Back-End and Database Sections

 < Day Day Up > 

First of all let us see the difference between back end and database. In Chapter 7, when we discussed the installation of the OpenLDAP server, we had to configure which back end we would like to use. There are different back ends available:

  • ldbm back end: Lightweight database management system

  • bdb back end: High-performance database management system

  • shell back end: User-supplied shell scripts

  • sql back end: User-supplied SQL scripts

  • perl back end: User-supplied Perl scripts

  • meta back end: Back end that forwards requests to another LDAP server

We will not describe the back ends here (have a look at the documentation delivered with OpenLDAP instead). If you have the compiled file in the back end, you can use it in your directory server. The database is a collection of files that holds the data. For example, assume you have five databases: three ldbm databases and two bdb databases. Therefore, you have two different back ends (ldbm and bdb) for five different databases. In other words, the database is the physical implementation of the back end.

You can configure the back ends and the databases separately. The definitions in the back ends hold for all databases of the back-end type, if not redefined in the database section. The configuration file therefore holds three different directives:

  1. Global directives valid for all back-end and database directives (if not redefined)

  2. Back-encl directives valid for all database directives (if not redefined)

  3. Database directives

The syntax of the back-end directive is:

 backend <backend type> <backend directives> 

The syntax of the database directive is:

 database < database type> < database directives> 

The database and back-end directives are described in detail in the documentation relative to the single back ends. I will mention only the some of them (see the documentation delivered with OpenLDAP to learn more about it). In Appendix F we will see the directives to configure replication, and Appendix G discusses the meta back end.

System administrator access is configured using the credentials rootdn and rootpw. The syntax is:

 rootdn <DN> rootpw <password> 

Note that the password should not appear in clear text. OpenLDAP delivers the utility "crypt" to encrypt the password. The system administrator is the only user not subject to the access limitations defined by the previous ACLs. In a running OpenLDAP directory server, you may comment-out these lines for security reasons and enable them if needed for administrative purposes. You could also choose to configure a separate LDAP administration server. You may also consider using SASL (Simple Authentication Security Layer); in this case the rootdn will refer to an SASL identity and the rootpw auditing becomes more difficult. See the SASL section delivered with OpenLDAP for more details.

A further important parameter is the base DN describing the root of the directory tree. The directory server can serve more directory trees. The syntax is:

 suffix <DN> 

You must specify which filesystem directory database lives in. The syntax is:

 directory <directory> 

for example:

 directory /usr/local/var/abc_ldap_org 

the mode directive indicates the mode in which the database files should be opened. I recommend allowing access to these files only to the owner of the ldap daemon process. The syntax is:

 mode <mode> 

for example:

 mode 0600 

The last directive I will show you is the directive to speed up access to the directory. You can define indexes to do so. The directive is:

 index {<attrlist> | default} [pres,eq,approx,sub,none] 

This directive instructs the back end to maintain an index for this attribute. The functionality of maintaining indexes depends on the back end. These indexes are used if comparisons are to be performed. Because you may perform different types of comparisons, you can specify for which type of comparison an index must be maintained. These types are:

  • pres: Presence; tests only if the attribute does exist

  • eq: Equality; tests if the attribute is equal to a given value

  • approx: Performs an approximate comparison (language dependent)

  • sub: Performs a substring match

  • none: No matching for this attribute (to exclude an attribute otherwise maintained by the default clause)

With index default, you define that the LDAP server should maintain the specified indexes for all attributes. This behavior can be overwritten subsequently with a more specific one or reset with the index <attribute> none directive.

Following is an example of a complete configuration file matching the example of the LdapABC organization used in this book. The list of directives is not limited to those mentioned in this section; there are actually many more directives, depending on the back end you use (some of which are discussed in Appendix F and Appendix G). By the time you read this book, there may be even more because work on OpenLDAP continues.

 01   # Example Configuration File 02   # 03   # Global Section 02   include /usr/local/etc/schema/core.schema 03   include /usr/local/etc/schema/cosine.schema 04   include /usr/local/etc/schema/inetorgperson.schema 05   include /usr/local/etc/schema/ldapabcadmin.schema 06 03   03 referral ldap:// 04   access to * by * read 05 06   # ldbm definition for dc=ldapabc,dc=org 07   database ldbm 08 09   # definition of the namespace 10   suffix dc=LdapAbc,dc=org 11 12   # System Administrator Credentials 13   rootdn cn=Administrator,dc=LdapAbc,dc=org 14   rootpw {SSHA}Dh1hgJPc+2akIahgBJyxLAvwc+UXFhg 15 16   # Database Location 17   directory /usr/local/var/LdapAbc 18 19   # Definition of Indexes 20   index uid pres,eq 21   index objectClass eq 22   index cn,sn,uid pres,eq,approx,sub 23 24   # ACI Information 25   access to attr=userPassword 26          by self write 27          by anonymous auth 28          by * none 29 30   access to * 31          by self write 32          by users read 33 

 < Day Day Up > 

The ABCs of LDAP. How to Install, Run, and Administer LDAP Services
The ABCs of LDAP: How to Install, Run, and Administer LDAP Services
ISBN: 0849313465
EAN: 2147483647
Year: 2003
Pages: 149

Similar book on Amazon © 2008-2017.
If you may any questions please contact us: