1 .TH SLAPD.CONF 5 "23 August 2000" "OpenLDAP LDVERSION"
3 .\" Copyright 1998-2000 The OpenLDAP Foundation All Rights Reserved.
4 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
6 slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
12 contains configuration information for the
14 daemon. This configuration file is also used by the
16 replication daemon and by the SLAPD tools
24 file consists of a series of global configuration options that apply to
26 as a whole (including all backends), followed by zero or more database
27 backend definitions that contain information specific to a backend
35 # comment - these options apply to every database
36 <global configuration options>
37 # first database definition & configuration options
38 database <backend 1 type>
39 <configuration options specific to backend 1>
40 # subsequent database definitions & configuration options
44 As many backend-specific sections as desired may be included. Global
45 options can be overridden in a backend (for options that appear more
46 than once, the last appearance in the
48 file is used). Blank lines and comment lines beginning with a `#'
49 character are ignored. If a line begins with white space, it is
50 considered a continuation of the previous line.
52 Arguments on configuration lines are separated by white space. If an
53 argument contains white space, the argument should be enclosed in
54 double quotes. If an argument contains a double quote (`"') or a
55 backslash character (`\\'), the character should be preceded by a
58 The specific configuration options available are discussed below in the
59 Global Configuration Options, General Backend Options, LDBM
60 Backend-Specific Options, Shell Backend-Specific Options, and Password
61 Backend-Specific Options sections. Refer to the "OpenLDAP
62 Administrator's Guide" for more details on the slapd configuration
64 .SH GLOBAL CONFIGURATION OPTIONS
65 Options described in this section apply to all backends, unless specifically
66 overridden in a backend definition. Arguments that should be replaced by
67 actual text are shown in brackets <>.
69 .B access to <what> [ by <who> <access> <control> ]+
70 Grant access (specified by <access>) to a set of entries and/or
71 attributes (specified by <what>) by one or more requestors (specified
73 See the "OpenLDAP's Administrator's Guide" for details.
76 Specify a set of features (separated by white space) to
79 allows Start TLS to force session to anonymous status (see also
83 .B argsfile <filename>
84 The ( absolute ) name of a file that will hold the
86 server's command line options
87 if started without the debugging command line option.
90 .B attributetype (\ <oid> [NAME\ <name>] [OBSOLETE]\
91 [DESC\ <description>]\
92 [SUP\ <oid>] [EQUALITY\ <oid>] [ORDERING\ <oid>]\
93 [SUBSTR\ <oid>] [SYNTAX\ <oidlen>] [SINGLE\-VALUE] [COLLECTIVE]\
94 [NO\-USER\-MODIFICATION] [USAGE\ <attributeUsage>]\ )
96 Specify an attribute type using the LDAPv3 syntax defined in RFC 2252.
97 The slapd parser extends the RFC 2252 definition by allowing string
98 forms as well as numeric OIDs to be used for the attribute OID and
102 description.) Currently the syntax name parser is case-sensitive.
103 The known syntax names are:
107 AttributeTypeDescription Audio Binary BitString Certificate CertificateList
108 CertificatePair DN DeliveryMethod DirectoryString DITContentRuleDescription
109 DITStructureRuleDescription EnhancedGuide FacsimileTelephoneNumber
110 GeneralizedTime Guide IA5String Integer MatchingRuleDescription
111 MatchingRuleUseDescription MailPreference NameAndOptionalUUID
112 NameFormDescription NumericString ObjectClassDescription OID
113 OtherMailbox OctetString PostalAddress ProtocolInformation
114 PresentationAddress PrintableString SupportedAlgorithm TelephoneNumber
115 TeletexTerminalIdentifier TelexNumber UTCTime LDAPSyntaxDescription
116 SubstringAssertion NISnetgrouptriple Bootparameter
122 .B concurrency <integer>
123 Specify a desired level of concurrency. Provided to the underlying
124 thread system as a hint. The default is not to provdide any hint.
126 .B defaultaccess { none | auth | compare | search | read | write }
128 Specify the default access level to grant requestors when
129 no access directives were provided for the database.
130 The default behavior is to grant 'read' access. It is
133 directives be used instead.
136 .B defaultsearchbase <dn>
137 Specify a default search base to use when client submits a
138 non-base search request with an empty base DN.
140 .B disallow <features>
141 Specify a set of features (separated by white space) to
142 disallow (default none).
144 disables acceptance of LDAPv2 bind requests.
146 disables acceptance of anonymous bind requests.
148 disables anonymous bind creditials are not empty (e.g.
151 disables anonymous bind when DN is not empty.
153 disables simple (bind) authentication.
155 disables Kerberos V4 (bind) authentication.
157 disables StartTLS if authenticated (see also
161 .B idletimeout <integer>
162 Specify the number of seconds to wait before forcibly closing
163 an idle client connections. A idletimeout of 0 disables this
164 feature. The default is 0.
166 .B include <filename>
167 Read additional configuration information from the given file before
168 continuing with the next line of the current file.
170 .B loglevel <integer>
171 Specify the level at which debugging statements and operation
172 statistics should be syslogged (currently logged to the
174 LOG_LOCAL4 facility). Log levels are additive, and available levels
184 debug packet handling
187 heavy trace debugging
190 connection management
193 print out packets sent and received
196 search filter processing
199 configuration file processing
202 access control list processing
205 stats log connections/operations/results
208 stats log entries sent
211 print communication with shell backends
219 .B objectclass ( <oid> [NAME <name>] [DESC <description] [OBSOLETE]\
220 [SUP <oids>] [{ ABSTRACT | STRUCTURAL | AUXILIARY }] [MUST <oids>]\
223 Specify an objectclass using the LDAPv3 syntax defined in RFC 2252.
224 The slapd parser extends the RFC 2252 definition by allowing string
225 forms as well as numeric OIDs to be used for the object class OID.
229 description.) Object classes are "STRUCTURAL" by default.
232 .B objectidentifier <name> { <oid> | <name>[:<suffix>] }
233 Define a string name that equates to the given OID. The string can be used
234 in place of the numeric OID in objectclass and attribute definitions. The
235 name can also be used with a suffix of the form ":xx" in which case the
236 value "oid.xx" will be used.
238 .B password-hash <hash>
239 The <hash> to use for userPassword generation. One of
252 .B pidfile <filename>
253 The ( absolute ) name of a file that will hold the
255 server's process ID ( see
257 ) if started without the debugging command line option.
260 Specify the referral to pass back when
262 cannot find a local database to handle a request.
263 If specified multiple times, each url is provided.
265 .B require <conditions>
266 Specify a set of conditions (separated by white space) to
267 require (default none).
268 The directive may be specified globally and/or per-database.
270 requires bind operation prior to directory operations.
272 requires session to be using LDAP version 3.
274 requires authentication prior to directory operations.
276 requires SASL authentication prior to directory operations.
278 requires strong authentication prior to directory operations.
283 conditions are currently same.
285 may be used to require no conditions (useful for clearly globally
286 set conditions within a particular database).
289 Used to specify the fully qualified domain name used for SASL processing.
291 .B sasl-realm <realm>
292 Specify SASL realm. Default is empty.
294 .B sasl-regexp <match> <replace>
295 Used by the SASL authorization mechanism to convert a SASL authenticated
296 username to an LDAP DN. When an authorization request is received, the SASL
300 are taken, when available, and combined into a SASL name of the
305 .B uid=<UID>[+realm=<REALM>][,cn=<MECH>],cn=AUTHZ
308 This SASL name is then compared against the
310 regular expression, and if the match is successful, the SASL name is
313 string. If there are wildcard strings in the
315 regular expression that are enclosed in parenthesis, e.g.
319 .B uid=(.*)\\\\+realm=.*
323 then the portion of the SASL name that matched the wildcard will be stored
324 in the numbered placeholder variable $1. If there are other wildcard strings
325 in parenthesis, the matching strings will be in $2, $3, etc. up to $9. The
326 placeholders can then be used in the
332 .B cn=$1,ou=Accounts,dc=$2,dc=$4.
336 The replaced SASL name can be either a DN or an LDAP URI. If the latter, the slapd
337 server will use the URI to search its own database, and if the search returns
338 exactly one entry, the SASL name is replaced by the DN of that entry.
341 options can be given in the configuration file to allow for multiple matching
342 and replacement patterns. The matching patterns are checked in the order they
343 appear in the file, stopping at the first successful match.
346 Because the plus sign + is a character recognized by the regular expression engine,
347 and it will appear in SASL names that include a REALM, be careful to escape the
348 plus sign with a double backslash \\\\+ to remove the character's special meaning.
351 .B sasl-secprops <properties>
352 Used to specify Cyrus SASL security properties.
355 flag (without any other properities) causes the flag properites
356 default, "noanonymous,noplain", to be cleared.
359 flag disables mechanisms susceptible to simple passive attacks.
362 flag disables mechanisms susceptible to active attacks.
365 flag disables mechanisms susceptible to passive dictionary attacks.
368 flag disables mechanisms which support anonymous login.
371 flag require forward secrecy between sessions.
374 require mechanisms which pass client credentials (and allow
375 mechanisms which can pass credentials to do so).
378 property specifies the minimum acceptable
379 .I security strength factor
380 as an integer approximate to effective key length used for
381 encryption. 0 (zero) implies no protection, 1 implies integrity
382 protection only, 56 allows DES or other weak ciphers, 112
383 allows triple DES and other strong ciphers, 128 allows RC4,
384 Blowfish and other modern strong ciphers. The default is 0.
387 property specifies the maximum acceptable
388 .I security strength factor
389 as an integer (see minssf description). The default is INT_MAX.
391 .B maxbufsize=<factor>
392 property specifies the maximum security layer receive buffer
393 size allowed. 0 disables security layers. The default is 65536.
395 .B schemacheck { on | off }
396 Turn schema checking on or off. The default is on.
398 .B security <factors>
399 Specify a set of factors (separated by white space) to require.
400 An integer value is associated with each factor and is roughly
401 equivalent of the encryption key length to require. A value
402 of 112 is equivalent to 3DES, 128 to Blowfish, etc..
403 The directive may be specified globally and/or per-database.
405 specifies the overall security strength factor.
407 specifies the transport security strength factor.
409 specifies the TLS security strength factor.
411 specifies the SASL security strength factor.
413 specifies the overall security strength factor to require for
415 .B update_transport=<n>
416 specifies the transport security strength factor to require for
419 specifies the TLS security strength factor to require for
422 specifies the SASL security strength factor to require for
426 factor is measure of security provided by the underlying transport,
427 e.g. ldapi:// (and eventually IPSEC). It is not normally used.
429 .B sizelimit <integer>
430 Specify the maximum number of entries to return from a search operation.
431 The default size limit is 500.
434 Specify the srvtab file in which the kerberos keys necessary for
435 authenticating clients using kerberos can be found. This option is only
436 meaningful if you are using Kerberos authentication.
438 .B timelimit <integer>
439 Specify the maximum number of seconds (in real time)
440 require forward secrecy between sessions.
442 .B schemacheck { on | off }
443 Turn schema checking on or off. The default is on.
445 .B sizelimit <integer>
446 Specify the maximum number of entries to return from a search operation.
447 The default size limit is 500.
450 Specify the srvtab file in which the kerberos keys necessary for
451 authenticating clients using kerberos can be found. This option is only
452 meaningful if you are using Kerberos authentication.
454 .B timelimit <integer>
455 Specify the maximum number of seconds (in real time)
457 will spend answering a search request. The default time limit is 3600.
461 is build with support for Transport Layer Security, there are more options
464 .B TLSCipherSuite <cipher-suite-spec>
465 Permits configuring what ciphers will be accepted and the preference order.
466 <cipher-suite-spec> should be a cipher specification for OpenSSL. Example:
468 TLSCipherSuite HIGH:MEDIUM:+SSLv2
470 To check what ciphers a given spec selects, use:
472 openssl ciphers -v <cipher-suite-spec>
474 .B TLSCertificateFile <filename>
475 Specifies the file that contains the
479 .B TLSCertificateKeyFile <filename>
480 Specifies the file that contains the
482 server private key that matches the certificate stored in the
483 .B TLSCertificateFile
484 file. Currently, the private key must not be protected with a password, so
485 it is of critical importance that it is protected carefully.
486 .SH GENERAL BACKEND OPTIONS
487 Options in this section only apply to the configuration file section
488 for the backend in which they are defined. They are supported by every
491 .B database <databasetype>
492 Mark the beginning of a new database instance definition. <databasetype>
498 depending on which backend will serve the database.
503 will automatically maintain the
504 modifiersName, modifyTimestamp, creatorsName, and
505 createTimestamp attributes for entries. By default, lastmod is on.
508 This option puts the database into "read-only" mode. Any attempts to
509 modify the database will return an "unwilling to perform" error. By
510 default, readonly is off.
512 .B replica host=<hostname>[:port] [tls=yes|critical]
513 .B bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
514 .B [saslmech=<SASL mech>] [secopts=<options>] [realm=<realm>]
515 .B [authcId=<authentication ID>] [authcId=<authentication ID>]
517 Specify a replication site for this database. Refer to the "OpenLDAP
518 Administrator's Guide" for detailed information on setting up a replicated
528 and should only be used when adequate security services
529 (e.g TLS or IPSEC) are in place. A
537 will use Kerberos, a kerberos instance should be given in
541 .B replogfile <filename>
542 Specify the name of the replication log file to log changes to.
543 The replication log is typically written by
549 for more information.
552 Specify the distinguished name that is not subject to access control
553 or administrative limit restrictions for operations on this database.
554 This DN may or may not be associated with an entry. An empty root
555 DN (the default) specifies no root access is to be granted. It is
556 recommended that the rootdn only be specified when needed (such as
557 when initially populating a database).
560 Specify a password (or hash of the password) for the rootdn.
561 This option accepts all RFC 2307 userPassword formats known to
564 desription) as well as cleartext.
566 may be used to generate a hash of a password. Cleartext
567 and \fB{CRYPT}\fP passwords are not recommended. If empty
568 (the default), authentication of the root DN is by other means
569 (e.g. SASL). Use of SASL is encouraged.
571 .B suffix <dn suffix>
572 Specify the DN suffix of queries that will be passed to this
573 backend database. Multiple suffix lines can be given and at least one is
574 required for each database definition.
577 This option is only applicable in a slave
579 It specifies the DN allowed to make changes to the replica (typically,
582 binds as when making changes to the replica).
585 Specify the referral to pass back when
587 is asked to modify a replicated local database.
588 If specified multiple times, each url is provided.
589 .SH LDBM BACKEND-SPECIFIC OPTIONS
590 Options in this category only apply to the LDBM backend database. That is,
591 they must follow a "database ldbm" line and come before any subsequent
592 "database" lines. The LDBM backend is a high-performance database that
593 makes extensive use of indexing and caching to speed data access.
595 .B cachesize <integer>
596 Specify the size in entries of the in-memory cache maintained
597 by the LDBM backend database instance. The default is 1000 entries.
599 .B dbcachesize <integer>
600 Specify the size in bytes of the in-memory cache associated
601 with each open index file. If not supported by the underlying database
602 method, this option is ignored without comment. The default is 100000 bytes.
605 Specify that no database locking should be performed.
606 Enabling this option may improve performance at the expense of data security.
608 Specify that on-disk database contents should not be immediately
609 synchronized with in memory changes. Enabling this option may improve
610 performance at the expense of data security.
612 .B directory <directory>
613 Specify the directory where the LDBM files containing this database and
614 associated indexes live. A separate directory must be specified for
615 each database. The default is
616 .BR LOCALSTATEDIR/openldap-ldbm .
619 index {<attrlist>|default} [pres,eq,approx,sub,<special>]
620 Specify the indexes to maintain for the given attribute. If only
621 an <attr> is given, the indices specified for \fBdefault\fR
622 are maintained. A number of special index parameters may be
626 can be decomposed into
633 may be specified to allow use of this index by language subtypes.
636 may be specified to automatically maintain separate indices for each
640 may be specified to allow use of this index by named subtypes.
643 may be specified to automatically maintain separate indices for each
647 Specify the file protection mode that newly created database
648 index files should have. The default is 0600.
649 .SH SHELL BACKEND-SPECIFIC OPTIONS
650 Options in this category only apply to the SHELL backend database. That is,
651 they must follow a "database shell" line and come before any subsequent
652 "database" lines. The Shell backend executes external programs to
653 implement operations, and is designed to make it easy to tie an existing
664 .B compare <pathname>
674 .B abandon <pathname>
675 These options specify the pathname of the command to execute in response
676 to the given LDAP operation.
678 Note that you need only supply configuration lines for those commands you
679 want the backend to handle. Operations for which a command is not
680 supplied will be refused with an "unwilling to perform" error.
681 .SH PASSWORD BACKEND-SPECIFIC OPTIONS
682 Options in this category only apply to the PASSWD backend database.
683 That is, they must follow a "database passwd" line and come before any
684 subsequent "database" lines. The PASSWD database serves up the user
685 account information listed in the system
690 Specifies an alternate passwd file to use. The default is
693 "OpenLDAP Administrator's Guide" contains an annotated
694 example of a configuration file.
699 .BR slapd.replog (5),
706 .BR slappassword (8),
709 "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
712 is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
714 is derived from University of Michigan LDAP 3.3 Release.