SLAPD-SOCK(5)                 File Formats Manual                SLAPD-SOCK(5)

NAME

       slapd-sock - Socket backend to slapd

SYNOPSIS

       /etc/openldap/slapd.conf

DESCRIPTION

       The Socket backend to slapd(8) uses an external program to handle
       queries, similarly to slapd-shell(5).  However, in this case the
       external program listens on a Unix domain socket.  This makes it
       possible to have a pool of processes, which persist between requests.
       This allows multithreaded operation and a higher level of efficiency.
       The external program must have been started independently; slapd(8)
       itself will not start it.

CONFIGURATION

       These slapd.conf options apply to the SOCK backend database.  That is,
       they must follow a "database sock" line and come before any subsequent
       "backend" or "database" lines.  Other database options are described in
       the slapd.conf(5) manual page.

       extensions [ binddn | peername | ssf ]*
              Enables the sending of additional meta-attributes with each
              request.
              binddn: <bound DN>
              peername: IP=<address>:<port>
              ssf: <SSF value>

       socketpath <pathname>
              Gives the path to a Unix domain socket to which the commands
              will be sent and from which replies are received.

PROTOCOL

       The protocol is essentially the same as slapd-shell(5) with the
       addition of a newline to terminate the command parameters. The
       following commands are sent:
              ADD
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              <entry in LDIF format>
              <blank line>

              BIND
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              method: <method number>
              credlen: <length of <credentials>>
              cred: <credentials>
              <blank line>

              COMPARE
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              <attribute>: <value>
              <blank line>

              DELETE
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              <blank line>

              MODIFY
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              <repeat {
                  <"add"/"delete"/"replace">: <attribute>
                  <repeat { <attribute>: <value> }>
                  -
              }>
              <blank line>

              MODRDN
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              newrdn: <new RDN>
              deleteoldrdn: <0 or 1>
              <if new superior is specified: "newSuperior: <DN>">
              <blank line>

              SEARCH
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              base: <base DN>
              scope: <0-2, see ldap.h>
              deref: <0-3, see ldap.h>
              sizelimit: <size limit>
              timelimit: <time limit>
              filter: <filter>
              attrsonly: <0 or 1>
              attrs: <"all" or space-separated attribute list>
              <blank line>

              UNBIND
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              <blank line>

       The commands - except unbind - should output:
              RESULT
              code: <integer>
              matched: <matched DN>
              info: <text>
       where only RESULT is mandatory, and then close the socket.  The search
       RESULT should be preceded by the entries in LDIF format, each entry
       followed by a blank line.  Lines starting with `#' or `DEBUG:' are
       ignored.

ACCESS CONTROL

       The sock backend does not honor all ACL semantics as described in
       slapd.access(5).  In general, access to objects is checked by using a
       dummy object that contains only the DN, so access rules that rely on
       the contents of the object are not honored.  In detail:

       The add operation does not require write (=w) access to the children
       pseudo-attribute of the parent entry.

       The bind operation requires auth (=x) access to the entry
       pseudo-attribute of the entry whose identity is being assessed; auth
       (=x) access to the credentials is not checked, but rather delegated to
       the underlying program.

       The compare operation requires compare (=c) access to the entry
       pseudo-attribute of the object whose value is being asserted; compare
       (=c) access to the attribute whose value is being asserted is not
       checked.

       The delete operation does not require write (=w) access to the children
       pseudo-attribute of the parent entry.

       The modify operation requires write (=w) access to the entry
       pseudo-attribute; write (=w) access to the specific attributes that are
       modified is not checked.

       The modrdn operation does not require write (=w) access to the children
       pseudo-attribute of the parent entry, nor to that of the new parent, if
       different; write (=w) access to the distinguished values of the naming
       attributes is not checked.

       The search operation does not require search (=s) access to the entry
       pseudo-attribute of the searchBase; search (=s) access to the
       attributes and values used in the filter is not checked.
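
       Because slapd does not check write access to the individual attributes
       of a MODIFY, the external program has to do it. The following is an
       added example, not part of the original manual page or the OpenLDAP
       source tree: it parses a MODIFY request already read from the socket
       and replies with a RESULT block. It assumes "extensions binddn" is
       enabled and that the binddn line arrives before "dn:"; ALLOWED, SAMPLE
       and the function names are hypothetical, and the codes used are the
       standard LDAP result codes 0, 2 and 50.

```python
# Added example (not from the OpenLDAP tree): per-attribute write check for
# MODIFY, which slapd does not perform for the sock backend.
ALLOWED = {"uid=alice,dc=example,dc=com": {"mail", "telephonenumber"}}  # constructed policy
SAMPLE = ("MODIFY\nmsgid: 7\nsuffix: dc=example,dc=com\n"   # constructed request
          "binddn: uid=alice,dc=example,dc=com\n"
          "dn: uid=alice,dc=example,dc=com\n"
          "replace: mail\nmail: alice@example.com\n-\n"
          "replace: userPassword\nuserPassword: x\n-\n\n")

def parse_modify(text):
    """Return (headers, mods) for a MODIFY request laid out as in PROTOCOL."""
    lines = text.split("\n")
    if lines[0] != "MODIFY":
        raise ValueError("not a MODIFY request")
    headers, mods, i = {}, [], 1
    # Headers run up to and including "dn:". Assumption: the extension lines
    # (binddn, peername, ssf) arrive before "dn:"; for repeated "suffix:"
    # lines the last one wins, since the check below does not use them.
    while i < len(lines) and lines[i] and "dn" not in headers:
        key, _, val = lines[i].partition(":")
        headers[key] = val.strip()
        i += 1
    if "dn" not in headers:
        raise ValueError("missing dn")
    # Each group: "<add|delete|replace>: <attribute>", value lines, lone "-".
    while i < len(lines) and lines[i] != "":
        op, _, attr = lines[i].partition(":")
        if op not in ("add", "delete", "replace"):
            raise ValueError("bad modification type")
        mods.append((op, attr.strip().lower()))
        i += 1
        while i < len(lines) and lines[i] not in ("-", ""):
            i += 1                      # value lines repeat the attribute name
        if i < len(lines) and lines[i] == "-":
            i += 1
    return headers, mods

def result(code, info=""):
    """Build the reply; only the RESULT line is mandatory."""
    return "RESULT\ncode: %d\n" % code + ("info: %s\n" % info if info else "")

def handle_modify(text):
    try:
        headers, mods = parse_modify(text)
    except ValueError as exc:
        return result(2, str(exc))                  # protocolError
    allowed = ALLOWED.get(headers.get("binddn", "").lower(), set())
    denied = sorted({attr for _, attr in mods} - allowed)
    if denied:                                      # insufficientAccessRights
        return result(50, "write denied: " + ", ".join(denied))
    return result(0)                                # success
```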

EXAMPLE

       There is an example script in the slapd/back-sock/ directory in the
       OpenLDAP source tree.

FILES

       /etc/openldap/slapd.conf
              default slapd configuration file

SEE ALSO

       slapd.conf(5), slapd-config(5), slapd(8).

AUTHOR

       Brian Candler

OpenLDAP 2.4.23                   2010/06/30                     SLAPD-SOCK(5)