slapd.conf man page on OpenDarwin

Man page or keyword search:  
man Server   3202 pages
apropos Keyword Search (all sections)
Output format
OpenDarwin logo
[printable version]

SLAPD.CONF(5)							 SLAPD.CONF(5)

NAME
       slapd.conf - configuration file for slapd, the stand-alone LDAP daemon

SYNOPSIS
       /etc/openldap/slapd.conf

DESCRIPTION
       The  file  /etc/openldap/slapd.conf  contains configuration information
       for the slapd(8) daemon.	 This configuration file is also used  by  the
       slurpd(8)  replication  daemon and by the SLAPD tools slapadd(8), slap‐
       cat(8), and slapindex(8).

       The slapd.conf file  consists  of  a  series  of	 global	 configuration
       options	that  apply to slapd as a whole (including all backends), fol‐
       lowed by zero or more database backend definitions that contain	infor‐
       mation specific to a backend instance.

       The general format of slapd.conf is as follows:

	   # comment - these options apply to every database
	   <global configuration options>
	   # first database definition & configuration options
	   database   <backend 1 type>
	   <configuration options specific to backend 1>
	   # subsequent database definitions & configuration options
	   ...

       As  many	 backend-specific sections as desired may be included.	Global
       options can be overridden in a backend (for options  that  appear  more
       than  once, the last appearance in the slapd.conf file is used).	 Blank
       lines and comment lines beginning with a `#' character are ignored.  If
       a  line begins with white space, it is considered a continuation of the
       previous line.

       Arguments on configuration lines are separated by white	space.	If  an
       argument	 contains white space, the argument should be enclosed in dou‐
       ble quotes.  If an argument contains a double quote (`"')  or  a	 back‐
       slash  character (`\'), the character should be preceded by a backslash
       character.

       The specific configuration options available are discussed below in the
       Global  Configuration  Options,	General	 Backend  Options, and General
       Database	 Options.   Backend-specific  options  are  discussed  in  the
       slapd-<backend>(5)  manual  pages.   Refer to the "OpenLDAP Administra‐
       tor's Guide" for more details on the slapd configuration file.

GLOBAL CONFIGURATION OPTIONS
       Options described in this section apply to all backends, unless specif‐
       ically  overridden  in  a  backend definition. Arguments that should be
       replaced by actual text are shown in brackets <>.

       access to <what> [ by <who> <access> <control> ]+
	      Grant access (specified by <access>) to a set of entries	and/or
	      attributes  (specified  by  <what>)  by  one  or more requestors
	      (specified by <who>).  See slapd.access(5) and  the  "OpenLDAP's
	      Administrator's Guide" for details.

       allow <features>
	      Specify  a  set  of features (separated by white space) to allow
	      (default	none).	 bind_v2  allows  acceptance  of  LDAPv2  bind
	      requests.	  Note	that slapd(8) does not truely implement LDAPv2
	      (RFC 1777), now  Historic	 (RFC  3494).	bind_anon_cred	allows
	      anonymous	 bind when credentials are not empty (e.g.  when DN is
	      empty).  bind_anon_dn allows  unauthenticated  (anonymous)  bind
	      when DN is not empty.  update_anon allow unauthenticated (anony‐
	      mous) update operations to be processed (subject to access  con‐
	      trols and other administrative limits).

       argsfile <filename>
	      The  (  absolute	)  name	 of  a	file  that will hold the slapd
	      server's command line options if started without	the  debugging
	      command line option.

       attributeoptions [option-name]...
	      Define  tagging  attribute options or option tag/range prefixes.
	      Options must not end with `-', prefixes must end with `-'.   The
	      `lang-'  prefix  is predefined.  If you use the attributeoptions
	      directive, `lang-' will no longer be defined and you must	 spec‐
	      ify it explicitly if you want it defined.

	      An  attribute  description with a tagging option is a subtype of
	      that attribute description without the option.  Except for that,
	      options  defined	this  way have no special semantics.  Prefixes
	      defined this way work like the `lang-' options:  They  define  a
	      prefix  for  tagging options starting with the prefix.  That is,
	      if you define the prefix `x-foo-', you can use  the  option  `x-
	      foo-bar'.	  Furthermore,	in  a  search  or compare, a prefix or
	      range name (with a trailing `-') matches	all  options  starting
	      with  that  name, as well as the option with the range name sans
	      the trailing `-'.	 That is, `x-foo-bar-' matches `x-foo-bar' and
	      `x-foo-bar-baz'.

	      RFC2251 reserves options beginning with `x-' for private experi‐
	      ments.  Other  options  should  be  registered  with  IANA,  see
	      RFC3383  section	3.4.   OpenLDAP	 also  has the `binary' option
	      built in, but this is a transfer option, not a tagging option.

       attributetype  ( <oid>  [NAME <name>]  [OBSOLETE]  [DESC <description>]
	      [SUP <oid>]   [EQUALITY <oid>]  [ORDERING <oid>]	[SUBSTR <oid>]
	      [SYNTAX <oidlen>]		 [SINGLE-VALUE]		  [COLLECTIVE]
	      [NO-USER-MODIFICATION] [USAGE <attributeUsage>] )
	      Specify an attribute type using the LDAPv3 syntax defined in RFC
	      2252.  The slapd parser  extends	the  RFC  2252	definition  by
	      allowing string forms as well as numeric OIDs to be used for the
	      attribute	  OID	and   attribute	  syntax   OID.	   (See	   the
	      objectidentifier description.)

       concurrency <integer>
	      Specify  a  desired  level  of  concurrency.   Provided  to  the
	      underlying thread system as a  hint.   The  default  is  not  to
	      provide any hint.

       conn_max_pending <integer>
	      Specify  the maximum number of pending requests for an anonymous
	      session.	If requests are submitted faster than the  server  can
	      process them, they will be queued up to this limit. If the limit
	      is exceeded, the session is closed. The default is 100.

       conn_max_pending_auth <integer>
	      Specify  the  maximum  number  of	 pending   requests   for   an
	      authenticated session.  The default is 1000.

       defaultsearchbase <dn>
	      Specify  a default search base to use when client submits a non-
	      base search request with an empty base DN.

       disallow <features>
	      Specify a set of features (separated by white space) to disallow
	      (default none).  bind_anon disables acceptance of anonymous bind
	      requests.	 bind_simple disables  simple  (bind)  authentication.
	      bind_krbv4   disables   Kerberos	 V4   (bind)   authentication.
	      tls_2_anon disables Start TLS from forcing session to  anonymous
	      status  (see  also  tls_authc).	tls_authc disables StartTLS if
	      authenticated (see also tls_2_anon).

       gentlehup { on | off }
	      A SIGHUP signal will only	 cause	a  'gentle'  shutdown-attempt:
	      Slapd  will  stop	 listening  for	 new connections, but will not
	      close the connections to	the  current  clients.	 Future	 write
	      operations    return    unwilling-to-perform,   though.	 Slapd
	      terminates when all clients have closed  their  connections  (if
	      they ever do), or - as before - if it receives a SIGTERM signal.
	      This can be useful if you wish to terminate the server and start
	      a new slapd server with another database, without disrupting the
	      currently active clients.	 The default is off.  You may wish  to
	      use idletimeout along with this option.

       idletimeout <integer>
	      Specify the number of seconds to wait before forcibly closing an
	      idle client  connection.	 A  idletimeout	 of  0	disables  this
	      feature.	The default is 0.

       include <filename>
	      Read  additional	configuration  information from the given file
	      before continuing with the next line of the current file.

       limits <who> <limit> [<limit> [...]]
	      Specify  time  and  size	limits	based  on  who	initiated   an
	      operation.  The argument who can be any of

		     anonymous | users | [dn[.<style>]=]<pattern>

	      with

		     <style>  ::=  exact  |  base | one | subtree | children |
		     regex | anonymous

	      Anonymous is hit	when  a	 search	 is  performed	without	 prior
	      binding;	 users	is  hit	 when  a  search  is  performed	 by  a
	      successfully bound user; otherwise a regex dn pattern is assumed
	      unless  otherwise	 specified  by	qualifying  the (optional) key
	      string dn with exact or base (which are synonims), to require an
	      exact  match;  with  one,	 to require exactly one level of depth
	      match;  with  subtree,  to  allow	 any  level  of	 depth	match,
	      including	 the exact match; with children, to allow any level of
	      depth match, not including the  exact  match;  regex  explicitly
	      requires	 the  (default)	 match	based  on  regular  expression
	      pattern, as detailed in regex(7).	  Finally,  anonymous  matches
	      unbound  operations;  the	 pattern  field	 is ignored.  The same
	      behavior is obtained by using the	 anonymous  form  of  the  who
	      clause.

	      The currently supported limits are size and time.

	      The  syntax  for	time  limits  is time[.{soft|hard}]=<integer>,
	      where  integer  is  the  number  of  seconds  slapd  will	 spend
	      answering	 a  search  request.   If  no time limit is explicitly
	      requested by  the	 client,  the  soft  limit  is	used;  if  the
	      requested time limit exceedes the hard limit, an "Administrative
	      limit exceeded" is returned.  If the hard limit is set to	 0  or
	      to the keyword "soft", the soft limit is used in either case; if
	      it is set to -1 or to the	 keyword  "none",  no  hard  limit  is
	      enforced.	 Explicit requests for time limits smaller or equal to
	      the hard limit are honored.  If no flag is  set,	the  value  is
	      assigned	to  the soft limit, and the hard limit is set to zero,
	      to preserve the original behavior.

	      The	 syntax	       for	  size	      limits	    is
	      size[.{soft|hard|unchecked}]=<integer>,  where  integer  is  the
	      maximum number of entries slapd will return answering  a	search
	      request.	 If  no	 size  limit  is  explicitly  requested by the
	      client, the soft limit is used;  if  the	requested  size	 limit
	      exceedes	the  hard limit, an "Administrative limit exceeded" is
	      returned.	 If the hard limit is set  to  0  or  to  the  keyword
	      "soft",  the  soft limit is used in either case; if it is set to
	      -1 or  to	 the  keyword  "none",	no  hard  limit	 is  enforced.
	      Explicit	requests  for size limits smaller or equal to the hard
	      limit are honored.  The unchecked	 flag  sets  a	limit  on  the
	      number of candidates a search request is allowed to examine.  If
	      the selected candidates exceed the unchecked limit,  the	search
	      will  abort  with "Unwilling to perform".	 If it is set to -1 or
	      to the keyword "none", no limit is applied (the default).	 If no
	      flag  is	set,  the value is assigned to the soft limit, and the
	      hard limit is set to zero, to preserve the original behavior.

	      In case of no match, the global limits are  used.	  The  default
	      values  are the same of sizelimit and timelimit; no limit is set
	      on unchecked.

       loglevel <integer>
	      Specify the level at which debugging  statements	and  operation
	      statistics   should   be	syslogged  (currently  logged  to  the
	      syslogd(8) LOG_LOCAL4 facility).	Log levels are	additive,  and
	      available levels are:
		     1	    trace function calls
		     2	    debug packet handling
		     4	    heavy trace debugging
		     8	    connection management
		     16	    print out packets sent and received
		     32	    search filter processing
		     64	    configuration file processing
		     128    access control list processing
		     256    stats log connections/operations/results
		     512    stats log entries sent
		     1024   print communication with shell backends
		     2048   entry parsing

       moduleload <filename>
	      Specify  the  name of a dynamically loadable module to load. The
	      filename may be an absolute path name or a simple filename. Non-
	      absolute	names are searched for in the directories specified by
	      the modulepath option. This option and the modulepath option are
	      only usable if slapd was compiled with --enable-modules.

       modulepath <pathspec>
	      Specify  a  list	of directories to search for loadable modules.
	      Typically the path is colon-separated but this  depends  on  the
	      operating system.

       objectclass  (  <oid> [NAME <name>] [DESC <description] [OBSOLETE] [SUP
	      <oids>] [{ ABSTRACT | STRUCTURAL | AUXILIARY  }]	[MUST  <oids>]
	      [MAY <oids>] )
	      Specify  an  objectclass	using the LDAPv3 syntax defined in RFC
	      2252.  The slapd parser  extends	the  RFC  2252	definition  by
	      allowing string forms as well as numeric OIDs to be used for the
	      object  class  OID.   (See  the  objectidentifier	 description.)
	      Object classes are "STRUCTURAL" by default.

       objectidentifier <name> { <oid> | <name>[:<suffix>] }
	      Define  a	 string name that equates to the given OID. The string
	      can be used in place of  the  numeric  OID  in  objectclass  and
	      attribute	 definitions.  The name can also be used with a suffix
	      of the form ":xx" in which case the value "oid.xx" will be used.

       password-hash <hash>
	      This option sets the hash to  be	used  in  generation  of  user
	      passwords,  stored  in  userPassword,  during processing of LDAP
	      Password Modify Extended Operations (RFC 3052).  The <hash> must
	      be   one	 of   {SSHA},	{SHA},	{SMD5},	 {MD5},	 {CRYPT},  and
	      {CLEARTEXT}.  The default is {SSHA}.

	      {SHA} and {SSHA} use  the	 SHA-1	algorithm  (FIPS  160-1),  the
	      latter with a seed.

	      {MD5}  and  {SMD5}  use the MD5 algorithm (RFC 1321), the latter
	      with a seed.

	      {CRYPT} uses the crypt(3).

	      {CLEARTEXT} indicates that the new password should be  added  to
	      userPassword as clear text.

	      Note   that   this   option  does	 not  alter  the  normal  user
	      applications handling of userPassword during LDAP	 Add,  Modify,
	      or other LDAP operations.

       password-crypt-salt-format <format>
	      Specify	the  format  of	 the  salt  passed  to	crypt(3)  when
	      generating  {CRYPT}   passwords	(see   password-hash)	during
	      processing  of  LDAP  Password  Modify  Extended Operations (RFC
	      3062).

	      This string needs to be in sprintf(3) format and may include one
	      (and   only   one)  %s  conversion.   This  conversion  will  be
	      substituted with a string random characters from	[A-Za-z0-9./].
	      For  example, "%.2s" provides a two character salt and "$1$%.8s"
	      tells some versions of crypt(3) to  use  an  MD5	algorithm  and
	      provides	8  random  characters  of  salt.  The default is "%s",
	      which provides 31 characters of salt.

       pidfile <filename>
	      The ( absolute ) name  of	 a  file  that	will  hold  the	 slapd
	      server's	process	 ID  (	see getpid(2) ) if started without the
	      debugging command line option.

       referral <url>
	      Specify the referral to pass back when slapd(8)  cannot  find  a
	      local  database  to  handle  a  request.	 If specified multiple
	      times, each url is provided.

       require <conditions>
	      Specify a set  of	 conditions  (separated	 by  white  space)  to
	      require (default none).  The directive may be specified globally
	      and/or per-database.  bind  requires  bind  operation  prior  to
	      directory	 operations.  LDAPv3 requires session to be using LDAP
	      version 3.  authc requires  authentication  prior	 to  directory
	      operations.    SASL   requires   SASL  authentication  prior  to
	      directory operations.   strong  requires	strong	authentication
	      prior  to	 directory  operations.	  The  strong  keyword	allows
	      protected	  "simple"   authentication   as    well    as	  SASL
	      authentication.	none  may  be  used  to	 require no conditions
	      (useful for clearly globally set conditions within a  particular
	      database).

       reverse-lookup on | off
	      Enable/disable client name unverified reverse lookup (default is
	      off if compiled with --enable-rlookups).

       rootDSE <file>
	      Specify the name of an  LDIF(5)  file  containing	 user  defined
	      attributes  for  the root DSE.  These attributes are returned in
	      addition to the attributes normally produced by slapd.

       sasl-authz-policy <policy>
	      Used to specify which rules to use for SASL Proxy Authorization.
	      Proxy  authorization  allows  a  client  to  authenticate to the
	      server using one user's credentials,  but	 specify  a  different
	      identity	to  use for authorization and access control purposes.
	      It essentially allows user A to login as user B, using user  A's
	      password.	  The  none flag disables proxy authorization. This is
	      the default setting.  The	 from  flag  will  use	rules  in  the
	      saslAuthzFrom  attribute	of  the authorization DN.  The to flag
	      will  use	 rules	 in   the   saslAuthzTo	  attribute   of   the
	      authentication  DN.  The both flag will allow both of the above.
	      The rules are simply regular expressions	specifying  which  DNs
	      are  allowed  to	perform proxy authorization. The saslAuthzFrom
	      attribute in an entry specifies which other users are allowed to
	      proxy login to this entry. The saslAuthzTo attribute in an entry
	      specifies which other users this user can authorize as.  Use  of
	      saslAuthzTo  rules  can be easily abused if users are allowed to
	      write arbitrary  values  to  this	 attribute.   In  general  the
	      saslAuthzTo attribute must be protected with ACLs such that only
	      privileged users can modify it.

       sasl-host <fqdn>
	      Used to specify the fully qualified domain name  used  for  SASL
	      processing.

       sasl-realm <realm>
	      Specify SASL realm.  Default is empty.

       sasl-regexp <match> <replace>
	      Used  by	the  SASL  authorization  mechanism  to convert a SASL
	      authenticated username to an  LDAP  DN.  When  an	 authorization
	      request is received, the SASL USERNAME, REALM, and MECHANISM are
	      taken, when available, and combined into a SASL name of the form

		     uid=<username>[,cn=<realm>],cn=<mechanism>,cn=auth

	      This SASL name  is  then	compared  against  the	match  regular
	      expression,  and	if  the	 match is successful, the SASL name is
	      replaced with the replace string. If there are wildcard  strings
	      in   the	 match	 regular   expression  that  are  enclosed  in
	      parenthesis, e.g.

			    uid=(.*),cn=.*

	      then the portion of the SASL name that matched the wildcard will
	      be  stored in the numbered placeholder variable $1. If there are
	      other wildcard strings in parenthesis, the matching strings will
	      be  in  $2, $3, etc. up to $9. The placeholders can then be used
	      in the replace string, e.g.

			    cn=$1,ou=Accounts,dc=$2,dc=$4.

	      The replaced SASL name can be either a DN or an LDAP URI. If the
	      latter,  the  slapd  server  will	 use the URI to search its own
	      database, and if the search returns exactly one entry, the  SASL
	      name  is replaced by the DN of that entry.  Multiple sasl-regexp
	      options can be given in the  configuration  file	to  allow  for
	      multiple	 matching   and	 replacement  patterns.	 The  matching
	      patterns are checked in the  order  they	appear	in  the	 file,
	      stopping at the first successful match.

       sasl-secprops <properties>
	      Used  to	specify Cyrus SASL security properties.	 The none flag
	      (without any  other  properities)	 causes	 the  flag  properites
	      default, "noanonymous,noplain", to be cleared.  The noplain flag
	      disables mechanisms susceptible to simple passive attacks.   The
	      noactive flag disables mechanisms susceptible to active attacks.
	      The nodict  flag	disables  mechanisms  susceptible  to  passive
	      dictionary  attacks.   The  noanonymous flag disables mechanisms
	      which support anonymous  login.	The  forwardsec	 flag  require
	      forward	secrecy	  between   sessions.	The  passcred  require
	      mechanisms which pass client credentials (and  allow  mechanisms
	      which  can  pass	credentials  to	 do  so).  The minssf=<factor>
	      property specifies  the  minimum	acceptable  security  strength
	      factor  as  an  integer approximate to effective key length used
	      for encryption.  0  (zero)  implies  no  protection,  1  implies
	      integrity	 protection only, 56 allows DES or other weak ciphers,
	      112 allows triple DES and other strong ciphers, 128 allows  RC4,
	      Blowfish	and  other  modern  strong ciphers.  The default is 0.
	      The maxssf=<factor> property specifies  the  maximum  acceptable
	      security strength factor as an integer (see minssf description).
	      The  default  is	INT_MAX.    The	  maxbufsize=<size>   property
	      specifies	  the  maximum	security  layer	 receive  buffer  size
	      allowed.	0 disables security layers.  The default is 65536.

       schemadn <dn>
	      Specify the distinguished name for the subschema	subentry  that
	      controls	 the   entries	 on   this  server.   The  default  is
	      "cn=Subschema".

       security <factors>
	      Specify a set of factors (separated by white space) to  require.
	      An  integer  value is associated with each factor and is roughly
	      equivalent of the encryption key length to require.  A value  of
	      112 is equivalent to 3DES, 128 to Blowfish, etc..	 The directive
	      may  be  specified  globally   and/or   per-database.    ssf=<n>
	      specifies	 the  overall security strength factor.	 transport=<n>
	      specifies	 the  transport	 security  strength  factor.   tls=<n>
	      specifies	 the TLS security strength factor.  sasl=<n> specifies
	      the SASL security strength factor.  update_ssf=<n> specifies the
	      overall  security	 strength  factor  to  require	for  directory
	      updates.	update_transport=<n> specifies the transport  security
	      strength	  factor    to	  require   for	  directory   updates.
	      update_tls=<n> specifies the TLS	security  strength  factor  to
	      require  for  directory  updates.	 update_sasl=<n> specifies the
	      SASL security strength factor to require for directory  updates.
	      simple_bind=<n>  specifies the security strength factor required
	      for simple  username/password  authentication.   Note  that  the
	      transport	  factor  is  measure  of  security  provided  by  the
	      underlying transport, e.g. ldapi:// (and eventually IPSEC).   It
	      is not normally used.

       sizelimit {<integer>|unlimited}

       sizelimit size[.{soft|hard|unchecked}]=<integer> [...]
	      Specify  the  maximum  number of entries to return from a search
	      operation.  The default size limit is 500.  Use -1 or  unlimited
	      to  specify  no  limits.	 The second format allows a fine grain
	      setting of the size limits.  Extra args can be added on the same
	      line.  See limits for an explanation of the different flags.

       sockbuf_max_incoming <integer>
	      Specify  the  maximum  incoming  LDAP  PDU  size	for  anonymous
	      sessions.	 The default is 262143.

       sockbuf_max_incoming_auth <integer>
	      Specify the maximum incoming LDAP	 PDU  size  for	 authenticated
	      sessions.	 The default is 4194303.

       srvtab <filename>
	      Specify the srvtab file in which the kerberos keys necessary for
	      authenticating clients using kerberos can be found. This	option
	      is only meaningful if you are using Kerberos authentication.

       threads <integer>
	      Specify  the  maximum  size  of  the  primary  thread pool.  The
	      default is 16.

       timelimit {<integer>|unlimited}

       timelimit time[.{soft|hard}]=<integer> [...]
	      Specify the maximum number of seconds (in real time) slapd  will
	      spend  answering	a  search  request.  The default time limit is
	      3600.  Use -1 or unlimited to specify  no	 limits.   The	second
	      format  allows  a	 fine grain setting of the time limits.	 Extra
	      args can	be  added  on  the  same  line.	  See  limits  for  an
	      explanation of the different flags.

       ucdata-path <path>
	      Specify  the  path  to  the  directory  containing  the  Unicode
	      character tables. The default path is /var/db/openldap/ucdata.

TLS OPTIONS
       If slapd is built with support for Transport Layer Security, there  are
       more options you can specify.

       TLSCipherSuite <cipher-suite-spec>
	      Permits  configuring  what  ciphers  will	 be  accepted  and the
	      preference  order.   <cipher-suite-spec>	should	be  a	cipher
	      specification for OpenSSL.  Example:

	      TLSCipherSuite HIGH:MEDIUM:+SSLv2

	      To check what ciphers a given spec selects, use:

	      openssl ciphers -v <cipher-suite-spec>

       TLSCACertificateFile <filename>
	      Specifies	 the  file  that  contains certificates for all of the
	      Certificate Authorities that slapd will recognize.

       TLSCACertificatePath <path>
	      Specifies the path of  a	directory  that	 contains  Certificate
	      Authority	 certificates  in  separate  individual files. Usually
	      only one of this or the TLSCACertificateFile is used.

       TLSCertificateFile <filename>
	      Specifies the file that contains the slapd server certificate.

       TLSCertificateKeyFile <filename>
	      Specifies the file that contains the slapd  server  private  key
	      that  matches  the  certificate stored in the TLSCertificateFile
	      file.  Currently, the private key must not be protected  with  a
	      password,	 so  it is of critical importance that it is protected
	      carefully.

       TLSRandFile <filename>
	      Specifies	 the  file   to	  obtain   random   bits   from	  when
	      /dev/[u]random  is  not available.  Generally set to the name of
	      the EGD/PRNGD socket.  The  environment  variable	 RANDFILE  can
	      also be used to specify the filename.

       TLSVerifyClient <level>
	      Specifies	 what  checks  to perform on client certificates in an
	      incoming TLS session, if any.  The <level> can be	 specified  as
	      one of the following keywords:

	      never  This is the default.  slapd will not ask the client for a
		     certificate.

	      allow  The client certificate is requested.  If  no  certificate
		     is	 provided,  the	 session  proceeds normally.  If a bad
		     certificate is provided,  it  will	 be  ignored  and  the
		     session proceeds normally.

	      try    The  client  certificate is requested.  If no certificate
		     is provided, the session proceeds	normally.   If	a  bad
		     certificate  is  provided,	 the  session  is  immediately
		     terminated.

	      demand | hard | true
		     These keywords  are  all  equivalent,  for	 compatibility
		     reasons.	The  client  certificate  is requested.	 If no
		     certificate  is  provided,	 or  a	bad   certificate   is
		     provided, the session is immediately terminated.

		     Note that a valid client certificate is required in order
		     to use the SASL EXTERNAL authentication mechanism with  a
		     TLS  session.   As	 such,	a  non-default TLSVerifyClient
		     setting  must  be	chosen	 to   enable   SASL   EXTERNAL
		     authentication.

GENERAL BACKEND OPTIONS
       Options	in  this  section only apply to the configuration file section
       for the specified  backend.   They  are	supported  by  every  type  of
       backend.

       backend <databasetype>
	      Mark  the	 beginning  of	a  backend  definition. <databasetype>
	      should be one of bdb, dnssrv, ldap, ldbm, meta,  monitor,	 null,
	      passwd,  perl,  shell,  sql,  or tcl, depending on which backend
	      will serve the database.

GENERAL DATABASE OPTIONS
       Options in this section only apply to the  configuration	 file  section
       for  the	 database  in  which  they are defined.	 They are supported by
       every type of backend.  Note that the database and at least one	suffix
       option are mandatory for each database.

       database <databasetype>
	      Mark  the	 beginning  of	a  new	database  instance definition.
	      <databasetype> should be one of bdb, dnssrv, ldap,  ldbm,	 meta,
	      monitor,	null,  passwd,	perl, shell, sql, or tcl, depending on
	      which backend will serve the database.

       lastmod on | off
	      Controls	whether	 slapd	 will	automatically	maintain   the
	      modifiersName,	  modifyTimestamp,	creatorsName,	   and
	      createTimestamp attributes for entries.  By default, lastmod  is
	      on.

       maxderefdepth <depth>
	      Specifies	 the  maximum  number  of  aliases to dereference when
	      trying to resolve an entry, used to avoid inifinite alias loops.
	      The default is 1.

       readonly on | off
	      This  option  puts  the  database	 into  "read-only"  mode.  Any
	      attempts to modify the database will  return  an	"unwilling  to
	      perform" error.  By default, readonly is off.

       replica	 host=<hostname>[:port]	  [tls=yes|critical]  [suffix=<suffix>
	      [...]]	  bindmethod=simple|sasl     [binddn=<simple	  DN>]
	      [credentials=<simple     password>]    [saslmech=<SASL	mech>]
	      [secprops=<properties>] [realm=<realm>] [authcId=<authentication
	      ID>] [authzId=<authorization ID>] [attr[!]=<attr list>]
	      Specify  a  replication  site  for  this database.  Refer to the
	      "OpenLDAP Administrator's Guide"	for  detailed  information  on
	      setting  up  a  replicated slapd directory service. Zero or more
	      suffix instances can be used to select the subtrees that will be
	      replicated  (defaults  to	 all  the  database).  A bindmethod of
	      simple requires the options binddn and  credentials  and	should
	      only  be used when adequate security services (e.g TLS or IPSEC)
	      are in place. A bindmethod of sasl requires the option saslmech.
	      Specific	security properties (as with the sasl-secprops keyword
	      above) for a SASL bind can be set with the  secprops  option.  A
	      non-default SASL realm can be set with the realm option.	If the
	      mechanism will use Kerberos, a kerberos instance should be given
	      in authcId.  An attr list can be given after the attr keyword to
	      allow the selective replication of the listed  attributes	 only;
	      if  the  optional	 !   mark  is  used,  the  list	 is considered
	      exclusive, i.e. the listed attributes are not replicated.	 If an
	      objectClass  is listed, all the related attributes are (are not)
	      replicated.

       replogfile <filename>
	      Specify the name of the replication log file to log changes  to.
	      The replication log is typically written by slapd(8) and read by
	      slurpd(8).   See	slapd.replog(5)	 for  more  information.   The
	      specified	 file  should  be  located in a directory with limited
	      read/write/execute access as the replication  logs  may  contain
	      sensitive information.

       rootdn <dn>
	      Specify  the  distinguished  name	 that is not subject to access
	      control or administrative limit restrictions for	operations  on
	      this  database.	This  DN  may or may not be associated with an
	      entry.  An empty root DN (the default) specifies no root	access
	      is  to  be  granted.   It is recommended that the rootdn only be
	      specified when needed  (such  as	when  initially	 populating  a
	      database).   If the rootdn is within a namingContext (suffix) of
	      the database, a simple bind password may also be provided	 using
	      the rootpw directive.

       rootpw <password>
	      Specify  a  password  (or	 hash of the password) for the rootdn.
	      The password can only  be	 set  if  the  rootdn  is  within  the
	      namingContext (suffix) of the database.  This option accepts all
	      RFC 2307 userPassword formats known to the server (see password-
	      hash  desription)	 as  well  as cleartext.  slappasswd(8) may be
	      used to generate a hash of a password.   Cleartext  and  {CRYPT}
	      passwords	  are	not  recommended.   If	empty  (the  default),
	      authentication of the root DN is by  other  means	 (e.g.	SASL).
	      Use of SASL is encouraged.

       suffix <dn suffix>
	      Specify  the  DN	suffix	of queries that will be passed to this
	      backend database.	 Multiple suffix lines can  be	given  and  at
	      least  one  is  required	for  each database definition.	If the
	      suffix of one database is "inside" that of another, the database
	      with the inner suffix must come first in the configuration file.

       subordinate
	      Specify  that  the  current backend database is a subordinate of
	      another backend database. A subordinate database may  have  only
	      one  suffix.  This option may be used to glue multiple databases
	      into a single namingContext.   If	 the  suffix  of  the  current
	      database	is  within  the	 namingContext of a superior database,
	      searches against the superior database will be propagated to the
	      subordinate  as  well.  All  of  the databases associated with a
	      single namingContext should have identical rootdns.  Behavior of
	      other   LDAP  operations	is  unaffected	by  this  setting.  In
	      particular, it is not possible to use moddn  to  move  an	 entry
	      from   one   subordinate	 to  another  subordinate  within  the
	      namingContext.

       updatedn <dn>
	      This option is only applicable in a slave slapd.	 It  specifies
	      the  DN  allowed to make changes to the replica (typically, this
	      is the  DN  slurpd(8)  binds  as	when  making  changes  to  the
	      replica).

       updateref <url>
	      Specify  the  referral  to  pass	back when slapd(8) is asked to
	      modify a	replicated  local  database.   If  specified  multiple
	      times, each url is provided.

DATABASE-SPECIFIC OPTIONS
       Each  database  may  allow  specific  configuration  options;  they are
       documented separately in the slapd-<backend>(5) manual pages.

EXAMPLES
       Here is a short example of a configuration file:

	      include	/etc/openldap/schema/core.schema
	      pidfile	/var/run/slapd.pid

	      # Subtypes of "name" (e.g. "cn" and "ou") with the
	      # option ";x-hidden" can be searched for/compared,
	      # but are not shown.  See slapd.access(5).
	      attributeoptions x-hidden lang-
	      access to attr=name;x-hidden by * =cs

	      database	bdb
	      suffix	"dc=our-domain,dc=com"
	      # The database directory MUST exist prior to
	      # running slapd AND should only be accessible
	      # by the slapd/tools. Mode 700 recommended.
	      directory /var/db/openldap/openldap-data
	      # Indices to maintain
	      index	objectClass  eq
	      index	cn,sn,mail   pres,eq,approx,sub

	      # We serve small clients that do not handle referrals,
	      # so handle remote lookups on their behalf.
	      database	ldap
	      suffix	""
	      uri	ldap://ldap.some-server.com/
	      lastmod	off

       "OpenLDAP Administrator's Guide" contains a longer annotated example of
       a configuration file.  The original /etc/openldap/slapd.conf is another
       example.

FILES
       /etc/openldap/slapd.conf
	      default slapd configuration file

SEE ALSO
       ldap(3), slapd-bdb(5), slapd-dnssrv(5),	slapd-ldap(5),	slapd-ldbm(5),
       slapd-meta(5),  slapd-null(5),  slapd-passwd(5),	 slapd-perl(5), slapd-
       shell(5), slapd-sql(5), slapd-tcl(5), slapd.replog(5), slapd.access(5),
       locale(5),     slapd(8),	   slapadd(8),	  slapcat(8),	 slapindex(8),
       slappassword(8), slurpd(8),

       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

ACKNOWLEDGEMENTS
       OpenLDAP	 is  developed	and  maintained	 by   The   OpenLDAP   Project
       (http://www.openldap.org/).   OpenLDAP  is  derived  from University of
       Michigan LDAP 3.3 Release.

OpenLDAP 2.1.X			  RELEASEDATE			 SLAPD.CONF(5)
[top]

List of man pages available for OpenDarwin

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
...................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net