SLAPD.CONF(5)
NAME
slapd.conf - configuration file for slapd, the stand-alone
LDAP daemon
SYNOPSIS
ETCDIR/slapd.conf
DESCRIPTION
The file ETCDIR/slapd.conf contains configuration informa-
tion for the slapd(8) daemon. This configuration file is
also used by the slurpd(8) replication daemon and by the
SLAPD tools slapadd(8), slapcat(8), and slapindex(8).
The slapd.conf file consists of a series of global config-
uration options that apply to slapd as a whole (including
all backends), followed by zero or more database backend
definitions that contain information specific to a backend
instance.
The general format of slapd.conf is as follows:
# comment - these options apply to every database
<global configuration options>
# first database definition & configuration options
database <backend 1 type>
<configuration options specific to backend 1>
# subsequent database definitions & configuration options
...
As many backend-specific sections as desired may be
included. Global options can be overridden in a backend
(for options that appear more than once, the last appear-
ance in the slapd.conf file is used). Blank lines and
comment lines beginning with a `#' character are ignored.
If a line begins with white space, it is considered a con-
tinuation of the previous line.
Arguments on configuration lines are separated by white
space. If an argument contains white space, the argument
should be enclosed in double quotes. If an argument con-
tains a double quote (`"') or a backslash character (`\'),
the character should be preceded by a backslash character.
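The following tokenizer implements the line rules just described (comment and blank lines, continuation lines beginning with white space, white-space separated arguments, double-quoted arguments, backslash escapes, and last appearance wins for an option given more than once). It is an added illustration written for this page, not OpenLDAP's own configuration parser, and the SAMPLE text it parses is constructed:

```python
"""Tokenizer for the slapd.conf line format: '#' comment lines and blank
lines are ignored, a line beginning with white space continues the previous
line, arguments are separated by white space, double quotes group an argument
containing white space, and a backslash escapes the next character.
Added example, not OpenLDAP's own parser."""
from typing import List, Optional, Tuple


def logical_lines(text: str) -> List[str]:
    """Join continuation lines and drop blank and comment lines."""
    out: List[str] = []
    prev_was_directive = False
    for raw in text.splitlines():
        if not raw.strip():
            continue                       # blank line
        if raw[0] in " \t":
            # continuation: belongs to the previous directive line; a
            # continuation following a comment has nothing to attach to
            if prev_was_directive:
                out[-1] += " " + raw.strip()
            continue
        if raw.startswith("#"):
            prev_was_directive = False
            continue
        out.append(raw.rstrip())
        prev_was_directive = True
    return out


def split_args(line: str) -> List[str]:
    """Split one logical line into its arguments."""
    args: List[str] = []
    cur: List[str] = []
    in_quotes = False
    have_token = False
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])        # \" and \\ stand for " and \
            have_token = True
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes      # quotes group; they are not kept
            have_token = True
        elif ch.isspace() and not in_quotes:
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
        i += 1
    if in_quotes:
        raise ValueError("unterminated double quote: " + line)
    if have_token:
        args.append("".join(cur))
    return args


def parse(text: str) -> List[Tuple[str, List[str]]]:
    """Return (directive, arguments) pairs in file order."""
    result = []
    for line in logical_lines(text):
        args = split_args(line)
        if args:
            result.append((args[0].lower(), args[1:]))
    return result


def effective(directives: List[Tuple[str, List[str]]],
              name: str) -> Optional[List[str]]:
    """Last appearance wins for an option given more than once (this flat
    view ignores that a database section can override a global option)."""
    hits = [args for d, args in directives if d == name.lower()]
    return hits[-1] if hits else None


# Constructed sample, not a real deployment.
SAMPLE = """\
# comment lines and blank lines are ignored
suffix "dc=our-domain,dc=com"

access to attr=userPassword
    by self write
    by * auth
sizelimit 500
sizelimit 200
"""

if __name__ == "__main__":
    for directive, args in parse(SAMPLE):
        print(directive, args)
    print("effective sizelimit:", effective(parse(SAMPLE), "sizelimit"))
```

split_args keeps the escaped character and drops the grouping quotes, so "dc=our-domain,dc=com" and dc=our-domain,dc=com yield the same argument; quoting is the only way to carry white space inside one argument.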
The specific configuration options available are discussed
below in the Global Configuration Options, General Backend
Options, and General Database Options. Backend-specific
options are discussed in the slapd-<backend>(5) manual
pages. Refer to the "OpenLDAP Administrator's Guide" for
more details on the slapd configuration file.
GLOBAL CONFIGURATION OPTIONS
Options described in this section apply to all backends,
unless specifically overridden in a backend definition.
Arguments that should be replaced by actual text are shown
in brackets <>.
access to <what> [ by <who> <access> <control> ]+
Grant access (specified by <access>) to a set of
entries and/or attributes (specified by <what>) by
one or more requestors (specified by <who>). See
slapd.access(5) and the "OpenLDAP's Administrator's
Guide" for details.
allow <features>
Specify a set of features (separated by white
space) to allow (default none). bind_v2 allows
acceptance of LDAPv2 bind requests. Note that
slapd(8) does not truly implement LDAPv2 (RFC
1777), now Historic (RFC 3494). bind_anon_cred
allows an anonymous bind (empty DN) to carry
non-empty credentials. bind_anon_dn allows an
unauthenticated (anonymous) bind, i.e. one with
empty credentials, when the DN is not empty.
Clients that treat any successful bind as proof
of authentication are misled by bind_anon_dn,
since the bind succeeds without a password; leave
it off unless an application needs it.
update_anon allows unauthenticated (anonymous)
update operations to be processed (subject to
access controls and other administrative limits).
argsfile <filename>
The (absolute) name of a file that will hold the
slapd server's command line options if started
without the debugging command line option.
attributeoptions [option-name]...
Define tagging attribute options or option
tag/range prefixes. Options must not end with `-',
prefixes must end with `-'. The `lang-' prefix is
predefined. If you use the attributeoptions direc-
tive, `lang-' will no longer be defined and you
must specify it explicitly if you want it defined.
An attribute description with a tagging option is a
subtype of that attribute description without the
option. Except for that, options defined this way
have no special semantics. Prefixes defined this
way work like the `lang-' options: They define a
prefix for tagging options starting with the pre-
fix. That is, if you define the prefix `x-foo-',
you can use the option `x-foo-bar'. Furthermore,
in a search or compare, a prefix or range name
(with a trailing `-') matches all options starting
with that name, as well as the option with the
range name sans the trailing `-'. That is, `x-foo-
bar-' matches `x-foo-bar' and `x-foo-bar-baz'.
RFC2251 reserves options beginning with `x-' for
private experiments. Other options should be reg-
istered with IANA, see RFC3383 section 3.4. OpenL-
DAP also has the `binary' option built in, but this
is a transfer option, not a tagging option.
attributetype ( <oid> [NAME <name>] [OBSOLETE]
[DESC <description>] [SUP <oid>] [EQUALITY <oid>]
[ORDERING <oid>] [SUBSTR <oid>] [SYNTAX <oidlen>]
[SINGLE-VALUE] [COLLECTIVE] [NO-USER-MODIFICATION]
[USAGE <attributeUsage>] )
Specify an attribute type using the LDAPv3 syntax
defined in RFC 2252. The slapd parser extends the
RFC 2252 definition by allowing string forms as
well as numeric OIDs to be used for the attribute
OID and attribute syntax OID. (See the
objectidentifier description.)
concurrency <integer>
Specify a desired level of concurrency. Provided
to the underlying thread system as a hint. The
default is not to provide any hint.
conn_max_pending <integer>
Specify the maximum number of pending requests for
an anonymous session. If requests are submitted
faster than the server can process them, they will
be queued up to this limit. If the limit is
exceeded, the session is closed. The default is
100.
conn_max_pending_auth <integer>
Specify the maximum number of pending requests for
an authenticated session. The default is 1000.
defaultsearchbase <dn>
Specify a default search base to use when client
submits a non-base search request with an empty
base DN.
disallow <features>
Specify a set of features (separated by white
space) to disallow (default none). bind_anon
disables acceptance of anonymous bind requests.
bind_simple disables simple (bind) authentication.
bind_krbv4 disables Kerberos V4 (bind)
authentication. tls_2_anon prevents StartTLS from
forcing the session to anonymous status (see also
tls_authc). tls_authc disallows StartTLS on a
session that is already authenticated (see also
tls_2_anon).
gentlehup { on | off }
A SIGHUP signal will only cause a 'gentle'
shutdown-attempt: Slapd will stop listening for new
connections, but will not close the connections to
the current clients. Future write operations
return unwilling-to-perform, though. Slapd
terminates when all clients have closed their
connections (if they ever do), or - as before - if
it receives a SIGTERM signal. This can be useful
if you wish to terminate the server and start a new
slapd server with another database, without
disrupting the currently active clients. The
default is off. You may wish to use idletimeout
along with this option.
idletimeout <integer>
Specify the number of seconds to wait before
forcibly closing an idle client connection. An
idletimeout of 0 disables this feature. The
default is 0.
include <filename>
Read additional configuration information from the
given file before continuing with the next line of
the current file.
limits <who> <limit> [<limit> [...]]
Specify time and size limits based on who initiated
an operation. The argument who can be any of
anonymous | users | [dn[.<style>]=]<pattern>
with
<style> ::= exact | base | one | subtree |
children | regex | anonymous
anonymous is hit when a search is performed without
prior binding; users is hit when a search is
performed by a successfully bound user; otherwise a
regex dn pattern is assumed unless otherwise
specified by qualifying the (optional) key string
dn with exact or base (which are synonyms), to
require an exact match; with one, to require
exactly one level of depth match; with subtree, to
allow any level of depth match, including the exact
match; with children, to allow any level of depth
match, not including the exact match; regex
explicitly requires the (default) match based on a
regular expression pattern, as detailed in
regex(7). Finally, anonymous matches unbound
operations; the pattern field is ignored. The same
behavior is obtained by using the anonymous form of
the who clause.
The currently supported limits are size and time.
The syntax for time limits is
time[.{soft|hard}]=<integer>, where integer is the
number of seconds slapd will spend answering a
search request. If no time limit is explicitly
requested by the client, the soft limit is used; if
the requested time limit exceeds the hard limit,
an "Administrative limit exceeded" is returned. If
the hard limit is set to 0 or to the keyword
"soft", the soft limit is used in either case; if
it is set to -1 or to the keyword "none", no hard
limit is enforced. Explicit requests for time
limits smaller than or equal to the hard limit are
honored. If no flag is set, the value is assigned
to the soft limit, and the hard limit is set to
zero, to preserve the original behavior.
The syntax for size limits is
size[.{soft|hard|unchecked}]=<integer>, where
integer is the maximum number of entries slapd will
return answering a search request. If no size
limit is explicitly requested by the client, the
soft limit is used; if the requested size limit
exceeds the hard limit, an "Administrative limit
exceeded" is returned. If the hard limit is set to
0 or to the keyword "soft", the soft limit is used
in either case; if it is set to -1 or to the
keyword "none", no hard limit is enforced.
Explicit requests for size limits smaller than or
equal to the hard limit are honored. The unchecked
flag sets a limit on the number of candidates a
search request is allowed to examine. If the
selected candidates exceed the unchecked limit, the
search will abort with "Unwilling to perform". If
it is set to -1 or to the keyword "none", no limit
is applied (the default). If no flag is set, the
value is assigned to the soft limit, and the hard
limit is set to zero, to preserve the original
behavior.
In case of no match, the global limits are used.
The default values are the same as sizelimit and
timelimit; no limit is set on unchecked.
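A worked set of limits lines, added here as an example for this page (not taken from the man page or from an OpenLDAP distribution). The DNs are placeholders; the ordering advice in the comments assumes, as slapd does, that the first limits line matching a requester is the one applied, and the use of -1 for a soft limit follows the sizelimit/timelimit convention of -1 meaning unlimited:

```conf
# Anonymous requesters: tiny soft limits and a hard cap they cannot raise.
# A client that asks for more than 10 entries gets "Administrative limit
# exceeded" instead of a larger answer.
limits anonymous size.soft=10 size.hard=10 time.soft=30 time.hard=30
# A reporting account gets no size or time limits at all; it is listed
# before the generic "users" line so that it is matched first.
limits dn.exact="cn=reports,ou=Services,dc=our-domain,dc=com" size.soft=-1 size.hard=none time.soft=-1 time.hard=none
# Administrators may request anything, but the default answer stays at 500.
limits dn.children="ou=Admins,dc=our-domain,dc=com" size.soft=500 size.hard=none
# Everybody else who has bound: 500 entries unless they ask for more, never
# more than 2000, and searches that would have to examine more than 10000
# candidates are refused with "Unwilling to perform".
limits users size.soft=500 size.hard=2000 size.unchecked=10000 time.soft=300 time.hard=600
```

The hard limit is what stops an unauthenticated client from simply requesting a larger answer; the unchecked limit protects the server from unindexed searches that would scan most of the database regardless of how few entries are finally returned.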
loglevel <integer>
Specify the level at which debugging statements and
operation statistics should be syslogged (currently
logged to the syslogd(8) LOG_LOCAL4 facility). Log
levels are additive, and available levels are:
1 trace function calls
2 debug packet handling
4 heavy trace debugging
8 connection management
16 print out packets sent and received
32 search filter processing
64 configuration file processing
128 access control list processing
256 stats log connections/operations/results
512 stats log entries sent
1024 print communication with shell backends
2048 entry parsing
moduleload <filename>
Specify the name of a dynamically loadable module
to load. The filename may be an absolute path name
or a simple filename. Non-absolute names are
searched for in the directories specified by the
modulepath option. This option and the modulepath
option are only usable if slapd was compiled with
--enable-modules.
modulepath <pathspec>
Specify a list of directories to search for
loadable modules. Typically the path is colon-
separated but this depends on the operating system.
Modules run with the privileges of slapd itself, so
these directories and the modules in them should be
writable only by the administrator.
objectclass ( <oid> [NAME <name>] [DESC <description>]
[OBSOLETE] [SUP <oids>] [{ ABSTRACT | STRUCTURAL |
AUXILIARY }] [MUST <oids>] [MAY <oids>] )
Specify an objectclass using the LDAPv3 syntax
defined in RFC 2252. The slapd parser extends the
RFC 2252 definition by allowing string forms as
well as numeric OIDs to be used for the object
class OID. (See the objectidentifier description.)
Object classes are "STRUCTURAL" by default.
objectidentifier <name> { <oid> | <name>[:<suffix>] }
Define a string name that equates to the given OID.
The string can be used in place of the numeric OID
in objectclass and attribute definitions. The name
can also be used with a suffix of the form ":xx" in
which case the value "oid.xx" will be used.
password-hash <hash>
This option sets the hash to be used in generation
of user passwords, stored in userPassword, during
processing of LDAP Password Modify Extended
Operations (RFC 3062). The <hash> must be one of
{SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, and
{CLEARTEXT}. The default is {SSHA}.
{SHA} and {SSHA} use the SHA-1 algorithm (FIPS
180-1), the latter with a salt.
{MD5} and {SMD5} use the MD5 algorithm (RFC 1321),
the latter with a salt.
{CRYPT} uses crypt(3).
{CLEARTEXT} indicates that the new password should
be added to userPassword as clear text.
The unsalted {SHA} and {MD5} forms produce the
same value for the same password everywhere, so
they can be attacked with precomputed tables;
prefer the salted {SSHA} default.
Note that this option only affects passwords set
through the Password Modify extended operation. A
userPassword value supplied by a client in an LDAP
Add, Modify, or other operation is stored as the
client sent it, hashed or not.
password-crypt-salt-format <format>
Specify the format of the salt passed to crypt(3)
when generating {CRYPT} passwords (see
password-hash) during processing of LDAP Password
Modify Extended Operations (RFC 3062).
This string needs to be in sprintf(3) format and
may include one (and only one) %s conversion. This
conversion will be substituted with a string of
random characters from [A-Za-z0-9./]. For example,
"%.2s" provides a two character salt and "$1$%.8s"
tells some versions of crypt(3) to use an MD5
algorithm and provides 8 random characters of salt.
The default is "%s", which provides 31 characters
of salt.
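The following code produces and verifies userPassword values in the {SSHA}, {SHA}, {SMD5}, {MD5} and cleartext forms named under password-hash, so that the difference between the salted and unsalted schemes can be seen on real values. It is an added example for this page, not OpenLDAP code (slappasswd(8) is the tool that does this for real). It assumes the {SSHA}/{SMD5} layout used by OpenLDAP, base64(digest(password || salt) || salt) with the salt appended after the fixed-length digest, and a 4-byte random salt; {CRYPT} is left out because it needs crypt(3):

```python
"""Produce and verify userPassword values in the {SSHA}, {SHA}, {SMD5},
{MD5} and cleartext forms named under password-hash. Added example, not
OpenLDAP code; slappasswd(8) does this for real. Assumes the OpenLDAP
layout base64(digest(password || salt) || salt) and a 4-byte random salt."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# scheme -> (hashlib name, digest length in bytes, salted?)
SCHEMES = {
    "SSHA": ("sha1", 20, True),
    "SHA":  ("sha1", 20, False),
    "SMD5": ("md5", 16, True),
    "MD5":  ("md5", 16, False),
}


def hash_password(password: str, scheme: str = "SSHA",
                  salt: Optional[bytes] = None) -> str:
    """Return the value slapd would store for a Password Modify request."""
    scheme = scheme.upper()
    if scheme == "CLEARTEXT":
        return password                    # stored verbatim, no {..} prefix
    algo, _, salted = SCHEMES[scheme]      # KeyError for {CRYPT} and unknowns
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(4)
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate password against a stored userPassword value."""
    if not stored.startswith("{"):         # cleartext value
        return hmac.compare_digest(stored.encode("utf-8"),
                                   password.encode("utf-8"))
    scheme, _, b64 = stored[1:].partition("}")
    if scheme.upper() not in SCHEMES:
        raise ValueError("unsupported scheme: {%s}" % scheme)
    algo, dlen, _ = SCHEMES[scheme.upper()]
    raw = base64.b64decode(b64)
    digest, salt = raw[:dlen], raw[dlen:]  # salt is whatever follows the digest
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def salted_hashes_differ(password: str) -> bool:
    """Two {SSHA} values of the same password differ (fresh salt each time),
    whereas two {SHA} values are identical and therefore precomputable."""
    ssha_unique = hash_password(password, "SSHA") != hash_password(password, "SSHA")
    sha_same = hash_password(password, "SHA") == hash_password(password, "SHA")
    return ssha_unique and sha_same


if __name__ == "__main__":
    for scheme in ("SSHA", "SHA", "SMD5", "MD5", "CLEARTEXT"):
        print(scheme, hash_password("secret", scheme))
```

verify_password reads the scheme from the stored value, which is how a server accepts all the listed formats at once; the constant-time comparison matters little for a hash stored server-side but costs nothing.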
pidfile <filename>
The (absolute) name of a file that will hold the
slapd server's process ID (see getpid(2)) if
started without the debugging command line option.
referral <url>
Specify the referral to pass back when slapd(8)
cannot find a local database to handle a request.
If specified multiple times, each url is provided.
require <conditions>
Specify a set of conditions (separated by white
space) to require (default none). The directive
may be specified globally and/or per-database.
bind requires a bind operation prior to directory
operations. LDAPv3 requires the session to be using
LDAP version 3. authc requires authentication
prior to directory operations. SASL requires SASL
authentication prior to directory operations.
strong requires strong authentication prior to
directory operations. The strong keyword allows
protected "simple" authentication as well as SASL
authentication. none may be used to require no
conditions (useful for clearing globally set
conditions within a particular database).
reverse-lookup on | off
Enable or disable unverified reverse DNS lookup of
client names (available only if compiled with
--enable-rlookups; default is off). Because the
lookup is unverified, the name it yields should
not be trusted for access decisions.
rootDSE <file>
Specify the name of an LDIF(5) file containing user
defined attributes for the root DSE. These
attributes are returned in addition to the
attributes normally produced by slapd.
sasl-authz-policy <policy>
Used to specify which rules to use for SASL Proxy
Authorization. Proxy authorization allows a client
to authenticate to the server using one user's
credentials, but specify a different identity to
use for authorization and access control purposes.
It essentially allows user A to log in as user B,
using user A's password. The none flag disables
proxy authorization. This is the default setting.
The from flag will use rules in the saslAuthzFrom
attribute of the authorization DN. The to flag
will use rules in the saslAuthzTo attribute of the
authentication DN. The both flag will allow both
of the above. The rules are simply regular
expressions specifying which DNs are allowed to
perform proxy authorization. The saslAuthzFrom
attribute in an entry specifies which other users
are allowed to proxy login to this entry. The
saslAuthzTo attribute in an entry specifies which
other users this user can authorize as. Use of
saslAuthzTo rules can be easily abused if users are
allowed to write arbitrary values to this
attribute. In general the saslAuthzTo attribute
must be protected with ACLs such that only
privileged users can modify it.
sasl-host <fqdn>
Used to specify the fully qualified domain name
used for SASL processing.
sasl-realm <realm>
Specify SASL realm. Default is empty.
sasl-regexp <match> <replace>
Used by the SASL authorization mechanism to convert
a SASL authenticated username to an LDAP DN. When
an authorization request is received, the SASL
USERNAME, REALM, and MECHANISM are taken, when
available, and combined into a SASL name of the
form
uid=<username>[,cn=<realm>],cn=<mechanism>,cn=auth
This SASL name is then compared against the match
regular expression, and if the match is successful,
the SASL name is replaced with the replace string.
If there are wildcard strings in the match regular
expression that are enclosed in parentheses, e.g.
uid=(.*),cn=.*
then the portion of the SASL name that matched the
wildcard will be stored in the numbered placeholder
variable $1. If there are other wildcard strings in
parentheses, the matching strings will be in $2,
$3, etc. up to $9. The placeholders can then be
used in the replace string, e.g.
cn=$1,ou=Accounts,dc=$2,dc=$4.
The replaced SASL name can be either a DN or an
LDAP URI. If the latter, the slapd server will use
the URI to search its own database, and if the
search returns exactly one entry, the SASL name is
replaced by the DN of that entry. Multiple sasl-
regexp options can be given in the configuration
file to allow for multiple matching and replacement
patterns. The matching patterns are checked in the
order they appear in the file, stopping at the
first successful match.
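The mapping just described can be simulated to see what a given set of sasl-regexp rules will do to a SASL name before it is trusted as an authorization DN. The code below is an added example for this page, not slapd's own implementation: it builds the SASL name, tries the (match, replace) pairs in file order, stops at the first match and expands $1..$9 from the parenthesised groups. It assumes that the match pattern is applied unanchored, as regexec(3) does (so anchor with ^ and $ yourself), and it does not model the LDAP-URI form of the replacement, which would need a directory search. The rules and names are constructed:

```python
"""Simulate the sasl-regexp mapping of a SASL name to an authorization DN.
Added example, not slapd's code. Assumes unanchored matching (regexec(3)
semantics) and leaves out the LDAP-URI replacement form."""
import re
from typing import List, Optional, Tuple


def sasl_name(username: str, mechanism: str, realm: Optional[str] = None) -> str:
    """uid=<username>[,cn=<realm>],cn=<mechanism>,cn=auth"""
    name = "uid=%s" % username
    if realm:
        name += ",cn=%s" % realm
    return name + ",cn=%s,cn=auth" % mechanism


def apply_sasl_regexps(name: str, rules: List[Tuple[str, str]]) -> str:
    """Return the authorization DN for a SASL name, or the name itself when
    no rule matches (first matching rule wins)."""
    for pattern, replacement in rules:
        m = re.search(pattern, name)
        if m is None:
            continue

        def group(ref: "re.Match[str]") -> str:
            i = int(ref.group(1))          # $1..$9
            if i > m.re.groups:
                return ""                  # placeholder without a group
            return m.group(i) or ""

        return re.sub(r"\$([1-9])", group, replacement)
    return name


# Constructed rules for a directory under dc=example,dc=com.
GOOD_RULES = [
    # GSSAPI users of the example.com realm: only the part before the first
    # comma is captured, so the user name cannot smuggle extra RDNs.
    (r"^uid=([^,]+),cn=example\.com,cn=gssapi,cn=auth$",
     "cn=$1,ou=people,dc=example,dc=com"),
    (r"^uid=([^,]+),cn=digest-md5,cn=auth$",
     "cn=$1,ou=people,dc=example,dc=com"),
]

# The unanchored, greedy form seen in many configurations: .* swallows
# ",cn=<realm>,cn=<mech>" and pastes it into the DN.
GREEDY_RULES = [
    (r"uid=(.*),cn=.*", "cn=$1,ou=people,dc=example,dc=com"),
]

if __name__ == "__main__":
    n = sasl_name("alice", "gssapi", "example.com")
    print(n, "->", apply_sasl_regexps(n, GOOD_RULES))
    print(n, "->", apply_sasl_regexps(n, GREEDY_RULES))
```

Because rules are tried in order and the first match wins, a broad pattern placed early shadows every more specific one after it; the greedy rule above also shows why captures should be limited to [^,]+ when the result is spliced into a DN.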
sasl-secprops <properties>
Used to specify Cyrus SASL security properties.
The none flag (without any other properties)
causes the default properties,
"noanonymous,noplain", to be cleared. The noplain
flag disables mechanisms susceptible to simple
passive attacks. The noactive flag disables
mechanisms susceptible to active attacks. The
nodict flag disables mechanisms susceptible to
passive dictionary attacks. The noanonymous flag
disables mechanisms which support anonymous login.
The forwardsec flag requires forward secrecy between
sessions. The passcred flag requires mechanisms which
pass client credentials (and allows mechanisms which
can pass credentials to do so). The
minssf=<factor> property specifies the minimum
acceptable security strength factor, an integer
approximating the effective key length used for
encryption. 0 (zero) implies no protection, 1
implies integrity protection only, 56 allows DES or
other weak ciphers, 112 allows triple DES and other
strong ciphers, 128 allows RC4, Blowfish and other
modern strong ciphers. The default is 0. (These
descriptions reflect the age of this page; DES and
RC4 are no longer considered adequate, so set
minssf to at least 128 in practice.) The
maxssf=<factor> property specifies the maximum
acceptable security strength factor as an integer
(see minssf description). The default is INT_MAX.
The maxbufsize=<size> property specifies the
maximum security layer receive buffer size allowed.
0 disables security layers. The default is 65536.
schemadn <dn>
Specify the distinguished name for the subschema
subentry that controls the entries on this server.
The default is "cn=Subschema".
security <factors>
Specify a set of factors (separated by white space)
to require. An integer value is associated with
each factor and is roughly equivalent to the
encryption key length to require. A value of 112
is equivalent to 3DES, 128 to Blowfish, etc. The
directive may be specified globally and/or per-
database. ssf=<n> specifies the overall security
strength factor. transport=<n> specifies the
transport security strength factor. tls=<n>
specifies the TLS security strength factor.
sasl=<n> specifies the SASL security strength
factor. update_ssf=<n> specifies the overall
security strength factor to require for directory
updates. update_transport=<n> specifies the
transport security strength factor to require for
directory updates. update_tls=<n> specifies the
TLS security strength factor to require for
directory updates. update_sasl=<n> specifies the
SASL security strength factor to require for
directory updates. simple_bind=<n> specifies the
security strength factor required for simple
username/password authentication. Note that the
transport factor is a measure of the security
provided by the underlying transport, e.g. ldapi://
(and eventually IPsec). It is not normally used.
sizelimit {<integer>|unlimited}
sizelimit size[.{soft|hard|unchecked}]=<integer> [...]
Specify the maximum number of entries to return
from a search operation. The default size limit is
500. Use -1 or unlimited to specify no limits.
The second format allows a fine grain setting of
the size limits. Extra args can be added on the
same line. See limits for an explanation of the
different flags.
sockbuf_max_incoming <integer>
Specify the maximum incoming LDAP PDU size for
anonymous sessions. The default is 262143.
sockbuf_max_incoming_auth <integer>
Specify the maximum incoming LDAP PDU size for
authenticated sessions. The default is 4194303.
srvtab <filename>
Specify the srvtab file in which the kerberos keys
necessary for authenticating clients using kerberos
can be found. This option is only meaningful if you
are using Kerberos authentication.
threads <integer>
Specify the maximum size of the primary thread
pool. The default is 16.
timelimit {<integer>|unlimited}
timelimit time[.{soft|hard}]=<integer> [...]
Specify the maximum number of seconds (in real
time) slapd will spend answering a search request.
The default time limit is 3600. Use -1 or
unlimited to specify no limits. The second format
allows a fine grain setting of the time limits.
Extra args can be added on the same line. See
limits for an explanation of the different flags.
ucdata-path <path>
Specify the path to the directory containing the
Unicode character tables. The default path is
LOCALSTATEDIR/ucdata.
TLS OPTIONS
If slapd is built with support for Transport Layer
Security, there are more options you can specify.
TLSCipherSuite <cipher-suite-spec>
Permits configuring what ciphers will be accepted
and the preference order. <cipher-suite-spec>
should be a cipher specification for OpenSSL.
Example:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
Note that in OpenSSL's cipher list syntax a leading
`+' only moves the named ciphers to the end of the
preference order; to exclude them outright use
`!', e.g. HIGH:MEDIUM:!SSLv2. To check what
ciphers a given spec selects, use:
openssl ciphers -v <cipher-suite-spec>
TLSCACertificateFile <filename>
Specifies the file that contains certificates for
all of the Certificate Authorities that slapd will
recognize.
TLSCACertificatePath <path>
Specifies the path of a directory that contains
Certificate Authority certificates in separate
individual files. Usually only one of this or the
TLSCACertificateFile is used.
TLSCertificateFile <filename>
Specifies the file that contains the slapd server
certificate.
TLSCertificateKeyFile <filename>
Specifies the file that contains the slapd server
private key that matches the certificate stored in
the TLSCertificateFile file. Currently, the
private key must not be protected with a password,
so it is of critical importance that it is
protected carefully.
TLSRandFile <filename>
Specifies the file to obtain random bits from when
/dev/[u]random is not available. Generally set to
the name of the EGD/PRNGD socket. The environment
variable RANDFILE can also be used to specify the
filename.
TLSVerifyClient <level>
Specifies what checks to perform on client
certificates in an incoming TLS session, if any.
The <level> can be specified as one of the
following keywords:
never This is the default. slapd will not ask the
client for a certificate.
allow The client certificate is requested. If no
certificate is provided, the session
proceeds normally. If a bad certificate is
provided, it will be ignored and the session
proceeds normally.
try The client certificate is requested. If no
certificate is provided, the session
proceeds normally. If a bad certificate is
provided, the session is immediately
terminated.
demand | hard | true
These keywords are all equivalent, for
compatibility reasons. The client
certificate is requested. If no certificate
is provided, or a bad certificate is
provided, the session is immediately
terminated.
Note that a valid client certificate is
required in order to use the SASL EXTERNAL
authentication mechanism with a TLS session.
As such, a non-default TLSVerifyClient
setting must be chosen to enable SASL
EXTERNAL authentication.
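A global section that combines the TLS options above with the disallow, require and security directives from the previous section, added as an example for this page (it is not from the man page or from an OpenLDAP distribution). The file names and the 128-bit threshold are placeholders; the fragment assumes, as slapd does, that the StartTLS extended operation and the Bind operation themselves are exempt from the ssf and require checks, since otherwise no client could ever reach the required state. Comments are on their own lines because slapd.conf only recognises comment lines, not trailing comments:

```conf
# Server identity and trust anchors. The key file cannot be passphrase
# protected, so it must be readable by the slapd user only.
TLSCACertificateFile  /etc/openldap/cacert.pem
TLSCertificateFile    /etc/openldap/slapd-cert.pem
TLSCertificateKeyFile /etc/openldap/slapd-key.pem
# Strong ciphers only; check the selection with:
#   openssl ciphers -v 'HIGH:!aNULL:!eNULL'
TLSCipherSuite HIGH:!aNULL:!eNULL
# Ask for a client certificate and drop sessions that present a bad one,
# but still admit clients without one; this is enough for SASL EXTERNAL.
TLSVerifyClient try
# No anonymous binds at all, and a bind before any directory operation.
disallow bind_anon
require LDAPv3 authc
# Every operation, every simple (password) bind and every update needs a
# 128-bit security layer, i.e. TLS or an equivalent SASL layer, so a
# password is never accepted over a cleartext connection.
security ssf=128 simple_bind=128 update_ssf=128
```

With this in place a client that connects over plain ldap:// can do nothing but StartTLS or a SASL bind that negotiates a security layer; a simple bind sent in the clear is refused before the password is even checked.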
GENERAL BACKEND OPTIONS
Options in this section only apply to the configuration
file section for the specified backend. They are
supported by every type of backend.
backend <databasetype>
Mark the beginning of a backend definition.
<databasetype> should be one of bdb, dnssrv, ldap,
ldbm, meta, monitor, null, passwd, perl, shell,
sql, or tcl, depending on which backend will serve
the database.
GENERAL DATABASE OPTIONS
Options in this section only apply to the configuration
file section for the database in which they are defined.
They are supported by every type of backend. Note that
the database and at least one suffix option are mandatory
for each database.
database <databasetype>
Mark the beginning of a new database instance
definition. <databasetype> should be one of bdb,
dnssrv, ldap, ldbm, meta, monitor, null, passwd,
perl, shell, sql, or tcl, depending on which
backend will serve the database.
lastmod on | off
Controls whether slapd will automatically maintain
the modifiersName, modifyTimestamp, creatorsName,
and createTimestamp attributes for entries. By
default, lastmod is on.
maxderefdepth <depth>
Specifies the maximum number of aliases to
dereference when trying to resolve an entry, used
to avoid infinite alias loops. The default is 1.
readonly on | off
This option puts the database into "read-only"
mode. Any attempts to modify the database will
return an "unwilling to perform" error. By
default, readonly is off.
replica host=<hostname>[:port] [tls=yes|critical]
[suffix=<suffix> [...]] bindmethod=simple|sasl
[binddn=<simple DN>] [credentials=<simple
password>] [saslmech=<SASL mech>]
[secprops=<properties>] [realm=<realm>]
[authcId=<authentication ID>]
[authzId=<authorization ID>] [attr[!]=<attr list>]
Specify a replication site for this database.
Refer to the "OpenLDAP Administrator's Guide" for
detailed information on setting up a replicated
slapd directory service. Zero or more suffix
instances can be used to select the subtrees that
will be replicated (defaults to all the database).
A bindmethod of simple requires the options binddn
and credentials and should only be used when
adequate security services (e.g. TLS or IPsec) are
in place. A bindmethod of sasl requires the option
saslmech. Specific security properties (as with
the sasl-secprops keyword above) for a SASL bind
can be set with the secprops option. A non-default
SASL realm can be set with the realm option. If
the mechanism will use Kerberos, a kerberos
instance should be given in authcId. An attr list
can be given after the attr keyword to allow the
selective replication of the listed attributes
only; if the optional ! mark is used, the list is
considered exclusive, i.e. the listed attributes
are not replicated. If an objectClass is listed,
all the related attributes are (are not)
replicated.
replogfile <filename>
Specify the name of the replication log file to log
changes to. The replication log is typically
written by slapd(8) and read by slurpd(8). See
slapd.replog(5) for more information. The
specified file should be located in a directory
with limited read/write/execute access as the
replication logs may contain sensitive information.
rootdn <dn>
Specify the distinguished name that is not subject
to access control or administrative limit
restrictions for operations on this database. This
DN may or may not be associated with an entry. An
empty root DN (the default) specifies no root
access is to be granted. It is recommended that
the rootdn only be specified when needed (such as
when initially populating a database). If the
rootdn is within a namingContext (suffix) of the
database, a simple bind password may also be
provided using the rootpw directive.
rootpw <password>
Specify a password (or hash of the password) for
the rootdn. The password can only be set if the
rootdn is within the namingContext (suffix) of the
database. This option accepts all RFC 2307
userPassword formats known to the server (see
password-hash description) as well as cleartext.
slappasswd(8) may be used to generate a hash of a
password. Cleartext and {CRYPT} passwords are not
recommended. Whatever form is used, slapd.conf then
holds a credential for an identity that bypasses
all access controls, so the file must be readable
only by the user slapd runs as. If empty (the
default), authentication of the root DN is by other
means (e.g. SASL). Use of SASL is encouraged.
suffix <dn suffix>
Specify the DN suffix of queries that will be
passed to this backend database. Multiple suffix
lines can be given and at least one is required for
each database definition. If the suffix of one
database is "inside" that of another, the database
with the inner suffix must come first in the
configuration file.
subordinate
Specify that the current backend database is a
subordinate of another backend database. A
subordinate database may have only one suffix. This
option may be used to glue multiple databases into
a single namingContext. If the suffix of the
current database is within the namingContext of a
superior database, searches against the superior
database will be propagated to the subordinate as
well. All of the databases associated with a single
namingContext should have identical rootdns.
Behavior of other LDAP operations is unaffected by
this setting. In particular, it is not possible to
use moddn to move an entry from one subordinate to
another subordinate within the namingContext.
updatedn <dn>
This option is only applicable in a slave slapd.
It specifies the DN allowed to make changes to the
replica (typically, this is the DN slurpd(8) binds
as when making changes to the replica).
updateref <url>
Specify the referral to pass back when slapd(8) is
asked to modify a replicated local database. If
specified multiple times, each url is provided.
DATABASE-SPECIFIC OPTIONS
Each database may allow specific configuration options;
they are documented separately in the slapd-<backend>(5)
manual pages.
EXAMPLES
Here is a short example of a configuration file:
include SYSCONFDIR/schema/core.schema
pidfile LOCALSTATEDIR/slapd.pid
# Subtypes of "name" (e.g. "cn" and "ou") with the
# option ";x-hidden" can be searched for/compared,
# but are not shown. See slapd.access(5).
attributeoptions x-hidden lang-
access to attr=name;x-hidden by * =cs
database bdb
suffix "dc=our-domain,dc=com"
# The database directory MUST exist prior to
# running slapd AND should only be accessible
# by the slapd/tools. Mode 700 recommended.
directory LOCALSTATEDIR/openldap-data
# Indices to maintain
index objectClass eq
index cn,sn,mail pres,eq,approx,sub
# We serve small clients that do not handle referrals,
# so handle remote lookups on their behalf.
database ldap
suffix ""
uri ldap://ldap.some-server.com/
lastmod off
The "OpenLDAP Administrator's Guide" contains a longer
annotated example of a configuration file. The original
ETCDIR/slapd.conf is another example.
FILES
ETCDIR/slapd.conf
default slapd configuration file
SEE ALSO
ldap(3), slapd-bdb(5), slapd-dnssrv(5), slapd-ldap(5),
slapd-ldbm(5), slapd-meta(5), slapd-null(5), slapd-
passwd(5), slapd-perl(5), slapd-shell(5), slapd-sql(5),
slapd-tcl(5), slapd.replog(5), slapd.access(5), locale(5),
slapd(8), slapadd(8), slapcat(8), slapindex(8),
slappasswd(8), slurpd(8),
"OpenLDAP Administrator's Guide"
(http://www.OpenLDAP.org/doc/admin/)
ACKNOWLEDGEMENTS
OpenLDAP is developed and maintained by The OpenLDAP
Project (http://www.openldap.org/). OpenLDAP is derived
from University of Michigan LDAP 3.3 Release.
OpenLDAP LDVERSION RELEASEDATE SLAPD.CONF(5)