LDAP Administration Guide

5.4. Configuration Example

The following is an example configuration, interspersed with explanatory text. It defines two databases to handle different parts of the X.500 tree; both are BDB database instances. The line numbers shown are provided for reference only and are not included in the actual file. First, the global configuration section:

  1.    # example config file - global configuration entry
  2.    dn: cn=config
  3.    objectClass: olcGlobal
  4.    cn: config
  5.    olcReferral: ldap://

Line 1 is a comment. Lines 2-4 identify this as the global configuration entry. The olcReferral: directive on line 5 means that queries not local to one of the databases defined below will be referred to the LDAP server running on the standard port (389) at the host Line 6 is a blank line, indicating the end of this entry.

  7.    # internal schema
  8.    dn: cn=schema,cn=config
  9.    objectClass: olcSchemaConfig
 10.    cn: schema

Line 7 is a comment. Lines 8-10 identify this as the root of the schema subtree. The actual schema definitions in this entry are hardcoded into slapd so no additional attributes are specified here. Line 11 is a blank line, indicating the end of this entry.

 12.    # include the core schema
 13.    include: file:///usr/local/etc/openldap/schema/core.ldif

Line 12 is a comment. Line 13 is an LDIF include directive which accesses the core schema definitions in LDIF format. Line 14 is a blank line.

Next come the database definitions. The first database is the special frontend database whose settings are applied globally to all the other databases.

 15.    # global database parameters
 16.    dn: olcDatabase=frontend,cn=config
 17.    objectClass: olcDatabaseConfig
 18.    olcDatabase: frontend
 19.    olcAccess: to * by * read

Line 15 is a comment. Lines 16-18 identify this entry as the global database entry. Line 19 is a global access control. It applies to all entries (after any applicable database-specific access controls).

The next entry defines a BDB backend that will handle queries for things in the "dc=example,dc=com" portion of the tree. Indices are to be maintained for several attributes, and the userPassword attribute is to be protected from unauthorized access.

 21.    # BDB definition for
 22.    dn: olcDatabase=bdb,cn=config
 23.    objectClass: olcDatabaseConfig
 24.    objectClass: olcBdbConfig
 25.    olcDatabase: bdb
 26.    olcSuffix: "dc=example,dc=com"
 27.    olcDbDirectory: /usr/local/var/openldap-data
 28.    olcRootDN: "cn=Manager,dc=example,dc=com"
 29.    olcRootPW: secret
 30.    olcDbIndex: uid pres,eq
 31.    olcDbIndex: cn,sn,uid pres,eq,approx,sub
 32.    olcDbIndex: objectClass eq
 33.    olcAccess: to attrs=userPassword
 34.      by self write
 35.      by anonymous auth
 36.      by dn.base="cn=Admin,dc=example,dc=com" write
 37.      by * none
 38.    olcAccess: to *
 39.      by self write
 40.      by dn.base="cn=Admin,dc=example,dc=com" write
 41.      by * read

Line 21 is a comment. Lines 22-25 identify this entry as a BDB database configuration entry. Line 26 specifies the DN suffix for queries to pass to this database. Line 27 specifies the directory in which the database files will live.

Lines 28 and 29 identify the database super-user entry and associated password. This entry is not subject to access control or size or time limit restrictions.

Lines 30 through 32 indicate the indices to maintain for various attributes.

Lines 33 through 41 specify access control for entries in this database. As this is the first database, the controls also apply to entries not held in any database (such as the Root DSE). For all applicable entries, the userPassword attribute is writable by the entry itself and by the "admin" entry. It may be used for authentication/authorization purposes, but is otherwise not readable. All other attributes are writable by the entry and the "admin" entry, but may be read by all users (authenticated or not).

Line 42 is a blank line, indicating the end of this entry.

The next section of the example configuration file defines another BDB database. This one handles queries involving the dc=example,dc=net subtree but is managed by the same entity as the first database. Note that without line 52, the read access would be allowed due to the global access rule at line 19.

 43.    # BDB definition for
 44.    dn: olcDatabase=bdb,cn=config
 45.    objectClass: olcDatabaseConfig
 46.    objectClass: olcBdbConfig
 47.    olcDatabase: bdb
 48.    olcSuffix: "dc=example,dc=net"
 49.    olcDbDirectory: /usr/local/var/openldap-data-net
 50.    olcRootDN: "cn=Manager,dc=example,dc=com"
 51.    olcDbIndex: objectClass eq
 52.    olcAccess: to * by users read
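
The access-control outcomes described for lines 19, 33-41 and 52 can be traced with a small model, added here as an example; it is not part of the OpenLDAP guide or of slapd. It assumes slapd's documented evaluation order (a database's own directives before the frontend's, the first matching `to` clause, then the first matching `by` clause, with an implicit final `by * none`), handles only the selectors that appear in this listing, and compares DNs as plain strings; the function names are hypothetical.

```python
import re

# Constructed sample: the listing's three database entries, line numbers stripped.
CONFIG = """\
dn: olcDatabase=frontend,cn=config
olcAccess: to * by * read

dn: olcDatabase=bdb,cn=config
olcSuffix: "dc=example,dc=com"
olcAccess: to attrs=userPassword
  by self write
  by anonymous auth
  by dn.base="cn=Admin,dc=example,dc=com" write
  by * none
olcAccess: to *
  by self write
  by dn.base="cn=Admin,dc=example,dc=com" write
  by * read

dn: olcDatabase=bdb,cn=config
olcSuffix: "dc=example,dc=net"
olcAccess: to * by users read
"""

def load_acls(ldif):
    """Map each olcSuffix (or 'frontend') to [(what, [(who, level), ...]), ...]."""
    acls = {}
    for entry in re.sub(r"\n ", "", ldif).strip().split("\n\n"):  # unfold LDIF lines
        attrs = [line.split(": ", 1) for line in entry.splitlines()]
        key = next((v.strip('"') for k, v in attrs if k == "olcSuffix"), "frontend")
        acls[key] = [(v.split()[1], re.findall(r"by (\S+) (\w+)", v))
                     for k, v in attrs if k == "olcAccess"]
    return acls

def who_matches(who, requester, entry_dn):
    """requester is None for an anonymous bind, else the bound DN (exact string compare)."""
    dn = re.fullmatch(r'dn\.base="(.*)"', who)
    return (who == "*" or (who == "anonymous" and requester is None)
            or (who == "users" and requester is not None)
            or (who == "self" and requester is not None and requester == entry_dn)
            or bool(dn and requester == dn.group(1)))

def access(acls, suffix, attr, requester, entry_dn):
    # Database directives are checked first, then the frontend's global ones.
    for what, clauses in acls.get(suffix, []) + acls["frontend"]:
        if what in ("*", "attrs=" + attr):       # first matching <what> wins
            return next((lvl for who, lvl in clauses
                         if who_matches(who, requester, entry_dn)), "none")
    return "none"                                # no directive matched at all
```

With this model, an anonymous read of `cn` under dc=example,dc=net yields `none`; with the line 52 directive removed from that database, the same request falls through to the frontend rule on line 19 and yields `read`.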


Published under the terms of the OpenLDAP Public License