1 .TH SLAPD-SOCK 5 "RELEASEDATE" "OpenLDAP LDVERSION"
2 .\" Copyright 2007-2018 The OpenLDAP Foundation All Rights Reserved.
3 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
6 slapd\-sock \- Socket backend/overlay to slapd
12 uses an external program to handle queries, similarly to
14 However, in this case the external program listens on a Unix domain socket.
15 This makes it possible to have a pool of processes, which persist between
16 requests. This allows multithreaded operation and a higher level of
17 efficiency. The external program must have been started independently;
19 itself will not start it.
21 This module may also be used as an overlay on top of some other database.
22 Use as an overlay allows external actions to be triggered in response to
23 operations on the main database.
27 options apply to the SOCK backend database.
28 That is, they must follow a "database sock" line and come before any
29 subsequent "backend" or "database" lines.
30 Other database options are described in the
34 Alternatively, to use this module as an overlay, these directives must
35 follow an "overlay sock" line within an existing database definition.
37 .B extensions [ binddn | peername | ssf | connid ]*
38 Enables the sending of additional meta-attributes with each request.
41 peername: IP=<address>:<port>
43 connid: <connection ID>
46 .B socketpath <pathname>
47 Gives the path to a Unix domain socket to which the commands will
48 be sent and from which replies are received.
50 When used as an overlay, these additional directives are defined:
52 .B sockops [ bind | unbind | search | compare | modify | modrdn | add | delete | extended ]*
53 Specify which request types to send to the external program. The default is
54 empty (no requests are sent).
56 .B sockresps [ result | search ]*
57 Specify which response types to send to the external program. "result"
58 sends just the results of an operation. "search" sends all entries that
59 the database returned for a search request. The default is empty
60 (no responses are sent).
63 Specify DN patterns for which the overlay will act. Only operations on
64 DNs matching the specified regular expression will be processed. The default
65 is empty (all DNs are processed).
68 The protocol is essentially the same as
70 with the addition of a newline to terminate the command parameters. The
71 following commands are sent:
76 <repeat { "suffix:" <database suffix DN> }>
77 <entry in LDIF format>
86 <repeat { "suffix:" <database suffix DN> }>
88 method: <method number>
89 credlen: <length of <credentials>>
99 <repeat { "suffix:" <database suffix DN> }>
110 <repeat { "suffix:" <database suffix DN> }>
120 <repeat { "suffix:" <database suffix DN> }>
122 value: <base64-value>
131 <repeat { "suffix:" <database suffix DN> }>
134 <"add"/"delete"/"replace">: <attribute>
135 <repeat { <attribute>: <value> }>
146 <repeat { "suffix:" <database suffix DN> }>
149 deleteoldrdn: <0 or 1>
150 <if new superior is specified: "newSuperior: <DN>">
159 <repeat { "suffix:" <database suffix DN> }>
161 scope: <0-2, see ldap.h>
162 deref: <0-3, see ldap.h>
163 sizelimit: <size limit>
164 timelimit: <time limit>
167 attrs: <"all" or space-separated attribute list>
176 <repeat { "suffix:" <database suffix DN> }>
181 The commands - except \fBunbind\fP - should output:
186 matched: <matched DN>
190 where only RESULT is mandatory, and then close the socket.
191 The \fBsearch\fP RESULT should be preceded by the entries in LDIF
192 format, each entry followed by a blank line.
193 Lines starting with `#' or `DEBUG:' are ignored.
195 When used as an overlay, the external program should return a
196 CONTINUE response if request processing should continue normally, or
197 a regular RESULT response if the external program wishes to bypass the
200 If the overlay is configured to send response messages to the external
201 program, they will appear as an extended RESULT message or as an
202 ENTRY message, defined below. The RESULT message is similar to
203 the one above, but also includes the msgid and any configured
210 matched: <matched DN>
216 Typically both the msgid and the connid will be needed to match
217 a result message to a request. The ENTRY message has the form
222 <entry in LDIF format>
227 .SH KNOWN LIMITATIONS
230 backend does not process extended operation results from an external program.
235 backend does not honor all ACL semantics as described in
236 .BR slapd.access (5).
237 In general, access to objects is checked by using a dummy object
238 that contains only the DN, so access rules that rely on the contents
239 of the object are not honored.
244 operation does not require
248 pseudo-attribute of the parent entry.
256 pseudo-attribute of the entry whose identity is being assessed;
258 access to the credentials is not checked, but rather delegated
259 to the underlying program.
268 of the object whose value is being asserted;
270 access to the attribute whose value is being asserted is not checked.
274 operation does not require
278 pseudo-attribute of the parent entry.
288 access to the specific attributes that are modified is not checked.
292 operation does not require
296 pseudo-attribute of the parent entry, nor to that of the new parent,
299 access to the distinguished values of the naming attributes
304 operation does not require
308 pseudo_attribute of the searchBase;
310 access to the attributes and values used in the filter is not checked.
314 operation does not require any access special rights.
315 The external program has to implement any sort of access control.
318 There is an example script in the slapd/back\-sock/ directory
319 in the OpenLDAP source tree.
323 default slapd configuration file
326 .BR slapd\-config (5),
329 Brian Candler, with enhancements by Howard Chu