LinuxGuruz
  • Last 5 Forum Topics
    Replies
    Views
    Last post


The Web Only This Site
  • BOOKMARK

  • ADD TO FAVORITES

  • REFERENCES


  • MARC

    Mailing list ARChives
    - Search by -
     Subjects
     Authors
     Bodies





    FOLDOC

    Computing Dictionary




  • Text Link Ads






  • LINUX man pages
  • Linux Man Page Viewer


    The following form allows you to view linux man pages.

    Command:

    slapd.conf

    
    
    

    SYNOPSIS

           /etc/openldap/slapd.conf
    
    
    

    DESCRIPTION

           The  file  /etc/openldap/slapd.conf  contains configuration information
           for the slapd(8) daemon.  This configuration file is also used  by  the
           SLAPD tools slapacl(8), slapadd(8), slapauth(8), slapcat(8), slapdn(8),
           slapindex(8), and slaptest(8).
    
           The slapd.conf file  consists  of  a  series  of  global  configuration
           options  that  apply to slapd as a whole (including all backends), fol-
           lowed by zero or more database backend definitions that contain  infor-
           mation  specific  to a backend instance.  The configuration options are
           case-insensitive; their value, on a case by case basis,  may  be  case-
           sensitive.
    
           The general format of slapd.conf is as follows:
    
               # comment - these options apply to every database
               <global configuration options>
               # first database definition & configuration options
               database <backend 1 type>
               <configuration options specific to backend 1>
               # subsequent database definitions & configuration options
               ...
    
           As  many  backend-specific sections as desired may be included.  Global
           options can be overridden in a backend (for options  that  appear  more
           than once, the last appearance in the slapd.conf file is used).
    
           If  a  line begins with white space, it is considered a continuation of
           the previous line.  No physical line should be over 2000 bytes long.
    
           Blank lines and comment  lines  beginning  with  a  '#'  character  are
           ignored.   Note:  continuation  lines are unwrapped before comment pro-
           cessing is applied.
    
           Arguments on configuration lines are separated by white  space.  If  an
           argument  contains white space, the argument should be enclosed in dou-
           ble quotes.  If an argument contains a double quote ('"')  or  a  back-
           slash  character ('\'), the character should be preceded by a backslash
           character.
    
           The specific configuration options available are discussed below in the
           Global  Configuration  Options,  General  Backend  Options, and General
           Database  Options.   Backend-specific  options  are  discussed  in  the
           slapd-<backend>(5)  manual  pages.   Refer to the "OpenLDAP Administra-
           tor's Guide" for more details on the slapd configuration file.
    
    
    

    GLOBAL CONFIGURATION OPTIONS

           Options described in this section apply to all backends, unless specif-
           ically  overridden  in  a  backend definition. Arguments that should be
                  (default  none).   bind_v2  allows  acceptance  of  LDAPv2  bind
                  requests.   Note  that  slapd(8) does not truly implement LDAPv2
                  (RFC 1777), now  Historic  (RFC  3494).   bind_anon_cred  allows
                  anonymous  bind when credentials are not empty (e.g.  when DN is
                  empty).  bind_anon_dn allows  unauthenticated  (anonymous)  bind
                  when  DN  is  not  empty.   update_anon  allows  unauthenticated
                  (anonymous) update operations to be processed (subject to access
                  controls  and  other  administrative  limits).  proxy_authz_anon
                  allows unauthenticated (anonymous) proxy  authorization  control
                  to  be  processed (subject to access controls, authorization and
                  other administrative limits).
    
           argsfile <filename>
                  The (absolute) name of a file that will hold the slapd  server's
                  command line (program name and options).
    
           attributeoptions [option-name]...
                  Define  tagging  attribute options or option tag/range prefixes.
                  Options must not end with '-', prefixes must end with '-'.   The
                  'lang-'  prefix  is predefined.  If you use the attributeoptions
                  directive, 'lang-' will no longer be defined and you must  spec-
                  ify it explicitly if you want it defined.
    
                  An  attribute  description with a tagging option is a subtype of
                  that attribute description without the option.  Except for that,
                  options  defined  this  way have no special semantics.  Prefixes
                  defined this way work like the 'lang-' options:  They  define  a
                  prefix  for  tagging options starting with the prefix.  That is,
                  if you define the  prefix  'x-foo-',  you  can  use  the  option
                  'x-foo-bar'.   Furthermore,  in a search or compare, a prefix or
                  range name (with a trailing '-') matches  all  options  starting
                  with  that  name, as well as the option with the range name sans
                  the trailing '-'.  That is, 'x-foo-bar-' matches 'x-foo-bar' and
                  'x-foo-bar-baz'.
    
                  RFC 4520 reserves options beginning with 'x-' for private exper-
                  iments.  Other options should be registered with IANA,  see  RFC
                  4520  section  3.5.  OpenLDAP also has the 'binary' option built
                  in, but this is a transfer option, not a tagging option.
    
           attributetype  ( <oid>  [NAME <name>]  [DESC <description>]  [OBSOLETE]
                  [SUP <oid>]   [EQUALITY <oid>]  [ORDERING <oid>]  [SUBSTR <oid>]
                  [SYNTAX <oidlen>]          [SINGLE-VALUE]           [COLLECTIVE]
                  [NO-USER-MODIFICATION] [USAGE <attributeUsage>] )
                  Specify an attribute type using the LDAPv3 syntax defined in RFC
                  4512.  The slapd parser  extends  the  RFC  4512  definition  by
                  allowing string forms as well as numeric OIDs to be used for the
                  attribute   OID   and   attribute   syntax   OID.    (See    the
                  objectidentifier description.)
    
           authid-rewrite<cmd> <args>
                  Used  by  the  authentication  framework  to convert simple user
                  the  default  setting.   The  from  flag  will  use rules in the
                  authzFrom attribute of the authorization DN.  The to  flag  will
                  use  rules  in  the  authzTo attribute of the authentication DN.
                  The any flag, an alias for the deprecated value  of  both,  will
                  allow  any of the above, whatever succeeds first (checked in to,
                  from sequence.  The all flag  requires  both  authorizations  to
                  succeed.
    
                  The rules are mechanisms to specify which identities are allowed
                  to perform proxy authorization.  The authzFrom attribute  in  an
                  entry  specifies which other users are allowed to proxy login to
                  this entry. The authzTo attribute in an  entry  specifies  which
                  other  users  this  user can authorize as.  Use of authzTo rules
                  can be easily abused if users are  allowed  to  write  arbitrary
                  values to this attribute.  In general the authzTo attribute must
                  be protected with ACLs  such  that  only  privileged  users  can
                  modify  it.   The  value  of  authzFrom and authzTo describes an
                  identity or a set of identities; it can take five forms:
    
                         ldap:///<base>??[<scope>]?<filter>
                         dn[.<dnstyle>]:<pattern>
                         u[.<mech>[/<realm>]]:<pattern>
                         group[/objectClass[/attributeType]]:<pattern>
                         <pattern>
    
                         <dnstyle>:={exact|onelevel|children|subtree|regex}
    
                  The first form is a valid LDAP URI where the <host>:<port>,  the
                  <attrs>  and  the  <extensions> portions must be absent, so that
                  the search occurs locally on either authzFrom or  authzTo.   The
                  second  form  is  a DN, with the optional style modifiers exact,
                  onelevel, children, and subtree for  exact,  onelevel,  children
                  and  subtree  matches,  which  cause  <pattern> to be normalized
                  according to the DN normalization rules, or  the  special  regex
                  style,  which  causes  the  <pattern>  to  be treated as a POSIX
                  (''extended'') regular  expression,  as  discussed  in  regex(7)
                  and/or re_format(7).  A pattern of * means any non-anonymous DN.
                  The third form is a SASL id, with the optional fields <mech> and
                  <realm> that allow to specify a SASL mechanism, and eventually a
                  SASL realm, for those mechanisms that support one.  The need  to
                  allow  the  specification  of  a mechanism is still debated, and
                  users are strongly discouraged to rely on this possibility.  The
                  fourth  form is a group specification, consisting of the keyword
                  group, optionally followed by the  specification  of  the  group
                  objectClass   and  member  attributeType.   The  group  with  DN
                  <pattern> is searched with base scope, and in case of match, the
                  values of the member attributeType are searched for the asserted
                  DN.   For  backwards  compatibility,  if  no  identity  type  is
                  provided,  i.e.  only  <pattern>  is  present,  an  exact  DN is
                  assumed;  as  a  consequence,  <pattern>  is  subjected  to   DN
                  normalization.    Since  the  interpretation  of  authzFrom  and
                  authzTo can impact security, users are  strongly  encouraged  to
                  subsystem, the SASL USERNAME, REALM, and  MECHANISM  are  taken,
                  when available, and combined into a name of the form
    
                         UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth
    
                  This   name   is   then   compared   against   the  match  POSIX
                  (''extended'')  regular  expression,  and  if   the   match   is
                  successful,  the  name  is replaced with the replace string.  If
                  there are wildcard strings in the match regular expression  that
                  are enclosed in parenthesis, e.g.
    
                         UID=([^,]*),CN=.*
    
                  then  the  portion of the name that matched the wildcard will be
                  stored in the numbered placeholder variable  $1.  If  there  are
                  other wildcard strings in parenthesis, the matching strings will
                  be in $2, $3, etc. up to $9. The placeholders can then  be  used
                  in the replace string, e.g.
    
                         UID=$1,OU=Accounts,DC=example,DC=com
    
                  The  replaced name can be either a DN, i.e. a string prefixed by
                  "dn:", or an LDAP URI.  If the latter, the server will  use  the
                  URI  to  search  its  own database(s) and, if the search returns
                  exactly one entry, the name is replaced by the DN of that entry.
                  The  LDAP  URI  must  have  no  hostport,  attrs,  or extensions
                  components, but the filter is mandatory, e.g.
    
                         ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)
    
                  The protocol portion of the URI must  be  strictly  ldap.   Note
                  that  this  search is subject to access controls.  Specifically,
                  the authentication identity  must  have  "auth"  access  in  the
                  subject.
    
                  Multiple  authz-regexp options can be given in the configuration
                  file to allow for multiple matching  and  replacement  patterns.
                  The  matching  patterns  are checked in the order they appear in
                  the file, stopping at the first successful match.
    
           concurrency <integer>
                  Specify  a  desired  level  of  concurrency.   Provided  to  the
                  underlying  thread  system  as  a  hint.   The default is not to
                  provide any hint.
    
           conn_max_pending <integer>
                  Specify the maximum number of pending requests for an  anonymous
                  session.   If  requests are submitted faster than the server can
                  process them, they will be queued up to this limit. If the limit
                  is exceeded, the session is closed. The default is 100.
    
                  simple  (bind)  authentication.   tls_2_anon  disables   forcing
                  session  to  anonymous status (see also tls_authc) upon StartTLS
                  operation receipt.  tls_authc disallows the  StartTLS  operation
                  if        authenticated       (see       also       tls_2_anon).
                  proxy_authz_non_critical  disables  acceptance  of  the  proxied
                  authorization  control  (RFC4370)  when  criticality  is  FALSE.
                  dontusecopy_non_critical disables acceptance of the  dontUseCopy
                  control (a work in progress) when criticality is FALSE.
    
           ditcontentrule  ( <oid>  [NAME <name>]  [DESC <description>] [OBSOLETE]
                  [AUX <oids>] [MUST <oids>] [MAY <oids>] [NOT <oids>] )
                  Specify an DIT Content Rule using the LDAPv3 syntax  defined  in
                  RFC  4512.   The slapd parser extends the RFC 4512 definition by
                  allowing string forms as well as numeric OIDs to be used for the
                  attribute    OID   and   attribute   syntax   OID.    (See   the
                  objectidentifier description.)
    
           gentlehup { on | off }
                  A SIGHUP signal will only  cause  a  'gentle'  shutdown-attempt:
                  Slapd  will  stop  listening  for  new connections, but will not
                  close the connections to  the  current  clients.   Future  write
                  operations    return    unwilling-to-perform,   though.    Slapd
                  terminates when all clients have closed  their  connections  (if
                  they ever do), or - as before - if it receives a SIGTERM signal.
                  This can be useful if you wish to terminate the server and start
                  a new slapd server with another database, without disrupting the
                  currently active clients.  The default is off.  You may wish  to
                  use idletimeout along with this option.
    
           idletimeout <integer>
                  Specify the number of seconds to wait before forcibly closing an
                  idle client  connection.   A  idletimeout  of  0  disables  this
                  feature.   The  default  is  0.  You  may  also  want to set the
                  writetimeout option.
    
           include <filename>
                  Read additional configuration information from  the  given  file
                  before continuing with the next line of the current file.
    
           index_intlen <integer>
                  Specify  the  key  length  for ordered integer indices. The most
                  significant bytes of the binary integer will be used  for  index
                  keys.  The default value is 4, which provides exact indexing for
                  31 bit values.  A floating point representation is used to index
                  too large values.
    
           index_substr_if_minlen <integer>
                  Specify  the minimum length for subinitial and subfinal indices.
                  An attribute value must have at least this  many  characters  in
                  order  to be processed by the indexing functions. The default is
                  2.
    
    
           index_substr_any_step <integer>
                  Specify  the steps used in subany index lookups. This value sets
                  the offset  for  the  segments  of  a  filter  string  that  are
                  processed  for  a  subany  index  lookup.  The default is 2. For
                  example, with the default values, a  search  using  this  filter
                  "cn=*abcdefgh*" would generate index lookups for "abcd", "cdef",
                  and "efgh".
    
           Note: Indexing support depends on the particular backend in use.  Also,
           changing  these  settings  will  generally require deleting any indices
           that depend on these parameters and recreating them with  slapindex(8).
    
           ldapsyntax ( <oid> [DESC <description>] [X-SUBST <substitute-syntax>] )
                  Specify an LDAP syntax using the LDAPv3 syntax  defined  in  RFC
                  4512.   The  slapd  parser  extends  the  RFC 4512 definition by
                  allowing string forms as well as numeric OIDs to be used for the
                  syntax  OID.  (See the objectidentifier description.)  The slapd
                  parser also honors the X-SUBST extension  (an  OpenLDAP-specific
                  extension),  which  allows  to  use  the ldapsyntax statement to
                  define a non-implemented syntax along with another  syntax,  the
                  extension value substitute-syntax, as its temporary replacement.
                  The substitute-syntax must be defined.  This  allows  to  define
                  attribute  types that make use of non-implemented syntaxes using
                  the  correct  syntax  OID.   Unless  X-SUBST   is   used,   this
                  configuration  statement  would  result  in  an  error, since no
                  handlers would be associated to the resulting syntax  structure.
    
           listener-threads <integer>
                  Specify the number of threads to use for the connection manager.
                  The default is 1 and this is typically adequate for up to 16 CPU
                  cores.  The value should be set to a power of 2.
    
           localSSF <SSF>
                  Specifies  the  Security Strength Factor (SSF) to be given local
                  LDAP sessions, such as those to the ldapi://  listener.   For  a
                  description  of  SSF  values,  see sasl-secprops's minssf option
                  description.  The default is 71.
    
           logfile <filename>
                  Specify a file for recording  debug  log  messages.  By  default
                  these  messages  only go to stderr and are not recorded anywhere
                  else. Specifying a logfile copies messages to  both  stderr  and
                  the logfile.
    
           loglevel <integer> [...]
                  Specify  the  level  at which debugging statements and operation
                  statistics  should  be  syslogged  (currently  logged   to   the
                  syslogd(8)   LOG_LOCAL4  facility).   They  must  be  considered
                          512    (0x200 stats2) stats log entries sent
                          1024   (0x400  shell)  print  communication  with  shell
                                 backends
                          2048   (0x800 parse) entry parsing
    
                          16384  (0x4000 sync) LDAPSync replication
                          32768  (0x8000  none)  only  messages  that  get  logged
                                 whatever log level is set
                  The desired log level can be input  as  a  single  integer  that
                  combines  the  (ORed)  desired  levels,  both  in  decimal or in
                  hexadecimal notation, as a  list  of  integers  (that  are  ORed
                  internally),  or  as  a list of the names that are shown between
                  brackets, such that
    
                      loglevel 129
                      loglevel 0x81
                      loglevel 128 1
                      loglevel 0x80 0x1
                      loglevel acl trace
    
                  are equivalent.  The keyword any can be used as  a  shortcut  to
                  enable  logging  at  all levels (equivalent to -1).  The keyword
                  none, or the equivalent  integer  representation,  causes  those
                  messages  that  are logged regardless of the configured loglevel
                  to be logged.  In fact, if loglevel is  set  to  0,  no  logging
                  occurs,  so  at  least  the  none level is required to have high
                  priority messages logged.
    
                  The loglevel defaults to stats.  This level should usually  also
                  be  included  when  using  other  loglevels, to help analyze the
                  logs.
    
           moduleload <filename>
                  Specify the name of a dynamically loadable module to  load.  The
                  filename may be an absolute path name or a simple filename. Non-
                  absolute names are searched for in the directories specified  by
                  the modulepath option. This option and the modulepath option are
                  only usable if slapd was compiled with --enable-modules.
    
           modulepath <pathspec>
                  Specify a list of directories to search  for  loadable  modules.
                  Typically  the  path  is colon-separated but this depends on the
                  operating system.  The default is /usr/lib64/openldap, which  is
                  where the standard OpenLDAP install will place its modules.
    
    
           password-hash <hash> [<hash>...]
                  This  option  configures  one  or  more  hashes  to  be  used in
                  generation  of  user  passwords  stored  in   the   userPassword
                  attribute  during  processing  of  LDAP Password Modify Extended
                  Operations (RFC 3062).  The <hash> must be one of {SSHA}, {SHA},
                  {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}.  The default is {SSHA}.
    
                  {SHA} and {SSHA} use  the  SHA-1  algorithm  (FIPS  160-1),  the
                  latter with a seed.
    
                  {MD5}  and  {SMD5}  use the MD5 algorithm (RFC 1321), the latter
                  with a seed.
    
                  {CRYPT} uses the crypt(3).
    
                  {CLEARTEXT} indicates that the new password should be  added  to
                  userPassword as clear text.
    
                  Note   that   this   option  does  not  alter  the  normal  user
                  applications handling of userPassword during LDAP  Add,  Modify,
                  or other LDAP operations.
    
           password-crypt-salt-format <format>
                  Specify   the  format  of  the  salt  passed  to  crypt(3)  when
                  generating  {CRYPT}   passwords   (see   password-hash)   during
                  processing  of  LDAP  Password  Modify  Extended Operations (RFC
                  3062).
    
                  This string needs to be in sprintf(3) format and may include one
                  (and   only   one)  %s  conversion.   This  conversion  will  be
                  substituted  with   a   string   of   random   characters   from
                  [A-Za-z0-9./].   For  example,  "%.2s"  provides a two character
                  salt and "$1$%.8s" tells some versions of crypt(3) to use an MD5
                  algorithm and provides 8 random characters of salt.  The default
                  is "%s", which provides 31 characters of salt.
    
           pidfile <filename>
                  The (absolute) name of a file that will hold the slapd  server's
                  process ID (see getpid(2)).
    
           referral <url>
                  Specify  the  referral  to pass back when slapd(8) cannot find a
                  local database to  handle  a  request.   If  specified  multiple
                  times, each url is provided.
    
           require <conditions>
                  Specify  a  set  of  conditions  (separated  by  white space) to
                  require (default none).  The directive may be specified globally
                  and/or  per-database;  databases  inherit  global conditions, so
                  per-database specifications are additive.   bind  requires  bind
                  operation   prior  to  directory  operations.   LDAPv3  requires
    
           rootDSE <file>
                  Specify  the  name  of  an  LDIF(5) file containing user defined
                  attributes for the root DSE.  These attributes are  returned  in
                  addition to the attributes normally produced by slapd.
    
                  The  root  DSE is an entry with information about the server and
                  its capabilities, in operational attributes.  It has  the  empty
                  DN, and can be read with e.g.:
                      ldapsearch -x -b "" -s base "+"
                  See RFC 4512 section 5.1 for details.
    
           sasl-auxprops <plugin> [...]
                  Specify which auxprop plugins to use for authentication lookups.
                  The default is empty, which just uses slapd's internal  support.
                  Usually no other auxprop plugins are needed.
    
           sasl-host <fqdn>
                  Used  to  specify  the fully qualified domain name used for SASL
                  processing.
    
           sasl-realm <realm>
                  Specify SASL realm.  Default is empty.
    
           sasl-secprops <properties>
                  Used to specify Cyrus SASL security properties.  The  none  flag
                  (without  any  other  properties)  causes  the  flag  properties
                  default, "noanonymous,noplain", to be cleared.  The noplain flag
                  disables  mechanisms susceptible to simple passive attacks.  The
                  noactive flag disables mechanisms susceptible to active attacks.
                  The  nodict  flag  disables  mechanisms  susceptible  to passive
                  dictionary attacks.  The noanonymous  flag  disables  mechanisms
                  which  support  anonymous  login.   The  forwardsec flag require
                  forward  secrecy  between  sessions.    The   passcred   require
                  mechanisms  which  pass client credentials (and allow mechanisms
                  which can pass  credentials  to  do  so).   The  minssf=<factor>
                  property  specifies  the  minimum  acceptable  security strength
                  factor as an integer approximate to effective  key  length  used
                  for  encryption.   0  (zero)  implies  no  protection, 1 implies
                  integrity protection only, 56 allows DES or other weak  ciphers,
                  112  allows triple DES and other strong ciphers, 128 allows RC4,
                  Blowfish and other modern strong ciphers.   The  default  is  0.
                  The  maxssf=<factor>  property  specifies the maximum acceptable
                  security strength factor as an integer (see minssf description).
                  The   default   is   INT_MAX.   The  maxbufsize=<size>  property
                  specifies  the  maximum  security  layer  receive  buffer   size
                  allowed.  0 disables security layers.  The default is 65536.
    
           schemadn <dn>
                  Specify  the  distinguished name for the subschema subentry that
                  controls  the  entries  on  this   server.    The   default   is
                  "cn=Subschema".
    
                  strength   factor   to   require    for    directory    updates.
                  simple_bind=<n>  specifies the security strength factor required
                  for simple  username/password  authentication.   Note  that  the
                  transport   factor  is  measure  of  security  provided  by  the
                  underlying transport, e.g. ldapi:// (and eventually IPSEC).   It
                  is not normally used.
    
           serverID <integer> [<URL>]
                  Specify an integer ID from 0 to 4095 for this server (limited to
                  3 hexadecimal digits).  The  ID  may  also  be  specified  as  a
                  hexadecimal  ID by prefixing the value with "0x".  These IDs are
                  required when using multimaster replication and each master must
                  have  a  unique  ID.  Note that this requirement also applies to
                  separate masters contributing to a glued set of  databases.   If
                  the  URL  is  provided, this directive may be specified multiple
                  times, providing a complete list of  participating  servers  and
                  their IDs. The fully qualified hostname of each server should be
                  used in the supplied URLs. The IDs are used in the "replica  id"
                  field of all CSNs generated by the specified server. The default
                  value is zero.  Example:
    
                serverID 1
    
           sizelimit {<integer>|unlimited}
    
           sizelimit size[.{soft|hard|unchecked}]=<integer> [...]
                  Specify the maximum number of entries to return  from  a  search
                  operation.   The  default  size  limit is 500.  Use unlimited to
                  specify no limits.   The  second  format  allows  a  fine  grain
                  setting of the size limits.  Extra args can be added on the same
                  line.  See limits for an explanation of the different flags.
    
           sockbuf_max_incoming <integer>
                  Specify  the  maximum  incoming  LDAP  PDU  size  for  anonymous
                  sessions.  The default is 262143.
    
           sockbuf_max_incoming_auth <integer>
                  Specify  the  maximum  incoming  LDAP PDU size for authenticated
                  sessions.  The default is 4194303.
    
           sortvals <attr> [...]
                  Specify a list of  multi-valued  attributes  whose  values  will
                  always  be  maintained  in  sorted order. Using this option will
                  allow  Modify,  Compare,  and  filter   evaluations   on   these
                  attributes  to be performed more efficiently. The resulting sort
                  order depends on the attributes' syntax and matching  rules  and
                  may  not  correspond  to lexical order or any other recognizable
                  order.
    
           tcp-buffer [listener=<URL>] [{read|write}=]<size>
                  Specify the size of the TCP buffer.  A  global  value  for  both
                  read  and  write TCP buffers related to any listener is defined,
                  allows a fine grain setting of the time limits.  Extra args  can
                  be added on the same line.  See limits for an explanation of the
                  different flags.
    
           tool-threads <integer>
                  Specify the maximum number of threads to use in tool mode.  This
                  should  not  be  greater  than the number of CPUs in the system.
                  The default is 1.
    
           writetimeout <integer>
                  Specify the number of seconds to wait before forcibly closing  a
                  connection  with an outstanding write. This allows recovery from
                  various network hang conditions.  A writetimeout of  0  disables
                  this feature.  The default is 0.
    
    
    

    TLS OPTIONS

           If  slapd is built with support for Transport Layer Security, there are
           more options you can specify.
    
           TLSCipherSuite <cipher-suite-spec>
                  Permits configuring  what  ciphers  will  be  accepted  and  the
                  preference   order.   <cipher-suite-spec>  should  be  a  cipher
                  specification for the TLS library in use  (OpenSSL,  GnuTLS,  or
                  Mozilla NSS).  Example:
    
                         OpenSSL:
                                 TLSCipherSuite HIGH:MEDIUM:+SSLv2
    
                         GnuTLS:
                                 TLSCiphersuite SECURE256:!AES-128-CBC
    
                  To check what ciphers a given spec selects in OpenSSL, use:
    
                       openssl ciphers -v <cipher-suite-spec>
    
                  With  GnuTLS the available specs can be found in the manual page
                  of gnutls-cli(1) (see the description of the option --priority).
    
                  In  older  versions of GnuTLS, where gnutls-cli does not support
                  the option --priority, you can obtain the -- more limited --  list
                  of ciphers by calling:
    
                       gnutls-cli -l
    
                  When  using Mozilla NSS, the OpenSSL cipher suite specifications
                  are used and translated  into  the  format  used  internally  by
                  Mozilla  NSS.  There isn't an easy way to list the cipher suites
                  from the command line.  The authoritative list is in the  source
                  code for Mozilla NSS in the file sslinfo.c in the structure
                          static const SSLCipherSuiteInfo suiteInfo[]
    
           TLSCACertificateFile <filename>
    
                  When  using  Mozilla  NSS,  <path>  may  contain  a  Mozilla NSS
                  cert/key database.  If <path> contains a  Mozilla  NSS  cert/key
                  database  and  CA  cert  files,  OpenLDAP  will use the cert/key
                  database and will ignore the CA cert files.
    
           TLSCertificateFile <filename>
                  Specifies the file that contains the slapd server certificate.
    
                  When using Mozilla NSS, if using a cert/key database  (specified
                  with  TLSCACertificatePath),  TLSCertificateFile  specifies  the
                  name of the certificate to use:
                       TLSCertificateFile Server-Cert
                  If using a token other than the internal built in token, specify
                  the token name first, followed by a colon:
                       TLSCertificateFile my hardware device:Server-Cert
                  Use certutil -L to list the certificates by name:
                       certutil -d /path/to/certdbdir -L
    
           TLSCertificateKeyFile <filename>
                  Specifies  the  file  that contains the slapd server private key
                  that matches the certificate stored  in  the  TLSCertificateFile
                  file.   Currently,  the private key must not be protected with a
                  password, so it is of critical importance that it  is  protected
                  carefully.
    
                  When using Mozilla NSS, TLSCertificateKeyFile specifies the name
                  of a file that  contains  the  password  for  the  key  for  the
                  certificate  specified  with  TLSCertificateFile.   The  modutil
                  command can be used to turn  off  password  protection  for  the
                  cert/key   database.    For   example,  if  TLSCACertificatePath
                  specifes /etc/openldap/certdb as the location  of  the  cert/key
                  database,  use  modutil  to  change  the  password  to the empty
                  string:
                       modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'
                  You must have the old password,  if  any.   Ignore  the  WARNING
                  about  the running browser.  Press 'Enter' for the new password.
    
           TLSDHParamFile <filename>
                  This directive specifies the file that contains  parameters  for
                  Diffie-Hellman  ephemeral  key  exchange.   This  is required in
                  order to use a DSA certificate on the server. If  multiple  sets
                  of  parameters  are  present  in  the  file, all of them will be
                  processed.  Note  that  setting  this  option  may  also  enable
                  Anonymous  Diffie-Hellman  key  exchanges in certain non-default
                  cipher suites.  You should append "!ADH" to your  cipher  suites
                  if  you  have  changed  them  from  the  default,  otherwise  no
                  certificate exchanges or verification will be done.  When  using
                  GnuTLS  these  parameters  are always generated randomly so this
                  directive is ignored.  This  directive  is  ignored  when  using
                  Mozilla NSS.
    
                  Specifies   the   file   to   obtain   random   bits  from  when
                  /dev/[u]random is not available.  Generally set to the  name  of
                  the  EGD/PRNGD  socket.   The  environment variable RANDFILE can
                  also be used to specify the filename.  This directive is ignored
                  with GnuTLS and Mozilla NSS.
    
           TLSVerifyClient <level>
                  Specifies  what  checks  to perform on client certificates in an
                  incoming TLS session, if any.  The <level> can be  specified  as
                  one of the following keywords:
    
                  never  This is the default.  slapd will not ask the client for a
                         certificate.
    
                  allow  The client certificate is requested.  If  no  certificate
                         is  provided,  the  session  proceeds normally.  If a bad
                         certificate is provided,  it  will  be  ignored  and  the
                         session proceeds normally.
    
                  try    The  client  certificate is requested.  If no certificate
                         is provided, the session proceeds  normally.   If  a  bad
                         certificate  is  provided,  the  session  is  immediately
                         terminated.
    
                  demand | hard | true
                         These keywords  are  all  equivalent,  for  compatibility
                         reasons.   The  client  certificate  is requested.  If no
                         certificate  is  provided,  or  a  bad   certificate   is
                         provided, the session is immediately terminated.
    
                         Note that a valid client certificate is required in order
                         to use the SASL EXTERNAL authentication mechanism with  a
                         TLS  session.   As  such,  a  non-default TLSVerifyClient
                         setting  must  be  chosen   to   enable   SASL   EXTERNAL
                         authentication.
    
           TLSCRLCheck <level>
                  Specifies  if  the  Certificate  Revocation List (CRL) of the CA
                  should be used to verify if the  client  certificates  have  not
                  been revoked. This requires TLSCACertificatePath parameter to be
                  set. This directive is ignored  with  GnuTLS  and  Mozilla  NSS.
                  <level> can be specified as one of the following keywords:
    
                  none   No CRL checks are performed
    
                  peer   Check the CRL of the peer certificate
    
                  all    Check the CRL for a whole certificate chain
    
           TLSCRLFile <filename>
                  Specifies  a file containing a Certificate Revocation List to be
                  used for verifying that certificates have not been revoked. This
    
    
    

    GENERAL DATABASE OPTIONS

           Options in this section only apply to the  configuration  file  section
           for  the  database  in  which  they are defined.  They are supported by
           every type of backend.  Note that the database and at least one  suffix
           option are mandatory for each database.
    
           database <databasetype>
                  Mark  the  beginning  of  a  new  database  instance definition.
                  <databasetype> should be one of bdb, config, dnssrv, hdb,  ldap,
                  ldif,  mdb,  meta, monitor, null, passwd, perl, relay, shell, or
                  sql, depending on which backend will serve the database.
    
                  LDAP operations, even subtree searches, normally access only one
                  database.  That can be changed by gluing databases together with
                  the subordinate keyword.  Access controls and some overlays  can
                  also involve multiple databases.
    
           add_content_acl on | off
                  Controls  whether  Add operations will perform ACL checks on the
                  content of the entry being added. This check is off by  default.
                  See  the  slapd.access(5)  manual  page  for more details on ACL
                  requirements for Add operations.
    
           extra_attrs <attrlist>
                  Lists what attributes need  to  be  added  to  search  requests.
                  Local  storage backends return the entire entry to the frontend.
                  The  frontend  takes  care  of  only  returning  the   requested
                  attributes  that  are  allowed  by ACLs.  However, features like
                  access checking and so may need specific attributes that are not
                  automatically  returned  by  remote storage backends, like proxy
                  backends and so on.  <attrlist> is a list of attributes that are
                  needed  for  internal  purposes  and  thus  always  need  to  be
                  collected, even when not explicitly requested by clients.
    
           hidden on | off
                  Controls whether the database will be used to answer queries.  A
                  database  that  is  hidden  will never be selected to answer any
                  queries, and any suffix  configured  on  the  database  will  be
                  ignored  in  checks  for  conflicts  with  other  databases.  By
                  default, hidden is off.
    
           lastmod on | off
                  Controls  whether  slapd   will   automatically   maintain   the
                  modifiersName,      modifyTimestamp,      creatorsName,      and
                  createTimestamp attributes for entries.  It  also  controls  the
                  entryCSN  and  entryUUID  attributes,  which  are  needed by the
                  syncrepl provider. By default, lastmod is on.
    
           limits <selector> <limit> [<limit> [...]]
                  Specify time and size limits based on the operation's  initiator
                  or base DN.  The argument <selector> can be any of
    
                  all   unauthenticated  clients.   The  term  users  matches  all
                  authenticated clients; otherwise an exact dn pattern is  assumed
                  unless  otherwise  specified  by  qualifying  the (optional) key
                  string dn with exact or base (which are synonyms), to require an
                  exact  match;  with  onelevel,  to  require exactly one level of
                  depth match; with subtree, to allow any level  of  depth  match,
                  including  the exact match; with children, to allow any level of
                  depth match, not including the  exact  match;  regex  explicitly
                  requires  the  (default)  match  based  on  POSIX (''extended'')
                  regular expression pattern.  Finally, anonymous matches  unbound
                  operations;  the pattern field is ignored.  The same behavior is
                  obtained by using the anonymous form of the  <selector>  clause.
                  The   term   group,   with   the  optional  objectClass  oc  and
                  attributeType at fields, followed by pattern,  sets  the  limits
                  for  any  DN  listed  in the values of the at attribute (default
                  member) of the oc group objectClass (default groupOfNames) whose
                  DN exactly matches pattern.
    
                  The currently supported limits are size and time.
    
                  The  syntax  for  time  limits  is time[.{soft|hard}]=<integer>,
                  where  integer  is  the  number  of  seconds  slapd  will  spend
                  answering  a  search  request.   If  no time limit is explicitly
                  requested by  the  client,  the  soft  limit  is  used;  if  the
                  requested  time  limit  exceeds the hard limit, the value of the
                  limit is used instead.  If the hard limit is set to the  keyword
                  soft, the soft limit is used in either case; if it is set to the
                  keyword unlimited, no hard limit is enforced.  Explicit requests
                  for  time limits smaller or equal to the hard limit are honored.
                  If no limit specifier is set, the value is assigned to the  soft
                  limit,  and  the  hard  limit  is  set  to soft, to preserve the
                  original behavior.
    
                  The        syntax        for        size        limits        is
                  size[.{soft|hard|unchecked}]=<integer>,  where  integer  is  the
                  maximum number of entries slapd will return answering  a  search
                  request.   If  no  size  limit  is  explicitly  requested by the
                  client, the soft limit is used;  if  the  requested  size  limit
                  exceeds  the hard limit, the value of the limit is used instead.
                  If the hard limit is set to the keyword soft, the soft limit  is
                  used  in  either case; if it is set to the keyword unlimited, no
                  hard limit is  enforced.   Explicit  requests  for  size  limits
                  smaller  or  equal to the hard limit are honored.  The unchecked
                  specifier sets a limit on the  number  of  candidates  a  search
                  request  is allowed to examine.  The rationale behind it is that
                  searches for non-properly indexed attributes may result in large
                  sets  of  candidates,  which  must  be  examined  by slapd(8) to
                  determine whether they match the  search  filter  or  not.   The
                  unchecked  limit provides a means to drop such operations before
                  they are even started.  If the selected  candidates  exceed  the
                  unchecked  limit,  the  search  will  abort  with  Unwilling  to
                  perform.  If it is set to the keyword  unlimited,  no  limit  is
                  total  count of entries returned within the search, and not to a
                  single page.  Additional size limits may be enforced; the syntax
                  is  size.pr={<integer>|noEstimate|unlimited},  where  integer is
                  the max page size if no  explicit  limit  is  set;  the  keyword
                  noEstimate inhibits the server from returning an estimate of the
                  total number of  entries  that  might  be  returned  (note:  the
                  current  implementation  does  not  return  any  estimate).  The
                  keyword unlimited indicates that no  limit  is  applied  to  the
                  pagedResults      control     page     size.      The     syntax
                  size.prtotal={<integer>|unlimited|disabled}  allows  to  set   a
                  limit on the total number of entries that a pagedResults control
                  allows to return.  By default it is set to the hard limit.  When
                  set,  integer is the max number of entries that the whole search
                  with pagedResults control can return.  Use  unlimited  to  allow
                  unlimited  number  of  entries to be returned, e.g. to allow the
                  use of the pagedResults control as a means  to  circumvent  size
                  limitations  on  regular searches; the keyword disabled disables
                  the control, i.e. no paged results can be returned.   Note  that
                  the  total  number  of  entries  returned  when the pagedResults
                  control is requested  cannot  exceed  the  hard  size  limit  of
                  regular searches unless extended by the prtotal switch.
    
                  The  limits  statement  is  typically  used  to let an unlimited
                  number of entries be returned by  searches  performed  with  the
                  identity  used  by  the consumer for synchronization purposes by
                  means of the RFC 4533 LDAP Content Synchronization protocol (see
                  syncrepl for details).
    
           maxderefdepth <depth>
                  Specifies  the  maximum  number  of  aliases to dereference when
                  trying to resolve an entry, used to avoid infinite alias  loops.
                  The default is 15.
    
           mirrormode on | off
                  This  option puts a replica database into "mirror" mode.  Update
                  operations  will  be  accepted  from  any  user,  not  just  the
                  updatedn.  The database must already be configured as a syncrepl
                  consumer before this keyword may be set. This mode also requires
                  a serverID (see above) to be configured.  By default, mirrormode
                  is off.
    
           monitoring on | off
                  This option enables database-specific monitoring  in  the  entry
                  related to the current database in the "cn=Databases,cn=Monitor"
                  subtree of the monitor database,  if  the  monitor  database  is
                  enabled.   Currently, only the BDB and the HDB databases provide
                  database-specific  monitoring.   The  default  depends  on   the
                  backend type.
    
           overlay <overlay-name>
                  Add  the  specified  overlay  to  this database. An overlay is a
                  piece of code that intercepts database operations  in  order  to
                  Specify  a  whitespace  separated  list  of  operations that are
                  restricted.   If  defined  inside  a   database   specification,
                  restrictions  apply  only  to  that database, otherwise they are
                  global.  Operations can be any of add,  bind,  compare,  delete,
                  extended[=<OID>], modify, rename, search, or the special pseudo-
                  operations read and write, which respectively summarize read and
                  write  operations.   The  use of restrict write is equivalent to
                  readonly  on  (see  above).   The  extended  keyword  allows  to
                  indicate the OID of the specific operation to be restricted.
    
           rootdn <dn>
                  Specify  the  distinguished  name  that is not subject to access
                  control or administrative limit restrictions for  operations  on
                  this  database.   This  DN  may or may not be associated with an
                  entry.  An empty root DN (the default) specifies no root  access
                  is  to  be  granted.   It is recommended that the rootdn only be
                  specified when needed  (such  as  when  initially  populating  a
                  database).   If the rootdn is within a namingContext (suffix) of
                  the database, a simple bind password may also be provided  using
                  the   rootpw   directive.   Many  optional  features,  including
                  syncrepl, require the rootdn to be defined for the database.
    
           rootpw <password>
                  Specify a password (or hash of the  password)  for  the  rootdn.
                  The  password  can  only  be  set  if  the  rootdn is within the
                  namingContext (suffix) of the database.  This option accepts all
                  RFC   2307   userPassword  formats  known  to  the  server  (see
                  password-hash description) as well as cleartext.   slappasswd(8)
                  may  be  used  to  generate a hash of a password.  Cleartext and
                  {CRYPT} passwords are not recommended.  If empty (the  default),
                  authentication  of  the  root  DN is by other means (e.g. SASL).
                  Use of SASL is encouraged.
    
           suffix <dn suffix>
                  Specify the DN suffix of queries that will  be  passed  to  this
                  backend  database.   Multiple  suffix  lines can be given and at
                  least one is required for each database definition.
    
                  If the suffix of one database is "inside" that of  another,  the
                  database   with   the  inner  suffix  must  come  first  in  the
                  configuration file.  You may also want to  glue  such  databases
                  together with the subordinate keyword.
    
           subordinate [advertise]
                  Specify  that  the  current backend database is a subordinate of
                  another backend database. A subordinate  database may have  only
                  one  suffix.  This option may be used to glue multiple databases
                  into a single namingContext.   If  the  suffix  of  the  current
                  database  is  within  the  namingContext of a superior database,
                  searches against the superior database will be propagated to the
                  subordinate  as  well.  All  of  the databases associated with a
                  single namingContext should have identical rootdns.  Behavior of
                  Databases  that  are glued together should usually be configured
                  with the same indices (assuming they support indexing), even for
                  attributes  that  only  exist  in  some  of  these databases. In
                  general, all of the glued  databases  should  be  configured  as
                  similarly  as  possible,  since  the  intent  is  to provide the
                  appearance of a single directory.
    
                  Note  that  the   subordinate   functionality   is   implemented
                  internally  by  the  glue  overlay and as such its behavior will
                  interact with other  overlays  in  use.  By  default,  the  glue
                  overlay  is  automatically configured as the last overlay on the
                  superior backend. Its position on the backend can be  explicitly
                  configured  by  setting an overlay glue directive at the desired
                  position. This explicit configuration is  necessary  e.g.   when
                  using  the syncprov overlay, which needs to follow glue in order
                  to work over all of the glued databases. E.g.
                       database bdb
                       suffix dc=example,dc=com
                       ...
                       overlay glue
                       overlay syncprov
    
           sync_use_subentry
                  Store the syncrepl contextCSN  in  a  subentry  instead  of  the
                  context  entry  of  the  database.  The  subentry's  RDN will be
                  "cn=ldapsync". By  default  the  contextCSN  is  stored  in  the
                  context entry.
    
           syncrepl    rid=<replica    ID>    provider=ldap[s]://<hostname>[:port]
                  searchbase=<base    DN>     [type=refreshOnly|refreshAndPersist]
                  [interval=dd:hh:mm:ss]    [retry=[<retry    interval>    <#   of
                  retries>]+]  [filter=<filter  str>]  [scope=sub|one|base|subord]
                  [attrs=<attr    list>]    [exattrs=<attr    list>]   [attrsonly]
                  [sizelimit=<limit>] [timelimit=<limit>]  [schemachecking=on|off]
                  [network-timeout=<seconds>]                  [timeout=<seconds>]
                  [bindmethod=simple|sasl]     [binddn=<dn>]     [saslmech=<mech>]
                  [authcid=<identity>] [authzid=<identity>] [credentials=<passwd>]
                  [realm=<realm>]                          [secprops=<properties>]
                  [keepalive=<idle>:<probes>:<interval>]   [starttls=yes|critical]
                  [tls_cert=<file>]      [tls_key=<file>]      [tls_cacert=<file>]
                  [tls_cacertdir=<path>]      [tls_reqcert=never|allow|try|demand]
                  [tls_ciphersuite=<ciphers>]         [tls_crlcheck=none|peer|all]
                  [tls_protocol_min=<major>[.<minor>]]  [suffixmassage=<real  DN>]
                  [logbase=<base       DN>]        [logfilter=<filter        str>]
                  [syncdata=default|accesslog|changelog]
                  Specify  the  current database as a replica which is kept up-to-
                  date  with  the  master  content  by  establishing  the  current
                  slapd(8)  as  a  replication  consumer  site  running a syncrepl
                  replication engine.  The replica content is kept synchronized to
                  the  master  content  using  the  LDAP  Content  Synchronization
                  protocol. Refer to  the  "OpenLDAP  Administrator's  Guide"  for
                  detailed  information on setting up a replicated slapd directory
                  scope,  filter,  attrs,  attrsonly,  sizelimit,  and   timelimit
                  parameters  as  in  the  normal search specification.  The scope
                  defaults to sub, the filter defaults to  (objectclass=*),  while
                  there is no default searchbase. The attrs list defaults to "*,+"
                  to return all user and operational attributes, and attrsonly  is
                  unset  by  default.   The  sizelimit  and  timelimit only accept
                  "unlimited"  and  positive  integers,  and   both   default   to
                  "unlimited".   The  sizelimit  and timelimit parameters define a
                  consumer requested limitation on the number of entries that  can
                  be  returned  by  the LDAP Content Synchronization operation; as
                  such, it is intended to implement partial replication  based  on
                  the  size of the replicated database and on the time required by
                  the synchronization.   Note,  however,  that  any  provider-side
                  limits  for  the  replication  identity  will be enforced by the
                  provider regardless of the limits requested by the LDAP  Content
                  Synchronization  operation,  much  like  for  any  other  search
                  operation.   exattrs  option  may  also  be  used   to   specify
                  attributes  that  should  be omitted from incoming entries.  The
                  scope defaults to sub, the filter defaults  to  (objectclass=*),
                  and  there  is no default searchbase. The attrs list defaults to
                  "*,+"  to  return  all  user  and  operational  attributes,  and
                  attrsonly  and  exattrs are unset by default.  The sizelimit and
                  timelimit only accept "unlimited"  and  positive  integers,  and
                  both  default to "unlimited".  Note, however, that any provider-
                  side limits for the replication identity will be enforced by the
                  provider  regardless of the limits requested by the LDAP Content
                  Synchronization  operation,  much  like  for  any  other  search
                  operation.
    
                  The  LDAP  Content  Synchronization  protocol  has two operation
                  types.  In the refreshOnly operation, the  next  synchronization
                  search operation is periodically rescheduled at an interval time
                  (specified by interval parameter; 1 day by default)  after  each
                  synchronization  operation  finishes.   In the refreshAndPersist
                  operation, a synchronization search remains  persistent  in  the
                  provider  slapd.   Further  updates  to  the master replica will
                  generate searchResultEntry to the consumer slapd as  the  search
                  responses to the persistent synchronization search.
    
                  If an error occurs during replication, the consumer will attempt
                  to reconnect according to the retry parameter which is a list of
                  the  <retry  interval>  and  <# of retries> pairs.  For example,
                  retry="60 10 300 3" lets the consumer retry every 60 seconds for
                  the first 10 times and then retry every 300 seconds for the next
                  3 times before stop retrying. The '+' in <#  of  retries>  means
                  indefinite  number  of  retries  until success.  If no retry was
                  specified, by default syncrepl retries every hour forever.
    
                  The schema checking can be enforced at the  LDAP  Sync  consumer
                  site  by turning on the schemachecking parameter. The default is
                  off.  Schema checking on means that replicated entries must have
                  a  structural objectClass, must obey to objectClass requirements
                  services (e.g. TLS or IPSEC) are  in  place.   REMEMBER:  simple
                  bind  credentials  must  be  in cleartext!  A bindmethod of sasl
                  requires the option saslmech.  Depending on  the  mechanism,  an
                  authentication  identity  and/or  credentials  can  be specified
                  using authcid and credentials.  The  authzid  parameter  may  be
                  used  to  specify  an authorization identity.  Specific security
                  properties (as with the sasl-secprops keyword above) for a  SASL
                  bind  can  be  set  with the secprops option. A non default SASL
                  realm can be set with the realm option.  The identity  used  for
                  synchronization  by the consumer should be allowed to receive an
                  unlimited number of entries in response  to  a  search  request.
                  The  provider,  other  than allow authentication of the syncrepl
                  identity,  should  grant  that   identity   appropriate   access
                  privileges   to  the  data  that  is  being  replicated  (access
                  directive), and appropriate time and size limits.  This  can  be
                  accomplished   by   either   allowing  unlimited  sizelimit  and
                  timelimit, or by setting an appropriate limits statement in  the
                  consumer's configuration (see sizelimit and limits for details).
    
                  The keepalive parameter sets the values  of  idle,  probes,  and
                  interval  used  to  check whether a socket is alive; idle is the
                  number of seconds a connection needs to remain idle  before  TCP
                  starts sending keepalive probes; probes is the maximum number of
                  keepalive probes TCP should send before dropping the connection;
                  interval  is  interval  in  seconds between individual keepalive
                  probes.  Only some systems support the  customization  of  these
                  values;  the  keepalive  parameter  is  ignored  otherwise,  and
                  system-wide settings are used.
    
                  The starttls parameter specifies use of  the  StartTLS  extended
                  operation  to  establish  a  TLS  session  before Binding to the
                  provider. If the critical argument is supplied, the session will
                  be aborted if the StartTLS request fails. Otherwise the syncrepl
                  session continues without TLS. The tls_reqcert setting  defaults
                  to  "demand"  and  the other TLS settings default to the same as
                  the main slapd TLS settings.
    
                  The suffixmassage parameter allows the consumer to pull  entries
                  from  a  remote directory whose DN suffix differs from the local
                  directory. The portion of the remote entries' DNs  that  matches
                  the searchbase will be replaced with the suffixmassage DN.
    
                  Rather  than  replicating  whole entries, the consumer can query
                  logs of data modifications. This mode of operation  is  referred
                  to  as  delta syncrepl. In addition to the above parameters, the
                  logbase and logfilter parameters must be set  appropriately  for
                  the log that will be used. The syncdata parameter must be set to
                  either "accesslog" if the log conforms to the slapo-accesslog(5)
                  log  format,  or "changelog" if the log conforms to the obsolete
                  changelog format. If the syncdata parameter is omitted or set to
                  "default" then the log parameters are ignored.
    
           Each  database  may  allow  specific  configuration  options;  they are
           documented  separately  in  the  backends'  manual   pages.   See   the
           slapd.backends(5) manual page for an overview of available backends.
    
    
    

    EXAMPLES

           Here is a short example of a configuration file:
    
                  include   /etc/openldap/schema/core.schema
                  pidfile   /var/run/slapd.pid
    
                  # Subtypes of "name" (e.g. "cn" and "ou") with the
                  # option ";x-hidden" can be searched for/compared,
                  # but are not shown.  See slapd.access(5).
                  attributeoptions x-hidden lang-
                  access to attrs=name;x-hidden by * =cs
    
                  # Protect passwords.  See slapd.access(5).
                  access    to attrs=userPassword  by * auth
                  # Read access to other attributes and entries.
                  access    to *  by * read
    
                  database  bdb
                  suffix    "dc=our-domain,dc=com"
                  # The database directory MUST exist prior to
                  # running slapd AND should only be accessible
                  # by the slapd/tools. Mode 0700 recommended.
                  directory /var/openldap-data
                  # Indices to maintain
                  index     objectClass  eq
                  index     cn,sn,mail   pres,eq,approx,sub
    
                  # We serve small clients that do not handle referrals,
                  # so handle remote lookups on their behalf.
                  database  ldap
                  suffix    ""
                  uri       ldap://ldap.some-server.com/
                  lastmod   off
    
           "OpenLDAP Administrator's Guide" contains a longer annotated example of
           a configuration file.  The original /etc/openldap/slapd.conf is another
           example.
    
    
    

    FILES

           /etc/openldap/slapd.conf
                  default slapd configuration file
    
    
    

    SEE ALSO

           ldap(3),      gnutls-cli(1),      slapd-config(5),     slapd.access(5),
           slapd.backends(5),   slapd.overlays(5),   slapd.plugin(5),    slapd(8),
           slapacl(8),    slapadd(8),    slapauth(8),    slapcat(8),    slapdn(8),
           slapindex(8), slappasswd(8), slaptest(8).
    
    
  • MORE RESOURCE


  • Linux

    The Distributions





    Linux

    The Software





    Linux

    The News



  • MARKETING






  • Toll Free

webmaster@linuxguruz.com
Copyright © 1999 - 2016 by LinuxGuruz