.TH SLAPD-META 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2020 The OpenLDAP Foundation, All Rights Reserved.
+.\" Copyright 1998-2024 The OpenLDAP Foundation, All Rights Reserved.
.\" Copying restrictions apply. See the COPYRIGHT file.
.\" Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
.\" $OpenLDAP$
.LP
Note: When looping back to the same instance of \fBslapd\fP(8),
-each connection requires a new thread; as a consequence, \fBslapd\fP(8)
-must be compiled with thread support, and the \fBthreads\fP parameter
-may need some tuning; in those cases, unless the multiple target feature
-is required, one may consider using \fBslapd\-relay\fP(5) instead,
+each connection requires a new thread; as a consequence, the \fBslapd\fP(8)
+\fBthreads\fP parameter may need some tuning. In those cases, unless the
+multiple target feature is required, one may consider using \fBslapd\-relay\fP(5) instead,
which performs the relayed operation internally and thus reuses
the same connection.
.SH EXAMPLES
There are examples in various places in this document, as well as in the
-slapd/back\-meta/data/ directory in the OpenLDAP source tree.
+slapd/back-meta/data/ directory in the OpenLDAP source tree.
.SH CONFIGURATION
These
.B slapd.conf
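Review bot: the path change on the "slapd/back-meta/data/" line goes the opposite way from the rest of this patch, which escapes hyphens ("idassert\-bind", "accept\-unsolicited", "authz\-regexp"); in groff a bare "-" may be rendered as a typographic hyphen, which breaks copy-and-paste of the directory name, so keep "slapd/back\-meta/data/" here.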
to all backends.
They are:
+.TP
+.B conn\-pool\-max <int>
+This directive defines the maximum size of the privileged connections pool.
+
.TP
.B conn\-ttl <time>
This directive causes a cached connection to be dropped an recreated
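Review bot: the new conn\-pool\-max entry does not state its default value, unlike the neighbouring directives; add the default so an administrator knows what applies when the directive is absent. The blank "+" line before the following .TP also introduces vertical space that no other entry in this list has; drop it.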
.BR yes ,
causes the authentication to the remote servers with the pseudo-root
identity (the identity defined in each
-.B idassert-bind
+.B idassert\-bind
directive) to be deferred until actually needed by subsequent operations.
Otherwise, all binds as the rootdn are propagated to the targets.
.TP
.B acl\-passwd <password>
Password used with the
-.B
-acl\-authcDN
+.B acl\-authcDN
above.
.TP
irrespective of the client's request.
When set to a numeric value, Paged Results control is always
used with \fIsize\fP as the page size.
-When set to \fIaccept-unsolicited\fP, unsolicited Paged Results
+When set to \fIaccept\-unsolicited\fP, unsolicited Paged Results
control responses are accepted and honored
for compatibility with broken remote DSAs.
The client is not exposed to paged results handling
.I local
identities are authorized to exploit the identity assertion feature.
The string
-.B <authz-regexp>
+.B <authz\-regexp>
follows the rules defined for the
.I authzFrom
attribute.
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<ciphers>]
.B [tls_protocol_min=<major>[.<minor>]]
.B [tls_crlcheck=none|peer|all]
.RS
.B none
is the default, i.e. no \fIidentity assertion\fP is performed.
-The authz parameter is used to instruct the SASL bind to exploit
+The
+.B authz
+parameter is used to instruct the SASL bind to exploit
.B native
SASL authorization, if available; since connections are cached,
this should only be used when authorizing with a fixed identity
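Review bot: ".B [tls_ecname=<ciphers>]" uses the wrong placeholder: tls_ecname selects elliptic curve names, not cipher suites, and the same parameter is listed as "[tls_ecname=<names>]" in the tls directive later in this patch; use "<names>" here so the two synopses agree.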
The TLS settings default to the same as the main slapd TLS settings,
except for
.B tls_reqcert
-which defaults to "demand".
+which defaults to "demand", and
+.B tls_reqsan
+which defaults to "allow"..
The identity associated to this directive is also used for privileged
operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP
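Review bot: the added line "which defaults to "allow".." ends with a doubled full stop; drop one so the sentence terminates correctly.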
.B keepalive
parameter is ignored otherwise, and system-wide settings are used.
+.TP
+.B tcp\-user\-timeout <milliseconds>
+If non-zero, corresponds to the
+.B TCP_USER_TIMEOUT
+set on the target connections, overriding the operating system setting.
+Only some systems support the customization of this parameter, it is
+ignored otherwise and system-wide settings are used.
+
.TP
.B map "{attribute|objectclass} [<local name>|*] {<foreign name>|*}"
This maps object classes and attributes as in the LDAP backend.
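Review bot: in the tcp\-user\-timeout entry, "Only some systems support the customization of this parameter, it is ignored otherwise and system-wide settings are used." is a comma splice; follow the keepalive paragraph directly above and write "Only some systems support the customization of this parameter; it is ignored otherwise, and system-wide settings are used." The blank "+" line before the next .TP should also go, as with the other entries in this list.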
is destroyed, according to RFC4511.
.TP
-.B tls {[try\-]start|[try\-]propagate}
-execute the StartTLS extended operation when the connection is initialized;
-only works if the URI directive protocol scheme is not \fBldaps://\fP.
-\fBpropagate\fP issues the StartTLS operation only if the original
-connection did.
+.B tls {none|[try\-]start|[try\-]propagate|ldaps}
+.B [starttls=no]
+.B [tls_cert=<file>]
+.B [tls_key=<file>]
+.B [tls_cacert=<file>]
+.B [tls_cacertdir=<path>]
+.B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
+.B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<names>]
+.B [tls_crlcheck=none|peer|all]
+.RS
+Specify TLS settings regular connections.
+
+If the first parameter is not "none" then this configures the TLS
+settings to be used for regular connections.
+The StartTLS extended operation will be used when establishing the
+connection unless the URI directive protocol scheme is \fBldaps://\fP.
+In that case this keyword may only be set to "ldaps" and the StartTLS
+operation will not be used.
+
+With \fBpropagate\fP, the proxy issues the StartTLS operation only if
+the original connection has a TLS layer set up.
The \fBtry\-\fP prefix instructs the proxy to continue operations
-if the StartTLS operation failed; its use is highly deprecated.
+if the StartTLS operation failed; its use is \fBnot\fP recommended.
+
+The TLS settings default to the same as the main slapd TLS settings,
+except for
+.B tls_reqcert
+which defaults to "demand",
+.B tls_reqsan
+which defaults to "allow", and
+.B starttls
+which is overshadowed by the first keyword and thus ignored.
+
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
+.RE
.SH SCENARIOS
A powerful (and in some sense dangerous) rewrite engine has been added
default slapd configuration file
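Review bot: the rewritten tls entry lists "[starttls=no]" in its synopsis but then states that starttls "is overshadowed by the first keyword and thus ignored"; either remove it from the synopsis or say when it takes effect, otherwise readers will set an option that does nothing. "Specify TLS settings regular connections." is missing "for". And "In that case this keyword may only be set to "ldaps"" should say whether "none", which the synopsis lists, is also accepted with an ldaps:// URI, since an administrator reading the synopsis alone would expect it to be.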
.SH SEE ALSO
.BR slapd.conf (5),
+.BR slapd\-asyncmeta (5),
.BR slapd\-ldap (5),
.BR slapo\-pcache (5),
.BR slapd (8),