X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=doc%2Fman%2Fman5%2Fslapd.conf.5;h=ff4242e19dac3b6b28021438a37d1fd968e0dfaf;hb=a7f9086ade0e1e4d8ae32d96b4b5c216d1a39902;hp=c0b0058dc6156216ce1c63d0d232fcc4d2614a07;hpb=85a1ff4eba94fb4a6a994703beb4d3cdb3355ac1;p=openldap

diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index c0b0058dc6..ff4242e19d 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -1,5 +1,5 @@
 .TH SLAPD.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2006 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2009 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .\" $OpenLDAP$
 .SH NAME
@@ -11,9 +11,7 @@ The file
 .B ETCDIR/slapd.conf
 contains configuration information for the
 .BR slapd (8)
-daemon.  This configuration file is also used by the
-.BR slurpd (8)
-replication daemon and by the SLAPD tools
+daemon.  This configuration file is also used by the SLAPD tools
 .BR slapacl (8),
 .BR slapadd (8),
 .BR slapauth (8),
@@ -54,7 +52,10 @@ than once, the last appearance in the
 file is used).
 .LP
 If a line begins with white space, it is considered a continuation
-of the previous line.  Blank lines and comment lines beginning with
+of the previous line.  No physical line should be over 2000 bytes
+long.
+.LP
+Blank lines and comment lines beginning with
 a `#' character are ignored.  Note: continuation lines are unwrapped
 before comment processing is applied.
 .LP
@@ -67,7 +68,7 @@ backslash character.
 The specific configuration options available are discussed below in the
 Global Configuration Options, General Backend Options, and General Database
 Options.  Backend-specific options are discussed in the
-.B slapd-<backend>(5)
+.B slapd\-<backend>(5)
 manual pages.  Refer to the "OpenLDAP Administrator's Guide" for more
 details on the slapd configuration file.
 .SH GLOBAL CONFIGURATION OPTIONS
@@ -107,34 +108,33 @@ allows unauthenticated (anonymous) proxy authorization control to be processed
 (subject to access controls, authorization and other administrative limits).
 .TP
 .B argsfile <filename>
-The ( absolute ) name of a file that will hold the 
+The (absolute) name of a file that will hold the 
 .B slapd
-server's command line options
-if started without the debugging command line option.
+server's command line (program name and options).
 .TP
 .B attributeoptions [option-name]...
 Define tagging attribute options or option tag/range prefixes.
-Options must not end with `-', prefixes must end with `-'.
-The `lang-' prefix is predefined.
+Options must not end with `\-', prefixes must end with `\-'.
+The `lang\-' prefix is predefined.
 If you use the
 .B attributeoptions
-directive, `lang-' will no longer be defined and you must specify it
+directive, `lang\-' will no longer be defined and you must specify it
 explicitly if you want it defined.
 
 An attribute description with a tagging option is a subtype of that
 attribute description without the option.
 Except for that, options defined this way have no special semantics.
-Prefixes defined this way work like the `lang-' options:
+Prefixes defined this way work like the `lang\-' options:
 They define a prefix for tagging options starting with the prefix.
-That is, if you define the prefix `x-foo-', you can use the option
-`x-foo-bar'.
+That is, if you define the prefix `x\-foo\-', you can use the option
+`x\-foo\-bar'.
 Furthermore, in a search or compare, a prefix or range name (with
-a trailing `-') matches all options starting with that name, as well
-as the option with the range name sans the trailing `-'.
-That is, `x-foo-bar-' matches `x-foo-bar' and `x-foo-bar-baz'.
+a trailing `\-') matches all options starting with that name, as well
+as the option with the range name sans the trailing `\-'.
+That is, `x\-foo\-bar\-' matches `x\-foo\-bar' and `x\-foo\-bar\-baz'.
 
-RFC 2251 reserves options beginning with `x-' for private experiments.
-Other options should be registered with IANA, see RFC 3383 section 3.4.
+RFC 4520 reserves options beginning with `x\-' for private experiments.
+Other options should be registered with IANA, see RFC 4520 section 3.5.
 OpenLDAP also has the `binary' option built in, but this is a transfer
 option, not a tagging option.
 .HP
@@ -153,8 +153,8 @@ option, not a tagging option.
  [NO\-USER\-MODIFICATION]\
  [USAGE\ <attributeUsage>]\ )"
 .RS
-Specify an attribute type using the LDAPv3 syntax defined in RFC 2252.
-The slapd parser extends the RFC 2252 definition by allowing string
+Specify an attribute type using the LDAPv3 syntax defined in RFC 4512.
+The slapd parser extends the RFC 4512 definition by allowing string
 forms as well as numeric OIDs to be used for the attribute OID and
 attribute syntax OID.
 (See the
@@ -162,7 +162,7 @@ attribute syntax OID.
 description.) 
 .RE
 .TP
-.B authz-policy <policy>
+.B authz\-policy <policy>
 Used to specify which rules to use for Proxy Authorization.  Proxy
 authorization allows a client to authenticate to the server using one
 user's credentials, but specify a different identity to use for authorization
@@ -216,7 +216,7 @@ and
 .I authzTo
 describes an 
 .B identity 
-or a set of identities; it can take three forms:
+or a set of identities; it can take five forms:
 .RS
 .TP
 .B ldap:///<base>??[<scope>]?<filter>
@@ -225,7 +225,7 @@ or a set of identities; it can take three forms:
 .B dn[.<dnstyle>]:<pattern>
 .RE
 .RS
-.B u[<mech>[<realm>]]:<pattern>
+.B u[.<mech>[/<realm>]]:<pattern>
 .RE
 .RS
 .B group[/objectClass[/attributeType]]:<pattern>
@@ -311,18 +311,21 @@ and
 can impact security, users are strongly encouraged 
 to explicitly set the type of identity specification that is being used.
 A subset of these rules can be used as third arg in the 
-.B authz-regexp
+.B authz\-regexp
 statement (see below); significantly, the 
-.I URI
+.IR URI ,
+provided it results in exactly one entry,
 and the
 .I dn.exact:<dn> 
 forms.
 .RE
 .TP
-.B authz-regexp <match> <replace>
+.B authz\-regexp <match> <replace>
 Used by the authentication framework to convert simple user names,
-such as provided by SASL subsystem, to an LDAP DN used for
-authorization purposes.  Note that the resultant DN need not refer
+such as provided by SASL subsystem, or extracted from certificates
+in case of cert-based SASL EXTERNAL, or provided within the RFC 4370
+"proxied authorization" control, to an LDAP DN used for
+authorization purposes.  Note that the resulting DN need not refer
 to an existing entry to be considered valid.  When an authorization
 request is received from the SASL subsystem, the SASL 
 .BR USERNAME ,
@@ -374,9 +377,11 @@ e.g.
 .RE
 The protocol portion of the URI must be strictly
 .BR ldap .
+Note that this search is subject to access controls.  Specifically,
+the authentication identity must have "auth" access in the subject.
 
 Multiple 
-.B authz-regexp 
+.B authz\-regexp 
 options can be given in the configuration file to allow for multiple matching 
 and replacement patterns. The matching patterns are checked in the order they 
 appear in the file, stopping at the first successful match.
@@ -421,6 +426,12 @@ upon StartTLS operation receipt.
 .B tls_authc
 disallows the StartTLS operation if authenticated (see also
 .BR tls_2_anon ).
+.B proxy_authz_non_critical
+disables acceptance of the proxied authorization control (RFC4370)
+when criticality is FALSE.
+.B dontusecopy_non_critical
+disables acceptance of the dontUseCopy control (a work in progress)
+when criticality is FALSE.
 .HP
 .hy 0
 .B ditcontentrule "(\ <oid>\
@@ -432,8 +443,8 @@ disallows the StartTLS operation if authenticated (see also
  [MAY\ <oids>]\
  [NOT\ <oids>]\ )"
 .RS
-Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 2252.
-The slapd parser extends the RFC 2252 definition by allowing string
+Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 4512.
+The slapd parser extends the RFC 4512 definition by allowing string
 forms as well as numeric OIDs to be used for the attribute OID and
 attribute syntax OID.
 (See the
@@ -447,7 +458,7 @@ A SIGHUP signal will only cause a 'gentle' shutdown-attempt:
 will stop listening for new connections, but will not close the
 connections to the current clients.  Future write operations return
 unwilling-to-perform, though.  Slapd terminates when all clients
-have closed their connections (if they ever do), or \- as before \-
+have closed their connections (if they ever do), or - as before -
 if it receives a SIGTERM signal.  This can be useful if you wish to
 terminate the server and start a new
 .B slapd
@@ -461,12 +472,20 @@ along with this option.
 .B idletimeout <integer>
 Specify the number of seconds to wait before forcibly closing
 an idle client connection.  A idletimeout of 0 disables this
-feature.  The default is 0.
+feature.  The default is 0. You may also want to set the
+.B writetimeout
+option.
 .TP
 .B include <filename>
 Read additional configuration information from the given file before
 continuing with the next line of the current file.
 .TP
+.B index_intlen <integer>
+Specify the key length for ordered integer indices. The most significant
+bytes of the binary integer will be used for index keys. The default
+value is 4, which provides exact indexing for 31 bit values.
+A floating point representation is used to index too large values.
+.TP
 .B index_substr_if_minlen <integer>
 Specify the minimum length for subinitial and subfinal indices. An
 attribute value must have at least this many characters in order to be
@@ -493,12 +512,43 @@ lookup. The default is 2. For example, with the default values, a search
 using this filter "cn=*abcdefgh*" would generate index lookups for
 "abcd", "cdef", and "efgh".
 
-.\"-- NEW_LOGGING option --
-.\".TP
-.\".B logfile <filename>
-.\"Specify a file for recording debug log messages. By default these messages
-.\"only go to stderr and are not recorded anywhere else. Specifying a logfile
-.\"copies messages to both stderr and the logfile.
+.LP
+Note: Indexing support depends on the particular backend in use. Also,
+changing these settings will generally require deleting any indices that
+depend on these parameters and recreating them with
+.BR slapindex (8).
+
+.HP
+.hy 0
+.B ldapsyntax "(\ <oid>\
+ [DESC\ <description>]\
+ [X\-SUBST <substitute-syntax>]\ )"
+.RS
+Specify an LDAP syntax using the LDAPv3 syntax defined in RFC 4512.
+The slapd parser extends the RFC 4512 definition by allowing string
+forms as well as numeric OIDs to be used for the syntax OID.
+(See the
+.B objectidentifier
+description.) 
+The slapd parser also honors the
+.B X\-SUBST
+extension (an OpenLDAP-specific extension), which allows to use the
+.B ldapsyntax
+statement to define a non-implemented syntax along with another syntax,
+the extension value
+.IR substitute-syntax ,
+as its temporary replacement.
+The
+.I substitute-syntax
+must be defined.
+This allows to define attribute types that make use of non-implemented syntaxes
+using the correct syntax OID.
+Unless 
+.B X\-SUBST
+is used, this configuration statement would result in an error,
+since no handlers would be associated to the resulting syntax structure.
+.RE
+
 .TP
 .B localSSF <SSF>
 Specifies the Security Strength Factor (SSF) to be given local LDAP sessions,
@@ -508,6 +558,11 @@ see
 .B minssf
 option description.  The default is 71.
 .TP
+.B logfile <filename>
+Specify a file for recording debug log messages. By default these messages
+only go to stderr and are not recorded anywhere else. Specifying a logfile
+copies messages to both stderr and the logfile.
+.TP
 .B loglevel <integer> [...]
 Specify the level at which debugging statements and operation 
 statistics should be syslogged (currently logged to the
@@ -516,8 +571,7 @@ LOG_LOCAL4 facility).
 They must be considered subsystems rather than increasingly verbose 
 log levels.
 Some messages with higher priority are logged regardless 
-of the configured loglevel as soon as some logging is configured,
-otherwise anything is logged at all.
+of the configured loglevel as soon as any logging is configured.
 Log levels are additive, and available levels are:
 .RS
 .RS
@@ -557,7 +611,7 @@ access control list processing
 .TP
 .B 256
 .B (0x100 stats)
-stats log connections/operations/results
+connections, LDAP operations, results (recommended)
 .TP
 .B 512
 .B (0x200 stats2)
@@ -604,15 +658,19 @@ or as a list of the names that are shown between brackets, such that
 are equivalent.
 The keyword 
 .B any
-can be used as a shortcut to enable logging at all levels (equivalent to -1).
+can be used as a shortcut to enable logging at all levels (equivalent to \-1).
 The keyword
 .BR none ,
 or the equivalent integer representation, causes those messages
 that are logged regardless of the configured loglevel to be logged.
-In fact, if no loglevel (or a 0 level) is defined, no logging occurs, 
+In fact, if loglevel is set to 0, no logging occurs, 
 so at least the 
 .B none
 level is required to have high priority messages logged.
+
+The loglevel defaults to \fBstats\fP.
+This level should usually also be included when using other loglevels, to
+help analyze the logs.
 .RE
 .TP
 .B moduleload <filename>
@@ -622,11 +680,13 @@ are searched for in the directories specified by the
 .B modulepath
 option. This option and the
 .B modulepath
-option are only usable if slapd was compiled with --enable-modules.
+option are only usable if slapd was compiled with \-\-enable\-modules.
 .TP
 .B modulepath <pathspec>
 Specify a list of directories to search for loadable modules. Typically
 the path is colon-separated but this depends on the operating system.
+The default is MODULEDIR, which is where the standard OpenLDAP install
+will place its modules.
 .HP
 .hy 0
 .B objectclass "(\ <oid>\
@@ -637,8 +697,8 @@ the path is colon-separated but this depends on the operating system.
  [{ ABSTRACT | STRUCTURAL | AUXILIARY }]\
  [MUST\ <oids>] [MAY\ <oids>] )"
 .RS
-Specify an objectclass using the LDAPv3 syntax defined in RFC 2252.
-The slapd parser extends the RFC 2252 definition by allowing string
+Specify an objectclass using the LDAPv3 syntax defined in RFC 4512.
+The slapd parser extends the RFC 4512 definition by allowing string
 forms as well as numeric OIDs to be used for the object class OID.
 (See the
 .B
@@ -652,7 +712,7 @@ in place of the numeric OID in objectclass and attribute definitions. The
 name can also be used with a suffix of the form ":xx" in which case the
 value "oid.xx" will be used.
 .TP
-.B password-hash <hash> [<hash>...]
+.B password\-hash <hash> [<hash>...]
 This option configures one or more hashes to be used in generation of user
 passwords stored in the userPassword attribute during processing of
 LDAP Password Modify Extended Operations (RFC 3062).
@@ -706,11 +766,10 @@ versions of crypt(3) to use an MD5 algorithm and provides
 provides 31 characters of salt.
 .TP
 .B pidfile <filename>
-The ( absolute ) name of a file that will hold the 
+The (absolute) name of a file that will hold the 
 .B slapd
-server's process ID ( see
-.BR getpid (2)
-) if started without the debugging command line option.
+server's process ID (see
+.BR getpid (2)).
 .TP
 .B referral <url>
 Specify the referral to pass back when
@@ -718,43 +777,12 @@ Specify the referral to pass back when
 cannot find a local database to handle a request.
 If specified multiple times, each url is provided.
 .TP
-.B replica-argsfile
-The ( absolute ) name of a file that will hold the 
-.B slurpd
-server's command line options
-if started without the debugging command line option.
-If it appears after a
-.B replogfile
-directive, the args file is specific to the 
-.BR slurpd (8)
-instance that handles that replication log.
-.TP
-.B replica-pidfile
-The ( absolute ) name of a file that will hold the 
-.B slurpd
-server's process ID ( see
-.BR getpid (2)
-) if started without the debugging command line option.
-If it appears after a
-.B replogfile
-directive, the pid file is specific to the 
-.BR slurpd (8)
-instance that handles that replication log.
-.TP
-.B replicationinterval
-The number of seconds 
-.B slurpd 
-waits before checking the replogfile for changes.
-If it appears after a
-.B replogfile
-directive, the replication interval is specific to the 
-.BR slurpd (8)
-instance that handles that replication log.
-.TP
 .B require <conditions>
 Specify a set of conditions (separated by white space) to
 require (default none).
-The directive may be specified globally and/or per-database.
+The directive may be specified globally and/or per-database;
+databases inherit global conditions, so per-database specifications
+are additive.
 .B bind
 requires bind operation prior to directory operations.
 .B LDAPv3
@@ -768,26 +796,40 @@ requires strong authentication prior to directory operations.
 The strong keyword allows protected "simple" authentication
 as well as SASL authentication.
 .B none
-may be used to require no conditions (useful for clearly globally
-set conditions within a particular database).
+may be used to require no conditions (useful to clear out globally
+set conditions within a particular database); it must occur first
+in the list of conditions.
 .TP
-.B reverse-lookup on | off
+.B reverse\-lookup on | off
 Enable/disable client name unverified reverse lookup (default is 
 .BR off 
-if compiled with --enable-rlookups).
+if compiled with \-\-enable\-rlookups).
 .TP
 .B rootDSE <file>
 Specify the name of an LDIF(5) file containing user defined attributes
 for the root DSE.  These attributes are returned in addition to the
 attributes normally produced by slapd.
-.TP
-.B sasl-host <fqdn>
+
+The root DSE is an entry with information about the server and its
+capabilities, in operational attributes.
+It has the empty DN, and can be read with e.g.:
+.ti +4
+ldapsearch \-x \-b "" \-s base "+"
+.br
+See RFC 4512 section 5.1 for details.
+.TP
+.B sasl\-auxprops <plugin> [...]
+Specify which auxprop plugins to use for authentication lookups. The
+default is empty, which just uses slapd's internal support. Usually
+no other auxprop plugins are needed.
+.TP
+.B sasl\-host <fqdn>
 Used to specify the fully qualified domain name used for SASL processing.
 .TP
-.B sasl-realm <realm>
+.B sasl\-realm <realm>
 Specify SASL realm.  Default is empty.
 .TP
-.B sasl-secprops <properties>
+.B sasl\-secprops <properties>
 Used to specify Cyrus SASL security properties.
 The
 .B none
@@ -838,7 +880,7 @@ controls the entries on this server.  The default is "cn=Subschema".
 .B security <factors>
 Specify a set of security strength factors (separated by white space)
 to require (see
-.BR sasl-secprops 's
+.BR sasl\-secprops 's
 .B minssf
 option for a description of security strength factors).
 The directive may be specified globally and/or per-database.
@@ -871,6 +913,25 @@ Note that the
 factor is measure of security provided by the underlying transport,
 e.g. ldapi:// (and eventually IPSEC).  It is not normally used.
 .TP
+.B serverID <integer> [<URL>]
+Specify an integer ID from 0 to 4095 for this server (limited
+to 3 hexadecimal digits).  The ID may also be specified as a
+hexadecimal ID by prefixing the value with "0x".
+These IDs are
+required when using multimaster replication and each master must have a
+unique ID. Note that this requirement also applies to separate masters
+contributing to a glued set of databases.
+If the URL is provided, this directive may be specified
+multiple times, providing a complete list of participating servers
+and their IDs. The fully qualified hostname of each server should be
+used in the supplied URLs. The IDs are used in the "replica id" field
+of all CSNs generated by the specified server. The default value is zero.
+Example:
+.LP
+.nf
+	serverID 1
+.fi
+.TP
 .B sizelimit {<integer>|unlimited}
 .TP
 .B sizelimit size[.{soft|hard|unchecked}]=<integer> [...]
@@ -893,6 +954,24 @@ The default is 262143.
 Specify the maximum incoming LDAP PDU size for authenticated sessions.
 The default is 4194303.
 .TP
+.B sortvals <attr> [...]
+Specify a list of multi-valued attributes whose values will always
+be maintained in sorted order. Using this option will allow Modify,
+Compare, and filter evaluations on these attributes to be performed
+more efficiently. The resulting sort order depends on the
+attributes' syntax and matching rules and may not correspond to
+lexical order or any other recognizable order.
+.TP
+.B tcp-buffer [listener=<URL>] [{read|write}=]<size>
+Specify the size of the TCP buffer.
+A global value for both read and write TCP buffers related to any listener
+is defined, unless the listener is explicitly specified,
+or either the read or write qualifiers are used.
+See
+.BR tcp (7)
+for details.
+Note that some OS-es implement automatic TCP buffer tuning.
+.TP
 .B threads <integer>
 Specify the maximum size of the primary thread pool.
 The default is 16; the minimum value is 2.
@@ -912,7 +991,7 @@ See
 .BR limits
 for an explanation of the different flags.
 .TP
-.B tool-threads <integer>
+.B tool\-threads <integer>
 Specify the maximum number of threads to use in tool mode.
 This should not be greater than the number of CPUs in the system.
 The default is 1.
@@ -921,6 +1000,12 @@ The default is 1.
 .\".B ucdata-path <path>
 .\"Specify the path to the directory containing the Unicode character
 .\"tables. The default path is DATADIR/ucdata.
+.TP
+.B writetimeout <integer>
+Specify the number of seconds to wait before forcibly closing
+a connection with an outstanding write. This allows recovery from
+various network hang conditions.  A writetimeout of 0 disables this
+feature.  The default is 0.
 .SH TLS OPTIONS
 If
 .B slapd
@@ -935,7 +1020,16 @@ TLSCipherSuite HIGH:MEDIUM:+SSLv2
 
 To check what ciphers a given spec selects, use:
 
-openssl ciphers -v <cipher-suite-spec>
+.nf
+	openssl ciphers \-v <cipher-suite-spec>
+.fi
+
+To obtain the list of ciphers in GNUtls use:
+
+.nf
+	gnutls-cli \-l
+.fi
+
 .TP
 .B TLSCACertificateFile <filename>
 Specifies the file that contains certificates for all of the Certificate
@@ -946,7 +1040,8 @@ will recognize.
 .B TLSCACertificatePath <path>
 Specifies the path of a directory that contains Certificate Authority
 certificates in separate individual files. Usually only one of this
-or the TLSCACertificateFile is used.
+or the TLSCACertificateFile is used. This directive is not supported
+when using GNUtls.
 .TP
 .B TLSCertificateFile <filename>
 Specifies the file that contains the
@@ -969,12 +1064,14 @@ them will be processed.  Note that setting this option may also enable
 Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
 You should append "!ADH" to your cipher suites if you have changed them
 from the default, otherwise no certificate exchanges or verification will
-be done.
+be done. When using GNUtls these parameters are always generated randomly so
+this directive is ignored.
 .TP
 .B TLSRandFile <filename>
 Specifies the file to obtain random bits from when /dev/[u]random
 is not available.  Generally set to the name of the EGD/PRNGD socket.
 The environment variable RANDFILE can also be used to specify the filename.
+This directive is ignored with GNUtls.
 .TP
 .B TLSVerifyClient <level>
 Specifies what checks to perform on client certificates in an
@@ -1016,7 +1113,7 @@ Specifies if the Certificate Revocation List (CRL) of the CA should be
 used to verify if the client certificates have not been revoked. This
 requires
 .B TLSCACertificatePath
-parameter to be set.
+parameter to be set. This directive is ignored with GNUtls.
 .B <level>
 can be specified as one of the following keywords:
 .RS
@@ -1030,6 +1127,11 @@ Check the CRL of the peer certificate
 .B all
 Check the CRL for a whole certificate chain
 .RE
+.TP
+.B TLSCRLFile <filename>
+Specifies a file containing a Certificate Revocation List to be used
+for verifying that certificates have not been revoked. This directive is
+only valid when using GNUtls.
 .SH GENERAL BACKEND OPTIONS
 Options in this section only apply to the configuration file section
 for the specified backend.  They are supported by every
@@ -1043,7 +1145,6 @@ should be one of
 .BR dnssrv ,
 .BR hdb ,
 .BR ldap ,
-.BR ldbm ,
 .BR ldif ,
 .BR meta ,
 .BR monitor ,
@@ -1073,7 +1174,6 @@ should be one of
 .BR dnssrv ,
 .BR hdb ,
 .BR ldap ,
-.BR ldbm ,
 .BR ldif ,
 .BR meta ,
 .BR monitor ,
@@ -1085,31 +1185,65 @@ should be one of
 or
 .BR sql ,
 depending on which backend will serve the database.
+
+LDAP operations, even subtree searches, normally access only one
+database.
+That can be changed by gluing databases together with the
+.B subordinate
+keyword.
+Access controls and some overlays can also involve multiple databases.
+.TP
+.B add_content_acl on | off
+Controls whether Add operations will perform ACL checks on
+the content of the entry being added. This check is off
+by default. See the
+.BR slapd.access (5)
+manual page for more details on ACL requirements for
+Add operations.
+.TP
+.B hidden on | off
+Controls whether the database will be used to answer
+queries. A database that is hidden will never be
+selected to answer any queries, and any suffix configured
+on the database will be ignored in checks for conflicts
+with other databases. By default, hidden is off.
 .TP
 .B lastmod on | off
 Controls whether
 .B slapd
 will automatically maintain the 
 modifiersName, modifyTimestamp, creatorsName, and 
-createTimestamp attributes for entries.  By default, lastmod is on.
+createTimestamp attributes for entries. It also controls
+the entryCSN and entryUUID attributes, which are needed
+by the syncrepl provider. By default, lastmod is on.
 .TP
-.B limits <who> <limit> [<limit> [...]]
-Specify time and size limits based on who initiated an operation.
+.B limits <selector> <limit> [<limit> [...]]
+Specify time and size limits based on the operation's initiator or
+base DN.
 The argument
-.B who
+.B <selector>
 can be any of
 .RS
 .RS
 .TP
-anonymous | users | [dn[.<style>]=]<pattern> | group[/oc[/at]]=<pattern>
+anonymous | users | [<dnspec>=]<pattern> | group[/oc[/at]]=<pattern>
 
 .RE
 with
 .RS
 .TP
+<dnspec> ::= dn[.<type>][.<style>]
+.TP
+<type>  ::= self | this
+.TP
 <style> ::= exact | base | onelevel | subtree | children | regex | anonymous
 
 .RE
+DN type
+.B self
+is the default and means the bound user, while
+.B this
+means the base DN of the operation.
 The term
 .B anonymous
 matches all unauthenticated clients.
@@ -1143,7 +1277,7 @@ field is ignored.
 The same behavior is obtained by using the 
 .B anonymous
 form of the
-.B who
+.B <selector>
 clause.
 The term
 .BR group ,
@@ -1245,7 +1379,7 @@ If it is set to the keyword
 .IR unlimited , 
 no limit is applied (the default).
 If it is set to
-.IR disable ,
+.IR disabled ,
 the search is not even performed; this can be used to disallow searches
 for a specific set of users.
 If no limit specifier is set, the value is assigned to the
@@ -1257,7 +1391,7 @@ limit is set to
 to preserve the original behavior.
 
 In case of no match, the global limits are used.
-The default values are the same of
+The default values are the same as for
 .B sizelimit
 and
 .BR timelimit ;
@@ -1309,105 +1443,51 @@ is requested cannot exceed the
 size limit of regular searches unless extended by the
 .B prtotal
 switch.
+
+The \fBlimits\fP statement is typically used to let an unlimited
+number of entries be returned by searches performed
+with the identity used by the consumer for synchronization purposes
+by means of the RFC 4533 LDAP Content Synchronization protocol
+(see \fBsyncrepl\fP for details).
 .RE
 .TP
 .B maxderefdepth <depth>
 Specifies the maximum number of aliases to dereference when trying to
-resolve an entry, used to avoid infinite alias loops. The default is 1.
+resolve an entry, used to avoid infinite alias loops. The default is 15.
 .TP
 .B mirrormode on | off
 This option puts a replica database into "mirror" mode.  Update
 operations will be accepted from any user, not just the updatedn.  The
-database must already be configured as a slurpd or syncrepl consumer
-before this keyword may be set.  This mode must be used with extreme
-care, as it does not offer any consistency guarantees.
+database must already be configured as a syncrepl consumer
+before this keyword may be set. This mode also requires a
+.B serverID
+(see above) to be configured.
 By default, mirrormode is off.
 .TP
+.B monitoring on | off
+This option enables database-specific monitoring in the entry related
+to the current database in the "cn=Databases,cn=Monitor" subtree 
+of the monitor database, if the monitor database is enabled.
+Currently, only the BDB and the HDB databases provide database-specific
+monitoring.
+The default depends on the backend type.
+.TP
 .B overlay <overlay-name>
 Add the specified overlay to this database. An overlay is a piece of
 code that intercepts database operations in order to extend or change
 them. Overlays are pushed onto
 a stack over the database, and so they will execute in the reverse
 of the order in which they were configured and the database itself
-will receive control last of all.
+will receive control last of all. See the
+.BR slapd.overlays (5)
+manual page for an overview of the available overlays.
+Note that all of the database's
+regular settings should be configured before any overlay settings.
 .TP
 .B readonly on | off
 This option puts the database into "read-only" mode.  Any attempts to 
 modify the database will return an "unwilling to perform" error.  By
 default, readonly is off.
-.HP
-.hy 0
-.B replica uri=ldap[s]://<hostname>[:port]|host=<hostname>[:port] 
-.B [starttls=yes|critical]
-.B [suffix=<suffix> [...]]
-.B bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
-.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
-.B [authcId=<authentication ID>] [authzId=<authorization ID>]
-.B [attrs[!]=<attr list>]
-.RS
-Specify a replication site for this database.  Refer to the "OpenLDAP 
-Administrator's Guide" for detailed information on setting up a replicated
-.B slapd
-directory service. Zero or more
-.B suffix
-instances can be used to select the subtrees that will be replicated
-(defaults to all the database). 
-.B host
-is deprecated in favor of the
-.B uri
-option.
-.B uri
-allows the replica LDAP server to be specified as an LDAP URI. 
-A
-.B bindmethod
-of
-.B simple
-requires the options
-.B binddn 
-and
-.B credentials  
-and should only be used when adequate security services 
-(e.g TLS or IPSEC) are in place. A
-.B bindmethod 
-of
-.B sasl 
-requires the option
-.B saslmech. 
-Specific security properties (as with the
-.B sasl-secprops
-keyword above) for a SASL bind can be set with the
-.B secprops
-option. A non-default SASL realm can be set with the
-.B realm
-option.
-If the 
-.B mechanism
-will use Kerberos, a kerberos instance should be given in 
-.B authcId.
-An
-.B attr list
-can be given after the 
-.B attrs
-keyword to allow the selective replication of the listed attributes only;
-if the optional 
-.B !
-mark is used, the list is considered exclusive, i.e. the listed attributes
-are not replicated.
-If an objectClass is listed, all the related attributes
-are (are not) replicated.
-.RE
-.TP
-.B replogfile <filename>
-Specify the name of the replication log file to log changes to.  
-The replication log is typically written by
-.BR slapd (8)
-and read by
-.BR slurpd (8).
-See
-.BR slapd.replog (5)
-for more information.  The specified file should be located
-in a directory with limited read/write/execute access as the replication
-logs may contain sensitive information.
 .TP
 .B restrict <oplist>
 Specify a whitespace separated list of operations that are restricted.
@@ -1447,7 +1527,8 @@ when initially populating a database).  If the rootdn is within
 a namingContext (suffix) of the database, a simple bind password
 may also be provided using the
 .B rootpw
-directive. Note that the rootdn is always needed when using syncrepl.
+directive. Many optional features, including syncrepl, require the
+rootdn to be defined for the database.
 .TP
 .B rootpw <password>
 Specify a password (or hash of the password) for the rootdn.  The
@@ -1455,7 +1536,7 @@ password can only be set if the rootdn is within the namingContext
 (suffix) of the database.
 This option accepts all RFC 2307 userPassword formats known to
 the server (see 
-.B password-hash
+.B password\-hash
 description) as well as cleartext.
 .BR slappasswd (8) 
 may be used to generate a hash of a password.  Cleartext
@@ -1467,8 +1548,12 @@ and \fB{CRYPT}\fP passwords are not recommended.  If empty
 Specify the DN suffix of queries that will be passed to this 
 backend database.  Multiple suffix lines can be given and at least one is 
 required for each database definition.
+
 If the suffix of one database is "inside" that of another, the database
 with the inner suffix must come first in the configuration file.
+You may also want to glue such databases together with the
+.B subordinate
+keyword.
 .TP
 .B subordinate [advertise]
 Specify that the current backend database is a subordinate of another
@@ -1517,6 +1602,11 @@ in order to work over all of the glued databases. E.g.
 	overlay syncprov
 .fi
 .RE
+.TP
+.B sync_use_subentry 
+Store the syncrepl contextCSN in a subentry instead of the context entry
+of the database. The subentry's RDN will be "cn=ldapsync". By default
+the contextCSN is stored in the context entry.
 .HP
 .hy 0
 .B syncrepl rid=<replica ID>
@@ -1532,6 +1622,8 @@ in order to work over all of the glued databases. E.g.
 .B [sizelimit=<limit>]
 .B [timelimit=<limit>]
 .B [schemachecking=on|off]
+.B [network\-timeout=<seconds>]
+.B [timeout=<seconds>]
 .B [bindmethod=simple|sasl]
 .B [binddn=<dn>]
 .B [saslmech=<mech>]
@@ -1566,15 +1658,20 @@ setting up a replicated
 directory service using the 
 .B syncrepl
 replication engine.
+
 .B rid
 identifies the current
 .B syncrepl
 directive within the replication consumer site.
-It is a non-negative integer having no more than three digits.
+It is a non-negative integer not greater than 999 (limited
+to three decimal digits).
+
 .B provider
 specifies the replication provider site containing the master content
 as an LDAP URI. If <port> is not given, the standard LDAP port number
-(389 or 636) is used. The content of the
+(389 or 636) is used.
+
+The content of the
 .B syncrepl
 replica is defined using a search
 specification as its result set. The consumer
@@ -1582,16 +1679,26 @@ specification as its result set. The consumer
 will send search requests to the provider
 .B slapd
 according to the search specification. The search specification includes
-.B searchbase, scope, filter, attrs, attrsonly, sizelimit,
+.BR searchbase ", " scope ", " filter ", " attrs ", " attrsonly ", " sizelimit ", "
 and
 .B timelimit
 parameters as in the normal search specification. 
 The \fBscope\fP defaults to \fBsub\fP, the \fBfilter\fP defaults to
-\fB(objectclass=*)\fP, and there is no default \fBsearchbase\fP. The
+\fB(objectclass=*)\fP, while there is no default \fBsearchbase\fP. The
 \fBattrs\fP list defaults to \fB"*,+"\fP to return all user and operational
 attributes, and \fBattrsonly\fP is unset by default.
 The \fBsizelimit\fP and \fBtimelimit\fP only
 accept "unlimited" and positive integers, and both default to "unlimited".
+The \fBsizelimit\fP and \fBtimelimit\fP parameters define
+a consumer requested limitation on the number of entries that can be returned
+by the LDAP Content Synchronization operation; as such, it is intended
+to implement partial replication based on the size of the replicated database
+and on the time required by the synchronization.
+Note, however, that any provider-side limits for the replication identity
+will be enforced by the provider regardless of the limits requested
+by the LDAP Content Synchronization operation, much like for any other
+search operation.
+
 The LDAP Content Synchronization protocol has two operation types.
 In the
 .B refreshOnly
@@ -1607,6 +1714,7 @@ Further updates to the master replica will generate
 .B searchResultEntry
 to the consumer slapd as the search responses to the persistent
 synchronization search.
+
 If an error occurs during replication, the consumer will attempt to
 reconnect according to the
 .B retry
@@ -1615,10 +1723,32 @@ For example, retry="60 10 300 3" lets the consumer retry every 60 seconds
 for the first 10 times and then retry every 300 seconds for the next 3
 times before stop retrying. The `+' in <# of retries> means indefinite
 number of retries until success.
+If no 
+.B retry
+was specified, by default syncrepl retries every hour forever.
+
 The schema checking can be enforced at the LDAP Sync
 consumer site by turning on the
 .B schemachecking
-parameter. The default is off.
+parameter. The default is \fBoff\fP.
+Schema checking \fBon\fP means that replicated entries must have
+a structural objectClass, must obey to objectClass requirements
+in terms of required/allowed attributes, and that naming attributes
+and distinguished values must be present.
+As a consequence, schema checking should be \fBoff\fP when partial
+replication is used.
+
+The
+.B network\-timeout
+parameter sets how long the consumer will wait to establish a
+network connection to the provider. Once a connection is
+established, the
+.B timeout
+parameter determines how long the consumer will wait for the initial
+Bind request to complete. The defaults for these parameters come
+from 
+.BR ldap.conf (5).
+
 A
 .B bindmethod
 of 
@@ -1629,6 +1759,7 @@ and
 .B credentials
 and should only be used when adequate security services
 (e.g. TLS or IPSEC) are in place.
+.B REMEMBER: simple bind credentials must be in cleartext!
 A
 .B bindmethod
 of
@@ -1644,12 +1775,22 @@ The
 .B authzid
 parameter may be used to specify an authorization identity.
 Specific security properties (as with the
-.B sasl-secprops
+.B sasl\-secprops
 keyword above) for a SASL bind can be set with the
 .B secprops
 option. A non default SASL realm can be set with the
 .B realm 
 option.
+The identity used for synchronization by the consumer should be allowed
+to receive an unlimited number of entries in response to a search request.
+The provider, other than allow authentication of the syncrepl identity,
+should grant that identity appropriate access privileges to the data 
+that is being replicated (\fBaccess\fP directive), and appropriate time 
+and size limits.
+This can be accomplished by either allowing unlimited \fBsizelimit\fP
+and \fBtimelimit\fP, or by setting an appropriate \fBlimits\fP statement
+in the consumer's configuration (see \fBsizelimit\fP and \fBlimits\fP
+for details).
 
 The
 .B starttls
@@ -1657,11 +1798,9 @@ parameter specifies use of the StartTLS extended operation
 to establish a TLS session before Binding to the provider. If the
 .B critical
 argument is supplied, the session will be aborted if the StartTLS request
-fails. Otherwise the syncrepl session continues without TLS.  Note that the
-main slapd TLS settings are not used by the syncrepl engine;
-by default the TLS parameters from ETCDIR/ldap.conf will be used.
-TLS settings may be specified here, in which case the ldap.conf settings
-will be completely ignored.
+fails. Otherwise the syncrepl session continues without TLS. The
+tls_reqcert setting defaults to "demand" and the other TLS settings
+default to the same as the main slapd TLS settings.
 
 Rather than replicating whole entries, the consumer can query logs of
 data modifications. This mode of operation is referred to as \fIdelta
@@ -1672,7 +1811,7 @@ and
 parameters must be set appropriately for the log that will be used. The
 .B syncdata
 parameter must be set to either "accesslog" if the log conforms to the
-.BR slapo-accesslog (5)
+.BR slapo\-accesslog (5)
 log format, or "changelog" if the log conforms
 to the obsolete \fIchangelog\fP format. If the
 .B syncdata
@@ -1682,12 +1821,10 @@ ignored.
 .TP
 .B updatedn <dn>
 This option is only applicable in a slave
-database updated using
-.BR slurpd(8). 
+database.
 It specifies the DN permitted to update (subject to access controls)
-the replica (typically, this is the DN
-.BR slurpd (8)
-binds to update the replica).  Generally, this DN
+the replica.  It is only needed in certain push-mode
+replication scenarios.  Generally, this DN
 .I should not
 be the same as the
 .B rootdn 
@@ -1701,182 +1838,9 @@ If specified multiple times, each url is provided.
 
 .SH DATABASE-SPECIFIC OPTIONS
 Each database may allow specific configuration options; they are
-documented separately in the backends' manual pages.
-.SH BACKENDS
-The following backends can be compiled into slapd.
-They are documented in the
-.BR slapd-<backend> (5)
-manual pages.
-.TP
-.B bdb
-This is the recommended primary backend for a normal slapd database.
-It takes care to configure it properly.
-It uses the transactional database interface of the Sleepycat Berkeley
-DB (BDB) package to store data.
-.TP
-.B config
-This backend is used to manage the configuration of slapd run-time.
-.TP
-.B dnssrv
-This backend is experimental.
-It serves up referrals based upon SRV resource records held in the
-Domain Name System.
-.TP
-.B hdb
-This is a variant of the BDB backend that uses a hierarchical database
-layout which supports subtree renames.
-.TP
-.B ldap
-This backend acts as a proxy to forward incoming requests to another
-LDAP server.
-.TP
-.B ldbm
-This is an easy-to-configure but obsolete database backend. It
-does not offer the data durability features of the BDB and HDB
-backends and hence is deprecated in favor of these robust backends.
-LDBM uses lightweight non-transactional DB interfaces,
-such as those providing by GDBM or Berkeley DB, to store data.
-.TP
-.B ldif
-This database uses the filesystem to build the tree structure
-of the database, using plain ascii files to store data.
-Its usage should be limited to very simple databases, where performance
-is not a requirement.
-.TP
-.B meta
-This backend performs basic LDAP proxying with respect to a set of
-remote LDAP servers. It is an enhancement of the ldap backend.
-.TP
-.B monitor
-This backend provides information about the running status of the slapd
-daemon.
-.TP
-.B null
-Operations in this backend succeed but do nothing.
-.TP
-.B passwd
-This backend is provided for demonstration purposes only.
-It serves up user account information from the system
-.BR passwd (5)
-file.
-.TP
-.B perl
-This backend embeds a
-.BR perl (1)
-interpreter into slapd.
-It runs Perl subroutines to implement LDAP operations.
-.TP
-.B relay
-This backend is experimental.
-It redirects LDAP operations to another database
-in the same server, based on the naming context of the request.
-Its use requires the 
-.B rwm
-overlay (see
-.BR slapo-rwm (5)
-for details) to rewrite the naming context of the request.
-It is primarily intended to implement virtual views on databases
-that actually store data.
-.TP
-.B shell
-This backend executes external programs to implement LDAP operations.
-It is primarily intended to be used in prototypes.
-.TP
-.B sql
-This backend is experimental.
-It services LDAP requests from an SQL database.
-.SH OVERLAYS
-The following overlays can be compiled into slapd.
-They are documented in the
-.BR slapo-<overlay> (5)
-manual pages.
-.TP
-.B accesslog
-Access Logging.
-This overlay can record accesses to a given backend database on another
-database.
-.TP
-.B auditlog
-Audit Logging.
-This overlay records changes on a given backend database to an LDIF log
-file.
-By default it is not built.
-.TP
-.B chain
-Chaining.
-This overlay allows automatic referral chasing when a referral would
-have been returned, either when configured by the server or when 
-requested by the client.
-.TP
-.B denyop
-Deny Operation.
-This overlay allows selected operations to be denied, similar to the
-\fBrestrict\fP option.
-.TP
-.B dyngroup
-Dynamic Group.
-This is a demo overlay which extends the Compare operation to detect
-members of a dynamic group.
-It has no effect on any other operations.
-.TP
-.B dynlist
-Dynamic List.
-This overlay allows expansion of dynamic groups and more.
-.TP
-.B lastmod
-Last Modification.
-This overlay maintains a service entry in the database with the DN,
-modification type, modifiersName and modifyTimestamp of the last write
-operation performed on that database.
-.TP
-.B pcache
-Proxycache.
-This overlay allows caching of LDAP search requests in a local database.
-It is most often used with the ldap or meta backends.
-.TP
-.B ppolicy
-Password Policy.
-This overlay provides a variety of password control mechanisms,
-e.g. password aging, password reuse and duplication control, mandatory
-password resets, etc.
-.TP
-.B refint
-Referential Integrity.
-This overlay can be used with a backend database such as
-.BR slapd-bdb (5)
-to maintain the cohesiveness of a schema which utilizes reference
-attributes.
-.TP
-.B retcode
-Return Code.
-This overlay is useful to test the behavior of clients when
-server-generated erroneous and/or unusual responses occur.
-.TP
-.B rwm
-Rewrite/remap.
-This overlay is experimental.
-It performs basic DN/data rewrite and
-objectClass/attributeType mapping.
-.TP
-.B syncprov
-Syncrepl Provider.
-This overlay implements the provider-side support for
-.B syncrepl
-replication, including persistent search functionality.
-.TP
-.B translucent
-Translucent Proxy.
-This overlay can be used with a backend database such as
-.BR slapd-bdb (5)
-to create a "translucent proxy".
-Content of entries retrieved from a remote LDAP server can be partially
-overridden by the database.
-.TP
-.B unique
-Attribute Uniqueness.
-This overlay can be used with a backend database such as
-.BR slapd-bdb (5)
-to enforce the uniqueness of some or all attributes within a subtree.
+documented separately in the backends' manual pages. See the
+.BR slapd.backends (5)
+manual page for an overview of available backends.
 .SH EXAMPLES
 .LP
 Here is a short example of a configuration file:
@@ -1884,13 +1848,13 @@ Here is a short example of a configuration file:
 .RS
 .nf
 include   SYSCONFDIR/schema/core.schema
-pidfile   LOCALSTATEDIR/slapd.pid
+pidfile   LOCALSTATEDIR/run/slapd.pid
 
 # Subtypes of "name" (e.g. "cn" and "ou") with the
-# option ";x-hidden" can be searched for/compared,
+# option ";x\-hidden" can be searched for/compared,
 # but are not shown.  See \fBslapd.access\fP(5).
-attributeoptions x-hidden lang-
-access to attrs=name;x-hidden by * =cs
+attributeoptions x\-hidden lang\-
+access to attrs=name;x\-hidden by * =cs
 
 # Protect passwords.  See \fBslapd.access\fP(5).
 access    to attrs=userPassword  by * auth
@@ -1898,11 +1862,11 @@ access    to attrs=userPassword  by * auth
 access    to *  by * read
 
 database  bdb
-suffix    "dc=our-domain,dc=com"
+suffix    "dc=our\-domain,dc=com"
 # The database directory MUST exist prior to
 # running slapd AND should only be accessible
 # by the slapd/tools. Mode 0700 recommended.
-directory LOCALSTATEDIR/openldap-data
+directory LOCALSTATEDIR/openldap\-data
 # Indices to maintain
 index     objectClass  eq
 index     cn,sn,mail   pres,eq,approx,sub
@@ -1911,7 +1875,7 @@ index     cn,sn,mail   pres,eq,approx,sub
 # so handle remote lookups on their behalf.
 database  ldap
 suffix    ""
-uri       ldap://ldap.some-server.com/
+uri       ldap://ldap.some\-server.com/
 lastmod   off
 .fi
 .RE
@@ -1925,21 +1889,10 @@ ETCDIR/slapd.conf
 default slapd configuration file
 .SH SEE ALSO
 .BR ldap (3),
-.BR slapd\-bdb (5),
-.BR slapd\-dnssrv (5),
-.BR slapd\-hdb (5),
-.BR slapd\-ldap (5),
-.BR slapd\-ldbm (5),
-.BR slapd\-ldif (5),
-.BR slapd\-meta (5),
-.BR slapd\-monitor (5),
-.BR slapd\-null (5),
-.BR slapd\-passwd (5),
-.BR slapd\-perl (5),
-.BR slapd\-relay (5),
-.BR slapd\-shell (5),
-.BR slapd\-sql (5),
+.BR slapd\-config (5),
 .BR slapd.access (5),
+.BR slapd.backends (5),
+.BR slapd.overlays (5),
 .BR slapd.plugin (5),
 .BR slapd.replog (5),
 .BR slapd (8),
@@ -1950,27 +1903,8 @@ default slapd configuration file
 .BR slapdn (8),
 .BR slapindex (8),
 .BR slappasswd (8),
-.BR slaptest (8),
-.BR slurpd (8).
-
-Known overlays are documented in
-.BR slapo\-accesslog (5),
-.BR slapo\-auditlog (5),
-.BR slapo\-chain (5),
-.BR slapo\-dynlist (5),
-.BR slapo\-lastmod (5),
-.BR slapo\-pcache (5),
-.BR slapo\-ppolicy (5),
-.BR slapo\-refint (5),
-.BR slapo\-retcode (5),
-.BR slapo\-rwm (5),
-.BR slapo\-syncprov (5),
-.BR slapo\-translucent (5),
-.BR slapo\-unique (5).
+.BR slaptest (8).
 .LP
 "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
 .SH ACKNOWLEDGEMENTS
-.B OpenLDAP
-is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
-.B OpenLDAP
-is derived from University of Michigan LDAP 3.3 Release.  
+.so ../Project