1 .TH SLAPD 8C "RELEASEDATE" "OpenLDAP LDVERSION"
2 .\" Copyright 1998-2012 The OpenLDAP Foundation All Rights Reserved.
3 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
6 slapd \- Stand-alone LDAP Daemon
12 .BR \-T \ { acl \||\| a [ dd ]\||\| auth \||\| c [ at ]\||\|
13 .BR d [ n ]\||\| i [ ndex ]\||\| p [ asswd ]\||\| s [ chema ]\||\| t [ est ]}]
15 .BI \-d \ debug-level\fR]
17 .BI \-f \ slapd-config-file\fR]
19 .BI \-F \ slapd-config-directory\fR]
23 .BI \-n \ service-name\fR]
25 .BI \-s \ syslog-level\fR]
27 .BI \-l \ syslog-local-user\fR]
29 .BI \-o \ option\fR[ = value\fR]]
31 .BI \-r \ directory\fR]
41 is the stand-alone LDAP daemon. It listens for LDAP connections on
42 any number of ports (default \fB389\fP), responding
43 to the LDAP operations it receives over these connections.
45 is typically invoked at boot time, usually out of
49 normally forks and disassociates itself from the invoking tty.
50 If configured in the config file (or config directory),
53 process will print its process ID (see
57 file, as well as the command line options during invocation to an
63 flag is given, even with a zero argument,
65 will not fork and disassociate from the invoking tty.
67 See the "OpenLDAP Administrator's Guide" for more details on
72 Listen on IPv4 addresses only.
75 Listen on IPv6 addresses only.
78 Run in Tool mode. The \fItool\fP argument selects whether to run as
87 (\fIslapacl\fP and \fIslapauth\fP need the entire \fBacl\fP and \fBauth\fP
88 option value to be spelled out, as \fBa\fP is reserved to
90 This option should be the first option specified when it is used;
91 any remaining options will be interpreted by the corresponding
92 slap tool program, according to the respective man pages.
93 Note that these tool programs will usually be symbolic links to
95 This option is provided for situations where symbolic links
96 are not provided or not usable.
99 Turn on debugging as defined by
101 If this option is specified, even with a zero argument,
103 will not fork or disassociate from the invoking terminal. Some general
104 operation and status messages are printed for any value of \fIdebug-level\fP.
105 \fIdebug-level\fP is taken as a bit string, with each bit corresponding to a
106 different kind of debugging information. See <ldap_log.h> for details.
107 Comma-separated arrays of friendly names can be specified to select
108 debugging output of the corresponding debugging information.
109 All the names recognized by the \fIloglevel\fP directive
110 described in \fBslapd.conf\fP(5) are supported.
111 If \fIdebug-level\fP is \fB?\fP, a list of installed debug-levels is printed,
114 Remember that if you turn on packet logging, packets containing bind passwords
115 will be output, so if you redirect the log to a logfile, that file should
118 .BI \-s \ syslog-level
121 at what debug-level debugging statements should be logged to the
124 The value \fIsyslog-level\fP can be set to any value or combination
125 allowed by the \fB\-d\fP switch.
126 Slapd logs all messages selected by \fIsyslog-leveli\fP
129 severity debug-level \fBDEBUG\fP,
130 on the unit specified with \fB\-l\fP.
132 .BI \-n \ service-name
133 Specifies the service name for logging and other purposes. Defaults
134 to basename of argv[0], i.e.: "slapd".
136 .BI \-l \ syslog-local-user
137 Selects the local user of the
139 facility. Value can be
149 However, this option is only permitted on systems that support
153 Logging to syslog(8) occurs at the "DEBUG" severity debug-level.
155 .BI \-f \ slapd-config-file
156 Specifies the slapd configuration file. The default is
157 .BR ETCDIR/slapd.conf .
159 .BI \-F \ slapd-config-directory
160 Specifies the slapd configuration directory. The default is
166 are specified, the config file will be read and converted to
167 config directory format and written to the specified directory.
168 If neither option is specified, slapd will attempt to read the
169 default config directory before trying to use the default
170 config file. If a valid config directory exists then the
171 default config file is ignored. All of the slap tools that
172 use the config options observe this same behavior.
176 will by default serve
178 (LDAP over TCP on all interfaces on default LDAP port). That is,
179 it will bind using INADDR_ANY and port \fB389\fP.
182 option may be used to specify LDAP (and other scheme) URLs to serve.
183 For example, if slapd is given
184 .BR "\-h \(dqldap://127.0.0.1:9009/ ldaps:/// ldapi:///\(dq" ,
185 it will listen on 127.0.0.1:9009 for LDAP, 0.0.0.0:636 for LDAP over TLS,
186 and LDAP over IPC (Unix domain sockets). Host 0.0.0.0 represents
187 INADDR_ANY (any interface).
188 A space separated list of URLs is expected. The URLs should be of
189 the LDAP, LDAPS, or LDAPI schemes, and generally
190 without a DN or other optional parameters (excepting as discussed below).
191 Support for the latter two schemes depends on selected configuration
192 options. Hosts may be specified by name or IPv4 and IPv6 address formats.
193 Ports, if specified, must be numeric. The default ldap:// port is \fB389\fP
194 and the default ldaps:// port is \fB636\fP.
198 is the name of the socket, and no
200 is required, nor allowed; note that directory separators must be
201 URL-encoded, like any other characters that are special to URLs;
208 ldapi://%2Fusr%2Flocal%2Fvar%2Fldapi
210 The default location for the IPC socket is LOCALSTATEDIR/run/ldapi
212 The listener permissions are indicated by
213 "x\-mod=\-rwxrwxrwx", "x\-mod=0777" or "x\-mod=777", where any
214 of the "rwx" can be "\-" to suppress the related permission, while any
215 of the "7" can be any legal octal digit, according to chmod(1).
216 The listeners can take advantage of the "x\-mod"
217 extension to apply rough limitations to operations, e.g. allow read operations
218 ("r", which applies to search and compare), write operations ("w",
219 which applies to add, delete, modify and modrdn), and execute operations
220 ("x", which means bind is required).
221 "User" permissions apply to authenticated users, while "other" apply
222 to anonymous users; "group" permissions are ignored.
223 For example, "ldap:///????x\-mod=\-rw\-\-\-\-\-\-\-" means that read and write is only allowed
224 for authenticated connections, and bind is required for all operations.
225 This feature is experimental, and requires to be manually enabled
229 Specifies a directory to become the root directory. slapd will
230 change the current working directory to this directory and
233 to this directory. This is done after opening listeners but before
234 reading any configuration file or initializing any backend. When
235 used as a security mechanism, it should be used in conjunction with
243 will run slapd with the specified user name or id, and that user's
244 supplementary group access list as set with initgroups(3). The group ID
245 is also changed to this user's gid, unless the \fB\-g\fP option is used to
246 override. Note when used with
248 slapd will use the user database in the change root environment.
250 Note that on some systems, running as a non-privileged user will prevent
251 passwd back-ends from accessing the encrypted passwords. Note also that
252 any shell back-ends will run as the specified non-privileged user.
256 will run with the specified group name or id. Note when used with
258 slapd will use the group database in the change root environment.
261 This option provides a cookie for the syncrepl replication consumer.
262 The cookie is a comma separated list of \fIname=value\fP pairs.
263 Currently supported syncrepl cookie fields are
269 identifies a replication thread within the consumer server
270 and is used to find the syncrepl specification in
273 .BR slapd\-config (5)
274 having the matching replication identifier in its definition. The
276 must be provided in order for any other specified values to be used.
278 is the server id in a multi-master/mirror-mode configuration.
280 is the commit sequence number received by a previous synchronization
281 and represents the state of the consumer replica content which the
282 syncrepl engine will synchronize to the current provider content.
283 In case of \fImirror-mode\fP or \fImulti-master\fP replication agreement,
286 values, semicolon separated, can appear.
289 part to force a full reload.
291 .BI \-o \ option\fR[ = value\fR]
292 This option provides a generic means to specify options without the need to reserve
293 a separate letter for them.
295 It supports the following options:
298 .BR slp= { on \||\| off \||\| \fIslp-attrs\fP }
299 When SLP support is compiled into slapd, disable it (\fBoff\fP),
300 enable it by registering at SLP DAs without specific SLP attributes (\fBon\fP),
301 or with specific SLP attributes
303 that must be an SLP attribute list definition according to the SLP standard.
305 For example, \fB"slp=(tree=production),(server-type=OpenLDAP),(server\-version=2.4.15)"\fP
306 registers at SLP DAs with the three SLP attributes tree, server-type and server-version
307 that have the values given above.
308 This allows to specifically query the SLP DAs for LDAP servers holding the
310 tree in case multiple trees are available.
315 and have it fork and detach from the terminal and start serving
316 the LDAP databases defined in the default config file, just type:
326 with an alternate configuration file, and turn
327 on voluminous debugging which will be printed on standard error, type:
331 LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
335 To test whether the configuration file is correct or not, type:
339 LIBEXECDIR/slapd \-Tt
346 .BR slapd\-config (5),
347 .BR slapd.access (5),
358 "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
360 See http://www.openldap.org/its/