From 15d898f73dfe140e4b2d559e6e3a3252d41ca47b Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Thu, 16 Nov 2006 11:48:19 +0000 Subject: [PATCH] ITS#3812 back-config documentation --- doc/man/man5/slapd-config.5 | 2120 +++++++++++++++++++++++++++++++++++ 1 file changed, 2120 insertions(+) create mode 100644 doc/man/man5/slapd-config.5 diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 new file mode 100644 index 0000000000..60a13b6eef --- /dev/null +++ b/doc/man/man5/slapd-config.5 @@ -0,0 +1,2120 @@ +.TH SLAPD-CONFIG 5 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 1998-2006 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.\" $OpenLDAP$ +.SH NAME +slapd-config \- configuration backend +.SH SYNOPSIS +ETCDIR/slapd.d +.SH DESCRIPTION +The +.B config +backend manages all of the configuration information for the +.BR slapd (8) +daemon. This configuration information is also used by the SLAPD tools +.BR slapacl (8), +.BR slapadd (8), +.BR slapauth (8), +.BR slapcat (8), +.BR slapdn (8), +.BR slapindex (8), +and +.BR slaptest (8). +.LP +The +.B config +backend is backward compatible with the older +.BR slapd.conf (5) +file but provides the ability to change the configuration dynamically +at runtime. If slapd is run with only a +.B slapd.conf +file dynamic changes will be allowed but they will not persist across +a server restart. Dynamic changes are only saved when slapd is running +from a +.B slapd.d +configuration directory. +.LP + +Unlike other backends, there can only be one instance of the +.B config +backend, and most of its structure is predefined. The root of the +database is hardcoded to +.B "cn=config" +and this root entry contains +global settings for slapd. Multiple child entries underneath the +root entry are used to carry various other settings: +.RS +.TP +.B cn=Include +old-style include files +.TP +.B cn=Module +dynamically loaded modules +.TP +.B cn=Schema +schema definitions +.TP +.B olcBackend=xxx +backend-specific settings +.TP +.B olcDatabase=xxx +database-specific settings +.RE + +The +.B cn=Include +entries will only appear in configurations that were +converted from slapd.conf format. There can be multiple entries, one +for each included file. These entries only serve as placeholders to +document the fact that files were previously included. After those +files have been read and parsed, their content is merged into the +main configuration and then the include files are ignored thereafter. +These entries may form an arbitrarily deep subtree, reflecting any +nesting of the original include files. + +The +.B cn=Module +entries will only appear in configurations where slapd +was built with support for dynamically loaded modules. There can be +multiple entries, one for each configured module path. Within each +entry there will be values recorded for each module loaded on a +given path. These entries have no children. + +The +.B cn=Schema +entry contains all of the hardcoded schema elements. +The children of this entry contain all user-defined schema elements. +In schema that were loaded from include files, the child entry will +be named after the include file from which the schema was loaded. +Typically the first child in this subtree will be +.BR cn=core,cn=schema,cn=config . + +.B olcBackend +entries are for storing settings specific to a single +backend type (and thus global to all database instances of that type). +At present there are no backends that implement settings of this +nature, so usually there will not be any olcBackend entries. + +.B olcDatabase +entries store settings specific to a single database +instance. These entries may have +.B olcOverlay +child entries corresponding +to any overlays configured on the database. The olcDatabase and +olcOverlay entries may also have miscellaneous child entries for +other settings as needed. There are two special database entries +that are predefined - one is an entry for the config database itself, +and the other is for the "frontend" database. Settings in the +frontend database are inherited by the other databases, unless +they are explicitly overridden in a specific database. +.LP +The specific configuration options available are discussed below in the +Global Configuration Options, General Backend Options, and General Database +Options. Options are set by defining LDAP attributes with specific values. +In general the names of the LDAP attributes are the same as the corresponding +.B slapd.conf +keyword, with an "olc" prefix added on. + +The parser for many of these attributes is the same as used for parsing +the slapd.conf keywords. As such, slapd.conf keywords that allow multiple +items to be specified on one line, separate by whitespace, will allow +multiple items to be specified in one attribute value. However, when +reading the attribute via LDAP, the items will be returned as individual +attribute values. + +Backend-specific options are discussed in the +.B slapd-(5) +manual pages. Refer to the "OpenLDAP Administrator's Guide" for more +details on configuring slapd. +.SH GLOBAL CONFIGURATION OPTIONS +Options described in this section apply to the server as a whole. +Arguments that should be replaced by +actual text are shown in brackets <>. + +These options may only be specified in the +.B cn=config +entry. This entry must have an objectClass of +.BR olcGlobal . + +.TP +.B olcAllows: +Specify a set of features to allow (default none). +.B bind_v2 +allows acceptance of LDAPv2 bind requests. Note that +.BR slapd (8) +does not truly implement LDAPv2 (RFC 1777), now Historic (RFC 3494). +.B bind_anon_cred +allows anonymous bind when credentials are not empty (e.g. +when DN is empty). +.B bind_anon_dn +allows unauthenticated (anonymous) bind when DN is not empty. +.B update_anon +allows unauthenticated (anonymous) update operations to be processed +(subject to access controls and other administrative limits). +.B proxy_authz_anon +allows unauthenticated (anonymous) proxy authorization control to be processed +(subject to access controls, authorization and other administrative limits). +.TP +.B olcArgsFile: +The ( absolute ) name of a file that will hold the +.B slapd +server's command line options +if started without the debugging command line option. +.TP +.B olcAttributeOptions: ... +Define tagging attribute options or option tag/range prefixes. +Options must not end with `-', prefixes must end with `-'. +The `lang-' prefix is predefined. +If you use the +.B olcAttributeOptions +directive, `lang-' will no longer be defined and you must specify it +explicitly if you want it defined. + +An attribute description with a tagging option is a subtype of that +attribute description without the option. +Except for that, options defined this way have no special semantics. +Prefixes defined this way work like the `lang-' options: +They define a prefix for tagging options starting with the prefix. +That is, if you define the prefix `x-foo-', you can use the option +`x-foo-bar'. +Furthermore, in a search or compare, a prefix or range name (with +a trailing `-') matches all options starting with that name, as well +as the option with the range name sans the trailing `-'. +That is, `x-foo-bar-' matches `x-foo-bar' and `x-foo-bar-baz'. + +RFC 4520 reserves options beginning with `x-' for private experiments. +Other options should be registered with IANA, see RFC 4520 section 3.5. +OpenLDAP also has the `binary' option built in, but this is a transfer +option, not a tagging option. +.TP +.B olcAuthzPolicy: +Used to specify which rules to use for Proxy Authorization. Proxy +authorization allows a client to authenticate to the server using one +user's credentials, but specify a different identity to use for authorization +and access control purposes. It essentially allows user A to login as user +B, using user A's password. +The +.B none +flag disables proxy authorization. This is the default setting. +The +.B from +flag will use rules in the +.I authzFrom +attribute of the authorization DN. +The +.B to +flag will use rules in the +.I authzTo +attribute of the authentication DN. +The +.B any +flag, an alias for the deprecated value of +.BR both , +will allow any of the above, whatever succeeds first (checked in +.BR to , +.B from +sequence. +The +.B all +flag requires both authorizations to succeed. +.LP +.RS +The rules are mechanisms to specify which identities are allowed +to perform proxy authorization. +The +.I authzFrom +attribute in an entry specifies which other users +are allowed to proxy login to this entry. The +.I authzTo +attribute in +an entry specifies which other users this user can authorize as. Use of +.I authzTo +rules can be easily +abused if users are allowed to write arbitrary values to this attribute. +In general the +.I authzTo +attribute must be protected with ACLs such that +only privileged users can modify it. +The value of +.I authzFrom +and +.I authzTo +describes an +.B identity +or a set of identities; it can take five forms: +.RS +.TP +.B ldap:///??[]? +.RE +.RS +.B dn[.]: +.RE +.RS +.B u[[]]: +.RE +.RS +.B group[/objectClass[/attributeType]]: +.RE +.RS +.B +.RE +.RS + +.B :={exact|onelevel|children|subtree|regex} + +.RE +The first form is a valid LDAP +.B URI +where the +.IR : , +the +.I +and the +.I +portions must be absent, so that the search occurs locally on either +.I authzFrom +or +.IR authzTo . +The second form is a +.BR DN , +with the optional style modifiers +.IR exact , +.IR onelevel , +.IR children , +and +.I subtree +for exact, onelevel, children and subtree matches, which cause +.I +to be normalized according to the DN normalization rules, or the special +.I regex +style, which causes the +.I +to be treated as a POSIX (''extended'') regular expression, as +discussed in +.BR regex (7) +and/or +.BR re_format (7). +A pattern of +.I * +means any non-anonymous DN. +The third form is a SASL +.BR id , +with the optional fields +.I +and +.I +that allow to specify a SASL +.BR mechanism , +and eventually a SASL +.BR realm , +for those mechanisms that support one. +The need to allow the specification of a mechanism is still debated, +and users are strongly discouraged to rely on this possibility. +The fourth form is a group specification, consisting of the keyword +.BR group , +optionally followed by the specification of the group +.B objectClass +and member +.BR attributeType . +The group with DN +.B +is searched with base scope, and in case of match, the values of the +member +.B attributeType +are searched for the asserted DN. +For backwards compatibility, if no identity type is provided, i.e. only +.B +is present, an +.I exact DN +is assumed; as a consequence, +.B +is subjected to DN normalization. +Since the interpretation of +.I authzFrom +and +.I authzTo +can impact security, users are strongly encouraged +to explicitly set the type of identity specification that is being used. +A subset of these rules can be used as third arg in the +.B olcAuthzRegexp +statement (see below); significantly, the +.I URI +and the +.I dn.exact: +forms. +.RE +.TP +.B olcAuthzRegexp: +Used by the authentication framework to convert simple user names, +such as provided by SASL subsystem, to an LDAP DN used for +authorization purposes. Note that the resultant DN need not refer +to an existing entry to be considered valid. When an authorization +request is received from the SASL subsystem, the SASL +.BR USERNAME , +.BR REALM , +and +.B MECHANISM +are taken, when available, and combined into a name of the form +.RS +.RS +.TP +.B UID=[[,CN=],CN=],CN=auth + +.RE +This name is then compared against the +.B match +POSIX (''extended'') regular expression, and if the match is successful, +the name is replaced with the +.B replace +string. If there are wildcard strings in the +.B match +regular expression that are enclosed in parenthesis, e.g. +.RS +.TP +.B UID=([^,]*),CN=.* + +.RE +then the portion of the name that matched the wildcard will be stored +in the numbered placeholder variable $1. If there are other wildcard strings +in parenthesis, the matching strings will be in $2, $3, etc. up to $9. The +placeholders can then be used in the +.B replace +string, e.g. +.RS +.TP +.B UID=$1,OU=Accounts,DC=example,DC=com + +.RE +The replaced name can be either a DN, i.e. a string prefixed by "dn:", +or an LDAP URI. +If the latter, the server will use the URI to search its own database(s) +and, if the search returns exactly one entry, the name is +replaced by the DN of that entry. The LDAP URI must have no +hostport, attrs, or extensions components, but the filter is mandatory, +e.g. +.RS +.TP +.B ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1) + +.RE +The protocol portion of the URI must be strictly +.BR ldap . +Note that this search is subject to access controls. Specifically, +the authentication identity must have "auth" access in the subject. + +Multiple +.B olcAuthzRegexp +values can be given in the configuration file to allow for multiple matching +and replacement patterns. The matching patterns are checked in the order they +appear in the file, stopping at the first successful match. + +.\".B Caution: +.\"Because the plus sign + is a character recognized by the regular expression engine, +.\"and it will appear in names that include a REALM, be careful to escape the +.\"plus sign with a backslash \\+ to remove the character's special meaning. +.RE +.TP +.B olcConcurrency: +Specify a desired level of concurrency. Provided to the underlying +thread system as a hint. The default is not to provide any hint. This setting +is only meaningful on some platforms where there is not a one to one +correspondence between user threads and kernel threads. +.TP +.B olcConnMaxPending: +Specify the maximum number of pending requests for an anonymous session. +If requests are submitted faster than the server can process them, they +will be queued up to this limit. If the limit is exceeded, the session +is closed. The default is 100. +.TP +.B olcConnMaxPendingAuth: +Specify the maximum number of pending requests for an authenticated session. +The default is 1000. +.TP +.B olcDisallows: +Specify a set of features to disallow (default none). +.B bind_anon +disables acceptance of anonymous bind requests. Note that this setting +does not prohibit anonymous directory access (See "require authc"). +.B bind_simple +disables simple (bind) authentication. +.B tls_2_anon +disables forcing session to anonymous status (see also +.BR tls_authc ) +upon StartTLS operation receipt. +.B tls_authc +disallows the StartTLS operation if authenticated (see also +.BR tls_2_anon ). +.TP +.B olcGentleHUP: { TRUE | FALSE } +A SIGHUP signal will only cause a 'gentle' shutdown-attempt: +.B Slapd +will stop listening for new connections, but will not close the +connections to the current clients. Future write operations return +unwilling-to-perform, though. Slapd terminates when all clients +have closed their connections (if they ever do), or \- as before \- +if it receives a SIGTERM signal. This can be useful if you wish to +terminate the server and start a new +.B slapd +server +.B with another database, +without disrupting the currently active clients. +The default is FALSE. You may wish to use +.B idletimeout +along with this option. +.TP +.B olcIdleTimeout: +Specify the number of seconds to wait before forcibly closing +an idle client connection. A idletimeout of 0 disables this +feature. The default is 0. +.TP +.B olcIndexSubstrIfMaxlen: +Specify the maximum length for subinitial and subfinal indices. Only +this many characters of an attribute value will be processed by the +indexing functions; any excess characters are ignored. The default is 4. +.TP +.B olcIndexSubstrIfMinlen: +Specify the minimum length for subinitial and subfinal indices. An +attribute value must have at least this many characters in order to be +processed by the indexing functions. The default is 2. +.TP +.B olcIndexSubstrAnyLen: +Specify the length used for subany indices. An attribute value must have +at least this many characters in order to be processed. Attribute values +longer than this length will be processed in segments of this length. The +default is 4. The subany index will also be used in subinitial and +subfinal index lookups when the filter string is longer than the +.I index_substr_if_maxlen +value. +.TP +.B olcIndexSubstrAnyStep: +Specify the steps used in subany index lookups. This value sets the offset +for the segments of a filter string that are processed for a subany index +lookup. The default is 2. For example, with the default values, a search +using this filter "cn=*abcdefgh*" would generate index lookups for +"abcd", "cdef", and "efgh". + +.TP +.B olcLocalSSF: +Specifies the Security Strength Factor (SSF) to be given local LDAP sessions, +such as those to the ldapi:// listener. For a description of SSF values, +see +.BR olcSaslSecProps 's +.B minssf +option description. The default is 71. +.TP +.B olcLogLevel: [...] +Specify the level at which debugging statements and operation +statistics should be syslogged (currently logged to the +.BR syslogd (8) +LOG_LOCAL4 facility). +They must be considered subsystems rather than increasingly verbose +log levels. +Some messages with higher priority are logged regardless +of the configured loglevel as soon as some logging is configured, +otherwise anything is logged at all. +Log levels are additive, and available levels are: +.RS +.RS +.PD 0 +.TP +.B 1 +.B (0x1 trace) +trace function calls +.TP +.B 2 +.B (0x2 packets) +debug packet handling +.TP +.B 4 +.B (0x4 args) +heavy trace debugging (function args) +.TP +.B 8 +.B (0x8 conns) +connection management +.TP +.B 16 +.B (0x10 BER) +print out packets sent and received +.TP +.B 32 +.B (0x20 filter) +search filter processing +.TP +.B 64 +.B (0x40 config) +configuration file processing +.TP +.B 128 +.B (0x80 ACL) +access control list processing +.TP +.B 256 +.B (0x100 stats) +stats log connections/operations/results +.TP +.B 512 +.B (0x200 stats2) +stats log entries sent +.TP +.B 1024 +.B (0x400 shell) +print communication with shell backends +.TP +.B 2048 +.B (0x800 parse) +entry parsing +\".TP +\".B 4096 +\".B (0x1000 cache) +\"caching (unused) +\".TP +\".B 8192 +\".B (0x2000 index) +\"data indexing (unused) +.TP +.B 16384 +.B (0x4000 sync) +LDAPSync replication +.TP +.B 32768 +.B (0x8000 none) +only messages that get logged whatever log level is set +.PD +.RE +The desired log level can be input as a single integer that combines +the (ORed) desired levels, both in decimal or in hexadecimal notation, +as a list of integers (that are ORed internally), +or as a list of the names that are shown between brackets, such that +.LP +.nf + olcLogLevel 129 + olcLogLevel 0x81 + olcLogLevel 128 1 + olcLogLevel 0x80 0x1 + olcLogLevel acl trace +.fi +.LP +are equivalent. +The keyword +.B any +can be used as a shortcut to enable logging at all levels (equivalent to -1). +The keyword +.BR none , +or the equivalent integer representation, causes those messages +that are logged regardless of the configured loglevel to be logged. +In fact, if no loglevel (or a 0 level) is defined, no logging occurs, +so at least the +.B none +level is required to have high priority messages logged. +.RE +.TP +.B olcPasswordCryptSaltFormat: +Specify the format of the salt passed to +.BR crypt (3) +when generating {CRYPT} passwords (see +.BR olcPasswordHash ) +during processing of LDAP Password Modify Extended Operations (RFC 3062). + +This string needs to be in +.BR sprintf (3) +format and may include one (and only one) %s conversion. +This conversion will be substituted with a string of random +characters from [A\-Za\-z0\-9./]. For example, "%.2s" +provides a two character salt and "$1$%.8s" tells some +versions of crypt(3) to use an MD5 algorithm and provides +8 random characters of salt. The default is "%s", which +provides 31 characters of salt. +.TP +.B olcPasswordHash: [...] +This option configures one or more hashes to be used in generation of user +passwords stored in the userPassword attribute during processing of +LDAP Password Modify Extended Operations (RFC 3062). +The must be one of +.BR {SSHA} , +.BR {SHA} , +.BR {SMD5} , +.BR {MD5} , +.BR {CRYPT} , +and +.BR {CLEARTEXT} . +The default is +.BR {SSHA} . + +.B {SHA} +and +.B {SSHA} +use the SHA-1 algorithm (FIPS 160-1), the latter with a seed. + +.B {MD5} +and +.B {SMD5} +use the MD5 algorithm (RFC 1321), the latter with a seed. + +.B {CRYPT} +uses the +.BR crypt (3). + +.B {CLEARTEXT} +indicates that the new password should be +added to userPassword as clear text. + +Note that this option does not alter the normal user applications +handling of userPassword during LDAP Add, Modify, or other LDAP operations. +.TP +.B olcPidFile: +The ( absolute ) name of a file that will hold the +.B slapd +server's process ID ( see +.BR getpid (2) +) if started without the debugging command line option. +.TP +.B olcPluginLogFile: +The ( absolute ) name of a file that will contain log +messages from +.B SLAPI +plugins. +.TP +.B olcReferral: +Specify the referral to pass back when +.BR slapd (8) +cannot find a local database to handle a request. +If multiple values are specified, each url is provided. +.\" slurpd-related keywords are all deprecated +.\".TP +.\".B replica-argsfile +.\"The ( absolute ) name of a file that will hold the +.\".B slurpd +.\"server's command line options +.\"if started without the debugging command line option. +.\"If it appears after a +.\".B replogfile +.\"directive, the args file is specific to the +.\".BR slurpd (8) +.\"instance that handles that replication log. +.\".TP +.\".B replica-pidfile +.\"The ( absolute ) name of a file that will hold the +.\".B slurpd +.\"server's process ID ( see +.\".BR getpid (2) +.\") if started without the debugging command line option. +.\"If it appears after a +.\".B replogfile +.\"directive, the pid file is specific to the +.\".BR slurpd (8) +.\"instance that handles that replication log. +.\".TP +.\".B replicationinterval +.\"The number of seconds +.\".B slurpd +.\"waits before checking the replogfile for changes. +.\"If it appears after a +.\".B replogfile +.\"directive, the replication interval is specific to the +.\".BR slurpd (8) +.\"instance that handles that replication log. +.TP +.B olcReverseLookup: TRUE | FALSE +Enable/disable client name unverified reverse lookup (default is +.BR FALSE +if compiled with --enable-rlookups). +.TP +.B olcRootDSE: +Specify the name of an LDIF(5) file containing user defined attributes +for the root DSE. These attributes are returned in addition to the +attributes normally produced by slapd. +.TP +.B olcSaslHost: +Used to specify the fully qualified domain name used for SASL processing. +.TP +.B olcSaslRealm: +Specify SASL realm. Default is empty. +.TP +.B olcSaslSecProps: +Used to specify Cyrus SASL security properties. +The +.B none +flag (without any other properties) causes the flag properties +default, "noanonymous,noplain", to be cleared. +The +.B noplain +flag disables mechanisms susceptible to simple passive attacks. +The +.B noactive +flag disables mechanisms susceptible to active attacks. +The +.B nodict +flag disables mechanisms susceptible to passive dictionary attacks. +The +.B noanonymous +flag disables mechanisms which support anonymous login. +The +.B forwardsec +flag require forward secrecy between sessions. +The +.B passcred +require mechanisms which pass client credentials (and allow +mechanisms which can pass credentials to do so). +The +.B minssf= +property specifies the minimum acceptable +.I security strength factor +as an integer approximate to effective key length used for +encryption. 0 (zero) implies no protection, 1 implies integrity +protection only, 56 allows DES or other weak ciphers, 112 +allows triple DES and other strong ciphers, 128 allows RC4, +Blowfish and other modern strong ciphers. The default is 0. +The +.B maxssf= +property specifies the maximum acceptable +.I security strength factor +as an integer (see minssf description). The default is INT_MAX. +The +.B maxbufsize= +property specifies the maximum security layer receive buffer +size allowed. 0 disables security layers. The default is 65536. +.TP +.B olcSockbufMaxIncoming: +Specify the maximum incoming LDAP PDU size for anonymous sessions. +The default is 262143. +.TP +.B olcSockbufMaxIncomingAuth: +Specify the maximum incoming LDAP PDU size for authenticated sessions. +The default is 4194303. +.TP +.B olcThreads: +Specify the maximum size of the primary thread pool. +The default is 16; the minimum value is 2. +.TP +.B olcToolThreads: +Specify the maximum number of threads to use in tool mode. +This should not be greater than the number of CPUs in the system. +The default is 1. +.\"ucdata-path is obsolete / ignored... +.\".TP +.\".B ucdata-path +.\"Specify the path to the directory containing the Unicode character +.\"tables. The default path is DATADIR/ucdata. +.SH TLS OPTIONS +If +.B slapd +is built with support for Transport Layer Security, there are more options +you can specify. +.TP +.B olcTLSCipherSuite: +Permits configuring what ciphers will be accepted and the preference order. + should be a cipher specification for OpenSSL. Example: + +olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2 + +To check what ciphers a given spec selects, use: + +openssl ciphers -v +.TP +.B olcTLSCACertificateFile: +Specifies the file that contains certificates for all of the Certificate +Authorities that +.B slapd +will recognize. +.TP +.B olcTLSCACertificatePath: +Specifies the path of a directory that contains Certificate Authority +certificates in separate individual files. Usually only one of this +or the olcTLSCACertificateFile is used. +.TP +.B olcTLSCertificateFile: +Specifies the file that contains the +.B slapd +server certificate. +.TP +.B olcTLSCertificateKeyFile: +Specifies the file that contains the +.B slapd +server private key that matches the certificate stored in the +.B olcTLSCertificateFile +file. Currently, the private key must not be protected with a password, so +it is of critical importance that it is protected carefully. +.TP +.B olcTLSDHParamFile: +This directive specifies the file that contains parameters for Diffie-Hellman +ephemeral key exchange. This is required in order to use a DSA certificate on +the server. If multiple sets of parameters are present in the file, all of +them will be processed. Note that setting this option may also enable +Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites. +You should append "!ADH" to your cipher suites if you have changed them +from the default, otherwise no certificate exchanges or verification will +be done. +.TP +.B olcTLSRandFile: +Specifies the file to obtain random bits from when /dev/[u]random +is not available. Generally set to the name of the EGD/PRNGD socket. +The environment variable RANDFILE can also be used to specify the filename. +.TP +.B olcTLSVerifyClient: +Specifies what checks to perform on client certificates in an +incoming TLS session, if any. +The +.B +can be specified as one of the following keywords: +.RS +.TP +.B never +This is the default. +.B slapd +will not ask the client for a certificate. +.TP +.B allow +The client certificate is requested. If no certificate is provided, +the session proceeds normally. If a bad certificate is provided, +it will be ignored and the session proceeds normally. +.TP +.B try +The client certificate is requested. If no certificate is provided, +the session proceeds normally. If a bad certificate is provided, +the session is immediately terminated. +.TP +.B demand | hard | true +These keywords are all equivalent, for compatibility reasons. +The client certificate is requested. If no certificate is provided, +or a bad certificate is provided, the session is immediately terminated. + +Note that a valid client certificate is required in order to use the +SASL EXTERNAL authentication mechanism with a TLS session. As such, +a non-default +.B olcTLSVerifyClient +setting must be chosen to enable SASL EXTERNAL authentication. +.RE +.TP +.B olcTLSCRLCheck: +Specifies if the Certificate Revocation List (CRL) of the CA should be +used to verify if the client certificates have not been revoked. This +requires +.B olcTLSCACertificatePath +parameter to be set. +.B +can be specified as one of the following keywords: +.RS +.TP +.B none +No CRL checks are performed +.TP +.B peer +Check the CRL of the peer certificate +.TP +.B all +Check the CRL for a whole certificate chain +.RE +.SH DYNAMIC MODULE OPTIONS +If +.B slapd +is compiled with --enable-modules then the module-related entries will +be available. These entries are named +.B cn=module{x},cn=config +and +must have the olcModuleList objectClass. One entry should be created +per +.B olcModulePath. +Normally the config engine generates the "{x}" index in the RDN +automatically, so it can be omitted when initially loading these entries. +.TP +.B olcModuleLoad: +Specify the name of a dynamically loadable module to load. The filename +may be an absolute path name or a simple filename. Non-absolute names +are searched for in the directories specified by the +.B olcModulePath +option. +.TP +.B olcModulePath: +Specify a list of directories to search for loadable modules. Typically +the path is colon-separated but this depends on the operating system. +.SH SCHEMA OPTIONS +Schema definitions are created as entries in the +.B cn=schema,cn=config +subtree. These entries must have the olcSchemaConfig objectClass. +As noted above, the actual +.B cn=schema,cn=config +entry is predefined and any values specified for it are ignored. + +.HP +.hy 0 +.B olcAttributetypes: "(\ \ + [NAME\ ]\ + [DESC\ ]\ + [OBSOLETE]\ + [SUP\ ]\ + [EQUALITY\ ]\ + [ORDERING\ ]\ + [SUBSTR\ ]\ + [SYNTAX\ ]\ + [SINGLE\-VALUE]\ + [COLLECTIVE]\ + [NO\-USER\-MODIFICATION]\ + [USAGE\ ]\ )" +.RS +Specify an attribute type using the LDAPv3 syntax defined in RFC 4512. +The slapd parser extends the RFC 4512 definition by allowing string +forms as well as numeric OIDs to be used for the attribute OID and +attribute syntax OID. +(See the +.B olcObjectIdentifier +description.) +.RE + +.HP +.hy 0 +.B olcDitContentRules: "(\ \ + [NAME\ ]\ + [DESC\ ]\ + [OBSOLETE]\ + [AUX\ ]\ + [MUST\ ]\ + [MAY\ ]\ + [NOT\ ]\ )" +.RS +Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 4512. +The slapd parser extends the RFC 4512 definition by allowing string +forms as well as numeric OIDs to be used for the attribute OID and +attribute syntax OID. +(See the +.B olcObjectIdentifier +description.) +.RE + +.HP +.hy 0 +.B olcObjectClasses: "(\ \ + [NAME\ ]\ + [DESC\ ]\ + [OBSOLETE]\ + [SUP\ ]\ + [{ ABSTRACT | STRUCTURAL | AUXILIARY }]\ + [MUST\ ] [MAY\ ] )" +.RS +Specify an objectclass using the LDAPv3 syntax defined in RFC 4512. +The slapd parser extends the RFC 4512 definition by allowing string +forms as well as numeric OIDs to be used for the object class OID. +(See the +.B +olcObjectIdentifier +description.) Object classes are "STRUCTURAL" by default. +.RE +.TP +.B olcObjectIdentifier: "{ | [:] }" +Define a string name that equates to the given OID. The string can be used +in place of the numeric OID in objectclass and attribute definitions. The +name can also be used with a suffix of the form ":xx" in which case the +value "oid.xx" will be used. + +.SH GENERAL BACKEND OPTIONS +Options in these entries only apply to the configuration of a single +type of backend. All backends may support this class of options. +The entry must be named +.B olcBackend=,cn=config +and must have the olcBackendConfig objectClass. + +should be one of +.BR bdb , +.BR config , +.BR dnssrv , +.BR hdb , +.BR ldap , +.BR ldif , +.BR meta , +.BR monitor , +.BR null , +.BR passwd , +.BR perl , +.BR relay , +.BR shell , +or +.BR sql . +At present, no backend implements any options of this type. + +.SH DATABASE OPTIONS +Database options are set in entries named +.B olcDatabase={x},cn=config +and must have the olcDatabaseConfig objectClass. Normally the config +engine generates the "{x}" index in the RDN automatically, so it +can be omitted when initially loading these entries. + +The special frontend database is always numbered "{-1}" and the config +database is always numbered "{0}". + +.SH GLOBAL DATABASE OPTIONS +Options in this section may be set in the special "frontend" database +and inherited in all the other databases. These options may be altered +by further settings in each specific database. The frontend entry must +be named +.B olcDatabase=frontend,cn=config +and must have the olcFrontendConfig objectClass. +.TP +.B olcAccess: to "[ by ]+" +Grant access (specified by ) to a set of entries and/or +attributes (specified by ) by one or more requestors (specified +by ). +If no access controls are present, the default policy +allows anyone and everyone to read anything but restricts +updates to rootdn. (e.g., "olcAccess: to * by * read"). Access +controls set in the frontend are inherited by all other databases. +Access controls set in specific databases do not override these +global settings; they are appended to the global settings. +The rootdn of a database can always read and write EVERYTHING +in that database! +See +.BR slapd.access (5) +and the "OpenLDAP Administrator's Guide" for details. +.TP +.B olcDefaultSearchBase: +Specify a default search base to use when client submits a +non-base search request with an empty base DN. +Base scoped search requests with an empty base DN are not affected. +This setting is only allowed in the frontend entry. +.TP +.B olcReadOnly: TRUE | FALSE +This option puts the database into "read-only" mode. Any attempts to +modify the database will return an "unwilling to perform" error. By +default, olcReadOnly is FALSE. Note that when this option is set +TRUE on the frontend, it cannot be reset without restarting the +server, since further writes to tne config database will be rejected. +.TP +.B olcRequires: +Specify a set of conditions to require (default none). +The directive may be specified globally and/or per-database; +databases inherit global conditions, so per-database specifications +are additive. +.B bind +requires bind operation prior to directory operations. +.B LDAPv3 +requires session to be using LDAP version 3. +.B authc +requires authentication prior to directory operations. +.B SASL +requires SASL authentication prior to directory operations. +.B strong +requires strong authentication prior to directory operations. +The strong keyword allows protected "simple" authentication +as well as SASL authentication. +.B none +may be used to require no conditions (useful to clear out globally +set conditions within a particular database); it must occur first +in the list of conditions. +.TP +.B olcRestrict: +Specify a list of operations that are restricted. +Restrictions on a specific database override any frontend setting. +Operations can be any of +.BR add , +.BR bind , +.BR compare , +.BR delete , +.BR extended[=] , +.BR modify , +.BR rename , +.BR search , +or the special pseudo-operations +.B read +and +.BR write , +which respectively summarize read and write operations. +The use of +.I restrict write +is equivalent to +.I olcReadOnly: TRUE +(see above). +The +.B extended +keyword allows to indicate the OID of the specific operation +to be restricted. +.TP +.B olcSchemaDN: +Specify the distinguished name for the subschema subentry that +controls the entries on this server. The default is "cn=Subschema". +.TP +.B olcSecurity: +Specify a set of security strength factors (separated by white space) +to require (see +.BR olcSaslSecprops 's +.B minssf +option for a description of security strength factors). +The directive may be specified globally and/or per-database. +.B ssf= +specifies the overall security strength factor. +.B transport= +specifies the transport security strength factor. +.B tls= +specifies the TLS security strength factor. +.B sasl= +specifies the SASL security strength factor. +.B update_ssf= +specifies the overall security strength factor to require for +directory updates. +.B update_transport= +specifies the transport security strength factor to require for +directory updates. +.B update_tls= +specifies the TLS security strength factor to require for +directory updates. +.B update_sasl= +specifies the SASL security strength factor to require for +directory updates. +.B simple_bind= +specifies the security strength factor required for +.I simple +username/password authentication. +Note that the +.B transport +factor is measure of security provided by the underlying transport, +e.g. ldapi:// (and eventually IPSEC). It is not normally used. +.TP +.B olcSizeLimit: {|unlimited} +.TP +.B olcSizeLimit: size[.{soft|hard|unchecked}]= [...] +Specify the maximum number of entries to return from a search operation. +The default size limit is 500. +Use +.B unlimited +to specify no limits. +The second format allows a fine grain setting of the size limits. +Extra args can be added in the same value or as additional values. +See +.BR olcLimits +for an explanation of the different flags. +.TP +.B olcTimeLimit: {|unlimited} +.TP +.B olcTimeLimit: time[.{soft|hard}]= [...] +Specify the maximum number of seconds (in real time) +.B slapd +will spend answering a search request. The default time limit is 3600. +Use +.B unlimited +to specify no limits. +The second format allows a fine grain setting of the time limits. +Extra args can be added in the same value or as additional values. +See +.BR olcLimits +for an explanation of the different flags. + +.SH GENERAL DATABASE OPTIONS +Options in this section only apply to the specific database for +which they are defined. They are supported by every +type of backend. All of the Global Database Options may also be +used here. +.TP +.B olcLastMod: TRUE | FALSE +Controls whether +.B slapd +will automatically maintain the +modifiersName, modifyTimestamp, creatorsName, and +createTimestamp attributes for entries. It also controls +the entryCSN and entryUUID attributes, which are needed +by the syncrepl provider. By default, olcLastMod is TRUE. +.TP +.B olcLimits: [ [...]] +Specify time and size limits based on who initiated an operation. +The argument +.B who +can be any of +.RS +.RS +.TP +anonymous | users | [dn[.