The Global Section




Directives in the global section apply to every backend and database section that follows, unless a backend or database section redefines them. The global section covers the following:

  • Access control information

  • Schema information

  • Log information

  • Resource limitations

  • Referrals

Access Control Information

Access control information describes who can do what with which data. Access directives are evaluated in the order they appear in the configuration file: the first directive whose <what> part matches the entry or attribute being accessed is selected, and within it the first matching by clause decides (the control stop, which is the default, ends evaluation there). The order of the directives therefore matters. Following is the syntax:

 access to <what> [ by <who> <accesslevel> <control> ]+ 

The defaultaccess directive sets the access granted to a request that matches no access directive at all:

 defaultaccess { none | compare | search | read | write } 

Its built-in default is read, so a server with no access directives lets every client, anonymous binds included, read every attribute. Do not rely on it; write explicit access directives instead.

Following is the syntax definition of an ACI list:

 <access directive> ::= access to <what>
     [by <who> <access> <control>]+
 <what> ::= * | [ dn[.<target style>]=<regex>]
     [filter=<ldapfilter>] [attrs=<attrlist>]
 <target style> ::= regex | base | one | subtree | children
 <attrlist> ::= <attr> | <attr> , <attrlist>
 <attr> ::= <attrname> | entry | children
 <who> ::= [* | anonymous | users | self |
     dn[.<subject style>]=<regex>]
     [dnattr=<attrname>]
     [group[/<objectclass>[/<attrname>][.<basic style>]]=<regex>]
     [peername[.<basic style>]=<regex>]
     [sockname[.<basic style>]=<regex>]
     [domain[.<basic style>]=<regex>]
     [sockurl[.<basic style>]=<regex>]
     [set=<setspec>]
     [aci=<attrname>]
 <subject style> ::= regex | exact | base | one | subtree | children
 <basic style> ::= regex | exact
 <access> ::= [self]{<level>|<priv>}
 <level> ::= none | auth | compare | search | read | write
 <priv> ::= {=|+|-}{w|r|s|c|x}+
 <control> ::= [stop | continue | break]
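A worked set of access directives, added here as an example and not taken from the book. It shows the permissive policy slapd enforces when no access directive is present beside a hardened one, and why the order of the directives matters. The suffix dc=example,dc=com and the attribute set are assumed.

```conf
# Added example, not from the book. Suffix dc=example,dc=com is assumed.

# WEAK: what slapd enforces when no access directive is configured at all.
# Anyone, anonymous binds included, can read every attribute, so password
# hashes can be harvested with a single search. Never leave it at this.
#
#   access to *
#       by * read

# HARDENED. Directives are tried in order and the first one whose "to"
# part matches the target is used, so the most specific targets come first.

# 1. userPassword: the owner may change it; everybody else may only use it
#    to authenticate ("auth" is what a simple bind needs). Nobody gets
#    read, so hashes never appear in search results.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 2. Users may maintain their own contact details; other authenticated
#    users may read them; anonymous clients get nothing.
access to attrs=mail,telephoneNumber
        by self write
        by users read
        by * none

# 3. Everything else under the suffix is readable after authentication only.
#    The rootdn is not subject to access directives and needs no clause.
#    If this directive were placed first it would match every attribute,
#    userPassword included, and directives 1 and 2 would never be reached.
access to dn.subtree="dc=example,dc=com"
        by users read
        by * none

# Applications that first look up a user's DN with an anonymous search and
# then bind as that user need search access for the lookup. Grant it
# narrowly, on the attributes the lookup uses, instead of reopening the
# whole tree to anonymous clients.
```

A quick check after a restart: an anonymous ldapsearch -x against the server should return no entries at all, and a search bound as an ordinary user should return entries in which the userPassword attribute never appears.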

Schema Information

Schema information can be placed directly in the configuration file with the objectclass and attributetype directives:

 objectclass <RFC 2252 compliant object class definition> 
 attributetype <RFC 2252 compliant attribute type definition> 

These definitions are usually kept in separate schema files and pulled into the configuration with the include directive. This is the preferred method, because it keeps the configuration file shorter and clearer. The syntax of the include directive is:

 include <filename> 

Log Information

The next step is to configure logging. OpenLDAP logs through syslog, which is standard on UNIX systems; consult the syslog documentation if you need more information. The loglevel directive controls how much detail slapd sends to syslog. Its value is a bit mask: add the values of the categories you want, for example 256 + 128 = 384 for statistics plus access control processing. The syntax is:

 loglevel <integer> 

Following is a list of log level values and what they mean:

 Level   Description
 -1      Enable all debugging
 0       No debugging
 1       Trace function calls
 2       Debug packet handling
 4       Heavy trace debugging
 8       Connection management
 16      Print out packets sent and received
 32      Search filter processing
 64      Configuration file processing
 128     Access control list processing
 256     Stats log connections/operations/results
 512     Stats log entries sent
 1024    Print communication with shell backends
 2048    Print entry parsing debugging

Resource Limitations

Resource limitations prevent a single client from monopolizing the service. Several limits can be imposed to enforce correct use of the directory by clients.

An idle connection to a client is closed automatically after the given number of seconds; 0, the default, disables the timeout:

 idletimeout <number of seconds> 

The maximal number of entries a single search returns (default 500). When it is exceeded, the client receives the entries found so far and a result code indicating that the size limit has been exceeded:

 sizelimit <number of entries> 

The maximal time in seconds the server spends on one request (default 3600). After this limit the client receives a result code indicating that the time limit has been exceeded:

 timelimit <number of seconds> 

A client may request smaller limits than these in its search request, but not larger ones; the rootdn is exempt from them.

Referrals

Referrals were covered in the referrals section of Chapter 3. The global referral directive supplies the superior knowledge reference: it tells the client whom to ask when the request concerns a part of the tree this server does not hold. Clients that chase referrals automatically rebind against the referred-to server, possibly with the same credentials, so point it only at a server you control or trust. The syntax is:

 referral <ldapurl> 
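The directives of the schema, log, resource limit and referral sections combined into one global section of slapd.conf, added here as an example that is not from the book. The schema file paths, the private OID arc 1.3.6.1.4.1.99999, the referral host ldap.example.com and the suffix are assumed values.

```conf
# Added example, not from the book. Everything above the first "database"
# line is the global section and applies to all backends and databases.

# --- Schema -----------------------------------------------------------------
# Prefer include over inline definitions. core.schema must come first; the
# other files use attribute types it defines. (Paths are assumed.)
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

# Inline definitions are still possible and must follow the includes they
# build on. The OID arc 1.3.6.1.4.1.99999 is a placeholder; use your own.
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleBadgeNumber'
        DESC 'Employee badge number'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'examplePerson'
        DESC 'inetOrgPerson with a badge number'
        SUP inetOrgPerson STRUCTURAL
        MAY exampleBadgeNumber )

# --- Logging ----------------------------------------------------------------
# loglevel is a bit mask; add the table values you want. 256 (connections,
# operations and results) is the usual production setting. Do not leave
# -1 or 16 on in production: packet dumps land in syslog and contain the
# cleartext password of every simple bind. For ACL troubleshooting switch
# to 256 + 128 = 384 temporarily.
loglevel        256

# --- Resource limits --------------------------------------------------------
# Defaults: idletimeout 0 (never close idle connections), sizelimit 500
# entries, timelimit 3600 seconds. Clients may request lower limits but
# not higher ones; the rootdn is not subject to them.
# idle connections closed after 300 seconds
idletimeout     300
# at most 200 entries per search
sizelimit       200
# at most 60 seconds per operation
timelimit       60

# --- Referrals --------------------------------------------------------------
# Superior knowledge: requests for anything outside this server's naming
# contexts are answered with a referral to the parent server.
referral        ldap://ldap.example.com/

# Global access directives go here too, before the first database section,
# so that they apply to every database.

# --- First database section: the global section ends here -------------------
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
```

Comments in slapd.conf must be on their own lines; a pound sign after a directive's value is read as part of the value, which is why every comment above precedes the directive it describes.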






The ABCs of LDAP: How to Install, Run, and Administer LDAP Services
ISBN: 0849313465
Year: 2003
Pages: 149