mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-27 03:20:22 +08:00
317 lines
10 KiB
Groff
317 lines
10 KiB
Groff
.\" $OpenLDAP$
|
|
.\" Copyright 1998-2006 The OpenLDAP Foundation All Rights Reserved.
|
|
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
|
|
.TH SLAPD 8C "RELEASEDATE" "OpenLDAP LDVERSION"
|
|
.SH NAME
|
|
slapd \- Stand-alone LDAP Daemon
|
|
.SH SYNOPSIS
|
|
.B LIBEXECDIR/slapd
|
|
.B [\-[4|6]]
|
|
.B [\-T {acl|add|auth|cat|dn|index|passwd|test}]
|
|
.B [\-d debug\-level]
|
|
.B [\-f slapd\-config\-file]
|
|
.B [\-F slapd\-config\-directory]
|
|
.B [\-h URLs]
|
|
.B [\-n service\-name] [\-s syslog\-level] [\-l syslog\-local\-user]
|
|
.B [\-o option[=value]]
|
|
.B [\-r directory]
|
|
.B [\-u user] [\-g group]
|
|
.B [\-c cookie]
|
|
.SH DESCRIPTION
|
|
.LP
|
|
.B Slapd
|
|
is the stand-alone LDAP daemon. It listens for LDAP connections on
|
|
any number of ports (default 389), responding
|
|
to the LDAP operations it receives over these connections.
|
|
.B slapd
|
|
is typically invoked at boot time, usually out of
|
|
.BR /etc/rc.local .
|
|
Upon startup,
|
|
.B slapd
|
|
normally forks and disassociates itself from the invoking tty.
|
|
If configured in the config file (or config directory),
|
|
the
|
|
.B slapd
|
|
process will print its process ID (see
|
|
.BR getpid (2))
|
|
to a
|
|
.B .pid
|
|
file, as well as the command line options during invocation to an
|
|
.B .args
|
|
file (see
|
|
.BR slapd.conf (5)).
|
|
If the
|
|
.B \-d
|
|
flag is given, even with a zero argument,
|
|
.B slapd
|
|
will not fork and disassociate from the invoking tty.
|
|
.LP
|
|
.B Slapd
|
|
can be configured to provide replicated service for a database with
|
|
the help of
|
|
.BR slurpd ,
|
|
the standalone LDAP update replication daemon.
|
|
See
|
|
.BR slurpd (8)
|
|
for details.
|
|
.LP
|
|
See the "OpenLDAP Administrator's Guide" for more details on
|
|
.BR slapd .
|
|
.SH OPTIONS
|
|
.TP
|
|
.B \-4
|
|
Listen on IPv4 addresses only.
|
|
.TP
|
|
.B \-6
|
|
Listen on IPv6 addresses only.
|
|
.TP
|
|
.B \-T {a|c|d|i|p|t|acl|auth}
|
|
Run in Tool mode. The additional argument selects whether to run as
|
|
slapadd, slapcat, slapdn, slapindex, slappasswd, or slaptest
|
|
(slapacl and slapauth need the entire "\fIacl\fP" and "\fIauth\fP"
|
|
option value to be spelled out, as "\fIa\fP" is reserved to
|
|
.BR slapadd ).
|
|
This option should be the first option specified when it is used;
|
|
any remaining options will be interpreted by the corresponding
|
|
slap tool program, according to the respective man pages.
|
|
Note that these tool programs will usually be symbolic links to slapd.
|
|
This option is provided for situations where symbolic links
|
|
are not provided or not usable.
|
|
.TP
|
|
.BI \-d " debug\-level"
|
|
Turn on debugging as defined by
|
|
.IR debug\-level .
|
|
If this option is specified, even with a zero argument,
|
|
.B slapd
|
|
will not fork or disassociate from the invoking terminal. Some general
|
|
operation and status messages are printed for any value of \fIdebug\-level\fP.
|
|
\fIdebug\-level\fP is taken as a bit string, with each bit corresponding to a
|
|
different kind of debugging information. See <ldap_log.h> for details.
|
|
Comma-separated arrays of friendly names can be specified to select
|
|
debugging output of the corresponding debugging information.
|
|
All the names recognized by the \fIloglevel\fP directive
|
|
described in \fBslapd.conf\fP(5) are supported.
|
|
If \fIdebug\-level\fP is \fB?\fP, a list of installed levels is printed,
|
|
and slapd exits.
|
|
|
|
Remember that if you turn on packet logging, packets containing bind passwords
|
|
will be output, so if you redirect the log to a logfile, that file should
|
|
be read-protected.
|
|
.TP
|
|
.BI \-s " syslog\-level"
|
|
This option tells
|
|
.B slapd
|
|
at what level debugging statements should be logged to the
|
|
.BR syslog (8)
|
|
facility.
|
|
The value "syslog\-level" can be set to any value or combination
|
|
allowed by the "-d" switch.
|
|
Slapd logs all messages selected by "syslog\-level"
|
|
at the syslog(3) severity level "DEBUG",
|
|
on the unit specified with "-l".
|
|
.TP
|
|
.BI \-n " service\-name"
|
|
Specifies the service name for logging and other purposes. Defaults
|
|
to basename of argv[0], i.e.: "slapd".
|
|
.TP
|
|
.BI \-l " syslog\-local\-user"
|
|
Selects the local user of the
|
|
.BR syslog (8)
|
|
facility. Value can be
|
|
.BR LOCAL0 ,
|
|
through
|
|
.BR LOCAL7 ,
|
|
as well as
|
|
.B USER
|
|
and
|
|
.BR DAEMON .
|
|
The default is
|
|
.BR LOCAL4 .
|
|
However, this option is only permitted on systems that support
|
|
local users with the
|
|
.BR syslog (8)
|
|
facility.
|
|
Logging to syslog(8) occurs at the "DEBUG" severity level.
|
|
.TP
|
|
.BI \-f " slapd\-config\-file"
|
|
Specifies the slapd configuration file. The default is
|
|
.BR ETCDIR/slapd.conf .
|
|
.TP
|
|
.BI \-F " slapd\-config\-directory"
|
|
Specifies the slapd configuration directory. The default is
|
|
.BR ETCDIR/slapd.d .
|
|
If both
|
|
.B -f
|
|
and
|
|
.B -F
|
|
are specified, the config file will be read and converted to
|
|
config directory format and written to the specified directory.
|
|
If neither option is specified, slapd will attempt to read the
|
|
default config directory before trying to use the default
|
|
config file. If a valid config directory exists then the
|
|
default config file is ignored. All of the slap tools that
|
|
use the config options observe this same behavior.
|
|
.TP
|
|
.BI \-h " URLlist"
|
|
.B slapd
|
|
will by default serve
|
|
.B ldap:///
|
|
(LDAP over TCP on all interfaces on default LDAP port). That is,
|
|
it will bind using INADDR_ANY and port 389.
|
|
The
|
|
.B \-h
|
|
option may be used to specify LDAP (and other scheme) URLs to serve.
|
|
For example, if slapd is given
|
|
.BR "\-h \(dqldap://127.0.0.1:9009/ ldaps:/// ldapi:///\(dq" ,
|
|
it will listen on 127.0.0.1:9009 for LDAP, 0.0.0.0:636 for LDAP over TLS,
|
|
and LDAP over IPC (Unix domain sockets). Host 0.0.0.0 represents
|
|
INADDR_ANY (any interface).
|
|
A space separated list of URLs is expected. The URLs should be of
|
|
the LDAP, LDAPS, or LDAPI schemes, and generally
|
|
without a DN or other optional parameters (excepting as discussed below).
|
|
Support for the latter two schemes depends on selected configuration
|
|
options. Hosts may be specified by name or IPv4 and IPv6 address formats.
|
|
Ports, if specified, must be numeric. The default ldap:// port is 389
|
|
and the default ldaps:// port is 636.
|
|
|
|
The listener permissions are indicated by
|
|
"x-mod=-rwxrwxrwx", "x-mod=0777" or "x-mod=777", where any
|
|
of the "rwx" can be "-" to suppress the related permission, while any
|
|
of the "7" can be any legal octal digit, according to chmod(1).
|
|
The listeners can take advantage of the "x-mod"
|
|
extension to apply rough limitations to operations, e.g. allow read operations
|
|
("r", which applies to search and compare), write operations ("w",
|
|
which applies to add, delete, modify and modrdn), and execute operations
|
|
("x", which means bind is required).
|
|
"User" permissions apply to authenticated users, while "other" apply
|
|
to anonymous users; "group" permissions are ignored.
|
|
For example, "ldap:///????x-mod=-rw-------" means that read and write is only allowed
|
|
for authenticated connections, and bind is required for all operations.
|
|
This feature is experimental, and requires to be manually enabled
|
|
at configure time.
|
|
.TP
|
|
.BI \-r " directory"
|
|
Specifies a directory to become the root directory. slapd will
|
|
change the current working directory to this directory and
|
|
then
|
|
.BR chroot (2)
|
|
to this directory. This is done after opening listeners but before
|
|
reading any configuration file or initializing any backend. When
|
|
used as a security mechanism, it should be used in conjunction with
|
|
.B -u
|
|
and
|
|
.B -g
|
|
options.
|
|
.TP
|
|
.BI \-u " user"
|
|
.B slapd
|
|
will run slapd with the specified user name or id, and that user's
|
|
supplementary group access list as set with initgroups(3). The group ID
|
|
is also changed to this user's gid, unless the -g option is used to
|
|
override. Note when used with
|
|
.BR -r ,
|
|
slapd will use the user database in the change root environment.
|
|
|
|
Note that on some systems, running as a non-privileged user will prevent
|
|
passwd back-ends from accessing the encrypted passwords. Note also that
|
|
any shell back-ends will run as the specified non-privileged user.
|
|
.TP
|
|
.BI \-g " group"
|
|
.B slapd
|
|
will run with the specified group name or id. Note when used with
|
|
.BR -r ,
|
|
slapd will use the group database in the change root environment.
|
|
.TP
|
|
.BI \-c " cookie"
|
|
This option provides a cookie for the syncrepl replication consumer.
|
|
The cookie is a comma separated list of name=value pairs.
|
|
Currently supported syncrepl cookie fields are
|
|
.B rid
|
|
and
|
|
.B csn.
|
|
.B rid
|
|
identifies a replication thread within the consumer server
|
|
and is used to find the syncrepl specification in
|
|
.BR slapd.conf (5)
|
|
having the matching replication identifier in its definition. The
|
|
.B rid
|
|
must be provided in order for any other specified values to be used.
|
|
.B csn
|
|
is the commit sequence number received by a previous synchronization
|
|
and represents the state of the consumer replica content which the
|
|
syncrepl engine will synchronize to the current provider content.
|
|
.TP
|
|
.BI \-o " option[=value]"
|
|
This option provides a generic means to specify options without the need to reserve
|
|
a separate letter for them.
|
|
|
|
It supports the following options:
|
|
.RS
|
|
.TP
|
|
slp={\fBon\fP|\fBoff\fP|\fIslp\-attrs\fP}
|
|
When SLP support is compiled into slapd, disable it (
|
|
.B off
|
|
), enable it by registering at SLP DAs without specific SLP attributes (
|
|
.B on
|
|
), or with specific SLP attributes
|
|
.I slp\-attrs
|
|
that must be an SLP attribute list definition according to the SLP standard.
|
|
|
|
For example, "-o slp=(tree=production),(server-type=OpenLDAP),(server-version=2.3.20)"
|
|
registers at SLP DAs with the three SLP attributes tree, server-type and server-version
|
|
that have the values given above.
|
|
This allows to specifically query the SLP DAs for LDAP servers holding the
|
|
.I production
|
|
tree in case multiple trees are availabe.
|
|
.RE
|
|
.SH EXAMPLES
|
|
To start
|
|
.I slapd
|
|
and have it fork and detach from the terminal and start serving
|
|
the LDAP databases defined in the default config file, just type:
|
|
.LP
|
|
.nf
|
|
.ft tt
|
|
LIBEXECDIR/slapd
|
|
.ft
|
|
.fi
|
|
.LP
|
|
To start
|
|
.B slapd
|
|
with an alternate configuration file, and turn
|
|
on voluminous debugging which will be printed on standard error, type:
|
|
.LP
|
|
.nf
|
|
.ft tt
|
|
LIBEXECDIR/slapd -f /var/tmp/slapd.conf -d 255
|
|
.ft
|
|
.fi
|
|
.LP
|
|
To test whether the configuration file is correct or not, type:
|
|
.LP
|
|
.nf
|
|
.ft tt
|
|
LIBEXECDIR/slapd -Tt
|
|
.ft
|
|
.fi
|
|
.LP
|
|
.SH "SEE ALSO"
|
|
.BR ldap (3),
|
|
.BR slapd.conf (5),
|
|
.BR slapd.access (5),
|
|
.BR slapacl (8),
|
|
.BR slapadd (8),
|
|
.BR slapauth (8),
|
|
.BR slapcat (8),
|
|
.BR slapdn (8),
|
|
.BR slapindex (8),
|
|
.BR slappasswd (8),
|
|
.BR slaptest (8),
|
|
.BR slurpd (8)
|
|
.LP
|
|
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
|
|
.SH BUGS
|
|
See http://www.openldap.org/its/
|
|
.SH ACKNOWLEDGEMENTS
|
|
.so ../Project
|