slapd-config(5)


NAME

   slapd-config - configuration backend to slapd

SYNOPSIS

   /etc/ldap/slapd.d

DESCRIPTION

   The config backend manages all of the configuration information for the
   slapd(8) daemon.  This configuration information is also  used  by  the
   SLAPD tools slapacl(8), slapadd(8), slapauth(8), slapcat(8), slapdn(8),
   slapindex(8), and slaptest(8).

   The config backend is backward compatible with the older  slapd.conf(5)
   file  but  provides the ability to change the configuration dynamically
   at runtime. If slapd is run with only a slapd.conf file dynamic changes
   will  be  allowed  but  they  will not persist across a server restart.
   Dynamic changes are only saved when slapd is  running  from  a  slapd.d
   configuration directory.

   Unlike  other  backends,  there  can only be one instance of the config
   backend, and most of its structure  is  predefined.  The  root  of  the
   database  is hardcoded to cn=config and this root entry contains global
   settings for slapd. Multiple child entries underneath  the  root  entry
   are used to carry various other settings:

          cn=Module
                 dynamically loaded modules

          cn=Schema
                 schema definitions

          olcBackend=xxx
                 backend-specific settings

          olcDatabase=xxx
                 database-specific settings

   The  cn=Module  entries  will only appear in configurations where slapd
   was built with support for dynamically loaded  modules.  There  can  be
   multiple  entries,  one  for  each  configured module path. Within each
   entry there will be values recorded for each module loaded on  a  given
   path. These entries have no children.

   The cn=Schema entry contains all of the hardcoded schema elements.  The
   children of this entry contain all user-defined  schema  elements.   In
   schema  that  were  loaded  from include files, the child entry will be
   named after  the  include  file  from  which  the  schema  was  loaded.
   Typically    the    first    child    in    this    subtree   will   be
   cn=core,cn=schema,cn=config.

   olcBackend entries are  for  storing  settings  specific  to  a  single
   backend  type (and thus global to all database instances of that type).
   At present there are  no  backends  that  implement  settings  of  this
   nature, so usually there will not be any olcBackend entries.

   olcDatabase  entries  store  settings  specific  to  a  single database
   instance. These entries may have olcOverlay child entries corresponding
   to  any  overlays  configured  on  the  database.  The  olcDatabase and
   olcOverlay entries may also have miscellaneous child entries for  other
   settings  as  needed.  There  are two special database entries that are
   predefined - one is an entry for the config database  itself,  and  the
   other is for the "frontend" database. Settings in the frontend database
   are inherited by  the  other  databases,  unless  they  are  explicitly
   overridden in a specific database.

   The specific configuration options available are discussed below in the
   Global Configuration Options,  General  Backend  Options,  and  General
   Database  Options.  Options  are  set  by defining LDAP attributes with
   specific values.  In general the names of the LDAP attributes  are  the
   same  as  the  corresponding  slapd.conf  keyword, with an "olc" prefix
   added on.

   The parser for many of these attributes is the same as used for parsing
   the  slapd.conf  keywords.  As  such,  slapd.conf  keywords  that allow
   multiple items to be specified on one line,  separated  by  whitespace,
   will  allow  multiple  items  to  be  specified in one attribute value.
   However, when reading  the  attribute  via  LDAP,  the  items  will  be
   returned as individual attribute values.

   Backend-specific options are discussed in the slapd-<backend>(5) manual
   pages.  Refer to the "OpenLDAP Administrator's Guide" for more  details
   on configuring slapd.

GLOBAL CONFIGURATION OPTIONS

   Options  described  in  this  section  apply  to the server as a whole.
   Arguments that should be replaced by actual text are shown in  brackets
   <>.

   These  options may only be specified in the cn=config entry. This entry
   must have an objectClass of olcGlobal.

   olcAllows: <features>
          Specify a set of features  to  allow  (default  none).   bind_v2
          allows  acceptance  of LDAPv2 bind requests.  Note that slapd(8)
          does not truly implement LDAPv2 (RFC 1777),  now  Historic  (RFC
          3494).   bind_anon_cred  allows  anonymous bind when credentials
          are not empty (e.g.  when DN  is  empty).   bind_anon_dn  allows
          unauthenticated   (anonymous)   bind   when  DN  is  not  empty.
          update_anon allows unauthenticated (anonymous) update operations
          to   be   processed   (subject  to  access  controls  and  other
          administrative limits).  proxy_authz_anon allows unauthenticated
          (anonymous) proxy authorization control to be processed (subject
          to  access  controls,  authorization  and  other  administrative
          limits).

   olcArgsFile: <filename>
          The  (absolute) name of a file that will hold the slapd server's
          command line (program name and options).

   olcAttributeOptions: <option-name>...
          Define tagging attribute options or option  tag/range  prefixes.
          Options  must not end with `-', prefixes must end with `-'.  The
          `lang-'   prefix   is    predefined.     If    you    use    the
          olcAttributeOptions directive, `lang-' will no longer be defined
          and you must specify it explicitly if you want it defined.

          An attribute description with a tagging option is a  subtype  of
          that attribute description without the option.  Except for that,
          options defined this way have no  special  semantics.   Prefixes
          defined  this  way  work like the `lang-' options: They define a
          prefix for tagging options starting with the prefix.   That  is,
          if  you  define  the  prefix  `x-foo-',  you  can use the option
          `x-foo-bar'.  Furthermore, in a search or compare, a  prefix  or
          range  name  (with  a trailing `-') matches all options starting
          with that name, as well as the option with the range  name  sans
          the trailing `-'.  That is, `x-foo-bar-' matches `x-foo-bar' and
          `x-foo-bar-baz'.

          RFC 4520  reserves  options  beginning  with  `x-'  for  private
          experiments.   Other options should be registered with IANA, see
          RFC 4520 section 3.5.  OpenLDAP also  has  the  `binary'  option
          built in, but this is a transfer option, not a tagging option.

   olcAuthIDRewrite: <rewrite-rule>
          Used  by  the  authentication  framework  to convert simple user
          names to an  LDAP  DN  used  for  authorization  purposes.   Its
          purpose is analogous to that of olcAuthzRegexp (see below).  The
          rewrite-rule is a set of rules analogous to those  described  in
          slapo-rwm(5)  for  data  rewriting  (after  stripping  the  rwm-
          prefix).  olcAuthIDRewrite  and  olcAuthzRegexp  should  not  be
          intermixed.

   olcAuthzPolicy: <policy>
          Used  to  specify  which  rules  to use for Proxy Authorization.
          Proxy authorization allows  a  client  to  authenticate  to  the
          server  using  one  user's  credentials, but specify a different
          identity to use for authorization and access  control  purposes.
          It  essentially allows user A to login as user B, using user A's
          password.  The none flag disables proxy authorization.  This  is
          the  default  setting.   The  from  flag  will  use rules in the
          authzFrom attribute of the authorization DN.  The to  flag  will
          use  rules  in  the  authzTo attribute of the authentication DN.
          The any flag, an alias for the deprecated value  of  both,  will
          allow  any of the above, whatever succeeds first (checked in to,
          from sequence.  The all flag  requires  both  authorizations  to
          succeed.

          The rules are mechanisms to specify which identities are allowed
          to perform proxy authorization.  The authzFrom attribute  in  an
          entry  specifies which other users are allowed to proxy login to
          this entry. The authzTo attribute in an  entry  specifies  which
          other  users  this  user can authorize as.  Use of authzTo rules
          can be easily abused if users are  allowed  to  write  arbitrary
          values to this attribute.  In general the authzTo attribute must
          be protected with ACLs  such  that  only  privileged  users  can
          modify  it.   The  value  of  authzFrom and authzTo describes an
          identity or a set of identities; it can take five forms:

                 ldap:///<base>??[<scope>]?<filter>
                 dn[.<dnstyle>]:<pattern>
                 u[<mech>[<realm>]]:<pattern>
                 group[/objectClass[/attributeType]]:<pattern>
                 <pattern>

                 <dnstyle>:={exact|onelevel|children|subtree|regex}

          The first form is a valid LDAP URI where the <host>:<port>,  the
          <attrs>  and  the  <extensions> portions must be absent, so that
          the search occurs locally on either authzFrom or  authzTo.   The
          second  form  is  a DN, with the optional style modifiers exact,
          onelevel, children, and subtree for  exact,  onelevel,  children
          and  subtree  matches,  which  cause  <pattern> to be normalized
          according to the DN normalization rules, or  the  special  regex
          style,  which  causes  the  <pattern>  to  be treated as a POSIX
          (''extended'') regular  expression,  as  discussed  in  regex(7)
          and/or re_format(7).  A pattern of * means any non-anonymous DN.
          The third form is a SASL id, with the optional fields <mech> and
          <realm> that allow to specify a SASL mechanism, and eventually a
          SASL realm, for those mechanisms that support one.  The need  to
          allow  the  specification  of  a mechanism is still debated, and
          users are strongly discouraged to rely on this possibility.  The
          fourth  form is a group specification, consisting of the keyword
          group, optionally followed by the  specification  of  the  group
          objectClass   and  member  attributeType.   The  group  with  DN
          <pattern> is searched with base scope, and in case of match, the
          values of the member attributeType are searched for the asserted
          DN.   For  backwards  compatibility,  if  no  identity  type  is
          provided,  i.e.  only  <pattern>  is  present,  an  exact  DN is
          assumed;  as  a  consequence,  <pattern>  is  subjected  to   DN
          normalization.    Since  the  interpretation  of  authzFrom  and
          authzTo can impact security, users are  strongly  encouraged  to
          explicitly  set the type of identity specification that is being
          used.  A subset of these rules can be used as third arg  in  the
          olcAuthzRegexp statement (see below); significantly, the URI and
          the dn.exact:<dn> forms.

   olcAuthzRegexp: <match> <replace>
          Used by the authentication  framework  to  convert  simple  user
          names,  such  as  provided by SASL subsystem, to an LDAP DN used
          for authorization purposes.  Note that the resultant DN need not
          refer  to  an  existing  entry  to be considered valid.  When an
          authorization request is received from the SASL  subsystem,  the
          SASL  USERNAME,  REALM, and MECHANISM are taken, when available,
          and combined into a name of the form

                 UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth

          This  name  is   then   compared   against   the   match   POSIX
          (''extended'')   regular   expression,   and  if  the  match  is
          successful, the name is replaced with the  replace  string.   If
          there  are wildcard strings in the match regular expression that
          are enclosed in parenthesis, e.g.

                 UID=([^,]*),CN=.*

          then the portion of the name that matched the wildcard  will  be
          stored  in  the  numbered  placeholder variable $1. If there are
          other wildcard strings in parenthesis, the matching strings will
          be  in  $2, $3, etc. up to $9. The placeholders can then be used
          in the replace string, e.g.

                 UID=$1,OU=Accounts,DC=example,DC=com

          The replaced name can be either a DN, i.e. a string prefixed  by
          "dn:",  or  an LDAP URI.  If the latter, the server will use the
          URI to search its own database(s) and,  if  the  search  returns
          exactly one entry, the name is replaced by the DN of that entry.
          The LDAP  URI  must  have  no  hostport,  attrs,  or  extensions
          components, but the filter is mandatory, e.g.

                 ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)

          The  protocol  portion  of  the URI must be strictly ldap.  Note
          that this search is subject to access  controls.   Specifically,
          the  authentication  identity  must  have  "auth"  access in the
          subject.

          Multiple olcAuthzRegexp values can be  specified  to  allow  for
          multiple   matching   and  replacement  patterns.  The  matching
          patterns are checked in the order they appear in the  attribute,
          stopping at the first successful match.

          Note  that  changes  to olcAuthzRegexp take effect the next time
          the  server  is  started,  not  immediately  upon  changing  the
          configuration.

   olcConcurrency: <integer>
          Specify  a  desired  level  of  concurrency.   Provided  to  the
          underlying thread system as a  hint.   The  default  is  not  to
          provide  any  hint.  This  setting  is  only  meaningful on some
          platforms where there is not a one to one correspondence between
          user threads and kernel threads.

   olcConnMaxPending: <integer>
          Specify  the maximum number of pending requests for an anonymous
          session.  If requests are submitted faster than the  server  can
          process them, they will be queued up to this limit. If the limit
          is exceeded, the session is closed. The default is 100.

   olcConnMaxPendingAuth: <integer>
          Specify  the  maximum  number  of  pending   requests   for   an
          authenticated session.  The default is 1000.

   olcDisallows: <features>
          Specify a set of features to disallow (default none).  bind_anon
          disables acceptance of anonymous bind requests.  Note that  this
          setting  does  not  prohibit  anonymous  directory  access  (See
          "require   authc").    bind_simple   disables   simple    (bind)
          authentication.    tls_2_anon   disables   forcing   session  to
          anonymous status (see also tls_authc)  upon  StartTLS  operation
          receipt.    tls_authc   disallows   the  StartTLS  operation  if
          authenticated (see also tls_2_anon).

   olcGentleHUP: { TRUE | FALSE }
          A SIGHUP signal will only  cause  a  'gentle'  shutdown-attempt:
          Slapd  will  stop  listening  for  new connections, but will not
          close the connections to  the  current  clients.   Future  write
          operations    return    unwilling-to-perform,   though.    Slapd
          terminates when all clients have closed  their  connections  (if
          they ever do), or - as before - if it receives a SIGTERM signal.
          This can be useful if you wish to terminate the server and start
          a new slapd server with another database, without disrupting the
          currently active clients.  The default is FALSE.  You  may  wish
          to use olcIdleTimeout along with this option.

   olcIdleTimeout: <integer>
          Specify the number of seconds to wait before forcibly closing an
          idle client connection.  A setting of 0 disables  this  feature.
          The  default  is 0. You may also want to set the olcWriteTimeout
          option.

   olcIndexIntLen: <integer>
          Specify the key length for ordered  integer  indices.  The  most
          significant  bytes  of the binary integer will be used for index
          keys. The default value is 4, which provides exact indexing  for
          31 bit values.  A floating point representation is used to index
          too large values.

   olcIndexSubstrIfMaxlen: <integer>
          Specify the maximum length for subinitial and subfinal  indices.
          Only  this  many  characters  of  an  attribute  value  will  be
          processed by the indexing functions; any excess  characters  are
          ignored. The default is 4.

   olcIndexSubstrIfMinlen: <integer>
          Specify  the minimum length for subinitial and subfinal indices.
          An attribute value must have at least this  many  characters  in
          order  to be processed by the indexing functions. The default is
          2.

   olcIndexSubstrAnyLen: <integer>
          Specify the length used for subany indices. An  attribute  value
          must  have  at  least  this  many  characters  in  order  to  be
          processed. Attribute values longer  than  this  length  will  be
          processed  in  segments  of  this  length. The default is 4. The
          subany index will also be used in subinitial and subfinal  index
          lookups   when   the   filter   string   is   longer   than  the
          olcIndexSubstrIfMaxlen value.

   olcIndexSubstrAnyStep: <integer>
          Specify the steps used in subany index lookups. This value  sets
          the  offset  for  the  segments  of  a  filter  string  that are
          processed for a subany index  lookup.  The  default  is  2.  For
          example,  with  the  default  values, a search using this filter
          "cn=*abcdefgh*" would generate index lookups for "abcd", "cdef",
          and "efgh".

   Note:  Indexing support depends on the particular backend in use. Also,
   changing these settings will generally  require  deleting  any  indices
   that depend on these parameters and recreating them with slapindex(8).

   olcListenerThreads: <integer>
          Specify the number of threads to use for the connection manager.
          The default is 1 and this is typically adequate for up to 16 CPU
          cores.  The value should be set to a power of 2.

   olcLocalSSF: <SSF>
          Specifies  the  Security Strength Factor (SSF) to be given local
          LDAP sessions, such as those to the ldapi://  listener.   For  a
          description  of  SSF values, see olcSaslSecProps's minssf option
          description.  The default is 71.

   olcLogFile: <filename>
          Specify a file for recording  debug  log  messages.  By  default
          these  messages  only go to stderr and are not recorded anywhere
          else. Specifying a logfile copies messages to  both  stderr  and
          the logfile.

   olcLogLevel: <integer> [...]
          Specify  the  level  at which debugging statements and operation
          statistics  should  be  syslogged  (currently  logged   to   the
          syslogd(8)   LOG_LOCAL4  facility).   They  must  be  considered
          subsystems rather than increasingly verbose  log  levels.   Some
          messages  with  higher  priority  are  logged  regardless of the
          configured loglevel as soon as any logging is  configured.   Log
          levels are additive, and available levels are:
                 1      (0x1 trace) trace function calls
                 2      (0x2 packets) debug packet handling
                 4      (0x4 args) heavy trace debugging (function args)
                 8      (0x8 conns) connection management
                 16     (0x10 BER) print out packets sent and received
                 32     (0x20 filter) search filter processing
                 64     (0x40 config) configuration file processing
                 128    (0x80 ACL) access control list processing
                 256    (0x100          stats)          stats          log
                        connections/operations/results
                 512    (0x200 stats2) stats log entries sent
                 1024   (0x400  shell)  print  communication  with   shell
                        backends
                 2048   (0x800 parse) entry parsing

                 16384  (0x4000 sync) LDAPSync replication
                 32768  (0x8000   none)  only  messages  that  get  logged
                        whatever log level is set
          The desired log level can be input  as  a  single  integer  that
          combines  the  (ORed)  desired  levels,  both  in  decimal or in
          hexadecimal notation, as a  list  of  integers  (that  are  ORed
          internally),  or  as  a list of the names that are shown between
          brackets, such that

              olcLogLevel: 129
              olcLogLevel: 0x81
              olcLogLevel: 128 1
              olcLogLevel: 0x80 0x1
              olcLogLevel: acl trace

          are equivalent.  The keyword any can be used as  a  shortcut  to
          enable  logging  at  all levels (equivalent to -1).  The keyword
          none, or the equivalent  integer  representation,  causes  those
          messages   that   are   logged   regardless  of  the  configured
          olcLogLevel to be logged.  In fact, if no olcLogLevel  (or  a  0
          level) is defined, no logging occurs, so at least the none level
          is required to have high priority messages logged.

   olcPasswordCryptSaltFormat: <format>
          Specify  the  format  of  the  salt  passed  to  crypt(3)   when
          generating   {CRYPT}   passwords  (see  olcPasswordHash)  during
          processing of LDAP  Password  Modify  Extended  Operations  (RFC
          3062).

          This string needs to be in sprintf(3) format and may include one
          (and  only  one)  %s  conversion.   This  conversion   will   be
          substituted   with   a   string   of   random   characters  from
          [A-Za-z0-9./].  For example, "%.2s"  provides  a  two  character
          salt and "$1$%.8s" tells some versions of crypt(3) to use an MD5
          algorithm and provides 8 random characters of salt.  The default
          is "%s", which provides 31 characters of salt.

   olcPidFile: <filename>
          The  (absolute) name of a file that will hold the slapd server's
          process ID (see getpid(2)).

   olcPluginLogFile: <filename>
          The ( absolute ) name of a file that will contain  log  messages
          from SLAPI plugins. See slapd.plugin(5) for details.

   olcReferral: <url>
          Specify  the  referral  to pass back when slapd(8) cannot find a
          local database to handle a  request.   If  multiple  values  are
          specified, each url is provided.

   olcReverseLookup: TRUE | FALSE
          Enable/disable client name unverified reverse lookup (default is
          FALSE if compiled with --enable-rlookups).

   olcRootDSE: <file>
          Specify the name of an  LDIF(5)  file  containing  user  defined
          attributes  for  the root DSE.  These attributes are returned in
          addition to the attributes normally produced by slapd.

          The root DSE is an entry with information about the  server  and
          its  capabilities,  in operational attributes.  It has the empty
          DN, and can be read with e.g.:
              ldapsearch -x -b "" -s base "+"
          See RFC 4512 section 5.1 for details.

   olcSaslAuxprops: <plugin> [...]
          Specify which auxprop plugins to use for authentication lookups.
          The  default is empty, which just uses slapd's internal support.
          Usually no other auxprop plugins are needed.

   olcSaslHost: <fqdn>
          Used to specify the fully qualified domain name  used  for  SASL
          processing.

   olcSaslRealm: <realm>
          Specify SASL realm.  Default is empty.

   olcSaslSecProps: <properties>
          Used  to  specify Cyrus SASL security properties.  The none flag
          (without  any  other  properties)  causes  the  flag  properties
          default, "noanonymous,noplain", to be cleared.  The noplain flag
          disables mechanisms susceptible to simple passive attacks.   The
          noactive flag disables mechanisms susceptible to active attacks.
          The nodict  flag  disables  mechanisms  susceptible  to  passive
          dictionary  attacks.   The  noanonymous flag disables mechanisms
          which support anonymous  login.   The  forwardsec  flag  require
          forward   secrecy   between   sessions.   The  passcred  require
          mechanisms which pass client credentials (and  allow  mechanisms
          which  can  pass  credentials  to  do  so).  The minssf=<factor>
          property specifies  the  minimum  acceptable  security  strength
          factor  as  an  integer approximate to effective key length used
          for encryption.  0  (zero)  implies  no  protection,  1  implies
          integrity  protection only, 56 allows DES or other weak ciphers,
          112 allows triple DES and other strong ciphers, 128 allows  RC4,
          Blowfish  and  other  modern  strong ciphers.  The default is 0.
          The maxssf=<factor> property specifies  the  maximum  acceptable
          security strength factor as an integer (see minssf description).
          The  default  is  INT_MAX.    The   maxbufsize=<size>   property
          specifies   the  maximum  security  layer  receive  buffer  size
          allowed.  0 disables security layers.  The default is 65536.

   olcServerID: <integer> [<URL>]
          Specify an integer ID from 0 to 4095 for this server (limited to
          3  hexadecimal  digits).   The  ID  may  also  be specified as a
          hexadecimal ID by prefixing the value with "0x".  These IDs  are
          required when using multimaster replication and each master must
          have a unique ID. Note that this  requirement  also  applies  to
          separate  masters  contributing to a glued set of databases.  If
          the URL is provided, this directive may  be  specified  multiple
          times,  providing  a  complete list of participating servers and
          their IDs. The fully qualified hostname of each server should be
          used  in the supplied URLs. The IDs are used in the "replica id"
          field of all CSNs generated by the specified server. The default
          value is zero.  Example:

        olcServerID: 1 ldap://ldap1.example.com
        olcServerID: 2 ldap://ldap2.example.com

   olcSockbufMaxIncoming: <integer>
          Specify  the  maximum  incoming  LDAP  PDU  size  for  anonymous
          sessions.  The default is 262143.

   olcSockbufMaxIncomingAuth: <integer>
          Specify the maximum incoming LDAP  PDU  size  for  authenticated
          sessions.  The default is 4194303.

   olcTCPBuffer [listener=<URL>] [{read|write}=]<size>
          Specify  the  size  of  the TCP buffer.  A global value for both
          read and write TCP buffers related to any listener  is  defined,
          unless  the listener is explicitly specified, or either the read
          or write qualifiers are used.  See  tcp(7)  for  details.   Note
          that some OS-es implement automatic TCP buffer tuning.

   olcThreads: <integer>
          Specify  the  maximum  size  of  the  primary  thread pool.  The
          default is 16; the minimum value is 2.

   olcToolThreads: <integer>
          Specify the maximum number of threads to use in tool mode.  This
          should  not  be  greater  than the number of CPUs in the system.
          The default is 1.

   olcWriteTimeout: <integer>
          Specify the number of seconds to wait before forcibly closing  a
          connection with an outstanding write.  This allows recovery from
          various network hang conditions.  A setting of 0  disables  this
          feature.  The default is 0.

TLS OPTIONS

   If  slapd is built with support for Transport Layer Security, there are
   more options you can specify.

   olcTLSCipherSuite: <cipher-suite-spec>
          Permits configuring  what  ciphers  will  be  accepted  and  the
          preference   order.   <cipher-suite-spec>  should  be  a  cipher
          specification for the TLS library in use  (OpenSSL,  GnuTLS,  or
          Mozilla NSS).  Example:

                 OpenSSL:
                        olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2

                 GnuTLS:
                        TLSCiphersuite SECURE256:!AES-128-CBC

          To check what ciphers a given spec selects in OpenSSL, use:

               openssl ciphers -v <cipher-suite-spec>

          With  GnuTLS the available specs can be found in the manual page
          of gnutls-cli(1) (see the description of the option --priority).

          In older versions of GnuTLS, where gnutls-cli does  not  support
          the  option --priority, you can obtain the --- more limited --- list
          of ciphers by calling:

               gnutls-cli -l

          When using Mozilla NSS, the OpenSSL cipher suite  specifications
          are  used  and  translated  into  the  format used internally by
          Mozilla NSS.  There isn't an easy way to list the cipher  suites
          from  the command line.  The authoritative list is in the source
          code for Mozilla NSS in the file sslinfo.c in the structure
                  static const SSLCipherSuiteInfo suiteInfo[]

   olcTLSCACertificateFile: <filename>
          Specifies the file that contains certificates  for  all  of  the
          Certificate Authorities that slapd will recognize.

   olcTLSCACertificatePath: <path>
          Specifies  the  path  of  a  directory that contains Certificate
          Authority certificates in  separate  individual  files.  Usually
          only  one  of this or the olcTLSCACertificateFile is defined. If
          both are specified, both locations will be used. This  directive
          is not supported when using GnuTLS.

          When  using  Mozilla  NSS,  <path>  may  contain  a  Mozilla NSS
          cert/key database.  If <path> contains a  Mozilla  NSS  cert/key
          database  and  CA  cert  files,  OpenLDAP  will use the cert/key
          database and will ignore the CA cert files.

   olcTLSCertificateFile: <filename>
          Specifies the file that contains the slapd server certificate.

          When using Mozilla NSS, if using a cert/key database  (specified
          with  olcTLSCACertificatePath),  olcTLSCertificateFile specifies
          the name of the certificate to use:
               olcTLSCertificateFile: Server-Cert
          If using a token other than the internal built in token, specify
          the token name first, followed by a colon:
               olcTLSCertificateFile: my hardware device:Server-Cert
          Use certutil -L to list the certificates by name:
               certutil -d /path/to/certdbdir -L

   olcTLSCertificateKeyFile: <filename>
          Specifies  the  file  that contains the slapd server private key
          that matches the certificate stored in the olcTLSCertificateFile
          file.  If  the  private  key  is  protected with a password, the
          password must be manually typed in when slapd  starts.   Usually
          the private key is not protected with a password, to allow slapd
          to start without manual  intervention,  so  it  is  of  critical
          importance that the file is protected carefully.

          When  using  Mozilla NSS, olcTLSCertificateKeyFile specifies the
          name of a file that contains the password for the  key  for  the
          certificate  specified  with olcTLSCertificateFile.  The modutil
          command can be used to turn  off  password  protection  for  the
          cert/key  database.   For  example,  if  olcTLSCACertificatePath
          specifes /etc/openldap/certdb as the location  of  the  cert/key
          database,  use  modutil  to  change  the  password  to the empty
          string:
               modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'
          You must have the old password,  if  any.   Ignore  the  WARNING
          about the running browser.  Press 'Enter' for the new password.

   olcTLSDHParamFile: <filename>
          This  directive  specifies the file that contains parameters for
          Diffie-Hellman ephemeral key  exchange.   This  is  required  in
          order  to  use a DSA certificate on the server. If multiple sets
          of parameters are present in the  file,  all  of  them  will  be
          processed.   Note  that  setting  this  option  may  also enable
          Anonymous Diffie-Hellman key exchanges  in  certain  non-default
          cipher  suites.   You should append "!ADH" to your cipher suites
          if  you  have  changed  them  from  the  default,  otherwise  no
          certificate  exchanges  or verification will be done. When using
          GnuTLS or Mozilla NSS  these  parameters  are  always  generated
          randomly so this directive is ignored.

   olcTLSProtocolMin: <major>[.<minor>]
          Specifies   minimum   SSL/TLS  protocol  version  that  will  be
          negotiated.   If  the  server  doesn't  support  at  least  that
          version,  the  SSL  handshake  will fail.  To require TLS 1.x or
          higher, set this option to 3.(x+1), e.g.,

               olcTLSProtocolMin: 3.2

          would require TLS 1.1.  Specifying a minimum that is higher than
          that  supported by the OpenLDAP implementation will result in it
          requiring  the  highest  level  that  it  does  support.    This
          directive is ignored with GnuTLS.

   olcTLSRandFile: <filename>
          Specifies   the   file   to   obtain   random   bits  from  when
          /dev/[u]random is not available.  Generally set to the  name  of
          the  EGD/PRNGD  socket.   The  environment variable RANDFILE can
          also be used to specify the filename.  This directive is ignored
          with GnuTLS and Mozilla NSS.

   olcTLSVerifyClient: <level>
          Specifies  what  checks  to perform on client certificates in an
          incoming TLS session, if any.  The <level> can be  specified  as
          one of the following keywords:

          never  This is the default.  slapd will not ask the client for a
                 certificate.

          allow  The client certificate is requested.  If  no  certificate
                 is  provided,  the  session  proceeds normally.  If a bad
                 certificate is provided,  it  will  be  ignored  and  the
                 session proceeds normally.

          try    The  client  certificate is requested.  If no certificate
                 is provided, the session proceeds  normally.   If  a  bad
                 certificate  is  provided,  the  session  is  immediately
                 terminated.

          demand | hard | true
                 These keywords  are  all  equivalent,  for  compatibility
                 reasons.   The  client  certificate  is requested.  If no
                 certificate  is  provided,  or  a  bad   certificate   is
                 provided, the session is immediately terminated.

                 Note that a valid client certificate is required in order
                 to use the SASL EXTERNAL authentication mechanism with  a
                 TLS  session.   As such, a non-default olcTLSVerifyClient
                 setting  must  be  chosen   to   enable   SASL   EXTERNAL
                 authentication.

   olcTLSCRLCheck: <level>
          Specifies  if  the  Certificate  Revocation List (CRL) of the CA
          should be used to verify if the  client  certificates  have  not
          been revoked. This requires olcTLSCACertificatePath parameter to
          be set. This parameter is ignored with GnuTLS and  Mozilla  NSS.
          <level> can be specified as one of the following keywords:

          none   No CRL checks are performed

          peer   Check the CRL of the peer certificate

          all    Check the CRL for a whole certificate chain

   olcTLSCRLFile: <filename>
          Specifies  a file containing a Certificate Revocation List to be
          used for verifying that certificates have not been revoked. This
          parameter is only valid when using GnuTLS or Mozilla NSS.

DYNAMIC MODULE OPTIONS

   If  slapd  is  compiled  with  --enable-modules then the module-related
   entries    will    be    available.    These    entries    are    named
   cn=module{x},cn=config and must have the olcModuleList objectClass. One
   entry should be created per olcModulePath.  Normally the config  engine
   generates  the  "{x}"  index  in  the  RDN  automatically, so it can be
   omitted when initially loading these entries.

   olcModuleLoad: <filename>
          Specify the name of a dynamically loadable module to  load.  The
          filename may be an absolute path name or a simple filename. Non-
          absolute names are searched for in the directories specified  by
          the olcModulePath option.

   olcModulePath: <pathspec>
          Specify  a  list  of directories to search for loadable modules.
          Typically the path is colon-separated but this  depends  on  the
          operating  system.  The default is /usr/lib/ldap, which is where
          the standard OpenLDAP install will place its modules.

SCHEMA OPTIONS

   Schema definitions are created as entries  in  the  cn=schema,cn=config
   subtree.  These  entries must have the olcSchemaConfig objectClass.  As
   noted above, the actual cn=schema,cn=config entry is predefined and any
   values specified for it are ignored.

   olcAttributetypes:     ( <oid>    [NAME <name>]    [DESC <description>]
          [OBSOLETE]   [SUP <oid>]    [EQUALITY <oid>]    [ORDERING <oid>]
          [SUBSTR <oid>]   [SYNTAX <oidlen>]  [SINGLE-VALUE]  [COLLECTIVE]
          [NO-USER-MODIFICATION] [USAGE <attributeUsage>] )
          Specify an attribute type using the LDAPv3 syntax defined in RFC
          4512.   The  slapd  parser  extends  the  RFC 4512 definition by
          allowing string forms as well as numeric OIDs to be used for the
          attribute    OID   and   attribute   syntax   OID.    (See   the
          olcObjectIdentifier description.)

   olcDitContentRules:    ( <oid>    [NAME <name>]    [DESC <description>]
          [OBSOLETE]      [AUX <oids>]      [MUST <oids>]     [MAY <oids>]
          [NOT <oids>] )
          Specify an DIT Content Rule using the LDAPv3 syntax  defined  in
          RFC  4512.   The slapd parser extends the RFC 4512 definition by
          allowing string forms as well as numeric OIDs to be used for the
          attribute    OID   and   attribute   syntax   OID.    (See   the
          olcObjectIdentifier description.)

   olcObjectClasses: ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE]
          [SUP <oids>]   [{   ABSTRACT   |   STRUCTURAL   |  AUXILIARY  }]
          [MUST <oids>] [MAY <oids>] )
          Specify an objectclass using the LDAPv3 syntax  defined  in  RFC
          4512.   The  slapd  parser  extends  the  RFC 4512 definition by
          allowing string forms as well as numeric OIDs to be used for the
          object  class  OID.   (See the olcObjectIdentifier description.)
          Object classes are "STRUCTURAL" by default.

   olcObjectIdentifier: <name> { <oid> | <name>[:<suffix>] }
          Define a string name that equates to the given OID.  The  string
          can  be  used  in  place  of  the numeric OID in objectclass and
          attribute definitions. The name can also be used with  a  suffix
          of the form ":xx" in which case the value "oid.xx" will be used.

GENERAL BACKEND OPTIONS

   Options  in  these  entries only apply to the configuration of a single
   type of backend. All backends may support this class  of  options,  but
   currently     none     do.      The     entry     must     be     named
   olcBackend=<databasetype>,cn=config and must have the  olcBackendConfig
   objectClass.  <databasetype> should be one of bdb, config, dnssrv, hdb,
   ldap, ldif, mdb, meta, monitor, ndb, null, passwd, perl, relay,  shell,
   or sql.  At present, no backend implements any options of this type, so
   this entry should not be used.

DATABASE OPTIONS

   Database      options      are      set      in      entries      named
   olcDatabase={x}<databasetype>,cn=config     and     must    have    the
   olcDatabaseConfig objectClass. Normally the config engine generates the
   "{x}"  index  in  the  RDN  automatically,  so  it  can be omitted when
   initially loading these entries.

   The special frontend database is always numbered "{-1}" and the  config
   database is always numbered "{0}".

GLOBAL DATABASE OPTIONS

   Options  in  this section may be set in the special "frontend" database
   and inherited in all the other databases. These options may be  altered
   by  further settings in each specific database. The frontend entry must
   be   named   olcDatabase=frontend,cn=config   and   must    have    the
   olcFrontendConfig objectClass.

   olcAccess: to <what> [ by <who> <access> <control> ]+
          Grant  access (specified by <access>) to a set of entries and/or
          attributes (specified by  <what>)  by  one  or  more  requestors
          (specified  by  <who>).   If no access controls are present, the
          default policy allows anyone and everyone to read  anything  but
          restricts  updates  to  rootdn.   (e.g.,  "olcAccess:  to * by *
          read").  See slapd.access(5) and the  "OpenLDAP  Administrator's
          Guide" for details.

          Access  controls  set in the frontend are appended to any access
          controls set  on  the  specific  databases.   The  rootdn  of  a
          database can always read and write EVERYTHING in that database.

          Extra special care must be taken with the access controls on the
          config database. Unlike other databases, the default policy  for
          the  config  database  is  to  only  allow access to the rootdn.
          Regular users should not have  read  access,  and  write  access
          should be granted very carefully to privileged administrators.

   olcDefaultSearchBase: <dn>
          Specify  a default search base to use when client submits a non-
          base search request with an empty base DN.  Base  scoped  search
          requests  with  an empty base DN are not affected.  This setting
          is only allowed in the frontend entry.

   olcExtraAttrs: <attr>
          Lists what attributes need  to  be  added  to  search  requests.
          Local  storage backends return the entire entry to the frontend.
          The  frontend  takes  care  of  only  returning  the   requested
          attributes  that  are  allowed  by ACLs.  However, features like
          access checking and so may need specific attributes that are not
          automatically  returned  by  remote storage backends, like proxy
          backends and so on.  <attr> is an attribute that is  needed  for
          internal  purposes  and  thus always needs to be collected, even
          when not explicitly requested by  clients.   This  attribute  is
          multi-valued.

   olcPasswordHash: <hash> [<hash>...]
          This  option  configures  one  or  more  hashes  to  be  used in
          generation  of  user  passwords  stored  in   the   userPassword
          attribute  during  processing  of  LDAP Password Modify Extended
          Operations (RFC 3062).  The <hash> must be one of {SSHA}, {SHA},
          {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}.  The default is {SSHA}.

          {SHA}  and  {SSHA}  use  the  SHA-1  algorithm (FIPS 160-1), the
          latter with a seed.

          {MD5} and {SMD5} use the MD5 algorithm (RFC  1321),  the  latter
          with a seed.

          {CRYPT} uses the crypt(3).

          {CLEARTEXT}  indicates  that the new password should be added to
          userPassword as clear text.

          Note  that  this  option  does  not  alter   the   normal   user
          applications  handling  of userPassword during LDAP Add, Modify,
          or other LDAP operations.  This setting is only allowed  in  the
          frontend entry.

   olcReadOnly: TRUE | FALSE
          This  option  puts  the  database  into  "read-only"  mode.  Any
          attempts to modify the database will  return  an  "unwilling  to
          perform"  error.   By  default,  olcReadOnly is FALSE. Note that
          when this option is set TRUE on the frontend, it cannot be reset
          without  restarting  the  server,  since  further  writes to the
          config database will be rejected.

   olcRequires: <conditions>
          Specify a set of conditions  to  require  (default  none).   The
          directive   may   be  specified  globally  and/or  per-database;
          databases   inherit   global   conditions,    so    per-database
          specifications are additive.  bind requires bind operation prior
          to directory operations.  LDAPv3 requires session  to  be  using
          LDAP   version   3.   authc  requires  authentication  prior  to
          directory operations.  SASL requires SASL  authentication  prior
          to  directory operations.  strong requires strong authentication
          prior  to  directory  operations.   The  strong  keyword  allows
          protected    "simple"    authentication    as   well   as   SASL
          authentication.  none may  be  used  to  require  no  conditions
          (useful to clear out globally set conditions within a particular
          database); it must occur first in the list of conditions.

   olcRestrict: <oplist>
          Specify a list of operations that are restricted.   Restrictions
          on   a   specific   database   override  any  frontend  setting.
          Operations  can  be  any  of   add,   bind,   compare,   delete,
          extended[=<OID>], modify, rename, search, or the special pseudo-
          operations read and write, which respectively summarize read and
          write  operations.   The  use of restrict write is equivalent to
          olcReadOnly: TRUE (see above).  The extended keyword  allows  to
          indicate the OID of the specific operation to be restricted.

   olcSchemaDN: <dn>
          Specify  the  distinguished name for the subschema subentry that
          controls  the  entries  on  this   server.    The   default   is
          "cn=Subschema".

   olcSecurity: <factors>
          Specify  a  set of security strength factors (separated by white
          space) to require (see olcSaslSecprops's  minssf  option  for  a
          description of security strength factors).  The directive may be
          specified globally and/or per-database.  ssf=<n>  specifies  the
          overall  security  strength factor.  transport=<n> specifies the
          transport security strength factor.  tls=<n> specifies  the  TLS
          security  strength factor.  sasl=<n> specifies the SASL security
          strength factor.  update_ssf=<n> specifies the overall  security
          strength    factor    to    require   for   directory   updates.
          update_transport=<n> specifies the transport  security  strength
          factor   to   require  for  directory  updates.   update_tls=<n>
          specifies the  TLS  security  strength  factor  to  require  for
          directory  updates.  update_sasl=<n> specifies the SASL security
          strength   factor   to   require    for    directory    updates.
          simple_bind=<n>  specifies the security strength factor required
          for simple  username/password  authentication.   Note  that  the
          transport   factor  is  measure  of  security  provided  by  the
          underlying transport, e.g. ldapi:// (and eventually IPSEC).   It
          is not normally used.

   olcSizeLimit: {<integer>|unlimited}

   olcSizeLimit: size[.{soft|hard|unchecked}]=<integer> [...]
          Specify  the  maximum  number of entries to return from a search
          operation.  The default size limit is  500.   Use  unlimited  to
          specify  no  limits.   The  second  format  allows  a fine grain
          setting of the size limits.  Extra args can be added in the same
          value or as additional values.  See olcLimits for an explanation
          of the different flags.

   olcSortVals: <attr> [...]
          Specify a list of  multi-valued  attributes  whose  values  will
          always  be  maintained  in  sorted order. Using this option will
          allow  Modify,  Compare,  and  filter   evaluations   on   these
          attributes  to be performed more efficiently. The resulting sort
          order depends on the attributes' syntax and matching  rules  and
          may  not  correspond  to lexical order or any other recognizable
          order.  This setting is only allowed in the frontend entry.

   olcTimeLimit: {<integer>|unlimited}

   olcTimeLimit: time[.{soft|hard}]=<integer> [...]
          Specify the maximum number of seconds (in real time) slapd  will
          spend  answering  a  search  request.  The default time limit is
          3600.  Use unlimited to specify no limits.   The  second  format
          allows  a fine grain setting of the time limits.  Extra args can
          be added in  the  same  value  or  as  additional  values.   See
          olcLimits for an explanation of the different flags.

GENERAL DATABASE OPTIONS

   Options  in  this section only apply to the specific database for which
   they are defined.  They are supported by every type of backend. All  of
   the Global Database Options may also be used here.

   olcAddContentAcl: TRUE | FALSE
          Controls  whether  Add operations will perform ACL checks on the
          content of the entry being added. This check is off by  default.
          See  the  slapd.access(5)  manual  page  for more details on ACL
          requirements for Add operations.

   olcHidden: TRUE | FALSE
          Controls whether the database will be used to answer queries.  A
          database  that  is  hidden  will never be selected to answer any
          queries, and any suffix  configured  on  the  database  will  be
          ignored  in  checks  for  conflicts  with  other  databases.  By
          default, olcHidden is FALSE.

   olcLastMod: TRUE | FALSE
          Controls  whether  slapd   will   automatically   maintain   the
          modifiersName,      modifyTimestamp,      creatorsName,      and
          createTimestamp attributes for entries.  It  also  controls  the
          entryCSN  and  entryUUID  attributes,  which  are  needed by the
          syncrepl provider. By default, olcLastMod is TRUE.

   olcLimits: <selector> <limit> [<limit> [...]]
          Specify time and size limits based on the operation's  initiator
          or base DN.  The argument <selector> can be any of

                 anonymous    |    users    |    [<dnspec>=]<pattern>    |
                 group[/oc[/at]]=<pattern>

          with

                 <dnspec> ::= dn[.<type>][.<style>]

                 <type>  ::= self | this

                 <style> ::= exact | base | onelevel | subtree |  children
                 | regex | anonymous

          DN type self is the default and means the bound user, while this
          means the base DN of the operation.  The term anonymous  matches
          all   unauthenticated  clients.   The  term  users  matches  all
          authenticated clients; otherwise an exact dn pattern is  assumed
          unless  otherwise  specified  by  qualifying  the (optional) key
          string dn with exact or base (which are synonyms), to require an
          exact  match;  with  onelevel,  to  require exactly one level of
          depth match; with subtree, to allow any level  of  depth  match,
          including  the exact match; with children, to allow any level of
          depth match, not including the  exact  match;  regex  explicitly
          requires  the  (default)  match  based  on  POSIX (''extended'')
          regular expression pattern.  Finally, anonymous matches  unbound
          operations;  the pattern field is ignored.  The same behavior is
          obtained by using the anonymous form of the  <selector>  clause.
          The   term   group,   with   the  optional  objectClass  oc  and
          attributeType at fields, followed by pattern,  sets  the  limits
          for  any  DN  listed  in the values of the at attribute (default
          member) of the oc group objectClass (default groupOfNames) whose
          DN exactly matches pattern.

          The currently supported limits are size and time.

          The  syntax  for  time  limits  is time[.{soft|hard}]=<integer>,
          where  integer  is  the  number  of  seconds  slapd  will  spend
          answering  a  search  request.   If  no time limit is explicitly
          requested by  the  client,  the  soft  limit  is  used;  if  the
          requested  time  limit  exceeds the hard limit, the value of the
          limit is used instead.  If the hard limit is set to the  keyword
          soft, the soft limit is used in either case; if it is set to the
          keyword unlimited, no hard limit is enforced.  Explicit requests
          for  time limits smaller or equal to the hard limit are honored.
          If no limit specifier is set, the value is assigned to the  soft
          limit,  and  the  hard  limit  is  set  to soft, to preserve the
          original behavior.

          The        syntax        for        size        limits        is
          size[.{soft|hard|unchecked}]=<integer>,  where  integer  is  the
          maximum number of entries slapd will return answering  a  search
          request.   If  no  size  limit  is  explicitly  requested by the
          client, the soft limit is used;  if  the  requested  size  limit
          exceeds  the hard limit, the value of the limit is used instead.
          If the hard limit is set to the keyword soft, the soft limit  is
          used  in  either case; if it is set to the keyword unlimited, no
          hard limit is  enforced.   Explicit  requests  for  size  limits
          smaller  or  equal to the hard limit are honored.  The unchecked
          specifier sets a limit on the  number  of  candidates  a  search
          request  is allowed to examine.  The rationale behind it is that
          searches for non-properly indexed attributes may result in large
          sets  of  candidates,  which  must  be  examined  by slapd(8) to
          determine whether they match the  search  filter  or  not.   The
          unchecked  limit provides a means to drop such operations before
          they are even started.  If the selected  candidates  exceed  the
          unchecked  limit,  the  search  will  abort  with  Unwilling  to
          perform.  If it is set to the keyword  unlimited,  no  limit  is
          applied  (the  default).  If it is set to disable, the search is
          not even performed; this can be used to disallow searches for  a
          specific  set of users.  If no limit specifier is set, the value
          is assigned to the soft limit, and the  hard  limit  is  set  to
          soft, to preserve the original behavior.

          In  case  of  no match, the global limits are used.  The default
          values are the same as for  olcSizeLimit  and  olcTimeLimit;  no
          limit is set on unchecked.

          If  pagedResults  control  is  requested, the hard size limit is
          used by default, because the request of a specific page size  is
          considered an explicit request for a limitation on the number of
          entries to be returned.  However, the size limit applies to  the
          total  count of entries returned within the search, and not to a
          single page.  Additional size limits may be enforced; the syntax
          is  size.pr={<integer>|noEstimate|unlimited},  where  integer is
          the max page size if no  explicit  limit  is  set;  the  keyword
          noEstimate inhibits the server from returning an estimate of the
          total number of  entries  that  might  be  returned  (note:  the
          current  implementation  does  not  return  any  estimate).  The
          keyword unlimited indicates that no  limit  is  applied  to  the
          pagedResults      control     page     size.      The     syntax
          size.prtotal={<integer>|unlimited|disabled}  allows  to  set   a
          limit on the total number of entries that a pagedResults control
          allows to return.  By default it is set to the hard limit.  When
          set,  integer is the max number of entries that the whole search
          with pagedResults control can return.  Use  unlimited  to  allow
          unlimited  number  of  entries to be returned, e.g. to allow the
          use of the pagedResults control as a means  to  circumvent  size
          limitations  on  regular searches; the keyword disabled disables
          the control, i.e. no paged results can be returned.   Note  that
          the  total  number  of  entries  returned  when the pagedResults
          control is requested  cannot  exceed  the  hard  size  limit  of
          regular searches unless extended by the prtotal switch.

   olcMaxDerefDepth: <depth>
          Specifies  the  maximum  number  of  aliases to dereference when
          trying to resolve an entry, used to avoid infinite alias  loops.
          The default is 15.

   olcMirrorMode: TRUE | FALSE
          This  option puts a replica database into "mirror" mode.  Update
          operations  will  be  accepted  from  any  user,  not  just  the
          updatedn.   The  database must already be configured as syncrepl
          consumer before  this  keyword  may  be  set.   This  mode  also
          requires  a  olcServerID  (see  above)  to  be  configured.   By
          default, this setting is FALSE.

   olcPlugin: <plugin_type> <lib_path> <init_function> [<arguments>]
          Configure a SLAPI plugin. See the  slapd.plugin(5)  manpage  for
          more details.

   olcRootDN: <dn>
          Specify  the  distinguished  name  that is not subject to access
          control or administrative limit restrictions for  operations  on
          this  database.   This  DN  may or may not be associated with an
          entry.  An empty root DN (the default) specifies no root  access
          is  to  be  granted.   It is recommended that the rootdn only be
          specified when needed  (such  as  when  initially  populating  a
          database).   If the rootdn is within a namingContext (suffix) of
          the database, a simple bind password may also be provided  using
          the  olcRootPW  directive. Note that the rootdn is always needed
          when using syncrepl.  The olcRootDN of  the  cn=config  database
          defaults to cn=config itself.

   olcRootPW: <password>
          Specify  a  password  (or  hash of the password) for the rootdn.
          The password can only  be  set  if  the  rootdn  is  within  the
          namingContext (suffix) of the database.  This option accepts all
          RFC  2307  userPassword  formats  known  to  the   server   (see
          olcPasswordHash    description)    as    well    as   cleartext.
          slappasswd(8) may be used to generate  a  hash  of  a  password.
          Cleartext  and  {CRYPT} passwords are not recommended.  If empty
          (the default), authentication of the root DN is by  other  means
          (e.g. SASL).  Use of SASL is encouraged.

   olcSubordinate: [TRUE | FALSE | advertise]
          Specify  that  the  current backend database is a subordinate of
          another backend database. A subordinate  database may have  only
          one  suffix.  This option may be used to glue multiple databases
          into a single namingContext.   If  the  suffix  of  the  current
          database  is  within  the  namingContext of a superior database,
          searches against the superior database will be propagated to the
          subordinate  as  well.  All  of  the databases associated with a
          single namingContext should have identical rootdns.  Behavior of
          other   LDAP  operations  is  unaffected  by  this  setting.  In
          particular, it is not possible to use moddn  to  move  an  entry
          from   one   subordinate   to  another  subordinate  within  the
          namingContext.

          If the optional advertise flag is supplied, the  naming  context
          of  this  database is advertised in the root DSE. The default is
          to hide this database context, so that only the superior context
          is visible.

          If  the  slap  tools slapcat(8), slapadd(8), or slapindex(8) are
          used on the  superior  database,  any  glued  subordinates  that
          support these tools are opened as well.

          Databases  that  are glued together should usually be configured
          with the same indices (assuming they support indexing), even for
          attributes  that  only  exist  in  some  of  these databases. In
          general, all of the glued  databases  should  be  configured  as
          similarly  as  possible,  since  the  intent  is  to provide the
          appearance of a single directory.

          Note  that  the   subordinate   functionality   is   implemented
          internally  by  the  glue  overlay and as such its behavior will
          interact with other  overlays  in  use.  By  default,  the  glue
          overlay  is  automatically configured as the last overlay on the
          superior  database.  Its  position  on  the  database   can   be
          explicitly  configured  by  setting an overlay glue directive at
          the desired position. This explicit configuration  is  necessary
          e.g.   when  using  the  syncprov overlay, which needs to follow
          glue in order to work over all of the glued databases. E.g.
               dn: olcDatabase={1}bdb,cn=config
               olcSuffix: dc=example,dc=com
               ...

               dn: olcOverlay={0}glue,olcDatabase={1}bdb,cn=config
               ...

               dn: olcOverlay={1}syncprov,olcDatabase={1}bdb,cn=config
               ...
   See the Overlays section below for more details.

   olcSuffix: <dn suffix>
          Specify the DN suffix of queries that will  be  passed  to  this
          backend  database.   Multiple  suffix  lines can be given and at
          least one is required for each database definition.

          If the suffix of one database is "inside" that of  another,  the
          database   with   the  inner  suffix  must  come  first  in  the
          configuration file.  You may also want to  glue  such  databases
          together with the olcSubordinate attribute.

   olcSyncUseSubentry: TRUE | FALSE
          Store  the  syncrepl  contextCSN  in  a  subentry instead of the
          context entry of  the  database.  The  subentry's  RDN  will  be
          "cn=ldapsync".  The  default is FALSE, meaning the contextCSN is
          stored in the context entry.

   olcSyncrepl:  rid=<replica   ID>   provider=ldap[s]://<hostname>[:port]
          searchbase=<base     DN>    [type=refreshOnly|refreshAndPersist]
          [interval=dd:hh:mm:ss]   [retry=[<retry    interval>    <#    of
          retries>]+]  [filter=<filter  str>]  [scope=sub|one|base|subord]
          [attrs=<attr   list>]    [exattrs=<attr    list>]    [attrsonly]
          [sizelimit=<limit>]  [timelimit=<limit>] [schemachecking=on|off]
          [network-timeout=<seconds>]                  [timeout=<seconds>]
          [bindmethod=simple|sasl]     [binddn=<dn>]     [saslmech=<mech>]
          [authcid=<identity>] [authzid=<identity>] [credentials=<passwd>]
          [realm=<realm>]                          [secprops=<properties>]
          [keepalive=<idle>:<probes>:<interval>]   [starttls=yes|critical]
          [tls_cert=<file>]      [tls_key=<file>]      [tls_cacert=<file>]
          [tls_cacertdir=<path>]      [tls_reqcert=never|allow|try|demand]
          [tls_cipher_suite=<ciphers>]        [tls_crlcheck=none|peer|all]
          [tls_protocol_min=<major>[.<minor>]]  [suffixmassage=<real  DN>]
          [logbase=<base        DN>]        [logfilter=<filter       str>]
          [syncdata=default|accesslog|changelog]
          Specify the current database as a replica which is  kept  up-to-
          date  with  the  master  content  by  establishing  the  current
          slapd(8) as a  replication  consumer  site  running  a  syncrepl
          replication engine.  The replica content is kept synchronized to
          the  master  content  using  the  LDAP  Content  Synchronization
          protocol.  Refer  to  the  "OpenLDAP  Administrator's Guide" for
          detailed information on setting up a replicated slapd  directory
          service using the syncrepl replication engine.

          rid   identifies  the  current  syncrepl  directive  within  the
          replication consumer site.  It is a non-negative integer  having
          no more than three decimal digits.

          provider  specifies the replication provider site containing the
          master content as an LDAP URI.  If  <port>  is  not  given,  the
          standard LDAP port number (389 or 636) is used.

          The  content  of  the syncrepl replica is defined using a search
          specification as its result set. The consumer  slapd  will  send
          search  requests  to  the provider slapd according to the search
          specification. The  search  specification  includes  searchbase,
          scope,   filter,  attrs,  attrsonly,  sizelimit,  and  timelimit
          parameters as in the normal search  specification.  The  exattrs
          option  may  also  be  used to specify attributes that should be
          omitted from incoming entries.  The scope defaults to  sub,  the
          filter  defaults  to  (objectclass=*),  and  there is no default
          searchbase. The attrs list defaults to "*,+" to return all  user
          and  operational attributes, and attrsonly and exattrs are unset
          by default.  The sizelimit and timelimit only accept "unlimited"
          and  positive  integers, and both default to "unlimited".  Note,
          however, that  any  provider-side  limits  for  the  replication
          identity  will  be  enforced  by  the provider regardless of the
          limits requested by the LDAP Content Synchronization  operation,
          much like for any other search operation.

          The  LDAP  Content  Synchronization  protocol  has two operation
          types.  In the refreshOnly operation, the  next  synchronization
          search operation is periodically rescheduled at an interval time
          (specified by interval parameter; 1 day by default)  after  each
          synchronization  operation  finishes.   In the refreshAndPersist
          operation, a synchronization search remains  persistent  in  the
          provider  slapd.   Further  updates  to  the master replica will
          generate searchResultEntry to the consumer slapd as  the  search
          responses to the persistent synchronization search.

          If an error occurs during replication, the consumer will attempt
          to reconnect according to the retry parameter which is a list of
          the  <retry  interval>  and  <# of retries> pairs.  For example,
          retry="60 10 300 3" lets the consumer retry every 60 seconds for
          the first 10 times and then retry every 300 seconds for the next
          3 times before stop retrying. The `+' in <#  of  retries>  means
          indefinite number of retries until success.

          The  schema  checking  can be enforced at the LDAP Sync consumer
          site by turning on the schemachecking parameter. The default  is
          off.

          The  network-timeout  parameter  sets how long the consumer will
          wait to establish a network connection to the provider.  Once  a
          connection  is established, the timeout parameter determines how
          long the consumer will wait for  the  initial  Bind  request  to
          complete.   The   defaults   for   these  parameters  come  from
          ldap.conf(5).

          A  bindmethod  of  simple  requires  the  options   binddn   and
          credentials  and  should  only  be  used  when adequate security
          services (e.g. TLS or IPSEC) are in place.  A bindmethod of sasl
          requires  the  option  saslmech.  Depending on the mechanism, an
          authentication identity  and/or  credentials  can  be  specified
          using  authcid  and  credentials.   The authzid parameter may be
          used to specify an authorization  identity.   Specific  security
          properties  (as with the sasl-secprops keyword above) for a SASL
          bind can be set with the secprops option.  A  non  default  SASL
          realm  can  be  set  with the realm option.  The provider, other
          than allow authentication of the syncrepl identity, should grant
          that  identity appropriate access privileges to the data that is
          being replicated (access directive), and  appropriate  time  and
          size limits (limits directive).

          The  keepalive  parameter  sets  the values of idle, probes, and
          interval used to check whether a socket is alive;  idle  is  the
          number  of  seconds a connection needs to remain idle before TCP
          starts sending keepalive probes; probes is the maximum number of
          keepalive probes TCP should send before dropping the connection;
          interval is interval in  seconds  between  individual  keepalive
          probes.   Only  some  systems support the customization of these
          values;  the  keepalive  parameter  is  ignored  otherwise,  and
          system-wide settings are used.

          The  starttls  parameter  specifies use of the StartTLS extended
          operation to establish a  TLS  session  before  Binding  to  the
          provider. If the critical argument is supplied, the session will
          be aborted if the StartTLS request fails. Otherwise the syncrepl
          session  continues without TLS. The tls_reqcert setting defaults
          to "demand" and the other TLS settings default to  the  same  as
          the main slapd TLS settings.

          The  suffixmassage parameter allows the consumer to pull entries
          from a remote directory whose DN suffix differs from  the  local
          directory.  The  portion of the remote entries' DNs that matches
          the searchbase will be replaced with the suffixmassage DN.

          Rather than replicating whole entries, the  consumer  can  query
          logs  of  data modifications. This mode of operation is referred
          to as delta syncrepl. In addition to the above  parameters,  the
          logbase  and  logfilter parameters must be set appropriately for
          the log that will be used. The syncdata parameter must be set to
          either "accesslog" if the log conforms to the slapo-accesslog(5)
          log format, or "changelog" if the log conforms to  the  obsolete
          changelog format. If the syncdata parameter is omitted or set to
          "default" then the log parameters are ignored.

   olcUpdateDN: <dn>
          This  option  is  only  applicable  in  a  slave  database.   It
          specifies   the  DN  permitted  to  update  (subject  to  access
          controls) the replica.  It is only needed in  certain  push-mode
          replication  scenarios.   Generally,  this  DN should not be the
          same as the rootdn used at the master.

   olcUpdateRef: <url>
          Specify the referral to pass back  when  slapd(8)  is  asked  to
          modify  a  replicated  local  database.   If multiple values are
          specified, each url is provided.

DATABASE-SPECIFIC OPTIONS

   Each database  may  allow  specific  configuration  options;  they  are
   documented   separately   in   the  backends'  manual  pages.  See  the
   slapd.backends(5) manual page for an overview of available backends.

OVERLAYS

   An overlay is a piece of code that intercepts  database  operations  in
   order  to  extend or change them. Overlays are pushed onto a stack over
   the database, and so they will execute in the reverse of the  order  in
   which they were configured and the database itself will receive control
   last of all.

   Overlays must be configured as child entries of  a  specific  database.
   The entry's RDN must be of the form olcOverlay={x}<overlaytype> and the
   entry must have the olcOverlayConfig objectClass. Normally  the  config
   engine generates the "{x}" index in the RDN automatically, so it can be
   omitted when initially loading these entries.

   See the slapd.overlays(5) manual page  for  an  overview  of  available
   overlays.

EXAMPLES

   Here  is  a  short  example of a configuration in LDIF suitable for use
   with slapadd(8) :

          dn: cn=config
          objectClass: olcGlobal
          cn: config
          olcPidFile: /var/run/slapd.pid

          olcAttributeOptions: x-hidden lang-
          dn: cn=schema,cn=config
          objectClass: olcSchemaConfig
          cn: schema

          include: file:///etc/ldap/schema/core.ldif

          dn: olcDatabase=frontend,cn=config
          objectClass: olcDatabaseConfig
          objectClass: olcFrontendConfig
          olcDatabase: frontend
          # Subtypes of "name" (e.g. "cn" and "ou") with the
          # option ";x-hidden" can be searched for/compared,
          # but are not shown.  See slapd.access(5).
          olcAccess: to attrs=name;x-hidden by * =cs
          # Protect passwords.  See slapd.access(5).
          olcAccess: to attrs=userPassword  by * auth
          # Read access to other attributes and entries.
          olcAccess: to * by * read

          # set a rootpw for the config database so we can bind.
          # deny access to everyone else.
          dn: olcDatabase=config,cn=config
          objectClass: olcDatabaseConfig
          olcDatabase: config
          olcRootPW: {SSHA}XKYnrjvGT3wZFQrDD5040US592LxsdLy
          olcAccess: to * by * none

          dn: olcDatabase=bdb,cn=config
          objectClass: olcDatabaseConfig
          objectClass: olcBdbConfig
          olcDatabase: bdb
          olcSuffix: "dc=our-domain,dc=com"
          # The database directory MUST exist prior to
          # running slapd AND should only be accessible
          # by the slapd/tools. Mode 0700 recommended.
          olcDbDirectory: /var/lib/ldap
          # Indices to maintain
          olcDbIndex:     objectClass  eq
          olcDbIndex:     cn,sn,mail   pres,eq,approx,sub

          # We serve small clients that do not handle referrals,
          # so handle remote lookups on their behalf.
          dn: olcDatabase=ldap,cn=config
          objectClass: olcDatabaseConfig
          objectClass: olcLdapConfig
          olcDatabase: ldap
          olcSuffix: ""
          olcDbUri: ldap://ldap.some-server.com/

   Assuming the above data was saved in a file named "config.ldif" and the
   /etc/ldap/slapd.d   directory  has  been  created,  this  command  will
   initialize the configuration:
          slapadd -F /etc/ldap/slapd.d -n 0 -l config.ldif

   "OpenLDAP Administrator's Guide" contains a longer annotated example of
   a slapd configuration.

   Alternatively,  an existing slapd.conf file can be converted to the new
   format using slapd or any of the slap tools:
          slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d

FILES

   /etc/ldap/slapd.conf
          default slapd configuration file

   /etc/ldap/slapd.d
          default slapd configuration directory

SEE ALSO

   ldap(3), ldif(5),  gnutls-cli(1),  slapd.access(5),  slapd.backends(5),
   slapd.conf(5),     slapd.overlays(5),     slapd.plugin(5),    slapd(8),
   slapacl(8),    slapadd(8),    slapauth(8),    slapcat(8),    slapdn(8),
   slapindex(8), slappasswd(8), slaptest(8).

   "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

ACKNOWLEDGEMENTS

   OpenLDAP  Software  is developed and maintained by The OpenLDAP Project
   <http://www.openldap.org/>.   OpenLDAP   Software   is   derived   from
   University of Michigan LDAP 3.3 Release.





Opportunity


Personal Opportunity - Free software gives you access to billions of dollars of software at no cost. Use this software for your business, personal use or to develop a profitable skill. Access to source code provides access to a level of capabilities/information that companies protect though copyrights. Open source is a core component of the Internet and it is available to you. Leverage the billions of dollars in resources and capabilities to build a career, establish a business or change the world. The potential is endless for those who understand the opportunity.

Business Opportunity - Goldman Sachs, IBM and countless large corporations are leveraging open source to reduce costs, develop products and increase their bottom lines. Learn what these companies know about open source and how open source can give you the advantage.





Free Software


Free Software provides computer programs and capabilities at no cost but more importantly, it provides the freedom to run, edit, contribute to, and share the software. The importance of free software is a matter of access, not price. Software at no cost is a benefit but ownership rights to the software and source code is far more significant.


Free Office Software - The Libre Office suite provides top desktop productivity tools for free. This includes, a word processor, spreadsheet, presentation engine, drawing and flowcharting, database and math applications. Libre Office is available for Linux or Windows.





Free Books


The Free Books Library is a collection of thousands of the most popular public domain books in an online readable format. The collection includes great classical literature and more recent works where the U.S. copyright has expired. These books are yours to read and use without restrictions.


Source Code - Want to change a program or know how it works? Open Source provides the source code for its programs so that anyone can use, modify or learn how to write those programs themselves. Visit the GNU source code repositories to download the source.





Education


Study at Harvard, Stanford or MIT - Open edX provides free online courses from Harvard, MIT, Columbia, UC Berkeley and other top Universities. Hundreds of courses for almost all major subjects and course levels. Open edx also offers some paid courses and selected certifications.


Linux Manual Pages - A man or manual page is a form of software documentation found on Linux/Unix operating systems. Topics covered include computer programs (including library and system calls), formal standards and conventions, and even abstract concepts.