1 .TH SLAPD.CONF 5 "20 August 2000" "OpenLDAP LDVERSION"
3 .\" Copyright 1998-2000 The OpenLDAP Foundation All Rights Reserved.
4 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
6 slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
12 contains configuration information for the
14 daemon. This configuration file is also used by the
16 replication daemon and by the SLAPD tools
24 file consists of a series of global configuration options that apply to
26 as a whole (including all backends), followed by zero or more database
27 backend definitions that contain information specific to a backend
35 # comment - these options apply to every database
36 <global configuration options>
37 # first database definition & configuration options
38 database <backend 1 type>
39 <configuration options specific to backend 1>
40 # subsequent database definitions & configuration options
44 As many backend-specific sections as desired may be included. Global
45 options can be overridden in a backend (for options that appear more
46 than once, the last appearance in the
48 file is used). Blank lines and comment lines beginning with a `#'
49 character are ignored. If a line begins with white space, it is
50 considered a continuation of the previous line.
52 Arguments on configuration lines are separated by white space. If an
53 argument contains white space, the argument should be enclosed in
54 double quotes. If an argument contains a double quote (`"') or a
55 backslash character (`\\'), the character should be preceded by a
58 The specific configuration options available are discussed below in the
59 Global Configuration Options, General Backend Options, LDBM
60 Backend-Specific Options, Shell Backend-Specific Options, and Password
61 Backend-Specific Options sections. Refer to the "OpenLDAP
62 Administrator's Guide" for more details on the slapd configuration
64 .SH GLOBAL CONFIGURATION OPTIONS
65 Options described in this section apply to all backends, unless specifically
66 overridden in a backend definition. Arguments that should be replaced by
67 actual text are shown in brackets <>.
69 .B access to <what> [ by <who> <access> <control> ]+
70 Grant access (specified by <access>) to a set of entries and/or
71 attributes (specified by <what>) by one or more requestors (specified
73 See the "OpenLDAP's Administrator's Guide" for details.
75 .B argsfile <filename>
76 The ( absolute ) name of a file that will hold the
78 server's command line options
79 if started without the debugging command line option.
82 .B attributetype (\ <oid> [NAME\ <name>] [OBSOLETE]\
83 [DESC\ <description>]\
84 [SUP\ <oid>] [EQUALITY\ <oid>] [ORDERING\ <oid>]\
85 [SUBSTR\ <oid>] [SYNTAX\ <oidlen>] [SINGLE\-VALUE] [COLLECTIVE]\
86 [NO\-USER\-MODIFICATION] [USAGE\ <attributeUsage>]\ )
88 Specify an attribute type using the LDAPv3 syntax defined in RFC 2252.
89 The slapd parser extends the RFC 2252 definition by allowing string
90 forms as well as numeric OIDs to be used for the attribute OID and
94 description.) Currently the syntax name parser is case-sensitive.
95 The known syntax names are:
99 AttributeTypeDescription Audio Binary BitString Certificate CertificateList
100 CertificatePair DN DeliveryMethod DirectoryString DITContentRuleDescription
101 DITStructureRuleDescription EnhancedGuide FacsimileTelephoneNumber
102 GeneralizedTime Guide IA5String Integer MatchingRuleDescription
103 MatchingRuleUseDescription MailPreference NameAndOptionalUUID
104 NameFormDescription NumericString ObjectClassDescription OID
105 OtherMailbox OctetString PostalAddress ProtocolInformation
106 PresentationAddress PrintableString SupportedAlgorithm TelephoneNumber
107 TeletexTerminalIdentifier TelexNumber UTCTime LDAPSyntaxDescription
108 SubstringAssertion NISnetgrouptriple Bootparameter
114 .B concurrency <integer>
115 Specify a desired level of concurrency. Provided to the underlying
116 thread system as a hint. The default is not to provdide any hint.
118 .B defaultaccess { none | auth | compare | search | read | write }
120 Specify the default access level to grant requestors when
121 no access directives were provided for the database.
122 The default behavior is to grant 'read' access. It is
125 directives be used instead.
128 .B idletimeout <integer>
129 Specify the number of seconds to wait before forcibly closing
130 an idle client connections. A idletimeout of 0 disables this
131 feature. The default is 0.
133 .B include <filename>
134 Read additional configuration information from the given file before
135 continuing with the next line of the current file.
137 .B loglevel <integer>
138 Specify the level at which debugging statements and operation
139 statistics should be syslogged (currently logged to the
141 LOG_LOCAL4 facility). Log levels are additive, and available levels
151 debug packet handling
154 heavy trace debugging
157 connection management
160 print out packets sent and received
163 search filter processing
166 configuration file processing
169 access control list processing
172 stats log connections/operations/results
175 stats log entries sent
178 print communication with shell backends
186 .B objectclass ( <oid> [NAME <name>] [DESC <description] [OBSOLETE]\
187 [SUP <oids>] [{ ABSTRACT | STRUCTURAL | AUXILIARY }] [MUST <oids>]\
190 Specify an objectclass using the LDAPv3 syntax defined in RFC 2252.
191 The slapd parser extends the RFC 2252 definition by allowing string
192 forms as well as numeric OIDs to be used for the object class OID.
196 description.) Object classes are "STRUCTURAL" by default.
199 .B objectidentifier <name> { <oid> | <name>[:<suffix>] }
200 Define a string name that equates to the given OID. The string can be used
201 in place of the numeric OID in objectclass and attribute definitions. The
202 name can also be used with a suffix of the form ":xx" in which case the
203 value "oid.xx" will be used.
205 .B pidfile <filename>
206 The ( absolute ) name of a file that will hold the
208 server's process ID ( see
210 ) if started without the debugging command line option.
212 .B password-hash <hash>
213 The <hash> to use for userPassword generation. One of
227 Specify the referral to pass back when
229 cannot find a local database to handle a request.
230 If specified multiple times, each url is provided.
232 .B sasl-realm <string>
233 Used to specify Cyrus SASL realm.
235 .B sasl-secprops <string>
236 Used to specify Cyrus SASL security properties.
238 .B schemacheck { on | off }
239 Turn schema checking on or off. The default is on.
241 .B sizelimit <integer>
242 Specify the maximum number of entries to return from a search operation.
243 The default size limit is 500.
246 Specify the srvtab file in which the kerberos keys necessary for
247 authenticating clients using kerberos can be found. This option is only
248 meaningful if you are using Kerberos authentication.
250 .B timelimit <integer>
251 Specify the maximum number of seconds (in real time)
253 will spend answering a search request. The default time limit is 3600.
257 is build with support for Transport Layer Security, there are more options
260 .B TLSCipherSuite <cipher-suite-spec>
261 Permits configuring what ciphers will be accepted and the preference order.
262 <cipher-suite-spec> should be a cipher specification for OpenSSL. Example:
264 TLSCipherSuite HIGH:MEDIUM:+SSLv2
266 To check what ciphers a given spec selects, use:
268 openssl ciphers -v <cipher-suite-spec>
270 .B TLSCertificateFile <filename>
271 Specifies the file that contains the
275 .B TLSCertificateKeyFile <filename>
276 Specifies the file that contains the
278 server private key that matches the certificate stored in the
279 .B TLSCertificateFile
280 file. Currently, the private key must not be protected with a password, so
281 it is of critical importance that it is protected carefully.
282 .SH GENERAL BACKEND OPTIONS
283 Options in this section only apply to the configuration file section
284 for the backend in which they are defined. They are supported by every
287 .B database <databasetype>
288 Mark the beginning of a new database instance definition. <databasetype>
294 depending on which backend will serve the database.
299 will automatically maintain the
300 modifiersName, modifyTimestamp, creatorsName, and
301 createTimestamp attributes for entries. By default, lastmod is on.
304 This option puts the database into "read-only" mode. Any attempts to
305 modify the database will return an "unwilling to perform" error. By
306 default, readonly is off.
308 .B replica host=<hostname>[:port] bindmethod=simple|sasl
309 .B [binddn=<simple DN>] [credentials=<simple password>]
310 .B [saslmech=<SASL mech>] [authcId=<authentication ID>]
312 Specify a replication site for this database. Refer to the "OpenLDAP
313 Administrator's Guide" for detailed information on setting up a replicated
323 and should only be used when adequate security services
324 (e.g TLS or IPSEC) are in place. A
332 will use Kerberos, a kerberos instance should be given in
336 .B replogfile <filename>
337 Specify the name of the replication log file to log changes to.
338 The replication log is typically written by
344 for more information.
347 Specify the distinguished name that is not subject to access control
348 or administrative limit restrictions for operations on this database.
349 This DN may or may not be associated with an entry. An empty root
350 DN, the default, specifies no root access is to be granted.
353 Specify a password (or hash of the password) for the rootdn.
354 This option accepts all RFC 2307 userPassword formats known to
357 desription) as well as cleartext.
359 may be used to generate a hash of a password. Cleartext
360 and \fB{CRYPT}\fP passwords are not recommended. The default
361 is empty imply authentication of the root DN is by other means
362 (e.g. SASL). Use of SASL is encouraged.
364 .B suffix <dn suffix>
365 Specify the DN suffix of queries that will be passed to this
366 backend database. Multiple suffix lines can be given and at least one is
367 required for each database definition.
370 This option is only applicable in a slave
372 It specifies the DN allowed to make changes to the replica (typically,
375 binds as when making changes to the replica).
378 Specify the referral to pass back when
380 is asked to modify a replicated local database.
381 If specified multiple times, each url is provided.
382 .SH LDBM BACKEND-SPECIFIC OPTIONS
383 Options in this category only apply to the LDBM backend database. That is,
384 they must follow a "database ldbm" line and come before any subsequent
385 "database" lines. The LDBM backend is a high-performance database that
386 makes extensive use of indexing and caching to speed data access.
388 .B cachesize <integer>
389 Specify the size in entries of the in-memory cache maintained
390 by the LDBM backend database instance. The default is 1000 entries.
392 .B dbcachesize <integer>
393 Specify the size in bytes of the in-memory cache associated
394 with each open index file. If not supported by the underlying database
395 method, this option is ignored without comment. The default is 100000 bytes.
398 Specify that no database locking should be performed.
399 Enabling this option may improve performance at the expense of data security.
401 Specify that on-disk database contents should not be immediately
402 synchronized with in memory changes. Enabling this option may improve
403 performance at the expense of data security.
405 .B directory <directory>
406 Specify the directory where the LDBM files containing this database and
407 associated indexes live. A separate directory must be specified for
408 each database. The default is
409 .BR LOCALSTATEDIR/openldap-ldbm .
412 index { <attrlist> | default } [ pres,eq,approx,sub,none ]
413 Specify the indexes to maintain for the given attribute. If only
414 an <attr> is given, the indices specified for \fBdefault\fR
418 Specify the file protection mode that newly created database
419 index files should have. The default is 0600.
420 .SH SHELL BACKEND-SPECIFIC OPTIONS
421 Options in this category only apply to the SHELL backend database. That is,
422 they must follow a "database shell" line and come before any subsequent
423 "database" lines. The Shell backend executes external programs to
424 implement operations, and is designed to make it easy to tie an existing
435 .B compare <pathname>
445 .B abandon <pathname>
446 These options specify the pathname of the command to execute in response
447 to the given LDAP operation.
449 Note that you need only supply configuration lines for those commands you
450 want the backend to handle. Operations for which a command is not
451 supplied will be refused with an "unwilling to perform" error.
452 .SH PASSWORD BACKEND-SPECIFIC OPTIONS
453 Options in this category only apply to the PASSWD backend database.
454 That is, they must follow a "database passwd" line and come before any
455 subsequent "database" lines. The PASSWD database serves up the user
456 account information listed in the system
461 Specifies an alternate passwd file to use. The default is
464 "OpenLDAP Administrator's Guide" contains an annotated
465 example of a configuration file.
470 .BR slapd.replog (5),
477 .BR slappassword (8),
480 "OpenLDAP Administrator's Guide"
483 is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
485 is derived from University of Michigan LDAP 3.3 Release.