1 .TH SLAPD-SOCK 5 "RELEASEDATE" "OpenLDAP LDVERSION"
2 .\" Copyright 2007-2016 The OpenLDAP Foundation All Rights Reserved.
3 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
6 slapd\-sock \- Socket backend/overlay to slapd
12 uses an external program to handle queries, similarly to
14 However, in this case the external program listens on a Unix domain socket.
15 This makes it possible to have a pool of processes, which persist between
16 requests. This allows multithreaded operation and a higher level of
17 efficiency. The external program must have been started independently;
19 itself will not start it.
21 This module may also be used as an overlay on top of some other database.
22 Use as an overlay allows external actions to be triggered in response to
23 operations on the main database.
27 options apply to the SOCK backend database.
28 That is, they must follow a "database sock" line and come before any
29 subsequent "backend" or "database" lines.
30 Other database options are described in the
34 Alternatively, to use this module as an overlay, these directives must
35 follow an "overlay sock" line within an existing database definition.
37 .B extensions [ binddn | peername | ssf | connid ]*
38 Enables the sending of additional meta-attributes with each request.
41 peername: IP=<address>:<port>
43 connid: <connection ID>
46 .B socketpath <pathname>
47 Gives the path to a Unix domain socket to which the commands will
48 be sent and from which replies are received.
50 When used as an overlay, these additional directives are defined:
52 .B sockops [ bind | unbind | search | compare | modify | modrdn | add | delete ]*
53 Specify which request types to send to the external program. The default is
54 empty (no requests are sent).
56 .B sockresps [ result | search ]*
57 Specify which response types to send to the external program. "result"
58 sends just the results of an operation. "search" sends all entries that
59 the database returned for a search request. The default is empty
60 (no responses are sent).
63 Specify DN patterns for which the overlay will act. Only operations on
64 DNs matching the specified regular expression will be processed. The default
65 is empty (all DNs are processed).
68 The protocol is essentially the same as
70 with the addition of a newline to terminate the command parameters. The
71 following commands are sent:
76 <repeat { "suffix:" <database suffix DN> }>
77 <entry in LDIF format>
86 <repeat { "suffix:" <database suffix DN> }>
88 method: <method number>
89 credlen: <length of <credentials>>
99 <repeat { "suffix:" <database suffix DN> }>
110 <repeat { "suffix:" <database suffix DN> }>
120 <repeat { "suffix:" <database suffix DN> }>
123 <"add"/"delete"/"replace">: <attribute>
124 <repeat { <attribute>: <value> }>
135 <repeat { "suffix:" <database suffix DN> }>
138 deleteoldrdn: <0 or 1>
139 <if new superior is specified: "newSuperior: <DN>">
148 <repeat { "suffix:" <database suffix DN> }>
150 scope: <0-2, see ldap.h>
151 deref: <0-3, see ldap.h>
152 sizelimit: <size limit>
153 timelimit: <time limit>
156 attrs: <"all" or space-separated attribute list>
165 <repeat { "suffix:" <database suffix DN> }>
170 The commands - except \fBunbind\fP - should output:
175 matched: <matched DN>
179 where only RESULT is mandatory, and then close the socket.
180 The \fBsearch\fP RESULT should be preceded by the entries in LDIF
181 format, each entry followed by a blank line.
182 Lines starting with `#' or `DEBUG:' are ignored.
184 When used as an overlay, the external program should return a
185 CONTINUE response if request processing should continue normally, or
186 a regular RESULT response if the external program wishes to bypass the
189 If the overlay is configured to send response messages to the external
190 program, they will appear as an extended RESULT message or as an
191 ENTRY message, defined below. The RESULT message is similar to
192 the one above, but also includes the msgid and any configured
199 matched: <matched DN>
205 Typically both the msgid and the connid will be needed to match
206 a result message to a request. The ENTRY message has the form
211 <entry in LDIF format>
219 backend does not honor all ACL semantics as described in
220 .BR slapd.access (5).
221 In general, access to objects is checked by using a dummy object
222 that contains only the DN, so access rules that rely on the contents
223 of the object are not honored.
228 operation does not require
232 pseudo-attribute of the parent entry.
240 pseudo-attribute of the entry whose identity is being assessed;
242 access to the credentials is not checked, but rather delegated
243 to the underlying program.
252 of the object whose value is being asserted;
254 access to the attribute whose value is being asserted is not checked.
258 operation does not require
262 pseudo-attribute of the parent entry.
272 access to the specific attributes that are modified is not checked.
276 operation does not require
280 pseudo-attribute of the parent entry, nor to that of the new parent,
283 access to the distinguished values of the naming attributes
288 operation does not require
292 pseudo_attribute of the searchBase;
294 access to the attributes and values used in the filter is not checked.
297 There is an example script in the slapd/back\-sock/ directory
298 in the OpenLDAP source tree.
302 default slapd configuration file
305 .BR slapd\-config (5),
308 Brian Candler, with enhancements by Howard Chu