X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=doc%2Fman%2Fman5%2Fslapd-config.5;h=69e024d6cd45ca5e0554b16ec8e3e94c2f75710e;hb=9d2e03f0527b31ac2fc994fddb7d858d010d566d;hp=c13dd05f5cf5caf133b786685cb70b7889c60d00;hpb=d47db9eb03fa8b524d1a3720772e75981976096a;p=openldap

diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
index c13dd05f5c..69e024d6cd 100644
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -1,9 +1,9 @@
 .TH SLAPD-CONFIG 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2010 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .\" $OpenLDAP$
 .SH NAME
-slapd-config \- configuration backend
+slapd\-config \- configuration backend to slapd
 .SH SYNOPSIS
 ETCDIR/slapd.d
 .SH DESCRIPTION
@@ -109,7 +109,7 @@ reading the attribute via LDAP, the items will be returned as individual
 attribute values.
 
 Backend-specific options are discussed in the
-.B slapd-<backend>(5)
+.B slapd\-<backend>(5)
 manual pages.  Refer to the "OpenLDAP Administrator's Guide" for more
 details on configuring slapd.
 .SH GLOBAL CONFIGURATION OPTIONS
@@ -142,37 +142,52 @@ allows unauthenticated (anonymous) proxy authorization control to be processed
 (subject to access controls, authorization and other administrative limits).
 .TP
 .B olcArgsFile: <filename>
-The ( absolute ) name of a file that will hold the 
+The (absolute) name of a file that will hold the 
 .B slapd
-server's command line options
-if started without the debugging command line option.
+server's command line (program name and options).
 .TP
 .B olcAttributeOptions: <option-name>...
 Define tagging attribute options or option tag/range prefixes.
-Options must not end with `-', prefixes must end with `-'.
-The `lang-' prefix is predefined.
+Options must not end with `\-', prefixes must end with `\-'.
+The `lang\-' prefix is predefined.
 If you use the
 .B olcAttributeOptions
-directive, `lang-' will no longer be defined and you must specify it
+directive, `lang\-' will no longer be defined and you must specify it
 explicitly if you want it defined.
 
 An attribute description with a tagging option is a subtype of that
 attribute description without the option.
 Except for that, options defined this way have no special semantics.
-Prefixes defined this way work like the `lang-' options:
+Prefixes defined this way work like the `lang\-' options:
 They define a prefix for tagging options starting with the prefix.
-That is, if you define the prefix `x-foo-', you can use the option
-`x-foo-bar'.
+That is, if you define the prefix `x\-foo\-', you can use the option
+`x\-foo\-bar'.
 Furthermore, in a search or compare, a prefix or range name (with
-a trailing `-') matches all options starting with that name, as well
-as the option with the range name sans the trailing `-'.
-That is, `x-foo-bar-' matches `x-foo-bar' and `x-foo-bar-baz'.
+a trailing `\-') matches all options starting with that name, as well
+as the option with the range name sans the trailing `\-'.
+That is, `x\-foo\-bar\-' matches `x\-foo\-bar' and `x\-foo\-bar\-baz'.
 
-RFC 4520 reserves options beginning with `x-' for private experiments.
+RFC 4520 reserves options beginning with `x\-' for private experiments.
 Other options should be registered with IANA, see RFC 4520 section 3.5.
 OpenLDAP also has the `binary' option built in, but this is a transfer
 option, not a tagging option.
 .TP
+.B olcAuthIDRewrite: <rewrite\-rule>
+Used by the authentication framework to convert simple user names
+to an LDAP DN used for authorization purposes.
+Its purpose is analogous to that of
+.BR olcAuthzRegexp
+(see below).
+The
+.B rewrite\-rule
+is a set of rules analogous to those described in
+.BR slapo\-rwm (5)
+for data rewriting (after stripping the \fIrwm\-\fP prefix).
+.B olcAuthIDRewrite
+and
+.B olcAuthzRegexp
+should not be intermixed.
+.TP
 .B olcAuthzPolicy: <policy>
 Used to specify which rules to use for Proxy Authorization.  Proxy
 authorization allows a client to authenticate to the server using one
@@ -431,13 +446,27 @@ upon StartTLS operation receipt.
 disallows the StartTLS operation if authenticated (see also
 .BR tls_2_anon ).
 .TP
+.B olcExtraAttrs: <attr>
+Lists what attributes need to be added to search requests.
+Local storage backends return the entire entry to the frontend.
+The frontend takes care of only returning the requested attributes
+that are allowed by ACLs.
+However, features like access checking and so may need specific
+attributes that are not automatically returned by remote storage
+backends, like proxy backends and so on.
+.B <attr>
+is an attribute that is needed for internal purposes
+and thus always needs to be collected, even when not explicitly
+requested by clients.
+This attribute is multi-valued.
+.TP
 .B olcGentleHUP: { TRUE | FALSE }
 A SIGHUP signal will only cause a 'gentle' shutdown-attempt:
 .B Slapd
 will stop listening for new connections, but will not close the
 connections to the current clients.  Future write operations return
 unwilling-to-perform, though.  Slapd terminates when all clients
-have closed their connections (if they ever do), or \- as before \-
+have closed their connections (if they ever do), or - as before -
 if it receives a SIGTERM signal.  This can be useful if you wish to
 terminate the server and start a new
 .B slapd
@@ -445,13 +474,21 @@ server
 .B with another database,
 without disrupting the currently active clients.
 The default is FALSE.  You may wish to use
-.B olcIdletTmeout
+.B olcIdleTimeout
 along with this option.
 .TP
 .B olcIdleTimeout: <integer>
 Specify the number of seconds to wait before forcibly closing
 an idle client connection.  A setting of 0 disables this
-feature.  The default is 0.
+feature.  The default is 0. You may also want to set the
+.B olcWriteTimeout
+option.
+.TP
+.B olcIndexIntLen: <integer>
+Specify the key length for ordered integer indices. The most significant
+bytes of the binary integer will be used for index keys. The default
+value is 4, which provides exact indexing for 31 bit values.
+A floating point representation is used to index too large values.
 .TP
 .B olcIndexSubstrIfMaxlen: <integer>
 Specify the maximum length for subinitial and subfinal indices. Only
@@ -479,6 +516,12 @@ lookup. The default is 2. For example, with the default values, a search
 using this filter "cn=*abcdefgh*" would generate index lookups for
 "abcd", "cdef", and "efgh".
 
+.LP
+Note: Indexing support depends on the particular backend in use. Also,
+changing these settings will generally require deleting any indices that
+depend on these parameters and recreating them with
+.BR slapindex (8).
+
 .TP
 .B olcLocalSSF: <SSF>
 Specifies the Security Strength Factor (SSF) to be given local LDAP sessions,
@@ -488,6 +531,11 @@ see
 .B minssf
 option description.  The default is 71.
 .TP
+.B olcLogFile: <filename>
+Specify a file for recording debug log messages. By default these messages
+only go to stderr and are not recorded anywhere else. Specifying a logfile
+copies messages to both stderr and the logfile.
+.TP
 .B olcLogLevel: <integer> [...]
 Specify the level at which debugging statements and operation 
 statistics should be syslogged (currently logged to the
@@ -496,8 +544,7 @@ LOG_LOCAL4 facility).
 They must be considered subsystems rather than increasingly verbose 
 log levels.
 Some messages with higher priority are logged regardless 
-of the configured loglevel as soon as some logging is configured,
-otherwise anything is logged at all.
+of the configured loglevel as soon as any logging is configured.
 Log levels are additive, and available levels are:
 .RS
 .RS
@@ -584,7 +631,7 @@ or as a list of the names that are shown between brackets, such that
 are equivalent.
 The keyword 
 .B any
-can be used as a shortcut to enable logging at all levels (equivalent to -1).
+can be used as a shortcut to enable logging at all levels (equivalent to \-1).
 The keyword
 .BR none ,
 or the equivalent integer representation, causes those messages
@@ -612,48 +659,11 @@ versions of crypt(3) to use an MD5 algorithm and provides
 8 random characters of salt.  The default is "%s", which
 provides 31 characters of salt.
 .TP
-.B olcPasswordHash: <hash> [<hash>...]
-This option configures one or more hashes to be used in generation of user
-passwords stored in the userPassword attribute during processing of
-LDAP Password Modify Extended Operations (RFC 3062).
-The <hash> must be one of
-.BR {SSHA} ,
-.BR {SHA} ,
-.BR {SMD5} ,
-.BR {MD5} ,
-.BR {CRYPT} ,
-and
-.BR {CLEARTEXT} .
-The default is
-.BR {SSHA} .
-
-.B {SHA}
-and
-.B {SSHA}
-use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.
-
-.B {MD5}
-and
-.B {SMD5}
-use the MD5 algorithm (RFC 1321), the latter with a seed.
-
-.B {CRYPT}
-uses the
-.BR crypt (3).
-
-.B {CLEARTEXT}
-indicates that the new password should be
-added to userPassword as clear text.
-
-Note that this option does not alter the normal user applications
-handling of userPassword during LDAP Add, Modify, or other LDAP operations.
-.TP
 .B olcPidFile: <filename>
-The ( absolute ) name of a file that will hold the 
+The (absolute) name of a file that will hold the 
 .B slapd
-server's process ID ( see
-.BR getpid (2)
-) if started without the debugging command line option.
+server's process ID (see
+.BR getpid (2)).
 .TP
 .B olcPluginLogFile: <filename>
 The ( absolute ) name of a file that will contain log
@@ -668,50 +678,29 @@ Specify the referral to pass back when
 .BR slapd (8)
 cannot find a local database to handle a request.
 If multiple values are specified, each url is provided.
-.\" slurpd-related keywords are all deprecated
-.\".TP
-.\".B replica-argsfile
-.\"The ( absolute ) name of a file that will hold the 
-.\".B slurpd
-.\"server's command line options
-.\"if started without the debugging command line option.
-.\"If it appears after a
-.\".B replogfile
-.\"directive, the args file is specific to the 
-.\".BR slurpd (8)
-.\"instance that handles that replication log.
-.\".TP
-.\".B replica-pidfile
-.\"The ( absolute ) name of a file that will hold the 
-.\".B slurpd
-.\"server's process ID ( see
-.\".BR getpid (2)
-.\") if started without the debugging command line option.
-.\"If it appears after a
-.\".B replogfile
-.\"directive, the pid file is specific to the 
-.\".BR slurpd (8)
-.\"instance that handles that replication log.
-.\".TP
-.\".B replicationinterval
-.\"The number of seconds 
-.\".B slurpd 
-.\"waits before checking the replogfile for changes.
-.\"If it appears after a
-.\".B replogfile
-.\"directive, the replication interval is specific to the 
-.\".BR slurpd (8)
-.\"instance that handles that replication log.
 .TP
 .B olcReverseLookup: TRUE | FALSE
 Enable/disable client name unverified reverse lookup (default is 
 .BR FALSE 
-if compiled with --enable-rlookups).
+if compiled with \-\-enable\-rlookups).
 .TP
 .B olcRootDSE: <file>
 Specify the name of an LDIF(5) file containing user defined attributes
 for the root DSE.  These attributes are returned in addition to the
 attributes normally produced by slapd.
+
+The root DSE is an entry with information about the server and its
+capabilities, in operational attributes.
+It has the empty DN, and can be read with e.g.:
+.ti +4
+ldapsearch \-x \-b "" \-s base "+"
+.br
+See RFC 4512 section 5.1 for details.
+.TP
+.B olcSaslAuxprops: <plugin> [...]
+Specify which auxprop plugins to use for authentication lookups. The
+default is empty, which just uses slapd's internal support. Usually
+no other auxprop plugins are needed.
 .TP
 .B olcSaslHost: <fqdn>
 Used to specify the fully qualified domain name used for SASL processing.
@@ -763,6 +752,26 @@ The
 property specifies the maximum security layer receive buffer
 size allowed.  0 disables security layers.  The default is 65536.
 .TP
+.B olcServerID: <integer> [<URL>]
+Specify an integer ID from 0 to 4095 for this server (limited
+to 3 hexadecimal digits).  The ID may also be specified as a
+hexadecimal ID by prefixing the value with "0x".
+These IDs are
+required when using multimaster replication and each master must have a
+unique ID. Note that this requirement also applies to separate masters
+contributing to a glued set of databases.
+If the URL is provided, this directive may be specified
+multiple times, providing a complete list of participating servers
+and their IDs. The fully qualified hostname of each server should be
+used in the supplied URLs. The IDs are used in the "replica id" field
+of all CSNs generated by the specified server. The default value is zero.
+Example:
+.LP
+.nf
+	olcServerID: 1 ldap://ldap1.example.com
+	olcServerID: 2 ldap://ldap2.example.com
+.fi
+.TP
 .B olcSockbufMaxIncoming: <integer>
 Specify the maximum incoming LDAP PDU size for anonymous sessions.
 The default is 262143.
@@ -771,6 +780,16 @@ The default is 262143.
 Specify the maximum incoming LDAP PDU size for authenticated sessions.
 The default is 4194303.
 .TP
+.B olcTCPBuffer [listener=<URL>] [{read|write}=]<size>
+Specify the size of the TCP buffer.
+A global value for both read and write TCP buffers related to any listener
+is defined, unless the listener is explicitly specified,
+or either the read or write qualifiers are used.
+See
+.BR tcp (7)
+for details.
+Note that some OS-es implement automatic TCP buffer tuning.
+.TP
 .B olcThreads: <integer>
 Specify the maximum size of the primary thread pool.
 The default is 16; the minimum value is 2.
@@ -779,11 +798,12 @@ The default is 16; the minimum value is 2.
 Specify the maximum number of threads to use in tool mode.
 This should not be greater than the number of CPUs in the system.
 The default is 1.
-.\"ucdata-path is obsolete / ignored...
-.\".TP
-.\".B ucdata-path <path>
-.\"Specify the path to the directory containing the Unicode character
-.\"tables. The default path is DATADIR/ucdata.
+.TP
+.B olcWriteTimeout: <integer>
+Specify the number of seconds to wait before forcibly closing
+a connection with an outstanding write.  This allows recovery from
+various network hang conditions.  A setting of 0 disables this
+feature.  The default is 0.
 .SH TLS OPTIONS
 If
 .B slapd
@@ -796,9 +816,17 @@ Permits configuring what ciphers will be accepted and the preference order.
 
 olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
 
-To check what ciphers a given spec selects, use:
+To check what ciphers a given spec selects in OpenSSL, use:
+
+.nf
+	openssl ciphers \-v <cipher-suite-spec>
+.fi
+
+To obtain the list of ciphers in GNUtls use:
 
-openssl ciphers -v <cipher-suite-spec>
+.nf
+	gnutls-cli \-l
+.fi
 .TP
 .B olcTLSCACertificateFile: <filename>
 Specifies the file that contains certificates for all of the Certificate
@@ -810,7 +838,8 @@ will recognize.
 Specifies the path of a directory that contains Certificate Authority
 certificates in separate individual files. Usually only one of this
 or the olcTLSCACertificateFile is defined. If both are specified, both
-locations will be used.
+locations will be used. This directive is not supported
+when using GNUtls.
 .TP
 .B olcTLSCertificateFile: <filename>
 Specifies the file that contains the
@@ -836,12 +865,14 @@ them will be processed.  Note that setting this option may also enable
 Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
 You should append "!ADH" to your cipher suites if you have changed them
 from the default, otherwise no certificate exchanges or verification will
-be done.
+be done. When using GNUtls these parameters are always generated randomly
+so this directive is ignored.
 .TP
 .B olcTLSRandFile: <filename>
 Specifies the file to obtain random bits from when /dev/[u]random
 is not available.  Generally set to the name of the EGD/PRNGD socket.
 The environment variable RANDFILE can also be used to specify the filename.
+This directive is ignored with GNUtls.
 .TP
 .B olcTLSVerifyClient: <level>
 Specifies what checks to perform on client certificates in an
@@ -883,7 +914,7 @@ Specifies if the Certificate Revocation List (CRL) of the CA should be
 used to verify if the client certificates have not been revoked. This
 requires
 .B olcTLSCACertificatePath
-parameter to be set.
+parameter to be set. This parameter is ignored with GNUtls.
 .B <level>
 can be specified as one of the following keywords:
 .RS
@@ -897,10 +928,15 @@ Check the CRL of the peer certificate
 .B all
 Check the CRL for a whole certificate chain
 .RE
+.TP
+.B olcTLSCRLFile: <filename>
+Specifies a file containing a Certificate Revocation List to be used
+for verifying that certificates have not been revoked. This parameter
+is only valid when using GNUtls.
 .SH DYNAMIC MODULE OPTIONS
 If
 .B slapd
-is compiled with --enable-modules then the module-related entries will
+is compiled with \-\-enable\-modules then the module-related entries will
 be available. These entries are named
 .B cn=module{x},cn=config
 and
@@ -920,6 +956,8 @@ option.
 .B olcModulePath: <pathspec>
 Specify a list of directories to search for loadable modules. Typically
 the path is colon-separated but this depends on the operating system.
+The default is MODULEDIR, which is where the standard OpenLDAP install
+will place its modules. 
 .SH SCHEMA OPTIONS
 Schema definitions are created as entries in the
 .B cn=schema,cn=config
@@ -1030,7 +1068,7 @@ and must have the olcDatabaseConfig objectClass. Normally the config
 engine generates the "{x}" index in the RDN automatically, so it
 can be omitted when initially loading these entries.
 
-The special frontend database is always numbered "{-1}" and the config
+The special frontend database is always numbered "{\-1}" and the config
 database is always numbered "{0}".
 
 .SH GLOBAL DATABASE OPTIONS
@@ -1070,6 +1108,43 @@ non-base search request with an empty base DN.
 Base scoped search requests with an empty base DN are not affected.
 This setting is only allowed in the frontend entry.
 .TP
+.B olcPasswordHash: <hash> [<hash>...]
+This option configures one or more hashes to be used in generation of user
+passwords stored in the userPassword attribute during processing of
+LDAP Password Modify Extended Operations (RFC 3062).
+The <hash> must be one of
+.BR {SSHA} ,
+.BR {SHA} ,
+.BR {SMD5} ,
+.BR {MD5} ,
+.BR {CRYPT} ,
+and
+.BR {CLEARTEXT} .
+The default is
+.BR {SSHA} .
+
+.B {SHA}
+and
+.B {SSHA}
+use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.
+
+.B {MD5}
+and
+.B {SMD5}
+use the MD5 algorithm (RFC 1321), the latter with a seed.
+
+.B {CRYPT}
+uses the
+.BR crypt (3).
+
+.B {CLEARTEXT}
+indicates that the new password should be
+added to userPassword as clear text.
+
+Note that this option does not alter the normal user applications
+handling of userPassword during LDAP Add, Modify, or other LDAP operations.
+This setting is only allowed in the frontend entry.
+.TP
 .B olcReadOnly: TRUE | FALSE
 This option puts the database into "read-only" mode.  Any attempts to 
 modify the database will return an "unwilling to perform" error.  By
@@ -1180,6 +1255,15 @@ See
 .BR olcLimits
 for an explanation of the different flags.
 .TP
+.B olcSortVals: <attr> [...]
+Specify a list of multi-valued attributes whose values will always
+be maintained in sorted order. Using this option will allow Modify,
+Compare, and filter evaluations on these attributes to be performed
+more efficiently. The resulting sort order depends on the
+attributes' syntax and matching rules and may not correspond to
+lexical order or any other recognizable order.
+This setting is only allowed in the frontend entry.
+.TP
 .B olcTimeLimit: {<integer>|unlimited}
 .TP
 .B olcTimeLimit: time[.{soft|hard}]=<integer> [...]
@@ -1201,6 +1285,21 @@ which they are defined.  They are supported by every
 type of backend. All of the Global Database Options may also be
 used here.
 .TP
+.B olcAddContentAcl: TRUE | FALSE
+Controls whether Add operations will perform ACL checks on
+the content of the entry being added. This check is off
+by default. See the
+.BR slapd.access (5)
+manual page for more details on ACL requirements for
+Add operations.
+.TP
+.B olcHidden: TRUE | FALSE
+Controls whether the database will be used to answer
+queries. A database that is hidden will never be
+selected to answer any queries, and any suffix configured
+on the database will be ignored in checks for conflicts
+with other databases. By default, olcHidden is FALSE.
+.TP
 .B olcLastMod: TRUE | FALSE
 Controls whether
 .B slapd
@@ -1210,23 +1309,33 @@ createTimestamp attributes for entries. It also controls
 the entryCSN and entryUUID attributes, which are needed
 by the syncrepl provider. By default, olcLastMod is TRUE.
 .TP
-.B olcLimits: <who> <limit> [<limit> [...]]
-Specify time and size limits based on who initiated an operation.
+.B olcLimits: <selector> <limit> [<limit> [...]]
+Specify time and size limits based on the operation's initiator or
+base DN.
 The argument
-.B who
+.B <selector>
 can be any of
 .RS
 .RS
 .TP
-anonymous | users | [dn[.<style>]=]<pattern> | group[/oc[/at]]=<pattern>
+anonymous | users | [<dnspec>=]<pattern> | group[/oc[/at]]=<pattern>
 
 .RE
 with
 .RS
 .TP
+<dnspec> ::= dn[.<type>][.<style>]
+.TP
+<type>  ::= self | this
+.TP
 <style> ::= exact | base | onelevel | subtree | children | regex | anonymous
 
 .RE
+DN type
+.B self
+is the default and means the bound user, while
+.B this
+means the base DN of the operation.
 The term
 .B anonymous
 matches all unauthenticated clients.
@@ -1260,7 +1369,7 @@ field is ignored.
 The same behavior is obtained by using the 
 .B anonymous
 form of the
-.B who
+.B <selector>
 clause.
 The term
 .BR group ,
@@ -1374,7 +1483,7 @@ limit is set to
 to preserve the original behavior.
 
 In case of no match, the global limits are used.
-The default values are the same as
+The default values are the same as for
 .B olcSizeLimit
 and
 .BR olcTimeLimit ;
@@ -1430,96 +1539,21 @@ switch.
 .TP
 .B olcMaxDerefDepth: <depth>
 Specifies the maximum number of aliases to dereference when trying to
-resolve an entry, used to avoid infinite alias loops. The default is 1.
+resolve an entry, used to avoid infinite alias loops. The default is 15.
 .TP
 .B olcMirrorMode: TRUE | FALSE
 This option puts a replica database into "mirror" mode.  Update
 operations will be accepted from any user, not just the updatedn.  The
 database must already be configured as syncrepl consumer
-before this keyword may be set.  This mode must be used with extreme
-care, as it does not offer any consistency guarantees.  This feature
-is intended to be used with an external frontend that guarantees that
-writes are only directed to a single master, switching to an alternate
-server only if the original master goes down.
+before this keyword may be set.  This mode also requires a
+.B olcServerID
+(see above) to be configured.
 By default, this setting is FALSE.
 .TP
 .B olcPlugin: <plugin_type> <lib_path> <init_function> [<arguments>]
 Configure a SLAPI plugin. See the
 .BR slapd.plugin (5)
 manpage for more details.
-.\".HP
-.\".hy 0
-.\".B replica uri=ldap[s]://<hostname>[:port]|host=<hostname>[:port] 
-.\".B [starttls=yes|critical]
-.\".B [suffix=<suffix> [...]]
-.\".B bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
-.\".B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
-.\".B [authcId=<authentication ID>] [authzId=<authorization ID>]
-.\".B [attrs[!]=<attr list>]
-.\".RS
-.\"Specify a replication site for this database.  Refer to the "OpenLDAP 
-.\"Administrator's Guide" for detailed information on setting up a replicated
-.\".B slapd
-.\"directory service. Zero or more
-.\".B suffix
-.\"instances can be used to select the subtrees that will be replicated
-.\"(defaults to all the database). 
-.\".B host
-.\"is deprecated in favor of the
-.\".B uri
-.\"option.
-.\".B uri
-.\"allows the replica LDAP server to be specified as an LDAP URI. 
-.\"A
-.\".B bindmethod
-.\"of
-.\".B simple
-.\"requires the options
-.\".B binddn 
-.\"and
-.\".B credentials  
-.\"and should only be used when adequate security services 
-.\"(e.g TLS or IPSEC) are in place. A
-.\".B bindmethod 
-.\"of
-.\".B sasl 
-.\"requires the option
-.\".B saslmech. 
-.\"Specific security properties (as with the
-.\".B sasl-secprops
-.\"keyword above) for a SASL bind can be set with the
-.\".B secprops
-.\"option. A non-default SASL realm can be set with the
-.\".B realm
-.\"option.
-.\"If the 
-.\".B mechanism
-.\"will use Kerberos, a kerberos instance should be given in 
-.\".B authcId.
-.\"An
-.\".B attr list
-.\"can be given after the 
-.\".B attrs
-.\"keyword to allow the selective replication of the listed attributes only;
-.\"if the optional 
-.\".B !
-.\"mark is used, the list is considered exclusive, i.e. the listed attributes
-.\"are not replicated.
-.\"If an objectClass is listed, all the related attributes
-.\"are (are not) replicated.
-.\".RE
-.\".TP
-.\".B replogfile <filename>
-.\"Specify the name of the replication log file to log changes to.  
-.\"The replication log is typically written by
-.\".BR slapd (8)
-.\"and read by
-.\".BR slurpd (8).
-.\"See
-.\".BR slapd.replog (5)
-.\"for more information.  The specified file should be located
-.\"in a directory with limited read/write/execute access as the replication
-.\"logs may contain sensitive information.
 .TP
 .B olcRootDN: <dn>
 Specify the distinguished name that is not subject to access control 
@@ -1604,8 +1638,17 @@ See the Overlays section below for more details.
 Specify the DN suffix of queries that will be passed to this 
 backend database.  Multiple suffix lines can be given and at least one is 
 required for each database definition.
+
 If the suffix of one database is "inside" that of another, the database
 with the inner suffix must come first in the configuration file.
+You may also want to glue such databases together with the
+.B olcSubordinate
+attribute.
+.TP
+.B olcSyncUseSubentry: TRUE | FALSE
+Store the syncrepl contextCSN in a subentry instead of the context entry
+of the database. The subentry's RDN will be "cn=ldapsync". The default is
+FALSE, meaning the contextCSN is stored in the context entry.
 .HP
 .hy 0
 .B olcSyncrepl: rid=<replica ID>
@@ -1622,6 +1665,8 @@ with the inner suffix must come first in the configuration file.
 .B [sizelimit=<limit>]
 .B [timelimit=<limit>]
 .B [schemachecking=on|off]
+.B [network\-timeout=<seconds>]
+.B [timeout=<seconds>]
 .B [bindmethod=simple|sasl]
 .B [binddn=<dn>]
 .B [saslmech=<mech>]
@@ -1630,6 +1675,7 @@ with the inner suffix must come first in the configuration file.
 .B [credentials=<passwd>]
 .B [realm=<realm>]
 .B [secprops=<properties>]
+.B [keepalive=<idle>:<probes>:<interval>]
 .B [starttls=yes|critical]
 .B [tls_cert=<file>]
 .B [tls_key=<file>]
@@ -1661,7 +1707,7 @@ replication engine.
 identifies the current
 .B syncrepl
 directive within the replication consumer site.
-It is a non-negative integer having no more than three digits.
+It is a non-negative integer having no more than three decimal digits.
 
 .B provider
 specifies the replication provider site containing the master content
@@ -1724,6 +1770,17 @@ consumer site by turning on the
 .B schemachecking
 parameter. The default is off.
 
+The
+.B network\-timeout
+parameter sets how long the consumer will wait to establish a
+network connection to the provider. Once a connection is
+established, the
+.B timeout
+parameter determines how long the consumer will wait for the initial
+Bind request to complete. The defaults for these parameters come
+from 
+.BR ldap.conf (5).
+
 A
 .B bindmethod
 of 
@@ -1749,7 +1806,7 @@ The
 .B authzid
 parameter may be used to specify an authorization identity.
 Specific security properties (as with the
-.B sasl-secprops
+.B sasl\-secprops
 keyword above) for a SASL bind can be set with the
 .B secprops
 option. A non default SASL realm can be set with the
@@ -1760,6 +1817,22 @@ should grant that identity appropriate access privileges to the data
 that is being replicated (\fBaccess\fP directive), and appropriate time 
 and size limits (\fBlimits\fP directive).
 
+The
+.B keepalive
+parameter sets the values of \fIidle\fP, \fIprobes\fP, and \fIinterval\fP
+used to check whether a socket is alive;
+.I idle
+is the number of seconds a connection needs to remain idle before TCP 
+starts sending keepalive probes;
+.I probes
+is the maximum number of keepalive probes TCP should send before dropping
+the connection;
+.I interval
+is interval in seconds between individual keepalive probes.
+Only some systems support the customization of these values;
+the
+.B keepalive
+parameter is ignored otherwise, and system-wide settings are used.
 
 The
 .B starttls
@@ -1780,7 +1853,7 @@ and
 parameters must be set appropriately for the log that will be used. The
 .B syncdata
 parameter must be set to either "accesslog" if the log conforms to the
-.BR slapo-accesslog (5)
+.BR slapo\-accesslog (5)
 log format, or "changelog" if the log conforms
 to the obsolete \fIchangelog\fP format. If the
 .B syncdata
@@ -1792,9 +1865,8 @@ ignored.
 This option is only applicable in a slave
 database.
 It specifies the DN permitted to update (subject to access controls)
-the replica (typically, this is the DN
-.BR slurpd (8)
-binds to update the replica).  Generally, this DN
+the replica.  It is only needed in certain push-mode
+replication scenarios.  Generally, this DN
 .I should not
 be the same as the
 .B rootdn 
@@ -1841,7 +1913,7 @@ dn: cn=config
 objectClass: olcGlobal
 cn: config
 olcPidFile: LOCALSTATEDIR/run/slapd.pid
-olcAttributeOptions: x-hidden lang-
+olcAttributeOptions: x\-hidden lang\-
 
 dn: cn=schema,cn=config
 objectClass: olcSchemaConfig
@@ -1854,9 +1926,9 @@ objectClass: olcDatabaseConfig
 objectClass: olcFrontendConfig
 olcDatabase: frontend
 # Subtypes of "name" (e.g. "cn" and "ou") with the
-# option ";x-hidden" can be searched for/compared,
+# option ";x\-hidden" can be searched for/compared,
 # but are not shown.  See \fBslapd.access\fP(5).
-olcAccess: to attrs=name;x-hidden by * =cs
+olcAccess: to attrs=name;x\-hidden by * =cs
 # Protect passwords.  See \fBslapd.access\fP(5).
 olcAccess: to attrs=userPassword  by * auth
 # Read access to other attributes and entries.
@@ -1874,11 +1946,11 @@ dn: olcDatabase=bdb,cn=config
 objectClass: olcDatabaseConfig
 objectClass: olcBdbConfig
 olcDatabase: bdb
-olcSuffix: "dc=our-domain,dc=com"
+olcSuffix: "dc=our\-domain,dc=com"
 # The database directory MUST exist prior to
 # running slapd AND should only be accessible
 # by the slapd/tools. Mode 0700 recommended.
-olcDbDirectory: LOCALSTATEDIR/openldap-data
+olcDbDirectory: LOCALSTATEDIR/openldap\-data
 # Indices to maintain
 olcDbIndex:     objectClass  eq
 olcDbIndex:     cn,sn,mail   pres,eq,approx,sub
@@ -1890,7 +1962,7 @@ objectClass: olcDatabaseConfig
 objectClass: olcLdapConfig
 olcDatabase: ldap
 olcSuffix: ""
-olcDbUri: ldap://ldap.some-server.com/
+olcDbUri: ldap://ldap.some\-server.com/
 .fi
 .RE
 .LP
@@ -1899,7 +1971,7 @@ ETCDIR/slapd.d directory has been created, this command will initialize
 the configuration:
 .RS
 .nf
-slapadd -F ETCDIR/slapd.d -n 0 -l config.ldif
+slapadd \-F ETCDIR/slapd.d \-n 0 \-l config.ldif
 .fi
 .RE
 
@@ -1911,7 +1983,7 @@ Alternatively, an existing slapd.conf file can be converted to the new
 format using slapd or any of the slap tools:
 .RS
 .nf
-slaptest -f ETCDIR/slapd.conf -F ETCDIR/slapd.d
+slaptest \-f ETCDIR/slapd.conf \-F ETCDIR/slapd.d
 .fi
 .RE
 
@@ -1939,8 +2011,7 @@ default slapd configuration directory
 .BR slapdn (8),
 .BR slapindex (8),
 .BR slappasswd (8),
-.BR slaptest (8),
-.BR slurpd (8).
+.BR slaptest (8).
 .LP
 "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
 .SH ACKNOWLEDGEMENTS