.TH SLAPD.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2002 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2003 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
# comment - these options apply to every database
<global configuration options>
# first database definition & configuration options
- database <backend 1 type>
+ database <backend 1 type>
<configuration options specific to backend 1>
# subsequent database definitions & configuration options
...
Specify a set of features (separated by white space) to
allow (default none).
.B bind_v2
-allows acceptance of LDAPv2 bind requests.
+allows acceptance of LDAPv2 bind requests. Note that
+.BR slapd (8)
+does not truely implement LDAPv2 (RFC 1777), now Historic (RFC 3494).
.B bind_anon_cred
allows anonymous bind when credentials are not empty (e.g.
when DN is empty).
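Review bot: typo in the added bind_v2 text, "truely" should be "truly". The added sentence would also be clearer if it said what the flag does and does not buy the client: it only lets slapd accept an LDAPv2 bind request, it does not make the server an LDAPv2 implementation, so administrators should not enable it expecting v2 semantics elsewhere (for example "Note that slapd(8) accepts the v2 bind but does not truly implement LDAPv2 (RFC 1777), now Historic (RFC 3494).").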
.B concurrency <integer>
Specify a desired level of concurrency. Provided to the underlying
thread system as a hint. The default is not to provide any hint.
+.TP
+.B conn_max_pending <integer>
+Specify the maximum number of pending requests for an anonymous session.
+If requests are submitted faster than the server can process them, they
+will be queued up to this limit. If the limit is exceeded, the session
+is closed. The default is 100.
+.TP
+.B conn_max_pending_auth <integer>
+Specify the maximum number of pending requests for an authenticated session.
+The default is 1000.
.\".TP
.\".B debug <subsys> <level>
.\"Specify a logging level for a particular subsystem. The subsystems include
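Review bot: the conn_max_pending_auth entry does not say what happens when its limit is exceeded; only the anonymous entry states that requests are queued up to the limit and the session is closed beyond it. Suggest making the second entry self-contained, e.g. "Specify the maximum number of pending requests for an authenticated session. Requests are queued and the session is closed on overflow as for conn_max_pending. The default is 1000." It would also help readers to say explicitly that these are flood-control limits (a client that pipelines more requests than the server can drain is disconnected instead of being allowed to queue without bound), since that is why the anonymous default (100) is deliberately lower than the authenticated one (1000).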
disables acceptance of anonymous bind requests.
.B bind_simple
disables simple (bind) authentication.
-.B bind_simple_unprotected
-disables simple (bind) authentication when confidentiality
-protection (e.g. TLS) is not in place. The
-.B security
-directive's
-.B simple_bind
-option provides fine grain control over the confidentiality
-protection required for simple bind.
.B bind_krbv4
disables Kerberos V4 (bind) authentication.
.B tls_2_anon
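Review bot: deleting the bind_simple_unprotected entry also deletes the only pointer in this section to the security directive's simple_bind option, which the removed text names as the fine-grained replacement. An administrator upgrading a configuration that used "disallow bind_simple_unprotected" is left with no hint of where the control moved, and the failure mode is simple binds sending passwords without confidentiality protection. Suggest keeping a one-line cross-reference under bind_simple, e.g. "To require confidentiality protection (e.g. TLS) for simple bind, use the simple_bind option of the security directive.", and, if the parser still accepts bind_simple_unprotected, documenting it as deprecated rather than silently dropping it.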
<style> ::= exact | base | one | subtree | children | regex | anonymous
.RE
-.B Anonymous
-is hit when a search is performed without prior binding;
+The term
+.B anonymous
+matches all unauthenticated clients.
+the term
.B users
-is hit when a search is performed by a successfully bound user;
+matches all authenticated clients;
otherwise a
.B regex
dn pattern is assumed unless otherwise specified by qualifying
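Review bot: punctuation mismatch in the added lines: "matches all unauthenticated clients." ends with a period but the next line starts lowercase with "the term", while the parallel clause ends "matches all authenticated clients;". Either end the anonymous clause with a semicolon and keep the lowercase continuation, or capitalize "The term", so that anonymous, users and the trailing "otherwise a regex dn pattern is assumed" read as one parallel list of cases.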
cannot find a local database to handle a request.
If specified multiple times, each url is provided.
.TP
+.B replica-argsfile
+The ( absolute ) name of a file that will hold the
+.B slurpd
+server's command line options
+if started without the debugging command line option.
+.TP
+.B replica-pidfile
+The ( absolute ) name of a file that will hold the
+.B slurpd
+server's process ID ( see
+.BR getpid (2)
+) if started without the debugging command line option.
+.TP
.B require <conditions>
Specify a set of conditions (separated by white space) to
require (default none).
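Review bot: the spaced parentheses in the new replica-argsfile and replica-pidfile entries, "( absolute )" and "( see getpid(2) )", should be "(absolute)" and "(see getpid(2))". Both entries also say "if started without the debugging command line option" without naming the option; name it so the reader can tell which invocation skips writing the file. Finally, state which process writes these files (the entries describe the slurpd server's options and PID, so presumably slurpd(8)), since that determines which user needs write access to the containing directory.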
set conditions within a particular database).
.TP
.B reverse-lookup on | off
-Enable/disable client name reverse lookup (default is
-.BR on
+Enable/disable client name unverified reverse lookup (default is
+.BR off
if compiled with --enable-rlookups).
.TP
.B rootDSE <file>
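Review bot: "client name unverified reverse lookup" is awkward; suggest "Enable/disable unverified reverse DNS lookup of client host names (default is off if compiled with --enable-rlookups)". Since the page now calls the lookup unverified (the returned name is not checked by a forward lookup), it should add that the name is supplied by whoever controls the reverse zone for the client address and is informational only, which is also the justification for flipping the default from on to off.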
.B nodict
flag disables mechanisms susceptible to passive dictionary attacks.
The
-.B noanonyous
+.B noanonymous
flag disables mechanisms which support anonymous login.
The
.B forwardsec
.TP
.B threads <integer>
Specify the maximum size of the primary thread pool.
-The default is 32.
+The default is 16.
.TP
.B timelimit {<integer>|unlimited}
.TP
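Review bot: the threads default is changed from 32 to 16 in the page only; please confirm this matches the compiled-in default in the source rather than just the intended value, as a wrong documented default here leads administrators to size the pool incorrectly.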
modify the database will return an "unwilling to perform" error. By
default, readonly is off.
.HP
-.B replica host=<hostname>[:port] [tls=yes|critical]
+.B replica uri=ldap[s]://<hostname>[:port]|host=<hostname>[:port]
+.B [starttls=yes|critical]
.B [suffix=<suffix> [...]]
.B bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
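Review bot: renaming tls=yes|critical to starttls=yes|critical in the synopsis is a compatibility change and the page should say whether tls= is still accepted; if it is now rejected, existing replica lines fail to parse, and if it is silently ignored, a replica previously configured with tls=critical would lose its TLS requirement without any warning. Add a sentence to that effect. Also the alternation "uri=ldap[s]://<hostname>[:port]|host=<hostname>[:port]" is hard to read on one line; brace it, e.g. "{uri=ldap[s]://<hostname>[:port] | host=<hostname>[:port]}", or put the two forms on separate .B lines.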
directory service. Zero or more
.B suffix
instances can be used to select the subtrees that will be replicated
-(defaults to all the database). A
+(defaults to all the database).
+.B host
+is deprecated in favor of the
+.B uri
+option.
+.B uri
+allows the replica LDAP server to be specified as an LDAP URI.
+A
.B bindmethod
of
.B simple
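Review bot: the new uri paragraph should say how starttls= combines with an ldaps:// URI (whether it is ignored or rejected there), since the synopsis above lists both "uri=ldap[s]://" and "starttls=yes|critical" as independent options. Minor wording: "(defaults to all the database)" reads better as "(defaults to the whole database)".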
If the suffix of one database is "inside" that of another, the database
with the inner suffix must come first in the configuration file.
.TP
-.B suffixalias <alias> <aliased suffix>
-Specify an alternate suffix that may be used to reference an already defined
-database suffix. Operations specifying DNs residing under the alias
-will execute as if they had specified the aliased suffix.
-.TP
.B subordinate
Specify that the current backend database is a subordinate of another
backend database. A subordinate database may have only one suffix. This
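Review bot: the suffixalias entry is deleted with no replacement text; if the directive is still accepted by the parser, document it as deprecated (and say what to use instead) rather than removing it, otherwise administrators with existing suffixalias lines cannot find out from this page whether their configuration still does what they expect.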
.TP
.B updatedn <dn>
This option is only applicable in a slave
-.B slapd.
-It specifies the DN allowed to make changes to the replica (typically,
-this is the DN
+.B slapd.
+It specifies the DN permitted to update (subject to access controls)
+the replica (typically, this is the DN
.BR slurpd (8)
-binds as when making changes to the replica).
+binds to update the replica).
.TP
.B updateref <url>
Specify the referral to pass back when
If specified multiple times, each url is provided.
.SH DATABASE-SPECIFIC OPTIONS
Each database may allow specific configuration options; they are
-documented separately in the
+documented separately in the backends' manual pages.
+.SH BACKENDS
+The following backends can be compiled into slapd.
+They are documented in the
.BR slapd-<backend> (5)
manual pages.
+.TP
+.B bdb
+This is the recommended backend for a normal slapd database.
+However, it takes more care than with the LDBM backend to configure
+it properly.
+It uses the Sleepycat Berkeley DB (BDB) package to store data.
+.TP
+.B ldbm
+This is the database backend which is easiest to configure.
+However, it does not offer the data durability features of the BDB
+backend.
+It uses Berkeley DB or GDBM to store data.
+.TP
+.B dnssrv
+This backend is experimental.
+It serves up referrals based upon SRV resource records held in the
+Domain Name System.
+.TP
+.B ldap
+This backend acts as a proxy to forward incoming requests to another
+LDAP server.
+.TP
+.B meta
+This backend performs basic LDAP proxying with respect to a set of
+remote LDAP servers.
+It is an enhancement of the ldap backend.
+.TP
+.B monitor
+This backend provides information about the running status of the slapd
+daemon.
+.TP
+.B null
+Operations in this backend succeed but do nothing.
+.TP
+.B passwd
+This backend is provided for demonstration purposes only.
+It serves up user account information from the system
+.BR passwd (5)
+file.
+.TP
+.B perl
+This backend embeds a
+.BR perl (1)
+interpreter into slapd.
+It runs Perl subroutines to implement LDAP operations.
+.TP
+.B shell
+This backend executes external programs to implement LDAP operations.
+It is is primarily intended to be used in prototypes.
+.TP
+.B sql
+This backend is experimental.
+It services LDAP requests from an SQL database.
+.TP
+.B tcl
+This backend is experimental.
+It embeds a
+.BR Tcl (3tcl)
+interpreter into slapd.
+It runs Tcl commands to implement LDAP operations.
.SH EXAMPLES
.LP
Here is a short example of a configuration file:
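Review bot: doubled word in the shell entry, "It is is primarily intended" should be "It is primarily intended". The shell, perl and tcl entries deserve a one-line caveat that they execute external programs or run interpreter code inside the slapd process, so those scripts and the directories holding them need the same access restrictions the EXAMPLES section demands for the database directory (mode 0700, accessible only to slapd and its tools). The "experimental" tag is applied to dnssrv, sql and tcl while shell is "primarily intended to be used in prototypes" and passwd is "for demonstration purposes only"; consider consistent wording so readers can tell which backends are not meant for production.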
suffix "dc=our-domain,dc=com"
# The database directory MUST exist prior to
# running slapd AND should only be accessible
-# by the slapd/tools. Mode 700 recommended.
+# by the slapd/tools. Mode 0700 recommended.
directory LOCALSTATEDIR/openldap-data
# Indices to maintain
index objectClass eq
.BR slapd-ldap (5),
.BR slapd-ldbm (5),
.BR slapd-meta (5),
+.BR slapd-monitor (5),
.BR slapd-null (5),
.BR slapd-passwd (5),
.BR slapd-perl (5),
.BR slapd-tcl (5),
.BR slapd.replog (5),
.BR slapd.access (5),
-.BR locale (5),
.BR slapd (8),
.BR slapadd (8),
.BR slapcat (8),
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
.SH ACKNOWLEDGEMENTS
-.B OpenLDAP
+.B OpenLDAP
is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
-.B OpenLDAP
+.B OpenLDAP
is derived from University of Michigan LDAP 3.3 Release.