LDAP System Administration
Table B-1. OpenLDAP logging levels

Level   Information recorded
-1      All logging information
0       No logging information
1       Trace function calls
2       Packet-handling debugging information
4       Heavy trace debugging
8       Connection management
16      Packets sent and received
32      Search filter processing
64      Configuration file processing
128     Access control list processing
256     Statistics for connection, operations, and results
512     Statistics for results returned to clients
1024    Communication with shell backends
2048    Entry-parsing debugging information
Slap Tools
The collection of slap tools included with OpenLDAP is provided to import and export data directly to and from the database files that back a slapd server.
slapadd(8c)
This tool reads LDIF entries from a file or standard input and writes the new records to a slapd database (see Table B-2).
Table B-2. Summary of slapadd command-line arguments

Option                  Description
-c                      Continues processing input in the event of errors.
-b suffix, -n integer   Specify which database in the configuration file to use, by the directory's suffix (-b) or by its position (-n) in slapd.conf (the first database listed is numbered 0). These options are mutually exclusive.
-d integer              Specifies which debugging information to log. See the loglevel parameter in slapd.conf for a listing of log levels.
-f filename             Specifies which configuration file to read.
-l filename             Specifies the LDIF file to use for input. In the absence of this option, slapadd reads data from standard input.
-v                      Enables verbose mode.
slapcat(8c)
This tool reads records from a slapd database and writes them to a file or standard output (see Table B-3).
Table B-3. Summary of slapcat command-line arguments

Option                  Description
-c                      Continues processing input in the event of errors.
-b suffix, -n integer   Specify which database in the configuration file to use, by the directory's suffix (-b) or by its position (-n) in slapd.conf (the first database listed is numbered 0). These options are mutually exclusive.
-d integer              Specifies which debugging information to log. See the loglevel parameter in slapd.conf for a listing of log levels.
-f filename             Specifies which configuration file to read.
-l filename             Specifies the name of the file to which the LDIF entries should be written. In the absence of this option, slapcat writes data to standard output.
-v                      Enables verbose mode.
slapindex(8c)
This tool regenerates the indexes in a slapd database (see Table B-4).
Table B-4. Summary of slapindex command-line arguments

Option                  Description
-c                      Continues processing input in the event of errors.
-b suffix, -n integer   Specify which database in the configuration file to use, by the directory's suffix (-b) or by its position (-n) in slapd.conf (the first database listed is numbered 0). These options are mutually exclusive.
-d integer              Specifies which debugging information to log. See the loglevel parameter in slapd.conf for a listing of log levels.
-f filename             Specifies which configuration file to read.
-v                      Enables verbose mode.
slappasswd(8c)
This tool generates a password hash suitable for use as a rootpw value in slapd.conf (see Table B-5).

Table B-5. Summary of slappasswd command-line arguments

Option                  Description
-c crypt-salt-format    Defines the format of the salt used when invoking the crypt() function to generate a password suitable for use with {CRYPT}. The string must be in snprintf() format and must contain a single %s conversion.
-h hash                 Defines the hash algorithm to use. Possible values are {CRYPT}, {MD5}, {SMD5}, {SSHA}, and {SHA}. The default is {SSHA}.
-s secret               Specifies the password to hash.
-u                      Instructs slappasswd to generate password syntaxes for the userPassword attribute (the default); included for forward compatibility. No other syntaxes are currently supported.
-v                      Enables verbose mode.
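To see what a slappasswd value actually contains, here is an added Python example (not code from the book or from OpenLDAP) that builds the {SHA}, {SSHA}, {MD5} and {SMD5} layouts slappasswd emits, the digest of password plus salt followed by the salt, base64-encoded behind the scheme prefix, and verifies a candidate password against a stored value with a constant-time comparison. {CRYPT} is left out because it depends on the platform crypt(3) and the -c salt format; the 4-byte salt for the salted schemes is an assumption chosen to match the length of slappasswd's default output.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Scheme -> (digest constructor, salt length). Salted schemes store
# base64(digest(password + salt) + salt). Added example, not OpenLDAP's own code;
# the 4-byte salt is an assumption matching slappasswd's default output length.
SCHEMES = {
    "{SHA}": (hashlib.sha1, 0),
    "{SSHA}": (hashlib.sha1, 4),
    "{MD5}": (hashlib.md5, 0),
    "{SMD5}": (hashlib.md5, 4),
}


def hash_password(password: str, scheme: str = "{SSHA}", salt: Optional[bytes] = None) -> str:
    """Produce a userPassword/rootpw value in the layout slappasswd -h <scheme> emits."""
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme}")
    digest_fn, salt_len = SCHEMES[scheme]
    if salt is None:
        salt = os.urandom(salt_len)          # b"" for the unsalted schemes
    digest = digest_fn(password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {scheme}base64 value."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("value carries no {scheme} prefix")
    scheme = stored[: stored.index("}") + 1]
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme}")
    digest_fn, _ = SCHEMES[scheme]
    blob = base64.b64decode(stored[len(scheme):])
    size = digest_fn().digest_size
    digest, salt = blob[:size], blob[size:]  # salt is whatever follows the digest
    candidate = digest_fn(password.encode("utf-8") + salt).digest()
    # Constant-time compare so a mismatch position does not leak through timing.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = hash_password("secret")
    print(stored, verify_password("secret", stored), verify_password("wrong", stored))
```

The unsalted schemes give the same output for the same password every time, which is why two accounts sharing a password are visible to anyone who can read {SHA} or {MD5} values; the salted {SSHA} default avoids that.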
LDAP Tools
OpenLDAP's set of LDAP client tools can be used to communicate with any LDAPv3 server (see Table B-6).
Table B-6. Command-line options common to ldapsearch, ldapcompare, ldapadd, ldapdelete, ldapmodify, and ldapmodrdn

Option                    Description
-d integer                Specifies what debugging information to log. See the loglevel slapd.conf parameter for a listing of log levels.
-D binddn                 Specifies the DN to use for binding to the LDAP server.
-e [!]ctrl[=ctrlparam]    Defines an LDAP control to be used on the current operation. See also the -M option for the manageDSAit control.
-f filename               Specifies the file containing the LDIF entries to be used in the operations.
-H URI                    Defines the LDAP URI to be used in the connection request.
-I                        Enables the SASL "interactive" mode. By default, the client prompts for information only when necessary.
-k                        Enables Kerberos 4 authentication.
-K                        Enables only the first step of the Kerberos 4 bind for authentication.
-M, -MM                   Enable the Manager DSA IT control. This option is necessary when modifying an entry that is a referral or an alias. -MM requires that the Manager DSA IT control be supported by the server.
-n                        Does not perform the search; just displays what would be done.
-O security_properties    Defines the SASL security properties for authentication. See the earlier discussion of the sasl-secprops parameter in slapd.conf.
-P [2|3]                  Defines which protocol version to use in the connection (Version 2 or 3). The default is LDAP v3.
-Q                        Suppresses SASL-related messages such as the authentication mechanism used, username, and realm.
-R sasl_realm             Defines the realm to be used by the SASL authentication mechanism.
-U username               Defines the username to be used by the SASL authentication mechanism.
-v                        Enables verbose mode.
-w password               Specifies the password to be used for authentication.
-W                        Instructs the client to prompt for the password.
-x                        Enables simple authentication. The default is to use SASL authentication.
-X id                     Defines the SASL authorization identity. The identity has the form dn:<dn> or u:<user>. The default is to use the same identity the user authenticated as.
-y passwdfile             Instructs the ldap tool to read the password for a simple bind from the given file.
-Y sasl_mechanism         Tells the client which SASL mechanism should be used. The bind request will fail if the server does not support the chosen mechanism.
-Z, -ZZ                   Issue a StartTLS request. With -ZZ the StartTLS request must succeed for the connection to proceed.
ldapadd(1), ldapmodify(1)
These tools send updates to directory servers (see Table B-7).
Table B-7. ldapadd/ldapmodify options

Option    Description
-a        Adds entries. This option is the default for ldapadd.
-r        Replaces (or modifies) entries and values. This is the default for ldapmodify.
-F        Forces all change records to be used from the input.
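Both tools take their change records from LDIF (the -f file or standard input), and the -a / -r choice above corresponds to `changetype: add` versus `changetype: modify` with a `replace:` block in that LDIF. The following Python is an added example, not code from the book or from OpenLDAP: it writes those two record types, base64-encodes values that LDIF cannot carry verbatim (leading space, non-ASCII, binary; the RFC 2849 SAFE-STRING rule), and folds lines longer than 76 characters as the format requires. The sample DN and entry are constructed and use object classes listed in Appendix C.

```python
import base64
import re
from typing import Dict, List, Union

# RFC 2849 SAFE-STRING: ASCII only, no NUL/CR/LF, and no leading space, colon or '<'.
_SAFE_INIT = r"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]"
_SAFE_CHAR = r"[\x01-\x09\x0b\x0c\x0e-\x7f]"
_SAFE_STRING = re.compile(_SAFE_INIT + _SAFE_CHAR + "*")


def fold(line: str, width: int = 76) -> str:
    """Wrap a long LDIF line; continuation lines start with one space (RFC 2849)."""
    if len(line) <= width:
        return line
    pieces = [line[:width]]
    rest = line[width:]
    while rest:
        pieces.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(pieces)


def ldif_attr(name: str, value: Union[str, bytes]) -> str:
    """Render one attribute line, base64-encoding values LDIF cannot carry verbatim."""
    if isinstance(value, str) and _SAFE_STRING.fullmatch(value) and not value.endswith(" "):
        return fold(f"{name}: {value}")
    raw = value.encode("utf-8") if isinstance(value, str) else value
    return fold(f"{name}:: {base64.b64encode(raw).decode('ascii')}")


def add_record(dn: str, attrs: Dict[str, List[Union[str, bytes]]]) -> str:
    """Change record for ldapadd (or ldapmodify -a): the complete new entry."""
    lines = [ldif_attr("dn", dn), "changetype: add"]
    for name, values in attrs.items():
        lines.extend(ldif_attr(name, v) for v in values)
    return "\n".join(lines) + "\n"


def replace_record(dn: str, attr: str, values: List[Union[str, bytes]]) -> str:
    """Change record for ldapmodify (-r semantics): replace every value of one attribute."""
    lines = [ldif_attr("dn", dn), "changetype: modify", f"replace: {attr}"]
    lines.extend(ldif_attr(attr, v) for v in values)
    lines.append("-")
    return "\n".join(lines) + "\n"


# Constructed sample entry; the object classes are the ones listed in Appendix C.
SAMPLE_DN = "uid=jdoe,ou=People,dc=example,dc=com"
SAMPLE_ENTRY = {
    "objectClass": ["top", "account", "inetLocalMailRecipient"],
    "uid": ["jdoe"],
    "mailLocalAddress": ["jdoe@example.com"],
    "description": [" leading space forces base64"],
}

if __name__ == "__main__":
    print(add_record(SAMPLE_DN, SAMPLE_ENTRY))
    print(replace_record(SAMPLE_DN, "mailRoutingAddress", ["jdoe@mail.example.com"]))
```

Feeding the first record to ldapadd -f and the second to ldapmodify -f reproduces the -a and -r behaviours in the table; the base64 rule matters in practice because a value with a leading space or a UTF-8 name written as plain text is silently stored with the wrong bytes.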
ldapcompare(1)
This tool asks a directory server to compare two values:
ldapcompare [options] DN
There are no additional command-line flags for this tool.
ldapdelete(1)
This tool deletes entries from an LDAP directory (see Table B-8).
Table B-8. ldapdelete [options] DN

Option    Description
-r        Deletes the subtree whose root is designated by DN. The delete is not performed atomically.
ldapmodrdn(1)
This tool changes the RDN of an entry in an LDAP directory (see Table B-9).
Table B-9. ldapmodrdn [options] [dn rdn]

Option                  Description
-c                      Instructs ldapmodrdn to continue if errors occur. By default, it terminates if there is an error.
-r                      Removes the old RDN value. The default behavior is to add another value of the RDN and leave the old value intact. The default behavior makes it easier to modify a directory without leaving orphaned entries.
-s new_superior_node    Defines the new superior, or parent, entry under which the renamed entry should be located.
ldappasswd(1)
This tool changes the password stored in a directory entry (see Table B-10).
Table B-10. ldappasswd [options] [user]

Option          Description
-a secret       The old password value
-A              Prompt for the old password
-s new_secret   The new password value
-S              Prompt for the new password
ldapsearch(1)
This tool issues LDAP search queries to directory servers (see Table B-11).
Table B-11. ldapsearch [options] [filter [attributes...]]

Option                          Description
-a [never|always|search|find]   Specifies how to handle aliases when they are located during a search. Possible values are never (the default), always, search, or find.
-A                              For any entries found, returns the attribute names but not their values.
-b basedn                       Defines the base DN for the directory search.
-F prefix                       Defines the URL prefix for filenames. The default is to use the value stored in $LDAP_FILE_URI_PREFIX.
-l limit                        Defines a time limit (in seconds) for the server in the search.
-L, -LL, -LLL                   Print the resulting output in LDIF v1 format. -LL causes the result to be printed in LDIF format without comments. -LLL prints the resulting output in LDIF format without comments and without version information.
-s [sub|base|one]               Defines the scope of the search to be base, one, or sub (the default).
-S attribute                    Causes the ldapsearch client to sort the results by the value of attribute.
-t, -tt                         Write binary values to files in a temporary directory defined by the -T option. -tt specifies that all values should be written to files in that directory.
-T directory                    Defines the directory used to store the resulting output files. The default is the directory specified by $LDAP_TMPDIR.
-u                              Includes user-friendly entry names in the output.
-z limit                        Specifies the maximum number of entries to return.
Appendix C. Common Attributes and Objects
This appendix is provided as a quick reference for schema items used throughout this book. It is by no means a complete set of attributes and object classes that you may encounter in the wild. The schema items not listed here should not be assumed to be less important or less commonly used. These are just the primary ones I have focused on in the examples.
Schema Files
Table C-1 tells you where you can find schema files.
Table C-1. Where to find schema files

Software                                                              Schema files included
Bind 9 (schema file located at http://www.venaas.no/ldap/bind-sdb/)   dnszone.schema
LDAP System Administration (http://www.oreilly.com/catalog/ldapsa/)   idpool.schema, printer.schema
OpenLDAP (http://www.openldap.org/)                                   core.schema, corba.schema, cosine.schema, inetorgperson.schema, java.schema, misc.schema, nis.schema, openldap.schema
Samba (http://www.samba.org/)                                         samba.schema
Sendmail (http://www.sendmail.org/)                                   sendmail.schema
FreeRadius (http://www.freeradius.org)                                RADIUS-LDAPv3.schema
Attributes
Table C-2 outlines some common attributes presented in this book.
Table C-2. Common attributes presented in this book

Name              Single value   Description
cn                               Common name of entity
dc                               Single domain component of an FQDN
displayName       ✓              Preferred name to use when displaying entry
gidNumber         ✓              Numeric Unix group ID
givenName                        First name by which an entity is known
mail                             Email address represented as an RFC 822 mailbox
ou                               organizationalUnit to which this entry belongs
sn                               Last name by which an entity is known
telephoneNumber                  Telephone number (supports international dialing format)
uid                              Login name for a user account
uidNumber         ✓              Numeric Unix user ID
userPassword                     Password associated with an entry
Object Classes
This section describes some object classes presented in this book.
Name: account (cosine.schema)
Type: STRUCTURAL
Parent: top
Attributes:
  Mandatory: uid
  Optional: description, seeAlso, localityName, organizationName, organizationalUnitName, host

Name: dcObject (core.schema)
Type: AUXILIARY
Parent: top
Attributes:
  Mandatory: dc
  Optional: None

Name: dNSZone (dnszone.schema)
Type: STRUCTURAL
Parent: top
Attributes:
  Mandatory: zoneName, relativeDomainName
  Optional: DNSTTL, DNSClass, ARecord, MDRecord, MXRecord, NSRecord, SOARecord, CNAMERecord, PTRRecord, HINFORecord, MINFORecord, TXTRecord, SIGRecord, KEYRecord, AAAARecord, LOCRecord, NXTRecord, SRVRecord, NAPTRRecord, KXRecord, CERTRecord, A6Record, DNAMERecord

Name: gidPool (idpool.schema)
Type: AUXILIARY
Parent: top
Attributes:
  Mandatory: gidNumber, cn
  Optional: None

Name: inetLocalMailRecipient (misc.schema)
Type: AUXILIARY
Parent: top
Attributes:
  Mandatory: None
  Optional: mailLocalAddress, mailHost, mailRoutingAddress