SLAPD-SOCK(5)                 File Formats Manual                SLAPD-SOCK(5)

NAME

       slapd-sock - Socket backend/overlay to slapd

SYNOPSIS

       /etc/openldap/slapd.conf

DESCRIPTION

       The Socket backend to slapd(8) uses an external program to handle
       queries, similarly to slapd-shell(5).  However, in this case the
       external program listens on a Unix domain socket.  This makes it
       possible to have a pool of processes, which persist between requests.
       This allows multithreaded operation and a higher level of efficiency.
       The external program must have been started independently; slapd(8)
       itself will not start it.

       This module may also be used as an overlay on top of some other
       database.  Use as an overlay allows external actions to be triggered
       in response to operations on the main database.


CONFIGURATION

       These slapd.conf options apply to the SOCK backend database.  That is,
       they must follow a "database sock" line and come before any subsequent
       "backend" or "database" lines.  Other database options are described
       in the slapd.conf(5) manual page.

       Alternatively, to use this module as an overlay, these directives must
       follow an "overlay sock" line within an existing database definition.

       extensions [ binddn | peername | ssf | connid ]*
              Enables the sending of additional meta-attributes with each
              request.
              binddn: <bound DN>
              peername: IP=<address>:<port>
              ssf: <SSF value>
              connid: <connection ID>

       socketpath <pathname>
              Gives the path to a Unix domain socket to which the commands
              will be sent and from which replies are received.

       When used as an overlay, these additional directives are defined:

       sockops [ bind | unbind | search | compare | modify | modrdn | add | delete ]*
              Specify which request types to send to the external program.
              The default is empty (no requests are sent).

       sockresps [ result | search ]*
              Specify which response types to send to the external program.
              "result" sends just the results of an operation.  "search" sends
              all entries that the database returned for a search request.
              The default is empty (no responses are sent).


PROTOCOL

       The protocol is essentially the same as slapd-shell(5) with the
       addition of a newline to terminate the command parameters.  The
       following commands are sent:
              ADD
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              <entry in LDIF format>
              <blank line>

              BIND
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              method: <method number>
              credlen: <length of <credentials>>
              cred: <credentials>
              <blank line>

              COMPARE
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              <attribute>: <value>
              <blank line>

              DELETE
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              <blank line>

              MODIFY
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              <repeat {
                  <"add"/"delete"/"replace">: <attribute>
                  <repeat { <attribute>: <value> }>
                  -
              }>
              <blank line>

              MODRDN
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              newrdn: <new RDN>
              deleteoldrdn: <0 or 1>
              <if new superior is specified: "newSuperior: <DN>">
              <blank line>

              SEARCH
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              base: <base DN>
              scope: <0-2, see ldap.h>
              deref: <0-3, see ldap.h>
              sizelimit: <size limit>
              timelimit: <time limit>
              filter: <filter>
              attrsonly: <0 or 1>
              attrs: <"all" or space-separated attribute list>
              <blank line>

              UNBIND
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              <blank line>

       The commands - except unbind - should output:
              RESULT
              code: <integer>
              matched: <matched DN>
              info: <text>
       where only RESULT is mandatory, and then close the socket.  The search
       RESULT should be preceded by the entries in LDIF format, each entry
       followed by a blank line.  Lines starting with `#' or `DEBUG:' are
       ignored.
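
       As an added example (not code from OpenLDAP or from this page), the
       following Python parser frames one request as the external program
       would read it from the socket: it stops at the terminating blank line,
       collects the repeated "suffix:" lines and any enabled extension lines
       into fields, keeps the LDIF entry of an ADD and the "-"-separated
       change blocks of a MODIFY, and rejects a BIND whose credlen disagrees
       with cred.  Key names come from the message layouts above; the sample
       messages used to exercise it are constructed.

```python
# Added example, not OpenLDAP code: parse one slapd-sock request as slapd sends it.
META_KEYS = {"msgid", "suffix", "binddn", "peername", "ssf", "connid"}
PARAM_KEYS = {"dn", "method", "credlen", "cred", "base", "scope", "deref",
              "sizelimit", "timelimit", "filter", "attrsonly", "attrs",
              "newrdn", "deleteoldrdn", "newSuperior"}
MODIFY_OPS = {"add", "delete", "replace"}
_val = lambda v: v[1:] if v[:1] == " " else v   # drop only the separator space

def parse_request(text):
    """Return cmd, suffix list, headers, plus entry (ADD) or changes (MODIFY)."""
    lines = text.split("\n")
    if lines[0] == "" or "" not in lines:
        raise ValueError("request lacks a command line or terminating blank line")
    body = lines[:lines.index("")]
    req, rest = {"cmd": body[0], "suffix": [], "headers": {}}, body[1:]
    # ADD has only meta lines before its LDIF entry, whose first line is "dn:".
    allowed = META_KEYS if req["cmd"] == "ADD" else META_KEYS | PARAM_KEYS
    for i, line in enumerate(rest + [""]):      # sentinel ends the header scan
        key, sep, val = line.partition(":")
        if not sep or key not in allowed:
            break
        if key == "suffix":                     # "suffix:" may repeat
            req["suffix"].append(_val(val))
        else:
            req["headers"][key] = _val(val)
    tail = rest[i:]
    if req["cmd"] == "ADD":
        req["entry"] = tail
    elif req["cmd"] == "MODIFY":
        # Change blocks: "<op>: <attr>", "<attr>: <value>" lines, then "-".
        changes, block = [], None
        for line in tail:
            key, _, val = line.partition(":")
            if line == "-" and block is not None:
                changes.append(block)
                block = None
            elif block is None:
                if key not in MODIFY_OPS:
                    raise ValueError("expected change op, got %r" % line)
                block = {"op": key, "attr": _val(val), "values": []}
            else:
                block["values"].append(_val(val))
        if block is not None:
            raise ValueError("MODIFY change block not terminated by '-'")
        req["changes"] = changes
    hdr = req["headers"]
    # credlen must match cred; newlines inside credentials are not handled here
    if "credlen" in hdr and int(hdr["credlen"]) != len(hdr.get("cred", "")):
        raise ValueError("credlen does not match cred")
    return req
```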

       When used as an overlay, the external program should return a CONTINUE
       response if request processing should continue normally, or a regular
       RESULT response if the external program wishes to bypass the underlying
       database.

       If the overlay is configured to send response messages to the external
       program, they will appear as an extended RESULT message or as an ENTRY
       message, defined below.  The RESULT message is similar to the one
       above, but also includes the msgid and any configured extensions:
              RESULT
              msgid: <message id>
              code: <integer>
              matched: <matched DN>
              info: <text>
              <blank line>

       Typically both the msgid and the connid will be needed to match a
       result message to a request.  The ENTRY message has the form
              ENTRY
              msgid: <message id>
              <entry in LDIF format>
              <blank line>


ACCESS CONTROL

       The sock backend does not honor all ACL semantics as described in
       slapd.access(5).  In general, access to objects is checked by using a
       dummy object that contains only the DN, so access rules that rely on
       the contents of the object are not honored.  In detail:

       The add operation does not require write (=w) access to the children
       pseudo-attribute of the parent entry.

       The bind operation requires auth (=x) access to the entry
       pseudo-attribute of the entry whose identity is being assessed; auth
       (=x) access to the credentials is not checked, but rather delegated to
       the underlying program.

       The compare operation requires compare (=c) access to the entry
       pseudo-attribute of the object whose value is being asserted; compare
       (=c) access to the attribute whose value is being asserted is not
       checked.

       The delete operation does not require write (=w) access to the
       children pseudo-attribute of the parent entry.

       The modify operation requires write (=w) access to the entry
       pseudo-attribute; write (=w) access to the specific attributes that
       are modified is not checked.

       The modrdn operation does not require write (=w) access to the
       children pseudo-attribute of the parent entry, nor to that of the new
       parent, if different; write (=w) access to the distinguished values of
       the naming attributes is not checked.

       The search operation does not require search (=s) access to the entry
       pseudo-attribute of the searchBase; search (=s) access to the
       attributes and values used in the filter is not checked.


EXAMPLE

       There is an example script in the slapd/back-sock/ directory in the
       OpenLDAP source tree.


FILES

       /etc/openldap/slapd.conf
              default slapd configuration file


SEE ALSO

       slapd.conf(5), slapd-config(5), slapd(8).


AUTHOR

       Brian Candler, with enhancements by Howard Chu

OpenLDAP 2.4.46                   2018/03/22                     SLAPD-SOCK(5)