Options in this section only apply to the configuration file
section for the database in which they are defined. They are
supported by every type of backend. Note that the database
and
at least one suffix
option are mandatory for each database.
database <databasetype>
Mark the beginning of a new database instance definition.
<databasetype> should be one of asyncmeta
, config
, dnssrv
,
ldap
, ldif
, mdb
, meta
, monitor
, null
, passwd
, perl
, relay
,
sock
, sql
, or wt
, depending on which backend will serve
the database.
LDAP operations, even subtree searches, normally access
only one database. That can be changed by gluing
databases together with the subordinate
keyword. Access
controls and some overlays can also involve multiple
databases.
add_content_acl on | off
Controls whether Add operations will perform ACL checks on
the content of the entry being added. This check is off by
default. See the slapd.access(5) manual page for more
details on ACL requirements for Add operations.
extra_attrs <attrlist>
Lists what attributes need to be added to search requests.
Local storage backends return the entire entry to the
frontend. The frontend takes care of only returning the
requested attributes that are allowed by ACLs. However,
features like access checking and so may need specific
attributes that are not automatically returned by remote
storage backends, like proxy backends and so on.
<attrlist>
is a list of attributes that are needed for
internal purposes and thus always need to be collected,
even when not explicitly requested by clients.
hidden on | off
Controls whether the database will be used to answer
queries. A database that is hidden will never be selected
to answer any queries, and any suffix configured on the
database will be ignored in checks for conflicts with
other databases. By default, hidden is off.
lastmod on | off
Controls whether slapd
will automatically maintain the
modifiersName, modifyTimestamp, creatorsName, and
createTimestamp attributes for entries. It also controls
the entryCSN and entryUUID attributes, which are needed by
the syncrepl provider. By default, lastmod is on.
lastbind on | off
Controls whether slapd
will automatically maintain the
pwdLastSuccess attribute for entries. By default, lastbind
is off.
lastbind-precision <number>
If lastbind is enabled, a new value is written only if the
current one is more than number
seconds in the past.
limits <selector> <limit> [<limit> [...]]
Specify time and size limits based on the operation's
initiator or base DN. The argument <selector>
can be any
of
anonymous | users | [<dnspec>=]<pattern> |
group[/oc[/at]]=<pattern>
with
<dnspec> ::= dn[.<type>][.<style>]
<type> ::= self | this
<style> ::= exact | base | onelevel | subtree |
children | regex | anonymous
DN type self
is the default and means the bound user,
while this
means the base DN of the operation. The term
anonymous
matches all unauthenticated clients. The term
users
matches all authenticated clients; otherwise an
exact
dn pattern is assumed unless otherwise specified by
qualifying the (optional) key string dn
with exact
or base
(which are synonyms), to require an exact match; with
onelevel
, to require exactly one level of depth match;
with subtree
, to allow any level of depth match, including
the exact match; with children
, to allow any level of
depth match, not including the exact match; regex
explicitly requires the (default) match based on POSIX
(''extended'') regular expression pattern. Finally,
anonymous
matches unbound operations; the pattern
field is
ignored. The same behavior is obtained by using the
anonymous
form of the <selector>
clause. The term group
,
with the optional objectClass oc
and attributeType at
fields, followed by pattern
, sets the limits for any DN
listed in the values of the at
attribute (default member
)
of the oc
group objectClass (default groupOfNames
) whose
DN exactly matches pattern
.
The currently supported limits are size
and time
.
The syntax for time limits is
time[.{soft|hard}]=<integer>
, where integer is the number
of seconds slapd will spend answering a search request.
If no time limit is explicitly requested by the client,
the soft
limit is used; if the requested time limit
exceeds the hard
limit, the value of the limit is used
instead. If the hard
limit is set to the keyword soft,
the soft limit is used in either case; if it is set to the
keyword unlimited, no hard limit is enforced. Explicit
requests for time limits smaller or equal to the hard
limit are honored. If no limit specifier is set, the
value is assigned to the soft
limit, and the hard
limit is
set to soft, to preserve the original behavior.
The syntax for size limits is
size[.{soft|hard|unchecked}]=<integer>
, where integer is
the maximum number of entries slapd will return answering
a search request. If no size limit is explicitly
requested by the client, the soft
limit is used; if the
requested size limit exceeds the hard
limit, the value of
the limit is used instead. If the hard
limit is set to
the keyword soft, the soft limit is used in either case;
if it is set to the keyword unlimited, no hard limit is
enforced. Explicit requests for size limits smaller or
equal to the hard
limit are honored. The unchecked
specifier sets a limit on the number of candidates a
search request is allowed to examine. The rationale
behind it is that searches for non-properly indexed
attributes may result in large sets of candidates, which
must be examined by slapd(8) to determine whether they
match the search filter or not. The unchecked
limit
provides a means to drop such operations before they are
even started. If the selected candidates exceed the
unchecked
limit, the search will abort with Unwilling to
perform. If it is set to the keyword unlimited, no limit
is applied (the default). If it is set to disabled, the
search is not even performed; this can be used to disallow
searches for a specific set of users. If no limit
specifier is set, the value is assigned to the soft
limit,
and the hard
limit is set to soft, to preserve the
original behavior.
In case of no match, the global limits are used. The
default values are the same as for sizelimit
and
timelimit
; no limit is set on unchecked
.
If pagedResults
control is requested, the hard
size limit
is used by default, because the request of a specific page
size is considered an explicit request for a limitation on
the number of entries to be returned. However, the size
limit applies to the total count of entries returned
within the search, and not to a single page. Additional
size limits may be enforced; the syntax is
size.pr={<integer>|noEstimate|unlimited}
, where integer is
the max page size if no explicit limit is set; the keyword
noEstimate inhibits the server from returning an estimate
of the total number of entries that might be returned
(note: the current implementation does not return any
estimate). The keyword unlimited indicates that no limit
is applied to the pagedResults control page size. The
syntax size.prtotal={<integer>|hard|unlimited|disabled}
allows one to set a limit on the total number of entries
that the pagedResults control will return. By default it
is set to the hard
limit which will use the size.hard
value. When set, integer is the max number of entries
that the whole search with pagedResults control can
return. Use unlimited to allow unlimited number of
entries to be returned, e.g. to allow the use of the
pagedResults control as a means to circumvent size
limitations on regular searches; the keyword disabled
disables the control, i.e. no paged results can be
returned. Note that the total number of entries returned
when the pagedResults control is requested cannot exceed
the hard
size limit of regular searches unless extended by
the prtotal
switch.
The limits
statement is typically used to let an unlimited
number of entries be returned by searches performed with
the identity used by the consumer for synchronization
purposes by means of the RFC 4533 LDAP Content
Synchronization protocol (see syncrepl
for details).
When using subordinate databases, it is necessary for any
limits that are to be applied across the parent and its
subordinates to be defined in both the parent and its
subordinates. Otherwise the settings on the subordinate
databases are not honored.
maxderefdepth <depth>
Specifies the maximum number of aliases to dereference
when trying to resolve an entry, used to avoid infinite
alias loops. The default is 15.
multiprovider on | off
This option puts a consumer database into Multi-Provider
mode. Update operations will be accepted from any user,
not just the updatedn. The database must already be
configured as a syncrepl consumer before this keyword may
be set. This mode also requires a serverID
(see above) to
be configured. By default, multiprovider is off.
monitoring on | off
This option enables database-specific monitoring in the
entry related to the current database in the
"cn=Databases,cn=Monitor" subtree of the monitor database,
if the monitor database is enabled. Currently, only the
MDB database provides database-specific monitoring. The
default depends on the backend type.
overlay <overlay-name>
Add the specified overlay to this database. An overlay is
a piece of code that intercepts database operations in
order to extend or change them. Overlays are pushed onto a
stack over the database, and so they will execute in the
reverse of the order in which they were configured and the
database itself will receive control last of all. See the
slapd.overlays(5) manual page for an overview of the
available overlays. Note that all of the database's
regular settings should be configured before any overlay
settings.
readonly on | off
This option puts the database into "read-only" mode. Any
attempts to modify the database will return an "unwilling
to perform" error. By default, readonly is off.
restrict <oplist>
Specify a whitespace separated list of operations that are
restricted. If defined inside a database specification,
restrictions apply only to that database, otherwise they
are global. Operations can be any of add
, bind
, compare
,
delete
, extended[=<OID>]
, modify
, rename
, search
, or the
special pseudo-operations read
and write
, which
respectively summarize read and write operations. The use
of restrict write is equivalent to readonly on (see
above). The extended
keyword allows one to indicate the
OID of the specific operation to be restricted.
rootdn <dn>
Specify the distinguished name that is not subject to
access control or administrative limit restrictions for
operations on this database. This DN may or may not be
associated with an entry. An empty root DN (the default)
specifies no root access is to be granted. It is
recommended that the rootdn only be specified when needed
(such as when initially populating a database). If the
rootdn is within a namingContext (suffix) of the database,
a simple bind password may also be provided using the
rootpw
directive. Many optional features, including
syncrepl, require the rootdn to be defined for the
database.
rootpw <password>
Specify a password (or hash of the password) for the
rootdn. The password can only be set if the rootdn is
within the namingContext (suffix) of the database. This
option accepts all RFC 2307 userPassword formats known to
the server (see password-hash
description) as well as
cleartext. slappasswd(8) may be used to generate a hash
of a password. Cleartext and {CRYPT}
passwords are not
recommended. If empty (the default), authentication of
the root DN is by other means (e.g. SASL). Use of SASL is
encouraged.
suffix <dn suffix>
Specify the DN suffix of queries that will be passed to
this backend database. Multiple suffix lines can be given
and at least one is required for each database definition.
If the suffix of one database is "inside" that of another,
the database with the inner suffix must come first in the
configuration file. You may also want to glue such
databases together with the subordinate
keyword.
subordinate [advertise]
Specify that the current backend database is a subordinate
of another backend database. A subordinate database may
have only one suffix. This option may be used to glue
multiple databases into a single namingContext. If the
suffix of the current database is within the namingContext
of a superior database, searches against the superior
database will be propagated to the subordinate as well.
All of the databases associated with a single
namingContext should have identical rootdns. Behavior of
other LDAP operations is unaffected by this setting. In
particular, it is not possible to use moddn to move an
entry from one subordinate to another subordinate within
the namingContext.
If the optional advertise
flag is supplied, the naming
context of this database is advertised in the root DSE.
The default is to hide this database context, so that only
the superior context is visible.
If the slap tools slapcat(8), slapadd(8), slapmodify(8),
or slapindex(8) are used on the superior database, any
glued subordinates that support these tools are opened as
well.
Databases that are glued together should usually be
configured with the same indices (assuming they support
indexing), even for attributes that only exist in some of
these databases. In general, all of the glued databases
should be configured as similarly as possible, since the
intent is to provide the appearance of a single directory.
Note that the subordinate functionality is implemented
internally by the glue overlay and as such its behavior
will interact with other overlays in use. By default, the
glue overlay is automatically configured as the last
overlay on the superior backend. Its position on the
backend can be explicitly configured by setting an overlay
glue
directive at the desired position. This explicit
configuration is necessary e.g. when using the syncprov
overlay, which needs to follow glue in order to work over
all of the glued databases. E.g.
database mdb
suffix dc=example,dc=com
...
overlay glue
overlay syncprov
sync_use_subentry
Store the syncrepl contextCSN in a subentry instead of the
context entry of the database. The subentry's RDN will be
"cn=ldapsync". By default the contextCSN is stored in the
context entry.
syncrepl rid=<replica ID> provider=ldap[s]://<hostname>[:port]
searchbase=<base DN> [type=refreshOnly|refreshAndPersist]
[interval=dd:hh:mm:ss] [retry=[<retry interval> <# of
retries>]+] [filter=<filter str>]
[scope=sub|one|base|subord] [attrs=<attr list>]
[exattrs=<attr list>] [attrsonly] [sizelimit=<limit>]
[timelimit=<limit>] [schemachecking=on|off]
[network-timeout=<seconds>] [timeout=<seconds>]
[tcp-user-timeout=<milliseconds>] [bindmethod=simple|sasl]
[binddn=<dn>] [saslmech=<mech>] [authcid=<identity>]
[authzid=<identity>] [credentials=<passwd>]
[realm=<realm>] [secprops=<properties>]
[keepalive=<idle>:<probes>:<interval>]
[starttls=yes|critical] [tls_cert=<file>] [tls_key=<file>]
[tls_cacert=<file>] [tls_cacertdir=<path>]
[tls_reqcert=never|allow|try|demand]
[tls_reqsan=never|allow|try|demand]
[tls_cipher_suite=<ciphers>] [tls_ecname=<names>]
[tls_crlcheck=none|peer|all]
[tls_protocol_min=<major>[.<minor>]] [suffixmassage=<real
DN>] [logbase=<base DN>] [logfilter=<filter str>]
[syncdata=default|accesslog|changelog] [lazycommit]
Specify the current database as a consumer which is kept
up-to-date with the provider content by establishing the
current slapd(8) as a replication consumer site running a
syncrepl
replication engine. The consumer content is kept
synchronized to the provider content using the LDAP
Content Synchronization protocol. Refer to the "OpenLDAP
Administrator's Guide" for detailed information on setting
up a replicated slapd
directory service using the syncrepl
replication engine.
rid
identifies the current syncrepl
directive within the
replication consumer site. It is a non-negative integer
not greater than 999 (limited to three decimal digits).
provider
specifies the replication provider site
containing the provider content as an LDAP URI. If <port>
is not given, the standard LDAP port number (389 or 636)
is used.
The content of the syncrepl
consumer is defined using a
search specification as its result set. The consumer slapd
will send search requests to the provider slapd
according
to the search specification. The search specification
includes searchbase
, scope
, filter
, attrs
, attrsonly
,
sizelimit
, and timelimit
parameters as in the normal
search specification. The exattrs
option may also be used
to specify attributes that should be omitted from incoming
entries. The scope
defaults to sub
, the filter
defaults
to (objectclass=*)
, and there is no default searchbase
.
The attrs
list defaults to "*,+"
to return all user and
operational attributes, and attrsonly
and exattrs
are
unset by default. The sizelimit
and timelimit
only accept
"unlimited" and positive integers, and both default to
"unlimited". The sizelimit
and timelimit
parameters
define a consumer requested limitation on the number of
entries that can be returned by the LDAP Content
Synchronization operation; as such, it is intended to
implement partial replication based on the size of the
replicated database and on the time required by the
synchronization. Note, however, that any provider-side
limits for the replication identity will be enforced by
the provider regardless of the limits requested by the
LDAP Content Synchronization operation, much like for any
other search operation.
The LDAP Content Synchronization protocol has two
operation types. In the refreshOnly
operation, the next
synchronization search operation is periodically
rescheduled at an interval time (specified by interval
parameter; 1 day by default) after each synchronization
operation finishes. In the refreshAndPersist
operation, a
synchronization search remains persistent in the provider
slapd. Further updates to the provider will generate
searchResultEntry
to the consumer slapd as the search
responses to the persistent synchronization search. If the
initial search fails due to an error, the next
synchronization search operation is periodically
rescheduled at an interval time (specified by interval
parameter; 1 day by default)
If an error occurs during replication, the consumer will
attempt to reconnect according to the retry
parameter
which is a list of the <retry interval> and <# of retries>
pairs. For example, retry="60 10 300 3" lets the consumer
retry every 60 seconds for the first 10 times and then
retry every 300 seconds for the next 3 times before stop
retrying. The `+' in <# of retries> means indefinite
number of retries until success. If no retry
is
specified, by default syncrepl retries every hour forever.
The schema checking can be enforced at the LDAP Sync
consumer site by turning on the schemachecking
parameter.
The default is off
. Schema checking on
means that
replicated entries must have a structural objectClass,
must obey to objectClass requirements in terms of
required/allowed attributes, and that naming attributes
and distinguished values must be present. As a
consequence, schema checking should be off
when partial
replication is used.
The network-timeout
parameter sets how long the consumer
will wait to establish a network connection to the
provider. Once a connection is established, the timeout
parameter determines how long the consumer will wait for
the initial Bind request to complete. The defaults for
these parameters come from ldap.conf(5). The
tcp-user-timeout
parameter, if non-zero, corresponds to
the TCP_USER_TIMEOUT
set on the target connections,
overriding the operating system setting. Only some
systems support the customization of this parameter, it is
ignored otherwise and system-wide settings are used.
A bindmethod
of simple
requires the options binddn
and
credentials
and should only be used when adequate security
services (e.g. TLS or IPSEC) are in place. REMEMBER:
simple bind credentials must be in cleartext!
A
bindmethod
of sasl
requires the option saslmech.
Depending on the mechanism, an authentication identity
and/or credentials can be specified using authcid
and
credentials.
The authzid
parameter may be used to specify
an authorization identity. Specific security properties
(as with the sasl-secprops
keyword above) for a SASL bind
can be set with the secprops
option. A non default SASL
realm can be set with the realm
option. The identity used
for synchronization by the consumer should be allowed to
receive an unlimited number of entries in response to a
search request. The provider, other than allowing
authentication of the syncrepl identity, should grant that
identity appropriate access privileges to the data that is
being replicated (access
directive), and appropriate time
and size limits. This can be accomplished by either
allowing unlimited sizelimit
and timelimit
, or by setting
an appropriate limits
statement in the consumer's
configuration (see sizelimit
and limits
for details).
The keepalive
parameter sets the values of idle, probes,
and interval used to check whether a socket is alive; idle
is the number of seconds a connection needs to remain idle
before TCP starts sending keepalive probes; probes is the
maximum number of keepalive probes TCP should send before
dropping the connection; interval is interval in seconds
between individual keepalive probes. Only some systems
support the customization of these values; the keepalive
parameter is ignored otherwise, and system-wide settings
are used.
The starttls
parameter specifies use of the StartTLS
extended operation to establish a TLS session before
Binding to the provider. If the critical
argument is
supplied, the session will be aborted if the StartTLS
request fails. Otherwise the syncrepl session continues
without TLS. The tls_reqcert
setting defaults to "demand",
the tls_reqsan
setting defaults to "allow", and the other
TLS settings default to the same as the main slapd TLS
settings.
The suffixmassage
parameter allows the consumer to pull
entries from a remote directory whose DN suffix differs
from the local directory. The portion of the remote
entries' DNs that matches the searchbase will be replaced
with the suffixmassage DN.
Rather than replicating whole entries, the consumer can
query logs of data modifications. This mode of operation
is referred to as delta syncrepl. In addition to the above
parameters, the logbase
and logfilter
parameters must be
set appropriately for the log that will be used. The
syncdata
parameter must be set to either "accesslog" if
the log conforms to the slapo-accesslog(5) log format, or
"changelog" if the log conforms to the obsolete changelog
format. If the syncdata
parameter is omitted or set to
"default" then the log parameters are ignored.
The lazycommit
parameter tells the underlying database
that it can store changes without performing a full flush
after each change. This may improve performance for the
consumer, while sacrificing safety or durability.
updatedn <dn>
This option is only applicable in a replica database. It
specifies the DN permitted to update (subject to access
controls) the replica. It is only needed in certain push-
mode replication scenarios. Generally, this DN should not
be the same as the rootdn
used at the provider.
updateref <url>
Specify the referral to pass back when slapd(8) is asked
to modify a replicated local database. If specified
multiple times, each url is provided.