Options in this section may be set in the special "frontend"
database and inherited in all the other databases. These options
may be altered by further settings in each specific database. The
frontend entry must be named olcDatabase=frontend,cn=config and
must have the olcFrontendConfig objectClass.
olcAccess: to <what> [ by <who> <access> <control> ]+
Grant access (specified by <access>) to a set of entries
and/or attributes (specified by <what>) by one or more
requestors (specified by <who>). If no access controls
are present, the default policy allows anyone and everyone
to read anything but restricts updates to rootdn. (e.g.,
"olcAccess: to * by * read"). See slapd.access(5) and the
"OpenLDAP Administrator's Guide" for details.
Access controls set in the frontend are appended to any
access controls set on the specific databases. The rootdn
of a database can always read and write EVERYTHING in that
database.
Extra special care must be taken with the access controls
on the config database. Unlike other databases, the
default policy for the config database is to only allow
access to the rootdn. Regular users should not have read
access, and write access should be granted very carefully
to privileged administrators.
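As an added example (not taken from slapd-config(5) or the OpenLDAP project), the following LDIF sets access controls in the frontend, which every database inherits, and an explicit policy on the config database. The entry names olcDatabase={-1}frontend,cn=config and olcDatabase={0}config,cn=config are the ordered names a standard OpenLDAP installation gives these entries; the peercred DN is the SASL EXTERNAL identity that the local root user receives over ldapi:// and is an assumption about the deployment.

```ldif
# Added example, not part of slapd-config(5).
# Frontend ACLs are appended after each database's own ACLs, so a database
# whose last rule is already a catch-all ("to * by ...") never reaches them.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by users read
  by * none

# Config database: the default policy is rootdn only. Here the local root
# user, authenticated with SASL EXTERNAL over ldapi://, gets manage access
# and everyone else, regular users included, gets nothing at all.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
  by * none
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f frontend-acl.ldif` and read the result back with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess`. The lines that begin with two spaces are LDIF continuation lines; the first space is stripped, so the values are joined back into one `olcAccess` string. Note that the `by anonymous auth` clause on `userPassword` is what still permits unauthenticated clients to bind; the closing `by * none` then denies them every read.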
olcDefaultSearchBase: <dn>
Specify a default search base to use when client submits a
non-base search request with an empty base DN. Base
scoped search requests with an empty base DN are not
affected. This setting is only allowed in the frontend
entry.
olcExtraAttrs: <attr>
Lists what attributes need to be added to search requests.
Local storage backends return the entire entry to the
frontend. The frontend takes care of only returning the
requested attributes that are allowed by ACLs. However,
features like access checking may need specific
attributes that are not automatically returned by remote
storage backends, such as proxy backends. <attr> is an
attribute that is needed for internal purposes and thus
always needs to be collected, even when not explicitly
requested by clients. This attribute is multi-valued.
olcPasswordHash: <hash> [<hash>...]
This option configures one or more hashes to be used in
generation of user passwords stored in the userPassword
attribute during processing of LDAP Password Modify
Extended Operations (RFC 3062). The <hash> must be one of
{SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}.
The default is {SSHA}.
{SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the
latter with a seed. {MD5} and {SMD5} use the MD5 algorithm
(RFC 1321), the latter with a seed. {CRYPT} uses crypt(3).
{CLEARTEXT} indicates that the new password should be
added to userPassword as clear text.
Note that this option does not alter the normal user
applications handling of userPassword during LDAP Add,
Modify, or other LDAP operations. This setting is only
allowed in the frontend entry.
olcReadOnly: TRUE | FALSE
This option puts the database into "read-only" mode. Any
attempts to modify the database will return an "unwilling
to perform" error. By default, olcReadOnly is FALSE. Note
that when this option is set TRUE on the frontend, it
cannot be reset without restarting the server, since
further writes to the config database will be rejected.
olcRequires: <conditions>
Specify a set of conditions to require (default none).
The directive may be specified globally and/or per-
database; databases inherit global conditions, so per-
database specifications are additive. bind requires bind
operation prior to directory operations. LDAPv3 requires
session to be using LDAP version 3. authc requires
authentication prior to directory operations. SASL
requires SASL authentication prior to directory
operations. strong requires strong authentication prior
to directory operations. The strong keyword allows
protected "simple" authentication as well as SASL
authentication. none may be used to require no conditions
(useful to clear out globally set conditions within a
particular database); it must occur first in the list of
conditions.
olcRestrict: <oplist>
Specify a list of operations that are restricted.
Restrictions on a specific database override any frontend
setting. Operations can be any of add, bind, compare,
delete, extended[=<OID>], modify, rename, search, or the
special pseudo-operations read and write, which
respectively summarize read and write operations. The use
of restrict write is equivalent to olcReadOnly: TRUE (see
above). The extended keyword allows one to indicate the
OID of the specific operation to be restricted.
olcSchemaDN: <dn>
Specify the distinguished name for the subschema subentry
that controls the entries on this server. The default is
"cn=Subschema".
olcSecurity: <factors>
Specify a set of security strength factors (separated by
white space) to require (see olcSaslSecprops's minssf
option for a description of security strength factors).
The directive may be specified globally and/or per-
database. ssf=<n> specifies the overall security strength
factor. transport=<n> specifies the transport security
strength factor. tls=<n> specifies the TLS security
strength factor. sasl=<n> specifies the SASL security
strength factor. update_ssf=<n> specifies the overall
security strength factor to require for directory updates.
update_transport=<n> specifies the transport security
strength factor to require for directory updates.
update_tls=<n> specifies the TLS security strength factor
to require for directory updates. update_sasl=<n>
specifies the SASL security strength factor to require for
directory updates. simple_bind=<n> specifies the security
strength factor required for simple username/password
authentication. Note that the transport factor is a
measure of security provided by the underlying transport,
e.g. ldapi:// (and eventually IPSEC). It is not normally
used.
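The olcPasswordHash, olcRequires and olcSecurity directives described above, combined in one added example that is not part of slapd-config(5) or the OpenLDAP project. It sets the frontend so that new passwords are stored as {SSHA}, every session must be LDAPv3 and authenticated, simple binds and updates must travel over a channel with at least 128 bits of protection, and then shows a single database clearing the inherited authentication requirement. The entry name olcDatabase={-1}frontend,cn=config is the standard one; olcDatabase={1}mdb,cn=config is an assumed name for a data database.

```ldif
# Added example, not part of slapd-config(5).
# Frontend: inherited by every database on the server.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA}
-
replace: olcRequires
olcRequires: LDAPv3 authc
-
replace: olcSecurity
olcSecurity: simple_bind=128 update_ssf=128

# A database holding public data: "none" clears the inherited authc so
# anonymous reads work again, while LDAPv3 is required once more for this
# database. "none" must be the first keyword. ({1}mdb is an assumed name.)
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRequires
olcRequires: none LDAPv3
```

Because olcRequires is additive, the public database has to name `none` explicitly; simply omitting `authc` there would leave the frontend condition in force. `simple_bind=128` rejects a cleartext password bind unless the connection already carries an SSF of at least 128, which for a TLS session means a cipher with a 128-bit or longer key; SASL mechanisms that do not send a password are unaffected by that factor, and `update_ssf=128` still applies to their writes. Sessions over ldapi:// are credited with the transport SSF set by olcLocalSSF, whose default is 71, so local simple binds would also be rejected under this policy unless that value is raised.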
olcSizeLimit: {<integer>|unlimited}
olcSizeLimit: size[.{soft|hard}]=<integer> [...]
Specify the maximum number of entries to return from a
search operation. The default size limit is 500. Use
unlimited to specify no limits. The second format allows
a fine-grained setting of the size limits. If no special
qualifiers are specified, both soft and hard limits are
set. Extra args can be added in the same value.
Additional qualifiers are available; see olcLimits for an
explanation of all of the different flags.
olcSortVals: <attr> [...]
Specify a list of multi-valued attributes whose values
will always be maintained in sorted order. Using this
option will allow Modify, Compare, and filter evaluations
on these attributes to be performed more efficiently. The
resulting sort order depends on the attributes' syntax and
matching rules and may not correspond to lexical order or
any other recognizable order. This setting is only
allowed in the frontend entry.
olcTimeLimit: {<integer>|unlimited}
olcTimeLimit: time[.{soft|hard}]=<integer> [...]
Specify the maximum number of seconds (in real time) slapd
will spend answering a search request. The default time
limit is 3600. Use unlimited to specify no limits. The
second format allows a fine-grained setting of the time
limits. Extra args can be added in the same value. See
olcLimits for an explanation of the different flags.
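Both forms of olcSizeLimit and olcTimeLimit, in an added example that is not part of slapd-config(5) or the OpenLDAP project. The frontend entry uses the qualified form so that the limit applied when a client asks for none (soft) differs from the ceiling a client may request (hard); a data database then overrides the inherited size limit with the plain integer form. olcDatabase={-1}frontend,cn=config is the standard entry name; olcDatabase={1}mdb,cn=config is an assumed name for a data database.

```ldif
# Added example, not part of slapd-config(5).
# Frontend: defaults inherited by every database. The soft limit applies
# to searches that request no limit; the hard limit caps what a client
# may ask for. Both qualifiers fit in one value.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: size.soft=500 size.hard=2000
-
replace: olcTimeLimit
olcTimeLimit: time.soft=60 time.hard=600

# A specific database overrides the inherited value. The plain integer
# form sets soft and hard to the same number. ({1}mdb is an assumed name.)
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: 200
```

Use `unlimited` in place of an integer only where a database genuinely needs it; the limits bound how much work one search can consume, and keeping them finite on the frontend means a newly added database is capped by default rather than open. Per-requestor exceptions, for example for a replication or administrative identity, belong in olcLimits rather than in a looser global value.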