Options in this section only apply to the specific database for
which they are defined. They are supported by every type of
backend. All of the Global Database Options may also be used
here.
olcAddContentAcl: TRUE | FALSE
Controls whether Add operations will perform ACL checks on
the content of the entry being added. This check is off by
default. See the slapd.access(5) manual page for more
details on ACL requirements for Add operations.
olcHidden: TRUE | FALSE
Controls whether the database will be used to answer
queries. A database that is hidden will never be selected
to answer any queries, and any suffix configured on the
database will be ignored in checks for conflicts with
other databases. By default, olcHidden is FALSE.
olcLastMod: TRUE | FALSE
Controls whether slapd will automatically maintain the
modifiersName, modifyTimestamp, creatorsName, and
createTimestamp attributes for entries. It also controls
the entryCSN and entryUUID attributes, which are needed by
the syncrepl provider. By default, olcLastMod is TRUE.
olcLastBind: TRUE | FALSE
Controls whether slapd will automatically maintain the
pwdLastSuccess attribute for entries. By default,
olcLastBind is FALSE.
olcLastBindPrecision: <number>
If olcLastBind is enabled, a new value is written only if
the current one is more than number seconds in the past.
olcLimits: <selector> <limit> [<limit> [...]]
Specify time and size limits based on the operation's
initiator or base DN. The argument <selector> can be any
of
anonymous | users | [<dnspec>=]<pattern> |
group[/oc[/at]]=<pattern>
with
<dnspec> ::= dn[.<type>][.<style>]
<type> ::= self | this
<style> ::= exact | base | onelevel | subtree |
children | regex | anonymous
DN type self is the default and means the bound user,
while this means the base DN of the operation. The term
anonymous matches all unauthenticated clients. The term
users matches all authenticated clients; otherwise an
exact dn pattern is assumed unless otherwise specified by
qualifying the (optional) key string dn with exact or base
(which are synonyms), to require an exact match; with
onelevel, to require exactly one level of depth match;
with subtree, to allow any level of depth match, including
the exact match; with children, to allow any level of
depth match, not including the exact match; regex
explicitly requires the (default) match based on POSIX
(''extended'') regular expression pattern. Finally,
anonymous matches unbound operations; the pattern field is
ignored. The same behavior is obtained by using the
anonymous form of the <selector> clause. The term group,
with the optional objectClass oc and attributeType at
fields, followed by pattern, sets the limits for any DN
listed in the values of the at attribute (default member)
of the oc group objectClass (default groupOfNames) whose
DN exactly matches pattern.
The currently supported limits are size and time.
The syntax for time limits is
time[.{soft|hard}]=<integer>, where integer is the number
of seconds slapd will spend answering a search request.
If no time limit is explicitly requested by the client,
the soft limit is used; if the requested time limit
exceeds the hard limit, the value of the limit is used
instead. If the hard limit is set to the keyword soft,
the soft limit is used in either case; if it is set to the
keyword unlimited, no hard limit is enforced. Explicit
requests for time limits smaller or equal to the hard
limit are honored. If no limit specifier is set, the
value is assigned to the soft limit, and the hard limit is
set to soft, to preserve the original behavior.
The syntax for size limits is
size[.{soft|hard|unchecked}]=<integer>, where integer is
the maximum number of entries slapd will return answering
a search request. If no size limit is explicitly
requested by the client, the soft limit is used; if the
requested size limit exceeds the hard limit, the value of
the limit is used instead. If the hard limit is set to
the keyword soft, the soft limit is used in either case;
if it is set to the keyword unlimited, no hard limit is
enforced. Explicit requests for size limits smaller or
equal to the hard limit are honored. The unchecked
specifier sets a limit on the number of candidates a
search request is allowed to examine. The rationale
behind it is that searches for non-properly indexed
attributes may result in large sets of candidates, which
must be examined by slapd(8) to determine whether they
match the search filter or not. The unchecked limit
provides a means to drop such operations before they are
even started. If the selected candidates exceed the
unchecked limit, the search will abort with Unwilling to
perform. If it is set to the keyword unlimited, no limit
is applied (the default). If it is set to disabled, the
search is not even performed; this can be used to disallow
searches for a specific set of users. If no limit
specifier is set, the value is assigned to the soft limit,
and the hard limit is set to soft, to preserve the
original behavior.
In case of no match, the global limits are used. The
default values are the same as for olcSizeLimit and
olcTimeLimit; no limit is set on unchecked.
If pagedResults control is requested, the hard size limit
is used by default, because the request of a specific page
size is considered an explicit request for a limitation on
the number of entries to be returned. However, the size
limit applies to the total count of entries returned
within the search, and not to a single page. Additional
size limits may be enforced; the syntax is
size.pr={<integer>|noEstimate|unlimited}, where integer is
the max page size if no explicit limit is set; the keyword
noEstimate inhibits the server from returning an estimate
of the total number of entries that might be returned
(note: the current implementation does not return any
estimate). The keyword unlimited indicates that no limit
is applied to the pagedResults control page size. The
syntax size.prtotal={<integer>|hard|unlimited|disabled}
allows one to set a limit on the total number of entries
that the pagedResults control will return. By default it
is set to the hard limit which will use the size.hard
value. When set, integer is the max number of entries
that the whole search with pagedResults control can
return. Use unlimited to allow unlimited number of
entries to be returned, e.g. to allow the use of the
pagedResults control as a means to circumvent size
limitations on regular searches; the keyword disabled
disables the control, i.e. no paged results can be
returned. Note that the total number of entries returned
when the pagedResults control is requested cannot exceed
the hard size limit of regular searches unless extended by
the prtotal switch.
The olcLimits statement is typically used to let an
unlimited number of entries be returned by searches
performed with the identity used by the consumer for
synchronization purposes by means of the RFC 4533 LDAP
Content Synchronization protocol (see olcSyncrepl for
details).
When using subordinate databases, it is necessary for any
limits that are to be applied across the parent and its
subordinates to be defined in both the parent and its
subordinates. Otherwise the settings on the subordinate
databases are not honored.
olcMaxDerefDepth: <depth>
Specifies the maximum number of aliases to dereference
when trying to resolve an entry, used to avoid infinite
alias loops. The default is 15.
olcMultiProvider: TRUE | FALSE
This option puts a consumer database into Multi-Provider
mode. Update operations will be accepted from any user,
not just the updatedn. The database must already be
configured as a syncrepl consumer before this keyword may
be set. This mode also requires a olcServerID (see above)
to be configured. By default, this setting is FALSE.
olcMonitoring: TRUE | FALSE This option enables database-
specific monitoring in the entry related to the current
database in the "cn=Databases,cn=Monitor" subtree of the
monitor database, if the monitor database is enabled.
Currently, only the MDB database provides database-
specific monitoring. The default depends on the backend
type.
olcPlugin: <plugin_type> <lib_path> <init_function> [<arguments>]
Configure a SLAPI plugin. See the slapd.plugin(5) manpage
for more details.
olcRootDN: <dn>
Specify the distinguished name that is not subject to
access control or administrative limit restrictions for
operations on this database. This DN may or may not be
associated with an entry. An empty root DN (the default)
specifies no root access is to be granted. It is
recommended that the rootdn only be specified when needed
(such as when initially populating a database). If the
rootdn is within a namingContext (suffix) of the database,
a simple bind password may also be provided using the
olcRootPW directive. Many optional features, including
syncrepl, require the rootdn to be defined for the
database. The olcRootDN of the cn=config database
defaults to cn=config itself.
olcRootPW: <password>
Specify a password (or hash of the password) for the
rootdn. The password can only be set if the rootdn is
within the namingContext (suffix) of the database. This
option accepts all RFC 2307 userPassword formats known to
the server (see olcPasswordHash description) as well as
cleartext. slappasswd(8) may be used to generate a hash
of a password. Cleartext and {CRYPT} passwords are not
recommended. If empty (the default), authentication of
the root DN is by other means (e.g. SASL). Use of SASL is
encouraged.
olcSubordinate: [TRUE | FALSE | advertise]
Specify that the current backend database is a subordinate
of another backend database. A subordinate database may
have only one suffix. This option may be used to glue
multiple databases into a single namingContext. If the
suffix of the current database is within the namingContext
of a superior database, searches against the superior
database will be propagated to the subordinate as well.
All of the databases associated with a single
namingContext should have identical rootdns. Behavior of
other LDAP operations is unaffected by this setting. In
particular, it is not possible to use moddn to move an
entry from one subordinate to another subordinate within
the namingContext.
If the optional advertise flag is supplied, the naming
context of this database is advertised in the root DSE.
The default is to hide this database context, so that only
the superior context is visible.
If the slap tools slapcat(8), slapadd(8), slapmodify(8),
or slapindex(8) are used on the superior database, any
glued subordinates that support these tools are opened as
well.
Databases that are glued together should usually be
configured with the same indices (assuming they support
indexing), even for attributes that only exist in some of
these databases. In general, all of the glued databases
should be configured as similarly as possible, since the
intent is to provide the appearance of a single directory.
Note that the subordinate functionality is implemented
internally by the glue overlay and as such its behavior
will interact with other overlays in use. By default, the
glue overlay is automatically configured as the last
overlay on the superior database. Its position on the
database can be explicitly configured by setting an
overlay glue directive at the desired position. This
explicit configuration is necessary e.g. when using the
syncprov overlay, which needs to follow glue in order to
work over all of the glued databases. E.g.
dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=example,dc=com
...
dn: olcOverlay={0}glue,olcDatabase={1}mdb,cn=config
...
dn: olcOverlay={1}syncprov,olcDatabase={1}mdb,cn=config
...
See the Overlays section below for more details.
olcSuffix: <dn suffix>
Specify the DN suffix of queries that will be passed to
this backend database. Multiple suffix lines can be given
and at least one is required for each database definition.
If the suffix of one database is "inside" that of another,
the database with the inner suffix must come first in the
configuration file. You may also want to glue such
databases together with the olcSubordinate attribute.
olcSyncUseSubentry: TRUE | FALSE
Store the syncrepl contextCSN in a subentry instead of the
context entry of the database. The subentry's RDN will be
"cn=ldapsync". The default is FALSE, meaning the
contextCSN is stored in the context entry.
olcSyncrepl: rid=<replica ID>
provider=ldap[s]://<hostname>[:port] searchbase=<base DN>
[type=refreshOnly|refreshAndPersist]
[interval=dd:hh:mm:ss] [retry=[<retry interval> <# of
retries>]+] [filter=<filter str>]
[scope=sub|one|base|subord] [attrs=<attr list>]
[exattrs=<attr list>] [attrsonly] [sizelimit=<limit>]
[timelimit=<limit>] [schemachecking=on|off]
[network-timeout=<seconds>] [timeout=<seconds>]
[tcp-user-timeout=<milliseconds>] [bindmethod=simple|sasl]
[binddn=<dn>] [saslmech=<mech>] [authcid=<identity>]
[authzid=<identity>] [credentials=<passwd>]
[realm=<realm>] [secprops=<properties>]
[keepalive=<idle>:<probes>:<interval>]
[starttls=yes|critical] [tls_cert=<file>] [tls_key=<file>]
[tls_cacert=<file>] [tls_cacertdir=<path>]
[tls_reqcert=never|allow|try|demand]
[tls_reqsan=never|allow|try|demand]
[tls_cipher_suite=<ciphers>] [tls_ecname=<names>]
[tls_crlcheck=none|peer|all]
[tls_protocol_min=<major>[.<minor>]] [suffixmassage=<real
DN>] [logbase=<base DN>] [logfilter=<filter str>]
[syncdata=default|accesslog|changelog] [lazycommit]
Specify the current database as a consumer which is kept
up-to-date with the provider content by establishing the
current slapd(8) as a replication consumer site running a
syncrepl replication engine. The consumer content is kept
synchronized to the provider content using the LDAP
Content Synchronization protocol. Refer to the "OpenLDAP
Administrator's Guide" for detailed information on setting
up a replicated slapd directory service using the syncrepl
replication engine.
rid identifies the current syncrepl directive within the
replication consumer site. It is a non-negative integer
not greater than 999 (limited to three decimal digits).
provider specifies the replication provider site
containing the provider content as an LDAP URI. If <port>
is not given, the standard LDAP port number (389 or 636)
is used.
The content of the syncrepl consumer is defined using a
search specification as its result set. The consumer slapd
will send search requests to the provider slapd according
to the search specification. The search specification
includes searchbase, scope, filter, attrs, attrsonly,
sizelimit, and timelimit parameters as in the normal
search specification. The exattrs option may also be used
to specify attributes that should be omitted from incoming
entries. The scope defaults to sub, the filter defaults
to (objectclass=*), and there is no default searchbase.
The attrs list defaults to "*,+" to return all user and
operational attributes, and attrsonly and exattrs are
unset by default. The sizelimit and timelimit only accept
"unlimited" and positive integers, and both default to
"unlimited". The sizelimit and timelimit parameters
define a consumer requested limitation on the number of
entries that can be returned by the LDAP Content
Synchronization operation; as such, it is intended to
implement partial replication based on the size of the
replicated database and on the time required by the
synchronization. Note, however, that any provider-side
limits for the replication identity will be enforced by
the provider regardless of the limits requested by the
LDAP Content Synchronization operation, much like for any
other search operation.
The LDAP Content Synchronization protocol has two
operation types. In the refreshOnly operation, the next
synchronization search operation is periodically
rescheduled at an interval time (specified by interval
parameter; 1 day by default) after each synchronization
operation finishes. In the refreshAndPersist operation, a
synchronization search remains persistent in the provider
slapd. Further updates to the provider will generate
searchResultEntry to the consumer slapd as the search
responses to the persistent synchronization search. If the
initial search fails due to an error, the next
synchronization search operation is periodically
rescheduled at an interval time (specified by interval
parameter; 1 day by default)
If an error occurs during replication, the consumer will
attempt to reconnect according to the retry parameter
which is a list of the <retry interval> and <# of retries>
pairs. For example, retry="60 10 300 3" lets the consumer
retry every 60 seconds for the first 10 times and then
retry every 300 seconds for the next 3 times before stop
retrying. The `+' in <# of retries> means indefinite
number of retries until success. If no retry is
specified, by default syncrepl retries every hour forever.
The schema checking can be enforced at the LDAP Sync
consumer site by turning on the schemachecking parameter.
The default is off. Schema checking on means that
replicated entries must have a structural objectClass,
must obey to objectClass requirements in terms of
required/allowed attributes, and that naming attributes
and distinguished values must be present. As a
consequence, schema checking should be off when partial
replication is used.
The network-timeout parameter sets how long the consumer
will wait to establish a network connection to the
provider. Once a connection is established, the timeout
parameter determines how long the consumer will wait for
the initial Bind request to complete. The defaults for
these parameters come from ldap.conf(5). The
tcp-user-timeout parameter, if non-zero, corresponds to
the TCP_USER_TIMEOUT set on the target connections,
overriding the operating system setting. Only some
systems support the customization of this parameter, it is
ignored otherwise and system-wide settings are used.
A bindmethod of simple requires the options binddn and
credentials and should only be used when adequate security
services (e.g. TLS or IPSEC) are in place. REMEMBER:
simple bind credentials must be in cleartext! A
bindmethod of sasl requires the option saslmech.
Depending on the mechanism, an authentication identity
and/or credentials can be specified using authcid and
credentials. The authzid parameter may be used to specify
an authorization identity. Specific security properties
(as with the sasl-secprops keyword above) for a SASL bind
can be set with the secprops option. A non default SASL
realm can be set with the realm option. The identity used
for synchronization by the consumer should be allowed to
receive an unlimited number of entries in response to a
search request. The provider, other than allowing
authentication of the syncrepl identity, should grant that
identity appropriate access privileges to the data that is
being replicated (access directive), and appropriate time
and size limits. This can be accomplished by either
allowing unlimited sizelimit and timelimit, or by setting
an appropriate limits statement in the consumer's
configuration (see sizelimit and limits for details).
The keepalive parameter sets the values of idle, probes,
and interval used to check whether a socket is alive; idle
is the number of seconds a connection needs to remain idle
before TCP starts sending keepalive probes; probes is the
maximum number of keepalive probes TCP should send before
dropping the connection; interval is interval in seconds
between individual keepalive probes. Only some systems
support the customization of these values; the keepalive
parameter is ignored otherwise, and system-wide settings
are used.
The starttls parameter specifies use of the StartTLS
extended operation to establish a TLS session before
Binding to the provider. If the critical argument is
supplied, the session will be aborted if the StartTLS
request fails. Otherwise the syncrepl session continues
without TLS. The tls_reqcert setting defaults to "demand",
the tls_reqsan setting defaults to "allow", and the other
TLS settings default to the same as the main slapd TLS
settings.
The suffixmassage parameter allows the consumer to pull
entries from a remote directory whose DN suffix differs
from the local directory. The portion of the remote
entries' DNs that matches the searchbase will be replaced
with the suffixmassage DN.
Rather than replicating whole entries, the consumer can
query logs of data modifications. This mode of operation
is referred to as delta syncrepl. In addition to the above
parameters, the logbase and logfilter parameters must be
set appropriately for the log that will be used. The
syncdata parameter must be set to either "accesslog" if
the log conforms to the slapo-accesslog(5) log format, or
"changelog" if the log conforms to the obsolete changelog
format. If the syncdata parameter is omitted or set to
"default" then the log parameters are ignored.
The lazycommit parameter tells the underlying database
that it can store changes without performing a full flush
after each change. This may improve performance for the
consumer, while sacrificing safety or durability.
olcUpdateDN: <dn>
This option is only applicable in a replica database. It
specifies the DN permitted to update (subject to access
controls) the replica. It is only needed in certain push-
mode replication scenarios. Generally, this DN should not
be the same as the rootdn used at the provider.
olcUpdateRef: <url>
Specify the referral to pass back when slapd(8) is asked
to modify a replicated local database. If multiple values
are specified, each url is provided.
