1.lf 1 stdin 2.TH SLAPD.CONF 5 "2020/04/28" "OpenLDAP 2.4.50" 3.\" Copyright 1998-2020 The OpenLDAP Foundation All Rights Reserved. 4.\" Copying restrictions apply. See COPYRIGHT/LICENSE. 5.\" $OpenLDAP$ 6.SH NAME 7slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon 8.SH SYNOPSIS 9/etc/openldap/slapd.conf 10.SH DESCRIPTION 11The file 12.B /etc/openldap/slapd.conf 13contains configuration information for the 14.BR slapd (8) 15daemon. This configuration file is also used by the SLAPD tools 16.BR slapacl (8), 17.BR slapadd (8), 18.BR slapauth (8), 19.BR slapcat (8), 20.BR slapdn (8), 21.BR slapindex (8), 22and 23.BR slaptest (8). 24.LP 25The 26.B slapd.conf 27file consists of a series of global configuration options that apply to 28.B slapd 29as a whole (including all backends), followed by zero or more database 30backend definitions that contain information specific to a backend 31instance. 32The configuration options are case-insensitive; 33their value, on a case by case basis, may be case-sensitive. 34.LP 35The general format of 36.B slapd.conf 37is as follows: 38.LP 39.nf 40 # comment - these options apply to every database 41 <global configuration options> 42 # first database definition & configuration options 43 database <backend 1 type> 44 <configuration options specific to backend 1> 45 # subsequent database definitions & configuration options 46 ... 47.fi 48.LP 49As many backend-specific sections as desired may be included. Global 50options can be overridden in a backend (for options that appear more 51than once, the last appearance in the 52.B slapd.conf 53file is used). 54.LP 55If a line begins with white space, it is considered a continuation 56of the previous line. No physical line should be over 2000 bytes 57long. 58.LP 59Blank lines and comment lines beginning with 60a `#' character are ignored. Note: continuation lines are unwrapped 61before comment processing is applied. 62.LP 63Arguments on configuration lines are separated by white space. If an 64argument contains white space, the argument should be enclosed in 65double quotes. If an argument contains a double quote (`"') or a 66backslash character (`\\'), the character should be preceded by a 67backslash character. 68.LP 69The specific configuration options available are discussed below in the 70Global Configuration Options, General Backend Options, and General Database 71Options. Backend-specific options are discussed in the 72.B slapd\-<backend>(5) 73manual pages. Refer to the "OpenLDAP Administrator's Guide" for more 74details on the slapd configuration file. 75.SH GLOBAL CONFIGURATION OPTIONS 76Options described in this section apply to all backends, unless specifically 77overridden in a backend definition. Arguments that should be replaced by 78actual text are shown in brackets <>. 79.TP 80.B access to <what> "[ by <who> <access> <control> ]+" 81Grant access (specified by <access>) to a set of entries and/or 82attributes (specified by <what>) by one or more requestors (specified 83by <who>). 84If no access controls are present, the default policy 85allows anyone and everyone to read anything but restricts 86updates to rootdn. (e.g., "access to * by * read"). 87The rootdn can always read and write EVERYTHING! 88See 89.BR slapd.access (5) 90and the "OpenLDAP's Administrator's Guide" for details. 91.TP 92.B allow <features> 93Specify a set of features (separated by white space) to 94allow (default none). 95.B bind_v2 96allows acceptance of LDAPv2 bind requests. Note that 97.BR slapd (8) 98does not truly implement LDAPv2 (RFC 1777), now Historic (RFC 3494). 99.B bind_anon_cred 100allows anonymous bind when credentials are not empty (e.g. 101when DN is empty). 102.B bind_anon_dn 103allows unauthenticated (anonymous) bind when DN is not empty. 104.B update_anon 105allows unauthenticated (anonymous) update operations to be processed 106(subject to access controls and other administrative limits). 107.B proxy_authz_anon 108allows unauthenticated (anonymous) proxy authorization control to be processed 109(subject to access controls, authorization and other administrative limits). 110.TP 111.B argsfile <filename> 112The (absolute) name of a file that will hold the 113.B slapd 114server's command line (program name and options). 115.TP 116.B attributeoptions [option-name]... 117Define tagging attribute options or option tag/range prefixes. 118Options must not end with `\-', prefixes must end with `\-'. 119The `lang\-' prefix is predefined. 120If you use the 121.B attributeoptions 122directive, `lang\-' will no longer be defined and you must specify it 123explicitly if you want it defined. 124 125An attribute description with a tagging option is a subtype of that 126attribute description without the option. 127Except for that, options defined this way have no special semantics. 128Prefixes defined this way work like the `lang\-' options: 129They define a prefix for tagging options starting with the prefix. 130That is, if you define the prefix `x\-foo\-', you can use the option 131`x\-foo\-bar'. 132Furthermore, in a search or compare, a prefix or range name (with 133a trailing `\-') matches all options starting with that name, as well 134as the option with the range name sans the trailing `\-'. 135That is, `x\-foo\-bar\-' matches `x\-foo\-bar' and `x\-foo\-bar\-baz'. 136 137RFC 4520 reserves options beginning with `x\-' for private experiments. 138Other options should be registered with IANA, see RFC 4520 section 3.5. 139OpenLDAP also has the `binary' option built in, but this is a transfer 140option, not a tagging option. 141.HP 142.hy 0 143.B attributetype "(\ <oid>\ 144 [NAME\ <name>]\ 145 [DESC\ <description>]\ 146 [OBSOLETE]\ 147 [SUP\ <oid>]\ 148 [EQUALITY\ <oid>]\ 149 [ORDERING\ <oid>]\ 150 [SUBSTR\ <oid>]\ 151 [SYNTAX\ <oidlen>]\ 152 [SINGLE\-VALUE]\ 153 [COLLECTIVE]\ 154 [NO\-USER\-MODIFICATION]\ 155 [USAGE\ <attributeUsage>]\ )" 156.RS 157Specify an attribute type using the LDAPv3 syntax defined in RFC 4512. 158The slapd parser extends the RFC 4512 definition by allowing string 159forms as well as numeric OIDs to be used for the attribute OID and 160attribute syntax OID. 161(See the 162.B objectidentifier 163description.) 164.RE 165.TP 166.B authid\-rewrite<cmd> <args> 167Used by the authentication framework to convert simple user names 168to an LDAP DN used for authorization purposes. 169Its purpose is analogous to that of 170.BR authz-regexp 171(see below). 172The prefix \fIauthid\-\fP is followed by a set of rules analogous 173to those described in 174.BR slapo\-rwm (5) 175for data rewriting (replace the \fIrwm\-\fP prefix with \fIauthid\-\fP). 176.B authid\-rewrite<cmd> 177and 178.B authz\-regexp 179rules should not be intermixed. 180.TP 181.B authz\-policy <policy> 182Used to specify which rules to use for Proxy Authorization. Proxy 183authorization allows a client to authenticate to the server using one 184user's credentials, but specify a different identity to use for authorization 185and access control purposes. It essentially allows user A to login as user 186B, using user A's password. 187The 188.B none 189flag disables proxy authorization. This is the default setting. 190The 191.B from 192flag will use rules in the 193.I authzFrom 194attribute of the authorization DN. 195The 196.B to 197flag will use rules in the 198.I authzTo 199attribute of the authentication DN. 200The 201.B any 202flag, an alias for the deprecated value of 203.BR both , 204will allow any of the above, whatever succeeds first (checked in 205.BR to , 206.B from 207sequence. 208The 209.B all 210flag requires both authorizations to succeed. 211.LP 212.RS 213The rules are mechanisms to specify which identities are allowed 214to perform proxy authorization. 215The 216.I authzFrom 217attribute in an entry specifies which other users 218are allowed to proxy login to this entry. The 219.I authzTo 220attribute in 221an entry specifies which other users this user can authorize as. Use of 222.I authzTo 223rules can be easily 224abused if users are allowed to write arbitrary values to this attribute. 225In general the 226.I authzTo 227attribute must be protected with ACLs such that 228only privileged users can modify it. 229The value of 230.I authzFrom 231and 232.I authzTo 233describes an 234.B identity 235or a set of identities; it can take five forms: 236.RS 237.TP 238.B ldap:///<base>??[<scope>]?<filter> 239.RE 240.RS 241.B dn[.<dnstyle>]:<pattern> 242.RE 243.RS 244.B u[.<mech>[/<realm>]]:<pattern> 245.RE 246.RS 247.B group[/objectClass[/attributeType]]:<pattern> 248.RE 249.RS 250.B <pattern> 251.RE 252.RS 253 254.B <dnstyle>:={exact|onelevel|children|subtree|regex} 255 256.RE 257The first form is a valid LDAP 258.B URI 259where the 260.IR <host>:<port> , 261the 262.I <attrs> 263and the 264.I <extensions> 265portions must be absent, so that the search occurs locally on either 266.I authzFrom 267or 268.IR authzTo . 269The second form is a 270.BR DN , 271with the optional style modifiers 272.IR exact , 273.IR onelevel , 274.IR children , 275and 276.I subtree 277for exact, onelevel, children and subtree matches, which cause 278.I <pattern> 279to be normalized according to the DN normalization rules, or the special 280.I regex 281style, which causes the 282.I <pattern> 283to be treated as a POSIX (''extended'') regular expression, as 284discussed in 285.BR regex (7) 286and/or 287.BR re_format (7). 288A pattern of 289.I * 290means any non-anonymous DN. 291The third form is a SASL 292.BR id , 293with the optional fields 294.I <mech> 295and 296.I <realm> 297that allow to specify a SASL 298.BR mechanism , 299and eventually a SASL 300.BR realm , 301for those mechanisms that support one. 302The need to allow the specification of a mechanism is still debated, 303and users are strongly discouraged to rely on this possibility. 304The fourth form is a group specification, consisting of the keyword 305.BR group , 306optionally followed by the specification of the group 307.B objectClass 308and member 309.BR attributeType . 310The group with DN 311.B <pattern> 312is searched with base scope, and in case of match, the values of the 313member 314.B attributeType 315are searched for the asserted DN. 316For backwards compatibility, if no identity type is provided, i.e. only 317.B <pattern> 318is present, an 319.I exact DN 320is assumed; as a consequence, 321.B <pattern> 322is subjected to DN normalization. 323Since the interpretation of 324.I authzFrom 325and 326.I authzTo 327can impact security, users are strongly encouraged 328to explicitly set the type of identity specification that is being used. 329A subset of these rules can be used as third arg in the 330.B authz\-regexp 331statement (see below); significantly, the 332.IR URI , 333provided it results in exactly one entry, 334and the 335.I dn.exact:<dn> 336forms. 337.RE 338.TP 339.B authz\-regexp <match> <replace> 340Used by the authentication framework to convert simple user names, 341such as provided by SASL subsystem, or extracted from certificates 342in case of cert-based SASL EXTERNAL, or provided within the RFC 4370 343"proxied authorization" control, to an LDAP DN used for 344authorization purposes. Note that the resulting DN need not refer 345to an existing entry to be considered valid. When an authorization 346request is received from the SASL subsystem, the SASL 347.BR USERNAME , 348.BR REALM , 349and 350.B MECHANISM 351are taken, when available, and combined into a name of the form 352.RS 353.RS 354.TP 355.B UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth 356 357.RE 358This name is then compared against the 359.B match 360POSIX (''extended'') regular expression, and if the match is successful, 361the name is replaced with the 362.B replace 363string. If there are wildcard strings in the 364.B match 365regular expression that are enclosed in parenthesis, e.g. 366.RS 367.TP 368.B UID=([^,]*),CN=.* 369 370.RE 371then the portion of the name that matched the wildcard will be stored 372in the numbered placeholder variable $1. If there are other wildcard strings 373in parenthesis, the matching strings will be in $2, $3, etc. up to $9. The 374placeholders can then be used in the 375.B replace 376string, e.g. 377.RS 378.TP 379.B UID=$1,OU=Accounts,DC=example,DC=com 380 381.RE 382The replaced name can be either a DN, i.e. a string prefixed by "dn:", 383or an LDAP URI. 384If the latter, the server will use the URI to search its own database(s) 385and, if the search returns exactly one entry, the name is 386replaced by the DN of that entry. The LDAP URI must have no 387hostport, attrs, or extensions components, but the filter is mandatory, 388e.g. 389.RS 390.TP 391.B ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1) 392 393.RE 394The protocol portion of the URI must be strictly 395.BR ldap . 396Note that this search is subject to access controls. Specifically, 397the authentication identity must have "auth" access in the subject. 398 399Multiple 400.B authz\-regexp 401options can be given in the configuration file to allow for multiple matching 402and replacement patterns. The matching patterns are checked in the order they 403appear in the file, stopping at the first successful match. 404 405.\".B Caution: 406.\"Because the plus sign + is a character recognized by the regular expression engine, 407.\"and it will appear in names that include a REALM, be careful to escape the 408.\"plus sign with a backslash \\+ to remove the character's special meaning. 409.RE 410.TP 411.B concurrency <integer> 412Specify a desired level of concurrency. Provided to the underlying 413thread system as a hint. The default is not to provide any hint. 414.TP 415.B conn_max_pending <integer> 416Specify the maximum number of pending requests for an anonymous session. 417If requests are submitted faster than the server can process them, they 418will be queued up to this limit. If the limit is exceeded, the session 419is closed. The default is 100. 420.TP 421.B conn_max_pending_auth <integer> 422Specify the maximum number of pending requests for an authenticated session. 423The default is 1000. 424.TP 425.B defaultsearchbase <dn> 426Specify a default search base to use when client submits a 427non-base search request with an empty base DN. 428Base scoped search requests with an empty base DN are not affected. 429.TP 430.B disallow <features> 431Specify a set of features (separated by white space) to 432disallow (default none). 433.B bind_anon 434disables acceptance of anonymous bind requests. Note that this setting 435does not prohibit anonymous directory access (See "require authc"). 436.B bind_simple 437disables simple (bind) authentication. 438.B tls_2_anon 439disables forcing session to anonymous status (see also 440.BR tls_authc ) 441upon StartTLS operation receipt. 442.B tls_authc 443disallows the StartTLS operation if authenticated (see also 444.BR tls_2_anon ). 445.B proxy_authz_non_critical 446disables acceptance of the proxied authorization control (RFC4370) 447when criticality is FALSE. 448.B dontusecopy_non_critical 449disables acceptance of the dontUseCopy control (a work in progress) 450when criticality is FALSE. 451.HP 452.hy 0 453.B ditcontentrule "(\ <oid>\ 454 [NAME\ <name>]\ 455 [DESC\ <description>]\ 456 [OBSOLETE]\ 457 [AUX\ <oids>]\ 458 [MUST\ <oids>]\ 459 [MAY\ <oids>]\ 460 [NOT\ <oids>]\ )" 461.RS 462Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 4512. 463The slapd parser extends the RFC 4512 definition by allowing string 464forms as well as numeric OIDs to be used for the attribute OID and 465attribute syntax OID. 466(See the 467.B objectidentifier 468description.) 469.RE 470.TP 471.B gentlehup { on | off } 472A SIGHUP signal will only cause a 'gentle' shutdown-attempt: 473.B Slapd 474will stop listening for new connections, but will not close the 475connections to the current clients. Future write operations return 476unwilling-to-perform, though. Slapd terminates when all clients 477have closed their connections (if they ever do), or - as before - 478if it receives a SIGTERM signal. This can be useful if you wish to 479terminate the server and start a new 480.B slapd 481server 482.B with another database, 483without disrupting the currently active clients. 484The default is off. You may wish to use 485.B idletimeout 486along with this option. 487.TP 488.B idletimeout <integer> 489Specify the number of seconds to wait before forcibly closing 490an idle client connection. A idletimeout of 0 disables this 491feature. The default is 0. You may also want to set the 492.B writetimeout 493option. 494.TP 495.B include <filename> 496Read additional configuration information from the given file before 497continuing with the next line of the current file. 498.TP 499.B index_intlen <integer> 500Specify the key length for ordered integer indices. The most significant 501bytes of the binary integer will be used for index keys. The default 502value is 4, which provides exact indexing for 31 bit values. 503A floating point representation is used to index too large values. 504.TP 505.B index_substr_if_minlen <integer> 506Specify the minimum length for subinitial and subfinal indices. An 507attribute value must have at least this many characters in order to be 508processed by the indexing functions. The default is 2. 509.TP 510.B index_substr_if_maxlen <integer> 511Specify the maximum length for subinitial and subfinal indices. Only 512this many characters of an attribute value will be processed by the 513indexing functions; any excess characters are ignored. The default is 4. 514.TP 515.B index_substr_any_len <integer> 516Specify the length used for subany indices. An attribute value must have 517at least this many characters in order to be processed. Attribute values 518longer than this length will be processed in segments of this length. The 519default is 4. The subany index will also be used in subinitial and 520subfinal index lookups when the filter string is longer than the 521.I index_substr_if_maxlen 522value. 523.TP 524.B index_substr_any_step <integer> 525Specify the steps used in subany index lookups. This value sets the offset 526for the segments of a filter string that are processed for a subany index 527lookup. The default is 2. For example, with the default values, a search 528using this filter "cn=*abcdefgh*" would generate index lookups for 529"abcd", "cdef", and "efgh". 530 531.LP 532Note: Indexing support depends on the particular backend in use. Also, 533changing these settings will generally require deleting any indices that 534depend on these parameters and recreating them with 535.BR slapindex (8). 536 537.HP 538.hy 0 539.B ldapsyntax "(\ <oid>\ 540 [DESC\ <description>]\ 541 [X\-SUBST <substitute-syntax>]\ )" 542.RS 543Specify an LDAP syntax using the LDAPv3 syntax defined in RFC 4512. 544The slapd parser extends the RFC 4512 definition by allowing string 545forms as well as numeric OIDs to be used for the syntax OID. 546(See the 547.B objectidentifier 548description.) 549The slapd parser also honors the 550.B X\-SUBST 551extension (an OpenLDAP-specific extension), which allows one to use the 552.B ldapsyntax 553statement to define a non-implemented syntax along with another syntax, 554the extension value 555.IR substitute-syntax , 556as its temporary replacement. 557The 558.I substitute-syntax 559must be defined. 560This allows one to define attribute types that make use of non-implemented syntaxes 561using the correct syntax OID. 562Unless 563.B X\-SUBST 564is used, this configuration statement would result in an error, 565since no handlers would be associated to the resulting syntax structure. 566.RE 567 568.TP 569.B listener-threads <integer> 570Specify the number of threads to use for the connection manager. 571The default is 1 and this is typically adequate for up to 16 CPU cores. 572The value should be set to a power of 2. 573.TP 574.B localSSF <SSF> 575Specifies the Security Strength Factor (SSF) to be given local LDAP sessions, 576such as those to the ldapi:// listener. For a description of SSF values, 577see 578.BR sasl-secprops 's 579.B minssf 580option description. The default is 71. 581.TP 582.B logfile <filename> 583Specify a file for recording debug log messages. By default these messages 584only go to stderr and are not recorded anywhere else. Specifying a logfile 585copies messages to both stderr and the logfile. 586.TP 587.B loglevel <integer> [...] 588Specify the level at which debugging statements and operation 589statistics should be syslogged (currently logged to the 590.BR syslogd (8) 591LOG_LOCAL4 facility). 592They must be considered subsystems rather than increasingly verbose 593log levels. 594Some messages with higher priority are logged regardless 595of the configured loglevel as soon as any logging is configured. 596Log levels are additive, and available levels are: 597.RS 598.RS 599.PD 0 600.TP 601.B 1 602.B (0x1 trace) 603trace function calls 604.TP 605.B 2 606.B (0x2 packets) 607debug packet handling 608.TP 609.B 4 610.B (0x4 args) 611heavy trace debugging (function args) 612.TP 613.B 8 614.B (0x8 conns) 615connection management 616.TP 617.B 16 618.B (0x10 BER) 619print out packets sent and received 620.TP 621.B 32 622.B (0x20 filter) 623search filter processing 624.TP 625.B 64 626.B (0x40 config) 627configuration file processing 628.TP 629.B 128 630.B (0x80 ACL) 631access control list processing 632.TP 633.B 256 634.B (0x100 stats) 635connections, LDAP operations, results (recommended) 636.TP 637.B 512 638.B (0x200 stats2) 639stats log entries sent 640.TP 641.B 1024 642.B (0x400 shell) 643print communication with shell backends 644.TP 645.B 2048 646.B (0x800 parse) 647entry parsing 648\".TP 649\".B 4096 650\".B (0x1000 cache) 651\"caching (unused) 652\".TP 653\".B 8192 654\".B (0x2000 index) 655\"data indexing (unused) 656.TP 657.B 16384 658.B (0x4000 sync) 659LDAPSync replication 660.TP 661.B 32768 662.B (0x8000 none) 663only messages that get logged whatever log level is set 664.PD 665.RE 666The desired log level can be input as a single integer that combines 667the (ORed) desired levels, both in decimal or in hexadecimal notation, 668as a list of integers (that are ORed internally), 669or as a list of the names that are shown between parentheses, such that 670.LP 671.nf 672 loglevel 129 673 loglevel 0x81 674 loglevel 128 1 675 loglevel 0x80 0x1 676 loglevel acl trace 677.fi 678.LP 679are equivalent. 680The keyword 681.B any 682can be used as a shortcut to enable logging at all levels (equivalent to \-1). 683The keyword 684.BR none , 685or the equivalent integer representation, causes those messages 686that are logged regardless of the configured loglevel to be logged. 687In fact, if loglevel is set to 0, no logging occurs, 688so at least the 689.B none 690level is required to have high priority messages logged. 691 692The loglevel defaults to \fBstats\fP. 693This level should usually also be included when using other loglevels, to 694help analyze the logs. 695.RE 696.TP 697.B moduleload <filename> 698Specify the name of a dynamically loadable module to load. The filename 699may be an absolute path name or a simple filename. Non-absolute names 700are searched for in the directories specified by the 701.B modulepath 702option. This option and the 703.B modulepath 704option are only usable if slapd was compiled with \-\-enable\-modules. 705.TP 706.B modulepath <pathspec> 707Specify a list of directories to search for loadable modules. Typically 708the path is colon-separated but this depends on the operating system. 709The default is /usr/libexec/openldap, which is where the standard OpenLDAP install 710will place its modules. 711.HP 712.hy 0 713.B objectclass "(\ <oid>\ 714 [NAME\ <name>]\ 715 [DESC\ <description>]\ 716 [OBSOLETE]\ 717 [SUP\ <oids>]\ 718 [{ ABSTRACT | STRUCTURAL | AUXILIARY }]\ 719 [MUST\ <oids>] [MAY\ <oids>] )" 720.RS 721Specify an objectclass using the LDAPv3 syntax defined in RFC 4512. 722The slapd parser extends the RFC 4512 definition by allowing string 723forms as well as numeric OIDs to be used for the object class OID. 724(See the 725.B 726objectidentifier 727description.) Object classes are "STRUCTURAL" by default. 728.RE 729.TP 730.B objectidentifier <name> "{ <oid> | <name>[:<suffix>] }" 731Define a string name that equates to the given OID. The string can be used 732in place of the numeric OID in objectclass and attribute definitions. The 733name can also be used with a suffix of the form ":xx" in which case the 734value "oid.xx" will be used. 735.TP 736.B password\-hash <hash> [<hash>...] 737This option configures one or more hashes to be used in generation of user 738passwords stored in the userPassword attribute during processing of 739LDAP Password Modify Extended Operations (RFC 3062). 740The <hash> must be one of 741.BR {SSHA} , 742.BR {SHA} , 743.BR {SMD5} , 744.BR {MD5} , 745.BR {CRYPT} , 746and 747.BR {CLEARTEXT} . 748The default is 749.BR {SSHA} . 750 751.B {SHA} 752and 753.B {SSHA} 754use the SHA-1 algorithm (FIPS 160-1), the latter with a seed. 755 756.B {MD5} 757and 758.B {SMD5} 759use the MD5 algorithm (RFC 1321), the latter with a seed. 760 761.B {CRYPT} 762uses the 763.BR crypt (3). 764 765.B {CLEARTEXT} 766indicates that the new password should be 767added to userPassword as clear text. 768 769Note that this option does not alter the normal user applications 770handling of userPassword during LDAP Add, Modify, or other LDAP operations. 771.TP 772.B password\-crypt\-salt\-format <format> 773Specify the format of the salt passed to 774.BR crypt (3) 775when generating {CRYPT} passwords (see 776.BR password\-hash ) 777during processing of LDAP Password Modify Extended Operations (RFC 3062). 778 779This string needs to be in 780.BR sprintf (3) 781format and may include one (and only one) %s conversion. 782This conversion will be substituted with a string of random 783characters from [A\-Za\-z0\-9./]. For example, "%.2s" 784provides a two character salt and "$1$%.8s" tells some 785versions of crypt(3) to use an MD5 algorithm and provides 7868 random characters of salt. The default is "%s", which 787provides 31 characters of salt. 788.TP 789.B pidfile <filename> 790The (absolute) name of a file that will hold the 791.B slapd 792server's process ID (see 793.BR getpid (2)). 794.TP 795.B referral <url> 796Specify the referral to pass back when 797.BR slapd (8) 798cannot find a local database to handle a request. 799If specified multiple times, each url is provided. 800.TP 801.B require <conditions> 802Specify a set of conditions (separated by white space) to 803require (default none). 804The directive may be specified globally and/or per-database; 805databases inherit global conditions, so per-database specifications 806are additive. 807.B bind 808requires bind operation prior to directory operations. 809.B LDAPv3 810requires session to be using LDAP version 3. 811.B authc 812requires authentication prior to directory operations. 813.B SASL 814requires SASL authentication prior to directory operations. 815.B strong 816requires strong authentication prior to directory operations. 817The strong keyword allows protected "simple" authentication 818as well as SASL authentication. 819.B none 820may be used to require no conditions (useful to clear out globally 821set conditions within a particular database); it must occur first 822in the list of conditions. 823.TP 824.B reverse\-lookup on | off 825Enable/disable client name unverified reverse lookup (default is 826.BR off 827if compiled with \-\-enable\-rlookups). 828.TP 829.B rootDSE <file> 830Specify the name of an LDIF(5) file containing user defined attributes 831for the root DSE. These attributes are returned in addition to the 832attributes normally produced by slapd. 833 834The root DSE is an entry with information about the server and its 835capabilities, in operational attributes. 836It has the empty DN, and can be read with e.g.: 837.ti +4 838ldapsearch \-x \-b "" \-s base "+" 839.br 840See RFC 4512 section 5.1 for details. 841.TP 842.B sasl\-auxprops <plugin> [...] 843Specify which auxprop plugins to use for authentication lookups. The 844default is empty, which just uses slapd's internal support. Usually 845no other auxprop plugins are needed. 846.TP 847.B sasl\-host <fqdn> 848Used to specify the fully qualified domain name used for SASL processing. 849.TP 850.B sasl\-realm <realm> 851Specify SASL realm. Default is empty. 852.TP 853.B sasl\-secprops <properties> 854Used to specify Cyrus SASL security properties. 855The 856.B none 857flag (without any other properties) causes the flag properties 858default, "noanonymous,noplain", to be cleared. 859The 860.B noplain 861flag disables mechanisms susceptible to simple passive attacks. 862The 863.B noactive 864flag disables mechanisms susceptible to active attacks. 865The 866.B nodict 867flag disables mechanisms susceptible to passive dictionary attacks. 868The 869.B noanonymous 870flag disables mechanisms which support anonymous login. 871The 872.B forwardsec 873flag require forward secrecy between sessions. 874The 875.B passcred 876require mechanisms which pass client credentials (and allow 877mechanisms which can pass credentials to do so). 878The 879.B minssf=<factor> 880property specifies the minimum acceptable 881.I security strength factor 882as an integer approximate to effective key length used for 883encryption. 0 (zero) implies no protection, 1 implies integrity 884protection only, 56 allows DES or other weak ciphers, 112 885allows triple DES and other strong ciphers, 128 allows RC4, 886Blowfish and other modern strong ciphers. The default is 0. 887The 888.B maxssf=<factor> 889property specifies the maximum acceptable 890.I security strength factor 891as an integer (see minssf description). The default is INT_MAX. 892The 893.B maxbufsize=<size> 894property specifies the maximum security layer receive buffer 895size allowed. 0 disables security layers. The default is 65536. 896.TP 897.B schemadn <dn> 898Specify the distinguished name for the subschema subentry that 899controls the entries on this server. The default is "cn=Subschema". 900.TP 901.B security <factors> 902Specify a set of security strength factors (separated by white space) 903to require (see 904.BR sasl\-secprops 's 905.B minssf 906option for a description of security strength factors). 907The directive may be specified globally and/or per-database. 908.B ssf=<n> 909specifies the overall security strength factor. 910.B transport=<n> 911specifies the transport security strength factor. 912.B tls=<n> 913specifies the TLS security strength factor. 914.B sasl=<n> 915specifies the SASL security strength factor. 916.B update_ssf=<n> 917specifies the overall security strength factor to require for 918directory updates. 919.B update_transport=<n> 920specifies the transport security strength factor to require for 921directory updates. 922.B update_tls=<n> 923specifies the TLS security strength factor to require for 924directory updates. 925.B update_sasl=<n> 926specifies the SASL security strength factor to require for 927directory updates. 928.B simple_bind=<n> 929specifies the security strength factor required for 930.I simple 931username/password authentication. 932Note that the 933.B transport 934factor is measure of security provided by the underlying transport, 935e.g. ldapi:// (and eventually IPSEC). It is not normally used. 936.TP 937.B serverID <integer> [<URL>] 938Specify an integer ID from 0 to 4095 for this server (limited 939to 3 hexadecimal digits). The ID may also be specified as a 940hexadecimal ID by prefixing the value with "0x". 941Non-zero IDs are 942required when using multimaster replication and each master must have a 943unique non-zero ID. Note that this requirement also applies to separate masters 944contributing to a glued set of databases. 945If the URL is provided, this directive may be specified 946multiple times, providing a complete list of participating servers 947and their IDs. The fully qualified hostname of each server should be 948used in the supplied URLs. The IDs are used in the "replica id" field 949of all CSNs generated by the specified server. The default value is zero, which 950is only valid for single master replication. 951Example: 952.LP 953.nf 954 serverID 1 955.fi 956.TP 957.B sizelimit {<integer>|unlimited} 958.TP 959.B sizelimit size[.{soft|hard|unchecked}]=<integer> [...] 960Specify the maximum number of entries to return from a search operation. 961The default size limit is 500. 962Use 963.B unlimited 964to specify no limits. 965The second format allows a fine grain setting of the size limits. 966Extra args can be added on the same line. 967See 968.BR limits 969for an explanation of the different flags. 970.TP 971.B sockbuf_max_incoming <integer> 972Specify the maximum incoming LDAP PDU size for anonymous sessions. 973The default is 262143. 974.TP 975.B sockbuf_max_incoming_auth <integer> 976Specify the maximum incoming LDAP PDU size for authenticated sessions. 977The default is 4194303. 978.TP 979.B sortvals <attr> [...] 980Specify a list of multi-valued attributes whose values will always 981be maintained in sorted order. Using this option will allow Modify, 982Compare, and filter evaluations on these attributes to be performed 983more efficiently. The resulting sort order depends on the 984attributes' syntax and matching rules and may not correspond to 985lexical order or any other recognizable order. 986.TP 987.B tcp-buffer [listener=<URL>] [{read|write}=]<size> 988Specify the size of the TCP buffer. 989A global value for both read and write TCP buffers related to any listener 990is defined, unless the listener is explicitly specified, 991or either the read or write qualifiers are used. 992See 993.BR tcp (7) 994for details. 995Note that some OS-es implement automatic TCP buffer tuning. 996.TP 997.B threads <integer> 998Specify the maximum size of the primary thread pool. 999The default is 16; the minimum value is 2. 1000.TP 1001.B timelimit {<integer>|unlimited} 1002.TP 1003.B timelimit time[.{soft|hard}]=<integer> [...] 1004Specify the maximum number of seconds (in real time) 1005.B slapd 1006will spend answering a search request. The default time limit is 3600. 1007Use 1008.B unlimited 1009to specify no limits. 1010The second format allows a fine grain setting of the time limits. 1011Extra args can be added on the same line. 1012See 1013.BR limits 1014for an explanation of the different flags. 1015.TP 1016.B tool\-threads <integer> 1017Specify the maximum number of threads to use in tool mode. 1018This should not be greater than the number of CPUs in the system. 1019The default is 1. 1020.\"ucdata-path is obsolete / ignored... 1021.\".TP 1022.\".B ucdata-path <path> 1023.\"Specify the path to the directory containing the Unicode character 1024.\"tables. The default path is /usr/share/openldap/ucdata. 1025.TP 1026.B writetimeout <integer> 1027Specify the number of seconds to wait before forcibly closing 1028a connection with an outstanding write. This allows recovery from 1029various network hang conditions. A writetimeout of 0 disables this 1030feature. The default is 0. 1031.SH TLS OPTIONS 1032If 1033.B slapd 1034is built with support for Transport Layer Security, there are more options 1035you can specify. 1036.TP 1037.B TLSCipherSuite <cipher-suite-spec> 1038Permits configuring what ciphers will be accepted and the preference order. 1039<cipher-suite-spec> should be a cipher specification for the TLS library 1040in use (OpenSSL, GnuTLS, or Mozilla NSS). 1041Example: 1042.RS 1043.RS 1044.TP 1045.I OpenSSL: 1046TLSCipherSuite HIGH:MEDIUM:+SSLv2 1047.TP 1048.I GnuTLS: 1049TLSCiphersuite SECURE256:!AES-128-CBC 1050.RE 1051 1052To check what ciphers a given spec selects in OpenSSL, use: 1053 1054.nf 1055 openssl ciphers \-v <cipher-suite-spec> 1056.fi 1057 1058With GnuTLS the available specs can be found in the manual page of 1059.BR gnutls\-cli (1) 1060(see the description of the 1061option 1062.BR \-\-priority ). 1063 1064In older versions of GnuTLS, where gnutls\-cli does not support the option 1065\-\-priority, you can obtain the \(em more limited \(em list of ciphers by calling: 1066 1067.nf 1068 gnutls\-cli \-l 1069.fi 1070 1071When using Mozilla NSS, the OpenSSL cipher suite specifications are used and 1072translated into the format used internally by Mozilla NSS. There isn't an easy 1073way to list the cipher suites from the command line. The authoritative list 1074is in the source code for Mozilla NSS in the file sslinfo.c in the structure 1075.nf 1076 static const SSLCipherSuiteInfo suiteInfo[] 1077.fi 1078.RE 1079.TP 1080.B TLSCACertificateFile <filename> 1081Specifies the file that contains certificates for all of the Certificate 1082Authorities that 1083.B slapd 1084will recognize. The certificate for 1085the CA that signed the server certificate must be included among 1086these certificates. If the signing CA was not a top-level (root) CA, 1087certificates for the entire sequence of CA's from the signing CA to 1088the top-level CA should be present. Multiple certificates are simply 1089appended to the file; the order is not significant. 1090.TP 1091.B TLSCACertificatePath <path> 1092Specifies the path of a directory that contains Certificate Authority 1093certificates in separate individual files. Usually only one of this 1094or the TLSCACertificateFile is used. This directive is not supported 1095when using GnuTLS. 1096 1097When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key 1098database. If <path> contains a Mozilla NSS cert/key database and 1099CA cert files, OpenLDAP will use the cert/key database and will 1100ignore the CA cert files. 1101.TP 1102.B TLSCertificateFile <filename> 1103Specifies the file that contains the 1104.B slapd 1105server certificate. 1106 1107When using Mozilla NSS, if using a cert/key database (specified with 1108TLSCACertificatePath), TLSCertificateFile specifies 1109the name of the certificate to use: 1110.nf 1111 TLSCertificateFile Server-Cert 1112.fi 1113If using a token other than the internal built in token, specify the 1114token name first, followed by a colon: 1115.nf 1116 TLSCertificateFile my hardware device:Server-Cert 1117.fi 1118Use certutil \-L to list the certificates by name: 1119.nf 1120 certutil \-d /path/to/certdbdir \-L 1121.fi 1122.TP 1123.B TLSCertificateKeyFile <filename> 1124Specifies the file that contains the 1125.B slapd 1126server private key that matches the certificate stored in the 1127.B TLSCertificateFile 1128file. Currently, the private key must not be protected with a password, so 1129it is of critical importance that it is protected carefully. 1130 1131When using Mozilla NSS, TLSCertificateKeyFile specifies the name of 1132a file that contains the password for the key for the certificate specified with 1133TLSCertificateFile. The modutil command can be used to turn off password 1134protection for the cert/key database. For example, if TLSCACertificatePath 1135specifes /etc/openldap/certdb as the location of the cert/key database, use 1136modutil to change the password to the empty string: 1137.nf 1138 modutil \-dbdir /etc/openldap/certdb \-changepw 'NSS Certificate DB' 1139.fi 1140You must have the old password, if any. Ignore the WARNING about the running 1141browser. Press 'Enter' for the new password. 1142.TP 1143.B TLSDHParamFile <filename> 1144This directive specifies the file that contains parameters for Diffie-Hellman 1145ephemeral key exchange. This is required in order to use a DSA certificate on 1146the server, or an RSA certificate missing the "key encipherment" key usage. 1147Note that setting this option may also enable 1148Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites. 1149Anonymous key exchanges should generally be avoided since they provide no 1150actual client or server authentication and provide no protection against 1151man-in-the-middle attacks. 1152You should append "!ADH" to your cipher suites to ensure that these suites 1153are not used. 1154When using Mozilla NSS these parameters are always generated randomly 1155so this directive is ignored. 1156.TP 1157.B TLSECName <name> 1158Specify the name of a curve to use for Elliptic curve Diffie-Hellman 1159ephemeral key exchange. This is required to enable ECDHE algorithms in 1160OpenSSL. This option is not used with GnuTLS; the curves may be 1161chosen in the GnuTLS ciphersuite specification. This option is also 1162ignored for Mozilla NSS. 1163.TP 1164.B TLSProtocolMin <major>[.<minor>] 1165Specifies minimum SSL/TLS protocol version that will be negotiated. 1166If the server doesn't support at least that version, 1167the SSL handshake will fail. 1168To require TLS 1.x or higher, set this option to 3.(x+1), 1169e.g., 1170 1171.nf 1172 TLSProtocolMin 3.2 1173.fi 1174 1175would require TLS 1.1. 1176Specifying a minimum that is higher than that supported by the 1177OpenLDAP implementation will result in it requiring the 1178highest level that it does support. 1179This directive is ignored with GnuTLS. 1180.TP 1181.B TLSRandFile <filename> 1182Specifies the file to obtain random bits from when /dev/[u]random 1183is not available. Generally set to the name of the EGD/PRNGD socket. 1184The environment variable RANDFILE can also be used to specify the filename. 1185This directive is ignored with GnuTLS and Mozilla NSS. 1186.TP 1187.B TLSVerifyClient <level> 1188Specifies what checks to perform on client certificates in an 1189incoming TLS session, if any. 1190The 1191.B <level> 1192can be specified as one of the following keywords: 1193.RS 1194.TP 1195.B never 1196This is the default. 1197.B slapd 1198will not ask the client for a certificate. 1199.TP 1200.B allow 1201The client certificate is requested. If no certificate is provided, 1202the session proceeds normally. If a bad certificate is provided, 1203it will be ignored and the session proceeds normally. 1204.TP 1205.B try 1206The client certificate is requested. If no certificate is provided, 1207the session proceeds normally. If a bad certificate is provided, 1208the session is immediately terminated. 1209.TP 1210.B demand | hard | true 1211These keywords are all equivalent, for compatibility reasons. 1212The client certificate is requested. If no certificate is provided, 1213or a bad certificate is provided, the session is immediately terminated. 1214 1215Note that a valid client certificate is required in order to use the 1216SASL EXTERNAL authentication mechanism with a TLS session. As such, 1217a non-default 1218.B TLSVerifyClient 1219setting must be chosen to enable SASL EXTERNAL authentication. 1220.RE 1221.TP 1222.B TLSCRLCheck <level> 1223Specifies if the Certificate Revocation List (CRL) of the CA should be 1224used to verify if the client certificates have not been revoked. This 1225requires 1226.B TLSCACertificatePath 1227parameter to be set. This directive is ignored with GnuTLS and Mozilla NSS. 1228.B <level> 1229can be specified as one of the following keywords: 1230.RS 1231.TP 1232.B none 1233No CRL checks are performed 1234.TP 1235.B peer 1236Check the CRL of the peer certificate 1237.TP 1238.B all 1239Check the CRL for a whole certificate chain 1240.RE 1241.TP 1242.B TLSCRLFile <filename> 1243Specifies a file containing a Certificate Revocation List to be used 1244for verifying that certificates have not been revoked. This directive is 1245only valid when using GnuTLS and Mozilla NSS. 1246.SH GENERAL BACKEND OPTIONS 1247Options in this section only apply to the configuration file section 1248for the specified backend. They are supported by every 1249type of backend. 1250.TP 1251.B backend <databasetype> 1252Mark the beginning of a backend definition. <databasetype> 1253should be one of 1254.BR bdb , 1255.BR config , 1256.BR dnssrv , 1257.BR hdb , 1258.BR ldap , 1259.BR ldif , 1260.BR mdb , 1261.BR meta , 1262.BR monitor , 1263.BR null , 1264.BR passwd , 1265.BR perl , 1266.BR relay , 1267.BR shell , 1268or 1269.BR sql , 1270depending on which backend will serve the database. 1271 1272.SH GENERAL DATABASE OPTIONS 1273Options in this section only apply to the configuration file section 1274for the database in which they are defined. They are supported by every 1275type of backend. Note that the 1276.B database 1277and at least one 1278.B suffix 1279option are mandatory for each database. 1280.TP 1281.B database <databasetype> 1282Mark the beginning of a new database instance definition. <databasetype> 1283should be one of 1284.BR bdb , 1285.BR config , 1286.BR dnssrv , 1287.BR hdb , 1288.BR ldap , 1289.BR ldif , 1290.BR mdb , 1291.BR meta , 1292.BR monitor , 1293.BR null , 1294.BR passwd , 1295.BR perl , 1296.BR relay , 1297.BR shell , 1298or 1299.BR sql , 1300depending on which backend will serve the database. 1301 1302LDAP operations, even subtree searches, normally access only one 1303database. 1304That can be changed by gluing databases together with the 1305.B subordinate 1306keyword. 1307Access controls and some overlays can also involve multiple databases. 1308.TP 1309.B add_content_acl on | off 1310Controls whether Add operations will perform ACL checks on 1311the content of the entry being added. This check is off 1312by default. See the 1313.BR slapd.access (5) 1314manual page for more details on ACL requirements for 1315Add operations. 1316.TP 1317.B extra_attrs <attrlist> 1318Lists what attributes need to be added to search requests. 1319Local storage backends return the entire entry to the frontend. 1320The frontend takes care of only returning the requested attributes 1321that are allowed by ACLs. 1322However, features like access checking and so may need specific 1323attributes that are not automatically returned by remote storage 1324backends, like proxy backends and so on. 1325.B <attrlist> 1326is a list of attributes that are needed for internal purposes 1327and thus always need to be collected, even when not explicitly 1328requested by clients. 1329.TP 1330.B hidden on | off 1331Controls whether the database will be used to answer 1332queries. A database that is hidden will never be 1333selected to answer any queries, and any suffix configured 1334on the database will be ignored in checks for conflicts 1335with other databases. By default, hidden is off. 1336.TP 1337.B lastmod on | off 1338Controls whether 1339.B slapd 1340will automatically maintain the 1341modifiersName, modifyTimestamp, creatorsName, and 1342createTimestamp attributes for entries. It also controls 1343the entryCSN and entryUUID attributes, which are needed 1344by the syncrepl provider. By default, lastmod is on. 1345.TP 1346.B limits <selector> <limit> [<limit> [...]] 1347Specify time and size limits based on the operation's initiator or 1348base DN. 1349The argument 1350.B <selector> 1351can be any of 1352.RS 1353.RS 1354.TP 1355anonymous | users | [<dnspec>=]<pattern> | group[/oc[/at]]=<pattern> 1356 1357.RE 1358with 1359.RS 1360.TP 1361<dnspec> ::= dn[.<type>][.<style>] 1362.TP 1363<type> ::= self | this 1364.TP 1365<style> ::= exact | base | onelevel | subtree | children | regex | anonymous 1366 1367.RE 1368DN type 1369.B self 1370is the default and means the bound user, while 1371.B this 1372means the base DN of the operation. 1373The term 1374.B anonymous 1375matches all unauthenticated clients. 1376The term 1377.B users 1378matches all authenticated clients; 1379otherwise an 1380.B exact 1381dn pattern is assumed unless otherwise specified by qualifying 1382the (optional) key string 1383.B dn 1384with 1385.B exact 1386or 1387.B base 1388(which are synonyms), to require an exact match; with 1389.BR onelevel , 1390to require exactly one level of depth match; with 1391.BR subtree , 1392to allow any level of depth match, including the exact match; with 1393.BR children , 1394to allow any level of depth match, not including the exact match; 1395.BR regex 1396explicitly requires the (default) match based on POSIX (''extended'') 1397regular expression pattern. 1398Finally, 1399.B anonymous 1400matches unbound operations; the 1401.B pattern 1402field is ignored. 1403The same behavior is obtained by using the 1404.B anonymous 1405form of the 1406.B <selector> 1407clause. 1408The term 1409.BR group , 1410with the optional objectClass 1411.B oc 1412and attributeType 1413.B at 1414fields, followed by 1415.BR pattern , 1416sets the limits for any DN listed in the values of the 1417.B at 1418attribute (default 1419.BR member ) 1420of the 1421.B oc 1422group objectClass (default 1423.BR groupOfNames ) 1424whose DN exactly matches 1425.BR pattern . 1426 1427The currently supported limits are 1428.B size 1429and 1430.BR time . 1431 1432The syntax for time limits is 1433.BR time[.{soft|hard}]=<integer> , 1434where 1435.I integer 1436is the number of seconds slapd will spend answering a search request. 1437If no time limit is explicitly requested by the client, the 1438.BR soft 1439limit is used; if the requested time limit exceeds the 1440.BR hard 1441.\"limit, an 1442.\".I "Administrative limit exceeded" 1443.\"error is returned. 1444limit, the value of the limit is used instead. 1445If the 1446.BR hard 1447limit is set to the keyword 1448.IR soft , 1449the soft limit is used in either case; if it is set to the keyword 1450.IR unlimited , 1451no hard limit is enforced. 1452Explicit requests for time limits smaller or equal to the 1453.BR hard 1454limit are honored. 1455If no limit specifier is set, the value is assigned to the 1456.BR soft 1457limit, and the 1458.BR hard 1459limit is set to 1460.IR soft , 1461to preserve the original behavior. 1462 1463The syntax for size limits is 1464.BR size[.{soft|hard|unchecked}]=<integer> , 1465where 1466.I integer 1467is the maximum number of entries slapd will return answering a search 1468request. 1469If no size limit is explicitly requested by the client, the 1470.BR soft 1471limit is used; if the requested size limit exceeds the 1472.BR hard 1473.\"limit, an 1474.\".I "Administrative limit exceeded" 1475.\"error is returned. 1476limit, the value of the limit is used instead. 1477If the 1478.BR hard 1479limit is set to the keyword 1480.IR soft , 1481the soft limit is used in either case; if it is set to the keyword 1482.IR unlimited , 1483no hard limit is enforced. 1484Explicit requests for size limits smaller or equal to the 1485.BR hard 1486limit are honored. 1487The 1488.BR unchecked 1489specifier sets a limit on the number of candidates a search request is allowed 1490to examine. 1491The rationale behind it is that searches for non-properly indexed 1492attributes may result in large sets of candidates, which must be 1493examined by 1494.BR slapd (8) 1495to determine whether they match the search filter or not. 1496The 1497.B unchecked 1498limit provides a means to drop such operations before they are even 1499started. 1500If the selected candidates exceed the 1501.BR unchecked 1502limit, the search will abort with 1503.IR "Unwilling to perform" . 1504If it is set to the keyword 1505.IR unlimited , 1506no limit is applied (the default). 1507If it is set to 1508.IR disabled , 1509the search is not even performed; this can be used to disallow searches 1510for a specific set of users. 1511If no limit specifier is set, the value is assigned to the 1512.BR soft 1513limit, and the 1514.BR hard 1515limit is set to 1516.IR soft , 1517to preserve the original behavior. 1518 1519In case of no match, the global limits are used. 1520The default values are the same as for 1521.B sizelimit 1522and 1523.BR timelimit ; 1524no limit is set on 1525.BR unchecked . 1526 1527If 1528.B pagedResults 1529control is requested, the 1530.B hard 1531size limit is used by default, because the request of a specific page size 1532is considered an explicit request for a limitation on the number 1533of entries to be returned. 1534However, the size limit applies to the total count of entries returned within 1535the search, and not to a single page. 1536Additional size limits may be enforced; the syntax is 1537.BR size.pr={<integer>|noEstimate|unlimited} , 1538where 1539.I integer 1540is the max page size if no explicit limit is set; the keyword 1541.I noEstimate 1542inhibits the server from returning an estimate of the total number 1543of entries that might be returned 1544(note: the current implementation does not return any estimate). 1545The keyword 1546.I unlimited 1547indicates that no limit is applied to the pagedResults control page size. 1548The syntax 1549.B size.prtotal={<integer>|unlimited|disabled} 1550allows one to set a limit on the total number of entries that the pagedResults 1551control will return. 1552By default it is set to the 1553.B hard 1554limit. 1555When set, 1556.I integer 1557is the max number of entries that the whole search with pagedResults control 1558can return. 1559Use 1560.I unlimited 1561to allow unlimited number of entries to be returned, e.g. to allow 1562the use of the pagedResults control as a means to circumvent size 1563limitations on regular searches; the keyword 1564.I disabled 1565disables the control, i.e. no paged results can be returned. 1566Note that the total number of entries returned when the pagedResults control 1567is requested cannot exceed the 1568.B hard 1569size limit of regular searches unless extended by the 1570.B prtotal 1571switch. 1572 1573The \fBlimits\fP statement is typically used to let an unlimited 1574number of entries be returned by searches performed 1575with the identity used by the consumer for synchronization purposes 1576by means of the RFC 4533 LDAP Content Synchronization protocol 1577(see \fBsyncrepl\fP for details). 1578.RE 1579.TP 1580.B maxderefdepth <depth> 1581Specifies the maximum number of aliases to dereference when trying to 1582resolve an entry, used to avoid infinite alias loops. The default is 15. 1583.TP 1584.B mirrormode on | off 1585This option puts a replica database into "mirror" mode. Update 1586operations will be accepted from any user, not just the updatedn. The 1587database must already be configured as a syncrepl consumer 1588before this keyword may be set. This mode also requires a 1589.B serverID 1590(see above) to be configured. 1591By default, mirrormode is off. 1592.TP 1593.B monitoring on | off 1594This option enables database-specific monitoring in the entry related 1595to the current database in the "cn=Databases,cn=Monitor" subtree 1596of the monitor database, if the monitor database is enabled. 1597Currently, only the BDB and the HDB databases provide database-specific 1598monitoring. 1599The default depends on the backend type. 1600.TP 1601.B overlay <overlay-name> 1602Add the specified overlay to this database. An overlay is a piece of 1603code that intercepts database operations in order to extend or change 1604them. Overlays are pushed onto 1605a stack over the database, and so they will execute in the reverse 1606of the order in which they were configured and the database itself 1607will receive control last of all. See the 1608.BR slapd.overlays (5) 1609manual page for an overview of the available overlays. 1610Note that all of the database's 1611regular settings should be configured before any overlay settings. 1612.TP 1613.B readonly on | off 1614This option puts the database into "read-only" mode. Any attempts to 1615modify the database will return an "unwilling to perform" error. By 1616default, readonly is off. 1617.TP 1618.B restrict <oplist> 1619Specify a whitespace separated list of operations that are restricted. 1620If defined inside a database specification, restrictions apply only 1621to that database, otherwise they are global. 1622Operations can be any of 1623.BR add , 1624.BR bind , 1625.BR compare , 1626.BR delete , 1627.BR extended[=<OID>] , 1628.BR modify , 1629.BR rename , 1630.BR search , 1631or the special pseudo-operations 1632.B read 1633and 1634.BR write , 1635which respectively summarize read and write operations. 1636The use of 1637.I restrict write 1638is equivalent to 1639.I readonly on 1640(see above). 1641The 1642.B extended 1643keyword allows one to indicate the OID of the specific operation 1644to be restricted. 1645.TP 1646.B rootdn <dn> 1647Specify the distinguished name that is not subject to access control 1648or administrative limit restrictions for operations on this database. 1649This DN may or may not be associated with an entry. An empty root 1650DN (the default) specifies no root access is to be granted. It is 1651recommended that the rootdn only be specified when needed (such as 1652when initially populating a database). If the rootdn is within 1653a namingContext (suffix) of the database, a simple bind password 1654may also be provided using the 1655.B rootpw 1656directive. Many optional features, including syncrepl, require the 1657rootdn to be defined for the database. 1658.TP 1659.B rootpw <password> 1660Specify a password (or hash of the password) for the rootdn. The 1661password can only be set if the rootdn is within the namingContext 1662(suffix) of the database. 1663This option accepts all RFC 2307 userPassword formats known to 1664the server (see 1665.B password\-hash 1666description) as well as cleartext. 1667.BR slappasswd (8) 1668may be used to generate a hash of a password. Cleartext 1669and \fB{CRYPT}\fP passwords are not recommended. If empty 1670(the default), authentication of the root DN is by other means 1671(e.g. SASL). Use of SASL is encouraged. 1672.TP 1673.B suffix <dn suffix> 1674Specify the DN suffix of queries that will be passed to this 1675backend database. Multiple suffix lines can be given and at least one is 1676required for each database definition. 1677 1678If the suffix of one database is "inside" that of another, the database 1679with the inner suffix must come first in the configuration file. 1680You may also want to glue such databases together with the 1681.B subordinate 1682keyword. 1683.TP 1684.B subordinate [advertise] 1685Specify that the current backend database is a subordinate of another 1686backend database. A subordinate database may have only one suffix. This 1687option may be used to glue multiple databases into a single namingContext. 1688If the suffix of the current database is within the namingContext of a 1689superior database, searches against the superior database will be 1690propagated to the subordinate as well. All of the databases 1691associated with a single namingContext should have identical rootdns. 1692Behavior of other LDAP operations is unaffected by this setting. In 1693particular, it is not possible to use moddn to move an entry from 1694one subordinate to another subordinate within the namingContext. 1695 1696If the optional \fBadvertise\fP flag is supplied, the naming context of 1697this database is advertised in the root DSE. The default is to hide this 1698database context, so that only the superior context is visible. 1699 1700If the slap tools 1701.BR slapcat (8), 1702.BR slapadd (8), 1703or 1704.BR slapindex (8) 1705are used on the superior database, any glued subordinates that support 1706these tools are opened as well. 1707 1708Databases that are glued together should usually be configured with the 1709same indices (assuming they support indexing), even for attributes that 1710only exist in some of these databases. In general, all of the glued 1711databases should be configured as similarly as possible, since the intent 1712is to provide the appearance of a single directory. 1713 1714Note that the \fIsubordinate\fP functionality is implemented internally 1715by the \fIglue\fP overlay and as such its behavior will interact with other 1716overlays in use. By default, the glue overlay is automatically configured as 1717the last overlay on the superior backend. Its position on the backend 1718can be explicitly configured by setting an \fBoverlay glue\fP directive 1719at the desired position. This explicit configuration is necessary e.g. 1720when using the \fIsyncprov\fP overlay, which needs to follow \fIglue\fP 1721in order to work over all of the glued databases. E.g. 1722.RS 1723.nf 1724 database bdb 1725 suffix dc=example,dc=com 1726 ... 1727 overlay glue 1728 overlay syncprov 1729.fi 1730.RE 1731.TP 1732.B sync_use_subentry 1733Store the syncrepl contextCSN in a subentry instead of the context entry 1734of the database. The subentry's RDN will be "cn=ldapsync". By default 1735the contextCSN is stored in the context entry. 1736.HP 1737.hy 0 1738.B syncrepl rid=<replica ID> 1739.B provider=ldap[s]://<hostname>[:port] 1740.B searchbase=<base DN> 1741.B [type=refreshOnly|refreshAndPersist] 1742.B [interval=dd:hh:mm:ss] 1743.B [retry=[<retry interval> <# of retries>]+] 1744.B [filter=<filter str>] 1745.B [scope=sub|one|base|subord] 1746.B [attrs=<attr list>] 1747.B [exattrs=<attr list>] 1748.B [attrsonly] 1749.B [sizelimit=<limit>] 1750.B [timelimit=<limit>] 1751.B [schemachecking=on|off] 1752.B [network\-timeout=<seconds>] 1753.B [timeout=<seconds>] 1754.B [bindmethod=simple|sasl] 1755.B [binddn=<dn>] 1756.B [saslmech=<mech>] 1757.B [authcid=<identity>] 1758.B [authzid=<identity>] 1759.B [credentials=<passwd>] 1760.B [realm=<realm>] 1761.B [secprops=<properties>] 1762.B [keepalive=<idle>:<probes>:<interval>] 1763.B [starttls=yes|critical] 1764.B [tls_cert=<file>] 1765.B [tls_key=<file>] 1766.B [tls_cacert=<file>] 1767.B [tls_cacertdir=<path>] 1768.B [tls_reqcert=never|allow|try|demand] 1769.B [tls_cipher_suite=<ciphers>] 1770.B [tls_crlcheck=none|peer|all] 1771.B [tls_protocol_min=<major>[.<minor>]] 1772.B [suffixmassage=<real DN>] 1773.B [logbase=<base DN>] 1774.B [logfilter=<filter str>] 1775.B [syncdata=default|accesslog|changelog] 1776.RS 1777Specify the current database as a replica which is kept up-to-date with the 1778master content by establishing the current 1779.BR slapd (8) 1780as a replication consumer site running a 1781.B syncrepl 1782replication engine. 1783The replica content is kept synchronized to the master content using 1784the LDAP Content Synchronization protocol. Refer to the 1785"OpenLDAP Administrator's Guide" for detailed information on 1786setting up a replicated 1787.B slapd 1788directory service using the 1789.B syncrepl 1790replication engine. 1791 1792.B rid 1793identifies the current 1794.B syncrepl 1795directive within the replication consumer site. 1796It is a non-negative integer not greater than 999 (limited 1797to three decimal digits). 1798 1799.B provider 1800specifies the replication provider site containing the master content 1801as an LDAP URI. If <port> is not given, the standard LDAP port number 1802(389 or 636) is used. 1803 1804The content of the 1805.B syncrepl 1806replica is defined using a search 1807specification as its result set. The consumer 1808.B slapd 1809will send search requests to the provider 1810.B slapd 1811according to the search specification. The search specification includes 1812.BR searchbase ", " scope ", " filter ", " attrs ", " attrsonly ", " sizelimit ", " 1813and 1814.B timelimit 1815parameters as in the normal search specification. 1816The \fBscope\fP defaults to \fBsub\fP, the \fBfilter\fP defaults to 1817\fB(objectclass=*)\fP, while there is no default \fBsearchbase\fP. The 1818\fBattrs\fP list defaults to \fB"*,+"\fP to return all user and operational 1819attributes, and \fBattrsonly\fP is unset by default. 1820The \fBsizelimit\fP and \fBtimelimit\fP only 1821accept "unlimited" and positive integers, and both default to "unlimited". 1822The \fBsizelimit\fP and \fBtimelimit\fP parameters define 1823a consumer requested limitation on the number of entries that can be returned 1824by the LDAP Content Synchronization operation; as such, it is intended 1825to implement partial replication based on the size of the replicated database 1826and on the time required by the synchronization. 1827Note, however, that any provider-side limits for the replication identity 1828will be enforced by the provider regardless of the limits requested 1829by the LDAP Content Synchronization operation, much like for any other 1830search operation. 1831.B exattrs 1832option may also be used to specify attributes that should be omitted 1833from incoming entries. 1834The \fBscope\fP defaults to \fBsub\fP, the \fBfilter\fP defaults to 1835\fB(objectclass=*)\fP, and there is no default \fBsearchbase\fP. The 1836\fBattrs\fP list defaults to \fB"*,+"\fP to return all user and operational 1837attributes, and \fBattrsonly\fP and \fBexattrs\fP are unset by default. 1838The \fBsizelimit\fP and \fBtimelimit\fP only 1839accept "unlimited" and positive integers, and both default to "unlimited". 1840Note, however, that any provider-side limits for the replication identity 1841will be enforced by the provider regardless of the limits requested 1842by the LDAP Content Synchronization operation, much like for any other 1843search operation. 1844 1845The LDAP Content Synchronization protocol has two operation types. 1846In the 1847.B refreshOnly 1848operation, the next synchronization search operation 1849is periodically rescheduled at an interval time (specified by 1850.B interval 1851parameter; 1 day by default) 1852after each synchronization operation finishes. 1853In the 1854.B refreshAndPersist 1855operation, a synchronization search remains persistent in the provider slapd. 1856Further updates to the master replica will generate 1857.B searchResultEntry 1858to the consumer slapd as the search responses to the persistent 1859synchronization search. If the initial search fails due to an error, the 1860next synchronization search operation is periodically rescheduled at an 1861interval time (specified by 1862.B interval 1863parameter; 1 day by default) 1864 1865If an error occurs during replication, the consumer will attempt to 1866reconnect according to the 1867.B retry 1868parameter which is a list of the <retry interval> and <# of retries> pairs. 1869For example, retry="60 10 300 3" lets the consumer retry every 60 seconds 1870for the first 10 times and then retry every 300 seconds for the next 3 1871times before stop retrying. The `+' in <# of retries> means indefinite 1872number of retries until success. 1873If no 1874.B retry 1875was specified, by default syncrepl retries every hour forever. 1876 1877The schema checking can be enforced at the LDAP Sync 1878consumer site by turning on the 1879.B schemachecking 1880parameter. The default is \fBoff\fP. 1881Schema checking \fBon\fP means that replicated entries must have 1882a structural objectClass, must obey to objectClass requirements 1883in terms of required/allowed attributes, and that naming attributes 1884and distinguished values must be present. 1885As a consequence, schema checking should be \fBoff\fP when partial 1886replication is used. 1887 1888The 1889.B network\-timeout 1890parameter sets how long the consumer will wait to establish a 1891network connection to the provider. Once a connection is 1892established, the 1893.B timeout 1894parameter determines how long the consumer will wait for the initial 1895Bind request to complete. The defaults for these parameters come 1896from 1897.BR ldap.conf (5). 1898 1899A 1900.B bindmethod 1901of 1902.B simple 1903requires the options 1904.B binddn 1905and 1906.B credentials 1907and should only be used when adequate security services 1908(e.g. TLS or IPSEC) are in place. 1909.B REMEMBER: simple bind credentials must be in cleartext! 1910A 1911.B bindmethod 1912of 1913.B sasl 1914requires the option 1915.B saslmech. 1916Depending on the mechanism, an authentication identity and/or 1917credentials can be specified using 1918.B authcid 1919and 1920.B credentials. 1921The 1922.B authzid 1923parameter may be used to specify an authorization identity. 1924Specific security properties (as with the 1925.B sasl\-secprops 1926keyword above) for a SASL bind can be set with the 1927.B secprops 1928option. A non default SASL realm can be set with the 1929.B realm 1930option. 1931The identity used for synchronization by the consumer should be allowed 1932to receive an unlimited number of entries in response to a search request. 1933The provider, other than allow authentication of the syncrepl identity, 1934should grant that identity appropriate access privileges to the data 1935that is being replicated (\fBaccess\fP directive), and appropriate time 1936and size limits. 1937This can be accomplished by either allowing unlimited \fBsizelimit\fP 1938and \fBtimelimit\fP, or by setting an appropriate \fBlimits\fP statement 1939in the consumer's configuration (see \fBsizelimit\fP and \fBlimits\fP 1940for details). 1941 1942The 1943.B keepalive 1944parameter sets the values of \fIidle\fP, \fIprobes\fP, and \fIinterval\fP 1945used to check whether a socket is alive; 1946.I idle 1947is the number of seconds a connection needs to remain idle before TCP 1948starts sending keepalive probes; 1949.I probes 1950is the maximum number of keepalive probes TCP should send before dropping 1951the connection; 1952.I interval 1953is interval in seconds between individual keepalive probes. 1954Only some systems support the customization of these values; 1955the 1956.B keepalive 1957parameter is ignored otherwise, and system-wide settings are used. 1958 1959The 1960.B starttls 1961parameter specifies use of the StartTLS extended operation 1962to establish a TLS session before Binding to the provider. If the 1963.B critical 1964argument is supplied, the session will be aborted if the StartTLS request 1965fails. Otherwise the syncrepl session continues without TLS. The 1966.B tls_reqcert 1967setting defaults to "demand" and the other TLS settings 1968default to the same as the main slapd TLS settings. 1969 1970The 1971.B suffixmassage 1972parameter allows the consumer to pull entries from a remote directory 1973whose DN suffix differs from the local directory. The portion of the 1974remote entries' DNs that matches the \fIsearchbase\fP will be replaced 1975with the suffixmassage DN. 1976 1977Rather than replicating whole entries, the consumer can query logs of 1978data modifications. This mode of operation is referred to as \fIdelta 1979syncrepl\fP. In addition to the above parameters, the 1980.B logbase 1981and 1982.B logfilter 1983parameters must be set appropriately for the log that will be used. The 1984.B syncdata 1985parameter must be set to either "accesslog" if the log conforms to the 1986.BR slapo\-accesslog (5) 1987log format, or "changelog" if the log conforms 1988to the obsolete \fIchangelog\fP format. If the 1989.B syncdata 1990parameter is omitted or set to "default" then the log parameters are 1991ignored. 1992.RE 1993.TP 1994.B updatedn <dn> 1995This option is only applicable in a slave 1996database. 1997It specifies the DN permitted to update (subject to access controls) 1998the replica. It is only needed in certain push-mode 1999replication scenarios. Generally, this DN 2000.I should not 2001be the same as the 2002.B rootdn 2003used at the master. 2004.TP 2005.B updateref <url> 2006Specify the referral to pass back when 2007.BR slapd (8) 2008is asked to modify a replicated local database. 2009If specified multiple times, each url is provided. 2010 2011.SH DATABASE-SPECIFIC OPTIONS 2012Each database may allow specific configuration options; they are 2013documented separately in the backends' manual pages. See the 2014.BR slapd.backends (5) 2015manual page for an overview of available backends. 2016.SH EXAMPLES 2017.LP 2018Here is a short example of a configuration file: 2019.LP 2020.RS 2021.nf 2022include /etc/openldap/schema/core.schema 2023pidfile /var/openldap/run/slapd.pid 2024 2025# Subtypes of "name" (e.g. "cn" and "ou") with the 2026# option ";x\-hidden" can be searched for/compared, 2027# but are not shown. See \fBslapd.access\fP(5). 2028attributeoptions x\-hidden lang\- 2029access to attrs=name;x\-hidden by * =cs 2030 2031# Protect passwords. See \fBslapd.access\fP(5). 2032access to attrs=userPassword by * auth 2033# Read access to other attributes and entries. 2034access to * by * read 2035 2036database bdb 2037suffix "dc=our\-domain,dc=com" 2038# The database directory MUST exist prior to 2039# running slapd AND should only be accessible 2040# by the slapd/tools. Mode 0700 recommended. 2041directory /var/openldap/openldap\-data 2042# Indices to maintain 2043index objectClass eq 2044index cn,sn,mail pres,eq,approx,sub 2045 2046# We serve small clients that do not handle referrals, 2047# so handle remote lookups on their behalf. 2048database ldap 2049suffix "" 2050uri ldap://ldap.some\-server.com/ 2051lastmod off 2052.fi 2053.RE 2054.LP 2055"OpenLDAP Administrator's Guide" contains a longer annotated 2056example of a configuration file. 2057The original /etc/openldap/slapd.conf is another example. 2058.SH FILES 2059.TP 2060/etc/openldap/slapd.conf 2061default slapd configuration file 2062.SH SEE ALSO 2063.BR ldap (3), 2064.BR gnutls\-cli (1), 2065.BR slapd\-config (5), 2066.BR slapd.access (5), 2067.BR slapd.backends (5), 2068.BR slapd.overlays (5), 2069.BR slapd.plugin (5), 2070.BR slapd (8), 2071.BR slapacl (8), 2072.BR slapadd (8), 2073.BR slapauth (8), 2074.BR slapcat (8), 2075.BR slapdn (8), 2076.BR slapindex (8), 2077.BR slappasswd (8), 2078.BR slaptest (8). 2079.LP 2080"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) 2081.SH ACKNOWLEDGEMENTS 2082.lf 1 ./../Project 2083.\" Shared Project Acknowledgement Text 2084.B "OpenLDAP Software" 2085is developed and maintained by The OpenLDAP Project <http://www.openldap.org/>. 2086.B "OpenLDAP Software" 2087is derived from the University of Michigan LDAP 3.3 Release. 2088.lf 2082 stdin 2089