1SLAPD.CONF(5) File Formats Manual SLAPD.CONF(5)
2
3
4
6 slapd.conf - configuration file for slapd, the stand-alone LDAP daemon
7
9 /etc/openldap/slapd.conf
10
12 The file /etc/openldap/slapd.conf contains configuration information
13 for the slapd(8) daemon. This configuration file is also used by the
14 SLAPD tools slapacl(8), slapadd(8), slapauth(8), slapcat(8), slapdn(8),
15 slapindex(8), and slaptest(8).
16
17 The slapd.conf file consists of a series of global configuration
18 options that apply to slapd as a whole (including all backends), fol‐
19 lowed by zero or more database backend definitions that contain infor‐
20 mation specific to a backend instance. The configuration options are
21 case-insensitive; their value, on a case by case basis, may be case-
22 sensitive.
23
24 The general format of slapd.conf is as follows:
25
26 # comment - these options apply to every database
27 <global configuration options>
28 # first database definition & configuration options
29 database <backend 1 type>
30 <configuration options specific to backend 1>
31 # subsequent database definitions & configuration options
32 ...
33
34 As many backend-specific sections as desired may be included. Global
35 options can be overridden in a backend (for options that appear more
36 than once, the last appearance in the slapd.conf file is used).
37
38 If a line begins with white space, it is considered a continuation of
39 the previous line. No physical line should be over 2000 bytes long.
40
41 Blank lines and comment lines beginning with a `#' character are
42 ignored. Note: continuation lines are unwrapped before comment pro‐
43 cessing is applied.
44
45 Arguments on configuration lines are separated by white space. If an
46 argument contains white space, the argument should be enclosed in dou‐
47 ble quotes. If an argument contains a double quote (`"') or a back‐
48 slash character (`\'), the character should be preceded by a backslash
49 character.
50
51 The specific configuration options available are discussed below in the
52 Global Configuration Options, General Backend Options, and General
53 Database Options. Backend-specific options are discussed in the
54 slapd-<backend>(5) manual pages. Refer to the "OpenLDAP Administra‐
55 tor's Guide" for more details on the slapd configuration file.
56
58 Options described in this section apply to all backends, unless specif‐
59 ically overridden in a backend definition. Arguments that should be
60 replaced by actual text are shown in brackets <>.
61
62 access to <what> [ by <who> <access> <control> ]+
63 Grant access (specified by <access>) to a set of entries and/or
64 attributes (specified by <what>) by one or more requestors
65 (specified by <who>). If no access controls are present, the
66 default policy allows anyone and everyone to read anything but
67 restricts updates to rootdn. (e.g., "access to * by * read").
68 The rootdn can always read and write EVERYTHING! See
69 slapd.access(5) and the "OpenLDAP's Administrator's Guide" for
70 details.
71
72 allow <features>
73 Specify a set of features (separated by white space) to allow
74 (default none). bind_v2 allows acceptance of LDAPv2 bind
75 requests. Note that slapd(8) does not truly implement LDAPv2
76 (RFC 1777), now Historic (RFC 3494). bind_anon_cred allows
77 anonymous bind when credentials are not empty (e.g. when DN is
78 empty). bind_anon_dn allows unauthenticated (anonymous) bind
79 when DN is not empty. update_anon allows unauthenticated
80 (anonymous) update operations to be processed (subject to access
81 controls and other administrative limits). proxy_authz_anon
82 allows unauthenticated (anonymous) proxy authorization control
83 to be processed (subject to access controls, authorization and
84 other administrative limits).
85
86 argsfile <filename>
87 The (absolute) name of a file that will hold the slapd server's
88 command line (program name and options).
89
90 attributeoptions [option-name]...
91 Define tagging attribute options or option tag/range prefixes.
92 Options must not end with `-', prefixes must end with `-'. The
93 `lang-' prefix is predefined. If you use the attributeoptions
94 directive, `lang-' will no longer be defined and you must spec‐
95 ify it explicitly if you want it defined.
96
97 An attribute description with a tagging option is a subtype of
98 that attribute description without the option. Except for that,
99 options defined this way have no special semantics. Prefixes
100 defined this way work like the `lang-' options: They define a
101 prefix for tagging options starting with the prefix. That is,
102 if you define the prefix `x-foo-', you can use the option
103 `x-foo-bar'. Furthermore, in a search or compare, a prefix or
104 range name (with a trailing `-') matches all options starting
105 with that name, as well as the option with the range name sans
106 the trailing `-'. That is, `x-foo-bar-' matches `x-foo-bar' and
107 `x-foo-bar-baz'.
108
109 RFC 4520 reserves options beginning with `x-' for private exper‐
110 iments. Other options should be registered with IANA, see RFC
111 4520 section 3.5. OpenLDAP also has the `binary' option built
112 in, but this is a transfer option, not a tagging option.
113
114 attributetype ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE]
115 [SUP <oid>] [EQUALITY <oid>] [ORDERING <oid>] [SUBSTR <oid>]
116 [SYNTAX <oidlen>] [SINGLE-VALUE] [COLLECTIVE]
117 [NO-USER-MODIFICATION] [USAGE <attributeUsage>] )
118 Specify an attribute type using the LDAPv3 syntax defined in RFC
119 4512. The slapd parser extends the RFC 4512 definition by
120 allowing string forms as well as numeric OIDs to be used for the
121 attribute OID and attribute syntax OID. (See the
122 objectidentifier description.)
123
124 authid-rewrite<cmd> <args>
125 Used by the authentication framework to convert simple user
126 names to an LDAP DN used for authorization purposes. Its
127 purpose is analogous to that of authz-regexp (see below). The
128 prefix authid- is followed by a set of rules analogous to those
129 described in slapo-rwm(5) for data rewriting (replace the rwm-
130 prefix with authid-). authid-rewrite<cmd> and authz-regexp
131 rules should not be intermixed.
132
133 authz-policy <policy>
134 Used to specify which rules to use for Proxy Authorization.
135 Proxy authorization allows a client to authenticate to the
136 server using one user's credentials, but specify a different
137 identity to use for authorization and access control purposes.
138 It essentially allows user A to login as user B, using user A's
139 password. The none flag disables proxy authorization. This is
140 the default setting. The from flag will use rules in the
141 authzFrom attribute of the authorization DN. The to flag will
142 use rules in the authzTo attribute of the authentication DN.
143 The any flag, an alias for the deprecated value of both, will
144 allow any of the above, whatever succeeds first (checked in to,
145 from sequence. The all flag requires both authorizations to
146 succeed.
147
148 The rules are mechanisms to specify which identities are allowed
149 to perform proxy authorization. The authzFrom attribute in an
150 entry specifies which other users are allowed to proxy login to
151 this entry. The authzTo attribute in an entry specifies which
152 other users this user can authorize as. Use of authzTo rules
153 can be easily abused if users are allowed to write arbitrary
154 values to this attribute. In general the authzTo attribute must
155 be protected with ACLs such that only privileged users can
156 modify it. The value of authzFrom and authzTo describes an
157 identity or a set of identities; it can take five forms:
158
159 ldap:///<base>??[<scope>]?<filter>
160 dn[.<dnstyle>]:<pattern>
161 u[.<mech>[/<realm>]]:<pattern>
162 group[/objectClass[/attributeType]]:<pattern>
163 <pattern>
164
165 <dnstyle>:={exact|onelevel|children|subtree|regex}
166
167 The first form is a valid LDAP URI where the <host>:<port>, the
168 <attrs> and the <extensions> portions must be absent, so that
169 the search occurs locally on either authzFrom or authzTo. The
170 second form is a DN, with the optional style modifiers exact,
171 onelevel, children, and subtree for exact, onelevel, children
172 and subtree matches, which cause <pattern> to be normalized
173 according to the DN normalization rules, or the special regex
174 style, which causes the <pattern> to be treated as a POSIX
175 (''extended'') regular expression, as discussed in regex(7)
176 and/or re_format(7). A pattern of * means any non-anonymous DN.
177 The third form is a SASL id, with the optional fields <mech> and
178 <realm> that allow to specify a SASL mechanism, and eventually a
179 SASL realm, for those mechanisms that support one. The need to
180 allow the specification of a mechanism is still debated, and
181 users are strongly discouraged to rely on this possibility. The
182 fourth form is a group specification, consisting of the keyword
183 group, optionally followed by the specification of the group
184 objectClass and member attributeType. The group with DN
185 <pattern> is searched with base scope, and in case of match, the
186 values of the member attributeType are searched for the asserted
187 DN. For backwards compatibility, if no identity type is
188 provided, i.e. only <pattern> is present, an exact DN is
189 assumed; as a consequence, <pattern> is subjected to DN
190 normalization. Since the interpretation of authzFrom and
191 authzTo can impact security, users are strongly encouraged to
192 explicitly set the type of identity specification that is being
193 used. A subset of these rules can be used as third arg in the
194 authz-regexp statement (see below); significantly, the URI,
195 provided it results in exactly one entry, and the dn.exact:<dn>
196 forms.
197
198 authz-regexp <match> <replace>
199 Used by the authentication framework to convert simple user
200 names, such as provided by SASL subsystem, or extracted from
201 certificates in case of cert-based SASL EXTERNAL, or provided
202 within the RFC 4370 "proxied authorization" control, to an LDAP
203 DN used for authorization purposes. Note that the resulting DN
204 need not refer to an existing entry to be considered valid.
205 When an authorization request is received from the SASL
206 subsystem, the SASL USERNAME, REALM, and MECHANISM are taken,
207 when available, and combined into a name of the form
208
209 UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth
210
211 This name is then compared against the match POSIX
212 (''extended'') regular expression, and if the match is
213 successful, the name is replaced with the replace string. If
214 there are wildcard strings in the match regular expression that
215 are enclosed in parenthesis, e.g.
216
217 UID=([^,]*),CN=.*
218
219 then the portion of the name that matched the wildcard will be
220 stored in the numbered placeholder variable $1. If there are
221 other wildcard strings in parenthesis, the matching strings will
222 be in $2, $3, etc. up to $9. The placeholders can then be used
223 in the replace string, e.g.
224
225 UID=$1,OU=Accounts,DC=example,DC=com
226
227 The replaced name can be either a DN, i.e. a string prefixed by
228 "dn:", or an LDAP URI. If the latter, the server will use the
229 URI to search its own database(s) and, if the search returns
230 exactly one entry, the name is replaced by the DN of that entry.
231 The LDAP URI must have no hostport, attrs, or extensions
232 components, but the filter is mandatory, e.g.
233
234 ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)
235
236 The protocol portion of the URI must be strictly ldap. Note
237 that this search is subject to access controls. Specifically,
238 the authentication identity must have "auth" access in the
239 subject.
240
241 Multiple authz-regexp options can be given in the configuration
242 file to allow for multiple matching and replacement patterns.
243 The matching patterns are checked in the order they appear in
244 the file, stopping at the first successful match.
245
246
247 concurrency <integer>
248 Specify a desired level of concurrency. Provided to the
249 underlying thread system as a hint. The default is not to
250 provide any hint.
251
252 conn_max_pending <integer>
253 Specify the maximum number of pending requests for an anonymous
254 session. If requests are submitted faster than the server can
255 process them, they will be queued up to this limit. If the limit
256 is exceeded, the session is closed. The default is 100.
257
258 conn_max_pending_auth <integer>
259 Specify the maximum number of pending requests for an
260 authenticated session. The default is 1000.
261
262 defaultsearchbase <dn>
263 Specify a default search base to use when client submits a non-
264 base search request with an empty base DN. Base scoped search
265 requests with an empty base DN are not affected.
266
267 disallow <features>
268 Specify a set of features (separated by white space) to disallow
269 (default none). bind_anon disables acceptance of anonymous bind
270 requests. Note that this setting does not prohibit anonymous
271 directory access (See "require authc"). bind_simple disables
272 simple (bind) authentication. tls_2_anon disables forcing
273 session to anonymous status (see also tls_authc) upon StartTLS
274 operation receipt. tls_authc disallows the StartTLS operation
275 if authenticated (see also tls_2_anon).
276 proxy_authz_non_critical disables acceptance of the proxied
277 authorization control (RFC4370) when criticality is FALSE.
278 dontusecopy_non_critical disables acceptance of the dontUseCopy
279 control (a work in progress) when criticality is FALSE.
280
281 ditcontentrule ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE]
282 [AUX <oids>] [MUST <oids>] [MAY <oids>] [NOT <oids>] )
283 Specify an DIT Content Rule using the LDAPv3 syntax defined in
284 RFC 4512. The slapd parser extends the RFC 4512 definition by
285 allowing string forms as well as numeric OIDs to be used for the
286 attribute OID and attribute syntax OID. (See the
287 objectidentifier description.)
288
289 gentlehup { on | off }
290 A SIGHUP signal will only cause a 'gentle' shutdown-attempt:
291 Slapd will stop listening for new connections, but will not
292 close the connections to the current clients. Future write
293 operations return unwilling-to-perform, though. Slapd
294 terminates when all clients have closed their connections (if
295 they ever do), or - as before - if it receives a SIGTERM signal.
296 This can be useful if you wish to terminate the server and start
297 a new slapd server with another database, without disrupting the
298 currently active clients. The default is off. You may wish to
299 use idletimeout along with this option.
300
301 idletimeout <integer>
302 Specify the number of seconds to wait before forcibly closing an
303 idle client connection. A idletimeout of 0 disables this
304 feature. The default is 0. You may also want to set the
305 writetimeout option.
306
307 include <filename>
308 Read additional configuration information from the given file
309 before continuing with the next line of the current file.
310
311 index_intlen <integer>
312 Specify the key length for ordered integer indices. The most
313 significant bytes of the binary integer will be used for index
314 keys. The default value is 4, which provides exact indexing for
315 31 bit values. A floating point representation is used to index
316 too large values.
317
318 index_substr_if_minlen <integer>
319 Specify the minimum length for subinitial and subfinal indices.
320 An attribute value must have at least this many characters in
321 order to be processed by the indexing functions. The default is
322 2.
323
324 index_substr_if_maxlen <integer>
325 Specify the maximum length for subinitial and subfinal indices.
326 Only this many characters of an attribute value will be
327 processed by the indexing functions; any excess characters are
328 ignored. The default is 4.
329
330 index_substr_any_len <integer>
331 Specify the length used for subany indices. An attribute value
332 must have at least this many characters in order to be
333 processed. Attribute values longer than this length will be
334 processed in segments of this length. The default is 4. The
335 subany index will also be used in subinitial and subfinal index
336 lookups when the filter string is longer than the
337 index_substr_if_maxlen value.
338
339 index_substr_any_step <integer>
340 Specify the steps used in subany index lookups. This value sets
341 the offset for the segments of a filter string that are
342 processed for a subany index lookup. The default is 2. For
343 example, with the default values, a search using this filter
344 "cn=*abcdefgh*" would generate index lookups for "abcd", "cdef",
345 and "efgh".
346
347
348 Note: Indexing support depends on the particular backend in use. Also,
349 changing these settings will generally require deleting any indices
350 that depend on these parameters and recreating them with slapindex(8).
351
352
353 ldapsyntax ( <oid> [DESC <description>] [X-SUBST <substitute-syntax>] )
354
355 Specify an LDAP syntax using the LDAPv3 syntax defined in RFC
356 4512. The slapd parser extends the RFC 4512 definition by
357 allowing string forms as well as numeric OIDs to be used for the
358 syntax OID. (See the objectidentifier description.) The slapd
359 parser also honors the X-SUBST extension (an OpenLDAP-specific
360 extension), which allows to use the ldapsyntax statement to
361 define a non-implemented syntax along with another syntax, the
362 extension value substitute-syntax, as its temporary replacement.
363 The substitute-syntax must be defined. This allows to define
364 attribute types that make use of non-implemented syntaxes using
365 the correct syntax OID. Unless X-SUBST is used, this
366 configuration statement would result in an error, since no
367 handlers would be associated to the resulting syntax structure.
368
369
370 listener-threads <integer>
371 Specify the number of threads to use for the connection manager.
372 The default is 1 and this is typically adequate for up to 16 CPU
373 cores. The value should be set to a power of 2.
374
375 localSSF <SSF>
376 Specifies the Security Strength Factor (SSF) to be given local
377 LDAP sessions, such as those to the ldapi:// listener. For a
378 description of SSF values, see sasl-secprops's minssf option
379 description. The default is 71.
380
381 logfile <filename>
382 Specify a file for recording debug log messages. By default
383 these messages only go to stderr and are not recorded anywhere
384 else. Specifying a logfile copies messages to both stderr and
385 the logfile.
386
387 loglevel <integer> [...]
388 Specify the level at which debugging statements and operation
389 statistics should be syslogged (currently logged to the
390 syslogd(8) LOG_LOCAL4 facility). They must be considered
391 subsystems rather than increasingly verbose log levels. Some
392 messages with higher priority are logged regardless of the
393 configured loglevel as soon as any logging is configured. Log
394 levels are additive, and available levels are:
395 1 (0x1 trace) trace function calls
396 2 (0x2 packets) debug packet handling
397 4 (0x4 args) heavy trace debugging (function args)
398 8 (0x8 conns) connection management
399 16 (0x10 BER) print out packets sent and received
400 32 (0x20 filter) search filter processing
401 64 (0x40 config) configuration file processing
402 128 (0x80 ACL) access control list processing
403 256 (0x100 stats) connections, LDAP operations,
404 results (recommended)
405 512 (0x200 stats2) stats log entries sent
406 1024 (0x400 shell) print communication with shell
407 backends
408 2048 (0x800 parse) entry parsing
409
410
411
412
413
414
415
416
417 16384 (0x4000 sync) LDAPSync replication
418 32768 (0x8000 none) only messages that get logged
419 whatever log level is set
420 The desired log level can be input as a single integer that
421 combines the (ORed) desired levels, both in decimal or in
422 hexadecimal notation, as a list of integers (that are ORed
423 internally), or as a list of the names that are shown between
424 brackets, such that
425
426 loglevel 129
427 loglevel 0x81
428 loglevel 128 1
429 loglevel 0x80 0x1
430 loglevel acl trace
431
432 are equivalent. The keyword any can be used as a shortcut to
433 enable logging at all levels (equivalent to -1). The keyword
434 none, or the equivalent integer representation, causes those
435 messages that are logged regardless of the configured loglevel
436 to be logged. In fact, if loglevel is set to 0, no logging
437 occurs, so at least the none level is required to have high
438 priority messages logged.
439
440 The loglevel defaults to stats. This level should usually also
441 be included when using other loglevels, to help analyze the
442 logs.
443
444 moduleload <filename>
445 Specify the name of a dynamically loadable module to load. The
446 filename may be an absolute path name or a simple filename. Non-
447 absolute names are searched for in the directories specified by
448 the modulepath option. This option and the modulepath option are
449 only usable if slapd was compiled with --enable-modules.
450
451 modulepath <pathspec>
452 Specify a list of directories to search for loadable modules.
453 Typically the path is colon-separated but this depends on the
454 operating system. The default is /usr/lib64/openldap, which is
455 where the standard OpenLDAP install will place its modules.
456
457 objectclass ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE]
458 [SUP <oids>] [{ ABSTRACT | STRUCTURAL | AUXILIARY }]
459 [MUST <oids>] [MAY <oids>] )
460 Specify an objectclass using the LDAPv3 syntax defined in RFC
461 4512. The slapd parser extends the RFC 4512 definition by
462 allowing string forms as well as numeric OIDs to be used for the
463 object class OID. (See the objectidentifier description.)
464 Object classes are "STRUCTURAL" by default.
465
466 objectidentifier <name> { <oid> | <name>[:<suffix>] }
467 Define a string name that equates to the given OID. The string
468 can be used in place of the numeric OID in objectclass and
469 attribute definitions. The name can also be used with a suffix
470 of the form ":xx" in which case the value "oid.xx" will be used.
471
472 password-hash <hash> [<hash>...]
473 This option configures one or more hashes to be used in
474 generation of user passwords stored in the userPassword
475 attribute during processing of LDAP Password Modify Extended
476 Operations (RFC 3062). The <hash> must be one of {SSHA}, {SHA},
477 {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. The default is {SSHA}.
478
479 {SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the
480 latter with a seed.
481
482 {MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter
483 with a seed.
484
485 {CRYPT} uses the crypt(3).
486
487 {CLEARTEXT} indicates that the new password should be added to
488 userPassword as clear text.
489
490 Note that this option does not alter the normal user
491 applications handling of userPassword during LDAP Add, Modify,
492 or other LDAP operations.
493
494 password-crypt-salt-format <format>
495 Specify the format of the salt passed to crypt(3) when
496 generating {CRYPT} passwords (see password-hash) during
497 processing of LDAP Password Modify Extended Operations (RFC
498 3062).
499
500 This string needs to be in sprintf(3) format and may include one
501 (and only one) %s conversion. This conversion will be
502 substituted with a string of random characters from
503 [A-Za-z0-9./]. For example, "%.2s" provides a two character
504 salt and "$1$%.8s" tells some versions of crypt(3) to use an MD5
505 algorithm and provides 8 random characters of salt. The default
506 is "%s", which provides 31 characters of salt.
507
508 pidfile <filename>
509 The (absolute) name of a file that will hold the slapd server's
510 process ID (see getpid(2)).
511
512 referral <url>
513 Specify the referral to pass back when slapd(8) cannot find a
514 local database to handle a request. If specified multiple
515 times, each url is provided.
516
517 require <conditions>
518 Specify a set of conditions (separated by white space) to
519 require (default none). The directive may be specified globally
520 and/or per-database; databases inherit global conditions, so
521 per-database specifications are additive. bind requires bind
522 operation prior to directory operations. LDAPv3 requires
523 session to be using LDAP version 3. authc requires
524 authentication prior to directory operations. SASL requires
525 SASL authentication prior to directory operations. strong
526 requires strong authentication prior to directory operations.
527 The strong keyword allows protected "simple" authentication as
528 well as SASL authentication. none may be used to require no
529 conditions (useful to clear out globally set conditions within a
530 particular database); it must occur first in the list of
531 conditions.
532
533 reverse-lookup on | off
534 Enable/disable client name unverified reverse lookup (default is
535 off if compiled with --enable-rlookups).
536
537 rootDSE <file>
538 Specify the name of an LDIF(5) file containing user defined
539 attributes for the root DSE. These attributes are returned in
540 addition to the attributes normally produced by slapd.
541
542 The root DSE is an entry with information about the server and
543 its capabilities, in operational attributes. It has the empty
544 DN, and can be read with e.g.:
545 ldapsearch -x -b "" -s base "+"
546 See RFC 4512 section 5.1 for details.
547
548 sasl-auxprops <plugin> [...]
549 Specify which auxprop plugins to use for authentication lookups.
550 The default is empty, which just uses slapd's internal support.
551 Usually no other auxprop plugins are needed.
552
553 sasl-host <fqdn>
554 Used to specify the fully qualified domain name used for SASL
555 processing.
556
557 sasl-realm <realm>
558 Specify SASL realm. Default is empty.
559
560 sasl-secprops <properties>
561 Used to specify Cyrus SASL security properties. The none flag
562 (without any other properties) causes the flag properties
563 default, "noanonymous,noplain", to be cleared. The noplain flag
564 disables mechanisms susceptible to simple passive attacks. The
565 noactive flag disables mechanisms susceptible to active attacks.
566 The nodict flag disables mechanisms susceptible to passive
567 dictionary attacks. The noanonymous flag disables mechanisms
568 which support anonymous login. The forwardsec flag require
569 forward secrecy between sessions. The passcred require
570 mechanisms which pass client credentials (and allow mechanisms
571 which can pass credentials to do so). The minssf=<factor>
572 property specifies the minimum acceptable security strength
573 factor as an integer approximate to effective key length used
574 for encryption. 0 (zero) implies no protection, 1 implies
575 integrity protection only, 56 allows DES or other weak ciphers,
576 112 allows triple DES and other strong ciphers, 128 allows RC4,
577 Blowfish and other modern strong ciphers. The default is 0.
578 The maxssf=<factor> property specifies the maximum acceptable
579 security strength factor as an integer (see minssf description).
580 The default is INT_MAX. The maxbufsize=<size> property
581 specifies the maximum security layer receive buffer size
582 allowed. 0 disables security layers. The default is 65536.
583
584 schemadn <dn>
585 Specify the distinguished name for the subschema subentry that
586 controls the entries on this server. The default is
587 "cn=Subschema".
588
589 security <factors>
590 Specify a set of security strength factors (separated by white
591 space) to require (see sasl-secprops's minssf option for a
592 description of security strength factors). The directive may be
593 specified globally and/or per-database. ssf=<n> specifies the
594 overall security strength factor. transport=<n> specifies the
595 transport security strength factor. tls=<n> specifies the TLS
596 security strength factor. sasl=<n> specifies the SASL security
597 strength factor. update_ssf=<n> specifies the overall security
598 strength factor to require for directory updates.
599 update_transport=<n> specifies the transport security strength
600 factor to require for directory updates. update_tls=<n>
601 specifies the TLS security strength factor to require for
602 directory updates. update_sasl=<n> specifies the SASL security
603 strength factor to require for directory updates.
604 simple_bind=<n> specifies the security strength factor required
605 for simple username/password authentication. Note that the
606 transport factor is measure of security provided by the
607 underlying transport, e.g. ldapi:// (and eventually IPSEC). It
608 is not normally used.
609
610 serverID <integer> [<URL>]
611 Specify an integer ID from 0 to 4095 for this server (limited to
612 3 hexadecimal digits). The ID may also be specified as a
613 hexadecimal ID by prefixing the value with "0x". These IDs are
614 required when using multimaster replication and each master must
615 have a unique ID. Note that this requirement also applies to
616 separate masters contributing to a glued set of databases. If
617 the URL is provided, this directive may be specified multiple
618 times, providing a complete list of participating servers and
619 their IDs. The fully qualified hostname of each server should be
620 used in the supplied URLs. The IDs are used in the "replica id"
621 field of all CSNs generated by the specified server. The default
622 value is zero. Example:
623
624 serverID 1
625
626 sizelimit {<integer>|unlimited}
627
628 sizelimit size[.{soft|hard|unchecked}]=<integer> [...]
629 Specify the maximum number of entries to return from a search
630 operation. The default size limit is 500. Use unlimited to
631 specify no limits. The second format allows a fine grain
632 setting of the size limits. Extra args can be added on the same
633 line. See limits for an explanation of the different flags.
634
635 sockbuf_max_incoming <integer>
636 Specify the maximum incoming LDAP PDU size for anonymous
637 sessions. The default is 262143.
638
639 sockbuf_max_incoming_auth <integer>
640 Specify the maximum incoming LDAP PDU size for authenticated
641 sessions. The default is 4194303.
642
643 sortvals <attr> [...]
644 Specify a list of multi-valued attributes whose values will
645 always be maintained in sorted order. Using this option will
646 allow Modify, Compare, and filter evaluations on these
647 attributes to be performed more efficiently. The resulting sort
648 order depends on the attributes' syntax and matching rules and
649 may not correspond to lexical order or any other recognizable
650 order.
651
652 tcp-buffer [listener=<URL>] [{read|write}=]<size>
653 Specify the size of the TCP buffer. A global value for both
654 read and write TCP buffers related to any listener is defined,
655 unless the listener is explicitly specified, or either the read
656 or write qualifiers are used. See tcp(7) for details. Note
657 that some OS-es implement automatic TCP buffer tuning.
658
659 threads <integer>
660 Specify the maximum size of the primary thread pool. The
661 default is 16; the minimum value is 2.
662
663 timelimit {<integer>|unlimited}
664
665 timelimit time[.{soft|hard}]=<integer> [...]
666 Specify the maximum number of seconds (in real time) slapd will
667 spend answering a search request. The default time limit is
668 3600. Use unlimited to specify no limits. The second format
669 allows a fine grain setting of the time limits. Extra args can
670 be added on the same line. See limits for an explanation of the
671 different flags.
672
673 tool-threads <integer>
674 Specify the maximum number of threads to use in tool mode. This
675 should not be greater than the number of CPUs in the system.
676 The default is 1.
677
678 writetimeout <integer>
679 Specify the number of seconds to wait before forcibly closing a
680 connection with an outstanding write. This allows recovery from
681 various network hang conditions. A writetimeout of 0 disables
682 this feature. The default is 0.
683
685 If slapd is built with support for Transport Layer Security, there are
686 more options you can specify.
687
688 TLSCipherSuite <cipher-suite-spec>
689 Permits configuring what ciphers will be accepted and the
690 preference order. <cipher-suite-spec> should be a cipher
691 specification for the TLS library in use (OpenSSL, GnuTLS, or
692 Mozilla NSS). Example:
693
694 OpenSSL:
695 TLSCipherSuite HIGH:MEDIUM:+SSLv2
696
697 GnuTLS:
698 TLSCiphersuite SECURE256:!AES-128-CBC
699
700 To check what ciphers a given spec selects in OpenSSL, use:
701
702 openssl ciphers -v <cipher-suite-spec>
703
704 With GnuTLS the available specs can be found in the manual page
705 of gnutls-cli(1) (see the description of the option --priority).
706
707 In older versions of GnuTLS, where gnutls-cli does not support
708 the option --priority, you can obtain the — more limited — list
709 of ciphers by calling:
710
711 gnutls-cli -l
712
713 When using Mozilla NSS, the OpenSSL cipher suite specifications
714 are used and translated into the format used internally by
715 Mozilla NSS. There isn't an easy way to list the cipher suites
716 from the command line. The authoritative list is in the source
717 code for Mozilla NSS in the file sslinfo.c in the structure
718 static const SSLCipherSuiteInfo suiteInfo[]
719
720 TLSCACertificateFile <filename>
721 Specifies the file that contains certificates for all of the
722 Certificate Authorities that slapd will recognize.
723
724 TLSCACertificatePath <path>
725 Specifies the path of a directory that contains Certificate
726 Authority certificates in separate individual files. Usually
727 only one of this or the TLSCACertificateFile is defined. If both
728 are specified, both locations will be used. This directive is
729 not supported when using GnuTLS.
730
731 When using Mozilla NSS, <path> may contain a Mozilla NSS
732 cert/key database. If <path> contains a Mozilla NSS cert/key
733 database and CA cert files, OpenLDAP will use the cert/key
734 database and will ignore the CA cert files.
735
736 TLSCertificateFile <filename>
737 Specifies the file that contains the slapd server certificate.
738
739 When using Mozilla NSS, if using a cert/key database (specified
740 with TLSCACertificatePath), TLSCertificateFile specifies the
741 name of the certificate to use:
742 TLSCertificateFile Server-Cert
743 If using a token other than the internal built in token, specify
744 the token name first, followed by a colon:
745 TLSCertificateFile my hardware device:Server-Cert
746 Use certutil -L to list the certificates by name:
747 certutil -d /path/to/certdbdir -L
748
749 TLSCertificateKeyFile <filename>
750 Specifies the file that contains the slapd server private key
751 that matches the certificate stored in the TLSCertificateFile
752 file. If the private key is protected with a password, the
753 password must be manually typed in when slapd starts. Usually
754 the private key is not protected with a password, to allow slapd
755 to start without manual intervention, so it is of critical
756 importance that the file is protected carefully.
757
758 When using Mozilla NSS, TLSCertificateKeyFile specifies the name
759 of a file that contains the password for the key for the
760 certificate specified with TLSCertificateFile. The modutil
761 command can be used to turn off password protection for the
762 cert/key database. For example, if TLSCACertificatePath
763 specifes /etc/openldap/certdb as the location of the cert/key
764 database, use modutil to change the password to the empty
765 string:
766 modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'
767 You must have the old password, if any. Ignore the WARNING
768 about the running browser. Press 'Enter' for the new password.
769
770
771 TLSDHParamFile <filename>
772 This directive specifies the file that contains parameters for
773 Diffie-Hellman ephemeral key exchange. This is required in
774 order to use a DSA certificate on the server. If multiple sets
775 of parameters are present in the file, all of them will be
776 processed. Note that setting this option may also enable
777 Anonymous Diffie-Hellman key exchanges in certain non-default
778 cipher suites. You should append "!ADH" to your cipher suites
779 if you have changed them from the default, otherwise no
780 certificate exchanges or verification will be done. When using
781 GnuTLS these parameters are always generated randomly so this
782 directive is ignored. This directive is ignored when using
783 Mozilla NSS.
784
785 TLSProtocolMin <major>[.<minor>]
786 Specifies minimum SSL/TLS protocol version that will be
787 negotiated. If the server doesn't support at least that
788 version, the SSL handshake will fail. To require TLS 1.x or
789 higher, set this option to 3.(x+1), e.g.,
790
791 TLSProtocolMin 3.2
792
793 would require TLS 1.1. Specifying a minimum that is higher than
794 that supported by the OpenLDAP implementation will result in it
795 requiring the highest level that it does support. This
796 directive is ignored with GnuTLS.
797
798 TLSRandFile <filename>
799 Specifies the file to obtain random bits from when
800 /dev/[u]random is not available. Generally set to the name of
801 the EGD/PRNGD socket. The environment variable RANDFILE can
802 also be used to specify the filename. This directive is ignored
803 with GnuTLS and Mozilla NSS.
804
805 TLSVerifyClient <level>
806 Specifies what checks to perform on client certificates in an
807 incoming TLS session, if any. The <level> can be specified as
808 one of the following keywords:
809
810 never This is the default. slapd will not ask the client for a
811 certificate.
812
813 allow The client certificate is requested. If no certificate
814 is provided, the session proceeds normally. If a bad
815 certificate is provided, it will be ignored and the
816 session proceeds normally.
817
818 try The client certificate is requested. If no certificate
819 is provided, the session proceeds normally. If a bad
820 certificate is provided, the session is immediately
821 terminated.
822
823 demand | hard | true
824 These keywords are all equivalent, for compatibility
825 reasons. The client certificate is requested. If no
826 certificate is provided, or a bad certificate is
827 provided, the session is immediately terminated.
828
829 Note that a valid client certificate is required in order
830 to use the SASL EXTERNAL authentication mechanism with a
831 TLS session. As such, a non-default TLSVerifyClient
832 setting must be chosen to enable SASL EXTERNAL
833 authentication.
834
835 TLSCRLCheck <level>
836 Specifies if the Certificate Revocation List (CRL) of the CA
837 should be used to verify if the client certificates have not
838 been revoked. This requires TLSCACertificatePath parameter to be
839 set. This directive is ignored with GnuTLS and Mozilla NSS.
840 <level> can be specified as one of the following keywords:
841
842 none No CRL checks are performed
843
844 peer Check the CRL of the peer certificate
845
846 all Check the CRL for a whole certificate chain
847
848 TLSCRLFile <filename>
849 Specifies a file containing a Certificate Revocation List to be
850 used for verifying that certificates have not been revoked. This
851 directive is only valid when using GnuTLS and Mozilla NSS.
852
854 Options in this section only apply to the configuration file section
855 for the specified backend. They are supported by every type of
856 backend.
857
858 backend <databasetype>
859 Mark the beginning of a backend definition. <databasetype>
860 should be one of bdb, config, dnssrv, hdb, ldap, ldif, mdb,
861 meta, monitor, null, passwd, perl, relay, shell, or sql,
862 depending on which backend will serve the database.
863
864
866 Options in this section only apply to the configuration file section
867 for the database in which they are defined. They are supported by
868 every type of backend. Note that the database and at least one suffix
869 option are mandatory for each database.
870
871 database <databasetype>
872 Mark the beginning of a new database instance definition.
873 <databasetype> should be one of bdb, config, dnssrv, hdb, ldap,
874 ldif, mdb, meta, monitor, null, passwd, perl, relay, shell, or
875 sql, depending on which backend will serve the database.
876
877 LDAP operations, even subtree searches, normally access only one
878 database. That can be changed by gluing databases together with
879 the subordinate keyword. Access controls and some overlays can
880 also involve multiple databases.
881
882 add_content_acl on | off
883 Controls whether Add operations will perform ACL checks on the
884 content of the entry being added. This check is off by default.
885 See the slapd.access(5) manual page for more details on ACL
886 requirements for Add operations.
887
888 extra_attrs <attrlist>
889 Lists what attributes need to be added to search requests.
890 Local storage backends return the entire entry to the frontend.
891 The frontend takes care of only returning the requested
892 attributes that are allowed by ACLs. However, features like
893 access checking and so may need specific attributes that are not
894 automatically returned by remote storage backends, like proxy
895 backends and so on. <attrlist> is a list of attributes that are
896 needed for internal purposes and thus always need to be
897 collected, even when not explicitly requested by clients.
898
899 hidden on | off
900 Controls whether the database will be used to answer queries. A
901 database that is hidden will never be selected to answer any
902 queries, and any suffix configured on the database will be
903 ignored in checks for conflicts with other databases. By
904 default, hidden is off.
905
906 lastmod on | off
907 Controls whether slapd will automatically maintain the
908 modifiersName, modifyTimestamp, creatorsName, and
909 createTimestamp attributes for entries. It also controls the
910 entryCSN and entryUUID attributes, which are needed by the
911 syncrepl provider. By default, lastmod is on.
912
913 limits <selector> <limit> [<limit> [...]]
914 Specify time and size limits based on the operation's initiator
915 or base DN. The argument <selector> can be any of
916
917 anonymous | users | [<dnspec>=]<pattern> |
918 group[/oc[/at]]=<pattern>
919
920 with
921
922 <dnspec> ::= dn[.<type>][.<style>]
923
924 <type> ::= self | this
925
926 <style> ::= exact | base | onelevel | subtree | children
927 | regex | anonymous
928
929 DN type self is the default and means the bound user, while this
930 means the base DN of the operation. The term anonymous matches
931 all unauthenticated clients. The term users matches all
932 authenticated clients; otherwise an exact dn pattern is assumed
933 unless otherwise specified by qualifying the (optional) key
934 string dn with exact or base (which are synonyms), to require an
935 exact match; with onelevel, to require exactly one level of
936 depth match; with subtree, to allow any level of depth match,
937 including the exact match; with children, to allow any level of
938 depth match, not including the exact match; regex explicitly
939 requires the (default) match based on POSIX (''extended'')
940 regular expression pattern. Finally, anonymous matches unbound
941 operations; the pattern field is ignored. The same behavior is
942 obtained by using the anonymous form of the <selector> clause.
943 The term group, with the optional objectClass oc and
944 attributeType at fields, followed by pattern, sets the limits
945 for any DN listed in the values of the at attribute (default
946 member) of the oc group objectClass (default groupOfNames) whose
947 DN exactly matches pattern.
948
949 The currently supported limits are size and time.
950
951 The syntax for time limits is time[.{soft|hard}]=<integer>,
952 where integer is the number of seconds slapd will spend
953 answering a search request. If no time limit is explicitly
954 requested by the client, the soft limit is used; if the
955 requested time limit exceeds the hard limit, the value of the
956 limit is used instead. If the hard limit is set to the keyword
957 soft, the soft limit is used in either case; if it is set to the
958 keyword unlimited, no hard limit is enforced. Explicit requests
959 for time limits smaller or equal to the hard limit are honored.
960 If no limit specifier is set, the value is assigned to the soft
961 limit, and the hard limit is set to soft, to preserve the
962 original behavior.
963
964 The syntax for size limits is
965 size[.{soft|hard|unchecked}]=<integer>, where integer is the
966 maximum number of entries slapd will return answering a search
967 request. If no size limit is explicitly requested by the
968 client, the soft limit is used; if the requested size limit
969 exceeds the hard limit, the value of the limit is used instead.
970 If the hard limit is set to the keyword soft, the soft limit is
971 used in either case; if it is set to the keyword unlimited, no
972 hard limit is enforced. Explicit requests for size limits
973 smaller or equal to the hard limit are honored. The unchecked
974 specifier sets a limit on the number of candidates a search
975 request is allowed to examine. The rationale behind it is that
976 searches for non-properly indexed attributes may result in large
977 sets of candidates, which must be examined by slapd(8) to
978 determine whether they match the search filter or not. The
979 unchecked limit provides a means to drop such operations before
980 they are even started. If the selected candidates exceed the
981 unchecked limit, the search will abort with Unwilling to
982 perform. If it is set to the keyword unlimited, no limit is
983 applied (the default). If it is set to disabled, the search is
984 not even performed; this can be used to disallow searches for a
985 specific set of users. If no limit specifier is set, the value
986 is assigned to the soft limit, and the hard limit is set to
987 soft, to preserve the original behavior.
988
989 In case of no match, the global limits are used. The default
990 values are the same as for sizelimit and timelimit; no limit is
991 set on unchecked.
992
993 If pagedResults control is requested, the hard size limit is
994 used by default, because the request of a specific page size is
995 considered an explicit request for a limitation on the number of
996 entries to be returned. However, the size limit applies to the
997 total count of entries returned within the search, and not to a
998 single page. Additional size limits may be enforced; the syntax
999 is size.pr={<integer>|noEstimate|unlimited}, where integer is
1000 the max page size if no explicit limit is set; the keyword
1001 noEstimate inhibits the server from returning an estimate of the
1002 total number of entries that might be returned (note: the
1003 current implementation does not return any estimate). The
1004 keyword unlimited indicates that no limit is applied to the
1005 pagedResults control page size. The syntax
1006 size.prtotal={<integer>|unlimited|disabled} allows to set a
1007 limit on the total number of entries that a pagedResults control
1008 allows to return. By default it is set to the hard limit. When
1009 set, integer is the max number of entries that the whole search
1010 with pagedResults control can return. Use unlimited to allow
1011 unlimited number of entries to be returned, e.g. to allow the
1012 use of the pagedResults control as a means to circumvent size
1013 limitations on regular searches; the keyword disabled disables
1014 the control, i.e. no paged results can be returned. Note that
1015 the total number of entries returned when the pagedResults
1016 control is requested cannot exceed the hard size limit of
1017 regular searches unless extended by the prtotal switch.
1018
1019 The limits statement is typically used to let an unlimited
1020 number of entries be returned by searches performed with the
1021 identity used by the consumer for synchronization purposes by
1022 means of the RFC 4533 LDAP Content Synchronization protocol (see
1023 syncrepl for details).
1024
1025 maxderefdepth <depth>
1026 Specifies the maximum number of aliases to dereference when
1027 trying to resolve an entry, used to avoid infinite alias loops.
1028 The default is 15.
1029
1030 mirrormode on | off
1031 This option puts a replica database into "mirror" mode. Update
1032 operations will be accepted from any user, not just the
1033 updatedn. The database must already be configured as a syncrepl
1034 consumer before this keyword may be set. This mode also requires
1035 a serverID (see above) to be configured. By default, mirrormode
1036 is off.
1037
1038 monitoring on | off
1039 This option enables database-specific monitoring in the entry
1040 related to the current database in the "cn=Databases,cn=Monitor"
1041 subtree of the monitor database, if the monitor database is
1042 enabled. Currently, only the BDB and the HDB databases provide
1043 database-specific monitoring. The default depends on the
1044 backend type.
1045
1046 overlay <overlay-name>
1047 Add the specified overlay to this database. An overlay is a
1048 piece of code that intercepts database operations in order to
1049 extend or change them. Overlays are pushed onto a stack over the
1050 database, and so they will execute in the reverse of the order
1051 in which they were configured and the database itself will
1052 receive control last of all. See the slapd.overlays(5) manual
1053 page for an overview of the available overlays. Note that all
1054 of the database's regular settings should be configured before
1055 any overlay settings.
1056
1057 readonly on | off
1058 This option puts the database into "read-only" mode. Any
1059 attempts to modify the database will return an "unwilling to
1060 perform" error. By default, readonly is off.
1061
1062 restrict <oplist>
1063 Specify a whitespace separated list of operations that are
1064 restricted. If defined inside a database specification,
1065 restrictions apply only to that database, otherwise they are
1066 global. Operations can be any of add, bind, compare, delete,
1067 extended[=<OID>], modify, rename, search, or the special pseudo-
1068 operations read and write, which respectively summarize read and
1069 write operations. The use of restrict write is equivalent to
1070 readonly on (see above). The extended keyword allows to
1071 indicate the OID of the specific operation to be restricted.
1072
1073 rootdn <dn>
1074 Specify the distinguished name that is not subject to access
1075 control or administrative limit restrictions for operations on
1076 this database. This DN may or may not be associated with an
1077 entry. An empty root DN (the default) specifies no root access
1078 is to be granted. It is recommended that the rootdn only be
1079 specified when needed (such as when initially populating a
1080 database). If the rootdn is within a namingContext (suffix) of
1081 the database, a simple bind password may also be provided using
1082 the rootpw directive. Many optional features, including
1083 syncrepl, require the rootdn to be defined for the database.
1084
1085 rootpw <password>
1086 Specify a password (or hash of the password) for the rootdn.
1087 The password can only be set if the rootdn is within the
1088 namingContext (suffix) of the database. This option accepts all
1089 RFC 2307 userPassword formats known to the server (see
1090 password-hash description) as well as cleartext. slappasswd(8)
1091 may be used to generate a hash of a password. Cleartext and
1092 {CRYPT} passwords are not recommended. If empty (the default),
1093 authentication of the root DN is by other means (e.g. SASL).
1094 Use of SASL is encouraged.
1095
1096 suffix <dn suffix>
1097 Specify the DN suffix of queries that will be passed to this
1098 backend database. Multiple suffix lines can be given and at
1099 least one is required for each database definition.
1100
1101 If the suffix of one database is "inside" that of another, the
1102 database with the inner suffix must come first in the
1103 configuration file. You may also want to glue such databases
1104 together with the subordinate keyword.
1105
1106 subordinate [advertise]
1107 Specify that the current backend database is a subordinate of
1108 another backend database. A subordinate database may have only
1109 one suffix. This option may be used to glue multiple databases
1110 into a single namingContext. If the suffix of the current
1111 database is within the namingContext of a superior database,
1112 searches against the superior database will be propagated to the
1113 subordinate as well. All of the databases associated with a
1114 single namingContext should have identical rootdns. Behavior of
1115 other LDAP operations is unaffected by this setting. In
1116 particular, it is not possible to use moddn to move an entry
1117 from one subordinate to another subordinate within the
1118 namingContext.
1119
1120 If the optional advertise flag is supplied, the naming context
1121 of this database is advertised in the root DSE. The default is
1122 to hide this database context, so that only the superior context
1123 is visible.
1124
1125 If the slap tools slapcat(8), slapadd(8), or slapindex(8) are
1126 used on the superior database, any glued subordinates that
1127 support these tools are opened as well.
1128
1129 Databases that are glued together should usually be configured
1130 with the same indices (assuming they support indexing), even for
1131 attributes that only exist in some of these databases. In
1132 general, all of the glued databases should be configured as
1133 similarly as possible, since the intent is to provide the
1134 appearance of a single directory.
1135
1136 Note that the subordinate functionality is implemented
1137 internally by the glue overlay and as such its behavior will
1138 interact with other overlays in use. By default, the glue
1139 overlay is automatically configured as the last overlay on the
1140 superior backend. Its position on the backend can be explicitly
1141 configured by setting an overlay glue directive at the desired
1142 position. This explicit configuration is necessary e.g. when
1143 using the syncprov overlay, which needs to follow glue in order
1144 to work over all of the glued databases. E.g.
1145 database bdb
1146 suffix dc=example,dc=com
1147 ...
1148 overlay glue
1149 overlay syncprov
1150
1151 sync_use_subentry
1152 Store the syncrepl contextCSN in a subentry instead of the
1153 context entry of the database. The subentry's RDN will be
1154 "cn=ldapsync". By default the contextCSN is stored in the
1155 context entry.
1156
1157 syncrepl rid=<replica ID> provider=ldap[s]://<hostname>[:port]
1158 searchbase=<base DN> [type=refreshOnly|refreshAndPersist]
1159 [interval=dd:hh:mm:ss] [retry=[<retry interval> <# of
1160 retries>]+] [filter=<filter str>] [scope=sub|one|base|subord]
1161 [attrs=<attr list>] [exattrs=<attr list>] [attrsonly]
1162 [sizelimit=<limit>] [timelimit=<limit>] [schemachecking=on|off]
1163 [network-timeout=<seconds>] [timeout=<seconds>]
1164 [bindmethod=simple|sasl] [binddn=<dn>] [saslmech=<mech>]
1165 [authcid=<identity>] [authzid=<identity>] [credentials=<passwd>]
1166 [realm=<realm>] [secprops=<properties>]
1167 [keepalive=<idle>:<probes>:<interval>] [starttls=yes|critical]
1168 [tls_cert=<file>] [tls_key=<file>] [tls_cacert=<file>]
1169 [tls_cacertdir=<path>] [tls_reqcert=never|allow|try|demand]
1170 [tls_ciphersuite=<ciphers>] [tls_crlcheck=none|peer|all]
1171 [tls_protocol_min=<major>[.<minor>]] [suffixmassage=<real DN>]
1172 [logbase=<base DN>] [logfilter=<filter str>]
1173 [syncdata=default|accesslog|changelog]
1174 Specify the current database as a replica which is kept up-to-
1175 date with the master content by establishing the current
1176 slapd(8) as a replication consumer site running a syncrepl
1177 replication engine. The replica content is kept synchronized to
1178 the master content using the LDAP Content Synchronization
1179 protocol. Refer to the "OpenLDAP Administrator's Guide" for
1180 detailed information on setting up a replicated slapd directory
1181 service using the syncrepl replication engine.
1182
1183 rid identifies the current syncrepl directive within the
1184 replication consumer site. It is a non-negative integer not
1185 greater than 999 (limited to three decimal digits).
1186
1187 provider specifies the replication provider site containing the
1188 master content as an LDAP URI. If <port> is not given, the
1189 standard LDAP port number (389 or 636) is used.
1190
1191 The content of the syncrepl replica is defined using a search
1192 specification as its result set. The consumer slapd will send
1193 search requests to the provider slapd according to the search
1194 specification. The search specification includes searchbase,
1195 scope, filter, attrs, attrsonly, sizelimit, and timelimit
1196 parameters as in the normal search specification. The scope
1197 defaults to sub, the filter defaults to (objectclass=*), while
1198 there is no default searchbase. The attrs list defaults to "*,+"
1199 to return all user and operational attributes, and attrsonly is
1200 unset by default. The sizelimit and timelimit only accept
1201 "unlimited" and positive integers, and both default to
1202 "unlimited". The sizelimit and timelimit parameters define a
1203 consumer requested limitation on the number of entries that can
1204 be returned by the LDAP Content Synchronization operation; as
1205 such, it is intended to implement partial replication based on
1206 the size of the replicated database and on the time required by
1207 the synchronization. Note, however, that any provider-side
1208 limits for the replication identity will be enforced by the
1209 provider regardless of the limits requested by the LDAP Content
1210 Synchronization operation, much like for any other search
1211 operation. exattrs option may also be used to specify
1212 attributes that should be omitted from incoming entries. The
1213 scope defaults to sub, the filter defaults to (objectclass=*),
1214 and there is no default searchbase. The attrs list defaults to
1215 "*,+" to return all user and operational attributes, and
1216 attrsonly and exattrs are unset by default. The sizelimit and
1217 timelimit only accept "unlimited" and positive integers, and
1218 both default to "unlimited". Note, however, that any provider-
1219 side limits for the replication identity will be enforced by the
1220 provider regardless of the limits requested by the LDAP Content
1221 Synchronization operation, much like for any other search
1222 operation.
1223
1224 The LDAP Content Synchronization protocol has two operation
1225 types. In the refreshOnly operation, the next synchronization
1226 search operation is periodically rescheduled at an interval time
1227 (specified by interval parameter; 1 day by default) after each
1228 synchronization operation finishes. In the refreshAndPersist
1229 operation, a synchronization search remains persistent in the
1230 provider slapd. Further updates to the master replica will
1231 generate searchResultEntry to the consumer slapd as the search
1232 responses to the persistent synchronization search.
1233
1234 If an error occurs during replication, the consumer will attempt
1235 to reconnect according to the retry parameter which is a list of
1236 the <retry interval> and <# of retries> pairs. For example,
1237 retry="60 10 300 3" lets the consumer retry every 60 seconds for
1238 the first 10 times and then retry every 300 seconds for the next
1239 3 times before stop retrying. The `+' in <# of retries> means
1240 indefinite number of retries until success. If no retry was
1241 specified, by default syncrepl retries every hour forever.
1242
1243 The schema checking can be enforced at the LDAP Sync consumer
1244 site by turning on the schemachecking parameter. The default is
1245 off. Schema checking on means that replicated entries must have
1246 a structural objectClass, must obey to objectClass requirements
1247 in terms of required/allowed attributes, and that naming
1248 attributes and distinguished values must be present. As a
1249 consequence, schema checking should be off when partial
1250 replication is used.
1251
1252 The network-timeout parameter sets how long the consumer will
1253 wait to establish a network connection to the provider. Once a
1254 connection is established, the timeout parameter determines how
1255 long the consumer will wait for the initial Bind request to
1256 complete. The defaults for these parameters come from
1257 ldap.conf(5).
1258
1259 A bindmethod of simple requires the options binddn and
1260 credentials and should only be used when adequate security
1261 services (e.g. TLS or IPSEC) are in place. REMEMBER: simple
1262 bind credentials must be in cleartext! A bindmethod of sasl
1263 requires the option saslmech. Depending on the mechanism, an
1264 authentication identity and/or credentials can be specified
1265 using authcid and credentials. The authzid parameter may be
1266 used to specify an authorization identity. Specific security
1267 properties (as with the sasl-secprops keyword above) for a SASL
1268 bind can be set with the secprops option. A non default SASL
1269 realm can be set with the realm option. The identity used for
1270 synchronization by the consumer should be allowed to receive an
1271 unlimited number of entries in response to a search request.
1272 The provider, other than allow authentication of the syncrepl
1273 identity, should grant that identity appropriate access
1274 privileges to the data that is being replicated (access
1275 directive), and appropriate time and size limits. This can be
1276 accomplished by either allowing unlimited sizelimit and
1277 timelimit, or by setting an appropriate limits statement in the
1278 consumer's configuration (see sizelimit and limits for details).
1279
1280 The keepalive parameter sets the values of idle, probes, and
1281 interval used to check whether a socket is alive; idle is the
1282 number of seconds a connection needs to remain idle before TCP
1283 starts sending keepalive probes; probes is the maximum number of
1284 keepalive probes TCP should send before dropping the connection;
1285 interval is interval in seconds between individual keepalive
1286 probes. Only some systems support the customization of these
1287 values; the keepalive parameter is ignored otherwise, and
1288 system-wide settings are used.
1289
1290 The starttls parameter specifies use of the StartTLS extended
1291 operation to establish a TLS session before Binding to the
1292 provider. If the critical argument is supplied, the session will
1293 be aborted if the StartTLS request fails. Otherwise the syncrepl
1294 session continues without TLS. The tls_reqcert setting defaults
1295 to "demand" and the other TLS settings default to the same as
1296 the main slapd TLS settings.
1297
1298 The suffixmassage parameter allows the consumer to pull entries
1299 from a remote directory whose DN suffix differs from the local
1300 directory. The portion of the remote entries' DNs that matches
1301 the searchbase will be replaced with the suffixmassage DN.
1302
1303 Rather than replicating whole entries, the consumer can query
1304 logs of data modifications. This mode of operation is referred
1305 to as delta syncrepl. In addition to the above parameters, the
1306 logbase and logfilter parameters must be set appropriately for
1307 the log that will be used. The syncdata parameter must be set to
1308 either "accesslog" if the log conforms to the slapo-accesslog(5)
1309 log format, or "changelog" if the log conforms to the obsolete
1310 changelog format. If the syncdata parameter is omitted or set to
1311 "default" then the log parameters are ignored.
1312
1313 updatedn <dn>
1314 This option is only applicable in a slave database. It
1315 specifies the DN permitted to update (subject to access
1316 controls) the replica. It is only needed in certain push-mode
1317 replication scenarios. Generally, this DN should not be the
1318 same as the rootdn used at the master.
1319
1320 updateref <url>
1321 Specify the referral to pass back when slapd(8) is asked to
1322 modify a replicated local database. If specified multiple
1323 times, each url is provided.
1324
1325
1327 Each database may allow specific configuration options; they are
1328 documented separately in the backends' manual pages. See the
1329 slapd.backends(5) manual page for an overview of available backends.
1330
1332 Here is a short example of a configuration file:
1333
1334 include /etc/openldap/schema/core.schema
1335 pidfile /var/run/slapd.pid
1336
1337 # Subtypes of "name" (e.g. "cn" and "ou") with the
1338 # option ";x-hidden" can be searched for/compared,
1339 # but are not shown. See slapd.access(5).
1340 attributeoptions x-hidden lang-
1341 access to attrs=name;x-hidden by * =cs
1342
1343 # Protect passwords. See slapd.access(5).
1344 access to attrs=userPassword by * auth
1345 # Read access to other attributes and entries.
1346 access to * by * read
1347
1348 database bdb
1349 suffix "dc=our-domain,dc=com"
1350 # The database directory MUST exist prior to
1351 # running slapd AND should only be accessible
1352 # by the slapd/tools. Mode 0700 recommended.
1353 directory /var/openldap-data
1354 # Indices to maintain
1355 index objectClass eq
1356 index cn,sn,mail pres,eq,approx,sub
1357
1358 # We serve small clients that do not handle referrals,
1359 # so handle remote lookups on their behalf.
1360 database ldap
1361 suffix ""
1362 uri ldap://ldap.some-server.com/
1363 lastmod off
1364
1365 "OpenLDAP Administrator's Guide" contains a longer annotated example of
1366 a configuration file. The original /etc/openldap/slapd.conf is another
1367 example.
1368
1370 /etc/openldap/slapd.conf
1371 default slapd configuration file
1372
1374 ldap(3), gnutls-cli(1), slapd-config(5), slapd.access(5),
1375 slapd.backends(5), slapd.overlays(5), slapd.plugin(5), slapd(8),
1376 slapacl(8), slapadd(8), slapauth(8), slapcat(8), slapdn(8),
1377 slapindex(8), slappasswd(8), slaptest(8).
1378
1379 "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
1380
1382 OpenLDAP Software is developed and maintained by The OpenLDAP Project
1383 <http://www.openldap.org/>. OpenLDAP Software is derived from
1384 University of Michigan LDAP 3.3 Release.
1385
1386
1387
1388OpenLDAP 2.4.40 2014/09/20 SLAPD.CONF(5)