1SLAPD(8C)                                                            SLAPD(8C)
2
3
4

NAME

6       slapd - Stand-alone LDAP Daemon
7

SYNOPSIS

9       slapd     [-4|-6]     [-T {acl|a[dd]|auth|c[at]|     d[n]|i[ndex]|p[as‐
10       swd]|s[chema]|t[est]}]     [-d debug-level]      [-f slapd-config-file]
11       [-F slapd-config-directory]   [-h URLs]  [-n service-name]  [-s syslog-
12       level]   [-l syslog-local-user]   [-o option[=value]]    [-r directory]
13       [-u user] [-g group] [-c cookie]
14

DESCRIPTION

16       Slapd  is  the stand-alone LDAP daemon. It listens for LDAP connections
17       on any number of ports (default 389), responding to the LDAP operations
18       it receives over these connections.  slapd is typically invoked at boot
19       time, usually out of /etc/rc.local.  Upon startup, slapd normally forks
20       and  disassociates  itself from the invoking tty.  If configured in the
21       config file (or config directory), the slapd  process  will  print  its
22       process  ID (see getpid(2)) to a .pid file, as well as the command line
23       options during invocation to an .args file (see slapd.conf(5)).  If the
24       -d  flag  is  given, even with a zero argument, slapd will not fork and
25       disassociate from the invoking tty.
26
27       See the "OpenLDAP Administrator's Guide" for more details on slapd.
28

OPTIONS

30       -4     Listen on IPv4 addresses only.
31
32       -6     Listen on IPv6 addresses only.
33
34       -T tool
35              Run in Tool mode. The tool argument selects whether  to  run  as
36              slapadd,  slapcat, slapdn, slapindex, slappasswd, slapschema, or
37              slaptest (slapacl and slapauth need the entire acl and auth  op‐
38              tion  value  to  be  spelled  out, as a is reserved to slapadd).
39              This option should be the first  option  specified  when  it  is
40              used;  any  remaining  options will be interpreted by the corre‐
41              sponding slap tool program,  according  to  the  respective  man
42              pages.   Note  that these tool programs will usually be symbolic
43              links to slapd.  This option is provided  for  situations  where
44              symbolic links are not provided or not usable.
45
46       -d debug-level
47              Turn  on debugging as defined by debug-level.  If this option is
48              specified, even with a zero argument, slapd  will  not  fork  or
49              disassociate from the invoking terminal.  Some general operation
50              and status messages are printed for any  value  of  debug-level.
51              debug-level  is taken as a bit string, with each bit correspond‐
52              ing  to  a  different  kind  of  debugging   information.    See
53              <ldap_log.h>  for  details.   Comma-separated arrays of friendly
54              names can be specified to select debugging output of the  corre‐
55              sponding debugging information.  All the names recognized by the
56              loglevel directive described in slapd.conf(5) are supported.  If
57              debug-level  is  ?, a list of installed debug-levels is printed,
58              and slapd exits.
59
60              Remember that if you turn on packet logging, packets  containing
61              bind  passwords  will be output, so if you redirect the log to a
62              logfile, that file should be read-protected.
63
64       -s syslog-level
65              This option tells slapd at what debug-level debugging statements
66              should  be  logged to the syslog(8) facility.  The value syslog-
67              level can be set to any value or combination allowed by  the  -d
68              switch.  Slapd logs all messages selected by syslog-level at the
69              syslog(3) severity debug-level DEBUG, on the unit specified with
70              -l.
71
72       -n service-name
73              Specifies  the service name for logging and other purposes.  De‐
74              faults to basename of argv[0], i.e.: "slapd".
75
76       -l syslog-local-user
77              Selects the local user of the syslog(8) facility. Value  can  be
78              LOCAL0, through LOCAL7, as well as USER and DAEMON.  The default
79              is LOCAL4.  However, this option is only  permitted  on  systems
80              that  support  local users with the syslog(8) facility.  Logging
81              to syslog(8) occurs at the "DEBUG" severity debug-level.
82
83       -f slapd-config-file
84              Specifies  the  slapd  configuration  file.   The   default   is
85              /etc/openldap/slapd.conf.
86
87       -F slapd-config-directory
88              Specifies  the  slapd  configuration  directory.  The default is
89              /etc/openldap/slapd.d.  If both -f and  -F  are  specified,  the
90              config  file will be read and converted to config directory for‐
91              mat and written to the specified directory.  If  neither  option
92              is  specified, slapd will attempt to read the default config di‐
93              rectory before trying to use the default config file. If a valid
94              config directory exists then the default config file is ignored.
95              All of the slap tools that use the config options  observe  this
96              same behavior.
97
98       -h URLlist
99              slapd  will  by default serve ldap:/// (LDAP over TCP on all in‐
100              terfaces on default LDAP port).  That is, it will bind using IN‐
101              ADDR_ANY  and  port  389.   The -h option may be used to specify
102              LDAP (and other scheme) URLs to serve.  For example, if slapd is
103              given  -h  "ldap://127.0.0.1:9009/ ldaps:/// ldapi:///", it will
104              listen on 127.0.0.1:9009 for LDAP,  0.0.0.0:636  for  LDAP  over
105              TLS, and LDAP over IPC (Unix domain sockets).  Host 0.0.0.0 rep‐
106              resents INADDR_ANY (any interface).  A space separated  list  of
107              URLs  is  expected.   The  URLs should be of the LDAP, LDAPS, or
108              LDAPI schemes, and generally without a DN or other optional  pa‐
109              rameters (excepting as discussed below).  Support for the latter
110              two schemes depends on selected  configuration  options.   Hosts
111              may  be  specified  by  name  or  IPv4 and IPv6 address formats.
112              Ports, if specified, must be numeric.  The default ldap://  port
113              is 389 and the default ldaps:// port is 636.
114
115              For  LDAP  over IPC, name is the name of the socket, and no port
116              is required, nor allowed; note that directory separators must be
117              URL-encoded, like any other characters that are special to URLs;
118              so the socket
119
120                      /usr/local/var/ldapi
121
122              must be specified as
123
124                      ldapi://%2Fusr%2Flocal%2Fvar%2Fldapi
125
126              The default location for the IPC socket is /var/run/ldapi
127
128              The listener permissions are  indicated  by  "x-mod=-rwxrwxrwx",
129              "x-mod=0777"  or  "x-mod=777", where any of the "rwx" can be "-"
130              to suppress the related permission, while any of the "7" can  be
131              any legal octal digit, according to chmod(1).  The listeners can
132              take advantage of the "x-mod" extension to apply  rough  limita‐
133              tions  to operations, e.g. allow read operations ("r", which ap‐
134              plies to search and compare), write operations ("w",  which  ap‐
135              plies to add, delete, modify and modrdn), and execute operations
136              ("x", which means bind is required).  "User"  permissions  apply
137              to  authenticated users, while "other" apply to anonymous users;
138              "group"    permissions    are     ignored.      For     example,
139              "ldap:///????x-mod=-rw-------" means that read and write is only
140              allowed for authenticated connections, and bind is required  for
141              all  operations.   This feature is experimental, and requires to
142              be manually enabled at configure time.
143
144       -r directory
145              Specifies a directory to become the root directory.  slapd  will
146              change  the current working directory to this directory and then
147              chroot(2) to this directory.  This is done after opening listen‐
148              ers  but  before  reading any configuration file or initializing
149              any backend.  When used as a security mechanism,  it  should  be
150              used in conjunction with -u and -g options.
151
152       -u user
153              slapd  will  run  slapd  with the specified user name or id, and
154              that user's supplementary group access list as  set  with  init‐
155              groups(3).  The group ID is also changed to this user's gid, un‐
156              less the -g option is used to override.  Note when used with -r,
157              slapd will use the user database in the change root environment.
158
159              Note that on some systems, running as a non-privileged user will
160              prevent passwd back-ends from accessing the encrypted passwords.
161              Note  also  that  any  shell back-ends will run as the specified
162              non-privileged user.
163
164       -g group
165              slapd will run with the specified group name or id.   Note  when
166              used  with  -r,  slapd will use the group database in the change
167              root environment.
168
169       -c cookie
170              This option provides a cookie for the syncrepl replication  con‐
171              sumer.   The  cookie  is  a  comma  separated list of name=value
172              pairs.  Currently supported syncrepl cookie fields are rid, sid,
173              and  csn.   rid  identifies a replication thread within the con‐
174              sumer server and is used to find the syncrepl  specification  in
175              slapd.conf(5) or slapd-config(5) having the matching replication
176              identifier in its definition. The rid must be provided in  order
177              for any other specified values to be used.  sid is the server id
178              in a multi-provider configuration.  csn is the  commit  sequence
179              number received by a previous synchronization and represents the
180              state of the consumer content which  the  syncrepl  engine  will
181              synchronize  to the current provider content.  In case of multi-
182              provider replication agreement, multiple csn  values,  semicolon
183              separated,  can  appear.   Use only the rid part to force a full
184              reload.
185
186       -o option[=value]
187              This option provides a generic means to specify options  without
188              the need to reserve a separate letter for them.
189
190              It supports the following options:
191
192              slp={on|off|slp-attrs}
193                     When  SLP  support  is  compiled  into  slapd, disable it
194                     (off),
195                      enable it by registering at SLP DAs without specific SLP
196                     attributes  (on), or with specific SLP attributes slp-at‐
197                     trs that must be an SLP attribute list definition accord‐
198                     ing to the SLP standard.
199
200                     For  example,  "slp=(tree=production),(server-type=OpenL‐
201                     DAP),(server-version=2.4.15)" registers at SLP  DAs  with
202                     the  three  SLP  attributes tree, server-type and server-
203                     version that have the values given  above.   This  allows
204                     one  to  specifically  query the SLP DAs for LDAP servers
205                     holding the production tree in case  multiple  trees  are
206                     available.
207

EXAMPLES

209       To  start slapd and have it fork and detach from the terminal and start
210       serving the LDAP databases defined in the  default  config  file,  just
211       type:
212
213            slapd
214
215       To  start slapd with an alternate configuration file, and turn on volu‐
216       minous debugging which will be printed on standard error, type:
217
218            slapd -f /var/tmp/slapd.conf -d 255
219
220       To test whether the configuration file is correct or not, type:
221
222            slapd -Tt
223

SEE ALSO

225       ldap(3), slapd.conf(5), slapd-config(5),  slapd.access(5),  slapacl(8),
226       slapadd(8),  slapauth(8),  slapcat(8),  slapdn(8),  slapindex(8), slap‐
227       passwd(8), slapschema(8), slaptest(8).
228
229       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
230

BUGS

232       See http://www.openldap.org/its/
233

ACKNOWLEDGEMENTS

235       OpenLDAP Software is developed and maintained by The  OpenLDAP  Project
236       <http://www.openldap.org/>.  OpenLDAP Software is derived from the Uni‐
237       versity of Michigan LDAP 3.3 Release.
238
239
240
241OpenLDAP 2.4.57                   2021/01/18                         SLAPD(8C)
Impressum