1SLAPD-SOCK(5) File Formats Manual SLAPD-SOCK(5)
2
6 slapd-sock - Socket backend to slapd
7
9 /etc/openldap/slapd.conf
10
12 The Socket backend to slapd(8) uses an external program to handle
13 queries, similarly to slapd-shell(5). However, in this case the exter‐
14 nal program listens on a Unix domain socket. This makes it possible to
15 have a pool of processes, which persist between requests. This allows
16 multithreaded operation and a higher level of efficiency. The external
17 program must have been started independently; slapd(8) itself will not
18 start it.
19
21 These slapd.conf options apply to the SOCK backend database. That is,
22 they must follow a "database sock" line and come before any subsequent
23 "backend" or "database" lines. Other database options are described in
24 the slapd.conf(5) manual page.
25 extensions [ binddn | peername | ssf ]*
27 Enables the sending of additional meta-attributes with each
28 request.
29 binddn: <bound DN>
30 peername: IP=<address>:<port>
31 ssf: <SSF value>
32 socketpath <pathname>
34 Gives the path to a Unix domain socket to which the commands
35 will be sent and from which replies are received.
36
38 The protocol is essentially the same as slapd-shell(5) with the addi‐
39 tion of a newline to terminate the command parameters. The following
40 commands are sent:
41 ADD
42 msgid: <message id>
43 <repeat { "suffix:" <database suffix DN> }>
44 <entry in LDIF format>
45 <blank line>
46 BIND
48 msgid: <message id>
49 <repeat { "suffix:" <database suffix DN> }>
50 dn: <DN>
51 method: <method number>
52 credlen: <length of <credentials>>
53 cred: <credentials>
54 <blank line>
55 COMPARE
57 msgid: <message id>
58 <repeat { "suffix:" <database suffix DN> }>
59 dn: <DN>
60 <attribute>: <value>
61 <blank line>
62 DELETE
64 msgid: <message id>
65 <repeat { "suffix:" <database suffix DN> }>
66 dn: <DN>
67 <blank line>
68 MODIFY
70 msgid: <message id>
71 <repeat { "suffix:" <database suffix DN> }>
72 dn: <DN>
73 <repeat {
74 <"add"/"delete"/"replace">: <attribute>
75 <repeat { <attribute>: <value> }>
76 -
77 }>
78 <blank line>
79 MODRDN
81 msgid: <message id>
82 <repeat { "suffix:" <database suffix DN> }>
83 dn: <DN>
84 newrdn: <new RDN>
85 deleteoldrdn: <0 or 1>
86 <if new superior is specified: "newSuperior: <DN>">
87 <blank line>
88 SEARCH
90 msgid: <message id>
91 <repeat { "suffix:" <database suffix DN> }>
92 base: <base DN>
93 scope: <0-2, see ldap.h>
94 deref: <0-3, see ldap.h>
95 sizelimit: <size limit>
96 timelimit: <time limit>
97 filter: <filter>
98 attrsonly: <0 or 1>
99 attrs: <"all" or space-separated attribute list>
100 <blank line>
101 UNBIND
103 msgid: <message id>
104 <repeat { "suffix:" <database suffix DN> }>
105 <blank line>
106 The commands - except unbind - should output:
108 RESULT
109 code: <integer>
110 matched: <matched DN>
111 info: <text>
112 where only RESULT is mandatory, and then close the socket. The search
113 RESULT should be preceded by the entries in LDIF format, each entry
114 followed by a blank line. Lines starting with `#' or `DEBUG:' are
115 ignored.
116
118 The sock backend does not honor all ACL semantics as described in
119 slapd.access(5). In general, access to objects is checked by using a
120 dummy object that contains only the DN, so access rules that rely on
121 the contents of the object are not honored. In detail:
122 The add operation does not require write (=w) access to the children
124 pseudo-attribute of the parent entry.
125 The bind operation requires auth (=x) access to the entry pseudo-
127 attribute of the entry whose identity is being assessed; auth (=x)
128 access to the credentials is not checked, but rather delegated to the
129 underlying program.
130 The compare operation requires compare (=c) access to the entry pseudo-
132 attribute of the object whose value is being asserted; compare (=c)
133 access to the attribute whose value is being asserted is not checked.
134 The delete operation does not require write (=w) access to the children
136 pseudo-attribute of the parent entry.
137 The modify operation requires write (=w) access to the entry pseudo-
139 attribute; write (=w) access to the specific attributes that are modi‐
140 fied is not checked.
141 The modrdn operation does not require write (=w) access to the children
143 pseudo-attribute of the parent entry, nor to that of the new parent, if
144 different; write (=w) access to the distinguished values of the naming
145 attributes is not checked.
146 The search operation does not require search (=s) access to the entry
148 pseudo_attribute of the searchBase; search (=s) access to the
149 attributes and values used in the filter is not checked.
150
153 There is an example script in the slapd/back-sock/ directory in the
154 OpenLDAP source tree.
155
157 /etc/openldap/slapd.conf
158 default slapd configuration file
159
161 slapd.conf(5), slapd-config(5), slapd(8).
162
164 Brian Candler
165OpenLDAP 2.4.23 2010/06/30 SLAPD-SOCK(5)