ldifstream );
+
+    const LDAPAttributeList *al = le.getAttributes();
+    LDAPAttributeList::const_iterator i = al->begin();
+    for ( ; i != al->end(); i++ )
+    {
+        StringList values = i->getValues();
+        StringList::const_iterator j = values.begin();
+        for( ; j != values.end(); j++)
+        {
+            // clear output stream
+            line.str("");
+            line << i->getName() << ": " << *j;
+            this->breakline( line.str(), m_ldifstream );
+        }
+    }
+}
+
+void LdifWriter::writeIncludeRecord( const std::string& target )
+{
+    DEBUG(LDAP_DEBUG_TRACE, "writeIncludeRecord: " << target << std::endl);
+    std::string scheme = target.substr( 0, sizeof("file:")-1 );
+    
+    if ( m_version == 1 )
+    {
+        std::ostringstream err;
+        err << "\"include\" not allowed in LDIF version 1.";
+        throw( std::runtime_error(err.str()) );
+    }
+    
+    if ( m_addSeparator )
+    {
+        m_ldifstream << std::endl;
+    } else {
+        m_addSeparator = true;
+    }
+
+    m_ldifstream << "include: ";
+    if ( scheme != "file:" )
+    {
+        m_ldifstream << "file://";
+    }
+
+    m_ldifstream << target << std::endl;
+}
+
+void LdifWriter::breakline( const std::string &line, std::ostream &out )
+{
+    std::string::size_type pos = 0;
+    std::string::size_type linelength = 76;
+    bool first = true;
+    
+    if ( line.length() >= linelength )
+    {
+        while ( pos < line.length() )
+        {
+            if (! first )
+            {
+                out << " ";
+            }
+            out << line.substr(pos, linelength) << std::endl;
+            pos += linelength;
+            if ( first )
+            {
+                first = false;
+                linelength--; //account for the leading space
+            }
+        }
+    } else {
+        out << line << std::endl;
+    }
+}
+
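Review bot: `writeRecord` emits the DN (`line << "dn: " << le.getDN();`) and every attribute value (`line << i->getName() << ": " << *j;`) verbatim, with no check for values that RFC 2849 requires to be base64-encoded as `name:: <base64>`: values beginning with a space, `:` or `<`, or containing NUL, CR, LF or non-ASCII bytes. A value that contains a newline therefore splits the record and is read back as extra LDIF lines, and binary attributes (certificates, jpegPhoto) are written corrupted. Suggest a small predicate applied to the DN and each value before the `breakline` call, writing `name:: ` plus the base64 form when it fires. Minor: the message at `err << "Unsuported LDIF Version";` should read "Unsupported".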

Copied: openldap/trunk/contrib/ldapc++/src/LdifWriter.h (from rev 1127, openldap/vendor/openldap-2.4.9/contrib/ldapc++/src/LdifWriter.h)
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LdifWriter.h	                        (rev 0)
+++ openldap/trunk/contrib/ldapc++/src/LdifWriter.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,31 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LdifWriter.h,v 1.2.2.1 2008/04/14 22:58:58 quanah Exp $
+/*
+ * Copyright 2008, OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+
+#ifndef LDIF_WRITER_H
+#define LDIF_WRITER_H
+
+#include <LDAPEntry.h>
+#include <iosfwd>
+#include <list>
+
+class LdifWriter
+{
+    public:
+        LdifWriter( std::ostream& output, int version = 0 );
+        void writeRecord(const LDAPEntry& le);
+        void writeIncludeRecord(const std::string& target);
+
+    private:
+        void breakline( const std::string &line, std::ostream &out );
+
+        std::ostream& m_ldifstream;
+        int m_version;
+        bool m_addSeparator;
+
+};
+
+#endif /* LDIF_WRITER_H */
+
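Review bot: `#include <list>` is unused in this header, while `std::string` appears in the `writeIncludeRecord` and `breakline` signatures without `#include <string>`; it compiles only because `<LDAPEntry.h>` happens to pull it in. It is also worth noting next to `LdifWriter( std::ostream& output, int version = 0 );` that the object keeps a reference to the stream (`m_ldifstream`), so the stream must outlive the writer.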

Modified: openldap/trunk/contrib/ldapc++/src/Makefile.am
===================================================================
--- openldap/trunk/contrib/ldapc++/src/Makefile.am	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/Makefile.am	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,6 @@
-##
+# $OpenLDAP: pkg/ldap/contrib/ldapc++/src/Makefile.am,v 1.10.2.5 2008/04/14 23:02:35 quanah Exp $
+
+###
 # Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT file
 ##
@@ -6,73 +8,81 @@
 lib_LTLIBRARIES = libldapcpp.la
 
 libldapcpp_la_SOURCES = LDAPAddRequest.cpp \
-                        LDAPAsynConnection.cpp \
-                        LDAPAttribute.cpp \
-                        LDAPAttributeList.cpp \
-                        LDAPAttrType.cpp \
-                        LDAPBindRequest.cpp \
-                        LDAPCompareRequest.cpp \
-                        LDAPConnection.cpp \
-                        LDAPConstraints.cpp \
-                        LDAPControl.cpp \
-                        LDAPControlSet.cpp \
-                        LDAPDeleteRequest.cpp \
-                        LDAPEntry.cpp \
-                        LDAPEntryList.cpp \
-                        LDAPException.cpp \
-                        LDAPExtRequest.cpp \
-                        LDAPExtResult.cpp \
-                        LDAPMessage.cpp \
-                        LDAPMessageQueue.cpp \
-                        LDAPModDNRequest.cpp \
-                        LDAPModification.cpp \
-                        LDAPModifyRequest.cpp \
-                        LDAPModList.cpp \
-                        LDAPObjClass.cpp \
-                        LDAPRebind.cpp \
-                        LDAPRebindAuth.cpp \
-                        LDAPReferralException.cpp \
-                        LDAPReferenceList.cpp \
-                        LDAPRequest.cpp \
-                        LDAPResult.cpp \
-                        LDAPSchema.cpp \
-                        LDAPSearchReference.cpp \
-                        LDAPSearchRequest.cpp \
-                        LDAPSearchResult.cpp \
-                        LDAPSearchResults.cpp \
-                        LDAPUrl.cpp \
-                        LDAPUrlList.cpp \
-                        StringList.cpp 
+			LDAPAsynConnection.cpp \
+			LDAPAttribute.cpp \
+			LDAPAttributeList.cpp \
+			LDAPAttrType.cpp \
+			LDAPBindRequest.cpp \
+			LDAPCompareRequest.cpp \
+			LDAPConnection.cpp \
+			LDAPConstraints.cpp \
+			LDAPControl.cpp \
+			LDAPControlSet.cpp \
+			LDAPDeleteRequest.cpp \
+			LDAPEntry.cpp \
+			LDAPEntryList.cpp \
+			LDAPException.cpp \
+			LDAPExtRequest.cpp \
+			LDAPExtResult.cpp \
+			LDAPMessage.cpp \
+			LDAPMessageQueue.cpp \
+			LDAPModDNRequest.cpp \
+			LDAPModification.cpp \
+			LDAPModifyRequest.cpp \
+			LDAPModList.cpp \
+			LDAPObjClass.cpp \
+			LDAPRebind.cpp \
+			LDAPRebindAuth.cpp \
+			LDAPReferenceList.cpp \
+			LDAPRequest.cpp \
+			LDAPResult.cpp \
+			LDAPSaslBindResult.cpp \
+			LDAPSchema.cpp \
+			LDAPSearchReference.cpp \
+			LDAPSearchRequest.cpp \
+			LDAPSearchResult.cpp \
+			LDAPSearchResults.cpp \
+			LDAPUrl.cpp \
+			LDAPUrlList.cpp \
+			LdifReader.cpp \
+			LdifWriter.cpp \
+			SaslInteraction.cpp \
+			SaslInteractionHandler.cpp \
+			StringList.cpp 
 
 include_HEADERS = LDAPAsynConnection.h \
-                        LDAPAttribute.h \
-                        LDAPAttributeList.h \
-                        LDAPAttrType.h \
-                        LDAPConnection.h \
-                        LDAPConstraints.h \
-                        LDAPControl.h \
-                        LDAPControlSet.h \
-                        LDAPEntry.h \
-                        LDAPEntryList.h \
-                        LDAPException.h \
-                        LDAPExtResult.h \
-                        LDAPMessage.h \
-                        LDAPMessageQueue.h \
-                        LDAPModification.h \
-                        LDAPModList.h \
-                        LDAPObjClass.h \
-                        LDAPRebind.h \
-                        LDAPRebindAuth.h \
-                        LDAPReferralException.h \
-                        LDAPReferenceList.h \
-                        LDAPResult.h \
-                        LDAPSchema.h \
-                        LDAPSearchReference.h \
-                        LDAPSearchResult.h \
-                        LDAPSearchResults.h \
-                        LDAPUrl.h \
-                        LDAPUrlList.h \
-                        StringList.h 
+			LDAPAttribute.h \
+			LDAPAttributeList.h \
+			LDAPAttrType.h \
+			LDAPConnection.h \
+			LDAPConstraints.h \
+			LDAPControl.h \
+			LDAPControlSet.h \
+			LDAPEntry.h \
+			LDAPEntryList.h \
+			LDAPException.h \
+			LDAPExtResult.h \
+			LDAPMessage.h \
+			LDAPMessageQueue.h \
+			LDAPModification.h \
+			LDAPModList.h \
+			LDAPObjClass.h \
+			LDAPRebind.h \
+			LDAPRebindAuth.h \
+			LDAPReferenceList.h \
+			LDAPResult.h \
+			LDAPSaslBindResult.h \
+			LDAPSchema.h \
+			LDAPSearchReference.h \
+			LDAPSearchResult.h \
+			LDAPSearchResults.h \
+			LDAPUrl.h \
+			LDAPUrlList.h \
+			LdifReader.h \
+			LdifWriter.h \
+			SaslInteraction.h \
+			SaslInteractionHandler.h \
+			StringList.h 
 
 noinst_HEADERS = LDAPAddRequest.h \
                 LDAPBindRequest.h \
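Review bot: besides adding the new sources and headers, this hunk silently drops `LDAPReferralException.cpp` from `libldapcpp_la_SOURCES` and `LDAPReferralException.h` from `include_HEADERS`; that removal deserves a line in the commit message, and anything still including `LDAPReferralException.h` will no longer build or install. The re-indentation from spaces to tabs turns an eight-line addition into a diff touching every entry; keeping the whitespace change in its own commit would make the real change reviewable.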

Modified: openldap/trunk/contrib/ldapc++/src/Makefile.in
===================================================================
--- openldap/trunk/contrib/ldapc++/src/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -14,6 +14,9 @@
 
 @SET_MAKE@
 
+# $OpenLDAP: pkg/ldap/contrib/ldapc++/src/Makefile.in,v 1.9.2.7 2008/04/14 23:02:35 quanah Exp $
+
+###
 # Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT file
 
@@ -66,10 +69,11 @@
 	LDAPMessage.lo LDAPMessageQueue.lo LDAPModDNRequest.lo \
 	LDAPModification.lo LDAPModifyRequest.lo LDAPModList.lo \
 	LDAPObjClass.lo LDAPRebind.lo LDAPRebindAuth.lo \
-	LDAPReferralException.lo LDAPReferenceList.lo LDAPRequest.lo \
-	LDAPResult.lo LDAPSchema.lo LDAPSearchReference.lo \
+	LDAPReferenceList.lo LDAPRequest.lo LDAPResult.lo \
+	LDAPSaslBindResult.lo LDAPSchema.lo LDAPSearchReference.lo \
 	LDAPSearchRequest.lo LDAPSearchResult.lo LDAPSearchResults.lo \
-	LDAPUrl.lo LDAPUrlList.lo StringList.lo
+	LDAPUrl.lo LDAPUrlList.lo LdifReader.lo LdifWriter.lo \
+	SaslInteraction.lo SaslInteractionHandler.lo StringList.lo
 libldapcpp_la_OBJECTS = $(am_libldapcpp_la_OBJECTS)
 libldapcpp_la_LINK = $(LIBTOOL) --tag=CXX $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CXXLD) $(AM_CXXFLAGS) \
@@ -201,73 +205,81 @@
 top_srcdir = @top_srcdir@
 lib_LTLIBRARIES = libldapcpp.la
 libldapcpp_la_SOURCES = LDAPAddRequest.cpp \
-                        LDAPAsynConnection.cpp \
-                        LDAPAttribute.cpp \
-                        LDAPAttributeList.cpp \
-                        LDAPAttrType.cpp \
-                        LDAPBindRequest.cpp \
-                        LDAPCompareRequest.cpp \
-                        LDAPConnection.cpp \
-                        LDAPConstraints.cpp \
-                        LDAPControl.cpp \
-                        LDAPControlSet.cpp \
-                        LDAPDeleteRequest.cpp \
-                        LDAPEntry.cpp \
-                        LDAPEntryList.cpp \
-                        LDAPException.cpp \
-                        LDAPExtRequest.cpp \
-                        LDAPExtResult.cpp \
-                        LDAPMessage.cpp \
-                        LDAPMessageQueue.cpp \
-                        LDAPModDNRequest.cpp \
-                        LDAPModification.cpp \
-                        LDAPModifyRequest.cpp \
-                        LDAPModList.cpp \
-                        LDAPObjClass.cpp \
-                        LDAPRebind.cpp \
-                        LDAPRebindAuth.cpp \
-                        LDAPReferralException.cpp \
-                        LDAPReferenceList.cpp \
-                        LDAPRequest.cpp \
-                        LDAPResult.cpp \
-                        LDAPSchema.cpp \
-                        LDAPSearchReference.cpp \
-                        LDAPSearchRequest.cpp \
-                        LDAPSearchResult.cpp \
-                        LDAPSearchResults.cpp \
-                        LDAPUrl.cpp \
-                        LDAPUrlList.cpp \
-                        StringList.cpp 
+			LDAPAsynConnection.cpp \
+			LDAPAttribute.cpp \
+			LDAPAttributeList.cpp \
+			LDAPAttrType.cpp \
+			LDAPBindRequest.cpp \
+			LDAPCompareRequest.cpp \
+			LDAPConnection.cpp \
+			LDAPConstraints.cpp \
+			LDAPControl.cpp \
+			LDAPControlSet.cpp \
+			LDAPDeleteRequest.cpp \
+			LDAPEntry.cpp \
+			LDAPEntryList.cpp \
+			LDAPException.cpp \
+			LDAPExtRequest.cpp \
+			LDAPExtResult.cpp \
+			LDAPMessage.cpp \
+			LDAPMessageQueue.cpp \
+			LDAPModDNRequest.cpp \
+			LDAPModification.cpp \
+			LDAPModifyRequest.cpp \
+			LDAPModList.cpp \
+			LDAPObjClass.cpp \
+			LDAPRebind.cpp \
+			LDAPRebindAuth.cpp \
+			LDAPReferenceList.cpp \
+			LDAPRequest.cpp \
+			LDAPResult.cpp \
+			LDAPSaslBindResult.cpp \
+			LDAPSchema.cpp \
+			LDAPSearchReference.cpp \
+			LDAPSearchRequest.cpp \
+			LDAPSearchResult.cpp \
+			LDAPSearchResults.cpp \
+			LDAPUrl.cpp \
+			LDAPUrlList.cpp \
+			LdifReader.cpp \
+			LdifWriter.cpp \
+			SaslInteraction.cpp \
+			SaslInteractionHandler.cpp \
+			StringList.cpp 
 
 include_HEADERS = LDAPAsynConnection.h \
-                        LDAPAttribute.h \
-                        LDAPAttributeList.h \
-                        LDAPAttrType.h \
-                        LDAPConnection.h \
-                        LDAPConstraints.h \
-                        LDAPControl.h \
-                        LDAPControlSet.h \
-                        LDAPEntry.h \
-                        LDAPEntryList.h \
-                        LDAPException.h \
-                        LDAPExtResult.h \
-                        LDAPMessage.h \
-                        LDAPMessageQueue.h \
-                        LDAPModification.h \
-                        LDAPModList.h \
-                        LDAPObjClass.h \
-                        LDAPRebind.h \
-                        LDAPRebindAuth.h \
-                        LDAPReferralException.h \
-                        LDAPReferenceList.h \
-                        LDAPResult.h \
-                        LDAPSchema.h \
-                        LDAPSearchReference.h \
-                        LDAPSearchResult.h \
-                        LDAPSearchResults.h \
-                        LDAPUrl.h \
-                        LDAPUrlList.h \
-                        StringList.h 
+			LDAPAttribute.h \
+			LDAPAttributeList.h \
+			LDAPAttrType.h \
+			LDAPConnection.h \
+			LDAPConstraints.h \
+			LDAPControl.h \
+			LDAPControlSet.h \
+			LDAPEntry.h \
+			LDAPEntryList.h \
+			LDAPException.h \
+			LDAPExtResult.h \
+			LDAPMessage.h \
+			LDAPMessageQueue.h \
+			LDAPModification.h \
+			LDAPModList.h \
+			LDAPObjClass.h \
+			LDAPRebind.h \
+			LDAPRebindAuth.h \
+			LDAPReferenceList.h \
+			LDAPResult.h \
+			LDAPSaslBindResult.h \
+			LDAPSchema.h \
+			LDAPSearchReference.h \
+			LDAPSearchResult.h \
+			LDAPSearchResults.h \
+			LDAPUrl.h \
+			LDAPUrlList.h \
+			LdifReader.h \
+			LdifWriter.h \
+			SaslInteraction.h \
+			SaslInteractionHandler.h \
+			StringList.h 
 
 noinst_HEADERS = LDAPAddRequest.h \
                 LDAPBindRequest.h \
@@ -395,9 +407,9 @@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LDAPRebind.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LDAPRebindAuth.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LDAPReferenceList.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LDAPReferralException.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LDAPRequest.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LDAPResult.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LDAPSaslBindResult.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LDAPSchema.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LDAPSearchReference.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LDAPSearchRequest.Plo at am__quote@
@@ -405,6 +417,10 @@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LDAPSearchResults.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LDAPUrl.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LDAPUrlList.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LdifReader.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LdifWriter.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/SaslInteraction.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/SaslInteractionHandler.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/StringList.Plo at am__quote@
 
 .cpp.o:

Copied: openldap/trunk/contrib/ldapc++/src/SaslInteraction.cpp (from rev 1127, openldap/vendor/openldap-2.4.9/contrib/ldapc++/src/SaslInteraction.cpp)
===================================================================
--- openldap/trunk/contrib/ldapc++/src/SaslInteraction.cpp	                        (rev 0)
+++ openldap/trunk/contrib/ldapc++/src/SaslInteraction.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,44 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/SaslInteraction.cpp,v 1.1.2.2 2008/04/14 23:09:26 quanah Exp $
+/*
+ * Copyright 2007, OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+
+#include <SaslInteraction.h>
+#include <iostream>
+#include "debug.h"
+
+SaslInteraction::SaslInteraction( sasl_interact_t *interact ) :
+        m_interact(interact) {}
+
+SaslInteraction::~SaslInteraction()
+{
+    DEBUG(LDAP_DEBUG_TRACE, "SaslInteraction::~SaslInteraction()" << std::endl);
+}
+
+unsigned long SaslInteraction::getId() const
+{
+    return m_interact->id;
+}
+
+const std::string SaslInteraction::getPrompt() const
+{
+    return std::string(m_interact->prompt);
+}
+
+const std::string SaslInteraction::getChallenge() const
+{
+    return std::string(m_interact->challenge);
+}
+
+const std::string SaslInteraction::getDefaultResult() const
+{
+    return std::string(m_interact->defresult);
+}
+
+void SaslInteraction::setResult(const std::string &res)
+{
+    m_result = res;
+    m_interact->result = m_result.data();
+    m_interact->len = m_result.size();
+}
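Review bot: the three accessors `return std::string(m_interact->prompt);`, `return std::string(m_interact->challenge);` and `return std::string(m_interact->defresult);` build a `std::string` from a `const char*` that Cyrus SASL may leave NULL (`defresult` in particular often is); constructing `std::string` from a null pointer is undefined behaviour and crashes in practice, and the default handler calls `getDefaultResult().empty()` on every interaction. Suggest guarding each one, e.g. `return m_interact->prompt ? std::string(m_interact->prompt) : std::string();`. `setResult` is correct only while this object outlives the `sasl_interact_t` it points into, since `result` aliases `m_result.data()`; a comment stating that lifetime requirement would help.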

Copied: openldap/trunk/contrib/ldapc++/src/SaslInteraction.h (from rev 1127, openldap/vendor/openldap-2.4.9/contrib/ldapc++/src/SaslInteraction.h)
===================================================================
--- openldap/trunk/contrib/ldapc++/src/SaslInteraction.h	                        (rev 0)
+++ openldap/trunk/contrib/ldapc++/src/SaslInteraction.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,29 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/SaslInteraction.h,v 1.1.2.2 2008/04/14 23:09:26 quanah Exp $
+/*
+ * Copyright 2007, OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+
+#ifndef SASL_INTERACTION_H
+#define SASL_INTERACTION_H
+
+#include <string>
+#include <sasl/sasl.h>
+
+class SaslInteraction {
+    public:
+        SaslInteraction( sasl_interact_t *interact );
+        ~SaslInteraction();
+        unsigned long getId() const;
+        const std::string getPrompt() const;
+        const std::string getChallenge() const;
+        const std::string getDefaultResult() const;
+
+        void setResult(const std::string &res);
+
+    private:
+        sasl_interact_t *m_interact;
+        std::string m_result;
+
+};
+#endif /* SASL_INTERACTION_H */

Copied: openldap/trunk/contrib/ldapc++/src/SaslInteractionHandler.cpp (from rev 1127, openldap/vendor/openldap-2.4.9/contrib/ldapc++/src/SaslInteractionHandler.cpp)
===================================================================
--- openldap/trunk/contrib/ldapc++/src/SaslInteractionHandler.cpp	                        (rev 0)
+++ openldap/trunk/contrib/ldapc++/src/SaslInteractionHandler.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,99 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/SaslInteractionHandler.cpp,v 1.3.2.2 2008/04/14 23:09:26 quanah Exp $
+/*
+ * Copyright 2007, OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+
+#include <iostream>
+#include <iomanip>
+#include <limits>
+#include "config.h"
+
+#ifdef HAVE_TERMIOS_H
+#include <termios.h>
+#endif
+
+#include <string.h>
+#include "SaslInteractionHandler.h"
+#include "SaslInteraction.h"
+#include "debug.h"
+
+void DefaultSaslInteractionHandler::handleInteractions( 
+        const std::list<SaslInteraction*> &cb ) 
+{
+    DEBUG(LDAP_DEBUG_TRACE, "DefaultSaslInteractionHandler::handleCallbacks()" 
+            << std::endl );
+    std::list<SaslInteraction*>::const_iterator i;
+
+    for (i = cb.begin(); i != cb.end(); i++ ) {
+        bool noecho;
+
+        cleanupList.push_back(*i);
+
+        std::cout << (*i)->getPrompt();
+        if (! (*i)->getDefaultResult().empty() ) {
+            std::cout << "(" << (*i)->getDefaultResult() << ")" ;
+        }
+        std:: cout << ": ";
+
+        switch ( (*i)->getId() ) {
+            case SASL_CB_PASS:
+            case SASL_CB_ECHOPROMPT:
+                noecho = true;
+                noecho = true;
+            break;
+            default:
+                noecho = false;
+            break;
+        }
+#ifdef HAVE_TERMIOS_H
+        /* turn off terminal echo if needed */
+        struct termios old_attr;
+        if ( noecho ) {
+            struct termios attr;
+            if (tcgetattr(STDIN_FILENO, &attr) < 0) {
+                perror("tcgetattr");
+            }
+
+            /* save terminal attributes */
+            memcpy(&old_attr, &attr, sizeof(attr));
+
+            /* disable echo */
+            attr.c_lflag &= ~(ECHO);
+
+            /* write attributes to terminal */
+            if (tcsetattr(STDIN_FILENO, TCSAFLUSH, &attr) < 0) {
+                perror("tcsetattr");
+            }
+        }
+#endif /* HAVE_TERMIOS_H */
+        std::string input;
+        std::cin >> std::noskipws >> input;
+        std::cin >> std::skipws;
+        (*i)->setResult(input);
+        if( std::cin.fail() ) {
+            std::cin.clear();
+        }
+        /* ignore the rest of the input line */
+        std::cin.ignore(std::numeric_limits<std::streamsize>::max(), '\n');
+
+#ifdef HAVE_TERMIOS_H
+        /* restore terminal settings */
+        if ( noecho ) {
+            tcsetattr(STDIN_FILENO, TCSANOW, &old_attr);
+            std::cout << std::endl;
+        }
+#endif /* HAVE_TERMIOS_H */
+    }
+}
+
+DefaultSaslInteractionHandler::~DefaultSaslInteractionHandler()
+{
+    DEBUG(LDAP_DEBUG_TRACE, "DefaultSaslInteractionHandler::~DefaultSaslInteractionHandler()"
+            << std::endl );
+
+    std::list<SaslInteraction*>::const_iterator i;
+    for (i = cleanupList.begin(); i != cleanupList.end(); i++ ) {
+        delete(*i);
+    }
+}
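Review bot: the `switch ( (*i)->getId() )` disables terminal echo for `SASL_CB_PASS` and `SASL_CB_ECHOPROMPT`, but in `sasl.h` `SASL_CB_ECHOPROMPT` is the prompt whose answer may be echoed and `SASL_CB_NOECHOPROMPT` the one that must not be; as written a NOECHOPROMPT secret falls into `default:` and is echoed to the terminal while a harmless ECHOPROMPT answer is hidden. The two cases should be `SASL_CB_PASS` and `SASL_CB_NOECHOPROMPT`, and the duplicated `noecho = true;` line dropped. Further: `STDIN_FILENO` and `perror` are used without `<unistd.h>` and `<cstdio>`; when `tcgetattr` fails, `old_attr` is copied from an uninitialised `attr` and written back later with `tcsetattr`, so that branch should skip the echo handling instead of only printing; and `std::cin >> std::noskipws >> input;` stops at the first whitespace, so a passphrase containing a space is silently truncated (`std::getline` would read the whole line and make the trailing `ignore` unnecessary). The trace string `"DefaultSaslInteractionHandler::handleCallbacks()"` does not match the function name.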

Copied: openldap/trunk/contrib/ldapc++/src/SaslInteractionHandler.h (from rev 1127, openldap/vendor/openldap-2.4.9/contrib/ldapc++/src/SaslInteractionHandler.h)
===================================================================
--- openldap/trunk/contrib/ldapc++/src/SaslInteractionHandler.h	                        (rev 0)
+++ openldap/trunk/contrib/ldapc++/src/SaslInteractionHandler.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,27 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/SaslInteractionHandler.h,v 1.1.2.2 2008/04/14 23:09:26 quanah Exp $
+/*
+ * Copyright 2007, OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+
+#ifndef SASL_INTERACTION_HANDLER_H
+#define SASL_INTERACTION_HANDLER_H
+#include <list>
+
+class SaslInteraction;
+
+class SaslInteractionHandler {
+    public:
+        virtual void handleInteractions( const std::list<SaslInteraction*> &cb )=0;
+        virtual ~SaslInteractionHandler() {}
+};
+
+class DefaultSaslInteractionHandler {
+    public:
+        virtual void handleInteractions( const std::list<SaslInteraction*> &cb );
+        virtual ~DefaultSaslInteractionHandler();
+
+    private:
+        std::list<SaslInteraction*> cleanupList;
+};
+#endif /* SASL_INTERACTION_HANDLER_H */
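Review bot: `class DefaultSaslInteractionHandler {` does not derive from `SaslInteractionHandler`, so it cannot be passed where the abstract interface is expected and its `handleInteractions` overrides nothing; it should read `class DefaultSaslInteractionHandler : public SaslInteractionHandler {`. Since the handler stores every `SaslInteraction*` it receives in `cleanupList` and deletes them in its destructor, that transfer of ownership should be documented on `handleInteractions`.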

Modified: openldap/trunk/contrib/ldapc++/src/StringList.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/StringList.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/StringList.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,6 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/StringList.cpp,v 1.6.6.2 2008/04/14 23:09:26 quanah Exp $
 /*
- * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
+ * Copyright 2000-2007, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
  */
 

Modified: openldap/trunk/contrib/ldapc++/src/StringList.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/StringList.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/StringList.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/StringList.h,v 1.7.6.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/ac/time.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/ac/time.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/ac/time.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 /* Generic time.h */
-/* $OpenLDAP: pkg/ldap/contrib/ldapc++/src/ac/time.h,v 1.7.2.3 2007/10/02 02:24:57 ralf Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/ldapc++/src/ac/time.h,v 1.7.2.4 2008/02/11 23:26:38 kurt Exp $ */
 /*
- * Copyright 1998-2007 The OpenLDAP Foundation, Redwood City, California, USA
+ * Copyright 1998-2008 The OpenLDAP Foundation, Redwood City, California, USA
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms are permitted only

Modified: openldap/trunk/contrib/ldapc++/src/config.h.in
===================================================================
--- openldap/trunk/contrib/ldapc++/src/config.h.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/config.h.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -6,6 +6,9 @@
 /* Define to 1 if you have the <inttypes.h> header file. */
 #undef HAVE_INTTYPES_H
 
+/* Define to 1 if you have the <ldap.h> header file. */
+#undef HAVE_LDAP_H
+
 /* Define to 1 if you have the `resolv' library (-lresolv). */
 #undef HAVE_LIBRESOLV
 
@@ -30,6 +33,9 @@
 /* Define to 1 if you have the <sys/types.h> header file. */
 #undef HAVE_SYS_TYPES_H
 
+/* Define to 1 if you have the <termios.h> header file. */
+#undef HAVE_TERMIOS_H
+
 /* Define to 1 if you have the <unistd.h> header file. */
 #undef HAVE_UNISTD_H
 

Modified: openldap/trunk/contrib/ldapc++/src/debug.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/debug.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/debug.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/debug.h,v 1.5.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/slapd-modules/acl/README
===================================================================
--- openldap/trunk/contrib/slapd-modules/acl/README	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/acl/README	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-Copyright 2005-2007 The OpenLDAP Foundation. All rights reserved.
+Copyright 2005-2008 The OpenLDAP Foundation. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted only as authorized by the OpenLDAP

Modified: openldap/trunk/contrib/slapd-modules/acl/posixgroup.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/acl/posixgroup.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/acl/posixgroup.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/acl/posixgroup.c,v 1.3.2.3 2007/08/31 23:13:51 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/acl/posixgroup.c,v 1.3.2.4 2008/02/11 23:26:38 kurt Exp $ */
 /*
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/slapd-modules/allop/README
===================================================================
--- openldap/trunk/contrib/slapd-modules/allop/README	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/allop/README	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-Copyright 2004-2007 The OpenLDAP Foundation. All rights reserved.
+Copyright 2004-2008 The OpenLDAP Foundation. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted only as authorized by the OpenLDAP

Modified: openldap/trunk/contrib/slapd-modules/allop/allop.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/allop/allop.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/allop/allop.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* allop.c - returns all operational attributes when appropriate */
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/allop/allop.c,v 1.3.2.2 2007/08/31 23:13:51 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/allop/allop.c,v 1.3.2.3 2008/02/11 23:26:38 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2005-2007 The OpenLDAP Foundation.
+ * Copyright 2005-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/slapd-modules/allop/slapo-allop.5
===================================================================
--- openldap/trunk/contrib/slapd-modules/allop/slapo-allop.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/allop/slapo-allop.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 .TH SLAPO-ALLOP 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 2005-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2005-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/contrib/slapd-modules/allop/slapo-allop.5,v 1.2.2.2 2007/08/31 23:13:51 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/contrib/slapd-modules/allop/slapo-allop.5,v 1.2.2.3 2008/02/11 23:26:38 kurt Exp $
 .SH NAME
 slapo-allop \- All Operational Attributes overlay
 .SH SYNOPSIS

Copied: openldap/trunk/contrib/slapd-modules/autogroup (from rev 1127, openldap/vendor/openldap-2.4.9/contrib/slapd-modules/autogroup)

Modified: openldap/trunk/contrib/slapd-modules/comp_match/Makefile
===================================================================
--- openldap/trunk/contrib/slapd-modules/comp_match/Makefile	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/comp_match/Makefile	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/contrib/slapd-modules/comp_match/Makefile,v 1.11.2.2 2007/08/31 23:13:51 quanah Exp $
+# $OpenLDAP: pkg/ldap/contrib/slapd-modules/comp_match/Makefile,v 1.11.2.3 2008/02/11 23:26:38 kurt Exp $
 # This work is part of OpenLDAP Software <http://www.openldap.org/>.
 #
-# Copyright 2003-2007 The OpenLDAP Foundation.
+# Copyright 2003-2008 The OpenLDAP Foundation.
 # Portions Copyright 2004 by IBM Corporation.
 # All rights reserved.
 

Modified: openldap/trunk/contrib/slapd-modules/denyop/denyop.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/denyop/denyop.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/denyop/denyop.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* denyop.c - Denies operations */
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/denyop/denyop.c,v 1.2.2.2 2007/08/31 23:13:51 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/denyop/denyop.c,v 1.2.2.3 2008/02/11 23:26:38 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2004-2007 The OpenLDAP Foundation.
+ * Copyright 2004-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/slapd-modules/dsaschema/README
===================================================================
--- openldap/trunk/contrib/slapd-modules/dsaschema/README	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/dsaschema/README	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-Copyright 2004-2007 The OpenLDAP Foundation. All rights reserved.
+Copyright 2004-2008 The OpenLDAP Foundation. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted only as authorized by the OpenLDAP

Modified: openldap/trunk/contrib/slapd-modules/dsaschema/dsaschema.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/dsaschema/dsaschema.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/dsaschema/dsaschema.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/dsaschema/dsaschema.c,v 1.5.2.2 2007/08/31 23:13:51 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/dsaschema/dsaschema.c,v 1.5.2.3 2008/02/11 23:26:38 kurt Exp $ */
 /*
- * Copyright 2004-2007 The OpenLDAP Foundation.
+ * Copyright 2004-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/slapd-modules/lastmod/lastmod.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/lastmod/lastmod.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/lastmod/lastmod.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* lastmod.c - returns last modification info */
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/lastmod/lastmod.c,v 1.2.2.2 2007/08/31 23:13:51 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/lastmod/lastmod.c,v 1.2.2.3 2008/02/11 23:26:38 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2004-2007 The OpenLDAP Foundation.
+ * Copyright 2004-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/slapd-modules/lastmod/slapo-lastmod.5
===================================================================
--- openldap/trunk/contrib/slapd-modules/lastmod/slapo-lastmod.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/lastmod/slapo-lastmod.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-.\" Copyright 2004-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2004-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .TH SLAPO_LASTMOD 5 "RELEASEDATE" "OpenLDAP LDVERSION"
 .SH NAME

Modified: openldap/trunk/contrib/slapd-modules/passwd/README
===================================================================
--- openldap/trunk/contrib/slapd-modules/passwd/README	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/passwd/README	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-Copyright 2004-2007 The OpenLDAP Foundation. All rights reserved.
+Copyright 2004-2008 The OpenLDAP Foundation. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted only as authorized by the OpenLDAP

Modified: openldap/trunk/contrib/slapd-modules/passwd/kerberos.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/passwd/kerberos.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/passwd/kerberos.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/passwd/kerberos.c,v 1.5.2.2 2007/08/31 23:13:52 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/passwd/kerberos.c,v 1.5.2.3 2008/02/11 23:26:38 kurt Exp $ */
 /*
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/slapd-modules/passwd/netscape.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/passwd/netscape.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/passwd/netscape.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/passwd/netscape.c,v 1.5.2.2 2007/08/31 23:13:52 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/passwd/netscape.c,v 1.5.2.3 2008/02/11 23:26:38 kurt Exp $ */
 /*
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/slapd-modules/passwd/radius.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/passwd/radius.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/passwd/radius.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/passwd/radius.c,v 1.2.2.3 2007/08/31 23:13:52 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/passwd/radius.c,v 1.2.2.4 2008/02/11 23:26:38 kurt Exp $ */
 /*
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/smbk5pwd/smbk5pwd.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/smbk5pwd/smbk5pwd.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
 /* smbk5pwd.c - Overlay for managing Samba and Heimdal passwords */
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/smbk5pwd/smbk5pwd.c,v 1.17.2.5 2007/10/09 00:18:47 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/smbk5pwd/smbk5pwd.c,v 1.17.2.10 2008/04/14 21:58:37 quanah Exp $ */
 /*
  * Copyright 2004-2005 by Howard Chu, Symas Corp.
  * All rights reserved.
@@ -91,8 +91,8 @@
 #ifdef DO_SAMBA
 	/* How many seconds before forcing a password change? */
 	time_t	smb_must_change;
-        /* How many seconds after allowing a password change? */
-        time_t  smb_can_change;
+	/* How many seconds after allowing a password change? */
+	time_t  smb_can_change;
 #endif
 } smbk5pwd_t;
 
@@ -215,7 +215,7 @@
 
 	/* clear out the current key */
 	ldap_pvt_thread_pool_setkey( op->o_threadctx, smbk5pwd_op_cleanup,
-		NULL, NULL );
+		NULL, 0, NULL, NULL );
 
 	/* free the callback */
 	cb = op->o_callback;
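Review bot: the ldap_pvt_thread_pool_setkey call now takes six arguments (`NULL, 0, NULL, NULL` after the key) instead of four, and there is no version guard around it, so this module will only compile against libldap_r headers that declare the newer prototype; that matches the 2.4.9 sources this tree is copied from, but a build against older 2.4.x headers fails here. Ignoring the return value is acceptable for a clear-out in a cleanup path.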
@@ -234,8 +234,8 @@
 	 */
 	if ( op->oq_bind.rb_method == LDAP_AUTH_SIMPLE ) {
 		slap_callback *cb;
-		ldap_pvt_thread_pool_setkey( op->o_threadctx, smbk5pwd_op_cleanup, op,
-			NULL );
+		ldap_pvt_thread_pool_setkey( op->o_threadctx,
+			smbk5pwd_op_cleanup, op, 0, NULL, NULL );
 		cb = op->o_tmpcalloc( 1, sizeof(slap_callback), op->o_tmpmemctx );
 		cb->sc_cleanup = smbk5pwd_op_cleanup;
 		cb->sc_next = op->o_callback;
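Review bot: the return of ldap_pvt_thread_pool_setkey is still unchecked after the signature update. If the key cannot be stored, the later getkey in the password-check function finds no Operation and returns LUTIL_PASSWD_ERR, so the failure mode is fail-closed (the bind is denied) rather than a crash; a one-line comment here saying that this is relied upon would keep a future change from silently breaking it.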
@@ -268,7 +268,7 @@
 	const struct berval *cred,
 	const char **text )
 {
-	void *ctx;
+	void *ctx, *op_tmp;
 	Operation *op;
 	int rc;
 	Entry *e;
@@ -281,9 +281,10 @@
 	/* Find our thread context, find our Operation */
 	ctx = ldap_pvt_thread_pool_context();
 
-	if ( ldap_pvt_thread_pool_getkey( ctx, smbk5pwd_op_cleanup, (void **)&op, NULL ) ||
-		!op )
+	if ( ldap_pvt_thread_pool_getkey( ctx, smbk5pwd_op_cleanup, &op_tmp, NULL )
+		 || !op_tmp )
 		return LUTIL_PASSWD_ERR;
+	op = op_tmp;
 
 	rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
 	if ( rc != LDAP_SUCCESS ) return LUTIL_PASSWD_ERR;
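Review bot: passing `&op_tmp`, a genuine `void **`, instead of casting `(void **)&op` removes the type punning of an `Operation **` as `void **`, which is undefined behaviour under strict aliasing; the explicit `op = op_tmp;` placed after the NULL check keeps the fail-closed return of LUTIL_PASSWD_ERR when no Operation is associated with the current thread. Good fix as written.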
@@ -532,9 +533,9 @@
 		qpw->rs_mods = ml;
 
 		keys = ch_malloc( 2 * sizeof(struct berval) );
-		keys[0].bv_val = ch_malloc( STRLENOF( "9223372036854775807L" ) + 1 );
+		keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) );
 		keys[0].bv_len = snprintf(keys[0].bv_val,
-			STRLENOF( "9223372036854775807L" ) + 1,
+			LDAP_PVT_INTTYPE_CHARS(long),
 			"%ld", slap_get_time());
 		BER_BVZERO( &keys[1] );
 		
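Review bot: sizing the buffer with LDAP_PVT_INTTYPE_CHARS(long) ties the allocation to the real width of `long` instead of a hard-coded 64-bit literal, and the same macro is used as the snprintf bound so the two cannot drift apart. Two points remain: slap_get_time() returns a time_t but is printed with "%ld" without a cast, which is a format mismatch (and an undersized buffer) on platforms where time_t is not `long`, so suggest `"%ld", (long) slap_get_time()`; and bv_len is taken from snprintf's return value, which would exceed the buffer if truncation ever occurred, so the sizing macro must stay authoritative for the format used.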
@@ -554,9 +555,9 @@
 			qpw->rs_mods = ml;
 
 			keys = ch_malloc( 2 * sizeof(struct berval) );
-			keys[0].bv_val = ch_malloc( STRLENOF( "9223372036854775807L" ) + 1 );
+			keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) );
 			keys[0].bv_len = snprintf(keys[0].bv_val,
-					STRLENOF( "9223372036854775807L" ) + 1,
+					LDAP_PVT_INTTYPE_CHARS(long),
 					"%ld", slap_get_time() + pi->smb_must_change);
 			BER_BVZERO( &keys[1] );
 
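Review bot: this is the second of three nearly identical blocks (sambaPwdLastSet, sambaPwdMustChange, sambaPwdCanChange) that each allocate a two-element berval array, format a time with "%ld", and fill in a Modifications entry; a small helper taking the AttributeDescription and the time value would let the buffer-size and format fix-ups be applied once. The same "%ld" versus time_t point applies to `slap_get_time() + pi->smb_must_change`, since smb_must_change is declared time_t above.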
@@ -570,28 +571,28 @@
 			ml->sml_nvalues = NULL;
 		}
 
-                if (pi->smb_can_change)
-                {
-                        ml = ch_malloc(sizeof(Modifications));
-                        ml->sml_next = qpw->rs_mods;
-                        qpw->rs_mods = ml;
+		if (pi->smb_can_change)
+		{
+			ml = ch_malloc(sizeof(Modifications));
+			ml->sml_next = qpw->rs_mods;
+			qpw->rs_mods = ml;
 
-                        keys = ch_malloc( 2 * sizeof(struct berval) );
-                        keys[0].bv_val = ch_malloc( STRLENOF( "9223372036854775807L" ) + 1 );
-                        keys[0].bv_len = snprintf(keys[0].bv_val,
-                                        STRLENOF( "9223372036854775807L" ) + 1,
-                                        "%ld", slap_get_time() + pi->smb_can_change);
-                        BER_BVZERO( &keys[1] );
+			keys = ch_malloc( 2 * sizeof(struct berval) );
+			keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) );
+			keys[0].bv_len = snprintf(keys[0].bv_val,
+					LDAP_PVT_INTTYPE_CHARS(long),
+					"%ld", slap_get_time() + pi->smb_can_change);
+			BER_BVZERO( &keys[1] );
 
-                        ml->sml_desc = ad_sambaPwdCanChange;
-                        ml->sml_op = LDAP_MOD_REPLACE;
+			ml->sml_desc = ad_sambaPwdCanChange;
+			ml->sml_op = LDAP_MOD_REPLACE;
 #ifdef SLAP_MOD_INTERNAL
-                        ml->sml_flags = SLAP_MOD_INTERNAL;
+			ml->sml_flags = SLAP_MOD_INTERNAL;
 #endif
-						ml->sml_numvals = 1;
-                        ml->sml_values = keys;
-                        ml->sml_nvalues = NULL;
-                }
+			ml->sml_numvals = 1;
+			ml->sml_values = keys;
+			ml->sml_nvalues = NULL;
+		}
 	}
 #endif /* DO_SAMBA */
 	be_entry_release_r( op, e );
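Review bot: the only functional change in this hunk is the LDAP_PVT_INTTYPE_CHARS(long) substitution; the rest is a spaces-to-tabs reindent of the can-change block, which makes the real change harder to pick out. One pre-existing issue the reindent exposes: `ml = ch_malloc(sizeof(Modifications))` does not zero the struct, and `ml->sml_flags` is only assigned when SLAP_MOD_INTERNAL is defined, so in a build without it sml_flags (and any other member not assigned in this block) holds uninitialized memory. Suggest `ml = ch_calloc( 1, sizeof(Modifications) );` in all three blocks.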
@@ -625,11 +626,11 @@
 		"( OLcfgCtAt:1.2 NAME 'olcSmbK5PwdMustChange' "
 		"DESC 'Credentials validity interval' "
 		"SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
-        { "smbk5pwd-can-change", "time",
-                2, 2, 0, ARG_MAGIC|ARG_INT|PC_SMB_CAN_CHANGE, smbk5pwd_cf_func,
-                "( OLcfgCtAt:1.3 NAME 'olcSmbK5PwdCanChange' "
-                "DESC 'Credentials minimum validity interval' "
-                "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
+	{ "smbk5pwd-can-change", "time",
+		2, 2, 0, ARG_MAGIC|ARG_INT|PC_SMB_CAN_CHANGE, smbk5pwd_cf_func,
+		"( OLcfgCtAt:1.3 NAME 'olcSmbK5PwdCanChange' "
+		"DESC 'Credentials minimum validity interval' "
+		"SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
 
 	{ NULL, NULL, 0, 0, 0, ARG_IGNORED }
 };
@@ -676,13 +677,13 @@
 #endif /* ! DO_SAMBA */
 			break;
 
-                case PC_SMB_CAN_CHANGE:
+		case PC_SMB_CAN_CHANGE:
 #ifdef DO_SAMBA
-                        c->value_int = pi->smb_can_change;
+			c->value_int = pi->smb_can_change;
 #else /* ! DO_SAMBA */
-                        c->value_int = 0;
+			c->value_int = 0;
 #endif /* ! DO_SAMBA */
-                        break;
+			break;
 
 		case PC_SMB_ENABLE:
 			c->rvalue_vals = NULL;
@@ -843,7 +844,7 @@
 		{ "sambaNTPassword",		&ad_sambaNTPassword },
 		{ "sambaPwdLastSet",		&ad_sambaPwdLastSet },
 		{ "sambaPwdMustChange",		&ad_sambaPwdMustChange },
-                { "sambaPwdCanChange",          &ad_sambaPwdCanChange },
+		{ "sambaPwdCanChange",		&ad_sambaPwdCanChange },
 		{ NULL }
 	},
 #endif /* DO_SAMBA */

Modified: openldap/trunk/contrib/slapd-modules/trace/trace.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/trace/trace.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/trace/trace.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* trace.c - traces overlay invocation */
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/trace/trace.c,v 1.2.2.2 2007/08/31 23:13:52 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/trace/trace.c,v 1.2.2.3 2008/02/11 23:26:38 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2006-2007 The OpenLDAP Foundation.
+ * Copyright 2006-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/slapd-tools/README
===================================================================
--- openldap/trunk/contrib/slapd-tools/README	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-tools/README	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-Copyright 2004-2007 The OpenLDAP Foundation. All rights reserved.
+Copyright 2004-2008 The OpenLDAP Foundation. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted only as authorized by the OpenLDAP

Modified: openldap/trunk/contrib/slapi-plugins/addrdnvalues/README
===================================================================
--- openldap/trunk/contrib/slapi-plugins/addrdnvalues/README	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapi-plugins/addrdnvalues/README	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-Copyright 2003-2007 The OpenLDAP Foundation. All rights reserved.
+Copyright 2003-2008 The OpenLDAP Foundation. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted only as authorized by the OpenLDAP

Modified: openldap/trunk/debian/changelog
===================================================================
--- openldap/trunk/debian/changelog	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/debian/changelog	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-openldap2.3 (2.4.7-7) UNRELEASED; urgency=low
+openldap2.3 (2.4.9-1) unstable; urgency=low
 
   [ Updated debconf translations ]
   * French, thanks to Christian Perrier <bubulle at debian.org>.
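Review bot: the header moves from 2.4.7-7 UNRELEASED to 2.4.9-1 unstable, but the visible entries in this block are debconf translation updates only; an entry recording the new upstream release (2.4.9) and the contrib pieces this revision copies in (the autogroup module and access-control.sdf) would document what actually changed in the package. The UNRELEASED marker shows 2.4.7-7 never shipped, so folding it into 2.4.9-1 is fine.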
@@ -13,7 +13,7 @@
   * Galician, thanks to Jacobo Tarrio <jtarrio at trasno.net>.  Closes: #480218.
   * Japanese, thanks to Kenshi Muto <kmuto at debian.org>.  Closes: #480247.
 
- -- Steve Langasek <vorlon at debian.org>  Thu, 28 Feb 2008 22:32:44 -0800
+ -- Matthijs Mohlmann <matthijs at cacholong.nl>  Sun, 25 May 2008 11:58:39 +0200
 
 openldap2.3 (2.4.7-6) unstable; urgency=low
 

Modified: openldap/trunk/debian/rules
===================================================================
--- openldap/trunk/debian/rules	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/debian/rules	2008-05-25 14:29:31 UTC (rev 1128)
@@ -41,7 +41,7 @@
 
 # These variables are used only by get-orig-source, which will normally only
 # be run by maintainers.
-VERSION = 2.4.7
+VERSION = 2.4.9
 URL     = http://www.openldap.org/software/download/OpenLDAP/openldap-release/
 
 # Download the upstream source and make changes as required for DFSG reasons.

Modified: openldap/trunk/doc/Makefile.in
===================================================================
--- openldap/trunk/doc/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 ## doc Makefile.in for OpenLDAP
-# $OpenLDAP: pkg/ldap/doc/Makefile.in,v 1.11.2.2 2007/08/31 23:13:52 quanah Exp $
+# $OpenLDAP: pkg/ldap/doc/Makefile.in,v 1.11.2.3 2008/02/11 23:26:39 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/doc/devel/args
===================================================================
--- openldap/trunk/doc/devel/args	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/devel/args	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 Tools           ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
 ldapcompare      * DE**HI*K M*OPQR  UVWXYZ   de *h**k *nop*    vwxyz
-ldapdelete       *CDE**HI*K M*OPQR  UVWXYZ  cdef*h**k *nop*    vwxy
+ldapdelete       *CDE**HI*K M*OPQR  UVWXYZ  cdef*h**k *nop*    vwxyz
 ldapmodify       *CDE**HI*K M*OPQRS UVWXYZabcde *h**k *nop*r t vwxy
 ldapmodrdn       *CDE**HI*K M*OPQR  UVWXYZ  cdef*h**k *nop*rs  vwxy
 ldappasswd      A*CDE**HI*   *O QRS UVWXYZa  def*h**  * o * s  vwxy  
@@ -56,4 +56,4 @@
 
 
 ---
-$OpenLDAP: pkg/ldap/doc/devel/args,v 1.29.2.2 2007/08/31 23:13:52 quanah Exp $
+$OpenLDAP: pkg/ldap/doc/devel/args,v 1.29.2.3 2008/02/09 00:53:37 quanah Exp $

Modified: openldap/trunk/doc/guide/COPYRIGHT
===================================================================
--- openldap/trunk/doc/guide/COPYRIGHT	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/COPYRIGHT	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-Copyright 1998-2007 The OpenLDAP Foundation
+Copyright 1998-2008 The OpenLDAP Foundation
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
@@ -12,11 +12,11 @@
 OpenLDAP is a registered trademark of the OpenLDAP Foundation.
 
 Individual files and/or contributed packages may be copyright by
-other parties and subject to additional restrictions.
+other parties and/or subject to additional restrictions.
 
 This work is derived from the University of Michigan LDAP v3.3
 distribution.  Information concerning this software is available
-at <http://www.umich.edu/~dirsvcs/ldap/>.
+at <http://www.umich.edu/~dirsvcs/ldap/ldap.html>.
 
 This work also contains materials derived from public sources.
 
@@ -25,9 +25,9 @@
 
 ---
 
-Portions Copyright 1998-2005 Kurt D. Zeilenga.
-Portions Copyright 1998-2005 Net Boolean Incorporated.
-Portions Copyright 2001-2005 IBM Corporation.
+Portions Copyright 1998-2006 Kurt D. Zeilenga.
+Portions Copyright 1998-2006 Net Boolean Incorporated.
+Portions Copyright 2001-2006 IBM Corporation.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
@@ -39,8 +39,8 @@
 Portions Copyright 1999-2007 Howard Y.H. Chu.
 Portions Copyright 1999-2007 Symas Corporation.
 Portions Copyright 1998-2003 Hallvard B. Furuseth.
-Portions Copyright 2007 Gavin Henry
-Portions Copyright 2007 Suretec Systems
+Portions Copyright 2007-2008 Gavin Henry
+Portions Copyright 2007-2008 Suretec Systems Limited.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/doc/guide/admin/Makefile
===================================================================
--- openldap/trunk/doc/guide/admin/Makefile	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/Makefile	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 ## Makefile for OpenLDAP Administrator's Guide
-# $OpenLDAP: pkg/openldap-guide/admin/Makefile,v 1.5.2.6 2007/11/29 22:51:25 quanah Exp $
+# $OpenLDAP: pkg/openldap-guide/admin/Makefile,v 1.5.2.9 2008/04/14 20:43:48 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 2005-2007 The OpenLDAP Foundation.
+## Copyright 2005-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -21,6 +21,7 @@
 	../plain.sdf \
 	../preamble.sdf \
 	abstract.sdf \
+	access-control.sdf \
 	appendix-changes.sdf \
 	appendix-common-errors.sdf \
 	appendix-configs.sdf \
@@ -61,11 +62,14 @@
 	config_dit.png \
 	config_local.png \
 	config_ref.png \
-	config_repl.gif \
+	config_repl.png \
 	dual_dc.png \
 	intro_dctree.png \
 	intro_tree.png \
-	refint.png 
+	refint.png \
+	set-following-references.png \
+	set-memberUid.png \
+	set-recursivegroup.png 
 
 guide.html: guide.sdf sdf-src sdf-img
 	sdf -2html guide.sdf
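Review bot: config_repl.gif is renamed to config_repl.png in the image list and three new set-*.png images are added; each of these must exist in the images source directory or the `sdf-img` dependency fails. Minor: the last entry `set-recursivegroup.png ` keeps a trailing space (as `refint.png ` did before); harmless in make, but worth trimming while the line is being touched.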

Modified: openldap/trunk/doc/guide/admin/README.spellcheck
===================================================================
--- openldap/trunk/doc/guide/admin/README.spellcheck	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/README.spellcheck	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/README.spellcheck,v 1.2.2.2 2007/10/23 19:06:09 quanah Exp $
-# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/README.spellcheck,v 1.2.2.3 2008/02/11 23:26:39 kurt Exp $
+# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 #
 # README.spellcheck 

Modified: openldap/trunk/doc/guide/admin/abstract.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/abstract.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/abstract.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/abstract.sdf,v 1.7.2.4 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/abstract.sdf,v 1.7.2.5 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 # 
 # OpenLDAP Administrator's Guide: Abstract

Copied: openldap/trunk/doc/guide/admin/access-control.sdf (from rev 1127, openldap/vendor/openldap-2.4.9/doc/guide/admin/access-control.sdf)
===================================================================
--- openldap/trunk/doc/guide/admin/access-control.sdf	                        (rev 0)
+++ openldap/trunk/doc/guide/admin/access-control.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,1539 @@
+# $OpenLDAP: pkg/openldap-guide/admin/access-control.sdf,v 1.3.2.1 2008/04/14 20:35:10 quanah Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
+# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
+
+H1: Access Control
+
+H2: Introduction
+
+As the directory gets populated with more and more data of varying sensitivity, 
+controlling the kinds of access granted to the directory becomes more and more
+critical. For instance, the directory may contain data of a confidential nature 
+that you may need to protect by contract or by law. Or, if using the directory 
+to control access to other services, inappropriate access to the directory may 
+create avenues of attack to your sites security that result in devastating 
+damage to your assets.
+
+Access to your directory can be configured via two methods, the first using
+{{SECT:The slapd Configuration File}} and the second using the {{slapd-config}}(5) 
+format ({{SECT:Configuring slapd}}).
+
+The default access control policy is allow read by all clients. Regardless of 
+what access control policy is defined, the {{rootdn}} is always allowed full 
+rights (i.e. auth, search, compare, read and write) on everything and anything.
+
+As a consequence, it's useless (and results in a performance penalty) to explicitly 
+list the {{rootdn}} among the {{<by>}} clauses.
+
+The following sections will describe Access Control Lists in more details and 
+follow with some examples and recommendations. 
+
+H2: Access Control via Static Configuration
+
+Access to entries and attributes is controlled by the
+access configuration file directive. The general form of an
+access line is:
+
+>    <access directive> ::= access to <what>
+>        [by <who> [<access>] [<control>] ]+
+>    <what> ::= * |
+>        [dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
+>        [filter=<ldapfilter>] [attrs=<attrlist>]
+>    <basic-style> ::= regex | exact
+>    <scope-style> ::= base | one | subtree | children
+>    <attrlist> ::= <attr> [val[.<basic-style>]=<regex>] | <attr> , <attrlist>
+>    <attr> ::= <attrname> | entry | children
+>    <who> ::= * | [anonymous | users | self
+>            | dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>] 
+>        [dnattr=<attrname>]
+>        [group[/<objectclass>[/<attrname>][.<basic-style>]]=<regex>]
+>        [peername[.<basic-style>]=<regex>]
+>        [sockname[.<basic-style>]=<regex>]
+>        [domain[.<basic-style>]=<regex>]
+>        [sockurl[.<basic-style>]=<regex>]
+>        [set=<setspec>]
+>        [aci=<attrname>]
+>    <access> ::= [self]{<level>|<priv>}
+>    <level> ::= none | disclose | auth | compare | search | read | write | manage
+>    <priv> ::= {=|+|-}{m|w|r|s|c|x|d|0}+
+>    <control> ::= [stop | continue | break]
+
+where the <what> part selects the entries and/or attributes to which
+the access applies, the {{EX:<who>}} part specifies which entities
+are granted access, and the {{EX:<access>}} part specifies the
+access granted. Multiple {{EX:<who> <access> <control>}} triplets
+are supported, allowing many entities to be granted different access
+to the same set of entries and attributes. Not all of these access
+control options are described here; for more details see the
+{{slapd.access}}(5) man page.
+
+
+H3: What to control access to
+
+The <what> part of an access specification determines the entries
+and attributes to which the access control applies.  Entries are
+commonly selected in two ways: by DN and by filter.  The following
+qualifiers select entries by DN:
+
+>    to *
+>    to dn[.<basic-style>]=<regex>
+>    to dn.<scope-style>=<DN>
+
+The first form is used to select all entries.  The second form may
+be used to select entries by matching a regular expression against
+the target entry's {{normalized DN}}.   (The second form is not
+discussed further in this document.)  The third form is used to
+select entries which are within the requested scope of DN.  The
+<DN> is a string representation of the Distinguished Name, as
+described in {{REF:RFC4514}}.
+
+The scope can be either {{EX:base}}, {{EX:one}}, {{EX:subtree}},
+or {{EX:children}}.  Where {{EX:base}} matches only the entry with
+provided DN, {{EX:one}} matches the entries whose parent is the
+provided DN, {{EX:subtree}} matches all entries in the subtree whose
+root is the provided DN, and {{EX:children}} matches all entries
+under the DN (but not the entry named by the DN).
+
+For example, if the directory contained entries named:
+
+>    0: o=suffix
+>    1: cn=Manager,o=suffix
+>    2: ou=people,o=suffix
+>    3: uid=kdz,ou=people,o=suffix
+>    4: cn=addresses,uid=kdz,ou=people,o=suffix
+>    5: uid=hyc,ou=people,o=suffix
+
+\Then:
+. {{EX:dn.base="ou=people,o=suffix"}} match 2;
+. {{EX:dn.one="ou=people,o=suffix"}} match 3, and 5;
+. {{EX:dn.subtree="ou=people,o=suffix"}} match 2, 3, 4, and 5; and
+. {{EX:dn.children="ou=people,o=suffix"}} match 3, 4, and 5.
+
+
+Entries may also be selected using a filter:
+
+>    to filter=<ldap filter>
+
+where <ldap filter> is a string representation of an LDAP
+search filter, as described in {{REF:RFC4515}}.  For example:
+
+>    to filter=(objectClass=person)
+
+Note that entries may be selected by both DN and filter by
+including both qualifiers in the <what> clause.
+
+>    to dn.one="ou=people,o=suffix" filter=(objectClass=person)
+
+Attributes within an entry are selected by including a comma-separated
+list of attribute names in the <what> selector:
+
+>    attrs=<attribute list>
+
+A specific value of an attribute is selected by using a single
+attribute name and also using a value selector:
+
+>    attrs=<attribute> val[.<style>]=<regex>
+
+There are two special {{pseudo}} attributes {{EX:entry}} and
+{{EX:children}}.  To read (and hence return) a target entry, the
+subject must have {{EX:read}} access to the target's {{entry}}
+attribute.  To add or delete an entry, the subject must have
+{{EX:write}} access to the entry's {{EX:entry}} attribute AND must
+have {{EX:write}} access to the entry's parent's {{EX:children}}
+attribute.  To rename an entry, the subject must have {{EX:write}}
+access to entry's {{EX:entry}} attribute AND have {{EX:write}}
+access to both the old parent's and new parent's {{EX:children}}
+attributes.  The complete examples at the end of this section should
+help clear things up.
+
+Lastly, there is a special entry selector {{EX:"*"}} that is used to
+select any entry.  It is used when no other {{EX:<what>}}
+selector has been provided.  It's equivalent to "{{EX:dn=.*}}"
+
+
+H3: Who to grant access to
+
+The <who> part identifies the entity or entities being granted
+access. Note that access is granted to "entities" not "entries."
+The following table summarizes entity specifiers:
+
+!block table; align=Center; coltags="EX,N"; \
+    title="Table 6.3: Access Entity Specifiers"
+Specifier|Entities
+*|All, including anonymous and authenticated users
+anonymous|Anonymous (non-authenticated) users
+users|Authenticated users
+self|User associated with target entry
+dn[.<basic-style>]=<regex>|Users matching a regular expression
+dn.<scope-style>=<DN>|Users within scope of a DN
+!endblock
+
+The DN specifier behaves much like <what> clause DN specifiers.
+
+Other control factors are also supported.  For example, a {{EX:<who>}}
+can be restricted by an entry listed in a DN-valued attribute in
+the entry to which the access applies:
+
+>    dnattr=<dn-valued attribute name>
+
+The dnattr specification is used to give access to an entry
+whose DN is listed in an attribute of the entry (e.g., give
+access to a group entry to whoever is listed as the owner of
+the group entry).
+
+Some factors may not be appropriate in all environments (or any).
+For example, the domain factor relies on IP to domain name lookups.
+As these can easily be spoofed, the domain factor should be avoided.
+
+
+H3: The access to grant
+
+The kind of <access> granted can be one of the following:
+
+!block table; colaligns="LRL"; coltags="EX,EX,N"; align=Center; \
+    title="Table 6.4: Access Levels"
+Level        Privileges    Description
+none        =0             no access
+disclose    =d             needed for information disclosure on error
+auth        =dx            needed to authenticate (bind)
+compare     =cdx           needed to compare
+search      =scdx          needed to apply search filters
+read        =rscdx         needed to read search results
+write       =wrscdx        needed to modify/rename
+manage      =mwrscdx       needed to manage
+!endblock
+
+Each level implies all lower levels of access. So, for example,
+granting someone {{EX:write}} access to an entry also grants them
+{{EX:read}}, {{EX:search}}, {{EX:compare}}, {{EX:auth}} and
+{{EX:disclose}} access.  However, one may use the privileges specifier
+to grant specific permissions.
+
+
+H3: Access Control Evaluation
+
+When evaluating whether some requester should be given access to
+an entry and/or attribute, slapd compares the entry and/or attribute
+to the {{EX:<what>}} selectors given in the configuration file.
+For each entry, access controls provided in the database which holds
+the entry (or the first database if not held in any database) apply
+first, followed by the global access directives.  Within this
+priority, access directives are examined in the order in which they
+appear in the config file.  Slapd stops with the first {{EX:<what>}}
+selector that matches the entry and/or attribute. The corresponding
+access directive is the one slapd will use to evaluate access.
+
+Next, slapd compares the entity requesting access to the {{EX:<who>}}
+selectors within the access directive selected above in the order
+in which they appear. It stops with the first {{EX:<who>}} selector
+that matches the requester. This determines the access the entity
+requesting access has to the entry and/or attribute.
+
+Finally, slapd compares the access granted in the selected
+{{EX:<access>}} clause to the access requested by the client. If
+it allows greater or equal access, access is granted. Otherwise,
+access is denied.
+
+The order of evaluation of access directives makes their placement
+in the configuration file important. If one access directive is
+more specific than another in terms of the entries it selects, it
+should appear first in the config file. Similarly, if one {{EX:<who>}}
+selector is more specific than another it should come first in the
+access directive. The access control examples given below should
+help make this clear.
+
+
+
+H3: Access Control Examples
+
+The access control facility described above is quite powerful.  This
+section shows some examples of its use for descriptive purposes.
+
+A simple example:
+
+>    access to * by * read
+
+This access directive grants read access to everyone.
+
+>    access to *
+>        by self write
+>        by anonymous auth
+>        by * read
+
+This directive allows the user to modify their entry, allows anonymous
+to authentication against these entries, and allows all others to
+read these entries.  Note that only the first {{EX:by <who>}} clause
+which matches applies.  Hence, the anonymous users are granted
+{{EX:auth}}, not {{EX:read}}.  The last clause could just as well
+have been "{{EX:by users read}}".
+
+It is often desirable to restrict operations based upon the level
+of protection in place.  The following shows how security strength
+factors (SSF) can be used.
+
+>    access to *
+>        by ssf=128 self write
+>        by ssf=64 anonymous auth
+>        by ssf=64 users read
+
+This directive allows users to modify their own entries if security
+protections have of strength 128 or better have been established,
+allows authentication access to anonymous users, and read access
+when 64 or better security protections have been established.  If
+client has not establish sufficient security protections, the
+implicit {{EX:by * none}} clause would be applied.
+
+The following example shows the use of a style specifiers to select
+the entries by DN in two access directives where ordering is
+significant.
+
+>    access to dn.children="dc=example,dc=com"
+>         by * search
+>    access to dn.children="dc=com"
+>         by * read
+
+Read access is granted to entries under the {{EX:dc=com}} subtree,
+except for those entries under the {{EX:dc=example,dc=com}} subtree,
+to which search access is granted.  No access is granted to
+{{EX:dc=com}} as neither access directive matches this DN.  If the
+order of these access directives was reversed, the trailing directive
+would never be reached, since all entries under {{EX:dc=example,dc=com}}
+are also under {{EX:dc=com}} entries.
+
+Also note that if no {{EX:access to}} directive matches or no {{EX:by
+<who>}} clause, {{B:access is denied}}.  That is, every {{EX:access
+to}} directive ends with an implicit {{EX:by * none}} clause and
+every access list ends with an implicit {{EX:access to * by * none}}
+directive.
+
+The next example again shows the importance of ordering, both of
+the access directives and the {{EX:by <who>}} clauses.  It also
+shows the use of an attribute selector to grant access to a specific
+attribute and various {{EX:<who>}} selectors.
+
+>    access to dn.subtree="dc=example,dc=com" attrs=homePhone
+>        by self write
+>        by dn.children="dc=example,dc=com" search
+>        by peername.regex=IP:10\..+ read
+>    access to dn.subtree="dc=example,dc=com"
+>        by self write
+>        by dn.children="dc=example,dc=com" search
+>        by anonymous auth
+
+This example applies to entries in the "{{EX:dc=example,dc=com}}"
+subtree. To all attributes except {{EX:homePhone}}, an entry can
+write to itself, entries under {{EX:example.com}} entries can search
+by them, anybody else has no access (implicit {{EX:by * none}})
+excepting for authentication/authorization (which is always done
+anonymously).  The {{EX:homePhone}} attribute is writable by the
+entry, searchable by entries under {{EX:example.com}}, readable by
+clients connecting from network 10, and otherwise not readable
+(implicit {{EX:by * none}}).  All other access is denied by the
+implicit {{EX:access to * by * none}}.
+
+Sometimes it is useful to permit a particular DN to add or
+remove itself from an attribute. For example, if you would like to
+create a group and allow people to add and remove only
+their own DN from the member attribute, you could accomplish
+it with an access directive like this:
+
+>    access to attrs=member,entry
+>         by dnattr=member selfwrite
+
+The dnattr {{EX:<who>}} selector says that the access applies to
+entries listed in the {{EX:member}} attribute. The {{EX:selfwrite}} access
+selector says that such members can only add or delete their
+own DN from the attribute, not other values. The addition of
+the entry attribute is required because access to the entry is
+required to access any of the entry's attributes.
+
+!if 0
+For more details on how to use the {{EX:access}} directive,
+consult the {{Advanced Access Control}} chapter.
+!endif
+
+
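Review bot: the slapd.conf copy of the examples carries several grammar slips that the dynamic-configuration copy later in this patch has already corrected, so the two should be brought in line: "allows anonymous to authentication against these entries" should read "to authenticate against", "if security protections have of strength 128 or better have been established" has a stray "have", "If client has not establish sufficient security protections" should read "If the client has not established", and "the use of a style specifiers" should drop the "a". The peername clause `by peername.regex=IP:10\..+ read` is also the only place in the chapter that shows what a peername string looks like; one sentence describing its format, and whether the pattern needs anchoring, would help readers adapt the example to their own networks.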
+H3: Configuration File Example
+
+The following is an example configuration file, interspersed
+with explanatory text. It defines two databases to handle
+different parts of the {{TERM:X.500}} tree; both are {{TERM:BDB}}
+database instances. The line numbers shown are provided for
+reference only and are not included in the actual file. First, the
+global configuration section:
+
+E:  1.    # example config file - global configuration section
+E:  2.    include /usr/local/etc/schema/core.schema
+E:  3.    referral ldap://root.openldap.org
+E:  4.    access to * by * read
+ 
+Line 1 is a comment. Line 2 includes another config file
+which contains {{core}} schema definitions.
+The {{EX:referral}} directive on line 3
+means that queries not local to one of the databases defined
+below will be referred to the LDAP server running on the
+standard port (389) at the host {{EX:root.openldap.org}}.
+
+Line 4 is a global access control.  It applies to all
+entries (after any applicable database-specific access
+controls).
+
+The next section of the configuration file defines a BDB
+backend that will handle queries for things in the
+"dc=example,dc=com" portion of the tree. The
+database is to be replicated to two slave slapds, one on
+truelies, the other on judgmentday. Indices are to be
+maintained for several attributes, and the {{EX:userPassword}}
+attribute is to be protected from unauthorized access.
+
+E:  5.    # BDB definition for the example.com
+E:  6.    database bdb
+E:  7.    suffix "dc=example,dc=com"
+E:  8.    directory /usr/local/var/openldap-data
+E:  9.    rootdn "cn=Manager,dc=example,dc=com"
+E: 10.    rootpw secret
+E: 11.    # indexed attribute definitions
+E: 12.    index uid pres,eq
+E: 13.    index cn,sn,uid pres,eq,approx,sub
+E: 14.    index objectClass eq
+E: 15.    # database access control definitions
+E: 16.    access to attrs=userPassword
+E: 17.        by self write
+E: 18.        by anonymous auth
+E: 19.        by dn.base="cn=Admin,dc=example,dc=com" write
+E: 20.        by * none
+E: 21.    access to *
+E: 22.        by self write
+E: 23.        by dn.base="cn=Admin,dc=example,dc=com" write
+E: 24.        by * read
+
+Line 5 is a comment. The start of the database definition is marked
+by the database keyword on line 6. Line 7 specifies the DN suffix
+for queries to pass to this database. Line 8 specifies the directory
+in which the database files will live.
+
+Lines 9 and 10 identify the database {{super-user}} entry and associated
+password. This entry is not subject to access control or size or
+time limit restrictions.
+
+Lines 12 through 14 indicate the indices to maintain for various
+attributes.
+
+Lines 16 through 24 specify access control for entries in this
+database.  As this is the first database, the controls also apply
+to entries not held in any database (such as the Root DSE).  For
+all applicable entries, the {{EX:userPassword}} attribute is writable
+by the entry itself and by the "admin" entry.  It may be used for
+authentication/authorization purposes, but is otherwise not readable.
+All other attributes are writable by the entry and the "admin"
+entry, but may be read by all users (authenticated or not).
+
+The next section of the example configuration file defines another
+BDB database. This one handles queries involving the
+{{EX:dc=example,dc=net}} subtree but is managed by the same entity
+as the first database.  Note that without line 39, the read access
+would be allowed due to the global access rule at line 4.
+
+E: 33.    # BDB definition for example.net
+E: 34.    database bdb
+E: 35.    suffix "dc=example,dc=net"
+E: 36.    directory /usr/local/var/openldap-data-net
+E: 37.    rootdn "cn=Manager,dc=example,dc=com"
+E: 38.    index objectClass eq
+E: 39.    access to * by users read
+
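Review bot: the paragraph introducing the first BDB database says it "is to be replicated to two slave slapds, one on truelies, the other on judgmentday", but the listing that follows jumps from line 24 straight to line 33 and contains no replication directives, so the sentence describes lines that are not shown. Either restore the omitted lines 25-32 together with their explanation, or drop the replication sentence and renumber so the example.net section starts at line 25.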
+H2: Access Control via Dynamic Configuration
+
+Access to slapd entries and attributes is controlled by the
+olcAccess attribute, whose values are a sequence of access directives.
+The general form of the olcAccess configuration is:
+
+>    olcAccess: <access directive>
+>    <access directive> ::= to <what>
+>        [by <who> [<access>] [<control>] ]+
+>    <what> ::= * |
+>        [dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
+>        [filter=<ldapfilter>] [attrs=<attrlist>]
+>    <basic-style> ::= regex | exact
+>    <scope-style> ::= base | one | subtree | children
+>    <attrlist> ::= <attr> [val[.<basic-style>]=<regex>] | <attr> , <attrlist>
+>    <attr> ::= <attrname> | entry | children
+>    <who> ::= * | [anonymous | users | self
+>            | dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>] 
+>        [dnattr=<attrname>]
+>        [group[/<objectclass>[/<attrname>][.<basic-style>]]=<regex>]
+>        [peername[.<basic-style>]=<regex>]
+>        [sockname[.<basic-style>]=<regex>]
+>        [domain[.<basic-style>]=<regex>]
+>        [sockurl[.<basic-style>]=<regex>]
+>        [set=<setspec>]
+>        [aci=<attrname>]
+>    <access> ::= [self]{<level>|<priv>}
+>    <level> ::= none | disclose | auth | compare | search | read | write | manage
+>    <priv> ::= {=|+|-}{m|w|r|s|c|x|d|0}+
+>    <control> ::= [stop | continue | break]
+
+where the <what> part selects the entries and/or attributes to which
+the access applies, the {{EX:<who>}} part specifies which entities
+are granted access, and the {{EX:<access>}} part specifies the
+access granted. Multiple {{EX:<who> <access> <control>}} triplets
+are supported, allowing many entities to be granted different access
+to the same set of entries and attributes. Not all of these access
+control options are described here; for more details see the
+{{slapd.access}}(5) man page.
+
+
+H3: What to control access to
+
+The <what> part of an access specification determines the entries
+and attributes to which the access control applies.  Entries are
+commonly selected in two ways: by DN and by filter.  The following
+qualifiers select entries by DN:
+
+>    to *
+>    to dn[.<basic-style>]=<regex>
+>    to dn.<scope-style>=<DN>
+
+The first form is used to select all entries.  The second form may
+be used to select entries by matching a regular expression against
+the target entry's {{normalized DN}}.   (The second form is not
+discussed further in this document.)  The third form is used to
+select entries which are within the requested scope of DN.  The
+<DN> is a string representation of the Distinguished Name, as
+described in {{REF:RFC4514}}.
+
+The scope can be either {{EX:base}}, {{EX:one}}, {{EX:subtree}},
+or {{EX:children}}.  Where {{EX:base}} matches only the entry with
+provided DN, {{EX:one}} matches the entries whose parent is the
+provided DN, {{EX:subtree}} matches all entries in the subtree whose
+root is the provided DN, and {{EX:children}} matches all entries
+under the DN (but not the entry named by the DN).
+
+For example, if the directory contained entries named:
+
+>    0: o=suffix
+>    1: cn=Manager,o=suffix
+>    2: ou=people,o=suffix
+>    3: uid=kdz,ou=people,o=suffix
+>    4: cn=addresses,uid=kdz,ou=people,o=suffix
+>    5: uid=hyc,ou=people,o=suffix
+
+\Then:
+. {{EX:dn.base="ou=people,o=suffix"}} match 2;
+. {{EX:dn.one="ou=people,o=suffix"}} match 3, and 5;
+. {{EX:dn.subtree="ou=people,o=suffix"}} match 2, 3, 4, and 5; and
+. {{EX:dn.children="ou=people,o=suffix"}} match 3, 4, and 5.
+
+
+Entries may also be selected using a filter:
+
+>    to filter=<ldap filter>
+
+where <ldap filter> is a string representation of an LDAP
+search filter, as described in {{REF:RFC4515}}.  For example:
+
+>    to filter=(objectClass=person)
+
+Note that entries may be selected by both DN and filter by
+including both qualifiers in the <what> clause.
+
+>    to dn.one="ou=people,o=suffix" filter=(objectClass=person)
+
+Attributes within an entry are selected by including a comma-separated
+list of attribute names in the <what> selector:
+
+>    attrs=<attribute list>
+
+A specific value of an attribute is selected by using a single
+attribute name and also using a value selector:
+
+>    attrs=<attribute> val[.<style>]=<regex>
+
+There are two special {{pseudo}} attributes {{EX:entry}} and
+{{EX:children}}.  To read (and hence return) a target entry, the
+subject must have {{EX:read}} access to the target's {{entry}}
+attribute.  To add or delete an entry, the subject must have
+{{EX:write}} access to the entry's {{EX:entry}} attribute AND must
+have {{EX:write}} access to the entry's parent's {{EX:children}}
+attribute.  To rename an entry, the subject must have {{EX:write}}
+access to entry's {{EX:entry}} attribute AND have {{EX:write}}
+access to both the old parent's and new parent's {{EX:children}}
+attributes.  The complete examples at the end of this section should
+help clear things up.
+
+Lastly, there is a special entry selector {{EX:"*"}} that is used to
+select any entry.  It is used when no other {{EX:<what>}}
+selector has been provided.  It's equivalent to "{{EX:dn=.*}}"
+
+
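Review bot: the prose mixes bare `<what>` with `{{EX:<what>}}`: the explanation after the BNF opens with "where the <what> part selects", and this section opens with "The <what> part of an access specification", while `<who>` and `<access>` in the same sentences are wrapped in {{EX:...}}. Wrapping the bare occurrences (including "<DN>", "<ldap filter>" and "the <what> clause") keeps the rendering consistent. The closing sentence "It's equivalent to "{{EX:dn=.*}}"" is also missing its full stop.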
+H3: Who to grant access to
+
+The <who> part identifies the entity or entities being granted
+access. Note that access is granted to "entities" not "entries."
+The following table summarizes entity specifiers:
+
+!block table; align=Center; coltags="EX,N"; \
+    title="Table 5.3: Access Entity Specifiers"
+Specifier|Entities
+*|All, including anonymous and authenticated users
+anonymous|Anonymous (non-authenticated) users
+users|Authenticated users
+self|User associated with target entry
+dn[.<basic-style>]=<regex>|Users matching a regular expression
+dn.<scope-style>=<DN>|Users within scope of a DN
+!endblock
+
+The DN specifier behaves much like <what> clause DN specifiers.
+
+Other control factors are also supported.  For example, a {{EX:<who>}}
+can be restricted by an entry listed in a DN-valued attribute in
+the entry to which the access applies:
+
+>    dnattr=<dn-valued attribute name>
+
+The dnattr specification is used to give access to an entry
+whose DN is listed in an attribute of the entry (e.g., give
+access to a group entry to whoever is listed as the owner of
+the group entry).
+
+Some factors may not be appropriate in all environments (or any).
+For example, the domain factor relies on IP to domain name lookups.
+As these can easily be spoofed, the domain factor should be avoided.
+
+
+H3: The access to grant
+
+The kind of <access> granted can be one of the following:
+
+!block table; colaligns="LRL"; coltags="EX,EX,N"; align=Center; \
+    title="Table 5.4: Access Levels"
+Level        Privileges    Description
+none         =0            no access
+disclose     =d            needed for information disclosure on error
+auth         =dx           needed to authenticate (bind)
+compare      =cdx          needed to compare
+search       =scdx         needed to apply search filters
+read         =rscdx        needed to read search results
+write        =wrscdx       needed to modify/rename
+manage       =mwrscdx      needed to manage
+!endblock
+
+Each level implies all lower levels of access. So, for example,
+granting someone {{EX:write}} access to an entry also grants them
+{{EX:read}}, {{EX:search}}, {{EX:compare}}, {{EX:auth}} and
+{{EX:disclose}} access.  However, one may use the privileges specifier
+to grant specific permissions.
+
+
+H3: Access Control Evaluation
+
+When evaluating whether some requester should be given access to
+an entry and/or attribute, slapd compares the entry and/or attribute
+to the {{EX:<what>}} selectors given in the configuration.  For
+each entry, access controls provided in the database which holds
+the entry (or the first database if not held in any database) apply
+first, followed by the global access directives (which are held in
+the {{EX:frontend}} database definition).  Within this priority,
+access directives are examined in the order in which they appear
+in the configuration attribute.  Slapd stops with the first
+{{EX:<what>}} selector that matches the entry and/or attribute. The
+corresponding access directive is the one slapd will use to evaluate
+access.
+
+Next, slapd compares the entity requesting access to the {{EX:<who>}}
+selectors within the access directive selected above in the order
+in which they appear. It stops with the first {{EX:<who>}} selector
+that matches the requester. This determines the access the entity
+requesting access has to the entry and/or attribute.
+
+Finally, slapd compares the access granted in the selected
+{{EX:<access>}} clause to the access requested by the client. If
+it allows greater or equal access, access is granted. Otherwise,
+access is denied.
+
+The order of evaluation of access directives makes their placement
+in the configuration file important. If one access directive is
+more specific than another in terms of the entries it selects, it
+should appear first in the configuration. Similarly, if one {{EX:<who>}}
+selector is more specific than another it should come first in the
+access directive. The access control examples given below should
+help make this clear.
+
+
+
+H3: Access Control Examples
+
+The access control facility described above is quite powerful.  This
+section shows some examples of its use for descriptive purposes.
+
+A simple example:
+
+>    olcAccess: to * by * read
+
+This access directive grants read access to everyone.
+
+>    olcAccess: to *
+>        by self write
+>        by anonymous auth
+>        by * read
+
+This directive allows the user to modify their entry, allows anonymous
+to authenticate against these entries, and allows all others to
+read these entries.  Note that only the first {{EX:by <who>}} clause
+which matches applies.  Hence, the anonymous users are granted
+{{EX:auth}}, not {{EX:read}}.  The last clause could just as well
+have been "{{EX:by users read}}".
+
+It is often desirable to restrict operations based upon the level
+of protection in place.  The following shows how security strength
+factors (SSF) can be used.
+
+>    olcAccess: to *
+>        by ssf=128 self write
+>        by ssf=64 anonymous auth
+>        by ssf=64 users read
+
+This directive allows users to modify their own entries if security
+protections of strength 128 or better have been established,
+allows authentication access to anonymous users, and read access
+when strength 64 or better security protections have been established.  If
+the client has not establish sufficient security protections, the
+implicit {{EX:by * none}} clause would be applied.
+
+The following example shows the use of style specifiers to select
+the entries by DN in two access directives where ordering is
+significant.
+
+>    olcAccess: to dn.children="dc=example,dc=com"
+>         by * search
+>    olcAccess: to dn.children="dc=com"
+>         by * read
+
+Read access is granted to entries under the {{EX:dc=com}} subtree,
+except for those entries under the {{EX:dc=example,dc=com}} subtree,
+to which search access is granted.  No access is granted to
+{{EX:dc=com}} as neither access directive matches this DN.  If the
+order of these access directives was reversed, the trailing directive
+would never be reached, since all entries under {{EX:dc=example,dc=com}}
+are also under {{EX:dc=com}} entries.
+
+Also note that if no {{EX:olcAccess: to}} directive matches or no {{EX:by
+<who>}} clause, {{B:access is denied}}.  That is, every {{EX:olcAccess:
+to}} directive ends with an implicit {{EX:by * none}} clause and
+every access list ends with an implicit {{EX:olcAccess: to * by * none}}
+directive.
+
+The next example again shows the importance of ordering, both of
+the access directives and the {{EX:by <who>}} clauses.  It also
+shows the use of an attribute selector to grant access to a specific
+attribute and various {{EX:<who>}} selectors.
+
+>    olcAccess: to dn.subtree="dc=example,dc=com" attrs=homePhone
+>        by self write
+>        by dn.children=dc=example,dc=com" search
+>        by peername.regex=IP:10\..+ read
+>    olcAccess: to dn.subtree="dc=example,dc=com"
+>        by self write
+>        by dn.children="dc=example,dc=com" search
+>        by anonymous auth
+
+This example applies to entries in the "{{EX:dc=example,dc=com}}"
+subtree. To all attributes except {{EX:homePhone}}, an entry can
+write to itself, entries under {{EX:example.com}} entries can search
+by them, anybody else has no access (implicit {{EX:by * none}})
+excepting for authentication/authorization (which is always done
+anonymously).  The {{EX:homePhone}} attribute is writable by the
+entry, searchable by entries under {{EX:example.com}}, readable by
+clients connecting from network 10, and otherwise not readable
+(implicit {{EX:by * none}}).  All other access is denied by the
+implicit {{EX:access to * by * none}}.
+
+Sometimes it is useful to permit a particular DN to add or
+remove itself from an attribute. For example, if you would like to
+create a group and allow people to add and remove only
+their own DN from the member attribute, you could accomplish
+it with an access directive like this:
+
+>    olcAccess: to attrs=member,entry
+>         by dnattr=member selfwrite
+
+The dnattr {{EX:<who>}} selector says that the access applies to
+entries listed in the {{EX:member}} attribute. The {{EX:selfwrite}} access
+selector says that such members can only add or delete their
+own DN from the attribute, not other values. The addition of
+the entry attribute is required because access to the entry is
+required to access any of the entry's attributes.
+
+
+
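Review bot: the homePhone example in the dynamic-configuration copy has lost the opening quote in `by dn.children=dc=example,dc=com" search`, whereas the same clause in the second directive reads `by dn.children="dc=example,dc=com" search`; restore the quote, since the unbalanced quote changes what the DN pattern parses to. In the same section, "If the client has not establish sufficient security protections" should read "has not established", and the last sentence of the homePhone discussion still cites the implicit `access to * by * none` rather than the `olcAccess: to * by * none` form used two paragraphs earlier.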
+H3: Access Control Ordering
+
+Since the ordering of {{EX:olcAccess}} directives is essential to their
+proper evaluation, but LDAP attributes normally do not preserve the
+ordering of their values, OpenLDAP uses a custom schema extension to
+maintain a fixed ordering of these values. This ordering is maintained
+by prepending a {{EX:"{X}"}} numeric index to each value, similarly to
+the approach used for ordering the configuration entries. These index
+tags are maintained automatically by slapd and do not need to be specified
+when originally defining the values. For example, when you create the
+settings
+
+>    olcAccess: to attrs=member,entry
+>         by dnattr=member selfwrite
+>    olcAccess: to dn.children="dc=example,dc=com"
+>         by * search
+>    olcAccess: to dn.children="dc=com"
+>         by * read
+
+when you read them back using slapcat or ldapsearch they will contain
+
+>    olcAccess: {0}to attrs=member,entry
+>         by dnattr=member selfwrite
+>    olcAccess: {1}to dn.children="dc=example,dc=com"
+>         by * search
+>    olcAccess: {2}to dn.children="dc=com"
+>         by * read
+
+The numeric index may be used to specify a particular value to change
+when using ldapmodify to edit the access rules. This index can be used
+instead of (or in addition to) the actual access value. Using this 
+numeric index is very helpful when multiple access rules are being managed.
+
+For example, if we needed to change the second rule above to grant
+write access instead of search, we could try this LDIF:
+
+>    changetype: modify
+>    delete: olcAccess
+>    olcAccess: to dn.children="dc=example,dc=com" by * search
+>    -
+>    add: olcAccess
+>    olcAccess: to dn.children="dc=example,dc=com" by * write
+>    -
+
+But this example {{B:will not}} guarantee that the existing values remain in
+their original order, so it will most likely yield a broken security
+configuration. Instead, the numeric index should be used:
+
+>    changetype: modify
+>    delete: olcAccess
+>    olcAccess: {1}
+>    -
+>    add: olcAccess
+>    olcAccess: {1}to dn.children="dc=example,dc=com" by * write
+>    -
+
+This example deletes whatever rule is in value #1 of the {{EX:olcAccess}}
+attribute (regardless of its value) and adds a new value that is
+explicitly inserted as value #1. The result will be
+
+>    olcAccess: {0}to attrs=member,entry
+>         by dnattr=member selfwrite
+>    olcAccess: {1}to dn.children="dc=example,dc=com"
+>         by * write
+>    olcAccess: {2}to dn.children="dc=com"
+>         by * read
+
+which is exactly what was intended.
+
+!if 0
+For more details on how to use the {{EX:access}} directive,
+consult the {{Advanced Access Control}} chapter.
+!endif
+
+
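Review bot: both ldapmodify LDIF fragments in this section start at `changetype: modify` with no `dn:` line naming the database entry whose olcAccess values are being edited, so they cannot be fed to ldapmodify as shown; add a `dn:` line for the entry being modified, or state explicitly that these are fragments that follow the entry's DN. It would also help to say under the first, discouraged fragment that the stored value actually carries the `{1}` prefix shown in the slapcat output above, which is why matching on the unprefixed value is unreliable.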
+H3: Configuration Example
+
+The following is an example configuration, interspersed
+with explanatory text. It defines two databases to handle
+different parts of the {{TERM:X.500}} tree; both are {{TERM:BDB}}
+database instances. The line numbers shown are provided for
+reference only and are not included in the actual file. First, the
+global configuration section:
+
+E:  1.    # example config file - global configuration entry
+E:  2.    dn: cn=config
+E:  3.    objectClass: olcGlobal
+E:  4.    cn: config
+E:  5.    olcReferral: ldap://root.openldap.org
+E:  6.    
+
+Line 1 is a comment. Lines 2-4 identify this as the global
+configuration entry.
+The {{EX:olcReferral:}} directive on line 5
+means that queries not local to one of the databases defined
+below will be referred to the LDAP server running on the
+standard port (389) at the host {{EX:root.openldap.org}}.
+Line 6 is a blank line, indicating the end of this entry.
+
+E:  7.    # internal schema
+E:  8.    dn: cn=schema,cn=config
+E:  9.    objectClass: olcSchemaConfig
+E: 10.    cn: schema
+E: 11.    
+
+Line 7 is a comment. Lines 8-10 identify this as the root of
+the schema subtree. The actual schema definitions in this entry
+are hardcoded into slapd so no additional attributes are specified here.
+Line 11 is a blank line, indicating the end of this entry.
+
+E: 12.    # include the core schema
+E: 13.    include: file:///usr/local/etc/openldap/schema/core.ldif
+E: 14.    
+
+Line 12 is a comment. Line 13 is an LDIF include directive which
+accesses the {{core}} schema definitions in LDIF format. Line 14
+is a blank line.
+
+Next comes the database definitions. The first database is the
+special {{EX:frontend}} database whose settings are applied globally
+to all the other databases.
+
+E: 15.    # global database parameters
+E: 16.    dn: olcDatabase=frontend,cn=config
+E: 17.    objectClass: olcDatabaseConfig
+E: 18.    olcDatabase: frontend
+E: 19.    olcAccess: to * by * read
+E: 20.    
+
+Line 15 is a comment. Lines 16-18 identify this entry as the global
+database entry. Line 19 is a global access control. It applies to all
+entries (after any applicable database-specific access controls).
+
+The next entry defines a BDB backend that will handle queries for things
+in the "dc=example,dc=com" portion of the tree. Indices are to be maintained
+for several attributes, and the {{EX:userPassword}} attribute is to be
+protected from unauthorized access.
+
+E: 21.    # BDB definition for example.com
+E: 22.    dn: olcDatabase=bdb,cn=config
+E: 23.    objectClass: olcDatabaseConfig
+E: 24.    objectClass: olcBdbConfig
+E: 25.    olcDatabase: bdb
+E: 26.    olcSuffix: "dc=example,dc=com"
+E: 27.    olcDbDirectory: /usr/local/var/openldap-data
+E: 28.    olcRootDN: "cn=Manager,dc=example,dc=com"
+E: 29.    olcRootPW: secret
+E: 30.    olcDbIndex: uid pres,eq
+E: 31.    olcDbIndex: cn,sn,uid pres,eq,approx,sub
+E: 32.    olcDbIndex: objectClass eq
+E: 33.    olcAccess: to attrs=userPassword
+E: 34.      by self write
+E: 35.      by anonymous auth
+E: 36.      by dn.base="cn=Admin,dc=example,dc=com" write
+E: 37.      by * none
+E: 38.    olcAccess: to *
+E: 39.      by self write
+E: 40.      by dn.base="cn=Admin,dc=example,dc=com" write
+E: 41.      by * read
+E: 42.    
+
+Line 21 is a comment. Lines 22-25 identify this entry as a BDB database
+configuration entry.  Line 26 specifies the DN suffix
+for queries to pass to this database. Line 27 specifies the directory
+in which the database files will live.
+
+Lines 28 and 29 identify the database {{super-user}} entry and associated
+password. This entry is not subject to access control or size or
+time limit restrictions.
+
+Lines 30 through 32 indicate the indices to maintain for various
+attributes.
+
+Lines 33 through 41 specify access control for entries in this
+database.  As this is the first database, the controls also apply
+to entries not held in any database (such as the Root DSE).  For
+all applicable entries, the {{EX:userPassword}} attribute is writable
+by the entry itself and by the "admin" entry.  It may be used for
+authentication/authorization purposes, but is otherwise not readable.
+All other attributes are writable by the entry and the "admin"
+entry, but may be read by all users (authenticated or not).
+
+Line 42 is a blank line, indicating the end of this entry.
+
+The next section of the example configuration file defines another
+BDB database. This one handles queries involving the
+{{EX:dc=example,dc=net}} subtree but is managed by the same entity
+as the first database.  Note that without line 52, the read access
+would be allowed due to the global access rule at line 19.
+
+E: 43.    # BDB definition for example.net
+E: 44.    dn: olcDatabase=bdb,cn=config
+E: 45.    objectClass: olcDatabaseConfig
+E: 46.    objectClass: olcBdbConfig
+E: 47.    olcDatabase: bdb
+E: 48.    olcSuffix: "dc=example,dc=net"
+E: 49.    olcDbDirectory: /usr/local/var/openldap-data-net
+E: 50.    olcRootDN: "cn=Manager,dc=example,dc=com"
+E: 51.    olcDbIndex: objectClass eq
+E: 52.    olcAccess: to * by users read
+
+
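Review bot: both BDB entries in this listing use the same DN, `dn: olcDatabase=bdb,cn=config` (lines 22 and 44); since the ordering section states that slapd tags configuration entries with a `{X}` index in the same way as olcAccess values, the listing should show, or at least mention, the indexed DNs that slapcat would return, as those indexed names are what the ldapmodify examples depend on. The final entry also ends at line 52 without the blank terminating line that the text points out for lines 6, 11, 14, 20 and 42; either add it or drop the pattern.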
+H3: Converting from {{slapd.conf}}(5) to a {{B:cn=config}} directory format
+
+Discuss slap* -f slapd.conf -F slapd.d/  (man slapd-config)
+
+
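Review bot: the body of the "Converting from slapd.conf(5) to a cn=config directory format" section is an author's placeholder, "Discuss slap* -f slapd.conf -F slapd.d/ (man slapd-config)", which will be rendered verbatim in the published guide. Either write the section or wrap the placeholder in `!if 0` / `!endif`, as this file already does for the Advanced Access Control reference.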
+H2: Access Control Common Examples
+
+H3: Basic ACLs
+
+Generally one should start with some basic ACLs such as:
+
+>    access to attr=userPassword
+>        by self =xw
+>        by anonymous auth
+>        by * none
+>
+>
+>      access to *
+>        by self write
+>        by users read
+>        by * none
+
+The first ACL allows users to update (but not read) their passwords, anonymous 
+users to authenticate against this attribute, and (implicitly) denying all 
+access to others.
+
+The second ACL allows users full access to their entry, authenticated users read 
+access to anything, and (implicitly) denying all access to others (in this case, 
+anonymous users). 
+
+
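Review bot: the first basic ACL uses `access to attr=userPassword` while the BNF earlier in the chapter and every other example use `attrs=`; use `attrs=` here for consistency. The second ACL is also indented differently from the first (`>      access to *` versus `>    access to`), and both explanatory sentences mix verb forms: "allows users to update ... and (implicitly) denying all access to others" should read "and (implicitly) denies all access to others".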
+H3: Matching Anonymous and Authenticated users
+
+An anonymous user has a empty DN. While the {{dn.exact=""}} or {{dn.regex="^$"}}
+ could be used, {{slapd}}(8)) offers an anonymous shorthand which should be 
+used instead.
+
+>    access to *
+>      by anonymous none
+>      by * read
+
+denies all access to anonymous users while granting others read. 
+
+Authenticated users have a subject DN. While {{dn.regex=".+"}} will match any 
+authenticated user, OpenLDAP provides the users short hand which should be used 
+instead.
+
+>    access to *
+>      by users read
+>      by * none
+
+This ACL grants read permissions to authenticated users while denying others 
+(i.e.: anonymous users).
+
+
+H3: Controlling rootdn access
+
+You could specify the {{rootdn}} in {{slapd.conf}}(5) or {[slapd.d}} without 
+specifying a {{rootpw}}. Then you have to add an actual directory entry with 
+the same dn, e.g.:
+
+>    dn: cn=Manager,o=MyOrganization
+>    cn: Manager
+>    sn: Manager
+>    objectClass: person
+>    objectClass: top
+>    userPassword: {SSHA}someSSHAdata
+
+Then binding as the {{rootdn}} will require a regular bind to that DN, which 
+in turn requires auth access to that entry's DN and {{userPassword}}, and this 
+can be restricted via ACLs. E.g.:
+
+>    access to dn.base="cn=Manager,o=MyOrganization"
+>      by peername.regex=127\.0\.0\.1 auth
+>      by peername.regex=192\.168\.0\..* auth
+>      by users none
+>      by * none
+
+The ACLs above will only allow binding using rootdn from localhost and 
+192.168.0.0/24.
+
+
+H3: Managing access with Groups
+
+There are a few ways to do this. One approach is illustrated here. Consider the 
+following DIT layout:
+
+>    +-dc=example,dc=com
+>    +---cn=administrators,dc=example,dc=com
+>    +---cn=fred blogs,dc=example,dc=com 
+
+and the following group object (in LDIF format):
+
+>    dn: cn=administrators,dc=example,dc=com
+>    cn: administrators of this region
+>    objectclass: groupOfNames  (important for the group acl feature)
+>    member: cn=fred blogs,dc=example,dc=com 
+>    member: cn=somebody else,dc=example,dc=com
+
+One can then grant access to the members of this this group by adding appropriate 
+{{by group}} clause to an access directive in {{slapd.conf}}(5). For instance,
+
+>    access to dn.children="dc=example,dc=com" 
+>        by self write 
+>        by group.exact="cn=Administrators,dc=example,dc=com" write  
+>        by * auth
+
+Like by {[dn}} clauses, one can also use {{expand}} to expand the group name 
+based upon the regular expression matching of the target, that is, the to {{dn.regex}}). 
+For instance,
+
+>    access to dn.regex="(.+,)?ou=People,(dc=[^,]+,dc=[^,]+)$"
+>             attrs=children,entry,uid
+>        by group.expand="cn=Managers,$2" write
+>        by users read
+>        by * auth
+
+
+The above illustration assumed that the group members are to be found in the 
+{{member}} attribute type of the {{groupOfNames}} object class. If you need to 
+use a different group object and/or a different attribute type then use the 
+following {{slapd.conf}}(5) (abbreviated) syntax:
+
+>    access to <what>
+>            by group/<objectclass>/<attributename>=<DN> <access>
+
+For example:
+
+>    access to *
+>      by group/organizationalRole/roleOccupant="cn=Administrator,dc=example,dc=com" write
+
+In this case, we have an ObjectClass {{organizationalRole}} which contains the 
+administrator DN's in the {{roleOccupant}} attribute. For instance:
+
+>    dn: cn=Administrator,dc=example,dc=com
+>    cn: Administrator
+>    objectclass: organizationalRole
+>    roleOccupant: cn=Jane Doe,dc=example,dc=com 
+
+Note: the specified member attribute type MUST be of DN or {{NameAndOptionalUID}} syntax, 
+and the specified object class SHOULD allow the attribute type.
+
+Dynamic Groups are also supported in Access Control. Please see {{slapo-dynlist}}(5)
+and the {{SECT:Dynamic Lists}} overlay section.
+
+
+H3:  Granting access to a subset of attributes
+
+You can grant access to a set of attributes by specifying a list of attribute names 
+in the ACL {{to}} clause. To be useful, you also need to grant access to the 
+{{entry}} itself. Also note how {{children}} controls the ability to add, delete, 
+and rename entries.
+
+>    # mail: self may write, authenticated users may read
+>    access to attrs=mail
+>      by self write
+>      by users read
+>      by * none
+>    
+>    # cn, sn: self my write, all may read
+>    access to attrs=cn,sn
+>      by self write
+>      by * read
+>    
+>    # immediate children: only self can add/delete entries under this entry
+>    access to attrs=children
+>      by self write
+>    
+>    # entry itself: self may write, all may read
+>    access to attrs=entry
+>      by self write
+>      by * read
+>    
+>    # other attributes: self may write, others have no access
+>    access to *
+>      by self write
+>      by * none
+
+ObjectClass names may also be specified in this list, which will affect 
+all the attributes that are required and/or allowed by that {{objectClass}}. 
+Actually, names in {{attrlist}} that are prefixed by {{@}} are directly treated 
+as objectClass names. A name prefixed by {{!}} is also treated as an objectClass, 
+but in this case the access rule affects the attributes that are not required 
+nor allowed by that {{objectClass}}. 
+
+
+H3: Allowing a user write to all entries below theirs
+
+For a setup where a user can write to its own record and to all of its children:
+
+>    access to dn.regex="(.+,)?(uid=[^,]+,o=Company)$"
+>       by dn.exact,expand="$2" write
+>       by anonymous auth
+
+(Add more examples for above)
+
+
+H3: Allowing entry creation
+
+Let's say, you have it like this:
+
+>        o=<basedn>
+>            ou=domains
+>                associatedDomain=<somedomain>
+>                    ou=users
+>                        uid=<someuserid>            
+>                        uid=<someotheruserid>
+>                    ou=addressbooks
+>                        uid=<someuserid>
+>                            cn=<someone>
+>                            cn=<someoneelse>
+
+and, for another domain <someotherdomain>:
+
+>        o=<basedn>
+>            ou=domains
+>                associatedDomain=<someotherdomain>
+>                    ou=users
+>                        uid=<someuserid>            
+>                        uid=<someotheruserid>
+>                    ou=addressbooks
+>                        uid=<someotheruserid>
+>                            cn=<someone>
+>                            cn=<someoneelse>
+
+then, if you wanted user {{uid=<someuserid>}} to {{B:ONLY}} create an entry 
+for its own thing, you could write an ACL like this:
+
+>    # this rule lets users of "associatedDomain=<matcheddomain>"
+>    # write under "ou=addressbook,associatedDomain=<matcheddomain>,ou=domains,o=<basedn>",
+>    # i.e. a user can write ANY entry below its domain's address book;
+>    # this permission is necessary, but not sufficient, the next 
+>    # will restrict this permission further
+>    
+>    
+>    access to dn.regex="^ou=addressbook,associatedDomain=([^,]+),ou=domains,o=<basedn>$" attrs=children
+>            by dn.regex="^uid=([^,]+),ou=users,associatedDomain=$1,ou=domains,o=<basedn>$$" write
+>            by * none
+>    
+>    
+>    # Note that above the "by" clause needs a "regex" style to make sure
+>    # it expands to a DN that starts with a "uid=<someuserid>" pattern
+>    # while substituting the associatedDomain submatch from the "what" clause.
+>    
+>    
+>    # This rule lets a user with "uid=<matcheduid>" of "<associatedDomain=matcheddomain>"
+>    # write (i.e. add, modify, delete) the entry whose DN is exactly
+>    # "uid=<matcheduid>,ou=addressbook,associatedDomain=<matcheddomain>,ou=domains,o=<basedn>"
+>    # and ANY entry as subtree of it
+>    
+>    
+>    access to dn.regex="^(.+,)?uid=([^,]+),ou=addressbook,associatedDomain=([^,]+),ou=domains,o=<basedn>$"
+>            by dn.exact,expand="uid=$2,ou=users,associatedDomain=$3,ou=domains,o=<basedn>" write
+>            by * none 
+>    
+>    
+>    # Note that above the "by" clause uses the "exact" style with the "expand"
+>    # modifier because now the whole pattern can be rebuilt by means of the
+>    # submatches from the "what" clause, so a "regex" compilation and evaluation
+>    # is no longer required.
+
+
+H3: Tips for using regular expressions in Access Control 
+
+Always use {{dn.regex=<pattern>}} when you intend to use regular expression 
+matching. {{dn=<pattern>}} alone defaults to {{dn.exact<pattern>}}.
+
+Use {{(.+)}} instead of {{(.*)}} when you want at least one char to be matched. 
+{{(.*)}} matches the empty string as well.
+
+Don't use regular expressions for matches that can be done otherwise in a safer 
+and cheaper manner. Examples:
+
+>    dn.regex=".*dc=example,dc=com"
+
+is unsafe and expensive:
+
+    * unsafe because any string containing {{dc=example,dc=com }}will match, 
+not only those that end with the desired pattern; use {{.*dc=example,dc=com$}} instead.
+    * unsafe also because it would allow any {{attributeType}} ending with {{dc}}
+ as naming attribute for the first RDN in the string, e.g. a custom attributeType 
+{{mydc}} would match as well. If you really need a regular expression that allows 
+just {{dc=example,dc=com}} or any of its subtrees, use {{^(.+,)?dc=example,dc=com$}}, 
+which means: anything to the left of dc=..., if any (the question mark after the 
+pattern within brackets), must end with a comma;
+    * expensive because if you don't need submatches, you could use scoping styles, e.g.
+
+>    dn.subtree="dc=example,dc=com"
+
+to include {{dc=example,dc=com}} in the matching patterns,
+
+>    dn.children="dc=example,dc=com"
+
+to exclude {{dc=example,dc=com}} from the matching patterns, or
+
+>    dn.onelevel="dc=example,dc=com"
+
+to allow exactly one sublevel matches only. 
+
+Always use {{^}} and {{$}} in regexes, whenever appropriate, because 
+{{ou=(.+),ou=(.+),ou=addressbooks,o=basedn}} will match 
+{{something=bla,ou=xxx,ou=yyy,ou=addressbooks,o=basedn,ou=addressbooks,o=basedn,dc=some,dc=org}}
+
+Always use {{([^,]+)}} to indicate exactly one RDN, because {{(.+)}} can 
+include any number of RDNs; e.g. {{ou=(.+),dc=example,dc=com}} will match 
+{{ou=My,o=Org,dc=example,dc=com}}, which might not be what you want.
+
+Never add the rootdn to the by clauses. ACLs are not even processed for operations 
+performed with rootdn identity (otherwise there would be no reason to define a 
+rootdn at all).
+
+Use shorthands. The user directive matches authenticated users and the anonymous
+directive matches anonymous users.
+
+Don't use the {{dn.regex}} form for <by> clauses if all you need is scoping 
+and/or substring replacement; use scoping styles (e.g. {{exact}}, {{onelevel}}, 
+{{children}} or {{subtree}}) and the style modifier expand to cause substring expansion.
+
+For instance,
+
+>    access to dn.regex=".+,dc=([^,]+),dc=([^,]+)$"
+>      by dn.regex="^[^,],ou=Admin,dc=$1,dc=$2$$" write
+
+although correct, can be safely and efficiently replaced by
+
+>    access to dn.regex=".+,(dc=[^,]+,dc=[^,]+)$"
+>      by dn.onelevel,expand="ou=Admin,$1" write
+
+where the regex in the {{<what>}} clause is more compact, and the one in the {{<by>}} 
+clause is replaced by a much more efficient scoping style of onelevel with substring expansion. 
+
+
+H3: Granting and Denying access based on security strength factors (ssf)
+
+You can restrict access based on the security strength factor (SSF)
+
+>    access to dn="cn=example,cn=edu"
+>          by * ssf=256 read
+
+0 (zero) implies no protection,
+1 implies integrity protection only,
+56 DES or other weak ciphers,
+112 triple DES and other strong ciphers,
+128 RC4, Blowfish and other modern strong ciphers.
+
+Other possibilities:
+
+>    transport_ssf=<n>
+>    tls_ssf=<n>
+>    sasl_ssf=<n>
+
+256 is recommended.
+
+See {{slapd.conf}}(5) for information on {{ssf}}.
+
+
+H3: When things aren't working as expected
+
+Consider this example:
+
+>    access to *
+>      by anonymous auth
+>    
+>    access to *
+>      by self write
+>    
+>    access to *
+>      by users read 
+
+You may think this will allow any user to login, to read everything and change 
+his own data if he is logged in. But in this example only the login works and 
+an ldapsearch returns no data. The Problem is that SLAPD goes through its access 
+config line by line and stops as soon as it finds a match in the part of the 
+access rule.(here: {{to *}})
+
+To get what we wanted the file has to read:
+
+>    access to *
+>      by anonymous auth
+>      by self write
+>      by users read 
+
+The general rule is: "special access rules first, generic access rules last"
+
+See also {{slapd.access}}(8), loglevel 128 and {{slapacl}}(8) for debugging
+information.
+
+
+H2: Sets - Granting rights based on relationships
+
+Sets are best illustrated via examples. The following sections will present 
+a few set ACL examples in order to facilitate their understanding.
+
+(Sets in Access Controls FAQ Entry: {{URL:http://www.openldap.org/faq/data/cache/1133.html}})
+
+Note: Sets are considered experimental. 
+
+
+H3: Groups of Groups
+
+The OpenLDAP ACL for groups doesn't expand groups within groups, which are
+groups that have another group as a member. For example:
+
+> dn: cn=sudoadm,ou=group,dc=example,dc=com
+> cn: sudoadm
+> objectClass: groupOfNames
+> member: uid=john,ou=people,dc=example,dc=com
+> member: cn=accountadm,ou=group,dc=example,dc=com
+>
+> dn: cn=accountadm,ou=group,dc=example,dc=com
+> cn: accountadm
+> objectClass: groupOfNames
+> member: uid=mary,ou=people,dc=example,dc=com
+
+If we use standard group ACLs with the above entries and allow members of the
+{{F:sudoadm}} group to write somewhere, {{F:mary}} won't be included:
+
+> access to dn.subtree="ou=sudoers,dc=example,dc=com"
+>         by group.exact="cn=sudoadm,ou=group,dc=example,dc=com" write
+>         by * read
+
+With sets we can make the ACL be recursive and consider group within groups. So
+for each member that is a group, it is further expanded:
+
+> access to dn.subtree="ou=sudoers,dc=example,dc=com"
+>       by set="[cn=sudoadm,ou=group,dc=example,dc=com]/member* & user" write
+>       by * read
+
+This set ACL means: take the {{F:cn=sudoadm}} DN, check its {{F:member}}
+attribute(s) (where the "{{F:*}}" means recursively) and intersect the result
+with the authenticated user's DN. If the result is non-empty, the ACL is
+considered a match and write access is granted.
+
+The following drawing explains how this set is built:
+!import "set-recursivegroup.png"; align="center"; title="Building a recursive group"
+FT[align="Center"] Figure X.Y: Populating a recursive group set
+
+First we get the {{F:uid=john}} DN. This entry doesn't have a {{F:member}}
+attribute, so the expansion stops here.  Now we get to {{F:cn=accountadm}}.
+This one does have a {{F:member}} attribute, which is {{F:uid=mary}}. The
+{{F:uid=mary}} entry, however, doesn't have member, so we stop here again. The
+end comparison is:
+
+> {"uid=john,ou=people,dc=example,dc=com","uid=mary,ou=people,dc=example,dc=com"} & user
+
+If the authenticated user's DN is any one of those two, write access is
+granted. So this set will include {{F:mary}} in the {{F:sudoadm}} group and she
+will be allowed the write access.
+
+H3: Group ACLs without DN syntax
+
+The traditional group ACLs, and even the previous example about recursive groups, require
+that the members are specified as DNs instead of just usernames.
+
+With sets, however, it's also possible to use simple names in group ACLs, as this example will
+show.
+
+Let's say we want to allow members of the {{F:sudoadm}} group to write to the
+{{F:ou=suders}} branch of our tree. But our group definition now is using {{F:memberUid}} for
+the group members:
+
+> dn: cn=sudoadm,ou=group,dc=example,dc=com
+> cn: sudoadm
+> objectClass: posixGroup
+> gidNumber: 1000
+> memberUid: john
+
+With this type of group, we can't use group ACLs. But with a set ACL we can
+grant the desired access:
+
+> access to dn.subtree="ou=sudoers,dc=example,dc=com"
+>       by set="[cn=sudoadm,ou=group,dc=example,dc=com]/memberUid & user/uid" write
+>       by * read
+
+We use a simple intersection where we compare the {{F:uid}} attribute
+of the connecting (and authenticated) user with the {{F:memberUid}} attributes
+of the group. If they match, the intersection is non-empty and the ACL will
+grant write access.
+
+This drawing illustrates this set when the connecting user is authenticated as
+{{F:uid=john,ou=people,dc=example,dc=com}}:
+!import "set-memberUid.png"; align="center"; title="Sets with memberUid"
+FT[align="Center"] Figure X.Y: Sets with {{F:memberUid}}
+
+In this case, it's a match. If it were {{F:mary}} authenticating, however, she
+would be denied write access to {{F:ou=sudoers}} because her {{F:uid}}
+attribute is not listed in the group's {{F:memberUid}}.
+
+H3: Following references
+
+We will now show a quite powerful example of what can be done with sets. This
+example tends to make OpenLDAP administrators smile after they have understood
+it and its implications.
+
+Let's start with an user entry:
+
+> dn: uid=john,ou=people,dc=example,dc=com
+> uid: john
+> objectClass: inetOrgPerson
+> givenName: John
+> sn: Smith
+> cn: john
+> manager: uid=mary,ou=people,dc=example,dc=com
+
+Writing an ACL to allow the manager to update some attributes is quite simple
+using sets:
+
+> access to dn.exact="uid=john,ou=people,dc=example,dc=com"
+>    attrs=carLicense,homePhone,mobile,pager,telephoneNumber
+>    by self write
+>    by set="this/manager & user" write
+>    by * read
+
+In that set, {{F:this}} expands to the entry being accessed, so that
+{{F:this/manager}} expands to {{F:uid=mary,ou=people,dc=example,dc=com}} when
+john's entry is accessed.  If the manager herself is accessing John's entry,
+the ACL will match and write access to those attributes will be granted.
+
+So far, this same behavior can be obtained with the {{F:dnattr}} keyword. With
+sets, however, we can further enhance this ACL. Let's say we want to allow the
+secretary of the manager to also update these attributes. This is how we do it:
+
+> access to dn.exact="uid=john,ou=people,dc=example,dc=com"
+>    attrs=carLicense,homePhone,mobile,pager,telephoneNumber
+>    by self write
+>    by set="this/manager & user" write
+>    by set="this/manager/secretary & user" write
+>    by * read
+
+Now we need a picture to help explain what is happening here (entries shortened
+for clarity):
+
+!import "set-following-references.png"; align="center"; title="Sets jumping through entries"
+FT[align="Center"] Figure X.Y: Sets jumping through entries
+
+In this example, Jane is the secretary of Mary, which is the manager of John.
+This whole relationship is defined with the {{F:manager}} and {{F:secretary}}
+attributes, which are both of the distinguishedName syntax (i.e., full DNs).
+So, when the {{F:uid=john}} entry is being accessed, the
+{{F:this/manager/secretary}} set becomes
+{{F:{"uid=jane,ou=people,dc=example,dc=com"}}} (follow the references in the
+picture):
+
+> this = [uid=john,ou=people,dc=example,dc=com]
+> this/manager = \
+>   [uid=john,ou=people,dc=example,dc=com]/manager = uid=mary,ou=people,dc=example,dc=com
+> this/manager/secretary = \
+>   [uid=mary,ou=people,dc=example,dc=com]/secretary = uid=jane,ou=people,dc=example,dc=com
+
+The end result is that when Jane accesses John's entry, she will be granted
+write access to the specified attributes. Better yet, this will happen to any
+entry she accesses which has Mary as the manager.
+
+This is all cool and nice, but perhaps gives to much power to secretaries. Maybe we need to further
+restrict it. For example, let's only allow executive secretaries to have this power:
+
+> access to dn.exact="uid=john,ou=people,dc=example,dc=com"
+>   attrs=carLicense,homePhone,mobile,pager,telephoneNumber
+>   by self write
+>   by set="this/manager & user" write
+>   by set="this/manager/secretary & 
+>           [cn=executive,ou=group,dc=example,dc=com]/member* & 
+>           user" write
+>   by * read
+
+It's almost the same ACL as before, but we now also require that the connecting user be a member
+of the (possibly nested) {{F:cn=executive}} group.
+
+
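Review bot: the rootdn-protection ACL in the "Controlling rootdn access" section uses unanchored peername regexes ("by peername.regex=127\.0\.0\.1 auth" and "by peername.regex=192\.168\.0\..* auth") even though the chapter's own "Tips for using regular expressions" section tells readers to always anchor with ^ and $ and to avoid regex styles where a cheaper exact style exists; an unanchored pattern matches any peername string that merely contains the substring, so this example should be anchored or, better, rewritten with the exact style slapd.access(5) provides for this purpose (peername.ip=127.0.0.1 and peername.ip=192.168.0.0%255.255.255.0), which is both cheaper and free of substring surprises. Two further examples do not behave as their text claims: in "Allowing entry creation" both DIT sketches use ou=addressbooks while both access regexes match ou=addressbook, so the rules never fire against the tree shown and every request falls through to "by * none"; and in the last "Tips" example the clause 'by dn.regex="^[^,],ou=Admin,dc=$1,dc=$2$$" write' uses [^,] without a +, so it matches only a one-character RDN value and is not "correct" as the paragraph says (it should read [^,]+). Editorial leftovers that should not ship in the guide: the placeholder "Discuss slap* -f slapd.conf -F slapd.d/  (man slapd-config)" standing alone under the Converting heading, and "(Add more examples for above)" after the subtree-write example; broken SDF markup {[slapd.d}} and {[dn}} (should be {{...}}), "{{slapd}}(8))" with a stray parenthesis, and "dn.exact<pattern>" missing its "="; and the typos "a empty DN", "self my write", "ou=suders", "this this group" and "gives to much power".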

Modified: openldap/trunk/doc/guide/admin/admin.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/admin.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/admin.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/admin.sdf,v 1.2.2.4 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/admin.sdf,v 1.2.2.5 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 #
 # guide.sdf 

Modified: openldap/trunk/doc/guide/admin/appendix-changes.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/appendix-changes.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/appendix-changes.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/appendix-changes.sdf,v 1.8.2.3 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/appendix-changes.sdf,v 1.8.2.6 2008/04/14 22:36:18 quanah Exp $
+# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Changes Since Previous Release
@@ -15,6 +15,7 @@
 * {{SECT:When should I use LDAP?}}
 * {{SECT:When should I not use LDAP?}}
 * {{SECT:LDAP vs RDBMS}}
+* {{SECT:Access Control}}
 * {{SECT:Backends}}
 * {{SECT:Overlays}}
 * {{SECT:Replication}}
@@ -178,7 +179,11 @@
 * monitoring of back-{b,h}db: cache fill-in, non-indexed searches,
 * session tracking control (draft-wahl-ldap-session)
 * subtree delete in back-sql (draft-armijo-ldap-treedelete)
+* sorted values in multivalued attributes for faster matching 
+* lightweight dispatcher for greater throughput under heavy load and on
+multiprocessor machines. (33% faster than 2.3 on AMD quad-socket dual-core server.)
 
+
 H3: New features in libldap
 
 * ldap_sync client API (LDAP Content Sync Operation, RFC 4533)
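Review bot: the new bullet "lightweight dispatcher for greater throughput ... (33% faster than 2.3 on AMD quad-socket dual-core server.)" gives a benchmark figure with no workload, 2.4 release or measurement method, so a reader of the changes appendix cannot reproduce or verify it; either name the test that produced the number or drop the parenthetical and keep the qualitative claim. Minor: the line "* sorted values in multivalued attributes for faster matching " carries trailing whitespace, and the added empty "+" line leaves two blank lines before "H3: New features in libldap" where the rest of the file uses one.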

Modified: openldap/trunk/doc/guide/admin/appendix-common-errors.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/appendix-common-errors.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/appendix-common-errors.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/appendix-common-errors.sdf,v 1.4.2.2 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/appendix-common-errors.sdf,v 1.4.2.3 2008/02/11 23:26:39 kurt Exp $
+# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Common errors encountered when using OpenLDAP Software

Modified: openldap/trunk/doc/guide/admin/appendix-configs.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/appendix-configs.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/appendix-configs.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/appendix-configs.sdf,v 1.2.2.3 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/appendix-configs.sdf,v 1.2.2.4 2008/02/11 23:26:39 kurt Exp $
+# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Configuration File Examples

Modified: openldap/trunk/doc/guide/admin/appendix-contrib.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/appendix-contrib.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/appendix-contrib.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/appendix-contrib.sdf,v 1.1.2.2 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/appendix-contrib.sdf,v 1.1.2.3 2008/02/11 23:26:39 kurt Exp $
+# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: OpenLDAP Software Contributions

Modified: openldap/trunk/doc/guide/admin/appendix-deployments.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/appendix-deployments.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/appendix-deployments.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/appendix-deployments.sdf,v 1.1.2.2 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/appendix-deployments.sdf,v 1.1.2.3 2008/02/11 23:26:39 kurt Exp $
+# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Real World OpenLDAP Deployments and Examples

Modified: openldap/trunk/doc/guide/admin/appendix-ldap-result-codes.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/appendix-ldap-result-codes.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/appendix-ldap-result-codes.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/appendix-ldap-result-codes.sdf,v 1.1.2.3 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/appendix-ldap-result-codes.sdf,v 1.1.2.4 2008/02/11 23:26:39 kurt Exp $
+# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1:  LDAP Result Codes

Modified: openldap/trunk/doc/guide/admin/appendix-recommended-versions.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/appendix-recommended-versions.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/appendix-recommended-versions.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/appendix-recommended-versions.sdf,v 1.3.2.2 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/appendix-recommended-versions.sdf,v 1.3.2.3 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Recommended OpenLDAP Software Dependency Versions

Modified: openldap/trunk/doc/guide/admin/appendix-upgrading.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/appendix-upgrading.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/appendix-upgrading.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/appendix-upgrading.sdf,v 1.1.2.3 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/appendix-upgrading.sdf,v 1.1.2.4 2008/02/11 23:26:39 kurt Exp $
+# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Upgrading from 2.3.x

Modified: openldap/trunk/doc/guide/admin/aspell.en.pws
===================================================================
--- openldap/trunk/doc/guide/admin/aspell.en.pws	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/aspell.en.pws	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,1492 +1,1599 @@
-personal_ws-1.1 en 1491 
-nattrsets
-inappropriateAuthentication
+personal_ws-1.1 en 1598 
+commonName
+bla
+Masarati
+subjectAltName
 api
-olcAttributeTypes
 BhY
-reqEnd
-olcOverlayConfig
-shoesize
-olcTLSCACertificateFile
+olcSyncrepl
+olcSyncRepl
+adamsom
+adamson
+CER
+intermediateResponse
+bjensen
+cdx
 CGI
-cdx
 DCE
 DAP
-attributename
-lsei
-dbconfig
+chainingRequired
 arg
-kurt
-authzID
-authzid
-authzId
+ddd
 DAs
-ddd
-userApplications
+TLSCACertificateFile
 BNF
-attrs
-mixin
-wholeSubtree
-chainingRequired
-ldapport
-hallvard
+TLSEphemeralDHParamFile
+ppolicy
 ASN
-acknowledgements
+ava
 Chu
-ava
-monitorCounter
 del
+libexecdir
 DDR
-testObject
-OrgPerson
-IGJlZ
-olcUpdateref
+numericoid
+dsaschema
 ECC
-deleteDN
 cli
-ltdl
-CAPI
+DIB
 dev
-serverctrls
-olcDbDirectory
-xvfB
+reqNewSuperior
+librewrite
+memberOf
+memberof
 BSI
-modv
-nonleaf
-errCode
-PhotoURI
+updateref
 buf
-cdef
-monitorConnectionLocalAddress
+changetype
 dir
 EGD
+pwdMustChange
+Debian
 dit
-retoidp
-ando
+AlmostASearchRequest
+EXEEXT
 edu
-caseExactSubstringsMatch
-bvstrdup
-AUTHNAME
-memrealloc
-auditExtended
-replog
-ludp
-metainformation
+Heimdal
+organizationalPerson
+olcTimeLimit
+CAPI
+tokenization
+INSTALLFLAGS
 CRL
+reqcert
 CRP
-olcReferral
-XLDFLAGS
-metadirectory
+postread
 csn
-siiiib
-stateful
-olcModulePath
-maxentries
-authc
-seeAlso
-searchbase
-searchBase
-realnamingcontext
+xvfB
+neverDerefaliases
+dns
+DN's
+DNs
 dn's
-DNs
-DN's
-dns
-dereference
-sortKey
-authzTo
-lossy
+cdef
+Helvetica
+DOP
+requestdata
 gcc
+gecos
+reqData
 CWD
-lssl
-organizationalRole
+ando
+reqDeleteOldRDN
 DSA
-derefInSearching
-pwdGraceUseTime
+msgfree
 DSE
-groupOfURLs
-modrdn
-ModRDN
-modrDN
-pwdFailureCountInterval
-homePhone
+keycol
+dlopen
 eng
-paramName
-errUnsolicitedData
-Heimdal
+AttributeValue
+attributevalue
 EOF
-authz
-XINCPATH
-LTFINISH
-plaintext
-indices
-reqAssertion
-olcDbUri
+DUA
+inputfile
+DSP
+refreshDone
 dst
+NOSYNC
 env
-oplist
-MirrorMode
-mirrormode
-objclass
-Bint
 dup
 hdb
+LDIFv
+syslog
+monitorTimestamp
+subschemaSubentry
+interoperate
 gid
-stderr
-caseIgnoreOrderingMatch
-moduledir
 gif
-jpegPhoto
-lsasl
-judgmentday
-prepend
-subentry
-dbcache
-mkversion
-objectClasses
-objectclasses
-adminLimitExceeded
-searchResultReference
+memfree
+struct
+IAB
 fmt
-qdescrs
-olcSuffix
-objectClassModsProhibited
-unavailableCriticalExtension
-supportedControl
+SysNet
+olcConstraintAttribute
 GHz
-libpath
-INADDR
-compareDN
-sizelimit
-unixODBC
-notAllowedOnNonLeaf
-APIs
-blen
-attrsOnly
-attrsonly
-slappasswd
-referralsPreferred
-oids
-OIDs
-wBDARESEhgVG
-syncIdSet
-olcTLSCipherSuite
-username
-aliasProblem
-sizeLimitExceeded
-subst
+Bint
+memalloc
+FSF
+usernames
+strtol
 idl
-chroot
+IDN
+DESTDIR
 iff
-auditDelete
-numbits
+contextCSN
+auditModify
+auditSearch
+openldap
+OpenLDAP
+resultCode
+resultcode
+sysconfig
+indices
+blen
+APIs
+lresolv
+Contribware
+directoryString
+database's
+iscritical
+gss
 ZKKuqbEKJfKSXhUbHG
-reqRespControls
-TLSCertificateKeyFile
-olcAccess
-aliasDereferencingProblem
-proxyTemplates
-neverDerefaliases
-RootDN
-rootdn
-loglevel
+invalidAttributeSyntax
+subtree
+Kartik
+newparent
+memcalloc
+ing
+filtertype
+regcomp
+ldapmodify
+includedir
+IPC
+resync
+ldapsearch
+reqAttr
+dynlist
 args
-caseExactOrderingMatch
-olcDbQuarantine
-RELEASEDATE
-baseDN
-basedn
+hardcoded
 argv
-gss
-schemachecking
-whoami
-WhoAmI
-syslogd
-dataflow
-subentries
-attrpair
-balancer
-entryAlreadyExists
-BerkeleyDB's
+kdz
 notAllowedOnRDN
-singleLevel
-entryDN
-dSAOperation
-includedir
-inplace
-LDAPAPIFeatureInfo
-logbase
-ldapmaster
-ing
-moduleload
-IPC
-Makefile
-getpid
-GETREALM
-numericString
-MANSECT
-XXXX
-domainstyle
-bvarray
-Choi
-iscritical
-subschema
-slapindex
-plugin
-distinguishedNameMatch
-derefAliases
-baseObject
-kdz
-reqMod
+hostport
+starttls
+StartTLS
 ldb
-srcdir
-pwdExpireWarning
+servercredp
 ldd
-localstatedir
-sockbuf
-PENs
 ipv
 IPv
-ghenry
 hyc
-multimaster
-noop
-DEFS
 joe
-testAttr
-syncrepl
-pwdFailureTime
-timestamp
-whitespaces
+bindmethods
+armijo
+ldp
 ISP
-ldp
-monitorInfo
-PDUs
-bjensen
-newPasswd
-irresponsive
 len
-perl
-dynlist
-browseable
-posixGroup
-attrvalue
-pers
-retcode
-rootpw
-matchedDN
-auditReadObject
-idletimeout
-intermediateResponse
-myOID
-structuralObjectClass
-integerMatch
-openldap
-OpenLDAP
-moddn
-rewriteEngine
-AVAs
-accesslog
-searchDN
-reqOld
+carLicense
+Choi
+Clatworthy
+scherr
+virtualnamingcontext
+ITU
+XXXX
+Stringprep
+Apurva
+labeledURI
+DEFS
 MDn
-aspell
-TLSCACertificateFile
+attrstyle
+directoryOperation
+creatorsName
 mem
-peername
-syncUUIDs
-database's
+oldpasswdfile
+oldPasswdFile
+uniqueMember
 krb
-bool
-logins
+libpath
+acknowledgements
 jts
-memberAttr
-newpasswdfile
-newPasswdFile
-ucdata
+createTimestamp
 LLL
-confdir
-invalidCredentials
-BerValues
-olcDbLinearIndex
-Elfrink
-AUTOREMOVE
-countp
-realloc
-bsize
-CThreads
-structs
+MIB
+OpenSSL
+openssl
+LOF
+AVAs
+associatedDomain
+organizationalRole
+initgroups
+olcDbCachesize
+olcDbCacheSize
+ETCDIR
+colaligns
+olcReadOnly
+olcReadonly
+reqResult
+LDAPMatchingRule
+bool
+LRL
+CPPFLAGS
+schemadir
 desc
-LTCOMPILE
-bindmethod
-olcDbCheckpoint
-addprinc
-modme
-refreshOnly
-PIII
-pwdPolicySubentry
-supportedSASLmechanism
-supportedSASLMechanism
-FIXME
-realanonymous
-caseExactMatch
-olcSizeLimit
-Bourne
-attr
-objectidentifier
-objectIdentifier
-refint
-msgtype
-OBJEXT
-LRL
-subtrees
-realdnattr
-entrymods
-admittable
-libtool's
-dupbv
-searchResultEntry
 lud
-modifyTimestamp
-TLSEphemeralDHParamFile
+newrdn
 LRU
-syncprov
-strvals
-preread
-auth
+memvfree
+dbtools
 nis
-regexec
-adamsom
-objclasses
-deallocation
-strdup
-gsMatch
-adamson
-UniqueName
+rewriteRule
+postoperation
 LVL
-ppErrStr
-DESTDIR
 oid
-saslpasswd
-interoperate
-bindwhen
-Solaris
-oOjM
 msg
-submatch
-refreshAndPersist
-monitorServer
-attributeUsage
-soelim
-objectIdentiferMatch
+attr
+caseExactOrderingMatch
+Subbarao
+aeeiib
+oidlen
+submatches
 olc
 PEM
-Autoconf
-alloc
 PDU
 OLF
-inetorgperson
-inetOrgPerson
-deleteoldrdn
-monitorCounterObject
+LDAPSchemaExtensionItem
+auth
+Pierangelo
+authzFrom
 pid
-CPAN
-sharedstatedir
+subdirectories
 OLP
-LDFLAGS
-dereferencing
-allop
-errcodep
-xeXBkeFxlZ
-accessor's
-extendedop
+pwdPolicyChecker
+subst
+singleLevel
+cleartext
+numattrsets
+requestDN
+caseExactSubstringsMatch
+PKI
+olcSyncProvConfig
 ple
 NTP
-reqSizeLimit
-ORed
+auditModRDN
+checkpointing
 NUL
-namingContexts
 num
-reqAttrsOnly
-ldappasswd
-online
-libdir
-unindexed
-ObjectClassDescription
-attrdesc
-jsmith
-efgh
-exopPasswdDN
-ranlib
-olcAttributeOptions
-lineno
-storages
-nameAndOptionalUID
+objectIdentifierMatch
+sharedstatedir
 png
-INCPATH
-organizationalPerson
-integerOrderingMatch
+CPAN
 OSI
-subschemaSubentry
-cond
-conf
+extendedop
+distinguishedName
+distinguishedname
+preinstalled
 rfc
-bvec
+LDAPCONF
 rdn
-ECHOPROMPT
-RDBM
-subany
-runningslapd
-configs
-datagram
-crlcheck
-conn
-builddir
+wZFQrDD
 OTP
-entrylimit
-attrdescN
-logold
+olcSizeLimit
 pos
 sbi
 PRD
-reqEntries
 pre
-bvals
-unixusers
-olcReadonly
-olcReadOnly
-pwdChangedTime
-mySQL
-DITs
+sudoadm
+stringal
+retoidp
 sdf
-suffixmassage
-referralDN
+efgh
+accesslog
 sed
-statslog
-perror
-ldapexop
-bvecadd
-distributedOperation
+cond
+qdescrs
+modifyDN
+conf
+ldapmodrdn
 sel
-versa
+bvec
 TBC
-telephonenumber
-telephoneNumber
-DLDAP
-peernamestyle
+stringbv
 Sep
 SHA
-filename
-rpath
-argsfile
 ptr
-INCDIR
+conn
 pwd
-dctree
+DISP
+newsup
 rnd
-quanah
-lastmod
 TCL
-sprintf
 shm
-logops
-dnattr
-subdir
-searchAttrDN
-cctrls
+DITs
 tcp
-kadmin
-undefinedAttributeType
-strlen
-spellcheck
-ludpp
-typedef
-olcDbIDLcacheSize
-ostring
-toolsets
-mwrscdx
+INCPATH
+RPC
+myOID
+supportedSASLMechanism
+supportedSASLmechanism
+realnamingcontext
 SMD
 UCD
-cancelled
-crit
-organizationalUnit
-lucyB
+keytab
+portnumber
+uncached
 slp
-rdns
-CPUs
+derefInSearching
+UMich's
 TGT
-modulepath
-quickstart
-mySNMP
+numbits
+sasldb
+UCS
+searchDN
+keytbl
 tgz
 UDP
-RDBMs
-rdbms
-Matic
-qdstring
-gunzip
-librewrite
+freemods
+prepend
+errText
+groupnaam
 UFl
 src
-lastName
+matchedDN
 ufn
-cron
-RelativeLDAPDN
+allusersgroup
+FIXME
 sql
-pwdPolicyChecker
 uid
-olcDbConfig
-refreshDone
+crit
+objectClassViolation
 ssf
-replogfile
+ldapfilter
 rwm
 TOC
 vec
-LDAPDN
-compareAttrDN
-endmacro
+pwdChangedTime
 tls
-repl
-monitoringslapd
-referralsp
+peernamestyle
+xpasswd
 tmp
 SRP
-olcDbNosync
-conns
 SSL
-PDkzODdASFxOQ
+dupbv
+CPUs
 SRV
+entrymods
 rwx
 sss
-deallocators
-Contribware
-URLlist
+reqNewRDN
+nopresent
+rebindproc
+olcOverlayConfig
 str
-subinitial
-CSNs
-sbin
-dbtools
-datasource
-sbio
-posp
-errText
-prepended
-labeledURI
-scdx
-startup
-const
-wBDABALD
-octetStringSubstringsStringMatch
+syncIdSet
+cron
+accesslevel
+accessor's
+keyval
+alloc
+saslpasswd
+README
+maxentries
 ttl
-bvalue
-bvdup
-stringa
-stringb
-hasSubordinates
-oldPasswd
+undefinedAttributeType
+peercred
 sys
-pwdPolicy
-slapd
-affectsMultipleDSAs
-sasl
-slapauth
-MANCOMPRESS
-octetStringOrderingStringMatch
-updatedn
-UpdateDN
-slapdindex
-searchFilter
+allop
+memberUid
+CSNs
+wildcards
 uri
-slapi
 tty
-liblunicode
 url
-entryExpireTimestamp
-priv
-slapo
+XED
+sortKey
 UTF
 vlv
-ctrl
 TXN
-virtualnamingcontext
-eatBlanks
-slimit
-ldaprc
+auditExtended
 usr
 txt
-proc
-generalizedTime
-loopback
-unmassaged
-mechs
-freemods
-initgroups
-auditCompare
+UTR
+XER
+olcDbIDLcacheSize
+namespace
+LDAPControl
+dbconfig
+olcAttributeOptions
+dsaparam
+searchResult
+ctrl
+ldapwhoami
+extensibleObject
+clientctrls
+monitorServer
+MANCOMPRESSSUFFIX
+memberAttr
+multiclassing
+memberURL
+sudoers
+pwdMaxFailure
+pseudorootdn
 GDBM
+LIBRELEASE
 DSAs
 DSA's
-dsaschema
-compareFalse
-resultCode
-resultcode
-noSuchObject
-params
-groupnummer
-searchEntryDN
-negttl
-chainingPreferred
-TABs
-retdatap
-errAuxObject
-postoperation
+realloc
+booleanMatch
+compareTrue
+mySQL
+passwd
+printf
+idassert
+rwxrwxrwx
+al
 realself
-olcPasswordHash
-concat
-debuglevel
-addAttrDN
-credp
-ldaphost
-pwdMaxFailure
-octetStringMatch
-extparam
-auditWriteObject
-colaligns
-Diffie
-offsite
-attributevalue
-AttributeValue
-SIGTERM
-MyCompany
-al
-AAQSkZJRgABAAAAAQABAAD
 cd
-contextCSN
 ar
-pthreads
-monitorTimestamp
+olcDatabaseConfig
 de
-reqAuthzID
-backend's
-backends
-requestName
+derated
+auditDelete
 cn
-lcrypto
-infodir
-groupstyle
-ldapsearch
+versa
 cp
-displayName
+bv
 eg
-bv
-olcBackendConfig
+fd
 dn
-fd
-LDAPSync
-olcReplicationInterval
 fG
-gidNumber
+DS
 fi
-Instanstantiation
+allmail
+du
 eq
-FIPS
+pwdAllowUserChange
 dx
 et
 eu
+syncUUIDs
 hh
-olcLogLevel
-slurpd
-logevels
+regexec
 IG
-addDN
-tbls
-ldapmodify
+msgidp
 kb
-syslog
+organizationalUnit
+Warper
+logfilter
 io
 ip
-dynacl
-aXRoIGEgc
-enum
-slapdconf
-reqFilter
+referralsRequired
 ld
-xyz
-TLSCertificateFile
-idassert
-failover
-kerberos
-lookups
+Matic
+regexes
+subfinal
+pseudorootpw
 md
+preread
+pwdMinLength
 iZ
-SysNet
-BerValue
-idlcachesize
-struct
-UCASE
-errno
-syslogged
+ldapdelete
+xyz
+RDBMs
+rdbms
+extparam
 mk
 ng
 oc
-invalidAttributeSyntax
-errOp
-pwdMaxAge
-insufficientAccessRights
-truelies
+FIPS
 NL
+logfiles
 mr
-reindex
-newentry
 ok
 mv
-preinstalled
-regex
-saslmech
+LTVERSION
+someotheruserid
 rc
-config
+realdn
 ou
-policyDN
+yyy
 sb
-olcSyncrepl
+enum
+auditContext
 QN
-strtol
-runtime
-NOSYNC
-slapover
+contrib
 RL
-sockname
-noSuchAttribute
-MANCOMPRESSSUFFIX
-makeinfo
-coltags
+errMatchedDN
+auditContainer
 ro
 rp
-EXEEXT
-sockurl
 th
 sn
 ru
 UG
 ss
+behera
+TP
 su
-TP
-reqMethod
-XLIBS
-PhotoObject
+invalidCredentials
 tt
-keycol
-namingContext
-rlookups
-searchstack
-NOECHOPROMPT
-sldb
+wildcard
 wi
-AlmostASearchRequest
+syslogd
+newPasswd
 xf
-param
-MChAODQ
-caseExactIA
+deallocation
+whitespaces
+retdatap
+attrlist
+Vu
 Za
-Vu
-idlecachesize
-objectClassViolation
-allusers
+PDkzODdASFxOQ
+MyOrganization
 ws
-errSleepTime
-INSTALLFLAGS
-pthread
-pwdHistory
+cacert
+notAllowedOnNonLeaf
+attrname
+olcTLSCipherSuite
 x's
-Debian
-slen
-errUnsolicitedOID
-dyngroup
-filtertype
-rewriteRules
-criticality
-preoperation
-smbk
-subord
-reqVersion
+xw
+octetStringMatch
+mechs
+ZZ
+LDVERSION
+testAttr
+backend
+backend's
+backends
+BerValues
+Solaris
+structs
+reqTimeLimit
+judgmentday
+reqAuthzID
 errp
-ZZ
-entryCSNs
-dlopen
-continuated
-newsuperior
-newSuperior
-Preprocessor
-XXLIBS
-deallocate
-reqScope
-llber
-bitstringa
-sbindir
-apache's
-noidlen
-monitorContext
-testrun
-resync
+ostring
+policyDN
+testObject
+pwdMaxAge
+bindDn
+bindDN
+binddn
+distributedOperation
+schemachecking
+strvals
+dataflow
+robert
 fqdn
-authPassword
-LDAPMatchingRule
-olcIdleTimeout
-treedelete
-auditAdd
-reqSession
-derated
-LDVERSION
+admittable
+Makefile
 IANA
-olcDbSearchStack
-bitstrings
-rscdx
-schemas
-minssf
-ldapadd
-pseudorootdn
-lldap
-gssapi
-applicatio
-nelems
-liblutil
-wrscdx
-scherr
-internet
-logfilter
-lutil
-themself
-libexec
-dnpattern
-proxying
-reqType
-Kartik
-libexecdir
-inetd
-pwdSafeModify
-contrib
-FQDNs
-bjorn
-myldap
-myLDAP
-peercred
-SNMP
-myObjectClass
-thru
-olcLastMod
-commonName
-testTwo
-olcFrontendConfig
-LDAPObjectClass
-attributeTypes
-LTINSTALL
-hostname
-Symas
-numattrsets
-msgid
-ldapmodrdn
-ldapbis
-attributeoptions
-serverID
-memberOf
-memberof
-pseudorootpw
-allmail
-CFLAGS
-operationsError
-substr
-pwdAllowUserChange
-rewriteRule
-XXXXXXXXXX
-credlen
-departmentNumber
-rewriteMap
-logfile
-vals
-LDAPAVA
-modifyAttrDN
-dcedn
-olcOverlay
+localhost
+offsite
+bindir
+fred
+olcUpdateref
+bindwhen
+UMLDAP
+searchResultDone
+MAXLEN
+pwdInHistory
+reqAttrsOnly
+sysconfdir
+searchResultReference
+olcAttributeTypes
+everytime
+protocolError
+errno
+errOp
+serverctrls
+recursivegroup
+integerMatch
+moduledir
+dynstyle
+bindpw
+AUTHNAME
+UniqueName
+saslmech
+pthreads
+IEEE
+regex
+SIGINT
+slappasswd
+errAbsObject
+errABsObject
+ldapexop
+objectidentifier
+objectIdentifier
+deallocators
+MirrorMode
+mirrormode
+loopDetect
+SIGHUP
+authMethodNotSupported
+IDNA
+bvecfree
+pwdLockoutDuration
+attrset
+displayName
+subentry
+reqScope
+oldPasswd
 exop
-berelement
-BerElement
-olcRootDN
-octetString
-SampleLDAP
+filtercomp
 expr
-allusersgroup
-PostgreSQL
-bvstr
-filesystem
-pathtest
-objectClass
-objectclass
-submatches
-newrdn
-armijo
-addBlanks
-reqMessage
+syntaxes
+memrealloc
+returnCode
+returncode
+OpenLDAP's
 exts
-SSHA
+bitstringa
+caseIgnoreOrderingMatch
+searchFilterAttrDN
 func
-filterlist
-modifyDN
 jane
-syncuser
-Masarati
-LDAPSyntax
-oldpasswdfile
-oldPasswdFile
-reqDN
-SSFs
+IESG
+llber
+attrval
 ietf
-unwillingToPerform
-oidlen
-searchFilterAttrDN
-CPPFLAGS
-slapadd
-Clatworthy
-urldesc
-substrings
-Apurva
-slapacl
-multiclassing
-monitoredInfo
-LTLINK
-addrdnvalues
-KTNAME
-ETCDIR
-reqId
-setspec
-scanf
-TLSv
-distinguishedname
-distinguishedName
-BerVarray
-caseIgnoreSubstrin
-ldapwhoami
-URLattr
-generalizedTimeOrderingMatch
-requestdata
-timelimit
-subr
+olcSchemaConfig
+bitstrings
+bvalues
+realdnattr
+attrpair
+affectsMultipleDSAs
+Preprocessor
+lastName
+lldap
 cachesize
-olcRootPW
-SSLv
-proxyOld
-domainScope
-LDAPMessage
-LTVERSION
-memalloc
-refreshDeletes
-BerkeleyDB
-pathspec
-uint
-Poitou
-whitespace
-dynstyle
-slaptest
-zeilenga
-WebUpdate
-numericoid
-changelog
-ChangeLog
-creatorsName
-ascii
-wahl
-uniqueMember
-slapcat
-lwrap
-ldapfilter
-errDisconnect
-sermersheim
-rootdns
-searchResult
-libtool
-servercredp
-AttributeTypeDescription
-LTFLAGS
-simplebinddn
-authcDN
-TLSCipherSuite
-supportedSASLMechanisms
-rootdse
-rootDSE
-dsaparam
-cachefree
-UMich's
-uidNumber
-schemadir
-attribute's
-extern
-varchar
-olcDbCacheSize
-olcDbCachesize
-authcid
-authcID
-POSIX
+slapauth
+attributetype
+attributeType
+GSER
+olcDbNosync
+typedef
+bjorn
+datagram
+strcasecmp
+selfstyle
+preoperation
+FQDNs
+exopPasswdDN
+userid
+subentries
+monitoredObject
+TLSVerifyClient
+noidlen
+LDAPNOINIT
+pwdGraceAuthNLimit
+pwdGraceAuthnLimit
 hnPk
-ldapext
-authzFrom
-Google
-olcSchemaConfig
-newsup
-sbiod
-XXXLIBS
-LDAPBASE
-Supr
-olcDatabaseConfig
-rwxrwxrwx
-aeeiib
-SUPs
-reqStart
-sasldb
-somevalue
-LIBRELEASE
-randkey
-starttls
-StartTLS
-LDAPSchemaExtensionItem
+userPassword
+noanonymous
+LIBVERSION
+symas
+dcedn
+sublevel
+chroot
+posixGroup
+nretries
+testgroup
+ldaphost
+frontend
+someotherdomain
+proxying
+organisations
+rewriteMap
+monitoredInfo
+modrdn
+ModRDN
+modrDN
+HREF
+inline
+multiproxy
+reqSizeLimit
+kerberos
+loglevel
+bvstrdup
 reqReferral
-shtool
-Pierangelo
-attrstyle
-backend
-portnumber
-subjectAltName
-errObject
-gsskrb
-valsort
-bervals
-berval's
-derefFindingBaseObj
-checkpointed
-keytab
-groupnaam
-frontend
-sctrls
-dbnum
-olcLdapConfig
-sessionlog
-attrset
-organizationPerson
-entryCSN
-strcast
-kbyte
-modifiersName
-keytbl
-olcHdbConfig
-constraintViolation
-README
-memcalloc
+rlookups
+siiiib
+LTSTATIC
+timeLimitExceeded
+timelimitExceeded
+XKYnrjvGT
+subtrees
+unixODBC
+hostnames
+AutoConfig
+libtool
+submatch
+reqDN
+dnstyle
 inet
-saslargs
-givenname
-givenName
-olcDbMode
-pidfile
-olcLimits
-memvfree
-tuple
-superset
-directoryString
-ktadd
-proxyTemplate
-proxytemplate
-wildcards
-monitoredObject
-TTLs
-LxsdLy
-olcTimeLimit
-stringal
+schemas
+pwdPolicySubEntry
+pwdPolicySubentry
+reqId
+scanf
+olcBackend
+TLSCACertificatePath
+Arial
 init
-Locators
-bvalues
-reqResult
+runtime
+onelevel
 impl
-strongerAuthRequired
-outvalue
-returnCode
-returncode
-attributeDescription
-attrval
-dnssrv
-ciphersuite
-auditlog
-reqControls
-protocolError
-notypes
-myAttributeType
-stringbv
-keyval
-calloc
-chmod
-Subbarao
-setstyle
-subdirectories
-errlist
-addpartial
-slapdn
-uncached
-ldapapiinfo
-groupOfUniqueNames
-dhparam
-slapd's
-slapds
-inputfile
-RDBMSes
-wildcard
-Locator
-errAbsObject
-errABsObject
-SASL's
+Autoconf
+stderr
+ascii
+MANCOMPRESS
+authPassword
+attrdescN
+aspell
+allusers
+statslog
+alwaysDerefAliases
+RELEASEDATE
+olcModuleList
+pwdSafeModify
 html
-searchResultDone
-olcBdbConfig
-ldapmod
-LDAPMod
-olcHidden
-userPassword
-TLSRandFile
-use'd
-auditBind
-requestDN
-lockdetect
-selfstyle
-liblber
-ERXRTc
-printf
-AutoConfig
-localhost
+multimaster
+testrun
+rewriteEngine
+slapdindex
+LTFINISH
+olcOverlay
 lber
-noprompt
-databasenumber
-hasSubordintes
-URIs
-denyop
+serverID
+blogs
+numResponses
 lang
-auditSearch
-ldapdelete
-reqTimeLimit
-cacertdir
-queryid
-Warper
-XDEFS
-urls
-URL's
-postalAddress
-postaladdress
-passwd
-plugins
-george
+POSIX
+pathname
+noSuchObject
+proxyOld
+berelement
+BerElement
+sbiod
+plugin
 http
-uppercased
-Poobah
-libldap
-invalidDNSyntax
+olcModuleLoad
 ldap
 ldbm
-ursula
-LDAPModifying
+numericStringSubstringsMatch
+internet
+storages
+whoami
+WhoAmI
+criticality
+addBlanks
+logins
+syncrepl
+dbnum
+operationsError
+homePhone
+testTwo
+ldif
+entryAlreadyExists
+plaintext
+someoneelse
+errDisconnect
+username
+accessee
+LDAPURLDesc
+ISOC
+IRTF
+jpeg
+ktadd
+tuple
+refint
+makeinfo
+chmod
+auditWriteObject
+Jong
+addressbooks
+setspec
+syncprov
+dctree
+hallvard
+cctrls
+debuglevel
+dSAOperation
+datadir
+slapadd
+reqFilter
+matcheddomain
+CThreads
+slapacl
+requestName
+randkey
+Cryptosystem
+groupOfNames
+themself
+jsmith
+filesystems
+lineno
+SASL's
+lockdetect
+addrdnvalues
+Hyuk
+rewriteContext
+soelim
 slapdconfig
-sysconfig
-dnSubtreeMatch
-olcSaslSecProps
-olcSaslSecprops
-auditModify
-groupOfNames
-jensen
-reloadHint
-prepending
-olcGlobal
-matchingRule
-matchingrule
-SmVuc
-MSSQL
-nisMailAlias
-hostnames
-ctrlp
+entrylimit
+departmentNumber
+immSupr
+addressbook
+pidfile
+online
+logold
+proxyattrset
+proxyAttrSet
+proxyAttrset
+mary
+crlcheck
+olcBdbConfig
+kadmin
+mech
+slapcat
+insufficientAccessRights
+XDEFS
+olcDbLinearIndex
+MKDEPFLAG
+rootdns
+caseExactIA
+notypes
+numericStringMatch
+octothorpe
 lltdl
-ctrls
+rootDSE
+rootdse
+logops
 rewriter
-secprops
-namespace
-whsp
-realusers
-dnstyle
-suffixalias
-proxyAttrset
-proxyAttrSet
-proxyattrset
-pwdMustChange
-ldif
-bvfree
-sleeptime
-pwdCheckQuality
-msgidp
-confidentialityRequired
-pwdAttribute
-authMethodNotSupported
 chown
+attributeUsage
+slapdconf
+olcDbUri
+subany
+Authorizaiton
+bvalue
+manpage
+olcLimits
 PRNGD
-LDAPRDN
-entryUUIDs
-proxycache
-proxyCache
-SERATGCgaGBYWGDEjJR
-noanonymous
-accessee
-createTimestamp
-nretries
-auditAbandon
-LDAPAttributeType
+BerVarray
+abcdefgh
+matchingrule
+matchingRule
+modifiersName
+inetOrgPerson
+inetorgperson
+secprops
 logdb
+postaladdress
+postalAddress
+quanah
+ManageDsaIT
+manageDSAit
+subinitial
 procs
-realdn
-alwaysDerefAliases
-ppolicy
-jpeg
-functionalities
-pcache
-caseIgnoreMatch
-sysconfdir
-checkpointing
-rebindproc
-dryrun
-noplain
-exattrs
-Jong
-ldaptcl
-proxied
-firstName
-accesslevel
+varchar
+RDBMSes
+XLDFLAGS
+caseExactMatch
+urldesc
+liblutil
+olcObjectIdentifier
+subdir
+suffixmassage
+auditAdd
+pwdMinAge
+olcModulePath
+URLattr
+reqSession
 login
-rewriteContext
-dcObject
-newparent
-numericStringMatch
-TLSVerifyClient
-subtree
-multi
-immSupr
-manpage
-assciated
-wZFQrDD
-serverctrlsp
-onelevel
-abcd
-reqcert
-referralsRequired
-Hyuk
-olcServerID
-reqDerefAliases
+RetCodes
+userApplications
+NDBM
 newSuperiorDN
-passwdfile
-errMatchedDN
-everytime
+browseable
+auditBind
+setstyle
+newSuperior
+newsuperior
+concat
+realanonymous
+invalue
+refreshOnly
+filesystem
+Naur
+unwillingToPerform
+PhotoURI
+MyCompany
 mkdep
-olcDbindex
-olcDbIndex
-syntaxOID
-reqData
-databasetype
-woid
-numericStringOrderingMatch
-clientctrls
-inappropriateMatching
-RetCodes
-ldapc
-pwdAccountLockedTime
-attrtype
-LIBVERSION
+idlcachesize
+irresponsive
+readOnly
+readonly
+CLDAP
 proto
-endif
-logfiles
-reqNewRDN
-ldapi
-notoc
-matcheddnp
 mkdir
-mech
-pwdMinAge
-ldaps
-userCertificate
-LDAPv
-IPsec
-tokenization
-olcModuleList
-robert
-generalizedTimeMatch
-UMLDAP
-OpenLDAP's
-lookup
-ABNF
-olcDbShmKey
-pwdLockoutDuration
-TLSCACertificatePath
-ldapuri
-ldapurl
-ACIs
-behera
-olcObjectIdentifier
-endblock
+peername
+pwdFailureTime
+compareDN
+reqVersion
+negttl
+logevels
+AAQSkZJRgABAAAAAQABAAD
+strcast
+failover
+constraintViolation
+cacheable
+sambaPwdCanChange
+errCode
+queryid
+olcReferral
+dynacl
+mkln
+structuralObjectClass
 proxyAuthz
-pagedResults
-saslBindInProgress
-bitstring
-ACLs
-berptr
-olcModuleLoad
-namingViolation
-attributetype
-attributeType
-auditModRDN
-cacert
-memberUid
-freebuf
+config
 IDSET
-pwdGraceAuthnLimit
-invalue
-XKYnrjvGT
-srvtab
-referralAttrDN
-requestoid
+ODBC
+searchFilter
+wholeSubtree
+SASLprep
+nisMailAlias
+attributeDescription
+groupnummer
+lsei
+kurt
+OrgPerson
+generalizedTime
+filename
+pwdCheckQuality
+methodp
+Verdana
+deref
+proxied
+endmacro
+backload
+ECHOPROMPT
+bvarray
+ltdl
+slapdconfigfile
+modv
+ObjectClassDescription
+truelies
+slurpd
 basename
-substring
-booleanMatch
-babs
+groupOfUniqueNames
+DHAVE
+ludp
+entryUUID
+ldapapiinfo
+SampleLDAP
+compareAttrDN
+lssl
+newentry
+applicatio
+addpartial
+confdir
+entryDN
+pwdFailureCountInterval
+XXXLIBS
+Kumar
+LTHREAD
+distinguishedNameMatch
+timestamp
+UUIDs
+olcDbCheckpoint
+LTINSTALL
+gssapi
+continuated
+localstatedir
+devel
+errcodep
+Elfrink
+olcPidFile
+attribute's
 pPasswd
-msgfree
-slapdconfigfile
+metadirectory
+assciated
+myObjectClass
+OIDs
+oids
+sermersheim
+chainingPreferred
+CFLAGS
+minssf
+ModName
+attrs
+typeA
+objclasses
+typeB
+nelems
+subord
+namingViolation
+inappropriateAuthentication
+mixin
+suders
+syntaxOID
+olcTLSCACertificateFile
+IGJlZ
+TLSCipherSuite
+auditlog
+runningslapd
+myLDAP
+myldap
+configs
+datasource
+refreshAndPersist
+authc
+PENs
+referralDN
+MANAGERDN
+noop
+errObject
+XXLIBS
+reqAssertion
+PDUs
+baseObject
+bvecadd
+perl
+inplace
+lossy
+pers
+authz
+pwdReset
+wrscdx
+adminLimitExceeded
+LDAPMessage
+serverctrlsp
+simplebinddn
+nonleaf
+compareFalse
+lsasl
+caseIgnoreSubstringsMatch
+AUTOREMOVE
+mydc
+searchResultEntry
+PIII
+olcDbShmKey
+substr
+reqRespControls
+XXXXXXXXXX
+MANSECT
+bindmethod
+KTNAME
+referralsp
+pwdExpireWarning
+suretecsystems
+timeval
+LTLINK
+gsMatch
+attributeTypes
+pwdCheckModule
 olcDatabase
-builtin
-hardcoded
-SIGINT
-MAXLEN
-xpasswd
-cleartext
-extensibleObject
+PKCS
+syncuser
+oOjM
+extern
+dcObject
+supportedControl
+addprinc
+logbase
+filterlist
+generalizedTimeMatch
+Google
+sessionlog
+balancer
+NSSR
+PKIX
+urandom
+derefFindingBaseObj
+Poitou
+dereferencing
+dereferenced
+ORed
+caseIgnoreSubstrin
+superset
+Locators
+qdstring
+olcAccess
+dereferences
+shoesize
+monitorContext
+RDBM
+PostgreSQL
+ppErrStr
+olcFrontendConfig
+aliasDereferencingProblem
+gsskrb
+unindexed
+whitespace
+seeAlso
+monitorRuntimeConfig
+olcAuditlogFile
+namingContexts
+referralAttrDN
+idlecachesize
+moddn
+calloc
+LDFLAGS
+attributeOrValueExists
+olcHdbConfig
+bsize
+auditObject
+dnssrv
+dynamicObject
+objectclass
+objectClass
+sizeLimitExceeded
+accountadm
+reqControls
+modme
+shtool
+aXRoIGEgc
+RDNs
+rdns
+modifyTimestamp
+objectIdentiferMatch
+sleeptime
+derefAliases
+pagedResults
+denyop
+sctrls
+ldapport
+octetString
+repl
+ERXRTc
+LxsdLy
+lastmod
+integerOrderingMatch
+searchEntryDN
 pwdLockout
-SIGHUP
-reqDeleteOldRDN
-reqAttr
-subfinal
+sbin
+olcSuffix
+sbio
+posp
+TLSCertificateKeyFile
+george
+LDAPSyntax
+apache's
+scdx
+someuserid
+attrtype
+msgtype
+pathtest
+ldapcompare
+coltags
+sasl
+unixusers
+bvfree
+xeXBkeFxlZ
+priv
+proxyTemplates
+bvals
+givenName
+givenname
+jensen
+auditReadObject
+proc
+unavailableCriticalExtension
+slapdn
+noSuchAttribute
+retcode
+slapds
+slapd's
+DLDAP
+TABs
+dyngroup
+pathspec
+domainstyle
+requestoid
+rpath
+Blowfish
+dryrun
+Poobah
+searchable
+SDSE
+olcDbDirectory
+ludpp
+spellcheck
+logsuccess
+lucyB
+entryUUIDs
+reqEntries
+sockbuf
+olcSaslSecprops
+olcSaslSecProps
+dnSubtreeMatch
+conns
+pcache
+ChangeLog
+changelog
+ursula
+monitorConnectionLocalAddress
+requestor's
+requestors
+TLSCertificateFile
+pwdPolicy
+infodir
+suretec
+tbls
+const
+bvdup
+mkversion
+olcDbSearchStack
+numericStringOrderingMatch
+checkpointed
+strongerAuthRequired
+treedelete
+olcObjectClasses
+berptr
+errSleepTime
+substrings
+slapd
+sambaNTPassword
+slapi
+lcrypto
+slapo
+mwrscdx
+credlen
+deleteDN
+substring
+prepending
+sldb
+credp
+numEntries
+searchBase
+searchbase
 berval
-octothorpe
+slen
+lookup
+databasetype
+rewriteRules
+smbk
+userCertificate
+entryCSN
+errAuxObject
+replogfile
+reloadhint
+reloadHint
+moduleload
+hasSubordinates
+contextp
+LDAPModifying
+nameAndOptionalUID
+addDN
+berval's
+bervals
+passwdfile
+reqDerefAliases
+authcDN
+groupstyle
+cancelled
+stateful
+proxytemplate
+proxyTemplate
+entryExpireTimestamp
+referralsPreferred
+authcID
+authcid
+AuthcId
+MChAODQ
+lookups
+GnuTLS
+GNUtls
+gnutls
 LTONLY
-filesystems
-urandom
-NDBM
-abcdefgh
-olcBackend
-errmsgp
-boolean
-updateref
-regcomp
-contextp
-filtercomp
-LDAPNOINIT
-deref
-preallocated
-syntaxes
-memberURL
-monitorRuntimeConfig
-bindDn
-bindDN
-binddn
-methodp
-timeLimitExceeded
-timelimitExceeded
-pwdInHistory
-LTSTATIC
-requestors
-requestor's
-LDAPCONF
+SNMP
+timelimit
+UCASE
+thru
 saslauthd
-MKDEPFLAG
-gecos
-entryUUID
-gnutls
-GNUtls
-GnuTLS
-postread
-timeval
-DHAVE
-loopDetect
-caseIgnoreSubstringsMatch
+logpurge
+SMTP
+srvtab
+ldapadd
+sprintf
+monitorCounterObject
+Instanstantiation
+olcDbConfig
+olcLastMod
+vals
+param
+matcheddnp
+malloc
+XLIBS
+freeit
+invalidDNSyntax
+zeilenga
+addAttrDN
+syncdata
+somedomain
+attrsonly
+attrsOnly
+numericString
+libexec
+entryCSNs
+noprompt
+LTCOMPILE
+ldapbis
+SSHA
+mandir
+RXER
+SSFs
+octetStringOrderingStringMatch
+auditCompare
+pEntry
+endblock
+LDAPAVA
+startup
+olcReplicationInterval
+TLSv
+libtool's
+slapindex
+rscdx
+dhparam
+subr
+SSLv
+SIGTERM
+liblunicode
+uint
+stringa
+reindex
+stringb
+lutil
+inetd
+SERATGCgaGBYWGDEjJR
+wahl
+olcDbQuarantine
+reqEnd
+modifyAttrDN
+monitorContainer
+searchstack
+cachefree
+errUnsolicitedOID
+WebUpdate
+RelativeLDAPDN
+URLlist
+monitorInfo
+argsfile
+attrvalue
+deallocate
+msgid
+modulepath
+logfile
+Supr
+inappropriateMatching
+SUPs
+myAttributeType
+BerValue
+basedn
+baseDN
+bvstr
+replog
+adressbooks
+databasenumber
+subschema
+PhotoObject
+INADDR
+pthread
+errlist
+olcDbIndex
+olcDbindex
+ldapext
+caseIgnoreMatch
+suffixalias
+sbindir
+gidNumber
+LDAPSync
+bitstring
+objclass
+oplist
+LDAPObjectClass
+sockurl
+somevalue
+getpid
 monitorIsShadow
-syncdata
-BDB's
-olcPidFile
-hostport
-backload
-bindir
-olcObjectClasses
-auditObject
-LDIFv
-strcasecmp
-LTHREAD
-dereferenced
+confidentialityRequired
+groupOfURLs
+preallocated
+hostname
+TTLs
+attrdesc
+ghenry
+reqType
+slapover
+BerkeleyDB's
+attributename
+lwrap
+reqStart
+errUnsolicitedData
+objectclasses
+objectClasses
+countp
+dereference
+sizelimit
+use'd
+rootdn
+RootDN
+LTFLAGS
+Bourne
+URIs
+pwdAttribute
+uppercased
+cacertdir
+ciphersuite
+URL's
+urls
+olcAuditLogConfig
+reqMod
+pwdHistory
 entryTtl
-LDAPControl
-pwdMinLength
-ldapcompare
-readonly
-readOnly
+olcIdleTimeout
+TLSRandFile
+unmassaged
+LDAPMod
+ldapmod
+srcdir
+someSSHAdata
+whsp
+exattrs
+reqOld
+kbyte
+monitorCounter
+quickstart
+UUID
+olcConstraintConfig
+roleOccupant
+rootpw
+veryclean
+syslogged
+olcRootDN
+idletimeout
+sockname
+telephoneNumber
+telephonenumber
+objectClassModsProhibited
+nattrsets
+saslargs
+OBJEXT
+LDAPAttributeType
+newPasswdFile
+newpasswdfile
+boolean
+liblber
+ucdata
+toolsets
+builddir
+builtin
+matcheduid
+Locator
+ldapmaster
+olcMirrorMode
+libldap
+refreshDeletes
+aliasProblem
+eMail
+outvalue
+LDAPRDN
+olcBackendConfig
+wBDABALD
+libdir
+deleteoldrdn
+abcd
+olcRootPW
+dnattr
+AttributeTypeDescription
+strdup
+domainScope
+prepended
+saslBindInProgress
+olcDbMode
+selfwrite
+olcLdapConfig
+pwdGraceUseTime
+titleCatalog
+woid
+organizationPerson
+ldaptcl
+INCDIR
+ACDF
+realusers
+ranlib
+eatBlanks
+reqMessage
+paramName
+ctrlp
+freebuf
+ctrls
+firstName
+ABNF
+dnpattern
+perror
+MSSQL
+SmVuc
+ACIs
+errmsgp
+authzDN
+gunzip
+jpegPhoto
+supportedSASLMechanisms
+ACLs
+reqMethod
+authzId
+authzid
+authzID
+hasSubordintes
+proxyCache
+proxycache
+slaptest
+olcLogLevel
+LDAPDN
+XINCPATH
+monitoringslapd
+babs
+DSAIT
+olcHidden
+mySNMP
+metainformation
+BerkeleyDB
+ldapuri
+auditAbandon
 RANDFILE
-attrlist
+ldapurl
+strlen
+pwdAccountLockedTime
+searchAttrDN
+dbcache
+sambaPwdLastSet
+wBDARESEhgVG
+multi
+aaa
+ldaprc
+updatedn
+UpdateDN
+LDAPBASE
+LDAPAPIFeatureInfo
+authzTo
+valsort
+plugins
+Diffie
+ldappasswd
+olcGlobal
+ABI
 aci
-directoryOperation
-compareTrue
-selfwrite
-pwdReset
+endif
+unescaped
 acl
-attrname
 ADH
-searchable
-bindmethods
-logpurge
-reqNewSuperior
-multiproxy
-dereferences
-datadir
-malloc
-UUIDs
-veryclean
-userid
-Kumar
+olcPasswordHash
+ldapc
+loopback
+ldapi
+BDB's
+GETREALM
+functionalities
+noplain
+NOECHOPROMPT
 AES
+ldaps
+notoc
 bdb
-attributeOrValueExists
-manageDSAit
-ManageDsaIT
-bindpw
-monitorContainer
-pEntry
+LDAPv
+IPsec
+olcServerID
+BCP
 baz
-memfree
-lresolv
-objectIdentifierMatch
-Blowfish
-mkln
-numericStringSubstringsMatch
-testgroup
-openssl
-OpenSSL
-ModName
-cacheable
-freeit
-pathname
+params
+generalizedTimeOrderingMatch
+octetStringSubstringsStringMatch
 ber
+slimit
 ali
-mandir
-changetype
+attributeoptions
+uidNumber
 CAs
 CA's
-typeA
-bvecfree
-ODBC
-typeB
-unescaped
-devel
-pwdCheckModule
-LDAPURLDesc
-authzDN
+namingContext
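Review bot: the word list as committed by this hunk still whitelists misspellings, some newly added (`+Authorizaiton`, `+adressbooks`, `+suders`) and others carried over by the reshuffle (`+Instanstantiation`, `+hasSubordintes`, `+objectIdentiferMatch`); keeping them in the spelling dictionary silences the checker on exactly the typos it should flag in the guide, so they should be removed here and corrected in the source text instead. The hunk is also hard to review because most of it is reordering rather than change: many entries are removed and re-added elsewhere in the same hunk (`-keycol`/`+keycol`, `-sharedstatedir`/`+sharedstatedir`, `-struct`/`+struct`), and keeping the list sorted (for example with `sort -u`) before committing would leave only real additions and removals in the diff. Finally, entries such as `+AAQSkZJRgABAAAAAQABAAD`, `+PDkzODdASFxOQ` and `+IGJlZ` are fragments of base64-encoded example data from the guide, not words; excluding those example blocks from the spell check would keep them out of the dictionary altogether.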

Modified: openldap/trunk/doc/guide/admin/backends.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/backends.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/backends.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/backends.sdf,v 1.8.2.3 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/backends.sdf,v 1.8.2.5 2008/04/14 19:00:49 quanah Exp $
+# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Backends
@@ -44,7 +44,7 @@
 their own private connection to the remote LDAP server. Anonymous sessions 
 will share a single anonymous connection to the remote server. For sessions 
 bound through other mechanisms, all sessions with the same DN will share the 
-same connection. This connection pooling strategy can enhance the proxy’s 
+same connection. This connection pooling strategy can enhance the proxy's 
 efficiency by reducing the overhead of repeatedly making/breaking multiple 
 connections.
 

Modified: openldap/trunk/doc/guide/admin/config.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/config.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/config.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/config.sdf,v 1.14.2.4 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/config.sdf,v 1.14.2.6 2008/04/14 20:43:48 quanah Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 H1: The Big Picture - Configuration Choices
 
@@ -47,9 +47,10 @@
 information on multiple directory servers.   In its most basic
 configuration, the {{master}} is a syncrepl provider and one or more
 {{slave}} (or {{shadow}}) are syncrepl consumers.  An example
-master-slave configuration is shown in figure 3.3.
+master-slave configuration is shown in figure 3.3. Multi-Master 
+configurations are also supported.
 
-!import "config_repl.gif"; align="center"; title="Replicated Directory Services"
+!import "config_repl.png"; align="center"; title="Replicated Directory Services"
 FT[align="Center"] Figure 3.3: Replicated Directory Services
 
 This configuration can be used in conjunction with either of the
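Review bot: the added line `+master-slave configuration is shown in figure 3.3. Multi-Master ` carries trailing whitespace, and the new sentence `+configurations are also supported.` would serve readers better with a cross-reference to the part of the guide that actually describes multi-master replication rather than a bare statement. The switch of the `!import` from `config_repl.gif` to `config_repl.png` is consistent with the deletion of `config_repl.gif` and the copy of `config_repl.png` recorded in this same revision.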

Deleted: openldap/trunk/doc/guide/admin/config_repl.gif
===================================================================
(Binary files differ)

Copied: openldap/trunk/doc/guide/admin/config_repl.png (from rev 1127, openldap/vendor/openldap-2.4.9/doc/guide/admin/config_repl.png)
===================================================================
(Binary files differ)

Modified: openldap/trunk/doc/guide/admin/dbtools.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/dbtools.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/dbtools.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/dbtools.sdf,v 1.24.2.5 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/dbtools.sdf,v 1.24.2.6 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Database Creation and Maintenance Tools

Modified: openldap/trunk/doc/guide/admin/glossary.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/glossary.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/glossary.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/glossary.sdf,v 1.5.2.4 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 2006-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/glossary.sdf,v 1.5.2.5 2008/02/11 23:26:39 kurt Exp $
+# Copyright 2006-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 H1: Glossary
 

Modified: openldap/trunk/doc/guide/admin/guide.html
===================================================================
--- openldap/trunk/doc/guide/admin/guide.html	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/guide.html	2008-05-25 14:29:31 UTC (rev 1128)
@@ -23,7 +23,7 @@
 <DIV CLASS="title">
 <H1 CLASS="doc-title">OpenLDAP Software 2.4 Administrator's Guide</H1>
 <ADDRESS CLASS="doc-author">The OpenLDAP Project &lt;<A HREF="http://www.openldap.org/">http://www.openldap.org/</A>&gt;</ADDRESS>
-<ADDRESS CLASS="doc-modified">13 December 2007</ADDRESS>
+<ADDRESS CLASS="doc-modified">7 May 2008</ADDRESS>
 <BR CLEAR="All">
 </DIV>
 <DIV CLASS="contents">
@@ -100,25 +100,8 @@
 <BR>
 <A HREF="#Database-specific Directives">5.2.5. Database-specific Directives</A>
 <BR>
-<A HREF="#BDB and HDB Database Directives">5.2.6. BDB and HDB Database Directives</A></UL>
+<A HREF="#BDB and HDB Database Directives">5.2.6. BDB and HDB Database Directives</A></UL></UL>
 <BR>
-<A HREF="#Access Control">5.3. Access Control</A><UL>
-<A HREF="#What to control access to">5.3.1. What to control access to</A>
-<BR>
-<A HREF="#Who to grant access to">5.3.2. Who to grant access to</A>
-<BR>
-<A HREF="#The access to grant">5.3.3. The access to grant</A>
-<BR>
-<A HREF="#Access Control Evaluation">5.3.4. Access Control Evaluation</A>
-<BR>
-<A HREF="#Access Control Examples">5.3.5. Access Control Examples</A>
-<BR>
-<A HREF="#Access Control Ordering">5.3.6. Access Control Ordering</A></UL>
-<BR>
-<A HREF="#Configuration Example">5.4. Configuration Example</A>
-<BR>
-<A HREF="#Converting from slapd.conf(8) to a {{B:cn=config}} directory format">5.5. Converting from slapd.conf(8) to a <B>cn=config</B> directory format</A></UL>
-<BR>
 <A HREF="#The slapd Configuration File">6. The slapd Configuration File</A><UL>
 <A HREF="#Configuration File Format">6.1. Configuration File Format</A>
 <BR>
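Review bot: the new 5.2.6 line closes two lists (`</UL></UL>`) where the old line closed one, and the removed 5.5 line used to carry the `</UL>` that ended the chapter 5 list, so the nesting stays balanced only because the whole 5.3 to 5.5 block goes away in the same hunk. Since guide.html is generated from the `.sdf` sources that this revision also updates, confirm the file was regenerated rather than hand-edited, so that the TOC and the section bodies further down agree on the new numbering.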
@@ -129,403 +112,443 @@
 <BR>
 <A HREF="#General Database Directives">6.2.3. General Database Directives</A>
 <BR>
-<A HREF="#BDB and HDB Database Directives">6.2.4. BDB and HDB Database Directives</A></UL>
+<A HREF="#BDB and HDB Database Directives">6.2.4. BDB and HDB Database Directives</A></UL></UL>
 <BR>
-<A HREF="#The access Configuration Directive">6.3. The access Configuration Directive</A><UL>
-<A HREF="#What to control access to">6.3.1. What to control access to</A>
+<A HREF="#Access Control">7. Access Control</A><UL>
+<A HREF="#Introduction">7.1. Introduction</A>
 <BR>
-<A HREF="#Who to grant access to">6.3.2. Who to grant access to</A>
+<A HREF="#Access Control via Static Configuration">7.2. Access Control via Static Configuration</A><UL>
+<A HREF="#What to control access to">7.2.1. What to control access to</A>
 <BR>
-<A HREF="#The access to grant">6.3.3. The access to grant</A>
+<A HREF="#Who to grant access to">7.2.2. Who to grant access to</A>
 <BR>
-<A HREF="#Access Control Evaluation">6.3.4. Access Control Evaluation</A>
+<A HREF="#The access to grant">7.2.3. The access to grant</A>
 <BR>
-<A HREF="#Access Control Examples">6.3.5. Access Control Examples</A></UL>
+<A HREF="#Access Control Evaluation">7.2.4. Access Control Evaluation</A>
 <BR>
-<A HREF="#Configuration File Example">6.4. Configuration File Example</A></UL>
+<A HREF="#Access Control Examples">7.2.5. Access Control Examples</A>
 <BR>
-<A HREF="#Running slapd">7. Running slapd</A><UL>
-<A HREF="#Command-Line Options">7.1. Command-Line Options</A>
+<A HREF="#Configuration File Example">7.2.6. Configuration File Example</A></UL>
 <BR>
-<A HREF="#Starting slapd">7.2. Starting slapd</A>
+<A HREF="#Access Control via Dynamic Configuration">7.3. Access Control via Dynamic Configuration</A><UL>
+<A HREF="#What to control access to">7.3.1. What to control access to</A>
 <BR>
-<A HREF="#Stopping slapd">7.3. Stopping slapd</A></UL>
+<A HREF="#Who to grant access to">7.3.2. Who to grant access to</A>
 <BR>
-<A HREF="#Database Creation and Maintenance Tools">8. Database Creation and Maintenance Tools</A><UL>
-<A HREF="#Creating a database over LDAP">8.1. Creating a database over LDAP</A>
+<A HREF="#The access to grant">7.3.3. The access to grant</A>
 <BR>
-<A HREF="#Creating a database off-line">8.2. Creating a database off-line</A><UL>
-<A HREF="#The {{EX:slapadd}} program">8.2.1. The <TT>slapadd</TT> program</A>
+<A HREF="#Access Control Evaluation">7.3.4. Access Control Evaluation</A>
 <BR>
-<A HREF="#The {{EX:slapindex}} program">8.2.2. The <TT>slapindex</TT> program</A>
+<A HREF="#Access Control Examples">7.3.5. Access Control Examples</A>
 <BR>
-<A HREF="#The {{EX:slapcat}} program">8.2.3. The <TT>slapcat</TT> program</A></UL>
+<A HREF="#Access Control Ordering">7.3.6. Access Control Ordering</A>
 <BR>
-<A HREF="#The LDIF text entry format">8.3. The LDIF text entry format</A></UL>
+<A HREF="#Configuration Example">7.3.7. Configuration Example</A>
 <BR>
-<A HREF="#Backends">9. Backends</A><UL>
-<A HREF="#Berkeley DB Backends">9.1. Berkeley DB Backends</A><UL>
-<A HREF="#Overview">9.1.1. Overview</A>
+<A HREF="#Converting from {{slapd.conf}}(5) to a {{B:cn=config}} directory format">7.3.8. Converting from <EM>slapd.conf</EM>(5) to a <B>cn=config</B> directory format</A></UL>
 <BR>
-<A HREF="#back-bdb/back-hdb Configuration">9.1.2. back-bdb/back-hdb Configuration</A>
+<A HREF="#Access Control Common Examples">7.4. Access Control Common Examples</A><UL>
+<A HREF="#Basic ACLs">7.4.1. Basic ACLs</A>
 <BR>
-<A HREF="#Further Information">9.1.3. Further Information</A></UL>
+<A HREF="#Matching Anonymous and Authenticated users">7.4.2. Matching Anonymous and Authenticated users</A>
 <BR>
-<A HREF="#LDAP">9.2. LDAP</A><UL>
-<A HREF="#Overview">9.2.1. Overview</A>
+<A HREF="#Controlling rootdn access">7.4.3. Controlling rootdn access</A>
 <BR>
-<A HREF="#back-ldap Configuration">9.2.2. back-ldap Configuration</A>
+<A HREF="#Managing access with Groups">7.4.4. Managing access with Groups</A>
 <BR>
-<A HREF="#Further Information">9.2.3. Further Information</A></UL>
+<A HREF="#Granting access to a subset of attributes">7.4.5. Granting access to a subset of attributes</A>
 <BR>
-<A HREF="#LDIF">9.3. LDIF</A><UL>
-<A HREF="#Overview">9.3.1. Overview</A>
+<A HREF="#Allowing a user write to all entries below theirs">7.4.6. Allowing a user write to all entries below theirs</A>
 <BR>
-<A HREF="#back-ldif Configuration">9.3.2. back-ldif Configuration</A>
+<A HREF="#Allowing entry creation">7.4.7. Allowing entry creation</A>
 <BR>
-<A HREF="#Further Information">9.3.3. Further Information</A></UL>
+<A HREF="#Tips for using regular expressions in Access Control">7.4.8. Tips for using regular expressions in Access Control</A>
 <BR>
-<A HREF="#Metadirectory">9.4. Metadirectory</A><UL>
-<A HREF="#Overview">9.4.1. Overview</A>
+<A HREF="#Granting and Denying access based on security strength factors (ssf)">7.4.9. Granting and Denying access based on security strength factors (ssf)</A>
 <BR>
-<A HREF="#back-meta Configuration">9.4.2. back-meta Configuration</A>
+<A HREF="#When things aren\'t working as expected">7.4.10. When things aren't working as expected</A></UL>
 <BR>
-<A HREF="#Further Information">9.4.3. Further Information</A></UL>
+<A HREF="#Sets - Granting rights based on relationships">7.5. Sets - Granting rights based on relationships</A><UL>
+<A HREF="#Groups of Groups">7.5.1. Groups of Groups</A>
 <BR>
-<A HREF="#Monitor">9.5. Monitor</A><UL>
-<A HREF="#Overview">9.5.1. Overview</A>
+<A HREF="#Group ACLs without DN syntax">7.5.2. Group ACLs without DN syntax</A>
 <BR>
-<A HREF="#back-monitor Configuration">9.5.2. back-monitor Configuration</A>
+<A HREF="#Following references">7.5.3. Following references</A></UL></UL>
 <BR>
-<A HREF="#Further Information">9.5.3. Further Information</A></UL>
+<A HREF="#Running slapd">8. Running slapd</A><UL>
+<A HREF="#Command-Line Options">8.1. Command-Line Options</A>
 <BR>
-<A HREF="#Null">9.6. Null</A><UL>
-<A HREF="#Overview">9.6.1. Overview</A>
+<A HREF="#Starting slapd">8.2. Starting slapd</A>
 <BR>
-<A HREF="#back-null Configuration">9.6.2. back-null Configuration</A>
+<A HREF="#Stopping slapd">8.3. Stopping slapd</A></UL>
 <BR>
-<A HREF="#Further Information">9.6.3. Further Information</A></UL>
+<A HREF="#Database Creation and Maintenance Tools">9. Database Creation and Maintenance Tools</A><UL>
+<A HREF="#Creating a database over LDAP">9.1. Creating a database over LDAP</A>
 <BR>
-<A HREF="#Passwd">9.7. Passwd</A><UL>
-<A HREF="#Overview">9.7.1. Overview</A>
+<A HREF="#Creating a database off-line">9.2. Creating a database off-line</A><UL>
+<A HREF="#The {{EX:slapadd}} program">9.2.1. The <TT>slapadd</TT> program</A>
 <BR>
-<A HREF="#back-passwd Configuration">9.7.2. back-passwd Configuration</A>
+<A HREF="#The {{EX:slapindex}} program">9.2.2. The <TT>slapindex</TT> program</A>
 <BR>
-<A HREF="#Further Information">9.7.3. Further Information</A></UL>
+<A HREF="#The {{EX:slapcat}} program">9.2.3. The <TT>slapcat</TT> program</A></UL>
 <BR>
-<A HREF="#Perl/Shell">9.8. Perl/Shell</A><UL>
-<A HREF="#Overview">9.8.1. Overview</A>
+<A HREF="#The LDIF text entry format">9.3. The LDIF text entry format</A></UL>
 <BR>
-<A HREF="#back-perl/back-shell Configuration">9.8.2. back-perl/back-shell Configuration</A>
+<A HREF="#Backends">10. Backends</A><UL>
+<A HREF="#Berkeley DB Backends">10.1. Berkeley DB Backends</A><UL>
+<A HREF="#Overview">10.1.1. Overview</A>
 <BR>
-<A HREF="#Further Information">9.8.3. Further Information</A></UL>
+<A HREF="#back-bdb/back-hdb Configuration">10.1.2. back-bdb/back-hdb Configuration</A>
 <BR>
-<A HREF="#Relay">9.9. Relay</A><UL>
-<A HREF="#Overview">9.9.1. Overview</A>
+<A HREF="#Further Information">10.1.3. Further Information</A></UL>
 <BR>
-<A HREF="#back-relay Configuration">9.9.2. back-relay Configuration</A>
+<A HREF="#LDAP">10.2. LDAP</A><UL>
+<A HREF="#Overview">10.2.1. Overview</A>
 <BR>
-<A HREF="#Further Information">9.9.3. Further Information</A></UL>
+<A HREF="#back-ldap Configuration">10.2.2. back-ldap Configuration</A>
 <BR>
-<A HREF="#SQL">9.10. SQL</A><UL>
-<A HREF="#Overview">9.10.1. Overview</A>
+<A HREF="#Further Information">10.2.3. Further Information</A></UL>
 <BR>
-<A HREF="#back-sql Configuration">9.10.2. back-sql Configuration</A>
-<BR>
-<A HREF="#Further Information">9.10.3. Further Information</A></UL></UL>
-<BR>
-<A HREF="#Overlays">10. Overlays</A><UL>
-<A HREF="#Access Logging">10.1. Access Logging</A><UL>
-<A HREF="#Overview">10.1.1. Overview</A>
-<BR>
-<A HREF="#Access Logging Configuration">10.1.2. Access Logging Configuration</A></UL>
-<BR>
-<A HREF="#Audit Logging">10.2. Audit Logging</A><UL>
-<A HREF="#Overview">10.2.1. Overview</A>
-<BR>
-<A HREF="#Audit Logging Configuration">10.2.2. Audit Logging Configuration</A></UL>
-<BR>
-<A HREF="#Chaining">10.3. Chaining</A><UL>
+<A HREF="#LDIF">10.3. LDIF</A><UL>
 <A HREF="#Overview">10.3.1. Overview</A>
 <BR>
-<A HREF="#Chaining Configuration">10.3.2. Chaining Configuration</A>
+<A HREF="#back-ldif Configuration">10.3.2. back-ldif Configuration</A>
 <BR>
-<A HREF="#Handling Chaining Errors">10.3.3. Handling Chaining Errors</A></UL>
+<A HREF="#Further Information">10.3.3. Further Information</A></UL>
 <BR>
-<A HREF="#Constraints">10.4. Constraints</A><UL>
+<A HREF="#Metadirectory">10.4. Metadirectory</A><UL>
 <A HREF="#Overview">10.4.1. Overview</A>
 <BR>
-<A HREF="#Constraint Configuration">10.4.2. Constraint Configuration</A></UL>
+<A HREF="#back-meta Configuration">10.4.2. back-meta Configuration</A>
 <BR>
-<A HREF="#Dynamic Directory Services">10.5. Dynamic Directory Services</A><UL>
+<A HREF="#Further Information">10.4.3. Further Information</A></UL>
+<BR>
+<A HREF="#Monitor">10.5. Monitor</A><UL>
 <A HREF="#Overview">10.5.1. Overview</A>
 <BR>
-<A HREF="#Dynamic Directory Service Configuration">10.5.2. Dynamic Directory Service Configuration</A></UL>
+<A HREF="#back-monitor Configuration">10.5.2. back-monitor Configuration</A>
 <BR>
-<A HREF="#Dynamic Groups">10.6. Dynamic Groups</A><UL>
+<A HREF="#Further Information">10.5.3. Further Information</A></UL>
+<BR>
+<A HREF="#Null">10.6. Null</A><UL>
 <A HREF="#Overview">10.6.1. Overview</A>
 <BR>
-<A HREF="#Dynamic Group Configuration">10.6.2. Dynamic Group Configuration</A></UL>
+<A HREF="#back-null Configuration">10.6.2. back-null Configuration</A>
 <BR>
-<A HREF="#Dynamic Lists">10.7. Dynamic Lists</A><UL>
+<A HREF="#Further Information">10.6.3. Further Information</A></UL>
+<BR>
+<A HREF="#Passwd">10.7. Passwd</A><UL>
 <A HREF="#Overview">10.7.1. Overview</A>
 <BR>
-<A HREF="#Dynamic List Configuration">10.7.2. Dynamic List Configuration</A></UL>
+<A HREF="#back-passwd Configuration">10.7.2. back-passwd Configuration</A>
 <BR>
-<A HREF="#Reverse Group Membership Maintenance">10.8. Reverse Group Membership Maintenance</A><UL>
+<A HREF="#Further Information">10.7.3. Further Information</A></UL>
+<BR>
+<A HREF="#Perl/Shell">10.8. Perl/Shell</A><UL>
 <A HREF="#Overview">10.8.1. Overview</A>
 <BR>
-<A HREF="#Member Of Configuration">10.8.2. Member Of Configuration</A></UL>
+<A HREF="#back-perl/back-shell Configuration">10.8.2. back-perl/back-shell Configuration</A>
 <BR>
-<A HREF="#The Proxy Cache Engine">10.9. The Proxy Cache Engine</A><UL>
+<A HREF="#Further Information">10.8.3. Further Information</A></UL>
+<BR>
+<A HREF="#Relay">10.9. Relay</A><UL>
 <A HREF="#Overview">10.9.1. Overview</A>
 <BR>
-<A HREF="#Proxy Cache Configuration">10.9.2. Proxy Cache Configuration</A></UL>
+<A HREF="#back-relay Configuration">10.9.2. back-relay Configuration</A>
 <BR>
-<A HREF="#Password Policies">10.10. Password Policies</A><UL>
+<A HREF="#Further Information">10.9.3. Further Information</A></UL>
+<BR>
+<A HREF="#SQL">10.10. SQL</A><UL>
 <A HREF="#Overview">10.10.1. Overview</A>
 <BR>
-<A HREF="#Password Policy Configuration">10.10.2. Password Policy Configuration</A></UL>
+<A HREF="#back-sql Configuration">10.10.2. back-sql Configuration</A>
 <BR>
-<A HREF="#Referential Integrity">10.11. Referential Integrity</A><UL>
-<A HREF="#Overview">10.11.1. Overview</A>
+<A HREF="#Further Information">10.10.3. Further Information</A></UL></UL>
 <BR>
-<A HREF="#Referential Integrity Configuration">10.11.2. Referential Integrity Configuration</A></UL>
+<A HREF="#Overlays">11. Overlays</A><UL>
+<A HREF="#Access Logging">11.1. Access Logging</A><UL>
+<A HREF="#Overview">11.1.1. Overview</A>
 <BR>
-<A HREF="#Return Code">10.12. Return Code</A><UL>
-<A HREF="#Overview">10.12.1. Overview</A>
+<A HREF="#Access Logging Configuration">11.1.2. Access Logging Configuration</A></UL>
 <BR>
-<A HREF="#Return Code Configuration">10.12.2. Return Code Configuration</A></UL>
+<A HREF="#Audit Logging">11.2. Audit Logging</A><UL>
+<A HREF="#Overview">11.2.1. Overview</A>
 <BR>
-<A HREF="#Rewrite/Remap">10.13. Rewrite/Remap</A><UL>
-<A HREF="#Overview">10.13.1. Overview</A>
+<A HREF="#Audit Logging Configuration">11.2.2. Audit Logging Configuration</A></UL>
 <BR>
-<A HREF="#Rewrite/Remap Configuration">10.13.2. Rewrite/Remap Configuration</A></UL>
+<A HREF="#Chaining">11.3. Chaining</A><UL>
+<A HREF="#Overview">11.3.1. Overview</A>
 <BR>
-<A HREF="#Sync Provider">10.14. Sync Provider</A><UL>
-<A HREF="#Overview">10.14.1. Overview</A>
+<A HREF="#Chaining Configuration">11.3.2. Chaining Configuration</A>
 <BR>
-<A HREF="#Sync Provider Configuration">10.14.2. Sync Provider Configuration</A></UL>
+<A HREF="#Handling Chaining Errors">11.3.3. Handling Chaining Errors</A></UL>
 <BR>
-<A HREF="#Translucent Proxy">10.15. Translucent Proxy</A><UL>
-<A HREF="#Overview">10.15.1. Overview</A>
+<A HREF="#Constraints">11.4. Constraints</A><UL>
+<A HREF="#Overview">11.4.1. Overview</A>
 <BR>
-<A HREF="#Translucent Proxy Configuration">10.15.2. Translucent Proxy Configuration</A></UL>
+<A HREF="#Constraint Configuration">11.4.2. Constraint Configuration</A></UL>
 <BR>
-<A HREF="#Attribute Uniqueness">10.16. Attribute Uniqueness</A><UL>
-<A HREF="#Overview">10.16.1. Overview</A>
+<A HREF="#Dynamic Directory Services">11.5. Dynamic Directory Services</A><UL>
+<A HREF="#Overview">11.5.1. Overview</A>
 <BR>
-<A HREF="#Attribute Uniqueness Configuration">10.16.2. Attribute Uniqueness Configuration</A></UL>
+<A HREF="#Dynamic Directory Service Configuration">11.5.2. Dynamic Directory Service Configuration</A></UL>
 <BR>
-<A HREF="#Value Sorting">10.17. Value Sorting</A><UL>
-<A HREF="#Overview">10.17.1. Overview</A>
+<A HREF="#Dynamic Groups">11.6. Dynamic Groups</A><UL>
+<A HREF="#Overview">11.6.1. Overview</A>
 <BR>
-<A HREF="#Value Sorting Configuration">10.17.2. Value Sorting Configuration</A></UL>
+<A HREF="#Dynamic Group Configuration">11.6.2. Dynamic Group Configuration</A></UL>
 <BR>
-<A HREF="#Overlay Stacking">10.18. Overlay Stacking</A><UL>
-<A HREF="#Overview">10.18.1. Overview</A>
+<A HREF="#Dynamic Lists">11.7. Dynamic Lists</A><UL>
+<A HREF="#Overview">11.7.1. Overview</A>
 <BR>
-<A HREF="#Example Scenarios">10.18.2. Example Scenarios</A></UL></UL>
+<A HREF="#Dynamic List Configuration">11.7.2. Dynamic List Configuration</A></UL>
 <BR>
-<A HREF="#Schema Specification">11. Schema Specification</A><UL>
-<A HREF="#Distributed Schema Files">11.1. Distributed Schema Files</A>
+<A HREF="#Reverse Group Membership Maintenance">11.8. Reverse Group Membership Maintenance</A><UL>
+<A HREF="#Overview">11.8.1. Overview</A>
 <BR>
-<A HREF="#Extending Schema">11.2. Extending Schema</A><UL>
-<A HREF="#Object Identifiers">11.2.1. Object Identifiers</A>
+<A HREF="#Member Of Configuration">11.8.2. Member Of Configuration</A></UL>
 <BR>
-<A HREF="#Naming Elements">11.2.2. Naming Elements</A>
+<A HREF="#The Proxy Cache Engine">11.9. The Proxy Cache Engine</A><UL>
+<A HREF="#Overview">11.9.1. Overview</A>
 <BR>
-<A HREF="#Local schema file">11.2.3. Local schema file</A>
+<A HREF="#Proxy Cache Configuration">11.9.2. Proxy Cache Configuration</A></UL>
 <BR>
-<A HREF="#Attribute Type Specification">11.2.4. Attribute Type Specification</A>
+<A HREF="#Password Policies">11.10. Password Policies</A><UL>
+<A HREF="#Overview">11.10.1. Overview</A>
 <BR>
-<A HREF="#Object Class Specification">11.2.5. Object Class Specification</A>
+<A HREF="#Password Policy Configuration">11.10.2. Password Policy Configuration</A></UL>
 <BR>
-<A HREF="#OID Macros">11.2.6. OID Macros</A></UL></UL>
+<A HREF="#Referential Integrity">11.11. Referential Integrity</A><UL>
+<A HREF="#Overview">11.11.1. Overview</A>
 <BR>
-<A HREF="#Security Considerations">12. Security Considerations</A><UL>
-<A HREF="#Network Security">12.1. Network Security</A><UL>
-<A HREF="#Selective Listening">12.1.1. Selective Listening</A>
+<A HREF="#Referential Integrity Configuration">11.11.2. Referential Integrity Configuration</A></UL>
 <BR>
-<A HREF="#IP Firewall">12.1.2. IP Firewall</A>
+<A HREF="#Return Code">11.12. Return Code</A><UL>
+<A HREF="#Overview">11.12.1. Overview</A>
 <BR>
-<A HREF="#TCP Wrappers">12.1.3. TCP Wrappers</A></UL>
+<A HREF="#Return Code Configuration">11.12.2. Return Code Configuration</A></UL>
 <BR>
-<A HREF="#Data Integrity and Confidentiality Protection">12.2. Data Integrity and Confidentiality Protection</A><UL>
-<A HREF="#Security Strength Factors">12.2.1. Security Strength Factors</A></UL>
+<A HREF="#Rewrite/Remap">11.13. Rewrite/Remap</A><UL>
+<A HREF="#Overview">11.13.1. Overview</A>
 <BR>
-<A HREF="#Authentication Methods">12.3. Authentication Methods</A><UL>
-<A HREF="#&quot;simple&quot; method">12.3.1. &quot;simple&quot; method</A>
+<A HREF="#Rewrite/Remap Configuration">11.13.2. Rewrite/Remap Configuration</A></UL>
 <BR>
-<A HREF="#SASL method">12.3.2. SASL method</A></UL></UL>
+<A HREF="#Sync Provider">11.14. Sync Provider</A><UL>
+<A HREF="#Overview">11.14.1. Overview</A>
 <BR>
-<A HREF="#Using SASL">13. Using SASL</A><UL>
-<A HREF="#SASL Security Considerations">13.1. SASL Security Considerations</A>
+<A HREF="#Sync Provider Configuration">11.14.2. Sync Provider Configuration</A></UL>
 <BR>
-<A HREF="#SASL Authentication">13.2. SASL Authentication</A><UL>
-<A HREF="#GSSAPI">13.2.1. GSSAPI</A>
+<A HREF="#Translucent Proxy">11.15. Translucent Proxy</A><UL>
+<A HREF="#Overview">11.15.1. Overview</A>
 <BR>
-<A HREF="#KERBEROS_V4">13.2.2. KERBEROS_V4</A>
+<A HREF="#Translucent Proxy Configuration">11.15.2. Translucent Proxy Configuration</A></UL>
 <BR>
-<A HREF="#DIGEST-MD5">13.2.3. DIGEST-MD5</A>
+<A HREF="#Attribute Uniqueness">11.16. Attribute Uniqueness</A><UL>
+<A HREF="#Overview">11.16.1. Overview</A>
 <BR>
-<A HREF="#Mapping Authentication Identities">13.2.4. Mapping Authentication Identities</A>
+<A HREF="#Attribute Uniqueness Configuration">11.16.2. Attribute Uniqueness Configuration</A></UL>
 <BR>
-<A HREF="#Direct Mapping">13.2.5. Direct Mapping</A>
+<A HREF="#Value Sorting">11.17. Value Sorting</A><UL>
+<A HREF="#Overview">11.17.1. Overview</A>
 <BR>
-<A HREF="#Search-based mappings">13.2.6. Search-based mappings</A></UL>
+<A HREF="#Value Sorting Configuration">11.17.2. Value Sorting Configuration</A></UL>
 <BR>
-<A HREF="#SASL Proxy Authorization">13.3. SASL Proxy Authorization</A><UL>
-<A HREF="#Uses of Proxy Authorization">13.3.1. Uses of Proxy Authorization</A>
+<A HREF="#Overlay Stacking">11.18. Overlay Stacking</A><UL>
+<A HREF="#Overview">11.18.1. Overview</A>
 <BR>
-<A HREF="#SASL Authorization Identities">13.3.2. SASL Authorization Identities</A>
+<A HREF="#Example Scenarios">11.18.2. Example Scenarios</A></UL></UL>
 <BR>
-<A HREF="#Proxy Authorization Rules">13.3.3. Proxy Authorization Rules</A></UL></UL>
+<A HREF="#Schema Specification">12. Schema Specification</A><UL>
+<A HREF="#Distributed Schema Files">12.1. Distributed Schema Files</A>
 <BR>
-<A HREF="#Using TLS">14. Using TLS</A><UL>
-<A HREF="#TLS Certificates">14.1. TLS Certificates</A><UL>
-<A HREF="#Server Certificates">14.1.1. Server Certificates</A>
+<A HREF="#Extending Schema">12.2. Extending Schema</A><UL>
+<A HREF="#Object Identifiers">12.2.1. Object Identifiers</A>
 <BR>
-<A HREF="#Client Certificates">14.1.2. Client Certificates</A></UL>
+<A HREF="#Naming Elements">12.2.2. Naming Elements</A>
 <BR>
-<A HREF="#TLS Configuration">14.2. TLS Configuration</A><UL>
-<A HREF="#Server Configuration">14.2.1. Server Configuration</A>
+<A HREF="#Local schema file">12.2.3. Local schema file</A>
 <BR>
-<A HREF="#Client Configuration">14.2.2. Client Configuration</A></UL></UL>
+<A HREF="#Attribute Type Specification">12.2.4. Attribute Type Specification</A>
 <BR>
-<A HREF="#Constructing a Distributed Directory Service">15. Constructing a Distributed Directory Service</A><UL>
-<A HREF="#Subordinate Knowledge Information">15.1. Subordinate Knowledge Information</A>
+<A HREF="#Object Class Specification">12.2.5. Object Class Specification</A>
 <BR>
-<A HREF="#Superior Knowledge Information">15.2. Superior Knowledge Information</A>
+<A HREF="#OID Macros">12.2.6. OID Macros</A></UL></UL>
 <BR>
-<A HREF="#The ManageDsaIT Control">15.3. The ManageDsaIT Control</A></UL>
+<A HREF="#Security Considerations">13. Security Considerations</A><UL>
+<A HREF="#Network Security">13.1. Network Security</A><UL>
+<A HREF="#Selective Listening">13.1.1. Selective Listening</A>
 <BR>
-<A HREF="#Replication">16. Replication</A><UL>
-<A HREF="#Replication Strategies">16.1. Replication Strategies</A><UL>
-<A HREF="#Push Based">16.1.1. Push Based</A>
+<A HREF="#IP Firewall">13.1.2. IP Firewall</A>
 <BR>
-<A HREF="#Pull Based">16.1.2. Pull Based</A></UL>
+<A HREF="#TCP Wrappers">13.1.3. TCP Wrappers</A></UL>
 <BR>
-<A HREF="#Replication Types">16.2. Replication Types</A><UL>
-<A HREF="#syncrepl replication">16.2.1. syncrepl replication</A>
+<A HREF="#Data Integrity and Confidentiality Protection">13.2. Data Integrity and Confidentiality Protection</A><UL>
+<A HREF="#Security Strength Factors">13.2.1. Security Strength Factors</A></UL>
 <BR>
-<A HREF="#delta-syncrepl replication">16.2.2. delta-syncrepl replication</A>
+<A HREF="#Authentication Methods">13.3. Authentication Methods</A><UL>
+<A HREF="#&quot;simple&quot; method">13.3.1. &quot;simple&quot; method</A>
 <BR>
-<A HREF="#N-Way Multi-Master replication">16.2.3. N-Way Multi-Master replication</A>
+<A HREF="#SASL method">13.3.2. SASL method</A></UL></UL>
 <BR>
-<A HREF="#MirrorMode replication">16.2.4. MirrorMode replication</A></UL>
+<A HREF="#Using SASL">14. Using SASL</A><UL>
+<A HREF="#SASL Security Considerations">14.1. SASL Security Considerations</A>
 <BR>
-<A HREF="#LDAP Sync Replication">16.3. LDAP Sync Replication</A><UL>
-<A HREF="#The LDAP Content Synchronization Protocol">16.3.1. The LDAP Content Synchronization Protocol</A>
+<A HREF="#SASL Authentication">14.2. SASL Authentication</A><UL>
+<A HREF="#GSSAPI">14.2.1. GSSAPI</A>
 <BR>
-<A HREF="#Syncrepl Details">16.3.2. Syncrepl Details</A>
+<A HREF="#KERBEROS_V4">14.2.2. KERBEROS_V4</A>
 <BR>
-<A HREF="#Configuring Syncrepl">16.3.3. Configuring Syncrepl</A></UL>
+<A HREF="#DIGEST-MD5">14.2.3. DIGEST-MD5</A>
 <BR>
-<A HREF="#N-Way Multi-Master">16.4. N-Way Multi-Master</A>
+<A HREF="#Mapping Authentication Identities">14.2.4. Mapping Authentication Identities</A>
 <BR>
-<A HREF="#MirrorMode">16.5. MirrorMode</A><UL>
-<A HREF="#Arguments for MirrorMode">16.5.1. Arguments for MirrorMode</A>
+<A HREF="#Direct Mapping">14.2.5. Direct Mapping</A>
 <BR>
-<A HREF="#Arguments against MirrorMode">16.5.2. Arguments against MirrorMode</A>
+<A HREF="#Search-based mappings">14.2.6. Search-based mappings</A></UL>
 <BR>
-<A HREF="#MirrorMode Configuration">16.5.3. MirrorMode Configuration</A>
+<A HREF="#SASL Proxy Authorization">14.3. SASL Proxy Authorization</A><UL>
+<A HREF="#Uses of Proxy Authorization">14.3.1. Uses of Proxy Authorization</A>
 <BR>
-<A HREF="#MirrorMode Summary">16.5.4. MirrorMode Summary</A></UL></UL>
+<A HREF="#SASL Authorization Identities">14.3.2. SASL Authorization Identities</A>
 <BR>
-<A HREF="#Maintenance">17. Maintenance</A><UL>
-<A HREF="#Directory Backups">17.1. Directory Backups</A>
+<A HREF="#Proxy Authorization Rules">14.3.3. Proxy Authorization Rules</A></UL></UL>
 <BR>
-<A HREF="#Berkeley DB Logs">17.2. Berkeley DB Logs</A>
+<A HREF="#Using TLS">15. Using TLS</A><UL>
+<A HREF="#TLS Certificates">15.1. TLS Certificates</A><UL>
+<A HREF="#Server Certificates">15.1.1. Server Certificates</A>
 <BR>
-<A HREF="#Checkpointing">17.3. Checkpointing</A>
+<A HREF="#Client Certificates">15.1.2. Client Certificates</A></UL>
 <BR>
-<A HREF="#Migration">17.4. Migration</A></UL>
+<A HREF="#TLS Configuration">15.2. TLS Configuration</A><UL>
+<A HREF="#Server Configuration">15.2.1. Server Configuration</A>
 <BR>
-<A HREF="#Monitoring">18. Monitoring</A><UL>
-<A HREF="#Monitor configuration via cn=config(5)">18.1. Monitor configuration via cn=config(5)</A>
+<A HREF="#Client Configuration">15.2.2. Client Configuration</A></UL></UL>
 <BR>
-<A HREF="#Monitor configuration via slapd.conf(5)">18.2. Monitor configuration via slapd.conf(5)</A>
+<A HREF="#Constructing a Distributed Directory Service">16. Constructing a Distributed Directory Service</A><UL>
+<A HREF="#Subordinate Knowledge Information">16.1. Subordinate Knowledge Information</A>
 <BR>
-<A HREF="#Accessing Monitoring Information">18.3. Accessing Monitoring Information</A>
+<A HREF="#Superior Knowledge Information">16.2. Superior Knowledge Information</A>
 <BR>
-<A HREF="#Monitor Information">18.4. Monitor Information</A><UL>
-<A HREF="#Backends">18.4.1. Backends</A>
+<A HREF="#The ManageDsaIT Control">16.3. The ManageDsaIT Control</A></UL>
 <BR>
-<A HREF="#Connections">18.4.2. Connections</A>
+<A HREF="#Replication">17. Replication</A><UL>
+<A HREF="#Push Based">17.1. Push Based</A><UL>
+<A HREF="#Replacing Slurpd">17.1.1. Replacing Slurpd</A></UL>
 <BR>
-<A HREF="#Databases">18.4.3. Databases</A>
+<A HREF="#Pull Based">17.2. Pull Based</A><UL>
+<A HREF="#LDAP Sync Replication">17.2.1. LDAP Sync Replication</A>
 <BR>
-<A HREF="#Listener">18.4.4. Listener</A>
+<A HREF="#Delta-syncrepl replication">17.2.2. Delta-syncrepl replication</A></UL>
 <BR>
-<A HREF="#Log">18.4.5. Log</A>
+<A HREF="#Mixture of both Pull and Push based">17.3. Mixture of both Pull and Push based</A><UL>
+<A HREF="#N-Way Multi-Master replication">17.3.1. N-Way Multi-Master replication</A>
 <BR>
-<A HREF="#Operations">18.4.6. Operations</A>
+<A HREF="#MirrorMode replication">17.3.2. MirrorMode replication</A></UL>
 <BR>
-<A HREF="#Overlays">18.4.7. Overlays</A>
+<A HREF="#Configuring the different replication types">17.4. Configuring the different replication types</A><UL>
+<A HREF="#Syncrepl">17.4.1. Syncrepl</A>
 <BR>
-<A HREF="#SASL">18.4.8. SASL</A>
+<A HREF="#Delta-syncrepl">17.4.2. Delta-syncrepl</A>
 <BR>
-<A HREF="#Statistics">18.4.9. Statistics</A>
+<A HREF="#N-Way Multi-Master">17.4.3. N-Way Multi-Master</A>
 <BR>
-<A HREF="#Threads">18.4.10. Threads</A>
+<A HREF="#MirrorMode">17.4.4. MirrorMode</A></UL></UL>
 <BR>
-<A HREF="#Time">18.4.11. Time</A>
+<A HREF="#Maintenance">18. Maintenance</A><UL>
+<A HREF="#Directory Backups">18.1. Directory Backups</A>
 <BR>
-<A HREF="#TLS">18.4.12. TLS</A>
+<A HREF="#Berkeley DB Logs">18.2. Berkeley DB Logs</A>
 <BR>
-<A HREF="#Waiters">18.4.13. Waiters</A></UL></UL>
+<A HREF="#Checkpointing">18.3. Checkpointing</A>
 <BR>
-<A HREF="#Tuning">19. Tuning</A><UL>
-<A HREF="#Performance Factors">19.1. Performance Factors</A><UL>
-<A HREF="#Memory">19.1.1. Memory</A>
+<A HREF="#Migration">18.4. Migration</A></UL>
 <BR>
-<A HREF="#Disks">19.1.2. Disks</A>
+<A HREF="#Monitoring">19. Monitoring</A><UL>
+<A HREF="#Monitor configuration via cn=config(5)">19.1. Monitor configuration via cn=config(5)</A>
 <BR>
-<A HREF="#Network Topology">19.1.3. Network Topology</A>
+<A HREF="#Monitor configuration via slapd.conf(5)">19.2. Monitor configuration via slapd.conf(5)</A>
 <BR>
-<A HREF="#Directory Layout Design">19.1.4. Directory Layout Design</A>
+<A HREF="#Accessing Monitoring Information">19.3. Accessing Monitoring Information</A>
 <BR>
-<A HREF="#Expected Usage">19.1.5. Expected Usage</A></UL>
+<A HREF="#Monitor Information">19.4. Monitor Information</A><UL>
+<A HREF="#Backends">19.4.1. Backends</A>
 <BR>
-<A HREF="#Indexes">19.2. Indexes</A><UL>
-<A HREF="#Understanding how a search works">19.2.1. Understanding how a search works</A>
+<A HREF="#Connections">19.4.2. Connections</A>
 <BR>
-<A HREF="#What to index">19.2.2. What to index</A>
+<A HREF="#Databases">19.4.3. Databases</A>
 <BR>
-<A HREF="#Presence indexing">19.2.3. Presence indexing</A></UL>
+<A HREF="#Listener">19.4.4. Listener</A>
 <BR>
-<A HREF="#Logging">19.3. Logging</A><UL>
-<A HREF="#What log level to use">19.3.1. What log level to use</A>
+<A HREF="#Log">19.4.5. Log</A>
 <BR>
-<A HREF="#What to watch out for">19.3.2. What to watch out for</A>
+<A HREF="#Operations">19.4.6. Operations</A>
 <BR>
-<A HREF="#Improving throughput">19.3.3. Improving throughput</A></UL>
+<A HREF="#Overlays">19.4.7. Overlays</A>
 <BR>
-<A HREF="#BDB/HDB Database Caching">19.4. BDB/HDB Database Caching</A><UL>
-<A HREF="#Berkeley DB Cache">19.4.1. Berkeley DB Cache</A>
+<A HREF="#SASL">19.4.8. SASL</A>
 <BR>
-<A HREF="#{{slapd}}(8) Entry Cache">19.4.2. <EM>slapd</EM>(8) Entry Cache</A>
+<A HREF="#Statistics">19.4.9. Statistics</A>
 <BR>
-<A HREF="#{{TERM:IDL}} Cache">19.4.3. <TERM>IDL</TERM> Cache</A></UL></UL>
+<A HREF="#Threads">19.4.10. Threads</A>
 <BR>
-<A HREF="#Troubleshooting">20. Troubleshooting</A><UL>
-<A HREF="#User or Software errors">20.1. User or Software errors?</A>
+<A HREF="#Time">19.4.11. Time</A>
 <BR>
-<A HREF="#Checklist">20.2. Checklist</A>
+<A HREF="#TLS">19.4.12. TLS</A>
 <BR>
-<A HREF="#OpenLDAP Bugs">20.3. OpenLDAP Bugs</A>
+<A HREF="#Waiters">19.4.13. Waiters</A></UL></UL>
 <BR>
-<A HREF="#3rd party software error">20.4. 3rd party software error</A>
+<A HREF="#Tuning">20. Tuning</A><UL>
+<A HREF="#Performance Factors">20.1. Performance Factors</A><UL>
+<A HREF="#Memory">20.1.1. Memory</A>
 <BR>
-<A HREF="#How to contact the OpenLDAP Project">20.5. How to contact the OpenLDAP Project</A>
+<A HREF="#Disks">20.1.2. Disks</A>
 <BR>
-<A HREF="#How to present your problem">20.6. How to present your problem</A>
+<A HREF="#Network Topology">20.1.3. Network Topology</A>
 <BR>
-<A HREF="#Debugging {{slapd}}(8)">20.7. Debugging <EM>slapd</EM>(8)</A>
+<A HREF="#Directory Layout Design">20.1.4. Directory Layout Design</A>
 <BR>
-<A HREF="#Commercial Support">20.8. Commercial Support</A></UL>
+<A HREF="#Expected Usage">20.1.5. Expected Usage</A></UL>
 <BR>
+<A HREF="#Indexes">20.2. Indexes</A><UL>
+<A HREF="#Understanding how a search works">20.2.1. Understanding how a search works</A>
+<BR>
+<A HREF="#What to index">20.2.2. What to index</A>
+<BR>
+<A HREF="#Presence indexing">20.2.3. Presence indexing</A></UL>
+<BR>
+<A HREF="#Logging">20.3. Logging</A><UL>
+<A HREF="#What log level to use">20.3.1. What log level to use</A>
+<BR>
+<A HREF="#What to watch out for">20.3.2. What to watch out for</A>
+<BR>
+<A HREF="#Improving throughput">20.3.3. Improving throughput</A></UL>
+<BR>
+<A HREF="#Caching">20.4. Caching</A><UL>
+<A HREF="#Berkeley DB Cache">20.4.1. Berkeley DB Cache</A>
+<BR>
+<A HREF="#{{slapd}}(8) Entry Cache (cachesize)">20.4.2. <EM>slapd</EM>(8) Entry Cache (cachesize)</A>
+<BR>
+<A HREF="#{{TERM:IDL}} Cache (idlcachesize)">20.4.3. <TERM>IDL</TERM> Cache (idlcachesize)</A>
+<BR>
+<A HREF="#{{slapd}}(8) Threads">20.4.4. <EM>slapd</EM>(8) Threads</A></UL></UL>
+<BR>
+<A HREF="#Troubleshooting">21. Troubleshooting</A><UL>
+<A HREF="#User or Software errors">21.1. User or Software errors?</A>
+<BR>
+<A HREF="#Checklist">21.2. Checklist</A>
+<BR>
+<A HREF="#OpenLDAP Bugs">21.3. OpenLDAP Bugs</A>
+<BR>
+<A HREF="#3rd party software error">21.4. 3rd party software error</A>
+<BR>
+<A HREF="#How to contact the OpenLDAP Project">21.5. How to contact the OpenLDAP Project</A>
+<BR>
+<A HREF="#How to present your problem">21.6. How to present your problem</A>
+<BR>
+<A HREF="#Debugging {{slapd}}(8)">21.7. Debugging <EM>slapd</EM>(8)</A>
+<BR>
+<A HREF="#Commercial Support">21.8. Commercial Support</A></UL>
+<BR>
 <A HREF="#Changes Since Previous Release">A. Changes Since Previous Release</A><UL>
 <A HREF="#New Guide Sections">A.1. New Guide Sections</A>
 <BR>
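Review bot: the new 20.4 subtree is titled "Caching" but its last entry, "20.4.4. slapd(8) Threads", is not a cache setting; either move Threads up to its own 20.5 entry or keep a heading broad enough to cover it (the old 19.4 "BDB/HDB Database Caching" heading grouped only the three cache sizes). Also check that the generated anchors for "20.4.2. slapd(8) Entry Cache (cachesize)" and "20.4.3. IDL Cache (idlcachesize)" match the headings in the body, since the HREF values still carry the raw {{slapd}} and {{TERM:IDL}} template markup.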
@@ -1187,8 +1210,8 @@
 <P ALIGN="Center">Figure 3.2: Local service with referrals</P>
 <P>Use this configuration if you want to provide local service and participate in the Global Directory,  or you want to delegate responsibility for <EM>subordinate</EM> entries to another server.</P>
 <H2><A NAME="Replicated Directory Service">3.3. Replicated Directory Service</A></H2>
-<P>slapd(8) includes support for <EM>LDAP Sync</EM>-based replication, called <EM>syncrepl</EM>, which may be used to maintain shadow copies of directory information on multiple directory servers.   In its most basic configuration, the <EM>master</EM> is a syncrepl provider and one or more <EM>slave</EM> (or <EM>shadow</EM>) are syncrepl consumers.  An example master-slave configuration is shown in figure 3.3.</P>
-<P><CENTER><IMG SRC="config_repl.gif" ALIGN="center"></CENTER></P>
+<P>slapd(8) includes support for <EM>LDAP Sync</EM>-based replication, called <EM>syncrepl</EM>, which may be used to maintain shadow copies of directory information on multiple directory servers.   In its most basic configuration, the <EM>master</EM> is a syncrepl provider and one or more <EM>slave</EM> (or <EM>shadow</EM>) are syncrepl consumers.  An example master-slave configuration is shown in figure 3.3. Multi-Master configurations are also supported.</P>
+<P><CENTER><IMG SRC="config_repl.png" ALIGN="center"></CENTER></P>
 <P ALIGN="Center">Figure 3.3: Replicated Directory Services</P>
 <P>This configuration can be used in conjunction with either of the first two configurations in situations where a single <EM>slapd</EM>(8) instance does not provide the required reliability or availability.</P>
 <H2><A NAME="Distributed Local Directory Service">3.4. Distributed Local Directory Service</A></H2>
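Review bot: the added sentence "Multi-Master configurations are also supported." is left without a pointer; Figure 3.3 and the surrounding text describe only the master-slave case, so either link to the replication chapter's multi-master material or say where that configuration is described. Separately, the figure source changes from config_repl.gif to config_repl.png; confirm the .png is added under doc/guide/images in this revision, otherwise the rendered guide shows a broken image.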
@@ -1824,7 +1847,7 @@
 </PRE>
 <P>This marks the beginning of a new <TERM>BDB</TERM> database instance.</P>
 <H4><A NAME="olcAccess: to &lt;what&gt; [ by &lt;who&gt; [&lt;accesslevel&gt;] [&lt;control&gt;] ]+">5.2.5.2. olcAccess: to &lt;what&gt; [ by &lt;who&gt; [&lt;accesslevel&gt;] [&lt;control&gt;] ]+</A></H4>
-<P>This directive grants access (specified by &lt;accesslevel&gt;) to a set of entries and/or attributes (specified by &lt;what&gt;) by one or more requestors (specified by &lt;who&gt;). See the <A HREF="#Access Control">Access Control</A> section of this chapter for a summary of basic usage.</P>
+<P>This directive grants access (specified by &lt;accesslevel&gt;) to a set of entries and/or attributes (specified by &lt;what&gt;) by one or more requestors (specified by &lt;who&gt;). See the <A HREF="#Access Control">Access Control</A> section of this guide for basic usage.</P>
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>If no <TT>olcAccess</TT> directives are specified, the default access control policy, <TT>to * by * read</TT>, allows all users (both authenticated and anonymous) read access.
 <HR WIDTH="80%" ALIGN="Left"></P>
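Review bot: the wording change from "section of this chapter" to "section of this guide" is consistent with the Access Control section being deleted from this chapter later in this diff, but HREF="#Access Control" is unchanged; the relocated section must define exactly the same anchor name or this cross-reference breaks. The Note that follows, that the default policy "to * by * read" gives anonymous users read access, is the security-relevant statement on this page, so it is worth keeping the link to the full Access Control discussion working.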
@@ -1915,7 +1938,7 @@
 <P>The <TT>rid</TT> parameter is used for identification of the current <TT>syncrepl</TT> directive within the replication consumer server, where <TT>&lt;replica ID&gt;</TT> uniquely identifies the syncrepl specification described by the current <TT>syncrepl</TT> directive. <TT>&lt;replica ID&gt;</TT> is non-negative and is no more than three decimal digits in length.</P>
 <P>The <TT>provider</TT> parameter specifies the replication provider site containing the master content as an LDAP URI. The <TT>provider</TT> parameter specifies a scheme, a host and optionally a port where the provider slapd instance can be found. Either a domain name or IP address may be used for &lt;hostname&gt;. Examples are <TT>ldap://provider.example.com:389</TT> or <TT>ldaps://192.168.1.1:636</TT>. If &lt;port&gt; is not given, the standard LDAP port number (389 or 636) is used. Note that the syncrepl uses a consumer-initiated protocol, and hence its specification is located at the consumer site, whereas the <TT>replica</TT> specification is located at the provider site. <TT>syncrepl</TT> and <TT>replica</TT> directives define two independent replication mechanisms. They do not represent the replication peers of each other.</P>
 <P>The content of the syncrepl replica is defined using a search specification as its result set. The consumer slapd will send search requests to the provider slapd according to the search specification. The search specification includes <TT>searchbase</TT>, <TT>scope</TT>, <TT>filter</TT>, <TT>attrs</TT>, <TT>attrsonly</TT>, <TT>sizelimit</TT>, and <TT>timelimit</TT> parameters as in the normal search specification. The <TT>searchbase</TT> parameter has no default value and must always be specified. The <TT>scope</TT> defaults to <TT>sub</TT>, the <TT>filter</TT> defaults to <TT>(objectclass=*)</TT>, <TT>attrs</TT> defaults to <TT>&quot;*,+&quot;</TT> to replicate all user and operational attributes, and <TT>attrsonly</TT> is unset by default. Both <TT>sizelimit</TT> and <TT>timelimit</TT> default to &quot;unlimited&quot;, and only positive integers or &quot;unlimited&quot; may be specified.</P>
-<P>The <TERM>LDAP Content Sychronization</TERM> protocol has two operation types: <TT>refreshOnly</TT> and <TT>refreshAndPersist</TT>. The operation type is specified by the <TT>type</TT> parameter. In the <TT>refreshOnly</TT> operation, the next synchronization search operation is periodically rescheduled at an interval time after each synchronization operation finishes. The interval is specified by the <TT>interval</TT> parameter. It is set to one day by default. In the <TT>refreshAndPersist</TT> operation, a synchronization search remains persistent in the provider <EM>slapd</EM> instance. Further updates to the master replica will generate <TT>searchResultEntry</TT> to the consumer slapd as the search responses to the persistent synchronization search.</P>
+<P>The <TERM>LDAP Content Synchronization</TERM> protocol has two operation types: <TT>refreshOnly</TT> and <TT>refreshAndPersist</TT>. The operation type is specified by the <TT>type</TT> parameter. In the <TT>refreshOnly</TT> operation, the next synchronization search operation is periodically rescheduled at an interval time after each synchronization operation finishes. The interval is specified by the <TT>interval</TT> parameter. It is set to one day by default. In the <TT>refreshAndPersist</TT> operation, a synchronization search remains persistent in the provider <EM>slapd</EM> instance. Further updates to the master replica will generate <TT>searchResultEntry</TT> to the consumer slapd as the search responses to the persistent synchronization search.</P>
 <P>If an error occurs during replication, the consumer will attempt to reconnect according to the retry parameter which is a list of the &lt;retry interval&gt; and &lt;# of retries&gt; pairs. For example, retry=&quot;60 10 300 3&quot; lets the consumer retry every 60 seconds for the first 10 times and then retry every 300 seconds for the next three times before stop retrying. + in &lt;#  of retries&gt; means indefinite number of retries until success.</P>
 <P>The schema checking can be enforced at the LDAP Sync consumer site by turning on the <TT>schemachecking</TT> parameter. If it is turned on, every replicated entry will be checked for its schema as the entry is stored into the replica content. Every entry in the replica should contain those attributes required by the schema definition. If it is turned off, entries will be stored without checking schema conformance. The default is off.</P>
 <P>The <TT>binddn</TT> parameter gives the DN to bind as for the syncrepl searches to the provider slapd. It should be a DN which has read access to the replication content in the master database.</P>
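Review bot: the typo fix (Sychronization to Synchronization) is correct; while this paragraph is being touched, the neighbouring retry text "before stop retrying" should read "before it stops retrying", and the "+" in "+ in <# of retries> means indefinite number of retries" would be clearer set in <TT> like the other parameter values in this section.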
@@ -1982,7 +2005,7 @@
         olcDbConfig: set_lg_dir /var/tmp/bdb-log
         olcDbConfig: set_flags DB_LOG_AUTOREMOVE
 </PRE>
-<P>In this example, the BDB cache is set to 10MB, the BDB transaction log buffer size is set to 2MB, and the transaction log files are to be stored in the /var/tmp/bdb-log directory. Also a flag is set to tell BDB to delete transaction log files as soon as their contents have been checkpointed and they are no longer needed. Without this setting the transaction log files will continue to accumulate until some other cleanup procedure removes them. See the Berkeley DB documentation for the <TT>db_archive</TT> command for details.</P>
+<P>In this example, the BDB cache is set to 10MB, the BDB transaction log buffer size is set to 2MB, and the transaction log files are to be stored in the /var/tmp/bdb-log directory. Also a flag is set to tell BDB to delete transaction log files as soon as their contents have been checkpointed and they are no longer needed. Without this setting the transaction log files will continue to accumulate until some other cleanup procedure removes them. See the Berkeley DB documentation for the <TT>db_archive</TT> command for details. For a complete list of Berkeley DB flags please see - <A HREF="http://www.oracle.com/technology/documentation/berkeley-db/db/api_c/env_set_flags.html">http://www.oracle.com/technology/documentation/berkeley-db/db/api_c/env_set_flags.html</A></P>
 <P>Ideally the BDB cache must be at least as large as the working set of the database, the log buffer size should be large enough to accommodate most transactions without overflowing, and the log directory must be on a separate physical disk from the main database files. And both the database directory and the log directory should be separate from disks used for regular system activities such as the root, boot, or swap filesystems. See the FAQ-o-Matic and the Berkeley DB documentation for more details.</P>
 <H4><A NAME="olcDbNosync: { TRUE | FALSE }">5.2.6.5. olcDbNosync: { TRUE | FALSE }</A></H4>
 <P>This option causes on-disk database contents to not be immediately synchronized with in memory changes upon change.  Setting this option to <TT>TRUE</TT> may improve performance at the expense of data integrity. This directive has the same effect as using</P>
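Review bot: the added pointer reads "please see - <A HREF=...>" with a stray " - " before the link; write "please see <A ...>". More importantly, the paragraph recommends DB_LOG_AUTOREMOVE without stating the trade-off implied by its own description: log files deleted "as soon as their contents have been checkpointed" are no longer available to archive, so the text should say that this flag is only appropriate when the operator does not rely on archived transaction logs for recovery, and that otherwise log cleanup should be done with db_archive as the sentence already references.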
@@ -2051,443 +2074,6 @@
 olcDbIDLcacheSize: 3000
 olcDbIndex: objectClass eq
 </PRE>
-<H2><A NAME="Access Control">5.3. Access Control</A></H2>
-<P>Access to slapd entries and attributes is controlled by the olcAccess attribute, whose values are a sequence of access directives. The general form of the olcAccess configuration is:</P>
-<PRE>
-        olcAccess: &lt;access directive&gt;
-        &lt;access directive&gt; ::= to &lt;what&gt;
-                [by &lt;who&gt; [&lt;access&gt;] [&lt;control&gt;] ]+
-        &lt;what&gt; ::= * |
-                [dn[.&lt;basic-style&gt;]=&lt;regex&gt; | dn.&lt;scope-style&gt;=&lt;DN&gt;]
-                [filter=&lt;ldapfilter&gt;] [attrs=&lt;attrlist&gt;]
-        &lt;basic-style&gt; ::= regex | exact
-        &lt;scope-style&gt; ::= base | one | subtree | children
-        &lt;attrlist&gt; ::= &lt;attr&gt; [val[.&lt;basic-style&gt;]=&lt;regex&gt;] | &lt;attr&gt; , &lt;attrlist&gt;
-        &lt;attr&gt; ::= &lt;attrname&gt; | entry | children
-        &lt;who&gt; ::= * | [anonymous | users | self
-                        | dn[.&lt;basic-style&gt;]=&lt;regex&gt; | dn.&lt;scope-style&gt;=&lt;DN&gt;]
-                [dnattr=&lt;attrname&gt;]
-                [group[/&lt;objectclass&gt;[/&lt;attrname&gt;][.&lt;basic-style&gt;]]=&lt;regex&gt;]
-                [peername[.&lt;basic-style&gt;]=&lt;regex&gt;]
-                [sockname[.&lt;basic-style&gt;]=&lt;regex&gt;]
-                [domain[.&lt;basic-style&gt;]=&lt;regex&gt;]
-                [sockurl[.&lt;basic-style&gt;]=&lt;regex&gt;]
-                [set=&lt;setspec&gt;]
-                [aci=&lt;attrname&gt;]
-        &lt;access&gt; ::= [self]{&lt;level&gt;|&lt;priv&gt;}
-        &lt;level&gt; ::= none | disclose | auth | compare | search | read | write | manage
-        &lt;priv&gt; ::= {=|+|-}{m|w|r|s|c|x|d|0}+
-        &lt;control&gt; ::= [stop | continue | break]
-</PRE>
-<P>where the &lt;what&gt; part selects the entries and/or attributes to which the access applies, the <TT>&lt;who&gt;</TT> part specifies which entities are granted access, and the <TT>&lt;access&gt;</TT> part specifies the access granted. Multiple <TT>&lt;who&gt; &lt;access&gt; &lt;control&gt;</TT> triplets are supported, allowing many entities to be granted different access to the same set of entries and attributes. Not all of these access control options are described here; for more details see the <EM>slapd.access</EM>(5) man page.</P>
-<H3><A NAME="What to control access to">5.3.1. What to control access to</A></H3>
-<P>The &lt;what&gt; part of an access specification determines the entries and attributes to which the access control applies.  Entries are commonly selected in two ways: by DN and by filter.  The following qualifiers select entries by DN:</P>
-<PRE>
-        to *
-        to dn[.&lt;basic-style&gt;]=&lt;regex&gt;
-        to dn.&lt;scope-style&gt;=&lt;DN&gt;
-</PRE>
-<P>The first form is used to select all entries.  The second form may be used to select entries by matching a regular expression against the target entry's <EM>normalized DN</EM>.   (The second form is not discussed further in this document.)  The third form is used to select entries which are within the requested scope of DN.  The &lt;DN&gt; is a string representation of the Distinguished Name, as described in <A HREF="http://www.rfc-editor.org/rfc/rfc4514.txt">RFC4514</A>.</P>
-<P>The scope can be either <TT>base</TT>, <TT>one</TT>, <TT>subtree</TT>, or <TT>children</TT>.  Where <TT>base</TT> matches only the entry with provided DN, <TT>one</TT> matches the entries whose parent is the provided DN, <TT>subtree</TT> matches all entries in the subtree whose root is the provided DN, and <TT>children</TT> matches all entries under the DN (but not the entry named by the DN).</P>
-<P>For example, if the directory contained entries named:</P>
-<PRE>
-        0: o=suffix
-        1: cn=Manager,o=suffix
-        2: ou=people,o=suffix
-        3: uid=kdz,ou=people,o=suffix
-        4: cn=addresses,uid=kdz,ou=people,o=suffix
-        5: uid=hyc,ou=people,o=suffix
-</PRE>
-<P>Then:</P>
-<UL>
-<TT>dn.base=&quot;ou=people,o=suffix&quot;</TT> match 2;
-<BR>
-<TT>dn.one=&quot;ou=people,o=suffix&quot;</TT> match 3, and 5;
-<BR>
-<TT>dn.subtree=&quot;ou=people,o=suffix&quot;</TT> match 2, 3, 4, and 5; and
-<BR>
-<TT>dn.children=&quot;ou=people,o=suffix&quot;</TT> match 3, 4, and 5.</UL>
-<P>Entries may also be selected using a filter:</P>
-<PRE>
-        to filter=&lt;ldap filter&gt;
-</PRE>
-<P>where &lt;ldap filter&gt; is a string representation of an LDAP search filter, as described in <A HREF="http://www.rfc-editor.org/rfc/rfc4515.txt">RFC4515</A>.  For example:</P>
-<PRE>
-        to filter=(objectClass=person)
-</PRE>
-<P>Note that entries may be selected by both DN and filter by including both qualifiers in the &lt;what&gt; clause.</P>
-<PRE>
-        to dn.one=&quot;ou=people,o=suffix&quot; filter=(objectClass=person)
-</PRE>
-<P>Attributes within an entry are selected by including a comma-separated list of attribute names in the &lt;what&gt; selector:</P>
-<PRE>
-        attrs=&lt;attribute list&gt;
-</PRE>
-<P>A specific value of an attribute is selected by using a single attribute name and also using a value selector:</P>
-<PRE>
-        attrs=&lt;attribute&gt; val[.&lt;style&gt;]=&lt;regex&gt;
-</PRE>
-<P>There are two special <EM>pseudo</EM> attributes <TT>entry</TT> and <TT>children</TT>.  To read (and hence return) a target entry, the subject must have <TT>read</TT> access to the target's <EM>entry</EM> attribute.  To add or delete an entry, the subject must have <TT>write</TT> access to the entry's <TT>entry</TT> attribute AND must have <TT>write</TT> access to the entry's parent's <TT>children</TT> attribute.  To rename an entry, the subject must have <TT>write</TT> access to entry's <TT>entry</TT> attribute AND have <TT>write</TT> access to both the old parent's and new parent's <TT>children</TT> attributes.  The complete examples at the end of this section should help clear things up.</P>
-<P>Lastly, there is a special entry selector <TT>&quot;*&quot;</TT> that is used to select any entry.  It is used when no other <TT>&lt;what&gt;</TT> selector has been provided.  It's equivalent to &quot;<TT>dn=.*</TT>&quot;</P>
-<H3><A NAME="Who to grant access to">5.3.2. Who to grant access to</A></H3>
-<P>The &lt;who&gt; part identifies the entity or entities being granted access. Note that access is granted to &quot;entities&quot; not &quot;entries.&quot; The following table summarizes entity specifiers:</P>
-<TABLE CLASS="columns" BORDER ALIGN='Center'>
-<CAPTION ALIGN=top>Table 5.3: Access Entity Specifiers</CAPTION>
-<TR CLASS="heading">
-<TD>
-<STRONG>Specifier</STRONG>
-</TD>
-<TD>
-<STRONG>Entities</STRONG>
-</TD>
-</TR>
-<TR>
-<TD>
-<TT>*</TT>
-</TD>
-<TD>
-All, including anonymous and authenticated users
-</TD>
-</TR>
-<TR>
-<TD>
-<TT>anonymous</TT>
-</TD>
-<TD>
-Anonymous (non-authenticated) users
-</TD>
-</TR>
-<TR>
-<TD>
-<TT>users</TT>
-</TD>
-<TD>
-Authenticated users
-</TD>
-</TR>
-<TR>
-<TD>
-<TT>self</TT>
-</TD>
-<TD>
-User associated with target entry
-</TD>
-</TR>
-<TR>
-<TD>
-<TT>dn[.&lt;basic-style&gt;]=&lt;regex&gt;</TT>
-</TD>
-<TD>
-Users matching a regular expression
-</TD>
-</TR>
-<TR>
-<TD>
-<TT>dn.&lt;scope-style&gt;=&lt;DN&gt;</TT>
-</TD>
-<TD>
-Users within scope of a DN
-</TD>
-</TR>
-</TABLE>
-
-<P>The DN specifier behaves much like &lt;what&gt; clause DN specifiers.</P>
-<P>Other control factors are also supported.  For example, a <TT>&lt;who&gt;</TT> can be restricted by an entry listed in a DN-valued attribute in the entry to which the access applies:</P>
-<PRE>
-        dnattr=&lt;dn-valued attribute name&gt;
-</PRE>
-<P>The dnattr specification is used to give access to an entry whose DN is listed in an attribute of the entry (e.g., give access to a group entry to whoever is listed as the owner of the group entry).</P>
-<P>Some factors may not be appropriate in all environments (or any). For example, the domain factor relies on IP to domain name lookups. As these can easily be spoofed, the domain factor should be avoided.</P>
-<H3><A NAME="The access to grant">5.3.3. The access to grant</A></H3>
-<P>The kind of &lt;access&gt; granted can be one of the following:</P>
-<TABLE CLASS="columns" BORDER ALIGN='Center'>
-<CAPTION ALIGN=top>Table 5.4: Access Levels</CAPTION>
-<TR CLASS="heading">
-<TD ALIGN='Left'>
-<STRONG>Level</STRONG>
-</TD>
-<TD ALIGN='Right'>
-<STRONG>Privileges</STRONG>
-</TD>
-<TD ALIGN='Left'>
-<STRONG>Description</STRONG>
-</TD>
-</TR>
-<TR>
-<TD ALIGN='Left'>
-<TT>none</TT>
-</TD>
-<TD ALIGN='Right'>
-<TT>=0</TT>
-</TD>
-<TD ALIGN='Left'>
-no access
-</TD>
-</TR>
-<TR>
-<TD ALIGN='Left'>
-<TT>disclose</TT>
-</TD>
-<TD ALIGN='Right'>
-<TT>=d</TT>
-</TD>
-<TD ALIGN='Left'>
-needed for information disclosure on error
-</TD>
-</TR>
-<TR>
-<TD ALIGN='Left'>
-<TT>auth</TT>
-</TD>
-<TD ALIGN='Right'>
-<TT>=dx</TT>
-</TD>
-<TD ALIGN='Left'>
-needed to authenticate (bind)
-</TD>
-</TR>
-<TR>
-<TD ALIGN='Left'>
-<TT>compare</TT>
-</TD>
-<TD ALIGN='Right'>
-<TT>=cdx</TT>
-</TD>
-<TD ALIGN='Left'>
-needed to compare
-</TD>
-</TR>
-<TR>
-<TD ALIGN='Left'>
-<TT>search</TT>
-</TD>
-<TD ALIGN='Right'>
-<TT>=scdx</TT>
-</TD>
-<TD ALIGN='Left'>
-needed to apply search filters
-</TD>
-</TR>
-<TR>
-<TD ALIGN='Left'>
-<TT>read</TT>
-</TD>
-<TD ALIGN='Right'>
-<TT>=rscdx</TT>
-</TD>
-<TD ALIGN='Left'>
-needed to read search results
-</TD>
-</TR>
-<TR>
-<TD ALIGN='Left'>
-<TT>write</TT>
-</TD>
-<TD ALIGN='Right'>
-<TT>=wrscdx</TT>
-</TD>
-<TD ALIGN='Left'>
-needed to modify/rename
-</TD>
-</TR>
-<TR>
-<TD ALIGN='Left'>
-<TT>manage</TT>
-</TD>
-<TD ALIGN='Right'>
-<TT>=mwrscdx</TT>
-</TD>
-<TD ALIGN='Left'>
-needed to manage
-</TD>
-</TR>
-</TABLE>
-
-<P>Each level implies all lower levels of access. So, for example, granting someone <TT>write</TT> access to an entry also grants them <TT>read</TT>, <TT>search</TT>, <TT>compare</TT>, <TT>auth</TT> and <TT>disclose</TT> access.  However, one may use the privileges specifier to grant specific permissions.</P>
-<H3><A NAME="Access Control Evaluation">5.3.4. Access Control Evaluation</A></H3>
-<P>When evaluating whether some requester should be given access to an entry and/or attribute, slapd compares the entry and/or attribute to the <TT>&lt;what&gt;</TT> selectors given in the configuration.  For each entry, access controls provided in the database which holds the entry (or the first database if not held in any database) apply first, followed by the global access directives (which are held in the <TT>frontend</TT> database definition).  Within this priority, access directives are examined in the order in which they appear in the configuration attribute.  Slapd stops with the first <TT>&lt;what&gt;</TT> selector that matches the entry and/or attribute. The corresponding access directive is the one slapd will use to evaluate access.</P>
-<P>Next, slapd compares the entity requesting access to the <TT>&lt;who&gt;</TT> selectors within the access directive selected above in the order in which they appear. It stops with the first <TT>&lt;who&gt;</TT> selector that matches the requester. This determines the access the entity requesting access has to the entry and/or attribute.</P>
-<P>Finally, slapd compares the access granted in the selected <TT>&lt;access&gt;</TT> clause to the access requested by the client. If it allows greater or equal access, access is granted. Otherwise, access is denied.</P>
-<P>The order of evaluation of access directives makes their placement in the configuration file important. If one access directive is more specific than another in terms of the entries it selects, it should appear first in the configuration. Similarly, if one <TT>&lt;who&gt;</TT> selector is more specific than another it should come first in the access directive. The access control examples given below should help make this clear.</P>
-<H3><A NAME="Access Control Examples">5.3.5. Access Control Examples</A></H3>
-<P>The access control facility described above is quite powerful.  This section shows some examples of its use for descriptive purposes.</P>
-<P>A simple example:</P>
-<PRE>
-        olcAccess: to * by * read
-</PRE>
-<P>This access directive grants read access to everyone.</P>
-<PRE>
-        olcAccess: to *
-                by self write
-                by anonymous auth
-                by * read
-</PRE>
-<P>This directive allows the user to modify their entry, allows anonymous to authenticate against these entries, and allows all others to read these entries.  Note that only the first <TT>by &lt;who&gt;</TT> clause which matches applies.  Hence, the anonymous users are granted <TT>auth</TT>, not <TT>read</TT>.  The last clause could just as well have been &quot;<TT>by users read</TT>&quot;.</P>
-<P>It is often desirable to restrict operations based upon the level of protection in place.  The following shows how security strength factors (SSF) can be used.</P>
-<PRE>
-        olcAccess: to *
-                by ssf=128 self write
-                by ssf=64 anonymous auth
-                by ssf=64 users read
-</PRE>
-<P>This directive allows users to modify their own entries if security protections of strength 128 or better have been established, allows authentication access to anonymous users, and read access when strength 64 or better security protections have been established.  If the client has not establish sufficient security protections, the implicit <TT>by * none</TT> clause would be applied.</P>
-<P>The following example shows the use of style specifiers to select the entries by DN in two access directives where ordering is significant.</P>
-<PRE>
-        olcAccess: to dn.children=&quot;dc=example,dc=com&quot;
-                by * search
-        olcAccess: to dn.children=&quot;dc=com&quot;
-                by * read
-</PRE>
-<P>Read access is granted to entries under the <TT>dc=com</TT> subtree, except for those entries under the <TT>dc=example,dc=com</TT> subtree, to which search access is granted.  No access is granted to <TT>dc=com</TT> as neither access directive matches this DN.  If the order of these access directives was reversed, the trailing directive would never be reached, since all entries under <TT>dc=example,dc=com</TT> are also under <TT>dc=com</TT> entries.</P>
-<P>Also note that if no <TT>olcAccess: to</TT> directive matches or no <TT>by &lt;who&gt;</TT> clause, <B>access is denied</B>.  That is, every <TT>olcAccess: to</TT> directive ends with an implicit <TT>by * none</TT> clause and every access list ends with an implicit <TT>olcAccess: to * by * none</TT> directive.</P>
-<P>The next example again shows the importance of ordering, both of the access directives and the <TT>by &lt;who&gt;</TT> clauses.  It also shows the use of an attribute selector to grant access to a specific attribute and various <TT>&lt;who&gt;</TT> selectors.</P>
-<PRE>
-        olcAccess: to dn.subtree=&quot;dc=example,dc=com&quot; attrs=homePhone
-                by self write
-                by dn.children=dc=example,dc=com&quot; search
-                by peername.regex=IP:10\..+ read
-        olcAccess: to dn.subtree=&quot;dc=example,dc=com&quot;
-                by self write
-                by dn.children=&quot;dc=example,dc=com&quot; search
-                by anonymous auth
-</PRE>
-<P>This example applies to entries in the &quot;<TT>dc=example,dc=com</TT>&quot; subtree. To all attributes except <TT>homePhone</TT>, an entry can write to itself, entries under <TT>example.com</TT> entries can search by them, anybody else has no access (implicit <TT>by * none</TT>) excepting for authentication/authorization (which is always done anonymously).  The <TT>homePhone</TT> attribute is writable by the entry, searchable by entries under <TT>example.com</TT>, readable by clients connecting from network 10, and otherwise not readable (implicit <TT>by * none</TT>).  All other access is denied by the implicit <TT>access to * by * none</TT>.</P>
-<P>Sometimes it is useful to permit a particular DN to add or remove itself from an attribute. For example, if you would like to create a group and allow people to add and remove only their own DN from the member attribute, you could accomplish it with an access directive like this:</P>
-<PRE>
-        olcAccess: to attrs=member,entry
-                by dnattr=member selfwrite
-</PRE>
-<P>The dnattr <TT>&lt;who&gt;</TT> selector says that the access applies to entries listed in the <TT>member</TT> attribute. The <TT>selfwrite</TT> access selector says that such members can only add or delete their own DN from the attribute, not other values. The addition of the entry attribute is required because access to the entry is required to access any of the entry's attributes.</P>
-<H3><A NAME="Access Control Ordering">5.3.6. Access Control Ordering</A></H3>
-<P>Since the ordering of <TT>olcAccess</TT> directives is essential to their proper evaluation, but LDAP attributes normally do not preserve the ordering of their values, OpenLDAP uses a custom schema extension to maintain a fixed ordering of these values. This ordering is maintained by prepending a <TT>&quot;{X}&quot;</TT> numeric index to each value, similarly to the approach used for ordering the configuration entries. These index tags are maintained automatically by slapd and do not need to be specified when originally defining the values. For example, when you create the settings</P>
-<PRE>
-        olcAccess: to attrs=member,entry
-                by dnattr=member selfwrite
-        olcAccess: to dn.children=&quot;dc=example,dc=com&quot;
-                by * search
-        olcAccess: to dn.children=&quot;dc=com&quot;
-                by * read
-</PRE>
-<P>when you read them back using slapcat or ldapsearch they will contain</P>
-<PRE>
-        olcAccess: {0}to attrs=member,entry
-                by dnattr=member selfwrite
-        olcAccess: {1}to dn.children=&quot;dc=example,dc=com&quot;
-                by * search
-        olcAccess: {2}to dn.children=&quot;dc=com&quot;
-                by * read
-</PRE>
-<P>The numeric index may be used to specify a particular value to change when using ldapmodify to edit the access rules. This index can be used instead of (or in addition to) the actual access value. Using this numeric index is very helpful when multiple access rules are being managed.</P>
-<P>For example, if we needed to change the second rule above to grant write access instead of search, we could try this LDIF:</P>
-<PRE>
-        changetype: modify
-        delete: olcAccess
-        olcAccess: to dn.children=&quot;dc=example,dc=com&quot; by * search
-        -
-        add: olcAccess
-        olcAccess: to dn.children=&quot;dc=example,dc=com&quot; by * write
-        -
-</PRE>
-<P>But this example <B>will not</B> guarantee that the existing values remain in their original order, so it will most likely yield a broken security configuration. Instead, the numeric index should be used:</P>
-<PRE>
-        changetype: modify
-        delete: olcAccess
-        olcAccess: {1}
-        -
-        add: olcAccess
-        olcAccess: {1}to dn.children=&quot;dc=example,dc=com&quot; by * write
-        -
-</PRE>
-<P>This example deletes whatever rule is in value #1 of the <TT>olcAccess</TT> attribute (regardless of its value) and adds a new value that is explicitly inserted as value #1. The result will be</P>
-<PRE>
-        olcAccess: {0}to attrs=member,entry
-                by dnattr=member selfwrite
-        olcAccess: {1}to dn.children=&quot;dc=example,dc=com&quot;
-                by * write
-        olcAccess: {2}to dn.children=&quot;dc=com&quot;
-                by * read
-</PRE>
-<P>which is exactly what was intended.</P>
-<H2><A NAME="Configuration Example">5.4. Configuration Example</A></H2>
-<P>The following is an example configuration, interspersed with explanatory text. It defines two databases to handle different parts of the <TERM>X.500</TERM> tree; both are <TERM>BDB</TERM> database instances. The line numbers shown are provided for reference only and are not included in the actual file. First, the global configuration section:</P>
-<PRE>
-  1.    # example config file - global configuration entry
-  2.    dn: cn=config
-  3.    objectClass: olcGlobal
-  4.    cn: config
-  5.    olcReferral: ldap://root.openldap.org
-  6.
-</PRE>
-<P>Line 1 is a comment. Lines 2-4 identify this as the global configuration entry. The <TT>olcReferral:</TT> directive on line 5 means that queries not local to one of the databases defined below will be referred to the LDAP server running on the standard port (389) at the host <TT>root.openldap.org</TT>. Line 6 is a blank line, indicating the end of this entry.</P>
-<PRE>
-  7.    # internal schema
-  8.    dn: cn=schema,cn=config
-  9.    objectClass: olcSchemaConfig
- 10.    cn: schema
- 11.
-</PRE>
-<P>Line 7 is a comment. Lines 8-10 identify this as the root of the schema subtree. The actual schema definitions in this entry are hardcoded into slapd so no additional attributes are specified here. Line 11 is a blank line, indicating the end of this entry.</P>
-<PRE>
- 12.    # include the core schema
- 13.    include: file:///usr/local/etc/openldap/schema/core.ldif
- 14.
-</PRE>
-<P>Line 12 is a comment. Line 13 is an LDIF include directive which accesses the <EM>core</EM> schema definitions in LDIF format. Line 14 is a blank line.</P>
-<P>Next comes the database definitions. The first database is the special <TT>frontend</TT> database whose settings are applied globally to all the other databases.</P>
-<PRE>
- 15.    # global database parameters
- 16.    dn: olcDatabase=frontend,cn=config
- 17.    objectClass: olcDatabaseConfig
- 18.    olcDatabase: frontend
- 19.    olcAccess: to * by * read
- 20.
-</PRE>
-<P>Line 15 is a comment. Lines 16-18 identify this entry as the global database entry. Line 19 is a global access control. It applies to all entries (after any applicable database-specific access controls).</P>
-<P>The next entry defines a BDB backend that will handle queries for things in the &quot;dc=example,dc=com&quot; portion of the tree. Indices are to be maintained for several attributes, and the <TT>userPassword</TT> attribute is to be protected from unauthorized access.</P>
-<PRE>
- 21.    # BDB definition for example.com
- 22.    dn: olcDatabase=bdb,cn=config
- 23.    objectClass: olcDatabaseConfig
- 24.    objectClass: olcBdbConfig
- 25.    olcDatabase: bdb
- 26.    olcSuffix: &quot;dc=example,dc=com&quot;
- 27.    olcDbDirectory: /usr/local/var/openldap-data
- 28.    olcRootDN: &quot;cn=Manager,dc=example,dc=com&quot;
- 29.    olcRootPW: secret
- 30.    olcDbIndex: uid pres,eq
- 31.    olcDbIndex: cn,sn,uid pres,eq,approx,sub
- 32.    olcDbIndex: objectClass eq
- 33.    olcAccess: to attrs=userPassword
- 34.      by self write
- 35.      by anonymous auth
- 36.      by dn.base=&quot;cn=Admin,dc=example,dc=com&quot; write
- 37.      by * none
- 38.    olcAccess: to *
- 39.      by self write
- 40.      by dn.base=&quot;cn=Admin,dc=example,dc=com&quot; write
- 41.      by * read
- 42.
-</PRE>
-<P>Line 21 is a comment. Lines 22-25 identify this entry as a BDB database configuration entry.  Line 26 specifies the DN suffix for queries to pass to this database. Line 27 specifies the directory in which the database files will live.</P>
-<P>Lines 28 and 29 identify the database <EM>super-user</EM> entry and associated password. This entry is not subject to access control or size or time limit restrictions.</P>
-<P>Lines 30 through 32 indicate the indices to maintain for various attributes.</P>
-<P>Lines 33 through 41 specify access control for entries in this database.  As this is the first database, the controls also apply to entries not held in any database (such as the Root DSE).  For all applicable entries, the <TT>userPassword</TT> attribute is writable by the entry itself and by the &quot;admin&quot; entry.  It may be used for authentication/authorization purposes, but is otherwise not readable. All other attributes are writable by the entry and the &quot;admin&quot; entry, but may be read by all users (authenticated or not).</P>
-<P>Line 42 is a blank line, indicating the end of this entry.</P>
-<P>The next section of the example configuration file defines another BDB database. This one handles queries involving the <TT>dc=example,dc=net</TT> subtree but is managed by the same entity as the first database.  Note that without line 52, the read access would be allowed due to the global access rule at line 19.</P>
-<PRE>
- 43.    # BDB definition for example.net
- 44.    dn: olcDatabase=bdb,cn=config
- 45.    objectClass: olcDatabaseConfig
- 46.    objectClass: olcBdbConfig
- 47.    olcDatabase: bdb
- 48.    olcSuffix: &quot;dc=example,dc=net&quot;
- 49.    olcDbDirectory: /usr/local/var/openldap-data-net
- 50.    olcRootDN: &quot;cn=Manager,dc=example,dc=com&quot;
- 51.    olcDbIndex: objectClass eq
- 52.    olcAccess: to * by users read
-</PRE>
-<H2><A NAME="Converting from slapd.conf(8) to a {{B:cn=config}} directory format">5.5. Converting from slapd.conf(8) to a <B>cn=config</B> directory format</A></H2>
-<P>Discuss slap* -f slapd.conf -F slapd.d/  (man slapd-config)</P>
 <P></P>
 <HR>
 <H1><A NAME="The slapd Configuration File">6. The slapd Configuration File</A></H1>
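Review bot: the numeric-index guidance for editing olcAccess with ldapmodify (the `delete: olcAccess` / `olcAccess: {1}` followed by `add: olcAccess` / `olcAccess: {1}to dn.children=...` form, together with the warning that the unindexed delete/add form "will most likely yield a broken security configuration") is removed here along with the whole 5.4 configuration example and the 5.5 placeholder, and nothing in this hunk carries it over. Please confirm that text reappears in the new Access Control chapter rather than being dropped: ACL evaluation is order-sensitive, and that warning is the only place the guide told cn=config users how to replace a rule without silently reordering the others.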
@@ -2527,7 +2113,7 @@
 <H3><A NAME="Global Directives">6.2.1. Global Directives</A></H3>
 <P>Directives described in this section apply to all backends and databases unless specifically overridden in a backend or database definition.  Arguments that should be replaced by actual text are shown in brackets <TT>&lt;&gt;</TT>.</P>
 <H4><A NAME="access to &lt;what&gt; [ by &lt;who&gt; [&lt;accesslevel&gt;] [&lt;control&gt;] ]+">6.2.1.1. access to &lt;what&gt; [ by &lt;who&gt; [&lt;accesslevel&gt;] [&lt;control&gt;] ]+</A></H4>
-<P>This directive grants access (specified by &lt;accesslevel&gt;) to a set of entries and/or attributes (specified by &lt;what&gt;) by one or more requestors (specified by &lt;who&gt;).  See the <A HREF="#The access Configuration Directive">The access Configuration Directive</A> section of this chapter for a summary of basic usage.</P>
+<P>This directive grants access (specified by &lt;accesslevel&gt;) to a set of entries and/or attributes (specified by &lt;what&gt;) by one or more requestors (specified by &lt;who&gt;).  See the <A HREF="#Access Control">Access Control</A> section of this guide for basic usage.</P>
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>If no <TT>access</TT> directives are specified, the default access control policy, <TT>access to * by * read</TT>, allows all both authenticated and anonymous users read access.
 <HR WIDTH="80%" ALIGN="Left"></P>
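Review bot: the repointed link now targets the `Access Control` anchor, which is fine, but the unchanged Note directly below it still reads "allows all both authenticated and anonymous users read access"; drop "all" so it reads "allows both authenticated and anonymous users read access".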
@@ -2868,21 +2454,34 @@
                 [credentials=&lt;passwd&gt;]
                 [realm=&lt;realm&gt;]
                 [secprops=&lt;properties&gt;]
+                [starttls=yes|critical]
+                [tls_cert=&lt;file&gt;]
+                [tls_key=&lt;file&gt;]
+                [tls_cacert=&lt;file&gt;]
+                [tls_cacertdir=&lt;path&gt;]
+                [tls_reqcert=never|allow|try|demand]
+                [tls_ciphersuite=&lt;ciphers&gt;]
+                [tls_crlcheck=none|peer|all]
+                [logbase=&lt;base DN&gt;]
+                [logfilter=&lt;filter str&gt;]
+                [syncdata=default|accesslog|changelog]
 </PRE>
 <P>This directive specifies the current database as a replica of the master content by establishing the current <EM>slapd</EM>(8) as a replication consumer site running a syncrepl replication engine. The master database is located at the replication provider site specified by the <TT>provider</TT> parameter. The replica database is kept up-to-date with the master content using the LDAP Content Synchronization protocol. See <A HREF="http://www.rfc-editor.org/rfc/rfc4533.txt">RFC4533</A> for more information on the protocol.</P>
 <P>The <TT>rid</TT> parameter is used for identification of the current <TT>syncrepl</TT> directive within the replication consumer server, where <TT>&lt;replica ID&gt;</TT> uniquely identifies the syncrepl specification described by the current <TT>syncrepl</TT> directive. <TT>&lt;replica ID&gt;</TT> is non-negative and is no more than three decimal digits in length.</P>
 <P>The <TT>provider</TT> parameter specifies the replication provider site containing the master content as an LDAP URI. The <TT>provider</TT> parameter specifies a scheme, a host and optionally a port where the provider slapd instance can be found. Either a domain name or IP address may be used for &lt;hostname&gt;. Examples are <TT>ldap://provider.example.com:389</TT> or <TT>ldaps://192.168.1.1:636</TT>. If &lt;port&gt; is not given, the standard LDAP port number (389 or 636) is used. Note that the syncrepl uses a consumer-initiated protocol, and hence its specification is located at the consumer site, whereas the <TT>replica</TT> specification is located at the provider site. <TT>syncrepl</TT> and <TT>replica</TT> directives define two independent replication mechanisms. They do not represent the replication peers of each other.</P>
-<P>The content of the syncrepl replica is defined using a search specification as its result set. The consumer slapd will send search requests to the provider slapd according to the search specification. The search specification includes <TT>searchbase</TT>, <TT>scope</TT>, <TT>filter</TT>, <TT>attrs</TT>, <TT>attrsonly</TT>, <TT>sizelimit</TT>, and <TT>timelimit</TT> parameters as in the normal search specification. The <TT>searchbase</TT> parameter has no default value and must always be specified. The <TT>scope</TT> defaults to <TT>sub</TT>, the <TT>filter</TT> defaults to <TT>(objectclass=*)</TT>, <TT>attrs</TT> defaults to <TT>&quot;*,+&quot;</TT> to replicate all user and operational attributes, and <TT>attrsonly</TT> is unset by default. Both <TT>sizelimit</TT> and <TT>timelimit</TT> default to &quot;unlimited&quot;, and only integers or &quot;unlimited&quot; may be specified.</P>
-<P>The LDAP Content Synchronization protocol has two operation types: <TT>refreshOnly</TT> and <TT>refreshAndPersist</TT>. The operation type is specified by the <TT>type</TT> parameter. In the <TT>refreshOnly</TT> operation, the next synchronization search operation is periodically rescheduled at an interval time after each synchronization operation finishes. The interval is specified by the <TT>interval</TT> parameter. It is set to one day by default. In the <TT>refreshAndPersist</TT> operation, a synchronization search remains persistent in the provider slapd. Further updates to the master replica will generate <TT>searchResultEntry</TT> to the consumer slapd as the search responses to the persistent synchronization search.</P>
+<P>The content of the syncrepl replica is defined using a search specification as its result set. The consumer slapd will send search requests to the provider slapd according to the search specification. The search specification includes <TT>searchbase</TT>, <TT>scope</TT>, <TT>filter</TT>, <TT>attrs</TT>, <TT>attrsonly</TT>, <TT>sizelimit</TT>, and <TT>timelimit</TT> parameters as in the normal search specification. The <TT>searchbase</TT> parameter has no default value and must always be specified. The <TT>scope</TT> defaults to <TT>sub</TT>, the <TT>filter</TT> defaults to <TT>(objectclass=*)</TT>, <TT>attrs</TT> defaults to <TT>&quot;*,+&quot;</TT> to replicate all user and operational attributes, and <TT>attrsonly</TT> is unset by default. Both <TT>sizelimit</TT> and <TT>timelimit</TT> default to &quot;unlimited&quot;, and only positive integers or &quot;unlimited&quot; may be specified.</P>
+<P>The <TERM>LDAP Content Synchronization</TERM> protocol has two operation types: <TT>refreshOnly</TT> and <TT>refreshAndPersist</TT>. The operation type is specified by the <TT>type</TT> parameter. In the <TT>refreshOnly</TT> operation, the next synchronization search operation is periodically rescheduled at an interval time after each synchronization operation finishes. The interval is specified by the <TT>interval</TT> parameter. It is set to one day by default. In the <TT>refreshAndPersist</TT> operation, a synchronization search remains persistent in the provider <EM>slapd</EM> instance. Further updates to the master replica will generate <TT>searchResultEntry</TT> to the consumer slapd as the search responses to the persistent synchronization search.</P>
 <P>If an error occurs during replication, the consumer will attempt to reconnect according to the retry parameter which is a list of the &lt;retry interval&gt; and &lt;# of retries&gt; pairs. For example, retry=&quot;60 10 300 3&quot; lets the consumer retry every 60 seconds for the first 10 times and then retry every 300 seconds for the next three times before stop retrying. + in &lt;#  of retries&gt; means indefinite number of retries until success.</P>
 <P>The schema checking can be enforced at the LDAP Sync consumer site by turning on the <TT>schemachecking</TT> parameter. If it is turned on, every replicated entry will be checked for its schema as the entry is stored into the replica content. Every entry in the replica should contain those attributes required by the schema definition. If it is turned off, entries will be stored without checking schema conformance. The default is off.</P>
 <P>The <TT>binddn</TT> parameter gives the DN to bind as for the syncrepl searches to the provider slapd. It should be a DN which has read access to the replication content in the master database.</P>
-<P>The <TT>bindmethod</TT> is <TT>simple</TT> or <TT>sasl</TT>, depending on whether simple password-based authentication or <TERM>SASL</TERM> authentication is to be used when connecting to the provider slapd.</P>
+<P>The <TT>bindmethod</TT> is <TT>simple</TT> or <TT>sasl</TT>, depending on whether simple password-based authentication or <TERM>SASL</TERM> authentication is to be used when connecting to the provider <EM>slapd</EM> instance.</P>
 <P>Simple authentication should not be used unless adequate data integrity and confidentiality protections are in place (e.g. TLS or IPsec). Simple authentication requires specification of <TT>binddn</TT> and <TT>credentials</TT> parameters.</P>
 <P>SASL authentication is generally recommended.  SASL authentication requires specification of a mechanism using the <TT>saslmech</TT> parameter. Depending on the mechanism, an authentication identity and/or credentials can be specified using <TT>authcid</TT> and <TT>credentials</TT>, respectively.  The <TT>authzid</TT> parameter may be used to specify an authorization identity.</P>
 <P>The <TT>realm</TT> parameter specifies a realm which a certain mechanisms authenticate the identity within. The <TT>secprops</TT> parameter specifies Cyrus SASL security properties.</P>
-<P>The syncrepl replication mechanism is supported by the two primary database backends: back-bdb and back-hdb.</P>
-<P>See the <A HREF="#LDAP Sync Replication">LDAP Sync Replication</A> chapter of the admin guide for more information on how to use this directive.</P>
+<P>The <TT>starttls</TT> parameter specifies use of the StartTLS extended operation to establish a TLS session before authenticating to the provider. If the <TT>critical</TT> argument is supplied, the session will be aborted if the StartTLS request fails.  Otherwise the syncrepl session continues without TLS.  Note that the main slapd TLS settings are not used by the syncrepl engine; by default the TLS parameters from a <EM>ldap.conf</EM>(5) configuration file will be used.  TLS settings may be specified here, in which case any <EM>ldap.conf</EM>(5) settings will be completely ignored.</P>
+<P>Rather than replicating whole entries, the consumer can query logs of data modifications.  This mode of operation is referred to as <EM>delta syncrepl</EM>.  In addition to the above parameters, the <TT>logbase</TT> and <TT>logfilter</TT> parameters must be set appropriately for the log that will be used. The <TT>syncdata</TT> parameter must be set to either <TT>&quot;accesslog&quot;</TT> if the log conforms to the <EM>slapo-accesslog</EM>(5) log format, or <TT>&quot;changelog&quot;</TT> if the log conforms to the obsolete <EM>changelog</EM> format. If the <TT>syncdata</TT> parameter is omitted or set to <TT>&quot;default&quot;</TT> then the log parameters are ignored.</P>
+<P>The <EM>syncrepl</EM> replication mechanism is supported by the <EM>bdb</EM> and <EM>hdb</EM> backends.</P>
+<P>See the <A HREF="#LDAP Sync Replication">LDAP Sync Replication</A> chapter of this guide for more information on how to use this directive.</P>
 <H4><A NAME="updateref &lt;URL&gt;">6.2.3.7. updateref &lt;URL&gt;</A></H4>
 <P>This directive is only applicable in a <EM>slave</EM> (or <EM>shadow</EM>) <EM>slapd</EM>(8) instance. It specifies the URL to return to clients which submit update requests upon the replica. If specified multiple times, each <TERM>URL</TERM> is provided.</P>
 <P>Example:</P>
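Review bot: the new `starttls` paragraph says that without `critical` "the syncrepl session continues without TLS" but never states which `tls_reqcert` value applies when that parameter is omitted, while the same paragraph says that giving any TLS setting here makes the ldap.conf(5) settings "completely ignored"; a reader who sets only `tls_cacert=<file>` cannot tell from this text whether the provider certificate is then verified at all. State the effective defaults for `tls_reqcert` and `tls_crlcheck` in this paragraph, and connect the existing sentence "Simple authentication should not be used unless adequate data integrity and confidentiality protections are in place" to the new option by recommending `starttls=critical` whenever `bindmethod=simple` is used, so that a failed StartTLS cannot silently downgrade the bind and the replication traffic to cleartext.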
@@ -2897,51 +2496,60 @@
 <PRE>
         directory /usr/local/var/openldap-data
 </PRE>
-<H2><A NAME="The access Configuration Directive">6.3. The access Configuration Directive</A></H2>
+<P></P>
+<HR>
+<H1><A NAME="Access Control">7. Access Control</A></H1>
+<H2><A NAME="Introduction">7.1. Introduction</A></H2>
+<P>As the directory gets populated with more and more data of varying sensitivity, controlling the kinds of access granted to the directory becomes more and more critical. For instance, the directory may contain data of a confidential nature that you may need to protect by contract or by law. Or, if using the directory to control access to other services, inappropriate access to the directory may create avenues of attack to your sites security that result in devastating damage to your assets.</P>
+<P>Access to your directory can be configured via two methods, the first using <A HREF="#The slapd Configuration File">The slapd Configuration File</A> and the second using the <EM>slapd-config</EM>(5) format (<A HREF="#Configuring slapd">Configuring slapd</A>).</P>
+<P>The default access control policy is allow read by all clients. Regardless of what access control policy is defined, the <EM>rootdn</EM> is always allowed full rights (i.e. auth, search, compare, read and write) on everything and anything.</P>
+<P>As a consequence, it's useless (and results in a performance penalty) to explicitly list the <EM>rootdn</EM> among the <EM>&lt;by&gt;</EM> clauses.</P>
+<P>The following sections will describe Access Control Lists in more details and follow with some examples and recommendations.</P>
+<H2><A NAME="Access Control via Static Configuration">7.2. Access Control via Static Configuration</A></H2>
 <P>Access to entries and attributes is controlled by the access configuration file directive. The general form of an access line is:</P>
 <PRE>
-        &lt;access directive&gt; ::= access to &lt;what&gt;
-                [by &lt;who&gt; [&lt;access&gt;] [&lt;control&gt;] ]+
-        &lt;what&gt; ::= * |
-                [dn[.&lt;basic-style&gt;]=&lt;regex&gt; | dn.&lt;scope-style&gt;=&lt;DN&gt;]
-                [filter=&lt;ldapfilter&gt;] [attrs=&lt;attrlist&gt;]
-        &lt;basic-style&gt; ::= regex | exact
-        &lt;scope-style&gt; ::= base | one | subtree | children
-        &lt;attrlist&gt; ::= &lt;attr&gt; [val[.&lt;basic-style&gt;]=&lt;regex&gt;] | &lt;attr&gt; , &lt;attrlist&gt;
-        &lt;attr&gt; ::= &lt;attrname&gt; | entry | children
-        &lt;who&gt; ::= * | [anonymous | users | self
-                        | dn[.&lt;basic-style&gt;]=&lt;regex&gt; | dn.&lt;scope-style&gt;=&lt;DN&gt;]
-                [dnattr=&lt;attrname&gt;]
-                [group[/&lt;objectclass&gt;[/&lt;attrname&gt;][.&lt;basic-style&gt;]]=&lt;regex&gt;]
-                [peername[.&lt;basic-style&gt;]=&lt;regex&gt;]
-                [sockname[.&lt;basic-style&gt;]=&lt;regex&gt;]
-                [domain[.&lt;basic-style&gt;]=&lt;regex&gt;]
-                [sockurl[.&lt;basic-style&gt;]=&lt;regex&gt;]
-                [set=&lt;setspec&gt;]
-                [aci=&lt;attrname&gt;]
-        &lt;access&gt; ::= [self]{&lt;level&gt;|&lt;priv&gt;}
-        &lt;level&gt; ::= none | disclose | auth | compare | search | read | write | manage
-        &lt;priv&gt; ::= {=|+|-}{m|w|r|s|c|x|d|0}+
-        &lt;control&gt; ::= [stop | continue | break]
+    &lt;access directive&gt; ::= access to &lt;what&gt;
+        [by &lt;who&gt; [&lt;access&gt;] [&lt;control&gt;] ]+
+    &lt;what&gt; ::= * |
+        [dn[.&lt;basic-style&gt;]=&lt;regex&gt; | dn.&lt;scope-style&gt;=&lt;DN&gt;]
+        [filter=&lt;ldapfilter&gt;] [attrs=&lt;attrlist&gt;]
+    &lt;basic-style&gt; ::= regex | exact
+    &lt;scope-style&gt; ::= base | one | subtree | children
+    &lt;attrlist&gt; ::= &lt;attr&gt; [val[.&lt;basic-style&gt;]=&lt;regex&gt;] | &lt;attr&gt; , &lt;attrlist&gt;
+    &lt;attr&gt; ::= &lt;attrname&gt; | entry | children
+    &lt;who&gt; ::= * | [anonymous | users | self
+            | dn[.&lt;basic-style&gt;]=&lt;regex&gt; | dn.&lt;scope-style&gt;=&lt;DN&gt;]
+        [dnattr=&lt;attrname&gt;]
+        [group[/&lt;objectclass&gt;[/&lt;attrname&gt;][.&lt;basic-style&gt;]]=&lt;regex&gt;]
+        [peername[.&lt;basic-style&gt;]=&lt;regex&gt;]
+        [sockname[.&lt;basic-style&gt;]=&lt;regex&gt;]
+        [domain[.&lt;basic-style&gt;]=&lt;regex&gt;]
+        [sockurl[.&lt;basic-style&gt;]=&lt;regex&gt;]
+        [set=&lt;setspec&gt;]
+        [aci=&lt;attrname&gt;]
+    &lt;access&gt; ::= [self]{&lt;level&gt;|&lt;priv&gt;}
+    &lt;level&gt; ::= none | disclose | auth | compare | search | read | write | manage
+    &lt;priv&gt; ::= {=|+|-}{m|w|r|s|c|x|d|0}+
+    &lt;control&gt; ::= [stop | continue | break]
 </PRE>
 <P>where the &lt;what&gt; part selects the entries and/or attributes to which the access applies, the <TT>&lt;who&gt;</TT> part specifies which entities are granted access, and the <TT>&lt;access&gt;</TT> part specifies the access granted. Multiple <TT>&lt;who&gt; &lt;access&gt; &lt;control&gt;</TT> triplets are supported, allowing many entities to be granted different access to the same set of entries and attributes. Not all of these access control options are described here; for more details see the <EM>slapd.access</EM>(5) man page.</P>
-<H3><A NAME="What to control access to">6.3.1. What to control access to</A></H3>
+<H3><A NAME="What to control access to">7.2.1. What to control access to</A></H3>
 <P>The &lt;what&gt; part of an access specification determines the entries and attributes to which the access control applies.  Entries are commonly selected in two ways: by DN and by filter.  The following qualifiers select entries by DN:</P>
 <PRE>
-        to *
-        to dn[.&lt;basic-style&gt;]=&lt;regex&gt;
-        to dn.&lt;scope-style&gt;=&lt;DN&gt;
+    to *
+    to dn[.&lt;basic-style&gt;]=&lt;regex&gt;
+    to dn.&lt;scope-style&gt;=&lt;DN&gt;
 </PRE>
 <P>The first form is used to select all entries.  The second form may be used to select entries by matching a regular expression against the target entry's <EM>normalized DN</EM>.   (The second form is not discussed further in this document.)  The third form is used to select entries which are within the requested scope of DN.  The &lt;DN&gt; is a string representation of the Distinguished Name, as described in <A HREF="http://www.rfc-editor.org/rfc/rfc4514.txt">RFC4514</A>.</P>
 <P>The scope can be either <TT>base</TT>, <TT>one</TT>, <TT>subtree</TT>, or <TT>children</TT>.  Where <TT>base</TT> matches only the entry with provided DN, <TT>one</TT> matches the entries whose parent is the provided DN, <TT>subtree</TT> matches all entries in the subtree whose root is the provided DN, and <TT>children</TT> matches all entries under the DN (but not the entry named by the DN).</P>
 <P>For example, if the directory contained entries named:</P>
 <PRE>
-        0: o=suffix
-        1: cn=Manager,o=suffix
-        2: ou=people,o=suffix
-        3: uid=kdz,ou=people,o=suffix
-        4: cn=addresses,uid=kdz,ou=people,o=suffix
-        5: uid=hyc,ou=people,o=suffix
+    0: o=suffix
+    1: cn=Manager,o=suffix
+    2: ou=people,o=suffix
+    3: uid=kdz,ou=people,o=suffix
+    4: cn=addresses,uid=kdz,ou=people,o=suffix
+    5: uid=hyc,ou=people,o=suffix
 </PRE>
 <P>Then:</P>
 <UL>
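Review bot: the new 7.1 Introduction has two wording slips: "avenues of attack to your sites security" should be "your site's security", and "describe Access Control Lists in more details" should be "in more detail". Separately, this hunk removes the `<A NAME="The access Configuration Directive">` anchor when the H2 is turned into chapter 7; the hunk at 2527 repoints one `HREF` to the new "Access Control" anchor, so any other `HREF="#The access Configuration Directive"` still present in the guide is now a dead link and should be searched for before this lands.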
@@ -2954,27 +2562,27 @@
 <TT>dn.children=&quot;ou=people,o=suffix&quot;</TT> match 3, 4, and 5.</UL>
 <P>Entries may also be selected using a filter:</P>
 <PRE>
-        to filter=&lt;ldap filter&gt;
+    to filter=&lt;ldap filter&gt;
 </PRE>
 <P>where &lt;ldap filter&gt; is a string representation of an LDAP search filter, as described in <A HREF="http://www.rfc-editor.org/rfc/rfc4515.txt">RFC4515</A>.  For example:</P>
 <PRE>
-        to filter=(objectClass=person)
+    to filter=(objectClass=person)
 </PRE>
 <P>Note that entries may be selected by both DN and filter by including both qualifiers in the &lt;what&gt; clause.</P>
 <PRE>
-        to dn.one=&quot;ou=people,o=suffix&quot; filter=(objectClass=person)
+    to dn.one=&quot;ou=people,o=suffix&quot; filter=(objectClass=person)
 </PRE>
 <P>Attributes within an entry are selected by including a comma-separated list of attribute names in the &lt;what&gt; selector:</P>
 <PRE>
-        attrs=&lt;attribute list&gt;
+    attrs=&lt;attribute list&gt;
 </PRE>
 <P>A specific value of an attribute is selected by using a single attribute name and also using a value selector:</P>
 <PRE>
-        attrs=&lt;attribute&gt; val[.&lt;style&gt;]=&lt;regex&gt;
+    attrs=&lt;attribute&gt; val[.&lt;style&gt;]=&lt;regex&gt;
 </PRE>
 <P>There are two special <EM>pseudo</EM> attributes <TT>entry</TT> and <TT>children</TT>.  To read (and hence return) a target entry, the subject must have <TT>read</TT> access to the target's <EM>entry</EM> attribute.  To add or delete an entry, the subject must have <TT>write</TT> access to the entry's <TT>entry</TT> attribute AND must have <TT>write</TT> access to the entry's parent's <TT>children</TT> attribute.  To rename an entry, the subject must have <TT>write</TT> access to entry's <TT>entry</TT> attribute AND have <TT>write</TT> access to both the old parent's and new parent's <TT>children</TT> attributes.  The complete examples at the end of this section should help clear things up.</P>
 <P>Lastly, there is a special entry selector <TT>&quot;*&quot;</TT> that is used to select any entry.  It is used when no other <TT>&lt;what&gt;</TT> selector has been provided.  It's equivalent to &quot;<TT>dn=.*</TT>&quot;</P>
-<H3><A NAME="Who to grant access to">6.3.2. Who to grant access to</A></H3>
+<H3><A NAME="Who to grant access to">7.2.2. Who to grant access to</A></H3>
 <P>The &lt;who&gt; part identifies the entity or entities being granted access. Note that access is granted to &quot;entities&quot; not &quot;entries.&quot; The following table summarizes entity specifiers:</P>
 <TABLE CLASS="columns" BORDER ALIGN='Center'>
 <CAPTION ALIGN=top>Table 6.3: Access Entity Specifiers</CAPTION>
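Review bot: the heading is renumbered from 6.3.2 to 7.2.2, but the unchanged caption two lines below still reads "Table 6.3: Access Entity Specifiers"; if table numbers follow the chapter, this caption needs to move to the 7.x series, otherwise the renumbering is inconsistent with the heading it sits under.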
@@ -3039,11 +2647,11 @@
 <P>The DN specifier behaves much like &lt;what&gt; clause DN specifiers.</P>
 <P>Other control factors are also supported.  For example, a <TT>&lt;who&gt;</TT> can be restricted by an entry listed in a DN-valued attribute in the entry to which the access applies:</P>
 <PRE>
-        dnattr=&lt;dn-valued attribute name&gt;
+    dnattr=&lt;dn-valued attribute name&gt;
 </PRE>
 <P>The dnattr specification is used to give access to an entry whose DN is listed in an attribute of the entry (e.g., give access to a group entry to whoever is listed as the owner of the group entry).</P>
 <P>Some factors may not be appropriate in all environments (or any). For example, the domain factor relies on IP to domain name lookups. As these can easily be spoofed, the domain factor should be avoided.</P>
-<H3><A NAME="The access to grant">6.3.3. The access to grant</A></H3>
+<H3><A NAME="The access to grant">7.2.3. The access to grant</A></H3>
 <P>The kind of &lt;access&gt; granted can be one of the following:</P>
 <TABLE CLASS="columns" BORDER ALIGN='Center'>
 <CAPTION ALIGN=top>Table 6.4: Access Levels</CAPTION>
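Review bot: same numbering mismatch as in the previous hunk: the heading becomes 7.2.3 while the caption directly below keeps "Table 6.4: Access Levels".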
@@ -3060,10 +2668,10 @@
 </TR>
 <TR>
 <TD ALIGN='Left'>
-<TT>none</TT>
+<TT>none        =</TT>
 </TD>
 <TD ALIGN='Right'>
-<TT>=0</TT>
+<TT>0</TT>
 </TD>
 <TD ALIGN='Left'>
 no access
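Review bot: moving the `=` out of the privilege cell into the level cell (`<TT>none        =</TT>` / `<TT>0</TT>`) reads worse in the rendered HTML and no longer matches the grammar: the run of spaces inside `<TT>` collapses to a single space, so the `=` dangles after the level name, and in the `<priv>` production shown above (`{=|+|-}{m|w|r|s|c|x|d|0}+`) the `=` is part of the privilege string, not of the level name. Keep `=0`, `=d`, `=dx`, ... in the right-hand column (or give the `=` its own column) rather than padding with spaces; the same applies to the seven rows changed the same way below.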
@@ -3071,10 +2679,10 @@
 </TR>
 <TR>
 <TD ALIGN='Left'>
-<TT>disclose</TT>
+<TT>disclose    =</TT>
 </TD>
 <TD ALIGN='Right'>
-<TT>=d</TT>
+<TT>d</TT>
 </TD>
 <TD ALIGN='Left'>
 needed for information disclosure on error
@@ -3082,10 +2690,10 @@
 </TR>
 <TR>
 <TD ALIGN='Left'>
-<TT>auth</TT>
+<TT>auth        =</TT>
 </TD>
 <TD ALIGN='Right'>
-<TT>=dx</TT>
+<TT>dx</TT>
 </TD>
 <TD ALIGN='Left'>
 needed to authenticate (bind)
@@ -3093,10 +2701,10 @@
 </TR>
 <TR>
 <TD ALIGN='Left'>
-<TT>compare</TT>
+<TT>compare     =</TT>
 </TD>
 <TD ALIGN='Right'>
-<TT>=cdx</TT>
+<TT>cdx</TT>
 </TD>
 <TD ALIGN='Left'>
 needed to compare
@@ -3104,10 +2712,10 @@
 </TR>
 <TR>
 <TD ALIGN='Left'>
-<TT>search</TT>
+<TT>search      =</TT>
 </TD>
 <TD ALIGN='Right'>
-<TT>=scdx</TT>
+<TT>scdx</TT>
 </TD>
 <TD ALIGN='Left'>
 needed to apply search filters
@@ -3115,10 +2723,10 @@
 </TR>
 <TR>
 <TD ALIGN='Left'>
-<TT>read</TT>
+<TT>read        =</TT>
 </TD>
 <TD ALIGN='Right'>
-<TT>=rscdx</TT>
+<TT>rscdx</TT>
 </TD>
 <TD ALIGN='Left'>
 needed to read search results
@@ -3126,10 +2734,10 @@
 </TR>
 <TR>
 <TD ALIGN='Left'>
-<TT>write</TT>
+<TT>write       =</TT>
 </TD>
 <TD ALIGN='Right'>
-<TT>=wrscdx</TT>
+<TT>wrscdx</TT>
 </TD>
 <TD ALIGN='Left'>
 needed to modify/rename
@@ -3137,10 +2745,10 @@
 </TR>
 <TR>
 <TD ALIGN='Left'>
-<TT>manage</TT>
+<TT>manage      =</TT>
 </TD>
 <TD ALIGN='Right'>
-<TT>=mwrscdx</TT>
+<TT>mwrscdx</TT>
 </TD>
 <TD ALIGN='Left'>
 needed to manage
@@ -3149,61 +2757,61 @@
 </TABLE>
 
 <P>Each level implies all lower levels of access. So, for example, granting someone <TT>write</TT> access to an entry also grants them <TT>read</TT>, <TT>search</TT>, <TT>compare</TT>, <TT>auth</TT> and <TT>disclose</TT> access.  However, one may use the privileges specifier to grant specific permissions.</P>
-<H3><A NAME="Access Control Evaluation">6.3.4. Access Control Evaluation</A></H3>
+<H3><A NAME="Access Control Evaluation">7.2.4. Access Control Evaluation</A></H3>
 <P>When evaluating whether some requester should be given access to an entry and/or attribute, slapd compares the entry and/or attribute to the <TT>&lt;what&gt;</TT> selectors given in the configuration file. For each entry, access controls provided in the database which holds the entry (or the first database if not held in any database) apply first, followed by the global access directives.  Within this priority, access directives are examined in the order in which they appear in the config file.  Slapd stops with the first <TT>&lt;what&gt;</TT> selector that matches the entry and/or attribute. The corresponding access directive is the one slapd will use to evaluate access.</P>
 <P>Next, slapd compares the entity requesting access to the <TT>&lt;who&gt;</TT> selectors within the access directive selected above in the order in which they appear. It stops with the first <TT>&lt;who&gt;</TT> selector that matches the requester. This determines the access the entity requesting access has to the entry and/or attribute.</P>
 <P>Finally, slapd compares the access granted in the selected <TT>&lt;access&gt;</TT> clause to the access requested by the client. If it allows greater or equal access, access is granted. Otherwise, access is denied.</P>
 <P>The order of evaluation of access directives makes their placement in the configuration file important. If one access directive is more specific than another in terms of the entries it selects, it should appear first in the config file. Similarly, if one <TT>&lt;who&gt;</TT> selector is more specific than another it should come first in the access directive. The access control examples given below should help make this clear.</P>
-<H3><A NAME="Access Control Examples">6.3.5. Access Control Examples</A></H3>
+<H3><A NAME="Access Control Examples">7.2.5. Access Control Examples</A></H3>
 <P>The access control facility described above is quite powerful.  This section shows some examples of its use for descriptive purposes.</P>
 <P>A simple example:</P>
 <PRE>
-        access to * by * read
+    access to * by * read
 </PRE>
 <P>This access directive grants read access to everyone.</P>
 <PRE>
-        access to *
-                by self write
-                by anonymous auth
-                by * read
+    access to *
+        by self write
+        by anonymous auth
+        by * read
 </PRE>
 <P>This directive allows the user to modify their entry, allows anonymous to authentication against these entries, and allows all others to read these entries.  Note that only the first <TT>by &lt;who&gt;</TT> clause which matches applies.  Hence, the anonymous users are granted <TT>auth</TT>, not <TT>read</TT>.  The last clause could just as well have been &quot;<TT>by users read</TT>&quot;.</P>
 <P>It is often desirable to restrict operations based upon the level of protection in place.  The following shows how security strength factors (SSF) can be used.</P>
 <PRE>
-        access to *
-                by ssf=128 self write
-                by ssf=64 anonymous auth
-                by ssf=64 users read
+    access to *
+        by ssf=128 self write
+        by ssf=64 anonymous auth
+        by ssf=64 users read
 </PRE>
 <P>This directive allows users to modify their own entries if security protections have of strength 128 or better have been established, allows authentication access to anonymous users, and read access when 64 or better security protections have been established.  If client has not establish sufficient security protections, the implicit <TT>by * none</TT> clause would be applied.</P>
 <P>The following example shows the use of a style specifiers to select the entries by DN in two access directives where ordering is significant.</P>
 <PRE>
-        access to dn.children=&quot;dc=example,dc=com&quot;
-                by * search
-        access to dn.children=&quot;dc=com&quot;
-                by * read
+    access to dn.children=&quot;dc=example,dc=com&quot;
+         by * search
+    access to dn.children=&quot;dc=com&quot;
+         by * read
 </PRE>
 <P>Read access is granted to entries under the <TT>dc=com</TT> subtree, except for those entries under the <TT>dc=example,dc=com</TT> subtree, to which search access is granted.  No access is granted to <TT>dc=com</TT> as neither access directive matches this DN.  If the order of these access directives was reversed, the trailing directive would never be reached, since all entries under <TT>dc=example,dc=com</TT> are also under <TT>dc=com</TT> entries.</P>
 <P>Also note that if no <TT>access to</TT> directive matches or no <TT>by &lt;who&gt;</TT> clause, <B>access is denied</B>.  That is, every <TT>access to</TT> directive ends with an implicit <TT>by * none</TT> clause and every access list ends with an implicit <TT>access to * by * none</TT> directive.</P>
 <P>The next example again shows the importance of ordering, both of the access directives and the <TT>by &lt;who&gt;</TT> clauses.  It also shows the use of an attribute selector to grant access to a specific attribute and various <TT>&lt;who&gt;</TT> selectors.</P>
 <PRE>
-        access to dn.subtree=&quot;dc=example,dc=com&quot; attrs=homePhone
-                by self write
-                by dn.children=&quot;dc=example,dc=com&quot; search
-                by peername.regex=IP:10\..+ read
-        access to dn.subtree=&quot;dc=example,dc=com&quot;
-                by self write
-                by dn.children=&quot;dc=example,dc=com&quot; search
-                by anonymous auth
+    access to dn.subtree=&quot;dc=example,dc=com&quot; attrs=homePhone
+        by self write
+        by dn.children=&quot;dc=example,dc=com&quot; search
+        by peername.regex=IP:10\..+ read
+    access to dn.subtree=&quot;dc=example,dc=com&quot;
+        by self write
+        by dn.children=&quot;dc=example,dc=com&quot; search
+        by anonymous auth
 </PRE>
 <P>This example applies to entries in the &quot;<TT>dc=example,dc=com</TT>&quot; subtree. To all attributes except <TT>homePhone</TT>, an entry can write to itself, entries under <TT>example.com</TT> entries can search by them, anybody else has no access (implicit <TT>by * none</TT>) excepting for authentication/authorization (which is always done anonymously).  The <TT>homePhone</TT> attribute is writable by the entry, searchable by entries under <TT>example.com</TT>, readable by clients connecting from network 10, and otherwise not readable (implicit <TT>by * none</TT>).  All other access is denied by the implicit <TT>access to * by * none</TT>.</P>
 <P>Sometimes it is useful to permit a particular DN to add or remove itself from an attribute. For example, if you would like to create a group and allow people to add and remove only their own DN from the member attribute, you could accomplish it with an access directive like this:</P>
 <PRE>
-        access to attrs=member,entry
-                by dnattr=member selfwrite
+    access to attrs=member,entry
+         by dnattr=member selfwrite
 </PRE>
 <P>The dnattr <TT>&lt;who&gt;</TT> selector says that the access applies to entries listed in the <TT>member</TT> attribute. The <TT>selfwrite</TT> access selector says that such members can only add or delete their own DN from the attribute, not other values. The addition of the entry attribute is required because access to the entry is required to access any of the entry's attributes.</P>
-<H2><A NAME="Configuration File Example">6.4. Configuration File Example</A></H2>
+<H3><A NAME="Configuration File Example">7.2.6. Configuration File Example</A></H3>
 <P>The following is an example configuration file, interspersed with explanatory text. It defines two databases to handle different parts of the <TERM>X.500</TERM> tree; both are <TERM>BDB</TERM> database instances. The line numbers shown are provided for reference only and are not included in the actual file. First, the global configuration section:</P>
 <PRE>
   1.    # example config file - global configuration section
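Review bot: the re-indented ACL examples are not consistent within this hunk: the `by` clauses under `access to dn.children=&quot;dc=example,dc=com&quot;` and under `access to attrs=member,entry` are indented nine spaces (`+         by * search`, `+         by dnattr=member selfwrite`) while every other re-indented example uses eight (`+        by self write`); since the hunk is a whitespace normalisation, make all of them eight. While this paragraph is being touched, the unchanged explanation of the SSF example still reads "if security protections have of strength 128 or better have been established" and "If client has not establish sufficient security protections"; the copy of the same sentence added for the dynamic-configuration chapter already corrects the first phrase to "security protections of strength 128 or better", so the slapd.conf copy should get the same fix plus "has not established".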
@@ -3227,14 +2835,14 @@
  14.    index objectClass eq
  15.    # database access control definitions
  16.    access to attrs=userPassword
- 17.            by self write
- 18.            by anonymous auth
- 19.            by dn.base=&quot;cn=Admin,dc=example,dc=com&quot; write
- 20.            by * none
+ 17.        by self write
+ 18.        by anonymous auth
+ 19.        by dn.base=&quot;cn=Admin,dc=example,dc=com&quot; write
+ 20.        by * none
  21.    access to *
- 22.            by self write
- 23.            by dn.base=&quot;cn=Admin,dc=example,dc=com&quot; write
- 24.            by * read
+ 22.        by self write
+ 23.        by dn.base=&quot;cn=Admin,dc=example,dc=com&quot; write
+ 24.        by * read
 </PRE>
 <P>Line 5 is a comment. The start of the database definition is marked by the database keyword on line 6. Line 7 specifies the DN suffix for queries to pass to this database. Line 8 specifies the directory in which the database files will live.</P>
 <P>Lines 9 and 10 identify the database <EM>super-user</EM> entry and associated password. This entry is not subject to access control or size or time limit restrictions.</P>
@@ -3250,11 +2858,843 @@
  38.    index objectClass eq
  39.    access to * by users read
 </PRE>
+<H2><A NAME="Access Control via Dynamic Configuration">7.3. Access Control via Dynamic Configuration</A></H2>
+<P>Access to slapd entries and attributes is controlled by the olcAccess attribute, whose values are a sequence of access directives. The general form of the olcAccess configuration is:</P>
+<PRE>
+    olcAccess: &lt;access directive&gt;
+    &lt;access directive&gt; ::= to &lt;what&gt;
+        [by &lt;who&gt; [&lt;access&gt;] [&lt;control&gt;] ]+
+    &lt;what&gt; ::= * |
+        [dn[.&lt;basic-style&gt;]=&lt;regex&gt; | dn.&lt;scope-style&gt;=&lt;DN&gt;]
+        [filter=&lt;ldapfilter&gt;] [attrs=&lt;attrlist&gt;]
+    &lt;basic-style&gt; ::= regex | exact
+    &lt;scope-style&gt; ::= base | one | subtree | children
+    &lt;attrlist&gt; ::= &lt;attr&gt; [val[.&lt;basic-style&gt;]=&lt;regex&gt;] | &lt;attr&gt; , &lt;attrlist&gt;
+    &lt;attr&gt; ::= &lt;attrname&gt; | entry | children
+    &lt;who&gt; ::= * | [anonymous | users | self
+            | dn[.&lt;basic-style&gt;]=&lt;regex&gt; | dn.&lt;scope-style&gt;=&lt;DN&gt;]
+        [dnattr=&lt;attrname&gt;]
+        [group[/&lt;objectclass&gt;[/&lt;attrname&gt;][.&lt;basic-style&gt;]]=&lt;regex&gt;]
+        [peername[.&lt;basic-style&gt;]=&lt;regex&gt;]
+        [sockname[.&lt;basic-style&gt;]=&lt;regex&gt;]
+        [domain[.&lt;basic-style&gt;]=&lt;regex&gt;]
+        [sockurl[.&lt;basic-style&gt;]=&lt;regex&gt;]
+        [set=&lt;setspec&gt;]
+        [aci=&lt;attrname&gt;]
+    &lt;access&gt; ::= [self]{&lt;level&gt;|&lt;priv&gt;}
+    &lt;level&gt; ::= none | disclose | auth | compare | search | read | write | manage
+    &lt;priv&gt; ::= {=|+|-}{m|w|r|s|c|x|d|0}+
+    &lt;control&gt; ::= [stop | continue | break]
+</PRE>
+<P>where the &lt;what&gt; part selects the entries and/or attributes to which the access applies, the <TT>&lt;who&gt;</TT> part specifies which entities are granted access, and the <TT>&lt;access&gt;</TT> part specifies the access granted. Multiple <TT>&lt;who&gt; &lt;access&gt; &lt;control&gt;</TT> triplets are supported, allowing many entities to be granted different access to the same set of entries and attributes. Not all of these access control options are described here; for more details see the <EM>slapd.access</EM>(5) man page.</P>
+<H3><A NAME="What to control access to">7.3.1. What to control access to</A></H3>
+<P>The &lt;what&gt; part of an access specification determines the entries and attributes to which the access control applies.  Entries are commonly selected in two ways: by DN and by filter.  The following qualifiers select entries by DN:</P>
+<PRE>
+    to *
+    to dn[.&lt;basic-style&gt;]=&lt;regex&gt;
+    to dn.&lt;scope-style&gt;=&lt;DN&gt;
+</PRE>
+<P>The first form is used to select all entries.  The second form may be used to select entries by matching a regular expression against the target entry's <EM>normalized DN</EM>.   (The second form is not discussed further in this document.)  The third form is used to select entries which are within the requested scope of DN.  The &lt;DN&gt; is a string representation of the Distinguished Name, as described in <A HREF="http://www.rfc-editor.org/rfc/rfc4514.txt">RFC4514</A>.</P>
+<P>The scope can be either <TT>base</TT>, <TT>one</TT>, <TT>subtree</TT>, or <TT>children</TT>.  Where <TT>base</TT> matches only the entry with provided DN, <TT>one</TT> matches the entries whose parent is the provided DN, <TT>subtree</TT> matches all entries in the subtree whose root is the provided DN, and <TT>children</TT> matches all entries under the DN (but not the entry named by the DN).</P>
+<P>For example, if the directory contained entries named:</P>
+<PRE>
+    0: o=suffix
+    1: cn=Manager,o=suffix
+    2: ou=people,o=suffix
+    3: uid=kdz,ou=people,o=suffix
+    4: cn=addresses,uid=kdz,ou=people,o=suffix
+    5: uid=hyc,ou=people,o=suffix
+</PRE>
+<P>Then:</P>
+<UL>
+<TT>dn.base=&quot;ou=people,o=suffix&quot;</TT> match 2;
+<BR>
+<TT>dn.one=&quot;ou=people,o=suffix&quot;</TT> match 3, and 5;
+<BR>
+<TT>dn.subtree=&quot;ou=people,o=suffix&quot;</TT> match 2, 3, 4, and 5; and
+<BR>
+<TT>dn.children=&quot;ou=people,o=suffix&quot;</TT> match 3, 4, and 5.</UL>
+<P>Entries may also be selected using a filter:</P>
+<PRE>
+    to filter=&lt;ldap filter&gt;
+</PRE>
+<P>where &lt;ldap filter&gt; is a string representation of an LDAP search filter, as described in <A HREF="http://www.rfc-editor.org/rfc/rfc4515.txt">RFC4515</A>.  For example:</P>
+<PRE>
+    to filter=(objectClass=person)
+</PRE>
+<P>Note that entries may be selected by both DN and filter by including both qualifiers in the &lt;what&gt; clause.</P>
+<PRE>
+    to dn.one=&quot;ou=people,o=suffix&quot; filter=(objectClass=person)
+</PRE>
+<P>Attributes within an entry are selected by including a comma-separated list of attribute names in the &lt;what&gt; selector:</P>
+<PRE>
+    attrs=&lt;attribute list&gt;
+</PRE>
+<P>A specific value of an attribute is selected by using a single attribute name and also using a value selector:</P>
+<PRE>
+    attrs=&lt;attribute&gt; val[.&lt;style&gt;]=&lt;regex&gt;
+</PRE>
+<P>There are two special <EM>pseudo</EM> attributes <TT>entry</TT> and <TT>children</TT>.  To read (and hence return) a target entry, the subject must have <TT>read</TT> access to the target's <EM>entry</EM> attribute.  To add or delete an entry, the subject must have <TT>write</TT> access to the entry's <TT>entry</TT> attribute AND must have <TT>write</TT> access to the entry's parent's <TT>children</TT> attribute.  To rename an entry, the subject must have <TT>write</TT> access to entry's <TT>entry</TT> attribute AND have <TT>write</TT> access to both the old parent's and new parent's <TT>children</TT> attributes.  The complete examples at the end of this section should help clear things up.</P>
+<P>Lastly, there is a special entry selector <TT>&quot;*&quot;</TT> that is used to select any entry.  It is used when no other <TT>&lt;what&gt;</TT> selector has been provided.  It's equivalent to &quot;<TT>dn=.*</TT>&quot;</P>
+<H3><A NAME="Who to grant access to">7.3.2. Who to grant access to</A></H3>
+<P>The &lt;who&gt; part identifies the entity or entities being granted access. Note that access is granted to &quot;entities&quot; not &quot;entries.&quot; The following table summarizes entity specifiers:</P>
+<TABLE CLASS="columns" BORDER ALIGN='Center'>
+<CAPTION ALIGN=top>Table 5.3: Access Entity Specifiers</CAPTION>
+<TR CLASS="heading">
+<TD>
+<STRONG>Specifier</STRONG>
+</TD>
+<TD>
+<STRONG>Entities</STRONG>
+</TD>
+</TR>
+<TR>
+<TD>
+<TT>*</TT>
+</TD>
+<TD>
+All, including anonymous and authenticated users
+</TD>
+</TR>
+<TR>
+<TD>
+<TT>anonymous</TT>
+</TD>
+<TD>
+Anonymous (non-authenticated) users
+</TD>
+</TR>
+<TR>
+<TD>
+<TT>users</TT>
+</TD>
+<TD>
+Authenticated users
+</TD>
+</TR>
+<TR>
+<TD>
+<TT>self</TT>
+</TD>
+<TD>
+User associated with target entry
+</TD>
+</TR>
+<TR>
+<TD>
+<TT>dn[.&lt;basic-style&gt;]=&lt;regex&gt;</TT>
+</TD>
+<TD>
+Users matching a regular expression
+</TD>
+</TR>
+<TR>
+<TD>
+<TT>dn.&lt;scope-style&gt;=&lt;DN&gt;</TT>
+</TD>
+<TD>
+Users within scope of a DN
+</TD>
+</TR>
+</TABLE>
+
+<P>The DN specifier behaves much like &lt;what&gt; clause DN specifiers.</P>
+<P>Other control factors are also supported.  For example, a <TT>&lt;who&gt;</TT> can be restricted by an entry listed in a DN-valued attribute in the entry to which the access applies:</P>
+<PRE>
+    dnattr=&lt;dn-valued attribute name&gt;
+</PRE>
+<P>The dnattr specification is used to give access to an entry whose DN is listed in an attribute of the entry (e.g., give access to a group entry to whoever is listed as the owner of the group entry).</P>
+<P>Some factors may not be appropriate in all environments (or any). For example, the domain factor relies on IP to domain name lookups. As these can easily be spoofed, the domain factor should be avoided.</P>
+<H3><A NAME="The access to grant">7.3.3. The access to grant</A></H3>
+<P>The kind of &lt;access&gt; granted can be one of the following:</P>
+<TABLE CLASS="columns" BORDER ALIGN='Center'>
+<CAPTION ALIGN=top>Table 5.4: Access Levels</CAPTION>
+<TR CLASS="heading">
+<TD ALIGN='Left'>
+<STRONG>Level</STRONG>
+</TD>
+<TD ALIGN='Right'>
+<STRONG>Privileges</STRONG>
+</TD>
+<TD ALIGN='Left'>
+<STRONG>Description</STRONG>
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Left'>
+<TT>none</TT>
+</TD>
+<TD ALIGN='Right'>
+<TT>=0</TT>
+</TD>
+<TD ALIGN='Left'>
+no access
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Left'>
+<TT>disclose</TT>
+</TD>
+<TD ALIGN='Right'>
+<TT>=d</TT>
+</TD>
+<TD ALIGN='Left'>
+needed for information disclosure on error
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Left'>
+<TT>auth</TT>
+</TD>
+<TD ALIGN='Right'>
+<TT>=dx</TT>
+</TD>
+<TD ALIGN='Left'>
+needed to authenticate (bind)
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Left'>
+<TT>compare</TT>
+</TD>
+<TD ALIGN='Right'>
+<TT>=cdx</TT>
+</TD>
+<TD ALIGN='Left'>
+needed to compare
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Left'>
+<TT>search</TT>
+</TD>
+<TD ALIGN='Right'>
+<TT>=scdx</TT>
+</TD>
+<TD ALIGN='Left'>
+needed to apply search filters
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Left'>
+<TT>read</TT>
+</TD>
+<TD ALIGN='Right'>
+<TT>=rscdx</TT>
+</TD>
+<TD ALIGN='Left'>
+needed to read search results
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Left'>
+<TT>write</TT>
+</TD>
+<TD ALIGN='Right'>
+<TT>=wrscdx</TT>
+</TD>
+<TD ALIGN='Left'>
+needed to modify/rename
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Left'>
+<TT>manage</TT>
+</TD>
+<TD ALIGN='Right'>
+<TT>=mwrscdx</TT>
+</TD>
+<TD ALIGN='Left'>
+needed to manage
+</TD>
+</TR>
+</TABLE>
+
+<P>Each level implies all lower levels of access. So, for example, granting someone <TT>write</TT> access to an entry also grants them <TT>read</TT>, <TT>search</TT>, <TT>compare</TT>, <TT>auth</TT> and <TT>disclose</TT> access.  However, one may use the privileges specifier to grant specific permissions.</P>
+<H3><A NAME="Access Control Evaluation">7.3.4. Access Control Evaluation</A></H3>
+<P>When evaluating whether some requester should be given access to an entry and/or attribute, slapd compares the entry and/or attribute to the <TT>&lt;what&gt;</TT> selectors given in the configuration.  For each entry, access controls provided in the database which holds the entry (or the first database if not held in any database) apply first, followed by the global access directives (which are held in the <TT>frontend</TT> database definition).  Within this priority, access directives are examined in the order in which they appear in the configuration attribute.  Slapd stops with the first <TT>&lt;what&gt;</TT> selector that matches the entry and/or attribute. The corresponding access directive is the one slapd will use to evaluate access.</P>
+<P>Next, slapd compares the entity requesting access to the <TT>&lt;who&gt;</TT> selectors within the access directive selected above in the order in which they appear. It stops with the first <TT>&lt;who&gt;</TT> selector that matches the requester. This determines the access the entity requesting access has to the entry and/or attribute.</P>
+<P>Finally, slapd compares the access granted in the selected <TT>&lt;access&gt;</TT> clause to the access requested by the client. If it allows greater or equal access, access is granted. Otherwise, access is denied.</P>
+<P>The order of evaluation of access directives makes their placement in the configuration file important. If one access directive is more specific than another in terms of the entries it selects, it should appear first in the configuration. Similarly, if one <TT>&lt;who&gt;</TT> selector is more specific than another it should come first in the access directive. The access control examples given below should help make this clear.</P>
+<H3><A NAME="Access Control Examples">7.3.5. Access Control Examples</A></H3>
+<P>The access control facility described above is quite powerful.  This section shows some examples of its use for descriptive purposes.</P>
+<P>A simple example:</P>
+<PRE>
+    olcAccess: to * by * read
+</PRE>
+<P>This access directive grants read access to everyone.</P>
+<PRE>
+    olcAccess: to *
+        by self write
+        by anonymous auth
+        by * read
+</PRE>
+<P>This directive allows the user to modify their entry, allows anonymous to authenticate against these entries, and allows all others to read these entries.  Note that only the first <TT>by &lt;who&gt;</TT> clause which matches applies.  Hence, the anonymous users are granted <TT>auth</TT>, not <TT>read</TT>.  The last clause could just as well have been &quot;<TT>by users read</TT>&quot;.</P>
+<P>It is often desirable to restrict operations based upon the level of protection in place.  The following shows how security strength factors (SSF) can be used.</P>
+<PRE>
+    olcAccess: to *
+        by ssf=128 self write
+        by ssf=64 anonymous auth
+        by ssf=64 users read
+</PRE>
+<P>This directive allows users to modify their own entries if security protections of strength 128 or better have been established, allows authentication access to anonymous users, and read access when strength 64 or better security protections have been established.  If the client has not establish sufficient security protections, the implicit <TT>by * none</TT> clause would be applied.</P>
+<P>The following example shows the use of style specifiers to select the entries by DN in two access directives where ordering is significant.</P>
+<PRE>
+    olcAccess: to dn.children=&quot;dc=example,dc=com&quot;
+         by * search
+    olcAccess: to dn.children=&quot;dc=com&quot;
+         by * read
+</PRE>
+<P>Read access is granted to entries under the <TT>dc=com</TT> subtree, except for those entries under the <TT>dc=example,dc=com</TT> subtree, to which search access is granted.  No access is granted to <TT>dc=com</TT> as neither access directive matches this DN.  If the order of these access directives was reversed, the trailing directive would never be reached, since all entries under <TT>dc=example,dc=com</TT> are also under <TT>dc=com</TT> entries.</P>
+<P>Also note that if no <TT>olcAccess: to</TT> directive matches or no <TT>by &lt;who&gt;</TT> clause, <B>access is denied</B>.  That is, every <TT>olcAccess: to</TT> directive ends with an implicit <TT>by * none</TT> clause and every access list ends with an implicit <TT>olcAccess: to * by * none</TT> directive.</P>
+<P>The next example again shows the importance of ordering, both of the access directives and the <TT>by &lt;who&gt;</TT> clauses.  It also shows the use of an attribute selector to grant access to a specific attribute and various <TT>&lt;who&gt;</TT> selectors.</P>
+<PRE>
+    olcAccess: to dn.subtree=&quot;dc=example,dc=com&quot; attrs=homePhone
+        by self write
+        by dn.children=dc=example,dc=com&quot; search
+        by peername.regex=IP:10\..+ read
+    olcAccess: to dn.subtree=&quot;dc=example,dc=com&quot;
+        by self write
+        by dn.children=&quot;dc=example,dc=com&quot; search
+        by anonymous auth
+</PRE>
+<P>This example applies to entries in the &quot;<TT>dc=example,dc=com</TT>&quot; subtree. To all attributes except <TT>homePhone</TT>, an entry can write to itself, entries under <TT>example.com</TT> entries can search by them, anybody else has no access (implicit <TT>by * none</TT>) excepting for authentication/authorization (which is always done anonymously).  The <TT>homePhone</TT> attribute is writable by the entry, searchable by entries under <TT>example.com</TT>, readable by clients connecting from network 10, and otherwise not readable (implicit <TT>by * none</TT>).  All other access is denied by the implicit <TT>access to * by * none</TT>.</P>
+<P>Sometimes it is useful to permit a particular DN to add or remove itself from an attribute. For example, if you would like to create a group and allow people to add and remove only their own DN from the member attribute, you could accomplish it with an access directive like this:</P>
+<PRE>
+    olcAccess: to attrs=member,entry
+         by dnattr=member selfwrite
+</PRE>
+<P>The dnattr <TT>&lt;who&gt;</TT> selector says that the access applies to entries listed in the <TT>member</TT> attribute. The <TT>selfwrite</TT> access selector says that such members can only add or delete their own DN from the attribute, not other values. The addition of the entry attribute is required because access to the entry is required to access any of the entry's attributes.</P>
+<H3><A NAME="Access Control Ordering">7.3.6. Access Control Ordering</A></H3>
+<P>Since the ordering of <TT>olcAccess</TT> directives is essential to their proper evaluation, but LDAP attributes normally do not preserve the ordering of their values, OpenLDAP uses a custom schema extension to maintain a fixed ordering of these values. This ordering is maintained by prepending a <TT>&quot;{X}&quot;</TT> numeric index to each value, similarly to the approach used for ordering the configuration entries. These index tags are maintained automatically by slapd and do not need to be specified when originally defining the values. For example, when you create the settings</P>
+<PRE>
+    olcAccess: to attrs=member,entry
+         by dnattr=member selfwrite
+    olcAccess: to dn.children=&quot;dc=example,dc=com&quot;
+         by * search
+    olcAccess: to dn.children=&quot;dc=com&quot;
+         by * read
+</PRE>
+<P>when you read them back using slapcat or ldapsearch they will contain</P>
+<PRE>
+    olcAccess: {0}to attrs=member,entry
+         by dnattr=member selfwrite
+    olcAccess: {1}to dn.children=&quot;dc=example,dc=com&quot;
+         by * search
+    olcAccess: {2}to dn.children=&quot;dc=com&quot;
+         by * read
+</PRE>
+<P>The numeric index may be used to specify a particular value to change when using ldapmodify to edit the access rules. This index can be used instead of (or in addition to) the actual access value. Using this numeric index is very helpful when multiple access rules are being managed.</P>
+<P>For example, if we needed to change the second rule above to grant write access instead of search, we could try this LDIF:</P>
+<PRE>
+    changetype: modify
+    delete: olcAccess
+    olcAccess: to dn.children=&quot;dc=example,dc=com&quot; by * search
+    -
+    add: olcAccess
+    olcAccess: to dn.children=&quot;dc=example,dc=com&quot; by * write
+    -
+</PRE>
+<P>But this example <B>will not</B> guarantee that the existing values remain in their original order, so it will most likely yield a broken security configuration. Instead, the numeric index should be used:</P>
+<PRE>
+    changetype: modify
+    delete: olcAccess
+    olcAccess: {1}
+    -
+    add: olcAccess
+    olcAccess: {1}to dn.children=&quot;dc=example,dc=com&quot; by * write
+    -
+</PRE>
+<P>This example deletes whatever rule is in value #1 of the <TT>olcAccess</TT> attribute (regardless of its value) and adds a new value that is explicitly inserted as value #1. The result will be</P>
+<PRE>
+    olcAccess: {0}to attrs=member,entry
+         by dnattr=member selfwrite
+    olcAccess: {1}to dn.children=&quot;dc=example,dc=com&quot;
+         by * write
+    olcAccess: {2}to dn.children=&quot;dc=com&quot;
+         by * read
+</PRE>
+<P>which is exactly what was intended.</P>
+<H3><A NAME="Configuration Example">7.3.7. Configuration Example</A></H3>
+<P>The following is an example configuration, interspersed with explanatory text. It defines two databases to handle different parts of the <TERM>X.500</TERM> tree; both are <TERM>BDB</TERM> database instances. The line numbers shown are provided for reference only and are not included in the actual file. First, the global configuration section:</P>
+<PRE>
+  1.    # example config file - global configuration entry
+  2.    dn: cn=config
+  3.    objectClass: olcGlobal
+  4.    cn: config
+  5.    olcReferral: ldap://root.openldap.org
+  6.
+</PRE>
+<P>Line 1 is a comment. Lines 2-4 identify this as the global configuration entry. The <TT>olcReferral:</TT> directive on line 5 means that queries not local to one of the databases defined below will be referred to the LDAP server running on the standard port (389) at the host <TT>root.openldap.org</TT>. Line 6 is a blank line, indicating the end of this entry.</P>
+<PRE>
+  7.    # internal schema
+  8.    dn: cn=schema,cn=config
+  9.    objectClass: olcSchemaConfig
+ 10.    cn: schema
+ 11.
+</PRE>
+<P>Line 7 is a comment. Lines 8-10 identify this as the root of the schema subtree. The actual schema definitions in this entry are hardcoded into slapd so no additional attributes are specified here. Line 11 is a blank line, indicating the end of this entry.</P>
+<PRE>
+ 12.    # include the core schema
+ 13.    include: file:///usr/local/etc/openldap/schema/core.ldif
+ 14.
+</PRE>
+<P>Line 12 is a comment. Line 13 is an LDIF include directive which accesses the <EM>core</EM> schema definitions in LDIF format. Line 14 is a blank line.</P>
+<P>Next comes the database definitions. The first database is the special <TT>frontend</TT> database whose settings are applied globally to all the other databases.</P>
+<PRE>
+ 15.    # global database parameters
+ 16.    dn: olcDatabase=frontend,cn=config
+ 17.    objectClass: olcDatabaseConfig
+ 18.    olcDatabase: frontend
+ 19.    olcAccess: to * by * read
+ 20.
+</PRE>
+<P>Line 15 is a comment. Lines 16-18 identify this entry as the global database entry. Line 19 is a global access control. It applies to all entries (after any applicable database-specific access controls).</P>
+<P>The next entry defines a BDB backend that will handle queries for things in the &quot;dc=example,dc=com&quot; portion of the tree. Indices are to be maintained for several attributes, and the <TT>userPassword</TT> attribute is to be protected from unauthorized access.</P>
+<PRE>
+ 21.    # BDB definition for example.com
+ 22.    dn: olcDatabase=bdb,cn=config
+ 23.    objectClass: olcDatabaseConfig
+ 24.    objectClass: olcBdbConfig
+ 25.    olcDatabase: bdb
+ 26.    olcSuffix: &quot;dc=example,dc=com&quot;
+ 27.    olcDbDirectory: /usr/local/var/openldap-data
+ 28.    olcRootDN: &quot;cn=Manager,dc=example,dc=com&quot;
+ 29.    olcRootPW: secret
+ 30.    olcDbIndex: uid pres,eq
+ 31.    olcDbIndex: cn,sn,uid pres,eq,approx,sub
+ 32.    olcDbIndex: objectClass eq
+ 33.    olcAccess: to attrs=userPassword
+ 34.      by self write
+ 35.      by anonymous auth
+ 36.      by dn.base=&quot;cn=Admin,dc=example,dc=com&quot; write
+ 37.      by * none
+ 38.    olcAccess: to *
+ 39.      by self write
+ 40.      by dn.base=&quot;cn=Admin,dc=example,dc=com&quot; write
+ 41.      by * read
+ 42.
+</PRE>
+<P>Line 21 is a comment. Lines 22-25 identify this entry as a BDB database configuration entry.  Line 26 specifies the DN suffix for queries to pass to this database. Line 27 specifies the directory in which the database files will live.</P>
+<P>Lines 28 and 29 identify the database <EM>super-user</EM> entry and associated password. This entry is not subject to access control or size or time limit restrictions.</P>
+<P>Lines 30 through 32 indicate the indices to maintain for various attributes.</P>
+<P>Lines 33 through 41 specify access control for entries in this database.  As this is the first database, the controls also apply to entries not held in any database (such as the Root DSE).  For all applicable entries, the <TT>userPassword</TT> attribute is writable by the entry itself and by the &quot;admin&quot; entry.  It may be used for authentication/authorization purposes, but is otherwise not readable. All other attributes are writable by the entry and the &quot;admin&quot; entry, but may be read by all users (authenticated or not).</P>
+<P>Line 42 is a blank line, indicating the end of this entry.</P>
+<P>The next section of the example configuration file defines another BDB database. This one handles queries involving the <TT>dc=example,dc=net</TT> subtree but is managed by the same entity as the first database.  Note that without line 52, the read access would be allowed due to the global access rule at line 19.</P>
+<PRE>
+ 43.    # BDB definition for example.net
+ 44.    dn: olcDatabase=bdb,cn=config
+ 45.    objectClass: olcDatabaseConfig
+ 46.    objectClass: olcBdbConfig
+ 47.    olcDatabase: bdb
+ 48.    olcSuffix: &quot;dc=example,dc=net&quot;
+ 49.    olcDbDirectory: /usr/local/var/openldap-data-net
+ 50.    olcRootDN: &quot;cn=Manager,dc=example,dc=com&quot;
+ 51.    olcDbIndex: objectClass eq
+ 52.    olcAccess: to * by users read
+</PRE>
+<H3><A NAME="Converting from {{slapd.conf}}(5) to a {{B:cn=config}} directory format">7.3.8. Converting from <EM>slapd.conf</EM>(5) to a <B>cn=config</B> directory format</A></H3>
+<P>Discuss slap* -f slapd.conf -F slapd.d/  (man slapd-config)</P>
+<H2><A NAME="Access Control Common Examples">7.4. Access Control Common Examples</A></H2>
+<H3><A NAME="Basic ACLs">7.4.1. Basic ACLs</A></H3>
+<P>Generally one should start with some basic ACLs such as:</P>
+<PRE>
+    access to attr=userPassword
+        by self =xw
+        by anonymous auth
+        by * none
+
+
+      access to *
+        by self write
+        by users read
+        by * none
+</PRE>
+<P>The first ACL allows users to update (but not read) their passwords, anonymous users to authenticate against this attribute, and (implicitly) denying all access to others.</P>
+<P>The second ACL allows users full access to their entry, authenticated users read access to anything, and (implicitly) denying all access to others (in this case, anonymous users).</P>
+<H3><A NAME="Matching Anonymous and Authenticated users">7.4.2. Matching Anonymous and Authenticated users</A></H3>
+<P>An anonymous user has a empty DN. While the <EM>dn.exact=&quot;&quot;</EM> or <EM>dn.regex=&quot;^$&quot;</EM> could be used, <EM>slapd</EM>(8)) offers an anonymous shorthand which should be used instead.</P>
+<PRE>
+    access to *
+      by anonymous none
+      by * read
+</PRE>
+<P>denies all access to anonymous users while granting others read.</P>
+<P>Authenticated users have a subject DN. While <EM>dn.regex=&quot;.+&quot;</EM> will match any authenticated user, OpenLDAP provides the users short hand which should be used instead.</P>
+<PRE>
+    access to *
+      by users read
+      by * none
+</PRE>
+<P>This ACL grants read permissions to authenticated users while denying others (i.e.: anonymous users).</P>
+<H3><A NAME="Controlling rootdn access">7.4.3. Controlling rootdn access</A></H3>
+<P>You could specify the <EM>rootdn</EM> in <EM>slapd.conf</EM>(5) or {[slapd.d}} without specifying a <EM>rootpw</EM>. Then you have to add an actual directory entry with the same dn, e.g.:</P>
+<PRE>
+    dn: cn=Manager,o=MyOrganization
+    cn: Manager
+    sn: Manager
+    objectClass: person
+    objectClass: top
+    userPassword: {SSHA}someSSHAdata
+</PRE>
+<P>Then binding as the <EM>rootdn</EM> will require a regular bind to that DN, which in turn requires auth access to that entry's DN and <EM>userPassword</EM>, and this can be restricted via ACLs. E.g.:</P>
+<PRE>
+    access to dn.base=&quot;cn=Manager,o=MyOrganization&quot;
+      by peername.regex=127\.0\.0\.1 auth
+      by peername.regex=192\.168\.0\..* auth
+      by users none
+      by * none
+</PRE>
+<P>The ACLs above will only allow binding using rootdn from localhost and 192.168.0.0/24.</P>
+<H3><A NAME="Managing access with Groups">7.4.4. Managing access with Groups</A></H3>
+<P>There are a few ways to do this. One approach is illustrated here. Consider the following DIT layout:</P>
+<PRE>
+    +-dc=example,dc=com
+    +---cn=administrators,dc=example,dc=com
+    +---cn=fred blogs,dc=example,dc=com
+</PRE>
+<P>and the following group object (in LDIF format):</P>
+<PRE>
+    dn: cn=administrators,dc=example,dc=com
+    cn: administrators of this region
+    objectclass: groupOfNames  (important for the group acl feature)
+    member: cn=fred blogs,dc=example,dc=com
+    member: cn=somebody else,dc=example,dc=com
+</PRE>
+<P>One can then grant access to the members of this this group by adding appropriate <EM>by group</EM> clause to an access directive in <EM>slapd.conf</EM>(5). For instance,</P>
+<PRE>
+    access to dn.children=&quot;dc=example,dc=com&quot;
+        by self write
+        by group.exact=&quot;cn=Administrators,dc=example,dc=com&quot; write
+        by * auth
+</PRE>
+<P>Like by {[dn}} clauses, one can also use <EM>expand</EM> to expand the group name based upon the regular expression matching of the target, that is, the to <EM>dn.regex</EM>). For instance,</P>
+<PRE>
+    access to dn.regex=&quot;(.+,)?ou=People,(dc=[^,]+,dc=[^,]+)$&quot;
+             attrs=children,entry,uid
+        by group.expand=&quot;cn=Managers,$2&quot; write
+        by users read
+        by * auth
+</PRE>
+<P>The above illustration assumed that the group members are to be found in the <EM>member</EM> attribute type of the <EM>groupOfNames</EM> object class. If you need to use a different group object and/or a different attribute type then use the following <EM>slapd.conf</EM>(5) (abbreviated) syntax:</P>
+<PRE>
+    access to &lt;what&gt;
+            by group/&lt;objectclass&gt;/&lt;attributename&gt;=&lt;DN&gt; &lt;access&gt;
+</PRE>
+<P>For example:</P>
+<PRE>
+    access to *
+      by group/organizationalRole/roleOccupant=&quot;cn=Administrator,dc=example,dc=com&quot; write
+</PRE>
+<P>In this case, we have an ObjectClass <EM>organizationalRole</EM> which contains the administrator DN's in the <EM>roleOccupant</EM> attribute. For instance:</P>
+<PRE>
+    dn: cn=Administrator,dc=example,dc=com
+    cn: Administrator
+    objectclass: organizationalRole
+    roleOccupant: cn=Jane Doe,dc=example,dc=com
+</PRE>
+<P><HR WIDTH="80%" ALIGN="Left">
+<STRONG>Note: </STRONG>the specified member attribute type MUST be of DN or <EM>NameAndOptionalUID</EM> syntax, and the specified object class SHOULD allow the attribute type.
+<HR WIDTH="80%" ALIGN="Left"></P>
+<P>Dynamic Groups are also supported in Access Control. Please see <EM>slapo-dynlist</EM>(5) and the <A HREF="#Dynamic Lists">Dynamic Lists</A> overlay section.</P>
+<H3><A NAME="Granting access to a subset of attributes">7.4.5. Granting access to a subset of attributes</A></H3>
+<P>You can grant access to a set of attributes by specifying a list of attribute names in the ACL <EM>to</EM> clause. To be useful, you also need to grant access to the <EM>entry</EM> itself. Also note how <EM>children</EM> controls the ability to add, delete, and rename entries.</P>
+<PRE>
+    # mail: self may write, authenticated users may read
+    access to attrs=mail
+      by self write
+      by users read
+      by * none
+
+    # cn, sn: self my write, all may read
+    access to attrs=cn,sn
+      by self write
+      by * read
+
+    # immediate children: only self can add/delete entries under this entry
+    access to attrs=children
+      by self write
+
+    # entry itself: self may write, all may read
+    access to attrs=entry
+      by self write
+      by * read
+
+    # other attributes: self may write, others have no access
+    access to *
+      by self write
+      by * none
+</PRE>
+<P>ObjectClass names may also be specified in this list, which will affect all the attributes that are required and/or allowed by that <EM>objectClass</EM>. Actually, names in <EM>attrlist</EM> that are prefixed by <EM>@</EM> are directly treated as objectClass names. A name prefixed by <EM>!</EM> is also treated as an objectClass, but in this case the access rule affects the attributes that are not required nor allowed by that <EM>objectClass</EM>.</P>
+<H3><A NAME="Allowing a user write to all entries below theirs">7.4.6. Allowing a user write to all entries below theirs</A></H3>
+<P>For a setup where a user can write to its own record and to all of its children:</P>
+<PRE>
+    access to dn.regex=&quot;(.+,)?(uid=[^,]+,o=Company)$&quot;
+       by dn.exact,expand=&quot;$2&quot; write
+       by anonymous auth
+</PRE>
+<P>(Add more examples for above)</P>
+<H3><A NAME="Allowing entry creation">7.4.7. Allowing entry creation</A></H3>
+<P>Let's say, you have it like this:</P>
+<PRE>
+        o=&lt;basedn&gt;
+            ou=domains
+                associatedDomain=&lt;somedomain&gt;
+                    ou=users
+                        uid=&lt;someuserid&gt;
+                        uid=&lt;someotheruserid&gt;
+                    ou=addressbooks
+                        uid=&lt;someuserid&gt;
+                            cn=&lt;someone&gt;
+                            cn=&lt;someoneelse&gt;
+</PRE>
+<P>and, for another domain &lt;someotherdomain&gt;:</P>
+<PRE>
+        o=&lt;basedn&gt;
+            ou=domains
+                associatedDomain=&lt;someotherdomain&gt;
+                    ou=users
+                        uid=&lt;someuserid&gt;
+                        uid=&lt;someotheruserid&gt;
+                    ou=addressbooks
+                        uid=&lt;someotheruserid&gt;
+                            cn=&lt;someone&gt;
+                            cn=&lt;someoneelse&gt;
+</PRE>
+<P>then, if you wanted user <EM>uid=&lt;someuserid&gt;</EM> to <B>ONLY</B> create an entry for its own thing, you could write an ACL like this:</P>
+<PRE>
+    # this rule lets users of &quot;associatedDomain=&lt;matcheddomain&gt;&quot;
+    # write under &quot;ou=addressbook,associatedDomain=&lt;matcheddomain&gt;,ou=domains,o=&lt;basedn&gt;&quot;,
+    # i.e. a user can write ANY entry below its domain's address book;
+    # this permission is necessary, but not sufficient, the next
+    # will restrict this permission further
+
+
+    access to dn.regex=&quot;^ou=addressbook,associatedDomain=([^,]+),ou=domains,o=&lt;basedn&gt;$&quot; attrs=children
+            by dn.regex=&quot;^uid=([^,]+),ou=users,associatedDomain=$1,ou=domains,o=&lt;basedn&gt;$$&quot; write
+            by * none
+
+
+    # Note that above the &quot;by&quot; clause needs a &quot;regex&quot; style to make sure
+    # it expands to a DN that starts with a &quot;uid=&lt;someuserid&gt;&quot; pattern
+    # while substituting the associatedDomain submatch from the &quot;what&quot; clause.
+
+
+    # This rule lets a user with &quot;uid=&lt;matcheduid&gt;&quot; of &quot;&lt;associatedDomain=matcheddomain&gt;&quot;
+    # write (i.e. add, modify, delete) the entry whose DN is exactly
+    # &quot;uid=&lt;matcheduid&gt;,ou=addressbook,associatedDomain=&lt;matcheddomain&gt;,ou=domains,o=&lt;basedn&gt;&quot;
+    # and ANY entry as subtree of it
+
+
+    access to dn.regex=&quot;^(.+,)?uid=([^,]+),ou=addressbook,associatedDomain=([^,]+),ou=domains,o=&lt;basedn&gt;$&quot;
+            by dn.exact,expand=&quot;uid=$2,ou=users,associatedDomain=$3,ou=domains,o=&lt;basedn&gt;&quot; write
+            by * none
+
+
+    # Note that above the &quot;by&quot; clause uses the &quot;exact&quot; style with the &quot;expand&quot;
+    # modifier because now the whole pattern can be rebuilt by means of the
+    # submatches from the &quot;what&quot; clause, so a &quot;regex&quot; compilation and evaluation
+    # is no longer required.
+</PRE>
+<H3><A NAME="Tips for using regular expressions in Access Control">7.4.8. Tips for using regular expressions in Access Control</A></H3>
+<P>Always use <EM>dn.regex=&lt;pattern&gt;</EM> when you intend to use regular expression matching. <EM>dn=&lt;pattern&gt;</EM> alone defaults to <EM>dn.exact&lt;pattern&gt;</EM>.</P>
+<P>Use <EM>(.+)</EM> instead of <EM>(.*)</EM> when you want at least one char to be matched. <EM>(.*)</EM> matches the empty string as well.</P>
+<P>Don't use regular expressions for matches that can be done otherwise in a safer and cheaper manner. Examples:</P>
+<PRE>
+    dn.regex=&quot;.*dc=example,dc=com&quot;
+</PRE>
+<P>is unsafe and expensive:</P>
+<UL>
+<LI>unsafe because any string containing <EM>dc=example,dc=com </EM>will match, not only those that end with the desired pattern; use <EM>.*dc=example,dc=com$</EM> instead.
+<LI>unsafe also because it would allow any <EM>attributeType</EM> ending with <EM>dc</EM> as naming attribute for the first RDN in the string, e.g. a custom attributeType <EM>mydc</EM> would match as well. If you really need a regular expression that allows just <EM>dc=example,dc=com</EM> or any of its subtrees, use <EM>^(.+,)?dc=example,dc=com$</EM>, which means: anything to the left of dc=..., if any (the question mark after the pattern within brackets), must end with a comma;
+<LI>expensive because if you don't need submatches, you could use scoping styles, e.g.</UL>
+<PRE>
+    dn.subtree=&quot;dc=example,dc=com&quot;
+</PRE>
+<P>to include <EM>dc=example,dc=com</EM> in the matching patterns,</P>
+<PRE>
+    dn.children=&quot;dc=example,dc=com&quot;
+</PRE>
+<P>to exclude <EM>dc=example,dc=com</EM> from the matching patterns, or</P>
+<PRE>
+    dn.onelevel=&quot;dc=example,dc=com&quot;
+</PRE>
+<P>to allow exactly one sublevel matches only.</P>
+<P>Always use <EM>^</EM> and <EM>$</EM> in regexes, whenever appropriate, because <EM>ou=(.+),ou=(.+),ou=addressbooks,o=basedn</EM> will match <EM>something=bla,ou=xxx,ou=yyy,ou=addressbooks,o=basedn,ou=addressbooks,o=basedn,dc=some,dc=org</EM></P>
+<P>Always use <EM>([^,]+)</EM> to indicate exactly one RDN, because <EM>(.+)</EM> can include any number of RDNs; e.g. <EM>ou=(.+),dc=example,dc=com</EM> will match <EM>ou=My,o=Org,dc=example,dc=com</EM>, which might not be what you want.</P>
+<P>Never add the rootdn to the by clauses. ACLs are not even processed for operations performed with rootdn identity (otherwise there would be no reason to define a rootdn at all).</P>
+<P>Use shorthands. The user directive matches authenticated users and the anonymous directive matches anonymous users.</P>
+<P>Don't use the <EM>dn.regex</EM> form for &lt;by&gt; clauses if all you need is scoping and/or substring replacement; use scoping styles (e.g. <EM>exact</EM>, <EM>onelevel</EM>, <EM>children</EM> or <EM>subtree</EM>) and the style modifier expand to cause substring expansion.</P>
+<P>For instance,</P>
+<PRE>
+    access to dn.regex=&quot;.+,dc=([^,]+),dc=([^,]+)$&quot;
+      by dn.regex=&quot;^[^,],ou=Admin,dc=$1,dc=$2$$&quot; write
+</PRE>
+<P>although correct, can be safely and efficiently replaced by</P>
+<PRE>
+    access to dn.regex=&quot;.+,(dc=[^,]+,dc=[^,]+)$&quot;
+      by dn.onelevel,expand=&quot;ou=Admin,$1&quot; write
+</PRE>
+<P>where the regex in the <EM>&lt;what&gt;</EM> clause is more compact, and the one in the <EM>&lt;by&gt;</EM> clause is replaced by a much more efficient scoping style of onelevel with substring expansion.</P>
+<H3><A NAME="Granting and Denying access based on security strength factors (ssf)">7.4.9. Granting and Denying access based on security strength factors (ssf)</A></H3>
+<P>You can restrict access based on the security strength factor (SSF)</P>
+<PRE>
+    access to dn=&quot;cn=example,cn=edu&quot;
+          by * ssf=256 read
+</PRE>
+<P>0 (zero) implies no protection, 1 implies integrity protection only, 56 DES or other weak ciphers, 112 triple DES and other strong ciphers, 128 RC4, Blowfish and other modern strong ciphers.</P>
+<P>Other possibilities:</P>
+<PRE>
+    transport_ssf=&lt;n&gt;
+    tls_ssf=&lt;n&gt;
+    sasl_ssf=&lt;n&gt;
+</PRE>
+<P>256 is recommended.</P>
+<P>See <EM>slapd.conf</EM>(5) for information on <EM>ssf</EM>.</P>
+<H3><A NAME="When things aren\'t working as expected">7.4.10. When things aren't working as expected</A></H3>
+<P>Consider this example:</P>
+<PRE>
+    access to *
+      by anonymous auth
+
+    access to *
+      by self write
+
+    access to *
+      by users read
+</PRE>
+<P>You may think this will allow any user to login, to read everything and change his own data if he is logged in. But in this example only the login works and an ldapsearch returns no data. The Problem is that SLAPD goes through its access config line by line and stops as soon as it finds a match in the part of the access rule.(here: <EM>to *</EM>)</P>
+<P>To get what we wanted the file has to read:</P>
+<PRE>
+    access to *
+      by anonymous auth
+      by self write
+      by users read
+</PRE>
+<P>The general rule is: &quot;special access rules first, generic access rules last&quot;</P>
+<P>See also <EM>slapd.access</EM>(8), loglevel 128 and <EM>slapacl</EM>(8) for debugging information.</P>
+<H2><A NAME="Sets - Granting rights based on relationships">7.5. Sets - Granting rights based on relationships</A></H2>
+<P>Sets are best illustrated via examples. The following sections will present a few set ACL examples in order to facilitate their understanding.</P>
+<P>(Sets in Access Controls FAQ Entry: <A HREF="http://www.openldap.org/faq/data/cache/1133.html">http://www.openldap.org/faq/data/cache/1133.html</A>)</P>
+<P><HR WIDTH="80%" ALIGN="Left">
+<STRONG>Note: </STRONG>Sets are considered experimental.
+<HR WIDTH="80%" ALIGN="Left"></P>
+<H3><A NAME="Groups of Groups">7.5.1. Groups of Groups</A></H3>
+<P>The OpenLDAP ACL for groups doesn't expand groups within groups, which are groups that have another group as a member. For example:</P>
+<PRE>
+ dn: cn=sudoadm,ou=group,dc=example,dc=com
+ cn: sudoadm
+ objectClass: groupOfNames
+ member: uid=john,ou=people,dc=example,dc=com
+ member: cn=accountadm,ou=group,dc=example,dc=com
+
+ dn: cn=accountadm,ou=group,dc=example,dc=com
+ cn: accountadm
+ objectClass: groupOfNames
+ member: uid=mary,ou=people,dc=example,dc=com
+</PRE>
+<P>If we use standard group ACLs with the above entries and allow members of the <TT>sudoadm</TT> group to write somewhere, <TT>mary</TT> won't be included:</P>
+<PRE>
+ access to dn.subtree=&quot;ou=sudoers,dc=example,dc=com&quot;
+         by group.exact=&quot;cn=sudoadm,ou=group,dc=example,dc=com&quot; write
+         by * read
+</PRE>
+<P>With sets we can make the ACL be recursive and consider group within groups. So for each member that is a group, it is further expanded:</P>
+<PRE>
+ access to dn.subtree=&quot;ou=sudoers,dc=example,dc=com&quot;
+       by set=&quot;[cn=sudoadm,ou=group,dc=example,dc=com]/member* &amp; user&quot; write
+       by * read
+</PRE>
+<P>This set ACL means: take the <TT>cn=sudoadm</TT> DN, check its <TT>member</TT> attribute(s) (where the &quot;<TT>*</TT>&quot; means recursively) and intersect the result with the authenticated user's DN. If the result is non-empty, the ACL is considered a match and write access is granted.</P>
+<P>The following drawing explains how this set is built:</P>
+<P><CENTER><IMG SRC="set-recursivegroup.png" ALIGN="center"></CENTER></P>
+<P ALIGN="Center">Figure X.Y: Populating a recursive group set</P>
+<P>First we get the <TT>uid=john</TT> DN. This entry doesn't have a <TT>member</TT> attribute, so the expansion stops here.  Now we get to <TT>cn=accountadm</TT>. This one does have a <TT>member</TT> attribute, which is <TT>uid=mary</TT>. The <TT>uid=mary</TT> entry, however, doesn't have member, so we stop here again. The end comparison is:</P>
+<PRE>
+ {&quot;uid=john,ou=people,dc=example,dc=com&quot;,&quot;uid=mary,ou=people,dc=example,dc=com&quot;} &amp; user
+</PRE>
+<P>If the authenticated user's DN is any one of those two, write access is granted. So this set will include <TT>mary</TT> in the <TT>sudoadm</TT> group and she will be allowed the write access.</P>
+<H3><A NAME="Group ACLs without DN syntax">7.5.2. Group ACLs without DN syntax</A></H3>
+<P>The traditional group ACLs, and even the previous example about recursive groups, require that the members are specified as DNs instead of just usernames.</P>
+<P>With sets, however, it's also possible to use simple names in group ACLs, as this example will show.</P>
+<P>Let's say we want to allow members of the <TT>sudoadm</TT> group to write to the <TT>ou=suders</TT> branch of our tree. But our group definition now is using <TT>memberUid</TT> for the group members:</P>
+<PRE>
+ dn: cn=sudoadm,ou=group,dc=example,dc=com
+ cn: sudoadm
+ objectClass: posixGroup
+ gidNumber: 1000
+ memberUid: john
+</PRE>
+<P>With this type of group, we can't use group ACLs. But with a set ACL we can grant the desired access:</P>
+<PRE>
+ access to dn.subtree=&quot;ou=sudoers,dc=example,dc=com&quot;
+       by set=&quot;[cn=sudoadm,ou=group,dc=example,dc=com]/memberUid &amp; user/uid&quot; write
+       by * read
+</PRE>
+<P>We use a simple intersection where we compare the <TT>uid</TT> attribute of the connecting (and authenticated) user with the <TT>memberUid</TT> attributes of the group. If they match, the intersection is non-empty and the ACL will grant write access.</P>
+<P>This drawing illustrates this set when the connecting user is authenticated as <TT>uid=john,ou=people,dc=example,dc=com</TT>:</P>
+<P><CENTER><IMG SRC="set-memberUid.png" ALIGN="center"></CENTER></P>
+<P ALIGN="Center">Figure X.Y: Sets with <TT>memberUid</TT></P>
+<P>In this case, it's a match. If it were <TT>mary</TT> authenticating, however, she would be denied write access to <TT>ou=sudoers</TT> because her <TT>uid</TT> attribute is not listed in the group's <TT>memberUid</TT>.</P>
+<H3><A NAME="Following references">7.5.3. Following references</A></H3>
+<P>We will now show a quite powerful example of what can be done with sets. This example tends to make OpenLDAP administrators smile after they have understood it and its implications.</P>
+<P>Let's start with an user entry:</P>
+<PRE>
+ dn: uid=john,ou=people,dc=example,dc=com
+ uid: john
+ objectClass: inetOrgPerson
+ givenName: John
+ sn: Smith
+ cn: john
+ manager: uid=mary,ou=people,dc=example,dc=com
+</PRE>
+<P>Writing an ACL to allow the manager to update some attributes is quite simple using sets:</P>
+<PRE>
+ access to dn.exact=&quot;uid=john,ou=people,dc=example,dc=com&quot;
+    attrs=carLicense,homePhone,mobile,pager,telephoneNumber
+    by self write
+    by set=&quot;this/manager &amp; user&quot; write
+    by * read
+</PRE>
+<P>In that set, <TT>this</TT> expands to the entry being accessed, so that <TT>this/manager</TT> expands to <TT>uid=mary,ou=people,dc=example,dc=com</TT> when john's entry is accessed.  If the manager herself is accessing John's entry, the ACL will match and write access to those attributes will be granted.</P>
+<P>So far, this same behavior can be obtained with the <TT>dnattr</TT> keyword. With sets, however, we can further enhance this ACL. Let's say we want to allow the secretary of the manager to also update these attributes. This is how we do it:</P>
+<PRE>
+ access to dn.exact=&quot;uid=john,ou=people,dc=example,dc=com&quot;
+    attrs=carLicense,homePhone,mobile,pager,telephoneNumber
+    by self write
+    by set=&quot;this/manager &amp; user&quot; write
+    by set=&quot;this/manager/secretary &amp; user&quot; write
+    by * read
+</PRE>
+<P>Now we need a picture to help explain what is happening here (entries shortened for clarity):</P>
+<P><CENTER><IMG SRC="set-following-references.png" ALIGN="center"></CENTER></P>
+<P ALIGN="Center">Figure X.Y: Sets jumping through entries</P>
+<P>In this example, Jane is the secretary of Mary, which is the manager of John. This whole relationship is defined with the <TT>manager</TT> and <TT>secretary</TT> attributes, which are both of the distinguishedName syntax (i.e., full DNs). So, when the <TT>uid=john</TT> entry is being accessed, the <TT>this/manager/secretary</TT> set becomes <TT>{&quot;uid=jane,ou=people,dc=example,dc=com&quot;</TT>} (follow the references in the picture):</P>
+<PRE>
+ this = [uid=john,ou=people,dc=example,dc=com]
+ this/manager = \
+   [uid=john,ou=people,dc=example,dc=com]/manager = uid=mary,ou=people,dc=example,dc=com
+ this/manager/secretary = \
+   [uid=mary,ou=people,dc=example,dc=com]/secretary = uid=jane,ou=people,dc=example,dc=com
+</PRE>
+<P>The end result is that when Jane accesses John's entry, she will be granted write access to the specified attributes. Better yet, this will happen to any entry she accesses which has Mary as the manager.</P>
+<P>This is all cool and nice, but perhaps gives to much power to secretaries. Maybe we need to further restrict it. For example, let's only allow executive secretaries to have this power:</P>
+<PRE>
+ access to dn.exact=&quot;uid=john,ou=people,dc=example,dc=com&quot;
+   attrs=carLicense,homePhone,mobile,pager,telephoneNumber
+   by self write
+   by set=&quot;this/manager &amp; user&quot; write
+   by set=&quot;this/manager/secretary &amp;
+           [cn=executive,ou=group,dc=example,dc=com]/member* &amp;
+           user&quot; write
+   by * read
+</PRE>
+<P>It's almost the same ACL as before, but we now also require that the connecting user be a member of the (possibly nested) <TT>cn=executive</TT> group.</P>
 <P></P>
 <HR>
-<H1><A NAME="Running slapd">7. Running slapd</A></H1>
+<H1><A NAME="Running slapd">8. Running slapd</A></H1>
 <P><EM>slapd</EM>(8) is designed to be run as a standalone service.  This allows the server to take advantage of caching, manage concurrency issues with underlying databases, and conserve system resources. Running from <EM>inetd</EM>(8) is <EM>NOT</EM> an option.</P>
-<H2><A NAME="Command-Line Options">7.1. Command-Line Options</A></H2>
+<H2><A NAME="Command-Line Options">8.1. Command-Line Options</A></H2>
 <P><EM>slapd</EM>(8) supports a number of command-line options as detailed in the manual page.  This section details a few commonly used options.</P>
 <PRE>
         -f &lt;filename&gt;
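Review bot: the 7.4.3 rootdn example uses unanchored regexes (`by peername.regex=127\.0\.0\.1 auth` and `by peername.regex=192\.168\.0\..* auth`) even though 7.4.8 in the same hunk tells readers to always anchor with `^` and `$` and to avoid regex where a cheaper style exists; please anchor both patterns (slapd peername values carry an `IP=` prefix and a `:port` suffix, so the anchors have to allow for those) so that the rule matches only the intended addresses, and drop the redundant `by users none` line, which is already covered by `by * none`. The added guide text also ships several unfinished placeholders: the whole body of 7.3.8 is "Discuss slap* -f slapd.conf -F slapd.d/ (man slapd-config)", 7.4.6 ends with "(Add more examples for above)", and three captions read "Figure X.Y"; either complete them or keep them out of the rendered chapter. The cross reference "See also slapd.access(8)" in 7.4.10 should be slapd.access(5), matching the other man page references in the chapter. Markup and spelling nits: "{[slapd.d}}" and "{[dn}}" have mismatched braces, the anchor `NAME="When things aren\'t working as expected"` keeps a literal backslash and so yields a broken fragment link, "slapd(8))" has a doubled parenthesis, and "a empty DN", "short hand", "this this group", "self my write" (comment in 7.4.5), "ou=suders" and "gives to much power" need fixing; the second ACL in the 7.4.1 block is also indented differently from the first.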
@@ -3419,13 +3859,13 @@
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>slapd must have been compiled with <TT>-DLDAP_DEBUG</TT> defined for any debugging information beyond the two stats levels to be available.
 <HR WIDTH="80%" ALIGN="Left"></P>
-<H2><A NAME="Starting slapd">7.2. Starting slapd</A></H2>
+<H2><A NAME="Starting slapd">8.2. Starting slapd</A></H2>
 <P>In general, slapd is run like this:</P>
 <PRE>
         /usr/local/libexec/slapd [&lt;option&gt;]*
 </PRE>
 <P>where <TT>/usr/local/libexec</TT> is determined by <TT>configure</TT> and &lt;option&gt; is one of the options described above (or in <EM>slapd</EM>(8)). Unless you have specified a debugging level (including level <TT>0</TT>), slapd will automatically fork and detach itself from its controlling terminal and run in the background.</P>
-<H2><A NAME="Stopping slapd">7.3. Stopping slapd</A></H2>
+<H2><A NAME="Stopping slapd">8.3. Stopping slapd</A></H2>
 <P>To kill off <EM>slapd</EM>(8) safely, you should give a command like this</P>
 <PRE>
         kill -INT `cat /usr/local/var/slapd.pid`
@@ -3434,10 +3874,10 @@
 <P>Killing slapd by a more drastic method may cause information loss or database corruption.</P>
 <P></P>
 <HR>
-<H1><A NAME="Database Creation and Maintenance Tools">8. Database Creation and Maintenance Tools</A></H1>
+<H1><A NAME="Database Creation and Maintenance Tools">9. Database Creation and Maintenance Tools</A></H1>
 <P>This section tells you how to create a slapd database from scratch, and how to do trouble shooting if you run into problems. There are two ways to create a database. First, you can create the database on-line using <TERM>LDAP</TERM>. With this method, you simply start up slapd and add entries using the LDAP client of your choice. This method is fine for relatively small databases (a few hundred or thousand entries, depending on your requirements). This method works for database types which support updates.</P>
 <P>The second method of database creation is to do it off-line using special utilities provided with <EM>slapd</EM>(8). This method is best if you have many thousands of entries to create, which would take an unacceptably long time using the LDAP method, or if you want to ensure the database is not accessed while it is being created. Note that not all database types support these utilities.</P>
-<H2><A NAME="Creating a database over LDAP">8.1. Creating a database over LDAP</A></H2>
+<H2><A NAME="Creating a database over LDAP">9.1. Creating a database over LDAP</A></H2>
 <P>With this method, you use the LDAP client of your choice (e.g., the <EM>ldapadd</EM>(1)) to add entries, just like you would once the database is created.  You should be sure to set the following options in the configuration file before starting <EM>slapd</EM>(8).</P>
 <PRE>
         suffix &lt;dn&gt;
@@ -3497,7 +3937,7 @@
         ldapadd -f entries.ldif -x -D &quot;cn=Manager,dc=example,dc=com&quot; -w secret
 </PRE>
 <P>The above command assumes settings provided in the above examples.</P>
-<H2><A NAME="Creating a database off-line">8.2. Creating a database off-line</A></H2>
+<H2><A NAME="Creating a database off-line">9.2. Creating a database off-line</A></H2>
 <P>The second method of database creation is to do it off-line, using the slapd database tools described below. This method is best if you have many thousands of entries to create, which would take an unacceptably long time to add using the LDAP method described above. These tools read the slapd configuration file and an input file containing a text representation of the entries to add. For database types which support the tools, they produce the database files directly (otherwise you must use the on-line method above). There are several important configuration options you will want to be sure and set in the config file database definition first:</P>
 <PRE>
         suffix &lt;dn&gt;
@@ -3524,7 +3964,7 @@
         index objectClass eq
 </PRE>
 <P>This would create presence, equality, approximate, and substring indices for the <TT>cn</TT>, <TT>sn</TT>, and <TT>uid</TT> attributes and an equality index for the <TT>objectClass</TT> attribute.  Note that not all index types are available with all attribute types.  See <A HREF="#The slapd Configuration File">The slapd Configuration File</A> section for more information on this option.</P>
-<H3><A NAME="The {{EX:slapadd}} program">8.2.1. The <TT>slapadd</TT> program</A></H3>
+<H3><A NAME="The {{EX:slapadd}} program">9.2.1. The <TT>slapadd</TT> program</A></H3>
 <P>Once you've configured things to your liking, you create the primary database and associated indices by running the <EM>slapadd</EM>(8) program:</P>
 <PRE>
         slapadd -l &lt;inputfile&gt; -f &lt;slapdconfigfile&gt;
@@ -3555,21 +3995,21 @@
         -b &lt;suffix&gt;
 </PRE>
 <P>An optional argument that specifies which database to modify.  The provided suffix is matched against a database <TT>suffix</TT> directive to determine the database number. Should not be used in conjunction with <TT>-n</TT>.</P>
-<H3><A NAME="The {{EX:slapindex}} program">8.2.2. The <TT>slapindex</TT> program</A></H3>
+<H3><A NAME="The {{EX:slapindex}} program">9.2.2. The <TT>slapindex</TT> program</A></H3>
 <P>Sometimes it may be necessary to regenerate indices (such as after modifying <EM>slapd.conf</EM>(5)). This is possible using the <EM>slapindex</EM>(8) program.  <EM>slapindex</EM> is invoked like this</P>
 <PRE>
         slapindex -f &lt;slapdconfigfile&gt;
                 [-d &lt;debuglevel&gt;] [-n &lt;databasenumber&gt;|-b &lt;suffix&gt;]
 </PRE>
 <P>Where the <TT>-f</TT>, <TT>-d</TT>, <TT>-n</TT> and <TT>-b</TT> options are the same as for the <EM>slapadd</EM>(1) program.  <EM>slapindex</EM> rebuilds all indices based upon the current database contents.</P>
-<H3><A NAME="The {{EX:slapcat}} program">8.2.3. The <TT>slapcat</TT> program</A></H3>
+<H3><A NAME="The {{EX:slapcat}} program">9.2.3. The <TT>slapcat</TT> program</A></H3>
 <P>The <TT>slapcat</TT> program is used to dump the database to an <TERM>LDIF</TERM> file.  This can be useful when you want to make a human-readable backup of your database or when you want to edit your database off-line.  The program is invoked like this:</P>
 <PRE>
         slapcat -l &lt;filename&gt; -f &lt;slapdconfigfile&gt;
                 [-d &lt;debuglevel&gt;] [-n &lt;databasenumber&gt;|-b &lt;suffix&gt;]
 </PRE>
 <P>where <TT>-n</TT> or <TT>-b</TT> is used to select the database in the <EM>slapd.conf</EM>(5) specified using <TT>-f</TT>.  The corresponding <TERM>LDIF</TERM> output is written to standard output or to the file specified using the <TT>-l</TT> option.</P>
-<H2><A NAME="The LDIF text entry format">8.3. The LDIF text entry format</A></H2>
+<H2><A NAME="The LDIF text entry format">9.3. The LDIF text entry format</A></H2>
 <P>The <TERM>LDAP Data Interchange Format</TERM> (LDIF) is used to represent LDAP entries in a simple text format.  This section provides a brief description of the LDIF entry format which complements <EM>ldif</EM>(5) and the technical specification <A HREF="http://www.rfc-editor.org/rfc/rfc2849.txt">RFC2849</A>.</P>
 <P>The basic form of an entry is:</P>
 <PRE>
@@ -3641,55 +4081,55 @@
 <HR WIDTH="80%" ALIGN="Left"></P>
 <P></P>
 <HR>
-<H1><A NAME="Backends">9. Backends</A></H1>
-<H2><A NAME="Berkeley DB Backends">9.1. Berkeley DB Backends</A></H2>
-<H3><A NAME="Overview">9.1.1. Overview</A></H3>
+<H1><A NAME="Backends">10. Backends</A></H1>
+<H2><A NAME="Berkeley DB Backends">10.1. Berkeley DB Backends</A></H2>
+<H3><A NAME="Overview">10.1.1. Overview</A></H3>
 <P>The <EM>bdb</EM> backend to <EM>slapd</EM>(8) is the recommended primary backend for a normal <EM>slapd</EM> database.  It uses the Oracle Berkeley DB (<TERM>BDB</TERM>) package to store data. It makes extensive use of indexing and caching (see the <A HREF="#Tuning">Tuning</A> section) to speed data access.</P>
 <P><EM>hdb</EM> is a variant of the <EM>bdb</EM> backend that uses a hierarchical database layout which supports subtree renames. It is otherwise identical to the <EM>bdb</EM> behavior, and all the same configuration options apply.</P>
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>An <EM>hdb</EM> database needs a large <EM>idlcachesize</EM> for good search performance, typically three times the <EM>cachesize</EM> (entry cache size) or larger.
 <HR WIDTH="80%" ALIGN="Left"></P>
-<H3><A NAME="back-bdb/back-hdb Configuration">9.1.2. back-bdb/back-hdb Configuration</A></H3>
+<H3><A NAME="back-bdb/back-hdb Configuration">10.1.2. back-bdb/back-hdb Configuration</A></H3>
 <P>MORE LATER</P>
-<H3><A NAME="Further Information">9.1.3. Further Information</A></H3>
+<H3><A NAME="Further Information">10.1.3. Further Information</A></H3>
 <P><EM>slapd-bdb</EM>(5)</P>
-<H2><A NAME="LDAP">9.2. LDAP</A></H2>
-<H3><A NAME="Overview">9.2.1. Overview</A></H3>
+<H2><A NAME="LDAP">10.2. LDAP</A></H2>
+<H3><A NAME="Overview">10.2.1. Overview</A></H3>
 <P>The LDAP backend to <EM>slapd</EM>(8) is not an actual database; instead it acts as a proxy to forward incoming requests to another LDAP server. While processing requests it will also chase referrals, so that referrals are fully processed instead of being returned to the <EM>slapd</EM> client.</P>
-<P>Sessions that explicitly <EM>Bind</EM> to the <EM>back-ldap</EM> database always create their own private connection to the remote LDAP server. Anonymous sessions will share a single anonymous connection to the remote server. For sessions bound through other mechanisms, all sessions with the same DN will share the same connection. This connection pooling strategy can enhance the proxy’s efficiency by reducing the overhead of repeatedly making/breaking multiple connections.</P>
+<P>Sessions that explicitly <EM>Bind</EM> to the <EM>back-ldap</EM> database always create their own private connection to the remote LDAP server. Anonymous sessions will share a single anonymous connection to the remote server. For sessions bound through other mechanisms, all sessions with the same DN will share the same connection. This connection pooling strategy can enhance the proxy's efficiency by reducing the overhead of repeatedly making/breaking multiple connections.</P>
 <P>The ldap database can also act as an information service, i.e. the identity of locally authenticated clients is asserted to the remote server, possibly in some modified form. For this purpose, the proxy binds to the remote server with some administrative identity, and, if required, authorizes the asserted identity.</P>
-<H3><A NAME="back-ldap Configuration">9.2.2. back-ldap Configuration</A></H3>
+<H3><A NAME="back-ldap Configuration">10.2.2. back-ldap Configuration</A></H3>
 <P>LATER</P>
-<H3><A NAME="Further Information">9.2.3. Further Information</A></H3>
+<H3><A NAME="Further Information">10.2.3. Further Information</A></H3>
 <P><EM>slapd-ldap</EM>(5)</P>
-<H2><A NAME="LDIF">9.3. LDIF</A></H2>
-<H3><A NAME="Overview">9.3.1. Overview</A></H3>
+<H2><A NAME="LDIF">10.3. LDIF</A></H2>
+<H3><A NAME="Overview">10.3.1. Overview</A></H3>
 <P>The LDIF backend to <EM>slapd</EM>(8) is a basic storage backend that stores entries in text files in LDIF format, and exploits the filesystem to create the tree structure of the database. It is intended as a cheap, low performance easy to use backend.</P>
 <P>When using the <EM>cn=config</EM> dynamic configuration database with persistent storage, the configuration data is stored using this backend. See <EM>slapd-config</EM>(5) for more information</P>
-<H3><A NAME="back-ldif Configuration">9.3.2. back-ldif Configuration</A></H3>
+<H3><A NAME="back-ldif Configuration">10.3.2. back-ldif Configuration</A></H3>
 <P>LATER</P>
-<H3><A NAME="Further Information">9.3.3. Further Information</A></H3>
+<H3><A NAME="Further Information">10.3.3. Further Information</A></H3>
 <P><EM>slapd-ldif</EM>(5)</P>
-<H2><A NAME="Metadirectory">9.4. Metadirectory</A></H2>
-<H3><A NAME="Overview">9.4.1. Overview</A></H3>
+<H2><A NAME="Metadirectory">10.4. Metadirectory</A></H2>
+<H3><A NAME="Overview">10.4.1. Overview</A></H3>
 <P>The meta backend to <EM>slapd</EM>(8) performs basic LDAP proxying with respect to a set of remote LDAP servers, called &quot;targets&quot;. The information contained in these servers can be presented as belonging to a single Directory Information Tree (<TERM>DIT</TERM>).</P>
 <P>A basic knowledge of the functionality of the <EM>slapd-ldap</EM>(5) backend is recommended. This backend has been designed as an enhancement of the ldap backend. The two backends share many features (actually they also share portions of code). While the ldap backend is intended to proxy operations directed to a single server, the meta backend is mainly intended for proxying of multiple servers and possibly naming context  masquerading.</P>
 <P>These features, although useful in many scenarios, may result in excessive overhead for some applications, so its use should be carefully considered.</P>
-<H3><A NAME="back-meta Configuration">9.4.2. back-meta Configuration</A></H3>
+<H3><A NAME="back-meta Configuration">10.4.2. back-meta Configuration</A></H3>
 <P>LATER</P>
-<H3><A NAME="Further Information">9.4.3. Further Information</A></H3>
+<H3><A NAME="Further Information">10.4.3. Further Information</A></H3>
 <P><EM>slapd-meta</EM>(5)</P>
-<H2><A NAME="Monitor">9.5. Monitor</A></H2>
-<H3><A NAME="Overview">9.5.1. Overview</A></H3>
+<H2><A NAME="Monitor">10.5. Monitor</A></H2>
+<H3><A NAME="Overview">10.5.1. Overview</A></H3>
 <P>The monitor backend to <EM>slapd</EM>(8) is not an actual database; if enabled, it is automatically generated and dynamically maintained by slapd with information about the running status of the daemon.</P>
 <P>To inspect all monitor information, issue a subtree search with base <EM>cn=Monitor</EM>, requesting that attributes &quot;+&quot; and &quot;*&quot; are returned. The monitor backend produces mostly operational attributes, and LDAP only returns operational attributes that are explicitly requested.  Requesting attribute &quot;+&quot; is an extension which requests all operational attributes.</P>
 <P>See the <A HREF="#Monitoring">Monitoring</A> section.</P>
-<H3><A NAME="back-monitor Configuration">9.5.2. back-monitor Configuration</A></H3>
+<H3><A NAME="back-monitor Configuration">10.5.2. back-monitor Configuration</A></H3>
 <P>LATER</P>
-<H3><A NAME="Further Information">9.5.3. Further Information</A></H3>
+<H3><A NAME="Further Information">10.5.3. Further Information</A></H3>
 <P><EM>slapd-monitor</EM>(5)</P>
-<H2><A NAME="Null">9.6. Null</A></H2>
-<H3><A NAME="Overview">9.6.1. Overview</A></H3>
+<H2><A NAME="Null">10.6. Null</A></H2>
+<H3><A NAME="Overview">10.6.1. Overview</A></H3>
 <P>The Null backend to <EM>slapd</EM>(8) is surely the most useful part of slapd:</P>
 <UL>
 <LI>Searches return success but no entries.
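Review bot: the back-ldap overview paragraph that ends "authorizes the asserted identity" describes the proxy binding to the remote server under an administrative identity and asserting the identity of locally authenticated clients, yet the renumbered "back-ldap Configuration" subsection that follows it is still the placeholder "LATER". Identity assertion determines which local users the proxy may impersonate on the remote server, so an empty section is the wrong place to stop: at least point at the corresponding slapd-ldap(5) directives and say that the set of identities the proxy is allowed to assert must be restricted. The same placeholder survives for back-bdb ("MORE LATER"), back-ldif, back-meta and back-monitor. Minor: this hunk changes the curly apostrophe in "proxy's" to ASCII, but "can't" in the SQL overview in the next hunk keeps the curly form.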
@@ -3698,88 +4138,222 @@
 <LI>Binds other than as the rootdn fail unless the database option &quot;bind on&quot; is given.
 <LI>The slapadd(8) and slapcat(8) tools are equally exciting.</UL>
 <P>Inspired by the <TT>/dev/null</TT> device.</P>
-<H3><A NAME="back-null Configuration">9.6.2. back-null Configuration</A></H3>
+<H3><A NAME="back-null Configuration">10.6.2. back-null Configuration</A></H3>
 <P>LATER</P>
-<H3><A NAME="Further Information">9.6.3. Further Information</A></H3>
+<H3><A NAME="Further Information">10.6.3. Further Information</A></H3>
 <P><EM>slapd-null</EM>(5)</P>
-<H2><A NAME="Passwd">9.7. Passwd</A></H2>
-<H3><A NAME="Overview">9.7.1. Overview</A></H3>
+<H2><A NAME="Passwd">10.7. Passwd</A></H2>
+<H3><A NAME="Overview">10.7.1. Overview</A></H3>
 <P>The PASSWD backend to <EM>slapd</EM>(8) serves up the user account information listed in the system <EM>passwd</EM>(5) file.</P>
 <P>This backend is provided for demonstration purposes only. The DN of each entry is &quot;uid=&lt;username&gt;,&lt;suffix&gt;&quot;.</P>
-<H3><A NAME="back-passwd Configuration">9.7.2. back-passwd Configuration</A></H3>
+<H3><A NAME="back-passwd Configuration">10.7.2. back-passwd Configuration</A></H3>
 <P>LATER</P>
-<H3><A NAME="Further Information">9.7.3. Further Information</A></H3>
+<H3><A NAME="Further Information">10.7.3. Further Information</A></H3>
 <P><EM>slapd-passwd</EM>(5)</P>
-<H2><A NAME="Perl/Shell">9.8. Perl/Shell</A></H2>
-<H3><A NAME="Overview">9.8.1. Overview</A></H3>
+<H2><A NAME="Perl/Shell">10.8. Perl/Shell</A></H2>
+<H3><A NAME="Overview">10.8.1. Overview</A></H3>
 <P>The Perl backend to <EM>slapd</EM>(8) works by embedding a <EM>perl</EM>(1) interpreter into <EM>slapd</EM>(8). Any perl database section of the configuration file <EM>slapd.conf</EM>(5) must then specify what Perl module to use. Slapd then creates a new Perl object that handles all the requests for that particular instance of the backend.</P>
 <P>The Shell backend to <EM>slapd</EM>(8) executes external programs to implement operations, and is designed to make it easy to tie an existing database to the slapd front-end. This backend is is primarily intended to be used in prototypes.</P>
-<H3><A NAME="back-perl/back-shell Configuration">9.8.2. back-perl/back-shell Configuration</A></H3>
+<H3><A NAME="back-perl/back-shell Configuration">10.8.2. back-perl/back-shell Configuration</A></H3>
 <P>LATER</P>
-<H3><A NAME="Further Information">9.8.3. Further Information</A></H3>
+<H3><A NAME="Further Information">10.8.3. Further Information</A></H3>
 <P><EM>slapd-shell</EM>(5) and <EM>slapd-perl</EM>(5)</P>
-<H2><A NAME="Relay">9.9. Relay</A></H2>
-<H3><A NAME="Overview">9.9.1. Overview</A></H3>
+<H2><A NAME="Relay">10.9. Relay</A></H2>
+<H3><A NAME="Overview">10.9.1. Overview</A></H3>
 <P>The primary purpose of this <EM>slapd</EM>(8) backend is to map a naming context defined in a database running in the same <EM>slapd</EM>(8) instance into a virtual naming context, with attributeType and objectClass manipulation, if required. It requires the rwm overlay.</P>
 <P>This backend and the above mentioned overlay are experimental.</P>
-<H3><A NAME="back-relay Configuration">9.9.2. back-relay Configuration</A></H3>
+<H3><A NAME="back-relay Configuration">10.9.2. back-relay Configuration</A></H3>
 <P>LATER</P>
-<H3><A NAME="Further Information">9.9.3. Further Information</A></H3>
+<H3><A NAME="Further Information">10.9.3. Further Information</A></H3>
 <P><EM>slapd-relay</EM>(5)</P>
-<H2><A NAME="SQL">9.10. SQL</A></H2>
-<H3><A NAME="Overview">9.10.1. Overview</A></H3>
+<H2><A NAME="SQL">10.10. SQL</A></H2>
+<H3><A NAME="Overview">10.10.1. Overview</A></H3>
 <P>The primary purpose of this <EM>slapd</EM>(8) backend is to PRESENT information stored in some RDBMS as an LDAP subtree without any programming (some SQL and maybe stored procedures can’t be considered programming, anyway ;).</P>
 <P>That is, for example, when you (some ISP) have account information you use in an RDBMS, and want to use modern solutions that expect such information in LDAP (to authenticate users, make email lookups etc.). Or you want to synchronize or distribute information between different sites/applications that use RDBMSes and/or LDAP. Or whatever else...</P>
 <P>It is <B>NOT</B> designed as a general-purpose backend that uses RDBMS instead of BerkeleyDB (as the standard BDB backend does), though it can be used as such with several limitations. Please see <A HREF="#LDAP vs RDBMS">LDAP vs RDBMS</A> for discussion.</P>
 <P>The idea is to use some meta-information to translate LDAP queries to SQL queries, leaving relational schema untouched, so that old applications can continue using it without any modifications. This allows SQL and LDAP applications to interoperate without replication, and exchange data as needed.</P>
 <P>The SQL backend is designed to be tunable to virtually any relational schema without having to change source (through that meta-information mentioned). Also, it uses ODBC to connect to RDBMSes, and is highly configurable for SQL dialects RDBMSes may use, so it may be used for integration and distribution of data on different RDBMSes, OSes, hosts etc., in other words, in highly heterogeneous environment.</P>
 <P>This backend is experimental.</P>
-<H3><A NAME="back-sql Configuration">9.10.2. back-sql Configuration</A></H3>
+<H3><A NAME="back-sql Configuration">10.10.2. back-sql Configuration</A></H3>
 <P>LATER</P>
-<H3><A NAME="Further Information">9.10.3. Further Information</A></H3>
+<H3><A NAME="Further Information">10.10.3. Further Information</A></H3>
 <P><EM>slapd-sql</EM>(5)</P>
 <P></P>
 <HR>
-<H1><A NAME="Overlays">10. Overlays</A></H1>
+<H1><A NAME="Overlays">11. Overlays</A></H1>
 <P>Overlays are software components that provide hooks to functions analogous to those provided by backends, which can be stacked on top of the backend calls and as callbacks on top of backend responses to alter their behavior.</P>
-<P>Overlays may be compiled statically into slapd, or when module support is enabled, they may be dynamically loaded. Most of the overlays are only allowed to be configured on individual databases, but some may also be configured globally.</P>
-<P>Essentially they represent a means to:</P>
+<P>Overlays may be compiled statically into <EM>slapd</EM>, or when module support is enabled, they may be dynamically loaded. Most of the overlays are only allowed to be configured on individual databases.</P>
+<P>Some can be stacked on the <TT>frontend</TT> as well, for global use. This means that they can be executed after a request is parsed and validated, but right before the appropriate database is selected. The main purpose is to affect operations regardless of the database they will be handled by, and, in some cases, to influence the selection of the database by massaging the request DN.</P>
+<P>Essentially, overlays represent a means to:</P>
 <UL>
 <LI>customize the behavior of existing backends without changing the backend code and without requiring one to write a new custom backend with complete functionality
 <LI>write functionality of general usefulness that can be applied to different backend types</UL>
+<P>When using <EM>slapd.conf</EM>(5), overlays that are configured before any other databases are considered global, as mentioned above. In fact they are implicitly stacked on top of the <TT>frontend</TT> database. They can also be explicitly configured as such:</P>
+<PRE>
+        database frontend
+        overlay &lt;overlay name&gt;
+</PRE>
 <P>Overlays are usually documented by separate specific man pages in section 5; the naming convention is</P>
 <PRE>
         slapo-&lt;overlay name&gt;
 </PRE>
-<P>Not all distributed overlays have a man page yet. Feel free to contribute one, if you think you well understood the behavior of the component and the implications of all the related configuration directives.</P>
+<P>All distributed core overlays have a man page. Feel free to contribute to any, if you think there is anything missing in describing the behavior of the component and the implications of all the related configuration directives.</P>
 <P>Official overlays are located in</P>
 <PRE>
         servers/slapd/overlays/
 </PRE>
-<P>That directory also contains the file slapover.txt, which describes the rationale of the overlay implementation, and may serve as guideline for the development of custom overlays.</P>
+<P>That directory also contains the file slapover.txt, which describes the rationale of the overlay implementation, and may serve as a guideline for the development of custom overlays.</P>
 <P>Contribware overlays are located in</P>
 <PRE>
         contrib/slapd-modules/&lt;overlay name&gt;/
 </PRE>
 <P>along with other types of run-time loadable components; they are officially distributed, but not maintained by the project.</P>
-<P>They can be stacked on the frontend as well; this means that they can be executed after a request is parsed and validated, but right before the appropriate database is selected. The main purpose is to affect operations regardless of the database they will be handled by, and, in some cases, to influence the selection of the database by massaging the request DN.</P>
-<P>All the current overlays in 2.4 are listed and described in detail in the following sections.</P>
-<H2><A NAME="Access Logging">10.1. Access Logging</A></H2>
-<H3><A NAME="Overview">10.1.1. Overview</A></H3>
+<P>All the current overlays in OpenLDAP are listed and described in detail in the following sections.</P>
+<H2><A NAME="Access Logging">11.1. Access Logging</A></H2>
+<H3><A NAME="Overview">11.1.1. Overview</A></H3>
 <P>This overlay can record accesses to a given backend database on another database.</P>
-<H3><A NAME="Access Logging Configuration">10.1.2. Access Logging Configuration</A></H3>
-<H2><A NAME="Audit Logging">10.2. Audit Logging</A></H2>
-<P>This overlay records changes on a given backend database to an LDIF log file.</P>
-<H3><A NAME="Overview">10.2.1. Overview</A></H3>
-<H3><A NAME="Audit Logging Configuration">10.2.2. Audit Logging Configuration</A></H3>
-<H2><A NAME="Chaining">10.3. Chaining</A></H2>
-<H3><A NAME="Overview">10.3.1. Overview</A></H3>
+<P>This allows all of the activity on a given database to be reviewed using arbitrary LDAP queries, instead of just logging to local flat text files. Configuration options are available for selecting a subset of operation types to log, and to automatically prune older log records from the logging database. Log records are stored with audit schema to assure their readability whether viewed as LDIF or in raw form.</P>
+<P>It is also used for <A HREF="#delta-syncrepl replication">delta-syncrepl replication</A></P>
+<H3><A NAME="Access Logging Configuration">11.1.2. Access Logging Configuration</A></H3>
+<P>The following is a basic example that implements Access Logging:</P>
+<PRE>
+        database bdb
+        suffix dc=example,dc=com
+        ...
+        overlay accesslog
+        logdb cn=log
+        logops writes reads
+        logold (objectclass=person)
+
+        database bdb
+        suffix cn=log
+        ...
+        index reqStart eq
+        access to *
+          by dn.base=&quot;cn=admin,dc=example,dc=com&quot; read
+</PRE>
+<P>The following is an example used for <A HREF="#delta-syncrepl replication">delta-syncrepl replication</A>:</P>
+<PRE>
+        database hdb
+        suffix cn=accesslog
+        directory /usr/local/var/openldap-accesslog
+        rootdn cn=accesslog
+        index default eq
+        index entryCSN,objectClass,reqEnd,reqResult,reqStart
+</PRE>
+<P>Accesslog overlay definitions for the primary db</P>
+<PRE>
+        database bdb
+        suffix dc=example,dc=com
+        ...
+        overlay accesslog
+        logdb cn=accesslog
+        logops writes
+        logsuccess TRUE
+        # scan the accesslog DB every day, and purge entries older than 7 days
+        logpurge 07+00:00 01+00:00
+</PRE>
+<P>An example search result against <B>cn=accesslog</B> might look like:</P>
+<PRE>
+        [ghenry at suretec ghenry]# ldapsearch -x -b cn=accesslog
+        # extended LDIF
+        #
+        # LDAPv3
+        # base &lt;cn=accesslog&gt; with scope subtree
+        # filter: (objectclass=*)
+        # requesting: ALL
+        #
+
+        # accesslog
+        dn: cn=accesslog
+        objectClass: auditContainer
+        cn: accesslog
+
+        # 20080110163829.000004Z, accesslog
+        dn: reqStart=20080110163829.000004Z,cn=accesslog
+        objectClass: auditModify
+        reqStart: 20080110163829.000004Z
+        reqEnd: 20080110163829.000005Z
+        reqType: modify
+        reqSession: 196696
+        reqAuthzID: cn=admin,dc=suretecsystems,dc=com
+        reqDN: uid=suretec-46022f8$,ou=Users,dc=suretecsystems,dc=com
+        reqResult: 0
+        reqMod: sambaPwdCanChange:- ###CENSORED###
+        reqMod: sambaPwdCanChange:+ ###CENSORED###
+        reqMod: sambaNTPassword:- ###CENSORED###
+        reqMod: sambaNTPassword:+ ###CENSORED###
+        reqMod: sambaPwdLastSet:- ###CENSORED###
+        reqMod: sambaPwdLastSet:+ ###CENSORED###
+        reqMod: entryCSN:= 20080110163829.095157Z#000000#000#000000
+        reqMod: modifiersName:= cn=admin,dc=suretecsystems,dc=com
+        reqMod: modifyTimestamp:= 20080110163829Z
+
+        # search result
+        search: 2
+        result: 0 Success
+
+        # numResponses: 3
+        # numEntries: 2
+</PRE>
+<P>For more information, please see <EM>slapo-accesslog(5)</EM> and the <A HREF="#delta-syncrepl replication">delta-syncrepl replication</A> section.</P>
+<H2><A NAME="Audit Logging">11.2. Audit Logging</A></H2>
+<P>The Audit Logging overlay can be used to record all changes on a given backend database to a specified log file.</P>
+<H3><A NAME="Overview">11.2.1. Overview</A></H3>
+<P>If the need arises whereby changes need to be logged as standard LDIF, then the auditlog overlay <B>slapo-auditlog (5)</B> can be used. Full examples are available in the man page <B>slapo-auditlog (5)</B></P>
+<H3><A NAME="Audit Logging Configuration">11.2.2. Audit Logging Configuration</A></H3>
+<P>If the directory is running vi <TT>slapd.d</TT>, then the following LDIF could be used to add the overlay to the overlay list in <B>cn=config</B> and set what file the <TERM>LDIF</TERM> gets logged to (adjust to suit)</P>
+<PRE>
+       dn: olcOverlay=auditlog,olcDatabase={1}hdb,cn=config
+       changetype: add
+       objectClass: olcOverlayConfig
+       objectClass: olcAuditLogConfig
+       olcOverlay: auditlog
+       olcAuditlogFile: /tmp/auditlog.ldif
+</PRE>
+<P>In this example for testing, we are logging changes to <TT>/tmp/auditlog.ldif</TT></P>
+<P>A typical <TERM>LDIF</TERM> file created by <B>slapo-auditlog (5)</B> would look like:</P>
+<PRE>
+       # add 1196797576 dc=suretecsystems,dc=com cn=admin,dc=suretecsystems,dc=com
+       dn: dc=suretecsystems,dc=com
+       changetype: add
+       objectClass: dcObject
+       objectClass: organization
+       dc: suretecsystems
+       o: Suretec Systems Ltd.
+       structuralObjectClass: organization
+       entryUUID: 1606f8f8-f06e-1029-8289-f0cc9d81e81a
+       creatorsName: cn=admin,dc=suretecsystems,dc=com
+       modifiersName: cn=admin,dc=suretecsystems,dc=com
+       createTimestamp: 20051123130912Z
+       modifyTimestamp: 20051123130912Z
+       entryCSN: 20051123130912.000000Z#000001#000#000000
+       auditContext: cn=accesslog
+       # end add 1196797576
+
+       # add 1196797577 dc=suretecsystems,dc=com cn=admin,dc=suretecsystems,dc=com
+       dn: ou=Groups,dc=suretecsystems,dc=com
+       changetype: add
+       objectClass: top
+       objectClass: organizationalUnit
+       ou: Groups
+       structuralObjectClass: organizationalUnit
+       entryUUID: 160aaa2a-f06e-1029-828a-f0cc9d81e81a
+       creatorsName: cn=admin,dc=suretecsystems,dc=com
+       modifiersName: cn=admin,dc=suretecsystems,dc=com
+       createTimestamp: 20051123130912Z
+       modifyTimestamp: 20051123130912Z
+       entryCSN: 20051123130912.000000Z#000002#000#000000
+       # end add 1196797577
+</PRE>
+<H2><A NAME="Chaining">11.3. Chaining</A></H2>
+<H3><A NAME="Overview">11.3.1. Overview</A></H3>
 <P>The chain overlay provides basic chaining capability to the underlying database.</P>
 <P>What is chaining? It indicates the capability of a DSA to follow referrals on behalf of the client, so that distributed systems are viewed as a single virtual DSA by clients that are otherwise unable to &quot;chase&quot; (i.e. follow) referrals by themselves.</P>
-<P>The chain overlay is built on top of the ldap backend; it is compiled by default when --enable-ldap.</P>
-<H3><A NAME="Chaining Configuration">10.3.2. Chaining Configuration</A></H3>
+<P>The chain overlay is built on top of the ldap backend; it is compiled by default when <B>--enable-ldap</B>.</P>
+<H3><A NAME="Chaining Configuration">11.3.2. Chaining Configuration</A></H3>
 <P>In order to demonstrate how this overlay works, we shall discuss a typical scenario which might be one master server and three Syncrepl slaves.</P>
-<P>On each replica, add this near the top of the file (global), before any database definitions:</P>
+<P>On each replica, add this near the top of the <EM>slapd.conf</EM>(5) file (global), before any database definitions:</P>
 <PRE>
         overlay                    chain
         chain-uri                  &quot;ldap://ldapmaster.example.com&quot;
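Review bot: the delta-syncrepl accesslog database (the "database hdb" / "suffix cn=accesslog" block) has no access directive, unlike the first example, which limits the cn=log database to "by dn.base=cn=admin,dc=example,dc=com read"; with slapd's default of readable entries that leaves the log world-readable, and the sample session right below shows the effect: "ldapsearch -x -b cn=accesslog" is an anonymous simple bind, and it returns an auditModify record whose reqMod values had to be replaced with ###CENSORED### because they carry sambaNTPassword and related attributes. Add an access directive to the cn=accesslog block (admin read, everyone else none) and a sentence stating that accesslog stores the full modification values, so the log database needs ACLs at least as strict as the database it records. Smaller items in the same hunk: "running vi slapd.d" should read "via"; "slapo-auditlog (5)" is written with a space three times while "slapo-accesslog(5)" is not; and "olcAuditlogFile: /tmp/auditlog.ldif" writes complete entries into a world-writable directory, which is acceptable for the stated test but should be marked as test-only where the path appears rather than a paragraph later.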
@@ -3795,7 +4369,7 @@
         updateref                  &quot;ldap://ldapmaster.example.com/&quot;
 </PRE>
 <P>The <B>chain-tls</B> statement enables TLS from the slave to the ldap master. The DITs are exactly the same between these machines, therefore whatever user bound to the slave will also exist on the master. If that DN does not have update privileges on the master, nothing will happen.</P>
-<P>You will need to restart the slave after these changes. Then, if you are using <EM>loglevel 256</EM>, you can monitor an <EM>ldapmodify</EM> on the slave and the master.</P>
+<P>You will need to restart the slave after these <EM>slapd.conf</EM> changes. Then, if you are using <EM>loglevel stats</EM> (256), you can monitor an <EM>ldapmodify</EM> on the slave and the master. (If you're using <EM>cn=config</EM> no restart is required.)</P>
 <P>Now start an <EM>ldapmodify</EM> on the slave and watch the logs. You should expect something like:</P>
 <PRE>
         Sep  6 09:27:25 slave1 slapd[29274]: conn=11 fd=31 ACCEPT from IP=143.199.102.216:45181 (IP=143.199.102.216:389)
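Review bot: the added parenthetical "(If you're using cn=config no restart is required.)" is attached to instructions that exist only in slapd.conf form: the chain directives in this section (overlay chain, chain-uri, chain-tls, updateref) are given as slapd.conf lines and no olcOverlay=chain LDIF is shown, so a cn=config reader has nothing to apply without a restart. Either add the cn=config equivalent of the block or drop the parenthetical. Replacing "loglevel 256" with "loglevel stats (256)" is an improvement, since the named level is self-explanatory.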
@@ -3825,28 +4399,103 @@
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>You can clearly see the PROXYAUTHZ line on the master, indicating the proper identity assertion for the update on the master. Also note the slave immediately receiving the Syncrepl update from the master.
 <HR WIDTH="80%" ALIGN="Left"></P>
-<H3><A NAME="Handling Chaining Errors">10.3.3. Handling Chaining Errors</A></H3>
+<H3><A NAME="Handling Chaining Errors">11.3.3. Handling Chaining Errors</A></H3>
 <P>By default, if chaining fails, the original referral is returned to the client under the assumption that the client might want to try and follow the referral.</P>
 <P>With the following directive however, if the chaining fails at the provider side, the actual error is returned to the client.</P>
 <PRE>
         chain-return-error TRUE
 </PRE>
-<H2><A NAME="Constraints">10.4. Constraints</A></H2>
-<H3><A NAME="Overview">10.4.1. Overview</A></H3>
-<P>This overlay enforces a regular expression constraint on all values of specified attributes. It is used to enforce a more rigorous syntax when the underlying attribute syntax is too general.</P>
-<H3><A NAME="Constraint Configuration">10.4.2. Constraint Configuration</A></H3>
-<H2><A NAME="Dynamic Directory Services">10.5. Dynamic Directory Services</A></H2>
-<H3><A NAME="Overview">10.5.1. Overview</A></H3>
-<P>This overlay supports dynamic objects, which have a limited life after which they expire and are automatically deleted.</P>
-<H3><A NAME="Dynamic Directory Service Configuration">10.5.2. Dynamic Directory Service Configuration</A></H3>
-<H2><A NAME="Dynamic Groups">10.6. Dynamic Groups</A></H2>
-<H3><A NAME="Overview">10.6.1. Overview</A></H3>
+<H2><A NAME="Constraints">11.4. Constraints</A></H2>
+<H3><A NAME="Overview">11.4.1. Overview</A></H3>
+<P>This overlay enforces a regular expression constraint on all values of specified attributes during an LDAP modify request that contains add or modify commands. It is used to enforce a more rigorous syntax when the underlying attribute syntax is too general.</P>
+<H3><A NAME="Constraint Configuration">11.4.2. Constraint Configuration</A></H3>
+<P>Configuration via <EM>slapd.conf</EM>(5) would look like:</P>
+<PRE>
+        overlay constraint
+        constraint_attribute mail regex ^[:alnum:]+ at mydomain.com$
+        constraint_attribute title uri
+        ldap:///dc=catalog,dc=example,dc=com?title?sub?(objectClass=titleCatalog)
+</PRE>
+<P>A specification like the above would reject any <EM>mail</EM> attribute which did not look like <EM>&lt;alpha-numeric string&gt;@mydomain.com</EM>.</P>
+<P>It would also reject any title attribute whose values were not listed in the title attribute of any <EM>titleCatalog</EM> entries in the given scope.</P>
+<P>An example for use with <EM>cn=config</EM>:</P>
+<PRE>
+       dn: olcOverlay=constraint,olcDatabase={1}hdb,cn=config
+       changetype: add
+       objectClass: olcOverlayConfig
+       objectClass: olcConstraintConfig
+       olcOverlay: constraint
+       olcConstraintAttribute: mail regex ^[:alnum:]+ at mydomain.com$
+       olcConstraintAttribute: title uri ldap:///dc=catalog,dc=example,dc=com?title?sub?(objectClass=titleCatalog)
+</PRE>
+<H2><A NAME="Dynamic Directory Services">11.5. Dynamic Directory Services</A></H2>
+<H3><A NAME="Overview">11.5.1. Overview</A></H3>
+<P>The <EM>dds</EM> overlay to <EM>slapd</EM>(8) implements dynamic objects as per <A HREF="http://www.rfc-editor.org/rfc/rfc2589.txt">RFC2589</A>. The name <EM>dds</EM> stands for Dynamic Directory Services. It allows to define dynamic objects, characterized by the <EM>dynamicObject</EM> objectClass.</P>
+<P>Dynamic objects have a limited lifetime, determined by a time-to-live (TTL) that can be refreshed by means of a specific refresh extended operation. This operation allows to set the Client Refresh Period (CRP), namely the period between refreshes that is required to preserve the dynamic object from expiration. The expiration time is computed by adding the requested TTL to the current time. When dynamic objects reach the end of their lifetime without being further refreshed, they are automatically <EM>deleted</EM>. There is no guarantee of immediate deletion, so clients should not count on it.</P>
+<H3><A NAME="Dynamic Directory Service Configuration">11.5.2. Dynamic Directory Service Configuration</A></H3>
+<P>A usage of dynamic objects might be to implement dynamic meetings; in this case, all the participants to the meeting are allowed to refresh the meeting object, but only the creator can delete it (otherwise it will be deleted when the TTL expires).</P>
+<P>If we add the overlay to an example database, specifying a Max TTL of 1 day, a min of 10 seconds, with a default TTL of 1 hour. We'll also specify an interval of 120 (less than 60s might be too small) seconds between expiration checks and a tolerance of 5 second (lifetime of a dynamic object will be <EM>entryTtl + tolerance</EM>).</P>
+<PRE>
+       overlay dds
+       dds-max-ttl     1d
+       dds-min-ttl     10s
+       dds-default-ttl 1h
+       dds-interval    120s
+       dds-tolerance   5s
+</PRE>
+<P>and add an index:</P>
+<PRE>
+       entryExpireTimestamp
+</PRE>
+<P>Creating a meeting is as simple as adding the following:</P>
+<PRE>
+       dn: cn=OpenLDAP Documentation Meeting,ou=Meetings,dc=example,dc=com
+       objectClass: groupOfNames
+       objectClass: dynamicObject
+       cn: OpenLDAP Documentation Meeting
+       member: uid=ghenry,ou=People,dc=example,dc=com
+       member: uid=hyc,ou=People,dc=example,dc=com
+</PRE>
+<H4><A NAME="Dynamic Directory Service ACLs">11.5.2.1. Dynamic Directory Service ACLs</A></H4>
+<P>Allow users to start a meeting and to join it; restrict refresh to the <EM>member</EM>; restrict delete to the creator:</P>
+<PRE>
+       access to attrs=userPassword
+          by self write
+          by * read
+
+       access to dn.base=&quot;ou=Meetings,dc=example,dc=com&quot;
+                 attrs=children
+            by users write
+
+       access to dn.onelevel=&quot;ou=Meetings,dc=example,dc=com&quot;
+                 attrs=entry
+            by dnattr=creatorsName write
+            by * read
+
+       access to dn.onelevel=&quot;ou=Meetings,dc=example,dc=com&quot;
+                 attrs=participant
+            by dnattr=creatorsName write
+            by users selfwrite
+            by * read
+
+       access to dn.onelevel=&quot;ou=Meetings,dc=example,dc=com&quot;
+                 attrs=entryTtl
+            by dnattr=member manage
+            by * read
+</PRE>
+<P>In simple terms, the user who created the <EM>OpenLDAP Documentation Meeting</EM> can add new attendees, refresh the meeting using (basically complete control):</P>
+<PRE>
+       ldapexop -x -H ldap://ldaphost &quot;refresh&quot; &quot;cn=OpenLDAP Documentation Meeting,ou=Meetings,dc=example,dc=com&quot; &quot;120&quot; -D &quot;uid=ghenry,ou=People,dc=example,dc=com&quot; -W
+</PRE>
+<P>Any user can join the meeting, but not add another attendee, but they can refresh the meeting. The ACLs above are quite straight forward to understand.</P>
+<H2><A NAME="Dynamic Groups">11.6. Dynamic Groups</A></H2>
+<H3><A NAME="Overview">11.6.1. Overview</A></H3>
 <P>This overlay extends the Compare operation to detect members of a dynamic group. This overlay is now deprecated as all of its functions are available using the <A HREF="#Dynamic Lists">Dynamic Lists</A> overlay.</P>
-<H3><A NAME="Dynamic Group Configuration">10.6.2. Dynamic Group Configuration</A></H3>
-<H2><A NAME="Dynamic Lists">10.7. Dynamic Lists</A></H2>
-<H3><A NAME="Overview">10.7.1. Overview</A></H3>
+<H3><A NAME="Dynamic Group Configuration">11.6.2. Dynamic Group Configuration</A></H3>
+<H2><A NAME="Dynamic Lists">11.7. Dynamic Lists</A></H2>
+<H3><A NAME="Overview">11.7.1. Overview</A></H3>
 <P>This overlay allows expansion of dynamic groups and lists. Instead of having the group members or list attributes hard coded, this overlay allows us to define an LDAP search whose results will make up the group or list.</P>
-<H3><A NAME="Dynamic List Configuration">10.7.2. Dynamic List Configuration</A></H3>
+<H3><A NAME="Dynamic List Configuration">11.7.2. Dynamic List Configuration</A></H3>
 <P>This module can behave both as a dynamic list and dynamic group, depending on the configuration. The syntax is as follows:</P>
 <PRE>
        overlay dynlist
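Review bot: The first rule in the Dynamic Directory Service ACLs block, `access to attrs=userPassword ... by * read`, lets anonymous and any authenticated user read password values; the usual shape is `by self write`, `by anonymous auth`, `by * none`, and since that rule has nothing to do with the meeting example it could simply be dropped rather than shipped as a model to copy. In the same block the prose says refresh is "restricted to the member" and the sample entry uses `member`, but the third rule grants `attrs=participant`; the attribute names should agree. The snippet after "and add an index:" is a bare `entryExpireTimestamp`; a slapd.conf index directive needs the keyword and index type, for example `index entryExpireTimestamp eq`. Wording in the added paragraphs: "If we add the overlay to an example database, specifying ... a default TTL of 1 hour." is a fragment, "a tolerance of 5 second" should be "seconds", "refresh the meeting using (basically complete control):" reads as if a word is missing before the parenthesis, and "Any user can join the meeting, but not add another attendee, but they can refresh" has a doubled "but".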
@@ -3856,7 +4505,7 @@
 <UL>
 <LI><TT>&lt;group-oc&gt;</TT>: specifies which object class triggers the subsequent LDAP search. Whenever an entry with this object class is retrieved, the search is performed.
 <LI><TT>&lt;URL-ad&gt;</TT>: is the name of the attribute which holds the search URI. It has to be a subtype of <TT>labeledURI</TT>. The attributes and values present in the search result are added to the entry unless <TT>member-ad</TT> is used (see below).
-<LI><TT>member-ad</TT>: if present, changes the overlay behaviour into a dynamic group. Instead of inserting the results of the search in the entry, the distinguished name of the results are added as values of this attribute.</UL>
+<LI><TT>member-ad</TT>: if present, changes the overlay behavior into a dynamic group. Instead of inserting the results of the search in the entry, the distinguished name of the results are added as values of this attribute.</UL>
 <P>Here is an example which will allow us to have an email alias which automatically expands to all user's emails according to our LDAP filter:</P>
 <P>In <EM>slapd.conf</EM>(5):</P>
 <PRE>
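Review bot: While the `member-ad` line is being touched for the behaviour/behavior spelling change, "the distinguished name of the results are added" should become "the distinguished names of the results are added" so subject and verb agree.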
@@ -3888,17 +4537,17 @@
        objectClass: groupOfNames
        labeledURI: ldap:///ou=people,dc=example,dc=com??one?(objectClass=inetOrgPerson)
 </PRE>
-<P>The behaviour is similar to the dynamic list configuration we had before: whenever an entry with the <TT>groupOfNames</TT> object class is retrieved, the search specified in the <TT>labeledURI</TT> attribute is performed. But this time, only the distinguished names of the results are added, and as values of the <TT>member</TT> attribute.</P>
+<P>The behavior is similar to the dynamic list configuration we had before: whenever an entry with the <TT>groupOfNames</TT> object class is retrieved, the search specified in the <TT>labeledURI</TT> attribute is performed. But this time, only the distinguished names of the results are added, and as values of the <TT>member</TT> attribute.</P>
 <P>This is what we get:</P>
 <P><CENTER><IMG SRC="allusersgroup-en.png" ALIGN="center"></CENTER></P>
 <P ALIGN="Center">Figure X.Y: Dynamic Group for all users</P>
-<P>Note that a side effect of this scheme of dymamic groups is that the members need to be specified as full DNs. So, if you are planning in using this for <TT>posixGroup</TT>s, be sure to use RFC2307bis and some attribute which can hold distinguished names. The <TT>memberUid</TT> attribute used in the <TT>posixGroup</TT> object class can hold only names, not DNs, and is therefore not suitable for dynamic groups.</P>
-<H2><A NAME="Reverse Group Membership Maintenance">10.8. Reverse Group Membership Maintenance</A></H2>
-<H3><A NAME="Overview">10.8.1. Overview</A></H3>
+<P>Note that a side effect of this scheme of dynamic groups is that the members need to be specified as full DNs. So, if you are planning in using this for <TT>posixGroup</TT>s, be sure to use RFC2307bis and some attribute which can hold distinguished names. The <TT>memberUid</TT> attribute used in the <TT>posixGroup</TT> object class can hold only names, not DNs, and is therefore not suitable for dynamic groups.</P>
+<H2><A NAME="Reverse Group Membership Maintenance">11.8. Reverse Group Membership Maintenance</A></H2>
+<H3><A NAME="Overview">11.8.1. Overview</A></H3>
 <P>In some scenarios, it may be desirable for a client to be able to determine which groups an entry is a member of, without performing an additional search. Examples of this are applications using the <TERM>DIT</TERM> for access control based on group authorization.</P>
 <P>The <B>memberof</B> overlay updates an attribute (by default <B>memberOf</B>) whenever changes occur to the membership attribute (by default <B>member</B>) of entries of the objectclass (by default <B>groupOfNames</B>) configured to trigger updates.</P>
 <P>Thus, it provides maintenance of the list of groups an entry is a member of, when usual maintenance of groups is done by modifying the members on the group entry.</P>
-<H3><A NAME="Member Of Configuration">10.8.2. Member Of Configuration</A></H3>
+<H3><A NAME="Member Of Configuration">11.8.2. Member Of Configuration</A></H3>
 <P>The typical use of this overlay requires just enabling the overlay for a specific database. For example, with the following minimal slapd.conf:</P>
 <PRE>
         include /usr/share/openldap/schema/core.schema
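Review bot: In the rewritten note on posixGroups, "if you are planning in using this" should read "planning on using this". The caption "Figure X.Y: Dynamic Group for all users" in the context above still carries a placeholder number; since this change renumbers every heading in the chapter, it is the right moment to give the figure a real number as well.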
@@ -3954,33 +4603,33 @@
  memberOf: cn=testgroup,ou=Group,dc=example,dc=com
 </PRE>
 <P>Note that the <B>memberOf</B> attribute is an operational attribute, so it must be requested explicitly.</P>
-<H2><A NAME="The Proxy Cache Engine">10.9. The Proxy Cache Engine</A></H2>
+<H2><A NAME="The Proxy Cache Engine">11.9. The Proxy Cache Engine</A></H2>
 <P><TERM>LDAP</TERM> servers typically hold one or more subtrees of a <TERM>DIT</TERM>. Replica (or shadow) servers hold shadow copies of entries held by one or more master servers.  Changes are propagated from the master server to replica (slave) servers using LDAP Sync replication.  An LDAP cache is a special type of replica which holds entries corresponding to search filters instead of subtrees.</P>
-<H3><A NAME="Overview">10.9.1. Overview</A></H3>
+<H3><A NAME="Overview">11.9.1. Overview</A></H3>
 <P>The proxy cache extension of slapd is designed to improve the responsiveness of the ldap and meta backends. It handles a search request (query) by first determining whether it is contained in any cached search filter. Contained requests are answered from the proxy cache's local database. Other requests are passed on to the underlying ldap or meta backend and processed as usual.</P>
 <P>E.g. <TT>(shoesize&gt;=9)</TT> is contained in <TT>(shoesize&gt;=8)</TT> and <TT>(sn=Richardson)</TT> is contained in <TT>(sn=Richards*)</TT></P>
 <P>Correct matching rules and syntaxes are used while comparing assertions for query containment. To simplify the query containment problem, a list of cacheable &quot;templates&quot; (defined below) is specified at configuration time. A query is cached or answered only if it belongs to one of these templates. The entries corresponding to cached queries are stored in the proxy cache local database while its associated meta information (filter, scope, base, attributes) is stored in main memory.</P>
 <P>A template is a prototype for generating LDAP search requests. Templates are described by a prototype search filter and a list of attributes which are required in queries generated from the template. The representation for prototype filter is similar to <A HREF="http://www.rfc-editor.org/rfc/rfc4515.txt">RFC4515</A>, except that the assertion values are missing. Examples of prototype filters are: (sn=),(&amp;(sn=)(givenname=)) which are instantiated by search filters (sn=Doe) and (&amp;(sn=Doe)(givenname=John)) respectively.</P>
 <P>The cache replacement policy removes the least recently used (LRU) query and entries belonging to only that query. Queries are allowed a maximum time to live (TTL) in the cache thus providing weak consistency. A background task periodically checks the cache for expired queries and removes them.</P>
 <P>The Proxy Cache paper (<A HREF="http://www.openldap.org/pub/kapurva/proxycaching.pdf">http://www.openldap.org/pub/kapurva/proxycaching.pdf</A>) provides design and implementation details.</P>
-<H3><A NAME="Proxy Cache Configuration">10.9.2. Proxy Cache Configuration</A></H3>
+<H3><A NAME="Proxy Cache Configuration">11.9.2. Proxy Cache Configuration</A></H3>
 <P>The cache configuration specific directives described below must appear after a <TT>overlay proxycache</TT> directive within a <TT>&quot;database meta&quot;</TT> or <TT>database ldap</TT> section of the server's <EM>slapd.conf</EM>(5) file.</P>
-<H4><A NAME="Setting cache parameters">10.9.2.1. Setting cache parameters</A></H4>
+<H4><A NAME="Setting cache parameters">11.9.2.1. Setting cache parameters</A></H4>
 <PRE>
  proxyCache &lt;DB&gt; &lt;maxentries&gt; &lt;nattrsets&gt; &lt;entrylimit&gt; &lt;period&gt;
 </PRE>
 <P>This directive enables proxy caching and sets general cache parameters.  The &lt;DB&gt; parameter specifies which underlying database is to be used to hold cached entries.  It should be set to <TT>bdb</TT> or <TT>hdb</TT>.  The &lt;maxentries&gt; parameter specifies the total number of entries which may be held in the cache.  The &lt;nattrsets&gt; parameter specifies the total number of attribute sets (as specified by the <TT>proxyAttrSet</TT> directive) that may be defined.  The &lt;entrylimit&gt; parameter specifies the maximum number of entries in a cacheable query.  The &lt;period&gt; specifies the consistency check period (in seconds).  In each period, queries with expired TTLs are removed.</P>
-<H4><A NAME="Defining attribute sets">10.9.2.2. Defining attribute sets</A></H4>
+<H4><A NAME="Defining attribute sets">11.9.2.2. Defining attribute sets</A></H4>
 <PRE>
  proxyAttrset &lt;index&gt; &lt;attrs...&gt;
 </PRE>
 <P>Used to associate a set of attributes to an index. Each attribute set is associated with an index number from 0 to &lt;numattrsets&gt;-1. These indices are used by the proxyTemplate directive to define cacheable templates.</P>
-<H4><A NAME="Specifying cacheable templates">10.9.2.3. Specifying cacheable templates</A></H4>
+<H4><A NAME="Specifying cacheable templates">11.9.2.3. Specifying cacheable templates</A></H4>
 <PRE>
  proxyTemplate &lt;prototype_string&gt; &lt;attrset_index&gt; &lt;TTL&gt;
 </PRE>
 <P>Specifies a cacheable template and the &quot;time to live&quot; (in sec) &lt;TTL&gt; for queries belonging to the template. A template is described by its prototype filter string and set of required attributes identified by &lt;attrset_index&gt;.</P>
-<H4><A NAME="Example">10.9.2.4. Example</A></H4>
+<H4><A NAME="Example">11.9.2.4. Example</A></H4>
 <P>An example <EM>slapd.conf</EM>(5) database section for a caching server which proxies for the <TT>&quot;dc=example,dc=com&quot;</TT> subtree held at server <TT>ldap.example.com</TT>.</P>
 <PRE>
         database        ldap
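Review bot: The parameter named in the proxyAttrset description ("index number from 0 to <numattrsets>-1") does not match the name used in the proxyCache syntax line above it (`<nattrsets>`), and the directive is spelled `proxyAttrSet` in the proxyCache paragraph but `proxyAttrset` in its own syntax block. These lines are inside the hunk being renumbered, so aligning both names in the same change would be cheap.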
@@ -3999,9 +4648,9 @@
         index       objectClass eq
         index       cn,sn,uid,mail  pres,eq,sub
 </PRE>
-<H5><A NAME="Cacheable Queries">10.9.2.4.1. Cacheable Queries</A></H5>
+<H5><A NAME="Cacheable Queries">11.9.2.4.1. Cacheable Queries</A></H5>
 <P>A LDAP search query is cacheable when its filter matches one of the templates as defined in the &quot;proxyTemplate&quot; statements and when it references only the attributes specified in the corresponding attribute set. In the example above the attribute set number 0 defines that only the attributes: <TT>mail postaladdress telephonenumber</TT> are cached for the following proxyTemplates.</P>
-<H5><A NAME="Examples:">10.9.2.4.2. Examples:</A></H5>
+<H5><A NAME="Examples:">11.9.2.4.2. Examples:</A></H5>
 <PRE>
         Filter: (&amp;(sn=Richard*)(givenName=jack))
         Attrs: mail telephoneNumber
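Review bot: "A LDAP search query is cacheable" in the Cacheable Queries paragraph should be "An LDAP search query is cacheable".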
@@ -4017,16 +4666,89 @@
         Attrs: mail telephoneNumber
 </PRE>
 <P>is not cacheable, because the filter does not match the template ( logical OR &quot;|&quot; condition instead of logical AND &quot;&amp;&quot; )</P>
-<H2><A NAME="Password Policies">10.10. Password Policies</A></H2>
-<H3><A NAME="Overview">10.10.1. Overview</A></H3>
-<P>This overlay provides a variety of password control mechanisms, e.g. password aging, password reuse and duplication control, mandatory password resets, etc.</P>
-<H3><A NAME="Password Policy Configuration">10.10.2. Password Policy Configuration</A></H3>
-<H2><A NAME="Referential Integrity">10.11. Referential Integrity</A></H2>
-<H3><A NAME="Overview">10.11.1. Overview</A></H3>
+<H2><A NAME="Password Policies">11.10. Password Policies</A></H2>
+<H3><A NAME="Overview">11.10.1. Overview</A></H3>
+<P>This overlay follows the specifications contained in the draft RFC titled draft-behera-ldap-password-policy-09. While the draft itself is expired, it has been implemented in several directory servers, including slapd. Nonetheless, it is important to note that it is a draft, meaning that it is subject to change and is a work-in-progress.</P>
+<P>The key abilities of the password policy overlay are as follows:</P>
+<UL>
+<LI>Enforce a minimum length for new passwords
+<LI>Make sure passwords are not changed too frequently
+<LI>Cause passwords to expire, provide warnings before they need to be changed, and allow a fixed number of 'grace' logins to allow them to be changed after they have expired
+<LI>Maintain a history of passwords to prevent password re-use
+<LI>Prevent password guessing by locking a password for a specified period of time after repeated authentication failures
+<LI>Force a password to be changed at the next authentication
+<LI>Set an administrative lock on an account
+<LI>Support multiple password policies on a default or a per-object basis.
+<LI>Perform arbitrary quality checks using an external loadable module. This is a non-standard extension of the draft RFC.</UL>
+<H3><A NAME="Password Policy Configuration">11.10.2. Password Policy Configuration</A></H3>
+<P>Instantiate the module in the database where it will be used, after adding the new ppolicy schema and loading the ppolicy module. The following example shows the ppolicy module being added to the database that handles the naming context &quot;dc=example,dc=com&quot;. In this example we are also specifying the DN of a policy object to use if none other is specified in a user's object.</P>
+<PRE>
+       database bdb
+       suffix &quot;dc=example,dc=com&quot;
+       [...additional database configuration directives go here...]
+
+       overlay ppolicy
+       ppolicy_default &quot;cn=default,ou=policies,dc=example,dc=com&quot;
+</PRE>
+<P>Now we need a container for the policy objects. In our example the password policy objects are going to be placed in a section of the tree called &quot;ou=policies,dc=example,dc=com&quot;:</P>
+<PRE>
+       dn: ou=policies,dc=example,dc=com
+       objectClass: organizationalUnit
+       objectClass: top
+       ou: policies
+</PRE>
+<P>The default policy object that we are creating defines the following policies:</P>
+<UL>
+<LI>The user is allowed to change his own password. Note that the directory ACLs for this attribute can also affect this ability (pwdAllowUserChange: TRUE).
+<LI>The name of the password attribute is &quot;userPassword&quot; (pwdAttribute: userPassword). Note that this is the only value that is accepted by OpenLDAP for this attribute.
+<LI>The server will check the syntax of the password. If the server is unable to check the syntax (i.e., it was hashed or otherwise encoded by the client) it will return an error refusing the password (pwdCheckQuality: 2).
+<LI>When a client includes the Password Policy Request control with a bind request, the server will respond with a password expiration warning if it is going to expire in ten minutes or less (pwdExpireWarning: 600). The warnings themselves are returned in a Password Policy Response control.
+<LI>When the password for a DN has expired, the server will allow five additional &quot;grace&quot; logins (pwdGraceAuthNLimit: 5).
+<LI>The server will maintain a history of the last five passwords that were used for a DN (pwdInHistory: 5).
+<LI>The server will lock the account after the maximum number of failed bind attempts has been exceeded (pwdLockout: TRUE).
+<LI>When the server has locked an account, the server will keep it locked until an administrator unlocks it (pwdLockoutDuration: 0)
+<LI>The server will reset its failed bind count after a period of 30 seconds.
+<LI>Passwords will not expire (pwdMaxAge: 0).
+<LI>Passwords can be changed as often as desired (pwdMinAge: 0).
+<LI>Passwords must be at least 5 characters in length (pwdMinLength: 5).
+<LI>The password does not need to be changed at the first bind or when the administrator has reset the password (pwdMustChange: FALSE)
+<LI>The current password does not need to be included with password change requests (pwdSafeModify: FALSE)
+<LI>The server will only allow five failed binds in a row for a particular DN (pwdMaxFailure: 5).</UL>
+<P>The actual policy would be:</P>
+<PRE>
+       dn: cn=default,ou=policies,dc=example,dc=com
+       cn: default
+       objectClass: pwdPolicy
+       objectClass: person
+       objectClass: top
+       pwdAllowUserChange: TRUE
+       pwdAttribute: userPassword
+       pwdCheckQuality: 2
+       pwdExpireWarning: 600
+       pwdFailureCountInterval: 30
+       pwdGraceAuthNLimit: 5
+       pwdInHistory: 5
+       pwdLockout: TRUE
+       pwdLockoutDuration: 0
+       pwdMaxAge: 0
+       pwdMaxFailure: 5
+       pwdMinAge: 0
+       pwdMinLength: 5
+       pwdMustChange: FALSE
+       pwdSafeModify: FALSE
+       sn: dummy value
+</PRE>
+<P>You can create additional policy objects as needed.</P>
+<P>There are two ways password policy can be applied to individual objects:</P>
+<P>1. The pwdPolicySubentry in a user's object - If a user's object has a pwdPolicySubEntry attribute specifying the DN of a policy object, then the policy defined by that object is applied.</P>
+<P>2. Default password policy - If there is no specific pwdPolicySubentry set for an object, and the password policy module was configured with the DN of a default policy object and if that object exists, then the policy defined in that object is applied.</P>
+<P>Please see <EM>slapo-ppolicy(5)</EM> for complete explanations of features and discussion of &quot;Password Management Issues&quot; at <A HREF="http://www.connexitor.com/forums/viewtopic.php?f=6&amp;t=25">http://www.connexitor.com/forums/viewtopic.php?f=6&amp;t=25</A></P>
+<H2><A NAME="Referential Integrity">11.11. Referential Integrity</A></H2>
+<H3><A NAME="Overview">11.11.1. Overview</A></H3>
 <P>This overlay can be used with a backend database such as slapd-bdb(5) to maintain the cohesiveness of a schema which utilizes reference attributes.</P>
 <P>Whenever a <EM>modrdn</EM> or <EM>delete</EM> is performed, that is, when an entry's DN is renamed or an entry is removed, the server will search the directory for references to this DN (in selected attributes: see below) and update them accordingly. If it was a <EM>delete</EM> operation, the reference is deleted. If it was a <EM>modrdn</EM> operation, then the reference is updated with the new DN.</P>
 <P>For example, a very common administration task is to maintain group membership lists, specially when users are removed from the directory. When an user account is deleted or renamed, all groups this user is a member of have to be updated. LDAP administrators usually have scripts for that. But we can use the <TT>refint</TT> overlay to automate this task. In this example, if the user is removed from the directory, the overlay will take care to remove the user from all the groups he/she was a member of. No more scripting for this.</P>
-<H3><A NAME="Referential Integrity Configuration">10.11.2. Referential Integrity Configuration</A></H3>
+<H3><A NAME="Referential Integrity Configuration">11.11.2. Referential Integrity Configuration</A></H3>
 <P>The configuration for this overlay is as follows:</P>
 <PRE>
        overlay refint
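Review bot: The slapd.conf fragment in Password Policy Configuration omits the two prerequisites its own lead-in names ("after adding the new ppolicy schema and loading the ppolicy module"); add the `include` for the ppolicy schema file and the `moduleload` line so the example works as pasted. The worked policy is also internally inconsistent: with `pwdMaxAge: 0` passwords never expire, so `pwdExpireWarning: 600` and `pwdGraceAuthNLimit: 5` never take effect, and the bullets describing expiry warnings and grace logins should either say so or the example should use a non-zero pwdMaxAge. The bullet "The server will reset its failed bind count after a period of 30 seconds" lacks the attribute reference every other bullet carries (pwdFailureCountInterval: 30). `pwdLockout: TRUE` with `pwdMaxFailure: 5` and `pwdLockoutDuration: 0` means five failed binds lock the entry until an administrator unlocks it; a sentence beside that bullet noting that this leaves accounts open to lockout by anyone able to attempt binds against them, and that a finite pwdLockoutDuration is the usual compromise, would save readers from copying it blindly. Smaller points: draft-behera-ldap-password-policy-09 is an Internet-Draft, not a "draft RFC"; the two numbered paragraphs spell the attribute both `pwdPolicySubentry` and `pwdPolicySubEntry`; `objectClass: person` plus `sn: dummy value` is there only because pwdPolicy is an auxiliary class and the entry needs a structural one, which deserves a one-line explanation; and pointing the admin guide at a third-party forum thread invites link rot.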
@@ -4049,42 +4771,43 @@
 <P ALIGN="Center">Figure X.Y: Maintaining referential integrity in groups</P>
 <P>Notice that if we rename (<TT>modrdn</TT>) the <TT>john</TT> entry to, say, <TT>jsmith</TT>, the refint overlay will also rename the reference in the <TT>member</TT> attribute, so the group membership stays correct.</P>
 <P>If we removed all users from the directory who are a member of this group, then the end result would be a single member in the group: <TT>cn=admin,dc=example,dc=com</TT>. This is the <TT>refint_nothing</TT> parameter kicking into action so that the schema is not violated.</P>
-<H2><A NAME="Return Code">10.12. Return Code</A></H2>
-<H3><A NAME="Overview">10.12.1. Overview</A></H3>
+<H2><A NAME="Return Code">11.12. Return Code</A></H2>
+<H3><A NAME="Overview">11.12.1. Overview</A></H3>
 <P>This overlay is useful to test the behavior of clients when server-generated erroneous and/or unusual responses occur.</P>
-<H3><A NAME="Return Code Configuration">10.12.2. Return Code Configuration</A></H3>
-<H2><A NAME="Rewrite/Remap">10.13. Rewrite/Remap</A></H2>
-<H3><A NAME="Overview">10.13.1. Overview</A></H3>
+<H3><A NAME="Return Code Configuration">11.12.2. Return Code Configuration</A></H3>
+<H2><A NAME="Rewrite/Remap">11.13. Rewrite/Remap</A></H2>
+<H3><A NAME="Overview">11.13.1. Overview</A></H3>
 <P>It performs basic DN/data rewrite and objectClass/attributeType mapping.</P>
-<H3><A NAME="Rewrite/Remap Configuration">10.13.2. Rewrite/Remap Configuration</A></H3>
-<H2><A NAME="Sync Provider">10.14. Sync Provider</A></H2>
-<H3><A NAME="Overview">10.14.1. Overview</A></H3>
+<H3><A NAME="Rewrite/Remap Configuration">11.13.2. Rewrite/Remap Configuration</A></H3>
+<H2><A NAME="Sync Provider">11.14. Sync Provider</A></H2>
+<H3><A NAME="Overview">11.14.1. Overview</A></H3>
 <P>This overlay implements the provider-side support for syncrepl replication, including persistent search functionality</P>
-<H3><A NAME="Sync Provider Configuration">10.14.2. Sync Provider Configuration</A></H3>
-<H2><A NAME="Translucent Proxy">10.15. Translucent Proxy</A></H2>
-<H3><A NAME="Overview">10.15.1. Overview</A></H3>
+<H3><A NAME="Sync Provider Configuration">11.14.2. Sync Provider Configuration</A></H3>
+<H2><A NAME="Translucent Proxy">11.15. Translucent Proxy</A></H2>
+<H3><A NAME="Overview">11.15.1. Overview</A></H3>
 <P>This overlay can be used with a backend database such as slapd-bdb (5) to create a &quot;translucent proxy&quot;.</P>
 <P>Content of entries retrieved from a remote LDAP server can be partially overridden by the database.</P>
-<H3><A NAME="Translucent Proxy Configuration">10.15.2. Translucent Proxy Configuration</A></H3>
-<H2><A NAME="Attribute Uniqueness">10.16. Attribute Uniqueness</A></H2>
-<H3><A NAME="Overview">10.16.1. Overview</A></H3>
+<H3><A NAME="Translucent Proxy Configuration">11.15.2. Translucent Proxy Configuration</A></H3>
+<H2><A NAME="Attribute Uniqueness">11.16. Attribute Uniqueness</A></H2>
+<H3><A NAME="Overview">11.16.1. Overview</A></H3>
 <P>This overlay can be used with a backend database such as slapd-bdb (5) to enforce the uniqueness of some or all attributes within a subtree.</P>
-<H3><A NAME="Attribute Uniqueness Configuration">10.16.2. Attribute Uniqueness Configuration</A></H3>
-<H2><A NAME="Value Sorting">10.17. Value Sorting</A></H2>
-<H3><A NAME="Overview">10.17.1. Overview</A></H3>
+<H3><A NAME="Attribute Uniqueness Configuration">11.16.2. Attribute Uniqueness Configuration</A></H3>
+<H2><A NAME="Value Sorting">11.17. Value Sorting</A></H2>
+<H3><A NAME="Overview">11.17.1. Overview</A></H3>
 <P>This overlay can be used to enforce a specific order for the values of an attribute when it is returned in a search.</P>
-<H3><A NAME="Value Sorting Configuration">10.17.2. Value Sorting Configuration</A></H3>
-<H2><A NAME="Overlay Stacking">10.18. Overlay Stacking</A></H2>
-<H3><A NAME="Overview">10.18.1. Overview</A></H3>
-<H3><A NAME="Example Scenarios">10.18.2. Example Scenarios</A></H3>
-<H4><A NAME="Samba">10.18.2.1. Samba</A></H4>
+<H3><A NAME="Value Sorting Configuration">11.17.2. Value Sorting Configuration</A></H3>
+<H2><A NAME="Overlay Stacking">11.18. Overlay Stacking</A></H2>
+<H3><A NAME="Overview">11.18.1. Overview</A></H3>
+<P>Overlays can be stacked, which means that more than one overlay can be instantiated for each database, or for the <TT>frontend</TT>. As a consequence, each overlays function is called, if defined, when overlay execution is invoked. Multiple overlays are executed in reverse order (as a stack) with respect to their definition in slapd.conf (5), or with respect to their ordering in the config database, as documented in slapd-config (5).</P>
+<H3><A NAME="Example Scenarios">11.18.2. Example Scenarios</A></H3>
+<H4><A NAME="Samba">11.18.2.1. Samba</A></H4>
 <P></P>
 <HR>
-<H1><A NAME="Schema Specification">11. Schema Specification</A></H1>
+<H1><A NAME="Schema Specification">12. Schema Specification</A></H1>
 <P>This chapter describes how to extend the user schema used by <EM>slapd</EM>(8).  The chapter assumes the reader is familiar with the <TERM>LDAP</TERM>/<TERM>X.500</TERM> information model.</P>
 <P>The first section, <A HREF="#Distributed Schema Files">Distributed Schema Files</A> details optional schema definitions provided in the distribution and where to obtain other definitions. The second section, <A HREF="#Extending Schema">Extending Schema</A>, details how to define new schema items.</P>
 <P>This chapter does not discuss how to extend system schema used by <EM>slapd</EM>(8) as this requires source code modification.  System schema includes all operational attribute types or any object class which allows or requires an operational attribute (directly or indirectly).</P>
-<H2><A NAME="Distributed Schema Files">11.1. Distributed Schema Files</A></H2>
+<H2><A NAME="Distributed Schema Files">12.1. Distributed Schema Files</A></H2>
 <P>OpenLDAP Software is distributed with a set of schema specifications for your use.  Each set is defined in a file suitable for inclusion (using the <TT>include</TT> directive) in your <EM>slapd.conf</EM>(5) file.  These schema files are normally installed in the <TT>/usr/local/etc/openldap/schema</TT> directory.</P>
 <TABLE CLASS="columns" BORDER ALIGN='Center'>
 <CAPTION ALIGN=top>Table 8.1: Provided Schema Specifications</CAPTION>
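Review bot: In the new Overlay Stacking paragraph, "each overlays function is called" should be "each overlay's function is called", and "slapd.conf (5)" / "slapd-config (5)" should lose the space to match the "slapd.conf(5)" form used elsewhere in the guide. The Samba subsection under Example Scenarios is still an empty `<P></P>`; either fill it or leave the heading out of this revision. The caption "Table 8.1: Provided Schema Specifications" (and "Table 8.2" further down) keeps the old chapter number while the surrounding headings move to 12; if the captions are generated from the source they need regenerating, otherwise they should be renumbered in the same change.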
@@ -4157,7 +4880,7 @@
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>You should not modify any of the schema items defined in provided files.
 <HR WIDTH="80%" ALIGN="Left"></P>
-<H2><A NAME="Extending Schema">11.2. Extending Schema</A></H2>
+<H2><A NAME="Extending Schema">12.2. Extending Schema</A></H2>
 <P>Schema used by <EM>slapd</EM>(8) may be extended to support additional syntaxes, matching rules, attribute types, and object classes.  This chapter details how to add user application attribute types and object classes using the syntaxes and matching rules already supported by slapd.  slapd can also be extended to support additional syntaxes, matching rules and system schema, but this requires some programming and hence is not discussed here.</P>
 <P>There are five steps to defining new schema:</P>
 <OL>
@@ -4166,7 +4889,7 @@
 <LI>create local schema file
 <LI>define custom attribute types (if necessary)
 <LI>define custom object classes</OL>
-<H3><A NAME="Object Identifiers">11.2.1. Object Identifiers</A></H3>
+<H3><A NAME="Object Identifiers">12.2.1. Object Identifiers</A></H3>
 <P>Each schema element is identified by a globally unique <TERM>Object Identifier</TERM> (OID).  OIDs are also used to identify other objects.  They are commonly found in protocols described by <TERM>ASN.1</TERM>.  In particular, they are heavily used by the <TERM>Simple Network Management Protocol</TERM> (SNMP). As OIDs are hierarchical, your organization can obtain one OID and branch it as needed.  For example, if your organization were assigned OID <TT>1.1</TT>, you could branch the tree as follows:</P>
 <TABLE CLASS="columns" BORDER ALIGN='Center'>
 <CAPTION ALIGN=top>Table 8.2: Example OID hierarchy</CAPTION>
@@ -4245,12 +4968,12 @@
 <STRONG>Note: </STRONG>PENs obtained using this form may be used for any purpose including identifying LDAP schema elements.
 <HR WIDTH="80%" ALIGN="Left"></P>
 <P>Alternatively, OID name space may be available from a national authority (e.g., <A HREF="http://www.ansi.org/">ANSI</A>, <A HREF="http://www.bsi-global.com/">BSI</A>).</P>
-<H3><A NAME="Naming Elements">11.2.2. Naming Elements</A></H3>
+<H3><A NAME="Naming Elements">12.2.2. Naming Elements</A></H3>
 <P>In addition to assigning a unique object identifier to each schema element, you should provide a least one textual name for each element.  Names should be registered with the <A HREF="http://www.iana.org/">IANA</A> or prefixed with &quot;x-&quot; to place in the &quot;private use&quot; name space.</P>
 <P>The name should be both descriptive and not likely to clash with names of other schema elements.  In particular, any name you choose should not clash with present or future Standard Track names (this is assured if you registered names or use names beginning with &quot;x-&quot;).</P>
 <P>It is noted that you can obtain your own registered name prefix so as to avoid having to register your names individually. See <A HREF="http://www.rfc-editor.org/rfc/rfc4520.txt">RFC4520</A> for details.</P>
 <P>In the examples below, we have used a short prefix '<TT>x-my-</TT>'. Such a short prefix would only be suitable for a very large, global organization.  In general, we recommend something like '<TT>x-de-Firm-</TT>' (German company) or '<TT>x-com-Example</TT>' (elements associated with organization associated with <TT>example.com</TT>).</P>
-<H3><A NAME="Local schema file">11.2.3. Local schema file</A></H3>
+<H3><A NAME="Local schema file">12.2.3. Local schema file</A></H3>
 <P>The <TT>objectclass</TT> and <TT>attributeTypes</TT> configuration file directives can be used to define schema rules on entries in the directory.  It is customary to create a file to contain definitions of your custom schema items.  We recommend you create a file <TT>local.schema</TT> in <TT>/usr/local/etc/openldap/schema/local.schema</TT> and then include this file in your <EM>slapd.conf</EM>(5) file immediately after other schema <TT>include</TT> directives.</P>
 <PRE>
         # include schema
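Review bot: the `NAME` anchors on the renumbered headings (`NAME="Naming Elements"`, `NAME="Local schema file"`) are left untouched while only the visible numbers move from 11.2.x to 12.2.x, which is the right split: fragment links such as `#Local schema file` keep resolving, but anything that cites these sections by number has to receive the same shift, and that is worth confirming outside this hunk. One typo sits in the untouched context here: "you should provide a least one textual name" should read "at least one textual name". If this HTML is generated from the guide sources, the fix belongs there rather than in the rendered copy, or the next regeneration will bring the typo back.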
@@ -4260,7 +4983,7 @@
         # include local schema
         include /usr/local/etc/openldap/schema/local.schema
 </PRE>
-<H3><A NAME="Attribute Type Specification">11.2.4. Attribute Type Specification</A></H3>
+<H3><A NAME="Attribute Type Specification">12.2.4. Attribute Type Specification</A></H3>
 <P>The <EM>attributetype</EM> directive is used to define a new attribute type.  The directive uses the same Attribute Type Description (as defined in <A HREF="http://www.rfc-editor.org/rfc/rfc4512.txt">RFC4512</A>) used by the attributeTypes attribute found in the subschema subentry, e.g.:</P>
 <PRE>
         attributetype &lt;<A HREF="http://www.rfc-editor.org/rfc/rfc4512.txt">RFC4512</A> Attribute Type Description&gt;
@@ -4605,7 +5328,7 @@
 <P>The second attribute, <TT>cn</TT>, is a subtype of <TT>name</TT> hence it inherits the syntax, matching rules, and usage of <TT>name</TT>. <TT>commonName</TT> is an alternative name.</P>
 <P>Neither attribute is restricted to a single value.  Both are meant for usage by user applications.  Neither is obsolete nor collective.</P>
 <P>The following subsections provide a couple of examples.</P>
-<H4><A NAME="x-my-UniqueName">11.2.4.1. x-my-UniqueName</A></H4>
+<H4><A NAME="x-my-UniqueName">12.2.4.1. x-my-UniqueName</A></H4>
 <P>Many organizations maintain a single unique name for each user. Though one could use <TT>displayName</TT> (<A HREF="http://www.rfc-editor.org/rfc/rfc2798.txt">RFC2798</A>), this attribute is really meant to be controlled by the user, not the organization.  We could just copy the definition of <TT>displayName</TT> from <TT>inetorgperson.schema</TT> and replace the OID, name, and description, e.g:</P>
 <PRE>
         attributetype ( 1.1.2.1.1 NAME 'x-my-UniqueName'
@@ -4621,7 +5344,7 @@
                 DESC 'unique name with my organization'
                 SUP name )
 </PRE>
-<H4><A NAME="x-my-Photo">11.2.4.2. x-my-Photo</A></H4>
+<H4><A NAME="x-my-Photo">12.2.4.2. x-my-Photo</A></H4>
 <P>Many organizations maintain a photo of each each user.  A <TT>x-my-Photo</TT> attribute type could be defined to hold a photo. Of course, one could use just use <TT>jpegPhoto</TT> (<A HREF="http://www.rfc-editor.org/rfc/rfc2798.txt">RFC2798</A>) (or a subtype) to hold the photo.  However, you can only do this if the photo is in <EM>JPEG File Interchange Format</EM>. Alternatively, an attribute type which uses the <EM>Octet String</EM> syntax can be defined, e.g.:</P>
 <PRE>
         attributetype ( 1.1.2.1.2 NAME 'x-my-Photo'
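Review bot: the context line introducing `x-my-Photo` carries two doubled words, "maintain a photo of each each user" and "one could use just use <TT>jpegPhoto</TT>", which should read "each user" and "one could just use". As with the rest of this rendered file, correct it in the guide source rather than patching the HTML by hand.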
@@ -4637,7 +5360,7 @@
                 DESC 'URI and optional label referring to a photo'
                 SUP labeledURI )
 </PRE>
-<H3><A NAME="Object Class Specification">11.2.5. Object Class Specification</A></H3>
+<H3><A NAME="Object Class Specification">12.2.5. Object Class Specification</A></H3>
 <P>The <EM>objectclasses</EM> directive is used to define a new object class.  The directive uses the same Object Class Description (as defined in <A HREF="http://www.rfc-editor.org/rfc/rfc4512.txt">RFC4512</A>) used by the objectClasses attribute found in the subschema subentry, e.g.:</P>
 <PRE>
         objectclass &lt;<A HREF="http://www.rfc-editor.org/rfc/rfc4512.txt">RFC4512</A> Object Class Description&gt;
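Review bot: the prose on the context line says "The <EM>objectclasses</EM> directive is used to define a new object class", but the syntax line two lines below shows `objectclass &lt;RFC4512 Object Class Description&gt;`, and `objectclass` is the spelling slapd.conf(5) documents for the directive; the plural `objectClasses` is the subschema attribute the same sentence goes on to mention. The prose should say `objectclass` so that readers do not copy a directive name the configuration parser will reject. Same remark as above: fix it in the source, not only in this rendered copy.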
@@ -4657,7 +5380,7 @@
                 whsp &quot;)&quot;
 </PRE>
 <P>where whsp is a space ('<TT> </TT>'), numericoid is a globally unique OID in dotted-decimal form (e.g. <TT>1.1.0</TT>), qdescrs is one or more names, and oids is one or more names and/or OIDs.</P>
-<H4><A NAME="x-my-PhotoObject">11.2.5.1. x-my-PhotoObject</A></H4>
+<H4><A NAME="x-my-PhotoObject">12.2.5.1. x-my-PhotoObject</A></H4>
 <P>To define an <EM>auxiliary</EM> object class which allows x-my-Photo to be added to any existing entry.</P>
 <PRE>
         objectclass ( 1.1.2.2.1 NAME 'x-my-PhotoObject'
@@ -4665,7 +5388,7 @@
                 AUXILIARY
                 MAY x-my-Photo )
 </PRE>
-<H4><A NAME="x-my-Person">11.2.5.2. x-my-Person</A></H4>
+<H4><A NAME="x-my-Person">12.2.5.2. x-my-Person</A></H4>
 <P>If your organization would like have a private <EM>structural</EM> object class to instantiate users, you can subclass one of the existing person classes, such as <TT>inetOrgPerson</TT> (<A HREF="http://www.rfc-editor.org/rfc/rfc2798.txt">RFC2798</A>), and add any additional attributes which you desire.</P>
 <PRE>
         objectclass ( 1.1.2.2.2 NAME 'x-my-Person'
@@ -4675,7 +5398,7 @@
                 MAY x-my-Photo )
 </PRE>
 <P>The object class inherits the required/allowed attribute types of <TT>inetOrgPerson</TT> but requires <TT>x-my-UniqueName</TT> and <TT>givenName</TT> and allows <TT>x-my-Photo</TT>.</P>
-<H3><A NAME="OID Macros">11.2.6. OID Macros</A></H3>
+<H3><A NAME="OID Macros">12.2.6. OID Macros</A></H3>
 <P>To ease the management and use of OIDs, <EM>slapd</EM>(8) supports <EM>Object Identifier</EM> macros.  The <TT>objectIdentifier</TT> directive is used to equate a macro (name) with a OID.  The OID may possibly be derived from a previously defined OID macro.   The <EM>slapd.conf</EM>(5) syntax is:</P>
 <PRE>
         objectIdentifier &lt;name&gt; { &lt;oid&gt; | &lt;name&gt;[:&lt;suffix&gt;] }
@@ -4697,21 +5420,21 @@
 </PRE>
 <P></P>
 <HR>
-<H1><A NAME="Security Considerations">12. Security Considerations</A></H1>
+<H1><A NAME="Security Considerations">13. Security Considerations</A></H1>
 <P>OpenLDAP Software is designed to run in a wide variety of computing environments from tightly-controlled closed networks to the global Internet.  Hence, OpenLDAP Software supports many different security mechanisms.  This chapter describes these mechanisms and discusses security considerations for using OpenLDAP Software.</P>
-<H2><A NAME="Network Security">12.1. Network Security</A></H2>
-<H3><A NAME="Selective Listening">12.1.1. Selective Listening</A></H3>
+<H2><A NAME="Network Security">13.1. Network Security</A></H2>
+<H3><A NAME="Selective Listening">13.1.1. Selective Listening</A></H3>
 <P>By default, <EM>slapd</EM>(8) will listen on both the IPv4 and IPv6 &quot;any&quot; addresses.  It is often desirable to have <EM>slapd</EM> listen on select address/port pairs.  For example, listening only on the IPv4 address <TT>127.0.0.1</TT> will disallow remote access to the directory server. E.g.:</P>
 <PRE>
         slapd -h ldap://127.0.0.1
 </PRE>
 <P>While the server can be configured to listen on a particular interface address, this doesn't necessarily restrict access to the server to only those networks accessible via that interface.   To selective restrict remote access, it is recommend that an <A HREF="#IP Firewall">IP Firewall</A> be used to restrict access.</P>
 <P>See <A HREF="#Command-line Options">Command-line Options</A> and <EM>slapd</EM>(8) for more information.</P>
-<H3><A NAME="IP Firewall">12.1.2. IP Firewall</A></H3>
+<H3><A NAME="IP Firewall">13.1.2. IP Firewall</A></H3>
 <P><TERM>IP</TERM> firewall capabilities of the server system can be used to restrict access based upon the client's IP address and/or network interface used to communicate with the client.</P>
 <P>Generally, <EM>slapd</EM>(8) listens on port 389/tcp for <A HREF="ldap://">ldap://</A> sessions and port 636/tcp for <A HREF="ldaps://">ldaps://</A>) sessions.  <EM>slapd</EM>(8) may be configured to listen on other ports.</P>
 <P>As specifics of how to configure IP firewall are dependent on the particular kind of IP firewall used, no examples are provided here. See the document associated with your IP firewall.</P>
-<H3><A NAME="TCP Wrappers">12.1.3. TCP Wrappers</A></H3>
+<H3><A NAME="TCP Wrappers">13.1.3. TCP Wrappers</A></H3>
 <P><EM>slapd</EM>(8) supports <TERM>TCP</TERM> Wrappers.  TCP Wrappers provide a rule-based access control system for controlling TCP/IP access to the server.  For example, the <EM>host_options</EM>(5) rule:</P>
 <PRE>
         slapd: 10.0.0.0/255.0.0.0 127.0.0.1 : ALLOW
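Review bot: the man page named on the context line "the <EM>host_options</EM>(5) rule:" is misspelled; the tcp_wrappers page that documents the `: ALLOW` option form used in the example rule is hosts_options(5), and the same hunk later points readers to hosts_access(5), so the two references should be made consistent. Two smaller slips in the same untouched context: "port 636/tcp for ldaps://) sessions" has a stray closing parenthesis, and "To selective restrict remote access, it is recommend that" should read "To selectively restrict remote access, it is recommended that". Also note that the scheme names have been wrapped as `<A HREF="ldap://">` and `<A HREF="ldaps://">`, which are not resolvable link targets; that looks like auto-linking by the HTML generator and is harmless but noisy. The security guidance itself is sound as written: binding to 127.0.0.1 only restricts the listener, not which networks can reach the host, so the text is right to defer to an IP firewall, and it is right that TCP wrappers still accept the connection before denying it.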
@@ -4720,10 +5443,10 @@
 <P>allows only incoming connections from the private network <TT>10.0.0.0</TT> and localhost (<TT>127.0.0.1</TT>) to access the directory service. Note that IP addresses are used as <EM>slapd</EM>(8) is not normally configured to perform reverse lookups.</P>
 <P>It is noted that TCP wrappers require the connection to be accepted. As significant processing is required just to deny a connection, it is generally advised that IP firewall protection be used instead of TCP wrappers.</P>
 <P>See <EM>hosts_access</EM>(5) for more information on TCP wrapper rules.</P>
-<H2><A NAME="Data Integrity and Confidentiality Protection">12.2. Data Integrity and Confidentiality Protection</A></H2>
+<H2><A NAME="Data Integrity and Confidentiality Protection">13.2. Data Integrity and Confidentiality Protection</A></H2>
 <P><TERM>Transport Layer Security</TERM> (TLS) can be used to provide data integrity and confidentiality protection.  OpenLDAP supports negotiation of <TERM>TLS</TERM> (<TERM>SSL</TERM>) via both StartTLS and <A HREF="ldaps://">ldaps://</A>. See the <A HREF="#Using TLS">Using TLS</A> chapter for more information.  StartTLS is the standard track mechanism.</P>
 <P>A number of <TERM>Simple Authentication and Security Layer</TERM> (SASL) mechanisms, such as <TERM>DIGEST-MD5</TERM> and <TERM>GSSAPI</TERM>, also provide data integrity and confidentiality protection.  See the <A HREF="#Using SASL">Using SASL</A> chapter for more information.</P>
-<H3><A NAME="Security Strength Factors">12.2.1. Security Strength Factors</A></H3>
+<H3><A NAME="Security Strength Factors">13.2.1. Security Strength Factors</A></H3>
 <P>The server uses <TERM>Security Strength Factor</TERM>s (SSF) to indicate the relative strength of protection.  A SSF of zero (0) indicates no protections are in place.  A SSF of one (1) indicates integrity protection are in place.  A SSF greater than one (&gt;1) roughly correlates to the effective encryption key length.  For example, <TERM>DES</TERM> is 56, <TERM>3DES</TERM> is 112, and <TERM>AES</TERM> 128, 192, or 256.</P>
 <P>A number of administrative controls rely on SSFs associated with TLS and SASL protection in place on an LDAP session.</P>
 <P><TT>security</TT> controls disallow operations when appropriate protections are not in place.  For example:</P>
@@ -4732,8 +5455,8 @@
 </PRE>
 <P>requires integrity protection for all operations and encryption protection, 3DES equivalent, for update operations (e.g. add, delete, modify, etc.).  See <EM>slapd.conf</EM>(5) for details.</P>
 <P>For fine-grained control, SSFs may be used in access controls. See <A HREF="#The access Configuration Directive">The access Configuration Directive</A> section of the <A HREF="#The slapd Configuration File">The slapd Configuration File</A> for more information.</P>
-<H2><A NAME="Authentication Methods">12.3. Authentication Methods</A></H2>
-<H3><A NAME="&quot;simple&quot; method">12.3.1. &quot;simple&quot; method</A></H3>
+<H2><A NAME="Authentication Methods">13.3. Authentication Methods</A></H2>
+<H3><A NAME="&quot;simple&quot; method">13.3.1. &quot;simple&quot; method</A></H3>
 <P>The LDAP &quot;simple&quot; method has three modes of operation:</P>
 <UL>
 <LI>anonymous,
@@ -4747,26 +5470,26 @@
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>An unsuccessful bind always results in the session having an <EM>anonymous</EM> authorization association.
 <HR WIDTH="80%" ALIGN="Left"></P>
-<H3><A NAME="SASL method">12.3.2. SASL method</A></H3>
+<H3><A NAME="SASL method">13.3.2. SASL method</A></H3>
 <P>The LDAP <TERM>SASL</TERM> method allows use of any SASL authentication mechanism.  The <A HREF="#Using SASL">Using SASL</A> discusses use of SASL.</P>
 <P></P>
 <HR>
-<H1><A NAME="Using SASL">13. Using SASL</A></H1>
+<H1><A NAME="Using SASL">14. Using SASL</A></H1>
 <P>OpenLDAP clients and servers are capable of authenticating via the <TERM>Simple Authentication and Security Layer</TERM> (<TERM>SASL</TERM>) framework, which is detailed in <A HREF="http://www.rfc-editor.org/rfc/rfc4422.txt">RFC4422</A>.   This chapter describes how to make use of SASL in OpenLDAP.</P>
 <P>There are several industry standard authentication mechanisms that can be used with SASL, including <TERM>GSSAPI</TERM> for <TERM>Kerberos</TERM> V, <TERM>DIGEST-MD5</TERM>, and <TERM>PLAIN</TERM> and <TERM>EXTERNAL</TERM> for use with <TERM>Transport Layer Security</TERM> (TLS).</P>
 <P>The standard client tools provided with OpenLDAP Software, such as <EM>ldapsearch</EM>(1) and <EM>ldapmodify</EM>(1), will by default attempt to authenticate the user to the <TERM>LDAP</TERM> directory server using SASL.  Basic authentication service can be set up by the LDAP administrator with a few steps, allowing users to be authenticated to the slapd server as their LDAP entry.  With a few extra steps, some users and services can be allowed to exploit SASL's proxy authorization feature, allowing them to authenticate themselves and then switch their identity to that of another user or service.</P>
 <P>This chapter assumes you have read <EM>Cyrus SASL for System Administrators</EM>, provided with the <A HREF="http://asg.web.cmu.edu/sasl/sasl-library.html">Cyrus SASL</A> package (in <TT>doc/sysadmin.html</TT>) and have a working Cyrus SASL installation.  You should use the Cyrus SASL <TT>sample_client</TT> and <TT>sample_server</TT> to test your SASL installation before attempting to make use of it with OpenLDAP Software.</P>
 <P>Note that in the following text the term <EM>user</EM> is used to describe a person or application entity who is connecting to the LDAP server via an LDAP client, such as <EM>ldapsearch</EM>(1).  That is, the term <EM>user</EM> not only applies to both an individual using an LDAP client, but to an application entity which issues LDAP client operations without direct user control.  For example, an e-mail server which uses LDAP operations to access information held in an LDAP server is an application entity.</P>
-<H2><A NAME="SASL Security Considerations">13.1. SASL Security Considerations</A></H2>
+<H2><A NAME="SASL Security Considerations">14.1. SASL Security Considerations</A></H2>
 <P>SASL offers many different authentication mechanisms.  This section briefly outlines security considerations.</P>
 <P>Some mechanisms, such as PLAIN and LOGIN, offer no greater security over LDAP <EM>simple</EM> authentication.  Like LDAP <EM>simple</EM> authentication, such mechanisms should not be used unless you have adequate security protections in place.  It is recommended that these mechanisms be used only in conjunction with <TERM>Transport Layer Security</TERM> (TLS).  Use of PLAIN and LOGIN are not discussed further in this document.</P>
 <P>The DIGEST-MD5 mechanism is the mandatory-to-implement authentication mechanism for LDAPv3.  Though DIGEST-MD5 is not a strong authentication mechanism in comparison with trusted third party authentication systems (such as <TERM>Kerberos</TERM> or public key systems), it does offer significant protections against a number of attacks.  Unlike the <TERM>CRAM-MD5</TERM> mechanism, it prevents chosen plaintext attacks.  DIGEST-MD5 is favored over the use of plaintext password mechanisms.  The CRAM-MD5 mechanism is deprecated in favor of DIGEST-MD5.  Use of <A HREF="#DIGEST-MD5">DIGEST-MD5</A> is discussed below.</P>
 <P>The GSSAPI mechanism utilizes <TERM>GSS-API</TERM> <TERM>Kerberos</TERM> V to provide secure authentication services.  The KERBEROS_V4 mechanism is available for those using Kerberos IV.  Kerberos is viewed as a secure, distributed authentication system suitable for both small and large enterprises.  Use of <A HREF="#GSSAPI">GSSAPI</A> and <A HREF="#KERBEROS_V4">KERBEROS_V4</A> are discussed below.</P>
 <P>The EXTERNAL mechanism utilizes authentication services provided by lower level network services such as <TERM>TLS</TERM> (TLS).  When used in conjunction with <TERM>TLS</TERM> <TERM>X.509</TERM>-based public key technology, EXTERNAL offers strong authentication.  Use of EXTERNAL is discussed in the <A HREF="#Using TLS">Using TLS</A> chapter.</P>
 <P>There are other strong authentication mechanisms to choose from, including <TERM>OTP</TERM> (one time passwords) and <TERM>SRP</TERM> (secure remote passwords).  These mechanisms are not discussed in this document.</P>
-<H2><A NAME="SASL Authentication">13.2. SASL Authentication</A></H2>
+<H2><A NAME="SASL Authentication">14.2. SASL Authentication</A></H2>
 <P>Getting basic SASL authentication running involves a few steps. The first step configures your slapd server environment so that it can communicate with client programs using the security system in place at your site. This usually involves setting up a service key, a public key, or other form of secret. The second step concerns mapping authentication identities to LDAP <TERM>DN</TERM>'s, which depends on how entries are laid out in your directory. An explanation of the first step will be given in the next section using Kerberos V4 as an example mechanism. The steps necessary for your site's authentication mechanism will be similar, but a guide to every mechanism available under SASL is beyond the scope of this chapter. The second step is described in the section <A HREF="#Mapping Authentication Identities">Mapping Authentication Identities</A>.</P>
-<H3><A NAME="GSSAPI">13.2.1. GSSAPI</A></H3>
+<H3><A NAME="GSSAPI">14.2.1. GSSAPI</A></H3>
 <P>This section describes the use of the SASL GSSAPI mechanism and Kerberos V with OpenLDAP.  It will be assumed that you have Kerberos V deployed, you are familiar with the operation of the system, and that your users are trained in its use.  This section also assumes you have familiarized yourself with the use of the GSSAPI mechanism by reading <EM>Configuring GSSAPI and Cyrus SASL</EM> (provided with Cyrus SASL in the <TT>doc/gssapi</TT> file) and successfully experimented with the Cyrus provided <TT>sample_server</TT> and <TT>sample_client</TT> applications.  General information about Kerberos is available at <A HREF="http://web.mit.edu/kerberos/www/">http://web.mit.edu/kerberos/www/</A>.</P>
 <P>To use the GSSAPI mechanism with <EM>slapd</EM>(8) one must create a service key with a principal for <EM>ldap</EM> service within the realm for the host on which the service runs.  For example, if you run <EM>slapd</EM> on <TT>directory.example.com</TT> and your realm is <TT>EXAMPLE.COM</TT>, you need to create a service key with the principal:</P>
 <PRE>
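Review bot: the context paragraph under "14.2. SASL Authentication" says "An explanation of the first step will be given in the next section using Kerberos V4 as an example mechanism", but the next section in this hunk is "14.2.1. GSSAPI", which covers Kerberos V, and the security-considerations text earlier in the same hunk presents KERBEROS_V4 as the option "for those using Kerberos IV" rather than as the primary example; the sentence should point at GSSAPI and Kerberos V so the cross-reference matches the section order. Two smaller style points in the untouched context: "lower level network services such as <TERM>TLS</TERM> (TLS)" repeats the acronym, and "The <A HREF="#Using SASL">Using SASL</A> discusses use of SASL" is missing the word "chapter".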
@@ -4787,7 +5510,7 @@
         uid=ursula/admin,cn=foreign.realm,cn=gssapi,cn=auth
 </PRE>
 <P>The authentication request DN can be used directly ACLs and <TT>groupOfNames</TT> &quot;member&quot; attributes, since it is of legitimate LDAP DN format.  Or alternatively, the authentication DN could be mapped before use.  See the section <A HREF="#Mapping Authentication Identities">Mapping Authentication Identities</A> for details.</P>
-<H3><A NAME="KERBEROS_V4">13.2.2. KERBEROS_V4</A></H3>
+<H3><A NAME="KERBEROS_V4">14.2.2. KERBEROS_V4</A></H3>
 <P>This section describes the use of the SASL KERBEROS_V4 mechanism with OpenLDAP.  It will be assumed that you are familiar with the workings of the Kerberos IV security system, and that your site has Kerberos IV deployed.  Your users should be familiar with authentication policy, how to receive credentials in a Kerberos ticket cache, and how to refresh expired credentials.</P>
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>KERBEROS_V4 and Kerberos IV are deprecated in favor of GSSAPI and Kerberos V.
@@ -4810,7 +5533,7 @@
         uid=adamsom,cn=example.com,cn=kerberos_v4,cn=auth
 </PRE>
 <P>This authentication request DN can be used directly ACLs or, alternatively, mapped prior to use.  See the section <A HREF="#Mapping Authentication Identities">Mapping Authentication Identities</A> for details.</P>
-<H3><A NAME="DIGEST-MD5">13.2.3. DIGEST-MD5</A></H3>
+<H3><A NAME="DIGEST-MD5">14.2.3. DIGEST-MD5</A></H3>
 <P>This section describes the use of the SASL DIGEST-MD5 mechanism using secrets stored either in the directory itself or in Cyrus SASL's own database. DIGEST-MD5 relies on the client and the server sharing a &quot;secret&quot;, usually a password. The server generates a challenge and the client a response proving that it knows the shared secret. This is much more secure than simply sending the secret over the wire.</P>
 <P>Cyrus SASL supports several shared-secret mechanisms. To do this, it needs access to the plaintext password (unlike mechanisms which pass plaintext passwords over the wire, where the server can store a hashed version of the password).</P>
 <P>The server's copy of the shared-secret may be stored in Cyrus SASL's own <EM>sasldb</EM> database, in an external system accessed via <EM>saslauthd</EM>, or in LDAP database itself.  In either case it is very important to apply file access controls and LDAP access controls to prevent exposure of the passwords.  The configuration and commands discussed in this section assume the use of Cyrus SASL 2.1.</P>
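Review bot: "The server's copy of the shared-secret may be stored in Cyrus SASL's own sasldb database, in an external system accessed via saslauthd, or in LDAP database itself. In either case ..." lists three locations, so "either" should be "each" (and "in the LDAP database itself"). In the same context, "This authentication request DN can be used directly ACLs" is missing "in". The security point in that paragraph deserves to stay prominent: the preceding line states that the server needs access to the plaintext password to do DIGEST-MD5, so wherever that copy lives it is a plaintext-equivalent credential store, and the file and LDAP access controls the text asks for are a requirement, not optional hardening.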
@@ -4849,7 +5572,7 @@
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>in each of the above cases, no authorization identity (e.g. <TT>-X</TT>) was provided.   Unless you are attempting <A HREF="#SASL Proxy Authorization">SASL Proxy Authorization</A>, no authorization identity should be specified. The server will infer an authorization identity from authentication identity (as described below).
 <HR WIDTH="80%" ALIGN="Left"></P>
-<H3><A NAME="Mapping Authentication Identities">13.2.4. Mapping Authentication Identities</A></H3>
+<H3><A NAME="Mapping Authentication Identities">14.2.4. Mapping Authentication Identities</A></H3>
 <P>The authentication mechanism in the slapd server will use SASL library calls to obtain the authenticated user's &quot;username&quot;, based on whatever underlying authentication mechanism was used.  This username is in the namespace of the authentication mechanism, and not in the normal LDAP namespace. As stated in the sections above, that username is reformatted into an authentication request DN of the form</P>
 <PRE>
         uid=&lt;username&gt;,cn=&lt;realm&gt;,cn=&lt;mechanism&gt;,cn=auth
@@ -4871,7 +5594,7 @@
 <P>The authentication request DN is compared to the search pattern using the regular expression functions <EM>regcomp</EM>() and <EM>regexec</EM>(), and if it matches, it is rewritten as the replacement pattern. If there are multiple <TT>authz-regexp</TT> directives, only the first whose search pattern matches the authentication identity is used. The string that is output from the replacement pattern should be the authentication DN of the user or an LDAP URL.  If replacement string produces a DN, the entry named by this DN need not be held by this server.  If the replace string produces an LDAP URL, that LDAP URL must evaluate to one and only one entry held by this server.</P>
 <P>The search pattern can contain any of the regular expression characters listed in <EM>regexec</EM>(3C). The main characters of note are dot &quot;.&quot;, asterisk &quot;*&quot;, and the open and close parenthesis &quot;(&quot; and &quot;)&quot;.  Essentially, the dot matches any character, the asterisk allows zero or more repeats of the immediately preceding character or pattern, and terms in parenthesis are remembered for the replacement pattern.</P>
 <P>The replacement pattern will produce either a DN or URL referring to the user.  Anything from the authentication request DN that matched a string in parenthesis in the search pattern is stored in the variable &quot;$1&quot;. That variable &quot;$1&quot; can appear in the replacement pattern, and will be replaced by the string from the authentication request DN. If there were multiple sets of parentheses in the search pattern, the variables $2, $3, etc are used.</P>
-<H3><A NAME="Direct Mapping">13.2.5. Direct Mapping</A></H3>
+<H3><A NAME="Direct Mapping">14.2.5. Direct Mapping</A></H3>
 <P>Where possible, direct mapping of the authentication request DN to the user's DN is generally recommended.  Aside from avoiding the expense of searching for the user's DN, it allows mapping to DNs which refer to entries not held by this server.</P>
 <P>Suppose the authentication request DN is written as:</P>
 <PRE>
@@ -4895,7 +5618,7 @@
 </PRE>
 <P>Be careful about setting the search pattern too leniently, however, since it may mistakenly allow persons to become authenticated as a DN to which they should not have access.  It is better to write several strict directives than one lenient directive which has security holes.  If there is only one authentication mechanism in place at your site, and zero or one realms in use, you might be able to map between authentication identities and LDAP DN's with a single <TT>authz-regexp</TT> directive.</P>
 <P>Don't forget to allow for the case where the realm is omitted as well as the case with an explicitly specified realm. This may well require a separate <TT>authz-regexp</TT> directive for each case, with the explicit-realm entry being listed first.</P>
-<H3><A NAME="Search-based mappings">13.2.6. Search-based mappings</A></H3>
+<H3><A NAME="Search-based mappings">14.2.6. Search-based mappings</A></H3>
 <P>There are a number of cases where mapping to a LDAP URL may be appropriate.  For instance, some sites may have person objects located in multiple areas of the LDAP tree, such as if there were an <TT>ou=accounting</TT> tree and an <TT>ou=engineering</TT> tree, with persons interspersed between them.  Or, maybe the desired mapping must be based upon information in the user's information. Consider the need to map the above authentication request DN to user whose entry is as follows:</P>
 <PRE>
         dn: cn=Mark Adamson,ou=People,dc=Example,dc=COM
@@ -4937,10 +5660,10 @@
 <P>Note that the explicitly-named realms are handled first, to avoid the realm name becoming part of the UID.  Also note the use of scope and filters to limit matching to desirable entries.</P>
 <P>Note as well that <TT>authz-regexp</TT> internal search are subject to access controls.  Specifically, the authentication identity must have <TT>auth</TT> access.</P>
 <P>See <EM>slapd.conf</EM>(5) for more detailed information.</P>
-<H2><A NAME="SASL Proxy Authorization">13.3. SASL Proxy Authorization</A></H2>
+<H2><A NAME="SASL Proxy Authorization">14.3. SASL Proxy Authorization</A></H2>
 <P>The SASL offers a feature known as <EM>proxy authorization</EM>, which allows an authenticated user to request that they act on the behalf of another user.  This step occurs after the user has obtained an authentication DN, and involves sending an authorization identity to the server. The server will then make a decision on whether or not to allow the authorization to occur. If it is allowed, the user's LDAP connection is switched to have a binding DN derived from the authorization identity, and the LDAP session proceeds with the access of the new authorization DN.</P>
 <P>The decision to allow an authorization to proceed depends on the rules and policies of the site where LDAP is running, and thus cannot be made by SASL alone. The SASL library leaves it up to the server to make the decision. The LDAP administrator sets the guidelines of who can authorize to what identity by adding information into the LDAP database entries. By default, the authorization features are disabled, and must be explicitly configured by the LDAP administrator before use.</P>
-<H3><A NAME="Uses of Proxy Authorization">13.3.1. Uses of Proxy Authorization</A></H3>
+<H3><A NAME="Uses of Proxy Authorization">14.3.1. Uses of Proxy Authorization</A></H3>
 <P>This sort of service is useful when one entity needs to act on the behalf of many other users. For example, users may be directed to a web page to make changes to their personal information in their LDAP entry. The users authenticate to the web server to establish their identity, but the web server CGI cannot authenticate to the LDAP server as that user to make changes for them. Instead, the web server authenticates itself to the LDAP server as a service identity, say,</P>
 <PRE>
         cn=WebUpdate,dc=example,dc=com
@@ -4948,7 +5671,7 @@
 <P>and then it will SASL authorize to the DN of the user. Once so authorized, the CGI makes changes to the LDAP entry of the user, and as far as the slapd server can tell for its ACLs, it is the user themself on the other end of the connection. The user could have connected to the LDAP server directly and authenticated as themself, but that would require the user to have more knowledge of LDAP clients, knowledge which the web page provides in an easier format.</P>
 <P>Proxy authorization can also be used to limit access to an account that has greater access to the database. Such an account, perhaps even the root DN specified in <EM>slapd.conf</EM>(5), can have a strict list of people who can authorize to that DN. Changes to the LDAP database could then be only allowed by that DN, and in order to become that DN, users must first authenticate as one of the persons on the list. This allows for better auditing of who made changes to the LDAP database.  If people were allowed to authenticate directly to the privileged account, possibly through the <TT>rootpw</TT> <EM>slapd.conf</EM>(5) directive or through a <TT>userPassword</TT> attribute, then auditing becomes more difficult.</P>
 <P>Note that after a successful proxy authorization, the original authentication DN of the LDAP connection is overwritten by the new DN from the authorization request. If a service program is able to authenticate itself as its own authentication DN and then authorize to other DN's, and it is planning on switching to several different identities during one LDAP session, it will need to authenticate itself each time before authorizing to another DN (or use a different proxy authorization mechanism).  The slapd server does not keep record of the service program's ability to switch to other DN's. On authentication mechanisms like Kerberos this will not require multiple connections being made to the Kerberos server, since the user's TGT and &quot;ldap&quot; session key are valid for multiple uses for the several hours of the ticket lifetime.</P>
-<H3><A NAME="SASL Authorization Identities">13.3.2. SASL Authorization Identities</A></H3>
+<H3><A NAME="SASL Authorization Identities">14.3.2. SASL Authorization Identities</A></H3>
 <P>The SASL authorization identity is sent to the LDAP server via the <TT>-X</TT> switch for <EM>ldapsearch</EM>(1) and other tools, or in the <TT>*authzid</TT> parameter to the <EM>lutil_sasl_defaults</EM>() call. The identity can be in one of two forms, either</P>
 <PRE>
         u:&lt;username&gt;
@@ -4963,7 +5686,7 @@
 </PRE>
 <P>That authorization request DN is then run through the same <TT>authz-regexp</TT> process to convert it into a legitimate authorization DN from the database. If it cannot be converted due to a failed search from an LDAP URL, the authorization request fails with &quot;inappropriate access&quot;.  Otherwise, the DN string is now a legitimate authorization DN ready to undergo approval.</P>
 <P>If the authorization identity was provided in the second form, with a <TT>&quot;dn:&quot;</TT> prefix, the string after the prefix is already in authorization DN form, ready to undergo approval.</P>
-<H3><A NAME="Proxy Authorization Rules">13.3.3. Proxy Authorization Rules</A></H3>
+<H3><A NAME="Proxy Authorization Rules">14.3.3. Proxy Authorization Rules</A></H3>
 <P>Once slapd has the authorization DN, the actual approval process begins. There are two attributes that the LDAP administrator can put into LDAP entries to allow authorization:</P>
 <PRE>
         authzTo
@@ -4977,7 +5700,7 @@
         authzTo: ldap:///dc=example,dc=com??sub?(objectclass=person)
 </PRE>
 <P>then any user who authenticated as <TT>cn=WebUpdate,dc=example,dc=com</TT> could authorize to any other LDAP entry under the search base <TT>dc=example,dc=com</TT> which has an objectClass of <TT>Person</TT>.</P>
-<H4><A NAME="Notes on Proxy Authorization Rules">13.3.3.1. Notes on Proxy Authorization Rules</A></H4>
+<H4><A NAME="Notes on Proxy Authorization Rules">14.3.3.1. Notes on Proxy Authorization Rules</A></H4>
 <P>An LDAP URL in a <TT>authzTo</TT> or <TT>authzFrom</TT> attribute will return a set of DNs.  Each DN returned will be checked.  Searches which return a large set can cause the authorization process to take an uncomfortably long time. Also, searches should be performed on attributes that have been indexed by slapd.</P>
 <P>To help produce more sweeping rules for <TT>authzFrom</TT> and <TT>authzTo</TT>, the values of these attributes are allowed to be DNs with regular expression characters in them. This means a source rule like</P>
 <PRE>
@@ -4985,76 +5708,76 @@
 </PRE>
 <P>would allow that authenticated user to authorize to any DN that matches the regular expression pattern given. This regular expression comparison can be evaluated much faster than an LDAP search for <TT>(uid=*)</TT>.</P>
 <P>Also note that the values in an authorization rule must be one of the two forms: an LDAP URL or a DN (with or without regular expression characters). Anything that does not begin with &quot;<TT>ldap://</TT>&quot; is taken as a DN. It is not permissible to enter another authorization identity of the form &quot;<TT>u:&lt;username&gt;</TT>&quot; as an authorization rule.</P>
-<H4><A NAME="Policy Configuration">13.3.3.2. Policy Configuration</A></H4>
+<H4><A NAME="Policy Configuration">14.3.3.2. Policy Configuration</A></H4>
 <P>The decision of which type of rules to use, <TT>authzFrom</TT> or <TT>authzTo</TT>, will depend on the site's situation. For example, if the set of people who may become a given identity can easily be written as a search filter, then a single destination rule could be written. If the set of people is not easily defined by a search filter, and the set of people is small, it may be better to write a source rule in the entries of each of those people who should be allowed to perform the proxy authorization.</P>
 <P>By default, processing of proxy authorization rules is disabled. The <TT>authz-policy</TT> directive must be set in the <EM>slapd.conf</EM>(5) file to enable authorization. This directive can be set to <TT>none</TT> for no rules (the default), <TT>to</TT> for source rules, <TT>from</TT> for destination rules, or <TT>both</TT> for both source and destination rules.</P>
 <P>Source rules are extremely powerful. If ordinary users have access to write the <TT>authzTo</TT> attribute in their own entries, then they can write rules that would allow them to authorize as anyone else.  As such, when using source rules, the <TT>authzTo</TT> attribute should be protected with an ACL that only allows privileged users to set its values.</P>
 <P></P>
 <HR>
-<H1><A NAME="Using TLS">14. Using TLS</A></H1>
+<H1><A NAME="Using TLS">15. Using TLS</A></H1>
 <P>OpenLDAP clients and servers are capable of using the <TERM>Transport Layer Security</TERM> (<TERM>TLS</TERM>) framework to provide integrity and confidentiality protections and to support LDAP authentication using the <TERM>SASL</TERM> <TERM>EXTERNAL</TERM> mechanism. TLS is defined in <A HREF="http://www.rfc-editor.org/rfc/rfc4346.txt">RFC4346</A>.</P>
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>For generating certifcates, please reference <A HREF="http://www.openldap.org/faq/data/cache/185.html">http://www.openldap.org/faq/data/cache/185.html</A>
 <HR WIDTH="80%" ALIGN="Left"></P>
-<H2><A NAME="TLS Certificates">14.1. TLS Certificates</A></H2>
+<H2><A NAME="TLS Certificates">15.1. TLS Certificates</A></H2>
 <P>TLS uses <TERM>X.509</TERM> certificates to carry client and server identities.  All servers are required to have valid certificates, whereas client certificates are optional.  Clients must have a valid certificate in order to authenticate via SASL EXTERNAL. For more information on creating and managing certificates, see the <A HREF="http://www.openssl.org/">OpenSSL</A> documentation.</P>
-<H3><A NAME="Server Certificates">14.1.1. Server Certificates</A></H3>
+<H3><A NAME="Server Certificates">15.1.1. Server Certificates</A></H3>
 <P>The <TERM>DN</TERM> of a server certificate must use the <TT>CN</TT> attribute to name the server, and the <TT>CN</TT> must carry the server's fully qualified domain name. Additional alias names and wildcards may be present in the <TT>subjectAltName</TT> certificate extension.  More details on server certificate names are in <A HREF="http://www.rfc-editor.org/rfc/rfc4513.txt">RFC4513</A>.</P>
-<H3><A NAME="Client Certificates">14.1.2. Client Certificates</A></H3>
+<H3><A NAME="Client Certificates">15.1.2. Client Certificates</A></H3>
 <P>The DN of a client certificate can be used directly as an authentication DN. Since X.509 is a part of the <TERM>X.500</TERM> standard and LDAP is also based on X.500, both use the same DN formats and generally the DN in a user's X.509 certificate should be identical to the DN of their LDAP entry. However, sometimes the DNs may not be exactly the same, and so the mapping facility described in <A HREF="#Mapping Authentication Identities">Mapping Authentication Identities</A> can be applied to these DNs as well.</P>
-<H2><A NAME="TLS Configuration">14.2. TLS Configuration</A></H2>
+<H2><A NAME="TLS Configuration">15.2. TLS Configuration</A></H2>
 <P>After obtaining the required certificates, a number of options must be configured on both the client and the server to enable TLS and make use of the certificates.  At a minimum, the clients must be configured with the name of the file containing all of the <TERM>Certificate Authority</TERM> (CA) certificates it will trust. The server must be configured with the <TERM>CA</TERM> certificates and also its own server certificate and private key.</P>
 <P>Typically a single CA will have issued the server certificate and all of the trusted client certificates, so the server only needs to trust that one signing CA. However, a client may wish to connect to a variety of secure servers managed by different organizations, with server certificates generated by many different CAs. As such, a client is likely to need a list of many different trusted CAs in its configuration.</P>
-<H3><A NAME="Server Configuration">14.2.1. Server Configuration</A></H3>
+<H3><A NAME="Server Configuration">15.2.1. Server Configuration</A></H3>
 <P>The configuration directives for slapd belong in the global directives section of <EM>slapd.conf</EM>(5).</P>
-<H4><A NAME="TLSCACertificateFile &lt;filename&gt;">14.2.1.1. TLSCACertificateFile &lt;filename&gt;</A></H4>
+<H4><A NAME="TLSCACertificateFile &lt;filename&gt;">15.2.1.1. TLSCACertificateFile &lt;filename&gt;</A></H4>
 <P>This directive specifies the <TERM>PEM</TERM>-format file containing certificates for the CA's that slapd will trust. The certificate for the CA that signed the server certificate must be included among these certificates. If the signing CA was not a top-level (root) CA, certificates for the entire sequence of CA's from the signing CA to the top-level CA should be present. Multiple certificates are simply appended to the file; the order is not significant.</P>
-<H4><A NAME="TLSCACertificatePath &lt;path&gt;">14.2.1.2. TLSCACertificatePath &lt;path&gt;</A></H4>
+<H4><A NAME="TLSCACertificatePath &lt;path&gt;">15.2.1.2. TLSCACertificatePath &lt;path&gt;</A></H4>
 <P>This directive specifies the path of a directory that contains individual <TERM>CA</TERM> certificates in separate files.  In addition, this directory must be specially managed using the OpenSSL <EM>c_rehash</EM> utility. When using this feature, the OpenSSL library will attempt to locate certificate files based on a hash of their name and serial number. The <EM>c_rehash</EM> utility is used to generate symbolic links with the hashed names that point to the actual certificate files. As such, this option can only be used with a filesystem that actually supports symbolic links. In general, it is simpler to use the <TT>TLSCACertificateFile</TT> directive instead.</P>
-<H4><A NAME="TLSCertificateFile &lt;filename&gt;">14.2.1.3. TLSCertificateFile &lt;filename&gt;</A></H4>
+<H4><A NAME="TLSCertificateFile &lt;filename&gt;">15.2.1.3. TLSCertificateFile &lt;filename&gt;</A></H4>
 <P>This directive specifies the file that contains the slapd server certificate. Certificates are generally public information and require no special protection.</P>
-<H4><A NAME="TLSCertificateKeyFile &lt;filename&gt;">14.2.1.4. TLSCertificateKeyFile &lt;filename&gt;</A></H4>
+<H4><A NAME="TLSCertificateKeyFile &lt;filename&gt;">15.2.1.4. TLSCertificateKeyFile &lt;filename&gt;</A></H4>
 <P>This directive specifies the file that contains the private key that matches the certificate stored in the <TT>TLSCertificateFile</TT> file. Private keys themselves are sensitive data and are usually password encrypted for protection. However, the current implementation doesn't support encrypted keys so the key must not be encrypted and the file itself must be protected carefully.</P>
-<H4><A NAME="TLSCipherSuite &lt;cipher-suite-spec&gt;">14.2.1.5. TLSCipherSuite &lt;cipher-suite-spec&gt;</A></H4>
+<H4><A NAME="TLSCipherSuite &lt;cipher-suite-spec&gt;">15.2.1.5. TLSCipherSuite &lt;cipher-suite-spec&gt;</A></H4>
 <P>This directive configures what ciphers will be accepted and the preference order. <TT>&lt;cipher-suite-spec&gt;</TT> should be a cipher specification for OpenSSL. You can use the command</P>
 <PRE>
         openssl ciphers -v ALL
 </PRE>
 <P>to obtain a verbose list of available cipher specifications. Besides the individual cipher names, the specifiers <TT>HIGH</TT>, <TT>MEDIUM</TT>, <TT>LOW</TT>, <TT>EXPORT</TT>, and <TT>EXPORT40</TT> may be helpful, along with <TT>TLSv1</TT>, <TT>SSLv3</TT>, and <TT>SSLv2</TT>.</P>
-<H4><A NAME="TLSRandFile &lt;filename&gt;">14.2.1.6. TLSRandFile &lt;filename&gt;</A></H4>
+<H4><A NAME="TLSRandFile &lt;filename&gt;">15.2.1.6. TLSRandFile &lt;filename&gt;</A></H4>
 <P>This directive specifies the file to obtain random bits from when <TT>/dev/urandom</TT> is not available. If the system provides <TT>/dev/urandom</TT> then this option is not needed, otherwise a source of random data must be configured.  Some systems (e.g. Linux) provide <TT>/dev/urandom</TT> by default, while others (e.g. Solaris) require the installation of a patch to provide it, and others may not support it at all. In the latter case, EGD or PRNGD should be installed, and this directive should specify the name of the EGD/PRNGD socket. The environment variable <TT>RANDFILE</TT> can also be used to specify the filename. Also, in the absence of these options, the <TT>.rnd</TT> file in the slapd user's home directory may be used if it exists. To use the <TT>.rnd</TT> file, just create the file and copy a few hundred bytes of arbitrary data into the file. The file is only used to provide a seed for the pseudo-random number generator, and it doesn't need very much data to work.</P>
-<H4><A NAME="TLSEphemeralDHParamFile &lt;filename&gt;">14.2.1.7. TLSEphemeralDHParamFile &lt;filename&gt;</A></H4>
+<H4><A NAME="TLSEphemeralDHParamFile &lt;filename&gt;">15.2.1.7. TLSEphemeralDHParamFile &lt;filename&gt;</A></H4>
 <P>This directive specifies the file that contains parameters for Diffie-Hellman ephemeral key exchange.  This is required in order to use a DSA certificate on the server side (i.e. <TT>TLSCertificateKeyFile</TT> points to a DSA key).  Multiple sets of parameters can be included in the file; all of them will be processed.  Parameters can be generated using the following command</P>
 <PRE>
         openssl dhparam [-dsaparam] -out &lt;filename&gt; &lt;numbits&gt;
 </PRE>
-<H4><A NAME="TLSVerifyClient { never | allow | try | demand }">14.2.1.8. TLSVerifyClient { never | allow | try | demand }</A></H4>
+<H4><A NAME="TLSVerifyClient { never | allow | try | demand }">15.2.1.8. TLSVerifyClient { never | allow | try | demand }</A></H4>
 <P>This directive specifies what checks to perform on client certificates in an incoming TLS session, if any. This option is set to <TT>never</TT> by default, in which case the server never asks the client for a certificate. With a setting of <TT>allow</TT> the server will ask for a client certificate; if none is provided the session proceeds normally. If a certificate is provided but the server is unable to verify it, the certificate is ignored and the session proceeds normally, as if no certificate had been provided. With a setting of <TT>try</TT> the certificate is requested, and if none is provided, the session proceeds normally. If a certificate is provided and it cannot be verified, the session is immediately terminated. With a setting of <TT>demand</TT> the certificate is requested and a valid certificate must be provided, otherwise the session is immediately terminated.</P>
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>The server must request a client certificate in order to use the SASL EXTERNAL authentication mechanism with a TLS session. As such, a non-default <TT>TLSVerifyClient</TT> setting must be configured before SASL EXTERNAL authentication may be attempted, and the SASL EXTERNAL mechanism will only be offered to the client if a valid client certificate was received.
 <HR WIDTH="80%" ALIGN="Left"></P>
-<H3><A NAME="Client Configuration">14.2.2. Client Configuration</A></H3>
+<H3><A NAME="Client Configuration">15.2.2. Client Configuration</A></H3>
 <P>Most of the client configuration directives parallel the server directives. The names of the directives are different, and they go into <EM>ldap.conf</EM>(5) instead of <EM>slapd.conf</EM>(5), but their functionality is mostly the same. Also, while most of these options may be configured on a system-wide basis, they may all be overridden by individual users in their <EM>.ldaprc</EM> files.</P>
 <P>The LDAP Start TLS operation is used in LDAP to initiate TLS negotiation.  All OpenLDAP command line tools support a <TT>-Z</TT> and <TT>-ZZ</TT> flag to indicate whether a Start TLS operation is to be issued.  The latter flag indicates that the tool is to cease processing if TLS cannot be started while the former allows the command to continue.</P>
 <P>In LDAPv2 environments, TLS is normally started using the LDAP Secure URI scheme (<TT>ldaps://</TT>) instead of the normal LDAP URI scheme (<TT>ldap://</TT>).  OpenLDAP command line tools allow either scheme to used with the <TT>-H</TT> flag and with the <TT>URI</TT> <EM>ldap.conf</EM>(5) option.</P>
-<H4><A NAME="TLS_CACERT &lt;filename&gt;">14.2.2.1. TLS_CACERT &lt;filename&gt;</A></H4>
+<H4><A NAME="TLS_CACERT &lt;filename&gt;">15.2.2.1. TLS_CACERT &lt;filename&gt;</A></H4>
 <P>This is equivalent to the server's <TT>TLSCACertificateFile</TT> option. As noted in the <A HREF="#TLS Configuration">TLS Configuration</A> section, a client typically may need to know about more CAs than a server, but otherwise the same considerations apply.</P>
-<H4><A NAME="TLS_CACERTDIR &lt;path&gt;">14.2.2.2. TLS_CACERTDIR &lt;path&gt;</A></H4>
+<H4><A NAME="TLS_CACERTDIR &lt;path&gt;">15.2.2.2. TLS_CACERTDIR &lt;path&gt;</A></H4>
 <P>This is equivalent to the server's <TT>TLSCACertificatePath</TT> option. The specified directory must be managed with the OpenSSL <EM>c_rehash</EM> utility as well.</P>
-<H4><A NAME="TLS_CERT &lt;filename&gt;">14.2.2.3. TLS_CERT &lt;filename&gt;</A></H4>
+<H4><A NAME="TLS_CERT &lt;filename&gt;">15.2.2.3. TLS_CERT &lt;filename&gt;</A></H4>
 <P>This directive specifies the file that contains the client certificate. This is a user-only directive and can only be specified in a user's <EM>.ldaprc</EM> file.</P>
-<H4><A NAME="TLS_KEY &lt;filename&gt;">14.2.2.4. TLS_KEY &lt;filename&gt;</A></H4>
+<H4><A NAME="TLS_KEY &lt;filename&gt;">15.2.2.4. TLS_KEY &lt;filename&gt;</A></H4>
 <P>This directive specifies the file that contains the private key that matches the certificate stored in the <TT>TLS_CERT</TT> file. The same constraints mentioned for <TT>TLSCertificateKeyFile</TT> apply here. This is also a user-only directive.</P>
-<H4><A NAME="TLS_RANDFILE &lt;filename&gt;">14.2.2.5. TLS_RANDFILE &lt;filename&gt;</A></H4>
+<H4><A NAME="TLS_RANDFILE &lt;filename&gt;">15.2.2.5. TLS_RANDFILE &lt;filename&gt;</A></H4>
 <P>This directive is the same as the server's <TT>TLSRandFile</TT> option.</P>
-<H4><A NAME="TLS_REQCERT { never | allow | try | demand }">14.2.2.6. TLS_REQCERT { never | allow | try | demand }</A></H4>
+<H4><A NAME="TLS_REQCERT { never | allow | try | demand }">15.2.2.6. TLS_REQCERT { never | allow | try | demand }</A></H4>
 <P>This directive is equivalent to the server's <TT>TLSVerifyClient</TT> option. However, for clients the default value is <TT>demand</TT> and there generally is no good reason to change this setting.</P>
 <P></P>
 <HR>
-<H1><A NAME="Constructing a Distributed Directory Service">15. Constructing a Distributed Directory Service</A></H1>
+<H1><A NAME="Constructing a Distributed Directory Service">16. Constructing a Distributed Directory Service</A></H1>
 <P>For many sites, running one or more <EM>slapd</EM>(8) that hold an entire subtree of data is sufficient. But often it is desirable to have one <EM>slapd</EM> refer to other directory services for a certain part of the tree (which may or may not be running <EM>slapd</EM>).</P>
 <P><EM>slapd</EM> supports <EM>subordinate</EM> and <EM>superior</EM> knowledge information. Subordinate knowledge information is held in <TT>referral</TT> objects (<A HREF="http://www.rfc-editor.org/rfc/rfc3296.txt">RFC3296</A>).</P>
-<H2><A NAME="Subordinate Knowledge Information">15.1. Subordinate Knowledge Information</A></H2>
+<H2><A NAME="Subordinate Knowledge Information">16.1. Subordinate Knowledge Information</A></H2>
 <P>Subordinate knowledge information may be provided to delegate a subtree. Subordinate knowledge information is maintained in the directory as a special <EM>referral</EM> object at the delegate point. The referral object acts as a delegation point, gluing two services together. This mechanism allows for hierarchical directory services to be constructed.</P>
 <P>A referral object has a structural object class of <TT>referral</TT> and has the same <TERM>Distinguished Name</TERM> as the delegated subtree.  Generally, the referral object will also provide the auxiliary object class <TT>extensibleObject</TT>. This allows the entry to contain appropriate <TERM>Relative Distinguished Name</TERM> values.  This is best demonstrated by example.</P>
 <P>If the server <TT>a.example.net</TT> holds <TT>dc=example,dc=net</TT> and wished to delegate the subtree <TT>ou=subtree,dc=example,dc=net</TT> to another server <TT>b.example.net</TT>, the following named referral object would be added to <TT>a.example.net</TT>:</P>
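Review bot: two typos in the unchanged context of this hunk are worth fixing while the file is being touched, since the renumbering itself is clean (every 14.x heading becomes 15.x and the A NAME anchors are untouched, so the #TLS Configuration and #Mapping Authentication Identities links still resolve): "certifcates" in the Note under "15. Using TLS" should read "certificates", and "allow either scheme to used" in 15.2.2 Client Configuration is missing "be". Also note that these NAME values embed spaces and entities such as NAME="TLSCACertificateFile &lt;filename&gt;", which makes them fragile as fragment identifiers; not a blocker for a renumbering change, but something to keep in mind if they are ever linked to.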
@@ -5067,7 +5790,7 @@
 </PRE>
 <P>The server uses this information to generate referrals and search continuations to subordinate servers.</P>
 <P>For those familiar with <TERM>X.500</TERM>, a <EM>named referral</EM> object is similar to an X.500 knowledge reference held in a <EM>subr</EM> <TERM>DSE</TERM>.</P>
-<H2><A NAME="Superior Knowledge Information">15.2. Superior Knowledge Information</A></H2>
+<H2><A NAME="Superior Knowledge Information">16.2. Superior Knowledge Information</A></H2>
 <P>Superior knowledge information may be specified using the <TT>referral</TT> directive.  The value is a list of <TERM>URI</TERM>s referring to superior directory services.  For servers without immediate superiors, such as for <TT>a.example.net</TT> in the example above, the server can be configured to use a directory service with <EM>global knowledge</EM>, such as the <EM>OpenLDAP Root Service</EM> (<A HREF="http://www.openldap.org/faq/index.cgi?file=393">http://www.openldap.org/faq/index.cgi?file=393</A>).</P>
 <PRE>
         referral        ldap://root.openldap.org/
@@ -5078,7 +5801,7 @@
 </PRE>
 <P>The server uses this information to generate referrals for operations acting upon entries not within or subordinate to any of the naming contexts held by the server.</P>
 <P>For those familiar with <TERM>X.500</TERM>, this use of the <TT>ref</TT> attribute is similar to an X.500 knowledge reference held in a <EM>Supr</EM> <TERM>DSE</TERM>.</P>
-<H2><A NAME="The ManageDsaIT Control">15.3. The ManageDsaIT Control</A></H2>
+<H2><A NAME="The ManageDsaIT Control">16.3. The ManageDsaIT Control</A></H2>
 <P>Adding, modifying, and deleting referral objects is generally done using <EM>ldapmodify</EM>(1) or similar tools which support the ManageDsaIT control.  The ManageDsaIT control informs the server that you intend to manage the referral object as a regular entry.  This keeps the server from sending a referral result for requests which interrogate or update referral objects.</P>
 <P>The ManageDsaIT control should not be specified when managing regular entries.</P>
 <P>The <TT>-M</TT> option of <EM>ldapmodify</EM>(1) (and other tools) enables ManageDsaIT.  For example:</P>
@@ -5097,12 +5820,11 @@
 <HR WIDTH="80%" ALIGN="Left"></P>
 <P></P>
 <HR>
-<H1><A NAME="Replication">16. Replication</A></H1>
+<H1><A NAME="Replication">17. Replication</A></H1>
 <P>Replicated directories are a fundamental requirement for delivering a resilient enterprise deployment.</P>
 <P><A HREF="http://www.openldap.org/">OpenLDAP</A> has various configuration options for creating a replicated directory. The following sections will discuss these.</P>
-<H2><A NAME="Replication Strategies">16.1. Replication Strategies</A></H2>
-<H3><A NAME="Push Based">16.1.1. Push Based</A></H3>
-<H5><A NAME="Replacing Slurpd">16.1.1..1. Replacing Slurpd</A></H5>
+<H2><A NAME="Push Based">17.1. Push Based</A></H2>
+<H3><A NAME="Replacing Slurpd">17.1.1. Replacing Slurpd</A></H3>
 <P><EM>Slurpd</EM> replication has been deprecated in favor of Syncrepl replication and has been completely removed from OpenLDAP 2.4.</P>
 <P><EM>Why was it replaced?</EM></P>
 <P>The <EM>slurpd</EM> daemon was the original replication mechanism inherited from UMich's LDAP and operates in push mode: the master pushes changes to the slaves. It has been replaced for many reasons, in brief:</P>
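Review bot: the anchor NAME="Replication Strategies" disappears with the removed H2 in this hunk, so any HREF="#Replication Strategies" elsewhere in the guide will now dangle; please grep for it before merging. On the positive side, collapsing the three levels into H2 "Push Based" / H3 "Replacing Slurpd" also removes the malformed section number "16.1.1..1." on the old H5. One structural question: the new 17.1.1 sits under "Push Based", yet its first paragraph states that slurpd replication has been completely removed from OpenLDAP 2.4, so consider whether a heading named "Push Based" should introduce a mechanism that no longer exists, or whether this section is better titled as historical background.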
@@ -5186,39 +5908,15 @@
 <P>DETAILED EXPLANATION OF ABOVE LIKE IN OTHER SECTIONS (line numbers?)</P>
 <P>ANOTHER DIAGRAM HERE</P>
 <P>As you can see, you can let your imagination go wild using Syncrepl and <EM>slapd-ldap(8)</EM> tailoring your replication to fit your specific network topology.</P>
-<H3><A NAME="Pull Based">16.1.2. Pull Based</A></H3>
-<H4><A NAME="syncrepl replication">16.1.2.1. syncrepl replication</A></H4>
-<H4><A NAME="delta-syncrepl replication">16.1.2.2. delta-syncrepl replication</A></H4>
-<H2><A NAME="Replication Types">16.2. Replication Types</A></H2>
-<H3><A NAME="syncrepl replication">16.2.1. syncrepl replication</A></H3>
-<H3><A NAME="delta-syncrepl replication">16.2.2. delta-syncrepl replication</A></H3>
-<H3><A NAME="N-Way Multi-Master replication">16.2.3. N-Way Multi-Master replication</A></H3>
-<P>Multi-Master replication is a replication technique using Syncrepl to replicate data to multiple Master Directory servers.</P>
-<UL>
-<LI>Advantages of Multi-Master replication:<UL>
-<LI>If any master fails, other masters will continue to accept updates
-<LI>Avoids a single point of failure
-<LI>Masters can be located in several physical sites i.e. distributed across the network/globe.
-<LI>Good for Automatic failover/High Availability</UL>
-<LI>Disadvantages of Multi-Master replication:<UL>
-<LI>It has <B>NOTHING</B> to do with load balancing
-<LI><A HREF="http://www.openldap.org/faq/data/cache/1240.html">http://www.openldap.org/faq/data/cache/1240.html</A>
-<LI>If connectivity with a master is lost because of a network partition, then &quot;automatic failover&quot; can just compound the problem
-<LI>Typically, a particular machine cannot distinguish between losing contact with a peer because that peer crashed, or because the network link has failed
-<LI>If a network is partitioned and multiple clients start writing to each of the &quot;masters&quot; then reconciliation will be a pain; it may be best to simply deny writes to the clients that are partitioned from the single master
-<LI>Masters <B>must</B> propagate writes to <B>all</B> the other servers, which means the network traffic and write load is constant and spreads across all of the servers</UL></UL>
-<P>This is discussed in full in the <A HREF="#N-Way Multi-Master">N-Way Multi-Master</A> section below</P>
-<H3><A NAME="MirrorMode replication">16.2.4. MirrorMode replication</A></H3>
-<P>MirrorMode is a hybrid configuration that provides all of the consistency guarantees of single-master replication, while also providing the high availability of multi-master. In MirrorMode two masters are set up to replicate from each other (as a multi-master configuration) but an external frontend is employed to direct all writes to only one of the two servers. The second master will only be used for writes if the first master crashes, at which point the frontend will switch to directing all writes to the second master. When a crashed master is repaired and restarted it will automatically catch up to any changes on the running master and resync.</P>
-<P>This is discussed in full in the <A HREF="#MirrorMode">MirrorMode</A> section below</P>
-<H2><A NAME="LDAP Sync Replication">16.3. LDAP Sync Replication</A></H2>
+<H2><A NAME="Pull Based">17.2. Pull Based</A></H2>
+<H3><A NAME="LDAP Sync Replication">17.2.1. LDAP Sync Replication</A></H3>
 <P>The <TERM>LDAP Sync</TERM> Replication engine, <TERM>syncrepl</TERM> for short, is a consumer-side replication engine that enables the consumer <TERM>LDAP</TERM> server to maintain a shadow copy of a <TERM>DIT</TERM> fragment. A syncrepl engine resides at the consumer-side as one of the <EM>slapd</EM>(8) threads. It creates and maintains a consumer replica by connecting to the replication provider to perform the initial DIT content load followed either by periodic content polling or by timely updates upon content changes.</P>
 <P>Syncrepl uses the LDAP Content Synchronization (or LDAP Sync for short) protocol as the replica synchronization protocol.  It provides a stateful replication which supports both pull-based and push-based synchronization and does not mandate the use of a history store.</P>
 <P>Syncrepl keeps track of the status of the replication content by maintaining and exchanging synchronization cookies. Because the syncrepl consumer and provider maintain their content status, the consumer can poll the provider content to perform incremental synchronization by asking for the entries required to make the consumer replica up-to-date with the provider content. Syncrepl also enables convenient management of replicas by maintaining replica status.  The consumer replica can be constructed from a consumer-side or a provider-side backup at any synchronization status. Syncrepl can automatically resynchronize the consumer replica up-to-date with the current provider content.</P>
 <P>Syncrepl supports both pull-based and push-based synchronization. In its basic refreshOnly synchronization mode, the provider uses pull-based synchronization where the consumer servers need not be tracked and no history information is maintained.  The information required for the provider to process periodic polling requests is contained in the synchronization cookie of the request itself.  To optimize the pull-based synchronization, syncrepl utilizes the present phase of the LDAP Sync protocol as well as its delete phase, instead of falling back on frequent full reloads. To further optimize the pull-based synchronization, the provider can maintain a per-scope session log as a history store. In its refreshAndPersist mode of synchronization, the provider uses a push-based synchronization. The provider keeps track of the consumer servers that have requested a persistent search and sends them necessary updates as the provider replication content gets modified.</P>
 <P>With syncrepl, a consumer server can create a replica without changing the provider's configurations and without restarting the provider server, if the consumer server has appropriate access privileges for the DIT fragment to be replicated. The consumer server can stop the replication also without the need for provider-side changes and restart.</P>
 <P>Syncrepl supports both partial and sparse replications.  The shadow DIT fragment is defined by a general search criteria consisting of base, scope, filter, and attribute list.  The replica content is also subject to the access privileges of the bind identity of the syncrepl replication connection.</P>
-<H3><A NAME="The LDAP Content Synchronization Protocol">16.3.1. The LDAP Content Synchronization Protocol</A></H3>
+<H4><A NAME="The LDAP Content Synchronization Protocol">17.2.1.1. The LDAP Content Synchronization Protocol</A></H4>
 <P>The LDAP Sync protocol allows a client to maintain a synchronized copy of a DIT fragment. The LDAP Sync operation is defined as a set of controls and other protocol elements which extend the LDAP search operation. This section introduces the LDAP Content Sync protocol only briefly.  For more information, refer to <A HREF="http://www.rfc-editor.org/rfc/rfc4533.txt">RFC4533</A>.</P>
 <P>The LDAP Sync protocol supports both polling and listening for changes by defining two respective synchronization operations: <EM>refreshOnly</EM> and <EM>refreshAndPersist</EM>.  Polling is implemented by the <EM>refreshOnly</EM> operation.  The client copy is synchronized to the server copy at the time of polling.  The server finishes the search operation by returning <EM>SearchResultDone</EM> at the end of the search operation as in the normal search.  The listening is implemented by the <EM>refreshAndPersist</EM> operation.  Instead of finishing the search after returning all entries currently matching the search criteria, the synchronization search remains persistent in the server. Subsequent updates to the synchronization content in the server cause additional entry updates to be sent to the client.</P>
 <P>The <EM>refreshOnly</EM> operation and the refresh stage of the <EM>refreshAndPersist</EM> operation can be performed with a present phase or a delete phase.</P>
@@ -5228,7 +5926,7 @@
 <P>At the end of the <EM>refreshOnly</EM> synchronization, the server sends a synchronization cookie to the client as a state indicator of the client copy after the synchronization is completed.  The client will present the received cookie when it requests the next incremental synchronization to the server.</P>
 <P>When <EM>refreshAndPersist</EM> synchronization is used, the server sends a synchronization cookie at the end of the refresh stage by sending a Sync Info message with TRUE refreshDone.  It also sends a synchronization cookie by attaching it to <EM>SearchResultEntry</EM> generated in the persist stage of the synchronization search. During the persist stage, the server can also send a Sync Info message containing the synchronization cookie at any time the server wants to update the client-side state indicator.  The server also updates a synchronization indicator of the client at the end of the persist stage.</P>
 <P>In the LDAP Sync protocol, entries are uniquely identified by the <TT>entryUUID</TT> attribute value. It can function as a reliable identifier of the entry. The DN of the entry, on the other hand, can be changed over time and hence cannot be considered as the reliable identifier.  The <TT>entryUUID</TT> is attached to each <EM>SearchResultEntry</EM> or <EM>SearchResultReference</EM> as a part of the synchronization control.</P>
-<H3><A NAME="Syncrepl Details">16.3.2. Syncrepl Details</A></H3>
+<H4><A NAME="Syncrepl Details">17.2.1.2. Syncrepl Details</A></H4>
 <P>The syncrepl engine utilizes both the <EM>refreshOnly</EM> and the <EM>refreshAndPersist</EM> operations of the LDAP Sync protocol.  If a syncrepl specification is included in a database definition, <EM>slapd</EM>(8) launches a syncrepl engine as a <EM>slapd</EM>(8) thread and schedules its execution. If the <EM>refreshOnly</EM> operation is specified, the syncrepl engine will be rescheduled at the interval time after a synchronization operation is completed.  If the <EM>refreshAndPersist</EM> operation is specified, the engine will remain active and process the persistent synchronization messages from the provider.</P>
 <P>The syncrepl engine utilizes both the present phase and the delete phase of the refresh synchronization. It is possible to configure a per-scope session log in the provider server which stores the <TT>entryUUID</TT>s of a finite number of entries deleted from a replication content.  Multiple replicas of single provider content share the same per-scope session log. The syncrepl engine uses the delete phase if the session log is present and the state of the consumer server is recent enough that no session log entries are truncated after the last synchronization of the client.  The syncrepl engine uses the present phase if no session log is configured for the replication content or if the consumer replica is too outdated to be covered by the session log.  The current design of the session log store is memory based, so the information contained in the session log is not persistent over multiple provider invocations. It is not currently supported to access the session log store by using LDAP operations. It is also not currently supported to impose access control to the session log.</P>
 <P>As a further optimization, even in the case the synchronization search is not associated with any session log, no entries will be transmitted to the consumer server when there has been no update in the replication context.</P>
@@ -5240,11 +5938,61 @@
 <P>The consumer also stores its replica state, which is the provider's <TT>contextCSN</TT> received as a synchronization cookie, in the <TT>contextCSN</TT> attribute of the suffix entry.  The replica state maintained by a consumer server is used as the synchronization state indicator when it performs subsequent incremental synchronization with the provider server. It is also used as a provider-side synchronization state indicator when it functions as a secondary provider server in a cascading replication configuration.  Since the consumer and provider state information are maintained in the same location within their respective databases, any consumer can be promoted to a provider (and vice versa) without any special actions.</P>
 <P>Because a general search filter can be used in the syncrepl specification, some entries in the context may be omitted from the synchronization content.  The syncrepl engine creates a glue entry to fill in the holes in the replica context if any part of the replica content is subordinate to the holes. The glue entries will not be returned in the search result unless <EM>ManageDsaIT</EM> control is provided.</P>
 <P>Also as a consequence of the search filter used in the syncrepl specification, it is possible for a modification to remove an entry from the replication scope even though the entry has not been deleted on the provider. Logically the entry must be deleted on the consumer but in <EM>refreshOnly</EM> mode the provider cannot detect and propagate this change without the use of the session log.</P>
-<H3><A NAME="Configuring Syncrepl">16.3.3. Configuring Syncrepl</A></H3>
+<P>For configuration, please see the <A HREF="#Syncrepl">Syncrepl</A> section.</P>
+<H3><A NAME="Delta-syncrepl replication">17.2.2. Delta-syncrepl replication</A></H3>
+<UL>
+<LI>Disadvantages of Syncrepl replication:</UL>
+<P>OpenLDAP's syncrepl replication is an object-based replication mechanism. When any attribute value in a replicated object is changed on the provider, each consumer fetches and processes the complete changed object {B:both changed and unchanged attribute values} during replication. This works well, but has drawbacks in some situations.</P>
+<P>For example, suppose you have a database consisting of 100,000 objects of 1 KB each. Further, suppose you routinely run a batch job to change the value of a single two-byte attribute value that appears in each of the 100,000 objects on the master. Not counting LDAP and TCP/IP protocol overhead, each time you run this job each consumer will transfer and process {B:1 GB} of data to process {B:200KB of changes! }</P>
+<P>99.98% of the data that is transmitted and processed in a case like this will be redundant, since it represents values that did not change. This is a waste of valuable transmission and processing bandwidth and can cause an unacceptable replication backlog to develop. While this situation is extreme, it serves to demonstrate a very real problem that is encountered in some LDAP deployments.</P>
+<UL>
+<LI>Where Delta-syncrepl comes in:</UL>
+<P>Delta-syncrepl, a changelog-based variant of syncrepl, is designed to address situations like the one described above. Delta-syncrepl works by maintaining a changelog of a selectable depth on the provider. The replication consumer on each consumer checks the changelog for the changes it needs and, as long as the changelog contains the needed changes, the delta-syncrepl consumer fetches them from the changelog and applies them to its database. If, however, a replica is too far out of sync (or completely empty), conventional syncrepl is used to bring it up to date and replication then switches to the delta-syncrepl mode.</P>
+<P>For configuration, please see the <A HREF="#Delta-syncrepl">Delta-syncrepl</A> section.</P>
+<H2><A NAME="Mixture of both Pull and Push based">17.3. Mixture of both Pull and Push based</A></H2>
+<H3><A NAME="N-Way Multi-Master replication">17.3.1. N-Way Multi-Master replication</A></H3>
+<P>Multi-Master replication is a replication technique using Syncrepl to replicate data to multiple Master Directory servers.</P>
+<UL>
+<LI>Advantages of Multi-Master replication:<UL>
+<LI>If any master fails, other masters will continue to accept updates
+<LI>Avoids a single point of failure
+<LI>Masters can be located in several physical sites i.e. distributed across the network/globe.
+<LI>Good for Automatic failover/High Availability</UL>
+<LI>Disadvantages of Multi-Master replication:<UL>
+<LI>It has <B>NOTHING</B> to do with load balancing
+<LI><A HREF="http://www.openldap.org/faq/data/cache/1240.html">http://www.openldap.org/faq/data/cache/1240.html</A>
+<LI>If connectivity with a master is lost because of a network partition, then &quot;automatic failover&quot; can just compound the problem
+<LI>Typically, a particular machine cannot distinguish between losing contact with a peer because that peer crashed, or because the network link has failed
+<LI>If a network is partitioned and multiple clients start writing to each of the &quot;masters&quot; then reconciliation will be a pain; it may be best to simply deny writes to the clients that are partitioned from the single master
+<LI>Masters <B>must</B> propagate writes to <B>all</B> the other servers, which means the network traffic and write load is constant and spreads across all of the servers</UL></UL>
+<P>For configuration, please see the <A HREF="#N-Way Multi-Master">N-Way Multi-Master</A> section below</P>
+<H3><A NAME="MirrorMode replication">17.3.2. MirrorMode replication</A></H3>
+<P>MirrorMode is a hybrid configuration that provides all of the consistency guarantees of single-master replication, while also providing the high availability of multi-master. In MirrorMode two masters are set up to replicate from each other (as a multi-master configuration) but an external frontend is employed to direct all writes to only one of the two servers. The second master will only be used for writes if the first master crashes, at which point the frontend will switch to directing all writes to the second master. When a crashed master is repaired and restarted it will automatically catch up to any changes on the running master and resync.</P>
+<H4><A NAME="Arguments for MirrorMode">17.3.2.1. Arguments for MirrorMode</A></H4>
+<UL>
+<LI>Provides a high-availability (HA) solution for directory writes (replicas handle reads)
+<LI>As long as one Master is operational, writes can safely be accepted
+<LI>Master nodes replicate from each other, so they are always up to date and can be ready to take over (hot standby)
+<LI>Syncrepl also allows the master nodes to re-synchronize after any downtime
+<LI>Delta-Syncrepl can be used</UL>
+<H4><A NAME="Arguments against MirrorMode">17.3.2.2. Arguments against MirrorMode</A></H4>
+<UL>
+<LI>MirrorMode is not what is termed as a Multi-Master solution. This is because writes have to go to one of the mirror nodes at a time
+<LI>MirrorMode can be termed as Active-Active Hot-Standby, therefor an external server (slapd in proxy mode) or device (hardware load balancer) to manage which master is currently active
+<LI>While syncrepl can recover from a completely empty database, slapadd is much faster
+<LI>Does not provide faster or more scalable write performance (neither could any Multi-Master solution)
+<LI>Backups are managed slightly differently<UL>
+<LI>If backing up the Berkeley database itself and periodically backing up the transaction log files, then the same member of the mirror pair needs to be used to collect logfiles until the next database backup is taken
+<LI>To ensure that both databases are consistent, each database might have to be put in read-only mode while performing a slapcat.
+<LI>When using slapcat, the generated LDIF files can be rather large. This can happen with a non-MirrorMode deployment also.</UL></UL>
+<P>For configuration, please see the <A HREF="#MirrorMode">MirrorMode</A> section below</P>
+<H2><A NAME="Configuring the different replication types">17.4. Configuring the different replication types</A></H2>
+<H3><A NAME="Syncrepl">17.4.1. Syncrepl</A></H3>
+<H4><A NAME="Syncrepl configuration">17.4.1.1. Syncrepl configuration</A></H4>
 <P>Because syncrepl is a consumer-side replication engine, the syncrepl specification is defined in <EM>slapd.conf</EM>(5) of the consumer server, not in the provider server's configuration file.  The initial loading of the replica content can be performed either by starting the syncrepl engine with no synchronization cookie or by populating the consumer replica by adding an <TERM>LDIF</TERM> file dumped as a backup at the provider.</P>
 <P>When loading from a backup, it is not required to perform the initial loading from the up-to-date backup of the provider content. The syncrepl engine will automatically synchronize the initial consumer replica to the current provider content. As a result, it is not required to stop the provider server in order to avoid the replica inconsistency caused by the updates to the provider content during the content backup and loading process.</P>
 <P>When replicating a large scale directory, especially in a bandwidth constrained environment, it is advised to load the consumer replica from a backup instead of performing a full initial load using syncrepl.</P>
-<H4><A NAME="Set up the provider slapd">16.3.3.1. Set up the provider slapd</A></H4>
+<H4><A NAME="Set up the provider slapd">17.4.1.2. Set up the provider slapd</A></H4>
 <P>The provider is implemented as an overlay, so the overlay itself must first be configured in <EM>slapd.conf</EM>(5) before it can be used. The provider has only two configuration directives, for setting checkpoints on the <TT>contextCSN</TT> and for configuring the session log.  Because the LDAP Sync search is subject to access control, proper access control privileges should be set up for the replicated content.</P>
 <P>The <TT>contextCSN</TT> checkpoint is configured by the</P>
 <PRE>
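Review bot: the worked example in the new Delta-syncrepl paragraph does not add up: 100,000 objects of 1 KB each is about 100 MB, not 1 GB, so each run moves roughly 100 MB to apply 200 KB of changes, and the "99.98%" redundancy figure in the following paragraph would then be about 99.8%; either the object count or the totals should be adjusted so the three numbers agree. The same two paragraphs also carry SDF-style markup that leaked into the HTML (`{B:both changed and unchanged attribute values}`, `{B:1 GB}`, `{B:200KB of changes! }`), which should be rendered as <B>...</B> like the rest of the page. Finally, the one-item lists "Disadvantages of Syncrepl replication:" and "Where Delta-syncrepl comes in:" are doing the job of sub-headings; an <H4> would match how the rest of this chapter is structured.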
@@ -5269,7 +6017,7 @@
         syncprov-checkpoint 100 10
         syncprov-sessionlog 100
 </PRE>
-<H4><A NAME="Set up the consumer slapd">16.3.3.2. Set up the consumer slapd</A></H4>
+<H4><A NAME="Set up the consumer slapd">17.4.1.3. Set up the consumer slapd</A></H4>
 <P>The syncrepl replication is specified in the database section of <EM>slapd.conf</EM>(5) for the replica context.  The syncrepl engine is backend independent and the directive can be defined with any database type.</P>
 <PRE>
         database hdb
@@ -5294,46 +6042,234 @@
 <P>In this example, the consumer will connect to the provider <EM>slapd</EM>(8) at port 389 of <A HREF="ldap://provider.example.com">ldap://provider.example.com</A> to perform a polling (<EM>refreshOnly</EM>) mode of synchronization once a day.  It will bind as <TT>cn=syncuser,dc=example,dc=com</TT> using simple authentication with password &quot;secret&quot;.  Note that the access control privilege of <TT>cn=syncuser,dc=example,dc=com</TT> should be set appropriately in the provider to retrieve the desired replication content. Also the search limits must be high enough on the provider to allow the syncuser to retrieve a complete copy of the requested content.  The consumer uses the rootdn to write to its database so it always has full permissions to write all content.</P>
 <P>The synchronization search in the above example will search for the entries whose objectClass is organizationalPerson in the entire subtree rooted at <TT>dc=example,dc=com</TT>. The requested attributes are <TT>cn</TT>, <TT>sn</TT>, <TT>ou</TT>, <TT>telephoneNumber</TT>, <TT>title</TT>, and <TT>l</TT>. The schema checking is turned off, so that the consumer <EM>slapd</EM>(8) will not enforce entry schema checking when it process updates from the provider <EM>slapd</EM>(8).</P>
 <P>For more detailed information on the syncrepl directive, see the <A HREF="#syncrepl">syncrepl</A> section of <A HREF="#The slapd Configuration File">The slapd Configuration File</A> chapter of this admin guide.</P>
-<H4><A NAME="Start the provider and the consumer slapd">16.3.3.3. Start the provider and the consumer slapd</A></H4>
+<H4><A NAME="Start the provider and the consumer slapd">17.4.1.4. Start the provider and the consumer slapd</A></H4>
 <P>The provider <EM>slapd</EM>(8) is not required to be restarted. <EM>contextCSN</EM> is automatically generated as needed: it might be originally contained in the <TERM>LDIF</TERM> file, generated by <EM>slapadd</EM> (8), generated upon changes in the context, or generated when the first LDAP Sync search arrives at the provider.  If an LDIF file is being loaded which did not previously contain the <EM>contextCSN</EM>, the <EM>-w</EM> option should be used with <EM>slapadd</EM> (8) to cause it to be generated. This will allow the server to startup a little quicker the first time it runs.</P>
 <P>When starting a consumer <EM>slapd</EM>(8), it is possible to provide a synchronization cookie as the <EM>-c cookie</EM> command line option in order to start the synchronization from a specific state.  The cookie is a comma separated list of name=value pairs. Currently supported syncrepl cookie fields are <EM>csn=&lt;csn&gt;</EM> and <EM>rid=&lt;rid&gt;</EM>. <EM>&lt;csn&gt;</EM> represents the current synchronization state of the consumer replica.  <EM>&lt;rid&gt;</EM> identifies a consumer replica locally within the consumer server. It is used to relate the cookie to the syncrepl definition in <EM>slapd.conf</EM>(5) which has the matching replica identifier.  The <EM>&lt;rid&gt;</EM> must have no more than 3 decimal digits.  The command line cookie overrides the synchronization cookie stored in the consumer replica database.</P>
-<H2><A NAME="N-Way Multi-Master">16.4. N-Way Multi-Master</A></H2>
-<P>Import and expand from link:</P>
-<P><A HREF="http://blog.suretecsystems.com/archives/40-OpenLDAP-Weekly-News-Issue-5.html#extended">http://blog.suretecsystems.com/archives/40-OpenLDAP-Weekly-News-Issue-5.html#extended</A></P>
-<H2><A NAME="MirrorMode">16.5. MirrorMode</A></H2>
-<H3><A NAME="Arguments for MirrorMode">16.5.1. Arguments for MirrorMode</A></H3>
-<UL>
-<LI>Provides a high-availability (HA) solution for directory writes (replicas handle reads)
-<LI>As long as one Master is operational, writes can safely be accepted
-<LI>Master nodes replicate from each other, so they are always up to date and can be ready to take over (hot standby)
-<LI>Syncrepl also allows the master nodes to re-synchronize after any downtime
-<LI>Delta-Syncrepl can be used</UL>
-<H3><A NAME="Arguments against MirrorMode">16.5.2. Arguments against MirrorMode</A></H3>
-<UL>
-<LI>MirrorMode is not what is termed as a Multi-Master solution. This is because writes have to go to one of the mirror nodes at a time
-<LI>MirrorMode can be termed as Active-Active Hot-Standby, therefor an external server (slapd in proxy mode) or device (hardware load balancer) to manage which master is currently active
-<LI>While syncrepl can recover from a completely empty database, slapadd is much faster
-<LI>Does not provide faster or more scalable write performance (neither could any Multi-Master solution)
-<LI>Backups are managed slightly differently<UL>
-<LI>If backing up the Berkeley database itself and periodically backing up the transaction log files, then the same member of the mirror pair needs to be used to collect logfiles until the next database backup is taken
-<LI>To ensure that both databases are consistent, each database might have to be put in read-only mode while performing a slapcat.
-<LI>When using slapcat, the generated LDIF files can be rather large. This can happen with a non-MirrorMode deployment also.</UL></UL>
-<H3><A NAME="MirrorMode Configuration">16.5.3. MirrorMode Configuration</A></H3>
+<H3><A NAME="Delta-syncrepl">17.4.2. Delta-syncrepl</A></H3>
+<H4><A NAME="Delta-syncrepl Master configuration">17.4.2.1. Delta-syncrepl Master configuration</A></H4>
+<P>Setting up delta-syncrepl requires configuration changes on both the master and replica servers:</P>
+<PRE>
+     # Give the replica DN unlimited read access.  This ACL may need to be
+     # merged with other ACL statements.
+
+     access to *
+        by dn.base=&quot;cn=replicator,dc=symas,dc=com&quot; read
+        by * break
+
+     # Set the module path location
+     modulepath /opt/symas/lib/openldap
+
+     # Load the hdb backend
+     moduleload back_hdb.la
+
+     # Load the accesslog overlay
+     moduleload accesslog.la
+
+     #Load the syncprov overlay
+     moduleload syncprov.la
+
+     # Accesslog database definitions
+     database hdb
+     suffix cn=accesslog
+     directory /db/accesslog
+     rootdn cn=accesslog
+     index default eq
+     index entryCSN,objectClass,reqEnd,reqResult,reqStart
+
+     overlay syncprov
+     syncprov-nopresent TRUE
+     syncprov-reloadhint TRUE
+
+     # Let the replica DN have limitless searches
+     limits dn.exact=&quot;cn=replicator,dc=symas,dc=com&quot; time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
+
+     # Primary database definitions
+     database hdb
+     suffix &quot;dc=symas,dc=com&quot;
+     rootdn &quot;cn=manager,dc=symas,dc=com&quot;
+
+     ## Whatever other configuration options are desired
+
+     # syncprov specific indexing
+     index entryCSN eq
+     index entryUUID eq
+
+     # syncrepl Provider for primary db
+     overlay syncprov
+     syncprov-checkpoint 1000 60
+
+     # accesslog overlay definitions for primary db
+     overlay accesslog
+     logdb cn=accesslog
+     logops writes
+     logsuccess TRUE
+     # scan the accesslog DB every day, and purge entries older than 7 days
+     logpurge 07+00:00 01+00:00
+
+     # Let the replica DN have limitless searches
+     limits dn.exact=&quot;cn=replicator,dc=symas,dc=com&quot; time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
+</PRE>
+<P>For more information, always consult the relevant man pages (slapo-accesslog and slapd.conf)</P>
+<H4><A NAME="Delta-syncrepl Replica configuration">17.4.2.2. Delta-syncrepl Replica configuration</A></H4>
+<PRE>
+     # Primary replica database configuration
+     database hdb
+     suffix &quot;dc=symas,dc=com&quot;
+     rootdn &quot;cn=manager,dc=symas,dc=com&quot;
+
+     ## Whatever other configuration bits for the replica, like indexing
+     ## that you want
+
+     # syncrepl specific indices
+     index entryUUID eq
+
+     # syncrepl directives
+     syncrepl  rid=0
+               provider=ldap://ldapmaster.symas.com:389
+               bindmethod=simple
+               binddn=&quot;cn=replicator,dc=symas,dc=com&quot;
+               credentials=secret
+               searchbase=&quot;dc=symas,dc=com&quot;
+               logbase=&quot;cn=accesslog&quot;
+               logfilter=&quot;(&amp;(objectClass=auditWriteObject)(reqResult=0))&quot;
+               schemachecking=on
+               type=refreshAndPersist
+               retry=&quot;60 +&quot;
+               syncdata=accesslog
+
+     # Refer updates to the master
+     updateref               ldap://ldapmaster.symas.com
+</PRE>
+<P>The above configuration assumes that you have a replicator identity defined in your database that can be used to bind to the master with. In addition, all of the databases (primary master, primary replica, and the accesslog storage database) should also have properly tuned <EM>DB_CONFIG</EM> files that meet your needs.</P>
+<H3><A NAME="N-Way Multi-Master">17.4.3. N-Way Multi-Master</A></H3>
+<P>For the following example we will be using 3 Master nodes. Keeping in line with <B>test050-syncrepl-multimaster</B> of the OpenLDAP test suite, we will be configuring <EM>slapd(8)</EM> via <B>cn=config</B></P>
+<P>This sets up the config database:</P>
+<PRE>
+     dn: cn=config
+     objectClass: olcGlobal
+     cn: config
+     olcServerID: 1
+
+     dn: olcDatabase={0}config,cn=config
+     objectClass: olcDatabaseConfig
+     olcDatabase: {0}config
+     olcRootPW: secret
+</PRE>
+<P>second and third servers will have a different olcServerID obviously:</P>
+<PRE>
+     dn: cn=config
+     objectClass: olcGlobal
+     cn: config
+     olcServerID: 2
+
+     dn: olcDatabase={0}config,cn=config
+     objectClass: olcDatabaseConfig
+     olcDatabase: {0}config
+     olcRootPW: secret
+</PRE>
+<P>This sets up syncrepl as a provider (since these are all masters):</P>
+<PRE>
+     dn: cn=module,cn=config
+     objectClass: olcModuleList
+     cn: module
+     olcModulePath: /usr/local/libexec/openldap
+     olcModuleLoad: syncprov.la
+</PRE>
+<P>Now we setup the first Master Node (replace $URI1, $URI2 and $URI3 etc. with your actual ldap urls):</P>
+<PRE>
+     dn: cn=config
+     changetype: modify
+     replace: olcServerID
+     olcServerID: 1 $URI1
+     olcServerID: 2 $URI2
+     olcServerID: 3 $URI3
+
+     dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
+     changetype: add
+     objectClass: olcOverlayConfig
+     objectClass: olcSyncProvConfig
+     olcOverlay: syncprov
+
+     dn: olcDatabase={0}config,cn=config
+     changetype: modify
+     add: olcSyncRepl
+     olcSyncRepl: rid=001 provider=$URI1 binddn=&quot;cn=config&quot; bindmethod=simple
+       credentials=secret searchbase=&quot;cn=config&quot; type=refreshAndPersist
+       retry=&quot;5 5 300 5&quot; timeout=1
+     olcSyncRepl: rid=002 provider=$URI2 binddn=&quot;cn=config&quot; bindmethod=simple
+       credentials=secret searchbase=&quot;cn=config&quot; type=refreshAndPersist
+       retry=&quot;5 5 300 5&quot; timeout=1
+     olcSyncRepl: rid=003 provider=$URI3 binddn=&quot;cn=config&quot; bindmethod=simple
+       credentials=secret searchbase=&quot;cn=config&quot; type=refreshAndPersist
+       retry=&quot;5 5 300 5&quot; timeout=1
+     -
+     add: olcMirrorMode
+     olcMirrorMode: TRUE
+</PRE>
+<P>Now start up the Master and a consumer/s, also add the above LDIF to the first consumer, second consumer etc. It will then replicate <B>cn=config</B>. You now have N-Way Multimaster on the config database.</P>
+<P>We still have to replicate the actual data, not just the config, so add to the master (all active and configured consumers/masters will pull down this config, as they are all syncing). Also, replace all <EM>${</EM>} variables with whatever is applicable to your setup:</P>
+<PRE>
+     dn: olcDatabase={1}$BACKEND,cn=config
+     objectClass: olcDatabaseConfig
+     objectClass: olc${BACKEND}Config
+     olcDatabase: {1}$BACKEND
+     olcSuffix: $BASEDN
+     olcDbDirectory: ./db
+     olcRootDN: $MANAGERDN
+     olcRootPW: $PASSWD
+     olcSyncRepl: rid=004 provider=$URI1 binddn=&quot;$MANAGERDN&quot; bindmethod=simple
+       credentials=$PASSWD searchbase=&quot;$BASEDN&quot; type=refreshOnly
+       interval=00:00:00:10 retry=&quot;5 5 300 5&quot; timeout=1
+     olcSyncRepl: rid=005 provider=$URI2 binddn=&quot;$MANAGERDN&quot; bindmethod=simple
+       credentials=$PASSWD searchbase=&quot;$BASEDN&quot; type=refreshOnly
+       interval=00:00:00:10 retry=&quot;5 5 300 5&quot; timeout=1
+     olcSyncRepl: rid=006 provider=$URI3 binddn=&quot;$MANAGERDN&quot; bindmethod=simple
+       credentials=$PASSWD searchbase=&quot;$BASEDN&quot; type=refreshOnly
+       interval=00:00:00:10 retry=&quot;5 5 300 5&quot; timeout=1
+     olcMirrorMode: TRUE
+
+     dn: olcOverlay=syncprov,olcDatabase={1}${BACKEND},cn=config
+     changetype: add
+     objectClass: olcOverlayConfig
+     objectClass: olcSyncProvConfig
+     olcOverlay: syncprov
+</PRE>
+<P><HR WIDTH="80%" ALIGN="Left">
+<STRONG>Note: </STRONG>You must have all your server set to the same time via <A HREF="http://www.ntp.org/">http://www.ntp.org/</A>
+<HR WIDTH="80%" ALIGN="Left"></P>
+<H3><A NAME="MirrorMode">17.4.4. MirrorMode</A></H3>
 <P>MirrorMode configuration is actually very easy. If you have ever setup a normal slapd syncrepl provider, then the only change is the following two directives:</P>
 <PRE>
        mirrormode  on
        serverID    1
 </PRE>
 <P><HR WIDTH="80%" ALIGN="Left">
-<STRONG>Note: </STRONG>You need to make sure that the <EM>serverID</EM> of each mirror node pair is different and that the <EM>provider</EM> syncrepl directive points to the opposite mirror node.
+<STRONG>Note: </STRONG>You need to make sure that the <EM>serverID</EM> of each mirror node pair is different and add it as a global configuration option.
 <HR WIDTH="80%" ALIGN="Left"></P>
-<H4><A NAME="Mirror Node Configuration">16.5.3.1. Mirror Node Configuration</A></H4>
-<P>This is the same as the <A HREF="#Set up the provider slapd">Set up the provider slapd</A> section, reference <A HREF="#delta-syncrepl replication">delta-syncrepl replication</A> if using <EM>delta-syncrepl</EM>.</P>
-<P>Here's a specific cut down example using <A HREF="#LDAP Sync Replication">LDAP Sync Replication</A> in <EM>refreshAndPersist</EM> mode (<EM>delta-syncrepl</EM> can be used also):</P>
+<H4><A NAME="Mirror Node Configuration">17.4.4.1. Mirror Node Configuration</A></H4>
+<P>This is the same as the <A HREF="#Set up the provider slapd">Set up the provider slapd</A> section.</P>
+<P><HR WIDTH="80%" ALIGN="Left">
+<STRONG>Note: </STRONG>Delta-syncrepl is not yet supported with MirrorMode.
+<HR WIDTH="80%" ALIGN="Left"></P>
+<P>Here's a specific cut down example using <A HREF="#LDAP Sync Replication">LDAP Sync Replication</A> in <EM>refreshAndPersist</EM> mode:</P>
 <P>MirrorMode node 1:</P>
 <PRE>
+       # Global section
+       serverID    1
+       # database section
+
        # syncrepl directives
-       syncrepl      rid=1
+       syncrepl      rid=001
+                     provider=ldap://ldap-ridr1.example.com
+                     bindmethod=simple
+                     binddn=&quot;cn=mirrormode,dc=example,dc=com&quot;
+                     credentials=mirrormode
+                     searchbase=&quot;dc=example,dc=com&quot;
+                     schemachecking=on
+                     type=refreshAndPersist
+                     retry=&quot;60 +&quot;
+
+       syncrepl      rid=002
                      provider=ldap://ldap-rid2.example.com
                      bindmethod=simple
                      binddn=&quot;cn=mirrormode,dc=example,dc=com&quot;
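Review bot: the new Note under Mirror Node Configuration says "Delta-syncrepl is not yet supported with MirrorMode", but the "Arguments for MirrorMode" list added earlier in this same patch still ends with "Delta-Syncrepl can be used"; one of the two should change so the chapter does not contradict itself. In the MirrorMode node 1 example the first provider URL reads `ldap-ridr1.example.com` while the second reads `ldap-rid2.example.com`, which looks like a typo for `ldap-rid1`. Smaller points: the Note after the N-Way example should read "all your servers set to the same time", and `replace all <EM>${</EM>} variables` has the emphasis markup inside the variable syntax. The Delta-syncrepl and N-Way examples embed a reusable bind password (`credentials=secret`, `olcRootPW: secret`) in slapd.conf and in the cn=config LDIF; a sentence reminding readers to restrict access to the files and config database that hold it would sit naturally next to the existing reminder about tuned DB_CONFIG files.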
@@ -5344,13 +6280,16 @@
                      retry=&quot;60 +&quot;
 
        mirrormode on
-       serverID    1
 </PRE>
 <P>MirrorMode node 2:</P>
 <PRE>
+       # Global section
+       serverID    2
+       # database section
+
        # syncrepl directives
-       syncrepl      rid=1
-                     provider=ldap://ldap-rid1.example.com
+       syncrepl      rid=001
+                     provider=ldap://ldap-ridr1.example.com
                      bindmethod=simple
                      binddn=&quot;cn=mirrormode,dc=example,dc=com&quot;
                      credentials=mirrormode
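Review bot: the replaced provider line in the node 2 example now reads `ldap-ridr1.example.com`, where the line it replaces had `ldap-rid1.example.com` and the sibling directive uses `ldap-rid2.example.com`; this looks like a typo introduced by the edit and will mislead anyone copying the example. Moving `serverID 2` into the `# Global section` block is consistent with the updated Note above that serverID is a global option, so that part reads correctly.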
@@ -5359,24 +6298,33 @@
                      type=refreshAndPersist
                      retry=&quot;60 +&quot;
 
+       syncrepl      rid=002
+                     provider=ldap://ldap-rid2.example.com
+                     bindmethod=simple
+                     binddn=&quot;cn=mirrormode,dc=example,dc=com&quot;
+                     credentials=mirrormode
+                     searchbase=&quot;dc=example,dc=com&quot;
+                     schemachecking=on
+                     type=refreshAndPersist
+                     retry=&quot;60 +&quot;
+
        mirrormode on
-       serverID    2
 </PRE>
-<P>It's simple really; each MirrorMode node is setup <B>exactly</B> the same, except that the <B>provider</B> directive is set to point to the other MirrorMode node and the <EM>serverID</EM> is unique.</P>
-<H4><A NAME="Failover Configuration">16.5.3.2. Failover Configuration</A></H4>
+<P>It's simple really; each MirrorMode node is setup <B>exactly</B> the same, except that the <EM>serverID</EM> is unique.</P>
+<H5><A NAME="Failover Configuration">17.4.4.1.1. Failover Configuration</A></H5>
 <P>There are generally 2 choices for this; 1.  Hardware proxies/load-balancing or dedicated proxy software, 2. using a Back-LDAP proxy as a syncrepl provider</P>
 <P>A typical enterprise example might be:</P>
 <P><CENTER><IMG SRC="dual_dc.png" ALIGN="center"></CENTER></P>
 <P ALIGN="Center">Figure X.Y: MirrorMode in a Dual Data Center Configuration</P>
-<H4><A NAME="Normal Consumer Configuration">16.5.3.3. Normal Consumer Configuration</A></H4>
+<H5><A NAME="Normal Consumer Configuration">17.4.4.1.2. Normal Consumer Configuration</A></H5>
 <P>This is exactly the same as the <A HREF="#Set up the consumer slapd">Set up the consumer slapd</A> section. It can either setup in normal <A HREF="#syncrepl replication">syncrepl replication</A> mode, or in <A HREF="#delta-syncrepl replication">delta-syncrepl replication</A> mode.</P>
-<H3><A NAME="MirrorMode Summary">16.5.4. MirrorMode Summary</A></H3>
+<H4><A NAME="MirrorMode Summary">17.4.4.2. MirrorMode Summary</A></H4>
 <P>Hopefully you will now have a directory architecture that provides all of the consistency guarantees of single-master replication, whilst also providing the high availability of multi-master replication.</P>
 <P></P>
 <HR>
-<H1><A NAME="Maintenance">17. Maintenance</A></H1>
+<H1><A NAME="Maintenance">18. Maintenance</A></H1>
 <P>System Administration is all about maintenance, so it is only fair that we discuss how to correctly maintain an OpenLDAP deployment.</P>
-<H2><A NAME="Directory Backups">17.1. Directory Backups</A></H2>
+<H2><A NAME="Directory Backups">18.1. Directory Backups</A></H2>
 <P>Backup strategies largely depend on the amount of change in the database and how much of that change an administrator might be willing to lose in a catastrophic failure. There are two basic methods that can be used:</P>
 <P>1. Backup the Berkeley database itself and periodically back up the transaction log files:</P>
 <P>Berkeley DB produces transaction logs that can be used to reconstruct changes from a given point in time. For example, if an administrator were willing to only lose one hour's worth of changes, they could take down the server in the middle of the night, copy the Berkeley database files offsite, and bring the server back online. Then, on an hourly basis, they could force a database checkpoint, capture the log files that have been generated in the past hour, and copy them offsite. The accumulated log files, in combination with the previous database backup, could be used with db_recover to reconstruct the database up to the time the last collection of log files was copied offsite. This method affords good protection, with minimal space overhead.</P>
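Review bot: the replacement sentence "each MirrorMode node is setup exactly the same, except that the serverID is unique" drops the old explanation that the provider directive points to the opposite node, but nothing now explains why each node carries two syncrepl directives (rid=001 and rid=002), one of which names the node itself; a short sentence on why that is intended would stop readers from "fixing" it. Minor: "is setup exactly the same" should be "is set up exactly the same".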
@@ -5388,7 +6336,7 @@
 </PRE>
 <P>For back-bdb and back-hdb, this command may be ran while slapd(8) is running.</P>
 <P>MORE on actual Berkeley DB backups later covering db_recover etc.</P>
-<H2><A NAME="Berkeley DB Logs">17.2. Berkeley DB Logs</A></H2>
+<H2><A NAME="Berkeley DB Logs">18.2. Berkeley DB Logs</A></H2>
 <P>Berkeley DB log files grow, and the administrator has to deal with it. The procedure is known as log file archival or log file rotation.</P>
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>The actual log file rotation is handled by the Berkeley DB engine.
@@ -5401,10 +6349,11 @@
 <P>The files with names <TT>__db.001</TT>, <TT>__db.002</TT>, etc are just shared memory regions (or whatever). These ARE NOT 'logs', they must be left alone. Don't be afraid of them, they do not grow like logs do.</P>
 <P>To understand the <TT>db_archive</TT> interface, the reader should refer to chapter 9 of the Berkeley DB guide. In particular, the following chapters are recommended:</P>
 <UL>
-<LI>Database and log file archival
-<LI>Log file removal
-<LI>Recovery procedures
-<LI>Hot failover</UL>
+<LI>Database and log file archival - <A HREF="http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/archival.html">http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/archival.html</A>
+<LI>Log file removal - <A HREF="http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/logfile.html">http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/logfile.html</A>
+<LI>Recovery procedures - <A HREF="http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/recovery.html">http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/recovery.html</A>
+<LI>Hot failover - <A HREF="http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/hotfail.html">http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/hotfail.html</A>
+<LI>Complete list of Berkeley DB flags - <A HREF="http://www.oracle.com/technology/documentation/berkeley-db/db/api_c/env_set_flags.html">http://www.oracle.com/technology/documentation/berkeley-db/db/api_c/env_set_flags.html</A></UL>
 <P>Advanced installations can use special environment settings to fine-tune some Berkeley DB options (change the log file limit, etc). This can be done by using the <TT>DB_CONFIG</TT> file. This magic file can be created in BDB backend directory set up by <EM>slapd.conf</EM>(5). More information on this file can be found in File naming chapter. Specific directives can be found in C Interface, look for <EM>DB_ENV-&gt;set_XXXX</EM> calls.</P>
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>options set in <TT>DB_CONFIG</TT> file override options set by OpenLDAP. Use them with extreme caution. Do not use them unless You know what You are doing.
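Review bot: the fifth list item added here ("Complete list of Berkeley DB flags") does not fit the lead-in sentence, which announces "the following chapters" of chapter 9 of the Berkeley DB guide; the env_set_flags.html target is an API reference page, not a chapter. Suggest moving that link into the DB_CONFIG paragraph that follows (which already tells the reader to look for DB_ENV->set_XXXX calls in the C interface), or rewording the lead-in to "the following pages". The four chapter links themselves match their item titles.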
@@ -5415,24 +6364,24 @@
 <LI>to fine-tune some specific options (such as shared memory region sizes);
 <LI>to set the log file limit (please read Log file limits before doing this).</UL>
 <P>To figure out the best-practice BDB backup scenario, the reader is highly recommended to read the whole Chapter 9: Berkeley DB Transactional Data Store Applications. This chapter is a set of small pages with examples in C language. Non-programming people can skip this examples without loss of knowledge.</P>
-<H2><A NAME="Checkpointing">17.3. Checkpointing</A></H2>
+<H2><A NAME="Checkpointing">18.3. Checkpointing</A></H2>
 <P>MORE/TIDY</P>
 <P>If you put &quot;checkpoint 1024 5&quot; in slapd.conf (to checkpoint after 1024kb or 5 minutes, for example), this does not checkpoint every 5 minutes as you may think. The explanation from Howard is:</P>
 <P>'In OpenLDAP 2.1 and 2.2 the checkpoint directive acts as follows - *when there is a write operation*, and more than &lt;check&gt; minutes have occurred since the last checkpoint, perform the checkpoint. If more than &lt;check&gt; minutes pass after a write without any other write operations occurring, no checkpoint is performed, so it's possible to lose the last write that occurred.''</P>
 <P>In other words, a write operation occurring less than &quot;check&quot; minutes after the last checkpoint will not be checkpointed until the next write occurs after &quot;check&quot; minutes have passed since the checkpoint.</P>
 <P>This has been modified in 2.3 to indeed checkpoint every so often; in the meantime a workaround is to invoke &quot;db_checkpoint&quot; from a cron script every so often, say 5 minutes.</P>
-<H2><A NAME="Migration">17.4. Migration</A></H2>
+<H2><A NAME="Migration">18.4. Migration</A></H2>
 <P>Exporting to a new system......</P>
 <P></P>
 <HR>
-<H1><A NAME="Monitoring">18. Monitoring</A></H1>
+<H1><A NAME="Monitoring">19. Monitoring</A></H1>
 <P><EM>slapd</EM>(8) supports an optional <TERM>LDAP</TERM> monitoring interface you can use to obtain information regarding the current state of your <EM>slapd</EM> instance.  For instance, the interface allows you to determine how many clients are connected to the server currently. The monitoring information is provided by a specialized backend, the <EM>monitor</EM> backend.  A manual page, <EM>slapd-monitor</EM>(5) is available.</P>
 <P>When the monitoring interface is enabled, LDAP clients may be used to access information provided by the <EM>monitor</EM> backend, subject to access and other controls.</P>
 <P>When enabled, the <EM>monitor</EM> backend dynamically generates and returns objects in response to search requests in the <EM>cn=Monitor</EM> subtree.  Each object contains information about a particular aspect of the server.  The information is held in a combination of user applications and operational attributes.   This information can be access with <EM>ldapsearch(1)</EM>, with any general-purpose LDAP browser, or with specialized monitoring tools.  The <A HREF="#Accessing Monitoring Information">Accessing Monitoring Information</A> section provides a brief tutorial on how to use <EM>ldapsearch</EM>(1) to access monitoring information, while the <A HREF="#Monitor information">Monitor information</A> section details monitoring information base and its organization.</P>
 <P>While support for the monitor backend is included in default builds of slapd(8), this support requires some configuration to become active.  This may be done using either <TT>cn=config</TT> or <EM>slapd.conf</EM>(5).  The former is discussed in the <A HREF="#Monitor configuration via cn=config">Monitor configuration via cn=config</A> section of this of this chapter.  The latter is discussed in the <A HREF="#Monitor configuration via slapd.conf(5)">Monitor configuration via slapd.conf(5)</A> section of this chapter.  These sections assume monitor backend is built into <EM>slapd</EM> (e.g., <TT>--enable-monitor=yes</TT>, the default).  If the monitor backend was built as a module (e.g., <TT>--enable-monitor=mod</TT>, this module must loaded.  Loading of modules is discussed in the <A HREF="#Configuring slapd">Configuring slapd</A> and <A HREF="#The slapd Configuration File">The slapd Configuration File</A> chapters.</P>
-<H2><A NAME="Monitor configuration via cn=config(5)">18.1. Monitor configuration via cn=config(5)</A></H2>
+<H2><A NAME="Monitor configuration via cn=config(5)">19.1. Monitor configuration via cn=config(5)</A></H2>
 <P><EM>This section has yet to be written.</EM></P>
-<H2><A NAME="Monitor configuration via slapd.conf(5)">18.2. Monitor configuration via slapd.conf(5)</A></H2>
+<H2><A NAME="Monitor configuration via slapd.conf(5)">19.2. Monitor configuration via slapd.conf(5)</A></H2>
 <P>Configuration of the slapd.conf(5) to support LDAP monitoring is quite simple.</P>
 <P>First, ensure <EM>core.schema</EM> schema configuration file is included by your <EM>slapd.conf</EM>(5) file.  The <EM>monitor</EM> backend requires it.</P>
 <P>Second, instantiate the <EM>monitor backend</EM> by adding a <EM>database monitor</EM> directive below your existing database sections.  For instance:</P>
@@ -5454,7 +6403,7 @@
                 -b 'cn=Monitor' -s base 1.1
 </PRE>
 <P>Note that unlike general purpose database backends, the database suffix is hardcoded.  It's always <TT>cn=Monitor</TT>.  So no <EM>suffix</EM> directive should be provided.  Also note that general purpose database backends, the monitor backend cannot be instantiated multiple times.  That is, there can only be one (or zero) occurrences of <TT>database monitor</TT> in the server's configuration.</P>
-<H2><A NAME="Accessing Monitoring Information">18.3. Accessing Monitoring Information</A></H2>
+<H2><A NAME="Accessing Monitoring Information">19.3. Accessing Monitoring Information</A></H2>
 <P>As previously discussed, when enabled, the <EM>monitor</EM> backend dynamically generates and returns objects in response to search requests in the <EM>cn=Monitor</EM> subtree.  Each object contains information about a particular aspect of the server.  The information is held in a combination of user applications and operational attributes.  This information can be access with <EM>ldapsearch(1)</EM>, with any general-purpose LDAP browser, or with specialized monitoring tools.</P>
 <P>This section provides a provides a brief tutorial on how to use <EM>ldapsearch</EM>(1) to access monitoring information.</P>
 <P>To inspect any particular monitor object, one performs search operation on the object with a baseObject scope and a <TT>(objectClass=*)</TT> filter.  As the monitoring information is contained in a combination of user applications and operational attributes, the return all user applications attributes (e.g., <TT>'*'</TT>) and all operational attributes (e.g., <TT>'+'</TT>) should be requested.   For instance, to read the <TT>cn=Monitor</TT> object itself, the <EM>ldapsearch</EM>(1) command (modified to fit your configuration) can be used:</P>
@@ -5502,7 +6451,7 @@
         ldapsearch -x -D 'cn=Manager,dc=example,dc=com' -W -b 'cn=Monitor' -s sub 1.1
 </PRE>
 <P>If you run this command you will discover that there are many objects in the <EM>cn=Monitor</EM> subtree.  The following section describes some of the commonly available monitoring objects.</P>
-<H2><A NAME="Monitor Information">18.4. Monitor Information</A></H2>
+<H2><A NAME="Monitor Information">19.4. Monitor Information</A></H2>
 <P>The <EM>monitor</EM> backend provides a wealth of information useful for monitoring the slapd(8) contained in set of monitor objects. Each object contains information about a particular aspect of the server, such as a backends, a connection, or a thread. Some objects serve as containers for other objects and used to construct a hierarchy of objects.</P>
 <P>In this hierarchy, the most superior object is {cn=Monitor}. While this object primarily serves as a container for other objects, most of which are containers, this object provides information about this server.  In particular, it provides the slapd(8) version string.  Example:</P>
 <PRE>
@@ -5512,7 +6461,7 @@
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>Examples in this section (and its subsections) have been trimmed to show only key information.
 <HR WIDTH="80%" ALIGN="Left"></P>
-<H3><A NAME="Backends">18.4.1. Backends</A></H3>
+<H3><A NAME="Backends">19.4.1. Backends</A></H3>
 <P>The <TT>cn=Backends,cn=Monitor</TT> object, itself, provides a list of available backends.  The list of available backends all builtin backends, as well as backends loaded by modules.  For example:</P>
 <PRE>
         dn: cn=Backends,cn=Monitor
@@ -5605,7 +6554,7 @@
 </TR>
 </TABLE>
 
-<H3><A NAME="Connections">18.4.2. Connections</A></H3>
+<H3><A NAME="Connections">19.4.2. Connections</A></H3>
 <P>The main entry is empty; it should contain some statistics on the number of connections.</P>
 <P>Dynamic child entries are created for each open connection, with stats on the activity on that connection (the format will be detailed later). There are two special child entries that show the number of total and current connections respectively.</P>
 <P>For example:</P>
@@ -5627,7 +6576,7 @@
    subschemaSubentry: cn=Subschema
    hasSubordinates: FALSE
 </PRE>
-<H3><A NAME="Databases">18.4.3. Databases</A></H3>
+<H3><A NAME="Databases">19.4.3. Databases</A></H3>
 <P>The main entry contains the naming context of each configured database; the child entries contain, for each database, the type and the naming context.</P>
 <P>For example:</P>
 <PRE>
@@ -5641,7 +6590,7 @@
    subschemaSubentry: cn=Subschema
    hasSubordinates: FALSE
 </PRE>
-<H3><A NAME="Listener">18.4.4. Listener</A></H3>
+<H3><A NAME="Listener">19.4.4. Listener</A></H3>
 <P>It contains the description of the devices the server is currently listening on:</P>
 <PRE>
    dn: cn=Listener 0,cn=Listeners,cn=Monitor
@@ -5651,7 +6600,7 @@
    subschemaSubentry: cn=Subschema
    hasSubordinates: FALSE
 </PRE>
-<H3><A NAME="Log">18.4.5. Log</A></H3>
+<H3><A NAME="Log">19.4.5. Log</A></H3>
 <P>It contains the currently active log items.  The <EM>Log</EM> subsystem allows user modify operations on the <EM>description</EM> attribute, whose values <EM>MUST</EM> be in the list of admittable log switches:</P>
 <PRE>
    Trace
@@ -5669,7 +6618,7 @@
    Sync
 </PRE>
 <P>These values can be added, replaced or deleted; they affect what messages are sent to the syslog device. Custom values could be added by custom modules.</P>
-<H3><A NAME="Operations">18.4.6. Operations</A></H3>
+<H3><A NAME="Operations">19.4.6. Operations</A></H3>
 <P>It shows some statistics on the operations performed by the server:</P>
 <PRE>
    Initiated
@@ -5689,7 +6638,7 @@
    Extended
 </PRE>
 <P>There are too many types to list example here, so please try for yourself using <A HREF="#Monitor search example">Monitor search example</A></P>
-<H3><A NAME="Overlays">18.4.7. Overlays</A></H3>
+<H3><A NAME="Overlays">19.4.7. Overlays</A></H3>
 <P>The main entry contains the type of overlays available at run-time; the child entries, for each overlay, contain the type of the overlay.</P>
 <P>It should also contain the modules that have been loaded if dynamic overlays are enabled:</P>
 <PRE>
@@ -5703,9 +6652,9 @@
    subschemaSubentry: cn=Subschema
    hasSubordinates: TRUE
 </PRE>
-<H3><A NAME="SASL">18.4.8. SASL</A></H3>
+<H3><A NAME="SASL">19.4.8. SASL</A></H3>
 <P>Currently empty.</P>
-<H3><A NAME="Statistics">18.4.9. Statistics</A></H3>
+<H3><A NAME="Statistics">19.4.9. Statistics</A></H3>
 <P>It shows some statistics on the data sent by the server:</P>
 <PRE>
    Bytes
@@ -5723,7 +6672,7 @@
    subschemaSubentry: cn=Subschema
    hasSubordinates: FALSE
 </PRE>
-<H3><A NAME="Threads">18.4.10. Threads</A></H3>
+<H3><A NAME="Threads">19.4.10. Threads</A></H3>
 <P>It contains the maximum number of threads enabled at startup and the current backload.</P>
 <P>e.g.</P>
 <PRE>
@@ -5735,7 +6684,7 @@
    subschemaSubentry: cn=Subschema
    hasSubordinates: FALSE
 </PRE>
-<H3><A NAME="Time">18.4.11. Time</A></H3>
+<H3><A NAME="Time">19.4.11. Time</A></H3>
 <P>It contains two child entries with the start time and the current time of the server.</P>
 <P>e.g.</P>
 <P>Start time:</P>
@@ -5756,9 +6705,9 @@
    subschemaSubentry: cn=Subschema
    hasSubordinates: FALSE
 </PRE>
-<H3><A NAME="TLS">18.4.12. TLS</A></H3>
+<H3><A NAME="TLS">19.4.12. TLS</A></H3>
 <P>Currently empty.</P>
-<H3><A NAME="Waiters">18.4.13. Waiters</A></H3>
+<H3><A NAME="Waiters">19.4.13. Waiters</A></H3>
 <P>It contains the number of current read waiters.</P>
 <P>e.g.</P>
 <P>Read waiters:</P>
@@ -5782,29 +6731,35 @@
 <P>Add new monitored things here and discuss, referencing man pages and present examples</P>
 <P></P>
 <HR>
-<H1><A NAME="Tuning">19. Tuning</A></H1>
+<H1><A NAME="Tuning">20. Tuning</A></H1>
 <P>This is perhaps one of the most important chapters in the guide, because if you have not tuned <EM>slapd</EM>(8) correctly or grasped how to design your directory and environment, you can expect very poor performance.</P>
 <P>Reading, understanding and experimenting using the instructions and information in the following sections, will enable you to fully understand how to tailor your directory server to your specific requirements.</P>
 <P>It should be noted that the following information has been collected over time from our community based FAQ. So obviously the benefit of this real world experience and advice should be of great value to the reader.</P>
-<H2><A NAME="Performance Factors">19.1. Performance Factors</A></H2>
+<H2><A NAME="Performance Factors">20.1. Performance Factors</A></H2>
 <P>Various factors can play a part in how your directory performs on your chosen hardware and environment. We will attempt to discuss these here.</P>
-<H3><A NAME="Memory">19.1.1. Memory</A></H3>
+<H3><A NAME="Memory">20.1.1. Memory</A></H3>
 <P>Scale your cache to use available memory and increase system memory if you can.</P>
-<P>More info here.</P>
-<H3><A NAME="Disks">19.1.2. Disks</A></H3>
-<P>Use fast subsystems. Put each database and logs on separate disks.</P>
-<P>Example showing config settings</P>
-<H3><A NAME="Network Topology">19.1.3. Network Topology</A></H3>
+<P>See <A HREF="#Caching">Caching</A></P>
+<H3><A NAME="Disks">20.1.2. Disks</A></H3>
+<P>Use fast subsystems. Put each database and logs on separate disks configurable via <EM>DB_CONFIG</EM>:</P>
+<PRE>
+       # Data Directory
+       set_data_dir /data/db
+
+       # Transaction Log settings
+       set_lg_dir /logs
+</PRE>
+<H3><A NAME="Network Topology">20.1.3. Network Topology</A></H3>
 <P>http://www.openldap.org/faq/data/cache/363.html</P>
 <P>Drawing here.</P>
-<H3><A NAME="Directory Layout Design">19.1.4. Directory Layout Design</A></H3>
+<H3><A NAME="Directory Layout Design">20.1.4. Directory Layout Design</A></H3>
 <P>Reference to other sections and good/bad drawing here.</P>
-<H3><A NAME="Expected Usage">19.1.5. Expected Usage</A></H3>
+<H3><A NAME="Expected Usage">20.1.5. Expected Usage</A></H3>
 <P>Discussion.</P>
-<H2><A NAME="Indexes">19.2. Indexes</A></H2>
-<H3><A NAME="Understanding how a search works">19.2.1. Understanding how a search works</A></H3>
+<H2><A NAME="Indexes">20.2. Indexes</A></H2>
+<H3><A NAME="Understanding how a search works">20.2.1. Understanding how a search works</A></H3>
 <P>If you're searching on a filter that has been indexed, then the search reads the index and pulls exactly the entries that are referenced by the index. If the filter term has not been indexed, then the search must read every single entry in the target scope and test to see if each entry matches the filter. Obviously indexing can save a lot of work when it's used correctly.</P>
-<H3><A NAME="What to index">19.2.2. What to index</A></H3>
+<H3><A NAME="What to index">20.2.2. What to index</A></H3>
 <P>You should create indices to match the actual filter terms used in search queries.</P>
 <PRE>
         index cn,sn,givenname,mail eq
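Review bot: the new Disks sentence runs two thoughts together ("Put each database and logs on separate disks configurable via DB_CONFIG"); suggest "Put each database and its transaction logs on separate disks; both locations can be set in DB_CONFIG:". The /data/db and /logs paths in the snippet should be marked as example values, and a pointer to the Berkeley DB Logs section's note that DB_CONFIG settings override OpenLDAP's and must be used with caution would help, since set_lg_dir and set_data_dir are exactly such settings. The "See Caching" link resolves to the NAME="Caching" anchor introduced further down in this patch, so that cross-reference is consistent.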
@@ -5812,58 +6767,67 @@
 <P>Each attribute index can be tuned further by selecting the set of index types to generate. For example, substring and approximate search for organizations (o) may make little sense (and isn't like done very often). And searching for <EM>userPassword</EM> likely makes no sense what so ever.</P>
 <P>General rule: don't go overboard with indexes. Unused indexes must be maintained and hence can only slow things down.</P>
 <P>See <EM>slapd.conf</EM>(8) and <EM>slapdindex</EM>(8) for more information</P>
-<H3><A NAME="Presence indexing">19.2.3. Presence indexing</A></H3>
+<H3><A NAME="Presence indexing">20.2.3. Presence indexing</A></H3>
 <P>If your client application uses presence filters and if the target attribute exists on the majority of entries in your target scope, then all of those entries are going to be read anyway, because they are valid members of the result set. In a subtree where 100% of the entries are going to contain the same attributes, the presence index does absolutely NOTHING to benefit the search, because 100% of the entries match that presence filter.</P>
 <P>So the resource cost of generating the index is a complete waste of CPU time, disk, and memory. Don't do it unless you know that it will be used, and that the attribute in question occurs very infrequently in the target data.</P>
 <P>Almost no applications use presence filters in their search queries. Presence indexing is pointless when the target attribute exists on the majority of entries in the database. In most LDAP deployments, presence indexing should not be done, it's just wasted overhead.</P>
 <P>See the <EM>Logging</EM> section below on what to watch our for if you have a frequently searched for attribute that is unindexed.</P>
-<H2><A NAME="Logging">19.3. Logging</A></H2>
-<H3><A NAME="What log level to use">19.3.1. What log level to use</A></H3>
-<P>The default of <EM>loglevel 256</EM> is really the best bet. There's a corollary to this when problems *do* arise, don't try to trace them using syslog. Use the debug flag instead, and capture slapd's stderr output. syslog is too slow for debug tracing, and it's inherently lossy - it will throw away messages when it can't keep up.</P>
+<H2><A NAME="Logging">20.3. Logging</A></H2>
+<H3><A NAME="What log level to use">20.3.1. What log level to use</A></H3>
+<P>The default of <EM>loglevel stats</EM> (256) is really the best bet. There's a corollary to this when problems *do* arise, don't try to trace them using syslog. Use the debug flag instead, and capture slapd's stderr output. syslog is too slow for debug tracing, and it's inherently lossy - it will throw away messages when it can't keep up.</P>
 <P>Contrary to popular belief, <EM>loglevel 0</EM> is not ideal for production as you won't be able to track when problems first arise.</P>
-<H3><A NAME="What to watch out for">19.3.2. What to watch out for</A></H3>
+<H3><A NAME="What to watch out for">20.3.2. What to watch out for</A></H3>
 <P>The most common message you'll see that you should pay attention to is:</P>
 <PRE>
-  &quot;&lt;= bdb_equality_candidates: (foo) index_param failed (18)&quot;
+       &quot;&lt;= bdb_equality_candidates: (foo) index_param failed (18)&quot;
 </PRE>
 <P>That means that some application tried to use an equality filter (<EM>foo=&lt;somevalue&gt;</EM>) and attribute <EM>foo</EM> does not have an equality index. If you see a lot of these messages, you should add the index. If you see one every month or so, it may be acceptable to ignore it.</P>
-<P>The default syslog level is 256 which logs the basic parameters of each request; it usually produces 1-3 lines of output. On Solaris and systems that only provide synchronous syslog, you may want to turn it off completely, but usually you want to leave it enabled so that you'll be able to see index messages whenever they arise. On Linux you can configure syslogd to run asynchronously, in which case the performance hit for moderate syslog traffic pretty much disappears.</P>
-<H3><A NAME="Improving throughput">19.3.3. Improving throughput</A></H3>
+<P>The default syslog level is stats (256) which logs the basic parameters of each request; it usually produces 1-3 lines of output. On Solaris and systems that only provide synchronous syslog, you may want to turn it off completely, but usually you want to leave it enabled so that you'll be able to see index messages whenever they arise. On Linux you can configure syslogd to run asynchronously, in which case the performance hit for moderate syslog traffic pretty much disappears.</P>
+<H3><A NAME="Improving throughput">20.3.3. Improving throughput</A></H3>
 <P>You can improve logging performance on some systems by configuring syslog not to sync the file system with every write (<EM>man syslogd/syslog.conf</EM>). In Linux, you can prepend the log file name with a &quot;-&quot; in <EM>syslog.conf</EM>. For example, if you are using the default LOCAL4 logging you could try:</P>
 <PRE>
-   # LDAP logs
-   LOCAL4.*         -/var/log/ldap
+       # LDAP logs
+       LOCAL4.*         -/var/log/ldap
 </PRE>
 <P>For syslog-ng, add or modify the following line in <EM>syslog-ng.conf</EM>:</P>
 <PRE>
-   options { sync(n); };
+       options { sync(n); };
 </PRE>
 <P>where n is the number of lines which will be buffered before a write.</P>
-<H2><A NAME="BDB/HDB Database Caching">19.4. BDB/HDB Database Caching</A></H2>
+<H2><A NAME="Caching">20.4. Caching</A></H2>
 <P>We all know what caching is, don't we?</P>
 <P>In brief, &quot;A cache is a block of memory for temporary storage of data likely to be used again&quot; - <A HREF="http://en.wikipedia.org/wiki/Cache">http://en.wikipedia.org/wiki/Cache</A></P>
 <P>There are 3 types of caches, BerkeleyDB's own cache, <EM>slapd</EM>(8) entry cache and <TERM>IDL</TERM> (IDL) cache.</P>
-<H3><A NAME="Berkeley DB Cache">19.4.1. Berkeley DB Cache</A></H3>
-<P>BerkeleyDB's own data cache operates on page-sized blocks of raw data.</P>
+<H3><A NAME="Berkeley DB Cache">20.4.1. Berkeley DB Cache</A></H3>
+<P>There are two ways to tune for the BDB cachesize:</P>
+<P>(a) BDB cache size necessary to load the database via slapadd in optimal time</P>
+<P>(b) BDB cache size necessary to have a high performing running slapd once the data is loaded</P>
+<P>For (a), the optimal cachesize is the size of the entire database.  If you already have the database loaded, this is simply a</P>
+<PRE>
+       du -c -h *.bdb
+</PRE>
+<P>in the directory containing the OpenLDAP (<EM>/usr/local/var/openldap-data</EM>) data.</P>
+<P>For (b), the optimal cachesize is just the size of the <EM>id2entry.bdb</EM> file, plus about 10% for growth.</P>
+<P>The tuning of <EM>DB_CONFIG</EM> should be done for each BDB type database instantiated (back-bdb, back-hdb).</P>
 <P>Note that while the <TERM>BDB</TERM> cache is just raw chunks of memory and configured as a memory size, the <EM>slapd</EM>(8) entry cache holds parsed entries, and the size of each entry is variable.</P>
 <P>There is also an IDL cache which is used for Index Data Lookups. If you can fit all of your database into slapd's entry cache, and all of your index lookups fit in the IDL cache, that will provide the maximum throughput.</P>
 <P>If not, but you can fit the entire database into the BDB cache, then you should do that and shrink the slapd entry cache as appropriate.</P>
 <P>Failing that, you should balance the BDB cache against the entry cache.</P>
 <P>It is worth noting that it is not absolutely necessary to configure a BerkeleyDB cache equal in size to your entire database. All that you need is a cache that's large enough for your &quot;working set.&quot;</P>
 <P>That means, large enough to hold all of the most frequently accessed data, plus a few less-frequently accessed items.</P>
-<P>ORACLE LINKS HERE</P>
-<H4><A NAME="Calculating Cachesize">19.4.1.1. Calculating Cachesize</A></H4>
+<P>For more information, please see: <A HREF="http://www.oracle.com/technology/documentation/berkeley-db/db/ref/am_conf/cachesize.html">http://www.oracle.com/technology/documentation/berkeley-db/db/ref/am_conf/cachesize.html</A></P>
+<H4><A NAME="Calculating Cachesize">20.4.1.1. Calculating Cachesize</A></H4>
 <P>The back-bdb database lives in two main files, <TT>dn2id.bdb</TT> and <TT>id2entry.bdb</TT>. These are B-tree databases. We have never documented the back-bdb internal layout before, because it didn't seem like something anyone should have to worry about, nor was it necessarily cast in stone. But here's how it works today, in OpenLDAP 2.4.</P>
 <P>A B-tree is a balanced tree; it stores data in its leaf nodes and bookkeeping data in its interior nodes (If you don't know what tree data structures look like in general, Google for some references, because that's getting far too elementary for the purposes of this discussion).</P>
 <P>For decent performance, you need enough cache memory to contain all the nodes along the path from the root of the tree down to the particular data item you're accessing. That's enough cache for a single search. For the general case, you want enough cache to contain all the internal nodes in the database.</P>
 <PRE>
-   db_stat -d
+       db_stat -d
 </PRE>
 <P>will tell you how many internal pages are present in a database. You should check this number for both dn2id and id2entry.</P>
 <P>Also note that <EM>id2entry</EM> always uses 16KB per &quot;page&quot;, while <EM>dn2id</EM> uses whatever the underlying filesystem uses, typically 4 or 8KB. To avoid thrashing the, your cache must be at least as large as the number of internal pages in both the <EM>dn2id</EM> and <EM>id2entry</EM> databases, plus some extra space to accommodate the actual leaf data pages.</P>
 <P>For example, in my OpenLDAP 2.4 test database, I have an input LDIF file that's about 360MB. With the back-hdb backend this creates a <EM>dn2id.bdb</EM> that's 68MB, and an <EM>id2entry</EM> that's 800MB. db_stat tells me that <EM>dn2id</EM> uses 4KB pages, has 433 internal pages, and 6378 leaf pages. The id2entry uses 16KB pages, has 52 internal pages, and 45912 leaf pages. In order to efficiently retrieve any single entry in this database, the cache should be at least</P>
 <PRE>
-   (433+1) * 4KB + (52+1) * 16KB in size: 1736KB + 848KB =~ 2.5MB.
+       (433+1) * 4KB + (52+1) * 16KB in size: 1736KB + 848KB =~ 2.5MB.
 </PRE>
 <P>This doesn't take into account other library overhead, so this is even lower than the barest minimum. The default cache size, when nothing is configured, is only 256KB.</P>
 <P>This 2.5MB number also doesn't take indexing into account. Each indexed attribute uses another database file of its own, using a Hash structure.</P>
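Review bot: the rule of thumb added for case (b) ("just the size of the id2entry.bdb file, plus about 10%") conflicts with the unchanged text a few lines below, which says a cache equal to the whole database is not necessary and that the working set is what matters, and with the Calculating Cachesize subsection, where an 800MB id2entry is served adequately by a 4MB cache. Suggest presenting (a) and (b) as upper bounds for a fully memory-resident database and stating that the internal-page calculation gives the minimum. Separately, renaming the H2 anchor from "BDB/HDB Database Caching" to "Caching" breaks any existing links to the old NAME, so the rest of the guide should be checked for references to it.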
@@ -5878,49 +6842,33 @@
 <P>With only this index enabled, I'd figure at least a 4MB cache for this backend. (Of course you're using a single cache shared among all of the database files, so the cache pages will most likely get used for something other than what you accounted for, but this gives you a fighting chance.)</P>
 <P>With this 4MB cache I can slapcat this entire database on my 1.3GHz PIII in 1 minute, 40 seconds. With the cache doubled to 8MB, it still takes the same 1:40s. Once you've got enough cache to fit the B-tree internal pages, increasing it further won't have any effect until the cache really is large enough to hold 100% of the data pages. I don't have enough free RAM to hold all the 800MB id2entry data, so 4MB is good enough.</P>
 <P>With back-bdb and back-hdb you can use &quot;db_stat -m&quot; to check how well the database cache is performing.</P>
-<H3><A NAME="{{slapd}}(8) Entry Cache">19.4.2. <EM>slapd</EM>(8) Entry Cache</A></H3>
+<P>For more information on <EM>db_stat</EM>: <A HREF="http://www.oracle.com/technology/documentation/berkeley-db/db/utility/db_stat.html">http://www.oracle.com/technology/documentation/berkeley-db/db/utility/db_stat.html</A></P>
+<H3><A NAME="{{slapd}}(8) Entry Cache (cachesize)">20.4.2. <EM>slapd</EM>(8) Entry Cache (cachesize)</A></H3>
 <P>The <EM>slapd</EM>(8) entry cache operates on decoded entries. The rationale - entries in the entry cache can be used directly, giving the fastest response. If an entry isn't in the entry cache but can be extracted from the BDB page cache, that will avoid an I/O but it will still require parsing, so this will be slower.</P>
 <P>If the entry is in neither cache then BDB will have to flush some of its current cached pages and bring in the needed pages, resulting in a couple of expensive I/Os as well as parsing.</P>
+<P>The most optimal value is of course, the entire number of entries in the database. However, most directory servers don't consistently serve out their entire database, so setting this to a lesser number that more closely matches the believed working set of data is sufficient. This is the second most important parameter for the DB.</P>
 <P>As far as balancing the entry cache vs the BDB cache - parsed entries in memory are generally about twice as large as they are on disk.</P>
 <P>As we have already mentioned, not having a proper database cache size will cause performance issues. These issues are not an indication of corruption occurring in the database. It is merely the fact that the cache is thrashing itself that causes performance/response time to slowdown.</P>
-<P>MOVE BELOW AROUND:</P>
-<P>If you want to setup the cache size, please read:</P>
-<P>(Xref) How do I configure the BDB backend? (Xref) What are the DB_CONFIG configuration directives? http://www.sleepycat.com/docs/utility/db_recover.html</P>
-<P>A default config can be found in the answer:</P>
-<P>(Xref) What are the DB_CONFIG configuration directives?</P>
-<P>just change the set_lg_dir to point to your .log directory or comment that line.</P>
-<P>Quick guide:</P>
-<UL>
-<LI>Create a DB_CONFIG file in your ldap home directory (/var/lib/ldap/DB_CONFIG) with the correct &quot;set_cachesize&quot; value
-<LI>stop your ldap server and run db_recover -h /var/lib/ldap
-<LI>start your ldap server and check the new cache size with:</UL>
-<P>db_stat -h /var/lib/ldap -m | head -n 2</P>
-<UL>
-<LI>this procedure is only needed if you use OpenLDAP 2.2 with the BDB or HDB backends; In OpenLDAP 2.3 DB recovery is performed automatically whenever the DB_CONFIG file is changed or when an unclean shutdown is detected.<UL><UL>
-<LI>On Tuesday, February 22, 2005 12:15 PM -0500 Dusty Doris &lt;openldap at mail.doris.cc&gt; wrote:</UL></UL></UL>
-<P>Few questions, if you change the cachesize and idlecachesize entries, do you have to do anything special aside from restarting slapd, such as run slapindex or db_recover?</P>
-<P>Also, is there any way to tell how much memory these caches are taking up to make sure they are not set too large?  What happens if you set your cachesize too large and you don't have enough available memory to store these?  Will that cause an issue with openldap, or will it just not cache those entries that would make it exceed its available memory.  Will it just use some sort of FIFO on those caches?</P>
-<P>It will consume the memory resources of your system, and likely cause issues.</P>
-<P>Finally, what do most people try to achieve with these values?  Would the goal be to make these as big as the directory?  So, if I have 400,000 dn's in my directory, would it be safe to set these at 400000 or would something like 20,000 be good enough to get a nice performance increase?</P>
-<P>I try to cache the most actively used entries. Unless you expect all 400,000 entries of your DB to be accessed regularly, there is no need to cache that many entries. My entry cache is set to 20,000 (out of a little over 400,000 entries).</P>
-<P>The idlcache has to do with how many unique result sets of searches you want to store in memory. Setting up this cache will allow your most frequently placed searches to get results much faster, but I doubt you want to try and cache the results of every search that hits your system. ;)</P>
-<UL><UL><UL>
-<LI>Quanah</UL></UL></UL>
-<H3><A NAME="{{TERM:IDL}} Cache">19.4.3. <TERM>IDL</TERM> Cache</A></H3>
-<P>http://www.openldap.org/faq/data/cache/1076.html</P>
+<H3><A NAME="{{TERM:IDL}} Cache (idlcachesize)">20.4.3. <TERM>IDL</TERM> Cache (idlcachesize)</A></H3>
+<P>Each IDL holds the search results from a given query, so the IDL cache will end up holding the most frequently requested search results.  For back-bdb, it is generally recommended to match the &quot;cachesize&quot; setting.  For back-hdb, it is generally recommended to be 3x&quot;cachesize&quot;.</P>
+<P>{NOTE: The idlcachesize setting directly affects search performance}</P>
+<H3><A NAME="{{slapd}}(8) Threads">20.4.4. <EM>slapd</EM>(8) Threads</A></H3>
+<P><EM>slapd</EM>(8) can process requests via a configurable number of thread, which in turn affects the in/out rate of connections.</P>
+<P>This value should generally be a function of the number of &quot;real&quot; cores on the system, for example on a server with 2 CPUs with one core each, set this to 8, or 4 threads per real core.  This is a &quot;read&quot; maximized value. The more threads that are configured per core, the slower <EM>slapd</EM>(8) responds for &quot;read&quot; operations.  On the flip side, it appears to handle write operations faster in a heavy write/low read scenario.</P>
+<P>The upper bound for good read performance appears to be 16 threads (which also happens to be the default setting).</P>
 <P></P>
 <HR>
-<H1><A NAME="Troubleshooting">20. Troubleshooting</A></H1>
+<H1><A NAME="Troubleshooting">21. Troubleshooting</A></H1>
 <P>If you're having trouble using OpenLDAP, get onto the OpenLDAP-Software mailing list, or:</P>
 <UL>
 <LI>Browse the list archives at <A HREF="http://www.openldap.org/lists/#archives">http://www.openldap.org/lists/#archives</A>
 <LI>Search the FAQ at <A HREF="http://www.openldap.org/faq/">http://www.openldap.org/faq/</A>
 <LI>Search the Issue Tracking System at <A HREF="http://www.openldap.org/its/">http://www.openldap.org/its/</A></UL>
 <P>Chances are the problem has been solved and explained in detail many times before.</P>
-<H2><A NAME="User or Software errors">20.1. User or Software errors?</A></H2>
+<H2><A NAME="User or Software errors">21.1. User or Software errors?</A></H2>
 <P>More often than not, an error is caused by a configuration problem or a misunderstanding of what you are trying to implement and/or achieve.</P>
 <P>We will now attempt to discuss common user errors.</P>
-<H2><A NAME="Checklist">20.2. Checklist</A></H2>
+<H2><A NAME="Checklist">21.2. Checklist</A></H2>
 <P>The following checklist can help track down your problem. Please try to use if <B>before</B> posting to the list, or in the rare circumstances of reporting a bug.</P>
 <UL>
 &nbsp;</UL><OL>
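Review bot: the rewritten entry-cache text drops the one operational caveat from the removed thread that should survive: an oversized cachesize "will consume the memory resources of your system, and likely cause issues". Now that 20.4.2 says the optimal value is the entire number of entries and 20.4.3 recommends an idlcachesize of 1x or 3x that, nothing on the page warns that the entry cache is sized in entries, not bytes, and that with parsed entries "about twice as large as they are on disk" the two caches plus the BDB cache must still fit in physical RAM; suggest restoring that sentence right after the "second most important parameter" paragraph. Two smaller points in the same hunk: "configurable number of thread" should be "threads", and `{NOTE: The idlcachesize setting directly affects search performance}` has reached the generated HTML with its braces intact, so the sdf source is using the wrong markup for a note paragraph (the other notes on this page render as `<STRONG>Note: </STRONG>`).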
@@ -5943,7 +6891,7 @@
 <BR>
 &nbsp;
 <LI><B>Have your certificates expired?</B></OL>
-<H2><A NAME="OpenLDAP Bugs">20.3. OpenLDAP Bugs</A></H2>
+<H2><A NAME="OpenLDAP Bugs">21.3. OpenLDAP Bugs</A></H2>
 <P>Sometimes you may encounter an actual OpenLDAP bug, in which case please visit our Issue Tracking system <A HREF="http://www.openldap.org/its/">http://www.openldap.org/its/</A> and report it. However, make sure it's not already a known bug or a common user problem.</P>
 <UL>
 <LI>bugs in historic versions of OpenLDAP will not be considered;
@@ -5953,22 +6901,22 @@
 <STRONG>Note: </STRONG>Our Issue Tracking system is <B>NOT</B> for OpenLDAP <B>Support</B>, please join our mailing Lists: <A HREF="http://www.openldap.org/lists/">http://www.openldap.org/lists/</A> for that.
 <HR WIDTH="80%" ALIGN="Left"></P>
 <P>The information you should provide in your bug report is discussed in our FAQ-O-MATIC at <A HREF="http://www.openldap.org/faq/data/cache/59.html">http://www.openldap.org/faq/data/cache/59.html</A></P>
-<H2><A NAME="3rd party software error">20.4. 3rd party software error</A></H2>
+<H2><A NAME="3rd party software error">21.4. 3rd party software error</A></H2>
 <P>The OpenLDAP Project only supports OpenLDAP software.</P>
 <P>You may however seek commercial support (<A HREF="http://www.openldap.org/support/">http://www.openldap.org/support/</A>) or join the general LDAP forum for non-commercial discussions and information relating to LDAP at: <A HREF="http://www.umich.edu/~dirsvcs/ldap/mailinglist.html">http://www.umich.edu/~dirsvcs/ldap/mailinglist.html</A></P>
-<H2><A NAME="How to contact the OpenLDAP Project">20.5. How to contact the OpenLDAP Project</A></H2>
+<H2><A NAME="How to contact the OpenLDAP Project">21.5. How to contact the OpenLDAP Project</A></H2>
 <UL>
 <LI>Mailing Lists: <A HREF="http://www.openldap.org/lists/">http://www.openldap.org/lists/</A>
 <LI>Project: <A HREF="http://www.openldap.org/project/">http://www.openldap.org/project/</A>
 <LI>Issue Tracking: <A HREF="http://www.openldap.org/its/">http://www.openldap.org/its/</A></UL>
-<H2><A NAME="How to present your problem">20.6. How to present your problem</A></H2>
-<H2><A NAME="Debugging {{slapd}}(8)">20.7. Debugging <EM>slapd</EM>(8)</A></H2>
+<H2><A NAME="How to present your problem">21.6. How to present your problem</A></H2>
+<H2><A NAME="Debugging {{slapd}}(8)">21.7. Debugging <EM>slapd</EM>(8)</A></H2>
 <P>After reading through the above sections and before e-mailing the OpenLDAP lists, you might want to try out some of the following to track down the cause of your problems:</P>
 <UL>
-<LI>Loglevel 256 is generally a good first loglevel to try for getting information useful to list members on issues
+<LI>Loglevel stats (256) is generally a good first loglevel to try for getting information useful to list members on issues
 <LI>Running <EM>slapd -d -1</EM> can often track down fairly simple issues, such as missing schemas and incorrect file permissions for the <EM>slapd</EM> user to things like certs
 <LI>Check your logs for errors, as discussed at <A HREF="http://www.openldap.org/faq/data/cache/358.html">http://www.openldap.org/faq/data/cache/358.html</A></UL>
-<H2><A NAME="Commercial Support">20.8. Commercial Support</A></H2>
+<H2><A NAME="Commercial Support">21.8. Commercial Support</A></H2>
 <P>The firms listed at <A HREF="http://www.openldap.org/support/">http://www.openldap.org/support/</A> offer technical support services catering to OpenLDAP community.</P>
 <P>The listing of any given firm should not be viewed as an endorsement or recommendation of any kind, nor as otherwise indicating there exists a business relationship or an affiliation between any listed firm and the OpenLDAP Foundation or the OpenLDAP Project or its contributors.</P>
 <P></P>
@@ -5981,6 +6929,7 @@
 <LI><A HREF="#When should I use LDAP">When should I use LDAP?</A>
 <LI><A HREF="#When should I not use LDAP">When should I not use LDAP?</A>
 <LI><A HREF="#LDAP vs RDBMS">LDAP vs RDBMS</A>
+<LI><A HREF="#Access Control">Access Control</A>
 <LI><A HREF="#Backends">Backends</A>
 <LI><A HREF="#Overlays">Overlays</A>
 <LI><A HREF="#Replication">Replication</A>
@@ -6054,7 +7003,9 @@
 <UL>
 <LI>monitoring of back-{b,h}db: cache fill-in, non-indexed searches,
 <LI>session tracking control (draft-wahl-ldap-session)
-<LI>subtree delete in back-sql (draft-armijo-ldap-treedelete)</UL>
+<LI>subtree delete in back-sql (draft-armijo-ldap-treedelete)
+<LI>sorted values in multivalued attributes for faster matching
+<LI>lightweight dispatcher for greater throughput under heavy load and on multiprocessor machines. (33% faster than 2.3 on AMD quad-socket dual-core server.)</UL>
 <H3><A NAME="New features in libldap">A.2.12. New features in libldap</A></H3>
 <UL>
 <LI>ldap_sync client API (LDAP Content Sync Operation, RFC 4533)</UL>
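Review bot: the new "lightweight dispatcher" bullet carries a benchmark figure ("33% faster than 2.3 on AMD quad-socket dual-core server") with no workload, build options or measurement method behind it, which a feature list in a release appendix cannot support on its own; either drop the number or point at where the measurement is written up. The bullet also ends with a full stop while its siblings do not.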
@@ -7022,7 +7973,7 @@
 CRAM-MD5
 </TD>
 <TD>
-SASL MD5 Challedge/Response Authentication Mechanism
+SASL MD5 Challenge/Response Authentication Mechanism
 </TD>
 </TR>
 <TR>
@@ -7366,7 +8317,7 @@
 LDAP Sync
 </TD>
 <TD>
-LDAP Content Sychronization
+LDAP Content Synchronization
 </TD>
 </TR>
 <TR>
@@ -8309,6 +9260,20 @@
 </TR>
 <TR>
 <TD>
+<A HREF="http://www.rfc-editor.org/rfc/rfc2589.txt">RFC2589</A>
+</TD>
+<TD>
+Lightweight Directory Access Protocol (v3): Extensions for Dynamic Directory Services
+</TD>
+<TD>
+PS
+</TD>
+<TD>
+<A HREF="http://www.rfc-editor.org/rfc/rfc2589.txt">http://www.rfc-editor.org/rfc/rfc2589.txt</A>
+</TD>
+</TR>
+<TR>
+<TD>
 <A HREF="http://www.rfc-editor.org/rfc/rfc2798.txt">RFC2798</A>
 </TD>
 <TD>
@@ -8452,7 +9417,7 @@
 <A HREF="http://www.rfc-editor.org/rfc/rfc4510.txt">RFC4510</A>
 </TD>
 <TD>
-Lightweight Directory Access Protocol (LDAP) Technical Specification Roadmap
+Lightweight Directory Access Protocol (LDAP): Technical Specification Roadmap
 </TD>
 <TD>
 PS
@@ -8809,7 +9774,7 @@
 <HR>
 <H1><A NAME="OpenLDAP Software Copyright Notices">K. OpenLDAP Software Copyright Notices</A></H1>
 <H2><A NAME="OpenLDAP Copyright Notice">K.1. OpenLDAP Copyright Notice</A></H2>
-<P>Copyright 1998-2007 The OpenLDAP Foundation.<BR><EM>All rights reserved.</EM></P>
+<P>Copyright 1998-2008 The OpenLDAP Foundation.<BR><EM>All rights reserved.</EM></P>
 <P>Redistribution and use in source and binary forms, with or without modification, are permitted <EM>only as authorized</EM> by the <A HREF="#OpenLDAP Public License">OpenLDAP Public License</A>.</P>
 <P>A copy of this license is available in file <TT>LICENSE</TT> in the top-level directory of the distribution or, alternatively, at &lt;<A HREF="http://www.OpenLDAP.org/license.html">http://www.OpenLDAP.org/license.html</A>&gt;.</P>
 <P>OpenLDAP is a registered trademark of the OpenLDAP Foundation.</P>
@@ -8818,9 +9783,9 @@
 <P>This work also contains materials derived from public sources.</P>
 <P>Additional information about OpenLDAP software can be obtained at &lt;<A HREF="http://www.OpenLDAP.org/">http://www.OpenLDAP.org/</A>&gt;.</P>
 <H2><A NAME="Additional Copyright Notice">K.2. Additional Copyright Notice</A></H2>
-<P>Portions Copyright 1998-2006 Kurt D. Zeilenga.<BR>Portions Copyright 1998-2006 Net Boolean Incorporated.<BR>Portions Copyright 2001-2006 IBM Corporation.<BR><EM>All rights reserved.</EM></P>
+<P>Portions Copyright 1998-2008 Kurt D. Zeilenga.<BR>Portions Copyright 1998-2006 Net Boolean Incorporated.<BR>Portions Copyright 2001-2006 IBM Corporation.<BR><EM>All rights reserved.</EM></P>
 <P>Redistribution and use in source and binary forms, with or without modification, are permitted only as authorized by the <A HREF="#OpenLDAP Public License">OpenLDAP Public License</A>.</P>
-<P>Portions Copyright 1999-2007 Howard Y.H. Chu.<BR>Portions Copyright 1999-2007 Symas Corporation.<BR>Portions Copyright 1998-2003 Hallvard B. Furuseth.<BR>Portions Copyright 2007 Gavin Henry<BR>Portions Copyright 2007 Suretec Systems<BR><EM>All rights reserved.</EM></P>
+<P>Portions Copyright 1999-2007 Howard Y.H. Chu.<BR>Portions Copyright 1999-2007 Symas Corporation.<BR>Portions Copyright 1998-2003 Hallvard B. Furuseth.<BR>Portions Copyright 2007-2008 Gavin Henry<BR>Portions Copyright 2007-2008 Suretec Systems Limited.<BR><EM>All rights reserved.</EM></P>
 <P>Redistribution and use in source and binary forms, with or without modification, are permitted provided that this notice is preserved. The names of the copyright holders may not be used to endorse or promote products derived from this software without their specific prior written permission.  This software is provided ``as is'' without express or implied warranty.</P>
 <H2><A NAME="University of Michigan Copyright Notice">K.3. University of Michigan Copyright Notice</A></H2>
 <P>Portions Copyright 1992-1996 Regents of the University of Michigan.<BR><EM>All rights reserved.</EM></P>
@@ -8886,7 +9851,7 @@
 <P>
 <FONT COLOR="#808080" FACE="Arial,Verdana,Helvetica" SIZE="1"><B>
 ________________<BR>
-<SMALL>&copy; Copyright 2007, <A HREF="http://www.OpenLDAP.org/foundation/">OpenLDAP Foundation</A>, <A HREF="mailto:info at OpenLDAP.org">info at OpenLDAP.org</A></SMALL></B></FONT>
+<SMALL>&copy; Copyright 2008, <A HREF="http://www.OpenLDAP.org/foundation/">OpenLDAP Foundation</A>, <A HREF="mailto:info at OpenLDAP.org">info at OpenLDAP.org</A></SMALL></B></FONT>
 
 </DIV>
 

Modified: openldap/trunk/doc/guide/admin/guide.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/guide.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/guide.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/guide.sdf,v 1.7.2.4 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/guide.sdf,v 1.7.2.5 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 #
 # guide.sdf 

Modified: openldap/trunk/doc/guide/admin/index.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/index.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/index.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/index.sdf,v 1.7.2.4 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/index.sdf,v 1.7.2.5 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 #
 # index.sdf 

Modified: openldap/trunk/doc/guide/admin/install.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/install.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/install.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/install.sdf,v 1.38.2.5 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/install.sdf,v 1.38.2.6 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Building and Installing OpenLDAP Software

Modified: openldap/trunk/doc/guide/admin/intro.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/intro.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/intro.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/intro.sdf,v 1.45.2.5 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/intro.sdf,v 1.45.2.6 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 H1: Introduction to OpenLDAP Directory Services
 

Modified: openldap/trunk/doc/guide/admin/maintenance.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/maintenance.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/maintenance.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/maintenance.sdf,v 1.7.2.3 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/maintenance.sdf,v 1.7.2.6 2008/04/14 22:37:01 quanah Exp $
+# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Maintenance
@@ -86,10 +86,11 @@
 chapter 9 of the Berkeley DB guide. In particular, the following chapters are 
 recommended:
 
-* Database and log file archival
-* Log file removal
-* Recovery procedures
-* Hot failover
+* Database and log file archival - {{URL:http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/archival.html}}
+* Log file removal - {{URL:http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/logfile.html}}
+* Recovery procedures - {{URL:http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/recovery.html}}
+* Hot failover - {{URL:http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/hotfail.html}}
+* Complete list of Berkeley DB flags - {{URL:http://www.oracle.com/technology/documentation/berkeley-db/db/api_c/env_set_flags.html}}
 
 Advanced installations can use special environment settings to fine-tune some 
 Berkeley DB options (change the log file limit, etc). This can be done by using 
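Review bot: the unchanged lead-in still says "the following chapters are recommended", but the fifth bullet added here ("Complete list of Berkeley DB flags", the env_set_flags API page) is an API reference entry, not a chapter of the transactional-application guide like the other four; give it its own sentence after the list or reword the lead-in to "chapters and reference pages". The five Oracle URLs are also unversioned, so they describe whatever Berkeley DB release Oracle currently publishes rather than the release slapd is built against; a note saying which version they were checked against would save readers a mismatch.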

Modified: openldap/trunk/doc/guide/admin/master.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/master.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/master.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/master.sdf,v 1.18.2.5 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/master.sdf,v 1.18.2.7 2008/04/14 20:35:10 quanah Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 #
 # master file for the OpenLDAP Administrator's Guide
@@ -42,6 +42,9 @@
 !include "slapdconfig.sdf"; chapter
 PB:
 
+!include "access-control.sdf"; chapter
+PB:
+
 !include "runningslapd.sdf"; chapter
 PB:
 

Modified: openldap/trunk/doc/guide/admin/monitoringslapd.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/monitoringslapd.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/monitoringslapd.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/monitoringslapd.sdf,v 1.9.2.4 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/monitoringslapd.sdf,v 1.9.2.5 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 H1: Monitoring
 

Modified: openldap/trunk/doc/guide/admin/overlays.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/overlays.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/overlays.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/overlays.sdf,v 1.8.2.5 2007/11/27 19:06:07 quanah Exp $
-# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/overlays.sdf,v 1.8.2.19 2008/04/21 21:35:19 quanah Exp $
+# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Overlays
@@ -8,34 +8,47 @@
 those provided by backends, which can be stacked on top of the backend calls 
 and as callbacks on top of backend responses to alter their behavior. 
 
-Overlays may be compiled statically into slapd, or when module support
+Overlays may be compiled statically into {{slapd}}, or when module support
 is enabled, they may be dynamically loaded. Most of the overlays
-are only allowed to be configured on individual databases, but some
-may also be configured globally.
+are only allowed to be configured on individual databases.
 
-Essentially they represent a means to:
+Some can be stacked on the {{EX:frontend}} as well, for global use. This means that
+they can be executed after a request is parsed and validated, but right before the 
+appropriate database is selected. The main purpose is to affect operations 
+regardless of the database they will be handled by, and, in some cases, 
+to influence the selection of the database by massaging the request DN. 
 
+Essentially, overlays represent a means to:
+
     * customize the behavior of existing backends without changing the backend 
       code and without requiring one to write a new custom backend with 
       complete functionality
     * write functionality of general usefulness that can be applied to 
       different backend types
 
+When using {{slapd.conf}}(5), overlays that are configured before any other
+databases are considered global, as mentioned above. In fact they are implicitly
+stacked on top of the {{EX:frontend}} database. They can also be explicitly
+configured as such:
+
+>        database frontend
+>        overlay <overlay name>
+
 Overlays are usually documented by separate specific man pages in section 5; 
 the naming convention is
 
 >        slapo-<overlay name>
 
-Not all distributed overlays have a man page yet. Feel free to contribute one, 
-if you think you well understood the behavior of the component and the 
-implications of all the related configuration directives.
+All distributed core overlays have a man page. Feel free to contribute to any, 
+if you think there is anything missing in describing the behavior of the component 
+and the implications of all the related configuration directives.
 
 Official overlays are located in
 
 >        servers/slapd/overlays/
 
 That directory also contains the file slapover.txt, which describes the 
-rationale of the overlay implementation, and may serve as guideline for the 
+rationale of the overlay implementation, and may serve as a guideline for the 
 development of custom overlays.
 
 Contribware overlays are located in
@@ -45,13 +58,7 @@
 along with other types of run-time loadable components; they are officially 
 distributed, but not maintained by the project.
 
-They can be stacked on the frontend as well; this means that they can be 
-executed after a request is parsed and validated, but right before the 
-appropriate database is selected. The main purpose is to affect operations 
-regardless of the database they will be handled by, and, in some cases, 
-to influence the selection of the database by massaging the request DN. 
-
-All the current overlays in 2.4 are listed and described in detail in the 
+All the current overlays in OpenLDAP are listed and described in detail in the 
 following sections.
 
 
@@ -63,22 +70,160 @@
 This overlay can record accesses to a given backend database on another
 database.
 
+This allows all of the activity on a given database to be reviewed using arbitrary 
+LDAP queries, instead of just logging to local flat text files. Configuration 
+options are available for selecting a subset of operation types to log, and to 
+automatically prune older log records from the logging database. Log records 
+are stored with audit schema to assure their readability whether viewed as LDIF 
+or in raw form.
 
+It is also used for {{SECT:delta-syncrepl replication}}
+
 H3: Access Logging Configuration
 
+The following is a basic example that implements Access Logging:
 
+>        database bdb
+>        suffix dc=example,dc=com
+>        ...
+>        overlay accesslog
+>        logdb cn=log
+>        logops writes reads
+>        logold (objectclass=person)
+>        
+>        database bdb
+>        suffix cn=log
+>        ...
+>        index reqStart eq
+>        access to *
+>          by dn.base="cn=admin,dc=example,dc=com" read
+
+The following is an example used for {{SECT:delta-syncrepl replication}}:
+
+>        database hdb
+>        suffix cn=accesslog
+>        directory /usr/local/var/openldap-accesslog
+>        rootdn cn=accesslog
+>        index default eq
+>        index entryCSN,objectClass,reqEnd,reqResult,reqStart
+
+Accesslog overlay definitions for the primary db
+
+>        database bdb
+>        suffix dc=example,dc=com
+>        ...
+>        overlay accesslog
+>        logdb cn=accesslog
+>        logops writes
+>        logsuccess TRUE
+>        # scan the accesslog DB every day, and purge entries older than 7 days
+>        logpurge 07+00:00 01+00:00
+
+An example search result against {{B:cn=accesslog}} might look like:
+
+>        [ghenry at suretec ghenry]# ldapsearch -x -b cn=accesslog
+>        # extended LDIF
+>        #
+>        # LDAPv3
+>        # base <cn=accesslog> with scope subtree
+>        # filter: (objectclass=*)
+>        # requesting: ALL
+>        #
+>        
+>        # accesslog
+>        dn: cn=accesslog
+>        objectClass: auditContainer
+>        cn: accesslog
+>        
+>        # 20080110163829.000004Z, accesslog
+>        dn: reqStart=20080110163829.000004Z,cn=accesslog
+>        objectClass: auditModify
+>        reqStart: 20080110163829.000004Z
+>        reqEnd: 20080110163829.000005Z
+>        reqType: modify
+>        reqSession: 196696
+>        reqAuthzID: cn=admin,dc=suretecsystems,dc=com
+>        reqDN: uid=suretec-46022f8$,ou=Users,dc=suretecsystems,dc=com
+>        reqResult: 0
+>        reqMod: sambaPwdCanChange:- ###CENSORED###
+>        reqMod: sambaPwdCanChange:+ ###CENSORED###
+>        reqMod: sambaNTPassword:- ###CENSORED###
+>        reqMod: sambaNTPassword:+ ###CENSORED###
+>        reqMod: sambaPwdLastSet:- ###CENSORED###
+>        reqMod: sambaPwdLastSet:+ ###CENSORED###
+>        reqMod: entryCSN:= 20080110163829.095157Z#000000#000#000000
+>        reqMod: modifiersName:= cn=admin,dc=suretecsystems,dc=com
+>        reqMod: modifyTimestamp:= 20080110163829Z
+>        
+>        # search result
+>        search: 2
+>        result: 0 Success
+>        
+>        # numResponses: 3
+>        # numEntries: 2
+
+For more information, please see {{slapo-accesslog(5)}} and the {{SECT:delta-syncrepl replication}} section.
+
+
 H2: Audit Logging
 
-This overlay records changes on a given backend database to an LDIF log
-file.
-   
-   
+The Audit Logging overlay can be used to record all changes on a given backend database to a specified log file.
+
 H3: Overview
 
+If the need arises whereby changes need to be logged as standard LDIF, then the auditlog overlay {{B:slapo-auditlog (5)}}
+can be used. Full examples are available in the man page {{B:slapo-auditlog (5)}}
 
 H3: Audit Logging Configuration
 
+If the directory is running vi {{F:slapd.d}}, then the following LDIF could be used to add the overlay to the overlay list 
+in {{B:cn=config}} and set what file the {{TERM:LDIF}} gets logged to (adjust to suit)
 
+>       dn: olcOverlay=auditlog,olcDatabase={1}hdb,cn=config
+>       changetype: add
+>       objectClass: olcOverlayConfig
+>       objectClass: olcAuditLogConfig
+>       olcOverlay: auditlog
+>       olcAuditlogFile: /tmp/auditlog.ldif
+
+
+In this example for testing, we are logging changes to {{F:/tmp/auditlog.ldif}}
+
+A typical {{TERM:LDIF}} file created by {{B:slapo-auditlog (5)}} would look like:
+
+>       # add 1196797576 dc=suretecsystems,dc=com cn=admin,dc=suretecsystems,dc=com
+>       dn: dc=suretecsystems,dc=com
+>       changetype: add
+>       objectClass: dcObject
+>       objectClass: organization
+>       dc: suretecsystems
+>       o: Suretec Systems Ltd.
+>       structuralObjectClass: organization
+>       entryUUID: 1606f8f8-f06e-1029-8289-f0cc9d81e81a
+>       creatorsName: cn=admin,dc=suretecsystems,dc=com
+>       modifiersName: cn=admin,dc=suretecsystems,dc=com
+>       createTimestamp: 20051123130912Z
+>       modifyTimestamp: 20051123130912Z
+>       entryCSN: 20051123130912.000000Z#000001#000#000000
+>       auditContext: cn=accesslog
+>       # end add 1196797576
+>       
+>       # add 1196797577 dc=suretecsystems,dc=com cn=admin,dc=suretecsystems,dc=com
+>       dn: ou=Groups,dc=suretecsystems,dc=com
+>       changetype: add
+>       objectClass: top
+>       objectClass: organizationalUnit
+>       ou: Groups
+>       structuralObjectClass: organizationalUnit
+>       entryUUID: 160aaa2a-f06e-1029-828a-f0cc9d81e81a
+>       creatorsName: cn=admin,dc=suretecsystems,dc=com
+>       modifiersName: cn=admin,dc=suretecsystems,dc=com
+>       createTimestamp: 20051123130912Z
+>       modifyTimestamp: 20051123130912Z
+>       entryCSN: 20051123130912.000000Z#000002#000#000000
+>       # end add 1196797577
+
+
 H2: Chaining
 
 
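Review bot: the delta-syncrepl accesslog database (`database hdb` / `suffix cn=accesslog`) is given a `rootdn` but no `access` directive, and unless the elided lines supply one, slapd's default policy for a database without ACLs is `access to * by * read`. Accesslog records carry the full `reqMod` values of every write, and the sample output immediately below had to be hand-censored precisely because it recorded `sambaNTPassword` and `sambaPwdLastSet` modifications, so as written the example leaves password hashes readable by any client that can bind or search anonymously. Add an ACL in the same shape as the first example in this hunk, e.g. `access to * by dn.base="cn=replicator,dc=example,dc=com" read by * none` (replicator DN is illustrative), and state that the DN granted read must be the consumer's syncrepl `binddn`. The auditlog example has the same exposure in another form: `olcAuditlogFile: /tmp/auditlog.ldif` writes the LDIF of every change, password modifications included, into a world-readable, world-writable directory; even for a test the example should use a directory owned by the slapd user with mode 0700. Small fixes in the same hunk: "running vi slapd.d" should be "running via slapd.d", and `{{B:slapo-auditlog (5)}}` has a space before the section number while the accesslog text uses `{{slapo-accesslog(5)}}`.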
@@ -93,7 +238,7 @@
 referrals by themselves.
 
 The chain overlay is built on top of the ldap backend; it is compiled by 
-default when --enable-ldap.
+default when {{B:--enable-ldap}}.
 
 
 H3: Chaining Configuration
@@ -101,8 +246,8 @@
 In order to demonstrate how this overlay works, we shall discuss a typical 
 scenario which might be one master server and three Syncrepl slaves. 
 
-On each replica, add this near the top of the file (global), before any database 
-definitions:
+On each replica, add this near the top of the {{slapd.conf}}(5) file
+(global), before any database definitions:
 
 >        overlay                    chain
 >        chain-uri                  "ldap://ldapmaster.example.com"
@@ -122,8 +267,10 @@
 bound to the slave will also exist on the master. If that DN does not have 
 update privileges on the master, nothing will happen.
 
-You will need to restart the slave after these changes. Then, if you are using 
-{{loglevel 256}}, you can monitor an {{ldapmodify}} on the slave and the master.
+You will need to restart the slave after these {{slapd.conf}} changes.
+Then, if you are using {{loglevel stats}} (256), you can monitor an
+{{ldapmodify}} on the slave and the master. (If you're using {{cn=config}}
+no restart is required.)
 
 Now start an {{ldapmodify}} on the slave and watch the logs. You should expect 
 something like:
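Review bot: the parenthetical "(If you're using {{cn=config}} no restart is required.)" qualifies the first sentence ("You will need to restart the slave after these {{slapd.conf}} changes"), not the {{loglevel stats}} sentence it is attached to; fold it into the restart sentence, e.g. "You will need to restart the slave after these {{slapd.conf}} changes (no restart is needed when the server is configured via {{cn=config}})."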
@@ -173,25 +320,122 @@
 H3: Overview
 
 This overlay enforces a regular expression constraint on all values
-of specified attributes. It is used to enforce a more rigorous
-syntax when the underlying attribute syntax is too general.
+of specified attributes during an LDAP modify request that contains add or modify
+commands. It is used to enforce a more rigorous syntax when the underlying attribute 
+syntax is too general.
 
 
 H3: Constraint Configuration
+
+Configuration via {{slapd.conf}}(5) would look like:
+
+>        overlay constraint
+>        constraint_attribute mail regex ^[:alnum:]+ at mydomain.com$
+>        constraint_attribute title uri
+>        ldap:///dc=catalog,dc=example,dc=com?title?sub?(objectClass=titleCatalog)
+
+A specification like the above would reject any {{mail}} attribute which did not
+look like {{<alpha-numeric string>@mydomain.com}}.
+
+It would also reject any title attribute whose values were not listed in the 
+title attribute of any {{titleCatalog}} entries in the given scope.   
+
+An example for use with {{cn=config}}:
+
+>       dn: olcOverlay=constraint,olcDatabase={1}hdb,cn=config
+>       changetype: add
+>       objectClass: olcOverlayConfig
+>       objectClass: olcConstraintConfig
+>       olcOverlay: constraint
+>       olcConstraintAttribute: mail regex ^[:alnum:]+ at mydomain.com$
+>       olcConstraintAttribute: title uri ldap:///dc=catalog,dc=example,dc=com?title?sub?(objectClass=titleCatalog)
+
    
-   
 H2: Dynamic Directory Services
 
 
 H3: Overview
 
-This overlay supports dynamic objects, which have a limited life after
-which they expire and are automatically deleted.
-   
-   
+The {{dds}} overlay to {{slapd}}(8) implements dynamic objects as per {{REF:RFC2589}}.
+The name {{dds}} stands for Dynamic Directory Services. It allows to define 
+dynamic objects, characterized by the {{dynamicObject}} objectClass.
+
+Dynamic objects have a limited lifetime, determined by a time-to-live (TTL) 
+that can be refreshed by means of a specific refresh extended operation. This 
+operation allows to set the Client Refresh Period (CRP), namely the period 
+between refreshes that is required to preserve the dynamic object from expiration. 
+The expiration time is computed by adding the requested TTL to the current time.
+When dynamic objects reach the end of their lifetime without being further 
+refreshed, they are automatically {{deleted}}. There is no guarantee of immediate 
+deletion, so clients should not count on it.
+
 H3: Dynamic Directory Service Configuration
 
+A usage of dynamic objects might be to implement dynamic meetings; in this case, 
+all the participants to the meeting are allowed to refresh the meeting object, 
+but only the creator can delete it (otherwise it will be deleted when the TTL expires).
 
+If we add the overlay to an example database, specifying a Max TTL of 1 day, a 
+min of 10 seconds, with a default TTL of 1 hour. We'll also specify an interval
+of 120 (less than 60s might be too small) seconds between expiration checks and a 
+tolerance of 5 second (lifetime of a dynamic object will be {{entryTtl + tolerance}}).
+
+>       overlay dds
+>       dds-max-ttl     1d
+>       dds-min-ttl     10s
+>       dds-default-ttl 1h
+>       dds-interval    120s
+>       dds-tolerance   5s
+
+and add an index:
+
+>       entryExpireTimestamp
+
+Creating a meeting is as simple as adding the following:
+
+>       dn: cn=OpenLDAP Documentation Meeting,ou=Meetings,dc=example,dc=com
+>       objectClass: groupOfNames
+>       objectClass: dynamicObject
+>       cn: OpenLDAP Documentation Meeting
+>       member: uid=ghenry,ou=People,dc=example,dc=com
+>       member: uid=hyc,ou=People,dc=example,dc=com
+
+H4: Dynamic Directory Service ACLs
+
+Allow users to start a meeting and to join it; restrict refresh to the {{member}}; 
+restrict delete to the creator:
+
+>       access to attrs=userPassword
+>          by self write
+>          by * read
+>       
+>       access to dn.base="ou=Meetings,dc=example,dc=com"
+>                 attrs=children
+>            by users write
+>       
+>       access to dn.onelevel="ou=Meetings,dc=example,dc=com"
+>                 attrs=entry
+>            by dnattr=creatorsName write
+>            by * read
+>       
+>       access to dn.onelevel="ou=Meetings,dc=example,dc=com"
+>                 attrs=participant
+>            by dnattr=creatorsName write
+>            by users selfwrite
+>            by * read
+>       
+>       access to dn.onelevel="ou=Meetings,dc=example,dc=com"
+>                 attrs=entryTtl
+>            by dnattr=member manage
+>            by * read
+
+In simple terms, the user who created the {{OpenLDAP Documentation Meeting}} can add new attendees, 
+refresh the meeting using (basically complete control):
+
+>       ldapexop -x -H ldap://ldaphost "refresh" "cn=OpenLDAP Documentation Meeting,ou=Meetings,dc=example,dc=com" "120" -D "uid=ghenry,ou=People,dc=example,dc=com" -W
+
+Any user can join the meeting, but not add another attendee, but they can refresh the meeting. The ACLs above are quite straight forward to understand.
+
 H2: Dynamic Groups
 
 
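Review bot: the mail constraint in both examples (`constraint_attribute mail regex ^[:alnum:]+ at mydomain.com$` and the matching `olcConstraintAttribute:` line) does not express the rule the prose describes ({{<alpha-numeric string>@mydomain.com}}): a POSIX class is only valid inside a bracket expression (`[[:alnum:]]`, not `[:alnum:]`), the `@` appears as ` at `, and the unescaped `.` matches any character, so values the constraint is meant to reject can pass. Suggest `^[[:alnum:]]+@mydomain\.com$` in both places. Further in the same hunk: the `uri` constraint is split over two lines at the same indent (`constraint_attribute title uri` / `ldap:///dc=catalog,...`), which slapd.conf(5) only reads as one directive when the continuation line begins with whitespace; the dds "add an index" example shows only `entryExpireTimestamp`, which is not a directive (should be `index entryExpireTimestamp eq`); the meeting ACL restricts `attrs=participant` while the example entry and the prose ("restrict refresh to the {{member}}") use `member`, so that ACL never applies to the object shown; "a tolerance of 5 second" should read "5 seconds"; and the sentence "can add new attendees, refresh the meeting using (basically complete control):" is missing its object.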
@@ -230,7 +474,7 @@
 has to be a subtype of {{F:labeledURI}}. The attributes and values present in
 the search result are added to the entry unless {{F:member-ad}} is used (see
 below).
-* {{F:member-ad}}: if present, changes the overlay behaviour into a dynamic group.
+* {{F:member-ad}}: if present, changes the overlay behavior into a dynamic group.
 Instead of inserting the results of the search in the entry, the distinguished name
 of the results are added as values of this attribute.
 
@@ -275,7 +519,7 @@
 >       objectClass: groupOfNames
 >       labeledURI: ldap:///ou=people,dc=example,dc=com??one?(objectClass=inetOrgPerson)
 
-The behaviour is similar to the dynamic list configuration we had before:
+The behavior is similar to the dynamic list configuration we had before:
 whenever an entry with the {{F:groupOfNames}} object class is retrieved, the
 search specified in the {{F:labeledURI}} attribute is performed. But this time,
 only the distinguished names of the results are added, and as values of the
@@ -285,7 +529,7 @@
 !import "allusersgroup-en.png"; align="center"; title="Dynamic group for all users"
 FT[align="Center"] Figure X.Y: Dynamic Group for all users
 
-Note that a side effect of this scheme of dymamic groups is that the members
+Note that a side effect of this scheme of dynamic groups is that the members
 need to be specified as full DNs. So, if you are planning in using this for
 {{F:posixGroup}}s, be sure to use RFC2307bis and some attribute which can hold
 distinguished names. The {{F:memberUid}} attribute used in the {{F:posixGroup}}
@@ -520,14 +764,113 @@
 
 H3: Overview
 
-This overlay provides a variety of password control mechanisms,
-e.g. password aging, password reuse and duplication control, mandatory
-password resets, etc.
+This overlay follows the specifications contained in the draft RFC titled 
+draft-behera-ldap-password-policy-09. While the draft itself is expired, it has 
+been implemented in several directory servers, including slapd. Nonetheless, 
+it is important to note that it is a draft, meaning that it is subject to change 
+and is a work-in-progress.
 
+The key abilities of the password policy overlay are as follows:
 
+* Enforce a minimum length for new passwords
+* Make sure passwords are not changed too frequently
+* Cause passwords to expire, provide warnings before they need to be changed, and allow a fixed number of 'grace' logins to allow them to be changed after they have expired
+* Maintain a history of passwords to prevent password re-use
+* Prevent password guessing by locking a password for a specified period of time after repeated authentication failures
+* Force a password to be changed at the next authentication
+* Set an administrative lock on an account
+* Support multiple password policies on a default or a per-object basis.
+* Perform arbitrary quality checks using an external loadable module. This is a non-standard extension of the draft RFC.
+
+
 H3: Password Policy Configuration
 
+Instantiate the module in the database where it will be used, after adding the 
+new ppolicy schema and loading the ppolicy module. The following example shows 
+the ppolicy module being added to the database that handles the naming 
+context "dc=example,dc=com". In this example we are also specifying the DN of 
+a policy object to use if none other is specified in a user's object.
 
+>       database bdb
+>       suffix "dc=example,dc=com"
+>       [...additional database configuration directives go here...]
+>       
+>       overlay ppolicy
+>       ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
+
+
+Now we need a container for the policy objects. In our example the password 
+policy objects are going to be placed in a section of the tree called 
+"ou=policies,dc=example,dc=com":
+
+>       dn: ou=policies,dc=example,dc=com
+>       objectClass: organizationalUnit
+>       objectClass: top
+>       ou: policies
+
+
+The default policy object that we are creating defines the following policies:
+
+* The user is allowed to change his own password. Note that the directory ACLs for this attribute can also affect this ability (pwdAllowUserChange: TRUE).
+* The name of the password attribute is "userPassword" (pwdAttribute: userPassword). Note that this is the only value that is accepted by OpenLDAP for this attribute.
+* The server will check the syntax of the password. If the server is unable to check the syntax (i.e., it was hashed or otherwise encoded by the client) it will return an error refusing the password (pwdCheckQuality: 2).
+* When a client includes the Password Policy Request control with a bind request, the server will respond with a password expiration warning if it is going to expire in ten minutes or less (pwdExpireWarning: 600). The warnings themselves are returned in a Password Policy Response control.
+* When the password for a DN has expired, the server will allow five additional "grace" logins (pwdGraceAuthNLimit: 5).
+* The server will maintain a history of the last five passwords that were used for a DN (pwdInHistory: 5).
+* The server will lock the account after the maximum number of failed bind attempts has been exceeded (pwdLockout: TRUE).
+* When the server has locked an account, the server will keep it locked until an administrator unlocks it (pwdLockoutDuration: 0)
+* The server will reset its failed bind count after a period of 30 seconds.
+* Passwords will not expire (pwdMaxAge: 0).
+* Passwords can be changed as often as desired (pwdMinAge: 0).
+* Passwords must be at least 5 characters in length (pwdMinLength: 5).
+* The password does not need to be changed at the first bind or when the administrator has reset the password (pwdMustChange: FALSE)
+* The current password does not need to be included with password change requests (pwdSafeModify: FALSE)
+* The server will only allow five failed binds in a row for a particular DN (pwdMaxFailure: 5).
+
+
+The actual policy would be:
+
+>       dn: cn=default,ou=policies,dc=example,dc=com
+>       cn: default
+>       objectClass: pwdPolicy
+>       objectClass: person
+>       objectClass: top
+>       pwdAllowUserChange: TRUE
+>       pwdAttribute: userPassword
+>       pwdCheckQuality: 2
+>       pwdExpireWarning: 600
+>       pwdFailureCountInterval: 30
+>       pwdGraceAuthNLimit: 5
+>       pwdInHistory: 5
+>       pwdLockout: TRUE
+>       pwdLockoutDuration: 0
+>       pwdMaxAge: 0
+>       pwdMaxFailure: 5
+>       pwdMinAge: 0
+>       pwdMinLength: 5
+>       pwdMustChange: FALSE
+>       pwdSafeModify: FALSE
+>       sn: dummy value
+
+You can create additional policy objects as needed. 
+
+
+There are two ways password policy can be applied to individual objects:
+
+1. The pwdPolicySubentry in a user's object - If a user's object has a
+pwdPolicySubEntry attribute specifying the DN of a policy object, then 
+the policy defined by that object is applied.
+
+2. Default password policy - If there is no specific pwdPolicySubentry set
+for an object, and the password policy module was configured with the DN of a
+default policy object and if that object exists, then the policy defined in
+that object is applied.
+
+Please see {{slapo-ppolicy(5)}} for complete explanations of features and discussion of
+ "Password Management Issues" at {{URL:http://www.connexitor.com/forums/viewtopic.php?f=6&t=25}}
+
+
+
 H2: Referential Integrity
 
 
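Review bot: the bullet "The server will reset its failed bind count after a period of 30 seconds." is the only policy bullet that omits the attribute it describes; add "(pwdFailureCountInterval: 30)" so it matches the entry below. In item 1 of "two ways password policy can be applied" the attribute is spelled both `pwdPolicySubentry` and `pwdPolicySubEntry` on consecutive lines; use one spelling. "draft RFC titled draft-behera-ldap-password-policy-09" should read "Internet-Draft draft-behera-ldap-password-policy-09" (it is a draft, not a draft RFC), and the closing sentence pointing at {{slapo-ppolicy(5)}} lacks a period.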
@@ -678,7 +1021,15 @@
 
 H3: Overview
 
+Overlays can be stacked, which means that more than one overlay
+can be instantiated for each database, or for the {{EX:frontend}}.
+As a consequence, each overlays function is called, if defined,
+when overlay execution is invoked.
+Multiple overlays are executed in reverse order (as a stack)
+with respect to their definition in slapd.conf (5), or with respect
+to their ordering in the config database, as documented in slapd-config (5).
 
+
 H3: Example Scenarios
 
 
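Review bot: "each overlays function" should be "each overlay's function", and the man-page references `slapd.conf (5)` and `slapd-config (5)` should use the `{{slapd.conf}}(5)` form used elsewhere in this change (for example in the Chaining section) so they render consistently. The ordering sentence ("executed in reverse order (as a stack) with respect to their definition") would be clearer with one concrete line, e.g. that with `overlay A` followed by `overlay B` in slapd.conf, B runs before A.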

Modified: openldap/trunk/doc/guide/admin/preface.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/preface.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/preface.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/preface.sdf,v 1.25.2.4 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/preface.sdf,v 1.25.2.5 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 # 
 

Modified: openldap/trunk/doc/guide/admin/quickstart.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/quickstart.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/quickstart.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/quickstart.sdf,v 1.44.2.4 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/quickstart.sdf,v 1.44.2.5 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: A Quick-Start Guide

Modified: openldap/trunk/doc/guide/admin/referrals.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/referrals.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/referrals.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/referrals.sdf,v 1.25.2.4 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/referrals.sdf,v 1.25.2.5 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Constructing a Distributed Directory Service

Modified: openldap/trunk/doc/guide/admin/replication.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/replication.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/replication.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/replication.sdf,v 1.32.2.9 2007/12/10 15:31:27 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/replication.sdf,v 1.32.2.15 2008/04/21 17:10:13 quanah Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Replication
@@ -10,14 +10,11 @@
 {{PRD:OpenLDAP}} has various configuration options for creating a replicated 
 directory. The following sections will discuss these.
 
-H2: Replication Strategies
+H2: Push Based
 
 
-H3: Push Based
+H3: Replacing Slurpd
 
-
-H5: Replacing Slurpd
-
 {{Slurpd}} replication has been deprecated in favor of Syncrepl replication and 
 has been completely removed from OpenLDAP 2.4.
 
@@ -131,72 +128,10 @@
 {{slapd-ldap(8)}} tailoring your replication to fit your specific network 
 topology.
 
-H3: Pull Based
+H2: Pull Based
 
+H3: LDAP Sync Replication
 
-H4: syncrepl replication
-
-
-H4: delta-syncrepl replication
-
-
-H2: Replication Types
-
-
-H3: syncrepl replication
-
-
-H3: delta-syncrepl replication
-
-
-H3: N-Way Multi-Master replication
-
-Multi-Master replication is a replication technique using Syncrepl to replicate 
-data to multiple Master Directory servers. 
-
-* Advantages of Multi-Master replication:
-
-- If any master fails, other masters will continue to accept updates
-- Avoids a single point of failure
-- Masters can be located in several physical sites i.e. distributed across the 
-network/globe.
-- Good for Automatic failover/High Availability
-
-* Disadvantages of Multi-Master replication:
-
-- It has {{B:NOTHING}} to do with load balancing
-- {{URL:http://www.openldap.org/faq/data/cache/1240.html}}
-- If connectivity with a master is lost because of a network partition, then 
-"automatic failover" can just compound the problem
-- Typically, a particular machine cannot distinguish between losing contact
- with a peer because that peer crashed, or because the network link has failed
-- If a network is partitioned and multiple clients start writing to each of the 
-"masters" then reconciliation will be a pain; it may be best to simply deny 
-writes to the clients that are partitioned from the single master
-- Masters {{B:must}} propagate writes to {{B:all}} the other servers, which 
-means the network traffic and write load is constant and spreads across all 
-of the servers
-
-
-This is discussed in full in the {{SECT:N-Way Multi-Master}} section below
-
-H3: MirrorMode replication
-
-MirrorMode is a hybrid configuration that provides all of the consistency
-guarantees of single-master replication, while also providing the high
-availability of multi-master. In MirrorMode two masters are set up to
-replicate from each other (as a multi-master configuration) but an
-external frontend is employed to direct all writes to only one of
-the two servers. The second master will only be used for writes if
-the first master crashes, at which point the frontend will switch to
-directing all writes to the second master. When a crashed master is
-repaired and restarted it will automatically catch up to any changes
-on the running master and resync.
-
-This is discussed in full in the {{SECT:MirrorMode}} section below
-
-H2: LDAP Sync Replication
-
 The {{TERM:LDAP Sync}} Replication engine, {{TERM:syncrepl}} for
 short, is a consumer-side replication engine that enables the
 consumer {{TERM:LDAP}} server to maintain a shadow copy of a
@@ -253,7 +188,7 @@
 syncrepl replication connection.
 
 
-H3: The LDAP Content Synchronization Protocol
+H4: The LDAP Content Synchronization Protocol
 
 The LDAP Sync protocol allows a client to maintain a synchronized
 copy of a DIT fragment. The LDAP Sync operation is defined as a set
@@ -344,7 +279,7 @@
 synchronization control.
 
 
-H3: Syncrepl Details
+H4: Syncrepl Details
 
 The syncrepl engine utilizes both the {{refreshOnly}} and the
 {{refreshAndPersist}} operations of the LDAP Sync protocol.  If a
@@ -450,9 +385,131 @@
 but in {{refreshOnly}} mode the provider cannot detect and propagate
 this change without the use of the session log.
 
+For configuration, please see the {{SECT:Syncrepl}} section.
 
-H3: Configuring Syncrepl
 
+H3: Delta-syncrepl replication
+
+* Disadvantages of Syncrepl replication:
+
+OpenLDAP's syncrepl replication is an object-based replication mechanism. 
+When any attribute value in a replicated object is changed on the provider, 
+each consumer fetches and processes the complete changed object {B:both changed and unchanged attribute values}
+ during replication. This works well, but has drawbacks in some situations. 
+
+For example, suppose you have a database consisting of 100,000 objects of 1 KB 
+each. Further, suppose you routinely run a batch job to change the value of 
+a single two-byte attribute value that appears in each of the 100,000 objects 
+on the master. Not counting LDAP and TCP/IP protocol overhead, each time you 
+run this job each consumer will transfer and process {B:1 GB} of data to process 
+{B:200KB of changes! }
+
+99.98% of the data that is transmitted and processed in a case like this will 
+be redundant, since it represents values that did not change. This is a waste 
+of valuable transmission and processing bandwidth and can cause an unacceptable 
+replication backlog to develop. While this situation is extreme, it serves to 
+demonstrate a very real problem that is encountered in some LDAP deployments.
+
+
+* Where Delta-syncrepl comes in:
+
+Delta-syncrepl, a changelog-based variant of syncrepl, is designed to address 
+situations like the one described above. Delta-syncrepl works by maintaining a 
+changelog of a selectable depth on the provider. The replication consumer on 
+each consumer checks the changelog for the changes it needs and, as long as 
+the changelog contains the needed changes, the delta-syncrepl consumer fetches 
+them from the changelog and applies them to its database. If, however, a replica 
+is too far out of sync (or completely empty), conventional syncrepl is used to 
+bring it up to date and replication then switches to the delta-syncrepl mode.
+
+For configuration, please see the {{SECT:Delta-syncrepl}} section.
+
+
+H2: Mixture of both Pull and Push based
+
+H3: N-Way Multi-Master replication
+
+Multi-Master replication is a replication technique using Syncrepl to replicate 
+data to multiple Master Directory servers. 
+
+* Advantages of Multi-Master replication:
+
+- If any master fails, other masters will continue to accept updates
+- Avoids a single point of failure
+- Masters can be located in several physical sites i.e. distributed across the 
+network/globe.
+- Good for Automatic failover/High Availability
+
+* Disadvantages of Multi-Master replication:
+
+- It has {{B:NOTHING}} to do with load balancing
+- {{URL:http://www.openldap.org/faq/data/cache/1240.html}}
+- If connectivity with a master is lost because of a network partition, then 
+"automatic failover" can just compound the problem
+- Typically, a particular machine cannot distinguish between losing contact
+ with a peer because that peer crashed, or because the network link has failed
+- If a network is partitioned and multiple clients start writing to each of the 
+"masters" then reconciliation will be a pain; it may be best to simply deny 
+writes to the clients that are partitioned from the single master
+- Masters {{B:must}} propagate writes to {{B:all}} the other servers, which 
+means the network traffic and write load is constant and spreads across all 
+of the servers
+
+
+For configuration, please see the {{SECT:N-Way Multi-Master}} section below
+
+H3: MirrorMode replication
+
+MirrorMode is a hybrid configuration that provides all of the consistency
+guarantees of single-master replication, while also providing the high
+availability of multi-master. In MirrorMode two masters are set up to
+replicate from each other (as a multi-master configuration) but an
+external frontend is employed to direct all writes to only one of
+the two servers. The second master will only be used for writes if
+the first master crashes, at which point the frontend will switch to
+directing all writes to the second master. When a crashed master is
+repaired and restarted it will automatically catch up to any changes
+on the running master and resync.
+
+H4: Arguments for MirrorMode
+
+* Provides a high-availability (HA) solution for directory writes (replicas handle reads)
+* As long as one Master is operational, writes can safely be accepted
+* Master nodes replicate from each other, so they are always up to date and
+can be ready to take over (hot standby)
+* Syncrepl also allows the master nodes to re-synchronize after any downtime
+* Delta-Syncrepl can be used
+
+
+H4: Arguments against MirrorMode
+
+* MirrorMode is not what is termed as a Multi-Master solution. This is because 
+writes have to go to one of the mirror nodes at a time
+* MirrorMode can be termed as Active-Active Hot-Standby, therefor an external 
+server (slapd in proxy mode) or device (hardware load balancer) to manage which 
+master is currently active
+* While syncrepl can recover from a completely empty database, slapadd is much 
+faster
+* Does not provide faster or more scalable write performance (neither could 
+  any Multi-Master solution)
+* Backups are managed slightly differently
+- If backing up the Berkeley database itself and periodically backing up the 
+transaction log files, then the same member of the mirror pair needs to be 
+used to collect logfiles until the next database backup is taken 
+- To ensure that both databases are consistent, each database might have to be 
+put in read-only mode while performing a slapcat. 
+- When using slapcat, the generated LDIF files can be rather large. This can 
+happen with a non-MirrorMode deployment also.
+
+For configuration, please see the {{SECT:MirrorMode}} section below
+
+
+H2: Configuring the different replication types
+
+H3: Syncrepl
+
+H4: Syncrepl configuration
+
 Because syncrepl is a consumer-side replication engine, the syncrepl
 specification is defined in {{slapd.conf}}(5) of the consumer
 server, not in the provider server's configuration file.  The initial
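Review bot: the worked numbers in the delta-syncrepl motivation do not add up: 100,000 objects of 1 KB each is 100 MB, not `1 GB`, so with 200 KB of real changes the redundant share is 99.8%, not 99.98% (either correct the total or make the objects 10 KB). In the same paragraphs `{B:both changed and unchanged attribute values}`, `{B:1 GB}` and `{B:200KB of changes! }` use single braces whereas the rest of the file uses `{{B:...}}` (compare `{{B:NOTHING}}` a few lines later), so they will not render as bold, and the line beginning " during replication" carries a leading space that will show in the output. Under "Arguments against MirrorMode", "therefor an external server (slapd in proxy mode) or device (hardware load balancer) to manage which master is currently active" lacks a verb: "therefore an external server ... is required to manage which master is currently active".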
@@ -597,46 +654,216 @@
 cookie stored in the consumer replica database.
 
 
-H2: N-Way Multi-Master
+H3: Delta-syncrepl
 
-Import and expand from link:
+H4: Delta-syncrepl Master configuration
 
-{{URL:http://blog.suretecsystems.com/archives/40-OpenLDAP-Weekly-News-Issue-5.html#extended}}
+Setting up delta-syncrepl requires configuration changes on both the master and 
+replica servers:
 
-H2: MirrorMode
+>     # Give the replica DN unlimited read access.  This ACL may need to be
+>     # merged with other ACL statements.
+>     
+>     access to *
+>        by dn.base="cn=replicator,dc=symas,dc=com" read
+>        by * break
+>     
+>     # Set the module path location
+>     modulepath /opt/symas/lib/openldap
+>     
+>     # Load the hdb backend
+>     moduleload back_hdb.la
+>     
+>     # Load the accesslog overlay
+>     moduleload accesslog.la
+>     
+>     #Load the syncprov overlay
+>     moduleload syncprov.la
+>     
+>     # Accesslog database definitions
+>     database hdb
+>     suffix cn=accesslog
+>     directory /db/accesslog
+>     rootdn cn=accesslog
+>     index default eq
+>     index entryCSN,objectClass,reqEnd,reqResult,reqStart
+>     
+>     overlay syncprov
+>     syncprov-nopresent TRUE
+>     syncprov-reloadhint TRUE
+>     
+>     # Let the replica DN have limitless searches
+>     limits dn.exact="cn=replicator,dc=symas,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
+>     
+>     # Primary database definitions
+>     database hdb
+>     suffix "dc=symas,dc=com"
+>     rootdn "cn=manager,dc=symas,dc=com"
+>     
+>     ## Whatever other configuration options are desired
+>     
+>     # syncprov specific indexing
+>     index entryCSN eq
+>     index entryUUID eq
+>     
+>     # syncrepl Provider for primary db
+>     overlay syncprov
+>     syncprov-checkpoint 1000 60
+>     
+>     # accesslog overlay definitions for primary db
+>     overlay accesslog
+>     logdb cn=accesslog
+>     logops writes
+>     logsuccess TRUE
+>     # scan the accesslog DB every day, and purge entries older than 7 days
+>     logpurge 07+00:00 01+00:00
+>     
+>     # Let the replica DN have limitless searches
+>     limits dn.exact="cn=replicator,dc=symas,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
 
-H3: Arguments for MirrorMode
+For more information, always consult the relevant man pages (slapo-accesslog and slapd.conf)
 
-* Provides a high-availability (HA) solution for directory writes (replicas handle reads)
-* As long as one Master is operational, writes can safely be accepted
-* Master nodes replicate from each other, so they are always up to date and
-can be ready to take over (hot standby)
-* Syncrepl also allows the master nodes to re-synchronize after any downtime
-* Delta-Syncrepl can be used
 
+H4: Delta-syncrepl Replica configuration
 
-H3: Arguments against MirrorMode
+>     # Primary replica database configuration
+>     database hdb
+>     suffix "dc=symas,dc=com"
+>     rootdn "cn=manager,dc=symas,dc=com"
+>     
+>     ## Whatever other configuration bits for the replica, like indexing
+>     ## that you want
+>     
+>     # syncrepl specific indices
+>     index entryUUID eq
+>     
+>     # syncrepl directives
+>     syncrepl  rid=0
+>               provider=ldap://ldapmaster.symas.com:389
+>               bindmethod=simple
+>               binddn="cn=replicator,dc=symas,dc=com"
+>               credentials=secret
+>               searchbase="dc=symas,dc=com"
+>               logbase="cn=accesslog"
+>               logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
+>               schemachecking=on
+>               type=refreshAndPersist
+>               retry="60 +"
+>               syncdata=accesslog
+>     
+>     # Refer updates to the master
+>     updateref               ldap://ldapmaster.symas.com
 
-* MirrorMode is not what is termed as a Multi-Master solution. This is because 
-writes have to go to one of the mirror nodes at a time
-* MirrorMode can be termed as Active-Active Hot-Standby, therefor an external 
-server (slapd in proxy mode) or device (hardware load balancer) to manage which 
-master is currently active
-* While syncrepl can recover from a completely empty database, slapadd is much 
-faster
-* Does not provide faster or more scalable write performance (neither could 
-  any Multi-Master solution)
-* Backups are managed slightly differently
-- If backing up the Berkeley database itself and periodically backing up the 
-transaction log files, then the same member of the mirror pair needs to be 
-used to collect logfiles until the next database backup is taken 
-- To ensure that both databases are consistent, each database might have to be 
-put in read-only mode while performing a slapcat. 
-- When using slapcat, the generated LDIF files can be rather large. This can 
-happen with a non-MirrorMode deployment also.
 
-H3: MirrorMode Configuration
+The above configuration assumes that you have a replicator identity defined 
+in your database that can be used to bind to the master with. In addition, 
+all of the databases (primary master, primary replica, and the accesslog 
+storage database) should also have properly tuned {{DB_CONFIG}} files that meet 
+your needs.
 
+
+H3: N-Way Multi-Master
+
+For the following example we will be using 3 Master nodes. Keeping in line with
+{{B:test050-syncrepl-multimaster}} of the OpenLDAP test suite, we will be configuring
+{{slapd(8)}} via {{B:cn=config}}
+
+This sets up the config database:
+
+>     dn: cn=config
+>     objectClass: olcGlobal
+>     cn: config
+>     olcServerID: 1
+>     
+>     dn: olcDatabase={0}config,cn=config
+>     objectClass: olcDatabaseConfig
+>     olcDatabase: {0}config
+>     olcRootPW: secret
+
+second and third servers will have a different olcServerID obviously:
+
+>     dn: cn=config
+>     objectClass: olcGlobal
+>     cn: config
+>     olcServerID: 2
+>     
+>     dn: olcDatabase={0}config,cn=config
+>     objectClass: olcDatabaseConfig
+>     olcDatabase: {0}config
+>     olcRootPW: secret
+
+This sets up syncrepl as a provider (since these are all masters):
+
+>     dn: cn=module,cn=config
+>     objectClass: olcModuleList
+>     cn: module
+>     olcModulePath: /usr/local/libexec/openldap
+>     olcModuleLoad: syncprov.la
+
+Now we setup the first Master Node (replace $URI1, $URI2 and $URI3 etc. with your actual ldap urls):
+
+>     dn: cn=config
+>     changetype: modify
+>     replace: olcServerID
+>     olcServerID: 1 $URI1
+>     olcServerID: 2 $URI2
+>     olcServerID: 3 $URI3
+>     
+>     dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
+>     changetype: add
+>     objectClass: olcOverlayConfig
+>     objectClass: olcSyncProvConfig
+>     olcOverlay: syncprov
+>     
+>     dn: olcDatabase={0}config,cn=config
+>     changetype: modify
+>     add: olcSyncRepl
+>     olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config" bindmethod=simple
+>       credentials=secret searchbase="cn=config" type=refreshAndPersist
+>       retry="5 5 300 5" timeout=1
+>     olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" bindmethod=simple
+>       credentials=secret searchbase="cn=config" type=refreshAndPersist
+>       retry="5 5 300 5" timeout=1
+>     olcSyncRepl: rid=003 provider=$URI3 binddn="cn=config" bindmethod=simple
+>       credentials=secret searchbase="cn=config" type=refreshAndPersist
+>       retry="5 5 300 5" timeout=1
+>     -
+>     add: olcMirrorMode
+>     olcMirrorMode: TRUE
+
+Now start up the Master and a consumer/s, also add the above LDIF to the first consumer, second consumer etc. It will then replicate {{B:cn=config}}. You now have N-Way Multimaster on the config database.
+
+We still have to replicate the actual data, not just the config, so add to the master (all active and configured consumers/masters will pull down this config, as they are all syncing). Also, replace all {{${}}} variables with whatever is applicable to your setup:
+
+>     dn: olcDatabase={1}$BACKEND,cn=config
+>     objectClass: olcDatabaseConfig
+>     objectClass: olc${BACKEND}Config
+>     olcDatabase: {1}$BACKEND
+>     olcSuffix: $BASEDN
+>     olcDbDirectory: ./db
+>     olcRootDN: $MANAGERDN
+>     olcRootPW: $PASSWD
+>     olcSyncRepl: rid=004 provider=$URI1 binddn="$MANAGERDN" bindmethod=simple
+>       credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
+>       interval=00:00:00:10 retry="5 5 300 5" timeout=1
+>     olcSyncRepl: rid=005 provider=$URI2 binddn="$MANAGERDN" bindmethod=simple
+>       credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
+>       interval=00:00:00:10 retry="5 5 300 5" timeout=1
+>     olcSyncRepl: rid=006 provider=$URI3 binddn="$MANAGERDN" bindmethod=simple
+>       credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
+>       interval=00:00:00:10 retry="5 5 300 5" timeout=1
+>     olcMirrorMode: TRUE
+>     
+>     dn: olcOverlay=syncprov,olcDatabase={1}${BACKEND},cn=config
+>     changetype: add
+>     objectClass: olcOverlayConfig
+>     objectClass: olcSyncProvConfig
+>     olcOverlay: syncprov
+
+Note: You must have all your server set to the same time via {{http://www.ntp.org/}}
+
+H3: MirrorMode
+
 MirrorMode configuration is actually very easy. If you have ever setup a normal
 slapd syncrepl provider, then the only change is the following two directives:
 
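Review bot: the N-Way Multi-Master example binds for replication as the config rootdn (`binddn="cn=config"` with `credentials=secret`, matching `olcRootPW: secret`) and as `$MANAGERDN` for the data database, with the password in cleartext in the LDIF and plain `ldap://` provider URIs; the paragraph just above says the setup assumes a replicator identity, so the example should bind as one with read access to the replicated base and, since a simple bind sends the password on the wire, mention TLS for the provider connection (an `ldaps://` URI or `starttls=critical` in the olcSyncRepl value). Replicating `olcDatabase={0}config` also copies `olcRootPW` to every node, so a compromised credential on one node is a credential for all of them; that deserves a sentence. Smaller points: "all your server set to the same time" should read "servers", the NTP link should use the guide's `{{URL:...}}` markup as the other hunks do, "second and third servers" starts a sentence in lowercase, and `olcDbDirectory: ./db` is a relative path that depends on the working directory slapd is started from.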
@@ -644,21 +871,35 @@
 >       serverID    1
 
 Note: You need to make sure that the {{serverID}} of each mirror node pair is 
-different and that the {{provider}} syncrepl directive points to the opposite 
-mirror node.
+different and add it as a global configuration option.
 
 H4: Mirror Node Configuration
 
-This is the same as the {{SECT:Set up the provider slapd}} section, reference
-{{SECT:delta-syncrepl replication}} if using {{delta-syncrepl}}.
+This is the same as the {{SECT:Set up the provider slapd}} section.
 
+Note: Delta-syncrepl is not yet supported with MirrorMode.
+
 Here's a specific cut down example using {{SECT:LDAP Sync Replication}} in
-{{refreshAndPersist}} mode ({{delta-syncrepl}} can be used also):
+{{refreshAndPersist}} mode:
 
 MirrorMode node 1:
 
+>       # Global section
+>       serverID    1
+>       # database section
+>       
 >       # syncrepl directives    
->       syncrepl      rid=1
+>       syncrepl      rid=001
+>                     provider=ldap://ldap-ridr1.example.com
+>                     bindmethod=simple
+>                     binddn="cn=mirrormode,dc=example,dc=com"
+>                     credentials=mirrormode
+>                     searchbase="dc=example,dc=com"
+>                     schemachecking=on
+>                     type=refreshAndPersist
+>                     retry="60 +"
+>
+>       syncrepl      rid=002
 >                     provider=ldap://ldap-rid2.example.com
 >                     bindmethod=simple
 >                     binddn="cn=mirrormode,dc=example,dc=com"
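Review bot: the provider host `ldap://ldap-ridr1.example.com` for `rid=001` looks like a typo for `ldap-rid1.example.com`, given the `ldap-rid2.example.com` naming of `rid=002` and the `ldap-rid1.example.com` the old node 2 block pointed to; anyone copying the example gets an unresolvable host. The new note that {{serverID}} is a global option and the note that delta-syncrepl is not yet supported with MirrorMode are welcome, but the {{SECT:Normal Consumer Configuration}} section below still offers delta-syncrepl for consumers; one clause saying the restriction applies to the mirror pair only, not to downstream consumers, would prevent readers reading it as a blanket restriction.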
@@ -669,13 +910,16 @@
 >                     retry="60 +"
 >       
 >       mirrormode on
->       serverID    1
 
 MirrorMode node 2:
 
+>       # Global section
+>       serverID    2
+>       # database section
+>       
 >       # syncrepl directives
->       syncrepl      rid=1
->                     provider=ldap://ldap-rid1.example.com
+>       syncrepl      rid=001
+>                     provider=ldap://ldap-ridr1.example.com
 >                     bindmethod=simple
 >                     binddn="cn=mirrormode,dc=example,dc=com"
 >                     credentials=mirrormode
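Review bot: the same `ldap-ridr1.example.com` typo recurs in the node 2 block, where the removed line read `ldap-rid1.example.com`; the two nodes' provider lists should be identical, as the summary sentence below promises, so fix both to the same hostname.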
@@ -683,15 +927,23 @@
 >                     schemachecking=on
 >                     type=refreshAndPersist
 >                     retry="60 +"
+>
+>       syncrepl      rid=002
+>                     provider=ldap://ldap-rid2.example.com
+>                     bindmethod=simple
+>                     binddn="cn=mirrormode,dc=example,dc=com"
+>                     credentials=mirrormode
+>                     searchbase="dc=example,dc=com"
+>                     schemachecking=on
+>                     type=refreshAndPersist
+>                     retry="60 +"
 >       
 >       mirrormode on
->       serverID    2
 
 It's simple really; each MirrorMode node is setup {{B:exactly}} the same, except
-that the {{B:provider}} directive is set to point to the other MirrorMode node
-and the {{serverID}} is unique.
+that the {{serverID}} is unique.
 
-H4: Failover Configuration
+H5: Failover Configuration
 
 There are generally 2 choices for this; 1.  Hardware proxies/load-balancing or 
 dedicated proxy software, 2. using a Back-LDAP proxy as a syncrepl provider
@@ -701,13 +953,13 @@
 !import "dual_dc.png"; align="center"; title="MirrorMode Enterprise Configuration"
 FT[align="Center"] Figure X.Y: MirrorMode in a Dual Data Center Configuration
 
-H4: Normal Consumer Configuration
+H5: Normal Consumer Configuration
 
 This is exactly the same as the {{SECT:Set up the consumer slapd}} section. It
 can either setup in normal {{SECT:syncrepl replication}} mode, or in 
 {{SECT:delta-syncrepl replication}} mode.
 
-H3: MirrorMode Summary
+H4: MirrorMode Summary
 
 Hopefully you will now have a directory architecture that provides all of the 
 consistency guarantees of single-master replication, whilst also providing the 

Modified: openldap/trunk/doc/guide/admin/runningslapd.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/runningslapd.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/runningslapd.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/runningslapd.sdf,v 1.16.2.4 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/runningslapd.sdf,v 1.16.2.5 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 H1: Running slapd
 

Modified: openldap/trunk/doc/guide/admin/sasl.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/sasl.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/sasl.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/sasl.sdf,v 1.34.2.6 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/sasl.sdf,v 1.34.2.7 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Using SASL

Modified: openldap/trunk/doc/guide/admin/schema.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/schema.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/schema.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/schema.sdf,v 1.41.2.5 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/schema.sdf,v 1.41.2.6 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Schema Specification

Modified: openldap/trunk/doc/guide/admin/security.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/security.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/security.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/security.sdf,v 1.16.2.5 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/security.sdf,v 1.16.2.6 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Security Considerations

Copied: openldap/trunk/doc/guide/admin/set-following-references.png (from rev 1127, openldap/vendor/openldap-2.4.9/doc/guide/admin/set-following-references.png)
===================================================================
(Binary files differ)

Copied: openldap/trunk/doc/guide/admin/set-memberUid.png (from rev 1127, openldap/vendor/openldap-2.4.9/doc/guide/admin/set-memberUid.png)
===================================================================
(Binary files differ)

Copied: openldap/trunk/doc/guide/admin/set-recursivegroup.png (from rev 1127, openldap/vendor/openldap-2.4.9/doc/guide/admin/set-recursivegroup.png)
===================================================================
(Binary files differ)

Modified: openldap/trunk/doc/guide/admin/slapdconf2.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/slapdconf2.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/slapdconf2.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/slapdconf2.sdf,v 1.20.2.9 2007/11/27 20:31:23 quanah Exp $
-# Copyright 2005-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/slapdconf2.sdf,v 1.20.2.12 2008/04/14 22:37:01 quanah Exp $
+# Copyright 2005-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Configuring slapd
@@ -399,8 +399,7 @@
 This directive grants access (specified by <accesslevel>) to a
 set of entries and/or attributes (specified by <what>) by one or
 more requestors (specified by <who>).
-See the {{SECT:Access Control}} section of this chapter for a
-summary of basic usage.
+See the {{SECT:Access Control}} section of this guide for basic usage.
 
 !if 0
 More detailed discussion of this directive can be found in the
@@ -777,7 +776,8 @@
 checkpointed and they are no longer needed. Without this setting the
 transaction log files will continue to accumulate until some other
 cleanup procedure removes them. See the Berkeley DB documentation for the
-{{EX:db_archive}} command for details.
+{{EX:db_archive}} command for details. For a complete list of Berkeley DB 
+flags please see - {{URL:http://www.oracle.com/technology/documentation/berkeley-db/db/api_c/env_set_flags.html}}
 
 Ideally the BDB cache must be
 at least as large as the working set of the database, the log buffer size
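Review bot: style: the added sentence "For a complete list of Berkeley DB flags please see - {{URL:...}}" carries a stray dash before the link and trailing whitespace after "Berkeley DB "; suggest "For a complete list of Berkeley DB flags, see {{URL:http://www.oracle.com/technology/documentation/berkeley-db/db/api_c/env_set_flags.html}}." so it reads like the other cross-references in this file.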
@@ -946,534 +946,3 @@
 >olcDbConfig: set_flags DB_LOG_AUTOREMOVE
 >olcDbIDLcacheSize: 3000
 >olcDbIndex: objectClass eq
-
-
-H2: Access Control
-
-Access to slapd entries and attributes is controlled by the
-olcAccess attribute, whose values are a sequence of access directives.
-The general form of the olcAccess configuration is:
-
->	olcAccess: <access directive>
->	<access directive> ::= to <what>
->		[by <who> [<access>] [<control>] ]+
->	<what> ::= * |
->		[dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
->		[filter=<ldapfilter>] [attrs=<attrlist>]
->	<basic-style> ::= regex | exact
->	<scope-style> ::= base | one | subtree | children
->	<attrlist> ::= <attr> [val[.<basic-style>]=<regex>] | <attr> , <attrlist>
->	<attr> ::= <attrname> | entry | children
->	<who> ::= * | [anonymous | users | self
->			| dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>] 
->		[dnattr=<attrname>]
->		[group[/<objectclass>[/<attrname>][.<basic-style>]]=<regex>]
->		[peername[.<basic-style>]=<regex>]
->		[sockname[.<basic-style>]=<regex>]
->		[domain[.<basic-style>]=<regex>]
->		[sockurl[.<basic-style>]=<regex>]
->		[set=<setspec>]
->		[aci=<attrname>]
->	<access> ::= [self]{<level>|<priv>}
->	<level> ::= none | disclose | auth | compare | search | read | write | manage
->	<priv> ::= {=|+|-}{m|w|r|s|c|x|d|0}+
->	<control> ::= [stop | continue | break]
-
-where the <what> part selects the entries and/or attributes to which
-the access applies, the {{EX:<who>}} part specifies which entities
-are granted access, and the {{EX:<access>}} part specifies the
-access granted. Multiple {{EX:<who> <access> <control>}} triplets
-are supported, allowing many entities to be granted different access
-to the same set of entries and attributes. Not all of these access
-control options are described here; for more details see the
-{{slapd.access}}(5) man page.
-
-
-H3: What to control access to
-
-The <what> part of an access specification determines the entries
-and attributes to which the access control applies.  Entries are
-commonly selected in two ways: by DN and by filter.  The following
-qualifiers select entries by DN:
-
->	to *
->	to dn[.<basic-style>]=<regex>
->	to dn.<scope-style>=<DN>
-
-The first form is used to select all entries.  The second form may
-be used to select entries by matching a regular expression against
-the target entry's {{normalized DN}}.   (The second form is not
-discussed further in this document.)  The third form is used to
-select entries which are within the requested scope of DN.  The
-<DN> is a string representation of the Distinguished Name, as
-described in {{REF:RFC4514}}.
-
-The scope can be either {{EX:base}}, {{EX:one}}, {{EX:subtree}},
-or {{EX:children}}.  Where {{EX:base}} matches only the entry with
-provided DN, {{EX:one}} matches the entries whose parent is the
-provided DN, {{EX:subtree}} matches all entries in the subtree whose
-root is the provided DN, and {{EX:children}} matches all entries
-under the DN (but not the entry named by the DN).
-
-For example, if the directory contained entries named:
-
->	0: o=suffix
->	1: cn=Manager,o=suffix
->	2: ou=people,o=suffix
->	3: uid=kdz,ou=people,o=suffix
->	4: cn=addresses,uid=kdz,ou=people,o=suffix
->	5: uid=hyc,ou=people,o=suffix
-
-\Then:
-. {{EX:dn.base="ou=people,o=suffix"}} match 2;
-. {{EX:dn.one="ou=people,o=suffix"}} match 3, and 5;
-. {{EX:dn.subtree="ou=people,o=suffix"}} match 2, 3, 4, and 5; and
-. {{EX:dn.children="ou=people,o=suffix"}} match 3, 4, and 5.
-
-
-Entries may also be selected using a filter:
-
->	to filter=<ldap filter>
-
-where <ldap filter> is a string representation of an LDAP
-search filter, as described in {{REF:RFC4515}}.  For example:
-
->	to filter=(objectClass=person)
-
-Note that entries may be selected by both DN and filter by
-including both qualifiers in the <what> clause.
-
->	to dn.one="ou=people,o=suffix" filter=(objectClass=person)
-
-Attributes within an entry are selected by including a comma-separated
-list of attribute names in the <what> selector:
-
->	attrs=<attribute list>
-
-A specific value of an attribute is selected by using a single
-attribute name and also using a value selector:
-
->	attrs=<attribute> val[.<style>]=<regex>
-
-There are two special {{pseudo}} attributes {{EX:entry}} and
-{{EX:children}}.  To read (and hence return) a target entry, the
-subject must have {{EX:read}} access to the target's {{entry}}
-attribute.  To add or delete an entry, the subject must have
-{{EX:write}} access to the entry's {{EX:entry}} attribute AND must
-have {{EX:write}} access to the entry's parent's {{EX:children}}
-attribute.  To rename an entry, the subject must have {{EX:write}}
-access to entry's {{EX:entry}} attribute AND have {{EX:write}}
-access to both the old parent's and new parent's {{EX:children}}
-attributes.  The complete examples at the end of this section should
-help clear things up.
-
-Lastly, there is a special entry selector {{EX:"*"}} that is used to
-select any entry.  It is used when no other {{EX:<what>}}
-selector has been provided.  It's equivalent to "{{EX:dn=.*}}"
-
-
-H3: Who to grant access to
-
-The <who> part identifies the entity or entities being granted
-access. Note that access is granted to "entities" not "entries."
-The following table summarizes entity specifiers:
-
-!block table; align=Center; coltags="EX,N"; \
-	title="Table 5.3: Access Entity Specifiers"
-Specifier|Entities
-*|All, including anonymous and authenticated users
-anonymous|Anonymous (non-authenticated) users
-users|Authenticated users
-self|User associated with target entry
-dn[.<basic-style>]=<regex>|Users matching a regular expression
-dn.<scope-style>=<DN>|Users within scope of a DN
-!endblock
-
-The DN specifier behaves much like <what> clause DN specifiers.
-
-Other control factors are also supported.  For example, a {{EX:<who>}}
-can be restricted by an entry listed in a DN-valued attribute in
-the entry to which the access applies:
-
->	dnattr=<dn-valued attribute name>
-
-The dnattr specification is used to give access to an entry
-whose DN is listed in an attribute of the entry (e.g., give
-access to a group entry to whoever is listed as the owner of
-the group entry).
-
-Some factors may not be appropriate in all environments (or any).
-For example, the domain factor relies on IP to domain name lookups.
-As these can easily be spoofed, the domain factor should be avoided.
-
-
-H3: The access to grant
-
-The kind of <access> granted can be one of the following:
-
-!block table; colaligns="LRL"; coltags="EX,EX,N"; align=Center; \
-	title="Table 5.4: Access Levels"
-Level		Privileges	Description
-none		=0			no access
-disclose	=d			needed for information disclosure on error
-auth		=dx			needed to authenticate (bind)
-compare		=cdx		needed to compare
-search		=scdx		needed to apply search filters
-read		=rscdx		needed to read search results
-write		=wrscdx		needed to modify/rename
-manage		=mwrscdx	needed to manage
-!endblock
-
-Each level implies all lower levels of access. So, for example,
-granting someone {{EX:write}} access to an entry also grants them
-{{EX:read}}, {{EX:search}}, {{EX:compare}}, {{EX:auth}} and
-{{EX:disclose}} access.  However, one may use the privileges specifier
-to grant specific permissions.
-
-
-H3: Access Control Evaluation
-
-When evaluating whether some requester should be given access to
-an entry and/or attribute, slapd compares the entry and/or attribute
-to the {{EX:<what>}} selectors given in the configuration.  For
-each entry, access controls provided in the database which holds
-the entry (or the first database if not held in any database) apply
-first, followed by the global access directives (which are held in
-the {{EX:frontend}} database definition).  Within this priority,
-access directives are examined in the order in which they appear
-in the configuration attribute.  Slapd stops with the first
-{{EX:<what>}} selector that matches the entry and/or attribute. The
-corresponding access directive is the one slapd will use to evaluate
-access.
-
-Next, slapd compares the entity requesting access to the {{EX:<who>}}
-selectors within the access directive selected above in the order
-in which they appear. It stops with the first {{EX:<who>}} selector
-that matches the requester. This determines the access the entity
-requesting access has to the entry and/or attribute.
-
-Finally, slapd compares the access granted in the selected
-{{EX:<access>}} clause to the access requested by the client. If
-it allows greater or equal access, access is granted. Otherwise,
-access is denied.
-
-The order of evaluation of access directives makes their placement
-in the configuration file important. If one access directive is
-more specific than another in terms of the entries it selects, it
-should appear first in the configuration. Similarly, if one {{EX:<who>}}
-selector is more specific than another it should come first in the
-access directive. The access control examples given below should
-help make this clear.
-
-
-
-H3: Access Control Examples
-
-The access control facility described above is quite powerful.  This
-section shows some examples of its use for descriptive purposes.
-
-A simple example:
-
->	olcAccess: to * by * read
-
-This access directive grants read access to everyone.
-
->	olcAccess: to *
->		by self write
->		by anonymous auth
->		by * read
-
-This directive allows the user to modify their entry, allows anonymous
-to authenticate against these entries, and allows all others to
-read these entries.  Note that only the first {{EX:by <who>}} clause
-which matches applies.  Hence, the anonymous users are granted
-{{EX:auth}}, not {{EX:read}}.  The last clause could just as well
-have been "{{EX:by users read}}".
-
-It is often desirable to restrict operations based upon the level
-of protection in place.  The following shows how security strength
-factors (SSF) can be used.
-
->	olcAccess: to *
->		by ssf=128 self write
->		by ssf=64 anonymous auth
->		by ssf=64 users read
-
-This directive allows users to modify their own entries if security
-protections of strength 128 or better have been established,
-allows authentication access to anonymous users, and read access
-when strength 64 or better security protections have been established.  If
-the client has not establish sufficient security protections, the
-implicit {{EX:by * none}} clause would be applied.
-
-The following example shows the use of style specifiers to select
-the entries by DN in two access directives where ordering is
-significant.
-
->	olcAccess: to dn.children="dc=example,dc=com"
-> 		by * search
->	olcAccess: to dn.children="dc=com"
-> 		by * read
-
-Read access is granted to entries under the {{EX:dc=com}} subtree,
-except for those entries under the {{EX:dc=example,dc=com}} subtree,
-to which search access is granted.  No access is granted to
-{{EX:dc=com}} as neither access directive matches this DN.  If the
-order of these access directives was reversed, the trailing directive
-would never be reached, since all entries under {{EX:dc=example,dc=com}}
-are also under {{EX:dc=com}} entries.
-
-Also note that if no {{EX:olcAccess: to}} directive matches or no {{EX:by
-<who>}} clause, {{B:access is denied}}.  That is, every {{EX:olcAccess:
-to}} directive ends with an implicit {{EX:by * none}} clause and
-every access list ends with an implicit {{EX:olcAccess: to * by * none}}
-directive.
-
-The next example again shows the importance of ordering, both of
-the access directives and the {{EX:by <who>}} clauses.  It also
-shows the use of an attribute selector to grant access to a specific
-attribute and various {{EX:<who>}} selectors.
-
->	olcAccess: to dn.subtree="dc=example,dc=com" attrs=homePhone
->		by self write
->		by dn.children=dc=example,dc=com" search
->		by peername.regex=IP:10\..+ read
->	olcAccess: to dn.subtree="dc=example,dc=com"
->		by self write
->		by dn.children="dc=example,dc=com" search
->		by anonymous auth
-
-This example applies to entries in the "{{EX:dc=example,dc=com}}"
-subtree. To all attributes except {{EX:homePhone}}, an entry can
-write to itself, entries under {{EX:example.com}} entries can search
-by them, anybody else has no access (implicit {{EX:by * none}})
-excepting for authentication/authorization (which is always done
-anonymously).  The {{EX:homePhone}} attribute is writable by the
-entry, searchable by entries under {{EX:example.com}}, readable by
-clients connecting from network 10, and otherwise not readable
-(implicit {{EX:by * none}}).  All other access is denied by the
-implicit {{EX:access to * by * none}}.
-
-Sometimes it is useful to permit a particular DN to add or
-remove itself from an attribute. For example, if you would like to
-create a group and allow people to add and remove only
-their own DN from the member attribute, you could accomplish
-it with an access directive like this:
-
->	olcAccess: to attrs=member,entry
-> 		by dnattr=member selfwrite
-
-The dnattr {{EX:<who>}} selector says that the access applies to
-entries listed in the {{EX:member}} attribute. The {{EX:selfwrite}} access
-selector says that such members can only add or delete their
-own DN from the attribute, not other values. The addition of
-the entry attribute is required because access to the entry is
-required to access any of the entry's attributes.
-
-
-
-H3: Access Control Ordering
-
-Since the ordering of {{EX:olcAccess}} directives is essential to their
-proper evaluation, but LDAP attributes normally do not preserve the
-ordering of their values, OpenLDAP uses a custom schema extension to
-maintain a fixed ordering of these values. This ordering is maintained
-by prepending a {{EX:"{X}"}} numeric index to each value, similarly to
-the approach used for ordering the configuration entries. These index
-tags are maintained automatically by slapd and do not need to be specified
-when originally defining the values. For example, when you create the
-settings
-
->	olcAccess: to attrs=member,entry
-> 		by dnattr=member selfwrite
->	olcAccess: to dn.children="dc=example,dc=com"
-> 		by * search
->	olcAccess: to dn.children="dc=com"
-> 		by * read
-
-when you read them back using slapcat or ldapsearch they will contain
-
->	olcAccess: {0}to attrs=member,entry
-> 		by dnattr=member selfwrite
->	olcAccess: {1}to dn.children="dc=example,dc=com"
-> 		by * search
->	olcAccess: {2}to dn.children="dc=com"
-> 		by * read
-
-The numeric index may be used to specify a particular value to change
-when using ldapmodify to edit the access rules. This index can be used
-instead of (or in addition to) the actual access value. Using this 
-numeric index is very helpful when multiple access rules are being managed.
-
-For example, if we needed to change the second rule above to grant
-write access instead of search, we could try this LDIF:
-
->	changetype: modify
->	delete: olcAccess
->	olcAccess: to dn.children="dc=example,dc=com" by * search
->	-
->	add: olcAccess
->	olcAccess: to dn.children="dc=example,dc=com" by * write
->	-
-
-But this example {{B:will not}} guarantee that the existing values remain in
-their original order, so it will most likely yield a broken security
-configuration. Instead, the numeric index should be used:
-
->	changetype: modify
->	delete: olcAccess
->	olcAccess: {1}
->	-
->	add: olcAccess
->	olcAccess: {1}to dn.children="dc=example,dc=com" by * write
->	-
-
-This example deletes whatever rule is in value #1 of the {{EX:olcAccess}}
-attribute (regardless of its value) and adds a new value that is
-explicitly inserted as value #1. The result will be
-
->	olcAccess: {0}to attrs=member,entry
-> 		by dnattr=member selfwrite
->	olcAccess: {1}to dn.children="dc=example,dc=com"
-> 		by * write
->	olcAccess: {2}to dn.children="dc=com"
-> 		by * read
-
-which is exactly what was intended.
-
-!if 0
-For more details on how to use the {{EX:access}} directive,
-consult the {{Advanced Access Control}} chapter.
-!endif
-
-
-H2: Configuration Example
-
-The following is an example configuration, interspersed
-with explanatory text. It defines two databases to handle
-different parts of the {{TERM:X.500}} tree; both are {{TERM:BDB}}
-database instances. The line numbers shown are provided for
-reference only and are not included in the actual file. First, the
-global configuration section:
-
-E:  1.	# example config file - global configuration entry
-E:  2.	dn: cn=config
-E:  3.	objectClass: olcGlobal
-E:  4.	cn: config
-E:  5.	olcReferral: ldap://root.openldap.org
-E:  6.	
-
-Line 1 is a comment. Lines 2-4 identify this as the global
-configuration entry.
-The {{EX:olcReferral:}} directive on line 5
-means that queries not local to one of the databases defined
-below will be referred to the LDAP server running on the
-standard port (389) at the host {{EX:root.openldap.org}}.
-Line 6 is a blank line, indicating the end of this entry.
-
-E:  7.	# internal schema
-E:  8.	dn: cn=schema,cn=config
-E:  9.	objectClass: olcSchemaConfig
-E: 10.	cn: schema
-E: 11.	
-
-Line 7 is a comment. Lines 8-10 identify this as the root of
-the schema subtree. The actual schema definitions in this entry
-are hardcoded into slapd so no additional attributes are specified here.
-