1 .TH SLAPD 8C "RELEASEDATE" "OpenLDAP LDVERSION"
2 .\" Copyright 1998-2010 The OpenLDAP Foundation All Rights Reserved.
3 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
6 slapd \- Stand-alone LDAP Daemon
12 .BR \-T \ { acl \||\| a [ dd ]\||\| auth \||\| c [ at ]\||\|
13 .BR d [ n ]\||\| i [ ndex ]\||\| p [ asswd ]\||\| s [ chema ]\||\| t [ est ]}]
15 .BI \-d \ debug-level\fR]
17 .BI \-f \ slapd-config-file\fR]
19 .BI \-F \ slapd-config-directory\fR]
23 .BI \-n \ service-name\fR]
25 .BI \-s \ syslog-level\fR]
27 .BI \-l \ syslog-local-user\fR]
29 .BI \-o \ option\fR[ = value\fR]]
31 .BI \-r \ directory\fR]
41 is the stand-alone LDAP daemon. It listens for LDAP connections on
42 any number of ports (default \fB389\fP), responding
43 to the LDAP operations it receives over these connections.
45 is typically invoked at boot time, usually out of
49 normally forks and disassociates itself from the invoking tty.
50 If configured in the config file (or config directory),
53 process will print its process ID (see
57 file, as well as the command line options during invocation to an
63 flag is given, even with a zero argument,
65 will not fork and disassociate from the invoking tty.
67 See the "OpenLDAP Administrator's Guide" for more details on
72 Listen on IPv4 addresses only.
75 Listen on IPv6 addresses only.
78 Run in Tool mode. The \fItool\fP argument selects whether to run as
87 (\fIslapacl\fP and \fIslapauth\fP need the entire \fBacl\fP and \fBauth\fP
88 option value to be spelled out, as \fBa\fP is reserved to
90 This option should be the first option specified when it is used;
91 any remaining options will be interpreted by the corresponding
92 slap tool program, according to the respective man pages.
93 Note that these tool programs will usually be symbolic links to
95 This option is provided for situations where symbolic links
96 are not provided or not usable.
99 Turn on debugging as defined by
101 If this option is specified, even with a zero argument,
103 will not fork or disassociate from the invoking terminal. Some general
104 operation and status messages are printed for any value of \fIdebug-level\fP.
105 \fIdebug-level\fP is taken as a bit string, with each bit corresponding to a
106 different kind of debugging information. See <ldap_log.h> for details.
107 Comma-separated arrays of friendly names can be specified to select
108 debugging output of the corresponding debugging information.
109 All the names recognized by the \fIloglevel\fP directive
110 described in \fBslapd.conf\fP(5) are supported.
111 If \fIdebug-level\fP is \fB?\fP, a list of installed debug-levels is printed,
114 Remember that if you turn on packet logging, packets containing bind passwords
115 will be output, so if you redirect the log to a logfile, that file should
118 .BI \-s \ syslog-level
121 at what debug-level debugging statements should be logged to the
124 The value \fIsyslog-level\fP can be set to any value or combination
125 allowed by the \fB\-d\fP switch.
126 Slapd logs all messages selected by \fIsyslog-leveli\fP
129 severity debug-level \fBDEBUG\fP,
130 on the unit specified with \fB\-l\fP.
132 .BI \-n \ service-name
133 Specifies the service name for logging and other purposes. Defaults
134 to basename of argv[0], i.e.: "slapd".
136 .BI \-l \ syslog-local-user
137 Selects the local user of the
139 facility. Value can be
149 However, this option is only permitted on systems that support
153 Logging to syslog(8) occurs at the "DEBUG" severity debug-level.
155 .BI \-f \ slapd-config-file
156 Specifies the slapd configuration file. The default is
157 .BR ETCDIR/slapd.conf .
159 .BI \-F \ slapd-config-directory
160 Specifies the slapd configuration directory. The default is
166 are specified, the config file will be read and converted to
167 config directory format and written to the specified directory.
168 If neither option is specified, slapd will attempt to read the
169 default config directory before trying to use the default
170 config file. If a valid config directory exists then the
171 default config file is ignored. All of the slap tools that
172 use the config options observe this same behavior.
176 will by default serve
178 (LDAP over TCP on all interfaces on default LDAP port). That is,
179 it will bind using INADDR_ANY and port \fB389\fP.
182 option may be used to specify LDAP (and other scheme) URLs to serve.
183 For example, if slapd is given
184 .BR "\-h \(dqldap://127.0.0.1:9009/ ldaps:/// ldapi:///\(dq" ,
185 it will listen on 127.0.0.1:9009 for LDAP, 0.0.0.0:636 for LDAP over TLS,
186 and LDAP over IPC (Unix domain sockets). Host 0.0.0.0 represents
187 INADDR_ANY (any interface).
188 A space separated list of URLs is expected. The URLs should be of
189 the LDAP, LDAPS, or LDAPI schemes, and generally
190 without a DN or other optional parameters (excepting as discussed below).
191 Support for the latter two schemes depends on selected configuration
192 options. Hosts may be specified by name or IPv4 and IPv6 address formats.
193 Ports, if specified, must be numeric. The default ldap:// port is \fB389\fP
194 and the default ldaps:// port is \fB636\fP.
196 The listener permissions are indicated by
197 "x\-mod=\-rwxrwxrwx", "x\-mod=0777" or "x\-mod=777", where any
198 of the "rwx" can be "\-" to suppress the related permission, while any
199 of the "7" can be any legal octal digit, according to chmod(1).
200 The listeners can take advantage of the "x\-mod"
201 extension to apply rough limitations to operations, e.g. allow read operations
202 ("r", which applies to search and compare), write operations ("w",
203 which applies to add, delete, modify and modrdn), and execute operations
204 ("x", which means bind is required).
205 "User" permissions apply to authenticated users, while "other" apply
206 to anonymous users; "group" permissions are ignored.
207 For example, "ldap:///????x\-mod=\-rw\-\-\-\-\-\-\-" means that read and write is only allowed
208 for authenticated connections, and bind is required for all operations.
209 This feature is experimental, and requires to be manually enabled
213 Specifies a directory to become the root directory. slapd will
214 change the current working directory to this directory and
217 to this directory. This is done after opening listeners but before
218 reading any configuration file or initializing any backend. When
219 used as a security mechanism, it should be used in conjunction with
227 will run slapd with the specified user name or id, and that user's
228 supplementary group access list as set with initgroups(3). The group ID
229 is also changed to this user's gid, unless the \fB\-g\fP option is used to
230 override. Note when used with
232 slapd will use the user database in the change root environment.
234 Note that on some systems, running as a non-privileged user will prevent
235 passwd back-ends from accessing the encrypted passwords. Note also that
236 any shell back-ends will run as the specified non-privileged user.
240 will run with the specified group name or id. Note when used with
242 slapd will use the group database in the change root environment.
245 This option provides a cookie for the syncrepl replication consumer.
246 The cookie is a comma separated list of \fIname=value\fP pairs.
247 Currently supported syncrepl cookie fields are
253 identifies a replication thread within the consumer server
254 and is used to find the syncrepl specification in
257 .BR slapd\-config (5)
258 having the matching replication identifier in its definition. The
260 must be provided in order for any other specified values to be used.
262 is the server id in a multi-master/mirror-mode configuration.
264 is the commit sequence number received by a previous synchronization
265 and represents the state of the consumer replica content which the
266 syncrepl engine will synchronize to the current provider content.
267 In case of \fImirror-mode\fP or \fImulti-master\fP replication agreement,
270 values, semicolon separated, can appear.
273 part to force a full reload.
275 .BI \-o \ option\fR[ = value\fR]
276 This option provides a generic means to specify options without the need to reserve
277 a separate letter for them.
279 It supports the following options:
282 .BR slp= { on \||\| off \||\| \fIslp-attrs\fP }
283 When SLP support is compiled into slapd, disable it (\fBoff\fP),
284 enable it by registering at SLP DAs without specific SLP attributes (\fBon\fP),
285 or with specific SLP attributes
287 that must be an SLP attribute list definition according to the SLP standard.
289 For example, \fB"slp=(tree=production),(server-type=OpenLDAP),(server\-version=2.4.15)"\fP
290 registers at SLP DAs with the three SLP attributes tree, server-type and server-version
291 that have the values given above.
292 This allows to specifically query the SLP DAs for LDAP servers holding the
294 tree in case multiple trees are available.
299 and have it fork and detach from the terminal and start serving
300 the LDAP databases defined in the default config file, just type:
310 with an alternate configuration file, and turn
311 on voluminous debugging which will be printed on standard error, type:
315 LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
319 To test whether the configuration file is correct or not, type:
323 LIBEXECDIR/slapd \-Tt
330 .BR slapd\-config (5),
331 .BR slapd.access (5),
342 "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
344 See http://www.openldap.org/its/