.TH SLAPD.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2005 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2006 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
.B bind_anon_dn
allows unauthenticated (anonymous) bind when DN is not empty.
.B update_anon
-allow unauthenticated (anonymous) update operations to be processed
+allows unauthenticated (anonymous) update operations to be processed
(subject to access controls and other administrative limits).
.TP
.B argsfile <filename>
.B defaultsearchbase <dn>
Specify a default search base to use when client submits a
non-base search request with an empty base DN.
+Base scoped search requests with an empty base DN are not affected.
.TP
.B disallow <features>
Specify a set of features (separated by white space) to
disallow (default none).
.B bind_anon
-disables acceptance of anonymous bind requests.
+disables acceptance of anonymous bind requests. Note that this setting
+does not prohibit anonymous directory access (See "require authc").
.B bind_simple
disables simple (bind) authentication.
.B tls_2_anon
-disables Start TLS from forcing session to anonymous status (see also
-.BR tls_authc ).
+disables forcing session to anonymous status (see also
+.BR tls_authc ) upon StartTLS operation receipt.
.B tls_authc
-disables StartTLS if authenticated (see also
+dissallow the StartTLS operation if authenticated (see also
.BR tls_2_anon ).
.HP
.hy 0
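Review bot: typo and inconsistent verb form in the tls_authc entry: `+dissallow the StartTLS operation if authenticated (see also` should read "disallows the StartTLS operation if authenticated", matching the third-person form of the sibling entries ("disables acceptance of anonymous bind requests", "disables simple (bind) authentication"). In the same hunk the tls_2_anon rewording splits its clause around the parenthetical ("disables forcing session to anonymous status (see also .BR tls_authc ) upon StartTLS operation receipt"); "disables forcing the session to anonymous status when a StartTLS operation is received (see also .BR tls_authc )" keeps the cross-reference at the end like the other entries. The new bind_anon caveat, that disallowing anonymous bind does not prohibit anonymous directory access, is the right security point to make here; consider rendering the cross-reference as `.B require authc` so it looks like the other directive references on the page.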
Specify the level at which debugging statements and operation
statistics should be syslogged (currently logged to the
.BR syslogd (8)
-LOG_LOCAL4 facility). Log levels are additive, and available levels
-are:
+LOG_LOCAL4 facility).
+They must be considered subsystems rather than increasingly verbose
+log levels.
+Some messages with higher priority are logged regardless
+of the configured loglevel as soon as some logging is configured,
+otherwise anything is logged at all.
+Log levels are additive, and available levels are:
.RS
.RS
.PD 0
.TP
.B 1
-.B (trace)
+.B (0x1 trace)
trace function calls
.TP
.B 2
-.B (packet)
+.B (0x2 packet)
debug packet handling
.TP
.B 4
-.B (args)
-heavy trace debugging
+.B (0x4 args)
+heavy trace debugging (function args)
.TP
.B 8
-.B (conns)
+.B (0x8 conns)
connection management
.TP
.B 16
-.B (BER)
+.B (0x10 BER)
print out packets sent and received
.TP
.B 32
-.B (filter)
+.B (0x20 filter)
search filter processing
.TP
.B 64
-.B (config)
+.B (0x40 config)
configuration file processing
.TP
.B 128
-.B (ACL)
+.B (0x80 ACL)
access control list processing
.TP
.B 256
-.B (stats)
+.B (0x100 stats)
stats log connections/operations/results
.TP
.B 512
-.B (stats2)
+.B (0x200 stats2)
stats log entries sent
.TP
.B 1024
-.B (shell)
+.B (0x400 shell)
print communication with shell backends
.TP
.B 2048
-.B (parse)
+.B (0x800 parse)
entry parsing
+.TP
+.B 4096
+.B (0x1000 cache)
+caching (unused)
+.TP
+.B 8192
+.B (0x2000 index)
+data indexing (unused)
+.TP
+.B 16384
+.B (0x4000 sync)
+LDAPSync replication
+.TP
+.B 32768
+.B (0x8000 none)
+only messages that get logged whatever log level is set
.PD
.RE
The desired log level can be input as a single integer that combines
-the (ORed) desired levels, as a list of integers (that are ORed internally),
+the (ORed) desired levels, both in decimal or in hexadecimal notation,
+as a list of integers (that are ORed internally),
or as a list of the names that are shown between brackets, such that
.LP
.nf
loglevel 129
+ loglevel 0x81
loglevel 128 1
+ loglevel 0x80 0x1
loglevel acl trace
.fi
.LP
The keyword
.B any
can be used as a shortcut to enable logging at all levels (equivalent to -1).
+The keyword
+.BR none ,
+or the equivalent integer representation, causes those messages
+that are logged regardless of the configured loglevel to be logged.
+In fact, if no loglevel (or a 0 level) is defined, no logging occurs,
+so at least the
+.B none
+level is required to have high priority messages logged.
.RE
.TP
.B moduleload <filename>
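Review bot: the new paragraph inverts its own meaning in its last clause: `+of the configured loglevel as soon as some logging is configured,` / `+otherwise anything is logged at all.` should say "otherwise nothing is logged at all"; the none-level text later in the hunk ("if no loglevel (or a 0 level) is defined, no logging occurs") states the intended behaviour. Two smaller points: "They must be considered subsystems rather than increasingly verbose log levels" has no clear antecedent once the removed sentence is gone (the nearest nouns are "debugging statements and operation statistics"), so open with "Log levels must be considered subsystems rather than ...". And the two added example lines ` loglevel 0x81` and ` loglevel 0x80 0x1` carry a leading space the sibling lines lack; inside `.nf` that renders as indentation, so drop it.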
.hy 0
.B objectclass "(\ <oid>\
[NAME\ <name>]\
- [DESC\ <description]\
+ [DESC\ <description>]\
[OBSOLETE]\
[SUP\ <oids>]\
[{ ABSTRACT | STRUCTURAL | AUXILIARY }]\
.TP
.B threads <integer>
Specify the maximum size of the primary thread pool.
-The default is 16.
+The default is 16; the minimum value is 2.
.TP
.B timelimit {<integer>|unlimited}
.TP
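Review bot: "the minimum value is 2" states a constraint without its consequence; say whether a value below 2 is rejected when the configuration file is read or silently raised to 2, since an administrator tuning the pool down on a small host needs to know which.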
This directive specifies the file that contains parameters for Diffie-Hellman
ephemeral key exchange. This is required in order to use a DSA certificate on
the server. If multiple sets of parameters are present in the file, all of
-them will be processed.
+them will be processed. Note that setting this option may also enable
+Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
+You should append "!ADH" to your cipher suites if you have changed them
+from the default, otherwise no certificate exchanges or verification will
+be done.
.TP
.B TLSRandFile <filename>
Specifies the file to obtain random bits from when /dev/[u]random
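Review bot: the anonymous-DH warning overstates the failure mode and under-specifies the fix. `+You should append "!ADH" to your cipher suites if you have changed them` / `+from the default, otherwise no certificate exchanges or verification will` / `+be done.` reads as if certificates stop being used entirely once this file is set; the actual risk is that a client negotiating an anonymous DH suite gets a session with no server certificate and therefore no server authentication, which an active attacker on the path can exploit. Suggest: "If you have changed the cipher suite list from the default, append "!ADH" to it; otherwise a client that negotiates an anonymous DH suite will get no certificate exchange or verification, leaving the session open to an active man-in-the-middle." Also name the directive the list is set with (TLSCipherSuite) instead of "your cipher suites", so the reader knows where to apply the change.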
.B searchbase, scope, filter, attrs, attrsonly, sizelimit,
and
.B timelimit
-parameters as in the normal search specification.
-The search specification for the LDAP Content Synchronization operation
-has the same value syntax and the same default values as in the
-.BR ldapsearch (1)
-client search tool.
+parameters as in the normal search specification.
+The \fBscope\fP defaults to \fBsub\fP, the \fBfilter\fP defaults to
+\fB(objectclass=*)\fP, and there is no default \fBsearchbase\fP. The
+\fBattrs\fP list defaults to \fB"*,+"\fP to return all user and operational
+attributes, and \fBattrsonly\fP is unset by default.
+The \fBsizelimit\fP and \fBtimelimit\fP only
+accept "unlimited" and positive integers, and both default to "unlimited".
The LDAP Content Synchronization protocol has two operation types.
In the
.B refreshOnly
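Review bot: "only accept "unlimited" and positive integers" drops the ldapsearch(1) cross-reference that previously defined these values but leaves the status of 0 unstated; ldapsearch treats 0 as no limit, so a reader migrating a configuration will want to know whether 0 is now rejected or still means unlimited, and the text should say which. Also "there is no default searchbase" is clearer as "searchbase has no default and must be specified" if that is the behaviour.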
manual pages.
.TP
.B bdb
-This is the recommended backend for a normal slapd database.
-However, it takes more care than with the LDBM backend to configure
-it properly.
-It uses the Sleepycat Berkeley DB (BDB) package to store data.
+This is the recommended primary backend for a normal slapd database.
+It takes care to configure it properly.
+It uses the transactional database interface of the Sleepycat Berkeley
+DB (BDB) package to store data.
.TP
.B config
This backend is used to manage the configuration of slapd run-time.
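Review bot: `+It takes care to configure it properly.` is ungrammatical and loses the point of the removed sentence, which was that BDB needs more care than LDBM to configure; since the hunk deliberately drops the LDBM comparison, say "It requires some care to configure properly." or "Care is needed to configure it properly."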
LDAP server.
.TP
.B ldbm
-This is the database backend which is easiest to configure.
-However, it does not offer the data durability features of the BDB
-backend.
-It uses Berkeley DB or GDBM to store data.
+This is an easy-to-configure but obsolete database backend. It
+does not offer the data durability features of the BDB and HDB
+backends and hence is deprecated in favor of these robust backends.
+LDBM uses lightweight non-transactional DB interfaces,
+such as those providing by GDBM or Berkeley DB, to store data.
.TP
.B ldif
This database uses the filesystem to build the tree structure
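Review bot: typo in `+such as those providing by GDBM or Berkeley DB, to store data.`: "providing" should be "provided". In the same paragraph "deprecated in favor of these robust backends" reads better as "these more robust backends", since the sentence is a comparison with LDBM's missing durability features.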
overlay (see
.BR slapo-rwm (5)
for details) to rewrite the naming context of the request.
-It is is primarily intended to implement virtual views on databases
+It is primarily intended to implement virtual views on databases
that actually store data.
.TP
.B shell
.B chain
Chaining.
This overlay allows automatic referral chasing when a referral would
-have been returned.
+have been returned, either when configured by the server or when
+requested by the client.
.TP
.B denyop
Deny Operation.