.B dn[.<dnstyle>]:<pattern>
.RE
.RS
-.B u[<mech>[<realm>]]:<pattern>
+.B u[.<mech>[<realm>]]:<pattern>
.RE
.RS
.B group[/objectClass[/attributeType]]:<pattern>
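Review bot: The fix restores the dot between `u` and `<mech>` so the form matches the `dn[.<dnstyle>]` pattern above it, but the synopsis still shows `<realm>` nested inside the `<mech>` brackets with no separator; if a separator is required between mechanism and realm, show it here so the form is unambiguous.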
.I authzFrom
or
.IR authzTo .
+
+.LP
The second form is a
.BR DN ,
with the optional style modifiers
A pattern of
.I *
means any non-anonymous DN.
+
+.LP
The third form is a SASL
.BR id ,
with the optional fields
for those mechanisms that support one.
The need to allow the specification of a mechanism is still debated,
and users are strongly discouraged to rely on this possibility.
-The fourth form is a group specification, consisting of the keyword
+
+.LP
+The fourth form is a group specification.
+It consists of the keyword
.BR group ,
optionally followed by the specification of the group
.B objectClass
-and member
+and
.BR attributeType .
+The
+.B objectClass
+defaults to
+.IR groupOfNames .
+The
+.B attributeType
+defaults to
+.IR member .
The group with DN
.B <pattern>
-is searched with base scope, and in case of match, the values of the
-member
+is searched with base scope, filtered on the specified
+.BR objectClass .
+The values of the resulting
.B attributeType
are searched for the asserted DN.
-For backwards compatibility, if no identity type is provided, i.e. only
+
+.LP
+The fifth form is provided for backwards compatibility. If no identity
+type is provided, i.e. only
.B <pattern>
is present, an
.I exact DN
is assumed; as a consequence,
.B <pattern>
is subjected to DN normalization.
+
+.LP
Since the interpretation of
.I authzFrom
and
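Review bot: The new fourth-form text (lines "is searched with base scope, filtered on the specified" / ".BR objectClass .") implies that a group entry lacking the specified objectClass simply never matches; worth stating that explicitly, since a silently failing authz rule is hard to debug. While this hunk is rewording the same paragraph, also fix the pre-existing grammar in "users are strongly discouraged to rely on this possibility" (should be "discouraged from relying on"), and give "with the optional style modifiers" a terminating period before "A pattern of".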
A subset of these rules can be used as third arg in the
.B olcAuthzRegexp
statement (see below); significantly, the
-.I URI
+.IR URI ,
+provided it results in exactly one entry,
and the
.I dn.exact:<dn>
forms.
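Review bot: "provided it results in exactly one entry" is a useful qualification, but the text does not say what happens otherwise; add a clause stating whether a URI matching zero or several entries makes the mapping fail or is treated as no match.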
.TP
.B olcAuthzRegexp: <match> <replace>
Used by the authentication framework to convert simple user names,
-such as provided by SASL subsystem, to an LDAP DN used for
-authorization purposes. Note that the resultant DN need not refer
+such as provided by SASL subsystem, or extracted from certificates
+in case of cert-based SASL EXTERNAL, or provided within the RFC 4370
+"proxied authorization" control, to an LDAP DN used for
+authorization purposes. Note that the resulting DN need not refer
to an existing entry to be considered valid. When an authorization
request is received from the SASL subsystem, the SASL
.BR USERNAME ,
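Review bot: The rewritten sentence now chains three input sources ("provided by SASL subsystem", "extracted from certificates", "provided within the RFC 4370 control") before reaching its object "to an LDAP DN"; split the sources out into a separate sentence or list so the mapping rule stays readable. Since the line is being touched anyway, "provided by SASL subsystem" should read "provided by the SASL subsystem".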
.TP
.B 256
.B (0x100 stats)
-stats log connections/operations/results
+connections, LDAP operations, results (recommended)
.TP
.B 512
.B (0x200 stats2)
-stats log entries sent
+stats2 log entries sent
.TP
.B 1024
.B (0x400 shell)
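Review bot: The 256 entry drops the "stats log" prefix and adds "(recommended)", but the 512 entry is rewritten to "stats2 log entries sent", so the two adjacent descriptions now use different styles; pick one. Also, "(recommended)" without a reason reads as arbitrary; either say why (e.g. what it is recommended for) or move the recommendation to the introductory text for the log level.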
size allowed. 0 disables security layers. The default is 65536.
.TP
.B olcServerID: <integer> [<URL>]
-Specify an integer ID from 0 to 4095 for this server. The ID may also be
+Specify an integer ID from 0 to 4095 for this server. The ID may also be
specified as a hexadecimal ID by prefixing the value with "0x".
Non-zero IDs are required when using multi-provider replication and each
provider must have a unique non-zero ID. Note that this requirement also
.TP
.B olcTLSCipherSuite: <cipher-suite-spec>
Permits configuring what ciphers will be accepted and the preference order.
-<cipher-suite-spec> should be a cipher specification for
-the TLS library in use (OpenSSL or GnuTLS).
+<cipher-suite-spec> should be a cipher specification for the TLS library
+in use (OpenSSL or GnuTLS).
Example:
.RS
.RS
Specifies the file that contains certificates for all of the Certificate
Authorities that
.B slapd
-will recognize.
+will recognize. The certificate for
+the CA that signed the server certificate must be included among
+these certificates. If the signing CA was not a top-level (root) CA,
+certificates for the entire sequence of CA's from the signing CA to
+the top-level CA should be present. Multiple certificates are simply
+appended to the file; the order is not significant.
.TP
.B olcTLSCACertificatePath: <path>
Specifies the path of a directory that contains Certificate Authority
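Review bot: In the added text, "CA's" is a plural and should be "CAs". The modality is also inconsistent: the signing CA "must be included" while the rest of the chain "should be present"; if the server will fail to build its chain without the intermediates, say "must" for both.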
.TP
.B olcTLSCRLFile: <filename>
Specifies a file containing a Certificate Revocation List to be used
-for verifying that certificates have not been revoked. This parameter
-is only valid when using GnuTLS.
+for verifying that certificates have not been revoked. This parameter is
+only valid when using GnuTLS.
.SH DYNAMIC MODULE OPTIONS
If
.B slapd
description.)
.RE
+.HP
+.hy 0
+.B olcLdapSyntaxes "(\ <oid>\
+ [DESC\ <description>]\
+ [X\-SUBST <substitute-syntax>]\ )"
+.RS
+Specify an LDAP syntax using the LDAPv3 syntax defined in RFC 4512.
+The slapd parser extends the RFC 4512 definition by allowing string
+forms as well as numeric OIDs to be used for the syntax OID.
+(See the
+.B objectidentifier
+description.)
+The slapd parser also honors the
+.B X\-SUBST
+extension (an OpenLDAP-specific extension), which allows one to use the
+.B olcLdapSyntaxes
+attribute to define a non-implemented syntax along with another syntax,
+the extension value
+.IR substitute-syntax ,
+as its temporary replacement.
+The
+.I substitute-syntax
+must be defined.
+This allows one to define attribute types that make use of non-implemented syntaxes
+using the correct syntax OID.
+Unless
+.B X\-SUBST
+is used, this configuration statement would result in an error,
+since no handlers would be associated to the resulting syntax structure.
+.RE
+
.HP
.hy 0
.B olcObjectClasses: "(\ <oid>\
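Review bot: The new heading `.B olcLdapSyntaxes "(\ <oid>\` omits the colon after the attribute name, whereas the neighbouring `.B olcObjectClasses: "(\ <oid>\` includes it; make the new entry consistent. The X-SUBST paragraph is also hard to follow ("define a non-implemented syntax along with another syntax, the extension value substitute-syntax, as its temporary replacement"); suggest: "define a syntax that is not implemented, using the implemented syntax named by substitute-syntax as its temporary replacement".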
.SH GENERAL BACKEND OPTIONS
Options in these entries only apply to the configuration of a single
type of backend. All backends may support this class of options, but
-currently none do.
+currently only back-mdb does.
The entry must be named
.B olcBackend=<databasetype>,cn=config
and must have the olcBackendConfig objectClass.
<databasetype>
should be one of
+.BR asyncmeta ,
.BR config ,
.BR dnssrv ,
.BR ldap ,
.BR passwd ,
.BR perl ,
.BR relay ,
-.BR shell ,
+.BR sock ,
+.BR sql ,
or
-.BR sql .
-At present, no backend implements any options of this type, so this
-entry should not be used.
+.BR wt .
+At present, only back-mdb implements any options of this type, so this
+entry should not be used for any other backends.
.SH DATABASE OPTIONS
Database options are set in entries named
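Review bot: The hunk says the same thing twice: "currently only back-mdb does" and, a few lines later, "At present, only back-mdb implements any options of this type"; keep one. More importantly, the backend list in this page (asyncmeta, config, dnssrv, ldap, passwd, perl, relay, sock, sql, wt) does not include mdb even though mdb is the one backend the text says supports these options, and it differs from the slapd.conf list elsewhere in this patch, which also has mdb, meta, monitor, ndb and null; align the two lists.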
The second format allows a fine grain setting of the size limits.
If no special qualifiers are specified, both soft and hard limits are set.
Extra args can be added in the same value.
-Additional qualifiers are available. See
+Additional qualifiers are available; see
.BR olcLimits
for an explanation of all of the different flags.
.TP
.IR unlimited ,
no limit is applied (the default).
If it is set to
-.IR disable ,
+.IR disabled ,
the search is not even performed; this can be used to disallow searches
for a specific set of users.
If no limit specifier is set, the value is assigned to the
.B olcMultiProvider: TRUE | FALSE
This option puts a consumer database into Multi-Provider mode. Update
operations will be accepted from any user, not just the updatedn. The
-database must already be configured as syncrepl consumer
-before this keyword may be set. This mode also requires a
+database must already be configured as a syncrepl consumer
+before this keyword may be set. This mode also requires a
.B olcServerID
(see above) to be configured.
By default, this setting is FALSE.
+.B olcMonitoring: TRUE | FALSE
+This option enables database-specific monitoring in the entry related
+to the current database in the "cn=Databases,cn=Monitor" subtree
+of the monitor database, if the monitor database is enabled.
+Currently, only the MDB database provides database-specific monitoring.
+The default depends on the backend type.
.TP
.B olcPlugin: <plugin_type> <lib_path> <init_function> [<arguments>]
Configure a SLAPI plugin. See the
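Review bot: The added `.B olcMonitoring: TRUE | FALSE` line follows "By default, this setting is FALSE." with no `.TP` in between, so it will render as part of the olcMultiProvider paragraph rather than as a new tagged entry; insert `.TP` before it as the other entries do. "The default depends on the backend type" is also vague; since the same paragraph says only MDB provides this monitoring, state the MDB default.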
a namingContext (suffix) of the database, a simple bind password
may also be provided using the
.B olcRootPW
-directive. Note that the rootdn is always needed when using syncrepl.
+directive. Many optional features, including syncrepl, require the
+rootdn to be defined for the database.
The
.B olcRootDN
of the
identifies the current
.B syncrepl
directive within the replication consumer site.
-It is a non-negative integer having no more than three decimal digits.
+It is a non-negative integer not greater than 999 (limited
+to three decimal digits).
.B provider
specifies the replication provider site containing the provider content
will send search requests to the provider
.B slapd
according to the search specification. The search specification includes
-.B searchbase, scope, filter, attrs, attrsonly, sizelimit,
+.BR searchbase ", " scope ", " filter ", " attrs ", " attrsonly ", " sizelimit ", "
and
.B timelimit
parameters as in the normal search specification. The
attributes, and \fBattrsonly\fP and \fBexattrs\fP are unset by default.
The \fBsizelimit\fP and \fBtimelimit\fP only
accept "unlimited" and positive integers, and both default to "unlimited".
+The \fBsizelimit\fP and \fBtimelimit\fP parameters define
+a consumer requested limitation on the number of entries that can be returned
+by the LDAP Content Synchronization operation; as such, it is intended
+to implement partial replication based on the size of the replicated database
+and on the time required by the synchronization.
Note, however, that any provider-side limits for the replication identity
will be enforced by the provider regardless of the limits requested
by the LDAP Content Synchronization operation, much like for any other
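Review bot: "The sizelimit and timelimit parameters define a consumer requested limitation on the number of entries ... as such, it is intended" has a number-agreement problem (plural subject, "it"), and describes timelimit as a limit on the number of entries; suggest "define consumer-requested limits on the number of entries that can be returned and on the time the LDAP Content Synchronization operation may take; as such, they are intended".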
for the first 10 times and then retry every 300 seconds for the next 3
times before stop retrying. The `+' in <# of retries> means indefinite
number of retries until success.
+If no
+.B retry
+is specified, by default syncrepl retries every hour forever.
The schema checking can be enforced at the LDAP Sync
consumer site by turning on the
.B schemachecking
-parameter. The default is off.
+parameter. The default is \fBoff\fP.
+Schema checking \fBon\fP means that replicated entries must have
+a structural objectClass, must obey to objectClass requirements
+in terms of required/allowed attributes, and that naming attributes
+and distinguished values must be present.
+As a consequence, schema checking should be \fBoff\fP when partial
+replication is used.
The
.B network\-timeout
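Review bot: In the added schemachecking text, "must obey to objectClass requirements" should be "must obey objectClass requirements". The consequence sentence ("schema checking should be off when partial replication is used") is the important operational point; it would help to say why (replicated entries filtered by attrs or exattrs may lack required attributes), which the page's own description of partial replication supports.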
.B credentials
and should only be used when adequate security services
(e.g. TLS or IPSEC) are in place.
+.B REMEMBER: simple bind credentials must be in cleartext!
A
.B bindmethod
of
option. A non default SASL realm can be set with the
.B realm
option.
-The provider, other than allow authentication of the syncrepl identity,
-should grant that identity appropriate access privileges to the data
-that is being replicated (\fBaccess\fP directive), and appropriate time
-and size limits (\fBlimits\fP directive).
+The identity used for synchronization by the consumer should be allowed
+to receive an unlimited number of entries in response to a search request.
+The provider, other than allowing authentication of the syncrepl identity,
+should grant that identity appropriate access privileges to the data
+that is being replicated (\fBaccess\fP directive), and appropriate time
+and size limits.
+This can be accomplished by either allowing unlimited \fBsizelimit\fP
+and \fBtimelimit\fP, or by setting an appropriate \fBlimits\fP statement
+in the consumer's configuration (see \fBsizelimit\fP and \fBlimits\fP
+for details).
The
.B keepalive
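Review bot: "by setting an appropriate limits statement in the consumer's configuration" looks wrong: the surrounding text and the earlier note that "any provider-side limits for the replication identity will be enforced by the provider" both place these limits on the provider, so this should read "in the provider's configuration". Also, in this slapd-config page the cross references should use the olc names (olcSizeLimit, olcLimits) as the other entries do, not sizelimit and limits. The added "REMEMBER: simple bind credentials must be in cleartext!" line is ambiguous between "stored in cleartext in the config" and "transmitted in cleartext"; say which, and consider plain sentence case instead of all caps.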
.B tls_reqcert
setting defaults to "demand", the
.B tls_reqsan
-setting defaults to "allow", and the other TLS settings default to the same
-as the main slapd TLS settings.
+setting defaults to "allow", and the other TLS settings
+default to the same as the main slapd TLS settings.
The
.B suffixmassage
The fourth form is a group specification.
It consists of the keyword
.BR group ,
-optionally followed by the specification of
+optionally followed by the specification of the group
.B objectClass
and
.BR attributeType .
The
.B objectClass
defaults to
-.IR memberOf .
+.IR groupOfNames .
The
.B attributeType
defaults to
.TP
.B concurrency <integer>
Specify a desired level of concurrency. Provided to the underlying
-thread system as a hint. The default is not to provide any hint.
+thread system as a hint. The default is not to provide any hint. This setting
+is only meaningful on some platforms where there is not a one to one
+correspondence between user threads and kernel threads.
.TP
.B conn_max_pending <integer>
Specify the maximum number of pending requests for an anonymous session.
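Review bot: "one to one correspondence" should be hyphenated as "one-to-one correspondence". It would also help to name an example of such a platform, otherwise readers cannot tell whether the hint applies to them.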
will stop listening for new connections, but will not close the
connections to the current clients. Future write operations return
unwilling-to-perform, though. Slapd terminates when all clients
-have closed their connections (if they ever do), or - as before -
+have closed their connections (if they ever do), or \- as before \-
if it receives a SIGTERM signal. This can be useful if you wish to
terminate the server and start a new
.B slapd
.TP
.B idletimeout <integer>
Specify the number of seconds to wait before forcibly closing
-an idle client connection. A idletimeout of 0 disables this
+an idle client connection. A setting of 0 disables this
feature. The default is 0. You may also want to set the
.B writetimeout
option.
value is 4, which provides exact indexing for 31 bit values.
A floating point representation is used to index too large values.
.TP
-.B index_substr_if_minlen <integer>
-Specify the minimum length for subinitial and subfinal indices. An
-attribute value must have at least this many characters in order to be
-processed by the indexing functions. The default is 2.
-.TP
.B index_substr_if_maxlen <integer>
Specify the maximum length for subinitial and subfinal indices. Only
this many characters of an attribute value will be processed by the
indexing functions; any excess characters are ignored. The default is 4.
.TP
+.B index_substr_if_minlen <integer>
+Specify the minimum length for subinitial and subfinal indices. An
+attribute value must have at least this many characters in order to be
+processed by the indexing functions. The default is 2.
+.TP
.B index_substr_any_len <integer>
Specify the length used for subany indices. An attribute value must have
at least this many characters in order to be processed. Attribute values
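Review bot: If the intent of moving index_substr_if_minlen below index_substr_if_maxlen is alphabetical ordering, then index_substr_any_len should precede both index_substr_if_* entries; otherwise state the ordering rationale in the commit message, since the hunk otherwise looks like a pure move with no text change.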
.TP
.B 512
.B (0x200 stats2)
-stats log entries sent
+stats2 log entries sent
.TP
.B 1024
.B (0x400 shell)
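Review bot: Same consistency issue as in the slapd-config loglevel table: "stats2 log entries sent" keeps the "<level> log" prefix style while the neighbouring 256 entry was rewritten without it; use one style in both pages.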
server's process ID (see
.BR getpid (2)).
.TP
+.B pluginlog: <filename>
+The ( absolute ) name of a file that will contain log
+messages from
+.B SLAPI
+plugins. See
+.BR slapd.plugin (5)
+for details.
+.TP
.B referral <url>
Specify the referral to pass back when
.BR slapd (8)
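Review bot: "The ( absolute ) name of a file" has stray spaces inside the parentheses; write "The (absolute) name of a file". It would also be worth stating whether a relative path is rejected or resolved relative to the working directory, since the parenthetical implies a constraint.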
.B sasl\-realm <realm>
Specify SASL realm. Default is empty.
.TP
+.B sasl\-cbinding none | tls-unique | tls-endpoint
+Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING.
+Default is none.
+.TP
.B sasl\-secprops <properties>
Used to specify Cyrus SASL security properties.
The
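Review bot: Adding "Default is none" resolves the earlier omission. Since tls-unique and tls-endpoint are TLS channel-binding types, state that they only take effect when the connection is protected by TLS, otherwise a reader may expect them to apply to plain connections.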
property specifies the maximum security layer receive buffer
size allowed. 0 disables security layers. The default is 65536.
.TP
-.B sasl\-cbinding none | tls-unique | tls-endpoint
-Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING.
-.TP
.B schemadn <dn>
Specify the distinguished name for the subschema subentry that
controls the entries on this server. The default is "cn=Subschema".
Example:
.LP
.nf
- serverID 1
+ serverID 1 ldap://ldap1.example.com
+ serverID 2 ldap://ldap2.example.com
.fi
.TP
.B sizelimit {<integer>|unlimited}
.B unlimited
to specify no limits.
The second format allows a fine grain setting of the time limits.
-Extra args can be added on the same line.
-See
+Extra args can be added on the same line. See
.BR limits
for an explanation of the different flags.
.TP
Specify the maximum number of threads to use in tool mode.
This should not be greater than the number of CPUs in the system.
The default is 1.
-.\"ucdata-path is obsolete / ignored...
-.\".TP
-.\".B ucdata-path <path>
-.\"Specify the path to the directory containing the Unicode character
-.\"tables. The default path is DATADIR/ucdata.
.TP
.B writetimeout <integer>
Specify the number of seconds to wait before forcibly closing
.B TLSCACertificatePath <path>
Specifies the path of a directory that contains Certificate Authority
certificates in separate individual files. Usually only one of this
-or the TLSCACertificateFile is used.
+or the TLSCACertificateFile is used. If both are specified, both
+locations will be used.
.TP
.B TLSCertificateFile <filename>
Specifies the file that contains the
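Review bot: The new sentence "If both are specified, both locations will be used" clarifies TLSCACertificatePath here, but the corresponding olcTLSCACertificatePath entry in the slapd-config page, which this patch also touches, does not receive the same sentence; apply it to both pages.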
only valid when using GnuTLS.
.SH GENERAL BACKEND OPTIONS
Options in this section only apply to the configuration file section
-for the specified backend. They are supported by every
-type of backend.
+of all instances of the specified backend. All backends may support
+this class of options, but currently only back-mdb does.
.TP
.B backend <databasetype>
Mark the beginning of a backend definition. <databasetype>
should be one of
+.BR asyncmeta ,
.BR config ,
.BR dnssrv ,
.BR ldap ,
.BR mdb ,
.BR meta ,
.BR monitor ,
+.BR ndb ,
.BR null ,
.BR passwd ,
.BR perl ,
.BR relay ,
-.BR shell ,
-or
+.BR sock ,
.BR sql ,
-depending on which backend will serve the database.
+or
+.BR wt .
+At present, only back-mdb implements any options of this type, so this
+setting should not be used for any other backends.
.SH GENERAL DATABASE OPTIONS
Options in this section only apply to the configuration file section
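Review bot: As in the slapd-config hunk, "currently only back-mdb does" and "At present, only back-mdb implements any options of this type" say the same thing twice within one entry; keep one. The closing sentence "this setting should not be used for any other backends" also contradicts the `backend <databasetype>` synopsis listing every backend; consider saying the directive is accepted for all types but only has effect for mdb.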
.B database <databasetype>
Mark the beginning of a new database instance definition. <databasetype>
should be one of
+.BR asyncmeta ,
.BR config ,
.BR dnssrv ,
.BR ldap ,
.BR mdb ,
.BR meta ,
.BR monitor ,
+.BR ndb ,
.BR null ,
.BR passwd ,
.BR perl ,
.BR relay ,
-.BR shell ,
-or
+.BR sock ,
.BR sql ,
+or
+.BR wt ,
depending on which backend will serve the database.
LDAP operations, even subtree searches, normally access only one
.BR searchbase ", " scope ", " filter ", " attrs ", " attrsonly ", " sizelimit ", "
and
.B timelimit
-parameters as in the normal search specification.
-The \fBscope\fP defaults to \fBsub\fP, the \fBfilter\fP defaults to
-\fB(objectclass=*)\fP, while there is no default \fBsearchbase\fP. The
-\fBattrs\fP list defaults to \fB"*,+"\fP to return all user and operational
-attributes, and \fBattrsonly\fP is unset by default.
-The \fBsizelimit\fP and \fBtimelimit\fP only
-accept "unlimited" and positive integers, and both default to "unlimited".
-The \fBsizelimit\fP and \fBtimelimit\fP parameters define
-a consumer requested limitation on the number of entries that can be returned
-by the LDAP Content Synchronization operation; as such, it is intended
-to implement partial replication based on the size of the replicated database
-and on the time required by the synchronization.
-Note, however, that any provider-side limits for the replication identity
-will be enforced by the provider regardless of the limits requested
-by the LDAP Content Synchronization operation, much like for any other
-search operation.
+parameters as in the normal search specification. The
.B exattrs
option may also be used to specify attributes that should be omitted
from incoming entries.
attributes, and \fBattrsonly\fP and \fBexattrs\fP are unset by default.
The \fBsizelimit\fP and \fBtimelimit\fP only
accept "unlimited" and positive integers, and both default to "unlimited".
+The \fBsizelimit\fP and \fBtimelimit\fP parameters define
+a consumer requested limitation on the number of entries that can be returned
+by the LDAP Content Synchronization operation; as such, it is intended
+to implement partial replication based on the size of the replicated database
+and on the time required by the synchronization.
Note, however, that any provider-side limits for the replication identity
will be enforced by the provider regardless of the limits requested
by the LDAP Content Synchronization operation, much like for any other
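Review bot: This re-adds the sizelimit/timelimit paragraph with the same wording as the slapd-config hunk, including the number-agreement problem ("parameters define ... as such, it is intended") and the description of timelimit as a limit on the number of entries; fix both copies the same way ("define consumer-requested limits on the number of entries returned and on the time taken ...; as such, they are intended").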
Further updates to the provider will generate
.B searchResultEntry
to the consumer slapd as the search responses to the persistent
-synchronization search. If the initial search fails due to an error, the
+synchronization search. If the initial search fails due to an error, the
next synchronization search operation is periodically rescheduled at an
interval time (specified by
.B interval
number of retries until success.
If no
.B retry
-was specified, by default syncrepl retries every hour forever.
+is specified, by default syncrepl retries every hour forever.
The schema checking can be enforced at the LDAP Sync
consumer site by turning on the
option.
The identity used for synchronization by the consumer should be allowed
to receive an unlimited number of entries in response to a search request.
-The provider, other than allow authentication of the syncrepl identity,
+The provider, other than allowing authentication of the syncrepl identity,
should grant that identity appropriate access privileges to the data
that is being replicated (\fBaccess\fP directive), and appropriate time
and size limits.