LDAP System Administration

Home > Other > LDAP System Administration > Page 32
LDAP System Administration Page 32

by Gerald Carter


  Table B-1. OpenLDAP logging levels

  Level

  Information recorded

  -1

  All logging information

  0

  No logging information

  1

  Trace function calls

  2

  Packet-handling debugging information

  4

  Heavy trace debugging

  8

  Connection management

  16

  Packets sent and received

  32

  Search filter processing

  64

  Configuration file processing

  128

  Access control list processing

  256

  Statistics for connection, operations, and results

  512

  Statistics for results returned to clients

  1024

  Communication with shell backends

  2048

  Entry-parsing debugging information

  Slap Tools

  The collection of slap tools included with OpenLDAP are provided to import and export data directly from the DB files used for supporting an OpenLDAP server.

  slapadd(8c)

  This tool reads LDIF entries from a file or standard input and writes the new records to a slapd database (see Table B-2).

  Table B-2. Summary of slapadd command-line arguments

  Option

  Description

  -c

  Continues processing input in the event of errors.

  -b suffix-n integer

  Specify which database in the configuration file to use by the directory's suffix (-b) or by its location (-n) in the slapd.conf file (the first database listed is numbered 0). These options are mutually exclusive.

  -d integer

  Specifies which debugging information to log. See the loglevel parameter in slapd.conf for a listing of log levels.

  -f filename

  Specifies which configuration file to read.

  -l filename

  Specifies the LDIF file to use for input. In the absence of this option, slapadd reads data from standard input.

  -v

  Enables verbose mode.

  slapcat(8c)

  This tool reads records from a slapd database and writes them to a file or standard output (see Table B-3).

  Table B-3. Summary of slapcat command-line arguments

  Option

  Description

  -c

  Continues processing input in the event of errors.

  -b suffix-n integer

  Specify which database in the configuration file to use by the directory's suffix (-b) or by its location (-n) in the slapd.conf file (the first database listed is numbered 0). These options are mutually exclusive.

  -d integer

  Specifies which debugging information to log. See the loglevel parameter in slapd.conf for a listing of log levels.

  -f filename

  Specifies which configuration file to read.

  -l filename

  Specifies the name of the file to which the LDIF entries should be written. In the absence of this option, slapcat writes data to standard output.

  -v

  Enables verbose mode.

  slapindex(8c)

  This tool regenerates the indexes in a slapd database (see Table B-4).

  Table B-4. Summary of slapindex command-line arguments

  Option

  Description

  -c

  Continues processing input in the event of errors.

  -b suffix-n integer

  Specify which database in the configuration file to use by the directory's suffix (-b) or by its location (-n) in the slapd.conf file (the first database listed is numbered 0). These options are mutually exclusive.

  -d integer

  Specifies which debugging information to log. See the loglevel parameter in slapd.conf for a listing of log levels.

  -f filename

  Specifies which configuration file to read.

  -v

  Enables verbose mode.

  slappasswd(8c)

  This tool generates a password hash suitable for use as an Lq in slapd.conf (see Table B-5).

  Table B-5. Summary of slappasswd command-line arguments

  Option

  Description

  -c crypt-salt-format

  Defines the format of the salt used when invoking the crypt( ) function to generate a password suitable for use with {CRYPT}. The string must be in the snprintf( ) format and must contain a single %s conversion.

  -h hash

  Defines the hash algorithm to use. Possible values are {CRYPT}, {MD5}, {SMD5}, {SSHA}, and {SHA}. The default is {SSHA}.

  -s secret

  Specifies the password to hash.

  -u

  Instructs slappasswd to generate password syntaxes for the userPassword attribute (the default) and is included for forward compatibility. No other syntaxes are currently supported.

  -v

  Enables verbose mode.

  LDAP Tools

  OpenLDAP's set of LDAP client tools can be used to communicate with any LDAPv3 server (see Table B-6).

  Table B-6. Command-line options common to ldapsearch, ldapcompare, ldapadd, ldapdelete, ldapmodify, and ldapmodrdn

  Option

  Description

  -d integer

  Specifies what debugging information to log. See the loglevel slapd.conf parameter for a listing of log levels.

  -D binddn

  Specifies the DN to use for binding to the LDAP server.

  -e [!]ctrl[=ctrlparam]

  Defines an LDAP control to be used on the current operation. See also the -M option for the manageDSAit control.

  -f filename

  Specifies the file containing the LDIF entries to be used in the operations.

  -H URI

  Defines the LDAP URI to be used in the connection request.

  -I

  Enables the SASL "interactive" mode. By default, the client prompts for information only when necessary.

  -k

  Enables Kerberos 4 authentication.

  -K

  Enables only the first step of the Kerberos 4 bind for authentication.

  -M-MM

  Enable the Manager DSA IT control. This option is necessary when modifying an entry that is a referral or an alias. -MM requires that the Manager DSA IT control be supported by the server.

  -n

  Does not perform the search; just displays what would be done.

  -O security_properties

  Defines the SASL security properties for authentication. See previous information on the sasl-secprops parameter in slapd.conf.

  -P [2|3]

  Defines which protocol version to use in the connection (Version 2 or 3). The default is LDAP v3.

  -Q

  Suppresses SASL-related messages such as how the authentication mechanism is used, username, and realm.

  -R sasl_realm

  Defines the realm to be used by the SASL authentication mechanism.

  -U username

  Defines the username to be used by the SASL authentication mechanism.

  -v

  Enables verbose mode.

  -w password

  Specifies the password to be used for authentication.

  -W

  Instructs the client to prompt for the password.

  -x

  Enables simple authentication. The default is to use SASL authentication.

  -X id

  Defines the SASL authorization identity. The identity has the form dn:dn oru:user. The default is to use the same authorization identity that the user authenticated.

  -y passwdfile

  Instructs the ldap tool to read the password for a simple bind from the given filename.

  -Y sasl_mechanism

  Tells the client which SASL mechanism should be used. The bind request will fail if the server does not support the chosen mechanism.


  -Z-ZZ

  Issue a StartTLS request. Use of -ZZ makes the support of this request mandatory for a successful connection.

  ldapadd(1), ldapmodify(1)

  These tools send updates to directory servers (see Table B-7).

  Table B-7. ldapadd/ldapmodify options

  Option

  Description

  -a

  Adds entries. This option is the default for ldapadd.

  -r

  Replaces (or modifies) entries and values. This is the default for ldapmodify.

  -F

  Forces all change records to be used from the input.

  ldapcompare(1)

  This tool asks a directory server to compare two values:

  ldapcompare [options] DN .

  There are no additional command-line flags for this tool.

  ldapdelete(1)

  This tool deletes entries from an LDAP directory (see Table B-8).

  Table B-8. ldapdelete [option] DN

  Option

  Description

  -r

  Deletes the subtree whose root is designated by DN. The delete is not performed atomically.

  ldapmodrdn(1)

  This tool changes the RDN of an entry in an LDAP directory (see Table B-9).

  Table B-9. ldapmodrdn [options] [dn rdn]

  Option

  Description

  -c

  Instructs ldapmodrdn to continue if errors occur. By default, it terminates if there is an error.

  -r

  Removes the old RDN value. The default behavior is to add another value of the RDN and leave the old value intact. The default behavior makes it easier to modify a directory without leaving orphaned entries.

  -s new_superior_node

  Defines the new superior, or parent, entry under which the renamed entry should be located.

  ldappasswd(1)

  This tool changes the password stored in a directory entry (see Table B-10).

  Table B-10. ldappasswd [options] [user]

  Option

  Description

  -a secret

  The old password value

  -A

  Prompt for the old password

  -s new_secret

  The new password value

  -S

  Prompt for the new password

  ldapsearch(1)

  This tool issues LDAP search queries to directory servers (see Table B-11).

  Table B-11. ldapsearch [options] [filter [attributes...]]

  Option

  Description

  -a [never|always|search|find]

  Specifies how to handle aliases when they are located during a search. Possible values include never (default), always, search, or find.

  -A

  For any entries found, returns the attribute names, but not their values.

  -b basedn

  Defines the base DN for the directory search.

  -F prefix

  Defines the URL prefix for filenames. The default is to use the value stored in $LDAP_FILE_URI_PREFIX.

  -l limit

  Defines a time limit (in seconds) for the server in the search.

  -L-LL-LLL

  Print the resulting output in LDIF v1 format. -LL causes the result to be printed in LDIF format without comments. -LLL prints the resulting output in LDIF format without comments and without version information.

  -s [sub|base|one]

  Defines the scope of the search to be base, one, or sub (the default).

  -S attribute

  Causes the ldapsearch client to sort the results by the value of attribute.

  -t-tt

  Write binary values to files in a temporary directory defined by the -T option. -tt specifies that all values should be written to files in a temporary directory defined by the -T option.

  -T directory

  Defines the directory used to store the resulting output files. The default is the directory specified by $LDAP_TMPDIR.

  -u

  Includes user-friendly entry names in the output.

  -z limit

  Specifies the maximum number of entries to return.

  Appendix C. Common Attributes and Objects

  This appendix is provided as a quick reference for schema items used throughout this book. It is by no means a complete set of attributes and object classes that you may encounter in the wild. The schema items not listed here should not be assumed to be less important or less commonly used. These are just the primary ones I have focused on in the examples.

  Schema Files

  Table C-1 tells you where you can find schema files.

  Table C-1. Where to find schema files

  Software

  Schema files included

  Bind 9 (schema file located at http://www.venaas.no/ldap/bind-sdb/)

  dnszone.schema

  LDAP System Administration (http://www.oreilly.com/catalog/ldapsa/)

  idpool.schema

  printer.schema

  OpenLDAP (http://www.openldap.org/)

  core.schema

  corba.schema

  cosine.schema

  inetorgperson.schema

  java.schema

  misc.schema

  nis.schema

  openldap.schema

  Samba (http://www.samba.org/)

  samba.schema

  Sendmail (http://www.sendmail.org/)

  sendmail.schema

  FreeRadius (http://www.freeradius.org)

  RADIUS-LDAPv3.schema

  Attributes

  Table C-2 outlines some common attributes presented in this book.

  Table C-2. Common attributes presented in this book

  Name

  Single value

  Description

  cn

  Common name of entity

  dc

  Single domain component of an FQDN

  displayName

  ✓

  Preferred name to use when displaying entry

  gidNumber

  ✓

  Numeric Unix group ID

  givenName

  First name by which an entity is known

  mail

  Email address represented as an RFC 822 mailbox

  ou

  organizationalUnit to which this entry belongs

  sn

  Last name by which an entity is known

  telephoneNumber

  Telephone number (supports international dialing format)

  uid

  Login name for a user account

  uidNumber

  ✓

  Numeric Unix user ID

  userPassword

  Password asssociated with an entry

  Object Classes

  This section describes some object classes presented in this book.

  Name

  account — (cosine.schema)

  Type

  STRUCTURAL

  Parent

  top

  Attributes

  Mandatory: uid

  Optional: description, seeAlso, localityName, organizationName, organizationalUnitName, host

  Name

  dcObject — (core.schema)

  Type

  AUXILIARY

  Parent

  top

  Attributes

  Mandatory: dc

  Optional: None

  Name

  dNSZone — (dnszone.schema)

  Type

  STRUCTURAL

  Parent

  top

  Attributes

  Mandatory: zoneName, relativeDomainName

  Optional: DNSTTL, DNSClass, ARecord, MDRecord, MXRecord, NSRecord, SOARecord, CNAMERecord, PTRRecord, HINFORecord, MINFORecord, TXTRecord, SIGRecord, KEYRecord, AAAARecord, LOCRecord, NXTRecord, SRVRecord, NAPTRRecord, KXRecord, CERTRecord, A6Record, DNAMERecord

  Name

  gidPool — (idpool.schema)

  Type

  AUXILIARY

  Parent

  top


  Attributes

  Mandatory: gidNumber, cn

  Optional: None

  Name

  inetLocalMailReciptient — (misc.schema)

  Type

  AUXILIARY

  Parent

  top

  Attributes

  Mandatory: None

  Optional: mailLocalAddress, mailHost, mailRoutingAddress

 

‹ Prev