1 .TH SLAPD.CONF 5 "23 August 2000" "OpenLDAP LDVERSION"
3 .\" Copyright 1998-2000 The OpenLDAP Foundation All Rights Reserved.
4 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
6 slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
12 contains configuration information for the
14 daemon. This configuration file is also used by the
16 replication daemon and by the SLAPD tools
24 file consists of a series of global configuration options that apply to
26 as a whole (including all backends), followed by zero or more database
27 backend definitions that contain information specific to a backend
35 # comment - these options apply to every database
36 <global configuration options>
37 # first database definition & configuration options
38 database <backend 1 type>
39 <configuration options specific to backend 1>
40 # subsequent database definitions & configuration options
44 As many backend-specific sections as desired may be included. Global
45 options can be overridden in a backend (for options that appear more
46 than once, the last appearance in the
48 file is used). Blank lines and comment lines beginning with a `#'
49 character are ignored. If a line begins with white space, it is
50 considered a continuation of the previous line.
52 Arguments on configuration lines are separated by white space. If an
53 argument contains white space, the argument should be enclosed in
54 double quotes. If an argument contains a double quote (`"') or a
55 backslash character (`\\'), the character should be preceded by a
58 The specific configuration options available are discussed below in the
59 Global Configuration Options, General Backend Options, LDBM
60 Backend-Specific Options, Shell Backend-Specific Options, and Password
61 Backend-Specific Options sections. Refer to the "OpenLDAP
62 Administrator's Guide" for more details on the slapd configuration
64 .SH GLOBAL CONFIGURATION OPTIONS
65 Options described in this section apply to all backends, unless specifically
66 overridden in a backend definition. Arguments that should be replaced by
67 actual text are shown in brackets <>.
69 .B access to <what> [ by <who> <access> <control> ]+
70 Grant access (specified by <access>) to a set of entries and/or
71 attributes (specified by <what>) by one or more requestors (specified
73 See the "OpenLDAP's Administrator's Guide" for details.
76 Specify a set of features (separated by white space) to
79 allows Start TLS to force session to anonymous status (see also
83 .B argsfile <filename>
84 The ( absolute ) name of a file that will hold the
86 server's command line options
87 if started without the debugging command line option.
90 .B attributetype (\ <oid> [NAME\ <name>] [OBSOLETE]\
91 [DESC\ <description>]\
92 [SUP\ <oid>] [EQUALITY\ <oid>] [ORDERING\ <oid>]\
93 [SUBSTR\ <oid>] [SYNTAX\ <oidlen>] [SINGLE\-VALUE] [COLLECTIVE]\
94 [NO\-USER\-MODIFICATION] [USAGE\ <attributeUsage>]\ )
96 Specify an attribute type using the LDAPv3 syntax defined in RFC 2252.
97 The slapd parser extends the RFC 2252 definition by allowing string
98 forms as well as numeric OIDs to be used for the attribute OID and
102 description.) Currently the syntax name parser is case-sensitive.
103 The known syntax names are:
107 AttributeTypeDescription Audio Binary BitString Certificate CertificateList
108 CertificatePair DN DeliveryMethod DirectoryString DITContentRuleDescription
109 DITStructureRuleDescription EnhancedGuide FacsimileTelephoneNumber
110 GeneralizedTime Guide IA5String Integer MatchingRuleDescription
111 MatchingRuleUseDescription MailPreference NameAndOptionalUUID
112 NameFormDescription NumericString ObjectClassDescription OID
113 OtherMailbox OctetString PostalAddress ProtocolInformation
114 PresentationAddress PrintableString SupportedAlgorithm TelephoneNumber
115 TeletexTerminalIdentifier TelexNumber UTCTime LDAPSyntaxDescription
116 SubstringAssertion NISnetgrouptriple Bootparameter
122 .B concurrency <integer>
123 Specify a desired level of concurrency. Provided to the underlying
124 thread system as a hint. The default is not to provdide any hint.
126 .B defaultaccess { none | auth | compare | search | read | write }
128 Specify the default access level to grant requestors when
129 no access directives were provided for the database.
130 The default behavior is to grant 'read' access. It is
133 directives be used instead.
136 .B defaultsearchbase <dn>
137 Specify a default search base to use when client submits a
138 non-base search request with an empty base DN.
140 .B disallow <features>
141 Specify a set of features (separated by white space) to
142 disallow (default none).
144 disables acceptance of LDAPv2 bind requests.
146 disables acceptance of anonymous bind requests.
148 disables anonymous bind creditials are not empty (e.g.
151 disables anonymous bind when DN is not empty.
153 disables simple (bind) authentication.
155 disables Kerberos V4 (bind) authentication.
157 disables StartTLS if authenticated (see also
161 .B idletimeout <integer>
162 Specify the number of seconds to wait before forcibly closing
163 an idle client connections. A idletimeout of 0 disables this
164 feature. The default is 0.
166 .B include <filename>
167 Read additional configuration information from the given file before
168 continuing with the next line of the current file.
170 .B loglevel <integer>
171 Specify the level at which debugging statements and operation
172 statistics should be syslogged (currently logged to the
174 LOG_LOCAL4 facility). Log levels are additive, and available levels
184 debug packet handling
187 heavy trace debugging
190 connection management
193 print out packets sent and received
196 search filter processing
199 configuration file processing
202 access control list processing
205 stats log connections/operations/results
208 stats log entries sent
211 print communication with shell backends
219 .B objectclass ( <oid> [NAME <name>] [DESC <description] [OBSOLETE]\
220 [SUP <oids>] [{ ABSTRACT | STRUCTURAL | AUXILIARY }] [MUST <oids>]\
223 Specify an objectclass using the LDAPv3 syntax defined in RFC 2252.
224 The slapd parser extends the RFC 2252 definition by allowing string
225 forms as well as numeric OIDs to be used for the object class OID.
229 description.) Object classes are "STRUCTURAL" by default.
232 .B objectidentifier <name> { <oid> | <name>[:<suffix>] }
233 Define a string name that equates to the given OID. The string can be used
234 in place of the numeric OID in objectclass and attribute definitions. The
235 name can also be used with a suffix of the form ":xx" in which case the
236 value "oid.xx" will be used.
238 .B password-hash <hash>
239 The <hash> to use for userPassword generation. One of
252 .B pidfile <filename>
253 The ( absolute ) name of a file that will hold the
255 server's process ID ( see
257 ) if started without the debugging command line option.
260 Specify the referral to pass back when
262 cannot find a local database to handle a request.
263 If specified multiple times, each url is provided.
265 .B require <conditions>
266 Specify a set of conditions (separated by white space) to
267 require (default none).
268 The directive may be specified globally and/or per-database.
270 requires bind operation prior to directory operations.
272 requires session to be using LDAP version 3.
274 requires authentication prior to directory operations.
276 requires SASL authentication prior to directory operations.
278 requires strong authentication prior to directory operations.
283 conditions are currently same.
285 may be used to require no conditions (useful for clearly globally
286 set conditions within a particular database).
289 Used to specify the fully qualified domain name used for SASL processing.
291 .B sasl-realm <realm>
292 Specify SASL realm. Default is empty.
294 .B sasl-secprops <properties>
295 Used to specify Cyrus SASL security properties.
298 flag (without any other properities) causes the flag properites
299 default, "noanonymous,noplain", to be cleared.
302 flag disables mechanisms susceptible to simple passive attacks.
305 flag disables mechanisms susceptible to active attacks.
308 flag disables mechanisms susceptible to passive dictionary attacks.
311 flag disables mechanisms which support anonymous login.
314 flag require forward secrecy between sessions.
317 require mechanisms which pass client credentials (and allow
318 mechanisms which can pass credentials to do so).
321 property specifies the minimum acceptable
322 .I security strength factor
323 as an integer approximate to effective key length used for
324 encryption. 0 (zero) implies no protection, 1 implies integrity
325 protection only, 56 allows DES or other weak ciphers, 112
326 allows triple DES and other strong ciphers, 128 allows RC4,
327 Blowfish and other modern strong ciphers. The default is 0.
330 property specifies the maximum acceptable
331 .I security strength factor
332 as an integer (see minssf description). The default is INT_MAX.
335 property specifies the maximum security layer receive buffer
336 size allowed. 0 disables security layers. The default is 65536.
338 .B schemacheck { on | off }
339 Turn schema checking on or off. The default is on.
341 .B security <factors>
342 Specify a set of factors (separated by white space) to require.
343 An integer value is associated with each factor and is roughly
344 equivalent of the encryption key length to require. A value
345 of 112 is equivalent to 3DES, 128 to Blowfish, etc..
346 The directive may be specified globally and/or per-database.
348 specifies the overall security strength factor.
350 specifies the transport security strength factor.
352 specifies the TLS security strength factor.
354 specifies the SASL security strength factor.
356 specifies the overall security strength factor to require for
358 .B update_transport=<n>
359 specifies the transport security strength factor to require for
362 specifies the TLS security strength factor to require for
365 specifies the SASL security strength factor to require for
369 factor is measure of security provided by the underlying transport,
370 e.g. ldapi:// (and eventually IPSEC). It is not normally used.
372 .B sizelimit <integer>
373 Specify the maximum number of entries to return from a search operation.
374 The default size limit is 500.
377 Specify the srvtab file in which the kerberos keys necessary for
378 authenticating clients using kerberos can be found. This option is only
379 meaningful if you are using Kerberos authentication.
381 .B timelimit <integer>
382 Specify the maximum number of seconds (in real time)
383 require forward secrecy between sessions.
385 .B schemacheck { on | off }
386 Turn schema checking on or off. The default is on.
388 .B sizelimit <integer>
389 Specify the maximum number of entries to return from a search operation.
390 The default size limit is 500.
393 Specify the srvtab file in which the kerberos keys necessary for
394 authenticating clients using kerberos can be found. This option is only
395 meaningful if you are using Kerberos authentication.
397 .B timelimit <integer>
398 Specify the maximum number of seconds (in real time)
400 will spend answering a search request. The default time limit is 3600.
404 is build with support for Transport Layer Security, there are more options
407 .B TLSCipherSuite <cipher-suite-spec>
408 Permits configuring what ciphers will be accepted and the preference order.
409 <cipher-suite-spec> should be a cipher specification for OpenSSL. Example:
411 TLSCipherSuite HIGH:MEDIUM:+SSLv2
413 To check what ciphers a given spec selects, use:
415 openssl ciphers -v <cipher-suite-spec>
417 .B TLSCertificateFile <filename>
418 Specifies the file that contains the
422 .B TLSCertificateKeyFile <filename>
423 Specifies the file that contains the
425 server private key that matches the certificate stored in the
426 .B TLSCertificateFile
427 file. Currently, the private key must not be protected with a password, so
428 it is of critical importance that it is protected carefully.
429 .SH GENERAL BACKEND OPTIONS
430 Options in this section only apply to the configuration file section
431 for the backend in which they are defined. They are supported by every
434 .B database <databasetype>
435 Mark the beginning of a new database instance definition. <databasetype>
441 depending on which backend will serve the database.
446 will automatically maintain the
447 modifiersName, modifyTimestamp, creatorsName, and
448 createTimestamp attributes for entries. By default, lastmod is on.
451 This option puts the database into "read-only" mode. Any attempts to
452 modify the database will return an "unwilling to perform" error. By
453 default, readonly is off.
455 .B replica host=<hostname>[:port] [tls=yes|critical]
456 .B bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
457 .B [saslmech=<SASL mech>] [secopts=<options>] [realm=<realm>]
458 .B [authcId=<authentication ID>] [authcId=<authentication ID>]
460 Specify a replication site for this database. Refer to the "OpenLDAP
461 Administrator's Guide" for detailed information on setting up a replicated
471 and should only be used when adequate security services
472 (e.g TLS or IPSEC) are in place. A
480 will use Kerberos, a kerberos instance should be given in
484 .B replogfile <filename>
485 Specify the name of the replication log file to log changes to.
486 The replication log is typically written by
492 for more information.
495 Specify the distinguished name that is not subject to access control
496 or administrative limit restrictions for operations on this database.
497 This DN may or may not be associated with an entry. An empty root
498 DN (the default) specifies no root access is to be granted. It is
499 recommended that the rootdn only be specified when needed (such as
500 when initially populating a database). If the rootdn is within
501 a namingContext (suffix) of the database, a simple bind password
502 may also be provided using the
507 Specify a password (or hash of the password) for the rootdn. If
508 the rootdn is not within the namingContext of the database, the
509 provided password is ignored.
510 This option accepts all RFC 2307 userPassword formats known to
513 desription) as well as cleartext.
515 may be used to generate a hash of a password. Cleartext
516 and \fB{CRYPT}\fP passwords are not recommended. If empty
517 (the default), authentication of the root DN is by other means
518 (e.g. SASL). Use of SASL is encouraged.
520 .B suffix <dn suffix>
521 Specify the DN suffix of queries that will be passed to this
522 backend database. Multiple suffix lines can be given and at least one is
523 required for each database definition.
526 This option is only applicable in a slave
528 It specifies the DN allowed to make changes to the replica (typically,
531 binds as when making changes to the replica).
534 Specify the referral to pass back when
536 is asked to modify a replicated local database.
537 If specified multiple times, each url is provided.
538 .SH LDBM BACKEND-SPECIFIC OPTIONS
539 Options in this category only apply to the LDBM backend database. That is,
540 they must follow a "database ldbm" line and come before any subsequent
541 "database" lines. The LDBM backend is a high-performance database that
542 makes extensive use of indexing and caching to speed data access.
544 .B cachesize <integer>
545 Specify the size in entries of the in-memory cache maintained
546 by the LDBM backend database instance. The default is 1000 entries.
548 .B dbcachesize <integer>
549 Specify the size in bytes of the in-memory cache associated
550 with each open index file. If not supported by the underlying database
551 method, this option is ignored without comment. The default is 100000 bytes.
554 Specify that no database locking should be performed.
555 Enabling this option may improve performance at the expense of data security.
557 Specify that on-disk database contents should not be immediately
558 synchronized with in memory changes. Enabling this option may improve
559 performance at the expense of data security.
561 .B directory <directory>
562 Specify the directory where the LDBM files containing this database and
563 associated indexes live. A separate directory must be specified for
564 each database. The default is
565 .BR LOCALSTATEDIR/openldap-ldbm .
568 index {<attrlist>|default} [pres,eq,approx,sub,<special>]
569 Specify the indexes to maintain for the given attribute. If only
570 an <attr> is given, the indices specified for \fBdefault\fR
571 are maintained. A number of special index parameters may be
575 can be decomposed into
582 may be specified to allow use of this index by language subtypes.
585 may be specified to automatically maintain separate indices for each
589 may be specified to allow use of this index by named subtypes.
592 may be specified to automatically maintain separate indices for each
596 Specify the file protection mode that newly created database
597 index files should have. The default is 0600.
598 .SH SHELL BACKEND-SPECIFIC OPTIONS
599 Options in this category only apply to the SHELL backend database. That is,
600 they must follow a "database shell" line and come before any subsequent
601 "database" lines. The Shell backend executes external programs to
602 implement operations, and is designed to make it easy to tie an existing
613 .B compare <pathname>
623 .B abandon <pathname>
624 These options specify the pathname of the command to execute in response
625 to the given LDAP operation.
627 Note that you need only supply configuration lines for those commands you
628 want the backend to handle. Operations for which a command is not
629 supplied will be refused with an "unwilling to perform" error.
630 .SH PASSWORD BACKEND-SPECIFIC OPTIONS
631 Options in this category only apply to the PASSWD backend database.
632 That is, they must follow a "database passwd" line and come before any
633 subsequent "database" lines. The PASSWD database serves up the user
634 account information listed in the system
639 Specifies an alternate passwd file to use. The default is
642 "OpenLDAP Administrator's Guide" contains an annotated
643 example of a configuration file.
648 .BR slapd.replog (5),
655 .BR slappassword (8),
658 "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
661 is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
663 is derived from University of Michigan LDAP 3.3 Release.