.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapd-config \- configuration backend
+slapd-config \- configuration backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.d
.SH DESCRIPTION
root entry are used to carry various other settings:
.RS
.TP
-.B cn=Include
-old-style include files
-.TP
.B cn=Module
dynamically loaded modules
.TP
database-specific settings
.RE
-The
-.B cn=Include
-entries will only appear in configurations that were
-converted from slapd.conf format. There can be multiple entries, one
-for each included file. These entries only serve as placeholders to
-document the fact that files were previously included. After those
-files have been read and parsed, their content is merged into the
-main configuration and then the include files are ignored thereafter.
-These entries may form an arbitrarily deep subtree, reflecting any
-nesting of the original include files.
-
The
.B cn=Module
entries will only appear in configurations where slapd
.B with another database,
without disrupting the currently active clients.
The default is FALSE. You may wish to use
-.B olcIdletTmeout
+.B olcIdleTimeout
along with this option.
.TP
.B olcIdleTimeout: <integer>
an idle client connection. A setting of 0 disables this
feature. The default is 0.
.TP
+.B olcIndexIntLen: <integer>
+Specify the key length for ordered integer indices. The most significant
+bytes of the binary integer will be used for index keys. The default
+value is 4, which provides exact indexing for 31 bit values.
+A floating point representation is used to index too large values.
+.TP
.B olcIndexSubstrIfMaxlen: <integer>
Specify the maximum length for subinitial and subfinal indices. Only
this many characters of an attribute value will be processed by the
using this filter "cn=*abcdefgh*" would generate index lookups for
"abcd", "cdef", and "efgh".
+.LP
+Note: Indexing support depends on the particular backend in use. Also,
+changing these settings will generally require deleting any indices that
+depend on these parameters and recreating them with
+.BR slapindex (8).
+
.TP
.B olcLocalSSF: <SSF>
Specifies the Security Strength Factor (SSF) to be given local LDAP sessions,
.B minssf
option description. The default is 71.
.TP
+.B olcLogFile: <filename>
+Specify a file for recording debug log messages. By default these messages
+only go to stderr and are not recorded anywhere else. Specifying a logfile
+copies messages to both stderr and the logfile.
+.TP
.B olcLogLevel: <integer> [...]
Specify the level at which debugging statements and operation
statistics should be syslogged (currently logged to the
They must be considered subsystems rather than increasingly verbose
log levels.
Some messages with higher priority are logged regardless
-of the configured loglevel as soon as some logging is configured,
-otherwise anything is logged at all.
+of the configured loglevel as soon as any logging is configured.
Log levels are additive, and available levels are:
.RS
.RS
8 random characters of salt. The default is "%s", which
provides 31 characters of salt.
.TP
-.B olcPasswordHash: <hash> [<hash>...]
-This option configures one or more hashes to be used in generation of user
-passwords stored in the userPassword attribute during processing of
-LDAP Password Modify Extended Operations (RFC 3062).
-The <hash> must be one of
-.BR {SSHA} ,
-.BR {SHA} ,
-.BR {SMD5} ,
-.BR {MD5} ,
-.BR {CRYPT} ,
-and
-.BR {CLEARTEXT} .
-The default is
-.BR {SSHA} .
-
-.B {SHA}
-and
-.B {SSHA}
-use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.
-
-.B {MD5}
-and
-.B {SMD5}
-use the MD5 algorithm (RFC 1321), the latter with a seed.
-
-.B {CRYPT}
-uses the
-.BR crypt (3).
-
-.B {CLEARTEXT}
-indicates that the new password should be
-added to userPassword as clear text.
-
-Note that this option does not alter the normal user applications
-handling of userPassword during LDAP Add, Modify, or other LDAP operations.
-.TP
.B olcPidFile: <filename>
The ( absolute ) name of a file that will hold the
.B slapd
.BR slapd (8)
cannot find a local database to handle a request.
If multiple values are specified, each url is provided.
-.\" slurpd-related keywords are all deprecated
-.\".TP
-.\".B replica-argsfile
-.\"The ( absolute ) name of a file that will hold the
-.\".B slurpd
-.\"server's command line options
-.\"if started without the debugging command line option.
-.\"If it appears after a
-.\".B replogfile
-.\"directive, the args file is specific to the
-.\".BR slurpd (8)
-.\"instance that handles that replication log.
-.\".TP
-.\".B replica-pidfile
-.\"The ( absolute ) name of a file that will hold the
-.\".B slurpd
-.\"server's process ID ( see
-.\".BR getpid (2)
-.\") if started without the debugging command line option.
-.\"If it appears after a
-.\".B replogfile
-.\"directive, the pid file is specific to the
-.\".BR slurpd (8)
-.\"instance that handles that replication log.
-.\".TP
-.\".B replicationinterval
-.\"The number of seconds
-.\".B slurpd
-.\"waits before checking the replogfile for changes.
-.\"If it appears after a
-.\".B replogfile
-.\"directive, the replication interval is specific to the
-.\".BR slurpd (8)
-.\"instance that handles that replication log.
.TP
.B olcReverseLookup: TRUE | FALSE
Enable/disable client name unverified reverse lookup (default is
Specify the name of an LDIF(5) file containing user defined attributes
for the root DSE. These attributes are returned in addition to the
attributes normally produced by slapd.
+
+The root DSE is an entry with information about the server and its
+capabilities, in operational attributes.
+It has the empty DN, and can be read with e.g.:
+.ti +4
+ldapsearch -x -b "" -s base "+"
+.br
+See RFC 4512 section 5.1 for details.
.TP
.B olcSaslHost: <fqdn>
Used to specify the fully qualified domain name used for SASL processing.
property specifies the maximum security layer receive buffer
size allowed. 0 disables security layers. The default is 65536.
.TP
+.B olcServerID: <integer> [<URL>]
+Specify an integer ID from 0 to 4095 for this server. These IDs are
+required when using multimaster replication and each master must have a
+unique ID. If the URL is provided, this directive may be specified
+multiple times, providing a complete list of participating servers
+and their IDs. The fully qualified hostname of each server should be
+used in the supplied URLs. The IDs are used in the "replica id" field
+of all CSNs generated by the specified server. The default value is zero.
+Example:
+.LP
+.nf
+ olcServerID: 1 ldap://ldap1.example.com
+ olcServerID: 2 ldap://ldap2.example.com
+.fi
+.TP
.B olcSockbufMaxIncoming: <integer>
Specify the maximum incoming LDAP PDU size for anonymous sessions.
The default is 262143.
olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
-To check what ciphers a given spec selects, use:
+To check what ciphers a given spec selects in OpenSSL, use:
+
+.nf
+ openssl ciphers -v <cipher-suite-spec>
+.fi
-openssl ciphers -v <cipher-suite-spec>
+To obtain the list of ciphers in GNUtls use:
+
+.nf
+ gnutls-cli -l
+.fi
.TP
.B olcTLSCACertificateFile: <filename>
Specifies the file that contains certificates for all of the Certificate
Specifies the path of a directory that contains Certificate Authority
certificates in separate individual files. Usually only one of this
or the olcTLSCACertificateFile is defined. If both are specified, both
-locations will be used.
+locations will be used. This directive is not supported
+when using GNUtls.
.TP
.B olcTLSCertificateFile: <filename>
Specifies the file that contains the
Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
You should append "!ADH" to your cipher suites if you have changed them
from the default, otherwise no certificate exchanges or verification will
-be done.
+be done. When using GNUtls these parameters are always generated randomly
+so this directive is ignored.
.TP
.B olcTLSRandFile: <filename>
Specifies the file to obtain random bits from when /dev/[u]random
is not available. Generally set to the name of the EGD/PRNGD socket.
The environment variable RANDFILE can also be used to specify the filename.
+This directive is ignored with GNUtls.
.TP
.B olcTLSVerifyClient: <level>
Specifies what checks to perform on client certificates in an
used to verify if the client certificates have not been revoked. This
requires
.B olcTLSCACertificatePath
-parameter to be set.
+parameter to be set. This parameter is ignored with GNUtls.
.B <level>
can be specified as one of the following keywords:
.RS
.B all
Check the CRL for a whole certificate chain
.RE
+.TP
+.B olcTLSCRLFile: <filename>
+Specifies a file containing a Certificate Revocation List to be used
+for verifying that certificates have not been revoked. This parameter
+is only valid when using GNUtls.
.SH DYNAMIC MODULE OPTIONS
If
.B slapd
Base scoped search requests with an empty base DN are not affected.
This setting is only allowed in the frontend entry.
.TP
+.B olcPasswordHash: <hash> [<hash>...]
+This option configures one or more hashes to be used in generation of user
+passwords stored in the userPassword attribute during processing of
+LDAP Password Modify Extended Operations (RFC 3062).
+The <hash> must be one of
+.BR {SSHA} ,
+.BR {SHA} ,
+.BR {SMD5} ,
+.BR {MD5} ,
+.BR {CRYPT} ,
+and
+.BR {CLEARTEXT} .
+The default is
+.BR {SSHA} .
+
+.B {SHA}
+and
+.B {SSHA}
+use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.
+
+.B {MD5}
+and
+.B {SMD5}
+use the MD5 algorithm (RFC 1321), the latter with a seed.
+
+.B {CRYPT}
+uses the
+.BR crypt (3).
+
+.B {CLEARTEXT}
+indicates that the new password should be
+added to userPassword as clear text.
+
+Note that this option does not alter the normal user applications
+handling of userPassword during LDAP Add, Modify, or other LDAP operations.
+This setting is only allowed in the frontend entry.
+.TP
.B olcReadOnly: TRUE | FALSE
This option puts the database into "read-only" mode. Any attempts to
modify the database will return an "unwilling to perform" error. By
.BR olcLimits
for an explanation of the different flags.
.TP
+.B olcSortVals <attr> [...]
+Specify a list of multi-valued attributes whose values will always
+be maintained in sorted order. Using this option will allow Modify,
+Compare, and filter evaluations on these attributes to be performed
+more efficiently. The resulting sort order depends on the
+attributes' syntax and matching rules and may not correspond to
+lexical order or any other recognizable order.
+This setting is only allowed in the frontend entry.
+.TP
.B olcTimeLimit: {<integer>|unlimited}
.TP
.B olcTimeLimit: time[.{soft|hard}]=<integer> [...]
type of backend. All of the Global Database Options may also be
used here.
.TP
+.B olcHidden: TRUE | FALSE
+Controls whether the database will be used to answer
+queries. A database that is hidden will never be
+selected to answer any queries, and any suffix configured
+on the database will be ignored in checks for conflicts
+with other databases. By default, olcHidden is FALSE.
+.TP
.B olcLastMod: TRUE | FALSE
Controls whether
.B slapd
.TP
.B olcMaxDerefDepth: <depth>
Specifies the maximum number of aliases to dereference when trying to
-resolve an entry, used to avoid infinite alias loops. The default is 1.
+resolve an entry, used to avoid infinite alias loops. The default is 15.
.TP
.B olcMirrorMode: TRUE | FALSE
This option puts a replica database into "mirror" mode. Update
operations will be accepted from any user, not just the updatedn. The
database must already be configured as syncrepl consumer
-before this keyword may be set. This mode must be used with extreme
-care, as it does not offer any consistency guarantees. This feature
-is intended to be used with an external frontend that guarantees that
-writes are only directed to a single master, switching to an alternate
-server only if the original master goes down.
+before this keyword may be set. This mode also requires a
+.B olcServerID
+(see above) to be configured.
By default, this setting is FALSE.
.TP
.B olcPlugin: <plugin_type> <lib_path> <init_function> [<arguments>]
Configure a SLAPI plugin. See the
.BR slapd.plugin (5)
manpage for more details.
-.\".HP
-.\".hy 0
-.\".B replica uri=ldap[s]://<hostname>[:port]|host=<hostname>[:port]
-.\".B [starttls=yes|critical]
-.\".B [suffix=<suffix> [...]]
-.\".B bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
-.\".B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
-.\".B [authcId=<authentication ID>] [authzId=<authorization ID>]
-.\".B [attrs[!]=<attr list>]
-.\".RS
-.\"Specify a replication site for this database. Refer to the "OpenLDAP
-.\"Administrator's Guide" for detailed information on setting up a replicated
-.\".B slapd
-.\"directory service. Zero or more
-.\".B suffix
-.\"instances can be used to select the subtrees that will be replicated
-.\"(defaults to all the database).
-.\".B host
-.\"is deprecated in favor of the
-.\".B uri
-.\"option.
-.\".B uri
-.\"allows the replica LDAP server to be specified as an LDAP URI.
-.\"A
-.\".B bindmethod
-.\"of
-.\".B simple
-.\"requires the options
-.\".B binddn
-.\"and
-.\".B credentials
-.\"and should only be used when adequate security services
-.\"(e.g TLS or IPSEC) are in place. A
-.\".B bindmethod
-.\"of
-.\".B sasl
-.\"requires the option
-.\".B saslmech.
-.\"Specific security properties (as with the
-.\".B sasl-secprops
-.\"keyword above) for a SASL bind can be set with the
-.\".B secprops
-.\"option. A non-default SASL realm can be set with the
-.\".B realm
-.\"option.
-.\"If the
-.\".B mechanism
-.\"will use Kerberos, a kerberos instance should be given in
-.\".B authcId.
-.\"An
-.\".B attr list
-.\"can be given after the
-.\".B attrs
-.\"keyword to allow the selective replication of the listed attributes only;
-.\"if the optional
-.\".B !
-.\"mark is used, the list is considered exclusive, i.e. the listed attributes
-.\"are not replicated.
-.\"If an objectClass is listed, all the related attributes
-.\"are (are not) replicated.
-.\".RE
-.\".TP
-.\".B replogfile <filename>
-.\"Specify the name of the replication log file to log changes to.
-.\"The replication log is typically written by
-.\".BR slapd (8)
-.\"and read by
-.\".BR slurpd (8).
-.\"See
-.\".BR slapd.replog (5)
-.\"for more information. The specified file should be located
-.\"in a directory with limited read/write/execute access as the replication
-.\"logs may contain sensitive information.
.TP
.B olcRootDN: <dn>
Specify the distinguished name that is not subject to access control
This option is only applicable in a slave
database.
It specifies the DN permitted to update (subject to access controls)
-the replica (typically, this is the DN
-.BR slurpd (8)
-binds to update the replica). Generally, this DN
+the replica. It is only needed in certain push-mode
+replication scenarios. Generally, this DN
.I should not
be the same as the
.B rootdn
.BR slapdn (8),
.BR slapindex (8),
.BR slappasswd (8),
-.BR slaptest (8),
-.BR slurpd (8).
+.BR slaptest (8).
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
.SH ACKNOWLEDGEMENTS
projects / openldap / blobdiff