Commit 2fcfeb83 authored by Quanah Gibson-Mount

ITS#8742 - Bring slapd.conf.5 and slapd-config.5 in sync

parent 616e5bf1
...@@ -252,7 +252,7 @@ or a set of identities; it can take five forms: ...@@ -252,7 +252,7 @@ or a set of identities; it can take five forms:
.B dn[.<dnstyle>]:<pattern> .B dn[.<dnstyle>]:<pattern>
.RE .RE
.RS .RS
.B u[<mech>[<realm>]]:<pattern> .B u[.<mech>[<realm>]]:<pattern>
.RE .RE
.RS .RS
.B group[/objectClass[/attributeType]]:<pattern> .B group[/objectClass[/attributeType]]:<pattern>
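Review bot: the corrected `u[.<mech>[<realm>]]:<pattern>` form adds the dot before <mech> but still shows <realm> nested with no separator of its own, which leaves the reader guessing how a realm is written given the later sentence "and eventually a SASL realm for those mechanisms that support one"; since this commit exists to keep the two pages identical, confirm that slapd.conf.5 shows the same bracketing and the same realm separator, and spell the separator out in both.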
...@@ -277,6 +277,8 @@ portions must be absent, so that the search occurs locally on either ...@@ -277,6 +277,8 @@ portions must be absent, so that the search occurs locally on either
.I authzFrom .I authzFrom
or or
.IR authzTo . .IR authzTo .
.LP
The second form is a The second form is a
.BR DN , .BR DN ,
with the optional style modifiers with the optional style modifiers
...@@ -299,6 +301,8 @@ and/or ...@@ -299,6 +301,8 @@ and/or
A pattern of A pattern of
.I * .I *
means any non-anonymous DN. means any non-anonymous DN.
.LP
The third form is a SASL The third form is a SASL
.BR id , .BR id ,
with the optional fields with the optional fields
...@@ -312,25 +316,42 @@ and eventually a SASL ...@@ -312,25 +316,42 @@ and eventually a SASL
for those mechanisms that support one. for those mechanisms that support one.
The need to allow the specification of a mechanism is still debated, The need to allow the specification of a mechanism is still debated,
and users are strongly discouraged to rely on this possibility. and users are strongly discouraged to rely on this possibility.
The fourth form is a group specification, consisting of the keyword
.LP
The fourth form is a group specification.
It consists of the keyword
.BR group , .BR group ,
optionally followed by the specification of the group optionally followed by the specification of the group
.B objectClass .B objectClass
and member and
.BR attributeType . .BR attributeType .
The
.B objectClass
defaults to
.IR groupOfNames .
The
.B attributeType
defaults to
.IR member .
The group with DN The group with DN
.B <pattern> .B <pattern>
is searched with base scope, and in case of match, the values of the is searched with base scope, filtered on the specified
member .BR objectClass .
The values of the resulting
.B attributeType .B attributeType
are searched for the asserted DN. are searched for the asserted DN.
For backwards compatibility, if no identity type is provided, i.e. only
.LP
The fifth form is provided for backwards compatibility. If no identity
type is provided, i.e. only
.B <pattern> .B <pattern>
is present, an is present, an
.I exact DN .I exact DN
is assumed; as a consequence, is assumed; as a consequence,
.B <pattern> .B <pattern>
is subjected to DN normalization. is subjected to DN normalization.
.LP
Since the interpretation of Since the interpretation of
.I authzFrom .I authzFrom
and and
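Review bot: the unchanged context "users are strongly discouraged to rely on this possibility" should read "discouraged from relying on this possibility"; as ITS#8742 is a sync of the two pages, fix it in both. The rest of the hunk is a real improvement: stating that the base-scope search on the group DN is filtered on the objectClass, and giving the groupOfNames/member defaults, tells an administrator that an entry at that DN which is not an instance of the configured class cannot satisfy the group form.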
...@@ -340,7 +361,8 @@ to explicitly set the type of identity specification that is being used. ...@@ -340,7 +361,8 @@ to explicitly set the type of identity specification that is being used.
A subset of these rules can be used as third arg in the A subset of these rules can be used as third arg in the
.B olcAuthzRegexp .B olcAuthzRegexp
statement (see below); significantly, the statement (see below); significantly, the
.I URI .IR URI ,
provided it results in exactly one entry,
and the and the
.I dn.exact:<dn> .I dn.exact:<dn>
forms. forms.
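Review bot: "provided it results in exactly one entry" states a precondition on the URI form without its consequence; say what happens when the search matches zero entries or more than one (whether the mapping fails and no identity is assigned, or the first result is used), because an administrator putting a URI in olcAuthzRegexp needs to know that an over-broad filter cannot silently map a user to an unintended DN.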
...@@ -348,8 +370,10 @@ forms. ...@@ -348,8 +370,10 @@ forms.
.TP .TP
.B olcAuthzRegexp: <match> <replace> .B olcAuthzRegexp: <match> <replace>
Used by the authentication framework to convert simple user names, Used by the authentication framework to convert simple user names,
such as provided by SASL subsystem, to an LDAP DN used for such as provided by SASL subsystem, or extracted from certificates
authorization purposes. Note that the resultant DN need not refer in case of cert-based SASL EXTERNAL, or provided within the RFC 4370
"proxied authorization" control, to an LDAP DN used for
authorization purposes. Note that the resulting DN need not refer
to an existing entry to be considered valid. When an authorization to an existing entry to be considered valid. When an authorization
request is received from the SASL subsystem, the SASL request is received from the SASL subsystem, the SASL
.BR USERNAME , .BR USERNAME ,
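Review bot: the new list of identity sources (SASL subsystem, certificate subject under SASL EXTERNAL, RFC 4370 proxied authorization control) is immediately followed by the unchanged "When an authorization request is received from the SASL subsystem", which only covers the first source; reword so the rewrite is described for all three. Add a cross-reference back to olcAuthzTo/olcAuthzFrom as well, so the regexp is not read as granting proxied authorization on its own: it rewrites the asserted identity into a DN, and the authz rules described earlier decide whether the bound identity may assume it.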
...@@ -595,11 +619,11 @@ access control list processing ...@@ -595,11 +619,11 @@ access control list processing
.TP .TP
.B 256 .B 256
.B (0x100 stats) .B (0x100 stats)
stats log connections/operations/results connections, LDAP operations, results (recommended)
.TP .TP
.B 512 .B 512
.B (0x200 stats2) .B (0x200 stats2)
stats log entries sent stats2 log entries sent
.TP .TP
.B 1024 .B 1024
.B (0x400 shell) .B (0x400 shell)
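Review bot: the 512 entry now reads "stats2 log entries sent" while the rewritten 256 entry drops the keyword and reads "connections, LDAP operations, results (recommended)"; pick one convention for both (the same pair is edited in slapd.conf.5 further down in this commit). "stats2 log entries sent" also looks like the old "stats log entries sent" with only the keyword swapped rather than a deliberate rewrite.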
...@@ -790,7 +814,7 @@ property specifies the maximum security layer receive buffer ...@@ -790,7 +814,7 @@ property specifies the maximum security layer receive buffer
size allowed. 0 disables security layers. The default is 65536. size allowed. 0 disables security layers. The default is 65536.
.TP .TP
.B olcServerID: <integer> [<URL>] .B olcServerID: <integer> [<URL>]
Specify an integer ID from 0 to 4095 for this server. The ID may also be Specify an integer ID from 0 to 4095 for this server. The ID may also be
specified as a hexadecimal ID by prefixing the value with "0x". specified as a hexadecimal ID by prefixing the value with "0x".
Non-zero IDs are required when using multi-provider replication and each Non-zero IDs are required when using multi-provider replication and each
provider must have a unique non-zero ID. Note that this requirement also provider must have a unique non-zero ID. Note that this requirement also
...@@ -853,8 +877,8 @@ you can specify. ...@@ -853,8 +877,8 @@ you can specify.
.TP .TP
.B olcTLSCipherSuite: <cipher-suite-spec> .B olcTLSCipherSuite: <cipher-suite-spec>
Permits configuring what ciphers will be accepted and the preference order. Permits configuring what ciphers will be accepted and the preference order.
<cipher-suite-spec> should be a cipher specification for <cipher-suite-spec> should be a cipher specification for the TLS library
the TLS library in use (OpenSSL or GnuTLS). in use (OpenSSL or GnuTLS).
Example: Example:
.RS .RS
.RS .RS
...@@ -890,7 +914,12 @@ In older versions of GnuTLS, where gnutls\-cli does not support the option ...@@ -890,7 +914,12 @@ In older versions of GnuTLS, where gnutls\-cli does not support the option
Specifies the file that contains certificates for all of the Certificate Specifies the file that contains certificates for all of the Certificate
Authorities that Authorities that
.B slapd .B slapd
will recognize. will recognize. The certificate for
the CA that signed the server certificate must be included among
these certificates. If the signing CA was not a top-level (root) CA,
certificates for the entire sequence of CA's from the signing CA to
the top-level CA should be present. Multiple certificates are simply
appended to the file; the order is not significant.
.TP .TP
.B olcTLSCACertificatePath: <path> .B olcTLSCACertificatePath: <path>
Specifies the path of a directory that contains Certificate Authority Specifies the path of a directory that contains Certificate Authority
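Review bot: the added chain text says the signing CA "must be included" but intermediates "should be present"; if the server needs the complete chain in this file to present it to clients, use "must" for both. It is also worth one sentence that everything in this file is trusted for verifying client certificates too (the opening sentence already calls it the list of CAs slapd "will recognize"), so an administrator does not drop an unrelated public root in here merely to complete the server's own chain.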
...@@ -1012,8 +1041,8 @@ Check the CRL for a whole certificate chain ...@@ -1012,8 +1041,8 @@ Check the CRL for a whole certificate chain
.TP .TP
.B olcTLSCRLFile: <filename> .B olcTLSCRLFile: <filename>
Specifies a file containing a Certificate Revocation List to be used Specifies a file containing a Certificate Revocation List to be used
for verifying that certificates have not been revoked. This parameter for verifying that certificates have not been revoked. This parameter is
is only valid when using GnuTLS. only valid when using GnuTLS.
.SH DYNAMIC MODULE OPTIONS .SH DYNAMIC MODULE OPTIONS
If If
.B slapd .B slapd
...@@ -1092,6 +1121,37 @@ attribute syntax OID. ...@@ -1092,6 +1121,37 @@ attribute syntax OID.
description.) description.)
.RE .RE
.HP
.hy 0
.B olcLdapSyntaxes "(\ <oid>\
[DESC\ <description>]\
[X\-SUBST <substitute-syntax>]\ )"
.RS
Specify an LDAP syntax using the LDAPv3 syntax defined in RFC 4512.
The slapd parser extends the RFC 4512 definition by allowing string
forms as well as numeric OIDs to be used for the syntax OID.
(See the
.B objectidentifier
description.)
The slapd parser also honors the
.B X\-SUBST
extension (an OpenLDAP-specific extension), which allows one to use the
.B olcLdapSyntaxes
attribute to define a non-implemented syntax along with another syntax,
the extension value
.IR substitute-syntax ,
as its temporary replacement.
The
.I substitute-syntax
must be defined.
This allows one to define attribute types that make use of non-implemented syntaxes
using the correct syntax OID.
Unless
.B X\-SUBST
is used, this configuration statement would result in an error,
since no handlers would be associated to the resulting syntax structure.
.RE
.HP .HP
.hy 0 .hy 0
.B olcObjectClasses: "(\ <oid>\ .B olcObjectClasses: "(\ <oid>\
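Review bot: `.B olcLdapSyntaxes "(\ <oid>\` is missing the colon that the neighbouring entry uses (`.B olcObjectClasses: "(\ <oid>\`). On substance, "The substitute-syntax must be defined" should add that values of attributes declared with the non-implemented OID are validated, normalized and matched by the substitute's handlers, which follows from the closing sentence that handlers are what the substitute supplies; an administrator who substitutes a permissive syntax for a strict one is loosening input validation for every attribute using that OID and should be told so.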
...@@ -1120,12 +1180,13 @@ value "oid.xx" will be used. ...@@ -1120,12 +1180,13 @@ value "oid.xx" will be used.
.SH GENERAL BACKEND OPTIONS .SH GENERAL BACKEND OPTIONS
Options in these entries only apply to the configuration of a single Options in these entries only apply to the configuration of a single
type of backend. All backends may support this class of options, but type of backend. All backends may support this class of options, but
currently none do. currently only back-mdb does.
The entry must be named The entry must be named
.B olcBackend=<databasetype>,cn=config .B olcBackend=<databasetype>,cn=config
and must have the olcBackendConfig objectClass. and must have the olcBackendConfig objectClass.
<databasetype> <databasetype>
should be one of should be one of
.BR asyncmeta ,
.BR config , .BR config ,
.BR dnssrv , .BR dnssrv ,
.BR ldap , .BR ldap ,
...@@ -1138,11 +1199,12 @@ should be one of ...@@ -1138,11 +1199,12 @@ should be one of
.BR passwd , .BR passwd ,
.BR perl , .BR perl ,
.BR relay , .BR relay ,
.BR shell , .BR sock ,
.BR sql ,
or or
.BR sql . .BR wt .
At present, no backend implements any options of this type, so this At present, only back-mdb implements any options of this type, so this
entry should not be used. entry should not be used for any other backends.
.SH DATABASE OPTIONS .SH DATABASE OPTIONS
Database options are set in entries named Database options are set in entries named
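Review bot: "At present, only back-mdb implements any options of this type, so this entry should not be used for any other backends" repeats "All backends may support this class of options, but currently only back-mdb does" from the previous hunk; keep one of the two. "Should not be used" is also not a constraint: say whether slapd rejects an olcBackend entry for a backend that defines no options, or accepts and ignores it.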
...@@ -1349,7 +1411,7 @@ to specify no limits. ...@@ -1349,7 +1411,7 @@ to specify no limits.
The second format allows a fine grain setting of the size limits. The second format allows a fine grain setting of the size limits.
If no special qualifiers are specified, both soft and hard limits are set. If no special qualifiers are specified, both soft and hard limits are set.
Extra args can be added in the same value. Extra args can be added in the same value.
Additional qualifiers are available. See Additional qualifiers are available; see
.BR olcLimits .BR olcLimits
for an explanation of all of the different flags. for an explanation of all of the different flags.
.TP .TP
...@@ -1574,7 +1636,7 @@ If it is set to the keyword ...@@ -1574,7 +1636,7 @@ If it is set to the keyword
.IR unlimited , .IR unlimited ,
no limit is applied (the default). no limit is applied (the default).
If it is set to If it is set to
.IR disable , .IR disabled ,
the search is not even performed; this can be used to disallow searches the search is not even performed; this can be used to disallow searches
for a specific set of users. for a specific set of users.
If no limit specifier is set, the value is assigned to the If no limit specifier is set, the value is assigned to the
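Review bot: `disable` to `disabled` is a change to a configuration keyword, not just prose; confirm against the limits parser that `disabled` is the spelling slapd accepts, since a reader copying it into a limits statement gets a hard configuration error if the page is wrong, and check that slapd.conf.5 carries the same spelling after this commit.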
...@@ -1658,11 +1720,17 @@ resolve an entry, used to avoid infinite alias loops. The default is 15. ...@@ -1658,11 +1720,17 @@ resolve an entry, used to avoid infinite alias loops. The default is 15.
.B olcMultiProvider: TRUE | FALSE .B olcMultiProvider: TRUE | FALSE
This option puts a consumer database into Multi-Provider mode. Update This option puts a consumer database into Multi-Provider mode. Update
operations will be accepted from any user, not just the updatedn. The operations will be accepted from any user, not just the updatedn. The
database must already be configured as syncrepl consumer database must already be configured as a syncrepl consumer
before this keyword may be set. This mode also requires a before this keyword may be set. This mode also requires a
.B olcServerID .B olcServerID
(see above) to be configured. (see above) to be configured.
By default, this setting is FALSE. By default, this setting is FALSE.
.B olcMonitoring: TRUE | FALSE
This option enables database-specific monitoring in the entry related
to the current database in the "cn=Databases,cn=Monitor" subtree
of the monitor database, if the monitor database is enabled.
Currently, only the MDB database provides database-specific monitoring.
The default depends on the backend type.
.TP .TP
.B olcPlugin: <plugin_type> <lib_path> <init_function> [<arguments>] .B olcPlugin: <plugin_type> <lib_path> <init_function> [<arguments>]
Configure a SLAPI plugin. See the Configure a SLAPI plugin. See the
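Review bot: `.B olcMonitoring: TRUE | FALSE` is inserted without a preceding `.TP`, so it will not render as its own tagged paragraph but as bold text continuing the olcMultiProvider paragraph straight after "By default, this setting is FALSE."; add `.TP` before it like every other option in this list. "The default depends on the backend type" is also vague for the single backend the paragraph names: state what the MDB default is.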
...@@ -1679,7 +1747,8 @@ when initially populating a database). If the rootdn is within ...@@ -1679,7 +1747,8 @@ when initially populating a database). If the rootdn is within
a namingContext (suffix) of the database, a simple bind password a namingContext (suffix) of the database, a simple bind password
may also be provided using the may also be provided using the
.B olcRootPW .B olcRootPW
directive. Note that the rootdn is always needed when using syncrepl. directive. Many optional features, including syncrepl, require the
rootdn to be defined for the database.
The The
.B olcRootDN .B olcRootDN
of the of the
...@@ -1834,7 +1903,8 @@ replication engine. ...@@ -1834,7 +1903,8 @@ replication engine.
identifies the current identifies the current
.B syncrepl .B syncrepl
directive within the replication consumer site. directive within the replication consumer site.
It is a non-negative integer having no more than three decimal digits. It is a non-negative integer not greater than 999 (limited
to three decimal digits).
.B provider .B provider
specifies the replication provider site containing the provider content specifies the replication provider site containing the provider content
...@@ -1849,7 +1919,7 @@ specification as its result set. The consumer ...@@ -1849,7 +1919,7 @@ specification as its result set. The consumer
will send search requests to the provider will send search requests to the provider
.B slapd .B slapd
according to the search specification. The search specification includes according to the search specification. The search specification includes
.B searchbase, scope, filter, attrs, attrsonly, sizelimit, .BR searchbase ", " scope ", " filter ", " attrs ", " attrsonly ", " sizelimit ", "
and and
.B timelimit .B timelimit
parameters as in the normal search specification. The parameters as in the normal search specification. The
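Review bot: the `.BR` line now carries thirteen alternating arguments; classic troff limited macro arguments to nine (groff does not), so either split it over two `.BR` lines or confirm the page is only ever built with groff. The change itself is right: the `.B` it replaces set "searchbase, scope, ..." including the commas entirely in bold.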
...@@ -1862,6 +1932,11 @@ The \fBscope\fP defaults to \fBsub\fP, the \fBfilter\fP defaults to ...@@ -1862,6 +1932,11 @@ The \fBscope\fP defaults to \fBsub\fP, the \fBfilter\fP defaults to
attributes, and \fBattrsonly\fP and \fBexattrs\fP are unset by default. attributes, and \fBattrsonly\fP and \fBexattrs\fP are unset by default.
The \fBsizelimit\fP and \fBtimelimit\fP only The \fBsizelimit\fP and \fBtimelimit\fP only
accept "unlimited" and positive integers, and both default to "unlimited". accept "unlimited" and positive integers, and both default to "unlimited".
The \fBsizelimit\fP and \fBtimelimit\fP parameters define
a consumer requested limitation on the number of entries that can be returned
by the LDAP Content Synchronization operation; as such, it is intended
to implement partial replication based on the size of the replicated database
and on the time required by the synchronization.
Note, however, that any provider-side limits for the replication identity Note, however, that any provider-side limits for the replication identity
will be enforced by the provider regardless of the limits requested will be enforced by the provider regardless of the limits requested
by the LDAP Content Synchronization operation, much like for any other by the LDAP Content Synchronization operation, much like for any other
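Review bot: "as such, it is intended to implement partial replication based on the size of the replicated database and on the time required by the synchronization" uses a singular "it" for two parameters and describes timelimit as a limit "on the number of entries", which it is not; reword along the lines of "These are consumer-requested limits: sizelimit caps the number of entries returned by the LDAP Content Synchronization operation, timelimit caps its duration", and keep the following sentence about provider-side limits being enforced regardless directly after it, since that is the caveat an administrator attempting partial replication this way actually needs.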
...@@ -1895,11 +1970,20 @@ For example, retry="60 10 300 3" lets the consumer retry every 60 seconds ...@@ -1895,11 +1970,20 @@ For example, retry="60 10 300 3" lets the consumer retry every 60 seconds
for the first 10 times and then retry every 300 seconds for the next 3 for the first 10 times and then retry every 300 seconds for the next 3
times before stop retrying. The `+' in <# of retries> means indefinite times before stop retrying. The `+' in <# of retries> means indefinite
number of retries until success. number of retries until success.
If no
.B retry
is specified, by default syncrepl retries every hour forever.
The schema checking can be enforced at the LDAP Sync The schema checking can be enforced at the LDAP Sync
consumer site by turning on the consumer site by turning on the
.B schemachecking .B schemachecking
parameter. The default is off. parameter. The default is \fBoff\fP.
Schema checking \fBon\fP means that replicated entries must have
a structural objectClass, must obey to objectClass requirements
in terms of required/allowed attributes, and that naming attributes
and distinguished values must be present.
As a consequence, schema checking should be \fBoff\fP when partial
replication is used.
The The
.B network\-timeout .B network\-timeout
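Review bot: "must obey to objectClass requirements" should be "must obey objectClass requirements". The documented retry default ("every hour forever") is a useful addition; the schemachecking paragraph could state the trade-off it implies directly, that with checking off the consumer will store entries that violate its own schema, which is what partial replication is buying with that setting.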
...@@ -1922,6 +2006,7 @@ and ...@@ -1922,6 +2006,7 @@ and
.B credentials .B credentials
and should only be used when adequate security services and should only be used when adequate security services
(e.g. TLS or IPSEC) are in place. (e.g. TLS or IPSEC) are in place.
.B REMEMBER: simple bind credentials must be in cleartext!
A A
.B bindmethod .B bindmethod
of of
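Review bot: `.B REMEMBER: simple bind credentials must be in cleartext!` shouts and is ambiguous as written (cleartext on the wire, or in the file?); replace it with a plain sentence saying that the `credentials` value is the password itself, stored unhashed in the configuration, so the config file or cn=config database must be protected accordingly, and that the preceding sentence about TLS or IPsec is what covers the on-the-wire exposure.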
...@@ -1943,10 +2028,16 @@ keyword above) for a SASL bind can be set with the ...@@ -1943,10 +2028,16 @@ keyword above) for a SASL bind can be set with the
option. A non default SASL realm can be set with the option. A non default SASL realm can be set with the
.B realm .B realm
option. option.
The provider, other than allow authentication of the syncrepl identity, The identity used for synchronization by the consumer should be allowed
should grant that identity appropriate access privileges to the data to receive an unlimited number of entries in response to a search request.
that is being replicated (\fBaccess\fP directive), and appropriate time The provider, other than allowing authentication of the syncrepl identity,
and size limits (\fBlimits\fP directive). should grant that identity appropriate access privileges to the data
that is being replicated (\fBaccess\fP directive), and appropriate time
and size limits.
This can be accomplished by either allowing unlimited \fBsizelimit\fP
and \fBtimelimit\fP, or by setting an appropriate \fBlimits\fP statement
in the consumer's configuration (see \fBsizelimit\fP and \fBlimits\fP
for details).
The The
.B keepalive .B keepalive
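Review bot: "by setting an appropriate limits statement in the consumer's configuration" names the wrong side: the limits that constrain the syncrepl identity are enforced by the provider, as this same page says a few paragraphs earlier ("any provider-side limits for the replication identity will be enforced by the provider regardless of the limits requested"), and the sentence immediately above already has the provider granting access and limits, so the limits statement belongs in the provider's configuration. The new opening sentence ("should be allowed to receive an unlimited number of entries") and the existing "appropriate time and size limits" also say the same thing twice; merge them.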
...@@ -1975,8 +2066,8 @@ fails. Otherwise the syncrepl session continues without TLS. The ...@@ -1975,8 +2066,8 @@ fails. Otherwise the syncrepl session continues without TLS. The
.B tls_reqcert .B tls_reqcert
setting defaults to "demand", the setting defaults to "demand", the
.B tls_reqsan .B tls_reqsan
setting defaults to "allow", and the other TLS settings default to the same setting defaults to "allow", and the other TLS settings
as the main slapd TLS settings. default to the same as the main slapd TLS settings.
The The
.B suffixmassage .B suffixmassage
...@@ -315,14 +315,14 @@ and users are strongly discouraged to rely on this possibility. ...@@ -315,14 +315,14 @@ and users are strongly discouraged to rely on this possibility.
The fourth form is a group specification. The fourth form is a group specification.
It consists of the keyword It consists of the keyword
.BR group , .BR group ,
optionally followed by the specification of optionally followed by the specification of the group
.B objectClass .B objectClass
and and
.BR attributeType . .BR attributeType .
The The
.B objectClass .B objectClass
defaults to defaults to
.IR memberOf . .IR groupOfNames .
The The
.B attributeType .B attributeType
defaults to defaults to
...@@ -436,7 +436,9 @@ appear in the file, stopping at the first successful match. ...@@ -436,7 +436,9 @@ appear in the file, stopping at the first successful match.
.TP .TP
.B concurrency <integer> .B concurrency <integer>
Specify a desired level of concurrency. Provided to the underlying Specify a desired level of concurrency. Provided to the underlying
thread system as a hint. The default is not to provide any hint. thread system as a hint. The default is not to provide any hint. This setting
is only meaningful on some platforms where there is not a one to one
correspondence between user threads and kernel threads.
.TP .TP
.B conn_max_pending <integer> .B conn_max_pending <integer>
Specify the maximum number of pending requests for an anonymous session. Specify the maximum number of pending requests for an anonymous session.
...@@ -500,7 +502,7 @@ A SIGHUP signal will only cause a 'gentle' shutdown-attempt: ...@@ -500,7 +502,7 @@ A SIGHUP signal will only cause a 'gentle' shutdown-attempt:
will stop listening for new connections, but will not close the will stop listening for new connections, but will not close the
connections to the current clients. Future write operations return connections to the current clients. Future write operations return
unwilling-to-perform, though. Slapd terminates when all clients unwilling-to-perform, though. Slapd terminates when all clients
have closed their connections (if they ever do), or - as before - have closed their connections (if they ever do), or \- as before \-
if it receives a SIGTERM signal. This can be useful if you wish to if it receives a SIGTERM signal. This can be useful if you wish to
terminate the server and start a new terminate the server and start a new
.B slapd .B slapd
...@@ -513,7 +515,7 @@ along with this option. ...@@ -513,7 +515,7 @@ along with this option.
.TP .TP
.B idletimeout <integer> .B idletimeout <integer>
Specify the number of seconds to wait before forcibly closing Specify the number of seconds to wait before forcibly closing
an idle client connection. A idletimeout of 0 disables this an idle client connection. A setting of 0 disables this
feature. The default is 0. You may also want to set the feature. The default is 0. You may also want to set the
.B writetimeout .B writetimeout
option. option.
...@@ -538,16 +540,16 @@ bytes of the binary integer will be used for index keys. The default ...@@ -538,16 +540,16 @@ bytes of the binary integer will be used for index keys. The default
value is 4, which provides exact indexing for 31 bit values. value is 4, which provides exact indexing for 31 bit values.
A floating point representation is used to index too large values. A floating point representation is used to index too large values.
.TP .TP
.B index_substr_if_minlen <integer>
Specify the minimum length for subinitial and subfinal indices. An
attribute value must have at least this many characters in order to be
processed by the indexing functions. The default is 2.
.TP
.B index_substr_if_maxlen <integer> .B index_substr_if_maxlen <integer>
Specify the maximum length for subinitial and subfinal indices. Only Specify the maximum length for subinitial and subfinal indices. Only
this many characters of an attribute value will be processed by the this many characters of an attribute value will be processed by the
indexing functions; any excess characters are ignored. The default is 4. indexing functions; any excess characters are ignored. The default is 4.
.TP .TP
.B index_substr_if_minlen <integer>
Specify the minimum length for subinitial and subfinal indices. An
attribute value must have at least this many characters in order to be
processed by the indexing functions. The default is 2.
.TP
.B index_substr_any_len <integer> .B index_substr_any_len <integer>
Specify the length used for subany indices. An attribute value must have Specify the length used for subany indices. An attribute value must have
at least this many characters in order to be processed. Attribute values at least this many characters in order to be processed. Attribute values
...@@ -675,7 +677,7 @@ connections, LDAP operations, results (recommended) ...@@ -675,7 +677,7 @@ connections, LDAP operations, results (recommended)
.TP .TP
.B 512 .B 512
.B (0x200 stats2) .B (0x200 stats2)
stats log entries sent stats2 log entries sent
.TP .TP
.B 1024 .B 1024
.B (0x400 shell) .B (0x400 shell)
...@@ -839,6 +841,14 @@ The (absolute) name of a file that will hold the ...@@ -839,6 +841,14 @@ The (absolute) name of a file that will hold the
server's process ID (see server's process ID (see
.BR getpid (2)). .BR getpid (2)).
.TP .TP
.B pluginlog: <filename>
The ( absolute ) name of a file that will contain log
messages from
.B SLAPI
plugins. See
.BR slapd.plugin (5)
for details.
.TP
.B referral <url> .B referral <url>
Specify the referral to pass back when Specify the referral to pass back when
.BR slapd (8) .BR slapd (8)
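Review bot: "( absolute )" has stray spaces inside the parentheses (the pidfile entry just above uses "(absolute)"), and `pluginlog: <filename>` carries a colon that no other slapd.conf directive on this page uses (`referral <url>`, `sasl\-realm <realm>`); the colon is the olc* attribute style from slapd-config.5 and should be dropped here.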
...@@ -908,6 +918,10 @@ Used to specify the fully qualified domain name used for SASL processing. ...@@ -908,6 +918,10 @@ Used to specify the fully qualified domain name used for SASL processing.
.B sasl\-realm <realm> .B sasl\-realm <realm>
Specify SASL realm. Default is empty. Specify SASL realm. Default is empty.
.TP .TP
.B sasl\-cbinding none | tls-unique | tls-endpoint
Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING.
Default is none.
.TP
.B sasl\-secprops <properties> .B sasl\-secprops <properties>
Used to specify Cyrus SASL security properties. Used to specify Cyrus SASL security properties.
The The
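Review bot: "see also LDAP_OPT_X_SASL_CBINDING" points a configuration page at a C constant; reference the man page where the client-side counterpart is documented instead. The three values also deserve a line each: `none` disables channel binding, `tls-unique` and `tls-endpoint` bind the SASL exchange to the TLS channel in two different ways, and neither has any effect unless the session is protected by TLS and the SASL mechanism in use supports channel binding, which is exactly what an administrator enabling this as relay protection needs to know before relying on it.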
...@@ -951,9 +965,6 @@ The ...@@ -951,9 +965,6 @@ The
property specifies the maximum security layer receive buffer property specifies the maximum security layer receive buffer
size allowed. 0 disables security layers. The default is 65536. size allowed. 0 disables security layers. The default is 65536.
.TP .TP
.B sasl\-cbinding none | tls-unique | tls-endpoint
Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING.
.TP
.B schemadn <dn> .B schemadn <dn>
Specify the distinguished name for the subschema subentry that Specify the distinguished name for the subschema subentry that
controls the entries on this server. The default is "cn=Subschema". controls the entries on this server. The default is "cn=Subschema".
...@@ -1009,7 +1020,8 @@ is only valid for single provider replication. ...@@ -1009,7 +1020,8 @@ is only valid for single provider replication.
Example: Example:
.LP