ITS#5425

CHANGES

@@ -31,7 +31,8 @@ OpenLDAP 2.4.9 Engineering
 	Documentation
 		Fixed slapd.access(5) authz-regexp documented behavior (ITS#5400)
 		Fixed slapd.meta(5) idassert-* documentation (ITS#5406)
-		Fixed admin guide set documentation (ITS#5278,ITS#5279,ITS#5281)
+		admin24 set documentation (ITS#5278,ITS#5279,ITS#5281)
+		admin24 syncrepl directives update (ITS#5425)
 
 OpenLDAP 2.4.8 Release (2008/02/19)
 	Fixed ldapmodify verbose logging (ITS#5247)

doc/guide/admin/slapdconfig.sdf

@@ -366,6 +366,17 @@ H4: syncrepl
 >		[credentials=<passwd>]
 >		[realm=<realm>]
 >		[secprops=<properties>]
+>		[starttls=yes|critical]
+>		[tls_cert=<file>]
+>		[tls_key=<file>]
+>		[tls_cacert=<file>]
+>		[tls_cacertdir=<path>]
+>		[tls_reqcert=never|allow|try|demand]
+>		[tls_ciphersuite=<ciphers>]
+>		[tls_crlcheck=none|peer|all]
+>		[logbase=<base DN>]
+>		[logfilter=<filter str>]
+>		[syncdata=default|accesslog|changelog]
 
 
 This directive specifies the current database as a replica of the
@@ -407,10 +418,10 @@ default value and must always be specified. The {{EX:scope}} defaults
 to {{EX:sub}}, the {{EX:filter}} defaults to {{EX:(objectclass=*)}},
 {{EX:attrs}} defaults to {{EX:"*,+"}} to replicate all user and operational
 attributes, and {{EX:attrsonly}} is unset by default. Both {{EX:sizelimit}}
-and {{EX:timelimit}} default to "unlimited", and only integers
+and {{EX:timelimit}} default to "unlimited", and only positive integers
 or "unlimited" may be specified.
 
-The LDAP Content Synchronization protocol has two operation
+The {{TERM[expand]LDAP Sync}} protocol has two operation
 types: {{EX:refreshOnly}} and {{EX:refreshAndPersist}}.
 The operation type is specified by the {{EX:type}} parameter.
 In the {{EX:refreshOnly}} operation, the next synchronization search operation
@@ -418,7 +429,7 @@ is periodically rescheduled at an interval time after each
 synchronization operation finishes. The interval is specified
 by the {{EX:interval}} parameter. It is set to one day by default.
 In the {{EX:refreshAndPersist}} operation, a synchronization search
-remains persistent in the provider slapd. Further updates to the
+remains persistent in the provider {{slapd}} instance. Further updates to the
 master replica will generate {{EX:searchResultEntry}} to the consumer slapd
 as the search responses to the persistent synchronization search.
 
@@ -446,7 +457,7 @@ master database.
 The {{EX:bindmethod}} is {{EX:simple}} or {{EX:sasl}},
 depending on whether simple password-based authentication or
 {{TERM:SASL}} authentication is to be used when connecting
-to the provider slapd.
+to the provider {{slapd}} instance.
 
 Simple authentication should not be used unless adequate data
 integrity and confidentiality protections are in place (e.g. TLS
@@ -464,11 +475,31 @@ The {{EX:realm}} parameter specifies a realm which a certain
 mechanisms authenticate the identity within. The {{EX:secprops}}
 parameter specifies Cyrus SASL security properties.
 
-The syncrepl replication mechanism is supported by the two primary
-database backends: back-bdb and back-hdb.
-
-See the {{SECT:LDAP Sync Replication}} chapter of the admin guide
-for more information on how to use this directive.
+The {{EX:starttls}} parameter specifies use of the StartTLS extended
+operation to establish a TLS session before authenticating to the provider.
+If the {{EX:critical}} argument is supplied, the session will be aborted
+if the StartTLS request fails.  Otherwise the syncrepl session continues
+without TLS.  Note that the main slapd TLS settings are not used by the
+syncrepl engine; by default the TLS parameters from a {{ldap.conf}}(5)
+configuration file will be used.  TLS settings may be specified here,
+in which case any {{ldap.conf}}(5) settings will be completely ignored.
+
+Rather than replicating whole entries, the consumer can query logs
+of data modifications.  This mode of operation is referred to as
+{{delta syncrepl}}.  In addition to the above parameters, the
+{{EX:logbase}} and {{EX:logfilter}} parameters must be set appropriately
+for the log that will be used. The {{EX:syncdata}} parameter must
+be set to either {{EX:"accesslog"}} if the log conforms to the
+{{slapo-accesslog}}(5) log format, or {{EX:"changelog"}} if the log
+conforms to the obsolete {{changelog}} format. If the {{EX:syncdata}}
+parameter is omitted or set to {{EX:"default"}} then the log
+parameters are ignored.
+
+The {{syncrepl}} replication mechanism is supported by the {{bdb}} and
+{{hdb}} backends.
+
+See the {{SECT:LDAP Sync Replication}} chapter of this guide for
+more information on how to use this directive.
 
 
 H4: updateref <URL>