.TH SLAPD.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2013 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2017 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
description.)
The slapd parser also honors the
.B X\-SUBST
-extension (an OpenLDAP-specific extension), which allows to use the
+extension (an OpenLDAP-specific extension), which allows one to use the
.B ldapsyntax
statement to define a non-implemented syntax along with another syntax,
the extension value
The
.I substitute-syntax
must be defined.
-This allows to define attribute types that make use of non-implemented syntaxes
+This allows one to define attribute types that make use of non-implemented syntaxes
using the correct syntax OID.
Unless
.B X\-SUBST
The desired log level can be input as a single integer that combines
the (ORed) desired levels, both in decimal or in hexadecimal notation,
as a list of integers (that are ORed internally),
-or as a list of the names that are shown between brackets, such that
+or as a list of the names that are shown between parentheses, such that
.LP
.nf
loglevel 129
default is empty, which just uses slapd's internal support. Usually
no other auxprop plugins are needed.
.TP
+.B sasl\-auxprops\-dontusecopy <attr> [...]
+Specify which attribute(s) should be subject to the don't use copy control. This
+is necessary for some SASL mechanisms such as OTP to work in a replicated
+environment. The attribute "cmusaslsecretOTP" is the default value.
+.TP
+.B sasl\-auxprops\-dontusecopy\-ignore on | off
+Used to disable replication of the attribute(s) defined by
+sasl-auxprops-dontusecopy and instead use a local value for the attribute. This
+allows the SASL mechanism to continue to work if the master is offline. This can
+cause replication inconsistency. Defaults to off.
+.TP
.B sasl\-host <fqdn>
Used to specify the fully qualified domain name used for SASL processing.
.TP
Specify an integer ID from 0 to 4095 for this server (limited
to 3 hexadecimal digits). The ID may also be specified as a
hexadecimal ID by prefixing the value with "0x".
-These IDs are
+Non-zero IDs are
required when using multimaster replication and each master must have a
-unique ID. Note that this requirement also applies to separate masters
+unique non-zero ID. Note that this requirement also applies to separate masters
contributing to a glued set of databases.
If the URL is provided, this directive may be specified
multiple times, providing a complete list of participating servers
and their IDs. The fully qualified hostname of each server should be
used in the supplied URLs. The IDs are used in the "replica id" field
-of all CSNs generated by the specified server. The default value is zero.
+of all CSNs generated by the specified server. The default value is zero, which
+is only valid for single master replication.
Example:
.LP
.nf
Specify the maximum size of the primary thread pool.
The default is 16; the minimum value is 2.
.TP
+.B threadqueues <integer>
+Specify the number of work queues to use for the primary thread pool.
+The default is 1 and this is typically adequate for up to 8 CPU cores.
+The value should not exceed the number of CPUs in the system.
+.TP
.B timelimit {<integer>|unlimited}
.TP
.B timelimit time[.{soft|hard}]=<integer> [...]
.nf
TLSCertificateFile my hardware device:Server-Cert
.fi
-Use certutil -L to list the certificates by name:
+Use certutil \-L to list the certificates by name:
.nf
- certutil -d /path/to/certdbdir -L
+ certutil \-d /path/to/certdbdir \-L
.fi
.TP
.B TLSCertificateKeyFile <filename>
a file that contains the password for the key for the certificate specified with
TLSCertificateFile. The modutil command can be used to turn off password
protection for the cert/key database. For example, if TLSCACertificatePath
-specifes /etc/openldap/certdb as the location of the cert/key database, use
+specifies /etc/openldap/certdb as the location of the cert/key database, use
modutil to change the password to the empty string:
.nf
- modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'
+ modutil \-dbdir /etc/openldap/certdb \-changepw 'NSS Certificate DB'
.fi
You must have the old password, if any. Ignore the WARNING about the running
browser. Press 'Enter' for the new password.
indicates that no limit is applied to the pagedResults control page size.
The syntax
.B size.prtotal={<integer>|unlimited|disabled}
-allows to set a limit on the total number of entries that a pagedResults
-control allows to return.
+allows one to set a limit on the total number of entries that the pagedResults
+control will return.
By default it is set to the
.B hard
limit.
(see above).
The
.B extended
-keyword allows to indicate the OID of the specific operation
+keyword allows one to indicate the OID of the specific operation
to be restricted.
.TP
.B rootdn <dn>
.B [filter=<filter str>]
.B [scope=sub|one|base|subord]
.B [attrs=<attr list>]
+.B [exattrs=<attr list>]
.B [attrsonly]
.B [sizelimit=<limit>]
.B [timelimit=<limit>]
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
-.B [tls_ciphersuite=<ciphers>]
+.B [tls_cipher_suite=<ciphers>]
.B [tls_crlcheck=none|peer|all]
.B [tls_protocol_min=<major>[.<minor>]]
.B [suffixmassage=<real DN>]
.B [logbase=<base DN>]
.B [logfilter=<filter str>]
.B [syncdata=default|accesslog|changelog]
+.B [lazycommit]
.RS
Specify the current database as a replica which is kept up-to-date with the
master content by establishing the current
will be enforced by the provider regardless of the limits requested
by the LDAP Content Synchronization operation, much like for any other
search operation.
+.B exattrs
+option may also be used to specify attributes that should be omitted
+from incoming entries.
+The \fBscope\fP defaults to \fBsub\fP, the \fBfilter\fP defaults to
+\fB(objectclass=*)\fP, and there is no default \fBsearchbase\fP. The
+\fBattrs\fP list defaults to \fB"*,+"\fP to return all user and operational
+attributes, and \fBattrsonly\fP and \fBexattrs\fP are unset by default.
+The \fBsizelimit\fP and \fBtimelimit\fP only
+accept "unlimited" and positive integers, and both default to "unlimited".
+Note, however, that any provider-side limits for the replication identity
+will be enforced by the provider regardless of the limits requested
+by the LDAP Content Synchronization operation, much like for any other
+search operation.
The LDAP Content Synchronization protocol has two operation types.
In the
Further updates to the master replica will generate
.B searchResultEntry
to the consumer slapd as the search responses to the persistent
-synchronization search.
+synchronization search. If the initial search fails due to an error, the
+next synchronization search operation is periodically rescheduled at an
+interval time (specified by
+.B interval
+parameter; 1 day by default)
If an error occurs during replication, the consumer will attempt to
reconnect according to the
.B syncdata
parameter is omitted or set to "default" then the log parameters are
ignored.
+
+The
+.B lazycommit
+parameter tells the underlying database that it can store changes without
+performing a full flush after each change. This may improve performance
+for the consumer, while sacrificing safety or durability.
.RE
.TP
.B updatedn <dn>
projects / openldap / blobdiff