From 515ac60fdcc3ae3f19b05c890524b86a144c9679 Mon Sep 17 00:00:00 2001 From: Quanah Gibson-Mount Date: Wed, 29 Mar 2017 13:47:13 -0700 Subject: [PATCH] ITS#7700 - Update syncrepl configuration bits with missing parameters --- doc/guide/admin/slapdconfig.sdf | 41 ++++++++++++++++++++++++++++----- 1 file changed, 35 insertions(+), 6 deletions(-) diff --git a/doc/guide/admin/slapdconfig.sdf b/doc/guide/admin/slapdconfig.sdf index 53b1c2c6ee..9f468f96e9 100644 --- a/doc/guide/admin/slapdconfig.sdf +++ b/doc/guide/admin/slapdconfig.sdf @@ -229,7 +229,7 @@ from a search operation. > sizelimit 500 -See the {{SECT:Limits}} section of this guide and slapd.conf(5) +See the {{SECT:Limits}} section of this guide and {{slapd.conf}}(5) for more details. H4: timelimit @@ -243,7 +243,7 @@ exceeded timelimit will be returned. > timelimit 3600 -See the {{SECT:Limits}} section of this guide and slapd.conf(5) +See the {{SECT:Limits}} section of this guide and {{slapd.conf}}(5) for more details. @@ -309,7 +309,7 @@ H4: limits [ [...]] Specify time and size limits based on who initiated an operation. -See the {{SECT:Limits}} section of this guide and slapd.conf(5) +See the {{SECT:Limits}} section of this guide and {{slapd.conf}}(5) for more details. @@ -388,17 +388,20 @@ H4: syncrepl > syncrepl rid= > provider=ldap[s]://[:port] +> searchbase= > [type=refreshOnly|refreshAndPersist] > [interval=dd:hh:mm:ss] > [retry=[ <# of retries>]+] -> searchbase= > [filter=] > [scope=sub|one|base] > [attrs=] +> [exattrs=] > [attrsonly] > [sizelimit=] > [timelimit=] > [schemachecking=on|off] +> [network-timeout=] +> [timeout=] > [bindmethod=simple|sasl] > [binddn=] > [saslmech=] @@ -407,6 +410,7 @@ H4: syncrepl > [credentials=] > [realm=] > [secprops=] +> [keepalive=::] > [starttls=yes|critical] > [tls_cert=] > [tls_key=] @@ -415,6 +419,8 @@ H4: syncrepl > [tls_reqcert=never|allow|try|demand] > [tls_cipher_suite=] > [tls_crlcheck=none|peer|all] +> [tls_protocol_min=[.]] +> [suffixmassage=] > [logbase=] > [logfilter=] > [syncdata=default|accesslog|changelog] @@ -452,7 +458,7 @@ The content of the syncrepl replica is defined using a search specification as its result set. The consumer slapd will send search requests to the provider slapd according to the search specification. The search specification includes {{EX:searchbase}}, -{{EX:scope}}, {{EX:filter}}, {{EX:attrs}}, {{EX:attrsonly}}, +{{EX:scope}}, {{EX:filter}}, {{EX:attrs}}, {{EX:exattrs}}, {{EX:attrsonly}}, {{EX:sizelimit}}, and {{EX:timelimit}} parameters as in the normal search specification. The {{EX:searchbase}} parameter has no default value and must always be specified. The {{EX:scope}} defaults @@ -460,7 +466,8 @@ to {{EX:sub}}, the {{EX:filter}} defaults to {{EX:(objectclass=*)}}, {{EX:attrs}} defaults to {{EX:"*,+"}} to replicate all user and operational attributes, and {{EX:attrsonly}} is unset by default. Both {{EX:sizelimit}} and {{EX:timelimit}} default to "unlimited", and only positive integers -or "unlimited" may be specified. +or "unlimited" may be specified. The {{EX:exattrs}} option may also be used +to specify attributes that should be omitted from incoming entries. The {{TERM[expand]LDAP Sync}} protocol has two operation types: {{EX:refreshOnly}} and {{EX:refreshAndPersist}}. @@ -490,6 +497,12 @@ required by the schema definition. If it is turned off, entries will be stored without checking schema conformance. The default is off. +The {{EX:network-timeout}} parameter sets how long the consumer will +wait to establish a network connection to the provider. Once a +connection is established, the {{EX:timeout}} parameter determines how +long the consumer will wait for the initial Bind request to complete. The +defaults for these parameters come from {{ldap.conf}}(5). + The {{EX:binddn}} parameter gives the DN to bind as for the syncrepl searches to the provider slapd. It should be a DN which has read access to the replication content in the @@ -516,6 +529,17 @@ The {{EX:realm}} parameter specifies a realm which a certain mechanisms authenticate the identity within. The {{EX:secprops}} parameter specifies Cyrus SASL security properties. +The {{EX:keepalive} parameter sets the values of idle, probes, and interval +used to check whether a socket is alive; idle is the number of seconds a +connection needs to remain idle before TCP starts sending keepalive probes; +probes is the maximum number of keepalive probes TCP should send before +dropping the connection; interval is interval in seconds between individual +keepalive probes. Only some systems support the customization of these +values; the keepalive parameter is ignored otherwise, and system-wide +settings are used. For example, keepalive="240:10:30" will send a keepalive +probe 10 times, every 30 seconds, after 240 seconds of idle activity. If +no response to the probes is received, the connection will be dropped. + The {{EX:starttls}} parameter specifies use of the StartTLS extended operation to establish a TLS session before authenticating to the provider. If the {{EX:critical}} argument is supplied, the session will be aborted @@ -523,6 +547,11 @@ if the StartTLS request fails. Otherwise the syncrepl session continues without TLS. The tls_reqcert setting defaults to {{EX:"demand"}} and the other TLS settings default to the same as the main slapd TLS settings. +The {{EX:suffixmassage}} parameter allows the consumer to pull entries +from a remote directory whose DN suffix differs from the local directory. +The portion of the remote entries' DNs that matches the searchbase will +be replaced with the suffixmassage DN. + Rather than replicating whole entries, the consumer can query logs of data modifications. This mode of operation is referred to as {{delta syncrepl}}. In addition to the above parameters, the -- 2.39.5