diff --git a/Doc/Common/glossary.xml b/Doc/Common/glossary.xml index ec54d24df2d6609a1ba1610c2ad0d81ad6cb9808..87e97747808e951cdd8363e0210acdcff31c5a5e 100644 --- a/Doc/Common/glossary.xml +++ b/Doc/Common/glossary.xml @@ -388,6 +388,16 @@ Data Interchange Format</link></para> </glossdef> </glossentry> + + <glossentry xml:id="glo_RDN"> + <glossterm><acronym>RDN</acronym></glossterm> + + <glossdef> + <para><link + xlink:href="http://www.zytrax.com/books/ldap/apd/index.html#rdn">Relative + Distinguished Name</link></para> + </glossdef> + </glossentry> </glosslist> </glossdef> </glossentry> diff --git a/Doc/Sdi/ldap.xml b/Doc/Sdi/ldap.xml index ee5cde6e6803a55bd2ec09042e16557fe82e9ffa..61c5d3b102064ddc6aeae3058a0bf943065564df 100644 --- a/Doc/Sdi/ldap.xml +++ b/Doc/Sdi/ldap.xml @@ -170,7 +170,7 @@ Ldapmodify erlaubt icht-objectclass konforme Daten</programlisting> populated with thew following company structure of organisational units and persons:</para> - <figure xml:id="ldapBetrayerComTree"> + <figure xml:id="sdiLdapBetrayerComTree"> <title>An example <acronym>LDAP</acronym> Tree</title> <mediaobject> @@ -183,15 +183,9 @@ Ldapmodify erlaubt icht-objectclass konforme Daten</programlisting> <section xml:id="sdiBrowseExistingLdap"> <title>Browse an existing <xref linkend="glo_LDAP"/> Server</title> - <!--aptitude install dialog -dpkg-reconfigure slapd - - ---> - - <para>Before setting up we take a tour on <link - xlink:href="https://directory.apache.org/studio/downloads.html">Apache - Directory Studio</link>:</para> + <para>Before setting up we take a tour on <productname + xlink:href="http://directory.apache.org/studio">Apache Directory + Studio</productname>:</para> <itemizedlist> <listitem> 
@@ -272,105 +266,146 @@ dpkg-reconfigure slapd </listitem> </orderedlist> </tip> + + <para>You may have to install the dialog package as a prerequisite to + the <productname>openldap</productname> server package:</para> + + <programlisting language="none">aptitude install dialog +aptitude install slapd</programlisting> + + <para>based on the <xref linkend="glo_DNS"/> domain + <code>mi.hdm-stuttgart.de</code> the default <command>slapd</command> + package installer configures a <xref linkend="glo_DIT"/> having + <code>dc=mi,dc=hdm-stuttgart,dc=de</code> as root by default. Change + this to <code>dc=betrayer,dc=com</code> by executing + <command>dpkg-reconfigure</command> <option>slapd</option>.</para> </section> <section xml:id="ldapCompanyLdif"> - <title>Adding some content file</title> - - <para>The following file defines a part of our <code>betrayer.com</code> - directory structure:</para> - - <programlisting language="shell">dn:dc=betrayer,dc=com -changetype: add -objectclass: dcObject -objectclass: organizationalUnit -dc: betrayer -ou: config -ou: betrayer Dot com - -dn: ou=departments,dc=betrayer;dc=com -changetype: add -objectClass: top -objectClass: organizationalUnit -ou: departments - -dn: ou=software,ou=departments,dc=betrayer;dc=com -changetype: add -objectClass: top -objectClass: organizationalUnit -ou: software - -dn: ou=devel,ou=software,ou=departments,dc=betrayer;dc=com -changetype: add -objectClass: top -objectClass: organizationalUnit -ou: devel - -dn: uid=beam,ou=devel,ou=software,ou=departments,dc=betrayer;dc=com -changetype: add -objectClass: inetOrgPerson -uid: beam -cn: Jim Beam -givenName: Jim -sn: Beam -mail: beam@betrayer.com</programlisting> - - <para>For your convenience we have installed the <uri + <title>Populating your <xref linkend="glo_DIT"/>.</title> + + <para>Add the content outlined in <xref + linkend="sdiLdapBetrayerComTree"/>.</para> + + <para>For your convenience we have installed the <productname 
xlink:href="http://directory.apache.org/studio">Apache Directory - Studio</uri> Eclipse plugin. It provides an <acronym>LDIF</acronym> - editor which may assist you to complete the <code>betrayer.com</code> - directory entries. You should also add some more persons to the - <quote>leaf</quote> organisational units.</para> + Studio</productname> Eclipse plugin which allows for convenient editing + of <xref linkend="glo_LDAP"/> trees.</para> <tip> <para>You may want to adjust occurrences of <code>dc=betrayer;dc=com</code> by your configured <xref linkend="glo_DIT"/> root.</para> - </tip> - </section> - - <section xml:id="sdiLdapPopulateData"> - <title>Populating the <acronym>LDAP</acronym> server</title> - - <para>You may use <uri - xlink:href="http://directory.apache.org/studio">Apache Directory - Studio</uri> for testing a bind to your new <acronym>LDAP</acronym> - server by using <code>cn=admin,dc=...</code> using your server - installation password.</para> - <para>After successful connecting the previously established - <acronym>LDIF</acronym> file may be used to populate the server with - initial data. 
This may also be achieved on the server side by omitting - the <code>changetype</code> lines in the <acronym>LDIF</acronym> file - and:</para> - - <itemizedlist> - <listitem> - <para>Shutdown the <acronym>LDAP</acronym> server</para> - </listitem> + <orderedlist> + <listitem> + <para>You need your initial configuration <code>admin</code> + password to perform a bind operation using the + <code>cn=admin,dc=betrayer,dc=com</code> <xref + linkend="glo_DN"/>.</para> + </listitem> - <listitem> - <para>using <command>slapadd</command> as user <code>ldap</code> to - read the <acronym>LDIF</acronym> data into the server.</para> - </listitem> + <listitem> + <para>If you choose <quote>Use existing entry as template</quote> + don't forget to purge your copy's <property>entryCsn</property> + attribute belonging to your template data record being unique + within your <xref linkend="glo_DIT"/>.</para> + </listitem> - <listitem> - <para>Startup the <acronym>LDAP</acronym> server.</para> - </listitem> - </itemizedlist> + <listitem> + <para>Suitable <property>objectClass</property> and other + attribute choices:</para> + + <glosslist> + <glossentry> + <glossterm>Organisational units + <property>department</property>, + <property>software</property>, <property>financial</property>, + <property>devel</property>, + <property>testing</property></glossterm> + + <glossdef> + <glosslist> + <glossentry> + <glossterm><property>objectClass</property>:</glossterm> + + <glossdef> + <para><property>organizationalUnit</property></para> + </glossdef> + </glossentry> + + <glossentry> + <glossterm><xref linkend="glo_RDN"/> + attribute:</glossterm> + + <glossdef> + <para><property>uid</property></para> + </glossdef> + </glossentry> + </glosslist> + </glossdef> + </glossentry> + + <glossentry> + <glossterm>Employees Jim Smith, Audrey Bean:</glossterm> + + <glossdef> + <glosslist> + <glossentry> + <glossterm><property>objectClass</property>:</glossterm> + + <glossdef> + 
<para><property>inetOrgPerson</property></para> + </glossdef> + </glossentry> + + <glossentry> + <glossterm><xref linkend="glo_RDN"/> + attribute:</glossterm> + + <glossdef> + <para><property>uid</property></para> + </glossdef> + </glossentry> + + <glossentry> + <glossterm>Other attributes:</glossterm> + + <glossdef> + <para><property>sn</property>, + <property>cn</property>, + <property>givenName</property>, + m<property>ail</property></para> + </glossdef> + </glossentry> + </glosslist> + </glossdef> + </glossentry> + </glosslist> + </listitem> + </orderedlist> + </tip> </section> <section xml:id="sdiLdapTestBind"> - <title>Testing a bind operation</title> + <title>Testing a bind operation as non - <code>admin</code> user</title> - <para>Use <uri xlink:href="http://directory.apache.org/studio">Apache - Directory Studio</uri> to supply a password to e.g. - <code>uid=beam,ou=devel,ou=software,ou=departments,dc=betrayer;dc=com</code>.</para> - - <para>Then try to bind as + <para>Use <productname + xlink:href="http://directory.apache.org/studio">Apache Directory + Studio</productname> to supply a <property>userPassword</property> to + e.g. <code>uid=beam,ou=devel,ou=software,ou=departments,dc=betrayer;dc=com</code> - using <uri xlink:href="http://directory.apache.org/studio">Apache - Directory Studio</uri>.</para> + (still binding as <code>cn=admin,dc=betrayer,dc=com</code>).</para> + + <para>Then configure a second <productname + xlink:href="http://directory.apache.org/studio">Apache Directory + Studio</productname> profile binding as + <code>uid=beam,ou=devel,ou=software,ou=departments,dc=betrayer,dc=com</code>.</para> + + <tip> + <para>Beware: Some hash types may not be supported. SMD5 is known to + work.</para> + </tip> </section> <section xml:id="ldapTest"> 
@@ -391,7 +426,7 @@ mail: beam@betrayer.com</programlisting> <para>Actually OpenLdap still supports an alternate configuration file based approach which may be activated. Its use however is discouraged - and according to the documentation:</para> + according to the documentation:</para> <note xlink:href="http://www.openldap.org/doc/admin24/slapdconf2.html"> <para>The older style slapd.conf(5) file is still supported, but its 
@@ -425,26 +460,27 @@ olcRootPW: {SSHA}7M0gUyHOH7cfK1z9amqgK0uQcn84AuYw</emphasis> ...</programlisting> <para>The above lines appear near in the tail section. We see two - databases representing two different <xref linkend="glo_DIT"/>s namely - <code>cn=config</code> (the configuration database) and - <code>dc=hdm-stuttgart,dc=de</code> (containing actual directory - data).</para> + databases <code>{0}</code> and <code>{1}</code> representing two + different <xref linkend="glo_DIT"/>s namely <code>cn=config</code> (the + configuration database) and <code>dc=hdm-stuttgart,dc=de</code> + (containing our <quote>actual</quote> directory data).</para> - <para>The configuration database does have an <code>admin</code> entry - <code>olcRootDN: cn=admin,cn=config</code> but a corresponding + <para>The configuration database does have a <code>olcRootDN: + cn=admin,cn=config</code> entry but a corresponding <parameter>olcRootPW</parameter> attribute is yet missing. This limits configuration access to <code>localhost</code>.</para> - <para>External access requires adding this credential attribute value. - This first-time configuration change must be done locally by means of an - <xref linkend="glo_LDIF"/> file:</para> + <para>External access e.g. by <productname + xlink:href="http://directory.apache.org/studio">Apache Directory + Studio</productname> requires adding this credential attribute. 
This + first-time (bootstrapping) configuration must be done locally by means + of an <xref linkend="glo_LDIF"/> file using a different user's hash + value:</para> <programlisting language="none">root@sdi8a:~# cat ~/add_olcRootPW.ldif dn: olcDatabase={0}config,cn=config add: olcRootPW -olcRootPW: {SSHA}7M0gUyHOH7cfK1z9amqgK0uQcn84AuYw - -</programlisting> +olcRootPW: {ssha}pHE+EPOG2gyRyOgjvFqsWOb5zGsGl9CD</programlisting> <para>Activating this configuration my be effected by using <command xlink:href="http://www.openldap.org/software/man.cgi?query=ldapmodify&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html">ldapmodify</command>:</para> @@ -495,9 +531,13 @@ modifying entry "olcDatabase={0}config,cn=config"</programlisting> level: Depending on your success during subsequent exercises you may want to adjust <parameter xlink:href="http://www.zytrax.com/books/ldap/ch6/#loglevel">olcLogLevel</parameter> - appropriately. Mind <link + in <code>cn=config</code> appropriately.</para> + + <para>Consider <link xlink:href="http://serverfault.com/questions/324608/how-do-i-get-openldap-on-centos-6-to-write-anything-to-its-log-files#answer-499902">using - olcLogFile</link>.</para> + olcLogFile</link>. Caveat: You <xref linkend="glo_LDAP"/> server daemon + does runs from a non - root <property>uid</property>. Thus you have to + assure sufficient writing permissions.</para> </section> <section xml:id="ldapFilter"> 
@@ -548,6 +588,30 @@ modifying entry "olcDatabase={0}config,cn=config"</programlisting> based installation</link>.</para> </section> + <section xml:id="diSectLdapBackupRestore"> + <title>Backup and recovery / restore</title> + + <para>Take the hard way to test backup and restore:</para> + + <orderedlist> + <listitem> + <para>Set up a <quote>replica</quote> <xref linkend="glo_LDAP"/> + Server on your second host system.</para> + </listitem> + + <listitem> + <para>Export both databases (configuration and <quote>real</quote> + data) from your production server using <command + xlink:href="http://linux.die.net/man/8/slapcat">slapcat</command>.</para> + </listitem> + + <listitem> + <para> Restore the exported data on your replica using <command + xlink:href="http://linux.die.net/man/8/slapadd">slapadd</command>.</para> + </listitem> + </orderedlist> + </section> + <section xml:id="ldapReplication"> <title>Replication</title>
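Review bot: In the Doc/Sdi/ldap.xml hunk at `@@ -170,7 +170,7 @@` the figure's `xml:id` is renamed from `ldapBetrayerComTree` to `sdiLdapBetrayerComTree`, but the diff only shows the one new `<xref linkend="sdiLdapBetrayerComTree"/>` that is added further down; any other `linkend`/`xlink:href` pointing at the old id in files not touched by this patch will now fail the DocBook build, so grep the whole Doc tree for `ldapBetrayerComTree` before merging.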
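Review bot: In the hunk at `@@ -183,15 +183,9 @@` the Apache Directory Studio link is downgraded from `https://directory.apache.org/studio/downloads.html` to `http://directory.apache.org/studio`; keep the https form (it was already https before this change), and the same applies to the new `glo_RDN` glossary entry in Doc/Common/glossary.xml, whose zytrax link is plain http. Dropping the commented-out `aptitude install dialog` / `dpkg-reconfigure slapd` block here is fine since the same steps are reintroduced as real text in the next hunk.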
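Review bot: In the hunk at `@@ -272,105 +266,146 @@` the new attribute table is wrong for the organisational units: entries of `objectClass: organizationalUnit` are named by their `ou` attribute (`ou=devel,ou=software,...` as used elsewhere on the page), not by `uid`, so the first `<xref linkend="glo_RDN"/> attribute:` / `<para><property>uid</property></para>` pair should read `ou`; `uid` is correct only for the `inetOrgPerson` entries. Further in the same hunk: the employee attribute list has a markup slip, `m<property>ail</property>` should be `<property>mail</property>`; the operational attribute is spelled `entryCSN`, not `entryCsn`; the tip and the bind example still use `dc=betrayer;dc=com` with a semicolon while the new second-profile DN uses the correct comma form `dc=betrayer,dc=com` (RDNs in a DN are comma-separated), so please make the three occurrences consistent; the sentence starting `based on the <xref linkend="glo_DNS"/> domain` needs a capital letter and could simply say that the Debian installer derives the default suffix from the host's DNS domain. Finally, the tip `SMD5 is known to work` points readers at a weak salted-MD5 scheme; the same patch already shows `{SSHA}` working for `olcRootPW`, so recommend `{SSHA}` for `userPassword` as well (Apache Directory Studio offers it in its password editor) and mention SMD5 only as a fallback.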
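Review bot: In the hunk at `@@ -425,26 +460,27 @@` the bootstrapping LDIF now sets `olcRootPW` for `cn=admin,cn=config` to `a different user's hash value`, which means the configuration-database root shares its password with whichever directory user that hash was copied from; generate a dedicated hash with `slappasswd -h '{SSHA}'` and paste that into `add_olcRootPW.ldif` instead, and say so in the surrounding paragraph so readers do not copy the hash shown in the listing. The explanatory text is otherwise improved; consider keeping the scheme tag in the documented upper-case form `{SSHA}` for consistency with the `olcDatabase={1}` listing just above it.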
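Review bot: In the hunk at `@@ -495,9 +531,13 @@` the new caveat has two typos: `You <xref linkend="glo_LDAP"/> server daemon does runs from a non - root` should read `Your ... server daemon runs from a non-root`. Since the point of the caveat is that `olcLogFile` must be writable by the daemon's uid, it would help to name the account and the concrete check, e.g. that the file (or its directory) is owned by the user slapd runs as on this platform, rather than leaving `assure sufficient writing permissions` abstract.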
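Review bot: In the hunk at `@@ -548,6 +588,30 @@` the backup/restore recipe omits the two things that make it work in practice: `slapcat` needs the database selected explicitly (`-n 0` for `cn=config`, `-n 1` or `-b <suffix>` for the data DIT), and on the replica `slapadd` has to be run while `slapd` is stopped, with the configuration loaded first (`slapadd -n 0 -F <config dir> -l <file>`) and the resulting database files owned by the daemon's user, otherwise `slapd` will not start afterwards. Also add a warning that the export contains `olcRootPW` and every `userPassword` hash, so the LDIF files must be copied to the second host over an authenticated channel and deleted (or kept root-only) afterwards. The title `Backup and recovery / restore` and the `<quote>replica</quote>` wording overlap with the following `ldapReplication` section; call this host a restore target to avoid confusion with syncrepl.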