options can be overridden in a backend (for options that appear more
than once, the last appearance in the
.B slapd.conf
-file is used). Blank lines and comment lines beginning with a `#'
-character are ignored. If a line begins with white space, it is
-considered a continuation of the previous line.
+file is used).
+.LP
+If a line begins with white space, it is considered a continuation
+of the previous line. Blank lines and comment lines beginning with
+a `#' character are ignored. (Note: continuation lines are unwrapped
+before comment processing is applied.)
.LP
Arguments on configuration lines are separated by white space. If an
argument contains white space, the argument should be enclosed in
.B bind_v2
allows acceptance of LDAPv2 bind requests. Note that
.BR slapd (8)
-does not truely implement LDAPv2 (RFC 1777), now Historic (RFC 3494).
+does not truly implement LDAPv2 (RFC 1777), now Historic (RFC 3494).
.B bind_anon_cred
allows anonymous bind when credentials are not empty (e.g.
when DN is empty).
option, not a tagging option.
.HP
.hy 0
-.B attributetype "(\ <oid> [NAME\ <name>] [OBSOLETE]\
+.B attributetype "(\ <oid>\
+ [NAME\ <name>]\
[DESC\ <description>]\
- [SUP\ <oid>] [EQUALITY\ <oid>] [ORDERING\ <oid>]\
- [SUBSTR\ <oid>] [SYNTAX\ <oidlen>] [SINGLE\-VALUE] [COLLECTIVE]\
- [NO\-USER\-MODIFICATION] [USAGE\ <attributeUsage>]\ )"
+ [OBSOLETE]\
+ [SUP\ <oid>]\
+ [EQUALITY\ <oid>]\
+ [ORDERING\ <oid>]\
+ [SUBSTR\ <oid>]\
+ [SYNTAX\ <oidlen>]\
+ [SINGLE\-VALUE]\
+ [COLLECTIVE]\
+ [NO\-USER\-MODIFICATION]\
+ [USAGE\ <attributeUsage>]\ )"
.RS
Specify an attribute type using the LDAPv3 syntax defined in RFC 2252.
The slapd parser extends the RFC 2252 definition by allowing string
.B tls_authc
disables StartTLS if authenticated (see also
.BR tls_2_anon ).
+.HP
+.hy 0
+.B ditcontentrule "(\ <oid>\
+ [NAME\ <name>]\
+ [DESC\ <description>]\
+ [OBSOLETE]\
+ [AUX\ <oids>]\
+ [MUST\ <oids>]\
+ [MAY\ <oids>]\
+ [NOT\ <oids>]\ )"
+.RS
+Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 2252.
+The slapd parser extends the RFC 2252 definition by allowing string
+forms as well as numeric OIDs to be used for the attribute OID and
+attribute syntax OID.
+(See the
+.B objectidentifier
+description.)
+.RE
.TP
.B gentlehup { on | off }
A SIGHUP signal will only cause a 'gentle' shutdown-attempt:
.B exact
or
.B base
-(which are synonims), to require an exact match; with
+(which are synonyms), to require an exact match; with
.BR one,
to require exactly one level of depth match; with
.BR subtree,
is the number of seconds slapd will spend answering a search request.
If no time limit is explicitly requested by the client, the
.BR soft
-limit is used; if the requested time limit exceedes the
+limit is used; if the requested time limit exceeds the
.BR hard
limit, an "Administrative limit exceeded" is returned.
If the
request.
If no size limit is explicitly requested by the client, the
.BR soft
-limit is used; if the requested size limit exceedes the
+limit is used; if the requested size limit exceeds the
.BR hard
limit, an "Administrative limit exceeded" is returned.
If the
Specify a list of directories to search for loadable modules. Typically
the path is colon-separated but this depends on the operating system.
.HP
-.B objectclass "( <oid> [NAME <name>] [DESC <description] [OBSOLETE]\
- [SUP <oids>] [{ ABSTRACT | STRUCTURAL | AUXILIARY }] [MUST <oids>]\
- [MAY <oids>] )"
+.hy 0
+.B objectclass "(\ <oid>\
+ [NAME\ <name>]\
+ [DESC\ <description]\
+ [OBSOLETE]\
+ [SUP\ <oids>]\
+ [{ ABSTRACT | STRUCTURAL | AUXILIARY }]\
+ [MUST\ <oids>] [MAY\ <oids>] )"
.RS
Specify an objectclass using the LDAPv3 syntax defined in RFC 2252.
The slapd parser extends the RFC 2252 definition by allowing string
Used to specify Cyrus SASL security properties.
The
.B none
-flag (without any other properities) causes the flag properites
+flag (without any other properties) causes the flag properties
default, "noanonymous,noplain", to be cleared.
The
.B noplain
.TP
.B maxderefdepth <depth>
Specifies the maximum number of aliases to dereference when trying to
-resolve an entry, used to avoid inifinite alias loops. The default is 1.
+resolve an entry, used to avoid infinite alias loops. The default is 1.
.TP
.B readonly on | off
This option puts the database into "read-only" mode. Any attempts to
modify the database will return an "unwilling to perform" error. By
default, readonly is off.
.HP
+.hy 0
.B replica uri=ldap[s]://<hostname>[:port]|host=<hostname>[:port]
.B [starttls=yes|critical]
.B [suffix=<suffix> [...]]
This option accepts all RFC 2307 userPassword formats known to
the server (see
.B password-hash
-desription) as well as cleartext.
+description) as well as cleartext.
.BR slappasswd (8)
may be used to generate a hash of a password. Cleartext
and \fB{CRYPT}\fP passwords are not recommended. If empty
Behavior of other LDAP operations is unaffected by this setting. In
particular, it is not possible to use moddn to move an entry from
one subordinate to another subordinate within the namingContext.
-.TP
-.B updatedn <dn>
-This option is only applicable in a slave
-.B slapd.
-It specifies the DN permitted to update (subject to access controls)
-the replica (typically, this is the DN
-.BR slurpd (8)
-binds to update the replica).
-.TP
-.B updateref <url>
-Specify the referral to pass back when
-.BR slapd (8)
-is asked to modify a replicated local database.
-If specified multiple times, each url is provided.
.HP
+.hy 0
.B syncrepl id=<replica ID>
.B provider=ldap[s]://<hostname>[:port]
-.B [updatedn=<dn>]
-.B [binddn=<dn>]
-.B [bindmethod=simple|sasl] [binddn=<simple DN>] [credentials=<simple passwd>]
-.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
-.B [authcId=<authentication ID>] [authzId=<authorization ID>]
+.B [type=refreshOnly|refreshAndPersist]
+.B [interval=dd:hh:mm:ss]
.B [searchbase=<base DN>]
.B [filter=<filter str>]
+.B [scope=sub|one|base]
.B [attrs=<attr list>]
+.B [attrsonly]
+.B [sizelimit=<limit>]
+.B [timelimit=<limit>]
.B [schemachecking=on|off]
-.B [scope=sub|one|base]
-.B [type=refreshOnly|refreshAndPersist]
-.B [interval=dd:hh:mm]
+.B [updatedn=<dn>]
+.B [bindmethod=simple|sasl]
+.B [binddn=<dn>]
+.B [saslmech=<mech>]
+.B [authcid=<identity>]
+.B [authzid=<identity>]
+.B [credentials=<passwd>]
+.B [realm=<realm>]
+.B [secprops=<properties>]
.RS
-Specify an LDAP Sync replication session between the specified replication provider
-site and this database (a replication consumer).
-The replication consumer communicates with the replication provider to perform
-an initial population and the following periodic or persistent synchronizations.
-The LDAP Sync replication engine is based on the LDAP Content Sync protocol :
-a stateful, pull, incremental, and partial synchronization protocol which
-supports both polling and listening modes of operations.
-It currently supports entry-level synchronization.
-A directory server wide
+Specify the current database as a replica which is kept up-to-date with the
+master content by establishing the current
+.BR slapd (8)
+as a replication consumer site running a
+.B syncrepl
+replication engine.
+The replica content is kept synchronized to the master content using
+the LDAP Content Synchronization protocol. Refer to the
+"OpenLDAP Administrator's Guide" for detailed information on
+setting up a replicated
+.B slapd
+directory service using the
+.B syncrepl
+replication engine.
.B id
-uniquely identifies this LDAP Sync replication specification
-in the directory server instance. The specification of an LDAP Sync replication
-session is based on the search specification which defines the replica content.
-The replicated entries are those directory entries of the subtree under the
-.B searchbase
-with the
-.B scope
-that match the
-.B filter.
-Only the attributes specified in the
-.B attrs
-are included in the replica content.
-There are two synchronization modes depending on the incremental
-synchronization semantics after the intial content population.
-The incremental synchronization is performed periodically with
-the
-.B interval
-when the sync
-.B type
-is
-.B refreshOnly.
-Alternatively, the provider sends synchronization messages to the consumer
-upon updates to the replicated contents when the sync
-.B type
-is
-.B refreshAndPersist.
-The replication provider site is specified by
+identifies the current
+.B syncrepl
+directive within the database.
+It is a non-negative integer having no more than three digits.
.B provider
-as an LDAP URI.
-If
-.B schemachecking
-is
-.B on,
-every replicated entry will be checked for its schema
-when it is stored in the consumer replica.
-The consumer slapd should retrieve attributes of an entry
-that are required by the schema definition.
-If
+specifies the replication provider site containing the master content
+as an LDAP URI. If <port> is not given, the standard LDAP port number
+(389 or 636) is used. The content of the
+.B syncrepl
+replica is defined using a search
+specification as its result set. The consumer
+.B slapd
+will send search requests to the provider
+.B slapd
+according to the search specification. The search specification includes
+.B searchbase, scope, filter, attrs, attrsonly, sizelimit,
+and
+.B timelimit
+parameters as in the normal search specification.
+The search specification for the LDAP Content Synchronization operation
+has the same value syntax and the same default values as in the
+.BR ldapsearch (1)
+client search tool.
+The LDAP Content Synchronization protocol has two operation types.
+In the
+.B refreshOnly
+operation, the next synchronization search operation
+is periodically rescheduled at an interval time (specified by
+.B interval
+parameter; 1 day by default)
+after each synchronization operation finishes.
+In the
+.B refreshAndPersist
+operation, a synchronization search remains persistent in the provider slapd.
+Further updates to the master replica will generate
+.B searchResultEntry
+to the consumer slapd as the search responses to the persistent
+synchronization search. The schema checking can be enforced at the LDAP Sync
+consumer site by turning on the
.B schemachecking
-is
-.B off,
-entries will be stored without checking the schema conformance.
+parameter. The default is off.
+The
+.B updatedn
+parameter specifies the DN in the consumer site
+which is allowed to make changes to the replica.
+The DN should have read/write access to the replica database.
A
.B bindmethod
of
.B binddn
and
.B credentials
-and should only be used when adequate security services (e.g. TLS or IPSEC) are in place.
+and should only be used when adequate security services
+(e.g. TLS or IPSEC) are in place.
A
.B bindmethod
of
.B sasl
requires the option
.B saslmech.
+Depending on the mechanism, an authentication identity and/or
+credentials can be specified using
+.B authcid
+and
+.B credentials.
+The
+.B authzid
+parameter may be used to specify an authorization identity.
Specific security properties (as with the
-.B sasl secprops
+.B sasl-secprops
keyword above) for a SASL bind can be set with the
.B secprops
option. A non default SASL realm can be set with the
.B realm
option.
-If the
-.B mechanism
-will use Kerberos, a kerberos instance should be given in
-.B authcId.
-.B updatedn
-specifies the DN used to update (subject to access controls) the
-replica at the consumer replica.
+.RE
+.TP
+.B updatedn <dn>
+This option is only applicable in a slave
+.B slapd.
+It specifies the DN permitted to update (subject to access controls)
+the replica (typically, this is the DN
+.BR slurpd (8)
+binds to update the replica).
+.TP
+.B updateref <url>
+Specify the referral to pass back when
+.BR slapd (8)
+is asked to modify a replicated local database.
+If specified multiple times, each url is provided.
+
.SH DATABASE-SPECIFIC OPTIONS
Each database may allow specific configuration options; they are
documented separately in the backends' manual pages.
.BR slapd-shell (5),
.BR slapd-sql (5),
.BR slapd-tcl (5),
-.BR slapd.replog (5),
.BR slapd.access (5),
+.BR slapd.plugin (5),
+.BR slapd.replog (5),
.BR slapd (8),
.BR slapadd (8),
.BR slapcat (8),
projects / openldap / blobdiff