From 2c95a6fec528359e9db998f0ecdec7413bd7220b Mon Sep 17 00:00:00 2001
From: Will Ballantyne <willb@openldap.org>
Date: Fri, 23 Apr 1999 23:00:44 +0000
Subject: [PATCH] openldap guide sdf files and gifs

---
 doc/guide/LDAPwww.gif         | Bin 0 -> 2541 bytes
 doc/guide/config.sdf          |  76 +++
 doc/guide/dbtools.sdf         | 702 +++++++++++++++++++++++++++
 doc/guide/figure_1.gif        | Bin 0 -> 3086 bytes
 doc/guide/figure_2.gif        | Bin 0 -> 1424 bytes
 doc/guide/figure_3.gif        | Bin 0 -> 2395 bytes
 doc/guide/figure_4.gif        | Bin 0 -> 1667 bytes
 doc/guide/figure_5.gif        | Bin 0 -> 3298 bytes
 doc/guide/figure_6.gif        | Bin 0 -> 3538 bytes
 doc/guide/install.sdf         | 268 +++++++++++
 doc/guide/intro.sdf           | 227 +++++++++
 doc/guide/master.sdf          |  20 +
 doc/guide/monitoringslapd.sdf | 112 +++++
 doc/guide/preamble.sdf        |  11 +
 doc/guide/quickstart.sdf      | 123 +++++
 doc/guide/referrals.sdf       |  41 ++
 doc/guide/replication.sdf     | 407 ++++++++++++++++
 doc/guide/runningslapd.sdf    | 123 +++++
 doc/guide/slapdconfig.sdf     | 862 ++++++++++++++++++++++++++++++++++
 doc/guide/tuning.sdf          |  86 ++++
 20 files changed, 3058 insertions(+)
 create mode 100644 doc/guide/LDAPwww.gif
 create mode 100644 doc/guide/config.sdf
 create mode 100644 doc/guide/dbtools.sdf
 create mode 100644 doc/guide/figure_1.gif
 create mode 100644 doc/guide/figure_2.gif
 create mode 100644 doc/guide/figure_3.gif
 create mode 100644 doc/guide/figure_4.gif
 create mode 100644 doc/guide/figure_5.gif
 create mode 100644 doc/guide/figure_6.gif
 create mode 100644 doc/guide/install.sdf
 create mode 100644 doc/guide/intro.sdf
 create mode 100644 doc/guide/master.sdf
 create mode 100644 doc/guide/monitoringslapd.sdf
 create mode 100644 doc/guide/preamble.sdf
 create mode 100644 doc/guide/quickstart.sdf
 create mode 100644 doc/guide/referrals.sdf
 create mode 100644 doc/guide/replication.sdf
 create mode 100644 doc/guide/runningslapd.sdf
 create mode 100644 doc/guide/slapdconfig.sdf
 create mode 100644 doc/guide/tuning.sdf

diff --git a/doc/guide/LDAPwww.gif b/doc/guide/LDAPwww.gif
new file mode 100644
index 0000000000000000000000000000000000000000..b593bc983e33da5fc43bcf60d5c098ecca348ef1
GIT binary patch
literal 2541
zcmbu)`9IT-1Hke3#+dnFj=5vYku!x)`0%OCCPQf|G|l;$`XEQH5ZX{55|N|ksO4(T
z<Q5-Bw7DAPD09zQ(aZ-Q6~2$p-|&6?{`}!(Yj@V%!W#u50Am24uB?E^S-V^$ki9+K
z<Kshv12dgNsPVC-;rFZVWZllqefS{t?$f7*`Lz1`1+TM9AC{HTYHBLW86{0kH60zT
z%}rg;YS<OcoJQt&XI~48#d_P@&EZV<zaN~K7#kg(n4Mi5<9?Z4<nb2fS604!`zH9j
zzPY)%y}P@&y>obY2>gE;{Kx-$0iXwfGgK8{OYcgA%IcBWwa?%D1=p}Iz`rW$O;t4U
zpJKl%W<5k=@2lF?mGoulT&f`T)s+rBKJiC?fn9ysP`-KC=c&H>7o2D4MA#Ag2F6G+
zK1<KNzoGoY3qrAdp?zb;Sml*^|LOk5%88ek^bHgN`i)N@Q9X*g{&o+jK7<E04@p?J
z7K+;R7#wJRNfnk<^MZGsOqzwu?CVJubm0adp&D=8z0AC4|Gsas5;u(E33W=z1h^E?
zO}an~r-zD2zEHpe4KV(xy9+b9U&QFD>JS$Y8H~5t-S~pE>6)lfVd(HD7n0e2!Q!e;
z^VOua7Rcus^Vo1OOV;v$d}_b8&4&-pG}GZf$86oNo0n&#@^RD_P@UA2W9Au*G|Fp^
z86_*xas_uFMz)5^>qNQ*NZdeDVBgM%tCRdsUdE6RlR3zQ*k4CM;P}iH0<2ic)gu}9
zE8F$YH4LL$M9!@NLsB}`fFhY*+eP8ds3lQ7lYY+zdCIpWyNaOe7{eK{)E6`8Bi3@B
zL<lb2o4B{PO1|T1Otub@(qcY_9_8ntv!Z{+`FJQ$!Zk>;y<-|UbyXyVD1=9kKsUM&
z=x6^pYj))V@JT|3<jI)fC-~olbv>Zaf3!VTPcAah3rkA?K3VUWlaN45&NYB+7kM39
zGjhuH`60AW4^FP%i*|j|y@qhgi!E;%hQ#)kgKI--K5Aoi7Al-bwWq@qszeLz^#d)A
zlM5?-y%h`#!(PWQt68Bh46ydfUetUiJ+^CUT6%tdn|vHFktDb7H!k|BJ4dhS-{WMX
zrfYsz38V?1w$E+z2{b;o?|3ZyWwuOsImpHzW`xOi#8nWpolFgZB4te?ATw-c-35fx
zhC6+a)P5GxsWhk~AD7BL77z0+*y<Id(G+|P1>0OSVIg9p$SUA*11{M`WhDK|aw-o)
zc)VnaQJK)@qd8p&0W&ntp|LR6(7ox6BqESfd!4sb36uEZe{xbpX?e}|2YC1!?m!^W
zjR+j_`8_x;QGc|Nc;`j?E++a`Y{t7l6|{7ZNNirlbW}AlgA)aksF}hje35RD%XG|G
z<K`h+V36QILYHeL<uyiTRmCENj+HZOgU015WI>L!D!mVvHPtOsACk-z^vfnOs=b=0
z2+d)o9`e{Yjdb`TH$N?81G2r{gudx;+U#GEn;sVUA<G`CLh-Sn+>gS}akb^~oT|UA
zIo*dXyNCKSdxN(!9OrvO*LbNZuaBXn861GNfd8Q^=-AiNyq#jqW~mvsiNQ*ur^J!p
zC!MW?=6$I`C+EJOwq+iYnMu)@`Lk9n88DAv)IRSKMj%qlz9I$49sD!9>t>z__qjn@
z;u1aHn&GzCA@{7SF3E{nV@J1#ozMJI1bHLML|xPj$}>sk^TEY4n~<o?FX=1jN6o!9
z!imn0rse7t|JMIbxMNl|ubQKcUP#M8Wn<@-<rr|py-ez~(j*=p(fJp_$RT``C%^P3
z%W_;g`4^D4LhDCX661X4TN6%nHbY6+d=4C-YBvtdnWw~l4S2!jX>BI=J-F<Ydv<YA
zU7@H03QM|D^ozW1%14>cBLPPZ!ZZ-RN&|N9hvNoG%bL6OeHxJhWE+;<li&x;q+~oX
z^d85BKCyN4;Y6~ism2ZpLsAQMd86%Rn0`n<m5`nvRetzH!B<8vEl2OBa)S82h@joK
zG3(LNsFwMs28X06S=5pb_vO*M?7KBdF^wd(hkUc41ZH~VY7g7cvLb=xR{wmq>bh0t
zL<WyIT7qnq0g!ueT;E{9BLjyycDdPAwaZz8_G#=ndIwfUIBYtJ-E*<^VyZ{Dzht>G
zpsYKTlwf+t(qPKwtp8Zq!n^XWtyCk(f@M2C8^tt5D<Rxu)vPa|E|%(|WxGE_Q~-%%
z0c>cx#lX1^69xh?a!Oae^_6x{DYZI<w2XDdl@7kVmQo1YQGTCj9tl*|(;}AhK0K(4
zFymRviu6w^#L46C&V;jj$j}cNs*ZF7Q!?U!kZZ`!yGy>U(#7(xgy%LIG?BPWFu9+2
z7eGA2;etFmis6b+8&Q6U64yZMPxfHuDYu4VvREj1cBi&QbzM(AvvSz0NE)?dQe{o*
z?-@@gH-Gf^y$)(}Pc)bJni~qf)JmM04=F?a@l)Jp^w!K~!nRfr=p*QBUJHz!jjg$a
zudH>ZtcQ-(AM3q-XCJKCb;21XT!yElxm}DZD*4R{=MeWM)$Yl<J|JGh7L&|r#u!p6
zzW2SlU{}FY6I!C3mK2<)7%UzgNMfIL3^kXkSk$f;?lVB4ZMD&GJ<B~Ef=5cWc%3gI
z{1Zxz&qQ~t%1G)^0N5PUrsKc>4sM|V(nt_Sjt(TW(?D8Y4!O?V*Nmh}IO4DB(8BA|
z@Hrwx(+hwayk9XaW)4QXV8j$dR!@od48~j&I6&zjv(&vIdaf}@hq8?S5slOu1}dE6
z{K0hkSYZ5i?sda}M4cGqy&#ivgqJ^*PJCCe(@@%a4lad5Bjx4*Q62uuwc^PMcydGb
zF{H1j2{7zh0|oV*OCVZu2Yi+Rp^j>>wYV}^hfe`tmH<)dSEs*5-g-Szoe(L@eHSRX
z+u{tT+B~Me<DPA3{<eMtLI)rbYE2?v4Ktt&nh<NJE^n{eU(U;tE4wCOUKqN0BmXv1
z8E-0vJaHIGO)3Cs7`4J2pN8JcQW<|E8NvE1EjV_?4br?*m+yXh>uH!OFCen%ZKuSa
z677?Vwyq%PiSr<d+L*P7pzj}O8{t=t+>mDK-#NEuR(;g-Cxe@en;L7jtAz@Wk{>rU
zcve%B!+!D@j`i=?4E<UYDI13_Thqiif9!z8i0iHGehoE{%O%=Zk+r(lTR)f5q}up;
z6!Re^`f|{-BN}eIlzeA;w38=y>FN%1%;HQ;o-F!ZnQa`)dDhpYIC{b3zzTDevTT!e
zWHc~7tRQD2GM;-dqj3z~;CB!VCj1a+w??&APRT6IYL2jtQnq}J_h~J(i4ji6PBUkJ
hL-F?Ek2$H%e_0m}1o?+QS1)vapWqy<iwXml{{w_Ts9*p9

literal 0
HcmV?d00001

diff --git a/doc/guide/config.sdf b/doc/guide/config.sdf
new file mode 100644
index 0000000000..37322c7eb7
--- /dev/null
+++ b/doc/guide/config.sdf
@@ -0,0 +1,76 @@
+H1: The Big Picture - Configuration Choices
+
+This section gives a brief overview of various LDAP directory
+configurations, and how your LDAP server (either {{I:slapd}} or 
+{{I:ldapd}}) fits in with the rest of the world.
+
+
+
+H2: LDAP as a local service only
+
+In this configuration, you run a {{I:slapd}} which provides directory service
+for your local domain only. It does not interact with other directory
+servers in any way. This configuration is shown in Figure 2.
+
+!import "figure_2.gif"; align="center"; title="Local service via slapd configuration"
+FT: Figure 2: Local service via slapd configuration.
+
+Use this configuration if you are just starting out (it's the one the
+quick-start guide makes for you) or if you want to provide a local
+service and are not interested in connecting to the rest of the world.
+It's easy to upgrade to another configuration later if you want.
+
+
+
+H2: Local service with X.500 referrals
+
+In this configuration, you run a slapd which provides directory service
+for your local domain and an ldapd which provides access to the
+X.500 world (you don't have to run the ldapd yourself - you can just
+point to somebody else who does and doesn't mind you pointing to
+their service). This configuration is shown in Figure 3.
+
+!import "figure_3.gif"; align="center"; title="Local service via slapd + X.500 referrals configuration"
+FT: Figure 3: Local service via slapd + X.500 referrals configuration
+
+Use this configuration if you want to provide local service but still want
+to be connected to the rest of the X.500 world. Remember, you don't
+necessarily have to be running the ldapd in this picture; you just need
+to find one you can point to.
+
+
+
+H2: LDAP as a front end to X.500
+
+In this configuration, you run an X.500 service which provides
+directory service for your local domain and gatewaying service to the
+rest of the X.500 world. LDAP clients gain access to the directory
+through an ldapd which runs at your site. This configuration is shown
+in Figure 4.
+
+!import "figure_4.gif"; align="center"; title="Local service via X.500 and ldapd configuration"
+FT: Figure 4: Local service via X.500 and ldapd configuration
+
+Use this configuration if you are already running an X.500 service.
+Slapd is not involved in this configuration, so you can probably stop
+reading this guide.
+
+
+
+H2: Replicated slapd service
+
+The slurpd daemon is used to propagate changes from a master slapd
+to one or more slave slapds. An example master-slave configuration
+is shown in figure 5.
+
+!import "figure_5.gif"; align="center"; title="Master slapd with two slaves replicated with slurpd"
+FT: Figure 5: Master slapd with two slaves replicated with slurpd
+
+This configuration can be used in conjunction with the first two
+configurations in situations where a single slapd does not provide the
+required reliability or availability.
+
+PB:
+
+
+
diff --git a/doc/guide/dbtools.sdf b/doc/guide/dbtools.sdf
new file mode 100644
index 0000000000..b75170c8d0
--- /dev/null
+++ b/doc/guide/dbtools.sdf
@@ -0,0 +1,702 @@
+H1: Database Creation and Maintenance Tools
+
+This section tells you how to create a slapd database from
+scratch, and how to do trouble shooting if you run into
+problems. There are two ways to create a database. First,
+you can create the database on-line using LDAP. With this
+method, you simply start up slapd and add entries using the
+LDAP client of your choice. This method is fine for relatively
+small databases (a few hundred or thousand entries,
+depending on your requirements).
+
+The second method of database creation is to do it off-line,
+using the index generation tools. This method is best if you
+have many thousands of entries to create, which would take
+an unacceptably long time using the LDAP method, or if you
+want to ensure the database is not accessed while it is
+being created.
+
+
+
+H2: Creating a database over LDAP
+
+
+
+With this method, you use the LDAP client of your choice
+(e.g., the ldapadd(1) tool) to add entries, just like you would
+once the database is created. You should be sure to set the
+following configuration options before starting slapd:
+
+E:	suffix <dn>
+
+As described in the preceding section, this option says what
+entries are to be held by this database. You should set this
+to the DN of the root of the subtree you are trying to create.
+For example
+
+E: 	suffix "o=University of Michigan, c=US"
+
+You should be sure to specify a directory where the index
+files should be created:
+
+E:	directory <directory>
+
+For example:
+
+E:	directory /usr/local/openldap/slapd
+
+You need to make it so you can connect to slapd as
+somebody with permission to add entries. This is done
+through the following two options in the database definition:
+
+E:	rootdn <dn>
+E:	rootpw <passwd>
+
+These options specify a DN and password that can be used
+to authenticate as the "superuser" entry of the database (i.e.,
+the entry allowed to do anything). The DN and password
+specified here will always work, regardless of whether the
+entry named actually exists or has the password given. This
+solves the chicken-and-egg problem of how to authenticate
+and add entries before any entries yet exist.
+
+Finally, you should make sure that the database definition
+contains the index definitions you want:
+
+E: 	index {<attrlist> | default} [pres,eq,approx,sub,none]
+
+For example, to index the cn, sn, uid and objectclass
+attributes the following index configuration lines could be
+used.
+
+E:	index cn,sn,uid
+E:	index objectclass pres,eq
+E:	index default none
+
+See Section 4 on the configuration file for more details on
+this option. Once you have configured things to your liking,
+start up slapd, connect with your LDAP client, and start
+adding entries. For example, to add a the U of M entry
+followed by a Postmaster entry using the {{I:ldapadd}} tool, you
+could create a file called {{EX:/tmp/newentry}} with the contents:
+
+
+E: o=University of Michigan, c=US
+E: objectClass=organization
+E: o=University of Michigan
+E: description=University of Michigan at Ann Arbor
+E: cn=Postmaster, o=University of Michigan, c=US
+E: objectClass=organizationalRole
+E: cn=Postmaster
+E: description=U of M postmaster - postmaster@umich.edu
+
+and then use a command like this to actually create the
+entry:
+
+E: ldapadd -f /tmp/newentry -D "cn=Manager, o=University of
+E:	Michigan, c=US" -w secret
+
+The above command assumes that you have set {{EX: rootdn}} to
+"cn=Manager, o=University of Michigan, c=US" and {{EX: rootpw}}
+to "secret".
+
+H2: Creating a database off-line
+
+The second method of database creation is to do it off-line,
+using the index generation tools described below. This
+method is best if you have many thousands of entries to
+create, which would take an unacceptably long time using
+the LDAP method described above. These tools read the
+slapd configuration file and an input file containing a text
+representation of the entries to add. They produce the LDBM
+index files directly. There are several important configuration
+options you will want to be sure and set in the config file
+database definition first:
+
+E:	suffix <dn>
+
+As described in the preceding section, this option says what
+entries are to be held by this database. You should set this
+to the DN of the root of the subtree you are trying to create.
+For example
+
+E:	suffix "o=University of Michigan, c=US"
+
+You should be sure to specify a directory where the index
+files should be created:
+
+E:	directory <directory>
+
+For example:
+
+E:	directory /usr/local/openldap-slapd
+
+Next, you probably want to increase the size of the in-core
+cache used by each open index file. For best performance
+during index creation, the entire index should fit in memory. If
+your data is too big for this, or your memory too small, you
+can still make it pretty big and let the paging system do the
+work. This size is set with the following option:
+
+E:	dbcachesize <integer>
+
+For example:
+
+E:	dbcachesize 50000000
+
+This would create a cache 50 MB big, which is pretty big (at
+U-M, our database has about 125K entries, and our biggest
+index file is about 45 MB). Experiment with this number a bit,
+and the degree of parallelism (explained below), to see what
+works best for your system. Remember to turn this number
+back down once your index files are created and before you
+run slapd.
+
+Finally, you need to specify which indexes you want to build.
+This is done by one or more index options.
+
+E:	index {<attrlist> | default} [pres,eq,approx,sub,none]
+
+For example:
+
+E:	index cn,sn,uid pres,eq,approx
+E:	index default none
+
+This would create presence, equality and approximate
+indexes for the cn, sn, and uid attributes, and no indexes for
+any other attributes. See the configuration file section for
+more information on this option.
+
+H3: The {{EX: ldif2ldbm}} program
+
+Once you've configured things to your liking, you create the
+indexes by running the ldif2ldbm program:
+
+E:	ldif2ldbm -i <inputfile> -f <slapdconfigfile>
+E:		[-d <debuglevel>] [-j <integer>]
+E:		[-n <databasenumber>] [-e <etcdir>]
+
+The arguments have the following meanings:
+
+E:	-i <inputfile>
+
+Specifies the LDIF input file containing the entries to add in
+text form (described below in Section 8.3).
+
+E:	-f <slapdconfigfile>
+
+Specifies the slapd configuration file that tells where to
+create the indexes, what indexes to create, etc.
+
+E:	-d <debuglevel>
+
+Turn on debugging, as specified by {{EX: <debuglevel>}}. The
+debug levels are the same as for slapd (see Section 6.1).
+
+E:	-j <integer>
+
+An optional argument that specifies that at most {{EX: <integer>}}
+processes should be started in parallel when building the
+indexes. The default is 1. If set to a value greater than one,
+{{I: ldif2ldbm}} will create at most that many subprocesses at a
+time when building the indexes. A separate subprocess is
+created to build each attribute index. Running these
+processes in parallel can speed things up greatly, but
+beware of creating too many processes, all competing for
+memory and disk resources.
+
+E: 	-n <databasenumber>
+
+An optional argument that specifies the configuration file
+database for which to build indices. The first database listed
+is "1", the second "2", etc. By default, the first ldbm database
+in the configuration file is used.
+
+E:	-e <etcdir>
+
+An optional argument that specifies the directory where
+{{EX: ldif2ldbm}} can find the other database conversion tools it
+needs to execute ({{EX: ldif2index}} and friends). The default is the
+installation {{EX: ETCDIR}}.
+
+The next sections describe the programs invoked by
+{{I: ldif2ldbm}} when it is building indexes. Normally, these
+programs are invoked for you, but occasionally you may
+want to invoke them yourself.
+
+
+
+H3: The {{EX: ldif2index}} program
+
+Sometimes it may be necessary to create a new attribute
+index file without disturbing the rest of the database. This is
+possible using the {{EX: ldif2index}} program. {{EX: ldif2index}} is invoked
+like this
+
+E: 	ldif2index -i <inputfile> -f <slapdconfigfile>
+E:		[-d <debuglevel>] [-n <databasenumber>] <attr>
+
+Where the -i, -f, -d, and -n options are the same as for the
+{{I: ldif2ldbm}} program. {{EX: <attr>}} is the attribute to build an index for.
+Which indexes are built (e.g., equality, substring, etc.) is
+controlled by the corresponding index line in the slapd
+configuration file.
+
+You can use the ldbmcat program to create a suitable LDIF
+input file from an existing LDBM database.
+
+
+
+H3: The {{EX: ldif2id2entry}} program
+
+The {{EX: ldif2id2entry}} program is normally invoked from {{EX: ldif2ldbm}}.
+It is used to convert an LDIF text file into an {{EX: id2entry}} index.
+It is unlikely that you would need to invoke it yourself, but if
+you do it works like this
+
+E: 	ldif2id2entry -i <inputfile> -f <slapdconfigfile>
+E:		[-d <debuglevel>] [-n <databasenumber>]
+
+The arguments are the same as for the {{EX: ldif2ldbm}} program.
+
+
+
+H3: The {{EX: ldif2id2children}} program
+
+The {{EX: ldif2id2children}} program is normally invoked from
+{{EX: ldif2ldbm}}. It is used to convert an LDIF text file into
+{{EX: id2children}} and {{EX: dn2id}} indexes. Occasionally, it may be
+necessary to run this program yourself, for example if one of
+these indexes has become corrupted. {{EX: ldif2id2children}} is
+invoked like this
+
+E: 	ldif2id2children -i <inputfile> -f <slapdconfigfile>
+E: 		[-d <debuglevel>] [-n <databasenumber>]
+
+The arguments are the same as for the {{EX: ldif2ldbm}} program.
+You can use the ldbmcat program to create a suitable LDIF
+input file from an existing LDBM database.
+
+
+
+H3: The {{EX: ldbmcat}} program
+
+The {{EX: ldbmcat}} program is used to convert an {{EX: id2entry}} index
+back into its LDIF text format. This can be useful when you
+want to make a human-readable backup of your database,
+or as an intermediate step in creating a new index using the
+{{EX: ldif2index}} program. The program is invoked like this:
+
+E: 	ldbmcat [-n] <filename>
+
+where {{EX: <filename>}} is the name of the {{EX: id2entry}} index file. The
+corresponding LDIF output is written to standard output.
+
+The -n option can be used to prevent the printing of entry
+IDs in the LDIF format. If you are creating an LDIF format for
+use as input to {{EX: ldif2index}} or anything by {{EX: ldif2ldbm}}, you
+should not use the -n option (because the entry IDs must
+match those already in the id2entry file). If you are just
+making a backup of your data, you can use the -n option to
+save space.
+
+
+
+H3: The {{EX: ldif}} program
+
+The ldif program is used to convert arbitrary data values to
+LDIF format. This can be useful when writing a program or
+script to create the LDIF file you will feed into the ldif2ldbm
+program, or when writing a SHELL backend. ldif takes an
+attribute name as an argument, and reads the attribute
+value(s) from standard input. It produces the LDIF formatted
+attribute line(s) on standard output. The usage is:
+
+E: 	ldif [-b] <attrname>
+
+where {{EX: <attrname>}} is the name of the attribute. Without the
+-b option, ldif considers each line of standard input to be a
+separate value of the attribute.
+
+The -b option can be used to force ldif to interpret its input
+as a single raw binary value. This option is useful when
+converting binary data such as a {{EX: jpegPhoto}} or {{EX: audio}}
+attribute.
+
+
+H2: The LDIF text entry format
+
+The LDAP Data Interchange Format (LDIF) is used to
+represent LDAP entries in a simple text format. The basic
+form of an entry is:
+
+E:	[<id>]
+E:	dn: <distinguished name>
+E:	<attrtype>: <attrvalue>
+E:	<attrtype>: <attrvalue>
+E:
+E: 	...
+
+where {{EX: <id>}} is the optional entry ID (a positive decimal
+number). Normally, you would not supply the {{EX: <id>}}, allowing
+the database creation tools to do that for you. The ldbmcat
+program, however, produces an LDIF format that includes
+{{EX: <id>}} so that new indexes created will be consistent.
+
+A line may be continued by starting the next line with a
+single space or tab character. e.g.,
+
+E:	dn: cn=Barbara J Jensen, o=University of Michigan, c=US
+
+Multiple attribute values are specified on separate lines. e.g.,
+
+E:	cn: Barbara J Jensen
+E:	cn: Babs Jensen
+
+If an {{EX: <attrvalue>}} contains a non-printing character, or
+begins with a space or a colon `:', the {{EX: <attrtype>}} is followed
+by a double colon and the value is encoded in base 64
+notation. e.g., the value " begins with a space" would be
+encoded like this:
+
+E:	cn:: IGJlZ2lucyB3aXRoIGEgc3BhY2U=
+
+Multiple entries within the same LDIF file are separated by
+blank lines. Here's an example of an LDIF file containing
+three entries.
+
+E:	dn: cn=Barbara J Jensen, o=University of Michigan, c=US
+E:	cn: Barbara J Jensen
+E:	cn: Babs Jensen
+E:	objectclass: person
+E:	sn: Jensen
+E:
+E:
+E:	dn: cn=Bjorn J Jensen, o=University of Michigan, c=US
+E:	cn: Bjorn J Jensen
+E:	cn: Bjorn Jensen
+E:	objectclass: person
+E:	sn: Jensen
+E:
+E:	dn: cn=Jennifer J Jensen, o=University of Michigan, c=US
+E:	cn: Jennifer J Jensen
+E:	cn: Jennifer Jensen
+E:	objectclass: person
+E:	sn: Jensen
+E:	jpegPhoto:: /9j/4AAQSkZJRgABAAAAAQABAAD/2wBDABALD
+E:	A4MChAODQ4SERATGCgaGBYWGDEjJR0oOjM9PDkzODdASFxOQ
+E:	ERXRTc4UG1RV19iZ2hnPk1xeXBkeFxlZ2P/2wBDARESEhgVG
+E:	
+E:	...
+
+Notice that the {{EX: jpegPhoto}} in Jennifer Jensen's entry is
+encoded using base 64. The {{EX: ldif}} program (described in
+Section 8.2.6) can be used to produce the LDIF format.
+
+Note: Trailing spaces are not trimmed from values in an
+LDIF file. Nor are multiple internal spaces compressed. If
+you don't want them in your data, don't put them there.
+
+
+H2: Converting from QUIPU EDB format to LDIF format
+
+If you have directory data that is or was held in a QUIPU
+DSA (available as part of the ISODE package), you will want
+to convert the EDB files used by QUIPU into an LDIF file.
+The edb2ldif program is provided to do most of the
+conversion for you. Once you have an LDIF file, you should
+follow the steps outlined in section 6.2 above to build an
+LDBM database for slapd.
+
+
+
+H3: The {{EX: edb2ldif}} program
+
+The edb2ldif program is invoked like this:
+
+E: edb2ldif [-d] [-v] [-r] [-o] [-b <basedn>]
+E: 	[-a <addvalsfile>] [-f <fileattrdir>]
+E: 	[-i <ignoreattr...>] [<edbfile...>]
+
+The LDIF data is written to standard output. The arguments
+have the following meanings:
+
+E: -d
+
+This option enables some debugging output on standard
+error.
+
+E: -v
+
+Enable verbose mode that writes status information to
+standard error, such as which EDB file is being processed,
+how many entries have been converted so far, etc.
+
+E: -r
+
+Recurse through child directories, processing all EDB files
+found.
+
+E: -o
+
+Cause local .add file definitions to override the global addfile
+(see -a below)
+
+E: -b <basedn>
+
+Specify the Distinguished Name that all EDB file entries
+appear below.
+
+E: -a <addvalsfile>
+
+The LDIF information contained in this file will be appended
+to each entry.
+
+E: -f <fileattrdir>
+
+Specify a single directory where all file-based attributes
+(typically sounds and images) can be found. If this option is
+not given, file attributes are assumed to be located in the
+same directory as the EDB file that refers to them.
+
+E: -i <ignoreattr>
+
+Specify an attribute that should not be converted. You can
+include as many -i flags as necessary. 
+
+E: <edbfile>
+
+Specify a particular EDB file (or files) to read data from. By
+default, the EDB.root (if it exists) and EDB files in the current
+directory are used.
+
+When {{EX: edb2ldif}} is invoked, it will also look for files named
+.add in the directories where EDB files are found and append
+the contents of the .add file to each entry. Typically, this
+feature is used to include inherited attribute values (e.g.,
+{{EX: objectClass}}) that do not appear in the EDB files.
+
+
+
+H3: Step-by-step EDB to LDIF conversion
+
+The basic steps to follow when converting your EDB format
+data to an LDIF file are:
+
+^ Locate the directory at the top of the EDB file hierarchy
+.that your QUIPU DSA masters. The EDB file located there
+.should contain the entries for the first level of your
+.organization or organizational unit. If you are using an
+.indexed database with QUIPU, you may need to create EDB
+.files from your index files (using the synctree or qb2edb
+.tools).
+.
+
++If you do not have a file named EDB.root in the same
+.directory that contains your organizational or organizational
+.unit entry, create it now by hand. Its contents should look
+.something like this:
+.
+.{{EX:	MASTER}}
+.{{EX:	000001}}
+.{{EX:	}}
+.{{EX:	o=University of Michigan}}
+.{{EX:	objectClass= top & organization & domainRelatedObject &\}}
+.{{EX:	quipuObject & quipuNonLeafObject}}
+.{{EX:	l= Ann Arbor, Michigan}}
+.{{EX:	st= Michigan}}
+.{{EX:	o= University of Michigan & UMICH & UM & U-M & U of M}}
+.{{EX:	description= The University of Michigan at Ann Arbor}}
+.{{EX:	associatedDomain= umich.edu}}
+.{{EX:	masterDSA= c=US@cn=Woolly Monkey}}
+.{{EX:	}}
+
++ (Optional) Create a global add file and/or local .add files to
+.take care of adding any attribute values that do not appear in
+.the EDB files. For example, if all entries in a particular EDB
+.are person entries and you want to add the appropriate
+.objectClass attribute value for them, create a file called .add
+.in the same directory as the person EDB that contains the
+.single line:
+.
+.{{EX: 	objectClass: person }}
+.
+
++ Run the edb2ldif program to do the actual conversion.
+.Make sure you are in the directory that contains the root of
+.the EDB hierarchy (the one where the EDB.root file resides).
+.Include a -b flag with a base DN one level above your
+.organizational entry, and include -i flags to ignore any
+.attributes that are not useful to slapd. E.g., the command:
+. 
+.{{EX:	edb2ldif -v -r -b "c=US" -i iattr -i acl -i xacl -i sacl}}
+.{{EX:		-i lacl -i masterDSA -i slaveDSA > ldif}}
+.
+.will convert the entire EDB hierarchy to LDIF format and
+.write the result to a file named ldif. Some attributes that are
+.not useful when running slapd are ignored. The EDB
+.hierarchy is assumed to reside logically below the base DN
+."c=US".
+.
+
++ Follow the steps outlined in section 8.2 above to produce
+.an LDBM database from your new LDIF file.
+
+
+
+H2: The ldbmtest program
+
+Occasionally you may find it useful to look at the LDBM
+database and index files directly (i.e., without going through
+slapd). The {{EX: ldbmtest}} program is provided for this purpose. It
+gives you raw access to the database itself. {{EX: ldbmtest}} should
+be run line this:
+
+E: 	ldbmtest [-d <debuglevel>] [-f <slapdconfigfile>]
+
+The default configuration file in the {{EX: ETCDIR}} is used if you
+don't supply one. By default, ldbmtest operates on the last
+database listed in the config file. You can specify an
+alternate database, or see the current database with the
+following commands.
+
+E:	b specify an alternate backend database
+E:	B print out the current backend database
+
+The {{EX: b}} command will prompt you for the suffix associated with
+the database you want. The database you select can be
+viewed and modified using a set of two-letter commands.
+The first letter selects the command function to perform.
+Possible commands and their meanings are as follows.
+
+E:	l lookup (do not follow indirection)
+E:	L lookup (follow indirection)
+E:	t traverse and print keys and data
+E:	T traverse and print keys only
+E:	x delete an index item
+E:	e edit an index item
+E:	a add an index item
+E:	c create an index file
+E:	i insert an entry into an index item
+
+The second letter indicates which index the command
+applies to. The possible index selections are as follows.
+
+E:	c id2children index
+E:	d dn2id index
+E:	e id2entry index
+E:	f arbitrary file name
+E:	i attribute index
+
+Each command may require additional arguments which
+ldbmtest will prompt you for.
+
+To exit {{EX: ldbmtest}}, type {{EX: control-D}} or {{EX: control-C}}.
+
+Note that this is a very raw interface originally developed
+when testing the database format. It is provided and
+minimally documented here for interested parties, but it is not
+meant to be used by the inexperienced. See the next section
+for a brief description of the LDBM database format.
+
+
+
+H2: The LDBM database format
+
+In normal operation, it is not necessary for you to know much
+about the LDBM database format. If you are going to use the
+ldbmtest program to look at or alter the database, or if you
+want a deeper understanding of how indexes are maintained,
+some knowledge of how it works could be useful. This
+section gives an overview of the database format and how
+slapd makes use of it.
+
+
+
+H3: Overview
+
+The LDBM database works by assigning a compact
+four-byte unique identifier to each entry in the database. It
+uses this identifier to refer to entries in indexes. The
+database consists of one main index file, called id2entry,
+which maps from an entry's unique identifier (EID) to a text
+representation of the entry itself. Other index files are
+maintained, for each indexed attribute for example, that map
+values people are likely to search on to lists of EIDs.
+
+Using this simple scheme, many LDAP queries can be
+answered efficiently. For example, to answer a search for
+entries with a surname of "Jensen", slapd would first consult
+the surname attribute index, look up the value "Jensen" and
+retrieve the corresponding list of EIDs. Next, slapd would
+look up each EID in the id2entry index, retrieve the
+corresponding entry, convert it from text to LDAP format, and
+return it to the client.
+
+The following sections give a very brief overview of each
+type of index and what it contains. For more detailed
+information see the paper "An X.500 and LDAP Database:
+Design and Implementation," available in postscript format
+from
+
+{{CMD[jump="ftp://terminator.rs.itd.umich.edu/ldap/papers/xldbm.ps"]ftp://terminator.rs.itd.umich.edu/ldap/papers/xldbm.ps}}
+
+
+
+H3: Attribute index format
+
+The LDBM backend will maintain one index file for each
+attribute it is asked to index. Several sets of keys must
+coexist in this file (e.g., keys for equality and approximate
+equality), so the keys are prefixed with a character to ensure
+uniqueness. The prefixes are given in the table below
+
+E:	= equality keys
+E:	~ approximate equality keys
+E:	* substring equality keys
+E:	\ continuation keys
+
+Key values are also normalized (e.g., converted to upper
+case for case ignore attributes). So, for example, to look up
+the surname equality value in the example above using the
+ldbmtest program, you would look up the value "{{EX: =JENSEN}}".
+
+Substring indexes are maintained by generating all possible
+N-character substrings for a value (N is 3 by default). These
+substrings are then stored in the attribute index, prefixed by
+"*". Additional anchors of "^" and "$" are added at the
+beginning and end of words. So, for example the surname of
+Jensen would cause the following keys to be entered in the
+index: {{EX: ^JE, JEN, ENS, NSE, SEN, EN$}}.
+
+Approximate values are handled in a similar way, with
+phonetic codes being generated for each word in a value
+and then stored in the index, prefixed by "~".
+
+Large blocks in the index are split into smaller ones. The
+smaller blocks are accessed through a level of indirection
+provided by the original block. They are stored in the index
+using the continuation key prefix of "\".
+
+
+
+H3: Other indexes
+
+In addition to the {{EX: id2entry}} and attribute indexes, LDBM
+maintains a number of other indexes, including the {{EX: dn2id}}
+index and the {{EX: id2children}} index. These indexes provide the
+mapping between a DN and the corresponding EID, and the
+mapping between an EID and the EIDs of the corresponding
+entry's children, respectively.
+
+The {{EX: dn2id}} index stores normalized DNs as keys. The data
+stored is the corresponding EID.
+
+The {{EX: id2children}} index stores EIDs as keys. The data stored
+is a list of EIDs, just as for the attribute indexes.
+
+
+PB:
+
+
+
diff --git a/doc/guide/figure_1.gif b/doc/guide/figure_1.gif
new file mode 100644
index 0000000000000000000000000000000000000000..9fdfaf71b7d4b1e581f90599ffa2b0b253ea02e5
GIT binary patch
literal 3086
zcmeH@`6Cky1AtXXd_poQDY<9lMXtFb<_Ph+&)2YATe;6vD)$j{<l3BzVM9ikDPG4M
zFXk%u(G1fFP1dpR>+ks9=f~&y?SYt^YH54>oLb=6=lCCN4mMlzg!2>!$7v4GZ}Gb%
z{|;>Sk2BwYn}7ND!2j6+9ySLTkGNS=`TJ))!a(<-ri#8~K`Dz;v*ybF^h;`ii$l#-
zgW1=O)5OhNs>w+CKe6uQmYR`5<x@O)=iXq(O0>e-I1R&KHf4s-c&}Q7U$=P<Ne6li
zw{8!j%_?-tEC|4vYW`-|rC~ylRinWB*sGRpAV{51f3e3%+vnQ^;kC{(%Q@^~S`>X}
ziSOd)0b=|aKI?N@K5Oq&goAW{%;DDuUv4nM#XDN4i5bQ)(rC=yW)2#hu3@PS+n%f)
zNiyxwAp})6I-nA)+_ra1n}g_{MGHra6{EPv-TXu?^L5J?SG-Vwm_MnbRggwLkIo31
zd%fFDoSruGGo=g677_3~I&S+k0<nH@Ok_>&b`3nX@i>lW1?|;GW*ammw6VX=3E6N0
z{8yjy$kwhV^5O>3Plz93E>8qqkIKzOtp`?<#3P6PdU3|W*&%80X>>t~Q-%KxQ|Uxl
zVVa^V&qkQqfV_*X(y(JyW`Leaxh<DPo|HHE;8Fp^U^34)TPn%_;>!wt7s*fq*-vx1
zg61)lm(I|lnjBS~X{3+Sg-@jgmtZkYg`yQ7uZ7r&X$j})JDm6-q57$LMTYBK7<7y(
zXMS${auKu~#;x$AP=D#$>z5EHW~)4GM{K*o#V;_RB1wOK+sFr~E?ZF&m{wQLP44io
z$hfhyUE^|!&8*5zOR$it^lcedXuuci<dw)I<vTT|&j$qID*>rhEkn?OUHrI)n?mqS
zWkn_IEb8(i;e%cJ>-I%gG5EcAzeEr%AFUl2P+D3EBYH!FzD7KXbyi9bfxSg^)y~lO
zdd?mw?uSF|w3;#pupN8v6@d^?pP=T>Mz2tE`-5H)sq`-)-1mbe`W+*8|M0z${GWrN
z6nH#xSYFL3)E(6BzA*9)1v+&6BO7u!)-z9}{-cZEReNA~cFb<_xg=cO-{RWR5he4{
z5A|u4sRFeb_~`~hPpn7gt?E4r_3Io7Vab^Ff8EHOzvif+j(n8E5C5Pz0@rw}(+$_G
z{j$S;8@2pM_(T)&^o@qrS{Cjy9ajUCI9`j8(|04~Vq&A#uW$d{bPH1Tq|s6x8K91Y
zf_m+Q5DikmPCiBgNY9pwEx!8<YVy6czreKC(Z`Yx-00A@qg5AALTGQ7+5vW2TLJao
z4&rp!#GN0%7|M)M9|OHF(~obl4hcr%I&~90`Q000Zs<6>-kS!$j#kc~h_!3iY<~4s
zb!E4(HZ^hVW9pRWClHq|lRBQz$T!W_O)4l|6A0e|dvVHX8J?4{v0+Pj9j^|)pZYoQ
zY$+GLJ7HqDAS0M4EWKQN`h&9I0e_4}h~#tMXg#6c=Sin~z1h&S9ajL1`@wvbg6w27
z{JEbhR(eMgOVC$$WK74*b%QIXQZD^HV&1Hm8X|DKUI?V>?Wa*jZltTob@Ce_0u$pd
z9PhT8cr@>2dUP)FLbP7r!uC4{f4ZJBvDL1B)#QboIGQ_IbVxX|$@X#UbxF~a!38Vx
zWU%&My!@%}jAS1^z0@FmU9a%=se<I}oaveUL>k$+n38i<x<;DMOo78SSHC=i3>=>u
zxJwF+N|7#Sau+E&^$O%_oxunzeI##*92T}7Qe<OXuw1H#$X?${dD_;HhBDF`Rw}}I
zwy5iZEctnChBZhrMc9E1FQsyBJbYVay>dye*vt5}$O5^UJ|S$pfA=4~A`Dw%*jCz`
zK$p?5H8Top`I62g%Mo?&%dd{v*bUoD(|$lEqk#4v;r4zCPNLm>p*e~D^;_o+qHW<G
zYNe0Xs}05E>TQeffn+>rdHOm)r~H6wls$^0B$@PzbO&{CYV|gJ-d34u=KxZtnrff1
z$G0B567{vWi@WTA3<yVBMwHk*0}eZ!8&4Fvs=($A95KOQ>aaqAs>bvEj_0SVxb;Rg
zX~Po(_rBnw$LPd;Kvm;`OmV_k);kV9%)7`;JpUCC)XMh*YcvyrG2ViFbTAH`Z^A39
z`Z%)9d&Bhs-o3G9*4=fccnTql^Q*tT7t2bgSmW-YF9;{yM)6}GOt)QVte1QcXE}cw
z*cKNqq9pg#uz_SlKq}GABLW<oxFGn6Ox&z`*9b%55WC#!LtA_?eZh$Qq(o^)|8|=D
zu@$y{phhO_8f&7tG92r-K!caM^idNFNi$=63h;oHm8?P{+~a{;OrhCimSFzU=v+Pz
zh?IvwcCP2+q3kQm2Dg}2l(D9yRI@c+(Y8Jg#>@*_O>f@p4@z<gHoiWQsEZr+y*Ey<
z$q{sW!M;>NS((pOH@AD@;I}1UiOpzQ`fWsLUe35WEGM<&lVIWB{pgE`Fv(cRS14Z(
zqCZgH3gq|AQ<PX0?;TatZlr=fKfEg0a<e~>%7Yzech5e5m;u*aP}t*b?`Z%^oh)ps
zO?CXmZ!Ou}+A({r3or!pYkHE+qyaQo?*7Zx)nwJ}{k(5I`M8i|wJ`@}r@cvGWYDHc
z=k_Q9V5Ltz3Pl93vd-IQdEW`YmHc(bSy5-GN|{g>4K}Az3QCCFDk!9QuspPLWL62s
znO(BD)YdWH!3^gKOYc&>`Mqlf7E(64yZQ&X=uIc8tt>lZ<)_6(WLm~yMhw>mB0xKV
z$;Bi*O7**+y`WN#@hTT-@V5uB!gyw7?|3MZrk3L}){??W_?n$4&)6Y>2kpJW61b!{
zhf@~^HDlyN=Vuy@oF9TCTXVjzr&3;J*ij>KL$)<bEv}4N{Lhd>Y?1i}D|$7dI?_+Z
z+JIIzU3^fmtd^Q-RxBkJCl=rScCQW=F?X;y&IF>1ek{XStW_ac=V@~M3f%=fIY5V_
z>a&gx=S!Ac=j<oYB-$G<)j~(>gUS^UEkXdd&4k6xxoI9%zQOLnqtqVniH4@sm(lI;
zu{}P@%{8*2yE^A}C4OeEe#7X!>YlnkAVzw)65;8Io^#$Z(PcTgh-<x`1B`d%vzA&D
yDk!MvT}97Wo9+adP!Dm}i4@o8^^qZp)}sfpYZu&<j*rwyn=i&szHoDLfd32jZL8-1

literal 0
HcmV?d00001

diff --git a/doc/guide/figure_2.gif b/doc/guide/figure_2.gif
new file mode 100644
index 0000000000000000000000000000000000000000..d518bca9195c81d0819443b70f7e1faa446aff54
GIT binary patch
literal 1424
zcmZ?wbhEHbJjh_i@PPpc{xkgluLEL$MA|_D|Nn!yqhK@yMqUVT{AXb1knz~C;9xU{
zuvW~84GRyq3n+Wd@z}WNXt#uM)}0d@7a#9eaPE>>DcEqbNiCSkU`Nq{Q<GJaPt7^G
zLDg%z8S68i1Yxza^Bt1kUGX${?zPypSu6Hcp~m^yE)!psoZ7M~wB4_K+nY|~r&re}
zNT;>_x|DijbB17_srQz*m$wvLE-K{?UVVE<#oB#$qNXiBzqgW^Th3?4hKGkc8sEj9
z*|9Nsy{x?Vyge3%UMK8BqpqxxC{CPTwNg*y?$6CJ9SinPVw-K1^SXKU%zbIP6{R_Q
z3-VX{t&ldqb#Gs!-Iq7hi!ZG^lFjv&_s^>f&$9nIrE1HXdOqGGczdhfoL|8!%QyD@
zXPNWY;K#!a%jIq3=2m+gdnuehS7PtmJC8O`jbC;~eqZ_F&z>RoqigqWo$2w<H$AT6
zQK`Fl>DiTE;~M$&G8R;Szv>$1CdfBkrdoz+x_p@Ir1VGeB0*OaJAdV}+;vsH7IwAk
z>B8-jy<2o!ABQl8wcl-D@%F`?430w?_b0L_MF#d5tvdRo(R>qoWP|N0jg$h{#Oom)
z9ziRYOr2&JakJV@Epyp)@k`}TLwF{2#?%)qYkNGUbnWw-o+e?DYQE<uK7Upr|B`cQ
zZ}YqFDGTe1R5B){EtC+AZ$EZCdWlw?duDTG*~*nOy}MXf)chB`^>j)+*9_$buCA(Q
zZJBOc)Y@-_hIPDL5jgeLy}V^7Pbt-v%C)M;FZ<^<BV&DCRoKR3UQ*(ly3AGzY}RvH
zy<$sDmuv3w=GgAHYmKvRPuVWlq$#~aAyaemP9`SF6}z4teVNyFaUXa3j1E>72F3r}
b!6A-8E}mfurg{dPj8B9a7%EwT8O$00X81dZ

literal 0
HcmV?d00001

diff --git a/doc/guide/figure_3.gif b/doc/guide/figure_3.gif
new file mode 100644
index 0000000000000000000000000000000000000000..c986d865e14689a034b9f684e3854a09c9c16b8a
GIT binary patch
literal 2395
zcmeH@`9Bj10Klg_XGxCUBZL=bq^Ege#6!(kujd*$Hdn)pk=$}b8gn%=N5)LdopbJ-
z%N2R%+9q?8^m#>z#NO-gczu8Tet-L#TR`>n-H!mNfDeHG-~o6%r2~FG0N?~b^Sk(7
z@ZSTE_wD52ck_cE2mWUVgm{3Tgydj#l->j(Ns!A>U2#8NT=GONte(n9`2~zh9jY%G
z%uqBV$PL$f#AN|(D_w>g)<y^yJx2;G8omAmXx-bIXGz4375$MQLe?kJ{w~pv7DJ9S
zRoL?B5iQAtpk-#&?Z(Jd%jPP(Qm1}`{OEL*V~N{fCDNd2o7DngHjp(QQ+w0GgqORv
z&ed{rf=`}#Vi5kDdz)L0(fh-eyNKQg!n4!P6W;966nU(dx=h2&c#^tjEk_2pGL{C9
zT2J}y)9S31JLFm#<g;%xMdLhO^l89*E}tFOE5D=eZuubiB=6Gw)`@{97Ha0V-hAOu
zT`?sgg(1(w81-llZxzXU9-6Zern@m7)4AWiUQw38c@blq`eDrGRG~!2@bTPRZ*H71
zrm4umdT9U=ucke>nBZMw?iMW|3u8lfi(3@q#Bf8d4<*GMmQeB$VdQv($>t(nMparF
zCwta>!A;0$(;crKleC!frfb#{D|9ZzEf6TiQY0Ac0Dlcv)|y?mlK>qMGv=?cva?|~
z)Yr`H*myLFk4;yx0PpOt1sP)Wy|BIwVXFC?HNp~EK`(^Wyn{${>v5qA2e%8w{}u+O
z#i;80m_@yq+aM?7Smo5jkuV@NOH0b@nZ-3wX_=)~r3{U1zco>stDp`tqof}c6(I}r
zbE?j!@qq8D(S0CdjsKDprPic$qzc!)Af;*DFXFt7Y*NK8)e9c@mJtK#k=%lD`=2!{
zN<}OSVB_|13N1at0Mw$L3|DF`ip1vGED~vR?L%Fn@_GGK=cn!4eY%%BlGotK%Jp_f
z(31g_UO@Qq-plhec3-|y)Ad^R1-y6%kl8!fR`w4zLw7rnbPX|`<1A{#s&SVqkqZds
z?Va=Kk&1uC8j#FE?>gL}b81ocm#V>i^?h=UuP#>v?~a)-yU-@gB>g`z#kYKj&&V@Q
znj{)gbLVmNm7{{eK@a($bn7VKVw)RSRQkysxIdjRi@-Fq!%Xx)6RU!vTZ(%KJe5mt
z#>D&-8c^p`FD$AE8?`P?O%n913H{BrHy#-r>)G#lb!@MVqtn&9WA7<At}5;n&^PZr
zI8WKQtDMr_lNoyqc~;*Ty|>L3$n(rSKAZd{FL4F6m>rmd{6?@7eXaIUr{j%5N{hxn
zrT4Air+?qEgclt;FgpA_zwl#?m1cxR+S(69NEcr0bFyj`4x2gxw7;#4av?`b9`LVk
z_Z={?2}icl?^Y!{0Sh#b9$_+HQE9b+4emjKh9du8jBep&9PZpy;R$dOMB=Vhq{27K
z2Qjt2vtG|0s$NtQF>f{9x2Q`@k1yUw0sF0{ts-<fm-d5`%oI=)_{LEsHm^D~PjGx9
zK+JCu_VsgRDh8BnDRt_!%1gOZR029nCT$d&*b|HhbQY8<kalLaWb14Dcu09PlBnIU
zF&3VJU}dU+&(-;+wOD}M&!efWYLK1x;IfaN4`)gkTW)^o;X2vemszl$+m`4VUzr?P
zR?&^g>yJG=vcl(8%oCe7{}5+757&7Or&v!CXH4L`>~(|P1Ffjsgn4!AhzlHTD3+Vz
zMCx1CxQT<tyP7J_+I*sylv_jQ^U;5K-BWpQm|@J&QFSz3hEMUI34bofc|=tovmwFq
zzC?-b7GMl<IJ{<Z<@#mTkRh@G7G3MNayT<t7b!8}W1qQU$iVPgc0!WEHX51QPeXFA
zbYbq$4}ZPlswxvgg%Ti~J86~PuO_v%d<1^-zGZJ)+}sTI0DP6lThdImj3$cDNE4x|
zB3&zOcE(mWNzkj6lUWT?5tRFH({CkNj}!-k$)i374i8I6q5fArFP2~TW@l0aaOE$-
zp#4nmy3DC9TKcdn7{1>1iFL}tLAf09U|=eHAVdFMr>CPv1wySfyXfeqtPWFccHu3!
zU=+THoE4lUnA+aB3Ry6D?KFdB`(yQ@*JAm7%bEr7d3Xj|D`a&XsT*3;v%27-rs2S_
znQ0({{6I`8tH%vN#>jzp=w9{f)sGMeuzw9ya0G_FqQGpXAZ1m$e;I=A(4+TCYEU15
kF1pKmDvY(f!x-mg9n~BPrqkZnHp`A~^$|6FS_ok9FCZr}m;e9(

literal 0
HcmV?d00001

diff --git a/doc/guide/figure_4.gif b/doc/guide/figure_4.gif
new file mode 100644
index 0000000000000000000000000000000000000000..916a26eae3241b5002231d5a03538e2a09e376e1
GIT binary patch
literal 1667
zcmZ?wbhEHbRA<y-_`m=J{~7-O*8wp=BJCi7|NlYUQ7{?;BQFFv{xdLh$arj6aIl#}
zSS#klhJ}aQ1(dz!cx+sBv|GYB>&}Udi;wp!ICsf-Zd!73vPST#n3n<#r<?SWnG7t7
z7o3@{6L@cp=Y;fzxt7gbb6;Fuc6O0RKcDVN;pG?Sc};(I$8+ndtE&xF#YA6he(k@)
ze`}Jgw^)Yjdbf*3TO+pV-t09BKbE`WtM-lcS#vL)T~(xaWJ&htYq2lBKRLTOsGe`%
z=^J^M7uS4OyLMXOL-M*-Rqv%Sl^;V6vFrZ++B3n#`*PxSt-c<sl1In5qEE-hnCC~_
z?213^k{iAC?*1LYMax#+-um&rZ+29j#GjI<D^C9xv-hj5$~segc9Y$oJ60cCZq1$b
zf9dPLyMLbZ*l8?xKPcn#`E!lh%g>bm{(VdEV{+Tc`u$&iJpHOJ6WCj7dfA)fUb$T5
z^U9^y^3R+UO~_;pS`yQo87sc9?Jnnw+l}SC>{0Q;VeXfzZ?v{uPM)55G_jqvj$>wr
zfl;VZtJ*?|sa+?&W-QGAU-{xjhQ!Msk9)bhQl2z!`Fdkfw?N*D#BP73G>J)`ZCg|(
z{Mq<JshR84i}(_8Nlw*i@l{J6H-COQEg{eT-tpLqlc{bCI(2!sEonS3^<;8g)x51r
zO`2l6qGqP?Z4FInC`waH2$Hj09MQMPGk8(gxelf3ey+&JGv7Rolvw6?u|s9@D^siG
z^V|4Vi7#de`|tX4)wFLeSu69NN@-0Iw^|mpzW<fho3+aYU(1AwDM_oYmtXfod%E7K
zRas?QZ$;&1tvq!+WBI-^Zk;VZGjGW(zy53b#Lbp*yENCFZhQT9^ZQL(XRlnkF<Yl|
z`@P?qJ7zu9d{vjbDC_O4uU)M7w(gzxdflGzc|RuZv$!_PAW%n5{6@`}V_^?HemT9-
zuez}In%W$nd!7Y*?w4h!9`;JBS$6nL)oh~;vp=1F5G-;2jMnLCRdZ6)w=L=pKWA1R
zVH_cRTzjRTP(F{w^f;%zCA;sQtw}r;y!`g&%WrulXKYOl`nz(@jjPiWP8R6-C{44I
z*NMN-?o|8jbmpsT-}YU*`?jpp_mk(_dn-Tu+`GNJ>T&M(`@*xrERIgr&D*f3&;IWF
zl*_L7OrIX@y>0PuTJv?w3$xe0-Zbk?SlqA9<>q!)?l-xt-n{16&sTkZ6E}CD1B2p!
c?%)u|AQ#Ut1yel(PR1-b28K!&V3}eK0E8FKUjP6A

literal 0
HcmV?d00001

diff --git a/doc/guide/figure_5.gif b/doc/guide/figure_5.gif
new file mode 100644
index 0000000000000000000000000000000000000000..d0b70bba487284a136af930d9aeb36869eacd40f
GIT binary patch
literal 3298
zcmeH@`6CmG1HdPbR(h2q_mTT1ggL7B7#1eCmHVE#6QYsKWQ4D4ZW=S!=G;i6mn+AR
z`{sGM<~Bzy)xO{Uj_>>Y`1$<yF}ZIH(sB1;sRA4V{s$AlWQsF>V*vmz0F-`-U*+Ym
zz+`@BJ^y9?<=+GUX9s{x02@#k((w8N3dpVC)Zc*XetBKev<T8z)|<l52AJ({EdQ8(
z(=e6_X~GX=$=TF64XAs31l;l*EV|!JfEI{2ZZ8frSB{q6V_6h7C09WKe`F~*50Ysk
zsmA4|BFU50Q?;;Wj~lv_+L=5dO0tMqi;{7j>qG<z(L!3txYm8yOK4`#fQ&dcuJCUS
zwr_bXLO(6!Jb2U{jkzjA1<5b<UJ_T#rt%-z4q?)@mOFS3KiBA7j6XBCR9S3`)3o+U
zeu&tif^>$?XpJX}3xY;FBf~<sgO=Y#)<+a!Jpmn->0!`1{e#1~PpaQkhB+e<JM6Wr
z??;?>cM6BnQB1Uei$3GHx4ia2)DP{ml?ilrE;H6Yl-!@i;r-Kk@Awp;b&?0~?45BA
z0S0M{g*e1i&c=Suzv!M2{e#cVQoIpgjQA~WL%@2Ttq=F|MGikU3918Jj{1t55r(Z-
zMB=OkBzOc<HB9mUSXl~~EGHx}wp`Qr?aAVSU<0ybfO&k*nho!AI6hI1OK05)>f>jd
z{b0M_+sQRT-Z>D4@Y}HTD6_37@S{tOXZrd~%iQ;`;n^rMjmKLRAx9D_jlvOI>%}ac
z@{dZB*bilm5=wf#%eOI*4ID;oQ?N+$&jJF$SH4XSfpTv1^~rlH_qj4&6E^dw+;acJ
z*Wp-Z^rS=6V2@vB>v%pQf@5QwA4mBKT21c~lv%5;ve+n&Bc3S~5-5o?WeF;M5dS7B
zf=z-r9K^Tfh+Z<mJzj?j?S{@SuP@;{blV+0SKh9zG_2eEZ$F|bwA-c5H7+1Jh6<!=
z$(++EE)AW$y4aHOcN}#EE&{S%>1!k4&>qG-Y}(IQH^9EDqBtsuAQ0K!SZjQNxNRy~
zKP%P0^8v{<=rJh#82iy4)-)hiOKh;f%0$yf_U6~asN_pA0%Q7yjExCPLulS`2Ib1a
z*nstL&3NN!#i^H$tf|I?DC;n#H#SDuZ8D%4s%3~+L25<0y#Eogm_3rZ-yOltOpRO)
zV=jfR#Iky8HhEpL0Il2+i4Am2MlGGKNhrHK`5Zm*qtWh1=pC)OWWBVb4I*aWY0XBc
zgt3gNe53m`#w6(5xDaaoV74?SZGOiVcU31e|GY#Q)q;y?Yt^E6O4ns;j~;=W+wGst
z?H{pu9PP8z>D!?bQ>*r~NGcs~C%Nza9oOfpT|fRgmxuf{J^5bDnP}^m)dESAYkE(<
z=~d#tb0`A6h%-1YbiIMEzw2O2ZZ-3yUhZ<hJfN}i=C^^pTiwwav4>%G!0n_Lizp!g
z#qRb=sNAz7D=`wxwgE*6f#k5@Jiz=N0P9WT%DGR+<jCq!2K=5dQf!Y&km<fIY8fnw
ze_f~mR^^k}M1YmbII|qO<D^L-r6=NzZckK^QBZhVIhEBHZbV(Wm?VtH_9lROTHg?K
z4w`u&EkH2M$S1+kUEn8vwlAGzl=4Ulc2i9{U(F)adp9&kob$AI2w)9!ynU^WNXgZ+
zKT?gBnvgj6A}8G$f5eyN#h2SkG20lkkXZF}&}Eotva6>E@>Gb}CH1IZ7z`|2<5pC)
zGtn`CdkoPyg{}=4p3QNYzd6oTP^9&F8~i7kA|<X~YN%2BJGVY#!J(>Xz?|hD&J63v
z1AzJ#1Ewb2y6x43$2dmIyi3{rrBL3;hyYhm=6E4t%?UK8!K}X$bPK**D7|^oW1&Gh
zF0_!Bnkr*6L*)+@o%G=DU>*|SCG@A?@l)iRG*i=Pt5UfX-|9LB)%p=n5ly4;jp+QC
zRfL9-Xqk7#Am)unyj8(^vyDz+l`;0NiqWJR&HT<K!+e?Rl|9c)dlK@EZ`WC2Rrk!D
zEH+2oE@b0*NbtWyl68ONTfDF`fEl_n`qKrc!p2XE9YV2|QJ5jydt^Raw&c;QZH;ON
zq<}pwS+ce61g%Dg+wQ!zGj9p5hy12^(jX^_WuLB)M*FxQ^M8mp=B;`)US)%!JXA?L
zQ30Z9u1X7krKs3@sg~oMxeLISH+YbVS!ud99P>zKa*OZCP@sR9uAMU5lP47CK$=qI
zj9T@$FW!6U4@}BK-TP`p+#WUPPwnQly0Q8!XO*yu8p2AAjcv_vkYnqDg92?js)?fP
z-|x7bDXoo}@P35U<6b&zY7M264wOe1I?k_-1b@3B>v4M7g{h_Nd7%6%yx!l9&H{Tk
z%eIR2)o>SNgP9KX2!<+N(O<pnQzmS&^n0*u&Ek!x?tEA!ZNmUEYqzZJ1u4sUYo*B>
z+MqsulFKV-(oD}-Uc=2!wNn|$hn;t3-9$zsG*D?R9C78@8H&`BO`O6Y_WLZbZY&Gj
zhCs*h!M%VGtg5epipf~FD|>TRLqL;yp$-%6%Nrar)#0O-H46sy9AmTzYu_1dgkA4Y
z%WwL&n>?qT@uK8he{&nAu<oY_v%{C8ayVVBX-R)@Uh%=1XQI{_x-lE?cCmd4ylFS$
z*GV-N<LI|q;U3G_KcRt@XRsqVlT=NLz!-H)IW=dRl(_3HK1?$z4L37C4d}&^c1t}{
z-fzWZ;$@Y!R_-peODr7M0)IF5e~$Po#z1|ossj?h%J+anMj(y=4b)YPw4rTSQTzAy
zb%O^>-tM15B?H!xLe(o{?vd>ub`K^DZl&e*VMttQJ0P)B6hZ~m^F_TDl4dp;lKHjj
zX$%-yzL1gMl+z1l^xTce|6I+CAoMXWK1Qb?^`)P4x{9PtQ=>bek|Yq?en}^5bas~i
z?*8DzWqQVYWTp_?6G<ykmrJS&o8n(qM-(Z6uj`>*hNWMHRtI~ZwMB2VgEh;kdyevs
ze$~b2z*q5*Gon@&4HX};aNQ}`(N1JPh%0Pq@2aYT&HaOC@70G>bv_XzpB^xHL8(-i
z-M?g)4=|GvM3Lu_jT4E^Yd2`UjJ4oiPx#9=nacH#fv4v2vE60C>*deWzU<Q#Kkewj
zVqsoW@H-szT~2zR<G^+ac8Vw~b|<rdI$O<`LNvX0-d$*hEE9CavWG>in5}Si%Vt--
zn@K;&s{dY~;rd0AqR`eXEn}Xdjihyrw(sYDUyS?g;<j_~apKa07;LZW&%JAJ7Q^+H
z&$%I6Kx6lxmBIC%F~xKR)_#Q}f-oH&cL^>TXyV3RrFck>^KX70)C_v7^@10sku&z<
zCR|p6H(m<(JlrN;4#qE=7q0}Ado>Y%YfBo>jk;YWNwPtKwz%fIUg-4e&rhNL*peT=
xkpPynNV7_Sz!QSHQ1?Ny|6paI{AiT5v$-6)ik?tshqljCsW<U}@Lvb${TIuG1?m6*

literal 0
HcmV?d00001

diff --git a/doc/guide/figure_6.gif b/doc/guide/figure_6.gif
new file mode 100644
index 0000000000000000000000000000000000000000..70814033e541e4f7b828f7777aceadb923268931
GIT binary patch
literal 3538
zcmeH@`6Cky1AtK&<>*x}N<vyAQ|_Zz${Xg&eUn0txv!b4Y;$bb<j!r59SFIPP!z*!
znk#2w&KWNq?(F;eJHGGv@p*oG^bPdXHJ<jf^RVx*{TCJ+izRt@mYt1_gH7(Y_+1iz
z2Nvt(%<*sYfBt{qf9wE&#l{H`gVdG0M*)OnohWtq-bBIch6Ru}r5}?;l%R8zH)Z{)
z5`QO&8Pt~#WPmIyod)VFhH~z>4Hg(Q5Qg*BLl|=d4MbB68<GnPc=CjnsLu)fHPA>N
zBbr^3cOHBxJ4&)^fX*j{RMPN<oUxaDGD|+y>W?JoI>O{Ww*=A$P1duR4t3r`H8=8=
zYae&OcBxm5TLZ1|ZpYg{&rMZ+X~zm*DKc&gHu-3H!3g(O80<zxupGoq+8ZhDHVSTB
zZ$;~&G=keuk;%BPPj}U&?$eHZm92$$sD|x)J750>OyZwlDy(5=?NeEJ_M^`Bu$Q=6
zp9N~?)4lDly~(U=rd@9jzpsx~xr}sm9`ElIzeqLhJ{>;X`@R{lVdv+uaLft%s!P_|
zTZjb!0htdv7l~g{0)N7VeFbgo@Nsw(&&32DS9Cr~EJ5U&>j#sj0yK!=m7gT{81gjv
zPM7{tit?lv9jmYk5MyKiu})9D&n2_`QU^(*r=fNs%jw3d-qPu2T@~&bRyNc0408|6
zM5YbQKswtYVR}4ME!&%({v?SEG<AyHSWWe=ky(ognB-Y2fQzq|<@(Kt-Y<yYVptSE
zci<tFpa~DX@K)k^>t)j5K~M%x2fCr}{>^}%pY@nQ)=PhMv_dTZcC#|4Fq^lKP~FU^
zbd-F?f)Yq%<Pqa_E0rYcOx$yDH^3i75{=*U`gp$f`O`;^_-;G5%IwiMw4C0cd@`d3
zVD0l7KkV<g+;}!JO1AYW^p<?Ze9<}L3qqwMsLdg7bGtT;+OcMfnu(HY<{qf}xAP~%
z=u-8~!{dL8PZZ&G`8%?5f!$|Q-FLeA^fh*S*=O&%e3$}9`}KH`qjs}4sGAZUSEK#`
zQ}i$={_Smwn}Yo%m2VY?Tt$!8vhM3_GP5516#GF<w-Hn9gV20w6d=7i6F+L$u{M6!
zb{?4fA^{pY1QFttAKUhiDQ`B+c9tFq-1{r6F1CxoY)~p~YaA6sfa}LJY`tL<_XSvm
zDiZ<R!!X^vd-E!bg)=cVQ<~{m)k!bQn5LOvOZQdU<$#L{^9i#|=`T1(zJo7Osnq?K
ziA#1bt6LQ3E_8tQHzUeQHsy|HZ9HW|H%O*d1ZJX7kqxuzn0&DDV=4M=i`@~?r}<*B
z-u2pkTyo9WP{27?W}d;N&L1Op&o^zP7K{HJLAhxkuZ7b7iTGlF?6)<k%26ABn3faM
zG=1b!dvbK@c(uNssD>fqeD;kTPo+FHDOkf8w&*7z%KKVOCw@d^h{W<yoC^0IKk`Dk
z@UEiH{h8eI=Y^XV8>%AZ{2bdT*15%&b>Y@O_>Iil6@@pX`|p<QR=>zfmL#$m(zO@5
zYLF+p(+46Tb*@vh@C_lUUNlGvGf@|&hQjcfx7-#~9Yh)aRV={Q*9zt`PX=z5UX+Q~
z?qWBGz6f#d%hRh?{^JddCmO#zN$BUGD)=fXxYdf}T)&E>dCG^DUVA;ICRcgqrJ}L;
z&`DE|)@fZT(A|BNAu>?3_{Q9CPJ$H;(l;4Z03yXcAIm+X2<sR@pZmDVn4&)9l&9Np
zFXiwx*!DTBR%NIu<K%Nb4yCiFXS|c1X4Ewqx%^awZy5r6L>@x;=YuUq=A>mS$j0b2
zMqbL`stk={a#C$!5@<xMN{LW&C4Vmzc7mv^D34@%k7=!)wZGS~#2VUTT3YL!@Tj9S
zN+VUbi$jsXXhB|bEN^4+4+T(idrlUDL+<|hVIfSjE6tx5R5ma}veDEW<~O*gvseXs
zs1Rw9VPRFld)3THJ8u;H+KQkwY>I8w87<J`E?+blHe#2yATu+|)T{-~+E94Pd0*XW
zO<4=KNXg>M1TsE?k(_Nmo(7!Iz3wV#t9wSY-S|_LRVU62qgIEP^2EC~4MS7tW(#tc
z(!HA=Sr$7?V(nGr?VPDb`L?f$vTxP}$IHf&28!N6!`@7{Gi<9+c59i|vYXRY&Mh;y
z2UfG{gI4$g=Ah$0&_5c7#?9QdqDD#*U<wz*#+}17MSEH4#CivlIhO~Hj_{iA&9#L-
z38bdk;-xLc`Aw+5hK19j@_y@nguGw*Ip=)eM}&zjoFjuV!bEc4p0gGR>#WMypk=>Z
zPziWQyJAJ|$?7!LlDM~cWnp0e-8J)cB6_#V`Pd`7oBjar%^qEpC!YOosc_4;FZqeH
z>cRUdL|vSV+9I#zP>%@EDdBi?mOo>%{mP`jMpVyN!LhjV24)f_S97T_6aJBM)&t{m
zp6+KD(x*ZVNVYC;YuY}zr?t0>4bh=XuoQFY;QBOs<WedEK9Koq7lRjDk<`u|9QFQo
zy*6dV+CVhRnSje~fK=b{w2uduOXW6stt!nvVj(P@8o;wBmddFY!cCoozj07JG^3_r
z0n3u7%l%!7$M*MNdrv^ZAWz`6qY<8Q2`O;fniBPpMm15cxV6y--WMHvPg|s`YblRz
zeEL-KC9RMJyjA*fmx{Hqs#G%hCkPQSSy`hZAJmBli<{Po^EV?SVsbB}PLF*^7<%K~
z!qf#i8uqOc^ozBurF%yP$5*`@D_$@A+CH0g*;BR3!^#H>JItwGt#3O_*(O$ZgzNfB
zx{kh;zoFSNzs(gc?wqSCe|Tm305;h1;!?n%iXb&B`^h^_d0zpSE16s_%0ld2J5@F1
zUjf~PSJq5+lWt-LNTq55y(GO<Awq=+>+^LnnL^i$GkcWdBK2>PQ$aZ)<JqJob&ORF
z#cuZG&hq*F5rlZCuRv$1Lh~LitteFVc8t-@Y?wjuJ%VdUK7*sBX1oI%w!tr!VCN~M
zy%0ZeTSJ4nawAxMf*I1d5XqEHskpTwuddTDyM+i1qTKkhp<Z+H1+L#TV{6jYb+dj8
zVatQHq^=)i<)x~ao_vhyIq3TLa3?nBWLc&=9P1N^&>cUi&?x>sLT?*`wKT4q_x!9i
z3jWC{bTIk!w$HRn;oeQLeP+-#8Lj!E{Wmify(qquua+6FInD>{vS#h43eeR<-2u>i
zfnQyE3&pb^<*ZVBr#HFnz^et%S^oE!zy1vmYbpzSe7NiV^)r9C&gMvU6j|W%LH{+a
zZ}B2bi=m&#;m=M_Jtf&hVmYRspG8}&g~xJ|qIoG6y_2y#lP?4zq5|rOGad+$SBT54
z2(c-I_yIyf1SzGCl(s{jszrm~w}4)57Pi5+0KwpO<ZTjM0fbVbM5@5`)c`0BIP5MO
zrL~UIhU+{4#r=JtuL}>?hZq^WiZBwnWwIV;ik2~dWnk%LXbphb0^;pSk&f#ZYSxTh
z(DBae25yviuRnrtpP@wCfVjROQDU4YL`N_@LaN^zz^(Ty0UqL|5k`3sJ_Y|PC$I(>
zAJeM5|2HU*qLZYoQBFSVIU$AM6Vdecg2ybQwJqVnaCBS-+SeU}B_$l5NzA8Uy1pkO
z07)>?eU@s7jaSk*GKotcnghU8gOX~wlhFs5e4zH8M}SJ>-6VosIw|(4I;7oB=@}`0
zU_Ei@Rq`<4;s^jsvr`+J(wS&Y{tP#t24QC@*m*DPg1X<Lx)L3NTRHGsvrFNIr!;5d
dmeg@fNbGj2&yE*v6P^kQ!dWH?v9q(?{STAzl@$O0

literal 0
HcmV?d00001

diff --git a/doc/guide/install.sdf b/doc/guide/install.sdf
new file mode 100644
index 0000000000..22d7355d2f
--- /dev/null
+++ b/doc/guide/install.sdf
@@ -0,0 +1,268 @@
+H1: Building and Installing slapd & slurpd
+
+Building and installing slapd requires three simple steps: configuring;
+making; and installing. The following sections describe each step in
+detail. If you are reading this guide, chances are you have already
+obtained the software, but just in case, here's where you can get the
+latest version of the OpenLDAP package, which includes all of the
+software discussed in this guide:
+
+{{CMD[jump="ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release.tgz"]ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release.tgz}}
+
+There is also an OpenLDAP homepage accessible from the World
+Wide Web. This page contains the latest OpenLDAP news, release
+announcements, and pointers to other resources. You can access it
+at:
+
+{{CMD[jump="http://www.OpenLDAP.org/"]http://www.OpenLDAP.org/}}
+
+
+H2: Pre-Build Configuration
+
+Before building slapd, be sure to take a look at the README file in the
+top level directory in the distribution so that you are familiar with the
+general configuration and make process.
+
+Briefly, you should edit the include/ldapconfig.h.edit and
+Make-common files to contain the site-specific configuration your site
+requires before making. The next sections discuss these steps in
+more detail.
+
+
+
+H3: Editing the {{EX: Make-common}} file
+
+All of the general Make-common configuration variables (e.g.,
+ETCDIR, BINDIR, etc.) apply to both slapd and slurpd. There are
+additional Make-common configuration variables that also affect how
+slapd and slurpd are built. They are:
+
+H4: MAKE_SLAPD
+
+This option controls whether slapd and slurpd get built at all. You
+should set it to yes, like this:
+
+E: MAKE_SLAPD = yes
+
+H4: SLAPD_BACKENDS
+
+This option controls which slapd backend databases get built. You
+should set it to one or more of the following:
+
+*{{EX: DLDAP_LDBM}} This is the main backend. It is a high-performance
+disk-based database suitable for handling up to a million entries or so.
+See the LDBMBACKEND and LDBMLIB options below.
+
+*{{EX: DLDAP_PASSWD}} This is a simple search-only backend that can be
+pointed at an {{EX: /etc/passwd}} file. It is intended more as an example than
+as a real backend.
+
+*{{EX: DLDAP_SHELL}} This backend allows the execution of arbitrary
+system administrator-defined commands in response to LDAP
+queries. The commands to execute are defined in the configuration file.
+See Appendix B for more information on writing shell backend
+programs.
+
+Example to enable the LDBM and SHELL backends only:
+
+E: SLAPD_BACKENDS= -DLDAP_LDBM -DLDAP_SHELL
+
+The default is to build all three backends. Note that building a backend
+only means that it can be enabled through the configuration file, not
+that it will automatically be enabled.
+
+H4: LDBMBACKEND
+
+This option should only be defined if you have enabled the LDBM
+backend as described above. The LDBM backend relies on a
+low-level hash or B-tree package for its underlying database. This
+option selects which package it will use. The currently supported
+options in order of preference are:
+
+*{{EX: DLDBM_USE_DBBTREE}}
+.
+.This option enables the Berkeley DB package btree database as the
+.LDBM backend. You can get this package from
+.
+.{{CMD[jump="ftp://ftp.cs.berkeley.edu/ucb/4bsd/db.tar.Z"]ftp://ftp.cs.berkeley.edu/ucb/4bsd/db.tar.Z}}
+.
+
+*{{EX: DLDBM_USE_DBHASH}}
+.
+.This option enables the Berkeley DB package hash database as the
+.LDBM backend. You can get this package from
+.
+.{{CMD[jump="ftp://ftp.cs.berkeley.edu/ucb/4bsd/db.tar.Z"]ftp://ftp.cs.berkeley.edu/ucb/4bsd/db.tar.Z}}
+.
+
+*{{EX: DLDBM_USE_GDBM}}
+.
+.This option enables GNU dbm as the LDBM backend. You can get this
+.package from
+.
+.{{CMD[jump="ftp://prep.ai.mit.edu/pub/gnu/gdbm-1.7.3.tar.gz"]ftp://prep.ai.mit.edu/pub/gnu/gdbm-1.7.3.tar.gz}}
+.
+
+*{{EX: DLDBM_USE_NDBM}}
+.
+.This option enables the standard UNIX ndbm(3) package as the
+.LDBM backend. This package should come standard on your UNIX
+.system. man ndbm for details.
+.
+
+Example to enable the Berkeley DB Btree backend:
+
+E: LDBMBACKEND= -DLDBM_USE_DBBTREE
+
+The default is -DLDBM_USE_NDBM, since it is the only one available
+on all UNIX systems. NDBM has some serious limitations, though (not
+thread-safe, severe size limits), and you are strongly encouraged to
+use one of the other packages if you can.
+
+Note[label='Note to Solaris users: '] If you are running under Solaris 2.x
+and linking in an external database package (e.g., db or gdbm) it is
+very important that you compile the package with the {{EX: D_REENTRANT}}
+flag. If you do not, bad things will happen.
+
+If you are using version 1.85 or earlier of the Berkeley db package, you
+will need to apply the patch found in build/db.1.85.patch to the db
+source before compiling it. You can do this with a command like this
+from the db source area:
+
+E: patch -p < ldap-source-directory/build/db.1.85.patch
+
+H4: LDBMLIB
+
+This option should only be defined if you have enabled the LDBM
+backend as described above, and the necessary library for the
+LDBMBACKEND option you chose above is not part of the standard C
+library (i.e., anything other than NDBM). This option specifies the library
+to link containing the package you selected, and optionally, its location.
+
+Example to link with {{EX: libdb.a}}, contained in {{EX: /usr/local/lib}}:
+
+E: LDBMLIB= -L/usr/local/lib -ldb
+
+H4: THREADS
+
+This option is normally set automatically in the {{EX: Make-platform}} file,
+based on the platform on which you are building. You do not normally
+need to set it. If you want to use a non-default threads package, you
+can specify the appropriate {{EX: -Ddefine}} to enable it here.
+
+H4: THREADSLIB
+
+This option is normally set automatically in the {{EX: Make-platform}} file,
+based on the platform on which you are building. You do not normally
+need to set it. If you have set {{EX: THREADS}} to a non-default threads
+package as described above, you can specify the appropriate
+ {{EX: -Ldirectory}} flag and  {{EX: -llibname}} flag needed to link the package here.
+
+H4: PHONETIC
+
+This option controls the phonetic algorithm used by {{I: slapd}} when doing
+approximate searches. The default is to use the metaphone algorithm.
+You can have {{I: slapd}} use the soundex algorithm by setting this variable
+to  {{EX: -DSOUNDEX}}.
+
+
+H3: Editing the {{EX: include/ldapconfig.h}} file
+
+In addition to setting the {{EX: LDAPHOST}} and {{EX: DEFAULT_BASE}} defines
+near the top of this file, there are some slapd-specific defines near the
+bottom of the file you may want to change. The defaults should be just
+fine, unless you have special needs.
+
+H4: SLAPD_DEFAULT_CONFIGFILE
+
+This define sets the location of the default slapd configuration file.
+Normally, it is set to {{EX: $(ETCDIR)/slapd.conf}}, where 
+{{EX: ETCDIR}} comes from Make-common.
+
+H4: SLAPD_DEFAULT_SIZELIMIT
+
+This define sets the default size limit on the number of entries returned
+from a search. This option is configurable via the tailor file, but if you
+want to change the default, do it here.
+
+H4: SLAPD_DEFAULT_TIMELIMIT
+
+This define sets the default time limit for a search. This option is
+configurable via the tailor file, but if you want to change the default, do it
+here.
+
+H4: SLAPD_PIDFILE
+
+This define sets the location of the file to which slapd will write its
+process ID when it starts up.
+
+H4: SLAPD_ARGSFILE
+
+This define sets the location of the file to which slapd will write its
+argument vector when it starts up.
+
+H4: SLAPD_MONITOR_DN
+
+This define sets the distinguished name used to retrieve monitoring
+information from {{I: slapd}}. See section 7 for more details.
+
+H4: SLAPD_LDBM_MIN_MAXIDS
+
+This define is only relevant to the LDBM backend. It sets the minimum
+number of entry IDs that an index entry will contain before it becomes
+an allIDs entry. See Section 9.1 for more details.
+
+
+
+H2: Making the Software
+
+Once you have edited the {{EX: include/ldapconfig.h.edit}} file and the
+Make-common file (see the top level {{EX: README}} file in the distribution),
+you are ready to make the software. From the top level LDAP source
+directory, type
+
+E: make
+
+You should examine the output of this command carefully to make sure
+everything is built correctly. Note that this command builds the LDAP
+libraries and associated clients as well as slapd and slurpd.
+
+Note that the LDAP distribution can support making for multiple
+platforms from a single source tree. If you want to do this, consult the
+{{EX: INSTALL}} file in the top level distribution directory.
+
+
+
+H2: Installing the Software
+
+Once the software has been properly configured and successfully
+made, you are ready to install it. You will need to have write permission
+to the installation directories you specified in the {{EX: Make-common}} file.
+Typically, the installation is done as root. From the top level LDAP
+source directory, type
+
+E: make install
+
+You should examine the output of this command carefully to make sure
+everything is installed correctly. Slapd, slurpd, and their configuration
+files, {{EX: slapd.conf}}, {{EX: slapd.at.conf}}, and {{EX: slapd.oc.conf}}
+ will be installed in the {{EX: ETCDIR}} directory you specified 
+in the {{EX: Make-common}} file.
+
+This command will install the entire LDAP distribution. If you only want
+to install slapd and slurpd, you could do something like this:
+
+E: (cd servers/slapd; make install)
+
+E: (cd servers/slurpd; make install)
+
+Note: The installation process installs configuration files as well as
+binaries. Existing configuration files are first moved to a name with a
+dash '-' appended, e.g., {{EX: slapd.conf}} is moved to {{EX: slapd.conf-}}. 
+If you install things twice, however, you can lose your existing configuration
+files.
+
+
+PB:
+
+
diff --git a/doc/guide/intro.sdf b/doc/guide/intro.sdf
new file mode 100644
index 0000000000..e9d47a815c
--- /dev/null
+++ b/doc/guide/intro.sdf
@@ -0,0 +1,227 @@
+H1: Introduction to slapd and slurpd
+
+This document describes how to build, configure, and run the stand-alone
+LDAP daemon ({{I:slapd}}) and the stand-alone LDAP update replication
+daemon ({{I:slurpd}}). It is intended for newcomers and experienced
+administrators alike. This section provides a basic introduction to directory
+service, and the directory service provided by {{I:slapd}} in particular.
+
+
+
+H2: What is a directory service?
+
+A directory is like a database, but tends to contain more descriptive,
+attribute-based information. The information in a directory is generally read
+much more often than it is written. As a consequence, directories don't
+usually implement the complicated transaction or roll-back schemes regular
+databases use for doing high-volume complex updates. Directory updates
+are typically simple all-or-nothing changes, if they are allowed at all.
+Directories are tuned to give quick-response to high-volume lookup or
+search operations. They may have the ability to replicate information widely in
+order to increase availability and reliability, while reducing response time.
+When directory information is replicated, temporary inconsistencies between
+the replicas may be OK, as long as they get in sync eventually.
+
+There are many different ways to provide a directory service. Different
+methods allow different kinds of information to be stored in the directory,
+place different requirements on how that information can be referenced,
+queried and updated, how it is protected from unauthorized access, etc.
+Some directory services are {{I:local}}, providing service to a restricted 
+context (e.g., the finger service on a single machine). Other services are 
+global, providing service to a much broader context (e.g., the entire Internet).
+Global services are usually {{I:distributed}}, meaning that the data they contain
+is spread across many machines, all of which cooperate to provide the
+directory service. Typically a global service defines a uniform {{I:namespace}}
+which gives the same view of the data no matter where you are in relation to
+the data itself.
+
+
+
+H2: What is LDAP?
+
+{{I:Slapd}}'s model for directory service is based on a global directory model
+called LDAP, which stands for the Lightweight Directory Access Protocol.
+LDAP is a directory service protocol that runs over TCP/IP. The nitty-gritty
+details of LDAP are defined in RFC 1777 "The Lightweight Directory Access
+Protocol." This section gives an overview of LDAP from a user's perspective.
+
+{{I:What kind of information can be stored in the directory?}} The LDAP directory
+service model is based on {{I:entries}}. An entry is a collection of 
+attributes that has a name, called a {{I:distinguished name}} (DN). 
+The DN is used to refer to the entry unambiguously. Each of the 
+entry's attributes has a {{I:type}} and one or
+more {{I:values}}. 
+The types are typically mnemonic strings, like "{{EX:cn}}" for common
+name, or "{{EX:mail}}" for email address. The values depend on what type of
+attribute it is. For example, a {{EX:mail}} attribute might contain the value
+"{{EX:babs@umich.edu}}". A {{EX:jpegPhoto}} attribute would contain 
+a photograph in binary JPEG/JFIF format.
+
+{{I:How is the information arranged?}} In LDAP, directory entries are arranged in
+a hierarchical tree-like structure that reflects political, geographic and/or
+organizational boundaries. Entries representing countries appear at the top
+of the tree. Below them are entries representing states or national
+organizations. Below them might be entries representing people,
+organizational units, printers, documents, or just about anything else you can
+think of. Figure 1 shows an example LDAP directory tree, which should help
+make things clear.
+
+
+!import "figure_1.gif"; align="center"; title="An example LDAP directory tree"
+FT: Figure 1: An example LDAP directory tree.
+
+
+In addition, LDAP allows you to control which attributes are required and
+allowed in an entry through the use of a special attribute called 
+{{I:objectclass}}.
+The values of the {{I:objectclass}} attribute determine 
+the {{I:schema}} rules the entry
+must obey.
+
+{{I:How is the information referenced?}} An entry is referenced by its
+distinguished name, which is constructed by taking the name of the entry
+itself (called the relative distinguished name, or RDN) and concatenating the
+names of its ancestor entries. For example, the entry for Barbara Jensen in
+the example above has an RDN of "{{EX:cn=Barbara J Jensen}}" and a DN of
+"{{EX:cn=Barbara J Jensen, o=U of M, c=US}}". The full DN format is described in
+RFC 1779, "A String Representation of Distinguished Names."
+
+{{I:How is the information accessed?}} LDAP defines operations for interrogating
+and updating the directory. Operations are provided for adding and deleting
+an entry from the directory, changing an existing entry, and changing the
+name of an entry. Most of the time, though, LDAP is used to search for
+information in the directory. The LDAP search operation allows some portion
+of the directory to be searched for entries that match some criteria specified
+by a search filter. Information can be requested from each entry that matches
+the criteria.
+
+For example, you might want to search the entire directory subtree below the
+University of Michigan for people with the name Barbara Jensen, retrieving
+the email address of each entry found. LDAP lets you do this easily. Or you
+might want to search the entries directly below the c=US entry for
+organizations with the string "Acme" in their name, and that have a fax
+number. LDAP lets you do this too. The next section describes in more detail
+what you can do with LDAP and how it might be useful to you.
+
+{{I:How is the information protected from unauthorized access?}} Some directory
+services provide no protection, allowing anyone to see the information. LDAP
+provides a method for a client to authenticate, or prove its identity to a
+directory server, paving the way for rich access control to protect the
+information the server contains.
+
+
+
+H2: How does LDAP work?
+
+LDAP directory service is based on a {{I:client-server}} model. One or more
+LDAP servers contain the data making up the LDAP directory tree. An LDAP
+client connects to an LDAP server and asks it a question. The server
+responds with the answer, or with a pointer to where the client can get more
+information (typically, another LDAP server). No matter which LDAP server a
+client connects to, it sees the same view of the directory; a name presented
+to one LDAP server references the same entry it would at another LDAP
+server. This is an important feature of a global directory service, like LDAP.
+
+
+
+
+H2: What is slapd and what can it do?
+
+{{I:Slapd}} is an LDAP directory server that runs on many different UNIX
+platforms. You can use it to provide a directory service of your very own.
+Your directory can contain pretty much anything you want to put in it. You
+can connect it to the global LDAP directory service, or run a service all by
+yourself. Some of slapd's more interesting features and capabilities include:
+
+{{B:Choice of databases}}: {{I:Slapd}} comes with three different backend 
+databases you can choose from. They are LDBM, a high-performance disk-based
+database; SHELL, a database interface to arbitrary UNIX commands or shell
+scripts; and PASSWD, a simple password file database.
+
+{{B:Multiple database instances}}: {{I:Slapd}} can be configured to serve 
+multiple databases at the same time. This means that a single {{I:slapd}}
+server can respond to requests for many logically different portions 
+of the LDAP tree, using the same or different backend databases.
+
+{{B:Generic database API}}: If you require even more customization, {{I:slapd}} 
+lets you write your own backend database easily. {{I:Slapd}} 
+consists of two distinct parts: a front end that handles protocol 
+communication with LDAP clients; and a backend that handles database 
+operations. Because these two pieces communicate via a well-defined 
+C API, you can write your own customized database backend to {{I:slapd}}.
+
+{{B:Access control}}: {{I:Slapd}} provides a rich and powerful access 
+control facility, allowing you to control access to the information 
+in your database(s). You can control access to entries based on 
+LDAP authentication information, IP address, domain name and other criteria.
+
+{{B:Threads}}: {{I:Slapd}} is threaded for high performance. A 
+single multi-threaded {{I:slapd}} process handles all incoming 
+requests, reducing the amount of system overhead required. {{I:Slapd}}
+will automatically select the best thread support for your platform.
+
+{{B:Replication}}: {{I:Slapd}} can be configured to maintain replica 
+copies of its database. This master/slave replication scheme is 
+vital in high-volume environments where a single {{I:slapd}} just 
+doesn't provide the necessary availability or reliability.
+
+{{B:Configuration}}: {{I:Slapd}} is highly configurable through a 
+single configuration file which allows you to change just about 
+everything you'd ever want to change.  Configuration options have 
+reasonable defaults, making your job much easier.
+
+{{I:Slapd}} also has its limitations, of course. It does not 
+currently handle aliases, which are part of the LDAP model. The 
+main LDBM database backend does not handle range queries or negation 
+queries very well. These features and more will be coming in a future release.
+
+
+
+H2: What about X.500?
+
+LDAP was originally developed as a front end to X.500, the OSI directory
+service. X.500 defines the Directory Access Protocol (DAP) for clients to
+use when contacting directory servers. DAP is a heavyweight protocol that
+runs over a full OSI stack and requires a significant amount of computing
+resources to run. LDAP runs directly over TCP and provides most of the
+functionality of DAP at a much lower cost.
+
+This use of LDAP makes it easy to access the X.500 directory, but still
+requires a full X.500 service to make data available to the many LDAP clients
+being developed. As with full X.500 DAP clients, a full X.500 server is no
+small piece of software to run.
+
+The stand-alone LDAP daemon, or {{I:slapd}}, is meant to remove much of the
+burden from the server side just as LDAP itself removed much of the burden
+from clients. If you are already running an X.500 service and you want to
+continue to do so, you can probably stop reading this guide, which is all
+about running LDAP via {{I:slapd}}, without running X.500. If you are not running
+X.500, want to stop running X.500, or have no immediate plans to run X.500,
+read on.
+
+It is possible to replicate data from a {{I:slapd}} directory 
+server to an X.500 DSA, which allows your organization to make your 
+data available as part of the global X.500 directory service on a 
+"read-only" basis. This is discussed in section 11.6.
+
+Another way to make data in a {{I:slapd}} server available to the X.500
+community would be by using a X.500 DAP to LDAP gateway. At this time, no
+such software has been written (to the best of our knowledge), but hopefully
+some group will see fit towrite such a gateway.
+
+
+
+H2: What is slurpd and what can it do?
+
+{{I:Slurpd}} is a UNIX daemon that helps {{I:slapd}} provide 
+replicated service. It is responsible for distributing changes made 
+to the master {{I:slapd}} database out to the various {{I:slapd}} 
+replicas. It frees {{I:slapd}} from having to worry that some
+replicas might be down or unreachable when a change comes through;
+{{I:slurpd}} handles retrying failed requests automatically. 
+{{I:Slapd}} and {{I:slurpd}} communicate through a simple text 
+file that is used to log changes.
+
+PB:
+
+
diff --git a/doc/guide/master.sdf b/doc/guide/master.sdf
new file mode 100644
index 0000000000..88aa6e97ae
--- /dev/null
+++ b/doc/guide/master.sdf
@@ -0,0 +1,20 @@
+# master.sdf 
+# SDF master file for the OpenLDAP Administrator's guide
+#
+
+!include "preamble.sdf"
+
+!include "intro.sdf"
+!include "quickstart.sdf"
+!include "config.sdf"
+!include "install.sdf"
+!include "slapdconfig.sdf"
+!include "runningslapd.sdf"
+!include "monitoringslapd.sdf"
+!include "dbtools.sdf"
+!include "tuning.sdf"
+!include "referrals.sdf"
+!include "replication.sdf"
+
+
+
diff --git a/doc/guide/monitoringslapd.sdf b/doc/guide/monitoringslapd.sdf
new file mode 100644
index 0000000000..884ff4831e
--- /dev/null
+++ b/doc/guide/monitoringslapd.sdf
@@ -0,0 +1,112 @@
+H1: Monitoring Slapd
+
+Slapd supports a monitoring interface you can use to find out
+many useful bits of information about what slapd is currently
+doing, how many connections it has, how many threads are
+working, etc. You can access the monitor feature by doing a
+base object search of the SLAPD_MONITOR_DN from
+include/ldapconfig.h with any kind of valid filter (e.g.,
+"(objectclass=*)"). By default, this DN is set to "cn=monitor".
+You will get one entry returned to you, with the following
+attributes:
+
+E: version: slapd <version> (<date>)
+
+This attribute identifies the slapd server software by name,
+version, and build date, e.g., {{EX: slapd 3.3 (Thu May 21 14:19:03
+EDT 1996)}}
+
+E: threads: <integer>
+
+This attribute indicates the number of threads (operations)
+currently outstanding in slapd.
+
+E: connection: <fd> : <opentime> : <opsinitiated> :
+E: 	<opscompleted> : <binddn> : [ <rw> ]
+
+This multi-valued attribute summarizes information for each
+open connection. The information given is {{EX: <fd>}}, the file
+descriptor; {{EX: <opentime>}}, the time the connection was opened
+in UTC format; {{EX: <opsinitiated>}}, the number of operations
+initiated over the connection; {{EX: <opscompleted>}}, the number
+of operations completed over the connection; {{EX: <binddn>}}, the
+DN currently bound to the connection; and optionally {{EX: <rw>}},
+indicating whether the connection is currently blocked for
+read or write..
+
+E: currentconnections: <integer>
+
+The current number of connections.
+
+E: totalconnections: <integer>
+
+The total number of connections handled by slapd since it
+started.
+
+E: dtablesize: <integer>
+
+The size of slapd's file descriptor table.
+
+E: writewaiters: <integer>
+
+The number of threads blocked waiting to write data to a
+client.
+
+E: readwaiters: <integer>
+
+The number of threads blocked waiting to read data from a
+client.
+
+E: opsinitiated: <integer>
+
+The total number of operations initiated by slapd since it
+started.
+
+E: opscompleted: <integer>
+
+The total number of operations completed by slapd since it
+started.
+
+E: entriessent: <integer>
+
+The total number of entries sent to clients by slapd since it
+started.
+
+E: bytessent: <integer>
+
+The total number of bytes sent to clients by slapd since it
+started.
+
+E: currenttime: <UTC time>
+
+Slapd's idea of the current time.
+
+E: starttime: <integer>
+
+The time slapd was started.
+
+E: nbackends: <integer>
+
+The number of backends currently being served by slapd.
+
+E: concurrency: <integer>
+
+Under Solaris 2.x only, an indication of the current level of
+thread concurrency.
+
+Note that slapd takes a snapshot of this information and
+returns it to you. No attempt is made to ensure that the
+information is consistent (i.e., if an operation thread is
+modifying one of these things when the monitor thread is
+reading it, strange results could be returned).
+
+You should be able to use any LDAP client to retrieve this
+information. Here's how you might do it using the
+{{I: ldapsearch}}(1) client:
+
+E: ldapsearch -s base -b cn=monitor 'objectclass=*'
+
+PB:
+
+
+
diff --git a/doc/guide/preamble.sdf b/doc/guide/preamble.sdf
new file mode 100644
index 0000000000..2ccda413db
--- /dev/null
+++ b/doc/guide/preamble.sdf
@@ -0,0 +1,11 @@
+# file: guide.sdf
+# 
+
+!define DOC_NAME           "OpenLDAP Administrators Guide"
+!define DOC_AUTHOR         "OpenLDAP"
+!define DOC_LOGO           "LDAPwww.gif"
+!define DOC_LOF_TITLE      "Figures"
+!define DOC_LOF
+!build_title
+
+
diff --git a/doc/guide/quickstart.sdf b/doc/guide/quickstart.sdf
new file mode 100644
index 0000000000..4d97407a73
--- /dev/null
+++ b/doc/guide/quickstart.sdf
@@ -0,0 +1,123 @@
+
+H1: A Quick-Start Guide to Running slapd
+
+This section provides a quick step-by-step guide to building,
+installing and running {{I:slapd}}. It is intended to provide users with a
+simple and quick way to get started only. If you intend to run slapd
+seriously, you should read the rest of this guide.
+
+
+^ {{B:Get the software}}. {{I:Slapd}} is part of the OpenLDAP distribution, which
+you can retrieve using this URL:
+.
+.{{CMD[jump="ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release.tgz"]ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release.tgz}}
+.
+.If you are reading this guide, you have probably already done this.
+.  
+
++ {{B:Untar the distribution}}. Pick a place for the LDAP source to live, cd
+there, and untar it. For example:
+.
+.{{EX: cd /usr/local/src}}
+.{{EX: gunzip -c openldap-release.tgz | tar xvfB -}}
+.{{EX: cd ldap}}
++{{B: Configure the software}}.
+.
+.You will have to edit two files to configure things for your site.
+.
+.{{EX: vi Make-common}}
+.{{EX:vi include/ldapconfig.h.edit}}
+.
+.Read the comments in Make-common and configure things
+.appropriately. If you have the Berkeley DB package installed, or the
+.GDBM package, you should set the LDBMBACKEND variable
+.accordingly. Otherwise, the defaults should be OK to get you started.
+.
+.In the include/ldapconfig.h.edit file, be sure to set the DEFAULT_BASE
+.and LDAPHOST variables to something appropriate for your site.
+.Other than that, the defaults should work OK.
+
+
++{{B:Install the software}}. From the top level LDAP source directory,
+type:
+.
+.{{EX: su}}
+.{{EX: make install}}
+.
+.Examine the output of this command carefully to ensure everything is
+.installed properly.
+.
+
+
++{{B:Make a configuration file}}. Create a file called myslapd.conf and
+.enter the following lines into it. See Section 5 for more details on this
+.file.
+.
+.{{EX:referral ldap://ldap.itd.umich.edu}}
+.{{EX:database ldbm}}
+.{{EX:suffix "o=<YOUR ORGANIZATION>, c=US"}}
+.{{EX:rootdn "cn=<YOUR NAME>, o=<YOUR ORGANIZATION>, c=US"}}
+.{{EX:rootpw secret}}
+.
+.Be sure to replace "<YOUR ORGANIZATION>" with the name of your
+.organization and "<YOUR NAME>" with your name. If you are not in
+.the US, replace "US" with your two-letter country code. The rootdn
+.and rootpw lines are only required if later you want to easily add or
+.modify entries via LDAP.
+.
+
+
++{{B:Create a database}}.  This is a two-step process. Step A is to create
+.a file (we'll call it myldif) containing the entries you want your database
+.to contain. Use the following example as a guide, or see Section 7.3 for
+.more details.
+.
+.{{EX:dn: o=<YOUR ORGANIZATION>, c=US}}
+.{{EX:o: <YOUR ORGANIZATION>}}
+.{{EX:objectclass: organization}}
+.
+.{{EX:dn: cn=<YOUR NAME>, o=<YOUR ORGANIZATION>, c=US}}
+.{{EX:cn: <YOUR NAME>}}
+.{{EX:sn: <YOUR LAST NAME>}}
+.{{EX:mail: <YOUR EMAIL ADDRESS>}}
+.{{EX:objectclass: person}}
+.
+.You can include additional entries and attributes in this file if you want,
+.or add them later via LDAP.
+.
+.Step B is to run this file through a tool to create the slapd database.
+.
+.{{EX:$(ETCDIR)/ldif2ldbm -f myslapd.conf -i myldif}}
+.
+.Where myslapd.conf is the configuration file you made in step 6, and
+.myldif is the file you made in step 7A above. By default, the database
+.files will be created in /usr/tmp. You may specify an alternate directory
+.via the directory option in the slapd.conf file.
+.
+
+
++{{B:See if it works}}.You can use any LDAP client to do this, but our
+.example uses the ldapsearch tool.
+.
+.{{EX:ldapsearch -h 127.0.0.1 'objectclass=*'}}
+.
+.This command will search for and retrieve every entry in the database.
+.Note the use of single quotes around the filter, which prevents the "*"
+.from being interpreted by the shell.
+.
+.You are now ready to add more entries (e.g., using {{I:ldapadd}}(3) or
+.another LDAP client), experiment with various configuration options,
+.backend arrangements, etc. Note that by default, the {{I:slapd}} database
+.grants {{EX:READ}} access to everybody. So if you want to add or modify
+.entries over LDAP, you will have to bind as the rootdn specified in the
+.config file (see Section 5.2.2), or change the default access control
+.(see Section 5.3).
+.
+
+
+The following sections provide more detailed information on making,
+installing, and running slapd.
+
+PB:
+
+
diff --git a/doc/guide/referrals.sdf b/doc/guide/referrals.sdf
new file mode 100644
index 0000000000..00477e9c37
--- /dev/null
+++ b/doc/guide/referrals.sdf
@@ -0,0 +1,41 @@
+H1: Distributing {{I: slapd}} DATA
+
+For many sites, running one or more {{I: slapds}} that hold an
+entire subtree of data is sufficient. But sometimes it may be
+desirable to have one slapd refer to other {{I: slapds}} for a
+certain part of the tree. This can be accomplished by
+creating a referral entry in one {{I:slapd}}'s database pointing
+to another {{I: slapd}}. For those familiar with X.500, a {{I:slapd}}
+{{I: referral}} entry is similar to an X.500 knowledge reference.
+
+The referral entry acts as a mount point, glueing two slapd
+databases together. A referral entry has an {{I: objectclass}} of
+"referral" and is named by a {{I: ref}} attribute containing a URL
+pointing to the slapd holding the data below the mount
+point. This mechanism is very general and allows slapd
+databases that are not normally hierarchical to be grafted
+together.
+
+An example should help illustrate things. Suppose your
+company is running a slapd and just purchased a new
+company, also running a slapd. You can easily connect
+the two databases by creating an entry like this in your
+slapd's database.
+
+E: dn: ref="ldap://new.host/o=New Company,c=US", o=Your 
+
+company, c=US
+
+E: objectclass: referral
+
+Now any subtree search that has this entry in its scope
+will return a referral to the new company, in addition to any
+entries matched in your database. Referral-aware clients
+will continue the search at the new company's server.
+
+A mechanism similar to this is used to support distributed
+indexing, described in Appendix C.
+
+
+PB:
+
diff --git a/doc/guide/replication.sdf b/doc/guide/replication.sdf
new file mode 100644
index 0000000000..b25b89e5a6
--- /dev/null
+++ b/doc/guide/replication.sdf
@@ -0,0 +1,407 @@
+H1: Replication with slurpd
+
+In certain configurations, a single slapd instance may be
+insufficient to handle the number of clients requiring
+directory service via LDAP. It may become necessary to
+run more than one slapd instance. At the University of
+Michigan, for instance, there are four slapd servers, one
+master and three slaves. A DNS lookup of the name
+ldap.itd.umich.edu returns the IP addresses of those four
+servers, distributing the load among them. This
+master/slave arrangement provides a simple and effective
+way to increase capacity, availability and reliability.
+
+Slurpd provides the capability for a master slapd to
+propagate changes to slave slapd instances,
+implementing the master/slave replication scheme
+described above. Slurpd runs on the same host as the
+master slapd instance.
+
+
+
+H2: Overview
+
+Slurpd provides replication services "in band". That is, it
+uses the LDAP protocol to update a slave database from
+the master. Perhaps the easiest way to illustrate this is
+with an example. In this example, we trace the propagation
+of an LDAP modify operation from its initiation by the LDAP
+client to its distribution to the slave slapd instance.
+
+
+{{B: Sample replication scenario:}}
+
+* Step 1: An LDAP client starts up and connects to a slave
+slapd. 
+
+* Step 2: The LDAP client submits an LDAP modify
+. operation to the slave slapd.
+
+* Step 3: The slave slapd returns a referral to the LDAP
+. client, which causes the client to send the modify
+. operation to the master slapd. 
+
+* Step 4: The master slapd performs the modify operation,
+. writes out the change to its replication log file and returns
+. a success code to the client. 
+
+* Step 5: The slurpd process notices that a new entry has
+. been appended to the replication log file, reads the
+. replication log entry, and sends the change to the slave
+. slapd via LDAP. 
+
+* Step 6: The slave slapd performs the modify operation and
+. returns a success code to the slurpd process. 
+
+Note: if the LDAP client happened to connect to the
+master slapd to begin with, Step 3 is omitted, but the rest
+of the scenario remains the same.
+
+
+
+H2: Replication Logs
+
+When slapd is configured to generate a replication logfile,
+it writes out a file in a format which is a variant of the LDIF
+format. The replication log gives the replication site(s), a
+timestamp, the DN of the entry being modified, and a series
+of lines which specify the changes to make. In the
+example below, "Barbara Jensen" has replaced a line of
+her multiLineDescription. The change is to be propagated
+to the slapd instance running on truelies.rs.itd.umich.edu.
+The lastModifiedBy and lastModified Time attributes are
+also propagated to the slave slapd.
+
+E: replica: truelies.rs.itd.umich.edu:389
+E: time: 809618633
+E: dn: cn=Barbara Jensen, ou=People, o=University of Michigan,c=US
+E: changetype: modify
+E: delete: multiLineDescription
+E: multiLineDescription: I enjoy sailing in my spare time
+E: -
+E: add: multiLineDescription
+E: multiLineDescription: A dreamer...
+E: -
+E: delete: lastModifiedBy
+E: -
+E: add: lastModifiedBy
+E: lastModifiedBy: cn=Barbara Jensen, ou=People, o=University of Michigan, c=US
+E: -
+E: delete: lastModifiedTime
+E: -
+E: add: lastModifiedTime
+E: lastModifiedTime: 950825073308Z
+E: -
+
+The modifications to {{EX: lastModifiedBy}} and {{EX: lastModifiedTime}}
+were initiated by the master {{I: slapd}}.
+
+
+
+H2: Command-Line Options
+
+Slurpd supports the following command-line options.
+
+E: -d <level> | ?
+
+This option sets the slurpd debug level to {{EX: <level>}}. When
+level is a `?' character, the various debugging levels are
+printed and slapd exits, regardless of any other options
+you give it. Current debugging levels (a subset of slapd's
+debugging levels) are
+
+
+E:	    4 heavy trace debugging
+E:	   64 configuration file processing
+E:	65535 enable all debugging
+
+Debugging levels are additive. That is, if you want heavy
+trace debugging and want to watch the config file being
+processed, you would set level to the sum of those two
+levels (in this case, 68).
+
+E: -f <filename>
+
+This option specifies an alternate slapd configuration file.
+Slurpd does not have its own configuration file. Instead, all
+configuration information is read from the slapd
+configuration file.
+
+E: -r <filename>
+
+This option specifies an alternate slapd replication log file.
+Under normal circumstances, slurpd reads the name of
+the slapd replication log file from the slapd configuration
+file. However, you can override this with the -r flag, to
+cause slurpd to process a different replication log file. See
+section 10.5, Advanced slurpd Operation, for a discussion
+of how you might use this option.
+
+E: -o
+
+Operate in "one-shot" mode. Under normal
+circumstances, when slurpd finishes processing a
+replication log, it remains active and periodically checks to
+see if new entries have been added to the replication log.
+In one-shot mode, by comparison, slurpd processes a
+replication log and exits immediately. If the -o option is
+given, the replication log file must be explicitly specified
+with the -r option
+
+E: -t <directory>
+
+Specify an alternate directory for slurpd's temporary
+copies of replication logs. The default location is /usr/tmp.
+
+E: -k <filename>
+
+When slurpd uses kerberos to authenticate to slave slapd
+instances, it needs to have an appropriate srvtab file for
+the remote slapd. This option allows you to specify an
+alternate filename containing kerberos keys for the remote
+slapd. The default filename is /etc/srvtab. You can also
+specify the srvtab file to use in the slapd configuration
+file's replica option. See the documentation on the srvtab
+directive in section 5.2.2, General Backend Options. A
+more complete discussion of using kerberos with slapd
+and slurpd may be found in Appendix D.
+
+
+
+H2: Configuring slurpd and a slave slapd instance
+
+To bring up a replica slapd instance, you must configure
+the master and slave slapd instances for replication, then
+shut down the master slapd so you can copy the
+database. Finally, you bring up the master slapd instance,
+the slave slapd instance, and the slurpd instance. These
+steps are detailed in the following sections. You can set
+up as many slave slapd instances as you wish.
+
+
+H3: Set up the master slapd
+
+Follow the procedures in Section 4, Building and Installing
+slapd. Be sure that the slapd instance is working properly
+before proceeding. Be sure to do the following in the
+master slapd configuration file.
+
+^ Add a replica directive for each replica. The binddn=
+. parameter should match the updatedn option in the
+. corresponding slave slapd configuration file, and should
+. name an entry with write permission to the slave database
+. (e.g., an entry listed as rootdn, or allowed access via
+. access directives in the slave slapd configuration file).
+
++ Add a replogfile directive, which tells slapd where to log
+. changes. This file will be read by slurpd.
+
+
+
+H3: Set up the slave slapd
+
+Install the slapd software on the host which is to be the
+slave slapd server. The configuration of the slave server
+should be identical to that of the master, with the following
+exceptions:
+
+^ Do not include a replica directive. While it is possible to
+. create "chains" of replicas, in most cases this is
+. inappropriate.
+
++ Do not include a replogfile directive.
+
++ Do include an updatedn line. The DN given should
+. match the DN given in the {{EX: binddn=}} parameter of the
+. corresponding {{EX: replica=}} directive in the master slapd
+. config file.
+
++ Make sure the DN given in the {{EX: updatedn}} directive has
+. permission to write the database (e.g., it is listed as rootdn
+. or is allowed access by one or more access directives).
+
+
+
+H3: Shut down the master slapd
+
+In order to ensure that the slave starts with an exact copy
+of the master's data, you must shut down the master
+slapd. Do this by sending the master slapd process an
+interrupt signal with {{EX: kill -TERM <pid>}}, where {{EX: <pid>}} is the
+process-id of the master slapd process.
+
+If you like, you may restart the master slapd in read-only
+mode while you are replicating the database. During this
+time, the master slapd will return an "unwilling to perform"
+error to clients that attempt to modify data.
+
+
+
+H3: Copy the master slapd's database to the slave
+
+Copy the master's database(s) to the slave. For an
+LDBM-based database, you must copy all index files as
+well as the "NEXTID" file. Index files will have a different
+suffix depending on the underlying database package
+used. The current possibilities are
+
+* {{EX: dbb}} Berkeley DB B-tree backend
+* {{EX: dbh}} Berkeley DB hash backend
+* {{EX: gdbm}} GNU DBM backend
+* {{EX: pag}} UNIX NBDM backend
+* {{EX: dir}} UNIX NBDM backend
+
+You should copy all files with such a suffix that are located
+in the index directory specified in your slapd config file.
+
+
+
+H3: Configure the master slapd for replication
+
+To configure slapd to generate a replication logfile, you
+add a "{{EX: replica}}" configuration option to the master slapd's
+config file. For example, if we wish to propagate changes
+to the slapd instance running on host
+truelies.rs.itd.umich.edu:
+
+E: replica host=truelies.rs.itd.umich.edu:389
+E:	binddn="cn=Replicator, o=U of M, c=US"
+E:	bindmethod=simple credentials=secret
+
+In this example, changes will be sent to port 389 (the
+standard LDAP port) on host truelies. The slurpd process
+will bind to the slave slapd as 
+"cn=Replicator, o=U of M, c=US"
+using simple authentication with password "secret".
+Note that the entry given by the binddn= directive must
+exist in the slave slapd's database (or be the rootdn
+specified in the slapd config file) in order for the bind
+operation to succeed.
+
+
+
+H3: Restart the master slapd and start the slave slapd
+
+Restart the master slapd process. To check that it is
+generating replication logs, perform a modification of any
+entry in the database, and check that data has been
+written to the log file.
+
+
+
+H3: Start slurpd
+
+Start the slurpd process. Slurpd should immediately send
+the test modification you made to the slave slapd. Watch
+the slave slapd's logfile to be sure that the modification
+was sent.
+
+{{EX: slurpd -f <masterslapdconfigfile>}}
+
+
+
+H2: Advanced slurpd Operation
+
+H3: Replication errors
+
+When slurpd propagates a change to a slave slapd and
+receives an error return code, it writes the reason for the
+error and the replication record to a reject file. The reject
+file is located in the same directory with the per-replica
+replication logfile, and has the same name, but with the
+string ".rej" appended. For example, for a replica running
+on host truelies.rs.itd.umich.edu, port 389, the reject file, if it
+exists, will be named
+
+E: /usr/tmp/truelies.rs.itd.umich.edu:389.
+
+A sample rejection log entry follows:
+
+E: ERROR: No such attribute
+E: replica: truelies.rs.itd.umich.edu:389
+E: time: 809618633
+E: dn: cn=Barbara Jensen, ou=People, o=University of Michigan, c=US
+E: changetype: modify
+E: delete: multiLineDescription
+E: multiLineDescription: I enjoy sailing in my spare time
+E: -
+E: add: multiLineDescription
+E: multiLineDescription: A dreamer...
+E: -
+E: delete: lastModifiedBy
+E: -
+E: add: lastModifiedBy
+E: lastModifiedBy: cn=Barbara Jensen, ou=People, o=University of Michigan, c=US
+E: -
+E: delete: lastModifiedTime
+E: -
+E: add: lastModifiedTime
+E: lastModifiedTime: 950825073308Z
+E: -
+
+Note that this is precisely the same format as the original
+replication log entry, but with an ERROR line prepended to
+the entry.
+
+
+
+H3: {{I:Slurpd}}'s one-shot mode and reject files
+
+It is possible to use slurpd to process a rejection log with
+its "one-shot mode." In normal operation, slurpd watches
+for more replication records to be appended to the
+replication log file. In one-shot mode, by contrast, slurpd
+processes a single log file and exits. Slurpd ignores
+ERROR lines at the beginning of replication log entries, so
+it's not necessary to edit them out before feeding it the
+rejection log.
+
+To use one-shot mode, specify the name of the rejection
+log on the command line as the argument to the -r flag,
+and specify one-shot mode with the -o flag. For example,
+to process the rejection log file
+/usr/tmp/replog.truelies.rs.itd.umich.edu:389 and exit, use the
+command
+
+E: slurpd -r /usr/tmp/truelies.rs.itd.umich.edu:389 -o
+
+
+H2: Replication from a slapd directory server to an X.500 DSA
+
+In mixed environments where both X.500 DSAs and slapd
+are used, it may be desirable to replicate changes from a
+slapd directory server to an X.500 DSA. This section
+discusses issues involved with this method of replication,
+and describes the currently-available facilities.
+
+To propagate changes from a slapd directory server to an
+X.500 DSA, slurpd runs on the master slapd host, and
+sends changes to an ldapd which acts as a gateway to
+the X.500 DSA:
+
+!import "figure_1.gif"; align="center"; title="Replication from slapd to an X.500 DSA"
+FT: Figure 6: Replication from slapd to an X.500 DSA
+
+Note that the X.500 DSA must be a read-only copy. Since
+the replication is one-way, updates from DAP clients
+connecting to the X.500 DSA simply cannot be handled.
+
+A problem arises where attribute names differ between the
+slapd directory server and the X.500 DSA. At present,
+slapd and slurpd do not support selective replication of
+attributes, nor do they support translation of attribute
+names and values. For example, slurpd will attempt to
+update the "modifiersName" and "modifyTimeStamp"
+attributes on the slave it connects to. However, the X.500
+DSA may expect these attributes to be named
+"lastModifiedBy" and "lastModifiedTime".
+
+A solution to this attribute naming problem is to have the
+ldapd read oidtables that map "modifiersName" to the
+objectID (OID) for the "lastModifiedBy" attribute and
+"modifyTimeStamp" to the OID for the "lastModifiedTime"
+attribute. Since attribute names are carried as OIDs over
+DAP, this should perform the appropriate translation of
+attribute names.
+
+
diff --git a/doc/guide/runningslapd.sdf b/doc/guide/runningslapd.sdf
new file mode 100644
index 0000000000..f591f92d72
--- /dev/null
+++ b/doc/guide/runningslapd.sdf
@@ -0,0 +1,123 @@
+H1: Running slapd
+
+Slapd can be run in two different modes, stand-alone or from
+inetd(8). Stand-alone operation is recommended, especially if you
+are using the LDBM backend. This allows the backend to take
+advantage of caching and avoids concurrency problems with the
+LDBM index files. If you are running only a PASSWD or SHELL
+backend, running from inetd is an option. How to do this is
+described in the next section, after the command-line options and
+stand-alone daemon operation are described.
+
+
+
+H2: Command-Line Options
+
+{{I:Slapd}} supports the following command-line options.
+
+E: -d <level> | ?
+
+This option sets the slapd debug level to <level>. When level is a
+`?' character, the various debugging levels are printed and slapd
+exits, regardless of any other options you give it. Current
+debugging levels are
+
+E:     1 trace function calls
+E:     2 debug packet handling
+E:     4 heavy trace debugging
+E:     8 connection management
+E:    16 print out packets sent and received
+E:    32 search filter processing
+E:    64 configuration file processing
+E:   128 access control list processing
+E:   256 stats log connections/operations/results
+E:   512 stats log entries sent
+E:  1024 print communication with shell backends
+E:  2048 print entry parsing debugging
+E: 65535 enable all debugging
+
+Debugging levels are additive. That is, if you want to trace function
+calls and watch the config file being processed, you would set
+level to the sum of those two levels (in this case, 65). Consult
+{{EX: <ldap.h>}} for more details.
+
+Note: slapd must have been compiled with {{EX:-DLDAP_DEBUG}}
+defined for any debugging information beyond the two stats levels
+to be available.
+
+E: -f <filename>
+
+This option specifies an alternate configuration file for slapd.
+
+E: -i
+
+This option tells slapd that it is running from inetd instead of as a
+stand-alone server. See the next section on running slapd from
+inetd for more details.
+
+E: -p <port>
+
+This option specifies an alternate TCP port on which slapd should
+listen for connections. The default port is 389.
+
+
+
+H2: Running slapd as a Stand-Alone Daemon
+
+In general, slapd is run like this:
+
+E: 	$(ETCDIR)/slapd [<option>]*
+
+where ETCDIR has the value you gave in the Make-common file
+during the pre-build configuration, and <option> is one of the
+options described below. Unless you have specified a debugging
+level, slapd will automatically fork and detach itself from its
+controlling terminal and run in the background. Any of the options
+given above can be given to slapd to point it at a different
+configuration file, listen on another port, etc.
+
+To kill off slapd safely, you should give a command like this
+
+E: 	kill -TERM `cat $(ETCDIR)/slapd.pid`
+
+Killing slapd by a more drastic method may cause its LDBM
+databases to be corrupted, as it may need to flush various buffers
+before it exits. Note that slapd writes its pid to a file called 
+{{EX: slapd.pid}} in the {{EX: ETCDIR}} you configured in 
+{{EX: Make-common}}. You can change
+the location of this pid file by changing the {{EX: SLAPD_PIDFILE}}
+variable in {{EX: include/ldapconfig.h.edit}}.
+
+{{I: Slapd}} will also write its arguments to a file called 
+{{EX: slapd.args}} in the {{EX: ETCDIR}} you configured 
+in {{EX: Make-common}}. You can change the
+location of the args file by changing the {{EX: SLAPD_ARGSFILE}}
+variable in {{EX: include/ldapconfig.h.edit}}.
+
+
+
+H2: Running slapd from inetd
+
+First, make sure that running from {{I: inetd}}(8) is a good idea. If you
+are using the LDBM backend, it is not. If you are in a high-volume
+environment, the overhead of running from inetd also makes it a
+bad idea. Otherwise, you may proceed with the two steps
+necessary.
+
+Step 1 is to add a line like this to your {{EX: /etc/services}} file:
+
+E: 	ldap 389 # ldap directory service
+
+Step 2 is to add a line like this to your /etc/inetd.conf file:
+
+E: 	ldap stream tcp nowait nobody $(ETCDIR)/slapd slapd -i
+
+where {{EX: ETCDIR}} has the value you gave it in the 
+{{EX: Make-common}} file
+during pre-build configuration. Finally, send inetd a HUP signal,
+and you should be all set.
+
+PB:
+
+
+
diff --git a/doc/guide/slapdconfig.sdf b/doc/guide/slapdconfig.sdf
new file mode 100644
index 0000000000..88286303f7
--- /dev/null
+++ b/doc/guide/slapdconfig.sdf
@@ -0,0 +1,862 @@
+H1: The {{I: slapd}} Configuration File
+
+Once the software has been built and installed, you are ready to configure it
+for use at your site. All slapd runtime configuration is accomplished through
+the {{EX: slapd.conf}} file, installed in the {{EX: ETCDIR}} 
+directory you specified in the {{EX: Make-common}} file. 
+
+An alternate configuration file can be specified via a
+command-line option to slapd or slurpd (see Sections 5 and 8,
+respectively). This section describes the general format of the config file,
+followed by a detailed description of each config file option.
+
+
+
+H2: Configuration File Format
+
+The {{EX: slapd.conf}} file consists of a series of global configuration options
+that apply to slapd as a whole (including all backends), followed by
+zero or more database backend definitions that contain information
+specific to a backend instance.
+
+Global options can be overridden in a backend (for options that
+appear more than once, the last appearance in the slapd.conf file is
+used). Blank lines and comment lines beginning with a `#' character
+are ignored. If a line begins with white space, it is considered a
+continuation of the previous line. The general format of slapd.conf is
+as follows:
+
+E: # comment - these options apply to every database
+E: <global config options>
+E: # first database definition & config options
+E: database <backend 1 type>
+E: <config options specific to backend 1>
+E: # second database definition & config options
+E: database <backend 2 type>
+E: <config options specific to backend 2>
+E: # subsequent database definitions & config options
+E: ...
+
+Configuration line arguments are separated by white space. If
+an argument contains white space, the argument should be
+enclosed in double quotes "like this". If an argument contains
+a double quote or a backslash character `\', the character
+should be preceded by a backslash character `\'.
+
+The distribution contains an example configuration file that will
+be installed in the {{EX: ETCDIR}} directory. Also provided are
+{{EX: slapd.at.conf}}, which contains many commonly used attribute
+definitions, and {{EX: slapd.oc.conf}}, which contains many commonly
+used object class definitions. These files can be included from
+the slapd configuration file (see below).
+
+
+
+H2: Configuration File Options
+
+This section separates the configuration file options into
+global and backend-specific categories, describing each
+option and its default value (if any), and giving an example of
+its use.
+
+
+
+H3: Global Options
+
+Options described in this section apply to all backends,
+unless specifically overridden in a backend definition. Option
+arguments that should be replaced by actual text are shown
+in brackets <>.
+
+
+H4: access to <what> [ by <who> <accesslevel> ]+
+
+This option grants access (specified by <accesslevel>) to a
+set of entries and/or attributes (specified by <what>) by one or
+more requesters (specified by <who>). See Section 5.3 on
+access control for more details and examples.
+
+
+H4: attribute <name> [<name2>] { bin | ces | cis | tel | dn }
+
+This option associates a syntax with an attribute name. By
+default, an attribute is assumed to have syntax cis. An
+optional alternate name can be given for an attribute. The
+possible syntaxes and their meanings are
+
+* {{EX: bin}} binary
+* {{EX: ces}} case exact string (case must match during comparisons)
+* {{EX: cis}} case ignore string (case is ignored during comparisons)
+* {{EX: tel}} telephone number string (like cis but blanks and dashes ` '
+are ignored during comparisons)
+* {{EX: dn}} distinguished name
+
+
+H4: defaultaccess { none | compare | search | read | write }
+
+This option specifies the default access to grant requesters
+not matched by any other access line (see Section 5.3). Note
+that an access level implies all lesser access levels (e.g.,
+write access implies read, search and compare).
+
+\Default:
+
+E: defaultaccess read
+
+H4: include <filename>
+
+This option specifies that slapd should read additional
+configuration information from the given file before continuing
+with the next line of the current file. The included file should
+follow the normal slapd config file format.
+
+Note: You should be careful when using this option - there is
+no small limit on the number of nested include options, and no
+loop detection is done.
+
+H4: loglevel <integer>
+
+This option specifies the level at which debugging statements
+and operation statistics should be syslogged (currently
+logged to the syslogd(8) LOG_LOCAL4 facility). You must
+have compiled slapd with  DLDAP_DEBUG for this to work
+(except for the two stats levels, which are always enabled).
+Log levels are additive. To display what numbers correspond
+to what kind of debugging, invoke slapd with the  ? flag or
+consult the table below. The possible values for <integer> are:
+
+*1 trace function calls
+*2 debug packet handling
+*4 heavy trace debugging
+*8 connection management
+*16 print out packets sent and received
+*32 search filter processing
+*64 configuration file processing
+*128 access control list processing
+*256 stats log connections/operations/results
+*512 stats log entries sent
+*1024 print communication with shell backends
+*2048 print entry parsing debugging
+
+\Example:
+
+E: loglevel 255
+
+This will cause lots and lots of debugging information to be
+syslogged.
+
+\Default:
+
+E: loglevel 256
+
+H4: objectclass <name> [ requires <attrs> ] [ allows <attrs> ]
+
+This option defines the schema rules for the given object
+class. Used in conjunction with the schemacheck option. See
+Section 5.4 for more details.
+
+H4: referral <url>
+
+This option specifies the referral to pass back when slapd
+cannot find a local database to handle a request.
+
+\Example:
+
+E: referral ldap://ldap.itd.umich.edu
+
+This will refer non-local queries to the LDAP server at the
+University of Michigan. Smart LDAP clients can re-ask their
+query at that server, but note that most of these clients are
+only going to know how to handle simple LDAP URLs that
+contain a host part and optionally a distinguished name part.
+
+H4: schemacheck { on | off }
+
+This option turns schema checking on or off. If schema
+checking is on, entries added or modified will be checked to
+ensure they obey the schema rules implied by their object
+class(es) as defined by the corresponding objectclass
+option(s). If schema checking is off this check is not done.
+
+\Default:
+
+E: schemacheck off
+
+H4: sizelimit <integer>
+
+This option specifies the maximum number of entries to return
+from a search operation.
+
+\Default:
+
+E: sizelimit 500
+
+
+H4: srvtab <filename>
+
+This option specifies the srvtab file in which slapd can find the
+kerberos keys necessary for authenticating clients using
+kerberos. This option is only meaningful if you are using
+kerberos authentication, which must be enabled at compile
+time by including the appropriate definitions in the
+{{EX: Make-common}} file.
+
+\Default:
+
+E: srvtab /etc/srvtab
+
+H4: timelimit <integer>
+
+This option specifies the maximum number of seconds (in real
+time) slapd will spend answering a search request. If a
+request is not finished in this time, a result indicating an
+exceeded timelimit will be returned.
+
+\Default:
+
+E: timelimit 3600
+
+
+
+H3: General Backend Options
+
+Options in this section only apply to the backend in which
+they are defined. They are supported by every type of
+backend.
+
+H4: database <databasetype>
+
+This option marks the beginning of a new database instance
+definition. <databasetype> should be one of ldbm, shell, or
+passwd, depending on which backend will serve the
+database.
+
+\Example:
+
+E: database ldbm
+
+This marks the beginning of a new LDBM backend database
+instance definition.
+
+H4: lastmod { on | off }
+
+This option controls whether slapd will automatically maintain
+the modifiersName, modifyTimestamp, creatorsName, and
+createTimestamp attributes for entries.
+
+\Default:
+
+E: lastmod off
+
+H4: readonly { on | off }
+
+This option puts the database into "read-only" mode. Any
+attempts to modify the database will return an "unwilling to
+perform" error.
+
+\Default:
+
+E: readonly off
+
+H4: replica
+E: replica host=<hostname>[:<port>] 
+E: "binddn=<DN>"
+E: bindmethod={ simple | kerberos }
+E: \[credentials=<password>]
+E: \[srvtab=<filename>]
+
+This option specifies a replication site for this database. The
+{{EX: host=}} parameter specifies a host and optionally a port where
+the slave slapd instance can be found. Either a domain name
+or IP address may be used for <hostname>. If <port> is not
+given, the standard LDAP port number (389) is used. 
+
+The {{EX: binddn=}} parameter gives the DN to bind as for updates to
+the slave slapd. It should be a DN which has read/write
+access to the slave slapd's database, typically given as a
+"rootdn" in the slave's config file. It must also match the
+updatedn option in the slave slapd's config file. Since DNs are
+likely to contain embedded spaces, the entire "{{EX: binddn=<DN>}}"
+string should be enclosed in quotes. 
+
+{{EX: bindmethod}} is either simple or kerberos, depending on
+whether simple password-based authentication or kerberos
+authentication is to be used when connecting to the slave
+slapd. Simple authentication requires a valid password be
+given. Kerberos authentication requires a valid srvtab file. 
+
+The {{EX: credentials=}} parameter, which is only required if using
+simple authentication, gives the password for binddn on the
+slave slapd.
+
+The {{EX: srvtab=}} parameter, which is only required if using
+kerberos, specifies the filename which holds the kerberos key
+for the slave slapd. If omitted, {{EX: /etc/srvtab}} is used.
+
+See Section 10 for more details on replication.
+
+H4: replogfile <filename>
+
+This option specifies the name of the replication log file to
+which slapd will log changes. The replication log is typically
+written by slapd and read by slurpd. Normally, this option is
+only used if slurpd is being used to replicate the database.
+However, you can also use it to generate a transaction log, if
+slurpd is not running. In this case, you will need to periodically
+truncate the file, since it will grow indefinitely otherwise.
+
+See Section 10 for more details on replication.
+
+H4: rootdn <dn>
+
+This option specifies the DN of an entry that is not subject to
+access control or administrative limit restrictions for
+operations on this database.
+
+\Example:
+
+E: rootdn "cn=Manager, o=U of M, c=US"
+
+H4: rootkrbname <kerberosname>
+
+This option specifies a kerberos name for the DN given above
+that will always work, regardless of whether an entry with the
+given DN exists or has a {{EX: krbName}} attribute. This option is
+useful when creating a database and also when using slurpd
+to provide replication service (see Section 10).
+
+\Example:
+
+E: rootkrbname admin@umich.edu
+
+H4: rootpw <password>
+
+This option specifies a password for the DN given above that
+will always work, regardless of whether an entry with the given
+DN exists or has a password. This option is useful when
+creating a database and also when using slurpd to provide
+replication service (see Section 10).
+
+\Example:
+
+E: rootpw secret
+
+H4: suffix <dn suffix>
+
+This option specifies the DN suffix of queries that will be
+passed to this backend database. Multiple suffix lines can be
+given, and at least one is required for each database
+definition.
+
+\Example:
+
+E: suffix "o=University of Michigan, c=US"
+
+Queries with a DN ending in "o=University of Michigan, c=US"
+will be passed to this backend.
+
+Note: when the backend to pass a query to is selected, slapd
+looks at the suffix line(s) in each database definition in the
+order they appear in the file. Thus, if one database suffix is a
+prefix of another, it must appear after it in the config file.
+
+H4: updatedn <dn>
+
+This option is only applicable in a slave slapd. It specifies the
+DN allowed to make changes to the replica (typically, this is
+the DN slurpd binds as when making changes to the replica).
+
+
+
+H3: LDBM Backend-Specific Options
+
+Options in this category only apply to the LDBM backend
+database. That is, they must follow a "database ldbm" line and
+come before any other "database" line.
+
+H4: cachesize <integer>
+
+This option specifies the size in entries of the in-memory
+cache maintained by the LDBM backend database instance.
+
+\Default:
+
+E: cachesize 1000
+
+
+H4: dbcachesize <integer>
+
+This option specifies the size in bytes of the in-memory cache
+associated with each open index file. If not supported by the
+underlying database method, this option is ignored without
+comment. Increasing this number uses more memory but can
+cause a dramatic performance increase, especially during
+modifies or when building indexes.
+
+\Default:
+
+E: dbcachesize 100000
+
+
+H4: directory <directory>
+
+This option specifies the directory where the LDBM files
+containing the database and associated indexes live.
+
+\Default:
+
+E: directory /usr/tmp
+
+
+H4: index {<attrlist> | default} [pres,eq,approx,sub,none]
+
+This option specifies the indexes to maintain for the given
+attribute. If only an <attrlist> is given, all possible indexes are
+maintained.
+
+\Example:
+
+E: index cn
+
+E: index sn,uid eq,sub,approx
+
+E: index default none
+
+This example causes all indexes to be maintained for the cn
+attribute; equality, substring, and approximate indexes for the
+sn and uid attributes; and no indexes for all other attributes.
+
+
+H4: mode <integer>
+
+This option specifies the file protection mode that newly
+created database index files should have.
+
+\Default:
+
+E: mode 0600
+
+
+
+H3: Shell Backend-Specific Options
+
+E: bind <pathname>
+
+E: unbind <pathname>
+
+E: search <pathname>
+
+E: compare <pathname>
+
+E: modify <pathname>
+
+E: modrdn <pathname>
+
+E: add <pathname>
+
+E: delete <pathname>
+
+E: abandon <pathname>
+
+These options specify the pathname of the command to
+execute in response to the given LDAP operation. The
+command given should understand and follow the input/output
+conventions described in Appendix B.
+
+\Example:
+
+E: search /usr/local/bin/search.sh
+
+Note that you need only supply those commands you want the
+backend to handle. Operations for which a command is not
+supplied will be refused with an "unwilling to perform" error.
+
+
+
+H3: Password Backend-Specific Options
+
+Options in this category only apply to the PASSWD backend
+database. That is, they must follow a "database passwd" line
+and come before any other "database" line.
+
+H4: file <filename>
+
+This option specifies an alternate passwd file to use.
+
+\Default:
+
+E: file /etc/passwd
+
+
+
+H2: Access Control
+
+Access to slapd entries and attributes is controlled by the
+access configuration file directive. The general form of an
+access line is:
+
+E: <access directive> ::= access to <what>
+E: [ by <who> <access> ]+
+E: <what> ::= * | [ dn=<regex> ] [ filter=<ldapfilter> ]
+E: [ attrs=<attrlist> ]
+E: <who> ::= * | self | dn=<regex> | addr=<regex> |
+E: domain=<regex> | dnattr=<dn attribute>
+E: <access> ::= [self]none | [self]compare | [self]search
+E: | [self]read | [self]write
+
+where the <what> part selects the entries and/or attributes to
+which the access applies, the <who> part specifies which
+entities are granted access, and the <access> part specifies
+the access granted. Multiple <who> <access> pairs are
+supported, allowing many entities to be granted different
+access to the same set of entries and attributes.
+
+
+H3: What to control access to
+
+The <what> part of an access specification determines the
+entries and attributes to which the access control applies.
+Entries can be selected in two ways: by a regular expression
+matching the entry's distinguished name:
+
+E: dn=<regular expression>
+
+Note: The DN pattern specified should be "normalized",
+meaning that there should be no extra spaces, and commas
+should be used to separate components. An example
+normalized DN is "cn=Babs Jensen,o=University of
+Michigan,c=US". An example of a non-normalized DN is
+"cn=Babs Jensen; o=University of Michigan, c=US".
+
+Or, entries may be selected by a filter matching some
+attribute(s) in the entry:
+
+E: filter=<ldap filter>
+
+where <ldap filter> is a string representation of an LDAP
+search filter, as described in RFC 1588. The special entry
+selector "*" is used to select any entry, and is a convenient
+shorthand for the equivalent "dn=.*" selector.
+
+Attributes within an entry are selected by including a
+comma-separated list of attribute names in the <what>
+selector:
+
+E: attrs=<attribute list>
+
+Access to the entry itself must be granted or denied using the
+special attribute name "entry". Note that giving access to an
+attribute is not enough; access to the entry itself through the
+"entry" attribute is also required. The complete examples at
+the end of this section should help clear things up.
+
+
+
+H2: Who to grant access to
+
+The <who> part identifies the entity or entities being granted
+access. Note that access is granted to "entities" not "entries."
+Entities can be specified by the special "*" identifier, matching
+any entry, the keyword "self" matching the entry protected by
+the access, or by a regular expression matching an entry's
+distinguished name:
+
+E: dn=<regular expression>
+
+Note:  The DN pattern specified should be "normalized",
+meaning that there should be no extra spaces, and commas
+should be used to separate components.
+
+Or entities can be specified by a regular expression matching
+the client's IP address or domain name:
+
+E: addr=<regular expression>
+E: domain=<regular expression>
+
+or by an entry listed in a DN-valued attribute in the entry to
+which the access applies:
+
+E: dnattr=<dn-valued attribute name>
+
+The dnattr specification is used to give access to an entry
+whose DN is listed in an attribute of the entry (e.g., give
+access to a group entry to whoever is listed as the owner of
+the group entry).
+
+
+
+H3: The access to grant
+
+
+The kind of <access> granted can be one of the following:
+
+E: none | compare | search | read | write
+
+Note that each level implies all lower levels of access. So, for
+example, granting someone write access to an entry also
+grants them read, search, and compare access.
+
+
+
+H3: Access Control Evaluation
+
+When evaluating whether some requester should be given
+access to an entry and/or attribute, slapd compares the entry
+and/or attribute to the {{EX: <what>}} selectors given in the
+configuration file. Access directives local to the current
+database are examined first, followed by global access
+directives. Within this priority, access directives are
+examined in the order in which they appear in the config file.
+Slapd stops with the first {{EX: <what>}} selector that matches the
+entry and/or attribute. The corresponding access directive is
+the one slapd will use to evaluate access.
+
+Next, slapd compares the entity requesting access to the
+{{EX: <who>}} selectors within the access directive selected above,
+in the order in which they appear. It stops with the first {{EX: <who>}}
+selector that matches the requester. This determines the
+access the entity requesting access has to the entry and/or
+attribute.
+
+Finally, slapd compares the access granted in the selected
+{{EX: <access>}} clause to the access requested by the client. If it
+allows greater or equal access, access is granted. Otherwise,
+access is denied.
+
+The order of evaluation of access directives makes their
+placement in the configuration file important. If one access
+directive is more specific than another in terms of the entries
+it selects, it should appear first in the config file. Similarly, if
+one {{EX: <who>}} selector is more specific than another it should
+come first in the access directive. The access control
+examples given below should help make this clear.
+
+
+
+H3: Access Control Examples
+
+
+
+The access control facility described above is quite powerful.
+This section shows some examples of its use. First, some
+simple examples:
+
+E: access to * by * read
+
+This access directive grants read access to everyone. If it
+appears alone it is the same as the following defaultaccess
+line.
+
+E: defaultaccess read
+
+The following example shows the use of a regular expression
+to select the entries by DN in two access directives where
+ordering is significant.
+
+E: access to dn=".*, o=U of M, c=US"
+E: 	by * search
+E: access to dn=".*, c=US"
+E: 	by * read
+
+Read access is granted to entries under the c=US subtree,
+except for those entries under the "o=University of Michigan,
+c=US" subtree, to which search access is granted. If the
+order of these access directives was reversed, the
+U-M-specific directive would never be matched, since all
+U-M entries are also c=US entries.
+
+The next example again shows the importance of ordering,
+both of the access directives and the "by" clauses. It also
+shows the use of an attribute selector to grant access to a
+specific attribute and various <who> selectors.
+
+E:access to dn=".*, o=U of M, c=US" attr=homePhone
+E:	by self write
+E:	by dn=".*, o=U of M, c=US" search
+E:	by domain=.*\.umich\.edu read
+E:	by * compare
+E:access to dn=".*, o=U of M, c=US"
+E:	by self write
+E:	by dn=".*, o=U of M, c=US" search
+E:	by * none
+
+This example applies to entries in the "o=U of M, c=US"
+subtree. To all attributes except homePhone, the entry itself
+can write them, other U-M entries can search by them,
+anybody else has no access. The homePhone attribute is
+writable by the entry, searchable by other U-M entries,
+readable by clients connecting from somewhere in the
+umich.edu domain, and comparable by everybody else.
+
+Sometimes it is useful to permit a particular DN to add or
+remove itself from an attribute. For example, if you would like to
+create a group and allow people too add and remove only
+their own DN from the member attribute, you could accomplish
+it with an access directive like this:
+
+E: access to attr=member,entry
+E: 	by dnattr=member selfwrite
+
+The dnattr {{EX: <who>}} selector says that the access applies to
+entries listed in the member attribute. The selfwrite access
+selector says that such members can only add or delete their
+own DN from the attribute, not other values. The addition of
+the entry attribute is required because access to the entry is
+required to access any of the entry's attributes.
+
+Note that the attr=member construct in the {{EX: <what>}} clause is a
+shorthand for the clause "dn=* attr=member" (i.e., it matches
+the member attribute in all entries).
+
+
+
+H2: Schema Enforcement
+
+
+
+The {{EX: objectclass}} and schemacheck configuration file options
+can be used to enforce schema rules on entries in the
+directory. The schema rules are defined by one or more
+objectclass lines, and enforcement is turned on or off via the
+schemacheck option. The format of an {{EX: objectclass}} line is:
+
+E: objectclass <name>
+E: 	[ requires <attrs> ] 
+E: 	[ allows <attrs> ]
+
+This option defines the schema rules for the object class
+given by {{EX: <name>}}. Schema rules consist of the attributes the
+entry is required to have (given by the requires {{EX: <attrs>}}
+clause) and those attributes that it may optionally have (given
+by the allows {{EX: <attrs>}} clause). In both clauses, {{EX: <attrs>}} is a
+comma-separated list of attribute names.
+
+Note that object class inheritance (that is, defining one object
+class in terms of another) is not supported directly. All of an
+object class's required and allowed attributes must be listed
+in the objectclass definition.
+
+For example, to define an objectclass called myPerson, you
+might include a definition like this:
+
+E: objectclass myperson
+E: 	requires cn, sn, objectclass
+E: 	allows mail, phone, fax
+
+To then enforce this rule (i.e., to make sure an entry with an
+objectclass of myperson contains the cn, sn and objectclass
+attributes, and that it contains no other attributes besides
+mail, phone, and fax), turn on schema checking with a line like
+this:
+
+E: schemacheck on
+
+
+
+H2: Configuration File Example
+
+
+
+The following is an example configuration file, interspersed
+with explanatory text. It defines two databases to handle
+different parts of the X.500 tree; both are LDBM database
+instances. The line numbers shown are provided for
+reference only and are not included in the actual file. First, the
+global configuration section:
+
+E: 1. # example config file - global configuration section
+E: 2. include /usr/local/etc/slapd.at.conf
+E: 3. include /usr/local/etc/slapd.oc.conf
+E: 4. schemacheck on
+E: 5. referral ldap://ldap.itd.umich.edu
+
+Line 1 is a comment. Lines 2 and 3 include other config files
+containing attribute and object class definitions, respectively.
+Line 4 turns on schema checking. The {{EX: referral}} option on line 5
+means that queries not local to one of the databases defined
+below will be referred to the LDAP server running on the
+standard port (389) at the host {{EX: ldap.itd.umich.edu}}.
+
+The next section of the configuration file defines an LDBM
+backend that will handle queries for things in the
+"o=University of Michigan, c=US" portion of the tree. The
+database is to be replicated to two slave slapds, one on
+truelies, the other on judgmentday. Indexes are to be
+maintained for several attributes, and the {{EX: userPassword}}
+attribute is to be protected from unauthorized access.
+
+E: 1. # ldbm definition for the U-M database
+E: 2. database ldbm
+E: 3. suffix "o=University of Michigan, c=US"
+E: 4. directory /usr/local/ldbm-umich
+E: 6. rootdn "cn=Manager, o=University of Michigan, c=US"
+E: 7. rootpw secret
+E: 8. replogfile /usr/local/ldbm-umich/slapd.replog
+E: 9. replica host=truelies.rs.itd.umich.edu:389
+E: 10. binddn="cn=Replicator, o=U of M, c=US"
+E: 11. bindmethod=simple credentials=secret
+E: 12.replica host=judgmentday.rs.itd.umich.edu
+E: 13. binddn="cn=Replicator, o=U of M, c=US"
+E: 14. bindmethod=kerberos
+E: 15. srvtab=/etc/srvtab.judgmentday
+E: 16.# ldbm indexed attribute definitions
+E: 17.index cn,sn,uid pres,eq,approx,sub
+E: 18.index objectclass pres,eq
+E: 19.index default none
+E: 20.# ldbm access control definitions
+E: 21.defaultaccess read
+E: 22.access to attr=userpassword
+E: 23. by self write
+E: 24. by dn="cn=Admin, o=University of Michigan, c=US" write
+E: 25. by * compare
+
+Line 1 is a comment. The start of the database definition is
+marked by the database keyword on line 2. Line 3 specifies
+the DN suffix for queries to pass to this database. Line 4
+specifies the directory in which the database files will live
+
+Lines 6 and 7 identify the database "super user" entry and
+associated password. This entry is not subject to access
+control or size or time limit restrictions.
+
+Lines 8 through 15 are for replication. Line 8 specifies the
+replication log file (where changes to the database are logged
+\- this file is written by slapd and read by slurpd). Lines 9
+through 11 specify the hostname and port for a replicated
+host, the DN to bind as when performing updates, the bind
+method (simple) and the credentials (password) for the
+binddn. Lines 12 through 15 specify a second replication site,
+using kerberos instead of simple authentication. See Section
+10 on slurpd for more information on these options.
+
+Lines 16 through 19 indicate the indexes to maintain for
+various attributes. The default is not to maintain any indexes
+(line 19).
+
+Lines 20 through 25 specify access control for entries in the
+database. For all entries, the {{EX: userPassword}} attribute is
+writable by the entry and the "admin" entry, comparable by
+everyone else. All other attributes allow read access by
+default (line 21). Note that the special "entry" attribute is not
+required in the access directive beginning on line 22. This is
+because the default access is read.
+
+The next section of the example configuration file defines
+another LDBM database. This one handles queries involving
+the "o="Babs, Inc.", c=US" subtree.
+
+E: 1. # ldbm definition for Babs, Inc. database
+E: 2. database ldbm
+E: 3. suffix "o=\"Babs, Inc.\", c=US"
+E: 4. directory /usr/local/ldbm-babs
+E: 5. rootdn "cn=Babs, o=\"Babs, Inc.\", c=US"
+E: 6. index default
+
+Note the use of `\' to escape the quotes necessary in the
+distinguished names given on lines 3 and 5. By default, all
+indexes are maintained for every attribute in an entry.
+
+
+PB:
+
+
diff --git a/doc/guide/tuning.sdf b/doc/guide/tuning.sdf
new file mode 100644
index 0000000000..1632114610
--- /dev/null
+++ b/doc/guide/tuning.sdf
@@ -0,0 +1,86 @@
+H1: Performance Tuning
+
+There are several things you can do to tune the performance of
+slapd for your system. Most of them have to do with the LDBM
+backend. LDBM uses an index mechanism to store and retrieve
+information in slapd. Each entry is assigned a unique ID, used to
+refer to the entry in the indexes. A search for entries with a
+surname of "Jensen", for example, would look up the index entry
+"=JENSEN" in the surname index. The data returned is a list of
+IDs of entries having that value for the surname attribute. We
+have found several things to be useful in improving the
+performance of this indexing scheme, especially on modify
+operations.
+
+
+
+H2: The allIDs threshold
+
+Some index entries become so large as to be useless. For
+example, if every entry in your database is a person entry, the
+"=PERSON" index entry in the objectclass index contains every
+entry. This returns very little useful information, and can cause
+significant delays, especially on updates. To alleviate this
+problem, we have introduced the idea of an allIDs index entry.
+
+The allIDs entry stands for a real index entry containing the IDs
+of every entry in the database, but it takes up very little space,
+never needs updating, and can be manipulated quickly and
+efficiently. The trade-off is that it does not prune the set of
+candidate entries at all during a search. This must be done
+using other, more "high-powered" index entries.
+
+You can set the minimum number of IDs that an index entry may
+contain before it turns into an allIDs block by changing the
+{{EX: SLAPD_LDBM_MIN_MAXIDS}} variable in the
+{{EX: include/ldapconfig.h}} file. The actual number is determined at
+runtime by the LDBM backend, depending on the block size of
+the underlying device (i.e., the number you provide is rounded up
+to the nearest multiple of a block size).
+
+
+
+H2: The entry cache
+
+The LDBM backend can be configured to keep a cache of
+entries in memory. Since the LDBM database spends much of its
+time reading entries from the id2entry file into memory, this cache
+can greatly speed performance. The trade-off is that the cache
+uses some extra memory. The default cache size is 1000
+entries. See the discussion of the cachesize option in Section
+5.2.3 on LDBM configuration.
+
+
+
+H2: The DB cache
+
+The LDBM backend uses a number of disk-based index files. If
+the underlying hash or B-tree package supports in-memory
+caching of these files, performance can be greatly improved,
+especially on modifies. The size of this in-memory file cache is
+given by the dbcachesize option, discussed in more detail in
+section 5.2.3 on LDBM configuration. The default {{EX: dbcachesize}} is
+100K.
+
+
+
+H2: Maintain the right indices
+
+Finally, one of the best performance tune-ups you can do is to
+make sure you are maintaining the right indices. Too few indices
+can lead to poor search performance. Too many indices can
+lead to poor update performance. For example, the LDBM
+backend would be perfectly happy to maintain substring and
+approximate indices for the {{EX: objectclass attribute}}, but this would
+not be useful and would just slow down update operations. If
+your database has many entries and is handling queries for
+substring equality on the surname attribute, you should make
+sure to maintain a surname substring index so these queries are
+answered quickly.
+
+So, take a look at the index lines in your slapd configuration file to
+ensure that only those indices that make sense and are needed
+are being maintained.
+
+PB:
+
-- 
2.39.5