.B bind_anon_dn
allows unauthenticated (anonymous) bind when DN is not empty.
.B update_anon
-allow unauthenticated (anonymous) update operations to be processed
+allows unauthenticated (anonymous) update operations to be processed
(subject to access controls and other administrative limits).
+.B proxy_authz_anon
+allows unauthenticated (anonymous) proxy authorization control to be processed
+(subject to access controls, authorization and other administrative limits).
.TP
.B argsfile <filename>
The ( absolute ) name of a file that will hold the
as the option with the range name sans the trailing `-'.
That is, `x-foo-bar-' matches `x-foo-bar' and `x-foo-bar-baz'.
-RFC 2251 reserves options beginning with `x-' for private experiments.
-Other options should be registered with IANA, see RFC 3383 section 3.4.
+RFC 4520 reserves options beginning with `x-' for private experiments.
+Other options should be registered with IANA, see RFC 4520 section 3.5.
OpenLDAP also has the `binary' option built in, but this is a transfer
option, not a tagging option.
.HP
[NO\-USER\-MODIFICATION]\
[USAGE\ <attributeUsage>]\ )"
.RS
-Specify an attribute type using the LDAPv3 syntax defined in RFC 2252.
-The slapd parser extends the RFC 2252 definition by allowing string
+Specify an attribute type using the LDAPv3 syntax defined in RFC 4512.
+The slapd parser extends the RFC 4512 definition by allowing string
forms as well as numeric OIDs to be used for the attribute OID and
attribute syntax OID.
(See the
.RE
The protocol portion of the URI must be strictly
.BR ldap .
+Note that this search is subject to access controls. Specifically,
+the authentication identity must have "auth" access in the subject.
Multiple
.B authz-regexp
Specify a set of features (separated by white space) to
disallow (default none).
.B bind_anon
-disables acceptance of anonymous bind requests.
+disables acceptance of anonymous bind requests. Note that this setting
+does not prohibit anonymous directory access (See "require authc").
.B bind_simple
disables simple (bind) authentication.
.B tls_2_anon
disables forcing session to anonymous status (see also
-.BR tls_authc ) upon StartTLS operation receipt.
+.BR tls_authc )
+upon StartTLS operation receipt.
.B tls_authc
-dissallow the StartTLS operation if authenticated (see also
+disallows the StartTLS operation if authenticated (see also
.BR tls_2_anon ).
.HP
.hy 0
[MAY\ <oids>]\
[NOT\ <oids>]\ )"
.RS
-Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 2252.
-The slapd parser extends the RFC 2252 definition by allowing string
+Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 4512.
+The slapd parser extends the RFC 4512 definition by allowing string
forms as well as numeric OIDs to be used for the attribute OID and
attribute syntax OID.
(See the
trace function calls
.TP
.B 2
-.B (0x2 packet)
+.B (0x2 packets)
debug packet handling
.TP
.B 4
[{ ABSTRACT | STRUCTURAL | AUXILIARY }]\
[MUST\ <oids>] [MAY\ <oids>] )"
.RS
-Specify an objectclass using the LDAPv3 syntax defined in RFC 2252.
-The slapd parser extends the RFC 2252 definition by allowing string
+Specify an objectclass using the LDAPv3 syntax defined in RFC 4512.
+The slapd parser extends the RFC 4512 definition by allowing string
forms as well as numeric OIDs to be used for the object class OID.
(See the
.B
.B require <conditions>
Specify a set of conditions (separated by white space) to
require (default none).
-The directive may be specified globally and/or per-database.
+The directive may be specified globally and/or per-database;
+databases inherit global conditions, so per-database specifications
+are additive.
.B bind
requires bind operation prior to directory operations.
.B LDAPv3
The strong keyword allows protected "simple" authentication
as well as SASL authentication.
.B none
-may be used to require no conditions (useful for clearly globally
-set conditions within a particular database).
+may be used to require no conditions (useful to clear out globally
+set conditions within a particular database); it must occur first
+in the list of conditions.
.TP
.B reverse-lookup on | off
Enable/disable client name unverified reverse lookup (default is
.TP
.B threads <integer>
Specify the maximum size of the primary thread pool.
-The default is 16.
+The default is 16; the minimum value is 2.
.TP
.B timelimit {<integer>|unlimited}
.TP
This directive specifies the file that contains parameters for Diffie-Hellman
ephemeral key exchange. This is required in order to use a DSA certificate on
the server. If multiple sets of parameters are present in the file, all of
-them will be processed.
+them will be processed. Note that setting this option may also enable
+Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
+You should append "!ADH" to your cipher suites if you have changed them
+from the default, otherwise no certificate exchanges or verification will
+be done.
.TP
.B TLSRandFile <filename>
Specifies the file to obtain random bits from when /dev/[u]random
.B slapd
will automatically maintain the
modifiersName, modifyTimestamp, creatorsName, and
-createTimestamp attributes for entries. By default, lastmod is on.
+createTimestamp attributes for entries. It also controls
+the entryCSN and entryUUID attributes, which are needed
+by the syncrepl provider. By default, lastmod is on.
.TP
.B limits <who> <limit> [<limit> [...]]
Specify time and size limits based on who initiated an operation.
Specifies the maximum number of aliases to dereference when trying to
resolve an entry, used to avoid infinite alias loops. The default is 1.
.TP
+.B mirrormode on | off
+This option puts a replica database into "mirror" mode. Update
+operations will be accepted from any user, not just the updatedn. The
+database must already be configured as a slurpd or syncrepl consumer
+before this keyword may be set. This mode must be used with extreme
+care, as it does not offer any consistency guarantees.
+By default, mirrormode is off.
+.TP
.B overlay <overlay-name>
Add the specified overlay to this database. An overlay is a piece of
code that intercepts database operations in order to extend or change
.B bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
.B [authcId=<authentication ID>] [authzId=<authorization ID>]
-.B [attr[!]=<attr list>]
+.B [attr
s[!]=<attr list>]
.RS
Specify a replication site for this database. Refer to the "OpenLDAP
Administrator's Guide" for detailed information on setting up a replicated
An
.B attr list
can be given after the
-.B attr
+.B attrs
keyword to allow the selective replication of the listed attributes only;
if the optional
.B !
.hy 0
.B syncrepl rid=<replica ID>
.B provider=ldap[s]://<hostname>[:port]
+.B searchbase=<base DN>
.B [type=refreshOnly|refreshAndPersist]
.B [interval=dd:hh:mm:ss]
.B [retry=[<retry interval> <# of retries>]+]
-.B [searchbase=<base DN>]
.B [filter=<filter str>]
-.B [scope=sub|one|base]
+.B [scope=sub|one|base|subord]
.B [attrs=<attr list>]
.B [attrsonly]
.B [sizelimit=<limit>]
.B [timelimit=<limit>]
.B [schemachecking=on|off]
-.B [starttls=yes|critical]
.B [bindmethod=simple|sasl]
.B [binddn=<dn>]
.B [saslmech=<mech>]
.B [credentials=<passwd>]
.B [realm=<realm>]
.B [secprops=<properties>]
+.B [starttls=yes|critical]
+.B [tls_cert=<file>]
+.B [tls_key=<file>]
+.B [tls_cacert=<file>]
+.B [tls_cacertdir=<path>]
+.B [tls_reqcert=never|allow|try|demand]
+.B [tls_ciphersuite=<ciphers>]
+.B [tls_crlcheck=none|peer|all]
.B [logbase=<base DN>]
.B [logfilter=<filter str>]
.B [syncdata=default|accesslog|changelog]
consumer site by turning on the
.B schemachecking
parameter. The default is off.
-The
-.B starttls
-parameter specifies use of the StartTLS extended operation
-to establish a TLS session before Binding to the provider. If the
-.B critical
-argument is supplied, the session will be aborted if the StartTLS request
-fails. Otherwise the syncrepl session continues without TLS.
A
.B bindmethod
of
.B realm
option.
+The
+.B starttls
+parameter specifies use of the StartTLS extended operation
+to establish a TLS session before Binding to the provider. If the
+.B critical
+argument is supplied, the session will be aborted if the StartTLS request
+fails. Otherwise the syncrepl session continues without TLS. Note that the
+main slapd TLS settings are not used by the syncrepl engine;
+by default the TLS parameters from ETCDIR/ldap.conf will be used.
+TLS settings may be specified here, in which case the ldap.conf settings
+will be completely ignored.
+
Rather than replicating whole entries, the consumer can query logs of
data modifications. This mode of operation is referred to as \fIdelta
syncrepl\fP. In addition to the above parameters, the
manual pages.
.TP
.B bdb
-This is the recommended backend for a normal slapd database.
-However, it takes more care than with the LDBM backend to configure
-it properly.
-It uses the Sleepycat Berkeley DB (BDB) package to store data.
+This is the recommended primary backend for a normal slapd database.
+It takes care to configure it properly.
+It uses the transactional database interface of the Sleepycat Berkeley
+DB (BDB) package to store data.
.TP
.B config
This backend is used to manage the configuration of slapd run-time.
LDAP server.
.TP
.B ldbm
-This is the database backend which is easiest to configure.
-However, it does not offer the data durability features of the BDB
-backend.
-It uses Berkeley DB or GDBM to store data.
+This is an easy-to-configure but obsolete database backend. It
+does not offer the data durability features of the BDB and HDB
+backends and hence is deprecated in favor of these robust backends.
+LDBM uses lightweight non-transactional DB interfaces,
+such as those providing by GDBM or Berkeley DB, to store data.
.TP
.B ldif
This database uses the filesystem to build the tree structure
# option ";x-hidden" can be searched for/compared,
# but are not shown. See \fBslapd.access\fP(5).
attributeoptions x-hidden lang-
-access to attr=name;x-hidden by * =cs
+access to attrs=name;x-hidden by * =cs
# Protect passwords. See \fBslapd.access\fP(5).
access to attrs=userPassword by * auth
projects / openldap / blobdiff