-.TH SLAPD.CONF 5 "22 September 1998" "OpenLDAP LDVERSION"
+.TH SLAPD.CONF 5 "5 August 1999" "OpenLDAP LDVERSION"
+.\" $OpenLDAP$
+.\" Copyright 1998-2000 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.SH NAME
slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
.SH SYNOPSIS
.BR slapd (8)
daemon. This configuration file is also used by the
.BR slurpd (8)
-replication daemon and by the LDBM indexing utilities
-.BR ldif2ldbm (8),
-.BR ldif2index (8),
-.BR ldif2id2entry (8),
+replication daemon and by the SLAPD tools
+.BR slapadd (8),
+.BR slapcat (8),
and
-.BR ldif2id2children (8).
+.BR slapindex (8).
.LP
The
.B slapd.conf
actual text are shown in brackets <>.
.TP
.B
-access to <what> [ by <who> <accesslevel> ]+
-Grant access (specified by <accesslevel>) to a set of entries and/or
+access to <what> [ by <who> <access> <control> ]+
+Grant access (specified by <access>) to a set of entries and/or
attributes (specified by <what>) by one or more requestors (specified
-by <who>). Refer to "The SLAPD and SLURPD Administrator's Guide" for
-information on using the
-.B slapd
-access-control mechanisms.
+by <who>).
+See Developer's FAQ (http://www.openldap.org/faq/) for details.
.TP
.B
-attribute <name> [<name2>] { bin | ces | cis | tel | dn }
-Associate a syntax with an attribute name. By default, an
+attributetype ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE] \
+[SUP <oid>] [EQUALITY <oid>] [ORDERING <oid>] [SUBSTR <oid>] \
+[SYNTAX <oidlen>] [SINGLE-VALUE] [COLLECTIVE] [NO-USER-MODIFICATION] \
+[USAGE <attributeUsage>] )
+Specify an attribute type using the LDAPv3 syntax defined in RFC 2252.
+This is the preferred format for attribute type definitions. The slapd
+parser extends the RFC 2252 definition by allowing string forms as well
+as numeric OIDs to be used for the attribute OID and attribute syntax OID.
+(See the
+.B objectidentifier
+description.) Currently the syntax name parser is case-sensitive.
+The known syntax names are:
+.RS
+.RS
+.PD 0
+AttributeTypeDescription Audio Binary BitString Certificate CertificateList
+CertificatePair DN DeliveryMethod DirectoryString DITContentRuleDescription
+DITStructureRuleDescription EnhancedGuide FacsimileTelephoneNumber
+GeneralizedTime Guide IA5String Integer MatchingRuleDescription
+MatchingRuleUseDescription MailPreference NameAndOptionalUUID
+NameFormDescription NumericString ObjectClassDescription OID
+OtherMailbox OctetString PostalAddress ProtocolInformation
+PresentationAddress PrintableString SupportedAlgorithm TelephoneNumber
+TeletexTerminalIdentifier TelexNumber UTCTime LDAPSyntaxDescription
+SubstringAssertion NISnetgrouptriple Bootparameter
+.PD
+.RE
+.RE
+.TP
+.B
+attribute[type] <name> [<name2>] { bin | ces | cis | tel | dn }
+Associate a syntax with an attribute name. This directive is deprecated
+in favor of the one above. By default, an
attribute is assumed to have syntax
.BR cis .
An optional alternate name can be
.RE
.TP
.B
-defaultaccess { none | compare | search | read | write | delete }
-Specify the default access to grant requestors not matched by
-any other access line. The default behavior is to grant read access.
+defaultaccess { none | auth | compare | search | read | write }
+Specify the default access level to grant requestors when
+no access directives were provided for the database.
+The default behavior is to grant 'read' access. It is
+recommended that
+.B access
+directives be used instead.
+.TP
+.B idletimeout <integer>
+Specify the number of seconds to wait before forcibly closing
+an idle client connections. A idletimeout of 0 disables this
+feature. The default is 0.
.TP
.B include <filename>
Read additional configuration information from the given file before
continuing with the next line of the current file.
.TP
+.B pidfile <filename>
+The ( absolute ) name of a file that will hold the
+.B slapd
+server's process ID ( see
+.BR getpid (2)
+) if started without the debugging command line option.
+.TP
+.B argsfile <filename>
+The ( absolute ) name of a file that will hold the
+.B slapd
+server's command line options
+if started without the debugging command line option.
+.TP
+.B
+locale { <locale-name> | on | off }
+Obey <locale-name>'s character classification and case conversion; i.e. the
+.BR locale (5)
+LC_CTYPE category. See
+.BR locale (5)
+for details about locales. "on" takes the locale from the environment,
+typically $LANG or $LC_CTYPE, and will only work properly if slapd will
+run with the same environment variables as when the database was
+generated. "off" (the default setting) resets to the initial "C" locale.
+.TP
.B loglevel <integer>
Specify the level at which debugging statements and operation
statistics should be syslogged (currently logged to the
.RE
.TP
.B
+objectclass ( <oid> [NAME <name>] [DESC <description] [OBSOLETE] \
+[SUP <oids>] [{ ABSTRACT | STRUCTURAL | AUXILIARY }] [MUST <oids>] \
+[MAY <oids>] )
+Specify an objectclass using the LDAPv3 syntax defined in RFC 2252.
+This is the preferred format for object class definitions. The slapd
+parser extends the RFC 2252 definition by allowing string forms as well
+as numeric OIDs to be used for the object class OID. (See the
+.B
+objectidentifier
+description.) Object classes are "STRUCTURAL" by default.
+.TP
+.B
objectclass <name> requires <attrs> allows <attrs>
Define the schema rules for the object class named <name>. These are
-used in conjunction with the schemacheck option.
+used in conjunction with the schemacheck option. This directive is
+deprecated in favor of the one above.
+.TP
+.B objectidentifier <name> { <oid> | <name>[:<suffix>] }
+Define a string name that equates to the given OID. The string can be used
+in place of the numeric OID in objectclass and attribute definitions. The
+name can also be used with a suffix of the form ":xx" in which case the
+value "oid.xx" will be used.
.TP
.B referral <url>
Specify the referral to pass back when
.BR slapd (8)
cannot find a local database to handle a request.
+If specified multiple times, each url is provided.
.TP
.B schemacheck { on | off }
-Turn schema checking on or off. The default is off.
+Turn schema checking on or off. The default is on.
.TP
.B sizelimit <integer>
Specify the maximum number of entries to return from a search operation.
Specify the maximum number of seconds (in real time)
.B slapd
will spend answering a search request. The default time limit is 3600.
+.SH TLS OPTIONS
+If
+.B slapd
+is build with support for Transport Layer Security, there are more options
+you can specify.
+.TP
+.B TLSCipherSuite <cipher-suite-spec>
+Permits configuring what ciphers will be accepted and the preference order.
+<cipher-suite-spec> should be a cipher specification for OpenSSL. Example:
+
+TLSCipherSuite HIGH:MEDIUM:+SSLv2
+
+To check what ciphers a given spec selects, use:
+
+openssl ciphers -v <cipher-suite-spec>
+.TP
+.B TLSCertificateFile <filename>
+Specifies the file that contains the
+.B slapd
+server certificate.
+.TP
+.B TLSCertificateKeyFile <filename>
+Specifies the file that contains the
+.B slapd
+server private key that matches the certificate stored in the
+.B TLSCertificateFile
+file. Currently, the private key must not be protected with a password, so
+it is of critical importance that it is protected carefully.
.SH GENERAL BACKEND OPTIONS
Options in this section only apply to the configuration file section
for the backend in which they are defined. They are supported by every
.B slapd
will automatically maintain the
modifiersName, modifyTimestamp, creatorsName, and
-createTimestamp attributes for entries. By default, lastmod is off.
+createTimestamp attributes for entries. By default, lastmod is on.
.TP
.B readonly on | off
This option puts the database into "read-only" mode. Any attempts to
.TP
.B rootpw <password>
Specify a password (or hash of the password) for the rootdn.
-This option accepts all password formats known to the server
-including \fB{SHA}\fP, \fB{MD5}\fP, \fB{CRYPT}\fP, and cleartext.
-Cleartext passwords are not recommended.
+This option accepts all RFC 2307 userPassword formats known to
+the server including \fB{SSHA}\fP, \fB{SHA}\fP, \fB{SMD5}\fP,
+\fB{MD5}\fP, \fB{CRYPT}\fP, and cleartext schemes. Cleartext
+passwords are not recommended.
.TP
.B suffix <dn suffix>
Specify the DN suffix of queries that will be passed to this
this is the DN
.BR slurpd (8)
binds as when making changes to the replica).
+.TP
+.B updateref <url>
+Specify the referral to pass back when
+.BR slapd (8)
+is asked to modify a replicated local database.
+If specified multiple times, each url is provided.
.SH LDBM BACKEND-SPECIFIC OPTIONS
Options in this category only apply to the LDBM backend database. That is,
they must follow a "database ldbm" line and come before any subsequent
with each open index file. If not supported by the underlying database
method, this option is ignored without comment. The default is 100000 bytes.
.TP
-.B dbcachenowsync
-Specify that database writes should not be immediately synchronized
-with in memory changes. Enabling this option may improve performance
-at the expense of data security.
+.B dbnolocking
+Specify that no database locking should be performed.
+Enabling this option may improve performance at the expense of data security.
+.B dbnosync
+Specify that on-disk database contents should not be immediately
+synchronized with in memory changes. Enabling this option may improve
+performance at the expense of data security.
.TP
.B directory <directory>
-Specify the directory where the LDBM files containing the database and
-associated indexes live. The default is
-.B /usr/tmp.
+Specify the directory where the LDBM files containing this database and
+associated indexes live. A separate directory must be specified for
+each database. The default is
+.BR LOCALSTATEDIR/openldap-ldbm .
.TP
.B
index { <attrlist> | default } [ pres,eq,approx,sub,none ]
.SH SEE ALSO
.BR ldap (3),
.BR slapd.replog (5),
+.BR locale (5),
.BR passwd (5),
.BR slapd (8),
+.BR slapadd (8),
+.BR slapcat (8),
+.BR slapindex (8),
.BR slurpd (8),
.LP
"The SLAPD and SLURPD Administrator's Guide"
projects / openldap / blobdiff