2 # Copyright 2005-2009 The OpenLDAP Foundation, All Rights Reserved.
3 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
7 Once the software has been built and installed, you are ready
8 to configure {{slapd}}(8) for use at your site. Unlike previous
9 OpenLDAP releases, the slapd(8) runtime configuration in 2.3 (and later)
10 is fully LDAP-enabled and can be managed using the standard LDAP
11 operations with data in {{TERM:LDIF}}. The LDAP configuration engine
12 allows all of slapd's configuration options to be changed on the fly,
13 generally without requiring a server restart for the changes
14 to take effect. The old style {{slapd.conf}}(5) file is still
15 supported, but must be converted to the new {{slapd-config}}(5) format
16 to allow runtime changes to be saved. While the old style
17 configuration uses a single file, normally installed as
18 {{F:/usr/local/etc/openldap/slapd.conf}}, the new style
19 uses a slapd backend database to store the configuration. The
20 configuration database normally resides in the
21 {{F:/usr/local/etc/openldap/slapd.d}} directory. When
22 converting from the slapd.conf format to slapd.d format, any
23 include files will also be integrated into the resulting configuration
26 An alternate configuration directory (or file) can be specified via
27 a command-line option to {{slapd}}(8). This chapter describes the
28 general format of the configuration system, followed by a detailed
29 description of commonly used config settings.
31 Note: some of the backends and of the distributed overlays
32 do not support runtime configuration yet. In those cases,
33 the old style {{slapd.conf}}(5) file must be used.
36 H2: Configuration Layout
38 The slapd configuration is stored as a special LDAP directory with
39 a predefined schema and DIT. There are specific objectClasses used to
40 carry global configuration options, schema definitions, backend and
41 database definitions, and assorted other items. A sample config tree
42 is shown in Figure 5.1.
44 !import "config_dit.png"; align="center"; title="Sample configuration tree"
45 FT[align="Center"] Figure 5.1: Sample configuration tree.
47 Other objects may be part of the configuration but were omitted from
48 the illustration for clarity.
50 The {{slapd-config}} configuration tree has a very specific structure. The
51 root of the tree is named {{EX:cn=config}} and contains global configuration
52 settings. Additional settings are contained in separate child entries:
53 * Dynamically loaded modules
54 .. These may only be used if the {{EX:--enable-modules}} option was
55 used to configure the software.
57 .. The {{EX:cn=schema,cn=config}} entry contains the system schema (all
58 the schema that is hard-coded in slapd).
59 .. Child entries of {{EX:cn=schema,cn=config}} contain user schema as
60 loaded from config files or added at runtime.
61 * Backend-specific configuration
62 * Database-specific configuration
63 .. Overlays are defined in children of the Database entry.
64 .. Databases and Overlays may also have other miscellaneous children.
66 The usual rules for LDIF files apply to the configuration information:
67 Comment lines beginning with a '{{EX:#}}' character
68 are ignored. If a line begins with a single space, it is considered a
69 continuation of the previous line (even if the previous line is a
70 comment) and the single leading space is removed. Entries are separated by blank lines.
72 The general layout of the config LDIF is as follows:
74 > # global configuration settings
76 > objectClass: olcGlobal
78 > <global config settings>
80 > # schema definitions
81 > dn: cn=schema,cn=config
82 > objectClass: olcSchemaConfig
86 > dn: cn={X}core,cn=schema,cn=config
87 > objectClass: olcSchemaConfig
91 > # additional user-specified schema
94 > # backend definitions
95 > dn: olcBackend=<typeA>,cn=config
96 > objectClass: olcBackendConfig
98 > <backend-specific settings>
100 > # database definitions
101 > dn: olcDatabase={X}<typeA>,cn=config
102 > objectClass: olcDatabaseConfig
103 > olcDatabase: {X}<typeA>
104 > <database-specific settings>
106 > # subsequent definitions and settings
109 Some of the entries listed above have a numeric index {{EX:"{X}"}} in
110 their names. While most configuration settings have an inherent ordering
111 dependency (i.e., one setting must take effect before a subsequent one
112 may be set), LDAP databases are inherently unordered. The numeric index
113 is used to enforce a consistent ordering in the configuration database,
114 so that all ordering dependencies are preserved. In most cases the index
115 does not have to be provided; it will be automatically generated based
116 on the order in which entries are created.
118 Configuration directives are specified as values of individual
120 Most of the attributes and objectClasses used in the slapd
121 configuration have a prefix of {{EX:"olc"}} (OpenLDAP Configuration)
122 in their names. Generally there is a one-to-one correspondence
123 between the attributes and the old-style {{EX:slapd.conf}} configuration
124 keywords, using the keyword as the attribute name, with the "olc"
127 A configuration directive may take arguments. If so, the arguments are
128 separated by whitespace. If an argument contains whitespace,
129 the argument should be enclosed in double quotes {{EX:"like this"}}.
130 In the descriptions that follow, arguments that should be replaced
131 by actual text are shown in brackets {{EX:<>}}.
133 The distribution contains an example configuration file that will
134 be installed in the {{F: /usr/local/etc/openldap}} directory.
135 A number of files containing schema definitions (attribute types
136 and object classes) are also provided in the
137 {{F: /usr/local/etc/openldap/schema}} directory.
140 H2: Configuration Directives
142 This section details commonly used configuration directives. For
143 a complete list, see the {{slapd-config}}(5) manual page. This section
144 will treat the configuration directives in a top-down order, starting
145 with the global directives in the {{EX:cn=config}} entry. Each
146 directive will be described along with its default value (if any) and
147 an example of its use.
152 Directives contained in this entry generally apply to the server as a whole.
153 Most of them are system or connection oriented, not database related. This
154 entry must have the {{EX:olcGlobal}} objectClass.
157 H4: olcIdleTimeout: <integer>
159 Specify the number of seconds to wait before forcibly closing
160 an idle client connection. A value of 0, the default,
161 disables this feature.
164 H4: olcLogLevel: <level>
166 This directive specifies the level at which debugging statements
167 and operation statistics should be syslogged (currently logged to
168 the {{syslogd}}(8) {{EX:LOG_LOCAL4}} facility). You must have
169 configured OpenLDAP {{EX:--enable-debug}} (the default) for this
170 to work (except for the two statistics levels, which are always
171 enabled). Log levels may be specified as integers or by keyword.
172 Multiple log levels may be used and the levels are additive.
173 To display what levels
174 correspond to what kind of debugging, invoke slapd with {{EX:-d?}}
175 or consult the table below. The possible values for <level> are:
177 !block table; colaligns="RL"; align=Center; \
178 title="Table 5.1: Debugging Levels"
179 Level Keyword Description
180 -1 Any enable all debugging
182 1 Trace trace function calls
183 2 Packets debug packet handling
184 4 Args heavy trace debugging
185 8 Conns connection management
186 16 BER print out packets sent and received
187 32 Filter search filter processing
188 64 Config configuration processing
189 128 ACL access control list processing
190 256 Stats stats log connections/operations/results
191 512 Stats2 stats log entries sent
192 1024 Shell print communication with shell backends
193 2048 Parse print entry parsing debugging
194 4096 Cache database cache processing
195 8192 Index database indexing
196 16384 Sync syncrepl consumer processing
203 This will cause lots and lots of debugging information to be
206 E: olcLogLevel: Conns Filter
208 Just log the connection and search filter processing.
212 E: olcLogLevel: Stats
215 H4: olcReferral <URI>
217 This directive specifies the referral to pass back when slapd
218 cannot find a local database to handle a request.
222 > olcReferral: ldap://root.openldap.org
224 This will refer non-local queries to the global root LDAP server
225 at the OpenLDAP Project. Smart LDAP clients can re-ask their
226 query at that server, but note that most of these clients are
227 only going to know how to handle simple LDAP URLs that
228 contain a host part and optionally a distinguished name part.
234 >objectClass: olcGlobal
238 >olcReferral: ldap://root.openldap.org
243 If support for dynamically loaded modules was enabled when configuring
244 slapd, {{EX:cn=module}} entries may be used to specify sets of modules to load.
245 Module entries must have the {{EX:olcModuleList}} objectClass.
248 H4: olcModuleLoad: <filename>
250 Specify the name of a dynamically loadable module to load. The filename
251 may be an absolute path name or a simple filename. Non-absolute names
252 are searched for in the directories specified by the {{EX:olcModulePath}}
256 H4: olcModulePath: <pathspec>
258 Specify a list of directories to search for loadable modules. Typically the
259 path is colon-separated but this depends on the operating system.
264 >dn: cn=module{0},cn=config
265 >objectClass: olcModuleList
267 >olcModuleLoad: /usr/local/lib/smbk5pwd.la
269 >dn: cn=module{1},cn=config
270 >objectClass: olcModuleList
272 >olcModulePath: /usr/local/lib:/usr/local/lib/slapd
273 >olcModuleLoad: accesslog.la
274 >olcModuleLoad: pcache.la
279 The cn=schema entry holds all of the schema definitions that are hard-coded
280 in slapd. As such, the values in this entry are generated by slapd so no
281 schema values need to be provided in the config file. The entry must still
282 be defined though, to serve as a base for the user-defined schema to add
283 in underneath. Schema entries must have the {{EX:olcSchemaConfig}}
287 H4: olcAttributeTypes: <{{REF:RFC4512}} Attribute Type Description>
289 This directive defines an attribute type.
290 Please see the {{SECT:Schema Specification}} chapter
291 for information regarding how to use this directive.
294 H4: olcObjectClasses: <{{REF:RFC4512}} Object Class Description>
296 This directive defines an object class.
297 Please see the {{SECT:Schema Specification}} chapter for
298 information regarding how to use this directive.
303 >dn: cn=schema,cn=config
304 >objectClass: olcSchemaConfig
307 >dn: cn=test,cn=schema,cn=config
308 >objectClass: olcSchemaConfig
310 >olcAttributeTypes: ( 1.1.1
312 > EQUALITY integerMatch
313 > SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
314 >olcAttributeTypes: ( 1.1.2 NAME 'testTwo' EQUALITY caseIgnoreMatch
315 > SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
316 >olcObjectClasses: ( 1.1.3 NAME 'testObject'
317 > MAY ( testAttr $ testTwo ) AUXILIARY )
320 H3: Backend-specific Directives
322 Backend directives apply to all database instances of the
323 same type and, depending on the directive, may be overridden
324 by database directives. Backend entries must have the
325 {{EX:olcBackendConfig}} objectClass.
327 H4: olcBackend: <type>
329 This directive names a backend-specific configuration entry.
330 {{EX:<type>}} should be one of the
331 supported backend types listed in Table 5.2.
333 !block table; align=Center; coltags="EX,N"; \
334 title="Table 5.2: Database Backends"
336 bdb Berkeley DB transactional backend
337 config Slapd configuration backend
338 dnssrv DNS SRV backend
339 hdb Hierarchical variant of bdb backend
340 ldap Lightweight Directory Access Protocol (Proxy) backend
341 ldif Lightweight Data Interchange Format backend
342 meta Meta Directory backend
343 monitor Monitor backend
344 passwd Provides read-only access to {{passwd}}(5)
345 perl Perl Programmable backend
346 shell Shell (extern program) backend
347 sql SQL Programmable backend
354 There are no other directives defined for this entry. Specific backend
355 types may define additional attributes for their particular use but so
356 far none have ever been defined. As such, these directives usually do
357 not appear in any actual configurations.
362 > dn: olcBackend=bdb,cn=config
363 > objectClass: olcBackendConfig
367 H3: Database-specific Directives
369 Directives in this section are supported by every type of database.
370 Database entries must have the {{EX:olcDatabaseConfig}} objectClass.
372 H4: olcDatabase: [{<index>}]<type>
374 This directive names a specific database instance. The numeric {<index>} may
375 be provided to distinguish multiple databases of the same type. Usually the
376 index can be omitted, and slapd will generate it automatically.
377 {{EX:<type>}} should be one of the
378 supported backend types listed in Table 5.2 or the {{EX:frontend}} type.
380 The {{EX:frontend}} is a special database that is used to hold
381 database-level options that should be applied to all the other
382 databases. Subsequent database definitions may also override some
385 The {{EX:config}} database is also special; both the {{EX:config}} and
386 the {{EX:frontend}} databases are always created implicitly even if they
387 are not explicitly configured, and they are created before any other
394 This marks the beginning of a new {{TERM:BDB}} database instance.
397 H4: olcAccess: to <what> [ by <who> [<accesslevel>] [<control>] ]+
399 This directive grants access (specified by <accesslevel>) to a
400 set of entries and/or attributes (specified by <what>) by one or
401 more requestors (specified by <who>).
402 See the {{SECT:Access Control}} section of this guide for basic usage.
405 More detailed discussion of this directive can be found in the
406 {{SECT:Advanced Access Control}} chapter.
409 Note: If no {{EX:olcAccess}} directives are specified, the default
410 access control policy, {{EX:to * by * read}}, allows all
411 users (both authenticated and anonymous) read access.
413 Note: Access controls defined in the frontend are appended to all
414 other databases' controls.
417 H4: olcReadonly { TRUE | FALSE }
419 This directive puts the database into "read-only" mode. Any
420 attempts to modify the database will return an "unwilling to
430 This directive specifies the DN that is not subject to
431 access control or administrative limit restrictions for
432 operations on this database. The DN need not refer to
433 an entry in this database or even in the directory. The
434 DN may refer to a SASL identity.
438 > olcRootDN: "cn=Manager,dc=example,dc=com"
442 > olcRootDN: "uid=root,cn=example.com,cn=digest-md5,cn=auth"
444 See the {{SECT:SASL Authentication}} section for information on
445 SASL authentication identities.
448 H4: olcRootPW: <password>
450 This directive can be used to specify a password for the DN for
451 the rootdn (when the rootdn is set to a DN within the database).
457 It is also permissible to provide a hash of the password in
458 {{REF:RFC2307}} form. {{slappasswd}}(8) may be used to generate
463 > olcRootPW: {SSHA}ZKKuqbEKJfKSXhUbHG3fG8MDn9j1v4QN
465 The hash was generated using the command {{EX:slappasswd -s secret}}.
468 H4: olcSizeLimit: <integer>
470 This directive specifies the maximum number of entries to return
471 from a search operation.
477 See the {{SECT:Limits}} section of this guide and slapd-config(5)
481 H4: olcSuffix: <dn suffix>
483 This directive specifies the DN suffix of queries that will be
484 passed to this backend database. Multiple suffix lines can be
485 given, and usually at least one is required for each database
486 definition. (Some backend types, such as {{EX:frontend}} and
487 {{EX:monitor}} use a hard-coded suffix which may not be overridden
488 in the configuration.)
492 > olcSuffix: "dc=example,dc=com"
494 Queries with a DN ending in "dc=example,dc=com"
495 will be passed to this backend.
497 Note: When the backend to pass a query to is selected, slapd
498 looks at the suffix value(s) in each database definition in the
499 order in which they were configured. Thus, if one database suffix is a
500 prefix of another, it must appear after it in the configuration.
505 > olcSyncrepl: rid=<replica ID>
506 > provider=ldap[s]://<hostname>[:port]
507 > [type=refreshOnly|refreshAndPersist]
508 > [interval=dd:hh:mm:ss]
509 > [retry=[<retry interval> <# of retries>]+]
510 > searchbase=<base DN>
511 > [filter=<filter str>]
512 > [scope=sub|one|base]
513 > [attrs=<attr list>]
515 > [sizelimit=<limit>]
516 > [timelimit=<limit>]
517 > [schemachecking=on|off]
518 > [bindmethod=simple|sasl]
521 > [authcid=<identity>]
522 > [authzid=<identity>]
523 > [credentials=<passwd>]
525 > [secprops=<properties>]
526 > [starttls=yes|critical]
529 > [tls_cacert=<file>]
530 > [tls_cacertdir=<path>]
531 > [tls_reqcert=never|allow|try|demand]
532 > [tls_ciphersuite=<ciphers>]
533 > [tls_crlcheck=none|peer|all]
534 > [logbase=<base DN>]
535 > [logfilter=<filter str>]
536 > [syncdata=default|accesslog|changelog]
539 This directive specifies the current database as a replica of the
540 master content by establishing the current {{slapd}}(8) as a
541 replication consumer site running a syncrepl replication engine.
542 The master database is located at the replication provider site
543 specified by the {{EX:provider}} parameter. The replica database is
544 kept up-to-date with the master content using the LDAP Content
545 Synchronization protocol. See {{REF:RFC4533}}
546 for more information on the protocol.
548 The {{EX:rid}} parameter is used for identification of the current
549 {{EX:syncrepl}} directive within the replication consumer server,
550 where {{EX:<replica ID>}} uniquely identifies the syncrepl specification
551 described by the current {{EX:syncrepl}} directive. {{EX:<replica ID>}}
552 is non-negative and is no more than three decimal digits in length.
554 The {{EX:provider}} parameter specifies the replication provider site
555 containing the master content as an LDAP URI. The {{EX:provider}}
556 parameter specifies a scheme, a host and optionally a port where the
557 provider slapd instance can be found. Either a domain name or IP
558 address may be used for <hostname>. Examples are
559 {{EX:ldap://provider.example.com:389}} or {{EX:ldaps://192.168.1.1:636}}.
560 If <port> is not given, the standard LDAP port number (389 or 636) is used.
561 Note that the syncrepl uses a consumer-initiated protocol, and hence its
562 specification is located at the consumer site, whereas the {{EX:replica}}
563 specification is located at the provider site. {{EX:syncrepl}} and
564 {{EX:replica}} directives define two independent replication
565 mechanisms. They do not represent the replication peers of each other.
567 The content of the syncrepl replica is defined using a search
568 specification as its result set. The consumer slapd will
569 send search requests to the provider slapd according to the search
570 specification. The search specification includes {{EX:searchbase}},
571 {{EX:scope}}, {{EX:filter}}, {{EX:attrs}}, {{EX:attrsonly}},
572 {{EX:sizelimit}}, and {{EX:timelimit}} parameters as in the normal
573 search specification. The {{EX:searchbase}} parameter has no
574 default value and must always be specified. The {{EX:scope}} defaults
575 to {{EX:sub}}, the {{EX:filter}} defaults to {{EX:(objectclass=*)}},
576 {{EX:attrs}} defaults to {{EX:"*,+"}} to replicate all user and operational
577 attributes, and {{EX:attrsonly}} is unset by default. Both {{EX:sizelimit}}
578 and {{EX:timelimit}} default to "unlimited", and only positive integers
579 or "unlimited" may be specified.
581 The {{TERM[expand]LDAP Sync}} protocol has two operation
582 types: {{EX:refreshOnly}} and {{EX:refreshAndPersist}}.
583 The operation type is specified by the {{EX:type}} parameter.
584 In the {{EX:refreshOnly}} operation, the next synchronization search operation
585 is periodically rescheduled at an interval time after each
586 synchronization operation finishes. The interval is specified
587 by the {{EX:interval}} parameter. It is set to one day by default.
588 In the {{EX:refreshAndPersist}} operation, a synchronization search
589 remains persistent in the provider {{slapd}} instance. Further updates to the
590 master replica will generate {{EX:searchResultEntry}} to the consumer slapd
591 as the search responses to the persistent synchronization search.
593 If an error occurs during replication, the consumer will attempt to reconnect
594 according to the retry parameter which is a list of the <retry interval>
595 and <# of retries> pairs. For example, retry="60 10 300 3" lets the consumer
596 retry every 60 seconds for the first 10 times and then retry every 300 seconds
597 for the next three times before stop retrying. + in <# of retries> means
598 indefinite number of retries until success.
600 The schema checking can be enforced at the LDAP Sync consumer site
601 by turning on the {{EX:schemachecking}} parameter.
602 If it is turned on, every replicated entry will be checked for its
603 schema as the entry is stored into the replica content.
604 Every entry in the replica should contain those attributes
605 required by the schema definition.
606 If it is turned off, entries will be stored without checking
607 schema conformance. The default is off.
609 The {{EX:binddn}} parameter gives the DN to bind as for the
610 syncrepl searches to the provider slapd. It should be a DN
611 which has read access to the replication content in the
614 The {{EX:bindmethod}} is {{EX:simple}} or {{EX:sasl}},
615 depending on whether simple password-based authentication or
616 {{TERM:SASL}} authentication is to be used when connecting
617 to the provider {{slapd}} instance.
619 Simple authentication should not be used unless adequate data
620 integrity and confidentiality protections are in place (e.g. TLS
621 or IPsec). Simple authentication requires specification of {{EX:binddn}}
622 and {{EX:credentials}} parameters.
624 SASL authentication is generally recommended. SASL authentication
625 requires specification of a mechanism using the {{EX:saslmech}} parameter.
626 Depending on the mechanism, an authentication identity and/or
627 credentials can be specified using {{EX:authcid}} and {{EX:credentials}},
628 respectively. The {{EX:authzid}} parameter may be used to specify
629 an authorization identity.
631 The {{EX:realm}} parameter specifies a realm which a certain
632 mechanisms authenticate the identity within. The {{EX:secprops}}
633 parameter specifies Cyrus SASL security properties.
635 The {{EX:starttls}} parameter specifies use of the StartTLS extended
636 operation to establish a TLS session before authenticating to the provider.
637 If the {{EX:critical}} argument is supplied, the session will be aborted
638 if the StartTLS request fails. Otherwise the syncrepl session continues
639 without TLS. Note that the main slapd TLS settings are not used by the
640 syncrepl engine; by default the TLS parameters from a {{ldap.conf}}(5)
641 configuration file will be used. TLS settings may be specified here,
642 in which case any {{ldap.conf}}(5) settings will be completely ignored.
644 Rather than replicating whole entries, the consumer can query logs
645 of data modifications. This mode of operation is referred to as
646 {{delta syncrepl}}. In addition to the above parameters, the
647 {{EX:logbase}} and {{EX:logfilter}} parameters must be set appropriately
648 for the log that will be used. The {{EX:syncdata}} parameter must
649 be set to either {{EX:"accesslog"}} if the log conforms to the
650 {{slapo-accesslog}}(5) log format, or {{EX:"changelog"}} if the log
651 conforms to the obsolete {{changelog}} format. If the {{EX:syncdata}}
652 parameter is omitted or set to {{EX:"default"}} then the log
653 parameters are ignored.
655 The {{syncrepl}} replication mechanism is supported by the {{bdb}} and
658 See the {{SECT:LDAP Sync Replication}} chapter of this guide for
659 more information on how to use this directive.
662 H4: olcTimeLimit: <integer>
664 This directive specifies the maximum number of seconds (in real
665 time) slapd will spend answering a search request. If a
666 request is not finished in this time, a result indicating an
667 exceeded timelimit will be returned.
673 See the {{SECT:Limits}} section of this guide and slapd-config(5)
677 H4: olcUpdateref: <URL>
679 This directive is only applicable in a slave slapd. It
680 specifies the URL to return to clients which submit update
681 requests upon the replica.
682 If specified multiple times, each {{TERM:URL}} is provided.
686 > olcUpdateref: ldap://master.example.net
691 >dn: olcDatabase=frontend,cn=config
692 >objectClass: olcDatabaseConfig
693 >objectClass: olcFrontendConfig
694 >olcDatabase: frontend
697 >dn: olcDatabase=config,cn=config
698 >objectClass: olcDatabaseConfig
700 >olcRootDN: cn=Manager,dc=example,dc=com
703 H3: BDB and HDB Database Directives
705 Directives in this category apply to both the {{TERM:BDB}}
706 and the {{TERM:HDB}} database.
707 They are used in an olcDatabase entry in addition to the generic
708 database directives defined above. For a complete reference
709 of BDB/HDB configuration directives, see {{slapd-bdb}}(5). In
710 addition to the {{EX:olcDatabaseConfig}} objectClass, BDB and HDB
711 database entries must have the {{EX:olcBdbConfig}} and
712 {{EX:olcHdbConfig}} objectClass, respectively.
715 H4: olcDbDirectory: <directory>
717 This directive specifies the directory where the BDB files
718 containing the database and associated indices live.
722 > olcDbDirectory: /usr/local/var/openldap-data
725 H4: olcDbCachesize: <integer>
727 This directive specifies the size in entries of the in-memory
728 cache maintained by the BDB backend database instance.
732 > olcDbCachesize: 1000
735 H4: olcDbCheckpoint: <kbyte> <min>
737 This directive specifies how often to checkpoint the BDB transaction log.
738 A checkpoint operation flushes the database buffers to disk and writes a
739 checkpoint record in the log.
740 The checkpoint will occur if either <kbyte> data has been written or
741 <min> minutes have passed since the last checkpoint. Both arguments default
742 to zero, in which case they are ignored. When the <min> argument is
743 non-zero, an internal task will run every <min> minutes to perform the
744 checkpoint. See the Berkeley DB reference guide for more details.
748 > olcDbCheckpoint: 1024 10
751 H4: olcDbConfig: <DB_CONFIG setting>
753 This attribute specifies a configuration directive to be placed in the
754 {{EX:DB_CONFIG}} file of the database directory. At server startup time, if
755 no such file exists yet, the {{EX:DB_CONFIG}} file will be created and the
756 settings in this attribute will be written to it. If the file exists,
757 its contents will be read and displayed in this attribute. The attribute
758 is multi-valued, to accommodate multiple configuration directives. No default
759 is provided, but it is essential to use proper settings here to get the
760 best server performance.
762 Any changes made to this attribute will be written to the {{EX:DB_CONFIG}}
763 file and will cause the database environment to be reset so the changes
764 can take immediate effect. If the environment cache is large and has not
765 been recently checkpointed, this reset operation may take a long time. It
766 may be advisable to manually perform a single checkpoint using the Berkeley DB
767 {{db_checkpoint}} utility before using LDAP Modify to change this
772 > olcDbConfig: set_cachesize 0 10485760 0
773 > olcDbConfig: set_lg_bsize 2097512
774 > olcDbConfig: set_lg_dir /var/tmp/bdb-log
775 > olcDbConfig: set_flags DB_LOG_AUTOREMOVE
777 In this example, the BDB cache is set to 10MB, the BDB transaction log
778 buffer size is set to 2MB, and the transaction log files are to be stored
779 in the /var/tmp/bdb-log directory. Also a flag is set to tell BDB to
780 delete transaction log files as soon as their contents have been
781 checkpointed and they are no longer needed. Without this setting the
782 transaction log files will continue to accumulate until some other
783 cleanup procedure removes them. See the Berkeley DB documentation for the
784 {{EX:db_archive}} command for details. For a complete list of Berkeley DB
785 flags please see - {{URL:http://www.oracle.com/technology/documentation/berkeley-db/db/api_c/env_set_flags.html}}
787 Ideally the BDB cache must be
788 at least as large as the working set of the database, the log buffer size
789 should be large enough to accommodate most transactions without overflowing,
790 and the log directory must be on a separate physical disk from the main
791 database files. And both the database directory and the log directory
792 should be separate from disks used for regular system activities such as
793 the root, boot, or swap filesystems. See the FAQ-o-Matic and the Berkeley DB
794 documentation for more details.
797 H4: olcDbNosync: { TRUE | FALSE }
799 This option causes on-disk database contents to not be immediately
800 synchronized with in memory changes upon change. Setting this option
801 to {{EX:TRUE}} may improve performance at the expense of data integrity. This
802 directive has the same effect as using
803 > olcDbConfig: set_flags DB_TXN_NOSYNC
806 H4: olcDbIDLcacheSize: <integer>
808 Specify the size of the in-memory index cache, in index slots. The
809 default is zero. A larger value will speed up frequent searches of
810 indexed entries. The optimal size will depend on the data and search
811 characteristics of the database, but using a number three times
812 the entry cache size is a good starting point.
816 > olcDbIDLcacheSize: 3000
819 H4: olcDbIndex: {<attrlist> | default} [pres,eq,approx,sub,none]
821 This directive specifies the indices to maintain for the given
822 attribute. If only an {{EX:<attrlist>}} is given, the default
823 indices are maintained. The index keywords correspond to the
824 common types of matches that may be used in an LDAP search filter.
828 > olcDbIndex: default pres,eq
830 > olcDbIndex: cn,sn pres,eq,sub
831 > olcDbIndex: objectClass eq
833 The first line sets the default set of indices to maintain to
834 present and equality. The second line causes the default (pres,eq)
835 set of indices to be maintained for the {{EX:uid}} attribute type.
836 The third line causes present, equality, and substring indices to
837 be maintained for {{EX:cn}} and {{EX:sn}} attribute types. The
838 fourth line causes an equality index for the {{EX:objectClass}}
841 There is no index keyword for inequality matches. Generally these
842 matches do not use an index. However, some attributes do support
843 indexing for inequality matches, based on the equality index.
845 A substring index can be more explicitly specified as {{EX:subinitial}},
846 {{EX:subany}}, or {{EX:subfinal}}, corresponding to the three
848 of a substring match filter. A subinitial index only indexes
849 substrings that appear at the beginning of an attribute value.
850 A subfinal index only indexes substrings that appear at the end
851 of an attribute value, while subany indexes substrings that occur
854 Note that by default, setting an index for an attribute also
855 affects every subtype of that attribute. E.g., setting an equality
856 index on the {{EX:name}} attribute causes {{EX:cn}}, {{EX:sn}}, and every other
857 attribute that inherits from {{EX:name}} to be indexed.
859 By default, no indices are maintained. It is generally advised
860 that minimally an equality index upon objectClass be maintained.
862 > olcDbindex: objectClass eq
864 Additional indices should be configured corresponding to the
865 most common searches that are used on the database.
866 Presence indexing should not be configured for an attribute
867 unless the attribute occurs very rarely in the database, and
868 presence searches on the attribute occur very frequently during
869 normal use of the directory. Most applications don't use presence
870 searches, so usually presence indexing is not very useful.
872 If this setting is changed while slapd is running, an internal task
873 will be run to generate the changed index data. All server operations
874 can continue as normal while the indexer does its work. If slapd is
875 stopped before the index task completes, indexing will have to be
876 manually completed using the slapindex tool.
879 H4: olcDbLinearIndex: { TRUE | FALSE }
881 If this setting is {{EX:TRUE}} slapindex will index one attribute
882 at a time. The default settings is {{EX:FALSE}} in which case all
883 indexed attributes of an entry are processed at the same time. When
884 enabled, each indexed attribute is processed individually, using
885 multiple passes through the entire database. This option improves
886 slapindex performance when the database size exceeds the BDB cache
887 size. When the BDB cache is large enough, this option is not needed
888 and will decrease performance. Also by default, slapadd performs
889 full indexing and so a separate slapindex run is not needed. With
890 this option, slapadd does no indexing and slapindex must be used.
893 H4: olcDbMode: { <octal> | <symbolic> }
895 This directive specifies the file protection mode that newly
896 created database index files should have. This can be in the form
897 {{EX:0600}} or {{EX:-rw-------}}
904 H4: olcDbSearchStack: <integer>
906 Specify the depth of the stack used for search filter evaluation.
907 Search filters are evaluated on a stack to accommodate nested {{EX:AND}} /
908 {{EX:OR}} clauses. An individual stack is allocated for each server thread.
909 The depth of the stack determines how complex a filter can be evaluated
910 without requiring any additional memory allocation. Filters that are
911 nested deeper than the search stack depth will cause a separate stack to
912 be allocated for that particular search operation. These separate allocations
913 can have a major negative impact on server performance, but specifying
914 too much stack will also consume a great deal of memory. Each search
915 uses 512K bytes per level on a 32-bit machine, or 1024K bytes per level
916 on a 64-bit machine. The default stack depth is 16, thus 8MB or 16MB
917 per thread is used on 32 and 64 bit machines, respectively. Also the
918 512KB size of a single stack slot is set by a compile-time constant which
919 may be changed if needed; the code must be recompiled for the change
924 > olcDbSearchStack: 16
927 H4: olcDbShmKey: <integer>
929 Specify a key for a shared memory BDB environment. By default the BDB
930 environment uses memory mapped files. If a non-zero value is specified,
931 it will be used as the key to identify a shared memory region that will
932 house the environment.
941 >dn: olcDatabase=hdb,cn=config
942 >objectClass: olcDatabaseConfig
943 >objectClass: olcHdbConfig
945 >olcSuffix: "dc=example,dc=com"
946 >olcDbDirectory: /usr/local/var/openldap-data
947 >olcDbCacheSize: 1000
948 >olcDbCheckpoint: 1024 10
949 >olcDbConfig: set_cachesize 0 10485760 0
950 >olcDbConfig: set_lg_bsize 2097152
951 >olcDbConfig: set_lg_dir /var/tmp/bdb-log
952 >olcDbConfig: set_flags DB_LOG_AUTOREMOVE
953 >olcDbIDLcacheSize: 3000
954 >olcDbIndex: objectClass eq