1SLAPD-CONFIG(5) File Formats Manual SLAPD-CONFIG(5)
2
3
4
6 slapd-config - configuration backend to slapd
7
9 /etc/openldap/slapd.d
10
12 The config backend manages all of the configuration information for the
13 slapd(8) daemon. This configuration information is also used by the
14 SLAPD tools slapacl(8), slapadd(8), slapauth(8), slapcat(8), slapdn(8),
15 slapindex(8), and slaptest(8).
16
17 The config backend is backward compatible with the older slapd.conf(5)
18 file but provides the ability to change the configuration dynamically
19 at runtime. If slapd is run with only a slapd.conf file dynamic changes
20 will be allowed but they will not persist across a server restart.
21 Dynamic changes are only saved when slapd is running from a slapd.d
22 configuration directory.
23
24 Unlike other backends, there can only be one instance of the config
25 backend, and most of its structure is predefined. The root of the data‐
26 base is hardcoded to cn=config and this root entry contains global set‐
27 tings for slapd. Multiple child entries underneath the root entry are
28 used to carry various other settings:
29
30 cn=Module
31 dynamically loaded modules
32
33 cn=Schema
34 schema definitions
35
36 olcBackend=xxx
37 backend-specific settings
38
39 olcDatabase=xxx
40 database-specific settings
41
42 The cn=Module entries will only appear in configurations where slapd
43 was built with support for dynamically loaded modules. There can be
44 multiple entries, one for each configured module path. Within each
45 entry there will be values recorded for each module loaded on a given
46 path. These entries have no children.
47
48 The cn=Schema entry contains all of the hardcoded schema elements. The
49 children of this entry contain all user-defined schema elements. In
50 schema that were loaded from include files, the child entry will be
51 named after the include file from which the schema was loaded. Typi‐
52 cally the first child in this subtree will be cn=core,cn=schema,cn=con‐
53 fig.
54
55 olcBackend entries are for storing settings specific to a single back‐
56 end type (and thus global to all database instances of that type). At
57 present there are no backends that implement settings of this nature,
58 so usually there will not be any olcBackend entries.
59
60 olcDatabase entries store settings specific to a single database
61 instance. These entries may have olcOverlay child entries corresponding
62 to any overlays configured on the database. The olcDatabase and olcOv‐
63 erlay entries may also have miscellaneous child entries for other set‐
64 tings as needed. There are two special database entries that are prede‐
65 fined - one is an entry for the config database itself, and the other
66 is for the "frontend" database. Settings in the frontend database are
67 inherited by the other databases, unless they are explicitly overridden
68 in a specific database.
69
70 The specific configuration options available are discussed below in the
71 Global Configuration Options, General Backend Options, and General
72 Database Options. Options are set by defining LDAP attributes with spe‐
73 cific values. In general the names of the LDAP attributes are the same
74 as the corresponding slapd.conf keyword, with an "olc" prefix added on.
75
76 The parser for many of these attributes is the same as used for parsing
77 the slapd.conf keywords. As such, slapd.conf keywords that allow multi‐
78 ple items to be specified on one line, separated by whitespace, will
79 allow multiple items to be specified in one attribute value. However,
80 when reading the attribute via LDAP, the items will be returned as
81 individual attribute values.
82
83 Backend-specific options are discussed in the slapd-<backend>(5) manual
84 pages. Refer to the "OpenLDAP Administrator's Guide" for more details
85 on configuring slapd.
86
88 Options described in this section apply to the server as a whole.
89 Arguments that should be replaced by actual text are shown in brackets
90 <>.
91
92 These options may only be specified in the cn=config entry. This entry
93 must have an objectClass of olcGlobal.
94
95
96 olcAllows: <features>
97 Specify a set of features to allow (default none). bind_v2
98 allows acceptance of LDAPv2 bind requests. Note that slapd(8)
99 does not truly implement LDAPv2 (RFC 1777), now Historic (RFC
100 3494). bind_anon_cred allows anonymous bind when credentials
101 are not empty (e.g. when DN is empty). bind_anon_dn allows
102 unauthenticated (anonymous) bind when DN is not empty.
103 update_anon allows unauthenticated (anonymous) update operations
104 to be processed (subject to access controls and other adminis‐
105 trative limits). proxy_authz_anon allows unauthenticated
106 (anonymous) proxy authorization control to be processed (subject
107 to access controls, authorization and other administrative lim‐
108 its).
109
110 olcArgsFile: <filename>
111 The (absolute) name of a file that will hold the slapd server's
112 command line (program name and options).
113
114 olcAttributeOptions: <option-name>...
115 Define tagging attribute options or option tag/range prefixes.
116 Options must not end with `-', prefixes must end with `-'. The
117 `lang-' prefix is predefined. If you use the olcAttributeOp‐
118 tions directive, `lang-' will no longer be defined and you must
119 specify it explicitly if you want it defined.
120
121 An attribute description with a tagging option is a subtype of
122 that attribute description without the option. Except for that,
123 options defined this way have no special semantics. Prefixes
124 defined this way work like the `lang-' options: They define a
125 prefix for tagging options starting with the prefix. That is,
126 if you define the prefix `x-foo-', you can use the option
127 `x-foo-bar'. Furthermore, in a search or compare, a prefix or
128 range name (with a trailing `-') matches all options starting
129 with that name, as well as the option with the range name sans
130 the trailing `-'. That is, `x-foo-bar-' matches `x-foo-bar' and
131 `x-foo-bar-baz'.
132
133 RFC 4520 reserves options beginning with `x-' for private exper‐
134 iments. Other options should be registered with IANA, see RFC
135 4520 section 3.5. OpenLDAP also has the `binary' option built
136 in, but this is a transfer option, not a tagging option.
137
138 olcAuthIDRewrite: <rewrite-rule>
139 Used by the authentication framework to convert simple user
140 names to an LDAP DN used for authorization purposes. Its pur‐
141 pose is analogous to that of olcAuthzRegexp (see below). The
142 rewrite-rule is a set of rules analogous to those described in
143 slapo-rwm(5) for data rewriting (after stripping the rwm- pre‐
144 fix). olcAuthIDRewrite and olcAuthzRegexp should not be inter‐
145 mixed.
146
147 olcAuthzPolicy: <policy>
148 Used to specify which rules to use for Proxy Authorization.
149 Proxy authorization allows a client to authenticate to the
150 server using one user's credentials, but specify a different
151 identity to use for authorization and access control purposes.
152 It essentially allows user A to login as user B, using user A's
153 password. The none flag disables proxy authorization. This is
154 the default setting. The from flag will use rules in the
155 authzFrom attribute of the authorization DN. The to flag will
156 use rules in the authzTo attribute of the authentication DN.
157 The any flag, an alias for the deprecated value of both, will
158 allow any of the above, whatever succeeds first (checked in to,
159 from sequence. The all flag requires both authorizations to
160 succeed.
161
162 The rules are mechanisms to specify which identities are allowed
163 to perform proxy authorization. The authzFrom attribute in an
164 entry specifies which other users are allowed to proxy login to
165 this entry. The authzTo attribute in an entry specifies which
166 other users this user can authorize as. Use of authzTo rules
167 can be easily abused if users are allowed to write arbitrary
168 values to this attribute. In general the authzTo attribute must
169 be protected with ACLs such that only privileged users can mod‐
170 ify it. The value of authzFrom and authzTo describes an iden‐
171 tity or a set of identities; it can take five forms:
172
173 ldap:///<base>??[<scope>]?<filter>
174 dn[.<dnstyle>]:<pattern>
175 u[<mech>[<realm>]]:<pattern>
176 group[/objectClass[/attributeType]]:<pattern>
177 <pattern>
178
179 <dnstyle>:={exact|onelevel|children|subtree|regex}
180
181 The first form is a valid LDAP URI where the <host>:<port>, the
182 <attrs> and the <extensions> portions must be absent, so that
183 the search occurs locally on either authzFrom or authzTo. The
184 second form is a DN, with the optional style modifiers exact,
185 onelevel, children, and subtree for exact, onelevel, children
186 and subtree matches, which cause <pattern> to be normalized
187 according to the DN normalization rules, or the special regex
188 style, which causes the <pattern> to be treated as a POSIX
189 (''extended'') regular expression, as discussed in regex(7)
190 and/or re_format(7). A pattern of * means any non-anonymous DN.
191 The third form is a SASL id, with the optional fields <mech> and
192 <realm> that allow to specify a SASL mechanism, and eventually a
193 SASL realm, for those mechanisms that support one. The need to
194 allow the specification of a mechanism is still debated, and
195 users are strongly discouraged to rely on this possibility. The
196 fourth form is a group specification, consisting of the keyword
197 group, optionally followed by the specification of the group
198 objectClass and member attributeType. The group with DN <pat‐
199 tern> is searched with base scope, and in case of match, the
200 values of the member attributeType are searched for the asserted
201 DN. For backwards compatibility, if no identity type is pro‐
202 vided, i.e. only <pattern> is present, an exact DN is assumed;
203 as a consequence, <pattern> is subjected to DN normalization.
204 Since the interpretation of authzFrom and authzTo can impact
205 security, users are strongly encouraged to explicitly set the
206 type of identity specification that is being used. A subset of
207 these rules can be used as third arg in the olcAuthzRegexp
208 statement (see below); significantly, the URI and the
209 dn.exact:<dn> forms.
210
211 olcAuthzRegexp: <match> <replace>
212 Used by the authentication framework to convert simple user
213 names, such as provided by SASL subsystem, to an LDAP DN used
214 for authorization purposes. Note that the resultant DN need not
215 refer to an existing entry to be considered valid. When an
216 authorization request is received from the SASL subsystem, the
217 SASL USERNAME, REALM, and MECHANISM are taken, when available,
218 and combined into a name of the form
219
220 UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth
221
222 This name is then compared against the match POSIX
223 (''extended'') regular expression, and if the match is success‐
224 ful, the name is replaced with the replace string. If there are
225 wildcard strings in the match regular expression that are
226 enclosed in parenthesis, e.g.
227
228 UID=([^,]*),CN=.*
229
230 then the portion of the name that matched the wildcard will be
231 stored in the numbered placeholder variable $1. If there are
232 other wildcard strings in parenthesis, the matching strings will
233 be in $2, $3, etc. up to $9. The placeholders can then be used
234 in the replace string, e.g.
235
236 UID=$1,OU=Accounts,DC=example,DC=com
237
238 The replaced name can be either a DN, i.e. a string prefixed by
239 "dn:", or an LDAP URI. If the latter, the server will use the
240 URI to search its own database(s) and, if the search returns
241 exactly one entry, the name is replaced by the DN of that entry.
242 The LDAP URI must have no hostport, attrs, or extensions compo‐
243 nents, but the filter is mandatory, e.g.
244
245 ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)
246
247 The protocol portion of the URI must be strictly ldap. Note
248 that this search is subject to access controls. Specifically,
249 the authentication identity must have "auth" access in the sub‐
250 ject.
251
252 Multiple olcAuthzRegexp values can be specified to allow for
253 multiple matching and replacement patterns. The matching pat‐
254 terns are checked in the order they appear in the attribute,
255 stopping at the first successful match.
256
257
258 olcConcurrency: <integer>
259 Specify a desired level of concurrency. Provided to the under‐
260 lying thread system as a hint. The default is not to provide
261 any hint. This setting is only meaningful on some platforms
262 where there is not a one to one correspondence between user
263 threads and kernel threads.
264
265 olcConnMaxPending: <integer>
266 Specify the maximum number of pending requests for an anonymous
267 session. If requests are submitted faster than the server can
268 process them, they will be queued up to this limit. If the limit
269 is exceeded, the session is closed. The default is 100.
270
271 olcConnMaxPendingAuth: <integer>
272 Specify the maximum number of pending requests for an authenti‐
273 cated session. The default is 1000.
274
275 olcDisallows: <features>
276 Specify a set of features to disallow (default none). bind_anon
277 disables acceptance of anonymous bind requests. Note that this
278 setting does not prohibit anonymous directory access (See
279 "require authc"). bind_simple disables simple (bind) authenti‐
280 cation. tls_2_anon disables forcing session to anonymous status
281 (see also tls_authc) upon StartTLS operation receipt. tls_authc
282 disallows the StartTLS operation if authenticated (see also
283 tls_2_anon).
284
285 olcGentleHUP: { TRUE | FALSE }
286 A SIGHUP signal will only cause a 'gentle' shutdown-attempt:
287 Slapd will stop listening for new connections, but will not
288 close the connections to the current clients. Future write
289 operations return unwilling-to-perform, though. Slapd termi‐
290 nates when all clients have closed their connections (if they
291 ever do), or - as before - if it receives a SIGTERM signal.
292 This can be useful if you wish to terminate the server and start
293 a new slapd server with another database, without disrupting the
294 currently active clients. The default is FALSE. You may wish
295 to use olcIdleTimeout along with this option.
296
297 olcIdleTimeout: <integer>
298 Specify the number of seconds to wait before forcibly closing an
299 idle client connection. A setting of 0 disables this feature.
300 The default is 0. You may also want to set the olcWriteTimeout
301 option.
302
303 olcIndexIntLen: <integer>
304 Specify the key length for ordered integer indices. The most
305 significant bytes of the binary integer will be used for index
306 keys. The default value is 4, which provides exact indexing for
307 31 bit values. A floating point representation is used to index
308 too large values.
309
310 olcIndexSubstrIfMaxlen: <integer>
311 Specify the maximum length for subinitial and subfinal indices.
312 Only this many characters of an attribute value will be pro‐
313 cessed by the indexing functions; any excess characters are
314 ignored. The default is 4.
315
316 olcIndexSubstrIfMinlen: <integer>
317 Specify the minimum length for subinitial and subfinal indices.
318 An attribute value must have at least this many characters in
319 order to be processed by the indexing functions. The default is
320 2.
321
322 olcIndexSubstrAnyLen: <integer>
323 Specify the length used for subany indices. An attribute value
324 must have at least this many characters in order to be pro‐
325 cessed. Attribute values longer than this length will be pro‐
326 cessed in segments of this length. The default is 4. The subany
327 index will also be used in subinitial and subfinal index lookups
328 when the filter string is longer than the olcIndexSubstrIfMaxlen
329 value.
330
331 olcIndexSubstrAnyStep: <integer>
332 Specify the steps used in subany index lookups. This value sets
333 the offset for the segments of a filter string that are pro‐
334 cessed for a subany index lookup. The default is 2. For example,
335 with the default values, a search using this filter "cn=*abcde‐
336 fgh*" would generate index lookups for "abcd", "cdef", and
337 "efgh".
338
339
340 Note: Indexing support depends on the particular backend in use. Also,
341 changing these settings will generally require deleting any indices
342 that depend on these parameters and recreating them with slapindex(8).
343
344
345 olcListenerThreads: <integer>
346 Specify the number of threads to use for the connection manager.
347 The default is 1 and this is typically adequate for up to 16 CPU
348 cores. The value should be set to a power of 2.
349
350 olcLocalSSF: <SSF>
351 Specifies the Security Strength Factor (SSF) to be given local
352 LDAP sessions, such as those to the ldapi:// listener. For a
353 description of SSF values, see olcSaslSecProps's minssf option
354 description. The default is 71.
355
356 olcLogFile: <filename>
357 Specify a file for recording debug log messages. By default
358 these messages only go to stderr and are not recorded anywhere
359 else. Specifying a logfile copies messages to both stderr and
360 the logfile.
361
362 olcLogLevel: <integer> [...]
363 Specify the level at which debugging statements and operation
364 statistics should be syslogged (currently logged to the sys‐
365 logd(8) LOG_LOCAL4 facility). They must be considered subsys‐
366 tems rather than increasingly verbose log levels. Some messages
367 with higher priority are logged regardless of the configured
368 loglevel as soon as any logging is configured. Log levels are
369 additive, and available levels are:
370 1 (0x1 trace) trace function calls
371 2 (0x2 packets) debug packet handling
372 4 (0x4 args) heavy trace debugging (function args)
373 8 (0x8 conns) connection management
374 16 (0x10 BER) print out packets sent and received
375 32 (0x20 filter) search filter processing
376 64 (0x40 config) configuration file processing
377 128 (0x80 ACL) access control list processing
378 256 (0x100 stats) stats log connections/opera‐
379 tions/results
380 512 (0x200 stats2) stats log entries sent
381 1024 (0x400 shell) print communication with shell back‐
382 ends
383 2048 (0x800 parse) entry parsing
384
385
386
387
388
389
390
391
392 16384 (0x4000 sync) LDAPSync replication
393 32768 (0x8000 none) only messages that get logged what‐
394 ever log level is set
395 The desired log level can be input as a single integer that com‐
396 bines the (ORed) desired levels, both in decimal or in hexadeci‐
397 mal notation, as a list of integers (that are ORed internally),
398 or as a list of the names that are shown between brackets, such
399 that
400
401 olcLogLevel: 129
402 olcLogLevel: 0x81
403 olcLogLevel: 128 1
404 olcLogLevel: 0x80 0x1
405 olcLogLevel: acl trace
406
407 are equivalent. The keyword any can be used as a shortcut to
408 enable logging at all levels (equivalent to -1). The keyword
409 none, or the equivalent integer representation, causes those
410 messages that are logged regardless of the configured
411 olcLogLevel to be logged. In fact, if no olcLogLevel (or a 0
412 level) is defined, no logging occurs, so at least the none level
413 is required to have high priority messages logged.
414
415 olcPasswordCryptSaltFormat: <format>
416 Specify the format of the salt passed to crypt(3) when generat‐
417 ing {CRYPT} passwords (see olcPasswordHash) during processing of
418 LDAP Password Modify Extended Operations (RFC 3062).
419
420 This string needs to be in sprintf(3) format and may include one
421 (and only one) %s conversion. This conversion will be substi‐
422 tuted with a string of random characters from [A-Za-z0-9./].
423 For example, "%.2s" provides a two character salt and "$1$%.8s"
424 tells some versions of crypt(3) to use an MD5 algorithm and pro‐
425 vides 8 random characters of salt. The default is "%s", which
426 provides 31 characters of salt.
427
428 olcPidFile: <filename>
429 The (absolute) name of a file that will hold the slapd server's
430 process ID (see getpid(2)).
431
432 olcPluginLogFile: <filename>
433 The ( absolute ) name of a file that will contain log messages
434 from SLAPI plugins. See slapd.plugin(5) for details.
435
436 olcReferral: <url>
437 Specify the referral to pass back when slapd(8) cannot find a
438 local database to handle a request. If multiple values are
439 specified, each url is provided.
440
441 olcReverseLookup: TRUE | FALSE
442 Enable/disable client name unverified reverse lookup (default is
443 FALSE if compiled with --enable-rlookups).
444
445 olcRootDSE: <file>
446 Specify the name of an LDIF(5) file containing user defined
447 attributes for the root DSE. These attributes are returned in
448 addition to the attributes normally produced by slapd.
449
450 The root DSE is an entry with information about the server and
451 its capabilities, in operational attributes. It has the empty
452 DN, and can be read with e.g.:
453 ldapsearch -x -b "" -s base "+"
454 See RFC 4512 section 5.1 for details.
455
456 olcSaslAuxprops: <plugin> [...]
457 Specify which auxprop plugins to use for authentication lookups.
458 The default is empty, which just uses slapd's internal support.
459 Usually no other auxprop plugins are needed.
460
461 olcSaslHost: <fqdn>
462 Used to specify the fully qualified domain name used for SASL
463 processing.
464
465 olcSaslRealm: <realm>
466 Specify SASL realm. Default is empty.
467
468 olcSaslSecProps: <properties>
469 Used to specify Cyrus SASL security properties. The none flag
470 (without any other properties) causes the flag properties
471 default, "noanonymous,noplain", to be cleared. The noplain flag
472 disables mechanisms susceptible to simple passive attacks. The
473 noactive flag disables mechanisms susceptible to active attacks.
474 The nodict flag disables mechanisms susceptible to passive dic‐
475 tionary attacks. The noanonymous flag disables mechanisms which
476 support anonymous login. The forwardsec flag require forward
477 secrecy between sessions. The passcred require mechanisms which
478 pass client credentials (and allow mechanisms which can pass
479 credentials to do so). The minssf=<factor> property specifies
480 the minimum acceptable security strength factor as an integer
481 approximate to effective key length used for encryption. 0
482 (zero) implies no protection, 1 implies integrity protection
483 only, 56 allows DES or other weak ciphers, 112 allows triple DES
484 and other strong ciphers, 128 allows RC4, Blowfish and other
485 modern strong ciphers. The default is 0. The maxssf=<factor>
486 property specifies the maximum acceptable security strength fac‐
487 tor as an integer (see minssf description). The default is
488 INT_MAX. The maxbufsize=<size> property specifies the maximum
489 security layer receive buffer size allowed. 0 disables security
490 layers. The default is 65536.
491
492 olcServerID: <integer> [<URL>]
493 Specify an integer ID from 0 to 4095 for this server (limited to
494 3 hexadecimal digits). The ID may also be specified as a hexa‐
495 decimal ID by prefixing the value with "0x". These IDs are
496 required when using multimaster replication and each master must
497 have a unique ID. Note that this requirement also applies to
498 separate masters contributing to a glued set of databases. If
499 the URL is provided, this directive may be specified multiple
500 times, providing a complete list of participating servers and
501 their IDs. The fully qualified hostname of each server should be
502 used in the supplied URLs. The IDs are used in the "replica id"
503 field of all CSNs generated by the specified server. The default
504 value is zero. Example:
505
506 olcServerID: 1 ldap://ldap1.example.com
507 olcServerID: 2 ldap://ldap2.example.com
508
509 olcSockbufMaxIncoming: <integer>
510 Specify the maximum incoming LDAP PDU size for anonymous ses‐
511 sions. The default is 262143.
512
513 olcSockbufMaxIncomingAuth: <integer>
514 Specify the maximum incoming LDAP PDU size for authenticated
515 sessions. The default is 4194303.
516
517 olcTCPBuffer [listener=<URL>] [{read|write}=]<size>
518 Specify the size of the TCP buffer. A global value for both
519 read and write TCP buffers related to any listener is defined,
520 unless the listener is explicitly specified, or either the read
521 or write qualifiers are used. See tcp(7) for details. Note
522 that some OS-es implement automatic TCP buffer tuning.
523
524 olcThreads: <integer>
525 Specify the maximum size of the primary thread pool. The
526 default is 16; the minimum value is 2.
527
528 olcToolThreads: <integer>
529 Specify the maximum number of threads to use in tool mode. This
530 should not be greater than the number of CPUs in the system.
531 The default is 1.
532
533 olcWriteTimeout: <integer>
534 Specify the number of seconds to wait before forcibly closing a
535 connection with an outstanding write. This allows recovery from
536 various network hang conditions. A setting of 0 disables this
537 feature. The default is 0.
538
540 If slapd is built with support for Transport Layer Security, there are
541 more options you can specify.
542
543 olcTLSCipherSuite: <cipher-suite-spec>
544 Permits configuring what ciphers will be accepted and the pref‐
545 erence order. <cipher-suite-spec> should be a cipher specifica‐
546 tion for the TLS library in use (OpenSSL, GnuTLS, or Mozilla
547 NSS). Example:
548
549 OpenSSL:
550 olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
551
552 GnuTLS:
553 TLSCiphersuite SECURE256:!AES-128-CBC
554
555 To check what ciphers a given spec selects in OpenSSL, use:
556
557 openssl ciphers -v <cipher-suite-spec>
558
559 With GnuTLS the available specs can be found in the manual page
560 of gnutls-cli(1) (see the description of the option --priority).
561
562 In older versions of GnuTLS, where gnutls-cli does not support
563 the option --priority, you can obtain the — more limited — list
564 of ciphers by calling:
565
566 gnutls-cli -l
567
568 When using Mozilla NSS, the OpenSSL cipher suite specifications
569 are used and translated into the format used internally by
570 Mozilla NSS. There isn't an easy way to list the cipher suites
571 from the command line. The authoritative list is in the source
572 code for Mozilla NSS in the file sslinfo.c in the structure
573 static const SSLCipherSuiteInfo suiteInfo[]
574
575 olcTLSCACertificateFile: <filename>
576 Specifies the file that contains certificates for all of the
577 Certificate Authorities that slapd will recognize.
578
579 olcTLSCACertificatePath: <path>
580 Specifies the path of a directory that contains Certificate
581 Authority certificates in separate individual files. Usually
582 only one of this or the olcTLSCACertificateFile is defined. If
583 both are specified, both locations will be used. This directive
584 is not supported when using GnuTLS.
585
586 When using Mozilla NSS, <path> may contain a Mozilla NSS
587 cert/key database. If <path> contains a Mozilla NSS cert/key
588 database and CA cert files, OpenLDAP will use the cert/key data‐
589 base and will ignore the CA cert files.
590
591 olcTLSCertificateFile: <filename>
592 Specifies the file that contains the slapd server certificate.
593
594 When using Mozilla NSS, if using a cert/key database (specified
595 with olcTLSCACertificatePath), olcTLSCertificateFile specifies
596 the name of the certificate to use:
597 olcTLSCertificateFile: Server-Cert
598 If using a token other than the internal built in token, specify
599 the token name first, followed by a colon:
600 olcTLSCertificateFile: my hardware device:Server-Cert
601 Use certutil -L to list the certificates by name:
602 certutil -d /path/to/certdbdir -L
603
604 olcTLSCertificateKeyFile: <filename>
605 Specifies the file that contains the slapd server private key
606 that matches the certificate stored in the olcTLSCertificateFile
607 file. If the private key is protected with a password, the pass‐
608 word must be manually typed in when slapd starts. Usually the
609 private key is not protected with a password, to allow slapd to
610 start without manual intervention, so it is of critical impor‐
611 tance that the file is protected carefully.
612
613 When using Mozilla NSS, olcTLSCertificateKeyFile specifies the
614 name of a file that contains the password for the key for the
615 certificate specified with olcTLSCertificateFile. The modutil
616 command can be used to turn off password protection for the
617 cert/key database. For example, if olcTLSCACertificatePath
618 specifes /etc/openldap/certdb as the location of the cert/key
619 database, use modutil to change the password to the empty
620 string:
621 modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'
622 You must have the old password, if any. Ignore the WARNING
623 about the running browser. Press 'Enter' for the new password.
624
625
626 olcTLSDHParamFile: <filename>
627 This directive specifies the file that contains parameters for
628 Diffie-Hellman ephemeral key exchange. This is required in
629 order to use a DSA certificate on the server. If multiple sets
630 of parameters are present in the file, all of them will be pro‐
631 cessed. Note that setting this option may also enable Anonymous
632 Diffie-Hellman key exchanges in certain non-default cipher
633 suites. You should append "!ADH" to your cipher suites if you
634 have changed them from the default, otherwise no certificate
635 exchanges or verification will be done. When using GnuTLS or
636 Mozilla NSS these parameters are always generated randomly so
637 this directive is ignored.
638
639 olcTLSECName: <name>
640 Specify the name of a curve to use for Elliptic curve Diffie-
641 Hellman ephemeral key exchange. This is required to enable
642 ECDHE algorithms in OpenSSL. This option is not used with
643 GnuTLS; the curves may be chosen in the GnuTLS ciphersuite spec‐
644 ification. This option is also ignored for Mozilla NSS.
645
646 olcTLSProtocolMin: <major>[.<minor>]
647 Specifies minimum SSL/TLS protocol version that will be negoti‐
648 ated. If the server doesn't support at least that version, the
649 SSL handshake will fail. To require TLS 1.x or higher, set this
650 option to 3.(x+1), e.g.,
651
652 olcTLSProtocolMin: 3.2
653
654 would require TLS 1.1. Specifying a minimum that is higher than
655 that supported by the OpenLDAP implementation will result in it
656 requiring the highest level that it does support. This direc‐
657 tive is ignored with GnuTLS.
658
659 olcTLSRandFile: <filename>
660 Specifies the file to obtain random bits from when /dev/[u]ran‐
661 dom is not available. Generally set to the name of the
662 EGD/PRNGD socket. The environment variable RANDFILE can also be
663 used to specify the filename. This directive is ignored with
664 GnuTLS and Mozilla NSS.
665
666 olcTLSVerifyClient: <level>
667 Specifies what checks to perform on client certificates in an
668 incoming TLS session, if any. The <level> can be specified as
669 one of the following keywords:
670
671 never This is the default. slapd will not ask the client for a
672 certificate.
673
674 allow The client certificate is requested. If no certificate
675 is provided, the session proceeds normally. If a bad
676 certificate is provided, it will be ignored and the ses‐
677 sion proceeds normally.
678
679 try The client certificate is requested. If no certificate
680 is provided, the session proceeds normally. If a bad
681 certificate is provided, the session is immediately ter‐
682 minated.
683
684 demand | hard | true
685 These keywords are all equivalent, for compatibility rea‐
686 sons. The client certificate is requested. If no cer‐
687 tificate is provided, or a bad certificate is provided,
688 the session is immediately terminated.
689
690 Note that a valid client certificate is required in order
691 to use the SASL EXTERNAL authentication mechanism with a
692 TLS session. As such, a non-default olcTLSVerifyClient
693 setting must be chosen to enable SASL EXTERNAL authenti‐
694 cation.
695
696 olcTLSCRLCheck: <level>
697 Specifies if the Certificate Revocation List (CRL) of the CA
698 should be used to verify if the client certificates have not
699 been revoked. This requires olcTLSCACertificatePath parameter to
700 be set. This parameter is ignored with GnuTLS and Mozilla NSS.
701 <level> can be specified as one of the following keywords:
702
703 none No CRL checks are performed
704
705 peer Check the CRL of the peer certificate
706
707 all Check the CRL for a whole certificate chain
708
709 olcTLSCRLFile: <filename>
710 Specifies a file containing a Certificate Revocation List to be
711 used for verifying that certificates have not been revoked. This
712 parameter is only valid when using GnuTLS or Mozilla NSS.
713
714 olcTLSMozNSSCompatibility <on/true/yes/off/false/no>
715 Specifies whether the MozNSS database compatibility layer for
716 TLS options should be enabled. This options is available only if
717 OpenLDAP is compiled with OpenSSL. This option defaults to be
718 on.
719
721 If slapd is compiled with --enable-modules then the module-related
722 entries will be available. These entries are named cn=module{x},cn=con‐
723 fig and must have the olcModuleList objectClass. One entry should be
724 created per olcModulePath. Normally the config engine generates the
725 "{x}" index in the RDN automatically, so it can be omitted when ini‐
726 tially loading these entries.
727
728 olcModuleLoad: <filename>
729 Specify the name of a dynamically loadable module to load. The
730 filename may be an absolute path name or a simple filename. Non-
731 absolute names are searched for in the directories specified by
732 the olcModulePath option.
733
734 olcModulePath: <pathspec>
735 Specify a list of directories to search for loadable modules.
736 Typically the path is colon-separated but this depends on the
737 operating system. The default is /usr/lib64/openldap, which is
738 where the standard OpenLDAP install will place its modules.
739
741 Schema definitions are created as entries in the cn=schema,cn=config
742 subtree. These entries must have the olcSchemaConfig objectClass. As
743 noted above, the actual cn=schema,cn=config entry is predefined and any
744 values specified for it are ignored.
745
746
747 olcAttributetypes: ( <oid> [NAME <name>] [DESC <description>]
748 [OBSOLETE] [SUP <oid>] [EQUALITY <oid>] [ORDERING <oid>]
749 [SUBSTR <oid>] [SYNTAX <oidlen>] [SINGLE-VALUE] [COLLECTIVE]
750 [NO-USER-MODIFICATION] [USAGE <attributeUsage>] )
751 Specify an attribute type using the LDAPv3 syntax defined in RFC
752 4512. The slapd parser extends the RFC 4512 definition by
753 allowing string forms as well as numeric OIDs to be used for the
754 attribute OID and attribute syntax OID. (See the
755 olcObjectIdentifier description.)
756
757
758 olcDitContentRules: ( <oid> [NAME <name>] [DESC <description>]
759 [OBSOLETE] [AUX <oids>] [MUST <oids>] [MAY <oids>]
760 [NOT <oids>] )
761 Specify an DIT Content Rule using the LDAPv3 syntax defined in
762 RFC 4512. The slapd parser extends the RFC 4512 definition by
763 allowing string forms as well as numeric OIDs to be used for the
764 attribute OID and attribute syntax OID. (See the
765 olcObjectIdentifier description.)
766
767
768 olcObjectClasses: ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE]
769 [SUP <oids>] [{ ABSTRACT | STRUCTURAL | AUXILIARY }]
770 [MUST <oids>] [MAY <oids>] )
771 Specify an objectclass using the LDAPv3 syntax defined in RFC
772 4512. The slapd parser extends the RFC 4512 definition by
773 allowing string forms as well as numeric OIDs to be used for the
774 object class OID. (See the olcObjectIdentifier description.)
775 Object classes are "STRUCTURAL" by default.
776
777 olcObjectIdentifier: <name> { <oid> | <name>[:<suffix>] }
778 Define a string name that equates to the given OID. The string
779 can be used in place of the numeric OID in objectclass and
780 attribute definitions. The name can also be used with a suffix
781 of the form ":xx" in which case the value "oid.xx" will be used.
782
783
785 Options in these entries only apply to the configuration of a single
786 type of backend. All backends may support this class of options, but
787 currently none do. The entry must be named
788 olcBackend=<databasetype>,cn=config and must have the olcBackendConfig
789 objectClass. <databasetype> should be one of bdb, config, dnssrv, hdb,
790 ldap, ldif, mdb, meta, monitor, ndb, null, passwd, perl, relay, shell,
791 or sql. At present, no backend implements any options of this type, so
792 this entry should not be used.
793
794
796 Database options are set in entries named
797 olcDatabase={x}<databasetype>,cn=config and must have the
798 olcDatabaseConfig objectClass. Normally the config engine generates the
799 "{x}" index in the RDN automatically, so it can be omitted when
800 initially loading these entries.
801
802 The special frontend database is always numbered "{-1}" and the config
803 database is always numbered "{0}".
804
805
807 Options in this section may be set in the special "frontend" database
808 and inherited in all the other databases. These options may be altered
809 by further settings in each specific database. The frontend entry must
810 be named olcDatabase=frontend,cn=config and must have the
811 olcFrontendConfig objectClass.
812
813 olcAccess: to <what> [ by <who> <access> <control> ]+
814 Grant access (specified by <access>) to a set of entries and/or
815 attributes (specified by <what>) by one or more requestors
816 (specified by <who>). If no access controls are present, the
817 default policy allows anyone and everyone to read anything but
818 restricts updates to rootdn. (e.g., "olcAccess: to * by *
819 read"). See slapd.access(5) and the "OpenLDAP Administrator's
820 Guide" for details.
821
822 Access controls set in the frontend are appended to any access
823 controls set on the specific databases. The rootdn of a
824 database can always read and write EVERYTHING in that database.
825
826 Extra special care must be taken with the access controls on the
827 config database. Unlike other databases, the default policy for
828 the config database is to only allow access to the rootdn.
829 Regular users should not have read access, and write access
830 should be granted very carefully to privileged administrators.
831
832
833 olcDefaultSearchBase: <dn>
834 Specify a default search base to use when client submits a non-
835 base search request with an empty base DN. Base scoped search
836 requests with an empty base DN are not affected. This setting
837 is only allowed in the frontend entry.
838
839 olcExtraAttrs: <attr>
840 Lists what attributes need to be added to search requests.
841 Local storage backends return the entire entry to the frontend.
842 The frontend takes care of only returning the requested
843 attributes that are allowed by ACLs. However, features like
844 access checking and so may need specific attributes that are not
845 automatically returned by remote storage backends, like proxy
846 backends and so on. <attr> is an attribute that is needed for
847 internal purposes and thus always needs to be collected, even
848 when not explicitly requested by clients. This attribute is
849 multi-valued.
850
851 olcPasswordHash: <hash> [<hash>...]
852 This option configures one or more hashes to be used in
853 generation of user passwords stored in the userPassword
854 attribute during processing of LDAP Password Modify Extended
855 Operations (RFC 3062). The <hash> must be one of {SSHA}, {SHA},
856 {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. The default is {SSHA}.
857
858 {SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the
859 latter with a seed.
860
861 {MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter
862 with a seed.
863
864 {CRYPT} uses the crypt(3).
865
866 {CLEARTEXT} indicates that the new password should be added to
867 userPassword as clear text.
868
869 Note that this option does not alter the normal user
870 applications handling of userPassword during LDAP Add, Modify,
871 or other LDAP operations. This setting is only allowed in the
872 frontend entry.
873
874 olcReadOnly: TRUE | FALSE
875 This option puts the database into "read-only" mode. Any
876 attempts to modify the database will return an "unwilling to
877 perform" error. By default, olcReadOnly is FALSE. Note that
878 when this option is set TRUE on the frontend, it cannot be reset
879 without restarting the server, since further writes to the
880 config database will be rejected.
881
882 olcRequires: <conditions>
883 Specify a set of conditions to require (default none). The
884 directive may be specified globally and/or per-database;
885 databases inherit global conditions, so per-database
886 specifications are additive. bind requires bind operation prior
887 to directory operations. LDAPv3 requires session to be using
888 LDAP version 3. authc requires authentication prior to
889 directory operations. SASL requires SASL authentication prior
890 to directory operations. strong requires strong authentication
891 prior to directory operations. The strong keyword allows
892 protected "simple" authentication as well as SASL
893 authentication. none may be used to require no conditions
894 (useful to clear out globally set conditions within a particular
895 database); it must occur first in the list of conditions.
896
897 olcRestrict: <oplist>
898 Specify a list of operations that are restricted. Restrictions
899 on a specific database override any frontend setting.
900 Operations can be any of add, bind, compare, delete,
901 extended[=<OID>], modify, rename, search, or the special pseudo-
902 operations read and write, which respectively summarize read and
903 write operations. The use of restrict write is equivalent to
904 olcReadOnly: TRUE (see above). The extended keyword allows to
905 indicate the OID of the specific operation to be restricted.
906
907 olcSchemaDN: <dn>
908 Specify the distinguished name for the subschema subentry that
909 controls the entries on this server. The default is
910 "cn=Subschema".
911
912 olcSecurity: <factors>
913 Specify a set of security strength factors (separated by white
914 space) to require (see olcSaslSecprops's minssf option for a
915 description of security strength factors). The directive may be
916 specified globally and/or per-database. ssf=<n> specifies the
917 overall security strength factor. transport=<n> specifies the
918 transport security strength factor. tls=<n> specifies the TLS
919 security strength factor. sasl=<n> specifies the SASL security
920 strength factor. update_ssf=<n> specifies the overall security
921 strength factor to require for directory updates.
922 update_transport=<n> specifies the transport security strength
923 factor to require for directory updates. update_tls=<n>
924 specifies the TLS security strength factor to require for
925 directory updates. update_sasl=<n> specifies the SASL security
926 strength factor to require for directory updates.
927 simple_bind=<n> specifies the security strength factor required
928 for simple username/password authentication. Note that the
929 transport factor is measure of security provided by the
930 underlying transport, e.g. ldapi:// (and eventually IPSEC). It
931 is not normally used.
932
933 olcSizeLimit: {<integer>|unlimited}
934
935 olcSizeLimit: size[.{soft|hard|unchecked}]=<integer> [...]
936 Specify the maximum number of entries to return from a search
937 operation. The default size limit is 500. Use unlimited to
938 specify no limits. The second format allows a fine grain
939 setting of the size limits. Extra args can be added in the same
940 value or as additional values. See olcLimits for an explanation
941 of the different flags.
942
943 olcSortVals: <attr> [...]
944 Specify a list of multi-valued attributes whose values will
945 always be maintained in sorted order. Using this option will
946 allow Modify, Compare, and filter evaluations on these
947 attributes to be performed more efficiently. The resulting sort
948 order depends on the attributes' syntax and matching rules and
949 may not correspond to lexical order or any other recognizable
950 order. This setting is only allowed in the frontend entry.
951
952 olcTimeLimit: {<integer>|unlimited}
953
954 olcTimeLimit: time[.{soft|hard}]=<integer> [...]
955 Specify the maximum number of seconds (in real time) slapd will
956 spend answering a search request. The default time limit is
957 3600. Use unlimited to specify no limits. The second format
958 allows a fine grain setting of the time limits. Extra args can
959 be added in the same value or as additional values. See
960 olcLimits for an explanation of the different flags.
961
962
964 Options in this section only apply to the specific database for which
965 they are defined. They are supported by every type of backend. All of
966 the Global Database Options may also be used here.
967
968 olcAddContentAcl: TRUE | FALSE
969 Controls whether Add operations will perform ACL checks on the
970 content of the entry being added. This check is off by default.
971 See the slapd.access(5) manual page for more details on ACL
972 requirements for Add operations.
973
974 olcHidden: TRUE | FALSE
975 Controls whether the database will be used to answer queries. A
976 database that is hidden will never be selected to answer any
977 queries, and any suffix configured on the database will be
978 ignored in checks for conflicts with other databases. By
979 default, olcHidden is FALSE.
980
981 olcLastMod: TRUE | FALSE
982 Controls whether slapd will automatically maintain the
983 modifiersName, modifyTimestamp, creatorsName, and
984 createTimestamp attributes for entries. It also controls the
985 entryCSN and entryUUID attributes, which are needed by the
986 syncrepl provider. By default, olcLastMod is TRUE.
987
988 olcLimits: <selector> <limit> [<limit> [...]]
989 Specify time and size limits based on the operation's initiator
990 or base DN. The argument <selector> can be any of
991
992 anonymous | users | [<dnspec>=]<pattern> |
993 group[/oc[/at]]=<pattern>
994
995 with
996
997 <dnspec> ::= dn[.<type>][.<style>]
998
999 <type> ::= self | this
1000
1001 <style> ::= exact | base | onelevel | subtree | children
1002 | regex | anonymous
1003
1004 DN type self is the default and means the bound user, while this
1005 means the base DN of the operation. The term anonymous matches
1006 all unauthenticated clients. The term users matches all
1007 authenticated clients; otherwise an exact dn pattern is assumed
1008 unless otherwise specified by qualifying the (optional) key
1009 string dn with exact or base (which are synonyms), to require an
1010 exact match; with onelevel, to require exactly one level of
1011 depth match; with subtree, to allow any level of depth match,
1012 including the exact match; with children, to allow any level of
1013 depth match, not including the exact match; regex explicitly
1014 requires the (default) match based on POSIX (''extended'')
1015 regular expression pattern. Finally, anonymous matches unbound
1016 operations; the pattern field is ignored. The same behavior is
1017 obtained by using the anonymous form of the <selector> clause.
1018 The term group, with the optional objectClass oc and
1019 attributeType at fields, followed by pattern, sets the limits
1020 for any DN listed in the values of the at attribute (default
1021 member) of the oc group objectClass (default groupOfNames) whose
1022 DN exactly matches pattern.
1023
1024 The currently supported limits are size and time.
1025
1026 The syntax for time limits is time[.{soft|hard}]=<integer>,
1027 where integer is the number of seconds slapd will spend
1028 answering a search request. If no time limit is explicitly
1029 requested by the client, the soft limit is used; if the
1030 requested time limit exceeds the hard limit, the value of the
1031 limit is used instead. If the hard limit is set to the keyword
1032 soft, the soft limit is used in either case; if it is set to the
1033 keyword unlimited, no hard limit is enforced. Explicit requests
1034 for time limits smaller or equal to the hard limit are honored.
1035 If no limit specifier is set, the value is assigned to the soft
1036 limit, and the hard limit is set to soft, to preserve the
1037 original behavior.
1038
1039 The syntax for size limits is
1040 size[.{soft|hard|unchecked}]=<integer>, where integer is the
1041 maximum number of entries slapd will return answering a search
1042 request. If no size limit is explicitly requested by the
1043 client, the soft limit is used; if the requested size limit
1044 exceeds the hard limit, the value of the limit is used instead.
1045 If the hard limit is set to the keyword soft, the soft limit is
1046 used in either case; if it is set to the keyword unlimited, no
1047 hard limit is enforced. Explicit requests for size limits
1048 smaller or equal to the hard limit are honored. The unchecked
1049 specifier sets a limit on the number of candidates a search
1050 request is allowed to examine. The rationale behind it is that
1051 searches for non-properly indexed attributes may result in large
1052 sets of candidates, which must be examined by slapd(8) to
1053 determine whether they match the search filter or not. The
1054 unchecked limit provides a means to drop such operations before
1055 they are even started. If the selected candidates exceed the
1056 unchecked limit, the search will abort with Unwilling to
1057 perform. If it is set to the keyword unlimited, no limit is
1058 applied (the default). If it is set to disable, the search is
1059 not even performed; this can be used to disallow searches for a
1060 specific set of users. If no limit specifier is set, the value
1061 is assigned to the soft limit, and the hard limit is set to
1062 soft, to preserve the original behavior.
1063
1064 In case of no match, the global limits are used. The default
1065 values are the same as for olcSizeLimit and olcTimeLimit; no
1066 limit is set on unchecked.
1067
1068 If pagedResults control is requested, the hard size limit is
1069 used by default, because the request of a specific page size is
1070 considered an explicit request for a limitation on the number of
1071 entries to be returned. However, the size limit applies to the
1072 total count of entries returned within the search, and not to a
1073 single page. Additional size limits may be enforced; the syntax
1074 is size.pr={<integer>|noEstimate|unlimited}, where integer is
1075 the max page size if no explicit limit is set; the keyword
1076 noEstimate inhibits the server from returning an estimate of the
1077 total number of entries that might be returned (note: the
1078 current implementation does not return any estimate). The
1079 keyword unlimited indicates that no limit is applied to the
1080 pagedResults control page size. The syntax
1081 size.prtotal={<integer>|unlimited|disabled} allows to set a
1082 limit on the total number of entries that a pagedResults control
1083 allows to return. By default it is set to the hard limit. When
1084 set, integer is the max number of entries that the whole search
1085 with pagedResults control can return. Use unlimited to allow
1086 unlimited number of entries to be returned, e.g. to allow the
1087 use of the pagedResults control as a means to circumvent size
1088 limitations on regular searches; the keyword disabled disables
1089 the control, i.e. no paged results can be returned. Note that
1090 the total number of entries returned when the pagedResults
1091 control is requested cannot exceed the hard size limit of
1092 regular searches unless extended by the prtotal switch.
1093
1094 olcMaxDerefDepth: <depth>
1095 Specifies the maximum number of aliases to dereference when
1096 trying to resolve an entry, used to avoid infinite alias loops.
1097 The default is 15.
1098
1099 olcMirrorMode: TRUE | FALSE
1100 This option puts a replica database into "mirror" mode. Update
1101 operations will be accepted from any user, not just the
1102 updatedn. The database must already be configured as syncrepl
1103 consumer before this keyword may be set. This mode also
1104 requires a olcServerID (see above) to be configured. By
1105 default, this setting is FALSE.
1106
1107 olcPlugin: <plugin_type> <lib_path> <init_function> [<arguments>]
1108 Configure a SLAPI plugin. See the slapd.plugin(5) manpage for
1109 more details.
1110
1111 olcRootDN: <dn>
1112 Specify the distinguished name that is not subject to access
1113 control or administrative limit restrictions for operations on
1114 this database. This DN may or may not be associated with an
1115 entry. An empty root DN (the default) specifies no root access
1116 is to be granted. It is recommended that the rootdn only be
1117 specified when needed (such as when initially populating a
1118 database). If the rootdn is within a namingContext (suffix) of
1119 the database, a simple bind password may also be provided using
1120 the olcRootPW directive. Note that the rootdn is always needed
1121 when using syncrepl. The olcRootDN of the cn=config database
1122 defaults to cn=config itself.
1123
1124 olcRootPW: <password>
1125 Specify a password (or hash of the password) for the rootdn.
1126 The password can only be set if the rootdn is within the
1127 namingContext (suffix) of the database. This option accepts all
1128 RFC 2307 userPassword formats known to the server (see
1129 olcPasswordHash description) as well as cleartext.
1130 slappasswd(8) may be used to generate a hash of a password.
1131 Cleartext and {CRYPT} passwords are not recommended. If empty
1132 (the default), authentication of the root DN is by other means
1133 (e.g. SASL). Use of SASL is encouraged.
1134
1135 olcSubordinate: [TRUE | FALSE | advertise]
1136 Specify that the current backend database is a subordinate of
1137 another backend database. A subordinate database may have only
1138 one suffix. This option may be used to glue multiple databases
1139 into a single namingContext. If the suffix of the current
1140 database is within the namingContext of a superior database,
1141 searches against the superior database will be propagated to the
1142 subordinate as well. All of the databases associated with a
1143 single namingContext should have identical rootdns. Behavior of
1144 other LDAP operations is unaffected by this setting. In
1145 particular, it is not possible to use moddn to move an entry
1146 from one subordinate to another subordinate within the
1147 namingContext.
1148
1149 If the optional advertise flag is supplied, the naming context
1150 of this database is advertised in the root DSE. The default is
1151 to hide this database context, so that only the superior context
1152 is visible.
1153
1154 If the slap tools slapcat(8), slapadd(8), or slapindex(8) are
1155 used on the superior database, any glued subordinates that
1156 support these tools are opened as well.
1157
1158 Databases that are glued together should usually be configured
1159 with the same indices (assuming they support indexing), even for
1160 attributes that only exist in some of these databases. In
1161 general, all of the glued databases should be configured as
1162 similarly as possible, since the intent is to provide the
1163 appearance of a single directory.
1164
1165 Note that the subordinate functionality is implemented
1166 internally by the glue overlay and as such its behavior will
1167 interact with other overlays in use. By default, the glue
1168 overlay is automatically configured as the last overlay on the
1169 superior database. Its position on the database can be
1170 explicitly configured by setting an overlay glue directive at
1171 the desired position. This explicit configuration is necessary
1172 e.g. when using the syncprov overlay, which needs to follow
1173 glue in order to work over all of the glued databases. E.g.
1174 dn: olcDatabase={1}bdb,cn=config
1175 olcSuffix: dc=example,dc=com
1176 ...
1177
1178 dn: olcOverlay={0}glue,olcDatabase={1}bdb,cn=config
1179 ...
1180
1181 dn: olcOverlay={1}syncprov,olcDatabase={1}bdb,cn=config
1182 ...
1183 See the Overlays section below for more details.
1184
1185 olcSuffix: <dn suffix>
1186 Specify the DN suffix of queries that will be passed to this
1187 backend database. Multiple suffix lines can be given and at
1188 least one is required for each database definition.
1189
1190 If the suffix of one database is "inside" that of another, the
1191 database with the inner suffix must come first in the
1192 configuration file. You may also want to glue such databases
1193 together with the olcSubordinate attribute.
1194
1195 olcSyncUseSubentry: TRUE | FALSE
1196 Store the syncrepl contextCSN in a subentry instead of the
1197 context entry of the database. The subentry's RDN will be
1198 "cn=ldapsync". The default is FALSE, meaning the contextCSN is
1199 stored in the context entry.
1200
1201 olcSyncrepl: rid=<replica ID> provider=ldap[s]://<hostname>[:port]
1202 searchbase=<base DN> [type=refreshOnly|refreshAndPersist]
1203 [interval=dd:hh:mm:ss] [retry=[<retry interval> <# of
1204 retries>]+] [filter=<filter str>] [scope=sub|one|base|subord]
1205 [attrs=<attr list>] [exattrs=<attr list>] [attrsonly]
1206 [sizelimit=<limit>] [timelimit=<limit>] [schemachecking=on|off]
1207 [network-timeout=<seconds>] [timeout=<seconds>]
1208 [bindmethod=simple|sasl] [binddn=<dn>] [saslmech=<mech>]
1209 [authcid=<identity>] [authzid=<identity>] [credentials=<passwd>]
1210 [realm=<realm>] [secprops=<properties>]
1211 [keepalive=<idle>:<probes>:<interval>] [starttls=yes|critical]
1212 [tls_cert=<file>] [tls_key=<file>] [tls_cacert=<file>]
1213 [tls_cacertdir=<path>] [tls_reqcert=never|allow|try|demand]
1214 [tls_cipher_suite=<ciphers>] [tls_crlcheck=none|peer|all]
1215 [tls_protocol_min=<major>[.<minor>]] [suffixmassage=<real DN>]
1216 [logbase=<base DN>] [logfilter=<filter str>]
1217 [syncdata=default|accesslog|changelog]
1218 Specify the current database as a replica which is kept up-to-
1219 date with the master content by establishing the current
1220 slapd(8) as a replication consumer site running a syncrepl
1221 replication engine. The replica content is kept synchronized to
1222 the master content using the LDAP Content Synchronization
1223 protocol. Refer to the "OpenLDAP Administrator's Guide" for
1224 detailed information on setting up a replicated slapd directory
1225 service using the syncrepl replication engine.
1226
1227 rid identifies the current syncrepl directive within the
1228 replication consumer site. It is a non-negative integer having
1229 no more than three decimal digits.
1230
1231 provider specifies the replication provider site containing the
1232 master content as an LDAP URI. If <port> is not given, the
1233 standard LDAP port number (389 or 636) is used.
1234
1235 The content of the syncrepl replica is defined using a search
1236 specification as its result set. The consumer slapd will send
1237 search requests to the provider slapd according to the search
1238 specification. The search specification includes searchbase,
1239 scope, filter, attrs, attrsonly, sizelimit, and timelimit
1240 parameters as in the normal search specification. The exattrs
1241 option may also be used to specify attributes that should be
1242 omitted from incoming entries. The scope defaults to sub, the
1243 filter defaults to (objectclass=*), and there is no default
1244 searchbase. The attrs list defaults to "*,+" to return all user
1245 and operational attributes, and attrsonly and exattrs are unset
1246 by default. The sizelimit and timelimit only accept "unlimited"
1247 and positive integers, and both default to "unlimited". Note,
1248 however, that any provider-side limits for the replication
1249 identity will be enforced by the provider regardless of the
1250 limits requested by the LDAP Content Synchronization operation,
1251 much like for any other search operation.
1252
1253 The LDAP Content Synchronization protocol has two operation
1254 types. In the refreshOnly operation, the next synchronization
1255 search operation is periodically rescheduled at an interval time
1256 (specified by interval parameter; 1 day by default) after each
1257 synchronization operation finishes. In the refreshAndPersist
1258 operation, a synchronization search remains persistent in the
1259 provider slapd. Further updates to the master replica will
1260 generate searchResultEntry to the consumer slapd as the search
1261 responses to the persistent synchronization search.
1262
1263 If an error occurs during replication, the consumer will attempt
1264 to reconnect according to the retry parameter which is a list of
1265 the <retry interval> and <# of retries> pairs. For example,
1266 retry="60 10 300 3" lets the consumer retry every 60 seconds for
1267 the first 10 times and then retry every 300 seconds for the next
1268 3 times before stop retrying. The `+' in <# of retries> means
1269 indefinite number of retries until success.
1270
1271 The schema checking can be enforced at the LDAP Sync consumer
1272 site by turning on the schemachecking parameter. The default is
1273 off.
1274
1275 The network-timeout parameter sets how long the consumer will
1276 wait to establish a network connection to the provider. Once a
1277 connection is established, the timeout parameter determines how
1278 long the consumer will wait for the initial Bind request to
1279 complete. The defaults for these parameters come from
1280 ldap.conf(5).
1281
1282 A bindmethod of simple requires the options binddn and
1283 credentials and should only be used when adequate security
1284 services (e.g. TLS or IPSEC) are in place. A bindmethod of sasl
1285 requires the option saslmech. Depending on the mechanism, an
1286 authentication identity and/or credentials can be specified
1287 using authcid and credentials. The authzid parameter may be
1288 used to specify an authorization identity. Specific security
1289 properties (as with the sasl-secprops keyword above) for a SASL
1290 bind can be set with the secprops option. A non default SASL
1291 realm can be set with the realm option. The provider, other
1292 than allow authentication of the syncrepl identity, should grant
1293 that identity appropriate access privileges to the data that is
1294 being replicated (access directive), and appropriate time and
1295 size limits (limits directive).
1296
1297 The keepalive parameter sets the values of idle, probes, and
1298 interval used to check whether a socket is alive; idle is the
1299 number of seconds a connection needs to remain idle before TCP
1300 starts sending keepalive probes; probes is the maximum number of
1301 keepalive probes TCP should send before dropping the connection;
1302 interval is interval in seconds between individual keepalive
1303 probes. Only some systems support the customization of these
1304 values; the keepalive parameter is ignored otherwise, and
1305 system-wide settings are used.
1306
1307 The starttls parameter specifies use of the StartTLS extended
1308 operation to establish a TLS session before Binding to the
1309 provider. If the critical argument is supplied, the session will
1310 be aborted if the StartTLS request fails. Otherwise the syncrepl
1311 session continues without TLS. The tls_reqcert setting defaults
1312 to "demand" and the other TLS settings default to the same as
1313 the main slapd TLS settings.
1314
1315 The suffixmassage parameter allows the consumer to pull entries
1316 from a remote directory whose DN suffix differs from the local
1317 directory. The portion of the remote entries' DNs that matches
1318 the searchbase will be replaced with the suffixmassage DN.
1319
1320 Rather than replicating whole entries, the consumer can query
1321 logs of data modifications. This mode of operation is referred
1322 to as delta syncrepl. In addition to the above parameters, the
1323 logbase and logfilter parameters must be set appropriately for
1324 the log that will be used. The syncdata parameter must be set to
1325 either "accesslog" if the log conforms to the slapo-accesslog(5)
1326 log format, or "changelog" if the log conforms to the obsolete
1327 changelog format. If the syncdata parameter is omitted or set to
1328 "default" then the log parameters are ignored.
1329
1330 olcUpdateDN: <dn>
1331 This option is only applicable in a slave database. It
1332 specifies the DN permitted to update (subject to access
1333 controls) the replica. It is only needed in certain push-mode
1334 replication scenarios. Generally, this DN should not be the
1335 same as the rootdn used at the master.
1336
1337 olcUpdateRef: <url>
1338 Specify the referral to pass back when slapd(8) is asked to
1339 modify a replicated local database. If multiple values are
1340 specified, each url is provided.
1341
1342
1344 Each database may allow specific configuration options; they are
1345 documented separately in the backends' manual pages. See the
1346 slapd.backends(5) manual page for an overview of available backends.
1347
1349 An overlay is a piece of code that intercepts database operations in
1350 order to extend or change them. Overlays are pushed onto a stack over
1351 the database, and so they will execute in the reverse of the order in
1352 which they were configured and the database itself will receive control
1353 last of all.
1354
1355 Overlays must be configured as child entries of a specific database.
1356 The entry's RDN must be of the form olcOverlay={x}<overlaytype> and the
1357 entry must have the olcOverlayConfig objectClass. Normally the config
1358 engine generates the "{x}" index in the RDN automatically, so it can be
1359 omitted when initially loading these entries.
1360
1361 See the slapd.overlays(5) manual page for an overview of available
1362 overlays.
1363
1365 Here is a short example of a configuration in LDIF suitable for use
1366 with slapadd(8) :
1367
1368 dn: cn=config
1369 objectClass: olcGlobal
1370 cn: config
1371 olcPidFile: /var/run/slapd.pid
1372 olcAttributeOptions: x-hidden lang-
1373
1374 dn: cn=schema,cn=config
1375 objectClass: olcSchemaConfig
1376 cn: schema
1377
1378 include: file:///etc/openldap/schema/core.ldif
1379
1380 dn: olcDatabase=frontend,cn=config
1381 objectClass: olcDatabaseConfig
1382 objectClass: olcFrontendConfig
1383 olcDatabase: frontend
1384 # Subtypes of "name" (e.g. "cn" and "ou") with the
1385 # option ";x-hidden" can be searched for/compared,
1386 # but are not shown. See slapd.access(5).
1387 olcAccess: to attrs=name;x-hidden by * =cs
1388 # Protect passwords. See slapd.access(5).
1389 olcAccess: to attrs=userPassword by * auth
1390 # Read access to other attributes and entries.
1391 olcAccess: to * by * read
1392
1393 # set a rootpw for the config database so we can bind.
1394 # deny access to everyone else.
1395 dn: olcDatabase=config,cn=config
1396 objectClass: olcDatabaseConfig
1397 olcDatabase: config
1398 olcRootPW: {SSHA}XKYnrjvGT3wZFQrDD5040US592LxsdLy
1399 olcAccess: to * by * none
1400
1401 dn: olcDatabase=bdb,cn=config
1402 objectClass: olcDatabaseConfig
1403 objectClass: olcBdbConfig
1404 olcDatabase: bdb
1405 olcSuffix: "dc=our-domain,dc=com"
1406 # The database directory MUST exist prior to
1407 # running slapd AND should only be accessible
1408 # by the slapd/tools. Mode 0700 recommended.
1409 olcDbDirectory: /var/openldap-data
1410 # Indices to maintain
1411 olcDbIndex: objectClass eq
1412 olcDbIndex: cn,sn,mail pres,eq,approx,sub
1413
1414 # We serve small clients that do not handle referrals,
1415 # so handle remote lookups on their behalf.
1416 dn: olcDatabase=ldap,cn=config
1417 objectClass: olcDatabaseConfig
1418 objectClass: olcLdapConfig
1419 olcDatabase: ldap
1420 olcSuffix: ""
1421 olcDbUri: ldap://ldap.some-server.com/
1422
1423 Assuming the above data was saved in a file named "config.ldif" and the
1424 /etc/openldap/slapd.d directory has been created, this command will
1425 initialize the configuration:
1426 slapadd -F /etc/openldap/slapd.d -n 0 -l config.ldif
1427
1428
1429 "OpenLDAP Administrator's Guide" contains a longer annotated example of
1430 a slapd configuration.
1431
1432 Alternatively, an existing slapd.conf file can be converted to the new
1433 format using slapd or any of the slap tools:
1434 slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
1435
1436
1438 /etc/openldap/slapd.conf
1439 default slapd configuration file
1440
1441 /etc/openldap/slapd.d
1442 default slapd configuration directory
1443
1445 ldap(3), ldif(5), gnutls-cli(1), slapd.access(5), slapd.backends(5),
1446 slapd.conf(5), slapd.overlays(5), slapd.plugin(5), slapd(8),
1447 slapacl(8), slapadd(8), slapauth(8), slapcat(8), slapdn(8),
1448 slapindex(8), slappasswd(8), slaptest(8).
1449
1450 "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
1451
1453 OpenLDAP Software is developed and maintained by The OpenLDAP Project
1454 <http://www.openldap.org/>. OpenLDAP Software is derived from
1455 University of Michigan LDAP 3.3 Release.
1456
1457
1458
1459OpenLDAP 2.4.44 2016/02/05 SLAPD-CONFIG(5)