slapd.conf.5 30.9 KB
Newer Older
1
.TH SLAPD.CONF 5 "2 May 2002" "OpenLDAP LDVERSION"
2
3
4
.\" Copyright 1998-2002 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
Kurt Zeilenga's avatar
Kurt Zeilenga committed
5
6
7
8
9
10
11
12
13
14
15
.SH NAME
slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The file
.B ETCDIR/slapd.conf
contains configuration information for the
.BR slapd (8)
daemon.  This configuration file is also used by the
.BR slurpd (8)
16
17
18
replication daemon and by the SLAPD tools
.BR slapadd (8),
.BR slapcat (8),
Kurt Zeilenga's avatar
Kurt Zeilenga committed
19
and
20
.BR slapindex (8).
Kurt Zeilenga's avatar
Kurt Zeilenga committed
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
.LP
The
.B slapd.conf
file consists of a series of global configuration options that apply to
.B slapd
as a whole (including all backends), followed by zero or more database
backend definitions that contain information specific to a backend
instance.
.LP
The general format of
.B slapd.conf
is as follows:
.LP
.nf
    # comment - these options apply to every database
    <global configuration options>
    # first database definition & configuration options
    database	<backend 1 type>
    <configuration options specific to backend 1>
    # subsequent database definitions & configuration options
    ...
.fi
.LP
As many backend-specific sections as desired may be included.  Global
options can be overridden in a backend (for options that appear more
than once, the last appearance in the
.B slapd.conf
file is used).  Blank lines and comment lines beginning with a `#'
character are ignored. If a line begins with white space, it is
considered a continuation of the previous line.
.LP
Arguments on configuration lines are separated by white space. If an
argument contains white space, the argument should be enclosed in
double quotes.  If an argument contains a double quote (`"') or a
backslash character (`\\'), the character should be preceded by a
backslash character.
.LP
The specific configuration options available are discussed below in the
59
60
61
62
63
Global Configuration Options, General Backend Options, and General Database
Options.  Backend-specific options are discussed in the
.B slapd-<backend>(5)
manual pages.  Refer to the "OpenLDAP Administrator's Guide" for more
details on the slapd configuration file.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
64
65
66
67
68
.SH GLOBAL CONFIGURATION OPTIONS
Options described in this section apply to all backends, unless specifically 
overridden in a backend definition. Arguments that should be replaced by 
actual text are shown in brackets <>.
.TP
69
.B access to <what> "[ by <who> <access> <control> ]+"
70
Grant access (specified by <access>) to a set of entries and/or
Kurt Zeilenga's avatar
Kurt Zeilenga committed
71
attributes (specified by <what>) by one or more requestors (specified
72
by <who>).
73
74
75
See
.BR slapd.access (5)
and the "OpenLDAP's Administrator's Guide" for details.
76
77
78
79
80
81
82
83
84
85
86
87
88
89
.TP
.B allow <features>
Specify a set of features (separated by white space) to
allow (default none).
.B bind_v2
allows acceptance of LDAPv2 bind requests.
.B bind_anon_cred
allows anonymous bind when credentials are not empty (e.g.
when DN is empty).
.B bind_anon_dn
allows unauthenticated (anonymous) bind when DN is not empty.
.TP
.B argsfile <filename>
The ( absolute ) name of a file that will hold the 
Kurt Zeilenga's avatar
Kurt Zeilenga committed
90
.B slapd
91
92
93
94
server's command line options
if started without the debugging command line option.
.HP
.hy 0
95
.B attributetype "(\ <oid> [NAME\ <name>] [OBSOLETE]\
96
97
98
 [DESC\ <description>]\
 [SUP\ <oid>] [EQUALITY\ <oid>] [ORDERING\ <oid>]\
 [SUBSTR\ <oid>] [SYNTAX\ <oidlen>] [SINGLE\-VALUE] [COLLECTIVE]\
99
 [NO\-USER\-MODIFICATION] [USAGE\ <attributeUsage>]\ )"
100
101
102
103
104
105
106
107
108
.RS
Specify an attribute type using the LDAPv3 syntax defined in RFC 2252.
The slapd parser extends the RFC 2252 definition by allowing string
forms as well as numeric OIDs to be used for the attribute OID and
attribute syntax OID.
(See the
.B objectidentifier
description.) Currently the syntax name parser is case-sensitive.
The known syntax names are:
Kurt Zeilenga's avatar
Kurt Zeilenga committed
109
110
111
.RS
.RS
.PD 0
112
113
114
115
116
117
118
119
120
121
AttributeTypeDescription Audio Binary BitString Certificate CertificateList
CertificatePair DN DeliveryMethod DirectoryString DITContentRuleDescription
DITStructureRuleDescription EnhancedGuide FacsimileTelephoneNumber
GeneralizedTime Guide IA5String Integer MatchingRuleDescription
MatchingRuleUseDescription MailPreference NameAndOptionalUUID
NameFormDescription NumericString ObjectClassDescription OID
OtherMailbox OctetString PostalAddress ProtocolInformation
PresentationAddress PrintableString SupportedAlgorithm TelephoneNumber
TeletexTerminalIdentifier TelexNumber UTCTime LDAPSyntaxDescription
SubstringAssertion NISnetgrouptriple Bootparameter
Kurt Zeilenga's avatar
Kurt Zeilenga committed
122
123
124
.PD
.RE
.RE
125
.RE
Kurt Zeilenga's avatar
Kurt Zeilenga committed
126
.TP
127
128
129
.B concurrency <integer>
Specify a desired level of concurrency.  Provided to the underlying
thread system as a hint.  The default is not to provide any hint.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
.\".TP
.\".B debug <subsys> <level>
.\"Specify a logging level for a particular subsystem.  The subsystems include
.\".B global
.\"a global level for all subsystems,
.\".B acl
.\"the ACL engine,
.\".B backend
.\"the backend databases,
.\".B cache
.\"the entry cache manager,
.\".B config
.\"the config file reader,
.\".B connection
.\"the connection manager,
.\".B cyrus
.\"the Cyrus SASL library interface,
.\".B filter
.\"the search filter processor,
.\".B getdn
.\"the DN normalization library,
.\".B index
.\"the database indexer,
.\".B liblber
.\"the ASN.1 BER library,
.\".B module
.\"the dynamic module loader,
.\".B operation
.\"the LDAP operation processors,
.\".B sasl
.\"the SASL authentication subsystem,
.\".B schema
.\"the schema processor, and
.\".B tls
.\"the TLS library interface. This is not an exhaustive list; there are many
.\"other subsystems and more are added over time.
.\"
.\"The levels are, in order of decreasing priority:
.\".B emergency, alert, critical, error, warning, notice, information, entry,
.\".B args, results, detail1, detail2
.\"An integer may be used instead, with 0 corresponding to
.\".B emergency
.\"up to 11 for
.\".BR detail2 .
.\"The
.\".B entry
.\"level logs function entry points,
.\".B args
.\"adds function call parameters, and
.\".B results
.\"adds the function results to the logs.
.\"The
.\".B detail1
.\"and
.\".B detail2
.\"levels add even more low level detail from individual functions.
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
.TP
.B defaultsearchbase <dn>
Specify a default search base to use when client submits a
non-base search request with an empty base DN.
.TP
.B disallow <features>
Specify a set of features (separated by white space) to
disallow (default none).
.B bind_anon
disables acceptance of anonymous bind requests.
.B bind_simple
disables simple (bind) authentication.
.B bind_krbv4
disables Kerberos V4 (bind) authentication.
.B tls_2_anon
disables Start TLS from forcing session to anonymous status (see also
.BR tls_authc ).
.B tls_authc
disables StartTLS if authenticated (see also
.BR tls_2_anon ).
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
.B gentlehup { on | off }
A SIGHUP signal will only cause a 'gentle' shutdown-attempt:
.B Slapd
will stop listening for new connections, but will not close the
connections to the current clients.  It terminates when all clients
have closed their connections (if they ever do), or \- as before \-
if it receives a SIGTERM signal.  This can be useful if you wish to
terminate the server and start a new
.B slapd
server
.B with another database,
without disrupting the currently active clients.
The default is off.  You may wish to use
.B idletimeout
along with this option.
.TP
223
224
225
226
.B idletimeout <integer>
Specify the number of seconds to wait before forcibly closing
an idle client connection.  A idletimeout of 0 disables this
feature.  The default is 0.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
227
228
229
230
231
.TP
.B include <filename>
Read additional configuration information from the given file before
continuing with the next line of the current file.
.TP
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
.B limits <who> <limit> [<limit> [...]]
Specify time and size limits based on who initiated an operation.
The argument
.B who
can be any of
.RS
.RS
.TP
anonymous | users | [dn[.<style>]=]<pattern>

.RE
with
.RS
.TP
<style> ::= exact | base | one | subtree | children | regex | anonymous

.RE
.B Anonymous
is hit when a search is performed without prior binding;
.B users
is hit when a search is performed by a successfully bound user;
otherwise a
.B regex
dn pattern is assumed unless otherwise specified by qualifying 
the (optional) key string
.B dn
with 
.B exact
or
.B base
(which are synonims), to require an exact match; with
.BR one, 
to require exactly one level of depth match; with
.BR subtree,
to allow any level of depth match, including the exact match; with
.BR children,
to allow any level of depth match, not including the exact match;
.BR regex
explicitly requires the (default) match based on regular expression
pattern, as detailed in
272
.BR regex (7).
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
Finally,
.B anonymous
matches unbound operations; the 
.B pattern
field is ignored.
The same behavior is obtained by using the 
.B anonymous
form of the
.B who
clause.

The currently supported limits are 
.B size
and 
.BR time.

The syntax for time limits is 
.BR time[.{soft|hard}]=<integer> ,
where 
.BR integer
is the number of seconds slapd will spend answering a search request.
If no time limit is explicitly requested by the client, the 
.BR soft
limit is used; if the requested time limit exceedes the
.BR hard
limit, an "Unwilling to perform" is returned.
If the
.BR hard
limit is set to 0 or to the keyword "soft", the soft limit is used 
in either case; if it is set to -1 or to the keyword "none", 
no hard limit is enforced.
Explicit requests for time limits smaller or equal to the
.BR hard 
limit are honored.
If no flag is set, the value is assigned to the 
.BR soft 
limit, and the
.BR hard
limit is set to zero, to preserve the original behavior.

The syntax for size limits is
.BR size[.{soft|hard|unchecked}]=<integer> ,
where
.BR integer
is the maximum number of entries slapd will return answering a search 
request.
If no size limit is explicitly requested by the client, the
.BR soft
limit is used; if the requested size limit exceedes the
.BR hard
limit, an "Unwilling to perform" is returned.
If the 
.BR hard
limit is set to 0 or to the keyword "soft", the soft limit is used 
in either case; if it is set to -1 or to the keyword "none", 
no hard limit is enforced.
Explicit requests for size limits smaller or equal to the
.BR hard
limit are honored.
The
.BR unchecked
flag sets a limit on the number of candidates a search request is allowed
to examine.
If the selected candidates exceed the 
.BR unchecked
limit, the search will abort with "Unwilling to perform".
If it is set to -1 or to the keyword "none", no limit is applied (the default).
If no flag is set, the value is assigned to the
.BR soft 
limit, and the
.BR hard
limit is set to zero, to preserve the original behavior.

In case of no match, the global limits are used.
The default values are the same of
.BR sizelimit
and
.BR timelimit ;
no limit is set on 
.BR unchecked .
.RE
Kurt Zeilenga's avatar
Kurt Zeilenga committed
354
355
356
357
358
.\".TP
.\".B logfile <filename>
.\"Specify a file for recording debug log messages. By default these messages
.\"only go to stderr and are not recorded anywhere else. Specifying a logfile
.\"copies messages to both stderr and the logfile.
359
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
.B loglevel <integer>
Specify the level at which debugging statements and operation 
statistics should be syslogged (currently logged to the
.BR syslogd (8) 
LOG_LOCAL4 facility).  Log levels are additive, and available levels
are:
.RS
.RS
.PD 0
.TP
.B 1
trace function calls
.TP
.B 2
debug packet handling
.TP
.B 4
heavy trace debugging
.TP
.B 8
connection management
.TP
.B 16
print out packets sent and received
.TP
.B 32
search filter processing
.TP
.B 64
configuration file processing
.TP
.B 128
access control list processing
.TP
.B 256
stats log connections/operations/results
.TP
.B 512
stats log entries sent
.TP
.B 1024
print communication with shell backends
.TP
.B 2048
entry parsing
.PD
.RE
.RE
Kurt Zeilenga's avatar
Kurt Zeilenga committed
408
409
410
411
412
413
414
415
416
417
418
419
420
.TP
.B moduleload <filename>
Specify the name of a dynamically loadable module to load. The filename
may be an absolute path name or a simple filename. Non-absolute names
are searched for in the directories specified by the
.B modulepath
option. This option and the
.B modulepath
option are only usable if slapd was compiled with --enable-modules.
.TP
.B modulepath <pathspec>
Specify a list of directories to search for loadable modules. Typically
the path is colon-separated but this depends on the operating system.
421
.HP
422
.B objectclass "( <oid> [NAME <name>] [DESC <description] [OBSOLETE]\
423
 [SUP <oids>] [{ ABSTRACT | STRUCTURAL | AUXILIARY }] [MUST <oids>]\
424
 [MAY <oids>] )"
425
426
427
428
429
.RS
Specify an objectclass using the LDAPv3 syntax defined in RFC 2252.
The slapd parser extends the RFC 2252 definition by allowing string
forms as well as numeric OIDs to be used for the object class OID.
(See the
Kurt Zeilenga's avatar
Kurt Zeilenga committed
430
.B
431
432
433
434
objectidentifier
description.)  Object classes are "STRUCTURAL" by default.
.RE
.TP
435
.B objectidentifier <name> "{ <oid> | <name>[:<suffix>] }"
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
Define a string name that equates to the given OID. The string can be used
in place of the numeric OID in objectclass and attribute definitions. The
name can also be used with a suffix of the form ":xx" in which case the
value "oid.xx" will be used.
.TP
.B password-hash <hash>
This option sets the hash to be used in generation of user
passwords, stored in userPassword, during processing of
LDAP Password Modify Extended Operations (RFC 3052).
The <hash> must be one of
.BR {SSHA} ,
.BR {SHA} ,
.BR {SMD5} ,
.BR {MD5} ,
and
.BR {CRYPT} .
The default is
.BR {SSHA} .

Note that this option does not alter the normal user applications
handling of userPassword during LDAP Add, Modify, or other LDAP operations.
.TP
.B password\-crypt\-salt\-format <format>
Specify the format of the salt passed to
.BR crypt (3)
when generating {CRYPT} passwords (see
.BR password\-hash )
during processing of LDAP Password Modify Extended Operations (RFC 3062).

This string needs to be in
.BR sprintf (3)
format and may include one (and only one) %s conversion.
This conversion will be substituted with a string random
characters from [A\-Za\-z0\-9./].  For example, "%.2s"
provides a two character salt and "$1$%.8s" tells some
versions of crypt(3) to use an MD5 algorithm and provides
8 random characters of salt.  The default is "%s", which
provides 31 characters of salt.
.TP
.B pidfile <filename>
The ( absolute ) name of a file that will hold the 
.B slapd
server's process ID ( see
.BR getpid (2)
) if started without the debugging command line option.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
481
482
483
484
485
.TP
.B referral <url>
Specify the referral to pass back when
.BR slapd (8)
cannot find a local database to handle a request.
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
If specified multiple times, each url is provided.
.TP
.B require <conditions>
Specify a set of conditions (separated by white space) to
require (default none).
The directive may be specified globally and/or per-database.
.B bind
requires bind operation prior to directory operations.
.B LDAPv3
requires session to be using LDAP version 3.
.B authc
requires authentication prior to directory operations.
.B SASL
requires SASL authentication prior to directory operations.
.B strong
requires strong authentication prior to directory operations.
The
.B SASL
and
.B strong
conditions are currently same.
.B none
may be used to require no conditions (useful for clearly globally
set conditions within a particular database).
.TP
.B reverse-lookup on | off
Enable/disable client name reverse lookup (default is 
.BR on 
if compiled with --enable-rlookups).
.TP
.B rootDSE <file>
Specify the name of an LDIF(5) file containing user defined attributes
for the root DSE.  These attributes are returned in addition to the
attributes normally produced by slapd.
.TP
.B sasl-host <fqdn>
Used to specify the fully qualified domain name used for SASL processing.
.TP
.B sasl-realm <realm>
Specify SASL realm.  Default is empty.
.TP
.B sasl-regexp <match> <replace>
Used by the SASL authorization mechanism to convert a SASL authenticated 
username to an LDAP DN. When an authorization request is received, the SASL 
.B USERNAME, REALM, 
and
.B MECHANISM
are taken, when available, and combined into a SASL name of the 
form
.RS
.RS
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
538
.B uid=<username>[,cn=<realm>],cn=<mechanism>,cn=auth
539
540
541
542
543
544
545
546
547
548
549
550
551

.RE
This SASL name is then compared against the
.B match
regular expression, and if the match is successful, the SASL name is
replaced with the
.B replace
string. If there are wildcard strings in the 
.B match
regular expression that are enclosed in parenthesis, e.g. 
.RS
.RS
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
552
.B uid=(.*),cn=.*
553
554
555
556
557
558
559
560
561
562
563

.RE
.RE
then the portion of the SASL name that matched the wildcard will be stored
in the numbered placeholder variable $1. If there are other wildcard strings
in parenthesis, the matching strings will be in $2, $3, etc. up to $9. The 
placeholders can then be used in the 
.B replace
string, e.g. 
.RS
.RS
Kurt Zeilenga's avatar
Kurt Zeilenga committed
564
.TP
565
566
567
568
569
570
571
572
573
574
575
576
577
.B cn=$1,ou=Accounts,dc=$2,dc=$4. 

.RE
.RE
The replaced SASL name can be either a DN or an LDAP URI. If the latter, the slapd
server will use the URI to search its own database, and if the search returns 
exactly one entry, the SASL name is replaced by the DN of that entry.
Multiple 
.B sasl-regexp 
options can be given in the configuration file to allow for multiple matching 
and replacement patterns. The matching patterns are checked in the order they 
appear in the file, stopping at the first successful match.

Kurt Zeilenga's avatar
Kurt Zeilenga committed
578
579
580
581
.\".B Caution:
.\"Because the plus sign + is a character recognized by the regular expression engine,
.\"and it will appear in SASL names that include a REALM, be careful to escape the
.\"plus sign with a backslash \\+ to remove the character's special meaning.
582
.RE
Kurt Zeilenga's avatar
Kurt Zeilenga committed
583
.TP
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
.B sasl-secprops <properties>
Used to specify Cyrus SASL security properties.
The
.B none
flag (without any other properities) causes the flag properites
default, "noanonymous,noplain", to be cleared.
The
.B noplain
flag disables mechanisms susceptible to simple passive attacks.
The
.B noactive
flag disables mechanisms susceptible to active attacks.
The
.B nodict
flag disables mechanisms susceptible to passive dictionary attacks.
The
.B noanonyous
flag disables mechanisms which support anonymous login.
The
.B forwardsec
flag require forward secrecy between sessions.
The
.B passcred
require mechanisms which pass client credentials (and allow
mechanisms which can pass credentials to do so).
The
.B minssf=<factor> 
property specifies the minimum acceptable
.I security strength factor
as an integer approximate to effective key length used for
encryption.  0 (zero) implies no protection, 1 implies integrity
protection only, 56 allows DES or other weak ciphers, 112
allows triple DES and other strong ciphers, 128 allows RC4,
Blowfish and other modern strong ciphers.  The default is 0.
The
.B maxssf=<factor> 
property specifies the maximum acceptable
.I security strength factor
as an integer (see minssf description).  The default is INT_MAX.
The
.B maxbufsize=<size> 
property specifies the maximum security layer receive buffer
size allowed.  0 disables security layers.  The default is 65536.
.TP
.B security <factors>
Specify a set of factors (separated by white space) to require.
An integer value is associated with each factor and is roughly
equivalent of the encryption key length to require.  A value
of 112 is equivalent to 3DES, 128 to Blowfish, etc..
The directive may be specified globally and/or per-database.
.B ssf=<n>
specifies the overall security strength factor.
.B transport=<n>
specifies the transport security strength factor.
.B tls=<n>
specifies the TLS security strength factor.
.B sasl=<n>
specifies the SASL security strength factor.
.B update_ssf=<n>
specifies the overall security strength factor to require for
directory updates.
.B update_transport=<n>
specifies the transport security strength factor to require for
directory updates.
.B update_tls=<n>
specifies the TLS security strength factor to require for
directory updates.
.B update_sasl=<n>
specifies the SASL security strength factor to require for
directory updates.
Note that the
.B transport
factor is measure of security provided by the underlying transport,
e.g. ldapi:// (and eventually IPSEC).  It is not normally used.
.TP
.B sizelimit <integer> 
.TP
.B sizelimit size[.{soft|hard|unchecked}]=<integer> [...]
Kurt Zeilenga's avatar
Kurt Zeilenga committed
662
663
Specify the maximum number of entries to return from a search operation.
The default size limit is 500.
664
665
666
667
668
669
670
671
672
673
674
675
676
The second format allows a fine grain setting of the size limits.
Extra args can be added on the same line.
See
.BR limits
for an explanation of the different flags.
.TP
.B sockbuf_max_incoming <integer>
Specify the maximum incoming LDAP PDU size for anonymous sessions.
The default is 262143.
.TP
.B sockbuf_max_incoming_auth <integer>
Specify the maximum incoming LDAP PDU size for authenticated sessions.
The default is 4194303.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
677
678
679
680
681
682
.TP
.B srvtab <filename>
Specify the srvtab file in which the kerberos keys necessary for
authenticating clients using kerberos can be found. This option is only
meaningful if you are using Kerberos authentication.
.TP
683
684
685
686
.B threads <integer>
Specify the maximum size of the primary thread pool.
The default is 32.
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
687
.B timelimit <integer>
688
689
.TP
.B timelimit time[.{soft|hard}]=<integer> [...]
Kurt Zeilenga's avatar
Kurt Zeilenga committed
690
691
692
Specify the maximum number of seconds (in real time)
.B slapd
will spend answering a search request.  The default time limit is 3600.
693
694
695
696
697
The second format allows a fine grain setting of the time limits.
Extra args can be added on the same line.
See
.BR limits
for an explanation of the different flags.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
698
699
700
701
.TP
.B ucdata-path <path>
Specify the path to the directory containing the Unicode character
tables. The default path is LOCALSTATEDIR/ucdata.
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
.SH TLS OPTIONS
If
.B slapd
is built with support for Transport Layer Security, there are more options
you can specify.
.TP
.B TLSCipherSuite <cipher-suite-spec>
Permits configuring what ciphers will be accepted and the preference order.
<cipher-suite-spec> should be a cipher specification for OpenSSL.  Example:

TLSCipherSuite HIGH:MEDIUM:+SSLv2

To check what ciphers a given spec selects, use:

openssl ciphers -v <cipher-suite-spec>
.TP
.B TLSCACertificateFile <filename>
Specifies the file that contains certificates for all of the Certificate
Authorities that
.B slapd
will recognize.
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
724
725
726
727
728
.B TLSCACertificatePath <path>
Specifies the path of a directory that contains Certificate Authority
certificates in separate individual files. Usually only one of this
or the TLSCACertificateFile is used.
.TP
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
.B TLSCertificateFile <filename>
Specifies the file that contains the
.B slapd
server certificate.
.TP
.B TLSCertificateKeyFile <filename>
Specifies the file that contains the
.B slapd
server private key that matches the certificate stored in the
.B TLSCertificateFile
file.  Currently, the private key must not be protected with a password, so
it is of critical importance that it is protected carefully. 
.TP
.B TLSRandFile <filename>
Specifies the file to obtain random bits from when /dev/[u]random
is not available.  Generally set to the name of the EGD/PRNGD socket.
The environment variable RANDFILE can also be used to specify the filename.
.TP
.B TLSVerifyClient <level>
Specifies what checks to perform on client certificates in an
incoming TLS session, if any.
The
.B <level>
can be specified as one of the following keywords:
.RS
.TP
.B never
This is the default.
.B slapd
will not ask the client for a certificate.
.TP
.B allow
The client certificate is requested.  If no certificate is provided,
the session proceeds normally.  If a bad certificate is provided,
it will be ignored and the session proceeds normally.
.TP
.B try
The client certificate is requested.  If no certificate is provided,
the session proceeds normally.  If a bad certificate is provided,
the session is immediately terminated.
.TP
.B demand | hard | true
These keywords are all equivalent, for compatibility reasons.
The client certificate is requested.  If no certificate is provided,
or a bad certificate is provided, the session is immediately terminated.

Note that a valid client certificate is required in order to use the
SASL EXTERNAL authentication mechanism with a TLS session.  As such,
a non-default
.B TLSVerifyClient
setting must be chosen to enable SASL EXTERNAL authentication.
.RE
Kurt Zeilenga's avatar
Kurt Zeilenga committed
781
782
.SH GENERAL BACKEND OPTIONS
Options in this section only apply to the configuration file section
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
for the specified backend.  They are supported by every
type of backend.
.TP
.B backend <databasetype>
Mark the beginning of a backend definition. <databasetype>
should be one of
.B bdb,
.B dnssrv,
.B ldap,
.B ldbm,
.B meta,
.B monitor,
.B null,
.B passwd,
.B perl,
.B shell,
.B sql,
or
.B tcl,
depending on which backend will serve the database.

.SH GENERAL DATABASE OPTIONS
Options in this section only apply to the configuration file section
for the database in which they are defined.  They are supported by every
807
808
809
810
811
type of backend.  Note that the
.B database
and at least one
.B suffix
option are mandatory for each database.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
812
813
814
815
.TP
.B database <databasetype>
Mark the beginning of a new database instance definition. <databasetype>
should be one of
816
817
818
.B bdb,
.B dnssrv,
.B ldap,
Kurt Zeilenga's avatar
Kurt Zeilenga committed
819
.B ldbm,
820
821
822
823
824
.B meta,
.B monitor,
.B null,
.B passwd,
.B perl,
Kurt Zeilenga's avatar
Kurt Zeilenga committed
825
.B shell,
826
.B sql,
Kurt Zeilenga's avatar
Kurt Zeilenga committed
827
or
828
.B tcl,
Kurt Zeilenga's avatar
Kurt Zeilenga committed
829
830
831
832
833
834
835
depending on which backend will serve the database.
.TP
.B lastmod on | off
Controls whether
.B slapd
will automatically maintain the 
modifiersName, modifyTimestamp, creatorsName, and 
836
createTimestamp attributes for entries.  By default, lastmod is on.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
837
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
838
839
840
841
.B maxderefdepth <depth>
Specifies the maximum number of aliases to dereference when trying to
resolve an entry, used to avoid inifinite alias loops. The default is 1.
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
842
843
844
845
.B readonly on | off
This option puts the database into "read-only" mode.  Any attempts to 
modify the database will return an "unwilling to perform" error.  By
default, readonly is off.
846
847
848
849
850
851
852
853
854
855
.HP
.B replica host=<hostname>[:port] [tls=yes|critical]
.B [suffix=<suffix> [...]]
.B bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
.B [saslmech=<SASL mech>] [secopts=<options>] [realm=<realm>]
.B [authcId=<authentication ID>] [authcId=<authentication ID>]
.B [attr[!]=<attr list>]
.RS
Specify a replication site for this database.  Refer to the "OpenLDAP 
Administrator's Guide" for detailed information on setting up a replicated
Kurt Zeilenga's avatar
Kurt Zeilenga committed
856
.B slapd
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
directory service. Zero or more
.B suffix
instances can be used to select the subtrees that will be replicated
(defaults to all the database). A
.B bindmethod
of
.B simple
requires the options
.B binddn 
and
.B credentials  
and should only be used when adequate security services 
(e.g TLS or IPSEC) are in place. A
.B bindmethod 
of
.B sasl 
requires the option
.B saslmech. 
If the 
.B mechanism
will use Kerberos, a kerberos instance should be given in 
.B authcId.
An
.B attr list
can be given after the 
.B attr
keyword to allow the selective replication of the listed attributes only;
if the optional 
.B !
mark is used, the list is considered exclusive, i.e. the listed attributes
are not replicated.
If an objectClass is listed, all the related attributes
are (are not) replicated.
.RE
Kurt Zeilenga's avatar
Kurt Zeilenga committed
891
892
893
894
895
896
897
898
899
.TP
.B replogfile <filename>
Specify the name of the replication log file to log changes to.  
The replication log is typically written by
.BR slapd (8)
and read by
.BR slurpd (8).
See
.BR slapd.replog (5)
900
901
902
for more information.  The specified file should be located
in a directory with limited read/write/execute access as the replication
logs may contain sensitive information.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
903
904
.TP
.B rootdn <dn>
905
Specify the distinguished name that is not subject to access control 
Kurt Zeilenga's avatar
Kurt Zeilenga committed
906
or administrative limit restrictions for operations on this database.
907
908
909
910
911
912
913
914
This DN may or may not be associated with an entry.  An empty root
DN (the default) specifies no root access is to be granted.  It is
recommended that the rootdn only be specified when needed (such as
when initially populating a database).  If the rootdn is within
a namingContext (suffix) of the database, a simple bind password
may also be provided using the
.B rootpw
directive.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
915
916
.TP
.B rootpw <password>
Kurt Zeilenga's avatar
Kurt Zeilenga committed
917
918
919
Specify a password (or hash of the password) for the rootdn.  The
password can only be set if the rootdn is within the namingContext
(suffix) of the database.
920
921
922
923
924
925
926
927
928
This option accepts all RFC 2307 userPassword formats known to
the server (see 
.B password-hash
desription) as well as cleartext.
.BR slappasswd (8) 
may be used to generate a hash of a password.  Cleartext
and \fB{CRYPT}\fP passwords are not recommended.  If empty
(the default), authentication of the root DN is by other means
(e.g. SASL).  Use of SASL is encouraged.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
929
930
931
932
933
.TP
.B suffix <dn suffix>
Specify the DN suffix of queries that will be passed to this 
backend database.  Multiple suffix lines can be given and at least one is 
required for each database definition.
934
935
If the suffix of one database is "inside" that of another, the database
with the inner suffix must come first in the configuration file.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
936
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
937
938
939
940
941
.B suffixalias <alias> <aliased suffix>
Specify an alternate suffix that may be used to reference an already defined
database suffix. Operations specifying DNs residing under the alias 
will execute as if they had specified the aliased suffix.
.TP
942
943
944
945
946
947
948
949
950
951
952
953
.B subordinate
Specify that the current backend database is a subordinate of another
backend database. A subordinate database may have only one suffix. This
option may be used to glue multiple databases into a single namingContext.
If the suffix of the current database is within the namingContext of a
superior database, searches against the superior database will be
propagated to the subordinate as well. All of the databases
associated with a single namingContext should have identical rootdns.
Behavior of other LDAP operations is unaffected by this setting. In
particular, it is not possible to use moddn to move an entry from
one subordinate to another subordinate within the namingContext.
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
954
955
956
957
958
959
960
.B updatedn <dn>
This option is only applicable in a slave
.B slapd.
It specifies the DN allowed to make changes to the replica (typically,
this is the DN
.BR slurpd (8)
binds as when making changes to the replica).
961
962
963
964
965
966
.TP
.B updateref <url>
Specify the referral to pass back when
.BR slapd (8)
is asked to modify a replicated local database.
If specified multiple times, each url is provided.
967
968
969
970
971
972
973
974
975
976
977
978
979
.SH DATABASE-SPECIFIC OPTIONS
Each database may allow specific configuration options; they are
documented separately in the
.BR slapd-<backend> (5)
manual pages.
.SH EXAMPLES
.LP
Here is a short example of a configuration file:
.LP
.RS
.nf
include   SYSCONFDIR/schema/core.schema
pidfile   LOCALSTATEDIR/slapd.pid
980

981
982
983
984
985
986
987
988
989
database  bdb
suffix    "dc=our-domain,dc=com"
# The database directory MUST exist prior to
# running slapd AND should only be accessible
# by the slapd/tools. Mode 700 recommended.
directory LOCALSTATEDIR/openldap-data
# Indices to maintain
index     objectClass  eq
index     cn,sn,mail   pres,eq,approx,sub
990

991
992
993
994
995
996
997
998
999
1000
# We serve small clients that do not handle referrals,
# so handle remote lookups on their behalf.
database  ldap
suffix    ""
uri       ldap://ldap.some-server.com/
lastmod   off
.fi
.RE
.LP
"OpenLDAP Administrator's Guide" contains a longer annotated
For faster browsing, not all history is shown. View entire blame