SLAPD.CONF(5)                 File Formats Manual                SLAPD.CONF(5)

NAME
    slapd.conf - configuration file for slapd, the stand-alone LDAP daemon

SYNOPSIS
    /etc/openldap/slapd.conf

DESCRIPTION
    The file /etc/openldap/slapd.conf contains configuration information
    for the slapd(8) daemon. This configuration file is also used by the
    SLAPD tools slapacl(8), slapadd(8), slapauth(8), slapcat(8), slapdn(8),
    slapindex(8), and slaptest(8).

    The slapd.conf file consists of a series of global configuration
    options that apply to slapd as a whole (including all backends),
    followed by zero or more database backend definitions that contain
    information specific to a backend instance. The configuration options
    are case-insensitive; their values, on a case by case basis, may be
    case-sensitive.

    The general format of slapd.conf is as follows:

        # comment - these options apply to every database
        <global configuration options>
        # first database definition & configuration options
        database <backend 1 type>
        <configuration options specific to backend 1>
        # subsequent database definitions & configuration options
        ...

    As many backend-specific sections as desired may be included. Global
    options can be overridden in a backend (for options that appear more
    than once, the last appearance in the slapd.conf file is used).

    If a line begins with white space, it is considered a continuation of
    the previous line. No physical line should be over 2000 bytes long.

    Blank lines and comment lines beginning with a `#' character are
    ignored. Note: continuation lines are unwrapped before comment
    processing is applied.

    Arguments on configuration lines are separated by white space. If an
    argument contains white space, the argument should be enclosed in
    double quotes. If an argument contains a double quote (`"') or a
    backslash character (`\'), the character should be preceded by a
    backslash character.
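The line rules above, as an added illustration (this is not OpenLDAP's own parser): a small Python tokenizer that unwraps continuation lines before dropping comments, splits arguments on white space, and honours double quotes and backslash escapes. The sample configuration it parses is constructed for the example.

```python
"""Model of the slapd.conf line format (added example, not OpenLDAP's parser).

Rules modelled from the text above: a line beginning with white space
continues the previous line; continuation lines are unwrapped before blank
and `#' comment lines are dropped; arguments are separated by white space,
may be enclosed in double quotes, and `"' or `\\' inside an argument is
escaped with a backslash. Directive names are case-insensitive.
"""
from typing import Iterator

MAX_PHYSICAL_LINE = 2000  # bytes; the man page's stated limit per physical line


def unwrap_lines(text: str) -> Iterator[str]:
    """Yield logical lines, joining each white-space-led physical line onto the previous one."""
    logical = None
    for raw in text.splitlines():
        if len(raw.encode()) > MAX_PHYSICAL_LINE:
            raise ValueError("physical line longer than %d bytes" % MAX_PHYSICAL_LINE)
        if raw[:1] in (" ", "\t") and logical is not None:
            logical += " " + raw.strip()      # continuation of the previous logical line
            continue
        if logical is not None:
            yield logical
        logical = raw
    if logical is not None:
        yield logical


def split_args(line: str) -> list[str]:
    """Split one logical line into arguments, honouring "..." and backslash escapes."""
    args: list[str] = []
    cur: list[str] = []
    in_quote = escaped = have_token = False
    for ch in line:
        if escaped:                      # \" and \\ yield the literal character
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote      # quotes delimit but are not part of the argument
            have_token = True
        elif ch.isspace() and not in_quote:
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
    if in_quote or escaped:
        raise ValueError("unterminated quote or trailing backslash in: %r" % line)
    if have_token:
        args.append("".join(cur))
    return args


def parse_config(text: str) -> list[tuple[str, list[str]]]:
    """Return (directive, arguments) pairs; the directive is lower-cased as it is case-insensitive."""
    directives = []
    for logical in unwrap_lines(text):
        if not logical.strip() or logical.lstrip().startswith("#"):
            continue                      # blank line, or a comment together with its continuations
        args = split_args(logical)
        if args:
            directives.append((args[0].lower(), args[1:]))
    return directives


# Constructed sample; the comment's continuation line is dropped with the comment.
SAMPLE = r'''# comment - these options apply to every database
include /etc/openldap/schema/core.schema
defaultsearchbase "dc=example, dc=com"
access to attrs=userPassword
        by dn.exact="cn=Manager,dc=example,dc=com" write
        by self write
        by * auth
# the next line continues this comment, so "loglevel any" never takes effect:
        loglevel any
referral "ldap://ldap.example.com/\"odd\" path\\x"

database mdb
'''

if __name__ == "__main__":
    for directive, args in parse_config(SAMPLE):
        print(directive, args)
```

Note that the indented "loglevel any" silently becomes part of the preceding comment, which is exactly the trap the "continuation lines are unwrapped before comment processing" sentence warns about.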

    The specific configuration options available are discussed below in the
    Global Configuration Options, General Backend Options, and General
    Database Options. Backend-specific options are discussed in the
    slapd-<backend>(5) manual pages. Refer to the "OpenLDAP Administrator's
    Guide" for more details on the slapd configuration file.

GLOBAL CONFIGURATION OPTIONS
    Options described in this section apply to all backends, unless
    specifically overridden in a backend definition. Arguments that should
    be replaced by actual text are shown in brackets <>.

    access to <what> [ by <who> <access> <control> ]+
        Grant access (specified by <access>) to a set of entries and/or
        attributes (specified by <what>) by one or more requestors
        (specified by <who>). If no access controls are present, the
        default policy allows anyone and everyone to read anything but
        restricts updates to rootdn (e.g., "access to * by * read").
        The rootdn can always read and write EVERYTHING! See
        slapd.access(5) and the "OpenLDAP Administrator's Guide" for
        details.

    allow <features>
        Specify a set of features (separated by white space) to allow
        (default none). bind_v2 allows acceptance of LDAPv2 bind
        requests. Note that slapd(8) does not truly implement LDAPv2
        (RFC 1777), now Historic (RFC 3494). bind_anon_cred allows
        anonymous bind when credentials are not empty (e.g. when DN is
        empty). bind_anon_dn allows unauthenticated (anonymous) bind
        when DN is not empty. update_anon allows unauthenticated
        (anonymous) update operations to be processed (subject to access
        controls and other administrative limits). proxy_authz_anon
        allows unauthenticated (anonymous) proxy authorization control
        to be processed (subject to access controls, authorization and
        other administrative limits).

    argsfile <filename>
        The (absolute) name of a file that will hold the slapd server's
        command line (program name and options).

    attributeoptions [option-name]...
        Define tagging attribute options or option tag/range prefixes.
        Options must not end with `-', prefixes must end with `-'. The
        `lang-' prefix is predefined. If you use the attributeoptions
        directive, `lang-' will no longer be defined and you must
        specify it explicitly if you want it defined.

        An attribute description with a tagging option is a subtype of
        that attribute description without the option. Except for that,
        options defined this way have no special semantics. Prefixes
        defined this way work like the `lang-' options: They define a
        prefix for tagging options starting with the prefix. That is,
        if you define the prefix `x-foo-', you can use the option
        `x-foo-bar'. Furthermore, in a search or compare, a prefix or
        range name (with a trailing `-') matches all options starting
        with that name, as well as the option with the range name sans
        the trailing `-'. That is, `x-foo-bar-' matches `x-foo-bar' and
        `x-foo-bar-baz'.

        RFC 4520 reserves options beginning with `x-' for private
        experiments. Other options should be registered with IANA, see
        RFC 4520 section 3.5. OpenLDAP also has the `binary' option
        built in, but this is a transfer option, not a tagging option.

    attributetype ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE]
        [SUP <oid>] [EQUALITY <oid>] [ORDERING <oid>] [SUBSTR <oid>]
        [SYNTAX <oidlen>] [SINGLE-VALUE] [COLLECTIVE]
        [NO-USER-MODIFICATION] [USAGE <attributeUsage>] )
        Specify an attribute type using the LDAPv3 syntax defined in RFC
        4512. The slapd parser extends the RFC 4512 definition by
        allowing string forms as well as numeric OIDs to be used for the
        attribute OID and attribute syntax OID. (See the
        objectidentifier description.)

    authid-rewrite<cmd> <args>
        Used by the authentication framework to convert simple user
        names to an LDAP DN used for authorization purposes. Its
        purpose is analogous to that of authz-regexp (see below). The
        prefix authid- is followed by a set of rules analogous to those
        described in slapo-rwm(5) for data rewriting (replace the rwm-
        prefix with authid-). authid-rewrite<cmd> and authz-regexp
        rules should not be intermixed.

    authz-policy <policy>
        Used to specify which rules to use for Proxy Authorization.
        Proxy authorization allows a client to authenticate to the
        server using one user's credentials, but specify a different
        identity to use for authorization and access control purposes.
        It essentially allows user A to login as user B, using user A's
        password. The none flag disables proxy authorization. This is
        the default setting. The from flag will use rules in the
        authzFrom attribute of the authorization DN. The to flag will
        use rules in the authzTo attribute of the authentication DN.
        The any flag, an alias for the deprecated value of both, will
        allow any of the above, whatever succeeds first (checked in to,
        from sequence). The all flag requires both authorizations to
        succeed.

        The rules are mechanisms to specify which identities are allowed
        to perform proxy authorization. The authzFrom attribute in an
        entry specifies which other users are allowed to proxy login to
        this entry. The authzTo attribute in an entry specifies which
        other users this user can authorize as. Use of authzTo rules
        can be easily abused if users are allowed to write arbitrary
        values to this attribute. In general the authzTo attribute must
        be protected with ACLs such that only privileged users can
        modify it. The value of authzFrom and authzTo describes an
        identity or a set of identities; it can take five forms:

            ldap:///<base>??[<scope>]?<filter>
            dn[.<dnstyle>]:<pattern>
            u[.<mech>[/<realm>]]:<pattern>
            group[/objectClass[/attributeType]]:<pattern>
            <pattern>

            <dnstyle>:={exact|onelevel|children|subtree|regex}

        The first form is a valid LDAP URI where the <host>:<port>, the
        <attrs> and the <extensions> portions must be absent, so that
        the search occurs locally on either authzFrom or authzTo. The
        second form is a DN, with the optional style modifiers exact,
        onelevel, children, and subtree for exact, onelevel, children
        and subtree matches, which cause <pattern> to be normalized
        according to the DN normalization rules, or the special regex
        style, which causes the <pattern> to be treated as a POSIX
        ("extended") regular expression, as discussed in regex(7)
        and/or re_format(7). A pattern of * means any non-anonymous DN.
        The third form is a SASL id, with the optional fields <mech> and
        <realm> that allow one to specify a SASL mechanism and,
        optionally, a SASL realm, for those mechanisms that support one.
        The need to allow the specification of a mechanism is still
        debated, and users are strongly discouraged from relying on this
        possibility. The fourth form is a group specification,
        consisting of the keyword group, optionally followed by the
        specification of the group objectClass and member
        attributeType. The group with DN <pattern> is searched with
        base scope, and in case of match, the values of the member
        attributeType are searched for the asserted DN. For backwards
        compatibility, if no identity type is provided, i.e. only
        <pattern> is present, an exact DN is assumed; as a consequence,
        <pattern> is subjected to DN normalization. Since the
        interpretation of authzFrom and authzTo can impact security,
        users are strongly encouraged to explicitly set the type of
        identity specification that is being used. A subset of these
        rules can be used as third arg in the authz-regexp statement
        (see below); significantly, the URI, provided it results in
        exactly one entry, and the dn.exact:<dn> forms.

    authz-regexp <match> <replace>
        Used by the authentication framework to convert simple user
        names, such as provided by the SASL subsystem, or extracted from
        certificates in case of cert-based SASL EXTERNAL, or provided
        within the RFC 4370 "proxied authorization" control, to an LDAP
        DN used for authorization purposes. Note that the resulting DN
        need not refer to an existing entry to be considered valid.
        When an authorization request is received from the SASL
        subsystem, the SASL USERNAME, REALM, and MECHANISM are taken,
        when available, and combined into a name of the form

            UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth

        This name is then compared against the match POSIX
        ("extended") regular expression, and if the match is
        successful, the name is replaced with the replace string. If
        there are wildcard strings in the match regular expression that
        are enclosed in parentheses, e.g.

            UID=([^,]*),CN=.*

        then the portion of the name that matched the wildcard will be
        stored in the numbered placeholder variable $1. If there are
        other wildcard strings in parentheses, the matching strings will
        be in $2, $3, etc. up to $9. The placeholders can then be used
        in the replace string, e.g.

            UID=$1,OU=Accounts,DC=example,DC=com

        The replaced name can be either a DN, i.e. a string prefixed by
        "dn:", or an LDAP URI. If the latter, the server will use the
        URI to search its own database(s) and, if the search returns
        exactly one entry, the name is replaced by the DN of that entry.
        The LDAP URI must have no hostport, attrs, or extensions
        components, but the filter is mandatory, e.g.

            ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)

        The protocol portion of the URI must be strictly ldap. Note
        that this search is subject to access controls. Specifically,
        the authentication identity must have "auth" access in the
        subject.

        Multiple authz-regexp options can be given in the configuration
        file to allow for multiple matching and replacement patterns.
        The matching patterns are checked in the order they appear in
        the file, stopping at the first successful match.
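The authz-regexp mapping described above, as an added worked model (not OpenLDAP code): it builds the SASL-derived name, applies a constructed rule list in file order with $1..$9 placeholders, stops at the first match, and checks the result against the "dn:" and ldap:/// shapes the page allows. Python's re module stands in for slapd's POSIX extended regular expressions, and the unanchored, case-insensitive search is an assumption about how slapd applies <match>.

```python
"""Model of the authz-regexp mapping described above (added example, not OpenLDAP code).

It builds the SASL-derived name, applies the configured <match> <replace>
rules in file order with $1..$9 placeholders, stops at the first match, and
checks that the result is a "dn:" form or an ldap:/// URI with the shape the
man page requires. Python's re module stands in for slapd's POSIX extended
regular expressions; the patterns used here behave the same in both.
"""
import re
from dataclasses import dataclass
from typing import Optional, Union

PLACEHOLDER = re.compile(r"\$([1-9])")


def sasl_auth_name(username: str, realm: Optional[str] = None,
                   mechanism: Optional[str] = None) -> str:
    """UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth (realm only with a mechanism)."""
    parts = ["UID=" + username]
    if mechanism and realm:
        parts.append("CN=" + realm)
    if mechanism:
        parts.append("CN=" + mechanism)
    parts.append("CN=auth")
    return ",".join(parts)


@dataclass(frozen=True)
class AuthzRegexp:
    match: str     # <match>: extended regular expression
    replace: str   # <replace>: dn:<dn> or ldap:///... with $1..$9 placeholders


def apply_authz_regexps(name: str, rules: list[AuthzRegexp]) -> Optional[str]:
    """Replacement from the first rule whose <match> matches, or None if none does.

    Assumption: the match is an unanchored, case-insensitive search, so a
    <match> should spell out the whole name (the man page's "UID=([^,]*),CN=.*").
    """
    for rule in rules:
        m = re.search(rule.match, name, re.IGNORECASE)
        if m is None:
            continue

        def placeholder(p: re.Match) -> str:
            n = int(p.group(1))
            return (m.group(n) or "") if n <= m.re.groups else ""   # unset groups expand to nothing

        return PLACEHOLDER.sub(placeholder, rule.replace)
    return None


def classify_authz_result(value: str) -> tuple[str, Union[str, dict]]:
    """("dn", <dn>) for a dn: result, or ("uri", parts) for an acceptable ldap:/// URI.

    The URI must be strictly ldap:///, with empty hostport, no attrs, no
    extensions, and a mandatory filter; anything else is rejected.
    """
    if value.startswith("dn:"):
        return "dn", value[3:]
    if not value.startswith("ldap:///"):
        raise ValueError("result must be dn:<dn> or ldap:///<base>??<scope>?<filter>: %r" % value)
    fields = value[len("ldap:///"):].split("?")
    fields += [""] * (5 - len(fields))          # base, attrs, scope, filter, extensions
    base, attrs, scope, filt, exts = fields[:5]
    if attrs or exts or not filt:
        raise ValueError("URI must carry a filter and no attrs/extensions: %r" % value)
    return "uri", {"base": base, "scope": scope or "base", "filter": filt}


# Constructed rules: the first maps GSSAPI identities of one realm through a search,
# the second is the man page's catch-all pattern mapped straight to a DN.
RULES = [
    AuthzRegexp(r"UID=([^,]*),CN=EXAMPLE\.COM,CN=GSSAPI,CN=auth",
                "ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)"),
    AuthzRegexp(r"UID=([^,]*),CN=.*", "dn:UID=$1,OU=Accounts,DC=example,DC=com"),
]


def map_identity(username: str, realm: Optional[str] = None,
                 mechanism: Optional[str] = None) -> Optional[tuple[str, Union[str, dict]]]:
    """Full pipeline: SASL name -> first matching rule -> classified result."""
    result = apply_authz_regexps(sasl_auth_name(username, realm, mechanism), RULES)
    return None if result is None else classify_authz_result(result)
```

Because a "dn:" result need not name an existing entry, the URI form with a one-entry search is the stricter mapping; the search itself runs under the ACLs, so the authentication identity needs "auth" access as the text notes.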

    concurrency <integer>
        Specify a desired level of concurrency. Provided to the
        underlying thread system as a hint. The default is not to
        provide any hint.

    conn_max_pending <integer>
        Specify the maximum number of pending requests for an anonymous
        session. If requests are submitted faster than the server can
        process them, they will be queued up to this limit. If the limit
        is exceeded, the session is closed. The default is 100.

    conn_max_pending_auth <integer>
        Specify the maximum number of pending requests for an
        authenticated session. The default is 1000.

    defaultsearchbase <dn>
        Specify a default search base to use when a client submits a
        non-base search request with an empty base DN. Base scoped search
        requests with an empty base DN are not affected.

    disallow <features>
        Specify a set of features (separated by white space) to disallow
        (default none). bind_anon disables acceptance of anonymous bind
        requests. Note that this setting does not prohibit anonymous
        directory access (See "require authc"). bind_simple disables
        simple (bind) authentication. tls_2_anon disables forcing
        session to anonymous status (see also tls_authc) upon StartTLS
        operation receipt. tls_authc disallows the StartTLS operation
        if authenticated (see also tls_2_anon).
        proxy_authz_non_critical disables acceptance of the proxied
        authorization control (RFC4370) when criticality is FALSE.
        dontusecopy_non_critical disables acceptance of the dontUseCopy
        control (a work in progress) when criticality is FALSE.

    ditcontentrule ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE]
        [AUX <oids>] [MUST <oids>] [MAY <oids>] [NOT <oids>] )
        Specify a DIT Content Rule using the LDAPv3 syntax defined in
        RFC 4512. The slapd parser extends the RFC 4512 definition by
        allowing string forms as well as numeric OIDs to be used for the
        attribute OID and attribute syntax OID. (See the
        objectidentifier description.)

    gentlehup { on | off }
        A SIGHUP signal will only cause a 'gentle' shutdown-attempt:
        Slapd will stop listening for new connections, but will not
        close the connections to the current clients. Future write
        operations return unwilling-to-perform, though. Slapd
        terminates when all clients have closed their connections (if
        they ever do), or - as before - if it receives a SIGTERM signal.
        This can be useful if you wish to terminate the server and start
        a new slapd server with another database, without disrupting the
        currently active clients. The default is off. You may wish to
        use idletimeout along with this option.

    idletimeout <integer>
        Specify the number of seconds to wait before forcibly closing an
        idle client connection. An idletimeout of 0 disables this
        feature. The default is 0. You may also want to set the
        writetimeout option.

    include <filename>
        Read additional configuration information from the given file
        before continuing with the next line of the current file.

    index_intlen <integer>
        Specify the key length for ordered integer indices. The most
        significant bytes of the binary integer will be used for index
        keys. The default value is 4, which provides exact indexing for
        31 bit values. A floating point representation is used to index
        too large values.

    index_substr_if_minlen <integer>
        Specify the minimum length for subinitial and subfinal indices.
        An attribute value must have at least this many characters in
        order to be processed by the indexing functions. The default is
        2.

    index_substr_if_maxlen <integer>
        Specify the maximum length for subinitial and subfinal indices.
        Only this many characters of an attribute value will be
        processed by the indexing functions; any excess characters are
        ignored. The default is 4.

    index_substr_any_len <integer>
        Specify the length used for subany indices. An attribute value
        must have at least this many characters in order to be
        processed. Attribute values longer than this length will be
        processed in segments of this length. The default is 4. The
        subany index will also be used in subinitial and subfinal index
        lookups when the filter string is longer than the
        index_substr_if_maxlen value.

    index_substr_any_step <integer>
        Specify the steps used in subany index lookups. This value sets
        the offset for the segments of a filter string that are
        processed for a subany index lookup. The default is 2. For
        example, with the default values, a search using this filter
        "cn=*abcdefgh*" would generate index lookups for "abcd", "cdef",
        and "efgh".

    Note: Indexing support depends on the particular backend in use. Also,
    changing these settings will generally require deleting any indices
    that depend on these parameters and recreating them with slapindex(8).
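The four index_substr_* parameters together, as an added model (not the code of any OpenLDAP backend): it reproduces the "cn=*abcdefgh*" lookups from the text and shows which keys a subinitial or subfinal assertion consults once it is longer than index_substr_if_maxlen. The exact keys a real backend uses are backend-specific, so this is a tool for reasoning about the parameters rather than a description of the on-disk index.

```python
"""Model of slapd's substring index key selection (added example, not backend code).

It follows the descriptions of index_substr_if_minlen, index_substr_if_maxlen,
index_substr_any_len and index_substr_any_step above, with the page's
defaults (2, 4, 4, 2). The exact keys a real backend consults also depend
on the backend, so treat this as a way to reason about the parameters.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SubstrIndexConfig:
    if_minlen: int = 2   # index_substr_if_minlen
    if_maxlen: int = 4   # index_substr_if_maxlen
    any_len: int = 4     # index_substr_any_len
    any_step: int = 2    # index_substr_any_step

    def __post_init__(self) -> None:
        if min(self.if_minlen, self.if_maxlen, self.any_len, self.any_step) < 1:
            raise ValueError("all index_substr_* values must be positive")


def subany_keys(value: str, cfg: SubstrIndexConfig = SubstrIndexConfig()) -> list[str]:
    """Segments of any_len characters, starting every any_step characters.

    Man page example with the defaults: "abcdefgh" -> ["abcd", "cdef", "efgh"].
    A value shorter than any_len yields no keys, i.e. the index cannot be used.
    """
    if len(value) < cfg.any_len:
        return []
    return [value[i:i + cfg.any_len]
            for i in range(0, len(value) - cfg.any_len + 1, cfg.any_step)]


def subinitial_final_keys(value: str, kind: str,
                          cfg: SubstrIndexConfig = SubstrIndexConfig()) -> list[str]:
    """Keys for a subinitial ("abc*") or subfinal ("*xyz") assertion.

    Shorter than if_minlen: not indexed at all. Otherwise only if_maxlen
    characters are indexed (the leading ones for initial, trailing for final),
    and when the filter string is longer than if_maxlen the subany index is
    used as well, as the man page states.
    """
    if kind not in ("initial", "final"):
        raise ValueError("kind must be 'initial' or 'final'")
    if len(value) < cfg.if_minlen:
        return []
    key = value[:cfg.if_maxlen] if kind == "initial" else value[-cfg.if_maxlen:]
    keys = [key]
    if len(value) > cfg.if_maxlen:
        keys += subany_keys(value, cfg)
    return keys


def substring_filter_keys(assertion: str,
                          cfg: SubstrIndexConfig = SubstrIndexConfig()) -> dict[str, list[str]]:
    """Index keys for the value part of a substring filter, e.g. "ab*cdefgh*yz".

    The assertion is the text after "attr=", with "*" separating the initial,
    any and final components; an empty component produces no keys.
    """
    parts = assertion.split("*")
    if len(parts) < 2:
        raise ValueError("not a substring assertion (no '*'): %r" % assertion)
    keys: dict[str, list[str]] = {"initial": [], "any": [], "final": []}
    if parts[0]:
        keys["initial"] = subinitial_final_keys(parts[0], "initial", cfg)
    for piece in parts[1:-1]:
        keys["any"] += subany_keys(piece, cfg)
    if parts[-1]:
        keys["final"] = subinitial_final_keys(parts[-1], "final", cfg)
    return keys
```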

    ldapsyntax ( <oid> [DESC <description>] [X-SUBST <substitute-syntax>] )
        Specify an LDAP syntax using the LDAPv3 syntax defined in RFC
        4512. The slapd parser extends the RFC 4512 definition by
        allowing string forms as well as numeric OIDs to be used for the
        syntax OID. (See the objectidentifier description.) The slapd
        parser also honors the X-SUBST extension (an OpenLDAP-specific
        extension), which allows one to use the ldapsyntax statement to
        define a non-implemented syntax along with another syntax, the
        extension value substitute-syntax, as its temporary replacement.
        The substitute-syntax must be defined. This allows one to
        define attribute types that make use of non-implemented syntaxes
        using the correct syntax OID. Unless X-SUBST is used, this
        configuration statement would result in an error, since no
        handlers would be associated with the resulting syntax structure.

    listener-threads <integer>
        Specify the number of threads to use for the connection manager.
        The default is 1 and this is typically adequate for up to 16 CPU
        cores. The value should be set to a power of 2.

    localSSF <SSF>
        Specifies the Security Strength Factor (SSF) to be given local
        LDAP sessions, such as those to the ldapi:// listener. For a
        description of SSF values, see sasl-secprops's minssf option
        description. The default is 71.

    logfile <filename>
        Specify a file for recording debug log messages. By default
        these messages only go to stderr and are not recorded anywhere
        else. Specifying a logfile copies messages to both stderr and
        the logfile.

    loglevel <integer> [...]
        Specify the level at which debugging statements and operation
        statistics should be syslogged (currently logged to the
        syslogd(8) LOG_LOCAL4 facility). They must be considered
        subsystems rather than increasingly verbose log levels. Some
        messages with higher priority are logged regardless of the
        configured loglevel as soon as any logging is configured. Log
        levels are additive, and available levels are:

            1      (0x1 trace)     trace function calls
            2      (0x2 packets)   debug packet handling
            4      (0x4 args)      heavy trace debugging (function args)
            8      (0x8 conns)     connection management
            16     (0x10 BER)      print out packets sent and received
            32     (0x20 filter)   search filter processing
            64     (0x40 config)   configuration file processing
            128    (0x80 ACL)      access control list processing
            256    (0x100 stats)   connections, LDAP operations,
                                   results (recommended)
            512    (0x200 stats2)  stats log entries sent
            1024   (0x400 shell)   print communication with shell
                                   backends
            2048   (0x800 parse)   entry parsing
            16384  (0x4000 sync)   LDAPSync replication
            32768  (0x8000 none)   only messages that get logged
                                   whatever log level is set

        The desired log level can be input as a single integer that
        combines the (ORed) desired levels, both in decimal or in
        hexadecimal notation, as a list of integers (that are ORed
        internally), or as a list of the names that are shown between
        parentheses, such that

            loglevel 129
            loglevel 0x81
            loglevel 128 1
            loglevel 0x80 0x1
            loglevel acl trace

        are equivalent. The keyword any can be used as a shortcut to
        enable logging at all levels (equivalent to -1). The keyword
        none, or the equivalent integer representation, causes those
        messages that are logged regardless of the configured loglevel
        to be logged. In fact, if loglevel is set to 0, no logging
        occurs, so at least the none level is required to have high
        priority messages logged.

        The loglevel defaults to stats. This level should usually also
        be included when using other loglevels, to help analyze the
        logs.
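The loglevel argument forms above, as an added example (not slapd code): a parser that ORs decimal, hexadecimal and named arguments into one level, confirms the five equivalent spellings from the text, and reports the two operational caveats the page gives (level 0 logs nothing, and stats should normally be kept). Only the names listed in the table are known to it; bits the table leaves unnamed are accepted in numeric form only.

```python
"""Parser for the argument forms of the loglevel directive (added example, not slapd code).

Each argument may be a decimal integer, a hex integer (0x...), or one of the
names shown in parentheses in the table above; all arguments are ORed
together. The keyword any means all levels (-1). Bits the table above
leaves unnamed are accepted only in numeric form.
"""
LOGLEVEL_NAMES = {
    "trace": 0x1, "packets": 0x2, "args": 0x4, "conns": 0x8, "ber": 0x10,
    "filter": 0x20, "config": 0x40, "acl": 0x80, "stats": 0x100,
    "stats2": 0x200, "shell": 0x400, "parse": 0x800, "sync": 0x4000,
    "none": 0x8000,
}
ANY = -1


def parse_loglevel(args: list[str]) -> int:
    """OR together the arguments of one loglevel line; names are case-insensitive."""
    if not args:
        raise ValueError("loglevel requires at least one argument")
    level = 0
    for arg in args:
        key = arg.lower()
        if key == "any":
            return ANY
        if key in LOGLEVEL_NAMES:
            level |= LOGLEVEL_NAMES[key]
            continue
        try:
            level |= int(arg, 0)          # "129" and "0x81" both parse; "-1" equals any
        except ValueError:
            raise ValueError("unknown loglevel argument %r" % arg) from None
    return level


def loglevel_names(level: int) -> list[str]:
    """Subsystem names enabled by a combined level, in the table's order."""
    if level == ANY:
        return ["any"]
    return [name for name, bit in LOGLEVEL_NAMES.items() if level & bit]


def loglevel_advisories(level: int) -> list[str]:
    """Operational caveats the man page spells out for a chosen level."""
    notes = []
    if level == 0:
        notes.append("loglevel 0: no logging at all, not even the high-priority "
                     "messages that 'none' would still emit")
    elif level != ANY and not level & LOGLEVEL_NAMES["stats"]:
        notes.append("stats (0x100) not included: connection and operation "
                     "records will be missing from the logs")
    return notes
```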
443
444 moduleload <filename>
445 Specify the name of a dynamically loadable module to load. The
446 filename may be an absolute path name or a simple filename. Non-
447 absolute names are searched for in the directories specified by
448 the modulepath option. This option and the modulepath option are
449 only usable if slapd was compiled with --enable-modules.
450
451 modulepath <pathspec>
452 Specify a list of directories to search for loadable modules.
453 Typically the path is colon-separated but this depends on the
454 operating system. The default is /usr/lib64/openldap, which is
455 where the standard OpenLDAP install will place its modules.
456
457 objectclass ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE]
458 [SUP <oids>] [{ ABSTRACT | STRUCTURAL | AUXILIARY }]
459 [MUST <oids>] [MAY <oids>] )
460 Specify an objectclass using the LDAPv3 syntax defined in RFC
461 4512. The slapd parser extends the RFC 4512 definition by
462 allowing string forms as well as numeric OIDs to be used for the
463 object class OID. (See the objectidentifier description.)
464 Object classes are "STRUCTURAL" by default.
465
466 objectidentifier <name> { <oid> | <name>[:<suffix>] }
467 Define a string name that equates to the given OID. The string
468 can be used in place of the numeric OID in objectclass and
469 attribute definitions. The name can also be used with a suffix
470 of the form ":xx" in which case the value "oid.xx" will be used.
471
472 password-hash <hash> [<hash>...]
473 This option configures one or more hashes to be used in
474 generation of user passwords stored in the userPassword
475 attribute during processing of LDAP Password Modify Extended
476 Operations (RFC 3062). The <hash> must be one of {SSHA}, {SHA},
477 {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. The default is {SSHA}.
478
479 {SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the
480 latter with a seed.
481
482 {MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter
483 with a seed.
484
485 {CRYPT} uses the crypt(3).
486
487 {CLEARTEXT} indicates that the new password should be added to
488 userPassword as clear text.
489
490 Note that this option does not alter the normal user
491 applications handling of userPassword during LDAP Add, Modify,
492 or other LDAP operations.
493
494 password-crypt-salt-format <format>
495 Specify the format of the salt passed to crypt(3) when
496 generating {CRYPT} passwords (see password-hash) during
497 processing of LDAP Password Modify Extended Operations (RFC
498 3062).
499
500 This string needs to be in sprintf(3) format and may include one
501 (and only one) %s conversion. This conversion will be
502 substituted with a string of random characters from
503 [A-Za-z0-9./]. For example, "%.2s" provides a two character
504 salt and "$1$%.8s" tells some versions of crypt(3) to use an MD5
505 algorithm and provides 8 random characters of salt. The default
506 is "%s", which provides 31 characters of salt.
507
508 pidfile <filename>
509 The (absolute) name of a file that will hold the slapd server's
510 process ID (see getpid(2)).
511
512 referral <url>
513 Specify the referral to pass back when slapd(8) cannot find a
514 local database to handle a request. If specified multiple
515 times, each url is provided.
516
517 require <conditions>
518 Specify a set of conditions (separated by white space) to
519 require (default none). The directive may be specified globally
520 and/or per-database; databases inherit global conditions, so
521 per-database specifications are additive. bind requires bind
522 operation prior to directory operations. LDAPv3 requires
523 session to be using LDAP version 3. authc requires
524 authentication prior to directory operations. SASL requires
525 SASL authentication prior to directory operations. strong
526 requires strong authentication prior to directory operations.
527 The strong keyword allows protected "simple" authentication as
528 well as SASL authentication. none may be used to require no
529 conditions (useful to clear out globally set conditions within a
530 particular database); it must occur first in the list of
531 conditions.
532
533 reverse-lookup on | off
534 Enable/disable client name unverified reverse lookup (default is
535 off if compiled with --enable-rlookups).
536
537 rootDSE <file>
538 Specify the name of an LDIF(5) file containing user defined
539 attributes for the root DSE. These attributes are returned in
540 addition to the attributes normally produced by slapd.
541
542 The root DSE is an entry with information about the server and
543 its capabilities, in operational attributes. It has the empty
544 DN, and can be read with e.g.:
545 ldapsearch -x -b "" -s base "+"
546 See RFC 4512 section 5.1 for details.
547
548 sasl-auxprops <plugin> [...]
549 Specify which auxprop plugins to use for authentication lookups.
550 The default is empty, which just uses slapd's internal support.
551 Usually no other auxprop plugins are needed.
552
553 sasl-host <fqdn>
554 Used to specify the fully qualified domain name used for SASL
555 processing.
556
557 sasl-realm <realm>
558 Specify SASL realm. Default is empty.
559
560 sasl-secprops <properties>
561 Used to specify Cyrus SASL security properties. The none flag
562 (without any other properties) causes the flag properties
563 default, "noanonymous,noplain", to be cleared. The noplain flag
564 disables mechanisms susceptible to simple passive attacks. The
565 noactive flag disables mechanisms susceptible to active attacks.
566 The nodict flag disables mechanisms susceptible to passive
567 dictionary attacks. The noanonymous flag disables mechanisms
568 which support anonymous login. The forwardsec flag require
569 forward secrecy between sessions. The passcred require
570 mechanisms which pass client credentials (and allow mechanisms
571 which can pass credentials to do so). The minssf=<factor>
572 property specifies the minimum acceptable security strength
573 factor as an integer approximate to effective key length used
574 for encryption. 0 (zero) implies no protection, 1 implies
575 integrity protection only, 56 allows DES or other weak ciphers,
576 112 allows triple DES and other strong ciphers, 128 allows RC4,
577 Blowfish and other modern strong ciphers. The default is 0.
578 The maxssf=<factor> property specifies the maximum acceptable
579 security strength factor as an integer (see minssf description).
580 The default is INT_MAX. The maxbufsize=<size> property
581 specifies the maximum security layer receive buffer size
582 allowed. 0 disables security layers. The default is 65536.
583
584 schemadn <dn>
585 Specify the distinguished name for the subschema subentry that
586 controls the entries on this server. The default is
587 "cn=Subschema".
588
589 security <factors>
590 Specify a set of security strength factors (separated by white
591 space) to require (see sasl-secprops's minssf option for a
592 description of security strength factors). The directive may be
593 specified globally and/or per-database. ssf=<n> specifies the
594 overall security strength factor. transport=<n> specifies the
595 transport security strength factor. tls=<n> specifies the TLS
596 security strength factor. sasl=<n> specifies the SASL security
597 strength factor. update_ssf=<n> specifies the overall security
598 strength factor to require for directory updates.
599 update_transport=<n> specifies the transport security strength
600 factor to require for directory updates. update_tls=<n>
601 specifies the TLS security strength factor to require for
602 directory updates. update_sasl=<n> specifies the SASL security
603 strength factor to require for directory updates.
604 simple_bind=<n> specifies the security strength factor required
605 for simple username/password authentication. Note that the
606 transport factor is measure of security provided by the
607 underlying transport, e.g. ldapi:// (and eventually IPSEC). It
608 is not normally used.
609
610 serverID <integer> [<URL>]
611 Specify an integer ID from 0 to 4095 for this server (limited to
612 3 hexadecimal digits). The ID may also be specified as a
613 hexadecimal ID by prefixing the value with "0x". Non-zero IDs
614 are required when using multimaster replication and each master
615 must have a unique non-zero ID. Note that this requirement also
616 applies to separate masters contributing to a glued set of
617 databases. If the URL is provided, this directive may be
618 specified multiple times, providing a complete list of
619 participating servers and their IDs. The fully qualified
620 hostname of each server should be used in the supplied URLs. The
621 IDs are used in the "replica id" field of all CSNs generated by
622 the specified server. The default value is zero, which is only
623 valid for single master replication. Example:
624
625 serverID 1
626
627 sizelimit {<integer>|unlimited}
628
629 sizelimit size[.{soft|hard|unchecked}]=<integer> [...]
630 Specify the maximum number of entries to return from a search
631 operation. The default size limit is 500. Use unlimited to
632 specify no limits. The second format allows a fine grain
633 setting of the size limits. Extra args can be added on the same
634 line. See limits for an explanation of the different flags.
635
636 sockbuf_max_incoming <integer>
637 Specify the maximum incoming LDAP PDU size for anonymous
638 sessions. The default is 262143.
639
640 sockbuf_max_incoming_auth <integer>
641 Specify the maximum incoming LDAP PDU size for authenticated
642 sessions. The default is 4194303.
643
644 sortvals <attr> [...]
645 Specify a list of multi-valued attributes whose values will
646 always be maintained in sorted order. Using this option will
647 allow Modify, Compare, and filter evaluations on these
648 attributes to be performed more efficiently. The resulting sort
649 order depends on the attributes' syntax and matching rules and
650 may not correspond to lexical order or any other recognizable
651 order.
652
653 tcp-buffer [listener=<URL>] [{read|write}=]<size>
654 Specify the size of the TCP buffer. A global value for both
655 read and write TCP buffers related to any listener is defined,
656 unless the listener is explicitly specified, or either the read
657 or write qualifiers are used. See tcp(7) for details. Note
658 that some OS-es implement automatic TCP buffer tuning.
659
660 threads <integer>
661 Specify the maximum size of the primary thread pool. The
662 default is 16; the minimum value is 2.
663
664 timelimit {<integer>|unlimited}
665
666 timelimit time[.{soft|hard}]=<integer> [...]
667 Specify the maximum number of seconds (in real time) slapd will
668 spend answering a search request. The default time limit is
669 3600. Use unlimited to specify no limits. The second format
670 allows a fine grain setting of the time limits. Extra args can
671 be added on the same line. See limits for an explanation of the
672 different flags.
673
674 tool-threads <integer>
675 Specify the maximum number of threads to use in tool mode. This
676 should not be greater than the number of CPUs in the system.
677 The default is 1.
678
679 writetimeout <integer>
680 Specify the number of seconds to wait before forcibly closing a
681 connection with an outstanding write. This allows recovery from
682 various network hang conditions. A writetimeout of 0 disables
683 this feature. The default is 0.
684
685 TLS OPTIONS
686 If slapd is built with support for Transport Layer Security, there are
687 more options you can specify.
688
689 When using OpenSSL, if neither TLSCACertificateFile nor
690 TLSCACertificatePath is set, the system-wide default set of CA
691 certificates is used.
692
693 TLSCipherSuite <cipher-suite-spec>
694 Permits configuring what ciphers will be accepted and the
695 preference order. <cipher-suite-spec> should be a cipher
696 specification for the TLS library in use (OpenSSL, GnuTLS, or
697 Mozilla NSS). Example:
698
699 OpenSSL:
700 TLSCipherSuite HIGH:MEDIUM:+SSLv2
701
702 GnuTLS:
703 TLSCiphersuite SECURE256:!AES-128-CBC
704
705 To check what ciphers a given spec selects in OpenSSL, use:
706
707 openssl ciphers -v <cipher-suite-spec>
708
709 With GnuTLS the available specs can be found in the manual page
710 of gnutls-cli(1) (see the description of the option --priority).
711
712 In older versions of GnuTLS, where gnutls-cli does not support
713 the option --priority, you can obtain the — more limited — list
714 of ciphers by calling:
715
716 gnutls-cli -l
717
718 When using Mozilla NSS, the OpenSSL cipher suite specifications
719 are used and translated into the format used internally by
720 Mozilla NSS. There isn't an easy way to list the cipher suites
721 from the command line. The authoritative list is in the source
722 code for Mozilla NSS in the file sslinfo.c in the structure
723 static const SSLCipherSuiteInfo suiteInfo[]
724
725 TLSCACertificateFile <filename>
726 Specifies the file that contains certificates for all of the
727 Certificate Authorities that slapd will recognize. The
728 certificate for the CA that signed the server certificate must
729 be included among these certificates. If the signing CA was not
730 a top-level (root) CA, certificates for the entire sequence of
731 CA's from the signing CA to the top-level CA should be present.
732 Multiple certificates are simply appended to the file; the order
733 is not significant.
734
735 TLSCACertificatePath <path>
736 Specifies the path of a directory that contains Certificate
737 Authority certificates in separate individual files. Usually
738 only one of this or the TLSCACertificateFile is used. This
739 directive is not supported when using GnuTLS.
740
741 When using Mozilla NSS, <path> may contain a Mozilla NSS
742 cert/key database. If <path> contains a Mozilla NSS cert/key
743 database and CA cert files, OpenLDAP will use the cert/key
744 database and will ignore the CA cert files.
745
746 TLSCertificateFile <filename>
747 Specifies the file that contains the slapd server certificate.
748
749 When using Mozilla NSS, if using a cert/key database (specified
750 with TLSCACertificatePath), TLSCertificateFile specifies the
751 name of the certificate to use:
752 TLSCertificateFile Server-Cert
753 If using a token other than the internal built in token, specify
754 the token name first, followed by a colon:
755 TLSCertificateFile my hardware device:Server-Cert
756 Use certutil -L to list the certificates by name:
757 certutil -d /path/to/certdbdir -L
758
759 TLSCertificateKeyFile <filename>
760 Specifies the file that contains the slapd server private key
761 that matches the certificate stored in the TLSCertificateFile
762 file. Currently, the private key must not be protected with a
763 password, so it is of critical importance that it is protected
764 carefully.
765
766 When using Mozilla NSS, TLSCertificateKeyFile specifies the name
767 of a file that contains the password for the key for the
768 certificate specified with TLSCertificateFile. The modutil
769 command can be used to turn off password protection for the
770 cert/key database. For example, if TLSCACertificatePath
771 specifies /etc/openldap/certdb as the location of the cert/key
772 database, use modutil to change the password to the empty
773 string:
774 modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'
775 You must have the old password, if any. Ignore the WARNING
776 about the running browser. Press 'Enter' for the new password.
777
778 TLSDHParamFile <filename>
779 This directive specifies the file that contains parameters for
780 Diffie-Hellman ephemeral key exchange. This is required in
781 order to use a DSA certificate on the server, or an RSA
782 certificate missing the "key encipherment" key usage. Note that
783 setting this option may also enable Anonymous Diffie-Hellman key
784 exchanges in certain non-default cipher suites. Anonymous key
785 exchanges should generally be avoided since they provide no
786 actual client or server authentication and provide no protection
787 against man-in-the-middle attacks. You should append "!ADH" to
788 your cipher suites to ensure that these suites are not used.
789 When using Mozilla NSS these parameters are always generated
790 randomly so this directive is ignored.
791
792 TLSECName <name>
793 Specify the name of a curve to use for Elliptic curve Diffie-
794 Hellman ephemeral key exchange. This is required to enable
795 ECDHE algorithms in OpenSSL. This option is not used with
796 GnuTLS; the curves may be chosen in the GnuTLS ciphersuite
797 specification. This option is also ignored for Mozilla NSS.
798
799 TLSProtocolMin <major>[.<minor>]
800 Specifies the minimum SSL/TLS protocol version that will be
801 negotiated. If the server doesn't support at least that
802 version, the SSL handshake will fail. To require TLS 1.x or
803 higher, set this option to 3.(x+1), e.g.,
804
805 TLSProtocolMin 3.2
806
807 would require TLS 1.1. Specifying a minimum that is higher than
808 that supported by the OpenLDAP implementation will result in it
809 requiring the highest level that it does support. This
810 directive is ignored with GnuTLS.
811
812 TLSRandFile <filename>
813 Specifies the file to obtain random bits from when
814 /dev/[u]random is not available. Generally set to the name of
815 the EGD/PRNGD socket. The environment variable RANDFILE can
816 also be used to specify the filename. This directive is ignored
817 with GnuTLS and Mozilla NSS.
818
819 TLSVerifyClient <level>
820 Specifies what checks to perform on client certificates in an
821 incoming TLS session, if any. The <level> can be specified as
822 one of the following keywords:
823
824 never This is the default. slapd will not ask the client for a
825 certificate.
826
827 allow The client certificate is requested. If no certificate
828 is provided, the session proceeds normally. If a bad
829 certificate is provided, it will be ignored and the
830 session proceeds normally.
831
832 try The client certificate is requested. If no certificate
833 is provided, the session proceeds normally. If a bad
834 certificate is provided, the session is immediately
835 terminated.
836
837 demand | hard | true
838 These keywords are all equivalent, for compatibility
839 reasons. The client certificate is requested. If no
840 certificate is provided, or a bad certificate is
841 provided, the session is immediately terminated.
842
843 Note that a valid client certificate is required in order
844 to use the SASL EXTERNAL authentication mechanism with a
845 TLS session. As such, a non-default TLSVerifyClient
846 setting must be chosen to enable SASL EXTERNAL
847 authentication.
848
849 TLSCRLCheck <level>
850 Specifies if the Certificate Revocation List (CRL) of the CA
851 should be used to verify if the client certificates have not
852 been revoked. This requires TLSCACertificatePath parameter to be
853 set. This directive is ignored with GnuTLS and Mozilla NSS.
854 <level> can be specified as one of the following keywords:
855
856 none No CRL checks are performed
857
858 peer Check the CRL of the peer certificate
859
860 all Check the CRL for a whole certificate chain
861
862 TLSCRLFile <filename>
863 Specifies a file containing a Certificate Revocation List to be
864 used for verifying that certificates have not been revoked. This
865 directive is only valid when using GnuTLS and Mozilla NSS.
866
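An added example, not part of the manual page or of the OpenLDAP sources: a small Python parser for slapd.conf lines (continuation lines, comments and quoting as described under DESCRIPTION) followed by an audit of the TLS directives against the statements above. The configuration it reads is a constructed sample with placeholder file names.

```python
"""Added example (not OpenLDAP code): parse slapd.conf and audit the TLS
directives against the statements in the TLS options text above."""
from __future__ import annotations

import re


def tokenize(line: str) -> list[str]:
    """White space separates arguments; double quotes group one; backslash escapes."""
    args: list[str] = []
    cur: list[str] = []
    in_arg = in_quotes = False
    i = 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            in_arg, i = True, i + 2
            continue
        if c == '"':
            in_quotes, in_arg = not in_quotes, True
        elif c.isspace() and not in_quotes:
            if in_arg:
                args.append("".join(cur))
                cur, in_arg = [], False
        else:
            cur.append(c)
            in_arg = True
        i += 1
    if in_arg:
        args.append("".join(cur))
    return args


def parse(text: str) -> list[tuple[str, list[str]]]:
    """Unwrap continuation lines first, then drop blank and '#' lines."""
    logical: list[str] = []
    for raw in text.splitlines():
        if raw[:1].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.rstrip())
    directives = []
    for line in logical:
        if not line.strip() or line.startswith("#"):
            continue
        words = tokenize(line)
        if words:
            directives.append((words[0].lower(), words[1:]))
    return directives


def tls_min_version(spec: str) -> str | None:
    """TLSProtocolMin <major>[.<minor>]: 3.0 is SSL 3.0 and 3.(x+1) is TLS 1.x."""
    m = re.fullmatch(r"3(?:\.(\d+))?", spec)
    if m is None:
        return None
    minor = int(m.group(1) or 0)
    return "SSL 3.0" if minor == 0 else f"TLS 1.{minor - 1}"


def audit_tls(directives: list[tuple[str, list[str]]]) -> list[str]:
    """Findings; each restates a requirement or consequence given in the text."""
    tls = {name: " ".join(args) for name, args in directives if name.startswith("tls")}
    findings: list[str] = []
    if "tlsdhparamfile" in tls and "!ADH" not in tls.get("tlsciphersuite", "").upper():
        findings.append("TLSDHParamFile is set but TLSCipherSuite does not exclude !ADH")
    if tls.get("tlscrlcheck", "none").lower() != "none" and "tlscacertificatepath" not in tls:
        findings.append("TLSCRLCheck requires TLSCACertificatePath")
    if tls.get("tlsverifyclient", "never").lower() == "never":
        findings.append("TLSVerifyClient is never: SASL EXTERNAL over TLS is not possible")
    if "tlsprotocolmin" in tls:
        version = tls_min_version(tls["tlsprotocolmin"]) or "an unrecognised version"
        findings.append(f"TLSProtocolMin {tls['tlsprotocolmin']} requires {version}")
    if "tlscacertificatefile" not in tls and "tlscacertificatepath" not in tls:
        findings.append("no CA configured: OpenSSL falls back to the system-wide CA set")
    return findings


# Constructed sample; file names and the suffix are placeholders.
SAMPLE_CONF = """\
# TLS settings for a constructed example deployment
TLSCACertificateFile  /etc/openldap/cacerts/ca.pem
TLSCertificateFile    /etc/openldap/server.pem
TLSCertificateKeyFile /etc/openldap/server.key
TLSDHParamFile        /etc/openldap/dh.pem
TLSCipherSuite        HIGH:MEDIUM:+SSLv2
TLSProtocolMin        3.2
TLSCRLCheck           peer
sortvals              member
                      memberOf
database mdb
suffix   "dc=example,dc=com"
"""

if __name__ == "__main__":
    for finding in audit_tls(parse(SAMPLE_CONF)):
        print("-", finding)
```
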
867 GENERAL BACKEND OPTIONS
868 Options in this section only apply to the configuration file section
869 for the specified backend. They are supported by every type of
870 backend.
871
872 backend <databasetype>
873 Mark the beginning of a backend definition. <databasetype>
874 should be one of bdb, config, dnssrv, hdb, ldap, ldif, mdb,
875 meta, monitor, null, passwd, perl, relay, shell, or sql,
876 depending on which backend will serve the database.
877
878
879 GENERAL DATABASE OPTIONS
880 Options in this section only apply to the configuration file section
881 for the database in which they are defined. They are supported by
882 every type of backend. Note that the database and at least one suffix
883 option are mandatory for each database.
884
885 database <databasetype>
886 Mark the beginning of a new database instance definition.
887 <databasetype> should be one of bdb, config, dnssrv, hdb, ldap,
888 ldif, mdb, meta, monitor, null, passwd, perl, relay, shell, or
889 sql, depending on which backend will serve the database.
890
891 LDAP operations, even subtree searches, normally access only one
892 database. That can be changed by gluing databases together with
893 the subordinate keyword. Access controls and some overlays can
894 also involve multiple databases.
895
896 add_content_acl on | off
897 Controls whether Add operations will perform ACL checks on the
898 content of the entry being added. This check is off by default.
899 See the slapd.access(5) manual page for more details on ACL
900 requirements for Add operations.
901
902 extra_attrs <attrlist>
903 Lists what attributes need to be added to search requests.
904 Local storage backends return the entire entry to the frontend.
905 The frontend takes care of only returning the requested
906 attributes that are allowed by ACLs. However, features such as
907 access checking may need specific attributes that are not
908 automatically returned by remote storage backends, such as proxy
909 backends. <attrlist> is a list of attributes that are
910 needed for internal purposes and thus always need to be
911 collected, even when not explicitly requested by clients.
912
913 hidden on | off
914 Controls whether the database will be used to answer queries. A
915 database that is hidden will never be selected to answer any
916 queries, and any suffix configured on the database will be
917 ignored in checks for conflicts with other databases. By
918 default, hidden is off.
919
920 lastmod on | off
921 Controls whether slapd will automatically maintain the
922 modifiersName, modifyTimestamp, creatorsName, and
923 createTimestamp attributes for entries. It also controls the
924 entryCSN and entryUUID attributes, which are needed by the
925 syncrepl provider. By default, lastmod is on.
926
927 limits <selector> <limit> [<limit> [...]]
928 Specify time and size limits based on the operation's initiator
929 or base DN. The argument <selector> can be any of
930
931 anonymous | users | [<dnspec>=]<pattern> |
932 group[/oc[/at]]=<pattern>
933
934 with
935
936 <dnspec> ::= dn[.<type>][.<style>]
937
938 <type> ::= self | this
939
940 <style> ::= exact | base | onelevel | subtree | children
941 | regex | anonymous
942
943 DN type self is the default and means the bound user, while this
944 means the base DN of the operation. The term anonymous matches
945 all unauthenticated clients. The term users matches all
946 authenticated clients; otherwise an exact dn pattern is assumed
947 unless otherwise specified by qualifying the (optional) key
948 string dn with exact or base (which are synonyms), to require an
949 exact match; with onelevel, to require exactly one level of
950 depth match; with subtree, to allow any level of depth match,
951 including the exact match; with children, to allow any level of
952 depth match, not including the exact match; regex explicitly
953 requires the (default) match based on a POSIX "extended"
954 regular expression pattern. Finally, anonymous matches unbound
955 operations; the pattern field is ignored. The same behavior is
956 obtained by using the anonymous form of the <selector> clause.
957 The term group, with the optional objectClass oc and
958 attributeType at fields, followed by pattern, sets the limits
959 for any DN listed in the values of the at attribute (default
960 member) of the oc group objectClass (default groupOfNames) whose
961 DN exactly matches pattern.
962
963 The currently supported limits are size and time.
964
965 The syntax for time limits is time[.{soft|hard}]=<integer>,
966 where integer is the number of seconds slapd will spend
967 answering a search request. If no time limit is explicitly
968 requested by the client, the soft limit is used; if the
969 requested time limit exceeds the hard limit, the value of the
970 limit is used instead. If the hard limit is set to the keyword
971 soft, the soft limit is used in either case; if it is set to the
972 keyword unlimited, no hard limit is enforced. Explicit requests
973 for time limits smaller or equal to the hard limit are honored.
974 If no limit specifier is set, the value is assigned to the soft
975 limit, and the hard limit is set to soft, to preserve the
976 original behavior.
977
978 The syntax for size limits is
979 size[.{soft|hard|unchecked}]=<integer>, where integer is the
980 maximum number of entries slapd will return answering a search
981 request. If no size limit is explicitly requested by the
982 client, the soft limit is used; if the requested size limit
983 exceeds the hard limit, the value of the limit is used instead.
984 If the hard limit is set to the keyword soft, the soft limit is
985 used in either case; if it is set to the keyword unlimited, no
986 hard limit is enforced. Explicit requests for size limits
987 smaller or equal to the hard limit are honored. The unchecked
988 specifier sets a limit on the number of candidates a search
989 request is allowed to examine. The rationale behind it is that
990 searches for non-properly indexed attributes may result in large
991 sets of candidates, which must be examined by slapd(8) to
992 determine whether they match the search filter or not. The
993 unchecked limit provides a means to drop such operations before
994 they are even started. If the selected candidates exceed the
995 unchecked limit, the search will abort with Unwilling to
996 perform. If it is set to the keyword unlimited, no limit is
997 applied (the default). If it is set to disabled, the search is
998 not even performed; this can be used to disallow searches for a
999 specific set of users. If no limit specifier is set, the value
1000 is assigned to the soft limit, and the hard limit is set to
1001 soft, to preserve the original behavior.
1002
1003 In case of no match, the global limits are used. The default
1004 values are the same as for sizelimit and timelimit; no limit is
1005 set on unchecked.
1006
1007 If pagedResults control is requested, the hard size limit is
1008 used by default, because the request of a specific page size is
1009 considered an explicit request for a limitation on the number of
1010 entries to be returned. However, the size limit applies to the
1011 total count of entries returned within the search, and not to a
1012 single page. Additional size limits may be enforced; the syntax
1013 is size.pr={<integer>|noEstimate|unlimited}, where integer is
1014 the max page size if no explicit limit is set; the keyword
1015 noEstimate inhibits the server from returning an estimate of the
1016 total number of entries that might be returned (note: the
1017 current implementation does not return any estimate). The
1018 keyword unlimited indicates that no limit is applied to the
1019 pagedResults control page size. The syntax
1020 size.prtotal={<integer>|unlimited|disabled} allows one to set a
1021 limit on the total number of entries that the pagedResults
1022 control will return. By default it is set to the hard limit.
1023 When set, integer is the max number of entries that the whole
1024 search with pagedResults control can return. Use unlimited to
1025 allow an unlimited number of entries to be returned, e.g. to allow
1026 the use of the pagedResults control as a means to circumvent
1027 size limitations on regular searches; the keyword disabled
1028 disables the control, i.e. no paged results can be returned.
1029 Note that the total number of entries returned when the
1030 pagedResults control is requested cannot exceed the hard size
1031 limit of regular searches unless extended by the prtotal switch.
1032
1033 The limits statement is typically used to let an unlimited
1034 number of entries be returned by searches performed with the
1035 identity used by the consumer for synchronization purposes by
1036 means of the RFC 4533 LDAP Content Synchronization protocol (see
1037 syncrepl for details).
1038
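An added example, not part of the manual page or of slapd: the selector matching and the soft/hard/unchecked resolution described above, implemented as the text states them. The pagedResults specifiers, group selectors and dn.this are left out, "first matching limits line wins" is an assumption of the example, and the limits lines are a constructed sample.

```python
"""Added example (not OpenLDAP code): limits selector matching and the
soft/hard/unchecked resolution rules as the limits text above states them."""
from __future__ import annotations

import re

SOFT, DISABLED = "soft", "disabled"          # keyword values; None means unlimited
_value = lambda v: None if v == "unlimited" else int(v)   # noqa: E731


def parse_limits(args: list[str], sizelimit: int = 500, timelimit: int = 3600):
    """args: selector then <limit> tokens; defaults mirror sizelimit/timelimit."""
    selector, tokens = args[0], args[1:]
    lim = {"size": {"soft": sizelimit, "hard": SOFT, "unchecked": None},
           "time": {"soft": timelimit, "hard": SOFT}}
    for tok in tokens:
        key, _, val = tok.partition("=")
        kind, _, spec = key.partition(".")
        if kind not in lim or not val:
            raise ValueError(f"unrecognised limit {tok!r}")
        if spec == "":                       # no specifier: value to soft, hard = soft
            lim[kind]["soft"], lim[kind]["hard"] = _value(val), SOFT
        elif spec == "soft":
            lim[kind]["soft"] = _value(val)
        elif spec == "hard":
            lim[kind]["hard"] = SOFT if val == SOFT else _value(val)
        elif spec == "unchecked" and kind == "size":
            lim["size"]["unchecked"] = DISABLED if val == DISABLED else _value(val)
        else:                                # size.pr / size.prtotal are not modelled
            raise ValueError(f"unsupported limit {tok!r}")
    return selector, lim


def selector_matches(selector: str, bound_dn: str | None) -> bool:
    """anonymous | users | [dn[.self][.<style>]=]<pattern>, case-insensitive;
    group selectors and dn.this need the directory and are not modelled."""
    dn = (bound_dn or "").lower()
    if selector in ("anonymous", "users") or selector.startswith("dn.anonymous"):
        return (dn == "") == (selector != "users")   # anonymous forms match unbound ops
    if selector.startswith("group"):
        raise ValueError("group selectors need a directory lookup")
    style, pattern = "exact", selector       # bare pattern: exact DN match
    if selector.startswith(("dn.", "dn=")):
        key, _, pattern = selector.partition("=")
        parts = [p for p in key.split(".")[1:] if p != "self"]
        style = parts[0] if parts else "exact"
    if style == "regex":
        return re.fullmatch(pattern, dn, re.IGNORECASE) is not None
    pattern = pattern.lower()
    below = dn.endswith("," + pattern)       # strictly beneath the pattern DN
    if style in ("exact", "base"):
        return dn == pattern
    if style == "subtree":
        return dn == pattern or below
    if style == "children":
        return below
    if style == "onelevel":                  # exactly one RDN beneath the pattern
        return below and "," not in dn[: -len(pattern) - 1]
    raise ValueError(f"selector style {style!r} is not modelled")


def effective_limit(lim: dict, requested: int) -> int | None:
    """requested <= 0 means the client sent no limit; None means unlimited."""
    soft, hard = lim["soft"], lim["hard"]
    if hard == SOFT:                         # keyword soft: hard equals the soft value
        hard = soft
    if requested <= 0:
        return soft
    if hard is None:
        return requested                     # no hard limit: the request is honoured
    return min(requested, hard)              # above hard -> hard; otherwise honoured


def may_examine(lim_size: dict, candidates: int) -> bool:
    """The unchecked limit: False means Unwilling to perform (or a disabled search)."""
    u = lim_size["unchecked"]
    if u == DISABLED:
        return False
    return u is None or candidates <= u


# Constructed sample limits lines: the words following the limits keyword.
SAMPLE_LIMITS = [
    ["dn.exact=cn=replicator,dc=example,dc=com", "size=unlimited", "time=unlimited"],
    ["dn.onelevel=ou=admins,dc=example,dc=com", "size.soft=1000", "size.hard=unlimited"],
    ["users", "size.soft=100", "size.hard=500", "size.unchecked=10000",
     "time.soft=30", "time.hard=soft"],
    ["anonymous", "size=20", "time=10", "size.unchecked=disabled"],
]


def limits_for(bound_dn: str | None, lines=SAMPLE_LIMITS) -> dict:
    """First matching line wins (this example's assumption); else global defaults."""
    for args in lines:
        selector, lim = parse_limits(args)
        if selector_matches(selector, bound_dn):
            return lim
    return parse_limits(["users"])[1]        # defaults only; the selector is unused
```
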
1039 maxderefdepth <depth>
1040 Specifies the maximum number of aliases to dereference when
1041 trying to resolve an entry, used to avoid infinite alias loops.
1042 The default is 15.
1043
1044 mirrormode on | off
1045 This option puts a replica database into "mirror" mode. Update
1046 operations will be accepted from any user, not just the
1047 updatedn. The database must already be configured as a syncrepl
1048 consumer before this keyword may be set. This mode also requires
1049 a serverID (see above) to be configured. By default, mirrormode
1050 is off.
1051
1052 monitoring on | off
1053 This option enables database-specific monitoring in the entry
1054 related to the current database in the "cn=Databases,cn=Monitor"
1055 subtree of the monitor database, if the monitor database is
1056 enabled. Currently, only the BDB and the HDB databases provide
1057 database-specific monitoring. The default depends on the
1058 backend type.
1059
1060 overlay <overlay-name>
1061 Add the specified overlay to this database. An overlay is a
1062 piece of code that intercepts database operations in order to
1063 extend or change them. Overlays are pushed onto a stack over the
1064 database, and so they will execute in the reverse of the order
1065 in which they were configured and the database itself will
1066 receive control last of all. See the slapd.overlays(5) manual
1067 page for an overview of the available overlays. Note that all
1068 of the database's regular settings should be configured before
1069 any overlay settings.
1070
1071 readonly on | off
1072 This option puts the database into "read-only" mode. Any
1073 attempts to modify the database will return an "unwilling to
1074 perform" error. By default, readonly is off.
1075
1076 restrict <oplist>
1077 Specify a whitespace separated list of operations that are
1078 restricted. If defined inside a database specification,
1079 restrictions apply only to that database, otherwise they are
1080 global. Operations can be any of add, bind, compare, delete,
1081 extended[=<OID>], modify, rename, search, or the special pseudo-
1082 operations read and write, which respectively summarize read and
1083 write operations. The use of restrict write is equivalent to
1084 readonly on (see above). The extended keyword allows one to
1085 indicate the OID of the specific operation to be restricted.
1086
1087 rootdn <dn>
1088 Specify the distinguished name that is not subject to access
1089 control or administrative limit restrictions for operations on
1090 this database. This DN may or may not be associated with an
1091 entry. An empty root DN (the default) specifies no root access
1092 is to be granted. It is recommended that the rootdn only be
1093 specified when needed (such as when initially populating a
1094 database). If the rootdn is within a namingContext (suffix) of
1095 the database, a simple bind password may also be provided using
1096 the rootpw directive. Many optional features, including
1097 syncrepl, require the rootdn to be defined for the database.
1098
1099 rootpw <password>
1100 Specify a password (or hash of the password) for the rootdn.
1101 The password can only be set if the rootdn is within the
1102 namingContext (suffix) of the database. This option accepts all
1103 RFC 2307 userPassword formats known to the server (see
1104 password-hash description) as well as cleartext. slappasswd(8)
1105 may be used to generate a hash of a password. Cleartext and
1106 {CRYPT} passwords are not recommended. If empty (the default),
1107 authentication of the root DN is by other means (e.g. SASL).
1108 Use of SASL is encouraged.
1109
1110 suffix <dn suffix>
1111 Specify the DN suffix of queries that will be passed to this
1112 backend database. Multiple suffix lines can be given and at
1113 least one is required for each database definition.
1114
1115 If the suffix of one database is "inside" that of another, the
1116 database with the inner suffix must come first in the
1117 configuration file. You may also want to glue such databases
1118 together with the subordinate keyword.
1119
1120 subordinate [advertise]
1121 Specify that the current backend database is a subordinate of
1122 another backend database. A subordinate database may have only
1123 one suffix. This option may be used to glue multiple databases
1124 into a single namingContext. If the suffix of the current
1125 database is within the namingContext of a superior database,
1126 searches against the superior database will be propagated to the
1127 subordinate as well. All of the databases associated with a
1128 single namingContext should have identical rootdns. Behavior of
1129 other LDAP operations is unaffected by this setting. In
1130 particular, it is not possible to use moddn to move an entry
1131 from one subordinate to another subordinate within the
1132 namingContext.
1133
1134 If the optional advertise flag is supplied, the naming context
1135 of this database is advertised in the root DSE. The default is
1136 to hide this database context, so that only the superior context
1137 is visible.
1138
1139 If the slap tools slapcat(8), slapadd(8), or slapindex(8) are
1140 used on the superior database, any glued subordinates that
1141 support these tools are opened as well.
1142
1143 Databases that are glued together should usually be configured
1144 with the same indices (assuming they support indexing), even for
1145 attributes that only exist in some of these databases. In
1146 general, all of the glued databases should be configured as
1147 similarly as possible, since the intent is to provide the
1148 appearance of a single directory.
1149
1150 Note that the subordinate functionality is implemented
1151 internally by the glue overlay and as such its behavior will
1152 interact with other overlays in use. By default, the glue
1153 overlay is automatically configured as the last overlay on the
1154 superior backend. Its position on the backend can be explicitly
1155 configured by setting an overlay glue directive at the desired
1156 position. This explicit configuration is necessary e.g. when
1157 using the syncprov overlay, which needs to follow glue in order
1158 to work over all of the glued databases. E.g.
1159 database bdb
1160 suffix dc=example,dc=com
1161 ...
1162 overlay glue
1163 overlay syncprov
1164
1165 sync_use_subentry
1166 Store the syncrepl contextCSN in a subentry instead of the
1167 context entry of the database. The subentry's RDN will be
1168 "cn=ldapsync". By default the contextCSN is stored in the
1169 context entry.
1170
1171 syncrepl rid=<replica ID> provider=ldap[s]://<hostname>[:port]
1172 searchbase=<base DN> [type=refreshOnly|refreshAndPersist]
1173 [interval=dd:hh:mm:ss] [retry=[<retry interval> <# of
1174 retries>]+] [filter=<filter str>] [scope=sub|one|base|subord]
1175 [attrs=<attr list>] [exattrs=<attr list>] [attrsonly]
1176 [sizelimit=<limit>] [timelimit=<limit>] [schemachecking=on|off]
1177 [network-timeout=<seconds>] [timeout=<seconds>]
1178 [bindmethod=simple|sasl] [binddn=<dn>] [saslmech=<mech>]
1179 [authcid=<identity>] [authzid=<identity>] [credentials=<passwd>]
1180 [realm=<realm>] [secprops=<properties>]
1181 [keepalive=<idle>:<probes>:<interval>] [starttls=yes|critical]
1182 [tls_cert=<file>] [tls_key=<file>] [tls_cacert=<file>]
1183 [tls_cacertdir=<path>] [tls_reqcert=never|allow|try|demand]
1184 [tls_cipher_suite=<ciphers>] [tls_crlcheck=none|peer|all]
1185 [tls_protocol_min=<major>[.<minor>]] [suffixmassage=<real DN>]
1186 [logbase=<base DN>] [logfilter=<filter str>]
1187 [syncdata=default|accesslog|changelog]
1188 Specify the current database as a replica which is kept up-to-
1189 date with the master content by establishing the current
1190 slapd(8) as a replication consumer site running a syncrepl
1191 replication engine. The replica content is kept synchronized to
1192 the master content using the LDAP Content Synchronization
1193 protocol. Refer to the "OpenLDAP Administrator's Guide" for
1194 detailed information on setting up a replicated slapd directory
1195 service using the syncrepl replication engine.
1196
1197 rid identifies the current syncrepl directive within the
1198 replication consumer site. It is a non-negative integer not
1199 greater than 999 (limited to three decimal digits).
1200
1201 provider specifies the replication provider site containing the
1202 master content as an LDAP URI. If <port> is not given, the
1203 standard LDAP port number (389 or 636) is used.
1204
1205 The content of the syncrepl replica is defined using a search
1206 specification as its result set. The consumer slapd will send
1207 search requests to the provider slapd according to the search
1208 specification. The search specification includes searchbase,
1209 scope, filter, attrs, attrsonly, sizelimit, and timelimit
1210 parameters as in the normal search specification. The scope
1211 defaults to sub, the filter defaults to (objectclass=*), while
1212 there is no default searchbase. The attrs list defaults to "*,+"
1213 to return all user and operational attributes, and attrsonly is
1214 unset by default. The sizelimit and timelimit only accept
1215 "unlimited" and positive integers, and both default to
1216 "unlimited". The sizelimit and timelimit parameters define a
1217 consumer requested limitation on the number of entries that can
1218 be returned by the LDAP Content Synchronization operation; as
1219 such, it is intended to implement partial replication based on
1220 the size of the replicated database and on the time required by
1221 the synchronization. Note, however, that any provider-side
1222 limits for the replication identity will be enforced by the
1223 provider regardless of the limits requested by the LDAP Content
1224 Synchronization operation, much like for any other search
1225 operation. The exattrs option may also be used to specify
1226 attributes that should be omitted from incoming entries; it is
1227 unset by default.
1237
1238 The LDAP Content Synchronization protocol has two operation
1239 types. In the refreshOnly operation, the next synchronization
1240 search operation is periodically rescheduled at an interval time
1241 (specified by interval parameter; 1 day by default) after each
1242 synchronization operation finishes. In the refreshAndPersist
1243 operation, a synchronization search remains persistent in the
1244 provider slapd. Further updates to the master replica will
1245 generate searchResultEntry to the consumer slapd as the search
1246 responses to the persistent synchronization search. If the
1247 initial search fails due to an error, the next synchronization
1248 search operation is periodically rescheduled at an interval time
1249 (specified by the interval parameter; 1 day by default).
1250
1251 If an error occurs during replication, the consumer will attempt
1252 to reconnect according to the retry parameter which is a list of
1253 the <retry interval> and <# of retries> pairs. For example,
1254 retry="60 10 300 3" lets the consumer retry every 60 seconds for
1255 the first 10 times and then retry every 300 seconds for the next
1256 3 times before it stops retrying. The `+' in <# of retries> means
1257 an indefinite number of retries until success. If no retry was
1258 specified, by default syncrepl retries every hour forever.
1259
1260 Schema checking can be enforced at the LDAP Sync consumer site
1261 by turning on the schemachecking parameter. The default is
1262 off. Schema checking on means that replicated entries must have
1263 a structural objectClass, must obey objectClass requirements in
1264 terms of required/allowed attributes, and that naming attributes
1265 and distinguished values must be present. As a consequence,
1266 schema checking should be off when partial replication is used.
1268
1269 The network-timeout parameter sets how long the consumer will
1270 wait to establish a network connection to the provider. Once a
1271 connection is established, the timeout parameter determines how
1272 long the consumer will wait for the initial Bind request to
1273 complete. The defaults for these parameters come from
1274 ldap.conf(5).
1275
1276 A bindmethod of simple requires the options binddn and
1277 credentials and should only be used when adequate security
1278 services (e.g. TLS or IPSEC) are in place. REMEMBER: simple
1279 bind credentials must be in cleartext! A bindmethod of sasl
1280 requires the option saslmech. Depending on the mechanism, an
1281 authentication identity and/or credentials can be specified
1282 using authcid and credentials. The authzid parameter may be
1283 used to specify an authorization identity. Specific security
1284 properties (as with the sasl-secprops keyword above) for a SASL
1285 bind can be set with the secprops option. A non-default SASL
1286 realm can be set with the realm option. The identity used for
1287 synchronization by the consumer should be allowed to receive an
1288 unlimited number of entries in response to a search request.
1289 Besides allowing authentication of the syncrepl identity, the
1290 provider should grant that identity appropriate access
1291 privileges to the data that is being replicated (access
1292 directive), and appropriate time and size limits. This can be
1293 accomplished by either allowing unlimited sizelimit and
1294 timelimit, or by setting an appropriate limits statement in the
1295 consumer's configuration (see sizelimit and limits for details).
1296
1297 The keepalive parameter sets the values of idle, probes, and
1298 interval used to check whether a socket is alive; idle is the
1299 number of seconds a connection needs to remain idle before TCP
1300 starts sending keepalive probes; probes is the maximum number of
1301 keepalive probes TCP should send before dropping the connection;
1302 interval is the interval in seconds between individual keepalive
1303 probes. Only some systems support the customization of these
1304 values; the keepalive parameter is ignored otherwise, and
1305 system-wide settings are used.
1306
1307 The starttls parameter specifies use of the StartTLS extended
1308 operation to establish a TLS session before Binding to the
1309 provider. If the critical argument is supplied, the session will
1310 be aborted if the StartTLS request fails. Otherwise the syncrepl
1311 session continues without TLS. The tls_reqcert setting defaults
1312 to "demand" and the other TLS settings default to the same as
1313 the main slapd TLS settings.
1314
1315 The suffixmassage parameter allows the consumer to pull entries
1316 from a remote directory whose DN suffix differs from the local
1317 directory. The portion of the remote entries' DNs that matches
1318 the searchbase will be replaced with the suffixmassage DN.
1319
1320 Rather than replicating whole entries, the consumer can query
1321 logs of data modifications. This mode of operation is referred
1322 to as delta syncrepl. In addition to the above parameters, the
1323 logbase and logfilter parameters must be set appropriately for
1324 the log that will be used. The syncdata parameter must be set to
1325 either "accesslog" if the log conforms to the slapo-accesslog(5)
1326 log format, or "changelog" if the log conforms to the obsolete
1327 changelog format. If the syncdata parameter is omitted or set to
1328 "default" then the log parameters are ignored.

       updatedn <dn>
              This option is only applicable in a slave database. It
              specifies the DN permitted to update (subject to access
              controls) the replica. It is only needed in certain push-mode
              replication scenarios. Generally, this DN should not be the
              same as the rootdn used at the master.

       updateref <url>
              Specify the referral to pass back when slapd(8) is asked to
              modify a replicated local database. If specified multiple
              times, each url is provided.


       Each database may allow specific configuration options; they are
       documented separately in the backends' manual pages. See the
       slapd.backends(5) manual page for an overview of available backends.

       Here is a short example of a configuration file:

              include   /etc/openldap/schema/core.schema
              pidfile   /var/run/slapd.pid

              # Subtypes of "name" (e.g. "cn" and "ou") with the
              # option ";x-hidden" can be searched for/compared,
              # but are not shown.  See slapd.access(5).
              attributeoptions x-hidden lang-
              access to attrs=name;x-hidden by * =cs

              # Protect passwords.  See slapd.access(5).
              access    to attrs=userPassword  by * auth
              # Read access to other attributes and entries.
              access    to *  by * read

              database  bdb
              suffix    "dc=our-domain,dc=com"
              # The database directory MUST exist prior to
              # running slapd AND should only be accessible
              # by the slapd/tools. Mode 0700 recommended.
              directory /var/openldap-data
              # Indices to maintain
              index     objectClass  eq
              index     cn,sn,mail   pres,eq,approx,sub

              # We serve small clients that do not handle referrals,
              # so handle remote lookups on their behalf.
              database  ldap
              suffix    ""
              uri       ldap://ldap.some-server.com/
              lastmod   off
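
       The following script is an added example, not OpenLDAP code or part of
       this manual page. It reads slapd.conf text using the lexical rules
       given above (continuation lines starting with white space, `#' comment
       lines dropped after unwrapping, double-quoted arguments, backslash
       escapes) and then audits a syncrepl directive for the settings the
       syncrepl description warns about: a simple bind without TLS (cleartext
       credentials), starttls without critical, a tls_reqcert weaker than the
       "demand" default, bindmethod=sasl without saslmech, a malformed
       keepalive triple, and delta syncrepl without logbase/logfilter. It also
       checks that, as in the example configuration, the userPassword access
       rule precedes the catch-all "access to *" rule, since slapd applies the
       first matching access directive. The sample configuration, its host
       names, DNs and credential are constructed placeholders; the ldaps://
       exemption and the idle:probes:interval keepalive format are assumptions
       taken from the syncrepl directive's syntax, not from this section.

```python
# Added example (not OpenLDAP code): a minimal slapd.conf(5) reader that applies
# the manual's lexical rules, plus an audit of the syncrepl settings it warns about.
from typing import Dict, List

# Constructed sample; hostnames, DNs and the credential are placeholders.
SAMPLE_CONF = """\
# Protect passwords before the catch-all rule. See slapd.access(5).
access to attrs=userPassword by * auth
access to * by * read

database bdb
suffix "dc=example,dc=com"
syncrepl rid=001
    provider=ldap://provider.example.com
    bindmethod=simple
    binddn="cn=replicator,dc=example,dc=com"
    credentials=PLACEHOLDER-SECRET
    searchbase="dc=example,dc=com"
    starttls=yes
    tls_reqcert=never
    keepalive=240:10:30
"""


def tokenize(line: str) -> List[str]:
    """Split a logical line into arguments: white space separates them, double
    quotes group text (also mid-argument), a backslash escapes the next char."""
    args, cur, in_quote, escaped, started = [], [], False, False, False
    for ch in line:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote, started = not in_quote, True
        elif ch.isspace() and not in_quote:
            if started:
                args.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args


def parse_conf(text: str) -> List[List[str]]:
    """Unwrap continuation lines (leading white space) first, then drop blank and
    '#' lines, in that order as the manual specifies."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw[:1].isspace() and logical:
            logical[-1] += " " + raw.lstrip()
        else:
            logical.append(raw)
    return [tokenize(ln) for ln in logical if ln.strip() and not ln.startswith("#")]


def syncrepl_params(args: List[str]) -> Dict[str, str]:
    """Map the key=value arguments of a 'syncrepl' directive to a dict."""
    return {k.lower(): v for k, _, v in (tok.partition("=") for tok in args[1:])}


def audit_syncrepl(p: Dict[str, str]) -> List[str]:
    """Findings for the syncrepl settings slapd.conf(5) calls out."""
    out = []
    method = p.get("bindmethod", "simple").lower()
    starttls = p.get("starttls", "").lower()
    ldaps = p.get("provider", "").lower().startswith("ldaps://")  # assumed exemption
    if method == "simple" and starttls != "critical" and not ldaps:
        out.append("simple bind sends cleartext credentials: use starttls=critical or ldaps://")
    if method == "sasl" and "saslmech" not in p:
        out.append("bindmethod=sasl requires saslmech")
    if starttls == "yes":
        out.append("starttls=yes continues without TLS if StartTLS fails: use starttls=critical")
    if p.get("tls_reqcert", "demand").lower() != "demand":
        out.append("tls_reqcert weakened below the default 'demand'")
    parts = p.get("keepalive", "0:0:0").split(":")  # idle:probes:interval (assumed format)
    if len(parts) != 3 or not all(x.isdigit() for x in parts):
        out.append("keepalive must be idle:probes:interval (integers)")
    if p.get("syncdata", "default").lower() in ("accesslog", "changelog"):
        out += [f"delta syncrepl needs {k}" for k in ("logbase", "logfilter") if k not in p]
    return out


def password_rule_precedes_catchall(directives: List[List[str]]) -> bool:
    """True if 'access to attrs=userPassword' appears before the first
    'access to *' rule; slapd applies the first matching access directive."""
    for d in directives:
        if d[:2] == ["access", "to"] and len(d) > 2:
            if d[2].lower() == "attrs=userpassword":
                return True
            if d[2] == "*":
                return False
    return False


def audit(text: str) -> Dict[str, object]:
    """Parse the configuration and collect every syncrepl finding."""
    directives = parse_conf(text)
    findings = [f for d in directives if d and d[0].lower() == "syncrepl"
                for f in audit_syncrepl(syncrepl_params(d))]
    return {"directives": len(directives), "findings": findings,
            "password_protected": password_rule_precedes_catchall(directives)}
```

       Running audit(SAMPLE_CONF) reports three findings for the sample
       (cleartext simple bind, non-critical starttls, tls_reqcert=never);
       changing the directive to starttls=critical and tls_reqcert=demand
       clears them. The tokenizer toggles quoting on any double quote, so an
       argument such as searchbase="dc=example,dc=com" is kept as one token
       with the quotes removed.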

       "OpenLDAP Administrator's Guide" contains a longer annotated example of
       a configuration file. The original /etc/openldap/slapd.conf is another
       example.

       /etc/openldap/slapd.conf
              default slapd configuration file

       ldap(3), gnutls-cli(1), slapd-config(5), slapd.access(5),
       slapd.backends(5), slapd.overlays(5), slapd.plugin(5), slapd(8),
       slapacl(8), slapadd(8), slapauth(8), slapcat(8), slapdn(8),
       slapindex(8), slappasswd(8), slaptest(8).

       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

       OpenLDAP Software is developed and maintained by The OpenLDAP Project
       <http://www.openldap.org/>. OpenLDAP Software is derived from the
       University of Michigan LDAP 3.3 Release.



OpenLDAP 2.4.50                   2020/04/28                    SLAPD.CONF(5)