.TH SLAPD.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2005 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2006 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
.B bind_anon_dn
allows unauthenticated (anonymous) bind when DN is not empty.
.B update_anon
-allow unauthenticated (anonymous) update operations to be processed
+allows unauthenticated (anonymous) update operations to be processed
(subject to access controls and other administrative limits).
+.B proxy_authz_anon
+allows unauthenticated (anonymous) proxy authorization control to be processed
+(subject to access controls, authorization and other administrative limits).
.TP
.B argsfile <filename>
The ( absolute ) name of a file that will hold the
as the option with the range name sans the trailing `-'.
That is, `x-foo-bar-' matches `x-foo-bar' and `x-foo-bar-baz'.
-RFC 2251 reserves options beginning with `x-' for private experiments.
-Other options should be registered with IANA, see RFC 3383 section 3.4.
+RFC 4520 reserves options beginning with `x-' for private experiments.
+Other options should be registered with IANA, see RFC 4520 section 3.5.
OpenLDAP also has the `binary' option built in, but this is a transfer
option, not a tagging option.
.HP
[NO\-USER\-MODIFICATION]\
[USAGE\ <attributeUsage>]\ )"
.RS
-Specify an attribute type using the LDAPv3 syntax defined in RFC 2252.
-The slapd parser extends the RFC 2252 definition by allowing string
+Specify an attribute type using the LDAPv3 syntax defined in RFC 4512.
+The slapd parser extends the RFC 4512 definition by allowing string
forms as well as numeric OIDs to be used for the attribute OID and
attribute syntax OID.
(See the
.RE
The protocol portion of the URI must be strictly
.BR ldap .
+Note that this search is subject to access controls. Specifically,
+the authentication identity must have "auth" access in the subject.
Multiple
.B authz-regexp
.B defaultsearchbase <dn>
Specify a default search base to use when client submits a
non-base search request with an empty base DN.
+Base scoped search requests with an empty base DN are not affected.
.TP
.B disallow <features>
Specify a set of features (separated by white space) to
disallow (default none).
.B bind_anon
-disables acceptance of anonymous bind requests.
+disables acceptance of anonymous bind requests. Note that this setting
+does not prohibit anonymous directory access (See "require authc").
.B bind_simple
disables simple (bind) authentication.
.B tls_2_anon
-disables Start TLS from forcing session to anonymous status (see also
-.BR tls_authc ).
+disables forcing session to anonymous status (see also
+.BR tls_authc )
+upon StartTLS operation receipt.
.B tls_authc
-disables StartTLS if authenticated (see also
+disallows the StartTLS operation if authenticated (see also
.BR tls_2_anon ).
.HP
.hy 0
[MAY\ <oids>]\
[NOT\ <oids>]\ )"
.RS
-Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 2252.
-The slapd parser extends the RFC 2252 definition by allowing string
+Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 4512.
+The slapd parser extends the RFC 4512 definition by allowing string
forms as well as numeric OIDs to be used for the attribute OID and
attribute syntax OID.
(See the
Specify the level at which debugging statements and operation
statistics should be syslogged (currently logged to the
.BR syslogd (8)
-LOG_LOCAL4 facility). Log levels are additive, and available levels
-are:
+LOG_LOCAL4 facility).
+They must be considered subsystems rather than increasingly verbose
+log levels.
+Some messages with higher priority are logged regardless
+of the configured loglevel as soon as some logging is configured,
+otherwise anything is logged at all.
+Log levels are additive, and available levels are:
.RS
.RS
.PD 0
.TP
.B 1
-.B (trace)
+.B (0x1 trace)
trace function calls
.TP
.B 2
-.B (packet)
+.B (0x2 packets)
debug packet handling
.TP
.B 4
-.B (args)
-heavy trace debugging
+.B (0x4 args)
+heavy trace debugging (function args)
.TP
.B 8
-.B (conns)
+.B (0x8 conns)
connection management
.TP
.B 16
-.B (BER)
+.B (0x10 BER)
print out packets sent and received
.TP
.B 32
-.B (filter)
+.B (0x20 filter)
search filter processing
.TP
.B 64
-.B (config)
+.B (0x40 config)
configuration file processing
.TP
.B 128
-.B (ACL)
+.B (0x80 ACL)
access control list processing
.TP
.B 256
-.B (stats)
+.B (0x100 stats)
stats log connections/operations/results
.TP
.B 512
-.B (stats2)
+.B (0x200 stats2)
stats log entries sent
.TP
.B 1024
-.B (shell)
+.B (0x400 shell)
print communication with shell backends
.TP
.B 2048
-.B (parse)
+.B (0x800 parse)
entry parsing
+\".TP
+\".B 4096
+\".B (0x1000 cache)
+\"caching (unused)
+\".TP
+\".B 8192
+\".B (0x2000 index)
+\"data indexing (unused)
+.TP
+.B 16384
+.B (0x4000 sync)
+LDAPSync replication
+.TP
+.B 32768
+.B (0x8000 none)
+only messages that get logged whatever log level is set
.PD
.RE
The desired log level can be input as a single integer that combines
-the (ORed) desired levels, as a list of integers (that are ORed internally),
+the (ORed) desired levels, both in decimal or in hexadecimal notation,
+as a list of integers (that are ORed internally),
or as a list of the names that are shown between brackets, such that
.LP
.nf
loglevel 129
+ loglevel 0x81
loglevel 128 1
+ loglevel 0x80 0x1
loglevel acl trace
.fi
.LP
The keyword
.B any
can be used as a shortcut to enable logging at all levels (equivalent to -1).
+The keyword
+.BR none ,
+or the equivalent integer representation, causes those messages
+that are logged regardless of the configured loglevel to be logged.
+In fact, if no loglevel (or a 0 level) is defined, no logging occurs,
+so at least the
+.B none
+level is required to have high priority messages logged.
.RE
.TP
.B moduleload <filename>
.hy 0
.B objectclass "(\ <oid>\
[NAME\ <name>]\
- [DESC\ <description]\
+ [DESC\ <description>]\
[OBSOLETE]\
[SUP\ <oids>]\
[{ ABSTRACT | STRUCTURAL | AUXILIARY }]\
[MUST\ <oids>] [MAY\ <oids>] )"
.RS
-Specify an objectclass using the LDAPv3 syntax defined in RFC 2252.
-The slapd parser extends the RFC 2252 definition by allowing string
+Specify an objectclass using the LDAPv3 syntax defined in RFC 4512.
+The slapd parser extends the RFC 4512 definition by allowing string
forms as well as numeric OIDs to be used for the object class OID.
(See the
.B
.B slurpd
server's command line options
if started without the debugging command line option.
+If it appears after a
+.B replogfile
+directive, the args file is specific to the
+.BR slurpd (8)
+instance that handles that replication log.
.TP
.B replica-pidfile
The ( absolute ) name of a file that will hold the
server's process ID ( see
.BR getpid (2)
) if started without the debugging command line option.
+If it appears after a
+.B replogfile
+directive, the pid file is specific to the
+.BR slurpd (8)
+instance that handles that replication log.
.TP
.B replicationinterval
The number of seconds
.B slurpd
waits before checking the replogfile for changes.
+If it appears after a
+.B replogfile
+directive, the replication interval is specific to the
+.BR slurpd (8)
+instance that handles that replication log.
.TP
.B require <conditions>
Specify a set of conditions (separated by white space) to
require (default none).
-The directive may be specified globally and/or per-database.
+The directive may be specified globally and/or per-database;
+databases inherit global conditions, so per-database specifications
+are additive.
.B bind
requires bind operation prior to directory operations.
.B LDAPv3
The strong keyword allows protected "simple" authentication
as well as SASL authentication.
.B none
-may be used to require no conditions (useful for clearly globally
-set conditions within a particular database).
+may be used to require no conditions (useful to clear out globally
+set conditions within a particular database); it must occur first
+in the list of conditions.
.TP
.B reverse-lookup on | off
Enable/disable client name unverified reverse lookup (default is
.TP
.B threads <integer>
Specify the maximum size of the primary thread pool.
-The default is 16.
+The default is 16; the minimum value is 2.
.TP
.B timelimit {<integer>|unlimited}
.TP
.BR limits
for an explanation of the different flags.
.TP
-.B ucdata-path <path>
-Specify the path to the directory containing the Unicode character
-tables. The default path is DATADIR/ucdata.
+.B tool-threads <integer>
+Specify the maximum number of threads to use in tool mode.
+This should not be greater than the number of CPUs in the system.
+The default is 1.
+.\"ucdata-path is obsolete / ignored...
+.\".TP
+.\".B ucdata-path <path>
+.\"Specify the path to the directory containing the Unicode character
+.\"tables. The default path is DATADIR/ucdata.
.SH TLS OPTIONS
If
.B slapd
file. Currently, the private key must not be protected with a password, so
it is of critical importance that it is protected carefully.
.TP
+.B TLSDHParamFile <filename>
+This directive specifies the file that contains parameters for Diffie-Hellman
+ephemeral key exchange. This is required in order to use a DSA certificate on
+the server. If multiple sets of parameters are present in the file, all of
+them will be processed. Note that setting this option may also enable
+Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
+You should append "!ADH" to your cipher suites if you have changed them
+from the default, otherwise no certificate exchanges or verification will
+be done.
+.TP
.B TLSRandFile <filename>
Specifies the file to obtain random bits from when /dev/[u]random
is not available. Generally set to the name of the EGD/PRNGD socket.
.BR bdb ,
.BR config ,
.BR dnssrv ,
+.BR hdb ,
.BR ldap ,
.BR ldbm ,
.BR ldif ,
.BR bdb ,
.BR config ,
.BR dnssrv ,
+.BR hdb ,
.BR ldap ,
.BR ldbm ,
.BR ldif ,
.B slapd
will automatically maintain the
modifiersName, modifyTimestamp, creatorsName, and
-createTimestamp attributes for entries. By default, lastmod is on.
+createTimestamp attributes for entries. It also controls
+the entryCSN and entryUUID attributes, which are needed
+by the syncrepl provider. By default, lastmod is on.
.TP
.B limits <who> <limit> [<limit> [...]]
Specify time and size limits based on who initiated an operation.
Specifies the maximum number of aliases to dereference when trying to
resolve an entry, used to avoid infinite alias loops. The default is 1.
.TP
+.B mirrormode on | off
+This option puts a replica database into "mirror" mode. Update
+operations will be accepted from any user, not just the updatedn. The
+database must already be configured as a slurpd or syncrepl consumer
+before this keyword may be set. This mode must be used with extreme
+care, as it does not offer any consistency guarantees.
+By default, mirrormode is off.
+.TP
.B overlay <overlay-name>
Add the specified overlay to this database. An overlay is a piece of
code that intercepts database operations in order to extend or change
.B bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
.B [authcId=<authentication ID>] [authzId=<authorization ID>]
-.B [attr[!]=<attr list>]
+.B [attr
s[!]=<attr list>]
.RS
Specify a replication site for this database. Refer to the "OpenLDAP
Administrator's Guide" for detailed information on setting up a replicated
An
.B attr list
can be given after the
-.B attr
+.B attrs
keyword to allow the selective replication of the listed attributes only;
if the optional
.B !
required for each database definition.
If the suffix of one database is "inside" that of another, the database
with the inner suffix must come first in the configuration file.
+.TP
+.B subordinate [advertise]
+Specify that the current backend database is a subordinate of another
+backend database. A subordinate database may have only one suffix. This
+option may be used to glue multiple databases into a single namingContext.
+If the suffix of the current database is within the namingContext of a
+superior database, searches against the superior database will be
+propagated to the subordinate as well. All of the databases
+associated with a single namingContext should have identical rootdns.
+Behavior of other LDAP operations is unaffected by this setting. In
+particular, it is not possible to use moddn to move an entry from
+one subordinate to another subordinate within the namingContext.
+
+If the optional \fBadvertise\fP flag is supplied, the naming context of
+this database is advertised in the root DSE. The default is to hide this
+database context, so that only the superior context is visible.
+
+If the slap tools
+.BR slapcat (8),
+.BR slapadd (8),
+or
+.BR slapindex (8)
+are used on the superior database, any glued subordinates that support
+these tools are opened as well.
+
+Databases that are glued together should usually be configured with the
+same indices (assuming they support indexing), even for attributes that
+only exist in some of these databases. In general, all of the glued
+databases should be configured as similarly as possible, since the intent
+is to provide the appearance of a single directory.
+
+Note that the \fIsubordinate\fP functionality is implemented internally
+by the \fIglue\fP overlay and as such its behavior will interact with other
+overlays in use. By default, the glue overlay is automatically configured as
+the last overlay on the superior backend. Its position on the backend
+can be explicitly configured by setting an \fBoverlay glue\fP directive
+at the desired position. This explicit configuration is necessary e.g.
+when using the \fIsyncprov\fP overlay, which needs to follow \fIglue\fP
+in order to work over all of the glued databases. E.g.
+.RS
+.nf
+ database bdb
+ suffix dc=example,dc=com
+ ...
+ overlay glue
+ overlay syncprov
+.fi
+.RE
.HP
.hy 0
.B syncrepl rid=<replica ID>
.B provider=ldap[s]://<hostname>[:port]
+.B searchbase=<base DN>
.B [type=refreshOnly|refreshAndPersist]
.B [interval=dd:hh:mm:ss]
.B [retry=[<retry interval> <# of retries>]+]
-.B [searchbase=<base DN>]
.B [filter=<filter str>]
-.B [scope=sub|one|base]
+.B [scope=sub|one|base|subord]
.B [attrs=<attr list>]
.B [attrsonly]
.B [sizelimit=<limit>]
.B [timelimit=<limit>]
.B [schemachecking=on|off]
-.B [starttls=yes|critical]
.B [bindmethod=simple|sasl]
.B [binddn=<dn>]
.B [saslmech=<mech>]
.B [credentials=<passwd>]
.B [realm=<realm>]
.B [secprops=<properties>]
+.B [starttls=yes|critical]
+.B [tls_cert=<file>]
+.B [tls_key=<file>]
+.B [tls_cacert=<file>]
+.B [tls_cacertdir=<path>]
+.B [tls_reqcert=never|allow|try|demand]
+.B [tls_ciphersuite=<ciphers>]
+.B [tls_crlcheck=none|peer|all]
+.B [logbase=<base DN>]
+.B [logfilter=<filter str>]
+.B [syncdata=default|accesslog|changelog]
.RS
Specify the current database as a replica which is kept up-to-date with the
master content by establishing the current
.B searchbase, scope, filter, attrs, attrsonly, sizelimit,
and
.B timelimit
-parameters as in the normal search specification.
-The search specification for the LDAP Content Synchronization operation
-has the same value syntax and the same default values as in the
-.BR ldapsearch (1)
-client search tool.
+parameters as in the normal search specification.
+The \fBscope\fP defaults to \fBsub\fP, the \fBfilter\fP defaults to
+\fB(objectclass=*)\fP, and there is no default \fBsearchbase\fP. The
+\fBattrs\fP list defaults to \fB"*,+"\fP to return all user and operational
+attributes, and \fBattrsonly\fP is unset by default.
+The \fBsizelimit\fP and \fBtimelimit\fP only
+accept "unlimited" and positive integers, and both default to "unlimited".
The LDAP Content Synchronization protocol has two operation types.
In the
.B refreshOnly
consumer site by turning on the
.B schemachecking
parameter. The default is off.
-The
-.B starttls
-parameter specifies use of the StartTLS extended operation
-to establish a TLS session before Binding to the provider. If the
-.B critical
-argument is supplied, the session will be aborted if the StartTLS request
-fails. Otherwise the syncrepl session continues without TLS.
A
.B bindmethod
of
option. A non default SASL realm can be set with the
.B realm
option.
+
+The
+.B starttls
+parameter specifies use of the StartTLS extended operation
+to establish a TLS session before Binding to the provider. If the
+.B critical
+argument is supplied, the session will be aborted if the StartTLS request
+fails. Otherwise the syncrepl session continues without TLS. Note that the
+main slapd TLS settings are not used by the syncrepl engine;
+by default the TLS parameters from ETCDIR/ldap.conf will be used.
+TLS settings may be specified here, in which case the ldap.conf settings
+will be completely ignored.
+
+Rather than replicating whole entries, the consumer can query logs of
+data modifications. This mode of operation is referred to as \fIdelta
+syncrepl\fP. In addition to the above parameters, the
+.B logbase
+and
+.B logfilter
+parameters must be set appropriately for the log that will be used. The
+.B syncdata
+parameter must be set to either "accesslog" if the log conforms to the
+.BR slapo-accesslog (5)
+log format, or "changelog" if the log conforms
+to the obsolete \fIchangelog\fP format. If the
+.B syncdata
+parameter is omitted or set to "default" then the log parameters are
+ignored.
.RE
.TP
.B updatedn <dn>
manual pages.
.TP
.B bdb
-This is the recommended backend for a normal slapd database.
-However, it takes more care than with the LDBM backend to configure
-it properly.
-It uses the Sleepycat Berkeley DB (BDB) package to store data.
+This is the recommended primary backend for a normal slapd database.
+It takes care to configure it properly.
+It uses the transactional database interface of the Sleepycat Berkeley
+DB (BDB) package to store data.
.TP
.B config
This backend is used to manage the configuration of slapd run-time.
It serves up referrals based upon SRV resource records held in the
Domain Name System.
.TP
+.B hdb
+This is a variant of the BDB backend that uses a hierarchical database
+layout which supports subtree renames.
+.TP
.B ldap
This backend acts as a proxy to forward incoming requests to another
LDAP server.
.TP
.B ldbm
-This is the database backend which is easiest to configure.
-However, it does not offer the data durability features of the BDB
-backend.
-It uses Berkeley DB or GDBM to store data.
+This is an easy-to-configure but obsolete database backend. It
+does not offer the data durability features of the BDB and HDB
+backends and hence is deprecated in favor of these robust backends.
+LDBM uses lightweight non-transactional DB interfaces,
+such as those providing by GDBM or Berkeley DB, to store data.
.TP
.B ldif
This database uses the filesystem to build the tree structure
of the database, using plain ascii files to store data.
-Its usage should be limited to very simple databases, where performances
-are not a requirement.
+Its usage should be limited to very simple databases, where performance
+is not a requirement.
.TP
.B meta
This backend performs basic LDAP proxying with respect to a set of
-remote LDAP servers. It is an enhancement of the ldap backend. The
-proxy cache extension of meta backend provides answering of search
-requests from the proxy using results of previously cached requests.
+remote LDAP servers. It is an enhancement of the ldap backend.
.TP
.B monitor
This backend provides information about the running status of the slapd
It runs Perl subroutines to implement LDAP operations.
.TP
.B relay
-This backend redirects LDAP operations to another database
+This backend is experimental.
+It redirects LDAP operations to another database
in the same server, based on the naming context of the request.
Its use requires the
.B rwm
overlay (see
.BR slapo-rwm (5)
for details) to rewrite the naming context of the request.
-It is is primarily intended to implement virtual views on databases
+It is primarily intended to implement virtual views on databases
that actually store data.
.TP
.B shell
.B sql
This backend is experimental.
It services LDAP requests from an SQL database.
+.SH OVERLAYS
+The following overlays can be compiled into slapd.
+They are documented in the
+.BR slapo-<overlay> (5)
+manual pages.
+.TP
+.B accesslog
+Access Logging.
+This overlay can record accesses to a given backend database on another
+database.
+.TP
+.B auditlog
+Audit Logging.
+This overlay records changes on a given backend database to an LDIF log
+file.
+By default it is not built.
+.TP
+.B chain
+Chaining.
+This overlay allows automatic referral chasing when a referral would
+have been returned, either when configured by the server or when
+requested by the client.
+.TP
+.B denyop
+Deny Operation.
+This overlay allows selected operations to be denied, similar to the
+\fBrestrict\fP option.
+.TP
+.B dyngroup
+Dynamic Group.
+This is a demo overlay which extends the Compare operation to detect
+members of a dynamic group.
+It has no effect on any other operations.
+.TP
+.B dynlist
+Dynamic List.
+This overlay allows expansion of dynamic groups and more.
+.TP
+.B lastmod
+Last Modification.
+This overlay maintains a service entry in the database with the DN,
+modification type, modifiersName and modifyTimestamp of the last write
+operation performed on that database.
+.TP
+.B pcache
+Proxycache.
+This overlay allows caching of LDAP search requests in a local database.
+It is most often used with the ldap or meta backends.
+.TP
+.B ppolicy
+Password Policy.
+This overlay provides a variety of password control mechanisms,
+e.g. password aging, password reuse and duplication control, mandatory
+password resets, etc.
+.TP
+.B refint
+Referential Integrity.
+This overlay can be used with a backend database such as
+.BR slapd-bdb (5)
+to maintain the cohesiveness of a schema which utilizes reference
+attributes.
+.TP
+.B retcode
+Return Code.
+This overlay is useful to test the behavior of clients when
+server-generated erroneous and/or unusual responses occur.
+.TP
+.B rwm
+Rewrite/remap.
+This overlay is experimental.
+It performs basic DN/data rewrite and
+objectClass/attributeType mapping.
+.TP
+.B syncprov
+Syncrepl Provider.
+This overlay implements the provider-side support for
+.B syncrepl
+replication, including persistent search functionality.
+.TP
+.B translucent
+Translucent Proxy.
+This overlay can be used with a backend database such as
+.BR slapd-bdb (5)
+to create a "translucent proxy".
+Content of entries retrieved from a remote LDAP server can be partially
+overridden by the database.
+.TP
+.B unique
+Attribute Uniqueness.
+This overlay can be used with a backend database such as
+.BR slapd-bdb (5)
+to enforce the uniqueness of some or all attributes within a subtree.
.SH EXAMPLES
.LP
Here is a short example of a configuration file:
# option ";x-hidden" can be searched for/compared,
# but are not shown. See \fBslapd.access\fP(5).
attributeoptions x-hidden lang-
-access to attr=name;x-hidden by * =cs
+access to attrs=name;x-hidden by * =cs
+
+# Protect passwords. See \fBslapd.access\fP(5).
+access to attrs=userPassword by * auth
+# Read access to other attributes and entries.
+access to * by * read
database bdb
suffix "dc=our-domain,dc=com"
"OpenLDAP Administrator's Guide" contains a longer annotated
example of a configuration file.
The original ETCDIR/slapd.conf is another example.
-.SH OBSOLETED DIRECTIVES
-.TP
-.B subordinate
-This directive was used in OpenLDAP 2.1 and 2.2 to glue a database
-with its superior. The same functionality is now provided by the
-.B glue
-overlay; see
-.BR slapo-glue (5)
-for details.
.SH FILES
.TP
ETCDIR/slapd.conf
.BR ldap (3),
.BR slapd\-bdb (5),
.BR slapd\-dnssrv (5),
+.BR slapd\-hdb (5),
.BR slapd\-ldap (5),
.BR slapd\-ldbm (5),
.BR slapd\-ldif (5),
.BR slurpd (8).
Known overlays are documented in
+.BR slapo\-accesslog (5),
+.BR slapo\-auditlog (5),
+.BR slapo\-chain (5),
+.BR slapo\-dynlist (5),
.BR slapo\-lastmod (5),
.BR slapo\-pcache (5),
.BR slapo\-ppolicy (5),
.BR slapo\-refint (5),
+.BR slapo\-retcode (5),
.BR slapo\-rwm (5),
+.BR slapo\-syncprov (5),
+.BR slapo\-translucent (5),
.BR slapo\-unique (5).
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
projects / openldap / blobdiff