1 .TH SLAPD.CONF 5 "5 August 1999" "OpenLDAP LDVERSION"
3 slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
9 contains configuration information for the
11 daemon. This configuration file is also used by the
13 replication daemon and by the SLAPD tools
21 file consists of a series of global configuration options that apply to
23 as a whole (including all backends), followed by zero or more database
24 backend definitions that contain information specific to a backend
32 # comment - these options apply to every database
33 <global configuration options>
34 # first database definition & configuration options
35 database <backend 1 type>
36 <configuration options specific to backend 1>
37 # subsequent database definitions & configuration options
41 As many backend-specific sections as desired may be included. Global
42 options can be overridden in a backend (for options that appear more
43 than once, the last appearance in the
45 file is used). Blank lines and comment lines beginning with a `#'
46 character are ignored. If a line begins with white space, it is
47 considered a continuation of the previous line.
49 Arguments on configuration lines are separated by white space. If an
50 argument contains white space, the argument should be enclosed in
51 double quotes. If an argument contains a double quote (`"') or a
52 backslash character (`\\'), the character should be preceded by a
55 The specific configuration options available are discussed below in the
56 Global Configuration Options, General Backend Options, LDBM
57 Backend-Specific Options, Shell Backend-Specific Options, and Password
58 Backend-Specific Options sections. Refer to "The SLAPD and SLURPD
59 Administrator's Guide" for more details on the slapd configuration
61 .SH GLOBAL CONFIGURATION OPTIONS
62 Options described in this section apply to all backends, unless specifically
63 overridden in a backend definition. Arguments that should be replaced by
64 actual text are shown in brackets <>.
67 access to <what> [ by <who> <accesslevel> ]+
68 Grant access (specified by <accesslevel>) to a set of entries and/or
69 attributes (specified by <what>) by one or more requestors (specified
70 by <who>). Refer to "The SLAPD and SLURPD Administrator's Guide" for
71 information on using the
73 access-control mechanisms.
76 attribute <name> [<name2>] { bin | ces | cis | tel | dn }
77 Associate a syntax with an attribute name. By default, an
78 attribute is assumed to have syntax
80 An optional alternate name can be
81 given for an attribute. The possible syntaxes and their meanings are:
96 telephone number string
105 defaultaccess [self]{ none | compare | search | read | write }
106 Specify the default access to grant requestors not matched by
107 any other access line. The default behavior is to grant read access.
109 .B idletimeout <integer>
110 Specify the number of seconds to wait before forcibly closing
111 an idle client connections. A idletimeout of 0 disables this
112 feature. The default is 0.
114 .B include <filename>
115 Read additional configuration information from the given file before
116 continuing with the next line of the current file.
118 .B pidfile <filename>
119 The ( absolute ) name of a file that will hold the
121 server's process ID ( see
123 ) if started without the debugging command line option.
125 .B argsfile <filename>
126 The ( absolute ) name of a file that will hold the
128 server's command line options
129 if started without the debugging command line option.
132 locale { <locale-name> | on | off }
133 Obey <locale-name>'s character classification and case conversion; i.e. the
135 LC_CTYPE category. See
137 for details about locales. "on" takes the locale from the environment,
138 typically $LANG or $LC_CTYPE, and will only work properly if slapd will
139 run with the same environment variables as when the database was
140 generated. "off" (the default setting) resets to the initial "C" locale.
142 .B loglevel <integer>
143 Specify the level at which debugging statements and operation
144 statistics should be syslogged (currently logged to the
146 LOG_LOCAL4 facility). Log levels are additive, and available levels
156 debug packet handling
159 heavy trace debugging
162 connection management
165 print out packets sent and received
168 search filter processing
171 configuration file processing
174 access control list processing
177 stats log connections/operations/results
180 stats log entries sent
183 print communication with shell backends
192 objectclass <name> requires <attrs> allows <attrs>
193 Define the schema rules for the object class named <name>. These are
194 used in conjunction with the schemacheck option.
197 Specify the referral to pass back when
199 cannot find a local database to handle a request.
200 If specified multiple times, each url is provided.
202 .B schemacheck { on | off }
203 Turn schema checking on or off. The default is on.
205 .B sizelimit <integer>
206 Specify the maximum number of entries to return from a search operation.
207 The default size limit is 500.
210 Specify the srvtab file in which the kerberos keys necessary for
211 authenticating clients using kerberos can be found. This option is only
212 meaningful if you are using Kerberos authentication.
214 .B timelimit <integer>
215 Specify the maximum number of seconds (in real time)
217 will spend answering a search request. The default time limit is 3600.
221 is build with support for Transport Layer Security, there are more options
224 .B TLSCipherSuite <cipher-suite-spec>
225 Permits configuring what ciphers will be accepted and the preference order.
226 <cipher-suite-spec> should be a cipher specification for OpenSSL. Example:
228 TLSCipherSuite HIGH:MEDIUM:+SSLv2
230 To check what ciphers a given spec selects, use:
232 openssl ciphers -v <cipher-suite-spec>
234 .B TLSCertificateFile <filename>
235 Specifies the file that contains the
239 .B TLSCertificateKeyFile <filename>
240 Specifies the file that contains the
242 server private key that matches the certificate stored in the
243 .B TLSCertificateFile
244 file. Currently, the private key must not be protected with a password, so
245 it is of critical importance that it is protected carefully.
246 .SH GENERAL BACKEND OPTIONS
247 Options in this section only apply to the configuration file section
248 for the backend in which they are defined. They are supported by every
251 .B database <databasetype>
252 Mark the beginning of a new database instance definition. <databasetype>
258 depending on which backend will serve the database.
263 will automatically maintain the
264 modifiersName, modifyTimestamp, creatorsName, and
265 createTimestamp attributes for entries. By default, lastmod is on.
268 This option puts the database into "read-only" mode. Any attempts to
269 modify the database will return an "unwilling to perform" error. By
270 default, readonly is off.
273 replica host=<hostname>[:port] "binddn=<DN>" bindmethod=simple |
275 kerberos [credentials=<password>] [srvtab=<filename>]
277 Specify a replication site for this database. Refer to "The SLAPD and
278 SLURPD Administrator's Guide" for detailed information on setting up
283 .B replogfile <filename>
284 Specify the name of the replication log file to log changes to.
285 The replication log is typically written by
291 for more information.
294 Specify the DN of an entry that is not subject to access control
295 or administrative limit restrictions for operations on this database.
298 Specify a password (or hash of the password) for the rootdn.
299 This option accepts all password formats known to the server
300 including \fB{SHA}\fP, \fB{MD5}\fP, \fB{CRYPT}\fP, and cleartext.
301 Cleartext passwords are not recommended.
303 .B suffix <dn suffix>
304 Specify the DN suffix of queries that will be passed to this
305 backend database. Multiple suffix lines can be given and at least one is
306 required for each database definition.
309 This option is only applicable in a slave
311 It specifies the DN allowed to make changes to the replica (typically,
314 binds as when making changes to the replica).
317 Specify the referral to pass back when
319 is asked to modify a replicated local database.
320 If specified multiple times, each url is provided.
321 .SH LDBM BACKEND-SPECIFIC OPTIONS
322 Options in this category only apply to the LDBM backend database. That is,
323 they must follow a "database ldbm" line and come before any subsequent
324 "database" lines. The LDBM backend is a high-performance database that
325 makes extensive use of indexing and caching to speed data access.
327 .B cachesize <integer>
328 Specify the size in entries of the in-memory cache maintained
329 by the LDBM backend database instance. The default is 1000 entries.
331 .B dbcachesize <integer>
332 Specify the size in bytes of the in-memory cache associated
333 with each open index file. If not supported by the underlying database
334 method, this option is ignored without comment. The default is 100000 bytes.
337 Specify that database writes should not be immediately synchronized
338 with in memory changes. Enabling this option may improve performance
339 at the expense of data security.
341 .B directory <directory>
342 Specify the directory where the LDBM files containing the database and
343 associated indexes live. The default is
347 index { <attrlist> | default } [ pres,eq,approx,sub,none ]
348 Specify the indexes to maintain for the given attribute. If only
349 an <attr> is given, all possible indexes are maintained.
352 Specify the file protection mode that newly created database
353 index files should have. The default is 0600.
354 .SH SHELL BACKEND-SPECIFIC OPTIONS
355 Options in this category only apply to the SHELL backend database. That is,
356 they must follow a "database shell" line and come before any subsequent
357 "database" lines. The Shell backend executes external programs to
358 implement operations, and is designed to make it easy to tie an existing
369 .B compare <pathname>
379 .B abandon <pathname>
380 These options specify the pathname of the command to execute in response
381 to the given LDAP operation. The command given should understand and
382 follow the input/output conventions described in Appendix B of "The SLAPD
383 and SLURPD Administrator's Guide."
385 Note that you need only supply configuration lines for those commands you
386 want the backend to handle. Operations for which a command is not
387 supplied will be refused with an "unwilling to perform" error.
388 .SH PASSWORD BACKEND-SPECIFIC OPTIONS
389 Options in this category only apply to the PASSWD backend database.
390 That is, they must follow a "database passwd" line and come before any
391 subsequent "database" lines. The PASSWD database serves up the user
392 account information listed in the system
397 Specifies an alternate passwd file to use. The default is
400 "The SLAPD and SLURPD Administrator's Guide" contains an annotated
401 example of a configuration file.
406 .BR slapd.replog (5),
415 "The SLAPD and SLURPD Administrator's Guide"
418 is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
420 is derived from University of Michigan LDAP 3.3 Release.