Dear All,
We all know the docs' weaknesses. I've started this to try and address them, as more and more people are using our docs as an excuse not to use OpenLDAP. We all know that is wrong, but my goal is to equal or surpass the quality of the software with the docs.
Details:
Changes:
* Deeper TOC
* When to use LDAP and the age-old question of LDAP vs RDBMS
* Incorporated many FAQ-O-MATIC topics (for above also)
* Answers to common mailing list topics and IRC #ldap topics
* Generic TLS Cert Generation Methods
== Maybe create an Advanced section for below? (currently in same heading level as the rest) ==
* Included all Overlays and Backends
* More Replication discussions/strategies, including N-Way MultiMaster and MirrorMode (no sublevels yet)
* Re-ordered layout
* New sections: Maintenance, Tuning, Troubleshooting and Example Configuration Files in the Appendix (light on sub-levels).
This is obviously just the start, but a good place to be in I think. It's a lot easier to write pieces once we have a topic list to tick off.
Feel free to chop and change ordering etc. It's a start.
Now we need to delegate! ;-)
New version:
Table of Contents
Preface
1. Introduction to OpenLDAP Directory Services
   1.1. What is a directory service?
   1.2. What is LDAP?
   1.3. How does LDAP work?
   1.4. What about X.500?
   1.5. What is the difference between LDAPv2 and LDAPv3?
   1.6. When should I use LDAP?
   1.7. When should I not use LDAP?
   1.8. LDAP vs RDBMS
   1.9. What is slapd and what can it do?
2. A Quick-Start Guide
3. The Big Picture - Configuration Choices
   3.1. Local Directory Service
   3.2. Local Directory Service with Referrals
   3.3. Replicated Directory Service
   3.4. Distributed Local Directory Service
4. Building and Installing OpenLDAP Software
   4.1. Obtaining and Extracting the Software
   4.2. Prerequisite software
        4.2.1. Transport Layer Security
        4.2.2. Simple Authentication and Security Layer
        4.2.3. Kerberos Authentication Service
        4.2.4. Database Software
        4.2.5. Threads
        4.2.6. TCP Wrappers
   4.3. Running configure
   4.4. Building the Software
   4.5. Testing the Software
   4.6. Installing the Software
5. Configuring slapd
   5.1. Configuration Layout
   5.2. Configuration Directives
        5.2.1. cn=config
        5.2.2. cn=include
        5.2.3. cn=module
        5.2.4. cn=schema
        5.2.5. Backend-specific Directives
        5.2.6. Database-specific Directives
        5.2.7. BDB and HDB Database Directives
   5.3. Access Control
        5.3.1. What to control access to
        5.3.2. Who to grant access to
        5.3.3. The access to grant
        5.3.4. Access Control Evaluation
        5.3.5. Access Control Examples
        5.3.6. Access Control Ordering
   5.4. Configuration Example
6. The slapd Configuration File
   6.1. Configuration File Format
   6.2. Configuration File Directives
        6.2.1. Global Directives
        6.2.2. General Backend Directives
        6.2.3. General Database Directives
        6.2.4. BDB and HDB Database Directives
   6.3. The access Configuration Directive
        6.3.1. What to control access to
        6.3.2. Who to grant access to
        6.3.3. The access to grant
        6.3.4. Access Control Evaluation
        6.3.5. Access Control Examples
   6.4. Configuration File Example
7. Running slapd
   7.1. Command-Line Options
   7.2. Starting slapd
   7.3. Stopping slapd
8. Database Creation and Maintenance Tools
   8.1. Creating a database over LDAP
   8.2. Creating a database off-line
        8.2.1. The slapadd program
        8.2.2. The slapindex program
        8.2.3. The slapcat program
   8.3. The LDIF text entry format
9. Backends
   9.1. Berkeley DB backends
        9.1.1. Overview
        9.1.2. back-bdb/back-hdb Configuration
        9.1.3. Further Information
   9.2. LDAP
        9.2.1. Overview
        9.2.2. back-ldap Configuration
        9.2.3. Further Information
   9.3. LDIF
        9.3.1. Overview
        9.3.2. back-ldif Configuration
        9.3.3. Further Information
   9.4. Metadirectory
        9.4.1. Overview
        9.4.2. back-meta Configuration
        9.4.3. Further Information
   9.5. Monitor
        9.5.1. Overview
        9.5.2. back-monitor Configuration
        9.5.3. Further Information
   9.6. Relay
        9.6.1. Overview
        9.6.2. back-relay Configuration
        9.6.3. Further Information
   9.7. Perl/Shell
        9.7.1. Overview
        9.7.2. back-perl/back-shell Configuration
        9.7.3. Further Information
   9.8. SQL
        9.8.1. Overview
        9.8.2. back-sql Configuration
        9.8.3. Further Information
   9.9. Scenarios
10. Overlays
   10.1. Access Logging
        10.1.1. Overview
        10.1.2. Access Logging Configuration
   10.2. Audit Logging
        10.2.1. Overview
        10.2.2. Audit Logging Configuration
   10.3. Constraints
        10.3.1. Overview
        10.3.2. Constraint Configuration
   10.4. Dynamic Directory Services
        10.4.1. Overview
        10.4.2. Dynamic Directory Service Configuration
   10.5. Dynamic Groups
        10.5.1. Overview
        10.5.2. Dynamic Group Configuration
   10.6. Dynamic Lists
        10.6.1. Overview
        10.6.2. Dynamic List Configuration
   10.7. The Proxy Cache Engine
        10.7.1. Overview
        10.7.2. Proxy Cache Configuration
             10.7.2.1. Setting cache parameters
             10.7.2.2. Defining attribute sets
             10.7.2.3. Specifying cacheable templates
             10.7.2.4. Example
   10.8. Password Policies
        10.8.1. Overview
        10.8.2. Password Policy Configuration
   10.9. Referential Integrity
        10.9.1. Overview
        10.9.2. Referential Integrity Configuration
   10.10. Return Code
        10.10.1. Overview
        10.10.2. Return Code Configuration
   10.11. Rewrite/Remap
        10.11.1. Overview
        10.11.2. Rewrite/Remap Configuration
   10.12. Sync Provider
        10.12.1. Overview
        10.12.2. Sync Provider Configuration
   10.13. Translucent Proxy
        10.13.1. Overview
        10.13.2. Translucent Proxy Configuration
   10.14. Attribute Uniqueness
        10.14.1. Overview
        10.14.2. Attribute Uniqueness Configuration
   10.15. Value Sorting
        10.15.1. Overview
        10.15.2. Value Sorting Configuration
   10.16. Overlay Stacking
        10.16.1. Overview
        10.16.2. Example Scenarios
11. Schema Specification
   11.1. Distributed Schema Files
   11.2. Extending Schema
        11.2.1. Object Identifiers
        11.2.2. Naming Elements
        11.2.3. Local schema file
        11.2.4. Attribute Type Specification
        11.2.5. Object Class Specification
        11.2.6. OID Macros
12. Security Considerations
   12.1. Network Security
        12.1.1. Selective Listening
        12.1.2. IP Firewall
        12.1.3. TCP Wrappers
   12.2. Data Integrity and Confidentiality Protection
        12.2.1. Security Strength Factors
   12.3. Authentication Methods
        12.3.1. "simple" method
        12.3.2. SASL method
13. Using SASL
   13.1. SASL Security Considerations
   13.2. SASL Authentication
        13.2.1. GSSAPI
        13.2.2. KERBEROS_V4
        13.2.3. DIGEST-MD5
        13.2.4. Mapping Authentication Identities
        13.2.5. Direct Mapping
        13.2.6. Search-based mappings
   13.3. SASL Proxy Authorization
        13.3.1. Uses of Proxy Authorization
        13.3.2. SASL Authorization Identities
        13.3.3. Proxy Authorization Rules
14. Using TLS
   14.1. TLS Certificates
        14.1.1. Generic Certificate Generation Methods
        14.1.2. Server Certificates
        14.1.3. Client Certificates
   14.2. TLS Configuration
        14.2.1. Server Configuration
        14.2.2. Client Configuration
15. Constructing a Distributed Directory Service
   15.1. Subordinate Knowledge Information
   15.2. Superior Knowledge Information
   15.3. The ManageDsaIT Control
16. Replication
   16.1. Replication Strategies
   16.2. Replication types
        16.2.1. slurpd replication
        16.2.2. syncrepl replication
        16.2.3. delta-syncrepl replication
        16.2.4. N-Way Multi-Master
        16.2.5. MirrorMode
   16.3. Replication with Slurpd
        16.3.1. Overview
        16.3.2. Replication Logs
        16.3.3. Command-Line Options
        16.3.4. Configuring slurpd and a slave slapd instance
             16.3.4.1. Set up the master slapd
             16.3.4.2. Set up the slave slapd
             16.3.4.3. Shut down the master server
             16.3.4.4. Copy the master slapd's database to the slave
             16.3.4.5. Configure the master slapd for replication
             16.3.4.6. Restart the master slapd and start the slave slapd
             16.3.4.7. Start slurpd
        16.3.5. Advanced slurpd Operation
             16.3.5.1. Replication errors
             16.3.5.2. One-shot mode and reject files
   16.4. LDAP Sync Replication
        16.4.1. The LDAP Content Synchronization Protocol
        16.4.2. Syncrepl Details
        16.4.3. Configuring Syncrepl
             16.4.3.1. Set up the provider slapd
             16.4.3.2. Set up the consumer slapd
             16.4.3.3. Start the provider and the consumer slapd
             16.4.3.4. Delta SyncRepl Replication Configuration
   16.5. N-Way Multi-Master
   16.6. MirrorMode
17. Maintenance
   17.1. Directory Backups
   17.2. Berkeley DB Logs
   17.3. Checkpointing
18. Monitoring
   18.1. Monitor configuration via cn=config(5)
   18.2. Monitor configuration via slapd.conf(5)
   18.3. Accessing Monitoring Information
   18.4. Monitor Information
        18.4.1. Backends
        18.4.2. Connections
        18.4.3. Databases
        18.4.4. Listener
        18.4.5. Log
        18.4.6. Operations
        18.4.7. Overlays
        18.4.8. SASL
        18.4.9. Statistics
        18.4.10. Threads
        18.4.11. Time
        18.4.12. TLS
        18.4.13. Waiters
19. Tuning
   19.1. Performance Factors
        19.1.1. Memory
        19.1.2. Disks
        19.1.3. Network Topology
        19.1.4. Directory Layout Design
        19.1.5. Expected Usage
   19.2. Indexes
   19.3. Tuning Logging
   19.4. BDB/HDB database cache size
20. Troubleshooting
   20.1. Checklist
   20.2. User or Software errors?
   20.3. How to contact the OpenLDAP project
   20.4. How to present your problem
   20.5. Commercial Support
A. Configuration File Examples
   A.1. slapd.conf
   A.2. ldap.conf
   A.3. a-n-other
B. Glossary
   B.1. Terms
   B.2. Related Organizations
   B.3. Related Products
   B.4. References
C. Generic configure Instructions
D. OpenLDAP Software Copyright Notices
   D.1. OpenLDAP Copyright Notice
   D.2. Additional Copyright Notice
   D.3. University of Michigan Copyright Notice
R. OpenLDAP Public License
Thanks,
Gavin.
I forgot a debugging slapd section in Troubleshooting and a Migration section for moving from slapd.conf to slapd.d dirs etc.
Gavin.
--
Kind Regards,

Gavin Henry. Managing Director.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry@suretecsystems.com

Open Source. Open Solutions(tm).