SLAPD-SHELL(5)                File Formats Manual               SLAPD-SHELL(5)

NAME

       slapd-shell - Shell backend to slapd

SYNOPSIS

       /etc/openldap/slapd.conf

DESCRIPTION

       The Shell backend to slapd(8) executes external programs to implement
       operations, and is designed to make it easy to tie an existing database
       to the slapd front-end.

       This backend is primarily intended to be used in prototypes.

WARNING

       The abandon shell command has been removed since OpenLDAP 2.1.

CONFIGURATION

       These slapd.conf options apply to the SHELL backend database.  That is,
       they must follow a "database shell" line and come before any subsequent
       "backend" or "database" lines.  Other database options are described in
       the slapd.conf(5) manual page.

       These options specify the pathname and arguments of the program to
       execute in response to the given LDAP operation.  Each option is
       followed by the input lines that the program receives:

       add <pathname> <argument>...
              ADD
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              <entry in LDIF format>

       bind <pathname> <argument>...
              BIND
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              method: <method number>
              credlen: <length of <credentials>>
              cred: <credentials>

       compare <pathname> <argument>...
              COMPARE
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              <attribute>: <value>

       delete <pathname> <argument>...
              DELETE
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>

       modify <pathname> <argument>...
              MODIFY
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              <repeat {
                  <"add"/"delete"/"replace">: <attribute>
                  <repeat { <attribute>: <value> }>
                  -
              }>

       modrdn <pathname> <argument>...
              MODRDN
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              newrdn: <new RDN>
              deleteoldrdn: <0 or 1>
              <if new superior is specified: "newSuperior: <DN>">

       search <pathname> <argument>...
              SEARCH
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              base: <base DN>
              scope: <0-2, see ldap.h>
              deref: <0-3, see ldap.h>
              sizelimit: <size limit>
              timelimit: <time limit>
              filter: <filter>
              attrsonly: <0 or 1>
              attrs: <"all" or space-separated attribute list>

       unbind <pathname> <argument>...
              UNBIND
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <bound DN>

       Note that you need only supply configuration lines for those commands
       you want the backend to handle.  Operations for which a command is not
       supplied will be refused with an "unwilling to perform" error.

       The search command should output the entries in LDIF format, each entry
       followed by a blank line, and after these the RESULT below.

       All commands except unbind should then output:
              RESULT
              code: <integer>
              matched: <matched DN>
              info: <text>
       where only the RESULT line is mandatory.  Lines starting with `#' or
       `DEBUG:' are ignored.
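
       The search exchange described above, written as a handler in sh(1).
       This is an added example, not the script from slapd/back-shell/; the
       DATA table, the SUFFIX value and the single supported filter form
       (uid=<name>) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not the script shipped in slapd/back-shell/.
# DATA is a constructed "uid|description" table standing in for a real
# database; SUFFIX is an assumed database suffix.
DATA='alice|Constructed test account
bob|Another constructed account'
SUFFIX='dc=example,dc=com'

result() {                      # result <code> [<info text>]
    printf 'RESULT\ncode: %s\n' "$1"
    if [ -n "${2:-}" ]; then printf 'info: %s\n' "$2"; fi
}

handle_search() {
    filter=
    while IFS= read -r line; do         # the request arrives on stdin
        case $line in
        "filter: "*) filter=${line#filter: } ;;
        esac
    done
    # Implement exactly one filter shape, (uid=<name>), and accept only a
    # conservative character set, so the client-supplied value is never
    # interpreted as a pattern, an option or shell syntax.
    uid=${filter#"(uid="}
    uid=${uid%")"}
    case $uid in                        # 53 = unwillingToPerform
    ""|*[!a-z0-9._-]*) result 53 "unsupported filter"; return 0 ;;
    esac
    if [ "$filter" != "(uid=$uid)" ]; then
        result 53 "unsupported filter"; return 0
    fi
    printf '%s\n' "$DATA" | while IFS='|' read -r u desc; do
        if [ "$u" = "$uid" ]; then      # literal comparison, no grep or eval
            printf 'dn: uid=%s,%s\nobjectClass: account\nuid: %s\n' \
                "$u" "$SUFFIX" "$u"
            printf 'description: %s\n\n' "$desc"    # blank line ends the entry
        fi
    done
    result 0
}

# Constructed request; a deployed handler would call handle_search bare
# so that it reads the request slapd writes to its stdin.
printf 'SEARCH\nmsgid: 1\nfilter: (uid=alice)\nattrsonly: 0\n' | handle_search
```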

ACCESS CONTROL

       The shell backend does not honor all ACL semantics as described in
       slapd.access(5).  In general, access to objects is checked by using a
       dummy object that contains only the DN, so access rules that rely on
       the contents of the object are not honored.  In detail:

       The add operation does not require write (=w) access to the children
       pseudo-attribute of the parent entry.

       The bind operation requires auth (=x) access to the entry
       pseudo-attribute of the entry whose identity is being assessed; auth
       (=x) access to the credentials is not checked, but rather delegated to
       the underlying shell script.

       The compare operation requires read (=r) access (FIXME: wouldn't
       compare (=c) be a more appropriate choice?) to the entry
       pseudo-attribute of the object whose value is being asserted; compare
       (=c) access to the attribute whose value is being asserted is not
       checked.

       The delete operation does not require write (=w) access to the children
       pseudo-attribute of the parent entry.

       The modify operation requires write (=w) access to the entry
       pseudo-attribute; write (=w) access to the specific attributes that are
       modified is not checked.

       The modrdn operation does not require write (=w) access to the children
       pseudo-attribute of the parent entry, nor to that of the new parent, if
       different; write (=w) access to the distinguished values of the naming
       attributes is not checked.

       The search operation does not require search (=s) access to the entry
       pseudo-attribute of the searchBase; search (=s) access to the
       attributes and values used in the filter is not checked.
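
       Because write access to the individual attributes is not checked for
       modify, the program behind the modify option has to apply its own
       policy.  An added example (not OpenLDAP code) that parses the MODIFY
       input shown under CONFIGURATION and refuses changes outside ALLOWED,
       an allow-list assumed here for illustration:

```sh
#!/bin/sh
# Added example, not part of OpenLDAP. ALLOWED is an assumed site policy:
# lower-case names of the attributes clients may change via this backend.
ALLOWED="mail telephonenumber description"

handle_modify() {
    state=head code=0 info=
    while IFS= read -r line; do
        case $state in
        head)       # MODIFY, msgid: and suffix: lines, up to the target dn:
            case $line in "dn: "*) state=op ;; esac ;;
        op)         # "<add|delete|replace>: <attribute>" opens a change
            case $line in
            "add: "*|"delete: "*|"replace: "*)
                attr=$(printf '%s' "${line#*: }" | tr 'A-Z' 'a-z')
                case $attr in
                ""|*[!a-z0-9-]*)        # 2 = protocolError
                    code=2 info="malformed attribute name" state=reject ;;
                *)  case " $ALLOWED " in
                    *" $attr "*) state=values ;;
                    *)  code=50 info="no write access to $attr" state=reject ;;
                    esac ;;             # 50 = insufficientAccessRights
                esac ;;
            "") ;;
            *)  code=2 info="expected add, delete or replace" state=reject ;;
            esac ;;
        values)     # "<attribute>: <value>" lines until the "-" terminator
            if [ "$line" = "-" ]; then state=op; fi ;;
        esac        # state=reject: the rest of the request is read and ignored
    done
    if [ "$state" = values ]; then code=2 info="unterminated change"; fi
    # A real handler applies the change here, and only when code is 0.
    printf 'RESULT\ncode: %s\n' "$code"
    if [ -n "$info" ]; then printf 'info: %s\n' "$info"; fi
}

# Constructed request: the second change touches an attribute outside ALLOWED.
handle_modify <<'EOF'
MODIFY
msgid: 7
suffix: dc=example,dc=com
dn: uid=alice,dc=example,dc=com
replace: mail
mail: alice@example.com
-
add: userPassword
userPassword: constructed-value
-
EOF
```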

EXAMPLE

       There is an example search script in the slapd/back-shell/ directory in
       the OpenLDAP source tree.

LIMITATIONS

       The shell backend does not support threaded environments.  When using
       the shell backend, slapd(8) should be built --without-threads.

FILES

       /etc/openldap/slapd.conf
              default slapd configuration file

SEE ALSO

       slapd.conf(5), slapd(8), sh(1).

OpenLDAP                          2021/06/03                    SLAPD-SHELL(5)