OpenDarwin 7.2.1 - man page for slapd.conf (opendarwin section 5)
SLAPD.CONF(5)									    SLAPD.CONF(5)

NAME
       slapd.conf - configuration file for slapd, the stand-alone LDAP daemon

SYNOPSIS
       /etc/openldap/slapd.conf

DESCRIPTION
       The file /etc/openldap/slapd.conf contains configuration information for the slapd(8) dae-
       mon.  This configuration file is also used by the slurpd(8) replication daemon and by  the
       SLAPD tools slapadd(8), slapcat(8), and slapindex(8).

       The  slapd.conf	file  consists	of a series of global configuration options that apply to
       slapd as a whole (including all backends), followed by zero or more database backend defi-
       nitions that contain information specific to a backend instance.

       The general format of slapd.conf is as follows:

	   # comment - these options apply to every database
	   <global configuration options>
	   # first database definition & configuration options
	   database   <backend 1 type>
	   <configuration options specific to backend 1>
	   # subsequent database definitions & configuration options
	   ...

       As many backend-specific sections as desired may be included.  Global options can be over-
       ridden in a backend (for options that appear more than once, the last  appearance  in  the
       slapd.conf  file  is  used).  Blank lines and comment lines beginning with a `#' character
       are ignored. If a line begins with white space, it is considered  a  continuation  of  the
       previous line.

       Arguments  on  configuration  lines  are separated by white space. If an argument contains
       white space, the argument should be enclosed in double quotes.  If an argument contains	a
       double  quote  (`"') or a backslash character (`\'), the character should be preceded by a
       backslash character.

       The specific configuration options available are discussed below in the Global  Configura-
       tion  Options,  General	Backend  Options, and General Database Options.  Backend-specific
       options are discussed in the slapd-<backend>(5) manual  pages.	Refer  to  the	"OpenLDAP
       Administrator's Guide" for more details on the slapd configuration file.
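The line rules above (comment and blank lines, white-space continuation, double-quoted arguments, backslash escapes) are enough to write a small parser, which is handy for auditing a configuration offline without running slapd. The following is an added example, not OpenLDAP's own parser. The embedded configuration is constructed for the example and its rootpw value is a placeholder, not a real hash. Directive names are compared case-insensitively and later occurrences of a directive win, as the text states; `backend` sections are not modelled, only `database` starts a new section.

```python
"""Parser for the slapd.conf line format described in DESCRIPTION (added example)."""
from typing import Dict, List, Optional, Tuple

# Constructed sample (not from the page).  It deliberately uses continuation
# lines, quoted values and backslash escapes.  The rootpw is a placeholder.
SAMPLE_CONF = r'''
# global section: applies to every database
include         /etc/openldap/schema/core.schema
pidfile         /var/run/slapd.pid
disallow        bind_anon
require         authc
security        ssf=128 simple_bind=128
password-hash   {SSHA}

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# placeholder hash; generate a real one with slappasswd(8)
rootpw          {SSHA}AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
rootDSE         "/etc/openldap/root\"dse\".ldif"
'''

def logical_lines(text: str) -> List[str]:
    """Drop blank and '#' lines; a line beginning with white space continues the previous one."""
    out: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t":
            if out:                       # continuation of the previous logical line
                out[-1] += " " + raw.strip()
            continue                      # leading white space with nothing to continue
        out.append(raw.rstrip())
    return out

def split_args(line: str) -> List[str]:
    """White space separates arguments, double quotes group, backslash escapes
    the next character (needed for a literal '"' or '\\')."""
    args: List[str] = []
    cur: List[str] = []
    in_quotes = pending = False
    i = 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            pending = True
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
            pending = True                # "" is an (empty) argument
        elif c in " \t" and not in_quotes:
            if pending:
                args.append("".join(cur))
                cur, pending = [], False
        else:
            cur.append(c)
            pending = True
        i += 1
    if in_quotes:
        raise ValueError(f"unterminated quote in: {line!r}")
    if pending:
        args.append("".join(cur))
    return args

Section = List[List[str]]

def parse(text: str) -> Tuple[Section, List[Dict[str, object]]]:
    """Return (global directives, databases); a database is {'type':..., 'directives':[...]}."""
    global_opts: Section = []
    databases: List[Dict[str, object]] = []
    for line in logical_lines(text):
        args = split_args(line)
        if not args:
            continue
        if args[0].lower() == "database":
            dbtype = args[1].lower() if len(args) > 1 else None
            databases.append({"type": dbtype, "directives": []})
        elif databases:
            databases[-1]["directives"].append(args)   # type: ignore[union-attr]
        else:
            global_opts.append(args)
    return global_opts, databases

def lookup(section: Section, name: str) -> Optional[List[str]]:
    """Arguments of the last occurrence of a directive (later lines win)."""
    found = None
    for args in section:
        if args[0].lower() == name.lower():
            found = args[1:]
    return found
```

`parse()` gives you the global section and each database as lists of argument vectors, so a check such as "is bind_anon disallowed" or "is rootpw a hashed value" is a one-line `lookup()`.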

GLOBAL CONFIGURATION OPTIONS
       Options described in this section apply to all backends, unless specifically overridden in
       a backend definition. Arguments that should be replaced by actual text are shown in brack-
       ets <>.

       access to <what> [ by <who> <access> <control> ]+
	      Grant  access (specified by <access>) to a set of entries and/or attributes (speci-
	      fied  by	<what>)  by  one  or  more  requestors	 (specified   by   <who>).    See
	      slapd.access(5) and the "OpenLDAP Administrator's Guide" for details.

       allow <features>
	      Specify a set of features (separated by white space) to allow (default none).
	      bind_v2 allows acceptance of LDAPv2 bind requests.  Note that slapd(8) does not
	      truly implement LDAPv2 (RFC 1777), now Historic (RFC 3494).  bind_anon_cred allows
	      anonymous bind when credentials are not empty (e.g. when DN is empty).
	      bind_anon_dn allows unauthenticated (anonymous) bind when DN is not empty.
	      update_anon allows unauthenticated (anonymous) update operations to be processed
	      (subject to access controls and other administrative limits).

       argsfile <filename>
	      The (absolute) name of a file that will hold the slapd server's command line
	      options if started without the debugging command line option.

       attributeoptions [option-name]...
	      Define tagging attribute options or option tag/range prefixes.   Options	must  not
	      end  with  `-',  prefixes must end with `-'.  The `lang-' prefix is predefined.  If
	      you use the attributeoptions directive, `lang-' will no longer be defined  and  you
	      must specify it explicitly if you want it defined.

	      An  attribute  description  with	a  tagging  option is a subtype of that attribute
	      description without the option.  Except for that, options defined this way have  no
	      special  semantics.   Prefixes defined this way work like the `lang-' options: They
	      define a prefix for tagging options starting with the  prefix.   That  is,  if  you
	      define  the prefix `x-foo-', you can use the option `x-foo-bar'.	Furthermore, in a
	      search or compare, a prefix or range name (with a trailing `-') matches all options
	      starting	with that name, as well as the option with the range name sans the trail-
	      ing `-'.	That is, `x-foo-bar-' matches `x-foo-bar' and `x-foo-bar-baz'.

	      RFC2251 reserves options	beginning  with  `x-'  for  private  experiments.   Other
	      options should be registered with IANA, see RFC3383 section 3.4.	OpenLDAP also has
	      the `binary' option built in, but this is a transfer option, not a tagging option.

       attributetype   ( <oid>	 [NAME <name>]	 [OBSOLETE]   [DESC <description>]    [SUP <oid>]
	      [EQUALITY <oid>]	[ORDERING <oid>]  [SUBSTR <oid>] [SYNTAX <oidlen>] [SINGLE-VALUE]
	      [COLLECTIVE] [NO-USER-MODIFICATION] [USAGE <attributeUsage>] )
	      Specify an attribute type using the LDAPv3 syntax defined in RFC 2252.   The  slapd
	      parser  extends the RFC 2252 definition by allowing string forms as well as numeric
	      OIDs to be used  for  the  attribute  OID  and  attribute  syntax  OID.	(See  the
	      objectidentifier description.)

       concurrency <integer>
	      Specify  a  desired level of concurrency.  Provided to the underlying thread system
	      as a hint.  The default is not to provide any hint.

       conn_max_pending <integer>
	      Specify the maximum number of  pending  requests	for  an  anonymous  session.   If
	      requests are submitted faster than the server can process them, they will be queued
	      up to this limit. If the limit is exceeded, the session is closed. The  default  is
	      100.

       conn_max_pending_auth <integer>
	      Specify  the  maximum number of pending requests for an authenticated session.  The
	      default is 1000.

       defaultsearchbase <dn>
	      Specify a default search base to use when client submits a non-base search  request
	      with an empty base DN.

       disallow <features>
	      Specify  a  set  of features (separated by white space) to disallow (default none).
	      bind_anon disables acceptance of anonymous  bind	requests.   bind_simple  disables
	      simple   (bind)	authentication.    bind_krbv4	disables   Kerberos   V4   (bind)
	      authentication.  tls_2_anon disables Start TLS from forcing  session  to	anonymous
	      status  (see  also  tls_authc).	tls_authc disables StartTLS if authenticated (see
	      also tls_2_anon).

       gentlehup { on | off }
	      A SIGHUP signal will only  cause	a  'gentle'  shutdown-attempt:	Slapd  will  stop
	      listening  for  new  connections, but will not close the connections to the current
	      clients.	Future	write  operations  return  unwilling-to-perform,  though.   Slapd
	      terminates  when	all clients have closed their connections (if they ever do), or -
	      as before - if it receives a SIGTERM signal.  This can be useful	if  you  wish  to
	      terminate  the  server  and start a new slapd server with another database, without
	      disrupting the currently active clients.	The default is off.  You may wish to  use
	      idletimeout along with this option.

       idletimeout <integer>
	      Specify the number of seconds to wait before forcibly closing an idle client
	      connection.  An idletimeout of 0 disables this feature.  The default is 0.

       include <filename>
	      Read additional configuration information from the  given  file  before  continuing
	      with the next line of the current file.

       limits <who> <limit> [<limit> [...]]
	      Specify time and size limits based on who initiated an operation.  The argument who
	      can be any of

		     anonymous | users | [dn[.<style>]=]<pattern>

	      with

		     <style> ::= exact | base | one | subtree | children | regex | anonymous

	      Anonymous is hit when a search is performed without prior binding; users is hit
	      when a search is performed by a successfully bound user; otherwise a regex dn
	      pattern is assumed unless otherwise specified by qualifying the (optional) key
	      string dn with exact or base (which are synonyms), to require an exact match; with
	      one, to require exactly one level of depth match; with subtree, to allow any level
	      of depth match, including the exact match; with children, to allow any level of
	      depth match, not including the exact match; regex explicitly requires the (default)
	      match based on regular expression pattern, as detailed in regex(7).  Finally,
	      anonymous matches unbound operations; the pattern field is ignored.  The same
	      behavior is obtained by using the anonymous form of the who clause.

	      The currently supported limits are size and time.

	      The syntax for time limits is time[.{soft|hard}]=<integer>, where integer is the
	      number of seconds slapd will spend answering a search request.  If no time limit is
	      explicitly requested by the client, the soft limit is used; if the requested time
	      limit exceeds the hard limit, an "Administrative limit exceeded" is returned.  If
	      the hard limit is set to 0 or to the keyword "soft", the soft limit is used in
	      either case; if it is set to -1 or to the keyword "none", no hard limit is
	      enforced.  Explicit requests for time limits smaller or equal to the hard limit are
	      honored.  If no flag is set, the value is assigned to the soft limit, and the hard
	      limit is set to zero, to preserve the original behavior.

	      The syntax for size limits is size[.{soft|hard|unchecked}]=<integer>, where integer
	      is the maximum number of entries slapd will return answering a search request.  If
	      no size limit is explicitly requested by the client, the soft limit is used; if the
	      requested size limit exceeds the hard limit, an "Administrative limit exceeded" is
	      returned.  If the hard limit is set to 0 or to the keyword "soft", the soft limit
	      is used in either case; if it is set to -1 or to the keyword "none", no hard limit
	      is enforced.  Explicit requests for size limits smaller or equal to the hard limit
	      are honored.  The unchecked flag sets a limit on the number of candidates a search
	      request is allowed to examine.  If the selected candidates exceed the unchecked
	      limit, the search will abort with "Unwilling to perform".  If it is set to -1 or to
	      the keyword "none", no limit is applied (the default).  If no flag is set, the
	      value is assigned to the soft limit, and the hard limit is set to zero, to preserve
	      the original behavior.

	      In case of no match, the global limits are used.  The default values are the same
	      as those of sizelimit and timelimit; no limit is set on unchecked.
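As an added example (not OpenLDAP's limits.c), the following reimplements in Python the <who> matching styles and the soft/hard/unchecked rules described above, using a constructed limits table. It assumes DNs arrive already normalised and contain no escaped commas, which holds for the constructed DNs used here but not for arbitrary input. The regex style is matched unanchored, as regexec(3) does, which is why the last checks show an unanchored pattern matching a DN outside the intended tree and the anchored form rejecting it.

```python
"""Resolution of per-requester time/size limits for the `limits` directive (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

NONE = -1          # keyword "none": no hard (or unchecked) limit enforced

@dataclass
class Limit:
    soft: int
    hard: int = 0          # 0 / "soft": the soft limit applies either way
    unchecked: int = NONE  # size only: candidates a search may examine

class AdminLimitExceeded(Exception):
    pass

class UnwillingToPerform(Exception):
    pass

def _parent(dn: str) -> str:
    # naive split on the first comma: assumes normalised DNs without escaped commas
    return dn.split(",", 1)[1] if "," in dn else ""

def who_matches(who: str, bind_dn: Optional[str]) -> bool:
    """One <who> clause: anonymous | users | [dn[.<style>]=]<pattern>.
    bind_dn is None for an operation performed without a prior bind."""
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    style, pattern = "regex", who
    if who.startswith(("dn=", "dn.")):
        key, pattern = who.split("=", 1)
        style = key[3:] if key.startswith("dn.") else "regex"
    if style == "anonymous":                  # pattern is ignored
        return bind_dn is None
    if bind_dn is None:
        return False
    if style in ("exact", "base"):
        return bind_dn == pattern
    if style == "one":
        return _parent(bind_dn) == pattern
    if style == "subtree":
        return bind_dn == pattern or bind_dn.endswith("," + pattern)
    if style == "children":
        return bind_dn != pattern and bind_dn.endswith("," + pattern)
    # regex (the default): regexec(3) matches anywhere in the DN, so an
    # unanchored "dn=ou=People,dc=example,dc=com" also matches
    # "uid=x,ou=People,dc=example,dc=com,dc=evil".  Anchor with ^ and $.
    return re.search(pattern, bind_dn) is not None

def resolve(table: List[Tuple[str, Limit]], bind_dn: Optional[str], default: Limit) -> Limit:
    """First matching `limits` line wins; otherwise the global limits apply."""
    for who, limit in table:
        if who_matches(who, bind_dn):
            return limit
    return default

def effective(limit: Limit, requested: int = 0) -> int:
    """Limit to enforce for one request (0 = client asked for none, as in LDAP).
    Raises AdminLimitExceeded when the request exceeds a real hard limit."""
    if requested == 0:
        return limit.soft
    if limit.hard == 0:                 # "soft": the soft limit caps the request
        return min(requested, limit.soft)
    if limit.hard == NONE:
        return requested
    if requested <= limit.hard:         # explicit requests up to hard are honoured
        return requested
    raise AdminLimitExceeded(f"requested {requested} > hard {limit.hard}")

def check_candidates(limit: Limit, candidates: int) -> None:
    """size.unchecked: abort before examining too many candidate entries."""
    if limit.unchecked != NONE and candidates > limit.unchecked:
        raise UnwillingToPerform(f"{candidates} candidates > unchecked {limit.unchecked}")

def raises(exc: type, fn: Callable, *args) -> bool:
    """True if fn(*args) raises exc (helper for the checks)."""
    try:
        fn(*args)
    except exc:
        return True
    return False

# Constructed table in `limits` order.  First match wins, so the broad
# "users" line must come after the specific dn.* lines.
LIMITS: List[Tuple[str, Limit]] = [
    ("anonymous", Limit(soft=10, hard=50)),
    ("dn.exact=cn=Manager,dc=example,dc=com", Limit(soft=500, hard=NONE)),
    ("dn.children=ou=Service,dc=example,dc=com", Limit(soft=500, hard=2000, unchecked=5000)),
    ("users", Limit(soft=100, hard=0)),
]
GLOBAL = Limit(soft=500, hard=0)   # sizelimit default is 500; no flag means hard=0
```

Note the ordering trap the table illustrates: had the `users` line come first, every bound user, including the service accounts, would have been capped at 100 entries and the more specific lines would never be reached.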

       loglevel <integer>
	      Specify the level at which debugging statements and operation statistics should  be
	      syslogged (currently logged to the syslogd(8) LOG_LOCAL4 facility).  Log levels are
	      additive, and available levels are:
		     1	    trace function calls
		     2	    debug packet handling
		     4	    heavy trace debugging
		     8	    connection management
		     16     print out packets sent and received
		     32     search filter processing
		     64     configuration file processing
		     128    access control list processing
		     256    stats log connections/operations/results
		     512    stats log entries sent
		     1024   print communication with shell backends
		     2048   entry parsing

       moduleload <filename>
	      Specify the name of a dynamically loadable module to load. The filename may  be  an
	      absolute path name or a simple filename. Non-absolute names are searched for in the
	      directories specified by the modulepath option.  This  option  and  the  modulepath
	      option are only usable if slapd was compiled with --enable-modules.

       modulepath <pathspec>
	      Specify a list of directories to search for loadable modules. Typically the path is
	      colon-separated but this depends on the operating system.

       objectclass ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE] [SUP <oids>] [{ ABSTRACT
	      | STRUCTURAL | AUXILIARY }] [MUST <oids>] [MAY <oids>] )
	      Specify an objectclass using the LDAPv3 syntax defined in RFC 2252.  The slapd
	      parser extends the RFC 2252 definition by allowing string forms as well as numeric
	      OIDs to be used for the object class OID.  (See the objectidentifier description.)
	      Object classes are "STRUCTURAL" by default.

       objectidentifier <name> { <oid> | <name>[:<suffix>] }
	      Define a string name that equates to the given OID. The string can be used in place
	      of  the  numeric OID in objectclass and attribute definitions. The name can also be
	      used with a suffix of the form ":xx" in which case the value "oid.xx" will be used.

       password-hash <hash>
	      This option sets the hash to be used in generation of user passwords, stored in
	      userPassword, during processing of LDAP Password Modify Extended Operations (RFC
	      3062).  The <hash> must be one of {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, and
	      {CLEARTEXT}.  The default is {SSHA}.

	      {SHA} and {SSHA} use the SHA-1 algorithm (FIPS 180-1), the latter with a seed.

	      {MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter with a seed.

	      {CRYPT} uses crypt(3).

	      {CLEARTEXT} indicates that the new password should be added to userPassword as
	      clear text.

	      Unseeded {SHA} and {MD5} produce the same stored value for every user with the same
	      password, so one precomputed table recovers all of them; prefer the seeded {SSHA}
	      default.  {CLEARTEXT} offers no protection at rest at all.

	      Note that this option does not alter  the  normal  user  applications  handling  of
	      userPassword during LDAP Add, Modify, or other LDAP operations.

       password-crypt-salt-format <format>
	      Specify the format of the salt passed to crypt(3) when generating {CRYPT} passwords
	      (see password-hash) during processing of LDAP Password Modify  Extended  Operations
	      (RFC 3062).

	      This string needs to be in sprintf(3) format and may include one (and only one) %s
	      conversion.  This conversion will be substituted with a string of random characters
	      from [A-Za-z0-9./].  For example, "%.2s" provides a two character salt and
	      "$1$%.8s" tells some versions of crypt(3) to use an MD5 algorithm and provides 8
	      random characters of salt.  The default is "%s", which provides 31 characters of
	      salt.  Note that traditional DES crypt(3) uses only the first two characters of the
	      salt and only the first eight characters of the password, which is one reason the
	      {CRYPT} scheme is not recommended (see rootpw).
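The following added example (standard-library Python, not OpenLDAP's code) generates and verifies the {SHA}, {SSHA}, {MD5}, {SMD5} and {CLEARTEXT} forms described under password-hash and expands a password-crypt-salt-format string; {CRYPT} itself is not reproduced because crypt(3) output is platform specific. The output shape is the one rootpw and userPassword accept and slappasswd(8) prints. The 4-byte seed length is what slappasswd uses for its seeded schemes; the "password" test vector for {SHA} is a well-known value.

```python
"""RFC 2307 userPassword forms and crypt salt expansion (added example)."""
import base64
import hashlib
import hmac
import os
import re
import string
from typing import Optional

SALT_CHARS = string.ascii_letters + string.digits + "./"    # [A-Za-z0-9./], 64 symbols
_ALGO = {"{SHA}": (hashlib.sha1, False), "{SSHA}": (hashlib.sha1, True),
         "{MD5}": (hashlib.md5, False), "{SMD5}": (hashlib.md5, True)}

def _blob(scheme: str, password: bytes, salt: bytes) -> bytes:
    """digest(password [+ seed]) [+ seed]: the seed is stored in the clear after
    the digest so it can be recovered at verification time."""
    algo, seeded = _ALGO[scheme]
    return algo(password + salt).digest() + salt if seeded else algo(password).digest()

def hash_password(password: str, scheme: str = "{SSHA}", salt: Optional[bytes] = None) -> str:
    """Return the '{SCHEME}<base64>' form; {CLEARTEXT} stores the password as-is."""
    scheme = scheme.upper()
    if scheme == "{CLEARTEXT}":
        return password
    if scheme not in _ALGO:
        raise ValueError(f"unsupported scheme {scheme}")
    if salt is None:
        salt = os.urandom(4)    # 4-byte seed, the size slappasswd uses for {SSHA}/{SMD5}
    blob = _blob(scheme, password.encode("utf-8"), salt)
    return scheme + base64.b64encode(blob).decode("ascii")

def verify_password(stored: str, candidate: str) -> bool:
    """Constant-time comparison of a candidate against a stored value."""
    cand = candidate.encode("utf-8")
    if not stored.startswith("{"):          # no scheme prefix: cleartext
        return hmac.compare_digest(stored.encode("utf-8"), cand)
    scheme = stored[: stored.index("}") + 1].upper()
    if scheme not in _ALGO:
        raise ValueError(f"cannot verify scheme {scheme} here")
    blob = base64.b64decode(stored[len(scheme):])
    salt = blob[_ALGO[scheme][0]().digest_size:]   # empty for the unseeded schemes
    return hmac.compare_digest(_blob(scheme, cand, salt), blob)

def crypt_salt(fmt: str = "%s", rng=os.urandom) -> str:
    """Expand a password-crypt-salt-format string: exactly one %s conversion
    (optionally with a precision, e.g. %.8s) is replaced by random salt
    characters.  "%s" yields 31 characters, "$1$%.8s" an MD5-crypt salt,
    "%.2s" the two characters traditional DES crypt(3) actually uses."""
    if len(re.findall(r"%(?:\.\d+)?s", fmt)) != 1 or fmt.count("%") != 1:
        raise ValueError("format must contain exactly one %s conversion")
    pool = "".join(SALT_CHARS[b % 64] for b in rng(31))
    return fmt % pool
```

Hashing the same password twice with the default {SSHA} yields two different stored values, while {SHA} yields the same value every time; that difference is the whole point of the seed.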

       pidfile <filename>
	      The (absolute) name of a file that will hold the slapd server's process ID (see
	      getpid(2)) if started without the debugging command line option.

       referral <url>
	      Specify  the  referral  to  pass back when slapd(8) cannot find a local database to
	      handle a request.  If specified multiple times, each url is provided.

       require <conditions>
	      Specify a set of conditions (separated by white space) to require (default none).
	      The directive may be specified globally and/or per-database.  bind requires bind
	      operation prior to directory operations.  LDAPv3 requires session to be using LDAP
	      version 3.  authc requires authentication prior to directory operations.  SASL
	      requires SASL authentication prior to directory operations.  strong requires strong
	      authentication prior to directory operations.  The strong keyword allows protected
	      "simple" authentication as well as SASL authentication.  none may be used to
	      require no conditions (useful for clearing globally set conditions within a
	      particular database).

       reverse-lookup on | off
	      Enable/disable client name unverified reverse lookup (default is	off  if  compiled
	      with --enable-rlookups).

       rootDSE <file>
	      Specify the name of an LDIF(5) file containing user defined attributes for the root
	      DSE.  These attributes are returned in addition to the attributes normally produced
	      by slapd.

       sasl-authz-policy <policy>
	      Used   to   specify  which  rules  to  use  for  SASL  Proxy  Authorization.  Proxy
	      authorization allows a client to	authenticate  to  the  server  using  one  user's
	      credentials,  but  specify a different identity to use for authorization and access
	      control purposes. It essentially allows user A to login as user B, using	user  A's
	      password.  The none flag disables proxy authorization. This is the default setting.
	      The from flag will use rules in the saslAuthzFrom attribute  of  the  authorization
	      DN.   The to flag will use rules in the saslAuthzTo attribute of the authentication
	      DN.  The both flag will allow both of the  above.  The  rules  are  simply  regular
	      expressions  specifying  which  DNs are allowed to perform proxy authorization. The
	      saslAuthzFrom attribute in an entry specifies which  other  users  are  allowed  to
	      proxy  login  to	this entry. The saslAuthzTo attribute in an entry specifies which
	      other users this user can authorize as.  Use of saslAuthzTo  rules  can  be  easily
	      abused  if  users  are  allowed  to  write  arbitrary values to this attribute.  In
	      general the saslAuthzTo attribute must  be  protected  with  ACLs  such  that  only
	      privileged users can modify it.

       sasl-host <fqdn>
	      Used to specify the fully qualified domain name used for SASL processing.

       sasl-realm <realm>
	      Specify SASL realm.  Default is empty.

       sasl-regexp <match> <replace>
	      Used  by	the SASL authorization mechanism to convert a SASL authenticated username
	      to an LDAP DN. When an authorization request is received, the SASL USERNAME, REALM,
	      and MECHANISM are taken, when available, and combined into a SASL name of the form

		     uid=<username>[,cn=<realm>],cn=<mechanism>,cn=auth

	      This  SASL  name	is then compared against the match regular expression, and if the
	      match is successful, the SASL name is replaced with the replace  string.	If  there
	      are  wildcard  strings  in  the  match  regular  expression  that  are  enclosed in
	      parenthesis, e.g.

			    uid=(.*),cn=.*

	      then the portion of the SASL name that matched the wildcard will be stored  in  the
	      numbered	 placeholder  variable	$1.  If  there	are  other  wildcard  strings  in
	      parenthesis, the	matching  strings  will  be  in  $2,  $3,  etc.  up  to  $9.  The
	      placeholders can then be used in the replace string, e.g.

			    cn=$1,ou=Accounts,dc=$2,dc=$4.

	      The  replaced SASL name can be either a DN or an LDAP URI. If the latter, the slapd
	      server will use the URI to search its own  database,  and  if  the  search  returns
	      exactly  one  entry,  the  SASL name is replaced by the DN of that entry.  Multiple
	      sasl-regexp options can be given in the configuration file to  allow  for  multiple
	      matching	and  replacement patterns. The matching patterns are checked in the order
	      they appear in the file, stopping at the first successful match.
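The mapping described above, reimplemented as an added example (not OpenLDAP's saslauthz.c): the SASL name is built, the rules are tried in order, and $1..$9 are substituted into the first match's replacement. Matching is unanchored and case-insensitive, as with the regcomp(3)/regexec(3) calls slapd uses, so patterns should be anchored. Both rule tables and the suffix dc=example,dc=com are constructed for the example. The second table uses the greedy uid=(.*),cn=.* form from the text to show why captures are better written as [^,]+: a greedy capture runs to the last ",cn=", so a client-chosen username containing ",cn=..." splices extra components into the resulting DN. When the replacement is an LDAP URI, slapd would search with it and use the single matching entry's DN; this example only returns the URI string.

```python
"""sasl-regexp mapping of SASL names to DNs or LDAP URIs (added example)."""
import re
from typing import List, Optional, Tuple

Rule = Tuple[str, str]   # (match regexp, replacement DN or LDAP URI)

def sasl_name(username: str, mechanism: str, realm: Optional[str] = None) -> str:
    """uid=<username>[,cn=<realm>],cn=<mechanism>,cn=auth"""
    parts = [f"uid={username}"] + ([f"cn={realm}"] if realm else [])
    return ",".join(parts + [f"cn={mechanism}", "cn=auth"])

def apply_sasl_regexps(name: str, rules: List[Rule]) -> Optional[str]:
    """First rule whose <match> matches wins and its replacement is returned with
    $1..$9 filled in; None if no rule matches (slapd then keeps the unmapped
    uid=...,cn=auth form, which normally names no entry)."""
    for match, replace in rules:
        m = re.search(match, name, re.IGNORECASE)   # unanchored unless the pattern anchors
        if m is None:
            continue

        def fill(ph: "re.Match[str]") -> str:
            i = int(ph.group(1))
            return (m.group(i) or "") if i <= len(m.groups()) else ""

        return re.sub(r"\$([1-9])", fill, replace)
    return None

# Constructed rules.  `[^,]+` stops a capture at the first comma, and ^/$ pin
# the whole SASL name, so a username containing ",cn=..." cannot splice
# extra components into the DN.
STRICT_RULES: List[Rule] = [
    (r"^uid=([^,]+),cn=digest-md5,cn=auth$",
     "cn=$1,ou=Accounts,dc=example,dc=com"),
    (r"^uid=([^,]+),cn=([^,]+),cn=gssapi,cn=auth$",
     "ldap:///dc=example,dc=com??sub?(uid=$1)"),
]

# The greedy form from the text: (.*) backtracks to the *last* ",cn=", so $1
# swallows everything up to the mechanism component.
LOOSE_RULES: List[Rule] = [
    (r"uid=(.*),cn=.*", "cn=$1,ou=Accounts,dc=example,dc=com"),
]
```

Run against the constructed name for a user called `alice,cn=Manager`, the strict table yields no mapping, while the loose table yields `cn=alice,cn=Manager,cn=DIGEST-MD5,ou=Accounts,dc=example,dc=com`, a DN the administrator never intended to authorize.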

       sasl-secprops <properties>
	      Used to specify Cyrus SASL security properties.  The none flag (without any other
	      properties) causes the default flag properties, "noanonymous,noplain", to be
	      cleared.  The noplain flag disables mechanisms susceptible to simple passive
	      attacks.  The noactive flag disables mechanisms susceptible to active attacks.  The
	      nodict flag disables mechanisms susceptible to passive dictionary attacks.  The
	      noanonymous flag disables mechanisms which support anonymous login.  The forwardsec
	      flag requires forward secrecy between sessions.  The passcred flag requires
	      mechanisms which pass client credentials (and allows mechanisms which can pass
	      credentials to do so).  The minssf=<factor> property specifies the minimum
	      acceptable security strength factor as an integer approximate to effective key
	      length used for encryption.  0 (zero) implies no protection, 1 implies integrity
	      protection only, 56 allows DES or other weak ciphers, 112 allows triple DES and
	      other strong ciphers, 128 allows RC4, Blowfish and other 128-bit ciphers (RC4 is
	      no longer considered secure).  The default is 0.  The maxssf=<factor> property
	      specifies the maximum acceptable security strength factor as an integer (see minssf
	      description).  The default is INT_MAX.  The maxbufsize=<size> property specifies
	      the maximum security layer receive buffer size allowed.  0 disables security
	      layers.  The default is 65536.

       schemadn <dn>
	      Specify the distinguished name for the subschema subentry that controls the entries
	      on this server.  The default is "cn=Subschema".

       security <factors>
	      Specify a set of factors (separated by white space) to require.  An integer value
	      is associated with each factor and is roughly equivalent to the encryption key
	      length to require.  A value of 112 is equivalent to 3DES, 128 to Blowfish, etc.
	      The directive may be specified globally and/or per-database.  ssf=<n> specifies the
	      overall security strength factor.  transport=<n> specifies the transport security
	      strength factor.  tls=<n> specifies the TLS security strength factor.  sasl=<n>
	      specifies the SASL security strength factor.  update_ssf=<n> specifies the overall
	      security strength factor to require for directory updates.  update_transport=<n>
	      specifies the transport security strength factor to require for directory updates.
	      update_tls=<n> specifies the TLS security strength factor to require for directory
	      updates.  update_sasl=<n> specifies the SASL security strength factor to require
	      for directory updates.  simple_bind=<n> specifies the security strength factor
	      required for simple username/password authentication.  Note that the transport
	      factor is a measure of security provided by the underlying transport, e.g. ldapi://
	      (and eventually IPSEC).  It is not normally used.

       sizelimit {<integer>|unlimited}

       sizelimit size[.{soft|hard|unchecked}]=<integer> [...]
	      Specify  the  maximum  number  of  entries  to return from a search operation.  The
	      default size limit is 500.  Use -1 or unlimited to specify no limits.   The  second
	      format  allows a fine grain setting of the size limits.  Extra args can be added on
	      the same line.  See limits for an explanation of the different flags.

       sockbuf_max_incoming <integer>
	      Specify the maximum incoming LDAP PDU size for anonymous sessions.  The default  is
	      262143.

       sockbuf_max_incoming_auth <integer>
	      Specify the maximum incoming LDAP PDU size for authenticated sessions.  The default
	      is 4194303.

       srvtab <filename>
	      Specify the srvtab file in which the kerberos  keys  necessary  for  authenticating
	      clients  using  kerberos	can  be  found. This option is only meaningful if you are
	      using Kerberos authentication.

       threads <integer>
	      Specify the maximum size of the primary thread pool.  The default is 16.

       timelimit {<integer>|unlimited}

       timelimit time[.{soft|hard}]=<integer> [...]
	      Specify the maximum number of seconds (in real time) slapd will spend  answering	a
	      search request.  The default time limit is 3600.	Use -1 or unlimited to specify no
	      limits.  The second format allows a fine grain setting of the time  limits.   Extra
	      args can be added on the same line.  See limits for an explanation of the different
	      flags.

       ucdata-path <path>
	      Specify the path to the directory containing  the  Unicode  character  tables.  The
	      default path is /var/db/openldap/ucdata.

TLS OPTIONS
       If  slapd  is  built with support for Transport Layer Security, there are more options you
       can specify.

       TLSCipherSuite <cipher-suite-spec>
	      Permits configuring what ciphers will be accepted and the preference order.
	      <cipher-suite-spec> should be a cipher specification for OpenSSL.  Example:

	      TLSCipherSuite HIGH:MEDIUM:+SSLv2

	      Note that the + prefix only moves the matching suites to the end of the preference
	      list; it does not remove them, so this example still accepts the obsolete and
	      insecure SSLv2 suites.  On a current server leave them out entirely and also
	      exclude unauthenticated and unencrypted suites, for example HIGH:!aNULL:!eNULL.
	      To check what ciphers a given spec selects, use:

	      openssl ciphers -v <cipher-suite-spec>

       TLSCACertificateFile <filename>
	      Specifies   the  file  that  contains  certificates  for	all  of  the  Certificate
	      Authorities that slapd will recognize.

       TLSCACertificatePath <path>
	      Specifies the path of a directory that contains Certificate Authority  certificates
	      in  separate individual files. Usually only one of this or the TLSCACertificateFile
	      is used.

       TLSCertificateFile <filename>
	      Specifies the file that contains the slapd server certificate.

       TLSCertificateKeyFile <filename>
	      Specifies the file that contains the slapd server  private  key  that  matches  the
	      certificate stored in the TLSCertificateFile file.  Currently, the private key must
	      not be protected with a password, so it  is  of  critical  importance  that  it  is
	      protected carefully.

       TLSRandFile <filename>
	      Specifies the file to obtain random bits from when /dev/[u]random is not available.
	      Generally set to the name  of  the  EGD/PRNGD  socket.   The  environment  variable
	      RANDFILE can also be used to specify the filename.

       TLSVerifyClient <level>
	      Specifies what checks to perform on client certificates in an incoming TLS session,
	      if any.  The <level> can be specified as one of the following keywords:

	      never  This is the default.  slapd will not ask the client for a certificate.

	      allow  The client certificate is requested.  If no  certificate  is  provided,  the
		     session  proceeds	normally.   If	a bad certificate is provided, it will be
		     ignored and the session proceeds normally.

	      try    The client certificate is requested.  If no  certificate  is  provided,  the
		     session proceeds normally.  If a bad certificate is provided, the session is
		     immediately terminated.

	      demand | hard | true
		     These keywords are all equivalent, for compatibility  reasons.   The  client
		     certificate  is  requested.   If  no  certificate	is  provided,  or  a  bad
		     certificate is provided, the session is immediately terminated.

		     Note that a valid client certificate is required in order to  use	the  SASL
		     EXTERNAL  authentication  mechanism  with	a  TLS	session.  As such, a non-
		     default TLSVerifyClient setting must  be  chosen  to  enable  SASL  EXTERNAL
		     authentication.

GENERAL BACKEND OPTIONS
       Options	in  this  section  only apply to the configuration file section for the specified
       backend.  They are supported by every type of backend.

       backend <databasetype>
	      Mark the beginning of a backend definition. <databasetype> should be  one  of  bdb,
	      dnssrv,  ldap,  ldbm,  meta,  monitor,  null,  passwd,  perl,  shell,  sql, or tcl,
	      depending on which backend will serve the database.

GENERAL DATABASE OPTIONS
       Options in this section only apply to the configuration file section for the  database  in
       which  they  are  defined.   They  are  supported by every type of backend.  Note that the
       database and at least one suffix option are mandatory for each database.

       database <databasetype>
	      Mark the beginning of a new database instance definition. <databasetype> should  be
	      one  of  bdb, dnssrv, ldap, ldbm, meta, monitor, null, passwd, perl, shell, sql, or
	      tcl, depending on which backend will serve the database.

       lastmod on | off
	      Controls	 whether   slapd   will   automatically   maintain   the   modifiersName,
	      modifyTimestamp,	creatorsName,  and  createTimestamp  attributes  for entries.  By
	      default, lastmod is on.

       maxderefdepth <depth>
	      Specifies the maximum number of aliases to dereference when trying to resolve an
	      entry, used to avoid infinite alias loops.  The default is 1.

       readonly on | off
	      This  option  puts  the database into "read-only" mode.  Any attempts to modify the
	      database will return an "unwilling to perform" error.  By default, readonly is off.

       replica	   host=<hostname>[:port]     [tls=yes|critical]     [suffix=<suffix>	   [...]]
	      bindmethod=simple|sasl   [binddn=<simple	 DN>]	[credentials=<simple   password>]
	      [saslmech=<SASL	     mech>]	   [secprops=<properties>]	  [realm=<realm>]
	      [authcId=<authentication ID>] [authzId=<authorization ID>] [attr[!]=<attr list>]
	      Specify	a   replication   site	 for  this  database.	Refer  to  the	"OpenLDAP
	      Administrator's Guide" for detailed information on setting up  a	replicated  slapd
	      directory service. Zero or more suffix instances can be used to select the subtrees
	      that will be replicated (defaults to the whole database).  A bindmethod of simple
	      requires the options binddn and credentials and should only be used when adequate
	      security services (e.g. TLS or IPSEC) are in place.  A bindmethod of sasl requires
	      the  option  saslmech.   Specific  security  properties  (as with the sasl-secprops
	      keyword above) for a SASL bind can be set with the secprops option.  A  non-default
	      SASL realm can be set with the realm option.  If the mechanism will use Kerberos, a
	      kerberos instance should be given in authcId.  An attr list can be given after  the
	      attr  keyword  to allow the selective replication of the listed attributes only; if
	      the optional !  mark is used, the list is considered  exclusive,	i.e.  the  listed
	      attributes  are  not  replicated.   If  an  objectClass  is listed, all the related
	      attributes are (are not) replicated.

       replogfile <filename>
	      Specify the name of the replication log file to log changes  to.	 The  replication
	      log  is  typically  written by slapd(8) and read by slurpd(8).  See slapd.replog(5)
	      for more information.  The specified file should be located  in  a  directory  with
	      limited  read/write/execute  access  as  the replication logs may contain sensitive
	      information.

       rootdn <dn>
	      Specify  the  distinguished  name  that  is  not	subject  to  access  control   or
	      administrative  limit restrictions for operations on this database.  This DN may or
	      may not be associated with an entry.  An empty root DN (the default)  specifies  no
	      root  access is to be granted.  It is recommended that the rootdn only be specified
	      when needed (such as when initially populating  a  database).   If  the  rootdn  is
	      within a namingContext (suffix) of the database, a simple bind password may also be
	      provided using the rootpw directive.

       rootpw <password>
	      Specify a password (or hash of the password) for the rootdn.  The password can only
	      be  set  if  the rootdn is within the namingContext (suffix) of the database.  This
	      option accepts all RFC 2307 userPassword formats known to the server (see password-
	      hash  desription)  as  well  as cleartext.  slappasswd(8) may be used to generate a
	      hash of a password.  Cleartext and {CRYPT} passwords are not recommended.  If empty
	      (the default), authentication of the root DN is by other means (e.g. SASL).  Use of
	      SASL is encouraged.
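       As an added illustration (not part of the OpenLDAP manual or source), the following Python
       reproduces the RFC 2307 {SSHA} scheme that slappasswd(8) emits by default, so a value  for
       the rootpw directive can be generated or verified without the tool, and classifies a given
       rootpw argument against the advice above (cleartext and {CRYPT} not recommended).  The  4-
       byte salt is an assumption matching slappasswd's default; the verifier accepts  any  salt
       length because the salt is simply whatever follows the 20-byte SHA-1 digest.

```python
"""Added example (not OpenLDAP code): {SSHA}/{SHA} values for rootpw.

{SSHA} = "{SSHA}" + base64(sha1(password + salt) || salt); the server
recovers the salt from the stored value itself, so no separate field is
needed.  Salt size of 4 bytes is an assumption matching slappasswd(8).
"""
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Return a {SSHA} string for a str password (random salt if none given)."""
    if salt is None:
        salt = os.urandom(4)          # assumed 4-byte salt, as slappasswd uses
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def password_verify(stored, password):
    """Check a cleartext password against a stored {SSHA} or {SHA} value."""
    pw = password.encode("utf-8")
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]      # SHA-1 digest is 20 bytes
        expect = hashlib.sha1(pw + salt).digest()
    elif stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        expect = hashlib.sha1(pw).digest()
    else:
        return False                           # scheme not handled here
    # constant-time comparison, as a server implementation would use
    return hmac.compare_digest(digest, expect)


def rootpw_scheme(value):
    """Classify a rootpw argument as (scheme, acceptable) per the man page:
    empty means root authenticates by other means (e.g. SASL); cleartext
    and {CRYPT} are the two forms the page advises against."""
    if not value:
        return "none", True
    if value.startswith("{") and "}" in value:
        scheme = value[1:value.index("}")].upper()
        return scheme, scheme != "CRYPT"
    return "cleartext", False


if __name__ == "__main__":
    h = ssha_hash("secret")
    print("rootpw", h)
    print("verifies:", password_verify(h, "secret"), rootpw_scheme(h))
```

       The generated string is what goes on the rootpw line; the file itself should still  be
       readable only by the slapd user, since the hash is a credential for the access-control-
       exempt rootdn.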

       suffix <dn suffix>
	      Specify the DN suffix of queries that will be  passed  to  this  backend	database.
	      Multiple	suffix	lines can be given and at least one is required for each database
	      definition.  If the suffix of  one  database  is	"inside"  that	of  another,  the
	      database with the inner suffix must come first in the configuration file.

       subordinate
	      Specify  that  the  current  backend  database  is a subordinate of another backend
	      database. A subordinate database may have only one suffix. This option may be  used
	      to  glue	multiple  databases  into  a  single namingContext.  If the suffix of the
	      current database is within the  namingContext  of  a  superior  database,  searches
	      against the superior database will be propagated to the subordinate as well. All of
	      the databases associated with a single namingContext should have identical rootdns.
	      Behavior	of other LDAP operations is unaffected by this setting. In particular, it
	      is not possible to use moddn to move an  entry  from  one  subordinate  to  another
	      subordinate within the namingContext.
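       As an added worked example (not OpenLDAP code), the following Python reads the  database
       definitions out of a slapd.conf text and checks the three rules stated for suffix  and
       subordinate above: a database whose suffix is inside an earlier database's suffix  (the
       inner one must come first), a subordinate with more than one suffix, and  a  subordinate
       whose rootdn differs from that of its nearest superior database.  SAMPLE_CONF  is  con-
       structed for the demonstration; DN comparison is simplified (case-insensitive, split  on
       commas, no escaped-comma handling) rather than a full RFC 4514 normalisation.

```python
"""Added example (not OpenLDAP code): check slapd.conf suffix/subordinate rules.

Parsing follows the man page: arguments split on white space, double quotes
group an argument, backslash escapes the next character, '#' lines are
comments and a line starting with white space continues the previous one.
"""

# Constructed sample: the second database violates the ordering rule and has
# a different rootdn from its superior.
SAMPLE_CONF = """\
include   /etc/openldap/schema/core.schema

database  bdb
suffix    "dc=our-domain,dc=com"
rootdn    "cn=Manager,dc=our-domain,dc=com"

# this suffix is inside the one above, so it must come FIRST
database  bdb
suffix    "ou=people,dc=our-domain,dc=com"
rootdn    "cn=Admin,dc=our-domain,dc=com"
subordinate

database  ldap
suffix    ""
uri       ldap://ldap.some-server.com/
"""


def split_args(line):
    """Split one logical line into arguments (quotes group, backslash escapes)."""
    args, cur, have, quoted, esc = [], "", False, False, False
    for ch in line:
        if esc:
            cur, esc, have = cur + ch, False, True
        elif ch == "\\":
            esc = True
        elif ch == '"':
            quoted, have = not quoted, True      # "" yields an empty argument
        elif ch.isspace() and not quoted:
            if have:
                args.append(cur)
            cur, have = "", False
        else:
            cur, have = cur + ch, True
    if have:
        args.append(cur)
    return args


def parse_databases(text):
    """Return one dict per 'database' directive with suffixes/rootdn/subordinate."""
    logical = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and logical:
            logical[-1] += " " + raw.strip()     # continuation line
        else:
            logical.append(raw)
    dbs = []
    for line in logical:
        args = split_args(line.strip())
        if not args or args[0].startswith("#"):
            continue
        key = args[0].lower()
        if key == "database" and len(args) > 1:
            dbs.append({"type": args[1], "suffixes": [], "rootdn": None,
                        "subordinate": False})
        elif dbs and key == "suffix" and len(args) > 1:
            dbs[-1]["suffixes"].append(args[1])
        elif dbs and key == "rootdn" and len(args) > 1:
            dbs[-1]["rootdn"] = args[1]
        elif dbs and key == "subordinate":
            dbs[-1]["subordinate"] = True
    return dbs


def rdns(dn):
    """Lower-cased RDN list, most specific first; "" (the root) is empty."""
    return [r.strip().lower() for r in dn.split(",")] if dn.strip() else []


def is_inside(inner, outer):
    """True if DN 'inner' lies strictly below DN 'outer'."""
    i, o = rdns(inner), rdns(outer)
    return len(i) > len(o) and i[len(i) - len(o):] == o


def superior_of(db, dbs):
    """Nearest other database whose suffix encloses one of db's suffixes."""
    best, best_len = None, -1
    for other in dbs:
        if other is db:
            continue
        for s in db["suffixes"]:
            for t in other["suffixes"]:
                if is_inside(s, t) and len(rdns(t)) > best_len:
                    best, best_len = other, len(rdns(t))
    return best


def check_conf(text):
    """Return the list of rule violations found in the database definitions."""
    dbs = parse_databases(text)
    problems = []
    for n, db in enumerate(dbs):
        for s in db["suffixes"]:                # inner suffix must come first
            for earlier in dbs[:n]:
                for t in earlier["suffixes"]:
                    if is_inside(s, t):
                        problems.append('suffix "%s" is inside "%s" but is defined after it' % (s, t))
        if not db["subordinate"]:
            continue
        names = "; ".join(db["suffixes"])
        if len(db["suffixes"]) != 1:
            problems.append("subordinate database %d must have exactly one suffix, has %d" % (n + 1, len(db["suffixes"])))
        sup = superior_of(db, dbs)
        if sup is None:
            problems.append('subordinate "%s" has no superior database' % names)
        elif (sup["rootdn"] or "").lower() != (db["rootdn"] or "").lower():
            problems.append('rootdn of subordinate "%s" differs from superior "%s"' % (names, "; ".join(sup["suffixes"])))
    return problems


if __name__ == "__main__":
    for p in check_conf(SAMPLE_CONF):
        print("problem:", p)
```

       Run against the sample it reports the ordering violation and the rootdn mismatch; swap
       the two bdb definitions and give them the same rootdn and it reports nothing.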

       updatedn <dn>
	      This  option  is	only applicable in a slave slapd.  It specifies the DN allowed to
	      make changes to the replica (typically, this is the  DN  slurpd(8)  binds  as  when
	      making changes to the replica).

       updateref <url>
	      Specify  the  referral  to  pass back when slapd(8) is asked to modify a replicated
	      local database.  If specified multiple times, each url is provided.

DATABASE-SPECIFIC OPTIONS
       Each database may allow specific configuration options; they are documented separately  in
       the slapd-<backend>(5) manual pages.

EXAMPLES
       Here is a short example of a configuration file:

	      include	/etc/openldap/schema/core.schema
	      pidfile	/var/run/slapd.pid

	      # Subtypes of "name" (e.g. "cn" and "ou") with the
	      # option ";x-hidden" can be searched for/compared,
	      # but are not shown.  See slapd.access(5).
	      attributeoptions x-hidden lang-
	      access to attr=name;x-hidden by * =cs

	      database	bdb
	      suffix	"dc=our-domain,dc=com"
	      # The database directory MUST exist prior to
	      # running slapd AND should only be accessible
	      # by the slapd/tools. Mode 700 recommended.
	      directory /var/db/openldap/openldap-data
	      # Indices to maintain
	      index	objectClass  eq
	      index	cn,sn,mail   pres,eq,approx,sub

	      # We serve small clients that do not handle referrals,
	      # so handle remote lookups on their behalf.
	      database	ldap
	      suffix	""
	      uri	ldap://ldap.some-server.com/
	      lastmod	off

       "OpenLDAP  Administrator's  Guide"  contains a longer annotated example of a configuration
       file.  The original /etc/openldap/slapd.conf is another example.

FILES
       /etc/openldap/slapd.conf
	      default slapd configuration file

SEE ALSO
       ldap(3),  slapd-bdb(5),	slapd-dnssrv(5),  slapd-ldap(5),  slapd-ldbm(5),   slapd-meta(5),
       slapd-null(5), slapd-passwd(5), slapd-perl(5), slapd-shell(5), slapd-sql(5), slapd-tcl(5),
       slapd.replog(5),   slapd.access(5),   locale(5),   slapd(8),    slapadd(8),    slapcat(8),
       slapindex(8), slappasswd(8), slurpd(8).

       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

ACKNOWLEDGEMENTS
       OpenLDAP  is  developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
       OpenLDAP is derived from University of Michigan LDAP 3.3 Release.

OpenLDAP 2.1.X				   RELEASEDATE				    SLAPD.CONF(5)