1SLAPD.CONF(5) File Formats Manual SLAPD.CONF(5)
2
6 slapd.conf - configuration file for slapd, the stand-alone LDAP daemon
7
9 /etc/openldap/slapd.conf
10
12 The file /etc/openldap/slapd.conf contains configuration information
13 for the slapd(8) daemon. This configuration file is also used by the
14 SLAPD tools slapacl(8), slapadd(8), slapauth(8), slapcat(8), slapdn(8),
15 slapindex(8), slapmodify(8), and slaptest(8).
16 The slapd.conf file consists of a series of global configuration op‐
18 tions that apply to slapd as a whole (including all backends), followed
19 by zero or more database backend definitions that contain information
20 specific to a backend instance. The configuration options are case-in‐
21 sensitive; their value, on a case by case basis, may be case-sensitive.
22 The general format of slapd.conf is as follows:
24 # comment - these options apply to every database
26 <global configuration options>
27 # first database definition & configuration options
28 database <backend 1 type>
29 <configuration options specific to backend 1>
30 # subsequent database definitions & configuration options
31 ...
32 As many backend-specific sections as desired may be included. Global
34 options can be overridden in a backend (for options that appear more
35 than once, the last appearance in the slapd.conf file is used).
36 If a line begins with white space, it is considered a continuation of
38 the previous line. No physical line should be over 2000 bytes long.
39 Blank lines and comment lines beginning with a `#' character are ig‐
41 nored. Note: continuation lines are unwrapped before comment process‐
42 ing is applied.
43 Arguments on configuration lines are separated by white space. If an
45 argument contains white space, the argument should be enclosed in dou‐
46 ble quotes. If an argument contains a double quote (`"') or a back‐
47 slash character (`\'), the character should be preceded by a backslash
48 character.
49 The specific configuration options available are discussed below in the
51 Global Configuration Options, General Backend Options, and General
52 Database Options. Backend-specific options are discussed in the
53 slapd-<backend>(5) manual pages. Refer to the "OpenLDAP Administra‐
54 tor's Guide" for more details on the slapd configuration file.
55
57 Options described in this section apply to all backends, unless specif‐
58 ically overridden in a backend definition. Arguments that should be re‐
59 placed by actual text are shown in brackets <>.
60 access to <what> [ by <who> <access> <control> ]+
62 Grant access (specified by <access>) to a set of entries and/or
63 attributes (specified by <what>) by one or more requestors
64 (specified by <who>). If no access controls are present, the
65 default policy allows anyone and everyone to read anything but
66 restricts updates to rootdn. (e.g., "access to * by * read").
67 The rootdn can always read and write EVERYTHING! See slapd.ac‐
68 cess(5) and the "OpenLDAP's Administrator's Guide" for details.
69 allow <features>
71 Specify a set of features (separated by white space) to allow
72 (default none). bind_v2 allows acceptance of LDAPv2 bind re‐
73 quests. Note that slapd(8) does not truly implement LDAPv2 (RFC
74 1777), now Historic (RFC 3494). bind_anon_cred allows anonymous
75 bind when credentials are not empty (e.g. when DN is empty).
76 bind_anon_dn allows unauthenticated (anonymous) bind when DN is
77 not empty. update_anon allows unauthenticated (anonymous) up‐
78 date operations to be processed (subject to access controls and
79 other administrative limits). proxy_authz_anon allows unauthen‐
80 ticated (anonymous) proxy authorization control to be processed
81 (subject to access controls, authorization and other administra‐
82 tive limits).
83 argsfile <filename>
85 The (absolute) name of a file that will hold the slapd server's
86 command line (program name and options).
87 attributeoptions [option-name]...
89 Define tagging attribute options or option tag/range prefixes.
90 Options must not end with `-', prefixes must end with `-'. The
91 `lang-' prefix is predefined. If you use the attributeoptions
92 directive, `lang-' will no longer be defined and you must spec‐
93 ify it explicitly if you want it defined.
94 An attribute description with a tagging option is a subtype of
96 that attribute description without the option. Except for that,
97 options defined this way have no special semantics. Prefixes
98 defined this way work like the `lang-' options: They define a
99 prefix for tagging options starting with the prefix. That is,
100 if you define the prefix `x-foo-', you can use the option
101 `x-foo-bar'. Furthermore, in a search or compare, a prefix or
102 range name (with a trailing `-') matches all options starting
103 with that name, as well as the option with the range name sans
104 the trailing `-'. That is, `x-foo-bar-' matches `x-foo-bar' and
105 `x-foo-bar-baz'.
106 RFC 4520 reserves options beginning with `x-' for private exper‐
108 iments. Other options should be registered with IANA, see RFC
109 4520 section 3.5. OpenLDAP also has the `binary' option built
110 in, but this is a transfer option, not a tagging option.
111 attributetype ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE]
113 [SUP <oid>] [EQUALITY <oid>] [ORDERING <oid>] [SUBSTR <oid>]
114 [SYNTAX <oidlen>] [SINGLE-VALUE] [COLLECTIVE]
115 [NO-USER-MODIFICATION] [USAGE <attributeUsage>] )
116 Specify an attribute type using the LDAPv3 syntax defined in RFC
117 4512. The slapd parser extends the RFC 4512 definition by
118 allowing string forms as well as numeric OIDs to be used for the
119 attribute OID and attribute syntax OID. (See the
120 objectidentifier description.)
121 authid-rewrite<cmd> <args>
123 Used by the authentication framework to convert simple user
124 names to an LDAP DN used for authorization purposes. Its
125 purpose is analogous to that of authz-regexp (see below). The
126 prefix authid- is followed by a set of rules analogous to those
127 described in slapo-rwm(5) for data rewriting (replace the rwm-
128 prefix with authid-). authid-rewrite<cmd> and authz-regexp
129 rules should not be intermixed.
130 authz-policy <policy>
132 Used to specify which rules to use for Proxy Authorization.
133 Proxy authorization allows a client to authenticate to the
134 server using one user's credentials, but specify a different
135 identity to use for authorization and access control purposes.
136 It essentially allows user A to login as user B, using user A's
137 password. The none flag disables proxy authorization. This is
138 the default setting. The from flag will use rules in the
139 authzFrom attribute of the authorization DN. The to flag will
140 use rules in the authzTo attribute of the authentication DN.
141 The any flag, an alias for the deprecated value of both, will
142 allow any of the above, whatever succeeds first (checked in to,
143 from sequence. The all flag requires both authorizations to
144 succeed.
145 The rules are mechanisms to specify which identities are allowed
147 to perform proxy authorization. The authzFrom attribute in an
148 entry specifies which other users are allowed to proxy login to
149 this entry. The authzTo attribute in an entry specifies which
150 other users this user can authorize as. Use of authzTo rules
151 can be easily abused if users are allowed to write arbitrary
152 values to this attribute. In general the authzTo attribute must
153 be protected with ACLs such that only privileged users can
154 modify it. The value of authzFrom and authzTo describes an
155 identity or a set of identities; it can take five forms:
156 ldap:///<base>??[<scope>]?<filter>
158 dn[.<dnstyle>]:<pattern>
159 u[.<mech>[/<realm>]]:<pattern>
160 group[/objectClass[/attributeType]]:<pattern>
161 <pattern>
162 <dnstyle>:={exact|onelevel|children|subtree|regex}
164 The first form is a valid LDAP URI where the <host>:<port>, the
166 <attrs> and the <extensions> portions must be absent, so that
167 the search occurs locally on either authzFrom or authzTo.
168 The second form is a DN. The optional dnstyle modifiers exact,
171 onelevel, children, and subtree provide exact, onelevel,
172 children and subtree matches, which cause <pattern> to be
173 normalized according to the DN normalization rules. The special
174 dnstyle modifier regex causes the <pattern> to be treated as a
175 POSIX (''extended'') regular expression, as discussed in
176 regex(7) and/or re_format(7). A pattern of * means any non-
177 anonymous DN.
178 The third form is a SASL id. The optional fields <mech> and
181 <realm> allow specification of a SASL mechanism, and eventually
182 a SASL realm, for those mechanisms that support one. The need
183 to allow the specification of a mechanism is still debated, and
184 users are strongly discouraged to rely on this possibility.
185 The fourth form is a group specification. It consists of the
188 keyword group, optionally followed by the specification of the
189 group objectClass and attributeType. The objectClass defaults
190 to groupOfNames. The attributeType defaults to member. The
191 group with DN <pattern> is searched with base scope, filtered on
192 the specified objectClass. The values of the resulting
193 attributeType are searched for the asserted DN.
194 The fifth form is provided for backwards compatibility. If no
197 identity type is provided, i.e. only <pattern> is present, an
198 exact DN is assumed; as a consequence, <pattern> is subjected to
199 DN normalization.
200 Since the interpretation of authzFrom and authzTo can impact
203 security, users are strongly encouraged to explicitly set the
204 type of identity specification that is being used. A subset of
205 these rules can be used as third arg in the authz-regexp
206 statement (see below); significantly, the URI, provided it
207 results in exactly one entry, and the dn.exact:<dn> forms.
208 authz-regexp <match> <replace>
210 Used by the authentication framework to convert simple user
211 names, such as provided by SASL subsystem, or extracted from
212 certificates in case of cert-based SASL EXTERNAL, or provided
213 within the RFC 4370 "proxied authorization" control, to an LDAP
214 DN used for authorization purposes. Note that the resulting DN
215 need not refer to an existing entry to be considered valid.
216 When an authorization request is received from the SASL
217 subsystem, the SASL USERNAME, REALM, and MECHANISM are taken,
218 when available, and combined into a name of the form
219 UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth
221 This name is then compared against the match POSIX
223 (''extended'') regular expression, and if the match is
224 successful, the name is replaced with the replace string. If
225 there are wildcard strings in the match regular expression that
226 are enclosed in parenthesis, e.g.
227 UID=([^,]*),CN=.*
229 then the portion of the name that matched the wildcard will be
231 stored in the numbered placeholder variable $1. If there are
232 other wildcard strings in parenthesis, the matching strings will
233 be in $2, $3, etc. up to $9. The placeholders can then be used
234 in the replace string, e.g.
235 UID=$1,OU=Accounts,DC=example,DC=com
237 The replaced name can be either a DN, i.e. a string prefixed by
239 "dn:", or an LDAP URI. If the latter, the server will use the
240 URI to search its own database(s) and, if the search returns
241 exactly one entry, the name is replaced by the DN of that entry.
242 The LDAP URI must have no hostport, attrs, or extensions
243 components, but the filter is mandatory, e.g.
244 ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)
246 The protocol portion of the URI must be strictly ldap. Note
248 that this search is subject to access controls. Specifically,
249 the authentication identity must have "auth" access in the
250 subject.
251 Multiple authz-regexp options can be given in the configuration
253 file to allow for multiple matching and replacement patterns.
254 The matching patterns are checked in the order they appear in
255 the file, stopping at the first successful match.
256 concurrency <integer>
259 Specify a desired level of concurrency. Provided to the
260 underlying thread system as a hint. The default is not to
261 provide any hint. This setting is only meaningful on some
262 platforms where there is not a one to one correspondence between
263 user threads and kernel threads.
264 conn_max_pending <integer>
266 Specify the maximum number of pending requests for an anonymous
267 session. If requests are submitted faster than the server can
268 process them, they will be queued up to this limit. If the limit
269 is exceeded, the session is closed. The default is 100.
270 conn_max_pending_auth <integer>
272 Specify the maximum number of pending requests for an
273 authenticated session. The default is 1000.
274 defaultsearchbase <dn>
276 Specify a default search base to use when client submits a non-
277 base search request with an empty base DN. Base scoped search
278 requests with an empty base DN are not affected.
279 disallow <features>
281 Specify a set of features (separated by white space) to disallow
282 (default none). bind_anon disables acceptance of anonymous bind
283 requests. Note that this setting does not prohibit anonymous
284 directory access (See "require authc"). bind_simple disables
285 simple (bind) authentication. tls_2_anon disables forcing
286 session to anonymous status (see also tls_authc) upon StartTLS
287 operation receipt. tls_authc disallows the StartTLS operation
288 if authenticated (see also tls_2_anon).
289 proxy_authz_non_critical disables acceptance of the proxied
290 authorization control (RFC4370) with criticality set to FALSE.
291 dontusecopy_non_critical disables acceptance of the dontUseCopy
292 control (a work in progress) with criticality set to FALSE.
293 ditcontentrule ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE]
295 [AUX <oids>] [MUST <oids>] [MAY <oids>] [NOT <oids>] )
296 Specify an DIT Content Rule using the LDAPv3 syntax defined in
297 RFC 4512. The slapd parser extends the RFC 4512 definition by
298 allowing string forms as well as numeric OIDs to be used for the
299 attribute OID and attribute syntax OID. (See the
300 objectidentifier description.)
301 gentlehup { on | off }
303 A SIGHUP signal will only cause a 'gentle' shutdown-attempt:
304 Slapd will stop listening for new connections, but will not
305 close the connections to the current clients. Future write
306 operations return unwilling-to-perform, though. Slapd
307 terminates when all clients have closed their connections (if
308 they ever do), or - as before - if it receives a SIGTERM signal.
309 This can be useful if you wish to terminate the server and start
310 a new slapd server with another database, without disrupting the
311 currently active clients. The default is off. You may wish to
312 use idletimeout along with this option.
313 idletimeout <integer>
315 Specify the number of seconds to wait before forcibly closing an
316 idle client connection. A setting of 0 disables this feature.
317 The default is 0. You may also want to set the writetimeout
318 option.
319 include <filename>
321 Read additional configuration information from the given file
322 before continuing with the next line of the current file.
323 index_hash64 { on | off }
325 Use a 64 bit hash for indexing. The default is to use 32 bit
326 hashes. These hashes are used for equality and substring
327 indexing. The 64 bit version may be needed to avoid index
328 collisions when the number of indexed values exceeds ~64
329 million. (Note that substring indexing generates multiple index
330 values per actual attribute value.) Indices generated with 32
331 bit hashes are incompatible with the 64 bit version, and vice
332 versa. Any existing databases must be fully reloaded when
333 changing this setting. This directive is only supported on 64
334 bit CPUs.
335 index_intlen <integer>
337 Specify the key length for ordered integer indices. The most
338 significant bytes of the binary integer will be used for index
339 keys. The default value is 4, which provides exact indexing for
340 31 bit values. A floating point representation is used to index
341 too large values.
342 index_substr_if_maxlen <integer>
344 Specify the maximum length for subinitial and subfinal indices.
345 Only this many characters of an attribute value will be
346 processed by the indexing functions; any excess characters are
347 ignored. The default is 4.
348 index_substr_if_minlen <integer>
350 Specify the minimum length for subinitial and subfinal indices.
351 An attribute value must have at least this many characters in
352 order to be processed by the indexing functions. The default is
353 2.
354 index_substr_any_len <integer>
356 Specify the length used for subany indices. An attribute value
357 must have at least this many characters in order to be
358 processed. Attribute values longer than this length will be
359 processed in segments of this length. The default is 4. The
360 subany index will also be used in subinitial and subfinal index
361 lookups when the filter string is longer than the
362 index_substr_if_maxlen value.
363 index_substr_any_step <integer>
365 Specify the steps used in subany index lookups. This value sets
366 the offset for the segments of a filter string that are
367 processed for a subany index lookup. The default is 2. For
368 example, with the default values, a search using this filter
369 "cn=*abcdefgh*" would generate index lookups for "abcd", "cdef",
370 and "efgh".
371 Note: Indexing support depends on the particular backend in use. Also,
374 changing these settings will generally require deleting any indices
375 that depend on these parameters and recreating them with slapindex(8).
376 ldapsyntax ( <oid> [DESC <description>] [X-SUBST <substitute-syntax>] )
379 Specify an LDAP syntax using the LDAPv3 syntax defined in RFC
381 4512. The slapd parser extends the RFC 4512 definition by
382 allowing string forms as well as numeric OIDs to be used for the
383 syntax OID. (See the objectidentifier description.) The slapd
384 parser also honors the X-SUBST extension (an OpenLDAP-specific
385 extension), which allows one to use the ldapsyntax statement to
386 define a non-implemented syntax along with another syntax, the
387 extension value substitute-syntax, as its temporary replacement.
388 The substitute-syntax must be defined. This allows one to
389 define attribute types that make use of non-implemented syntaxes
390 using the correct syntax OID. Unless X-SUBST is used, this
391 configuration statement would result in an error, since no
392 handlers would be associated to the resulting syntax structure.
393 listener-threads <integer>
396 Specify the number of threads to use for the connection manager.
397 The default is 1 and this is typically adequate for up to 16 CPU
398 cores. The value should be set to a power of 2.
399 localSSF <SSF>
401 Specifies the Security Strength Factor (SSF) to be given local
402 LDAP sessions, such as those to the ldapi:// listener. For a
403 description of SSF values, see sasl-secprops's minssf option
404 description. The default is 71.
405 logfile <filename>
407 Specify a file for recording slapd debug messages. By default
408 these messages only go to stderr, are not recorded anywhere
409 else, and are unrelated to messages exposed by the loglevel
410 configuration parameter. Specifying a logfile copies messages to
411 both stderr and the logfile.
412 logfile-format debug | syslog-utc | syslog-localtime
414 Specify the prefix format for messages written to the logfile.
415 The debug format is the normal format used for slapd debug
416 messages, with a timestamp in hexadecimal, followed by a thread
417 ID. The other options are to use syslog(3) style prefixes, with
418 timestamps either in UTC or in the local timezone. The default
419 is debug format.
420 logfile-only on | off
422 Specify that debug messages should only go to the configured
423 logfile, and not to stderr.
424 logfile-rotate <max> <Mbytes> <hours>
426 Specify automatic rotation for the configured logfile as the
427 maximum number of old logfiles to retain, a maximum size in
428 megabytes to allow a logfile to grow before rotation, and a
429 maximum age in hours for a logfile to be used before rotation.
430 The maximum number must be in the range 1-99. Setting Mbytes or
431 hours to zero disables the size or age check, respectively. At
432 least one of Mbytes or hours must be non-zero. By default no
433 automatic rotation will be performed.
434 loglevel <integer> [...]
436 Specify the level at which debugging statements and operation
437 statistics should be syslogged (currently logged to the
438 syslogd(8) LOG_LOCAL4 facility). They must be considered
439 subsystems rather than increasingly verbose log levels. Some
440 messages with higher priority are logged regardless of the
441 configured loglevel as soon as any logging is configured. Log
442 levels are additive, and available levels are:
443 1 (0x1 trace) trace function calls
444 2 (0x2 packets) debug packet handling
445 4 (0x4 args) heavy trace debugging (function args)
446 8 (0x8 conns) connection management
447 16 (0x10 BER) print out packets sent and received
448 32 (0x20 filter) search filter processing
449 64 (0x40 config) configuration file processing
450 128 (0x80 ACL) access control list processing
451 256 (0x100 stats) connections, LDAP operations,
452 results (recommended)
453 512 (0x200 stats2) stats2 log entries sent
454 1024 (0x400 shell) print communication with shell
455 backends
456 2048 (0x800 parse) entry parsing
457 16384 (0x4000 sync) LDAPSync replication
466 32768 (0x8000 none) only messages that get logged
467 whatever log level is set
468 The desired log level can be input as a single integer that
469 combines the (ORed) desired levels, both in decimal or in
470 hexadecimal notation, as a list of integers (that are ORed
471 internally), or as a list of the names that are shown between
472 parentheses, such that
473 loglevel 129
475 loglevel 0x81
476 loglevel 128 1
477 loglevel 0x80 0x1
478 loglevel acl trace
479 are equivalent. The keyword any can be used as a shortcut to
481 enable logging at all levels (equivalent to -1). The keyword
482 none, or the equivalent integer representation, causes those
483 messages that are logged regardless of the configured loglevel
484 to be logged. In fact, if loglevel is set to 0, no logging
485 occurs, so at least the none level is required to have high
486 priority messages logged.
487 Note that the packets, BER, and parse levels are only available
489 as debug output on stderr, and are not sent to syslog.
490 The loglevel defaults to stats. This level should usually also
492 be included when using other loglevels, to help analyze the
493 logs.
494 maxfilterdepth <integer>
496 Specify the maximum depth of nested filters in search requests.
497 The default is 1000.
498 moduleload <filename> [<arguments>...]
500 Specify the name of a dynamically loadable module to load and
501 any additional arguments if supported by the module. The
502 filename may be an absolute path name or a simple filename. Non-
503 absolute names are searched for in the directories specified by
504 the modulepath option. This option and the modulepath option are
505 only usable if slapd was compiled with --enable-modules.
506 modulepath <pathspec>
508 Specify a list of directories to search for loadable modules.
509 Typically the path is colon-separated but this depends on the
510 operating system. The default is /usr/lib64/openldap, which is
511 where the standard OpenLDAP install will place its modules.
512 objectclass ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE]
514 [SUP <oids>] [{ ABSTRACT | STRUCTURAL | AUXILIARY }]
515 [MUST <oids>] [MAY <oids>] )
516 Specify an objectclass using the LDAPv3 syntax defined in RFC
517 4512. The slapd parser extends the RFC 4512 definition by
518 allowing string forms as well as numeric OIDs to be used for the
519 object class OID. (See the objectidentifier description.)
520 Object classes are "STRUCTURAL" by default.
521 objectidentifier <name> { <oid> | <name>[:<suffix>] }
523 Define a string name that equates to the given OID. The string
524 can be used in place of the numeric OID in objectclass and
525 attribute definitions. The name can also be used with a suffix
526 of the form ":xx" in which case the value "oid.xx" will be used.
527 password-hash <hash> [<hash>...]
529 This option configures one or more hashes to be used in
530 generation of user passwords stored in the userPassword
531 attribute during processing of LDAP Password Modify Extended
532 Operations (RFC 3062). The <hash> must be one of {SSHA}, {SHA},
533 {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. The default is {SSHA}.
534 {SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the
536 latter with a seed.
537 {MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter
539 with a seed.
540 {CRYPT} uses the crypt(3).
542 {CLEARTEXT} indicates that the new password should be added to
544 userPassword as clear text.
545 Note that this option does not alter the normal user
547 applications handling of userPassword during LDAP Add, Modify,
548 or other LDAP operations.
549 password-crypt-salt-format <format>
551 Specify the format of the salt passed to crypt(3) when
552 generating {CRYPT} passwords (see password-hash) during
553 processing of LDAP Password Modify Extended Operations (RFC
554 3062).
555 This string needs to be in sprintf(3) format and may include one
557 (and only one) %s conversion. This conversion will be
558 substituted with a string of random characters from
559 [A-Za-z0-9./]. For example, "%.2s" provides a two character
560 salt and "$1$%.8s" tells some versions of crypt(3) to use an MD5
561 algorithm and provides 8 random characters of salt. The default
562 is "%s", which provides 31 characters of salt.
563 pidfile <filename>
565 The (absolute) name of a file that will hold the slapd server's
566 process ID (see getpid(2)).
567 pluginlog: <filename>
569 The ( absolute ) name of a file that will contain log messages
570 from SLAPI plugins. See slapd.plugin(5) for details.
571 referral <url>
573 Specify the referral to pass back when slapd(8) cannot find a
574 local database to handle a request. If specified multiple
575 times, each url is provided.
576 require <conditions>
578 Specify a set of conditions (separated by white space) to
579 require (default none). The directive may be specified globally
580 and/or per-database; databases inherit global conditions, so
581 per-database specifications are additive. bind requires bind
582 operation prior to directory operations. LDAPv3 requires
583 session to be using LDAP version 3. authc requires
584 authentication prior to directory operations. SASL requires
585 SASL authentication prior to directory operations. strong
586 requires strong authentication prior to directory operations.
587 The strong keyword allows protected "simple" authentication as
588 well as SASL authentication. none may be used to require no
589 conditions (useful to clear out globally set conditions within a
590 particular database); it must occur first in the list of
591 conditions.
592 reverse-lookup on | off
594 Enable/disable client name unverified reverse lookup (default is
595 off if compiled with --enable-rlookups).
596 rootDSE <file>
598 Specify the name of an LDIF(5) file containing user defined
599 attributes for the root DSE. These attributes are returned in
600 addition to the attributes normally produced by slapd.
601 The root DSE is an entry with information about the server and
603 its capabilities, in operational attributes. It has the empty
604 DN, and can be read with e.g.:
605 ldapsearch -x -b "" -s base "+"
606 See RFC 4512 section 5.1 for details.
607 sasl-auxprops <plugin> [...]
609 Specify which auxprop plugins to use for authentication lookups.
610 The default is empty, which just uses slapd's internal support.
611 Usually no other auxprop plugins are needed.
612 sasl-auxprops-dontusecopy <attr> [...]
614 Specify which attribute(s) should be subject to the don't use
615 copy control. This is necessary for some SASL mechanisms such as
616 OTP to work in a replicated environment. The attribute
617 "cmusaslsecretOTP" is the default value.
618 sasl-auxprops-dontusecopy-ignore on | off
620 Used to disable replication of the attribute(s) defined by sasl-
621 auxprops-dontusecopy and instead use a local value for the
622 attribute. This allows the SASL mechanism to continue to work if
623 the provider is offline. This can cause replication
624 inconsistency. Defaults to off.
625 sasl-host <fqdn>
627 Used to specify the fully qualified domain name used for SASL
628 processing.
629 sasl-realm <realm>
631 Specify SASL realm. Default is empty.
632 sasl-cbinding none | tls-unique | tls-endpoint
634 Specify the channel-binding type, see also
635 LDAP_OPT_X_SASL_CBINDING. Default is none.
636 sasl-secprops <properties>
638 Used to specify Cyrus SASL security properties. The none flag
639 (without any other properties) causes the flag properties
640 default, "noanonymous,noplain", to be cleared. The noplain flag
641 disables mechanisms susceptible to simple passive attacks. The
642 noactive flag disables mechanisms susceptible to active attacks.
643 The nodict flag disables mechanisms susceptible to passive
644 dictionary attacks. The noanonymous flag disables mechanisms
645 which support anonymous login. The forwardsec flag require
646 forward secrecy between sessions. The passcred require
647 mechanisms which pass client credentials (and allow mechanisms
648 which can pass credentials to do so). The minssf=<factor>
649 property specifies the minimum acceptable security strength
650 factor as an integer approximate to effective key length used
651 for encryption. 0 (zero) implies no protection, 1 implies
652 integrity protection only, 128 allows RC4, Blowfish and other
653 similar ciphers, 256 will require modern ciphers. The default
654 is 0. The maxssf=<factor> property specifies the maximum
655 acceptable security strength factor as an integer (see minssf
656 description). The default is INT_MAX. The maxbufsize=<size>
657 property specifies the maximum security layer receive buffer
658 size allowed. 0 disables security layers. The default is
659 65536.
660 schemadn <dn>
662 Specify the distinguished name for the subschema subentry that
663 controls the entries on this server. The default is
664 "cn=Subschema".
665 security <factors>
667 Specify a set of security strength factors (separated by white
668 space) to require (see sasl-secprops's minssf option for a
669 description of security strength factors). The directive may be
670 specified globally and/or per-database. ssf=<n> specifies the
671 overall security strength factor. transport=<n> specifies the
672 transport security strength factor. tls=<n> specifies the TLS
673 security strength factor. sasl=<n> specifies the SASL security
674 strength factor. update_ssf=<n> specifies the overall security
675 strength factor to require for directory updates.
676 update_transport=<n> specifies the transport security strength
677 factor to require for directory updates. update_tls=<n>
678 specifies the TLS security strength factor to require for
679 directory updates. update_sasl=<n> specifies the SASL security
680 strength factor to require for directory updates.
681 simple_bind=<n> specifies the security strength factor required
682 for simple username/password authentication. Note that the
683 transport factor is measure of security provided by the
684 underlying transport, e.g. ldapi:// (and eventually IPSEC). It
685 is not normally used.
686 serverID <integer> [<URL>]
688 Specify an integer ID from 0 to 4095 for this server. The ID may
689 also be specified as a hexadecimal ID by prefixing the value
690 with "0x". Non-zero IDs are required when using multi-provider
691 replication and each provider must have a unique non-zero ID.
692 Note that this requirement also applies to separate providers
693 contributing to a glued set of databases. If the URL is
694 provided, this directive may be specified multiple times,
695 providing a complete list of participating servers and their
696 IDs. The fully qualified hostname of each server should be used
697 in the supplied URLs. The IDs are used in the "replica id" field
698 of all CSNs generated by the specified server. The default value
699 is zero, which is only valid for single provider replication.
700 Example:
701 serverID 1 ldap://ldap1.example.com
703 serverID 2 ldap://ldap2.example.com
704 sizelimit {<integer>|unlimited}
706 sizelimit size[.{soft|hard}]=<integer> [...]
708 Specify the maximum number of entries to return from a search
709 operation. The default size limit is 500. Use unlimited to
710 specify no limits. The second format allows a fine grain
711 setting of the size limits. If no special qualifiers are
712 specified, both soft and hard limits are set. Extra args can be
713 added on the same line. Additional qualifiers are available;
714 see limits for an explanation of all of the different flags.
715 sockbuf_max_incoming <integer>
717 Specify the maximum incoming LDAP PDU size for anonymous
718 sessions. The default is 262143.
719 sockbuf_max_incoming_auth <integer>
721 Specify the maximum incoming LDAP PDU size for authenticated
722 sessions. The default is 4194303.
723 sortvals <attr> [...]
725 Specify a list of multi-valued attributes whose values will
726 always be maintained in sorted order. Using this option will
727 allow Modify, Compare, and filter evaluations on these
728 attributes to be performed more efficiently. The resulting sort
729 order depends on the attributes' syntax and matching rules and
730 may not correspond to lexical order or any other recognizable
731 order.
732 tcp-buffer [listener=<URL>] [{read|write}=]<size>
734 Specify the size of the TCP buffer. A global value for both
735 read and write TCP buffers related to any listener is defined,
736 unless the listener is explicitly specified, or either the read
737 or write qualifiers are used. See tcp(7) for details. Note
738 that some OS-es implement automatic TCP buffer tuning.
739 threads <integer>
741 Specify the maximum size of the primary thread pool. The
742 default is 16; the minimum value is 2.
743 threadqueues <integer>
745 Specify the number of work queues to use for the primary thread
746 pool. The default is 1 and this is typically adequate for up to
747 8 CPU cores. The value should not exceed the number of CPUs in
748 the system.
749 timelimit {<integer>|unlimited}
751 timelimit time[.{soft|hard}]=<integer> [...]
753 Specify the maximum number of seconds (in real time) slapd will
754 spend answering a search request. The default time limit is
755 3600. Use unlimited to specify no limits. The second format
756 allows a fine grain setting of the time limits. Extra args can
757 be added on the same line. See limits for an explanation of the
758 different flags.
759 tool-threads <integer>
761 Specify the maximum number of threads to use in tool mode. This
762 should not be greater than the number of CPUs in the system.
763 The default is 1.
764 writetimeout <integer>
766 Specify the number of seconds to wait before forcibly closing a
767 connection with an outstanding write. This allows recovery from
768 various network hang conditions. A writetimeout of 0 disables
769 this feature. The default is 0.
770
772 If slapd is built with support for Transport Layer Security, there are
773 more options you can specify.
774 When using OpenSSL, if neither TLSCACertificateFile nor
776 TLSCACertificatePath is set, the system-wide default set of CA
777 certificates is used.
778 TLSCipherSuite <cipher-suite-spec>
780 Permits configuring what ciphers will be accepted and the
781 preference order. <cipher-suite-spec> should be a cipher
782 specification for the TLS library in use (OpenSSL or GnuTLS).
783 Example:
784 OpenSSL:
786 TLSCipherSuite HIGH:MEDIUM:+SSLv2
787 GnuTLS:
789 TLSCiphersuite SECURE256:!AES-128-CBC
790 To check what ciphers a given spec selects in OpenSSL, use:
792 openssl ciphers -v <cipher-suite-spec>
794 With GnuTLS the available specs can be found in the manual page
796 of gnutls-cli(1) (see the description of the option --priority).
797 In older versions of GnuTLS, where gnutls-cli does not support
799 the option --priority, you can obtain the — more limited — list
800 of ciphers by calling:
801 gnutls-cli -l
803 TLSCACertificateFile <filename>
805 Specifies the file that contains certificates for all of the
806 Certificate Authorities that slapd will recognize. The
807 certificate for the CA that signed the server certificate
808 must(GnuTLS)/may(OpenSSL) be included among these certificates.
809 If the signing CA was not a top-level (root) CA, certificates
810 for the entire sequence of CA's from the signing CA to the top-
811 level CA should be present. Multiple certificates are simply
812 appended to the file; the order is not significant.
813 TLSCACertificatePath <path>
815 Specifies the path of directories that contain Certificate
816 Authority certificates in separate individual files. Usually
817 only one of this or the TLSCACertificateFile is used. If both
818 are specified, both locations will be used. Multiple directories
819 may be specified, separated by a semi-colon.
820 TLSCertificateFile <filename>
822 Specifies the file that contains the slapd server certificate.
823 When using OpenSSL that file may also contain any number of
825 intermediate certificates after the server certificate.
826 TLSCertificateKeyFile <filename>
828 Specifies the file that contains the slapd server private key
829 that matches the certificate stored in the TLSCertificateFile
830 file. Currently, the private key must not be protected with a
831 password, so it is of critical importance that it is protected
832 carefully.
833 TLSDHParamFile <filename>
835 This directive specifies the file that contains parameters for
836 Diffie-Hellman ephemeral key exchange. This is required in
837 order to use a DSA certificate on the server, or an RSA
838 certificate missing the "key encipherment" key usage. Note that
839 setting this option may also enable Anonymous Diffie-Hellman key
840 exchanges in certain non-default cipher suites. Anonymous key
841 exchanges should generally be avoided since they provide no
842 actual client or server authentication and provide no protection
843 against man-in-the-middle attacks. You should append "!ADH" to
844 your cipher suites to ensure that these suites are not used.
845 TLSECName <name>
847 Specify the name of the curve(s) to use for Elliptic curve
848 Diffie-Hellman ephemeral key exchange. This option is only used
849 for OpenSSL. This option is not used with GnuTLS; the curves
850 may be chosen in the GnuTLS ciphersuite specification.
851 TLSProtocolMin <major>[.<minor>]
853 Specifies minimum SSL/TLS protocol version that will be
854 negotiated. If the server doesn't support at least that
855 version, the SSL handshake will fail. To require TLS 1.x or
856 higher, set this option to 3.(x+1), e.g.,
857 TLSProtocolMin 3.2
859 would require TLS 1.1. Specifying a minimum that is higher than
861 that supported by the OpenLDAP implementation will result in it
862 requiring the highest level that it does support. This
863 directive is ignored with GnuTLS.
864 TLSRandFile <filename>
866 Specifies the file to obtain random bits from when
867 /dev/[u]random is not available. Generally set to the name of
868 the EGD/PRNGD socket. The environment variable RANDFILE can
869 also be used to specify the filename. This directive is ignored
870 with GnuTLS.
871 TLSVerifyClient <level>
873 Specifies what checks to perform on client certificates in an
874 incoming TLS session, if any. The <level> can be specified as
875 one of the following keywords:
876 never This is the default. slapd will not ask the client for a
878 certificate.
879 allow The client certificate is requested. If no certificate
881 is provided, the session proceeds normally. If a bad
882 certificate is provided, it will be ignored and the
883 session proceeds normally.
884 try The client certificate is requested. If no certificate
886 is provided, the session proceeds normally. If a bad
887 certificate is provided, the session is immediately
888 terminated.
889 demand | hard | true
891 These keywords are all equivalent, for compatibility
892 reasons. The client certificate is requested. If no
893 certificate is provided, or a bad certificate is
894 provided, the session is immediately terminated.
895 Note that a valid client certificate is required in order
897 to use the SASL EXTERNAL authentication mechanism with a
898 TLS session. As such, a non-default TLSVerifyClient
899 setting must be chosen to enable SASL EXTERNAL
900 authentication.
901 TLSCRLCheck <level>
903 Specifies if the Certificate Revocation List (CRL) of the CA
904 should be used to verify if the client certificates have not
905 been revoked. This requires TLSCACertificatePath parameter to be
906 set. This directive is ignored with GnuTLS. <level> can be
907 specified as one of the following keywords:
908 none No CRL checks are performed
910 peer Check the CRL of the peer certificate
912 all Check the CRL for a whole certificate chain
914 TLSCRLFile <filename>
916 Specifies a file containing a Certificate Revocation List to be
917 used for verifying that certificates have not been revoked. This
918 directive is only valid when using GnuTLS.
919
921 Options in this section only apply to the configuration file section of
922 all instances of the specified backend. All backends may support this
923 class of options, but currently only back-mdb does.
924 backend <databasetype>
926 Mark the beginning of a backend definition. <databasetype>
927 should be one of asyncmeta, config, dnssrv, ldap, ldif, mdb,
928 meta, monitor, null, passwd, perl, relay, sock, sql, or wt. At
929 present, only back-mdb implements any options of this type, so
930 this setting is not needed for any other backends.
931
934 Options in this section only apply to the configuration file section
935 for the database in which they are defined. They are supported by
936 every type of backend. Note that the database and at least one suffix
937 option are mandatory for each database.
938 database <databasetype>
940 Mark the beginning of a new database instance definition.
941 <databasetype> should be one of asyncmeta, config, dnssrv, ldap,
942 ldif, mdb, meta, monitor, null, passwd, perl, relay, sock, sql,
943 or wt, depending on which backend will serve the database.
944 LDAP operations, even subtree searches, normally access only one
946 database. That can be changed by gluing databases together with
947 the subordinate keyword. Access controls and some overlays can
948 also involve multiple databases.
949 add_content_acl on | off
951 Controls whether Add operations will perform ACL checks on the
952 content of the entry being added. This check is off by default.
953 See the slapd.access(5) manual page for more details on ACL
954 requirements for Add operations.
955 extra_attrs <attrlist>
957 Lists what attributes need to be added to search requests.
958 Local storage backends return the entire entry to the frontend.
959 The frontend takes care of only returning the requested
960 attributes that are allowed by ACLs. However, features like
961 access checking and so may need specific attributes that are not
962 automatically returned by remote storage backends, like proxy
963 backends and so on. <attrlist> is a list of attributes that are
964 needed for internal purposes and thus always need to be
965 collected, even when not explicitly requested by clients.
966 hidden on | off
968 Controls whether the database will be used to answer queries. A
969 database that is hidden will never be selected to answer any
970 queries, and any suffix configured on the database will be
971 ignored in checks for conflicts with other databases. By
972 default, hidden is off.
973 lastmod on | off
975 Controls whether slapd will automatically maintain the
976 modifiersName, modifyTimestamp, creatorsName, and
977 createTimestamp attributes for entries. It also controls the
978 entryCSN and entryUUID attributes, which are needed by the
979 syncrepl provider. By default, lastmod is on.
980 lastbind on | off
982 Controls whether slapd will automatically maintain the
983 pwdLastSuccess attribute for entries. By default, lastbind is
984 off.
985 lastbind-precision <integer>
987 If lastbind is enabled, specifies how frequently pwdLastSuccess
988 will be updated. More than integer seconds must have passed
989 since the last successful bind. In a replicated environment with
990 frequent bind activity it may be useful to set this to a large
991 value.
992 limits <selector> <limit> [<limit> [...]]
994 Specify time and size limits based on the operation's initiator
995 or base DN. The argument <selector> can be any of
996 anonymous | users | [<dnspec>=]<pattern> |
998 group[/oc[/at]]=<pattern>
999 with
1001 <dnspec> ::= dn[.<type>][.<style>]
1003 <type> ::= self | this
1005 <style> ::= exact | base | onelevel | subtree | children
1007 | regex | anonymous
1008 DN type self is the default and means the bound user, while this
1010 means the base DN of the operation. The term anonymous matches
1011 all unauthenticated clients. The term users matches all
1012 authenticated clients; otherwise an exact dn pattern is assumed
1013 unless otherwise specified by qualifying the (optional) key
1014 string dn with exact or base (which are synonyms), to require an
1015 exact match; with onelevel, to require exactly one level of
1016 depth match; with subtree, to allow any level of depth match,
1017 including the exact match; with children, to allow any level of
1018 depth match, not including the exact match; regex explicitly
1019 requires the (default) match based on POSIX (''extended'')
1020 regular expression pattern. Finally, anonymous matches unbound
1021 operations; the pattern field is ignored. The same behavior is
1022 obtained by using the anonymous form of the <selector> clause.
1023 The term group, with the optional objectClass oc and
1024 attributeType at fields, followed by pattern, sets the limits
1025 for any DN listed in the values of the at attribute (default
1026 member) of the oc group objectClass (default groupOfNames) whose
1027 DN exactly matches pattern.
1028 The currently supported limits are size and time.
1030 The syntax for time limits is time[.{soft|hard}]=<integer>,
1032 where integer is the number of seconds slapd will spend
1033 answering a search request. If no time limit is explicitly
1034 requested by the client, the soft limit is used; if the
1035 requested time limit exceeds the hard limit, the value of the
1036 limit is used instead. If the hard limit is set to the keyword
1037 soft, the soft limit is used in either case; if it is set to the
1038 keyword unlimited, no hard limit is enforced. Explicit requests
1039 for time limits smaller or equal to the hard limit are honored.
1040 If no limit specifier is set, the value is assigned to the soft
1041 limit, and the hard limit is set to soft, to preserve the
1042 original behavior.
1043 The syntax for size limits is
1045 size[.{soft|hard|unchecked}]=<integer>, where integer is the
1046 maximum number of entries slapd will return answering a search
1047 request. If no size limit is explicitly requested by the
1048 client, the soft limit is used; if the requested size limit
1049 exceeds the hard limit, the value of the limit is used instead.
1050 If the hard limit is set to the keyword soft, the soft limit is
1051 used in either case; if it is set to the keyword unlimited, no
1052 hard limit is enforced. Explicit requests for size limits
1053 smaller or equal to the hard limit are honored. The unchecked
1054 specifier sets a limit on the number of candidates a search
1055 request is allowed to examine. The rationale behind it is that
1056 searches for non-properly indexed attributes may result in large
1057 sets of candidates, which must be examined by slapd(8) to
1058 determine whether they match the search filter or not. The
1059 unchecked limit provides a means to drop such operations before
1060 they are even started. If the selected candidates exceed the
1061 unchecked limit, the search will abort with Unwilling to
1062 perform. If it is set to the keyword unlimited, no limit is
1063 applied (the default). If it is set to disabled, the search is
1064 not even performed; this can be used to disallow searches for a
1065 specific set of users. If no limit specifier is set, the value
1066 is assigned to the soft limit, and the hard limit is set to
1067 soft, to preserve the original behavior.
1068 In case of no match, the global limits are used. The default
1070 values are the same as for sizelimit and timelimit; no limit is
1071 set on unchecked.
1072 If pagedResults control is requested, the hard size limit is
1074 used by default, because the request of a specific page size is
1075 considered an explicit request for a limitation on the number of
1076 entries to be returned. However, the size limit applies to the
1077 total count of entries returned within the search, and not to a
1078 single page. Additional size limits may be enforced; the syntax
1079 is size.pr={<integer>|noEstimate|unlimited}, where integer is
1080 the max page size if no explicit limit is set; the keyword
1081 noEstimate inhibits the server from returning an estimate of the
1082 total number of entries that might be returned (note: the
1083 current implementation does not return any estimate). The
1084 keyword unlimited indicates that no limit is applied to the
1085 pagedResults control page size. The syntax
1086 size.prtotal={<integer>|hard|unlimited|disabled} allows one to
1087 set a limit on the total number of entries that the pagedResults
1088 control will return. By default it is set to the hard limit
1089 which will use the size.hard value. When set, integer is the
1090 max number of entries that the whole search with pagedResults
1091 control can return. Use unlimited to allow unlimited number of
1092 entries to be returned, e.g. to allow the use of the
1093 pagedResults control as a means to circumvent size limitations
1094 on regular searches; the keyword disabled disables the control,
1095 i.e. no paged results can be returned. Note that the total
1096 number of entries returned when the pagedResults control is
1097 requested cannot exceed the hard size limit of regular searches
1098 unless extended by the prtotal switch.
1099 The limits statement is typically used to let an unlimited
1101 number of entries be returned by searches performed with the
1102 identity used by the consumer for synchronization purposes by
1103 means of the RFC 4533 LDAP Content Synchronization protocol (see
1104 syncrepl for details).
1105 When using subordinate databases, it is necessary for any limits
1107 that are to be applied across the parent and its subordinates to
1108 be defined in both the parent and its subordinates. Otherwise
1109 the settings on the subordinate databases are not honored.
1110 maxderefdepth <depth>
1112 Specifies the maximum number of aliases to dereference when
1113 trying to resolve an entry, used to avoid infinite alias loops.
1114 The default is 15.
1115 multiprovider on | off
1117 This option puts a consumer database into Multi-Provider mode.
1118 Update operations will be accepted from any user, not just the
1119 updatedn. The database must already be configured as a syncrepl
1120 consumer before this keyword may be set. This mode also requires
1121 a serverID (see above) to be configured. By default,
1122 multiprovider is off.
1123 monitoring on | off
1125 This option enables database-specific monitoring in the entry
1126 related to the current database in the "cn=Databases,cn=Monitor"
1127 subtree of the monitor database, if the monitor database is
1128 enabled. Currently, only the MDB database provides database-
1129 specific monitoring. If monitoring is supported by the backend
1130 it defaults to on, otherwise off.
1131 overlay <overlay-name>
1133 Add the specified overlay to this database. An overlay is a
1134 piece of code that intercepts database operations in order to
1135 extend or change them. Overlays are pushed onto a stack over the
1136 database, and so they will execute in the reverse of the order
1137 in which they were configured and the database itself will
1138 receive control last of all. See the slapd.overlays(5) manual
1139 page for an overview of the available overlays. Note that all
1140 of the database's regular settings should be configured before
1141 any overlay settings.
1142 readonly on | off
1144 This option puts the database into "read-only" mode. Any
1145 attempts to modify the database will return an "unwilling to
1146 perform" error. By default, readonly is off.
1147 restrict <oplist>
1149 Specify a whitespace separated list of operations that are
1150 restricted. If defined inside a database specification,
1151 restrictions apply only to that database, otherwise they are
1152 global. Operations can be any of add, bind, compare, delete,
1153 extended[=<OID>], modify, rename, search, or the special pseudo-
1154 operations read and write, which respectively summarize read and
1155 write operations. The use of restrict write is equivalent to
1156 readonly on (see above). The extended keyword allows one to
1157 indicate the OID of the specific operation to be restricted.
1158 rootdn <dn>
1160 Specify the distinguished name that is not subject to access
1161 control or administrative limit restrictions for operations on
1162 this database. This DN may or may not be associated with an
1163 entry. An empty root DN (the default) specifies no root access
1164 is to be granted. It is recommended that the rootdn only be
1165 specified when needed (such as when initially populating a
1166 database). If the rootdn is within a namingContext (suffix) of
1167 the database, a simple bind password may also be provided using
1168 the rootpw directive. Many optional features, including
1169 syncrepl, require the rootdn to be defined for the database.
1170 rootpw <password>
1172 Specify a password (or hash of the password) for the rootdn.
1173 The password can only be set if the rootdn is within the
1174 namingContext (suffix) of the database. This option accepts all
1175 RFC 2307 userPassword formats known to the server (see
1176 password-hash description) as well as cleartext. slappasswd(8)
1177 may be used to generate a hash of a password. Cleartext and
1178 {CRYPT} passwords are not recommended. If empty (the default),
1179 authentication of the root DN is by other means (e.g. SASL).
1180 Use of SASL is encouraged.
1181 suffix <dn suffix>
1183 Specify the DN suffix of queries that will be passed to this
1184 backend database. Multiple suffix lines can be given and at
1185 least one is required for each database definition.
1186 If the suffix of one database is "inside" that of another, the
1188 database with the inner suffix must come first in the
1189 configuration file. You may also want to glue such databases
1190 together with the subordinate keyword.
1191 subordinate [advertise]
1193 Specify that the current backend database is a subordinate of
1194 another backend database. A subordinate database may have only
1195 one suffix. This option may be used to glue multiple databases
1196 into a single namingContext. If the suffix of the current
1197 database is within the namingContext of a superior database,
1198 searches against the superior database will be propagated to the
1199 subordinate as well. All of the databases associated with a
1200 single namingContext should have identical rootdns. Behavior of
1201 other LDAP operations is unaffected by this setting. In
1202 particular, it is not possible to use moddn to move an entry
1203 from one subordinate to another subordinate within the
1204 namingContext.
1205 If the optional advertise flag is supplied, the naming context
1207 of this database is advertised in the root DSE. The default is
1208 to hide this database context, so that only the superior context
1209 is visible.
1210 If the slap tools slapcat(8), slapadd(8), slapmodify(8), or
1212 slapindex(8) are used on the superior database, any glued
1213 subordinates that support these tools are opened as well.
1214 Databases that are glued together should usually be configured
1216 with the same indices (assuming they support indexing), even for
1217 attributes that only exist in some of these databases. In
1218 general, all of the glued databases should be configured as
1219 similarly as possible, since the intent is to provide the
1220 appearance of a single directory.
1221 Note that the subordinate functionality is implemented
1223 internally by the glue overlay and as such its behavior will
1224 interact with other overlays in use. By default, the glue
1225 overlay is automatically configured as the last overlay on the
1226 superior backend. Its position on the backend can be explicitly
1227 configured by setting an overlay glue directive at the desired
1228 position. This explicit configuration is necessary e.g. when
1229 using the syncprov overlay, which needs to follow glue in order
1230 to work over all of the glued databases. E.g.
1231 database mdb
1232 suffix dc=example,dc=com
1233 ...
1234 overlay glue
1235 overlay syncprov
1236 sync_use_subentry
1238 Store the syncrepl contextCSN in a subentry instead of the
1239 context entry of the database. The subentry's RDN will be
1240 "cn=ldapsync". By default the contextCSN is stored in the
1241 context entry.
1242 syncrepl rid=<replica ID> provider=ldap[s]://<hostname>[:port]
1244 searchbase=<base DN> [type=refreshOnly|refreshAndPersist]
1245 [interval=dd:hh:mm:ss] [retry=[<retry interval> <# of
1246 retries>]+] [filter=<filter str>] [scope=sub|one|base|subord]
1247 [attrs=<attr list>] [exattrs=<attr list>] [attrsonly]
1248 [sizelimit=<limit>] [timelimit=<limit>] [schemachecking=on|off]
1249 [network-timeout=<seconds>] [timeout=<seconds>]
1250 [tcp-user-timeout=<milliseconds>] [bindmethod=simple|sasl]
1251 [binddn=<dn>] [saslmech=<mech>] [authcid=<identity>]
1252 [authzid=<identity>] [credentials=<passwd>] [realm=<realm>]
1253 [secprops=<properties>] [keepalive=<idle>:<probes>:<interval>]
1254 [starttls=yes|critical] [tls_cert=<file>] [tls_key=<file>]
1255 [tls_cacert=<file>] [tls_cacertdir=<path>]
1256 [tls_reqcert=never|allow|try|demand]
1257 [tls_reqsan=never|allow|try|demand] [tls_cipher_suite=<ciphers>]
1258 [tls_ecname=<names>] [tls_crlcheck=none|peer|all]
1259 [tls_protocol_min=<major>[.<minor>]] [suffixmassage=<real DN>]
1260 [logbase=<base DN>] [logfilter=<filter str>]
1261 [syncdata=default|accesslog|changelog] [lazycommit]
1262 Specify the current database as a consumer which is kept up-to-
1263 date with the provider content by establishing the current
1264 slapd(8) as a replication consumer site running a syncrepl
1265 replication engine. The consumer content is kept synchronized
1266 to the provider content using the LDAP Content Synchronization
1267 protocol. Refer to the "OpenLDAP Administrator's Guide" for
1268 detailed information on setting up a replicated slapd directory
1269 service using the syncrepl replication engine.
1270 rid identifies the current syncrepl directive within the
1272 replication consumer site. It is a non-negative integer not
1273 greater than 999 (limited to three decimal digits).
1274 provider specifies the replication provider site containing the
1276 provider content as an LDAP URI. If <port> is not given, the
1277 standard LDAP port number (389 or 636) is used.
1278 The content of the syncrepl consumer is defined using a search
1280 specification as its result set. The consumer slapd will send
1281 search requests to the provider slapd according to the search
1282 specification. The search specification includes searchbase,
1283 scope, filter, attrs, attrsonly, sizelimit, and timelimit
1284 parameters as in the normal search specification. The exattrs
1285 option may also be used to specify attributes that should be
1286 omitted from incoming entries. The scope defaults to sub, the
1287 filter defaults to (objectclass=*), and there is no default
1288 searchbase. The attrs list defaults to "*,+" to return all user
1289 and operational attributes, and attrsonly and exattrs are unset
1290 by default. The sizelimit and timelimit only accept "unlimited"
1291 and positive integers, and both default to "unlimited". The
1292 sizelimit and timelimit parameters define a consumer requested
1293 limitation on the number of entries that can be returned by the
1294 LDAP Content Synchronization operation; these should be left
1295 unchanged from the default otherwise replication may never
1296 succeed. Note, however, that any provider-side limits for the
1297 replication identity will be enforced by the provider regardless
1298 of the limits requested by the LDAP Content Synchronization
1299 operation, much like for any other search operation.
1300 The LDAP Content Synchronization protocol has two operation
1302 types. In the refreshOnly operation, the next synchronization
1303 search operation is periodically rescheduled at an interval time
1304 (specified by interval parameter; 1 day by default) after each
1305 synchronization operation finishes. In the refreshAndPersist
1306 operation, a synchronization search remains persistent in the
1307 provider slapd. Further updates to the provider will generate
1308 searchResultEntry to the consumer slapd as the search responses
1309 to the persistent synchronization search. If the initial search
1310 fails due to an error, the next synchronization search operation
1311 is periodically rescheduled at an interval time (specified by
1312 interval parameter; 1 day by default)
1313 If an error occurs during replication, the consumer will attempt
1315 to reconnect according to the retry parameter which is a list of
1316 the <retry interval> and <# of retries> pairs. For example,
1317 retry="60 10 300 3" lets the consumer retry every 60 seconds for
1318 the first 10 times and then retry every 300 seconds for the next
1319 3 times before stop retrying. The `+' in <# of retries> means
1320 indefinite number of retries until success. If no retry is
1321 specified, by default syncrepl retries every hour forever.
1322 The schema checking can be enforced at the LDAP Sync consumer
1324 site by turning on the schemachecking parameter. The default is
1325 off. Schema checking on means that replicated entries must have
1326 a structural objectClass, must obey to objectClass requirements
1327 in terms of required/allowed attributes, and that naming
1328 attributes and distinguished values must be present. As a
1329 consequence, schema checking should be off when partial
1330 replication is used.
1331 The network-timeout parameter sets how long the consumer will
1333 wait to establish a network connection to the provider. Once a
1334 connection is established, the timeout parameter determines how
1335 long the consumer will wait for the initial Bind request to
1336 complete. The defaults for these parameters come from
1337 ldap.conf(5). The tcp-user-timeout parameter, if non-zero,
1338 corresponds to the TCP_USER_TIMEOUT set on the target
1339 connections, overriding the operating system setting. Only some
1340 systems support the customization of this parameter, it is
1341 ignored otherwise and system-wide settings are used.
1342 A bindmethod of simple requires the options binddn and
1344 credentials and should only be used when adequate security
1345 services (e.g. TLS or IPSEC) are in place. REMEMBER: simple
1346 bind credentials must be in cleartext! A bindmethod of sasl
1347 requires the option saslmech. Depending on the mechanism, an
1348 authentication identity and/or credentials can be specified
1349 using authcid and credentials. The authzid parameter may be
1350 used to specify an authorization identity. Specific security
1351 properties (as with the sasl-secprops keyword above) for a SASL
1352 bind can be set with the secprops option. A non default SASL
1353 realm can be set with the realm option. The identity used for
1354 synchronization by the consumer should be allowed to receive an
1355 unlimited number of entries in response to a search request.
1356 The provider, other than allowing authentication of the syncrepl
1357 identity, should grant that identity appropriate access
1358 privileges to the data that is being replicated (access
1359 directive), and appropriate time and size limits. This can be
1360 accomplished by either allowing unlimited sizelimit and
1361 timelimit, or by setting an appropriate limits statement in the
1362 consumer's configuration (see sizelimit and limits for details).
1363 The keepalive parameter sets the values of idle, probes, and
1365 interval used to check whether a socket is alive; idle is the
1366 number of seconds a connection needs to remain idle before TCP
1367 starts sending keepalive probes; probes is the maximum number of
1368 keepalive probes TCP should send before dropping the connection;
1369 interval is interval in seconds between individual keepalive
1370 probes. Only some systems support the customization of these
1371 values; the keepalive parameter is ignored otherwise, and
1372 system-wide settings are used.
1373 The starttls parameter specifies use of the StartTLS extended
1375 operation to establish a TLS session before Binding to the
1376 provider. If the critical argument is supplied, the session will
1377 be aborted if the StartTLS request fails. Otherwise the syncrepl
1378 session continues without TLS. The tls_reqcert setting defaults
1379 to "demand", the tls_reqsan setting defaults to "allow", and the
1380 other TLS settings default to the same as the main slapd TLS
1381 settings.
1382 The suffixmassage parameter allows the consumer to pull entries
1384 from a remote directory whose DN suffix differs from the local
1385 directory. The portion of the remote entries' DNs that matches
1386 the searchbase will be replaced with the suffixmassage DN.
1387 Rather than replicating whole entries, the consumer can query
1389 logs of data modifications. This mode of operation is referred
1390 to as delta syncrepl. In addition to the above parameters, the
1391 logbase and logfilter parameters must be set appropriately for
1392 the log that will be used. The syncdata parameter must be set to
1393 either "accesslog" if the log conforms to the slapo-accesslog(5)
1394 log format, or "changelog" if the log conforms to the obsolete
1395 changelog format. If the syncdata parameter is omitted or set to
1396 "default" then the log parameters are ignored.
1397 The lazycommit parameter tells the underlying database that it
1399 can store changes without performing a full flush after each
1400 change. This may improve performance for the consumer, while
1401 sacrificing safety or durability.
1402 updatedn <dn>
1404 This option is only applicable in a replica database. It
1405 specifies the DN permitted to update (subject to access
1406 controls) the replica. It is only needed in certain push-mode
1407 replication scenarios. Generally, this DN should not be the
1408 same as the rootdn used at the provider.
1409 updateref <url>
1411 Specify the referral to pass back when slapd(8) is asked to
1412 modify a replicated local database. If specified multiple
1413 times, each url is provided.
1414
1417 Each database may allow specific configuration options; they are
1418 documented separately in the backends' manual pages. See the
1419 slapd.backends(5) manual page for an overview of available backends.
1420
1422 Here is a short example of a configuration file:
1423 include /etc/openldap/schema/core.schema
1425 pidfile /var/run/slapd.pid
1426 # Subtypes of "name" (e.g. "cn" and "ou") with the
1428 # option ";x-hidden" can be searched for/compared,
1429 # but are not shown. See slapd.access(5).
1430 attributeoptions x-hidden lang-
1431 access to attrs=name;x-hidden by * =cs
1432 # Protect passwords. See slapd.access(5).
1434 access to attrs=userPassword by * auth
1435 # Read access to other attributes and entries.
1436 access to * by * read
1437 database mdb
1439 suffix "dc=our-domain,dc=com"
1440 # The database directory MUST exist prior to
1441 # running slapd AND should only be accessible
1442 # by the slapd/tools. Mode 0700 recommended.
1443 directory /var/openldap-data
1444 # Indices to maintain
1445 index objectClass eq
1446 index cn,sn,mail pres,eq,approx,sub
1447 # We serve small clients that do not handle referrals,
1449 # so handle remote lookups on their behalf.
1450 database ldap
1451 suffix ""
1452 uri ldap://ldap.some-server.com/
1453 lastmod off
1454 "OpenLDAP Administrator's Guide" contains a longer annotated example of
1456 a configuration file. The original /etc/openldap/slapd.conf is another
1457 example.
1458
1460 /etc/openldap/slapd.conf
1461 default slapd configuration file
1462
1464 ldap(3), gnutls-cli(1), slapd-config(5), slapd.access(5),
1465 slapd.backends(5), slapd.overlays(5), slapd.plugin(5), slapd(8),
1466 slapacl(8), slapadd(8), slapauth(8), slapcat(8), slapdn(8),
1467 slapindex(8), slapmodify(8), slappasswd(8), slaptest(8).
1468 "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
1470
1472 OpenLDAP Software is developed and maintained by The OpenLDAP Project
1473 <http://www.openldap.org/>. OpenLDAP Software is derived from the
1474 University of Michigan LDAP 3.3 Release.
1475OpenLDAP 2.6.3 2022/07/14 SLAPD.CONF(5)