Commit | Line | Data |
---|---|---|
c4f3bb4b AB |
1 | Submitted by: Bruce Dubbs <bdubbs at linuxfromscratch.org> |
2 | Date: 2012-03-26 | |
3 | Initial Package Version: 2.4.40 | |
4 | Upstream Status: BLFS Specific | |
5 | Origin: Armin K. <krejzi at email dot com> and Debian | |
6 | Comment: Rediffed by Fernando de Oliveira <famobr at yahoo dot | |
7 | com dot br> for version 2.4.44 - 2016.02.06 | |
8 | Rediffed by Pierre Labastie <pierre dot labastie at | |
9 | neuf dot fr> to add mdb backend and slapd.ldif. See | |
10 | ticket #7394 - 2016.02.24 | |
11 | Rediffed by Douglas R. Reno <renodr at linuxfromscratch | |
12 | dot org> to function on 2.4.51. - 2020-08-13 | |
13 | Fixed the rediff to use a .c file instead of a .s, fixing | |
14 | the test by Douglas R. Reno - 2020-08-13 | |
15 | Rediffed by Tim Tassonis <stuff at decentral.ch> to | |
16 | remove now integrated symbol versioning stuff and | |
17 | remove changes to now non-existent slapd-bdb.5 file - 2021-05-03 | |
18 | Rediffed by Douglas R. Reno - 2022-02-13 - updated man | |
19 | pages for lloadd.8 and slapd.8 to use the proper path. | |
20 | Description: Consolidate earlier patches to: | |
21 | 1. Update various installation options, such as ldap database path, | |
22 | configuration file options, slapd install location, etc. | |
23 | 2. Remove reference to bdb module | |
24 | ||
25 | ||
26 | diff -Naurp openldap-2.6.1.orig/doc/man/man5/slapd.conf.5 openldap-2.6.1/doc/man/man5/slapd.conf.5 | |
27 | --- openldap-2.6.1.orig/doc/man/man5/slapd.conf.5 2022-01-19 12:32:34.000000000 -0600 | |
28 | +++ openldap-2.6.1/doc/man/man5/slapd.conf.5 2022-02-13 15:54:13.654979570 -0600 | |
29 | @@ -2123,7 +2123,7 @@ suffix "dc=our\-domain,dc=com" | |
30 | # The database directory MUST exist prior to | |
31 | # running slapd AND should only be accessible | |
32 | # by the slapd/tools. Mode 0700 recommended. | |
33 | -directory LOCALSTATEDIR/openldap\-data | |
34 | +directory LOCALSTATEDIR/lib/openldap | |
35 | # Indices to maintain | |
36 | index objectClass eq | |
37 | index cn,sn,mail pres,eq,approx,sub | |
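Review bot: this hunk only rewrites the example `directory` path in the slapd.conf.5 man page; the patch description (item 1, "ldap database path") implies the default itself changes, so the matching edit to the installed slapd.conf template and to the slapd.ldif named in the header should be in the same patch, otherwise the documented `LOCALSTATEDIR/lib/openldap` and the path slapd actually uses will disagree. The context lines above still require the directory to exist with mode 0700 before slapd starts, and that requirement carries over unchanged to the new location.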
38 | diff -Naurp openldap-2.6.1.orig/doc/man/man5/slapd.conf.5.orig openldap-2.6.1/doc/man/man5/slapd.conf.5.orig | |
39 | --- openldap-2.6.1.orig/doc/man/man5/slapd.conf.5.orig 1969-12-31 18:00:00.000000000 -0600 | |
40 | +++ openldap-2.6.1/doc/man/man5/slapd.conf.5.orig 2022-01-19 12:32:34.000000000 -0600 | |
41 | @@ -0,0 +1,2168 @@ | |
42 | +.TH SLAPD.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION" | |
43 | +.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved. | |
44 | +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. | |
45 | +.\" $OpenLDAP$ | |
46 | +.SH NAME | |
47 | +slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon | |
48 | +.SH SYNOPSIS | |
49 | +ETCDIR/slapd.conf | |
50 | +.SH DESCRIPTION | |
51 | +The file | |
52 | +.B ETCDIR/slapd.conf | |
53 | +contains configuration information for the | |
54 | +.BR slapd (8) | |
55 | +daemon. This configuration file is also used by the SLAPD tools | |
56 | +.BR slapacl (8), | |
57 | +.BR slapadd (8), | |
58 | +.BR slapauth (8), | |
59 | +.BR slapcat (8), | |
60 | +.BR slapdn (8), | |
61 | +.BR slapindex (8), | |
62 | +.BR slapmodify (8), | |
63 | +and | |
64 | +.BR slaptest (8). | |
65 | +.LP | |
66 | +The | |
67 | +.B slapd.conf | |
68 | +file consists of a series of global configuration options that apply to | |
69 | +.B slapd | |
70 | +as a whole (including all backends), followed by zero or more database | |
71 | +backend definitions that contain information specific to a backend | |
72 | +instance. | |
73 | +The configuration options are case-insensitive; | |
74 | +their value, on a case by case basis, may be case-sensitive. | |
75 | +.LP | |
76 | +The general format of | |
77 | +.B slapd.conf | |
78 | +is as follows: | |
79 | +.LP | |
80 | +.nf | |
81 | + # comment - these options apply to every database | |
82 | + <global configuration options> | |
83 | + # first database definition & configuration options | |
84 | + database <backend 1 type> | |
85 | + <configuration options specific to backend 1> | |
86 | + # subsequent database definitions & configuration options | |
87 | + ... | |
88 | +.fi | |
89 | +.LP | |
90 | +As many backend-specific sections as desired may be included. Global | |
91 | +options can be overridden in a backend (for options that appear more | |
92 | +than once, the last appearance in the | |
93 | +.B slapd.conf | |
94 | +file is used). | |
95 | +.LP | |
96 | +If a line begins with white space, it is considered a continuation | |
97 | +of the previous line. No physical line should be over 2000 bytes | |
98 | +long. | |
99 | +.LP | |
100 | +Blank lines and comment lines beginning with | |
101 | +a `#' character are ignored. Note: continuation lines are unwrapped | |
102 | +before comment processing is applied. | |
103 | +.LP | |
104 | +Arguments on configuration lines are separated by white space. If an | |
105 | +argument contains white space, the argument should be enclosed in | |
106 | +double quotes. If an argument contains a double quote (`"') or a | |
107 | +backslash character (`\\'), the character should be preceded by a | |
108 | +backslash character. | |
109 | +.LP | |
110 | +The specific configuration options available are discussed below in the | |
111 | +Global Configuration Options, General Backend Options, and General Database | |
112 | +Options. Backend-specific options are discussed in the | |
113 | +.B slapd\-<backend>(5) | |
114 | +manual pages. Refer to the "OpenLDAP Administrator's Guide" for more | |
115 | +details on the slapd configuration file. | |
116 | +.SH GLOBAL CONFIGURATION OPTIONS | |
117 | +Options described in this section apply to all backends, unless specifically | |
118 | +overridden in a backend definition. Arguments that should be replaced by | |
119 | +actual text are shown in brackets <>. | |
120 | +.TP | |
121 | +.B access to <what> "[ by <who> <access> <control> ]+" | |
122 | +Grant access (specified by <access>) to a set of entries and/or | |
123 | +attributes (specified by <what>) by one or more requestors (specified | |
124 | +by <who>). | |
125 | +If no access controls are present, the default policy | |
126 | +allows anyone and everyone to read anything but restricts | |
127 | +updates to rootdn. (e.g., "access to * by * read"). | |
128 | +The rootdn can always read and write EVERYTHING! | |
129 | +See | |
130 | +.BR slapd.access (5) | |
131 | +and the "OpenLDAP's Administrator's Guide" for details. | |
132 | +.TP | |
133 | +.B allow <features> | |
134 | +Specify a set of features (separated by white space) to | |
135 | +allow (default none). | |
136 | +.B bind_v2 | |
137 | +allows acceptance of LDAPv2 bind requests. Note that | |
138 | +.BR slapd (8) | |
139 | +does not truly implement LDAPv2 (RFC 1777), now Historic (RFC 3494). | |
140 | +.B bind_anon_cred | |
141 | +allows anonymous bind when credentials are not empty (e.g. | |
142 | +when DN is empty). | |
143 | +.B bind_anon_dn | |
144 | +allows unauthenticated (anonymous) bind when DN is not empty. | |
145 | +.B update_anon | |
146 | +allows unauthenticated (anonymous) update operations to be processed | |
147 | +(subject to access controls and other administrative limits). | |
148 | +.B proxy_authz_anon | |
149 | +allows unauthenticated (anonymous) proxy authorization control to be processed | |
150 | +(subject to access controls, authorization and other administrative limits). | |
151 | +.TP | |
152 | +.B argsfile <filename> | |
153 | +The (absolute) name of a file that will hold the | |
154 | +.B slapd | |
155 | +server's command line (program name and options). | |
156 | +.TP | |
157 | +.B attributeoptions [option-name]... | |
158 | +Define tagging attribute options or option tag/range prefixes. | |
159 | +Options must not end with `\-', prefixes must end with `\-'. | |
160 | +The `lang\-' prefix is predefined. | |
161 | +If you use the | |
162 | +.B attributeoptions | |
163 | +directive, `lang\-' will no longer be defined and you must specify it | |
164 | +explicitly if you want it defined. | |
165 | + | |
166 | +An attribute description with a tagging option is a subtype of that | |
167 | +attribute description without the option. | |
168 | +Except for that, options defined this way have no special semantics. | |
169 | +Prefixes defined this way work like the `lang\-' options: | |
170 | +They define a prefix for tagging options starting with the prefix. | |
171 | +That is, if you define the prefix `x\-foo\-', you can use the option | |
172 | +`x\-foo\-bar'. | |
173 | +Furthermore, in a search or compare, a prefix or range name (with | |
174 | +a trailing `\-') matches all options starting with that name, as well | |
175 | +as the option with the range name sans the trailing `\-'. | |
176 | +That is, `x\-foo\-bar\-' matches `x\-foo\-bar' and `x\-foo\-bar\-baz'. | |
177 | + | |
178 | +RFC 4520 reserves options beginning with `x\-' for private experiments. | |
179 | +Other options should be registered with IANA, see RFC 4520 section 3.5. | |
180 | +OpenLDAP also has the `binary' option built in, but this is a transfer | |
181 | +option, not a tagging option. | |
182 | +.HP | |
183 | +.hy 0 | |
184 | +.B attributetype "(\ <oid>\ | |
185 | + [NAME\ <name>]\ | |
186 | + [DESC\ <description>]\ | |
187 | + [OBSOLETE]\ | |
188 | + [SUP\ <oid>]\ | |
189 | + [EQUALITY\ <oid>]\ | |
190 | + [ORDERING\ <oid>]\ | |
191 | + [SUBSTR\ <oid>]\ | |
192 | + [SYNTAX\ <oidlen>]\ | |
193 | + [SINGLE\-VALUE]\ | |
194 | + [COLLECTIVE]\ | |
195 | + [NO\-USER\-MODIFICATION]\ | |
196 | + [USAGE\ <attributeUsage>]\ )" | |
197 | +.RS | |
198 | +Specify an attribute type using the LDAPv3 syntax defined in RFC 4512. | |
199 | +The slapd parser extends the RFC 4512 definition by allowing string | |
200 | +forms as well as numeric OIDs to be used for the attribute OID and | |
201 | +attribute syntax OID. | |
202 | +(See the | |
203 | +.B objectidentifier | |
204 | +description.) | |
205 | +.RE | |
206 | +.TP | |
207 | +.B authid\-rewrite<cmd> <args> | |
208 | +Used by the authentication framework to convert simple user names | |
209 | +to an LDAP DN used for authorization purposes. | |
210 | +Its purpose is analogous to that of | |
211 | +.BR authz-regexp | |
212 | +(see below). | |
213 | +The prefix \fIauthid\-\fP is followed by a set of rules analogous | |
214 | +to those described in | |
215 | +.BR slapo\-rwm (5) | |
216 | +for data rewriting (replace the \fIrwm\-\fP prefix with \fIauthid\-\fP). | |
217 | +.B authid\-rewrite<cmd> | |
218 | +and | |
219 | +.B authz\-regexp | |
220 | +rules should not be intermixed. | |
221 | +.TP | |
222 | +.B authz\-policy <policy> | |
223 | +Used to specify which rules to use for Proxy Authorization. Proxy | |
224 | +authorization allows a client to authenticate to the server using one | |
225 | +user's credentials, but specify a different identity to use for authorization | |
226 | +and access control purposes. It essentially allows user A to login as user | |
227 | +B, using user A's password. | |
228 | +The | |
229 | +.B none | |
230 | +flag disables proxy authorization. This is the default setting. | |
231 | +The | |
232 | +.B from | |
233 | +flag will use rules in the | |
234 | +.I authzFrom | |
235 | +attribute of the authorization DN. | |
236 | +The | |
237 | +.B to | |
238 | +flag will use rules in the | |
239 | +.I authzTo | |
240 | +attribute of the authentication DN. | |
241 | +The | |
242 | +.B any | |
243 | +flag, an alias for the deprecated value of | |
244 | +.BR both , | |
245 | +will allow any of the above, whatever succeeds first (checked in | |
246 | +.BR to , | |
247 | +.B from | |
248 | +sequence. | |
249 | +The | |
250 | +.B all | |
251 | +flag requires both authorizations to succeed. | |
252 | +.LP | |
253 | +.RS | |
254 | +The rules are mechanisms to specify which identities are allowed | |
255 | +to perform proxy authorization. | |
256 | +The | |
257 | +.I authzFrom | |
258 | +attribute in an entry specifies which other users | |
259 | +are allowed to proxy login to this entry. The | |
260 | +.I authzTo | |
261 | +attribute in | |
262 | +an entry specifies which other users this user can authorize as. Use of | |
263 | +.I authzTo | |
264 | +rules can be easily | |
265 | +abused if users are allowed to write arbitrary values to this attribute. | |
266 | +In general the | |
267 | +.I authzTo | |
268 | +attribute must be protected with ACLs such that | |
269 | +only privileged users can modify it. | |
270 | +The value of | |
271 | +.I authzFrom | |
272 | +and | |
273 | +.I authzTo | |
274 | +describes an | |
275 | +.B identity | |
276 | +or a set of identities; it can take five forms: | |
277 | +.RS | |
278 | +.TP | |
279 | +.B ldap:///<base>??[<scope>]?<filter> | |
280 | +.RE | |
281 | +.RS | |
282 | +.B dn[.<dnstyle>]:<pattern> | |
283 | +.RE | |
284 | +.RS | |
285 | +.B u[.<mech>[/<realm>]]:<pattern> | |
286 | +.RE | |
287 | +.RS | |
288 | +.B group[/objectClass[/attributeType]]:<pattern> | |
289 | +.RE | |
290 | +.RS | |
291 | +.B <pattern> | |
292 | +.RE | |
293 | +.RS | |
294 | + | |
295 | +.B <dnstyle>:={exact|onelevel|children|subtree|regex} | |
296 | + | |
297 | +.RE | |
298 | +The first form is a valid LDAP | |
299 | +.B URI | |
300 | +where the | |
301 | +.IR <host>:<port> , | |
302 | +the | |
303 | +.I <attrs> | |
304 | +and the | |
305 | +.I <extensions> | |
306 | +portions must be absent, so that the search occurs locally on either | |
307 | +.I authzFrom | |
308 | +or | |
309 | +.IR authzTo . | |
310 | + | |
311 | +.LP | |
312 | +The second form is a | |
313 | +.BR DN . | |
314 | +The optional | |
315 | +.B dnstyle | |
316 | +modifiers | |
317 | +.IR exact , | |
318 | +.IR onelevel , | |
319 | +.IR children , | |
320 | +and | |
321 | +.I subtree | |
322 | +provide exact, onelevel, children and subtree matches, which cause | |
323 | +.I <pattern> | |
324 | +to be normalized according to the DN normalization rules. | |
325 | +The special | |
326 | +.B dnstyle | |
327 | +modifier | |
328 | +.I regex | |
329 | +causes the | |
330 | +.I <pattern> | |
331 | +to be treated as a POSIX (''extended'') regular expression, as | |
332 | +discussed in | |
333 | +.BR regex (7) | |
334 | +and/or | |
335 | +.BR re_format (7). | |
336 | +A pattern of | |
337 | +.I * | |
338 | +means any non-anonymous DN. | |
339 | + | |
340 | +.LP | |
341 | +The third form is a SASL | |
342 | +.BR id . | |
343 | +The optional fields | |
344 | +.I <mech> | |
345 | +and | |
346 | +.I <realm> | |
347 | +allow specification of a SASL | |
348 | +.BR mechanism , | |
349 | +and eventually a SASL | |
350 | +.BR realm , | |
351 | +for those mechanisms that support one. | |
352 | +The need to allow the specification of a mechanism is still debated, | |
353 | +and users are strongly discouraged to rely on this possibility. | |
354 | + | |
355 | +.LP | |
356 | +The fourth form is a group specification. | |
357 | +It consists of the keyword | |
358 | +.BR group , | |
359 | +optionally followed by the specification of the group | |
360 | +.B objectClass | |
361 | +and | |
362 | +.BR attributeType . | |
363 | +The | |
364 | +.B objectClass | |
365 | +defaults to | |
366 | +.IR groupOfNames . | |
367 | +The | |
368 | +.B attributeType | |
369 | +defaults to | |
370 | +.IR member . | |
371 | +The group with DN | |
372 | +.B <pattern> | |
373 | +is searched with base scope, filtered on the specified | |
374 | +.BR objectClass . | |
375 | +The values of the resulting | |
376 | +.B attributeType | |
377 | +are searched for the asserted DN. | |
378 | + | |
379 | +.LP | |
380 | +The fifth form is provided for backwards compatibility. If no identity | |
381 | +type is provided, i.e. only | |
382 | +.B <pattern> | |
383 | +is present, an | |
384 | +.I exact DN | |
385 | +is assumed; as a consequence, | |
386 | +.B <pattern> | |
387 | +is subjected to DN normalization. | |
388 | + | |
389 | +.LP | |
390 | +Since the interpretation of | |
391 | +.I authzFrom | |
392 | +and | |
393 | +.I authzTo | |
394 | +can impact security, users are strongly encouraged | |
395 | +to explicitly set the type of identity specification that is being used. | |
396 | +A subset of these rules can be used as third arg in the | |
397 | +.B authz\-regexp | |
398 | +statement (see below); significantly, the | |
399 | +.IR URI , | |
400 | +provided it results in exactly one entry, | |
401 | +and the | |
402 | +.I dn.exact:<dn> | |
403 | +forms. | |
404 | +.RE | |
405 | +.TP | |
406 | +.B authz\-regexp <match> <replace> | |
407 | +Used by the authentication framework to convert simple user names, | |
408 | +such as provided by SASL subsystem, or extracted from certificates | |
409 | +in case of cert-based SASL EXTERNAL, or provided within the RFC 4370 | |
410 | +"proxied authorization" control, to an LDAP DN used for | |
411 | +authorization purposes. Note that the resulting DN need not refer | |
412 | +to an existing entry to be considered valid. When an authorization | |
413 | +request is received from the SASL subsystem, the SASL | |
414 | +.BR USERNAME , | |
415 | +.BR REALM , | |
416 | +and | |
417 | +.B MECHANISM | |
418 | +are taken, when available, and combined into a name of the form | |
419 | +.RS | |
420 | +.RS | |
421 | +.TP | |
422 | +.B UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth | |
423 | + | |
424 | +.RE | |
425 | +This name is then compared against the | |
426 | +.B match | |
427 | +POSIX (''extended'') regular expression, and if the match is successful, | |
428 | +the name is replaced with the | |
429 | +.B replace | |
430 | +string. If there are wildcard strings in the | |
431 | +.B match | |
432 | +regular expression that are enclosed in parenthesis, e.g. | |
433 | +.RS | |
434 | +.TP | |
435 | +.B UID=([^,]*),CN=.* | |
436 | + | |
437 | +.RE | |
438 | +then the portion of the name that matched the wildcard will be stored | |
439 | +in the numbered placeholder variable $1. If there are other wildcard strings | |
440 | +in parenthesis, the matching strings will be in $2, $3, etc. up to $9. The | |
441 | +placeholders can then be used in the | |
442 | +.B replace | |
443 | +string, e.g. | |
444 | +.RS | |
445 | +.TP | |
446 | +.B UID=$1,OU=Accounts,DC=example,DC=com | |
447 | + | |
448 | +.RE | |
449 | +The replaced name can be either a DN, i.e. a string prefixed by "dn:", | |
450 | +or an LDAP URI. | |
451 | +If the latter, the server will use the URI to search its own database(s) | |
452 | +and, if the search returns exactly one entry, the name is | |
453 | +replaced by the DN of that entry. The LDAP URI must have no | |
454 | +hostport, attrs, or extensions components, but the filter is mandatory, | |
455 | +e.g. | |
456 | +.RS | |
457 | +.TP | |
458 | +.B ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1) | |
459 | + | |
460 | +.RE | |
461 | +The protocol portion of the URI must be strictly | |
462 | +.BR ldap . | |
463 | +Note that this search is subject to access controls. Specifically, | |
464 | +the authentication identity must have "auth" access in the subject. | |
465 | + | |
466 | +Multiple | |
467 | +.B authz\-regexp | |
468 | +options can be given in the configuration file to allow for multiple matching | |
469 | +and replacement patterns. The matching patterns are checked in the order they | |
470 | +appear in the file, stopping at the first successful match. | |
471 | + | |
472 | +.\".B Caution: | |
473 | +.\"Because the plus sign + is a character recognized by the regular expression engine, | |
474 | +.\"and it will appear in names that include a REALM, be careful to escape the | |
475 | +.\"plus sign with a backslash \\+ to remove the character's special meaning. | |
476 | +.RE | |
477 | +.TP | |
478 | +.B concurrency <integer> | |
479 | +Specify a desired level of concurrency. Provided to the underlying | |
480 | +thread system as a hint. The default is not to provide any hint. This setting | |
481 | +is only meaningful on some platforms where there is not a one to one | |
482 | +correspondence between user threads and kernel threads. | |
483 | +.TP | |
484 | +.B conn_max_pending <integer> | |
485 | +Specify the maximum number of pending requests for an anonymous session. | |
486 | +If requests are submitted faster than the server can process them, they | |
487 | +will be queued up to this limit. If the limit is exceeded, the session | |
488 | +is closed. The default is 100. | |
489 | +.TP | |
490 | +.B conn_max_pending_auth <integer> | |
491 | +Specify the maximum number of pending requests for an authenticated session. | |
492 | +The default is 1000. | |
493 | +.TP | |
494 | +.B defaultsearchbase <dn> | |
495 | +Specify a default search base to use when client submits a | |
496 | +non-base search request with an empty base DN. | |
497 | +Base scoped search requests with an empty base DN are not affected. | |
498 | +.TP | |
499 | +.B disallow <features> | |
500 | +Specify a set of features (separated by white space) to | |
501 | +disallow (default none). | |
502 | +.B bind_anon | |
503 | +disables acceptance of anonymous bind requests. Note that this setting | |
504 | +does not prohibit anonymous directory access (See "require authc"). | |
505 | +.B bind_simple | |
506 | +disables simple (bind) authentication. | |
507 | +.B tls_2_anon | |
508 | +disables forcing session to anonymous status (see also | |
509 | +.BR tls_authc ) | |
510 | +upon StartTLS operation receipt. | |
511 | +.B tls_authc | |
512 | +disallows the StartTLS operation if authenticated (see also | |
513 | +.BR tls_2_anon ). | |
514 | +.B proxy_authz_non_critical | |
515 | +disables acceptance of the proxied authorization control (RFC4370) | |
516 | +with criticality set to FALSE. | |
517 | +.B dontusecopy_non_critical | |
518 | +disables acceptance of the dontUseCopy control (a work in progress) | |
519 | +with criticality set to FALSE. | |
520 | +.HP | |
521 | +.hy 0 | |
522 | +.B ditcontentrule "(\ <oid>\ | |
523 | + [NAME\ <name>]\ | |
524 | + [DESC\ <description>]\ | |
525 | + [OBSOLETE]\ | |
526 | + [AUX\ <oids>]\ | |
527 | + [MUST\ <oids>]\ | |
528 | + [MAY\ <oids>]\ | |
529 | + [NOT\ <oids>]\ )" | |
530 | +.RS | |
531 | +Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 4512. | |
532 | +The slapd parser extends the RFC 4512 definition by allowing string | |
533 | +forms as well as numeric OIDs to be used for the attribute OID and | |
534 | +attribute syntax OID. | |
535 | +(See the | |
536 | +.B objectidentifier | |
537 | +description.) | |
538 | +.RE | |
539 | +.TP | |
540 | +.B gentlehup { on | off } | |
541 | +A SIGHUP signal will only cause a 'gentle' shutdown-attempt: | |
542 | +.B Slapd | |
543 | +will stop listening for new connections, but will not close the | |
544 | +connections to the current clients. Future write operations return | |
545 | +unwilling-to-perform, though. Slapd terminates when all clients | |
546 | +have closed their connections (if they ever do), or \- as before \- | |
547 | +if it receives a SIGTERM signal. This can be useful if you wish to | |
548 | +terminate the server and start a new | |
549 | +.B slapd | |
550 | +server | |
551 | +.B with another database, | |
552 | +without disrupting the currently active clients. | |
553 | +The default is off. You may wish to use | |
554 | +.B idletimeout | |
555 | +along with this option. | |
556 | +.TP | |
557 | +.B idletimeout <integer> | |
558 | +Specify the number of seconds to wait before forcibly closing | |
559 | +an idle client connection. A setting of 0 disables this | |
560 | +feature. The default is 0. You may also want to set the | |
561 | +.B writetimeout | |
562 | +option. | |
563 | +.TP | |
564 | +.B include <filename> | |
565 | +Read additional configuration information from the given file before | |
566 | +continuing with the next line of the current file. | |
567 | +.TP | |
568 | +.B index_hash64 { on | off } | |
569 | +Use a 64 bit hash for indexing. The default is to use 32 bit hashes. | |
570 | +These hashes are used for equality and substring indexing. The 64 bit | |
571 | +version may be needed to avoid index collisions when the number of | |
572 | +indexed values exceeds ~64 million. (Note that substring indexing | |
573 | +generates multiple index values per actual attribute value.) | |
574 | +Indices generated with 32 bit hashes are incompatible with the 64 bit | |
575 | +version, and vice versa. Any existing databases must be fully reloaded | |
576 | +when changing this setting. This directive is only supported on 64 bit CPUs. | |
577 | +.TP | |
578 | +.B index_intlen <integer> | |
579 | +Specify the key length for ordered integer indices. The most significant | |
580 | +bytes of the binary integer will be used for index keys. The default | |
581 | +value is 4, which provides exact indexing for 31 bit values. | |
582 | +A floating point representation is used to index too large values. | |
583 | +.TP | |
584 | +.B index_substr_if_maxlen <integer> | |
585 | +Specify the maximum length for subinitial and subfinal indices. Only | |
586 | +this many characters of an attribute value will be processed by the | |
587 | +indexing functions; any excess characters are ignored. The default is 4. | |
588 | +.TP | |
589 | +.B index_substr_if_minlen <integer> | |
590 | +Specify the minimum length for subinitial and subfinal indices. An | |
591 | +attribute value must have at least this many characters in order to be | |
592 | +processed by the indexing functions. The default is 2. | |
593 | +.TP | |
594 | +.B index_substr_any_len <integer> | |
595 | +Specify the length used for subany indices. An attribute value must have | |
596 | +at least this many characters in order to be processed. Attribute values | |
597 | +longer than this length will be processed in segments of this length. The | |
598 | +default is 4. The subany index will also be used in subinitial and | |
599 | +subfinal index lookups when the filter string is longer than the | |
600 | +.I index_substr_if_maxlen | |
601 | +value. | |
602 | +.TP | |
603 | +.B index_substr_any_step <integer> | |
604 | +Specify the steps used in subany index lookups. This value sets the offset | |
605 | +for the segments of a filter string that are processed for a subany index | |
606 | +lookup. The default is 2. For example, with the default values, a search | |
607 | +using this filter "cn=*abcdefgh*" would generate index lookups for | |
608 | +"abcd", "cdef", and "efgh". | |
609 | + | |
610 | +.LP | |
611 | +Note: Indexing support depends on the particular backend in use. Also, | |
612 | +changing these settings will generally require deleting any indices that | |
613 | +depend on these parameters and recreating them with | |
614 | +.BR slapindex (8). | |
615 | + | |
616 | +.HP | |
617 | +.hy 0 | |
618 | +.B ldapsyntax "(\ <oid>\ | |
619 | + [DESC\ <description>]\ | |
620 | + [X\-SUBST <substitute-syntax>]\ )" | |
621 | +.RS | |
622 | +Specify an LDAP syntax using the LDAPv3 syntax defined in RFC 4512. | |
623 | +The slapd parser extends the RFC 4512 definition by allowing string | |
624 | +forms as well as numeric OIDs to be used for the syntax OID. | |
625 | +(See the | |
626 | +.B objectidentifier | |
627 | +description.) | |
628 | +The slapd parser also honors the | |
629 | +.B X\-SUBST | |
630 | +extension (an OpenLDAP-specific extension), which allows one to use the | |
631 | +.B ldapsyntax | |
632 | +statement to define a non-implemented syntax along with another syntax, | |
633 | +the extension value | |
634 | +.IR substitute-syntax , | |
635 | +as its temporary replacement. | |
636 | +The | |
637 | +.I substitute-syntax | |
638 | +must be defined. | |
639 | +This allows one to define attribute types that make use of non-implemented syntaxes | |
640 | +using the correct syntax OID. | |
641 | +Unless | |
642 | +.B X\-SUBST | |
643 | +is used, this configuration statement would result in an error, | |
644 | +since no handlers would be associated to the resulting syntax structure. | |
645 | +.RE | |
646 | + | |
647 | +.TP | |
648 | +.B listener-threads <integer> | |
649 | +Specify the number of threads to use for the connection manager. | |
650 | +The default is 1 and this is typically adequate for up to 16 CPU cores. | |
651 | +The value should be set to a power of 2. | |
652 | +.TP | |
653 | +.B localSSF <SSF> | |
654 | +Specifies the Security Strength Factor (SSF) to be given local LDAP sessions, | |
655 | +such as those to the ldapi:// listener. For a description of SSF values, | |
656 | +see | |
657 | +.BR sasl-secprops 's | |
658 | +.B minssf | |
659 | +option description. The default is 71. | |
660 | +.TP | |
661 | +.B logfile <filename> | |
662 | +Specify a file for recording slapd debug messages. By default these messages | |
663 | +only go to stderr, are not recorded anywhere else, and are unrelated to | |
664 | +messages exposed by the | |
665 | +.B loglevel | |
666 | +configuration parameter. Specifying a logfile copies messages to both stderr | |
667 | +and the logfile. | |
668 | +.TP | |
669 | +.B logfile-format debug | syslog-utc | syslog-localtime | |
670 | +Specify the prefix format for messages written to the logfile. The debug | |
671 | +format is the normal format used for slapd debug messages, with a timestamp | |
672 | +in hexadecimal, followed by a thread ID. The other options are to | |
673 | +use syslog(3) style prefixes, with timestamps either in UTC or in the | |
674 | +local timezone. The default is debug format. | |
675 | +.TP | |
676 | +.B logfile-only on | off | |
677 | +Specify that debug messages should only go to the configured logfile, and | |
678 | +not to stderr. | |
679 | +.TP | |
680 | +.B logfile-rotate <max> <Mbytes> <hours> | |
681 | +Specify automatic rotation for the configured logfile as the maximum | |
682 | +number of old logfiles to retain, a maximum size in megabytes to allow a | |
683 | +logfile to grow before rotation, and a maximum age in hours for a logfile | |
684 | +to be used before rotation. The maximum number must be in the range 1-99. | |
685 | +Setting Mbytes or hours to zero disables the size or age check, respectively. | |
686 | +At least one of Mbytes or hours must be non-zero. By default no automatic | |
687 | +rotation will be performed. | |
688 | +.TP | |
689 | +.B loglevel <integer> [...] | |
690 | +Specify the level at which debugging statements and operation | |
691 | +statistics should be syslogged (currently logged to the | |
692 | +.BR syslogd (8) | |
693 | +LOG_LOCAL4 facility). | |
694 | +They must be considered subsystems rather than increasingly verbose | |
695 | +log levels. | |
696 | +Some messages with higher priority are logged regardless | |
697 | +of the configured loglevel as soon as any logging is configured. | |
698 | +Log levels are additive, and available levels are: | |
699 | +.RS | |
700 | +.RS | |
701 | +.PD 0 | |
702 | +.TP | |
703 | +.B 1 | |
704 | +.B (0x1 trace) | |
705 | +trace function calls | |
706 | +.TP | |
707 | +.B 2 | |
708 | +.B (0x2 packets) | |
709 | +debug packet handling | |
710 | +.TP | |
711 | +.B 4 | |
712 | +.B (0x4 args) | |
713 | +heavy trace debugging (function args) | |
714 | +.TP | |
715 | +.B 8 | |
716 | +.B (0x8 conns) | |
717 | +connection management | |
718 | +.TP | |
719 | +.B 16 | |
720 | +.B (0x10 BER) | |
721 | +print out packets sent and received | |
722 | +.TP | |
723 | +.B 32 | |
724 | +.B (0x20 filter) | |
725 | +search filter processing | |
726 | +.TP | |
727 | +.B 64 | |
728 | +.B (0x40 config) | |
729 | +configuration file processing | |
730 | +.TP | |
731 | +.B 128 | |
732 | +.B (0x80 ACL) | |
733 | +access control list processing | |
734 | +.TP | |
735 | +.B 256 | |
736 | +.B (0x100 stats) | |
737 | +connections, LDAP operations, results (recommended) | |
738 | +.TP | |
739 | +.B 512 | |
740 | +.B (0x200 stats2) | |
741 | +stats2 log entries sent | |
742 | +.TP | |
743 | +.B 1024 | |
744 | +.B (0x400 shell) | |
745 | +print communication with shell backends | |
746 | +.TP | |
747 | +.B 2048 | |
748 | +.B (0x800 parse) | |
749 | +entry parsing | |
750 | +\".TP | |
751 | +\".B 4096 | |
752 | +\".B (0x1000 cache) | |
753 | +\"caching (unused) | |
754 | +\".TP | |
755 | +\".B 8192 | |
756 | +\".B (0x2000 index) | |
757 | +\"data indexing (unused) | |
758 | +.TP | |
759 | +.B 16384 | |
760 | +.B (0x4000 sync) | |
761 | +LDAPSync replication | |
762 | +.TP | |
763 | +.B 32768 | |
764 | +.B (0x8000 none) | |
765 | +only messages that get logged whatever log level is set | |
766 | +.PD | |
767 | +.RE | |
768 | +The desired log level can be input as a single integer that combines | |
769 | +the (ORed) desired levels, both in decimal or in hexadecimal notation, | |
770 | +as a list of integers (that are ORed internally), | |
771 | +or as a list of the names that are shown between parentheses, such that | |
772 | +.LP | |
773 | +.nf | |
774 | + loglevel 129 | |
775 | + loglevel 0x81 | |
776 | + loglevel 128 1 | |
777 | + loglevel 0x80 0x1 | |
778 | + loglevel acl trace | |
779 | +.fi | |
780 | +.LP | |
781 | +are equivalent. | |
782 | +The keyword | |
783 | +.B any | |
784 | +can be used as a shortcut to enable logging at all levels (equivalent to \-1). | |
785 | +The keyword | |
786 | +.BR none , | |
787 | +or the equivalent integer representation, causes those messages | |
788 | +that are logged regardless of the configured loglevel to be logged. | |
789 | +In fact, if loglevel is set to 0, no logging occurs, | |
790 | +so at least the | |
791 | +.B none | |
792 | +level is required to have high priority messages logged. | |
793 | + | |
794 | +Note that the | |
795 | +.BR packets , | |
796 | +.BR BER , | |
797 | +and | |
798 | +.B parse | |
799 | +levels are only available as debug output on stderr, and are not | |
800 | +sent to syslog. | |
801 | + | |
802 | +The loglevel defaults to \fBstats\fP. | |
803 | +This level should usually also be included when using other loglevels, to | |
804 | +help analyze the logs. | |
805 | +.RE | |
806 | +.TP | |
807 | +.B maxfilterdepth <integer> | |
808 | +Specify the maximum depth of nested filters in search requests. | |
809 | +The default is 1000. | |
810 | +.TP | |
811 | +.B moduleload <filename> [<arguments>...] | |
812 | +Specify the name of a dynamically loadable module to load and any | |
813 | +additional arguments if supported by the module. The filename | |
814 | +may be an absolute path name or a simple filename. Non-absolute names | |
815 | +are searched for in the directories specified by the | |
816 | +.B modulepath | |
817 | +option. This option and the | |
818 | +.B modulepath | |
819 | +option are only usable if slapd was compiled with \-\-enable\-modules. | |
820 | +.TP | |
821 | +.B modulepath <pathspec> | |
822 | +Specify a list of directories to search for loadable modules. Typically | |
823 | +the path is colon-separated but this depends on the operating system. | |
824 | +The default is MODULEDIR, which is where the standard OpenLDAP install | |
825 | +will place its modules. | |
826 | +.HP | |
827 | +.hy 0 | |
828 | +.B objectclass "(\ <oid>\ | |
829 | + [NAME\ <name>]\ | |
830 | + [DESC\ <description>]\ | |
831 | + [OBSOLETE]\ | |
832 | + [SUP\ <oids>]\ | |
833 | + [{ ABSTRACT | STRUCTURAL | AUXILIARY }]\ | |
834 | + [MUST\ <oids>] [MAY\ <oids>] )" | |
835 | +.RS | |
836 | +Specify an objectclass using the LDAPv3 syntax defined in RFC 4512. | |
837 | +The slapd parser extends the RFC 4512 definition by allowing string | |
838 | +forms as well as numeric OIDs to be used for the object class OID. | |
839 | +(See the | |
840 | +.B | |
841 | +objectidentifier | |
842 | +description.) Object classes are "STRUCTURAL" by default. | |
843 | +.RE | |
844 | +.TP | |
845 | +.B objectidentifier <name> "{ <oid> | <name>[:<suffix>] }" | |
846 | +Define a string name that equates to the given OID. The string can be used | |
847 | +in place of the numeric OID in objectclass and attribute definitions. The | |
848 | +name can also be used with a suffix of the form ":xx" in which case the | |
849 | +value "oid.xx" will be used. | |
850 | +.TP | |
851 | +.B password\-hash <hash> [<hash>...] | |
852 | +This option configures one or more hashes to be used in generation of user | |
853 | +passwords stored in the userPassword attribute during processing of | |
854 | +LDAP Password Modify Extended Operations (RFC 3062). | |
855 | +The <hash> must be one of | |
856 | +.BR {SSHA} , | |
857 | +.BR {SHA} , | |
858 | +.BR {SMD5} , | |
859 | +.BR {MD5} , | |
860 | +.BR {CRYPT} , | |
861 | +and | |
862 | +.BR {CLEARTEXT} . | |
863 | +The default is | |
864 | +.BR {SSHA} . | |
865 | + | |
866 | +.B {SHA} | |
867 | +and | |
868 | +.B {SSHA} | |
869 | +use the SHA-1 algorithm (FIPS 160-1), the latter with a seed. | |
870 | + | |
871 | +.B {MD5} | |
872 | +and | |
873 | +.B {SMD5} | |
874 | +use the MD5 algorithm (RFC 1321), the latter with a seed. | |
875 | + | |
876 | +.B {CRYPT} | |
877 | +uses the | |
878 | +.BR crypt (3). | |
879 | + | |
880 | +.B {CLEARTEXT} | |
881 | +indicates that the new password should be | |
882 | +added to userPassword as clear text. | |
883 | + | |
884 | +Note that this option does not alter the normal user applications | |
885 | +handling of userPassword during LDAP Add, Modify, or other LDAP operations. | |
886 | +.TP | |
887 | +.B password\-crypt\-salt\-format <format> | |
888 | +Specify the format of the salt passed to | |
889 | +.BR crypt (3) | |
890 | +when generating {CRYPT} passwords (see | |
891 | +.BR password\-hash ) | |
892 | +during processing of LDAP Password Modify Extended Operations (RFC 3062). | |
893 | + | |
894 | +This string needs to be in | |
895 | +.BR sprintf (3) | |
896 | +format and may include one (and only one) %s conversion. | |
897 | +This conversion will be substituted with a string of random | |
898 | +characters from [A\-Za\-z0\-9./]. For example, "%.2s" | |
899 | +provides a two character salt and "$1$%.8s" tells some | |
900 | +versions of crypt(3) to use an MD5 algorithm and provides | |
901 | +8 random characters of salt. The default is "%s", which | |
902 | +provides 31 characters of salt. | |
903 | +.TP | |
904 | +.B pidfile <filename> | |
905 | +The (absolute) name of a file that will hold the | |
906 | +.B slapd | |
907 | +server's process ID (see | |
908 | +.BR getpid (2)). | |
909 | +.TP | |
910 | +.B pluginlog: <filename> | |
911 | +The ( absolute ) name of a file that will contain log | |
912 | +messages from | |
913 | +.B SLAPI | |
914 | +plugins. See | |
915 | +.BR slapd.plugin (5) | |
916 | +for details. | |
917 | +.TP | |
918 | +.B referral <url> | |
919 | +Specify the referral to pass back when | |
920 | +.BR slapd (8) | |
921 | +cannot find a local database to handle a request. | |
922 | +If specified multiple times, each url is provided. | |
923 | +.TP | |
924 | +.B require <conditions> | |
925 | +Specify a set of conditions (separated by white space) to | |
926 | +require (default none). | |
927 | +The directive may be specified globally and/or per-database; | |
928 | +databases inherit global conditions, so per-database specifications | |
929 | +are additive. | |
930 | +.B bind | |
931 | +requires bind operation prior to directory operations. | |
932 | +.B LDAPv3 | |
933 | +requires session to be using LDAP version 3. | |
934 | +.B authc | |
935 | +requires authentication prior to directory operations. | |
936 | +.B SASL | |
937 | +requires SASL authentication prior to directory operations. | |
938 | +.B strong | |
939 | +requires strong authentication prior to directory operations. | |
940 | +The strong keyword allows protected "simple" authentication | |
941 | +as well as SASL authentication. | |
942 | +.B none | |
943 | +may be used to require no conditions (useful to clear out globally | |
944 | +set conditions within a particular database); it must occur first | |
945 | +in the list of conditions. | |
946 | +.TP | |
947 | +.B reverse\-lookup on | off | |
948 | +Enable/disable client name unverified reverse lookup (default is | |
949 | +.BR off | |
950 | +if compiled with \-\-enable\-rlookups). | |
951 | +.TP | |
952 | +.B rootDSE <file> | |
953 | +Specify the name of an LDIF(5) file containing user defined attributes | |
954 | +for the root DSE. These attributes are returned in addition to the | |
955 | +attributes normally produced by slapd. | |
956 | + | |
957 | +The root DSE is an entry with information about the server and its | |
958 | +capabilities, in operational attributes. | |
959 | +It has the empty DN, and can be read with e.g.: | |
960 | +.ti +4 | |
961 | +ldapsearch \-x \-b "" \-s base "+" | |
962 | +.br | |
963 | +See RFC 4512 section 5.1 for details. | |
964 | +.TP | |
965 | +.B sasl\-auxprops <plugin> [...] | |
966 | +Specify which auxprop plugins to use for authentication lookups. The | |
967 | +default is empty, which just uses slapd's internal support. Usually | |
968 | +no other auxprop plugins are needed. | |
969 | +.TP | |
970 | +.B sasl\-auxprops\-dontusecopy <attr> [...] | |
971 | +Specify which attribute(s) should be subject to the don't use copy control. This | |
972 | +is necessary for some SASL mechanisms such as OTP to work in a replicated | |
973 | +environment. The attribute "cmusaslsecretOTP" is the default value. | |
974 | +.TP | |
975 | +.B sasl\-auxprops\-dontusecopy\-ignore on | off | |
976 | +Used to disable replication of the attribute(s) defined by | |
977 | +sasl-auxprops-dontusecopy and instead use a local value for the attribute. This | |
978 | +allows the SASL mechanism to continue to work if the provider is offline. This can | |
979 | +cause replication inconsistency. Defaults to off. | |
980 | +.TP | |
981 | +.B sasl\-host <fqdn> | |
982 | +Used to specify the fully qualified domain name used for SASL processing. | |
983 | +.TP | |
984 | +.B sasl\-realm <realm> | |
985 | +Specify SASL realm. Default is empty. | |
986 | +.TP | |
987 | +.B sasl\-cbinding none | tls-unique | tls-endpoint | |
988 | +Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING. | |
989 | +Default is none. | |
990 | +.TP | |
991 | +.B sasl\-secprops <properties> | |
992 | +Used to specify Cyrus SASL security properties. | |
993 | +The | |
994 | +.B none | |
995 | +flag (without any other properties) causes the flag properties | |
996 | +default, "noanonymous,noplain", to be cleared. | |
997 | +The | |
998 | +.B noplain | |
999 | +flag disables mechanisms susceptible to simple passive attacks. | |
1000 | +The | |
1001 | +.B noactive | |
1002 | +flag disables mechanisms susceptible to active attacks. | |
1003 | +The | |
1004 | +.B nodict | |
1005 | +flag disables mechanisms susceptible to passive dictionary attacks. | |
1006 | +The | |
1007 | +.B noanonymous | |
1008 | +flag disables mechanisms which support anonymous login. | |
1009 | +The | |
1010 | +.B forwardsec | |
1011 | +flag require forward secrecy between sessions. | |
1012 | +The | |
1013 | +.B passcred | |
1014 | +require mechanisms which pass client credentials (and allow | |
1015 | +mechanisms which can pass credentials to do so). | |
1016 | +The | |
1017 | +.B minssf=<factor> | |
1018 | +property specifies the minimum acceptable | |
1019 | +.I security strength factor | |
1020 | +as an integer approximate to effective key length used for | |
1021 | +encryption. 0 (zero) implies no protection, 1 implies integrity | |
1022 | +protection only, 128 allows RC4, Blowfish and other similar ciphers, | |
1023 | +256 will require modern ciphers. The default is 0. | |
1024 | +The | |
1025 | +.B maxssf=<factor> | |
1026 | +property specifies the maximum acceptable | |
1027 | +.I security strength factor | |
1028 | +as an integer (see minssf description). The default is INT_MAX. | |
1029 | +The | |
1030 | +.B maxbufsize=<size> | |
1031 | +property specifies the maximum security layer receive buffer | |
1032 | +size allowed. 0 disables security layers. The default is 65536. | |
1033 | +.TP | |
1034 | +.B schemadn <dn> | |
1035 | +Specify the distinguished name for the subschema subentry that | |
1036 | +controls the entries on this server. The default is "cn=Subschema". | |
1037 | +.TP | |
1038 | +.B security <factors> | |
1039 | +Specify a set of security strength factors (separated by white space) | |
1040 | +to require (see | |
1041 | +.BR sasl\-secprops 's | |
1042 | +.B minssf | |
1043 | +option for a description of security strength factors). | |
1044 | +The directive may be specified globally and/or per-database. | |
1045 | +.B ssf=<n> | |
1046 | +specifies the overall security strength factor. | |
1047 | +.B transport=<n> | |
1048 | +specifies the transport security strength factor. | |
1049 | +.B tls=<n> | |
1050 | +specifies the TLS security strength factor. | |
1051 | +.B sasl=<n> | |
1052 | +specifies the SASL security strength factor. | |
1053 | +.B update_ssf=<n> | |
1054 | +specifies the overall security strength factor to require for | |
1055 | +directory updates. | |
1056 | +.B update_transport=<n> | |
1057 | +specifies the transport security strength factor to require for | |
1058 | +directory updates. | |
1059 | +.B update_tls=<n> | |
1060 | +specifies the TLS security strength factor to require for | |
1061 | +directory updates. | |
1062 | +.B update_sasl=<n> | |
1063 | +specifies the SASL security strength factor to require for | |
1064 | +directory updates. | |
1065 | +.B simple_bind=<n> | |
1066 | +specifies the security strength factor required for | |
1067 | +.I simple | |
1068 | +username/password authentication. | |
1069 | +Note that the | |
1070 | +.B transport | |
1071 | +factor is measure of security provided by the underlying transport, | |
1072 | +e.g. ldapi:// (and eventually IPSEC). It is not normally used. | |
1073 | +.TP | |
1074 | +.B serverID <integer> [<URL>] | |
1075 | +Specify an integer ID from 0 to 4095 for this server. The ID may also be | |
1076 | +specified as a hexadecimal ID by prefixing the value with "0x". | |
1077 | +Non-zero IDs are required when using multi-provider replication and each | |
1078 | +provider must have a unique non-zero ID. Note that this requirement also | |
1079 | +applies to separate providers contributing to a glued set of databases. | |
1080 | +If the URL is provided, this directive may be specified | |
1081 | +multiple times, providing a complete list of participating servers | |
1082 | +and their IDs. The fully qualified hostname of each server should be | |
1083 | +used in the supplied URLs. The IDs are used in the "replica id" field | |
1084 | +of all CSNs generated by the specified server. The default value is zero, which | |
1085 | +is only valid for single provider replication. | |
1086 | +Example: | |
1087 | +.LP | |
1088 | +.nf | |
1089 | + serverID 1 ldap://ldap1.example.com | |
1090 | + serverID 2 ldap://ldap2.example.com | |
1091 | +.fi | |
1092 | +.TP | |
1093 | +.B sizelimit {<integer>|unlimited} | |
1094 | +.TP | |
1095 | +.B sizelimit size[.{soft|hard}]=<integer> [...] | |
1096 | +Specify the maximum number of entries to return from a search operation. | |
1097 | +The default size limit is 500. | |
1098 | +Use | |
1099 | +.B unlimited | |
1100 | +to specify no limits. | |
1101 | +The second format allows a fine grain setting of the size limits. | |
1102 | +If no special qualifiers are specified, both soft and hard limits are set. | |
1103 | +Extra args can be added on the same line. | |
1104 | +Additional qualifiers are available; see | |
1105 | +.BR limits | |
1106 | +for an explanation of all of the different flags. | |
1107 | +.TP | |
1108 | +.B sockbuf_max_incoming <integer> | |
1109 | +Specify the maximum incoming LDAP PDU size for anonymous sessions. | |
1110 | +The default is 262143. | |
1111 | +.TP | |
1112 | +.B sockbuf_max_incoming_auth <integer> | |
1113 | +Specify the maximum incoming LDAP PDU size for authenticated sessions. | |
1114 | +The default is 4194303. | |
1115 | +.TP | |
1116 | +.B sortvals <attr> [...] | |
1117 | +Specify a list of multi-valued attributes whose values will always | |
1118 | +be maintained in sorted order. Using this option will allow Modify, | |
1119 | +Compare, and filter evaluations on these attributes to be performed | |
1120 | +more efficiently. The resulting sort order depends on the | |
1121 | +attributes' syntax and matching rules and may not correspond to | |
1122 | +lexical order or any other recognizable order. | |
1123 | +.TP | |
1124 | +.B tcp-buffer [listener=<URL>] [{read|write}=]<size> | |
1125 | +Specify the size of the TCP buffer. | |
1126 | +A global value for both read and write TCP buffers related to any listener | |
1127 | +is defined, unless the listener is explicitly specified, | |
1128 | +or either the read or write qualifiers are used. | |
1129 | +See | |
1130 | +.BR tcp (7) | |
1131 | +for details. | |
1132 | +Note that some OS-es implement automatic TCP buffer tuning. | |
1133 | +.TP | |
1134 | +.B threads <integer> | |
1135 | +Specify the maximum size of the primary thread pool. | |
1136 | +The default is 16; the minimum value is 2. | |
1137 | +.TP | |
1138 | +.B threadqueues <integer> | |
1139 | +Specify the number of work queues to use for the primary thread pool. | |
1140 | +The default is 1 and this is typically adequate for up to 8 CPU cores. | |
1141 | +The value should not exceed the number of CPUs in the system. | |
1142 | +.TP | |
1143 | +.B timelimit {<integer>|unlimited} | |
1144 | +.TP | |
1145 | +.B timelimit time[.{soft|hard}]=<integer> [...] | |
1146 | +Specify the maximum number of seconds (in real time) | |
1147 | +.B slapd | |
1148 | +will spend answering a search request. The default time limit is 3600. | |
1149 | +Use | |
1150 | +.B unlimited | |
1151 | +to specify no limits. | |
1152 | +The second format allows a fine grain setting of the time limits. | |
1153 | +Extra args can be added on the same line. See | |
1154 | +.BR limits | |
1155 | +for an explanation of the different flags. | |
1156 | +.TP | |
1157 | +.B tool\-threads <integer> | |
1158 | +Specify the maximum number of threads to use in tool mode. | |
1159 | +This should not be greater than the number of CPUs in the system. | |
1160 | +The default is 1. | |
1161 | +.TP | |
1162 | +.B writetimeout <integer> | |
1163 | +Specify the number of seconds to wait before forcibly closing | |
1164 | +a connection with an outstanding write. This allows recovery from | |
1165 | +various network hang conditions. A writetimeout of 0 disables this | |
1166 | +feature. The default is 0. | |
1167 | +.SH TLS OPTIONS | |
1168 | +If | |
1169 | +.B slapd | |
1170 | +is built with support for Transport Layer Security, there are more options | |
1171 | +you can specify. | |
1172 | +.TP | |
1173 | +.B TLSCipherSuite <cipher-suite-spec> | |
1174 | +Permits configuring what ciphers will be accepted and the preference order. | |
1175 | +<cipher-suite-spec> should be a cipher specification for the TLS library | |
1176 | +in use (OpenSSL or GnuTLS). | |
1177 | +Example: | |
1178 | +.RS | |
1179 | +.RS | |
1180 | +.TP | |
1181 | +.I OpenSSL: | |
1182 | +TLSCipherSuite HIGH:MEDIUM:+SSLv2 | |
1183 | +.TP | |
1184 | +.I GnuTLS: | |
1185 | +TLSCiphersuite SECURE256:!AES-128-CBC | |
1186 | +.RE | |
1187 | + | |
1188 | +To check what ciphers a given spec selects in OpenSSL, use: | |
1189 | + | |
1190 | +.nf | |
1191 | + openssl ciphers \-v <cipher-suite-spec> | |
1192 | +.fi | |
1193 | + | |
1194 | +With GnuTLS the available specs can be found in the manual page of | |
1195 | +.BR gnutls\-cli (1) | |
1196 | +(see the description of the | |
1197 | +option | |
1198 | +.BR \-\-priority ). | |
1199 | + | |
1200 | +In older versions of GnuTLS, where gnutls\-cli does not support the option | |
1201 | +\-\-priority, you can obtain the \(em more limited \(em list of ciphers by calling: | |
1202 | + | |
1203 | +.nf | |
1204 | + gnutls\-cli \-l | |
1205 | +.fi | |
1206 | +.RE | |
1207 | +.TP | |
1208 | +.B TLSCACertificateFile <filename> | |
1209 | +Specifies the file that contains certificates for all of the Certificate | |
1210 | +Authorities that | |
1211 | +.B slapd | |
1212 | +will recognize. The certificate for | |
1213 | +the CA that signed the server certificate must(GnuTLS)/may(OpenSSL) be included among | |
1214 | +these certificates. If the signing CA was not a top-level (root) CA, | |
1215 | +certificates for the entire sequence of CA's from the signing CA to | |
1216 | +the top-level CA should be present. Multiple certificates are simply | |
1217 | +appended to the file; the order is not significant. | |
1218 | +.TP | |
1219 | +.B TLSCACertificatePath <path> | |
1220 | +Specifies the path of directories that contain Certificate Authority | |
1221 | +certificates in separate individual files. Usually only one of this | |
1222 | +or the TLSCACertificateFile is used. If both are specified, both | |
1223 | +locations will be used. Multiple directories may be specified, | |
1224 | +separated by a semi-colon. | |
1225 | +.TP | |
1226 | +.B TLSCertificateFile <filename> | |
1227 | +Specifies the file that contains the | |
1228 | +.B slapd | |
1229 | +server certificate. | |
1230 | + | |
1231 | +When using OpenSSL that file may also contain any number of intermediate | |
1232 | +certificates after the server certificate. | |
1233 | +.TP | |
1234 | +.B TLSCertificateKeyFile <filename> | |
1235 | +Specifies the file that contains the | |
1236 | +.B slapd | |
1237 | +server private key that matches the certificate stored in the | |
1238 | +.B TLSCertificateFile | |
1239 | +file. Currently, the private key must not be protected with a password, so | |
1240 | +it is of critical importance that it is protected carefully. | |
1241 | +.TP | |
1242 | +.B TLSDHParamFile <filename> | |
1243 | +This directive specifies the file that contains parameters for Diffie-Hellman | |
1244 | +ephemeral key exchange. This is required in order to use a DSA certificate on | |
1245 | +the server, or an RSA certificate missing the "key encipherment" key usage. | |
1246 | +Note that setting this option may also enable | |
1247 | +Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites. | |
1248 | +Anonymous key exchanges should generally be avoided since they provide no | |
1249 | +actual client or server authentication and provide no protection against | |
1250 | +man-in-the-middle attacks. | |
1251 | +You should append "!ADH" to your cipher suites to ensure that these suites | |
1252 | +are not used. | |
1253 | +.TP | |
1254 | +.B TLSECName <name> | |
1255 | +Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman | |
1256 | +ephemeral key exchange. This option is only used for OpenSSL. | |
1257 | +This option is not used with GnuTLS; the curves may be | |
1258 | +chosen in the GnuTLS ciphersuite specification. | |
1259 | +.TP | |
1260 | +.B TLSProtocolMin <major>[.<minor>] | |
1261 | +Specifies minimum SSL/TLS protocol version that will be negotiated. | |
1262 | +If the server doesn't support at least that version, | |
1263 | +the SSL handshake will fail. | |
1264 | +To require TLS 1.x or higher, set this option to 3.(x+1), | |
1265 | +e.g., | |
1266 | + | |
1267 | +.nf | |
1268 | + TLSProtocolMin 3.2 | |
1269 | +.fi | |
1270 | + | |
1271 | +would require TLS 1.1. | |
1272 | +Specifying a minimum that is higher than that supported by the | |
1273 | +OpenLDAP implementation will result in it requiring the | |
1274 | +highest level that it does support. | |
1275 | +This directive is ignored with GnuTLS. | |
1276 | +.TP | |
1277 | +.B TLSRandFile <filename> | |
1278 | +Specifies the file to obtain random bits from when /dev/[u]random | |
1279 | +is not available. Generally set to the name of the EGD/PRNGD socket. | |
1280 | +The environment variable RANDFILE can also be used to specify the filename. | |
1281 | +This directive is ignored with GnuTLS. | |
1282 | +.TP | |
1283 | +.B TLSVerifyClient <level> | |
1284 | +Specifies what checks to perform on client certificates in an | |
1285 | +incoming TLS session, if any. | |
1286 | +The | |
1287 | +.B <level> | |
1288 | +can be specified as one of the following keywords: | |
1289 | +.RS | |
1290 | +.TP | |
1291 | +.B never | |
1292 | +This is the default. | |
1293 | +.B slapd | |
1294 | +will not ask the client for a certificate. | |
1295 | +.TP | |
1296 | +.B allow | |
1297 | +The client certificate is requested. If no certificate is provided, | |
1298 | +the session proceeds normally. If a bad certificate is provided, | |
1299 | +it will be ignored and the session proceeds normally. | |
1300 | +.TP | |
1301 | +.B try | |
1302 | +The client certificate is requested. If no certificate is provided, | |
1303 | +the session proceeds normally. If a bad certificate is provided, | |
1304 | +the session is immediately terminated. | |
1305 | +.TP | |
1306 | +.B demand | hard | true | |
1307 | +These keywords are all equivalent, for compatibility reasons. | |
1308 | +The client certificate is requested. If no certificate is provided, | |
1309 | +or a bad certificate is provided, the session is immediately terminated. | |
1310 | + | |
1311 | +Note that a valid client certificate is required in order to use the | |
1312 | +SASL EXTERNAL authentication mechanism with a TLS session. As such, | |
1313 | +a non-default | |
1314 | +.B TLSVerifyClient | |
1315 | +setting must be chosen to enable SASL EXTERNAL authentication. | |
1316 | +.RE | |
1317 | +.TP | |
1318 | +.B TLSCRLCheck <level> | |
1319 | +Specifies if the Certificate Revocation List (CRL) of the CA should be | |
1320 | +used to verify if the client certificates have not been revoked. This | |
1321 | +requires | |
1322 | +.B TLSCACertificatePath | |
1323 | +parameter to be set. This directive is ignored with GnuTLS. | |
1324 | +.B <level> | |
1325 | +can be specified as one of the following keywords: | |
1326 | +.RS | |
1327 | +.TP | |
1328 | +.B none | |
1329 | +No CRL checks are performed | |
1330 | +.TP | |
1331 | +.B peer | |
1332 | +Check the CRL of the peer certificate | |
1333 | +.TP | |
1334 | +.B all | |
1335 | +Check the CRL for a whole certificate chain | |
1336 | +.RE | |
1337 | +.TP | |
1338 | +.B TLSCRLFile <filename> | |
1339 | +Specifies a file containing a Certificate Revocation List to be used | |
1340 | +for verifying that certificates have not been revoked. This directive is | |
1341 | +only valid when using GnuTLS. | |
1342 | +.SH GENERAL BACKEND OPTIONS | |
1343 | +Options in this section only apply to the configuration file section | |
1344 | +of all instances of the specified backend. All backends may support | |
1345 | +this class of options, but currently only back-mdb does. | |
1346 | +.TP | |
1347 | +.B backend <databasetype> | |
1348 | +Mark the beginning of a backend definition. <databasetype> | |
1349 | +should be one of | |
1350 | +.BR asyncmeta , | |
1351 | +.BR config , | |
1352 | +.BR dnssrv , | |
1353 | +.BR ldap , | |
1354 | +.BR ldif , | |
1355 | +.BR mdb , | |
1356 | +.BR meta , | |
1357 | +.BR monitor , | |
1358 | +.BR null , | |
1359 | +.BR passwd , | |
1360 | +.BR perl , | |
1361 | +.BR relay , | |
1362 | +.BR sock , | |
1363 | +.BR sql , | |
1364 | +or | |
1365 | +.BR wt . | |
1366 | +At present, only back-mdb implements any options of this type, so this | |
1367 | +setting is not needed for any other backends. | |
1368 | + | |
1369 | +.SH GENERAL DATABASE OPTIONS | |
1370 | +Options in this section only apply to the configuration file section | |
1371 | +for the database in which they are defined. They are supported by every | |
1372 | +type of backend. Note that the | |
1373 | +.B database | |
1374 | +and at least one | |
1375 | +.B suffix | |
1376 | +option are mandatory for each database. | |
1377 | +.TP | |
1378 | +.B database <databasetype> | |
1379 | +Mark the beginning of a new database instance definition. <databasetype> | |
1380 | +should be one of | |
1381 | +.BR asyncmeta , | |
1382 | +.BR config , | |
1383 | +.BR dnssrv , | |
1384 | +.BR ldap , | |
1385 | +.BR ldif , | |
1386 | +.BR mdb , | |
1387 | +.BR meta , | |
1388 | +.BR monitor , | |
1389 | +.BR null , | |
1390 | +.BR passwd , | |
1391 | +.BR perl , | |
1392 | +.BR relay , | |
1393 | +.BR sock , | |
1394 | +.BR sql , | |
1395 | +or | |
1396 | +.BR wt , | |
1397 | +depending on which backend will serve the database. | |
1398 | + | |
1399 | +LDAP operations, even subtree searches, normally access only one | |
1400 | +database. | |
1401 | +That can be changed by gluing databases together with the | |
1402 | +.B subordinate | |
1403 | +keyword. | |
1404 | +Access controls and some overlays can also involve multiple databases. | |
1405 | +.TP | |
1406 | +.B add_content_acl on | off | |
1407 | +Controls whether Add operations will perform ACL checks on | |
1408 | +the content of the entry being added. This check is off | |
1409 | +by default. See the | |
1410 | +.BR slapd.access (5) | |
1411 | +manual page for more details on ACL requirements for | |
1412 | +Add operations. | |
1413 | +.TP | |
1414 | +.B extra_attrs <attrlist> | |
1415 | +Lists what attributes need to be added to search requests. | |
1416 | +Local storage backends return the entire entry to the frontend. | |
1417 | +The frontend takes care of only returning the requested attributes | |
1418 | +that are allowed by ACLs. | |
1419 | +However, features like access checking and so may need specific | |
1420 | +attributes that are not automatically returned by remote storage | |
1421 | +backends, like proxy backends and so on. | |
1422 | +.B <attrlist> | |
1423 | +is a list of attributes that are needed for internal purposes | |
1424 | +and thus always need to be collected, even when not explicitly | |
1425 | +requested by clients. | |
1426 | +.TP | |
1427 | +.B hidden on | off | |
1428 | +Controls whether the database will be used to answer | |
1429 | +queries. A database that is hidden will never be | |
1430 | +selected to answer any queries, and any suffix configured | |
1431 | +on the database will be ignored in checks for conflicts | |
1432 | +with other databases. By default, hidden is off. | |
1433 | +.TP | |
1434 | +.B lastmod on | off | |
1435 | +Controls whether | |
1436 | +.B slapd | |
1437 | +will automatically maintain the | |
1438 | +modifiersName, modifyTimestamp, creatorsName, and | |
1439 | +createTimestamp attributes for entries. It also controls | |
1440 | +the entryCSN and entryUUID attributes, which are needed | |
1441 | +by the syncrepl provider. By default, lastmod is on. | |
1442 | +.TP | |
1443 | +.B lastbind on | off | |
1444 | +Controls whether | |
1445 | +.B slapd | |
1446 | +will automatically maintain the pwdLastSuccess attribute for | |
1447 | +entries. By default, lastbind is off. | |
1448 | +.TP | |
1449 | +.B lastbind-precision <integer> | |
1450 | +If lastbind is enabled, specifies how frequently pwdLastSuccess | |
1451 | +will be updated. More than | |
1452 | +.B integer | |
1453 | +seconds must have passed since the last successful bind. In a | |
1454 | +replicated environment with frequent bind activity it may be | |
1455 | +useful to set this to a large value. | |
1456 | +.TP | |
1457 | +.B limits <selector> <limit> [<limit> [...]] | |
1458 | +Specify time and size limits based on the operation's initiator or | |
1459 | +base DN. | |
1460 | +The argument | |
1461 | +.B <selector> | |
1462 | +can be any of | |
1463 | +.RS | |
1464 | +.RS | |
1465 | +.TP | |
1466 | +anonymous | users | [<dnspec>=]<pattern> | group[/oc[/at]]=<pattern> | |
1467 | + | |
1468 | +.RE | |
1469 | +with | |
1470 | +.RS | |
1471 | +.TP | |
1472 | +<dnspec> ::= dn[.<type>][.<style>] | |
1473 | +.TP | |
1474 | +<type> ::= self | this | |
1475 | +.TP | |
1476 | +<style> ::= exact | base | onelevel | subtree | children | regex | anonymous | |
1477 | + | |
1478 | +.RE | |
1479 | +DN type | |
1480 | +.B self | |
1481 | +is the default and means the bound user, while | |
1482 | +.B this | |
1483 | +means the base DN of the operation. | |
1484 | +The term | |
1485 | +.B anonymous | |
1486 | +matches all unauthenticated clients. | |
1487 | +The term | |
1488 | +.B users | |
1489 | +matches all authenticated clients; | |
1490 | +otherwise an | |
1491 | +.B exact | |
1492 | +dn pattern is assumed unless otherwise specified by qualifying | |
1493 | +the (optional) key string | |
1494 | +.B dn | |
1495 | +with | |
1496 | +.B exact | |
1497 | +or | |
1498 | +.B base | |
1499 | +(which are synonyms), to require an exact match; with | |
1500 | +.BR onelevel , | |
1501 | +to require exactly one level of depth match; with | |
1502 | +.BR subtree , | |
1503 | +to allow any level of depth match, including the exact match; with | |
1504 | +.BR children , | |
1505 | +to allow any level of depth match, not including the exact match; | |
1506 | +.BR regex | |
1507 | +explicitly requires the (default) match based on POSIX (''extended'') | |
1508 | +regular expression pattern. | |
1509 | +Finally, | |
1510 | +.B anonymous | |
1511 | +matches unbound operations; the | |
1512 | +.B pattern | |
1513 | +field is ignored. | |
1514 | +The same behavior is obtained by using the | |
1515 | +.B anonymous | |
1516 | +form of the | |
1517 | +.B <selector> | |
1518 | +clause. | |
1519 | +The term | |
1520 | +.BR group , | |
1521 | +with the optional objectClass | |
1522 | +.B oc | |
1523 | +and attributeType | |
1524 | +.B at | |
1525 | +fields, followed by | |
1526 | +.BR pattern , | |
1527 | +sets the limits for any DN listed in the values of the | |
1528 | +.B at | |
1529 | +attribute (default | |
1530 | +.BR member ) | |
1531 | +of the | |
1532 | +.B oc | |
1533 | +group objectClass (default | |
1534 | +.BR groupOfNames ) | |
1535 | +whose DN exactly matches | |
1536 | +.BR pattern . | |
1537 | + | |
1538 | +The currently supported limits are | |
1539 | +.B size | |
1540 | +and | |
1541 | +.BR time . | |
1542 | + | |
1543 | +The syntax for time limits is | |
1544 | +.BR time[.{soft|hard}]=<integer> , | |
1545 | +where | |
1546 | +.I integer | |
1547 | +is the number of seconds slapd will spend answering a search request. | |
1548 | +If no time limit is explicitly requested by the client, the | |
1549 | +.BR soft | |
1550 | +limit is used; if the requested time limit exceeds the | |
1551 | +.BR hard | |
1552 | +.\"limit, an | |
1553 | +.\".I "Administrative limit exceeded" | |
1554 | +.\"error is returned. | |
1555 | +limit, the value of the limit is used instead. | |
1556 | +If the | |
1557 | +.BR hard | |
1558 | +limit is set to the keyword | |
1559 | +.IR soft , | |
1560 | +the soft limit is used in either case; if it is set to the keyword | |
1561 | +.IR unlimited , | |
1562 | +no hard limit is enforced. | |
1563 | +Explicit requests for time limits smaller or equal to the | |
1564 | +.BR hard | |
1565 | +limit are honored. | |
1566 | +If no limit specifier is set, the value is assigned to the | |
1567 | +.BR soft | |
1568 | +limit, and the | |
1569 | +.BR hard | |
1570 | +limit is set to | |
1571 | +.IR soft , | |
1572 | +to preserve the original behavior. | |
1573 | + | |
1574 | +The syntax for size limits is | |
1575 | +.BR size[.{soft|hard|unchecked}]=<integer> , | |
1576 | +where | |
1577 | +.I integer | |
1578 | +is the maximum number of entries slapd will return answering a search | |
1579 | +request. | |
1580 | +If no size limit is explicitly requested by the client, the | |
1581 | +.BR soft | |
1582 | +limit is used; if the requested size limit exceeds the | |
1583 | +.BR hard | |
1584 | +.\"limit, an | |
1585 | +.\".I "Administrative limit exceeded" | |
1586 | +.\"error is returned. | |
1587 | +limit, the value of the limit is used instead. | |
1588 | +If the | |
1589 | +.BR hard | |
1590 | +limit is set to the keyword | |
1591 | +.IR soft , | |
1592 | +the soft limit is used in either case; if it is set to the keyword | |
1593 | +.IR unlimited , | |
1594 | +no hard limit is enforced. | |
1595 | +Explicit requests for size limits smaller or equal to the | |
1596 | +.BR hard | |
1597 | +limit are honored. | |
1598 | +The | |
1599 | +.BR unchecked | |
1600 | +specifier sets a limit on the number of candidates a search request is allowed | |
1601 | +to examine. | |
1602 | +The rationale behind it is that searches for non-properly indexed | |
1603 | +attributes may result in large sets of candidates, which must be | |
1604 | +examined by | |
1605 | +.BR slapd (8) | |
1606 | +to determine whether they match the search filter or not. | |
1607 | +The | |
1608 | +.B unchecked | |
1609 | +limit provides a means to drop such operations before they are even | |
1610 | +started. | |
1611 | +If the selected candidates exceed the | |
1612 | +.BR unchecked | |
1613 | +limit, the search will abort with | |
1614 | +.IR "Unwilling to perform" . | |
1615 | +If it is set to the keyword | |
1616 | +.IR unlimited , | |
1617 | +no limit is applied (the default). | |
1618 | +If it is set to | |
1619 | +.IR disabled , | |
1620 | +the search is not even performed; this can be used to disallow searches | |
1621 | +for a specific set of users. | |
1622 | +If no limit specifier is set, the value is assigned to the | |
1623 | +.BR soft | |
1624 | +limit, and the | |
1625 | +.BR hard | |
1626 | +limit is set to | |
1627 | +.IR soft , | |
1628 | +to preserve the original behavior. | |
1629 | + | |
1630 | +In case of no match, the global limits are used. | |
1631 | +The default values are the same as for | |
1632 | +.B sizelimit | |
1633 | +and | |
1634 | +.BR timelimit ; | |
1635 | +no limit is set on | |
1636 | +.BR unchecked . | |
1637 | + | |
1638 | +If | |
1639 | +.B pagedResults | |
1640 | +control is requested, the | |
1641 | +.B hard | |
1642 | +size limit is used by default, because the request of a specific page size | |
1643 | +is considered an explicit request for a limitation on the number | |
1644 | +of entries to be returned. | |
1645 | +However, the size limit applies to the total count of entries returned within | |
1646 | +the search, and not to a single page. | |
1647 | +Additional size limits may be enforced; the syntax is | |
1648 | +.BR size.pr={<integer>|noEstimate|unlimited} , | |
1649 | +where | |
1650 | +.I integer | |
1651 | +is the max page size if no explicit limit is set; the keyword | |
1652 | +.I noEstimate | |
1653 | +inhibits the server from returning an estimate of the total number | |
1654 | +of entries that might be returned | |
1655 | +(note: the current implementation does not return any estimate). | |
1656 | +The keyword | |
1657 | +.I unlimited | |
1658 | +indicates that no limit is applied to the pagedResults control page size. | |
1659 | +The syntax | |
1660 | +.B size.prtotal={<integer>|hard|unlimited|disabled} | |
1661 | +allows one to set a limit on the total number of entries that the pagedResults | |
1662 | +control will return. | |
1663 | +By default it is set to the | |
1664 | +.B hard | |
1665 | +limit which will use the size.hard value. | |
1666 | +When set, | |
1667 | +.I integer | |
1668 | +is the max number of entries that the whole search with pagedResults control | |
1669 | +can return. | |
1670 | +Use | |
1671 | +.I unlimited | |
1672 | +to allow unlimited number of entries to be returned, e.g. to allow | |
1673 | +the use of the pagedResults control as a means to circumvent size | |
1674 | +limitations on regular searches; the keyword | |
1675 | +.I disabled | |
1676 | +disables the control, i.e. no paged results can be returned. | |
1677 | +Note that the total number of entries returned when the pagedResults control | |
1678 | +is requested cannot exceed the | |
1679 | +.B hard | |
1680 | +size limit of regular searches unless extended by the | |
1681 | +.B prtotal | |
1682 | +switch. | |
1683 | + | |
1684 | +The \fBlimits\fP statement is typically used to let an unlimited | |
1685 | +number of entries be returned by searches performed | |
1686 | +with the identity used by the consumer for synchronization purposes | |
1687 | +by means of the RFC 4533 LDAP Content Synchronization protocol | |
1688 | +(see \fBsyncrepl\fP for details). | |
1689 | + | |
1690 | +When using subordinate databases, it is necessary for any limits that | |
1691 | +are to be applied across the parent and its subordinates to be defined in | |
1692 | +both the parent and its subordinates. Otherwise the settings on the | |
1693 | +subordinate databases are not honored. | |
1694 | +.RE | |
1695 | +.TP | |
1696 | +.B maxderefdepth <depth> | |
1697 | +Specifies the maximum number of aliases to dereference when trying to | |
1698 | +resolve an entry, used to avoid infinite alias loops. The default is 15. | |
1699 | +.TP | |
1700 | +.B multiprovider on | off | |
1701 | +This option puts a consumer database into Multi-Provider mode. Update | |
1702 | +operations will be accepted from any user, not just the updatedn. The | |
1703 | +database must already be configured as a syncrepl consumer | |
1704 | +before this keyword may be set. This mode also requires a | |
1705 | +.B serverID | |
1706 | +(see above) to be configured. | |
1707 | +By default, multiprovider is off. | |
1708 | +.TP | |
1709 | +.B monitoring on | off | |
1710 | +This option enables database-specific monitoring in the entry related | |
1711 | +to the current database in the "cn=Databases,cn=Monitor" subtree | |
1712 | +of the monitor database, if the monitor database is enabled. | |
1713 | +Currently, only the MDB database provides database-specific monitoring. | |
1714 | +If monitoring is supported by the backend it defaults to on, otherwise | |
1715 | +off. | |
1716 | +.TP | |
1717 | +.B overlay <overlay-name> | |
1718 | +Add the specified overlay to this database. An overlay is a piece of | |
1719 | +code that intercepts database operations in order to extend or change | |
1720 | +them. Overlays are pushed onto | |
1721 | +a stack over the database, and so they will execute in the reverse | |
1722 | +of the order in which they were configured and the database itself | |
1723 | +will receive control last of all. See the | |
1724 | +.BR slapd.overlays (5) | |
1725 | +manual page for an overview of the available overlays. | |
1726 | +Note that all of the database's | |
1727 | +regular settings should be configured before any overlay settings. | |
1728 | +.TP | |
1729 | +.B readonly on | off | |
1730 | +This option puts the database into "read-only" mode. Any attempts to | |
1731 | +modify the database will return an "unwilling to perform" error. By | |
1732 | +default, readonly is off. | |
1733 | +.TP | |
1734 | +.B restrict <oplist> | |
1735 | +Specify a whitespace separated list of operations that are restricted. | |
1736 | +If defined inside a database specification, restrictions apply only | |
1737 | +to that database, otherwise they are global. | |
1738 | +Operations can be any of | |
1739 | +.BR add , | |
1740 | +.BR bind , | |
1741 | +.BR compare , | |
1742 | +.BR delete , | |
1743 | +.BR extended[=<OID>] , | |
1744 | +.BR modify , | |
1745 | +.BR rename , | |
1746 | +.BR search , | |
1747 | +or the special pseudo-operations | |
1748 | +.B read | |
1749 | +and | |
1750 | +.BR write , | |
1751 | +which respectively summarize read and write operations. | |
1752 | +The use of | |
1753 | +.I restrict write | |
1754 | +is equivalent to | |
1755 | +.I readonly on | |
1756 | +(see above). | |
1757 | +The | |
1758 | +.B extended | |
1759 | +keyword allows one to indicate the OID of the specific operation | |
1760 | +to be restricted. | |
1761 | +.TP | |
1762 | +.B rootdn <dn> | |
1763 | +Specify the distinguished name that is not subject to access control | |
1764 | +or administrative limit restrictions for operations on this database. | |
1765 | +This DN may or may not be associated with an entry. An empty root | |
1766 | +DN (the default) specifies no root access is to be granted. It is | |
1767 | +recommended that the rootdn only be specified when needed (such as | |
1768 | +when initially populating a database). If the rootdn is within | |
1769 | +a namingContext (suffix) of the database, a simple bind password | |
1770 | +may also be provided using the | |
1771 | +.B rootpw | |
1772 | +directive. Many optional features, including syncrepl, require the | |
1773 | +rootdn to be defined for the database. | |
1774 | +.TP | |
1775 | +.B rootpw <password> | |
1776 | +Specify a password (or hash of the password) for the rootdn. The | |
1777 | +password can only be set if the rootdn is within the namingContext | |
1778 | +(suffix) of the database. | |
1779 | +This option accepts all RFC 2307 userPassword formats known to | |
1780 | +the server (see | |
1781 | +.B password\-hash | |
1782 | +description) as well as cleartext. | |
1783 | +.BR slappasswd (8) | |
1784 | +may be used to generate a hash of a password. Cleartext | |
1785 | +and \fB{CRYPT}\fP passwords are not recommended. If empty | |
1786 | +(the default), authentication of the root DN is by other means | |
1787 | +(e.g. SASL). Use of SASL is encouraged. | |
1788 | +.TP | |
1789 | +.B suffix <dn suffix> | |
1790 | +Specify the DN suffix of queries that will be passed to this | |
1791 | +backend database. Multiple suffix lines can be given and at least one is | |
1792 | +required for each database definition. | |
1793 | + | |
1794 | +If the suffix of one database is "inside" that of another, the database | |
1795 | +with the inner suffix must come first in the configuration file. | |
1796 | +You may also want to glue such databases together with the | |
1797 | +.B subordinate | |
1798 | +keyword. | |
1799 | +.TP | |
1800 | +.B subordinate [advertise] | |
1801 | +Specify that the current backend database is a subordinate of another | |
1802 | +backend database. A subordinate database may have only one suffix. This | |
1803 | +option may be used to glue multiple databases into a single namingContext. | |
1804 | +If the suffix of the current database is within the namingContext of a | |
1805 | +superior database, searches against the superior database will be | |
1806 | +propagated to the subordinate as well. All of the databases | |
1807 | +associated with a single namingContext should have identical rootdns. | |
1808 | +Behavior of other LDAP operations is unaffected by this setting. In | |
1809 | +particular, it is not possible to use moddn to move an entry from | |
1810 | +one subordinate to another subordinate within the namingContext. | |
1811 | + | |
1812 | +If the optional \fBadvertise\fP flag is supplied, the naming context of | |
1813 | +this database is advertised in the root DSE. The default is to hide this | |
1814 | +database context, so that only the superior context is visible. | |
1815 | + | |
1816 | +If the slap tools | |
1817 | +.BR slapcat (8), | |
1818 | +.BR slapadd (8), | |
1819 | +.BR slapmodify (8), | |
1820 | +or | |
1821 | +.BR slapindex (8) | |
1822 | +are used on the superior database, any glued subordinates that support | |
1823 | +these tools are opened as well. | |
1824 | + | |
1825 | +Databases that are glued together should usually be configured with the | |
1826 | +same indices (assuming they support indexing), even for attributes that | |
1827 | +only exist in some of these databases. In general, all of the glued | |
1828 | +databases should be configured as similarly as possible, since the intent | |
1829 | +is to provide the appearance of a single directory. | |
1830 | + | |
1831 | +Note that the \fIsubordinate\fP functionality is implemented internally | |
1832 | +by the \fIglue\fP overlay and as such its behavior will interact with other | |
1833 | +overlays in use. By default, the glue overlay is automatically configured as | |
1834 | +the last overlay on the superior backend. Its position on the backend | |
1835 | +can be explicitly configured by setting an \fBoverlay glue\fP directive | |
1836 | +at the desired position. This explicit configuration is necessary e.g. | |
1837 | +when using the \fIsyncprov\fP overlay, which needs to follow \fIglue\fP | |
1838 | +in order to work over all of the glued databases. E.g. | |
1839 | +.RS | |
1840 | +.nf | |
1841 | + database mdb | |
1842 | + suffix dc=example,dc=com | |
1843 | + ... | |
1844 | + overlay glue | |
1845 | + overlay syncprov | |
1846 | +.fi | |
1847 | +.RE | |
1848 | +.TP | |
1849 | +.B sync_use_subentry | |
1850 | +Store the syncrepl contextCSN in a subentry instead of the context entry | |
1851 | +of the database. The subentry's RDN will be "cn=ldapsync". By default | |
1852 | +the contextCSN is stored in the context entry. | |
1853 | +.HP | |
1854 | +.hy 0 | |
1855 | +.B syncrepl rid=<replica ID> | |
1856 | +.B provider=ldap[s]://<hostname>[:port] | |
1857 | +.B searchbase=<base DN> | |
1858 | +.B [type=refreshOnly|refreshAndPersist] | |
1859 | +.B [interval=dd:hh:mm:ss] | |
1860 | +.B [retry=[<retry interval> <# of retries>]+] | |
1861 | +.B [filter=<filter str>] | |
1862 | +.B [scope=sub|one|base|subord] | |
1863 | +.B [attrs=<attr list>] | |
1864 | +.B [exattrs=<attr list>] | |
1865 | +.B [attrsonly] | |
1866 | +.B [sizelimit=<limit>] | |
1867 | +.B [timelimit=<limit>] | |
1868 | +.B [schemachecking=on|off] | |
1869 | +.B [network\-timeout=<seconds>] | |
1870 | +.B [timeout=<seconds>] | |
1871 | +.B [tcp\-user\-timeout=<milliseconds>] | |
1872 | +.B [bindmethod=simple|sasl] | |
1873 | +.B [binddn=<dn>] | |
1874 | +.B [saslmech=<mech>] | |
1875 | +.B [authcid=<identity>] | |
1876 | +.B [authzid=<identity>] | |
1877 | +.B [credentials=<passwd>] | |
1878 | +.B [realm=<realm>] | |
1879 | +.B [secprops=<properties>] | |
1880 | +.B [keepalive=<idle>:<probes>:<interval>] | |
1881 | +.B [starttls=yes|critical] | |
1882 | +.B [tls_cert=<file>] | |
1883 | +.B [tls_key=<file>] | |
1884 | +.B [tls_cacert=<file>] | |
1885 | +.B [tls_cacertdir=<path>] | |
1886 | +.B [tls_reqcert=never|allow|try|demand] | |
1887 | +.B [tls_reqsan=never|allow|try|demand] | |
1888 | +.B [tls_cipher_suite=<ciphers>] | |
1889 | +.B [tls_ecname=<names>] | |
1890 | +.B [tls_crlcheck=none|peer|all] | |
1891 | +.B [tls_protocol_min=<major>[.<minor>]] | |
1892 | +.B [suffixmassage=<real DN>] | |
1893 | +.B [logbase=<base DN>] | |
1894 | +.B [logfilter=<filter str>] | |
1895 | +.B [syncdata=default|accesslog|changelog] | |
1896 | +.B [lazycommit] | |
1897 | +.RS | |
1898 | +Specify the current database as a consumer which is kept up-to-date with the | |
1899 | +provider content by establishing the current | |
1900 | +.BR slapd (8) | |
1901 | +as a replication consumer site running a | |
1902 | +.B syncrepl | |
1903 | +replication engine. | |
1904 | +The consumer content is kept synchronized to the provider content using | |
1905 | +the LDAP Content Synchronization protocol. Refer to the | |
1906 | +"OpenLDAP Administrator's Guide" for detailed information on | |
1907 | +setting up a replicated | |
1908 | +.B slapd | |
1909 | +directory service using the | |
1910 | +.B syncrepl | |
1911 | +replication engine. | |
1912 | + | |
1913 | +.B rid | |
1914 | +identifies the current | |
1915 | +.B syncrepl | |
1916 | +directive within the replication consumer site. | |
1917 | +It is a non-negative integer not greater than 999 (limited | |
1918 | +to three decimal digits). | |
1919 | + | |
1920 | +.B provider | |
1921 | +specifies the replication provider site containing the provider content | |
1922 | +as an LDAP URI. If <port> is not given, the standard LDAP port number | |
1923 | +(389 or 636) is used. | |
1924 | + | |
1925 | +The content of the | |
1926 | +.B syncrepl | |
1927 | +consumer is defined using a search | |
1928 | +specification as its result set. The consumer | |
1929 | +.B slapd | |
1930 | +will send search requests to the provider | |
1931 | +.B slapd | |
1932 | +according to the search specification. The search specification includes | |
1933 | +.BR searchbase ", " scope ", " filter ", " attrs ", " attrsonly ", " sizelimit ", " | |
1934 | +and | |
1935 | +.B timelimit | |
1936 | +parameters as in the normal search specification. The | |
1937 | +.B exattrs | |
1938 | +option may also be used to specify attributes that should be omitted | |
1939 | +from incoming entries. | |
1940 | +The \fBscope\fP defaults to \fBsub\fP, the \fBfilter\fP defaults to | |
1941 | +\fB(objectclass=*)\fP, and there is no default \fBsearchbase\fP. The | |
1942 | +\fBattrs\fP list defaults to \fB"*,+"\fP to return all user and operational | |
1943 | +attributes, and \fBattrsonly\fP and \fBexattrs\fP are unset by default. | |
1944 | +The \fBsizelimit\fP and \fBtimelimit\fP only | |
1945 | +accept "unlimited" and positive integers, and both default to "unlimited". | |
1946 | +The \fBsizelimit\fP and \fBtimelimit\fP parameters define | |
1947 | +a consumer requested limitation on the number of entries that can be returned | |
1948 | +by the LDAP Content Synchronization operation; as such, it is intended | |
1949 | +to implement partial replication based on the size of the replicated database | |
1950 | +and on the time required by the synchronization. | |
1951 | +Note, however, that any provider-side limits for the replication identity | |
1952 | +will be enforced by the provider regardless of the limits requested | |
1953 | +by the LDAP Content Synchronization operation, much like for any other | |
1954 | +search operation. | |
1955 | + | |
1956 | +The LDAP Content Synchronization protocol has two operation types. | |
1957 | +In the | |
1958 | +.B refreshOnly | |
1959 | +operation, the next synchronization search operation | |
1960 | +is periodically rescheduled at an interval time (specified by | |
1961 | +.B interval | |
1962 | +parameter; 1 day by default) | |
1963 | +after each synchronization operation finishes. | |
1964 | +In the | |
1965 | +.B refreshAndPersist | |
1966 | +operation, a synchronization search remains persistent in the provider slapd. | |
1967 | +Further updates to the provider will generate | |
1968 | +.B searchResultEntry | |
1969 | +to the consumer slapd as the search responses to the persistent | |
1970 | +synchronization search. If the initial search fails due to an error, the | |
1971 | +next synchronization search operation is periodically rescheduled at an | |
1972 | +interval time (specified by | |
1973 | +.B interval | |
1974 | +parameter; 1 day by default) | |
1975 | + | |
1976 | +If an error occurs during replication, the consumer will attempt to | |
1977 | +reconnect according to the | |
1978 | +.B retry | |
1979 | +parameter which is a list of the <retry interval> and <# of retries> pairs. | |
1980 | +For example, retry="60 10 300 3" lets the consumer retry every 60 seconds | |
1981 | +for the first 10 times and then retry every 300 seconds for the next 3 | |
1982 | +times before stop retrying. The `+' in <# of retries> means indefinite | |
1983 | +number of retries until success. | |
1984 | +If no | |
1985 | +.B retry | |
1986 | +is specified, by default syncrepl retries every hour forever. | |
1987 | + | |
1988 | +The schema checking can be enforced at the LDAP Sync | |
1989 | +consumer site by turning on the | |
1990 | +.B schemachecking | |
1991 | +parameter. The default is \fBoff\fP. | |
1992 | +Schema checking \fBon\fP means that replicated entries must have | |
1993 | +a structural objectClass, must obey to objectClass requirements | |
1994 | +in terms of required/allowed attributes, and that naming attributes | |
1995 | +and distinguished values must be present. | |
1996 | +As a consequence, schema checking should be \fBoff\fP when partial | |
1997 | +replication is used. | |
1998 | + | |
1999 | +The | |
2000 | +.B network\-timeout | |
2001 | +parameter sets how long the consumer will wait to establish a | |
2002 | +network connection to the provider. Once a connection is | |
2003 | +established, the | |
2004 | +.B timeout | |
2005 | +parameter determines how long the consumer will wait for the initial | |
2006 | +Bind request to complete. The defaults for these parameters come | |
2007 | +from | |
2008 | +.BR ldap.conf (5). | |
2009 | +The | |
2010 | +.B tcp\-user\-timeout | |
2011 | +parameter, if non-zero, corresponds to the | |
2012 | +.B TCP_USER_TIMEOUT | |
2013 | +set on the target connections, overriding the operating system setting. | |
2014 | +Only some systems support the customization of this parameter, it is | |
2015 | +ignored otherwise and system-wide settings are used. | |
2016 | + | |
2017 | +A | |
2018 | +.B bindmethod | |
2019 | +of | |
2020 | +.B simple | |
2021 | +requires the options | |
2022 | +.B binddn | |
2023 | +and | |
2024 | +.B credentials | |
2025 | +and should only be used when adequate security services | |
2026 | +(e.g. TLS or IPSEC) are in place. | |
2027 | +.B REMEMBER: simple bind credentials must be in cleartext! | |
2028 | +A | |
2029 | +.B bindmethod | |
2030 | +of | |
2031 | +.B sasl | |
2032 | +requires the option | |
2033 | +.B saslmech. | |
2034 | +Depending on the mechanism, an authentication identity and/or | |
2035 | +credentials can be specified using | |
2036 | +.B authcid | |
2037 | +and | |
2038 | +.B credentials. | |
2039 | +The | |
2040 | +.B authzid | |
2041 | +parameter may be used to specify an authorization identity. | |
2042 | +Specific security properties (as with the | |
2043 | +.B sasl\-secprops | |
2044 | +keyword above) for a SASL bind can be set with the | |
2045 | +.B secprops | |
2046 | +option. A non default SASL realm can be set with the | |
2047 | +.B realm | |
2048 | +option. | |
2049 | +The identity used for synchronization by the consumer should be allowed | |
2050 | +to receive an unlimited number of entries in response to a search request. | |
2051 | +The provider, other than allowing authentication of the syncrepl identity, | |
2052 | +should grant that identity appropriate access privileges to the data | |
2053 | +that is being replicated (\fBaccess\fP directive), and appropriate time | |
2054 | +and size limits. | |
2055 | +This can be accomplished by either allowing unlimited \fBsizelimit\fP | |
2056 | +and \fBtimelimit\fP, or by setting an appropriate \fBlimits\fP statement | |
2057 | +in the consumer's configuration (see \fBsizelimit\fP and \fBlimits\fP | |
2058 | +for details). | |
2059 | + | |
2060 | +The | |
2061 | +.B keepalive | |
2062 | +parameter sets the values of \fIidle\fP, \fIprobes\fP, and \fIinterval\fP | |
2063 | +used to check whether a socket is alive; | |
2064 | +.I idle | |
2065 | +is the number of seconds a connection needs to remain idle before TCP | |
2066 | +starts sending keepalive probes; | |
2067 | +.I probes | |
2068 | +is the maximum number of keepalive probes TCP should send before dropping | |
2069 | +the connection; | |
2070 | +.I interval | |
2071 | +is interval in seconds between individual keepalive probes. | |
2072 | +Only some systems support the customization of these values; | |
2073 | +the | |
2074 | +.B keepalive | |
2075 | +parameter is ignored otherwise, and system-wide settings are used. | |
2076 | + | |
2077 | +The | |
2078 | +.B starttls | |
2079 | +parameter specifies use of the StartTLS extended operation | |
2080 | +to establish a TLS session before Binding to the provider. If the | |
2081 | +.B critical | |
2082 | +argument is supplied, the session will be aborted if the StartTLS request | |
2083 | +fails. Otherwise the syncrepl session continues without TLS. The | |
2084 | +.B tls_reqcert | |
2085 | +setting defaults to "demand", the | |
2086 | +.B tls_reqsan | |
2087 | +setting defaults to "allow", and the other TLS settings | |
2088 | +default to the same as the main slapd TLS settings. | |
2089 | + | |
2090 | +The | |
2091 | +.B suffixmassage | |
2092 | +parameter allows the consumer to pull entries from a remote directory | |
2093 | +whose DN suffix differs from the local directory. The portion of the | |
2094 | +remote entries' DNs that matches the \fIsearchbase\fP will be replaced | |
2095 | +with the suffixmassage DN. | |
2096 | + | |
2097 | +Rather than replicating whole entries, the consumer can query logs of | |
2098 | +data modifications. This mode of operation is referred to as \fIdelta | |
2099 | +syncrepl\fP. In addition to the above parameters, the | |
2100 | +.B logbase | |
2101 | +and | |
2102 | +.B logfilter | |
2103 | +parameters must be set appropriately for the log that will be used. The | |
2104 | +.B syncdata | |
2105 | +parameter must be set to either "accesslog" if the log conforms to the | |
2106 | +.BR slapo\-accesslog (5) | |
2107 | +log format, or "changelog" if the log conforms | |
2108 | +to the obsolete \fIchangelog\fP format. If the | |
2109 | +.B syncdata | |
2110 | +parameter is omitted or set to "default" then the log parameters are | |
2111 | +ignored. | |
2112 | + | |
2113 | +The | |
2114 | +.B lazycommit | |
2115 | +parameter tells the underlying database that it can store changes without | |
2116 | +performing a full flush after each change. This may improve performance | |
2117 | +for the consumer, while sacrificing safety or durability. | |
2118 | +.RE | |
2119 | +.TP | |
2120 | +.B updatedn <dn> | |
2121 | +This option is only applicable in a replica | |
2122 | +database. | |
2123 | +It specifies the DN permitted to update (subject to access controls) | |
2124 | +the replica. It is only needed in certain push-mode | |
2125 | +replication scenarios. Generally, this DN | |
2126 | +.I should not | |
2127 | +be the same as the | |
2128 | +.B rootdn | |
2129 | +used at the provider. | |
2130 | +.TP | |
2131 | +.B updateref <url> | |
2132 | +Specify the referral to pass back when | |
2133 | +.BR slapd (8) | |
2134 | +is asked to modify a replicated local database. | |
2135 | +If specified multiple times, each url is provided. | |
2136 | + | |
2137 | +.SH DATABASE-SPECIFIC OPTIONS | |
2138 | +Each database may allow specific configuration options; they are | |
2139 | +documented separately in the backends' manual pages. See the | |
2140 | +.BR slapd.backends (5) | |
2141 | +manual page for an overview of available backends. | |
2142 | +.SH EXAMPLES | |
2143 | +.LP | |
2144 | +Here is a short example of a configuration file: | |
2145 | +.LP | |
2146 | +.RS | |
2147 | +.nf | |
2148 | +include SYSCONFDIR/schema/core.schema | |
2149 | +pidfile LOCALSTATEDIR/run/slapd.pid | |
2150 | + | |
2151 | +# Subtypes of "name" (e.g. "cn" and "ou") with the | |
2152 | +# option ";x\-hidden" can be searched for/compared, | |
2153 | +# but are not shown. See \fBslapd.access\fP(5). | |
2154 | +attributeoptions x\-hidden lang\- | |
2155 | +access to attrs=name;x\-hidden by * =cs | |
2156 | + | |
2157 | +# Protect passwords. See \fBslapd.access\fP(5). | |
2158 | +access to attrs=userPassword by * auth | |
2159 | +# Read access to other attributes and entries. | |
2160 | +access to * by * read | |
2161 | + | |
2162 | +database mdb | |
2163 | +suffix "dc=our\-domain,dc=com" | |
2164 | +# The database directory MUST exist prior to | |
2165 | +# running slapd AND should only be accessible | |
2166 | +# by the slapd/tools. Mode 0700 recommended. | |
2167 | +directory LOCALSTATEDIR/openldap\-data | |
2168 | +# Indices to maintain | |
2169 | +index objectClass eq | |
2170 | +index cn,sn,mail pres,eq,approx,sub | |
2171 | + | |
2172 | +# We serve small clients that do not handle referrals, | |
2173 | +# so handle remote lookups on their behalf. | |
2174 | +database ldap | |
2175 | +suffix "" | |
2176 | +uri ldap://ldap.some\-server.com/ | |
2177 | +lastmod off | |
2178 | +.fi | |
2179 | +.RE | |
2180 | +.LP | |
2181 | +"OpenLDAP Administrator's Guide" contains a longer annotated | |
2182 | +example of a configuration file. | |
2183 | +The original ETCDIR/slapd.conf is another example. | |
2184 | +.SH FILES | |
2185 | +.TP | |
2186 | +ETCDIR/slapd.conf | |
2187 | +default slapd configuration file | |
2188 | +.SH SEE ALSO | |
2189 | +.BR ldap (3), | |
2190 | +.BR gnutls\-cli (1), | |
2191 | +.BR slapd\-config (5), | |
2192 | +.BR slapd.access (5), | |
2193 | +.BR slapd.backends (5), | |
2194 | +.BR slapd.overlays (5), | |
2195 | +.BR slapd.plugin (5), | |
2196 | +.BR slapd (8), | |
2197 | +.BR slapacl (8), | |
2198 | +.BR slapadd (8), | |
2199 | +.BR slapauth (8), | |
2200 | +.BR slapcat (8), | |
2201 | +.BR slapdn (8), | |
2202 | +.BR slapindex (8), | |
2203 | +.BR slapmodify (8), | |
2204 | +.BR slappasswd (8), | |
2205 | +.BR slaptest (8). | |
2206 | +.LP | |
2207 | +"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) | |
2208 | +.SH ACKNOWLEDGEMENTS | |
2209 | +.so ../Project | |
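Review bot: a stray backup of the unmodified slapd.conf(5) page appears to have been captured in this hunk rather than an intended change: every line is `+`, and the example still reads `directory LOCALSTATEDIR/openldap\-data`, the very line the real slapd.conf.5 hunk rewrites to `LOCALSTATEDIR/lib/openldap`. Drop this file from the patch (it is most likely the `.orig` copy `patch` leaves behind during a rediff); shipping it would install a second, stale copy of the man page next to the corrected one and leave the documented database path inconsistent between the two.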
2210 | diff -Naurp openldap-2.6.1.orig/doc/man/man5/slapd-config.5 openldap-2.6.1/doc/man/man5/slapd-config.5 | |
2211 | --- openldap-2.6.1.orig/doc/man/man5/slapd-config.5 2022-01-19 12:32:34.000000000 -0600 | |
2212 | +++ openldap-2.6.1/doc/man/man5/slapd-config.5 2022-02-13 15:54:13.654979570 -0600 | |
2213 | @@ -2234,7 +2234,7 @@ olcSuffix: "dc=our\-domain,dc=com" | |
2214 | # The database directory MUST exist prior to | |
2215 | # running slapd AND should only be accessible | |
2216 | # by the slapd/tools. Mode 0700 recommended. | |
2217 | -olcDbDirectory: LOCALSTATEDIR/openldap\-data | |
2218 | +olcDbDirectory: LOCALSTATEDIR/lib/openldap | |
2219 | # Indices to maintain | |
2220 | olcDbIndex: objectClass eq | |
2221 | olcDbIndex: cn,sn,mail pres,eq,approx,sub | |
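Review bot: the example path change to `olcDbDirectory: LOCALSTATEDIR/lib/openldap` is consistent with the slapd.conf(5) hunk, but the unchanged comment above it still requires the directory to exist before slapd starts and to be accessible only to slapd and its tools with mode 0700; make sure the BLFS installation steps create `LOCALSTATEDIR/lib/openldap` with that ownership and mode, and that the shipped slapd.conf/slapd.ldif templates use the same path so the documentation and the installed defaults agree.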
2222 | diff -Naurp openldap-2.6.1.orig/doc/man/man5/slapd-config.5.orig openldap-2.6.1/doc/man/man5/slapd-config.5.orig | |
2223 | --- openldap-2.6.1.orig/doc/man/man5/slapd-config.5.orig 1969-12-31 18:00:00.000000000 -0600 | |
2224 | +++ openldap-2.6.1/doc/man/man5/slapd-config.5.orig 2022-01-19 12:32:34.000000000 -0600 | |
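Review bot: `slapd-config.5.orig` is a backup file produced while rediffing, not part of the intended change: the `---` side carries the epoch timestamp 1969-12-31 (no such file existed before) and the hunk header that follows is `@@ -0,0 +1,2303 @@`, i.e. the whole pristine page added verbatim. Remove this file from the patch, or regenerate the diff from a clean tree; otherwise the patch grows by about 2300 lines of unchanged upstream text and the build tree gets a stale `.orig` man page beside the modified one.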
2225 | @@ -0,0 +1,2303 @@ | |
2226 | +.TH SLAPD-CONFIG 5 "RELEASEDATE" "OpenLDAP LDVERSION" | |
2227 | +.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved. | |
2228 | +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. | |
2229 | +.\" $OpenLDAP$ | |
2230 | +.SH NAME | |
2231 | +slapd\-config \- configuration backend to slapd | |
2232 | +.SH SYNOPSIS | |
2233 | +ETCDIR/slapd.d | |
2234 | +.SH DESCRIPTION | |
2235 | +The | |
2236 | +.B config | |
2237 | +backend manages all of the configuration information for the | |
2238 | +.BR slapd (8) | |
2239 | +daemon. This configuration information is also used by the SLAPD tools | |
2240 | +.BR slapacl (8), | |
2241 | +.BR slapadd (8), | |
2242 | +.BR slapauth (8), | |
2243 | +.BR slapcat (8), | |
2244 | +.BR slapdn (8), | |
2245 | +.BR slapindex (8), | |
2246 | +.BR slapmodify (8), | |
2247 | +and | |
2248 | +.BR slaptest (8). | |
2249 | +.LP | |
2250 | +The | |
2251 | +.B config | |
2252 | +backend is backward compatible with the older | |
2253 | +.BR slapd.conf (5) | |
2254 | +file but provides the ability to change the configuration dynamically | |
2255 | +at runtime. If slapd is run with only a | |
2256 | +.B slapd.conf | |
2257 | +file dynamic changes will be allowed but they will not persist across | |
2258 | +a server restart. Dynamic changes are only saved when slapd is running | |
2259 | +from a | |
2260 | +.B slapd.d | |
2261 | +configuration directory. | |
2262 | +.LP | |
2263 | + | |
2264 | +Unlike other backends, there can only be one instance of the | |
2265 | +.B config | |
2266 | +backend, and most of its structure is predefined. The root of the | |
2267 | +database is hardcoded to | |
2268 | +.B "cn=config" | |
2269 | +and this root entry contains | |
2270 | +global settings for slapd. Multiple child entries underneath the | |
2271 | +root entry are used to carry various other settings: | |
2272 | +.RS | |
2273 | +.TP | |
2274 | +.B cn=Module | |
2275 | +dynamically loaded modules | |
2276 | +.TP | |
2277 | +.B cn=Schema | |
2278 | +schema definitions | |
2279 | +.TP | |
2280 | +.B olcBackend=xxx | |
2281 | +backend-specific settings | |
2282 | +.TP | |
2283 | +.B olcDatabase=xxx | |
2284 | +database-specific settings | |
2285 | +.RE | |
2286 | + | |
2287 | +The | |
2288 | +.B cn=Module | |
2289 | +entries will only appear in configurations where slapd | |
2290 | +was built with support for dynamically loaded modules. There can be | |
2291 | +multiple entries, one for each configured module path. Within each | |
2292 | +entry there will be values recorded for each module loaded on a | |
2293 | +given path. These entries have no children. | |
2294 | + | |
2295 | +The | |
2296 | +.B cn=Schema | |
2297 | +entry contains all of the hardcoded schema elements. | |
2298 | +The children of this entry contain all user-defined schema elements. | |
2299 | +In schema that were loaded from include files, the child entry will | |
2300 | +be named after the include file from which the schema was loaded. | |
2301 | +Typically the first child in this subtree will be | |
2302 | +.BR cn=core,cn=schema,cn=config . | |
2303 | + | |
2304 | +.B olcBackend | |
2305 | +entries are for storing settings specific to a single | |
2306 | +backend type (and thus global to all database instances of that type). | |
2307 | +At present, only back-mdb implements any options of this type, so this | |
2308 | +setting is not needed for any other backends. | |
2309 | + | |
2310 | +.B olcDatabase | |
2311 | +entries store settings specific to a single database | |
2312 | +instance. These entries may have | |
2313 | +.B olcOverlay | |
2314 | +child entries corresponding | |
2315 | +to any overlays configured on the database. The olcDatabase and | |
2316 | +olcOverlay entries may also have miscellaneous child entries for | |
2317 | +other settings as needed. There are two special database entries | |
2318 | +that are predefined \- one is an entry for the config database itself, | |
2319 | +and the other is for the "frontend" database. Settings in the | |
2320 | +frontend database are inherited by the other databases, unless | |
2321 | +they are explicitly overridden in a specific database. | |
2322 | +.LP | |
2323 | +The specific configuration options available are discussed below in the | |
2324 | +Global Configuration Options, General Backend Options, and General Database | |
2325 | +Options. Options are set by defining LDAP attributes with specific values. | |
2326 | +In general the names of the LDAP attributes are the same as the corresponding | |
2327 | +.B slapd.conf | |
2328 | +keyword, with an "olc" prefix added on. | |
2329 | + | |
2330 | +The parser for many of these attributes is the same as used for parsing | |
2331 | +the slapd.conf keywords. As such, slapd.conf keywords that allow multiple | |
2332 | +items to be specified on one line, separated by whitespace, will allow | |
2333 | +multiple items to be specified in one attribute value. However, when | |
2334 | +reading the attribute via LDAP, the items will be returned as individual | |
2335 | +attribute values. | |
2336 | + | |
2337 | +Backend-specific options are discussed in the | |
2338 | +.B slapd\-<backend>(5) | |
2339 | +manual pages. Refer to the "OpenLDAP Administrator's Guide" for more | |
2340 | +details on configuring slapd. | |
2341 | +.SH GLOBAL CONFIGURATION OPTIONS | |
2342 | +Options described in this section apply to the server as a whole. | |
2343 | +Arguments that should be replaced by | |
2344 | +actual text are shown in brackets <>. | |
2345 | + | |
2346 | +These options may only be specified in the | |
2347 | +.B cn=config | |
2348 | +entry. This entry must have an objectClass of | |
2349 | +.BR olcGlobal . | |
2350 | + | |
2351 | +.TP | |
2352 | +.B olcAllows: <features> | |
2353 | +Specify a set of features to allow (default none). | |
2354 | +.B bind_v2 | |
2355 | +allows acceptance of LDAPv2 bind requests. Note that | |
2356 | +.BR slapd (8) | |
2357 | +does not truly implement LDAPv2 (RFC 1777), now Historic (RFC 3494). | |
2358 | +.B bind_anon_cred | |
2359 | +allows anonymous bind when credentials are not empty (e.g. | |
2360 | +when DN is empty). | |
2361 | +.B bind_anon_dn | |
2362 | +allows unauthenticated (anonymous) bind when DN is not empty. | |
2363 | +.B update_anon | |
2364 | +allows unauthenticated (anonymous) update operations to be processed | |
2365 | +(subject to access controls and other administrative limits). | |
2366 | +.B proxy_authz_anon | |
2367 | +allows unauthenticated (anonymous) proxy authorization control to be processed | |
2368 | +(subject to access controls, authorization and other administrative limits). | |
2369 | +.TP | |
2370 | +.B olcArgsFile: <filename> | |
2371 | +The (absolute) name of a file that will hold the | |
2372 | +.B slapd | |
2373 | +server's command line (program name and options). | |
2374 | +.TP | |
2375 | +.B olcAttributeOptions: <option-name>... | |
2376 | +Define tagging attribute options or option tag/range prefixes. | |
2377 | +Options must not end with `\-', prefixes must end with `\-'. | |
2378 | +The `lang\-' prefix is predefined. | |
2379 | +If you use the | |
2380 | +.B olcAttributeOptions | |
2381 | +directive, `lang\-' will no longer be defined and you must specify it | |
2382 | +explicitly if you want it defined. | |
2383 | + | |
2384 | +An attribute description with a tagging option is a subtype of that | |
2385 | +attribute description without the option. | |
2386 | +Except for that, options defined this way have no special semantics. | |
2387 | +Prefixes defined this way work like the `lang\-' options: | |
2388 | +They define a prefix for tagging options starting with the prefix. | |
2389 | +That is, if you define the prefix `x\-foo\-', you can use the option | |
2390 | +`x\-foo\-bar'. | |
2391 | +Furthermore, in a search or compare, a prefix or range name (with | |
2392 | +a trailing `\-') matches all options starting with that name, as well | |
2393 | +as the option with the range name sans the trailing `\-'. | |
2394 | +That is, `x\-foo\-bar\-' matches `x\-foo\-bar' and `x\-foo\-bar\-baz'. | |
2395 | + | |
2396 | +RFC 4520 reserves options beginning with `x\-' for private experiments. | |
2397 | +Other options should be registered with IANA, see RFC 4520 section 3.5. | |
2398 | +OpenLDAP also has the `binary' option built in, but this is a transfer | |
2399 | +option, not a tagging option. | |
2400 | +.TP | |
2401 | +.B olcAuthIDRewrite: <rewrite\-rule> | |
2402 | +Used by the authentication framework to convert simple user names | |
2403 | +to an LDAP DN used for authorization purposes. | |
2404 | +Its purpose is analogous to that of | |
2405 | +.BR olcAuthzRegexp | |
2406 | +(see below). | |
2407 | +The | |
2408 | +.B rewrite\-rule | |
2409 | +is a set of rules analogous to those described in | |
2410 | +.BR slapo\-rwm (5) | |
2411 | +for data rewriting (after stripping the \fIrwm\-\fP prefix). | |
2412 | +.B olcAuthIDRewrite | |
2413 | +and | |
2414 | +.B olcAuthzRegexp | |
2415 | +should not be intermixed. | |
2416 | +.TP | |
2417 | +.B olcAuthzPolicy: <policy> | |
2418 | +Used to specify which rules to use for Proxy Authorization. Proxy | |
2419 | +authorization allows a client to authenticate to the server using one | |
2420 | +user's credentials, but specify a different identity to use for authorization | |
2421 | +and access control purposes. It essentially allows user A to login as user | |
2422 | +B, using user A's password. | |
2423 | +The | |
2424 | +.B none | |
2425 | +flag disables proxy authorization. This is the default setting. | |
2426 | +The | |
2427 | +.B from | |
2428 | +flag will use rules in the | |
2429 | +.I authzFrom | |
2430 | +attribute of the authorization DN. | |
2431 | +The | |
2432 | +.B to | |
2433 | +flag will use rules in the | |
2434 | +.I authzTo | |
2435 | +attribute of the authentication DN. | |
2436 | +The | |
2437 | +.B any | |
2438 | +flag, an alias for the deprecated value of | |
2439 | +.BR both , | |
2440 | +will allow any of the above, whatever succeeds first (checked in | |
2441 | +.BR to , | |
2442 | +.B from | |
2443 | +sequence. | |
2444 | +The | |
2445 | +.B all | |
2446 | +flag requires both authorizations to succeed. | |
2447 | +.LP | |
2448 | +.RS | |
2449 | +The rules are mechanisms to specify which identities are allowed | |
2450 | +to perform proxy authorization. | |
2451 | +The | |
2452 | +.I authzFrom | |
2453 | +attribute in an entry specifies which other users | |
2454 | +are allowed to proxy login to this entry. The | |
2455 | +.I authzTo | |
2456 | +attribute in | |
2457 | +an entry specifies which other users this user can authorize as. Use of | |
2458 | +.I authzTo | |
2459 | +rules can be easily | |
2460 | +abused if users are allowed to write arbitrary values to this attribute. | |
2461 | +In general the | |
2462 | +.I authzTo | |
2463 | +attribute must be protected with ACLs such that | |
2464 | +only privileged users can modify it. | |
2465 | +The value of | |
2466 | +.I authzFrom | |
2467 | +and | |
2468 | +.I authzTo | |
2469 | +describes an | |
2470 | +.B identity | |
2471 | +or a set of identities; it can take five forms: | |
2472 | +.RS | |
2473 | +.TP | |
2474 | +.B ldap:///<base>??[<scope>]?<filter> | |
2475 | +.RE | |
2476 | +.RS | |
2477 | +.B dn[.<dnstyle>]:<pattern> | |
2478 | +.RE | |
2479 | +.RS | |
2480 | +.B u[.<mech>[<realm>]]:<pattern> | |
2481 | +.RE | |
2482 | +.RS | |
2483 | +.B group[/objectClass[/attributeType]]:<pattern> | |
2484 | +.RE | |
2485 | +.RS | |
2486 | +.B <pattern> | |
2487 | +.RE | |
2488 | +.RS | |
2489 | + | |
2490 | +.B <dnstyle>:={exact|onelevel|children|subtree|regex} | |
2491 | + | |
2492 | +.RE | |
2493 | +The first form is a valid LDAP | |
2494 | +.B URI | |
2495 | +where the | |
2496 | +.IR <host>:<port> , | |
2497 | +the | |
2498 | +.I <attrs> | |
2499 | +and the | |
2500 | +.I <extensions> | |
2501 | +portions must be absent, so that the search occurs locally on either | |
2502 | +.I authzFrom | |
2503 | +or | |
2504 | +.IR authzTo . | |
2505 | + | |
2506 | +.LP | |
2507 | +The second form is a | |
2508 | +.BR DN , | |
2509 | +with the optional style modifiers | |
2510 | +.IR exact , | |
2511 | +.IR onelevel , | |
2512 | +.IR children , | |
2513 | +and | |
2514 | +.I subtree | |
2515 | +for exact, onelevel, children and subtree matches, which cause | |
2516 | +.I <pattern> | |
2517 | +to be normalized according to the DN normalization rules, or the special | |
2518 | +.I regex | |
2519 | +style, which causes the | |
2520 | +.I <pattern> | |
2521 | +to be treated as a POSIX (''extended'') regular expression, as | |
2522 | +discussed in | |
2523 | +.BR regex (7) | |
2524 | +and/or | |
2525 | +.BR re_format (7). | |
2526 | +A pattern of | |
2527 | +.I * | |
2528 | +means any non-anonymous DN. | |
2529 | + | |
2530 | +.LP | |
2531 | +The third form is a SASL | |
2532 | +.BR id , | |
2533 | +with the optional fields | |
2534 | +.I <mech> | |
2535 | +and | |
2536 | +.I <realm> | |
2537 | +that allow to specify a SASL | |
2538 | +.BR mechanism , | |
2539 | +and eventually a SASL | |
2540 | +.BR realm , | |
2541 | +for those mechanisms that support one. | |
2542 | +The need to allow the specification of a mechanism is still debated, | |
2543 | +and users are strongly discouraged to rely on this possibility. | |
2544 | + | |
2545 | +.LP | |
2546 | +The fourth form is a group specification. | |
2547 | +It consists of the keyword | |
2548 | +.BR group , | |
2549 | +optionally followed by the specification of the group | |
2550 | +.B objectClass | |
2551 | +and | |
2552 | +.BR attributeType . | |
2553 | +The | |
2554 | +.B objectClass | |
2555 | +defaults to | |
2556 | +.IR groupOfNames . | |
2557 | +The | |
2558 | +.B attributeType | |
2559 | +defaults to | |
2560 | +.IR member . | |
2561 | +The group with DN | |
2562 | +.B <pattern> | |
2563 | +is searched with base scope, filtered on the specified | |
2564 | +.BR objectClass . | |
2565 | +The values of the resulting | |
2566 | +.B attributeType | |
2567 | +are searched for the asserted DN. | |
2568 | + | |
2569 | +.LP | |
2570 | +The fifth form is provided for backwards compatibility. If no identity | |
2571 | +type is provided, i.e. only | |
2572 | +.B <pattern> | |
2573 | +is present, an | |
2574 | +.I exact DN | |
2575 | +is assumed; as a consequence, | |
2576 | +.B <pattern> | |
2577 | +is subjected to DN normalization. | |
2578 | + | |
2579 | +.LP | |
2580 | +Since the interpretation of | |
2581 | +.I authzFrom | |
2582 | +and | |
2583 | +.I authzTo | |
2584 | +can impact security, users are strongly encouraged | |
2585 | +to explicitly set the type of identity specification that is being used. | |
2586 | +A subset of these rules can be used as third arg in the | |
2587 | +.B olcAuthzRegexp | |
2588 | +statement (see below); significantly, the | |
2589 | +.IR URI , | |
2590 | +provided it results in exactly one entry, | |
2591 | +and the | |
2592 | +.I dn.exact:<dn> | |
2593 | +forms. | |
2594 | +.RE | |
2595 | +.TP | |
2596 | +.B olcAuthzRegexp: <match> <replace> | |
2597 | +Used by the authentication framework to convert simple user names, | |
2598 | +such as provided by SASL subsystem, or extracted from certificates | |
2599 | +in case of cert-based SASL EXTERNAL, or provided within the RFC 4370 | |
2600 | +"proxied authorization" control, to an LDAP DN used for | |
2601 | +authorization purposes. Note that the resulting DN need not refer | |
2602 | +to an existing entry to be considered valid. When an authorization | |
2603 | +request is received from the SASL subsystem, the SASL | |
2604 | +.BR USERNAME , | |
2605 | +.BR REALM , | |
2606 | +and | |
2607 | +.B MECHANISM | |
2608 | +are taken, when available, and combined into a name of the form | |
2609 | +.RS | |
2610 | +.RS | |
2611 | +.TP | |
2612 | +.B UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth | |
2613 | + | |
2614 | +.RE | |
2615 | +This name is then compared against the | |
2616 | +.B match | |
2617 | +POSIX (''extended'') regular expression, and if the match is successful, | |
2618 | +the name is replaced with the | |
2619 | +.B replace | |
2620 | +string. If there are wildcard strings in the | |
2621 | +.B match | |
2622 | +regular expression that are enclosed in parenthesis, e.g. | |
2623 | +.RS | |
2624 | +.TP | |
2625 | +.B UID=([^,]*),CN=.* | |
2626 | + | |
2627 | +.RE | |
2628 | +then the portion of the name that matched the wildcard will be stored | |
2629 | +in the numbered placeholder variable $1. If there are other wildcard strings | |
2630 | +in parenthesis, the matching strings will be in $2, $3, etc. up to $9. The | |
2631 | +placeholders can then be used in the | |
2632 | +.B replace | |
2633 | +string, e.g. | |
2634 | +.RS | |
2635 | +.TP | |
2636 | +.B UID=$1,OU=Accounts,DC=example,DC=com | |
2637 | + | |
2638 | +.RE | |
2639 | +The replaced name can be either a DN, i.e. a string prefixed by "dn:", | |
2640 | +or an LDAP URI. | |
2641 | +If the latter, the server will use the URI to search its own database(s) | |
2642 | +and, if the search returns exactly one entry, the name is | |
2643 | +replaced by the DN of that entry. The LDAP URI must have no | |
2644 | +hostport, attrs, or extensions components, but the filter is mandatory, | |
2645 | +e.g. | |
2646 | +.RS | |
2647 | +.TP | |
2648 | +.B ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1) | |
2649 | + | |
2650 | +.RE | |
2651 | +The protocol portion of the URI must be strictly | |
2652 | +.BR ldap . | |
2653 | +Note that this search is subject to access controls. Specifically, | |
2654 | +the authentication identity must have "auth" access in the subject. | |
2655 | + | |
2656 | +Multiple | |
2657 | +.B olcAuthzRegexp | |
2658 | +values can be specified to allow for multiple matching | |
2659 | +and replacement patterns. The matching patterns are checked in the order they | |
2660 | +appear in the attribute, stopping at the first successful match. | |
2661 | + | |
2662 | +.\".B Caution: | |
2663 | +.\"Because the plus sign + is a character recognized by the regular expression engine, | |
2664 | +.\"and it will appear in names that include a REALM, be careful to escape the | |
2665 | +.\"plus sign with a backslash \\+ to remove the character's special meaning. | |
2666 | +.RE | |
2667 | +.TP | |
2668 | +.B olcConcurrency: <integer> | |
2669 | +Specify a desired level of concurrency. Provided to the underlying | |
2670 | +thread system as a hint. The default is not to provide any hint. This setting | |
2671 | +is only meaningful on some platforms where there is not a one to one | |
2672 | +correspondence between user threads and kernel threads. | |
2673 | +.TP | |
2674 | +.B olcConnMaxPending: <integer> | |
2675 | +Specify the maximum number of pending requests for an anonymous session. | |
2676 | +If requests are submitted faster than the server can process them, they | |
2677 | +will be queued up to this limit. If the limit is exceeded, the session | |
2678 | +is closed. The default is 100. | |
2679 | +.TP | |
2680 | +.B olcConnMaxPendingAuth: <integer> | |
2681 | +Specify the maximum number of pending requests for an authenticated session. | |
2682 | +The default is 1000. | |
2683 | +.TP | |
2684 | +.B olcDisallows: <features> | |
2685 | +Specify a set of features to disallow (default none). | |
2686 | +.B bind_anon | |
2687 | +disables acceptance of anonymous bind requests. Note that this setting | |
2688 | +does not prohibit anonymous directory access (See "require authc"). | |
2689 | +.B bind_simple | |
2690 | +disables simple (bind) authentication. | |
2691 | +.B tls_2_anon | |
2692 | +disables forcing session to anonymous status (see also | |
2693 | +.BR tls_authc ) | |
2694 | +upon StartTLS operation receipt. | |
2695 | +.B tls_authc | |
2696 | +disallows the StartTLS operation if authenticated (see also | |
2697 | +.BR tls_2_anon ). | |
2698 | +.B proxy_authz_non_critical | |
2699 | +disables acceptance of the proxied authorization control (RFC4370) | |
2700 | +with criticality set to FALSE. | |
2701 | +.B dontusecopy_non_critical | |
2702 | +disables acceptance of the dontUseCopy control (a work in progress) | |
2703 | +with criticality set to FALSE. | |
2704 | +.TP | |
2705 | +.B olcGentleHUP: { TRUE | FALSE } | |
2706 | +A SIGHUP signal will only cause a 'gentle' shutdown-attempt: | |
2707 | +.B Slapd | |
2708 | +will stop listening for new connections, but will not close the | |
2709 | +connections to the current clients. Future write operations return | |
2710 | +unwilling-to-perform, though. Slapd terminates when all clients | |
2711 | +have closed their connections (if they ever do), or \- as before \- | |
2712 | +if it receives a SIGTERM signal. This can be useful if you wish to | |
2713 | +terminate the server and start a new | |
2714 | +.B slapd | |
2715 | +server | |
2716 | +.B with another database, | |
2717 | +without disrupting the currently active clients. | |
2718 | +The default is FALSE. You may wish to use | |
2719 | +.B olcIdleTimeout | |
2720 | +along with this option. | |
2721 | +.TP | |
2722 | +.B olcIdleTimeout: <integer> | |
2723 | +Specify the number of seconds to wait before forcibly closing | |
2724 | +an idle client connection. A setting of 0 disables this | |
2725 | +feature. The default is 0. You may also want to set the | |
2726 | +.B olcWriteTimeout | |
2727 | +option. | |
2728 | +.TP | |
2729 | +.B olcIndexHash64: { on | off } | |
2730 | +Use a 64 bit hash for indexing. The default is to use 32 bit hashes. | |
2731 | +These hashes are used for equality and substring indexing. The 64 bit | |
2732 | +version may be needed to avoid index collisions when the number of | |
2733 | +indexed values exceeds ~64 million. (Note that substring indexing | |
2734 | +generates multiple index values per actual attribute value.) | |
2735 | +Indices generated with 32 bit hashes are incompatible with the 64 bit | |
2736 | +version, and vice versa. Any existing databases must be fully reloaded | |
2737 | +when changing this setting. This directive is only supported on 64 bit CPUs. | |
2738 | +.TP | |
2739 | +.B olcIndexIntLen: <integer> | |
2740 | +Specify the key length for ordered integer indices. The most significant | |
2741 | +bytes of the binary integer will be used for index keys. The default | |
2742 | +value is 4, which provides exact indexing for 31 bit values. | |
2743 | +A floating point representation is used to index too large values. | |
2744 | +.TP | |
2745 | +.B olcIndexSubstrIfMaxlen: <integer> | |
2746 | +Specify the maximum length for subinitial and subfinal indices. Only | |
2747 | +this many characters of an attribute value will be processed by the | |
2748 | +indexing functions; any excess characters are ignored. The default is 4. | |
2749 | +.TP | |
2750 | +.B olcIndexSubstrIfMinlen: <integer> | |
2751 | +Specify the minimum length for subinitial and subfinal indices. An | |
2752 | +attribute value must have at least this many characters in order to be | |
2753 | +processed by the indexing functions. The default is 2. | |
2754 | +.TP | |
2755 | +.B olcIndexSubstrAnyLen: <integer> | |
2756 | +Specify the length used for subany indices. An attribute value must have | |
2757 | +at least this many characters in order to be processed. Attribute values | |
2758 | +longer than this length will be processed in segments of this length. The | |
2759 | +default is 4. The subany index will also be used in subinitial and | |
2760 | +subfinal index lookups when the filter string is longer than the | |
2761 | +.I olcIndexSubstrIfMaxlen | |
2762 | +value. | |
2763 | +.TP | |
2764 | +.B olcIndexSubstrAnyStep: <integer> | |
2765 | +Specify the steps used in subany index lookups. This value sets the offset | |
2766 | +for the segments of a filter string that are processed for a subany index | |
2767 | +lookup. The default is 2. For example, with the default values, a search | |
2768 | +using this filter "cn=*abcdefgh*" would generate index lookups for | |
2769 | +"abcd", "cdef", and "efgh". | |
2770 | + | |
2771 | +.LP | |
2772 | +Note: Indexing support depends on the particular backend in use. Also, | |
2773 | +changing these settings will generally require deleting any indices that | |
2774 | +depend on these parameters and recreating them with | |
2775 | +.BR slapindex (8). | |
2776 | + | |
2777 | +.TP | |
2778 | +.B olcListenerThreads: <integer> | |
2779 | +Specify the number of threads to use for the connection manager. | |
2780 | +The default is 1 and this is typically adequate for up to 16 CPU cores. | |
2781 | +The value should be set to a power of 2. | |
2782 | +.TP | |
2783 | +.B olcLocalSSF: <SSF> | |
2784 | +Specifies the Security Strength Factor (SSF) to be given local LDAP sessions, | |
2785 | +such as those to the ldapi:// listener. For a description of SSF values, | |
2786 | +see | |
2787 | +.BR olcSaslSecProps 's | |
2788 | +.B minssf | |
2789 | +option description. The default is 71. | |
2790 | +.TP | |
2791 | +.B olcLogFile: <filename> | |
2792 | +Specify a file for recording slapd debug messages. By default these messages | |
2793 | +only go to stderr, are not recorded anywhere else, and are unrelated to | |
2794 | +messages exposed by the | |
2795 | +.B olcLogLevel | |
2796 | +configuration parameter. Specifying a logfile copies messages to both stderr | |
2797 | +and the logfile. | |
2798 | +.TP | |
2799 | +.B olcLogFileFormat: debug | syslog-utc | syslog-localtime | |
2800 | +Specify the prefix format for messages written to the logfile. The debug | |
2801 | +format is the normal format used for slapd debug messages, with a timestamp | |
2802 | +in hexadecimal, followed by a thread ID. The other options are to | |
2803 | +use syslog(3) style prefixes, with timestamps either in UTC or in the | |
2804 | +local timezone. The default is debug format. | |
2805 | +.TP | |
2806 | +.B olcLogFileOnly: TRUE | FALSE | |
2807 | +Specify that debug messages should only go to the configured logfile, and | |
2808 | +not to stderr. | |
2809 | +.TP | |
2810 | +.B olcLogFileRotate: <max> <Mbytes> <hours> | |
2811 | +Specify automatic rotation for the configured logfile as the maximum | |
2812 | +number of old logfiles to retain, a maximum size in megabytes to allow a | |
2813 | +logfile to grow before rotation, and a maximum age in hours for a logfile | |
2814 | +to be used before rotation. The maximum number must be in the range 1-99. | |
2815 | +Setting Mbytes or hours to zero disables the size or age check, respectively. | |
2816 | +At least one of Mbytes or hours must be non-zero. By default no automatic | |
2817 | +rotation will be performed. | |
2818 | +.TP | |
2819 | +.B olcLogLevel: <integer> [...] | |
2820 | +Specify the level at which debugging statements and operation | |
2821 | +statistics should be syslogged (currently logged to the | |
2822 | +.BR syslogd (8) | |
2823 | +LOG_LOCAL4 facility). | |
2824 | +They must be considered subsystems rather than increasingly verbose | |
2825 | +log levels. | |
2826 | +Some messages with higher priority are logged regardless | |
2827 | +of the configured loglevel as soon as any logging is configured. | |
2828 | +Log levels are additive, and available levels are: | |
2829 | +.RS | |
2830 | +.RS | |
2831 | +.PD 0 | |
2832 | +.TP | |
2833 | +.B 1 | |
2834 | +.B (0x1 trace) | |
2835 | +trace function calls | |
2836 | +.TP | |
2837 | +.B 2 | |
2838 | +.B (0x2 packets) | |
2839 | +debug packet handling | |
2840 | +.TP | |
2841 | +.B 4 | |
2842 | +.B (0x4 args) | |
2843 | +heavy trace debugging (function args) | |
2844 | +.TP | |
2845 | +.B 8 | |
2846 | +.B (0x8 conns) | |
2847 | +connection management | |
2848 | +.TP | |
2849 | +.B 16 | |
2850 | +.B (0x10 BER) | |
2851 | +print out packets sent and received | |
2852 | +.TP | |
2853 | +.B 32 | |
2854 | +.B (0x20 filter) | |
2855 | +search filter processing | |
2856 | +.TP | |
2857 | +.B 64 | |
2858 | +.B (0x40 config) | |
2859 | +configuration file processing | |
2860 | +.TP | |
2861 | +.B 128 | |
2862 | +.B (0x80 ACL) | |
2863 | +access control list processing | |
2864 | +.TP | |
2865 | +.B 256 | |
2866 | +.B (0x100 stats) | |
2867 | +connections, LDAP operations, results (recommended) | |
2868 | +.TP | |
2869 | +.B 512 | |
2870 | +.B (0x200 stats2) | |
2871 | +stats2 log entries sent | |
2872 | +.TP | |
2873 | +.B 1024 | |
2874 | +.B (0x400 shell) | |
2875 | +print communication with shell backends | |
2876 | +.TP | |
2877 | +.B 2048 | |
2878 | +.B (0x800 parse) | |
2879 | +entry parsing | |
2880 | +\".TP | |
2881 | +\".B 4096 | |
2882 | +\".B (0x1000 cache) | |
2883 | +\"caching (unused) | |
2884 | +\".TP | |
2885 | +\".B 8192 | |
2886 | +\".B (0x2000 index) | |
2887 | +\"data indexing (unused) | |
2888 | +.TP | |
2889 | +.B 16384 | |
2890 | +.B (0x4000 sync) | |
2891 | +LDAPSync replication | |
2892 | +.TP | |
2893 | +.B 32768 | |
2894 | +.B (0x8000 none) | |
2895 | +only messages that get logged whatever log level is set | |
2896 | +.PD | |
2897 | +.RE | |
2898 | +The desired log level can be input as a single integer that combines | |
2899 | +the (ORed) desired levels, both in decimal or in hexadecimal notation, | |
2900 | +as a list of integers (that are ORed internally), | |
2901 | +or as a list of the names that are shown between parenthesis, such that | |
2902 | +.LP | |
2903 | +.nf | |
2904 | + olcLogLevel: 129 | |
2905 | + olcLogLevel: 0x81 | |
2906 | + olcLogLevel: 128 1 | |
2907 | + olcLogLevel: 0x80 0x1 | |
2908 | + olcLogLevel: acl trace | |
2909 | +.fi | |
2910 | +.LP | |
2911 | +are equivalent. | |
2912 | +The keyword | |
2913 | +.B any | |
2914 | +can be used as a shortcut to enable logging at all levels (equivalent to \-1). | |
2915 | +The keyword | |
2916 | +.BR none , | |
2917 | +or the equivalent integer representation, causes those messages | |
2918 | +that are logged regardless of the configured olcLogLevel to be logged. | |
2919 | +In fact, if no olcLogLevel (or a 0 level) is defined, no logging occurs, | |
2920 | +so at least the | |
2921 | +.B none | |
2922 | +level is required to have high priority messages logged. | |
2923 | + | |
2924 | +Note that the | |
2925 | +.BR packets , | |
2926 | +.BR BER , | |
2927 | +and | |
2928 | +.B parse | |
2929 | +levels are only available as debug output on stderr, and are not | |
2930 | +sent to syslog. | |
2931 | + | |
2932 | +This setting defaults to \fBstats\fP. | |
2933 | +This level should usually also be included when using other loglevels, to | |
2934 | +help analyze the logs. | |
2935 | +.RE | |
2936 | +.TP | |
2937 | +.B olcMaxFilterDepth: <integer> | |
2938 | +Specify the maximum depth of nested filters in search requests. | |
2939 | +The default is 1000. | |
2940 | +.TP | |
2941 | +.B olcPasswordCryptSaltFormat: <format> | |
2942 | +Specify the format of the salt passed to | |
2943 | +.BR crypt (3) | |
2944 | +when generating {CRYPT} passwords (see | |
2945 | +.BR olcPasswordHash ) | |
2946 | +during processing of LDAP Password Modify Extended Operations (RFC 3062). | |
2947 | + | |
2948 | +This string needs to be in | |
2949 | +.BR sprintf (3) | |
2950 | +format and may include one (and only one) %s conversion. | |
2951 | +This conversion will be substituted with a string of random | |
2952 | +characters from [A\-Za\-z0\-9./]. For example, "%.2s" | |
2953 | +provides a two character salt and "$1$%.8s" tells some | |
2954 | +versions of crypt(3) to use an MD5 algorithm and provides | |
2955 | +8 random characters of salt. The default is "%s", which | |
2956 | +provides 31 characters of salt. | |
2957 | +.TP | |
2958 | +.B olcPidFile: <filename> | |
2959 | +The (absolute) name of a file that will hold the | |
2960 | +.B slapd | |
2961 | +server's process ID (see | |
2962 | +.BR getpid (2)). | |
2963 | +.TP | |
2964 | +.B olcPluginLogFile: <filename> | |
2965 | +The ( absolute ) name of a file that will contain log | |
2966 | +messages from | |
2967 | +.B SLAPI | |
2968 | +plugins. See | |
2969 | +.BR slapd.plugin (5) | |
2970 | +for details. | |
2971 | +.TP | |
2972 | +.B olcReferral: <url> | |
2973 | +Specify the referral to pass back when | |
2974 | +.BR slapd (8) | |
2975 | +cannot find a local database to handle a request. | |
2976 | +If multiple values are specified, each url is provided. | |
2977 | +.TP | |
2978 | +.B olcReverseLookup: TRUE | FALSE | |
2979 | +Enable/disable client name unverified reverse lookup (default is | |
2980 | +.BR FALSE | |
2981 | +if compiled with \-\-enable\-rlookups). | |
2982 | +.TP | |
2983 | +.B olcRootDSE: <file> | |
2984 | +Specify the name of an LDIF(5) file containing user defined attributes | |
2985 | +for the root DSE. These attributes are returned in addition to the | |
2986 | +attributes normally produced by slapd. | |
2987 | + | |
2988 | +The root DSE is an entry with information about the server and its | |
2989 | +capabilities, in operational attributes. | |
2990 | +It has the empty DN, and can be read with e.g.: | |
2991 | +.ti +4 | |
2992 | +ldapsearch \-x \-b "" \-s base "+" | |
2993 | +.br | |
2994 | +See RFC 4512 section 5.1 for details. | |
2995 | +.TP | |
2996 | +.B olcSaslAuxprops: <plugin> [...] | |
2997 | +Specify which auxprop plugins to use for authentication lookups. The | |
2998 | +default is empty, which just uses slapd's internal support. Usually | |
2999 | +no other auxprop plugins are needed. | |
3000 | +.TP | |
3001 | +.B olcSaslAuxpropsDontUseCopy: <attr> [...] | |
3002 | +Specify which attribute(s) should be subject to the don't use copy control. This | |
3003 | +is necessary for some SASL mechanisms such as OTP to work in a replicated | |
3004 | +environment. The attribute "cmusaslsecretOTP" is the default value. | |
3005 | +.TP | |
3006 | +.B olcSaslAuxpropsDontUseCopyIgnore TRUE | FALSE | |
3007 | +Used to disable replication of the attribute(s) defined by | |
3008 | +olcSaslAuxpropsDontUseCopy and instead use a local value for the attribute. This | |
3009 | +allows the SASL mechanism to continue to work if the provider is offline. This can | |
3010 | +cause replication inconsistency. Defaults to FALSE. | |
3011 | +.TP | |
3012 | +.B olcSaslHost: <fqdn> | |
3013 | +Used to specify the fully qualified domain name used for SASL processing. | |
3014 | +.TP | |
3015 | +.B olcSaslRealm: <realm> | |
3016 | +Specify SASL realm. Default is empty. | |
3017 | +.TP | |
3018 | +.B olcSaslCbinding: none | tls-unique | tls-endpoint | |
3019 | +Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING. | |
3020 | +Default is none. | |
3021 | +.TP | |
3022 | +.B olcSaslSecProps: <properties> | |
3023 | +Used to specify Cyrus SASL security properties. | |
3024 | +The | |
3025 | +.B none | |
3026 | +flag (without any other properties) causes the flag properties | |
3027 | +default, "noanonymous,noplain", to be cleared. | |
3028 | +The | |
3029 | +.B noplain | |
3030 | +flag disables mechanisms susceptible to simple passive attacks. | |
3031 | +The | |
3032 | +.B noactive | |
3033 | +flag disables mechanisms susceptible to active attacks. | |
3034 | +The | |
3035 | +.B nodict | |
3036 | +flag disables mechanisms susceptible to passive dictionary attacks. | |
3037 | +The | |
3038 | +.B noanonymous | |
3039 | +flag disables mechanisms which support anonymous login. | |
3040 | +The | |
3041 | +.B forwardsec | |
3042 | +flag require forward secrecy between sessions. | |
3043 | +The | |
3044 | +.B passcred | |
3045 | +require mechanisms which pass client credentials (and allow | |
3046 | +mechanisms which can pass credentials to do so). | |
3047 | +The | |
3048 | +.B minssf=<factor> | |
3049 | +property specifies the minimum acceptable | |
3050 | +.I security strength factor | |
3051 | +as an integer approximate to effective key length used for | |
3052 | +encryption. 0 (zero) implies no protection, 1 implies integrity | |
3053 | +protection only, 128 allows RC4, Blowfish and other similar ciphers, | |
3054 | +256 will require modern ciphers. The default is 0. | |
3055 | +The | |
3056 | +.B maxssf=<factor> | |
3057 | +property specifies the maximum acceptable | |
3058 | +.I security strength factor | |
3059 | +as an integer (see minssf description). The default is INT_MAX. | |
3060 | +The | |
3061 | +.B maxbufsize=<size> | |
3062 | +property specifies the maximum security layer receive buffer | |
3063 | +size allowed. 0 disables security layers. The default is 65536. | |
3064 | +.TP | |
3065 | +.B olcServerID: <integer> [<URL>] | |
3066 | +Specify an integer ID from 0 to 4095 for this server. The ID may also be | |
3067 | +specified as a hexadecimal ID by prefixing the value with "0x". | |
3068 | +Non-zero IDs are required when using multi-provider replication and each | |
3069 | +provider must have a unique non-zero ID. Note that this requirement also | |
3070 | +applies to separate providers contributing to a glued set of databases. | |
3071 | +If the URL is provided, this directive may be specified | |
3072 | +multiple times, providing a complete list of participating servers | |
3073 | +and their IDs. The fully qualified hostname of each server should be | |
3074 | +used in the supplied URLs. The IDs are used in the "replica id" field | |
3075 | +of all CSNs generated by the specified server. The default value is zero, which | |
3076 | +is only valid for single provider replication. | |
3077 | +Example: | |
3078 | +.LP | |
3079 | +.nf | |
3080 | + olcServerID: 1 ldap://ldap1.example.com | |
3081 | + olcServerID: 2 ldap://ldap2.example.com | |
3082 | +.fi | |
3083 | +.TP | |
3084 | +.B olcSockbufMaxIncoming: <integer> | |
3085 | +Specify the maximum incoming LDAP PDU size for anonymous sessions. | |
3086 | +The default is 262143. | |
3087 | +.TP | |
3088 | +.B olcSockbufMaxIncomingAuth: <integer> | |
3089 | +Specify the maximum incoming LDAP PDU size for authenticated sessions. | |
3090 | +The default is 4194303. | |
3091 | +.TP | |
3092 | +.B olcTCPBuffer [listener=<URL>] [{read|write}=]<size> | |
3093 | +Specify the size of the TCP buffer. | |
3094 | +A global value for both read and write TCP buffers related to any listener | |
3095 | +is defined, unless the listener is explicitly specified, | |
3096 | +or either the read or write qualifiers are used. | |
3097 | +See | |
3098 | +.BR tcp (7) | |
3099 | +for details. | |
3100 | +Note that some OS-es implement automatic TCP buffer tuning. | |
3101 | +.TP | |
3102 | +.B olcThreads: <integer> | |
3103 | +Specify the maximum size of the primary thread pool. | |
3104 | +The default is 16; the minimum value is 2. | |
3105 | +.TP | |
3106 | +.B olcThreadQueues: <integer> | |
3107 | +Specify the number of work queues to use for the primary thread pool. | |
3108 | +The default is 1 and this is typically adequate for up to 8 CPU cores. | |
3109 | +The value should not exceed the number of CPUs in the system. | |
3110 | +.TP | |
3111 | +.B olcToolThreads: <integer> | |
3112 | +Specify the maximum number of threads to use in tool mode. | |
3113 | +This should not be greater than the number of CPUs in the system. | |
3114 | +The default is 1. | |
3115 | +.TP | |
3116 | +.B olcWriteTimeout: <integer> | |
3117 | +Specify the number of seconds to wait before forcibly closing | |
3118 | +a connection with an outstanding write. This allows recovery from | |
3119 | +various network hang conditions. A setting of 0 disables this | |
3120 | +feature. The default is 0. | |
3121 | +.SH TLS OPTIONS | |
3122 | +If | |
3123 | +.B slapd | |
3124 | +is built with support for Transport Layer Security, there are more options | |
3125 | +you can specify. | |
3126 | +.TP | |
3127 | +.B olcTLSCipherSuite: <cipher-suite-spec> | |
3128 | +Permits configuring what ciphers will be accepted and the preference order. | |
3129 | +<cipher-suite-spec> should be a cipher specification for the TLS library | |
3130 | +in use (OpenSSL or GnuTLS). | |
3131 | +Example: | |
3132 | +.RS | |
3133 | +.RS | |
3134 | +.TP | |
3135 | +.I OpenSSL: | |
3136 | +olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2 | |
3137 | +.TP | |
3138 | +.I GnuTLS: | |
3139 | +olcTLSCiphersuite: SECURE256:!AES-128-CBC | |
3140 | +.RE | |
3141 | + | |
3142 | +To check what ciphers a given spec selects in OpenSSL, use: | |
3143 | + | |
3144 | +.nf | |
3145 | + openssl ciphers \-v <cipher-suite-spec> | |
3146 | +.fi | |
3147 | + | |
3148 | +With GnuTLS the available specs can be found in the manual page of | |
3149 | +.BR gnutls\-cli (1) | |
3150 | +(see the description of the | |
3151 | +option | |
3152 | +.BR \-\-priority ). | |
3153 | + | |
3154 | +In older versions of GnuTLS, where gnutls\-cli does not support the option | |
3155 | +\-\-priority, you can obtain the \(em more limited \(em list of ciphers by calling: | |
3156 | + | |
3157 | +.nf | |
3158 | + gnutls\-cli \-l | |
3159 | +.fi | |
3160 | +.RE | |
3161 | +.TP | |
3162 | +.B olcTLSCACertificateFile: <filename> | |
3163 | +Specifies the file that contains certificates for all of the Certificate | |
3164 | +Authorities that | |
3165 | +.B slapd | |
3166 | +will recognize. The certificate for | |
3167 | +the CA that signed the server certificate must be included among | |
3168 | +these certificates. If the signing CA was not a top-level (root) CA, | |
3169 | +certificates for the entire sequence of CA's from the signing CA to | |
3170 | +the top-level CA should be present. Multiple certificates are simply | |
3171 | +appended to the file; the order is not significant. | |
3172 | +.TP | |
3173 | +.B olcTLSCACertificatePath: <path> | |
3174 | +Specifies the path of directories that contain Certificate Authority | |
3175 | +certificates in separate individual files. Usually only one of this | |
3176 | +or the olcTLSCACertificateFile is defined. If both are specified, both | |
3177 | +locations will be used. Multiple directories may be specified, | |
3178 | +separated by a semi-colon. | |
3179 | +.TP | |
3180 | +.B olcTLSCertificateFile: <filename> | |
3181 | +Specifies the file that contains the | |
3182 | +.B slapd | |
3183 | +server certificate. | |
3184 | + | |
3185 | +When using OpenSSL that file may also contain any number of intermediate | |
3186 | +certificates after the server certificate. | |
3187 | +.TP | |
3188 | +.B olcTLSCertificateKeyFile: <filename> | |
3189 | +Specifies the file that contains the | |
3190 | +.B slapd | |
3191 | +server private key that matches the certificate stored in the | |
3192 | +.B olcTLSCertificateFile | |
3193 | +file. If the private key is protected with a password, the password must | |
3194 | +be manually typed in when slapd starts. Usually the private key is not | |
3195 | +protected with a password, to allow slapd to start without manual | |
3196 | +intervention, so | |
3197 | +it is of critical importance that the file is protected carefully. | |
3198 | +.TP | |
3199 | +.B olcTLSDHParamFile: <filename> | |
3200 | +This directive specifies the file that contains parameters for Diffie-Hellman | |
3201 | +ephemeral key exchange. This is required in order to use a DSA certificate on | |
3202 | +the server, or an RSA certificate missing the "key encipherment" key usage. | |
3203 | +Note that setting this option may also enable | |
3204 | +Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites. | |
3205 | +Anonymous key exchanges should generally be avoided since they provide no | |
3206 | +actual client or server authentication and provide no protection against | |
3207 | +man-in-the-middle attacks. | |
3208 | +You should append "!ADH" to your cipher suites to ensure that these suites | |
3209 | +are not used. | |
3210 | +.TP | |
3211 | +.B olcTLSECName: <name> | |
3212 | +Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman | |
3213 | +ephemeral key exchange. This option is only used for OpenSSL. | |
3214 | +This option is not used with GnuTLS; the curves may be | |
3215 | +chosen in the GnuTLS ciphersuite specification. | |
3216 | +.TP | |
3217 | +.B olcTLSProtocolMin: <major>[.<minor>] | |
3218 | +Specifies minimum SSL/TLS protocol version that will be negotiated. | |
3219 | +If the server doesn't support at least that version, | |
3220 | +the SSL handshake will fail. | |
3221 | +To require TLS 1.x or higher, set this option to 3.(x+1), | |
3222 | +e.g., | |
3223 | + | |
3224 | +.nf | |
3225 | + olcTLSProtocolMin: 3.2 | |
3226 | +.fi | |
3227 | + | |
3228 | +would require TLS 1.1. | |
3229 | +Specifying a minimum that is higher than that supported by the | |
3230 | +OpenLDAP implementation will result in it requiring the | |
3231 | +highest level that it does support. | |
3232 | +This directive is ignored with GnuTLS. | |
3233 | +.TP | |
3234 | +.B olcTLSRandFile: <filename> | |
3235 | +Specifies the file to obtain random bits from when /dev/[u]random | |
3236 | +is not available. Generally set to the name of the EGD/PRNGD socket. | |
3237 | +The environment variable RANDFILE can also be used to specify the filename. | |
3238 | +This directive is ignored with GnuTLS. | |
3239 | +.TP | |
3240 | +.B olcTLSVerifyClient: <level> | |
3241 | +Specifies what checks to perform on client certificates in an | |
3242 | +incoming TLS session, if any. | |
3243 | +The | |
3244 | +.B <level> | |
3245 | +can be specified as one of the following keywords: | |
3246 | +.RS | |
3247 | +.TP | |
3248 | +.B never | |
3249 | +This is the default. | |
3250 | +.B slapd | |
3251 | +will not ask the client for a certificate. | |
3252 | +.TP | |
3253 | +.B allow | |
3254 | +The client certificate is requested. If no certificate is provided, | |
3255 | +the session proceeds normally. If a bad certificate is provided, | |
3256 | +it will be ignored and the session proceeds normally. | |
3257 | +.TP | |
3258 | +.B try | |
3259 | +The client certificate is requested. If no certificate is provided, | |
3260 | +the session proceeds normally. If a bad certificate is provided, | |
3261 | +the session is immediately terminated. | |
3262 | +.TP | |
3263 | +.B demand | hard | true | |
3264 | +These keywords are all equivalent, for compatibility reasons. | |
3265 | +The client certificate is requested. If no certificate is provided, | |
3266 | +or a bad certificate is provided, the session is immediately terminated. | |
3267 | + | |
3268 | +Note that a valid client certificate is required in order to use the | |
3269 | +SASL EXTERNAL authentication mechanism with a TLS session. As such, | |
3270 | +a non-default | |
3271 | +.B olcTLSVerifyClient | |
3272 | +setting must be chosen to enable SASL EXTERNAL authentication. | |
3273 | +.RE | |
3274 | +.TP | |
3275 | +.B olcTLSCRLCheck: <level> | |
3276 | +Specifies if the Certificate Revocation List (CRL) of the CA should be | |
3277 | +used to verify if the client certificates have not been revoked. This | |
3278 | +requires | |
3279 | +.B olcTLSCACertificatePath | |
3280 | +parameter to be set. This parameter is ignored with GnuTLS. | |
3281 | +.B <level> | |
3282 | +can be specified as one of the following keywords: | |
3283 | +.RS | |
3284 | +.TP | |
3285 | +.B none | |
3286 | +No CRL checks are performed | |
3287 | +.TP | |
3288 | +.B peer | |
3289 | +Check the CRL of the peer certificate | |
3290 | +.TP | |
3291 | +.B all | |
3292 | +Check the CRL for a whole certificate chain | |
3293 | +.RE | |
3294 | +.TP | |
3295 | +.B olcTLSCRLFile: <filename> | |
3296 | +Specifies a file containing a Certificate Revocation List to be used | |
3297 | +for verifying that certificates have not been revoked. This parameter is | |
3298 | +only valid when using GnuTLS. | |
3299 | +.SH DYNAMIC MODULE OPTIONS | |
3300 | +If | |
3301 | +.B slapd | |
3302 | +is compiled with \-\-enable\-modules then the module-related entries will | |
3303 | +be available. These entries are named | |
3304 | +.B cn=module{x},cn=config | |
3305 | +and | |
3306 | +must have the olcModuleList objectClass. One entry should be created | |
3307 | +per | |
3308 | +.B olcModulePath. | |
3309 | +Normally the config engine generates the "{x}" index in the RDN | |
3310 | +automatically, so it can be omitted when initially loading these entries. | |
3311 | +.TP | |
3312 | +.B olcModuleLoad: <filename> [<arguments>...] | |
3313 | +Specify the name of a dynamically loadable module to load and any | |
3314 | +additional arguments if supported by the module. The filename | |
3315 | +may be an absolute path name or a simple filename. Non-absolute names | |
3316 | +are searched for in the directories specified by the | |
3317 | +.B olcModulePath | |
3318 | +option. | |
3319 | +.TP | |
3320 | +.B olcModulePath: <pathspec> | |
3321 | +Specify a list of directories to search for loadable modules. Typically | |
3322 | +the path is colon-separated but this depends on the operating system. | |
3323 | +The default is MODULEDIR, which is where the standard OpenLDAP install | |
3324 | +will place its modules. | |
3325 | +.SH SCHEMA OPTIONS | |
3326 | +Schema definitions are created as entries in the | |
3327 | +.B cn=schema,cn=config | |
3328 | +subtree. These entries must have the olcSchemaConfig objectClass. | |
3329 | +As noted above, the actual | |
3330 | +.B cn=schema,cn=config | |
3331 | +entry is predefined and any values specified for it are ignored. | |
3332 | + | |
3333 | +.HP | |
3334 | +.hy 0 | |
3335 | +.B olcAttributetypes: "(\ <oid>\ | |
3336 | + [NAME\ <name>]\ | |
3337 | + [DESC\ <description>]\ | |
3338 | + [OBSOLETE]\ | |
3339 | + [SUP\ <oid>]\ | |
3340 | + [EQUALITY\ <oid>]\ | |
3341 | + [ORDERING\ <oid>]\ | |
3342 | + [SUBSTR\ <oid>]\ | |
3343 | + [SYNTAX\ <oidlen>]\ | |
3344 | + [SINGLE\-VALUE]\ | |
3345 | + [COLLECTIVE]\ | |
3346 | + [NO\-USER\-MODIFICATION]\ | |
3347 | + [USAGE\ <attributeUsage>]\ )" | |
3348 | +.RS | |
3349 | +Specify an attribute type using the LDAPv3 syntax defined in RFC 4512. | |
3350 | +The slapd parser extends the RFC 4512 definition by allowing string | |
3351 | +forms as well as numeric OIDs to be used for the attribute OID and | |
3352 | +attribute syntax OID. | |
3353 | +(See the | |
3354 | +.B olcObjectIdentifier | |
3355 | +description.) | |
3356 | +.RE | |
3357 | + | |
3358 | +.HP | |
3359 | +.hy 0 | |
3360 | +.B olcDitContentRules: "(\ <oid>\ | |
3361 | + [NAME\ <name>]\ | |
3362 | + [DESC\ <description>]\ | |
3363 | + [OBSOLETE]\ | |
3364 | + [AUX\ <oids>]\ | |
3365 | + [MUST\ <oids>]\ | |
3366 | + [MAY\ <oids>]\ | |
3367 | + [NOT\ <oids>]\ )" | |
3368 | +.RS | |
3369 | +Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 4512. | |
3370 | +The slapd parser extends the RFC 4512 definition by allowing string | |
3371 | +forms as well as numeric OIDs to be used for the attribute OID and | |
3372 | +attribute syntax OID. | |
3373 | +(See the | |
3374 | +.B olcObjectIdentifier | |
3375 | +description.) | |
3376 | +.RE | |
3377 | + | |
3378 | +.HP | |
3379 | +.hy 0 | |
3380 | +.B olcLdapSyntaxes "(\ <oid>\ | |
3381 | + [DESC\ <description>]\ | |
3382 | + [X\-SUBST <substitute-syntax>]\ )" | |
3383 | +.RS | |
3384 | +Specify an LDAP syntax using the LDAPv3 syntax defined in RFC 4512. | |
3385 | +The slapd parser extends the RFC 4512 definition by allowing string | |
3386 | +forms as well as numeric OIDs to be used for the syntax OID. | |
3387 | +(See the | |
3388 | +.B objectidentifier | |
3389 | +description.) | |
3390 | +The slapd parser also honors the | |
3391 | +.B X\-SUBST | |
3392 | +extension (an OpenLDAP-specific extension), which allows one to use the | |
3393 | +.B olcLdapSyntaxes | |
3394 | +attribute to define a non-implemented syntax along with another syntax, | |
3395 | +the extension value | |
3396 | +.IR substitute-syntax , | |
3397 | +as its temporary replacement. | |
3398 | +The | |
3399 | +.I substitute-syntax | |
3400 | +must be defined. | |
3401 | +This allows one to define attribute types that make use of non-implemented syntaxes | |
3402 | +using the correct syntax OID. | |
3403 | +Unless | |
3404 | +.B X\-SUBST | |
3405 | +is used, this configuration statement would result in an error, | |
3406 | +since no handlers would be associated to the resulting syntax structure. | |
3407 | +.RE | |
3408 | + | |
3409 | +.HP | |
3410 | +.hy 0 | |
3411 | +.B olcObjectClasses: "(\ <oid>\ | |
3412 | + [NAME\ <name>]\ | |
3413 | + [DESC\ <description>]\ | |
3414 | + [OBSOLETE]\ | |
3415 | + [SUP\ <oids>]\ | |
3416 | + [{ ABSTRACT | STRUCTURAL | AUXILIARY }]\ | |
3417 | + [MUST\ <oids>] [MAY\ <oids>] )" | |
3418 | +.RS | |
3419 | +Specify an objectclass using the LDAPv3 syntax defined in RFC 4512. | |
3420 | +The slapd parser extends the RFC 4512 definition by allowing string | |
3421 | +forms as well as numeric OIDs to be used for the object class OID. | |
3422 | +(See the | |
3423 | +.B | |
3424 | +olcObjectIdentifier | |
3425 | +description.) Object classes are "STRUCTURAL" by default. | |
3426 | +.RE | |
3427 | +.TP | |
3428 | +.B olcObjectIdentifier: <name> "{ <oid> | <name>[:<suffix>] }" | |
3429 | +Define a string name that equates to the given OID. The string can be used | |
3430 | +in place of the numeric OID in objectclass and attribute definitions. The | |
3431 | +name can also be used with a suffix of the form ":xx" in which case the | |
3432 | +value "oid.xx" will be used. | |
3433 | + | |
3434 | +.SH GENERAL BACKEND OPTIONS | |
3435 | +Options in these entries only apply to the configuration of a single | |
3436 | +type of backend. All backends may support this class of options, but | |
3437 | +currently only back-mdb does. | |
3438 | +The entry must be named | |
3439 | +.B olcBackend=<databasetype>,cn=config | |
3440 | +and must have the olcBackendConfig objectClass. | |
3441 | +<databasetype> | |
3442 | +should be one of | |
3443 | +.BR asyncmeta , | |
3444 | +.BR config , | |
3445 | +.BR dnssrv , | |
3446 | +.BR ldap , | |
3447 | +.BR ldif , | |
3448 | +.BR mdb , | |
3449 | +.BR meta , | |
3450 | +.BR monitor , | |
3451 | +.BR null , | |
3452 | +.BR passwd , | |
3453 | +.BR perl , | |
3454 | +.BR relay , | |
3455 | +.BR sock , | |
3456 | +.BR sql , | |
3457 | +or | |
3458 | +.BR wt . | |
3459 | +At present, only back-mdb implements any options of this type, so this | |
3460 | +entry should not be used for any other backends. | |
3461 | + | |
3462 | +.SH DATABASE OPTIONS | |
3463 | +Database options are set in entries named | |
3464 | +.B olcDatabase={x}<databasetype>,cn=config | |
3465 | +and must have the olcDatabaseConfig objectClass. Normally the config | |
3466 | +engine generates the "{x}" index in the RDN automatically, so it | |
3467 | +can be omitted when initially loading these entries. | |
3468 | + | |
3469 | +The special frontend database is always numbered "{\-1}" and the config | |
3470 | +database is always numbered "{0}". | |
3471 | + | |
3472 | +.SH GLOBAL DATABASE OPTIONS | |
3473 | +Options in this section may be set in the special "frontend" database | |
3474 | +and inherited in all the other databases. These options may be altered | |
3475 | +by further settings in each specific database. The frontend entry must | |
3476 | +be named | |
3477 | +.B olcDatabase=frontend,cn=config | |
3478 | +and must have the olcFrontendConfig objectClass. | |
3479 | +.TP | |
3480 | +.B olcAccess: to <what> "[ by <who> <access> <control> ]+" | |
3481 | +Grant access (specified by <access>) to a set of entries and/or | |
3482 | +attributes (specified by <what>) by one or more requestors (specified | |
3483 | +by <who>). | |
3484 | +If no access controls are present, the default policy | |
3485 | +allows anyone and everyone to read anything but restricts | |
3486 | +updates to rootdn. (e.g., "olcAccess: to * by * read"). | |
3487 | +See | |
3488 | +.BR slapd.access (5) | |
3489 | +and the "OpenLDAP Administrator's Guide" for details. | |
3490 | + | |
3491 | +Access controls set in the frontend are appended to any access | |
3492 | +controls set on the specific databases. | |
3493 | +The rootdn of a database can always read and write EVERYTHING | |
3494 | +in that database. | |
3495 | + | |
3496 | +Extra special care must be taken with the access controls on the | |
3497 | +config database. Unlike other databases, the default policy for the | |
3498 | +config database is to only allow access to the rootdn. Regular users | |
3499 | +should not have read access, and write access should be granted very | |
3500 | +carefully to privileged administrators. | |
3501 | + | |
3502 | +.TP | |
3503 | +.B olcDefaultSearchBase: <dn> | |
3504 | +Specify a default search base to use when client submits a | |
3505 | +non-base search request with an empty base DN. | |
3506 | +Base scoped search requests with an empty base DN are not affected. | |
3507 | +This setting is only allowed in the frontend entry. | |
3508 | +.TP | |
3509 | +.B olcExtraAttrs: <attr> | |
3510 | +Lists what attributes need to be added to search requests. | |
3511 | +Local storage backends return the entire entry to the frontend. | |
3512 | +The frontend takes care of only returning the requested attributes | |
3513 | +that are allowed by ACLs. | |
3514 | +However, features like access checking and so may need specific | |
3515 | +attributes that are not automatically returned by remote storage | |
3516 | +backends, like proxy backends and so on. | |
3517 | +.B <attr> | |
3518 | +is an attribute that is needed for internal purposes | |
3519 | +and thus always needs to be collected, even when not explicitly | |
3520 | +requested by clients. | |
3521 | +This attribute is multi-valued. | |
3522 | +.TP | |
3523 | +.B olcPasswordHash: <hash> [<hash>...] | |
3524 | +This option configures one or more hashes to be used in generation of user | |
3525 | +passwords stored in the userPassword attribute during processing of | |
3526 | +LDAP Password Modify Extended Operations (RFC 3062). | |
3527 | +The <hash> must be one of | |
3528 | +.BR {SSHA} , | |
3529 | +.BR {SHA} , | |
3530 | +.BR {SMD5} , | |
3531 | +.BR {MD5} , | |
3532 | +.BR {CRYPT} , | |
3533 | +and | |
3534 | +.BR {CLEARTEXT} . | |
3535 | +The default is | |
3536 | +.BR {SSHA} . | |
3537 | + | |
3538 | +.B {SHA} | |
3539 | +and | |
3540 | +.B {SSHA} | |
3541 | +use the SHA-1 algorithm (FIPS 160-1), the latter with a seed. | |
3542 | + | |
3543 | +.B {MD5} | |
3544 | +and | |
3545 | +.B {SMD5} | |
3546 | +use the MD5 algorithm (RFC 1321), the latter with a seed. | |
3547 | + | |
3548 | +.B {CRYPT} | |
3549 | +uses the | |
3550 | +.BR crypt (3). | |
3551 | + | |
3552 | +.B {CLEARTEXT} | |
3553 | +indicates that the new password should be | |
3554 | +added to userPassword as clear text. | |
3555 | + | |
3556 | +Note that this option does not alter the normal user applications | |
3557 | +handling of userPassword during LDAP Add, Modify, or other LDAP operations. | |
3558 | +This setting is only allowed in the frontend entry. | |
3559 | +.TP | |
3560 | +.B olcReadOnly: TRUE | FALSE | |
3561 | +This option puts the database into "read-only" mode. Any attempts to | |
3562 | +modify the database will return an "unwilling to perform" error. By | |
3563 | +default, olcReadOnly is FALSE. Note that when this option is set | |
3564 | +TRUE on the frontend, it cannot be reset without restarting the | |
3565 | +server, since further writes to the config database will be rejected. | |
3566 | +.TP | |
3567 | +.B olcRequires: <conditions> | |
3568 | +Specify a set of conditions to require (default none). | |
3569 | +The directive may be specified globally and/or per-database; | |
3570 | +databases inherit global conditions, so per-database specifications | |
3571 | +are additive. | |
3572 | +.B bind | |
3573 | +requires bind operation prior to directory operations. | |
3574 | +.B LDAPv3 | |
3575 | +requires session to be using LDAP version 3. | |
3576 | +.B authc | |
3577 | +requires authentication prior to directory operations. | |
3578 | +.B SASL | |
3579 | +requires SASL authentication prior to directory operations. | |
3580 | +.B strong | |
3581 | +requires strong authentication prior to directory operations. | |
3582 | +The strong keyword allows protected "simple" authentication | |
3583 | +as well as SASL authentication. | |
3584 | +.B none | |
3585 | +may be used to require no conditions (useful to clear out globally | |
3586 | +set conditions within a particular database); it must occur first | |
3587 | +in the list of conditions. | |
3588 | +.TP | |
3589 | +.B olcRestrict: <oplist> | |
3590 | +Specify a list of operations that are restricted. | |
3591 | +Restrictions on a specific database override any frontend setting. | |
3592 | +Operations can be any of | |
3593 | +.BR add , | |
3594 | +.BR bind , | |
3595 | +.BR compare , | |
3596 | +.BR delete , | |
3597 | +.BR extended[=<OID>] , | |
3598 | +.BR modify , | |
3599 | +.BR rename , | |
3600 | +.BR search , | |
3601 | +or the special pseudo-operations | |
3602 | +.B read | |
3603 | +and | |
3604 | +.BR write , | |
3605 | +which respectively summarize read and write operations. | |
3606 | +The use of | |
3607 | +.I restrict write | |
3608 | +is equivalent to | |
3609 | +.I olcReadOnly: TRUE | |
3610 | +(see above). | |
3611 | +The | |
3612 | +.B extended | |
3613 | +keyword allows one to indicate the OID of the specific operation | |
3614 | +to be restricted. | |
3615 | +.TP | |
3616 | +.B olcSchemaDN: <dn> | |
3617 | +Specify the distinguished name for the subschema subentry that | |
3618 | +controls the entries on this server. The default is "cn=Subschema". | |
3619 | +.TP | |
3620 | +.B olcSecurity: <factors> | |
3621 | +Specify a set of security strength factors (separated by white space) | |
3622 | +to require (see | |
3623 | +.BR olcSaslSecprops 's | |
3624 | +.B minssf | |
3625 | +option for a description of security strength factors). | |
3626 | +The directive may be specified globally and/or per-database. | |
3627 | +.B ssf=<n> | |
3628 | +specifies the overall security strength factor. | |
3629 | +.B transport=<n> | |
3630 | +specifies the transport security strength factor. | |
3631 | +.B tls=<n> | |
3632 | +specifies the TLS security strength factor. | |
3633 | +.B sasl=<n> | |
3634 | +specifies the SASL security strength factor. | |
3635 | +.B update_ssf=<n> | |
3636 | +specifies the overall security strength factor to require for | |
3637 | +directory updates. | |
3638 | +.B update_transport=<n> | |
3639 | +specifies the transport security strength factor to require for | |
3640 | +directory updates. | |
3641 | +.B update_tls=<n> | |
3642 | +specifies the TLS security strength factor to require for | |
3643 | +directory updates. | |
3644 | +.B update_sasl=<n> | |
3645 | +specifies the SASL security strength factor to require for | |
3646 | +directory updates. | |
3647 | +.B simple_bind=<n> | |
3648 | +specifies the security strength factor required for | |
3649 | +.I simple | |
3650 | +username/password authentication. | |
3651 | +Note that the | |
3652 | +.B transport | |
3653 | +factor is measure of security provided by the underlying transport, | |
3654 | +e.g. ldapi:// (and eventually IPSEC). It is not normally used. | |
3655 | +.TP | |
3656 | +.B olcSizeLimit: {<integer>|unlimited} | |
3657 | +.TP | |
3658 | +.B olcSizeLimit: size[.{soft|hard}]=<integer> [...] | |
3659 | +Specify the maximum number of entries to return from a search operation. | |
3660 | +The default size limit is 500. | |
3661 | +Use | |
3662 | +.B unlimited | |
3663 | +to specify no limits. | |
3664 | +The second format allows a fine grain setting of the size limits. | |
3665 | +If no special qualifiers are specified, both soft and hard limits are set. | |
3666 | +Extra args can be added in the same value. | |
3667 | +Additional qualifiers are available; see | |
3668 | +.BR olcLimits | |
3669 | +for an explanation of all of the different flags. | |
3670 | +.TP | |
3671 | +.B olcSortVals: <attr> [...] | |
3672 | +Specify a list of multi-valued attributes whose values will always | |
3673 | +be maintained in sorted order. Using this option will allow Modify, | |
3674 | +Compare, and filter evaluations on these attributes to be performed | |
3675 | +more efficiently. The resulting sort order depends on the | |
3676 | +attributes' syntax and matching rules and may not correspond to | |
3677 | +lexical order or any other recognizable order. | |
3678 | +This setting is only allowed in the frontend entry. | |
3679 | +.TP | |
3680 | +.B olcTimeLimit: {<integer>|unlimited} | |
3681 | +.TP | |
3682 | +.B olcTimeLimit: time[.{soft|hard}]=<integer> [...] | |
3683 | +Specify the maximum number of seconds (in real time) | |
3684 | +.B slapd | |
3685 | +will spend answering a search request. The default time limit is 3600. | |
3686 | +Use | |
3687 | +.B unlimited | |
3688 | +to specify no limits. | |
3689 | +The second format allows a fine grain setting of the time limits. | |
3690 | +Extra args can be added in the same value. See | |
3691 | +.BR olcLimits | |
3692 | +for an explanation of the different flags. | |
3693 | + | |
3694 | +.SH GENERAL DATABASE OPTIONS | |
3695 | +Options in this section only apply to the specific database for | |
3696 | +which they are defined. They are supported by every | |
3697 | +type of backend. All of the Global Database Options may also be | |
3698 | +used here. | |
3699 | +.TP | |
3700 | +.B olcAddContentAcl: TRUE | FALSE | |
3701 | +Controls whether Add operations will perform ACL checks on | |
3702 | +the content of the entry being added. This check is off | |
3703 | +by default. See the | |
3704 | +.BR slapd.access (5) | |
3705 | +manual page for more details on ACL requirements for | |
3706 | +Add operations. | |
3707 | +.TP | |
3708 | +.B olcHidden: TRUE | FALSE | |
3709 | +Controls whether the database will be used to answer | |
3710 | +queries. A database that is hidden will never be | |
3711 | +selected to answer any queries, and any suffix configured | |
3712 | +on the database will be ignored in checks for conflicts | |
3713 | +with other databases. By default, olcHidden is FALSE. | |
3714 | +.TP | |
3715 | +.B olcLastMod: TRUE | FALSE | |
3716 | +Controls whether | |
3717 | +.B slapd | |
3718 | +will automatically maintain the | |
3719 | +modifiersName, modifyTimestamp, creatorsName, and | |
3720 | +createTimestamp attributes for entries. It also controls | |
3721 | +the entryCSN and entryUUID attributes, which are needed | |
3722 | +by the syncrepl provider. By default, olcLastMod is TRUE. | |
3723 | +.TP | |
3724 | +.B olcLastBind: TRUE | FALSE | |
3725 | +Controls whether | |
3726 | +.B slapd | |
3727 | +will automatically maintain the pwdLastSuccess attribute for | |
3728 | +entries. By default, olcLastBind is FALSE. | |
3729 | +.TP | |
3730 | +.B olcLastBindPrecision: <integer> | |
3731 | +If olcLastBind is enabled, specifies how frequently pwdLastSuccess | |
3732 | +will be updated. More than | |
3733 | +.B integer | |
3734 | +seconds must have passed since the last successful bind. In a | |
3735 | +replicated environment with frequent bind activity it may be | |
3736 | +useful to set this to a large value. | |
3737 | +.TP | |
3738 | +.B olcLimits: <selector> <limit> [<limit> [...]] | |
3739 | +Specify time and size limits based on the operation's initiator or | |
3740 | +base DN. | |
3741 | +The argument | |
3742 | +.B <selector> | |
3743 | +can be any of | |
3744 | +.RS | |
3745 | +.RS | |
3746 | +.TP | |
3747 | +anonymous | users | [<dnspec>=]<pattern> | group[/oc[/at]]=<pattern> | |
3748 | + | |
3749 | +.RE | |
3750 | +with | |
3751 | +.RS | |
3752 | +.TP | |
3753 | +<dnspec> ::= dn[.<type>][.<style>] | |
3754 | +.TP | |
3755 | +<type> ::= self | this | |
3756 | +.TP | |
3757 | +<style> ::= exact | base | onelevel | subtree | children | regex | anonymous | |
3758 | + | |
3759 | +.RE | |
3760 | +DN type | |
3761 | +.B self | |
3762 | +is the default and means the bound user, while | |
3763 | +.B this | |
3764 | +means the base DN of the operation. | |
3765 | +The term | |
3766 | +.B anonymous | |
3767 | +matches all unauthenticated clients. | |
3768 | +The term | |
3769 | +.B users | |
3770 | +matches all authenticated clients; | |
3771 | +otherwise an | |
3772 | +.B exact | |
3773 | +dn pattern is assumed unless otherwise specified by qualifying | |
3774 | +the (optional) key string | |
3775 | +.B dn | |
3776 | +with | |
3777 | +.B exact | |
3778 | +or | |
3779 | +.B base | |
3780 | +(which are synonyms), to require an exact match; with | |
3781 | +.BR onelevel , | |
3782 | +to require exactly one level of depth match; with | |
3783 | +.BR subtree , | |
3784 | +to allow any level of depth match, including the exact match; with | |
3785 | +.BR children , | |
3786 | +to allow any level of depth match, not including the exact match; | |
3787 | +.BR regex | |
3788 | +explicitly requires the (default) match based on POSIX (''extended'') | |
3789 | +regular expression pattern. | |
3790 | +Finally, | |
3791 | +.B anonymous | |
3792 | +matches unbound operations; the | |
3793 | +.B pattern | |
3794 | +field is ignored. | |
3795 | +The same behavior is obtained by using the | |
3796 | +.B anonymous | |
3797 | +form of the | |
3798 | +.B <selector> | |
3799 | +clause. | |
3800 | +The term | |
3801 | +.BR group , | |
3802 | +with the optional objectClass | |
3803 | +.B oc | |
3804 | +and attributeType | |
3805 | +.B at | |
3806 | +fields, followed by | |
3807 | +.BR pattern , | |
3808 | +sets the limits for any DN listed in the values of the | |
3809 | +.B at | |
3810 | +attribute (default | |
3811 | +.BR member ) | |
3812 | +of the | |
3813 | +.B oc | |
3814 | +group objectClass (default | |
3815 | +.BR groupOfNames ) | |
3816 | +whose DN exactly matches | |
3817 | +.BR pattern . | |
3818 | + | |
3819 | +The currently supported limits are | |
3820 | +.B size | |
3821 | +and | |
3822 | +.BR time . | |
3823 | + | |
3824 | +The syntax for time limits is | |
3825 | +.BR time[.{soft|hard}]=<integer> , | |
3826 | +where | |
3827 | +.I integer | |
3828 | +is the number of seconds slapd will spend answering a search request. | |
3829 | +If no time limit is explicitly requested by the client, the | |
3830 | +.BR soft | |
3831 | +limit is used; if the requested time limit exceeds the | |
3832 | +.BR hard | |
3833 | +.\"limit, an | |
3834 | +.\".I "Administrative limit exceeded" | |
3835 | +.\"error is returned. | |
3836 | +limit, the value of the limit is used instead. | |
3837 | +If the | |
3838 | +.BR hard | |
3839 | +limit is set to the keyword | |
3840 | +.IR soft , | |
3841 | +the soft limit is used in either case; if it is set to the keyword | |
3842 | +.IR unlimited , | |
3843 | +no hard limit is enforced. | |
3844 | +Explicit requests for time limits smaller or equal to the | |
3845 | +.BR hard | |
3846 | +limit are honored. | |
3847 | +If no limit specifier is set, the value is assigned to the | |
3848 | +.BR soft | |
3849 | +limit, and the | |
3850 | +.BR hard | |
3851 | +limit is set to | |
3852 | +.IR soft , | |
3853 | +to preserve the original behavior. | |
3854 | + | |
3855 | +The syntax for size limits is | |
3856 | +.BR size[.{soft|hard|unchecked}]=<integer> , | |
3857 | +where | |
3858 | +.I integer | |
3859 | +is the maximum number of entries slapd will return answering a search | |
3860 | +request. | |
3861 | +If no size limit is explicitly requested by the client, the | |
3862 | +.BR soft | |
3863 | +limit is used; if the requested size limit exceeds the | |
3864 | +.BR hard | |
3865 | +.\"limit, an | |
3866 | +.\".I "Administrative limit exceeded" | |
3867 | +.\"error is returned. | |
3868 | +limit, the value of the limit is used instead. | |
3869 | +If the | |
3870 | +.BR hard | |
3871 | +limit is set to the keyword | |
3872 | +.IR soft , | |
3873 | +the soft limit is used in either case; if it is set to the keyword | |
3874 | +.IR unlimited , | |
3875 | +no hard limit is enforced. | |
3876 | +Explicit requests for size limits smaller or equal to the | |
3877 | +.BR hard | |
3878 | +limit are honored. | |
3879 | +The | |
3880 | +.BR unchecked | |
3881 | +specifier sets a limit on the number of candidates a search request is allowed | |
3882 | +to examine. | |
3883 | +The rationale behind it is that searches for non-properly indexed | |
3884 | +attributes may result in large sets of candidates, which must be | |
3885 | +examined by | |
3886 | +.BR slapd (8) | |
3887 | +to determine whether they match the search filter or not. | |
3888 | +The | |
3889 | +.B unchecked | |
3890 | +limit provides a means to drop such operations before they are even | |
3891 | +started. | |
3892 | +If the selected candidates exceed the | |
3893 | +.BR unchecked | |
3894 | +limit, the search will abort with | |
3895 | +.IR "Unwilling to perform" . | |
3896 | +If it is set to the keyword | |
3897 | +.IR unlimited , | |
3898 | +no limit is applied (the default). | |
3899 | +If it is set to | |
3900 | +.IR disabled , | |
3901 | +the search is not even performed; this can be used to disallow searches | |
3902 | +for a specific set of users. | |
3903 | +If no limit specifier is set, the value is assigned to the | |
3904 | +.BR soft | |
3905 | +limit, and the | |
3906 | +.BR hard | |
3907 | +limit is set to | |
3908 | +.IR soft , | |
3909 | +to preserve the original behavior. | |
3910 | + | |
3911 | +In case of no match, the global limits are used. | |
3912 | +The default values are the same as for | |
3913 | +.B olcSizeLimit | |
3914 | +and | |
3915 | +.BR olcTimeLimit ; | |
3916 | +no limit is set on | |
3917 | +.BR unchecked . | |
3918 | + | |
3919 | +If | |
3920 | +.B pagedResults | |
3921 | +control is requested, the | |
3922 | +.B hard | |
3923 | +size limit is used by default, because the request of a specific page size | |
3924 | +is considered an explicit request for a limitation on the number | |
3925 | +of entries to be returned. | |
3926 | +However, the size limit applies to the total count of entries returned within | |
3927 | +the search, and not to a single page. | |
3928 | +Additional size limits may be enforced; the syntax is | |
3929 | +.BR size.pr={<integer>|noEstimate|unlimited} , | |
3930 | +where | |
3931 | +.I integer | |
3932 | +is the max page size if no explicit limit is set; the keyword | |
3933 | +.I noEstimate | |
3934 | +inhibits the server from returning an estimate of the total number | |
3935 | +of entries that might be returned | |
3936 | +(note: the current implementation does not return any estimate). | |
3937 | +The keyword | |
3938 | +.I unlimited | |
3939 | +indicates that no limit is applied to the pagedResults control page size. | |
3940 | +The syntax | |
3941 | +.B size.prtotal={<integer>|hard|unlimited|disabled} | |
3942 | +allows one to set a limit on the total number of entries that the pagedResults | |
3943 | +control will return. | |
3944 | +By default it is set to the | |
3945 | +.B hard | |
3946 | +limit which will use the size.hard value. | |
3947 | +When set, | |
3948 | +.I integer | |
3949 | +is the max number of entries that the whole search with pagedResults control | |
3950 | +can return. | |
3951 | +Use | |
3952 | +.I unlimited | |
3953 | +to allow unlimited number of entries to be returned, e.g. to allow | |
3954 | +the use of the pagedResults control as a means to circumvent size | |
3955 | +limitations on regular searches; the keyword | |
3956 | +.I disabled | |
3957 | +disables the control, i.e. no paged results can be returned. | |
3958 | +Note that the total number of entries returned when the pagedResults control | |
3959 | +is requested cannot exceed the | |
3960 | +.B hard | |
3961 | +size limit of regular searches unless extended by the | |
3962 | +.B prtotal | |
3963 | +switch. | |
3964 | + | |
3965 | +The \fBolcLimits\fP statement is typically used to let an unlimited | |
3966 | +number of entries be returned by searches performed | |
3967 | +with the identity used by the consumer for synchronization purposes | |
3968 | +by means of the RFC 4533 LDAP Content Synchronization protocol | |
3969 | +(see \fBolcSyncrepl\fP for details). | |
3970 | + | |
3971 | +When using subordinate databases, it is necessary for any limits that | |
3972 | +are to be applied across the parent and its subordinates to be defined in | |
3973 | +both the parent and its subordinates. Otherwise the settings on the | |
3974 | +subordinate databases are not honored. | |
3975 | +.RE | |
3976 | +.TP | |
3977 | +.B olcMaxDerefDepth: <depth> | |
3978 | +Specifies the maximum number of aliases to dereference when trying to | |
3979 | +resolve an entry, used to avoid infinite alias loops. The default is 15. | |
3980 | +.TP | |
3981 | +.B olcMultiProvider: TRUE | FALSE | |
3982 | +This option puts a consumer database into Multi-Provider mode. Update | |
3983 | +operations will be accepted from any user, not just the updatedn. The | |
3984 | +database must already be configured as a syncrepl consumer | |
3985 | +before this keyword may be set. This mode also requires a | |
3986 | +.B olcServerID | |
3987 | +(see above) to be configured. | |
3988 | +By default, this setting is FALSE. | |
3989 | +.TP | |
3990 | +.B olcMonitoring: TRUE | FALSE | |
3991 | +This option enables database-specific monitoring in the entry related | |
3992 | +to the current database in the "cn=Databases,cn=Monitor" subtree | |
3993 | +of the monitor database, if the monitor database is enabled. | |
3994 | +Currently, only the MDB database provides database-specific monitoring. | |
3995 | +If monitoring is supported by the backend it defaults to TRUE, otherwise | |
3996 | +FALSE. | |
3997 | +.TP | |
3998 | +.B olcPlugin: <plugin_type> <lib_path> <init_function> [<arguments>] | |
3999 | +Configure a SLAPI plugin. See the | |
4000 | +.BR slapd.plugin (5) | |
4001 | +manpage for more details. | |
4002 | +.TP | |
4003 | +.B olcRootDN: <dn> | |
4004 | +Specify the distinguished name that is not subject to access control | |
4005 | +or administrative limit restrictions for operations on this database. | |
4006 | +This DN may or may not be associated with an entry. An empty root | |
4007 | +DN (the default) specifies no root access is to be granted. It is | |
4008 | +recommended that the rootdn only be specified when needed (such as | |
4009 | +when initially populating a database). If the rootdn is within | |
4010 | +a namingContext (suffix) of the database, a simple bind password | |
4011 | +may also be provided using the | |
4012 | +.B olcRootPW | |
4013 | +directive. Many optional features, including syncrepl, require the | |
4014 | +rootdn to be defined for the database. | |
4015 | +The | |
4016 | +.B olcRootDN | |
4017 | +of the | |
4018 | +.B cn=config | |
4019 | +database defaults to | |
4020 | +.B cn=config | |
4021 | +itself. | |
4022 | +.TP | |
4023 | +.B olcRootPW: <password> | |
4024 | +Specify a password (or hash of the password) for the rootdn. The | |
4025 | +password can only be set if the rootdn is within the namingContext | |
4026 | +(suffix) of the database. | |
4027 | +This option accepts all RFC 2307 userPassword formats known to | |
4028 | +the server (see | |
4029 | +.B olcPasswordHash | |
4030 | +description) as well as cleartext. | |
4031 | +.BR slappasswd (8) | |
4032 | +may be used to generate a hash of a password. Cleartext | |
4033 | +and \fB{CRYPT}\fP passwords are not recommended. If empty | |
4034 | +(the default), authentication of the root DN is by other means | |
4035 | +(e.g. SASL). Use of SASL is encouraged. | |
4036 | +.TP | |
4037 | +.B olcSubordinate: [TRUE | FALSE | advertise] | |
4038 | +Specify that the current backend database is a subordinate of another | |
4039 | +backend database. A subordinate database may have only one suffix. This | |
4040 | +option may be used to glue multiple databases into a single namingContext. | |
4041 | +If the suffix of the current database is within the namingContext of a | |
4042 | +superior database, searches against the superior database will be | |
4043 | +propagated to the subordinate as well. All of the databases | |
4044 | +associated with a single namingContext should have identical rootdns. | |
4045 | +Behavior of other LDAP operations is unaffected by this setting. In | |
4046 | +particular, it is not possible to use moddn to move an entry from | |
4047 | +one subordinate to another subordinate within the namingContext. | |
4048 | + | |
4049 | +If the optional \fBadvertise\fP flag is supplied, the naming context of | |
4050 | +this database is advertised in the root DSE. The default is to hide this | |
4051 | +database context, so that only the superior context is visible. | |
4052 | + | |
4053 | +If the slap tools | |
4054 | +.BR slapcat (8), | |
4055 | +.BR slapadd (8), | |
4056 | +.BR slapmodify (8), | |
4057 | +or | |
4058 | +.BR slapindex (8) | |
4059 | +are used on the superior database, any glued subordinates that support | |
4060 | +these tools are opened as well. | |
4061 | + | |
4062 | +Databases that are glued together should usually be configured with the | |
4063 | +same indices (assuming they support indexing), even for attributes that | |
4064 | +only exist in some of these databases. In general, all of the glued | |
4065 | +databases should be configured as similarly as possible, since the intent | |
4066 | +is to provide the appearance of a single directory. | |
4067 | + | |
4068 | +Note that the subordinate functionality is implemented internally | |
4069 | +by the \fIglue\fP overlay and as such its behavior will interact with other | |
4070 | +overlays in use. By default, the glue overlay is automatically configured as | |
4071 | +the last overlay on the superior database. Its position on the database | |
4072 | +can be explicitly configured by setting an \fBoverlay glue\fP directive | |
4073 | +at the desired position. This explicit configuration is necessary e.g. | |
4074 | +when using the \fIsyncprov\fP overlay, which needs to follow \fIglue\fP | |
4075 | +in order to work over all of the glued databases. E.g. | |
4076 | +.RS | |
4077 | +.nf | |
4078 | + dn: olcDatabase={1}mdb,cn=config | |
4079 | + olcSuffix: dc=example,dc=com | |
4080 | + ... | |
4081 | + | |
4082 | + dn: olcOverlay={0}glue,olcDatabase={1}mdb,cn=config | |
4083 | + ... | |
4084 | + | |
4085 | + dn: olcOverlay={1}syncprov,olcDatabase={1}mdb,cn=config | |
4086 | + ... | |
4087 | +.fi | |
4088 | +.RE | |
4089 | +See the Overlays section below for more details. | |
4090 | +.TP | |
4091 | +.B olcSuffix: <dn suffix> | |
4092 | +Specify the DN suffix of queries that will be passed to this | |
4093 | +backend database. Multiple suffix lines can be given and at least one is | |
4094 | +required for each database definition. | |
4095 | + | |
4096 | +If the suffix of one database is "inside" that of another, the database | |
4097 | +with the inner suffix must come first in the configuration file. | |
4098 | +You may also want to glue such databases together with the | |
4099 | +.B olcSubordinate | |
4100 | +attribute. | |
4101 | +.TP | |
4102 | +.B olcSyncUseSubentry: TRUE | FALSE | |
4103 | +Store the syncrepl contextCSN in a subentry instead of the context entry | |
4104 | +of the database. The subentry's RDN will be "cn=ldapsync". The default is | |
4105 | +FALSE, meaning the contextCSN is stored in the context entry. | |
4106 | +.HP | |
4107 | +.hy 0 | |
4108 | +.B olcSyncrepl: rid=<replica ID> | |
4109 | +.B provider=ldap[s]://<hostname>[:port] | |
4110 | +.B searchbase=<base DN> | |
4111 | +.B [type=refreshOnly|refreshAndPersist] | |
4112 | +.B [interval=dd:hh:mm:ss] | |
4113 | +.B [retry=[<retry interval> <# of retries>]+] | |
4114 | +.B [filter=<filter str>] | |
4115 | +.B [scope=sub|one|base|subord] | |
4116 | +.B [attrs=<attr list>] | |
4117 | +.B [exattrs=<attr list>] | |
4118 | +.B [attrsonly] | |
4119 | +.B [sizelimit=<limit>] | |
4120 | +.B [timelimit=<limit>] | |
4121 | +.B [schemachecking=on|off] | |
4122 | +.B [network\-timeout=<seconds>] | |
4123 | +.B [timeout=<seconds>] | |
4124 | +.B [tcp\-user\-timeout=<milliseconds>] | |
4125 | +.B [bindmethod=simple|sasl] | |
4126 | +.B [binddn=<dn>] | |
4127 | +.B [saslmech=<mech>] | |
4128 | +.B [authcid=<identity>] | |
4129 | +.B [authzid=<identity>] | |
4130 | +.B [credentials=<passwd>] | |
4131 | +.B [realm=<realm>] | |
4132 | +.B [secprops=<properties>] | |
4133 | +.B [keepalive=<idle>:<probes>:<interval>] | |
4134 | +.B [starttls=yes|critical] | |
4135 | +.B [tls_cert=<file>] | |
4136 | +.B [tls_key=<file>] | |
4137 | +.B [tls_cacert=<file>] | |
4138 | +.B [tls_cacertdir=<path>] | |
4139 | +.B [tls_reqcert=never|allow|try|demand] | |
4140 | +.B [tls_reqsan=never|allow|try|demand] | |
4141 | +.B [tls_cipher_suite=<ciphers>] | |
4142 | +.B [tls_ecname=<names>] | |
4143 | +.B [tls_crlcheck=none|peer|all] | |
4144 | +.B [tls_protocol_min=<major>[.<minor>]] | |
4145 | +.B [suffixmassage=<real DN>] | |
4146 | +.B [logbase=<base DN>] | |
4147 | +.B [logfilter=<filter str>] | |
4148 | +.B [syncdata=default|accesslog|changelog] | |
4149 | +.B [lazycommit] | |
4150 | +.RS | |
4151 | +Specify the current database as a consumer which is kept up-to-date with the | |
4152 | +provider content by establishing the current | |
4153 | +.BR slapd (8) | |
4154 | +as a replication consumer site running a | |
4155 | +.B syncrepl | |
4156 | +replication engine. | |
4157 | +The consumer content is kept synchronized to the provider content using | |
4158 | +the LDAP Content Synchronization protocol. Refer to the | |
4159 | +"OpenLDAP Administrator's Guide" for detailed information on | |
4160 | +setting up a replicated | |
4161 | +.B slapd | |
4162 | +directory service using the | |
4163 | +.B syncrepl | |
4164 | +replication engine. | |
4165 | + | |
4166 | +.B rid | |
4167 | +identifies the current | |
4168 | +.B syncrepl | |
4169 | +directive within the replication consumer site. | |
4170 | +It is a non-negative integer not greater than 999 (limited | |
4171 | +to three decimal digits). | |
4172 | + | |
4173 | +.B provider | |
4174 | +specifies the replication provider site containing the provider content | |
4175 | +as an LDAP URI. If <port> is not given, the standard LDAP port number | |
4176 | +(389 or 636) is used. | |
4177 | + | |
4178 | +The content of the | |
4179 | +.B syncrepl | |
4180 | +consumer is defined using a search | |
4181 | +specification as its result set. The consumer | |
4182 | +.B slapd | |
4183 | +will send search requests to the provider | |
4184 | +.B slapd | |
4185 | +according to the search specification. The search specification includes | |
4186 | +.BR searchbase ", " scope ", " filter ", " attrs ", " attrsonly ", " sizelimit ", " | |
4187 | +and | |
4188 | +.B timelimit | |
4189 | +parameters as in the normal search specification. The | |
4190 | +.B exattrs | |
4191 | +option may also be used to specify attributes that should be omitted | |
4192 | +from incoming entries. | |
4193 | +The \fBscope\fP defaults to \fBsub\fP, the \fBfilter\fP defaults to | |
4194 | +\fB(objectclass=*)\fP, and there is no default \fBsearchbase\fP. The | |
4195 | +\fBattrs\fP list defaults to \fB"*,+"\fP to return all user and operational | |
4196 | +attributes, and \fBattrsonly\fP and \fBexattrs\fP are unset by default. | |
4197 | +The \fBsizelimit\fP and \fBtimelimit\fP only | |
4198 | +accept "unlimited" and positive integers, and both default to "unlimited". | |
4199 | +The \fBsizelimit\fP and \fBtimelimit\fP parameters define | |
4200 | +a consumer requested limitation on the number of entries that can be returned | |
4201 | +by the LDAP Content Synchronization operation; as such, it is intended | |
4202 | +to implement partial replication based on the size of the replicated database | |
4203 | +and on the time required by the synchronization. | |
4204 | +Note, however, that any provider-side limits for the replication identity | |
4205 | +will be enforced by the provider regardless of the limits requested | |
4206 | +by the LDAP Content Synchronization operation, much like for any other | |
4207 | +search operation. | |
4208 | + | |
4209 | +The LDAP Content Synchronization protocol has two operation types. | |
4210 | +In the | |
4211 | +.B refreshOnly | |
4212 | +operation, the next synchronization search operation | |
4213 | +is periodically rescheduled at an interval time (specified by | |
4214 | +.B interval | |
4215 | +parameter; 1 day by default) | |
4216 | +after each synchronization operation finishes. | |
4217 | +In the | |
4218 | +.B refreshAndPersist | |
4219 | +operation, a synchronization search remains persistent in the provider slapd. | |
4220 | +Further updates to the provider will generate | |
4221 | +.B searchResultEntry | |
4222 | +to the consumer slapd as the search responses to the persistent | |
4223 | +synchronization search. If the initial search fails due to an error, the | |
4224 | +next synchronization search operation is periodically rescheduled at an | |
4225 | +interval time (specified by | |
4226 | +.B interval | |
4227 | +parameter; 1 day by default) | |
4228 | + | |
4229 | +If an error occurs during replication, the consumer will attempt to | |
4230 | +reconnect according to the | |
4231 | +.B retry | |
4232 | +parameter which is a list of the <retry interval> and <# of retries> pairs. | |
4233 | +For example, retry="60 10 300 3" lets the consumer retry every 60 seconds | |
4234 | +for the first 10 times and then retry every 300 seconds for the next 3 | |
4235 | +times before stop retrying. The `+' in <# of retries> means indefinite | |
4236 | +number of retries until success. | |
4237 | +If no | |
4238 | +.B retry | |
4239 | +is specified, by default syncrepl retries every hour forever. | |
4240 | + | |
4241 | +The schema checking can be enforced at the LDAP Sync | |
4242 | +consumer site by turning on the | |
4243 | +.B schemachecking | |
4244 | +parameter. The default is \fBoff\fP. | |
4245 | +Schema checking \fBon\fP means that replicated entries must have | |
4246 | +a structural objectClass, must obey to objectClass requirements | |
4247 | +in terms of required/allowed attributes, and that naming attributes | |
4248 | +and distinguished values must be present. | |
4249 | +As a consequence, schema checking should be \fBoff\fP when partial | |
4250 | +replication is used. | |
4251 | + | |
4252 | +The | |
4253 | +.B network\-timeout | |
4254 | +parameter sets how long the consumer will wait to establish a | |
4255 | +network connection to the provider. Once a connection is | |
4256 | +established, the | |
4257 | +.B timeout | |
4258 | +parameter determines how long the consumer will wait for the initial | |
4259 | +Bind request to complete. The defaults for these parameters come | |
4260 | +from | |
4261 | +.BR ldap.conf (5). | |
4262 | +The | |
4263 | +.B tcp\-user\-timeout | |
4264 | +parameter, if non-zero, corresponds to the | |
4265 | +.B TCP_USER_TIMEOUT | |
4266 | +set on the target connections, overriding the operating system setting. | |
4267 | +Only some systems support the customization of this parameter, it is | |
4268 | +ignored otherwise and system-wide settings are used. | |
4269 | + | |
4270 | +A | |
4271 | +.B bindmethod | |
4272 | +of | |
4273 | +.B simple | |
4274 | +requires the options | |
4275 | +.B binddn | |
4276 | +and | |
4277 | +.B credentials | |
4278 | +and should only be used when adequate security services | |
4279 | +(e.g. TLS or IPSEC) are in place. | |
4280 | +.B REMEMBER: simple bind credentials must be in cleartext! | |
4281 | +A | |
4282 | +.B bindmethod | |
4283 | +of | |
4284 | +.B sasl | |
4285 | +requires the option | |
4286 | +.B saslmech. | |
4287 | +Depending on the mechanism, an authentication identity and/or | |
4288 | +credentials can be specified using | |
4289 | +.B authcid | |
4290 | +and | |
4291 | +.B credentials. | |
4292 | +The | |
4293 | +.B authzid | |
4294 | +parameter may be used to specify an authorization identity. | |
4295 | +Specific security properties (as with the | |
4296 | +.B sasl\-secprops | |
4297 | +keyword above) for a SASL bind can be set with the | |
4298 | +.B secprops | |
4299 | +option. A non default SASL realm can be set with the | |
4300 | +.B realm | |
4301 | +option. | |
4302 | +The identity used for synchronization by the consumer should be allowed | |
4303 | +to receive an unlimited number of entries in response to a search request. | |
4304 | +The provider, other than allowing authentication of the syncrepl identity, | |
4305 | +should grant that identity appropriate access privileges to the data | |
4306 | +that is being replicated (\fBaccess\fP directive), and appropriate time | |
4307 | +and size limits. | |
4308 | +This can be accomplished by either allowing unlimited \fBsizelimit\fP | |
4309 | +and \fBtimelimit\fP, or by setting an appropriate \fBlimits\fP statement | |
4310 | +in the consumer's configuration (see \fBsizelimit\fP and \fBlimits\fP | |
4311 | +for details). | |
4312 | + | |
4313 | +The | |
4314 | +.B keepalive | |
4315 | +parameter sets the values of \fIidle\fP, \fIprobes\fP, and \fIinterval\fP | |
4316 | +used to check whether a socket is alive; | |
4317 | +.I idle | |
4318 | +is the number of seconds a connection needs to remain idle before TCP | |
4319 | +starts sending keepalive probes; | |
4320 | +.I probes | |
4321 | +is the maximum number of keepalive probes TCP should send before dropping | |
4322 | +the connection; | |
4323 | +.I interval | |
4324 | +is interval in seconds between individual keepalive probes. | |
4325 | +Only some systems support the customization of these values; | |
4326 | +the | |
4327 | +.B keepalive | |
4328 | +parameter is ignored otherwise, and system-wide settings are used. | |
4329 | + | |
4330 | +The | |
4331 | +.B starttls | |
4332 | +parameter specifies use of the StartTLS extended operation | |
4333 | +to establish a TLS session before Binding to the provider. If the | |
4334 | +.B critical | |
4335 | +argument is supplied, the session will be aborted if the StartTLS request | |
4336 | +fails. Otherwise the syncrepl session continues without TLS. The | |
4337 | +.B tls_reqcert | |
4338 | +setting defaults to "demand", the | |
4339 | +.B tls_reqsan | |
4340 | +setting defaults to "allow", and the other TLS settings | |
4341 | +default to the same as the main slapd TLS settings. | |
4342 | + | |
4343 | +The | |
4344 | +.B suffixmassage | |
4345 | +parameter allows the consumer to pull entries from a remote directory | |
4346 | +whose DN suffix differs from the local directory. The portion of the | |
4347 | +remote entries' DNs that matches the \fIsearchbase\fP will be replaced | |
4348 | +with the suffixmassage DN. | |
4349 | + | |
4350 | +Rather than replicating whole entries, the consumer can query logs of | |
4351 | +data modifications. This mode of operation is referred to as \fIdelta | |
4352 | +syncrepl\fP. In addition to the above parameters, the | |
4353 | +.B logbase | |
4354 | +and | |
4355 | +.B logfilter | |
4356 | +parameters must be set appropriately for the log that will be used. The | |
4357 | +.B syncdata | |
4358 | +parameter must be set to either "accesslog" if the log conforms to the | |
4359 | +.BR slapo\-accesslog (5) | |
4360 | +log format, or "changelog" if the log conforms | |
4361 | +to the obsolete \fIchangelog\fP format. If the | |
4362 | +.B syncdata | |
4363 | +parameter is omitted or set to "default" then the log parameters are | |
4364 | +ignored. | |
4365 | + | |
4366 | +The | |
4367 | +.B lazycommit | |
4368 | +parameter tells the underlying database that it can store changes without | |
4369 | +performing a full flush after each change. This may improve performance | |
4370 | +for the consumer, while sacrificing safety or durability. | |
4371 | +.RE | |
4372 | +.TP | |
4373 | +.B olcUpdateDN: <dn> | |
4374 | +This option is only applicable in a replica | |
4375 | +database. | |
4376 | +It specifies the DN permitted to update (subject to access controls) | |
4377 | +the replica. It is only needed in certain push-mode | |
4378 | +replication scenarios. Generally, this DN | |
4379 | +.I should not | |
4380 | +be the same as the | |
4381 | +.B rootdn | |
4382 | +used at the provider. | |
4383 | +.TP | |
4384 | +.B olcUpdateRef: <url> | |
4385 | +Specify the referral to pass back when | |
4386 | +.BR slapd (8) | |
4387 | +is asked to modify a replicated local database. | |
4388 | +If multiple values are specified, each url is provided. | |
4389 | + | |
4390 | +.SH DATABASE-SPECIFIC OPTIONS | |
4391 | +Each database may allow specific configuration options; they are | |
4392 | +documented separately in the backends' manual pages. See the | |
4393 | +.BR slapd.backends (5) | |
4394 | +manual page for an overview of available backends. | |
4395 | +.SH OVERLAYS | |
4396 | +An overlay is a piece of | |
4397 | +code that intercepts database operations in order to extend or change | |
4398 | +them. Overlays are pushed onto | |
4399 | +a stack over the database, and so they will execute in the reverse | |
4400 | +of the order in which they were configured and the database itself | |
4401 | +will receive control last of all. | |
4402 | + | |
4403 | +Overlays must be configured as child entries of a specific database. The | |
4404 | +entry's RDN must be of the form | |
4405 | +.B olcOverlay={x}<overlaytype> | |
4406 | +and the entry must have the olcOverlayConfig objectClass. Normally the | |
4407 | +config engine generates the "{x}" index in the RDN automatically, so | |
4408 | +it can be omitted when initially loading these entries. | |
4409 | + | |
4410 | +See the | |
4411 | +.BR slapd.overlays (5) | |
4412 | +manual page for an overview of available overlays. | |
4413 | +.SH EXAMPLES | |
4414 | +.LP | |
4415 | +Here is a short example of a configuration in LDIF suitable for use with | |
4416 | +.BR slapadd (8) | |
4417 | +: | |
4418 | +.LP | |
4419 | +.RS | |
4420 | +.nf | |
4421 | +dn: cn=config | |
4422 | +objectClass: olcGlobal | |
4423 | +cn: config | |
4424 | +olcPidFile: LOCALSTATEDIR/run/slapd.pid | |
4425 | +olcAttributeOptions: x\-hidden lang\- | |
4426 | + | |
4427 | +dn: cn=schema,cn=config | |
4428 | +objectClass: olcSchemaConfig | |
4429 | +cn: schema | |
4430 | + | |
4431 | +include: file://SYSCONFDIR/schema/core.ldif | |
4432 | + | |
4433 | +dn: olcDatabase=frontend,cn=config | |
4434 | +objectClass: olcDatabaseConfig | |
4435 | +objectClass: olcFrontendConfig | |
4436 | +olcDatabase: frontend | |
4437 | +# Subtypes of "name" (e.g. "cn" and "ou") with the | |
4438 | +# option ";x\-hidden" can be searched for/compared, | |
4439 | +# but are not shown. See \fBslapd.access\fP(5). | |
4440 | +olcAccess: to attrs=name;x\-hidden by * =cs | |
4441 | +# Protect passwords. See \fBslapd.access\fP(5). | |
4442 | +olcAccess: to attrs=userPassword by * auth | |
4443 | +# Read access to other attributes and entries. | |
4444 | +olcAccess: to * by * read | |
4445 | + | |
4446 | +# set a rootpw for the config database so we can bind. | |
4447 | +# deny access to everyone else. | |
4448 | +dn: olcDatabase=config,cn=config | |
4449 | +objectClass: olcDatabaseConfig | |
4450 | +olcDatabase: config | |
4451 | +olcRootPW: {SSHA}XKYnrjvGT3wZFQrDD5040US592LxsdLy | |
4452 | +olcAccess: to * by * none | |
4453 | + | |
4454 | +dn: olcDatabase=mdb,cn=config | |
4455 | +objectClass: olcDatabaseConfig | |
4456 | +objectClass: olcMdbConfig | |
4457 | +olcDatabase: mdb | |
4458 | +olcSuffix: "dc=our\-domain,dc=com" | |
4459 | +# The database directory MUST exist prior to | |
4460 | +# running slapd AND should only be accessible | |
4461 | +# by the slapd/tools. Mode 0700 recommended. | |
4462 | +olcDbDirectory: LOCALSTATEDIR/openldap\-data | |
4463 | +# Indices to maintain | |
4464 | +olcDbIndex: objectClass eq | |
4465 | +olcDbIndex: cn,sn,mail pres,eq,approx,sub | |
4466 | + | |
4467 | +# We serve small clients that do not handle referrals, | |
4468 | +# so handle remote lookups on their behalf. | |
4469 | +dn: olcDatabase=ldap,cn=config | |
4470 | +objectClass: olcDatabaseConfig | |
4471 | +objectClass: olcLdapConfig | |
4472 | +olcDatabase: ldap | |
4473 | +olcSuffix: "" | |
4474 | +olcDbUri: ldap://ldap.some\-server.com/ | |
4475 | +.fi | |
4476 | +.RE | |
4477 | +.LP | |
4478 | +Assuming the above data was saved in a file named "config.ldif" and the | |
4479 | +ETCDIR/slapd.d directory has been created, this command will initialize | |
4480 | +the configuration: | |
4481 | +.RS | |
4482 | +.nf | |
4483 | +slapadd \-F ETCDIR/slapd.d \-n 0 \-l config.ldif | |
4484 | +.fi | |
4485 | +.RE | |
4486 | + | |
4487 | +.LP | |
4488 | +"OpenLDAP Administrator's Guide" contains a longer annotated | |
4489 | +example of a slapd configuration. | |
4490 | + | |
4491 | +Alternatively, an existing slapd.conf file can be converted to the new | |
4492 | +format using slapd or any of the slap tools: | |
4493 | +.RS | |
4494 | +.nf | |
4495 | +slaptest \-f ETCDIR/slapd.conf \-F ETCDIR/slapd.d | |
4496 | +.fi | |
4497 | +.RE | |
4498 | + | |
4499 | +.SH FILES | |
4500 | +.TP | |
4501 | +ETCDIR/slapd.conf | |
4502 | +default slapd configuration file | |
4503 | +.TP | |
4504 | +ETCDIR/slapd.d | |
4505 | +default slapd configuration directory | |
4506 | +.SH SEE ALSO | |
4507 | +.BR ldap (3), | |
4508 | +.BR ldif (5), | |
4509 | +.BR gnutls\-cli (1), | |
4510 | +.BR slapd.access (5), | |
4511 | +.BR slapd.backends (5), | |
4512 | +.BR slapd.conf (5), | |
4513 | +.BR slapd.overlays (5), | |
4514 | +.BR slapd.plugin (5), | |
4515 | +.BR slapd (8), | |
4516 | +.BR slapacl (8), | |
4517 | +.BR slapadd (8), | |
4518 | +.BR slapauth (8), | |
4519 | +.BR slapcat (8), | |
4520 | +.BR slapdn (8), | |
4521 | +.BR slapindex (8), | |
4522 | +.BR slapmodify (8), | |
4523 | +.BR slappasswd (8), | |
4524 | +.BR slaptest (8). | |
4525 | +.LP | |
4526 | +"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) | |
4527 | +.SH ACKNOWLEDGEMENTS | |
4528 | +.so ../Project | |
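Review bot: the EXAMPLES block in this slapd-config.5 hunk still documents the upstream paths that the rest of the patch moves: `olcDbDirectory: LOCALSTATEDIR/openldap\-data` should become `LOCALSTATEDIR/lib/openldap` to match the SLAPD_DEFAULT_DB_DIR and slapd.ldif hunks, and `olcPidFile: LOCALSTATEDIR/run/slapd.pid` should become `LOCALSTATEDIR/run/openldap/slapd.pid` to match the slapd.conf and slapd.ldif hunks. As written, an administrator who copies the example ends up with a database directory that the install-db-config target never created with mode 700, and a pid file outside the runtime directory the daemon is told to use everywhere else in this patch.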
4529 | diff -Naurp openldap-2.6.1.orig/doc/man/man8/lloadd.8 openldap-2.6.1/doc/man/man8/lloadd.8 | |
4530 | --- openldap-2.6.1.orig/doc/man/man8/lloadd.8 2022-01-19 12:32:34.000000000 -0600 | |
4531 | +++ openldap-2.6.1/doc/man/man8/lloadd.8 2022-02-13 15:55:12.222721830 -0600 | |
4532 | @@ -5,7 +5,7 @@ | |
4533 | .SH NAME | |
4534 | lloadd \- LDAP Load Balancer Daemon | |
4535 | .SH SYNOPSIS | |
4536 | -.B LIBEXECDIR/lloadd | |
4537 | +.B SBINDIR/lloadd | |
4538 | [\c | |
4539 | .BR \-4 | \-6 ] | |
4540 | [\c | |
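Review bot: the SYNOPSIS now advertises SBINDIR/lloadd, but no hunk in this patch changes where lloadd itself is installed (only servers/slapd/Makefile.in moves slapd to $(sbindir)); confirm that the lloadd build also installs into sbindir, otherwise this man page documents a path that does not exist on the target system.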
4541 | diff -Naurp openldap-2.6.1.orig/doc/man/man8/slapd.8 openldap-2.6.1/doc/man/man8/slapd.8 | |
4542 | --- openldap-2.6.1.orig/doc/man/man8/slapd.8 2022-01-19 12:32:34.000000000 -0600 | |
4543 | +++ openldap-2.6.1/doc/man/man8/slapd.8 2022-02-13 15:55:00.466773546 -0600 | |
4544 | @@ -5,7 +5,7 @@ | |
4545 | .SH NAME | |
4546 | slapd \- Stand-alone LDAP Daemon | |
4547 | .SH SYNOPSIS | |
4548 | -.B LIBEXECDIR/slapd | |
4549 | +.B SBINDIR/slapd | |
4550 | [\c | |
4551 | .BR \-V [ V [ V ]] | |
4552 | [\c | |
4553 | diff -Naurp openldap-2.6.1.orig/include/ldap_defaults.h openldap-2.6.1/include/ldap_defaults.h | |
4554 | --- openldap-2.6.1.orig/include/ldap_defaults.h 2022-01-19 12:32:34.000000000 -0600 | |
4555 | +++ openldap-2.6.1/include/ldap_defaults.h 2022-02-13 15:54:13.654979570 -0600 | |
4556 | @@ -39,7 +39,7 @@ | |
4557 | #define LDAP_ENV_PREFIX "LDAP" | |
4558 | ||
4559 | /* default ldapi:// socket */ | |
4560 | -#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi" | |
4561 | +#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "openldap" LDAP_DIRSEP "ldapi" | |
4562 | ||
4563 | /* | |
4564 | * SLAPD DEFINITIONS | |
4565 | @@ -47,7 +47,7 @@ | |
4566 | /* location of the default slapd config file */ | |
4567 | #define SLAPD_DEFAULT_CONFIGFILE LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.conf" | |
4568 | #define SLAPD_DEFAULT_CONFIGDIR LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.d" | |
4569 | -#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "openldap-data" | |
4570 | +#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "lib" LDAP_DIRSEP "openldap" | |
4571 | #define SLAPD_DEFAULT_DB_MODE 0600 | |
4572 | #define SLAPD_DEFAULT_UCDATA LDAP_DATADIR LDAP_DIRSEP "ucdata" | |
4573 | /* default max deref depth for aliases */ | |
4574 | diff -Naurp openldap-2.6.1.orig/libraries/liblber/Makefile.in openldap-2.6.1/libraries/liblber/Makefile.in | |
4575 | --- openldap-2.6.1.orig/libraries/liblber/Makefile.in 2022-01-19 12:32:34.000000000 -0600 | |
4576 | +++ openldap-2.6.1/libraries/liblber/Makefile.in 2022-02-13 15:54:13.654979570 -0600 | |
4577 | @@ -51,6 +51,6 @@ idtest: $(XLIBS) idtest.o | |
4578 | ||
4579 | install-local: FORCE | |
4580 | -$(MKDIR) $(DESTDIR)$(libdir) | |
4581 | - $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir) | |
4582 | + $(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir) | |
4583 | $(LTFINISH) $(DESTDIR)$(libdir) | |
4584 | ||
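Review bot: the mode change from `-m 644` to `-m 755` on the installed library is not a path change like the rest of the patch and the hunk gives no reason for it; the dynamic loader on Linux only needs read access to a shared object, so if the intent is to let the library be stripped or handled by a packaging step that expects the execute bit, state that in the patch header. The same change appears in the libldap and slapd/slapi Makefile.in hunks below.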
4585 | diff -Naurp openldap-2.6.1.orig/libraries/libldap/Makefile.in openldap-2.6.1/libraries/libldap/Makefile.in | |
4586 | --- openldap-2.6.1.orig/libraries/libldap/Makefile.in 2022-01-19 12:32:34.000000000 -0600 | |
4587 | +++ openldap-2.6.1/libraries/libldap/Makefile.in 2022-02-13 15:54:13.654979570 -0600 | |
4588 | @@ -82,7 +82,7 @@ CFFILES=ldap.conf | |
4589 | ||
4590 | install-local: $(CFFILES) FORCE | |
4591 | -$(MKDIR) $(DESTDIR)$(libdir) | |
4592 | - $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir) | |
4593 | + $(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir) | |
4594 | $(LTFINISH) $(DESTDIR)$(libdir) | |
4595 | -$(MKDIR) $(DESTDIR)$(sysconfdir) | |
4596 | @for i in $(CFFILES); do \ | |
4597 | diff -Naurp openldap-2.6.1.orig/servers/slapd/Makefile.in openldap-2.6.1/servers/slapd/Makefile.in | |
4598 | --- openldap-2.6.1.orig/servers/slapd/Makefile.in 2022-01-19 12:32:34.000000000 -0600 | |
4599 | +++ openldap-2.6.1/servers/slapd/Makefile.in 2022-02-13 15:54:13.655979565 -0600 | |
4600 | @@ -374,9 +374,10 @@ install-local-srv: install-slapd install | |
4601 | ||
4602 | install-slapd: FORCE | |
4603 | -$(MKDIR) $(DESTDIR)$(libexecdir) | |
4604 | + -$(MKDIR) $(DESTDIR)$(sbindir) | |
4605 | -$(MKDIR) $(DESTDIR)$(localstatedir)/run | |
4606 | $(LTINSTALL) $(INSTALLFLAGS) $(STRIP_OPTS) -m 755 \ | |
4607 | - slapd$(EXEEXT) $(DESTDIR)$(libexecdir) | |
4608 | + slapd$(EXEEXT) $(DESTDIR)$(sbindir) | |
4609 | @for i in $(SUBDIRS); do \ | |
4610 | if test -d $$i && test -f $$i/Makefile ; then \ | |
4611 | echo; echo " cd $$i && $(MAKE) $(MFLAGS) install"; \ | |
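Review bot: `-$(MKDIR) $(DESTDIR)$(localstatedir)/run` still only creates the top-level run directory, while the slapd.conf and slapd.ldif hunks in this patch move slapd.pid and slapd.args to %LOCALSTATEDIR%/run/openldap/ and the ldap_defaults.h hunk moves the ldapi socket to run/openldap/ldapi. Nothing in the patch creates that subdirectory, so slapd started from the shipped configuration cannot write its pid file or bind the ldapi:// socket until the packager creates it by hand; add `-$(MKDIR) $(DESTDIR)$(localstatedir)/run/openldap` here, and decide who should own it, since the socket and pid file are written by the user slapd runs as.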
4612 | @@ -452,9 +453,9 @@ install-conf: FORCE | |
4613 | ||
4614 | install-db-config: FORCE | |
4615 | @-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir) | |
4616 | - @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data | |
4617 | + @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/lib/openldap | |
4618 | $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \ | |
4619 | - $(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example | |
4620 | + $(DESTDIR)$(localstatedir)/lib/openldap/DB_CONFIG.example | |
4621 | $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \ | |
4622 | $(DESTDIR)$(sysconfdir)/DB_CONFIG.example | |
4623 | ||
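Review bot: DB_CONFIG.example is a Berkeley DB tuning file, and the example configuration and ldap_defaults.h hunks in this patch only use the mdb backend, so with bdb gone the two DB_CONFIG.example installs in this target are dead weight and could be dropped rather than re-pathed. The `-m 700` on the new $(localstatedir)/lib/openldap directory is the right default for the database directory, but the `@-` prefix means a failure of that step is ignored, so a missing or mis-permissioned directory will not abort the install and will only surface when slapd starts.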
4624 | @@ -462,6 +463,6 @@ install-tools: FORCE | |
4625 | -$(MKDIR) $(DESTDIR)$(sbindir) | |
4626 | for i in $(SLAPTOOLS); do \ | |
4627 | $(RM) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \ | |
4628 | - $(LN_S) -f $(DESTDIR)$(libexecdir)/slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \ | |
4629 | + $(LN_S) -f $(DESTDIR)$(sbindir)/slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \ | |
4630 | done | |
4631 | ||
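Review bot: the replacement `$(LN_S) -f $(DESTDIR)$(sbindir)/slapd$(EXEEXT) ...` keeps $(DESTDIR) inside the symlink target, so a staged install (DESTDIR pointing at a temporary root, as package builds do) leaves the $(SLAPTOOLS) links pointing at the staging path rather than at the installed slapd. Since slapd now lives in the same $(sbindir) as the tools, a relative target, `$(LN_S) -f slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT)`, is DESTDIR-safe and no longer depends on the absolute prefix.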
4632 | diff -Naurp openldap-2.6.1.orig/servers/slapd/slapd.conf openldap-2.6.1/servers/slapd/slapd.conf | |
4633 | --- openldap-2.6.1.orig/servers/slapd/slapd.conf 2022-01-19 12:32:34.000000000 -0600 | |
4634 | +++ openldap-2.6.1/servers/slapd/slapd.conf 2022-02-13 15:54:13.655979565 -0600 | |
4635 | @@ -10,8 +10,9 @@ include %SYSCONFDIR%/schema/core.schema | |
4636 | # service AND an understanding of referrals. | |
4637 | #referral ldap://root.openldap.org | |
4638 | ||
4639 | -pidfile %LOCALSTATEDIR%/run/slapd.pid | |
4640 | -argsfile %LOCALSTATEDIR%/run/slapd.args | |
4641 | +pidfile %LOCALSTATEDIR%/run/openldap/slapd.pid | |
4642 | +argsfile %LOCALSTATEDIR%/run/openldap/slapd.args | |
4643 | + | |
4644 | ||
4645 | # Load dynamic backend modules: | |
4646 | modulepath %MODULEDIR% | |
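Review bot: the added empty `+` line after `argsfile` produces two consecutive blank lines before the `# Load dynamic backend modules:` comment; drop it so the hunk changes only the two paths. The new run/openldap/ location matches the olcArgsFile and olcPidFile values in the slapd.ldif hunk, but it relies on that directory existing at start-up, which the install-slapd target above does not arrange (it only creates $(localstatedir)/run).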
4647 | @@ -69,7 +70,7 @@ rootpw secret | |
4648 | # The database directory MUST exist prior to running slapd AND | |
4649 | # should only be accessible by the slapd and slap tools. | |
4650 | # Mode 700 recommended. | |
4651 | -directory %LOCALSTATEDIR%/openldap-data | |
4652 | +directory %LOCALSTATEDIR%/lib/openldap | |
4653 | # Indices to maintain | |
4654 | index objectClass eq | |
4655 | ||
4656 | diff -Naurp openldap-2.6.1.orig/servers/slapd/slapd.ldif openldap-2.6.1/servers/slapd/slapd.ldif | |
4657 | --- openldap-2.6.1.orig/servers/slapd/slapd.ldif 2022-01-19 12:32:34.000000000 -0600 | |
4658 | +++ openldap-2.6.1/servers/slapd/slapd.ldif 2022-02-13 15:54:13.655979565 -0600 | |
4659 | @@ -9,8 +9,8 @@ cn: config | |
4660 | # | |
4661 | # Define global ACLs to disable default read access. | |
4662 | # | |
4663 | -olcArgsFile: %LOCALSTATEDIR%/run/slapd.args | |
4664 | -olcPidFile: %LOCALSTATEDIR%/run/slapd.pid | |
4665 | +olcArgsFile: %LOCALSTATEDIR%/run/openldap/slapd.args | |
4666 | +olcPidFile: %LOCALSTATEDIR%/run/openldap/slapd.pid | |
4667 | # | |
4668 | # Do not enable referrals until AFTER you have a working directory | |
4669 | # service AND an understanding of referrals. | |
4670 | @@ -88,7 +88,7 @@ olcRootPW: secret | |
4671 | # The database directory MUST exist prior to running slapd AND | |
4672 | # should only be accessible by the slapd and slap tools. | |
4673 | # Mode 700 recommended. | |
4674 | -olcDbDirectory: %LOCALSTATEDIR%/openldap-data | |
4675 | +olcDbDirectory: %LOCALSTATEDIR%/lib/openldap | |
4676 | # Indices to maintain | |
4677 | olcDbIndex: objectClass eq | |
4678 | ||
4679 | diff -Naurp openldap-2.6.1.orig/servers/slapd/slapi/Makefile.in openldap-2.6.1/servers/slapd/slapi/Makefile.in | |
4680 | --- openldap-2.6.1.orig/servers/slapd/slapi/Makefile.in 2022-01-19 12:32:34.000000000 -0600 | |
4681 | +++ openldap-2.6.1/servers/slapd/slapi/Makefile.in 2022-02-13 15:54:13.655979565 -0600 | |
4682 | @@ -46,6 +46,6 @@ BUILD_MOD = @BUILD_SLAPI@ | |
4683 | install-local: FORCE | |
4684 | if test "$(BUILD_MOD)" = "yes"; then \ | |
4685 | $(MKDIR) $(DESTDIR)$(libdir); \ | |
4686 | - $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir); \ | |
4687 | + $(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir); \ | |
4688 | fi | |
4689 |