slapd.conf.5 44.4 KB
Newer Older
1
.TH SLAPD.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION"
Kurt Zeilenga's avatar
Kurt Zeilenga committed
2
.\" Copyright 1998-2004 The OpenLDAP Foundation All Rights Reserved.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
3
.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
4
.\" $OpenLDAP$
Kurt Zeilenga's avatar
Kurt Zeilenga committed
5
6
7
8
9
10
11
12
13
14
15
.SH NAME
slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The file
.B ETCDIR/slapd.conf
contains configuration information for the
.BR slapd (8)
daemon.  This configuration file is also used by the
.BR slurpd (8)
16
17
18
replication daemon and by the SLAPD tools
.BR slapadd (8),
.BR slapcat (8),
Kurt Zeilenga's avatar
Kurt Zeilenga committed
19
and
20
.BR slapindex (8).
Kurt Zeilenga's avatar
Kurt Zeilenga committed
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
.LP
The
.B slapd.conf
file consists of a series of global configuration options that apply to
.B slapd
as a whole (including all backends), followed by zero or more database
backend definitions that contain information specific to a backend
instance.
.LP
The general format of
.B slapd.conf
is as follows:
.LP
.nf
    # comment - these options apply to every database
    <global configuration options>
    # first database definition & configuration options
38
    database <backend 1 type>
Kurt Zeilenga's avatar
Kurt Zeilenga committed
39
40
41
42
43
44
45
46
47
    <configuration options specific to backend 1>
    # subsequent database definitions & configuration options
    ...
.fi
.LP
As many backend-specific sections as desired may be included.  Global
options can be overridden in a backend (for options that appear more
than once, the last appearance in the
.B slapd.conf
48
49
50
51
52
53
file is used).
.LP
If a line begins with white space, it is considered a continuation
of the previous line.  Blank lines and comment lines beginning with
a `#' character are ignored.  (Note: continuation lines are unwrapped
before comment processing is applied.)
Kurt Zeilenga's avatar
Kurt Zeilenga committed
54
55
56
57
58
59
60
61
.LP
Arguments on configuration lines are separated by white space. If an
argument contains white space, the argument should be enclosed in
double quotes.  If an argument contains a double quote (`"') or a
backslash character (`\\'), the character should be preceded by a
backslash character.
.LP
The specific configuration options available are discussed below in the
62
63
64
65
66
Global Configuration Options, General Backend Options, and General Database
Options.  Backend-specific options are discussed in the
.B slapd-<backend>(5)
manual pages.  Refer to the "OpenLDAP Administrator's Guide" for more
details on the slapd configuration file.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
67
68
69
70
71
.SH GLOBAL CONFIGURATION OPTIONS
Options described in this section apply to all backends, unless specifically 
overridden in a backend definition. Arguments that should be replaced by 
actual text are shown in brackets <>.
.TP
Pierangelo Masarati's avatar
Pierangelo Masarati committed
72
.B access to <what> "[ by <who> <access> <control> ]+"
73
Grant access (specified by <access>) to a set of entries and/or
Kurt Zeilenga's avatar
Kurt Zeilenga committed
74
attributes (specified by <what>) by one or more requestors (specified
75
by <who>).
Pierangelo Masarati's avatar
Pierangelo Masarati committed
76
77
78
See
.BR slapd.access (5)
and the "OpenLDAP's Administrator's Guide" for details.
79
.TP
80
.B allow <features>
81
82
Specify a set of features (separated by white space) to
allow (default none).
83
.B bind_v2
Kurt Zeilenga's avatar
Kurt Zeilenga committed
84
85
allows acceptance of LDAPv2 bind requests.  Note that
.BR slapd (8)
86
does not truly implement LDAPv2 (RFC 1777), now Historic (RFC 3494).
87
.B bind_anon_cred
Howard Chu's avatar
Howard Chu committed
88
allows anonymous bind when credentials are not empty (e.g.
89
90
91
when DN is empty).
.B bind_anon_dn
allows unauthenticated (anonymous) bind when DN is not empty.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
92
93
94
.B update_anon
allow unauthenticated (anonymous) update operations to be processed
(subject to access controls and other administrative limits).
95
.TP
96
97
98
99
100
.B argsfile <filename>
The ( absolute ) name of a file that will hold the 
.B slapd
server's command line options
if started without the debugging command line option.
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
.TP
.B attributeoptions [option-name]...
Define tagging attribute options or option tag/range prefixes.
Options must not end with `-', prefixes must end with `-'.
The `lang-' prefix is predefined.
If you use the
.B attributeoptions
directive, `lang-' will no longer be defined and you must specify it
explicitly if you want it defined.

An attribute description with a tagging option is a subtype of that
attribute description without the option.
Except for that, options defined this way have no special semantics.
Prefixes defined this way work like the `lang-' options:
They define a prefix for tagging options starting with the prefix.
That is, if you define the prefix `x-foo-', you can use the option
`x-foo-bar'.
Furthermore, in a search or compare, a prefix or range name (with
a trailing `-') matches all options starting with that name, as well
as the option with the range name sans the trailing `-'.
That is, `x-foo-bar-' matches `x-foo-bar' and `x-foo-bar-baz'.

Kurt Zeilenga's avatar
Kurt Zeilenga committed
123
124
RFC 2251 reserves options beginning with `x-' for private experiments.
Other options should be registered with IANA, see RFC 3383 section 3.4.
125
126
OpenLDAP also has the `binary' option built in, but this is a transfer
option, not a tagging option.
127
128
.HP
.hy 0
129
130
.B attributetype "(\ <oid>\
 [NAME\ <name>]\
131
 [DESC\ <description>]\
132
133
134
135
136
137
138
139
140
141
 [OBSOLETE]\
 [SUP\ <oid>]\
 [EQUALITY\ <oid>]\
 [ORDERING\ <oid>]\
 [SUBSTR\ <oid>]\
 [SYNTAX\ <oidlen>]\
 [SINGLE\-VALUE]\
 [COLLECTIVE]\
 [NO\-USER\-MODIFICATION]\
 [USAGE\ <attributeUsage>]\ )"
142
.RS
143
Specify an attribute type using the LDAPv3 syntax defined in RFC 2252.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
144
145
146
The slapd parser extends the RFC 2252 definition by allowing string
forms as well as numeric OIDs to be used for the attribute OID and
attribute syntax OID.
147
(See the
148
.B objectidentifier
149
description.) 
150
.RE
151
.TP
152
153
.B concurrency <integer>
Specify a desired level of concurrency.  Provided to the underlying
154
thread system as a hint.  The default is not to provide any hint.
155
156
157
158
159
160
161
162
163
164
.TP
.B conn_max_pending <integer>
Specify the maximum number of pending requests for an anonymous session.
If requests are submitted faster than the server can process them, they
will be queued up to this limit. If the limit is exceeded, the session
is closed. The default is 100.
.TP
.B conn_max_pending_auth <integer>
Specify the maximum number of pending requests for an authenticated session.
The default is 1000.
165
.\"-- NEW_LOGGING option --
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
.\".TP
.\".B debug <subsys> <level>
.\"Specify a logging level for a particular subsystem.  The subsystems include
.\".B global
.\"a global level for all subsystems,
.\".B acl
.\"the ACL engine,
.\".B backend
.\"the backend databases,
.\".B cache
.\"the entry cache manager,
.\".B config
.\"the config file reader,
.\".B connection
.\"the connection manager,
.\".B cyrus
.\"the Cyrus SASL library interface,
.\".B filter
.\"the search filter processor,
.\".B getdn
.\"the DN normalization library,
.\".B index
.\"the database indexer,
.\".B liblber
.\"the ASN.1 BER library,
.\".B module
.\"the dynamic module loader,
.\".B operation
.\"the LDAP operation processors,
.\".B sasl
.\"the SASL authentication subsystem,
.\".B schema
.\"the schema processor, and
.\".B tls
.\"the TLS library interface. This is not an exhaustive list; there are many
.\"other subsystems and more are added over time.
.\"
.\"The levels are, in order of decreasing priority:
.\".B emergency, alert, critical, error, warning, notice, information, entry,
.\".B args, results, detail1, detail2
.\"An integer may be used instead, with 0 corresponding to
.\".B emergency
.\"up to 11 for
.\".BR detail2 .
.\"The
.\".B entry
.\"level logs function entry points,
.\".B args
.\"adds function call parameters, and
.\".B results
.\"adds the function results to the logs.
.\"The
.\".B detail1
.\"and
.\".B detail2
.\"levels add even more low level detail from individual functions.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
222
.TP
223
224
225
226
.B defaultsearchbase <dn>
Specify a default search base to use when client submits a
non-base search request with an empty base DN.
.TP
227
.B disallow <features>
228
229
Specify a set of features (separated by white space) to
disallow (default none).
230
231
.B bind_anon
disables acceptance of anonymous bind requests.
232
233
234
235
.B bind_simple
disables simple (bind) authentication.
.B bind_krbv4
disables Kerberos V4 (bind) authentication.
236
237
238
.B tls_2_anon
disables Start TLS from forcing session to anonymous status (see also
.BR tls_authc ).
239
240
241
.B tls_authc
disables StartTLS if authenticated (see also
.BR tls_2_anon ).
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
.HP
.hy 0
.B ditcontentrule "(\ <oid>\
 [NAME\ <name>]\
 [DESC\ <description>]\
 [OBSOLETE]\
 [AUX\ <oids>]\
 [MUST\ <oids>]\
 [MAY\ <oids>]\
 [NOT\ <oids>]\ )"
.RS
Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 2252.
The slapd parser extends the RFC 2252 definition by allowing string
forms as well as numeric OIDs to be used for the attribute OID and
attribute syntax OID.
(See the
.B objectidentifier
description.) 
.RE
261
.TP
262
263
264
265
.B gentlehup { on | off }
A SIGHUP signal will only cause a 'gentle' shutdown-attempt:
.B Slapd
will stop listening for new connections, but will not close the
266
267
connections to the current clients.  Future write operations return
unwilling-to-perform, though.  Slapd terminates when all clients
268
269
270
271
272
273
274
275
276
277
278
have closed their connections (if they ever do), or \- as before \-
if it receives a SIGTERM signal.  This can be useful if you wish to
terminate the server and start a new
.B slapd
server
.B with another database,
without disrupting the currently active clients.
The default is off.  You may wish to use
.B idletimeout
along with this option.
.TP
279
280
.B idletimeout <integer>
Specify the number of seconds to wait before forcibly closing
281
an idle client connection.  A idletimeout of 0 disables this
282
283
feature.  The default is 0.
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
284
285
286
287
.B include <filename>
Read additional configuration information from the given file before
continuing with the next line of the current file.
.TP
Pierangelo Masarati's avatar
Pierangelo Masarati committed
288
289
.B limits <who> <limit> [<limit> [...]]
Specify time and size limits based on who initiated an operation.
290
The argument
Pierangelo Masarati's avatar
Pierangelo Masarati committed
291
292
293
294
295
.B who
can be any of
.RS
.RS
.TP
296
anonymous | users | [dn[.<style>]=]<pattern> | group[/oc[/at]]=<pattern>
Pierangelo Masarati's avatar
Pierangelo Masarati committed
297
298
299
300
301

.RE
with
.RS
.TP
302
<style> ::= exact | base | onelevel | subtree | children | regex | anonymous
Pierangelo Masarati's avatar
Pierangelo Masarati committed
303
304

.RE
Kurt Zeilenga's avatar
Kurt Zeilenga committed
305
306
307
The term
.B anonymous
matches all unauthenticated clients.
308
The term
Pierangelo Masarati's avatar
Pierangelo Masarati committed
309
.B users
Kurt Zeilenga's avatar
Kurt Zeilenga committed
310
matches all authenticated clients;
311
312
otherwise an
.B exact
Pierangelo Masarati's avatar
Pierangelo Masarati committed
313
314
315
316
317
318
319
dn pattern is assumed unless otherwise specified by qualifying 
the (optional) key string
.B dn
with 
.B exact
or
.B base
320
(which are synonyms), to require an exact match; with
321
.BR onelevel , 
Pierangelo Masarati's avatar
Pierangelo Masarati committed
322
to require exactly one level of depth match; with
323
.BR subtree ,
Pierangelo Masarati's avatar
Pierangelo Masarati committed
324
to allow any level of depth match, including the exact match; with
325
.BR children ,
Pierangelo Masarati's avatar
Pierangelo Masarati committed
326
to allow any level of depth match, not including the exact match;
327
.BR regex
Pierangelo Masarati's avatar
Pierangelo Masarati committed
328
329
explicitly requires the (default) match based on regular expression
pattern, as detailed in
330
.BR regex (7).
Pierangelo Masarati's avatar
Pierangelo Masarati committed
331
332
333
334
335
336
337
338
339
340
Finally,
.B anonymous
matches unbound operations; the 
.B pattern
field is ignored.
The same behavior is obtained by using the 
.B anonymous
form of the
.B who
clause.
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
The term
.BR group ,
with the optional objectClass
.B oc
and attributeType
.B at
fields, followed by
.BR pattern ,
sets the limits for any DN listed in the values of the
.B at
attribute (default
.BR member )
of the 
.B oc
group objectClass (default
.BR groupOfNames )
whose DN exactly matches
.BR pattern .
Pierangelo Masarati's avatar
Pierangelo Masarati committed
359
360
361
362

The currently supported limits are 
.B size
and 
363
.BR time .
364
365
366
367
368
369
370
371

The syntax for time limits is 
.BR time[.{soft|hard}]=<integer> ,
where 
.BR integer
is the number of seconds slapd will spend answering a search request.
If no time limit is explicitly requested by the client, the 
.BR soft
372
limit is used; if the requested time limit exceeds the
373
.BR hard
374
375
376
limit, an
.I \"Administrative limit exceeded\"
is returned.
377
378
If the
.BR hard
379
380
381
382
383
384
limit is set to 0 or to the keyword 
.IR soft ,
the soft limit is used in either case; if it is set to 
.I -1 
or to the keyword 
.IR none , 
385
no hard limit is enforced.
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
Explicit requests for time limits smaller or equal to the
.BR hard 
limit are honored.
If no flag is set, the value is assigned to the 
.BR soft 
limit, and the
.BR hard
limit is set to zero, to preserve the original behavior.

The syntax for size limits is
.BR size[.{soft|hard|unchecked}]=<integer> ,
where
.BR integer
is the maximum number of entries slapd will return answering a search 
request.
If no size limit is explicitly requested by the client, the
.BR soft
403
limit is used; if the requested size limit exceeds the
404
.BR hard
405
406
407
limit, an 
.I \"Administrative limit exceeded\"
is returned.
408
409
If the 
.BR hard
410
411
412
413
414
415
limit is set to 0 or to the keyword 
.IR soft , 
the soft limit is used in either case; if it is set to 
.I -1 
or to the keyword
.IR none , 
416
no hard limit is enforced.
417
418
419
Explicit requests for size limits smaller or equal to the
.BR hard
limit are honored.
420
The
421
422
423
424
425
.BR unchecked
flag sets a limit on the number of candidates a search request is allowed
to examine.
If the selected candidates exceed the 
.BR unchecked
426
427
428
429
430
431
432
limit, the search will abort with 
.IR \"Unwilling to perform\" .
If it is set to
.I -1 
or to the keyword 
.IR none , 
no limit is applied (the default).
433
434
435
436
If it is set to
.IR disable ,
the search is not even performed; this can be used to disallow searches
for a specific set of users.
437
438
439
440
441
442
If no flag is set, the value is assigned to the
.BR soft 
limit, and the
.BR hard
limit is set to zero, to preserve the original behavior.

443
In case of no match, the global limits are used.
444
The default values are the same of
445
.B sizelimit
446
447
448
449
and
.BR timelimit ;
no limit is set on 
.BR unchecked .
450
451
452
453

If 
.B pagedResults
control is defined, additional size limits may be enforced; the syntax is
454
.BR size.pr={<integer>|noEstimate|disabled|none} ,
455
where
456
.B integer
457
is the max page size if no explicit limit is set; the keyword
458
.I noEstimate
459
inhibits the server to return an estimate of the total number
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
of entries that will be returned; the keyword
.I disabled
disables the control; the keyword
.I none
indicates that no limit is applied to the pagedResults control page size.
The syntax
.B size.prtotal={<integer>|none}
allows to set a limit on the total number of entries that a pagedResults
control allows to return.
By default it is unlimited, which is indicated by the keyword
.IR none .
When set, 
.B integer
is the max number of entries that the whole search with pagedResults control
can return.
Pierangelo Masarati's avatar
Pierangelo Masarati committed
475
.RE
476
.\"-- NEW_LOGGING option --
477
478
479
480
481
.\".TP
.\".B logfile <filename>
.\"Specify a file for recording debug log messages. By default these messages
.\"only go to stderr and are not recorded anywhere else. Specifying a logfile
.\"copies messages to both stderr and the logfile.
482
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
.B loglevel <integer>
Specify the level at which debugging statements and operation 
statistics should be syslogged (currently logged to the
.BR syslogd (8) 
LOG_LOCAL4 facility).  Log levels are additive, and available levels
are:
.RS
.RS
.PD 0
.TP
.B 1
trace function calls
.TP
.B 2
debug packet handling
.TP
.B 4
heavy trace debugging
.TP
.B 8
connection management
.TP
.B 16
print out packets sent and received
.TP
.B 32
search filter processing
.TP
.B 64
configuration file processing
.TP
.B 128
access control list processing
.TP
.B 256
stats log connections/operations/results
.TP
.B 512
stats log entries sent
.TP
.B 1024
print communication with shell backends
.TP
.B 2048
entry parsing
.PD
.RE
.RE
531
532
533
534
535
536
537
538
539
540
541
542
543
.TP
.B moduleload <filename>
Specify the name of a dynamically loadable module to load. The filename
may be an absolute path name or a simple filename. Non-absolute names
are searched for in the directories specified by the
.B modulepath
option. This option and the
.B modulepath
option are only usable if slapd was compiled with --enable-modules.
.TP
.B modulepath <pathspec>
Specify a list of directories to search for loadable modules. Typically
the path is colon-separated but this depends on the operating system.
544
.HP
545
546
547
548
549
550
551
552
.hy 0
.B objectclass "(\ <oid>\
 [NAME\ <name>]\
 [DESC\ <description]\
 [OBSOLETE]\
 [SUP\ <oids>]\
 [{ ABSTRACT | STRUCTURAL | AUXILIARY }]\
 [MUST\ <oids>] [MAY\ <oids>] )"
553
.RS
554
Specify an objectclass using the LDAPv3 syntax defined in RFC 2252.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
555
556
557
The slapd parser extends the RFC 2252 definition by allowing string
forms as well as numeric OIDs to be used for the object class OID.
(See the
558
559
.B
objectidentifier
Kurt Zeilenga's avatar
Kurt Zeilenga committed
560
description.)  Object classes are "STRUCTURAL" by default.
561
.RE
562
.TP
Pierangelo Masarati's avatar
Pierangelo Masarati committed
563
.B objectidentifier <name> "{ <oid> | <name>[:<suffix>] }"
564
565
566
567
Define a string name that equates to the given OID. The string can be used
in place of the numeric OID in objectclass and attribute definitions. The
name can also be used with a suffix of the form ":xx" in which case the
value "oid.xx" will be used.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
568
.TP
569
570
571
.B password-hash <hash> [<hash>...]
This option configures one or more hashes to be used in generation of user
passwords stored in the userPassword attribute during processing of
Kurt Zeilenga's avatar
Kurt Zeilenga committed
572
LDAP Password Modify Extended Operations (RFC 3062).
573
The <hash> must be one of
574
575
576
577
.BR {SSHA} ,
.BR {SHA} ,
.BR {SMD5} ,
.BR {MD5} ,
578
.BR {CRYPT} ,
579
and
580
.BR {CLEARTEXT} .
581
582
The default is
.BR {SSHA} .
583

584
585
586
587
.B {SHA}
and
.B {SSHA}
use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.
588

589
590
591
592
.B {MD5}
and
.B {SMD5}
use the MD5 algorithm (RFC 1321), the latter with a seed.
593

594
595
596
.B {CRYPT}
uses the
.BR crypt (3).
597

598
599
600
.B {CLEARTEXT}
indicates that the new password should be
added to userPassword as clear text.
601

602
Note that this option does not alter the normal user applications
603
handling of userPassword during LDAP Add, Modify, or other LDAP operations.
604
.TP
605
.B password\-crypt\-salt\-format <format>
606
607
Specify the format of the salt passed to
.BR crypt (3)
608
609
610
611
when generating {CRYPT} passwords (see
.BR password\-hash )
during processing of LDAP Password Modify Extended Operations (RFC 3062).

612
613
614
615
616
617
618
619
620
621
This string needs to be in
.BR sprintf (3)
format and may include one (and only one) %s conversion.
This conversion will be substituted with a string random
characters from [A\-Za\-z0\-9./].  For example, "%.2s"
provides a two character salt and "$1$%.8s" tells some
versions of crypt(3) to use an MD5 algorithm and provides
8 random characters of salt.  The default is "%s", which
provides 31 characters of salt.
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
622
623
624
625
626
627
628
.B pidfile <filename>
The ( absolute ) name of a file that will hold the 
.B slapd
server's process ID ( see
.BR getpid (2)
) if started without the debugging command line option.
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
629
630
631
632
.B referral <url>
Specify the referral to pass back when
.BR slapd (8)
cannot find a local database to handle a request.
633
If specified multiple times, each url is provided.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
634
.TP
635
636
637
638
639
640
641
642
643
644
645
646
647
.B replica-argsfile
The ( absolute ) name of a file that will hold the 
.B slurpd
server's command line options
if started without the debugging command line option.
.TP
.B replica-pidfile
The ( absolute ) name of a file that will hold the 
.B slurpd
server's process ID ( see
.BR getpid (2)
) if started without the debugging command line option.
.TP
648
649
650
651
652
.B replicationinterval
The number of seconds 
.B slurpd 
waits before checking the replogfile for changes.
.TP
653
.B require <conditions>
654
655
Specify a set of conditions (separated by white space) to
require (default none).
656
657
658
659
660
661
662
663
664
665
666
The directive may be specified globally and/or per-database.
.B bind
requires bind operation prior to directory operations.
.B LDAPv3
requires session to be using LDAP version 3.
.B authc
requires authentication prior to directory operations.
.B SASL
requires SASL authentication prior to directory operations.
.B strong
requires strong authentication prior to directory operations.
667
668
The strong keyword allows protected "simple" authentication
as well as SASL authentication.
669
670
671
672
.B none
may be used to require no conditions (useful for clearly globally
set conditions within a particular database).
.TP
673
.B reverse-lookup on | off
674
675
Enable/disable client name unverified reverse lookup (default is 
.BR off 
676
677
if compiled with --enable-rlookups).
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
678
.B rootDSE <file>
679
680
681
682
Specify the name of an LDIF(5) file containing user defined attributes
for the root DSE.  These attributes are returned in addition to the
attributes normally produced by slapd.
.TP
Howard Chu's avatar
Howard Chu committed
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
.B sasl-authz-policy <policy>
Used to specify which rules to use for SASL Proxy Authorization. Proxy
authorization allows a client to authenticate to the server using one
user's credentials, but specify a different identity to use for authorization
and access control purposes. It essentially allows user A to login as user
B, using user A's password.
The
.B none
flag disables proxy authorization. This is the default setting.
The
.B from
flag will use rules in the
.I saslAuthzFrom
attribute of the authorization DN.
The
.B to
flag will use rules in the
.I saslAuthzTo
attribute of the authentication DN.
The
703
704
705
706
707
708
709
710
711
712
713
714
715
.B any
flag, an alias for the deprecated value of
.BR both ,
will allow any of the above, whatever succeeds first (checked in
.BR to ,
.B from
sequence.
The
.B all
flag requires both authorizations to succeed.
The rules are simply regular expressions specifying which DNs are allowed 
to perform proxy authorization.
The
Howard Chu's avatar
Howard Chu committed
716
717
718
719
720
721
722
723
724
725
726
727
728
.I saslAuthzFrom
attribute in an entry specifies which other users
are allowed to proxy login to this entry. The
.I saslAuthzTo
attribute in
an entry specifies which other users this user can authorize as.  Use of
.I saslAuthzTo
rules can be easily
abused if users are allowed to write arbitrary values to this attribute.
In general the
.I saslAuthzTo
attribute must be protected with ACLs such that
only privileged users can modify it.
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
The value of
.I saslAuthzFrom
and
.I saslAuthzTo
describes an 
.B identity 
or a set of identities; it can take three forms:
.RS
.RS
.TP
.B ldap:///<base>??[<scope>]?<filter>
.RE
.RS
.B dn[.<dnstyle>]:<pattern>
.RE
.RS
.B u[<mech>[<realm>]]:<pattern>
.RE
.RS
.B <pattern>
.RE
.RS

.B <dnstyle>:={exact|onelevel|children|subtree|regex}

.RE
The first form is a valid LDAP
.B uri
where the 
.IR <host>:<port> ,
the
.I <attrs>
and the
.I <extensions>
portions must be absent, so that the search occurs locally on either
.I saslAuthzFrom
or 
.IR saslAuthzTo .
The second form is a 
.BR DN ,
with the optional style modifiers
.IR exact ,
.IR onelevel ,
.IR children ,
and
.I subtree
for exact, onelevel, children and subtree matches, which cause 
.I <pattern>
to be normalized according to the DN normalization rules, or the special
.I regex
style, which causes
.I <pattern>
to be compiled according to 
.BR regex (7).
The third form is a SASL
.BR id ,
with the optional fields
.I <mech>
and
.I <realm>
that allow to specify a SASL
.BR mechanism ,
and eventually a SASL
.BR realm ,
for those mechanisms that support one.
The need to allow the specification of a mechanism is still debated, 
and users are strongly discouraged to rely on this possibility.
For backwards compatibility, if no identity type is provided, i.e. only
.B <pattern>
is present, an
.I exact DN
is assumed; as a consequence, 
.B <pattern>
is subjected to DN normalization.
Since the interpretation of
.I saslAuthzFrom
and
.I saslAuthzTo
can impact security, users are strongly encouraged 
to explicitly set the type of identity specification that is being used.
.RE
Howard Chu's avatar
Howard Chu committed
810
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
811
812
813
.B sasl-host <fqdn>
Used to specify the fully qualified domain name used for SASL processing.
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
814
815
.B sasl-realm <realm>
Specify SASL realm.  Default is empty.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
816
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
817
.B sasl-regexp <match> <replace>
818
819
820
821
Used by the SASL mechanism to convert a SASL authenticated 
username to an LDAP DN used for authorization purposes.  Note that
the resultant DN need not refer to an existing entry to be considered
valid.  When an authorization request is received, the SASL 
822
823
824
825
826
827
828
829
.B USERNAME, REALM, 
and
.B MECHANISM
are taken, when available, and combined into a SASL name of the 
form
.RS
.RS
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
830
.B UID=<username>[[,CN=<realm>],CN=<mechanism>,]CN=auth
831
832
833
834
835
836
837
838
839
840
841
842

.RE
This SASL name is then compared against the
.B match
regular expression, and if the match is successful, the SASL name is
replaced with the
.B replace
string. If there are wildcard strings in the 
.B match
regular expression that are enclosed in parenthesis, e.g. 
.RS
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
843
.B UID=([^,]*),CN=.*
844
845
846
847
848
849
850
851
852
853

.RE
then the portion of the SASL name that matched the wildcard will be stored
in the numbered placeholder variable $1. If there are other wildcard strings
in parenthesis, the matching strings will be in $2, $3, etc. up to $9. The 
placeholders can then be used in the 
.B replace
string, e.g. 
.RS
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
854
.B UID=$1,OU=Accounts,DC=example,DC=com 
855
856

.RE
Kurt Zeilenga's avatar
Kurt Zeilenga committed
857
858
859
860
861
862
863
864
865
The replaced SASL name can be either a DN or an LDAP URI. If the
latter, the server will use the URI to search its own database(s)
and, if the search returns exactly one entry, the SASL name is
replaced by the DN of that entry.   The LDAP URI must have no
hostport, attrs, or extensions components, e.g.
.RS
.TP
.B ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)

866
867
.RE
Multiple 
Kurt Zeilenga's avatar
Kurt Zeilenga committed
868
.B sasl-regexp 
869
870
871
options can be given in the configuration file to allow for multiple matching 
and replacement patterns. The matching patterns are checked in the order they 
appear in the file, stopping at the first successful match.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
872

873
874
875
876
.\".B Caution:
.\"Because the plus sign + is a character recognized by the regular expression engine,
.\"and it will appear in SASL names that include a REALM, be careful to escape the
.\"plus sign with a backslash \\+ to remove the character's special meaning.
877
878
.RE
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
879
880
881
882
.B sasl-secprops <properties>
Used to specify Cyrus SASL security properties.
The
.B none
883
flag (without any other properties) causes the flag properties
Kurt Zeilenga's avatar
Kurt Zeilenga committed
884
885
886
887
888
889
890
891
892
893
894
default, "noanonymous,noplain", to be cleared.
The
.B noplain
flag disables mechanisms susceptible to simple passive attacks.
The
.B noactive
flag disables mechanisms susceptible to active attacks.
The
.B nodict
flag disables mechanisms susceptible to passive dictionary attacks.
The
Kurt Zeilenga's avatar
Kurt Zeilenga committed
895
.B noanonymous
Kurt Zeilenga's avatar
Kurt Zeilenga committed
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
flag disables mechanisms which support anonymous login.
The
.B forwardsec
flag require forward secrecy between sessions.
The
.B passcred
require mechanisms which pass client credentials (and allow
mechanisms which can pass credentials to do so).
The
.B minssf=<factor> 
property specifies the minimum acceptable
.I security strength factor
as an integer approximate to effective key length used for
encryption.  0 (zero) implies no protection, 1 implies integrity
protection only, 56 allows DES or other weak ciphers, 112
allows triple DES and other strong ciphers, 128 allows RC4,
Blowfish and other modern strong ciphers.  The default is 0.
The
.B maxssf=<factor> 
property specifies the maximum acceptable
.I security strength factor
as an integer (see minssf description).  The default is INT_MAX.
The
Kurt Zeilenga's avatar
Kurt Zeilenga committed
919
.B maxbufsize=<size> 
Kurt Zeilenga's avatar
Kurt Zeilenga committed
920
921
922
property specifies the maximum security layer receive buffer
size allowed.  0 disables security layers.  The default is 65536.
.TP
923
924
925
926
.B schemadn <dn>
Specify the distinguished name for the subschema subentry that
controls the entries on this server.  The default is "cn=Subschema".
.TP
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
.B security <factors>
Specify a set of factors (separated by white space) to require.
An integer value is associated with each factor and is roughly
equivalent of the encryption key length to require.  A value
of 112 is equivalent to 3DES, 128 to Blowfish, etc..
The directive may be specified globally and/or per-database.
.B ssf=<n>
specifies the overall security strength factor.
.B transport=<n>
specifies the transport security strength factor.
.B tls=<n>
specifies the TLS security strength factor.
.B sasl=<n>
specifies the SASL security strength factor.
.B update_ssf=<n>
specifies the overall security strength factor to require for
directory updates.
.B update_transport=<n>
specifies the transport security strength factor to require for
directory updates.
.B update_tls=<n>
specifies the TLS security strength factor to require for
directory updates.
.B update_sasl=<n>
specifies the SASL security strength factor to require for
directory updates.
953
954
955
956
.B simple_bind=<n>
specifies the security strength factor required for
.I simple
username/password authentication.
957
958
959
960
961
Note that the
.B transport
factor is measure of security provided by the underlying transport,
e.g. ldapi:// (and eventually IPSEC).  It is not normally used.
.TP
962
.B sizelimit {<integer>|unlimited}
963
.TP
964
.B sizelimit size[.{soft|hard|unchecked}]=<integer> [...]
Kurt Zeilenga's avatar
Kurt Zeilenga committed
965
966
Specify the maximum number of entries to return from a search operation.
The default size limit is 500.
967
968
969
970
971
Use
.B -1
or 
.B unlimited
to specify no limits.
972
The second format allows a fine grain setting of the size limits.
973
Extra args can be added on the same line.
974
975
976
See
.BR limits
for an explanation of the different flags.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
977
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
978
.B sockbuf_max_incoming <integer>
979
980
981
982
983
984
Specify the maximum incoming LDAP PDU size for anonymous sessions.
The default is 262143.
.TP
.B sockbuf_max_incoming_auth <integer>
Specify the maximum incoming LDAP PDU size for authenticated sessions.
The default is 4194303.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
985
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
986
987
988
989
990
.B srvtab <filename>
Specify the srvtab file in which the kerberos keys necessary for
authenticating clients using kerberos can be found. This option is only
meaningful if you are using Kerberos authentication.
.TP
991
992
.B threads <integer>
Specify the maximum size of the primary thread pool.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
993
The default is 16.
994
.TP
995
.B timelimit {<integer>|unlimited}
996
.TP
997
.B timelimit time[.{soft|hard}]=<integer> [...]
Kurt Zeilenga's avatar
Kurt Zeilenga committed
998
999
1000
Specify the maximum number of seconds (in real time)
.B slapd
will spend answering a search request.  The default time limit is 3600.
For faster browsing, not all history is shown. View entire blame