X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;ds=sidebyside;f=doc%2Fman%2Fman5%2Fslapd.conf.5;h=9c30fe57804a6b1fba0d2c1ab1302a32767d16a9;hb=8d346721a60684aeaa7b1e3b2111c972393bfad3;hp=7471d622cec7c4ff90d0166da66b22e479c28dcd;hpb=04ea399c7c003e93877d4c30e9a9e7468f478842;p=openldap diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index 7471d622ce..9c30fe5780 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -1,5 +1,5 @@ .TH SLAPD.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION" -.\" Copyright 1998-2013 The OpenLDAP Foundation All Rights Reserved. +.\" Copyright 1998-2014 The OpenLDAP Foundation All Rights Reserved. .\" Copying restrictions apply. See COPYRIGHT/LICENSE. .\" $OpenLDAP$ .SH NAME 
@@ -1151,13 +1151,40 @@ browser. Press 'Enter' for the new password. .B TLSDHParamFile This directive specifies the file that contains parameters for Diffie-Hellman ephemeral key exchange. This is required in order to use a DSA certificate on -the server. If multiple sets of parameters are present in the file, all of -them will be processed. Note that setting this option may also enable +the server, or an RSA certificate missing the "key encipherment" key usage. +Note that setting this option may also enable Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites. -You should append "!ADH" to your cipher suites if you have changed them -from the default, otherwise no certificate exchanges or verification will -be done. When using GnuTLS these parameters are always generated randomly so -this directive is ignored. This directive is ignored when using Mozilla NSS. +Anonymous key exchanges should generally be avoided since they provide no +actual client or server authentication and provide no protection against +man-in-the-middle attacks. +You should append "!ADH" to your cipher suites to ensure that these suites +are not used. +When using Mozilla NSS these parameters are always generated randomly +so this directive is ignored. +.TP +.B TLSECName +Specify the name of a curve to use for Elliptic curve Diffie-Hellman +ephemeral key exchange. This is required to enable ECDHE algorithms in +OpenSSL. This option is not used with GnuTLS; the curves may be +chosen in the GnuTLS ciphersuite specification. This option is also +ignored for Mozilla NSS. +.TP +.B TLSProtocolMin [.] +Specifies minimum SSL/TLS protocol version that will be negotiated. +If the server doesn't support at least that version, +the SSL handshake will fail. +To require TLS 1.x or higher, set this option to 3.(x+1), +e.g., + +.nf + TLSProtocolMin 3.2 +.fi + +would require TLS 1.1. 
+Specifying a minimum that is higher than that supported by the +OpenLDAP implementation will result in it requiring the +highest level that it does support. +This directive is ignored with GnuTLS. .TP .B TLSRandFile Specifies the file to obtain random bits from when /dev/[u]random @@ -1238,6 +1265,7 @@ should be one of .BR hdb , .BR ldap , .BR ldif , +.BR mdb , .BR meta , .BR monitor , .BR null , @@ -1267,6 +1295,7 @@ should be one of .BR hdb , .BR ldap , .BR ldif , +.BR mdb , .BR meta , .BR monitor , .BR null , @@ -1700,7 +1729,7 @@ when using the \fIsyncprov\fP overlay, which needs to follow \fIglue\fP in order to work over all of the glued databases. E.g. .RS .nf - database bdb + database mdb suffix dc=example,dc=com ... overlay glue @@ -1723,6 +1752,7 @@ the contextCSN is stored in the context entry. .B [filter=] .B [scope=sub|one|base|subord] .B [attrs=] +.B [exattrs=] .B [attrsonly] .B [sizelimit=] .B [timelimit=] @@ -1746,6 +1776,7 @@ the contextCSN is stored in the context entry. .B [tls_reqcert=never|allow|try|demand] .B [tls_ciphersuite=] .B [tls_crlcheck=none|peer|all] +.B [tls_protocol_min=[.]] .B [suffixmassage=] .B [logbase=] .B [logfilter=] 
@@ -1805,6 +1836,19 @@ Note, however, that any provider-side limits for the replication identity will be enforced by the provider regardless of the limits requested by the LDAP Content Synchronization operation, much like for any other search operation. +.B exattrs +option may also be used to specify attributes that should be omitted +from incoming entries. +The \fBscope\fP defaults to \fBsub\fP, the \fBfilter\fP defaults to +\fB(objectclass=*)\fP, and there is no default \fBsearchbase\fP. The +\fBattrs\fP list defaults to \fB"*,+"\fP to return all user and operational +attributes, and \fBattrsonly\fP and \fBexattrs\fP are unset by default. +The \fBsizelimit\fP and \fBtimelimit\fP only +accept "unlimited" and positive integers, and both default to "unlimited". +Note, however, that any provider-side limits for the replication identity +will be enforced by the provider regardless of the limits requested +by the LDAP Content Synchronization operation, much like for any other +search operation. The LDAP Content Synchronization protocol has two operation types. In the @@ -1992,7 +2036,7 @@ access to attrs=userPassword by * auth # Read access to other attributes and entries. access to * by * read -database bdb +database mdb suffix "dc=our\-domain,dc=com" # The database directory MUST exist prior to # running slapd AND should only be accessible @@ -2026,7 +2070,6 @@ default slapd configuration file .BR slapd.backends (5), .BR slapd.overlays (5), .BR slapd.plugin (5), -.BR slapd.replog (5), .BR slapd (8), .BR slapacl (8), .BR slapadd (8),
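Review bot: in the @@ -1151 hunk the TLSDHParamFile rewrite removes the sentence "When using GnuTLS these parameters are always generated randomly so this directive is ignored" and re-attributes that behaviour to Mozilla NSS, so the GnuTLS case is now undocumented; say explicitly whether GnuTLS reads the file or still ignores it, because an administrator who relied on the old text will otherwise assume parameters are still generated for them. The same hunk also drops "If multiple sets of parameters are present in the file, all of them will be processed" with no replacement; if only the first set is used now, state that. For the new TLSProtocolMin entry, "If the server doesn't support at least that version, the SSL handshake will fail" reads as copied from the client-side ldap.conf(5) text: this directive governs slapd's own listeners, so the peer that fails is the connecting client, and the sentence should say so. The fallback described in "Specifying a minimum that is higher than that supported by the OpenLDAP implementation will result in it requiring the highest level that it does support" silently lowers the configured floor; note that slapd should log this (or that the administrator should verify the effective minimum), since a typo such as 3.9 would otherwise pass unnoticed. Finally, the argument placeholder is displayed as "TLSProtocolMin [.]" and "tls_protocol_min=[.]", which tells the reader nothing about the expected form; spell out the syntax (major version, optional dot and minor version) in words in the synopsis line.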
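Review bot: the @@ -1746 hunk adds tls_protocol_min to the syncrepl option synopsis, but no hunk in this patch adds a description of it to the syncrepl parameter text (the @@ -1805 hunk documents only exattrs); add a sentence giving its value syntax and default next to the other tls_* options, otherwise the consumer-side floor is only discoverable by reading the server-side TLSProtocolMin entry and guessing that the same semantics apply.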
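Review bot: the added block in the @@ -1805 hunk repeats, nearly verbatim, the paragraph that immediately precedes it as context ("Note, however, that any provider-side limits for the replication identity will be enforced by the provider ... much like for any other search operation"), along with the scope/filter/attrs default sentences; only the exattrs sentence and the "\fBattrsonly\fP and \fBexattrs\fP are unset by default" clause are genuinely new, so this looks like a merge that duplicated the paragraph and should be reduced to the new text. The new sentence also starts ".B exattrs" / "option may also be used ...", which renders as "exattrs option may also be used" with no article; use "The \fBexattrs\fP option may also be used ..." to match the "\fBscope\fP" / "\fBattrs\fP" phrasing used in the same hunk.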