1SLAPD-SOCK(5) File Formats Manual SLAPD-SOCK(5)
2
3
4
6 slapd-sock - Socket backend/overlay to slapd
7
9 /etc/openldap/slapd.conf
10
12 The Socket backend to slapd(8) uses an external program to handle
13 queries that listens on a Unix domain socket. This makes it possible
14 to have a pool of processes, which persist between requests. This al‐
15 lows multithreaded operation and a high level of efficiency. The exter‐
16 nal program must have been started independently; slapd(8) itself will
17 not start it.
18
19 This module may also be used as an overlay on top of some other data‐
20 base. Use as an overlay allows external actions to be triggered in re‐
21 sponse to operations on the main database.
22
24 These slapd.conf options apply to the SOCK backend database. That is,
25 they must follow a "database sock" line and come before any subsequent
26 "backend" or "database" lines. Other database options are described in
27 the slapd.conf(5) manual page.
28
29 Alternatively, to use this module as an overlay, these directives must
30 follow an "overlay sock" line within an existing database definition.
31
32 extensions [ binddn | peername | ssf | connid ]*
33 Enables the sending of additional meta-attributes with each re‐
34 quest.
35 binddn: <bound DN>
36 peername: IP=<address>:<port>
37 ssf: <SSF value>
38 connid: <connection ID>
39
40 socketpath <pathname>
41 Gives the path to a Unix domain socket to which the commands
42 will be sent and from which replies are received.
43
44 When used as an overlay, these additional directives are de‐
45 fined:
46
47 sockops [ bind | unbind | search | compare | modify | modrdn | add |
48 delete | extended ]*
49 Specify which request types to send to the external program. The
50 default is empty (no requests are sent).
51
52 sockresps [ result | search ]*
53 Specify which response types to send to the external program.
54 "result" sends just the results of an operation. "search" sends
55 all entries that the database returned for a search request. The
56 default is empty (no responses are sent).
57
58 sockdnpat <regexp>
59 Specify DN patterns for which the overlay will act. Only opera‐
60 tions on DNs matching the specified regular expression will be
61 processed. The default is empty (all DNs are processed).
62
63
65 The protocol uses a newline to terminate the command parameters. The
66 following commands are sent:
67 ADD
68 msgid: <message id>
69 <repeat { "suffix:" <database suffix DN> }>
70 <entry in LDIF format>
71 <blank line>
72
73 BIND
74 msgid: <message id>
75 <repeat { "suffix:" <database suffix DN> }>
76 dn: <DN>
77 method: <method number>
78 credlen: <length of <credentials>>
79 cred: <credentials>
80 <blank line>
81
82 COMPARE
83 msgid: <message id>
84 <repeat { "suffix:" <database suffix DN> }>
85 dn: <DN>
86 <attribute>: <value>
87 <blank line>
88
89 DELETE
90 msgid: <message id>
91 <repeat { "suffix:" <database suffix DN> }>
92 dn: <DN>
93 <blank line>
94
95 EXTENDED
96 msgid: <message id>
97 <repeat { "suffix:" <database suffix DN> }>
98 oid: <OID>
99 value: <base64-value>
100 <blank line>
101
102 MODIFY
103 msgid: <message id>
104 <repeat { "suffix:" <database suffix DN> }>
105 dn: <DN>
106 <repeat {
107 <"add"/"delete"/"replace">: <attribute>
108 <repeat { <attribute>: <value> }>
109 -
110 }>
111 <blank line>
112
113 MODRDN
114 msgid: <message id>
115 <repeat { "suffix:" <database suffix DN> }>
116 dn: <DN>
117 newrdn: <new RDN>
118 deleteoldrdn: <0 or 1>
119 <if new superior is specified: "newSuperior: <DN>">
120 <blank line>
121
122 SEARCH
123 msgid: <message id>
124 <repeat { "suffix:" <database suffix DN> }>
125 base: <base DN>
126 scope: <0-2, see ldap.h>
127 deref: <0-3, see ldap.h>
128 sizelimit: <size limit>
129 timelimit: <time limit>
130 filter: <filter>
131 attrsonly: <0 or 1>
132 attrs: <"all" or space-separated attribute list>
133 <blank line>
134
135 UNBIND
136 msgid: <message id>
137 <repeat { "suffix:" <database suffix DN> }>
138 <blank line>
139
140 The commands - except unbind - should output:
141 RESULT
142 code: <integer>
143 matched: <matched DN>
144 info: <text>
145 where only RESULT is mandatory, and then close the socket. The search
146 RESULT should be preceded by the entries in LDIF format, each entry
147 followed by a blank line. Lines starting with `#' or `DEBUG:' are ig‐
148 nored.
149
150 When used as an overlay, the external program should return a CONTINUE
151 response if request processing should continue normally, or a regular
152 RESULT response if the external program wishes to bypass the underlying
153 database.
154
155 If sockresps includes result or search, the overlay will also send any
156 response messages to the external program (also see KNOWN LIMITATIONS).
157 These will appear as an extended RESULT message or an ENTRY message re‐
158 spectively, both are defined below and the program is not expected to
159 respond to these.
160
161 The extended RESULT message is similar to the one above, but also in‐
162 cludes the msgid and any configured extensions:
163 RESULT
164 msgid: <message id>
165 code: <integer>
166 matched: <matched DN>
167 info: <text>
168 <blank line>
169
170 Typically both the msgid and the connid will be needed to match a re‐
171 sult message to a request. The ENTRY message has the form
172 ENTRY
173 msgid: <message id>
174 <entry in LDIF format>
175 <blank line>
176
177
179 The sock backend does not process extended operation results from an
180 external program.
181
182 If sockresps is configured, sock overlay does not consider sockops nor
183 sockdnpat to decide which responses are passed onto the external pro‐
184 gram, instead, all responses are currently passed on.
185
186
188 The sock backend does not honor all ACL semantics as described in
189 slapd.access(5). In general, access to objects is checked by using a
190 dummy object that contains only the DN, so access rules that rely on
191 the contents of the object are not honored. In detail:
192
193 The add operation does not require write (=w) access to the children
194 pseudo-attribute of the parent entry.
195
196 The bind operation requires auth (=x) access to the entry pseudo-attri‐
197 bute of the entry whose identity is being assessed; auth (=x) access to
198 the credentials is not checked, but rather delegated to the underlying
199 program.
200
201 The compare operation requires compare (=c) access to the entry pseudo-
202 attribute of the object whose value is being asserted; compare (=c) ac‐
203 cess to the attribute whose value is being asserted is not checked.
204
205 The delete operation does not require write (=w) access to the children
206 pseudo-attribute of the parent entry.
207
208 The modify operation requires write (=w) access to the entry pseudo-at‐
209 tribute; write (=w) access to the specific attributes that are modified
210 is not checked.
211
212 The modrdn operation does not require write (=w) access to the children
213 pseudo-attribute of the parent entry, nor to that of the new parent, if
214 different; write (=w) access to the distinguished values of the naming
215 attributes is not checked.
216
217 The search operation does not require search (=s) access to the entry
218 pseudo_attribute of the searchBase; search (=s) access to the at‐
219 tributes and values used in the filter is not checked.
220
221 The extended operation does not require any access special rights. The
222 external program has to implement any sort of access control.
223
224
226 There is an example script in the slapd/back-sock/ directory in the
227 OpenLDAP source tree.
228
230 /etc/openldap/slapd.conf
231 default slapd configuration file
232
234 slapd.conf(5), slapd-config(5), slapd(8).
235
237 Brian Candler, with enhancements by Howard Chu
238
239
240
241OpenLDAP 2.6.3 2022/07/14 SLAPD-SOCK(5)