[\c
.BR \-z ]
[\c
-.BR \-M[M] ]
+.BR \-M [ M ]]
[\c
.BI \-d \ debuglevel\fR]
[\c
[\c
.BI \-p \ ldapport\fR]
[\c
-.BI \-P \ 2\fR\||\|\fI3\fR]
+.BR \-P \ { 2 \||\| 3 }]
[\c
-.BR \-O \ security-properties ]
+.BI \-O \ security-properties\fR]
[\c
.BR \-I ]
[\c
[\c
.BI \-Y \ mech\fR]
[\c
-.BR \-Z[Z] ]
-.IR DN \ <
-.BR attr:value \ |
-.BR attr::b64value \ >
+.BR \-Z [ Z ]]
+.IR DN
+{\c
+.BI attr: value
+|
+.BI attr:: b64value\fR}
.SH DESCRIPTION
.I ldapcompare
is a shell-accessible interface to the
followed by one colon, the assertion \fIvalue\fP should be provided
as a string. If followed by two colons, the base64 encoding of the
value is provided. The result code of the compare is provided as
-the exit code and, unless ran with -z, the program prints
+the exit code and, unless ran with \fB\-z\fP, the program prints
TRUE, FALSE, or UNDEFINED on standard output.
.LP
.SH OPTIONS
.TP
.B \-n
Show what would be done, but don't actually perform the compare. Useful for
-debugging in conjunction with -v.
+debugging in conjunction with \fB\-v\fP.
.TP
.B \-v
Run in verbose mode, with many diagnostics written to standard output.
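Review bot: the rewritten DESCRIPTION sentence "unless ran with \fB\-z\fP" keeps the grammatical slip "ran". Since the line is being changed anyway, make it "unless run with \fB\-z\fP".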
Run in quiet mode, no output is written. You must check the return
status. Useful in shell scripts.
.TP
-.B \-M[M]
+.BR \-M [ M ]
Enable manage DSA IT control.
.B \-MM
makes control critical.
.TP
.BI \-D \ binddn
Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
-For SASL Binds, the server is expected to ignore this value.
+For SASL binds, the server is expected to ignore this value.
.TP
.B \-W
Prompt for simple authentication.
The recommended portable way to store a cleartext password in a file
for use with this option is to use
.BR slappasswd (8)
-with \fI{CLEARTEXT}\fP as hash and the option \fI\-n\fP.
+with \fI{CLEARTEXT}\fP as hash and the option \fB\-n\fP.
.TP
.BI \-H \ ldapuri
Specify URI(s) referring to the ldap server(s); only the protocol/host/port
.TP
.BI \-h \ ldaphost
Specify an alternate host on which the ldap server is running.
-Deprecated in favor of -H.
+Deprecated in favor of \fB\-H\fP.
.TP
.BI \-p \ ldapport
Specify an alternate TCP port where the ldap server is listening.
-Deprecated in favor of -H.
+Deprecated in favor of \fB\-H\fP.
.TP
-.BI \-P \ 2\fR\||\|\fI3
+.BR \-P \ { 2 \||\| 3 }
Specify the LDAP protocol version to use.
.TP
.BI \-O \ security-properties
Specify the requested authorization ID for SASL bind.
.I authzid
must be one of the following formats:
-.B dn:\c
-.I <distinguished name>
+.BI dn: "<distinguished name>"
or
-.B u:\c
-.I <username>
+.BI u: <username>
.TP
.BI \-Y \ mech
Specify the SASL mechanism to be used for authentication. If it's not
specified, the program will choose the best mechanism the server knows.
.TP
-.B \-Z[Z]
+.BR \-Z [ Z ]
Issue StartTLS (Transport Layer Security) extended operation. If you use
-.B \-ZZ\c
-, the command will require the operation to be successful.
+\fB\-ZZ\fP, the command will require the operation to be successful.
.SH EXAMPLES
.nf
ldapcompare "uid=babs,dc=example,dc=com" sn:Jensen
[\c
.BR \-c ]
[\c
-.BR \-M[M] ]
+.BR \-M [ M ]]
[\c
.BI \-d \ debuglevel\fR]
[\c
[\c
.BI \-h \ ldaphost\fR]
[\c
-.BI \-P \ 2\fR\||\|\fI3\fR]
+.BR \-P \ { 2 \||\| 3 }]
[\c
.BI \-p \ ldapport\fR]
[\c
-.BR \-O \ security-properties ]
+.BI \-O \ security-properties\fR]
[\c
.BI \-U \ authcid\fR]
[\c
[\c
.BI \-z \ sizelimit\fR]
[\c
-.BR \-Z[Z] ]
+.BR \-Z [ Z ]]
[\c
-.IR dn ]...
+.IR DN \ [ ... ]]
.SH DESCRIPTION
.I ldapdelete
is a shell-accessible interface to the
entries. If one or more \fIDN\fP arguments are provided, entries with
those Distinguished Names are deleted. Each \fIDN\fP should be provided
using the LDAPv3 string representation as defined in RFC 4514.
-If no \fIdn\fP arguments
+If no \fIDN\fP arguments
are provided, a list of DNs is read from standard input (or from
-\fIfile\fP if the -f flag is used).
+\fIfile\fP if the \fB\-f\fP flag is used).
.SH OPTIONS
.TP
.B \-n
Show what would be done, but don't actually delete entries. Useful for
-debugging in conjunction with -v.
+debugging in conjunction with \fB\-v\fP.
.TP
.B \-v
Use verbose mode, with many diagnostics written to standard output.
will continue with deletions. The default is to exit after
reporting an error.
.TP
-.B \-M[M]
+.BR \-M [ M ]
Enable manage DSA IT control.
.B \-MM
makes control critical.
.TP
.BI \-D \ binddn
Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
-For SASL Binds, the server is expected to ignore this value.
+For SASL binds, the server is expected to ignore this value.
.TP
.B \-W
Prompt for simple authentication.
.TP
.BI \-h \ ldaphost
Specify an alternate host on which the ldap server is running.
-Deprecated in favor of -H.
+Deprecated in favor of \fB\-H\fP.
.TP
.BI \-p \ ldapport
Specify an alternate TCP port where the ldap server is listening.
-Deprecated in favor of -H.
+Deprecated in favor of \fB\-H\fP.
.TP
-.BI \-P \ 2\fR\||\|\fI3
+.BR \-P \ { 2 \||\| 3 }
Specify the LDAP protocol version to use.
.TP
.B \-r
.BI \-z \ sizelimit
Use \fIsizelimit\fP when searching for children DN to delete,
to circumvent any server-side size limit. Only useful in conjunction
-with \-r.
+with \fB\-r\fP.
.TP
.BI \-O \ security-properties
Specify SASL security properties.
Specify the requested authorization ID for SASL bind.
.I authzid
must be one of the following formats:
-.B dn:\c
-.I <distinguished name>
+.BI dn: "<distinguished name>"
or
-.B u:\c
-.I <username>
+.BI u: <username>
.TP
.BI \-Y \ mech
Specify the SASL mechanism to be used for authentication. If it's not
specified, the program will choose the best mechanism the server knows.
.TP
-.B \-Z[Z]
+.BR \-Z [ Z ]
Issue StartTLS (Transport Layer Security) extended operation. If you use
-.B \-ZZ\c
-, the command will require the operation to be successful.
+\fB\-ZZ\fP, the command will require the operation to be successful.
.SH EXAMPLE
The following command:
.LP
[\c
.BI \-D \ binddn\fR]
[\c
-.BI \-e \ [!]ext[=extparam]\fR]
+.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
[\c
.BI \-f \ file\fR]
[\c
[\c
.BI \-O \ security-properties\fR]
[\c
-.BI \-o \ [!]ext[=extparam]\fR]
+.BI \-o \ opt\fR[\fP = optparam\fR]]
[\c
.BI \-p \ port\fR]
[\c
[\c
.BI \-Y \ mech\fR]
[\c
-.BR \-Z[Z] ]
-\ {
+.BR \-Z [ Z ]]
+{\c
.I oid
|
.BI oid: data
|
.BI cancel \ cancel-id
|
-.BI refresh \ DN \ \fR[\fIttl\fR]
-}
+.BI refresh \ DN \ \fR[\fIttl\fR]}
.SH DESCRIPTION
ldapexop issues the LDAP extended operation specified by \fBoid\fP
.BI \-D \ binddn
Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
.TP
-.BI \-e \ [!]ext[=extparam]
+.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
Specify general extensions. \'!\' indicates criticality.
.nf
[!]assert=<filter> (RFC 4528; a RFC 4515 Filter string)
.TP
.BI \-h \ host
Specify the host on which the ldap server is running.
-Deprecated in favor of \fB-H\fP.
+Deprecated in favor of \fB\-H\fP.
.TP
.BI \-H \ URI
Specify URI(s) referring to the ldap server(s); only the protocol/host/port
.TP
.BI \-n
Show what would be done but don't actually do it.
-Useful for debugging in conjunction with \fB-v\fP.
+Useful for debugging in conjunction with \fB\-v\fP.
.TP
.BI \-N
Do not use reverse DNS to canonicalize SASL host name.
.BI \-O \ security-properties
Specify SASL security properties.
.TP
-.BI \-o \ opt[=optparam]
+.BI \-o \ opt\fR[\fP = optparam\fR]
Specify general options:
.nf
nettimeout=<timeout> (in seconds, or "none" or "max")
.TP
.BI \-p \ port
Specify the TCP port where the ldap server is listening.
-Deprecated in favor of \fB-H\fP.
+Deprecated in favor of \fB\-H\fP.
.TP
.BI \-Q
Enable SASL Quiet mode. Never prompt.
.TP
.BI \-V
Print version info and usage message.
-If\fB-VV\fP is given, only the version information is printed.
+If\fB\-VV\fP is given, only the version information is printed.
.TP
.BI \-w \ passwd
Use \fIpasswd\fP as the password for simple authentication.
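Review bot: in the \-V entry the changed line `If\fB\-VV\fP is given` still has no space between "If" and the font escape, so it renders as "If-VV". Suggest `If \fB\-VV\fP is given, only the version information is printed.`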
Specify the requested authorization ID for SASL bind.
.I authzid
must be one of the following formats:
-.B dn:\c
-.I <distinguished name>
+.BI dn: "<distinguished name>"
or
-.B u:\c
-.I <username>
+.BI u: <username>
.TP
.BI \-y \ file
Use complete contents of \fIfile\fP as the password for
Specify the SASL mechanism to be used for authentication.
Without this option, the program will choose the best mechanism the server knows.
.TP
-.B \-Z[Z]
+.BR \-Z [ Z ]
Issue StartTLS (Transport Layer Security) extended operation.
-Giving it twice (\fB-ZZ\fP) will require the operation to be successful.
+Giving it twice (\fB\-ZZ\fP) will require the operation to be successful.
.SH DIAGNOSTICS
Exit status is zero if no errors occur.
Do not expect it to be complete or absolutely correct.
.SH ACKNOWLEDGEMENTS
-The OpenLDAP Project <http://www.openldap.org/>
+.so ../Project
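Review bot: in ACKNOWLEDGEMENTS, `.so ../Project` swaps literal text for an include with a relative path, and the included file is not part of the visible change. Confirm the build expands it before installation (for example with soelim) and that the file exists at that path; otherwise the section is empty or errors out on an installed page.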
[\c
.BR \-v ]
[\c
-.BR \-M[M] ]
+.BR \-M [ M ]]
[\c
.BI \-d \ debuglevel\fR]
[\c
[\c
.BI \-p \ ldapport\fR]
[\c
-.BI \-P \ 2\fR\||\|\fI3\fR]
+.BR \-P \ { 2 \||\| 3 }]
[\c
-.BR \-O \ security-properties ]
+.BI \-O \ security-properties\fR]
[\c
.BR \-I ]
[\c
[\c
.BI \-Y \ mech\fR]
[\c
-.BR \-Z[Z] ]
+.BR \-Z [ Z ]]
[\c
.BI \-f \ file\fR]
.LP
[\c
.BR \-v ]
[\c
-.BR \-M[M] ]
+.BR \-M [ M ]]
[\c
.BI \-d \ debuglevel\fR]
[\c
[\c
.BI \-p \ ldapport\fR]
[\c
-.BI \-P \ 2\fR\||\|\fI3\fR]
+.BR \-P \ { 2 \||\| 3 }]
[\c
-.BR \-O \ security-properties ]
+.BI \-O \ security-properties\fR]
[\c
.BR \-I ]
[\c
[\c
.BI \-Y \ mech\fR]
[\c
-.BR \-Z[Z] ]
+.BR \-Z [ Z ]]
[\c
.BI \-f \ file\fR]
.SH DESCRIPTION
.B ldapadd
is implemented as a hard link to the ldapmodify tool. When invoked as
.B ldapadd
-the -a (add new entry) flag is turned on automatically.
+the \fB\-a\fP (add new entry) flag is turned on automatically.
.LP
.B ldapmodify
opens a connection to an LDAP server, binds, and modifies or adds entries.
The entry information is read from standard input or from \fIfile\fP through
-the use of the -f option.
+the use of the \fB\-f\fP option.
.SH OPTIONS
.TP
.B \-a
.BI \-S \ file
Add or change records which where skipped due to an error are written to \fIfile\fP
and the error message returned by the server is added as a comment. Most useful in
-conjunction with -c.
+conjunction with \fB\-c\fP.
.TP
.B \-n
Show what would be done, but don't actually modify entries. Useful for
-debugging in conjunction with -v.
+debugging in conjunction with \fB\-v\fP.
.TP
.B \-v
Use verbose mode, with many diagnostics written to standard output.
.TP
-.B \-M[M]
+.BR \-M [ M ]
Enable manage DSA IT control.
.B \-MM
makes control critical.
.TP
.BI \-D \ binddn
Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
-For SASL Binds, the server is expected to ignore this value.
+For SASL binds, the server is expected to ignore this value.
.TP
.B \-W
Prompt for simple authentication.
.TP
.BI \-h \ ldaphost
Specify an alternate host on which the ldap server is running.
-Deprecated in favor of -H.
+Deprecated in favor of \fB\-H\fP.
.TP
.BI \-p \ ldapport
Specify an alternate TCP port where the ldap server is listening.
-Deprecated in favor of -H.
+Deprecated in favor of \fB\-H\fP.
.TP
-.BI \-P \ 2\fR\||\|\fI3
+.BR \-P \ { 2 \||\| 3 }
Specify the LDAP protocol version to use.
.TP
.BI \-O \ security-properties
Specify the requested authorization ID for SASL bind.
.I authzid
must be one of the following formats:
-.B dn:\c
-.I <distinguished name>
+.BI dn: "<distinguished name>"
or
-.B u:\c
-.I <username>
+.BI u: <username>
.TP
.BI \-Y \ mech
Specify the SASL mechanism to be used for authentication. If it's not
specified, the program will choose the best mechanism the server knows.
.TP
-.B \-Z[Z]
+.BR \-Z [ Z ]
Issue StartTLS (Transport Layer Security) extended operation. If you use
.B \-ZZ\c
, the command will require the operation to be successful.
.SH INPUT FORMAT
-The contents of \fIfile\fP (or standard input if no \-f flag is given on
+The contents of \fIfile\fP (or standard input if no \fB\-f\fP flag is given on
the command line) must conform to the format defined in
.BR ldif (5)
(LDIF as defined in RFC 2849).
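Review bot: under the \-Z entry the two lines `.B \-ZZ\c` and `, the command will require the operation to be successful.` are left in the old form, while the same sentence in the other pages of this patch becomes `\fB\-ZZ\fP, the command will require the operation to be successful.` Apply the same rewrite here so the pages stay consistent.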
changetype: modify
replace: mail
mail: modme@example.com
- -
+ \-
add: title
title: Grand Poobah
- -
+ \-
add: jpegPhoto
jpegPhoto:< file:///tmp/modme.jpeg
- -
+ \-
delete: description
- -
+ \-
.fi
.LP
the command:
.LP
.nf
- ldapmodify -f /tmp/entrymods
+ ldapmodify \-f /tmp/entrymods
.fi
.LP
will replace the contents of the "Modify Me" entry's
the command:
.LP
.nf
- ldapadd -f /tmp/newentry
+ ldapadd \-f /tmp/newentry
.fi
.LP
will add a new entry for Babs Jensen, using the values from the
the command:
.LP
.nf
- ldapmodify -f /tmp/entrymods
+ ldapmodify \-f /tmp/entrymods
.fi
.LP
will remove Babs Jensen's entry.
[\c
.BR \-c ]
[\c
-.BR \-M[M] ]
+.BR \-M [ M ]]
[\c
.BI \-d \ debuglevel\fR]
[\c
[\c
.BI \-p \ ldapport\fR]
[\c
-.BI \-P \ 2\fR\||\|\fI3\fR]
+.BR \-P \ { 2 \||\| 3 }]
[\c
-.BR \-O \ security-properties ]
+.BI \-O \ security-properties\fR]
[\c
.BR \-I ]
[\c
[\c
.BI \-Y \ mech\fR]
[\c
-.BR \-Z[Z] ]
+.BR \-Z [ Z ]]
[\c
.BI \-f \ file\fR]
[\c
.TP
.B \-n
Show what would be done, but don't actually change entries. Useful for
-debugging in conjunction with -v.
+debugging in conjunction with \fB\-v\fP.
.TP
.B \-v
Use verbose mode, with many diagnostics written to standard output.
will continue with modifications. The default is to exit after
reporting an error.
.TP
-.B \-M[M]
+.BR \-M [ M ]
Enable manage DSA IT control.
.B \-MM
makes control critical.
.TP
-.B \-d debuglevel
+.BI \-d \ debuglevel
Set the LDAP debugging level to \fIdebuglevel\fP.
.B ldapmodrdn
must be
compiled with LDAP_DEBUG defined for this option to have any effect.
.TP
-.B \-f file
+.BI \-f \ file
Read the entry modification information from \fIfile\fP instead of from
standard input or the command-line.
.TP
.B \-x
Use simple authentication instead of SASL.
.TP
-.B \-D binddn
+.BI \-D \ binddn
Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
-For SASL Binds, the server is expected to ignore this value.
+For SASL binds, the server is expected to ignore this value.
.TP
.B \-W
Prompt for simple authentication.
This is used instead of specifying the password on the command line.
.TP
-.B \-w passwd
+.BI \-w \ passwd
Use \fIpasswd\fP as the password for simple authentication.
.TP
.BI \-y \ passwdfile
.TP
.BI \-h \ ldaphost
Specify an alternate host on which the ldap server is running.
-Deprecated in favor of -H.
+Deprecated in favor of \fB\-H\fP.
.TP
.BI \-p \ ldapport
Specify an alternate TCP port where the ldap server is listening.
-Deprecated in favor of -H.
+Deprecated in favor of \fB\-H\fP.
.TP
-.BI \-P \ 2\fR\||\|\fI3
+.BR \-P \ { 2 \||\| 3 }
Specify the LDAP protocol version to use.
.TP
.BI \-O \ security-properties
Specify the requested authorization ID for SASL bind.
.I authzid
must be one of the following formats:
-.B dn:\c
-.I <distinguished name>
+.BI dn: "<distinguished name>"
or
-.B u:\c
-.I <username>
+.BI u: <username>
.TP
.BI \-Y \ mech
Specify the SASL mechanism to be used for authentication. If it's not
specified, the program will choose the best mechanism the server knows.
.TP
-.B \-Z[Z]
+.BR \-Z [ Z ]
Issue StartTLS (Transport Layer Security) extended operation. If you use
-.B \-ZZ\c
-, the command will require the operation to be successful.
+\fB\-ZZ\fP, the command will require the operation to be successful.
.SH INPUT FORMAT
If the command-line arguments \fIdn\fP and \fIrdn\fP are given, \fIrdn\fP
will replace the RDN of the entry specified by the DN, \fIdn\fP.
.LP
Otherwise, the contents of \fIfile\fP (or standard input if
-no
-.RI \- f
-flag is given) should consist of one or more entries.
+no \fB\-f\fP flag is given) should consist of one or more entries.
.LP
.nf
Distinguished Name (DN)
the command:
.LP
.nf
- ldapmodrdn -r -f /tmp/entrymods
+ ldapmodrdn \-r \-f /tmp/entrymods
.fi
.LP
will change the RDN of the "Modify Me" entry from "Modify Me" to
[\c
.BI \-y \ passwdfile\fR]
[\c
-.BR \-O \ security-properties ]
+.BI \-O \ security-properties\fR]
[\c
.BR \-I ]
[\c
[\c
.BI \-Y \ mech\fR]
[\c
-.BR \-Z[Z] ]
+.BR \-Z [ Z ]]
[\c
.IR user ]
.SH DESCRIPTION
.TP
.BI \-D \ binddn
Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
-For SASL Binds, the server is expected to ignore this value.
+For SASL binds, the server is expected to ignore this value.
.TP
.BI \-d \ debuglevel
Set the LDAP debugging level to \fIdebuglevel\fP.
.TP
.BI \-h \ ldaphost
Specify an alternate host on which the ldap server is running.
-Deprecated in favor of -H.
+Deprecated in favor of \fB\-H\fP.
.TP
.BI \-p \ ldapport
Specify an alternate TCP port where the ldap server is listening.
-Deprecated in favor of -H.
+Deprecated in favor of \fB\-H\fP.
.TP
.B \-n
Do not set password. (Can be useful when used in conjunction with
-.BR \-v \ or
-.BR \-d )
+\fB\-v\fP or \fB\-d\fP)
.TP
.BI \-S
Prompt for new password.
Specify the requested authorization ID for SASL bind.
.I authzid
must be one of the following formats:
-.BI dn: <distinguished name>
+.BI dn: "<distinguished name>"
or
.BI u: <username>\fP.
.TP
Specify the SASL mechanism to be used for authentication. If it's not
specified, the program will choose the best mechanism the server knows.
.TP
-.B \-Z[Z]
+.BR \-Z [ Z ]
Issue StartTLS (Transport Layer Security) extended operation. If you use
-.BR \-ZZ ,
-the command will require the operation to be successful
+\fB\-ZZ\fP, the command will require the operation to be successful
.SH SEE ALSO
.BR ldap_sasl_bind (3),
.BR ldap_extended_operation (3),
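Review bot: the joined \-ZZ sentence, `\fB\-ZZ\fP, the command will require the operation to be successful`, still ends without a full stop, unlike the same sentence in the other pages. Add the period while merging the two lines.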
[\c
.BR \-v ]
[\c
-.BR \-t[t] ]
+.BR \-t [ t ]]
[\c
.BI \-T \ path\fR]
[\c
[\c
.BR \-A ]
[\c
-.BR \-L[L[L]] ]
+.BR \-L [ L [ L ]]]
[\c
-.BR \-M[M] ]
+.BR \-M [ M ]]
[\c
.BI \-S \ attribute\fR]
[\c
[\c
.BI \-b \ searchbase\fR]
[\c
-.BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub\fR\||\|\fIchildren\fR]
+.BR \-s \ { base \||\| one \||\| sub \||\| children }]
[\c
-.BI \-a \ never\fR\||\|\fIalways\fR\||\|\fIsearch\fR\||\|\fIfind\fR]
+.BR \-a \ { never \||\| always \||\| search \||\| find }]
[\c
-.BI \-P \ 2\fR\||\|\fI3\fR]
+.BR \-P \ { 2 \||\| 3 }]
[\c
-.BR \-e \ [!]ext[=extparam]]
+.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
[\c
-.BR \-E \ [!]ext[=extparam]]
+.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
[\c
.BI \-l \ timelimit\fR]
[\c
.BI \-z \ sizelimit\fR]
[\c
-.BR \-O \ security-properties ]
+.BI \-O \ security-properties\fR]
[\c
.BR \-I ]
[\c
[\c
.BI \-Y \ mech\fR]
[\c
-.BR \-Z[Z] ]
+.BR \-Z [ Z ]]
.I filter
[\c
.IR attrs... ]
.B \-v
Run in verbose mode, with many diagnostics written to standard output.
.TP
-.B \-t[t]
-A single -t writes retrieved non-printable values to a set of temporary
+.BR \-t [ t ]
+A single \fB\-t\fP writes retrieved non-printable values to a set of temporary
files. This is useful for dealing with values containing non-character
-data such as jpegPhoto or audio. A second -t writes all retrieved values to
+data such as jpegPhoto or audio. A second \fB\-t\fP writes all retrieved values to
files.
.TP
.BI \-T \ path
Write temporary files to directory specified by \fIpath\fP (default:
-/var/tmp/)
+\fB/var/tmp/\fP)
.TP
.BI \-F \ prefix
-URL prefix for temporary files. Default is file://\fIpath\fP/ where
-\fIpath\fP is /var/tmp/ or specified with -T.
+URL prefix for temporary files. Default is \fBfile://\fIpath\fP where
+\fIpath\fP is \fB/var/tmp/\fP or specified with \fB\-T\fP.
.TP
.B \-A
Retrieve attributes only (no values). This is useful when you just want to
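Review bot: in the \-F entry, `\fBfile://\fIpath\fP where` opens bold, switches to italic, and the single `\fP` only returns to bold, so the text after it stays bold. The trailing "/" after path in the old default (`file://\fIpath\fP/`) is also dropped, which changes the documented value. Suggest `\fBfile://\fP\fIpath\fP\fB/\fP where`.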
.B \-L
Search results are display in LDAP Data Interchange Format detailed in
.BR ldif (5).
-A single -L restricts the output to LDIFv1.
-A second -L disables comments.
-A third -L disables printing of the LDIF version.
+A single \fB\-L\fP restricts the output to LDIFv1.
+ A second \fB\-L\fP disables comments.
+A third \fB\-L\fP disables printing of the LDIF version.
The default is to use an extended version of LDIF.
.TP
-.B \-M[M]
+.BR \-M [ M ]
Enable manage DSA IT control.
.B \-MM
makes control critical.
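Review bot: the added \-L line `+ A second \fB\-L\fP disables comments.` begins with a space after the `+`, and a text line that starts with a space forces a break in roff output, splitting the paragraph after the first sentence. Remove the leading space so it matches the lines around it.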
.BR ldap_sort (3)
for more details. Note that
.B ldapsearch
-normally prints out entries as it receives them. The use of the
-.B \-S
+normally prints out entries as it receives them. The use of the \fB\-S\fP
option defeats this behavior, causing all entries to be retrieved,
then sorted, then printed.
.TP
Where it is desired that the search filter include a \fB%\fP character,
the character should be encoded as \fB\\25\fP (see RFC 4515).
If \fIfile\fP is a single
-\fI-\fP character, then the lines are read from standard input.
+\fB\-\fP character, then the lines are read from standard input.
.B ldapsearch
will exit when the first non-successful search result is returned,
-unless -c is used.
+unless \fB\-c\fP is used.
.TP
.B \-x
Use simple authentication instead of SASL.
.TP
.BI \-D \ binddn
Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
-For SASL Binds, the server is expected to ignore this value.
+For SASL binds, the server is expected to ignore this value.
.TP
.B \-W
Prompt for simple authentication.
.TP
.BI \-h \ ldaphost
Specify an alternate host on which the ldap server is running.
-Deprecated in favor of -H.
+Deprecated in favor of \fB\-H\fP.
.TP
.BI \-p \ ldapport
Specify an alternate TCP port where the ldap server is listening.
-Deprecated in favor of -H.
+Deprecated in favor of \fB\-H\fP.
.TP
.BI \-b \ searchbase
Use \fIsearchbase\fP as the starting point for the search instead of
the default.
.TP
-.BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub\fR\||\|\fIchildren
+.BR \-s \ { base \||\| one \||\| sub \||\| children }
Specify the scope of the search to be one of
-.IR base ,
-.IR one ,
-.IR sub ,
+.BR base ,
+.BR one ,
+.BR sub ,
or
-.I children
+.B children
to specify a base object, one-level, subtree, or children search.
The default is
-.IR sub .
+.BR sub .
Note:
.I children
scope requires LDAPv3 subordinate feature extension.
.TP
-.BI \-a \ never\fR\||\|\fIalways\fR\||\|\fIsearch\fR\||\|\fIfind
+.BR \-a \ { never \||\| always \||\| search \||\| find }
Specify how aliases dereferencing is done. Should be one of
-.IR never ,
-.IR always ,
-.IR search ,
+.BR never ,
+.BR always ,
+.BR search ,
or
-.I find
+.B find
to specify that aliases are never dereferenced, always dereferenced,
dereferenced when searching, or dereferenced only when locating the
base object for the search. The default is to never dereference aliases.
.TP
-.BI \-P \ 2\fR\||\|\fI3
+.BR \-P \ { 2 \||\| 3 }
Specify the LDAP protocol version to use.
.TP
-.B \-e \fI[!]ext[=extparam]\fP
+.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
.TP
-.B \-E \fI[!]ext[=extparam]\fP
+.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
-Specify general extensions with -e and search extensions with -E.
-\'!\' indicates criticality.
+Specify general extensions with \fB\-e\fP and search extensions with \fB\-E\fP.
+\'\fB!\fP\' indicates criticality.
General extensions:
.nf
[!]domainScope (domain scope)
[!]mv=<filter> (matched values filter)
[!]pr=<size>[/prompt|noprompt] (paged results/prompt)
- [!]sss=[-]<attr[:OID]>[/[-]<attr[:OID]>...] (server side sorting)
+ [!]sss=[\-]<attr[:OID]>[/[\-]<attr[:OID]>...] (server side sorting)
[!]subentries[=true|false] (subentries)
[!]sync=ro[/<cookie>] (LDAP Sync refreshOnly)
rp[/<cookie>][/<slimit>] (LDAP Sync refreshAndPersist)
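Review bot: under \-s the scope keywords move from .IR to .BR, but the "Note:" that follows still sets `.I children`, while the matching ldapurl hunk changes that line to `.B children`. Make the same change here. Likewise `\'\fB!\fP\'` is bolded only in this page; the ldapexop and ldapurl entries keep `\'!\'`, so pick one form for all three.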
Specify the requested authorization ID for SASL bind.
.I authzid
must be one of the following formats:
-.B dn:\c
-.I <distinguished name>
+.BI dn: "<distinguished name>"
or
-.B u:\c
-.I <username>
+.BI u: <username>
.TP
.BI \-Y \ mech
Specify the SASL mechanism to be used for authentication. If it's not
specified, the program will choose the best mechanism the server knows.
.TP
-.B \-Z[Z]
+.BR \-Z [ Z ]
Issue StartTLS (Transport Layer Security) extended operation. If you use
-.B \-ZZ\c
-, the command will require the operation to be successful.
+\fB\-ZZ\fP, the command will require the operation to be successful.
.SH OUTPUT FORMAT
If one or more entries are found, each entry is written to standard
output in LDAP Data Interchange Format or
...
.fi
.LP
-If the -t option is used, the URI of a temporary file
-is used in place of the actual value. If the -A option
+If the \fB\-t\fP option is used, the URI of a temporary file
+is used in place of the actual value. If the \fB\-A\fP option
is given, only the "attributename" part is written.
.SH EXAMPLE
The following command:
.LP
.nf
- ldapsearch -LLL "(sn=smith)" cn sn telephoneNumber
+ ldapsearch \-LLL "(sn=smith)" cn sn telephoneNumber
.fi
.LP
will perform a subtree search (using the default search base and
cn: John Smith
cn: John T. Smith
sn: Smith
- sn;lang-en: Smith
- sn;lang-de: Schmidt
- telephoneNumber: 1 555 123-4567
+ sn;lang\-en: Smith
+ sn;lang\-de: Schmidt
+ telephoneNumber: 1 555 123\-4567
dn: uid=sss,dc=example,dc=com
cn: Steve Smith
cn: Steve S. Smith
sn: Smith
- sn;lang-en: Smith
- sn;lang-de: Schmidt
- telephoneNumber: 1 555 765-4321
+ sn;lang\-en: Smith
+ sn;lang\-de: Schmidt
+ telephoneNumber: 1 555 765\-4321
.fi
.LP
The command:
.LP
.nf
- ldapsearch -LLL -u -t "(uid=xyz)" jpegPhoto audio
+ ldapsearch \-LLL \-u \-t "(uid=xyz)" jpegPhoto audio
.fi
.LP
will perform a subtree search using the default search base for entries
.nf
dn: uid=xyz,dc=example,dc=com
ufn: xyz, example, com
- audio:< file:///tmp/ldapsearch-audio-a19924
- jpegPhoto:< file:///tmp/ldapsearch-jpegPhoto-a19924
+ audio:< file:///tmp/ldapsearch\-audio\-a19924
+ jpegPhoto:< file:///tmp/ldapsearch\-jpegPhoto\-a19924
.fi
.LP
This command:
.LP
.nf
- ldapsearch -LLL -s one -b "c=US" "(o=University*)" o description
+ ldapsearch \-LLL \-s one \-b "c=US" "(o=University*)" o description
.fi
.LP
will perform a one-level search at the c=US level for all entries
o: University of Colorado at Denver
o: UCD
o: CU/Denver
- o: CU-Denver
+ o: CU\-Denver
description: Institute for Higher Learning and Research
dn: o=University of Florida,c=US
[\c
.BI \-b \ searchbase\fR]
[\c
-.BR \-E \ [!]ext[=extparam]]
+.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
[\c
.BI \-f \ filter\fR]
[\c
[\c
.BI \-p \ ldapport\fR]
[\c
-.BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub\fR\||\|\fIchildren\fR]
+.BR \-s \ { base \||\| one \||\| sub \||\| children }]
[\c
.BI \-S \ scheme\fR]
.SH DESCRIPTION
.I ldapurl
is a command that allows to either compose or decompose LDAP URIs.
.LP
-When invoked with the \fI-H\fP option,
+When invoked with the \fB\-H\fP option,
.B ldapurl
extracts the components of the \fIldapuri\fP option argument,
unescaping hex-escaped chars as required.
call.
Otherwise, it builds an LDAP URI based on the components
passed with the appropriate options, performing the inverse operation.
-Option \fI-H\fP is incompatible with options
-.IR \-a ,
-.IR \-b ,
-.IR \-E ,
-.IR \-f ,
-.IR \-H ,
-.IR \-h ,
-.IR \-p ,
-.IR \-S ,
+Option \fB\-H\fP is incompatible with options
+.BR \-a ,
+.BR \-b ,
+.BR \-E ,
+.BR \-f ,
+.BR \-H ,
+.BR \-h ,
+.BR \-p ,
+.BR \-S ,
and
-.IR \-s .
+.BR \-s .
.SH OPTIONS
.TP
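Review bot: the list of options incompatible with \fB\-H\fP still contains `.BR \-H ,`, so the option is documented as incompatible with itself. As these lines are being rewritten, drop that entry or confirm it is intended.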
.TP
.BI \-b \ searchbase
Set the \fIsearchbase\fP.
.TP
-.B \-E \fI[!]ext[=extparam]\fP
+.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
Set URL extensions; \'!\' indicates criticality.
.TP
.BI \-f \ filter
Set the URL scheme. Defaults for other fields, like \fIldapport\fP,
may depend on the value of \fIscheme\fP.
.TP
-.BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub\fR\||\|\fIchildren
+.BR \-s \ { base \||\| one \||\| sub \||\| children }
Specify the scope of the search to be one of
-.IR base ,
-.IR one ,
-.IR sub ,
+.BR base ,
+.BR one ,
+.BR sub ,
or
-.I children
+.B children
to specify a base object, one-level, subtree, or children search.
The default is
-.IR sub .
+.BR sub .
Note:
-.I children
+.B children
scope requires LDAPv3 subordinate feature extension.
.SH OUTPUT FORMAT
-If the \fI-H\fP option is used, the \fIldapuri\fP supplied
+If the \fB\-H\fP option is used, the \fIldapuri\fP supplied
is exploded in its components, which are printed to standard output
in an LDIF-like form.
.LP
The following command:
.LP
.nf
- ldapuri -h ldap.example.com -b dc=example,dc=com -s sub -f (cn=Some One)
+ ldapuri \-h ldap.example.com \-b dc=example,dc=com \-s sub \-f "(cn=Some One)"
.fi
.LP
returns
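Review bot: the example invokes `ldapuri`, but the page's DESCRIPTION names the tool ldapurl. The line is edited to quote the filter yet keeps the wrong command name, so the example cannot be run as printed. Suggest `ldapurl \-h ldap.example.com \-b dc=example,dc=com \-s sub \-f "(cn=Some One)"`.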
The command:
.LP
.nf
- ldapuri -H ldap://ldap.example.com:389/dc=example,dc=com??sub?(cn=Some%20One)
+ ldapuri \-H ldap://ldap.example.com:389/dc=example,dc=com??sub?(cn=Some%20One)
.fi
.LP
returns
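Review bot: the \-H example leaves the URI unquoted although the previous example now quotes its filter. The parentheses and question marks in `ldap://ldap.example.com:389/dc=example,dc=com??sub?(cn=Some%20One)` are shell metacharacters, so the command fails as typed. Wrap the whole URI in double quotes, and correct the `ldapuri` command name here as well.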
[\c
.BI \-Y \ mech\fR]
[\c
-.BR \-Z[Z] ]
+.BR \-Z [ Z ]]
.SH DESCRIPTION
.I ldapwhoami
implements the LDAP "Who Am I?" extended operation.
.B \-n
Show what would be done, but don't actually perform the whoami operation.
Useful for
-debugging in conjunction with -v.
+debugging in conjunction with \fB\-v\fP.
.TP
.B \-v
Run in verbose mode, with many diagnostics written to standard output.
.TP
.BI \-D \ binddn
Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
-For SASL Binds, the server is expected to ignore this value.
+For SASL binds, the server is expected to ignore this value.
.TP
.B \-W
Prompt for simple authentication.
.TP
.BI \-h \ ldaphost
Specify an alternate host on which the ldap server is running.
-Deprecated in favor of -H.
+Deprecated in favor of \fB\-H\fP.
.TP
.BI \-p \ ldapport
Specify an alternate TCP port where the ldap server is listening.
-Deprecated in favor of -H.
-.TP
-.BI \-P \ 2\fR\||\|\fI3
-Specify the LDAP protocol version to use.
+Deprecated in favor of \fB\-H\fP.
.TP
.BI \-O \ security-properties
Specify SASL security properties.
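Review bot: the \-P entry is dropped from the ldapwhoami OPTIONS list outright, unlike the other pages where it is only re-marked as `.BR \-P \ { 2 \||\| 3 }`. That is a content change inside a markup cleanup. If the tool does not accept \-P, say so in the commit message or split the removal into its own change; otherwise restore the entry in the new form.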
Specify the requested authorization ID for SASL bind.
.I authzid
must be one of the following formats:
-.B dn:\c
-.I <distinguished name>
+.BI dn: "<distinguished name>"
or
-.B u:\c
-.I <username>
+.BI u: <username>
.TP
.BI \-Y \ mech
Specify the SASL mechanism to be used for authentication. If it's not
specified, the program will choose the best mechanism the server knows.
.TP
-.B \-Z[Z]
+.BR \-Z [ Z ]
Issue StartTLS (Transport Layer Security) extended operation. If you use
-.B \-ZZ\c
-, the command will require the operation to be successful.
+\fB\-ZZ\fP, the command will require the operation to be successful.
.SH EXAMPLE
.nf
- ldapwhoami -x -D "cn=Manager,dc=example,dc=com" -W
+ ldapwhoami \-x \-D "cn=Manager,dc=example,dc=com" \-W
.fi
.SH "SEE ALSO"
.BR ldap.conf (5),
.SH NAME
ber_get_next, ber_skip_tag, ber_peek_tag, ber_scanf, ber_get_int, ber_get_enum, ber_get_stringb, ber_get_stringa, ber_get_stringal, ber_get_stringbv, ber_get_null, ber_get_boolean, ber_get_bitstring, ber_first_element, ber_next_element \- OpenLDAP LBER simplified Basic Encoding Rules library routines for decoding
.SH LIBRARY
-OpenLDAP LBER (liblber, -llber)
+OpenLDAP LBER (liblber, \-llber)
.SH SYNOPSIS
.B #include <lber.h>
.LP
.SH NAME
ber_alloc_t, ber_flush, ber_flush2, ber_printf, ber_put_int, ber_put_enum, ber_put_ostring, ber_put_string, ber_put_null, ber_put_boolean, ber_put_bitstring, ber_start_seq, ber_start_set, ber_put_seq, ber_put_set \- OpenLDAP LBER simplified Basic Encoding Rules library routines for encoding
.SH LIBRARY
-OpenLDAP LBER (liblber, -llber)
+OpenLDAP LBER (liblber, \-llber)
.SH SYNOPSIS
.B #include <lber.h>
.LP
rc = ber_printf( ber, "{siiiib{v}}", dn, scope, ali,
size, time, attrsonly, attrs );
- if( rc == -1 ) {
+ if( rc == \-1 ) {
/* error */
} else {
/* success */
}
.fi
.SH ERRORS
-If an error occurs during encoding, generally these routines return -1.
+If an error occurs during encoding, generally these routines return \-1.
.LP
.SH NOTES
.LP
.SH NAME
ber_memalloc, ber_memcalloc, ber_memrealloc, ber_memfree, ber_memvfree \- OpenLDAP LBER memory allocators
.SH LIBRARY
-OpenLDAP LBER (liblber, -llber)
+OpenLDAP LBER (liblber, \-llber)
.SH SYNOPSIS
.B #include <lber.h>
.LP
.SH NAME
ber_sockbuf_alloc, ber_sockbuf_free, ber_sockbuf_ctrl, ber_sockbuf_add_io, ber_sockbuf_remove_io, Sockbuf_IO \- OpenLDAP LBER I/O infrastructure
.SH LIBRARY
-OpenLDAP LBER (liblber, -llber)
+OpenLDAP LBER (liblber, \-llber)
.SH SYNOPSIS
.B #include <lber.h>
.LP
.B arg
must be a
.BR "ber_socket_t *" .
-The return value will be 1 if a valid descriptor was present, -1 otherwise.
+The return value will be 1 if a valid descriptor was present, \-1 otherwise.
.TP
.B LBER_SB_OPT_SET_FD
Sets the file descriptor of the
.BR Sockbuf .
.B arg
should be NULL to disable and non-NULL to enable the non-blocking state.
-The return value will be 1 for success, -1 otherwise.
+The return value will be 1 for success, \-1 otherwise.
.TP
.B LBER_SB_OPT_DRAIN
Flush (read and discard) all available input on the
.SH NAME
ber_int_t, ber_uint_t, ber_len_t, ber_slen_t, ber_tag_t, struct berval, BerValue, BerVarray, BerElement, ber_bvfree, ber_bvecfree, ber_bvecadd, ber_bvarray_free, ber_bvarray_add, ber_bvdup, ber_dupbv, ber_bvstr, ber_bvstrdup, ber_str2bv, ber_alloc_t, ber_init, ber_init2, ber_free \- OpenLDAP LBER types and allocation functions
.SH LIBRARY
-OpenLDAP LBER (liblber, -llber)
+OpenLDAP LBER (liblber, \-llber)
.SH SYNOPSIS
.B #include <lber.h>
.LP
.SH NAME
ldap \- OpenLDAP Lightweight Directory Access Protocol API
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
to select version 3. The library manual pages assume version 3
has been selected.
.SH INPUT and OUTPUT PARAMETERS
-All character string input/output is expected to be/is UTF\-8
+All character string input/output is expected to be/is UTF-8
encoded Unicode (version 3.2).
.LP
Distinguished names (DN) (and relative distinguished names (RDN) to
-be passed to the LDAP routines should conform to RFC 4514 UTF\-8
+be passed to the LDAP routines should conform to RFC 4514 UTF-8
string representation.
.LP
Search filters to be passed to the search routines are to be
-constructed by hand and should conform to RFC 4515 UTF\-8
+constructed by hand and should conform to RFC 4515 UTF-8
string representation.
.LP
LDAP URLs to be passed to routines are expected to conform
.SH NAME
ldap_abandon_ext \- Abandon an LDAP operation in progress
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.B
.SH NAME
ldap_add_ext, ldap_add_ext_s \- Perform an LDAP add operation
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.ft B
#include <ldap.h>
.SH NAME
ldap_bind, ldap_bind_s, ldap_simple_bind, ldap_simple_bind_s, ldap_sasl_bind, ldap_sasl_bind_s, ldap_sasl_interactive_bind_s, ldap_parse_sasl_bind_result, ldap_unbind, ldap_unbind_s, ldap_unbind_ext, ldap_unbind_ext_s, ldap_set_rebind_proc \- LDAP bind routines
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.B #include <ldap.h>
.B ldap_unbind_ext_s()
allows the operations to specify controls.
.SH ERRORS
-Asynchronous routines will return -1 in case of error, setting the
+Asynchronous routines will return \-1 in case of error, setting the
\fIld_errno\fP parameter of the \fIld\fP structure. Synchronous
routines return whatever \fIld_errno\fP is set to. See
.BR ldap_error (3)
.SH NAME
ldap_compare, ldap_compare_s, ldap_compare_ext, ldap_compare_ext_s \- Perform an LDAP compare operation.
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
ldap_controls_dup, ldap_control_free, ldap_controls_free
\- LDAP control manipulation routines
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.B #include <ldap.h>
.LP
.SH NAME
ldap_delete, ldap_delete_s, ldap_delete_ext, ldap_delete_ext_s \- Perform an LDAP delete operation.
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
.BR ldap_perror (3)
and friends.
.B ldap_delete()
-returns -1 if something went wrong initiating the request. It returns the
+returns \-1 if something went wrong initiating the request. It returns the
non-negative message id of the request if things went ok.
.LP
.B ldap_delete_ext()
.SH NAME
ldap_perror, ld_errno, ldap_result2error, ldap_errlist, ldap_err2string \- LDAP protocol error handling routines
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
.SH NAME
ldap_extended_operation, ldap_extended_operation_s \- Extends the LDAP operations to the LDAP server.
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
.SH NAME
ldap_first_attribute, ldap_next_attribute \- step through LDAP entry attributes
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
.SH NAME
ldap_first_entry, ldap_next_entry, ldap_count_entries \- LDAP result entry parsing and counting routines
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
.SH NAME
ldap_first_message, ldap_next_message, ldap_count_messages \- Stepping through messages in a result chain
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
.SH NAME
ldap_first_reference, ldap_next_reference, ldap_count_references \- Stepping through continuation references in a result chain
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
.SH NAME
ldap_get_dn, ldap_explode_dn, ldap_explode_rdn, ldap_dn2ufn \- LDAP DN handling routines
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
.SH NAME
ldap_get_option, ldap_set_option \- LDAP option handling routines
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.B #include <ldap.h>
.B invalue
must be a
.BR "struct timeval *" ,
-and they cannot be NULL. Using a struct with seconds set to -1 results
+and they cannot be NULL. Using a struct with seconds set to \-1 results
in an infinite timeout, which is the default.
.TP
.B LDAP_OPT_NETWORK_TIMEOUT
.B invalue
must be a
.BR "struct timeval *" ,
-and they cannot be NULL. Using a struct with seconds set to -1 results
+and they cannot be NULL. Using a struct with seconds set to \-1 results
in an infinite timeout, which is the default.
.TP
.B LDAP_OPT_DEREF
.SH NAME
ldap_get_values, ldap_get_values_len, ldap_count_values \- LDAP attribute value handling routines
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
.SH NAME
ldap_memfree, ldap_memvfree, ldap_memalloc, ldap_memcalloc, ldap_memrealloc, ldap_strdup \- LDAP memory allocation routines
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.B #include <ldap.h>
.LP
.SH NAME
ldap_modify_ext, ldap_modify_ext_s \- Perform an LDAP modify operation
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
.SH NAME
ldap_modrdn, ldap_modrdn_s, ldap_modrdn2, ldap_modrdn2_s \- Perform an LDAP modify RDN operation
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
.SH ERRORS
The synchronous (_s) versions of these routines return an LDAP error
code, either LDAP_SUCCESS or an error if there was trouble.
-The asynchronous versions return -1 in case
+The asynchronous versions return \-1 in case
of trouble, setting the
.B ld_errno
field of \fIld\fP. See
.SH NAME
ldap_init, ldap_initialize, ldap_open \- Initialize the LDAP library and open a connection to an LDAP server
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
.SH NAME
ldap_parse_reference \- Extract referrals and controls from a reference message
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
.SH NAME
ldap_parse_result \- Parsing results
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
.SH NAME
ldap_parse_sort_control \- Decode the information returned from a search operation that used a server-side sort control
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
.SH NAME
ldap_parse_vlv_control \- Decode the information returned from a search operation that used a VLV (virtual list view) control
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
.SH NAME
ldap_rename, ldap_rename_s \- Renames the specified entry.
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
.BR ldap_result(3).
.SH ERRORS
.B ldap_rename()
-returns -1 in case of error initiating the request, and
+returns \-1 in case of error initiating the request, and
will set the \fIld_errno\fP field in the \fIld\fP parameter to
indicate the error.
.BR ldap_rename_s()
.SH NAME
ldap_result \- Wait for the result of an LDAP operation
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
operation routines (e.g.,
.BR ldap_search_ext (3),
.BR ldap_modify_ext (3),
-etc.). Those routines all return -1 in case of error, and an
+etc.). Those routines all return \-1 in case of error, and an
invocation identifier upon successful initiation of the operation. The
invocation identifier is picked by the library and is guaranteed to be
unique across the LDAP session. It can be used to request the result
routine returns the message id of a message.
.SH ERRORS
.B ldap_result()
-returns -1 if something bad happens, and zero if the
+returns \-1 if something bad happens, and zero if the
timeout specified was exceeded.
.B ldap_msgtype()
and
.B ldap_msgid()
-return -1 on error.
+return \-1 on error.
.SH SEE ALSO
.BR ldap (3),
.BR ldap_first_message (3),
.SH NAME
ldap_str2syntax, ldap_syntax2str, ldap_syntax2name, ldap_syntax_free, ldap_str2matchingrule, ldap_matchingrule2str, ldap_matchingrule2name, ldap_matchingrule_free, ldap_str2attributetype, ldap_attributetype2str, ldap_attributetype2name, ldap_attributetype_free, ldap_str2objectclass, ldap_objectclass2str, ldap_objectclass2name, ldap_objectclass_free, ldap_scherr2str \- Schema definition handling routines
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
.SH NAME
ldap_search, ldap_search_s, ldap_search_st, ldap_search_ext, ldap_search_ext_s \- Perform an LDAP search operation
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
.SH NAME
ldap_sort_entries, ldap_sort_values, ldap_sort_strcasecmp \- LDAP sorting routines (deprecated)
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH DESCRIPTION
The
.BR ldap_sort_entries (),
.SH NAME
ldap_sync_init, ldap_sync_init_refresh_only, ldap_sync_init_refresh_and_persist, ldap_sync_poll \- LDAP sync routines
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.B #include <ldap.h>
The desired timeout during polling with
.BR ldap_sync_poll (3).
A value of
-.BR -1
+.BR \-1
means that polling is blocking, so
.BR ldap_sync_poll (3)
will not return until a message is received; a value of
.BR ldap_parse_result (3).
The
.BR refreshDeletes
-argument is not relevant in this case; it should always be -1.
+argument is not relevant in this case; it should always be \-1.
.TP
.BI "void *" ls_private
A pointer to private data. The client may register here
.BR ls_timeout
to 0, or to set it to a finite, small value.
Otherwise, if the client's main purpose consists in waiting for
-responses, a timeout of -1 is most suitable, so that the function
+responses, a timeout of \-1 is most suitable, so that the function
only returns after some data has been received and handled.
.SH ERRORS
.SH NAME
ldap_start_tls, ldap_start_tls_s, ldap_tls_inplace, ldap_install_tls \- LDAP TLS initialization routines
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.B #include <ldap.h>
.LP
.SH NAME
ldap_is_ldap_url, ldap_url_parse, ldap_free_urldesc \- LDAP Uniform Resource Locator routines
.SH LIBRARY
-OpenLDAP LDAP (libldap, -lldap)
+OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
For example, to define \fBBASE\fP via the environment, set the variable
\fBLDAPBASE\fP to the desired value.
.LP
-Some options are user\-only. Such options are ignored if present
+Some options are user-only. Such options are ignored if present
in the
.I ldap.conf
(or file specified by
.B BINDDN <dn>
Specifies the default bind DN to use when performing ldap operations.
The bind DN must be specified as a Distinguished Name in LDAP format.
-.B This is a user\-only option.
+.B This is a user-only option.
.TP
.B DEREF <when>
Specifies how alias dereferencing is done when performing a search. The
.TP
.B SASL_MECH <mechanism>
Specifies the SASL mechanism to use.
-.B This is a user\-only option.
+.B This is a user-only option.
.TP
.B SASL_REALM <realm>
Specifies the SASL realm.
-.B This is a user\-only option.
+.B This is a user-only option.
.TP
.B SASL_AUTHCID <authcid>
Specifies the authentication identity.
-.B This is a user\-only option.
+.B This is a user-only option.
.TP
.B SASL_AUTHZID <authcid>
Specifies the proxy authorization identity.
-.B This is a user\-only option.
+.B This is a user-only option.
.TP
.B SASL_SECPROPS <properties>
Specifies Cyrus SASL security properties. The
.TP
.B TLS_CERT <filename>
Specifies the file that contains the client certificate.
-.B This is a user\-only option.
+.B This is a user-only option.
.TP
.B TLS_KEY <filename>
Specifies the file that contains the private key that matches the certificate
.B TLS_CERT
file. Currently, the private key must not be protected with a password, so
it is of critical importance that the key file is protected carefully.
-.B This is a user\-only option.
+.B This is a user-only option.
.TP
.B TLS_CIPHER_SUITE <cipher-suite-spec>
Specifies acceptable cipher suite and preference order.
To check what ciphers a given spec selects, use:
.nf
- openssl ciphers -v <cipher-suite-spec>
+ openssl ciphers \-v <cipher-suite-spec>
.fi
To obtain the list of ciphers in GNUtls use:
.nf
- gnutls-cli -l
+ gnutls-cli \-l
.fi
.TP
.B TLS_RANDFILE <filename>
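Review bot: in the GnuTLS example, "gnutls-cli \-l" escapes the option but leaves the hyphen in the command name bare, while the rest of this patch escapes hyphens in literal names (slapd\-ldif, slapd\-bdb). Inside this .nf block the command is meant to be copied verbatim, so I'd write it as "gnutls\-cli \-l"; the identical line in the slapd\-config page further down needs the same change.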
<attrdesc>: <value1>
<attrdesc>: <value2>
...
- -
+ \-
.fi
.LP
Or, for a replace modification:
<attrdesc>: <value1>
<attrdesc>: <value2>
...
- -
+ \-
.fi
.LP
If no \fIattributetype\fP lines are given to replace,
<attrdesc>: <value1>
<attrdesc>: <value2>
...
- -
+ \-
.fi
.LP
If no \fIattributetype\fP lines are given to delete,
add: givenName
givenName: Barbara
givenName: babs
- -
+ \-
replace: description
description: the fabulous babs
- -
+ \-
delete: sn
sn: jensen
- -
+ \-
dn: cn=Babs Jensen,dc=example,dc=com
changetype: modrdn
.BR ldapmodify (1),
.BR slapadd (8),
.BR slapcat (8),
-.BR slapd-ldif (5),
+.BR slapd\-ldif (5),
.BR slapd.replog (5).
.LP
"LDAP Data Interchange Format," Good, G., RFC 2849.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapd-bdb, slapd-hdb \- Berkeley DB backends to slapd
+slapd\-bdb, slapd\-hdb \- Berkeley DB backends to slapd
.SH SYNOPSIS
.B ETCDIR/slapd.conf
.SH DESCRIPTION
.B cryptfile
may be configured.
.TP
-.BI dbconfig \ <Berkeley\-DB\-setting>
+.BI dbconfig \ <Berkeley-DB-setting>
Specify a configuration directive to be placed in the
.B DB_CONFIG
file of the database directory. The
underlying filesystem's block size (typically 4 or 8).
The maximum that BerkeleyDB supports is 64. This
setting usually should not need to be changed, but if BerkeleyDB's
-"db_stat -d" shows a large amount of overflow pages in use in a file,
+"db_stat \-d" shows a large amount of overflow pages in use in a file,
setting a larger size may increase performance at the expense of
data integrity. This setting only takes effect when a database is
being newly created. See the Berkeley DB reference guide for more details.
associated indexes live.
A separate directory must be specified for each database.
The default is
-.BR LOCALSTATEDIR/openldap-data .
+.BR LOCALSTATEDIR/openldap\-data .
.TP
.B dirtyread
Allow reads of modified but not yet committed data.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapd-config \- configuration backend to slapd
+slapd\-config \- configuration backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.d
.SH DESCRIPTION
attribute values.
Backend-specific options are discussed in the
-.B slapd-<backend>(5)
+.B slapd\-<backend>(5)
manual pages. Refer to the "OpenLDAP Administrator's Guide" for more
details on configuring slapd.
.SH GLOBAL CONFIGURATION OPTIONS
.TP
.B olcAttributeOptions: <option-name>...
Define tagging attribute options or option tag/range prefixes.
-Options must not end with `-', prefixes must end with `-'.
-The `lang-' prefix is predefined.
+Options must not end with `\-', prefixes must end with `\-'.
+The `lang\-' prefix is predefined.
If you use the
.B olcAttributeOptions
-directive, `lang-' will no longer be defined and you must specify it
+directive, `lang\-' will no longer be defined and you must specify it
explicitly if you want it defined.
An attribute description with a tagging option is a subtype of that
attribute description without the option.
Except for that, options defined this way have no special semantics.
-Prefixes defined this way work like the `lang-' options:
+Prefixes defined this way work like the `lang\-' options:
They define a prefix for tagging options starting with the prefix.
-That is, if you define the prefix `x-foo-', you can use the option
-`x-foo-bar'.
+That is, if you define the prefix `x\-foo\-', you can use the option
+`x\-foo\-bar'.
Furthermore, in a search or compare, a prefix or range name (with
-a trailing `-') matches all options starting with that name, as well
-as the option with the range name sans the trailing `-'.
-That is, `x-foo-bar-' matches `x-foo-bar' and `x-foo-bar-baz'.
+a trailing `\-') matches all options starting with that name, as well
+as the option with the range name sans the trailing `\-'.
+That is, `x\-foo\-bar\-' matches `x\-foo\-bar' and `x\-foo\-bar\-baz'.
-RFC 4520 reserves options beginning with `x-' for private experiments.
+RFC 4520 reserves options beginning with `x\-' for private experiments.
Other options should be registered with IANA, see RFC 4520 section 3.5.
OpenLDAP also has the `binary' option built in, but this is a transfer
option, not a tagging option.
will stop listening for new connections, but will not close the
connections to the current clients. Future write operations return
unwilling-to-perform, though. Slapd terminates when all clients
-have closed their connections (if they ever do), or \- as before \-
+have closed their connections (if they ever do), or - as before -
if it receives a SIGTERM signal. This can be useful if you wish to
terminate the server and start a new
.B slapd
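Review bot: "or - as before -" now sets the parenthetical dashes as bare hyphens, which is a different kind of fix from the rest of the patch (option and minus characters to "\-"). If the intent is to reserve "\-" for literal minus signs, a dash escape such as "\(em" fits this sentence better than "-"; otherwise I'd leave the original line alone.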
are equivalent.
The keyword
.B any
-can be used as a shortcut to enable logging at all levels (equivalent to -1).
+can be used as a shortcut to enable logging at all levels (equivalent to \-1).
The keyword
.BR none ,
or the equivalent integer representation, causes those messages
.B olcReverseLookup: TRUE | FALSE
Enable/disable client name unverified reverse lookup (default is
.BR FALSE
-if compiled with --enable-rlookups).
+if compiled with \-\-enable\-rlookups).
.TP
.B olcRootDSE: <file>
Specify the name of an LDIF(5) file containing user defined attributes
capabilities, in operational attributes.
It has the empty DN, and can be read with e.g.:
.ti +4
-ldapsearch -x -b "" -s base "+"
+ldapsearch \-x \-b "" \-s base "+"
.br
See RFC 4512 section 5.1 for details.
.TP
To check what ciphers a given spec selects in OpenSSL, use:
.nf
- openssl ciphers -v <cipher-suite-spec>
+ openssl ciphers \-v <cipher-suite-spec>
.fi
To obtain the list of ciphers in GNUtls use:
.nf
- gnutls-cli -l
+ gnutls-cli \-l
.fi
.TP
.B olcTLSCACertificateFile: <filename>
.SH DYNAMIC MODULE OPTIONS
If
.B slapd
-is compiled with --enable-modules then the module-related entries will
+is compiled with \-\-enable\-modules then the module-related entries will
be available. These entries are named
.B cn=module{x},cn=config
and
engine generates the "{x}" index in the RDN automatically, so it
can be omitted when initially loading these entries.
-The special frontend database is always numbered "{-1}" and the config
+The special frontend database is always numbered "{\-1}" and the config
database is always numbered "{0}".
.SH GLOBAL DATABASE OPTIONS
.B [sizelimit=<limit>]
.B [timelimit=<limit>]
.B [schemachecking=on|off]
-.B [network-timeout=<seconds>]
+.B [network\-timeout=<seconds>]
.B [timeout=<seconds>]
.B [bindmethod=simple|sasl]
.B [binddn=<dn>]
parameter. The default is off.
The
-.B network-timeout
+.B network\-timeout
parameter sets how long the consumer will wait to establish a
network connection to the provider. Once a connection is
established, the
.B authzid
parameter may be used to specify an authorization identity.
Specific security properties (as with the
-.B sasl-secprops
+.B sasl\-secprops
keyword above) for a SASL bind can be set with the
.B secprops
option. A non default SASL realm can be set with the
parameters must be set appropriately for the log that will be used. The
.B syncdata
parameter must be set to either "accesslog" if the log conforms to the
-.BR slapo-accesslog (5)
+.BR slapo\-accesslog (5)
log format, or "changelog" if the log conforms
to the obsolete \fIchangelog\fP format. If the
.B syncdata
objectClass: olcGlobal
cn: config
olcPidFile: LOCALSTATEDIR/run/slapd.pid
-olcAttributeOptions: x-hidden lang-
+olcAttributeOptions: x\-hidden lang\-
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
# Subtypes of "name" (e.g. "cn" and "ou") with the
-# option ";x-hidden" can be searched for/compared,
+# option ";x\-hidden" can be searched for/compared,
# but are not shown. See \fBslapd.access\fP(5).
-olcAccess: to attrs=name;x-hidden by * =cs
+olcAccess: to attrs=name;x\-hidden by * =cs
# Protect passwords. See \fBslapd.access\fP(5).
olcAccess: to attrs=userPassword by * auth
# Read access to other attributes and entries.
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: bdb
-olcSuffix: "dc=our-domain,dc=com"
+olcSuffix: "dc=our\-domain,dc=com"
# The database directory MUST exist prior to
# running slapd AND should only be accessible
# by the slapd/tools. Mode 0700 recommended.
-olcDbDirectory: LOCALSTATEDIR/openldap-data
+olcDbDirectory: LOCALSTATEDIR/openldap\-data
# Indices to maintain
olcDbIndex: objectClass eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
objectClass: olcLdapConfig
olcDatabase: ldap
olcSuffix: ""
-olcDbUri: ldap://ldap.some-server.com/
+olcDbUri: ldap://ldap.some\-server.com/
.fi
.RE
.LP
the configuration:
.RS
.nf
-slapadd -F ETCDIR/slapd.d -n 0 -l config.ldif
+slapadd \-F ETCDIR/slapd.d \-n 0 \-l config.ldif
.fi
.RE
format using slapd or any of the slap tools:
.RS
.nf
-slaptest -f ETCDIR/slapd.conf -F ETCDIR/slapd.d
+slaptest \-f ETCDIR/slapd.conf \-F ETCDIR/slapd.d
.fi
.RE
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapd-dnssrv \- DNS SRV referral backend to slapd
+slapd\-dnssrv \- DNS SRV referral backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapd-ldap \- LDAP backend to slapd
+slapd\-ldap \- LDAP backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
For this purpose, the proxy binds to the remote server with some
administrative identity, and, if required, authorizes the asserted identity.
See the
-.IR idassert- *
+.IR idassert\- *
rules below.
The administrative identity of the proxy, on the remote server, must be
allowed to authorize by means of appropriate
.BR slapd (8)
must be compiled with thread support, and the \fBthreads\fP parameter
may need some tuning; in those cases, one may consider using
-.BR slapd-relay (5)
+.BR slapd\-relay (5)
instead, which performs the relayed operation
internally and thus reuses the same connection.
argument, resulting in the underlying library automatically
call the first server of the list that responds, e.g.
-\fBuri "ldap://host/ ldap://backup-host/"\fP
+\fBuri "ldap://host/ ldap://backup\-host/"\fP
The URI list is space- or comma-separated.
Whenever the server that responds is not the first one in the list,
needs be created.
.HP
.hy 0
-.B acl-bind
+.B acl\-bind
.B bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
.B [authcId=<authentication ID>] [authzId=<authorization ID>]
.BR simple
bind, with empty \fIbinddn\fP and \fIcredentials\fP,
which means that the related operations will be performed anonymously.
-If not set, and if \fBidassert-bind\fP is defined, this latter identity
-is used instead. See \fBidassert-bind\fP for details.
+If not set, and if \fBidassert\-bind\fP is defined, this latter identity
+is used instead. See \fBidassert\-bind\fP for details.
The connection between the proxy database and the remote server
associated to this identity is cached regardless of the lifespan
.B This identity is by no means implicitly used by the proxy
.B when the client connects anonymously.
The
-.B idassert-bind
+.B idassert\-bind
feature, instead, in some cases can be crafted to implement that behavior,
which is \fIintrinsically unsafe and should be used with extreme care\fP.
This directive obsoletes
-.BR acl-authcDN ,
+.BR acl\-authcDN ,
and
-.BR acl-passwd .
+.BR acl\-passwd .
The TLS settings default to the same as the main slapd TLS settings,
except for
.RE
.TP
-.B cancel {ABANDON|ignore|exop[-discover]}
+.B cancel {ABANDON|ignore|exop[\-discover]}
Defines how to handle operation cancellation.
By default,
.B abandon
no action is taken and any further response is ignored; this may result
in further response messages to be queued for that connection, so it is
recommended that long lasting connections are timed out either by
-.I idle-timeout
+.I idle\-timeout
or
-.IR conn-ttl ,
+.IR conn\-ttl ,
so that resources eventually get released.
If set to
.BR exop ,
operation waits for remote server response, so its use
may not be recommended.
If set to
-.BR exop-discover ,
+.BR exop\-discover ,
support of the
.I cancel
extended operation is detected by reading the remote server's root DSE.
.TP
-.B chase-referrals {YES|no}
+.B chase\-referrals {YES|no}
enable/disable automatic referral chasing, which is delegated to the
underlying libldap, with rebinding eventually performed if the
-\fBrebind-as-user\fP directive is used. The default is to chase referrals.
+\fBrebind\-as\-user\fP directive is used. The default is to chase referrals.
.TP
-.B conn-ttl <time>
+.B conn\-ttl <time>
This directive causes a cached connection to be dropped an recreated
after a given ttl, regardless of being idle or not.
.TP
-.B idassert-authzFrom <authz-regexp>
+.B idassert\-authzFrom <authz-regexp>
if defined, selects what
.I local
identities are authorized to exploit the identity assertion feature.
See
.BR slapd.conf (5),
section related to
-.BR authz-policy ,
+.BR authz\-policy ,
for details on the syntax of this field.
.HP
.hy 0
-.B idassert-bind
+.B idassert\-bind
.B bindmethod=none|simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
.B [authcId=<authentication ID>] [authzId=<authorization ID>]
privileges on a wide set of DNs, e.g.
.BR authzTo=dn.subtree:"" ,
and the remote server to have
-.B authz-policy
+.B authz\-policy
set to
.B to
or
or a SASL bind as the
.IR authcID ,
unless restricted by
-.BR idassert-authzFrom
+.BR idassert\-authzFrom
rules (see below), in which case the operation will fail;
eventually, it will assert some other identity according to
.BR <mode> .
Flags can be
-\fBoverride,[non-]prescriptive\fP
+\fBoverride,[non\-]prescriptive\fP
When the
.B override
flag is used (the default), operations fail with
\fIinappropriateAuthentication\fP
for those identities whose assertion is not allowed by the
-.B idassert-authzFrom
+.B idassert\-authzFrom
patterns.
If the
-.B non-prescriptive
+.B non\-prescriptive
flag is used, operations are performed anonymously for those identities
whose assertion is not allowed by the
-.B idassert-authzFrom
+.B idassert\-authzFrom
patterns.
The TLS settings default to the same as the main slapd TLS settings,
which defaults to "demand".
The identity associated to this directive is also used for privileged
-operations whenever \fBidassert-bind\fP is defined and \fBacl-bind\fP
-is not. See \fBacl-bind\fP for details.
+operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP
+is not. See \fBacl\-bind\fP for details.
This directive obsoletes
-.BR idassert-authcDN ,
-.BR idassert-passwd ,
-.BR idassert-mode ,
+.BR idassert\-authcDN ,
+.BR idassert\-passwd ,
+.BR idassert\-mode ,
and
-.BR idassert-method .
+.BR idassert\-method .
.RE
.TP
-.B idle-timeout <time>
+.B idle\-timeout <time>
This directive causes a cached connection to be dropped an recreated
after it has been idle for the specified time.
.TP
-.B network-timeout <time>
+.B network\-timeout <time>
Sets the network timeout value after which
.BR poll (2)/ select (2)
following a
.BR connect (2)
returns in case of no activity.
The value is in seconds, and it can be specified as for
-.BR idle-timeout .
+.BR idle\-timeout .
.TP
.B norefs <NO|yes>
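Review bot: the idle\-timeout description still reads "to be dropped an recreated" ("an" for "and"), and the conn\-ttl description earlier in this file has the same wording. Not caused by this change, but both sit directly under lines being edited, so a follow-up typo fix would be welcome.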
attribute of the database entry in the configuration backend.
.TP
-.B rebind-as-user {NO|yes}
+.B rebind\-as\-user {NO|yes}
If this option is given, the client's bind credentials are remembered
for rebinds, when trying to re-establish a broken connection,
or when chasing a referral, if
-.B chase-referrals
+.B chase\-referrals
is set to
.IR yes .
Discards current cached connection when the client rebinds.
.TP
-.B t-f-support {NO|yes|discover}
+.B t\-f\-support {NO|yes|discover}
enable if the remote server supports absolute filters
(see \fIdraft-zeilenga-ldap-t-f\fP for details).
If set to
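Review bot: the t\-f\-support entry escapes the directive name but leaves "\fIdraft-zeilenga-ldap-t-f\fP" two lines below with bare hyphens. That is a literal document name a reader will search for, the same case as "ldap://ldap.some\-server.com/" elsewhere in the patch, so it should get "\-" as well, or the commit message should say which literals are deliberately left alone.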
Note: in some cases, this backend may issue binds prior
to other operations (e.g. to bind anonymously or with some prescribed
-identity according to the \fBidassert-bind\fP directive).
+identity according to the \fBidassert\-bind\fP directive).
In this case, the timeout of the operation that resulted in the bind
is used.
.HP
.hy 0
-.B tls {[try-]start|[try-]propagate|ldaps}
+.B tls {[try\-]start|[try\-]propagate|ldaps}
.B [tls_cert=<file>]
.B [tls_key=<file>]
.B [tls_cacert=<file>]
set to "ldaps" and the StartTLS operation will not be used.
\fBpropagate\fP issues the StartTLS operation only if the original
connection did.
-The \fBtry-\fP prefix instructs the proxy to continue operations
+The \fBtry\-\fP prefix instructs the proxy to continue operations
if the StartTLS operation failed; its use is \fBnot\fP recommended.
The TLS settings default to the same as the main slapd TLS settings,
.RE
.TP
-.B use-temporary-conn {NO|yes}
+.B use\-temporary\-conn {NO|yes}
when set to
.BR yes ,
create a temporary connection whenever competing with other threads
in future releases.
.TP
-.B acl-authcDN "<administrative DN for access control purposes>"
+.B acl\-authcDN "<administrative DN for access control purposes>"
Formerly known as the
.BR binddn ,
it is the DN that is used to query the target server for acl checking;
There is no risk of giving away such values; they are only used to
check permissions.
-.B The acl-authcDN identity is by no means implicitly used by the proxy
+.B The acl\-authcDN identity is by no means implicitly used by the proxy
.B when the client connects anonymously.
The
-.B idassert-*
+.B idassert\-*
feature can be used (at own risk) for that purpose instead.
This directive is obsoleted by the
.B binddn
arg of
-.B acl-bind
+.B acl\-bind
when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
-.B acl-passwd <password>
+.B acl\-passwd <password>
Formerly known as the
.BR bindpw ,
it is the password used with the above
-.B acl-authcDN
+.B acl\-authcDN
directive.
This directive is obsoleted by the
.B credentials
arg of
-.B acl-bind
+.B acl\-bind
when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
-.B idassert-authcDN "<administrative DN for proxyAuthz purposes>"
+.B idassert\-authcDN "<administrative DN for proxyAuthz purposes>"
DN which is used to propagate the client's identity to the target
by means of the proxyAuthz control when the client does not
belong to the DIT fragment that is being proxied by back-ldap.
This directive is obsoleted by the
.B binddn
arg of
-.BR idassert-bind
+.BR idassert\-bind
when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
-.B idassert-passwd <password>
+.B idassert\-passwd <password>
Password used with the
-.B idassert-authcDN
+.B idassert\-authcDN
above.
This directive is obsoleted by the
.B crendentials
arg of
-.B idassert-bind
+.B idassert\-bind
when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
-.B idassert-mode <mode> [<flags>]
+.B idassert\-mode <mode> [<flags>]
defines what type of
.I identity assertion
is used.
This directive is obsoleted by the
.B mode
arg of
-.BR idassert-bind ,
+.BR idassert\-bind ,
and will be dismissed in the future.
.TP
-.B idassert-method <method> [<saslargs>]
+.B idassert\-method <method> [<saslargs>]
This directive is obsoleted by the
.B bindmethod
arg of
-.BR idassert-bind ,
+.BR idassert\-bind ,
and will be dismissed in the future.
.TP
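Review bot: In the idassert\-passwd entry the unchanged line ".B crendentials" misspells the argument name; the matching acl\-passwd entry earlier in this hunk has ".B credentials". The patch already rewrites the lines on either side of it, so correct the spelling here as well, otherwise the page keeps pointing readers at an idassert\-bind argument that is spelled differently everywhere else.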
.B overlay rwm
first, and prefix all rewrite/map statements with
-.B rwm-
+.B rwm\-
to obtain the original behavior.
See
-.BR slapo-rwm (5)
+.BR slapo\-rwm (5)
for details.
.\" However, to ease update from existing configurations, back-ldap still
.\" recognizes them and automatically instantiates the
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapd-ldbm \- Discontinued LDBM backend to slapd
+slapd\-ldbm \- Discontinued LDBM backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
.SH SEE ALSO
.BR slapd (8),
-.BR slapd-bdb (5),
+.BR slapd\-bdb (5),
.BR slapd.backends (5).
.SH ACKNOWLEDGEMENTS
.so ../Project
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapd-ldif \- LDIF backend to slapd
+slapd\-ldif \- LDIF backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
.\" and maybe manual pages for librewrite.
.\"
.SH NAME
-slapd-meta \- metadirectory backend to slapd
+slapd\-meta \- metadirectory backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
each connection requires a new thread; as a consequence, \fBslapd\fP(8)
must be compiled with thread support, and the \fBthreads\fP parameter
may need some tuning; in those cases, unless the multiple target feature
-is required, one may consider using \fBslapd-relay\fP(5) instead,
+is required, one may consider using \fBslapd\-relay\fP(5) instead,
which performs the relayed operation internally and thus reuses
the same connection.
.SH EXAMPLES
There are examples in various places in this document, as well as in the
-slapd/back-meta/data/ directory in the OpenLDAP source tree.
+slapd/back\-meta/data/ directory in the OpenLDAP source tree.
.SH CONFIGURATION
These
.B slapd.conf
They are:
.TP
-.B conn-ttl <time>
+.B conn\-ttl <time>
This directive causes a cached connection to be dropped an recreated
after a given ttl, regardless of being idle or not.
.TP
-.B default-target none
+.B default\-target none
This directive forces the backend to reject all those operations
that must resolve to a single target in case none or multiple
targets are selected.
specific target as default.
.TP
-.B dncache-ttl {DISABLED|forever|<ttl>}
+.B dncache\-ttl {DISABLED|forever|<ttl>}
This directive sets the time-to-live of the DN cache.
This caches the target that holds a given DN to speed up target
selection in case multiple targets would result from an uncached
search; forever means cache never expires; disabled means no DN
caching; otherwise a valid ( > 0 ) ttl is required, in the format
illustrated for the
-.B idle-timeout
+.B idle\-timeout
directive.
.TP
overridden by any per-target directive.
.TP
-.B pseudoroot-bind-defer {YES|no}
+.B pseudoroot\-bind\-defer {YES|no}
This directive, when set to
.BR yes ,
causes the authentication to the remote servers with the pseudo-root
it affects all targets with the same pattern.
.TP
-.B rebind-as-user {NO|yes}
+.B rebind\-as\-user {NO|yes}
If this option is given, the client's bind credentials are remembered
for rebinds, when trying to re-establish a broken connection,
or when chasing a referral, if
-.B chase-referrals
+.B chase\-referrals
is set to
.IR yes .
Discards current cached connection when the client rebinds.
.TP
-.B use-temporary-conn {NO|yes}
+.B use\-temporary\-conn {NO|yes}
when set to
.BR yes ,
create a temporary connection whenever competing with other threads
.RE
.TP
-.B acl-authcDN "<administrative DN for access control purposes>"
+.B acl\-authcDN "<administrative DN for access control purposes>"
DN which is used to query the target server for acl checking,
as in the LDAP backend; it is supposed to have read access
on the target server to attributes used on the proxy for acl checking.
There is no risk of giving away such values; they are only used to
check permissions.
-.B The acl-authcDN identity is by no means implicitly used by the proxy
+.B The acl\-authcDN identity is by no means implicitly used by the proxy
.B when the client connects anonymously.
.TP
-.B acl-passwd <password>
+.B acl\-passwd <password>
Password used with the
.B
-acl-authcDN
+acl\-authcDN
above.
.TP
-.B bind-timeout <microseconds>
+.B bind\-timeout <microseconds>
This directive defines the timeout, in microseconds, used when polling
for response after an asynchronous bind connection. The initial call
to ldap_result(3) is performed with a trade-off timeout of 100000 us;
if that results in a timeout exceeded, subsequent calls use the value
provided with
-.BR bind-timeout .
+.BR bind\-timeout .
The default value is used also for subsequent calls if
-.B bind-timeout
+.B bind\-timeout
is not specified.
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
.TP
-.B chase-referrals {YES|no}
+.B chase\-referrals {YES|no}
enable/disable automatic referral chasing, which is delegated to the
underlying libldap, with rebinding eventually performed if the
-\fBrebind-as-user\fP directive is used. The default is to chase referrals.
+\fBrebind\-as\-user\fP directive is used. The default is to chase referrals.
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
.TP
-.B default-target [<target>]
-The "default-target" directive can also be used during target specification.
+.B default\-target [<target>]
+The "default\-target" directive can also be used during target specification.
With no arguments it marks the current target as the default.
The optional number marks target <target> as the default one, starting
from 1.
Target <target> must be defined.
.TP
-.B idassert-authzFrom <authz-regexp>
+.B idassert\-authzFrom <authz-regexp>
if defined, selects what
.I local
identities are authorized to exploit the identity assertion feature.
See
.BR slapd.conf (5),
section related to
-.BR authz-policy ,
+.BR authz\-policy ,
for details on the syntax of this field.
.HP
.hy 0
-.B idassert-bind
+.B idassert\-bind
.B bindmethod=none|simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
.B [authcId=<authentication ID>] [authzId=<authorization ID>]
privileges on a wide set of DNs, e.g.
.BR authzTo=dn.subtree:"" ,
and the remote server to have
-.B authz-policy
+.B authz\-policy
set to
.B to
or
or a SASL bind as the
.IR authcID ,
unless restricted by
-.BR idassert-authzFrom
+.BR idassert\-authzFrom
rules (see below), in which case the operation will fail;
eventually, it will assert some other identity according to
.BR <mode> .
Flags can be
-\fBoverride,[non-]prescriptive\fP
+\fBoverride,[non\-]prescriptive\fP
When the
.B override
flag is used (the default), operations fail with
\fIinappropriateAuthentication\fP
for those identities whose assertion is not allowed by the
-.B idassert-authzFrom
+.B idassert\-authzFrom
patterns.
If the
-.B non-prescriptive
+.B non\-prescriptive
flag is used, operations are performed anonymously for those identities
whose assertion is not allowed by the
-.B idassert-authzFrom
+.B idassert\-authzFrom
patterns.
The TLS settings default to the same as the main slapd TLS settings,
which defaults to "demand".
The identity associated to this directive is also used for privileged
-operations whenever \fBidassert-bind\fP is defined and \fBacl-bind\fP
-is not. See \fBacl-bind\fP for details.
+operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP
+is not. See \fBacl\-bind\fP for details.
.RE
.TP
-.B idle-timeout <time>
+.B idle\-timeout <time>
This directive causes a cached connection to be dropped an recreated
after it has been idle for the specified time.
The value can be specified as
.B map "{attribute|objectclass} [<local name>|*] {<foreign name>|*}"
This maps object classes and attributes as in the LDAP backend.
See
-.BR slapd-ldap (5).
+.BR slapd\-ldap (5).
.TP
-.B network-timeout <time>
+.B network\-timeout <time>
Sets the network timeout value after which
.BR poll (2)/ select (2)
following a
.BR connect (2)
returns in case of no activity.
The value is in seconds, and it can be specified as for
-.BR idle-timeout .
+.BR idle\-timeout .
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
The rewrite options are described in the "REWRITING" section.
.TP
-.B subtree-exclude "<DN>"
+.B subtree\-exclude "<DN>"
This directive instructs back-meta to ignore the current target
for operations whose requestDN is subordinate to
.BR DN .
There may be multiple occurrences of the
-.B subtree-exclude
+.B subtree\-exclude
directive for each of the targets.
.TP
of the rewrite rules it implies.
.TP
-.B t-f-support {NO|yes|discover}
+.B t\-f\-support {NO|yes|discover}
enable if the remote server supports absolute filters
(see \fIdraft-zeilenga-ldap-t-f\fP for details).
If set to
is destroyed, according to RFC4511.
.TP
-.B tls {[try-]start|[try-]propagate}
+.B tls {[try\-]start|[try\-]propagate}
execute the StartTLS extended operation when the connection is initialized;
only works if the URI directive protocol scheme is not \fBldaps://\fP.
\fBpropagate\fP issues the StartTLS operation only if the original
connection did.
-The \fBtry-\fP prefix instructs the proxy to continue operations
+The \fBtry\-\fP prefix instructs the proxy to continue operations
if the StartTLS operation failed; its use is highly deprecated.
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
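Review bot: The sentence following the try\- change still reads "its use is highly deprecated", while the same sentence in the slapd\-ldap text of this patch says "its use is \fBnot\fP recommended". Use one wording in both pages, and consider stating outright that with try\- the proxy carries on without TLS when StartTLS fails, since that is the reason for the advice.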
they are divided in two main groups: client \-> server and
server \-> client rewriting.
.LP
-client -> server:
+client \-> server:
.LP
.RS
.nf
.fi
.RE
.LP
-server -> client:
+server \-> client:
.LP
.RS
.nf
The proxy cache overlay
allows caching of LDAP search requests (queries) in a local database.
See
-.BR slapo-pcache (5)
+.BR slapo\-pcache (5)
for details.
.SH FILES
.TP
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapd-monitor \- Monitor backend to slapd
+slapd\-monitor \- Monitor backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
.LP
.RS
.nf
-configure --enable-monitor
+configure \-\-enable\-monitor
.fi
.RE
.TP
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapd-ndb \- MySQL NDB backend to slapd
+slapd\-ndb \- MySQL NDB backend to slapd
.SH SYNOPSIS
.B ETCDIR/slapd.conf
.SH DESCRIPTION
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapd-null \- Null backend to slapd
+slapd\-null \- Null backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapd-passwd \- /etc/passwd backend to slapd
+slapd\-passwd \- /etc/passwd backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
.TH SLAPD-PERL 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" $OpenLDAP$
.SH NAME
-slapd-perl \- Perl backend to slapd
+slapd\-perl \- Perl backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
filter in the search request), rather than search results to be
returned directly to the client.
.SH EXAMPLE
-There is an example Perl module `SampleLDAP' in the slapd/back-perl/
+There is an example Perl module `SampleLDAP' in the slapd/back\-perl/
directory in the OpenLDAP source tree.
.SH ACCESS CONTROL
The
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapd-relay \- relay backend to slapd
+slapd\-relay \- relay backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
instance into a virtual naming context, with attributeType
and objectClass manipulation, if required.
It requires the
-.BR slapo-rwm (5)
+.BR slapo\-rwm (5)
overlay.
.LP
This backend and the above mentioned overlay are experimental.
database does not automatically rewrite the naming context
of requests and responses.
For this purpose, the
-.BR slapo-rwm (5)
+.BR slapo\-rwm (5)
overlay must be explicitly instantiated, and configured
as appropriate.
Usually, the
-.B rwm-suffixmassage
+.B rwm\-suffixmassage
directive suffices if only naming context rewriting is required.
.SH ACCESS RULES
frontend sees the operation as performed by the identity in the
real naming context.
Moreover, since
-.B back-relay
+.B back\-relay
bypasses the real database frontend operations by short-circuiting
operations through the internal backend API, the original database
access rules do not apply but in selected cases, i.e. when the
suffix "dc=virtual,dc=naming,dc=context"
relay "dc=real,dc=naming,dc=context"
overlay rwm
- rwm-suffixmassage "dc=real,dc=naming,dc=context"
+ rwm\-suffixmassage "dc=real,dc=naming,dc=context"
.fi
.LP
To implement a plain virtual naming context mapping
database relay
suffix "dc=virtual,dc=naming,dc=context"
overlay rwm
- rwm-suffixmassage "dc=real,dc=naming,dc=context"
+ rwm\-suffixmassage "dc=real,dc=naming,dc=context"
.fi
.LP
This is useful, for instance, to relay different databases that
suffix "dc=virtual,dc=naming,dc=context"
relay "dc=real,dc=naming,dc=context"
overlay rwm
- rwm-rewriteEngine on
- rwm-rewriteContext default
- rwm-rewriteRule "dc=virtual,dc=naming,dc=context"
+ rwm\-rewriteEngine on
+ rwm\-rewriteContext default
+ rwm\-rewriteRule "dc=virtual,dc=naming,dc=context"
"dc=real,dc=naming,dc=context" ":@"
- rwm-rewriteContext searchFilter
- rwm-rewriteContext searchEntryDN
- rwm-rewriteContext searchAttrDN
- rwm-rewriteContext matchedDN
+ rwm\-rewriteContext searchFilter
+ rwm\-rewriteContext searchEntryDN
+ rwm\-rewriteContext searchAttrDN
+ rwm\-rewriteContext matchedDN
.fi
.LP
Note that the
-.BR slapo-rwm (5)
+.BR slapo\-rwm (5)
overlay is instantiated, but the rewrite rules are written explicitly,
rather than automatically as with the
-.B rwm-suffixmassage
+.B rwm\-suffixmassage
statement, to map all the virtual to real naming context data flow,
but none of the real to virtual.
.LP
suffix "o=Example,c=US"
relay "dc=example,dc=com"
overlay rwm
- rwm-suffixmassage "dc=example,dc=com"
+ rwm\-suffixmassage "dc=example,dc=com"
# skip ...
access to dn.subtree="o=Example,c=US"
by dn.exact="cn=Supervisor,dc=example,dc=com" write
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd\-config (5),
-.BR slapo-rwm (5),
+.BR slapo\-rwm (5),
.BR slapd (8).
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapd-shell \- Shell backend to slapd
+slapd\-shell \- Shell backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
<repeat {
<"add"/"delete"/"replace">: <attribute>
<repeat { <attribute>: <value> }>
- -
+ \-
}>
.fi
.TP
access to the attributes and values used in the filter is not checked.
.SH EXAMPLE
-There is an example search script in the slapd/back-shell/ directory
+There is an example search script in the slapd/back\-shell/ directory
in the OpenLDAP source tree.
.SH LIMITATIONS
The shell backend does not support threaded environments.
When using the shell backend,
.BR slapd (8)
should be built
-.IR --without-threads .
+.IR \-\-without\-threads .
.SH FILES
.TP
ETCDIR/slapd.conf
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapd-sock \- Socket backend to slapd
+slapd\-sock \- Socket backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The Socket backend to
.BR slapd (8)
uses an external program to handle queries, similarly to
-.BR slapd-shell (5).
+.BR slapd\-shell (5).
However, in this case the external program listens on a Unix domain socket.
This makes it possible to have a pool of processes, which persist between
requests. This allows multithreaded operation and a higher level of
be sent and from which replies are received.
.SH PROTOCOL
The protocol is essentially the same as
-.BR slapd-shell (5)
+.BR slapd\-shell (5)
with the addition of a newline to terminate the command parameters. The
following commands are sent:
.RS
<repeat {
<"add"/"delete"/"replace">: <attribute>
<repeat { <attribute>: <value> }>
- -
+ \-
}>
<blank line>
.fi
access to the attributes and values used in the filter is not checked.
.SH EXAMPLE
-There is an example script in the slapd/back-sock/ directory
+There is an example script in the slapd/back\-sock/ directory
in the OpenLDAP source tree.
.SH FILES
.TP
.TH SLAPD-SQL 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" $OpenLDAP$
.SH NAME
-slapd-sql \- SQL backend to slapd
+slapd\-sql \- SQL backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
used as such with several limitations.
You can take a look at
.B http://www.openldap.org/faq/index.cgi?file=378
-(OpenLDAP FAQ-O-Matic/General LDAP FAQ/Directories vs. conventional
+(OpenLDAP FAQ\-O\-Matic/General LDAP FAQ/Directories vs. conventional
databases) to find out more on this point.
.LP
The idea (detailed below) is to use some meta-information to translate
meta-information, adding and deleting entries to ldap_entries, etc.
All these and subtree_cond should have the given default values.
For the current value it is recommended to look at the sources,
-or in the log output when slapd starts with "-d 5" or greater.
+or in the log output when slapd starts with "\-d 5" or greater.
Note that the parameter number and order must not be changed.
.TP
.LP
Almost everything mentioned later is illustrated in examples located
in the
-.B servers/slapd/back-sql/rdbms_depend/
+.B servers/slapd/back\-sql/rdbms_depend/
directory in the OpenLDAP source tree, and contains scripts for
generating sample database for Oracle, MS SQL Server, mySQL and more
(including PostgreSQL and IBM db2).
The proxy cache overlay
allows caching of LDAP search requests (queries) in a local database.
See
-.BR slapo-pcache (5)
+.BR slapo\-pcache (5)
for details.
.SH EXAMPLES
-There are example SQL modules in the slapd/back-sql/rdbms_depend/
+There are example SQL modules in the slapd/back\-sql/rdbms_depend/
directory in the OpenLDAP source tree.
.SH ACCESS CONTROL
The
and/or
.BR re_format (7),
matching a normalized string representation of the entry's DN.
-The regex form of the pattern does not (yet) support UTF\-8.
+The regex form of the pattern does not (yet) support UTF-8.
.LP
The statement
.B filter=<ldapfilter>
.LP
.nf
<level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage
- <priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+
+ <priv> ::= {=|+|\-}{0|d|x|c|s|r|{w|a|z}|m}+
.fi
.LP
The modifier
The
.B +
and
-.B -
+.B \-
signs add/remove access privileges to the existing ones.
The privileges are
.B m
the database (see the
.BR slapd.conf (5)
or
-.BR slapd-config (5)
+.BR slapd\-config (5)
manual page),
.B add (=a)
will be required on all of the attributes being added.
so it is fully honored by all backends; for all other operations
and for the discovery phase of the search operation,
full ACL semantics is only supported by the primary backends, i.e.
-.BR back-bdb (5),
+.BR back\-bdb (5),
and
-.BR back-hdb (5).
+.BR back\-hdb (5).
Some other backend, like
-.BR back-sql (5),
+.BR back\-sql (5),
may fully support them; others may only support a portion of the
described semantics, or even differ in some aspects.
The relevant details are described in the backend-specific man pages.
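Review bot: The three references changed here become "back\-bdb (5)", "back\-hdb (5)" and "back\-sql (5)", but the NAME sections and cross-references elsewhere in this patch call these pages slapd\-bdb and slapd\-sql, and slapd.backends uses the form slapd\-<backend> (5). Escaping the hyphen leaves the reference pointing at a page name that the rest of the set does not use; rename them to the slapd\-<backend> form in the same change.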
default slapd configuration file
.SH SEE ALSO
.BR slapd (8),
-.BR slapd-* (5),
+.BR slapd\-* (5),
.BR slapacl (8),
.BR regex (7),
.BR re_format (7)
Configuration options for each backend are documented separately in the
corresponding
-.BR slapd-<backend> (5)
+.BR slapd\-<backend> (5)
manual pages.
.TP
.B bdb
Its use requires the
.B rwm
overlay (see
-.BR slapo-rwm (5)
+.BR slapo\-rwm (5)
for details) to rewrite the naming context of the request.
It is primarily intended to implement virtual views on databases
that actually store data.
The specific configuration options available are discussed below in the
Global Configuration Options, General Backend Options, and General Database
Options. Backend-specific options are discussed in the
-.B slapd-<backend>(5)
+.B slapd\-<backend>(5)
manual pages. Refer to the "OpenLDAP Administrator's Guide" for more
details on the slapd configuration file.
.SH GLOBAL CONFIGURATION OPTIONS
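Review bot: ".B slapd\-<backend>(5)" keeps the section number inside the bold argument, whereas the slapd.backends text in this patch writes ".BR slapd\-<backend> (5)". Since the line is being touched anyway, switch it to the .BR form with a space before "(5)" so the reference is typeset like the others.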
.TP
.B attributeoptions [option-name]...
Define tagging attribute options or option tag/range prefixes.
-Options must not end with `-', prefixes must end with `-'.
-The `lang-' prefix is predefined.
+Options must not end with `\-', prefixes must end with `\-'.
+The `lang\-' prefix is predefined.
If you use the
.B attributeoptions
-directive, `lang-' will no longer be defined and you must specify it
+directive, `lang\-' will no longer be defined and you must specify it
explicitly if you want it defined.
An attribute description with a tagging option is a subtype of that
attribute description without the option.
Except for that, options defined this way have no special semantics.
-Prefixes defined this way work like the `lang-' options:
+Prefixes defined this way work like the `lang\-' options:
They define a prefix for tagging options starting with the prefix.
-That is, if you define the prefix `x-foo-', you can use the option
-`x-foo-bar'.
+That is, if you define the prefix `x\-foo\-', you can use the option
+`x\-foo\-bar'.
Furthermore, in a search or compare, a prefix or range name (with
-a trailing `-') matches all options starting with that name, as well
-as the option with the range name sans the trailing `-'.
-That is, `x-foo-bar-' matches `x-foo-bar' and `x-foo-bar-baz'.
+a trailing `\-') matches all options starting with that name, as well
+as the option with the range name sans the trailing `\-'.
+That is, `x\-foo\-bar\-' matches `x\-foo\-bar' and `x\-foo\-bar\-baz'.
-RFC 4520 reserves options beginning with `x-' for private experiments.
+RFC 4520 reserves options beginning with `x\-' for private experiments.
Other options should be registered with IANA, see RFC 4520 section 3.5.
OpenLDAP also has the `binary' option built in, but this is a transfer
option, not a tagging option.
description.)
.RE
.TP
-.B authz-policy <policy>
+.B authz\-policy <policy>
Used to specify which rules to use for Proxy Authorization. Proxy
authorization allows a client to authenticate to the server using one
user's credentials, but specify a different identity to use for authorization
can impact security, users are strongly encouraged
to explicitly set the type of identity specification that is being used.
A subset of these rules can be used as third arg in the
-.B authz-regexp
+.B authz\-regexp
statement (see below); significantly, the
.IR URI ,
provided it results in exactly one entry,
forms.
.RE
.TP
-.B authz-regexp <match> <replace>
+.B authz\-regexp <match> <replace>
Used by the authentication framework to convert simple user names,
such as provided by SASL subsystem, or extracted from certificates
in case of cert-based SASL EXTERNAL, or provided within the RFC 4370
the authentication identity must have "auth" access in the subject.
Multiple
-.B authz-regexp
+.B authz\-regexp
options can be given in the configuration file to allow for multiple matching
and replacement patterns. The matching patterns are checked in the order they
appear in the file, stopping at the first successful match.
will stop listening for new connections, but will not close the
connections to the current clients. Future write operations return
unwilling-to-perform, though. Slapd terminates when all clients
-have closed their connections (if they ever do), or \- as before \-
+have closed their connections (if they ever do), or - as before -
if it receives a SIGTERM signal. This can be useful if you wish to
terminate the server and start a new
.B slapd
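Review bot: The replacement "or - as before -" turns the parenthetical dashes into plain hyphens, which is no closer to the intended glyph than the \- it removes. If the aim is to reserve \- for literal minus signs, use \(em here, or reword the sentence with commas.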
.hy 0
.B ldapsyntax "(\ <oid>\
[DESC\ <description>]\
- [X-SUBST <substitute\-syntax>]\ )"
+ [X\-SUBST <substitute-syntax>]\ )"
.RS
Specify an LDAP syntax using the LDAPv3 syntax defined in RFC 4512.
The slapd parser extends the RFC 4512 definition by allowing string
.B objectidentifier
description.)
The slapd parser also honors the
-.B X-SUBST
+.B X\-SUBST
extension (an OpenLDAP-specific extension), which allows to use the
.B ldapsyntax
statement to define a non-implemented syntax along with another syntax,
the extension value
-.IR substitute\-syntax ,
+.IR substitute-syntax ,
as its temporary replacement.
The
-.I substitute\-syntax
+.I substitute-syntax
must be defined.
This allows to define attribute types that make use of non-implemented syntaxes
using the correct syntax OID.
Unless
-.B X-SUBST
+.B X\-SUBST
is used, this configuration statement would result in an error,
since no handlers would be associated to the resulting syntax structure.
.RE
are equivalent.
The keyword
.B any
-can be used as a shortcut to enable logging at all levels (equivalent to -1).
+can be used as a shortcut to enable logging at all levels (equivalent to \-1).
The keyword
.BR none ,
or the equivalent integer representation, causes those messages
.B modulepath
option. This option and the
.B modulepath
-option are only usable if slapd was compiled with --enable-modules.
+option are only usable if slapd was compiled with \-\-enable\-modules.
.TP
.B modulepath <pathspec>
Specify a list of directories to search for loadable modules. Typically
name can also be used with a suffix of the form ":xx" in which case the
value "oid.xx" will be used.
.TP
-.B password-hash <hash> [<hash>...]
+.B password\-hash <hash> [<hash>...]
This option configures one or more hashes to be used in generation of user
passwords stored in the userPassword attribute during processing of
LDAP Password Modify Extended Operations (RFC 3062).
set conditions within a particular database); it must occur first
in the list of conditions.
.TP
-.B reverse-lookup on | off
+.B reverse\-lookup on | off
Enable/disable client name unverified reverse lookup (default is
.BR off
-if compiled with --enable-rlookups).
+if compiled with \-\-enable\-rlookups).
.TP
.B rootDSE <file>
Specify the name of an LDIF(5) file containing user defined attributes
capabilities, in operational attributes.
It has the empty DN, and can be read with e.g.:
.ti +4
-ldapsearch -x -b "" -s base "+"
+ldapsearch \-x \-b "" \-s base "+"
.br
See RFC 4512 section 5.1 for details.
.TP
-.B sasl-auxprops <plugin> [...]
+.B sasl\-auxprops <plugin> [...]
Specify which auxprop plugins to use for authentication lookups. The
default is empty, which just uses slapd's internal support. Usually
no other auxprop plugins are needed.
.TP
-.B sasl-host <fqdn>
+.B sasl\-host <fqdn>
Used to specify the fully qualified domain name used for SASL processing.
.TP
-.B sasl-realm <realm>
+.B sasl\-realm <realm>
Specify SASL realm. Default is empty.
.TP
-.B sasl-secprops <properties>
+.B sasl\-secprops <properties>
Used to specify Cyrus SASL security properties.
The
.B none
.B security <factors>
Specify a set of security strength factors (separated by white space)
to require (see
-.BR sasl-secprops 's
+.BR sasl\-secprops 's
.B minssf
option for a description of security strength factors).
The directive may be specified globally and/or per-database.
.BR limits
for an explanation of the different flags.
.TP
-.B tool-threads <integer>
+.B tool\-threads <integer>
Specify the maximum number of threads to use in tool mode.
This should not be greater than the number of CPUs in the system.
The default is 1.
To check what ciphers a given spec selects, use:
.nf
- openssl ciphers -v <cipher-suite-spec>
+ openssl ciphers \-v <cipher-suite-spec>
.fi
To obtain the list of ciphers in GNUtls use:
.nf
- gnutls-cli -l
+ gnutls-cli \-l
.fi
.TP
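Review bot: "gnutls-cli \-l" escapes the option but leaves the hyphen in the command name as a plain "-", unlike the other literal names this patch touches (slapd\-bdb, openldap\-data). Inside this .nf example the command is meant to be typed as shown, so make it "gnutls\-cli \-l".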
(suffix) of the database.
This option accepts all RFC 2307 userPassword formats known to
the server (see
-.B password-hash
+.B password\-hash
description) as well as cleartext.
.BR slappasswd (8)
may be used to generate a hash of a password. Cleartext
.B [sizelimit=<limit>]
.B [timelimit=<limit>]
.B [schemachecking=on|off]
-.B [network-timeout=<seconds>]
+.B [network\-timeout=<seconds>]
.B [timeout=<seconds>]
.B [bindmethod=simple|sasl]
.B [binddn=<dn>]
replication is used.
The
-.B network-timeout
+.B network\-timeout
parameter sets how long the consumer will wait to establish a
network connection to the provider. Once a connection is
established, the
.B authzid
parameter may be used to specify an authorization identity.
Specific security properties (as with the
-.B sasl-secprops
+.B sasl\-secprops
keyword above) for a SASL bind can be set with the
.B secprops
option. A non default SASL realm can be set with the
parameters must be set appropriately for the log that will be used. The
.B syncdata
parameter must be set to either "accesslog" if the log conforms to the
-.BR slapo-accesslog (5)
+.BR slapo\-accesslog (5)
log format, or "changelog" if the log conforms
to the obsolete \fIchangelog\fP format. If the
.B syncdata
pidfile LOCALSTATEDIR/run/slapd.pid
# Subtypes of "name" (e.g. "cn" and "ou") with the
-# option ";x-hidden" can be searched for/compared,
+# option ";x\-hidden" can be searched for/compared,
# but are not shown. See \fBslapd.access\fP(5).
-attributeoptions x-hidden lang-
-access to attrs=name;x-hidden by * =cs
+attributeoptions x\-hidden lang\-
+access to attrs=name;x\-hidden by * =cs
# Protect passwords. See \fBslapd.access\fP(5).
access to attrs=userPassword by * auth
access to * by * read
database bdb
-suffix "dc=our-domain,dc=com"
+suffix "dc=our\-domain,dc=com"
# The database directory MUST exist prior to
# running slapd AND should only be accessible
# by the slapd/tools. Mode 0700 recommended.
-directory LOCALSTATEDIR/openldap-data
+directory LOCALSTATEDIR/openldap\-data
# Indices to maintain
index objectClass eq
index cn,sn,mail pres,eq,approx,sub
# so handle remote lookups on their behalf.
database ldap
suffix ""
-uri ldap://ldap.some-server.com/
+uri ldap://ldap.some\-server.com/
lastmod off
.fi
.RE
Configuration options for each overlay are documented separately in the
corresponding
-.BR slapo-<overlay> (5)
+.BR slapo\-<overlay> (5)
manual pages.
.TP
.B accesslog
Proxycache.
This overlay allows caching of LDAP search requests in a local database.
It is most often used with the
-.BR slapd-ldap (5)
+.BR slapd\-ldap (5)
or
-.BR slapd-meta (5)
+.BR slapd\-meta (5)
backends.
.TP
.B ppolicy
.B refint
Referential Integrity.
This overlay can be used with a backend database such as
-.BR slapd-bdb (5)
+.BR slapd\-bdb (5)
to maintain the cohesiveness of a schema which utilizes reference
attributes.
.TP
.B translucent
Translucent Proxy.
This overlay can be used with a backend database such as
-.BR slapd-bdb (5)
+.BR slapd\-bdb (5)
to create a "translucent proxy".
Content of entries retrieved from a remote LDAP server can be partially
overridden by the database.
.B unique
Attribute Uniqueness.
This overlay can be used with a backend database such as
-.BR slapd-bdb (5)
+.BR slapd\-bdb (5)
to enforce the uniqueness of some or all attributes within a subtree.
.TP
.B valsort
...
.fi
.LP
-If slapd is compiled with \fI--enable-slapi\fP, support for plugins
+If slapd is compiled with \fI\-\-enable\-slapi\fP, support for plugins
according to \fINetscape's Directory Server Plug-Ins\fP.
Version 4 of the API is currently implemented, with some extensions
from version 5.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapo-accesslog \- Access Logging overlay to slapd
+slapo\-accesslog \- Access Logging overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
.RS
.PD 0
.TP
-attribute:<+|-|=|#> [ value]
+attribute:<+|\-|=|#> [ value]
.RE
.RE
.PD
-Where '+' indicates an Add of a value, '-' for Delete, '=' for Replace,
+Where '+' indicates an Add of a value, '\-' for Delete, '=' for Replace,
and '#' for Increment. In an Add operation, all of the reqMod values will
have the '+' designator.
.P
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapo-auditlog \- Audit Logging overlay to slapd
+slapo\-auditlog \- Audit Logging overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.TP
default slapd configuration directory
.SH SEE ALSO
.BR slapd.conf (5),
-.BR slapd-config(5).
+.BR slapd\-config(5).
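Review bot: The rewritten SEE ALSO line still has no space between the page name and the section number, so .BR receives a single argument and sets "(5)." in bold together with the name, unlike ".BR slapd.conf (5)," on the line above it. Since the line is being changed anyway, make it ".BR slapd\-config (5)." so the section number renders in roman.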
.\" Copying restrictions apply. See the COPYRIGHT file.
.\" $OpenLDAP$
.SH NAME
-slapo-chain \- chain overlay to slapd
+slapo\-chain \- chain overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
that identity can be asserted while chasing the referrals
by means of the \fIidentity assertion\fP feature of back-ldap
(see
-.BR slapd-ldap (5)
+.BR slapd\-ldap (5)
for details), which is essentially based on the
.B proxied authorization
control [RFC 4370].
related to the instances of the \fIldap\fP backend that may be implicitly
instantiated by the overlay may assume a special meaning when used
in conjunction with this overlay. They are described in
-.BR slapd-ldap (5),
+.BR slapd\-ldap (5),
and they also need to be prefixed by
.BR chain\- .
.TP
This directive adds the chain overlay to the current backend.
The chain overlay may be used with any backend, but it is mainly
intended for use with local storage backends that may return referrals.
-It is useless in conjunction with the \fIslapd-ldap\fP and \fIslapd-meta\fP
+It is useless in conjunction with the \fIslapd\-ldap\fP and \fIslapd\-meta\fP
backends because they already exploit the libldap specific referral chase
feature.
[Note: this may change in the future, as the \fBldap\fP(5) and
\fBmeta\fP(5) backends might no longer chase referrals on their own.]
.TP
-.B chain-cache-uri {FALSE|true}
+.B chain\-cache\-uri {FALSE|true}
This directive instructs the \fIchain\fP overlay to cache
connections to URIs parsed out of referrals that are not predefined,
to be reused for later chaining.
These URIs inherit the properties configured for the underlying
-\fBslapd-ldap\fP(5) before any occurrence of the \fBchain-uri\fP
+\fBslapd\-ldap\fP(5) before any occurrence of the \fBchain\-uri\fP
directive; basically, they are chained anonymously.
.TP
-.B chain-chaining [resolve=<r>] [continuation=<c>] [critical]
+.B chain\-chaining [resolve=<r>] [continuation=<c>] [critical]
This directive enables the \fIchaining\fP control
(see \fIdraft-sermersheim-ldap-chaining\fP for details)
with the desired resolve and continuation behaviors and criticality.
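Review bot: The directive name is escaped here, but the draft name two lines below it, "\fIdraft-sermersheim-ldap-chaining\fP", keeps its bare hyphens. It is a literal document name that readers will search for or paste, so it should get the same treatment as the directive: "\fIdraft\-sermersheim\-ldap\-chaining\fP".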
If the \fBcritical\fP flag affects the control criticality if provided.
[This control is experimental and its support may change in the future.]
.TP
-.B chain-max-depth <n>
+.B chain\-max\-depth <n>
In case a referral is returned during referral chasing, further chasing
occurs at most \fB<n>\fP levels deep. Set to \fB1\fP (the default)
to disable further referral chasing.
.TP
-.B chain-return-error {FALSE|true}
+.B chain\-return\-error {FALSE|true}
In case referral chasing fails, the real error is returned instead
of the original referral. In case multiple referral URIs are present,
only the first error is returned. This behavior may not be always
better resolved by the client (e.g. when caused by distributed
authentication issues).
.TP
-.B chain-uri <ldapuri>
+.B chain\-uri <ldapuri>
This directive instantiates a new underlying \fIldap\fP database
and instructs it about which URI to contact to chase referrals.
-As opposed to what stated in \fBslapd-ldap\fP(5), only one URI
-can appear after this directive; all subsequent \fBslapd-ldap\fP(5)
-directives prefixed by \fBchain-\fP refer to this specific instance
+As opposed to what stated in \fBslapd\-ldap\fP(5), only one URI
+can appear after this directive; all subsequent \fBslapd\-ldap\fP(5)
+directives prefixed by \fBchain\-\fP refer to this specific instance
of a remote server.
.LP
.RS
.nf
overlay chain
-chain-rebind-as-user FALSE
+chain\-rebind\-as\-user FALSE
-chain-uri "ldap://ldap1.example.com"
-chain-rebind-as-user TRUE
-chain-idassert-bind bindmethod="simple"
+chain\-uri "ldap://ldap1.example.com"
+chain\-rebind\-as\-user TRUE
+chain\-idassert\-bind bindmethod="simple"
binddn="cn=Auth,dc=example,dc=com"
credentials="secret"
mode="self"
-chain-uri "ldap://ldap2.example.com"
-chain-idassert-bind bindmethod="simple"
+chain\-uri "ldap://ldap2.example.com"
+chain\-idassert\-bind bindmethod="simple"
binddn="cn=Auth,dc=example,dc=com"
credentials="secret"
mode="none"
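Review bot: Missing documentation in the example these chain\-idassert\-bind lines belong to: it uses a simple bind with a literal password in the credentials setting against plain ldap:// URIs, and nothing in the block says what that implies. While the block is being touched, add a comment line stating that a simple bind sends the password unprotected unless the connection itself is secured, and that a slapd.conf holding credentials must not be readable by other users.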
.RE
.LP
Any valid directives for the ldap database may be used; see
-.BR slapd-ldap (5)
+.BR slapd\-ldap (5)
for details.
-Multiple occurrences of the \fBchain-uri\fP directive may appear,
+Multiple occurrences of the \fBchain\-uri\fP directive may appear,
to define multiple "trusted" URIs where operations with
\fIidentity assertion\fP are chained.
All URIs not listed in the configuration are chained anonymously.
-All \fBslapd-ldap\fP(5) directives appearing before the first
-occurrence of \fBchain-uri\fP are inherited by all URIs,
+All \fBslapd\-ldap\fP(5) directives appearing before the first
+occurrence of \fBchain\-uri\fP are inherited by all URIs,
unless specifically overridden inside each URI configuration.
.SH FILES
.TP
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapo-collect \- Collective attributes overlay to slapd
+slapo\-collect \- Collective attributes overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
.BR slapd.conf (5),
.BR slapd\-config (5),
The
-.BR slapo-collect (5)
+.BR slapo\-collect (5)
overlay supports dynamic configuration via
.BR back-config .
.SH ACKNOWLEDGEMENTS
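Review bot: Inconsistent escaping within the same sentence: the slapo\-collect reference is converted, but ".BR back-config ." two lines later keeps a bare hyphen. It is a literal name like the others, so it should become ".BR back\-config .". The same leftover appears in the matching paragraphs of the dynlist, memberof and retcode pages in this patch.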
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapo-constraint \- Attribute Constraint Overlay to slapd
+slapo\-constraint \- Attribute Constraint Overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
.\" Copying restrictions apply. See the COPYRIGHT file.
.\" $OpenLDAP$
.SH NAME
-slapo-dds \- Dynamic Directory Services overlay to slapd
+slapo\-dds \- Dynamic Directory Services overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
By default, no limit is set.
.TP
-.B dds-state {TRUE|false}
+.B dds\-state {TRUE|false}
Specifies if the Dynamic Directory Services feature is enabled or not.
By default it is; however, a proxy does not need to keep track of dynamic
objects itself, it only needs to inform the frontend that support for
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapo-dyngroup \- Dynamic Group overlay to slapd
+slapo\-dyngroup \- Dynamic Group overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
.\" Copying restrictions apply. See the COPYRIGHT file.
.\" $OpenLDAP$
.SH NAME
-slapo-dynlist \- Dynamic List overlay to slapd
+slapo\-dynlist \- Dynamic List overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
No recursion is allowed, to avoid potential infinite loops.
The resulting entry must comply with the LDAP data model, so constraints
are enforced.
-For example, if a \fISINGLE-VALUE\fP attribute is listed,
+For example, if a \fISINGLE\-VALUE\fP attribute is listed,
only the first value results in the final entry.
The above described behavior is disabled when the \fImanageDSAit\fP
control (RFC 3296) is used.
.B overlay
directive.
.TP
-.B dynlist-attrset <group-oc> [<URI>] <URL-ad> [[<mapped-ad>:]<member-ad> ...]
+.B dynlist\-attrset <group-oc> [<URI>] <URL-ad> [[<mapped-ad>:]<member-ad> ...]
The value
-.B group-oc
+.B group\-oc
is the name of the objectClass that triggers the dynamic expansion of the
data.
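Review bot: The placeholders on the dynlist\-attrset synopsis line are left unescaped (<group-oc>, <URL-ad>, <mapped-ad>, <member-ad>), while the very next changed line refers to the first of them as ".B group\-oc". The synopsis and the description should spell the token the same way; either escape the hyphens inside the angle-bracket placeholders as well, or leave the description unescaped and say in the commit message that placeholders are deliberately excluded.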
# ...
overlay dynlist
- dynlist-attrset groupOfURLs memberURL
+ dynlist\-attrset groupOfURLs memberURL
.fi
.LP
and that slapd loads dynlist.la, if compiled as a run-time module;
# ...
overlay dynlist
- dynlist-attrset groupOfURLs memberURL member
+ dynlist\-attrset groupOfURLs memberURL member
.fi
.LP
.BR slapd\-config (5),
.BR slapd (8).
The
-.BR slapo-dynlist (5)
+.BR slapo\-dynlist (5)
overlay supports dynamic configuration via
.BR back-config .
.SH ACKNOWLEDGEMENTS
.\" Copying restrictions apply. See the COPYRIGHT file.
.\" $OpenLDAP$
.SH NAME
-slapo-memberof \- Reverse Group Membership overlay to slapd
+slapo\-memberof \- Reverse Group Membership overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
configuration options are defined for the memberofoverlay.
.TP
-.BI memberof-group-oc \ <group-oc>
+.BI memberof\-group\-oc \ <group-oc>
The value
.I <group-oc>
is the name of the objectClass that triggers the reverse group membership
It defaults to \fIgroupOfNames\fP.
.TP
-.BI memberof-member-ad \ <member-ad>
+.BI memberof\-member\-ad \ <member-ad>
The value
.I <member-ad>
is the name of the attribute that contains the names of the members
It defaults to \fImember\fP.
.TP
-.BI memberof-memberof-ad \ <memberof-ad>
+.BI memberof\-memberof\-ad \ <memberof-ad>
The value
.I <memberof-ad>
is the name of the attribute that contains the names of the groups
It defaults to \fImemberOf\fP.
.TP
-.BI memberof-dn \ <dn>
+.BI memberof\-dn \ <dn>
The value
.I <dn>
contains the DN that is used as \fImodifiersName\fP for internal
It defaults to the \fIrootdn\fP of the underlying database.
.TP
-.BI "memberof-dangling {" ignore ", " drop ", " error "}"
+.BI "memberof\-dangling {" ignore ", " drop ", " error "}"
This option determines the behavior of the overlay when, during
a modification, it encounters dangling references.
The default is
to fail.
.TP
-.BI memberof-dangling-error \ <error-code>
+.BI memberof\-dangling\-error \ <error-code>
If
-.BR memberof-dangling
+.BR memberof\-dangling
is set to
.IR error ,
this configuration parameter can be used to modify the response code
but other implementations are known to return "no such object" instead.
.TP
-.BI "memberof-refint {" true "|" FALSE "}"
+.BI "memberof\-refint {" true "|" FALSE "}"
This option determines whether the overlay will try to preserve
referential integrity or not.
If set to
.BR slapd\-config (5),
.BR slapd (8).
The
-.BR slapo-memberof (5)
+.BR slapo\-memberof (5)
overlay supports dynamic configuration via
.BR back-config .
.SH ACKNOWLEDGEMENTS
.\" Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
.\" $OpenLDAP$
.SH NAME
-slapo-pcache \- proxycache overlay to slapd
+slapo\-pcache \- proxycache overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
.TP
.B proxyattrset <index> <attrs...>
Used to associate a set of attributes <attrs..> with an <index>. Each attribute
-set is associated with an integer from 0 to <numattrsets>-1. These indices are
+set is associated with an integer from 0 to <numattrsets>\-1. These indices are
used by the \fBproxytemplate\fP directive to define cacheable templates.
A set of attributes cannot be empty. A set of attributes can contain the
special attributes "*" (all user attributes), "+" (all operational attributes)
Results hitting a sizelimit are not cached by default (<limitttl> set to 0).
.TP
-.B response-callback { head | tail }
+.B response\-callback { head | tail }
Specifies whether the response callback should be placed at the
.B tail
(the default) or at the
proxy caching be used in conjunction with the
.I identity assertion
feature of
-.BR slapd-ldap (5)
+.BR slapd\-ldap (5)
(see the
-.B idassert-bind
+.B idassert\-bind
and the
-.B idassert-authz
+.B idassert\-authz
statements), so that remote server interrogation occurs with a vanilla identity
that has some relatively high
.B search
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapo-ppolicy \- Password Policy overlay to slapd
+slapo\-ppolicy \- Password Policy overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
use of a backend database, changes to user password fields, etc.
.P
The overlay provides a variety of password control mechanisms. They
-include password aging--both minimum and maximum ages, password
+include password aging -- both minimum and maximum ages, password
reuse and duplication control, account time-outs, mandatory password
resets, acceptable password content, and even grace logins.
Different groups of users may be associated with different password
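Review bot: The replacement on the "password aging" line only adds spaces around the double hyphen and leaves both characters unescaped, which is at odds with the rest of this patch. This one is punctuation, not a literal, so the dash escape is the better fit: "password aging \(em both minimum and maximum ages". If a plain two-character rendering is really wanted, write it as "\-\-".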
NAME 'pwdMinAge'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdMaxAge
NAME 'pwdMaxAge'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdInHistory
NAME 'pwdInHistory'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdCheckQuality
NAME 'pwdCheckQuality'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdMinLength
NAME 'pwdMinLength'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdExpireWarning
NAME 'pwdExpireWarning'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdGraceAuthnLimit
NAME 'pwdGraceAuthnLimit'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdLockout
NAME 'pwdLockout'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdLockoutDuration
NAME 'pwdLockoutDuration'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdMaxFailure
NAME 'pwdMaxFailure'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdFailureCountInterval
NAME 'pwdFailureCountInterval'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdMustChange
NAME 'pwdMustChange'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdAllowUserChange
NAME 'pwdAllowUserChange'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdSafeModify
NAME 'pwdSafeModify'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdCheckModule
NAME 'pwdCheckModule'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.P
Note:
this object'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
- SINGLE-VALUE
- NO-USER-MODIFICATION
+ SINGLE\-VALUE
+ NO\-USER\-MODIFICATION
USAGE directoryOperation)
.RE
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
- SINGLE-VALUE
- NO-USER-MODIFICATION
+ SINGLE\-VALUE
+ NO\-USER\-MODIFICATION
USAGE directoryOperation)
.RE
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
- SINGLE-VALUE
- NO-USER-MODIFICATION
+ SINGLE\-VALUE
+ NO\-USER\-MODIFICATION
USAGE directoryOperation)
.RE
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
- NO-USER-MODIFICATION
+ NO\-USER\-MODIFICATION
USAGE directoryOperation )
.RE
DESC 'The history of user passwords'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
EQUALITY octetStringMatch
- NO-USER-MODIFICATION
+ NO\-USER\-MODIFICATION
USAGE directoryOperation)
.RE
DESC 'The timestamps of the grace login once the password has expired'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
- NO-USER-MODIFICATION
+ NO\-USER\-MODIFICATION
USAGE directoryOperation)
.RE
been reset'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE
+ SINGLE\-VALUE
USAGE directoryOperation)
.RE
.nf
database bdb
suffix dc=example,dc=com
-\...
+\|...
overlay ppolicy
ppolicy_default "cn=Standard,ou=Policies,dc=example,dc=com"
.fi
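Review bot: Style point on the "\|..." line: "\|" is a narrow space, so in typeset output the ellipsis is shifted slightly relative to the other lines of this .nf block. The usual guard for a line that begins with a dot is the zero-width "\&", which has no visible effect on any device; suggest "\&..." instead.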
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapo-refint \- Referential Integrity overlay to slapd
+slapo\-refint \- Referential Integrity overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The Referential Integrity overlay can be used with a backend database such as
-.BR slapd-bdb (5)
+.BR slapd\-bdb (5)
to maintain the cohesiveness of a schema which utilizes reference attributes.
.LP
Integrity is maintained by updating database records which contain the named
.\" Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
.\" $OpenLDAP$
.SH NAME
-slapo-retcode \- return code overlay to slapd
+slapo\-retcode \- return code overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
.hy 0
.B retcode\-item <RDN> <errCode> [op=<oplist>] [text=<message>]
.B [ref=<referral>] [sleeptime=<sec>] [matched=<DN>]
-.B [unsolicited=<OID>[:<data>]] [flags=[{pre|post}-]disconnect[,...]]
+.B [unsolicited=<OID>[:<data>]] [flags=[{pre|post}\-]disconnect[,...]]
.RS
A dynamically generated entry, located below \fBretcode\-parent\fP.
The \fBerrCode\fP is the number of the response code;
of an RFC 4511 unsolicited response message; if \fBOID\fP
is not "0", an extended response is generated, with the optional
\fBdata\fP appended.
-If \fBflags\fP contains \fBdisconnect\fP, or \fBpre-disconnect\fP,
+If \fBflags\fP contains \fBdisconnect\fP, or \fBpre\-disconnect\fP,
.BR slapd (8)
-disconnects abruptly, without notice; \fBpost-disconnect\fP
+disconnects abruptly, without notice; \fBpost\-disconnect\fP
causes disconnection right after sending response as appropriate.
.RE
.TP
Enables exploitation of in-directory stored errAbsObject.
May result in a lot of unnecessary overhead.
.TP
-.B retcode\-sleep [-]<n>
+.B retcode\-sleep [\-]<n>
Defines a sleep time in seconds that is spent before actually handling
any operation.
If negative, a random time between 0 and the absolute value of the argument
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.LP
The operations that trigger the response code:
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.LP
The sleep time before the response is actually returned to the client:
DESC 'Time to wait before returning the error'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.LP
The matched DN returned to the client:
DESC 'Value to be returned as matched DN'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.LP
The OID to be returned as extended response OID
DESC 'OID to be returned within unsolicited response'
EQUALITY objectIdentifierMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.LP
The octet string to be returned as extended response data
NAME ( 'errUnsolicitedData' )
DESC 'Data to be returned within unsolicited response'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.LP
If TRUE,
NAME ( 'errDisconnect' )
DESC 'Disconnect without notice'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.LP
The abstract class that triggers the overlay:
.RS
.nf
overlay retcode
-retcode-parent "ou=RetCodes,dc=example,dc=com"
+retcode\-parent "ou=RetCodes,dc=example,dc=com"
# retcode.conf is found in tests/data/ of the source tree
include ./retcode.conf
# Wait 10 seconds, then return success (0x00)
-retcode-item "cn=Success after 10 seconds" 0x00 sleeptime=10
+retcode\-item "cn=Success after 10 seconds" 0x00 sleeptime=10
# Wait 10 seconds, then return timelimitExceeded (0x03)
-retcode-item "cn=Timelimit after 10 seconds" 0x03 sleeptime=10
+retcode\-item "cn=Timelimit after 10 seconds" 0x03 sleeptime=10
.fi
.RE
.LP
.BR slapd\-config (5),
.BR slapd (8).
The
-.BR slapo-retcode (5)
+.BR slapo\-retcode (5)
overlay supports dynamic configuration via
.BR back-config .
.SH ACKNOWLEDGEMENTS
.\" and maybe manual pages for librewrite.
.\"
.SH NAME
-slapo-rwm \- rewrite/remap overlay to slapd
+slapo\-rwm \- rewrite/remap overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
performs basic DN/data rewrite and objectClass/attributeType mapping.
Its usage is mostly intended to provide virtual views of existing data
either remotely, in conjunction with the proxy backend described in
-.BR slapd-ldap (5),
+.BR slapd\-ldap (5),
or locally, in conjunction with the relay backend described in
-.BR slapd-relay (5).
+.BR slapd\-relay (5).
.LP
This overlay is experimental.
.SH MAPPING
overlay is the capability to map objectClasses and attributeTypes
from the local set (or a subset of it) to a foreign set, and vice versa.
This is accomplished by means of the
-.B rwm-map
+.B rwm\-map
directive.
.TP
-.B rwm-map "{attribute | objectclass} [<local name> | *] {<foreign name> | *}"
+.B rwm\-map "{attribute | objectclass} [<local name> | *] {<foreign name> | *}"
Map attributeTypes and objectClasses from the foreign server to
different values on the local slapd.
The reason is that some attributes might not be part of the local
must be defined in the local schema; the foreign ones do not have to,
but users are encouraged to explicitly define the remote attributeTypes
and the objectClasses they intend to map. All in all, when remapping
-a remote server via back-ldap (\fBslapd-ldap\fP(5))
-or back-meta (\fBslapd-meta\fP(5))
+a remote server via back-ldap (\fBslapd\-ldap\fP(5))
+or back-meta (\fBslapd\-meta\fP(5))
their definition can be easily obtained by querying the \fIsubschemaSubentry\fP
of the remote server; the problem should not exist when remapping a local
database.
overlay is used together with e.g. the
.B pcache
overlay. This normalization can be enabled by means of the
-.B rwm-normalize-mapped-attrs
+.B rwm\-normalize\-mapped\-attrs
directive.
.TP
-.B rwm-normalize-mapped-attrs {yes|no}
+.B rwm\-normalize\-mapped\-attrs {yes|no}
Set this to "yes", if the
.B rwm
overlay should try to normalize the values of attributes that are mapped from
.B rwm
overlay is the capability to perform suffix massaging between a virtual
and a real naming context by means of the
-.B rwm-suffixmassage
+.B rwm\-suffixmassage
directive.
This, in conjunction with proxy backends,
-.BR slapd-ldap (5)
+.BR slapd\-ldap (5)
and
-.BR slapd-meta (5),
+.BR slapd\-meta (5),
or with the relay backend,
-.BR slapd-relay (5),
+.BR slapd\-relay (5),
allows to create virtual views of databases.
A distinguishing feature of this overlay is that, when instantiated
before any database, it can modify the DN of requests
or the subschemaSubentry DN (usually "cn=subschema"),
would prevent clients from reading the root DSE or the DSA's schema.
.TP
-.B rwm-suffixmassage "[<virtual naming context>]" "<real naming context>"
+.B rwm\-suffixmassage "[<virtual naming context>]" "<real naming context>"
Shortcut to implement naming context rewriting; the trailing part
of the DN is rewritten from the virtual to the real naming context
in the bindDN, searchDN, searchFilterAttrDN, compareDN, compareAttrDN,
and for the referralAttrDN and referralDN rewrite contexts.
If no \fI<virtual naming context>\fP is given, the first suffix of the
database is used; this requires the
-.B rwm-suffixmassage
+.B rwm\-suffixmassage
directive be defined \fIafter\fP the database
.B suffix
directive.
The
-.B rwm-suffixmassage
+.B rwm\-suffixmassage
directive automatically sets the
-.B rwm-rewriteEngine
+.B rwm\-rewriteEngine
to
.BR ON .
.LP
flags; see "Action Flags" for details.
A default limit on the recursion level is set, and can be altered
by the
-.B rwm-rewriteMaxPasses
+.B rwm\-rewriteMaxPasses
directive, as detailed in the "Additional Configuration Syntax" section.
The substitution pattern allows map resolution of substrings.
A map is a generic object that maps a substitution pattern to a value.
they are divided in two main groups: client \-> server and
server \-> client rewriting.
.LP
-client -> server:
+client \-> server:
.LP
.RS
.nf
.fi
.RE
.LP
-server -> client:
+server \-> client:
.LP
.RS
.nf
.LP
.SH "Basic Configuration Syntax"
All rewrite/remap directives start with the prefix
-.BR rwm- ;
+.BR rwm\- ;
for backwards compatibility with the historical
-.BR slapd-ldap (5)
+.BR slapd\-ldap (5)
and
-.BR slapd-meta (5)
+.BR slapd\-meta (5)
builtin rewrite/remap capabilities, the prefix may be omitted,
but this practice is strongly discouraged.
.TP
-.B rwm-rewriteEngine { on | off }
+.B rwm\-rewriteEngine { on | off }
If `on', the requested rewriting is performed; if `off', no
rewriting takes place (an easy way to stop rewriting without
altering too much the configuration file).
.TP
-.B rwm-rewriteContext <context name> "[ alias <aliased context name> ]"
+.B rwm\-rewriteContext <context name> "[ alias <aliased context name> ]"
<Context name> is the name that identifies the context, i.e. the name
used by the application to refer to the set of rules it contains.
It is used also to reference sub contexts in string rewriting.
In this case the alias context contains no rule, and any reference to
it will result in accessing the aliased one.
.TP
-.B rwm-rewriteRule "<regex match pattern>" "<substitution pattern>" "[ <flags> ]"
+.B rwm\-rewriteRule "<regex match pattern>" "<substitution pattern>" "[ <flags> ]"
Determines how a string can be rewritten if a pattern is matched.
Examples are reported below.
.SH "Additional Configuration Syntax"
.TP
-.B rwm-rewriteMap "<map type>" "<map name>" "[ <map attrs> ]"
+.B rwm\-rewriteMap "<map type>" "<map name>" "[ <map attrs> ]"
Allows to define a map that transforms substring rewriting into
something else.
The map is referenced inside the substitution pattern of a rule.
.TP
-.B rwm-rewriteParam <param name> <param value>
+.B rwm\-rewriteParam <param name> <param value>
Sets a value with global scope, that can be dereferenced by the
command `${$paramName}'.
.TP
-.B rwm-rewriteMaxPasses <number of passes> [<number of passes per rule>]
+.B rwm\-rewriteMaxPasses <number of passes> [<number of passes per rule>]
Sets the maximum number of total rewriting passes that can be
performed in a single rewrite operation (to avoid loops).
A safe default is set to 100; note that reaching this limit is still
.SH "REWRITE CONFIGURATION EXAMPLES"
.nf
# set to `off' to disable rewriting
-rwm-rewriteEngine on
+rwm\-rewriteEngine on
# the rules the "suffixmassage" directive implies
-rwm-rewriteEngine on
+rwm\-rewriteEngine on
# all dataflow from client to server referring to DNs
-rwm-rewriteContext default
-rwm-rewriteRule "(.+,)?<virtualnamingcontext>$" "$1<realnamingcontext>" ":"
+rwm\-rewriteContext default
+rwm\-rewriteRule "(.+,)?<virtualnamingcontext>$" "$1<realnamingcontext>" ":"
# empty filter rule
-rwm-rewriteContext searchFilter
+rwm\-rewriteContext searchFilter
# all dataflow from server to client
-rwm-rewriteContext searchEntryDN
-rwm-rewriteRule "(.+,)?<realnamingcontext>$" "$1<virtualnamingcontext>" ":"
-rwm-rewriteContext searchAttrDN alias searchEntryDN
-rwm-rewriteContext matchedDN alias searchEntryDN
+rwm\-rewriteContext searchEntryDN
+rwm\-rewriteRule "(.+,)?<realnamingcontext>$" "$1<virtualnamingcontext>" ":"
+rwm\-rewriteContext searchAttrDN alias searchEntryDN
+rwm\-rewriteContext matchedDN alias searchEntryDN
# misc empty rules
-rwm-rewriteContext referralAttrDN
-rwm-rewriteContext referralDN
+rwm\-rewriteContext referralAttrDN
+rwm\-rewriteContext referralDN
# Everything defined here goes into the `default' context.
# This rule changes the naming context of anything sent
# to `dc=home,dc=net' to `dc=OpenLDAP, dc=org'
-rwm-rewriteRule "(.+,)?dc=home,[ ]?dc=net$"
+rwm\-rewriteRule "(.+,)?dc=home,[ ]?dc=net$"
"$1dc=OpenLDAP, dc=org" ":"
# since a pretty/normalized DN does not include spaces
# after rdn separators, e.g. `,', this rule suffices:
-rwm-rewriteRule "(.+,)?dc=home,dc=net$"
+rwm\-rewriteRule "(.+,)?dc=home,dc=net$"
"$1dc=OpenLDAP,dc=org" ":"
# Start a new context (ends input of the previous one).
# This rule adds blanks between DN parts if not present.
-rwm-rewriteContext addBlanks
-rwm-rewriteRule "(.*),([^ ].*)" "$1, $2"
+rwm\-rewriteContext addBlanks
+rwm\-rewriteRule "(.*),([^ ].*)" "$1, $2"
# This one eats blanks
-rwm-rewriteContext eatBlanks
-rwm-rewriteRule "(.*), (.*)" "$1,$2"
+rwm\-rewriteContext eatBlanks
+rwm\-rewriteRule "(.*), (.*)" "$1,$2"
# Here control goes back to the default rewrite
# context; rules are appended to the existing ones.
# anything that gets here is piped into rule `addBlanks'
-rwm-rewriteContext default
-rwm-rewriteRule ".*" "${>addBlanks($0)}" ":"
+rwm\-rewriteContext default
+rwm\-rewriteRule ".*" "${>addBlanks($0)}" ":"
.\" # Anything with `uid=username' is looked up in
.\" # /etc/passwd for gecos (I know it's nearly useless,
.\" # Note the `I' flag that leaves `uid=username' in place
.\" # if `username' does not have a valid account, and the
.\" # `:' that forces the rule to be processed exactly once.
-.\" rwm-rewriteContext uid2Gecos
-.\" rwm-rewriteRule "(.*)uid=([a-z0-9]+),(.+)"
+.\" rwm\-rewriteContext uid2Gecos
+.\" rwm\-rewriteRule "(.*)uid=([a\-z0\-9]+),(.+)"
.\" "$1cn=$2{xpasswd},$3" "I:"
.\"
.\" # Finally, in a bind, if one uses a `uid=username' DN,
.\" # it is rewritten in `cn=name surname' if possible.
-.\" rwm-rewriteContext bindDN
-.\" rwm-rewriteRule ".*" "${>addBlanks(${>uid2Gecos($0)})}" ":"
+.\" rwm\-rewriteContext bindDN
+.\" rwm\-rewriteRule ".*" "${>addBlanks(${>uid2Gecos($0)})}" ":"
.\"
# Rewrite the search base according to `default' rules.
-rwm-rewriteContext searchDN alias default
+rwm\-rewriteContext searchDN alias default
# Search results with OpenLDAP DN are rewritten back with
# `dc=home,dc=net' naming context, with spaces eaten.
-rwm-rewriteContext searchEntryDN
-rwm-rewriteRule "(.*[^ ],)?[ ]?dc=OpenLDAP,[ ]?dc=org$"
+rwm\-rewriteContext searchEntryDN
+rwm\-rewriteRule "(.*[^ ],)?[ ]?dc=OpenLDAP,[ ]?dc=org$"
"${>eatBlanks($1)}dc=home,dc=net" ":"
# Bind with email instead of full DN: we first need
# an ldap map that turns attributes into a DN (the
# argument used when invoking the map is appended to
# the URI and acts as the filter portion)
-rwm-rewriteMap ldap attr2dn "ldap://host/dc=my,dc=org?dn?sub"
+rwm\-rewriteMap ldap attr2dn "ldap://host/dc=my,dc=org?dn?sub"
# Then we need to detect DN made up of a single email,
# e.g. `mail=someone@example.com'; note that the rule
# to real naming contexts, we also need to rewrite
# regular DNs, because the definition of a bindDN
# rewrite context overrides the default definition.
-rwm-rewriteContext bindDN
-rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
+rwm\-rewriteContext bindDN
+rwm\-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
# This is a rather sophisticated example. It massages a
# search filter in case who performs the search has
# track of the bind DN of the incoming request, which is
# stored in a variable called `binddn' with session scope,
# and left in place to allow regular binding:
-rwm-rewriteContext bindDN
-rwm-rewriteRule ".+" "${&&binddn($0)}$0" ":"
+rwm\-rewriteContext bindDN
+rwm\-rewriteRule ".+" "${&&binddn($0)}$0" ":"
# A search filter containing `uid=' is rewritten only
# if an appropriate DN is bound.
# module to authenticate users with both `uid' and
# `cn', but only if the request comes from a possible
# `cn=Web auth,ou=admin,dc=home,dc=net' user.
-rwm-rewriteContext searchFilter
-rwm-rewriteRule "(.*\e\e()uid=([a-z0-9_]+)(\e\e).*)"
+rwm\-rewriteContext searchFilter
+rwm\-rewriteRule "(.*\e\e()uid=([a\-z0\-9_]+)(\e\e).*)"
"${**binddn}<>${&prefix($1)}${&arg($2)}${&suffix($3)}"
":I"
-rwm-rewriteRule "^[^,]+,ou=admin,dc=home,dc=net$"
+rwm\-rewriteRule "^[^,]+,ou=admin,dc=home,dc=net$"
"${*prefix}|(uid=${*arg})(cn=${*arg})${*suffix}" ":@I"
-rwm-rewriteRule ".*<>$" "${*prefix}uid=${*arg}${*suffix}" ":"
+rwm\-rewriteRule ".*<>$" "${*prefix}uid=${*arg}${*suffix}" ":"
# This example shows how to strip unwanted DN-valued
# attribute values from a search result; the first rule
# in case of match the rewriting exits successfully.
# The second rule matches everything else and causes
# the value to be rejected.
-rwm-rewriteContext searchEntryDN
-rwm-rewriteRule ".+,ou=People,dc=example,dc=com$" "$0" ":@"
-rwm-rewriteRule ".*" "" "#"
+rwm\-rewriteContext searchEntryDN
+rwm\-rewriteRule ".+,ou=People,dc=example,dc=com$" "$0" ":@"
+rwm\-rewriteRule ".*" "" "#"
.fi
.SH "MAPPING EXAMPLES"
The following directives map the object class `groupOfNames' to
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapo-syncprov \- Sync Provider overlay to slapd
+slapo\-syncprov \- Sync Provider overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
.B overlay
directive.
.TP
-.B syncprov-checkpoint <ops> <minutes>
+.B syncprov\-checkpoint <ops> <minutes>
After a write operation has succeeded, write the contextCSN to the underlying
database if
.B <ops>
time have passed
since the last checkpoint. Checkpointing is disabled by default.
.TP
-.B syncprov-sessionlog <ops>
+.B syncprov\-sessionlog <ops>
Configures an in-memory session log for recording information about write
operations made on the database. The
.B <ops>
When using the session log, it is helpful to set an eq index on the
entryUUID attribute in the underlying database.
.TP
-.B syncprov-nopresent TRUE | FALSE
+.B syncprov\-nopresent TRUE | FALSE
Specify that the Present phase of refreshing should be skipped. This value
should only be set TRUE for a syncprov instance on top of a log database
(such as one managed by the accesslog overlay).
The default is FALSE.
.TP
-.B syncprov-reloadhint TRUE | FALSE
+.B syncprov\-reloadhint TRUE | FALSE
Specify that the overlay should honor the reloadHint flag in the Sync
Control. In OpenLDAP releases 2.3.11 and earlier the syncrepl consumer did
not properly set this flag, so the overlay must ignore it. This option
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd\-config (5),
-.BR slapo-accesslog (5).
+.BR slapo\-accesslog (5).
OpenLDAP Administrator's Guide.
.SH ACKNOWLEDGEMENTS
.so ../Project
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapo-translucent \- Translucent Proxy overlay to slapd
+slapo\-translucent \- Translucent Proxy overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The Translucent Proxy overlay can be used with a backend database such as
-.BR slapd-bdb (5)
+.BR slapd\-bdb (5)
to create a "translucent proxy". Entries retrieved from a remote LDAP
server may have some or all attributes overridden, or new attributes
added, by entries in the local database before being presented to the
.SH CONFIGURATION
The Translucent Proxy overlay uses a proxied database,
typically a (set of) remote LDAP server(s), which is configured with the options shown in
-.BR slapd-ldap (5),
-.BR slapd-meta (5)
+.BR slapd\-ldap (5),
+.BR slapd\-meta (5)
or similar.
These
.B slapd.conf
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd\-config (5),
-.BR slapd-ldap (5).
+.BR slapd\-ldap (5).
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapo-unique \- Attribute Uniqueness overlay to slapd
+slapo\-unique \- Attribute Uniqueness overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The Attribute Uniqueness overlay can be used with a backend database such as
-.BR slapd-bdb (5)
+.BR slapd\-bdb (5)
to enforce the uniqueness of some or all attributes within a
scope. This subtree defaults to all objects within the subtree of the
database for which the Uniqueness overlay is configured.
.TP
.B unique_uri <[strict ][ignore ]URI[URI...]...>
Configure the base, attributes, scope, and filter for uniqueness
-checking. Multiple URIs may be specified within a domain, allowing complex selections of objects. Multiple
+checking. Multiple URIs may be specified within a domain,
+allowing complex selections of objects. Multiple
.B unique_uri
statements or
.B olcUniqueURI
-attributes will create independent domains, each with their own independent lists of URIs and ignore/strict settings.
+attributes will create independent domains, each with their own
+independent lists of URIs and ignore/strict settings.
The LDAP URI syntax is a subset of
.B RFC-4516,
The
.B base dn
-defaults to that of the back-end database. Specified base dns must be within the subtree of the back-end database.
+defaults to that of the back-end database.
+Specified base dns must be within the subtree of the back-end database.
If no
.B attributes
null value. Strictness applies to all URIs within a uniqueness
domain, but some domains may be strict while others are not.
.LP
-It is not possible to set both URIs and legacy slapo-unique configuration parameters simultaneously. In general, the legacy configuration options control pieces of a single unfiltered subtree domain.
+It is not possible to set both URIs and legacy slapo\-unique configuration
+parameters simultaneously. In general, the legacy configuration options
+control pieces of a single unfiltered subtree domain.
.TP
.B unique_base <basedn>
This legacy configuration parameter should be converted to the
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapo-valsort \- Value Sorting overlay to slapd
+slapo\-valsort \- Value Sorting overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
.B overlay
directive.
.TP
-valsort-attr <\fIattribute\fP> <\fIbaseDN\fP> (<\fIsort-method\fP> | weighted [<\fIsort-method\fP>])
+valsort\-attr <\fIattribute\fP> <\fIbaseDN\fP> (<\fIsort-method\fP> | weighted [<\fIsort-method\fP>])
Configure a sorting method for the specified
.I attribute
in the subtree rooted at
The
.I sort-method
may be one of
-.BR alpha-ascend ,
-.BR alpha-descend ,
-.BR numeric-ascend ,
+.BR alpha\-ascend ,
+.BR alpha\-descend ,
+.BR numeric\-ascend ,
or
-.BR numeric-descend .
+.BR numeric\-descend .
If the special
.B weighted
method is specified, a secondary
suffix dc=example,dc=com
...
overlay valsort
- valsort-attr member ou=groups,dc=example,dc=com alpha-ascend
+ valsort\-attr member ou=groups,dc=example,dc=com alpha\-ascend
.fi
.SH FILES
slapacl \- Check access to a list of attributes.
.SH SYNOPSIS
.B SBINDIR/slapacl
-.B \-b DN
-.B [\-d level]
-.B [\-D authcDN | \-U authcID]
-.B [\-f slapd.conf]
-.B [\-F confdir]
-.B [\-o name[=value]]
-.B [\-u]
-.B [\-v]
-.B [\-X authzID | \-o authzDN=DN]
-.B [attr[/access][:value]] [...]
+.BI \-b \ DN
+[\c
+.BI \-d \ debug-level\fR]
+[\c
+.BI \-D \ authcDN\ \fR|
+.BI \-U \ authcID\fR]
+[\c
+.BI \-f \ slapd.conf\fR]
+[\c
+.BI \-F \ confdir\fR]
+[\c
+.BI \-o \ option\fR[ = value\fR]]
+[\c
+.BR \-u ]
+[\c
+.BR \-v ]
+[\c
+.BI \-X \ authzID\ \fR|
+.BI "\-o \ authzDN=" DN\fR]
+[\c
+.IR attr [\fB/\fI access ][\fB:\fI value ]]\fR\ [...]
.LP
.SH DESCRIPTION
.LP
It opens the
.BR slapd.conf (5)
configuration file or the
-.BR slapd-config (5)
+.BR slapd\-config (5)
backend, reads in the
-.B access/olcAccess
+.BR access / olcAccess
directives, and then parses the
.B attr
list given on the command-line; if none is given, access to the
.LP
.SH OPTIONS
.TP
-.BI \-b " DN"
+.BI \-b \ DN
specify the
-.B DN
+.I DN
which access is requested to; the corresponding entry is fetched
from the database, and thus it must exist.
-The DN is also used to determine what rules apply; thus, it must be
+The
+.I DN
+is also used to determine what rules apply; thus, it must be
in the naming context of a configured database. See also
.BR \-u .
.TP
-.BI \-d " level"
+.BI \-d \ debug-level
enable debugging messages as defined by the specified
-.IR level ;
+.IR debug-level ;
see
.BR slapd (8)
for details.
.TP
-.BI \-D " authcDN"
+.BI \-D \ authcDN
specify a DN to be used as identity through the test session
when selecting appropriate
.B <by>
clauses in access lists.
.TP
-.BI \-f " slapd.conf"
+.BI \-f \ slapd.conf
specify an alternative
.BR slapd.conf (5)
file.
.TP
-.BI \-F " confdir"
+.BI \-F \ confdir
specify a config directory.
If both
-.B -f
+.B \-f
and
-.B -F
+.B \-F
are specified, the config file will be read and converted to
config directory format and written to the specified directory.
If neither option is specified, an attempt to read the
config file. If a valid config directory exists then the
default config file is ignored.
.TP
-.BI \-o " option[=value]"
+.BI \-o \ option\fR[ = value\fR]
Specify an
-.BR option
+.I option
with a(n optional)
-.BR value .
+.IR value .
Possible generic options/values are:
.LP
.nf
syslog=<subsystems> (see `\-s' in slapd(8))
- syslog-level=<level> (see `\-S' in slapd(8))
- syslog-user=<user> (see `\-l' in slapd(8))
+ syslog\-level=<level> (see `\-S' in slapd(8))
+ syslog\-user=<user> (see `\-l' in slapd(8))
.fi
.RS
.TP
.BI \-u
do not fetch the entry from the database.
-In this case, if the entry does not exist, a fake entry with the DN
+In this case, if the entry does not exist, a fake entry with the
+.I DN
given with the
.B \-b
option is used, with no attributes.
As a consequence, those rules that depend on the contents
of the target object will not behave as with the real object.
-The DN given with the
+The
+.I DN
+given with the
.B \-b
option is still used to select what rules apply; thus, it must be
in the naming context of a configured database.
See also
.BR \-b .
.TP
-.BI \-U " authcID"
+.BI \-U \ authcID
specify an ID to be mapped to a
.B DN
as by means of
-.B authz-regexp
+.B authz\-regexp
or
-.B authz-rewrite
+.B authz\-rewrite
rules (see
.BR slapd.conf (5)
for details); mutually exclusive with
.B \-v
enable verbose mode.
.TP
-.BI \-X " authzID"
+.BI \-X \ authzID
specify an authorization ID to be mapped to a
.B DN
as by means of
-.B authz-regexp
+.B authz\-regexp
or
-.B authz-rewrite
+.B authz\-rewrite
rules (see
.BR slapd.conf (5)
-for details); mutually exclusive with \fB\-o\fP \fIauthzDN=DN\fP.
+for details); mutually exclusive with \fB\-o\fP \fBauthzDN=\fIDN\fR.
.SH EXAMPLES
The command
.LP
.nf
.ft tt
- SBINDIR/slapacl -f ETCDIR/slapd.conf -v \\
- -U bjorn -b "o=University of Michigan,c=US" \\
+ SBINDIR/slapacl \-f ETCDIR/slapd.conf \-v \\
+ \-U bjorn \-b "o=University of Michigan,c=US" \\
"o/read:University of Michigan"
.ft
level.
.SH "SEE ALSO"
.BR ldap (3),
-.BR slapd (8)
-.BR slaptest (8)
+.BR slapd (8),
+.BR slaptest (8),
.BR slapauth (8)
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
slapadd \- Add entries to a SLAPD database
.SH SYNOPSIS
.B SBINDIR/slapadd
-.B [\-b suffix]
-.B [\-c]
-.B [\-d level]
-.B [\-f slapd.conf]
-.B [\-F confdir]
-.B [\-g]
-.B [\-j lineno]
-.B [\-l ldif-file]
-.B [\-n dbnum]
-.B [\-o name[=value]]
-.B [\-q]
-.B [\-s]
-.B [\-S SID]
-.B [\-u]
-.B [\-v]
-.B [\-w]
+[\c
+.BI \-b \ suffix\fR]
+[\c
+.BR \-c ]
+[\c
+.BI \-d \ debug-level\fR]
+[\c
+.BI \-f \ slapd.conf\fR]
+[\c
+.BI \-F \ confdir\fR]
+[\c
+.BR \-g ]
+[\c
+.BI \-j \ lineno\fR]
+[\c
+.BI \-l \ ldif-file\fR]
+[\c
+.BI \-n \ dbnum\fR]
+[\c
+.BI \-o \ option\fR[ = value\fR]]
+[\c
+.BR \-q ]
+[\c
+.BR \-s ]
+[\c
+.BI \-S \ SID\fR]
+[\c
+.BR \-u ]
+[\c
+.BR \-v ]
+[\c
+.BR \-w ]
.SH DESCRIPTION
.LP
.B Slapadd
the database.
Databases configured as
.B subordinate
-of this one are also updated, unless \fB-g\fP is specified.
+of this one are also updated, unless \fB\-g\fP is specified.
The LDIF input is read from standard input or the specified file.
All files eventually created by
.BR slapd (8).
.SH OPTIONS
.TP
-.BI \-b " suffix"
+.BI \-b \ suffix
Use the specified \fIsuffix\fR to determine which database to
-add entries to. The \-b cannot be used in conjunction
+add entries to. The \fB\-b\fP cannot be used in conjunction
with the
.B \-n
option.
.B \-c
enable continue (ignore errors) mode.
.TP
-.BI \-d " level"
+.BI \-d \ debug-level
enable debugging messages as defined by the specified
-.IR level ;
+.IR debug-level ;
see
.BR slapd (8)
for details.
.TP
-.BI \-f " slapd.conf"
+.BI \-f \ slapd.conf
specify an alternative
.BR slapd.conf (5)
file.
.TP
-.BI \-F " confdir"
+.BI \-F \ confdir
specify a config directory.
If both
-.B -f
+.B \-f
and
-.B -F
+.B \-F
are specified, the config file will be read and converted to
config directory format and written to the specified directory.
If neither option is specified, an attempt to read the
default config directory will be made before trying to use the default
config file. If a valid config directory exists then the
-default config file is ignored. If dryrun mode is also specified,
+default config file is ignored. If dry-run mode is also specified,
no conversion will occur.
.TP
.B \-g
disable subordinate gluing. Only the specified database will be
processed, and not its glued subordinates (if any).
.TP
-.BI \-j " lineno"
+.BI \-j \ lineno
Jump to the specified line number in the LDIF file before processing
any entries. This allows a load that was aborted due to errors in the
input LDIF to be resumed after the errors are corrected.
.TP
-.BI \-l " ldif-file"
+.BI \-l \ ldif-file
Read LDIF from the specified file instead of standard input.
.TP
-.BI \-n " dbnum"
-Add entries to the \fIdbnum\fR\-th database listed in the
+.BI \-n \ dbnum
+Add entries to the \fIdbnum\fR-th database listed in the
configuration file. The
.B \-n
cannot be used in conjunction with the
.B \-b
option.
To populate the config database
-.BR slapd-config (5),
+.BR slapd\-config (5),
use
.B \-n 0
as it is always the first database. It must physically exist
on the filesystem prior to this, however.
.TP
-.BI \-o " option[=value]"
+.BI \-o \ option\fR[ = value\fR]
Specify an
-.BR option
+.I option
with a(n optional)
-.BR value .
+.IR value .
Possible generic options/values are:
.LP
.nf
syslog=<subsystems> (see `\-s' in slapd(8))
- syslog-level=<level> (see `\-S' in slapd(8))
- syslog-user=<user> (see `\-l' in slapd(8))
+ syslog\-level=<level> (see `\-S' in slapd(8))
+ syslog\-user=<user> (see `\-l' in slapd(8))
.fi
.TP
Improves the load time but if any errors or interruptions occur the resulting
database will be unusable.
.TP
-.B -s
+.B \-s
disable schema checking. This option is intended to be used when loading
databases containing special objects, such as fractional objects on a
partial replica. Loading normal objects which do not conform to
schema may result in unexpected and ill behavior.
.TP
-.B \-S " SID"
+.BI \-S \ SID
Server ID to use in generated entryCSN. Also used for contextCSN
-if `\-w' is set as well. Defaults to 0.
+if \fB\-w\fP is set as well. Defaults to \fB0\fP.
.TP
.B \-u
enable dry-run (don't write to backend) mode.
.LP
.nf
.ft tt
- SBINDIR/slapadd -l ldif
+ SBINDIR/slapadd \-l ldif
.ft
.fi
.SH "SEE ALSO"
slapauth \- Check a list of string-represented IDs for LDAP authc/authz
.SH SYNOPSIS
.B SBINDIR/slapauth
-.B [\-d level]
-.B [\-f slapd.conf]
-.B [\-F confdir]
-.B [\-M mech]
-.B [\-o name[=value]]
-.B [\-R realm]
-.B [\-U authcID]
-.B [\-v]
-.B [\-X authzID]
-.B ID [...]
+[\c
+.BI \-d \ debug-level\fR]
+[\c
+.BI \-f \ slapd.conf\fR]
+[\c
+.BI \-F \ confdir\fR]
+[\c
+.BI \-M \ mech\fR]
+[\c
+.BI \-o \ option\fR[ = value\fR]]
+[\c
+.BI \-R \ realm\fR]
+[\c
+.BI \-U \ authcID\fR]
+[\c
+.BR \-v ]
+[\c
+.BI \-X \ authzID\fR]
+.IR ID \ [ ... ]
.LP
.SH DESCRIPTION
.LP
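Review bot: `.IR ID \ [ ... ]` at the end of the slapauth synopsis passes the ellipsis as a separate argument, so `.IR` sets it in italics while the brackets stay roman. The slapdn synopsis in this same patch writes the equivalent tail as a single roman argument, `.IR DN \ [...]`; using `.IR ID \ [...]` here would keep the two pages consistent.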
It opens the
.BR slapd.conf (5)
configuration file or the
-.BR slapd-config (5)
+.BR slapd\-config (5)
backend, reads in the
-.B authz-policy/olcAuthzPolicy
+.BR authz\-policy / olcAuthzPolicy
and
-.B authz-regexp/olcAuthzRegexp
+.BR authz\-regexp / olcAuthzRegexp
directives, and then parses the
-.B ID
+.I ID
list given on the command-line.
.LP
.SH OPTIONS
.TP
-.BI \-d " level"
+.BI \-d \ debug-level
enable debugging messages as defined by the specified
-.IR level ;
+.IR debug-level ;
see
.BR slapd (8)
for details.
.TP
-.BI \-f " slapd.conf"
+.BI \-f \ slapd.conf
specify an alternative
.BR slapd.conf (5)
file.
.TP
-.BI \-F " confdir"
+.BI \-F \ confdir
specify a config directory.
If both
-.B -f
+.B \-f
and
-.B -F
+.B \-F
are specified, the config file will be read and converted to
config directory format and written to the specified directory.
If neither option is specified, an attempt to read the
config file. If a valid config directory exists then the
default config file is ignored.
.TP
-.BI \-M " mech"
+.BI \-M \ mech
specify a mechanism.
.TP
-.BI \-o " option[=value]"
+.BI \-o \ option\fR[ = value\fR]
Specify an
-.BR option
+.I option
with a(n optional)
-.BR value .
+.IR value .
Possible generic options/values are:
.LP
.nf
syslog=<subsystems> (see `\-s' in slapd(8))
- syslog-level=<level> (see `\-S' in slapd(8))
- syslog-user=<user> (see `\-l' in slapd(8))
+ syslog\-level=<level> (see `\-S' in slapd(8))
+ syslog\-user=<user> (see `\-l' in slapd(8))
.fi
.TP
-.BI \-R " realm"
+.BI \-R \ realm
specify a realm.
.TP
-.BI \-U " authcID"
+.BI \-U \ authcID
specify an ID to be used as
.I authcID
throughout the test session.
If present, and if no
-.B authzID
+.I authzID
is given, the IDs in the ID list are treated as
-.BR authzID .
+.IR authzID .
.TP
-.BI \-X " authzID"
+.BI \-X \ authzID
specify an ID to be used as
.I authzID
throughout the test session.
If present, and if no
-.B authcID
+.I authcID
is given, the IDs in the ID list are treated as
-.BR authcID .
+.IR authcID .
If both
.I authcID
and
.LP
.nf
.ft tt
- SBINDIR/slapauth -f /ETCDIR/slapd.conf -v \\
- -U bjorn -X u:bjensen
+ SBINDIR/slapauth \-f /ETCDIR/slapd.conf \-v \\
+ \-U bjorn \-X u:bjensen
.ft
.fi
.LP
.nf
.ft tt
- authz-policy from
- authz-regexp "^uid=([^,]+).*,cn=auth$"
+ authz\-policy from
+ authz\-regexp "^uid=([^,]+).*,cn=auth$"
"ldap:///dc=example,dc=net??sub?uid=$1"
.ft
.BR slapd.conf (5).
.SH "SEE ALSO"
.BR ldap (3),
-.BR slapd (8)
+.BR slapd (8),
.BR slaptest (8)
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
slapcat \- SLAPD database to LDIF utility
.SH SYNOPSIS
.B SBINDIR/slapcat
-.B [\-a filter]
-.B [\-b suffix]
-.B [\-c]
-.B [\-d level]
-.B [\-f slapd.conf]
-.B [\-F confdir]
-.B [\-g]
-.B [\-l ldif-file]
-.B [\-n dbnum]
-.B [\-o name[=value]]
-.B [\-s subtree-dn]
-.B [\-v]
-.B
+[\c
+.BI \-a filter\fR]
+[\c
+.BI \-b suffix\fR]
+[\c
+.BR \-c ]
+[\c
+.BI \-d debug-level\fR]
+[\c
+.BI \-f slapd.conf\fR]
+[\c
+.BI \-F confdir\fR]
+[\c
+.BR \-g ]
+[\c
+.BI \-l ldif-file\fR]
+[\c
+.BI \-n dbnum\fR]
+[\c
+.BI \-o option\fR[ = value\fR]]
+[\c
+.BI \-s subtree-dn\fR]
+[\c
+.BR \-v ]
.LP
.SH DESCRIPTION
.LP
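Review bot: every option with an argument in the new slapcat synopsis is missing the `\ ` separator, for example `.BI \-a filter\fR]` and `.BI \-d debug-level\fR]`. `.BI` joins its arguments without spacing, so these render as "-afilter" and "-ddebug-level". The slapadd, slapacl and slapauth synopses in this patch use `.BI \-b \ suffix\fR]`, and the slapcat OPTIONS entries use `.BI \-a \ filter`; the same form is needed on the `\-a`, `\-b`, `\-d`, `\-f`, `\-F`, `\-l`, `\-n`, `\-o` and `\-s` lines here.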
the specified file.
Databases configured as
.B subordinate
-of this one are also output, unless \fB-g\fP is specified.
+of this one are also output, unless \fB\-g\fP is specified.
.LP
The entry records are presented in database order, not superior first
order. The entry records will include all (user and operational)
operational attributes.
.SH OPTIONS
.TP
-.BI \-a " filter"
+.BI \-a \ filter
Only dump entries matching the asserted filter.
For example
-slapcat -a \\
+slapcat \-a \\
"(!(entryDN:dnSubtreeMatch:=ou=People,dc=example,dc=com))"
will dump all but the "ou=People,dc=example,dc=com" subtree
of the "dc=example,dc=com" database.
.TP
-.BI \-b " suffix"
+.BI \-b \ suffix
Use the specified \fIsuffix\fR to determine which database to
-generate output for. The \-b cannot be used in conjunction
+generate output for. The \fB\-b\fP cannot be used in conjunction
with the
.B \-n
option.
.B \-c
Enable continue (ignore errors) mode.
.TP
-.BI \-d " level"
+.BI \-d \ debug-level
Enable debugging messages as defined by the specified
-.IR level ;
+.IR debug-level ;
see
.BR slapd (8)
for details.
.TP
-.BI \-f " slapd.conf"
+.BI \-f \ slapd.conf
Specify an alternative
.BR slapd.conf (5)
file.
.TP
-.BI \-F " confdir"
+.BI \-F \ confdir
specify a config directory.
If both
-.B -f
+.B \-f
and
-.B -F
+.B \-F
are specified, the config file will be read and converted to
config directory format and written to the specified directory.
If neither option is specified, an attempt to read the
disable subordinate gluing. Only the specified database will be
processed, and not its glued subordinates (if any).
.TP
-.BI \-l " ldif-file"
+.BI \-l \ ldif-file
Write LDIF to specified file instead of standard output.
.TP
-.BI \-n " dbnum"
-Generate output for the \fIdbnum\fR\-th database listed in the
+.BI \-n \ dbnum
+Generate output for the \fIdbnum\fR-th database listed in the
configuration file. The config database
-.BR slapd-config (5),
+.BR slapd\-config (5),
is always the first database, so use
.B \-n 0
.B \-b
option.
.TP
-.BI \-o " option[=value]"
+.BI \-o \ option\fR[ = value\fR]
Specify an
-.BR option
+.I option
with a(n optional)
-.BR value .
+.IR value .
Possible generic options/values are:
.LP
.nf
syslog=<subsystems> (see `\-s' in slapd(8))
- syslog-level=<level> (see `\-S' in slapd(8))
- syslog-user=<user> (see `\-l' in slapd(8))
+ syslog\-level=<level> (see `\-S' in slapd(8))
+ syslog\-user=<user> (see `\-l' in slapd(8))
.fi
.TP
-.BI \-s " subtree-dn"
+.BI \-s \ subtree-dn
Only dump entries in the subtree specified by this DN.
-Implies `-b subtree-dn' if no
+Implies \fB\-b\fP \fIsubtree-dn\fP if no
.B \-b
or
.B \-n
always safe to run
.B slapcat
with the
-.BR slapd-bdb (5),
-.BR slapd-hdb (5),
+.BR slapd\-bdb (5),
+.BR slapd\-hdb (5),
and
-.BR slapd-null (5)
+.BR slapd\-null (5)
backends.
.SH EXAMPLES
To make a text backup of your SLAPD database and put it in a file called
.LP
.nf
.ft tt
- SBINDIR/slapcat -l ldif
+ SBINDIR/slapcat \-l ldif
.ft
.fi
.SH "SEE ALSO"
slapd \- Stand-alone LDAP Daemon
.SH SYNOPSIS
.B LIBEXECDIR/slapd
-.B [\-[4|6]]
-.B [\-T {acl|add|auth|cat|dn|index|passwd|test}]
-.B [\-d debug\-level]
-.B [\-f slapd\-config\-file]
-.B [\-F slapd\-config\-directory]
-.B [\-h URLs]
-.B [\-n service\-name] [\-s syslog\-level] [\-l syslog\-local\-user]
-.B [\-o option[=value]]
-.B [\-r directory]
-.B [\-u user] [\-g group]
-.B [\-c cookie]
+[\c
+.BR \-4 | \-6 ]
+[\c
+.BR \-T \ { acl \||\| a [ dd ]\||\| auth \||\| c [ at ]\||\| d [ n ]\||\| i [ ndex ]\||\| p [ asswd ]\||\| t [ est ]}]
+[\c
+.BI \-d \ debug-level\fR]
+[\c
+.BI \-f \ slapd-config-file\fR]
+[\c
+.BI \-F \ slapd-config-directory\fR]
+[\c
+.BI \-h \ URLs\fR]
+[\c
+.BI \-n \ service-name\fR]
+[\c
+.BI \-s \ syslog-level\fR]
+[\c
+.BI \-l \ syslog-local-user\fR]
+[\c
+.BI \-o \ option\fR[ = value\fR]]
+[\c
+.BI \-r \ directory\fR]
+[\c
+.BI \-u \ user\fR]
+[\c
+.BI \-g \ group\fR]
+[\c
+.BI \-c \ cookie\fR]
.SH DESCRIPTION
.LP
.B Slapd
is the stand-alone LDAP daemon. It listens for LDAP connections on
-any number of ports (default 389), responding
+any number of ports (default \fB389\fP), responding
to the LDAP operations it receives over these connections.
.B slapd
is typically invoked at boot time, usually out of
.B \-6
Listen on IPv6 addresses only.
.TP
-.B \-T {a|c|d|i|p|t|acl|auth}
+.BR \-T \ { acl \||\| a [ dd ]\||\| auth \||\| c [ at ]\||\| d [ n ]\||\| i [ ndex ]\||\| p [ asswd ]\||\| t [ est ]}
Run in Tool mode. The additional argument selects whether to run as
-slapadd, slapcat, slapdn, slapindex, slappasswd, or slaptest
-(slapacl and slapauth need the entire "\fIacl\fP" and "\fIauth\fP"
-option value to be spelled out, as "\fIa\fP" is reserved to
-.BR slapadd ).
+.IR slapadd ,
+.IR slapcat ,
+.IR slapdn ,
+.IR slapindex ,
+.IR slappasswd ,
+or
+.I slaptest
+(\fIslapacl\fP and \fIslapauth\fP need the entire \fBacl\fP and \fBauth\fP
+option value to be spelled out, as \fBa\fP is reserved to
+.IR slapadd ).
This option should be the first option specified when it is used;
any remaining options will be interpreted by the corresponding
slap tool program, according to the respective man pages.
-Note that these tool programs will usually be symbolic links to slapd.
+Note that these tool programs will usually be symbolic links to
+.BR slapd .
This option is provided for situations where symbolic links
are not provided or not usable.
.TP
-.BI \-d " debug\-level"
+.BI \-d \ debug-level
Turn on debugging as defined by
-.IR debug\-level .
+.IR debug-level .
If this option is specified, even with a zero argument,
.B slapd
will not fork or disassociate from the invoking terminal. Some general
-operation and status messages are printed for any value of \fIdebug\-level\fP.
-\fIdebug\-level\fP is taken as a bit string, with each bit corresponding to a
+operation and status messages are printed for any value of \fIdebug-level\fP.
+\fIdebug-level\fP is taken as a bit string, with each bit corresponding to a
different kind of debugging information. See <ldap_log.h> for details.
Comma-separated arrays of friendly names can be specified to select
debugging output of the corresponding debugging information.
All the names recognized by the \fIloglevel\fP directive
described in \fBslapd.conf\fP(5) are supported.
-If \fIdebug\-level\fP is \fB?\fP, a list of installed levels is printed,
+If \fIdebug-level\fP is \fB?\fP, a list of installed debug-levels is printed,
and slapd exits.
Remember that if you turn on packet logging, packets containing bind passwords
will be output, so if you redirect the log to a logfile, that file should
be read-protected.
.TP
-.BI \-s " syslog\-level"
+.BI \-s \ syslog-level
This option tells
.B slapd
-at what level debugging statements should be logged to the
+at what debug-level debugging statements should be logged to the
.BR syslog (8)
facility.
-The value "syslog\-level" can be set to any value or combination
-allowed by the "-d" switch.
-Slapd logs all messages selected by "syslog\-level"
-at the syslog(3) severity level "DEBUG",
-on the unit specified with "-l".
+The value \fIsyslog-level\fP can be set to any value or combination
+allowed by the \fB\-d\fP switch.
+Slapd logs all messages selected by \fIsyslog-leveli\fP
+at the
+.BR syslog (3)
+severity debug-level \fBDEBUG\fP,
+on the unit specified with \fB\-l\fP.
.TP
-.BI \-n " service\-name"
+.BI \-n \ service-name
Specifies the service name for logging and other purposes. Defaults
to basename of argv[0], i.e.: "slapd".
.TP
-.BI \-l " syslog\-local\-user"
+.BI \-l \ syslog-local-user
Selects the local user of the
.BR syslog (8)
facility. Value can be
local users with the
.BR syslog (8)
facility.
-Logging to syslog(8) occurs at the "DEBUG" severity level.
+Logging to syslog(8) occurs at the "DEBUG" severity debug-level.
.TP
-.BI \-f " slapd\-config\-file"
+.BI \-f \ slapd-config-file
Specifies the slapd configuration file. The default is
.BR ETCDIR/slapd.conf .
.TP
-.BI \-F " slapd\-config\-directory"
+.BI \-F \ slapd-config-directory
Specifies the slapd configuration directory. The default is
.BR ETCDIR/slapd.d .
If both
-.B -f
+.B \-f
and
-.B -F
+.B \-F
are specified, the config file will be read and converted to
config directory format and written to the specified directory.
If neither option is specified, slapd will attempt to read the
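Review bot: `\fIsyslog-leveli\fP` in the `\-s` description is a typo for `syslog-level`. The rename of the `\-d` argument from `level` to `debug-level` has also leaked into ordinary prose in this hunk: "at what debug-level debugging statements should be logged", "severity debug-level \fBDEBUG\fP" and "the "DEBUG" severity debug-level" are about syslog severity levels, and "a list of installed debug-levels" is about the levels themselves, not the argument name. Those four places should keep the plain word "level"; only the italic placeholder needs the new name.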
default config file is ignored. All of the slap tools that
use the config options observe this same behavior.
.TP
-.BI \-h " URLlist"
+.BI \-h \ URLlist
.B slapd
will by default serve
.B ldap:///
(LDAP over TCP on all interfaces on default LDAP port). That is,
-it will bind using INADDR_ANY and port 389.
+it will bind using INADDR_ANY and port \fB389\fP.
The
.B \-h
option may be used to specify LDAP (and other scheme) URLs to serve.
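Review bot: the option heading `.BI \-h \ URLlist` still disagrees with the synopsis, which this patch writes as `.BI \-h \ URLs\fR]`. The patch already aligns the other placeholders between synopsis and OPTIONS (`level` became `debug-level` in both places), so pick one name for the `\-h` argument and use it in both lines.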
without a DN or other optional parameters (excepting as discussed below).
Support for the latter two schemes depends on selected configuration
options. Hosts may be specified by name or IPv4 and IPv6 address formats.
-Ports, if specified, must be numeric. The default ldap:// port is 389
-and the default ldaps:// port is 636.
+Ports, if specified, must be numeric. The default ldap:// port is \fB389\fP
+and the default ldaps:// port is \fB636\fP.
The listener permissions are indicated by
-"x-mod=-rwxrwxrwx", "x-mod=0777" or "x-mod=777", where any
-of the "rwx" can be "-" to suppress the related permission, while any
+"x\-mod=\-rwxrwxrwx", "x\-mod=0777" or "x\-mod=777", where any
+of the "rwx" can be "\-" to suppress the related permission, while any
of the "7" can be any legal octal digit, according to chmod(1).
-The listeners can take advantage of the "x-mod"
+The listeners can take advantage of the "x\-mod"
extension to apply rough limitations to operations, e.g. allow read operations
("r", which applies to search and compare), write operations ("w",
which applies to add, delete, modify and modrdn), and execute operations
("x", which means bind is required).
"User" permissions apply to authenticated users, while "other" apply
to anonymous users; "group" permissions are ignored.
-For example, "ldap:///????x-mod=-rw-------" means that read and write is only allowed
+For example, "ldap:///????x\-mod=\-rw\-\-\-\-\-\-\-" means that read and write is only allowed
for authenticated connections, and bind is required for all operations.
This feature is experimental, and requires to be manually enabled
at configure time.
.TP
-.BI \-r " directory"
+.BI \-r \ directory
Specifies a directory to become the root directory. slapd will
change the current working directory to this directory and
then
to this directory. This is done after opening listeners but before
reading any configuration file or initializing any backend. When
used as a security mechanism, it should be used in conjunction with
-.B -u
+.B \-u
and
-.B -g
+.B \-g
options.
.TP
-.BI \-u " user"
+.BI \-u \ user
.B slapd
will run slapd with the specified user name or id, and that user's
supplementary group access list as set with initgroups(3). The group ID
-is also changed to this user's gid, unless the -g option is used to
+is also changed to this user's gid, unless the \fB\-g\fP option is used to
override. Note when used with
-.BR -r ,
+.BR \-r ,
slapd will use the user database in the change root environment.
Note that on some systems, running as a non-privileged user will prevent
passwd back-ends from accessing the encrypted passwords. Note also that
any shell back-ends will run as the specified non-privileged user.
.TP
-.BI \-g " group"
+.BI \-g \ group
.B slapd
will run with the specified group name or id. Note when used with
-.BR -r ,
+.BR \-r ,
slapd will use the group database in the change root environment.
.TP
-.BI \-c " cookie"
+.BI \-c \ cookie
This option provides a cookie for the syncrepl replication consumer.
The cookie is a comma separated list of \fIname=value\fP pairs.
Currently supported syncrepl cookie fields are
and is used to find the syncrepl specification in
.BR slapd.conf (5)
or
-.BR slapd-config (5)
+.BR slapd\-config (5)
having the matching replication identifier in its definition. The
.B rid
must be provided in order for any other specified values to be used.
.B rid
part to force a full reload.
.TP
-.BI \-o " option[=value]"
+.BI \-o \ option\fR[ = value\fR]
This option provides a generic means to specify options without the need to reserve
a separate letter for them.
It supports the following options:
.RS
.TP
-slp={\fBon\fP|\fBoff\fP|\fIslp\-attrs\fP}
-When SLP support is compiled into slapd, disable it (
-.B off
-), enable it by registering at SLP DAs without specific SLP attributes (
-.B on
-), or with specific SLP attributes
-.I slp\-attrs
+.BR slp= { on \||\| off \||\| \fIslp-attrs\fP }
+When SLP support is compiled into slapd, disable it (\fBoff\fP),
+ enable it by registering at SLP DAs without specific SLP attributes (\fBon\fP),
+or with specific SLP attributes
+.I slp-attrs
that must be an SLP attribute list definition according to the SLP standard.
-For example, "-o slp=(tree=production),(server-type=OpenLDAP),(server-version=2.3.20)"
+For example, \fB"slp=(tree=production),(server-type=OpenLDAP),(server\-version=2.4.15)"\fP
registers at SLP DAs with the three SLP attributes tree, server-type and server-version
that have the values given above.
This allows to specifically query the SLP DAs for LDAP servers holding the
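Review bot: the added line ` enable it by registering at SLP DAs ...` begins with a space, which makes troff force a line break and indent in the middle of the sentence; drop the leading blank. In the example on the added `For example,` line, `server-type` is left unescaped while `server\-version` is escaped, so the hyphens in that one string will not render consistently. The same line also drops the `\-o` prefix and changes the version from 2.3.20 to 2.4.15, which goes beyond font and hyphen markup and should either be mentioned in the commit message or split into its own change.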
.LP
.nf
.ft tt
- LIBEXECDIR/slapd -f /var/tmp/slapd.conf -d 255
+ LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
.ft
.fi
.LP
.LP
.nf
.ft tt
- LIBEXECDIR/slapd -Tt
+ LIBEXECDIR/slapd \-Tt
.ft
.fi
.LP
slapdn \- Check a list of string-represented LDAP DNs based on schema syntax
.SH SYNOPSIS
.B SBINDIR/slapdn
-.B [\-d level]
-.B [\-f slapd.conf]
-.B [\-F confdir]
-.B [\-N | \-P]
-.B [\-o name[=value]]
-.B [\-v]
-.B DN [...]
+[\c
+.BI \-d \ debug-level\fR]
+[\c
+.BI \-f \ slapd.conf\fR]
+[\c
+.BI \-F \ confdir\fR]
+[\c
+.BR \-N | \-P ]
+[\c
+.BI \-o \ option\fR[ = value\fR]]
+[\c
+.BR \-v ]
+.IR DN \ [...]
.LP
.SH DESCRIPTION
.LP
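Review bot: `.BR \-N | \-P ]` writes the alternation bar bare, while the other synopsis lines rewritten in this patch pad it with thin spaces (`\||\|`, as in the slapd `slp=` entry and the slappasswd `\-g \||\| \-s` line). Use one form throughout so the synopses render alike.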
.BR slapd.conf (5).
It opens the
.BR slapd.conf (5)
-configuration file or the slapd-config (5) backend, reads in the schema definitions, and then
+configuration file or the slapd\-config (5) backend, reads in the schema definitions, and then
parses the
-.B DN
+.I DN
list given on the command-line.
.LP
.SH OPTIONS
.TP
-.BI \-d " level"
+.BI \-d \ debug-level
enable debugging messages as defined by the specified
-.IR level ;
+.IR debug-level ;
see
.BR slapd (8)
for details.
.TP
-.BI \-f " slapd.conf"
+.BI \-f \ slapd.conf
specify an alternative
.BR slapd.conf (5)
file.
.TP
-.BI \-F " confdir"
+.BI \-F \ confdir
specify a config directory.
If both
-.B -f
+.B \-f
and
-.B -F
+.B \-F
are specified, the config file will be read and converted to
config directory format and written to the specified directory.
If neither option is specified, an attempt to read the
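Review bot: in the DESCRIPTION sentence the reference is still inline text, `slapd\-config (5) backend`, with a space before the section number and no font macro, whereas the other references touched by this patch use `.BR slapd\-config (5)` on its own line. Break the sentence and use the macro here as well so the page name is set like the rest and the stray space goes away.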
default config file is ignored.
.TP
.BI \-N
-only output a normalized form of the DN, suitable to be used
+only output a normalized form of the \fIDN\fP, suitable to be used
in a normalization tool; incompatible with
.BR \-P .
.TP
-.BI \-o " option[=value]"
+.BI \-o \ option\fR[ = value\fR]
Specify an
-.BR option
+.I option
with a(n optional)
-.BR value .
+.IR value .
Possible generic options/values are:
.LP
.nf
syslog=<subsystems> (see `\-s' in slapd(8))
- syslog-level=<level> (see `\-S' in slapd(8))
- syslog-user=<user> (see `\-l' in slapd(8))
+ syslog\-level=<level> (see `\-S' in slapd(8))
+ syslog\-user=<user> (see `\-l' in slapd(8))
.fi
.TP
.BI \-P
-only output a prettified form of the DN, suitable to be used
+only output a prettified form of the \fIDN\fP, suitable to be used
in a check and beautification tool; incompatible with
.BR \-N .
.TP
.LP
.nf
.ft tt
- SBINDIR/slapdn -f /ETCDIR/slapd.conf -v DN
+ SBINDIR/slapdn \-f /ETCDIR/slapd.conf \-v DN
.ft
.fi
.SH "SEE ALSO"
.BR ldap (3),
-.BR slapd (8)
+.BR slapd (8),
.BR slaptest (8)
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
slapindex \- Reindex entries in a SLAPD database
.SH SYNOPSIS
.B SBINDIR/slapindex
-.B [\-b suffix]
-.B [\-c]
-.B [\-d level]
-.B [\-f slapd.conf]
-.B [\-F confdir]
-.B [\-g]
-.B [\-n dbnum]
-.B [\-o name[=value]]
-.B [\-q]
-.B [\-t]
-.B [\-v]
-.B [attr] [...]
+[\c
+.BI \-b \ suffix\fR]
+[\c
+.BR \-c ]
+[\c
+.BI \-d \ debug-level\fR]
+[\c
+.BI \-f \ slapd.conf\fR]
+[\c
+.BI \-F \ confdir\fR]
+[\c
+.BR \-g ]
+[\c
+.BI \-n \ dbnum\fR]
+[\c
+.BI \-o \ option\fR[ = value\fR]]
+[\c
+.BR \-q ]
+[\c
+.BR \-t ]
+[\c
+.BR \-v ]
+[\c
+.IR attr [ ... ]]
.B
.LP
.SH DESCRIPTION
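Review bot: the bare `.B` that followed the old synopsis is still present after the new `.IR attr [ ... ]]` line; it serves no purpose next to the rewritten synopsis and can be removed. The repeat notation also differs from slapdn in this same patch (`.IR DN \ [...]` there, the ellipsis nested inside the `attr` brackets here), so settle on one form for both pages.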
be regenerated.
Databases configured as
.B subordinate
-of this one are also re-indexed, unless \fB-g\fP is specified.
+of this one are also re-indexed, unless \fB\-g\fP is specified.
All files eventually created by
.BR slapindex
.BR slapd (8).
.SH OPTIONS
.TP
-.BI \-b " suffix"
+.BI \-b \ suffix
Use the specified \fIsuffix\fR to determine which database to
-generate output for. The \-b cannot be used in conjunction
+generate output for. The \fB\-b\fP cannot be used in conjunction
with the
.B \-n
option.
.B \-c
enable continue (ignore errors) mode.
.TP
-.BI \-d " level"
+.BI \-d \ debug-level
enable debugging messages as defined by the specified
-.IR level ;
+.IR debug-level ;
see
.BR slapd (8)
for details.
.TP
-.BI \-f " slapd.conf"
+.BI \-f \ slapd.conf
specify an alternative
.BR slapd.conf (5)
file.
.TP
-.BI \-F " confdir"
+.BI \-F \ confdir
specify a config directory.
If both
-.B -f
+.B \-f
and
-.B -F
+.B \-F
are specified, the config file will be read and converted to
config directory format and written to the specified directory.
If neither option is specified, an attempt to read the
disable subordinate gluing. Only the specified database will be
processed, and not its glued subordinates (if any).
.TP
-.BI \-n " dbnum"
-Generate output for the \fIdbnum\fR\-th database listed in the
+.BI \-n \ dbnum
+Generate output for the \fIdbnum\fR-th database listed in the
configuration file. The config database
-.BR slapd-config (5),
+.BR slapd\-config (5),
is always the first database, so use
.B \-n 0
.B \-b
option.
.TP
-.BI \-o " option[=value]"
+.BI \-o \ option\fR[ = value\fR]
Specify an
-.BR option
+.I option
with a(n optional)
-.BR value .
+.IR value .
Possible generic options/values are:
.LP
.nf
syslog=<subsystems> (see `\-s' in slapd(8))
- syslog-level=<level> (see `\-S' in slapd(8))
- syslog-user=<user> (see `\-l' in slapd(8))
+ syslog\-level=<level> (see `\-S' in slapd(8))
+ syslog\-user=<user> (see `\-l' in slapd(8))
.fi
.TP
slappasswd \- OpenLDAP password utility
.SH SYNOPSIS
.B SBINDIR/slappasswd
-.B [\-v]
-.B [\-u]
-.B [\-g|\-s secret|\-T file]
-.B [\-h hash]
-.B [\-c salt-format]
-.B [\-n]
+[\c
+.BR \-v ]
+[\c
+.BR \-u ]
+[\c
+.BR \-g \||\| \-s \ \fIsecret\fR \||\| \fB\-T \ \fIfile\fR]
+[\c
+.BI \-h \ hash\fR]
+[\c
+.BI \-c \ salt-format\fR]
+[\c
+.BR \-n ]
.B
.LP
.SH DESCRIPTION
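Review bot: the synopsis placeholders do not match the OPTIONS entries later in this patch: `.BI \-h \ hash\fR]` here against `.BI \-h \ "scheme"`, and `.BI \-c \ salt-format\fR]` against `.BI \-c \ crypt-salt-format`. Use the same argument name in both places. On the `\-g \||\| \-s ...` line the second `\||\|` falls on a bold argument of `.BR` while the first falls on a roman one, so the two bars render in different fonts.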
.BR slapd.conf (5)
.I rootpw
configuration directive or the
-.BR slapd-config (5)
+.BR slapd\-config (5)
.I olcRootPW
configuration directive.
.
versions of this program may generate alternative syntaxes
by default. This option is provided for forward compatibility.
.TP
-.BI \-s " secret"
+.BI \-s \ secret
The secret to hash.
If this,
.B \-g
.B \-g
and
.B \-T
-and mutually exclusive flags.
+are mutually exclusive flags.
.TP
.BI \-g
Generate the secret.
.B \-g
and
.B \-T
-and mutually exclusive flags.
+are mutually exclusive flags.
If this is present,
.I {CLEARTEXT}
is used as scheme.
.B \-h
are mutually exclusive flags.
.TP
-.BI \-T " file"
+.BI \-T \ "file"
Hash the contents of the file.
If this,
.B \-g
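Review bot: in `.BI \-T \ "file"` the quotes no longer start a macro argument, because they now follow the escaped space `\ ` instead of a real separator, so roff prints them literally and the heading comes out as -T "file". The other entries converted in this patch are unquoted (`.BI \-s \ secret`); write `.BI \-T \ file`, and do the same for `.BI \-h \ "scheme"` further down.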
.B \-T
and mutually exclusive flags.
.TP
-.BI \-h " scheme"
-If -h is specified, one of the following RFC 2307 schemes may
+.BI \-h \ "scheme"
+If \fB\-h\fP is specified, one of the following RFC 2307 schemes may
be specified:
-.IR {CRYPT} ,
-.IR {MD5} ,
-.IR {SMD5} ,
-.IR {SSHA} ", and"
-.IR {SHA} .
+.BR {CRYPT} ,
+.BR {MD5} ,
+.BR {SMD5} ,
+.BR {SSHA} ", and"
+.BR {SHA} .
The default is
-.IR {SSHA} .
+.BR {SSHA} .
Note that scheme names may need to be protected, due to
.B {
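Review bot: the `-T` entry just above `.BI \-h` still ends with `and mutually exclusive flags.`; this patch corrects that sentence to `are mutually exclusive flags.` under `-s` and `-g` but misses this third copy. Also, the scheme names move from `.IR` to `.BR` here while `.I {CLEARTEXT}` stays italic in the neighbouring entries, so scheme names end up in two different fonts on the same page.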
clear text.
Unless
.I {CLEARTEXT}
-is used, this flag is incompatible with
+is used, this flag is incompatible with option
.BR \-g .
.TP
-.BI \-c " crypt-salt-format"
+.BI \-c \ crypt-salt-format
Specify the format of the salt passed to
.BR crypt (3)
when generating {CRYPT} passwords.
This string needs to be in
.BR sprintf (3)
-format and may include one (and only one) %s conversion.
-This conversion will be substituted with a string random
-characters from [A\-Za\-z0\-9./]. For example, '%.2s'
-provides a two character salt and '$1$%.8s' tells some
-versions of crypt(3) to use an MD5 algorithm and provides
-8 random characters of salt. The default is '%s', which
-provides 31 characters of salt.
+format and may include one (and only one)
+.B %s
+conversion.
+This conversion will be substituted with a string of random
+characters from [A\-Za\-z0\-9./]. For example,
+.RB ' %.2s '
+provides a two character salt and
+.RB ' $1$%.8s '
+tells some
+versions of
+.BR crypt (3)
+to use an MD5 algorithm and provides
+8 random characters of salt.
+The default is
+.RB ' %s ' ,
+which provides 31 characters of salt.
.TP
.BI \-n
Omit the trailing newline; useful to pipe the credentials
.SH "SECURITY CONSIDERATIONS"
Use of hashed passwords does not protect passwords during
protocol transfer. TLS or other eavesdropping protections
-should be in\-place before using LDAP simple bind.
+should be in-place before using LDAP simple bind.
.LP
The hashed password values should be protected as if they
were clear text passwords.
.BR slapd (8),
.BR slapd.conf (5),
.BR slapd\-config (5),
-.B RFC 2307
-.B RFC 4519
+.B RFC 2307\fP,
+.B RFC 4519\fP,
.B RFC 3112
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
slaptest \- Check the suitability of the OpenLDAP slapd.conf file
.SH SYNOPSIS
.B SBINDIR/slaptest
-.B [\-d level]
-.B [\-f slapd.conf]
-.B [\-F confdir]
-.B [\-o name[=value]]
-.B [\-Q]
-.B [\-u]
-.B [\-v]
+[\c
+.BI \-d \ debug-level\fR]
+[\c
+.BI \-f \ slapd.conf\fR]
+[\c
+.BI \-F \ confdir\fR]
+[\c
+.BI \-o \ option\fR[ = value\fR]]
+[\c
+.BR \-Q ]
+[\c
+.BR \-u ]
+[\c
+.BR \-v ]
.LP
.SH DESCRIPTION
.LP
It opens the
.BR slapd.conf (5)
configuration file or the
-.BR slapd-config (5)
+.BR slapd\-config (5)
backend, and parses it according to the general and the backend-specific
rules, checking its sanity.
.LP
.SH OPTIONS
.TP
-.BI \-d " level"
+.BI \-d \ debug-level
enable debugging messages as defined by the specified
-.IR level ;
+.IR debug-level ;
see
.BR slapd (8)
for details.
.TP
-.BI \-f " slapd.conf"
+.BI \-f \ slapd.conf
specify an alternative
.BR slapd.conf (5)
file.
.TP
-.BI \-F " confdir"
+.BI \-F \ confdir
specify a config directory.
If both
-.B -f
+.B \-f
and
-.B -F
+.B \-F
are specified, the config file will be read and converted to
config directory format and written to the specified directory.
If neither option is specified, slaptest will attempt to read the
default config directory before trying to use the default
config file. If a valid config directory exists then the
-default config file is ignored. If dryrun mode is also specified,
+default config file is ignored. If dry-run mode is also specified,
no conversion will occur.
.TP
-.BI \-o " option[=value]"
+.BI \-o \ option\fR[ = value\fR]
Specify an
-.BR option
+.I option
with a(n optional)
-.BR value .
+.IR value .
Possible generic options/values are:
.LP
.nf
syslog=<subsystems> (see `\-s' in slapd(8))
- syslog-level=<level> (see `\-S' in slapd(8))
- syslog-user=<user> (see `\-l' in slapd(8))
+ syslog\-level=<level> (see `\-S' in slapd(8))
+ syslog\-user=<user> (see `\-l' in slapd(8))
.fi
.TP
Be extremely quiet: only the exit code indicates success (0) or not
(any other value).
.TP
-.BI \-u
-enable dryrun mode (i.e. don't fail if databases cannot be opened,
+.B \-u
+enable dry-run mode (i.e. don't fail if databases cannot be opened,
but config is fine).
.TP
-.BI \-v
+.B \-v
enable verbose mode.
.SH EXAMPLES
To check a
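Review bot: `.BI \-u` and `.BI \-v` become `.B` here, which is the right macro for a flag with no argument, but the same single-argument `.BI` is left untouched in the context of other hunks: `.BI \-N` and `.BI \-P` in slapdn, `.BI \-g` and `.BI \-n` in slappasswd. Convert those as well so the option headings are marked up uniformly.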
.LP
.nf
.ft tt
- SBINDIR/slaptest -f /ETCDIR/slapd.conf -v
+ SBINDIR/slaptest \-f /ETCDIR/slapd.conf \-v
.ft
.fi
.SH "SEE ALSO"
.BR ldap (3),
-.BR slapd (8)
+.BR slapd (8),
.BR slapdn (8)
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)