1 diff -Naurp openldap-2.6.2.orig/doc/man/man5/slapd.conf.5 openldap-2.6.2/doc/man/man5/slapd.conf.5
2 --- openldap-2.6.2.orig/doc/man/man5/slapd.conf.5 2022-05-04 16:55:23.000000000 +0200
3 +++ openldap-2.6.2/doc/man/man5/slapd.conf.5 2022-05-05 12:05:53.309727745 +0200
4 @@ -2122,7 +2122,7 @@ suffix "dc=our\-domain,dc=com"
5 # The database directory MUST exist prior to
6 # running slapd AND should only be accessible
7 # by the slapd/tools. Mode 0700 recommended.
8 -directory LOCALSTATEDIR/openldap\-data
9 +directory LOCALSTATEDIR/lib/openldap
12 index cn,sn,mail pres,eq,approx,sub
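Review bot: The patch also carries a stray backup file: the second file section (header `diff -Naurp openldap-2.6.2.orig/doc/man/man5/slapd.conf.5.orig openldap-2.6.2/doc/man/man5/slapd.conf.5.orig`, whose old side is dated 1970-01-01, i.e. a newly added file) adds `doc/man/man5/slapd.conf.5.orig`, which from its content is the unmodified pre-patch copy of the same man page. That file should be removed from the source tree and the diff regenerated so the patch consists only of the `slapd.conf.5` hunk; the `.orig` section runs past the end of this chunk, so I cannot see how it ends. For this hunk itself, the documented example now reads `directory LOCALSTATEDIR/lib/openldap`; since this is documentation only, the data directory the package actually configures (whatever the build substitutes for LOCALSTATEDIR and compiles in as the default) presumably has to agree with it, and that is not visible on this page.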
13 diff -Naurp openldap-2.6.2.orig/doc/man/man5/slapd.conf.5.orig openldap-2.6.2/doc/man/man5/slapd.conf.5.orig
14 --- openldap-2.6.2.orig/doc/man/man5/slapd.conf.5.orig 1970-01-01 01:00:00.000000000 +0100
15 +++ openldap-2.6.2/doc/man/man5/slapd.conf.5.orig 2022-05-04 16:55:23.000000000 +0200
17 +.TH SLAPD.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION"
18 +.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved.
19 +.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
22 +slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
28 +contains configuration information for the
30 +daemon. This configuration file is also used by the SLAPD tools
43 +file consists of a series of global configuration options that apply to
45 +as a whole (including all backends), followed by zero or more database
46 +backend definitions that contain information specific to a backend
48 +The configuration options are case-insensitive;
49 +their value, on a case by case basis, may be case-sensitive.
51 +The general format of
56 + # comment - these options apply to every database
57 + <global configuration options>
58 + # first database definition & configuration options
59 + database <backend 1 type>
60 + <configuration options specific to backend 1>
61 + # subsequent database definitions & configuration options
65 +As many backend-specific sections as desired may be included. Global
66 +options can be overridden in a backend (for options that appear more
67 +than once, the last appearance in the
71 +If a line begins with white space, it is considered a continuation
72 +of the previous line. No physical line should be over 2000 bytes
75 +Blank lines and comment lines beginning with
76 +a `#' character are ignored. Note: continuation lines are unwrapped
77 +before comment processing is applied.
79 +Arguments on configuration lines are separated by white space. If an
80 +argument contains white space, the argument should be enclosed in
81 +double quotes. If an argument contains a double quote (`"') or a
82 +backslash character (`\\'), the character should be preceded by a
85 +The specific configuration options available are discussed below in the
86 +Global Configuration Options, General Backend Options, and General Database
87 +Options. Backend-specific options are discussed in the
88 +.B slapd\-<backend>(5)
89 +manual pages. Refer to the "OpenLDAP Administrator's Guide" for more
90 +details on the slapd configuration file.
91 +.SH GLOBAL CONFIGURATION OPTIONS
92 +Options described in this section apply to all backends, unless specifically
93 +overridden in a backend definition. Arguments that should be replaced by
94 +actual text are shown in brackets <>.
96 +.B access to <what> "[ by <who> <access> <control> ]+"
97 +Grant access (specified by <access>) to a set of entries and/or
98 +attributes (specified by <what>) by one or more requestors (specified
100 +If no access controls are present, the default policy
101 +allows anyone and everyone to read anything but restricts
102 +updates to rootdn. (e.g., "access to * by * read").
103 +The rootdn can always read and write EVERYTHING!
105 +.BR slapd.access (5)
106 +and the "OpenLDAP's Administrator's Guide" for details.
109 +Specify a set of features (separated by white space) to
110 +allow (default none).
112 +allows acceptance of LDAPv2 bind requests. Note that
114 +does not truly implement LDAPv2 (RFC 1777), now Historic (RFC 3494).
116 +allows anonymous bind when credentials are not empty (e.g.
119 +allows unauthenticated (anonymous) bind when DN is not empty.
121 +allows unauthenticated (anonymous) update operations to be processed
122 +(subject to access controls and other administrative limits).
124 +allows unauthenticated (anonymous) proxy authorization control to be processed
125 +(subject to access controls, authorization and other administrative limits).
127 +.B argsfile <filename>
128 +The (absolute) name of a file that will hold the
130 +server's command line (program name and options).
132 +.B attributeoptions [option-name]...
133 +Define tagging attribute options or option tag/range prefixes.
134 +Options must not end with `\-', prefixes must end with `\-'.
135 +The `lang\-' prefix is predefined.
138 +directive, `lang\-' will no longer be defined and you must specify it
139 +explicitly if you want it defined.
141 +An attribute description with a tagging option is a subtype of that
142 +attribute description without the option.
143 +Except for that, options defined this way have no special semantics.
144 +Prefixes defined this way work like the `lang\-' options:
145 +They define a prefix for tagging options starting with the prefix.
146 +That is, if you define the prefix `x\-foo\-', you can use the option
148 +Furthermore, in a search or compare, a prefix or range name (with
149 +a trailing `\-') matches all options starting with that name, as well
150 +as the option with the range name sans the trailing `\-'.
151 +That is, `x\-foo\-bar\-' matches `x\-foo\-bar' and `x\-foo\-bar\-baz'.
153 +RFC 4520 reserves options beginning with `x\-' for private experiments.
154 +Other options should be registered with IANA, see RFC 4520 section 3.5.
155 +OpenLDAP also has the `binary' option built in, but this is a transfer
156 +option, not a tagging option.
159 +.B attributetype "(\ <oid>\
161 + [DESC\ <description>]\
167 + [SYNTAX\ <oidlen>]\
170 + [NO\-USER\-MODIFICATION]\
171 + [USAGE\ <attributeUsage>]\ )"
173 +Specify an attribute type using the LDAPv3 syntax defined in RFC 4512.
174 +The slapd parser extends the RFC 4512 definition by allowing string
175 +forms as well as numeric OIDs to be used for the attribute OID and
176 +attribute syntax OID.
182 +.B authid\-rewrite<cmd> <args>
183 +Used by the authentication framework to convert simple user names
184 +to an LDAP DN used for authorization purposes.
185 +Its purpose is analogous to that of
188 +The prefix \fIauthid\-\fP is followed by a set of rules analogous
189 +to those described in
191 +for data rewriting (replace the \fIrwm\-\fP prefix with \fIauthid\-\fP).
192 +.B authid\-rewrite<cmd>
195 +rules should not be intermixed.
197 +.B authz\-policy <policy>
198 +Used to specify which rules to use for Proxy Authorization. Proxy
199 +authorization allows a client to authenticate to the server using one
200 +user's credentials, but specify a different identity to use for authorization
201 +and access control purposes. It essentially allows user A to login as user
202 +B, using user A's password.
205 +flag disables proxy authorization. This is the default setting.
208 +flag will use rules in the
210 +attribute of the authorization DN.
213 +flag will use rules in the
215 +attribute of the authentication DN.
218 +flag, an alias for the deprecated value of
220 +will allow any of the above, whatever succeeds first (checked in
226 +flag requires both authorizations to succeed.
229 +The rules are mechanisms to specify which identities are allowed
230 +to perform proxy authorization.
233 +attribute in an entry specifies which other users
234 +are allowed to proxy login to this entry. The
237 +an entry specifies which other users this user can authorize as. Use of
240 +abused if users are allowed to write arbitrary values to this attribute.
243 +attribute must be protected with ACLs such that
244 +only privileged users can modify it.
251 +or a set of identities; it can take five forms:
254 +.B ldap:///<base>??[<scope>]?<filter>
257 +.B dn[.<dnstyle>]:<pattern>
260 +.B u[.<mech>[/<realm>]]:<pattern>
263 +.B group[/objectClass[/attributeType]]:<pattern>
270 +.B <dnstyle>:={exact|onelevel|children|subtree|regex}
273 +The first form is a valid LDAP
281 +portions must be absent, so that the search occurs locally on either
287 +The second form is a
297 +provide exact, onelevel, children and subtree matches, which cause
299 +to be normalized according to the DN normalization rules.
306 +to be treated as a POSIX (''extended'') regular expression, as
313 +means any non-anonymous DN.
316 +The third form is a SASL
322 +allow specification of a SASL
324 +and eventually a SASL
326 +for those mechanisms that support one.
327 +The need to allow the specification of a mechanism is still debated,
328 +and users are strongly discouraged to rely on this possibility.
331 +The fourth form is a group specification.
332 +It consists of the keyword
334 +optionally followed by the specification of the group
348 +is searched with base scope, filtered on the specified
350 +The values of the resulting
352 +are searched for the asserted DN.
355 +The fifth form is provided for backwards compatibility. If no identity
356 +type is provided, i.e. only
360 +is assumed; as a consequence,
362 +is subjected to DN normalization.
365 +Since the interpretation of
369 +can impact security, users are strongly encouraged
370 +to explicitly set the type of identity specification that is being used.
371 +A subset of these rules can be used as third arg in the
373 +statement (see below); significantly, the
375 +provided it results in exactly one entry,
381 +.B authz\-regexp <match> <replace>
382 +Used by the authentication framework to convert simple user names,
383 +such as provided by SASL subsystem, or extracted from certificates
384 +in case of cert-based SASL EXTERNAL, or provided within the RFC 4370
385 +"proxied authorization" control, to an LDAP DN used for
386 +authorization purposes. Note that the resulting DN need not refer
387 +to an existing entry to be considered valid. When an authorization
388 +request is received from the SASL subsystem, the SASL
393 +are taken, when available, and combined into a name of the form
397 +.B UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth
400 +This name is then compared against the
402 +POSIX (''extended'') regular expression, and if the match is successful,
403 +the name is replaced with the
405 +string. If there are wildcard strings in the
407 +regular expression that are enclosed in parenthesis, e.g.
410 +.B UID=([^,]*),CN=.*
413 +then the portion of the name that matched the wildcard will be stored
414 +in the numbered placeholder variable $1. If there are other wildcard strings
415 +in parenthesis, the matching strings will be in $2, $3, etc. up to $9. The
416 +placeholders can then be used in the
421 +.B UID=$1,OU=Accounts,DC=example,DC=com
424 +The replaced name can be either a DN, i.e. a string prefixed by "dn:",
426 +If the latter, the server will use the URI to search its own database(s)
427 +and, if the search returns exactly one entry, the name is
428 +replaced by the DN of that entry. The LDAP URI must have no
429 +hostport, attrs, or extensions components, but the filter is mandatory,
433 +.B ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)
436 +The protocol portion of the URI must be strictly
438 +Note that this search is subject to access controls. Specifically,
439 +the authentication identity must have "auth" access in the subject.
443 +options can be given in the configuration file to allow for multiple matching
444 +and replacement patterns. The matching patterns are checked in the order they
445 +appear in the file, stopping at the first successful match.
448 +.\"Because the plus sign + is a character recognized by the regular expression engine,
449 +.\"and it will appear in names that include a REALM, be careful to escape the
450 +.\"plus sign with a backslash \\+ to remove the character's special meaning.
453 +.B concurrency <integer>
454 +Specify a desired level of concurrency. Provided to the underlying
455 +thread system as a hint. The default is not to provide any hint. This setting
456 +is only meaningful on some platforms where there is not a one to one
457 +correspondence between user threads and kernel threads.
459 +.B conn_max_pending <integer>
460 +Specify the maximum number of pending requests for an anonymous session.
461 +If requests are submitted faster than the server can process them, they
462 +will be queued up to this limit. If the limit is exceeded, the session
463 +is closed. The default is 100.
465 +.B conn_max_pending_auth <integer>
466 +Specify the maximum number of pending requests for an authenticated session.
467 +The default is 1000.
469 +.B defaultsearchbase <dn>
470 +Specify a default search base to use when client submits a
471 +non-base search request with an empty base DN.
472 +Base scoped search requests with an empty base DN are not affected.
474 +.B disallow <features>
475 +Specify a set of features (separated by white space) to
476 +disallow (default none).
478 +disables acceptance of anonymous bind requests. Note that this setting
479 +does not prohibit anonymous directory access (See "require authc").
481 +disables simple (bind) authentication.
483 +disables forcing session to anonymous status (see also
485 +upon StartTLS operation receipt.
487 +disallows the StartTLS operation if authenticated (see also
489 +.B proxy_authz_non_critical
490 +disables acceptance of the proxied authorization control (RFC4370)
491 +with criticality set to FALSE.
492 +.B dontusecopy_non_critical
493 +disables acceptance of the dontUseCopy control (a work in progress)
494 +with criticality set to FALSE.
497 +.B ditcontentrule "(\ <oid>\
499 + [DESC\ <description>]\
506 +Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 4512.
507 +The slapd parser extends the RFC 4512 definition by allowing string
508 +forms as well as numeric OIDs to be used for the attribute OID and
509 +attribute syntax OID.
515 +.B gentlehup { on | off }
516 +A SIGHUP signal will only cause a 'gentle' shutdown-attempt:
518 +will stop listening for new connections, but will not close the
519 +connections to the current clients. Future write operations return
520 +unwilling-to-perform, though. Slapd terminates when all clients
521 +have closed their connections (if they ever do), or \- as before \-
522 +if it receives a SIGTERM signal. This can be useful if you wish to
523 +terminate the server and start a new
526 +.B with another database,
527 +without disrupting the currently active clients.
528 +The default is off. You may wish to use
530 +along with this option.
532 +.B idletimeout <integer>
533 +Specify the number of seconds to wait before forcibly closing
534 +an idle client connection. A setting of 0 disables this
535 +feature. The default is 0. You may also want to set the
539 +.B include <filename>
540 +Read additional configuration information from the given file before
541 +continuing with the next line of the current file.
543 +.B index_hash64 { on | off }
544 +Use a 64 bit hash for indexing. The default is to use 32 bit hashes.
545 +These hashes are used for equality and substring indexing. The 64 bit
546 +version may be needed to avoid index collisions when the number of
547 +indexed values exceeds ~64 million. (Note that substring indexing
548 +generates multiple index values per actual attribute value.)
549 +Indices generated with 32 bit hashes are incompatible with the 64 bit
550 +version, and vice versa. Any existing databases must be fully reloaded
551 +when changing this setting. This directive is only supported on 64 bit CPUs.
553 +.B index_intlen <integer>
554 +Specify the key length for ordered integer indices. The most significant
555 +bytes of the binary integer will be used for index keys. The default
556 +value is 4, which provides exact indexing for 31 bit values.
557 +A floating point representation is used to index too large values.
559 +.B index_substr_if_maxlen <integer>
560 +Specify the maximum length for subinitial and subfinal indices. Only
561 +this many characters of an attribute value will be processed by the
562 +indexing functions; any excess characters are ignored. The default is 4.
564 +.B index_substr_if_minlen <integer>
565 +Specify the minimum length for subinitial and subfinal indices. An
566 +attribute value must have at least this many characters in order to be
567 +processed by the indexing functions. The default is 2.
569 +.B index_substr_any_len <integer>
570 +Specify the length used for subany indices. An attribute value must have
571 +at least this many characters in order to be processed. Attribute values
572 +longer than this length will be processed in segments of this length. The
573 +default is 4. The subany index will also be used in subinitial and
574 +subfinal index lookups when the filter string is longer than the
575 +.I index_substr_if_maxlen
578 +.B index_substr_any_step <integer>
579 +Specify the steps used in subany index lookups. This value sets the offset
580 +for the segments of a filter string that are processed for a subany index
581 +lookup. The default is 2. For example, with the default values, a search
582 +using this filter "cn=*abcdefgh*" would generate index lookups for
583 +"abcd", "cdef", and "efgh".
586 +Note: Indexing support depends on the particular backend in use. Also,
587 +changing these settings will generally require deleting any indices that
588 +depend on these parameters and recreating them with
593 +.B ldapsyntax "(\ <oid>\
594 + [DESC\ <description>]\
595 + [X\-SUBST <substitute-syntax>]\ )"
597 +Specify an LDAP syntax using the LDAPv3 syntax defined in RFC 4512.
598 +The slapd parser extends the RFC 4512 definition by allowing string
599 +forms as well as numeric OIDs to be used for the syntax OID.
603 +The slapd parser also honors the
605 +extension (an OpenLDAP-specific extension), which allows one to use the
607 +statement to define a non-implemented syntax along with another syntax,
609 +.IR substitute-syntax ,
610 +as its temporary replacement.
612 +.I substitute-syntax
614 +This allows one to define attribute types that make use of non-implemented syntaxes
615 +using the correct syntax OID.
618 +is used, this configuration statement would result in an error,
619 +since no handlers would be associated to the resulting syntax structure.
623 +.B listener-threads <integer>
624 +Specify the number of threads to use for the connection manager.
625 +The default is 1 and this is typically adequate for up to 16 CPU cores.
626 +The value should be set to a power of 2.
629 +Specifies the Security Strength Factor (SSF) to be given local LDAP sessions,
630 +such as those to the ldapi:// listener. For a description of SSF values,
632 +.BR sasl-secprops 's
634 +option description. The default is 71.
636 +.B logfile <filename>
637 +Specify a file for recording slapd debug messages. By default these messages
638 +only go to stderr, are not recorded anywhere else, and are unrelated to
639 +messages exposed by the
641 +configuration parameter. Specifying a logfile copies messages to both stderr
644 +.B logfile-format debug | syslog-utc | syslog-localtime
645 +Specify the prefix format for messages written to the logfile. The debug
646 +format is the normal format used for slapd debug messages, with a timestamp
647 +in hexadecimal, followed by a thread ID. The other options are to
648 +use syslog(3) style prefixes, with timestamps either in UTC or in the
649 +local timezone. The default is debug format.
651 +.B logfile-only on | off
652 +Specify that debug messages should only go to the configured logfile, and
655 +.B logfile-rotate <max> <Mbytes> <hours>
656 +Specify automatic rotation for the configured logfile as the maximum
657 +number of old logfiles to retain, a maximum size in megabytes to allow a
658 +logfile to grow before rotation, and a maximum age in hours for a logfile
659 +to be used before rotation. The maximum number must be in the range 1-99.
660 +Setting Mbytes or hours to zero disables the size or age check, respectively.
661 +At least one of Mbytes or hours must be non-zero. By default no automatic
662 +rotation will be performed.
664 +.B loglevel <integer> [...]
665 +Specify the level at which debugging statements and operation
666 +statistics should be syslogged (currently logged to the
668 +LOG_LOCAL4 facility).
669 +They must be considered subsystems rather than increasingly verbose
671 +Some messages with higher priority are logged regardless
672 +of the configured loglevel as soon as any logging is configured.
673 +Log levels are additive, and available levels are:
680 +trace function calls
684 +debug packet handling
688 +heavy trace debugging (function args)
692 +connection management
696 +print out packets sent and received
700 +search filter processing
704 +configuration file processing
708 +access control list processing
712 +connections, LDAP operations, results (recommended)
716 +stats2 log entries sent
720 +print communication with shell backends
732 +\"data indexing (unused)
736 +LDAPSync replication
740 +only messages that get logged whatever log level is set
743 +The desired log level can be input as a single integer that combines
744 +the (ORed) desired levels, both in decimal or in hexadecimal notation,
745 +as a list of integers (that are ORed internally),
746 +or as a list of the names that are shown between parentheses, such that
759 +can be used as a shortcut to enable logging at all levels (equivalent to \-1).
762 +or the equivalent integer representation, causes those messages
763 +that are logged regardless of the configured loglevel to be logged.
764 +In fact, if loglevel is set to 0, no logging occurs,
767 +level is required to have high priority messages logged.
774 +levels are only available as debug output on stderr, and are not
777 +The loglevel defaults to \fBstats\fP.
778 +This level should usually also be included when using other loglevels, to
779 +help analyze the logs.
782 +.B maxfilterdepth <integer>
783 +Specify the maximum depth of nested filters in search requests.
784 +The default is 1000.
786 +.B moduleload <filename> [<arguments>...]
787 +Specify the name of a dynamically loadable module to load and any
788 +additional arguments if supported by the module. The filename
789 +may be an absolute path name or a simple filename. Non-absolute names
790 +are searched for in the directories specified by the
792 +option. This option and the
794 +option are only usable if slapd was compiled with \-\-enable\-modules.
796 +.B modulepath <pathspec>
797 +Specify a list of directories to search for loadable modules. Typically
798 +the path is colon-separated but this depends on the operating system.
799 +The default is MODULEDIR, which is where the standard OpenLDAP install
800 +will place its modules.
803 +.B objectclass "(\ <oid>\
805 + [DESC\ <description>]\
808 + [{ ABSTRACT | STRUCTURAL | AUXILIARY }]\
809 + [MUST\ <oids>] [MAY\ <oids>] )"
811 +Specify an objectclass using the LDAPv3 syntax defined in RFC 4512.
812 +The slapd parser extends the RFC 4512 definition by allowing string
813 +forms as well as numeric OIDs to be used for the object class OID.
817 +description.) Object classes are "STRUCTURAL" by default.
820 +.B objectidentifier <name> "{ <oid> | <name>[:<suffix>] }"
821 +Define a string name that equates to the given OID. The string can be used
822 +in place of the numeric OID in objectclass and attribute definitions. The
823 +name can also be used with a suffix of the form ":xx" in which case the
824 +value "oid.xx" will be used.
826 +.B password\-hash <hash> [<hash>...]
827 +This option configures one or more hashes to be used in generation of user
828 +passwords stored in the userPassword attribute during processing of
829 +LDAP Password Modify Extended Operations (RFC 3062).
830 +The <hash> must be one of
844 +use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.
849 +use the MD5 algorithm (RFC 1321), the latter with a seed.
856 +indicates that the new password should be
857 +added to userPassword as clear text.
859 +Note that this option does not alter the normal user applications
860 +handling of userPassword during LDAP Add, Modify, or other LDAP operations.
862 +.B password\-crypt\-salt\-format <format>
863 +Specify the format of the salt passed to
865 +when generating {CRYPT} passwords (see
866 +.BR password\-hash )
867 +during processing of LDAP Password Modify Extended Operations (RFC 3062).
869 +This string needs to be in
871 +format and may include one (and only one) %s conversion.
872 +This conversion will be substituted with a string of random
873 +characters from [A\-Za\-z0\-9./]. For example, "%.2s"
874 +provides a two character salt and "$1$%.8s" tells some
875 +versions of crypt(3) to use an MD5 algorithm and provides
876 +8 random characters of salt. The default is "%s", which
877 +provides 31 characters of salt.
879 +.B pidfile <filename>
880 +The (absolute) name of a file that will hold the
882 +server's process ID (see
885 +.B pluginlog: <filename>
886 +The ( absolute ) name of a file that will contain log
890 +.BR slapd.plugin (5)
894 +Specify the referral to pass back when
896 +cannot find a local database to handle a request.
897 +If specified multiple times, each url is provided.
899 +.B require <conditions>
900 +Specify a set of conditions (separated by white space) to
901 +require (default none).
902 +The directive may be specified globally and/or per-database;
903 +databases inherit global conditions, so per-database specifications
906 +requires bind operation prior to directory operations.
908 +requires session to be using LDAP version 3.
910 +requires authentication prior to directory operations.
912 +requires SASL authentication prior to directory operations.
914 +requires strong authentication prior to directory operations.
915 +The strong keyword allows protected "simple" authentication
916 +as well as SASL authentication.
918 +may be used to require no conditions (useful to clear out globally
919 +set conditions within a particular database); it must occur first
920 +in the list of conditions.
922 +.B reverse\-lookup on | off
923 +Enable/disable client name unverified reverse lookup (default is
925 +if compiled with \-\-enable\-rlookups).
928 +Specify the name of an LDIF(5) file containing user defined attributes
929 +for the root DSE. These attributes are returned in addition to the
930 +attributes normally produced by slapd.
932 +The root DSE is an entry with information about the server and its
933 +capabilities, in operational attributes.
934 +It has the empty DN, and can be read with e.g.:
936 +ldapsearch \-x \-b "" \-s base "+"
938 +See RFC 4512 section 5.1 for details.
940 +.B sasl\-auxprops <plugin> [...]
941 +Specify which auxprop plugins to use for authentication lookups. The
942 +default is empty, which just uses slapd's internal support. Usually
943 +no other auxprop plugins are needed.
945 +.B sasl\-auxprops\-dontusecopy <attr> [...]
946 +Specify which attribute(s) should be subject to the don't use copy control. This
947 +is necessary for some SASL mechanisms such as OTP to work in a replicated
948 +environment. The attribute "cmusaslsecretOTP" is the default value.
950 +.B sasl\-auxprops\-dontusecopy\-ignore on | off
951 +Used to disable replication of the attribute(s) defined by
952 +sasl-auxprops-dontusecopy and instead use a local value for the attribute. This
953 +allows the SASL mechanism to continue to work if the provider is offline. This can
954 +cause replication inconsistency. Defaults to off.
956 +.B sasl\-host <fqdn>
957 +Used to specify the fully qualified domain name used for SASL processing.
959 +.B sasl\-realm <realm>
960 +Specify SASL realm. Default is empty.
962 +.B sasl\-cbinding none | tls-unique | tls-endpoint
963 +Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING.
966 +.B sasl\-secprops <properties>
967 +Used to specify Cyrus SASL security properties.
970 +flag (without any other properties) causes the flag properties
971 +default, "noanonymous,noplain", to be cleared.
974 +flag disables mechanisms susceptible to simple passive attacks.
977 +flag disables mechanisms susceptible to active attacks.
980 +flag disables mechanisms susceptible to passive dictionary attacks.
983 +flag disables mechanisms which support anonymous login.
986 +flag require forward secrecy between sessions.
989 +require mechanisms which pass client credentials (and allow
990 +mechanisms which can pass credentials to do so).
993 +property specifies the minimum acceptable
994 +.I security strength factor
995 +as an integer approximate to effective key length used for
996 +encryption. 0 (zero) implies no protection, 1 implies integrity
997 +protection only, 128 allows RC4, Blowfish and other similar ciphers,
998 +256 will require modern ciphers. The default is 0.
1001 +property specifies the maximum acceptable
1002 +.I security strength factor
1003 +as an integer (see minssf description). The default is INT_MAX.
1005 +.B maxbufsize=<size>
1006 +property specifies the maximum security layer receive buffer
1007 +size allowed. 0 disables security layers. The default is 65536.
1010 +Specify the distinguished name for the subschema subentry that
1011 +controls the entries on this server. The default is "cn=Subschema".
1013 +.B security <factors>
1014 +Specify a set of security strength factors (separated by white space)
1016 +.BR sasl\-secprops 's
1018 +option for a description of security strength factors).
1019 +The directive may be specified globally and/or per-database.
1021 +specifies the overall security strength factor.
1023 +specifies the transport security strength factor.
1025 +specifies the TLS security strength factor.
1027 +specifies the SASL security strength factor.
1029 +specifies the overall security strength factor to require for
1031 +.B update_transport=<n>
1032 +specifies the transport security strength factor to require for
1035 +specifies the TLS security strength factor to require for
1038 +specifies the SASL security strength factor to require for
1041 +specifies the security strength factor required for
1043 +username/password authentication.
1046 +factor is measure of security provided by the underlying transport,
1047 +e.g. ldapi:// (and eventually IPSEC). It is not normally used.
1049 +.B serverID <integer> [<URL>]
1050 +Specify an integer ID from 0 to 4095 for this server. The ID may also be
1051 +specified as a hexadecimal ID by prefixing the value with "0x".
1052 +Non-zero IDs are required when using multi-provider replication and each
1053 +provider must have a unique non-zero ID. Note that this requirement also
1054 +applies to separate providers contributing to a glued set of databases.
1055 +If the URL is provided, this directive may be specified
1056 +multiple times, providing a complete list of participating servers
1057 +and their IDs. The fully qualified hostname of each server should be
1058 +used in the supplied URLs. The IDs are used in the "replica id" field
1059 +of all CSNs generated by the specified server. The default value is zero, which
1060 +is only valid for single provider replication.
1064 + serverID 1 ldap://ldap1.example.com
1065 + serverID 2 ldap://ldap2.example.com
1068 +.B sizelimit {<integer>|unlimited}
1070 +.B sizelimit size[.{soft|hard}]=<integer> [...]
1071 +Specify the maximum number of entries to return from a search operation.
1072 +The default size limit is 500.
1075 +to specify no limits.
1076 +The second format allows a fine grain setting of the size limits.
1077 +If no special qualifiers are specified, both soft and hard limits are set.
1078 +Extra args can be added on the same line.
1079 +Additional qualifiers are available; see
1081 +for an explanation of all of the different flags.
1083 +.B sockbuf_max_incoming <integer>
1084 +Specify the maximum incoming LDAP PDU size for anonymous sessions.
1085 +The default is 262143.
1087 +.B sockbuf_max_incoming_auth <integer>
1088 +Specify the maximum incoming LDAP PDU size for authenticated sessions.
1089 +The default is 4194303.
1091 +.B sortvals <attr> [...]
1092 +Specify a list of multi-valued attributes whose values will always
1093 +be maintained in sorted order. Using this option will allow Modify,
1094 +Compare, and filter evaluations on these attributes to be performed
1095 +more efficiently. The resulting sort order depends on the
1096 +attributes' syntax and matching rules and may not correspond to
1097 +lexical order or any other recognizable order.
1099 +.B tcp-buffer [listener=<URL>] [{read|write}=]<size>
1100 +Specify the size of the TCP buffer.
1101 +A global value for both read and write TCP buffers related to any listener
1102 +is defined, unless the listener is explicitly specified,
1103 +or either the read or write qualifiers are used.
1107 +Note that some OS-es implement automatic TCP buffer tuning.
1109 +.B threads <integer>
1110 +Specify the maximum size of the primary thread pool.
1111 +The default is 16; the minimum value is 2.
1113 +.B threadqueues <integer>
1114 +Specify the number of work queues to use for the primary thread pool.
1115 +The default is 1 and this is typically adequate for up to 8 CPU cores.
1116 +The value should not exceed the number of CPUs in the system.
1118 +.B timelimit {<integer>|unlimited}
1120 +.B timelimit time[.{soft|hard}]=<integer> [...]
1121 +Specify the maximum number of seconds (in real time)
1123 +will spend answering a search request. The default time limit is 3600.
1126 +to specify no limits.
1127 +The second format allows a fine grain setting of the time limits.
1128 +Extra args can be added on the same line. See
1130 +for an explanation of the different flags.
1132 +.B tool\-threads <integer>
1133 +Specify the maximum number of threads to use in tool mode.
1134 +This should not be greater than the number of CPUs in the system.
1137 +.B writetimeout <integer>
1138 +Specify the number of seconds to wait before forcibly closing
1139 +a connection with an outstanding write. This allows recovery from
1140 +various network hang conditions. A writetimeout of 0 disables this
1141 +feature. The default is 0.
1145 +is built with support for Transport Layer Security, there are more options
1148 +.B TLSCipherSuite <cipher-suite-spec>
1149 +Permits configuring what ciphers will be accepted and the preference order.
1150 +<cipher-suite-spec> should be a cipher specification for the TLS library
1151 +in use (OpenSSL or GnuTLS).
1157 +TLSCipherSuite HIGH:MEDIUM:+SSLv2
1160 +TLSCiphersuite SECURE256:!AES-128-CBC
1163 +To check what ciphers a given spec selects in OpenSSL, use:
1166 + openssl ciphers \-v <cipher-suite-spec>
1169 +With GnuTLS the available specs can be found in the manual page of
1170 +.BR gnutls\-cli (1)
1171 +(see the description of the
1173 +.BR \-\-priority ).
1175 +In older versions of GnuTLS, where gnutls\-cli does not support the option
1176 +\-\-priority, you can obtain the \(em more limited \(em list of ciphers by calling:
1183 +.B TLSCACertificateFile <filename>
1184 +Specifies the file that contains certificates for all of the Certificate
1187 +will recognize. The certificate for
1188 +the CA that signed the server certificate must(GnuTLS)/may(OpenSSL) be included among
1189 +these certificates. If the signing CA was not a top-level (root) CA,
1190 +certificates for the entire sequence of CA's from the signing CA to
1191 +the top-level CA should be present. Multiple certificates are simply
1192 +appended to the file; the order is not significant.
1194 +.B TLSCACertificatePath <path>
1195 +Specifies the path of directories that contain Certificate Authority
1196 +certificates in separate individual files. Usually only one of this
1197 +or the TLSCACertificateFile is used. If both are specified, both
1198 +locations will be used. Multiple directories may be specified,
1199 +separated by a semi-colon.
1201 +.B TLSCertificateFile <filename>
1202 +Specifies the file that contains the
1204 +server certificate.
1206 +When using OpenSSL that file may also contain any number of intermediate
1207 +certificates after the server certificate.
1209 +.B TLSCertificateKeyFile <filename>
1210 +Specifies the file that contains the
1212 +server private key that matches the certificate stored in the
1213 +.B TLSCertificateFile
1214 +file. Currently, the private key must not be protected with a password, so
1215 +it is of critical importance that it is protected carefully.
1217 +.B TLSDHParamFile <filename>
1218 +This directive specifies the file that contains parameters for Diffie-Hellman
1219 +ephemeral key exchange. This is required in order to use a DSA certificate on
1220 +the server, or an RSA certificate missing the "key encipherment" key usage.
1221 +Note that setting this option may also enable
1222 +Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
1223 +Anonymous key exchanges should generally be avoided since they provide no
1224 +actual client or server authentication and provide no protection against
1225 +man-in-the-middle attacks.
1226 +You should append "!ADH" to your cipher suites to ensure that these suites
1229 +.B TLSECName <name>
1230 +Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman
1231 +ephemeral key exchange. This option is only used for OpenSSL.
1232 +This option is not used with GnuTLS; the curves may be
1233 +chosen in the GnuTLS ciphersuite specification.
1235 +.B TLSProtocolMin <major>[.<minor>]
1236 +Specifies minimum SSL/TLS protocol version that will be negotiated.
1237 +If the server doesn't support at least that version,
1238 +the SSL handshake will fail.
1239 +To require TLS 1.x or higher, set this option to 3.(x+1),
1243 + TLSProtocolMin 3.2
1246 +would require TLS 1.1.
1247 +Specifying a minimum that is higher than that supported by the
1248 +OpenLDAP implementation will result in it requiring the
1249 +highest level that it does support.
1250 +This directive is ignored with GnuTLS.
1252 +.B TLSRandFile <filename>
1253 +Specifies the file to obtain random bits from when /dev/[u]random
1254 +is not available. Generally set to the name of the EGD/PRNGD socket.
1255 +The environment variable RANDFILE can also be used to specify the filename.
1256 +This directive is ignored with GnuTLS.
1258 +.B TLSVerifyClient <level>
1259 +Specifies what checks to perform on client certificates in an
1260 +incoming TLS session, if any.
1263 +can be specified as one of the following keywords:
1267 +This is the default.
1269 +will not ask the client for a certificate.
1272 +The client certificate is requested. If no certificate is provided,
1273 +the session proceeds normally. If a bad certificate is provided,
1274 +it will be ignored and the session proceeds normally.
1277 +The client certificate is requested. If no certificate is provided,
1278 +the session proceeds normally. If a bad certificate is provided,
1279 +the session is immediately terminated.
1281 +.B demand | hard | true
1282 +These keywords are all equivalent, for compatibility reasons.
1283 +The client certificate is requested. If no certificate is provided,
1284 +or a bad certificate is provided, the session is immediately terminated.
1286 +Note that a valid client certificate is required in order to use the
1287 +SASL EXTERNAL authentication mechanism with a TLS session. As such,
1290 +setting must be chosen to enable SASL EXTERNAL authentication.
1293 +.B TLSCRLCheck <level>
1294 +Specifies if the Certificate Revocation List (CRL) of the CA should be
1295 +used to verify if the client certificates have not been revoked. This
1297 +.B TLSCACertificatePath
1298 +parameter to be set. This directive is ignored with GnuTLS.
1300 +can be specified as one of the following keywords:
1304 +No CRL checks are performed
1307 +Check the CRL of the peer certificate
1310 +Check the CRL for a whole certificate chain
1313 +.B TLSCRLFile <filename>
1314 +Specifies a file containing a Certificate Revocation List to be used
1315 +for verifying that certificates have not been revoked. This directive is
1316 +only valid when using GnuTLS.
1317 +.SH GENERAL BACKEND OPTIONS
1318 +Options in this section only apply to the configuration file section
1319 +of all instances of the specified backend. All backends may support
1320 +this class of options, but currently only back-mdb does.
1322 +.B backend <databasetype>
1323 +Mark the beginning of a backend definition. <databasetype>
1341 +At present, only back-mdb implements any options of this type, so this
1342 +setting is not needed for any other backends.
1344 +.SH GENERAL DATABASE OPTIONS
1345 +Options in this section only apply to the configuration file section
1346 +for the database in which they are defined. They are supported by every
1347 +type of backend. Note that the
1351 +option are mandatory for each database.
1353 +.B database <databasetype>
1354 +Mark the beginning of a new database instance definition. <databasetype>
1372 +depending on which backend will serve the database.
1374 +LDAP operations, even subtree searches, normally access only one
1376 +That can be changed by gluing databases together with the
1379 +Access controls and some overlays can also involve multiple databases.
1381 +.B add_content_acl on | off
1382 +Controls whether Add operations will perform ACL checks on
1383 +the content of the entry being added. This check is off
1384 +by default. See the
1385 +.BR slapd.access (5)
1386 +manual page for more details on ACL requirements for
1389 +.B extra_attrs <attrlist>
1390 +Lists what attributes need to be added to search requests.
1391 +Local storage backends return the entire entry to the frontend.
1392 +The frontend takes care of only returning the requested attributes
1393 +that are allowed by ACLs.
1394 +However, features like access checking and so may need specific
1395 +attributes that are not automatically returned by remote storage
1396 +backends, like proxy backends and so on.
1398 +is a list of attributes that are needed for internal purposes
1399 +and thus always need to be collected, even when not explicitly
1400 +requested by clients.
1403 +Controls whether the database will be used to answer
1404 +queries. A database that is hidden will never be
1405 +selected to answer any queries, and any suffix configured
1406 +on the database will be ignored in checks for conflicts
1407 +with other databases. By default, hidden is off.
1409 +.B lastmod on | off
1412 +will automatically maintain the
1413 +modifiersName, modifyTimestamp, creatorsName, and
1414 +createTimestamp attributes for entries. It also controls
1415 +the entryCSN and entryUUID attributes, which are needed
1416 +by the syncrepl provider. By default, lastmod is on.
1418 +.B lastbind on | off
1421 +will automatically maintain the pwdLastSuccess attribute for
1422 +entries. By default, lastbind is off.
1424 +.B lastbind-precision <integer>
1425 +If lastbind is enabled, specifies how frequently pwdLastSuccess
1426 +will be updated. More than
1428 +seconds must have passed since the last successful bind. In a
1429 +replicated environment with frequent bind activity it may be
1430 +useful to set this to a large value.
1432 +.B limits <selector> <limit> [<limit> [...]]
1433 +Specify time and size limits based on the operation's initiator or
1441 +anonymous | users | [<dnspec>=]<pattern> | group[/oc[/at]]=<pattern>
1447 +<dnspec> ::= dn[.<type>][.<style>]
1449 +<type> ::= self | this
1451 +<style> ::= exact | base | onelevel | subtree | children | regex | anonymous
1456 +is the default and means the bound user, while
1458 +means the base DN of the operation.
1461 +matches all unauthenticated clients.
1464 +matches all authenticated clients;
1467 +dn pattern is assumed unless otherwise specified by qualifying
1468 +the (optional) key string
1474 +(which are synonyms), to require an exact match; with
1476 +to require exactly one level of depth match; with
1478 +to allow any level of depth match, including the exact match; with
1480 +to allow any level of depth match, not including the exact match;
1482 +explicitly requires the (default) match based on POSIX (''extended'')
1483 +regular expression pattern.
1486 +matches unbound operations; the
1489 +The same behavior is obtained by using the
1496 +with the optional objectClass
1500 +fields, followed by
1502 +sets the limits for any DN listed in the values of the
1508 +group objectClass (default
1510 +whose DN exactly matches
1513 +The currently supported limits are
1518 +The syntax for time limits is
1519 +.BR time[.{soft|hard}]=<integer> ,
1522 +is the number of seconds slapd will spend answering a search request.
1523 +If no time limit is explicitly requested by the client, the
1525 +limit is used; if the requested time limit exceeds the
1528 +.\".I "Administrative limit exceeded"
1529 +.\"error is returned.
1530 +limit, the value of the limit is used instead.
1533 +limit is set to the keyword
1535 +the soft limit is used in either case; if it is set to the keyword
1537 +no hard limit is enforced.
1538 +Explicit requests for time limits smaller or equal to the
1541 +If no limit specifier is set, the value is assigned to the
1547 +to preserve the original behavior.
1549 +The syntax for size limits is
1550 +.BR size[.{soft|hard|unchecked}]=<integer> ,
1553 +is the maximum number of entries slapd will return answering a search
1555 +If no size limit is explicitly requested by the client, the
1557 +limit is used; if the requested size limit exceeds the
1560 +.\".I "Administrative limit exceeded"
1561 +.\"error is returned.
1562 +limit, the value of the limit is used instead.
1565 +limit is set to the keyword
1567 +the soft limit is used in either case; if it is set to the keyword
1569 +no hard limit is enforced.
1570 +Explicit requests for size limits smaller or equal to the
1575 +specifier sets a limit on the number of candidates a search request is allowed
1577 +The rationale behind it is that searches for non-properly indexed
1578 +attributes may result in large sets of candidates, which must be
1581 +to determine whether they match the search filter or not.
1584 +limit provides a means to drop such operations before they are even
1586 +If the selected candidates exceed the
1588 +limit, the search will abort with
1589 +.IR "Unwilling to perform" .
1590 +If it is set to the keyword
1592 +no limit is applied (the default).
1595 +the search is not even performed; this can be used to disallow searches
1596 +for a specific set of users.
1597 +If no limit specifier is set, the value is assigned to the
1603 +to preserve the original behavior.
1605 +In case of no match, the global limits are used.
1606 +The default values are the same as for
1615 +control is requested, the
1617 +size limit is used by default, because the request of a specific page size
1618 +is considered an explicit request for a limitation on the number
1619 +of entries to be returned.
1620 +However, the size limit applies to the total count of entries returned within
1621 +the search, and not to a single page.
1622 +Additional size limits may be enforced; the syntax is
1623 +.BR size.pr={<integer>|noEstimate|unlimited} ,
1626 +is the max page size if no explicit limit is set; the keyword
1628 +inhibits the server from returning an estimate of the total number
1629 +of entries that might be returned
1630 +(note: the current implementation does not return any estimate).
1633 +indicates that no limit is applied to the pagedResults control page size.
1635 +.B size.prtotal={<integer>|hard|unlimited|disabled}
1636 +allows one to set a limit on the total number of entries that the pagedResults
1637 +control will return.
1638 +By default it is set to the
1640 +limit which will use the size.hard value.
1643 +is the max number of entries that the whole search with pagedResults control
1647 +to allow unlimited number of entries to be returned, e.g. to allow
1648 +the use of the pagedResults control as a means to circumvent size
1649 +limitations on regular searches; the keyword
1651 +disables the control, i.e. no paged results can be returned.
1652 +Note that the total number of entries returned when the pagedResults control
1653 +is requested cannot exceed the
1655 +size limit of regular searches unless extended by the
1659 +The \fBlimits\fP statement is typically used to let an unlimited
1660 +number of entries be returned by searches performed
1661 +with the identity used by the consumer for synchronization purposes
1662 +by means of the RFC 4533 LDAP Content Synchronization protocol
1663 +(see \fBsyncrepl\fP for details).
1665 +When using subordinate databases, it is necessary for any limits that
1666 +are to be applied across the parent and its subordinates to be defined in
1667 +both the parent and its subordinates. Otherwise the settings on the
1668 +subordinate databases are not honored.
1671 +.B maxderefdepth <depth>
1672 +Specifies the maximum number of aliases to dereference when trying to
1673 +resolve an entry, used to avoid infinite alias loops. The default is 15.
1675 +.B multiprovider on | off
1676 +This option puts a consumer database into Multi-Provider mode. Update
1677 +operations will be accepted from any user, not just the updatedn. The
1678 +database must already be configured as a syncrepl consumer
1679 +before this keyword may be set. This mode also requires a
1681 +(see above) to be configured.
1682 +By default, multiprovider is off.
1684 +.B monitoring on | off
1685 +This option enables database-specific monitoring in the entry related
1686 +to the current database in the "cn=Databases,cn=Monitor" subtree
1687 +of the monitor database, if the monitor database is enabled.
1688 +Currently, only the MDB database provides database-specific monitoring.
1689 +If monitoring is supported by the backend it defaults to on, otherwise
1692 +.B overlay <overlay-name>
1693 +Add the specified overlay to this database. An overlay is a piece of
1694 +code that intercepts database operations in order to extend or change
1695 +them. Overlays are pushed onto
1696 +a stack over the database, and so they will execute in the reverse
1697 +of the order in which they were configured and the database itself
1698 +will receive control last of all. See the
1699 +.BR slapd.overlays (5)
1700 +manual page for an overview of the available overlays.
1701 +Note that all of the database's
1702 +regular settings should be configured before any overlay settings.
1704 +.B readonly on | off
1705 +This option puts the database into "read-only" mode. Any attempts to
1706 +modify the database will return an "unwilling to perform" error. By
1707 +default, readonly is off.
1709 +.B restrict <oplist>
1710 +Specify a whitespace separated list of operations that are restricted.
1711 +If defined inside a database specification, restrictions apply only
1712 +to that database, otherwise they are global.
1713 +Operations can be any of
1718 +.BR extended[=<OID>] ,
1722 +or the special pseudo-operations
1726 +which respectively summarize read and write operations.
1734 +keyword allows one to indicate the OID of the specific operation
1738 +Specify the distinguished name that is not subject to access control
1739 +or administrative limit restrictions for operations on this database.
1740 +This DN may or may not be associated with an entry. An empty root
1741 +DN (the default) specifies no root access is to be granted. It is
1742 +recommended that the rootdn only be specified when needed (such as
1743 +when initially populating a database). If the rootdn is within
1744 +a namingContext (suffix) of the database, a simple bind password
1745 +may also be provided using the
1747 +directive. Many optional features, including syncrepl, require the
1748 +rootdn to be defined for the database.
1750 +.B rootpw <password>
1751 +Specify a password (or hash of the password) for the rootdn. The
1752 +password can only be set if the rootdn is within the namingContext
1753 +(suffix) of the database.
1754 +This option accepts all RFC 2307 userPassword formats known to
1757 +description) as well as cleartext.
1759 +may be used to generate a hash of a password. Cleartext
1760 +and \fB{CRYPT}\fP passwords are not recommended. If empty
1761 +(the default), authentication of the root DN is by other means
1762 +(e.g. SASL). Use of SASL is encouraged.
1764 +.B suffix <dn suffix>
1765 +Specify the DN suffix of queries that will be passed to this
1766 +backend database. Multiple suffix lines can be given and at least one is
1767 +required for each database definition.
1769 +If the suffix of one database is "inside" that of another, the database
1770 +with the inner suffix must come first in the configuration file.
1771 +You may also want to glue such databases together with the
1775 +.B subordinate [advertise]
1776 +Specify that the current backend database is a subordinate of another
1777 +backend database. A subordinate database may have only one suffix. This
1778 +option may be used to glue multiple databases into a single namingContext.
1779 +If the suffix of the current database is within the namingContext of a
1780 +superior database, searches against the superior database will be
1781 +propagated to the subordinate as well. All of the databases
1782 +associated with a single namingContext should have identical rootdns.
1783 +Behavior of other LDAP operations is unaffected by this setting. In
1784 +particular, it is not possible to use moddn to move an entry from
1785 +one subordinate to another subordinate within the namingContext.
1787 +If the optional \fBadvertise\fP flag is supplied, the naming context of
1788 +this database is advertised in the root DSE. The default is to hide this
1789 +database context, so that only the superior context is visible.
1794 +.BR slapmodify (8),
1797 +are used on the superior database, any glued subordinates that support
1798 +these tools are opened as well.
1800 +Databases that are glued together should usually be configured with the
1801 +same indices (assuming they support indexing), even for attributes that
1802 +only exist in some of these databases. In general, all of the glued
1803 +databases should be configured as similarly as possible, since the intent
1804 +is to provide the appearance of a single directory.
1806 +Note that the \fIsubordinate\fP functionality is implemented internally
1807 +by the \fIglue\fP overlay and as such its behavior will interact with other
1808 +overlays in use. By default, the glue overlay is automatically configured as
1809 +the last overlay on the superior backend. Its position on the backend
1810 +can be explicitly configured by setting an \fBoverlay glue\fP directive
1811 +at the desired position. This explicit configuration is necessary e.g.
1812 +when using the \fIsyncprov\fP overlay, which needs to follow \fIglue\fP
1813 +in order to work over all of the glued databases. E.g.
1817 + suffix dc=example,dc=com
1824 +.B sync_use_subentry
1825 +Store the syncrepl contextCSN in a subentry instead of the context entry
1826 +of the database. The subentry's RDN will be "cn=ldapsync". By default
1827 +the contextCSN is stored in the context entry.
1830 +.B syncrepl rid=<replica ID>
1831 +.B provider=ldap[s]://<hostname>[:port]
1832 +.B searchbase=<base DN>
1833 +.B [type=refreshOnly|refreshAndPersist]
1834 +.B [interval=dd:hh:mm:ss]
1835 +.B [retry=[<retry interval> <# of retries>]+]
1836 +.B [filter=<filter str>]
1837 +.B [scope=sub|one|base|subord]
1838 +.B [attrs=<attr list>]
1839 +.B [exattrs=<attr list>]
1841 +.B [sizelimit=<limit>]
1842 +.B [timelimit=<limit>]
1843 +.B [schemachecking=on|off]
1844 +.B [network\-timeout=<seconds>]
1845 +.B [timeout=<seconds>]
1846 +.B [tcp\-user\-timeout=<milliseconds>]
1847 +.B [bindmethod=simple|sasl]
1849 +.B [saslmech=<mech>]
1850 +.B [authcid=<identity>]
1851 +.B [authzid=<identity>]
1852 +.B [credentials=<passwd>]
1854 +.B [secprops=<properties>]
1855 +.B [keepalive=<idle>:<probes>:<interval>]
1856 +.B [starttls=yes|critical]
1857 +.B [tls_cert=<file>]
1858 +.B [tls_key=<file>]
1859 +.B [tls_cacert=<file>]
1860 +.B [tls_cacertdir=<path>]
1861 +.B [tls_reqcert=never|allow|try|demand]
1862 +.B [tls_reqsan=never|allow|try|demand]
1863 +.B [tls_cipher_suite=<ciphers>]
1864 +.B [tls_ecname=<names>]
1865 +.B [tls_crlcheck=none|peer|all]
1866 +.B [tls_protocol_min=<major>[.<minor>]]
1867 +.B [suffixmassage=<real DN>]
1868 +.B [logbase=<base DN>]
1869 +.B [logfilter=<filter str>]
1870 +.B [syncdata=default|accesslog|changelog]
1873 +Specify the current database as a consumer which is kept up-to-date with the
1874 +provider content by establishing the current
1876 +as a replication consumer site running a
1878 +replication engine.
1879 +The consumer content is kept synchronized to the provider content using
1880 +the LDAP Content Synchronization protocol. Refer to the
1881 +"OpenLDAP Administrator's Guide" for detailed information on
1882 +setting up a replicated
1884 +directory service using the
1886 +replication engine.
1889 +identifies the current
1891 +directive within the replication consumer site.
1892 +It is a non-negative integer not greater than 999 (limited
1893 +to three decimal digits).
1896 +specifies the replication provider site containing the provider content
1897 +as an LDAP URI. If <port> is not given, the standard LDAP port number
1898 +(389 or 636) is used.
1902 +consumer is defined using a search
1903 +specification as its result set. The consumer
1905 +will send search requests to the provider
1907 +according to the search specification. The search specification includes
1908 +.BR searchbase ", " scope ", " filter ", " attrs ", " attrsonly ", " sizelimit ", "
1911 +parameters as in the normal search specification. The
1913 +option may also be used to specify attributes that should be omitted
1914 +from incoming entries.
1915 +The \fBscope\fP defaults to \fBsub\fP, the \fBfilter\fP defaults to
1916 +\fB(objectclass=*)\fP, and there is no default \fBsearchbase\fP. The
1917 +\fBattrs\fP list defaults to \fB"*,+"\fP to return all user and operational
1918 +attributes, and \fBattrsonly\fP and \fBexattrs\fP are unset by default.
1919 +The \fBsizelimit\fP and \fBtimelimit\fP only
1920 +accept "unlimited" and positive integers, and both default to "unlimited".
1921 +The \fBsizelimit\fP and \fBtimelimit\fP parameters define
1922 +a consumer requested limitation on the number of entries that can be returned
1923 +by the LDAP Content Synchronization operation; these should be left unchanged
1924 +from the default otherwise replication may never succeed.
1925 +Note, however, that any provider-side limits for the replication identity
1926 +will be enforced by the provider regardless of the limits requested
1927 +by the LDAP Content Synchronization operation, much like for any other
1930 +The LDAP Content Synchronization protocol has two operation types.
1933 +operation, the next synchronization search operation
1934 +is periodically rescheduled at an interval time (specified by
1936 +parameter; 1 day by default)
1937 +after each synchronization operation finishes.
1939 +.B refreshAndPersist
1940 +operation, a synchronization search remains persistent in the provider slapd.
1941 +Further updates to the provider will generate
1942 +.B searchResultEntry
1943 +to the consumer slapd as the search responses to the persistent
1944 +synchronization search. If the initial search fails due to an error, the
1945 +next synchronization search operation is periodically rescheduled at an
1946 +interval time (specified by
1948 +parameter; 1 day by default)
1950 +If an error occurs during replication, the consumer will attempt to
1951 +reconnect according to the
1953 +parameter which is a list of the <retry interval> and <# of retries> pairs.
1954 +For example, retry="60 10 300 3" lets the consumer retry every 60 seconds
1955 +for the first 10 times and then retry every 300 seconds for the next 3
1956 +times before stop retrying. The `+' in <# of retries> means indefinite
1957 +number of retries until success.
1960 +is specified, by default syncrepl retries every hour forever.
1962 +The schema checking can be enforced at the LDAP Sync
1963 +consumer site by turning on the
1965 +parameter. The default is \fBoff\fP.
1966 +Schema checking \fBon\fP means that replicated entries must have
1967 +a structural objectClass, must obey to objectClass requirements
1968 +in terms of required/allowed attributes, and that naming attributes
1969 +and distinguished values must be present.
1970 +As a consequence, schema checking should be \fBoff\fP when partial
1971 +replication is used.
1974 +.B network\-timeout
1975 +parameter sets how long the consumer will wait to establish a
1976 +network connection to the provider. Once a connection is
1979 +parameter determines how long the consumer will wait for the initial
1980 +Bind request to complete. The defaults for these parameters come
1984 +.B tcp\-user\-timeout
1985 +parameter, if non-zero, corresponds to the
1986 +.B TCP_USER_TIMEOUT
1987 +set on the target connections, overriding the operating system setting.
1988 +Only some systems support the customization of this parameter, it is
1989 +ignored otherwise and system-wide settings are used.
1995 +requires the options
1999 +and should only be used when adequate security services
2000 +(e.g. TLS or IPSEC) are in place.
2001 +.B REMEMBER: simple bind credentials must be in cleartext!
2006 +requires the option
2008 +Depending on the mechanism, an authentication identity and/or
2009 +credentials can be specified using
2015 +parameter may be used to specify an authorization identity.
2016 +Specific security properties (as with the
2018 +keyword above) for a SASL bind can be set with the
2020 +option. A non default SASL realm can be set with the
2023 +The identity used for synchronization by the consumer should be allowed
2024 +to receive an unlimited number of entries in response to a search request.
2025 +The provider, other than allowing authentication of the syncrepl identity,
2026 +should grant that identity appropriate access privileges to the data
2027 +that is being replicated (\fBaccess\fP directive), and appropriate time
2029 +This can be accomplished by either allowing unlimited \fBsizelimit\fP
2030 +and \fBtimelimit\fP, or by setting an appropriate \fBlimits\fP statement
2031 +in the consumer's configuration (see \fBsizelimit\fP and \fBlimits\fP
2036 +parameter sets the values of \fIidle\fP, \fIprobes\fP, and \fIinterval\fP
2037 +used to check whether a socket is alive;
2039 +is the number of seconds a connection needs to remain idle before TCP
2040 +starts sending keepalive probes;
2042 +is the maximum number of keepalive probes TCP should send before dropping
2045 +is interval in seconds between individual keepalive probes.
2046 +Only some systems support the customization of these values;
2049 +parameter is ignored otherwise, and system-wide settings are used.
2053 +parameter specifies use of the StartTLS extended operation
2054 +to establish a TLS session before Binding to the provider. If the
2056 +argument is supplied, the session will be aborted if the StartTLS request
2057 +fails. Otherwise the syncrepl session continues without TLS. The
2059 +setting defaults to "demand", the
2061 +setting defaults to "allow", and the other TLS settings
2062 +default to the same as the main slapd TLS settings.
2066 +parameter allows the consumer to pull entries from a remote directory
2067 +whose DN suffix differs from the local directory. The portion of the
2068 +remote entries' DNs that matches the \fIsearchbase\fP will be replaced
2069 +with the suffixmassage DN.
2071 +Rather than replicating whole entries, the consumer can query logs of
2072 +data modifications. This mode of operation is referred to as \fIdelta
2073 +syncrepl\fP. In addition to the above parameters, the
2077 +parameters must be set appropriately for the log that will be used. The
2079 +parameter must be set to either "accesslog" if the log conforms to the
2080 +.BR slapo\-accesslog (5)
2081 +log format, or "changelog" if the log conforms
2082 +to the obsolete \fIchangelog\fP format. If the
2084 +parameter is omitted or set to "default" then the log parameters are
2089 +parameter tells the underlying database that it can store changes without
2090 +performing a full flush after each change. This may improve performance
2091 +for the consumer, while sacrificing safety or durability.
2095 +This option is only applicable in a replica
2097 +It specifies the DN permitted to update (subject to access controls)
2098 +the replica. It is only needed in certain push-mode
2099 +replication scenarios. Generally, this DN
2103 +used at the provider.
2106 +Specify the referral to pass back when
2108 +is asked to modify a replicated local database.
2109 +If specified multiple times, each url is provided.
2111 +.SH DATABASE-SPECIFIC OPTIONS
2112 +Each database may allow specific configuration options; they are
2113 +documented separately in the backends' manual pages. See the
2114 +.BR slapd.backends (5)
2115 +manual page for an overview of available backends.
2118 +Here is a short example of a configuration file:
2122 +include SYSCONFDIR/schema/core.schema
2123 +pidfile LOCALSTATEDIR/run/slapd.pid
2125 +# Subtypes of "name" (e.g. "cn" and "ou") with the
2126 +# option ";x\-hidden" can be searched for/compared,
2127 +# but are not shown. See \fBslapd.access\fP(5).
2128 +attributeoptions x\-hidden lang\-
2129 +access to attrs=name;x\-hidden by * =cs
2131 +# Protect passwords. See \fBslapd.access\fP(5).
2132 +access to attrs=userPassword by * auth
2133 +# Read access to other attributes and entries.
2134 +access to * by * read
2137 +suffix "dc=our\-domain,dc=com"
2138 +# The database directory MUST exist prior to
2139 +# running slapd AND should only be accessible
2140 +# by the slapd/tools. Mode 0700 recommended.
2141 +directory LOCALSTATEDIR/openldap\-data
2142 +# Indices to maintain
2143 +index objectClass eq
2144 +index cn,sn,mail pres,eq,approx,sub
2146 +# We serve small clients that do not handle referrals,
2147 +# so handle remote lookups on their behalf.
2150 +uri ldap://ldap.some\-server.com/
2155 +"OpenLDAP Administrator's Guide" contains a longer annotated
2156 +example of a configuration file.
2157 +The original ETCDIR/slapd.conf is another example.
2161 +default slapd configuration file
2164 +.BR gnutls\-cli (1),
2165 +.BR slapd\-config (5),
2166 +.BR slapd.access (5),
2167 +.BR slapd.backends (5),
2168 +.BR slapd.overlays (5),
2169 +.BR slapd.plugin (5),
2177 +.BR slapmodify (8),
2178 +.BR slappasswd (8),
2181 +"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
2182 +.SH ACKNOWLEDGEMENTS
2184 diff -Naurp openldap-2.6.2.orig/doc/man/man5/slapd-config.5 openldap-2.6.2/doc/man/man5/slapd-config.5
2185 --- openldap-2.6.2.orig/doc/man/man5/slapd-config.5 2022-05-04 16:55:23.000000000 +0200
2186 +++ openldap-2.6.2/doc/man/man5/slapd-config.5 2022-05-05 12:05:53.312727754 +0200
2187 @@ -2233,7 +2233,7 @@ olcSuffix: "dc=our\-domain,dc=com"
2188 # The database directory MUST exist prior to
2189 # running slapd AND should only be accessible
2190 # by the slapd/tools. Mode 0700 recommended.
2191 -olcDbDirectory: LOCALSTATEDIR/openldap\-data
2192 +olcDbDirectory: LOCALSTATEDIR/lib/openldap
2193 # Indices to maintain
2194 olcDbIndex: objectClass eq
2195 olcDbIndex: cn,sn,mail pres,eq,approx,sub
2196 diff -Naurp openldap-2.6.2.orig/doc/man/man5/slapd-config.5.orig openldap-2.6.2/doc/man/man5/slapd-config.5.orig
2197 --- openldap-2.6.2.orig/doc/man/man5/slapd-config.5.orig 1970-01-01 01:00:00.000000000 +0100
2198 +++ openldap-2.6.2/doc/man/man5/slapd-config.5.orig 2022-05-04 16:55:23.000000000 +0200
2200 +.TH SLAPD-CONFIG 5 "RELEASEDATE" "OpenLDAP LDVERSION"
2201 +.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved.
2202 +.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
2205 +slapd\-config \- configuration backend to slapd
2211 +backend manages all of the configuration information for the
2213 +daemon. This configuration information is also used by the SLAPD tools
2220 +.BR slapmodify (8),
2226 +backend is backward compatible with the older
2228 +file but provides the ability to change the configuration dynamically
2229 +at runtime. If slapd is run with only a
2231 +file dynamic changes will be allowed but they will not persist across
2232 +a server restart. Dynamic changes are only saved when slapd is running
2235 +configuration directory.
2238 +Unlike other backends, there can only be one instance of the
2240 +backend, and most of its structure is predefined. The root of the
2241 +database is hardcoded to
2243 +and this root entry contains
2244 +global settings for slapd. Multiple child entries underneath the
2245 +root entry are used to carry various other settings:
2249 +dynamically loaded modules
2255 +backend-specific settings
2258 +database-specific settings
2263 +entries will only appear in configurations where slapd
2264 +was built with support for dynamically loaded modules. There can be
2265 +multiple entries, one for each configured module path. Within each
2266 +entry there will be values recorded for each module loaded on a
2267 +given path. These entries have no children.
2271 +entry contains all of the hardcoded schema elements.
2272 +The children of this entry contain all user-defined schema elements.
2273 +In schema that were loaded from include files, the child entry will
2274 +be named after the include file from which the schema was loaded.
2275 +Typically the first child in this subtree will be
2276 +.BR cn=core,cn=schema,cn=config .
2279 +entries are for storing settings specific to a single
2280 +backend type (and thus global to all database instances of that type).
2281 +At present, only back-mdb implements any options of this type, so this
2282 +setting is not needed for any other backends.
2285 +entries store settings specific to a single database
2286 +instance. These entries may have
2288 +child entries corresponding
2289 +to any overlays configured on the database. The olcDatabase and
2290 +olcOverlay entries may also have miscellaneous child entries for
2291 +other settings as needed. There are two special database entries
2292 +that are predefined \- one is an entry for the config database itself,
2293 +and the other is for the "frontend" database. Settings in the
2294 +frontend database are inherited by the other databases, unless
2295 +they are explicitly overridden in a specific database.
2297 +The specific configuration options available are discussed below in the
2298 +Global Configuration Options, General Backend Options, and General Database
2299 +Options. Options are set by defining LDAP attributes with specific values.
2300 +In general the names of the LDAP attributes are the same as the corresponding
2302 +keyword, with an "olc" prefix added on.
2304 +The parser for many of these attributes is the same as used for parsing
2305 +the slapd.conf keywords. As such, slapd.conf keywords that allow multiple
2306 +items to be specified on one line, separated by whitespace, will allow
2307 +multiple items to be specified in one attribute value. However, when
2308 +reading the attribute via LDAP, the items will be returned as individual
2311 +Backend-specific options are discussed in the
2312 +.B slapd\-<backend>(5)
2313 +manual pages. Refer to the "OpenLDAP Administrator's Guide" for more
2314 +details on configuring slapd.
2315 +.SH GLOBAL CONFIGURATION OPTIONS
2316 +Options described in this section apply to the server as a whole.
2317 +Arguments that should be replaced by
2318 +actual text are shown in brackets <>.
2320 +These options may only be specified in the
2322 +entry. This entry must have an objectClass of
2326 +.B olcAllows: <features>
2327 +Specify a set of features to allow (default none).
2329 +allows acceptance of LDAPv2 bind requests. Note that
2331 +does not truly implement LDAPv2 (RFC 1777), now Historic (RFC 3494).
2333 +allows anonymous bind when credentials are not empty (e.g.
2336 +allows unauthenticated (anonymous) bind when DN is not empty.
2338 +allows unauthenticated (anonymous) update operations to be processed
2339 +(subject to access controls and other administrative limits).
2340 +.B proxy_authz_anon
2341 +allows unauthenticated (anonymous) proxy authorization control to be processed
2342 +(subject to access controls, authorization and other administrative limits).
2344 +.B olcArgsFile: <filename>
2345 +The (absolute) name of a file that will hold the
2347 +server's command line (program name and options).
2349 +.B olcAttributeOptions: <option-name>...
2350 +Define tagging attribute options or option tag/range prefixes.
2351 +Options must not end with `\-', prefixes must end with `\-'.
2352 +The `lang\-' prefix is predefined.
2354 +.B olcAttributeOptions
2355 +directive, `lang\-' will no longer be defined and you must specify it
2356 +explicitly if you want it defined.
2358 +An attribute description with a tagging option is a subtype of that
2359 +attribute description without the option.
2360 +Except for that, options defined this way have no special semantics.
2361 +Prefixes defined this way work like the `lang\-' options:
2362 +They define a prefix for tagging options starting with the prefix.
2363 +That is, if you define the prefix `x\-foo\-', you can use the option
2365 +Furthermore, in a search or compare, a prefix or range name (with
2366 +a trailing `\-') matches all options starting with that name, as well
2367 +as the option with the range name sans the trailing `\-'.
2368 +That is, `x\-foo\-bar\-' matches `x\-foo\-bar' and `x\-foo\-bar\-baz'.
2370 +RFC 4520 reserves options beginning with `x\-' for private experiments.
2371 +Other options should be registered with IANA, see RFC 4520 section 3.5.
2372 +OpenLDAP also has the `binary' option built in, but this is a transfer
2373 +option, not a tagging option.
2375 +.B olcAuthIDRewrite: <rewrite\-rule>
2376 +Used by the authentication framework to convert simple user names
2377 +to an LDAP DN used for authorization purposes.
2378 +Its purpose is analogous to that of
2383 +is a set of rules analogous to those described in
2385 +for data rewriting (after stripping the \fIrwm\-\fP prefix).
2386 +.B olcAuthIDRewrite
2389 +should not be intermixed.
2391 +.B olcAuthzPolicy: <policy>
2392 +Used to specify which rules to use for Proxy Authorization. Proxy
2393 +authorization allows a client to authenticate to the server using one
2394 +user's credentials, but specify a different identity to use for authorization
2395 +and access control purposes. It essentially allows user A to login as user
2396 +B, using user A's password.
2399 +flag disables proxy authorization. This is the default setting.
2402 +flag will use rules in the
2404 +attribute of the authorization DN.
2407 +flag will use rules in the
2409 +attribute of the authentication DN.
2412 +flag, an alias for the deprecated value of
2414 +will allow any of the above, whatever succeeds first (checked in
2420 +flag requires both authorizations to succeed.
2423 +The rules are mechanisms to specify which identities are allowed
2424 +to perform proxy authorization.
2427 +attribute in an entry specifies which other users
2428 +are allowed to proxy login to this entry. The
2431 +an entry specifies which other users this user can authorize as. Use of
2433 +rules can be easily
2434 +abused if users are allowed to write arbitrary values to this attribute.
2437 +attribute must be protected with ACLs such that
2438 +only privileged users can modify it.
2445 +or a set of identities; it can take five forms:
2448 +.B ldap:///<base>??[<scope>]?<filter>
2451 +.B dn[.<dnstyle>]:<pattern>
2454 +.B u[.<mech>[<realm>]]:<pattern>
2457 +.B group[/objectClass[/attributeType]]:<pattern>
2464 +.B <dnstyle>:={exact|onelevel|children|subtree|regex}
2467 +The first form is a valid LDAP
2470 +.IR <host>:<port> ,
2475 +portions must be absent, so that the search occurs locally on either
2481 +The second form is a
2483 +with the optional style modifiers
2489 +for exact, onelevel, children and subtree matches, which cause
2491 +to be normalized according to the DN normalization rules, or the special
2493 +style, which causes the
2495 +to be treated as a POSIX (''extended'') regular expression, as
2502 +means any non-anonymous DN.
2505 +The third form is a SASL
2507 +with the optional fields
2511 +that allow to specify a SASL
2513 +and eventually a SASL
2515 +for those mechanisms that support one.
2516 +The need to allow the specification of a mechanism is still debated,
2517 +and users are strongly discouraged to rely on this possibility.
2520 +The fourth form is a group specification.
2521 +It consists of the keyword
2523 +optionally followed by the specification of the group
2526 +.BR attributeType .
2537 +is searched with base scope, filtered on the specified
2539 +The values of the resulting
2541 +are searched for the asserted DN.
2544 +The fifth form is provided for backwards compatibility. If no identity
2545 +type is provided, i.e. only
2549 +is assumed; as a consequence,
2551 +is subjected to DN normalization.
2554 +Since the interpretation of
2558 +can impact security, users are strongly encouraged
2559 +to explicitly set the type of identity specification that is being used.
2560 +A subset of these rules can be used as third arg in the
2562 +statement (see below); significantly, the
2564 +provided it results in exactly one entry,
2570 +.B olcAuthzRegexp: <match> <replace>
2571 +Used by the authentication framework to convert simple user names,
2572 +such as provided by SASL subsystem, or extracted from certificates
2573 +in case of cert-based SASL EXTERNAL, or provided within the RFC 4370
2574 +"proxied authorization" control, to an LDAP DN used for
2575 +authorization purposes. Note that the resulting DN need not refer
2576 +to an existing entry to be considered valid. When an authorization
2577 +request is received from the SASL subsystem, the SASL
2582 +are taken, when available, and combined into a name of the form
2586 +.B UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth
2589 +This name is then compared against the
2591 +POSIX (''extended'') regular expression, and if the match is successful,
2592 +the name is replaced with the
2594 +string. If there are wildcard strings in the
2596 +regular expression that are enclosed in parenthesis, e.g.
2599 +.B UID=([^,]*),CN=.*
2602 +then the portion of the name that matched the wildcard will be stored
2603 +in the numbered placeholder variable $1. If there are other wildcard strings
2604 +in parenthesis, the matching strings will be in $2, $3, etc. up to $9. The
2605 +placeholders can then be used in the
2610 +.B UID=$1,OU=Accounts,DC=example,DC=com
2613 +The replaced name can be either a DN, i.e. a string prefixed by "dn:",
2615 +If the latter, the server will use the URI to search its own database(s)
2616 +and, if the search returns exactly one entry, the name is
2617 +replaced by the DN of that entry. The LDAP URI must have no
2618 +hostport, attrs, or extensions components, but the filter is mandatory,
2622 +.B ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)
2625 +The protocol portion of the URI must be strictly
2627 +Note that this search is subject to access controls. Specifically,
2628 +the authentication identity must have "auth" access in the subject.
2632 +values can be specified to allow for multiple matching
2633 +and replacement patterns. The matching patterns are checked in the order they
2634 +appear in the attribute, stopping at the first successful match.
2637 +.\"Because the plus sign + is a character recognized by the regular expression engine,
2638 +.\"and it will appear in names that include a REALM, be careful to escape the
2639 +.\"plus sign with a backslash \\+ to remove the character's special meaning.
2642 +.B olcConcurrency: <integer>
2643 +Specify a desired level of concurrency. Provided to the underlying
2644 +thread system as a hint. The default is not to provide any hint. This setting
2645 +is only meaningful on some platforms where there is not a one to one
2646 +correspondence between user threads and kernel threads.
2648 +.B olcConnMaxPending: <integer>
2649 +Specify the maximum number of pending requests for an anonymous session.
2650 +If requests are submitted faster than the server can process them, they
2651 +will be queued up to this limit. If the limit is exceeded, the session
2652 +is closed. The default is 100.
2654 +.B olcConnMaxPendingAuth: <integer>
2655 +Specify the maximum number of pending requests for an authenticated session.
2656 +The default is 1000.
2658 +.B olcDisallows: <features>
2659 +Specify a set of features to disallow (default none).
2661 +disables acceptance of anonymous bind requests. Note that this setting
2662 +does not prohibit anonymous directory access (See "require authc").
2664 +disables simple (bind) authentication.
2666 +disables forcing session to anonymous status (see also
2668 +upon StartTLS operation receipt.
2670 +disallows the StartTLS operation if authenticated (see also
2672 +.B proxy_authz_non_critical
2673 +disables acceptance of the proxied authorization control (RFC4370)
2674 +with criticality set to FALSE.
2675 +.B dontusecopy_non_critical
2676 +disables acceptance of the dontUseCopy control (a work in progress)
2677 +with criticality set to FALSE.
2679 +.B olcGentleHUP: { TRUE | FALSE }
2680 +A SIGHUP signal will only cause a 'gentle' shutdown-attempt:
2682 +will stop listening for new connections, but will not close the
2683 +connections to the current clients. Future write operations return
2684 +unwilling-to-perform, though. Slapd terminates when all clients
2685 +have closed their connections (if they ever do), or \- as before \-
2686 +if it receives a SIGTERM signal. This can be useful if you wish to
2687 +terminate the server and start a new
2690 +.B with another database,
2691 +without disrupting the currently active clients.
2692 +The default is FALSE. You may wish to use
2694 +along with this option.
2696 +.B olcIdleTimeout: <integer>
2697 +Specify the number of seconds to wait before forcibly closing
2698 +an idle client connection. A setting of 0 disables this
2699 +feature. The default is 0. You may also want to set the
2703 +.B olcIndexHash64: { on | off }
2704 +Use a 64 bit hash for indexing. The default is to use 32 bit hashes.
2705 +These hashes are used for equality and substring indexing. The 64 bit
2706 +version may be needed to avoid index collisions when the number of
2707 +indexed values exceeds ~64 million. (Note that substring indexing
2708 +generates multiple index values per actual attribute value.)
2709 +Indices generated with 32 bit hashes are incompatible with the 64 bit
2710 +version, and vice versa. Any existing databases must be fully reloaded
2711 +when changing this setting. This directive is only supported on 64 bit CPUs.
2713 +.B olcIndexIntLen: <integer>
2714 +Specify the key length for ordered integer indices. The most significant
2715 +bytes of the binary integer will be used for index keys. The default
2716 +value is 4, which provides exact indexing for 31 bit values.
2717 +A floating point representation is used to index too large values.
2719 +.B olcIndexSubstrIfMaxlen: <integer>
2720 +Specify the maximum length for subinitial and subfinal indices. Only
2721 +this many characters of an attribute value will be processed by the
2722 +indexing functions; any excess characters are ignored. The default is 4.
2724 +.B olcIndexSubstrIfMinlen: <integer>
2725 +Specify the minimum length for subinitial and subfinal indices. An
2726 +attribute value must have at least this many characters in order to be
2727 +processed by the indexing functions. The default is 2.
2729 +.B olcIndexSubstrAnyLen: <integer>
2730 +Specify the length used for subany indices. An attribute value must have
2731 +at least this many characters in order to be processed. Attribute values
2732 +longer than this length will be processed in segments of this length. The
2733 +default is 4. The subany index will also be used in subinitial and
2734 +subfinal index lookups when the filter string is longer than the
2735 +.I olcIndexSubstrIfMaxlen
2738 +.B olcIndexSubstrAnyStep: <integer>
2739 +Specify the steps used in subany index lookups. This value sets the offset
2740 +for the segments of a filter string that are processed for a subany index
2741 +lookup. The default is 2. For example, with the default values, a search
2742 +using this filter "cn=*abcdefgh*" would generate index lookups for
2743 +"abcd", "cdef", and "efgh".
2746 +Note: Indexing support depends on the particular backend in use. Also,
2747 +changing these settings will generally require deleting any indices that
2748 +depend on these parameters and recreating them with
2752 +.B olcListenerThreads: <integer>
2753 +Specify the number of threads to use for the connection manager.
2754 +The default is 1 and this is typically adequate for up to 16 CPU cores.
2755 +The value should be set to a power of 2.
2757 +.B olcLocalSSF: <SSF>
2758 +Specifies the Security Strength Factor (SSF) to be given local LDAP sessions,
2759 +such as those to the ldapi:// listener. For a description of SSF values,
2761 +.BR olcSaslSecProps 's
2763 +option description. The default is 71.
2765 +.B olcLogFile: <filename>
2766 +Specify a file for recording slapd debug messages. By default these messages
2767 +only go to stderr, are not recorded anywhere else, and are unrelated to
2768 +messages exposed by the
2770 +configuration parameter. Specifying a logfile copies messages to both stderr
2773 +.B olcLogFileFormat: debug | syslog-utc | syslog-localtime
2774 +Specify the prefix format for messages written to the logfile. The debug
2775 +format is the normal format used for slapd debug messages, with a timestamp
2776 +in hexadecimal, followed by a thread ID. The other options are to
2777 +use syslog(3) style prefixes, with timestamps either in UTC or in the
2778 +local timezone. The default is debug format.
2780 +.B olcLogFileOnly: TRUE | FALSE
2781 +Specify that debug messages should only go to the configured logfile, and
2784 +.B olcLogFileRotate: <max> <Mbytes> <hours>
2785 +Specify automatic rotation for the configured logfile as the maximum
2786 +number of old logfiles to retain, a maximum size in megabytes to allow a
2787 +logfile to grow before rotation, and a maximum age in hours for a logfile
2788 +to be used before rotation. The maximum number must be in the range 1-99.
2789 +Setting Mbytes or hours to zero disables the size or age check, respectively.
2790 +At least one of Mbytes or hours must be non-zero. By default no automatic
2791 +rotation will be performed.
2793 +.B olcLogLevel: <integer> [...]
2794 +Specify the level at which debugging statements and operation
2795 +statistics should be syslogged (currently logged to the
2797 +LOG_LOCAL4 facility).
2798 +They must be considered subsystems rather than increasingly verbose
2800 +Some messages with higher priority are logged regardless
2801 +of the configured loglevel as soon as any logging is configured.
2802 +Log levels are additive, and available levels are:
2809 +trace function calls
2813 +debug packet handling
2817 +heavy trace debugging (function args)
2821 +connection management
2825 +print out packets sent and received
2829 +search filter processing
2833 +configuration file processing
2837 +access control list processing
2841 +connections, LDAP operations, results (recommended)
2845 +stats2 log entries sent
2849 +print communication with shell backends
2856 +\".B (0x1000 cache)
2860 +\".B (0x2000 index)
2861 +\"data indexing (unused)
2865 +LDAPSync replication
2869 +only messages that get logged whatever log level is set
2872 +The desired log level can be input as a single integer that combines
2873 +the (ORed) desired levels, both in decimal or in hexadecimal notation,
2874 +as a list of integers (that are ORed internally),
2875 +or as a list of the names that are shown between parenthesis, such that
2880 + olcLogLevel: 128 1
2881 + olcLogLevel: 0x80 0x1
2882 + olcLogLevel: acl trace
2888 +can be used as a shortcut to enable logging at all levels (equivalent to \-1).
2891 +or the equivalent integer representation, causes those messages
2892 +that are logged regardless of the configured olcLogLevel to be logged.
2893 +In fact, if no olcLogLevel (or a 0 level) is defined, no logging occurs,
2896 +level is required to have high priority messages logged.
2903 +levels are only available as debug output on stderr, and are not
2906 +This setting defaults to \fBstats\fP.
2907 +This level should usually also be included when using other loglevels, to
2908 +help analyze the logs.
2911 +.B olcMaxFilterDepth: <integer>
2912 +Specify the maximum depth of nested filters in search requests.
2913 +The default is 1000.
2915 +.B olcPasswordCryptSaltFormat: <format>
2916 +Specify the format of the salt passed to
2918 +when generating {CRYPT} passwords (see
2919 +.BR olcPasswordHash )
2920 +during processing of LDAP Password Modify Extended Operations (RFC 3062).
2922 +This string needs to be in
2924 +format and may include one (and only one) %s conversion.
2925 +This conversion will be substituted with a string of random
2926 +characters from [A\-Za\-z0\-9./]. For example, "%.2s"
2927 +provides a two character salt and "$1$%.8s" tells some
2928 +versions of crypt(3) to use an MD5 algorithm and provides
2929 +8 random characters of salt. The default is "%s", which
2930 +provides 31 characters of salt.
2932 +.B olcPidFile: <filename>
2933 +The (absolute) name of a file that will hold the
2935 +server's process ID (see
2938 +.B olcPluginLogFile: <filename>
2939 +The ( absolute ) name of a file that will contain log
2943 +.BR slapd.plugin (5)
2946 +.B olcReferral: <url>
2947 +Specify the referral to pass back when
2949 +cannot find a local database to handle a request.
2950 +If multiple values are specified, each url is provided.
2952 +.B olcReverseLookup: TRUE | FALSE
2953 +Enable/disable client name unverified reverse lookup (default is
2955 +if compiled with \-\-enable\-rlookups).
2957 +.B olcRootDSE: <file>
2958 +Specify the name of an LDIF(5) file containing user defined attributes
2959 +for the root DSE. These attributes are returned in addition to the
2960 +attributes normally produced by slapd.
2962 +The root DSE is an entry with information about the server and its
2963 +capabilities, in operational attributes.
2964 +It has the empty DN, and can be read with e.g.:
2966 +ldapsearch \-x \-b "" \-s base "+"
2968 +See RFC 4512 section 5.1 for details.
2970 +.B olcSaslAuxprops: <plugin> [...]
2971 +Specify which auxprop plugins to use for authentication lookups. The
2972 +default is empty, which just uses slapd's internal support. Usually
2973 +no other auxprop plugins are needed.
2975 +.B olcSaslAuxpropsDontUseCopy: <attr> [...]
2976 +Specify which attribute(s) should be subject to the don't use copy control. This
2977 +is necessary for some SASL mechanisms such as OTP to work in a replicated
2978 +environment. The attribute "cmusaslsecretOTP" is the default value.
2980 +.B olcSaslAuxpropsDontUseCopyIgnore TRUE | FALSE
2981 +Used to disable replication of the attribute(s) defined by
2982 +olcSaslAuxpropsDontUseCopy and instead use a local value for the attribute. This
2983 +allows the SASL mechanism to continue to work if the provider is offline. This can
2984 +cause replication inconsistency. Defaults to FALSE.
2986 +.B olcSaslHost: <fqdn>
2987 +Used to specify the fully qualified domain name used for SASL processing.
2989 +.B olcSaslRealm: <realm>
2990 +Specify SASL realm. Default is empty.
2992 +.B olcSaslCbinding: none | tls-unique | tls-endpoint
2993 +Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING.
2996 +.B olcSaslSecProps: <properties>
2997 +Used to specify Cyrus SASL security properties.
3000 +flag (without any other properties) causes the flag properties
3001 +default, "noanonymous,noplain", to be cleared.
3004 +flag disables mechanisms susceptible to simple passive attacks.
3007 +flag disables mechanisms susceptible to active attacks.
3010 +flag disables mechanisms susceptible to passive dictionary attacks.
3013 +flag disables mechanisms which support anonymous login.
3016 +flag require forward secrecy between sessions.
3019 +require mechanisms which pass client credentials (and allow
3020 +mechanisms which can pass credentials to do so).
3023 +property specifies the minimum acceptable
3024 +.I security strength factor
3025 +as an integer approximate to effective key length used for
3026 +encryption. 0 (zero) implies no protection, 1 implies integrity
3027 +protection only, 128 allows RC4, Blowfish and other similar ciphers,
3028 +256 will require modern ciphers. The default is 0.
3031 +property specifies the maximum acceptable
3032 +.I security strength factor
3033 +as an integer (see minssf description). The default is INT_MAX.
3035 +.B maxbufsize=<size>
3036 +property specifies the maximum security layer receive buffer
3037 +size allowed. 0 disables security layers. The default is 65536.
3039 +.B olcServerID: <integer> [<URL>]
3040 +Specify an integer ID from 0 to 4095 for this server. The ID may also be
3041 +specified as a hexadecimal ID by prefixing the value with "0x".
3042 +Non-zero IDs are required when using multi-provider replication and each
3043 +provider must have a unique non-zero ID. Note that this requirement also
3044 +applies to separate providers contributing to a glued set of databases.
3045 +If the URL is provided, this directive may be specified
3046 +multiple times, providing a complete list of participating servers
3047 +and their IDs. The fully qualified hostname of each server should be
3048 +used in the supplied URLs. The IDs are used in the "replica id" field
3049 +of all CSNs generated by the specified server. The default value is zero, which
3050 +is only valid for single provider replication.
3054 + olcServerID: 1 ldap://ldap1.example.com
3055 + olcServerID: 2 ldap://ldap2.example.com
3058 +.B olcSockbufMaxIncoming: <integer>
3059 +Specify the maximum incoming LDAP PDU size for anonymous sessions.
3060 +The default is 262143.
3062 +.B olcSockbufMaxIncomingAuth: <integer>
3063 +Specify the maximum incoming LDAP PDU size for authenticated sessions.
3064 +The default is 4194303.
3066 +.B olcTCPBuffer [listener=<URL>] [{read|write}=]<size>
3067 +Specify the size of the TCP buffer.
3068 +A global value for both read and write TCP buffers related to any listener
3069 +is defined, unless the listener is explicitly specified,
3070 +or either the read or write qualifiers are used.
3074 +Note that some OS-es implement automatic TCP buffer tuning.
3076 +.B olcThreads: <integer>
3077 +Specify the maximum size of the primary thread pool.
3078 +The default is 16; the minimum value is 2.
3080 +.B olcThreadQueues: <integer>
3081 +Specify the number of work queues to use for the primary thread pool.
3082 +The default is 1 and this is typically adequate for up to 8 CPU cores.
3083 +The value should not exceed the number of CPUs in the system.
3085 +.B olcToolThreads: <integer>
3086 +Specify the maximum number of threads to use in tool mode.
3087 +This should not be greater than the number of CPUs in the system.
3090 +.B olcWriteTimeout: <integer>
3091 +Specify the number of seconds to wait before forcibly closing
3092 +a connection with an outstanding write. This allows recovery from
3093 +various network hang conditions. A setting of 0 disables this
3094 +feature. The default is 0.
3098 +is built with support for Transport Layer Security, there are more options
3101 +.B olcTLSCipherSuite: <cipher-suite-spec>
3102 +Permits configuring what ciphers will be accepted and the preference order.
3103 +<cipher-suite-spec> should be a cipher specification for the TLS library
3104 +in use (OpenSSL or GnuTLS).
3110 +olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
3113 +olcTLSCiphersuite: SECURE256:!AES-128-CBC
3116 +To check what ciphers a given spec selects in OpenSSL, use:
3119 + openssl ciphers \-v <cipher-suite-spec>
3122 +With GnuTLS the available specs can be found in the manual page of
3123 +.BR gnutls\-cli (1)
3124 +(see the description of the
3126 +.BR \-\-priority ).
3128 +In older versions of GnuTLS, where gnutls\-cli does not support the option
3129 +\-\-priority, you can obtain the \(em more limited \(em list of ciphers by calling:
3136 +.B olcTLSCACertificateFile: <filename>
3137 +Specifies the file that contains certificates for all of the Certificate
3140 +will recognize. The certificate for
3141 +the CA that signed the server certificate must be included among
3142 +these certificates. If the signing CA was not a top-level (root) CA,
3143 +certificates for the entire sequence of CA's from the signing CA to
3144 +the top-level CA should be present. Multiple certificates are simply
3145 +appended to the file; the order is not significant.
3147 +.B olcTLSCACertificatePath: <path>
3148 +Specifies the path of directories that contain Certificate Authority
3149 +certificates in separate individual files. Usually only one of this
3150 +or the olcTLSCACertificateFile is defined. If both are specified, both
3151 +locations will be used. Multiple directories may be specified,
3152 +separated by a semi-colon.
3154 +.B olcTLSCertificateFile: <filename>
3155 +Specifies the file that contains the
3157 +server certificate.
3159 +When using OpenSSL that file may also contain any number of intermediate
3160 +certificates after the server certificate.
3162 +.B olcTLSCertificateKeyFile: <filename>
3163 +Specifies the file that contains the
3165 +server private key that matches the certificate stored in the
3166 +.B olcTLSCertificateFile
3167 +file. If the private key is protected with a password, the password must
3168 +be manually typed in when slapd starts. Usually the private key is not
3169 +protected with a password, to allow slapd to start without manual
3171 +it is of critical importance that the file is protected carefully.
3173 +.B olcTLSDHParamFile: <filename>
3174 +This directive specifies the file that contains parameters for Diffie-Hellman
3175 +ephemeral key exchange. This is required in order to use a DSA certificate on
3176 +the server, or an RSA certificate missing the "key encipherment" key usage.
3177 +Note that setting this option may also enable
3178 +Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
3179 +Anonymous key exchanges should generally be avoided since they provide no
3180 +actual client or server authentication and provide no protection against
3181 +man-in-the-middle attacks.
3182 +You should append "!ADH" to your cipher suites to ensure that these suites
3185 +.B olcTLSECName: <name>
3186 +Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman
3187 +ephemeral key exchange. This option is only used for OpenSSL.
3188 +This option is not used with GnuTLS; the curves may be
3189 +chosen in the GnuTLS ciphersuite specification.
3191 +.B olcTLSProtocolMin: <major>[.<minor>]
3192 +Specifies minimum SSL/TLS protocol version that will be negotiated.
3193 +If the server doesn't support at least that version,
3194 +the SSL handshake will fail.
3195 +To require TLS 1.x or higher, set this option to 3.(x+1),
3199 + olcTLSProtocolMin: 3.2
3202 +would require TLS 1.1.
3203 +Specifying a minimum that is higher than that supported by the
3204 +OpenLDAP implementation will result in it requiring the
3205 +highest level that it does support.
3206 +This directive is ignored with GnuTLS.
3208 +.B olcTLSRandFile: <filename>
3209 +Specifies the file to obtain random bits from when /dev/[u]random
3210 +is not available. Generally set to the name of the EGD/PRNGD socket.
3211 +The environment variable RANDFILE can also be used to specify the filename.
3212 +This directive is ignored with GnuTLS.
3214 +.B olcTLSVerifyClient: <level>
3215 +Specifies what checks to perform on client certificates in an
3216 +incoming TLS session, if any.
3219 +can be specified as one of the following keywords:
3223 +This is the default.
3225 +will not ask the client for a certificate.
3228 +The client certificate is requested. If no certificate is provided,
3229 +the session proceeds normally. If a bad certificate is provided,
3230 +it will be ignored and the session proceeds normally.
3233 +The client certificate is requested. If no certificate is provided,
3234 +the session proceeds normally. If a bad certificate is provided,
3235 +the session is immediately terminated.
3237 +.B demand | hard | true
3238 +These keywords are all equivalent, for compatibility reasons.
3239 +The client certificate is requested. If no certificate is provided,
3240 +or a bad certificate is provided, the session is immediately terminated.
3242 +Note that a valid client certificate is required in order to use the
3243 +SASL EXTERNAL authentication mechanism with a TLS session. As such,
3245 +.B olcTLSVerifyClient
3246 +setting must be chosen to enable SASL EXTERNAL authentication.
3249 +.B olcTLSCRLCheck: <level>
3250 +Specifies if the Certificate Revocation List (CRL) of the CA should be
3251 +used to verify if the client certificates have not been revoked. This
3253 +.B olcTLSCACertificatePath
3254 +parameter to be set. This parameter is ignored with GnuTLS.
3256 +can be specified as one of the following keywords:
3260 +No CRL checks are performed
3263 +Check the CRL of the peer certificate
3266 +Check the CRL for a whole certificate chain
3269 +.B olcTLSCRLFile: <filename>
3270 +Specifies a file containing a Certificate Revocation List to be used
3271 +for verifying that certificates have not been revoked. This parameter is
3272 +only valid when using GnuTLS.
3273 +.SH DYNAMIC MODULE OPTIONS
3276 +is compiled with \-\-enable\-modules then the module-related entries will
3277 +be available. These entries are named
3278 +.B cn=module{x},cn=config
3280 +must have the olcModuleList objectClass. One entry should be created
3283 +Normally the config engine generates the "{x}" index in the RDN
3284 +automatically, so it can be omitted when initially loading these entries.
3286 +.B olcModuleLoad: <filename> [<arguments>...]
3287 +Specify the name of a dynamically loadable module to load and any
3288 +additional arguments if supported by the module. The filename
3289 +may be an absolute path name or a simple filename. Non-absolute names
3290 +are searched for in the directories specified by the
3294 +.B olcModulePath: <pathspec>
3295 +Specify a list of directories to search for loadable modules. Typically
3296 +the path is colon-separated but this depends on the operating system.
3297 +The default is MODULEDIR, which is where the standard OpenLDAP install
3298 +will place its modules.
3300 +Schema definitions are created as entries in the
3301 +.B cn=schema,cn=config
3302 +subtree. These entries must have the olcSchemaConfig objectClass.
3303 +As noted above, the actual
3304 +.B cn=schema,cn=config
3305 +entry is predefined and any values specified for it are ignored.
3309 +.B olcAttributetypes: "(\ <oid>\
3311 + [DESC\ <description>]\
3314 + [EQUALITY\ <oid>]\
3315 + [ORDERING\ <oid>]\
3317 + [SYNTAX\ <oidlen>]\
3320 + [NO\-USER\-MODIFICATION]\
3321 + [USAGE\ <attributeUsage>]\ )"
3323 +Specify an attribute type using the LDAPv3 syntax defined in RFC 4512.
3324 +The slapd parser extends the RFC 4512 definition by allowing string
3325 +forms as well as numeric OIDs to be used for the attribute OID and
3326 +attribute syntax OID.
3328 +.B olcObjectIdentifier
3334 +.B olcDitContentRules: "(\ <oid>\
3336 + [DESC\ <description>]\
3343 +Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 4512.
3344 +The slapd parser extends the RFC 4512 definition by allowing string
3345 +forms as well as numeric OIDs to be used for the attribute OID and
3346 +attribute syntax OID.
3348 +.B olcObjectIdentifier
3354 +.B olcLdapSyntaxes "(\ <oid>\
3355 + [DESC\ <description>]\
3356 + [X\-SUBST <substitute-syntax>]\ )"
3358 +Specify an LDAP syntax using the LDAPv3 syntax defined in RFC 4512.
3359 +The slapd parser extends the RFC 4512 definition by allowing string
3360 +forms as well as numeric OIDs to be used for the syntax OID.
3362 +.B objectidentifier
3364 +The slapd parser also honors the
3366 +extension (an OpenLDAP-specific extension), which allows one to use the
3368 +attribute to define a non-implemented syntax along with another syntax,
3369 +the extension value
3370 +.IR substitute-syntax ,
3371 +as its temporary replacement.
3373 +.I substitute-syntax
3375 +This allows one to define attribute types that make use of non-implemented syntaxes
3376 +using the correct syntax OID.
3379 +is used, this configuration statement would result in an error,
3380 +since no handlers would be associated to the resulting syntax structure.
3385 +.B olcObjectClasses: "(\ <oid>\
3387 + [DESC\ <description>]\
3390 + [{ ABSTRACT | STRUCTURAL | AUXILIARY }]\
3391 + [MUST\ <oids>] [MAY\ <oids>] )"
3393 +Specify an objectclass using the LDAPv3 syntax defined in RFC 4512.
3394 +The slapd parser extends the RFC 4512 definition by allowing string
3395 +forms as well as numeric OIDs to be used for the object class OID.
3398 +olcObjectIdentifier
3399 +description.) Object classes are "STRUCTURAL" by default.
3402 +.B olcObjectIdentifier: <name> "{ <oid> | <name>[:<suffix>] }"
3403 +Define a string name that equates to the given OID. The string can be used
3404 +in place of the numeric OID in objectclass and attribute definitions. The
3405 +name can also be used with a suffix of the form ":xx" in which case the
3406 +value "oid.xx" will be used.
3408 +.SH GENERAL BACKEND OPTIONS
3409 +Options in these entries only apply to the configuration of a single
3410 +type of backend. All backends may support this class of options, but
3411 +currently only back-mdb does.
3412 +The entry must be named
3413 +.B olcBackend=<databasetype>,cn=config
3414 +and must have the olcBackendConfig objectClass.
3433 +At present, only back-mdb implements any options of this type, so this
3434 +entry should not be used for any other backends.
3436 +.SH DATABASE OPTIONS
3437 +Database options are set in entries named
3438 +.B olcDatabase={x}<databasetype>,cn=config
3439 +and must have the olcDatabaseConfig objectClass. Normally the config
3440 +engine generates the "{x}" index in the RDN automatically, so it
3441 +can be omitted when initially loading these entries.
3443 +The special frontend database is always numbered "{\-1}" and the config
3444 +database is always numbered "{0}".
3446 +.SH GLOBAL DATABASE OPTIONS
3447 +Options in this section may be set in the special "frontend" database
3448 +and inherited in all the other databases. These options may be altered
3449 +by further settings in each specific database. The frontend entry must
3451 +.B olcDatabase=frontend,cn=config
3452 +and must have the olcFrontendConfig objectClass.
3454 +.B olcAccess: to <what> "[ by <who> <access> <control> ]+"
3455 +Grant access (specified by <access>) to a set of entries and/or
3456 +attributes (specified by <what>) by one or more requestors (specified
3458 +If no access controls are present, the default policy
3459 +allows anyone and everyone to read anything but restricts
3460 +updates to rootdn. (e.g., "olcAccess: to * by * read").
3462 +.BR slapd.access (5)
3463 +and the "OpenLDAP Administrator's Guide" for details.
3465 +Access controls set in the frontend are appended to any access
3466 +controls set on the specific databases.
3467 +The rootdn of a database can always read and write EVERYTHING
3470 +Extra special care must be taken with the access controls on the
3471 +config database. Unlike other databases, the default policy for the
3472 +config database is to only allow access to the rootdn. Regular users
3473 +should not have read access, and write access should be granted very
3474 +carefully to privileged administrators.
3477 +.B olcDefaultSearchBase: <dn>
3478 +Specify a default search base to use when client submits a
3479 +non-base search request with an empty base DN.
3480 +Base scoped search requests with an empty base DN are not affected.
3481 +This setting is only allowed in the frontend entry.
3483 +.B olcExtraAttrs: <attr>
3484 +Lists what attributes need to be added to search requests.
3485 +Local storage backends return the entire entry to the frontend.
3486 +The frontend takes care of only returning the requested attributes
3487 +that are allowed by ACLs.
3488 +However, features like access checking and so may need specific
3489 +attributes that are not automatically returned by remote storage
3490 +backends, like proxy backends and so on.
3492 +is an attribute that is needed for internal purposes
3493 +and thus always needs to be collected, even when not explicitly
3494 +requested by clients.
3495 +This attribute is multi-valued.
3497 +.B olcPasswordHash: <hash> [<hash>...]
3498 +This option configures one or more hashes to be used in generation of user
3499 +passwords stored in the userPassword attribute during processing of
3500 +LDAP Password Modify Extended Operations (RFC 3062).
3501 +The <hash> must be one of
3515 +use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.
3520 +use the MD5 algorithm (RFC 1321), the latter with a seed.
3527 +indicates that the new password should be
3528 +added to userPassword as clear text.
3530 +Note that this option does not alter the normal user applications
3531 +handling of userPassword during LDAP Add, Modify, or other LDAP operations.
3532 +This setting is only allowed in the frontend entry.
3534 +.B olcReadOnly: TRUE | FALSE
3535 +This option puts the database into "read-only" mode. Any attempts to
3536 +modify the database will return an "unwilling to perform" error. By
3537 +default, olcReadOnly is FALSE. Note that when this option is set
3538 +TRUE on the frontend, it cannot be reset without restarting the
3539 +server, since further writes to the config database will be rejected.
3541 +.B olcRequires: <conditions>
3542 +Specify a set of conditions to require (default none).
3543 +The directive may be specified globally and/or per-database;
3544 +databases inherit global conditions, so per-database specifications
3547 +requires bind operation prior to directory operations.
3549 +requires session to be using LDAP version 3.
3551 +requires authentication prior to directory operations.
3553 +requires SASL authentication prior to directory operations.
3555 +requires strong authentication prior to directory operations.
3556 +The strong keyword allows protected "simple" authentication
3557 +as well as SASL authentication.
3559 +may be used to require no conditions (useful to clear out globally
3560 +set conditions within a particular database); it must occur first
3561 +in the list of conditions.
3563 +.B olcRestrict: <oplist>
3564 +Specify a list of operations that are restricted.
3565 +Restrictions on a specific database override any frontend setting.
3566 +Operations can be any of
3571 +.BR extended[=<OID>] ,
3575 +or the special pseudo-operations
3579 +which respectively summarize read and write operations.
3583 +.I olcReadOnly: TRUE
3587 +keyword allows one to indicate the OID of the specific operation
3590 +.B olcSchemaDN: <dn>
3591 +Specify the distinguished name for the subschema subentry that
3592 +controls the entries on this server. The default is "cn=Subschema".
3594 +.B olcSecurity: <factors>
3595 +Specify a set of security strength factors (separated by white space)
3597 +.BR olcSaslSecprops 's
3599 +option for a description of security strength factors).
3600 +The directive may be specified globally and/or per-database.
3602 +specifies the overall security strength factor.
3604 +specifies the transport security strength factor.
3606 +specifies the TLS security strength factor.
3608 +specifies the SASL security strength factor.
3610 +specifies the overall security strength factor to require for
3612 +.B update_transport=<n>
3613 +specifies the transport security strength factor to require for
3616 +specifies the TLS security strength factor to require for
3619 +specifies the SASL security strength factor to require for
3622 +specifies the security strength factor required for
3624 +username/password authentication.
3627 +factor is measure of security provided by the underlying transport,
3628 +e.g. ldapi:// (and eventually IPSEC). It is not normally used.
3630 +.B olcSizeLimit: {<integer>|unlimited}
3632 +.B olcSizeLimit: size[.{soft|hard}]=<integer> [...]
3633 +Specify the maximum number of entries to return from a search operation.
3634 +The default size limit is 500.
3637 +to specify no limits.
3638 +The second format allows a fine grain setting of the size limits.
3639 +If no special qualifiers are specified, both soft and hard limits are set.
3640 +Extra args can be added in the same value.
3641 +Additional qualifiers are available; see
3643 +for an explanation of all of the different flags.
3645 +.B olcSortVals: <attr> [...]
3646 +Specify a list of multi-valued attributes whose values will always
3647 +be maintained in sorted order. Using this option will allow Modify,
3648 +Compare, and filter evaluations on these attributes to be performed
3649 +more efficiently. The resulting sort order depends on the
3650 +attributes' syntax and matching rules and may not correspond to
3651 +lexical order or any other recognizable order.
3652 +This setting is only allowed in the frontend entry.
3654 +.B olcTimeLimit: {<integer>|unlimited}
3656 +.B olcTimeLimit: time[.{soft|hard}]=<integer> [...]
3657 +Specify the maximum number of seconds (in real time)
3659 +will spend answering a search request. The default time limit is 3600.
3662 +to specify no limits.
3663 +The second format allows a fine grain setting of the time limits.
3664 +Extra args can be added in the same value. See
3666 +for an explanation of the different flags.
3668 +.SH GENERAL DATABASE OPTIONS
3669 +Options in this section only apply to the specific database for
3670 +which they are defined. They are supported by every
3671 +type of backend. All of the Global Database Options may also be
3674 +.B olcAddContentAcl: TRUE | FALSE
3675 +Controls whether Add operations will perform ACL checks on
3676 +the content of the entry being added. This check is off
3677 +by default. See the
3678 +.BR slapd.access (5)
3679 +manual page for more details on ACL requirements for
3682 +.B olcHidden: TRUE | FALSE
3683 +Controls whether the database will be used to answer
3684 +queries. A database that is hidden will never be
3685 +selected to answer any queries, and any suffix configured
3686 +on the database will be ignored in checks for conflicts
3687 +with other databases. By default, olcHidden is FALSE.
3689 +.B olcLastMod: TRUE | FALSE
3692 +will automatically maintain the
3693 +modifiersName, modifyTimestamp, creatorsName, and
3694 +createTimestamp attributes for entries. It also controls
3695 +the entryCSN and entryUUID attributes, which are needed
3696 +by the syncrepl provider. By default, olcLastMod is TRUE.
3698 +.B olcLastBind: TRUE | FALSE
3701 +will automatically maintain the pwdLastSuccess attribute for
3702 +entries. By default, olcLastBind is FALSE.
3704 +.B olcLastBindPrecision: <integer>
3705 +If olcLastBind is enabled, specifies how frequently pwdLastSuccess
3706 +will be updated. More than
3708 +seconds must have passed since the last successful bind. In a
3709 +replicated environment with frequent bind activity it may be
3710 +useful to set this to a large value.
3712 +.B olcLimits: <selector> <limit> [<limit> [...]]
3713 +Specify time and size limits based on the operation's initiator or
3721 +anonymous | users | [<dnspec>=]<pattern> | group[/oc[/at]]=<pattern>
3727 +<dnspec> ::= dn[.<type>][.<style>]
3729 +<type> ::= self | this
3731 +<style> ::= exact | base | onelevel | subtree | children | regex | anonymous
3736 +is the default and means the bound user, while
3738 +means the base DN of the operation.
3741 +matches all unauthenticated clients.
3744 +matches all authenticated clients;
3747 +dn pattern is assumed unless otherwise specified by qualifying
3748 +the (optional) key string
3754 +(which are synonyms), to require an exact match; with
3756 +to require exactly one level of depth match; with
3758 +to allow any level of depth match, including the exact match; with
3760 +to allow any level of depth match, not including the exact match;
3762 +explicitly requires the (default) match based on POSIX (''extended'')
3763 +regular expression pattern.
3766 +matches unbound operations; the
3769 +The same behavior is obtained by using the
3776 +with the optional objectClass
3780 +fields, followed by
3782 +sets the limits for any DN listed in the values of the
3788 +group objectClass (default
3790 +whose DN exactly matches
3793 +The currently supported limits are
3798 +The syntax for time limits is
3799 +.BR time[.{soft|hard}]=<integer> ,
3802 +is the number of seconds slapd will spend answering a search request.
3803 +If no time limit is explicitly requested by the client, the
3805 +limit is used; if the requested time limit exceeds the
3808 +.\".I "Administrative limit exceeded"
3809 +.\"error is returned.
3810 +limit, the value of the limit is used instead.
3813 +limit is set to the keyword
3815 +the soft limit is used in either case; if it is set to the keyword
3817 +no hard limit is enforced.
3818 +Explicit requests for time limits smaller or equal to the
3821 +If no limit specifier is set, the value is assigned to the
3827 +to preserve the original behavior.
3829 +The syntax for size limits is
3830 +.BR size[.{soft|hard|unchecked}]=<integer> ,
3833 +is the maximum number of entries slapd will return answering a search
3835 +If no size limit is explicitly requested by the client, the
3837 +limit is used; if the requested size limit exceeds the
3840 +.\".I "Administrative limit exceeded"
3841 +.\"error is returned.
3842 +limit, the value of the limit is used instead.
3845 +limit is set to the keyword
3847 +the soft limit is used in either case; if it is set to the keyword
3849 +no hard limit is enforced.
3850 +Explicit requests for size limits smaller or equal to the
3855 +specifier sets a limit on the number of candidates a search request is allowed
3857 +The rationale behind it is that searches for non-properly indexed
3858 +attributes may result in large sets of candidates, which must be
3861 +to determine whether they match the search filter or not.
3864 +limit provides a means to drop such operations before they are even
3866 +If the selected candidates exceed the
3868 +limit, the search will abort with
3869 +.IR "Unwilling to perform" .
3870 +If it is set to the keyword
3872 +no limit is applied (the default).
3875 +the search is not even performed; this can be used to disallow searches
3876 +for a specific set of users.
3877 +If no limit specifier is set, the value is assigned to the
3883 +to preserve the original behavior.
3885 +In case of no match, the global limits are used.
3886 +The default values are the same as for
3895 +control is requested, the
3897 +size limit is used by default, because the request of a specific page size
3898 +is considered an explicit request for a limitation on the number
3899 +of entries to be returned.
3900 +However, the size limit applies to the total count of entries returned within
3901 +the search, and not to a single page.
3902 +Additional size limits may be enforced; the syntax is
3903 +.BR size.pr={<integer>|noEstimate|unlimited} ,
3906 +is the max page size if no explicit limit is set; the keyword
3908 +inhibits the server from returning an estimate of the total number
3909 +of entries that might be returned
3910 +(note: the current implementation does not return any estimate).
3913 +indicates that no limit is applied to the pagedResults control page size.
3915 +.B size.prtotal={<integer>|hard|unlimited|disabled}
3916 +allows one to set a limit on the total number of entries that the pagedResults
3917 +control will return.
3918 +By default it is set to the
3920 +limit which will use the size.hard value.
3923 +is the max number of entries that the whole search with pagedResults control
3927 +to allow unlimited number of entries to be returned, e.g. to allow
3928 +the use of the pagedResults control as a means to circumvent size
3929 +limitations on regular searches; the keyword
3931 +disables the control, i.e. no paged results can be returned.
3932 +Note that the total number of entries returned when the pagedResults control
3933 +is requested cannot exceed the
3935 +size limit of regular searches unless extended by the
3939 +The \fBolcLimits\fP statement is typically used to let an unlimited
3940 +number of entries be returned by searches performed
3941 +with the identity used by the consumer for synchronization purposes
3942 +by means of the RFC 4533 LDAP Content Synchronization protocol
3943 +(see \fBolcSyncrepl\fP for details).
3945 +When using subordinate databases, it is necessary for any limits that
3946 +are to be applied across the parent and its subordinates to be defined in
3947 +both the parent and its subordinates. Otherwise the settings on the
3948 +subordinate databases are not honored.
3951 +.B olcMaxDerefDepth: <depth>
3952 +Specifies the maximum number of aliases to dereference when trying to
3953 +resolve an entry, used to avoid infinite alias loops. The default is 15.
3955 +.B olcMultiProvider: TRUE | FALSE
3956 +This option puts a consumer database into Multi-Provider mode. Update
3957 +operations will be accepted from any user, not just the updatedn. The
3958 +database must already be configured as a syncrepl consumer
3959 +before this keyword may be set. This mode also requires a
3961 +(see above) to be configured.
3962 +By default, this setting is FALSE.
3964 +.B olcMonitoring: TRUE | FALSE
3965 +This option enables database-specific monitoring in the entry related
3966 +to the current database in the "cn=Databases,cn=Monitor" subtree
3967 +of the monitor database, if the monitor database is enabled.
3968 +Currently, only the MDB database provides database-specific monitoring.
3969 +If monitoring is supported by the backend it defaults to TRUE, otherwise
3972 +.B olcPlugin: <plugin_type> <lib_path> <init_function> [<arguments>]
3973 +Configure a SLAPI plugin. See the
3974 +.BR slapd.plugin (5)
3975 +manpage for more details.
3978 +Specify the distinguished name that is not subject to access control
3979 +or administrative limit restrictions for operations on this database.
3980 +This DN may or may not be associated with an entry. An empty root
3981 +DN (the default) specifies no root access is to be granted. It is
3982 +recommended that the rootdn only be specified when needed (such as
3983 +when initially populating a database). If the rootdn is within
3984 +a namingContext (suffix) of the database, a simple bind password
3985 +may also be provided using the
3987 +directive. Many optional features, including syncrepl, require the
3988 +rootdn to be defined for the database.
3993 +database defaults to
3997 +.B olcRootPW: <password>
3998 +Specify a password (or hash of the password) for the rootdn. The
3999 +password can only be set if the rootdn is within the namingContext
4000 +(suffix) of the database.
4001 +This option accepts all RFC 2307 userPassword formats known to
4004 +description) as well as cleartext.
4006 +may be used to generate a hash of a password. Cleartext
4007 +and \fB{CRYPT}\fP passwords are not recommended. If empty
4008 +(the default), authentication of the root DN is by other means
4009 +(e.g. SASL). Use of SASL is encouraged.
4011 +.B olcSubordinate: [TRUE | FALSE | advertise]
4012 +Specify that the current backend database is a subordinate of another
4013 +backend database. A subordinate database may have only one suffix. This
4014 +option may be used to glue multiple databases into a single namingContext.
4015 +If the suffix of the current database is within the namingContext of a
4016 +superior database, searches against the superior database will be
4017 +propagated to the subordinate as well. All of the databases
4018 +associated with a single namingContext should have identical rootdns.
4019 +Behavior of other LDAP operations is unaffected by this setting. In
4020 +particular, it is not possible to use moddn to move an entry from
4021 +one subordinate to another subordinate within the namingContext.
4023 +If the optional \fBadvertise\fP flag is supplied, the naming context of
4024 +this database is advertised in the root DSE. The default is to hide this
4025 +database context, so that only the superior context is visible.
4030 +.BR slapmodify (8),
4033 +are used on the superior database, any glued subordinates that support
4034 +these tools are opened as well.
4036 +Databases that are glued together should usually be configured with the
4037 +same indices (assuming they support indexing), even for attributes that
4038 +only exist in some of these databases. In general, all of the glued
4039 +databases should be configured as similarly as possible, since the intent
4040 +is to provide the appearance of a single directory.
4042 +Note that the subordinate functionality is implemented internally
4043 +by the \fIglue\fP overlay and as such its behavior will interact with other
4044 +overlays in use. By default, the glue overlay is automatically configured as
4045 +the last overlay on the superior database. Its position on the database
4046 +can be explicitly configured by setting an \fBoverlay glue\fP directive
4047 +at the desired position. This explicit configuration is necessary e.g.
4048 +when using the \fIsyncprov\fP overlay, which needs to follow \fIglue\fP
4049 +in order to work over all of the glued databases. E.g.
4052 + dn: olcDatabase={1}mdb,cn=config
4053 + olcSuffix: dc=example,dc=com
4056 + dn: olcOverlay={0}glue,olcDatabase={1}mdb,cn=config
4059 + dn: olcOverlay={1}syncprov,olcDatabase={1}mdb,cn=config
4063 +See the Overlays section below for more details.
4065 +.B olcSuffix: <dn suffix>
4066 +Specify the DN suffix of queries that will be passed to this
4067 +backend database. Multiple suffix lines can be given and at least one is
4068 +required for each database definition.
4070 +If the suffix of one database is "inside" that of another, the database
4071 +with the inner suffix must come first in the configuration file.
4072 +You may also want to glue such databases together with the
4076 +.B olcSyncUseSubentry: TRUE | FALSE
4077 +Store the syncrepl contextCSN in a subentry instead of the context entry
4078 +of the database. The subentry's RDN will be "cn=ldapsync". The default is
4079 +FALSE, meaning the contextCSN is stored in the context entry.
4082 +.B olcSyncrepl: rid=<replica ID>
4083 +.B provider=ldap[s]://<hostname>[:port]
4084 +.B searchbase=<base DN>
4085 +.B [type=refreshOnly|refreshAndPersist]
4086 +.B [interval=dd:hh:mm:ss]
4087 +.B [retry=[<retry interval> <# of retries>]+]
4088 +.B [filter=<filter str>]
4089 +.B [scope=sub|one|base|subord]
4090 +.B [attrs=<attr list>]
4091 +.B [exattrs=<attr list>]
4093 +.B [sizelimit=<limit>]
4094 +.B [timelimit=<limit>]
4095 +.B [schemachecking=on|off]
4096 +.B [network\-timeout=<seconds>]
4097 +.B [timeout=<seconds>]
4098 +.B [tcp\-user\-timeout=<milliseconds>]
4099 +.B [bindmethod=simple|sasl]
4101 +.B [saslmech=<mech>]
4102 +.B [authcid=<identity>]
4103 +.B [authzid=<identity>]
4104 +.B [credentials=<passwd>]
4106 +.B [secprops=<properties>]
4107 +.B [keepalive=<idle>:<probes>:<interval>]
4108 +.B [starttls=yes|critical]
4109 +.B [tls_cert=<file>]
4110 +.B [tls_key=<file>]
4111 +.B [tls_cacert=<file>]
4112 +.B [tls_cacertdir=<path>]
4113 +.B [tls_reqcert=never|allow|try|demand]
4114 +.B [tls_reqsan=never|allow|try|demand]
4115 +.B [tls_cipher_suite=<ciphers>]
4116 +.B [tls_ecname=<names>]
4117 +.B [tls_crlcheck=none|peer|all]
4118 +.B [tls_protocol_min=<major>[.<minor>]]
4119 +.B [suffixmassage=<real DN>]
4120 +.B [logbase=<base DN>]
4121 +.B [logfilter=<filter str>]
4122 +.B [syncdata=default|accesslog|changelog]
4125 +Specify the current database as a consumer which is kept up-to-date with the
4126 +provider content by establishing the current
4128 +as a replication consumer site running a
4130 +replication engine.
4131 +The consumer content is kept synchronized to the provider content using
4132 +the LDAP Content Synchronization protocol. Refer to the
4133 +"OpenLDAP Administrator's Guide" for detailed information on
4134 +setting up a replicated
4136 +directory service using the
4138 +replication engine.
4141 +identifies the current
4143 +directive within the replication consumer site.
4144 +It is a non-negative integer not greater than 999 (limited
4145 +to three decimal digits).
4148 +specifies the replication provider site containing the provider content
4149 +as an LDAP URI. If <port> is not given, the standard LDAP port number
4150 +(389 or 636) is used.
4154 +consumer is defined using a search
4155 +specification as its result set. The consumer
4157 +will send search requests to the provider
4159 +according to the search specification. The search specification includes
4160 +.BR searchbase ", " scope ", " filter ", " attrs ", " attrsonly ", " sizelimit ", "
4163 +parameters as in the normal search specification. The
4165 +option may also be used to specify attributes that should be omitted
4166 +from incoming entries.
4167 +The \fBscope\fP defaults to \fBsub\fP, the \fBfilter\fP defaults to
4168 +\fB(objectclass=*)\fP, and there is no default \fBsearchbase\fP. The
4169 +\fBattrs\fP list defaults to \fB"*,+"\fP to return all user and operational
4170 +attributes, and \fBattrsonly\fP and \fBexattrs\fP are unset by default.
4171 +The \fBsizelimit\fP and \fBtimelimit\fP only
4172 +accept "unlimited" and positive integers, and both default to "unlimited".
4173 +The \fBsizelimit\fP and \fBtimelimit\fP parameters define
4174 +a consumer requested limitation on the number of entries that can be returned
4175 +by the LDAP Content Synchronization operation; these should be left unchanged
4176 +from the default otherwise replication may never succeed.
4177 +Note, however, that any provider-side limits for the replication identity
4178 +will be enforced by the provider regardless of the limits requested
4179 +by the LDAP Content Synchronization operation, much like for any other
4182 +The LDAP Content Synchronization protocol has two operation types.
4185 +operation, the next synchronization search operation
4186 +is periodically rescheduled at an interval time (specified by
4188 +parameter; 1 day by default)
4189 +after each synchronization operation finishes.
4191 +.B refreshAndPersist
4192 +operation, a synchronization search remains persistent in the provider slapd.
4193 +Further updates to the provider will generate
4194 +.B searchResultEntry
4195 +to the consumer slapd as the search responses to the persistent
4196 +synchronization search. If the initial search fails due to an error, the
4197 +next synchronization search operation is periodically rescheduled at an
4198 +interval time (specified by
4200 +parameter; 1 day by default)
4202 +If an error occurs during replication, the consumer will attempt to
4203 +reconnect according to the
4205 +parameter which is a list of the <retry interval> and <# of retries> pairs.
4206 +For example, retry="60 10 300 3" lets the consumer retry every 60 seconds
4207 +for the first 10 times and then retry every 300 seconds for the next 3
4208 +times before stop retrying. The `+' in <# of retries> means indefinite
4209 +number of retries until success.
4212 +is specified, by default syncrepl retries every hour forever.
4214 +The schema checking can be enforced at the LDAP Sync
4215 +consumer site by turning on the
4217 +parameter. The default is \fBoff\fP.
4218 +Schema checking \fBon\fP means that replicated entries must have
4219 +a structural objectClass, must obey to objectClass requirements
4220 +in terms of required/allowed attributes, and that naming attributes
4221 +and distinguished values must be present.
4222 +As a consequence, schema checking should be \fBoff\fP when partial
4223 +replication is used.
4226 +.B network\-timeout
4227 +parameter sets how long the consumer will wait to establish a
4228 +network connection to the provider. Once a connection is
4231 +parameter determines how long the consumer will wait for the initial
4232 +Bind request to complete. The defaults for these parameters come
4236 +.B tcp\-user\-timeout
4237 +parameter, if non-zero, corresponds to the
4238 +.B TCP_USER_TIMEOUT
4239 +set on the target connections, overriding the operating system setting.
4240 +Only some systems support the customization of this parameter, it is
4241 +ignored otherwise and system-wide settings are used.
4247 +requires the options
4251 +and should only be used when adequate security services
4252 +(e.g. TLS or IPSEC) are in place.
4253 +.B REMEMBER: simple bind credentials must be in cleartext!
4258 +requires the option
4260 +Depending on the mechanism, an authentication identity and/or
4261 +credentials can be specified using
4267 +parameter may be used to specify an authorization identity.
4268 +Specific security properties (as with the
4270 +keyword above) for a SASL bind can be set with the
4272 +option. A non default SASL realm can be set with the
4275 +The identity used for synchronization by the consumer should be allowed
4276 +to receive an unlimited number of entries in response to a search request.
4277 +The provider, other than allowing authentication of the syncrepl identity,
4278 +should grant that identity appropriate access privileges to the data
4279 +that is being replicated (\fBaccess\fP directive), and appropriate time
4281 +This can be accomplished by either allowing unlimited \fBsizelimit\fP
4282 +and \fBtimelimit\fP, or by setting an appropriate \fBlimits\fP statement
4283 +in the consumer's configuration (see \fBsizelimit\fP and \fBlimits\fP
4288 +parameter sets the values of \fIidle\fP, \fIprobes\fP, and \fIinterval\fP
4289 +used to check whether a socket is alive;
4291 +is the number of seconds a connection needs to remain idle before TCP
4292 +starts sending keepalive probes;
4294 +is the maximum number of keepalive probes TCP should send before dropping
4297 +is interval in seconds between individual keepalive probes.
4298 +Only some systems support the customization of these values;
4301 +parameter is ignored otherwise, and system-wide settings are used.
4305 +parameter specifies use of the StartTLS extended operation
4306 +to establish a TLS session before Binding to the provider. If the
4308 +argument is supplied, the session will be aborted if the StartTLS request
4309 +fails. Otherwise the syncrepl session continues without TLS. The
4311 +setting defaults to "demand", the
4313 +setting defaults to "allow", and the other TLS settings
4314 +default to the same as the main slapd TLS settings.
4318 +parameter allows the consumer to pull entries from a remote directory
4319 +whose DN suffix differs from the local directory. The portion of the
4320 +remote entries' DNs that matches the \fIsearchbase\fP will be replaced
4321 +with the suffixmassage DN.
4323 +Rather than replicating whole entries, the consumer can query logs of
4324 +data modifications. This mode of operation is referred to as \fIdelta
4325 +syncrepl\fP. In addition to the above parameters, the
4329 +parameters must be set appropriately for the log that will be used. The
4331 +parameter must be set to either "accesslog" if the log conforms to the
4332 +.BR slapo\-accesslog (5)
4333 +log format, or "changelog" if the log conforms
4334 +to the obsolete \fIchangelog\fP format. If the
4336 +parameter is omitted or set to "default" then the log parameters are
4341 +parameter tells the underlying database that it can store changes without
4342 +performing a full flush after each change. This may improve performance
4343 +for the consumer, while sacrificing safety or durability.
4346 +.B olcUpdateDN: <dn>
4347 +This option is only applicable in a replica
4349 +It specifies the DN permitted to update (subject to access controls)
4350 +the replica. It is only needed in certain push-mode
4351 +replication scenarios. Generally, this DN
4355 +used at the provider.
4357 +.B olcUpdateRef: <url>
4358 +Specify the referral to pass back when
4360 +is asked to modify a replicated local database.
4361 +If multiple values are specified, each url is provided.
4363 +.SH DATABASE-SPECIFIC OPTIONS
4364 +Each database may allow specific configuration options; they are
4365 +documented separately in the backends' manual pages. See the
4366 +.BR slapd.backends (5)
4367 +manual page for an overview of available backends.
4369 +An overlay is a piece of
4370 +code that intercepts database operations in order to extend or change
4371 +them. Overlays are pushed onto
4372 +a stack over the database, and so they will execute in the reverse
4373 +of the order in which they were configured and the database itself
4374 +will receive control last of all.
4376 +Overlays must be configured as child entries of a specific database. The
4377 +entry's RDN must be of the form
4378 +.B olcOverlay={x}<overlaytype>
4379 +and the entry must have the olcOverlayConfig objectClass. Normally the
4380 +config engine generates the "{x}" index in the RDN automatically, so
4381 +it can be omitted when initially loading these entries.
4384 +.BR slapd.overlays (5)
4385 +manual page for an overview of available overlays.
4388 +Here is a short example of a configuration in LDIF suitable for use with
4395 +objectClass: olcGlobal
4397 +olcPidFile: LOCALSTATEDIR/run/slapd.pid
4398 +olcAttributeOptions: x\-hidden lang\-
4400 +dn: cn=schema,cn=config
4401 +objectClass: olcSchemaConfig
4404 +include: file://SYSCONFDIR/schema/core.ldif
4406 +dn: olcDatabase=frontend,cn=config
4407 +objectClass: olcDatabaseConfig
4408 +objectClass: olcFrontendConfig
4409 +olcDatabase: frontend
4410 +# Subtypes of "name" (e.g. "cn" and "ou") with the
4411 +# option ";x\-hidden" can be searched for/compared,
4412 +# but are not shown. See \fBslapd.access\fP(5).
4413 +olcAccess: to attrs=name;x\-hidden by * =cs
4414 +# Protect passwords. See \fBslapd.access\fP(5).
4415 +olcAccess: to attrs=userPassword by * auth
4416 +# Read access to other attributes and entries.
4417 +olcAccess: to * by * read
4419 +# set a rootpw for the config database so we can bind.
4420 +# deny access to everyone else.
4421 +dn: olcDatabase=config,cn=config
4422 +objectClass: olcDatabaseConfig
4423 +olcDatabase: config
4424 +olcRootPW: {SSHA}XKYnrjvGT3wZFQrDD5040US592LxsdLy
4425 +olcAccess: to * by * none
4427 +dn: olcDatabase=mdb,cn=config
4428 +objectClass: olcDatabaseConfig
4429 +objectClass: olcMdbConfig
4431 +olcSuffix: "dc=our\-domain,dc=com"
4432 +# The database directory MUST exist prior to
4433 +# running slapd AND should only be accessible
4434 +# by the slapd/tools. Mode 0700 recommended.
4435 +olcDbDirectory: LOCALSTATEDIR/openldap\-data
4436 +# Indices to maintain
4437 +olcDbIndex: objectClass eq
4438 +olcDbIndex: cn,sn,mail pres,eq,approx,sub
4440 +# We serve small clients that do not handle referrals,
4441 +# so handle remote lookups on their behalf.
4442 +dn: olcDatabase=ldap,cn=config
4443 +objectClass: olcDatabaseConfig
4444 +objectClass: olcLdapConfig
4447 +olcDbUri: ldap://ldap.some\-server.com/
4451 +Assuming the above data was saved in a file named "config.ldif" and the
4452 +ETCDIR/slapd.d directory has been created, this command will initialize
4456 +slapadd \-F ETCDIR/slapd.d \-n 0 \-l config.ldif
4461 +"OpenLDAP Administrator's Guide" contains a longer annotated
4462 +example of a slapd configuration.
4464 +Alternatively, an existing slapd.conf file can be converted to the new
4465 +format using slapd or any of the slap tools:
4468 +slaptest \-f ETCDIR/slapd.conf \-F ETCDIR/slapd.d
4475 +default slapd configuration file
4478 +default slapd configuration directory
4482 +.BR gnutls\-cli (1),
4483 +.BR slapd.access (5),
4484 +.BR slapd.backends (5),
4485 +.BR slapd.conf (5),
4486 +.BR slapd.overlays (5),
4487 +.BR slapd.plugin (5),
4495 +.BR slapmodify (8),
4496 +.BR slappasswd (8),
4499 +"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
4500 +.SH ACKNOWLEDGEMENTS
4502 diff -Naurp openldap-2.6.2.orig/include/ldap_defaults.h openldap-2.6.2/include/ldap_defaults.h
4503 --- openldap-2.6.2.orig/include/ldap_defaults.h 2022-05-04 16:55:23.000000000 +0200
4504 +++ openldap-2.6.2/include/ldap_defaults.h 2022-05-05 12:07:08.783961875 +0200
4507 /* default ldapi:// socket */
4509 -#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi"
4510 +#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "openldap" LDAP_DIRSEP "ldapi"
4516 #define SLAPD_DEFAULT_CONFIGDIR LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.d"
4518 #ifndef SLAPD_DEFAULT_DB_DIR
4519 -#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "openldap-data"
4520 +#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "lib" LDAP_DIRSEP "openldap"
4523 #define SLAPD_DEFAULT_DB_MODE 0600
4524 /* default max deref depth for aliases */
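Review bot: The new `LDAPI_SOCK` default at 4510 puts the ldapi socket under `LDAP_RUNDIR/run/openldap`, but nothing in this patch creates that directory: the install-slapd hunk in servers/slapd/Makefile.in (4556) still runs `-$(MKDIR) $(DESTDIR)$(localstatedir)/run`, while the slapd.conf and slapd.ldif hunks move the pidfile and argsfile into the same `run/openldap` subdirectory. Unless the packaging provides it elsewhere (a tmpfiles or init fragment, not visible here), a fresh install fails at startup when slapd tries to write its pidfile and bind the socket. Either change that MKDIR line to `-$(MKDIR) $(DESTDIR)$(localstatedir)/run/openldap` or record the expectation next to the define, e.g. `/* run/openldap is not created by the build; it must exist and be owned by the slapd user before slapd starts */`. Since the directory's ownership and mode are what gate local ldapi clients, the comment should state who is meant to own it.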
4525 diff -Naurp openldap-2.6.2.orig/libraries/liblber/Makefile.in openldap-2.6.2/libraries/liblber/Makefile.in
4526 --- openldap-2.6.2.orig/libraries/liblber/Makefile.in 2022-05-04 16:55:23.000000000 +0200
4527 +++ openldap-2.6.2/libraries/liblber/Makefile.in 2022-05-05 12:05:53.313727757 +0200
4528 @@ -51,6 +51,6 @@ idtest: $(XLIBS) idtest.o
4530 install-local: FORCE
4531 -$(MKDIR) $(DESTDIR)$(libdir)
4532 - $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir)
4533 + $(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir)
4534 $(LTFINISH) $(DESTDIR)$(libdir)
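Review bot: The mode change from 644 to 755 at 4533 has no comment saying why a shared library is now installed executable, and the same unexplained change appears in the libraries/libldap and servers/slapd/slapi hunks. A later reader cannot tell whether this follows a distribution packaging rule (some strip or ldconfig tooling expects +x on shared objects) or is accidental, so add one line above the install command, e.g. `# 0755: shared objects are installed executable per the distribution's packaging policy`, adjusted to the real reason. Note that `$(LIBRARY)` is the libtool archive, so presumably any static archive built alongside the .so receives the same mode.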
4536 diff -Naurp openldap-2.6.2.orig/libraries/libldap/Makefile.in openldap-2.6.2/libraries/libldap/Makefile.in
4537 --- openldap-2.6.2.orig/libraries/libldap/Makefile.in 2022-05-04 16:55:23.000000000 +0200
4538 +++ openldap-2.6.2/libraries/libldap/Makefile.in 2022-05-05 12:05:53.327727801 +0200
4539 @@ -82,7 +82,7 @@ CFFILES=ldap.conf
4541 install-local: $(CFFILES) FORCE
4542 -$(MKDIR) $(DESTDIR)$(libdir)
4543 - $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir)
4544 + $(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir)
4545 $(LTFINISH) $(DESTDIR)$(libdir)
4546 -$(MKDIR) $(DESTDIR)$(sysconfdir)
4547 @for i in $(CFFILES); do \
4548 diff -Naurp openldap-2.6.2.orig/servers/slapd/Makefile.in openldap-2.6.2/servers/slapd/Makefile.in
4549 --- openldap-2.6.2.orig/servers/slapd/Makefile.in 2022-05-04 16:55:23.000000000 +0200
4550 +++ openldap-2.6.2/servers/slapd/Makefile.in 2022-05-05 12:05:53.329727807 +0200
4551 @@ -374,9 +374,10 @@ install-local-srv: install-slapd install
4553 install-slapd: FORCE
4554 -$(MKDIR) $(DESTDIR)$(libexecdir)
4555 + -$(MKDIR) $(DESTDIR)$(sbindir)
4556 -$(MKDIR) $(DESTDIR)$(localstatedir)/run
4557 $(LTINSTALL) $(INSTALLFLAGS) $(STRIP_OPTS) -m 755 \
4558 - slapd$(EXEEXT) $(DESTDIR)$(libexecdir)
4559 + slapd$(EXEEXT) $(DESTDIR)$(sbindir)
4560 @for i in $(SUBDIRS); do \
4561 if test -d $$i && test -f $$i/Makefile ; then \
4562 echo; echo " cd $$i && $(MAKE) $(MFLAGS) install"; \
4563 @@ -452,9 +453,9 @@ install-conf: FORCE
4565 install-db-config: FORCE
4566 @-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir)
4567 - @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data
4568 + @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/lib/openldap
4569 $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
4570 - $(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example
4571 + $(DESTDIR)$(localstatedir)/lib/openldap/DB_CONFIG.example
4572 $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
4573 $(DESTDIR)$(sysconfdir)/DB_CONFIG.example
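Review bot: The `-m 700 -d $(DESTDIR)$(localstatedir)/lib/openldap` line at 4568 relies on `install -d` creating the new `lib` parent as a side effect, and its `@-` prefix hides any failure, so a missing or unwritable `$(localstatedir)/lib` leaves the DB directory absent until the following `$(INSTALL)` of DB_CONFIG.example fails with a less obvious error. Whether that intermediate component gets the 700 mode or the umask default depends on the install implementation, which matters because `lib` should remain traversable while `openldap` stays private to the slapd user. Create the parent explicitly on the preceding MKDIR line: `@-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(localstatedir)/lib $(DESTDIR)$(sysconfdir)`.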
4575 @@ -462,6 +463,6 @@ install-tools: FORCE
4576 -$(MKDIR) $(DESTDIR)$(sbindir)
4577 for i in $(SLAPTOOLS); do \
4578 $(RM) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \
4579 - $(LN_S) -f $(DESTDIR)$(libexecdir)/slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \
4580 + $(LN_S) -f $(DESTDIR)$(sbindir)/slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \
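Review bot: The new link target at 4580 still embeds `$(DESTDIR)`, so when installing into a staging root the slap tool symlinks point at the staging copy of slapd and break once the tree is moved to `/`. Now that slapd and the tools share `$(sbindir)`, the target can be relative: `$(LN_S) -f slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \`. The old libexecdir form had the same problem, but the move into one directory is the natural moment to fix it. The install-tools recipe begins before this hunk and the loop's `done` is not shown in it.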
4583 diff -Naurp openldap-2.6.2.orig/servers/slapd/slapd.conf openldap-2.6.2/servers/slapd/slapd.conf
4584 --- openldap-2.6.2.orig/servers/slapd/slapd.conf 2022-05-04 16:55:23.000000000 +0200
4585 +++ openldap-2.6.2/servers/slapd/slapd.conf 2022-05-05 12:05:53.331727813 +0200
4586 @@ -10,8 +10,9 @@ include %SYSCONFDIR%/schema/core.schema
4587 # service AND an understanding of referrals.
4588 #referral ldap://root.openldap.org
4590 -pidfile %LOCALSTATEDIR%/run/slapd.pid
4591 -argsfile %LOCALSTATEDIR%/run/slapd.args
4592 +pidfile %LOCALSTATEDIR%/run/openldap/slapd.pid
4593 +argsfile %LOCALSTATEDIR%/run/openldap/slapd.args
4596 # Load dynamic backend modules:
4597 modulepath %MODULEDIR%
4598 @@ -69,7 +70,7 @@ rootpw secret
4599 # The database directory MUST exist prior to running slapd AND
4600 # should only be accessible by the slapd and slap tools.
4601 # Mode 700 recommended.
4602 -directory %LOCALSTATEDIR%/openldap-data
4603 +directory %LOCALSTATEDIR%/lib/openldap
4604 # Indices to maintain
4605 index objectClass eq
4607 diff -Naurp openldap-2.6.2.orig/servers/slapd/slapd.ldif openldap-2.6.2/servers/slapd/slapd.ldif
4608 --- openldap-2.6.2.orig/servers/slapd/slapd.ldif 2022-05-04 16:55:23.000000000 +0200
4609 +++ openldap-2.6.2/servers/slapd/slapd.ldif 2022-05-05 12:05:53.332727816 +0200
4610 @@ -9,8 +9,8 @@ cn: config
4612 # Define global ACLs to disable default read access.
4614 -olcArgsFile: %LOCALSTATEDIR%/run/slapd.args
4615 -olcPidFile: %LOCALSTATEDIR%/run/slapd.pid
4616 +olcArgsFile: %LOCALSTATEDIR%/run/openldap/slapd.args
4617 +olcPidFile: %LOCALSTATEDIR%/run/openldap/slapd.pid
4619 # Do not enable referrals until AFTER you have a working directory
4620 # service AND an understanding of referrals.
4621 @@ -88,7 +88,7 @@ olcRootPW: secret
4622 # The database directory MUST exist prior to running slapd AND
4623 # should only be accessible by the slapd and slap tools.
4624 # Mode 700 recommended.
4625 -olcDbDirectory: %LOCALSTATEDIR%/openldap-data
4626 +olcDbDirectory: %LOCALSTATEDIR%/lib/openldap
4627 # Indices to maintain
4628 olcDbIndex: objectClass eq
4630 diff -Naurp openldap-2.6.2.orig/servers/slapd/slapi/Makefile.in openldap-2.6.2/servers/slapd/slapi/Makefile.in
4631 --- openldap-2.6.2.orig/servers/slapd/slapi/Makefile.in 2022-05-04 16:55:23.000000000 +0200
4632 +++ openldap-2.6.2/servers/slapd/slapi/Makefile.in 2022-05-05 12:05:53.333727819 +0200
4633 @@ -46,6 +46,6 @@ BUILD_MOD = @BUILD_SLAPI@
4634 install-local: FORCE
4635 if test "$(BUILD_MOD)" = "yes"; then \
4636 $(MKDIR) $(DESTDIR)$(libdir); \
4637 - $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir); \
4638 + $(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir); \