# $OpenLDAP$
-# Copyright 1999-2015 The OpenLDAP Foundation, All Rights Reserved.
+# Copyright 1999-2017 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: The slapd Configuration File
> sizelimit 500
-See the {{SECT:Limits}} section of this guide and slapd.conf(5)
+See the {{SECT:Limits}} section of this guide and {{slapd.conf}}(5)
for more details.
H4: timelimit <integer>
> timelimit 3600
-See the {{SECT:Limits}} section of this guide and slapd.conf(5)
+See the {{SECT:Limits}} section of this guide and {{slapd.conf}}(5)
for more details.
declaration.
-H4: limits <who> <limit> [<limit> [...]]
+H4: limits <selector> <limit> [<limit> [...]]
-Specify time and size limits based on who initiated an operation.
+Specify time and size limits based on the operation's initiator or base
+DN.
-See the {{SECT:Limits}} section of this guide and slapd.conf(5)
+See the {{SECT:Limits}} section of this guide and {{slapd.conf}}(5)
for more details.
> syncrepl rid=<replica ID>
> provider=ldap[s]://<hostname>[:port]
+> searchbase=<base DN>
> [type=refreshOnly|refreshAndPersist]
> [interval=dd:hh:mm:ss]
> [retry=[<retry interval> <# of retries>]+]
-> searchbase=<base DN>
> [filter=<filter str>]
> [scope=sub|one|base]
> [attrs=<attr list>]
+> [exattrs=<attr list>]
> [attrsonly]
> [sizelimit=<limit>]
> [timelimit=<limit>]
> [schemachecking=on|off]
+> [network-timeout=<seconds>]
+> [timeout=<seconds>]
> [bindmethod=simple|sasl]
> [binddn=<DN>]
> [saslmech=<mech>]
> [credentials=<passwd>]
> [realm=<realm>]
> [secprops=<properties>]
+> [keepalive=<idle>:<probes>:<interval>]
> [starttls=yes|critical]
> [tls_cert=<file>]
> [tls_key=<file>]
> [tls_cacert=<file>]
> [tls_cacertdir=<path>]
> [tls_reqcert=never|allow|try|demand]
-> [tls_ciphersuite=<ciphers>]
+> [tls_cipher_suite=<ciphers>]
> [tls_crlcheck=none|peer|all]
+> [tls_protocol_min=<major>[.<minor>]]
+> [suffixmassage=<real DN>]
> [logbase=<base DN>]
> [logfilter=<filter str>]
> [syncdata=default|accesslog|changelog]
specification as its result set. The consumer slapd will
send search requests to the provider slapd according to the search
specification. The search specification includes {{EX:searchbase}},
-{{EX:scope}}, {{EX:filter}}, {{EX:attrs}}, {{EX:attrsonly}},
+{{EX:scope}}, {{EX:filter}}, {{EX:attrs}}, {{EX:exattrs}}, {{EX:attrsonly}},
{{EX:sizelimit}}, and {{EX:timelimit}} parameters as in the normal
search specification. The {{EX:searchbase}} parameter has no
default value and must always be specified. The {{EX:scope}} defaults
{{EX:attrs}} defaults to {{EX:"*,+"}} to replicate all user and operational
attributes, and {{EX:attrsonly}} is unset by default. Both {{EX:sizelimit}}
and {{EX:timelimit}} default to "unlimited", and only positive integers
-or "unlimited" may be specified.
+or "unlimited" may be specified. The {{EX:exattrs}} option may also be used
+to specify attributes that should be omitted from incoming entries.
The {{TERM[expand]LDAP Sync}} protocol has two operation
types: {{EX:refreshOnly}} and {{EX:refreshAndPersist}}.
If it is turned off, entries will be stored without checking
schema conformance. The default is off.
+The {{EX:network-timeout}} parameter sets how long the consumer will
+wait to establish a network connection to the provider. Once a
+connection is established, the {{EX:timeout}} parameter determines how
+long the consumer will wait for the initial Bind request to complete. The
+defaults for these parameters come from {{ldap.conf}}(5).
+
The {{EX:binddn}} parameter gives the DN to bind as for the
syncrepl searches to the provider slapd. It should be a DN
which has read access to the replication content in the
mechanisms authenticate the identity within. The {{EX:secprops}}
parameter specifies Cyrus SASL security properties.
+The {{EX:keepalive} parameter sets the values of idle, probes, and interval
+used to check whether a socket is alive; idle is the number of seconds a
+connection needs to remain idle before TCP starts sending keepalive probes;
+probes is the maximum number of keepalive probes TCP should send before
+dropping the connection; interval is interval in seconds between individual
+keepalive probes. Only some systems support the customization of these
+values; the keepalive parameter is ignored otherwise, and system-wide
+settings are used. For example, keepalive="240:10:30" will send a keepalive
+probe 10 times, every 30 seconds, after 240 seconds of idle activity. If
+no response to the probes is received, the connection will be dropped.
+
The {{EX:starttls}} parameter specifies use of the StartTLS extended
operation to establish a TLS session before authenticating to the provider.
If the {{EX:critical}} argument is supplied, the session will be aborted
if the StartTLS request fails. Otherwise the syncrepl session continues
-without TLS. Note that the main slapd TLS settings are not used by the
-syncrepl engine; by default the TLS parameters from a {{ldap.conf}}(5)
-configuration file will be used. TLS settings may be specified here,
-in which case any {{ldap.conf}}(5) settings will be completely ignored.
+without TLS. The tls_reqcert setting defaults to {{EX:"demand"}} and the
+other TLS settings default to the same as the main slapd TLS settings.
+
+The {{EX:suffixmassage}} parameter allows the consumer to pull entries
+from a remote directory whose DN suffix differs from the local directory.
+The portion of the remote entries' DNs that matches the searchbase will
+be replaced with the suffixmassage DN.
Rather than replicating whole entries, the consumer can query logs
of data modifications. This mode of operation is referred to as
projects / openldap / blobdiff