=head1 SYNOPSIS
ldap access
ldap acl dn|principal <hostname>
ldap auth principal group owner
ldap auth-report [sql where clause]
ldap bundle add|list|remove <attribute list>|<workgroup prefix>
ldap drlist add|update|delete|show <mailman-list>
ldap group add|update|delete|listen|sync|show <workgroup>
posixgroup add|show|sync <workgroup>
suprivilegegroup sync <ldap-filter>
ldap log [show]
ldap log set <log-level-list>
ldap restart
ldap start
ldap stop
ldap add
ldap remove
ldap show server|virtual|pool|member <target>
ldap status
ldap yank
ldap ldap-test-updates
ldap versions
ldap <subcommand> help
ldap <subcommand> manual
=head1 DESCRIPTION
Stanford LDAP utility scripts.
=head1 LDAP ACL Commands
=over 4
=item ldap access
Queries an OpenLDAP server's configuration, using the directory access
control lists stored in the cn=config branch of the directory, and
displays the access granted to the principal that invoked the command.
Complete documentation for each subcommand will be printed with the
manual option.
=item ldap acl dn|principal
Queries an OpenLDAP server's configuration, using the directory access
control lists stored in the cn=config branch of the directory, and
displays the access granted to a given principal or distinguished name.
Complete documentation for each subcommand will be printed with the
manual option.
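As an added illustration of what an ACL query against cn=config has to do (this is not the Stanford script's code), the shell function below reads olcAccess values and reports, for one subject DN, the level granted by the first matching "by" clause of each "to" rule, which is how slapd evaluates them. It deliberately uses a reduced model that is an assumption, not a full OpenLDAP evaluator: only "by *" and exact-DN clauses are matched, and self/users/anonymous/group/regex clauses, stop/break/continue controls, and the SASL-to-DN mapping that the principal form of the command would need (olcAuthzRegexp) are not modelled. The sample olcAccess values and the DNs are constructed.

```shell
#!/bin/sh
# Added example; not the Stanford 'ldap acl' script. Reads olcAccess values
# from stdin and prints, for each 'to' clause, the access level the first
# matching 'by' clause grants to one subject DN. Simplified model (an
# assumption, not a full OpenLDAP evaluator): a 'by' clause matches when it
# is 'by *' or names the DN exactly with dn= / dn.exact=; self, users,
# anonymous, group, regex and the stop/break/continue controls are ignored.
acl_for_dn() {
    awk -v dn="$1" '
    /^olcAccess: / {
        rule = $0
        sub(/^olcAccess: /, "", rule)
        sub(/^[{][0-9]+[}]/, "", rule)          # drop the {n} ordering prefix
        n = split(rule, part, / by /)           # part[1] is the "to ..." target
        target = part[1]
        level = "none (no matching by clause)"  # slapd denies when nothing matches
        for (i = 2; i <= n; i++) {
            split(part[i], w, " ")              # w[1] = who, w[2] = access level
            who = w[1]
            if (who == "*" || who == "dn.exact=\"" dn "\"" || who == "dn=\"" dn "\"") {
                level = w[2]
                break                           # first matching by clause wins
            }
        }
        print target ": " level
    }'
}

# Constructed sample values, not Stanford's real ACLs. On a live server the
# input would come from something like (ldif-wrap=no keeps each value on
# one line, which this parser relies on):
#   ldapsearch -Q -Y EXTERNAL -H ldapi:/// -o ldif-wrap=no -b cn=config '(olcAccess=*)' olcAccess
ACL_SAMPLE='olcAccess: {0}to attrs=userPassword by dn.exact="cn=admin,dc=example,dc=com" write by self write by * auth
olcAccess: {1}to * by dn.exact="cn=admin,dc=example,dc=com" write by * read'

printf '%s\n' "$ACL_SAMPLE" | acl_for_dn 'cn=admin,dc=example,dc=com'
printf '%s\n' "$ACL_SAMPLE" | acl_for_dn 'cn=bob,dc=example,dc=com'
```

For the constructed sample the admin DN gets write on both rules, while any other exact DN falls through to the "by *" clauses and gets only auth on userPassword and read elsewhere. The "to" rules are also first-match in slapd, so the line for a given entry that actually applies is the first "to" whose target matches it; the function lists every rule so that can be read off.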
=item ldap auth principal group owner
Updates the ACL and group structures needed to grant a Kerberos
principal access to a bundle of attributes. The script creates
krb5principalname entries as necessary and updates auth group
membership.
=item ldap auth-report [sql where clause]
Generates a listing of the changes made to directory access with the
'ldap auth' command.
=item ldap bundle add|list|remove <attribute list>|<workgroup prefix>
Generates the directory ACLs required to support posix and attribute
bundles. This command is a companion to the 'ldap auth' command.
=back
=head1 LDAP DR List Command
=over 4
=item ldap drlist add|update|delete|show <mailman-list>
This script adds, deletes, updates, and displays entries in the
cn=drLists branch of the directory. This branch contains mail
distribution list entries for MailMan lists that can be used in a
disaster when MailMan is not available.
=back
=head1 LDAP Data Synchronization Commands
=over 4
=item ldap group add|update|delete|listen|sync|show <workgroup>
This script adds, updates, or deletes workgroup attributes in
the Stanford Directory that support Posix and Google groups.
The base group entries are created by Workgroup Manager. This
script updates existing entries. The listen command is not
intended to be run from remctl.
=item posix group add|show|sync <workgroup>
This is a remctl wrapper script around ldap-group-maint that is
restricted to performing actions for posixGroups only. It is
intended for use by system administrators.
=item suprivilegegroup sync|help <ldap-filter>
This script ensures that the suPrivilegeGroup attributes in the
cn=accounts branch match the values in the cn=people branch of the
directory. This script has several other options none of which are
appropriate for use interactively. See the script help for
documentation of the complete set of script actions.
=back
=head1 Server Control Commands
=over 4
=item ldap log set <log-level-list>
Sets the log level for the slapd process. The log-level-list is a
space-separated list of slapd logging subsystems. If no
log-level-list is given the default is 'stats'. Valid values
are:
trace - trace function calls
packets - debug packet handling
args - heavy trace debugging (function args)
conns - connection management
BER - print out packets sent and received
filter - search filter processing
config - configuration file processing
ACL - access control list processing
stats - connections, LDAP operations, results
stats2 - stats log entries sent
shell - print communication with shell backends
parse - entry parsing
sync - LDAPSync replication
none - only messages that get logged whatever log level is set
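As an added example (not the Stanford 'ldap log set' script itself), the functions below validate a log-level list against exactly the keywords listed above and produce the LDIF that sets olcLogLevel in cn=config. The page does not say whether the real script changes the level dynamically through cn=config or by other means, so that approach, the ldapi:/// URL and the SASL EXTERNAL identity in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example; not the Stanford 'ldap log set' script. Validates a
# space-separated log-level list against the keywords slapd accepts and
# emits the LDIF that sets olcLogLevel in cn=config. That the real script
# changes the level through cn=config rather than by restarting slapd is an
# assumption.
VALID_LEVELS="trace packets args conns BER filter config ACL stats stats2 shell parse sync none"

# validate_loglevels "LIST": 0 if every word is a known keyword, 1 otherwise.
# Allow-listing keeps arbitrary remctl argument text out of the LDIF.
validate_loglevels() {
    for lvl in $1; do
        case " $VALID_LEVELS " in
            *" $lvl "*) ;;
            *) echo "invalid log level: $lvl" >&2; return 1 ;;
        esac
    done
    return 0
}

# loglevel_ldif ["LIST"]: print the modify LDIF; with no argument the
# level is 'stats', matching the documented default.
loglevel_ldif() {
    levels="${1:-stats}"
    validate_loglevels "$levels" || return 1
    printf 'dn: cn=config\nchangetype: modify\nreplace: olcLogLevel\nolcLogLevel: %s\n' "$levels"
}

# Typical use (assumed deployment: slapd reachable over ldapi with the
# config root identity mapped via SASL EXTERNAL):
#   loglevel_ldif 'stats sync' | ldapmodify -Q -Y EXTERNAL -H ldapi:///
loglevel_ldif 'stats sync'
```

'stats' records client addresses, bind DNs, operations and results, which is the level you want running all the time. The levels that print packets (packets, BER) and the trace levels write protocol contents into the log, which for a simple bind can include the password, so enable them only for a short debugging window and set the level back afterwards.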
=item ldap log [show]
Display the current log level.
=item ldap restart
Removes the host from the load balanced pool, shuts down slapd, starts
slapd, and adds the host back to the load balanced pool unless the
server was not in the pool originally.
=item ldap start
Start slapd and place the host in the lb pool.
=item ldap stop
Remove the host from the lb pool and stop slapd. When shutdown of
slapd is requested the script does not exit until slapd has stopped.
=back
=head1 Load Balance Commands
=over 4
=item ldap add
Add the host to the lbdns and hardware load balanced pools.
=item ldap remove
Remove the host from both lbdns and hardware load balanced
pools. For LBDNS pools the script uses dig to interrogate the
DNS and waits until the localhost is out of the lbdns pool
before exiting. For hardware load balanced pools this
function connects to the signal port, issues a QUIT, and waits
the configured time before proceeding. The default is 60
seconds.
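As an added example of the drain sequence described above (not the Stanford 'ldap remove' script), the functions below poll DNS with dig until the host's address has left the lbdns pool name, and then send QUIT to the hardware load balancer's signal port and wait out the configured grace period. The page says only that the script "issues a QUIT", so the nc invocation, the pool and signal host names, the port and the timings are assumptions; the address records in the test are constructed.

```shell
#!/bin/sh
# Added example; not the Stanford 'ldap remove' script. Drains this host from
# an lbdns pool by polling DNS until its address disappears, then tells the
# hardware load balancer to stop sending traffic. The nc call, the pool name,
# the signal port and the timings are assumptions for illustration.

# pool_has_addr RECORDS ADDR: true when ADDR is one of the newline-separated
# addresses in RECORDS (the shape of 'dig +short NAME A' output). -x forces a
# whole-line match so 192.0.2.1 does not match 192.0.2.10; -F keeps the dots
# literal.
pool_has_addr() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

# wait_out_of_pool POOL_FQDN ADDR MAX_TRIES SLEEP_SECS: poll the resolver
# until ADDR is gone from the pool name. Returns 0 when drained, 1 on
# timeout, so a caller can refuse to stop slapd while clients are still
# being directed here.
wait_out_of_pool() {
    tries=0
    while [ "$tries" -lt "$3" ]; do
        answers="$(dig +short "$1" A)"
        pool_has_addr "$answers" "$2" || return 0
        tries=$((tries + 1))
        sleep "$4"
    done
    return 1
}

# signal_quit HOST PORT WAIT_SECS: send QUIT to the load balancer's signal
# port, then wait for in-flight connections to finish (the documented
# default wait is 60 seconds).
signal_quit() {
    printf 'QUIT\r\n' | nc "$1" "$2"
    sleep "$3"
}

# Drain sequence with assumed names; run it before stopping slapd:
#   wait_out_of_pool ldap.example.edu 192.0.2.10 30 2 || echo "still in pool" >&2
#   signal_quit lb-signal.example.edu 9999 60
```

The point of checking DNS rather than trusting the removal request is that resolvers keep serving the old answer until the record's TTL expires; stopping slapd before the address is really gone leaves clients failing against a closed port for that long.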
=item ldap show server|virtual|pool|member <target>
Displays pool membership status for hosts behind an F5 BIG-IP hardware
load balancer. The script uses SOAP calls to the iControl service on
the BIG-IP and can list virtual servers, pool members, and individual
hosts.
=item ldap status
Displays the presence or absence of the signal file. The
signal file is /etc/noldap.
=item ldap versions
Display versions of LDAP related software running on the server.
=item ldap yank
Removes the host from the load balanced pool without waiting.
=item ldap ldap-test-updates
Direct updates to the directory. This script is intended for testing
only and is configured only on test master servers.
=back
=head1 AUTHOR
Bill MacAllister <whm@stanford.edu>
=head1 COPYRIGHT
Copyright 2011,2012 Board of Trustees, Leland Stanford Jr. University.
=cut