.TH SLAPD.CONF 5 "5 August 1999" "OpenLDAP LDVERSION"
.\" Copyright 1998-1999 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
contains configuration information for the
daemon. This configuration file is also used by the
replication daemon and by the SLAPD tools
file consists of a series of global configuration options that apply to
as a whole (including all backends), followed by zero or more database
backend definitions that contain information specific to a backend
# comment - these options apply to every database
<global configuration options>
# first database definition & configuration options
database <backend 1 type>
<configuration options specific to backend 1>
# subsequent database definitions & configuration options
As many backend-specific sections as desired may be included. Global
options can be overridden in a backend (for options that appear more
than once, the last appearance in the
file is used). Blank lines and comment lines beginning with a `#'
character are ignored. If a line begins with white space, it is
considered a continuation of the previous line.
Arguments on configuration lines are separated by white space. If an
argument contains white space, the argument should be enclosed in
double quotes. If an argument contains a double quote (`"') or a
backslash character (`\\'), the character should be preceded by a
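The line and argument rules just described (comment lines, white-space continuation, double-quoted arguments, backslash escapes), implemented as an added Python example; this is not OpenLDAP's own parser, and the slapd.conf fragment it reads is constructed here. It also flags a rootpw stored without an RFC 2307 {scheme} prefix, i.e. in cleartext.

```python
SAMPLE_CONF = r"""# constructed sample slapd.conf fragment (not a real deployment)
include   /etc/openldap/schema/core.schema
database  ldbm
suffix    "dc=example, dc=com"
rootdn    "cn=Manager, dc=example, dc=com"
rootpw    se\"cret
access to attr=userPassword
    by self write
    by * auth
"""

def join_lines(text):
    """Drop blank and '#' lines; fold lines starting with white space onto the previous one."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith('#'):
            continue
        if raw[0] in ' \t' and logical:
            logical[-1] += ' ' + raw.strip()
        else:
            logical.append(raw.rstrip())
    return logical

def split_args(line):
    """White space separates args, double quotes group, backslash escapes the next char."""
    args, cur, quoted, started, i = [], [], False, False, 0
    while i < len(line):
        c = line[i]
        if c == '\\' and i + 1 < len(line):   # \" or \\ inside an argument
            cur.append(line[i + 1]); started = True; i += 2; continue
        if c == '"':
            quoted = not quoted; started = True  # "" still yields an (empty) argument
        elif c.isspace() and not quoted:
            if started:
                args.append(''.join(cur)); cur, started = [], False
        else:
            cur.append(c); started = True
        i += 1
    if started:
        args.append(''.join(cur))
    return args

def parse_slapd_conf(text):
    """Return one argument list per logical line; args[0] is the directive name."""
    return [split_args(l) for l in join_lines(text)]

def cleartext_rootpw(conf):
    """True if a rootpw value lacks an RFC 2307 {scheme} prefix, i.e. is stored in cleartext."""
    return any(a[0] == 'rootpw' and not a[1].startswith('{') for a in conf if len(a) > 1)
```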
The specific configuration options available are discussed below in the
Global Configuration Options, General Backend Options, LDBM
Backend-Specific Options, Shell Backend-Specific Options, and Password
Backend-Specific Options sections. Refer to "The SLAPD and SLURPD
Administrator's Guide" for more details on the slapd configuration
.SH GLOBAL CONFIGURATION OPTIONS
Options described in this section apply to all backends, unless specifically
overridden in a backend definition. Arguments that should be replaced by
actual text are shown in brackets <>.
.B access to <what> [ by <who> <access> <control> ]+
Grant access (specified by <access>) to a set of entries and/or
attributes (specified by <what>) by one or more requestors (specified
See Developer's FAQ (http://www.openldap.org/faq/) for details.
.B attributetype ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE] \
[SUP <oid>] [EQUALITY <oid>] [ORDERING <oid>] [SUBSTR <oid>] \
[SYNTAX <oidlen>] [SINGLE-VALUE] [COLLECTIVE] [NO-USER-MODIFICATION] \
[USAGE <attributeUsage>] )
Specify an attribute type using the LDAPv3 syntax defined in RFC 2252.
This is the preferred format for attribute type definitions. The slapd
parser extends the RFC 2252 definition by allowing string forms as well
as numeric OIDs to be used for the attribute OID and attribute syntax OID.
description.) Currently the syntax name parser is case-sensitive.
The known syntax names are:
AttributeTypeDescription Audio Binary BitString Certificate CertificateList
CertificatePair DN DeliveryMethod DirectoryString DITContentRuleDescription
DITStructureRuleDescription EnhancedGuide FacsimileTelephoneNumber
GeneralizedTime Guide IA5String Integer MatchingRuleDescription
MatchingRuleUseDescription MailPreference NameAndOptionalUUID
NameFormDescription NumericString ObjectClassDescription OID
OtherMailbox OctetString PostalAddress ProtocolInformation
PresentationAddress PrintableString SupportedAlgorithm TelephoneNumber
TeletexTerminalIdentifier TelexNumber UTCTime LDAPSyntaxDescription
SubstringAssertion NISnetgrouptriple Bootparameter
.B attribute[type] <name> [<name2>] { bin | ces | cis | tel | dn }
Associate a syntax with an attribute name. This directive is deprecated
in favor of the one above. By default, an
attribute is assumed to have syntax
An optional alternate name can be
given for an attribute. The possible syntaxes and their meanings are:
telephone number string
.B defaultaccess { none | auth | compare | search | read | write }
Specify the default access level to grant requestors when
no access directives were provided for the database.
The default behavior is to grant 'read' access. It is
directives be used instead.
.B idletimeout <integer>
Specify the number of seconds to wait before forcibly closing
an idle client connection. An idletimeout of 0 disables this
feature. The default is 0.
.B include <filename>
Read additional configuration information from the given file before
continuing with the next line of the current file.
.B pidfile <filename>
The ( absolute ) name of a file that will hold the
server's process ID ( see
) if started without the debugging command line option.
.B argsfile <filename>
The ( absolute ) name of a file that will hold the
server's command line options
if started without the debugging command line option.
.B locale { <locale-name> | on | off }
Obey <locale-name>'s character classification and case conversion; i.e. the
LC_CTYPE category. See
for details about locales. "on" takes the locale from the environment,
typically $LANG or $LC_CTYPE, and will only work properly if slapd will
run with the same environment variables as when the database was
generated. "off" (the default setting) resets to the initial "C" locale.
.B loglevel <integer>
Specify the level at which debugging statements and operation
statistics should be syslogged (currently logged to the
LOG_LOCAL4 facility). Log levels are additive, and available levels
debug packet handling
heavy trace debugging
connection management
print out packets sent and received
search filter processing
configuration file processing
access control list processing
stats log connections/operations/results
stats log entries sent
print communication with shell backends
.B objectclass ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE] \
[SUP <oids>] [{ ABSTRACT | STRUCTURAL | AUXILIARY }] [MUST <oids>] \
Specify an objectclass using the LDAPv3 syntax defined in RFC 2252.
This is the preferred format for object class definitions. The slapd
parser extends the RFC 2252 definition by allowing string forms as well
as numeric OIDs to be used for the object class OID. (See the
description.) Object classes are "STRUCTURAL" by default.
.B objectclass <name> requires <attrs> allows <attrs>
Define the schema rules for the object class named <name>. These are
used in conjunction with the schemacheck option. This directive is
deprecated in favor of the one above.
.B objectidentifier <name> { <oid> | <name>[:<suffix>] }
Define a string name that equates to the given OID. The string can be used
in place of the numeric OID in objectclass and attribute definitions. The
name can also be used with a suffix of the form ":xx" in which case the
value "oid.xx" will be used.
Specify the referral to pass back when
cannot find a local database to handle a request.
If specified multiple times, each url is provided.
.B schemacheck { on | off }
Turn schema checking on or off. The default is on.
.B sizelimit <integer>
Specify the maximum number of entries to return from a search operation.
The default size limit is 500.
Specify the srvtab file in which the kerberos keys necessary for
authenticating clients using kerberos can be found. This option is only
meaningful if you are using Kerberos authentication.
.B timelimit <integer>
Specify the maximum number of seconds (in real time)
will spend answering a search request. The default time limit is 3600.
is built with support for Transport Layer Security, there are more options
.B TLSCipherSuite <cipher-suite-spec>
Permits configuring what ciphers will be accepted and the preference order.
<cipher-suite-spec> should be a cipher specification for OpenSSL. Example:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
To check what ciphers a given spec selects, use:
openssl ciphers -v <cipher-suite-spec>
.B TLSCertificateFile <filename>
Specifies the file that contains the
.B TLSCertificateKeyFile <filename>
Specifies the file that contains the
server private key that matches the certificate stored in the
.B TLSCertificateFile
file. Currently, the private key must not be protected with a password, so
it is of critical importance that it is protected carefully.
.SH GENERAL BACKEND OPTIONS
Options in this section only apply to the configuration file section
for the backend in which they are defined. They are supported by every
.B database <databasetype>
Mark the beginning of a new database instance definition. <databasetype>
depending on which backend will serve the database.
will automatically maintain the
modifiersName, modifyTimestamp, creatorsName, and
createTimestamp attributes for entries. By default, lastmod is on.
This option puts the database into "read-only" mode. Any attempts to
modify the database will return an "unwilling to perform" error. By
default, readonly is off.
.B replica host=<hostname>[:port] "binddn=<DN>" bindmethod=simple |
kerberos [credentials=<password>] [srvtab=<filename>]
Specify a replication site for this database. Refer to "The SLAPD and
SLURPD Administrator's Guide" for detailed information on setting up
.B replogfile <filename>
Specify the name of the replication log file to log changes to.
The replication log is typically written by
for more information.
Specify the DN of an entry that is not subject to access control
or administrative limit restrictions for operations on this database.
Specify a password (or hash of the password) for the rootdn.
This option accepts all RFC 2307 userPassword formats known to
the server including \fB{SSHA}\fP, \fB{SHA}\fP, \fB{SMD5}\fP,
\fB{MD5}\fP, \fB{CRYPT}\fP, and cleartext schemes. Cleartext
passwords are not recommended.
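An added Python example (not OpenLDAP code) that generates an {SSHA} value suitable for rootpw and verifies a candidate password against a stored value in the listed RFC 2307 schemes; {CRYPT} is left out because it needs the platform crypt(3). It assumes the usual salted layout base64(digest || salt) for {SSHA} and {SMD5}.

```python
import base64
import hashlib
import hmac
import os

def make_ssha(password, salt=None):
    """Produce an RFC 2307 {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode('utf-8') + salt).digest()
    return '{SSHA}' + base64.b64encode(digest + salt).decode('ascii')

def check_password(stored, candidate):
    """Verify candidate against a rootpw/userPassword value.

    Supports {SSHA}, {SHA}, {SMD5}, {MD5} and cleartext; comparisons use
    hmac.compare_digest so timing does not leak how many bytes matched."""
    pw = candidate.encode('utf-8')
    if not stored.startswith('{'):                      # cleartext scheme
        return hmac.compare_digest(stored.encode('utf-8'), pw)
    scheme, _, payload = stored[1:].partition('}')
    scheme = scheme.upper()
    raw = base64.b64decode(payload)
    if scheme == 'SHA':
        calc = hashlib.sha1(pw).digest()
    elif scheme == 'MD5':
        calc = hashlib.md5(pw).digest()
    elif scheme in ('SSHA', 'SMD5'):
        algo, dlen = ('sha1', 20) if scheme == 'SSHA' else ('md5', 16)
        raw, salt = raw[:dlen], raw[dlen:]              # digest first, salt after
        calc = hashlib.new(algo, pw + salt).digest()
    else:
        raise ValueError('unsupported password scheme: {%s}' % scheme)
    return hmac.compare_digest(calc, raw)
```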
.B suffix <dn suffix>
Specify the DN suffix of queries that will be passed to this
backend database. Multiple suffix lines can be given and at least one is
required for each database definition.
This option is only applicable in a slave
It specifies the DN allowed to make changes to the replica (typically,
binds as when making changes to the replica).
Specify the referral to pass back when
is asked to modify a replicated local database.
If specified multiple times, each url is provided.
.SH LDBM BACKEND-SPECIFIC OPTIONS
Options in this category only apply to the LDBM backend database. That is,
they must follow a "database ldbm" line and come before any subsequent
"database" lines. The LDBM backend is a high-performance database that
makes extensive use of indexing and caching to speed data access.
.B cachesize <integer>
Specify the size in entries of the in-memory cache maintained
by the LDBM backend database instance. The default is 1000 entries.
.B dbcachesize <integer>
Specify the size in bytes of the in-memory cache associated
with each open index file. If not supported by the underlying database
method, this option is ignored without comment. The default is 100000 bytes.
Specify that no database locking should be performed.
Enabling this option may improve performance at the expense of data security.
Specify that on-disk database contents should not be immediately
synchronized with in memory changes. Enabling this option may improve
performance at the expense of data security.
.B directory <directory>
Specify the directory where the LDBM files containing this database and
associated indexes live. A separate directory must be specified for
each database. The default is
.B index { <attrlist> | default } [ pres,eq,approx,sub,none ]
Specify the indexes to maintain for the given attribute. If only
an <attr> is given, all possible indexes are maintained.
Specify the file protection mode that newly created database
index files should have. The default is 0600.
.SH SHELL BACKEND-SPECIFIC OPTIONS
Options in this category only apply to the SHELL backend database. That is,
they must follow a "database shell" line and come before any subsequent
"database" lines. The Shell backend executes external programs to
implement operations, and is designed to make it easy to tie an existing
.B compare <pathname>
.B abandon <pathname>
These options specify the pathname of the command to execute in response
to the given LDAP operation. The command given should understand and
follow the input/output conventions described in Appendix B of "The SLAPD
and SLURPD Administrator's Guide."
Note that you need only supply configuration lines for those commands you
want the backend to handle. Operations for which a command is not
supplied will be refused with an "unwilling to perform" error.
.SH PASSWORD BACKEND-SPECIFIC OPTIONS
Options in this category only apply to the PASSWD backend database.
That is, they must follow a "database passwd" line and come before any
subsequent "database" lines. The PASSWD database serves up the user
account information listed in the system
Specifies an alternate passwd file to use. The default is
"The SLAPD and SLURPD Administrator's Guide" contains an annotated
example of a configuration file.
.BR slapd.replog (5),
"The SLAPD and SLURPD Administrator's Guide"
is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
is derived from University of Michigan LDAP 3.3 Release.