1 .TH SLAPD.CONF 5 "5 August 1999" "OpenLDAP LDVERSION"
3 .\" Copyright 1998-1999 The OpenLDAP Foundation All Rights Reserved.
4 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
6 slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
12 contains configuration information for the
14 daemon. This configuration file is also used by the
16 replication daemon and by the SLAPD tools
24 file consists of a series of global configuration options that apply to
26 as a whole (including all backends), followed by zero or more database
27 backend definitions that contain information specific to a backend
35 # comment - these options apply to every database
36 <global configuration options>
37 # first database definition & configuration options
38 database <backend 1 type>
39 <configuration options specific to backend 1>
40 # subsequent database definitions & configuration options
44 As many backend-specific sections as desired may be included. Global
45 options can be overridden in a backend (for options that appear more
46 than once, the last appearance in the
48 file is used). Blank lines and comment lines beginning with a `#'
49 character are ignored. If a line begins with white space, it is
50 considered a continuation of the previous line.
52 Arguments on configuration lines are separated by white space. If an
53 argument contains white space, the argument should be enclosed in
54 double quotes. If an argument contains a double quote (`"') or a
55 backslash character (`\\'), the character should be preceded by a
58 The specific configuration options available are discussed below in the
59 Global Configuration Options, General Backend Options, LDBM
60 Backend-Specific Options, Shell Backend-Specific Options, and Password
61 Backend-Specific Options sections. Refer to "The SLAPD and SLURPD
62 Administrator's Guide" for more details on the slapd configuration
64 .SH GLOBAL CONFIGURATION OPTIONS
65 Options described in this section apply to all backends, unless specifically
66 overridden in a backend definition. Arguments that should be replaced by
67 actual text are shown in brackets <>.
70 access to <what> [ by <who> <accesslevel> ]+
71 Grant access (specified by <accesslevel>) to a set of entries and/or
72 attributes (specified by <what>) by one or more requestors (specified
73 by <who>). Refer to "The SLAPD and SLURPD Administrator's Guide" for
74 information on using the
76 access-control mechanisms.
79 attributetype ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE] \
80 [SUP <oid>] [EQUALITY <oid>] [ORDERING <oid>] [SUBSTR <oid>] \
81 [SYNTAX <oidlen>] [SINGLE-VALUE] [COLLECTIVE] [NO-USER-MODIFICATION] \
82 [USAGE <attributeUsage>] )
83 Specify an attribute type using the LDAPv3 syntax defined in RFC 2252.
84 This is the preferred format for attribute type definitions. The slapd
85 parser extends the RFC 2252 definition by allowing string forms as well
86 as numeric OIDs to be used for the attribute OID and attribute syntax OID.
89 description.) Currently the syntax name parser is case-sensitive.
90 The known syntax names are:
94 AttributeTypeDescription Audio Binary BitString Certificate CertificateList
95 CertificatePair DN DeliveryMethod DirectoryString DITContentRuleDescription
96 DITStructureRuleDescription EnhancedGuide FacsimileTelephoneNumber
97 GeneralizedTime Guide IA5String Integer MatchingRuleDescription
98 MatchingRuleUseDescription MailPreference NameAndOptionalUUID
99 NameFormDescription NumericString ObjectClassDescription OID
100 OtherMailbox OctetString PostalAddress ProtocolInformation
101 PresentationAddress PrintableString SupportedAlgorithm TelephoneNumber
102 TeletexTerminalIdentifier TelexNumber UTCTime LDAPSyntaxDescription
103 SubstringAssertion NISnetgrouptriple Bootparameter
109 attribute[type] <name> [<name2>] { bin | ces | cis | tel | dn }
110 Associate a syntax with an attribute name. This directive is deprecated
111 in favor of the one above. By default, an
112 attribute is assumed to have syntax
114 An optional alternate name can be
115 given for an attribute. The possible syntaxes and their meanings are:
130 telephone number string
139 defaultaccess [self]{ none | compare | search | read | write }
140 Specify the default access to grant requestors not matched by
141 any other access line. The default behavior is to grant read access.
143 .B idletimeout <integer>
144 Specify the number of seconds to wait before forcibly closing
145 an idle client connections. A idletimeout of 0 disables this
146 feature. The default is 0.
148 .B include <filename>
149 Read additional configuration information from the given file before
150 continuing with the next line of the current file.
152 .B pidfile <filename>
153 The ( absolute ) name of a file that will hold the
155 server's process ID ( see
157 ) if started without the debugging command line option.
159 .B argsfile <filename>
160 The ( absolute ) name of a file that will hold the
162 server's command line options
163 if started without the debugging command line option.
166 locale { <locale-name> | on | off }
167 Obey <locale-name>'s character classification and case conversion; i.e. the
169 LC_CTYPE category. See
171 for details about locales. "on" takes the locale from the environment,
172 typically $LANG or $LC_CTYPE, and will only work properly if slapd will
173 run with the same environment variables as when the database was
174 generated. "off" (the default setting) resets to the initial "C" locale.
176 .B loglevel <integer>
177 Specify the level at which debugging statements and operation
178 statistics should be syslogged (currently logged to the
180 LOG_LOCAL4 facility). Log levels are additive, and available levels
190 debug packet handling
193 heavy trace debugging
196 connection management
199 print out packets sent and received
202 search filter processing
205 configuration file processing
208 access control list processing
211 stats log connections/operations/results
214 stats log entries sent
217 print communication with shell backends
226 objectclass ( <oid> [NAME <name>] [DESC <description] [OBSOLETE] \
227 [SUP <oids>] [{ ABSTRACT | STRUCTURAL | AUXILIARY }] [MUST <oids>] \
229 Specify an objectclass using the LDAPv3 syntax defined in RFC 2252.
230 This is the preferred format for object class definitions. The slapd
231 parser extends the RFC 2252 definition by allowing string forms as well
232 as numeric OIDs to be used for the object class OID. (See the
235 description.) Object classes are "STRUCTURAL" by default.
238 objectclass <name> requires <attrs> allows <attrs>
239 Define the schema rules for the object class named <name>. These are
240 used in conjunction with the schemacheck option. This directive is
241 deprecated in favor of the one above.
243 .B objectidentifier <name> { <oid> | <name>[:<suffix>] }
244 Define a string name that equates to the given OID. The string can be used
245 in place of the numeric OID in objectclass and attribute definitions. The
246 name can also be used with a suffix of the form ":xx" in which case the
247 value "oid.xx" will be used.
250 Specify the referral to pass back when
252 cannot find a local database to handle a request.
253 If specified multiple times, each url is provided.
255 .B schemacheck { on | off }
256 Turn schema checking on or off. The default is on.
258 .B sizelimit <integer>
259 Specify the maximum number of entries to return from a search operation.
260 The default size limit is 500.
263 Specify the srvtab file in which the kerberos keys necessary for
264 authenticating clients using kerberos can be found. This option is only
265 meaningful if you are using Kerberos authentication.
267 .B timelimit <integer>
268 Specify the maximum number of seconds (in real time)
270 will spend answering a search request. The default time limit is 3600.
274 is build with support for Transport Layer Security, there are more options
277 .B TLSCipherSuite <cipher-suite-spec>
278 Permits configuring what ciphers will be accepted and the preference order.
279 <cipher-suite-spec> should be a cipher specification for OpenSSL. Example:
281 TLSCipherSuite HIGH:MEDIUM:+SSLv2
283 To check what ciphers a given spec selects, use:
285 openssl ciphers -v <cipher-suite-spec>
287 .B TLSCertificateFile <filename>
288 Specifies the file that contains the
292 .B TLSCertificateKeyFile <filename>
293 Specifies the file that contains the
295 server private key that matches the certificate stored in the
296 .B TLSCertificateFile
297 file. Currently, the private key must not be protected with a password, so
298 it is of critical importance that it is protected carefully.
299 .SH GENERAL BACKEND OPTIONS
300 Options in this section only apply to the configuration file section
301 for the backend in which they are defined. They are supported by every
304 .B database <databasetype>
305 Mark the beginning of a new database instance definition. <databasetype>
311 depending on which backend will serve the database.
316 will automatically maintain the
317 modifiersName, modifyTimestamp, creatorsName, and
318 createTimestamp attributes for entries. By default, lastmod is on.
321 This option puts the database into "read-only" mode. Any attempts to
322 modify the database will return an "unwilling to perform" error. By
323 default, readonly is off.
326 replica host=<hostname>[:port] "binddn=<DN>" bindmethod=simple |
328 kerberos [credentials=<password>] [srvtab=<filename>]
330 Specify a replication site for this database. Refer to "The SLAPD and
331 SLURPD Administrator's Guide" for detailed information on setting up
336 .B replogfile <filename>
337 Specify the name of the replication log file to log changes to.
338 The replication log is typically written by
344 for more information.
347 Specify the DN of an entry that is not subject to access control
348 or administrative limit restrictions for operations on this database.
351 Specify a password (or hash of the password) for the rootdn.
352 This option accepts all password formats known to the server
353 including \fB{SHA}\fP, \fB{MD5}\fP, \fB{CRYPT}\fP, and cleartext.
354 Cleartext passwords are not recommended.
356 .B suffix <dn suffix>
357 Specify the DN suffix of queries that will be passed to this
358 backend database. Multiple suffix lines can be given and at least one is
359 required for each database definition.
362 This option is only applicable in a slave
364 It specifies the DN allowed to make changes to the replica (typically,
367 binds as when making changes to the replica).
370 Specify the referral to pass back when
372 is asked to modify a replicated local database.
373 If specified multiple times, each url is provided.
374 .SH LDBM BACKEND-SPECIFIC OPTIONS
375 Options in this category only apply to the LDBM backend database. That is,
376 they must follow a "database ldbm" line and come before any subsequent
377 "database" lines. The LDBM backend is a high-performance database that
378 makes extensive use of indexing and caching to speed data access.
380 .B cachesize <integer>
381 Specify the size in entries of the in-memory cache maintained
382 by the LDBM backend database instance. The default is 1000 entries.
384 .B dbcachesize <integer>
385 Specify the size in bytes of the in-memory cache associated
386 with each open index file. If not supported by the underlying database
387 method, this option is ignored without comment. The default is 100000 bytes.
390 Specify that no database locking should be performed.
391 Enabling this option may improve performance at the expense of data security.
393 Specify that on-disk database contents should not be immediately
394 synchronized with in memory changes. Enabling this option may improve
395 performance at the expense of data security.
397 .B directory <directory>
398 Specify the directory where the LDBM files containing the database and
399 associated indexes live. The default is
403 index { <attrlist> | default } [ pres,eq,approx,sub,none ]
404 Specify the indexes to maintain for the given attribute. If only
405 an <attr> is given, all possible indexes are maintained.
408 Specify the file protection mode that newly created database
409 index files should have. The default is 0600.
410 .SH SHELL BACKEND-SPECIFIC OPTIONS
411 Options in this category only apply to the SHELL backend database. That is,
412 they must follow a "database shell" line and come before any subsequent
413 "database" lines. The Shell backend executes external programs to
414 implement operations, and is designed to make it easy to tie an existing
425 .B compare <pathname>
435 .B abandon <pathname>
436 These options specify the pathname of the command to execute in response
437 to the given LDAP operation. The command given should understand and
438 follow the input/output conventions described in Appendix B of "The SLAPD
439 and SLURPD Administrator's Guide."
441 Note that you need only supply configuration lines for those commands you
442 want the backend to handle. Operations for which a command is not
443 supplied will be refused with an "unwilling to perform" error.
444 .SH PASSWORD BACKEND-SPECIFIC OPTIONS
445 Options in this category only apply to the PASSWD backend database.
446 That is, they must follow a "database passwd" line and come before any
447 subsequent "database" lines. The PASSWD database serves up the user
448 account information listed in the system
453 Specifies an alternate passwd file to use. The default is
456 "The SLAPD and SLURPD Administrator's Guide" contains an annotated
457 example of a configuration file.
462 .BR slapd.replog (5),
471 "The SLAPD and SLURPD Administrator's Guide"
474 is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
476 is derived from University of Michigan LDAP 3.3 Release.