Configuration backend to slapd
Global configuration options
Options described in this section apply to the server as a whole.
Arguments that should be replaced by actual text are shown in
brackets <>.
These options may only be specified in the cn=config entry. This
entry must have an objectClass of olcGlobal.
olcAllows: <features>
Specify a set of features to allow (default none).
bind_v2 allows acceptance of LDAPv2 bind requests. Note that
slapd(8) does not truly implement LDAPv2 (RFC 1777), now
Historic (RFC 3494).
bind_anon_cred allows anonymous bind when credentials are not
empty (e.g. when DN is empty).
bind_anon_dn allows unauthenticated (anonymous) bind when DN is
not empty.
update_anon allows unauthenticated (anonymous) update operations
to be processed (subject to access controls and other
administrative limits).
proxy_authz_anon allows unauthenticated (anonymous) proxy
authorization control to be processed (subject to access
controls, authorization and other administrative limits).
olcArgsFile: <filename>
The (absolute) name of a file that will hold the slapd
server's command line (program name and options).
olcAttributeOptions: <option-name>...
Define tagging attribute options or option tag/range
prefixes. Options must not end with `-', prefixes must
end with `-'. The `lang-' prefix is predefined. If you
use the olcAttributeOptions directive, `lang-' will no
longer be defined and you must specify it explicitly if
you want it defined.
An attribute description with a tagging option is a
subtype of that attribute description without the option.
Except for that, options defined this way have no special
semantics. Prefixes defined this way work like the
`lang-' options: They define a prefix for tagging options
starting with the prefix. That is, if you define the
prefix `x-foo-', you can use the option `x-foo-bar'.
Furthermore, in a search or compare, a prefix or range
name (with a trailing `-') matches all options starting
with that name, as well as the option with the range name
sans the trailing `-'. That is, `x-foo-bar-' matches
`x-foo-bar' and `x-foo-bar-baz'.
RFC 4520 reserves options beginning with `x-' for private
experiments. Other options should be registered with
IANA, see RFC 4520 section 3.5. OpenLDAP also has the
`binary' option built in, but this is a transfer option,
not a tagging option.
olcAuthIDRewrite: <rewrite-rule>
Used by the authentication framework to convert simple
user names to an LDAP DN used for authorization purposes.
Its purpose is analogous to that of olcAuthzRegexp (see
below). The rewrite-rule is a set of rules analogous to
those described in slapo-rwm(5) for data rewriting (after
stripping the rwm- prefix). olcAuthIDRewrite and
olcAuthzRegexp should not be intermixed.
olcAuthzPolicy: <policy>
Used to specify which rules to use for Proxy
Authorization. Proxy authorization allows a client to
authenticate to the server using one user's credentials,
but specify a different identity to use for authorization
and access control purposes. It essentially allows user A
to login as user B, using user A's password. The none
flag disables proxy authorization. This is the default
setting. The from flag will use rules in the authzFrom
attribute of the authorization DN. The to flag will use
rules in the authzTo attribute of the authentication DN.
The any flag, an alias for the deprecated value both,
will allow any of the above, whatever succeeds first
(checked in to, from sequence). The all flag requires both
authorizations to succeed.
The rules are mechanisms to specify which identities are
allowed to perform proxy authorization. The authzFrom
attribute in an entry specifies which other users are
allowed to proxy login to this entry. The authzTo
attribute in an entry specifies which other users this
user can authorize as. Use of authzTo rules can be easily
abused if users are allowed to write arbitrary values to
this attribute. In general the authzTo attribute must be
protected with ACLs such that only privileged users can
modify it. The value of authzFrom and authzTo describes
an identity or a set of identities; it can take five
forms:
ldap:///<base>??[<scope>]?<filter>
dn[.<dnstyle>]:<pattern>
u[.<mech>[<realm>]]:<pattern>
group[/objectClass[/attributeType]]:<pattern>
<pattern>
<dnstyle>:={exact|onelevel|children|subtree|regex}
The first form is a valid LDAP URI where the
<host>:<port>, the <attrs> and the <extensions> portions
must be absent, so that the search occurs locally on
either authzFrom or authzTo.
The second form is a DN, with the optional style modifiers
exact, onelevel, children, and subtree for exact,
onelevel, children and subtree matches, which cause
<pattern> to be normalized according to the DN
normalization rules, or the special regex style, which
causes the <pattern> to be treated as a POSIX
(''extended'') regular expression, as discussed in
regex(7) and/or re_format(7). A pattern of * means any
non-anonymous DN.
The third form is a SASL id, with the optional fields
<mech> and <realm> that allow specifying a SASL mechanism,
and eventually a SASL realm, for those mechanisms that
support one. The need to allow the specification of a
mechanism is still debated, and users are strongly
discouraged from relying on this possibility.
The fourth form is a group specification. It consists of
the keyword group, optionally followed by the
specification of the group objectClass and attributeType.
The objectClass defaults to groupOfNames. The
attributeType defaults to member. The group with DN
<pattern> is searched with base scope, filtered on the
specified objectClass. The values of the resulting
attributeType are searched for the asserted DN.
The fifth form is provided for backwards compatibility.
If no identity type is provided, i.e. only <pattern> is
present, an exact DN is assumed; as a consequence,
<pattern> is subjected to DN normalization.
Since the interpretation of authzFrom and authzTo can
impact security, users are strongly encouraged to
explicitly set the type of identity specification that is
being used. A subset of these rules can be used as third
arg in the olcAuthzRegexp statement (see below);
significantly, the URI, provided it results in exactly one
entry, and the dn.exact:<dn> forms.
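The five identity forms above are easy to confuse when reviewing authzFrom/authzTo values, and the fifth (untyped) form is the one the text warns against. The following is an added example, not OpenLDAP code: a small classifier that tells the forms apart and flags values that rely on the implicit exact-DN form. It assumes, as slapd's actual syntax does but the text above does not show, that a SASL realm follows the mechanism after a "/" (u.<mech>/<realm>:<pattern>); the sample values in the test are constructed.

```python
import re

# Added example, not OpenLDAP code: classify one authzFrom/authzTo value
# into the five identity forms of slapd-config(5). Assumption: the SASL
# realm is separated from the mechanism by "/" (u.<mech>/<realm>:<pattern>).

DN_STYLES = {"exact", "onelevel", "children", "subtree", "regex"}

_DN_RE = re.compile(r"^dn(?:\.(?P<style>[^:]+))?:(?P<pattern>.*)$", re.S)
_SASL_RE = re.compile(
    r"^u(?:\.(?P<mech>[^:/]+)(?:/(?P<realm>[^:]*))?)?:(?P<pattern>.*)$", re.S)
_GROUP_RE = re.compile(
    r"^group(?:/(?P<oc>[^/:]+)(?:/(?P<at>[^:]+))?)?:(?P<pattern>.*)$", re.S)


def _parse_local_uri(value):
    # ldap:///<base>?<attrs>?<scope>?<filter>?<extensions>
    rest = value[len("ldap://"):]
    hostport, _, rest = rest.partition("/")
    base, *fields = rest.split("?")
    fields += [""] * (4 - len(fields))
    attrs, scope, filt, exts = fields[:4]
    if hostport or attrs or exts:
        raise ValueError("authz URI must have no host:port, attrs or extensions")
    # RFC 4516: an absent scope means base
    return {"form": "uri", "base": base, "scope": scope or "base", "filter": filt}


def parse_authz_spec(value):
    """Return a dict describing the identity form of one authzFrom/authzTo value."""
    if value.startswith("ldap:"):
        if not value.startswith("ldap:///"):
            raise ValueError("host:port portion must be absent in authz URI")
        return _parse_local_uri(value)
    m = _DN_RE.match(value)
    if m:
        style = m.group("style")
        if style is not None and style not in DN_STYLES:
            raise ValueError(f"unknown dn style {style!r}")
        return {"form": "dn", "style": style, "pattern": m.group("pattern"),
                "any_authenticated": m.group("pattern") == "*", "explicit": True}
    m = _SASL_RE.match(value)
    if m:
        return {"form": "sasl", "mech": m.group("mech"), "realm": m.group("realm"),
                "pattern": m.group("pattern"), "explicit": True}
    m = _GROUP_RE.match(value)
    if m:
        return {"form": "group", "objectClass": m.group("oc") or "groupOfNames",
                "attributeType": m.group("at") or "member",
                "pattern": m.group("pattern"), "explicit": True}
    # Fifth form: bare pattern, treated as an exact (normalized) DN.
    return {"form": "dn", "style": "exact", "pattern": value,
            "any_authenticated": False, "explicit": False}


def implicitly_typed(values):
    """Values that rely on the backwards-compatible untyped fifth form."""
    return [v for v in values if not parse_authz_spec(v).get("explicit", True)]
```

Running `implicitly_typed()` over the authzTo/authzFrom values exported from a directory is a quick way to find rules that should be rewritten with an explicit dn.exact: prefix.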
olcAuthzRegexp: <match> <replace>
Used by the authentication framework to convert simple
user names, such as provided by SASL subsystem, or
extracted from certificates in case of cert-based SASL
EXTERNAL, or provided within the RFC 4370 "proxied
authorization" control, to an LDAP DN used for
authorization purposes. Note that the resulting DN need
not refer to an existing entry to be considered valid.
When an authorization request is received from the SASL
subsystem, the SASL USERNAME, REALM, and MECHANISM are
taken, when available, and combined into a name of the
form
UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth
This name is then compared against the match POSIX
(''extended'') regular expression, and if the match is
successful, the name is replaced with the replace string.
If there are wildcard strings in the match regular
expression that are enclosed in parenthesis, e.g.
UID=([^,]*),CN=.*
then the portion of the name that matched the wildcard
will be stored in the numbered placeholder variable $1. If
there are other wildcard strings in parenthesis, the
matching strings will be in $2, $3, etc. up to $9. The
placeholders can then be used in the replace string, e.g.
UID=$1,OU=Accounts,DC=example,DC=com
The replaced name can be either a DN, i.e. a string
prefixed by "dn:", or an LDAP URI. If the latter, the
server will use the URI to search its own database(s) and,
if the search returns exactly one entry, the name is
replaced by the DN of that entry. The LDAP URI must have
no hostport, attrs, or extensions components, but the
filter is mandatory, e.g.
ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)
The protocol portion of the URI must be strictly ldap.
Note that this search is subject to access controls.
Specifically, the authentication identity must have "auth"
access in the subject.
Multiple olcAuthzRegexp values can be specified to allow
for multiple matching and replacement patterns. The
matching patterns are checked in the order they appear in
the attribute, stopping at the first successful match.
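The mapping described above (SASL name construction, ordered first-match rules, $1..$9 substitution, DN versus URI result) can be checked offline before a rule set is loaded into cn=config. The following is an added example, not OpenLDAP code: a model of the olcAuthzRegexp evaluation. Python's re module stands in for the POSIX extended regular expressions slapd uses (the patterns shown are valid in both), and the rules, user names and realm are constructed for the example.

```python
import re

# Added example, not OpenLDAP code: model of olcAuthzRegexp evaluation.
# Rules are tried in order, the first match wins, and $1..$9 in the replace
# string are filled from the parenthesised groups of the match expression.


def sasl_auth_name(username, realm=None, mechanism=None):
    """Build UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth.

    Following the bracket structure in the text, the realm is only
    included when a mechanism is also present.
    """
    parts = [f"UID={username}"]
    if mechanism:
        if realm:
            parts.append(f"CN={realm}")
        parts.append(f"CN={mechanism}")
    parts.append("CN=auth")
    return ",".join(parts)


def apply_authz_regexp(name, rules):
    """Return the replaced name for the first matching (match, replace)
    rule, or None when no rule matches. The match is unanchored unless the
    rule itself uses ^ and $, so anchor rules to avoid partial matches."""
    for match, replace in rules:
        m = re.search(match, name)
        if not m:
            continue
        # $N -> Nth parenthesised group; raises IndexError if the rule
        # has fewer groups than the replace string references.
        return re.sub(r"\$([1-9])",
                      lambda ph: m.group(int(ph.group(1))) or "", replace)
    return None


def result_kind(replaced):
    """Classify the replaced name: a DN, or a local LDAP URI that slapd
    would search and that must have a filter and no host:port."""
    if replaced is None:
        return "unmapped"
    if replaced.startswith("ldap:"):
        if not replaced.startswith("ldap:///"):
            raise ValueError("authz URI must be local: no host:port allowed")
        fields = replaced[len("ldap:///"):].split("?")
        if len(fields) < 4 or not fields[3]:
            raise ValueError("filter component is mandatory in an authz URI")
        return "uri"
    return "dn"


# Constructed rule set (not from any real configuration).
RULES = [
    # cert-based SASL EXTERNAL: look the account up by UID (URI form)
    (r"^UID=([^,]*),CN=EXTERNAL,CN=auth$",
     r"ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)"),
    # a mechanism that carries a realm: the realm selects the OU
    (r"^UID=([^,]*),CN=([^,]*),CN=DIGEST-MD5,CN=auth$",
     r"dn:UID=$1,OU=$2,DC=example,DC=com"),
    # catch-all for everything else (the pattern from the text above)
    (r"UID=([^,]*),CN=.*", r"dn:UID=$1,OU=Accounts,DC=example,DC=com"),
]

if __name__ == "__main__":
    for name in (sasl_auth_name("alice"),
                 sasl_auth_name("bob", "example.com", "DIGEST-MD5"),
                 sasl_auth_name("carol", mechanism="EXTERNAL")):
        out = apply_authz_regexp(name, RULES)
        print(f"{name} -> {out} [{result_kind(out)}]")
```

Because evaluation stops at the first successful match, the catch-all rule must stay last; moving it to the front silently shadows the more specific rules, which the test below demonstrates.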
olcConcurrency: <integer>
Specify a desired level of concurrency. Provided to the
underlying thread system as a hint. The default is not to
provide any hint. This setting is only meaningful on some
platforms where there is not a one to one correspondence
between user threads and kernel threads.
olcConnMaxPending: <integer>
Specify the maximum number of pending requests for an
anonymous session. If requests are submitted faster than
the server can process them, they will be queued up to
this limit. If the limit is exceeded, the session is
closed. The default is 100.
olcConnMaxPendingAuth: <integer>
Specify the maximum number of pending requests for an
authenticated session. The default is 1000.
olcDisallows: <features>
Specify a set of features to disallow (default none).
bind_anon disables acceptance of anonymous bind requests.
Note that this setting does not prohibit anonymous
directory access (See "require authc").
bind_simple disables simple (bind) authentication.
tls_2_anon disables forcing session to anonymous status
(see also tls_authc) upon StartTLS operation receipt.
tls_authc disallows the StartTLS operation if authenticated
(see also tls_2_anon).
proxy_authz_non_critical disables acceptance of the proxied
authorization control (RFC4370) with criticality set to
FALSE.
dontusecopy_non_critical disables acceptance of the
dontUseCopy control (a work in progress) with criticality
set to FALSE.
olcGentleHUP: { TRUE | FALSE }
A SIGHUP signal will only cause a 'gentle' shutdown
attempt: slapd will stop listening for new connections,
but will not close the connections to the current clients.
Future write operations return unwilling-to-perform,
though. Slapd terminates when all clients have closed
their connections (if they ever do), or - as before - if
it receives a SIGTERM signal. This can be useful if you
wish to terminate the server and start a new slapd server
with another database, without disrupting the currently
active clients. The default is FALSE. You may wish to
use olcIdleTimeout along with this option.
olcIdleTimeout: <integer>
Specify the number of seconds to wait before forcibly
closing an idle client connection. A setting of 0
disables this feature. The default is 0. You may also
want to set the olcWriteTimeout option.
olcIndexHash64: { on | off }
Use a 64 bit hash for indexing. The default is to use 32
bit hashes. These hashes are used for equality and
substring indexing. The 64 bit version may be needed to
avoid index collisions when the number of indexed values
exceeds ~64 million. (Note that substring indexing
generates multiple index values per actual attribute
value.) Indices generated with 32 bit hashes are
incompatible with the 64 bit version, and vice versa. Any
existing databases must be fully reloaded when changing
this setting. This directive is only supported on 64 bit
CPUs.
olcIndexIntLen: <integer>
Specify the key length for ordered integer indices. The
most significant bytes of the binary integer will be used
for index keys. The default value is 4, which provides
exact indexing for 31 bit values. A floating point
representation is used to index too large values.
olcIndexSubstrIfMaxlen: <integer>
Specify the maximum length for subinitial and subfinal
indices. Only this many characters of an attribute value
will be processed by the indexing functions; any excess
characters are ignored. The default is 4.
olcIndexSubstrIfMinlen: <integer>
Specify the minimum length for subinitial and subfinal
indices. An attribute value must have at least this many
characters in order to be processed by the indexing
functions. The default is 2.
olcIndexSubstrAnyLen: <integer>
Specify the length used for subany indices. An attribute
value must have at least this many characters in order to
be processed. Attribute values longer than this length
will be processed in segments of this length. The default
is 4. The subany index will also be used in subinitial and
subfinal index lookups when the filter string is longer
than the olcIndexSubstrIfMaxlen value.
olcIndexSubstrAnyStep: <integer>
Specify the steps used in subany index lookups. This value
sets the offset for the segments of a filter string that
are processed for a subany index lookup. The default is 2.
For example, with the default values, a search using this
filter "cn=*abcdefgh*" would generate index lookups for
"abcd", "cdef", and "efgh".
Note: Indexing support depends on the particular backend in use.
Also, changing these settings will generally require deleting any
indices that depend on these parameters and recreating them with
slapindex(8).
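The olcIndexSubstr* parameters interact: IfMinlen and IfMaxlen bound the subinitial/subfinal keys, AnyLen and AnyStep cut the subany keys, and long initial/final components fall back to the subany index. The following is an added example, not OpenLDAP code: a model that derives the index keys a substring filter component would need, so the effect of changing one parameter can be seen before rebuilding indices with slapindex(8). It reproduces the "cn=*abcdefgh*" example from the text; the key derivation follows that description rather than slapd's source, and the defaults are the ones documented above.

```python
from dataclasses import dataclass

# Added example, not OpenLDAP code: model of substring index key lookup
# under the olcIndexSubstr* settings. Defaults are the man page defaults.


@dataclass(frozen=True)
class SubstrIndexParams:
    if_maxlen: int = 4   # olcIndexSubstrIfMaxlen
    if_minlen: int = 2   # olcIndexSubstrIfMinlen
    any_len: int = 4     # olcIndexSubstrAnyLen
    any_step: int = 2    # olcIndexSubstrAnyStep


def subany_keys(s, p=SubstrIndexParams()):
    """Segments of length any_len, any_step apart, looked up in the subany index."""
    if len(s) < p.any_len:
        return []                       # too short for any subany key
    return [s[i:i + p.any_len]
            for i in range(0, len(s) - p.any_len + 1, p.any_step)]


def subinitial_keys(s, p=SubstrIndexParams()):
    """Keys for an 'initial*' component: first if_maxlen chars in the
    subinitial index; longer strings are also checked via the subany index."""
    if len(s) < p.if_minlen:
        return {"subinitial": [], "subany": []}   # below if_minlen: not indexed
    keys = {"subinitial": [s[:p.if_maxlen]], "subany": []}
    if len(s) > p.if_maxlen:
        keys["subany"] = subany_keys(s, p)
    return keys


def subfinal_keys(s, p=SubstrIndexParams()):
    """Keys for a '*final' component (mirror image of subinitial)."""
    if len(s) < p.if_minlen:
        return {"subfinal": [], "subany": []}
    keys = {"subfinal": [s[-p.if_maxlen:]], "subany": []}
    if len(s) > p.if_maxlen:
        keys["subany"] = subany_keys(s, p)
    return keys


def filter_lookup_keys(pattern, p=SubstrIndexParams()):
    """Split a substring assertion value such as 'ab*cdefgh*xy' into its
    initial, any and final components and collect the index keys needed."""
    parts = pattern.split("*")
    if len(parts) < 2:
        raise ValueError("not a substring assertion (needs at least one '*')")
    initial, *any_parts, final = parts
    out = {"subinitial": [], "subany": [], "subfinal": []}
    if initial:
        k = subinitial_keys(initial, p)
        out["subinitial"] += k["subinitial"]
        out["subany"] += k["subany"]
    for a in any_parts:
        if a:
            out["subany"] += subany_keys(a, p)
    if final:
        k = subfinal_keys(final, p)
        out["subfinal"] += k["subfinal"]
        out["subany"] += k["subany"]
    return out


if __name__ == "__main__":
    print(filter_lookup_keys("*abcdefgh*"))   # the example from the text
    print(filter_lookup_keys("*abcdefgh*", SubstrIndexParams(any_step=1)))
```

Comparing the output for the default parameters with that for a modified set shows why the note above requires regenerating indices: the keys themselves change, so an index built with the old parameters no longer answers the lookups the new ones generate.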
olcListenerThreads: <integer>
Specify the number of threads to use for the connection
manager. The default is 1 and this is typically adequate
for up to 16 CPU cores. The value should be set to a
power of 2.
olcLocalSSF: <SSF>
Specifies the Security Strength Factor (SSF) to be given
local LDAP sessions, such as those to the ldapi://
listener. For a description of SSF values, see the
minssf option description under olcSaslSecProps. The
default is 71.
olcLogFile: <filename>
Specify a file for recording slapd debug messages. By
default these messages only go to stderr, are not recorded
anywhere else, and are unrelated to messages exposed by
the olcLogLevel configuration parameter. Specifying a
logfile copies messages to both stderr and the logfile.
olcLogFileOnly: TRUE | FALSE
Specify that debug messages should only go to the
configured logfile, and not to stderr.
olcLogFileRotate: <max> <Mbytes> <hours>
Specify automatic rotation for the configured logfile as
the maximum number of old logfiles to retain, a maximum
size in megabytes to allow a logfile to grow before
rotation, and a maximum age in hours for a logfile to be
used before rotation. The maximum number must be in the
range 1-99. Setting Mbytes or hours to zero disables the
size or age check, respectively. At least one of Mbytes
or hours must be non-zero. By default no automatic
rotation will be performed.
olcLogLevel: <integer> [...]
Specify the level at which debugging statements and
operation statistics should be syslogged (currently logged
to the syslogd(8) LOG_LOCAL4 facility). They must be
considered subsystems rather than increasingly verbose log
levels. Some messages with higher priority are logged
regardless of the configured loglevel as soon as any
logging is configured. Log levels are additive, and
available levels are:
1      (0x1 trace)      trace function calls
2      (0x2 packets)    debug packet handling
4      (0x4 args)       heavy trace debugging (function args)
8      (0x8 conns)      connection management
16     (0x10 BER)       print out packets sent and received
32     (0x20 filter)    search filter processing
64     (0x40 config)    configuration file processing
128    (0x80 ACL)       access control list processing
256    (0x100 stats)    connections, LDAP operations, results (recommended)
512    (0x200 stats2)   stats2 log entries sent
1024   (0x400 shell)    print communication with shell backends
2048   (0x800 parse)    entry parsing
16384  (0x4000 sync)    LDAPSync replication
32768  (0x8000 none)    only messages that get logged whatever log level is set
The desired log level can be input as a single integer
that combines the (ORed) desired levels, both in decimal
or in hexadecimal notation, as a list of integers (that
are ORed internally), or as a list of the names that are
shown between parenthesis, such that
olcLogLevel: 129
olcLogLevel: 0x81
olcLogLevel: 128 1
olcLogLevel: 0x80 0x1
olcLogLevel: acl trace
are equivalent. The keyword any can be used as a shortcut
to enable logging at all levels (equivalent to -1). The
keyword none, or the equivalent integer representation,
causes those messages that are logged regardless of the
configured olcLogLevel to be logged. In fact, if no
olcLogLevel (or a 0 level) is defined, no logging occurs,
so at least the none level is required to have high
priority messages logged.
Note that the packets, BER, and parse levels are only
available as debug output on stderr, and are not sent to
syslog.
This setting defaults to stats. This level should usually
also be included when using other loglevels, to help
analyze the logs.
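The five equivalent spellings above, the additive bits, the any/none keywords and the stderr-only levels are the things that go wrong when a loglevel is set by hand. The following is an added example, not OpenLDAP code: a parser that turns one olcLogLevel value into the resulting bitmask and reports the points a reviewer would check (a 0 level that logs nothing, a missing stats level, levels that never reach syslog). Level names and bit values are those in the table above; the treatment of names as case-insensitive follows the "acl trace" spelling used in the text.

```python
# Added example, not OpenLDAP code: parse olcLogLevel values into the
# bitmask slapd would end up with and report review findings on it.

LOG_LEVELS = {
    "trace": 0x1, "packets": 0x2, "args": 0x4, "conns": 0x8, "ber": 0x10,
    "filter": 0x20, "config": 0x40, "acl": 0x80, "stats": 0x100,
    "stats2": 0x200, "shell": 0x400, "parse": 0x800, "sync": 0x4000,
    "none": 0x8000,
}
ANY = -1                                     # "any": every level
STDERR_ONLY = {"packets", "ber", "parse"}    # never sent to syslog


def parse_loglevel(value):
    """Combine the space-separated tokens of one olcLogLevel value.
    Tokens may be decimal or 0x-prefixed hex integers, or level names
    (case-insensitive); all of them are ORed together."""
    mask = 0
    for tok in value.split():
        t = tok.lower()
        if t == "any":
            return ANY
        if t in LOG_LEVELS:
            mask |= LOG_LEVELS[t]
            continue
        n = int(t, 0)                # accepts "129" and "0x81", rejects junk
        if n == ANY:
            return ANY
        if n < 0:
            raise ValueError(f"{tok}: negative log level")
        mask |= n
    return mask


def level_names(mask):
    """Names of the levels set in mask, in table order."""
    if mask == ANY:
        return list(LOG_LEVELS)
    return [name for name, bit in LOG_LEVELS.items() if mask & bit]


def syslog_names(mask):
    """Levels whose messages actually reach syslog."""
    return [n for n in level_names(mask) if n not in STDERR_ONLY]


def check_loglevel(value):
    """Review findings for an olcLogLevel value (empty list: nothing to flag)."""
    mask = parse_loglevel(value)
    findings = []
    if mask == 0:
        findings.append("level 0: no logging at all, not even high-priority messages")
    if mask != ANY and not mask & LOG_LEVELS["stats"]:
        findings.append("stats not included; usually wanted alongside other levels")
    stderr_only = [n for n in level_names(mask) if n in STDERR_ONLY]
    if stderr_only:
        findings.append("stderr-only levels (not syslogged): " + ", ".join(stderr_only))
    return findings


if __name__ == "__main__":
    for v in ("129", "0x81", "128 1", "0x80 0x1", "acl trace"):
        print(f"{v!r:12} -> {parse_loglevel(v):#x} {level_names(parse_loglevel(v))}")
    print(check_loglevel("stats packets"))
```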
olcMaxFilterDepth: <integer>
Specify the maximum depth of nested filters in search
requests. The default is 1000.
olcPasswordCryptSaltFormat: <format>
Specify the format of the salt passed to crypt(3) when
generating {CRYPT} passwords (see olcPasswordHash) during
processing of LDAP Password Modify Extended Operations
(RFC 3062).
This string needs to be in sprintf(3) format and may
include one (and only one) %s conversion. This conversion
will be substituted with a string of random characters
from [A-Za-z0-9./]. For example, "%.2s" provides a two
character salt and "$1$%.8s" tells some versions of
crypt(3) to use an MD5 algorithm and provides 8 random
characters of salt. The default is "%s", which provides
31 characters of salt.
olcPidFile: <filename>
The (absolute) name of a file that will hold the slapd
server's process ID (see getpid(2)).
olcPluginLogFile: <filename>
The (absolute) name of a file that will contain log
messages from SLAPI plugins. See slapd.plugin(5) for
details.
olcReferral: <url>
Specify the referral to pass back when slapd(8) cannot
find a local database to handle a request. If multiple
values are specified, each url is provided.
olcReverseLookup: TRUE | FALSE
Enable/disable client name unverified reverse lookup
(default is FALSE if compiled with --enable-rlookups).
olcRootDSE: <file>
Specify the name of an LDIF(5) file containing user
defined attributes for the root DSE. These attributes are
returned in addition to the attributes normally produced
by slapd.
The root DSE is an entry with information about the server
and its capabilities, in operational attributes. It has
the empty DN, and can be read with e.g.:
ldapsearch -x -b "" -s base "+"
See RFC 4512 section 5.1 for details.
olcSaslAuxprops: <plugin> [...]
Specify which auxprop plugins to use for authentication
lookups. The default is empty, which just uses slapd's
internal support. Usually no other auxprop plugins are
needed.
olcSaslAuxpropsDontUseCopy: <attr> [...]
Specify which attribute(s) should be subject to the don't
use copy control. This is necessary for some SASL
mechanisms such as OTP to work in a replicated
environment. The attribute "cmusaslsecretOTP" is the
default value.
olcSaslAuxpropsDontUseCopyIgnore TRUE | FALSE
Used to disable replication of the attribute(s) defined by
olcSaslAuxpropsDontUseCopy and instead use a local value
for the attribute. This allows the SASL mechanism to
continue to work if the provider is offline. This can
cause replication inconsistency. Defaults to FALSE.
olcSaslHost: <fqdn>
Used to specify the fully qualified domain name used for
SASL processing.
olcSaslRealm: <realm>
Specify SASL realm. Default is empty.
olcSaslCbinding: none | tls-unique | tls-endpoint
Specify the channel-binding type, see also
LDAP_OPT_X_SASL_CBINDING. Default is none.
olcSaslSecProps: <properties>
Used to specify Cyrus SASL security properties. The none
flag (without any other properties) causes the flag
properties default, "noanonymous,noplain", to be cleared.
The noplain flag disables mechanisms susceptible to simple
passive attacks. The noactive flag disables mechanisms
susceptible to active attacks. The nodict flag disables
mechanisms susceptible to passive dictionary attacks. The
noanonymous flag disables mechanisms which support
anonymous login. The forwardsec flag requires forward
secrecy between sessions. The passcred flag requires
mechanisms which pass client credentials (and allows
mechanisms which can pass credentials to do so). The
minssf=<factor> property specifies the minimum acceptable
security strength factor as an integer approximate to
effective key length used for encryption. 0 (zero) implies
no protection, 1 implies integrity protection only, 128
allows RC4, Blowfish and other similar ciphers, 256 will
require modern ciphers. The default is 0. The
maxssf=<factor> property specifies the maximum acceptable
security strength factor as an integer (see minssf
description). The default is INT_MAX. The
maxbufsize=<size> property specifies the maximum security
layer receive buffer size allowed. 0 disables security
layers. The default is 65536.
olcServerID: <integer> [<URL>]
Specify an integer ID from 0 to 4095 for this server. The
ID may also be specified as a hexadecimal ID by prefixing
the value with "0x". Non-zero IDs are required when using
multi-provider replication and each provider must have a
unique non-zero ID. Note that this requirement also
applies to separate providers contributing to a glued set
of databases. If the URL is provided, this directive may
be specified multiple times, providing a complete list of
participating servers and their IDs. The fully qualified
hostname of each server should be used in the supplied
URLs. The IDs are used in the "replica id" field of all
CSNs generated by the specified server. The default value
is zero, which is only valid for single provider
replication. Example:
olcServerID: 1 ldap://ldap1.example.com
olcServerID: 2 ldap://ldap2.example.com
olcSockbufMaxIncoming: <integer>
Specify the maximum incoming LDAP PDU size for anonymous
sessions. The default is 262143.
olcSockbufMaxIncomingAuth: <integer>
Specify the maximum incoming LDAP PDU size for
authenticated sessions. The default is 4194303.
olcTCPBuffer [listener=<URL>] [{read|write}=]<size>
Specify the size of the TCP buffer. A global value for
both read and write TCP buffers related to any listener is
defined, unless the listener is explicitly specified, or
either the read or write qualifiers are used. See tcp(7)
for details. Note that some OS-es implement automatic TCP
buffer tuning.
olcThreads: <integer>
Specify the maximum size of the primary thread pool. The
default is 16; the minimum value is 2.
olcThreadQueues: <integer>
Specify the number of work queues to use for the primary
thread pool. The default is 1 and this is typically
adequate for up to 8 CPU cores. The value should not
exceed the number of CPUs in the system.
olcToolThreads: <integer>
Specify the maximum number of threads to use in tool mode.
This should not be greater than the number of CPUs in the
system. The default is 1.
olcWriteTimeout: <integer>
Specify the number of seconds to wait before forcibly
closing a connection with an outstanding write. This
allows recovery from various network hang conditions. A
setting of 0 disables this feature. The default is 0.