Specify a set of features (separated by white space) to
allow (default none).
.B bind_v2
-allows acceptance of LDAPv2 bind requests.
+allows acceptance of LDAPv2 bind requests. Note that
+.BR slapd (8)
+does not truely implement LDAPv2 (RFC 1777), now Historic (RFC 3494).
.B bind_anon_cred
allows anonymous bind when credentials are not empty (e.g.
when DN is empty).
.B concurrency <integer>
Specify a desired level of concurrency. Provided to the underlying
thread system as a hint. The default is not to provide any hint.
+.TP
+.B conn_max_pending <integer>
+Specify the maximum number of pending requests for an anonymous session.
+If requests are submitted faster than the server can process them, they
+will be queued up to this limit. If the limit is exceeded, the session
+is closed. The default is 100.
+.TP
+.B conn_max_pending_auth <integer>
+Specify the maximum number of pending requests for an authenticated session.
+The default is 1000.
.\".TP
.\".B debug <subsys> <level>
.\"Specify a logging level for a particular subsystem. The subsystems include
disables acceptance of anonymous bind requests.
.B bind_simple
disables simple (bind) authentication.
-.B bind_simple_unprotected
-disables simple (bind) authentication when confidentiality
-protection (e.g. TLS) is not in place. The
-.B security
-directive's
-.B simple_bind
-option provides fine grain control over the confidentiality
-protection required for simple bind.
.B bind_krbv4
disables Kerberos V4 (bind) authentication.
.B tls_2_anon
<style> ::= exact | base | one | subtree | children | regex | anonymous
.RE
-.B Anonymous
-is hit when a search is performed without prior binding;
+The term
+.B anonymous
+matches all unauthenticated clients.
+the term
.B users
-is hit when a search is performed by a successfully bound user;
+matches all authenticated clients;
otherwise a
.B regex
dn pattern is assumed unless otherwise specified by qualifying
cannot find a local database to handle a request.
If specified multiple times, each url is provided.
.TP
+.B replica-argsfile
+The ( absolute ) name of a file that will hold the
+.B slurpd
+server's command line options
+if started without the debugging command line option.
+.TP
+.B replica-pidfile
+The ( absolute ) name of a file that will hold the
+.B slurpd
+server's process ID ( see
+.BR getpid (2)
+) if started without the debugging command line option.
+.TP
.B require <conditions>
Specify a set of conditions (separated by white space) to
require (default none).
.B nodict
flag disables mechanisms susceptible to passive dictionary attacks.
The
-.B noanonyous
+.B noanonymous
flag disables mechanisms which support anonymous login.
The
.B forwardsec
modify the database will return an "unwilling to perform" error. By
default, readonly is off.
.HP
-.B replica host=<hostname>[:port] [tls=yes|critical]
+.B replica uri=ldap[s]://<hostname>[:port]|host=<hostname>[:port]
+.B [starttls=yes|critical]
.B [suffix=<suffix> [...]]
.B bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
directory service. Zero or more
.B suffix
instances can be used to select the subtrees that will be replicated
-(defaults to all the database). A
+(defaults to all the database).
+.B host
+is deprecated in favor of the
+.B uri
+option.
+.B uri
+allows the replica LDAP server to be specified as an LDAP URI.
+A
.B bindmethod
of
.B simple
.TP
.B updatedn <dn>
This option is only applicable in a slave
-.B slapd.
-It specifies the DN allowed to make changes to the replica (typically,
-this is the DN
+.B slapd.
+It specifies the DN permitted to update (subject to access controls)
+the replica (typically, this is the DN
.BR slurpd (8)
-binds as when making changes to the replica).
+binds to update the replica).
.TP
.B updateref <url>
Specify the referral to pass back when