1 .TH SLAPD.CONF 5 "26 January 2002" "OpenLDAP LDVERSION"
2 .\" Copyright 1998-2002 The OpenLDAP Foundation All Rights Reserved.
3 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
6 slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
12 contains configuration information for the
14 daemon. This configuration file is also used by the
16 replication daemon and by the SLAPD tools
24 file consists of a series of global configuration options that apply to
26 as a whole (including all backends), followed by zero or more database
27 backend definitions that contain information specific to a backend
35 # comment - these options apply to every database
36 <global configuration options>
37 # first database definition & configuration options
38 database <backend 1 type>
39 <configuration options specific to backend 1>
40 # subsequent database definitions & configuration options
44 As many backend-specific sections as desired may be included. Global
45 options can be overridden in a backend (for options that appear more
46 than once, the last appearance in the
48 file is used). Blank lines and comment lines beginning with a `#'
49 character are ignored. If a line begins with white space, it is
50 considered a continuation of the previous line.
52 Arguments on configuration lines are separated by white space. If an
53 argument contains white space, the argument should be enclosed in
54 double quotes. If an argument contains a double quote (`"') or a
55 backslash character (`\\'), the character should be preceded by a
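The line format just described (comments, continuation lines, white-space separated arguments, double-quoted arguments and backslash escapes) in code. This is an added example and not OpenLDAP's own parser: it implements only the rules stated above, treats "include" as an ordinary directive without reading the named file, and runs on a constructed sample configuration embedded in the block.

```python
"""Tokenizer for the slapd.conf line format (added example, not OpenLDAP code).

Rules implemented, exactly as the man page states them: blank lines and lines
beginning with '#' are ignored; a line beginning with white space continues the
previous line; arguments are separated by white space; an argument containing
white space is enclosed in double quotes; a '"' or '\\' inside an argument is
written as '\\"' or '\\\\'.  "include" lines are returned as plain directives.
"""


def logical_lines(text):
    """Drop comments and blank lines, join continuation lines."""
    out = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()      # continuation of the previous line
        else:
            out.append(raw.strip())
    return out


def split_args(line):
    """Split one logical line into arguments, honouring quotes and escapes."""
    args, cur, i = [], None, 0
    while i < len(line):
        c = line[i]
        if c in " \t":                        # argument separator
            if cur is not None:
                args.append(cur)
                cur = None
        elif c == '"':                        # quoted argument, may hold white space
            cur = "" if cur is None else cur
            i += 1
            while i < len(line) and line[i] != '"':
                if line[i] == "\\" and i + 1 < len(line):
                    i += 1                    # \" or \\ inside the quotes
                cur += line[i]
                i += 1
            if i >= len(line):
                raise ValueError("unterminated double quote: " + line)
        elif c == "\\" and i + 1 < len(line):
            i += 1                            # escaped character outside quotes
            cur = (cur or "") + line[i]
        else:
            cur = (cur or "") + c
        i += 1
    if cur is not None:
        args.append(cur)
    return args


def parse_config(text):
    """Group directives into the global section and per-database sections."""
    cfg = {"global": [], "databases": []}
    target = cfg["global"]
    for line in logical_lines(text):
        args = split_args(line)
        directive, rest = args[0].lower(), args[1:]
        if directive == "database":
            cfg["databases"].append({"type": rest[0], "options": []})
            target = cfg["databases"][-1]["options"]
        else:
            target.append((directive, rest))
    return cfg


def last_value(options, directive):
    """For a directive that appears more than once, the last appearance wins."""
    values = [rest for name, rest in options if name == directive]
    return values[-1] if values else None


# Constructed sample configuration; not a real deployment.
SAMPLE = r'''
# comment line: ignored
include         /etc/openldap/schema/core.schema
sizelimit       500
sizelimit       1000
defaultsearchbase "dc=example,dc=com"

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# an argument holding an embedded double quote and a backslash
rootpw          "pa\"ss\\word"
access to attrs=userPassword
        by self write
        by * auth
'''

if __name__ == "__main__":
    cfg = parse_config(SAMPLE)
    print("global:", cfg["global"])
    for db in cfg["databases"]:
        print("database", db["type"], db["options"])
```

The two continuation lines of the access directive are joined into one logical line before tokenizing, and the rootpw value comes back as pa"ss\word, which is what the quoting rules above promise.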
58 The specific configuration options available are discussed below in the
59 Global Configuration Options, General Backend Options, General Database
60 Options, LDBM Database-Specific Options,
61 Shell Database-Specific Options, and Password
62 Database-Specific Options sections. Refer to the "OpenLDAP
63 Administrator's Guide" for more details on the slapd configuration
65 .SH GLOBAL CONFIGURATION OPTIONS
66 Options described in this section apply to all backends, unless specifically
67 overridden in a backend definition. Arguments that should be replaced by
68 actual text are shown in brackets <>.
70 .B access to <what> [ by <who> <access> <control> ]+
71 Grant access (specified by <access>) to a set of entries and/or
72 attributes (specified by <what>) by one or more requestors (specified
See the "OpenLDAP Administrator's Guide" for details.
77 Specify a set of features (separated by white space) to
80 allows acceptance of LDAPv2 bind requests.
82 allows anonymous bind when credentials are not empty (e.g.
85 allows unauthenticated (anonymous) bind when DN is not empty.
87 .B argsfile <filename>
88 The ( absolute ) name of a file that will hold the
90 server's command line options
91 if started without the debugging command line option.
94 .B attributetype (\ <oid> [NAME\ <name>] [OBSOLETE]\
95 [DESC\ <description>]\
96 [SUP\ <oid>] [EQUALITY\ <oid>] [ORDERING\ <oid>]\
97 [SUBSTR\ <oid>] [SYNTAX\ <oidlen>] [SINGLE\-VALUE] [COLLECTIVE]\
98 [NO\-USER\-MODIFICATION] [USAGE\ <attributeUsage>]\ )
100 Specify an attribute type using the LDAPv3 syntax defined in RFC 2252.
101 The slapd parser extends the RFC 2252 definition by allowing string
102 forms as well as numeric OIDs to be used for the attribute OID and
103 attribute syntax OID.
106 description.) Currently the syntax name parser is case-sensitive.
107 The known syntax names are:
111 AttributeTypeDescription Audio Binary BitString Certificate CertificateList
112 CertificatePair DN DeliveryMethod DirectoryString DITContentRuleDescription
113 DITStructureRuleDescription EnhancedGuide FacsimileTelephoneNumber
114 GeneralizedTime Guide IA5String Integer MatchingRuleDescription
115 MatchingRuleUseDescription MailPreference NameAndOptionalUUID
116 NameFormDescription NumericString ObjectClassDescription OID
117 OtherMailbox OctetString PostalAddress ProtocolInformation
118 PresentationAddress PrintableString SupportedAlgorithm TelephoneNumber
119 TeletexTerminalIdentifier TelexNumber UTCTime LDAPSyntaxDescription
120 SubstringAssertion NISnetgrouptriple Bootparameter
126 .B concurrency <integer>
127 Specify a desired level of concurrency. Provided to the underlying
128 thread system as a hint. The default is not to provide any hint.
130 .\".B debug <subsys> <level>
131 .\"Specify a logging level for a particular subsystem. The subsystems include
133 .\"a global level for all subsystems,
137 .\"the backend databases,
139 .\"the entry cache manager,
141 .\"the config file reader,
143 .\"the connection manager,
145 .\"the Cyrus SASL library interface,
147 .\"the search filter processor,
149 .\"the DN normalization library,
151 .\"the database indexer,
153 .\"the ASN.1 BER library,
155 .\"the dynamic module loader,
157 .\"the LDAP operation processors,
159 .\"the SASL authentication subsystem,
161 .\"the schema processor, and
163 .\"the TLS library interface. This is not an exhaustive list; there are many
164 .\"other subsystems and more are added over time.
166 .\"The levels are, in order of decreasing priority:
167 .\".B emergency, alert, critical, error, warning, notice, information, entry,
168 .\".B args, results, detail1, detail2
169 .\"An integer may be used instead, with 0 corresponding to
175 .\"level logs function entry points,
177 .\"adds function call parameters, and
179 .\"adds the function results to the logs.
184 .\"levels add even more low level detail from individual functions.
186 .B defaultsearchbase <dn>
187 Specify a default search base to use when client submits a
188 non-base search request with an empty base DN.
190 .B disallow <features>
191 Specify a set of features (separated by white space) to
192 disallow (default none).
194 disables acceptance of anonymous bind requests.
196 disables simple (bind) authentication.
198 disables Kerberos V4 (bind) authentication.
200 disables Start TLS from forcing session to anonymous status (see also
203 disables StartTLS if authenticated (see also
206 .B idletimeout <integer>
207 Specify the number of seconds to wait before forcibly closing
an idle client connection. An idletimeout of 0 disables this
209 feature. The default is 0.
211 .B include <filename>
212 Read additional configuration information from the given file before
213 continuing with the next line of the current file.
215 .B limits <who> <limit> [<limit> [...]]
216 Specify time and size limits based on who initiated an operation.
223 anonymous | users | [dn[.<style>]=]<pattern>
229 <style> ::= exact | base | one | subtree | children | regex | anonymous
233 is hit when a search is performed without prior binding;
235 is hit when a search is performed by a successfully bound user;
238 dn pattern is assumed unless otherwise specified by qualifying
239 the (optional) key string
(which are synonyms), to require an exact match; with
247 to require exactly one level of depth match; with
249 to allow any level of depth match, including the exact match; with
251 to allow any level of depth match, not including the exact match;
253 explicitly requires the (default) match based on regular expression
254 pattern, as detailed in
258 matches unbound operations; the
261 The same behavior is obtained by using the
267 The currently supported limits are
272 The syntax for time limits is
273 .BR time[.{soft|hard}]=<integer> ,
276 is the number of seconds slapd will spend answering a search request.
277 If no time limit is explicitly requested by the client, the
limit is used; if the requested time limit exceeds the
281 limit, an "Unwilling to perform" is returned.
284 limit is set to 0 or to the keyword "soft", the soft limit is used
285 in either case; if it is set to -1 or to the keyword "none",
286 no hard limit is enforced.
287 Explicit requests for time limits smaller or equal to the
290 If no flag is set, the value is assigned to the
294 limit is set to zero, to preserve the original behavior.
296 The syntax for size limits is
297 .BR size[.{soft|hard|unchecked}]=<integer> ,
300 is the maximum number of entries slapd will return answering a search
302 If no size limit is explicitly requested by the client, the
limit is used; if the requested size limit exceeds the
306 limit, an "Unwilling to perform" is returned.
309 limit is set to 0 or to the keyword "soft", the soft limit is used
310 in either case; if it is set to -1 or to the keyword "none",
311 no hard limit is enforced.
312 Explicit requests for size limits smaller or equal to the
317 flag sets a limit on the number of candidates a search request is allowed
319 If the selected candidates exceed the
321 limit, the search will abort with "Unwilling to perform".
322 If it is set to -1 or to the keyword "none", no limit is applied (the default).
323 If no flag is set, the value is assigned to the
327 limit is set to zero, to preserve the original behavior.
329 In case of no match, the global limits are used.
The default values are the same as
338 .B logfile <filename>
339 Specify a file for recording debug log messages. By default these messages
340 only go to stderr and are not recorded anywhere else. Specifying a logfile
341 copies messages to both stderr and the logfile.
343 .B loglevel <integer>
344 Specify the level at which debugging statements and operation
345 statistics should be syslogged (currently logged to the
347 LOG_LOCAL4 facility). Log levels are additive, and available levels
357 debug packet handling
360 heavy trace debugging
363 connection management
366 print out packets sent and received
369 search filter processing
372 configuration file processing
375 access control list processing
378 stats log connections/operations/results
381 stats log entries sent
384 print communication with shell backends
392 .B objectclass ( <oid> [NAME <name>] [DESC <description] [OBSOLETE]\
393 [SUP <oids>] [{ ABSTRACT | STRUCTURAL | AUXILIARY }] [MUST <oids>]\
396 Specify an objectclass using the LDAPv3 syntax defined in RFC 2252.
397 The slapd parser extends the RFC 2252 definition by allowing string
398 forms as well as numeric OIDs to be used for the object class OID.
402 description.) Object classes are "STRUCTURAL" by default.
405 .B objectidentifier <name> { <oid> | <name>[:<suffix>] }
406 Define a string name that equates to the given OID. The string can be used
407 in place of the numeric OID in objectclass and attribute definitions. The
408 name can also be used with a suffix of the form ":xx" in which case the
409 value "oid.xx" will be used.
411 .B password-hash <hash>
412 This option sets the hash to be used in generation of user
413 passwords, stored in userPassword, during processing of
LDAP Password Modify Extended Operations (RFC 3062).
415 The <hash> must be one of
425 Note that this option does not alter the normal user applications
426 handling of userPassword during LDAP Add, Modify, or other LDAP operations.
428 .B password\-crypt\-salt\-format <format>
429 Specify the format of the salt passed to
431 when generating {CRYPT} passwords (see
433 during processing of LDAP Password Modify Extended Operations (RFC 3062).
435 This string needs to be in
437 format and may include one (and only one) %s conversion.
438 This conversion will be substituted with a string random
439 characters from [A\-Za\-z0\-9./]. For example, "%.2s"
440 provides a two character salt and "$1$%.8s" tells some
441 versions of crypt(3) to use an MD5 algorithm and provides
442 8 random characters of salt. The default is "%s", which
443 provides 31 characters of salt.
445 .B pidfile <filename>
446 The ( absolute ) name of a file that will hold the
448 server's process ID ( see
450 ) if started without the debugging command line option.
453 Specify the referral to pass back when
455 cannot find a local database to handle a request.
456 If specified multiple times, each url is provided.
458 .B require <conditions>
459 Specify a set of conditions (separated by white space) to
460 require (default none).
461 The directive may be specified globally and/or per-database.
463 requires bind operation prior to directory operations.
465 requires session to be using LDAP version 3.
467 requires authentication prior to directory operations.
469 requires SASL authentication prior to directory operations.
471 requires strong authentication prior to directory operations.
conditions are currently the same.
may be used to require no conditions (useful for clearing globally
set conditions within a particular database).
481 .B reverse-lookup on | off
482 Enable/disable client name reverse lookup (default is
484 if compiled with --enable-rlookups).
487 Specify the name of an LDIF(5) file containing user defined attributes
488 for the root DSE. These attributes are returned in addition to the
489 attributes normally produced by slapd.
492 Used to specify the fully qualified domain name used for SASL processing.
494 .B sasl-realm <realm>
495 Specify SASL realm. Default is empty.
497 .B sasl-regexp <match> <replace>
498 Used by the SASL authorization mechanism to convert a SASL authenticated
499 username to an LDAP DN. When an authorization request is received, the SASL
503 are taken, when available, and combined into a SASL name of the
508 .B uid=<UID>[,cn=<REALM>][,cn=<MECH>],cn=AUTHZ
511 This SASL name is then compared against the
513 regular expression, and if the match is successful, the SASL name is
516 string. If there are wildcard strings in the
518 regular expression that are enclosed in parenthesis, e.g.
522 .B uid=(.*)\\\\+realm=.*
526 then the portion of the SASL name that matched the wildcard will be stored
527 in the numbered placeholder variable $1. If there are other wildcard strings
528 in parenthesis, the matching strings will be in $2, $3, etc. up to $9. The
529 placeholders can then be used in the
535 .B cn=$1,ou=Accounts,dc=$2,dc=$4.
539 The replaced SASL name can be either a DN or an LDAP URI. If the latter, the slapd
540 server will use the URI to search its own database, and if the search returns
541 exactly one entry, the SASL name is replaced by the DN of that entry.
544 options can be given in the configuration file to allow for multiple matching
545 and replacement patterns. The matching patterns are checked in the order they
546 appear in the file, stopping at the first successful match.
549 Because the plus sign + is a character recognized by the regular expression engine,
550 and it will appear in SASL names that include a REALM, be careful to escape the
551 plus sign with a backslash \\+ to remove the character's special meaning.
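The sasl-regexp mapping described above, as an added example in Python (not OpenLDAP's code). Rules are tried in file order and the first match wins; $1 to $9 in the replacement are the parenthesised groups; a replacement that is an LDAP URI is searched against a constructed in-memory directory and maps only if exactly one entry matches. Assumptions: patterns are written in Python re syntax (slapd uses POSIX extended regular expressions), only (attr=value) equality filters are evaluated, and DNs are compared as plain strings without normalisation. The rule set includes one pattern with the escaped plus sign the warning above is about.

```python
"""sasl-regexp: SASL authentication name -> LDAP DN (added example, not OpenLDAP code)."""
import re
from urllib.parse import unquote


def expand(replacement, match):
    """Substitute $1..$9 with the numbered groups of the successful match."""
    return re.sub(r"\$([1-9])", lambda m: match.group(int(m.group(1))), replacement)


def parse_ldap_uri(uri):
    """ldap:///<base>?<attrs>?<scope>?<filter>; returns (base, scope, filter)."""
    parts = uri[len("ldap:///"):].split("?") + [""] * 3
    base, _attrs, scope, filt = parts[:4]
    return unquote(base), (scope or "base"), filt


def search(directory, base, scope, filt):
    """Stand-in for slapd searching its own database: equality filters only."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    if not m:
        raise ValueError("example supports only (attr=value) filters: " + filt)
    attr, value = m.group(1).lower(), m.group(2)
    suffix = "," + base
    hits = []
    for dn, entry in directory.items():
        if scope == "base":
            in_scope = dn == base
        elif scope == "one":
            in_scope = dn.endswith(suffix) and "," not in dn[: -len(suffix)]
        else:                                  # sub
            in_scope = dn == base or dn.endswith(suffix)
        if in_scope and value in entry.get(attr, []):
            hits.append(dn)
    return hits


def map_sasl_name(rules, sasl_name, directory):
    """Return the DN for sasl_name, or None when no rule yields exactly one identity."""
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_name)
        if not m:
            continue                           # try the next rule in file order
        target = expand(replacement, m)
        if not target.lower().startswith("ldap:///"):
            return target                      # replacement is a DN: done
        hits = search(directory, *parse_ldap_uri(target))
        return hits[0] if len(hits) == 1 else None   # exactly one entry required
    return None


# Constructed rule set, in the order they would appear in slapd.conf.
RULES = [
    # uid + realm + mechanism: look the user up by uid under ou=Accounts
    (r"^uid=([^,]+),cn=EXAMPLE\.COM,cn=[^,]+,cn=AUTHZ$",
     "ldap:///ou=Accounts,dc=example,dc=com??sub?(uid=$1)"),
    # older "uid=<user>+realm=<REALM>" form; the plus sign is escaped so it is literal
    (r"^uid=([^+]+)\+realm=EXAMPLE\.COM$",
     "cn=$1,ou=Accounts,dc=example,dc=com"),
    # uid + mechanism, no realm: map straight to a DN
    (r"^uid=([^,]+),cn=[^,]+,cn=AUTHZ$",
     "cn=$1,ou=Accounts,dc=example,dc=com"),
]

# Constructed directory; "bob" deliberately has two entries in scope.
DIRECTORY = {
    "ou=Accounts,dc=example,dc=com": {"ou": ["Accounts"]},
    "cn=Alice Adams,ou=Accounts,dc=example,dc=com": {"uid": ["alice"]},
    "cn=Bob Brown,ou=Accounts,dc=example,dc=com": {"uid": ["bob"]},
    "cn=Bob Brown 2,ou=Accounts,dc=example,dc=com": {"uid": ["bob"]},
    "cn=Alice Adams,ou=Disabled,dc=example,dc=com": {"uid": ["alice"]},
}

if __name__ == "__main__":
    for name in ("uid=alice,cn=EXAMPLE.COM,cn=DIGEST-MD5,cn=AUTHZ",
                 "uid=bob,cn=EXAMPLE.COM,cn=DIGEST-MD5,cn=AUTHZ",
                 "uid=carol+realm=EXAMPLE.COM",
                 "uid=dave,cn=EXTERNAL,cn=AUTHZ"):
        print(name, "->", map_sasl_name(RULES, name, DIRECTORY))
```

The duplicate "bob" entries show why the one-entry rule matters: an ambiguous lookup yields no identity rather than an arbitrary one, and the second alice entry under ou=Disabled is ignored because it lies outside the URI's search base.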
554 .B sasl-secprops <properties>
555 Used to specify Cyrus SASL security properties.
flag (without any other properties) causes the default flag properties,
"noanonymous,noplain", to be cleared.
562 flag disables mechanisms susceptible to simple passive attacks.
565 flag disables mechanisms susceptible to active attacks.
568 flag disables mechanisms susceptible to passive dictionary attacks.
571 flag disables mechanisms which support anonymous login.
flag requires forward secrecy between sessions.
577 require mechanisms which pass client credentials (and allow
578 mechanisms which can pass credentials to do so).
581 property specifies the minimum acceptable
582 .I security strength factor
as an integer approximating the effective key length used for
584 encryption. 0 (zero) implies no protection, 1 implies integrity
585 protection only, 56 allows DES or other weak ciphers, 112
586 allows triple DES and other strong ciphers, 128 allows RC4,
587 Blowfish and other modern strong ciphers. The default is 0.
590 property specifies the maximum acceptable
591 .I security strength factor
592 as an integer (see minssf description). The default is INT_MAX.
595 property specifies the maximum security layer receive buffer
596 size allowed. 0 disables security layers. The default is 65536.
598 .B security <factors>
599 Specify a set of factors (separated by white space) to require.
An integer value is associated with each factor and is roughly
equivalent to the encryption key length to require. A value
of 112 is equivalent to 3DES, 128 to Blowfish, etc.
603 The directive may be specified globally and/or per-database.
605 specifies the overall security strength factor.
607 specifies the transport security strength factor.
609 specifies the TLS security strength factor.
611 specifies the SASL security strength factor.
613 specifies the overall security strength factor to require for
615 .B update_transport=<n>
616 specifies the transport security strength factor to require for
619 specifies the TLS security strength factor to require for
622 specifies the SASL security strength factor to require for
factor is a measure of the security provided by the underlying transport,
627 e.g. ldapi:// (and eventually IPSEC). It is not normally used.
629 .B sizelimit <integer>
631 .B sizelimit size[.{soft|hard|unchecked}]=<integer> [...]
632 Specify the maximum number of entries to return from a search operation.
633 The default size limit is 500.
634 The second format allows a fine grain setting of the size limits.
635 Extra args can be added on the same line.
638 for an explanation of the different flags.
640 .B sockbuf_max_incoming <integer>
641 Specify the maximum incoming LDAP PDU size for anonymous sessions.
642 The default is 262143.
644 .B sockbuf_max_incoming_auth <integer>
645 Specify the maximum incoming LDAP PDU size for authenticated sessions.
646 The default is 4194303.
649 Specify the srvtab file in which the kerberos keys necessary for
650 authenticating clients using kerberos can be found. This option is only
651 meaningful if you are using Kerberos authentication.
654 Specify the maximum size of the primary thread pool.
657 .B timelimit <integer>
659 .B timelimit time[.{soft|hard}]=<integer> [...]
660 Specify the maximum number of seconds (in real time)
662 will spend answering a search request. The default time limit is 3600.
663 The second format allows a fine grain setting of the time limits.
664 Extra args can be added on the same line.
667 for an explanation of the different flags.
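The limits, sizelimit and timelimit directives described above, combined in one slapd.conf fragment. This is an added example, not part of the original page; the DNs and numbers are made up for illustration.

```conf
# Global fallbacks: used for any requestor no "limits" line matches
sizelimit   500
timelimit   3600

# Unauthenticated searches: low soft limit, a hard limit the client cannot
# exceed, and at most 2000 candidate entries examined before the search is refused
limits anonymous size.soft=50 size.hard=100 size.unchecked=2000 time.hard=30

# Any bound user: higher soft limit, clients may request up to 2000 entries
limits users size.soft=500 size.hard=2000 time.soft=60 time.hard=600

# One reporting account, matched exactly, with no hard limits enforced
limits dn.exact="cn=Reporting,ou=Services,dc=example,dc=com" size.hard=none time.hard=none

# Every entry at or below this OU (subtree includes the OU itself)
limits dn.subtree="ou=Services,dc=example,dc=com" size.soft=1000
```

slapd applies the first limits line that matches the requestor, so the exact-DN line is placed before the subtree line that would also match it; a client asking for a size or time limit above the applicable hard limit gets "Unwilling to perform", as described above, rather than a silently capped result.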
671 is built with support for Transport Layer Security, there are more options
674 .B TLSCipherSuite <cipher-suite-spec>
Permits configuring what ciphers will be accepted and the preference order.
<cipher-suite-spec> should be a cipher specification for OpenSSL. Note that
in such a specification a leading `+' (as in +SSLv2) only moves the matching
ciphers to the end of the preference list; to exclude them use `!' (as in
!SSLv2). Example:
678 TLSCipherSuite HIGH:MEDIUM:+SSLv2
680 To check what ciphers a given spec selects, use:
682 openssl ciphers -v <cipher-suite-spec>
684 .B TLSCACertificateFile <filename>
685 Specifies the file that contains certificates for all of the Certificate
690 .B TLSCertificateFile <filename>
691 Specifies the file that contains the
695 .B TLSCertificateKeyFile <filename>
696 Specifies the file that contains the
698 server private key that matches the certificate stored in the
699 .B TLSCertificateFile
700 file. Currently, the private key must not be protected with a password, so
701 it is of critical importance that it is protected carefully.
703 .B TLSRandFile <filename>
704 Specifies the file to obtain random bits from when /dev/[u]random
705 is not available. Generally set to the name of the EGD/PRNGD socket.
706 The environment variable RANDFILE can also be used to specify the filename.
708 .B TLSVerifyClient <level>
709 Specifies what checks to perform on client certificates in an
710 incoming TLS session, if any.
713 can be specified as one of the following keywords:
719 will not ask the client for a certificate.
722 The client certificate is requested. If no certificate is provided,
723 the session proceeds normally. If a bad certificate is provided,
724 it will be ignored and the session proceeds normally.
727 The client certificate is requested. If no certificate is provided,
728 the session proceeds normally. If a bad certificate is provided,
729 the session is immediately terminated.
731 .B demand | hard | true
732 These keywords are all equivalent, for compatibility reasons.
733 The client certificate is requested. If no certificate is provided,
734 or a bad certificate is provided, the session is immediately terminated.
736 Note that a valid client certificate is required in order to use the
737 SASL EXTERNAL authentication mechanism with a TLS session. As such,
740 setting must be chosen to enable SASL EXTERNAL authentication.
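The global authentication and TLS directives described above (allow, disallow, require, security, sasl-secprops, TLSCipherSuite, TLSVerifyClient and the TLS file directives), shown as a weak configuration beside a hardened one. This is an added example, not from the original page; the file paths are assumed, and update_ssf is the factor required for directory updates, whose keyword is not reproduced on this page.

```conf
############ Weak: anonymous and LDAPv2 binds accepted, cleartext allowed
allow           bind_v2 bind_anon_cred bind_anon_dn
# clears the default "noanonymous,noplain" SASL properties
sasl-secprops   none
# "+SSLv2" only demotes the SSLv2 suites; they are still offered
TLSCipherSuite  HIGH:MEDIUM:+SSLv2
TLSVerifyClient never

############ Hardened
# no anonymous binds, LDAPv3 only, authentication before any directory operation
disallow        bind_anon
require         LDAPv3 authc
# every operation, and in particular every update, needs a 128-bit protected session;
# StartTLS itself is still permitted so that clients can reach that strength
security        ssf=128 update_ssf=128
# keep the SASL defaults: no anonymous mechanisms, no plaintext mechanisms
sasl-secprops   noanonymous,noplain
# remove rather than demote the weak suites
TLSCipherSuite  HIGH:!SSLv2:!aNULL:!eNULL
# request a client certificate; a bad one ends the session, none is tolerated,
# which is enough to make SASL EXTERNAL available to certificate holders
TLSVerifyClient try
TLSCACertificateFile    /etc/openldap/cacert.pem
TLSCertificateFile      /etc/openldap/server.pem
# unencrypted private key: the file must be readable by the slapd user only
TLSCertificateKeyFile   /etc/openldap/server.key
```

Comments in slapd.conf must stand on their own lines, as above; a `#' after a directive is not a comment. Check the cipher string with `openssl ciphers -v 'HIGH:!SSLv2:!aNULL:!eNULL'` before deploying it.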
742 .SH GENERAL BACKEND OPTIONS
743 Options in this section only apply to the configuration file section
744 for the specified backend. They are supported by every
747 .B backend <databasetype>
748 Mark the beginning of a backend definition. <databasetype>
763 depending on which backend will serve the database.
765 .SH GENERAL DATABASE OPTIONS
766 Options in this section only apply to the configuration file section
767 for the database in which they are defined. They are supported by every
770 .B database <databasetype>
771 Mark the beginning of a new database instance definition. <databasetype>
786 depending on which backend will serve the database.
791 will automatically maintain the
792 modifiersName, modifyTimestamp, creatorsName, and
793 createTimestamp attributes for entries. By default, lastmod is on.
796 This option puts the database into "read-only" mode. Any attempts to
797 modify the database will return an "unwilling to perform" error. By
798 default, readonly is off.
800 .B replica host=<hostname>[:port] [tls=yes|critical]
801 .B [suffix=<suffix> [...]]
802 .B bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
803 .B [saslmech=<SASL mech>] [secopts=<options>] [realm=<realm>]
.B [authcId=<authentication ID>] [authzId=<authorization ID>]
805 .B [attr[!]=<attr list>]
807 Specify a replication site for this database. Refer to the "OpenLDAP
808 Administrator's Guide" for detailed information on setting up a replicated
810 directory service. Zero or more
812 instances can be used to select the subtrees that will be replicated
813 (defaults to all the database). A
821 and should only be used when adequate security services
(e.g. TLS or IPSEC) are in place. A
830 will use Kerberos, a kerberos instance should be given in
834 can be given after the
836 keyword to allow the selective replication of the listed attributes only;
839 mark is used, the list is considered exclusive, i.e. the listed attributes
841 If an objectClass is listed, all the related attributes
842 are (are not) replicated.
845 .B replogfile <filename>
846 Specify the name of the replication log file to log changes to.
847 The replication log is typically written by
853 for more information. The specified file should be located
854 in a directory with limited read/write/execute access as the replication
855 logs may contain sensitive information.
858 Specify the distinguished name that is not subject to access control
859 or administrative limit restrictions for operations on this database.
860 This DN may or may not be associated with an entry. An empty root
861 DN (the default) specifies no root access is to be granted. It is
862 recommended that the rootdn only be specified when needed (such as
863 when initially populating a database). If the rootdn is within
864 a namingContext (suffix) of the database, a simple bind password
865 may also be provided using the
870 Specify a password (or hash of the password) for the rootdn. If
871 the rootdn is not within the namingContext of the database, the
872 provided password is ignored.
873 This option accepts all RFC 2307 userPassword formats known to
description) as well as cleartext.
878 may be used to generate a hash of a password. Cleartext
879 and \fB{CRYPT}\fP passwords are not recommended. If empty
880 (the default), authentication of the root DN is by other means
881 (e.g. SASL). Use of SASL is encouraged.
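The RFC 2307 userPassword formats mentioned under rootpw and password-hash, and the salt-string expansion described under password-crypt-salt-format, as an added example in Python. This is not OpenLDAP's or slappasswd's code: it implements the four hashlib-based schemes ({SHA}, {SSHA}, {MD5}, {SMD5}) as slapd stores them, base64 of the digest followed by the salt, with a 4-byte random salt, verifies a stored value in constant time, and expands a salt format string without calling crypt(3). Cleartext values (no {scheme} prefix) are accepted by the verifier only to show why they are not recommended.

```python
"""RFC 2307 password hashes and {CRYPT} salt formats (added example, not OpenLDAP code)."""
import base64
import hashlib
import hmac
import re
import secrets
import string

SALT_CHARS = string.ascii_letters + string.digits + "./"   # [A-Za-z0-9./]

# scheme -> (hashlib algorithm, salted?)
_SCHEMES = {"SHA": ("sha1", False), "SSHA": ("sha1", True),
            "MD5": ("md5", False), "SMD5": ("md5", True)}


def hash_password(scheme, password, salt=None):
    """Return '{SCHEME}' + base64(digest(password || salt) || salt)."""
    algo, salted = _SCHEMES[scheme.upper()]
    if not salted:
        salt = b""
    elif salt is None:
        salt = secrets.token_bytes(4)          # fresh 4-byte salt per hash
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(digest + salt).decode())


def verify_password(stored, password):
    """Check password against a stored value; cleartext if there is no {scheme}."""
    m = re.match(r"\{(\w+)\}(.*)", stored)
    if not m:                                  # cleartext rootpw: discouraged above
        return hmac.compare_digest(stored.encode(), password.encode())
    scheme = m.group(1).upper()
    if scheme not in _SCHEMES:
        raise ValueError("scheme not handled by this example: " + scheme)
    algo, salted = _SCHEMES[scheme]
    blob = base64.b64decode(m.group(2))
    n = hashlib.new(algo).digest_size
    digest, salt = blob[:n], blob[n:]          # salt is whatever follows the digest
    if not salted and salt:
        return False
    expected = hashlib.new(algo, password.encode() + salt).digest()
    return hmac.compare_digest(digest, expected)


def valid_salt_format(fmt):
    """password-crypt-salt-format must hold one and only one %s conversion."""
    return len(re.findall(r"%(?:\.\d+)?s", fmt)) == 1


def crypt_salt(fmt, rng=None):
    """Expand a salt format: the %s conversion receives a 31-character random
    string from [A-Za-z0-9./]; a precision such as %.8s truncates it."""
    if not valid_salt_format(fmt):
        raise ValueError("format must contain exactly one %s conversion: " + fmt)
    choose = rng.choice if rng is not None else secrets.choice
    random_part = "".join(choose(SALT_CHARS) for _ in range(31))
    return fmt % random_part


if __name__ == "__main__":
    h = hash_password("SSHA", "secret")
    print(h, verify_password(h, "secret"), verify_password(h, "wrong"))
    for fmt in ("%s", "%.2s", "$1$%.8s"):
        print(repr(fmt), "->", crypt_salt(fmt))
```

Two {SSHA} hashes of the same password differ because each carries its own salt, while {SHA} of the same password is always the same string; that is the reason to prefer the salted schemes for rootpw and userPassword.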
883 .B suffix <dn suffix>
884 Specify the DN suffix of queries that will be passed to this
885 backend database. Multiple suffix lines can be given and at least one is
886 required for each database definition.
889 Specify that the current backend database is a subordinate of another
890 backend database. A subordinate database may have only one suffix. This
891 option may be used to glue multiple databases into a single namingContext.
892 If the suffix of the current database is within the namingContext of a
893 superior database, searches against the superior database will be
894 propagated to the subordinate as well. All of the databases
895 associated with a single namingContext should have identical rootdns.
896 Behavior of other LDAP operations is unaffected by this setting. In
897 particular, it is not possible to use moddn to move an entry from
898 one subordinate to another subordinate within the namingContext.
901 This option is only applicable in a slave
903 It specifies the DN allowed to make changes to the replica (typically,
906 binds as when making changes to the replica).
909 Specify the referral to pass back when
911 is asked to modify a replicated local database.
912 If specified multiple times, each url is provided.
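The replica, replogfile, updatedn and updateref directives described above, on the two sides of one replicated database. This is an added example, not from the original page; host names, DNs and paths are assumed.

```conf
############ master: database section
database    bdb
suffix      "dc=example,dc=com"
rootdn      "cn=Manager,dc=example,dc=com"
# slurpd reads this log; it records every change, so keep the directory mode 0700
replogfile  /var/lib/openldap-slurp/replog
# simple bind is deprecated but acceptable here only because tls=critical
# makes slurpd refuse to continue without a TLS session
replica     host=slave.example.com:389 tls=critical
            bindmethod=simple
            binddn="cn=Replicator,dc=example,dc=com"
            credentials=<replicator-password>

############ slave: same suffix, writable only by the replicator identity
database    bdb
suffix      "dc=example,dc=com"
rootdn      "cn=Manager,dc=example,dc=com"
updatedn    "cn=Replicator,dc=example,dc=com"
# clients that try to write here are referred to the master
updateref   ldap://master.example.com/
access to *
        by dn.exact="cn=Replicator,dc=example,dc=com" write
        by * read
```

The binddn on the master and the updatedn on the slave must be the same identity, and that identity must be able to bind on the slave (an entry under the suffix with a userPassword, or the slave's rootdn). Because the replicator's credentials sit in cleartext in the master's slapd.conf, that file needs the same restricted permissions as the replication log.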
913 .\" .SH LDBM BACKEND-SPECIFIC OPTIONS
914 .\" Options in this category only apply to the LDBM backend. That is,
915 .\" they must follow "backend ldbm" line and come before any subsequent
916 .\" "backend" or "database" lines. The LDBM backend is a high-performance
917 .\" database that makes extensive use of indexing and caching to speed
919 .SH BDB DATABASE-SPECIFIC OPTIONS
Options in this category only apply to the BDB databases. That is,
they must follow a "database bdb" line and come before any subsequent
"backend" or "database" lines.
924 .B cachesize <integer>
925 Specify the size in entries of the in-memory cache maintained
926 by the BDB backend database instance. The default is 1000 entries.
928 .B checkpoint <kbyte> <min>
929 Specify the frequency for checkpointing the database transaction log.
930 A checkpoint operation flushes the database buffers to disk and writes
931 a checkpoint record in the log. The checkpoint will occur if either
932 <kbyte> data has been written or <min> minutes have passed since the
933 last checkpoint. Both arguments default to zero, in which case they are ignored.
934 See the Berkeley DB reference guide for more details.
937 Specify that on-disk database contents should not be immediately
938 synchronized with in memory changes. Enabling this option may improve
939 performance at the expense of data security.
941 .B directory <directory>
942 Specify the directory where the BDB files containing this database and
943 associated indexes live. A separate directory must be specified for
944 each database. The default is
945 .BR LOCALSTATEDIR/openldap-data .
948 Allow reads of modified but not yet committed data. Usually transactions
949 are isolated to prevent other operations from accessing uncommitted data.
950 This option may improve performance, but may also return inconsistent
951 results if the data comes from a transaction that is later aborted. In
952 this case, the modified data is discarded and a subsequent search will
953 return a different result.
956 index {<attrlist>|default} [pres,eq,approx,sub,<special>]
957 See the description for LDBM.
959 .B lockdetect {oldest|youngest|fewest|random|default}
960 Specify which transaction to abort when a deadlock is detected. The
961 default is the same as
965 Specify the file protection mode that newly created database
966 index files should have. The default is 0600.
968 .SH LDBM DATABASE-SPECIFIC OPTIONS
Options in this category only apply to the LDBM databases. That is,
they must follow a "database ldbm" line and come before any subsequent
"backend" or "database" lines.
973 .B cachesize <integer>
974 Specify the size in entries of the in-memory cache maintained
975 by the LDBM backend database instance. The default is 1000 entries.
977 .B dbcachesize <integer>
978 Specify the size in bytes of the in-memory cache associated
979 with each open index file. If not supported by the underlying database
980 method, this option is ignored without comment. The default is 100000 bytes.
983 Specify that no database locking should be performed.
984 Enabling this option may improve performance at the expense of data security.
985 Do NOT run any slap tools while slapd is running.
988 Specify that on-disk database contents should not be immediately
989 synchronized with in memory changes. Enabling this option may improve
990 performance at the expense of data security.
992 .B dbsync <frequency> <maxdelays> <delayinterval>
993 Flush dirty database buffers to disk every
(i.e. individual updates are no longer written to disk). It attempts to avoid
998 syncs during periods of peak activity by waiting
1000 seconds if the server is busy, repeating this delay up to
1002 times before proceeding.
1003 It is an attempt to provide higher write performance with some amount of data
1004 security. Note that it may still be possible to get an inconsistent
1005 database if the underlying engine fills its cache and writes out individual
1006 pages and slapd crashes or is killed before the next sync.
1010 are optional and default to
1014 respectively, giving a total elapsed delay of 60 seconds before a sync
1019 must be 1 or greater.
1021 .B directory <directory>
1022 Specify the directory where the LDBM files containing this database and
1023 associated indexes live. A separate directory must be specified for
1024 each database. The default is
1025 .BR LOCALSTATEDIR/openldap-data .
1028 index {<attrlist>|default} [pres,eq,approx,sub,<special>]
1029 Specify the indexes to maintain for the given attribute (or
1030 list of attributes). Some attributes only support a subset
1031 of indexes. If only an <attr> is given, the indices specified
1032 for \fBdefault\fR are maintained. Note that setting a default
1033 does not imply that all attributes will be indexed.
1035 A number of special index parameters may be
1039 can be decomposed into
1046 may be specified to disallow use of this index by language subtypes.
1049 may be specified to disallow use of this index by named subtypes.
1050 Note: changing index settings requires rebuilding indices, see
1054 Specify the file protection mode that newly created database
1055 index files should have. The default is 0600.
1056 .SH SHELL DATABASE-SPECIFIC OPTIONS
1057 Options in this category only apply to the SHELL backend database. That is,
1058 they must follow a "database shell" line and come before any subsequent
1059 "backend" or "database" lines. The Shell backend executes external programs to
1060 implement operations, and is designed to make it easy to tie an existing
1067 .B unbind <pathname>
1069 .B search <pathname>
1071 .B compare <pathname>
1073 .B modify <pathname>
1075 .B modrdn <pathname>
1079 .B delete <pathname>
1081 .B abandon <pathname>
1082 These options specify the pathname of the command to execute in response
1083 to the given LDAP operation.
1085 Note that you need only supply configuration lines for those commands you
1086 want the backend to handle. Operations for which a command is not
1087 supplied will be refused with an "unwilling to perform" error.
1088 .SH PASSWORD DATABASE-SPECIFIC OPTIONS
1089 Options in this category only apply to the PASSWD backend database.
1090 That is, they must follow a "database passwd" line and come before any
1091 subsequent "backend" or "database" lines. The PASSWD database serves up the user
1092 account information listed in the system
1097 Specifies an alternate passwd file to use. The default is
1099 .SH OTHER DATABASE-SPECIFIC OPTIONS
1100 Other databases may allow specific configuration options; they will be
1101 documented separately since most of these databases are very specific
1104 "OpenLDAP Administrator's Guide" contains an annotated
1105 example of a configuration file.
1110 .BR slapd.replog (5),
1111 .BR slapd.access (5),
.BR slappasswd (8),
1121 "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
1122 .SH ACKNOWLEDGEMENTS
1124 is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
1126 is derived from University of Michigan LDAP 3.3 Release.