1 .TH SLAPD.CONF 5 "23 August 2000" "OpenLDAP LDVERSION"
3 .\" Copyright 1998-2000 The OpenLDAP Foundation All Rights Reserved.
4 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
6 slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
12 contains configuration information for the
14 daemon. This configuration file is also used by the
16 replication daemon and by the SLAPD tools
24 file consists of a series of global configuration options that apply to
26 as a whole (including all backends), followed by zero or more database
27 backend definitions that contain information specific to a backend
35 # comment - these options apply to every database
36 <global configuration options>
37 # first database definition & configuration options
38 database <backend 1 type>
39 <configuration options specific to backend 1>
40 # subsequent database definitions & configuration options
44 As many backend-specific sections as desired may be included. Global
45 options can be overridden in a backend (for options that appear more
46 than once, the last appearance in the
48 file is used). Blank lines and comment lines beginning with a `#'
49 character are ignored. If a line begins with white space, it is
50 considered a continuation of the previous line.
52 Arguments on configuration lines are separated by white space. If an
53 argument contains white space, the argument should be enclosed in
54 double quotes. If an argument contains a double quote (`"') or a
55 backslash character (`\\'), the character should be preceded by a
58 The specific configuration options available are discussed below in the
59 Global Configuration Options, General Backend Options, LDBM
60 Backend-Specific Options, Shell Backend-Specific Options, and Password
61 Backend-Specific Options sections. Refer to the "OpenLDAP
62 Administrator's Guide" for more details on the slapd configuration
64 .SH GLOBAL CONFIGURATION OPTIONS
65 Options described in this section apply to all backends, unless specifically
66 overridden in a backend definition. Arguments that should be replaced by
67 actual text are shown in brackets <>.
69 .B access to <what> [ by <who> <access> <control> ]+
70 Grant access (specified by <access>) to a set of entries and/or
71 attributes (specified by <what>) by one or more requestors (specified
73 See the "OpenLDAP's Administrator's Guide" for details.
76 Specify a set of features (separated by white space) to
79 allows Start TLS to force session to anonymous status (see also
83 .B argsfile <filename>
84 The ( absolute ) name of a file that will hold the
86 server's command line options
87 if started without the debugging command line option.
90 .B attributetype (\ <oid> [NAME\ <name>] [OBSOLETE]\
91 [DESC\ <description>]\
92 [SUP\ <oid>] [EQUALITY\ <oid>] [ORDERING\ <oid>]\
93 [SUBSTR\ <oid>] [SYNTAX\ <oidlen>] [SINGLE\-VALUE] [COLLECTIVE]\
94 [NO\-USER\-MODIFICATION] [USAGE\ <attributeUsage>]\ )
96 Specify an attribute type using the LDAPv3 syntax defined in RFC 2252.
97 The slapd parser extends the RFC 2252 definition by allowing string
98 forms as well as numeric OIDs to be used for the attribute OID and
102 description.) Currently the syntax name parser is case-sensitive.
103 The known syntax names are:
107 AttributeTypeDescription Audio Binary BitString Certificate CertificateList
108 CertificatePair DN DeliveryMethod DirectoryString DITContentRuleDescription
109 DITStructureRuleDescription EnhancedGuide FacsimileTelephoneNumber
110 GeneralizedTime Guide IA5String Integer MatchingRuleDescription
111 MatchingRuleUseDescription MailPreference NameAndOptionalUUID
112 NameFormDescription NumericString ObjectClassDescription OID
113 OtherMailbox OctetString PostalAddress ProtocolInformation
114 PresentationAddress PrintableString SupportedAlgorithm TelephoneNumber
115 TeletexTerminalIdentifier TelexNumber UTCTime LDAPSyntaxDescription
116 SubstringAssertion NISnetgrouptriple Bootparameter
122 .B concurrency <integer>
123 Specify a desired level of concurrency. Provided to the underlying
124 thread system as a hint. The default is not to provdide any hint.
126 .B defaultaccess { none | auth | compare | search | read | write }
128 Specify the default access level to grant requestors when
129 no access directives were provided for the database.
130 The default behavior is to grant 'read' access. It is
133 directives be used instead.
136 .B defaultsearchbase <dn>
137 Specify a default search base to use when client submits a
138 non-base search request with an empty base DN.
140 .B disallow <features>
141 Specify a set of features (separated by white space) to
142 disallow (default none).
144 disables acceptance of LDAPv2 bind requests.
146 disables acceptance of anonymous bind requests.
148 disables anonymous bind creditials are not empty (e.g.
151 disables anonymous bind when DN is not empty.
153 disables simple (bind) authentication.
155 disables Kerberos V4 (bind) authentication.
157 disables StartTLS if authenticated (see also
161 .B idletimeout <integer>
162 Specify the number of seconds to wait before forcibly closing
163 an idle client connections. A idletimeout of 0 disables this
164 feature. The default is 0.
166 .B include <filename>
167 Read additional configuration information from the given file before
168 continuing with the next line of the current file.
170 .B loglevel <integer>
171 Specify the level at which debugging statements and operation
172 statistics should be syslogged (currently logged to the
174 LOG_LOCAL4 facility). Log levels are additive, and available levels
184 debug packet handling
187 heavy trace debugging
190 connection management
193 print out packets sent and received
196 search filter processing
199 configuration file processing
202 access control list processing
205 stats log connections/operations/results
208 stats log entries sent
211 print communication with shell backends
219 .B objectclass ( <oid> [NAME <name>] [DESC <description] [OBSOLETE]\
220 [SUP <oids>] [{ ABSTRACT | STRUCTURAL | AUXILIARY }] [MUST <oids>]\
223 Specify an objectclass using the LDAPv3 syntax defined in RFC 2252.
224 The slapd parser extends the RFC 2252 definition by allowing string
225 forms as well as numeric OIDs to be used for the object class OID.
229 description.) Object classes are "STRUCTURAL" by default.
232 .B objectidentifier <name> { <oid> | <name>[:<suffix>] }
233 Define a string name that equates to the given OID. The string can be used
234 in place of the numeric OID in objectclass and attribute definitions. The
235 name can also be used with a suffix of the form ":xx" in which case the
236 value "oid.xx" will be used.
238 .B pidfile <filename>
239 The ( absolute ) name of a file that will hold the
241 server's process ID ( see
243 ) if started without the debugging command line option.
245 .B password-hash <hash>
246 The <hash> to use for userPassword generation. One of
260 Specify the referral to pass back when
262 cannot find a local database to handle a request.
263 If specified multiple times, each url is provided.
265 .B require <conditions>
266 Specify a set of conditions (separated by white space) to
267 require (default none).
268 The directive may be specified globally and/or per-database.
270 requires bind operation prior to directory operations.
272 requires session to be using LDAP version 3.
274 requires authentication prior to directory operations.
276 requires SASL authentication prior to directory operations.
278 requires strong authentication prior to directory operations.
283 conditions are currently same.
285 may be used to require no conditions (useful for clearly globally
286 set conditions within a particular database).
289 Used to specify the fully qualified domain name used for SASL processing.
291 .B sasl-realm <string>
292 Used to specify Cyrus SASL realm.
294 .B sasl-secprops <properties>
295 Used to specify Cyrus SASL security properties.
298 flag (without any other properities) causes the flag properites
299 defaults ("noanonymous,noplain") to be cleared.
302 flag disables mechanisms susceptible to simple passive attacks.
305 flag disables mechanisms susceptible to active attacks.
308 flag disables mechanisms susceptible to passive dictionary attacks.
311 flag disables mechanisms which support anonymous login.
314 flag require forward secrecy between sessions.
317 require mechanisms which pass client credentials (and allow
318 mechanisms which can pass credentials to do so).
321 property specifies the minimum acceptable
322 .I security strength factor
323 as an integer approximate to effective key length used for
324 encryption. 0 (zero) implies no protection, 1 implies integrity
325 protection only, 56 allows DES or other weak ciphers, 112
326 allows triple DES and other strong ciphers, 128 allows RC4,
327 Blowfish and other modern strong ciphers. The default is 0.
330 property specifies the maximum acceptable
331 .I security strength factor
332 as an integer (see minssf description). The default is INT_MAX.
334 .B maxbufsize=<factor>
335 property specifies the maximum security layer receive buffer
336 size allowed. 0 disables security layers. The default is 65536.
338 .B saslregexp <match> <replace>
339 Used by the SASL authorization mechanism to convert a SASL authenticated
340 username to an LDAP DN. When an authorization request is received, the SASL
344 are taken, when available, and combined into a SASL name of the
349 .B uid=<UID>[+realm=<REALM>][,cn=<MECH>],cn=AUTHZ
352 This SASL name is then compared against the
354 regular expression, and if the match is successful, the SASL name is
357 string. If there are wildcard strings in the
359 regular expression that are enclosed in parenthesis, e.g.
367 then the portion of the SASL name that matched the wildcard will be stored
368 in the numbered placeholder variable $1. If there are other wildcard strings
369 in parenthesis, the matching strings will be in $2, $3, etc. up to $9. The
370 placeholders can then be used in the
376 .B cn=$1,ou=Accounts,dc=$2,dc=$4.
380 The replaced SASL name can be either a DN or an LDAP URI. If the latter, the slapd
381 server will use the URI to search its own database, and if the search returns
382 exactly one entry, the SASL name is replaced by the DN of that entry.
385 options can be given in the configuration file to allow for multiple matching
386 and replacement patterns. The matching patterns are checked in the order they
387 appear in the file, stopping at the first successful match.
390 Because the plus sign + is a character recognized by the regular expression engine,
391 and it will appear in SASL names that include a REALM, be careful to escape the
392 plus sign with a double backslash \\\\+ to remove the character's special meaning.
395 .B schemacheck { on | off }
396 Turn schema checking on or off. The default is on.
398 .B security <factors>
399 Specify a set of factors (separated by white space) to require.
400 An integer value is associated with each factor and is roughly
401 equivalent of the encryption key length to require. A value
402 of 112 is equivalent to 3DES, 128 to Blowfish, etc..
403 The directive may be specified globally and/or per-database.
405 specifies the overall security strength factor.
407 specifies the transport security strength factor.
409 specifies the TLS security strength factor.
411 specifies the SASL security strength factor.
413 specifies the overall security strength factor to require for
415 .B update_transport=<n>
416 specifies the transport security strength factor to require for
419 specifies the TLS security strength factor to require for
422 specifies the SASL security strength factor to require for
426 factor is measure of security provided by the underlying transport,
427 e.g. ldapi:// (and eventually IPSEC). It is not normally used.
429 .B sizelimit <integer>
430 Specify the maximum number of entries to return from a search operation.
431 The default size limit is 500.
434 Specify the srvtab file in which the kerberos keys necessary for
435 authenticating clients using kerberos can be found. This option is only
436 meaningful if you are using Kerberos authentication.
438 .B timelimit <integer>
439 Specify the maximum number of seconds (in real time)
440 require forward secrecy between sessions.
442 .B schemacheck { on | off }
443 Turn schema checking on or off. The default is on.
445 .B sizelimit <integer>
446 Specify the maximum number of entries to return from a search operation.
447 The default size limit is 500.
449 .B sasl-realm <realm>
450 Specify SASL realm. Default is empty.
452 .B sasl-secprops <props>
453 Cyrus SASL security properties. Default is "noanonymous,noplain".
456 Specify the srvtab file in which the kerberos keys necessary for
457 authenticating clients using kerberos can be found. This option is only
458 meaningful if you are using Kerberos authentication.
460 .B timelimit <integer>
461 Specify the maximum number of seconds (in real time)
463 will spend answering a search request. The default time limit is 3600.
467 is build with support for Transport Layer Security, there are more options
470 .B TLSCipherSuite <cipher-suite-spec>
471 Permits configuring what ciphers will be accepted and the preference order.
472 <cipher-suite-spec> should be a cipher specification for OpenSSL. Example:
474 TLSCipherSuite HIGH:MEDIUM:+SSLv2
476 To check what ciphers a given spec selects, use:
478 openssl ciphers -v <cipher-suite-spec>
480 .B TLSCertificateFile <filename>
481 Specifies the file that contains the
485 .B TLSCertificateKeyFile <filename>
486 Specifies the file that contains the
488 server private key that matches the certificate stored in the
489 .B TLSCertificateFile
490 file. Currently, the private key must not be protected with a password, so
491 it is of critical importance that it is protected carefully.
492 .SH GENERAL BACKEND OPTIONS
493 Options in this section only apply to the configuration file section
494 for the backend in which they are defined. They are supported by every
497 .B database <databasetype>
498 Mark the beginning of a new database instance definition. <databasetype>
504 depending on which backend will serve the database.
509 will automatically maintain the
510 modifiersName, modifyTimestamp, creatorsName, and
511 createTimestamp attributes for entries. By default, lastmod is on.
514 This option puts the database into "read-only" mode. Any attempts to
515 modify the database will return an "unwilling to perform" error. By
516 default, readonly is off.
518 .B replica host=<hostname>[:port] [tls=yes|critical]
519 .B bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
520 .B [saslmech=<SASL mech>] [secopts=<options>] [realm=<realm>]
521 .B [authcId=<authentication ID>] [authcId=<authentication ID>]
523 Specify a replication site for this database. Refer to the "OpenLDAP
524 Administrator's Guide" for detailed information on setting up a replicated
534 and should only be used when adequate security services
535 (e.g TLS or IPSEC) are in place. A
543 will use Kerberos, a kerberos instance should be given in
547 .B replogfile <filename>
548 Specify the name of the replication log file to log changes to.
549 The replication log is typically written by
555 for more information.
558 Specify the distinguished name that is not subject to access control
559 or administrative limit restrictions for operations on this database.
560 This DN may or may not be associated with an entry. An empty root
561 DN (the default) specifies no root access is to be granted. It is
562 recommended that the rootdn only be specified when needed (such as
563 when initially populating a database).
566 Specify a password (or hash of the password) for the rootdn.
567 This option accepts all RFC 2307 userPassword formats known to
570 desription) as well as cleartext.
572 may be used to generate a hash of a password. Cleartext
573 and \fB{CRYPT}\fP passwords are not recommended. If empty
574 (the default), authentication of the root DN is by other means
575 (e.g. SASL). Use of SASL is encouraged.
577 .B suffix <dn suffix>
578 Specify the DN suffix of queries that will be passed to this
579 backend database. Multiple suffix lines can be given and at least one is
580 required for each database definition.
583 This option is only applicable in a slave
585 It specifies the DN allowed to make changes to the replica (typically,
588 binds as when making changes to the replica).
591 Specify the referral to pass back when
593 is asked to modify a replicated local database.
594 If specified multiple times, each url is provided.
595 .SH LDBM BACKEND-SPECIFIC OPTIONS
596 Options in this category only apply to the LDBM backend database. That is,
597 they must follow a "database ldbm" line and come before any subsequent
598 "database" lines. The LDBM backend is a high-performance database that
599 makes extensive use of indexing and caching to speed data access.
601 .B cachesize <integer>
602 Specify the size in entries of the in-memory cache maintained
603 by the LDBM backend database instance. The default is 1000 entries.
605 .B dbcachesize <integer>
606 Specify the size in bytes of the in-memory cache associated
607 with each open index file. If not supported by the underlying database
608 method, this option is ignored without comment. The default is 100000 bytes.
611 Specify that no database locking should be performed.
612 Enabling this option may improve performance at the expense of data security.
614 Specify that on-disk database contents should not be immediately
615 synchronized with in memory changes. Enabling this option may improve
616 performance at the expense of data security.
618 .B directory <directory>
619 Specify the directory where the LDBM files containing this database and
620 associated indexes live. A separate directory must be specified for
621 each database. The default is
622 .BR LOCALSTATEDIR/openldap-ldbm .
625 index {<attrlist>|default} [pres,eq,approx,sub,<special>]
626 Specify the indexes to maintain for the given attribute. If only
627 an <attr> is given, the indices specified for \fBdefault\fR
628 are maintained. A number of special index parameters may be
632 can be decomposed into
639 may be specified to allow use of this index by language subtypes.
642 may be specified to automatically maintain separate indices for each
646 may be specified to allow use of this index by named subtypes.
649 may be specified to automatically maintain separate indices for each
653 Specify the file protection mode that newly created database
654 index files should have. The default is 0600.
655 .SH SHELL BACKEND-SPECIFIC OPTIONS
656 Options in this category only apply to the SHELL backend database. That is,
657 they must follow a "database shell" line and come before any subsequent
658 "database" lines. The Shell backend executes external programs to
659 implement operations, and is designed to make it easy to tie an existing
670 .B compare <pathname>
680 .B abandon <pathname>
681 These options specify the pathname of the command to execute in response
682 to the given LDAP operation.
684 Note that you need only supply configuration lines for those commands you
685 want the backend to handle. Operations for which a command is not
686 supplied will be refused with an "unwilling to perform" error.
687 .SH PASSWORD BACKEND-SPECIFIC OPTIONS
688 Options in this category only apply to the PASSWD backend database.
689 That is, they must follow a "database passwd" line and come before any
690 subsequent "database" lines. The PASSWD database serves up the user
691 account information listed in the system
696 Specifies an alternate passwd file to use. The default is
699 "OpenLDAP Administrator's Guide" contains an annotated
700 example of a configuration file.
705 .BR slapd.replog (5),
712 .BR slappassword (8),
715 "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
718 is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
720 is derived from University of Michigan LDAP 3.3 Release.