.TH SLAPD-CONFIG 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2011 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapd-config \- configuration backend to slapd
+slapd\-config \- configuration backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.d
.SH DESCRIPTION
attribute values.
Backend-specific options are discussed in the
-.B slapd-<backend>(5)
+.B slapd\-<backend>(5)
manual pages. Refer to the "OpenLDAP Administrator's Guide" for more
details on configuring slapd.
.SH GLOBAL CONFIGURATION OPTIONS
(subject to access controls, authorization and other administrative limits).
.TP
.B olcArgsFile: <filename>
-The ( absolute ) name of a file that will hold the
+The (absolute) name of a file that will hold the
.B slapd
-server's command line options
-if started without the debugging command line option.
+server's command line (program name and options).
.TP
.B olcAttributeOptions: <option-name>...
Define tagging attribute options or option tag/range prefixes.
-Options must not end with `-', prefixes must end with `-'.
-The `lang-' prefix is predefined.
+Options must not end with `\-', prefixes must end with `\-'.
+The `lang\-' prefix is predefined.
If you use the
.B olcAttributeOptions
-directive, `lang-' will no longer be defined and you must specify it
+directive, `lang\-' will no longer be defined and you must specify it
explicitly if you want it defined.
An attribute description with a tagging option is a subtype of that
attribute description without the option.
Except for that, options defined this way have no special semantics.
-Prefixes defined this way work like the `lang-' options:
+Prefixes defined this way work like the `lang\-' options:
They define a prefix for tagging options starting with the prefix.
-That is, if you define the prefix `x-foo-', you can use the option
-`x-foo-bar'.
+That is, if you define the prefix `x\-foo\-', you can use the option
+`x\-foo\-bar'.
Furthermore, in a search or compare, a prefix or range name (with
-a trailing `-') matches all options starting with that name, as well
-as the option with the range name sans the trailing `-'.
-That is, `x-foo-bar-' matches `x-foo-bar' and `x-foo-bar-baz'.
+a trailing `\-') matches all options starting with that name, as well
+as the option with the range name sans the trailing `\-'.
+That is, `x\-foo\-bar\-' matches `x\-foo\-bar' and `x\-foo\-bar\-baz'.
-RFC 4520 reserves options beginning with `x-' for private experiments.
+RFC 4520 reserves options beginning with `x\-' for private experiments.
Other options should be registered with IANA, see RFC 4520 section 3.5.
OpenLDAP also has the `binary' option built in, but this is a transfer
option, not a tagging option.
.TP
+.B olcAuthIDRewrite: <rewrite\-rule>
+Used by the authentication framework to convert simple user names
+to an LDAP DN used for authorization purposes.
+Its purpose is analogous to that of
+.BR olcAuthzRegexp
+(see below).
+The
+.B rewrite\-rule
+is a set of rules analogous to those described in
+.BR slapo\-rwm (5)
+for data rewriting (after stripping the \fIrwm\-\fP prefix).
+.B olcAuthIDRewrite
+and
+.B olcAuthzRegexp
+should not be intermixed.
+.TP
.B olcAuthzPolicy: <policy>
Used to specify which rules to use for Proxy Authorization. Proxy
authorization allows a client to authenticate to the server using one
will stop listening for new connections, but will not close the
connections to the current clients. Future write operations return
unwilling-to-perform, though. Slapd terminates when all clients
-have closed their connections (if they ever do), or \- as before \-
+have closed their connections (if they ever do), or - as before -
if it receives a SIGTERM signal. This can be useful if you wish to
terminate the server and start a new
.B slapd
.B with another database,
without disrupting the currently active clients.
The default is FALSE. You may wish to use
-.B olcIdletTmeout
+.B olcIdleTimeout
along with this option.
.TP
.B olcIdleTimeout: <integer>
Specify the number of seconds to wait before forcibly closing
an idle client connection. A setting of 0 disables this
-feature. The default is 0.
+feature. The default is 0. You may also want to set the
+.B olcWriteTimeout
+option.
+.TP
+.B olcIndexIntLen: <integer>
+Specify the key length for ordered integer indices. The most significant
+bytes of the binary integer will be used for index keys. The default
+value is 4, which provides exact indexing for 31 bit values.
+A floating point representation is used to index too large values.
.TP
.B olcIndexSubstrIfMaxlen: <integer>
Specify the maximum length for subinitial and subfinal indices. Only
using this filter "cn=*abcdefgh*" would generate index lookups for
"abcd", "cdef", and "efgh".
-Note: Indexing support depends on the particular backend in use.
+.LP
+Note: Indexing support depends on the particular backend in use. Also,
+changing these settings will generally require deleting any indices that
+depend on these parameters and recreating them with
+.BR slapindex (8).
.TP
.B olcLocalSSF: <SSF>
are equivalent.
The keyword
.B any
-can be used as a shortcut to enable logging at all levels (equivalent to -1).
+can be used as a shortcut to enable logging at all levels (equivalent to \-1).
The keyword
.BR none ,
or the equivalent integer representation, causes those messages
provides 31 characters of salt.
.TP
.B olcPidFile: <filename>
-The ( absolute ) name of a file that will hold the
+The (absolute) name of a file that will hold the
.B slapd
-server's process ID ( see
-.BR getpid (2)
-) if started without the debugging command line option.
+server's process ID (see
+.BR getpid (2)).
.TP
.B olcPluginLogFile: <filename>
The ( absolute ) name of a file that will contain log
.B olcReverseLookup: TRUE | FALSE
Enable/disable client name unverified reverse lookup (default is
.BR FALSE
-if compiled with --enable-rlookups).
+if compiled with \-\-enable\-rlookups).
.TP
.B olcRootDSE: <file>
Specify the name of an LDIF(5) file containing user defined attributes
capabilities, in operational attributes.
It has the empty DN, and can be read with e.g.:
.ti +4
-ldapsearch -x -b "" -s base "+"
+ldapsearch \-x \-b "" \-s base "+"
.br
See RFC 4512 section 5.1 for details.
.TP
+.B olcSaslAuxprops: <plugin> [...]
+Specify which auxprop plugins to use for authentication lookups. The
+default is empty, which just uses slapd's internal support. Usually
+no other auxprop plugins are needed.
+.TP
.B olcSaslHost: <fqdn>
Used to specify the fully qualified domain name used for SASL processing.
.TP
size allowed. 0 disables security layers. The default is 65536.
.TP
.B olcServerID: <integer> [<URL>]
-Specify an integer ID from 0 to 4095 for this server. These IDs are
+Specify an integer ID from 0 to 4095 for this server (limited
+to 3 hexadecimal digits). The ID may also be specified as a
+hexadecimal ID by prefixing the value with "0x".
+These IDs are
required when using multimaster replication and each master must have a
-unique ID. If the URL is provided, this directive may be specified
+unique ID. Note that this requirement also applies to separate masters
+contributing to a glued set of databases.
+If the URL is provided, this directive may be specified
multiple times, providing a complete list of participating servers
and their IDs. The fully qualified hostname of each server should be
used in the supplied URLs. The IDs are used in the "replica id" field
Specify the maximum incoming LDAP PDU size for authenticated sessions.
The default is 4194303.
.TP
+.B olcTCPBuffer [listener=<URL>] [{read|write}=]<size>
+Specify the size of the TCP buffer.
+A global value for both read and write TCP buffers related to any listener
+is defined, unless the listener is explicitly specified,
+or either the read or write qualifiers are used.
+See
+.BR tcp (7)
+for details.
+Note that some OS-es implement automatic TCP buffer tuning.
+.TP
.B olcThreads: <integer>
Specify the maximum size of the primary thread pool.
The default is 16; the minimum value is 2.
Specify the maximum number of threads to use in tool mode.
This should not be greater than the number of CPUs in the system.
The default is 1.
-.\"ucdata-path is obsolete / ignored...
-.\".TP
-.\".B ucdata-path <path>
-.\"Specify the path to the directory containing the Unicode character
-.\"tables. The default path is DATADIR/ucdata.
+.TP
+.B olcWriteTimeout: <integer>
+Specify the number of seconds to wait before forcibly closing
+a connection with an outstanding write. This allows recovery from
+various network hang conditions. A setting of 0 disables this
+feature. The default is 0.
.SH TLS OPTIONS
If
.B slapd
To check what ciphers a given spec selects in OpenSSL, use:
.nf
- openssl ciphers -v <cipher-suite-spec>
+ openssl ciphers \-v <cipher-suite-spec>
.fi
To obtain the list of ciphers in GNUtls use:
.nf
- gnutls-cli -l
+ gnutls-cli \-l
.fi
.TP
.B olcTLSCACertificateFile: <filename>
.SH DYNAMIC MODULE OPTIONS
If
.B slapd
-is compiled with --enable-modules then the module-related entries will
+is compiled with \-\-enable\-modules then the module-related entries will
be available. These entries are named
.B cn=module{x},cn=config
and
.B olcModulePath: <pathspec>
Specify a list of directories to search for loadable modules. Typically
the path is colon-separated but this depends on the operating system.
+The default is MODULEDIR, which is where the standard OpenLDAP install
+will place its modules.
.SH SCHEMA OPTIONS
Schema definitions are created as entries in the
.B cn=schema,cn=config
engine generates the "{x}" index in the RDN automatically, so it
can be omitted when initially loading these entries.
-The special frontend database is always numbered "{-1}" and the config
+The special frontend database is always numbered "{\-1}" and the config
database is always numbered "{0}".
.SH GLOBAL DATABASE OPTIONS
.BR olcLimits
for an explanation of the different flags.
.TP
-.B olcSortVals <attr> [...]
+.B olcSortVals
: <attr> [...]
Specify a list of multi-valued attributes whose values will always
be maintained in sorted order. Using this option will allow Modify,
Compare, and filter evaluations on these attributes to be performed
type of backend. All of the Global Database Options may also be
used here.
.TP
+.B olcAddContentAcl: TRUE | FALSE
+Controls whether Add operations will perform ACL checks on
+the content of the entry being added. This check is off
+by default. See the
+.BR slapd.access (5)
+manual page for more details on ACL requirements for
+Add operations.
+.TP
.B olcHidden: TRUE | FALSE
Controls whether the database will be used to answer
queries. A database that is hidden will never be
the entryCSN and entryUUID attributes, which are needed
by the syncrepl provider. By default, olcLastMod is TRUE.
.TP
-.B olcLimits: <who> <limit> [<limit> [...]]
-Specify time and size limits based on who initiated an operation.
+.B olcLimits: <selector> <limit> [<limit> [...]]
+Specify time and size limits based on the operation's initiator or
+base DN.
The argument
-.B who
+.B <selector>
can be any of
.RS
.RS
.TP
-anonymous | users | [
dn[.<style>]=]<pattern> | group[/oc[/at]]=<pattern>
+anonymous | users | [
<dnspec>=]<pattern> | group[/oc[/at]]=<pattern>
.RE
with
.RS
.TP
+<dnspec> ::= dn[.<type>][.<style>]
+.TP
+<type> ::= self | this
+.TP
<style> ::= exact | base | onelevel | subtree | children | regex | anonymous
.RE
+DN type
+.B self
+is the default and means the bound user, while
+.B this
+means the base DN of the operation.
The term
.B anonymous
matches all unauthenticated clients.
The same behavior is obtained by using the
.B anonymous
form of the
-.B who
+.B <selector>
clause.
The term
.BR group ,
to preserve the original behavior.
In case of no match, the global limits are used.
-The default values are the same as
+The default values are the same as for
.B olcSizeLimit
and
.BR olcTimeLimit ;
may also be provided using the
.B olcRootPW
directive. Note that the rootdn is always needed when using syncrepl.
+The
+.B olcRootDN
+of the
+.B cn=config
+database defaults to
+.B cn=config
+itself.
.TP
.B olcRootPW: <password>
Specify a password (or hash of the password) for the rootdn. The
Specify the DN suffix of queries that will be passed to this
backend database. Multiple suffix lines can be given and at least one is
required for each database definition.
+
If the suffix of one database is "inside" that of another, the database
with the inner suffix must come first in the configuration file.
+You may also want to glue such databases together with the
+.B olcSubordinate
+attribute.
+.TP
+.B olcSyncUseSubentry: TRUE | FALSE
+Store the syncrepl contextCSN in a subentry instead of the context entry
+of the database. The subentry's RDN will be "cn=ldapsync". The default is
+FALSE, meaning the contextCSN is stored in the context entry.
.HP
.hy 0
.B olcSyncrepl: rid=<replica ID>
.B [sizelimit=<limit>]
.B [timelimit=<limit>]
.B [schemachecking=on|off]
+.B [network\-timeout=<seconds>]
+.B [timeout=<seconds>]
.B [bindmethod=simple|sasl]
.B [binddn=<dn>]
.B [saslmech=<mech>]
.B [credentials=<passwd>]
.B [realm=<realm>]
.B [secprops=<properties>]
+.B [keepalive=<idle>:<probes>:<interval>]
.B [starttls=yes|critical]
.B [tls_cert=<file>]
.B [tls_key=<file>]
.B [tls_reqcert=never|allow|try|demand]
.B [tls_ciphersuite=<ciphers>]
.B [tls_crlcheck=none|peer|all]
+.B [suffixmassage=<real DN>]
.B [logbase=<base DN>]
.B [logfilter=<filter str>]
.B [syncdata=default|accesslog|changelog]
identifies the current
.B syncrepl
directive within the replication consumer site.
-It is a non-negative integer having no more than three digits.
+It is a non-negative integer having no more than three decimal digits.
.B provider
specifies the replication provider site containing the master content
.B schemachecking
parameter. The default is off.
+The
+.B network\-timeout
+parameter sets how long the consumer will wait to establish a
+network connection to the provider. Once a connection is
+established, the
+.B timeout
+parameter determines how long the consumer will wait for the initial
+Bind request to complete. The defaults for these parameters come
+from
+.BR ldap.conf (5).
+
A
.B bindmethod
of
.B authzid
parameter may be used to specify an authorization identity.
Specific security properties (as with the
-.B sasl-secprops
+.B sasl\-secprops
keyword above) for a SASL bind can be set with the
.B secprops
option. A non default SASL realm can be set with the
that is being replicated (\fBaccess\fP directive), and appropriate time
and size limits (\fBlimits\fP directive).
+The
+.B keepalive
+parameter sets the values of \fIidle\fP, \fIprobes\fP, and \fIinterval\fP
+used to check whether a socket is alive;
+.I idle
+is the number of seconds a connection needs to remain idle before TCP
+starts sending keepalive probes;
+.I probes
+is the maximum number of keepalive probes TCP should send before dropping
+the connection;
+.I interval
+is interval in seconds between individual keepalive probes.
+Only some systems support the customization of these values;
+the
+.B keepalive
+parameter is ignored otherwise, and system-wide settings are used.
The
.B starttls
tls_reqcert setting defaults to "demand" and the other TLS settings
default to the same as the main slapd TLS settings.
+The
+.B suffixmassage
+parameter allows the consumer to pull entries from a remote directory
+whose DN suffix differs from the local directory. The portion of the
+remote entries' DNs that matches the \fIsearchbase\fP will be replaced
+with the suffixmassage DN.
+
Rather than replicating whole entries, the consumer can query logs of
data modifications. This mode of operation is referred to as \fIdelta
syncrepl\fP. In addition to the above parameters, the
parameters must be set appropriately for the log that will be used. The
.B syncdata
parameter must be set to either "accesslog" if the log conforms to the
-.BR slapo-accesslog (5)
+.BR slapo\-accesslog (5)
log format, or "changelog" if the log conforms
to the obsolete \fIchangelog\fP format. If the
.B syncdata
objectClass: olcGlobal
cn: config
olcPidFile: LOCALSTATEDIR/run/slapd.pid
-olcAttributeOptions: x-hidden lang-
+olcAttributeOptions: x\-hidden lang\-
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
# Subtypes of "name" (e.g. "cn" and "ou") with the
-# option ";x-hidden" can be searched for/compared,
+# option ";x\-hidden" can be searched for/compared,
# but are not shown. See \fBslapd.access\fP(5).
-olcAccess: to attrs=name;x-hidden by * =cs
+olcAccess: to attrs=name;x\-hidden by * =cs
# Protect passwords. See \fBslapd.access\fP(5).
olcAccess: to attrs=userPassword by * auth
# Read access to other attributes and entries.
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: bdb
-olcSuffix: "dc=our-domain,dc=com"
+olcSuffix: "dc=our\-domain,dc=com"
# The database directory MUST exist prior to
# running slapd AND should only be accessible
# by the slapd/tools. Mode 0700 recommended.
-olcDbDirectory: LOCALSTATEDIR/openldap-data
+olcDbDirectory: LOCALSTATEDIR/openldap\-data
# Indices to maintain
olcDbIndex: objectClass eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
objectClass: olcLdapConfig
olcDatabase: ldap
olcSuffix: ""
-olcDbUri: ldap://ldap.some-server.com/
+olcDbUri: ldap://ldap.some\-server.com/
.fi
.RE
.LP
the configuration:
.RS
.nf
-slapadd -F ETCDIR/slapd.d -n 0 -l config.ldif
+slapadd \-F ETCDIR/slapd.d \-n 0 \-l config.ldif
.fi
.RE
format using slapd or any of the slap tools:
.RS
.nf
-slaptest -f ETCDIR/slapd.conf -F ETCDIR/slapd.d
+slaptest \-f ETCDIR/slapd.conf \-F ETCDIR/slapd.d
.fi
.RE
projects / openldap / blobdiff