1 .TH SLAPD.CONF 5 "5 August 1999" "OpenLDAP LDVERSION"
3 slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
9 contains configuration information for the
11 daemon. This configuration file is also used by the
13 replication daemon and by the SLAPD tools
21 file consists of a series of global configuration options that apply to
23 as a whole (including all backends), followed by zero or more database
24 backend definitions that contain information specific to a backend
32 # comment - these options apply to every database
33 <global configuration options>
34 # first database definition & configuration options
35 database <backend 1 type>
36 <configuration options specific to backend 1>
37 # subsequent database definitions & configuration options
41 As many backend-specific sections as desired may be included. Global
42 options can be overridden in a backend (for options that appear more
43 than once, the last appearance in the
45 file is used). Blank lines and comment lines beginning with a `#'
46 character are ignored. If a line begins with white space, it is
47 considered a continuation of the previous line.
49 Arguments on configuration lines are separated by white space. If an
50 argument contains white space, the argument should be enclosed in
51 double quotes. If an argument contains a double quote (`"') or a
52 backslash character (`\\'), the character should be preceded by a
55 The specific configuration options available are discussed below in the
56 Global Configuration Options, General Backend Options, LDBM
57 Backend-Specific Options, Shell Backend-Specific Options, and Password
58 Backend-Specific Options sections. Refer to "The SLAPD and SLURPD
59 Administrator's Guide" for more details on the slapd configuration
61 .SH GLOBAL CONFIGURATION OPTIONS
62 Options described in this section apply to all backends, unless specifically
63 overridden in a backend definition. Arguments that should be replaced by
64 actual text are shown in brackets <>.
67 access to <what> [ by <who> <accesslevel> ]+
68 Grant access (specified by <accesslevel>) to a set of entries and/or
69 attributes (specified by <what>) by one or more requestors (specified
70 by <who>). Refer to "The SLAPD and SLURPD Administrator's Guide" for
71 information on using the
73 access-control mechanisms.
76 attribute ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE] \
77 [SUP <oid>] [EQUALITY <oid>] [ORDERING <oid>] [SUBSTR <oid>] \
78 [SYNTAX <oidlen>] [SINGLE-VALUE] [COLLECTIVE] [NO-USER-MODIFICATION] \
79 [USAGE <attributeUsage>] )
80 Specify an attribute type using the LDAPv3 syntax defined in RFC 2252.
81 This is the preferred format for attribute type definitions. The slapd
82 parser extends the RFC 2252 definition by allowing string forms as well
83 as numeric OIDs to be used for the attribute OID and attribute syntax OID.
87 description.) Currently the syntax name parser is case-sensitive.
88 The known syntax names are:
92 AttributeTypeDescription Audio Binary BitString Certificate CertificateList
93 CertificatePair DN DeliveryMethod DirectoryString DITContentRuleDescription
94 DITStructureRuleDescription EnhancedGuide FacsimileTelephoneNumber
95 GeneralizedTime Guide IA5String Integer MatchingRuleDescription
96 MatchingRuleUseDescription MailPreference NameAndOptionalUUID
97 NameFormDescription NumericString ObjectClassDescription OID
98 OtherMailbox OctetString PostalAddress ProtocolInformation
99 PresentationAddress PrintableString SupportedAlgorithm TelephoneNumber
100 TeletexTerminalIdentifier TelexNumber UTCTime LDAPSyntaxDescription
101 SubstringAssertion NISnetgrouptriple Bootparameter
107 attribute <name> [<name2>] { bin | ces | cis | tel | dn }
108 Associate a syntax with an attribute name. This directive is deprecated
109 in favor of the one above. By default, an
110 attribute is assumed to have syntax
112 An optional alternate name can be
113 given for an attribute. The possible syntaxes and their meanings are:
128 telephone number string
137 defaultaccess [self]{ none | compare | search | read | write }
138 Specify the default access to grant requestors not matched by
139 any other access line. The default behavior is to grant read access.
141 .B idletimeout <integer>
142 Specify the number of seconds to wait before forcibly closing
143 an idle client connections. A idletimeout of 0 disables this
144 feature. The default is 0.
146 .B include <filename>
147 Read additional configuration information from the given file before
148 continuing with the next line of the current file.
150 .B pidfile <filename>
151 The ( absolute ) name of a file that will hold the
153 server's process ID ( see
155 ) if started without the debugging command line option.
157 .B argsfile <filename>
158 The ( absolute ) name of a file that will hold the
160 server's command line options
161 if started without the debugging command line option.
164 locale { <locale-name> | on | off }
165 Obey <locale-name>'s character classification and case conversion; i.e. the
167 LC_CTYPE category. See
169 for details about locales. "on" takes the locale from the environment,
170 typically $LANG or $LC_CTYPE, and will only work properly if slapd will
171 run with the same environment variables as when the database was
172 generated. "off" (the default setting) resets to the initial "C" locale.
174 .B loglevel <integer>
175 Specify the level at which debugging statements and operation
176 statistics should be syslogged (currently logged to the
178 LOG_LOCAL4 facility). Log levels are additive, and available levels
188 debug packet handling
191 heavy trace debugging
194 connection management
197 print out packets sent and received
200 search filter processing
203 configuration file processing
206 access control list processing
209 stats log connections/operations/results
212 stats log entries sent
215 print communication with shell backends
224 objectclass ( <oid> [NAME <name>] [DESC <description] [OBSOLETE] \
225 [SUP <oids>] [{ ABSTRACT | STRUCTURAL | AUXILIARY }] [MUST <oids>] \
227 Specify an objectclass using the LDAPv3 syntax defined in RFC 2252.
228 This is the preferred format for object class definitions. The slapd
229 parser extends the RFC 2252 definition by allowing string forms as well
230 as numeric OIDs to be used for the object class OID. (See the
233 description.) Object classes are "STRUCTURAL" by default.
236 objectclass <name> requires <attrs> allows <attrs>
237 Define the schema rules for the object class named <name>. These are
238 used in conjunction with the schemacheck option. This directive is
239 deprecated in favor of the one above.
241 .B objectidentifier <name> { <oid> | <name>[:<suffix>] }
242 Define a string name that equates to the given OID. The string can be used
243 in place of the numeric OID in objectclass and attribute definitions. The
244 name can also be used with a suffix of the form ":xx" in which case the
245 value "oid.xx" will be used.
248 Specify the referral to pass back when
250 cannot find a local database to handle a request.
251 If specified multiple times, each url is provided.
253 .B schemacheck { on | off }
254 Turn schema checking on or off. The default is on.
256 .B sizelimit <integer>
257 Specify the maximum number of entries to return from a search operation.
258 The default size limit is 500.
261 Specify the srvtab file in which the kerberos keys necessary for
262 authenticating clients using kerberos can be found. This option is only
263 meaningful if you are using Kerberos authentication.
265 .B timelimit <integer>
266 Specify the maximum number of seconds (in real time)
268 will spend answering a search request. The default time limit is 3600.
272 is build with support for Transport Layer Security, there are more options
275 .B TLSCipherSuite <cipher-suite-spec>
276 Permits configuring what ciphers will be accepted and the preference order.
277 <cipher-suite-spec> should be a cipher specification for OpenSSL. Example:
279 TLSCipherSuite HIGH:MEDIUM:+SSLv2
281 To check what ciphers a given spec selects, use:
283 openssl ciphers -v <cipher-suite-spec>
285 .B TLSCertificateFile <filename>
286 Specifies the file that contains the
290 .B TLSCertificateKeyFile <filename>
291 Specifies the file that contains the
293 server private key that matches the certificate stored in the
294 .B TLSCertificateFile
295 file. Currently, the private key must not be protected with a password, so
296 it is of critical importance that it is protected carefully.
297 .SH GENERAL BACKEND OPTIONS
298 Options in this section only apply to the configuration file section
299 for the backend in which they are defined. They are supported by every
302 .B database <databasetype>
303 Mark the beginning of a new database instance definition. <databasetype>
309 depending on which backend will serve the database.
314 will automatically maintain the
315 modifiersName, modifyTimestamp, creatorsName, and
316 createTimestamp attributes for entries. By default, lastmod is on.
319 This option puts the database into "read-only" mode. Any attempts to
320 modify the database will return an "unwilling to perform" error. By
321 default, readonly is off.
324 replica host=<hostname>[:port] "binddn=<DN>" bindmethod=simple |
326 kerberos [credentials=<password>] [srvtab=<filename>]
328 Specify a replication site for this database. Refer to "The SLAPD and
329 SLURPD Administrator's Guide" for detailed information on setting up
334 .B replogfile <filename>
335 Specify the name of the replication log file to log changes to.
336 The replication log is typically written by
342 for more information.
345 Specify the DN of an entry that is not subject to access control
346 or administrative limit restrictions for operations on this database.
349 Specify a password (or hash of the password) for the rootdn.
350 This option accepts all password formats known to the server
351 including \fB{SHA}\fP, \fB{MD5}\fP, \fB{CRYPT}\fP, and cleartext.
352 Cleartext passwords are not recommended.
354 .B suffix <dn suffix>
355 Specify the DN suffix of queries that will be passed to this
356 backend database. Multiple suffix lines can be given and at least one is
357 required for each database definition.
360 This option is only applicable in a slave
362 It specifies the DN allowed to make changes to the replica (typically,
365 binds as when making changes to the replica).
368 Specify the referral to pass back when
370 is asked to modify a replicated local database.
371 If specified multiple times, each url is provided.
372 .SH LDBM BACKEND-SPECIFIC OPTIONS
373 Options in this category only apply to the LDBM backend database. That is,
374 they must follow a "database ldbm" line and come before any subsequent
375 "database" lines. The LDBM backend is a high-performance database that
376 makes extensive use of indexing and caching to speed data access.
378 .B cachesize <integer>
379 Specify the size in entries of the in-memory cache maintained
380 by the LDBM backend database instance. The default is 1000 entries.
382 .B dbcachesize <integer>
383 Specify the size in bytes of the in-memory cache associated
384 with each open index file. If not supported by the underlying database
385 method, this option is ignored without comment. The default is 100000 bytes.
388 Specify that database writes should not be immediately synchronized
389 with in memory changes. Enabling this option may improve performance
390 at the expense of data security.
392 .B directory <directory>
393 Specify the directory where the LDBM files containing the database and
394 associated indexes live. The default is
398 index { <attrlist> | default } [ pres,eq,approx,sub,none ]
399 Specify the indexes to maintain for the given attribute. If only
400 an <attr> is given, all possible indexes are maintained.
403 Specify the file protection mode that newly created database
404 index files should have. The default is 0600.
405 .SH SHELL BACKEND-SPECIFIC OPTIONS
406 Options in this category only apply to the SHELL backend database. That is,
407 they must follow a "database shell" line and come before any subsequent
408 "database" lines. The Shell backend executes external programs to
409 implement operations, and is designed to make it easy to tie an existing
420 .B compare <pathname>
430 .B abandon <pathname>
431 These options specify the pathname of the command to execute in response
432 to the given LDAP operation. The command given should understand and
433 follow the input/output conventions described in Appendix B of "The SLAPD
434 and SLURPD Administrator's Guide."
436 Note that you need only supply configuration lines for those commands you
437 want the backend to handle. Operations for which a command is not
438 supplied will be refused with an "unwilling to perform" error.
439 .SH PASSWORD BACKEND-SPECIFIC OPTIONS
440 Options in this category only apply to the PASSWD backend database.
441 That is, they must follow a "database passwd" line and come before any
442 subsequent "database" lines. The PASSWD database serves up the user
443 account information listed in the system
448 Specifies an alternate passwd file to use. The default is
451 "The SLAPD and SLURPD Administrator's Guide" contains an annotated
452 example of a configuration file.
457 .BR slapd.replog (5),
466 "The SLAPD and SLURPD Administrator's Guide"
469 is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
471 is derived from University of Michigan LDAP 3.3 Release.