SLAPD(8C)                                                            SLAPD(8C)


NAME

       slapd - Stand-alone LDAP Daemon


SYNOPSIS

       slapd [-V[V[V]]] [-4|-6]
             [-T {acl|a[dd]|auth|c[at]|d[n]|i[ndex]|p[asswd]|s[chema]|t[est]}]
             [-d debug-level] [-f slapd-config-file]
             [-F slapd-config-directory] [-h URLs] [-n service-name]
             [-s syslog-level] [-l syslog-local-user] [-o option[=value]]
             [-r directory] [-u user] [-g group] [-c cookie]


DESCRIPTION

       slapd is the stand-alone LDAP daemon.  It listens for LDAP connections
       on any number of ports (default 389), responding to the LDAP operations
       it receives over these connections.  slapd is typically invoked at boot
       time by the system's init scripts (historically /etc/rc.local).  Upon
       startup, slapd normally forks and disassociates itself from the
       invoking tty.  If configured in the config file (or config directory),
       the slapd process will write its process ID (see getpid(2)) to a .pid
       file and the command line options it was invoked with to an .args file
       (see slapd.conf(5)).  If the -d flag is given, even with a zero
       argument, slapd will not fork and disassociate from the invoking tty.

       See the "OpenLDAP Administrator's Guide" for more details on slapd.


OPTIONS

       -V[V[V]]
              Print version info and proceed with startup.  If -VV is given,
              exit after providing version info.  If -VVV is given,
              additionally provide information on static overlays and
              backends.

       -4     Listen on IPv4 addresses only.

       -6     Listen on IPv6 addresses only.

       -T tool
              Run in Tool mode.  The tool argument selects whether to run as
              slapadd, slapcat, slapdn, slapindex, slappasswd, slapschema, or
              slaptest (slapacl and slapauth need the entire acl and auth
              option value to be spelled out, since a alone is reserved for
              slapadd).  This option should be the first option specified
              when it is used; any remaining options will be interpreted by
              the corresponding slap tool program, according to the
              respective man pages.  Note that these tool programs will
              usually be symbolic links to slapd.  This option is provided
              for situations where symbolic links are not provided or not
              usable.

       -d debug-level
              Turn on debugging as defined by debug-level.  If this option is
              specified, even with a zero argument, slapd will not fork or
              disassociate from the invoking terminal.  Some general
              operation and status messages are printed for any value of
              debug-level.  debug-level is taken as a bit string, with each
              bit corresponding to a different kind of debugging information.
              See <ldap_log.h> for details.  Comma-separated lists of
              friendly names can be specified to select debugging output of
              the corresponding debugging information.  All the names
              recognized by the loglevel directive described in slapd.conf(5)
              are supported.  If debug-level is ?, a list of installed
              debug-levels is printed, and slapd exits.

              Remember that if you turn on packet logging, packets containing
              bind passwords will be output in the clear, so if you redirect
              the log to a logfile, that file should be read-protected (for
              example created with mode 0600).

       -s syslog-level
              This option tells slapd at what debug-level debugging statements
              should be logged to the syslog(8) facility.  The value
              syslog-level can be set to any value or combination allowed by
              the -d switch.  slapd logs all messages selected by syslog-level
              at the syslog(3) severity DEBUG, on the facility selected with
              -l.

       -n service-name
              Specifies the service name for logging and other purposes.
              Defaults to the basename of argv[0], i.e. "slapd".

       -l syslog-local-user
              Selects the local user of the syslog(8) facility, i.e. the
              facility code messages are tagged with.  Value can be LOCAL0
              through LOCAL7, as well as USER and DAEMON.  The default is
              LOCAL4.  However, this option is only permitted on systems that
              support local users with the syslog(8) facility.  Logging to
              syslog(8) occurs at the "DEBUG" severity.

       -f slapd-config-file
              Specifies the slapd configuration file.  The default is
              /etc/openldap/slapd.conf.

       -F slapd-config-directory
              Specifies the slapd configuration directory.  The default is
              /etc/openldap/slapd.d.  If both -f and -F are specified, the
              config file will be read and converted to config directory
              format and written to the specified directory.  If neither
              option is specified, slapd will attempt to read the default
              config directory before trying to use the default config file.
              If a valid config directory exists then the default config file
              is ignored.  All of the slap tools that use the config options
              observe this same behavior.

       -h URLlist
              slapd will by default serve ldap:/// (LDAP over TCP on all
              interfaces on the default LDAP port).  That is, it will bind
              using INADDR_ANY and port 389.  The -h option may be used to
              specify LDAP (and other scheme) URLs to serve.  For example, if
              slapd is given -h "ldap://127.0.0.1:9009/ ldaps:/// ldapi:///",
              it will listen on 127.0.0.1:9009 for LDAP, on 0.0.0.0:636 for
              LDAP over TLS, and on the default Unix domain socket for LDAP
              over IPC.  Host 0.0.0.0 represents INADDR_ANY (any interface).
              A space separated list of URLs is expected.  The URLs should be
              of the LDAP, PLDAP, LDAPS, PLDAPS, or LDAPI schemes, and
              generally without a DN or other optional parameters (excepting
              as discussed below).  Support for the latter three schemes
              depends on selected configuration options.  Hosts may be
              specified by name or in IPv4 and IPv6 address formats.  Ports,
              if specified, must be numeric.  The default ldap:// port is 389
              and the default ldaps:// port is 636, the same for the
              proxy-enabled variants.

              The PLDAP and PLDAPS URL schemes provide support for the
              HAProxy proxy protocol version 2, which allows a load balancer
              or proxy server to provide the remote client IP address to
              slapd to be used for access control or logging.  Ports
              configured for PLDAP or PLDAPS will only accept connections
              that include the necessary proxy protocol header.  Since slapd
              trusts the address carried in that header, connections to
              these ports should be restricted at the network level to only
              trusted load balancers or proxies, to avoid spoofing of client
              IP addresses by third parties.

              For LDAP over IPC, name is the name of the socket, and no port
              is required, nor allowed; note that directory separators must
              be URL-encoded, like any other characters that are special to
              URLs; so the socket

                      /usr/local/var/ldapi

              must be specified as

                      ldapi://%2Fusr%2Flocal%2Fvar%2Fldapi

              The default location for the IPC socket is /var/run/ldapi.

              The listener permissions are indicated by "x-mod=-rwxrwxrwx",
              "x-mod=0777" or "x-mod=777", where any of the "rwx" can be "-"
              to suppress the related permission, while any of the "7" can
              be any legal octal digit, according to chmod(1).  The listeners
              can take advantage of the "x-mod" extension to apply rough
              limitations to operations, e.g. allow read operations ("r",
              which applies to search and compare), write operations ("w",
              which applies to add, delete, modify and modrdn), and execute
              operations ("x", which means bind is required).  "User"
              permissions apply to authenticated users, while "other" apply
              to anonymous users; "group" permissions are ignored.  For
              example, "ldap:///????x-mod=-rw-------" means that read and
              write are only allowed for authenticated connections, and bind
              is required for all operations.  This feature is experimental,
              and must be manually enabled at configure time.

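              The encoding rule above is easy to get wrong by hand.  The
              following POSIX shell helpers are an added example, not part
              of OpenLDAP or of this manual page: ldapi_url percent-encodes
              a socket path into an ldapi:// URL, xmod_octal validates an
              x-mod value and normalizes it to octal, and listener_urls
              composes a complete -h value from them.  The function names,
              the loopback/LDAPS listener choice and the sample paths are
              assumptions of the example.

```shell
#!/bin/sh
# Added example (not OpenLDAP code): helpers for composing slapd -h URLs.
# Function names and the sample socket paths are this example's own.

# ldapi_url PATH
# Print an ldapi:// URL for the Unix domain socket at PATH.  Every byte
# that is not unreserved (A-Z a-z 0-9 . _ ~ -) is percent-encoded, so the
# "/" directory separators become %2F as slapd(8) requires.  ASCII paths
# only; a multi-byte character would be encoded per code point, not byte.
ldapi_url() {
    path=$1
    enc=""
    while [ -n "$path" ]; do
        c=${path%"${path#?}"}            # first character of what is left
        path=${path#?}
        case $c in
            [A-Za-z0-9._~-]) enc="$enc$c" ;;
            *) enc="$enc$(printf '%%%02X' "'$c")" ;;   # "'x" is x's code
        esac
    done
    printf 'ldapi://%s\n' "$enc"
}

# xmod_octal MODE
# Accept the three spellings slapd(8) documents for x-mod ("-rwxrwxrwx",
# "0777", "777"), print the four-digit octal form, and fail on anything
# else.  In the symbolic form the first triplet applies to authenticated
# users and the last to anonymous users; the middle (group) triplet is
# ignored by slapd but is still converted so the octal value is complete.
xmod_octal() {
    mode=$1
    case $mode in
        [0-7][0-7][0-7])   printf '0%s\n' "$mode"; return 0 ;;
        0[0-7][0-7][0-7])  printf '%s\n' "$mode";  return 0 ;;
        -[r-][w-][x-][r-][w-][x-][r-][w-][x-]) ;;
        *) printf 'invalid x-mod value: %s\n' "$mode" >&2; return 1 ;;
    esac
    sym=${mode#-}
    out=0
    while [ -n "$sym" ]; do
        trip=${sym%"${sym#???}"}          # next rwx triplet
        sym=${sym#???}
        d=0
        case $trip in r??) d=$((d + 4)) ;; esac
        case $trip in ?w?) d=$((d + 2)) ;; esac
        case $trip in ??x) d=$((d + 1)) ;; esac
        out="$out$d"
    done
    printf '%s\n' "$out"
}

# listener_urls SOCKET_PATH [XMOD]
# Print a complete -h value: plain LDAP on loopback only, LDAPS on all
# interfaces, and the IPC socket, the latter carrying an x-mod extension
# in the "????x-mod=" position shown in slapd(8) when XMOD is given
# (x-mod is experimental and must be enabled when slapd is built).
listener_urls() {
    sock=$1
    xmod=$2
    urls="ldap://127.0.0.1:389/ ldaps:/// $(ldapi_url "$sock")"
    if [ -n "$xmod" ]; then
        oct=$(xmod_octal "$xmod") || return 1
        urls="$urls/????x-mod=$oct"
    fi
    printf '%s\n' "$urls"
}

# Example invocation:
#   slapd -h "$(listener_urls /usr/local/var/ldapi -rw-------)"
```

              Because xmod_octal rejects malformed values before slapd is
              started, a typo in the permission string fails loudly in the
              wrapper rather than silently producing a listener with
              unintended access.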
       -r directory
              Specifies a directory to become the root directory.  slapd will
              change the current working directory to this directory and then
              chroot(2) to this directory.  This is done after opening
              listeners but before reading any configuration file or
              initializing any backend, so configuration and database paths
              are resolved inside the new root.  When used as a security
              mechanism, it should be used in conjunction with the -u and -g
              options.

       -u user
              slapd will run as the specified user name or id, with that
              user's supplementary group access list as set with
              initgroups(3).  The group ID is also changed to this user's
              gid, unless the -g option is used to override.  Note that when
              used with -r, slapd will use the user database in the change
              root environment.

              Note that on some systems, running as a non-privileged user
              will prevent passwd back-ends from accessing the stored
              password hashes.  Note also that any shell back-ends will run
              as the specified non-privileged user.

       -g group
              slapd will run with the specified group name or id.  Note that
              when used with -r, slapd will use the group database in the
              change root environment.

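              The -d, -r, -u and -g options interact: the debug log may
              carry bind passwords, and a chroot taken before the
              configuration is read needs user, group and config entries
              inside the jail.  The following POSIX shell wrapper is an
              added example, not part of OpenLDAP or of this manual page.
              It checks those preconditions before starting slapd.  The
              function names, the jail layout, the SLAPD_DRY_RUN switch and
              the sample values are assumptions of the example; the packet
              logging bit value is taken from <ldap_log.h>.

```shell
#!/bin/sh
# Added example (not OpenLDAP code): pre-flight checks for a hardened
# slapd invocation combining -d, -r, -u and -g.  Function names, the
# jail layout and the sample values are this example's own.

# debug_logs_packets LEVEL
# Succeed when a -d value turns on packet logging, i.e. when bind
# passwords will show up in the debug output.  LEVEL is either numeric
# (bit 0x2 is LDAP_DEBUG_PACKETS in <ldap_log.h>; -1 selects everything)
# or a comma-separated list of the loglevel names slapd.conf(5) accepts.
debug_logs_packets() {
    level=$1
    case $level in
        -[0-9]*|[0-9]*) [ $((level & 2)) -ne 0 ]; return ;;
    esac
    case ",$level," in
        *,packets,*|*,any,*) return 0 ;;
        *) return 1 ;;
    esac
}

# protected_logfile PATH
# Create or truncate the file the debug output will be redirected to
# with mode 0600 and read the mode back, so a packet log is never
# world-readable even if the caller's umask is permissive.
protected_logfile() {
    f=$1
    ( umask 077 && : > "$f" ) || return 1
    chmod 0600 "$f" || return 1        # also tightens a pre-existing file
    [ "$(ls -ld "$f" | cut -c1-10)" = "-rw-------" ]
}

# jail_preflight JAIL USER GROUP CONF
# slapd -r chroots before reading its configuration and, per slapd(8),
# resolves the -u user and -g group in the jail's user database, so the
# jail needs its own etc/passwd and etc/group entries and the -f path
# must exist relative to the jail root.  Report every missing piece.
jail_preflight() {
    jail=$1 user=$2 group=$3 conf=$4
    rc=0
    [ -d "$jail" ] || { echo "jail $jail is not a directory" >&2; return 1; }
    grep -q "^$user:" "$jail/etc/passwd" 2>/dev/null ||
        { echo "user $user missing from $jail/etc/passwd" >&2; rc=1; }
    grep -q "^$group:" "$jail/etc/group" 2>/dev/null ||
        { echo "group $group missing from $jail/etc/group" >&2; rc=1; }
    [ -r "$jail/$conf" ] ||
        { echo "config $conf not found under $jail" >&2; rc=1; }
    return $rc
}

# start_slapd JAIL USER GROUP CONF LEVEL LOGFILE
# Run the checks, then exec slapd with -u and -g alongside -r as slapd(8)
# advises when chroot is used as a security measure.  With -d set slapd
# stays in the foreground and writes its debugging to stderr, which is
# sent to LOGFILE.  When SLAPD_DRY_RUN is non-empty the command line is
# printed instead of executed.
start_slapd() {
    jail=$1 user=$2 group=$3 conf=$4 level=$5 log=$6
    jail_preflight "$jail" "$user" "$group" "$conf" || return 1
    protected_logfile "$log" || return 1
    if debug_logs_packets "$level"; then
        echo "notice: -d $level logs packets; $log will contain bind passwords" >&2
    fi
    if [ -n "$SLAPD_DRY_RUN" ]; then
        printf 'slapd -u %s -g %s -r %s -f %s -d %s 2>>%s\n' \
            "$user" "$group" "$jail" "$conf" "$level" "$log"
        return 0
    fi
    exec slapd -u "$user" -g "$group" -r "$jail" -f "$conf" -d "$level" 2>>"$log"
}

# Example:
#   start_slapd /srv/slapd-jail ldap ldap /etc/openldap/slapd.conf 255 /var/log/slapd-debug.log
```

              The -f path is given as it will look from inside the jail
              (/etc/openldap/slapd.conf under /srv/slapd-jail), because the
              chroot happens before the configuration is read.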
       -c cookie
              This option provides a cookie for the syncrepl replication
              consumer.  The cookie is a comma separated list of name=value
              pairs.  Currently supported syncrepl cookie fields are rid,
              sid, and csn.  rid identifies a replication thread within the
              consumer server and is used to find the syncrepl specification
              in slapd.conf(5) or slapd-config(5) having the matching
              replication identifier in its definition.  The rid must be
              provided in order for any other specified values to be used.
              sid is the server id in a multi-provider configuration.  csn is
              the commit sequence number received by a previous
              synchronization and represents the state of the consumer
              content which the syncrepl engine will synchronize to the
              current provider content.  In case of a multi-provider
              replication agreement, multiple csn values, semicolon
              separated, can appear.  Use only the rid part to force a full
              reload.

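              The following POSIX shell helpers are an added example, not
              part of OpenLDAP or of this manual page.  They parse a cookie
              in the format described above, reject fields other than rid,
              sid and csn or a cookie without rid, and derive the rid-only
              cookie that forces a full reload.  The function names are
              assumptions of the example and the csn value in the usage
              comment is constructed for illustration.

```shell
#!/bin/sh
# Added example (not OpenLDAP code): validate and rewrite a syncrepl
# cookie before passing it to slapd -c.  Function names are this
# example's own; the sample csn below is constructed.

# cookie_field COOKIE NAME
# Print the value of the NAME=value pair in a comma-separated cookie, or
# fail when NAME is absent.  A csn value may itself contain ";" separators
# in a multi-provider setup; they are returned untouched.
cookie_field() {
    rest=$1 name=$2
    while [ -n "$rest" ]; do
        pair=${rest%%,*}
        case $rest in *,*) rest=${rest#*,} ;; *) rest="" ;; esac
        case $pair in
            "$name"=*) printf '%s\n' "${pair#*=}"; return 0 ;;
        esac
    done
    return 1
}

# cookie_check COOKIE
# Accept only the fields slapd(8) lists (rid, sid, csn), require rid
# because nothing else is used without it, and reject malformed, empty or
# repeated fields.  Prints the reason on stderr and returns 1 on failure.
cookie_check() {
    rest=$1
    seen=","
    while [ -n "$rest" ]; do
        pair=${rest%%,*}
        case $rest in *,*) rest=${rest#*,} ;; *) rest="" ;; esac
        case $pair in *=*) ;; *) echo "not name=value: $pair" >&2; return 1 ;; esac
        name=${pair%%=*}
        value=${pair#*=}
        case $name in
            rid|sid|csn) ;;
            *) echo "unsupported cookie field: $name" >&2; return 1 ;;
        esac
        [ -n "$value" ] || { echo "empty value for $name" >&2; return 1; }
        case $seen in *",$name,"*) echo "repeated field: $name" >&2; return 1 ;; esac
        seen="$seen$name,"
    done
    case $seen in
        *,rid,*) return 0 ;;
        *) echo "rid is required" >&2; return 1 ;;
    esac
}

# cookie_force_reload COOKIE
# Keep only the rid, which slapd(8) says forces a full reload of the
# consumer content from the provider.
cookie_force_reload() {
    rid=$(cookie_field "$1" rid) || return 1
    printf 'rid=%s\n' "$rid"
}

# Example (constructed cookie):
#   c='rid=001,sid=001,csn=20230731120000.000000Z#000000#001#000000'
#   cookie_check "$c" && slapd -c "$(cookie_force_reload "$c")"
```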
       -o option[=value]
              This option provides a generic means to specify options without
              the need to reserve a separate letter for them.

              It supports the following options:

              slp={on|off|slp-attrs}
                     When SLP support is compiled into slapd, disable it
                     (off), enable it by registering at SLP DAs without
                     specific SLP attributes (on), or register with the
                     specific SLP attributes slp-attrs, which must be an SLP
                     attribute list definition according to the SLP standard.

                     For example,

                         slp=(tree=production),(server-type=OpenLDAP),(server-version=2.4.15)

                     registers at SLP DAs with the three SLP attributes tree,
                     server-type and server-version that have the values
                     given above.  This allows one to specifically query the
                     SLP DAs for LDAP servers holding the production tree in
                     case multiple trees are available.


EXAMPLES

       To start slapd and have it fork and detach from the terminal and start
       serving the LDAP databases defined in the default config file, just
       type:

            slapd

       To start slapd with an alternate configuration file, and turn on
       voluminous debugging which will be printed on standard error, type:

            slapd -f /var/tmp/slapd.conf -d 255

       Note that level 255 includes packet logging, so bind passwords will
       appear in that output; if it is redirected to a file, that file should
       be read-protected.

       To test whether the configuration file is correct or not, type:

            slapd -Tt


SEE ALSO

       ldap(3), slapd.conf(5), slapd-config(5), slapd.access(5), slapacl(8),
       slapadd(8), slapauth(8), slapcat(8), slapdn(8), slapindex(8),
       slappasswd(8), slapschema(8), slaptest(8).

       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)


BUGS

       See http://www.openldap.org/its/


ACKNOWLEDGEMENTS

       OpenLDAP Software is developed and maintained by The OpenLDAP Project
       <http://www.openldap.org/>.  OpenLDAP Software is derived from the
       University of Michigan LDAP 3.3 Release.



OpenLDAP 2.6.6                    2023/07/31                         SLAPD(8C)