1SLAPD-SOCK(5)                 File Formats Manual                SLAPD-SOCK(5)
2
3
4

NAME

6       slapd-sock - Socket backend/overlay to slapd
7

SYNOPSIS

9       /etc/openldap/slapd.conf
10

DESCRIPTION

12       The  Socket  backend  to  slapd(8)  uses  an external program to handle
13       queries that listens on a Unix domain socket.  This makes  it  possible
14       to  have  a pool of processes, which persist between requests. This al‐
15       lows multithreaded operation and a high level of efficiency. The exter‐
16       nal  program must have been started independently; slapd(8) itself will
17       not start it.
18
19       This module may also be used as an overlay on top of some  other  data‐
20       base.  Use as an overlay allows external actions to be triggered in re‐
21       sponse to operations on the main database.
22

CONFIGURATION

24       These slapd.conf options apply to the SOCK backend database.  That  is,
25       they  must follow a "database sock" line and come before any subsequent
26       "backend" or "database" lines.  Other database options are described in
27       the slapd.conf(5) manual page.
28
29       Alternatively,  to use this module as an overlay, these directives must
30       follow an "overlay sock" line within an existing database definition.
31
32       extensions [ binddn | peername | ssf | connid ]*
33              Enables the sending of additional meta-attributes with each  re‐
34              quest.
35              binddn: <bound DN>
36              peername: IP=<address>:<port>
37              ssf: <SSF value>
38              connid: <connection ID>
39
40       socketpath <pathname>
41              Gives  the  path  to  a Unix domain socket to which the commands
42              will be sent and from which replies are received.
43
44              When used as an overlay, these  additional  directives  are  de‐
45              fined:
46
47       sockops   [  bind | unbind | search | compare | modify | modrdn | add |
48       delete | extended ]*
49              Specify which request types to send to the external program. The
50              default is empty (no requests are sent).
51
52       sockresps [ result | search ]*
53              Specify  which  response  types to send to the external program.
54              "result" sends just the results of an operation. "search"  sends
55              all entries that the database returned for a search request. The
56              default is empty (no responses are sent).
57
58       sockdnpat <regexp>
59              Specify DN patterns for which the overlay will act. Only  opera‐
60              tions  on  DNs matching the specified regular expression will be
61              processed. The default is empty (all DNs are processed).
62
63

PROTOCOL

65       The protocol uses a newline to terminate the  command  parameters.  The
66       following commands are sent:
67              ADD
68              msgid: <message id>
69              <repeat { "suffix:" <database suffix DN> }>
70              <entry in LDIF format>
71              <blank line>
72
73              BIND
74              msgid: <message id>
75              <repeat { "suffix:" <database suffix DN> }>
76              dn: <DN>
77              method: <method number>
78              credlen: <length of <credentials>>
79              cred: <credentials>
80              <blank line>
81
82              COMPARE
83              msgid: <message id>
84              <repeat { "suffix:" <database suffix DN> }>
85              dn: <DN>
86              <attribute>: <value>
87              <blank line>
88
89              DELETE
90              msgid: <message id>
91              <repeat { "suffix:" <database suffix DN> }>
92              dn: <DN>
93              <blank line>
94
95              EXTENDED
96              msgid: <message id>
97              <repeat { "suffix:" <database suffix DN> }>
98              oid: <OID>
99              value: <base64-value>
100              <blank line>
101
102              MODIFY
103              msgid: <message id>
104              <repeat { "suffix:" <database suffix DN> }>
105              dn: <DN>
106              <repeat {
107                  <"add"/"delete"/"replace">: <attribute>
108                  <repeat { <attribute>: <value> }>
109                  -
110              }>
111              <blank line>
112
113              MODRDN
114              msgid: <message id>
115              <repeat { "suffix:" <database suffix DN> }>
116              dn: <DN>
117              newrdn: <new RDN>
118              deleteoldrdn: <0 or 1>
119              <if new superior is specified: "newSuperior: <DN>">
120              <blank line>
121
122              SEARCH
123              msgid: <message id>
124              <repeat { "suffix:" <database suffix DN> }>
125              base: <base DN>
126              scope: <0-2, see ldap.h>
127              deref: <0-3, see ldap.h>
128              sizelimit: <size limit>
129              timelimit: <time limit>
130              filter: <filter>
131              attrsonly: <0 or 1>
132              attrs: <"all" or space-separated attribute list>
133              <blank line>
134
135              UNBIND
136              msgid: <message id>
137              <repeat { "suffix:" <database suffix DN> }>
138              <blank line>
139
140       The commands - except unbind - should output:
141              RESULT
142              code: <integer>
143              matched: <matched DN>
144              info: <text>
145       where  only RESULT is mandatory, and then close the socket.  The search
146       RESULT should be preceded by the entries in  LDIF  format,  each  entry
147       followed  by a blank line.  Lines starting with `#' or `DEBUG:' are ig‐
148       nored.
149
150       When used as an overlay, the external program should return a  CONTINUE
151       response  if  request processing should continue normally, or a regular
152       RESULT response if the external program wishes to bypass the underlying
153       database.
154
155       If  sockresps includes result or search, the overlay will also send any
156       response messages to the external program (also see KNOWN LIMITATIONS).
157       These will appear as an extended RESULT message or an ENTRY message re‐
158       spectively, both are defined below and the program is not  expected  to
159       respond to these.
160
161       The  extended  RESULT message is similar to the one above, but also in‐
162       cludes the msgid and any configured extensions:
163              RESULT
164              msgid: <message id>
165              code: <integer>
166              matched: <matched DN>
167              info: <text>
168              <blank line>
169
170       Typically both the msgid and the connid will be needed to match  a  re‐
171       sult message to a request. The ENTRY message has the form
172              ENTRY
173              msgid: <message id>
174              <entry in LDIF format>
175              <blank line>
176
177

KNOWN LIMITATIONS

179       The  sock  backend  does not process extended operation results from an
180       external program.
181
182       If sockresps is configured, sock overlay does not consider sockops  nor
183       sockdnpat  to  decide which responses are passed onto the external pro‐
184       gram, instead, all responses are currently passed on.
185
186

ACCESS CONTROL

188       The sock backend does not honor  all  ACL  semantics  as  described  in
189       slapd.access(5).   In  general, access to objects is checked by using a
190       dummy object that contains only the DN, so access rules  that  rely  on
191       the contents of the object are not honored.  In detail:
192
193       The  add  operation  does not require write (=w) access to the children
194       pseudo-attribute of the parent entry.
195
196       The bind operation requires auth (=x) access to the entry pseudo-attri‐
197       bute of the entry whose identity is being assessed; auth (=x) access to
198       the credentials is not checked, but rather delegated to the  underlying
199       program.
200
201       The compare operation requires compare (=c) access to the entry pseudo-
202       attribute of the object whose value is being asserted; compare (=c) ac‐
203       cess to the attribute whose value is being asserted is not checked.
204
205       The delete operation does not require write (=w) access to the children
206       pseudo-attribute of the parent entry.
207
208       The modify operation requires write (=w) access to the entry pseudo-at‐
209       tribute; write (=w) access to the specific attributes that are modified
210       is not checked.
211
212       The modrdn operation does not require write (=w) access to the children
213       pseudo-attribute of the parent entry, nor to that of the new parent, if
214       different; write (=w) access to the distinguished values of the  naming
215       attributes is not checked.
216
217       The  search  operation does not require search (=s) access to the entry
218       pseudo_attribute of the searchBase;  search  (=s)  access  to  the  at‐
219       tributes and values used in the filter is not checked.
220
221       The extended operation does not require any access special rights.  The
222       external program has to implement any sort of access control.
223
224

EXAMPLE

226       There is an example script in the  slapd/back-sock/  directory  in  the
227       OpenLDAP source tree.
228

FILES

230       /etc/openldap/slapd.conf
231              default slapd configuration file
232

SEE ALSO

234       slapd.conf(5), slapd-config(5), slapd(8).
235

AUTHOR

237       Brian Candler, with enhancements by Howard Chu
238
239
240
241OpenLDAP 2.6.2                    2022/05/04                     SLAPD-SOCK(5)
Impressum