
OpenLDAPAdminGuide/DatabaseCreationAndMaintenanceTools

From Ubuntu中文 (the Ubuntu Chinese wiki)


Database Creation and Maintenance Tools

This section tells you how to create a slapd database from scratch, and how to troubleshoot if you run into problems. There are two ways to create a database. First, you can create the database on-line using LDAP. With this method, you simply start up slapd and add entries using the LDAP client of your choice. This method is fine for relatively small databases (a few hundred or thousand entries, depending on your requirements). This method works for database types which support updates.

The second method of database creation is to do it off-line using special utilities provided with slapd. This method is best if you have many thousands of entries to create, which would take an unacceptably long time using the LDAP method, or if you want to ensure the database is not accessed while it is being created. Note that not all database types support these utilities.

Creating a database over LDAP

With this method, you use the LDAP client of your choice (e.g., ldapadd(1)) to add entries, just like you would once the database is created. You should be sure to set the following options in the configuration file before starting slapd(8).

suffix <dn>

As described in the General Database Directives section, this option defines which entries are to be held by this database. You should set this to the DN of the root of the subtree you are trying to create. For example:

suffix "dc=example,dc=com"

You should be sure to specify a directory where the index files should be created:

directory <directory>

For example:

directory /usr/local/var/openldap-data

You need to create this directory with appropriate permissions such that slapd can write to it.

You need to configure slapd so that you can connect to it as a directory user with permission to add entries. You can configure the directory to support a special super-user or root user just for this purpose. This is done through the following two options in the database definition:

rootdn <dn>
rootpw <passwd>

For example:

rootdn "cn=Manager,dc=example,dc=com"
rootpw secret

These options specify a DN and password that can be used to authenticate as the super-user entry of the database (i.e., the entry allowed to do anything). The DN and password specified here will always work, regardless of whether the entry named actually exists or has the password given. This solves the chicken-and-egg problem of how to authenticate and add entries before any entries yet exist.

Finally, you should make sure that the database definition contains the index definitions you want:

index {<attrlist> | default} [pres,eq,approx,sub,none]

For example, to index the cn, sn, uid and objectClass attributes, the following index directives could be used:

index cn,sn,uid pres,eq,approx,sub
index objectClass eq

This would create presence, equality, approximate, and substring indices for the cn, sn, and uid attributes and an equality index for the objectClass attribute. Note that not all index types are available with all attribute types. See The slapd Configuration File section for more information on this option.
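The directives above assembled into one complete database definition, as an added example that is not from the original page. The "database" line and the hashed rootpw are assumptions: the page names no backend type, and slapd accepts either the cleartext form shown above (rootpw secret) or a hash produced by slappasswd(8), which keeps the super-user password out of the config file in the clear. slapd.conf comments must start at the beginning of a line.

```conf
# Added example: database definition built from this section's directives.
# Backend type is an assumption; the page does not name one.
database  bdb
suffix    "dc=example,dc=com"
# Must exist and be writable by the slapd user only (see above).
directory /usr/local/var/openldap-data
rootdn    "cn=Manager,dc=example,dc=com"
# "rootpw secret" works as shown above, but this DN/password pair always
# authenticates, so store a slappasswd(8) hash instead of the cleartext.
# The value below is a placeholder, not a real hash.
rootpw    {SSHA}REPLACE-WITH-slappasswd-OUTPUT
index     cn,sn,uid pres,eq,approx,sub
index     objectClass eq
```

Keep the configuration file itself readable only by the account slapd runs as, since whoever can read it holds the rootpw value.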

Once you have configured things to your liking, start up slapd, connect with your LDAP client, and start adding entries. For example, to add an organization entry and an organizational role entry using the ldapadd tool, you could create an LDIF file called entries.ldif with the contents:

# Organization for Example Corporation
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example Corporation
description: The Example Corporation

# Organizational Role for Directory Manager
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

and then use a command like this to actually create the entries:

ldapadd -f entries.ldif -x -D "cn=Manager,dc=example,dc=com" -w secret

The above command assumes the settings provided in the above examples.

Creating a database off-line

The second method of database creation is to do it off-line, using the slapd database tools described below. This method is best if you have many thousands of entries to create, which would take an unacceptably long time to add using the LDAP method described above. These tools read the slapd configuration file and an input file containing a text representation of the entries to add. For database types which support the tools, they produce the database files directly (otherwise you must use the on-line method above). There are several important configuration options you will want to be sure to set in the config file database definition first:

suffix <dn>

As described in the General Database Directives section, this option defines which entries are to be held by this database. You should set this to the DN of the root of the subtree you are trying to create. For example:

suffix "dc=example,dc=com"

You should be sure to specify a directory where the index files should be created:

directory <directory>

For example:

directory /usr/local/var/openldap-data

Finally, you need to specify which indices you want to build. This is done by one or more index options.

index {<attrlist> | default} [pres,eq,approx,sub,none]

For example:

index cn,sn,uid pres,eq,approx,sub
index objectClass eq

This would create presence, equality, approximate, and substring indices for the cn, sn, and uid attributes and an equality index for the objectClass attribute. Note that not all index types are available with all attribute types. See The slapd Configuration File section for more information on this option.

The slapadd program

Once you've configured things to your liking, you create the primary database and associated indices by running the slapadd(8) program:

slapadd -l <inputfile> -f <slapdconfigfile> [-d <debuglevel>] [-n <databasenumber>|-b <suffix>]

The arguments have the following meanings:

-l <inputfile>

Specifies the LDIF input file containing the entries to add in text form (described below in The LDIF text entry format section).

-f <slapdconfigfile>

Specifies the slapd configuration file that tells where to create the indices, what indices to create, etc.

-d <debuglevel>

Turn on debugging, as specified by <debuglevel>. The debug levels are the same as for slapd. See the Command-Line Options section in Running slapd.

-n <databasenumber>

An optional argument that specifies which database to modify. The first database listed in the configuration file is 1, the second 2, etc. By default, the first database in the configuration file is used. Should not be used in conjunction with -b.

-b <suffix>

An optional argument that specifies which database to modify. The provided suffix is matched against a database suffix directive to determine the database number. Should not be used in conjunction with -n.

The slapindex program

Sometimes it may be necessary to regenerate indices (such as after modifying slapd.conf(5)). This is possible using the slapindex(8) program. slapindex is invoked like this:

slapindex -f <slapdconfigfile> [-d <debuglevel>] [-n <databasenumber>|-b <suffix>]

Where the -f, -d, -n and -b options are the same as for the slapadd(8) program. slapindex rebuilds all indices based upon the current database contents.

The slapcat program

The slapcat program is used to dump the database to an LDIF file. This can be useful when you want to make a human-readable backup of your database or when you want to edit your database off-line. The program is invoked like this:

slapcat -l <filename> -f <slapdconfigfile> [-d <debuglevel>] [-n <databasenumber>|-b <suffix>]

where -n or -b is used to select the database in the slapd.conf(5) specified using -f. The corresponding LDIF output is written to standard output or to the file specified using the -l option.

The LDIF text entry format

The LDAP Data Interchange Format (LDIF) is used to represent LDAP entries in a simple text format. This section provides a brief description of the LDIF entry format which complements ldif(5) and the technical specification RFC2849.

The basic form of an entry is:

# comment
dn: <distinguished name>
<attrdesc>: <attrvalue>
<attrdesc>: <attrvalue>

...

Lines starting with a '#' character are comments. An attribute description may be a simple attribute type like cn or objectClass or 1.2.3 (an OID associated with an attribute type) or may include options such as cn;lang_en_US or userCertificate;binary.

A line may be continued by starting the next line with a single space or tab character. For example:

dn: cn=Barbara J Jensen,dc=example,dc=
 com
cn: Barbara J
 Jensen

is equivalent to:

dn: cn=Barbara J Jensen,dc=example,dc=com
cn: Barbara J Jensen

Multiple attribute values are specified on separate lines, e.g.,

cn: Barbara J Jensen
cn: Babs Jensen

If an <attrvalue> contains non-printing characters or begins with a space, a colon (':'), or a less than ('<'), the <attrdesc> is followed by a double colon and the base64 encoding of the value. For example, the value " begins with a space" would be encoded like this:

cn:: IGJlZ2lucyB3aXRoIGEgc3BhY2U=

You can also specify a URL containing the attribute value. For example, the following specifies that the jpegPhoto value should be obtained from the file /path/to/file.jpeg.

jpegPhoto:< file:///path/to/file.jpeg

Multiple entries within the same LDIF file are separated by blank lines. Here's an example of an LDIF file containing three entries.

# Barbara's Entry
dn: cn=Barbara J Jensen,dc=example,dc=com
cn: Barbara J Jensen
cn: Babs Jensen
objectClass: person
sn: Jensen

# Bjorn's Entry
dn: cn=Bjorn J Jensen,dc=example,dc=com
cn: Bjorn J Jensen
cn: Bjorn Jensen
objectClass: person
sn: Jensen
# Base64 encoded JPEG photo
jpegPhoto:: /9j/4AAQSkZJRgABAAAAAQABAAD/2wBDABALD
A4MChAODQ4SERATGCgaGBYWGDEjJR0oOjM9PDkzODdASFxOQ
ERXRTc4UG1RV19iZ2hnPk1xeXBkeFxlZ2P/2wBDARESEhgVG

# Jennifer's Entry
dn: cn=Jennifer J Jensen,dc=example,dc=com
cn: Jennifer J Jensen
cn: Jennifer Jensen
objectClass: person
sn: Jensen
# JPEG photo from file
jpegPhoto:< file:///path/to/file.jpeg

Notice that the jpegPhoto in Bjorn's entry is base64 encoded and the jpegPhoto in Jennifer's entry is obtained from the location indicated by the URL.

Note: Trailing spaces are not trimmed from values in an LDIF file. Nor are multiple internal spaces compressed. If you don't want them in your data, don't put them there.
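The LDIF rules described in this section (comments, continuation lines, multi-valued attributes, "::" base64 values, "<" URL values, blank-line entry separators, untrimmed spaces) as a small parser, added here as an example and not code from OpenLDAP. The sample LDIF is constructed; URL values are recorded but deliberately not fetched, since slapadd and ldapadd read a file: URL with their own privileges, so an LDIF file from an untrusted source deserves inspection before loading.

```python
import base64
# Constructed sample covering this section's rules: comments, continuation
# lines (one leading space stripped), multi-values, "::" base64 and "<" URL.
SAMPLE_LDIF = """# Barbara's Entry
dn: cn=Barbara J Jensen,dc=example,dc=
 com
cn: Barbara J
  Jensen
cn: Babs Jensen
description:: IGJlZ2lucyB3aXRoIGEgc3BhY2U=

# Jennifer's Entry
dn: cn=Jennifer J Jensen,dc=example,dc=com
jpegPhoto:< file:///path/to/file.jpeg
"""

def unfold(text):
    """Drop '#' comment lines and join continuation lines onto the line before."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Return one {attrdesc: [values]} dict per blank-line-separated entry.
    Plain values keep their spaces untrimmed; '::' values are base64-decoded to
    bytes; '<' values are recorded as ('url', target) and deliberately not
    fetched: slapadd/ldapadd read a file: URL with their own privileges."""
    entries, current = [], {}
    for line in unfold(text) + [""]:  # sentinel flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        desc, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"not an <attrdesc>: <attrvalue> line: {line!r}")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())
        elif rest.startswith("<"):
            value = ("url", rest[1:].strip())
        else:
            value = rest[1:] if rest.startswith(" ") else rest
        current.setdefault(desc, []).append(value)
    return entries
```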