---

   slapd.conf    ( 5 )

---

GENERAL DATABASE OPTIONS

Options in this section only apply to the configuration file section for the database in which they are defined. They are supported by every type of backend. Note that the database and at least one suffix option are mandatory for each database.

database <databasetype> Mark the beginning of a new database instance definition. <databasetype> should be one of asyncmeta, config, dnssrv, ldap, ldif, mdb, meta, monitor, null, passwd, perl, relay, sock, sql, or wt, depending on which backend will serve the database.

LDAP operations, even subtree searches, normally access only one database. That can be changed by gluing databases together with the subordinate keyword. Access controls and some overlays can also involve multiple databases.

add_content_acl on | off Controls whether Add operations will perform ACL checks on the content of the entry being added. This check is off by default. See the slapd.access(5) manual page for more details on ACL requirements for Add operations.

extra_attrs <attrlist> Lists what attributes need to be added to search requests. Local storage backends return the entire entry to the frontend. The frontend takes care of only returning the requested attributes that are allowed by ACLs. However, features like access checking and so may need specific attributes that are not automatically returned by remote storage backends, like proxy backends and so on. <attrlist> is a list of attributes that are needed for internal purposes and thus always need to be collected, even when not explicitly requested by clients.

hidden on | off Controls whether the database will be used to answer queries. A database that is hidden will never be selected to answer any queries, and any suffix configured on the database will be ignored in checks for conflicts with other databases. By default, hidden is off.

lastmod on | off Controls whether slapd will automatically maintain the modifiersName, modifyTimestamp, creatorsName, and createTimestamp attributes for entries. It also controls the entryCSN and entryUUID attributes, which are needed by the syncrepl provider. By default, lastmod is on.

lastbind on | off Controls whether slapd will automatically maintain the pwdLastSuccess attribute for entries. By default, lastbind is off.

lastbind-precision <number> If lastbind is enabled, a new value is written only if the current one is more than number seconds in the past.

limits <selector> <limit> [<limit> [...]] Specify time and size limits based on the operation's initiator or base DN. The argument <selector> can be any of

anonymous | users | [<dnspec>=]<pattern> | group[/oc[/at]]=<pattern>

with

<dnspec> ::= dn[.<type>][.<style>]

<type> ::= self | this

<style> ::= exact | base | onelevel | subtree | children | regex | anonymous

DN type self is the default and means the bound user, while this means the base DN of the operation. The term anonymous matches all unauthenticated clients. The term users matches all authenticated clients; otherwise an exact dn pattern is assumed unless otherwise specified by qualifying the (optional) key string dn with exact or base (which are synonyms), to require an exact match; with onelevel, to require exactly one level of depth match; with subtree, to allow any level of depth match, including the exact match; with children, to allow any level of depth match, not including the exact match; regex explicitly requires the (default) match based on POSIX (''extended'') regular expression pattern. Finally, anonymous matches unbound operations; the pattern field is ignored. The same behavior is obtained by using the anonymous form of the <selector> clause. The term group, with the optional objectClass oc and attributeType at fields, followed by pattern, sets the limits for any DN listed in the values of the at attribute (default member) of the oc group objectClass (default groupOfNames) whose DN exactly matches pattern.

The currently supported limits are size and time.

The syntax for time limits is time[.{soft|hard}]=<integer>, where integer is the number of seconds slapd will spend answering a search request. If no time limit is explicitly requested by the client, the soft limit is used; if the requested time limit exceeds the hard limit, the value of the limit is used instead. If the hard limit is set to the keyword soft, the soft limit is used in either case; if it is set to the keyword unlimited, no hard limit is enforced. Explicit requests for time limits smaller or equal to the hard limit are honored. If no limit specifier is set, the value is assigned to the soft limit, and the hard limit is set to soft, to preserve the original behavior.

The syntax for size limits is size[.{soft|hard|unchecked}]=<integer>, where integer is the maximum number of entries slapd will return answering a search request. If no size limit is explicitly requested by the client, the soft limit is used; if the requested size limit exceeds the hard limit, the value of the limit is used instead. If the hard limit is set to the keyword soft, the soft limit is used in either case; if it is set to the keyword unlimited, no hard limit is enforced. Explicit requests for size limits smaller or equal to the hard limit are honored. The unchecked specifier sets a limit on the number of candidates a search request is allowed to examine. The rationale behind it is that searches for non-properly indexed attributes may result in large sets of candidates, which must be examined by slapd(8) to determine whether they match the search filter or not. The unchecked limit provides a means to drop such operations before they are even started. If the selected candidates exceed the unchecked limit, the search will abort with Unwilling to perform. If it is set to the keyword unlimited, no limit is applied (the default). If it is set to disabled, the search is not even performed; this can be used to disallow searches for a specific set of users. If no limit specifier is set, the value is assigned to the soft limit, and the hard limit is set to soft, to preserve the original behavior.

In case of no match, the global limits are used. The default values are the same as for sizelimit and timelimit; no limit is set on unchecked.

If pagedResults control is requested, the hard size limit is used by default, because the request of a specific page size is considered an explicit request for a limitation on the number of entries to be returned. However, the size limit applies to the total count of entries returned within the search, and not to a single page. Additional size limits may be enforced; the syntax is size.pr={<integer>|noEstimate|unlimited}, where integer is the max page size if no explicit limit is set; the keyword noEstimate inhibits the server from returning an estimate of the total number of entries that might be returned (note: the current implementation does not return any estimate). The keyword unlimited indicates that no limit is applied to the pagedResults control page size. The syntax size.prtotal={<integer>|hard|unlimited|disabled} allows one to set a limit on the total number of entries that the pagedResults control will return. By default it is set to the hard limit which will use the size.hard value. When set, integer is the max number of entries that the whole search with pagedResults control can return. Use unlimited to allow unlimited number of entries to be returned, e.g. to allow the use of the pagedResults control as a means to circumvent size limitations on regular searches; the keyword disabled disables the control, i.e. no paged results can be returned. Note that the total number of entries returned when the pagedResults control is requested cannot exceed the hard size limit of regular searches unless extended by the prtotal switch.

The limits statement is typically used to let an unlimited number of entries be returned by searches performed with the identity used by the consumer for synchronization purposes by means of the RFC 4533 LDAP Content Synchronization protocol (see syncrepl for details).

When using subordinate databases, it is necessary for any limits that are to be applied across the parent and its subordinates to be defined in both the parent and its subordinates. Otherwise the settings on the subordinate databases are not honored.

maxderefdepth <depth> Specifies the maximum number of aliases to dereference when trying to resolve an entry, used to avoid infinite alias loops. The default is 15.

multiprovider on | off This option puts a consumer database into Multi-Provider mode. Update operations will be accepted from any user, not just the updatedn. The database must already be configured as a syncrepl consumer before this keyword may be set. This mode also requires a serverID (see above) to be configured. By default, multiprovider is off.

monitoring on | off This option enables database-specific monitoring in the entry related to the current database in the "cn=Databases,cn=Monitor" subtree of the monitor database, if the monitor database is enabled. Currently, only the MDB database provides database-specific monitoring. The default depends on the backend type.

overlay <overlay-name> Add the specified overlay to this database. An overlay is a piece of code that intercepts database operations in order to extend or change them. Overlays are pushed onto a stack over the database, and so they will execute in the reverse of the order in which they were configured and the database itself will receive control last of all. See the slapd.overlays(5) manual page for an overview of the available overlays. Note that all of the database's regular settings should be configured before any overlay settings.

readonly on | off This option puts the database into "read-only" mode. Any attempts to modify the database will return an "unwilling to perform" error. By default, readonly is off.

restrict <oplist> Specify a whitespace separated list of operations that are restricted. If defined inside a database specification, restrictions apply only to that database, otherwise they are global. Operations can be any of add, bind, compare, delete, extended[=<OID>], modify, rename, search, or the special pseudo-operations read and write, which respectively summarize read and write operations. The use of restrict write is equivalent to readonly on (see above). The extended keyword allows one to indicate the OID of the specific operation to be restricted.

rootdn <dn> Specify the distinguished name that is not subject to access control or administrative limit restrictions for operations on this database. This DN may or may not be associated with an entry. An empty root DN (the default) specifies no root access is to be granted. It is recommended that the rootdn only be specified when needed (such as when initially populating a database). If the rootdn is within a namingContext (suffix) of the database, a simple bind password may also be provided using the rootpw directive. Many optional features, including syncrepl, require the rootdn to be defined for the database.

rootpw <password> Specify a password (or hash of the password) for the rootdn. The password can only be set if the rootdn is within the namingContext (suffix) of the database. This option accepts all RFC 2307 userPassword formats known to the server (see password-hash description) as well as cleartext. slappasswd(8) may be used to generate a hash of a password. Cleartext and {CRYPT} passwords are not recommended. If empty (the default), authentication of the root DN is by other means (e.g. SASL). Use of SASL is encouraged.

suffix <dn suffix> Specify the DN suffix of queries that will be passed to this backend database. Multiple suffix lines can be given and at least one is required for each database definition.

If the suffix of one database is "inside" that of another, the database with the inner suffix must come first in the configuration file. You may also want to glue such databases together with the subordinate keyword.

subordinate [advertise] Specify that the current backend database is a subordinate of another backend database. A subordinate database may have only one suffix. This option may be used to glue multiple databases into a single namingContext. If the suffix of the current database is within the namingContext of a superior database, searches against the superior database will be propagated to the subordinate as well. All of the databases associated with a single namingContext should have identical rootdns. Behavior of other LDAP operations is unaffected by this setting. In particular, it is not possible to use moddn to move an entry from one subordinate to another subordinate within the namingContext.

If the optional advertise flag is supplied, the naming context of this database is advertised in the root DSE. The default is to hide this database context, so that only the superior context is visible.

If the slap tools slapcat(8), slapadd(8), slapmodify(8), or slapindex(8) are used on the superior database, any glued subordinates that support these tools are opened as well.

Databases that are glued together should usually be configured with the same indices (assuming they support indexing), even for attributes that only exist in some of these databases. In general, all of the glued databases should be configured as similarly as possible, since the intent is to provide the appearance of a single directory.

Note that the subordinate functionality is implemented internally by the glue overlay and as such its behavior will interact with other overlays in use. By default, the glue overlay is automatically configured as the last overlay on the superior backend. Its position on the backend can be explicitly configured by setting an overlay glue directive at the desired position. This explicit configuration is necessary e.g. when using the syncprov overlay, which needs to follow glue in order to work over all of the glued databases. E.g. database mdb suffix dc=example,dc=com ... overlay glue overlay syncprov

sync_use_subentry Store the syncrepl contextCSN in a subentry instead of the context entry of the database. The subentry's RDN will be "cn=ldapsync". By default the contextCSN is stored in the context entry.

syncrepl rid=<replica ID> provider=ldap[s]://<hostname>[:port] searchbase=<base DN> [type=refreshOnly|refreshAndPersist] [interval=dd:hh:mm:ss] [retry=[<retry interval> <# of retries>]+] [filter=<filter str>] [scope=sub|one|base|subord] [attrs=<attr list>] [exattrs=<attr list>] [attrsonly] [sizelimit=<limit>] [timelimit=<limit>] [schemachecking=on|off] [network-timeout=<seconds>] [timeout=<seconds>] [tcp-user-timeout=<milliseconds>] [bindmethod=simple|sasl] [binddn=<dn>] [saslmech=<mech>] [authcid=<identity>] [authzid=<identity>] [credentials=<passwd>] [realm=<realm>] [secprops=<properties>] [keepalive=<idle>:<probes>:<interval>] [starttls=yes|critical] [tls_cert=<file>] [tls_key=<file>] [tls_cacert=<file>] [tls_cacertdir=<path>] [tls_reqcert=never|allow|try|demand] [tls_reqsan=never|allow|try|demand] [tls_cipher_suite=<ciphers>] [tls_ecname=<names>] [tls_crlcheck=none|peer|all] [tls_protocol_min=<major>[.<minor>]] [suffixmassage=<real DN>] [logbase=<base DN>] [logfilter=<filter str>] [syncdata=default|accesslog|changelog] [lazycommit] Specify the current database as a consumer which is kept up-to-date with the provider content by establishing the current slapd(8) as a replication consumer site running a syncrepl replication engine. The consumer content is kept synchronized to the provider content using the LDAP Content Synchronization protocol. Refer to the "OpenLDAP Administrator's Guide" for detailed information on setting up a replicated slapd directory service using the syncrepl replication engine.

rid identifies the current syncrepl directive within the replication consumer site. It is a non-negative integer not greater than 999 (limited to three decimal digits).

provider specifies the replication provider site containing the provider content as an LDAP URI. If <port> is not given, the standard LDAP port number (389 or 636) is used.

The content of the syncrepl consumer is defined using a search specification as its result set. The consumer slapd will send search requests to the provider slapd according to the search specification. The search specification includes searchbase, scope, filter, attrs, attrsonly, sizelimit, and timelimit parameters as in the normal search specification. The exattrs option may also be used to specify attributes that should be omitted from incoming entries. The scope defaults to sub, the filter defaults to (objectclass=*), and there is no default searchbase. The attrs list defaults to "*,+" to return all user and operational attributes, and attrsonly and exattrs are unset by default. The sizelimit and timelimit only accept "unlimited" and positive integers, and both default to "unlimited". The sizelimit and timelimit parameters define a consumer requested limitation on the number of entries that can be returned by the LDAP Content Synchronization operation; as such, it is intended to implement partial replication based on the size of the replicated database and on the time required by the synchronization. Note, however, that any provider-side limits for the replication identity will be enforced by the provider regardless of the limits requested by the LDAP Content Synchronization operation, much like for any other search operation.

The LDAP Content Synchronization protocol has two operation types. In the refreshOnly operation, the next synchronization search operation is periodically rescheduled at an interval time (specified by interval parameter; 1 day by default) after each synchronization operation finishes. In the refreshAndPersist operation, a synchronization search remains persistent in the provider slapd. Further updates to the provider will generate searchResultEntry to the consumer slapd as the search responses to the persistent synchronization search. If the initial search fails due to an error, the next synchronization search operation is periodically rescheduled at an interval time (specified by interval parameter; 1 day by default)

If an error occurs during replication, the consumer will attempt to reconnect according to the retry parameter which is a list of the <retry interval> and <# of retries> pairs. For example, retry="60 10 300 3" lets the consumer retry every 60 seconds for the first 10 times and then retry every 300 seconds for the next 3 times before stop retrying. The `+' in <# of retries> means indefinite number of retries until success. If no retry is specified, by default syncrepl retries every hour forever.

The schema checking can be enforced at the LDAP Sync consumer site by turning on the schemachecking parameter. The default is off. Schema checking on means that replicated entries must have a structural objectClass, must obey to objectClass requirements in terms of required/allowed attributes, and that naming attributes and distinguished values must be present. As a consequence, schema checking should be off when partial replication is used.

The network-timeout parameter sets how long the consumer will wait to establish a network connection to the provider. Once a connection is established, the timeout parameter determines how long the consumer will wait for the initial Bind request to complete. The defaults for these parameters come from ldap.conf(5). The tcp-user-timeout parameter, if non-zero, corresponds to the TCP_USER_TIMEOUT set on the target connections, overriding the operating system setting. Only some systems support the customization of this parameter, it is ignored otherwise and system-wide settings are used.

A bindmethod of simple requires the options binddn and credentials and should only be used when adequate security services (e.g. TLS or IPSEC) are in place. REMEMBER: simple bind credentials must be in cleartext! A bindmethod of sasl requires the option saslmech. Depending on the mechanism, an authentication identity and/or credentials can be specified using authcid and credentials. The authzid parameter may be used to specify an authorization identity. Specific security properties (as with the sasl-secprops keyword above) for a SASL bind can be set with the secprops option. A non default SASL realm can be set with the realm option. The identity used for synchronization by the consumer should be allowed to receive an unlimited number of entries in response to a search request. The provider, other than allowing authentication of the syncrepl identity, should grant that identity appropriate access privileges to the data that is being replicated (access directive), and appropriate time and size limits. This can be accomplished by either allowing unlimited sizelimit and timelimit, or by setting an appropriate limits statement in the consumer's configuration (see sizelimit and limits for details).

The keepalive parameter sets the values of idle, probes, and interval used to check whether a socket is alive; idle is the number of seconds a connection needs to remain idle before TCP starts sending keepalive probes; probes is the maximum number of keepalive probes TCP should send before dropping the connection; interval is interval in seconds between individual keepalive probes. Only some systems support the customization of these values; the keepalive parameter is ignored otherwise, and system-wide settings are used.

The starttls parameter specifies use of the StartTLS extended operation to establish a TLS session before Binding to the provider. If the critical argument is supplied, the session will be aborted if the StartTLS request fails. Otherwise the syncrepl session continues without TLS. The tls_reqcert setting defaults to "demand", the tls_reqsan setting defaults to "allow", and the other TLS settings default to the same as the main slapd TLS settings.

The suffixmassage parameter allows the consumer to pull entries from a remote directory whose DN suffix differs from the local directory. The portion of the remote entries' DNs that matches the searchbase will be replaced with the suffixmassage DN.

Rather than replicating whole entries, the consumer can query logs of data modifications. This mode of operation is referred to as delta syncrepl. In addition to the above parameters, the logbase and logfilter parameters must be set appropriately for the log that will be used. The syncdata parameter must be set to either "accesslog" if the log conforms to the slapo-accesslog(5) log format, or "changelog" if the log conforms to the obsolete changelog format. If the syncdata parameter is omitted or set to "default" then the log parameters are ignored.

The lazycommit parameter tells the underlying database that it can store changes without performing a full flush after each change. This may improve performance for the consumer, while sacrificing safety or durability.

updatedn <dn> This option is only applicable in a replica database. It specifies the DN permitted to update (subject to access controls) the replica. It is only needed in certain push- mode replication scenarios. Generally, this DN should not be the same as the rootdn used at the provider.

updateref <url> Specify the referral to pass back when slapd(8) is asked to modify a replicated local database. If specified multiple times, each url is provided.