X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=doc%2Fguide%2Fadmin%2Fslapdconfig.sdf;h=7b6bf2464c9e85849190237aca9b42dcf7620428;hb=14745b74d29fe80f2988908b3f3fa3a4532937d9;hp=564a0305b16507df394667b5de84b82185903730;hpb=37767962f2b071dfe5efac9114a867d83e638aef;p=openldap diff --git a/doc/guide/admin/slapdconfig.sdf b/doc/guide/admin/slapdconfig.sdf index 564a0305b1..7b6bf2464c 100644 --- a/doc/guide/admin/slapdconfig.sdf +++ b/doc/guide/admin/slapdconfig.sdf @@ -285,9 +285,9 @@ perform" error. H4: replica > replica host=[:] -> [bindmethod={ simple | kerberos | sasl }] +> [bindmethod={simple|kerberos|sasl}] > ["binddn="] -> [mech=] +> [saslmech=] > [authcid=] > [authzid=] > [credentials=] @@ -323,7 +323,7 @@ mechanisms. Kerberos authentication requires {{EX:binddn}} and {{EX:srvtab}} parameters. SASL authentication is generally recommended. SASL authentication -requires specification of a mechanism using the {{EX:mech}} parameter. +requires specification of a mechanism using the {{EX:saslmech}} parameter. Depending on the mechanism, an authentication identity and/or credentials can be specified using {{EX:authcid}} and {{EX:credentials}} respectively. The {{EX:authzid}} parameter may be used to specify 
@@ -405,6 +405,79 @@ looks at the suffix line(s) in each database definition in the order they appear in the file. Thus, if one database suffix is a prefix of another, it must appear after it in the config file. +H4: syncrepl + +> syncrepl id= +> provider=ldap[s]://[:port] +> [updatedn=] +> [binddn=] +> [bindmethod=simple|sasl] +> [binddn=] +> [credentials=] +> [saslmech=] +> [secprops=] +> [realm=] +> [authcId=] +> [authzId=] +> [searchbase=] +> [filter=] +> [attrs=] +> [scope=sub|one|base] +> [schemachecking=on|off] +> [type=refreshOnly|refreshAndPersist] +> [interval=dd:hh:mm] + +This directive specifies an LDAP Sync replication between this +database and the specified replication provider site. The id= +parameter identifies the LDAP Sync specification in the database. +The {{EX:provider=}} parameter specifies a replication provider site as +an LDAP URI. + +The LDAP Sync replication specification is based on the search +specification which defines the content of the replica. The replica +consists of the entries matching the search specification. As with +the normal searches, the search specification consists of +{{EX:searchbase}}, {{EX:scope}}, {{EX:filter}}, and EX:attrs}} +parameters. + +The LDAP Sync replication has two types of operating modes. In the +{{EX:refreshOnly}} mode, the next synchronization session is +rescheduled at the interval time after the current session finishes. +The default interval is set to one day. In the {{EX:refreshAndPersist}} +mode, the LDAP Sync search remains persistent in the provider LDAP +server. Further updates to the provider replica will generate +searchResultEntry to the consumer. + +The schema checking can be enforced at the LDAP Sync consumer site +by turning on the {{EX:schemachecking}} parameter. The default is off. + +The {{EX:binddn=}} parameter gives the DN for the LDAP Sync search +to bind as to the provider slapd. The content of the replica will +be subject to the access control privileges of the DN. 
+ +The {{EX:bindmethod}} is {{EX:simple}} or {{EX:sasl}}, depending +on whether simple password-based authentication or SASL authentication +is to be used when connecting to the provider slapd. + +Simple authentication should not be used unless adequate integrity +and data confidential protections are in place (e.g. TLS or IPSEC). +Simple authentication requires specification of {{EX:binddn}} and +{{EX:credentials}} parameters. + +SASL authentication is generally recommended. SASL authentication +requires specification of a mechanism using the {{EX:mech}} parameter. +Depending on the mechanism, an authentication identity and/or +credentials can be specified using {{EX:authcid}} and {{EX:credentials}} +respectively. The {{EX:authzid}} parameter may be used to specify +a proxy authorization identity. + +The LDAP Sync replication is supported in three native backends: +back-bdb, back-hdb, and back-ldbm. + +See the {{SECT:LDAP Sync Replication}} chapter for more information +on how to use this directive. + + H4: updatedn This directive is only applicable in a slave slapd. It specifies @@ -558,7 +631,7 @@ access line is: > [filter=] [attrs=] > ::= regex | exact > ::= base | one | subtree | children -> ::= | , +> ::= [val[.]=] | , > ::= | entry | children > ::= * | [anonymous | users | self > | dn[.]= | dn.=] @@ -646,8 +719,13 @@ list of attribute names in the selector: > attrs= -There are two special {{psuedo}} attributes {{EX:entry}} and -{{EX:children}}. To read (and hence return) an target entry, the +A specific value of an attribute is selected by using a single +attribute name and also using a value selector: + +> attrs= val[.
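Review bot: In the `replica` synopsis hunk (@@ -285,9 +285,9 @@) the `mech=` keyword is renamed to `saslmech=` with no mention of whether the old spelling is still accepted; if the parser drops `mech=`, existing slapd.conf files that use it will fail to load after upgrade, so either keep `mech=` as a deprecated alias or call out the rename in the upgrade notes. The `{simple|kerberos|sasl}` whitespace change is cosmetic and fine.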
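Review bot: The new `syncrepl` section (@@ -405,6 +405,79 @@) contradicts its own synopsis: the prose says "requires specification of a mechanism using the {{EX:mech}} parameter" while the synopsis lists `[saslmech=]`, and the first hunk of this very patch just renamed `mech` to `saslmech` in the `replica` section, so this should read `{{EX:saslmech}}`. Further fixes in the same hunk: `[binddn=]` appears twice in the synopsis; the synopsis spells `authcId=`/`authzId=` while the text uses `{{EX:authcid}}`/`{{EX:authzid}}`, and the two should agree; `and EX:attrs}} parameters` is missing its opening `{{`; "data confidential protections" should be "data confidentiality protections". Since `[updatedn=]` is listed inside the `syncrepl` synopsis while a separate `H4: updatedn` directive follows, say how the two relate. The text notes that the replica content "will be subject to the access control privileges of the DN" and that `schemachecking` defaults to off; it would help operators to add one sentence on choosing a least-privileged `binddn` for the consumer and on when leaving schema checking off on the consumer is acceptable.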
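Review bot: The access-directive grammar hunk (@@ -558,7 +631,7 @@) adds a `val[.]=` alternative to the attribute-list production, but the style and value placeholders it takes are not shown, and the text does not say that the style is the same `regex | exact` production defined two lines above; make the rendered grammar name both and cross-reference that production so readers know a regex value selector is possible.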
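Review bot: The last hunk (@@ -646,8 +719,13 @@) is cut off after `> attrs= val[.`, so the paragraph that replaces the removed "special psuedo attributes" text cannot be reviewed here; when completing it, keep the explanation of the `entry` and `children` pseudo-attributes (they are still referenced in the grammar above) and fix the spelling to "pseudo" rather than carrying the typo over from the removed line.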