SLAPD-TCL(5)                  File Formats Manual                 SLAPD-TCL(5)

slapd-tcl - Tcl backend to slapd

/etc/openldap/slapd.conf

The Tcl backend to slapd(8) works by embedding a Tcl(3tcl) interpreter
into slapd(8). Any tcl database section of the configuration file
slapd.conf(5) must then specify what Tcl script to use.

This backend is experimental.

This backend's calling conventions have changed since OpenLDAP 2.0.
Previously, the 2nd argument to the procs was a message ID. Now it
is an "operation ID" string. Also, proc abandon now gets a new
abandonid argument.

These slapd.conf options apply to the Tcl backend database. That is,
they must follow a "database tcl" line and come before any subsequent
"backend" or "database" lines. Other database options are described in
the slapd.conf(5) manual page.

scriptpath <filename.tcl>
       The full path to the Tcl script used for this database.

search <proc>
add <proc>
delete <proc>
modify <proc>
bind <proc>
unbind <proc>
modrdn <proc>
compare <proc>
abandon <proc>
       The procs for each LDAP function. They refer to the Tcl procs
       in the `scriptpath' script that handle them.

tclrealm <interpreter name>
       This is one of the biggest pluses of using the Tcl backend. The
       realm lets you group several databases to the same interpreter.
       This basically means they share the same global variables and
       proc space. So global variables, as well as all the procs, are
       callable between databases. If no tclrealm is specified, it is
       put into the "default" realm.

abandon { action opid suffix abandonid }
       action    - Always equal to ABANDON.
       opid      - The opid of this LDAP operation.
       suffix    - List of suffix(es) associated with the
                   call. Each one is an entry in a Tcl
                   formatted list (surrounded by {}'s).
       abandonid - The opid of the operation to abandon.

add { action opid suffix entry }
       action - Always equal to ADD.
       opid   - The opid of this LDAP operation.
       suffix - List of suffix(es), as above.
       entry  - Full entry to add. Each "type: val" is
                an element in a Tcl formatted list.

bind { action opid suffix dn method cred_len cred }
       action   - Always equal to BIND.
       opid     - The opid of this LDAP operation.
       suffix   - List of suffix(es), as above.
       dn       - DN being bound to.
       method   - One of the LDAP authentication methods.
       cred_len - Length of cred.
       cred     - Credentials being used to authenticate,
                  according to RFC. If this value is empty,
                  then it should be considered an anonymous
                  bind (??)

compare { action opid suffix dn ava_type ava_value }
       action    - Always equal to COMPARE.
       opid      - The opid of this LDAP operation.
       suffix    - List of suffix(es), as above.
       dn        - DN for compare.
       ava_type  - Type for comparison.
       ava_value - Value to compare.

delete { action opid suffix dn }
       action - Always equal to DELETE.
       opid   - The opid of this LDAP operation.
       suffix - List of suffix(es), as above.
       dn     - DN to delete.

modify { action opid suffix dn mods }
       action - Always equal to MODIFY.
       opid   - The opid of this LDAP operation.
       suffix - List of suffix(es), as above.
       dn     - DN to modify.
       mods   - Tcl list of modifications.
                The list is formatted in this way:

                {
                  { {op: type} {type: val} }
                  { {op: type} {type: val} {type: val} }
                  ...
                }

                Newlines are not present in the actual var,
                they are present here for clarification.
                "op" is the type of modification
                (ADD, DELETE, REPLACE).

modrdn { action opid suffix dn newrdn deleteoldrdn }
       action       - Always equal to MODRDN.
       opid         - The opid of this LDAP operation.
       suffix       - List of suffix(es), as above.
       dn           - DN whose RDN is being renamed.
       newrdn       - New RDN.
       deleteoldrdn - Boolean stating whether or not the
                      old RDN should be removed after being renamed.

search { action opid suffix base scope deref sizelimit timelimit
         filterstr attrsonly attrlist }
       action    - Always equal to SEARCH.
       opid      - The opid of this LDAP operation.
       suffix    - List of suffix(es), as above.
       base      - Base for this search.
       scope     - Scope of search, ( 0 | 1 | 2 ).
       deref     - Alias dereferencing ( 0 | 1 | 2 | 3 ).
       sizelimit - Maximum number of entries to return.
       timelimit - Time limit for search.
       filterstr - Filter string as sent by the requester.
       attrsonly - Boolean for whether to list only the
                   attributes, and not values as well.
       attrlist  - Tcl list of attributes to retrieve.

unbind { action opid suffix dn }
       action - Always equal to UNBIND.
       opid   - The opid of this LDAP operation.
       suffix - List of suffix(es), as above.
       dn     - DN to unbind.

An opid (operation ID) is a "connection ID/message ID" string
identifying an operation.

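The mods list described for the modify proc can be validated before it
is applied. The following is an added example, not part of the OpenLDAP
distribution: it parses the list in the format shown above and refuses
any modification outside an allowlist. The writable list and the
split_pair and check_mods helpers are hypothetical names; the script
avoids Tcl 8.5-only commands.

```tcl
# Added example; the allowlist and helper names are hypothetical.
if {[llength [info commands ldap:debug]] == 0} {
    proc ldap:debug {msg} { puts stderr $msg }   ;# stub for use outside slapd
}

# Attribute types clients may change (constructed policy), lowercase.
set writable {mail telephonenumber description}

# Split a "name: value" element at the first ": ".
proc split_pair {pair} {
    set i [string first ": " $pair]
    if {$i < 1} { error "malformed element \"$pair\"" }
    return [list [string range $pair 0 [expr {$i - 1}]] \
                 [string range $pair [expr {$i + 2}] end]]
}

# Return {} if every modification is allowed, else the reason it is not.
proc check_mods {mods} {
    global writable
    foreach mod $mods {
        foreach {op type} [split_pair [lindex $mod 0]] break
        if {[lsearch -exact {ADD DELETE REPLACE} [string toupper $op]] < 0} {
            return "unknown op \"$op\""
        }
        if {[lsearch -exact $writable [string tolower $type]] < 0} {
            return "attribute \"$type\" is not writable"
        }
        # Every value element must name the same type as the {op: type} header.
        foreach pair [lrange $mod 1 end] {
            foreach {vtype val} [split_pair $pair] break
            if {![string equal -nocase $vtype $type]} {
                return "value for \"$vtype\" inside $op of \"$type\""
            }
        }
    }
    return ""
}

proc ldap:modify {action opid suffix dn mods} {
    # A list that does not parse is refused, never partially applied.
    if {[catch {check_mods $mods} why]} { set why "malformed mods list: $why" }
    if {$why ne ""} {
        ldap:debug "modify $opid on \"$dn\" refused: $why"
        # 50 is insufficientAccessRights in ldap.h.
        return [list RESULT "code: 50" "info: modification refused" ""]
    }
    # ...apply the validated modifications to the backing store here...
    return [list RESULT "code: 0" ""]
}
```
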
There are only 2 return types. All procs must return a result to show
the status of the operation. The result is in this form:

    { RESULT {code: <integer>} {matched: <partialdn>}
    {info: <string>} {} }

This is best accomplished with this type of Tcl code:

    lappend ret_val "RESULT"
    lappend ret_val "code: 0"
    lappend ret_val ""
    return $ret_val

The final empty string (item in list) is necessary to mark the end
of the list. The `code', `matched', and `info' values are not necessary,
and default values are given if not specified. The `code' value is
usually an LDAP error in decimal notation from ldap.h. The `info' value
may be sent back to the client, depending on the function. In the bind
proc, LDAP uses the value of `code' to indicate whether or not the
authentication is acceptable.

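The following bind proc is an added example, not part of the OpenLDAP
distribution. It returns the RESULT list described above, refuses a
named DN presented with empty credentials, and logs failures with
ldap:debug. The secrets table, the ldap:result helper, and the
assumption that method arrives as the decimal value of
LDAP_AUTH_SIMPLE (128) are illustrative.

```tcl
# Added example, not from the OpenLDAP distribution.
# slapd supplies ldap:debug; this stub lets the script load in plain tclsh.
if {[llength [info commands ldap:debug]] == 0} {
    proc ldap:debug {msg} { puts stderr $msg }
}

# Constructed credential table (hypothetical), keyed by lowercased DN.
# A real script would check a hashed store and normalize the DN properly.
array set secrets {
    "cn=app,o=company,c=us" "constructed-secret"
}

# Build the RESULT list in the form this page describes.
proc ldap:result {code {info ""}} {
    set ret [list RESULT "code: $code"]
    if {$info ne ""} { lappend ret "info: $info" }
    lappend ret ""
    return $ret
}

proc ldap:bind {action opid suffix dn method cred_len cred} {
    global secrets
    # Assumption: method is the decimal LDAP_AUTH_SIMPLE value (128).
    if {$method != 128} {
        ldap:debug "bind $opid: method $method refused for \"$dn\""
        # 48 is inappropriateAuthentication in ldap.h.
        return [ldap:result 48 "unsupported authentication method"]
    }
    # Empty DN with empty credentials is an anonymous bind.
    if {$dn eq "" && $cred_len == 0} {
        return [ldap:result 0]
    }
    # A named DN with empty credentials must not be accepted as that DN.
    if {$cred_len == 0} {
        ldap:debug "bind $opid: empty credentials for \"$dn\""
        # 53 is unwillingToPerform in ldap.h.
        return [ldap:result 53 "credentials required"]
    }
    set key [string tolower $dn]
    if {[info exists secrets($key)] && $secrets($key) eq $cred} {
        return [ldap:result 0]
    }
    # 49 is invalidCredentials; same answer for unknown DN and bad secret.
    ldap:debug "bind $opid: invalid credentials for \"$dn\""
    return [ldap:result 49 "invalid credentials"]
}
```
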
The other type of return is for searches. Its format is similar to that
of the shell backend return (as is most of the syntax here). Its format
follows:

    {dn: o=Company, c=US} {attr: val} {objectclass: val} {}
    {dn: o=CompanyB, c=US} {attr: val} {objectclass: val} {}

Again, newlines are for visual purposes here. Also note the {} marking
the end of the entry (same effect as a newline in LDIF format). Here
is some example code again, showing a full search proc example.

    # Note that `args' lets you lump all possible args
    # into one var, used here for simplicity of example
    proc ldap:search { args } {
        # ...perform some operations (these set rdn, base,
        # objcl and email, which are used below)...

        lappend ret_val "dn: $rdn,$base"
        lappend ret_val "objectclass: $objcl"
        lappend ret_val "sn: $rdn"
        lappend ret_val "mail: $email"
        lappend ret_val ""
        # Now set up the result
        lappend ret_val "RESULT"
        lappend ret_val "code: 0"
        lappend ret_val ""
        return $ret_val
    }

NOTE: Newlines in the return value are acceptable in search entries
(i.e. when returning base64 encoded binary entries).

ldap:debug <msg>
       Allows you to send debug messages through OpenLDAP's native
       debugging system. The message is sent as LDAP_DEBUG_ANY and will
       be logged. Useful for debugging scripts or logging bind failures.

/etc/openldap/slapd.conf
       default slapd configuration file

slapd.conf(5), slapd(8), Tcl(3tcl).

OpenLDAP 2.3.34                    2007/2/16                      SLAPD-TCL(5)