SLAPD.CONF(5)                 File Formats Manual                SLAPD.CONF(5)

NAME

       slapd.conf - configuration file for slapd, the stand-alone LDAP daemon

SYNOPSIS

       /etc/openldap/slapd.conf

DESCRIPTION

       The file /etc/openldap/slapd.conf contains configuration information
       for the slapd(8) daemon.  This configuration file is also used by the
       SLAPD tools slapacl(8), slapadd(8), slapauth(8), slapcat(8), slapdn(8),
       slapindex(8), slapmodify(8), and slaptest(8).

       The slapd.conf file consists of a series of global configuration
       options that apply to slapd as a whole (including all backends),
       followed by zero or more database backend definitions that contain
       information specific to a backend instance.  The configuration options
       are case-insensitive; their values, on a case-by-case basis, may be
       case-sensitive.

       The general format of slapd.conf is as follows:

           # comment - these options apply to every database
           <global configuration options>
           # first database definition & configuration options
           database <backend 1 type>
           <configuration options specific to backend 1>
           # subsequent database definitions & configuration options
           ...

       As many backend-specific sections as desired may be included.  Global
       options can be overridden in a backend (for options that appear more
       than once, the last appearance in the slapd.conf file is used).

       If a line begins with white space, it is considered a continuation of
       the previous line.  No physical line should be over 2000 bytes long.

       Blank lines and comment lines beginning with a `#' character are
       ignored.  Note: continuation lines are unwrapped before comment
       processing is applied.

       Arguments on configuration lines are separated by white space.  If an
       argument contains white space, the argument should be enclosed in
       double quotes.  If an argument contains a double quote (`"') or a
       backslash character (`\'), the character should be preceded by a
       backslash character.

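       The line rules above (continuation lines unwrapped before comment
       handling, white-space separated arguments, double quotes, backslash
       escapes, the 2000-byte physical line limit) as a small parser.  This is
       an added example, not OpenLDAP's own parser; the sample configuration it
       reads is constructed for the example.

```python
MAX_PHYSICAL_LINE = 2000   # bytes; the limit stated above for one physical line


def unwrap_lines(text):
    """Join each line that begins with white space onto the previous line.
    This happens before comment handling, so an indented line that follows
    a '#' line becomes part of that comment and is dropped with it."""
    logical = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if len(raw.encode("utf-8")) > MAX_PHYSICAL_LINE:
            raise ValueError(f"line {lineno} exceeds {MAX_PHYSICAL_LINE} bytes")
        if raw[:1] in (" ", "\t") and logical:
            logical[-1] += raw          # leading white space keeps tokens apart
        else:
            logical.append(raw)
    return logical


def split_args(line):
    """Split a logical line into arguments: white space separates them,
    double quotes protect embedded white space, and a backslash escapes the
    following character (needed for a literal '"' or '\\')."""
    args, cur, in_quote, have_token = [], [], False, False
    i = 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            have_token, i = True, i + 2
            continue
        if c == '"':
            in_quote, have_token = not in_quote, True
        elif c.isspace() and not in_quote:
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(c)
            have_token = True
        i += 1
    if in_quote:
        raise ValueError(f"unterminated double quote in: {line!r}")
    if have_token:
        args.append("".join(cur))
    return args


def parse_slapd_conf(text):
    """Return (global_options, databases).  Each option is a list of
    arguments whose first element is the lower-cased directive name; a
    'database' directive opens a new backend section."""
    global_opts, databases = [], []
    for line in unwrap_lines(text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                       # blank and comment lines are ignored
        args = split_args(line)
        directive = args[0].lower()        # directive names are case-insensitive
        if directive == "database":
            databases.append({"type": args[1] if len(args) > 1 else None,
                              "options": []})
            continue
        target = databases[-1]["options"] if databases else global_opts
        target.append([directive] + args[1:])
    return global_opts, databases


# Constructed sample (not from the man page) exercising continuation lines,
# quoting, escapes, and a comment that swallows its continuation line.
SAMPLE_CONF = r'''# global options
include /etc/openldap/schema/core.schema
access to *
        by dn.exact="cn=admin,dc=example,dc=com" write
        by * read
logfile "/var/log/slapd debug.log"
# the indented line below is unwrapped into this comment first,
   disallow bind_anon
DATABASE mdb
suffix "dc=example,dc=com"
rootdn "cn=Manager \"Admin\",dc=example,dc=com"
'''

if __name__ == "__main__":
    globals_, dbs = parse_slapd_conf(SAMPLE_CONF)
    for opt in globals_:
        print("global:", opt)
    for db in dbs:
        print("database", db["type"], db["options"])
```

       Note that the "disallow bind_anon" line never takes effect: it is
       glued to the comment line above it and discarded with it.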
       The specific configuration options available are discussed below in the
       Global Configuration Options, General Backend Options, and General
       Database Options.  Backend-specific options are discussed in the
       slapd-<backend>(5) manual pages.  Refer to the "OpenLDAP Administrator's
       Guide" for more details on the slapd configuration file.

GLOBAL CONFIGURATION OPTIONS

       Options described in this section apply to all backends, unless
       specifically overridden in a backend definition.  Arguments that should
       be replaced by actual text are shown in brackets <>.

       access to <what> [ by <who> <access> <control> ]+
              Grant access (specified by <access>) to a set of entries and/or
              attributes (specified by <what>) by one or more requestors
              (specified by <who>).  If no access controls are present, the
              default policy allows anyone and everyone to read anything but
              restricts updates to rootdn (e.g., "access to * by * read").
              The rootdn can always read and write EVERYTHING!  See
              slapd.access(5) and the "OpenLDAP Administrator's Guide" for
              details.

       allow <features>
              Specify a set of features (separated by white space) to allow
              (default none).  bind_v2 allows acceptance of LDAPv2 bind
              requests.  Note that slapd(8) does not truly implement LDAPv2
              (RFC 1777), now Historic (RFC 3494).  bind_anon_cred allows
              anonymous bind when credentials are not empty (e.g. when DN is
              empty).  bind_anon_dn allows unauthenticated (anonymous) bind
              when DN is not empty.  update_anon allows unauthenticated
              (anonymous) update operations to be processed (subject to access
              controls and other administrative limits).  proxy_authz_anon
              allows unauthenticated (anonymous) proxy authorization control
              to be processed (subject to access controls, authorization and
              other administrative limits).

       argsfile <filename>
              The (absolute) name of a file that will hold the slapd server's
              command line (program name and options).

       attributeoptions [option-name]...
              Define tagging attribute options or option tag/range prefixes.
              Options must not end with `-', prefixes must end with `-'.  The
              `lang-' prefix is predefined.  If you use the attributeoptions
              directive, `lang-' will no longer be defined and you must
              specify it explicitly if you want it defined.

              An attribute description with a tagging option is a subtype of
              that attribute description without the option.  Except for that,
              options defined this way have no special semantics.  Prefixes
              defined this way work like the `lang-' options: they define a
              prefix for tagging options starting with the prefix.  That is,
              if you define the prefix `x-foo-', you can use the option
              `x-foo-bar'.  Furthermore, in a search or compare, a prefix or
              range name (with a trailing `-') matches all options starting
              with that name, as well as the option with the range name sans
              the trailing `-'.  That is, `x-foo-bar-' matches `x-foo-bar' and
              `x-foo-bar-baz'.

              RFC 4520 reserves options beginning with `x-' for private
              experiments.  Other options should be registered with IANA, see
              RFC 4520 section 3.5.  OpenLDAP also has the `binary' option
              built in, but this is a transfer option, not a tagging option.

       attributetype ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE]
              [SUP <oid>] [EQUALITY <oid>] [ORDERING <oid>] [SUBSTR <oid>]
              [SYNTAX <oidlen>] [SINGLE-VALUE] [COLLECTIVE]
              [NO-USER-MODIFICATION] [USAGE <attributeUsage>] )
              Specify an attribute type using the LDAPv3 syntax defined in RFC
              4512.  The slapd parser extends the RFC 4512 definition by
              allowing string forms as well as numeric OIDs to be used for the
              attribute OID and attribute syntax OID.  (See the
              objectidentifier description.)

       authid-rewrite<cmd> <args>
              Used by the authentication framework to convert simple user
              names to an LDAP DN used for authorization purposes.  Its
              purpose is analogous to that of authz-regexp (see below).  The
              prefix authid- is followed by a set of rules analogous to those
              described in slapo-rwm(5) for data rewriting (replace the rwm-
              prefix with authid-).  authid-rewrite<cmd> and authz-regexp
              rules should not be intermixed.

       authz-policy <policy>
              Used to specify which rules to use for Proxy Authorization.
              Proxy authorization allows a client to authenticate to the
              server using one user's credentials, but specify a different
              identity to use for authorization and access control purposes.
              It essentially allows user A to log in as user B, using user A's
              password.  The none flag disables proxy authorization.  This is
              the default setting.  The from flag will use rules in the
              authzFrom attribute of the authorization DN.  The to flag will
              use rules in the authzTo attribute of the authentication DN.
              The any flag, an alias for the deprecated value of both, will
              allow any of the above, whatever succeeds first (checked in to,
              from sequence).  The all flag requires both authorizations to
              succeed.

              The rules are mechanisms to specify which identities are allowed
              to perform proxy authorization.  The authzFrom attribute in an
              entry specifies which other users are allowed to proxy login to
              this entry.  The authzTo attribute in an entry specifies which
              other users this user can authorize as.  Use of authzTo rules
              can be easily abused if users are allowed to write arbitrary
              values to this attribute.  In general the authzTo attribute must
              be protected with ACLs such that only privileged users can
              modify it.  The value of authzFrom and authzTo describes an
              identity or a set of identities; it can take five forms:

                     ldap:///<base>??[<scope>]?<filter>
                     dn[.<dnstyle>]:<pattern>
                     u[.<mech>[/<realm>]]:<pattern>
                     group[/objectClass[/attributeType]]:<pattern>
                     <pattern>

                     <dnstyle>:={exact|onelevel|children|subtree|regex}

              The first form is a valid LDAP URI where the <host>:<port>, the
              <attrs> and the <extensions> portions must be absent, so that
              the search occurs locally on either authzFrom or authzTo.

              The second form is a DN.  The optional dnstyle modifiers exact,
              onelevel, children, and subtree provide exact, onelevel,
              children and subtree matches, which cause <pattern> to be
              normalized according to the DN normalization rules.  The special
              dnstyle modifier regex causes the <pattern> to be treated as a
              POSIX (''extended'') regular expression, as discussed in
              regex(7) and/or re_format(7).  A pattern of * means any
              non-anonymous DN.

              The third form is a SASL id.  The optional fields <mech> and
              <realm> allow specification of a SASL mechanism, and eventually
              a SASL realm, for those mechanisms that support one.  The need
              to allow the specification of a mechanism is still debated, and
              users are strongly discouraged from relying on this possibility.

              The fourth form is a group specification.  It consists of the
              keyword group, optionally followed by the specification of the
              group objectClass and attributeType.  The objectClass defaults
              to groupOfNames.  The attributeType defaults to member.  The
              group with DN <pattern> is searched with base scope, filtered on
              the specified objectClass.  The values of the resulting
              attributeType are searched for the asserted DN.

              The fifth form is provided for backwards compatibility.  If no
              identity type is provided, i.e. only <pattern> is present, an
              exact DN is assumed; as a consequence, <pattern> is subjected to
              DN normalization.

              Since the interpretation of authzFrom and authzTo can impact
              security, users are strongly encouraged to explicitly set the
              type of identity specification that is being used.  A subset of
              these rules can be used as third arg in the authz-regexp
              statement (see below); significantly, the URI, provided it
              results in exactly one entry, and the dn.exact:<dn> forms.

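       A classifier for the five authzFrom/authzTo forms above, plus a review
       pass that flags the cases the text advises against (untyped patterns,
       rules relying on <mech>, and a DN pattern of *).  This is an added
       example, not slapd's own rule parser; the rule values it is tested
       with are constructed.

```python
import re

DNSTYLES = ("exact", "onelevel", "children", "subtree", "regex")


def classify_authz_rule(value):
    """Return (form, details) for one authzFrom/authzTo value according to
    the five forms listed above; raise ValueError on malformed values."""
    v = value.strip()
    low = v.lower()
    if low.startswith("ldap:"):
        if not low.startswith("ldap:///"):
            raise ValueError("URI form must not carry <host>:<port>: " + v)
        fields = v[len("ldap:///"):].split("?")
        base, attrs, scope, filt = (fields + [""] * 4)[:4]
        if attrs or len(fields) > 4:
            raise ValueError("URI form must have no <attrs>/<extensions>: " + v)
        return "uri", {"base": base, "scope": scope or "base", "filter": filt}
    m = re.match(r"dn(?:\.([a-z]+))?:(.*)$", v, re.I | re.S)
    if m:
        style = (m.group(1) or "exact").lower()
        if style not in DNSTYLES:
            raise ValueError("unknown dnstyle: " + style)
        return "dn", {"style": style, "pattern": m.group(2)}
    m = re.match(r"u(?:\.([^/:]+)(?:/([^:]+))?)?:(.*)$", v, re.I | re.S)
    if m:
        return "sasl", {"mech": m.group(1), "realm": m.group(2),
                        "pattern": m.group(3)}
    m = re.match(r"group(?:/([^/:]+)(?:/([^:]+))?)?:(.*)$", v, re.I | re.S)
    if m:
        return "group", {"objectClass": m.group(1) or "groupOfNames",
                         "attributeType": m.group(2) or "member",
                         "dn": m.group(3)}
    return "bare", {"pattern": v}      # fifth form: treated as dn.exact


def lint_authz_rules(values):
    """Flag values the text above advises against: untyped patterns, rules
    that rely on the SASL mechanism field, and DN patterns open to any
    non-anonymous DN.  Returns a list of (value, reason)."""
    findings = []
    for v in values:
        form, d = classify_authz_rule(v)
        if form == "bare":
            findings.append((v, "no identity type; write dn.exact:<dn> explicitly"))
        elif form == "sasl" and d["mech"]:
            findings.append((v, "reliance on the <mech> field is discouraged"))
        elif form == "dn" and d["pattern"] == "*":
            findings.append((v, "matches any non-anonymous DN"))
    return findings
```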
       authz-regexp <match> <replace>
              Used by the authentication framework to convert simple user
              names, such as those provided by the SASL subsystem, extracted
              from certificates in the case of cert-based SASL EXTERNAL, or
              provided within the RFC 4370 "proxied authorization" control, to
              an LDAP DN used for authorization purposes.  Note that the
              resulting DN need not refer to an existing entry to be
              considered valid.  When an authorization request is received
              from the SASL subsystem, the SASL USERNAME, REALM, and MECHANISM
              are taken, when available, and combined into a name of the form

                     UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth

              This name is then compared against the match POSIX
              (''extended'') regular expression, and if the match is
              successful, the name is replaced with the replace string.  If
              there are wildcard strings in the match regular expression that
              are enclosed in parentheses, e.g.

                     UID=([^,]*),CN=.*

              then the portion of the name that matched the wildcard will be
              stored in the numbered placeholder variable $1.  If there are
              other wildcard strings in parentheses, the matching strings will
              be in $2, $3, etc. up to $9.  The placeholders can then be used
              in the replace string, e.g.

                     UID=$1,OU=Accounts,DC=example,DC=com

              The replaced name can be either a DN, i.e. a string prefixed by
              "dn:", or an LDAP URI.  If the latter, the server will use the
              URI to search its own database(s) and, if the search returns
              exactly one entry, the name is replaced by the DN of that entry.
              The LDAP URI must have no hostport, attrs, or extensions
              components, but the filter is mandatory, e.g.

                     ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)

              The protocol portion of the URI must be strictly ldap.  Note
              that this search is subject to access controls.  Specifically,
              the authentication identity must have "auth" access in the
              subject.

              Multiple authz-regexp options can be given in the configuration
              file to allow for multiple matching and replacement patterns.
              The matching patterns are checked in the order they appear in
              the file, stopping at the first successful match.

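       The authz-regexp procedure above carried through in code: build the
       UID=...,CN=auth name, try the rules in order, expand $1..$9, and either
       take the result as a DN or resolve an ldap:/// URI against the local
       directory, accepting it only when exactly one entry comes back.  This is
       an added example, not slapd's implementation; the directory and the
       first rule are constructed, the second rule is the one quoted above, the
       match is case-insensitive and unanchored (an assumption), and only an
       equality filter is supported by the toy search.

```python
import re

# Constructed in-memory directory used in place of slapd's own database(s).
DIRECTORY = {
    "ou=accounts,dc=example,dc=com": {"objectclass": ["organizationalUnit"]},
    "uid=alice,ou=accounts,dc=example,dc=com": {"uid": ["alice"]},
    "uid=bob,ou=accounts,dc=example,dc=com": {"uid": ["bob"]},
    "uid=bob,ou=contractors,dc=example,dc=com": {"uid": ["bob"]},  # second 'bob'
}

URI_RE = re.compile(r"^ldap:///([^?]*)\?([^?]*)\?([^?]*)\?([^?]*)(\?.*)?$",
                    re.IGNORECASE)


def sasl_authz_name(username, realm=None, mechanism=None):
    """Build UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth."""
    parts = [f"UID={username}"]
    if mechanism:
        if realm:
            parts.append(f"CN={realm}")
        parts.append(f"CN={mechanism}")
    parts.append("CN=auth")
    return ",".join(parts)


def norm_dn(dn):
    """Minimal DN normalisation: lower-case, no space around commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def expand_placeholders(replace, match):
    """Substitute $1..$9 with the corresponding parenthesised sub-match."""
    def sub(m):
        n = int(m.group(1))
        return match.group(n) if n <= match.re.groups else ""
    return re.sub(r"\$([1-9])", sub, replace)


def local_search(base, scope, filt):
    """Search DIRECTORY; only an equality filter (attr=value) is supported."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    if not m:
        raise ValueError(f"unsupported filter: {filt}")
    attr, value = m.group(1).lower(), m.group(2).lower()
    base = norm_dn(base)
    hits = []
    for dn, attrs in DIRECTORY.items():
        scopes = {"base": dn == base,
                  "one": dn.partition(",")[2] == base,
                  "sub": dn == base or dn.endswith("," + base)}
        if scope not in scopes:
            raise ValueError(f"unknown scope: {scope}")
        if scopes[scope] and value in [x.lower() for x in attrs.get(attr, [])]:
            hits.append(dn)
    return hits


def resolve_uri(uri):
    """Map an authz URI to a DN only when exactly one entry is returned."""
    m = URI_RE.match(uri)
    if not m or m.group(2) or m.group(5):
        raise ValueError("need ldap:///<base>??<scope>?<filter>, no attrs/exts: " + uri)
    base, scope, filt = m.group(1), (m.group(3) or "base").lower(), m.group(4)
    if not filt:
        raise ValueError("filter is mandatory: " + uri)
    hits = local_search(base, scope, filt)
    return hits[0] if len(hits) == 1 else None


def map_authz_identity(rules, name):
    """Apply (match, replace) rules in order, stopping at the first match.
    Returns the normalised DN, or None when no rule maps the name."""
    for pattern, replace in rules:
        m = re.search(pattern, name, re.IGNORECASE)   # unanchored, like regexec
        if not m:
            continue
        result = expand_placeholders(replace, m)
        if result.lower().startswith("ldap:"):
            return resolve_uri(result)
        if result.lower().startswith("dn:"):
            result = result[3:]
        return norm_dn(result)
    return None


# Constructed rule set; the second rule is the one quoted in the text above.
RULES = [
    (r"UID=([^,]*),CN=example\.com,CN=GSSAPI,CN=auth",
     "ldap:///DC=example,DC=com??sub?(UID=$1)"),
    (r"UID=([^,]*),CN=.*", "UID=$1,OU=Accounts,DC=example,DC=com"),
]
```

       With these rules "bob" via GSSAPI gets no identity at all, because the
       subtree search returns two entries and the later, looser rule is never
       reached once the first rule has matched.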
       concurrency <integer>
              Specify a desired level of concurrency.  Provided to the
              underlying thread system as a hint.  The default is not to
              provide any hint.  This setting is only meaningful on some
              platforms where there is not a one-to-one correspondence between
              user threads and kernel threads.

       conn_max_pending <integer>
              Specify the maximum number of pending requests for an anonymous
              session.  If requests are submitted faster than the server can
              process them, they will be queued up to this limit.  If the
              limit is exceeded, the session is closed.  The default is 100.

       conn_max_pending_auth <integer>
              Specify the maximum number of pending requests for an
              authenticated session.  The default is 1000.

       defaultsearchbase <dn>
              Specify a default search base to use when a client submits a
              non-base search request with an empty base DN.  Base scoped
              search requests with an empty base DN are not affected.

       disallow <features>
              Specify a set of features (separated by white space) to disallow
              (default none).  bind_anon disables acceptance of anonymous bind
              requests.  Note that this setting does not prohibit anonymous
              directory access (see "require authc").  bind_simple disables
              simple (bind) authentication.  tls_2_anon disables forcing the
              session to anonymous status (see also tls_authc) upon StartTLS
              operation receipt.  tls_authc disallows the StartTLS operation
              if authenticated (see also tls_2_anon).  proxy_authz_non_critical
              disables acceptance of the proxied authorization control
              (RFC 4370) with criticality set to FALSE.
              dontusecopy_non_critical disables acceptance of the dontUseCopy
              control (a work in progress) with criticality set to FALSE.

       ditcontentrule ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE]
              [AUX <oids>] [MUST <oids>] [MAY <oids>] [NOT <oids>] )
              Specify a DIT Content Rule using the LDAPv3 syntax defined in
              RFC 4512.  The slapd parser extends the RFC 4512 definition by
              allowing string forms as well as numeric OIDs to be used for the
              attribute OID and attribute syntax OID.  (See the
              objectidentifier description.)

       gentlehup { on | off }
              A SIGHUP signal will only cause a 'gentle' shutdown-attempt:
              Slapd will stop listening for new connections, but will not
              close the connections to the current clients.  Future write
              operations return unwilling-to-perform, though.  Slapd
              terminates when all clients have closed their connections (if
              they ever do), or - as before - if it receives a SIGTERM signal.
              This can be useful if you wish to terminate the server and start
              a new slapd server with another database, without disrupting the
              currently active clients.  The default is off.  You may wish to
              use idletimeout along with this option.

       idletimeout <integer>
              Specify the number of seconds to wait before forcibly closing an
              idle client connection.  A setting of 0 disables this feature.
              The default is 0.  You may also want to set the writetimeout
              option.

       include <filename>
              Read additional configuration information from the given file
              before continuing with the next line of the current file.

       index_hash64 { on | off }
              Use a 64 bit hash for indexing.  The default is to use 32 bit
              hashes.  These hashes are used for equality and substring
              indexing.  The 64 bit version may be needed to avoid index
              collisions when the number of indexed values exceeds ~64
              million.  (Note that substring indexing generates multiple index
              values per actual attribute value.)  Indices generated with 32
              bit hashes are incompatible with the 64 bit version, and vice
              versa.  Any existing databases must be fully reloaded when
              changing this setting.  This directive is only supported on 64
              bit CPUs.

       index_intlen <integer>
              Specify the key length for ordered integer indices.  The most
              significant bytes of the binary integer will be used for index
              keys.  The default value is 4, which provides exact indexing for
              31 bit values.  A floating point representation is used to index
              values that are too large.

       index_substr_if_maxlen <integer>
              Specify the maximum length for subinitial and subfinal indices.
              Only this many characters of an attribute value will be
              processed by the indexing functions; any excess characters are
              ignored.  The default is 4.

       index_substr_if_minlen <integer>
              Specify the minimum length for subinitial and subfinal indices.
              An attribute value must have at least this many characters in
              order to be processed by the indexing functions.  The default is
              2.

       index_substr_any_len <integer>
              Specify the length used for subany indices.  An attribute value
              must have at least this many characters in order to be
              processed.  Attribute values longer than this length will be
              processed in segments of this length.  The default is 4.  The
              subany index will also be used in subinitial and subfinal index
              lookups when the filter string is longer than the
              index_substr_if_maxlen value.

       index_substr_any_step <integer>
              Specify the steps used in subany index lookups.  This value sets
              the offset for the segments of a filter string that are
              processed for a subany index lookup.  The default is 2.  For
              example, with the default values, a search using this filter
              "cn=*abcdefgh*" would generate index lookups for "abcd", "cdef",
              and "efgh".

       Note: Indexing support depends on the particular backend in use.  Also,
       changing these settings will generally require deleting any indices
       that depend on these parameters and recreating them with slapindex(8).

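       The four index_substr_* settings above, worked through for both the
       lookup side (which segments of a filter string are looked up, including
       the "cn=*abcdefgh*" case quoted above) and the index side (which keys a
       value produces before hashing).  This is an added example, not slapd's
       indexer; the index-side rule that subany keys are generated at every
       offset is an assumption of the example.

```python
# Defaults documented above.
IF_MINLEN, IF_MAXLEN, ANY_LEN, ANY_STEP = 2, 4, 4, 2


def subany_lookup_keys(s, any_len=ANY_LEN, step=ANY_STEP):
    """Segments of a filter substring used for subany lookups: one key of
    any_len characters at offsets 0, step, 2*step, ... while a full segment
    fits.  "abcdefgh" -> abcd, cdef, efgh with the defaults."""
    return [s[j:j + any_len] for j in range(0, len(s) - any_len + 1, step)]


def parse_substring_filter(filt):
    """Split 'attr=init*any1*any2*final' into (attr, initial, anys, final)."""
    attr, sep, pattern = filt.partition("=")
    if not sep or "*" not in pattern:
        raise ValueError("not a substring filter: " + filt)
    parts = pattern.split("*")
    return attr, parts[0], [p for p in parts[1:-1] if p], parts[-1]


def filter_lookup_keys(filt):
    """Index keys looked up for a substring filter under the settings above.
    Initial/final strings shorter than IF_MINLEN cannot use the index; longer
    than IF_MAXLEN, they are truncated for the subinitial/subfinal lookup and
    additionally looked up as subany keys."""
    _, initial, anys, final = parse_substring_filter(filt)
    keys = {"initial": [], "any": [], "final": []}
    if len(initial) >= IF_MINLEN:
        keys["initial"].append(initial[:IF_MAXLEN])
        if len(initial) > IF_MAXLEN:
            keys["any"] += subany_lookup_keys(initial)
    for a in anys:
        keys["any"] += subany_lookup_keys(a)    # empty when shorter than ANY_LEN
    if len(final) >= IF_MINLEN:
        keys["final"].append(final[-IF_MAXLEN:])
        if len(final) > IF_MAXLEN:
            keys["any"] += subany_lookup_keys(final)
    return keys


def index_keys(value):
    """Keys generated when an attribute value is indexed (before hashing).
    Assumption of this example: subany keys cover every offset, so that any
    step-aligned lookup segment can be found."""
    n = len(value)
    lens = range(IF_MINLEN, min(n, IF_MAXLEN) + 1)
    return {"initial": {value[:k] for k in lens},
            "final": {value[-k:] for k in lens},
            "any": {value[j:j + ANY_LEN] for j in range(0, n - ANY_LEN + 1)}}


def index_can_match(value, filt):
    """True when every key the filter looks up exists in value's index, i.e.
    the index alone would not exclude value as a candidate."""
    have, want = index_keys(value), filter_lookup_keys(filt)
    return all(set(want[k]) <= have[k] for k in want)
```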
       ldapsyntax ( <oid> [DESC <description>] [X-SUBST <substitute-syntax>] )
              Specify an LDAP syntax using the LDAPv3 syntax defined in RFC
              4512.  The slapd parser extends the RFC 4512 definition by
              allowing string forms as well as numeric OIDs to be used for the
              syntax OID.  (See the objectidentifier description.)  The slapd
              parser also honors the X-SUBST extension (an OpenLDAP-specific
              extension), which allows one to use the ldapsyntax statement to
              define a non-implemented syntax along with another syntax, the
              extension value substitute-syntax, as its temporary replacement.
              The substitute-syntax must be defined.  This allows one to
              define attribute types that make use of non-implemented syntaxes
              using the correct syntax OID.  Unless X-SUBST is used, this
              configuration statement would result in an error, since no
              handlers would be associated to the resulting syntax structure.

       listener-threads <integer>
              Specify the number of threads to use for the connection manager.
              The default is 1 and this is typically adequate for up to 16 CPU
              cores.  The value should be set to a power of 2.

       localSSF <SSF>
              Specifies the Security Strength Factor (SSF) to be given local
              LDAP sessions, such as those to the ldapi:// listener.  For a
              description of SSF values, see sasl-secprops's minssf option
              description.  The default is 71.

       logfile <filename>
              Specify a file for recording slapd debug messages.  By default
              these messages only go to stderr, are not recorded anywhere
              else, and are unrelated to messages exposed by the loglevel
              configuration parameter.  Specifying a logfile copies messages
              to both stderr and the logfile.

       logfile-format debug | syslog-utc | syslog-localtime
              Specify the prefix format for messages written to the logfile.
              The debug format is the normal format used for slapd debug
              messages, with a timestamp in hexadecimal, followed by a thread
              ID.  The other options are to use syslog(3) style prefixes, with
              timestamps either in UTC or in the local timezone.  The default
              is debug format.

       logfile-only on | off
              Specify that debug messages should only go to the configured
              logfile, and not to stderr.

       logfile-rotate <max> <Mbytes> <hours>
              Specify automatic rotation for the configured logfile as the
              maximum number of old logfiles to retain, a maximum size in
              megabytes to allow a logfile to grow before rotation, and a
              maximum age in hours for a logfile to be used before rotation.
              The maximum number must be in the range 1-99.  Setting Mbytes or
              hours to zero disables the size or age check, respectively.  At
              least one of Mbytes or hours must be non-zero.  By default no
              automatic rotation will be performed.

       loglevel <integer> [...]
              Specify the level at which debugging statements and operation
              statistics should be syslogged (currently logged to the
              syslogd(8) LOG_LOCAL4 facility).  They must be considered
              subsystems rather than increasingly verbose log levels.  Some
              messages with higher priority are logged regardless of the
              configured loglevel as soon as any logging is configured.  Log
              levels are additive, and available levels are:
                     1      (0x1 trace) trace function calls
                     2      (0x2 packets) debug packet handling
                     4      (0x4 args) heavy trace debugging (function args)
                     8      (0x8 conns) connection management
                     16     (0x10 BER) print out packets sent and received
                     32     (0x20 filter) search filter processing
                     64     (0x40 config) configuration file processing
                     128    (0x80 ACL) access control list processing
                     256    (0x100 stats) connections, LDAP operations,
                            results (recommended)
                     512    (0x200 stats2) stats2 log entries sent
                     1024   (0x400 shell) print communication with shell
                            backends
                     2048   (0x800 parse) entry parsing
                     16384  (0x4000 sync) LDAPSync replication
                     32768  (0x8000 none) only messages that get logged
                            whatever log level is set
              The desired log level can be input as a single integer that
              combines the (ORed) desired levels, both in decimal or in
              hexadecimal notation, as a list of integers (that are ORed
              internally), or as a list of the names that are shown between
              parentheses, such that

                  loglevel 129
                  loglevel 0x81
                  loglevel 128 1
                  loglevel 0x80 0x1
                  loglevel acl trace

              are equivalent.  The keyword any can be used as a shortcut to
              enable logging at all levels (equivalent to -1).  The keyword
              none, or the equivalent integer representation, causes those
              messages that are logged regardless of the configured loglevel
              to be logged.  In fact, if loglevel is set to 0, no logging
              occurs, so at least the none level is required to have high
              priority messages logged.

              Note that the packets, BER, and parse levels are only available
              as debug output on stderr, and are not sent to syslog.

              The loglevel defaults to stats.  This level should usually also
              be included when using other loglevels, to help analyze the
              logs.

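       The loglevel arithmetic above as code: the five equivalent spellings of
       129 collapse to one mask, and a review pass reports a silent loglevel 0,
       a missing stats level, and levels that never reach syslog.  This is an
       added example, not slapd's parser; only the level names listed above
       are known to it.

```python
# Level names and bit values as listed above.
LOGLEVELS = {
    "trace": 0x1, "packets": 0x2, "args": 0x4, "conns": 0x8, "ber": 0x10,
    "filter": 0x20, "config": 0x40, "acl": 0x80, "stats": 0x100,
    "stats2": 0x200, "shell": 0x400, "parse": 0x800, "sync": 0x4000,
    "none": 0x8000,
}
STDERR_ONLY = ("packets", "ber", "parse")   # never reach syslog
ANY = -1                                     # "loglevel any"


def parse_loglevel(args):
    """OR together the arguments of one loglevel directive; each may be a
    decimal or 0x-hex integer or one of the names in parentheses above."""
    mask = 0
    for tok in args:
        t = tok.lower()
        if t == "any":
            return ANY
        if t in LOGLEVELS:
            mask |= LOGLEVELS[t]
        elif t.startswith("0x"):
            mask |= int(t, 16)
        elif t.isdigit():
            mask |= int(t, 10)
        else:
            raise ValueError(f"unknown loglevel argument: {tok!r}")
    return mask


def enabled_levels(mask):
    """Names enabled by mask, in ascending bit order."""
    return [n for n in sorted(LOGLEVELS, key=LOGLEVELS.get) if mask & LOGLEVELS[n]]


def syslog_levels(mask):
    """Enabled levels that are actually sent to syslog."""
    return [n for n in enabled_levels(mask) if n not in STDERR_ONLY]


def loglevel_advisories(args):
    """Review a loglevel directive the way an operator would: is anything
    logged at all, is the stats record kept, and which requested levels
    never reach syslog.  Returns a list of messages (empty when fine)."""
    mask = parse_loglevel(args)
    if mask == 0:
        return ["loglevel 0: nothing is logged, not even high-priority messages"]
    notes = []
    if not mask & LOGLEVELS["stats"]:
        notes.append("stats (0x100) not enabled: no connection/operation record")
    lost = [n for n in enabled_levels(mask) if n in STDERR_ONLY]
    if lost:
        notes.append("only on stderr, not syslog: " + ", ".join(lost))
    return notes
```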
       maxfilterdepth <integer>
              Specify the maximum depth of nested filters in search requests.
              The default is 1000.

       moduleload <filename> [<arguments>...]
              Specify the name of a dynamically loadable module to load and
              any additional arguments if supported by the module.  The
              filename may be an absolute path name or a simple filename.
              Non-absolute names are searched for in the directories specified
              by the modulepath option.  This option and the modulepath option
              are only usable if slapd was compiled with --enable-modules.

       modulepath <pathspec>
              Specify a list of directories to search for loadable modules.
              Typically the path is colon-separated but this depends on the
              operating system.  The default is /usr/lib64/openldap, which is
              where the standard OpenLDAP install will place its modules.

       objectclass ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE]
              [SUP <oids>] [{ ABSTRACT | STRUCTURAL | AUXILIARY }]
              [MUST <oids>] [MAY <oids>] )
              Specify an objectclass using the LDAPv3 syntax defined in RFC
              4512.  The slapd parser extends the RFC 4512 definition by
              allowing string forms as well as numeric OIDs to be used for the
              object class OID.  (See the objectidentifier description.)
              Object classes are "STRUCTURAL" by default.

       objectidentifier <name> { <oid> | <name>[:<suffix>] }
              Define a string name that equates to the given OID.  The string
              can be used in place of the numeric OID in objectclass and
              attribute definitions.  The name can also be used with a suffix
              of the form ":xx" in which case the value "oid.xx" will be used.

528       password-hash <hash> [<hash>...]
529              This option  configures  one  or  more  hashes  to  be  used  in
530              generation   of   user  passwords  stored  in  the  userPassword
531              attribute during processing of  LDAP  Password  Modify  Extended
532              Operations (RFC 3062).  The <hash> must be one of {SSHA}, {SHA},
533              {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}.  The default is {SSHA}.
534
535              {SHA} and {SSHA} use  the  SHA-1  algorithm  (FIPS  160-1),  the
536              latter with a seed.
537
538              {MD5}  and  {SMD5}  use the MD5 algorithm (RFC 1321), the latter
539              with a seed.
540
541              {CRYPT} uses crypt(3).
542
543              {CLEARTEXT} indicates that the new password should be  added  to
544              userPassword as clear text.
545
546              Note that this option does not alter the way user applications
547              handle userPassword during LDAP Add, Modify, or other LDAP
548              operations.
549
550       password-crypt-salt-format <format>
551              Specify   the  format  of  the  salt  passed  to  crypt(3)  when
552              generating  {CRYPT}   passwords   (see   password-hash)   during
553              processing  of  LDAP  Password  Modify  Extended Operations (RFC
554              3062).
555
556              This string needs to be in sprintf(3) format and may include one
557              (and   only   one)  %s  conversion.   This  conversion  will  be
558              substituted  with   a   string   of   random   characters   from
559              [A-Za-z0-9./].   For  example,  "%.2s"  provides a two character
560              salt and "$1$%.8s" tells some versions of crypt(3) to use an MD5
561              algorithm and provides 8 random characters of salt.  The default
562              is "%s", which provides 31 characters of salt.
563
564       pidfile <filename>
565              The (absolute) name of a file that will hold the slapd  server's
566              process ID (see getpid(2)).
567
568       pluginlog: <filename>
569              The (absolute) name of a file that will contain  log  messages
570              from SLAPI plugins. See slapd.plugin(5) for details.
571
572       referral <url>
573              Specify the referral to pass back when slapd(8)  cannot  find  a
574              local  database  to  handle  a  request.   If specified multiple
575              times, each url is provided.
576
577       require <conditions>
578              Specify a set  of  conditions  (separated  by  white  space)  to
579              require (default none).  The directive may be specified globally
580              and/or per-database; databases  inherit  global  conditions,  so
581              per-database  specifications  are  additive.  bind requires bind
582              operation  prior  to  directory  operations.   LDAPv3   requires
583              session   to   be   using   LDAP   version  3.   authc  requires
584              authentication prior to  directory  operations.   SASL  requires
585              SASL  authentication  prior  to  directory  operations.   strong
586              requires strong authentication prior  to  directory  operations.
587              The  strong  keyword allows protected "simple" authentication as
588              well as SASL authentication.  none may be  used  to  require  no
589              conditions (useful to clear out globally set conditions within a
590              particular database);  it  must  occur  first  in  the  list  of
591              conditions.
592
593       reverse-lookup on | off
594              Enable/disable unverified reverse lookup of the client's  name
595              (default is off if compiled with --enable-rlookups).
596
597       rootDSE <file>
598              Specify the name of an  LDIF(5)  file  containing  user  defined
599              attributes  for  the root DSE.  These attributes are returned in
600              addition to the attributes normally produced by slapd.
601
602              The root DSE is an entry with information about the  server  and
603              its  capabilities,  in operational attributes.  It has the empty
604              DN, and can be read with e.g.:
605                  ldapsearch -x -b "" -s base "+"
606              See RFC 4512 section 5.1 for details.
607
608       sasl-auxprops <plugin> [...]
609              Specify which auxprop plugins to use for authentication lookups.
610              The  default is empty, which just uses slapd's internal support.
611              Usually no other auxprop plugins are needed.
612
613       sasl-auxprops-dontusecopy <attr> [...]
614              Specify which attribute(s) should be subject to  the  don't  use
615              copy control. This is necessary for some SASL mechanisms such as
616              OTP  to  work  in  a  replicated  environment.   The   attribute
617              "cmusaslsecretOTP" is the default value.
618
619       sasl-auxprops-dontusecopy-ignore on | off
620              Used to disable replication of the attribute(s) defined by sasl-
621              auxprops-dontusecopy and instead  use  a  local  value  for  the
622              attribute. This allows the SASL mechanism to continue to work if
623              the  provider   is   offline.   This   can   cause   replication
624              inconsistency. Defaults to off.
625
626       sasl-host <fqdn>
627              Used  to  specify  the fully qualified domain name used for SASL
628              processing.
629
630       sasl-realm <realm>
631              Specify SASL realm.  Default is empty.
632
633       sasl-cbinding none | tls-unique | tls-endpoint
634              Specify the channel-binding type; see also
635              LDAP_OPT_X_SASL_CBINDING.  Default is none.
636
637       sasl-secprops <properties>
638              Used  to  specify Cyrus SASL security properties.  The none flag
639              (without  any  other  properties)  causes  the  flag  properties
640              default, "noanonymous,noplain", to be cleared.  The noplain flag
641              disables mechanisms susceptible to simple passive attacks.   The
642              noactive flag disables mechanisms susceptible to active attacks.
643              The nodict  flag  disables  mechanisms  susceptible  to  passive
644              dictionary  attacks.   The  noanonymous flag disables mechanisms
645              which support anonymous login.   The  forwardsec  flag  requires
646              forward  secrecy  between  sessions.   The passcred flag requires
647              mechanisms which pass client credentials (and  allows  mechanisms
648              which  can  pass  credentials  to  do  so).  The minssf=<factor>
649              property specifies  the  minimum  acceptable  security  strength
650              factor  as  an integer approximating the effective key length used
651              for encryption.  0  (zero)  implies  no  protection,  1  implies
652              integrity  protection  only,  128 allows RC4, Blowfish and other
653              similar ciphers, 256 will require modern ciphers.   The  default
654              is  0.   The  maxssf=<factor>  property  specifies  the  maximum
655              acceptable security strength factor as an  integer  (see  minssf
656              description).   The  default  is INT_MAX.  The maxbufsize=<size>
657              property specifies the maximum  security  layer  receive  buffer
658              size  allowed.   0  disables  security  layers.   The default is
659              65536.
660
661       schemadn <dn>
662              Specify the distinguished name for the subschema  subentry  that
663              controls   the   entries   on   this  server.   The  default  is
664              "cn=Subschema".
665
666       security <factors>
667              Specify a set of security strength factors (separated  by  white
668              space)  to  require  (see  sasl-secprops's  minssf  option for a
669              description of security strength factors).  The directive may be
670              specified  globally  and/or per-database.  ssf=<n> specifies the
671              overall security strength factor.  transport=<n>  specifies  the
672              transport  security  strength factor.  tls=<n> specifies the TLS
673              security strength factor.  sasl=<n> specifies the SASL  security
674              strength  factor.  update_ssf=<n> specifies the overall security
675              strength   factor   to   require    for    directory    updates.
676              update_transport=<n>  specifies  the transport security strength
677              factor  to  require  for  directory   updates.    update_tls=<n>
678              specifies  the  TLS  security  strength  factor  to  require for
679              directory updates.  update_sasl=<n> specifies the SASL  security
680              strength    factor    to    require   for   directory   updates.
681              simple_bind=<n> specifies the security strength factor  required
682              for  simple  username/password  authentication.   Note  that the
683              transport  factor  is  a  measure  of  the security provided by the
684              underlying  transport, e.g. ldapi:// (and eventually IPSEC).  It
685              is not normally used.
686
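       The following Python is an added example for the security directive
       above (and for the minssf notion it borrows from sasl-secprops); it
       is not part of the manual page or of slapd.  It parses a security
       line into the per-factor minimums listed above and reports which of
       them a given session fails to reach, applying update_* factors only
       to update operations and simple_bind only to simple binds.  One
       assumption is made beyond the text: the session's overall ssf is
       taken as the strongest of its transport, TLS and SASL factors.

```python
# Factors a "security" directive may set (from the man page) and the
# session factor each one constrains.
SECURITY_KEYS = {
    "ssf": "ssf", "transport": "transport", "tls": "tls", "sasl": "sasl",
    "update_ssf": "ssf", "update_transport": "transport",
    "update_tls": "tls", "update_sasl": "sasl",
    "simple_bind": "ssf",
}


def parse_security(directive: str) -> dict[str, int]:
    """Parse "security ssf=128 update_ssf=256 ..." into {factor: minimum}."""
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "security":
        raise ValueError("not a security directive")
    required: dict[str, int] = {}
    for tok in tokens[1:]:
        key, sep, val = tok.partition("=")
        if not sep or key not in SECURITY_KEYS or not val.isdigit():
            raise ValueError(f"bad security factor: {tok!r}")
        required[key] = int(val)
    return required


def session_factors(transport: int = 0, tls: int = 0, sasl: int = 0) -> dict[str, int]:
    """Assumption of this example: a session's overall ssf is the strongest
    of its transport (e.g. ldapi://), TLS and SASL security layers."""
    return {"transport": transport, "tls": tls, "sasl": sasl,
            "ssf": max(transport, tls, sasl)}


def unmet_security(required: dict[str, int], session: dict[str, int], *,
                   update: bool = False, simple_bind: bool = False) -> list[str]:
    """Return the names of required factors the session does not reach.
    update_* factors apply only to update operations and simple_bind only
    to simple binds; an empty list means the operation may proceed."""
    unmet = []
    for key, minimum in required.items():
        if key.startswith("update_") and not update:
            continue
        if key == "simple_bind" and not simple_bind:
            continue
        if session.get(SECURITY_KEYS[key], 0) < minimum:
            unmet.append(key)
    return unmet
```

       A plain-TCP session has every factor at 0, so "security ssf=1" is
       enough to refuse anything that is not at least integrity protected
       (see the minssf scale under sasl-secprops), while simple_bind=128
       stops clear-text passwords from being accepted over an unprotected
       connection even when anonymous reads remain allowed.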
687       serverID <integer> [<URL>]
688              Specify an integer ID from 0 to 4095 for this server. The ID may
689              also  be  specified  as  a hexadecimal ID by prefixing the value
690              with "0x".  Non-zero IDs are required when using  multi-provider
691              replication  and  each  provider must have a unique non-zero ID.
692              Note that this requirement also applies  to  separate  providers
693              contributing  to  a  glued  set  of  databases.   If  the URL is
694              provided,  this  directive  may  be  specified  multiple  times,
695              providing  a  complete  list  of participating servers and their
696              IDs. The fully qualified hostname of each server should be  used
697              in the supplied URLs. The IDs are used in the "replica id" field
698              of all CSNs generated by the specified server. The default value
699              is  zero,  which  is only valid for single provider replication.
700              Example:
701
702            serverID 1 ldap://ldap1.example.com
703            serverID 2 ldap://ldap2.example.com
704
705       sizelimit {<integer>|unlimited}
706
707       sizelimit size[.{soft|hard}]=<integer> [...]
708              Specify the maximum number of entries to return  from  a  search
709              operation.   The  default  size  limit is 500.  Use unlimited to
710              specify no limits.   The  second  format  allows  a  fine  grain
711              setting  of  the  size  limits.   If  no  special qualifiers are
712              specified, both soft and hard limits are set.  Extra args can be
713              added  on  the  same line.  Additional qualifiers are available;
714              see limits for an explanation of all of the different flags.
715
716       sockbuf_max_incoming <integer>
717              Specify  the  maximum  incoming  LDAP  PDU  size  for  anonymous
718              sessions.  The default is 262143.
719
720       sockbuf_max_incoming_auth <integer>
721              Specify  the  maximum  incoming  LDAP PDU size for authenticated
722              sessions.  The default is 4194303.
723
724       sortvals <attr> [...]
725              Specify a list of  multi-valued  attributes  whose  values  will
726              always  be  maintained  in  sorted order. Using this option will
727              allow  Modify,  Compare,  and  filter   evaluations   on   these
728              attributes  to be performed more efficiently. The resulting sort
729              order depends on the attributes' syntax and matching  rules  and
730              may  not  correspond  to lexical order or any other recognizable
731              order.
732
733       tcp-buffer [listener=<URL>] [{read|write}=]<size>
734              Specify the size of the TCP buffer.  A  global  value  for  both
735              read  and  write TCP buffers related to any listener is defined,
736              unless the listener is explicitly specified, or either the  read
737              or  write  qualifiers  are  used.  See tcp(7) for details.  Note
738              that some operating systems implement automatic TCP buffer tuning.
739
740       threads <integer>
741              Specify the maximum  size  of  the  primary  thread  pool.   The
742              default is 16; the minimum value is 2.
743
744       threadqueues <integer>
745              Specify  the number of work queues to use for the primary thread
746              pool.  The default is 1 and this is typically adequate for up to
747              8  CPU cores.  The value should not exceed the number of CPUs in
748              the system.
749
750       timelimit {<integer>|unlimited}
751
752       timelimit time[.{soft|hard}]=<integer> [...]
753              Specify the maximum number of seconds (in real time) slapd  will
754              spend  answering  a  search  request.  The default time limit is
755              3600.  Use unlimited to specify no limits.   The  second  format
756              allows  a fine grain setting of the time limits.  Extra args can
757              be added on the same line.  See limits for an explanation of the
758              different flags.
759
760       tool-threads <integer>
761              Specify the maximum number of threads to use in tool mode.  This
762              should not be greater than the number of  CPUs  in  the  system.
763              The default is 1.
764
765       writetimeout <integer>
766              Specify  the number of seconds to wait before forcibly closing a
767              connection with an outstanding write. This allows recovery  from
768              various  network  hang conditions.  A writetimeout of 0 disables
769              this feature.  The default is 0.
770

TLS OPTIONS

772       If slapd is built with support for Transport Layer Security, there  are
773       more options you can specify.
774
775       When    using    OpenSSL,    if   neither    TLSCACertificateFile   nor
776       TLSCACertificatePath  is  set,  the  system-wide  default  set  of   CA
777       certificates is used.
778
779       TLSCipherSuite <cipher-suite-spec>
780              Permits  configuring  what  ciphers  will  be  accepted  and the
781              preference  order.   <cipher-suite-spec>  should  be  a   cipher
782              specification  for  the  TLS library in use (OpenSSL or GnuTLS).
783              Example:
784
785                     OpenSSL:
786                            TLSCipherSuite HIGH:MEDIUM:+SSLv2
787
788                     GnuTLS:
789                            TLSCiphersuite SECURE256:!AES-128-CBC
790
791              To check what ciphers a given spec selects in OpenSSL, use:
792
793                   openssl ciphers -v <cipher-suite-spec>
794
795              With GnuTLS the available specs can be found in the manual  page
796              of gnutls-cli(1) (see the description of the option --priority).
797
798              In  older  versions of GnuTLS, where gnutls-cli does not support
799              the option --priority, you can obtain the — more limited —  list
800              of ciphers by calling:
801
802                   gnutls-cli -l
803
804       TLSCACertificateFile <filename>
805              Specifies  the  file  that  contains certificates for all of the
806              Certificate  Authorities  that  slapd   will   recognize.    The
807              certificate  for  the  CA  that  signed  the  server certificate
808              must(GnuTLS)/may(OpenSSL) be included among these  certificates.
809              If  the  signing  CA was not a top-level (root) CA, certificates
810              for the entire sequence of CAs from the signing  CA  to  the  top-
811              level  CA  should  be  present. Multiple certificates are simply
812              appended to the file; the order is not significant.
813
814       TLSCACertificatePath <path>
815              Specifies the  path  of  directories  that  contain  Certificate
816              Authority  certificates  in  separate  individual files. Usually
817              only one of this or the TLSCACertificateFile is  used.  If  both
818              are specified, both locations will be used. Multiple directories
819              may be specified, separated by a semi-colon.
820
821       TLSCertificateFile <filename>
822              Specifies the file that contains the slapd server certificate.
823
824              When using OpenSSL that file may  also  contain  any  number  of
825              intermediate certificates after the server certificate.
826
827       TLSCertificateKeyFile <filename>
828              Specifies  the  file  that contains the slapd server private key
829              that matches the certificate stored  in  the  TLSCertificateFile
830              file.   Currently,  the private key must not be protected with a
831              password, so it is of critical importance that it  is  protected
832              carefully.
833
834       TLSDHParamFile <filename>
835              This  directive  specifies the file that contains parameters for
836              Diffie-Hellman ephemeral key  exchange.   This  is  required  in
837              order  to  use  a  DSA  certificate  on  the  server,  or an RSA
838              certificate missing the "key encipherment" key usage.  Note that
839              setting this option may also enable Anonymous Diffie-Hellman key
840              exchanges in certain non-default cipher suites.   Anonymous  key
841              exchanges  should  generally  be  avoided  since they provide no
842              actual client or server authentication and provide no protection
843              against  man-in-the-middle attacks.  You should append "!ADH" to
844              your cipher suites to ensure that these suites are not used.
845
846       TLSECName <name>
847              Specify the name of the  curve(s)  to  use  for  Elliptic  curve
848              Diffie-Hellman ephemeral key exchange.  This option is only used
849              for OpenSSL.  This option is not used with  GnuTLS;  the  curves
850              may be chosen in the GnuTLS ciphersuite specification.
851
852       TLSProtocolMin <major>[.<minor>]
853              Specifies   minimum   SSL/TLS  protocol  version  that  will  be
854              negotiated.   If  the  server  doesn't  support  at  least  that
855              version,  the  SSL  handshake  will fail.  To require TLS 1.x or
856              higher, set this option to 3.(x+1), e.g.,
857
858                   TLSProtocolMin 3.2
859
860              would require TLS 1.1.  Specifying a minimum that is higher than
861              that  supported by the OpenLDAP implementation will result in it
862              requiring  the  highest  level  that  it  does  support.    This
863              directive is ignored with GnuTLS.
864
865       TLSRandFile <filename>
866              Specifies   the   file   to   obtain   random   bits  from  when
867              /dev/[u]random is not available.  Generally set to the  name  of
868              the  EGD/PRNGD  socket.   The  environment variable RANDFILE can
869              also be used to specify the filename.  This directive is ignored
870              with GnuTLS.
871
872       TLSVerifyClient <level>
873              Specifies  what  checks  to perform on client certificates in an
874              incoming TLS session, if any.  The <level> can be  specified  as
875              one of the following keywords:
876
877              never  This is the default.  slapd will not ask the client for a
878                     certificate.
879
880              allow  The client certificate is requested.  If  no  certificate
881                     is  provided,  the  session  proceeds normally.  If a bad
882                     certificate is provided,  it  will  be  ignored  and  the
883                     session proceeds normally.
884
885              try    The  client  certificate is requested.  If no certificate
886                     is provided, the session proceeds  normally.   If  a  bad
887                     certificate  is  provided,  the  session  is  immediately
888                     terminated.
889
890              demand | hard | true
891                     These keywords  are  all  equivalent,  for  compatibility
892                     reasons.   The  client  certificate  is requested.  If no
893                     certificate  is  provided,  or  a  bad   certificate   is
894                     provided, the session is immediately terminated.
895
896                     Note that a valid client certificate is required in order
897                     to use the SASL EXTERNAL authentication mechanism with  a
898                     TLS  session.   As  such,  a  non-default TLSVerifyClient
899                     setting  must  be  chosen   to   enable   SASL   EXTERNAL
900                     authentication.
901
902       TLSCRLCheck <level>
903              Specifies  if  the  Certificate  Revocation List (CRL) of the CA
904              should be used to verify if the  client  certificates  have  not
905              been revoked. This requires the  TLSCACertificatePath  parameter
906              to be set. This directive is ignored with GnuTLS.  <level> can be
907              specified as one of the following keywords:
908
909              none   No CRL checks are performed
910
911              peer   Check the CRL of the peer certificate
912
913              all    Check the CRL for a whole certificate chain
914
915       TLSCRLFile <filename>
916              Specifies  a file containing a Certificate Revocation List to be
917              used for verifying that certificates have not been revoked. This
918              directive is only valid when using GnuTLS.
919

GENERAL BACKEND OPTIONS

921       Options in this section only apply to the configuration file section of
922       all instances of the specified backend.  All backends may support  this
923       class of options, but currently only back-mdb does.
924
925       backend <databasetype>
926              Mark  the  beginning  of  a  backend  definition. <databasetype>
927              should be one of asyncmeta, config,  dnssrv,  ldap,  ldif,  mdb,
928              meta,  monitor, null, passwd, perl, relay, sock, sql, or wt.  At
929              present, only back-mdb implements any options of this  type,  so
930              this setting is not needed for any other backends.
931
932

GENERAL DATABASE OPTIONS

934       Options  in  this  section only apply to the configuration file section
935       for the database in which they are  defined.   They  are  supported  by
936       every  type of backend.  Note that the database and at least one suffix
937       option are mandatory for each database.
938
939       database <databasetype>
940              Mark the  beginning  of  a  new  database  instance  definition.
941              <databasetype> should be one of asyncmeta, config, dnssrv, ldap,
942              ldif, mdb, meta, monitor, null, passwd, perl, relay, sock,  sql,
943              or wt, depending on which backend will serve the database.
944
945              LDAP operations, even subtree searches, normally access only one
946              database.  That can be changed by gluing databases together with
947              the  subordinate keyword.  Access controls and some overlays can
948              also involve multiple databases.
949
950       add_content_acl on | off
951              Controls whether Add operations will perform ACL checks  on  the
952              content  of the entry being added. This check is off by default.
953              See the slapd.access(5) manual page  for  more  details  on  ACL
954              requirements for Add operations.
955
956       extra_attrs <attrlist>
957              Lists  what  attributes  need  to  be  added to search requests.
958              Local storage backends return the entire entry to the  frontend.
959              The frontend takes  care  of  returning  only  the  requested
960              attributes that are allowed by ACLs.  However, features such as
961              access checking may need specific attributes that are not
962              automatically returned by remote storage backends (for  example
963              proxy  backends).  <attrlist> is a list of attributes that are
964              needed  for  internal  purposes  and  thus  always  need  to  be
965              collected, even when not explicitly requested by clients.
966
967       hidden on | off
968              Controls  whether the database will be used to answer queries. A
969              database that is hidden will never be  selected  to  answer  any
970              queries,  and  any  suffix  configured  on  the database will be
971              ignored  in  checks  for  conflicts  with  other  databases.  By
972              default, hidden is off.
973
974       lastmod on | off
975              Controls   whether   slapd   will   automatically  maintain  the
976              modifiersName,      modifyTimestamp,      creatorsName,      and
977              createTimestamp  attributes  for  entries.  It also controls the
978              entryCSN and entryUUID  attributes,  which  are  needed  by  the
979              syncrepl provider. By default, lastmod is on.
980
981       lastbind on | off
982              Controls   whether   slapd   will   automatically  maintain  the
983              pwdLastSuccess attribute for entries. By  default,  lastbind  is
984              off.
985
986       lastbind-precision <integer>
987              If  lastbind is enabled, specifies how frequently pwdLastSuccess
988              will be updated. More than  integer  seconds  must  have  passed
989              since the last successful bind. In a replicated environment with
990              frequent bind activity it may be useful to set this to  a  large
991              value.
992
993       limits <selector> <limit> [<limit> [...]]
994              Specify  time and size limits based on the operation's initiator
995              or base DN.  The argument <selector> can be any of
996
997                     anonymous | users | [<dnspec>=]<pattern> |
998                     group[/oc[/at]]=<pattern>
999
1000              with
1001
1002                     <dnspec> ::= dn[.<type>][.<style>]
1003
1004                     <type>  ::= self | this
1005
1006                     <style>  ::= exact | base | onelevel | subtree | children
1007                     | regex | anonymous
1008
1009              DN type self is the default and means the bound user, while this
1010              means  the base DN of the operation.  The term anonymous matches
1011              all  unauthenticated  clients.   The  term  users  matches   all
1012              authenticated  clients; otherwise an exact dn pattern is assumed
1013              unless otherwise specified  by  qualifying  the  (optional)  key
1014              string dn with exact or base (which are synonyms), to require an
1015              exact match; with onelevel, to  require  exactly  one  level  of
1016              depth  match;  with  subtree, to allow any level of depth match,
1017              including the exact match; with children, to allow any level  of
1018              depth  match,  not  including  the exact match; regex explicitly
1019              requires  the  (default)  match  based  on  POSIX  (extended)
1020              regular  expression pattern.  Finally, anonymous matches unbound
1021              operations; the pattern field is ignored.  The same behavior  is
1022              obtained  by  using the anonymous form of the <selector> clause.
1023              The  term  group,  with  the   optional   objectClass   oc   and
1024              attributeType  at  fields,  followed by pattern, sets the limits
1025              for any DN listed in the values of  the  at  attribute  (default
1026              member) of the oc group objectClass (default groupOfNames) whose
1027              DN exactly matches pattern.
1028
1029              The currently supported limits are size and time.
1030
1031              The syntax  for  time  limits  is  time[.{soft|hard}]=<integer>,
1032              where  integer  is  the  number  of  seconds  slapd  will  spend
1033              answering a search request.  If  no  time  limit  is  explicitly
1034              requested  by  the  client,  the  soft  limit  is  used;  if the
1035              requested time limit exceeds the hard limit, the  value  of  the
1036              limit  is used instead.  If the hard limit is set to the keyword
1037              soft, the soft limit is used in either case; if it is set to the
1038              keyword unlimited, no hard limit is enforced.  Explicit requests
1039              for time limits smaller or equal to the hard limit are  honored.
1040              If  no limit specifier is set, the value is assigned to the soft
1041              limit, and the hard limit  is  set  to  soft,  to  preserve  the
1042              original behavior.
1043
1044              The syntax for size limits is
1045              size[.{soft|hard|unchecked}]=<integer>,  where  integer  is  the
1046              maximum  number  of entries slapd will return answering a search
1047              request.  If no  size  limit  is  explicitly  requested  by  the
1048              client,  the  soft  limit  is  used; if the requested size limit
1049              exceeds the hard limit, the value of the limit is used  instead.
1050              If  the hard limit is set to the keyword soft, the soft limit is
1051              used in either case; if it is set to the keyword  unlimited,  no
1052              hard  limit  is  enforced.   Explicit  requests  for size limits
1053              smaller or equal to the hard limit are honored.   The  unchecked
1054              specifier  sets  a  limit  on  the number of candidates a search
1055              request is allowed to examine.  The rationale behind it is  that
1056              searches for non-properly indexed attributes may result in large
1057              sets of candidates,  which  must  be  examined  by  slapd(8)  to
1058              determine  whether  they  match  the  search filter or not.  The
1059              unchecked limit provides a means to drop such operations  before
1060              they  are  even  started.  If the selected candidates exceed the
1061              unchecked  limit,  the  search  will  abort  with  Unwilling  to
1062              perform.   If  it  is  set to the keyword unlimited, no limit is
1063              applied (the default).  If it is set to disabled, the search  is
1064              not  even performed; this can be used to disallow searches for a
1065              specific set of users.  If no limit specifier is set, the  value
1066              is  assigned  to  the  soft  limit, and the hard limit is set to
1067              soft, to preserve the original behavior.
1068
1069              In case of no match, the global limits are  used.   The  default
1070              values  are the same as for sizelimit and timelimit; no limit is
1071              set on unchecked.
1072
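       The following Python is an added example for the limits directive
       above, covering the sizelimit and timelimit defaults as well; it is
       not part of the manual page or of slapd.  It parses a limits line
       (the selector is kept as-is; quoting is handled with shlex) into
       soft/hard/unchecked values starting from the documented global
       defaults, and effective_limit applies the rules stated above to a
       client's requested limit: no request uses the soft limit, a request
       above the hard limit is cut to the hard limit, a hard limit of soft
       yields the soft limit in either case, and unlimited enforces
       nothing.  None stands for the keyword unlimited.

```python
import shlex

UNLIMITED = None            # stands for the keyword "unlimited"

# Global defaults the man page gives for sizelimit and timelimit; with no
# qualifier the value goes to the soft limit and the hard limit is "soft".
DEFAULT_LIMITS = {
    "size": {"soft": 500, "hard": "soft", "unchecked": UNLIMITED},
    "time": {"soft": 3600, "hard": "soft"},
}
QUALIFIERS = {"size": ("soft", "hard", "unchecked"), "time": ("soft", "hard")}


def _limit_value(kind: str, qualifier: str, text: str):
    """Translate one limit value, honouring the keywords the page allows."""
    if text == "unlimited":
        return UNLIMITED
    if text == "soft" and qualifier == "hard":
        return "soft"
    if text == "disabled" and (kind, qualifier) == ("size", "unchecked"):
        return "disabled"
    if not text.isdigit():
        raise ValueError(f"bad {kind}.{qualifier} value {text!r}")
    return int(text)


def parse_limits_line(line: str) -> dict:
    """Parse "limits <selector> <limit> [...]" into the selector plus the
    resolved size and time limits (starting from the global defaults)."""
    tokens = shlex.split(line)
    if len(tokens) < 3 or tokens[0].lower() != "limits":
        raise ValueError(f"not a limits directive: {line!r}")
    spec = {"selector": tokens[1],
            "size": dict(DEFAULT_LIMITS["size"]), "time": dict(DEFAULT_LIMITS["time"])}
    for tok in tokens[2:]:
        name, sep, text = tok.partition("=")
        kind, _, qualifier = name.partition(".")
        if not sep or kind not in QUALIFIERS or (qualifier and qualifier not in QUALIFIERS[kind]):
            raise ValueError(f"bad limit {tok!r}")
        if qualifier:
            spec[kind][qualifier] = _limit_value(kind, qualifier, text)
        else:                          # no specifier: soft=value, hard=soft
            spec[kind]["soft"] = _limit_value(kind, "soft", text)
            spec[kind]["hard"] = "soft"
    return spec


def effective_limit(limit: dict, requested: int = 0):
    """Apply the soft/hard rules from the text to a client's request
    (0 = no explicit limit).  Returns an int or UNLIMITED."""
    soft, hard = limit["soft"], limit["hard"]
    if hard == "soft" or requested == 0:   # keyword soft: soft limit in either case
        return soft
    if hard is UNLIMITED:                  # no hard limit enforced
        return requested
    return requested if requested <= hard else hard
```

       The replication case the text mentions is the first assertion in
       the test below: a limits line for the consumer identity with
       size=unlimited time=unlimited.  Note that without such a line the
       consumer's searches are cut at the global defaults of 500 entries
       and 3600 seconds, which silently truncates the initial refresh.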
1073              If pagedResults control is requested, the  hard  size  limit  is
1074              used  by default, because the request of a specific page size is
1075              considered an explicit request for a limitation on the number of
1076              entries  to be returned.  However, the size limit applies to the
1077              total count of entries returned within the search, and not to  a
1078              single page.  Additional size limits may be enforced; the syntax
1079              is size.pr={<integer>|noEstimate|unlimited},  where  integer  is
1080              the  max  page  size  if  no  explicit limit is set; the keyword
1081              noEstimate inhibits the server from returning an estimate of the
1082              total  number  of  entries  that  might  be  returned (note: the
1083              current implementation  does  not  return  any  estimate).   The
1084              keyword  unlimited  indicates  that  no  limit is applied to the
1085              pagedResults     control     page     size.      The      syntax
1086              size.prtotal={<integer>|hard|unlimited|disabled}  allows  one to
1087              set a limit on the total number of entries that the pagedResults
1088              control  will  return.   By  default it is set to the hard limit
1089              which will use the size.hard value.  When set,  integer  is  the
1090              max  number  of  entries that the whole search with pagedResults
1091              control can return.  Use unlimited to allow an unlimited number of
1092              entries to be returned, e.g. to allow the use of the
1093              pagedResults control as a means to circumvent  size  limitations
1094              on  regular searches; the keyword disabled disables the control,
1095              i.e. no paged results can be  returned.   Note  that  the  total
1096              number  of  entries  returned  when  the pagedResults control is
1097              requested cannot exceed the hard size limit of regular  searches
1098              unless extended by the prtotal switch.
1099
1100              The  limits  statement  is  typically  used  to let an unlimited
1101              number of entries be returned by  searches  performed  with  the
1102              identity  used  by  the consumer for synchronization purposes by
1103              means of the RFC 4533 LDAP Content Synchronization protocol (see
1104              syncrepl for details).
1105
1106              When using subordinate databases, it is necessary for any limits
1107              that are to be applied across the parent and its subordinates to
1108              be  defined  in  both the parent and its subordinates. Otherwise
1109              the settings on the subordinate databases are not honored.
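              The following limits statements, added here as an illustration and
              not taken from this manual page, put the rules above together: an
              unlimited replication identity, a bounded paged-search profile for
              authenticated users, and an anonymous profile with paged results
              disabled.  The dn.exact, users and anonymous selectors are those
              of the limits directive; the DN and the numeric values are chosen
              for the example.

```conf
# Replication identity: no size or time limits, so a syncrepl consumer
# binding as this DN can receive the complete content (see syncrepl).
limits dn.exact="cn=replicator,dc=example,dc=com"
        size.soft=unlimited size.hard=unlimited
        time.soft=unlimited time.hard=unlimited

# Authenticated users: 200 entries per search unless the client asks
# for more, never more than 500; refuse filters that would have slapd
# examine more than 5000 candidates.  Paged searches return at most
# 100 entries per page and, with prtotal=hard, at most size.hard=500
# entries over the whole search, so paging cannot bypass the limit.
limits users
        size.soft=200 size.hard=500 size.unchecked=5000
        size.pr=100 size.prtotal=hard
        time.soft=30 time.hard=60

# Anonymous clients: 50 entries, at most 1000 candidates examined, and
# the pagedResults control is refused outright.
limits anonymous
        size.soft=50 size.hard=50 size.unchecked=1000
        size.prtotal=disabled
```

              The indented lines are continuation lines of the preceding limits
              statement; comments are placed only before a statement, because
              continuation lines are unwrapped before comment processing.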
1110
1111       maxderefdepth <depth>
1112              Specifies the maximum number  of  aliases  to  dereference  when
1113              trying  to resolve an entry, used to avoid infinite alias loops.
1114              The default is 15.
1115
1116       multiprovider on | off
1117              This option puts a consumer database into  Multi-Provider  mode.
1118              Update  operations  will be accepted from any user, not just the
1119              updatedn.  The database must already be configured as a syncrepl
1120              consumer before this keyword may be set. This mode also requires
1121              a  serverID  (see  above)  to  be   configured.    By   default,
1122              multiprovider is off.
1123
1124       monitoring on | off
1125              This  option  enables  database-specific monitoring in the entry
1126              related to the current database in the "cn=Databases,cn=Monitor"
1127              subtree  of  the  monitor  database,  if the monitor database is
1128              enabled.  Currently, only the MDB  database  provides  database-
1129              specific  monitoring.  If monitoring is supported by the backend
1130              it defaults to on, otherwise off.
1131
1132       overlay <overlay-name>
1133              Add the specified overlay to this  database.  An  overlay  is  a
1134              piece  of  code  that intercepts database operations in order to
1135              extend or change them. Overlays are pushed onto a stack over the
1136              database,  and  so they will execute in the reverse of the order
1137              in which they were  configured  and  the  database  itself  will
1138              receive  control  last  of all. See the slapd.overlays(5) manual
1139              page for an overview of the available overlays.  Note  that  all
1140              of  the  database's regular settings should be configured before
1141              any overlay settings.
1142
1143       readonly on | off
1144              This option  puts  the  database  into  "read-only"  mode.   Any
1145              attempts  to  modify  the  database will return an "unwilling to
1146              perform" error.  By default, readonly is off.
1147
1148       restrict <oplist>
1149              Specify a whitespace  separated  list  of  operations  that  are
1150              restricted.    If   defined  inside  a  database  specification,
1151              restrictions apply only to that  database,  otherwise  they  are
1152              global.   Operations  can  be any of add, bind, compare, delete,
1153              extended[=<OID>], modify, rename, search, or the special pseudo-
1154              operations read and write, which respectively summarize read and
1155              write operations.  The use of restrict write  is  equivalent  to
1156              readonly  on  (see  above).   The extended keyword allows one to
1157              indicate the OID of the specific operation to be restricted.
1158
1159       rootdn <dn>
1160              Specify the distinguished name that is  not  subject  to  access
1161              control  or  administrative limit restrictions for operations on
1162              this database.  This DN may or may not  be  associated  with  an
1163              entry.   An empty root DN (the default) specifies no root access
1164              is to be granted.  It is recommended that  the  rootdn  only  be
1165              specified  when  needed  (such  as  when  initially populating a
1166              database).  If the rootdn is within a namingContext (suffix)  of
1167              the  database, a simple bind password may also be provided using
1168              the  rootpw  directive.  Many   optional   features,   including
1169              syncrepl, require the rootdn to be defined for the database.
1170
1171       rootpw <password>
1172              Specify  a  password  (or  hash of the password) for the rootdn.
1173              The password can only  be  set  if  the  rootdn  is  within  the
1174              namingContext (suffix) of the database.  This option accepts all
1175              RFC  2307  userPassword  formats  known  to  the   server   (see
1176              password-hash  description) as well as cleartext.  slappasswd(8)
1177              may be used to generate a hash of  a  password.   Cleartext  and
1178              {CRYPT}  passwords are not recommended.  If empty (the default),
1179              authentication of the root DN is by  other  means  (e.g.  SASL).
1180              Use of SASL is encouraged.
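              The fragment below is an added example of the restrict, rootdn and
              rootpw directives working together in one database definition; it
              is not part of this manual page.  The suffix and rootdn are made
              up, the rootpw value is a placeholder for the hash printed by
              slappasswd(8), and 1.3.6.1.4.1.4203.1.11.1 is the OID of the
              Password Modify extended operation (RFC 3062).

```conf
database  mdb
suffix    "dc=example,dc=com"
# The rootdn lies within the suffix, so a rootpw may be given.  Store
# only a hash, produced for instance with:
#   slappasswd -h {SSHA} -s '<secret>'
rootdn    "cn=Manager,dc=example,dc=com"
rootpw    {SSHA}<output-of-slappasswd>
# Refuse the Password Modify extended operation and rename (moddn) on
# this database; all other operations remain subject to access control.
restrict  extended=1.3.6.1.4.1.4203.1.11.1 rename
```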
1181
1182       suffix <dn suffix>
1183              Specify  the  DN  suffix  of queries that will be passed to this
1184              backend database.  Multiple suffix lines can  be  given  and  at
1185              least one is required for each database definition.
1186
1187              If  the  suffix of one database is "inside" that of another, the
1188              database  with  the  inner  suffix  must  come  first   in   the
1189              configuration  file.   You  may also want to glue such databases
1190              together with the subordinate keyword.
1191
1192       subordinate [advertise]
1193              Specify that the current backend database is  a  subordinate  of
1194              another  backend database. A subordinate  database may have only
1195              one suffix. This option may be used to glue  multiple  databases
1196              into  a  single  namingContext.   If  the  suffix of the current
1197              database is within the namingContext  of  a  superior  database,
1198              searches against the superior database will be propagated to the
1199              subordinate as well. All of  the  databases  associated  with  a
1200              single namingContext should have identical rootdns.  Behavior of
1201              other  LDAP  operations  is  unaffected  by  this  setting.   In
1202              particular,  it  is  not  possible to use moddn to move an entry
1203              from  one  subordinate  to  another   subordinate   within   the
1204              namingContext.
1205
1206              If  the  optional advertise flag is supplied, the naming context
1207              of this database is advertised in the root DSE. The  default  is
1208              to hide this database context, so that only the superior context
1209              is visible.
1210
1211              If the slap  tools  slapcat(8),  slapadd(8),  slapmodify(8),  or
1212              slapindex(8)  are  used  on  the  superior  database,  any glued
1213              subordinates that support these tools are opened as well.
1214
1215              Databases that are glued together should usually  be  configured
1216              with the same indices (assuming they support indexing), even for
1217              attributes that only  exist  in  some  of  these  databases.  In
1218              general,  all  of  the  glued  databases should be configured as
1219              similarly as possible,  since  the  intent  is  to  provide  the
1220              appearance of a single directory.
1221
1222              Note   that   the   subordinate   functionality  is  implemented
1223              internally by the glue overlay and as  such  its  behavior  will
1224              interact  with  other  overlays  in  use.  By  default, the glue
1225              overlay is automatically configured as the last overlay  on  the
1226              superior  backend. Its position on the backend can be explicitly
1227              configured by setting an overlay glue directive at  the  desired
1228              position.  This  explicit  configuration is necessary e.g.  when
1229              using the syncprov overlay, which needs to follow glue in  order
1230              to work over all of the glued databases. E.g.
1231                   database mdb
1232                   suffix dc=example,dc=com
1233                   ...
1234                   overlay glue
1235                   overlay syncprov
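              A complete two-database arrangement, added here as an example and
              not part of the original page, shows the ordering rules above: the
              database with the inner suffix comes first and carries the
              subordinate keyword, both databases share the same rootdn and
              indices, and glue is placed explicitly so that syncprov follows
              it.  Directory paths and DNs are placeholders.

```conf
# Subordinate first: its suffix lies inside dc=example,dc=com.
database  mdb
suffix    "ou=people,dc=example,dc=com"
directory /var/openldap-data/people
rootdn    "cn=Manager,dc=example,dc=com"
subordinate
index     objectClass eq
index     cn,sn       eq,sub

# Superior database.  glue is configured explicitly so that syncprov
# is stacked after it and serves the glued namingContext as one whole.
database  mdb
suffix    "dc=example,dc=com"
directory /var/openldap-data/root
rootdn    "cn=Manager,dc=example,dc=com"
index     objectClass eq
index     cn,sn       eq,sub
overlay   glue
overlay   syncprov
```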
1236
1237       sync_use_subentry
1238              Store  the  syncrepl  contextCSN  in  a  subentry instead of the
1239              context entry of  the  database.  The  subentry's  RDN  will  be
1240              "cn=ldapsync".  By  default  the  contextCSN  is  stored  in the
1241              context entry.
1242
1243       syncrepl    rid=<replica    ID>    provider=ldap[s]://<hostname>[:port]
1244              searchbase=<base     DN>    [type=refreshOnly|refreshAndPersist]
1245              [interval=dd:hh:mm:ss]   [retry=[<retry    interval>    <#    of
1246              retries>]+]  [filter=<filter  str>]  [scope=sub|one|base|subord]
1247              [attrs=<attr   list>]    [exattrs=<attr    list>]    [attrsonly]
1248              [sizelimit=<limit>]  [timelimit=<limit>] [schemachecking=on|off]
1249              [network-timeout=<seconds>]                  [timeout=<seconds>]
1250              [tcp-user-timeout=<milliseconds>]       [bindmethod=simple|sasl]
1251              [binddn=<dn>]       [saslmech=<mech>]       [authcid=<identity>]
1252              [authzid=<identity>]    [credentials=<passwd>]   [realm=<realm>]
1253              [secprops=<properties>]   [keepalive=<idle>:<probes>:<interval>]
1254              [starttls=yes|critical]    [tls_cert=<file>]    [tls_key=<file>]
1255              [tls_cacert=<file>]                       [tls_cacertdir=<path>]
1256              [tls_reqcert=never|allow|try|demand]
1257              [tls_reqsan=never|allow|try|demand] [tls_cipher_suite=<ciphers>]
1258              [tls_ecname=<names>]                [tls_crlcheck=none|peer|all]
1259              [tls_protocol_min=<major>[.<minor>]]  [suffixmassage=<real  DN>]
1260              [logbase=<base        DN>]        [logfilter=<filter       str>]
1261              [syncdata=default|accesslog|changelog] [lazycommit]
1262              Specify the current database as a consumer which is kept  up-to-
1263              date  with  the  provider  content  by  establishing the current
1264              slapd(8) as a  replication  consumer  site  running  a  syncrepl
1265              replication  engine.   The consumer content is kept synchronized
1266              to the provider content using the LDAP  Content  Synchronization
1267              protocol.  Refer  to  the  "OpenLDAP  Administrator's Guide" for
1268              detailed information on setting up a replicated slapd  directory
1269              service using the syncrepl replication engine.
1270
1271              rid   identifies  the  current  syncrepl  directive  within  the
1272              replication consumer site.  It is  a  non-negative  integer  not
1273              greater than 999 (limited to three decimal digits).
1274
1275              provider  specifies the replication provider site containing the
1276              provider content as an LDAP URI. If <port>  is  not  given,  the
1277              standard LDAP port number (389 or 636) is used.
1278
1279              The  content  of the syncrepl consumer is defined using a search
1280              specification as its result set. The consumer  slapd  will  send
1281              search  requests  to  the provider slapd according to the search
1282              specification. The  search  specification  includes  searchbase,
1283              scope,   filter,  attrs,  attrsonly,  sizelimit,  and  timelimit
1284              parameters as in the normal search  specification.  The  exattrs
1285              option  may  also  be  used to specify attributes that should be
1286              omitted from incoming entries.  The scope defaults to  sub,  the
1287              filter  defaults  to  (objectclass=*),  and  there is no default
1288              searchbase. The attrs list defaults to "*,+" to return all  user
1289              and  operational attributes, and attrsonly and exattrs are unset
1290              by default.  The sizelimit and timelimit only accept "unlimited"
1291              and  positive  integers,  and  both default to "unlimited".  The
1292              sizelimit and timelimit parameters define a  consumer  requested
1293              limitation  on the number of entries that can be returned by the
1294              LDAP Content Synchronization operation;  these  should  be  left
1295              unchanged  from  the  default  otherwise  replication  may never
1296              succeed.  Note, however, that any provider-side limits  for  the
1297              replication identity will be enforced by the provider regardless
1298              of the limits requested  by  the  LDAP  Content  Synchronization
1299              operation, much like for any other search operation.
1300
1301              The  LDAP  Content  Synchronization  protocol  has two operation
1302              types.  In the refreshOnly operation, the  next  synchronization
1303              search operation is periodically rescheduled at an interval time
1304              (specified by interval parameter; 1 day by default)  after  each
1305              synchronization  operation  finishes.   In the refreshAndPersist
1306              operation, a synchronization search remains  persistent  in  the
1307              provider  slapd.   Further updates to the provider will generate
1308              searchResultEntry to the consumer slapd as the search  responses
1309              to  the persistent synchronization search. If the initial search
1310              fails due to an error, the next synchronization search operation
1311              is  periodically  rescheduled  at an interval time (specified by
1312              the interval parameter; 1 day by default).
1313
1314              If an error occurs during replication, the consumer will attempt
1315              to reconnect according to the retry parameter which is a list of
1316              the <retry interval> and <# of  retries>  pairs.   For  example,
1317              retry="60 10 300 3" lets the consumer retry every 60 seconds for
1318              the first 10 times and then retry every 300 seconds for the next
1319              3 times before it stops retrying. The `+' in <# of retries> means
1320              an indefinite number of retries until success.  If no retry  is
1321              specified, by default syncrepl retries every hour forever.
1322
1323              The  schema  checking  can be enforced at the LDAP Sync consumer
1324              site by turning on the schemachecking parameter. The default  is
1325              off.  Schema checking on means that replicated entries must have
1326              a structural objectClass, must obey objectClass requirements
1327              in   terms  of  required/allowed  attributes,  and  that  naming
1328              attributes and distinguished  values  must  be  present.   As  a
1329              consequence,   schema   checking  should  be  off  when  partial
1330              replication is used.
1331
1332              The network-timeout parameter sets how long  the  consumer  will
1333              wait  to  establish a network connection to the provider. Once a
1334              connection is established, the timeout parameter determines  how
1335              long  the  consumer  will  wait  for the initial Bind request to
1336              complete.  The  defaults  for   these   parameters   come   from
1337              ldap.conf(5).   The  tcp-user-timeout  parameter,  if  non-zero,
1338              corresponds  to  the  TCP_USER_TIMEOUT   set   on   the   target
1339              connections, overriding the operating system setting.  Only some
1340              systems support the customization of this parameter; it is
1341              ignored otherwise and system-wide settings are used.
1342
1343              A   bindmethod   of  simple  requires  the  options  binddn  and
1344              credentials and should  only  be  used  when  adequate  security
1345              services  (e.g.  TLS  or  IPSEC) are in place.  REMEMBER: simple
1346              bind credentials must be in cleartext!   A  bindmethod  of  sasl
1347              requires  the  option  saslmech.  Depending on the mechanism, an
1348              authentication identity  and/or  credentials  can  be  specified
1349              using  authcid  and  credentials.   The authzid parameter may be
1350              used to specify an authorization  identity.   Specific  security
1351              properties  (as with the sasl-secprops keyword above) for a SASL
1352              bind can be set with the secprops option.  A  non  default  SASL
1353              realm  can  be set with the realm option.  The identity used for
1354              synchronization by the consumer should be allowed to receive  an
1355              unlimited  number  of  entries  in response to a search request.
1356              The provider, other than allowing authentication of the syncrepl
1357              identity,   should   grant   that  identity  appropriate  access
1358              privileges  to  the  data  that  is  being  replicated   (access
1359              directive),  and  appropriate time and size limits.  This can be
1360              accomplished  by  either  allowing   unlimited   sizelimit   and
1361              timelimit,  or by setting an appropriate limits statement in the
1362              consumer's configuration (see sizelimit and limits for details).
1363
1364              The keepalive parameter sets the values  of  idle,  probes,  and
1365              interval  used  to  check whether a socket is alive; idle is the
1366              number of seconds a connection needs to remain idle  before  TCP
1367              starts sending keepalive probes; probes is the maximum number of
1368              keepalive probes TCP should send before dropping the connection;
1369              interval is the interval in seconds between individual keepalive
1370              probes.  Only some systems support the  customization  of  these
1371              values;  the  keepalive  parameter  is  ignored  otherwise,  and
1372              system-wide settings are used.
1373
1374              The starttls parameter specifies use of  the  StartTLS  extended
1375              operation  to  establish  a  TLS  session  before Binding to the
1376              provider. If the critical argument is supplied, the session will
1377              be aborted if the StartTLS request fails. Otherwise the syncrepl
1378              session continues without TLS. The tls_reqcert setting  defaults
1379              to "demand", the tls_reqsan setting defaults to "allow", and the
1380              other TLS settings default to the same as  the  main  slapd  TLS
1381              settings.
1382
1383              The  suffixmassage parameter allows the consumer to pull entries
1384              from a remote directory whose DN suffix differs from  the  local
1385              directory.  The  portion of the remote entries' DNs that matches
1386              the searchbase will be replaced with the suffixmassage DN.
1387
1388              Rather than replicating whole entries, the  consumer  can  query
1389              logs  of  data modifications. This mode of operation is referred
1390              to as delta syncrepl. In addition to the above  parameters,  the
1391              logbase  and  logfilter parameters must be set appropriately for
1392              the log that will be used. The syncdata parameter must be set to
1393              either "accesslog" if the log conforms to the slapo-accesslog(5)
1394              log format, or "changelog" if the log conforms to  the  obsolete
1395              changelog format. If the syncdata parameter is omitted or set to
1396              "default" then the log parameters are ignored.
1397
1398              The lazycommit parameter tells the underlying database  that  it
1399              can  store  changes  without  performing a full flush after each
1400              change. This may improve performance  for  the  consumer,  while
1401              sacrificing safety or durability.
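              The following consumer definition is an added example and not
              taken from this manual page.  It combines the parameters described
              above into one delta-syncrepl consumer that verifies the
              provider's certificate over StartTLS, binds with a dedicated
              replication identity, and keeps the connection alive.  The
              hostname, DNs, paths and credentials are placeholders; the
              logfilter is the one conventionally used with slapo-accesslog(5).

```conf
database  mdb
suffix    "dc=example,dc=com"
directory /var/openldap-data/consumer
# syncrepl requires a rootdn on the consumer database.
rootdn    "cn=Manager,dc=example,dc=com"

# Delta syncrepl: the consumer replays the provider's accesslog instead
# of fetching whole entries.  starttls=critical aborts the session if
# TLS cannot be negotiated, and tls_reqcert=demand rejects a provider
# whose certificate does not verify against the given CA.
syncrepl  rid=001
          provider=ldap://provider.example.com
          type=refreshAndPersist
          retry="60 10 300 +"
          searchbase="dc=example,dc=com"
          bindmethod=simple
          binddn="cn=replicator,dc=example,dc=com"
          credentials=<replicator-password>
          starttls=critical
          tls_reqcert=demand
          tls_cacert=/etc/openldap/certs/ca.pem
          network-timeout=10
          keepalive=240:10:30
          schemachecking=off
          logbase="cn=accesslog"
          logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
          syncdata=accesslog

# Clients that try to write to this replica are referred to the provider.
updateref ldap://provider.example.com
```

              Simple bind credentials are sent in cleartext inside the TLS
              session, which is why starttls=critical is used here rather than
              the default of continuing without TLS; the replicator identity
              also needs matching access and limits statements on the provider
              (see limits above).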
1402
1403       updatedn <dn>
1404              This  option  is  only  applicable  in  a  replica database.  It
1405              specifies  the  DN  permitted  to  update  (subject  to   access
1406              controls)  the  replica.  It is only needed in certain push-mode
1407              replication scenarios.  Generally, this DN  should  not  be  the
1408              same as the rootdn used at the provider.
1409
1410       updateref <url>
1411              Specify  the  referral  to  pass  back when slapd(8) is asked to
1412              modify a  replicated  local  database.   If  specified  multiple
1413              times, each url is provided.
1414
1415

DATABASE-SPECIFIC OPTIONS

1417       Each  database  may  allow  specific  configuration  options;  they are
1418       documented  separately  in  the  backends'  manual   pages.   See   the
1419       slapd.backends(5) manual page for an overview of available backends.
1420

EXAMPLES

1422       Here is a short example of a configuration file:
1423
1424              include   /etc/openldap/schema/core.schema
1425              pidfile   /var/run/slapd.pid
1426
1427              # Subtypes of "name" (e.g. "cn" and "ou") with the
1428              # option ";x-hidden" can be searched for/compared,
1429              # but are not shown.  See slapd.access(5).
1430              attributeoptions x-hidden lang-
1431              access to attrs=name;x-hidden by * =cs
1432
1433              # Protect passwords.  See slapd.access(5).
1434              access    to attrs=userPassword  by * auth
1435              # Read access to other attributes and entries.
1436              access    to *  by * read
1437
1438              database  mdb
1439              suffix    "dc=our-domain,dc=com"
1440              # The database directory MUST exist prior to
1441              # running slapd AND should only be accessible
1442              # by the slapd/tools. Mode 0700 recommended.
1443              directory /var/openldap-data
1444              # Indices to maintain
1445              index     objectClass  eq
1446              index     cn,sn,mail   pres,eq,approx,sub
1447
1448              # We serve small clients that do not handle referrals,
1449              # so handle remote lookups on their behalf.
1450              database  ldap
1451              suffix    ""
1452              uri       ldap://ldap.some-server.com/
1453              lastmod   off
1454
1455       "OpenLDAP Administrator's Guide" contains a longer annotated example of
1456       a configuration file.  The original /etc/openldap/slapd.conf is another
1457       example.
1458

FILES

1460       /etc/openldap/slapd.conf
1461              default slapd configuration file
1462

SEE ALSO

1464       ldap(3),      gnutls-cli(1),      slapd-config(5),     slapd.access(5),
1465       slapd.backends(5),   slapd.overlays(5),   slapd.plugin(5),    slapd(8),
1466       slapacl(8),    slapadd(8),    slapauth(8),    slapcat(8),    slapdn(8),
1467       slapindex(8), slapmodify(8), slappasswd(8), slaptest(8).
1468
1469       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
1470

ACKNOWLEDGEMENTS

1472       OpenLDAP Software is developed and maintained by The  OpenLDAP  Project
1473       <http://www.openldap.org/>.   OpenLDAP  Software  is  derived  from the
1474       University of Michigan LDAP 3.3 Release.
1475
1476
1477
1478OpenLDAP 2.6.6                    2023/07/31                     SLAPD.CONF(5)