The following is an example configuration, interspersed with explanatory text. It defines two databases to handle different parts of the X.500 tree; both are BDB database instances. The line numbers shown are provided for reference only and are not included in the actual file. First, the global configuration section:
1. # example config file - global configuration entry
2. dn: cn=config
3. objectClass: olcGlobal
4. cn: config
5. olcReferral: ldap://root.openldap.org
Line 1 is a comment. Lines 2-4 identify this as the global configuration entry. The olcReferral: directive on line 5 means that queries not local to one of the databases defined below will be referred to the LDAP server running on the standard port (389) at the host root.openldap.org. Line 6 is a blank line, indicating the end of this entry.
7. # internal schema
8. dn: cn=schema,cn=config
9. objectClass: olcSchemaConfig
10. cn: schema
Line 7 is a comment. Lines 8-10 identify this as the root of the schema subtree. The actual schema definitions in this entry are hardcoded into slapd so no additional attributes are specified here. Line 11 is a blank line, indicating the end of this entry.
12. # include the core schema
13. include: file:///usr/local/etc/openldap/schema/core.ldif
Line 12 is a comment. Line 13 is an LDIF include directive which accesses the core schema definitions in LDIF format. Line 14 is a blank line.
Next comes the database definitions. The first database is the special frontend database whose settings are applied globally to all the other databases.
15. # global database parameters
16. dn: olcDatabase=frontend,cn=config
17. objectClass: olcDatabaseConfig
18. olcDatabase: frontend
19. olcAccess: to * by * read
Line 15 is a comment. Lines 16-18 identify this entry as the global database entry. Line 19 is a global access control. It applies to all entries (after any applicable database-specific access controls).
The next entry defines a BDB backend that will handle queries for things in the "dc=example,dc=com" portion of the tree. Indices are to be maintained for several attributes, and the userPassword attribute is to be protected from unauthorized access.
21. # BDB definition for example.com
22. dn: olcDatabase=bdb,cn=config
23. objectClass: olcDatabaseConfig
24. objectClass: olcBdbConfig
25. olcDatabase: bdb
26. olcSuffix: "dc=example,dc=com"
27. olcDbDirectory: /usr/local/var/openldap-data
28. olcRootDN: "cn=Manager,dc=example,dc=com"
29. olcRootPW: secret
30. olcDbIndex: uid pres,eq
31. olcDbIndex: cn,sn,uid pres,eq,approx,sub
32. olcDbIndex: objectClass eq
33. olcAccess: to attrs=userPassword
34. by self write
35. by anonymous auth
36. by dn.base="cn=Admin,dc=example,dc=com" write
37. by * none
38. olcAccess: to *
39. by self write
40. by dn.base="cn=Admin,dc=example,dc=com" write
41. by * read
Line 21 is a comment. Lines 22-25 identify this entry as a BDB database configuration entry. Line 26 specifies the DN suffix for queries to pass to this database. Line 27 specifies the directory in which the database files will live.
Lines 28 and 29 identify the database super-user entry and associated password. This entry is not subject to access control or size or time limit restrictions.
Lines 30 through 32 indicate the indices to maintain for various attributes.
Lines 33 through 41 specify access control for entries in this database. As this is the first database, the controls also apply to entries not held in any database (such as the Root DSE). For all applicable entries, the userPassword attribute is writable by the entry itself and by the "admin" entry. It may be used for authentication/authorization purposes, but is otherwise not readable. All other attributes are writable by the entry and the "admin" entry, but may be read by all users (authenticated or not).
Line 42 is a blank line, indicating the end of this entry.
The next section of the example configuration file defines another BDB database. This one handles queries involving the dc=example,dc=net subtree but is managed by the same entity as the first database. Note that without line 52, the read access would be allowed due to the global access rule at line 19.
43. # BDB definition for example.net
44. dn: olcDatabase=bdb,cn=config
45. objectClass: olcDatabaseConfig
46. objectClass: olcBdbConfig
47. olcDatabase: bdb
48. olcSuffix: "dc=example,dc=net"
49. olcDbDirectory: /usr/local/var/openldap-data-net
50. olcRootDN: "cn=Manager,dc=example,dc=com"
51. olcDbIndex: objectClass eq
52. olcAccess: to * by users read