slapd.conf(5)

1SLAPD.CONF(5)                 File Formats Manual                SLAPD.CONF(5)
2
3
4

NAME

6       slapd.conf - configuration file for slapd, the stand-alone LDAP daemon
7

SYNOPSIS

9       /etc/openldap/slapd.conf
10

DESCRIPTION

12       The  file  /etc/openldap/slapd.conf  contains configuration information
13       for the slapd(8) daemon.  This configuration file is also used  by  the
14       slurpd(8)  replication  daemon  and by the SLAPD tools slapacl(8), sla‐
15       padd(8),  slapauth(8),   slapcat(8),   slapdn(8),   slapindex(8),   and
16       slaptest(8).
17
18       The  slapd.conf  file  consists  of  a  series  of global configuration
19       options that apply to slapd as a whole (including all  backends),  fol‐
20       lowed  by zero or more database backend definitions that contain infor‐
21       mation specific to a backend instance.  The configuration  options  are
22       case-insensitive;  their  value,  on a case by case basis, may be case-
23       sensitive.
24
25       The general format of slapd.conf is as follows:
26
27           # comment - these options apply to every database
28           <global configuration options>
29           # first database definition & configuration options
30           database <backend 1 type>
31           <configuration options specific to backend 1>
32           # subsequent database definitions & configuration options
33           ...
34
35       As many backend-specific sections as desired may be  included.   Global
36       options  can  be  overridden in a backend (for options that appear more
37       than once, the last appearance in the slapd.conf file is used).
38
39       If a line begins with white space, it is considered a  continuation  of
40       the  previous line.  Blank lines and comment lines beginning with a `#'
41       character are ignored.  Note: continuation lines are  unwrapped  before
42       comment processing is applied.
43
44       Arguments  on  configuration  lines are separated by white space. If an
45       argument contains white space, the argument should be enclosed in  dou‐
46       ble  quotes.   If  an argument contains a double quote (`"') or a back‐
47       slash character (`\'), the character should be preceded by a  backslash
48       character.
49
50       The specific configuration options available are discussed below in the
51       Global Configuration Options,  General  Backend  Options,  and  General
52       Database  Options.   Backend-specific  options  are  discussed  in  the
53       slapd-<backend>(5) manual pages.  Refer to  the  "OpenLDAP  Administra‐
54       tor's Guide" for more details on the slapd configuration file.
55

GLOBAL CONFIGURATION OPTIONS

57       Options described in this section apply to all backends, unless specif‐
58       ically overridden in a backend definition.  Arguments  that  should  be
59       replaced by actual text are shown in brackets <>.
60
61       access to <what> [ by <who> <access> <control> ]+
62              Grant  access (specified by <access>) to a set of entries and/or
63              attributes (specified by  <what>)  by  one  or  more  requestors
64              (specified  by  <who>).   If no access controls are present, the
65              default policy allows anyone and everyone to read  anything  but
66              restricts  updates  to rootdn.  (e.g., "access to * by * read").
67              The  rootdn  can  always  read  and   write   EVERYTHING!    See
68              slapd.access(5)  and  the "OpenLDAP's Administrator's Guide" for
69              details.
70
71       allow <features>
72              Specify a set of features (separated by white  space)  to  allow
73              (default  none).   bind_v2  allows  acceptance  of  LDAPv2  bind
74              requests.  Note that slapd(8) does not  truly  implement  LDAPv2
75              (RFC  1777),  now  Historic  (RFC  3494).  bind_anon_cred allows
76              anonymous bind when credentials are not empty (e.g.  when DN  is
77              empty).   bind_anon_dn  allows  unauthenticated (anonymous) bind
78              when  DN  is  not  empty.   update_anon  allows  unauthenticated
79              (anonymous) update operations to be processed (subject to access
80              controls and other administrative limits).
81
82       argsfile <filename>
83              The ( absolute ) name  of  a  file  that  will  hold  the  slapd
84              server's  command  line options if started without the debugging
85              command line option.
86
87       attributeoptions [option-name]...
88              Define tagging attribute options or option  tag/range  prefixes.
89              Options  must not end with `-', prefixes must end with `-'.  The
90              `lang-' prefix is predefined.  If you use  the  attributeoptions
91              directive,  `lang-' will no longer be defined and you must spec‐
92              ify it explicitly if you want it defined.
93
94              An attribute description with a tagging option is a  subtype  of
95              that attribute description without the option.  Except for that,
96              options defined this way have no  special  semantics.   Prefixes
97              defined  this  way  work like the `lang-' options: They define a
98              prefix for tagging options starting with the prefix.   That  is,
99              if  you  define  the prefix `x-foo-', you can use the option `x-
100              foo-bar'.  Furthermore, in a search  or  compare,  a  prefix  or
101              range  name  (with  a trailing `-') matches all options starting
102              with that name, as well as the option with the range  name  sans
103              the trailing `-'.  That is, `x-foo-bar-' matches `x-foo-bar' and
104              `x-foo-bar-baz'.
105
106              RFC 4520 reserves options beginning with `x-' for private exper‐
107              iments.   Other  options should be registered with IANA, see RFC
108              4520 section 3.5.  OpenLDAP also has the `binary'  option  built
109              in, but this is a transfer option, not a tagging option.
110
111       attributetype  ( <oid>  [NAME <name>]  [DESC <description>]  [OBSOLETE]
112              [SUP <oid>]  [EQUALITY <oid>]  [ORDERING <oid>]   [SUBSTR <oid>]
113              [SYNTAX <oidlen>]           [SINGLE-VALUE]          [COLLECTIVE]
114              [NO-USER-MODIFICATION] [USAGE <attributeUsage>] )
115              Specify an attribute type using the LDAPv3 syntax defined in RFC
116              4512.   The  slapd  parser  extends  the  RFC 4512 definition by
117              allowing string forms as well as numeric OIDs to be used for the
118              attribute    OID   and   attribute   syntax   OID.    (See   the
119              objectidentifier description.)
120
121       authz-policy <policy>
122              Used to specify which rules  to  use  for  Proxy  Authorization.
123              Proxy  authorization  allows  a  client  to  authenticate to the
124              server using one user's credentials,  but  specify  a  different
125              identity  to  use for authorization and access control purposes.
126              It essentially allows user A to login as user B, using user  A's
127              password.   The  none flag disables proxy authorization. This is
128              the default setting.  The  from  flag  will  use  rules  in  the
129              authzFrom  attribute  of the authorization DN.  The to flag will
130              use rules in the authzTo attribute  of  the  authentication  DN.
131              The  any  flag,  an alias for the deprecated value of both, will
132              allow any of the above, whatever succeeds first (checked in  to,
133              from  sequence.   The  all  flag requires both authorizations to
134              succeed.
135
136              The rules are mechanisms to specify which identities are allowed
137              to  perform  proxy authorization.  The authzFrom attribute in an
138              entry specifies which other users are allowed to proxy login  to
139              this  entry.  The  authzTo attribute in an entry specifies which
140              other users this user can authorize as.  Use  of  authzTo  rules
141              can  be  easily  abused  if users are allowed to write arbitrary
142              values to this attribute.  In general the authzTo attribute must
143              be  protected  with  ACLs  such  that  only privileged users can
144              modify it.  The value of  authzFrom  and  authzTo  describes  an
145              identity or a set of identities; it can take five forms:
146
147                     ldap:///<base>??[<scope>]?<filter>
148                     dn[.<dnstyle>]:<pattern>
149                     u[<mech>[<realm>]]:<pattern>
150                     group[/objectClass[/attributeType]]:<pattern>
151                     <pattern>
152
153                     <dnstyle>:={exact|onelevel|children|subtree|regex}
154
155              The  first form is a valid LDAP URI where the <host>:<port>, the
156              <attrs> and the <extensions> portions must be  absent,  so  that
157              the  search  occurs locally on either authzFrom or authzTo.  The
158              second form is a DN, with the optional  style  modifiers  exact,
159              onelevel,  children,  and  subtree for exact, onelevel, children
160              and subtree matches, which  cause  <pattern>  to  be  normalized
161              according  to  the  DN normalization rules, or the special regex
162              style, which causes the <pattern>  to  be  treated  as  a  POSIX
163              (''extended'')  regular  expression,  as  discussed  in regex(7)
164              and/or re_format(7).  A pattern of * means any non-anonymous DN.
165              The third form is a SASL id, with the optional fields <mech> and
166              <realm> that allow to specify a SASL mechanism, and eventually a
167              SASL  realm, for those mechanisms that support one.  The need to
168              allow the specification of a mechanism  is  still  debated,  and
169              users are strongly discouraged to rely on this possibility.  The
170              fourth form is a group specification, consisting of the  keyword
171              group,  optionally  followed  by  the specification of the group
172              objectClass  and  member  attributeType.   The  group  with   DN
173              <pattern> is searched with base scope, and in case of match, the
174              values of the member attributeType are searched for the asserted
175              DN.   For  backwards  compatibility,  if  no  identity  type  is
176              provided, i.e.  only  <pattern>  is  present,  an  exact  DN  is
177              assumed;   as  a  consequence,  <pattern>  is  subjected  to  DN
178              normalization.   Since  the  interpretation  of  authzFrom   and
179              authzTo  can  impact  security, users are strongly encouraged to
180              explicitly set the type of identity specification that is  being
181              used.   A  subset of these rules can be used as third arg in the
182              authz-regexp statement (see below); significantly, the  URI  and
183              the dn.exact:<dn> forms.
184
185       authz-regexp <match> <replace>
186              Used  by  the  authentication  framework  to convert simple user
187              names, such as provided by SASL subsystem, to an  LDAP  DN  used
188              for authorization purposes.  Note that the resultant DN need not
189              refer to an existing entry to  be  considered  valid.   When  an
190              authorization  request  is received from the SASL subsystem, the
191              SASL USERNAME, REALM, and MECHANISM are taken,  when  available,
192              and combined into a name of the form
193
194                     UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth
195
196              This   name   is   then   compared   against   the  match  POSIX
197              (''extended'')  regular  expression,  and  if   the   match   is
198              successful,  the  name  is replaced with the replace string.  If
199              there are wildcard strings in the match regular expression  that
200              are enclosed in parenthesis, e.g.
201
202                     UID=([^,]*),CN=.*
203
204              then  the  portion of the name that matched the wildcard will be
205              stored in the numbered placeholder variable  $1.  If  there  are
206              other wildcard strings in parenthesis, the matching strings will
207              be in $2, $3, etc. up to $9. The placeholders can then  be  used
208              in the replace string, e.g.
209
210                     UID=$1,OU=Accounts,DC=example,DC=com
211
212              The  replaced name can be either a DN, i.e. a string prefixed by
213              "dn:", or an LDAP URI.  If the latter, the server will  use  the
214              URI  to  search  its  own database(s) and, if the search returns
215              exactly one entry, the name is replaced by the DN of that entry.
216              The  LDAP  URI  must  have  no  hostport,  attrs,  or extensions
217              components, but the filter is mandatory, e.g.
218
219                     ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)
220
221              The protocol portion of the URI must  be  strictly  ldap.   Note
222              that  this  search is subject to access controls.  Specifically,
223              the authentication identity  must  have  "auth"  access  in  the
224              subject.
225
226              Multiple  authz-regexp options can be given in the configuration
227              file to allow for multiple matching  and  replacement  patterns.
228              The  matching  patterns  are checked in the order they appear in
229              the file, stopping at the first successful match.
230
231
232       concurrency <integer>
233              Specify  a  desired  level  of  concurrency.   Provided  to  the
234              underlying  thread  system  as  a  hint.   The default is not to
235              provide any hint.
236
237       conn_max_pending <integer>
238              Specify the maximum number of pending requests for an  anonymous
239              session.   If  requests are submitted faster than the server can
240              process them, they will be queued up to this limit. If the limit
241              is exceeded, the session is closed. The default is 100.
242
243       conn_max_pending_auth <integer>
244              Specify   the   maximum   number  of  pending  requests  for  an
245              authenticated session.  The default is 1000.
246
247       defaultsearchbase <dn>
248              Specify a default search base to use when client submits a  non-
249              base  search  request with an empty base DN.  Base scoped search
250              requests with an empty base DN are not affected.
251
252       disallow <features>
253              Specify a set of features (separated by white space) to disallow
254              (default none).  bind_anon disables acceptance of anonymous bind
255              requests.  Note that this setting does  not  prohibit  anonymous
256              directory  access  (See  "require authc").  bind_simple disables
257              simple  (bind)  authentication.   tls_2_anon  disables   forcing
258              session       to       anonymous      status      (see      also
259              tls_authc)uponStartTLSoperationreceipt.  tls_authc dissallow the
260              StartTLS operation if authenticated (see also tls_2_anon).
261
262       ditcontentrule  ( <oid>  [NAME <name>]  [DESC <description>] [OBSOLETE]
263              [AUX <oids>] [MUST <oids>] [MAY <oids>] [NOT <oids>] )
264              Specify an DIT Content Rule using the LDAPv3 syntax  defined  in
265              RFC  4512.   The slapd parser extends the RFC 4512 definition by
266              allowing string forms as well as numeric OIDs to be used for the
267              attribute    OID   and   attribute   syntax   OID.    (See   the
268              objectidentifier description.)
269
270       gentlehup { on | off }
271              A SIGHUP signal will only  cause  a  'gentle'  shutdown-attempt:
272              Slapd  will  stop  listening  for  new connections, but will not
273              close the connections to  the  current  clients.   Future  write
274              operations    return    unwilling-to-perform,   though.    Slapd
275              terminates when all clients have closed  their  connections  (if
276              they ever do), or - as before - if it receives a SIGTERM signal.
277              This can be useful if you wish to terminate the server and start
278              a new slapd server with another database, without disrupting the
279              currently active clients.  The default is off.  You may wish  to
280              use idletimeout along with this option.
281
282       idletimeout <integer>
283              Specify the number of seconds to wait before forcibly closing an
284              idle client  connection.   A  idletimeout  of  0  disables  this
285              feature.  The default is 0.
286
287       include <filename>
288              Read  additional  configuration  information from the given file
289              before continuing with the next line of the current file.
290
291       index_substr_if_minlen <integer>
292              Specify the minimum length for subinitial and subfinal  indices.
293              An  attribute  value  must have at least this many characters in
294              order to be processed by the indexing functions. The default  is
295              2.
296
297       index_substr_if_maxlen <integer>
298              Specify  the maximum length for subinitial and subfinal indices.
299              Only  this  many  characters  of  an  attribute  value  will  be
300              processed  by  the indexing functions; any excess characters are
301              ignored. The default is 4.
302
303       index_substr_any_len <integer>
304              Specify the length used for subany indices. An  attribute  value
305              must  have  at  least  this  many  characters  in  order  to  be
306              processed. Attribute values longer  than  this  length  will  be
307              processed  in  segments  of  this  length. The default is 4. The
308              subany index will also be used in subinitial and subfinal  index
309              lookups   when   the   filter   string   is   longer   than  the
310              index_substr_if_maxlen value.
311
312       index_substr_any_step <integer>
313              Specify the steps used in subany index lookups. This value  sets
314              the  offset  for  the  segments  of  a  filter  string  that are
315              processed for a subany index  lookup.  The  default  is  2.  For
316              example,  with  the  default  values, a search using this filter
317              "cn=*abcdefgh*" would generate index lookups for "abcd", "cdef",
318              and "efgh".
319
320
321       localSSF <SSF>
322              Specifies  the  Security Strength Factor (SSF) to be given local
323              LDAP sessions, such as those to the ldapi://  listener.   For  a
324              description  of  SSF  values,  see sasl-secprops's minssf option
325              description.  The default is 71.
326
327       loglevel <integer> [...]
328              Specify the level at which debugging  statements  and  operation
329              statistics   should   be  syslogged  (currently  logged  to  the
330              syslogd(8)  LOG_LOCAL4  facility).   They  must  be   considered
331              subsystems  rather  than  increasingly verbose log levels.  Some
332              messages with higher  priority  are  logged  regardless  of  the
333              configured  loglevel  as  soon  as  some  logging is configured,
334              otherwise anything is logged at all.  Log levels  are  additive,
335              and available levels are:
336                     1      (0x1 trace) trace function calls
337                     2      (0x2 packet) debug packet handling
338                     4      (0x4 args) heavy trace debugging (function args)
339                     8      (0x8 conns) connection management
340                     16     (0x10 BER) print out packets sent and received
341                     32     (0x20 filter) search filter processing
342                     64     (0x40 config) configuration file processing
343                     128    (0x80 ACL) access control list processing
344                     256    (0x100          stats)          stats          log
345                            connections/operations/results
346                     512    (0x200 stats2) stats log entries sent
347                     1024   (0x400  shell)  print  communication  with   shell
348                            backends
349                     2048   (0x800 parse) entry parsing
350                     4096   (0x1000 cache) caching (unused)
351                     8192   (0x2000 index) data indexing (unused)
352                     16384  (0x4000 sync) LDAPSync replication
353                     32768  (0x8000   none)  only  messages  that  get  logged
354                            whatever log level is set
355              The desired log level can be input  as  a  single  integer  that
356              combines  the  (ORed)  desired  levels,  both  in  decimal or in
357              hexadecimal notation, as a  list  of  integers  (that  are  ORed
358              internally),  or  as  a list of the names that are shown between
359              brackets, such that
360
361                  loglevel 129
362                  loglevel 0x81
363                  loglevel 128 1
364                  loglevel 0x80 0x1
365                  loglevel acl trace
366
367              are equivalent.  The keyword any can be used as  a  shortcut  to
368              enable  logging  at  all levels (equivalent to -1).  The keyword
369              none, or the equivalent  integer  representation,  causes  those
370              messages  that  are logged regardless of the configured loglevel
371              to be logged.  In fact,  if  no  loglevel  (or  a  0  level)  is
372              defined,  no  logging  occurs,  so  at  least  the none level is
373              required to have high priority messages logged.
374
375       moduleload <filename>
376              Specify the name of a dynamically loadable module to  load.  The
377              filename may be an absolute path name or a simple filename. Non-
378              absolute names are searched for in the directories specified  by
379              the modulepath option. This option and the modulepath option are
380              only usable if slapd was compiled with --enable-modules.
381
382       modulepath <pathspec>
383              Specify a list of directories to search  for  loadable  modules.
384              Typically  the  path  is colon-separated but this depends on the
385              operating system.
386
387       objectclass  ( <oid>  [NAME <name>]   [DESC <description>]   [OBSOLETE]
388              [SUP <oids>]   [{   ABSTRACT   |   STRUCTURAL   |  AUXILIARY  }]
389              [MUST <oids>] [MAY <oids>] )
390              Specify an objectclass using the LDAPv3 syntax  defined  in  RFC
391              4512.   The  slapd  parser  extends  the  RFC 4512 definition by
392              allowing string forms as well as numeric OIDs to be used for the
393              object  class  OID.   (See  the  objectidentifier  description.)
394              Object classes are "STRUCTURAL" by default.
395
396       objectidentifier <name> { <oid> | <name>[:<suffix>] }
397              Define a string name that equates to the given OID.  The  string
398              can  be  used  in  place  of  the numeric OID in objectclass and
399              attribute definitions. The name can also be used with  a  suffix
400              of the form ":xx" in which case the value "oid.xx" will be used.
401
402       password-hash <hash> [<hash>...]
403              This  option  configures  one  or  more  hashes  to  be  used in
404              generation  of  user  passwords  stored  in   the   userPassword
405              attribute  during  processing  of  LDAP Password Modify Extended
406              Operations (RFC 3062).  The <hash> must be one of {SSHA}, {SHA},
407              {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}.  The default is {SSHA}.
408
409              {SHA}  and  {SSHA}  use  the  SHA-1  algorithm (FIPS 160-1), the
410              latter with a seed.
411
412              {MD5} and {SMD5} use the MD5 algorithm (RFC  1321),  the  latter
413              with a seed.
414
415              {CRYPT} uses the crypt(3).
416
417              {CLEARTEXT}  indicates  that the new password should be added to
418              userPassword as clear text.
419
420              Note  that  this  option  does  not  alter   the   normal   user
421              applications  handling  of userPassword during LDAP Add, Modify,
422              or other LDAP operations.
423
424       password-crypt-salt-format <format>
425              Specify  the  format  of  the  salt  passed  to  crypt(3)   when
426              generating   {CRYPT}   passwords   (see   password-hash)  during
427              processing of LDAP  Password  Modify  Extended  Operations  (RFC
428              3062).
429
430              This string needs to be in sprintf(3) format and may include one
431              (and  only  one)  %s  conversion.   This  conversion   will   be
432              substituted   with   a   string   of   random   characters  from
433              [A-Za-z0-9./].  For example, "%.2s"  provides  a  two  character
434              salt and "$1$%.8s" tells some versions of crypt(3) to use an MD5
435              algorithm and provides 8 random characters of salt.  The default
436              is "%s", which provides 31 characters of salt.
437
438       pidfile <filename>
439              The  (  absolute  )  name  of  a  file  that will hold the slapd
440              server's process ID ( see getpid(2) )  if  started  without  the
441              debugging command line option.
442
443       referral <url>
444              Specify  the  referral  to pass back when slapd(8) cannot find a
445              local database to  handle  a  request.   If  specified  multiple
446              times, each url is provided.
447
448       replica-argsfile
449              The  (  absolute  )  name  of  a  file that will hold the slurpd
450              server's command line options if started without  the  debugging
451              command line option.
452
453       replica-pidfile
454              The  (  absolute  )  name  of  a  file that will hold the slurpd
455              server's process ID ( see getpid(2) )  if  started  without  the
456              debugging command line option.
457
458       replicationinterval
459              The   number   of  seconds  slurpd  waits  before  checking  the
460              replogfile for changes.
461
462       require <conditions>
463              Specify a set  of  conditions  (separated  by  white  space)  to
464              require (default none).  The directive may be specified globally
465              and/or per-database; databases  inherit  global  conditions,  so
466              per-database  specifications  are  additive.  bind requires bind
467              operation  prior  to  directory  operations.   LDAPv3   requires
468              session   to   be   using   LDAP   version  3.   authc  requires
469              authentication prior to  directory  operations.   SASL  requires
470              SASL  authentication  prior  to  directory  operations.   strong
471              requires strong authentication prior  to  directory  operations.
472              The  strong  keyword allows protected "simple" authentication as
473              well as SASL authentication.  none may be  used  to  require  no
474              conditions (useful to clear out globally set conditions within a
475              particular database);  it  must  occur  first  in  the  list  of
476              conditions.
477
478       reverse-lookup on | off
479              Enable/disable client name unverified reverse lookup (default is
480              off if compiled with --enable-rlookups).
481
482       rootDSE <file>
483              Specify the name of an  LDIF(5)  file  containing  user  defined
484              attributes  for  the root DSE.  These attributes are returned in
485              addition to the attributes normally produced by slapd.
486
487       sasl-host <fqdn>
488              Used to specify the fully qualified domain name  used  for  SASL
489              processing.
490
491       sasl-realm <realm>
492              Specify SASL realm.  Default is empty.
493
494       sasl-secprops <properties>
495              Used  to  specify Cyrus SASL security properties.  The none flag
496              (without  any  other  properties)  causes  the  flag  properties
497              default, "noanonymous,noplain", to be cleared.  The noplain flag
498              disables mechanisms susceptible to simple passive attacks.   The
499              noactive flag disables mechanisms susceptible to active attacks.
500              The nodict  flag  disables  mechanisms  susceptible  to  passive
501              dictionary  attacks.   The  noanonymous flag disables mechanisms
502              which support anonymous  login.   The  forwardsec  flag  require
503              forward   secrecy   between   sessions.   The  passcred  require
504              mechanisms which pass client credentials (and  allow  mechanisms
505              which  can  pass  credentials  to  do  so).  The minssf=<factor>
506              property specifies  the  minimum  acceptable  security  strength
507              factor  as  an  integer approximate to effective key length used
508              for encryption.  0  (zero)  implies  no  protection,  1  implies
509              integrity  protection only, 56 allows DES or other weak ciphers,
510              112 allows triple DES and other strong ciphers, 128 allows  RC4,
511              Blowfish  and  other  modern  strong ciphers.  The default is 0.
512              The maxssf=<factor> property specifies  the  maximum  acceptable
513              security strength factor as an integer (see minssf description).
514              The  default  is  INT_MAX.    The   maxbufsize=<size>   property
515              specifies   the  maximum  security  layer  receive  buffer  size
516              allowed.  0 disables security layers.  The default is 65536.
517
518       schemadn <dn>
519              Specify the distinguished name for the subschema  subentry  that
520              controls   the   entries   on   this  server.   The  default  is
521              "cn=Subschema".
522
523       security <factors>
524              Specify a set of security strength factors (separated  by  white
525              space)  to  require  (see  sasl-secprops's  minssf  option for a
526              description of security strength factors).  The directive may be
527              specified  globally  and/or per-database.  ssf=<n> specifies the
528              overall security strength factor.  transport=<n>  specifies  the
529              transport  security  strength factor.  tls=<n> specifies the TLS
530              security strength factor.  sasl=<n> specifies the SASL  security
531              strength  factor.  update_ssf=<n> specifies the overall security
532              strength   factor   to   require    for    directory    updates.
533              update_transport=<n>  specifies  the transport security strength
534              factor  to  require  for  directory   updates.    update_tls=<n>
535              specifies  the  TLS  security  strength  factor  to  require for
536              directory updates.  update_sasl=<n> specifies the SASL  security
537              strength    factor    to    require   for   directory   updates.
538              simple_bind=<n> specifies the security strength factor  required
539              for  simple  username/password  authentication.   Note  that the
540              transport  factor  is  measure  of  security  provided  by   the
541              underlying  transport, e.g. ldapi:// (and eventually IPSEC).  It
542              is not normally used.
543
544       sizelimit {<integer>|unlimited}
545
546       sizelimit size[.{soft|hard|unchecked}]=<integer> [...]
547              Specify the maximum number of entries to return  from  a  search
548              operation.   The  default  size  limit is 500.  Use unlimited to
549              specify no limits.   The  second  format  allows  a  fine  grain
550              setting of the size limits.  Extra args can be added on the same
551              line.  See limits for an explanation of the different flags.
552
553       sockbuf_max_incoming <integer>
554              Specify  the  maximum  incoming  LDAP  PDU  size  for  anonymous
555              sessions.  The default is 262143.
556
557       sockbuf_max_incoming_auth <integer>
558              Specify  the  maximum  incoming  LDAP PDU size for authenticated
559              sessions.  The default is 4194303.
560
561       threads <integer>
562              Specify the maximum  size  of  the  primary  thread  pool.   The
563              default is 16; the minimum value is 2.
564
565       timelimit {<integer>|unlimited}
566
567       timelimit time[.{soft|hard}]=<integer> [...]
568              Specify  the maximum number of seconds (in real time) slapd will
569              spend answering a search request.  The  default  time  limit  is
570              3600.   Use  unlimited  to specify no limits.  The second format
571              allows a fine grain setting of the time limits.  Extra args  can
572              be added on the same line.  See limits for an explanation of the
573              different flags.
574
575       tool-threads <integer>
576              Specify the maximum number of threads to use in tool mode.  This
577              should  not  be  greater  than the number of CPUs in the system.
578              The default is 1.
579

TLS OPTIONS

581       If slapd is built with support for Transport Layer Security, there  are
582       more options you can specify.
583
584       TLSCipherSuite <cipher-suite-spec>
585              Permits  configuring  what  ciphers  will  be  accepted  and the
586              preference  order.   <cipher-suite-spec>  should  be  a   cipher
587              specification for OpenSSL.  Example:
588
589              TLSCipherSuite HIGH:MEDIUM:+SSLv2
590
591              To check what ciphers a given spec selects, use:
592
593              openssl ciphers -v <cipher-suite-spec>
594
595       TLSCACertificateFile <filename>
596              Specifies  the  file  that  contains certificates for all of the
597              Certificate Authorities that slapd will recognize.
598
599       TLSCACertificatePath <path>
600              Specifies the path of  a  directory  that  contains  Certificate
601              Authority  certificates  in  separate  individual files. Usually
602              only one of this or the TLSCACertificateFile is used.
603
604       TLSCertificateFile <filename>
605              Specifies the file that contains the slapd server certificate.
606
607       TLSCertificateKeyFile <filename>
608              Specifies the file that contains the slapd  server  private  key
609              that  matches  the  certificate stored in the TLSCertificateFile
610              file.  Currently, the private key must not be protected  with  a
611              password,  so  it is of critical importance that it is protected
612              carefully.
613
614       TLSDHParamFile <filename>
615              This directive specifies the file that contains  parameters  for
616              Diffie-Hellman  ephemeral  key  exchange.   This  is required in
617              order to use a DSA certificate on the server. If  multiple  sets
618              of  parameters  are  present  in  the  file, all of them will be
619              processed.  Note  that  setting  this  option  may  also  enable
620              Anonymous  Diffie-Hellman  key  exchanges in certain non-default
621              cipher suites.  You should append "!ADH" to your  cipher  suites
622              if  you  have  changed  them  from  the  default,  otherwise  no
623              certificate exchanges or verification will be done.
624
625       TLSRandFile <filename>
626              Specifies  the  file   to   obtain   random   bits   from   when
627              /dev/[u]random  is  not available.  Generally set to the name of
628              the EGD/PRNGD socket.  The  environment  variable  RANDFILE  can
629              also be used to specify the filename.
630
631       TLSVerifyClient <level>
632              Specifies  what  checks  to perform on client certificates in an
633              incoming TLS session, if any.  The <level> can be  specified  as
634              one of the following keywords:
635
636              never  This is the default.  slapd will not ask the client for a
637                     certificate.
638
639              allow  The client certificate is requested.  If  no  certificate
640                     is  provided,  the  session  proceeds normally.  If a bad
641                     certificate is provided,  it  will  be  ignored  and  the
642                     session proceeds normally.
643
644              try    The  client  certificate is requested.  If no certificate
645                     is provided, the session proceeds  normally.   If  a  bad
646                     certificate  is  provided,  the  session  is  immediately
647                     terminated.
648
649              demand | hard | true
650                     These keywords  are  all  equivalent,  for  compatibility
651                     reasons.   The  client  certificate  is requested.  If no
652                     certificate  is  provided,  or  a  bad   certificate   is
653                     provided, the session is immediately terminated.
654
655                     Note that a valid client certificate is required in order
656                     to use the SASL EXTERNAL authentication mechanism with  a
657                     TLS  session.   As  such,  a  non-default TLSVerifyClient
658                     setting  must  be  chosen   to   enable   SASL   EXTERNAL
659                     authentication.
660
661       TLSCRLCheck <level>
662              Specifies  if  the  Certificate  Revocation List (CRL) of the CA
663              should be used to verify if the  client  certificates  have  not
664              been revoked. This requires TLSCACertificatePath parameter to be
665              set.  <level> can be specified as one of the following keywords:
666
667              none   No CRL checks are performed
668
669              peer   Check the CRL of the peer certificate
670
671              all    Check the CRL for a whole certificate chain
672

GENERAL BACKEND OPTIONS

674       Options in this section only apply to the  configuration  file  section
675       for  the  specified  backend.   They  are  supported  by  every type of
676       backend.
677
678       backend <databasetype>
679              Mark the  beginning  of  a  backend  definition.  <databasetype>
680              should  be  one  of  bdb, config, dnssrv, hdb, ldap, ldbm, ldif,
681              meta,  monitor,  null,  passwd,  perl,  relay,  shell,  or  sql,
682              depending on which backend will serve the database.
683
684

GENERAL DATABASE OPTIONS

686       Options  in  this  section only apply to the configuration file section
687       for the database in which they are  defined.   They  are  supported  by
688       every  type of backend.  Note that the database and at least one suffix
689       option are mandatory for each database.
690
691       database <databasetype>
692              Mark the  beginning  of  a  new  database  instance  definition.
693              <databasetype>  should be one of bdb, config, dnssrv, hdb, ldap,
694              ldbm, ldif, meta, monitor, null, passwd, perl, relay, shell,  or
695              sql, depending on which backend will serve the database.
696
697       lastmod on | off
698              Controls   whether   slapd   will   automatically  maintain  the
699              modifiersName,      modifyTimestamp,      creatorsName,      and
700              createTimestamp  attributes  for  entries.  It also controls the
701              entryCSN and entryUUID  attributes,  which  are  needed  by  the
702              syncrepl provider. By default, lastmod is on.
703
704       limits <who> <limit> [<limit> [...]]
705              Specify   time  and  size  limits  based  on  who  initiated  an
706              operation.  The argument who can be any of
707
708                     anonymous   |   users   |   [dn[.<style>]=]<pattern>    |
709                     group[/oc[/at]]=<pattern>
710
711              with
712
713                     <style>  ::= exact | base | onelevel | subtree | children
714                     | regex | anonymous
715
716              The term anonymous matches  all  unauthenticated  clients.   The
717              term users matches all authenticated clients; otherwise an exact
718              dn pattern is assumed unless otherwise specified  by  qualifying
719              the  (optional)  key  string  dn  with  exact or base (which are
720              synonyms), to require an exact match; with onelevel, to  require
721              exactly  one  level  of  depth match; with subtree, to allow any
722              level of depth match, including the exact match; with  children,
723              to  allow  any  level  of  depth  match, not including the exact
724              match; regex explicitly requires the (default)  match  based  on
725              POSIX   (''extended'')  regular  expression  pattern.   Finally,
726              anonymous matches  unbound  operations;  the  pattern  field  is
727              ignored.   The  same behavior is obtained by using the anonymous
728              form of the who clause.   The  term  group,  with  the  optional
729              objectClass oc and attributeType at fields, followed by pattern,
730              sets the limits for any DN  listed  in  the  values  of  the  at
731              attribute  (default member) of the oc group objectClass (default
732              groupOfNames) whose DN exactly matches pattern.
733
734              The currently supported limits are size and time.
735
736              The syntax  for  time  limits  is  time[.{soft|hard}]=<integer>,
737              where  integer  is  the  number  of  seconds  slapd  will  spend
738              answering a search request.  If  no  time  limit  is  explicitly
739              requested  by  the  client,  the  soft  limit  is  used;  if the
740              requested time limit exceeds the hard limit, the  value  of  the
741              limit  is used instead.  If the hard limit is set to the keyword
742              soft, the soft limit is used in either case; if it is set to the
743              keyword unlimited, no hard limit is enforced.  Explicit requests
744              for time limits smaller or equal to the hard limit are  honored.
745              If  no limit specifier is set, the value is assigned to the soft
746              limit, and the hard limit  is  set  to  soft,  to  preserve  the
747              original behavior.
748
749              The        syntax        for        size        limits        is
750              size[.{soft|hard|unchecked}]=<integer>,  where  integer  is  the
751              maximum  number  of entries slapd will return answering a search
752              request.  If no  size  limit  is  explicitly  requested  by  the
753              client,  the  soft  limit  is  used; if the requested size limit
754              exceeds the hard limit, the value of the limit is used  instead.
755              If  the hard limit is set to the keyword soft, the soft limit is
756              used in either case; if it is set to the keyword  unlimited,  no
757              hard  limit  is  enforced.   Explicit  requests  for size limits
758              smaller or equal to the hard limit are honored.   The  unchecked
759              specifier  sets  a  limit  on  the number of candidates a search
760              request is allowed to examine.  The rationale behind it is  that
761              searches for non-properly indexed attributes may result in large
762              sets of candidates,  which  must  be  examined  by  slapd(8)  to
763              determine  whether  they  match  the  search filter or not.  The
764              unchecked limit provides a means to drop such operations  before
765              they  are  even  started.  If the selected candidates exceed the
766              unchecked  limit,  the  search  will  abort  with  Unwilling  to
767              perform.   If  it  is  set to the keyword unlimited, no limit is
768              applied (the default).  If it is set to disable, the  search  is
769              not  even performed; this can be used to disallow searches for a
770              specific set of users.  If no limit specifier is set, the  value
771              is  assigned  to  the  soft  limit, and the hard limit is set to
772              soft, to preserve the original behavior.
773
774              In case of no match, the global limits are  used.   The  default
775              values  are the same of sizelimit and timelimit; no limit is set
776              on unchecked.
777
778              If pagedResults control is requested, the  hard  size  limit  is
779              used  by default, because the request of a specific page size is
780              considered an explicit request for a limitation on the number of
781              entries  to be returned.  However, the size limit applies to the
782              total count of entries returned within the search, and not to  a
783              single page.  Additional size limits may be enforced; the syntax
784              is size.pr={<integer>|noEstimate|unlimited},  where  integer  is
785              the  max  page  size  if  no  explicit limit is set; the keyword
786              noEstimate inhibits the server from returning an estimate of the
787              total  number  of  entries  that  might  be  returned (note: the
788              current implementation  does  not  return  any  estimate).   The
789              keyword  unlimited  indicates  that  no  limit is applied to the
790              pagedResults     control     page     size.      The      syntax
791              size.prtotal={<integer>|unlimited|disabled}   allows  to  set  a
792              limit on the total number of entries that a pagedResults control
793              allows to return.  By default it is set to the hard limit.  When
794              set, integer is the max number of entries that the whole  search
795              with  pagedResults  control  can return.  Use unlimited to allow
796              unlimited number of entries to be returned, e.g.  to  allow  the
797              use  of  the  pagedResults control as a means to circumvent size
798              limitations on regular searches; the keyword  disabled  disables
799              the  control,  i.e. no paged results can be returned.  Note that
800              the total number  of  entries  returned  when  the  pagedResults
801              control  is  requested  cannot  exceed  the  hard  size limit of
802              regular searches unless extended by the prtotal switch.
803
804       maxderefdepth <depth>
805              Specifies the maximum number  of  aliases  to  dereference  when
806              trying  to resolve an entry, used to avoid infinite alias loops.
807              The default is 1.
808
809       overlay <overlay-name>
810              Add the specified overlay to this  database.  An  overlay  is  a
811              piece  of  code  that intercepts database operations in order to
812              extend or change them. Overlays are pushed onto a stack over the
813              database,  and  so they will execute in the reverse of the order
814              in which they were  configured  and  the  database  itself  will
815              receive control last of all.
816
817       readonly on | off
818              This  option  puts  the  database  into  "read-only"  mode.  Any
819              attempts to modify the database will  return  an  "unwilling  to
820              perform" error.  By default, readonly is off.
821
822       replica          uri=ldap[s]://<hostname>[:port]|host=<hostname>[:port]
823              [starttls=yes|critical]         [suffix=<suffix>          [...]]
824              bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple
825              password>]   [saslmech=<SASL   mech>]    [secprops=<properties>]
826              [realm=<realm>]           [authcId=<authentication          ID>]
827              [authzId=<authorization ID>] [attr[!]=<attr list>]
828              Specify a replication site for  this  database.   Refer  to  the
829              "OpenLDAP  Administrator's  Guide"  for  detailed information on
830              setting up a replicated slapd directory service.  Zero  or  more
831              suffix instances can be used to select the subtrees that will be
832              replicated (defaults to all the database).  host  is  deprecated
833              in  favor of the uri option.  uri allows the replica LDAP server
834              to be specified as an LDAP URI.  A bindmethod of simple requires
835              the  options binddn and credentials and should only be used when
836              adequate security services (e.g TLS or IPSEC) are  in  place.  A
837              bindmethod  of  sasl  requires  the  option  saslmech.  Specific
838              security properties (as with the  sasl-secprops  keyword  above)
839              for  a  SASL  bind  can  be set with the secprops option. A non-
840              default SASL realm can be set with the  realm  option.   If  the
841              mechanism will use Kerberos, a kerberos instance should be given
842              in authcId.  An attr list can be given after the attr keyword to
843              allow  the  selective replication of the listed attributes only;
844              if the  optional  !   mark  is  used,  the  list  is  considered
845              exclusive, i.e. the listed attributes are not replicated.  If an
846              objectClass is listed, all the related attributes are (are  not)
847              replicated.
848
849       replogfile <filename>
850              Specify  the name of the replication log file to log changes to.
851              The replication log is typically written by slapd(8) and read by
852              slurpd(8).   See  slapd.replog(5)  for  more  information.   The
853              specified file should be located in  a  directory  with  limited
854              read/write/execute  access  as  the replication logs may contain
855              sensitive information.
856
857       restrict <oplist>
858              Specify a whitespace  separated  list  of  operations  that  are
859              restricted.    If   defined  inside  a  database  specification,
860              restrictions apply only to that  database,  otherwise  they  are
861              global.   Operations  can  be any of add, bind, compare, delete,
862              extended[=<OID>], modify, rename, search, or the special pseudo-
863              operations read and write, which respectively summarize read and
864              write operations.  The use of restrict write  is  equivalent  to
865              readonly  on  (see  above).   The  extended  keyword  allows  to
866              indicate the OID of the specific operation to be restricted.
867
868       rootdn <dn>
869              Specify the distinguished name that is  not  subject  to  access
870              control  or  administrative limit restrictions for operations on
871              this database.  This DN may or may not  be  associated  with  an
872              entry.   An empty root DN (the default) specifies no root access
873              is to be granted.  It is recommended that  the  rootdn  only  be
874              specified  when  needed  (such  as  when  initially populating a
875              database).  If the rootdn is within a namingContext (suffix)  of
876              the  database, a simple bind password may also be provided using
877              the rootpw directive. Note that the rootdn is always needed when
878              using syncrepl.
879
880       rootpw <password>
881              Specify  a  password  (or  hash of the password) for the rootdn.
882              The password can only  be  set  if  the  rootdn  is  within  the
883              namingContext (suffix) of the database.  This option accepts all
884              RFC 2307 userPassword formats known to the server (see password-
885              hash  description)  as  well as cleartext.  slappasswd(8) may be
886              used to generate a hash of a password.   Cleartext  and  {CRYPT}
887              passwords   are   not  recommended.   If  empty  (the  default),
888              authentication of the root DN is by  other  means  (e.g.  SASL).
889              Use of SASL is encouraged.
890
891       suffix <dn suffix>
892              Specify  the  DN  suffix  of queries that will be passed to this
893              backend database.  Multiple suffix lines can  be  given  and  at
894              least  one  is  required  for  each database definition.  If the
895              suffix of one database is "inside" that of another, the database
896              with the inner suffix must come first in the configuration file.
897
898       subordinate [advertise]
899              Specify  that  the  current backend database is a subordinate of
900              another backend database. A subordinate  database may have  only
901              one  suffix.  This option may be used to glue multiple databases
902              into a single namingContext.   If  the  suffix  of  the  current
903              database  is  within  the  namingContext of a superior database,
904              searches against the superior database will be propagated to the
905              subordinate  as  well.  All  of  the databases associated with a
906              single namingContext should have identical rootdns.  Behavior of
907              other   LDAP  operations  is  unaffected  by  this  setting.  In
908              particular, it is not possible to use moddn  to  move  an  entry
909              from   one   subordinate   to  another  subordinate  within  the
910              namingContext.
911
912              If the optional advertise flag is supplied, the  naming  context
913              of  this  database is advertised in the root DSE. The default is
914              to hide this database context, so that only the superior context
915              is visible.
916
917              If  the  slap  tools slapcat(8), slapadd(8), or slapindex(8) are
918              used on the  superior  database,  any  glued  subordinates  that
919              support these tools are opened as well.
920
921              Databases  that  are glued together should usually be configured
922              with the same indices (assuming they support indexing), even for
923              attributes  that  only  exist  in  some  of  these databases. In
924              general, all of the glued  databases  should  be  configured  as
925              similarly  as  possible,  since  the  intent  is  to provide the
926              appearance of a single directory.
927
928              Note  that  the   subordinate   functionality   is   implemented
929              internally  by  the  glue  overlay and as such its behavior will
930              interact with other  overlays  in  use.  By  default,  the  glue
931              overlay  is  automatically configured as the last overlay on the
932              superior backend. Its position on the backend can be  explicitly
933              configured  by  setting an overlay glue directive at the desired
934              position. This explicit configuration is  necessary  e.g.   when
935              using  the syncprov overlay, which needs to follow glue in order
936              to work over all of the glued databases. E.g.
937                   database bdb
938                   suffix dc=example,dc=com
939                   ...
940                   overlay glue
941                   overlay syncprov
942
943       syncrepl    rid=<replica    ID>    provider=ldap[s]://<hostname>[:port]
944              [type=refreshOnly|refreshAndPersist]      [interval=dd:hh:mm:ss]
945              [retry=[<retry interval> <# of retries>]+] searchbase=<base  DN>
946              [filter=<filter  str>]  [scope=sub|one|base] [attrs=<attr list>]
947              [attrsonly]       [sizelimit=<limit>]        [timelimit=<limit>]
948              [schemachecking=on|off]                  [starttls=yes|critical]
949              [bindmethod=simple|sasl]     [binddn=<dn>]     [saslmech=<mech>]
950              [authcid=<identity>] [authzid=<identity>] [credentials=<passwd>]
951              [realm=<realm>]  [secprops=<properties>]   [logbase=<base   DN>]
952              [logfilter=<filter str>] [syncdata=default|accesslog|changelog]
953              Specify  the  current database as a replica which is kept up-to-
954              date  with  the  master  content  by  establishing  the  current
955              slapd(8)  as  a  replication  consumer  site  running a syncrepl
956              replication engine.  The replica content is kept synchronized to
957              the  master  content  using  the  LDAP  Content  Synchronization
958              protocol. Refer to  the  "OpenLDAP  Administrator's  Guide"  for
959              detailed  information on setting up a replicated slapd directory
960              service using the syncrepl replication engine.   rid  identifies
961              the  current  syncrepl directive within the replication consumer
962              site.  It is a non-negative integer having no  more  than  three
963              digits.    provider  specifies  the  replication  provider  site
964              containing the master content as an LDAP URI. If <port>  is  not
965              given,  the  standard LDAP port number (389 or 636) is used. The
966              content of the  syncrepl  replica  is  defined  using  a  search
967              specification  as  its  result set. The consumer slapd will send
968              search requests to the provider slapd according  to  the  search
969              specification.  The  search  specification  includes searchbase,
970              scope,  filter,  attrs,  attrsonly,  sizelimit,  and   timelimit
971              parameters  as  in  the  normal search specification.  The scope
972              defaults to sub, the filter  defaults  to  (objectclass=*),  and
973              there is no default searchbase. The attrs list defaults to "*,+"
974              to return all user and operational attributes, and attrsonly  is
975              unset  by  default.   The  sizelimit  and  timelimit only accept
976              "unlimited"  and  positive  integers,  and   both   default   to
977              "unlimited".   The LDAP Content Synchronization protocol has two
978              operation  types.   In  the  refreshOnly  operation,  the   next
979              synchronization  search operation is periodically rescheduled at
980              an interval time (specified by  interval  parameter;  1  day  by
981              default)  after each synchronization operation finishes.  In the
982              refreshAndPersist operation, a  synchronization  search  remains
983              persistent in the provider slapd.  Further updates to the master
984              replica will generate searchResultEntry to the consumer slapd as
985              the  search  responses to the persistent synchronization search.
986              If an error occurs during replication, the consumer will attempt
987              to reconnect according to the retry parameter which is a list of
988              the <retry interval> and <# of  retries>  pairs.   For  example,
989              retry="60 10 300 3" lets the consumer retry every 60 seconds for
990              the first 10 times and then retry every 300 seconds for the next
991              3  times  before  stop retrying. The `+' in <# of retries> means
992              indefinite number of retries until success.  The schema checking
993              can be enforced at the LDAP Sync consumer site by turning on the
994              schemachecking parameter. The  default  is  off.   The  starttls
995              parameter  specifies  use  of the StartTLS extended operation to
996              establish a TLS session before Binding to the provider.  If  the
997              StartTLS  request  fails and the critical argument was used, the
998              session  will  be  aborted.  Otherwise  the   syncrepl   session
999              continues  without  TLS.   A  bindmethod  of simple requires the
1000              options binddn and credentials and  should  only  be  used  when
1001              adequate  security services (e.g. TLS or IPSEC) are in place.  A
1002              bindmethod of sasl requires the option saslmech.   Depending  on
1003              the mechanism, an authentication identity and/or credentials can
1004              be  specified  using  authcid  and  credentials.   The   authzid
1005              parameter  may  be  used  to  specify an authorization identity.
1006              Specific security properties (as with the sasl-secprops  keyword
1007              above)  for  a  SASL bind can be set with the secprops option. A
1008              non default SASL realm can be set with the realm option.
1009
1010              Rather than replicating whole entries, the  consumer  can  query
1011              logs  of  data modifications. This mode of operation is referred
1012              to as delta syncrepl. In addition to the above  parameters,  the
1013              logbase  and  logfilter parameters must be set appropriately for
1014              the log that will be used. The syncdata parameter must be set to
1015              either "accesslog" if the log conforms to the slapo-accesslog(5)
1016              log format, or "changelog" if the log conforms to  the  obsolete
1017              changelog format. If the syncdata parameter is omitted or set to
1018              "default" then the log parameters are ignored.
1019
1020       updatedn <dn>
1021              This option is only applicable in a slave database updated using
1022              slurpd(8).   It specifies the DN permitted to update (subject to
1023              access  controls)  the  replica  (typically,  this  is  the   DN
1024              slurpd(8)  binds  to  update  the  replica).  Generally, this DN
1025              should not be the same as the rootdn used at the master.
1026
1027       updateref <url>
1028              Specify the referral to pass back  when  slapd(8)  is  asked  to
1029              modify  a  replicated  local  database.   If  specified multiple
1030              times, each url is provided.
1031
1032

DATABASE-SPECIFIC OPTIONS

1034       Each database  may  allow  specific  configuration  options;  they  are
1035       documented separately in the backends' manual pages.
1036

BACKENDS

1038       The following backends can be compiled into slapd.  They are documented
1039       in the slapd-<backend>[22m(5) manual pages.
1040
1041       bdb    This is the recommended  primary  backend  for  a  normal  slapd
1042              database.   It takes care to configure it properly.  It uses the
1043              transactional database interface of the  Sleepycat  Berkeley  DB
1044              (BDB) package to store data.
1045
1046       config This  backend  is used to manage the configuration of slapd run-
1047              time.
1048
1049       dnssrv This backend is experimental.  It serves up referrals based upon
1050              SRV resource records held in the Domain Name System.
1051
1052       hdb    This  is  a  variant of the BDB backend that uses a hierarchical
1053              database layout which supports subtree renames.
1054
1055       ldap   This backend acts as a proxy to  forward  incoming  requests  to
1056              another LDAP server.
1057
1058       ldbm   This  is  an easy-to-configure but obsolete database backend. It
1059              does not offer the data durability features of the BDB  and  HDB
1060              backends  and  hence  is  deprecated  in  favor  of these robust
1061              backends.    LDBM   uses   lightweight   non-transactional    DB
1062              interfaces,  such  as those providing by GDBM or Berkeley DB, to
1063              store data.
1064
1065       ldif   This database uses the filesystem to build the tree structure of
1066              the  database, using plain ascii files to store data.  Its usage
1067              should be limited to very simple databases, where performance is
1068              not a requirement.
1069
1070       meta   This  backend performs basic LDAP proxying with respect to a set
1071              of remote LDAP  servers.  It  is  an  enhancement  of  the  ldap
1072              backend.
1073
1074       monitor
1075              This  backend  provides  information about the running status of
1076              the slapd daemon.
1077
1078       null   Operations in this backend succeed but do nothing.
1079
1080       passwd This backend is provided for demonstration  purposes  only.   It
1081              serves  up  user  account  information from the system passwd(5)
1082              file.
1083
1084       perl   This backend embeds a perl(1) interpreter into slapd.   It  runs
1085              Perl subroutines to implement LDAP operations.
1086
1087       relay  This  backend  is experimental.  It redirects LDAP operations to
1088              another database in the same server, based on the naming context
1089              of  the  request.   Its use requires the rwm overlay (see slapo-
1090              rwm(5) for  details)  to  rewrite  the  naming  context  of  the
1091              request.  It is primarily intended to implement virtual views on
1092              databases that actually store data.
1093
1094       shell  This  backend  executes  external  programs  to  implement  LDAP
1095              operations.  It is primarily intended to be used in prototypes.
1096
1097       sql    This backend is experimental.  It services LDAP requests from an
1098              SQL database.
1099

OVERLAYS

1101       The following overlays can be compiled into slapd.  They are documented
1102       in the slapo-<overlay>[22m(5) manual pages.
1103
1104       accesslog
1105              Access  Logging.   This  overlay  can record accesses to a given
1106              backend database on another database.
1107
1108       auditlog
1109              Audit Logging.  This overlay records changes on a given  backend
1110              database to an LDIF log file.  By default it is not built.
1111
1112       chain  Chaining.  This overlay allows automatic referral chasing when a
1113              referral would have been returned, either when configured by the
1114              server or when requested by the client.
1115
1116       denyop Deny  Operation.   This overlay allows selected operations to be
1117              denied, similar to the restrict option.
1118
1119       dyngroup
1120              Dynamic Group.  This is a demo overlay which extends the Compare
1121              operation  to  detect  members  of  a  dynamic group.  It has no
1122              effect on any other operations.
1123
1124       dynlist
1125              Dynamic List.  This overlay allows expansion of  dynamic  groups
1126              and more.
1127
1128       lastmod
1129              Last  Modification.   This  overlay maintains a service entry in
1130              the database with the DN, modification type,  modifiersName  and
1131              modifyTimestamp  of  the  last write operation performed on that
1132              database.
1133
1134       pcache Proxycache.  This overlay allows caching of LDAP search requests
1135              in  a  local  database.   It is most often used with the ldap or
1136              meta backends.
1137
1138       ppolicy
1139              Password Policy.  This overlay provides a  variety  of  password
1140              control  mechanisms,  e.g.  password  aging,  password reuse and
1141              duplication control, mandatory password resets, etc.
1142
1143       refint Referential Integrity.  This overlay can be used with a  backend
1144              database  such as slapd-bdb(5) to maintain the cohesiveness of a
1145              schema which utilizes reference attributes.
1146
1147       retcode
1148              Return Code.  This overlay is useful to  test  the  behavior  of
1149              clients when server-generated erroneous and/or unusual responses
1150              occur.
1151
1152       rwm    Rewrite/remap.  This overlay is experimental.  It performs basic
1153              DN/data rewrite and objectClass/attributeType mapping.
1154
1155       syncprov
1156              Syncrepl  Provider.   This  overlay implements the provider-side
1157              support for syncrepl replication,  including  persistent  search
1158              functionality.
1159
1160       translucent
1161              Translucent  Proxy.   This  overlay  can  be used with a backend
1162              database such as slapd-bdb(5) to create a  "translucent  proxy".
1163              Content  of  entries  retrieved from a remote LDAP server can be
1164              partially overridden by the database.
1165
1166       unique Attribute Uniqueness.  This overlay can be used with  a  backend
1167              database  such as slapd-bdb(5) to enforce the uniqueness of some
1168              or all attributes within a subtree.
1169

EXAMPLES

1171       Here is a short example of a configuration file:
1172
1173              include   /etc/openldap/schema/core.schema
1174              pidfile   /var/slapd.pid
1175
1176              # Subtypes of "name" (e.g. "cn" and "ou") with the
1177              # option ";x-hidden" can be searched for/compared,
1178              # but are not shown.  See slapd.access(5).
1179              attributeoptions x-hidden lang-
1180              access to attr=name;x-hidden by * =cs
1181
1182              # Protect passwords.  See slapd.access(5).
1183              access    to attrs=userPassword  by * auth
1184              # Read access to other attributes and entries.
1185              access    to *  by * read
1186
1187              database  bdb
1188              suffix    "dc=our-domain,dc=com"
1189              # The database directory MUST exist prior to
1190              # running slapd AND should only be accessible
1191              # by the slapd/tools. Mode 0700 recommended.
1192              directory /var/openldap-data
1193              # Indices to maintain
1194              index     objectClass  eq
1195              index     cn,sn,mail   pres,eq,approx,sub
1196
1197              # We serve small clients that do not handle referrals,
1198              # so handle remote lookups on their behalf.
1199              database  ldap
1200              suffix    ""
1201              uri       ldap://ldap.some-server.com/
1202              lastmod   off
1203
1204       "OpenLDAP Administrator's Guide" contains a longer annotated example of
1205       a configuration file.  The original /etc/openldap/slapd.conf is another
1206       example.
1207

FILES

1209       /etc/openldap/slapd.conf
1210              default slapd configuration file
1211

ACKNOWLEDGEMENTS

1229       OpenLDAP   is   developed   and  maintained  by  The  OpenLDAP  Project
1230       (http://www.openldap.org/).  OpenLDAP is  derived  from  University  of
1231       Michigan LDAP 3.3 Release.
1232
1233
1234
1235OpenLDAP 2.3.34                    2007/2/16                     SLAPD.CONF(5)