SLAPD-SOCK(5)                 File Formats Manual                SLAPD-SOCK(5)

NAME
       slapd-sock - Socket backend/overlay to slapd

SYNOPSIS
       /etc/openldap/slapd.conf

DESCRIPTION
       The Socket backend to slapd(8) uses an external program to handle
       queries, similarly to slapd-shell(5).  However, in this case the
       external program listens on a Unix domain socket.  This makes it
       possible to have a pool of processes which persist between requests.
       This allows multithreaded operation and a higher level of efficiency.
       The external program must have been started independently; slapd(8)
       itself will not start it.

       This module may also be used as an overlay on top of some other
       database.  Use as an overlay allows external actions to be triggered
       in response to operations on the main database.

CONFIGURATION
       These slapd.conf options apply to the SOCK backend database.  That is,
       they must follow a "database sock" line and come before any subsequent
       "backend" or "database" lines.  Other database options are described
       in the slapd.conf(5) manual page.

       Alternatively, to use this module as an overlay, these directives must
       follow an "overlay sock" line within an existing database definition.

       extensions [ binddn | peername | ssf | connid ]*
              Enables the sending of additional meta-attributes with each
              request.
                     binddn: <bound DN>
                     peername: IP=<address>:<port>
                     ssf: <SSF value>
                     connid: <connection ID>

       socketpath <pathname>
              Gives the path to a Unix domain socket to which the commands
              will be sent and from which replies are received.

       When used as an overlay, these additional directives are defined:

       sockops [ bind | unbind | search | compare | modify | modrdn | add | delete ]*
              Specify which request types to send to the external program.
              The default is empty (no requests are sent).

       sockresps [ result | search ]*
              Specify which response types to send to the external program.
              "result" sends just the results of an operation.  "search"
              sends all entries that the database returned for a search
              request.  The default is empty (no responses are sent).
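An added slapd.conf fragment (written for this page, not taken from the OpenLDAP tree) showing both placements of the directives above: a stand-alone sock database, and the overlay form inside another database where sockops and sockresps select what is forwarded. The suffixes, socket paths and the mdb database underneath the overlay are assumptions.

```conf
# Stand-alone sock backend: every operation under this suffix is sent to the
# external program listening on socketpath (slapd does not start that program).
database        sock
suffix          "dc=example,dc=com"
socketpath      /var/run/slapd-sock.sock
extensions      binddn peername ssf connid

# Overlay form: the directives must follow "overlay sock" inside an existing
# database definition.  With an empty sockops/sockresps nothing would be sent.
database        mdb
suffix          "dc=corp,dc=example"
directory       /var/lib/ldap
overlay         sock
socketpath      /var/run/slapd-audit.sock
extensions      connid
sockops         bind modify delete
sockresps       result
```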

PROTOCOL
       The protocol is essentially the same as slapd-shell(5) with the
       addition of a newline to terminate the command parameters.  The
       following commands are sent:
              ADD
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              <entry in LDIF format>
              <blank line>

              BIND
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              method: <method number>
              credlen: <length of <credentials>>
              cred: <credentials>
              <blank line>

              COMPARE
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              <attribute>: <value>
              <blank line>

              DELETE
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              <blank line>

              MODIFY
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              <repeat {
                     <"add"/"delete"/"replace">: <attribute>
                     <repeat { <attribute>: <value> }>
                     -
              }>
              <blank line>

              MODRDN
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              newrdn: <new RDN>
              deleteoldrdn: <0 or 1>
              <if new superior is specified: "newSuperior: <DN>">
              <blank line>

              SEARCH
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              base: <base DN>
              scope: <0-2, see ldap.h>
              deref: <0-3, see ldap.h>
              sizelimit: <size limit>
              timelimit: <time limit>
              filter: <filter>
              attrsonly: <0 or 1>
              attrs: <"all" or space-separated attribute list>
              <blank line>

              UNBIND
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              <blank line>

       The commands - except unbind - should output:
              RESULT
              code: <integer>
              matched: <matched DN>
              info: <text>
       where only RESULT is mandatory, and then close the socket.  The search
       RESULT should be preceded by the entries in LDIF format, each entry
       followed by a blank line.  Lines starting with `#' or `DEBUG:' are
       ignored.

       When used as an overlay, the external program should return a CONTINUE
       response if request processing should continue normally, or a regular
       RESULT response if the external program wishes to bypass the underlying
       database.

       If the overlay is configured to send response messages to the external
       program, they will appear as an extended RESULT message or as an ENTRY
       message, defined below.  The RESULT message is similar to the one
       above, but also includes the msgid and any configured extensions:
              RESULT
              msgid: <message id>
              code: <integer>
              matched: <matched DN>
              info: <text>
              <blank line>

       Typically both the msgid and the connid will be needed to match a
       result message to a request.  The ENTRY message has the form
              ENTRY
              msgid: <message id>
              <entry in LDIF format>
              <blank line>

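An added example of an external program speaking the protocol above, written in Python for this page and not taken from OpenLDAP's back-sock directory: it parses the header lines of each command, answers BIND and SEARCH itself in the RESULT form (rejecting a credlen that does not match the credential bytes actually sent), replies CONTINUE to everything else when running as an overlay, and serves one command per Unix-socket connection. The sample directory entry, the LDAP result codes used, and treating scope 1 like scope 2 are assumptions of the example.

```python
import hmac
import itertools
import socketserver

USERS = {"cn=alice,dc=example,dc=com": {"cn": "alice", "userPassword": "s3cret"}}  # constructed demo data
HEADERS = set("msgid suffix dn method credlen cred base scope deref sizelimit timelimit filter "
              "attrsonly attrs newrdn deleteoldrdn newSuperior binddn peername ssf connid".split())

def parse_request(text):
    # Verb on the first line, "key: value" headers next; from the first non-header line on
    # (ADD's LDIF entry, MODIFY changes, COMPARE assertion) everything is kept as the body.
    lines = text.rstrip("\n").split("\n")
    req = {"op": lines[0].strip(), "suffix": [], "body": []}
    for line in lines[1:]:
        key, sep, val = line.partition(":")
        if sep and key in HEADERS and not req["body"]:
            v = val.strip()
            req["suffix"].append(v) if key == "suffix" else req.update({key: v})
        else:
            req["body"].append(line)
    return req

def result(code, matched="", info=""):
    return f"RESULT\ncode: {code}\nmatched: {matched}\ninfo: {info}\n"

def handle_request(req, overlay=False):
    op = req["op"]
    if op == "BIND":  # credlen must match the bytes actually sent; compare in constant time
        cred = req.get("cred", "")
        if req.get("credlen") != str(len(cred.encode())):
            return result(2, info="credlen mismatch")  # LDAP protocolError
        user = USERS.get(req.get("dn"))
        if user and hmac.compare_digest(user["userPassword"].encode(), cred.encode()):
            return result(0)
        return result(49, info="invalid credentials")  # LDAP invalidCredentials
    if op == "SEARCH":  # scope 0 = base only; scopes 1 and 2 are both treated as subtree here
        base, scope, out = req.get("base", ""), req.get("scope", "2"), ""
        for dn, attrs in USERS.items():
            if dn == base or (scope != "0" and dn.endswith("," + base)):
                out += f"dn: {dn}\n" + "".join(f"{k}: {v}\n" for k, v in attrs.items()
                                               if k != "userPassword") + "\n"
        return out + result(0)
    if op == "UNBIND": return ""  # unbind gets no reply
    return "CONTINUE\n" if overlay else result(53, info="unwilling to perform")

class SockHandler(socketserver.StreamRequestHandler):
    # One command per connection; run with socketserver.UnixStreamServer(socketpath, SockHandler)
    def handle(self):
        lines = [r.decode() for r in itertools.takewhile(lambda r: r != b"\n", self.rfile)]
        self.wfile.write(handle_request(parse_request("".join(lines)), overlay=True).encode())
```

Start the server on the path given by socketpath before slapd, since slapd will not start it, and keep the socket file readable only by the slapd user so nothing else can drive the program.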

ACCESS CONTROL
       The sock backend does not honor all ACL semantics as described in
       slapd.access(5).  In general, access to objects is checked by using a
       dummy object that contains only the DN, so access rules that rely on
       the contents of the object are not honored.  In detail:

       The add operation does not require write (=w) access to the children
       pseudo-attribute of the parent entry.

       The bind operation requires auth (=x) access to the entry
       pseudo-attribute of the entry whose identity is being assessed; auth
       (=x) access to the credentials is not checked, but rather delegated to
       the underlying program.

       The compare operation requires compare (=c) access to the entry
       pseudo-attribute of the object whose value is being asserted; compare
       (=c) access to the attribute whose value is being asserted is not
       checked.

       The delete operation does not require write (=w) access to the children
       pseudo-attribute of the parent entry.

       The modify operation requires write (=w) access to the entry
       pseudo-attribute; write (=w) access to the specific attributes that
       are modified is not checked.

       The modrdn operation does not require write (=w) access to the children
       pseudo-attribute of the parent entry, nor to that of the new parent, if
       different; write (=w) access to the distinguished values of the naming
       attributes is not checked.

       The search operation does not require search (=s) access to the entry
       pseudo-attribute of the searchBase; search (=s) access to the
       attributes and values used in the filter is not checked.

EXAMPLE
       There is an example script in the slapd/back-sock/ directory in the
       OpenLDAP source tree.

FILES
       /etc/openldap/slapd.conf
              default slapd configuration file

SEE ALSO
       slapd.conf(5), slapd-config(5), slapd(8).

ACKNOWLEDGEMENTS
       Brian Candler, with enhancements by Howard Chu

OpenLDAP 2.4.40                   2014/09/20                     SLAPD-SOCK(5)