1 .TH SLAPD.CONF 5 "17 October 2000" "OpenLDAP LDVERSION"
2 .\" Copyright 1998-2000 The OpenLDAP Foundation All Rights Reserved.
3 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
6 slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
12 contains configuration information for the
14 daemon. This configuration file is also used by the
16 replication daemon and by the SLAPD tools
24 file consists of a series of global configuration options that apply to
26 as a whole (including all backends), followed by zero or more database
27 backend definitions that contain information specific to a backend
35 # comment - these options apply to every database
36 <global configuration options>
37 # first database definition & configuration options
38 database <backend 1 type>
39 <configuration options specific to backend 1>
40 # subsequent database definitions & configuration options
44 As many backend-specific sections as desired may be included. Global
45 options can be overridden in a backend (for options that appear more
46 than once, the last appearance in the
48 file is used). Blank lines and comment lines beginning with a `#'
49 character are ignored. If a line begins with white space, it is
50 considered a continuation of the previous line.
52 Arguments on configuration lines are separated by white space. If an
53 argument contains white space, the argument should be enclosed in
54 double quotes. If an argument contains a double quote (`"') or a
55 backslash character (`\\'), the character should be preceded by a
58 The specific configuration options available are discussed below in the
59 Global Configuration Options, General Backend Options, LDBM
60 Backend-Specific Options, Shell Backend-Specific Options, and Password
61 Backend-Specific Options sections. Refer to the "OpenLDAP
62 Administrator's Guide" for more details on the slapd configuration
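The following tokenizer is an added example, not OpenLDAP's own configuration reader: it applies the line rules stated above (comment and blank lines ignored, a line starting with white space continues the previous line, arguments split on white space, double quotes group an argument, backslash escapes a quote or backslash) and groups directives into the global section and the database sections that follow each `database` line. The sample configuration text is constructed for this example.

```python
"""Tokenize slapd.conf-style text (added example, not OpenLDAP code)."""
from typing import Iterator, List, Tuple

# Constructed sample fragment exercising every line rule the manual states.
SAMPLE_CONF = '''\
# comment - these options apply to every database
include  /etc/openldap/schema/core.schema
access to attr=userPassword
    by self write
    by anonymous auth
    by * none

database ldbm
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
# a value containing a quote and a backslash, escaped as the manual requires
description "say \\"hi\\" \\\\ bye"
'''


def logical_lines(text: str) -> Iterator[str]:
    """Join continuation lines and drop blank and comment lines."""
    current = None
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and current is not None:
            # leading white space: continuation of the previous directive
            current += " " + raw.strip()
            continue
        if current is not None:
            yield current
            current = None
        if not raw.strip() or raw.startswith("#"):
            continue
        current = raw.rstrip()
    if current is not None:
        yield current


def split_args(line: str) -> List[str]:
    """Split one logical line into arguments, honouring quotes and escapes."""
    args, buf, quoted, escaped, have = [], [], False, False, False
    for ch in line:
        if escaped:                      # character after a backslash is literal
            buf.append(ch)
            escaped = False
            have = True
        elif ch == "\\":
            escaped = True
        elif ch == '"':                  # quotes delimit, they are not part of the value
            quoted = not quoted
            have = True
        elif ch.isspace() and not quoted:
            if have:
                args.append("".join(buf))
                buf, have = [], False
        else:
            buf.append(ch)
            have = True
    if quoted or escaped:
        raise ValueError("unterminated quote or escape: %r" % line)
    if have:
        args.append("".join(buf))
    return args


def parse_conf(text: str) -> List[Tuple[str, List[Tuple[str, List[str]]]]]:
    """Return [(section_name, [(directive, args), ...]), ...].

    The first section is 'global'; each `database <type>` line opens a new
    section named 'database <type>' that collects the directives after it.
    """
    sections = [("global", [])]
    for line in logical_lines(text):
        args = split_args(line)
        directive, rest = args[0].lower(), args[1:]
        if directive == "database":
            if not rest:
                raise ValueError("database directive without a type")
            sections.append(("database " + rest[0], []))
        sections[-1][1].append((directive, rest))
    return sections


if __name__ == "__main__":
    for name, directives in parse_conf(SAMPLE_CONF):
        print(name)
        for directive, args in directives:
            print("   ", directive, args)
```

Running the block prints the global `include` and the multi-line `access` directive as a single argument list, then the `database ldbm` section; the quoted `description` value comes out with its quote and backslash unescaped. An unterminated quote raises rather than silently swallowing the rest of the line, which is the failure mode a configuration checker should surface.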
64 .SH GLOBAL CONFIGURATION OPTIONS
65 Options described in this section apply to all backends, unless specifically
66 overridden in a backend definition. Arguments that should be replaced by
67 actual text are shown in brackets <>.
69 .B access to <what> [ by <who> <access> <control> ]+
70 Grant access (specified by <access>) to a set of entries and/or
71 attributes (specified by <what>) by one or more requestors (specified
73 See the "OpenLDAP's Administrator's Guide" for details.
76 Specify a set of features (separated by white space) to
79 allows Start TLS to force session to anonymous status (see also
83 .B argsfile <filename>
84 The ( absolute ) name of a file that will hold the
86 server's command line options
87 if started without the debugging command line option.
90 .B attributetype (\ <oid> [NAME\ <name>] [OBSOLETE]\
91 [DESC\ <description>]\
92 [SUP\ <oid>] [EQUALITY\ <oid>] [ORDERING\ <oid>]\
93 [SUBSTR\ <oid>] [SYNTAX\ <oidlen>] [SINGLE\-VALUE] [COLLECTIVE]\
94 [NO\-USER\-MODIFICATION] [USAGE\ <attributeUsage>]\ )
96 Specify an attribute type using the LDAPv3 syntax defined in RFC 2252.
97 The slapd parser extends the RFC 2252 definition by allowing string
98 forms as well as numeric OIDs to be used for the attribute OID and
102 description.) Currently the syntax name parser is case-sensitive.
103 The known syntax names are:
107 AttributeTypeDescription Audio Binary BitString Certificate CertificateList
108 CertificatePair DN DeliveryMethod DirectoryString DITContentRuleDescription
109 DITStructureRuleDescription EnhancedGuide FacsimileTelephoneNumber
110 GeneralizedTime Guide IA5String Integer MatchingRuleDescription
111 MatchingRuleUseDescription MailPreference NameAndOptionalUUID
112 NameFormDescription NumericString ObjectClassDescription OID
113 OtherMailbox OctetString PostalAddress ProtocolInformation
114 PresentationAddress PrintableString SupportedAlgorithm TelephoneNumber
115 TeletexTerminalIdentifier TelexNumber UTCTime LDAPSyntaxDescription
116 SubstringAssertion NISnetgrouptriple Bootparameter
122 .B concurrency <integer>
123 Specify a desired level of concurrency. Provided to the underlying
124 thread system as a hint. The default is not to provide any hint.
126 .B defaultsearchbase <dn>
127 Specify a default search base to use when client submits a
128 non-base search request with an empty base DN.
130 .B disallow <features>
131 Specify a set of features (separated by white space) to
132 disallow (default none).
134 disables acceptance of LDAPv2 bind requests.
136 disables acceptance of anonymous bind requests.
138 disables anonymous bind when credentials are not empty (e.g.
141 disables anonymous bind when DN is not empty.
143 disables simple (bind) authentication.
145 disables Kerberos V4 (bind) authentication.
147 disables StartTLS if authenticated (see also
151 .B idletimeout <integer>
152 Specify the number of seconds to wait before forcibly closing
153 an idle client connection. An idletimeout of 0 disables this
154 feature. The default is 0.
156 .B include <filename>
157 Read additional configuration information from the given file before
158 continuing with the next line of the current file.
160 .B loglevel <integer>
161 Specify the level at which debugging statements and operation
162 statistics should be syslogged (currently logged to the
164 LOG_LOCAL4 facility). Log levels are additive, and available levels
174 debug packet handling
177 heavy trace debugging
180 connection management
183 print out packets sent and received
186 search filter processing
189 configuration file processing
192 access control list processing
195 stats log connections/operations/results
198 stats log entries sent
201 print communication with shell backends
209 .B objectclass ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE]\
210 [SUP <oids>] [{ ABSTRACT | STRUCTURAL | AUXILIARY }] [MUST <oids>]\
213 Specify an objectclass using the LDAPv3 syntax defined in RFC 2252.
214 The slapd parser extends the RFC 2252 definition by allowing string
215 forms as well as numeric OIDs to be used for the object class OID.
219 description.) Object classes are "STRUCTURAL" by default.
222 .B objectidentifier <name> { <oid> | <name>[:<suffix>] }
223 Define a string name that equates to the given OID. The string can be used
224 in place of the numeric OID in objectclass and attribute definitions. The
225 name can also be used with a suffix of the form ":xx" in which case the
226 value "oid.xx" will be used.
228 .B password-hash <hash>
229 The <hash> to use for userPassword generation. One of
242 .B pidfile <filename>
243 The ( absolute ) name of a file that will hold the
245 server's process ID ( see
247 ) if started without the debugging command line option.
250 Specify the referral to pass back when
252 cannot find a local database to handle a request.
253 If specified multiple times, each url is provided.
255 .B require <conditions>
256 Specify a set of conditions (separated by white space) to
257 require (default none).
258 The directive may be specified globally and/or per-database.
260 requires bind operation prior to directory operations.
262 requires session to be using LDAP version 3.
264 requires authentication prior to directory operations.
266 requires SASL authentication prior to directory operations.
268 requires strong authentication prior to directory operations.
273 conditions are currently the same.
275 may be used to require no conditions (useful for clearing globally
276 set conditions within a particular database).
279 Used to specify the fully qualified domain name used for SASL processing.
281 .B sasl-realm <realm>
282 Specify SASL realm. Default is empty.
284 .B sasl-regexp <match> <replace>
285 Used by the SASL authorization mechanism to convert a SASL authenticated
286 username to an LDAP DN. When an authorization request is received, the SASL
290 are taken, when available, and combined into a SASL name of the
295 .B uid=<UID>[,cn=<REALM>][,cn=<MECH>],cn=AUTHZ
298 This SASL name is then compared against the
300 regular expression, and if the match is successful, the SASL name is
303 string. If there are wildcard strings in the
305 regular expression that are enclosed in parenthesis, e.g.
309 .B uid=(.*)\\\\+realm=.*
313 then the portion of the SASL name that matched the wildcard will be stored
314 in the numbered placeholder variable $1. If there are other wildcard strings
315 in parenthesis, the matching strings will be in $2, $3, etc. up to $9. The
316 placeholders can then be used in the
322 .B cn=$1,ou=Accounts,dc=$2,dc=$4.
326 The replaced SASL name can be either a DN or an LDAP URI. If the latter, the slapd
327 server will use the URI to search its own database, and if the search returns
328 exactly one entry, the SASL name is replaced by the DN of that entry.
331 options can be given in the configuration file to allow for multiple matching
332 and replacement patterns. The matching patterns are checked in the order they
333 appear in the file, stopping at the first successful match.
336 Because the plus sign + is a character recognized by the regular expression engine,
337 and it will appear in SASL names that include a REALM, be careful to escape the
338 plus sign with a backslash \\+ to remove the character's special meaning.
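The mapping just described (match the SASL name against each `sasl-regexp` in file order, stop at the first hit, substitute $1..$9, and, when the result is an LDAP URI, search the server's own database and accept only a unique hit) is shown below as an added example; it is not slapd's implementation. The rule table, the in-memory directory standing in for slapd's database, and the URI subset it evaluates (`ldap:///<base>??sub?(<attr>=<value>)`) are all constructed assumptions for this example. The sample patterns are anchored with `^` and `$`; an unanchored pattern also matches a substring, so anchor real rules unless a partial match is intended.

```python
"""SASL name -> DN conversion in the style of sasl-regexp (added example)."""
import re
from typing import List, Optional

# Constructed rules; in slapd.conf each would be one sasl-regexp line, tried in order.
SASL_REGEXP_RULES = [
    # users of one realm map straight to a DN built from the uid ($1)
    (r"^uid=([^,]+),cn=EXAMPLE\.COM,cn=[^,]+,cn=AUTHZ$",
     "cn=$1,ou=Accounts,dc=example,dc=com"),
    # any other user is looked up by uid through an LDAP URI
    (r"^uid=([^,]+),cn=[^,]+,cn=AUTHZ$",
     "ldap:///dc=example,dc=com??sub?(uid=$1)"),
]

# Constructed stand-in for the server's own database: DN -> attributes.
DIRECTORY = {
    "cn=alice,ou=People,dc=example,dc=com": {"uid": "alice"},
    "cn=bob,ou=People,dc=example,dc=com": {"uid": "bob"},
    "cn=bob2,ou=Staff,dc=example,dc=com": {"uid": "bob"},   # duplicate uid on purpose
}


def substitute(template: str, match: "re.Match") -> str:
    """Replace $1..$9 with the corresponding parenthesised groups."""
    return re.sub(r"\$([1-9])",
                  lambda m: match.group(int(m.group(1))) or "", template)


def search_uri(uri: str) -> List[str]:
    """Evaluate the URI subset this example supports and return matching DNs."""
    m = re.fullmatch(r"ldap:///([^?]*)\?\?sub\?\(([^=]+)=([^)]+)\)", uri)
    if not m:
        raise ValueError("unsupported URI: " + uri)
    base, attr, value = m.groups()
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(base) and attrs.get(attr) == value]


def sasl_name_to_dn(sasl_name: str) -> Optional[str]:
    """Return the mapped DN, or None when no rule matches or the search is not unique."""
    for pattern, replacement in SASL_REGEXP_RULES:
        m = re.search(pattern, sasl_name)
        if not m:
            continue                      # try the next rule in file order
        result = substitute(replacement, m)
        if not result.startswith("ldap://"):
            return result                 # a DN: use it directly
        hits = search_uri(result)
        return hits[0] if len(hits) == 1 else None   # exactly one entry required
    return None


if __name__ == "__main__":
    for name in ("uid=alice,cn=EXAMPLE.COM,cn=GSSAPI,cn=AUTHZ",
                 "uid=alice,cn=DIGEST-MD5,cn=AUTHZ",
                 "uid=bob,cn=DIGEST-MD5,cn=AUTHZ",
                 "uid=carol,cn=PLAIN,cn=AUTHZ"):
        print(name, "->", sasl_name_to_dn(name))
```

The `bob` case is the one worth noticing: two entries share the uid, so the URI search is not unique and the conversion fails closed instead of picking the first entry, which is the behaviour the text requires.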
341 .B sasl-secprops <properties>
342 Used to specify Cyrus SASL security properties.
345 flag (without any other properties) causes the flag properties
346 default, "noanonymous,noplain", to be cleared.
349 flag disables mechanisms susceptible to simple passive attacks.
352 flag disables mechanisms susceptible to active attacks.
355 flag disables mechanisms susceptible to passive dictionary attacks.
358 flag disables mechanisms which support anonymous login.
361 flag requires forward secrecy between sessions.
364 require mechanisms which pass client credentials (and allow
365 mechanisms which can pass credentials to do so).
368 property specifies the minimum acceptable
369 .I security strength factor
370 as an integer approximating the effective key length used for
371 encryption. 0 (zero) implies no protection, 1 implies integrity
372 protection only, 56 allows DES or other weak ciphers, 112
373 allows triple DES and other strong ciphers, 128 allows RC4,
374 Blowfish and other modern strong ciphers. The default is 0.
377 property specifies the maximum acceptable
378 .I security strength factor
379 as an integer (see minssf description). The default is INT_MAX.
382 property specifies the maximum security layer receive buffer
383 size allowed. 0 disables security layers. The default is 65536.
385 .B schemacheck { on | off }
386 Turn schema checking on or off. The default is on.
388 .B security <factors>
389 Specify a set of factors (separated by white space) to require.
390 An integer value is associated with each factor and is roughly
391 equivalent to the encryption key length to require. A value
392 of 112 is equivalent to 3DES, 128 to Blowfish, etc.
393 The directive may be specified globally and/or per-database.
395 specifies the overall security strength factor.
397 specifies the transport security strength factor.
399 specifies the TLS security strength factor.
401 specifies the SASL security strength factor.
403 specifies the overall security strength factor to require for
405 .B update_transport=<n>
406 specifies the transport security strength factor to require for
409 specifies the TLS security strength factor to require for
412 specifies the SASL security strength factor to require for
416 factor is a measure of security provided by the underlying transport,
417 e.g. ldapi:// (and eventually IPSEC). It is not normally used.
419 .B sizelimit <integer>
420 Specify the maximum number of entries to return from a search operation.
421 The default size limit is 500.
424 Specify the srvtab file in which the kerberos keys necessary for
425 authenticating clients using kerberos can be found. This option is only
426 meaningful if you are using Kerberos authentication.
441 Specify the maximum size of the primary thread pool.
444 .B timelimit <integer>
445 Specify the maximum number of seconds (in real time)
447 will spend answering a search request. The default time limit is 3600.
451 is built with support for Transport Layer Security, there are more options
454 .B TLSCipherSuite <cipher-suite-spec>
455 Permits configuring what ciphers will be accepted and the preference order.
456 <cipher-suite-spec> should be a cipher specification for OpenSSL. Example:
458 TLSCipherSuite HIGH:MEDIUM:+SSLv2
460 To check what ciphers a given spec selects, use:
462 openssl ciphers -v <cipher-suite-spec>
464 .B TLSCertificateFile <filename>
465 Specifies the file that contains the
469 .B TLSCertificateKeyFile <filename>
470 Specifies the file that contains the
472 server private key that matches the certificate stored in the
473 .B TLSCertificateFile
474 file. Currently, the private key must not be protected with a password, so
475 it is of critical importance that it is protected carefully.
476 .SH GENERAL BACKEND OPTIONS
477 Options in this section only apply to the configuration file section
478 for the backend in which they are defined. They are supported by every
481 .B database <databasetype>
482 Mark the beginning of a new database instance definition. <databasetype>
488 depending on which backend will serve the database.
493 will automatically maintain the
494 modifiersName, modifyTimestamp, creatorsName, and
495 createTimestamp attributes for entries. By default, lastmod is on.
498 This option puts the database into "read-only" mode. Any attempts to
499 modify the database will return an "unwilling to perform" error. By
500 default, readonly is off.
502 .B replica host=<hostname>[:port] [tls=yes|critical]
503 .B bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
504 .B [saslmech=<SASL mech>] [secopts=<options>] [realm=<realm>]
505 .B [authcId=<authentication ID>] [authzId=<authorization ID>]
507 Specify a replication site for this database. Refer to the "OpenLDAP
508 Administrator's Guide" for detailed information on setting up a replicated
518 and should only be used when adequate security services
519 (e.g. TLS or IPSEC) are in place. A
527 will use Kerberos, a kerberos instance should be given in
531 .B replogfile <filename>
532 Specify the name of the replication log file to log changes to.
533 The replication log is typically written by
539 for more information. The specified file should be located
540 in a directory with limited read/write/execute access as the replication
541 logs may contain sensitive information.
544 Specify the distinguished name that is not subject to access control
545 or administrative limit restrictions for operations on this database.
546 This DN may or may not be associated with an entry. An empty root
547 DN (the default) specifies no root access is to be granted. It is
548 recommended that the rootdn only be specified when needed (such as
549 when initially populating a database). If the rootdn is within
550 a namingContext (suffix) of the database, a simple bind password
551 may also be provided using the
556 Specify a password (or hash of the password) for the rootdn. If
557 the rootdn is not within the namingContext of the database, the
558 provided password is ignored.
559 This option accepts all RFC 2307 userPassword formats known to
562 description) as well as cleartext.
564 may be used to generate a hash of a password. Cleartext
565 and \fB{CRYPT}\fP passwords are not recommended. If empty
566 (the default), authentication of the root DN is by other means
567 (e.g. SASL). Use of SASL is encouraged.
569 .B suffix <dn suffix>
570 Specify the DN suffix of queries that will be passed to this
571 backend database. Multiple suffix lines can be given and at least one is
572 required for each database definition.
575 This option is only applicable in a slave
577 It specifies the DN allowed to make changes to the replica (typically,
580 binds as when making changes to the replica).
583 Specify the referral to pass back when
585 is asked to modify a replicated local database.
586 If specified multiple times, each url is provided.
587 .SH LDBM BACKEND-SPECIFIC OPTIONS
588 Options in this category only apply to the LDBM backend database. That is,
589 they must follow a "database ldbm" line and come before any subsequent
590 "database" lines. The LDBM backend is a high-performance database that
591 makes extensive use of indexing and caching to speed data access.
593 .B cachesize <integer>
594 Specify the size in entries of the in-memory cache maintained
595 by the LDBM backend database instance. The default is 1000 entries.
597 .B dbcachesize <integer>
598 Specify the size in bytes of the in-memory cache associated
599 with each open index file. If not supported by the underlying database
600 method, this option is ignored without comment. The default is 100000 bytes.
603 Specify that no database locking should be performed.
604 Enabling this option may improve performance at the expense of data security.
606 Specify that on-disk database contents should not be immediately
607 synchronized with in-memory changes. Enabling this option may improve
608 performance at the expense of data security.
610 .B directory <directory>
611 Specify the directory where the LDBM files containing this database and
612 associated indexes live. A separate directory must be specified for
613 each database. The default is
614 .BR LOCALSTATEDIR/openldap-ldbm .
617 index {<attrlist>|default} [pres,eq,approx,sub,<special>]
618 Specify the indexes to maintain for the given attribute. If only
619 an <attr> is given, the indices specified for \fBdefault\fR
620 are maintained. A number of special index parameters may be
624 can be decomposed into
631 may be specified to allow use of this index by language subtypes.
634 may be specified to automatically maintain separate indices for each
638 may be specified to allow use of this index by named subtypes.
641 may be specified to automatically maintain separate indices for each
645 Specify the file protection mode that newly created database
646 index files should have. The default is 0600.
647 .SH SHELL BACKEND-SPECIFIC OPTIONS
648 Options in this category only apply to the SHELL backend database. That is,
649 they must follow a "database shell" line and come before any subsequent
650 "database" lines. The Shell backend executes external programs to
651 implement operations, and is designed to make it easy to tie an existing
662 .B compare <pathname>
672 .B abandon <pathname>
673 These options specify the pathname of the command to execute in response
674 to the given LDAP operation.
676 Note that you need only supply configuration lines for those commands you
677 want the backend to handle. Operations for which a command is not
678 supplied will be refused with an "unwilling to perform" error.
679 .SH PASSWORD BACKEND-SPECIFIC OPTIONS
680 Options in this category only apply to the PASSWD backend database.
681 That is, they must follow a "database passwd" line and come before any
682 subsequent "database" lines. The PASSWD database serves up the user
683 account information listed in the system
688 Specifies an alternate passwd file to use. The default is
691 "OpenLDAP Administrator's Guide" contains an annotated
692 example of a configuration file.
697 .BR slapd.replog (5),
704 .BR slappasswd (8),
707 "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
710 is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
712 is derived from University of Michigan LDAP 3.3 Release.