
Today I worked on configuring forms-based authentication for SharePoint 2010.

Using forms-based authentication automatically means using claims-based authentication in SharePoint 2010.

Recommended: Berkeley DB-4.5.20 (built in LFS) or GDBM-1.8.3. Optional: Cyrus SASL-2.1.22 and OpenSSL-0.9.8g, TCP Wrapper-7.6, unixODBC-2.2.12, GMP-4.2.2, OpenSLP, Pth-2.0.7, and one of MySQL-5.0.41, Oracle, or PostgreSQL-8.2.4.

Build OpenLDAP-2.3.39 with:

./configure --prefix=/usr \
            --libexecdir=/usr/sbin \
            --sysconfdir=/etc \
            --localstatedir=/srv/ldap \
            --disable-debug \
            --enable-dynamic \
            --enable-crypt \
            --enable-modules \
            --enable-rlookups \
            --enable-backends \
            --enable-overlays \
            --disable-sql &&
make depend &&
make

Then, as root:

make install &&
for LINK in lber ldap ldap_r; do
    chmod -v 0755 /usr/lib/$(readlink /usr/lib/lib$LINK.so)
done &&
install -v -m755 -d /usr/share/doc/openldap-2.3.39/{drafts,rfc,guide} &&
install -v -m644 doc/drafts/* /usr/share/doc/openldap-2.3.39/drafts &&
install -v -m644 doc/rfc/* /usr/share/doc/openldap-2.3.39/rfc &&
cp -v -R doc/guide/* /usr/share/doc/openldap-2.3.39/guide

liblber, one of the libraries fixed up in the loop above, is a set of lightweight Basic Encoding Rules (BER) routines.


The modified slapd.conf file is here:

# ###### SAMPLE 4 - DIRECTORY with home-grown objectclass & attributes ############
#
# NOTES: inetorgperson picks up attributes and objectclasses
#        from all three schemas
# devices objectclass is in core.schema
# posixAccount is in nis.schema
# add ourco.schema
#
# NB: RH Linux schemas in /etc/openldap
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/ourco.schema

# NO REFERRALS

# DON'T bother with ARGS file

# pidfile allows scripts for stopping slapd to work
pidfile /var/run/

# enable a lot of logging - we might need it
loglevel -1

# NO dynamic backend modules

# NO TLS-enabled connections
# (so simple binds, including the rootdn's, send their password in clear over the network)

#######################################################################
# bdb database definitions
#
# replace example and com below with a suitable domain
#
# If you don't have a domain you can leave it since
# example.com is reserved for experimentation, or change them to
# my and inc
#######################################################################

database bdb
suffix "dc=example, dc=com"

# ACL1
# only owner and itgroup can see or update
access to attrs=userpassword
  by self write
  by anonymous auth
  by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write
  by * none

# ACL1A
# only itgroup can see and update
access to attrs=homedirectory,uidnumber,gidnumber,loginshell,gecos
  by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write
  by * none

# ACL2
# allow read of addressbook by owner and itpeople; no-one else sees it
access to dn.regex="^ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$" attrs=entry
  by dn.exact,expand="cn=$1,ou=people,dc=example,dc=com" read
  by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write
  by users none

# ACL3
# allows itgroup to create addressbook but not see entries
access to dn.regex="cn=[^,]+,ou=people,dc=example,dc=com$" attrs=children
  by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write
  by users none break

# ACL4
# allow user to create entries in own addressbook; no-one else can access it
# needs write access to the entry's ENTRY attribute (ACL5)
# and the entry's CHILDREN (ACL4)
access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$" attrs=children
  by dn.regex,expand="cn=$1,ou=people,dc=example,dc=com" write
  by users none

# ACL5
# allow one to create entries in its own addressbook; no-one else can access it
# needs write access to the entry's ENTRY attribute (ACL5)
# and the entry's CHILDREN (ACL4)
access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$" attrs=entry
  by dn.regex,expand="cn=$1,ou=people,dc=example,dc=com" write
  by users none

# ACL6
# allow access to all entries in own addressbook; no-one else can access it
access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$" filter=(objectclass=inetorgperson)
  by dn.regex,expand="cn=$1,ou=people,dc=example,dc=com" write
  by users none

# LDAP 2.2: replace ACL5 and ACL6 with
#access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$"
#  attrs=entry,@inetorgperson
#  by dn.regex,expand="cn=$1,ou=people,dc=example,dc=com" write
#  by users none

# ACL7
# allows sales to create entries in customers
# authenticated user can only read
# (the target must lie under this database's suffix, dc=example,dc=com,
#  or the clause never matches anything)
access to dn.one="ou=customers,dc=example,dc=com" attr=children
  by group.exact="cn=salespeople,ou=groups,dc=example,dc=com" write
  by users read

# ACL8
access to attr=carlicense,homepostaladdress,homephone,dohicky,ageatbirth
  by self write
  by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write
  by * none

# ACL8A - control access to equipment
access to dn.one="ou=equipment,dc=example,dc=com"
  by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write
  by users read
  by * none

# ACL9
access to *
  by self write
  by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write
  by users read
  by * none

# root or superuser
rootdn "cn=jimbob, dc=example, dc=com"
# a cleartext rootpw is fine for experimenting; for anything else use the
# {SSHA} hash printed by slappasswd instead
rootpw dirtysecret

# The database directory MUST exist prior to running slapd AND
# change path as necessary
directory /var/db/openldap/example-com

# Indices to maintain for this directory
# unique id so equality match only
index uid eq
# allows general searching on commonname, givenname and email
index cn,gn,mail eq,sub
# allows multiple variants on surname searching
index sn eq,sub
# sub above includes subinitial,subany,subfinal
# optimise department searches
index ou eq
# if searches will include objectClass uncomment following
# index objectClass eq
# shows use of default index parameter
index default eq,sub
# indices missing - uses default eq,sub
index telephonenumber

# other database parameters
# read more in reference section
cachesize 10000
checkpoint 128 15

Restart slapd so that it reads the new configuration, then confirm it is running:

# stop and start OpenLDAP (slapd)
# on Linux/Redhat
/etc/rc.d/init.d/ldap restart
# on BSD
[bsd] /usr/local/etc/openldap/stop
# then
[bsd] /usr/local/etc/rc.d/start
# confirm slapd is running
ps ax | grep slapd

The LDIF below updates our entries by adding the posixAccount objectclass and its MUST attributes and the ourObject objectclass and its MUST attributes. None of the LDAP browsers we used allowed us to add new AUXILIARY objectclasses to an existing entry; LDIF is apparently the only way to do this.

In a changetype: modify record each modification names its operation (add:) and the attribute, lists the values, and is closed by a line containing only "-". The entries already carry inetorgperson, so it is not added again (adding an objectclass value that is already present fails with "Type or value exists").

version: 1

dn: cn=john smith,ou=people,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: posixaccount
objectclass: ourobject
-
add: uidnumber
uidnumber: 200
-
add: gidnumber
gidnumber: 203
-
add: homedirectory
homedirectory: /var/mail/example.com/jsmith
-
add: dohicky
dohicky: false
-
add: gobbledegook
gobbledegook: john
-
add: ageatbirth
ageatbirth: 0
-

dn: cn=sheri smith,ou=people,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: posixaccount
objectclass: ourobject
-
add: uidnumber
uidnumber: 201
-
add: gidnumber
gidnumber: 203
-
add: homedirectory
homedirectory: /var/mail/example.com/ssmith
-
add: dohicky
dohicky: true
-
add: gobbledegook
gobbledegook: sheri
-

dn: cn=robert smith,ou=people,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: posixaccount
objectclass: ourobject
-
add: uidnumber
uidnumber: 202
-
add: gidnumber
gidnumber: 203
-
add: homedirectory
homedirectory: /var/mail/example.com/rsmith
-
add: dohicky
dohicky: false
-
add: gobbledegook
gobbledegook: robert
-
add: ageatbirth
ageatbirth: 17
-

Assuming we save the above LDIF in our /tmp directory, we load it with ldapmodify; wherever a command refers to ldaphost, substitute the hostname on which your LDAP directory is located.
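The ACLs in the slapd.conf above are evaluated with first-match semantics, and that is what makes the modify LDIF awkward to apply as an ordinary user: ACL1A lets only itpeople write homedirectory, uidnumber and gidnumber, ACL8 lets only the owner or hrpeople write dohicky and ageatbirth, and ACL9 lets only the owner or hrpeople write objectclass and gobbledegook, so a single modify touching all of them can be applied only by the rootdn or by a DN that is a member of both groups. The Python below is an added example, not code from the guide: it models slapd's ACL evaluation offline for the clause forms the sample uses, then asks which of the LDIF's attributes each identity is blocked from writing on john smith's entry. GROUPS, the made-up member alice jones and the MODIFY_ATTRS list are constructed for the example; regex targets, filters and break are not modelled, so ACL2 to ACL7 are left out.

```python
"""Offline evaluation of slapd.conf 'access to' clauses (an added example, not from the guide).
slapd uses first-match semantics: the first clause whose <what> covers the entry and attribute
decides, and within it the first <who> matching the bound identity sets the level; every clause
ends in an implicit 'by * none'. Modelled: <what> '*', dn.exact/one/children/subtree, attrs=;
<who> '*', anonymous, users, self, dn.exact, group.exact (membership from GROUPS). Regex targets,
filters and 'break' are not modelled. SAMPLE_ACLS is the guide's ACL1, ACL1A, ACL8, ACL8A, ACL9;
GROUPS is constructed (alice is a made-up member of both groups)."""
import re
SAMPLE_ACLS = """\
access to attrs=userpassword
  by self write
  by anonymous auth
  by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write
  by * none
access to attrs=homedirectory,uidnumber,gidnumber,loginshell,gecos
  by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write
  by * none
access to attr=carlicense,homepostaladdress,homephone,dohicky,ageatbirth
  by self write
  by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write
  by * none
access to dn.one="ou=equipment,dc=example,dc=com"
  by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write
  by users read
  by * none
access to *
  by self write
  by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write
  by users read
  by * none
"""
JOHN, SHERI, ROBERT, ALICE = (f"cn={n},ou=people,dc=example,dc=com" for n in
                              ("john smith", "sheri smith", "robert smith", "alice jones"))
GROUPS = {"cn=itpeople,ou=groups,dc=example,dc=com": {ROBERT, ALICE},
          "cn=hrpeople,ou=groups,dc=example,dc=com": {SHERI, ALICE}}
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
MODIFY_ATTRS = ["objectclass", "uidnumber", "gidnumber", "homedirectory",
                "dohicky", "gobbledegook", "ageatbirth"]  # what the guide's modify LDIF adds

def norm(dn):  # drop quotes and spaces after commas, lower-case: textual DN comparison
    return re.sub(r",\s*", ",", dn.strip().strip('"')).lower()

def parse_acls(text):
    """Return [(what, [(who, level), ...])]; 'by' parts may follow on their own lines."""
    clauses = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("access to "):
            clauses.append(line[10:])
        elif line.startswith("by ") and clauses:
            clauses[-1] += " " + line
    parts = [re.split(r"\s+by\s+", c) for c in clauses]
    return [(p[0].strip(), [tuple(b.rsplit(None, 1)) for b in p[1:]]) for p in parts]

def what_matches(what, entry_dn, attr):
    """Does <what> cover (entry_dn, attr)? An absent dn or attrs part matches anything."""
    if what == "*":
        return True
    m_dn = re.match(r'dn(?:\.(\w+))?=("[^"]*"|\S+)', what)
    if m_dn:
        style, base, e = m_dn.group(1) or "exact", norm(m_dn.group(2)), norm(entry_dn)
        rest = e[: -len(base) - 1] if e.endswith("," + base) else None  # RDNs below base
        if not {"exact": e == base, "one": rest is not None and "," not in rest,
                "children": rest is not None, "subtree": e == base or rest is not None}[style]:
            return False
    m_at = re.search(r"\battrs?=(\S+)", what)
    return not m_at or attr.lower() in m_at.group(1).lower().split(",")

def who_matches(who, bind_dn, entry_dn):
    """Does <who> describe bind_dn (None means an anonymous bind)?"""
    if who == "*":
        return True
    if who in ("anonymous", "users"):
        return (bind_dn is None) == (who == "anonymous")
    if who == "self":
        return bind_dn is not None and norm(bind_dn) == norm(entry_dn)
    m = re.match(r"(dn|group)(?:\.exact)?=(.+)$", who)
    if not m or bind_dn is None:
        return False
    target = norm(m.group(2))
    if m.group(1) == "group":
        return norm(bind_dn) in {norm(d) for d in GROUPS.get(target, ())}
    return norm(bind_dn) == target

def access_level(acls, bind_dn, entry_dn, attr):
    """Level granted by the first clause covering entry_dn/attr ('none' if no clause does)."""
    for what, bys in acls:
        if what_matches(what, entry_dn, attr):
            for who, level in bys:
                if who_matches(who, bind_dn, entry_dn):
                    return level
            return "none"  # the implicit trailing 'by * none'
    return "none"

def blocked_attrs(acls, bind_dn, entry_dn, attrs=MODIFY_ATTRS):
    """Attributes of the modify that bind_dn may NOT write on entry_dn; empty means it may apply it."""
    return [a for a in attrs if LEVELS.index(access_level(acls, bind_dn, entry_dn, a)) < LEVELS.index("write")]

if __name__ == "__main__":  # who can apply the guide's modify LDIF to john's entry?
    print({dn: blocked_attrs(parse_acls(SAMPLE_ACLS), dn, JOHN) for dn in (JOHN, ROBERT, SHERI, ALICE)})
```

Run as a script it reports that john (self) and sheri (hrpeople) are blocked on uidnumber, gidnumber and homedirectory, robert (itpeople) on objectclass, dohicky, gobbledegook and ageatbirth, and only the constructed alice (both groups) on nothing. The same model also shows the dn.one pitfall in ACL8A: an entry one level below ou=equipment is covered, an entry two levels down falls through to ACL9. Having established that, load the LDIF as the rootdn, which bypasses the ACLs entirely, from the directory host itself: ldapmodify -x -H ldap://localhost -D "cn=jimbob,dc=example,dc=com" -W -f /tmp/<your file>.ldif (the file name stands for whatever you saved the LDIF as). Binding as the rootdn against a remote ldaphost is unwise with this configuration, since TLS is disabled and the rootpw would cross the network in clear.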

The liblber routines are not normally used directly by an LDAP application program except in the handling of controls and extended operations.

5.1 Simple Directory
    5.1.1 Designing the DIT
    5.1.2 Select the STRUCTURAL objectClass
    5.1.3 File
    5.1.4 LDIF File
    5.1.5 Loading the LDIF
    5.1.6 Adding New Entries using LDIF
    5.1.7 Modifying Entries using LDIF
    5.1.8 Just Fooling Around
5.2 Securing the Directory
    5.2.1 Security Policy
    5.2.2 Adding Groups
    5.2.3 ACL Access Definitions
    5.2.4 Testing the ACL
5.3 Expanded Hierarchy
    5.3.1 Requirement
    5.3.2 Implementation
    5.3.3 LDIF
    5.3.4 ACL Access Definitions
    5.3.5 Testing the ACL
5.4 Creating & Adding Objects
    5.4.1 Requirement
    5.4.2 Implementation
    5.4.3 Attribute Definitions
    5.4.4 objectClass & Schema Definition
    5.4.5 ACL Access Definitions
    5.4.6 LDIF
    5.4.7 Testing the Changes
5.5 Single Sign On
5.6 Referral and Replication

In this section we create a number of attributes, an objectclass and a schema to package them for the future. The attributes' OIDs use the suggested numbering convention.

,ou=people,dc=example,dc=com$" attrs=children by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write by users none break # ACL4 # allow user to create entries in own addressbook; no-one else can access it # needs write access to the entries ENTRY attribute (ACL5) # and the entries CHILDREN (ACL4) access to dn.regex="ou=addressbook,cn=([^,] ),ou=people,dc=example,dc=com$" attrs=children by dn.regex,expand="cn=$1,ou=people,dc=example,dc=com" write by users none # ACL5 # allow one to create entries in its own addressbook; no-one else can access it # needs write access to the entries ENTRY attribute (ACL5) # and the entries CHILDREN (ACL4) access to dn.regex="ou=addressbook,cn=([^,] ),ou=people,dc=example,dc=com$" attrs=entry by dn.regex,expand="cn=$1,ou=people,dc=example,dc=com" write by users none # ACL6 # allow access to all entries in own addressbook; no-one else can access it access to dn.regex="ou=addressbook,cn=([^,] ),ou=people,dc=example,dc=com$" filter=(objectclass=inetorgperson) by dn.regex,expand="cn=$1,ou=people,dc=example,dc=com" write by users none # LDAP 2.2 replace ACL5 and ACL6 with #access to dn.regex="ou=addressbook,cn=([^,] ),ou=people,dc=example,dc=com$" # attrs=entry,@inetorgperson # by dn.regex,expand="cn=$1,ou=people,dc=example,dc=com" write # by users none # ACL7 # allows sales to create entries in customers # authenticated user can only read access to dn.one="ou=customers,dc=zytrax,dc=com" attr=children by group.exact="cn=salespeople,ou=groups,dc=example,dc=com" write by users read # ACL8 access to attr=carlicense,homepostaladdress,homephone,dohicky,ageatbirth by self write by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write by * none # ACL8A - control access to equipment access to dn.one="ou=equipment,dc=example,dc=com" by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write by users read by * none # ACL9 access to * by self write by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write by users read by * none 
# root or superuser rootdn "cn=jimbob, dc=example, dc=com" rootpw dirtysecret # The database directory MUST exist prior to running slapd AND # change path as ncessary directory /var/db/openldap/example-com # Indices to maintain for this directory # unique id so equality match only index uid eq # allows general searching on commonname, givenname and email index cn,gn,mail eq,sub # allows multiple variants on surname searching index sn eq,sub # sub above includes subintial,subany,subfinal # optimise department searches index ou eq # if searches will include object Class uncomment following # index object Class eq # shows use of default index parameter index default eq,sub # indices missing - uses default eq,sub index telephonenumber # other database parameters # read more in reference section cachesize 10000 checkpoint 128 15 # stop and start Open LDAP (slapd) # on Linux/Redhat /etc/rc.d/init.d/ldap restart # on BSD [bsd] /usr/local/etc/openldap/stop # then [bsd] /usr/local/etc/rc.d/start # confirm slapd is running ps ax | grep slapd The LDIF below updates our entries by adding the posix Account objectclass and its MUST attributes and the our Object object class and its MUST attributes: None of the LDAP browsers we used allowed us to add new AUXILIARY objects - LDIF is the only way to do this apparently.

version: 1 dn: cn=john smith,ou=people,dc=example,dc=com changetype: modify objectclass: inetorgperson objectclass: posixaccount uidnumber: 200 gidnumber: 203 homedirectory: /var/mail/example.com/jsmith objectclass: our Object dohicky: false gobbledegook: john ageatbirth: 0 dn: cn=sheri smith,ou=people,dc=example,dc=com changetype: modify objectclass: inetorgperson objectclass: posixaccount uidnumber: 201 gidnumber: 203 homedirectory: /var/mail/example.com/ssmith objectclass: our Object dohicky: true gobbledegook: sheri dn: cn=robert smith,ou=people,dc=example,dc=com changetype: modify objectclass: inetorgperson objectclass: posixaccount uidnumber: 202 gidnumber: 203 homedirectory: /var/mail/example.com/rsmith objectclass: our Object dohicky: false gobbledegook: robert ageatbirth: 17 Assuming we save the above LDIF as in our /tmp directory we load the LDIF file using ldapmodify with a command like this (line below is split for HTML formatting reasons only and should be on a single line): The ldaphost.should be replaced with whatever hostname your LDAP directory is located on.

They are not normally used directly by an LDAP application program except in the handling of controls and extended operations.

is a set of lightweight Basic Encoding Rules routines.

5.1 Simple Directory 5.1.1 Designing the DIT 5.1.2 Select the STRUCTURAL object Class 5.1.3 File 5.1.4 LDIF File 5.1.5 Loading the LDIF 5.1.6 Adding New Entries using LDIF 5.1.7 Modifying Entries using LDIF 5.1.8 Just Fooling Around 5.2 Securing the Directory 5.2.1 Security Policy 5.2.2 Adding Groups 5.2.3 ACL Access Definitions 5.2.4 Testing the ACL 5.3 Expanded Hierarchy 5.3.1 Requirement 5.3.2 Implementation 5.3.3 LDIF 5.3.4 ACL Access Definitions 5.3.5 Testing the ACL 5.4 Creating & Adding Objects 5.4.1 Requirement 5.4.2 Implementation 5.4.3 Attribute Definitions 5.4.4 object Class & Schema Definition 5.4.5 ACL Access Definitions 5.4.6 LDIF 5.4.7 Testing the Changes 5.5 Single Sign On 5.6 Referral and Replication In this section we create a number of attributes, an objectclass and a schema to package them for the future. The attribute's OID uses the suggested numbering convention.
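Whether sheri can read john's userpassword, or his addressbook, depends on how slapd walks these definitions: the first access-to clause whose what-part matches the entry and attribute is selected, and within it the first matching by-clause decides, with an implicit trailing "by * none". The toy evaluator below is an added example, not code from this page or from the OpenLDAP project; it transcribes ACL1, ACL1A, ACL2 and ACL9 and runs the page's own scenarios against them. The group members (ian tech, helen hr) are constructed sample data, and the break control, filters and dn.one scopes used by the other ACLs are not modelled.

```python
"""Toy model of how slapd evaluates the ACLs above (see slapd.access(5)):
the first 'access to' clause whose <what> matches the target entry and
attribute is selected; its 'by' clauses are tried in order and the first
matching <who> decides, with an implicit trailing 'by * none'.
Illustration only, not OpenLDAP code; break, filters and dn.one are not modelled."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
PEOPLE = "ou=people,dc=example,dc=com"
GROUPS = "ou=groups,dc=example,dc=com"
IT, HR = f"cn=itpeople,{GROUPS}", f"cn=hrpeople,{GROUPS}"
JOHN, SHERI = f"cn=john smith,{PEOPLE}", f"cn=sheri smith,{PEOPLE}"
# Constructed sample members: the page names the groups, not who is in them.
IAN, HELEN = f"cn=ian tech,{PEOPLE}", f"cn=helen hr,{PEOPLE}"
GROUP_MEMBERS = {IT: {IAN}, HR: {HELEN}}

@dataclass
class By:
    who: str    # self | anonymous | users | * | group.exact=<dn> | dn.exact,expand=<pattern>
    level: str  # one of LEVELS

@dataclass
class Acl:
    name: str
    dn_regex: Optional[str] = None    # None: applies to every entry
    attrs: Optional[Set[str]] = None  # None: all attributes, 'entry' included
    by: List[By] = field(default_factory=list)

def who_matches(by, bind_dn, target_dn, m):
    """Does this <who> describe the bound identity? bind_dn None = anonymous."""
    if by.who == "*":
        return True
    if by.who == "anonymous":
        return bind_dn is None
    if by.who == "users":
        return bind_dn is not None
    if by.who == "self":  # bind DN must equal the target entry's own DN
        return bind_dn == target_dn
    kind, _, value = by.who.partition("=")
    if kind == "group.exact":
        return bind_dn in GROUP_MEMBERS.get(value, set())
    if kind == "dn.exact,expand":  # $1 = first capture group of the dn.regex
        return bind_dn == value.replace("$1", m.group(1))
    raise ValueError(f"unsupported who clause: {by.who}")

def evaluate(acls, bind_dn, target_dn, attr):
    """(granted level, deciding ACL); no matching 'access to' -> slapd default 'read'."""
    for acl in acls:
        m = None
        if acl.dn_regex is not None:
            m = re.search(acl.dn_regex, target_dn)
            if m is None:
                continue
        if acl.attrs is not None and attr not in acl.attrs:
            continue
        for by in acl.by:
            if who_matches(by, bind_dn, target_dn, m):
                return by.level, acl.name
        return "none", acl.name  # no <who> matched: implicit 'by * none'
    return "read", "default"

def allowed(acls, bind_dn, target_dn, attr, needed):
    """True if the level reached covers the operation (bind 'auth', read 'read', modify 'write')."""
    level, _ = evaluate(acls, bind_dn, target_dn, attr)
    return LEVELS.index(level) >= LEVELS.index(needed)

ACLS = [  # transcribed from ACL1, ACL1A, ACL2 and ACL9 in the slapd.conf above
    Acl("ACL1", attrs={"userpassword"}, by=[
        By("self", "write"), By("anonymous", "auth"),
        By(f"group.exact={IT}", "write"), By("*", "none")]),
    Acl("ACL1A", attrs={"homedirectory", "uidnumber", "gidnumber", "loginshell", "gecos"},
        by=[By(f"group.exact={IT}", "write"), By("*", "none")]),
    Acl("ACL2", dn_regex=r"^ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$",
        attrs={"entry"}, by=[By(f"dn.exact,expand=cn=$1,{PEOPLE}", "read"),
                             By(f"group.exact={IT}", "write"), By("users", "none")]),
    Acl("ACL9", by=[By("self", "write"), By(f"group.exact={HR}", "write"),
                    By("users", "read"), By("*", "none")]),
]

def demo():
    """Scenarios drawn from the page's own security policy."""
    book = f"ou=addressbook,{JOHN}"  # john's addressbook container
    return {
        # ACL1: anonymous may authenticate against the password, never read it
        "anon_bind_john": allowed(ACLS, None, JOHN, "userpassword", "auth"),
        "anon_read_john_pw": allowed(ACLS, None, JOHN, "userpassword", "read"),
        # ACL1A is hit before the catch-all ACL9, so hr's 'write' on * is moot here
        "hr_read_john_uidnumber": allowed(ACLS, HELEN, JOHN, "uidnumber", "read"),
        # ACL9: authenticated users read ordinary attributes, anonymous gets nothing
        "sheri_read_john_cn": allowed(ACLS, SHERI, JOHN, "cn", "read"),
        "anon_read_john_cn": allowed(ACLS, None, JOHN, "cn", "read"),
        # ACL2: 'self' cannot match an entry below john's own DN, so the owner
        # is identified by expanding $1 from the dn.regex instead
        "john_read_own_book": allowed(ACLS, JOHN, book, "entry", "read"),
        "john_write_own_book": allowed(ACLS, JOHN, book, "entry", "write"),
        "sheri_read_john_book": allowed(ACLS, SHERI, book, "entry", "read"),
        "it_write_john_book": allowed(ACLS, IAN, book, "entry", "write"),
    }
```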

||

The modified file is here: # ###### SAMPLE 4 - DIRECTORY with home-grown objectclass & attributes ############ # # NOTES: inetorgperson picks up attributes and objectclasses # from all three schemas # devices objectclass is in core.schema # posix Account is in nis.schema # add ourco.schema # # NB: RH Linux schemas in /etc/openldap # include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/ourco.schema # NO REFERRALS # DON'T bother with ARGS file # pidfle allows scripts for stopping slapd to work pidfile /var/run/# enable a lot of logging - we might need it loglevel -1 # NO dynamic backend modules # NO TLS-enabled connections ####################################################################### # bdb database definitions # # replace example and com below with a suitable domain # # If you don't have a domain you can leave it since # is reserved for experimentation or change them to My and inc ####################################################################### database bdb suffix "dc=example, dc=com" # ACL1 # only owner and itgroup can see or update access to attrs=userpassword by self write by anonymous auth by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write by * none # ACL1A # only itgroup can see and update access to attrs=homedirectory,uidnumber,gidnumber,loginshell,gecos by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write by * none # ACL2 # allow read of addressbook by owner and itpeople; no-one else see it access to dn.regex="^ou=addressbook,cn=([^,] ),ou=people,dc=example,dc=com$" attrs=entry by dn.exact,expand="cn=$1,ou=people,dc=example,dc=com" read by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write by users none # ACL3 # allows itgroup to create addressbook but not see entries access to dn.regex="cn=[^,] 
,ou=people,dc=example,dc=com$" attrs=children by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write by users none break # ACL4 # allow user to create entries in own addressbook; no-one else can access it # needs write access to the entries ENTRY attribute (ACL5) # and the entries CHILDREN (ACL4) access to dn.regex="ou=addressbook,cn=([^,] ),ou=people,dc=example,dc=com$" attrs=children by dn.regex,expand="cn=$1,ou=people,dc=example,dc=com" write by users none # ACL5 # allow one to create entries in its own addressbook; no-one else can access it # needs write access to the entries ENTRY attribute (ACL5) # and the entries CHILDREN (ACL4) access to dn.regex="ou=addressbook,cn=([^,] ),ou=people,dc=example,dc=com$" attrs=entry by dn.regex,expand="cn=$1,ou=people,dc=example,dc=com" write by users none # ACL6 # allow access to all entries in own addressbook; no-one else can access it access to dn.regex="ou=addressbook,cn=([^,] ),ou=people,dc=example,dc=com$" filter=(objectclass=inetorgperson) by dn.regex,expand="cn=$1,ou=people,dc=example,dc=com" write by users none # LDAP 2.2 replace ACL5 and ACL6 with #access to dn.regex="ou=addressbook,cn=([^,] ),ou=people,dc=example,dc=com$" # attrs=entry,@inetorgperson # by dn.regex,expand="cn=$1,ou=people,dc=example,dc=com" write # by users none # ACL7 # allows sales to create entries in customers # authenticated user can only read access to dn.one="ou=customers,dc=zytrax,dc=com" attr=children by group.exact="cn=salespeople,ou=groups,dc=example,dc=com" write by users read # ACL8 access to attr=carlicense,homepostaladdress,homephone,dohicky,ageatbirth by self write by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write by * none # ACL8A - control access to equipment access to dn.one="ou=equipment,dc=example,dc=com" by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write by users read by * none # ACL9 access to * by self write by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write by users read by * none 
# root or superuser rootdn "cn=jimbob, dc=example, dc=com" rootpw dirtysecret # The database directory MUST exist prior to running slapd AND # change path as ncessary directory /var/db/openldap/example-com # Indices to maintain for this directory # unique id so equality match only index uid eq # allows general searching on commonname, givenname and email index cn,gn,mail eq,sub # allows multiple variants on surname searching index sn eq,sub # sub above includes subintial,subany,subfinal # optimise department searches index ou eq # if searches will include object Class uncomment following # index object Class eq # shows use of default index parameter index default eq,sub # indices missing - uses default eq,sub index telephonenumber # other database parameters # read more in reference section cachesize 10000 checkpoint 128 15 # stop and start Open LDAP (slapd) # on Linux/Redhat /etc/rc.d/init.d/ldap restart # on BSD [bsd] /usr/local/etc/openldap/stop # then [bsd] /usr/local/etc/rc.d/start # confirm slapd is running ps ax | grep slapd The LDIF below updates our entries by adding the posix Account objectclass and its MUST attributes and the our Object object class and its MUST attributes: None of the LDAP browsers we used allowed us to add new AUXILIARY objects - LDIF is the only way to do this apparently.version: 1 dn: cn=john smith,ou=people,dc=example,dc=com changetype: modify objectclass: inetorgperson objectclass: posixaccount uidnumber: 200 gidnumber: 203 homedirectory: /var/mail/example.com/jsmith objectclass: our Object dohicky: false gobbledegook: john ageatbirth: 0 dn: cn=sheri smith,ou=people,dc=example,dc=com changetype: modify objectclass: inetorgperson objectclass: posixaccount uidnumber: 201 gidnumber: 203 homedirectory: /var/mail/example.com/ssmith objectclass: our Object dohicky: true gobbledegook: sheri dn: cn=robert smith,ou=people,dc=example,dc=com changetype: modify objectclass: inetorgperson objectclass: posixaccount uidnumber: 202 gidnumber: 203 
homedirectory: /var/mail/example.com/rsmith objectclass: our Object dohicky: false gobbledegook: robert ageatbirth: 17 Assuming we save the above LDIF as in our /tmp directory we load the LDIF file using ldapmodify with a command like this (line below is split for HTML formatting reasons only and should be on a single line): The ldaphost.should be replaced with whatever hostname your LDAP directory is located on.They are not normally used directly by an LDAP application program except in the handling of controls and extended operations.is a set of lightweight Basic Encoding Rules routines.5.1 Simple Directory 5.1.1 Designing the DIT 5.1.2 Select the STRUCTURAL object Class 5.1.3 File 5.1.4 LDIF File 5.1.5 Loading the LDIF 5.1.6 Adding New Entries using LDIF 5.1.7 Modifying Entries using LDIF 5.1.8 Just Fooling Around 5.2 Securing the Directory 5.2.1 Security Policy 5.2.2 Adding Groups 5.2.3 ACL Access Definitions 5.2.4 Testing the ACL 5.3 Expanded Hierarchy 5.3.1 Requirement 5.3.2 Implementation 5.3.3 LDIF 5.3.4 ACL Access Definitions 5.3.5 Testing the ACL 5.4 Creating & Adding Objects 5.4.1 Requirement 5.4.2 Implementation 5.4.3 Attribute Definitions 5.4.4 object Class & Schema Definition 5.4.5 ACL Access Definitions 5.4.6 LDIF 5.4.7 Testing the Changes 5.5 Single Sign On 5.6 Referral and Replication In this section we create a number of attributes, an objectclass and a schema to package them for the future. The attribute's OID uses the suggested numbering convention.

,ou=people,dc=example,dc=com" write by users none # ACL6 # allow access to all entries in own addressbook; no-one else can access it access to dn.regex="ou=addressbook,cn=([^,] ),ou=people,dc=example,dc=com$" filter=(objectclass=inetorgperson) by dn.regex,expand="cn=

The modified file is here: # ###### SAMPLE 4 - DIRECTORY with home-grown objectclass & attributes ############ # # NOTES: inetorgperson picks up attributes and objectclasses # from all three schemas # devices objectclass is in core.schema # posix Account is in nis.schema # add ourco.schema # # NB: RH Linux schemas in /etc/openldap # include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/ourco.schema # NO REFERRALS # DON'T bother with ARGS file # pidfle allows scripts for stopping slapd to work pidfile /var/run/# enable a lot of logging - we might need it loglevel -1 # NO dynamic backend modules # NO TLS-enabled connections ####################################################################### # bdb database definitions # # replace example and com below with a suitable domain # # If you don't have a domain you can leave it since # is reserved for experimentation or change them to My and inc ####################################################################### database bdb suffix "dc=example, dc=com" # ACL1 # only owner and itgroup can see or update access to attrs=userpassword by self write by anonymous auth by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write by * none # ACL1A # only itgroup can see and update access to attrs=homedirectory,uidnumber,gidnumber,loginshell,gecos by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write by * none # ACL2 # allow read of addressbook by owner and itpeople; no-one else see it access to dn.regex="^ou=addressbook,cn=([^,] ),ou=people,dc=example,dc=com$" attrs=entry by dn.exact,expand="cn=$1,ou=people,dc=example,dc=com" read by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write by users none # ACL3 # allows itgroup to create addressbook but not see entries access to dn.regex="cn=[^,] 
,ou=people,dc=example,dc=com$" attrs=children by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write by users none break # ACL4 # allow user to create entries in own addressbook; no-one else can access it # needs write access to the entries ENTRY attribute (ACL5) # and the entries CHILDREN (ACL4) access to dn.regex="ou=addressbook,cn=([^,] ),ou=people,dc=example,dc=com$" attrs=children by dn.regex,expand="cn=$1,ou=people,dc=example,dc=com" write by users none # ACL5 # allow one to create entries in its own addressbook; no-one else can access it # needs write access to the entries ENTRY attribute (ACL5) # and the entries CHILDREN (ACL4) access to dn.regex="ou=addressbook,cn=([^,] ),ou=people,dc=example,dc=com$" attrs=entry by dn.regex,expand="cn=$1,ou=people,dc=example,dc=com" write by users none # ACL6 # allow access to all entries in own addressbook; no-one else can access it access to dn.regex="ou=addressbook,cn=([^,] ),ou=people,dc=example,dc=com$" filter=(objectclass=inetorgperson) by dn.regex,expand="cn=$1,ou=people,dc=example,dc=com" write by users none # LDAP 2.2 replace ACL5 and ACL6 with #access to dn.regex="ou=addressbook,cn=([^,] ),ou=people,dc=example,dc=com$" # attrs=entry,@inetorgperson # by dn.regex,expand="cn=$1,ou=people,dc=example,dc=com" write # by users none # ACL7 # allows sales to create entries in customers # authenticated user can only read access to dn.one="ou=customers,dc=zytrax,dc=com" attr=children by group.exact="cn=salespeople,ou=groups,dc=example,dc=com" write by users read # ACL8 access to attr=carlicense,homepostaladdress,homephone,dohicky,ageatbirth by self write by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write by * none # ACL8A - control access to equipment access to dn.one="ou=equipment,dc=example,dc=com" by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write by users read by * none # ACL9 access to * by self write by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write by users read by * none 
# root or superuser rootdn "cn=jimbob, dc=example, dc=com" rootpw dirtysecret # The database directory MUST exist prior to running slapd AND # change path as ncessary directory /var/db/openldap/example-com # Indices to maintain for this directory # unique id so equality match only index uid eq # allows general searching on commonname, givenname and email index cn,gn,mail eq,sub # allows multiple variants on surname searching index sn eq,sub # sub above includes subintial,subany,subfinal # optimise department searches index ou eq # if searches will include object Class uncomment following # index object Class eq # shows use of default index parameter index default eq,sub # indices missing - uses default eq,sub index telephonenumber # other database parameters # read more in reference section cachesize 10000 checkpoint 128 15 # stop and start Open LDAP (slapd) # on Linux/Redhat /etc/rc.d/init.d/ldap restart # on BSD [bsd] /usr/local/etc/openldap/stop # then [bsd] /usr/local/etc/rc.d/start # confirm slapd is running ps ax | grep slapd The LDIF below updates our entries by adding the posix Account objectclass and its MUST attributes and the our Object object class and its MUST attributes: None of the LDAP browsers we used allowed us to add new AUXILIARY objects - LDIF is the only way to do this apparently.

version: 1 dn: cn=john smith,ou=people,dc=example,dc=com changetype: modify objectclass: inetorgperson objectclass: posixaccount uidnumber: 200 gidnumber: 203 homedirectory: /var/mail/example.com/jsmith objectclass: our Object dohicky: false gobbledegook: john ageatbirth: 0 dn: cn=sheri smith,ou=people,dc=example,dc=com changetype: modify objectclass: inetorgperson objectclass: posixaccount uidnumber: 201 gidnumber: 203 homedirectory: /var/mail/example.com/ssmith objectclass: our Object dohicky: true gobbledegook: sheri dn: cn=robert smith,ou=people,dc=example,dc=com changetype: modify objectclass: inetorgperson objectclass: posixaccount uidnumber: 202 gidnumber: 203 homedirectory: /var/mail/example.com/rsmith objectclass: our Object dohicky: false gobbledegook: robert ageatbirth: 17 Assuming we save the above LDIF as in our /tmp directory we load the LDIF file using ldapmodify with a command like this (line below is split for HTML formatting reasons only and should be on a single line): The ldaphost.should be replaced with whatever hostname your LDAP directory is located on.

They are not normally used directly by an LDAP application program except in the handling of controls and extended operations.

is a set of lightweight Basic Encoding Rules routines.

5.1 Simple Directory 5.1.1 Designing the DIT 5.1.2 Select the STRUCTURAL object Class 5.1.3 File 5.1.4 LDIF File 5.1.5 Loading the LDIF 5.1.6 Adding New Entries using LDIF 5.1.7 Modifying Entries using LDIF 5.1.8 Just Fooling Around 5.2 Securing the Directory 5.2.1 Security Policy 5.2.2 Adding Groups 5.2.3 ACL Access Definitions 5.2.4 Testing the ACL 5.3 Expanded Hierarchy 5.3.1 Requirement 5.3.2 Implementation 5.3.3 LDIF 5.3.4 ACL Access Definitions 5.3.5 Testing the ACL 5.4 Creating & Adding Objects 5.4.1 Requirement 5.4.2 Implementation 5.4.3 Attribute Definitions 5.4.4 object Class & Schema Definition 5.4.5 ACL Access Definitions 5.4.6 LDIF 5.4.7 Testing the Changes 5.5 Single Sign On 5.6 Referral and Replication In this section we create a number of attributes, an objectclass and a schema to package them for the future. The attribute's OID uses the suggested numbering convention.

||

The modified file is here: # ###### SAMPLE 4 - DIRECTORY with home-grown objectclass & attributes ############ # # NOTES: inetorgperson picks up attributes and objectclasses # from all three schemas # devices objectclass is in core.schema # posix Account is in nis.schema # add ourco.schema # # NB: RH Linux schemas in /etc/openldap # include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/ourco.schema # NO REFERRALS # DON'T bother with ARGS file # pidfle allows scripts for stopping slapd to work pidfile /var/run/# enable a lot of logging - we might need it loglevel -1 # NO dynamic backend modules # NO TLS-enabled connections ####################################################################### # bdb database definitions # # replace example and com below with a suitable domain # # If you don't have a domain you can leave it since # is reserved for experimentation or change them to My and inc ####################################################################### database bdb suffix "dc=example, dc=com" # ACL1 # only owner and itgroup can see or update access to attrs=userpassword by self write by anonymous auth by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write by * none # ACL1A # only itgroup can see and update access to attrs=homedirectory,uidnumber,gidnumber,loginshell,gecos by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write by * none # ACL2 # allow read of addressbook by owner and itpeople; no-one else see it access to dn.regex="^ou=addressbook,cn=([^,] ),ou=people,dc=example,dc=com$" attrs=entry by dn.exact,expand="cn=$1,ou=people,dc=example,dc=com" read by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write by users none # ACL3 # allows itgroup to create addressbook but not see entries access to dn.regex="cn=[^,] 
,ou=people,dc=example,dc=com$" attrs=children by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write by users none break # ACL4 # allow user to create entries in own addressbook; no-one else can access it # needs write access to the entries ENTRY attribute (ACL5) # and the entries CHILDREN (ACL4) access to dn.regex="ou=addressbook,cn=([^,] ),ou=people,dc=example,dc=com$" attrs=children by dn.regex,expand="cn=$1,ou=people,dc=example,dc=com" write by users none # ACL5 # allow one to create entries in its own addressbook; no-one else can access it # needs write access to the entries ENTRY attribute (ACL5) # and the entries CHILDREN (ACL4) access to dn.regex="ou=addressbook,cn=([^,] ),ou=people,dc=example,dc=com$" attrs=entry by dn.regex,expand="cn=$1,ou=people,dc=example,dc=com" write by users none # ACL6 # allow access to all entries in own addressbook; no-one else can access it access to dn.regex="ou=addressbook,cn=([^,] ),ou=people,dc=example,dc=com$" filter=(objectclass=inetorgperson) by dn.regex,expand="cn=$1,ou=people,dc=example,dc=com" write by users none # LDAP 2.2 replace ACL5 and ACL6 with #access to dn.regex="ou=addressbook,cn=([^,] ),ou=people,dc=example,dc=com$" # attrs=entry,@inetorgperson # by dn.regex,expand="cn=$1,ou=people,dc=example,dc=com" write # by users none # ACL7 # allows sales to create entries in customers # authenticated user can only read access to dn.one="ou=customers,dc=zytrax,dc=com" attr=children by group.exact="cn=salespeople,ou=groups,dc=example,dc=com" write by users read # ACL8 access to attr=carlicense,homepostaladdress,homephone,dohicky,ageatbirth by self write by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write by * none # ACL8A - control access to equipment access to dn.one="ou=equipment,dc=example,dc=com" by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write by users read by * none # ACL9 access to * by self write by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write by users read by * none 
# root or superuser rootdn "cn=jimbob, dc=example, dc=com" rootpw dirtysecret # The database directory MUST exist prior to running slapd AND # change path as ncessary directory /var/db/openldap/example-com # Indices to maintain for this directory # unique id so equality match only index uid eq # allows general searching on commonname, givenname and email index cn,gn,mail eq,sub # allows multiple variants on surname searching index sn eq,sub # sub above includes subintial,subany,subfinal # optimise department searches index ou eq # if searches will include object Class uncomment following # index object Class eq # shows use of default index parameter index default eq,sub # indices missing - uses default eq,sub index telephonenumber # other database parameters # read more in reference section cachesize 10000 checkpoint 128 15 # stop and start Open LDAP (slapd) # on Linux/Redhat /etc/rc.d/init.d/ldap restart # on BSD [bsd] /usr/local/etc/openldap/stop # then [bsd] /usr/local/etc/rc.d/start # confirm slapd is running ps ax | grep slapd The LDIF below updates our entries by adding the posix Account objectclass and its MUST attributes and the our Object object class and its MUST attributes: None of the LDAP browsers we used allowed us to add new AUXILIARY objects - LDIF is the only way to do this apparently.version: 1 dn: cn=john smith,ou=people,dc=example,dc=com changetype: modify objectclass: inetorgperson objectclass: posixaccount uidnumber: 200 gidnumber: 203 homedirectory: /var/mail/example.com/jsmith objectclass: our Object dohicky: false gobbledegook: john ageatbirth: 0 dn: cn=sheri smith,ou=people,dc=example,dc=com changetype: modify objectclass: inetorgperson objectclass: posixaccount uidnumber: 201 gidnumber: 203 homedirectory: /var/mail/example.com/ssmith objectclass: our Object dohicky: true gobbledegook: sheri dn: cn=robert smith,ou=people,dc=example,dc=com changetype: modify objectclass: inetorgperson objectclass: posixaccount uidnumber: 202 gidnumber: 203 
homedirectory: /var/mail/example.com/rsmith objectclass: our Object dohicky: false gobbledegook: robert ageatbirth: 17 Assuming we save the above LDIF as in our /tmp directory we load the LDIF file using ldapmodify with a command like this (line below is split for HTML formatting reasons only and should be on a single line): The ldaphost.should be replaced with whatever hostname your LDAP directory is located on.They are not normally used directly by an LDAP application program except in the handling of controls and extended operations.is a set of lightweight Basic Encoding Rules routines.5.1 Simple Directory 5.1.1 Designing the DIT 5.1.2 Select the STRUCTURAL object Class 5.1.3 File 5.1.4 LDIF File 5.1.5 Loading the LDIF 5.1.6 Adding New Entries using LDIF 5.1.7 Modifying Entries using LDIF 5.1.8 Just Fooling Around 5.2 Securing the Directory 5.2.1 Security Policy 5.2.2 Adding Groups 5.2.3 ACL Access Definitions 5.2.4 Testing the ACL 5.3 Expanded Hierarchy 5.3.1 Requirement 5.3.2 Implementation 5.3.3 LDIF 5.3.4 ACL Access Definitions 5.3.5 Testing the ACL 5.4 Creating & Adding Objects 5.4.1 Requirement 5.4.2 Implementation 5.4.3 Attribute Definitions 5.4.4 object Class & Schema Definition 5.4.5 ACL Access Definitions 5.4.6 LDIF 5.4.7 Testing the Changes 5.5 Single Sign On 5.6 Referral and Replication In this section we create a number of attributes, an objectclass and a schema to package them for the future. The attribute's OID uses the suggested numbering convention.

,ou=people,dc=example,dc=com" write by users none # LDAP 2.2 replace ACL5 and ACL6 with #access to dn.regex="ou=addressbook,cn=([^,] ),ou=people,dc=example,dc=com$" # attrs=entry,@inetorgperson # by dn.regex,expand="cn=

The modified slapd.conf file is here:

# ###### SAMPLE 4 - DIRECTORY with home-grown objectclass & attributes ############
#
# NOTES: inetorgperson picks up attributes and objectclasses
#        from all three schemas
#        devices objectclass is in core.schema
#        posixAccount is in nis.schema
#        add ourco.schema
#
# NB: RH Linux schemas in /etc/openldap
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/ourco.schema

# NO REFERRALS

# DON'T bother with ARGS file

# pidfile allows scripts for stopping slapd to work
pidfile /var/run/

# enable a lot of logging - we might need it
loglevel -1

# NO dynamic backend modules

# NO TLS-enabled connections
# (simple binds therefore send passwords in clear text; acceptable for this test setup only)

#######################################################################
# bdb database definitions
#
# replace example and com below with a suitable domain
#
# If you don't have a domain you can leave it since
# is reserved for experimentation or change them to My and inc
#######################################################################

database bdb
suffix "dc=example, dc=com"

# ACL1
# only owner and itgroup can see or update
access to attrs=userpassword
  by self write
  by anonymous auth
  by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write
  by * none

# ACL1A
# only itgroup can see and update
access to attrs=homedirectory,uidnumber,gidnumber,loginshell,gecos
  by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write
  by * none

# ACL2
# allow read of addressbook by owner and itpeople; no-one else sees it
access to dn.regex="^ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$" attrs=entry
  by dn.exact,expand="cn=$1,ou=people,dc=example,dc=com" read
  by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write
  by users none

# ACL3
# allows itgroup to create addressbook but not see entries
access to dn.regex="cn=[^,]+,ou=people,dc=example,dc=com$" attrs=children
  by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write
  by users none break

# ACL4
# allow user to create entries in own addressbook; no-one else can access it
# needs write access to the entries ENTRY attribute (ACL5)
# and the entries CHILDREN (ACL4)
access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$" attrs=children
  by dn.regex,expand="cn=$1,ou=people,dc=example,dc=com" write
  by users none

# ACL5
# allow one to create entries in its own addressbook; no-one else can access it
# needs write access to the entries ENTRY attribute (ACL5)
# and the entries CHILDREN (ACL4)
access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$" attrs=entry
  by dn.regex,expand="cn=$1,ou=people,dc=example,dc=com" write
  by users none

# ACL6
# allow access to all entries in own addressbook; no-one else can access it
access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$" filter=(objectclass=inetorgperson)
  by dn.regex,expand="cn=$1,ou=people,dc=example,dc=com" write
  by users none

# LDAP 2.2 replace ACL5 and ACL6 with
#access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$"
#  attrs=entry,@inetorgperson
#  by dn.regex,expand="cn=$1,ou=people,dc=example,dc=com" write
#  by users none

# ACL7
# allows sales to create entries in customers
# authenticated user can only read
# (the DN must lie under our suffix, dc=example,dc=com, or the rule never matches)
access to dn.one="ou=customers,dc=example,dc=com" attrs=children
  by group.exact="cn=salespeople,ou=groups,dc=example,dc=com" write
  by users read

# ACL8
access to attrs=carlicense,homepostaladdress,homephone,dohicky,ageatbirth
  by self write
  by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write
  by * none

# ACL8A - control access to equipment
access to dn.one="ou=equipment,dc=example,dc=com"
  by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write
  by users read
  by * none

# ACL9
access to *
  by self write
  by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write
  by users read
  by * none

# root or superuser
# a clear-text rootpw is for testing only; for anything else generate a
# hashed value with slappasswd (e.g. {SSHA}...) and paste that here
rootdn "cn=jimbob, dc=example, dc=com"
rootpw dirtysecret

# The database directory MUST exist prior to running slapd AND
# change path as necessary
directory /var/db/openldap/example-com

# Indices to maintain for this directory
# unique id so equality match only
index uid eq
# allows general searching on commonname, givenname and email
index cn,gn,mail eq,sub
# allows multiple variants on surname searching
index sn eq,sub
# sub above includes subinitial,subany,subfinal
# optimise department searches
index ou eq
# if searches will include objectClass uncomment following
# index objectClass eq
# shows use of default index parameter
index default eq,sub
# indices missing - uses default eq,sub
index telephonenumber

# other database parameters
# read more in reference section
cachesize 10000
checkpoint 128 15

Stop and start OpenLDAP (slapd), then confirm it is running:

# on Linux/Redhat
/etc/rc.d/init.d/ldap restart
# on BSD
[bsd] /usr/local/etc/openldap/stop
# then
[bsd] /usr/local/etc/rc.d/start
# confirm slapd is running
ps ax | grep slapd

The LDIF below updates our entries by adding the posixAccount objectclass and its MUST attributes, and the ourObject objectclass and its MUST attributes. None of the LDAP browsers we used allowed us to add new AUXILIARY objectclasses; LDIF is apparently the only way to do this. Each attribute in a modify record needs its own add: line, the changes are separated by a line holding a single '-', and inetorgperson is not re-added because the entries already carry it (re-adding an existing value is rejected):

version: 1
dn: cn=john smith,ou=people,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: posixAccount
objectclass: ourObject
-
add: uidnumber
uidnumber: 200
-
add: gidnumber
gidnumber: 203
-
add: homedirectory
homedirectory: /var/mail/example.com/jsmith
-
add: dohicky
dohicky: false
-
add: gobbledegook
gobbledegook: john
-
add: ageatbirth
ageatbirth: 0

dn: cn=sheri smith,ou=people,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: posixAccount
objectclass: ourObject
-
add: uidnumber
uidnumber: 201
-
add: gidnumber
gidnumber: 203
-
add: homedirectory
homedirectory: /var/mail/example.com/ssmith
-
add: dohicky
dohicky: true
-
add: gobbledegook
gobbledegook: sheri

dn: cn=robert smith,ou=people,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: posixAccount
objectclass: ourObject
-
add: uidnumber
uidnumber: 202
-
add: gidnumber
gidnumber: 203
-
add: homedirectory
homedirectory: /var/mail/example.com/rsmith
-
add: dohicky
dohicky: false
-
add: gobbledegook
gobbledegook: robert
-
add: ageatbirth
ageatbirth: 17

Assuming we save the above LDIF as a file in our /tmp directory, we load it using ldapmodify with a command like this (the line below is split for HTML formatting reasons only and should be on a single line):

The ldaphost should be replaced with whatever hostname your LDAP directory is located on.
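Before anyone binds to the directory it is worth checking what the ACL list above actually grants. The Python script below is an added example, not code from the zytrax page or from OpenLDAP: it encodes the page's ACL1 to ACL6, ACL8A and ACL9 (ACL7 and ACL8 are left out because no case below touches them) and evaluates them the way slapd.access(5) describes: directives are tried in order and the first whose target matches is used, inside it the first matching by clause decides, a clause carrying the break control hands the request on to the next matching directive, and a list that matches nothing ends in the implicit by * none. The group memberships (sheri in itpeople, robert in hrpeople), the addressbook DNs and the normalised DN form (lower case, no blanks after commas) are constructed for the example; dn.regex,expand is treated as an exact comparison after $1 substitution, which is what the page's templates amount to.

```python
"""Simulate slapd access-directive evaluation for the SAMPLE 4 ACLs above.

Added example, not from the zytrax page or from OpenLDAP.  Directives are tried in
order and the first whose <what> covers the target is used; within it the first
matching <by> clause decides; 'break' hands over to the next matching directive; an
unmatched list ends in the implicit 'by * none'.  DNs are in slapd's normalised form.
"""
import re

BASE = "ou=people,dc=example,dc=com"
IT = "cn=itpeople,ou=groups,dc=example,dc=com"
HR = "cn=hrpeople,ou=groups,dc=example,dc=com"
JOHN, SHERI, ROBERT = (f"cn={n} smith,{BASE}" for n in ("john", "sheri", "robert"))
GROUPS = {IT: {SHERI}, HR: {ROBERT}}      # constructed memberships; the page only defines the groups
LEVELS = ("none", "auth", "compare", "search", "read", "write")   # cumulative, lowest first


def acl(by, dn=None, attrs=None, oc=None):
    """One 'access to' directive.  dn=(style, value) with style 'regex' or 'one'; attrs=None
    means no attrs= clause (any attribute, 'entry' and 'children' included); oc stands in
    for filter=(objectclass=<oc>); by is [(who, level[, 'break']), ...] in file order."""
    return {"dn": dn, "attrs": set(attrs) if attrs else None, "oc": oc, "by": by}


ACLS = [  # ACL7 and ACL8 are omitted: no case below touches them
    acl(attrs=["userpassword"],                                                          # ACL1
        by=[("self", "write"), ("anonymous", "auth"), ("group:" + IT, "write"), ("*", "none")]),
    acl(attrs=["homedirectory", "uidnumber", "gidnumber", "loginshell", "gecos"],        # ACL1A
        by=[("group:" + IT, "write"), ("*", "none")]),
    acl(dn=("regex", r"^ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$"), attrs=["entry"],  # ACL2
        by=[("expand:cn=$1," + BASE, "read"), ("group:" + IT, "write"), ("users", "none")]),
    acl(dn=("regex", r"cn=[^,]+,ou=people,dc=example,dc=com$"), attrs=["children"],       # ACL3
        by=[("group:" + IT, "write"), ("users", "none", "break")]),
    acl(dn=("regex", r"ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$"), attrs=["children"],  # ACL4
        by=[("expand:cn=$1," + BASE, "write"), ("users", "none")]),
    acl(dn=("regex", r"ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$"), attrs=["entry"],     # ACL5
        by=[("expand:cn=$1," + BASE, "write"), ("users", "none")]),
    acl(dn=("regex", r"ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$"), oc="inetorgperson",  # ACL6
        by=[("expand:cn=$1," + BASE, "write"), ("users", "none")]),
    acl(dn=("one", "ou=equipment,dc=example,dc=com"),                                   # ACL8A
        by=[("group:" + IT, "write"), ("users", "read"), ("*", "none")]),
    acl(by=[("self", "write"), ("group:" + HR, "write"), ("users", "read"), ("*", "none")]),  # ACL9
]


def what_matches(a, target, attr, ocs):
    """The regex match (or True) when the directive covers target/attr, else None."""
    m = True
    if a["dn"]:
        style, value = a["dn"]
        if style == "regex":
            m = re.search(value, target)          # dn.regex is unanchored unless ^ and $ are written
            if not m:
                return None
        elif style == "one" and target.partition(",")[2] != value:   # exactly one level below
            return None
    if a["attrs"] is not None and attr not in a["attrs"]:
        return None
    if a["oc"] is not None and a["oc"] not in ocs:
        return None
    return m


def who_matches(who, requester, target, m):
    """requester is a bind DN or None for anonymous; m is the dn.regex match used for $1."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester == target
    kind, _, value = who.partition(":")
    if kind == "group":
        return requester in GROUPS.get(value, ())
    if kind == "expand":   # dn.exact,expand / dn.regex,expand: compare after substituting $1..
        return requester == re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), value)
    raise ValueError(f"unknown <by> clause {who!r}")


def access(target, attr, requester, ocs=()):
    """The level slapd grants requester on target's attr ('entry' and 'children' are attrs too)."""
    granted = "none"
    for a in ACLS:
        m = what_matches(a, target, attr, ocs)
        if m is None:
            continue
        for who, level, *control in a["by"]:
            if who_matches(who, requester, target, m):
                granted = level
                if control == ["break"]:
                    break                      # leave this directive, carry on with the next one
                return granted
        else:
            return "none"                      # <what> matched but no <by> did: implicit 'by * none'
    return granted   # nothing further matched: a 'break' level stands, else 'access to * by * none'


def allows(target, attr, requester, wanted, ocs=()):
    """True when the granted level is at least 'wanted' (levels are cumulative)."""
    return LEVELS.index(access(target, attr, requester, ocs)) >= LEVELS.index(wanted)


if __name__ == "__main__":
    book = f"ou=addressbook,{JOHN}"
    for who, name in ((None, "anonymous"), (JOHN, "john"), (SHERI, "sheri/it"), (ROBERT, "robert/hr")):
        print(f"{name:10} userpassword={access(JOHN, 'userpassword', who):5} "
              f"book.entry={access(book, 'entry', who):5} book.children={access(book, 'children', who)}")
```

Running it prints a small table for john's password and addressbook. Three points it makes visible: ACL2's regex is anchored with ^ so it covers only the addressbook container (john gets read there), while ACL4 to ACL6 are unanchored and so also cover the cards inside it (john gets write on those); john only reaches ACL4's write on the container's children because ACL3's `by users none break` hands his request on instead of stopping at none; and ACL1A stops the owner reading his own homedirectory, exactly as its comment says.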



Chapter 5 contents:

5.1 Simple Directory
    5.1.1 Designing the DIT
    5.1.2 Select the STRUCTURAL objectClass
    5.1.3 File
    5.1.4 LDIF File
    5.1.5 Loading the LDIF
    5.1.6 Adding New Entries using LDIF
    5.1.7 Modifying Entries using LDIF
    5.1.8 Just Fooling Around
5.2 Securing the Directory
    5.2.1 Security Policy
    5.2.2 Adding Groups
    5.2.3 ACL Access Definitions
    5.2.4 Testing the ACL
5.3 Expanded Hierarchy
    5.3.1 Requirement
    5.3.2 Implementation
    5.3.3 LDIF
    5.3.4 ACL Access Definitions
    5.3.5 Testing the ACL
5.4 Creating & Adding Objects
    5.4.1 Requirement
    5.4.2 Implementation
    5.4.3 Attribute Definitions
    5.4.4 objectClass & Schema Definition
    5.4.5 ACL Access Definitions
    5.4.6 LDIF
    5.4.7 Testing the Changes
5.5 Single Sign On
5.6 Referral and Replication

In this section we create a number of attributes, an objectclass and a schema to package them for the future.



As part of the corporate analysis to exploit still further the wildly successful adoption of LDAP, our corporate masters have decided that we will add the following capabilities to our currently operational directory:

We have striven mightily to see if we can re-use any existing attributes of the inetorgperson objectClass (essentially, use an existing attribute with the right SYNTAX even though its original 'purpose' was designed for another usage) and failed miserably. Here is what we decided, or in most cases had, to do:

The attribute's OID uses the suggested numbering convention. We use the standard PrintableString syntax OID (1.3.6.1.4.1.1466.115.121.1.44) and define a maximum length of 200 characters (in braces or curly brackets) for the attribute.
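The attribute rules above (MUST attributes of each objectclass, a PrintableString syntax capped at 200 characters) are what slapd enforces when the modify LDIF from the previous section is loaded, and slapd enforces them only after all changes of one modify record have been applied, which is why a new AUXILIARY class and its MUST attributes have to travel in the same record. The following Python script is an added example for both passages; it is not code from the zytrax page or from OpenLDAP. It parses a changetype: modify LDIF, applies each record to a constructed copy of the entry and reports what slapd would reject. The MUST lists for inetOrgPerson and posixAccount follow their RFCs; the ourObject MUST set (dohicky, gobbledegook) is inferred from the page's LDIF, where sheri's record has no ageatbirth, and the PrintableString{200} syntax is assumed to belong to gobbledegook. The starting entry and the sample LDIF are constructed to match the page's john smith.

```python
"""Offline pre-flight for a 'changetype: modify' LDIF: apply each record to a copy of
the entry and report what slapd would reject.  Added example, not from the zytrax page
or from OpenLDAP; MUST lists and the gobbledegook syntax are noted as assumed below."""
import re

MUST = {"inetorgperson": {"cn", "sn"},                                          # RFC 2798/4519
        "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},  # RFC 2307
        "ourobject": {"dohicky", "gobbledegook"}}     # inferred: sheri's record has no ageatbirth
SYNTAX = {"gobbledegook": 200}            # assumed: the page's PrintableString{200} attribute
PRINTABLE = re.compile(r"^[A-Za-z0-9 '()+,\-./:=?]+$")   # RFC 4517 PrintableString alphabet
BASE = "ou=people,dc=example,dc=com"

# Constructed starting entry, as the earlier samples leave it (an inetOrgPerson with a uid).
DIRECTORY = {f"cn=john smith,{BASE}": {"objectclass": ["inetOrgPerson"], "cn": ["john smith"],
                                        "sn": ["smith"], "uid": ["jsmith"]}}

# The page's record for john in valid modify form: one add: per attribute, '-' between changes.
SAMPLE_LDIF = f"""version: 1
dn: cn=john smith,{BASE}
changetype: modify
add: objectclass
objectclass: posixAccount
objectclass: ourObject
-
add: uidNumber
uidNumber: 200
-
add: gidNumber
gidNumber: 203
-
add: homeDirectory
homeDirectory: /var/mail/example.com/jsmith
-
add: dohicky
dohicky: false
-
add: gobbledegook
gobbledegook: john
"""


def parse_modify_ldif(text):
    """[(dn, [(op, attr, [values]), ...])] per record.  Attribute lines must follow an
    add:/replace:/delete: line, exactly as ldapmodify insists."""
    records = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = [l for l in block.splitlines() if l.strip() and not l.startswith(("#", "version:"))]
        dn = lines[0].partition(":")[2].strip().lower()
        changes, cur = [], None
        for line in lines[1:]:
            key, _, value = (x.strip() for x in line.partition(":"))
            key = key.lower()
            if key == "changetype" or line.strip() == "-":           # '-' closes one change
                cur = None
            elif cur is None:
                if key not in ("add", "replace", "delete"):
                    raise ValueError(f"{dn}: modify operation type is missing before {line!r}")
                cur = (key, value.lower(), [])
                changes.append(cur)
            elif key == cur[1]:
                cur[2].append(value)
            else:
                raise ValueError(f"{dn}: {key!r} inside the change for {cur[1]!r}")
        records.append((dn, changes))
    return records


def apply_modify(entry, changes):
    """Apply one modify to a copy of entry ({attr: [values]}) with slapd's add/replace/delete rules."""
    new = {k: list(v) for k, v in entry.items()}
    for op, attr, values in changes:
        have = new.setdefault(attr, [])
        if op == "add":
            for v in values:
                if v.lower() in (h.lower() for h in have):      # attributeOrValueExists
                    raise ValueError(f"{attr}: value {v!r} already exists")
                have.append(v)
        elif op == "replace":
            new[attr] = list(values)
        else:                                                   # delete: named values, or all
            new[attr] = [h for h in have if h not in values] if values else []
    return {k: v for k, v in new.items() if v}


def schema_violations(entry):
    """What slapd reports once the whole modify is applied: MUST gaps, then syntax errors."""
    problems = []
    for oc in entry.get("objectclass", []):
        for attr in sorted(MUST.get(oc.lower(), set()) - set(entry)):
            problems.append(f"objectClassViolation: {oc} requires {attr}")
    for attr, maxlen in SYNTAX.items():
        for v in entry.get(attr, []):
            if len(v) > maxlen or not PRINTABLE.match(v):
                problems.append(f"invalidAttributeSyntax: {attr} {v!r} is not PrintableString{{{maxlen}}}")
    return problems


def check(ldif_text, directory=DIRECTORY):
    """{dn: [problems]} for every record; an empty list means slapd would accept it."""
    result = {}
    for dn, changes in parse_modify_ldif(ldif_text):
        try:
            result[dn] = schema_violations(apply_modify(directory[dn], changes))
        except ValueError as e:
            result[dn] = [str(e)]
    return result
```

check(SAMPLE_LDIF) returns an empty problem list for john. Delete the gidNumber change from the text and the same call reports that posixAccount now lacks a MUST attribute, which is the objectClassViolation slapd would return for the whole record; put an '@' or a 201st character into gobbledegook and schema_violations() flags the syntax. Feed parse_modify_ldif() a record in the shape the page printed originally (attribute lines straight after changetype: modify, no add: line) and it raises "modify operation type is missing", the same complaint ldapmodify makes; re-adding inetorgperson to an entry that already has it fails in apply_modify() as attributeOrValueExists.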


There are many annoying things in this life, but one of them is what we call the 'squirrel complex', which is defined as an unnatural desire to hide things, like meaning and usage.

Lord Byron, the poet, was reputedly asked once about the meaning of a line from one of his poems.

You can save these schemas anywhere; it is just easier if they are all in the same place.