.TH SLAPD-CONFIG 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2014 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2017 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
to any overlays configured on the database. The olcDatabase and
olcOverlay entries may also have miscellaneous child entries for
other settings as needed. There are two special database entries
-that are predefined - one is an entry for the config database itself,
+that are predefined \- one is an entry for the config database itself,
and the other is for the "frontend" database. Settings in the
frontend database are inherited by the other databases, unless
they are explicitly overridden in a specific database.
will stop listening for new connections, but will not close the
connections to the current clients. Future write operations return
unwilling-to-perform, though. Slapd terminates when all clients
-have closed their connections (if they ever do), or - as before -
+have closed their connections (if they ever do), or \- as before \-
if it receives a SIGTERM signal. This can be useful if you wish to
terminate the server and start a new
.B slapd
.nf
olcTLSCertificateFile: my hardware device:Server-Cert
.fi
-Use certutil -L to list the certificates by name:
+Use certutil \-L to list the certificates by name:
.nf
- certutil -d /path/to/certdbdir -L
+ certutil \-d /path/to/certdbdir \-L
.fi
.TP
.B olcTLSCertificateKeyFile: <filename>
specifes /etc/openldap/certdb as the location of the cert/key database, use
modutil to change the password to the empty string:
.nf
- modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'
+ modutil \-dbdir /etc/openldap/certdb \-changepw 'NSS Certificate DB'
.fi
You must have the old password, if any. Ignore the WARNING about the running
browser. Press 'Enter' for the new password.
.B olcTLSDHParamFile: <filename>
This directive specifies the file that contains parameters for Diffie-Hellman
ephemeral key exchange. This is required in order to use a DSA certificate on
-the server. If multiple sets of parameters are present in the file, all of
-them will be processed. Note that setting this option may also enable
+the server, or an RSA certificate missing the "key encipherment" key usage.
+Note that setting this option may also enable
Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
-You should append "!ADH" to your cipher suites if you have changed them
-from the default, otherwise no certificate exchanges or verification will
-be done. When using GnuTLS or Mozilla NSS these parameters are always generated randomly
+Anonymous key exchanges should generally be avoided since they provide no
+actual client or server authentication and provide no protection against
+man-in-the-middle attacks.
+You should append "!ADH" to your cipher suites to ensure that these suites
+are not used.
+When using Mozilla NSS these parameters are always generated randomly
so this directive is ignored.
.TP
.B olcTLSProtocolMin: <major>[.<minor>]
(see above).
The
.B extended
-keyword allows to indicate the OID of the specific operation
+keyword allows one to indicate the OID of the specific operation
to be restricted.
.TP
.B olcSchemaDN: <dn>
indicates that no limit is applied to the pagedResults control page size.
The syntax
.B size.prtotal={<integer>|unlimited|disabled}
-allows to set a limit on the total number of entries that a pagedResults
-control allows to return.
+allows one to set a limit on the total number of entries that the pagedResults
+control will return.
By default it is set to the
.B hard
limit.
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
-.B [tls_ciphersuite=<ciphers>]
+.B [tls_cipher_suite=<ciphers>]
.B [tls_crlcheck=none|peer|all]
.B [tls_protocol_min=<major>[.<minor>]]
.B [suffixmassage=<real DN>]
Further updates to the master replica will generate
.B searchResultEntry
to the consumer slapd as the search responses to the persistent
-synchronization search.
+synchronization search. If the initial search fails due to an error, the
+next synchronization search operation is periodically rescheduled at an
+interval time (specified by
+.B interval
+parameter; 1 day by default)
If an error occurs during replication, the consumer will attempt to
reconnect according to the