Reimplement LDBM_SYNC/LDBM_NOSYNC code (dbnosync).

[openldap] / doc / man / man5 / slapd.conf.5

.TH SLAPD.CONF 5 "5 August 1999" "OpenLDAP LDVERSION"
.\" $OpenLDAP$
.\" Copyright 1998-1999 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
.SH NAME
slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The file
.B ETCDIR/slapd.conf
contains configuration information for the
.BR slapd (8)
daemon.  This configuration file is also used by the
.BR slurpd (8)
replication daemon and by the SLAPD tools
.BR slapadd (8),
.BR slapcat (8),
and
.BR slapindex (8).
.LP
The
.B slapd.conf
file consists of a series of global configuration options that apply to
.B slapd
as a whole (including all backends), followed by zero or more database
backend definitions that contain information specific to a backend
instance.
.LP
The general format of
.B slapd.conf
is as follows:
.LP
.nf
    # comment - these options apply to every database
    <global configuration options>
    # first database definition & configuration options
    database    <backend 1 type>
    <configuration options specific to backend 1>
    # subsequent database definitions & configuration options
    ...
.fi
.LP
As many backend-specific sections as desired may be included.  Global
options can be overridden in a backend (for options that appear more
than once, the last appearance in the
.B slapd.conf
file is used).  Blank lines and comment lines beginning with a `#'
character are ignored. If a line begins with white space, it is
considered a continuation of the previous line.
.LP
Arguments on configuration lines are separated by white space. If an
argument contains white space, the argument should be enclosed in
double quotes.  If an argument contains a double quote (`"') or a
backslash character (`\\'), the character should be preceded by a
backslash character.
.LP
The specific configuration options available are discussed below in the
Global Configuration Options, General Backend Options, LDBM
Backend-Specific Options, Shell Backend-Specific Options, and Password
Backend-Specific Options sections.  Refer to "The SLAPD and SLURPD
Administrator's Guide" for more details on the slapd configuration
file.
.SH GLOBAL CONFIGURATION OPTIONS
Options described in this section apply to all backends, unless specifically 
overridden in a backend definition. Arguments that should be replaced by 
actual text are shown in brackets <>.
.TP
.B
access to <what> [ by <who> <accesslevel> ]+
Grant access (specified by <accesslevel>) to a set of entries and/or
attributes (specified by <what>) by one or more requestors (specified
by <who>).  Refer to "The SLAPD and SLURPD Administrator's Guide" for
information on using the
.B slapd
access-control mechanisms.
.TP
.B
attribute ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE] \
[SUP <oid>] [EQUALITY <oid>] [ORDERING <oid>] [SUBSTR <oid>] \
[SYNTAX <oidlen>] [SINGLE-VALUE] [COLLECTIVE] [NO-USER-MODIFICATION] \
[USAGE <attributeUsage>] )
Specify an attribute type using the LDAPv3 syntax defined in RFC 2252.
This is the preferred format for attribute type definitions. The slapd
parser extends the RFC 2252 definition by allowing string forms as well
as numeric OIDs to be used for the attribute OID and attribute syntax OID.
(See the
.B
objectidentifier
description.) Currently the syntax name parser is case-sensitive.
The known syntax names are:
.RS
.RS
.PD 0
AttributeTypeDescription Audio Binary BitString Certificate CertificateList
CertificatePair DN DeliveryMethod DirectoryString DITContentRuleDescription
DITStructureRuleDescription EnhancedGuide FacsimileTelephoneNumber
GeneralizedTime Guide IA5String Integer MatchingRuleDescription
MatchingRuleUseDescription MailPreference NameAndOptionalUUID
NameFormDescription NumericString ObjectClassDescription OID
OtherMailbox OctetString PostalAddress ProtocolInformation
PresentationAddress PrintableString SupportedAlgorithm TelephoneNumber
TeletexTerminalIdentifier TelexNumber UTCTime LDAPSyntaxDescription
SubstringAssertion NISnetgrouptriple Bootparameter
.PD
.RE
.RE
.TP
.B 
attribute <name> [<name2>] { bin | ces | cis | tel | dn }
Associate a syntax with an attribute name. This directive is deprecated
in favor of the one above. By default, an 
attribute is assumed to have syntax
.BR cis .
An optional alternate name can be 
given for an attribute. The possible syntaxes and their meanings are:
.RS
.RS
.PD 0
.TP
.B bin
binary
.TP
.B ces
case exact string
.TP
.B cis
case ignore string
.TP
.B tel
telephone number string
.TP
.B dn
distinguished name
.PD
.RE
.RE
.TP
.B
defaultaccess [self]{ none | compare | search | read | write }
Specify the default access to grant requestors not matched by 
any other access line.  The default behavior is to grant read access.
.TP
.B idletimeout <integer>
Specify the number of seconds to wait before forcibly closing
an idle client connections.  A idletimeout of 0 disables this
feature.  The default is 0.
.TP
.B include <filename>
Read additional configuration information from the given file before
continuing with the next line of the current file.
.TP
.B pidfile <filename>
The ( absolute ) name of a file that will hold the 
.B slapd
server's process ID ( see
.BR getpid (2)
) if started without the debugging command line option.
.TP
.B argsfile <filename>
The ( absolute ) name of a file that will hold the 
.B slapd
server's command line options
if started without the debugging command line option.
.TP
.B
locale { <locale-name> | on | off }
Obey <locale-name>'s character classification and case conversion; i.e. the
.BR locale (5)
LC_CTYPE category.  See
.BR locale (5)
for details about locales.  "on" takes the locale from the environment,
typically $LANG or $LC_CTYPE, and will only work properly if slapd will
run with the same environment variables as when the database was
generated.  "off" (the default setting) resets to the initial "C" locale.
.TP
.B loglevel <integer>
Specify the level at which debugging statements and operation 
statistics should be syslogged (currently logged to the
.BR syslogd (8) 
LOG_LOCAL4 facility).  Log levels are additive, and available levels
are:
.RS
.RS
.PD 0
.TP
.B 1
trace function calls
.TP
.B 2
debug packet handling
.TP
.B 4
heavy trace debugging
.TP
.B 8
connection management
.TP
.B 16
print out packets sent and received
.TP
.B 32
search filter processing
.TP
.B 64
configuration file processing
.TP
.B 128
access control list processing
.TP
.B 256
stats log connections/operations/results
.TP
.B 512
stats log entries sent
.TP
.B 1024
print communication with shell backends
.TP
.B 2048
entry parsing
.PD
.RE
.RE
.TP
.B
objectclass ( <oid> [NAME <name>] [DESC <description] [OBSOLETE] \
[SUP <oids>] [{ ABSTRACT | STRUCTURAL | AUXILIARY }] [MUST <oids>] \
[MAY <oids>] )
Specify an objectclass using the LDAPv3 syntax defined in RFC 2252.
This is the preferred format for object class definitions. The slapd
parser extends the RFC 2252 definition by allowing string forms as well
as numeric OIDs to be used for the object class OID. (See the
.B
objectidentifier
description.) Object classes are "STRUCTURAL" by default.
.TP
.B
objectclass <name> requires <attrs> allows <attrs>
Define the schema rules for the object class named <name>.  These are
used in conjunction with the schemacheck option. This directive is
deprecated in favor of the one above.
.TP
.B objectidentifier <name> { <oid> | <name>[:<suffix>] }
Define a string name that equates to the given OID. The string can be used
in place of the numeric OID in objectclass and attribute definitions. The
name can also be used with a suffix of the form ":xx" in which case the
value "oid.xx" will be used.
.TP
.B referral <url>
Specify the referral to pass back when
.BR slapd (8)
cannot find a local database to handle a request.
If specified multiple times, each url is provided.
.TP
.B schemacheck { on | off }
Turn schema checking on or off. The default is on.
.TP
.B sizelimit <integer>
Specify the maximum number of entries to return from a search operation.
The default size limit is 500.
.TP
.B srvtab <filename>
Specify the srvtab file in which the kerberos keys necessary for
authenticating clients using kerberos can be found. This option is only
meaningful if you are using Kerberos authentication.
.TP
.B timelimit <integer>
Specify the maximum number of seconds (in real time)
.B slapd
will spend answering a search request.  The default time limit is 3600.
.SH TLS OPTIONS
If
.B slapd
is build with support for Transport Layer Security, there are more options
you can specify.
.TP
.B TLSCipherSuite <cipher-suite-spec>
Permits configuring what ciphers will be accepted and the preference order.
<cipher-suite-spec> should be a cipher specification for OpenSSL.  Example:

TLSCipherSuite HIGH:MEDIUM:+SSLv2

To check what ciphers a given spec selects, use:

openssl ciphers -v <cipher-suite-spec>
.TP
.B TLSCertificateFile <filename>
Specifies the file that contains the
.B slapd
server certificate.
.TP
.B TLSCertificateKeyFile <filename>
Specifies the file that contains the
.B slapd
server private key that matches the certificate stored in the
.B TLSCertificateFile
file.  Currently, the private key must not be protected with a password, so
it is of critical importance that it is protected carefully. 
.SH GENERAL BACKEND OPTIONS
Options in this section only apply to the configuration file section
for the backend in which they are defined.  They are supported by every
type of backend.
.TP
.B database <databasetype>
Mark the beginning of a new database instance definition. <databasetype>
should be one of
.B ldbm,
.B shell,
or
.B passwd
depending on which backend will serve the database.
.TP
.B lastmod on | off
Controls whether
.B slapd
will automatically maintain the 
modifiersName, modifyTimestamp, creatorsName, and 
createTimestamp attributes for entries.  By default, lastmod is on.
.TP
.B readonly on | off
This option puts the database into "read-only" mode.  Any attempts to 
modify the database will return an "unwilling to perform" error.  By
default, readonly is off.
.TP
.B
replica host=<hostname>[:port] "binddn=<DN>" bindmethod=simple |
.B
kerberos [credentials=<password>] [srvtab=<filename>]
.br
Specify a replication site for this database.  Refer to "The SLAPD and
SLURPD Administrator's Guide" for detailed information on setting up
a replicated
.B slapd
directory service.
.TP
.B replogfile <filename>
Specify the name of the replication log file to log changes to.  
The replication log is typically written by
.BR slapd (8)
and read by
.BR slurpd (8).
See
.BR slapd.replog (5)
for more information.
.TP
.B rootdn <dn>
Specify the DN of an entry that is not subject to access control 
or administrative limit restrictions for operations on this database.
.TP
.B rootpw <password>
Specify a password (or hash of the password) for the rootdn.
This option accepts all password formats known to the server
including \fB{SHA}\fP, \fB{MD5}\fP, \fB{CRYPT}\fP, and cleartext.  
Cleartext passwords are not recommended.
.TP
.B suffix <dn suffix>
Specify the DN suffix of queries that will be passed to this 
backend database.  Multiple suffix lines can be given and at least one is 
required for each database definition.
.TP
.B updatedn <dn>
This option is only applicable in a slave
.B slapd.
It specifies the DN allowed to make changes to the replica (typically,
this is the DN
.BR slurpd (8)
binds as when making changes to the replica).
.TP
.B updateref <url>
Specify the referral to pass back when
.BR slapd (8)
is asked to modify a replicated local database.
If specified multiple times, each url is provided.
.SH LDBM BACKEND-SPECIFIC OPTIONS
Options in this category only apply to the LDBM backend database. That is,
they must follow a "database ldbm" line and come before any subsequent
"database" lines.  The LDBM backend is a high-performance database that
makes extensive use of indexing and caching to speed data access. 
.TP
.B cachesize <integer>
Specify the size in entries of the in-memory cache maintained 
by the LDBM backend database instance.  The default is 1000 entries.
.TP
.B dbcachesize <integer>
Specify the size in bytes of the in-memory cache associated 
with each open index file. If not supported by the underlying database 
method, this option is ignored without comment.  The default is 100000 bytes.
.TP
.B dbnolocking
Specify that no database locking should be performed.  
Enabling this option may improve performance at the expense of data security.
.B dbnosync
Specify that on-disk database contents should not be immediately
synchronized with in memory changes.  Enabling this option may improve
performance at the expense of data security.
.TP
.B directory <directory>
Specify the directory where the LDBM files containing the database and
associated indexes live.  The default is
.B /usr/tmp.
.TP
.B
index { <attrlist> | default } [ pres,eq,approx,sub,none ]
Specify the indexes to maintain for the given attribute. If only 
an <attr> is given, all possible indexes are maintained.
.TP
.B mode <integer>
Specify the file protection mode that newly created database 
index files should have.  The default is 0600.
.SH SHELL BACKEND-SPECIFIC OPTIONS
Options in this category only apply to the SHELL backend database. That is,
they must follow a "database shell" line and come before any subsequent
"database" lines.  The Shell backend executes external programs to
implement operations, and is designed to make it easy to tie an existing
database to the
.B slapd
front-end.
.TP
.B bind <pathname>
.TP
.B unbind <pathname>
.TP
.B search <pathname>
.TP
.B compare <pathname>
.TP
.B modify <pathname>
.TP
.B modrdn <pathname>
.TP
.B add <pathname>
.TP
.B delete <pathname>
.TP
.B abandon <pathname>
These options specify the pathname of the command to execute in response 
to the given LDAP operation. The command given should understand and 
follow the input/output conventions described in Appendix B of "The SLAPD
and SLURPD Administrator's Guide."
.LP
Note that you need only supply configuration lines for those commands you
want the backend to handle. Operations for which a command is not
supplied will be refused with an "unwilling to perform" error.
.SH PASSWORD BACKEND-SPECIFIC OPTIONS
Options in this category only apply to the PASSWD backend database.
That is, they must follow a "database passwd" line and come before any
subsequent "database" lines.  The PASSWD database serves up the user
account information listed in the system
.BR passwd (5)
file.
.TP
.B file <filename>
Specifies an alternate passwd file to use.  The default is
.B /etc/passwd.
.SH EXAMPLE
"The SLAPD and SLURPD Administrator's Guide" contains an annotated
example of a configuration file.
.SH FILES
ETCDIR/slapd.conf
.SH SEE ALSO
.BR ldap (3),
.BR slapd.replog (5),
.BR locale (5),
.BR passwd (5),
.BR slapd (8),
.BR slapadd (8),
.BR slapcat (8),
.BR slapindex (8),
.BR slurpd (8),
.LP
"The SLAPD and SLURPD Administrator's Guide"
.SH ACKNOWLEDGEMENTS
.B      OpenLDAP
is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
.B      OpenLDAP
is derived from University of Michigan LDAP 3.3 Release.