.\" $OpenLDAP$
.\" Copyright 1998-2004 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
.TH SLAPD 8C "RELEASEDATE" "OpenLDAP LDVERSION"
.SH NAME
slapd \- Stand-alone LDAP Daemon
.SH SYNOPSIS
.B LIBEXECDIR/slapd 
.B [\-[4|6]]
.B [\-T {add|auth|cat|dn|index|passwd|test}]
.B [\-d debug\-level]
.B [\-f slapd\-config\-file]
.B [\-h URLs]
.B [\-n service\-name] [\-s syslog\-level] [\-l syslog\-local\-user]
.B [\-r directory]
.B [\-u user] [\-g group]
.B [\-c cookie]
.B 
.SH DESCRIPTION
.LP
.B Slapd
is the stand-alone LDAP daemon. It listens for LDAP connections on
any number of ports (default 389), responding
to the LDAP operations it receives over these connections.
.B slapd
is typically invoked at boot time, usually out of
.BR  /etc/rc.local .
Upon startup,
.B slapd
normally forks and disassociates itself from the invoking tty.
If configured in
.BR ETCDIR/slapd.conf ,
the
.B slapd
process will print its process ID (see
.BR getpid (2))
to a 
.B .pid
file, as well as the command line options during invocation to an
.B .args
file (see 
.BR slapd.conf (5)).
If the
.B \-d
flag is given, even with a zero argument,
.B slapd
will not fork and disassociate from the invoking tty.
.LP
.B Slapd
can be configured to provide replicated service for a database with
the help of
.BR slurpd ,
the standalone LDAP update replication daemon.
See
.BR slurpd (8)
for details.
.LP
See the "OpenLDAP Administrator's Guide" for more details on
.BR slapd .
.SH OPTIONS
.TP
.B \-4
Listen on IPv4 addresses only.
.TP
.B \-6
Listen on IPv6 addresses only.
.TP
.B \-T {a|c|d|i|p|t}
Run in Tool mode. The additional argument selects whether to run as
slapadd, slapcat, slapdn, slapindex, slappasswd, or slaptest. This option 
should be the first option specified when it is used. Any remaining options 
will be interpreted by the corresponding slap tool program. Note that these 
tool programs will usually be symbolic links to slapd. This option is provided 
for situations where symbolic links are not provided or not usable.
.TP
.BI \-d " debug\-level"
Turn on debugging as defined by
.IR debug\-level .
If this option is specified, even with a zero argument,
.B slapd
will not fork or disassociate from the invoking terminal.  Some general
operation and status messages are printed for any value of \fIdebug\-level\fP.
\fIdebug\-level\fP is taken as a bit string, with each bit corresponding to a
different kind of debugging information.  See <ldap.h> for details.
Remember that if you turn on packet logging, packets containing bind passwords
will be output, so if you redirect the log to a logfile, that file should
be read-protected.
.TP
.BI \-s " syslog\-level"
This option tells
.B slapd
at what level debugging statements should be logged to the
.BR syslog (8)
facility.
.TP
.BI \-n " service\-name"
Specifies the service name for logging and other purposes.  Defaults
to basename of argv[0], i.e.: "slapd".
.TP
.BI \-l " syslog\-local\-user"
Selects the local user of the
.BR syslog (8)
facility. Values can be 
.BR LOCAL0 , 
.BR LOCAL1 , 
and so on, up to 
.BR LOCAL7 . 
The default is
.BR LOCAL4 .
However, this option is only permitted on systems that support
local users with the 
.BR syslog (8)
facility.
.TP
.BI \-f " slapd\-config\-file"
Specifies the slapd configuration file. The default is
.BR ETCDIR/slapd.conf .
.TP
.BI \-h " URLlist"
.B slapd
will by default serve
.B ldap:///
(LDAP over TCP on all interfaces on default LDAP port).  That is, 
it will bind using INADDR_ANY and port 389.
The
.B \-h
option may be used to specify LDAP (and other scheme) URLs to serve.
For example, if slapd is given
.B "\-h \(dqldap://127.0.0.1:9009/ ldaps:/// ldapi:///\(dq", 
it will bind 127.0.0.1:9009 for LDAP, 0.0.0.0:636 for LDAP over TLS,
and LDAP over IPC (Unix domain sockets).  Host 0.0.0.0 represents
INADDR_ANY.
A space separated list of URLs is expected.  The URLs should be of
LDAP (ldap://) or LDAP over TLS (ldaps://) or LDAP over IPC (ldapi://)
scheme without a DN or other optional parameters, except an experimental
extension to indicate the permissions of the underlying listeners.
Support for the latter two schemes depends on selected configuration 
options.  Hosts may be specified by name or IPv4 and IPv6 address formats.
Ports, if specified, must be numeric.  The default ldap:// port is 389
and the default ldaps:// port is 636.
The socket permissions for LDAP over IPC are indicated by
"x-mod=-rwxrwxrwx", "x-mod=0777" or "x-mod=777", where any 
of the "rwx" can be "-" to suppress the related permission (note, 
however, that sockets only honor the "w" permission), while any 
of the "7" can be any legal octal digit, according to chmod(1).
While LDAP over IPC requires write permissions on the socket to allow
any operation, the other listeners can take advantage of the "x-mod"
extension to apply rough limitations to users, e.g. allow read operations
("r", which applies to search and compare), write operations ("w", 
which applies to add, delete, modify and modrdn), and execute operations
("x", which means bind is required).
"User" permissions apply to bound users, while "other" apply
to anonymous users.
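
The listener rules above, worked through as an added example (not part of this man page or the OpenLDAP sources): it resolves each URL of a \-h list to the address and port slapd would bind and decodes "x-mod". The function names are hypothetical, the last sample URL is constructed, and placing the extension in the fifth "?"-separated field of the URL is an assumption.

```python
import re
from urllib.parse import unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}      # defaults stated in the man page
OPS = {"r": ["search", "compare"], "w": ["add", "delete", "modify", "modrdn"]}

def parse_xmod(value):
    """Accept "-rwxrwxrwx", "0777" or "777"; return the nine permission bits."""
    if re.fullmatch(r"0?[0-7]{3}", value):
        return int(value, 8)
    if not re.fullmatch(r"-([r-][w-][x-]){3}", value):
        raise ValueError("bad x-mod value: " + value)
    return sum(1 << (8 - i) for i, ch in enumerate(value[1:]) if ch != "-")

def parse_listener(url):
    """Split one -h URL into scheme, bind host, port and x-mod bits (None if absent)."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps", "ldapi"):
        raise ValueError("unsupported listener URL: " + url)
    hostport, _, tail = rest.partition("/")
    fields = tail.split("?")      # assumed layout: dn?attrs?scope?filter?extensions
    mode = None
    for ext in (fields[4].split(",") if len(fields) > 4 else []):
        name, _, val = ext.partition("=")
        if name.lower() == "x-mod":
            mode = parse_xmod(val)
    if scheme == "ldapi":         # host part is a URL-encoded socket path, no port
        return {"scheme": scheme, "host": unquote(hostport), "port": None, "mode": mode}
    m = re.fullmatch(r"(\[[^\]]+\]|[^:\[\]]*)(?::(\d+))?", hostport)
    if not m:
        raise ValueError("bad host or non-numeric port: " + url)
    host = m.group(1).strip("[]") or "0.0.0.0"   # empty host means INADDR_ANY
    port = int(m.group(2)) if m.group(2) else DEFAULT_PORTS[scheme]
    return {"scheme": scheme, "host": host, "port": port, "mode": mode}

def allowed_ops(mode, who):
    """Operations x-mod grants on a TCP listener; who is "user" (bound) or "other" (anonymous)."""
    bits = mode >> {"user": 6, "other": 0}[who]
    return (OPS["r"] if bits & 4 else []) + (OPS["w"] if bits & 2 else [])

if __name__ == "__main__":
    # The first three URLs are the man page's example; the last one is constructed.
    for u in "ldap://127.0.0.1:9009/ ldaps:/// ldapi:/// ldap:///????x-mod=-rw-r--r--".split():
        print(parse_listener(u))
```

A listener whose resolved host is 0.0.0.0 is reachable on every interface, and a TCP listener whose "other" bits include "w" accepts write operations from anonymous users.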
.TP
.BI \-r " directory"
Specifies a chroot "jail" directory.  slapd will
.BR chdir (2)
then
.BR chroot (2)
to this directory after opening listeners but before reading
any configuration file or initializing any backend.
.TP
.BI \-u " user"
.B slapd
will run with the specified user name or id, and that user's
supplementary group access list as set with initgroups(3).  The group ID
is also changed to this user's gid, unless the \-g option is used to
override.
.TP
.BI \-g " group"
.B slapd
will run with the specified group name or id.
.LP
Note that on some systems, running as a non-privileged user will prevent
passwd back-ends from accessing the encrypted passwords.  Note also that
any shell back-ends will run as the specified non-privileged user.
.TP
.BI \-c " cookie"
This option provides a cookie for the syncrepl replication consumer.
The cookie is a comma separated list of name=value pairs.
Currently supported syncrepl cookie fields are
.BR csn ,
.BR sid ,
and
.BR rid .
.B csn
is the commit sequence number received by a previous synchronization
and represents the state of the consumer replica content which the
syncrepl engine will synchronize to the current provider content.
.B sid
is the identity of the per-scope session log with which the 
provider server can process this syncrepl request to reduce
synchronization traffic.
.B rid
identifies a replication thread within the consumer server
and is used to find the syncrepl specification in 
.BR slapd.conf (5)
having the matching replication identifier in its definition.
.SH EXAMPLES
To start 
.I slapd
and have it fork and detach from the terminal and start serving
the LDAP databases defined in the default config file, just type:
.LP
.nf
.ft tt
	LIBEXECDIR/slapd
.ft
.fi
.LP
To start 
.B slapd
with an alternate configuration file, and turn
on voluminous debugging which will be printed on standard error, type:
.LP
.nf
.ft tt
	LIBEXECDIR/slapd -f /var/tmp/slapd.conf -d 255
.ft
.fi
.LP
To test whether the configuration file is correct or not, type:
.LP
.nf
.ft tt
	LIBEXECDIR/slapd -Tt
.ft
.fi
.LP
.SH "SEE ALSO"
.BR ldap (3),
.BR slapd.conf (5),
.BR slapd.access (5),
.BR slapadd (8),
.BR slapcat (8),
.BR slapdn (8),
.BR slapindex (8),
.BR slappasswd (8),
.BR slaptest (8),
.BR slurpd (8)
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
.SH BUGS
See http://www.openldap.org/its/
.SH ACKNOWLEDGEMENTS
.B OpenLDAP
is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
.B OpenLDAP
is derived from University of Michigan LDAP 3.3 Release.