diff --git a/doc/guide/admin/slapdconfig.sdf b/doc/guide/admin/slapdconfig.sdf index def9645415..ecf08723d6 100644 --- a/doc/guide/admin/slapdconfig.sdf +++ b/doc/guide/admin/slapdconfig.sdf @@ -366,6 +366,17 @@ H4: syncrepl > [credentials=] > [realm=] > [secprops=] +> [starttls=yes|critical] +> [tls_cert=] +> [tls_key=] +> [tls_cacert=] +> [tls_cacertdir=] +> [tls_reqcert=never|allow|try|demand] +> [tls_ciphersuite=] +> [tls_crlcheck=none|peer|all] +> [logbase=] +> [logfilter=] +> [syncdata=default|accesslog|changelog] This directive specifies the current database as a replica of the @@ -407,10 +418,10 @@ default value and must always be specified. The {{EX:scope}} defaults to {{EX:sub}}, the {{EX:filter}} defaults to {{EX:(objectclass=*)}}, {{EX:attrs}} defaults to {{EX:"*,+"}} to replicate all user and operational attributes, and {{EX:attrsonly}} is unset by default. Both {{EX:sizelimit}} -and {{EX:timelimit}} default to "unlimited", and only integers +and {{EX:timelimit}} default to "unlimited", and only positive integers or "unlimited" may be specified. -The LDAP Content Synchronization protocol has two operation +The {{TERM[expand]LDAP Sync}} protocol has two operation types: {{EX:refreshOnly}} and {{EX:refreshAndPersist}}. The operation type is specified by the {{EX:type}} parameter. In the {{EX:refreshOnly}} operation, the next synchronization search operation @@ -418,7 +429,7 @@ is periodically rescheduled at an interval time after each synchronization operation finishes. The interval is specified by the {{EX:interval}} parameter. It is set to one day by default. In the {{EX:refreshAndPersist}} operation, a synchronization search -remains persistent in the provider slapd. Further updates to the +remains persistent in the provider {{slapd}} instance. Further updates to the master replica will generate {{EX:searchResultEntry}} to the consumer slapd as the search responses to the persistent synchronization search. 
@@ -446,7 +457,7 @@ master database. The {{EX:bindmethod}} is {{EX:simple}} or {{EX:sasl}}, depending on whether simple password-based authentication or {{TERM:SASL}} authentication is to be used when connecting -to the provider slapd. +to the provider {{slapd}} instance. Simple authentication should not be used unless adequate data integrity and confidentiality protections are in place (e.g. TLS 
@@ -464,11 +475,31 @@ The {{EX:realm}} parameter specifies a realm which a certain mechanisms authenticate the identity within. The {{EX:secprops}} parameter specifies Cyrus SASL security properties. -The syncrepl replication mechanism is supported by the two primary -database backends: back-bdb and back-hdb. +The {{EX:starttls}} parameter specifies use of the StartTLS extended +operation to establish a TLS session before authenticating to the provider. +If the {{EX:critical}} argument is supplied, the session will be aborted +if the StartTLS request fails. Otherwise the syncrepl session continues +without TLS. Note that the main slapd TLS settings are not used by the +syncrepl engine; by default the TLS parameters from a {{ldap.conf}}(5) +configuration file will be used. TLS settings may be specified here, +in which case any {{ldap.conf}}(5) settings will be completely ignored. -See the {{SECT:LDAP Sync Replication}} chapter of the admin guide -for more information on how to use this directive. +Rather than replicating whole entries, the consumer can query logs +of data modifications. This mode of operation is referred to as +{{delta syncrepl}}. In addition to the above parameters, the +{{EX:logbase}} and {{EX:logfilter}} parameters must be set appropriately +for the log that will be used. The {{EX:syncdata}} parameter must +be set to either {{EX:"accesslog"}} if the log conforms to the +{{slapo-accesslog}}(5) log format, or {{EX:"changelog"}} if the log +conforms to the obsolete {{changelog}} format. If the {{EX:syncdata}} +parameter is omitted or set to {{EX:"default"}} then the log +parameters are ignored. + +The {{syncrepl}} replication mechanism is supported by the {{bdb}} and +{{hdb}} backends. + +See the {{SECT:LDAP Sync Replication}} chapter of this guide for +more information on how to use this directive. H4: updateref
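Review bot: In the @@ -366 hunk the synopsis gains tls_cert, tls_key, tls_cacert, tls_cacertdir, tls_reqcert, tls_ciphersuite and tls_crlcheck, but the only body text this patch adds for them (in the @@ -464 hunk) is "TLS settings may be specified here"; none of the seven is defined, and neither the default for tls_reqcert nor for tls_crlcheck is stated. That matters because three of the four tls_reqcert values (never, allow, try) accept a missing or unverifiable provider certificate, and tls_crlcheck=none skips revocation checking, so a reader of this page cannot tell whether a given configuration actually authenticates the provider. Suggest one short definition per parameter, the default for tls_reqcert and tls_crlcheck, and a sentence that tls_reqcert=demand needs tls_cacert or tls_cacertdir pointing at the issuing CA.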
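Review bot: In the @@ -407 hunk, "only positive integers or "unlimited" may be specified" excludes 0. Since the LDAP protocol itself uses a sizeLimit or timeLimit of 0 to mean "no client-requested limit", please confirm whether the syncrepl parser rejects 0 or treats it as "unlimited", and say so explicitly; either way, "positive integers" is clearer than the previous "integers".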
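Review bot: In the @@ -418 hunk the changed line reads "remains persistent in the provider {{slapd}} instance", but the very next unchanged context line still says "to the consumer slapd" without the {{slapd}} markup, so the paragraph now mixes both styles; apply the same markup there (and in the @@ -446 hunk's neighbourhood wherever "slapd" still appears bare). While touching this paragraph, "Further updates to the master replica" is confusing in a section that otherwise speaks of "provider" and "consumer"; "the provider's content" would match the rest of the text.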
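Review bot: In the @@ -446 hunk the trailing context warns that "Simple authentication should not be used unless adequate data integrity and confidentiality protections are in place (e.g. TLS", yet this patch is the one that introduces the mechanism for that protection (starttls, in the @@ -366 and @@ -464 hunks) and the two passages are not connected. Suggest a cross-reference here to starttls=critical, making clear that starttls=yes alone does not meet the requirement, because, as the @@ -464 hunk says, a failed StartTLS then lets the session continue without TLS and the simple password is sent in the clear.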
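Review bot: In the @@ -464 hunk, "Otherwise the syncrepl session continues without TLS" describes a silent downgrade to cleartext without saying what is exposed; the paragraph should state that in that case the bind credentials and all replicated data cross the network unprotected, and that critical is the setting to use whenever TLS is relied upon at all. Second, "TLS settings may be specified here, in which case any {{ldap.conf}}(5) settings will be completely ignored" is ambiguous about scope: if setting a single tls_ parameter (say tls_reqcert=demand) discards every ldap.conf TLS setting including the CA location, then a consumer that sets only that one parameter has no trust anchor, and the outcome depends on which tls_ options were given. Please confirm whether all ldap.conf TLS settings or only the overridden ones are dropped, and word the sentence accordingly. Minor style point: "{{delta syncrepl}}", "{{slapo-accesslog}}(5)" and "{{changelog}}" use bare {{...}} where the surrounding text uses {{EX:...}} for parameters and {{TERM:...}} for terms; pick one of the existing forms.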