2001-05-29 09:51:37 +08:00
|
|
|
.TH SLAPD.CONF 5 "28 May 2001" "OpenLDAP LDVERSION"
|
|
|
|
.\" Copyright 1998-2001 The OpenLDAP Foundation All Rights Reserved.
|
1999-09-12 12:41:47 +08:00
|
|
|
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
|
2000-10-18 08:15:32 +08:00
|
|
|
.\" $OpenLDAP$
|
1998-08-09 08:43:13 +08:00
|
|
|
.SH NAME
|
|
|
|
slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
|
|
|
|
.SH SYNOPSIS
|
|
|
|
ETCDIR/slapd.conf
|
|
|
|
.SH DESCRIPTION
|
|
|
|
The file
|
|
|
|
.B ETCDIR/slapd.conf
|
|
|
|
contains configuration information for the
|
|
|
|
.BR slapd (8)
|
|
|
|
daemon. This configuration file is also used by the
|
|
|
|
.BR slurpd (8)
|
1999-08-18 04:25:16 +08:00
|
|
|
replication daemon and by the SLAPD tools
|
|
|
|
.BR slapadd (8),
|
|
|
|
.BR slapcat (8),
|
1998-08-09 08:43:13 +08:00
|
|
|
and
|
1999-08-18 04:25:16 +08:00
|
|
|
.BR slapindex (8).
|
1998-08-09 08:43:13 +08:00
|
|
|
.LP
|
|
|
|
The
|
|
|
|
.B slapd.conf
|
|
|
|
file consists of a series of global configuration options that apply to
|
|
|
|
.B slapd
|
|
|
|
as a whole (including all backends), followed by zero or more database
|
|
|
|
backend definitions that contain information specific to a backend
|
|
|
|
instance.
|
|
|
|
.LP
|
|
|
|
The general format of
|
|
|
|
.B slapd.conf
|
|
|
|
is as follows:
|
|
|
|
.LP
|
|
|
|
.nf
|
|
|
|
# comment - these options apply to every database
|
|
|
|
<global configuration options>
|
|
|
|
# first database definition & configuration options
|
|
|
|
database <backend 1 type>
|
|
|
|
<configuration options specific to backend 1>
|
|
|
|
# subsequent database definitions & configuration options
|
|
|
|
...
|
|
|
|
.fi
|
|
|
|
.LP
|
|
|
|
As many backend-specific sections as desired may be included. Global
|
|
|
|
options can be overridden in a backend (for options that appear more
|
|
|
|
than once, the last appearance in the
|
|
|
|
.B slapd.conf
|
|
|
|
file is used). Blank lines and comment lines beginning with a `#'
|
|
|
|
character are ignored. If a line begins with white space, it is
|
|
|
|
considered a continuation of the previous line.
|
|
|
|
.LP
|
|
|
|
Arguments on configuration lines are separated by white space. If an
|
|
|
|
argument contains white space, the argument should be enclosed in
|
|
|
|
double quotes. If an argument contains a double quote (`"') or a
|
|
|
|
backslash character (`\\'), the character should be preceded by a
|
|
|
|
backslash character.
|
|
|
|
.LP
|
|
|
|
The specific configuration options available are discussed below in the
|
2001-05-29 09:51:37 +08:00
|
|
|
Global Configuration Options, General Backend Options, General Database
|
|
|
|
Options, LDBM Backend-Specific Options, LDBM Database-Specific Options,
|
|
|
|
Shell Database-Specific Options, and Password
|
|
|
|
Database-Specific Options sections. Refer to the "OpenLDAP
|
1998-08-09 08:43:13 +08:00
|
|
|
Administrator's Guide" for more details on the slapd configuration
|
|
|
|
file.
|
|
|
|
.SH GLOBAL CONFIGURATION OPTIONS
|
|
|
|
Options described in this section apply to all backends, unless specifically
|
|
|
|
overridden in a backend definition. Arguments that should be replaced by
|
|
|
|
actual text are shown in brackets <>.
|
|
|
|
.TP
|
2000-08-08 07:04:20 +08:00
|
|
|
.B access to <what> [ by <who> <access> <control> ]+
|
1999-10-22 01:53:56 +08:00
|
|
|
Grant access (specified by <access>) to a set of entries and/or
|
1998-08-09 08:43:13 +08:00
|
|
|
attributes (specified by <what>) by one or more requestors (specified
|
1999-10-22 01:53:56 +08:00
|
|
|
by <who>).
|
2000-08-20 06:14:14 +08:00
|
|
|
See the "OpenLDAP's Administrator's Guide" for details.
|
|
|
|
.TP
|
2000-09-09 06:59:01 +08:00
|
|
|
.B allow <features>
|
2000-09-12 02:24:24 +08:00
|
|
|
Specify a set of features (separated by white space) to
|
|
|
|
allow (default none).
|
2000-09-09 06:59:01 +08:00
|
|
|
.B tls_2_anon
|
|
|
|
allows Start TLS to force session to anonymous status (see also
|
|
|
|
.B disallow
|
|
|
|
.BR tls_authc ).
|
|
|
|
.TP
|
2000-08-20 06:14:14 +08:00
|
|
|
.B argsfile <filename>
|
|
|
|
The ( absolute ) name of a file that will hold the
|
|
|
|
.B slapd
|
|
|
|
server's command line options
|
|
|
|
if started without the debugging command line option.
|
2000-08-08 07:04:20 +08:00
|
|
|
.HP
|
|
|
|
.hy 0
|
|
|
|
.B attributetype (\ <oid> [NAME\ <name>] [OBSOLETE]\
|
|
|
|
[DESC\ <description>]\
|
|
|
|
[SUP\ <oid>] [EQUALITY\ <oid>] [ORDERING\ <oid>]\
|
|
|
|
[SUBSTR\ <oid>] [SYNTAX\ <oidlen>] [SINGLE\-VALUE] [COLLECTIVE]\
|
|
|
|
[NO\-USER\-MODIFICATION] [USAGE\ <attributeUsage>]\ )
|
|
|
|
.RS
|
1999-08-20 08:32:36 +08:00
|
|
|
Specify an attribute type using the LDAPv3 syntax defined in RFC 2252.
|
2000-06-06 15:57:41 +08:00
|
|
|
The slapd parser extends the RFC 2252 definition by allowing string
|
|
|
|
forms as well as numeric OIDs to be used for the attribute OID and
|
|
|
|
attribute syntax OID.
|
1999-08-20 08:32:36 +08:00
|
|
|
(See the
|
1999-10-14 04:28:00 +08:00
|
|
|
.B objectidentifier
|
1999-08-20 08:32:36 +08:00
|
|
|
description.) Currently the syntax name parser is case-sensitive.
|
|
|
|
The known syntax names are:
|
|
|
|
.RS
|
|
|
|
.RS
|
|
|
|
.PD 0
|
|
|
|
AttributeTypeDescription Audio Binary BitString Certificate CertificateList
|
|
|
|
CertificatePair DN DeliveryMethod DirectoryString DITContentRuleDescription
|
|
|
|
DITStructureRuleDescription EnhancedGuide FacsimileTelephoneNumber
|
|
|
|
GeneralizedTime Guide IA5String Integer MatchingRuleDescription
|
|
|
|
MatchingRuleUseDescription MailPreference NameAndOptionalUUID
|
|
|
|
NameFormDescription NumericString ObjectClassDescription OID
|
|
|
|
OtherMailbox OctetString PostalAddress ProtocolInformation
|
|
|
|
PresentationAddress PrintableString SupportedAlgorithm TelephoneNumber
|
|
|
|
TeletexTerminalIdentifier TelexNumber UTCTime LDAPSyntaxDescription
|
|
|
|
SubstringAssertion NISnetgrouptriple Bootparameter
|
|
|
|
.PD
|
|
|
|
.RE
|
|
|
|
.RE
|
2000-08-08 07:04:20 +08:00
|
|
|
.RE
|
1999-08-20 08:32:36 +08:00
|
|
|
.TP
|
2000-06-13 10:42:13 +08:00
|
|
|
.B concurrency <integer>
|
|
|
|
Specify a desired level of concurrency. Provided to the underlying
|
2000-10-18 08:15:32 +08:00
|
|
|
thread system as a hint. The default is not to provide any hint.
|
1998-08-09 08:43:13 +08:00
|
|
|
.TP
|
2000-09-12 05:57:14 +08:00
|
|
|
.B defaultsearchbase <dn>
|
|
|
|
Specify a default search base to use when client submits a
|
|
|
|
non-base search request with an empty base DN.
|
|
|
|
.TP
|
2000-08-29 02:58:13 +08:00
|
|
|
.B disallow <features>
|
2000-09-12 02:24:24 +08:00
|
|
|
Specify a set of features (separated by white space) to
|
|
|
|
disallow (default none).
|
2000-08-29 02:58:13 +08:00
|
|
|
.B bind_v2
|
|
|
|
disables acceptance of LDAPv2 bind requests.
|
|
|
|
.B bind_anon
|
|
|
|
disables acceptance of anonymous bind requests.
|
|
|
|
.B bind_anon_cred
|
2000-09-12 02:24:24 +08:00
|
|
|
disables anonymous bind creditials are not empty (e.g.
|
|
|
|
when DN is empty).
|
2000-08-29 02:58:13 +08:00
|
|
|
.B bind_anon_dn
|
|
|
|
disables anonymous bind when DN is not empty.
|
2000-09-12 02:24:24 +08:00
|
|
|
.B bind_simple
|
|
|
|
disables simple (bind) authentication.
|
|
|
|
.B bind_krbv4
|
|
|
|
disables Kerberos V4 (bind) authentication.
|
2000-09-09 06:59:01 +08:00
|
|
|
.B tls_authc
|
|
|
|
disables StartTLS if authenticated (see also
|
|
|
|
.B allow
|
|
|
|
.BR tls_2_anon ).
|
2000-08-29 02:58:13 +08:00
|
|
|
.TP
|
1999-06-19 06:54:19 +08:00
|
|
|
.B idletimeout <integer>
|
|
|
|
Specify the number of seconds to wait before forcibly closing
|
|
|
|
an idle client connections. A idletimeout of 0 disables this
|
|
|
|
feature. The default is 0.
|
|
|
|
.TP
|
1998-08-09 08:43:13 +08:00
|
|
|
.B include <filename>
|
|
|
|
Read additional configuration information from the given file before
|
|
|
|
continuing with the next line of the current file.
|
|
|
|
.TP
|
|
|
|
.B loglevel <integer>
|
|
|
|
Specify the level at which debugging statements and operation
|
|
|
|
statistics should be syslogged (currently logged to the
|
|
|
|
.BR syslogd (8)
|
|
|
|
LOG_LOCAL4 facility). Log levels are additive, and available levels
|
|
|
|
are:
|
|
|
|
.RS
|
|
|
|
.RS
|
|
|
|
.PD 0
|
|
|
|
.TP
|
|
|
|
.B 1
|
|
|
|
trace function calls
|
|
|
|
.TP
|
|
|
|
.B 2
|
|
|
|
debug packet handling
|
|
|
|
.TP
|
|
|
|
.B 4
|
|
|
|
heavy trace debugging
|
|
|
|
.TP
|
|
|
|
.B 8
|
|
|
|
connection management
|
|
|
|
.TP
|
|
|
|
.B 16
|
|
|
|
print out packets sent and received
|
|
|
|
.TP
|
|
|
|
.B 32
|
|
|
|
search filter processing
|
|
|
|
.TP
|
|
|
|
.B 64
|
|
|
|
configuration file processing
|
|
|
|
.TP
|
|
|
|
.B 128
|
|
|
|
access control list processing
|
|
|
|
.TP
|
|
|
|
.B 256
|
|
|
|
stats log connections/operations/results
|
|
|
|
.TP
|
|
|
|
.B 512
|
|
|
|
stats log entries sent
|
|
|
|
.TP
|
|
|
|
.B 1024
|
|
|
|
print communication with shell backends
|
|
|
|
.TP
|
|
|
|
.B 2048
|
|
|
|
entry parsing
|
|
|
|
.PD
|
|
|
|
.RE
|
|
|
|
.RE
|
2000-08-08 07:04:20 +08:00
|
|
|
.HP
|
|
|
|
.B objectclass ( <oid> [NAME <name>] [DESC <description] [OBSOLETE]\
|
|
|
|
[SUP <oids>] [{ ABSTRACT | STRUCTURAL | AUXILIARY }] [MUST <oids>]\
|
|
|
|
[MAY <oids>] )
|
|
|
|
.RS
|
1999-08-20 08:32:36 +08:00
|
|
|
Specify an objectclass using the LDAPv3 syntax defined in RFC 2252.
|
2000-06-06 15:57:41 +08:00
|
|
|
The slapd parser extends the RFC 2252 definition by allowing string
|
|
|
|
forms as well as numeric OIDs to be used for the object class OID.
|
|
|
|
(See the
|
1999-08-20 08:32:36 +08:00
|
|
|
.B
|
|
|
|
objectidentifier
|
2000-06-06 15:57:41 +08:00
|
|
|
description.) Object classes are "STRUCTURAL" by default.
|
2000-08-08 07:04:20 +08:00
|
|
|
.RE
|
1999-08-20 08:32:36 +08:00
|
|
|
.TP
|
|
|
|
.B objectidentifier <name> { <oid> | <name>[:<suffix>] }
|
|
|
|
Define a string name that equates to the given OID. The string can be used
|
|
|
|
in place of the numeric OID in objectclass and attribute definitions. The
|
|
|
|
name can also be used with a suffix of the form ":xx" in which case the
|
|
|
|
value "oid.xx" will be used.
|
1998-08-09 08:43:13 +08:00
|
|
|
.TP
|
2000-08-20 06:14:14 +08:00
|
|
|
.B password-hash <hash>
|
|
|
|
The <hash> to use for userPassword generation. One of
|
|
|
|
.BR {SSHA} ,
|
|
|
|
.BR {SHA} ,
|
|
|
|
.BR {SMD5} ,
|
|
|
|
.BR {MD5} ,
|
|
|
|
.BR {CRYPT} ,
|
|
|
|
.BR {KERBEROS} ,
|
|
|
|
.BR {SASL} ,
|
|
|
|
and
|
|
|
|
.BR {UNIX} .
|
|
|
|
The default is
|
|
|
|
.BR {SSHA} .
|
|
|
|
.TP
|
2000-10-07 05:16:36 +08:00
|
|
|
.B pidfile <filename>
|
|
|
|
The ( absolute ) name of a file that will hold the
|
|
|
|
.B slapd
|
|
|
|
server's process ID ( see
|
|
|
|
.BR getpid (2)
|
|
|
|
) if started without the debugging command line option.
|
|
|
|
.TP
|
1998-08-09 08:43:13 +08:00
|
|
|
.B referral <url>
|
|
|
|
Specify the referral to pass back when
|
|
|
|
.BR slapd (8)
|
|
|
|
cannot find a local database to handle a request.
|
1999-07-16 10:45:46 +08:00
|
|
|
If specified multiple times, each url is provided.
|
1998-08-09 08:43:13 +08:00
|
|
|
.TP
|
2000-08-29 02:58:13 +08:00
|
|
|
.B require <conditions>
|
2000-09-12 02:24:24 +08:00
|
|
|
Specify a set of conditions (separated by white space) to
|
|
|
|
require (default none).
|
2000-08-29 02:58:13 +08:00
|
|
|
The directive may be specified globally and/or per-database.
|
|
|
|
.B bind
|
|
|
|
requires bind operation prior to directory operations.
|
|
|
|
.B LDAPv3
|
|
|
|
requires session to be using LDAP version 3.
|
|
|
|
.B authc
|
|
|
|
requires authentication prior to directory operations.
|
|
|
|
.B SASL
|
|
|
|
requires SASL authentication prior to directory operations.
|
|
|
|
.B strong
|
|
|
|
requires strong authentication prior to directory operations.
|
|
|
|
Currently
|
|
|
|
.B SASL
|
|
|
|
and
|
|
|
|
.B strong
|
|
|
|
conditions are currently same.
|
|
|
|
.B none
|
|
|
|
may be used to require no conditions (useful for clearly globally
|
|
|
|
set conditions within a particular database).
|
|
|
|
.TP
|
2000-08-30 11:50:16 +08:00
|
|
|
.B sasl-host <fqdn>
|
|
|
|
Used to specify the fully qualified domain name used for SASL processing.
|
|
|
|
.TP
|
2000-10-07 05:16:36 +08:00
|
|
|
.B sasl-realm <realm>
|
|
|
|
Specify SASL realm. Default is empty.
|
2000-08-24 09:09:18 +08:00
|
|
|
.TP
|
2000-10-07 05:16:36 +08:00
|
|
|
.B sasl-regexp <match> <replace>
|
2000-09-22 01:32:54 +08:00
|
|
|
Used by the SASL authorization mechanism to convert a SASL authenticated
|
|
|
|
username to an LDAP DN. When an authorization request is received, the SASL
|
|
|
|
.B USERNAME, REALM,
|
|
|
|
and
|
|
|
|
.B MECHANISM
|
|
|
|
are taken, when available, and combined into a SASL name of the
|
|
|
|
form
|
|
|
|
.RS
|
|
|
|
.RS
|
|
|
|
.TP
|
2000-10-07 07:50:38 +08:00
|
|
|
.B uid=<UID>[,cn=<REALM>][,cn=<MECH>],cn=AUTHZ
|
2000-09-22 01:32:54 +08:00
|
|
|
|
|
|
|
.RE
|
|
|
|
This SASL name is then compared against the
|
|
|
|
.B match
|
|
|
|
regular expression, and if the match is successful, the SASL name is
|
|
|
|
replaced with the
|
|
|
|
.B replace
|
|
|
|
string. If there are wildcard strings in the
|
|
|
|
.B match
|
|
|
|
regular expression that are enclosed in parenthesis, e.g.
|
|
|
|
.RS
|
|
|
|
.RS
|
|
|
|
.TP
|
2000-10-07 05:16:36 +08:00
|
|
|
.B uid=(.*)\\\\+realm=.*
|
2000-09-22 01:32:54 +08:00
|
|
|
|
|
|
|
.RE
|
|
|
|
.RE
|
|
|
|
then the portion of the SASL name that matched the wildcard will be stored
|
|
|
|
in the numbered placeholder variable $1. If there are other wildcard strings
|
|
|
|
in parenthesis, the matching strings will be in $2, $3, etc. up to $9. The
|
|
|
|
placeholders can then be used in the
|
|
|
|
.B replace
|
|
|
|
string, e.g.
|
|
|
|
.RS
|
|
|
|
.RS
|
|
|
|
.TP
|
|
|
|
.B cn=$1,ou=Accounts,dc=$2,dc=$4.
|
|
|
|
|
|
|
|
.RE
|
|
|
|
.RE
|
|
|
|
The replaced SASL name can be either a DN or an LDAP URI. If the latter, the slapd
|
|
|
|
server will use the URI to search its own database, and if the search returns
|
|
|
|
exactly one entry, the SASL name is replaced by the DN of that entry.
|
|
|
|
Multiple
|
2000-10-07 05:16:36 +08:00
|
|
|
.B sasl-regexp
|
2000-09-22 01:32:54 +08:00
|
|
|
options can be given in the configuration file to allow for multiple matching
|
|
|
|
and replacement patterns. The matching patterns are checked in the order they
|
|
|
|
appear in the file, stopping at the first successful match.
|
|
|
|
.LP
|
|
|
|
.B Caution:
|
|
|
|
Because the plus sign + is a character recognized by the regular expression engine,
|
|
|
|
and it will appear in SASL names that include a REALM, be careful to escape the
|
2000-10-07 07:50:38 +08:00
|
|
|
plus sign with a backslash \\+ to remove the character's special meaning.
|
2000-09-22 01:32:54 +08:00
|
|
|
.RE
|
|
|
|
.TP
|
2000-10-07 05:16:36 +08:00
|
|
|
.B sasl-secprops <properties>
|
|
|
|
Used to specify Cyrus SASL security properties.
|
|
|
|
The
|
|
|
|
.B none
|
|
|
|
flag (without any other properities) causes the flag properites
|
|
|
|
default, "noanonymous,noplain", to be cleared.
|
|
|
|
The
|
|
|
|
.B noplain
|
|
|
|
flag disables mechanisms susceptible to simple passive attacks.
|
|
|
|
The
|
|
|
|
.B noactive
|
|
|
|
flag disables mechanisms susceptible to active attacks.
|
|
|
|
The
|
|
|
|
.B nodict
|
|
|
|
flag disables mechanisms susceptible to passive dictionary attacks.
|
|
|
|
The
|
|
|
|
.B noanonyous
|
|
|
|
flag disables mechanisms which support anonymous login.
|
|
|
|
The
|
|
|
|
.B forwardsec
|
|
|
|
flag require forward secrecy between sessions.
|
|
|
|
The
|
|
|
|
.B passcred
|
|
|
|
require mechanisms which pass client credentials (and allow
|
|
|
|
mechanisms which can pass credentials to do so).
|
|
|
|
The
|
|
|
|
.B minssf=<factor>
|
|
|
|
property specifies the minimum acceptable
|
|
|
|
.I security strength factor
|
|
|
|
as an integer approximate to effective key length used for
|
|
|
|
encryption. 0 (zero) implies no protection, 1 implies integrity
|
|
|
|
protection only, 56 allows DES or other weak ciphers, 112
|
|
|
|
allows triple DES and other strong ciphers, 128 allows RC4,
|
|
|
|
Blowfish and other modern strong ciphers. The default is 0.
|
|
|
|
The
|
|
|
|
.B maxssf=<factor>
|
|
|
|
property specifies the maximum acceptable
|
|
|
|
.I security strength factor
|
|
|
|
as an integer (see minssf description). The default is INT_MAX.
|
|
|
|
The
|
2000-10-07 10:07:39 +08:00
|
|
|
.B maxbufsize=<size>
|
2000-10-07 05:16:36 +08:00
|
|
|
property specifies the maximum security layer receive buffer
|
|
|
|
size allowed. 0 disables security layers. The default is 65536.
|
|
|
|
.TP
|
2000-08-24 09:09:18 +08:00
|
|
|
.B schemacheck { on | off }
|
|
|
|
Turn schema checking on or off. The default is on.
|
|
|
|
.TP
|
2000-08-29 03:17:37 +08:00
|
|
|
.B security <factors>
|
|
|
|
Specify a set of factors (separated by white space) to require.
|
|
|
|
An integer value is associated with each factor and is roughly
|
|
|
|
equivalent of the encryption key length to require. A value
|
|
|
|
of 112 is equivalent to 3DES, 128 to Blowfish, etc..
|
|
|
|
The directive may be specified globally and/or per-database.
|
|
|
|
.B ssf=<n>
|
|
|
|
specifies the overall security strength factor.
|
|
|
|
.B transport=<n>
|
|
|
|
specifies the transport security strength factor.
|
|
|
|
.B tls=<n>
|
|
|
|
specifies the TLS security strength factor.
|
|
|
|
.B sasl=<n>
|
|
|
|
specifies the SASL security strength factor.
|
|
|
|
.B update_ssf=<n>
|
|
|
|
specifies the overall security strength factor to require for
|
|
|
|
directory updates.
|
|
|
|
.B update_transport=<n>
|
|
|
|
specifies the transport security strength factor to require for
|
|
|
|
directory updates.
|
|
|
|
.B update_tls=<n>
|
|
|
|
specifies the TLS security strength factor to require for
|
|
|
|
directory updates.
|
|
|
|
.B update_sasl=<n>
|
|
|
|
specifies the SASL security strength factor to require for
|
|
|
|
directory updates.
|
|
|
|
Note that the
|
|
|
|
.B transport
|
|
|
|
factor is measure of security provided by the underlying transport,
|
|
|
|
e.g. ldapi:// (and eventually IPSEC). It is not normally used.
|
|
|
|
.TP
|
1998-08-09 08:43:13 +08:00
|
|
|
.B schemacheck { on | off }
|
1999-04-30 02:10:40 +08:00
|
|
|
Turn schema checking on or off. The default is on.
|
1998-08-09 08:43:13 +08:00
|
|
|
.TP
|
|
|
|
.B sizelimit <integer>
|
|
|
|
Specify the maximum number of entries to return from a search operation.
|
|
|
|
The default size limit is 500.
|
|
|
|
.TP
|
2001-05-30 00:10:08 +08:00
|
|
|
.B sockbuf_max_incoming <integer>
|
2001-05-30 04:00:55 +08:00
|
|
|
Specify the maximum incoming LDAP PDU size for anonymous sessions.
|
|
|
|
The default is 262143.
|
|
|
|
.TP
|
|
|
|
.B sockbuf_max_incoming_auth <integer>
|
|
|
|
Specify the maximum incoming LDAP PDU size for authenticated sessions.
|
|
|
|
The default is 4194303.
|
2001-05-30 00:10:08 +08:00
|
|
|
.TP
|
1998-08-09 08:43:13 +08:00
|
|
|
.B srvtab <filename>
|
|
|
|
Specify the srvtab file in which the kerberos keys necessary for
|
|
|
|
authenticating clients using kerberos can be found. This option is only
|
|
|
|
meaningful if you are using Kerberos authentication.
|
|
|
|
.TP
|
2000-10-18 08:22:30 +08:00
|
|
|
.B threads <integer>
|
|
|
|
Specify the maximum size of the primary thread pool.
|
|
|
|
The default is 32.
|
|
|
|
.TP
|
1998-08-09 08:43:13 +08:00
|
|
|
.B timelimit <integer>
|
|
|
|
Specify the maximum number of seconds (in real time)
|
|
|
|
.B slapd
|
|
|
|
will spend answering a search request. The default time limit is 3600.
|
1999-07-17 03:56:32 +08:00
|
|
|
.SH TLS OPTIONS
|
|
|
|
If
|
|
|
|
.B slapd
|
|
|
|
is build with support for Transport Layer Security, there are more options
|
|
|
|
you can specify.
|
|
|
|
.TP
|
|
|
|
.B TLSCipherSuite <cipher-suite-spec>
|
|
|
|
Permits configuring what ciphers will be accepted and the preference order.
|
|
|
|
<cipher-suite-spec> should be a cipher specification for OpenSSL. Example:
|
|
|
|
|
|
|
|
TLSCipherSuite HIGH:MEDIUM:+SSLv2
|
|
|
|
|
|
|
|
To check what ciphers a given spec selects, use:
|
|
|
|
|
|
|
|
openssl ciphers -v <cipher-suite-spec>
|
|
|
|
.TP
|
|
|
|
.B TLSCertificateFile <filename>
|
|
|
|
Specifies the file that contains the
|
|
|
|
.B slapd
|
|
|
|
server certificate.
|
|
|
|
.TP
|
|
|
|
.B TLSCertificateKeyFile <filename>
|
|
|
|
Specifies the file that contains the
|
|
|
|
.B slapd
|
|
|
|
server private key that matches the certificate stored in the
|
|
|
|
.B TLSCertificateFile
|
|
|
|
file. Currently, the private key must not be protected with a password, so
|
|
|
|
it is of critical importance that it is protected carefully.
|
2001-05-03 03:52:58 +08:00
|
|
|
.TP
|
|
|
|
.B TLSRandFile <filename>
|
|
|
|
Specifies the file to obtain random bits from when /dev/[u]random
|
|
|
|
is not available. Generally set to the name of the EGD/PRNGD socket.
|
|
|
|
The environment variable RANDFILE can also be used to specify the filename.
|
1998-08-09 08:43:13 +08:00
|
|
|
.SH GENERAL BACKEND OPTIONS
|
|
|
|
Options in this section only apply to the configuration file section
|
2001-05-29 09:51:37 +08:00
|
|
|
for the specified backend. They are supported by every
|
|
|
|
type of backend.
|
|
|
|
.TP
|
|
|
|
.B backend <databasetype>
|
|
|
|
Mark the beginning of a backend definition. <databasetype>
|
|
|
|
should be one of
|
|
|
|
.B ldbm,
|
|
|
|
.B shell,
|
|
|
|
or
|
|
|
|
.B passwd
|
|
|
|
depending on which backend will serve the database.
|
|
|
|
|
|
|
|
.SH GENERAL DATABASE OPTIONS
|
|
|
|
Options in this section only apply to the configuration file section
|
|
|
|
for the database in which they are defined. They are supported by every
|
1998-08-09 08:43:13 +08:00
|
|
|
type of backend.
|
|
|
|
.TP
|
|
|
|
.B database <databasetype>
|
|
|
|
Mark the beginning of a new database instance definition. <databasetype>
|
|
|
|
should be one of
|
|
|
|
.B ldbm,
|
|
|
|
.B shell,
|
|
|
|
or
|
|
|
|
.B passwd
|
|
|
|
depending on which backend will serve the database.
|
|
|
|
.TP
|
|
|
|
.B lastmod on | off
|
|
|
|
Controls whether
|
|
|
|
.B slapd
|
|
|
|
will automatically maintain the
|
|
|
|
modifiersName, modifyTimestamp, creatorsName, and
|
1999-08-06 07:52:14 +08:00
|
|
|
createTimestamp attributes for entries. By default, lastmod is on.
|
1998-08-09 08:43:13 +08:00
|
|
|
.TP
|
|
|
|
.B readonly on | off
|
|
|
|
This option puts the database into "read-only" mode. Any attempts to
|
|
|
|
modify the database will return an "unwilling to perform" error. By
|
|
|
|
default, readonly is off.
|
2000-08-08 07:04:20 +08:00
|
|
|
.HP
|
2000-09-16 07:41:07 +08:00
|
|
|
.B replica host=<hostname>[:port] [tls=yes|critical]
|
|
|
|
.B bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
|
|
|
|
.B [saslmech=<SASL mech>] [secopts=<options>] [realm=<realm>]
|
|
|
|
.B [authcId=<authentication ID>] [authcId=<authentication ID>]
|
2000-08-08 07:04:20 +08:00
|
|
|
.RS
|
2000-08-18 10:58:05 +08:00
|
|
|
Specify a replication site for this database. Refer to the "OpenLDAP
|
2000-08-18 00:30:37 +08:00
|
|
|
Administrator's Guide" for detailed information on setting up a replicated
|
1998-08-09 08:43:13 +08:00
|
|
|
.B slapd
|
2000-08-18 00:30:37 +08:00
|
|
|
directory service. A
|
|
|
|
.B bindmethod
|
|
|
|
of
|
|
|
|
.B simple
|
|
|
|
requires the options
|
|
|
|
.B binddn
|
|
|
|
and
|
|
|
|
.B credentials
|
|
|
|
and should only be used when adequate security services
|
|
|
|
(e.g TLS or IPSEC) are in place. A
|
|
|
|
.B bindmethod
|
|
|
|
of
|
|
|
|
.B sasl
|
|
|
|
requires the option
|
|
|
|
.B saslmech.
|
|
|
|
If the
|
|
|
|
.B mechanism
|
|
|
|
will use Kerberos, a kerberos instance should be given in
|
|
|
|
.B authcId.
|
2000-08-08 07:04:20 +08:00
|
|
|
.RE
|
1998-08-09 08:43:13 +08:00
|
|
|
.TP
|
|
|
|
.B replogfile <filename>
|
|
|
|
Specify the name of the replication log file to log changes to.
|
|
|
|
The replication log is typically written by
|
|
|
|
.BR slapd (8)
|
|
|
|
and read by
|
|
|
|
.BR slurpd (8).
|
|
|
|
See
|
|
|
|
.BR slapd.replog (5)
|
2000-10-17 06:19:29 +08:00
|
|
|
for more information. The specified file should be located
|
|
|
|
in a directory with limited read/write/execute access as the replication
|
|
|
|
logs may contain sensitive information.
|
1998-08-09 08:43:13 +08:00
|
|
|
.TP
|
|
|
|
.B rootdn <dn>
|
2000-08-20 06:14:14 +08:00
|
|
|
Specify the distinguished name that is not subject to access control
|
1998-08-09 08:43:13 +08:00
|
|
|
or administrative limit restrictions for operations on this database.
|
2000-08-20 06:14:14 +08:00
|
|
|
This DN may or may not be associated with an entry. An empty root
|
2000-09-12 02:24:24 +08:00
|
|
|
DN (the default) specifies no root access is to be granted. It is
|
|
|
|
recommended that the rootdn only be specified when needed (such as
|
2000-10-07 05:19:20 +08:00
|
|
|
when initially populating a database). If the rootdn is within
|
|
|
|
a namingContext (suffix) of the database, a simple bind password
|
|
|
|
may also be provided using the
|
|
|
|
.B rootpw
|
|
|
|
directive.
|
1998-08-09 08:43:13 +08:00
|
|
|
.TP
|
|
|
|
.B rootpw <password>
|
2000-10-07 05:19:20 +08:00
|
|
|
Specify a password (or hash of the password) for the rootdn. If
|
|
|
|
the rootdn is not within the namingContext of the database, the
|
|
|
|
provided password is ignored.
|
2000-03-02 06:58:30 +08:00
|
|
|
This option accepts all RFC 2307 userPassword formats known to
|
2000-08-20 06:14:14 +08:00
|
|
|
the server (see
|
|
|
|
.B password-hash
|
|
|
|
desription) as well as cleartext.
|
2000-06-19 03:40:38 +08:00
|
|
|
.BR slappasswd (8)
|
|
|
|
may be used to generate a hash of a password. Cleartext
|
2000-09-12 02:24:24 +08:00
|
|
|
and \fB{CRYPT}\fP passwords are not recommended. If empty
|
|
|
|
(the default), authentication of the root DN is by other means
|
2000-08-20 06:14:14 +08:00
|
|
|
(e.g. SASL). Use of SASL is encouraged.
|
1998-08-09 08:43:13 +08:00
|
|
|
.TP
|
|
|
|
.B suffix <dn suffix>
|
|
|
|
Specify the DN suffix of queries that will be passed to this
|
|
|
|
backend database. Multiple suffix lines can be given and at least one is
|
|
|
|
required for each database definition.
|
|
|
|
.TP
|
|
|
|
.B updatedn <dn>
|
|
|
|
This option is only applicable in a slave
|
|
|
|
.B slapd.
|
|
|
|
It specifies the DN allowed to make changes to the replica (typically,
|
|
|
|
this is the DN
|
|
|
|
.BR slurpd (8)
|
|
|
|
binds as when making changes to the replica).
|
1999-07-16 10:45:46 +08:00
|
|
|
.TP
|
|
|
|
.B updateref <url>
|
|
|
|
Specify the referral to pass back when
|
|
|
|
.BR slapd (8)
|
|
|
|
is asked to modify a replicated local database.
|
|
|
|
If specified multiple times, each url is provided.
|
1998-08-09 08:43:13 +08:00
|
|
|
.SH LDBM BACKEND-SPECIFIC OPTIONS
|
2001-05-29 09:51:37 +08:00
|
|
|
Options in this category only apply to the LDBM backend. That is,
|
|
|
|
they must follow "backend ldbm" line and come before any subsequent
|
|
|
|
"backend" or "database" lines. The LDBM backend is a high-performance
|
|
|
|
database that makes extensive use of indexing and caching to speed
|
|
|
|
data access.
|
|
|
|
.TP
|
|
|
|
.B directory <directory>
|
|
|
|
Specify the directory where shared LDBM files, namely those associated
|
|
|
|
with a BerkeleyDB environment, for all LDBM databases are kept.
|
|
|
|
The default is unset.
|
|
|
|
.SH LDBM DATABASE-SPECIFIC OPTIONS
|
|
|
|
Options in this category only apply to the LDBM databases. That is,
|
|
|
|
they must follow "database ldbm" line and come before any subsequent
|
|
|
|
"backend" or "database" lines.
|
1998-08-09 08:43:13 +08:00
|
|
|
.TP
|
|
|
|
.B cachesize <integer>
|
|
|
|
Specify the size in entries of the in-memory cache maintained
|
|
|
|
by the LDBM backend database instance. The default is 1000 entries.
|
|
|
|
.TP
|
|
|
|
.B dbcachesize <integer>
|
|
|
|
Specify the size in bytes of the in-memory cache associated
|
|
|
|
with each open index file. If not supported by the underlying database
|
|
|
|
method, this option is ignored without comment. The default is 100000 bytes.
|
1998-12-31 03:58:31 +08:00
|
|
|
.TP
|
1999-09-24 03:49:20 +08:00
|
|
|
.B dbnolocking
|
|
|
|
Specify that no database locking should be performed.
|
|
|
|
Enabling this option may improve performance at the expense of data security.
|
|
|
|
.B dbnosync
|
|
|
|
Specify that on-disk database contents should not be immediately
|
|
|
|
synchronized with in memory changes. Enabling this option may improve
|
|
|
|
performance at the expense of data security.
|
1998-08-09 08:43:13 +08:00
|
|
|
.TP
|
|
|
|
.B directory <directory>
|
2000-03-04 03:51:39 +08:00
|
|
|
Specify the directory where the LDBM files containing this database and
|
|
|
|
associated indexes live. A separate directory must be specified for
|
|
|
|
each database. The default is
|
2000-05-03 18:07:21 +08:00
|
|
|
.BR LOCALSTATEDIR/openldap-ldbm .
|
1998-08-09 08:43:13 +08:00
|
|
|
.TP
|
|
|
|
.B
|
2000-08-24 07:43:19 +08:00
|
|
|
index {<attrlist>|default} [pres,eq,approx,sub,<special>]
|
1998-08-09 08:43:13 +08:00
|
|
|
Specify the indexes to maintain for the given attribute. If only
|
2000-06-06 15:57:41 +08:00
|
|
|
an <attr> is given, the indices specified for \fBdefault\fR
|
2000-08-24 07:43:19 +08:00
|
|
|
are maintained. A number of special index parameters may be
|
|
|
|
specified.
|
|
|
|
The index type
|
|
|
|
.B sub
|
|
|
|
can be decomposed into
|
|
|
|
.BR subinitial ,
|
|
|
|
.BR subany ,\ and
|
|
|
|
.B subfinal
|
|
|
|
indices.
|
|
|
|
The special type
|
|
|
|
.B lang
|
|
|
|
may be specified to allow use of this index by language subtypes.
|
|
|
|
The special type
|
|
|
|
.B autolang
|
|
|
|
may be specified to automatically maintain separate indices for each
|
|
|
|
language subtypes.
|
|
|
|
The special type
|
|
|
|
.B subtypes
|
|
|
|
may be specified to allow use of this index by named subtypes.
|
|
|
|
The special type
|
|
|
|
.B autosubtypes
|
|
|
|
may be specified to automatically maintain separate indices for each
|
|
|
|
other subtypes.
|
1998-08-09 08:43:13 +08:00
|
|
|
.TP
|
|
|
|
.B mode <integer>
|
|
|
|
Specify the file protection mode that newly created database
|
|
|
|
index files should have. The default is 0600.
|
2001-05-29 09:51:37 +08:00
|
|
|
.SH SHELL DATABASE-SPECIFIC OPTIONS
|
1998-08-09 08:43:13 +08:00
|
|
|
Options in this category only apply to the SHELL backend database. That is,
|
|
|
|
they must follow a "database shell" line and come before any subsequent
|
2001-05-29 09:51:37 +08:00
|
|
|
"backend" or "database" lines. The Shell backend executes external programs to
|
1998-08-09 08:43:13 +08:00
|
|
|
implement operations, and is designed to make it easy to tie an existing
|
|
|
|
database to the
|
|
|
|
.B slapd
|
|
|
|
front-end.
|
|
|
|
.TP
|
|
|
|
.B bind <pathname>
|
|
|
|
.TP
|
|
|
|
.B unbind <pathname>
|
|
|
|
.TP
|
|
|
|
.B search <pathname>
|
|
|
|
.TP
|
|
|
|
.B compare <pathname>
|
|
|
|
.TP
|
|
|
|
.B modify <pathname>
|
|
|
|
.TP
|
|
|
|
.B modrdn <pathname>
|
|
|
|
.TP
|
|
|
|
.B add <pathname>
|
|
|
|
.TP
|
|
|
|
.B delete <pathname>
|
|
|
|
.TP
|
|
|
|
.B abandon <pathname>
|
|
|
|
These options specify the pathname of the command to execute in response
|
2000-08-18 10:58:05 +08:00
|
|
|
to the given LDAP operation.
|
1998-08-09 08:43:13 +08:00
|
|
|
.LP
|
|
|
|
Note that you need only supply configuration lines for those commands you
|
|
|
|
want the backend to handle. Operations for which a command is not
|
|
|
|
supplied will be refused with an "unwilling to perform" error.
|
2001-05-29 09:51:37 +08:00
|
|
|
.SH PASSWORD DATABASE-SPECIFIC OPTIONS
|
1998-08-09 08:43:13 +08:00
|
|
|
Options in this category only apply to the PASSWD backend database.
|
|
|
|
That is, they must follow a "database passwd" line and come before any
|
2001-05-29 09:51:37 +08:00
|
|
|
subsequent "backend" or "database" lines. The PASSWD database serves up the user
|
1998-08-09 08:43:13 +08:00
|
|
|
account information listed in the system
|
|
|
|
.BR passwd (5)
|
|
|
|
file.
|
|
|
|
.TP
|
|
|
|
.B file <filename>
|
|
|
|
Specifies an alternate passwd file to use. The default is
|
|
|
|
.B /etc/passwd.
|
|
|
|
.SH EXAMPLE
|
2000-08-14 06:00:36 +08:00
|
|
|
"OpenLDAP Administrator's Guide" contains an annotated
|
1998-08-09 08:43:13 +08:00
|
|
|
example of a configuration file.
|
|
|
|
.SH FILES
|
|
|
|
ETCDIR/slapd.conf
|
|
|
|
.SH SEE ALSO
|
|
|
|
.BR ldap (3),
|
|
|
|
.BR slapd.replog (5),
|
1999-02-23 05:01:24 +08:00
|
|
|
.BR locale (5),
|
1998-08-09 08:43:13 +08:00
|
|
|
.BR passwd (5),
|
|
|
|
.BR slapd (8),
|
1999-08-18 04:25:16 +08:00
|
|
|
.BR slapadd (8),
|
|
|
|
.BR slapcat (8),
|
|
|
|
.BR slapindex (8),
|
2000-06-19 03:40:38 +08:00
|
|
|
.BR slappassword (8),
|
1998-08-09 08:43:13 +08:00
|
|
|
.BR slurpd (8),
|
|
|
|
.LP
|
2000-08-25 07:18:06 +08:00
|
|
|
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
|
1998-10-25 09:41:42 +08:00
|
|
|
.SH ACKNOWLEDGEMENTS
|
|
|
|
.B OpenLDAP
|
|
|
|
is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
|
|
|
|
.B OpenLDAP
|
|
|
|
is derived from University of Michigan LDAP 3.3 Release.
|