1 .TH SLAPD.CONF 5 "20 January 1999" "OpenLDAP LDVERSION"
3 slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
9 contains configuration information for the
11 daemon. This configuration file is also used by the
13 replication daemon and by the LDBM indexing utilities
16 .BR ldif2id2entry (8),
18 .BR ldif2id2children (8).
22 file consists of a series of global configuration options that apply to
24 as a whole (including all backends), followed by zero or more database
25 backend definitions that contain information specific to a backend
33 # comment - these options apply to every database
34 <global configuration options>
35 # first database definition & configuration options
36 database <backend 1 type>
37 <configuration options specific to backend 1>
38 # subsequent database definitions & configuration options
42 As many backend-specific sections as desired may be included. Global
43 options can be overridden in a backend (for options that appear more
44 than once, the last appearance in the
46 file is used). Blank lines and comment lines beginning with a `#'
47 character are ignored. If a line begins with white space, it is
48 considered a continuation of the previous line.
50 Arguments on configuration lines are separated by white space. If an
51 argument contains white space, the argument should be enclosed in
52 double quotes. If an argument contains a double quote (`"') or a
53 backslash character (`\\'), the character should be preceded by a
56 The specific configuration options available are discussed below in the
57 Global Configuration Options, General Backend Options, LDBM
58 Backend-Specific Options, Shell Backend-Specific Options, and Password
59 Backend-Specific Options sections. Refer to "The SLAPD and SLURPD
60 Administrator's Guide" for more details on the slapd configuration
62 .SH GLOBAL CONFIGURATION OPTIONS
63 Options described in this section apply to all backends, unless specifically
64 overridden in a backend definition. Arguments that should be replaced by
65 actual text are shown in brackets <>.
68 access to <what> [ by <who> <accesslevel> ]+
69 Grant access (specified by <accesslevel>) to a set of entries and/or
70 attributes (specified by <what>) by one or more requestors (specified
71 by <who>). Refer to "The SLAPD and SLURPD Administrator's Guide" for
72 information on using the
74 access-control mechanisms.
77 attribute <name> [<name2>] { bin | ces | cis | tel | dn }
78 Associate a syntax with an attribute name. By default, an
79 attribute is assumed to have syntax
81 An optional alternate name can be
82 given for an attribute. The possible syntaxes and their meanings are:
97 telephone number string
106 defaultaccess [self]{ none | compare | search | read | write }
107 Specify the default access to grant requestors not matched by
108 any other access line. The default behavior is to grant read access.
110 .B idletimeout <integer>
111 Specify the number of seconds to wait before forcibly closing
112 an idle client connections. A idletimeout of 0 disables this
113 feature. The default is 0.
115 .B include <filename>
116 Read additional configuration information from the given file before
117 continuing with the next line of the current file.
119 .B pidfile <filename>
120 The ( absolute ) name of a file that will hold the
122 server's process ID ( see
124 ) if started without the debugging command line option.
126 .B argsfile <filename>
127 The ( absolute ) name of a file that will hold the
129 server's command line options
130 if started without the debugging command line option.
133 locale { <locale-name> | on | off }
134 Obey <locale-name>'s character classification and case conversion; i.e. the
136 LC_CTYPE category. See
138 for details about locales. "on" takes the locale from the environment,
139 typically $LANG or $LC_CTYPE, and will only work properly if slapd will
140 run with the same environment variables as when the database was
141 generated. "off" (the default setting) resets to the initial "C" locale.
143 .B loglevel <integer>
144 Specify the level at which debugging statements and operation
145 statistics should be syslogged (currently logged to the
147 LOG_LOCAL4 facility). Log levels are additive, and available levels
157 debug packet handling
160 heavy trace debugging
163 connection management
166 print out packets sent and received
169 search filter processing
172 configuration file processing
175 access control list processing
178 stats log connections/operations/results
181 stats log entries sent
184 print communication with shell backends
193 objectclass <name> requires <attrs> allows <attrs>
194 Define the schema rules for the object class named <name>. These are
195 used in conjunction with the schemacheck option.
198 Specify the referral to pass back when
200 cannot find a local database to handle a request.
201 If specified multiple times, each url is provided.
203 .B schemacheck { on | off }
204 Turn schema checking on or off. The default is on.
206 .B sizelimit <integer>
207 Specify the maximum number of entries to return from a search operation.
208 The default size limit is 500.
211 Specify the srvtab file in which the kerberos keys necessary for
212 authenticating clients using kerberos can be found. This option is only
213 meaningful if you are using Kerberos authentication.
215 .B timelimit <integer>
216 Specify the maximum number of seconds (in real time)
218 will spend answering a search request. The default time limit is 3600.
222 is build with support for Transport Layer Security, there are more options
225 .B TLSCipherSuite <cipher-suite-spec>
226 Permits configuring what ciphers will be accepted and the preference order.
227 <cipher-suite-spec> should be a cipher specification for OpenSSL. Example:
229 TLSCipherSuite HIGH:MEDIUM:+SSLv2
231 To check what ciphers a given spec selects, use:
233 openssl ciphers -v <cipher-suite-spec>
235 .B TLSCertificateFile <filename>
236 Specifies the file that contains the
240 .B TLSCertificateKeyFile <filename>
241 Specifies the file that contains the
243 server private key that matches the certificate stored in the
244 .B TLSCertificateFile
245 file. Currently, the private key must not be protected with a password, so
246 it is of critical importance that it is protected carefully.
247 .SH GENERAL BACKEND OPTIONS
248 Options in this section only apply to the configuration file section
249 for the backend in which they are defined. They are supported by every
252 .B database <databasetype>
253 Mark the beginning of a new database instance definition. <databasetype>
259 depending on which backend will serve the database.
264 will automatically maintain the
265 modifiersName, modifyTimestamp, creatorsName, and
266 createTimestamp attributes for entries. By default, lastmod is off.
269 This option puts the database into "read-only" mode. Any attempts to
270 modify the database will return an "unwilling to perform" error. By
271 default, readonly is off.
274 replica host=<hostname>[:port] "binddn=<DN>" bindmethod=simple |
276 kerberos [credentials=<password>] [srvtab=<filename>]
278 Specify a replication site for this database. Refer to "The SLAPD and
279 SLURPD Administrator's Guide" for detailed information on setting up
284 .B replogfile <filename>
285 Specify the name of the replication log file to log changes to.
286 The replication log is typically written by
292 for more information.
295 Specify the DN of an entry that is not subject to access control
296 or administrative limit restrictions for operations on this database.
299 Specify a password (or hash of the password) for the rootdn.
300 This option accepts all password formats known to the server
301 including \fB{SHA}\fP, \fB{MD5}\fP, \fB{CRYPT}\fP, and cleartext.
302 Cleartext passwords are not recommended.
304 .B suffix <dn suffix>
305 Specify the DN suffix of queries that will be passed to this
306 backend database. Multiple suffix lines can be given and at least one is
307 required for each database definition.
310 This option is only applicable in a slave
312 It specifies the DN allowed to make changes to the replica (typically,
315 binds as when making changes to the replica).
318 Specify the referral to pass back when
320 is asked to modify a replicated local database.
321 If specified multiple times, each url is provided.
322 .SH LDBM BACKEND-SPECIFIC OPTIONS
323 Options in this category only apply to the LDBM backend database. That is,
324 they must follow a "database ldbm" line and come before any subsequent
325 "database" lines. The LDBM backend is a high-performance database that
326 makes extensive use of indexing and caching to speed data access.
328 .B cachesize <integer>
329 Specify the size in entries of the in-memory cache maintained
330 by the LDBM backend database instance. The default is 1000 entries.
332 .B dbcachesize <integer>
333 Specify the size in bytes of the in-memory cache associated
334 with each open index file. If not supported by the underlying database
335 method, this option is ignored without comment. The default is 100000 bytes.
338 Specify that database writes should not be immediately synchronized
339 with in memory changes. Enabling this option may improve performance
340 at the expense of data security.
342 .B directory <directory>
343 Specify the directory where the LDBM files containing the database and
344 associated indexes live. The default is
348 index { <attrlist> | default } [ pres,eq,approx,sub,none ]
349 Specify the indexes to maintain for the given attribute. If only
350 an <attr> is given, all possible indexes are maintained.
353 Specify the file protection mode that newly created database
354 index files should have. The default is 0600.
355 .SH SHELL BACKEND-SPECIFIC OPTIONS
356 Options in this category only apply to the SHELL backend database. That is,
357 they must follow a "database shell" line and come before any subsequent
358 "database" lines. The Shell backend executes external programs to
359 implement operations, and is designed to make it easy to tie an existing
370 .B compare <pathname>
380 .B abandon <pathname>
381 These options specify the pathname of the command to execute in response
382 to the given LDAP operation. The command given should understand and
383 follow the input/output conventions described in Appendix B of "The SLAPD
384 and SLURPD Administrator's Guide."
386 Note that you need only supply configuration lines for those commands you
387 want the backend to handle. Operations for which a command is not
388 supplied will be refused with an "unwilling to perform" error.
389 .SH PASSWORD BACKEND-SPECIFIC OPTIONS
390 Options in this category only apply to the PASSWD backend database.
391 That is, they must follow a "database passwd" line and come before any
392 subsequent "database" lines. The PASSWD database serves up the user
393 account information listed in the system
398 Specifies an alternate passwd file to use. The default is
401 "The SLAPD and SLURPD Administrator's Guide" contains an annotated
402 example of a configuration file.
407 .BR slapd.replog (5),
413 "The SLAPD and SLURPD Administrator's Guide"
416 is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
418 is derived from University of Michigan LDAP 3.3 Release.