1SLAPD.CONF(5)                 File Formats Manual                SLAPD.CONF(5)
2
3
4

NAME

6       slapd.conf - configuration file for slapd, the stand-alone LDAP daemon
7

SYNOPSIS

9       /etc/openldap/slapd.conf
10

DESCRIPTION

12       The  file  /etc/openldap/slapd.conf  contains configuration information
13       for the slapd(8) daemon.  This configuration file is also used  by  the
14       SLAPD tools slapacl(8), slapadd(8), slapauth(8), slapcat(8), slapdn(8),
15       slapindex(8), and slaptest(8).
16
17       The slapd.conf file  consists  of  a  series  of  global  configuration
18       options  that  apply to slapd as a whole (including all backends), fol‐
19       lowed by zero or more database backend definitions that contain  infor‐
20       mation  specific  to a backend instance.  The configuration options are
21       case-insensitive; their value, on a case by case basis,  may  be  case-
22       sensitive.
23
24       The general format of slapd.conf is as follows:
25
26           # comment - these options apply to every database
27           <global configuration options>
28           # first database definition & configuration options
29           database <backend 1 type>
30           <configuration options specific to backend 1>
31           # subsequent database definitions & configuration options
32           ...
33
34       As  many  backend-specific sections as desired may be included.  Global
35       options can be overridden in a backend (for options  that  appear  more
36       than once, the last appearance in the slapd.conf file is used).
37
38       If  a  line begins with white space, it is considered a continuation of
39       the previous line.  No physical line should be over 2000 bytes long.
40
41       Blank lines and comment  lines  beginning  with  a  `#'  character  are
42       ignored.   Note:  continuation  lines are unwrapped before comment pro‐
43       cessing is applied.
44
45       Arguments on configuration lines are separated by white  space.  If  an
46       argument  contains white space, the argument should be enclosed in dou‐
47       ble quotes.  If an argument contains a double quote (`"')  or  a  back‐
48       slash  character (`\'), the character should be preceded by a backslash
49       character.
50
51       The specific configuration options available are discussed below in the
52       Global  Configuration  Options,  General  Backend  Options, and General
53       Database  Options.   Backend-specific  options  are  discussed  in  the
54       slapd-<backend>(5)  manual  pages.   Refer to the "OpenLDAP Administra‐
55       tor's Guide" for more details on the slapd configuration file.
56

GLOBAL CONFIGURATION OPTIONS

58       Options described in this section apply to all backends, unless specif‐
59       ically  overridden  in  a  backend definition. Arguments that should be
60       replaced by actual text are shown in brackets <>.
61
62       access to <what> [ by <who> <access> <control> ]+
63              Grant access (specified by <access>) to a set of entries  and/or
64              attributes  (specified  by  <what>)  by  one  or more requestors
65              (specified by <who>).  If no access controls  are  present,  the
66              default  policy  allows anyone and everyone to read anything but
67              restricts updates to rootdn.  (e.g., "access to * by  *  read").
68              The   rootdn   can   always  read  and  write  EVERYTHING!   See
69              slapd.access(5) and the "OpenLDAP's Administrator's  Guide"  for
70              details.
71
72       allow <features>
73              Specify  a  set  of features (separated by white space) to allow
74              (default  none).   bind_v2  allows  acceptance  of  LDAPv2  bind
75              requests.   Note  that  slapd(8) does not truly implement LDAPv2
76              (RFC 1777), now  Historic  (RFC  3494).   bind_anon_cred  allows
77              anonymous  bind when credentials are not empty (e.g.  when DN is
78              empty).  bind_anon_dn allows  unauthenticated  (anonymous)  bind
79              when  DN  is  not  empty.   update_anon  allows  unauthenticated
80              (anonymous) update operations to be processed (subject to access
81              controls  and  other  administrative  limits).  proxy_authz_anon
82              allows unauthenticated (anonymous) proxy  authorization  control
83              to  be  processed (subject to access controls, authorization and
84              other administrative limits).
85
86       argsfile <filename>
87              The (absolute) name of a file that will hold the slapd  server's
88              command line (program name and options).
89
90       attributeoptions [option-name]...
91              Define  tagging  attribute options or option tag/range prefixes.
92              Options must not end with `-', prefixes must end with `-'.   The
93              `lang-'  prefix  is predefined.  If you use the attributeoptions
94              directive, `lang-' will no longer be defined and you must  spec‐
95              ify it explicitly if you want it defined.
96
97              An  attribute  description with a tagging option is a subtype of
98              that attribute description without the option.  Except for that,
99              options  defined  this  way have no special semantics.  Prefixes
100              defined this way work like the `lang-' options:  They  define  a
101              prefix  for  tagging options starting with the prefix.  That is,
102              if you define the  prefix  `x-foo-',  you  can  use  the  option
103              `x-foo-bar'.   Furthermore,  in a search or compare, a prefix or
104              range name (with a trailing `-') matches  all  options  starting
105              with  that  name, as well as the option with the range name sans
106              the trailing `-'.  That is, `x-foo-bar-' matches `x-foo-bar' and
107              `x-foo-bar-baz'.
108
109              RFC 4520 reserves options beginning with `x-' for private exper‐
110              iments.  Other options should be registered with IANA,  see  RFC
111              4520  section  3.5.  OpenLDAP also has the `binary' option built
112              in, but this is a transfer option, not a tagging option.
113
114       attributetype  ( <oid>  [NAME <name>]  [DESC <description>]  [OBSOLETE]
115              [SUP <oid>]   [EQUALITY <oid>]  [ORDERING <oid>]  [SUBSTR <oid>]
116              [SYNTAX <oidlen>]          [SINGLE-VALUE]           [COLLECTIVE]
117              [NO-USER-MODIFICATION] [USAGE <attributeUsage>] )
118              Specify an attribute type using the LDAPv3 syntax defined in RFC
119              4512.  The slapd parser  extends  the  RFC  4512  definition  by
120              allowing string forms as well as numeric OIDs to be used for the
121              attribute   OID   and   attribute   syntax   OID.    (See    the
122              objectidentifier description.)
123
124       authid-rewrite<cmd> <args>
125              Used  by  the  authentication  framework  to convert simple user
126              names to an  LDAP  DN  used  for  authorization  purposes.   Its
127              purpose  is  analogous to that of authz-regexp (see below).  The
128              prefix authid- is followed by a set of rules analogous to  those
129              described  in  slapo-rwm(5) for data rewriting (replace the rwm-
130              prefix  with  authid-).   authid-rewrite<cmd>  and  authz-regexp
131              rules should not be intermixed.
132
133       authz-policy <policy>
134              Used  to  specify  which  rules  to use for Proxy Authorization.
135              Proxy authorization allows  a  client  to  authenticate  to  the
136              server  using  one  user's  credentials, but specify a different
137              identity to use for authorization and access  control  purposes.
138              It  essentially allows user A to login as user B, using user A's
139              password.  The none flag disables proxy authorization.  This  is
140              the  default  setting.   The  from  flag  will  use rules in the
141              authzFrom attribute of the authorization DN.  The to  flag  will
142              use  rules  in  the  authzTo attribute of the authentication DN.
143              The any flag, an alias for the deprecated value  of  both,  will
144              allow  any of the above, whatever succeeds first (checked in to,
145              from sequence.  The all flag  requires  both  authorizations  to
146              succeed.
147
148              The rules are mechanisms to specify which identities are allowed
149              to perform proxy authorization.  The authzFrom attribute  in  an
150              entry  specifies which other users are allowed to proxy login to
151              this entry. The authzTo attribute in an  entry  specifies  which
152              other  users  this  user can authorize as.  Use of authzTo rules
153              can be easily abused if users are  allowed  to  write  arbitrary
154              values to this attribute.  In general the authzTo attribute must
155              be protected with ACLs  such  that  only  privileged  users  can
156              modify  it.   The  value  of  authzFrom and authzTo describes an
157              identity or a set of identities; it can take five forms:
158
159                     ldap:///<base>??[<scope>]?<filter>
160                     dn[.<dnstyle>]:<pattern>
161                     u[.<mech>[/<realm>]]:<pattern>
162                     group[/objectClass[/attributeType]]:<pattern>
163                     <pattern>
164
165                     <dnstyle>:={exact|onelevel|children|subtree|regex}
166
167              The first form is a valid LDAP URI where the <host>:<port>,  the
168              <attrs>  and  the  <extensions> portions must be absent, so that
169              the search occurs locally on either authzFrom or  authzTo.   The
170              second  form  is  a DN, with the optional style modifiers exact,
171              onelevel, children, and subtree for  exact,  onelevel,  children
172              and  subtree  matches,  which  cause  <pattern> to be normalized
173              according to the DN normalization rules, or  the  special  regex
174              style,  which  causes  the  <pattern>  to  be treated as a POSIX
175              (''extended'') regular  expression,  as  discussed  in  regex(7)
176              and/or re_format(7).  A pattern of * means any non-anonymous DN.
177              The third form is a SASL id, with the optional fields <mech> and
178              <realm> that allow to specify a SASL mechanism, and eventually a
179              SASL realm, for those mechanisms that support one.  The need  to
180              allow  the  specification  of  a mechanism is still debated, and
181              users are strongly discouraged to rely on this possibility.  The
182              fourth  form is a group specification, consisting of the keyword
183              group, optionally followed by the  specification  of  the  group
184              objectClass   and  member  attributeType.   The  group  with  DN
185              <pattern> is searched with base scope, and in case of match, the
186              values of the member attributeType are searched for the asserted
187              DN.   For  backwards  compatibility,  if  no  identity  type  is
188              provided,  i.e.  only  <pattern>  is  present,  an  exact  DN is
189              assumed;  as  a  consequence,  <pattern>  is  subjected  to   DN
190              normalization.    Since  the  interpretation  of  authzFrom  and
191              authzTo can impact security, users are  strongly  encouraged  to
192              explicitly  set the type of identity specification that is being
193              used.  A subset of these rules can be used as third arg  in  the
194              authz-regexp  statement  (see  below);  significantly,  the URI,
195              provided it results in exactly one entry, and the  dn.exact:<dn>
196              forms.
197
198       authz-regexp <match> <replace>
199              Used  by  the  authentication  framework  to convert simple user
200              names, such as provided by SASL  subsystem,  or  extracted  from
201              certificates  in  case  of cert-based SASL EXTERNAL, or provided
202              within the RFC 4370 "proxied authorization" control, to an  LDAP
203              DN  used for authorization purposes.  Note that the resulting DN
204              need not refer to an existing  entry  to  be  considered  valid.
205              When   an  authorization  request  is  received  from  the  SASL
206              subsystem, the SASL USERNAME, REALM, and  MECHANISM  are  taken,
207              when available, and combined into a name of the form
208
209                     UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth
210
211              This   name   is   then   compared   against   the  match  POSIX
212              (''extended'')  regular  expression,  and  if   the   match   is
213              successful,  the  name  is replaced with the replace string.  If
214              there are wildcard strings in the match regular expression  that
215              are enclosed in parenthesis, e.g.
216
217                     UID=([^,]*),CN=.*
218
219              then  the  portion of the name that matched the wildcard will be
220              stored in the numbered placeholder variable  $1.  If  there  are
221              other wildcard strings in parenthesis, the matching strings will
222              be in $2, $3, etc. up to $9. The placeholders can then  be  used
223              in the replace string, e.g.
224
225                     UID=$1,OU=Accounts,DC=example,DC=com
226
227              The  replaced name can be either a DN, i.e. a string prefixed by
228              "dn:", or an LDAP URI.  If the latter, the server will  use  the
229              URI  to  search  its  own database(s) and, if the search returns
230              exactly one entry, the name is replaced by the DN of that entry.
231              The  LDAP  URI  must  have  no  hostport,  attrs,  or extensions
232              components, but the filter is mandatory, e.g.
233
234                     ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)
235
236              The protocol portion of the URI must  be  strictly  ldap.   Note
237              that  this  search is subject to access controls.  Specifically,
238              the authentication identity  must  have  "auth"  access  in  the
239              subject.
240
241              Multiple  authz-regexp options can be given in the configuration
242              file to allow for multiple matching  and  replacement  patterns.
243              The  matching  patterns  are checked in the order they appear in
244              the file, stopping at the first successful match.
245
246
247       concurrency <integer>
248              Specify  a  desired  level  of  concurrency.   Provided  to  the
249              underlying  thread  system  as  a  hint.   The default is not to
250              provide any hint.
251
252       conn_max_pending <integer>
253              Specify the maximum number of pending requests for an  anonymous
254              session.   If  requests are submitted faster than the server can
255              process them, they will be queued up to this limit. If the limit
256              is exceeded, the session is closed. The default is 100.
257
258       conn_max_pending_auth <integer>
259              Specify   the   maximum   number  of  pending  requests  for  an
260              authenticated session.  The default is 1000.
261
262       defaultsearchbase <dn>
263              Specify a default search base to use when client submits a  non-
264              base  search  request with an empty base DN.  Base scoped search
265              requests with an empty base DN are not affected.
266
267       disallow <features>
268              Specify a set of features (separated by white space) to disallow
269              (default none).  bind_anon disables acceptance of anonymous bind
270              requests.  Note that this setting does  not  prohibit  anonymous
271              directory  access  (See  "require authc").  bind_simple disables
272              simple  (bind)  authentication.   tls_2_anon  disables   forcing
273              session  to  anonymous status (see also tls_authc) upon StartTLS
274              operation receipt.  tls_authc disallows the  StartTLS  operation
275              if        authenticated       (see       also       tls_2_anon).
276              proxy_authz_non_critical  disables  acceptance  of  the  proxied
277              authorization  control  (RFC4370)  when  criticality  is  FALSE.
278              dontusecopy_non_critical disables acceptance of the  dontUseCopy
279              control (a work in progress) when criticality is FALSE.
280
281       ditcontentrule  ( <oid>  [NAME <name>]  [DESC <description>] [OBSOLETE]
282              [AUX <oids>] [MUST <oids>] [MAY <oids>] [NOT <oids>] )
283              Specify an DIT Content Rule using the LDAPv3 syntax  defined  in
284              RFC  4512.   The slapd parser extends the RFC 4512 definition by
285              allowing string forms as well as numeric OIDs to be used for the
286              attribute    OID   and   attribute   syntax   OID.    (See   the
287              objectidentifier description.)
288
289       gentlehup { on | off }
290              A SIGHUP signal will only  cause  a  'gentle'  shutdown-attempt:
291              Slapd  will  stop  listening  for  new connections, but will not
292              close the connections to  the  current  clients.   Future  write
293              operations    return    unwilling-to-perform,   though.    Slapd
294              terminates when all clients have closed  their  connections  (if
295              they ever do), or - as before - if it receives a SIGTERM signal.
296              This can be useful if you wish to terminate the server and start
297              a new slapd server with another database, without disrupting the
298              currently active clients.  The default is off.  You may wish  to
299              use idletimeout along with this option.
300
301       idletimeout <integer>
302              Specify the number of seconds to wait before forcibly closing an
303              idle client  connection.   A  idletimeout  of  0  disables  this
304              feature.   The  default  is  0.  You  may  also  want to set the
305              writetimeout option.
306
307       include <filename>
308              Read additional configuration information from  the  given  file
309              before continuing with the next line of the current file.
310
311       index_intlen <integer>
312              Specify  the  key  length  for ordered integer indices. The most
313              significant bytes of the binary integer will be used  for  index
314              keys.  The default value is 4, which provides exact indexing for
315              31 bit values.  A floating point representation is used to index
316              too large values.
317
318       index_substr_if_minlen <integer>
319              Specify  the minimum length for subinitial and subfinal indices.
320              An attribute value must have at least this  many  characters  in
321              order  to be processed by the indexing functions. The default is
322              2.
323
324       index_substr_if_maxlen <integer>
325              Specify the maximum length for subinitial and subfinal  indices.
326              Only  this  many  characters  of  an  attribute  value  will  be
327              processed by the indexing functions; any excess  characters  are
328              ignored. The default is 4.
329
330       index_substr_any_len <integer>
331              Specify  the  length used for subany indices. An attribute value
332              must  have  at  least  this  many  characters  in  order  to  be
333              processed.  Attribute  values  longer  than  this length will be
334              processed in segments of this length.  The  default  is  4.  The
335              subany  index will also be used in subinitial and subfinal index
336              lookups  when   the   filter   string   is   longer   than   the
337              index_substr_if_maxlen value.
338
339       index_substr_any_step <integer>
340              Specify  the steps used in subany index lookups. This value sets
341              the offset  for  the  segments  of  a  filter  string  that  are
342              processed  for  a  subany  index  lookup.  The default is 2. For
343              example, with the default values, a  search  using  this  filter
344              "cn=*abcdefgh*" would generate index lookups for "abcd", "cdef",
345              and "efgh".
346
347
348       Note: Indexing support depends on the particular backend in use.  Also,
349       changing  these  settings  will  generally require deleting any indices
350       that depend on these parameters and recreating them with slapindex(8).
351
352
353       ldapsyntax ( <oid> [DESC <description>] [X-SUBST <substitute-syntax>] )
354
355              Specify  an  LDAP  syntax using the LDAPv3 syntax defined in RFC
356              4512.  The slapd parser  extends  the  RFC  4512  definition  by
357              allowing string forms as well as numeric OIDs to be used for the
358              syntax OID.  (See the objectidentifier description.)  The  slapd
359              parser  also  honors the X-SUBST extension (an OpenLDAP-specific
360              extension), which allows to  use  the  ldapsyntax  statement  to
361              define  a  non-implemented syntax along with another syntax, the
362              extension value substitute-syntax, as its temporary replacement.
363              The  substitute-syntax  must  be defined.  This allows to define
364              attribute types that make use of non-implemented syntaxes  using
365              the   correct   syntax   OID.   Unless  X-SUBST  is  used,  this
366              configuration statement would  result  in  an  error,  since  no
367              handlers would be associated to the resulting syntax structure.
368
369
370       listener-threads <integer>
371              Specify the number of threads to use for the connection manager.
372              The default is 1 and this is typically adequate for up to 16 CPU
373              cores.  The value should be set to a power of 2.
374
375       localSSF <SSF>
376              Specifies  the  Security Strength Factor (SSF) to be given local
377              LDAP sessions, such as those to the ldapi://  listener.   For  a
378              description  of  SSF  values,  see sasl-secprops's minssf option
379              description.  The default is 71.
380
381       logfile <filename>
382              Specify a file for recording  debug  log  messages.  By  default
383              these  messages  only go to stderr and are not recorded anywhere
384              else. Specifying a logfile copies messages to  both  stderr  and
385              the logfile.
386
387       loglevel <integer> [...]
388              Specify  the  level  at which debugging statements and operation
389              statistics  should  be  syslogged  (currently  logged   to   the
390              syslogd(8)   LOG_LOCAL4  facility).   They  must  be  considered
391              subsystems rather than increasingly verbose  log  levels.   Some
392              messages  with  higher  priority  are  logged  regardless of the
393              configured loglevel as soon as any logging is  configured.   Log
394              levels are additive, and available levels are:
395                     1      (0x1 trace) trace function calls
396                     2      (0x2 packets) debug packet handling
397                     4      (0x4 args) heavy trace debugging (function args)
398                     8      (0x8 conns) connection management
399                     16     (0x10 BER) print out packets sent and received
400                     32     (0x20 filter) search filter processing
401                     64     (0x40 config) configuration file processing
402                     128    (0x80 ACL) access control list processing
403                     256    (0x100   stats)   connections,   LDAP  operations,
404                            results (recommended)
405                     512    (0x200 stats2) stats log entries sent
406                     1024   (0x400  shell)  print  communication  with   shell
407                            backends
408                     2048   (0x800 parse) entry parsing
409
410
411
412
413
414
415
416
417                     16384  (0x4000 sync) LDAPSync replication
418                     32768  (0x8000   none)  only  messages  that  get  logged
419                            whatever log level is set
420              The desired log level can be input  as  a  single  integer  that
421              combines  the  (ORed)  desired  levels,  both  in  decimal or in
422              hexadecimal notation, as a  list  of  integers  (that  are  ORed
423              internally),  or  as  a list of the names that are shown between
424              brackets, such that
425
426                  loglevel 129
427                  loglevel 0x81
428                  loglevel 128 1
429                  loglevel 0x80 0x1
430                  loglevel acl trace
431
432              are equivalent.  The keyword any can be used as  a  shortcut  to
433              enable  logging  at  all levels (equivalent to -1).  The keyword
434              none, or the equivalent  integer  representation,  causes  those
435              messages  that  are logged regardless of the configured loglevel
436              to be logged.  In fact, if loglevel is  set  to  0,  no  logging
437              occurs,  so  at  least  the  none level is required to have high
438              priority messages logged.
439
440              The loglevel defaults to stats.  This level should usually  also
441              be  included  when  using  other  loglevels, to help analyze the
442              logs.
443
444       moduleload <filename>
445              Specify the name of a dynamically loadable module to  load.  The
446              filename may be an absolute path name or a simple filename. Non-
447              absolute names are searched for in the directories specified  by
448              the modulepath option. This option and the modulepath option are
449              only usable if slapd was compiled with --enable-modules.
450
451       modulepath <pathspec>
452              Specify a list of directories to search  for  loadable  modules.
453              Typically  the  path  is colon-separated but this depends on the
454              operating system.  The default is /usr/lib64/openldap, which  is
455              where the standard OpenLDAP install will place its modules.
456
457       objectclass   ( <oid>   [NAME <name>]  [DESC <description>]  [OBSOLETE]
458              [SUP <oids>]  [{  ABSTRACT   |   STRUCTURAL   |   AUXILIARY   }]
459              [MUST <oids>] [MAY <oids>] )
460              Specify  an  objectclass  using the LDAPv3 syntax defined in RFC
461              4512.  The slapd parser  extends  the  RFC  4512  definition  by
462              allowing string forms as well as numeric OIDs to be used for the
463              object  class  OID.   (See  the  objectidentifier  description.)
464              Object classes are "STRUCTURAL" by default.
465
466       objectidentifier <name> { <oid> | <name>[:<suffix>] }
467              Define  a  string name that equates to the given OID. The string
468              can be used in place of  the  numeric  OID  in  objectclass  and
469              attribute  definitions.  The name can also be used with a suffix
470              of the form ":xx" in which case the value "oid.xx" will be used.
471
472       password-hash <hash> [<hash>...]
473              This option  configures  one  or  more  hashes  to  be  used  in
474              generation   of   user  passwords  stored  in  the  userPassword
475              attribute during processing of  LDAP  Password  Modify  Extended
476              Operations (RFC 3062).  The <hash> must be one of {SSHA}, {SHA},
477              {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}.  The default is {SSHA}.
478
479              {SHA} and {SSHA} use  the  SHA-1  algorithm  (FIPS  160-1),  the
480              latter with a seed.
481
482              {MD5}  and  {SMD5}  use the MD5 algorithm (RFC 1321), the latter
483              with a seed.
484
485              {CRYPT} uses the crypt(3).
486
487              {CLEARTEXT} indicates that the new password should be  added  to
488              userPassword as clear text.
489
490              Note   that   this   option  does  not  alter  the  normal  user
491              applications handling of userPassword during LDAP  Add,  Modify,
492              or other LDAP operations.
493
494       password-crypt-salt-format <format>
495              Specify   the  format  of  the  salt  passed  to  crypt(3)  when
496              generating  {CRYPT}   passwords   (see   password-hash)   during
497              processing  of  LDAP  Password  Modify  Extended Operations (RFC
498              3062).
499
500              This string needs to be in sprintf(3) format and may include one
501              (and   only   one)  %s  conversion.   This  conversion  will  be
502              substituted  with   a   string   of   random   characters   from
503              [A-Za-z0-9./].   For  example,  "%.2s"  provides a two character
504              salt and "$1$%.8s" tells some versions of crypt(3) to use an MD5
505              algorithm and provides 8 random characters of salt.  The default
506              is "%s", which provides 31 characters of salt.
507
508       pidfile <filename>
509              The (absolute) name of a file that will hold the slapd  server's
510              process ID (see getpid(2)).
511
512       referral <url>
513              Specify  the  referral  to pass back when slapd(8) cannot find a
514              local database to  handle  a  request.   If  specified  multiple
515              times, each url is provided.
516
517       require <conditions>
518              Specify  a  set  of  conditions  (separated  by  white space) to
519              require (default none).  The directive may be specified globally
520              and/or  per-database;  databases  inherit  global conditions, so
521              per-database specifications are additive.   bind  requires  bind
522              operation   prior  to  directory  operations.   LDAPv3  requires
523              session  to  be  using   LDAP   version   3.    authc   requires
524              authentication  prior  to  directory  operations.  SASL requires
525              SASL  authentication  prior  to  directory  operations.   strong
526              requires  strong  authentication  prior to directory operations.
527              The strong keyword allows protected "simple"  authentication  as
528              well  as  SASL  authentication.   none may be used to require no
529              conditions (useful to clear out globally set conditions within a
530              particular  database);  it  must  occur  first  in  the  list of
531              conditions.
532
533       reverse-lookup on | off
534              Enable/disable client name unverified reverse lookup (default is
535              off if compiled with --enable-rlookups).
536
537       rootDSE <file>
538              Specify  the  name  of  an  LDIF(5) file containing user defined
539              attributes for the root DSE.  These attributes are  returned  in
540              addition to the attributes normally produced by slapd.
541
542              The  root  DSE is an entry with information about the server and
543              its capabilities, in operational attributes.  It has  the  empty
544              DN, and can be read with e.g.:
545                  ldapsearch -x -b "" -s base "+"
546              See RFC 4512 section 5.1 for details.
547
548       sasl-auxprops <plugin> [...]
549              Specify which auxprop plugins to use for authentication lookups.
550              The default is empty, which just uses slapd's internal  support.
551              Usually no other auxprop plugins are needed.
552
553       sasl-host <fqdn>
554              Used  to  specify  the fully qualified domain name used for SASL
555              processing.
556
557       sasl-realm <realm>
558              Specify SASL realm.  Default is empty.
559
560       sasl-secprops <properties>
561              Used to specify Cyrus SASL security properties.  The  none  flag
562              (without  any  other  properties)  causes  the  flag  properties
563              default, "noanonymous,noplain", to be cleared.  The noplain flag
564              disables  mechanisms susceptible to simple passive attacks.  The
565              noactive flag disables mechanisms susceptible to active attacks.
566              The  nodict  flag  disables  mechanisms  susceptible  to passive
567              dictionary attacks.  The noanonymous  flag  disables  mechanisms
568              which  support  anonymous  login.   The  forwardsec flag require
569              forward  secrecy  between  sessions.    The   passcred   require
570              mechanisms  which  pass client credentials (and allow mechanisms
571              which can pass  credentials  to  do  so).   The  minssf=<factor>
572              property  specifies  the  minimum  acceptable  security strength
573              factor as an integer approximate to effective  key  length  used
574              for  encryption.   0  (zero)  implies  no  protection, 1 implies
575              integrity protection only, 56 allows DES or other weak  ciphers,
576              112  allows triple DES and other strong ciphers, 128 allows RC4,
577              Blowfish and other modern strong ciphers.   The  default  is  0.
578              The  maxssf=<factor>  property  specifies the maximum acceptable
579              security strength factor as an integer (see minssf description).
580              The   default   is   INT_MAX.   The  maxbufsize=<size>  property
581              specifies  the  maximum  security  layer  receive  buffer   size
582              allowed.  0 disables security layers.  The default is 65536.
583
584       schemadn <dn>
585              Specify  the  distinguished name for the subschema subentry that
586              controls  the  entries  on  this   server.    The   default   is
587              "cn=Subschema".
588
589       security <factors>
590              Specify  a  set of security strength factors (separated by white
591              space) to require  (see  sasl-secprops's  minssf  option  for  a
592              description of security strength factors).  The directive may be
593              specified globally and/or per-database.  ssf=<n>  specifies  the
594              overall  security  strength factor.  transport=<n> specifies the
595              transport security strength factor.  tls=<n> specifies  the  TLS
596              security  strength factor.  sasl=<n> specifies the SASL security
597              strength factor.  update_ssf=<n> specifies the overall  security
598              strength    factor    to    require   for   directory   updates.
599              update_transport=<n> specifies the transport  security  strength
600              factor   to   require  for  directory  updates.   update_tls=<n>
601              specifies the  TLS  security  strength  factor  to  require  for
602              directory  updates.  update_sasl=<n> specifies the SASL security
603              strength   factor   to   require    for    directory    updates.
604              simple_bind=<n>  specifies the security strength factor required
605              for simple  username/password  authentication.   Note  that  the
606              transport   factor  is  measure  of  security  provided  by  the
607              underlying transport, e.g. ldapi:// (and eventually IPSEC).   It
608              is not normally used.
609
610       serverID <integer> [<URL>]
611              Specify an integer ID from 0 to 4095 for this server (limited to
612              3 hexadecimal digits).  The  ID  may  also  be  specified  as  a
613              hexadecimal  ID by prefixing the value with "0x".  These IDs are
614              required when using multimaster replication and each master must
615              have  a  unique  ID.  Note that this requirement also applies to
616              separate masters contributing to a glued set of  databases.   If
617              the  URL  is  provided, this directive may be specified multiple
618              times, providing a complete list of  participating  servers  and
619              their IDs. The fully qualified hostname of each server should be
620              used in the supplied URLs. The IDs are used in the "replica  id"
621              field of all CSNs generated by the specified server. The default
622              value is zero.  Example:
623
624            serverID 1
625
626       sizelimit {<integer>|unlimited}
627
628       sizelimit size[.{soft|hard|unchecked}]=<integer> [...]
629              Specify the maximum number of entries to return  from  a  search
630              operation.   The  default  size  limit is 500.  Use unlimited to
631              specify no limits.   The  second  format  allows  a  fine  grain
632              setting of the size limits.  Extra args can be added on the same
633              line.  See limits for an explanation of the different flags.
634
635       sockbuf_max_incoming <integer>
636              Specify  the  maximum  incoming  LDAP  PDU  size  for  anonymous
637              sessions.  The default is 262143.
638
639       sockbuf_max_incoming_auth <integer>
640              Specify  the  maximum  incoming  LDAP PDU size for authenticated
641              sessions.  The default is 4194303.
642
643       sortvals <attr> [...]
644              Specify a list of  multi-valued  attributes  whose  values  will
645              always  be  maintained  in  sorted order. Using this option will
646              allow  Modify,  Compare,  and  filter   evaluations   on   these
647              attributes  to be performed more efficiently. The resulting sort
648              order depends on the attributes' syntax and matching  rules  and
649              may  not  correspond  to lexical order or any other recognizable
650              order.
651
652       tcp-buffer [listener=<URL>] [{read|write}=]<size>
653              Specify the size of the TCP buffer.  A  global  value  for  both
654              read  and  write TCP buffers related to any listener is defined,
655              unless the listener is explicitly specified, or either the  read
656              or  write  qualifiers  are  used.  See tcp(7) for details.  Note
657              that some OS-es implement automatic TCP buffer tuning.
658
659       threads <integer>
660              Specify the maximum  size  of  the  primary  thread  pool.   The
661              default is 16; the minimum value is 2.
662
663       timelimit {<integer>|unlimited}
664
665       timelimit time[.{soft|hard}]=<integer> [...]
666              Specify  the maximum number of seconds (in real time) slapd will
667              spend answering a search request.  The  default  time  limit  is
668              3600.   Use  unlimited  to specify no limits.  The second format
669              allows a fine grain setting of the time limits.  Extra args  can
670              be added on the same line.  See limits for an explanation of the
671              different flags.
672
673       tool-threads <integer>
674              Specify the maximum number of threads to use in tool mode.  This
675              should  not  be  greater  than the number of CPUs in the system.
676              The default is 1.
677
678       writetimeout <integer>
679              Specify the number of seconds to wait before forcibly closing  a
680              connection  with an outstanding write. This allows recovery from
681              various network hang conditions.  A writetimeout of  0  disables
682              this feature.  The default is 0.
683

TLS OPTIONS

685       If  slapd is built with support for Transport Layer Security, there are
686       more options you can specify.
687
688       TLSCipherSuite <cipher-suite-spec>
689              Permits configuring  what  ciphers  will  be  accepted  and  the
690              preference   order.   <cipher-suite-spec>  should  be  a  cipher
691              specification for the TLS library in use  (OpenSSL,  GnuTLS,  or
692              Mozilla NSS).  Example:
693
694                     OpenSSL:
695                            TLSCipherSuite HIGH:MEDIUM:+SSLv2
696
697                     GnuTLS:
698                            TLSCiphersuite SECURE256:!AES-128-CBC
699
700              To check what ciphers a given spec selects in OpenSSL, use:
701
702                   openssl ciphers -v <cipher-suite-spec>
703
704              With  GnuTLS the available specs can be found in the manual page
705              of gnutls-cli(1) (see the description of the option --priority).
706
707              In older versions of GnuTLS, where gnutls-cli does  not  support
708              the  option --priority, you can obtain the — more limited — list
709              of ciphers by calling:
710
711                   gnutls-cli -l
712
713              When using Mozilla NSS, the OpenSSL cipher suite  specifications
714              are  used  and  translated  into  the  format used internally by
715              Mozilla NSS.  There isn't an easy way to list the cipher  suites
716              from  the command line.  The authoritative list is in the source
717              code for Mozilla NSS in the file sslinfo.c in the structure
718                      static const SSLCipherSuiteInfo suiteInfo[]
719
720       TLSCACertificateFile <filename>
721              Specifies the file that contains certificates  for  all  of  the
722              Certificate   Authorities   that   slapd  will  recognize.   The
723              certificate for the CA that signed the server  certificate  must
724              be  included among these certificates. If the signing CA was not
725              a top-level (root) CA, certificates for the entire  sequence  of
726              CA's  from the signing CA to the top-level CA should be present.
727              Multiple certificates are simply appended to the file; the order
728              is not significant.
729
730       TLSCACertificatePath <path>
731              Specifies  the  path  of  a  directory that contains Certificate
732              Authority certificates in  separate  individual  files.  Usually
733              only  one  of  this  or  the  TLSCACertificateFile is used. This
734              directive is not supported when using GnuTLS.
735
736              When using  Mozilla  NSS,  <path>  may  contain  a  Mozilla  NSS
737              cert/key  database.   If  <path> contains a Mozilla NSS cert/key
738              database and CA cert  files,  OpenLDAP  will  use  the  cert/key
739              database and will ignore the CA cert files.
740
741       TLSCertificateFile <filename>
742              Specifies the file that contains the slapd server certificate.
743
744              When  using Mozilla NSS, if using a cert/key database (specified
745              with  TLSCACertificatePath),  TLSCertificateFile  specifies  the
746              name of the certificate to use:
747                   TLSCertificateFile Server-Cert
748              If using a token other than the internal built in token, specify
749              the token name first, followed by a colon:
750                   TLSCertificateFile my hardware device:Server-Cert
751              Use certutil -L to list the certificates by name:
752                   certutil -d /path/to/certdbdir -L
753
754       TLSCertificateKeyFile <filename>
755              Specifies the file that contains the slapd  server  private  key
756              that  matches  the  certificate stored in the TLSCertificateFile
757              file.  Currently, the private key must not be protected  with  a
758              password,  so  it is of critical importance that it is protected
759              carefully.
760
761              When using Mozilla NSS, TLSCertificateKeyFile specifies the name
762              of  a  file  that  contains  the  password  for  the key for the
763              certificate  specified  with  TLSCertificateFile.   The  modutil
764              command  can  be  used  to  turn off password protection for the
765              cert/key  database.   For   example,   if   TLSCACertificatePath
766              specifes  /etc/openldap/certdb  as  the location of the cert/key
767              database, use modutil  to  change  the  password  to  the  empty
768              string:
769                   modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'
770              You  must  have  the  old  password, if any.  Ignore the WARNING
771              about the running browser.  Press 'Enter' for the new password.
772
773       TLSDHParamFile <filename>
774              This directive specifies the file that contains  parameters  for
775              Diffie-Hellman  ephemeral  key  exchange.   This  is required in
776              order to use a DSA certificate on the server. If  multiple  sets
777              of  parameters  are  present  in  the  file, all of them will be
778              processed.  Note  that  setting  this  option  may  also  enable
779              Anonymous  Diffie-Hellman  key  exchanges in certain non-default
780              cipher suites.  You should append "!ADH" to your  cipher  suites
781              if  you  have  changed  them  from  the  default,  otherwise  no
782              certificate exchanges or verification will be done.  When  using
783              GnuTLS  these  parameters  are always generated randomly so this
784              directive is ignored.  This  directive  is  ignored  when  using
785              Mozilla NSS.
786
787       TLSECName <name>
788              Specify  the  name  of a curve to use for Elliptic curve Diffie-
789              Hellman ephemeral key exchange.   This  is  required  to  enable
790              ECDHE  algorithms  in  OpenSSL.   This  option  is not used with
791              GnuTLS; the curves may  be  chosen  in  the  GnuTLS  ciphersuite
792              specification. This option is also ignored for Mozilla NSS.
793
794       TLSProtocolMin <major>[.<minor>]
795              Specifies   minimum   SSL/TLS  protocol  version  that  will  be
796              negotiated.   If  the  server  doesn't  support  at  least  that
797              version,  the  SSL  handshake  will fail.  To require TLS 1.x or
798              higher, set this option to 3.(x+1), e.g.,
799
800                   TLSProtocolMin 3.2
801
802              would require TLS 1.1.  Specifying a minimum that is higher than
803              that  supported by the OpenLDAP implementation will result in it
804              requiring  the  highest  level  that  it  does  support.    This
805              directive is ignored with GnuTLS.
806
807       TLSRandFile <filename>
808              Specifies   the   file   to   obtain   random   bits  from  when
809              /dev/[u]random is not available.  Generally set to the  name  of
810              the  EGD/PRNGD  socket.   The  environment variable RANDFILE can
811              also be used to specify the filename.  This directive is ignored
812              with GnuTLS and Mozilla NSS.
813
814       TLSVerifyClient <level>
815              Specifies  what  checks  to perform on client certificates in an
816              incoming TLS session, if any.  The <level> can be  specified  as
817              one of the following keywords:
818
819              never  This is the default.  slapd will not ask the client for a
820                     certificate.
821
822              allow  The client certificate is requested.  If  no  certificate
823                     is  provided,  the  session  proceeds normally.  If a bad
824                     certificate is provided,  it  will  be  ignored  and  the
825                     session proceeds normally.
826
827              try    The  client  certificate is requested.  If no certificate
828                     is provided, the session proceeds  normally.   If  a  bad
829                     certificate  is  provided,  the  session  is  immediately
830                     terminated.
831
832              demand | hard | true
833                     These keywords  are  all  equivalent,  for  compatibility
834                     reasons.   The  client  certificate  is requested.  If no
835                     certificate  is  provided,  or  a  bad   certificate   is
836                     provided, the session is immediately terminated.
837
838                     Note that a valid client certificate is required in order
839                     to use the SASL EXTERNAL authentication mechanism with  a
840                     TLS  session.   As  such,  a  non-default TLSVerifyClient
841                     setting  must  be  chosen   to   enable   SASL   EXTERNAL
842                     authentication.
843
844       TLSCRLCheck <level>
845              Specifies  if  the  Certificate  Revocation List (CRL) of the CA
846              should be used to verify if the  client  certificates  have  not
847              been revoked. This requires TLSCACertificatePath parameter to be
848              set. This directive is ignored  with  GnuTLS  and  Mozilla  NSS.
849              <level> can be specified as one of the following keywords:
850
851              none   No CRL checks are performed
852
853              peer   Check the CRL of the peer certificate
854
855              all    Check the CRL for a whole certificate chain
856
857       TLSCRLFile <filename>
858              Specifies  a file containing a Certificate Revocation List to be
859              used for verifying that certificates have not been revoked. This
860              directive is only valid when using GnuTLS and Mozilla NSS.
861
862       TLSMozNSSCompatibility <on/true/yes/off/false/no>
863              Specifies  whether  the  MozNSS database compatibility layer for
864              TLS options should be enabled. This options is available only if
865              OpenLDAP  is  compiled with OpenSSL.  This option defaults to be
866              on.
867

GENERAL BACKEND OPTIONS

869       Options in this section only apply to the  configuration  file  section
870       for  the  specified  backend.   They  are  supported  by  every type of
871       backend.
872
873       backend <databasetype>
874              Mark the  beginning  of  a  backend  definition.  <databasetype>
875              should  be  one  of  bdb,  config, dnssrv, hdb, ldap, ldif, mdb,
876              meta,  monitor,  null,  passwd,  perl,  relay,  shell,  or  sql,
877              depending on which backend will serve the database.
878
879

GENERAL DATABASE OPTIONS

881       Options  in  this  section only apply to the configuration file section
882       for the database in which they are  defined.   They  are  supported  by
883       every  type of backend.  Note that the database and at least one suffix
884       option are mandatory for each database.
885
886       database <databasetype>
887              Mark the  beginning  of  a  new  database  instance  definition.
888              <databasetype>  should be one of bdb, config, dnssrv, hdb, ldap,
889              ldif, mdb, meta, monitor, null, passwd, perl, relay,  shell,  or
890              sql, depending on which backend will serve the database.
891
892              LDAP operations, even subtree searches, normally access only one
893              database.  That can be changed by gluing databases together with
894              the  subordinate keyword.  Access controls and some overlays can
895              also involve multiple databases.
896
897       add_content_acl on | off
898              Controls whether Add operations will perform ACL checks  on  the
899              content  of the entry being added. This check is off by default.
900              See the slapd.access(5) manual page  for  more  details  on  ACL
901              requirements for Add operations.
902
903       extra_attrs <attrlist>
904              Lists  what  attributes  need  to  be  added to search requests.
905              Local storage backends return the entire entry to the  frontend.
906              The   frontend  takes  care  of  only  returning  the  requested
907              attributes that are allowed by  ACLs.   However,  features  like
908              access checking and so may need specific attributes that are not
909              automatically returned by remote storage  backends,  like  proxy
910              backends and so on.  <attrlist> is a list of attributes that are
911              needed  for  internal  purposes  and  thus  always  need  to  be
912              collected, even when not explicitly requested by clients.
913
914       hidden on | off
915              Controls  whether the database will be used to answer queries. A
916              database that is hidden will never be  selected  to  answer  any
917              queries,  and  any  suffix  configured  on  the database will be
918              ignored  in  checks  for  conflicts  with  other  databases.  By
919              default, hidden is off.
920
921       lastmod on | off
922              Controls   whether   slapd   will   automatically  maintain  the
923              modifiersName,      modifyTimestamp,      creatorsName,      and
924              createTimestamp  attributes  for  entries.  It also controls the
925              entryCSN and entryUUID  attributes,  which  are  needed  by  the
926              syncrepl provider. By default, lastmod is on.
927
928       limits <selector> <limit> [<limit> [...]]
929              Specify  time and size limits based on the operation's initiator
930              or base DN.  The argument <selector> can be any of
931
932                     anonymous    |    users    |    [<dnspec>=]<pattern>    |
933                     group[/oc[/at]]=<pattern>
934
935              with
936
937                     <dnspec> ::= dn[.<type>][.<style>]
938
939                     <type>  ::= self | this
940
941                     <style>  ::= exact | base | onelevel | subtree | children
942                     | regex | anonymous
943
944              DN type self is the default and means the bound user, while this
945              means  the base DN of the operation.  The term anonymous matches
946              all  unauthenticated  clients.   The  term  users  matches   all
947              authenticated  clients; otherwise an exact dn pattern is assumed
948              unless otherwise specified  by  qualifying  the  (optional)  key
949              string dn with exact or base (which are synonyms), to require an
950              exact match; with onelevel, to  require  exactly  one  level  of
951              depth  match;  with  subtree, to allow any level of depth match,
952              including the exact match; with children, to allow any level  of
953              depth  match,  not  including  the exact match; regex explicitly
954              requires the  (default)  match  based  on  POSIX  (''extended'')
955              regular  expression pattern.  Finally, anonymous matches unbound
956              operations; the pattern field is ignored.  The same behavior  is
957              obtained  by  using the anonymous form of the <selector> clause.
958              The  term  group,  with  the   optional   objectClass   oc   and
959              attributeType  at  fields,  followed by pattern, sets the limits
960              for any DN listed in the values of  the  at  attribute  (default
961              member) of the oc group objectClass (default groupOfNames) whose
962              DN exactly matches pattern.
963
964              The currently supported limits are size and time.
965
966              The syntax  for  time  limits  is  time[.{soft|hard}]=<integer>,
967              where  integer  is  the  number  of  seconds  slapd  will  spend
968              answering a search request.  If  no  time  limit  is  explicitly
969              requested  by  the  client,  the  soft  limit  is  used;  if the
970              requested time limit exceeds the hard limit, the  value  of  the
971              limit  is used instead.  If the hard limit is set to the keyword
972              soft, the soft limit is used in either case; if it is set to the
973              keyword unlimited, no hard limit is enforced.  Explicit requests
974              for time limits smaller or equal to the hard limit are  honored.
975              If  no limit specifier is set, the value is assigned to the soft
976              limit, and the hard limit  is  set  to  soft,  to  preserve  the
977              original behavior.
978
979              The        syntax        for        size        limits        is
980              size[.{soft|hard|unchecked}]=<integer>,  where  integer  is  the
981              maximum  number  of entries slapd will return answering a search
982              request.  If no  size  limit  is  explicitly  requested  by  the
983              client,  the  soft  limit  is  used; if the requested size limit
984              exceeds the hard limit, the value of the limit is used  instead.
985              If  the hard limit is set to the keyword soft, the soft limit is
986              used in either case; if it is set to the keyword  unlimited,  no
987              hard  limit  is  enforced.   Explicit  requests  for size limits
988              smaller or equal to the hard limit are honored.   The  unchecked
989              specifier  sets  a  limit  on  the number of candidates a search
990              request is allowed to examine.  The rationale behind it is  that
991              searches for non-properly indexed attributes may result in large
992              sets of candidates,  which  must  be  examined  by  slapd(8)  to
993              determine  whether  they  match  the  search filter or not.  The
994              unchecked limit provides a means to drop such operations  before
995              they  are  even  started.  If the selected candidates exceed the
996              unchecked  limit,  the  search  will  abort  with  Unwilling  to
997              perform.   If  it  is  set to the keyword unlimited, no limit is
998              applied (the default).  If it is set to disabled, the search  is
999              not  even performed; this can be used to disallow searches for a
1000              specific set of users.  If no limit specifier is set, the  value
1001              is  assigned  to  the  soft  limit, and the hard limit is set to
1002              soft, to preserve the original behavior.
1003
1004              In case of no match, the global limits are  used.   The  default
1005              values  are the same as for sizelimit and timelimit; no limit is
1006              set on unchecked.
1007
1008              If pagedResults control is requested, the  hard  size  limit  is
1009              used  by default, because the request of a specific page size is
1010              considered an explicit request for a limitation on the number of
1011              entries  to be returned.  However, the size limit applies to the
1012              total count of entries returned within the search, and not to  a
1013              single page.  Additional size limits may be enforced; the syntax
1014              is size.pr={<integer>|noEstimate|unlimited},  where  integer  is
1015              the  max  page  size  if  no  explicit limit is set; the keyword
1016              noEstimate inhibits the server from returning an estimate of the
1017              total  number  of  entries  that  might  be  returned (note: the
1018              current implementation  does  not  return  any  estimate).   The
1019              keyword  unlimited  indicates  that  no  limit is applied to the
1020              pagedResults     control     page     size.      The      syntax
1021              size.prtotal={<integer>|unlimited|disabled}   allows  to  set  a
1022              limit on the total number of entries that a pagedResults control
1023              allows to return.  By default it is set to the hard limit.  When
1024              set, integer is the max number of entries that the whole  search
1025              with  pagedResults  control  can return.  Use unlimited to allow
1026              unlimited number of entries to be returned, e.g.  to  allow  the
1027              use  of  the  pagedResults control as a means to circumvent size
1028              limitations on regular searches; the keyword  disabled  disables
1029              the  control,  i.e. no paged results can be returned.  Note that
1030              the total number  of  entries  returned  when  the  pagedResults
1031              control  is  requested  cannot  exceed  the  hard  size limit of
1032              regular searches unless extended by the prtotal switch.
1033
1034              The limits statement is  typically  used  to  let  an  unlimited
1035              number  of  entries  be  returned by searches performed with the
1036              identity used by the consumer for  synchronization  purposes  by
1037              means of the RFC 4533 LDAP Content Synchronization protocol (see
1038              syncrepl for details).
1039
1040       maxderefdepth <depth>
1041              Specifies the maximum number  of  aliases  to  dereference  when
1042              trying  to resolve an entry, used to avoid infinite alias loops.
1043              The default is 15.
1044
1045       mirrormode on | off
1046              This option puts a replica database into "mirror" mode.   Update
1047              operations  will  be  accepted  from  any  user,  not  just  the
1048              updatedn.  The database must already be configured as a syncrepl
1049              consumer before this keyword may be set. This mode also requires
1050              a serverID (see above) to be configured.  By default, mirrormode
1051              is off.
1052
1053       monitoring on | off
1054              This  option  enables  database-specific monitoring in the entry
1055              related to the current database in the "cn=Databases,cn=Monitor"
1056              subtree  of  the  monitor  database,  if the monitor database is
1057              enabled.  Currently, only the BDB and the HDB databases  provide
1058              database-specific   monitoring.   The  default  depends  on  the
1059              backend type.
1060
1061       overlay <overlay-name>
1062              Add the specified overlay to this  database.  An  overlay  is  a
1063              piece  of  code  that intercepts database operations in order to
1064              extend or change them. Overlays are pushed onto a stack over the
1065              database,  and  so they will execute in the reverse of the order
1066              in which they were  configured  and  the  database  itself  will
1067              receive  control  last  of all. See the slapd.overlays(5) manual
1068              page for an overview of the available overlays.  Note  that  all
1069              of  the  database's regular settings should be configured before
1070              any overlay settings.
1071
1072       readonly on | off
1073              This option  puts  the  database  into  "read-only"  mode.   Any
1074              attempts  to  modify  the  database will return an "unwilling to
1075              perform" error.  By default, readonly is off.
1076
1077       restrict <oplist>
1078              Specify a whitespace  separated  list  of  operations  that  are
1079              restricted.    If   defined  inside  a  database  specification,
1080              restrictions apply only to that  database,  otherwise  they  are
1081              global.   Operations  can  be any of add, bind, compare, delete,
1082              extended[=<OID>], modify, rename, search, or the special pseudo-
1083              operations read and write, which respectively summarize read and
1084              write operations.  The use of restrict write  is  equivalent  to
1085              readonly  on  (see  above).   The  extended  keyword  allows  to
1086              indicate the OID of the specific operation to be restricted.
1087
1088       rootdn <dn>
1089              Specify the distinguished name that is  not  subject  to  access
1090              control  or  administrative limit restrictions for operations on
1091              this database.  This DN may or may not  be  associated  with  an
1092              entry.   An empty root DN (the default) specifies no root access
1093              is to be granted.  It is recommended that  the  rootdn  only  be
1094              specified  when  needed  (such  as  when  initially populating a
1095              database).  If the rootdn is within a namingContext (suffix)  of
1096              the  database, a simple bind password may also be provided using
1097              the  rootpw  directive.  Many   optional   features,   including
1098              syncrepl, require the rootdn to be defined for the database.
1099
1100       rootpw <password>
1101              Specify  a  password  (or  hash of the password) for the rootdn.
1102              The password can only  be  set  if  the  rootdn  is  within  the
1103              namingContext (suffix) of the database.  This option accepts all
1104              RFC  2307  userPassword  formats  known  to  the   server   (see
1105              password-hash  description) as well as cleartext.  slappasswd(8)
1106              may be used to generate a hash of  a  password.   Cleartext  and
1107              {CRYPT}  passwords are not recommended.  If empty (the default),
1108              authentication of the root DN is by  other  means  (e.g.  SASL).
1109              Use of SASL is encouraged.
1110
1111       suffix <dn suffix>
1112              Specify  the  DN  suffix  of queries that will be passed to this
1113              backend database.  Multiple suffix lines can  be  given  and  at
1114              least one is required for each database definition.
1115
1116              If  the  suffix of one database is "inside" that of another, the
1117              database  with  the  inner  suffix  must  come  first   in   the
1118              configuration  file.   You  may also want to glue such databases
1119              together with the subordinate keyword.
1120
1121       subordinate [advertise]
1122              Specify that the current backend database is  a  subordinate  of
1123              another  backend database. A subordinate  database may have only
1124              one suffix. This option may be used to glue  multiple  databases
1125              into  a  single  namingContext.   If  the  suffix of the current
1126              database is within the namingContext  of  a  superior  database,
1127              searches against the superior database will be propagated to the
1128              subordinate as well. All of  the  databases  associated  with  a
1129              single namingContext should have identical rootdns.  Behavior of
1130              other  LDAP  operations  is  unaffected  by  this  setting.   In
1131              particular,  it  is  not  possible to use moddn to move an entry
1132              from  one  subordinate  to  another   subordinate   within   the
1133              namingContext.
1134
1135              If  the  optional advertise flag is supplied, the naming context
1136              of this database is advertised in the root DSE. The  default  is
1137              to hide this database context, so that only the superior context
1138              is visible.
1139
1140              If the slap tools slapcat(8), slapadd(8),  or  slapindex(8)  are
1141              used  on  the  superior  database,  any  glued subordinates that
1142              support these tools are opened as well.
1143
1144              Databases that are glued together should usually  be  configured
1145              with the same indices (assuming they support indexing), even for
1146              attributes that only  exist  in  some  of  these  databases.  In
1147              general,  all  of  the  glued  databases should be configured as
1148              similarly as possible,  since  the  intent  is  to  provide  the
1149              appearance of a single directory.
1150
1151              Note   that   the   subordinate   functionality  is  implemented
1152              internally by the glue overlay and as  such  its  behavior  will
1153              interact  with  other  overlays  in  use.  By  default, the glue
1154              overlay is automatically configured as the last overlay  on  the
1155              superior  backend. Its position on the backend can be explicitly
1156              configured by setting an overlay glue directive at  the  desired
1157              position.  This  explicit  configuration is necessary e.g.  when
1158              using the syncprov overlay, which needs to follow glue in  order
1159              to work over all of the glued databases. E.g.
1160                   database bdb
1161                   suffix dc=example,dc=com
1162                   ...
1163                   overlay glue
1164                   overlay syncprov
1165
1166       sync_use_subentry
1167              Store  the  syncrepl  contextCSN  in  a  subentry instead of the
1168              context entry of  the  database.  The  subentry's  RDN  will  be
1169              "cn=ldapsync".  By  default  the  contextCSN  is  stored  in the
1170              context entry.
1171
1172       syncrepl    rid=<replica    ID>    provider=ldap[s]://<hostname>[:port]
1173              searchbase=<base     DN>    [type=refreshOnly|refreshAndPersist]
1174              [interval=dd:hh:mm:ss]   [retry=[<retry    interval>    <#    of
1175              retries>]+]  [filter=<filter  str>]  [scope=sub|one|base|subord]
1176              [attrs=<attr   list>]    [exattrs=<attr    list>]    [attrsonly]
1177              [sizelimit=<limit>]  [timelimit=<limit>] [schemachecking=on|off]
1178              [network-timeout=<seconds>]                  [timeout=<seconds>]
1179              [bindmethod=simple|sasl]     [binddn=<dn>]     [saslmech=<mech>]
1180              [authcid=<identity>] [authzid=<identity>] [credentials=<passwd>]
1181              [realm=<realm>]                          [secprops=<properties>]
1182              [keepalive=<idle>:<probes>:<interval>]   [starttls=yes|critical]
1183              [tls_cert=<file>]      [tls_key=<file>]      [tls_cacert=<file>]
1184              [tls_cacertdir=<path>]      [tls_reqcert=never|allow|try|demand]
1185              [tls_cipher_suite=<ciphers>]        [tls_crlcheck=none|peer|all]
1186              [tls_protocol_min=<major>[.<minor>]]  [suffixmassage=<real  DN>]
1187              [logbase=<base        DN>]        [logfilter=<filter       str>]
1188              [syncdata=default|accesslog|changelog]
1189              Specify the current database as a replica which is  kept  up-to-
1190              date  with  the  master  content  by  establishing  the  current
1191              slapd(8) as a  replication  consumer  site  running  a  syncrepl
1192              replication engine.  The replica content is kept synchronized to
1193              the  master  content  using  the  LDAP  Content  Synchronization
1194              protocol.  Refer  to  the  "OpenLDAP  Administrator's Guide" for
1195              detailed information on setting up a replicated slapd  directory
1196              service using the syncrepl replication engine.
1197
1198              rid   identifies  the  current  syncrepl  directive  within  the
1199              replication consumer site.  It is  a  non-negative  integer  not
1200              greater than 999 (limited to three decimal digits).
1201
1202              provider  specifies the replication provider site containing the
1203              master content as an LDAP URI.  If  <port>  is  not  given,  the
1204              standard LDAP port number (389 or 636) is used.
1205
1206              The  content  of  the syncrepl replica is defined using a search
1207              specification as its result set. The consumer  slapd  will  send
1208              search  requests  to  the provider slapd according to the search
1209              specification. The  search  specification  includes  searchbase,
1210              scope,   filter,  attrs,  attrsonly,  sizelimit,  and  timelimit
1211              parameters as in the normal  search  specification.   The  scope
1212              defaults  to  sub, the filter defaults to (objectclass=*), while
1213              there is no default searchbase. The attrs list defaults to "*,+"
1214              to  return all user and operational attributes, and attrsonly is
1215              unset by default.   The  sizelimit  and  timelimit  only  accept
1216              "unlimited"   and   positive   integers,  and  both  default  to
1217              "unlimited".  The sizelimit and timelimit  parameters  define  a
1218              consumer  requested limitation on the number of entries that can
1219              be returned by the LDAP Content  Synchronization  operation;  as
1220              such,  it  is intended to implement partial replication based on
1221              the size of the replicated database and on the time required  by
1222              the  synchronization.   Note,  however,  that  any provider-side
1223              limits for the replication identity  will  be  enforced  by  the
1224              provider  regardless of the limits requested by the LDAP Content
1225              Synchronization  operation,  much  like  for  any  other  search
1226              operation.    exattrs   option  may  also  be  used  to  specify
1227              attributes that should be omitted from  incoming  entries.   The
1228              scope  defaults  to sub, the filter defaults to (objectclass=*),
1229              and there is no default searchbase. The attrs list  defaults  to
1230              "*,+"  to  return  all  user  and  operational  attributes,  and
1231              attrsonly and exattrs are unset by default.  The  sizelimit  and
1232              timelimit  only  accept  "unlimited"  and positive integers, and
1233              both default to "unlimited".  Note, however, that any  provider-
1234              side limits for the replication identity will be enforced by the
1235              provider regardless of the limits requested by the LDAP  Content
1236              Synchronization  operation,  much  like  for  any  other  search
1237              operation.
1238
1239              The LDAP Content  Synchronization  protocol  has  two  operation
1240              types.   In  the refreshOnly operation, the next synchronization
1241              search operation is periodically rescheduled at an interval time
1242              (specified  by  interval parameter; 1 day by default) after each
1243              synchronization operation finishes.   In  the  refreshAndPersist
1244              operation,  a  synchronization  search remains persistent in the
1245              provider slapd.  Further updates  to  the  master  replica  will
1246              generate  searchResultEntry  to the consumer slapd as the search
1247              responses to the persistent synchronization search.
1248
1249              If an error occurs during replication, the consumer will attempt
1250              to reconnect according to the retry parameter which is a list of
1251              the <retry interval> and <# of  retries>  pairs.   For  example,
1252              retry="60 10 300 3" lets the consumer retry every 60 seconds for
1253              the first 10 times and then retry every 300 seconds for the next
1254              3  times  before  stop retrying. The `+' in <# of retries> means
1255              indefinite number of retries until success.   If  no  retry  was
1256              specified, by default syncrepl retries every hour forever.
1257
1258              The  schema  checking  can be enforced at the LDAP Sync consumer
1259              site by turning on the schemachecking parameter. The default  is
1260              off.  Schema checking on means that replicated entries must have
1261              a structural objectClass, must obey to objectClass  requirements
1262              in   terms  of  required/allowed  attributes,  and  that  naming
1263              attributes and distinguished  values  must  be  present.   As  a
1264              consequence,   schema   checking  should  be  off  when  partial
1265              replication is used.
1266
1267              The network-timeout parameter sets how long  the  consumer  will
1268              wait  to  establish a network connection to the provider. Once a
1269              connection is established, the timeout parameter determines  how
1270              long  the  consumer  will  wait  for the initial Bind request to
1271              complete.  The  defaults  for   these   parameters   come   from
1272              ldap.conf(5).
1273
1274              A   bindmethod   of  simple  requires  the  options  binddn  and
1275              credentials and should  only  be  used  when  adequate  security
1276              services  (e.g.  TLS  or  IPSEC) are in place.  REMEMBER: simple
1277              bind credentials must be in cleartext!   A  bindmethod  of  sasl
1278              requires  the  option  saslmech.  Depending on the mechanism, an
1279              authentication identity  and/or  credentials  can  be  specified
1280              using  authcid  and  credentials.   The authzid parameter may be
1281              used to specify an authorization  identity.   Specific  security
1282              properties  (as with the sasl-secprops keyword above) for a SASL
1283              bind can be set with the secprops option.  A  non  default  SASL
1284              realm  can  be set with the realm option.  The identity used for
1285              synchronization by the consumer should be allowed to receive  an
1286              unlimited  number  of  entries  in response to a search request.
1287              The provider, other than allow authentication  of  the  syncrepl
1288              identity,   should   grant   that  identity  appropriate  access
1289              privileges  to  the  data  that  is  being  replicated   (access
1290              directive),  and  appropriate time and size limits.  This can be
1291              accomplished  by  either  allowing   unlimited   sizelimit   and
1292              timelimit,  or by setting an appropriate limits statement in the
1293              consumer's configuration (see sizelimit and limits for details).
1294
1295              The keepalive parameter sets the values  of  idle,  probes,  and
1296              interval  used  to  check whether a socket is alive; idle is the
1297              number of seconds a connection needs to remain idle  before  TCP
1298              starts sending keepalive probes; probes is the maximum number of
1299              keepalive probes TCP should send before dropping the connection;
1300              interval  is  interval  in  seconds between individual keepalive
1301              probes.  Only some systems support the  customization  of  these
1302              values;  the  keepalive  parameter  is  ignored  otherwise,  and
1303              system-wide settings are used.
1304
1305              The starttls parameter specifies use of  the  StartTLS  extended
1306              operation  to  establish  a  TLS  session  before Binding to the
1307              provider. If the critical argument is supplied, the session will
1308              be aborted if the StartTLS request fails. Otherwise the syncrepl
1309              session continues without TLS. The tls_reqcert setting  defaults
1310              to  "demand"  and  the other TLS settings default to the same as
1311              the main slapd TLS settings.
1312
1313              The suffixmassage parameter allows the consumer to pull  entries
1314              from  a  remote directory whose DN suffix differs from the local
1315              directory. The portion of the remote entries' DNs  that  matches
1316              the searchbase will be replaced with the suffixmassage DN.
1317
1318              Rather  than  replicating  whole entries, the consumer can query
1319              logs of data modifications. This mode of operation  is  referred
1320              to  as  delta syncrepl. In addition to the above parameters, the
1321              logbase and logfilter parameters must be set  appropriately  for
1322              the log that will be used. The syncdata parameter must be set to
1323              either "accesslog" if the log conforms to the slapo-accesslog(5)
1324              log  format,  or "changelog" if the log conforms to the obsolete
1325              changelog format. If the syncdata parameter is omitted or set to
1326              "default" then the log parameters are ignored.
1327
1328       updatedn <dn>
1329              This  option  is  only  applicable  in  a  slave  database.   It
1330              specifies  the  DN  permitted  to  update  (subject  to   access
1331              controls)  the  replica.  It is only needed in certain push-mode
1332              replication scenarios.  Generally, this DN  should  not  be  the
1333              same as the rootdn used at the master.
1334
1335       updateref <url>
1336              Specify  the  referral  to  pass  back when slapd(8) is asked to
1337              modify a  replicated  local  database.   If  specified  multiple
1338              times, each url is provided.
1339
1340

DATABASE-SPECIFIC OPTIONS

1342       Each  database  may  allow  specific  configuration  options;  they are
1343       documented  separately  in  the  backends'  manual   pages.   See   the
1344       slapd.backends(5) manual page for an overview of available backends.
1345

EXAMPLES

1347       Here is a short example of a configuration file:
1348
1349              include   /etc/openldap/schema/core.schema
1350              pidfile   /var/run/slapd.pid
1351
1352              # Subtypes of "name" (e.g. "cn" and "ou") with the
1353              # option ";x-hidden" can be searched for/compared,
1354              # but are not shown.  See slapd.access(5).
1355              attributeoptions x-hidden lang-
1356              access to attrs=name;x-hidden by * =cs
1357
1358              # Protect passwords.  See slapd.access(5).
1359              access    to attrs=userPassword  by * auth
1360              # Read access to other attributes and entries.
1361              access    to *  by * read
1362
1363              database  bdb
1364              suffix    "dc=our-domain,dc=com"
1365              # The database directory MUST exist prior to
1366              # running slapd AND should only be accessible
1367              # by the slapd/tools. Mode 0700 recommended.
1368              directory /var/openldap-data
1369              # Indices to maintain
1370              index     objectClass  eq
1371              index     cn,sn,mail   pres,eq,approx,sub
1372
1373              # We serve small clients that do not handle referrals,
1374              # so handle remote lookups on their behalf.
1375              database  ldap
1376              suffix    ""
1377              uri       ldap://ldap.some-server.com/
1378              lastmod   off
1379
1380       "OpenLDAP Administrator's Guide" contains a longer annotated example of
1381       a configuration file.  The original /etc/openldap/slapd.conf is another
1382       example.
1383

FILES

1385       /etc/openldap/slapd.conf
1386              default slapd configuration file
1387

SEE ALSO

1389       ldap(3),      gnutls-cli(1),      slapd-config(5),     slapd.access(5),
1390       slapd.backends(5),   slapd.overlays(5),   slapd.plugin(5),    slapd(8),
1391       slapacl(8),    slapadd(8),    slapauth(8),    slapcat(8),    slapdn(8),
1392       slapindex(8), slappasswd(8), slaptest(8).
1393
1394       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
1395

ACKNOWLEDGEMENTS

1397       OpenLDAP Software is developed and maintained by The  OpenLDAP  Project
1398       <http://www.openldap.org/>.    OpenLDAP   Software   is   derived  from
1399       University of Michigan LDAP 3.3 Release.
1400
1401
1402
1403OpenLDAP 2.4.44                   2016/02/05                     SLAPD.CONF(5)
Impressum