.TH SLAPD.CONF 5 "5 August 1999" "OpenLDAP LDVERSION"
.\" Copyright 1998-2000 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
.B slapd.conf
contains configuration information for the
.B slapd
daemon. This configuration file is also used by the
.B slurpd
replication daemon and by the SLAPD tools.
.LP
The
.B slapd.conf
file consists of a series of global configuration options that apply to
.B slapd
as a whole (including all backends), followed by zero or more database
backend definitions that contain information specific to a backend
instance.
.nf
# comment - these options apply to every database
<global configuration options>
# first database definition & configuration options
database <backend 1 type>
<configuration options specific to backend 1>
# subsequent database definitions & configuration options
.fi
As many backend-specific sections as desired may be included. Global
options can be overridden in a backend (for options that appear more
than once, the last appearance in the
.B slapd.conf
file is used). Blank lines and comment lines beginning with a `#'
character are ignored. If a line begins with white space, it is
considered a continuation of the previous line.
Arguments on configuration lines are separated by white space. If an
argument contains white space, the argument should be enclosed in
double quotes. If an argument contains a double quote (`"') or a
backslash character (`\\'), the character should be preceded by a
backslash character (`\\').
The specific configuration options available are discussed below in the
Global Configuration Options, General Backend Options, LDBM
Backend-Specific Options, Shell Backend-Specific Options, and Password
Backend-Specific Options sections. Refer to "The SLAPD and SLURPD
Administrator's Guide" for more details on the slapd configuration
file.
.SH GLOBAL CONFIGURATION OPTIONS
Options described in this section apply to all backends, unless specifically
overridden in a backend definition. Arguments that should be replaced by
actual text are shown in brackets <>.
.B
access to <what> [ by <who> <access> <control> ]+
Grant access (specified by <access>) to a set of entries and/or
attributes (specified by <what>) by one or more requestors (specified
by <who>).
See Developer's FAQ (http://www.openldap.org/faq/) for details.
.B
attributetype ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE] \
[SUP <oid>] [EQUALITY <oid>] [ORDERING <oid>] [SUBSTR <oid>] \
[SYNTAX <oidlen>] [SINGLE-VALUE] [COLLECTIVE] [NO-USER-MODIFICATION] \
[USAGE <attributeUsage>] )
Specify an attribute type using the LDAPv3 syntax defined in RFC 2252.
The slapd parser extends the RFC 2252 definition by allowing string
forms as well as numeric OIDs to be used for the attribute OID and
attribute syntax OID. (See the
.B objectidentifier
description.) Currently the syntax name parser is case-sensitive.
The known syntax names are:
.nf
AttributeTypeDescription Audio Binary BitString Certificate CertificateList
CertificatePair DN DeliveryMethod DirectoryString DITContentRuleDescription
DITStructureRuleDescription EnhancedGuide FacsimileTelephoneNumber
GeneralizedTime Guide IA5String Integer MatchingRuleDescription
MatchingRuleUseDescription MailPreference NameAndOptionalUUID
NameFormDescription NumericString ObjectClassDescription OID
OtherMailbox OctetString PostalAddress ProtocolInformation
PresentationAddress PrintableString SupportedAlgorithm TelephoneNumber
TeletexTerminalIdentifier TelexNumber UTCTime LDAPSyntaxDescription
SubstringAssertion NISnetgrouptriple Bootparameter
.fi
.B concurrency <integer>
Specify a desired level of concurrency. Provided to the underlying
thread system as a hint. The default is not to provide any hint.
.B
defaultaccess { none | auth | compare | search | read | write }
Specify the default access level to grant requestors when
no access directives were provided for the database.
The default behavior is to grant 'read' access. It is
recommended that
.B access
directives be used instead.
.B idletimeout <integer>
Specify the number of seconds to wait before forcibly closing
an idle client connection. An idletimeout of 0 disables this
feature. The default is 0.
.B include <filename>
Read additional configuration information from the given file before
continuing with the next line of the current file.
.B pidfile <filename>
The ( absolute ) name of a file that will hold the
.B slapd
server's process ID ( see
.BR getpid (2)
) if started without the debugging command line option.
.B argsfile <filename>
The ( absolute ) name of a file that will hold the
.B slapd
server's command line options
if started without the debugging command line option.
.B loglevel <integer>
Specify the level at which debugging statements and operation
statistics should be syslogged (currently logged to the
.BR syslogd (8)
LOG_LOCAL4 facility). Log levels are additive, and available levels
are:
.nf
debug packet handling
heavy trace debugging
connection management
print out packets sent and received
search filter processing
configuration file processing
access control list processing
stats log connections/operations/results
stats log entries sent
print communication with shell backends
.fi
.B
objectclass ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE] \
[SUP <oids>] [{ ABSTRACT | STRUCTURAL | AUXILIARY }] [MUST <oids>] \
[MAY <oids>] )
Specify an objectclass using the LDAPv3 syntax defined in RFC 2252.
The slapd parser extends the RFC 2252 definition by allowing string
forms as well as numeric OIDs to be used for the object class OID.
(See the
.B objectidentifier
description.) Object classes are "STRUCTURAL" by default.
.B objectidentifier <name> { <oid> | <name>[:<suffix>] }
Define a string name that equates to the given OID. The string can be used
in place of the numeric OID in objectclass and attribute definitions. The
name can also be used with a suffix of the form ":xx" in which case the
value "oid.xx" will be used.
.B referral <url>
Specify the referral to pass back when
.B slapd
cannot find a local database to handle a request.
If specified multiple times, each url is provided.
.B schemacheck { on | off }
Turn schema checking on or off. The default is on.
.B sizelimit <integer>
Specify the maximum number of entries to return from a search operation.
The default size limit is 500.
.B srvtab <filename>
Specify the srvtab file in which the kerberos keys necessary for
authenticating clients using kerberos can be found. This option is only
meaningful if you are using Kerberos authentication.
.B timelimit <integer>
Specify the maximum number of seconds (in real time)
.B slapd
will spend answering a search request. The default time limit is 3600.
If
.B slapd
is built with support for Transport Layer Security, there are more options
you can specify.
.B TLSCipherSuite <cipher-suite-spec>
Permits configuring what ciphers will be accepted and the preference order.
<cipher-suite-spec> should be a cipher specification for OpenSSL. Example:
.nf
TLSCipherSuite HIGH:MEDIUM:+SSLv2
.fi
In OpenSSL cipher-list syntax a leading `+' moves the matching ciphers to
the end of the preference list rather than adding them; to exclude the
SSLv2-era ciphers outright use `!SSLv2' instead. To check what ciphers a
given spec selects, use:
.nf
openssl ciphers -v <cipher-suite-spec>
.fi
.B TLSCertificateFile <filename>
Specifies the file that contains the
.B slapd
server certificate.
.B TLSCertificateKeyFile <filename>
Specifies the file that contains the
.B slapd
server private key that matches the certificate stored in the
.B TLSCertificateFile
file. Currently, the private key must not be protected with a password, so
it is of critical importance that it is protected carefully: restrict the
file to the user
.B slapd
runs as (for example, mode 0600) and keep it out of world-readable backups.
.SH GENERAL BACKEND OPTIONS
Options in this section only apply to the configuration file section
for the backend in which they are defined. They are supported by every
type of backend.
.B database <databasetype>
Mark the beginning of a new database instance definition. <databasetype>
should be one of
.BR ldbm ,
.BR shell ,
or
.BR passwd ,
depending on which backend will serve the database.
.B lastmod { on | off }
Controls whether
.B slapd
will automatically maintain the
modifiersName, modifyTimestamp, creatorsName, and
createTimestamp attributes for entries. By default, lastmod is on.
.B readonly { on | off }
This option puts the database into "read-only" mode. Any attempts to
modify the database will return an "unwilling to perform" error. By
default, readonly is off.
.B
replica host=<hostname>[:port] "binddn=<DN>" bindmethod=simple |
kerberos [credentials=<password>] [srvtab=<filename>]
Specify a replication site for this database. Refer to "The SLAPD and
SLURPD Administrator's Guide" for detailed information on setting up
replication. Note that credentials=<password> is stored in cleartext in
.B slapd.conf,
so the file must not be readable by users other than the one
.B slapd
runs as.
.B replogfile <filename>
Specify the name of the replication log file to log changes to.
The replication log is typically written by
.BR slapd (8)
and read by
.BR slurpd (8).
See
.BR slapd.replog (5)
for more information.
.B rootdn <dn>
Specify the DN of an entry that is not subject to access control
or administrative limit restrictions for operations on this database.
.B rootpw <password>
Specify a password (or hash of the password) for the rootdn.
This option accepts all RFC 2307 userPassword formats known to
the server including \fB{SSHA}\fP, \fB{SHA}\fP, \fB{SMD5}\fP,
\fB{MD5}\fP, \fB{CRYPT}\fP, and cleartext schemes.
.BR slappasswd (8)
may be used to generate a hash of a password. Cleartext
and \fB{CRYPT}\fP passwords are not recommended; a cleartext value is
exposed to anyone who can read the file, and a salted scheme such as
\fB{SSHA}\fP is preferable to \fB{CRYPT}\fP.
.B suffix <dn suffix>
Specify the DN suffix of queries that will be passed to this
backend database. Multiple suffix lines can be given and at least one is
required for each database definition.
.B updatedn <dn>
This option is only applicable in a slave
.B slapd.
It specifies the DN allowed to make changes to the replica (typically,
this is the DN
.B slurpd
binds as when making changes to the replica).
.B updateref <url>
Specify the referral to pass back when
.B slapd
is asked to modify a replicated local database.
If specified multiple times, each url is provided.
.SH LDBM BACKEND-SPECIFIC OPTIONS
Options in this category only apply to the LDBM backend database. That is,
they must follow a "database ldbm" line and come before any subsequent
"database" lines. The LDBM backend is a high-performance database that
makes extensive use of indexing and caching to speed data access.
.B cachesize <integer>
Specify the size in entries of the in-memory cache maintained
by the LDBM backend database instance. The default is 1000 entries.
.B dbcachesize <integer>
Specify the size in bytes of the in-memory cache associated
with each open index file. If not supported by the underlying database
method, this option is ignored without comment. The default is 100000 bytes.
.B dbnolocking
Specify that no database locking should be performed.
Enabling this option may improve performance at the expense of data
security: concurrent writers can corrupt the on-disk files.
.B dbnosync
Specify that on-disk database contents should not be immediately
synchronized with in memory changes. Enabling this option may improve
performance at the expense of data security: changes acknowledged to
clients may be lost, or the files left inconsistent, if the server or
host crashes before they reach disk.
.B directory <directory>
Specify the directory where the LDBM files containing this database and
associated indexes live. A separate directory must be specified for
each database. The default is
.BR LOCALSTATEDIR/openldap-ldbm .
.B
index { <attrlist> | default } [ pres,eq,approx,sub,none ]
Specify the indexes to maintain for the given attribute. If only
an <attr> is given, the indices specified for \fBdefault\fR
are maintained.
.B mode <integer>
Specify the file protection mode that newly created database
index files should have. The default is 0600.
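A complete slapd.conf assembled from the directives above, as an added example; it is not taken from the OpenLDAP distribution or the Administrator's Guide. Hostnames, paths, DNs and the placeholder hash are assumptions. The settings follow this page's advice: a hashed rootpw, access directives in place of defaultaccess, the default-tight mode, SSLv2 ciphers excluded, and a TLS key file that must be protected because it cannot be encrypted.

```conf
# Added example slapd.conf (not from the OpenLDAP distribution). Paths,
# hostnames and DNs are placeholders.

# --- global options: apply to slapd as a whole ---
include         /etc/openldap/slapd.at.conf
include         /etc/openldap/slapd.oc.conf
schemacheck     on
pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args
sizelimit       500
timelimit       3600
idletimeout     300
# grant nothing by default; the access directives below do the real work
defaultaccess   none
# TLS: the key file cannot be password protected, so it must be mode 0600
# and owned by the user slapd runs as
TLSCertificateFile    /etc/openldap/ldap.example.com.crt
TLSCertificateKeyFile /etc/openldap/ldap.example.com.key
TLSCipherSuite        HIGH:MEDIUM:!SSLv2

# --- first database: the LDBM backend ---
database        ldbm
suffix          "dc=example,dc=com"
directory       /var/lib/ldap/example
rootdn          "cn=Manager,dc=example,dc=com"
# hash produced with slappasswd(8); the value here is a placeholder
rootpw          {SSHA}<hash generated by slappasswd>
lastmod         on
readonly        off
mode            0600
cachesize       1000
index           objectClass,uid eq
index           cn,sn    pres,eq,sub
# passwords: owner may change, anyone may bind against, nobody may read
access to attr=userPassword
        by self write
        by anonymous auth
        by * none
# everything else: owner may change, authenticated users may read
access to *
        by self write
        by users read
        by * none
# replication to a slave; slurpd reads the log named by replogfile.
# credentials= is cleartext, another reason this file must not be
# world readable.
replogfile      /var/lib/ldap/example.replog
replica         host=slave.example.com:389
                "binddn=cn=Replicator,dc=example,dc=com"
                bindmethod=simple credentials=<replicator password>
```

On the slave, the same database section would carry updatedn (set to the DN slurpd binds as) and updateref (the master's URL) instead of replica and replogfile, as described under General Backend Options.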
.SH SHELL BACKEND-SPECIFIC OPTIONS
Options in this category only apply to the SHELL backend database. That is,
they must follow a "database shell" line and come before any subsequent
"database" lines. The Shell backend executes external programs to
implement operations, and is designed to make it easy to tie an existing
database to the slapd front-end.
.B compare <pathname>
.B abandon <pathname>
These options specify the pathname of the command to execute in response
to the given LDAP operation. The command given should understand and
follow the input/output conventions described in Appendix B of "The SLAPD
and SLURPD Administrator's Guide."
.LP
Note that you need only supply configuration lines for those commands you
want the backend to handle. Operations for which a command is not
supplied will be refused with an "unwilling to perform" error.
.SH PASSWORD BACKEND-SPECIFIC OPTIONS
Options in this category only apply to the PASSWD backend database.
That is, they must follow a "database passwd" line and come before any
subsequent "database" lines. The PASSWD database serves up the user
account information listed in the system
.BR passwd (5)
file.
Specifies an alternate passwd file to use. The default is
.BR /etc/passwd .
.SH EXAMPLE
"The SLAPD and SLURPD Administrator's Guide" contains an annotated
example of a configuration file.
.BR slapd.replog (5),
.BR slappasswd (8),
"The SLAPD and SLURPD Administrator's Guide"
.B OpenLDAP
is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
.B OpenLDAP
is derived from University of Michigan LDAP 3.3 Release.