.TH SLAPD.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 1998-2003 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The file
.B ETCDIR/slapd.conf
contains configuration information for the
.BR slapd (8)
daemon.  This configuration file is also used by the
.BR slurpd (8)
replication daemon and by the SLAPD tools
.BR slapadd (8),
.BR slapcat (8),
and
.BR slapindex (8).
.LP
The
.B slapd.conf
file consists of a series of global configuration options that apply to
.B slapd
as a whole (including all backends), followed by zero or more database
backend definitions that contain information specific to a backend
instance.
.LP
The general format of
.B slapd.conf
is as follows:
.LP
.nf
    # comment - these options apply to every database
    <global configuration options>
    # first database definition & configuration options
    database <backend 1 type>
    <configuration options specific to backend 1>
    # subsequent database definitions & configuration options
    ...
.fi
.LP
As many backend-specific sections as desired may be included.  Global
options can be overridden in a backend (for options that appear more
than once, the last appearance in the
.B slapd.conf
file is used).  Blank lines and comment lines beginning with a `#'
character are ignored.  If a line begins with white space, it is
considered a continuation of the previous line.
.LP
Arguments on configuration lines are separated by white space.  If an
argument contains white space, the argument should be enclosed in
double quotes.  If an argument contains a double quote (`"') or a
backslash character (`\\'), the character should be preceded by a
backslash character.
.LP
The specific configuration options available are discussed below in the
Global Configuration Options, General Backend Options, and General Database
Options.  Backend-specific options are discussed in the
.B slapd-<backend>(5)
manual pages.
Refer to the "OpenLDAP Administrator's Guide" for more details on the
slapd configuration file.
.SH GLOBAL CONFIGURATION OPTIONS
Options described in this section apply to all backends, unless specifically
overridden in a backend definition.  Arguments that should be replaced by
actual text are shown in brackets <>.
.TP
.B access to <what> "[ by <who> <access> <control> ]+"
Grant access (specified by <access>) to a set of entries and/or
attributes (specified by <what>) by one or more requestors (specified
by <who>).
See
.BR slapd.access (5)
and the "OpenLDAP Administrator's Guide" for details.
.TP
.B allow <features>
Specify a set of features (separated by white space) to
allow (default none).
.B bind_v2
allows acceptance of LDAPv2 bind requests.
.B bind_anon_cred
allows anonymous bind when credentials are not empty (e.g.
when the DN is empty).
.B bind_anon_dn
allows unauthenticated (anonymous) bind when the DN is not empty.
.B update_anon
allows unauthenticated (anonymous) update operations to be processed
(subject to access controls and other administrative limits).
.TP
.B argsfile <filename>
The (absolute) name of a file that will hold the
.B slapd
server's command line options
if started without the debugging command line option.
.TP
.B attributeoptions [option-name]...
Define tagging attribute options or option tag/range prefixes.
Options must not end with `-', prefixes must end with `-'.
The `lang-' prefix is predefined.
If you use the
.B attributeoptions
directive, `lang-' will no longer be defined and you must specify it
explicitly if you want it defined.
An attribute description with a tagging option is a subtype of that
attribute description without the option.
Except for that, options defined this way have no special semantics.
Prefixes defined this way work like the `lang-' options:
They define a prefix for tagging options starting with the prefix.
That is, if you define the prefix `x-foo-', you can use the option
`x-foo-bar'.
Furthermore, in a search or compare, a prefix or range name (with
a trailing `-') matches all options starting with that name, as well
as the option with the range name sans the trailing `-'.
That is, `x-foo-bar-' matches `x-foo-bar' and `x-foo-bar-baz'.
RFC2251 reserves options beginning with `x-' for private experiments.
Other options should be registered with IANA, see RFC3383 section 3.4.
OpenLDAP also has the `binary' option built in, but this is a transfer
option, not a tagging option.
.HP
.hy 0
.B attributetype "(\ <oid> [NAME\ <name>] [OBSOLETE]\ [DESC\ <description>]\ [SUP\ <oid>] [EQUALITY\ <oid>] [ORDERING\ <oid>]\ [SUBSTR\ <oid>] [SYNTAX\ <oidlen>] [SINGLE\-VALUE] [COLLECTIVE]\ [NO\-USER\-MODIFICATION] [USAGE\ <attributeUsage>]\ )"
.RS
Specify an attribute type using the LDAPv3 syntax defined in RFC 2252.
The slapd parser extends the RFC 2252 definition by allowing string
forms as well as numeric OIDs to be used for the attribute OID and
attribute syntax OID.
(See the
.B objectidentifier
description.)
.RE
.TP
.B concurrency <integer>
Specify a desired level of concurrency.  Provided to the underlying
thread system as a hint.  The default is not to provide any hint.
.\".TP
.\".B debug <subsys> <level>
.\"Specify a logging level for a particular subsystem.  The subsystems include
.\".B global
.\"a global level for all subsystems,
.\".B acl
.\"the ACL engine,
.\".B backend
.\"the backend databases,
.\".B cache
.\"the entry cache manager,
.\".B config
.\"the config file reader,
.\".B connection
.\"the connection manager,
.\".B cyrus
.\"the Cyrus SASL library interface,
.\".B filter
.\"the search filter processor,
.\".B getdn
.\"the DN normalization library,
.\".B index
.\"the database indexer,
.\".B liblber
.\"the ASN.1 BER library,
.\".B module
.\"the dynamic module loader,
.\".B operation
.\"the LDAP operation processors,
.\".B sasl
.\"the SASL authentication subsystem,
.\".B schema
.\"the schema processor, and
.\".B tls
.\"the TLS library interface.  This is not an exhaustive list; there are many
.\"other subsystems and more are added over time.
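The tagging-option rules above (prefixes declared with a trailing `-', the subtype relation between a description with and without an option, and the trailing-`-' matching used in a search or compare) can be exercised with a small model. The following Python is an added example written for this page, not OpenLDAP code; the function names, the sample directive arguments and the attribute descriptions it tests are the example's own.

```python
"""Model of the attributeoptions tagging-option rules: which options an
attribute description may carry, and how a prefix or range name matches
in a search or compare.  Added example for this page, not OpenLDAP code."""

DEFAULT_PREFIXES = ("lang-",)  # predefined only while no attributeoptions directive is given


def define_options(names=None):
    """Split attributeoptions arguments into (options, prefixes): a name
    ending in '-' is a prefix (range name), any other name is a tagging
    option.  Once the directive is used, 'lang-' must be listed explicitly."""
    if names is None:
        names = DEFAULT_PREFIXES
    lowered = [n.lower() for n in names]
    options = {n for n in lowered if not n.endswith("-")}
    prefixes = {n for n in lowered if n.endswith("-")}
    return options, prefixes


def is_option_known(opt, options, prefixes):
    """True if the option is defined, starts with a defined prefix, or is the
    built-in 'binary' transfer option (which is not a tagging option)."""
    opt = opt.lower()
    if opt == "binary":
        return True
    return opt in options or any(opt.startswith(p) for p in prefixes)


def option_matches(requested, actual):
    """Search/compare rule: a name with a trailing '-' matches every option
    starting with that name and the name itself without the '-';
    any other requested option must match exactly."""
    requested, actual = requested.lower(), actual.lower()
    if requested.endswith("-"):
        return actual == requested[:-1] or actual.startswith(requested)
    return actual == requested


def split_description(desc):
    """'cn;lang-en;x-foo-bar' -> ('cn', ['lang-en', 'x-foo-bar'])"""
    attr, *opts = desc.lower().split(";")
    return attr, opts


def description_matches(requested, stored):
    """A stored attribute description satisfies a requested one when the
    attribute types agree and each requested option is matched by some
    stored option.  Because a description with a tagging option is a
    subtype of the one without it, a stored description may carry extra
    options ('cn;lang-en' satisfies a request for 'cn'), but a stored
    description lacking a requested option does not."""
    req_attr, req_opts = split_description(requested)
    sto_attr, sto_opts = split_description(stored)
    if req_attr != sto_attr:
        return False
    return all(any(option_matches(r, s) for s in sto_opts) for r in req_opts)


if __name__ == "__main__":
    # Constructed directive: "attributeoptions x-foo- lang-"
    opts, prefs = define_options(["x-foo-", "lang-"])
    for d in ("cn;lang-en", "cn;x-foo-bar", "cn;x-bar"):
        attr, tags = split_description(d)
        print(d, all(is_option_known(t, opts, prefs) for t in tags))
    print(description_matches("cn;x-foo-bar-", "cn;x-foo-bar-baz"))
```

The model only compares attribute type names literally; supertype relations between attribute types themselves (such as a request for a supertype matching its subtypes) are outside what this passage describes and are not modelled.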
.\"
.\"The levels are, in order of decreasing priority:
.\".B emergency, alert, critical, error, warning, notice, information, entry,
.\".B args, results, detail1, detail2
.\"An integer may be used instead, with 0 corresponding to
.\".B emergency
.\"up to 11 for
.\".BR detail2 .
.\"The
.\".B entry
.\"level logs function entry points,
.\".B args
.\"adds function call parameters, and
.\".B results
.\"adds the function results to the logs.
.\"The
.\".B detail1
.\"and
.\".B detail2
.\"levels add even more low level detail from individual functions.
.TP
.B defaultsearchbase <dn>
Specify a default search base to use when a client submits a
non-base search request with an empty base DN.
.TP
.B disallow <features>
Specify a set of features (separated by white space) to
disallow (default none).
.B bind_anon
disables acceptance of anonymous bind requests.
.B bind_simple
disables simple (bind) authentication.
.B bind_simple_unprotected
disables simple (bind) authentication when confidentiality
protection (e.g. TLS) is not in place.  The
.B security
directive's
.B simple_bind
option provides fine-grained control over the confidentiality
protection required for simple bind.
.B bind_krbv4
disables Kerberos V4 (bind) authentication.
.B tls_2_anon
prevents StartTLS from forcing the session to anonymous status (see also
.BR tls_authc ).
.B tls_authc
disables StartTLS if authenticated (see also
.BR tls_2_anon ).
.TP
.B gentlehup { on | off }
A SIGHUP signal will only cause a 'gentle' shutdown attempt:
.B Slapd
will stop listening for new connections, but will not close the
connections to the current clients.  Future write operations
return unwilling-to-perform, though.  Slapd terminates when all clients
have closed their connections (if they ever do), or \- as before \-
if it receives a SIGTERM signal.  This can be useful if you wish to
terminate the server and start a new
.B slapd
server
.B with another database,
without disrupting the currently active clients.
The default is off.
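The line-continuation and quoting rules given in the DESCRIPTION section, together with the allow and disallow feature lists above, can be exercised with a small reader that parses a configuration and reports the bind-related settings an administrator would want to review. This Python block is an added example written for this page, not OpenLDAP code; the sample configuration, the include path in it, and the policy of which features to flag are the example's own assumptions, and directive keywords are assumed to be matched case-insensitively.

```python
"""Reader for the slapd.conf line and quoting rules, plus a review of the
allow/disallow bind features.  Added example for this page; not OpenLDAP
code, and the flagging policy is the example's own."""

# Paraphrased from the allow/disallow descriptions on this page.
WEAKENING_ALLOW = {
    "bind_v2": "LDAPv2 bind requests are accepted",
    "bind_anon_cred": "anonymous bind accepted although credentials are not empty",
    "bind_anon_dn": "unauthenticated bind accepted although the DN is not empty",
    "update_anon": "unauthenticated update operations are processed",
}
EXPECTED_DISALLOW = {
    "bind_simple_unprotected": "simple binds may send credentials without TLS",
}


def logical_lines(text):
    """Drop blank and '#' comment lines; a line beginning with white space
    continues the previous logical line."""
    lines = []
    for raw in text.splitlines():
        if raw.strip() == "" or raw.startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def split_args(line):
    """White space separates arguments, double quotes protect white space,
    and a backslash escapes '"' or '\\' inside an argument."""
    args, cur, in_quote, have_arg, i = [], [], False, False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line) and line[i + 1] in '"\\':
            cur.append(line[i + 1])
            have_arg, i = True, i + 2
            continue
        if c == '"':
            in_quote, have_arg = not in_quote, True  # "" is an empty argument
        elif c in " \t" and not in_quote:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
        else:
            cur.append(c)
            have_arg = True
        i += 1
    if in_quote:
        raise ValueError("unterminated double quote: " + line)
    if have_arg:
        args.append("".join(cur))
    return args


def parse_conf(text):
    """Global directives come first; each 'database <type>' line opens a
    backend section.  Keywords are assumed to be case-insensitive."""
    conf = {"global": [], "databases": []}
    for line in logical_lines(text):
        directive, *args = split_args(line)
        directive = directive.lower()
        if directive == "database":
            conf["databases"].append({"type": args[0], "directives": []})
        elif conf["databases"]:
            conf["databases"][-1]["directives"].append((directive, args))
        else:
            conf["global"].append((directive, args))
    return conf


def check_bind_features(conf):
    """Report allow features that weaken bind handling and expected disallow
    features that are missing.  As the page states for repeated options,
    the last allow/disallow line in the file is the one that counts."""
    allowed, disallowed = set(), set()
    for directive, args in conf["global"]:
        if directive == "allow":
            allowed = {a.lower() for a in args}
        elif directive == "disallow":
            disallowed = {a.lower() for a in args}
    findings = [f"allow {f}: {WEAKENING_ALLOW[f]}"
                for f in sorted(allowed & set(WEAKENING_ALLOW))]
    findings += [f"disallow {f} not set: {why}"
                 for f, why in EXPECTED_DISALLOW.items() if f not in disallowed]
    return findings


# Constructed sample, not a real deployment; the include path is illustrative.
SAMPLE_CONF = r"""
# global section
include     /etc/openldap/schema/core.schema
allow       bind_v2 update_anon
disallow    bind_anon
access to attrs=userPassword
        by self write
        by dn="cn=Acme\\, Inc,dc=example,dc=com" write
        by anonymous auth
        by * none
database    bdb
suffix      "dc=example,dc=com"
"""

if __name__ == "__main__":
    for finding in check_bind_features(parse_conf(SAMPLE_CONF)):
        print(finding)
```

The sample deliberately spreads one access directive over continuation lines and puts an escaped backslash inside a quoted DN, so the reader shows that the four indented lines fold into a single logical line and that `\\,` arrives in the argument as `\,`. Run against the sample it reports the two weakening allow features and the missing `disallow bind_simple_unprotected`.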
You may wish to use
.B idletimeout
along with this option.
.TP
.B idletimeout <integer>
Specify the number of seconds to wait before forcibly closing
an idle client connection.  An idletimeout of 0 disables this
feature.  The default is 0.
.TP
.B include <filename>
Read additional configuration information from the given file before
continuing with the next line of the current file.
.TP
.B limits <who> <limit> [<limit> [...]]
Specify time and size limits based on who initiated an operation.
The argument
.B who
can be any of
.RS
.RS
.TP
anonymous | users | [dn[.