.B ETCDIR/slapd.conf
contains configuration information for the
.BR slapd (8)
-daemon. This configuration file is also used by the
-.BR slurpd (8)
-replication daemon and by the SLAPD tools
+daemon. This configuration file is also used by the SLAPD tools
.BR slapacl (8),
.BR slapadd (8),
.BR slapauth (8),
Read additional configuration information from the given file before
continuing with the next line of the current file.
.TP
+.B index_intlen <integer>
+Specify the key length for ordered integer indices. The most significant
+bytes of the binary integer will be used for index keys. The default
+value is 4, which provides exact indexing for 31 bit values.
+A floating point representation is used to index too large values.
+.TP
.B index_substr_if_minlen <integer>
Specify the minimum length for subinitial and subfinal indices. An
attribute value must have at least this many characters in order to be
using this filter "cn=*abcdefgh*" would generate index lookups for
"abcd", "cdef", and "efgh".
-.\"-- NEW_LOGGING option --
-.\".TP
-.\".B logfile <filename>
-.\"Specify a file for recording debug log messages. By default these messages
-.\"only go to stderr and are not recorded anywhere else. Specifying a logfile
-.\"copies messages to both stderr and the logfile.
+.LP
+Note: Indexing support depends on the particular backend in use. Also,
+changing these settings will generally require deleting any indices that
+depend on these parameters and recreating them with
+.BR slapindex (8).
+
.TP
.B localSSF <SSF>
Specifies the Security Strength Factor (SSF) to be given local LDAP sessions,
.B minssf
option description. The default is 71.
.TP
+.B logfile <filename>
+Specify a file for recording debug log messages. By default these messages
+only go to stderr and are not recorded anywhere else. Specifying a logfile
+copies messages to both stderr and the logfile.
+.TP
.B loglevel <integer> [...]
Specify the level at which debugging statements and operation
statistics should be syslogged (currently logged to the
They must be considered subsystems rather than increasingly verbose
log levels.
Some messages with higher priority are logged regardless
-of the configured loglevel as soon as some logging is configured,
-otherwise anything is logged at all.
+of the configured loglevel as soon as any logging is configured.
Log levels are additive, and available levels are:
.RS
.RS
.TP
.B 256
.B (0x100 stats)
-stats log connections/operations/results
+connections, LDAP operations, results (recommended)
.TP
.B 512
.B (0x200 stats2)
.BR none ,
or the equivalent integer representation, causes those messages
that are logged regardless of the configured loglevel to be logged.
-In fact, if no loglevel (or a 0 level) is defined, no logging occurs,
+In fact, if loglevel is set to 0, no logging occurs,
so at least the
.B none
level is required to have high priority messages logged.
+
+The loglevel defaults to \fBstats\fP.
+This level should usually also be included when using other loglevels, to
+help analyze the logs.
.RE
.TP
.B moduleload <filename>
cannot find a local database to handle a request.
If specified multiple times, each url is provided.
.TP
-.B replica-argsfile
-The ( absolute ) name of a file that will hold the
-.B slurpd
-server's command line options
-if started without the debugging command line option.
-If it appears after a
-.B replogfile
-directive, the args file is specific to the
-.BR slurpd (8)
-instance that handles that replication log.
-.TP
-.B replica-pidfile
-The ( absolute ) name of a file that will hold the
-.B slurpd
-server's process ID ( see
-.BR getpid (2)
-) if started without the debugging command line option.
-If it appears after a
-.B replogfile
-directive, the pid file is specific to the
-.BR slurpd (8)
-instance that handles that replication log.
-.TP
-.B replicationinterval
-The number of seconds
-.B slurpd
-waits before checking the replogfile for changes.
-If it appears after a
-.B replogfile
-directive, the replication interval is specific to the
-.BR slurpd (8)
-instance that handles that replication log.
-.TP
.B require <conditions>
Specify a set of conditions (separated by white space) to
require (default none).
Specify the name of an LDIF(5) file containing user defined attributes
for the root DSE. These attributes are returned in addition to the
attributes normally produced by slapd.
+
+The root DSE is an entry with information about the server and its
+capabilities, in operational attributes.
+It has the empty DN, and can be read with e.g.:
+.ti +4
+ldapsearch -x -b "" -s base "+"
+.br
+See RFC 4512 section 5.1 for details.
.TP
.B sasl-host <fqdn>
Used to specify the fully qualified domain name used for SASL processing.
factor is measure of security provided by the underlying transport,
e.g. ldapi:// (and eventually IPSEC). It is not normally used.
.TP
+.B serverID <integer> [<URL>]
+Specify an integer ID from 0 to 4095 for this server (limited
+to 3 hexadecimal digits).
+These IDs are
+required when using multimaster replication and each master must have a
+unique ID. If the URL is provided, this directive may be specified
+multiple times, providing a complete list of participating servers
+and their IDs. The fully qualified hostname of each server should be
+used in the supplied URLs. The IDs are used in the "replica id" field
+of all CSNs generated by the specified server. The default value is zero.
+Example:
+.LP
+.nf
+ serverID 1
+.fi
+.TP
.B sizelimit {<integer>|unlimited}
.TP
.B sizelimit size[.{soft|hard|unchecked}]=<integer> [...]
Specify the maximum incoming LDAP PDU size for authenticated sessions.
The default is 4194303.
.TP
+.B sortvals <attr> [...]
+Specify a list of multi-valued attributes whose values will always
+be maintained in sorted order. Using this option will allow Modify,
+Compare, and filter evaluations on these attributes to be performed
+more efficiently. The resulting sort order depends on the
+attributes' syntax and matching rules and may not correspond to
+lexical order or any other recognizable order.
+.TP
.B threads <integer>
Specify the maximum size of the primary thread pool.
The default is 16; the minimum value is 2.
To check what ciphers a given spec selects, use:
-openssl ciphers -v <cipher-suite-spec>
+.nf
+ openssl ciphers -v <cipher-suite-spec>
+.fi
+
+To obtain the list of ciphers in GNUtls use:
+
+.nf
+ gnutls-cli -l
+.fi
+
.TP
.B TLSCACertificateFile <filename>
Specifies the file that contains certificates for all of the Certificate
.B TLSCACertificatePath <path>
Specifies the path of a directory that contains Certificate Authority
certificates in separate individual files. Usually only one of this
-or the TLSCACertificateFile is used.
+or the TLSCACertificateFile is used. This directive is not supported
+when using GNUtls.
.TP
.B TLSCertificateFile <filename>
Specifies the file that contains the
Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
You should append "!ADH" to your cipher suites if you have changed them
from the default, otherwise no certificate exchanges or verification will
-be done.
+be done. When using GNUtls these parameters are always generated randomly so
+this directive is ignored.
.TP
.B TLSRandFile <filename>
Specifies the file to obtain random bits from when /dev/[u]random
is not available. Generally set to the name of the EGD/PRNGD socket.
The environment variable RANDFILE can also be used to specify the filename.
+This directive is ignored with GNUtls.
.TP
.B TLSVerifyClient <level>
Specifies what checks to perform on client certificates in an
used to verify if the client certificates have not been revoked. This
requires
.B TLSCACertificatePath
-parameter to be set.
+parameter to be set. This directive is ignored with GNUtls.
.B <level>
can be specified as one of the following keywords:
.RS
.B all
Check the CRL for a whole certificate chain
.RE
+.TP
+.B TLSCRLFile <filename>
+Specifies a file containing a Certificate Revocation List to be used
+for verifying that certificates have not been revoked. This directive is
+only valid when using GNUtls.
.SH GENERAL BACKEND OPTIONS
Options in this section only apply to the configuration file section
for the specified backend. They are supported by every
.BR dnssrv ,
.BR hdb ,
.BR ldap ,
-.BR ldbm ,
.BR ldif ,
.BR meta ,
.BR monitor ,
.BR dnssrv ,
.BR hdb ,
.BR ldap ,
-.BR ldbm ,
.BR ldif ,
.BR meta ,
.BR monitor ,
.BR sql ,
depending on which backend will serve the database.
.TP
+.B hidden on | off
+Controls whether the database will be used to answer
+queries. A database that is hidden will never be
+selected to answer any queries, and any suffix configured
+on the database will be ignored in checks for conflicts
+with other databases. By default, hidden is off.
+.TP
.B lastmod on | off
Controls whether
.B slapd
size limit of regular searches unless extended by the
.B prtotal
switch.
+
+The \fBlimits\fP statement is typically used to let an unlimited
+number of entries be returned by searches performed
+with the identity used by the consumer for synchronization purposes
+by means of the RFC 4533 LDAP Content Synchronization protocol
+(see \fBsyncrepl\fP for details).
.RE
.TP
.B maxderefdepth <depth>
Specifies the maximum number of aliases to dereference when trying to
-resolve an entry, used to avoid infinite alias loops. The default is 1.
+resolve an entry, used to avoid infinite alias loops. The default is 15.
.TP
.B mirrormode on | off
This option puts a replica database into "mirror" mode. Update
operations will be accepted from any user, not just the updatedn. The
-database must already be configured as a slurpd or syncrepl consumer
-before this keyword may be set. This mode must be used with extreme
-care, as it does not offer any consistency guarantees. This feature
-is intended to be used with an external frontend that guarantees that
-writes are only directed to a single master, switching to an alternate
-server only if the original master goes down.
+database must already be configured as a syncrepl consumer
+before this keyword may be set. This mode also requires a
+.B serverID
+(see above) to be configured.
By default, mirrormode is off.
.TP
+.B monitoring on | off
+This option enables database-specific monitoring in the entry related
+to the current database in the "cn=Databases,cn=Monitor" subtree
+of the monitor database, if the monitor database is enabled.
+Currently, only the BDB and the HDB databases provide database-specific
+monitoring.
+The default depends on the backend type.
+.TP
.B overlay <overlay-name>
Add the specified overlay to this database. An overlay is a piece of
code that intercepts database operations in order to extend or change
will receive control last of all. See the
.BR slapd.overlays (5)
manual page for an overview of the available overlays.
+Note that all of the database's
+regular settings should be configured before any overlay settings.
.TP
.B readonly on | off
This option puts the database into "read-only" mode. Any attempts to
are (are not) replicated.
.RE
.TP
-.B replogfile <filename>
-Specify the name of the replication log file to log changes to.
-The replication log is typically written by
-.BR slapd (8)
-and read by
-.BR slurpd (8).
-See
-.BR slapd.replog (5)
-for more information. The specified file should be located
-in a directory with limited read/write/execute access as the replication
-logs may contain sensitive information.
-.TP
.B restrict <oplist>
Specify a whitespace separated list of operations that are restricted.
If defined inside a database specification, restrictions apply only
a namingContext (suffix) of the database, a simple bind password
may also be provided using the
.B rootpw
-directive. Note that the rootdn is always needed when using syncrepl.
+directive. Many optional features, including syncrepl, require the
+rootdn to be defined for the database.
.TP
.B rootpw <password>
Specify a password (or hash of the password) for the rootdn. The
identifies the current
.B syncrepl
directive within the replication consumer site.
-It is a non-negative integer having no more than three digits.
+It is a non-negative integer not greater than 4095 (limited
+to three hexadecimal digits).
.B provider
specifies the replication provider site containing the master content
will send search requests to the provider
.B slapd
according to the search specification. The search specification includes
-.B searchbase, scope, filter, attrs, attrsonly, sizelimit,
+.BR searchbase ", " scope ", " filter ", " attrs ", " attrsonly ", " sizelimit ", "
and
.B timelimit
parameters as in the normal search specification.
The \fBscope\fP defaults to \fBsub\fP, the \fBfilter\fP defaults to
-\fB(objectclass=*)\fP, and there is no default \fBsearchbase\fP. The
+\fB(objectclass=*)\fP, while there is no default \fBsearchbase\fP. The
\fBattrs\fP list defaults to \fB"*,+"\fP to return all user and operational
attributes, and \fBattrsonly\fP is unset by default.
The \fBsizelimit\fP and \fBtimelimit\fP only
accept "unlimited" and positive integers, and both default to "unlimited".
+The \fBsizelimit\fP and \fBtimelimit\fP parameters define
+a consumer requested limitation on the number of entries that can be returned
+by the LDAP Content Synchronization operation; as such, it is intended
+to implement partial replication based on the size of the replicated database
+and on the time required by the synchronization.
Note, however, that any provider-side limits for the replication identity
will be enforced by the provider regardless of the limits requested
by the LDAP Content Synchronization operation, much like for any other
The schema checking can be enforced at the LDAP Sync
consumer site by turning on the
.B schemachecking
-parameter. The default is off.
+parameter. The default is \fBoff\fP.
+Schema checking \fBon\fP means that replicated entries must have
+a structural objectClass, must obey to objectClass requirements
+in terms of required/allowed attributes, and that naming attributes
+and distinguished values must be present.
+As a consequence, schema checking should be \fBoff\fP when partial
+replication is used.
A
.B bindmethod
.B credentials
and should only be used when adequate security services
(e.g. TLS or IPSEC) are in place.
+.B REMEMBER: simple bind credentials must be in cleartext!
A
.B bindmethod
of
option. A non default SASL realm can be set with the
.B realm
option.
+The identity used for synchronization by the consumer should be allowed
+to receive an unlimited number of entries in response to a search request.
The provider, other than allow authentication of the syncrepl identity,
should grant that identity appropriate access privileges to the data
that is being replicated (\fBaccess\fP directive), and appropriate time
-and size limits (\fBlimits\fP directive).
-
+and size limits.
+This can be accomplished by either allowing unlimited \fBsizelimit\fP
+and \fBtimelimit\fP, or by setting an appropriate \fBlimits\fP statement
+in the consumer's configuration (see \fBsizelimit\fP and \fBlimits\fP
+for details).
The
.B starttls
to establish a TLS session before Binding to the provider. If the
.B critical
argument is supplied, the session will be aborted if the StartTLS request
-fails. Otherwise the syncrepl session continues without TLS. Note that the
-main slapd TLS settings are not used by the syncrepl engine;
-by default the TLS parameters from ETCDIR/ldap.conf will be used.
-TLS settings may be specified here, in which case the ldap.conf settings
-will be completely ignored.
+fails. Otherwise the syncrepl session continues without TLS. The
+tls_reqcert setting defaults to "demand" and the other TLS settings
+default to the same as the main slapd TLS settings.
Rather than replicating whole entries, the consumer can query logs of
data modifications. This mode of operation is referred to as \fIdelta
.TP
.B updatedn <dn>
This option is only applicable in a slave
-database updated using
-.BR slurpd(8).
+database.
It specifies the DN permitted to update (subject to access controls)
-the replica (typically, this is the DN
-.BR slurpd (8)
-binds to update the replica). Generally, this DN
+the replica. It is only needed in certain push-mode
+replication scenarios. Generally, this DN
.I should not
be the same as the
.B rootdn
.RS
.nf
include SYSCONFDIR/schema/core.schema
-pidfile LOCALSTATEDIR/slapd.pid
+pidfile LOCALSTATEDIR/run/slapd.pid
# Subtypes of "name" (e.g. "cn" and "ou") with the
# option ";x-hidden" can be searched for/compared,
.BR slapdn (8),
.BR slapindex (8),
.BR slappasswd (8),
-.BR slaptest (8),
-.BR slurpd (8).
+.BR slaptest (8).
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
.SH ACKNOWLEDGEMENTS
-.B OpenLDAP
-is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
-.B OpenLDAP
-is derived from University of Michigan LDAP 3.3 Release.
+.so ../Project
projects / openldap / blobdiff