to any overlays configured on the database. The olcDatabase and
olcOverlay entries may also have miscellaneous child entries for
other settings as needed. There are two special database entries
-that are predefined - one is an entry for the config database itself,
+that are predefined \- one is an entry for the config database itself,
and the other is for the "frontend" database. Settings in the
frontend database are inherited by the other databases, unless
they are explicitly overridden in a specific database.
will stop listening for new connections, but will not close the
connections to the current clients. Future write operations return
unwilling-to-perform, though. Slapd terminates when all clients
-have closed their connections (if they ever do), or - as before -
+have closed their connections (if they ever do), or \- as before \-
if it receives a SIGTERM signal. This can be useful if you wish to
terminate the server and start a new
.B slapd
The desired log level can be input as a single integer that combines
the (ORed) desired levels, both in decimal or in hexadecimal notation,
as a list of integers (that are ORed internally),
-or as a list of the names that are shown between brackets, such that
+or as a list of the names that are shown between parenthesis, such that
.LP
.nf
olcLogLevel: 129
default is empty, which just uses slapd's internal support. Usually
no other auxprop plugins are needed.
.TP
+.B olcSaslAuxpropsDontUseCopy: <attr> [...]
+Specify which attribute(s) should be subject to the don't use copy control. This
+is necessary for some SASL mechanisms such as OTP to work in a replicated
+environment. The attribute "cmusaslsecretOTP" is the default value.
+.TP
+.B olcSaslAuxpropsDontUseCopyIgnore TRUE | FALSE
+Used to disable replication of the attribute(s) defined by
+olcSaslAuxpropsDontUseCopy and instead use a local value for the attribute. This
+allows the SASL mechanism to continue to work if the master is offline. This can
+cause replication inconsistency. Defaults to FALSE.
+.TP
.B olcSaslHost: <fqdn>
Used to specify the fully qualified domain name used for SASL processing.
.TP
Specify an integer ID from 0 to 4095 for this server (limited
to 3 hexadecimal digits). The ID may also be specified as a
hexadecimal ID by prefixing the value with "0x".
-These IDs are
+Non-zero IDs are
required when using multimaster replication and each master must have a
-unique ID. Note that this requirement also applies to separate masters
+unique non-zero ID. Note that this requirement also applies to separate masters
contributing to a glued set of databases.
If the URL is provided, this directive may be specified
multiple times, providing a complete list of participating servers
and their IDs. The fully qualified hostname of each server should be
used in the supplied URLs. The IDs are used in the "replica id" field
-of all CSNs generated by the specified server. The default value is zero.
+of all CSNs generated by the specified server. The default value is zero, which
+is only valid for single master replication.
Example:
.LP
.nf
Specify the maximum size of the primary thread pool.
The default is 16; the minimum value is 2.
.TP
+.B olcThreadQueues: <integer>
+Specify the number of work queues to use for the primary thread pool.
+The default is 1 and this is typically adequate for up to 8 CPU cores.
+The value should not exceed the number of CPUs in the system.
+.TP
.B olcToolThreads: <integer>
Specify the maximum number of threads to use in tool mode.
This should not be greater than the number of CPUs in the system.
olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
.TP
.I GnuTLS:
-TLSCiphersuite SECURE256:!AES-128-CBC
+olcTLSCiphersuite: SECURE256:!AES-128-CBC
.RE
To check what ciphers a given spec selects in OpenSSL, use:
.nf
olcTLSCertificateFile: my hardware device:Server-Cert
.fi
-Use certutil -L to list the certificates by name:
+Use certutil \-L to list the certificates by name:
.nf
- certutil -d /path/to/certdbdir -L
+ certutil \-d /path/to/certdbdir \-L
.fi
.TP
.B olcTLSCertificateKeyFile: <filename>
specifes /etc/openldap/certdb as the location of the cert/key database, use
modutil to change the password to the empty string:
.nf
- modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'
+ modutil \-dbdir /etc/openldap/certdb \-changepw 'NSS Certificate DB'
.fi
You must have the old password, if any. Ignore the WARNING about the running
browser. Press 'Enter' for the new password.
(see above).
The
.B extended
-keyword allows to indicate the OID of the specific operation
+keyword allows one to indicate the OID of the specific operation
to be restricted.
.TP
.B olcSchemaDN: <dn>
indicates that no limit is applied to the pagedResults control page size.
The syntax
.B size.prtotal={<integer>|unlimited|disabled}
-allows to set a limit on the total number of entries that a pagedResults
-control allows to return.
+allows one to set a limit on the total number of entries that the pagedResults
+control will return.
By default it is set to the
.B hard
limit.
in order to work over all of the glued databases. E.g.
.RS
.nf
- dn: olcDatabase={1}bdb,cn=config
+ dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=example,dc=com
...
- dn: olcOverlay={0}glue,olcDatabase={1}bdb,cn=config
+ dn: olcOverlay={0}glue,olcDatabase={1}mdb,cn=config
...
- dn: olcOverlay={1}syncprov,olcDatabase={1}bdb,cn=config
+ dn: olcOverlay={1}syncprov,olcDatabase={1}mdb,cn=config
...
.fi
.RE
projects / openldap / blobdiff