1 .TH SLAPD.CONF 5 "23 August 2000" "OpenLDAP LDVERSION"
3 .\" Copyright 1998-2000 The OpenLDAP Foundation All Rights Reserved.
4 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
6 slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
12 contains configuration information for the
14 daemon. This configuration file is also used by the
16 replication daemon and by the SLAPD tools
24 file consists of a series of global configuration options that apply to
26 as a whole (including all backends), followed by zero or more database
27 backend definitions that contain information specific to a backend
35 # comment - these options apply to every database
36 <global configuration options>
37 # first database definition & configuration options
38 database <backend 1 type>
39 <configuration options specific to backend 1>
40 # subsequent database definitions & configuration options
44 As many backend-specific sections as desired may be included. Global
45 options can be overridden in a backend (for options that appear more
46 than once, the last appearance in the
48 file is used). Blank lines and comment lines beginning with a `#'
49 character are ignored. If a line begins with white space, it is
50 considered a continuation of the previous line.
52 Arguments on configuration lines are separated by white space. If an
53 argument contains white space, the argument should be enclosed in
54 double quotes. If an argument contains a double quote (`"') or a
55 backslash character (`\\'), the character should be preceded by a
58 The specific configuration options available are discussed below in the
59 Global Configuration Options, General Backend Options, LDBM
60 Backend-Specific Options, Shell Backend-Specific Options, and Password
61 Backend-Specific Options sections. Refer to the "OpenLDAP
62 Administrator's Guide" for more details on the slapd configuration
64 .SH GLOBAL CONFIGURATION OPTIONS
65 Options described in this section apply to all backends, unless specifically
66 overridden in a backend definition. Arguments that should be replaced by
67 actual text are shown in brackets <>.
69 .B access to <what> [ by <who> <access> <control> ]+
70 Grant access (specified by <access>) to a set of entries and/or
71 attributes (specified by <what>) by one or more requestors (specified
73 See the "OpenLDAP's Administrator's Guide" for details.
75 .B argsfile <filename>
76 The ( absolute ) name of a file that will hold the
78 server's command line options
79 if started without the debugging command line option.
82 .B attributetype (\ <oid> [NAME\ <name>] [OBSOLETE]\
83 [DESC\ <description>]\
84 [SUP\ <oid>] [EQUALITY\ <oid>] [ORDERING\ <oid>]\
85 [SUBSTR\ <oid>] [SYNTAX\ <oidlen>] [SINGLE\-VALUE] [COLLECTIVE]\
86 [NO\-USER\-MODIFICATION] [USAGE\ <attributeUsage>]\ )
88 Specify an attribute type using the LDAPv3 syntax defined in RFC 2252.
89 The slapd parser extends the RFC 2252 definition by allowing string
90 forms as well as numeric OIDs to be used for the attribute OID and
94 description.) Currently the syntax name parser is case-sensitive.
95 The known syntax names are:
99 AttributeTypeDescription Audio Binary BitString Certificate CertificateList
100 CertificatePair DN DeliveryMethod DirectoryString DITContentRuleDescription
101 DITStructureRuleDescription EnhancedGuide FacsimileTelephoneNumber
102 GeneralizedTime Guide IA5String Integer MatchingRuleDescription
103 MatchingRuleUseDescription MailPreference NameAndOptionalUUID
104 NameFormDescription NumericString ObjectClassDescription OID
105 OtherMailbox OctetString PostalAddress ProtocolInformation
106 PresentationAddress PrintableString SupportedAlgorithm TelephoneNumber
107 TeletexTerminalIdentifier TelexNumber UTCTime LDAPSyntaxDescription
108 SubstringAssertion NISnetgrouptriple Bootparameter
114 .B concurrency <integer>
115 Specify a desired level of concurrency. Provided to the underlying
116 thread system as a hint. The default is not to provdide any hint.
118 .B defaultaccess { none | auth | compare | search | read | write }
120 Specify the default access level to grant requestors when
121 no access directives were provided for the database.
122 The default behavior is to grant 'read' access. It is
125 directives be used instead.
128 .B disallow <features>
129 Specify a set of features (separated by white space) to disallow.
131 disables acceptance of LDAPv2 bind requests.
133 disables acceptance of anonymous bind requests.
135 disables anonymous bind creditials are not empty (e.g. when
138 disables anonymous bind when DN is not empty.
140 .B idletimeout <integer>
141 Specify the number of seconds to wait before forcibly closing
142 an idle client connections. A idletimeout of 0 disables this
143 feature. The default is 0.
145 .B include <filename>
146 Read additional configuration information from the given file before
147 continuing with the next line of the current file.
149 .B loglevel <integer>
150 Specify the level at which debugging statements and operation
151 statistics should be syslogged (currently logged to the
153 LOG_LOCAL4 facility). Log levels are additive, and available levels
163 debug packet handling
166 heavy trace debugging
169 connection management
172 print out packets sent and received
175 search filter processing
178 configuration file processing
181 access control list processing
184 stats log connections/operations/results
187 stats log entries sent
190 print communication with shell backends
198 .B objectclass ( <oid> [NAME <name>] [DESC <description] [OBSOLETE]\
199 [SUP <oids>] [{ ABSTRACT | STRUCTURAL | AUXILIARY }] [MUST <oids>]\
202 Specify an objectclass using the LDAPv3 syntax defined in RFC 2252.
203 The slapd parser extends the RFC 2252 definition by allowing string
204 forms as well as numeric OIDs to be used for the object class OID.
208 description.) Object classes are "STRUCTURAL" by default.
211 .B objectidentifier <name> { <oid> | <name>[:<suffix>] }
212 Define a string name that equates to the given OID. The string can be used
213 in place of the numeric OID in objectclass and attribute definitions. The
214 name can also be used with a suffix of the form ":xx" in which case the
215 value "oid.xx" will be used.
217 .B pidfile <filename>
218 The ( absolute ) name of a file that will hold the
220 server's process ID ( see
222 ) if started without the debugging command line option.
224 .B password-hash <hash>
225 The <hash> to use for userPassword generation. One of
239 Specify the referral to pass back when
241 cannot find a local database to handle a request.
242 If specified multiple times, each url is provided.
244 .B require <conditions>
245 Specify a set of conditions (separated by white space) to require.
246 The directive may be specified globally and/or per-database.
248 requires bind operation prior to directory operations.
250 requires session to be using LDAP version 3.
252 requires authentication prior to directory operations.
254 requires SASL authentication prior to directory operations.
256 requires strong authentication prior to directory operations.
261 conditions are currently same.
263 may be used to require no conditions (useful for clearly globally
264 set conditions within a particular database).
267 Used to specify the fully qualified domain name used for SASL processing.
269 .B sasl-realm <string>
270 Used to specify Cyrus SASL realm.
272 .B sasl-secprops <properties>
273 Used to specify Cyrus SASL security properties.
276 flag (without any other properities) causes the flag properites
277 defaults ("noanonymous,noplain") to be cleared.
280 flag disables mechanisms susceptible to simple passive attacks.
283 flag disables mechanisms susceptible to active attacks.
286 flag disables mechanisms susceptible to passive dictionary attacks.
289 flag disables mechanisms which support anonymous login.
292 flag require forward secrecy between sessions.
295 require mechanisms which pass client credentials (and allow
296 mechanisms which can pass credentials to do so).
299 property specifies the minimum acceptable
300 .I security strength factor
301 as an integer approximate to effective key length used for
302 encryption. 0 (zero) implies no protection, 1 implies integrity
303 protection only, 56 allows DES or other weak ciphers, 112
304 allows triple DES and other strong ciphers, 128 allows RC4,
305 Blowfish and other modern strong ciphers. The default is 0.
308 property specifies the maximum acceptable
309 .I security strength factor
310 as an integer (see minssf description). The default is INT_MAX.
312 .B maxbufsize=<factor>
313 property specifies the maximum security layer receive buffer
314 size allowed. 0 disables security layers. The default is 65536.
316 .B schemacheck { on | off }
317 Turn schema checking on or off. The default is on.
319 .B security <factors>
320 Specify a set of factors (separated by white space) to require.
321 An integer value is associated with each factor and is roughly
322 equivalent of the encryption key length to require. A value
323 of 112 is equivalent to 3DES, 128 to Blowfish, etc..
324 The directive may be specified globally and/or per-database.
326 specifies the overall security strength factor.
328 specifies the transport security strength factor.
330 specifies the TLS security strength factor.
332 specifies the SASL security strength factor.
334 specifies the overall security strength factor to require for
336 .B update_transport=<n>
337 specifies the transport security strength factor to require for
340 specifies the TLS security strength factor to require for
343 specifies the SASL security strength factor to require for
347 factor is measure of security provided by the underlying transport,
348 e.g. ldapi:// (and eventually IPSEC). It is not normally used.
350 .B sizelimit <integer>
351 Specify the maximum number of entries to return from a search operation.
352 The default size limit is 500.
355 Specify the srvtab file in which the kerberos keys necessary for
356 authenticating clients using kerberos can be found. This option is only
357 meaningful if you are using Kerberos authentication.
359 .B timelimit <integer>
360 Specify the maximum number of seconds (in real time)
361 require forward secrecy between sessions.
363 .B schemacheck { on | off }
364 Turn schema checking on or off. The default is on.
366 .B sizelimit <integer>
367 Specify the maximum number of entries to return from a search operation.
368 The default size limit is 500.
370 .B sasl-realm <realm>
371 Specify SASL realm. Default is empty.
373 .B sasl-secprops <props>
374 Cyrus SASL security properties. Default is "noanonymous,noplain".
377 Specify the srvtab file in which the kerberos keys necessary for
378 authenticating clients using kerberos can be found. This option is only
379 meaningful if you are using Kerberos authentication.
381 .B timelimit <integer>
382 Specify the maximum number of seconds (in real time)
384 will spend answering a search request. The default time limit is 3600.
388 is build with support for Transport Layer Security, there are more options
391 .B TLSCipherSuite <cipher-suite-spec>
392 Permits configuring what ciphers will be accepted and the preference order.
393 <cipher-suite-spec> should be a cipher specification for OpenSSL. Example:
395 TLSCipherSuite HIGH:MEDIUM:+SSLv2
397 To check what ciphers a given spec selects, use:
399 openssl ciphers -v <cipher-suite-spec>
401 .B TLSCertificateFile <filename>
402 Specifies the file that contains the
406 .B TLSCertificateKeyFile <filename>
407 Specifies the file that contains the
409 server private key that matches the certificate stored in the
410 .B TLSCertificateFile
411 file. Currently, the private key must not be protected with a password, so
412 it is of critical importance that it is protected carefully.
413 .SH GENERAL BACKEND OPTIONS
414 Options in this section only apply to the configuration file section
415 for the backend in which they are defined. They are supported by every
418 .B database <databasetype>
419 Mark the beginning of a new database instance definition. <databasetype>
425 depending on which backend will serve the database.
430 will automatically maintain the
431 modifiersName, modifyTimestamp, creatorsName, and
432 createTimestamp attributes for entries. By default, lastmod is on.
435 This option puts the database into "read-only" mode. Any attempts to
436 modify the database will return an "unwilling to perform" error. By
437 default, readonly is off.
439 .B replica host=<hostname>[:port] bindmethod=simple|sasl
440 .B [binddn=<simple DN>] [credentials=<simple password>]
441 .B [saslmech=<SASL mech>] [authcId=<authentication ID>]
443 Specify a replication site for this database. Refer to the "OpenLDAP
444 Administrator's Guide" for detailed information on setting up a replicated
454 and should only be used when adequate security services
455 (e.g TLS or IPSEC) are in place. A
463 will use Kerberos, a kerberos instance should be given in
467 .B replogfile <filename>
468 Specify the name of the replication log file to log changes to.
469 The replication log is typically written by
475 for more information.
478 Specify the distinguished name that is not subject to access control
479 or administrative limit restrictions for operations on this database.
480 This DN may or may not be associated with an entry. An empty root
481 DN, the default, specifies no root access is to be granted.
484 Specify a password (or hash of the password) for the rootdn.
485 This option accepts all RFC 2307 userPassword formats known to
488 desription) as well as cleartext.
490 may be used to generate a hash of a password. Cleartext
491 and \fB{CRYPT}\fP passwords are not recommended. The default
492 is empty imply authentication of the root DN is by other means
493 (e.g. SASL). Use of SASL is encouraged.
495 .B suffix <dn suffix>
496 Specify the DN suffix of queries that will be passed to this
497 backend database. Multiple suffix lines can be given and at least one is
498 required for each database definition.
501 This option is only applicable in a slave
503 It specifies the DN allowed to make changes to the replica (typically,
506 binds as when making changes to the replica).
509 Specify the referral to pass back when
511 is asked to modify a replicated local database.
512 If specified multiple times, each url is provided.
513 .SH LDBM BACKEND-SPECIFIC OPTIONS
514 Options in this category only apply to the LDBM backend database. That is,
515 they must follow a "database ldbm" line and come before any subsequent
516 "database" lines. The LDBM backend is a high-performance database that
517 makes extensive use of indexing and caching to speed data access.
519 .B cachesize <integer>
520 Specify the size in entries of the in-memory cache maintained
521 by the LDBM backend database instance. The default is 1000 entries.
523 .B dbcachesize <integer>
524 Specify the size in bytes of the in-memory cache associated
525 with each open index file. If not supported by the underlying database
526 method, this option is ignored without comment. The default is 100000 bytes.
529 Specify that no database locking should be performed.
530 Enabling this option may improve performance at the expense of data security.
532 Specify that on-disk database contents should not be immediately
533 synchronized with in memory changes. Enabling this option may improve
534 performance at the expense of data security.
536 .B directory <directory>
537 Specify the directory where the LDBM files containing this database and
538 associated indexes live. A separate directory must be specified for
539 each database. The default is
540 .BR LOCALSTATEDIR/openldap-ldbm .
543 index {<attrlist>|default} [pres,eq,approx,sub,<special>]
544 Specify the indexes to maintain for the given attribute. If only
545 an <attr> is given, the indices specified for \fBdefault\fR
546 are maintained. A number of special index parameters may be
550 can be decomposed into
557 may be specified to allow use of this index by language subtypes.
560 may be specified to automatically maintain separate indices for each
564 may be specified to allow use of this index by named subtypes.
567 may be specified to automatically maintain separate indices for each
571 Specify the file protection mode that newly created database
572 index files should have. The default is 0600.
573 .SH SHELL BACKEND-SPECIFIC OPTIONS
574 Options in this category only apply to the SHELL backend database. That is,
575 they must follow a "database shell" line and come before any subsequent
576 "database" lines. The Shell backend executes external programs to
577 implement operations, and is designed to make it easy to tie an existing
588 .B compare <pathname>
598 .B abandon <pathname>
599 These options specify the pathname of the command to execute in response
600 to the given LDAP operation.
602 Note that you need only supply configuration lines for those commands you
603 want the backend to handle. Operations for which a command is not
604 supplied will be refused with an "unwilling to perform" error.
605 .SH PASSWORD BACKEND-SPECIFIC OPTIONS
606 Options in this category only apply to the PASSWD backend database.
607 That is, they must follow a "database passwd" line and come before any
608 subsequent "database" lines. The PASSWD database serves up the user
609 account information listed in the system
614 Specifies an alternate passwd file to use. The default is
617 "OpenLDAP Administrator's Guide" contains an annotated
618 example of a configuration file.
623 .BR slapd.replog (5),
630 .BR slappassword (8),
633 "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
636 is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
638 is derived from University of Michigan LDAP 3.3 Release.