rpms/openldap/devel guide.html, 1.3, 1.4 ldap.init, 1.18, 1.19 openldap.spec, 1.58, 1.59

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Fri Sep 22 18:32:02 UTC 2006


Author: fenlason

Update of /cvs/dist/rpms/openldap/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv19955

Modified Files:
	guide.html ldap.init openldap.spec 
Log Message:
- Include --enable-multimaster to close
  bz#185821: adding slapd_multimaster to the configure options
- Upgrade guide.html to the correct one for openldap-2.3.27, closing
  bz#190383: openldap 2.3 packages contain the administrator's guide for 2.2
- Remove the quotes from around the slaptestflags in ldap.init
  This closes one part of
  bz#204593: service ldap fails after having added entries to ldap
- include __db.* in the list of files to check ownership of in
  ldap.init, as suggested in
  bz#199322: RFE: perform cleanup in ldap.init




View full diff with command:
/usr/bin/cvs -f diff  -kk -u -N -r 1.3 -r 1.4 guide.html
Index: guide.html
===================================================================
RCS file: /cvs/dist/rpms/openldap/devel/guide.html,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- guide.html	9 Sep 2004 09:43:01 -0000	1.3
+++ guide.html	22 Sep 2006 18:32:00 -0000	1.4
@@ -7,13 +7,13 @@
      available from http://www.mincom.com/mtr/sdf. -->
 
 <HEAD>
-<TITLE>OpenLDAP 2.2 Administrator's Guide</TITLE>
+<TITLE>OpenLDAP Software 2.3 Administrator's Guide</TITLE>
 </HEAD>
 <BODY>
 
 <DIV CLASS="header">
 <A HREF="http://www.OpenLDAP.org/">
-<P><IMG SRC="LDAPlogo.gif" ALIGN="Left" BORDER=0></P>
+<P><IMG SRC="../images/LDAPlogo.gif" ALIGN="Left" BORDER=0></P>
 </A>
 <DIV CLASS="navigate">
 <P ALIGN="Center"><A HREF="http://www.openldap.org/">Home</A> | <A HREF="../index.html">Catalog</A></P>
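Review bot: the logo reference on the `+` line now points one directory up (`<IMG SRC="../images/LDAPlogo.gif" ...>`) where revision 1.3 referenced `LDAPlogo.gif` next to the page, so the installed guide only renders the logo if the package also ships an `images/` directory beside guide.html; otherwise it is a broken image (cosmetic, but visible). The unchanged `../index.html` Catalog link in the navigation line has the same dependency on the upstream doc tree layout, so either install that tree alongside or accept both as dead references in the packaged copy.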
@@ -21,9 +21,9 @@
 <BR CLEAR="Left">
 </DIV>
 <DIV CLASS="title">
-<H1 CLASS="doc-title">OpenLDAP 2.2 Administrator's Guide</H1>
+<H1 CLASS="doc-title">OpenLDAP Software 2.3 Administrator's Guide</H1>
 <ADDRESS CLASS="doc-author">The OpenLDAP Project <<A HREF="http://www.openldap.org/">http://www.openldap.org/</A>></ADDRESS>
-<ADDRESS CLASS="doc-modified">25 February 2004</ADDRESS>
+<ADDRESS CLASS="doc-modified">9 August 2005</ADDRESS>
 <BR CLEAR="All">
 </DIV>
 <DIV CLASS="contents">
@@ -71,82 +71,91 @@
 <BR>
 <A HREF="#Installing the Software">4.6. Installing the Software</A></UL>
 <BR>
-<A HREF="#The slapd Configuration File">5. The slapd Configuration File</A><UL>
-<A HREF="#Configuration File Format">5.1. Configuration File Format</A>
+<A HREF="#Configuring slapd">5. Configuring slapd</A><UL>
+<A HREF="#Configuration Layout">5.1. Configuration Layout</A>
 <BR>
-<A HREF="#Configuration File Directives">5.2. Configuration File Directives</A>
+<A HREF="#Configuration Directives">5.2. Configuration Directives</A>
 <BR>
 <A HREF="#Access Control">5.3. Access Control</A>
 <BR>
-<A HREF="#Configuration File Example">5.4. Configuration File Example</A></UL>
+<A HREF="#Configuration Example">5.4. Configuration Example</A></UL>
 <BR>
-<A HREF="#Running slapd">6. Running slapd</A><UL>
-<A HREF="#Command-Line Options">6.1. Command-Line Options</A>
+<A HREF="#The slapd Configuration File">6. The slapd Configuration File</A><UL>
+<A HREF="#Configuration File Format">6.1. Configuration File Format</A>
 <BR>
-<A HREF="#Starting slapd">6.2. Starting slapd</A>
+<A HREF="#Configuration File Directives">6.2. Configuration File Directives</A>
 <BR>
-<A HREF="#Stopping slapd">6.3. Stopping slapd</A></UL>
+<A HREF="#Access Control">6.3. Access Control</A>
 <BR>
-<A HREF="#Database Creation and Maintenance Tools">7. Database Creation and Maintenance Tools</A><UL>
-<A HREF="#Creating a database over LDAP">7.1. Creating a database over LDAP</A>
+<A HREF="#Configuration File Example">6.4. Configuration File Example</A></UL>
 <BR>
-<A HREF="#Creating a database off-line">7.2. Creating a database off-line</A>
+<A HREF="#Running slapd">7. Running slapd</A><UL>
+<A HREF="#Command-Line Options">7.1. Command-Line Options</A>
 <BR>
-<A HREF="#The LDIF text entry format">7.3. The LDIF text entry format</A></UL>
+<A HREF="#Starting slapd">7.2. Starting slapd</A>
 <BR>
-<A HREF="#Schema Specification">8. Schema Specification</A><UL>
-<A HREF="#Distributed Schema Files">8.1. Distributed Schema Files</A>
+<A HREF="#Stopping slapd">7.3. Stopping slapd</A></UL>
 <BR>
-<A HREF="#Extending Schema">8.2. Extending Schema</A></UL>
+<A HREF="#Database Creation and Maintenance Tools">8. Database Creation and Maintenance Tools</A><UL>
+<A HREF="#Creating a database over LDAP">8.1. Creating a database over LDAP</A>
 <BR>
-<A HREF="#Security Considerations">9. Security Considerations</A><UL>
-<A HREF="#Network Security">9.1. Network Security</A>
+<A HREF="#Creating a database off-line">8.2. Creating a database off-line</A>
 <BR>
-<A HREF="#Integrity and Confidentiality Protection">9.2. Integrity and Confidentiality Protection</A>
+<A HREF="#The LDIF text entry format">8.3. The LDIF text entry format</A></UL>
 <BR>
-<A HREF="#Authentication Methods">9.3. Authentication Methods</A></UL>
+<A HREF="#Schema Specification">9. Schema Specification</A><UL>
+<A HREF="#Distributed Schema Files">9.1. Distributed Schema Files</A>
 <BR>
-<A HREF="#Using SASL">10. Using SASL</A><UL>
-<A HREF="#SASL Security Considerations">10.1. SASL Security Considerations</A>
+<A HREF="#Extending Schema">9.2. Extending Schema</A></UL>
 <BR>
-<A HREF="#SASL Authentication">10.2. SASL Authentication</A>
+<A HREF="#Security Considerations">10. Security Considerations</A><UL>
+<A HREF="#Network Security">10.1. Network Security</A>
 <BR>
-<A HREF="#SASL Proxy Authorization">10.3. SASL Proxy Authorization</A></UL>
+<A HREF="#Data Integrity and Confidentiality Protection">10.2. Data Integrity and Confidentiality Protection</A>
 <BR>
-<A HREF="#Using TLS">11. Using TLS</A><UL>
-<A HREF="#TLS Certificates">11.1. TLS Certificates</A>
+<A HREF="#Authentication Methods">10.3. Authentication Methods</A></UL>
 <BR>
-<A HREF="#TLS Configuration">11.2. TLS Configuration</A></UL>
+<A HREF="#Using SASL">11. Using SASL</A><UL>
+<A HREF="#SASL Security Considerations">11.1. SASL Security Considerations</A>
 <BR>
-<A HREF="#Constructing a Distributed Directory Service">12. Constructing a Distributed Directory Service</A><UL>
-<A HREF="#Subordinate Knowledge Information">12.1. Subordinate Knowledge Information</A>
+<A HREF="#SASL Authentication">11.2. SASL Authentication</A>
 <BR>
-<A HREF="#Superior Knowledge Information">12.2. Superior Knowledge Information</A>
+<A HREF="#SASL Proxy Authorization">11.3. SASL Proxy Authorization</A></UL>
 <BR>
-<A HREF="#The ManageDsaIT Control">12.3. The ManageDsaIT Control</A></UL>
+<A HREF="#Using TLS">12. Using TLS</A><UL>
+<A HREF="#TLS Certificates">12.1. TLS Certificates</A>
 <BR>
-<A HREF="#Replication with slurpd">13. Replication with slurpd</A><UL>
-<A HREF="#Overview">13.1. Overview</A>
+<A HREF="#TLS Configuration">12.2. TLS Configuration</A></UL>
 <BR>
-<A HREF="#Replication Logs">13.2. Replication Logs</A>
+<A HREF="#Constructing a Distributed Directory Service">13. Constructing a Distributed Directory Service</A><UL>
+<A HREF="#Subordinate Knowledge Information">13.1. Subordinate Knowledge Information</A>
 <BR>
-<A HREF="#Command-Line Options">13.3. Command-Line Options</A>
+<A HREF="#Superior Knowledge Information">13.2. Superior Knowledge Information</A>
 <BR>
-<A HREF="#Configuring slurpd and a slave slapd instance">13.4. Configuring slurpd and a slave slapd instance</A>
+<A HREF="#The ManageDsaIT Control">13.3. The ManageDsaIT Control</A></UL>
 <BR>
-<A HREF="#Advanced slurpd Operation">13.5. Advanced slurpd Operation</A></UL>
+<A HREF="#Replication with slurpd">14. Replication with slurpd</A><UL>
+<A HREF="#Overview">14.1. Overview</A>
 <BR>
-<A HREF="#LDAP Sync Replication">14. LDAP Sync Replication</A><UL>
-<A HREF="#The LDAP Content Synchronization Protocol">14.1. The LDAP Content Synchronization Protocol</A>
+<A HREF="#Replication Logs">14.2. Replication Logs</A>
 <BR>
-<A HREF="#Syncrepl Details">14.2. Syncrepl Details</A>
+<A HREF="#Command-Line Options">14.3. Command-Line Options</A>
 <BR>
-<A HREF="#Configuring Syncrepl">14.3. Configuring Syncrepl</A></UL>
+<A HREF="#Configuring slurpd and a slave slapd instance">14.4. Configuring slurpd and a slave slapd instance</A>
 <BR>
-<A HREF="#The Proxy Cache Engine">15. The Proxy Cache Engine</A><UL>
-<A HREF="#Overview">15.1. Overview</A>
+<A HREF="#Advanced slurpd Operation">14.5. Advanced slurpd Operation</A></UL>
 <BR>
-<A HREF="#Proxy Cache Configuration">15.2. Proxy Cache Configuration</A></UL>
+<A HREF="#LDAP Sync Replication">15. LDAP Sync Replication</A><UL>
+<A HREF="#The LDAP Content Synchronization Protocol">15.1. The LDAP Content Synchronization Protocol</A>
+<BR>
+<A HREF="#Syncrepl Details">15.2. Syncrepl Details</A>
+<BR>
+<A HREF="#Configuring Syncrepl">15.3. Configuring Syncrepl</A></UL>
+<BR>
+<A HREF="#The Proxy Cache Engine">16. The Proxy Cache Engine</A><UL>
+<A HREF="#Overview">16.1. Overview</A>
+<BR>
+<A HREF="#Proxy Cache Configuration">16.2. Proxy Cache Configuration</A></UL>
 <BR>
 <A HREF="#Generic configure Instructions">A. Generic configure Instructions</A>
 <BR>
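Review bot: the renumbered contents now carry two links to `#Access Control` (5.3 under "Configuring slapd" and 6.3 under "The slapd Configuration File"), and still two each to `#Overview` (14.1 and 16.1) and `#Command-Line Options` (7.1 and 14.3). A browser resolves a fragment to the first matching `<A NAME>` in the page, so the second link of each pair lands on the wrong chapter; in particular the 6.3 Access Control link will jump to the 5.3 section. The anchors come from upstream's generated guide, so the fix belongs in the upstream section naming (an ITS) rather than a local patch to this copy, but it is worth knowing when pointing users at the access-control material.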
@@ -164,11 +173,11 @@
 <HR>
 <H1><A NAME="Preface">Preface</A></H1>
 <H2>Copyright</H2>
-<P>Copyright 1998-2002, The <A HREF="http://www.openldap.org/foundation/">OpenLDAP Foundation</A>, <EM>All Rights Reserved</EM>.</P>
+<P>Copyright 1998-2005, The <A HREF="http://www.openldap.org/foundation/">OpenLDAP Foundation</A>, <EM>All Rights Reserved</EM>.</P>
 <P>Copyright 1992-1996, Regents of the <A HREF="http://www.umich.edu/">University of Michigan</A>, <EM>All Rights Reserved</EM>.</P>
 <P>This document is considered a part of OpenLDAP Software.  This document is subject to terms of conditions set forth in <A HREF="#OpenLDAP Software Copyright Notices">OpenLDAP Software Copyright Notices</A> and the <A HREF="#OpenLDAP Public License">OpenLDAP Public License</A>. Complete copies of the notices and associated license can be found in Appendix B and C, respectively.</P>
 <H2>Scope of this Document</H2>
-<P>This document provides a guide for installing OpenLDAP 2.1 Software (<A HREF="http://www.openldap.org/software/">http://www.openldap.org/software/</A>) on <TERM>UNIX</TERM> (and UNIX-like) systems.  The document is aimed at experienced system administrators but who may not have prior experience operating <TERM>LDAP</TERM>-based directory software.</P>
+<P>This document provides a guide for installing OpenLDAP Software 2.3 (<A HREF="http://www.openldap.org/software/">http://www.openldap.org/software/</A>) on <TERM>UNIX</TERM> (and UNIX-like) systems.  The document is aimed at experienced system administrators but who may not have prior experience operating <TERM>LDAP</TERM>-based directory software.</P>
 <P>This document is meant to be used in conjunction with other OpenLDAP information resources provided with the software package and on the project's extensive site (<A HREF="http://www.OpenLDAP.org/">http://www.OpenLDAP.org/</A>) on the World Wide Web.  The site makes available a number of resources.</P>
 <TABLE CLASS="columns" BORDER ALIGN='Center'>
 <CAPTION ALIGN=top>OpenLDAP Resources</CAPTION>
@@ -232,7 +241,7 @@
 
 <H2>Acknowledgments</H2>
 <P>The <A HREF="http://www.openldap.org/project/">OpenLDAP Project</A> is comprised of a team of volunteers.  This document would not be possible without their contribution of time and energy.</P>
-<P>The OpenLDAP Project would also like to thank the <A HREF="http://www.umich.edu/~dirsvcs/ldap/">University of Michigan LDAP</A> for building the foundation of LDAP software and information to which OpenLDAP Software is built upon.  This document is based upon U-Mich LDAP document: <EM>The SLAPD and SLURPD Administrators Guide</EM>.</P>
+<P>The OpenLDAP Project would also like to thank the <A HREF="http://www.umich.edu/~dirsvcs/ldap/ldap.html">University of Michigan LDAP</A> for building the foundation of LDAP software and information to which OpenLDAP Software is built upon.  This document is based upon U-Mich LDAP document: <EM>The SLAPD and SLURPD Administrators Guide</EM>.</P>
 <H2>Amendments</H2>
 <P>Suggested enhancements and corrections to this document should be submitted using the <A HREF="http://www.openldap.org/">OpenLDAP</A> <EM><TERM>Issue Tracking System</TERM></EM> (<A HREF="http://www.openldap.org/its/">http://www.openldap.org/its/</A>).</P>
 <H2>About this document</H2>
@@ -257,38 +266,38 @@
 <P><EM>How is the information referenced?</EM> An entry is referenced by its distinguished name, which is constructed by taking the name of the entry itself (called the <TERM>Relative Distinguished Name</TERM> or RDN) and concatenating the names of its ancestor entries. For example, the entry for Barbara Jensen in the Internet naming example above has an RDN of <TT>uid=babs</TT> and a DN of <TT>uid=babs,ou=People,dc=example,dc=com</TT>. The full DN format is described in <A HREF="http://www.rfc-editor.org/rfc/rfc2253.txt">RFC2253</A>, "Lightweight Directory Access Protocol (v3):  UTF-8 String Representation of Distinguished Names."</P>
 <P><EM>How is the information accessed?</EM> LDAP defines operations for interrogating and updating the directory.  Operations are provided for adding and deleting an entry from the directory, changing an existing entry, and changing the name of an entry. Most of the time, though, LDAP is used to search for information in the directory. The LDAP search operation allows some portion of the directory to be searched for entries that match some criteria specified by a search filter. Information can be requested from each entry that matches the criteria.</P>
 <P>For example, you might want to search the entire directory subtree at and below <TT>dc=example,dc=com</TT> for people with the name <TT>Barbara Jensen</TT>, retrieving the email address of each entry found. LDAP lets you do this easily.  Or you might want to search the entries directly below the <TT>st=California,c=US</TT> entry for organizations with the string <TT>Acme</TT> in their name, and that have a fax number. LDAP lets you do this too. The next section describes in more detail what you can do with LDAP and how it might be useful to you.</P>
-<P><EM>How is the information protected from unauthorized access?</EM> Some directory services provide no protection, allowing anyone to see the information. LDAP provides a mechanism for a client to authenticate, or prove its identity to a directory server, paving the way for rich access control to protect the information the server contains.  LDAP also supports privacy and integrity security services.</P>
+<P><EM>How is the information protected from unauthorized access?</EM> Some directory services provide no protection, allowing anyone to see the information. LDAP provides a mechanism for a client to authenticate, or prove its identity to a directory server, paving the way for rich access control to protect the information the server contains. LDAP also supports data security (integrity and confidentiality) services.</P>
[...2615 lines suppressed...]
-<P>Because a general search filter can be used in the syncrepl specification, not all entries in the context will be returned as the synchronization content. The syncrepl engine creates a glue entry to fill in the holes in the replica context if any part of the replica content is subordinate to the holes. The glue entries will not be returned as the search result unless <EM>ManageDsaIT</EM> control is provided.</P>
-<P>It is possible to retrieve <TT>syncProviderSubentry</TT> and <TT>syncConsumerSubentry</TT> by performing an LDAP search with the respective entries as the base object and with the base scope.</P>
-<H2><A NAME="Configuring Syncrepl">14.3. Configuring Syncrepl</A></H2>
-<P>Because syncrepl is a consumer-side replication engine, the syncrepl specification is defined in <EM>slapd.conf</EM> (5) of the consumer server, not in the provider server's configuration file. The initial loading of the replica content can be performed either by starting the syncrepl engine with no synchronization cookie or by populating the consumer replica by adding and demoting an <TERM>LDIF</TERM> file dumped as a backup at the provider. <EM>slapadd</EM> (8) supports the replica promotion and demotion.</P>
+<P>The syncrepl engine, which is a consumer-side replication engine, can work with any backends. The LDAP Sync provider can be configured as an overlay on any backend, but works best with the <EM>back-bdb</EM> or <EM>back-hdb</EM> backend. The provider can not support refreshAndPersist mode on <EM>back-ldbm</EM> due to limits in that backend's locking architecture.</P>
+<P>The LDAP Sync provider maintains a <TT>contextCSN</TT> for each database as the current synchronization state indicator of the provider content.  It is the largest <TT>entryCSN</TT> in the provider context such that no transactions for an entry having smaller <TT>entryCSN</TT> value remains outstanding.  The <TT>contextCSN</TT> could not just be set to the largest issued <TT>entryCSN</TT> because <TT>entryCSN</TT> is obtained before a transaction starts and transactions are not committed in the issue order.</P>
+<P>The provider stores the <TT>contextCSN</TT> of a context in the <TT>contextCSN</TT> attribute of the context suffix entry. The attribute is not written to the database after every update operation though; instead it is maintained primarily in memory. At database start time the provider reads the last saved <TT>contextCSN</TT> into memory and uses the in-memory copy exclusively thereafter. By default, changes to the <TT>contextCSN</TT> as a result of database updates will not be written to the database until the server is cleanly shut down. A checkpoint facility exists to cause the contextCSN to be written out more frequently if desired.</P>
+<P>Note that at startup time, if the provider is unable to read a <TT>contextCSN</TT> from the suffix entry, it will scan the entire database to determine the value, and this scan may take quite a long time on a large database. When a <TT>contextCSN</TT> value is read, the database will still be scanned for any <TT>entryCSN</TT> values greater than it, to make sure the <TT>contextCSN</TT> value truly reflects the greatest committed <TT>entryCSN</TT> in the database. On databases which support inequality indexing, setting an eq index on the <TT>entryCSN</TT> attribute and configuring <EM>contextCSN</EM> checkpoints will greatly speed up this scanning step.</P>
+<P>If no <TT>contextCSN</TT> can be determined by reading and scanning the database, a new value will be generated. Also, if scanning the database yielded a greater <TT>entryCSN</TT> than was previously recorded in the suffix entry's <TT>contextCSN</TT> attribute, a checkpoint will be immediately written with the new value.</P>
+<P>The consumer also stores its replica state, which is the provider's <TT>contextCSN</TT> received as a synchronization cookie, in the <TT>contextCSN</TT> attribute of the suffix entry.  The replica state maintained by a consumer server is used as the synchronization state indicator when it performs subsequent incremental synchronization with the provider server. It is also used as a provider-side synchronization state indicator when it functions as a secondary provider server in a cascading replication configuration.  Since the consumer and provider state information are maintained in the same location within their respective databases, any consumer can be promoted to a provider (and vice versa) without any special actions.</P>
+<P>Because a general search filter can be used in the syncrepl specification, some entries in the context may be omitted from the synchronization content.  The syncrepl engine creates a glue entry to fill in the holes in the replica context if any part of the replica content is subordinate to the holes. The glue entries will not be returned in the search result unless <EM>ManageDsaIT</EM> control is provided.</P>
+<P>Also as a consequence of the search filter used in the syncrepl specification, it is possible for a modification to remove an entry from the replication scope even though the entry has not been deleted on the provider. Logically the entry must be deleted on the consumer but in <EM>refreshOnly</EM> mode the provider cannot detect and propagate this change without the use of the session log.</P>
+<H2><A NAME="Configuring Syncrepl">15.3. Configuring Syncrepl</A></H2>
+<P>Because syncrepl is a consumer-side replication engine, the syncrepl specification is defined in <EM>slapd.conf</EM> (5) of the consumer server, not in the provider server's configuration file.  The initial loading of the replica content can be performed either by starting the syncrepl engine with no synchronization cookie or by populating the consumer replica by adding an <TERM>LDIF</TERM> file dumped as a backup at the provider.</P>
 <P>When loading from a backup, it is not required to perform the initial loading from the up-to-date backup of the provider content. The syncrepl engine will automatically synchronize the initial consumer replica to the current provider content. As a result, it is not required to stop the provider server in order to avoid the replica inconsistency caused by the updates to the provider content during the content backup and loading process.</P>
 <P>When replicating a large scale directory, especially in a bandwidth constrained environment, it is advised to load the consumer replica from a backup instead of performing a full initial load using syncrepl.</P>
-<H3><A NAME="Set up the provider slapd">14.3.1. Set up the provider slapd</A></H3>
-<P>There is no special <EM>slapd.conf</EM> (5) directive for the provider syncrepl server except for the session log directive.  Because the LDAP Sync search is subject to access control, proper access control privileges should be set up for the replicated content.</P>
-<P>When creating a provider database from the <TERM>LDIF</TERM> file using <EM>slapadd</EM> (8), <TT>contextCSN</TT> and the <TT>syncProviderSubentry</TT> entry must be created. <EM>slapadd -p -w</EM> will create a new <TT>contextCSN</TT> from the <TT>entryCSN</TT>s of the added entries. It is also possible to create the <TT>syncProviderSubentry</TT> with an appropriate <TT>contextCSN</TT> value by directly including it in the ldif file. <EM>slapadd -p</EM> will preserve the provider's contextCSN or will change it to the consumer's contextCSN if it is to promote a replica to the provider's content. The <TT>syncProviderSubentry</TT> can be included in the ldif output when <EM>slapcat</EM> (8) is given the <EM>-m</EM> flag; the <TT>syncConsumerSubentry</TT> can be retrieved by the <EM>-k</EM> flag of <EM>slapcat</EM> (8).</P>
-<P>The session log is configured by</P>
-<PRE>
-        sessionlog <sid> <limit>
-</PRE>
-<P>directive, where <EM><sid></EM> is the ID of the per-scope session log in the provider server and <EM><limit></EM> is the maximum number of session log entries the session log store can record. <EM><sid></EM> is an integer no longer than 3 decimal digits. If the consumer server sends a synchronization cookie containing <EM>sid=<sid></EM> where <EM><sid></EM> matches the session log ID specified in the directive, the LDAP Sync search is to utilize the session log store.</P>
-<H3><A NAME="Set up the consumer slapd">14.3.2. Set up the consumer slapd</A></H3>
-<P>The syncrepl replication is specified in the database section of <EM>slapd.conf</EM> (5) for the replica context. The syncrepl engine is backend independent and the directive can be defined with any database type.</P>
+<H3><A NAME="Set up the provider slapd">15.3.1. Set up the provider slapd</A></H3>
+<P>The provider is implemented as an overlay, so the overlay itself must first be configured in <EM>slapd.conf</EM> (5) before it can be used. The provider has only two configuration directives, for setting checkpoints on the <TT>contextCSN</TT> and for configuring the session log.  Because the LDAP Sync search is subject to access control, proper access control privileges should be set up for the replicated content.</P>
+<P>The <TT>contextCSN</TT> checkpoint is configured by the</P>
+<PRE>
+        syncprov-checkpoint <ops> <minutes>
+</PRE>
+<P>directive. Checkpoints are only tested after successful write operations.  If <EM><ops></EM> operations or more than <EM><minutes></EM> time has passed since the last checkpoint, a new checkpoint is performed.</P>
+<P>The session log is configured by the</P>
+<PRE>
+        syncprov-sessionlog <size>
+</PRE>
+<P>directive, where <EM><size></EM> is the maximum number of session log entries the session log can record. When a session log is configured, it is automatically used for all LDAP Sync searches within the database.</P>
+<P>Note that using the session log requires searching on the <EM>entryUUID</EM> attribute. Setting an eq index on this attribute will greatly benefit the performance of the session log on the provider.</P>
+<P>A more complete example of the <EM>slapd.conf</EM> content is thus:</P>
 <PRE>
+        database bdb
+        suffix dc=Example,dc=com
+        rootdn dc=Example,dc=com
+        directory /var/ldap/db
+        index objectclass,entryCSN,entryUUID eq
+
+        overlay syncprov
+        syncprov-checkpoint 100 10
+        syncprov-sessionlog 100
+</PRE>
+<H3><A NAME="Set up the consumer slapd">15.3.2. Set up the consumer slapd</A></H3>
+<P>The syncrepl replication is specified in the database section of <EM>slapd.conf</EM> (5) for the replica context.  The syncrepl engine is backend independent and the directive can be defined with any database type.</P>
+<PRE>
+        database hdb
+        suffix dc=Example,dc=com
+        rootdn dc=Example,dc=com
+        directory /var/ldap/db
+        index objectclass,entryCSN,entryUUID eq
+
         syncrepl rid=123
                 provider=ldap://provider.example.com:389
                 type=refreshOnly
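Review bot: the provider example added under 15.3.1 (`database bdb` through `syncprov-sessionlog 100`) shows no `access to` directive, although the paragraph introducing it says proper access control privileges should be set up for the replicated content. With no ACL in the database section slapd applies its default policy of read access for everyone, so the example as written lets any client, not just the syncrepl bind identity, read everything the provider would replicate. Suggest the example carry at least `access to attrs=userPassword by self write by anonymous auth by * none` followed by `access to * by dn.exact="cn=syncuser,dc=example,dc=com" read by * none` (the first clause is needed so the simple bind of the sync user can still authenticate) so that the snippet matches the text. Minor: the new snippets use `dc=Example,dc=com` for suffix and rootdn while the syncrepl stanza uses `dc=example,dc=com`; dc values match case-insensitively so both resolve, but one spelling would avoid the question.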
@@ -3108,50 +4307,50 @@
                 scope=sub
                 attrs="cn,sn,ou,telephoneNumber,title,l"
                 schemachecking=off
-                updatedn="cn=replica,dc=example,dc=com"
                 bindmethod=simple
                 binddn="cn=syncuser,dc=example,dc=com"
                 credentials=secret
 </PRE>
-<P>In this example, the consumer will connect to the provider slapd at port 389 of <A HREF="ldap://provider.example.com">ldap://provider.example.com</A> to perform a polling (<EM>refreshOnly</EM>) mode of synchronization once a day.  It will bind as <TT>cn=syncuser,dc=example,dc=com</TT> using simple authentication with password "secret".  Note that the access control privilege of <TT>cn=syncuser,dc=example,dc=com</TT> should be set appropriately in the provider to retrieve the desired replication content. The consumer will write to its database with the privilege of the <TT>cn=replica,dc=example,dc=com</TT> entry as specified in the <TT>updatedn=</TT> directive. The <TT>updatedn</TT> entry should have write permission to the replica content.</P>
+<P>In this example, the consumer will connect to the provider slapd at port 389 of <A HREF="ldap://provider.example.com">ldap://provider.example.com</A> to perform a polling (<EM>refreshOnly</EM>) mode of synchronization once a day.  It will bind as <TT>cn=syncuser,dc=example,dc=com</TT> using simple authentication with password "secret".  Note that the access control privilege of <TT>cn=syncuser,dc=example,dc=com</TT> should be set appropriately in the provider to retrieve the desired replication content. Also the search limits must be high enough on the provider to allow the syncuser to retrieve a complete copy of the requested content.  The consumer uses the rootdn to write to its database so it always has full permissions to write all content.</P>
 <P>The synchronization search in the above example will search for the entries whose objectClass is organizationalPerson in the entire subtree rooted at <TT>dc=example,dc=com</TT>. The requested attributes are <TT>cn</TT>, <TT>sn</TT>, <TT>ou</TT>, <TT>telephoneNumber</TT>, <TT>title</TT>, and <TT>l</TT>. The schema checking is turned off, so that the consumer <EM>slapd</EM> (8) will not enforce entry schema checking when it process updates from the provider <EM>slapd</EM> (8).</P>
 <P>For more detailed information on the syncrepl directive, see the <A HREF="#syncrepl">syncrepl</A> section of <A HREF="#The slapd Configuration File">The slapd Configuration File</A> chapter of this admin guide.</P>
-<H3><A NAME="Start the provider and the consumer slapd">14.3.3. Start the provider and the consumer slapd</A></H3>
-<P>The provider <EM>slapd</EM> (8) is not required to be restarted. <EM>contextCSN</EM> is automatically generated as needed: it might originally contained in the <TERM>LDIF</TERM> file, generated by <EM>slapadd</EM> (8), generated upon changes in the context, or generated when the first LDAP Sync search arrived at the provider.</P>
-<P>When starting a consumer <EM>slapd</EM> (8), it is possible to provide a synchronization cookie as the <EM>-c cookie</EM> command line option in order to start the synchronization from a specific state. The cookie is a comma separated list of name=value pairs. Currently supported syncrepl cookie fields are <EM>csn=<csn></EM>, <EM>sid=<sid></EM>, and <EM>rid=<rid></EM>. <EM><csn></EM> represents the current synchronization state of the consumer replica. <EM><sid></EM> is the identity of the per-scope session log to which this consumer will be associated. <EM><rid></EM> identifies a consumer replica locally within the consumer server. It is used to relate the cookie to the syncrepl definition in <EM>slapd.conf</EM> (5) which has the matching replica identifier. Both <EM><sid></EM> and <EM><rid></EM> have no more than 3 decimal digits. The command line cookie overrides the synchronization cookie stored in the consumer replica !
 database.</P>
+<H3><A NAME="Start the provider and the consumer slapd">15.3.3. Start the provider and the consumer slapd</A></H3>
+<P>The provider <EM>slapd</EM> (8) is not required to be restarted. <EM>contextCSN</EM> is automatically generated as needed: it might be originally contained in the <TERM>LDIF</TERM> file, generated by <EM>slapadd</EM> (8), generated upon changes in the context, or generated when the first LDAP Sync search arrives at the provider.  If an LDIF file is being loaded which did not previously contain the <EM>contextCSN</EM>, the <EM>-w</EM> option should be used with <EM>slapadd</EM> (8) to cause it to be generated. This will allow the server to startup a little quicker the first time it runs.</P>
+<P>When starting a consumer <EM>slapd</EM> (8), it is possible to provide a synchronization cookie as the <EM>-c cookie</EM> command line option in order to start the synchronization from a specific state.  The cookie is a comma separated list of name=value pairs. Currently supported syncrepl cookie fields are <EM>csn=<csn></EM> and <EM>rid=<rid></EM>. <EM><csn></EM> represents the current synchronization state of the consumer replica.  <EM><rid></EM> identifies a consumer replica locally within the consumer server. It is used to relate the cookie to the syncrepl definition in <EM>slapd.conf</EM> (5) which has the matching replica identifier.  The <EM><rid></EM> must have no more than 3 decimal digits.  The command line cookie overrides the synchronization cookie stored in the consumer replica database.</P>
 <P></P>
 <HR>
-<H1><A NAME="The Proxy Cache Engine">15. The Proxy Cache Engine</A></H1>
+<H1><A NAME="The Proxy Cache Engine">16. The Proxy Cache Engine</A></H1>
 <P>LDAP servers typically hold one or more subtrees of a DIT. Replica (or shadow) servers hold shadow copies of entries held by one or more master servers.  Changes are propagated from the master server to replica (slave) servers using LDAP Sync or <EM>slurpd</EM>(8). An LDAP cache is a special type of replica which holds entries corresponding to search filters instead of subtrees.</P>
-<H2><A NAME="Overview">15.1. Overview</A></H2>
+<H2><A NAME="Overview">16.1. Overview</A></H2>
 <P>The proxy cache extension of slapd is designed to improve the responseiveness of the ldap and meta backends. It handles a search request (query) by first determining whether it is contained in any cached search filter. Contained requests are answered from the proxy cache's local database. Other requests are passed on to the underlying ldap or meta backend and processed as usual.</P>
 <P>E.g. <TT>(shoesize>=9)</TT> is contained in <TT>(shoesize>=8)</TT> and <TT>(sn=Richardson)</TT> is contained in <TT>(sn=Richards*)</TT></P>
 <P>Correct matching rules and syntaxes are used while comparing assertions for query containment. To simplify the query containment problem, a list of cacheable "templates" (defined below) is specified at configuration time. A query is cached or answered only if it belongs to one of these templates. The entries corresponding to cached queries are stored in the proxy cache local database while its associated meta information (filter, scope, base, attributes) is stored in main memory.</P>
 <P>A template is a prototype for generating LDAP search requests. Templates are described by a prototype search filter and a list of attributes which are required in queries generated from the template. The representation for prototype filter is similar to RFC 2254, except that the assertion values are missing. Examples of prototype filters are: (sn=),(&(sn=)(givenname=)) which are instantiated by search filters (sn=Doe) and (&(sn=Doe)(givenname=John)) respectively.</P>
 <P>The cache replacement policy removes the least recently used (LRU) query and entries belonging to only that query. Queries are allowed a maximum time to live (TTL) in the cache thus providing weak consistency. A background task periodically checks the cache for expired queries and removes them.</P>
 <P>The Proxy Cache paper (<A HREF="http://www.openldap.org/pub/kapurva/proxycaching.pdf">http://www.openldap.org/pub/kapurva/proxycaching.pdf</A>) provides design and implementation details.</P>
-<H2><A NAME="Proxy Cache Configuration">15.2. Proxy Cache Configuration</A></H2>
+<H2><A NAME="Proxy Cache Configuration">16.2. Proxy Cache Configuration</A></H2>
 <P>The cache configuration specific directives described below must appear after a <TT>overlay proxycache</TT> directive within a <TT>"database meta"</TT> or <TT>database ldap</TT> section of the server's <EM>slapd.conf</EM>(5) file.</P>
-<H3><A NAME="Setting cache parameters">15.2.1. Setting cache parameters</A></H3>
+<H3><A NAME="Setting cache parameters">16.2.1. Setting cache parameters</A></H3>
 <PRE>
  proxyCache <DB> <maxentries> <nattrsets> <entrylimit> <period>
 </PRE>
 <P>This directive enables proxy caching and sets general cache parameters. The <DB> parameter specifies which underlying database is to be used to hold cached entries.  It should be set to <TT>bdb</TT>, <TT>hdb</TT>, or <TT>ldbm</TT>.  The <maxentries> parameter specifies the total number of entries which may be held in the cache.  The <nattrsets> parameter specifies the total number of attribute sets (as specified by the <TT>proxyAttrSet</TT> directive) that may be defined. The <entrylimit> parameter specifies the maximum number of entries in a cachable query.  The <period> specifies the consistency check period (in seconds).  In each period, queries with expired TTLs are removed.</P>
-<H3><A NAME="Defining attribute sets">15.2.2. Defining attribute sets</A></H3>
+<H3><A NAME="Defining attribute sets">16.2.2. Defining attribute sets</A></H3>
 <PRE>
  proxyAttrset <index> <attrs...>
 </PRE>
-<P>Used to associate a set of attributes to an index. Each attribute set is associated with an index number from 0 to <numattrsets>-1. These indices are used by the addtemplate directive to define cacheable templates.</P>
-<H3><A NAME="Specifying cacheable templates">15.2.3. Specifying cacheable templates</A></H3>
+<P>Used to associate a set of attributes to an index. Each attribute set is associated with an index number from 0 to <numattrsets>-1. These indices are used by the proxyTemplate directive to define cacheable templates.</P>
+<H3><A NAME="Specifying cacheable templates">16.2.3. Specifying cacheable templates</A></H3>
 <PRE>
  proxyTemplate <prototype_string> <attrset_index> <TTL>
 </PRE>
 <P>Specifies a cacheable template and the "time to live" (in sec) <TTL> for queries belonging to the template. A template is described by its prototype filter string and set of required attributes identified by <attrset_index>.</P>
-<H3><A NAME="Example">15.2.4. Example</A></H3>
+<H3><A NAME="Example">16.2.4. Example</A></H3>
 <P>An example <EM>slapd.conf</EM>(5) database section for a caching server which proxies for the <TT>"dc=example,dc=com"</TT> subtree held at server <TT>ldap.example.com</TT>.</P>
 <PRE>
         database        ldap
         suffix          "dc=example,dc=com"
+        rootdn          "dc=example,dc=com"
         uri             ldap://ldap.example.com/dc=example%2cdc=com
         overlay proxycache
         proxycache    bdb 100000 1 1000 100
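Review bot: the added 15.3.3 paragraph writes the cookie placeholders as raw `<csn>` and `<rid>` inside `<EM>` (and the new proxyAttrset paragraph has a raw `<numattrsets>`), so an HTML renderer treats them as unknown tags and drops them, leaving the reader with `csn=` and `rid=` and no placeholder. They need to be entity-escaped as `&lt;csn&gt;` and `&lt;rid&gt;`; since guide.html is imported verbatim from the upstream 2.3.27 release, that is either a fix to report upstream or a sed pass to apply at import time. The same hunk adds `rootdn "dc=example,dc=com"` to the proxy-cache example with no `rootpw`, which is acceptable (no simple bind to that DN is possible without one) but the example text does not say why the rootdn is needed, and a sentence there would stop admins from adding a rootpw to "complete" the example.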
@@ -3165,6 +4364,24 @@
         index       objectClass eq
         index       cn,sn,uid,mail  pres,eq,sub
 </PRE>
+<H4><A NAME="Cacheable Queries">16.2.4.1. Cacheable Queries</A></H4>
+<P>A LDAP search query is cacheable when its filter matches one of the templates as defined in the "proxyTemplate" statements and when it references only the attributes specified in the corresponding attribute set. In the example above the attribute set number 0 defines that only the attributes: <TT>mail postaladdress telephonenumber</TT> are cached for the following proxyTemplates.</P>
+<H4><A NAME="Examples:">16.2.4.2. Examples:</A></H4>
+<PRE>
+        Filter: (&(sn=Richard*)(givenName=jack))
+        Attrs: mail telephoneNumber
+</PRE>
+<P>is cacheable, because it matches the template <TT>(&(sn=)(givenName=))</TT> and its attributes are contained in proxyAttrset 0.</P>
+<PRE>
+        Filter: (&(sn=Richard*)(telephoneNumber))
+        Attrs: givenName
+</PRE>
+<P>is not cacheable, because the filter does not match the template, nor is the attribute givenName stored in the cache</P>
+<PRE>
+        Filter: (|(sn=Richard*)(givenName=jack))
+        Attrs: mail telephoneNumber
+</PRE>
+<P>is not cacheable, because the filter does not match the template ( logical OR "|" condition instead of logical AND "&" )</P>
 <P></P>
 <HR>
 <H1><A NAME="Generic configure Instructions">A. Generic configure Instructions</A></H1>
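Review bot: the second worked example under 16.2.4.2 uses the filter `(&(sn=Richard*)(telephoneNumber))`, which is not valid RFC 2254 filter syntax; a presence test is written `(telephoneNumber=*)`. As written the example does not exercise the template rule at all, because slapd would reject the search as malformed before the cache saw it. Suggest `(&(sn=Richard*)(telephoneNumber=*))`, so the "not cacheable" verdict rests on the template mismatch and the uncached `givenName` attribute exactly as the prose says. Minor: "A LDAP search query" should read "An LDAP search query", and the sentence after that example has no terminating period.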
@@ -3357,7 +4574,7 @@
 <HR>
 <H1><A NAME="OpenLDAP Software Copyright Notices">B. OpenLDAP Software Copyright Notices</A></H1>
 <H2><A NAME="OpenLDAP Copyright Notice">B.1. OpenLDAP Copyright Notice</A></H2>
-<P>Copyright 1998-2003 The OpenLDAP Foundation.<BR><EM>All rights reserved.</EM></P>
+<P>Copyright 1998-2005 The OpenLDAP Foundation.<BR><EM>All rights reserved.</EM></P>
 <P>Redistribution and use in source and binary forms, with or without modification, are permitted <EM>only as authorized</EM> by the <A HREF="#OpenLDAP Public License">OpenLDAP Public License</A>.</P>
 <P>A copy of this license is available in file <TT>LICENSE</TT> in the top-level directory of the distribution or, alternatively, at <<A HREF="http://www.OpenLDAP.org/license.html">http://www.OpenLDAP.org/license.html</A>>.</P>
 <P>OpenLDAP is a registered trademark of the OpenLDAP Foundation.</P>
@@ -3366,9 +4583,9 @@
 <P>This work also contains materials derived from public sources.</P>
 <P>Additional information about OpenLDAP software can be obtained at <<A HREF="http://www.OpenLDAP.org/">http://www.OpenLDAP.org/</A>>.</P>
 <H2><A NAME="Additional Copyright Notice">B.2. Additional Copyright Notice</A></H2>
-<P>Portions Copyright 1998-2003 Kurt D. Zeilenga.<BR>Portions Copyright 1998-2003 Net Boolean Incorporated.<BR>Portions Copyright 2001-2003 IBM Corporation.<BR><EM>All rights reserved.</EM></P>
+<P>Portions Copyright 1998-2005 Kurt D. Zeilenga.<BR>Portions Copyright 1998-2005 Net Boolean Incorporated.<BR>Portions Copyright 2001-2005 IBM Corporation.<BR><EM>All rights reserved.</EM></P>
 <P>Redistribution and use in source and binary forms, with or without modification, are permitted only as authorized by the <A HREF="#OpenLDAP Public License">OpenLDAP Public License</A>.</P>
-<P>Portions Copyright 1999-2003 Howard Y.H. Chu.<BR>Portions Copyright 1999-2003 Symas Corporation.<BR>Portions Copyright 1998-2003 Hallvard B. Furuseth.<BR><EM>All rights reserved.</EM></P>
+<P>Portions Copyright 1999-2005 Howard Y.H. Chu.<BR>Portions Copyright 1999-2005 Symas Corporation.<BR>Portions Copyright 1998-2003 Hallvard B. Furuseth.<BR><EM>All rights reserved.</EM></P>
 <P>Redistribution and use in source and binary forms, with or without modification, are permitted provided that this notice is preserved. The names of the copyright holders may not be used to endorse or promote products derived from this software without their specific prior written permission.  This software is provided ``as is'' without express or implied warranty.</P>
 <H2><A NAME="University of Michigan Copyright Notice">B.3. University of Michigan Copyright Notice</A></H2>
 <P>Portions Copyright 1992-1996 Regents of the University of Michigan.<BR><EM>All rights reserved.</EM></P>
@@ -3378,7 +4595,7 @@
 <H1><A NAME="OpenLDAP Public License">C. OpenLDAP Public License</A></H1>
 <PRE>
 The OpenLDAP Public License
-  Version 2.8.1, 25 November 2003
+  Version 2.8, 17 August 2003
 
 Redistribution and use of this software and associated documentation
 ("Software"), with or without modification, are permitted provided
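Review bot: this hunk moves the reproduced license text backwards, from "Version 2.8.1, 25 November 2003" to "Version 2.8, 17 August 2003", while every other hunk moves the guide forward to the 2.3.27 release. Compare it against the LICENSE file in openldap-2.3.27.tgz (Source0 in the spec) before importing: the appendix should match what the package ships under `License: OpenLDAP`, and if the upstream-generated guide is simply stale here, a line in the changelog saying so will keep anyone from reading the appendix as a license change.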
@@ -3422,7 +4639,7 @@
 OpenLDAP is a registered trademark of the OpenLDAP Foundation.
 
 Copyright 1999-2003 The OpenLDAP Foundation, Redwood City,
-California, USA.  All rights reserved.  Permission to copy and
+California, USA.  All Rights Reserved.  Permission to copy and
 distribute verbatim copies of this document is granted.
 </PRE>
 </DIV>
@@ -3434,7 +4651,7 @@
 <P>
 <FONT COLOR="#808080" FACE="Arial,Verdana,Helvetica" SIZE="1"><B>
 ________________<BR>
-<SMALL>© Copyright 2004, <A HREF="http://www.OpenLDAP.org/foundation/">OpenLDAP Foundation</A>, <A HREF="mailto:info at OpenLDAP.org">info at OpenLDAP.org</A></SMALL></B></FONT>
+<SMALL>© Copyright 2005, <A HREF="http://www.OpenLDAP.org/foundation/">OpenLDAP Foundation</A>, <A HREF="mailto:info at OpenLDAP.org">info at OpenLDAP.org</A></SMALL></B></FONT>
 
 </DIV>
 


Index: ldap.init
===================================================================
RCS file: /cvs/dist/rpms/openldap/devel/ldap.init,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- ldap.init	13 Feb 2006 16:11:17 -0000	1.18
+++ ldap.init	22 Sep 2006 18:32:00 -0000	1.19
@@ -97,7 +97,7 @@
 	# Unaccessible database files.
 	slaptestflags=
 	for dbdir in `LANG=C egrep '^directory[[:space:]]+[[:print:]]+$' /etc/openldap/slapd.conf | sed s,^directory,,` ; do
-		for file in `find ${dbdir}/ -not -uid $ldapuid -and \( -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" \)` ; do
+		for file in `find ${dbdir}/ -not -uid $ldapuid -and \( -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" \)` ; do
 			echo -n $"$file is not owned by \"$user\"" ; warning ; echo
 		done
 		if ! test -s ${dbdir}/id2entry.dbb ; then
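Review bot: the ownership loop still only warns; it prints `$file is not owned by "$user"` and carries on, so adding `__db.*` widens the report but does not perform the cleanup that the bz#199322 title asks for. Either chown the offending files here (they all live under `${dbdir}`, which the script already takes on trust from slapd.conf) or say in the message what the administrator is expected to run. Also, `for file in \`find ...\`` word-splits find's output, so a database directory or file name containing whitespace is reported as several bogus paths; `find ... -exec` or a `while read` loop over the output avoids that.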
@@ -121,7 +121,7 @@
 		fi
 	done
 	# Check the configuration file.
-	if ! action $"Checking configuration files for $prog: " /sbin/runuser -m -s "$slaptest" -- "$user" "$slaptestflags"; then
+	if ! action $"Checking configuration files for $prog: " /sbin/runuser -m -s "$slaptest" -- "$user" $slaptestflags; then
 		if /sbin/runuser -m -s "$slaptest" -- "$user" "-u" > /dev/null 2> /dev/null ; then
 			dirs=`LANG=C egrep '^directory[[:space:]]+[[:print:]]+$' /etc/openldap/slapd.conf | awk '{print $2}'`
 			for directory in $dirs ; do
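Review bot: dropping the quotes is the right fix for the failing case: with `slaptestflags=` still empty, `"$slaptestflags"` handed slaptest a literal empty argument, which is what bz#204593 reports, and the variable is a whitespace-separated list of flags, so it has to be split. A one-line comment at the `slaptestflags=` assignment in the earlier hunk saying the expansion is intentionally unquoted will stop the next cleanup pass from re-quoting it. Note that the fallback `runuser ... "-u"` on the next line still discards both stdout and stderr, so when the configuration check does fail, this path gives the administrator no hint why.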


Index: openldap.spec
===================================================================
RCS file: /cvs/dist/rpms/openldap/devel/openldap.spec,v
retrieving revision 1.58
retrieving revision 1.59
diff -u -r1.58 -r1.59
--- openldap.spec	28 Aug 2006 20:51:47 -0000	1.58
+++ openldap.spec	22 Sep 2006 18:32:00 -0000	1.59
@@ -13,7 +13,7 @@
 Summary: The configuration files, libraries, and documentation for OpenLDAP.
 Name: openldap
 Version: %{version_23}
-Release: 2
+Release: 3
 License: OpenLDAP
 Group: System Environment/Daemons
 Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version_23}.tgz
@@ -353,6 +353,7 @@
 	--enable-plugins \
 	--enable-slapd \
 	--enable-slurpd \
+	--enable-multimaster \
 	--enable-bdb \
 	--enable-hdb \
 	--enable-ldap \
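Review bot: `--enable-multimaster` is a build-time switch (it defines the SLAPD_MULTIMASTER symbol named in bz#185821), so it changes how every slapd built from this spec handles writes arriving at a replica, not only for the reporter who asked for it, and there is no runtime option to turn it back off. The changelog entry only names the bug. Spell out the behavioural change in the changelog or in a short README shipped with the package, so administrators running ordinary master/slave slurpd setups know what they are now running.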
@@ -691,6 +692,18 @@
 %attr(0644,root,root)      %{evolution_connector_libdir}/*.a
 
 %changelog
+* Mon Sep 18 2006 Jay Fenlason <fenlason at redhat.com> 2.3.27-3
+- Include --enable-multimaster to close
+  bz#185821: adding slapd_multimaster to the configure options
+- Upgade guide.html to the correct one for openladp-2.3.27, closing
+  bz#190383: openldap 2.3 packages contain the administrator's guide for 2.2
+- Remove the quotes from around the slaptestflags in ldap.init
+  This closes one part of
+  bz#204593: service ldap fails after having added entries to ldap
+- include __db.* in the list of files to check ownership of in
+  ldap.init, as suggested in
+  bz#199322: RFE: perform cleanup in ldap.init
+
 * Fri Aug 25 2006 Jay Fenlason <fenlason at redhat.com> 2.3.27-2
 - New upstream release
 - Include the gethostbyname_r patch so that nss_ldap won't hang
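Review bot: two typos in the new changelog entry: "Upgade" should be "Upgrade" and "openladp-2.3.27" should be "openldap-2.3.27". The same text is the CVS log message, so fix it in both places before it lands in the built package's `rpm -q --changelog` output. Also, the entry is dated Mon Sep 18 2006 while the commit is 22 Sep 2006; harmless, but keep changelog dates in step with the commits so the next entry sorts after it.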



