[Pkg-openldap-devel] r1101 - openldap/trunk/debian
rra at alioth.debian.org
Fri Feb 15 01:31:21 UTC 2008
Author: rra
Date: 2008-02-15 01:31:20 +0000 (Fri, 15 Feb 2008)
New Revision: 1101
Modified:
openldap/trunk/debian/changelog
openldap/trunk/debian/slapd.README.Debian
Log:
* Reformat, reorganize, and update slapd's README.Debian.
- Include SASL configuration information.
- Remove LDBM information, since upstream no longer even ships LDBM
and the debconf prompting and maintainer scripts already take care
of any lingering databases.
Modified: openldap/trunk/debian/changelog
===================================================================
--- openldap/trunk/debian/changelog 2008-02-15 00:28:53 UTC (rev 1100)
+++ openldap/trunk/debian/changelog 2008-02-15 01:31:20 UTC (rev 1101)
@@ -21,6 +21,11 @@
[ Russ Allbery ]
* Add a stamp file for the configure rule to avoid rerunning configure
needlessly. Closes: #465588.
+ * Reformat, reorganize, and update slapd's README.Debian.
+ - Include SASL configuration information.
+ - Remove LDBM information, since upstream no longer even ships LDBM
+ and the debconf prompting and maintainer scripts already take care
+ of any lingering databases.
-- Steve Langasek <vorlon at debian.org> Sat, 09 Feb 2008 18:02:00 -0800
Modified: openldap/trunk/debian/slapd.README.Debian
===================================================================
--- openldap/trunk/debian/slapd.README.Debian 2008-02-15 00:28:53 UTC (rev 1100)
+++ openldap/trunk/debian/slapd.README.Debian 2008-02-15 01:31:20 UTC (rev 1101)
@@ -1,108 +1,123 @@
Notes about Debian's slapd package
----------------------------------
-++ Logging
+Using BDB/HDB Backends
- slapd logs to the facility local4. If you want to direct slapd's logs
- to a separate log file, add a line like:
+ HDB is the recommended database backend. It's the same as BDB but
+ allows some additional operations.
+
+ slapd BDB and HDB backends rely on libdb to store data on your disks.
+ libdb uses a configuration file to tune database specific
+ parameters. This file is called DB_CONFIG, and should be created in each
+ directory containing one of your ldap databases, usually /var/lib/ldap.
- local4.debug /var/log/slapd.log
+ It is VERY IMPORTANT to correctly setup a DB_CONFIG file. It is not
+ just a matter of performance: depending on the version of slapd and
+ libdb being used, your slapd may just hang and stop answering queries.
- to /etc/syslog.conf. You may also want to add ";local4.none" to the
- catch-all entry that logs to /var/log/messages so that it doesn't
- continue to receive slapd logs.
+ To correctly set up your DB_CONFIG file, please refer to
+ README.DB_CONFIG.gz in this directory.
-++ BerkeleyDB version
+BerkeleyDB Version
- slapd has been built against version 4.2 of BerkeleyDB. This version
- is faster and more stable than later versions for the use to which
- OpenLDAP puts it. There are remaining performance problems with
- BerkeleyDB 4.6 that have not yet been resolved, but it looks likely
- that eventually slapd will be able to use 4.6. All intermediate
- versions (4.3 through 4.5) either had serious stability bugs or serious
- performance issues.
+ slapd has been built against version 4.2 of BerkeleyDB. This version is
+ faster and more stable than later versions for the use to which OpenLDAP
+ puts it. There are remaining performance problems with BerkeleyDB 4.6
+ that have not yet been resolved, but it looks likely that eventually
+ slapd will be able to use 4.6. All intermediate versions (4.3 through
+ 4.5) either had serious stability bugs or serious performance issues.
- slapd will automatically handle database recovery, so you generally do
- not need the BerkeleyDB 4.2 utilities. However, if you want to perform
- other operations directly on the raw database without using the slapd
- tools, install db4.2-util and use those BerkeleyDB utilities. Utilities
- from other db*-util packages will not work correctly and may render the
- database unusable by slapd.
+ slapd will automatically handle database recovery, so you generally do
+ not need the BerkeleyDB 4.2 utilities. However, if you want to perform
+ other operations directly on the raw database without using the slapd
+ tools, install db4.2-util and use those BerkeleyDB utilities. Utilities
+ from other db*-util packages will not work correctly and may render the
+ database unusable by slapd.
-++ TCP wrappers
+Logging
- The Debian slapd package is compiled with TCP wrappers. This means that
- you are able to restrict access to the LDAP server using
- /etc/hosts.deny or /etc/hosts.allow.
+ slapd logs to the facility local4. If you want to direct slapd's logs to
+ a separate log file, add a line like:
-++ Using BDB/HDB backends
-
- slapd BDB and HDB backends rely on libdb to store data on your
- disks. libdb uses a configuration file to tune database specific
- parameters. This file is called DB_CONFIG, and should be created in
- each directory containing one of your ldap databases, usually
- /var/lib/ldap.
+ local4.debug /var/log/slapd.log
- It is VERY IMPORTANT to correctly setup a DB_CONFIG file. It is not
- just a matter of performance: depending on the version of slapd and
- libdb being used, your slapd may just hang and stop answering
- queries.
+ to /etc/syslog.conf. You may also want to add ";local4.none" to the
+ catch-all entry that logs to /var/log/messages so that it doesn't
+ continue to receive slapd logs.
- To correctly setup your DB_CONFIG file, please refer to
- README.DB_CONFIG.gz in this directory.
+SASL Configuration
-++ Running slapd under a different uid/gid
+ To enable GSSAPI (Kerberos) authentication to slapd, install either the
+ libsasl2-modules-gssapi-mit or libsasl2-modules-gssapi-heimdal packages
+ depending on which Kerberos implementation you want to use.
+
+ SASL configuration files may be placed either in /usr/lib/sasl2 (the
+ standard path, but not a great place for configuration files) or in
+ /etc/ldap/sasl2. A SASL configuration file should be named after the
+ program that will use it. So, for instance, to configure SASL for
+ slapd, create a file named slapd.conf in /etc/ldap/sasl2 or in
+ /usr/lib/sasl2.
+
+TCP Wrappers
+
+ The Debian slapd package is compiled with TCP wrappers. This means that
+ you are able to restrict access to the LDAP server using /etc/hosts.deny
+ or /etc/hosts.allow.
+
+Running slapd under a Different UID/GID
- By default, slapd runs as openldap in the openldap group. Keeping the
- default is easiest. If for some reason you need to run slapd as a
- different user:
+ By default, slapd runs as openldap in the openldap group. Keeping the
+ default is easiest. If for some reason you need to run slapd as a
+ different user:
- - create the user/group for slapd -- usually:
- adduser --system --group <group> --disabled-login <user>
- - stop slapd -- /etc/init.d/slapd stop
- - tell slapd to run under a different uid:
- - edit /etc/default/slapd
- - set SLAPD_USER, SLAPD_GROUP
- (ie, SLAPD_USER="ldap", SLAPD_GROUP="ldap")
- - tell linux slapd can access all database files -- usually:
- chown -R <user>:<group> /var/lib/ldap
- - tell linux slapd can access configuration files -- usually:
- chgrp <group> /etc/ldap/slapd.conf
- chmod 0640 /etc/ldap/slapd.conf
- - tell linux slapd can access /var/run/slapd and writes his pid file
- chgrp <group> /var/run/slapd
- chmod 0770 /var/run/slapd
- - start slapd -- /etc/init.d/slapd start
+ - Create the user/group for slapd -- usually:
- Once you have done so, remember to always run any utilities that access
- or update the database (such as slapadd) as the same user that slapd is
- running as. If you forget, you will need to redo the chown noted above.
+ adduser --system --group <group> --disabled-login <user>
-++ No LDBM backend support
+ - Stop slapd:
- The Debian slapd package no longer includes support for the LDBM
- backend. It has been disabled as a result of concerns over data loss
- and lack of upstream support. For more information, see:
- http://www.openldap.org/faq/index.cgi?_highlightWords=ldbm&file=756
+ /etc/init.d/slapd stop
- The HDB backend is now the recommended backend to use. The BDB backend
- is also supported. Other backends are generally not recommended by
- upstream except in special circumstances.
+ - Tell slapd to run under a different UID by editing /etc/default/slapd
+ and setting SLAPD_USER and SLAPD_GROUP. (For example,
+ SLAPD_USER="ldap", SLAPD_GROUP="ldap")
-++ If slapd depends on other service (such as SQL)
+ - Tell linux slapd can access all database files -- usually:
- In the event that you are running slapd with a different back-end module
- that depends on other programs (such as an SQL database) you may need to
- adjust the runlevels of slapd to start after the SQL database.
+ chown -R <user>:<group> /var/lib/ldap
-++ Creating NSS flat files from LDAP
+ - Tell linux slapd can access configuration files -- usually:
- If you have need to create passwd/shadow/etc files from an LDAP
- directory there is now a script included with these Debian packages
- which may help you. The script is in /usr/share/slapd/ and is named
- 'ldiftopasswd'. In general you should be able to do:
+ chgrp <group> /etc/ldap/slapd.conf
+ chmod 0640 /etc/ldap/slapd.conf
+
+ - Tell linux slapd can access /var/run/slapd and write a PID file:
+
+ chgrp <group> /var/run/slapd
+ chmod 0770 /var/run/slapd
+
+ - Start slapd -- /etc/init.d/slapd start
+
+ Once you have done so, remember to always run any utilities that access
+ or update the database (such as slapadd) as the same user that slapd is
+ running as. If you forget, you will need to redo the chown noted above.
+
+If slapd Depends on Other Service
+
+ In the event that you are running slapd with a different back-end module
+ that depends on other programs (such as an SQL database) you may need to
+ adjust the runlevels of slapd to start after the SQL database.
+
+Creating NSS Flat Files from LDAP
+
+ If you have need to create passwd/shadow/etc files from an LDAP
+ directory there is now a script included with these Debian packages
+ which may help you. The script is in /usr/share/slapd/ and is named
+ ldiftopasswd. In general you should be able to do:
+
ldapsearch | ldiftopasswd
- and it will generate the files for you. You will need appropriate
- privileges, of course.
- -- Russ Allbery <rra at debian.org>, Thu, 20 Dec 2007 23:50:16 -0800
+ and it will generate the files for you. You will need appropriate
+ privileges, of course, and appropriate arguments to ldapsearch.
+
+ -- Russ Allbery <rra at debian.org>, Thu, 14 Feb 2008 17:28:39 -0800
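Review bot: the new SASL Configuration section says where to create the slapd.conf SASL file (/etc/ldap/sasl2 or /usr/lib/sasl2) but not who should be able to read it, while the "Running slapd under a Different UID/GID" section in the same hunk already prescribes `chgrp <group> /etc/ldap/slapd.conf` and `chmod 0640 /etc/ldap/slapd.conf` for the main configuration; the same ownership and mode guidance belongs next to the SASL file, since slapd reads it under the same user. The TCP Wrappers paragraph likewise still leaves the reader to guess which daemon name to match in /etc/hosts.allow and /etc/hosts.deny; a one-line example entry would close that gap. Two wording points: the heading "If slapd Depends on Other Service" should read "Other Services", and the three steps beginning "Tell linux slapd can access" carry over the old text's missing "that" and read better as "Make sure slapd can read the database files", "can read the configuration files", and "can write its PID file to /var/run/slapd".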