SLAPD.CONF(5)             FILE FORMATS              SLAPD.CONF(5)


NAME

     slapd.conf - configuration file for slapd,  the  stand-alone
     LDAP daemon


SYNOPSIS

     ETCDIR/slapd.conf


DESCRIPTION

     The file ETCDIR/slapd.conf contains configuration information
     for the slapd(8) daemon.  This configuration file is also used
     by the slurpd(8) replication daemon and by the SLAPD tools
     slapadd(8), slapcat(8), and slapindex(8).

     The slapd.conf file consists of a series of global
     configuration options that apply to slapd as a whole
     (including all backends), followed by zero or more database
     backend definitions that contain information specific to a
     backend instance.

     The general format of slapd.conf is as follows:

         # comment - these options apply to every database
         <global configuration options>
         # first database definition & configuration options
         database <backend 1 type>
         <configuration options specific to backend 1>
         # subsequent database definitions & configuration options
         ...

     As  many  backend-specific  sections  as  desired   may   be
     included.   Global  options  can  be overridden in a backend
     (for options that appear more than once, the last appearance
     in the slapd.conf file is used).

     If a line begins with white space, it is considered a
     continuation of the previous line.  Blank lines and comment
     lines beginning with a `#' character are ignored.  (Note:
     continuation lines are unwrapped before comment processing is
     applied.)

     Arguments on configuration lines are separated by white space.
     If an argument contains white space, the argument should be
     enclosed in double quotes.  If an argument contains a double
     quote (`"') or a backslash character (`\'), the character
     should be preceded by a backslash character.

     The specific configuration options available  are  discussed
     below  in  the Global Configuration Options, General Backend
     Options, and  General  Database  Options.   Backend-specific
     options  are  discussed  in  the  slapd-<backend>(5)  manual
     pages.  Refer to the "OpenLDAP  Administrator's  Guide"  for
     more details on the slapd configuration file.

OpenLDAP LDVERSION  Last change: RELEASEDATE                    1


GLOBAL CONFIGURATION OPTIONS

     Options described in this section  apply  to  all  backends,
     unless  specifically  overridden  in  a  backend definition.
     Arguments that should be replaced by actual text  are  shown
     in brackets <>.

     access to <what> [ by <who> <access> <control> ]+
          Grant access  (specified  by  <access>)  to  a  set  of
          entries  and/or attributes (specified by <what>) by one
          or  more  requestors   (specified   by   <who>).    See
          slapd.access(5) and the "OpenLDAP Administrator's Guide"
          for details.

     allow <features>
          Specify a set of features (separated by white space) to
          allow (default none).  bind_v2 allows acceptance of LDAPv2
          bind requests.  Note that slapd(8) does not truly
          implement LDAPv2 (RFC 1777), now Historic (RFC 3494).
          bind_anon_cred allows anonymous bind when credentials are
          not empty (e.g. when DN is empty).  bind_anon_dn allows
          unauthenticated (anonymous) bind when DN is not empty.
          update_anon allows unauthenticated (anonymous) update
          operations to be processed (subject to access controls and
          other administrative limits).

     argsfile <filename>
          The ( absolute ) name of a  file  that  will  hold  the
          slapd  server's command line options if started without
          the debugging command line option.

     attributeoptions [option-name]...
          Define tagging attribute options  or  option  tag/range
          prefixes.  Options must not end with `-', prefixes must
          end with `-'.  The `lang-' prefix  is  predefined.   If
          you use the attributeoptions directive, `lang-' will no
          longer be defined and you must specify it explicitly if
          you want it defined.

          An attribute description with a  tagging  option  is  a
          subtype  of  that  attribute  description  without  the
          option.  Except for that, options defined this way have
          no  special  semantics.  Prefixes defined this way work
          like the `lang-' options:  They  define  a  prefix  for
          tagging  options starting with the prefix.  That is, if
          you define the prefix `x-foo-', you can use the  option
          `x-foo-bar'.   Furthermore,  in  a search or compare, a
          prefix or range name (with a trailing `-') matches  all
          options  starting with that name, as well as the option
          with the range name sans the trailing  `-'.   That  is,
          `x-foo-bar-' matches `x-foo-bar' and `x-foo-bar-baz'.

          RFC 2251  reserves  options  beginning  with  `x-'  for
          private   experiments.    Other   options   should   be
          registered  with  IANA,  see  RFC  3383  section   3.4.
          OpenLDAP  also  has  the  `binary' option built in, but
          this is a transfer option, not a tagging option.

     attributetype  ( <oid>  [NAME <name>]   [DESC <description>]
          [OBSOLETE]         [SUP <oid>]         [EQUALITY <oid>]
          [ORDERING <oid>]    [SUBSTR <oid>]    [SYNTAX <oidlen>]
          [SINGLE-VALUE]    [COLLECTIVE]   [NO-USER-MODIFICATION]
          [USAGE <attributeUsage>] )
          Specify an  attribute  type  using  the  LDAPv3  syntax
          defined  in RFC 2252.  The slapd parser extends the RFC
          2252 definition by allowing string  forms  as  well  as
          numeric  OIDs  to  be  used  for  the attribute OID and
          attribute  syntax  OID.   (See   the   objectidentifier
          description.)

     concurrency <integer>
          Specify a desired level of  concurrency.   Provided  to
          the underlying thread system as a hint.  The default is
          not to provide any hint.

     conn_max_pending <integer>
          Specify the maximum number of pending requests  for  an
          anonymous  session.   If  requests are submitted faster
          than the server can process them, they will  be  queued
          up to this limit. If the limit is exceeded, the session
          is closed. The default is 100.

     conn_max_pending_auth <integer>
          Specify the maximum number of pending requests  for  an
          authenticated session.  The default is 1000.

     defaultsearchbase <dn>
          Specify a default search base to use when a client
          submits a non-base search request with an empty base DN.

     disallow <features>
          Specify a set of features (separated by white space) to
          disallow (default none).  bind_anon disables acceptance
          of  anonymous  bind  requests.   bind_simple   disables
          simple   (bind)  authentication.   bind_krbv4  disables
          Kerberos V4 (bind) authentication.  tls_2_anon prevents
          Start TLS from forcing the session to anonymous status
          (see also tls_authc).  tls_authc disables Start TLS if
          authenticated (see also tls_2_anon).

     ditcontentrule  ( <oid>  [NAME <name>]  [DESC <description>]
          [OBSOLETE]   [AUX <oids>]   [MUST <oids>]  [MAY <oids>]
          [NOT <oids>] )
          Specify a DIT Content Rule using the LDAPv3 syntax
          defined  in RFC 2252.  The slapd parser extends the RFC
          2252 definition by allowing string  forms  as  well  as
          numeric  OIDs  to  be  used  for  the attribute OID and
          attribute  syntax  OID.   (See   the   objectidentifier
          description.)

     gentlehup { on | off }
          A SIGHUP signal will only cause a 'gentle' shutdown
          attempt: Slapd will stop listening for new connections,
          but will not close the connections to the current
          clients.  Future write operations return
          unwilling-to-perform, though.  Slapd terminates when all
          clients have closed their connections (if they ever do),
          or - as before - if it receives a SIGTERM signal.  This
          can be useful if you wish to terminate the server and
          start a new slapd server with another database, without
          disrupting the currently active clients.  The default is
          off.  You may wish to use idletimeout along with this
          option.

     idletimeout <integer>
          Specify the number of seconds to wait  before  forcibly
          closing an idle client connection.  An idletimeout of 0
          disables this feature.  The default is 0.

     include <filename>
          Read  additional  configuration  information  from  the
          given  file before continuing with the next line of the
          current file.

     limits <who> <limit> [<limit> [...]]
          Specify time and size limits based on who initiated  an
          operation.  The argument who can be any of

               anonymous | users | [dn[.<style>]=]<pattern>

          with

               <style> ::= exact | base | one | subtree | children |
                           regex | anonymous

          The term anonymous matches all unauthenticated clients;
          the term users matches all authenticated clients;
          otherwise a regex dn pattern is assumed unless otherwise
          specified by qualifying the (optional) key string dn with
          exact or base (which are synonyms), to require an exact
          match; with one, to require exactly one level of depth
          match; with subtree, to allow any level of depth match,
          including the exact match; with children, to allow any
          level of depth match, not including the exact match;
          regex explicitly requires
          the   (default)   match  based  on  regular  expression
          pattern, as detailed in regex(7).   Finally,  anonymous
          matches   unbound  operations;  the  pattern  field  is
          ignored.  The same behavior is obtained  by  using  the
          anonymous form of the who clause.

          The currently supported limits are size and time.

          The      syntax      for      time      limits       is
          time[.{soft|hard}]=<integer>,   where  integer  is  the
          number of seconds slapd will spend answering  a  search
          request.   If  no time limit is explicitly requested by
          the client, the soft limit is used;  if  the  requested
          time  limit  exceeds the hard limit, an "Administrative
          limit exceeded" is returned.  If the hard limit is  set
          to  0  or to the keyword "soft", the soft limit is used
          in either case; if it is set to -1 or  to  the  keyword
          "none",  no  hard limit is enforced.  Explicit requests
          for time limits smaller or equal to the hard limit  are
          honored.   If  no flag is set, the value is assigned to
          the soft limit, and the hard limit is set to  zero,  to
          preserve the original behavior.

          The      syntax      for      size      limits       is
          size[.{soft|hard|unchecked}]=<integer>,  where  integer
          is the maximum number  of  entries  slapd  will  return
          answering  a  search  request.   If  no  size  limit is
          explicitly requested by the client, the soft  limit  is
          used;  if  the  requested  size  limit exceeds the hard
          limit, an "Administrative limit exceeded" is  returned.
          If the hard limit is set to 0 or to the keyword "soft",
          the soft limit is used in either case; if it is set  to
          -1 or to the keyword "none", no hard limit is enforced.
          Explicit requests for size limits smaller or  equal  to
          the  hard limit are honored.  The unchecked flag sets a
          limit on the number of candidates a search  request  is
          allowed  to examine.  If the selected candidates exceed
          the  unchecked  limit,  the  search  will  abort   with
          "Unwilling  to  perform".  If it is set to -1 or to the
          keyword "none", no limit is applied (the default).   If
          no  flag  is  set,  the  value  is assigned to the soft
          limit, and the hard limit is set to zero,  to  preserve
          the original behavior.

          In case of no match, the global limits are used.  The
          default values are the same as sizelimit and timelimit;
          no limit is set on unchecked.

          If the pagedResults control is defined, additional size
          limits may be enforced; the syntax is
          size.pr={<integer>|noEstimate}, where integer is the max
          page size if no explicit limit is set; the keyword
          noEstimate prevents the server from returning an estimate
          of the total number of entries that will be returned.
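          The soft/hard/unchecked resolution described for limits
          (and shared by the second form of sizelimit and timelimit
          below), as an added example in Python rather than code
          from this page or from OpenLDAP.  The <who> matching is
          left out; the result strings are the example's own names
          for the errors the page quotes.

```python
"""Resolution of `limits` specs against a search request (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

NONE = -1   # the page's -1 / "none" / "unlimited": no limit at all


@dataclass
class Limit:
    soft: int               # applied when the client requests no limit
    hard: int = 0           # 0 (or "soft"): the soft limit caps requests too
    unchecked: int = NONE   # size only: maximum candidates a search may examine


def _value(token: str) -> int:
    """Map the keywords the page allows onto integers."""
    if token in ("none", "unlimited"):
        return NONE
    if token == "soft":
        return 0
    return int(token)


def parse_limits(args: List[str], size_default: int = 500,
                 time_default: int = 3600) -> Dict[str, Limit]:
    """Parse the <limit> arguments of one `limits` line (or of the second
    form of sizelimit/timelimit), e.g. ['size.soft=100', 'size.hard=500',
    'time=30'].  Unset limits fall back to the global sizelimit (500)
    and timelimit (3600); unchecked starts out unset."""
    limits = {"size": Limit(size_default), "time": Limit(time_default)}
    for arg in args:
        key, _, raw = arg.partition("=")
        kind, _, flag = key.partition(".")
        if kind not in limits or not raw:
            raise ValueError("bad limit spec: " + arg)
        lim = limits[kind]
        if flag == "":
            # no flag: the value goes to soft and hard is reset to zero
            lim.soft, lim.hard = _value(raw), 0
        elif flag in ("soft", "hard"):
            setattr(lim, flag, _value(raw))
        elif flag == "unchecked" and kind == "size":
            lim.unchecked = _value(raw)
        else:
            raise ValueError("bad limit flag: " + arg)
    return limits


def effective_limit(lim: Limit, requested: int) -> Tuple[str, int]:
    """Decide what slapd enforces for one search.  `requested` is the limit
    in the client's request; 0 means none requested (the LDAP convention).
    Returns ('success', limit), with limit == NONE when nothing caps the
    search, or ('adminLimitExceeded', 0) where slapd would refuse."""
    if requested == 0:
        return "success", lim.soft
    if lim.hard == 0:
        # hard 0 / "soft": the soft limit is used in either case, so a
        # larger request is reduced to it rather than refused
        if lim.soft == NONE or requested <= lim.soft:
            return "success", requested
        return "success", lim.soft
    if lim.hard == NONE or requested <= lim.hard:
        return "success", requested
    return "adminLimitExceeded", 0


def check_candidates(lim: Limit, candidates: int) -> str:
    """The unchecked flag bounds how many candidate entries a search may
    examine; exceeding it aborts the search with 'Unwilling to perform'."""
    if lim.unchecked != NONE and candidates > lim.unchecked:
        return "unwillingToPerform"
    return "success"
```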

     loglevel <integer>
          Specify the level at  which  debugging  statements  and
          operation  statistics  should  be  syslogged (currently
          logged to the  syslogd(8)  LOG_LOCAL4  facility).   Log
          levels are additive, and available levels are:
               1    trace function calls
               2    debug packet handling
               4    heavy trace debugging
               8    connection management
               16   print out packets sent and received
               32   search filter processing
               64   configuration file processing
               128  access control list processing
               256  stats log connections/operations/results
               512  stats log entries sent
               1024 print communication with shell backends
               2048 entry parsing

     moduleload <filename>
          Specify the name of a dynamically  loadable  module  to
          load.  The  filename  may be an absolute path name or a
          simple filename. Non-absolute names are searched for in
          the  directories  specified  by  the modulepath option.
          This option and the modulepath option are  only  usable
          if slapd was compiled with --enable-modules.

     modulepath <pathspec>
          Specify a list of directories to  search  for  loadable
          modules. Typically the path is colon-separated but this
          depends on the operating system.

     objectclass   ( <oid>   [NAME <name>]    [DESC <description>]
          [OBSOLETE]  [SUP <oids>]  [{  ABSTRACT  |  STRUCTURAL |
          AUXILIARY }] [MUST <oids>] [MAY <oids>] )
          Specify an objectclass using the LDAPv3 syntax  defined
          in  RFC  2252.   The  slapd parser extends the RFC 2252
          definition by allowing string forms as well as  numeric
          OIDs  to  be  used  for the object class OID.  (See the
          objectidentifier  description.)   Object  classes   are
          "STRUCTURAL" by default.

     objectidentifier <name> { <oid> | <name>[:<suffix>] }
          Define a string name that equates to the given OID. The
          string  can  be  used  in  place  of the numeric OID in
          objectclass and attribute  definitions.  The  name  can
          also  be  used with a suffix of the form ":xx" in which
          case the value "oid.xx" will be used.

     password-hash <hash>
          This option sets the hash to be used in  generation  of
          user   passwords,   stored   in   userPassword,  during
          processing of LDAP Password Modify Extended  Operations
          (RFC  3062).   The <hash> must be one of {SSHA}, {SHA},
          {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}.   The  default
          is {SSHA}.

          {SHA} and {SSHA} use the SHA-1 algorithm (FIPS  160-1),
          the latter with a seed.

          {MD5} and {SMD5} use the MD5 algorithm (RFC 1321),  the
          latter with a seed.

          {CRYPT} uses crypt(3).

          {CLEARTEXT} indicates that the new password  should  be
          added to userPassword as clear text.

          Note that this option does not alter normal user
          applications' handling of userPassword during LDAP Add,
          Modify, or other LDAP operations.

     password-crypt-salt-format <format>
          Specify the format of the salt passed to crypt(3)  when
          generating {CRYPT} passwords (see password-hash) during
          processing of LDAP Password Modify Extended  Operations
          (RFC 3062).

          This string needs to be in sprintf(3) format and may
          include one (and only one) %s conversion.  This
          conversion will be substituted with a string of random
          characters from [A-Za-z0-9./].  For example, "%.2s"
          provides a two character salt and "$1$%.8s" tells some
          versions of crypt(3) to use an MD5 algorithm and provides
          8 random characters of salt.  The default is "%s", which
          provides 31 characters of salt.

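          An added example (not OpenLDAP's own code) of the stored
          forms behind password-hash and of password-crypt-salt-format.
          It assumes the {SCHEME}base64(digest + salt) layout OpenLDAP
          uses for userPassword values, verifies in constant time, and
          reuses Python's printf-style formatting for the salt format
          string; {CRYPT} itself is left to crypt(3) and not handled.

```python
"""userPassword hashing for the password-hash schemes and the crypt salt
format (added example, not OpenLDAP's own code)."""
import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional

SALT_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./"

# scheme -> (hashlib name, salted?).  Stored form: {SCHEME}base64(digest + salt)
# for the salted schemes, {SCHEME}base64(digest) otherwise.
SCHEMES = {"SSHA": ("sha1", True), "SHA": ("sha1", False),
           "SMD5": ("md5", True), "MD5": ("md5", False)}


def hash_password(password: str, scheme: str = "SSHA",
                  salt: Optional[bytes] = None) -> str:
    """Produce the userPassword value stored for a Password Modify request
    under the given password-hash setting."""
    scheme = scheme.upper()
    if scheme == "CLEARTEXT":
        return password
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme: " + scheme)
    algo, salted = SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = secrets.token_bytes(4)   # the "seed": random, stored with the digest
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_password(candidate: str, stored: str) -> bool:
    """Check a candidate against a stored value: recover scheme and salt from
    the value itself, recompute, and compare in constant time."""
    if not stored.startswith("{"):
        return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))
    scheme, _, b64 = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(candidate.encode("utf-8"), b64.encode("utf-8"))
    if scheme not in SCHEMES:
        return False                    # {CRYPT} and unknown schemes: not handled here
    algo, salted = SCHEMES[scheme]
    raw = base64.b64decode(b64)
    size = hashlib.new(algo).digest_size
    digest, salt = raw[:size], (raw[size:] if salted else b"")
    expected = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def crypt_salt(fmt: str = "%s", rng=secrets) -> str:
    """Emulate password-crypt-salt-format: `fmt` is a printf format holding
    exactly one %s conversion, which is fed 31 random characters from
    [A-Za-z0-9./]; "%.2s" keeps two of them, "$1$%.8s" keeps eight."""
    if len(re.findall(r"(?<!%)%(?:\.\d+)?s", fmt)) != 1:
        raise ValueError("format must contain exactly one %s conversion")
    chars = "".join(rng.choice(SALT_CHARS) for _ in range(31))
    return fmt % chars
```
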
     pidfile <filename>
          The ( absolute ) name of a  file  that  will  hold  the
          slapd  server's process ID ( see getpid(2) ) if started
          without the debugging command line option.

     referral <url>
          Specify the referral to pass back when slapd(8)  cannot
          find   a  local  database  to  handle  a  request.   If
          specified multiple times, each url is provided.

     replica-argsfile
          The ( absolute ) name of a  file  that  will  hold  the
          slurpd server's command line options if started without
          the debugging command line option.

     replica-pidfile
          The ( absolute ) name of a  file  that  will  hold  the
          slurpd server's process ID ( see getpid(2) ) if started
          without the debugging command line option.

     require <conditions>
          Specify a set of conditions (separated by white  space)
          to  require  (default  none).   The  directive  may  be
          specified globally and/or per-database.  bind  requires
          bind operation prior to directory operations.  LDAPv3
          requires the session to be using LDAP version 3.  authc
          requires authentication prior to directory operations.
          SASL requires SASL authentication prior to directory
          operations.  strong requires strong authentication prior
          to directory operations.  The strong keyword allows
          protected "simple" authentication as well as SASL
          authentication.  none may be used to require no
          conditions (useful for clearing globally set conditions
          within a particular database).

     reverse-lookup on | off
          Enable/disable client name  unverified  reverse  lookup
          (default is off if compiled with --enable-rlookups).

     rootDSE <file>
          Specify the name of an  LDIF(5)  file  containing  user
          defined  attributes for the root DSE.  These attributes
          are returned in addition  to  the  attributes  normally
          produced by slapd.

     sasl-authz-policy <policy>
          Used to specify which  rules  to  use  for  SASL  Proxy
          Authorization.  Proxy  authorization allows a client to
          authenticate   to   the   server   using   one   user's
          credentials,  but  specify  a different identity to use
          for  authorization  and  access  control  purposes.  It
          essentially allows user A to log in as user B, using user
          A's password.  The none flag disables proxy
          authorization.  This is the default setting.  The from
          flag will use rules in the saslAuthzFrom attribute of the
          authorization DN.  The to flag will use rules in the
          saslAuthzTo attribute of the authentication DN.  The any
          flag, an alias for the deprecated value of both, will
          allow any of the above, whatever succeeds first (checked
          in to, from sequence).  The all flag requires both
          authorizations to succeed.  The rules are simply regular
          expressions specifying which DNs are allowed to perform
          proxy authorization.  The saslAuthzFrom attribute in an
          entry specifies which other users are allowed to proxy
          login to this entry.  The saslAuthzTo attribute in an
          entry specifies which other users this user can authorize
          as.  Use of
          saslAuthzTo  rules  can  be  easily abused if users are
          allowed to write arbitrary values  to  this  attribute.
          In  general the saslAuthzTo attribute must be protected
          with ACLs such that only privileged  users  can  modify
          it.

     sasl-host <fqdn>
          Used to specify the fully qualified  domain  name  used
          for SASL processing.

     sasl-realm <realm>
          Specify SASL realm.  Default is empty.

     sasl-regexp <match> <replace>
          Used  by  the  SASL  mechanism  to   convert   a   SASL
          authenticated   username   to   an  LDAP  DN  used  for
          authorization purposes.  Note  that  the  resultant  DN
          need  not  refer  to an existing entry to be considered
          valid.  When an authorization request is received,  the
          SASL  USERNAME,  REALM,  and  MECHANISM are taken, when
          available, and combined into a SASL name of the form

               UID=<username>[[,CN=<realm>],CN=<mechanism>,]CN=auth

          This SASL name is then compared against the match
          regular expression, and if the match is successful, the
          SASL name is replaced with the replace string.  If there
          are wildcard strings in the match regular expression
          that are enclosed in parentheses, e.g.

               UID=([^,]*),CN=.*

          then the portion of the SASL name that matched the
          wildcard will be stored in the numbered placeholder
          variable $1.  If there are other wildcard strings in
          parentheses, the matching strings will be in $2, $3,
          etc. up to $9.  The placeholders can then be used in the
          replace string, e.g.

               UID=$1,OU=Accounts,DC=example,DC=com

          The replaced SASL name can be either a DN  or  an  LDAP
          URI.  If  the  latter,  the  server will use the URI to
          search its own database(s) and, if the  search  returns
          exactly  one entry, the SASL name is replaced by the DN
          of that entry.   The LDAP URI must  have  no  hostport,
          attrs, or extensions components, e.g.

               ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)

          Multiple  sasl-regexp  options  can  be  given  in  the
          configuration file to allow for multiple  matching  and
          replacement patterns. The matching patterns are checked
          in the order they appear in the file, stopping  at  the
          first successful match.
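          The mapping walk described for sasl-regexp, as an added
          example in Python (not OpenLDAP's code): it builds the SASL
          name, applies the rules in file order with $1..$9
          substitution, validates a resulting LDAP URI against the
          constraints above, and searches a constructed in-memory
          directory, accepting only an exactly-one-entry result.
          Case-insensitive matching and the naive DN and filter
          handling are assumptions of the example.

```python
"""sasl-regexp mapping from SASL name to authorization DN (added example)."""
import re
from typing import Dict, List, Optional, Sequence, Tuple

Rules = Sequence[Tuple[str, str]]         # (match, replace) in file order
Directory = Dict[str, Dict[str, str]]     # DN -> {attribute: value}

# Constructed rules and directory, using the page's example patterns.
RULES: Rules = [
    ("UID=([^,]*),CN=.*", "ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)"),
]
DIRECTORY: Directory = {
    "uid=bob,ou=Accounts,dc=example,dc=com": {"uid": "bob"},
    "uid=alice,ou=Accounts,dc=example,dc=com": {"uid": "alice"},
    "uid=bob,ou=Archive,ou=Accounts,dc=example,dc=com": {"uid": "bob"},
}


def sasl_name(username: str, mechanism: Optional[str] = None,
              realm: Optional[str] = None) -> str:
    """Build UID=<username>[[,CN=<realm>],CN=<mechanism>,]CN=auth."""
    parts = ["UID=" + username]
    if mechanism:
        if realm:
            parts.append("CN=" + realm)
        parts.append("CN=" + mechanism)
    parts.append("CN=auth")
    return ",".join(parts)


def map_sasl_name(name: str, rules: Rules) -> Optional[str]:
    """Try the rules in file order and stop at the first match; $1..$9 in
    the replace string are filled from the parenthesised groups.  Matching
    is unanchored, as with regex(7), and case-insensitive (an assumption)."""
    for pattern, replace in rules:
        m = re.search(pattern, name, re.IGNORECASE)
        if m is None:
            continue
        groups = m.groups()

        def fill(ph: "re.Match[str]") -> str:
            i = int(ph.group(1))
            return (groups[i - 1] or "") if i <= len(groups) else ""
        return re.sub(r"\$([1-9])", fill, replace)
    return None


def parse_ldap_uri(uri: str) -> Tuple[str, str, str]:
    """Split ldap:///<base>?<attrs>?<scope>?<filter>?<exts> and enforce the
    page's rule that hostport, attrs and extensions must be absent.
    Returns (base, scope, filter)."""
    m = re.fullmatch(r"ldap://([^/]*)/(.*)", uri, re.IGNORECASE)
    if m is None:
        raise ValueError("not an LDAP URI: " + uri)
    if m.group(1):
        raise ValueError("hostport is not allowed in a sasl-regexp URI")
    base, attrs, scope, filt, exts = (m.group(2).split("?") + [""] * 5)[:5]
    if attrs or exts:
        raise ValueError("attrs and extensions are not allowed in a sasl-regexp URI")
    return base, (scope or "base").lower(), filt or "(objectClass=*)"


def _rdns(dn: str) -> List[str]:
    return [p.strip().lower() for p in dn.split(",")]   # naive: no escaped commas


def _in_scope(dn: str, base: str, scope: str) -> bool:
    d, b = _rdns(dn), _rdns(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": depth >= 0}[scope]


def _filter_matches(entry: Dict[str, str], filt: str) -> bool:
    """Only the simple (attr=value) equality/presence filter is supported."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    if m is None:
        raise ValueError("unsupported filter: " + filt)
    attr, value = m.group(1).lower(), m.group(2).lower()
    return any(k.lower() == attr and (value == "*" or v.lower() == value)
               for k, v in entry.items())


def authz_dn(name: str, rules: Rules, directory: Directory) -> Optional[str]:
    """Full flow: a DN result is used as-is; an LDAP URI is searched and
    accepted only when exactly one entry matches, otherwise None."""
    replaced = map_sasl_name(name, rules)
    if replaced is None or not replaced.lower().startswith("ldap:"):
        return replaced
    base, scope, filt = parse_ldap_uri(replaced)
    hits = [dn for dn, entry in directory.items()
            if _in_scope(dn, base, scope) and _filter_matches(entry, filt)]
    return hits[0] if len(hits) == 1 else None
```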

     sasl-secprops <properties>
          Used to specify Cyrus SASL security properties.  The
          none flag (without any other properties) causes the
          flag properties default, "noanonymous,noplain", to be
          cleared.  The noplain flag disables mechanisms
          susceptible to simple passive attacks.  The noactive
          flag disables mechanisms susceptible to active attacks.
          The nodict flag disables mechanisms susceptible to
          passive dictionary attacks.  The noanonymous flag
          disables mechanisms which support anonymous login.  The
          forwardsec flag requires forward secrecy between
          sessions.  The passcred flag requires mechanisms which
          pass client credentials (and allows mechanisms which can
          pass credentials to do so).  The minssf=<factor> property
          specifies the minimum acceptable security strength
          factor as an integer approximating the effective key
          length used for encryption.  0 (zero) implies no
          protection, 1 implies integrity protection only, 56
          allows DES or other weak ciphers, 112 allows triple DES
          and other strong ciphers, 128 allows RC4, Blowfish and
          other modern strong ciphers.  The default is 0.  The
          maxssf=<factor> property specifies the maximum
          acceptable security strength factor as an integer (see
          minssf description).  The default is INT_MAX.  The
          maxbufsize=<size> property specifies the maximum
          security layer receive buffer size allowed.  0 disables
          security layers.  The default is 65536.

     schemadn <dn>
          Specify  the  distinguished  name  for  the   subschema
          subentry that controls the entries on this server.  The
          default is "cn=Subschema".

     security <factors>
          Specify a set of factors (separated by white space) to
          require.  An integer value is associated with each
          factor and is roughly equivalent to the encryption key
          length to require.  A value of 112 is equivalent to
          3DES, 128 to Blowfish, etc.  The directive may be
          specified globally and/or per-database.  ssf=<n>
          specifies the overall security strength factor.
          transport=<n> specifies the transport security strength
          factor.  tls=<n> specifies the TLS security strength
          factor.  sasl=<n> specifies the SASL security strength
          factor.  update_ssf=<n> specifies the overall security
          strength factor to require for directory updates.
          update_transport=<n> specifies the transport security
          strength factor to require for directory updates.
          update_tls=<n> specifies the TLS security strength
          factor to require for directory updates.
          update_sasl=<n> specifies the SASL security strength
          factor to require for directory updates.
          simple_bind=<n> specifies the security strength factor
          required for simple username/password authentication.
          Note that the transport factor is a measure of security
          provided by the underlying transport, e.g. ldapi://
          (and eventually IPSEC).  It is not normally used.

     sizelimit {<integer>|unlimited}

     sizelimit size[.{soft|hard|unchecked}]=<integer> [...]
          Specify the maximum number of entries to return from  a
          search  operation.  The default size limit is 500.  Use
          -1 or unlimited to specify no limits.  The second format
          allows a fine-grained setting of the size limits.  Extra
          args can be added on the same line.  See limits for an
          explanation of the different flags.

     sockbuf_max_incoming <integer>
          Specify  the  maximum  incoming  LDAP  PDU   size   for
          anonymous sessions.  The default is 262143.

     sockbuf_max_incoming_auth <integer>
          Specify  the  maximum  incoming  LDAP  PDU   size   for
          authenticated sessions.  The default is 4194303.

     srvtab <filename>
          Specify the srvtab file in which the Kerberos keys
          necessary for authenticating clients using Kerberos can
          be found.  This option is only meaningful if you are
          using Kerberos authentication.

     threads <integer>
          Specify the maximum size of the  primary  thread  pool.
          The default is 16.

     timelimit {<integer>|unlimited}

     timelimit time[.{soft|hard}]=<integer> [...]
          Specify the maximum number of seconds  (in  real  time)
          slapd  will  spend  answering  a  search  request.  The
          default time limit is 3600.  Use  -1  or  unlimited  to
          specify no limits.  The second format allows a
          fine-grained setting of the time limits.  Extra args can
          be added on the same line.  See limits for an explanation
          of the different flags.

     ucdata-path <path>
          Specify the path to the directory containing the Unicode
          character tables.  The default path is DATADIR/ucdata.


TLS OPTIONS

     If slapd is built with support for Transport Layer Security,
     there are more options you can specify.

     TLSCipherSuite <cipher-suite-spec>
          Permits configuring what ciphers will be  accepted  and
          the  preference order.  <cipher-suite-spec> should be a
          cipher specification for OpenSSL.  Example:

          TLSCipherSuite HIGH:MEDIUM:+SSLv2

          To check what ciphers a given spec selects, use:

          openssl ciphers -v <cipher-suite-spec>

     TLSCACertificateFile <filename>
          Specifies the file that contains certificates  for  all
          of   the   Certificate   Authorities  that  slapd  will
          recognize.

     TLSCACertificatePath <path>
          Specifies  the  path  of  a  directory  that   contains
          Certificate    Authority   certificates   in   separate
          individual files. Usually  only  one  of  this  or  the
          TLSCACertificateFile is used.

     TLSCertificateFile <filename>
          Specifies the  file  that  contains  the  slapd  server
          certificate.

     TLSCertificateKeyFile <filename>
          Specifies the  file  that  contains  the  slapd  server
          private  key that matches the certificate stored in the
          TLSCertificateFile file.  Currently,  the  private  key
          must  not  be  protected  with  a password, so it is of
          critical importance that it is protected carefully.

     TLSRandFile <filename>
          Specifies the file to  obtain  random  bits  from  when
          /dev/[u]random  is not available.  Generally set to the
          name of the EGD/PRNGD socket.  The environment variable
          RANDFILE can also be used to specify the filename.

     TLSVerifyClient <level>
          Specifies what checks to perform on client certificates
          in an incoming TLS session, if any.  The <level> can be
          specified as one of the following keywords:

          never
               This is the  default.   slapd  will  not  ask  the
               client for a certificate.

          allow
               The  client  certificate  is  requested.   If   no
               certificate  is  provided,  the  session  proceeds
               normally.  If a bad certificate  is  provided,  it
               will be ignored and the session proceeds normally.

          try  The  client  certificate  is  requested.   If   no
               certificate  is  provided,  the  session  proceeds
               normally.  If a bad certificate is  provided,  the
               session is immediately terminated.

          demand | hard | true
               These   keywords   are   all    equivalent,    for
               compatibility  reasons.  The client certificate is
               requested.  If no certificate is  provided,  or  a
               bad   certificate  is  provided,  the  session  is
               immediately terminated.

               Note that a valid client certificate  is  required
               in  order  to use the SASL EXTERNAL authentication
               mechanism with a TLS session.   As  such,  a  non-
               default  TLSVerifyClient setting must be chosen to
               enable SASL EXTERNAL authentication.


GENERAL BACKEND OPTIONS

     Options in this section only apply to the configuration file
     section  for  the  specified backend.  They are supported by
     every type of backend.

     backend <databasetype>
          Mark   the   beginning   of   a   backend   definition.
          <databasetype>  should  be  one  of  bdb, dnssrv, ldap,
          ldbm, meta, monitor, null, passwd, perl, shell, sql, or
          tcl,   depending   on  which  backend  will  serve  the
          database.


GENERAL DATABASE OPTIONS

     Options in this section only apply to the configuration file
     section  for  the  database in which they are defined.  They
     are supported by every  type  of  backend.   Note  that  the
     database  and  at  least one suffix option are mandatory for
     each database.

     database <databasetype>
          Mark  the  beginning  of  a   new   database   instance
          definition.   <databasetype>  should  be  one  of  bdb,
          dnssrv, ldap, ldbm, meta, monitor, null, passwd,  perl,
          shell,  sql,  or  tcl,  depending on which backend will
          serve the database.

     lastmod on | off
          Controls whether slapd will automatically maintain  the
          modifiersName,   modifyTimestamp,   creatorsName,   and
          createTimestamp attributes for  entries.   By  default,
          lastmod is on.

     maxderefdepth <depth>
          Specifies the maximum number of aliases to  dereference
          when trying to resolve an entry, used to avoid infinite
          alias loops. The default is 1.

     readonly on | off
          This option puts the database  into  "read-only"  mode.
          Any  attempts  to  modify  the  database will return an
          "unwilling to perform" error.  By default, readonly  is
          off.

     replica
          uri=ldap[s]://<hostname>[:port]|host=<hostname>[:port]
          [starttls=yes|critical] [suffix=<suffix> [...]]
          bindmethod=simple|sasl [binddn=<simple DN>]
          [credentials=<simple password>] [saslmech=<SASL mech>]
          [secprops=<properties>] [realm=<realm>]
          [authcId=<authentication ID>] [authzId=<authorization ID>]
          [attr[!]=<attr list>]
          Specify a replication site for this database.  Refer to
          the   "OpenLDAP  Administrator's  Guide"  for  detailed
          information on setting up a replicated slapd  directory
          service.  Zero  or more suffix instances can be used to
          select the subtrees that will be  replicated  (defaults
          to  all  the  database). host is deprecated in favor of
          the uri option.  uri allows the replica LDAP server  to
          be  specified  as  an  LDAP URI. A bindmethod of simple
          requires the options binddn and credentials and  should
          only be used when adequate security services (e.g. TLS
          or IPSEC) are in place. A bindmethod of  sasl  requires
          the  option  saslmech. Specific security properties (as
          with the sasl-secprops keyword above) for a  SASL  bind
          can be set with the secprops option. A non-default SASL
          realm can  be  set  with  the  realm  option.   If  the
          mechanism will use Kerberos, a kerberos instance should
          be given in authcId. An attr list can  be  given  after
          the  attr keyword to allow the selective replication of
          the listed attributes only; if the optional !  mark  is
          used, the list is considered exclusive, i.e. the listed
          attributes are not replicated.  If  an  objectClass  is
          listed,  all  the  related  attributes  are  (are  not)
          replicated.

     replogfile <filename>
          Specify the name of the replication  log  file  to  log
          changes to. The replication log is typically written by
          slapd(8) and read by  slurpd(8).   See  slapd.replog(5)
          for  more  information.   The  specified file should be
          located in a directory with limited  read/write/execute
          access  as  the  replication logs may contain sensitive
          information.

     rootdn <dn>
          Specify the distinguished name that is not  subject  to
          access control or administrative limit restrictions for
          operations on this database.  This DN may or may not be
          associated  with  an  entry.   An  empty  root  DN (the
          default) specifies no root access is to be granted.  It
          is  recommended  that the rootdn only be specified when
          needed (such as when initially populating a  database).
          If the rootdn is within a namingContext (suffix) of the
          database, a simple bind password may also  be  provided
          using the rootpw directive.

     rootpw <password>
          Specify a password (or hash of the  password)  for  the
          rootdn.   The password can only be set if the rootdn is
          within the  namingContext  (suffix)  of  the  database.
          This  option  accepts all RFC 2307 userPassword formats
          known to the server (see password-hash description)  as
          well  as  cleartext.   slappasswd(8)  may  be  used  to
          generate a hash of a password.  Cleartext  and  {CRYPT}
          passwords are not recommended.  If empty (the default),
          authentication of the root DN is by other  means  (e.g.
          SASL).  Use of SASL is encouraged.
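
     The rootpw directive above accepts hashed values in RFC 2307
     userPassword form.  The following is an added example, not
     OpenLDAP's or slappasswd(8)'s own code: it produces and checks
     the {SSHA} scheme in Python.  The layout assumed here, "{SSHA}"
     followed by base64(SHA-1(password || salt) || salt) with a
     4-byte salt as slappasswd emits, comes from general OpenLDAP
     knowledge and is not stated on this page.  A helper also flags
     the two rootpw forms this manual advises against.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example, not OpenLDAP code.  Assumption: the {SSHA} scheme that
# slappasswd(8) emits by default is base64(SHA-1(password || salt) || salt),
# prefixed with the literal "{SSHA}".  slappasswd uses a 4-byte salt, but the
# salt is recovered from the stored value, so any salt length verifies.

SALT_LEN = 4
DIGEST_LEN = hashlib.sha1().digest_size   # 20 bytes


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} userPassword value suitable for the rootpw directive."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value; the salt comes from the value."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= DIGEST_LEN:    # need the digest plus at least one salt byte
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time compare


def rootpw_is_discouraged(value: str) -> bool:
    """True for the rootpw forms the manual advises against: cleartext or {CRYPT}."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper() == "CRYPT"
    return True   # no {scheme} prefix: the server treats the value as cleartext


if __name__ == "__main__":
    value = ssha_hash("example-only")          # constructed sample password
    print("rootpw", value)
    print("verifies:", ssha_verify("example-only", value))
```

     The generated value can be pasted after rootpw as-is; the
     verifier reads the salt back from the stored value, so it also
     checks values produced by slappasswd(8).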

     suffix <dn suffix>
          Specify the DN suffix of queries that will be passed to
          this  backend  database.   Multiple suffix lines can be
          given and at least one is required  for  each  database
          definition.   If the suffix of one database is "inside"
          that of another, the database  with  the  inner  suffix
          must come first in the configuration file.

     subordinate
          Specify  that  the  current  backend  database   is   a
          subordinate  of another backend database. A subordinate
          database may have only one suffix. This option  may  be
          used   to   glue   multiple  databases  into  a  single
          namingContext.  If the suffix of the  current  database
          is  within  the  namingContext  of a superior database,
          searches  against  the  superior   database   will   be
          propagated  to  the  subordinate  as  well.  All of the
          databases associated with a single namingContext should
          have   identical   rootdns.   Behavior  of  other  LDAP
          operations  is   unaffected   by   this   setting.   In
          particular,  it is not possible to use moddn to move an
          entry  from  one  subordinate  to  another  subordinate
          within the namingContext.

     syncrepl rid=<replica ID> provider=ldap[s]://<hostname>[:port]
          [type=refreshOnly|refreshAndPersist] [interval=dd:hh:mm:ss]
          [searchbase=<base DN>] [filter=<filter str>]
          [scope=sub|one|base] [attrs=<attr list>] [attrsonly]
          [sizelimit=<limit>] [timelimit=<limit>]
          [schemachecking=on|off] [updatedn=<dn>]
          [bindmethod=simple|sasl] [binddn=<dn>] [saslmech=<mech>]
          [authcid=<identity>] [authzid=<identity>]
          [credentials=<passwd>] [realm=<realm>] [secprops=<properties>]
          Specify the current database as a replica which is kept
          up-to-date  with the master content by establishing the
          current slapd(8) as a replication consumer site running
          a  syncrepl replication engine.  The replica content is
          kept synchronized to the master content using the  LDAP
          Content   Synchronization   protocol.   Refer   to  the
          "OpenLDAP   Administrator's   Guide"    for    detailed
          information  on setting up a replicated slapd directory
          service using the  syncrepl  replication  engine.   rid
          identifies  the  current  syncrepl directive within the
          replication  consumer  site.   It  is  a   non-negative
          integer  having  no  more  than three digits.  provider
          specifies the replication provider site containing  the
          master  content as an LDAP URI. If <port> is not given,
          the standard LDAP port number (389 or 636) is used. The
          content  of  the  syncrepl  replica  is defined using a
          search specification as its result  set.  The  consumer
          slapd  will  send search requests to the provider slapd
          according  to  the  search  specification.  The  search
          specification   includes   searchbase,  scope,  filter,
          attrs, attrsonly, sizelimit, and  timelimit  parameters
          as  in  the  normal  search  specification.  The search
          specification  for  the  LDAP  Content  Synchronization
          operation  has  the  same  value  syntax  and  the same
          default values as in the  ldapsearch(1)  client  search
          tool.   The  LDAP  Content Synchronization protocol has
          two operation types.  In the refreshOnly operation, the
          next  synchronization  search operation is periodically
          rescheduled at an interval time (specified by  interval
          parameter; 1 day by default) after each synchronization
          operation   finishes.    In    the    refreshAndPersist
          operation,  a synchronization search remains persistent
          in the provider slapd.  Further updates to  the  master
          replica will generate searchResultEntry to the consumer
          slapd  as  the  search  responses  to  the   persistent
          synchronization  search.  The  schema  checking  can be
          enforced at the LDAP Sync consumer site by  turning  on
          the  schemachecking parameter. The default is off.  The
          updatedn parameter specifies the  DN  in  the  consumer
          site  which  is allowed to make changes to the replica.
          The DN should have read/write  access  to  the  replica
          database.  Generally, this DN should not be the same as
          the  rootdn.   A  bindmethod  of  simple  requires  the
          options  binddn and credentials and should only be used
          when adequate security services (e.g. TLS or IPSEC) are
          in  place.   A  bindmethod  of sasl requires the option
          saslmech. Depending on the mechanism, an authentication
          identity  and/or  credentials  can  be  specified using
          authcid and credentials. The authzid parameter  may  be
          used  to  specify  an authorization identity.  Specific
          security properties (as with the sasl-secprops  keyword
          above)  for  a  SASL  bind can be set with the secprops
          option. A non-default SASL realm can be  set  with  the
          realm option.

     updatedn <dn>
          This option is only applicable in  a  slave  slapd.  It
          specifies the DN permitted to update (subject to access
          controls)  the  replica  (typically,  this  is  the  DN
          slurpd(8)  binds  to  update  the replica).  Generally,
          this DN should not be the same as the rootdn.
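
     Several of the notes above are easy to lose in a long
     configuration: the TLSVerifyClient keyword set, the
     TLSCertificateKeyFile that cannot be password protected and so
     depends on file permissions, rootpw in cleartext or {CRYPT},
     rootpw without a rootdn, the syncrepl rid and provider forms, the
     bindmethod requirements shared by replica and syncrepl, the
     deprecated replica host= option, and updatedn being the same DN
     as rootdn.  The following is an added example, not OpenLDAP code:
     a small Python linter that parses slapd.conf by the file rules
     this manual gives (leading white space continues the previous
     line, `#' lines are comments, arguments are white-space
     separated and may be double-quoted) and reports those points.
     SAMPLE_CONF, its paths and its DNs are constructed for the
     example; the mode_of parameter is a hypothetical hook so the
     key-file check can run without a real file.

```python
import os
from typing import Callable, Dict, List, Optional

# Added example, not OpenLDAP code.  SAMPLE_CONF is constructed: it deliberately
# contains one instance of each problem the checks below report.
VERIFY_LEVELS = {"never", "allow", "try", "demand", "hard", "true"}
SAMPLE_CONF = """\
TLSCertificateFile    /etc/openldap/server.crt
TLSCertificateKeyFile /etc/openldap/server.key
TLSVerifyClient       sometimes

database bdb
suffix   "dc=example,dc=com"
rootdn   "cn=Manager,dc=example,dc=com"
rootpw   secret
updatedn "cn=Manager,dc=example,dc=com"
syncrepl rid=1234 provider=ldap://master.example.com
         bindmethod=simple binddn="cn=repl,dc=example,dc=com"
"""


def split_args(line: str) -> List[str]:
    """Split a logical line: quotes group white space, backslash escapes the
    next character, and "" yields an empty argument (as in `suffix ""')."""
    args: List[str] = []
    cur, in_arg, quoted, i = "", False, False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur, in_arg, i = cur + line[i + 1], True, i + 2
            continue
        if c == '"':
            quoted, in_arg = not quoted, True
        elif c.isspace() and not quoted:
            if in_arg:
                args.append(cur)
            cur, in_arg = "", False
        else:
            cur, in_arg = cur + c, True
        i += 1
    if in_arg:
        args.append(cur)
    return args


def parse(text: str) -> List[List[str]]:
    """Unwrap continuation lines first, then drop blank and comment lines."""
    logical: List[str] = []
    for line in text.splitlines():
        if line[:1].isspace() and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line)
    return [split_args(l) for l in logical
            if l.strip() and not l.lstrip().startswith("#")]


def file_mode(path: str) -> Optional[int]:
    """Mode bits of a file, or None if it cannot be stat'ed."""
    try:
        return os.stat(path).st_mode
    except OSError:
        return None


def check_replication(kw: str, rest: List[str]) -> List[str]:
    """Checks shared by the replica and syncrepl directives (key=value options)."""
    opts = {k.lower(): v for k, _, v in (t.partition("=") for t in rest)}
    out: List[str] = []
    if kw == "syncrepl":
        rid = opts.get("rid", "")
        if not (rid.isdigit() and len(rid) <= 3):
            out.append(f"syncrepl: rid must be a non-negative integer of at most three digits, got {rid!r}")
        if not opts.get("provider", "").startswith(("ldap://", "ldaps://")):
            out.append("syncrepl: provider must be an LDAP URI")
    if kw == "replica" and "host" in opts:
        out.append("replica: host= is deprecated in favor of uri=")
    method = opts.get("bindmethod")
    if method == "simple" and not ("binddn" in opts and "credentials" in opts):
        out.append(f"{kw}: bindmethod=simple requires binddn and credentials (and TLS or IPsec on the link)")
    elif method == "sasl" and "saslmech" not in opts:
        out.append(f"{kw}: bindmethod=sasl requires saslmech")
    return out


def lint(text: str, mode_of: Callable[[str], Optional[int]] = file_mode) -> List[str]:
    """Return findings for a slapd.conf text.  mode_of supplies file modes (hypothetical
    hook, defaults to os.stat) so the key-file check is testable without real files."""
    findings: List[str] = []
    db: Dict[str, str] = {}           # directives of the database being read

    def finish_db() -> None:
        if "rootpw" in db and "rootdn" not in db:
            findings.append(f"database {db.get('database', '?')}: rootpw set without a rootdn")

    for args in parse(text):
        kw, rest = args[0].lower(), args[1:]
        if kw == "database":
            finish_db()
            db.clear()
            db["database"] = rest[0] if rest else "?"
        elif kw == "tlsverifyclient":
            if not rest or rest[0].lower() not in VERIFY_LEVELS:
                findings.append(f"TLSVerifyClient: unknown level {rest[:1]}")
        elif kw == "tlscertificatekeyfile" and rest:
            mode = mode_of(rest[0])
            if mode is not None and mode & 0o077:   # group/other bits set
                findings.append(f"TLSCertificateKeyFile {rest[0]}: mode {mode & 0o777:o} is readable by group/other; the key cannot be password protected, so permissions are its only protection")
        elif kw == "rootpw" and rest:
            db["rootpw"] = rest[0]
            if not rest[0].startswith("{"):
                findings.append("rootpw: cleartext password (hash it with slappasswd)")
            elif rest[0].upper().startswith("{CRYPT}"):
                findings.append("rootpw: {CRYPT} is not recommended")
        elif kw in ("rootdn", "updatedn") and rest:
            db[kw] = rest[0]
            if "rootdn" in db and "updatedn" in db and db["rootdn"].lower() == db["updatedn"].lower():
                findings.append("updatedn should not be the same DN as rootdn")
        elif kw in ("syncrepl", "replica"):
            findings.extend(check_replication(kw, rest))
    finish_db()
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

     Run against a real file with lint(open(path).read()); the default
     mode_of then consults os.stat, so a key file that is readable by
     group or other is reported alongside the configuration findings.
     The DN comparison is a plain case-insensitive string match, not
     full DN normalization.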

     updateref <url>
          Specify the referral to  pass  back  when  slapd(8)  is
          asked  to  modify  a  replicated  local  database.   If
          specified multiple times, each url is provided.


DATABASE-SPECIFIC OPTIONS

     Each database may allow specific configuration options; they
     are documented separately in the backends' manual pages.


BACKENDS

     The following backends can be compiled into slapd.  They are
     documented in the slapd-<backend>(5) manual pages.

     bdb  This is the recommended  backend  for  a  normal  slapd
          database.   However,  it  takes more care than with the
          LDBM backend to configure it  properly.   It  uses  the
          Sleepycat Berkeley DB (BDB) package to store data.

     ldbm This is  the  database  backend  which  is  easiest  to
          configure.    However,  it  does  not  offer  the  data
          durability  features  of  the  BDB  backend.   It  uses
          Berkeley DB or GDBM to store data.

     dnssrv
          This backend is experimental.  It serves  up  referrals
          based upon SRV resource records held in the Domain Name
          System.

     ldap This backend  acts  as  a  proxy  to  forward  incoming
          requests to another LDAP server.

     meta This backend performs basic LDAP proxying with  respect
          to  a  set of remote LDAP servers. It is an enhancement
          of the ldap backend. The proxy cache extension of  meta
          backend  provides answering of search requests from the
          proxy using results of previously cached requests.

     monitor
          This backend provides  information  about  the  running
          status of the slapd daemon.

     null Operations in this backend succeed but do nothing.

     passwd
          This backend is  provided  for  demonstration  purposes
          only.   It  serves up user account information from the
          system passwd(5) file.

     perl This backend embeds a perl(1) interpreter  into  slapd.
          It runs Perl subroutines to implement LDAP operations.

     shell
          This backend executes external  programs  to  implement
          LDAP operations.  It is primarily intended to be
          used in prototypes.

     sql  This  backend  is  experimental.   It   services   LDAP
          requests from an SQL database.

     tcl  This backend is experimental.  It  embeds  a  Tcl(3tcl)
          interpreter  into  slapd.   It  runs  Tcl  commands  to
          implement LDAP operations.


EXAMPLES

     Here is a short example of a configuration file:

          include   SYSCONFDIR/schema/core.schema
          pidfile   LOCALSTATEDIR/slapd.pid

          # Subtypes of "name" (e.g. "cn" and "ou") with the
          # option ";x-hidden" can be searched for/compared,
          # but are not shown.  See slapd.access(5).
          attributeoptions x-hidden lang-
          access to attr=name;x-hidden by * =cs

          database  bdb
          suffix    "dc=our-domain,dc=com"
          # The database directory MUST exist prior to
          # running slapd AND should only be accessible
          # by the slapd/tools. Mode 0700 recommended.
          directory LOCALSTATEDIR/openldap-data
          # Indices to maintain
          index     objectClass  eq
          index     cn,sn,mail   pres,eq,approx,sub

          # We serve small clients that do not handle referrals,
          # so handle remote lookups on their behalf.
          database  ldap
          suffix    ""
          uri       ldap://ldap.some-server.com/
          lastmod   off

     "OpenLDAP Administrator's Guide" contains a longer annotated
     example    of    a   configuration   file.    The   original
     ETCDIR/slapd.conf is another example.


FILES

     ETCDIR/slapd.conf
          default slapd configuration file


SEE ALSO

     ldap(3), slapd-bdb(5), slapd-dnssrv(5), slapd-ldap(5),
     slapd-ldbm(5), slapd-meta(5), slapd-monitor(5), slapd-null(5),
     slapd-passwd(5), slapd-perl(5), slapd-shell(5), slapd-sql(5),
     slapd-tcl(5), slapd.access(5), slapd.plugin(5), slapd.replog(5),
     slapd(8), slapadd(8), slapcat(8), slapindex(8), slappasswd(8),
     slurpd(8),

     "OpenLDAP Administrator's Guide"
     (http://www.OpenLDAP.org/doc/admin/)


ACKNOWLEDGEMENTS

     OpenLDAP is developed and maintained by The OpenLDAP Project
     (http://www.openldap.org/).    OpenLDAP   is   derived  from
     University of Michigan LDAP 3.3 Release.
