1 .TH SLAPD.CONF 5 "20 August 2000" "OpenLDAP LDVERSION"
3 .\" Copyright 1998-2000 The OpenLDAP Foundation All Rights Reserved.
4 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
6 slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
12 contains configuration information for the
14 daemon. This configuration file is also used by the
16 replication daemon and by the SLAPD tools
24 file consists of a series of global configuration options that apply to
26 as a whole (including all backends), followed by zero or more database
27 backend definitions that contain information specific to a backend
35 # comment - these options apply to every database
36 <global configuration options>
37 # first database definition & configuration options
38 database <backend 1 type>
39 <configuration options specific to backend 1>
40 # subsequent database definitions & configuration options
44 As many backend-specific sections as desired may be included. Global
45 options can be overridden in a backend (for options that appear more
46 than once, the last appearance in the
48 file is used). Blank lines and comment lines beginning with a `#'
49 character are ignored. If a line begins with white space, it is
50 considered a continuation of the previous line.
52 Arguments on configuration lines are separated by white space. If an
53 argument contains white space, the argument should be enclosed in
54 double quotes. If an argument contains a double quote (`"') or a
55 backslash character (`\\'), the character should be preceded by a
58 The specific configuration options available are discussed below in the
59 Global Configuration Options, General Backend Options, LDBM
60 Backend-Specific Options, Shell Backend-Specific Options, and Password
61 Backend-Specific Options sections. Refer to the "OpenLDAP
62 Administrator's Guide" for more details on the slapd configuration
64 .SH GLOBAL CONFIGURATION OPTIONS
65 Options described in this section apply to all backends, unless specifically
66 overridden in a backend definition. Arguments that should be replaced by
67 actual text are shown in brackets <>.
69 .B access to <what> [ by <who> <access> <control> ]+
70 Grant access (specified by <access>) to a set of entries and/or
71 attributes (specified by <what>) by one or more requestors (specified
73 See the "OpenLDAP's Administrator's Guide" for details.
75 .B argsfile <filename>
76 The ( absolute ) name of a file that will hold the
78 server's command line options
79 if started without the debugging command line option.
82 .B attributetype (\ <oid> [NAME\ <name>] [OBSOLETE]\
83 [DESC\ <description>]\
84 [SUP\ <oid>] [EQUALITY\ <oid>] [ORDERING\ <oid>]\
85 [SUBSTR\ <oid>] [SYNTAX\ <oidlen>] [SINGLE\-VALUE] [COLLECTIVE]\
86 [NO\-USER\-MODIFICATION] [USAGE\ <attributeUsage>]\ )
88 Specify an attribute type using the LDAPv3 syntax defined in RFC 2252.
89 The slapd parser extends the RFC 2252 definition by allowing string
90 forms as well as numeric OIDs to be used for the attribute OID and
94 description.) Currently the syntax name parser is case-sensitive.
95 The known syntax names are:
99 AttributeTypeDescription Audio Binary BitString Certificate CertificateList
100 CertificatePair DN DeliveryMethod DirectoryString DITContentRuleDescription
101 DITStructureRuleDescription EnhancedGuide FacsimileTelephoneNumber
102 GeneralizedTime Guide IA5String Integer MatchingRuleDescription
103 MatchingRuleUseDescription MailPreference NameAndOptionalUUID
104 NameFormDescription NumericString ObjectClassDescription OID
105 OtherMailbox OctetString PostalAddress ProtocolInformation
106 PresentationAddress PrintableString SupportedAlgorithm TelephoneNumber
107 TeletexTerminalIdentifier TelexNumber UTCTime LDAPSyntaxDescription
108 SubstringAssertion NISnetgrouptriple Bootparameter
114 .B concurrency <integer>
115 Specify a desired level of concurrency. Provided to the underlying
116 thread system as a hint. The default is not to provdide any hint.
118 .B defaultaccess { none | auth | compare | search | read | write }
120 Specify the default access level to grant requestors when
121 no access directives were provided for the database.
122 The default behavior is to grant 'read' access. It is
125 directives be used instead.
128 .B idletimeout <integer>
129 Specify the number of seconds to wait before forcibly closing
130 an idle client connections. A idletimeout of 0 disables this
131 feature. The default is 0.
133 .B include <filename>
134 Read additional configuration information from the given file before
135 continuing with the next line of the current file.
137 .B loglevel <integer>
138 Specify the level at which debugging statements and operation
139 statistics should be syslogged (currently logged to the
141 LOG_LOCAL4 facility). Log levels are additive, and available levels
151 debug packet handling
154 heavy trace debugging
157 connection management
160 print out packets sent and received
163 search filter processing
166 configuration file processing
169 access control list processing
172 stats log connections/operations/results
175 stats log entries sent
178 print communication with shell backends
186 .B objectclass ( <oid> [NAME <name>] [DESC <description] [OBSOLETE]\
187 [SUP <oids>] [{ ABSTRACT | STRUCTURAL | AUXILIARY }] [MUST <oids>]\
190 Specify an objectclass using the LDAPv3 syntax defined in RFC 2252.
191 The slapd parser extends the RFC 2252 definition by allowing string
192 forms as well as numeric OIDs to be used for the object class OID.
196 description.) Object classes are "STRUCTURAL" by default.
199 .B objectidentifier <name> { <oid> | <name>[:<suffix>] }
200 Define a string name that equates to the given OID. The string can be used
201 in place of the numeric OID in objectclass and attribute definitions. The
202 name can also be used with a suffix of the form ":xx" in which case the
203 value "oid.xx" will be used.
205 .B pidfile <filename>
206 The ( absolute ) name of a file that will hold the
208 server's process ID ( see
210 ) if started without the debugging command line option.
212 .B password-hash <hash>
213 The <hash> to use for userPassword generation. One of
227 Specify the referral to pass back when
229 cannot find a local database to handle a request.
230 If specified multiple times, each url is provided.
232 .B sasl-realm <string>
233 Used to specify Cyrus SASL realm.
235 .B sasl-secprops <string>
236 Used to specify Cyrus SASL security properties.
238 .B schemacheck { on | off }
239 Turn schema checking on or off. The default is on.
241 .B sizelimit <integer>
242 Specify the maximum number of entries to return from a search operation.
243 The default size limit is 500.
245 .B sasl-realm <realm>
246 Specify SASL realm. Default is empty.
248 .B sasl-secprops <props>
249 Cyrus SASL security properties. Default is "noanonymous,noplain".
252 Specify the srvtab file in which the kerberos keys necessary for
253 authenticating clients using kerberos can be found. This option is only
254 meaningful if you are using Kerberos authentication.
256 .B timelimit <integer>
257 Specify the maximum number of seconds (in real time)
259 will spend answering a search request. The default time limit is 3600.
263 is build with support for Transport Layer Security, there are more options
266 .B TLSCipherSuite <cipher-suite-spec>
267 Permits configuring what ciphers will be accepted and the preference order.
268 <cipher-suite-spec> should be a cipher specification for OpenSSL. Example:
270 TLSCipherSuite HIGH:MEDIUM:+SSLv2
272 To check what ciphers a given spec selects, use:
274 openssl ciphers -v <cipher-suite-spec>
276 .B TLSCertificateFile <filename>
277 Specifies the file that contains the
281 .B TLSCertificateKeyFile <filename>
282 Specifies the file that contains the
284 server private key that matches the certificate stored in the
285 .B TLSCertificateFile
286 file. Currently, the private key must not be protected with a password, so
287 it is of critical importance that it is protected carefully.
288 .SH GENERAL BACKEND OPTIONS
289 Options in this section only apply to the configuration file section
290 for the backend in which they are defined. They are supported by every
293 .B database <databasetype>
294 Mark the beginning of a new database instance definition. <databasetype>
300 depending on which backend will serve the database.
305 will automatically maintain the
306 modifiersName, modifyTimestamp, creatorsName, and
307 createTimestamp attributes for entries. By default, lastmod is on.
310 This option puts the database into "read-only" mode. Any attempts to
311 modify the database will return an "unwilling to perform" error. By
312 default, readonly is off.
314 .B replica host=<hostname>[:port] bindmethod=simple|sasl
315 .B [binddn=<simple DN>] [credentials=<simple password>]
316 .B [saslmech=<SASL mech>] [authcId=<authentication ID>]
318 Specify a replication site for this database. Refer to the "OpenLDAP
319 Administrator's Guide" for detailed information on setting up a replicated
329 and should only be used when adequate security services
330 (e.g TLS or IPSEC) are in place. A
338 will use Kerberos, a kerberos instance should be given in
342 .B replogfile <filename>
343 Specify the name of the replication log file to log changes to.
344 The replication log is typically written by
350 for more information.
353 Specify the distinguished name that is not subject to access control
354 or administrative limit restrictions for operations on this database.
355 This DN may or may not be associated with an entry. An empty root
356 DN, the default, specifies no root access is to be granted.
359 Specify a password (or hash of the password) for the rootdn.
360 This option accepts all RFC 2307 userPassword formats known to
363 desription) as well as cleartext.
365 may be used to generate a hash of a password. Cleartext
366 and \fB{CRYPT}\fP passwords are not recommended. The default
367 is empty imply authentication of the root DN is by other means
368 (e.g. SASL). Use of SASL is encouraged.
370 .B suffix <dn suffix>
371 Specify the DN suffix of queries that will be passed to this
372 backend database. Multiple suffix lines can be given and at least one is
373 required for each database definition.
376 This option is only applicable in a slave
378 It specifies the DN allowed to make changes to the replica (typically,
381 binds as when making changes to the replica).
384 Specify the referral to pass back when
386 is asked to modify a replicated local database.
387 If specified multiple times, each url is provided.
388 .SH LDBM BACKEND-SPECIFIC OPTIONS
389 Options in this category only apply to the LDBM backend database. That is,
390 they must follow a "database ldbm" line and come before any subsequent
391 "database" lines. The LDBM backend is a high-performance database that
392 makes extensive use of indexing and caching to speed data access.
394 .B cachesize <integer>
395 Specify the size in entries of the in-memory cache maintained
396 by the LDBM backend database instance. The default is 1000 entries.
398 .B dbcachesize <integer>
399 Specify the size in bytes of the in-memory cache associated
400 with each open index file. If not supported by the underlying database
401 method, this option is ignored without comment. The default is 100000 bytes.
404 Specify that no database locking should be performed.
405 Enabling this option may improve performance at the expense of data security.
407 Specify that on-disk database contents should not be immediately
408 synchronized with in memory changes. Enabling this option may improve
409 performance at the expense of data security.
411 .B directory <directory>
412 Specify the directory where the LDBM files containing this database and
413 associated indexes live. A separate directory must be specified for
414 each database. The default is
415 .BR LOCALSTATEDIR/openldap-ldbm .
418 index {<attrlist>|default} [pres,eq,approx,sub,<special>]
419 Specify the indexes to maintain for the given attribute. If only
420 an <attr> is given, the indices specified for \fBdefault\fR
421 are maintained. A number of special index parameters may be
425 can be decomposed into
432 may be specified to allow use of this index by language subtypes.
435 may be specified to automatically maintain separate indices for each
439 may be specified to allow use of this index by named subtypes.
442 may be specified to automatically maintain separate indices for each
446 Specify the file protection mode that newly created database
447 index files should have. The default is 0600.
448 .SH SHELL BACKEND-SPECIFIC OPTIONS
449 Options in this category only apply to the SHELL backend database. That is,
450 they must follow a "database shell" line and come before any subsequent
451 "database" lines. The Shell backend executes external programs to
452 implement operations, and is designed to make it easy to tie an existing
463 .B compare <pathname>
473 .B abandon <pathname>
474 These options specify the pathname of the command to execute in response
475 to the given LDAP operation.
477 Note that you need only supply configuration lines for those commands you
478 want the backend to handle. Operations for which a command is not
479 supplied will be refused with an "unwilling to perform" error.
480 .SH PASSWORD BACKEND-SPECIFIC OPTIONS
481 Options in this category only apply to the PASSWD backend database.
482 That is, they must follow a "database passwd" line and come before any
483 subsequent "database" lines. The PASSWD database serves up the user
484 account information listed in the system
489 Specifies an alternate passwd file to use. The default is
492 "OpenLDAP Administrator's Guide" contains an annotated
493 example of a configuration file.
498 .BR slapd.replog (5),
505 .BR slappassword (8),
508 "OpenLDAP Administrator's Guide"
511 is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
513 is derived from University of Michigan LDAP 3.3 Release.