RedHat 9 (Linux i386) - man page for slapd.conf (redhat section 5)

SLAPD.CONF(5)			       File Formats Manual			    SLAPD.CONF(5)

NAME
       slapd.conf - configuration file for slapd, the stand-alone LDAP daemon

SYNOPSIS
       /etc/openldap/slapd.conf

DESCRIPTION
       The file /etc/openldap/slapd.conf contains configuration information for the slapd(8) dae-
       mon.  This configuration file is also used by the slurpd(8) replication daemon and by  the
       SLAPD tools slapadd(8), slapcat(8), and slapindex(8).

       The  slapd.conf	file  consists	of a series of global configuration options that apply to
       slapd as a whole (including all backends), followed by zero or more database backend defi-
       nitions that contain information specific to a backend instance.

       The general format of slapd.conf is as follows:

	   # comment - these options apply to every database
	   <global configuration options>
	   # first database definition & configuration options
	   database   <backend 1 type>
	   <configuration options specific to backend 1>
	   # subsequent database definitions & configuration options
	   ...

       As many backend-specific sections as desired may be included.  Global options can be over-
       ridden in a backend (for options that appear more than once, the last  appearance  in  the
       slapd.conf  file  is  used).  Blank lines and comment lines beginning with a `#' character
       are ignored. If a line begins with white space, it is considered  a  continuation  of  the
       previous line.

       Arguments  on  configuration  lines  are separated by white space. If an argument contains
       white space, the argument should be enclosed in double quotes.  If an argument contains	a
       double  quote  (`"') or a backslash character (`\'), the character should be preceded by a
       backslash character.
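       The line rules above (blank and `#' comment lines ignored, white-space continuation,
       double-quoted arguments, backslash escapes) and the grouping of directives into the global
       section and the backend/database sections, implemented as an added Python example.  This
       is not OpenLDAP's own parser; SAMPLE_CONF is constructed for the example, and include
       lines are recorded like any other directive but not followed.

```python
"""Parser for the slapd.conf line format (added example, not OpenLDAP's code).

Rules implemented, as the man page states them:
  - blank lines and lines beginning with '#' are ignored
  - a line beginning with white space continues the previous line
  - arguments are separated by white space; a double-quoted argument may
    contain white space; '"' and '\\' inside an argument are escaped with '\\'
  - directives before the first backend/database line are global; each
    backend/database line starts a new section
`include` lines are recorded like any other directive but not followed.
"""

# Constructed sample configuration for this example.
SAMPLE_CONF = r'''# comment - these options apply to every database
include         /etc/openldap/schema/core.schema
loglevel        256
password-hash   {SSHA}
access to attr=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read

database        ldbm
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap
index           objectClass eq
# an argument containing an escaped double quote and an escaped backslash
referral        "ldap://ldap.example.com/o=\"Example Inc\",c=us\\sub"
'''


def logical_lines(text):
    """Yield logical lines: comment/blank lines dropped, continuations joined."""
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            current += " " + raw.strip()          # continuation of the previous line
        else:
            if current is not None:
                yield current
            current = raw.rstrip()
    if current is not None:
        yield current


def split_args(line):
    """Split one logical line into arguments, honouring quotes and backslashes."""
    args, buf = [], []
    in_quote = have_token = False
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):       # backslash: take the next char literally
            buf.append(line[i + 1])
            have_token = True
            i += 2
            continue
        if ch == '"':                              # quotes delimit the argument, not part of it
            in_quote = not in_quote
            have_token = True
        elif ch in " \t" and not in_quote:         # unquoted white space ends an argument
            if have_token:
                args.append("".join(buf))
                buf, have_token = [], False
        else:
            buf.append(ch)
            have_token = True
        i += 1
    if in_quote:
        raise ValueError("unterminated double quote: %r" % line)
    if have_token:
        args.append("".join(buf))
    return args


def parse_slapd_conf(text):
    """Return {'global': [(directive, args)], 'backends': [...], 'databases': [...]}."""
    config = {"global": [], "backends": [], "databases": []}
    section = config["global"]
    for line in logical_lines(text):
        args = split_args(line)
        directive, rest = args[0].lower(), args[1:]   # directive names are case-insensitive
        if directive in ("backend", "database"):
            if len(rest) != 1:
                raise ValueError("%s takes exactly one argument: %r" % (directive, line))
            entry = {"type": rest[0].lower(), "directives": []}
            config[directive + "s"].append(entry)
            section = entry["directives"]            # following lines belong to this section
        else:
            section.append((directive, rest))
    return config


if __name__ == "__main__":
    import json
    print(json.dumps(parse_slapd_conf(SAMPLE_CONF), indent=2))
```

       Running the module prints the parsed structure; the tokenizer is the part worth
       checking, since an unescaped quote or a stray continuation line silently changes which
       directive an argument belongs to.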

       The specific configuration options available are discussed below in the Global  Configura-
       tion  Options,  General	Backend Options, General Database Options, LDBM Database-Specific
       Options, Shell Database-Specific Options, and Password Database-Specific Options sections.
       Refer  to the "OpenLDAP Administrator's Guide" for more details on the slapd configuration
       file.

GLOBAL CONFIGURATION OPTIONS
       Options described in this section apply to all backends, unless specifically overridden in
       a backend definition. Arguments that should be replaced by actual text are shown in brack-
       ets <>.

       access to <what> [ by <who> <access> <control> ]+
	      Grant access (specified by <access>) to a set of entries and/or attributes (specified
	      by <what>) by one or more requestors (specified by <who>).  See the "OpenLDAP
	      Administrator's Guide" for details.

       allow <features>
	      Specify a set of features (separated by  white  space)  to  allow  (default  none).
	      tls_2_anon allows Start TLS to force session to anonymous status (see also disallow
	      tls_authc).

       argsfile <filename>
	      The ( absolute ) name of a file that will hold  the  slapd  server's  command  line
	      options if started without the debugging command line option.

       attributetype	( <oid>   [NAME <name>]   [OBSOLETE]   [DESC <description>]   [SUP <oid>]
	      [EQUALITY <oid>] [ORDERING <oid>] [SUBSTR <oid>]	[SYNTAX <oidlen>]  [SINGLE-VALUE]
	      [COLLECTIVE] [NO-USER-MODIFICATION] [USAGE <attributeUsage>] )
	      Specify  an  attribute type using the LDAPv3 syntax defined in RFC 2252.	The slapd
	      parser extends the RFC 2252 definition by allowing string forms as well as  numeric
	      OIDs  to	be  used  for  the  attribute  OID  and  attribute  syntax OID.  (See the
	      objectidentifier description.) Currently the syntax name parser is  case-sensitive.
	      The known syntax names are:
			    AttributeTypeDescription	Audio	 Binary   BitString   Certificate
			    CertificateList  CertificatePair  DN  DeliveryMethod  DirectoryString
			    DITContentRuleDescription  DITStructureRuleDescription  EnhancedGuide
			    FacsimileTelephoneNumber  GeneralizedTime  Guide  IA5String   Integer
			    MatchingRuleDescription   MatchingRuleUseDescription   MailPreference
			    NameAndOptionalUUID 	NameFormDescription	    NumericString
			    ObjectClassDescription  OID  OtherMailbox  OctetString  PostalAddress
			    ProtocolInformation        PresentationAddress	  PrintableString
			    SupportedAlgorithm	    TelephoneNumber	TeletexTerminalIdentifier
			    TelexNumber    UTCTime    LDAPSyntaxDescription    SubstringAssertion
			    NISnetgrouptriple Bootparameter

       concurrency <integer>
	      Specify  a  desired level of concurrency.  Provided to the underlying thread system
	      as a hint.  The default is not to provide any hint.

       defaultaccess { none | auth | compare | search | read | write }
	      Specify the default access level to grant requestors when no access directives were
	      provided	for the database.  The default behavior is to grant 'read' access.  It is
	      recommended that access directives be used instead.

       defaultsearchbase <dn>
	      Specify a default search base to use when client submits a non-base search  request
	      with an empty base DN.

       disallow <features>
	      Specify  a  set  of features (separated by white space) to disallow (default none).
	      bind_v2 disables acceptance of LDAPv2 bind requests.  bind_anon disables acceptance
	      of anonymous bind requests.  bind_anon_cred disables anonymous bind when credentials
	      are not empty (e.g. when DN is empty).  bind_anon_dn disables anonymous bind when DN
	      is not empty.  bind_simple disables simple (bind) authentication.  bind_krbv4
	      disables Kerberos V4 (bind) authentication.  tls_authc disables StartTLS if
	      authenticated (see also allow tls_2_anon).

       idletimeout <integer>
	      Specify the number of seconds to wait before forcibly closing an idle client
	      connection.  An idletimeout of 0 disables this feature.  The default is 0.

       include <filename>
	      Read additional configuration information from the  given  file  before  continuing
	      with the next line of the current file.

       loglevel <integer>
	      Specify  the level at which debugging statements and operation statistics should be
	      syslogged (currently logged to the syslogd(8) LOG_LOCAL4 facility).  Log levels are
	      additive, and available levels are:
		     1	    trace function calls
		     2	    debug packet handling
		     4	    heavy trace debugging
		     8	    connection management
		     16     print out packets sent and received
		     32     search filter processing
		     64     configuration file processing
		     128    access control list processing
		     256    stats log connections/operations/results
		     512    stats log entries sent
		     1024   print communication with shell backends
		     2048   entry parsing

       objectclass  ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE] [SUP <oids>] [{ ABSTRACT
	      | STRUCTURAL | AUXILIARY }] [MUST <oids>] [MAY <oids>] )
	      Specify an objectclass using the LDAPv3 syntax defined  in  RFC  2252.   The  slapd
	      parser  extends the RFC 2252 definition by allowing string forms as well as numeric
	      OIDs to be used for the object class OID.  (See the objectidentifier  description.)
	      Object classes are "STRUCTURAL" by default.

       objectidentifier <name> { <oid> | <name>[:<suffix>] }
	      Define a string name that equates to the given OID. The string can be used in place
	      of the numeric OID in objectclass and attribute definitions. The name can  also  be
	      used with a suffix of the form ":xx" in which case the value "oid.xx" will be used.

       password-hash <hash>
	      The  <hash>  to  use  for  userPassword  generation.  One of {SSHA}, {SHA}, {SMD5},
	      {MD5}, and {CRYPT}.  The default is {SSHA}.

       password-crypt-salt-format <format>
	      Specify the  format  of  the  salt  passed  to  crypt(3)	when  generating  {CRYPT}
	      passwords.  This string needs to be in sprintf(3) format and may include one (and
	      only one) %s conversion.  This conversion will be substituted with a string of random
	      characters from [A-Za-z0-9./].  For example, "%.2s" provides a two character salt
	      and "$1$%.8s" tells some versions of crypt(3) to use an MD5 algorithm and  provides
	      8  random characters of salt.  The default is "%s", which provides 31 characters of
	      salt.
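       The {SSHA}, {SHA}, {SMD5} and {MD5} userPassword forms named under password-hash, and the
       %s salt substitution described under password-crypt-salt-format, as an added Python
       example (not OpenLDAP's or slappasswd's code).  It assumes the usual RFC 2307 layout
       base64(digest(password + salt) + salt) with a 4-byte random salt; {CRYPT} values are not
       produced or verified here, only the salt string that would be handed to crypt(3).

```python
"""RFC 2307 userPassword hashing and crypt salt formats (added example, not OpenLDAP code)."""
import base64
import binascii
import hashlib
import hmac
import os
import re
import secrets

# scheme -> (hashlib algorithm, salted?)
SCHEMES = {
    "{SSHA}": ("sha1", True),
    "{SHA}": ("sha1", False),
    "{SMD5}": ("md5", True),
    "{MD5}": ("md5", False),
}
DIGEST_LEN = {"sha1": 20, "md5": 16}
SCHEME_RE = re.compile(r"(\{[A-Za-z0-9]+\})(.*)$", re.S)


def hash_password(password, scheme="{SSHA}", salt=None):
    """Return {SCHEME}base64(digest(password + salt) + salt); salt is empty for unsalted schemes."""
    algo, salted = SCHEMES[scheme.upper()]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(4)   # 4 random bytes (assumed; the page does not state a salt length)
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return scheme.upper() + base64.b64encode(digest + salt).decode("ascii")


def check_password(stored, password):
    """Verify a candidate against a stored userPassword/rootpw value."""
    m = SCHEME_RE.match(stored)
    if m is None:
        # no {SCHEME} prefix: the value is cleartext (accepted by rootpw, not recommended)
        return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))
    scheme = m.group(1).upper()
    if scheme not in SCHEMES:
        return False           # {CRYPT} and unknown schemes are not handled in this example
    algo, _ = SCHEMES[scheme]
    try:
        raw = base64.b64decode(m.group(2), validate=True)
    except binascii.Error:
        return False
    n = DIGEST_LEN[algo]
    digest, salt = raw[:n], raw[n:]   # the salt is whatever follows the fixed-length digest
    if len(digest) != n:
        return False
    expected = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)


SALT_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./"
CONVERSION_RE = re.compile(r"%(?:\.\d+)?s")


def crypt_salt(fmt="%s"):
    """Expand a password-crypt-salt-format string.

    Exactly one %s conversion (optionally with a precision, e.g. %.8s) is replaced by
    random characters from [A-Za-z0-9./]; the random string is 31 characters long,
    which is what the man page says the default "%s" yields.
    """
    stripped = fmt.replace("%%", "")
    if len(CONVERSION_RE.findall(stripped)) != 1 or stripped.count("%") != 1:
        raise ValueError("format must contain exactly one %%s conversion: %r" % (fmt,))
    random_part = "".join(secrets.choice(SALT_CHARS) for _ in range(31))
    return fmt % random_part


if __name__ == "__main__":
    stored = hash_password("secret")
    print(stored, check_password(stored, "secret"), check_password(stored, "wrong"))
    print(crypt_salt("$1$%.8s"))
```

       Verification compares digests with hmac.compare_digest so that a stored value and a
       candidate of the wrong length or content take the same time to reject.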

       pidfile <filename>
	      The ( absolute ) name of a file that will hold the slapd server's process ID (  see
	      getpid(2) ) if started without the debugging command line option.

       referral <url>
	      Specify  the  referral  to  pass back when slapd(8) cannot find a local database to
	      handle a request.  If specified multiple times, each url is provided.

       require <conditions>
	      Specify a set of conditions (separated by white space) to require  (default  none).
	      The  directive  may  be specified globally and/or per-database.  bind requires bind
	      operation prior to directory operations.	LDAPv3 requires session to be using  LDAP
	      version  3.   authc  requires  authentication  prior to directory operations.  SASL
	      requires SASL authentication prior to directory operations.  strong requires strong
	      authentication prior to directory operations.  Currently the SASL and strong
	      conditions are the same.  none may be used to require no conditions (useful for
	      clearing globally set conditions within a particular database).

       sasl-host <fqdn>
	      Used to specify the fully qualified domain name used for SASL processing.

       sasl-realm <realm>
	      Specify SASL realm.  Default is empty.

       sasl-secprops <properties>
	      Used to specify Cyrus SASL security properties.  The none flag (without any other
	      properties) causes the default flag properties, "noanonymous,noplain", to be
	      cleared.  The noplain flag disables mechanisms susceptible to simple passive
	      attacks.  The noactive flag disables mechanisms susceptible to active attacks.  The
	      nodict flag disables mechanisms susceptible to passive dictionary attacks.  The
	      noanonymous flag disables mechanisms which support anonymous login.  The forwardsec
	      flag requires forward secrecy between sessions.  The passcred flag requires mechanisms
	      which pass client credentials (and allow mechanisms which can pass  credentials  to
	      do  so).	 The  minssf=<factor>  property specifies the minimum acceptable security
	      strength factor as  an  integer  approximate  to	effective  key	length	used  for
	      encryption.   0  (zero) implies no protection, 1 implies integrity protection only,
	      56 allows DES or other weak  ciphers,  112  allows  triple  DES  and  other  strong
	      ciphers,	128 allows RC4, Blowfish and other modern strong ciphers.  The default is
	      0.  The maxssf=<factor> property specifies the maximum acceptable security strength
	      factor  as  an  integer  (see  minssf  description).   The default is INT_MAX.  The
	      maxbufsize=<size> property specifies the maximum security layer receive buffer size
	      allowed.	0 disables security layers.  The default is 65536.

       schemacheck { on | off }
	      Turn schema checking on or off. The default is on.

       security <factors>
	      Specify  a  set of factors (separated by white space) to require.  An integer value
	      is associated with each factor and is roughly equivalent to the encryption key
	      length to require.  A value of 112 is equivalent to 3DES, 128 to Blowfish, etc.
	      The directive may be specified globally and/or per-database.  ssf=<n> specifies the
	      overall  security  strength factor.  transport=<n> specifies the transport security
	      strength factor.	tls=<n> specifies the TLS  security  strength  factor.	 sasl=<n>
	      specifies  the SASL security strength factor.  update_ssf=<n> specifies the overall
	      security strength factor to require for  directory  updates.   update_transport=<n>
	      specifies  the transport security strength factor to require for directory updates.
	      update_tls=<n> specifies the TLS security strength factor to require for	directory
	      updates.	 update_sasl=<n>  specifies  the SASL security strength factor to require
	      for directory updates.  Note that the transport factor is a measure of security
	      provided by the underlying transport, e.g. ldapi:// (and eventually IPSEC).  It is
	      not normally used.

       sizelimit <integer>
	      Specify the maximum number of entries to	return	from  a  search  operation.   The
	      default size limit is 500.

       sockbuf_max_incoming <integer>
	      Specify  the maximum incoming LDAP PDU size for anonymous sessions.  The default is
	      262143.

       sockbuf_max_incoming_auth <integer>
	      Specify the maximum incoming LDAP PDU size for authenticated sessions.  The default
	      is 4194303.

       srvtab <filename>
	      Specify  the  srvtab  file  in which the kerberos keys necessary for authenticating
	      clients using kerberos can be found. This option is  only  meaningful  if  you  are
	      using Kerberos authentication.

       threads <integer>
	      Specify the maximum size of the primary thread pool.  The default is 32.

       timelimit <integer>
	      Specify  the  maximum number of seconds (in real time) slapd will spend answering a
	      search request.  The default time limit is 3600.

TLS OPTIONS
       If slapd is built with support for Transport Layer Security, there are  more  options  you
       can specify.

       TLSCipherSuite <cipher-suite-spec>
	      Permits  configuring  what  ciphers  will  be  accepted  and  the preference order.
	      <cipher-suite-spec> should be a cipher specification for OpenSSL.  Example:

	      TLSCipherSuite HIGH:MEDIUM:+SSLv2

	      To check what ciphers a given spec selects, use:

	      openssl ciphers -v <cipher-suite-spec>

       TLSCertificateFile <filename>
	      Specifies the file that contains the slapd server certificate.

       TLSCertificateKeyFile <filename>
	      Specifies the file that contains the slapd server  private  key  that  matches  the
	      certificate stored in the TLSCertificateFile file.  Currently, the private key must
	      not be protected with a password, so it  is  of  critical  importance  that  it  is
	      protected carefully.

       TLSRandFile <filename>
	      Specifies the file to obtain random bits from when /dev/[u]random is not available.
	      Generally set to the name  of  the  EGD/PRNGD  socket.   The  environment  variable
	      RANDFILE can also be used to specify the filename.

GENERAL BACKEND OPTIONS
       Options	in  this  section  only apply to the configuration file section for the specified
       backend.  They are supported by every type of backend.

       backend <databasetype>
	      Mark the beginning of a backend definition. <databasetype> should be one	of  ldbm,
	      shell, or passwd depending on which backend will serve the database.

GENERAL DATABASE OPTIONS
       Options	in  this section only apply to the configuration file section for the database in
       which they are defined.	They are supported by every type of backend.

       database <databasetype>
	      Mark the beginning of a new database instance definition. <databasetype> should  be
	      one of ldbm, shell, or passwd depending on which backend will serve the database.

       lastmod on | off
	      Controls	 whether   slapd   will   automatically   maintain   the   modifiersName,
	      modifyTimestamp, creatorsName, and  createTimestamp  attributes  for  entries.   By
	      default, lastmod is on.

       readonly on | off
	      This  option  puts  the database into "read-only" mode.  Any attempts to modify the
	      database will return an "unwilling to perform" error.  By default, readonly is off.

       replica	   host=<hostname>[:port]     [tls=yes|critical]     [suffix=<suffix>	   [...]]
	      bindmethod=simple|sasl   [binddn=<simple	 DN>]	[credentials=<simple   password>]
	      [saslmech=<SASL mech>] [secopts=<options>] [realm=<realm>] [authcId=<authentication
	      ID>] [authcId=<authentication ID>]
	      Specify	a   replication   site	 for  this  database.	Refer  to  the	"OpenLDAP
	      Administrator's Guide" for detailed information on setting up  a	replicated  slapd
	      directory service. Zero or more suffix instances can be used to select the subtrees
	      that will be replicated (defaults to all the  database).	A  bindmethod  of  simple
	      requires	the  options binddn and credentials and should only be used when adequate
	      security services (e.g. TLS or IPSEC) are in place. A bindmethod  of  sasl  requires
	      the  option  saslmech.   If  the	mechanism  will use Kerberos, a kerberos instance
	      should be given in authcId.

       replogfile <filename>
	      Specify the name of the replication log file to log changes  to.	 The  replication
	      log  is  typically  written by slapd(8) and read by slurpd(8).  See slapd.replog(5)
	      for more information.  The specified file should be located  in  a  directory  with
	      limited  read/write/execute  access  as  the replication logs may contain sensitive
	      information.

       rootdn <dn>
	      Specify  the  distinguished  name  that  is  not	subject  to  access  control   or
	      administrative  limit restrictions for operations on this database.  This DN may or
	      may not be associated with an entry.  An empty root DN (the default)  specifies  no
	      root  access is to be granted.  It is recommended that the rootdn only be specified
	      when needed (such as when initially populating  a  database).   If  the  rootdn  is
	      within a namingContext (suffix) of the database, a simple bind password may also be
	      provided using the rootpw directive.

       rootpw <password>
	      Specify a password (or hash of the password) for the rootdn.  If the rootdn is  not
	      within  the  namingContext of the database, the provided password is ignored.  This
	      option accepts all RFC 2307 userPassword formats known to the server (see the
	      password-hash description) as well as cleartext.  slappasswd(8) may be used to generate a
	      hash of a password.  Cleartext and {CRYPT} passwords are not recommended.  If empty
	      (the default), authentication of the root DN is by other means (e.g. SASL).  Use of
	      SASL is encouraged.

       suffix <dn suffix>
	      Specify the DN suffix of queries that will be  passed  to  this  backend	database.
	      Multiple	suffix	lines can be given and at least one is required for each database
	      definition.

       updatedn <dn>
	      This option is only applicable in a slave slapd.	It specifies the  DN  allowed  to
	      make  changes  to  the  replica  (typically, this is the DN slurpd(8) binds as when
	      making changes to the replica).

       updateref <url>
	      Specify the referral to pass back when slapd(8) is asked	to  modify  a  replicated
	      local database.  If specified multiple times, each url is provided.

LDBM DATABASE-SPECIFIC OPTIONS
       Options in this category only apply to the LDBM databases.  That is, they must follow a
       "database ldbm" line and come before any subsequent "backend" or "database" lines.

       cachesize <integer>
	      Specify the size in entries of the in-memory cache maintained by the  LDBM  backend
	      database instance.  The default is 1000 entries.

       dbcachesize <integer>
	      Specify  the  size  in bytes of the in-memory cache associated with each open index
	      file. If not supported by the underlying database method, this  option  is  ignored
	      without comment.	The default is 100000 bytes.

       dbnolocking
	      Specify  that  no  database  locking should be performed.  Enabling this option may
	      improve performance at the expense of data security.  Do NOT  run  any  slap  tools
	      while slapd is running.

       dbnosync
	      Specify  that on-disk database contents should not be immediately synchronized with
	      in memory changes.  Enabling this option may improve performance at the expense  of
	      data security.
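       The recommendations this page states for defaultaccess, rootdn/rootpw, replica with
       bindmethod=simple, replogfile, and dbnolocking/dbnosync, gathered into one check over a
       parsed configuration, as an added Python example (not OpenLDAP's code).  It takes
       directives already split into (name, args) tuples, grouped into a global list and one list
       per database; both sample configurations are constructed, the {SSHA} rootpw and the
       credentials in the hardened one are placeholders, and the replica check is a heuristic that
       only sees tls= in the configuration (it cannot know whether IPSEC is in place).

```python
"""Configuration checks for the recommendations stated in slapd.conf(5) (added example)."""
import re

# Constructed sample: one weak configuration, one with the stated recommendations applied.
SAMPLE_WEAK = {
    "global": [
        ("defaultaccess", ["read"]),
        ("password-hash", ["{SSHA}"]),
    ],
    "databases": [{
        "type": "ldbm",
        "directives": [
            ("suffix", ["dc=example,dc=com"]),
            ("rootdn", ["cn=Manager,dc=example,dc=com"]),
            ("rootpw", ["secret"]),                                # cleartext
            ("replica", ["host=replica.example.com:389", "bindmethod=simple",
                         "binddn=cn=Replicator,dc=example,dc=com", "credentials=secret"]),
            ("replogfile", ["/var/lib/ldap/replog"]),
            ("dbnosync", []),
        ],
    }],
}

SAMPLE_HARDENED = {
    "global": [
        ("access", ["to", "attr=userPassword", "by", "self", "write",
                    "by", "anonymous", "auth", "by", "*", "none"]),
        ("access", ["to", "*", "by", "*", "read"]),
        ("password-hash", ["{SSHA}"]),
    ],
    "databases": [{
        "type": "ldbm",
        "directives": [
            ("suffix", ["dc=example,dc=com"]),
            ("rootdn", ["cn=Manager,dc=example,dc=com"]),
            ("rootpw", ["{SSHA}PLACEHOLDER-output-of-slappasswd"]),   # placeholder hash
            ("replica", ["host=replica.example.com:389", "tls=critical", "bindmethod=simple",
                         "binddn=cn=Replicator,dc=example,dc=com", "credentials=PLACEHOLDER"]),
        ],
    }],
}

SCHEME_RE = re.compile(r"\{([A-Za-z0-9]+)\}")


def lint_database(db):
    """Findings are (severity, location, directive, message) tuples."""
    findings = []
    loc = "database %s" % db["type"]
    for name, args in db["directives"]:
        val = args[0] if args else ""
        if name == "rootdn":
            findings.append(("note", loc, name,
                             "rootdn is set; the man page recommends specifying it only when needed"))
        elif name == "rootpw":
            m = SCHEME_RE.match(val)
            if m is None:
                findings.append(("warn", loc, name,
                                 "rootpw is cleartext (not recommended); hash it with slappasswd(8) or use SASL"))
            elif m.group(1).upper() == "CRYPT":
                findings.append(("warn", loc, name, "{CRYPT} rootpw is not recommended"))
        elif name == "replica":
            opts = dict(a.split("=", 1) for a in args if "=" in a)
            # heuristic: simple bind without tls= in the config; IPSEC cannot be seen from here
            if opts.get("bindmethod") == "simple" and opts.get("tls") not in ("yes", "critical"):
                findings.append(("warn", loc, name,
                                 "bindmethod=simple without tls=yes|critical; simple bind needs adequate security (e.g. TLS or IPSEC)"))
        elif name in ("dbnolocking", "dbnosync"):
            findings.append(("warn", loc, name, "%s improves performance at the expense of data security" % name))
        elif name == "replogfile":
            findings.append(("note", loc, name,
                             "replication log %s may contain sensitive information; limit access to its directory" % val))
    return findings


def lint_config(config):
    findings = []
    names = [n for n, _ in config["global"]]
    for db in config["databases"]:
        names += [n for n, _ in db["directives"]]
    for name, args in config["global"]:
        if name == "defaultaccess":
            findings.append(("warn", "global", name,
                             "defaultaccess %s is set; the man page recommends access directives instead" % " ".join(args)))
    if "access" not in names and "defaultaccess" not in names:
        # with neither directive the default behaviour is to grant 'read' to every requestor
        findings.append(("warn", "global", "access", "no access directives: the default grants 'read' access"))
    for db in config["databases"]:
        findings += lint_database(db)
    return findings


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_WEAK):
        print("%-4s %-14s %-14s %s" % finding)
```

       The checks are limited to what the page itself says; anything it only describes without a
       recommendation (such as allow tls_2_anon) is deliberately not flagged.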

       dbsync <frequency> <maxdelays> <delayinterval>
	      Flush dirty database buffers to disk every <frequency> seconds.  Implies dbnosync
	      (i.e. individual updates are no longer written to disk).  It attempts to avoid syncs
	      during periods of peak activity by waiting <delayinterval> seconds if the server is
	      busy, repeating this delay up to <maxdelays> times before  proceeding.   It  is  an
	      attempt  to  provide  higher  write  performance with some amount of data security.
	      Note that it may	still  be  possible  to  get  an  inconsistent	database  if  the
	      underlying engine fills its cache and writes out individual pages and slapd crashes
	      or is killed before the next sync.  <maxdelays> and  <delayinterval>  are  optional
	      and  default  to	12 and 5 respectively, giving a total elapsed delay of 60 seconds
	      before a sync will occur.  <maxdelays> may be zero, and <delayinterval> must  be	1
	      or greater.

       directory <directory>
	      Specify  the directory where the LDBM files containing this database and associated
	      indexes live.  A separate directory must	be  specified  for  each  database.   The
	      default is /var/run/openldap-ldbm.

       index {<attrlist>|default} [pres,eq,approx,sub,<special>]
	      Specify  the  indexes  to  maintain  for	the given attribute. If only an <attr> is
	      given, the indices specified for default are maintained.	A number of special index
	      parameters may be specified.  The index type sub can be decomposed into subinitial,
	      subany, and subfinal indices.  The special type lang may be specified to allow use
	      of this index by language subtypes.  The special type autolang may be specified to
	      automatically maintain separate indices for each language subtype.  The special
	      type subtypes may be specified to allow use of this index by named subtypes.  The
	      special type autosubtypes may be specified to automatically maintain separate
	      indices for each other subtype.

       mode <integer>
	      Specify  the  file  protection  mode that newly created database index files should
	      have.  The default is 0600.

SHELL DATABASE-SPECIFIC OPTIONS
       Options in this category only apply to the SHELL backend  database.  That  is,  they  must
       follow  a  "database  shell"  line  and come before any subsequent "backend" or "database"
       lines.  The Shell backend executes external  programs  to  implement  operations,  and  is
       designed to make it easy to tie an existing database to the slapd front-end.

       bind <pathname>

       unbind <pathname>

       search <pathname>

       compare <pathname>

       modify <pathname>

       modrdn <pathname>

       add <pathname>

       delete <pathname>

       abandon <pathname>
	      These  options  specify  the  pathname of the command to execute in response to the
	      given LDAP operation.

       Note that you need only supply configuration lines for those commands you want the backend
       to  handle.  Operations	for  which  a  command	is  not  supplied will be refused with an
       "unwilling to perform" error.

PASSWORD DATABASE-SPECIFIC OPTIONS
       Options in this category only apply to the PASSWD backend database.  That  is,  they  must
       follow  a  "database  passwd"  line and come before any subsequent "backend" or "database"
       lines.  The PASSWD database serves up the user account information listed  in  the  system
       passwd(5) file.

       file <filename>
	      Specifies an alternate passwd file to use.  The default is /etc/passwd.

EXAMPLE
       "OpenLDAP Administrator's Guide" contains an annotated example of a configuration file.

FILES
       /etc/openldap/slapd.conf

SEE ALSO
       ldap(3), slapd.replog(5), locale(5), passwd(5), slapd(8), slapadd(8), slapcat(8),
       slapindex(8), slappasswd(8), slurpd(8).

       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

ACKNOWLEDGEMENTS
       OpenLDAP is developed and maintained by The OpenLDAP  Project  (http://www.openldap.org/).
       OpenLDAP is derived from University of Michigan LDAP 3.3 Release.

OpenLDAP 2.0.27-Release 		   28 May 2001				    SLAPD.CONF(5)

