1SLAPD-SHELL(5) File Formats Manual SLAPD-SHELL(5)
2
3
4
6 slapd-shell - Shell backend to slapd
7
9 /etc/openldap/slapd.conf
10
12 The Shell backend to slapd(8) executes external programs to implement
13 operations, and is designed to make it easy to tie an existing database
14 to the slapd front-end.
15
16 This backend is primarily intended to be used in prototypes.
17
19 The abandon shell command has been removed since OpenLDAP 2.1.
20
22 These slapd.conf options apply to the SHELL backend database. That is,
23 they must follow a "database shell" line and come before any subsequent
24 "backend" or "database" lines. Other database options are described in
25 the slapd.conf(5) manual page.
26
27 These options specify the pathname and arguments of the program to exe‐
28 cute in response to the given LDAP operation. Each option is followed
29 by the input lines that the program receives:
30
31 add <pathname> <argument>...
32 ADD
33 msgid: <message id>
34 <repeat { "suffix:" <database suffix DN> }>
35 <entry in LDIF format>
36
37 bind <pathname> <argument>...
38 BIND
39 msgid: <message id>
40 <repeat { "suffix:" <database suffix DN> }>
41 dn: <DN>
42 method: <method number>
43 credlen: <length of <credentials>>
44 cred: <credentials>
45
46 compare <pathname> <argument>...
47 COMPARE
48 msgid: <message id>
49 <repeat { "suffix:" <database suffix DN> }>
50 dn: <DN>
51 <attribute>: <value>
52
53 delete <pathname> <argument>...
54 DELETE
55 msgid: <message id>
56 <repeat { "suffix:" <database suffix DN> }>
57 dn: <DN>
58
59 modify <pathname> <argument>...
60 MODIFY
61 msgid: <message id>
62 <repeat { "suffix:" <database suffix DN> }>
63 dn: <DN>
64 <repeat {
65 <"add"/"delete"/"replace">: <attribute>
66 <repeat { <attribute>: <value> }>
67 -
68 }>
69
70 modrdn <pathname> <argument>...
71 MODRDN
72 msgid: <message id>
73 <repeat { "suffix:" <database suffix DN> }>
74 dn: <DN>
75 newrdn: <new RDN>
76 deleteoldrdn: <0 or 1>
77 <if new superior is specified: "newSuperior: <DN>">
78
79 search <pathname> <argument>...
80 SEARCH
81 msgid: <message id>
82 <repeat { "suffix:" <database suffix DN> }>
83 base: <base DN>
84 scope: <0-2, see ldap.h>
85 deref: <0-3, see ldap.h>
86 sizelimit: <size limit>
87 timelimit: <time limit>
88 filter: <filter>
89 attrsonly: <0 or 1>
90 attrs: <"all" or space-separated attribute list>
91
92 unbind <pathname> <argument>...
93 UNBIND
94 msgid: <message id>
95 <repeat { "suffix:" <database suffix DN> }>
96 dn: <bound DN>
97
98 Note that you need only supply configuration lines for those commands
99 you want the backend to handle. Operations for which a command is not
100 supplied will be refused with an "unwilling to perform" error.
101
102 The search command should output the entries in LDIF format, each entry
103 followed by a blank line, and after these the RESULT below.
104
105 All commands except unbind should then output:
106 RESULT
107 code: <integer>
108 matched: <matched DN>
109 info: <text>
110 where only the RESULT line is mandatory. Lines starting with `#' or
111 `DEBUG:' are ignored.
112
114 The shell backend does not honor all ACL semantics as described in
115 slapd.access(5). In general, access to objects is checked by using a
116 dummy object that contains only the DN, so access rules that rely on
117 the contents of the object are not honored. In detail:
118
119 The add operation does not require write (=w) access to the children
120 pseudo-attribute of the parent entry.
121
122 The bind operation requires auth (=x) access to the entry pseudo-attri‐
123 bute of the entry whose identity is being assessed; auth (=x) access to
124 the credentials is not checked, but rather delegated to the underlying
125 shell script.
126
127 The compare operation requires read (=r) access (FIXME: wouldn't com‐
128 pare (=c) be a more appropriate choice?) to the entry pseudo-attribute
129 of the object whose value is being asserted; compare (=c) access to the
130 attribute whose value is being asserted is not checked.
131
132 The delete operation does not require write (=w) access to the children
133 pseudo-attribute of the parent entry.
134
135 The modify operation requires write (=w) access to the entry pseudo-at‐
136 tribute; write (=w) access to the specific attributes that are modified
137 is not checked.
138
139 The modrdn operation does not require write (=w) access to the children
140 pseudo-attribute of the parent entry, nor to that of the new parent, if
141 different; write (=w) access to the distinguished values of the naming
142 attributes is not checked.
143
144 The search operation does not require search (=s) access to the entry
145 pseudo_attribute of the searchBase; search (=s) access to the at‐
146 tributes and values used in the filter is not checked.
147
148
150 There is an example search script in the slapd/back-shell/ directory in
151 the OpenLDAP source tree.
152
154 The shell backend does not support threaded environments. When using
155 the shell backend, slapd(8) should be built --without-threads.
156
158 /etc/openldap/slapd.conf
159 default slapd configuration file
160
162 slapd.conf(5), slapd(8), sh(1).
163
164
165
166OpenLDAP 2021/06/03 SLAPD-SHELL(5)