slapd.conf(5)


NAME

   slapd.conf - configuration file for slapd, the stand-alone LDAP daemon

SYNOPSIS

   /etc/ldap/slapd.conf

DESCRIPTION

   The  file  /etc/ldap/slapd.conf  contains configuration information for
   the slapd(8) daemon.  This configuration file is also used by the SLAPD
   tools   slapacl(8),  slapadd(8),  slapauth(8),  slapcat(8),  slapdn(8),
   slapindex(8), and slaptest(8).

   The slapd.conf file  consists  of  a  series  of  global  configuration
   options  that  apply  to  slapd  as  a  whole (including all backends),
   followed by zero or more  database  backend  definitions  that  contain
   information  specific to a backend instance.  The configuration options
   are case-insensitive; their value, on a case  by  case  basis,  may  be
   case-sensitive.

   The general format of slapd.conf is as follows:

       # comment - these options apply to every database
       <global configuration options>
       # first database definition & configuration options
       database <backend 1 type>
       <configuration options specific to backend 1>
       # subsequent database definitions & configuration options
       ...

   As  many  backend-specific sections as desired may be included.  Global
   options can be overridden in a backend (for options  that  appear  more
   than once, the last appearance in the slapd.conf file is used).

   If  a  line begins with white space, it is considered a continuation of
   the previous line.  No physical line should be over 2000 bytes long.

   Blank lines and comment  lines  beginning  with  a  `#'  character  are
   ignored.    Note:  continuation  lines  are  unwrapped  before  comment
   processing is applied.

   Arguments on configuration lines are separated by white  space.  If  an
   argument  contains  white  space,  the  argument  should be enclosed in
   double quotes.  If an argument contains  a  double  quote  (`"')  or  a
   backslash  character  (`\'),  the  character  should  be  preceded by a
   backslash character.

   The specific configuration options available are discussed below in the
   Global  Configuration  Options,  General  Backend  Options, and General
   Database  Options.   Backend-specific  options  are  discussed  in  the
   slapd-<backend>(5)    manual    pages.     Refer   to   the   "OpenLDAP
   Administrator's Guide" for more  details  on  the  slapd  configuration
   file.

GLOBAL CONFIGURATION OPTIONS

   Options  described  in  this  section  apply  to  all  backends, unless
   specifically overridden in a backend definition. Arguments that  should
   be replaced by actual text are shown in brackets <>.

   access to <what> [ by <who> <access> <control> ]+
          Grant  access (specified by <access>) to a set of entries and/or
          attributes (specified by  <what>)  by  one  or  more  requestors
          (specified  by  <who>).   If no access controls are present, the
          default policy allows anyone and everyone to read  anything  but
          restricts  updates  to rootdn.  (e.g., "access to * by * read").
          The  rootdn  can  always  read  and   write   EVERYTHING!    See
          slapd.access(5)  and  the "OpenLDAP's Administrator's Guide" for
          details.

   allow <features>
          Specify a set of features (separated by white  space)  to  allow
          (default  none).   bind_v2  allows  acceptance  of  LDAPv2  bind
          requests.  Note that slapd(8) does not  truly  implement  LDAPv2
          (RFC  1777),  now  Historic  (RFC  3494).  bind_anon_cred allows
          anonymous bind when credentials are not empty (e.g.  when DN  is
          empty).   bind_anon_dn  allows  unauthenticated (anonymous) bind
          when  DN  is  not  empty.   update_anon  allows  unauthenticated
          (anonymous) update operations to be processed (subject to access
          controls and  other  administrative  limits).   proxy_authz_anon
          allows  unauthenticated  (anonymous) proxy authorization control
          to be processed (subject to access controls,  authorization  and
          other administrative limits).

   argsfile <filename>
          The  (absolute) name of a file that will hold the slapd server's
          command line (program name and options).

   attributeoptions [option-name]...
          Define tagging attribute options or option  tag/range  prefixes.
          Options  must not end with `-', prefixes must end with `-'.  The
          `lang-' prefix is predefined.  If you use  the  attributeoptions
          directive,  `lang-'  will  no  longer  be  defined  and you must
          specify it explicitly if you want it defined.

          An attribute description with a tagging option is a  subtype  of
          that attribute description without the option.  Except for that,
          options defined this way have no  special  semantics.   Prefixes
          defined  this  way  work like the `lang-' options: They define a
          prefix for tagging options starting with the prefix.   That  is,
          if  you  define  the  prefix  `x-foo-',  you  can use the option
          `x-foo-bar'.  Furthermore, in a search or compare, a  prefix  or
          range  name  (with  a trailing `-') matches all options starting
          with that name, as well as the option with the range  name  sans
          the trailing `-'.  That is, `x-foo-bar-' matches `x-foo-bar' and
          `x-foo-bar-baz'.

          RFC 4520  reserves  options  beginning  with  `x-'  for  private
          experiments.   Other options should be registered with IANA, see
          RFC 4520 section 3.5.  OpenLDAP also  has  the  `binary'  option
          built in, but this is a transfer option, not a tagging option.

   attributetype  ( <oid>  [NAME <name>]  [DESC <description>]  [OBSOLETE]
          [SUP <oid>]  [EQUALITY <oid>]  [ORDERING <oid>]   [SUBSTR <oid>]
          [SYNTAX <oidlen>]           [SINGLE-VALUE]          [COLLECTIVE]
          [NO-USER-MODIFICATION] [USAGE <attributeUsage>] )
          Specify an attribute type using the LDAPv3 syntax defined in RFC
          4512.   The  slapd  parser  extends  the  RFC 4512 definition by
          allowing string forms as well as numeric OIDs to be used for the
          attribute    OID   and   attribute   syntax   OID.    (See   the
          objectidentifier description.)

   authid-rewrite<cmd> <args>
          Used by the authentication  framework  to  convert  simple  user
          names  to  an  LDAP  DN  used  for  authorization purposes.  Its
          purpose is analogous to that of authz-regexp (see  below).   The
          prefix  authid- is followed by a set of rules analogous to those
          described in slapo-rwm(5) for data rewriting (replace  the  rwm-
          prefix  with  authid-).   authid-rewrite<cmd>  and  authz-regexp
          rules should not be intermixed.

   authz-policy <policy>
          Used to specify which rules  to  use  for  Proxy  Authorization.
          Proxy  authorization  allows  a  client  to  authenticate to the
          server using one user's credentials,  but  specify  a  different
          identity  to  use for authorization and access control purposes.
          It essentially allows user A to login as user B, using user  A's
          password.   The  none flag disables proxy authorization. This is
          the default setting.  The  from  flag  will  use  rules  in  the
          authzFrom  attribute  of the authorization DN.  The to flag will
          use rules in the authzTo attribute  of  the  authentication  DN.
          The  any  flag,  an alias for the deprecated value of both, will
          allow any of the above, whatever succeeds first (checked in  to,
          from  sequence.   The  all  flag requires both authorizations to
          succeed.

          The rules are mechanisms to specify which identities are allowed
          to  perform  proxy authorization.  The authzFrom attribute in an
          entry specifies which other users are allowed to proxy login  to
          this  entry.  The  authzTo attribute in an entry specifies which
          other users this user can authorize as.  Use  of  authzTo  rules
          can  be  easily  abused  if users are allowed to write arbitrary
          values to this attribute.  In general the authzTo attribute must
          be  protected  with  ACLs  such  that  only privileged users can
          modify it.  The value of  authzFrom  and  authzTo  describes  an
          identity or a set of identities; it can take five forms:

                 ldap:///<base>??[<scope>]?<filter>
                 dn[.<dnstyle>]:<pattern>
                 u[.<mech>[/<realm>]]:<pattern>
                 group[/objectClass[/attributeType]]:<pattern>
                 <pattern>

                 <dnstyle>:={exact|onelevel|children|subtree|regex}

          The  first form is a valid LDAP URI where the <host>:<port>, the
          <attrs> and the <extensions> portions must be  absent,  so  that
          the  search  occurs locally on either authzFrom or authzTo.  The
          second form is a DN, with the optional  style  modifiers  exact,
          onelevel,  children,  and  subtree for exact, onelevel, children
          and subtree matches, which  cause  <pattern>  to  be  normalized
          according  to  the  DN normalization rules, or the special regex
          style, which causes the <pattern>  to  be  treated  as  a  POSIX
          (''extended'')  regular  expression,  as  discussed  in regex(7)
          and/or re_format(7).  A pattern of * means any non-anonymous DN.
          The third form is a SASL id, with the optional fields <mech> and
          <realm> that allow to specify a SASL mechanism, and eventually a
          SASL  realm, for those mechanisms that support one.  The need to
          allow the specification of a mechanism  is  still  debated,  and
          users are strongly discouraged to rely on this possibility.  The
          fourth form is a group specification, consisting of the  keyword
          group,  optionally  followed  by  the specification of the group
          objectClass  and  member  attributeType.   The  group  with   DN
          <pattern> is searched with base scope, and in case of match, the
          values of the member attributeType are searched for the asserted
          DN.   For  backwards  compatibility,  if  no  identity  type  is
          provided, i.e.  only  <pattern>  is  present,  an  exact  DN  is
          assumed;   as  a  consequence,  <pattern>  is  subjected  to  DN
          normalization.   Since  the  interpretation  of  authzFrom   and
          authzTo  can  impact  security, users are strongly encouraged to
          explicitly set the type of identity specification that is  being
          used.   A  subset of these rules can be used as third arg in the
          authz-regexp statement  (see  below);  significantly,  the  URI,
          provided  it results in exactly one entry, and the dn.exact:<dn>
          forms.

   authz-regexp <match> <replace>
          Used by the authentication  framework  to  convert  simple  user
          names,  such  as  provided  by SASL subsystem, or extracted from
          certificates in case of cert-based SASL  EXTERNAL,  or  provided
          within  the RFC 4370 "proxied authorization" control, to an LDAP
          DN used for authorization purposes.  Note that the resulting  DN
          need  not  refer  to  an  existing entry to be considered valid.
          When  an  authorization  request  is  received  from  the   SASL
          subsystem,  the  SASL  USERNAME, REALM, and MECHANISM are taken,
          when available, and combined into a name of the form

                 UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth

          This  name  is   then   compared   against   the   match   POSIX
          (''extended'')   regular   expression,   and  if  the  match  is
          successful, the name is replaced with the  replace  string.   If
          there  are wildcard strings in the match regular expression that
          are enclosed in parenthesis, e.g.

                 UID=([^,]*),CN=.*

          then the portion of the name that matched the wildcard  will  be
          stored  in  the  numbered  placeholder variable $1. If there are
          other wildcard strings in parenthesis, the matching strings will
          be  in  $2, $3, etc. up to $9. The placeholders can then be used
          in the replace string, e.g.

                 UID=$1,OU=Accounts,DC=example,DC=com

          The replaced name can be either a DN, i.e. a string prefixed  by
          "dn:",  or  an LDAP URI.  If the latter, the server will use the
          URI to search its own database(s) and,  if  the  search  returns
          exactly one entry, the name is replaced by the DN of that entry.
          The LDAP  URI  must  have  no  hostport,  attrs,  or  extensions
          components, but the filter is mandatory, e.g.

                 ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)

          The  protocol  portion  of  the URI must be strictly ldap.  Note
          that this search is subject to access  controls.   Specifically,
          the  authentication  identity  must  have  "auth"  access in the
          subject.

          Multiple authz-regexp options can be given in the  configuration
          file  to  allow  for multiple matching and replacement patterns.
          The matching patterns are checked in the order  they  appear  in
          the file, stopping at the first successful match.

   concurrency <integer>
          Specify  a  desired  level  of  concurrency.   Provided  to  the
          underlying thread system as a  hint.   The  default  is  not  to
          provide any hint.

   conn_max_pending <integer>
          Specify  the maximum number of pending requests for an anonymous
          session.  If requests are submitted faster than the  server  can
          process them, they will be queued up to this limit. If the limit
          is exceeded, the session is closed. The default is 100.

   conn_max_pending_auth <integer>
          Specify  the  maximum  number  of  pending   requests   for   an
          authenticated session.  The default is 1000.

   defaultsearchbase <dn>
          Specify  a default search base to use when client submits a non-
          base search request with an empty base DN.  Base  scoped  search
          requests with an empty base DN are not affected.

   disallow <features>
          Specify a set of features (separated by white space) to disallow
          (default none).  bind_anon disables acceptance of anonymous bind
          requests.   Note  that  this setting does not prohibit anonymous
          directory access (See "require  authc").   bind_simple  disables
          simple   (bind)  authentication.   tls_2_anon  disables  forcing
          session to anonymous status (see also tls_authc)  upon  StartTLS
          operation  receipt.   tls_authc disallows the StartTLS operation
          if       authenticated       (see       also        tls_2_anon).
          proxy_authz_non_critical  disables  acceptance  of  the  proxied
          authorization  control  (RFC4370)  when  criticality  is  FALSE.
          dontusecopy_non_critical  disables acceptance of the dontUseCopy
          control (a work in progress) when criticality is FALSE.

   ditcontentrule ( <oid>  [NAME <name>]  [DESC <description>]  [OBSOLETE]
          [AUX <oids>] [MUST <oids>] [MAY <oids>] [NOT <oids>] )
          Specify  an  DIT Content Rule using the LDAPv3 syntax defined in
          RFC 4512.  The slapd parser extends the RFC 4512  definition  by
          allowing string forms as well as numeric OIDs to be used for the
          attribute   OID   and   attribute   syntax   OID.    (See    the
          objectidentifier description.)

   gentlehup { on | off }
          A  SIGHUP  signal  will  only cause a 'gentle' shutdown-attempt:
          Slapd will stop listening for  new  connections,  but  will  not
          close  the  connections  to  the  current clients.  Future write
          operations   return   unwilling-to-perform,    though.     Slapd
          terminates  when  all  clients have closed their connections (if
          they ever do), or - as before - if it receives a SIGTERM signal.
          This can be useful if you wish to terminate the server and start
          a new slapd server with another database, without disrupting the
          currently  active clients.  The default is off.  You may wish to
          use idletimeout along with this option.

   idletimeout <integer>
          Specify the number of seconds to wait before forcibly closing an
          idle  client  connection.   A  idletimeout  of  0  disables this
          feature.  The default is  0.  You  may  also  want  to  set  the
          writetimeout option.

   include <filename>
          Read  additional  configuration  information from the given file
          before continuing with the next line of the current file.

   index_intlen <integer>
          Specify the key length for ordered  integer  indices.  The  most
          significant  bytes  of the binary integer will be used for index
          keys. The default value is 4, which provides exact indexing  for
          31 bit values.  A floating point representation is used to index
          too large values.

   index_substr_if_minlen <integer>
          Specify the minimum length for subinitial and subfinal  indices.
          An  attribute  value  must have at least this many characters in
          order to be processed by the indexing functions. The default  is
          2.

   index_substr_if_maxlen <integer>
          Specify  the maximum length for subinitial and subfinal indices.
          Only  this  many  characters  of  an  attribute  value  will  be
          processed  by  the indexing functions; any excess characters are
          ignored. The default is 4.

   index_substr_any_len <integer>
          Specify the length used for subany indices. An  attribute  value
          must  have  at  least  this  many  characters  in  order  to  be
          processed. Attribute values longer  than  this  length  will  be
          processed  in  segments  of  this  length. The default is 4. The
          subany index will also be used in subinitial and subfinal  index
          lookups   when   the   filter   string   is   longer   than  the
          index_substr_if_maxlen value.

   index_substr_any_step <integer>
          Specify the steps used in subany index lookups. This value  sets
          the  offset  for  the  segments  of  a  filter  string  that are
          processed for a subany index  lookup.  The  default  is  2.  For
          example,  with  the  default  values, a search using this filter
          "cn=*abcdefgh*" would generate index lookups for "abcd", "cdef",
          and "efgh".

   Note:  Indexing support depends on the particular backend in use. Also,
   changing these settings will generally  require  deleting  any  indices
   that depend on these parameters and recreating them with slapindex(8).

   ldapsyntax ( <oid> [DESC <description>] [X-SUBST <substitute-syntax>] )

          Specify an LDAP syntax using the LDAPv3 syntax  defined  in  RFC
          4512.   The  slapd  parser  extends  the  RFC 4512 definition by
          allowing string forms as well as numeric OIDs to be used for the
          syntax  OID.  (See the objectidentifier description.)  The slapd
          parser also honors the X-SUBST extension  (an  OpenLDAP-specific
          extension),  which  allows  to  use  the ldapsyntax statement to
          define a non-implemented syntax along with another  syntax,  the
          extension value substitute-syntax, as its temporary replacement.
          The substitute-syntax must be defined.  This  allows  to  define
          attribute  types that make use of non-implemented syntaxes using
          the  correct  syntax  OID.   Unless  X-SUBST   is   used,   this
          configuration  statement  would  result  in  an  error, since no
          handlers would be associated to the resulting syntax structure.

   listener-threads <integer>
          Specify the number of threads to use for the connection manager.
          The default is 1 and this is typically adequate for up to 16 CPU
          cores.  The value should be set to a power of 2.

   localSSF <SSF>
          Specifies the Security Strength Factor (SSF) to be  given  local
          LDAP  sessions,  such  as those to the ldapi:// listener.  For a
          description of SSF values,  see  sasl-secprops's  minssf  option
          description.  The default is 71.

   logfile <filename>
          Specify  a  file  for  recording  debug log messages. By default
          these messages only go to stderr and are not  recorded  anywhere
          else.  Specifying  a  logfile copies messages to both stderr and
          the logfile.

   loglevel <integer> [...]
          Specify the level at which debugging  statements  and  operation
          statistics   should   be  syslogged  (currently  logged  to  the
          syslogd(8)  LOG_LOCAL4  facility).   They  must  be   considered
          subsystems  rather  than  increasingly verbose log levels.  Some
          messages with higher  priority  are  logged  regardless  of  the
          configured  loglevel  as soon as any logging is configured.  Log
          levels are additive, and available levels are:
                 1      (0x1 trace) trace function calls
                 2      (0x2 packets) debug packet handling
                 4      (0x4 args) heavy trace debugging (function args)
                 8      (0x8 conns) connection management
                 16     (0x10 BER) print out packets sent and received
                 32     (0x20 filter) search filter processing
                 64     (0x40 config) configuration file processing
                 128    (0x80 ACL) access control list processing
                 256    (0x100  stats)   connections,   LDAP   operations,
                        results (recommended)
                 512    (0x200 stats2) stats log entries sent
                 1024   (0x400   shell)  print  communication  with  shell
                        backends
                 2048   (0x800 parse) entry parsing

                 16384  (0x4000 sync) LDAPSync replication
                 32768  (0x8000  none)  only  messages  that  get   logged
                        whatever log level is set
          The  desired  log  level  can  be input as a single integer that
          combines the (ORed)  desired  levels,  both  in  decimal  or  in
          hexadecimal  notation,  as  a  list  of  integers (that are ORed
          internally), or as a list of the names that  are  shown  between
          brackets, such that

              loglevel 129
              loglevel 0x81
              loglevel 128 1
              loglevel 0x80 0x1
              loglevel acl trace

          are  equivalent.   The  keyword any can be used as a shortcut to
          enable logging at all levels (equivalent to  -1).   The  keyword
          none,  or  the  equivalent  integer representation, causes those
          messages that are logged regardless of the  configured  loglevel
          to  be  logged.   In  fact,  if loglevel is set to 0, no logging
          occurs, so at least the none level  is  required  to  have  high
          priority messages logged.

          The  loglevel defaults to stats.  This level should usually also
          be included when using other  loglevels,  to  help  analyze  the
          logs.

   moduleload <filename>
          Specify  the  name of a dynamically loadable module to load. The
          filename may be an absolute path name or a simple filename. Non-
          absolute  names are searched for in the directories specified by
          the modulepath option. This option and the modulepath option are
          only usable if slapd was compiled with --enable-modules.

   modulepath <pathspec>
          Specify  a  list  of directories to search for loadable modules.
          Typically the path is colon-separated but this  depends  on  the
          operating  system.  The default is /usr/lib/ldap, which is where
          the standard OpenLDAP install will place its modules.

   objectclass  ( <oid>  [NAME <name>]   [DESC <description>]   [OBSOLETE]
          [SUP <oids>]   [{   ABSTRACT   |   STRUCTURAL   |  AUXILIARY  }]
          [MUST <oids>] [MAY <oids>] )
          Specify an objectclass using the LDAPv3 syntax  defined  in  RFC
          4512.   The  slapd  parser  extends  the  RFC 4512 definition by
          allowing string forms as well as numeric OIDs to be used for the
          object  class  OID.   (See  the  objectidentifier  description.)
          Object classes are "STRUCTURAL" by default.

   objectidentifier <name> { <oid> | <name>[:<suffix>] }
          Define a string name that equates to the given OID.  The  string
          can  be  used  in  place  of  the numeric OID in objectclass and
          attribute definitions. The name can also be used with  a  suffix
          of the form ":xx" in which case the value "oid.xx" will be used.

   password-hash <hash> [<hash>...]
          This  option  configures  one  or  more  hashes  to  be  used in
          generation  of  user  passwords  stored  in   the   userPassword
          attribute  during  processing  of  LDAP Password Modify Extended
          Operations (RFC 3062).  The <hash> must be one of {SSHA}, {SHA},
          {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}.  The default is {SSHA}.

          {SHA}  and  {SSHA}  use  the  SHA-1  algorithm (FIPS 160-1), the
          latter with a seed.

          {MD5} and {SMD5} use the MD5 algorithm (RFC  1321),  the  latter
          with a seed.

          {CRYPT} uses the crypt(3).

          {CLEARTEXT}  indicates  that the new password should be added to
          userPassword as clear text.

          Note  that  this  option  does  not  alter   the   normal   user
          applications  handling  of userPassword during LDAP Add, Modify,
          or other LDAP operations.

   password-crypt-salt-format <format>
          Specify  the  format  of  the  salt  passed  to  crypt(3)   when
          generating   {CRYPT}   passwords   (see   password-hash)  during
          processing of LDAP  Password  Modify  Extended  Operations  (RFC
          3062).

          This string needs to be in sprintf(3) format and may include one
          (and  only  one)  %s  conversion.   This  conversion   will   be
          substituted   with   a   string   of   random   characters  from
          [A-Za-z0-9./].  For example, "%.2s"  provides  a  two  character
          salt and "$1$%.8s" tells some versions of crypt(3) to use an MD5
          algorithm and provides 8 random characters of salt.  The default
          is "%s", which provides 31 characters of salt.

   pidfile <filename>
          The  (absolute) name of a file that will hold the slapd server's
          process ID (see getpid(2)).

   referral <url>
          Specify the referral to pass back when slapd(8)  cannot  find  a
          local  database  to  handle  a  request.   If specified multiple
          times, each url is provided.

   require <conditions>
          Specify a set  of  conditions  (separated  by  white  space)  to
          require (default none).  The directive may be specified globally
          and/or per-database; databases  inherit  global  conditions,  so
          per-database  specifications  are  additive.  bind requires bind
          operation  prior  to  directory  operations.   LDAPv3   requires
          session   to   be   using   LDAP   version  3.   authc  requires
          authentication prior to  directory  operations.   SASL  requires
          SASL  authentication  prior  to  directory  operations.   strong
          requires strong authentication prior  to  directory  operations.
          The  strong  keyword allows protected "simple" authentication as
          well as SASL authentication.  none may be  used  to  require  no
          conditions (useful to clear out globally set conditions within a
          particular database);  it  must  occur  first  in  the  list  of
          conditions.

   reverse-lookup on | off
          Enable/disable client name unverified reverse lookup (default is
          off if compiled with --enable-rlookups).

   rootDSE <file>
          Specify the name of an  LDIF(5)  file  containing  user  defined
          attributes  for  the root DSE.  These attributes are returned in
          addition to the attributes normally produced by slapd.

          The root DSE is an entry with information about the  server  and
          its  capabilities,  in operational attributes.  It has the empty
          DN, and can be read with e.g.:
              ldapsearch -x -b "" -s base "+"
          See RFC 4512 section 5.1 for details.

   sasl-auxprops <plugin> [...]
          Specify which auxprop plugins to use for authentication lookups.
          The  default is empty, which just uses slapd's internal support.
          Usually no other auxprop plugins are needed.

   sasl-host <fqdn>
          Used to specify the fully qualified domain name  used  for  SASL
          processing.

   sasl-realm <realm>
          Specify SASL realm.  Default is empty.

   sasl-secprops <properties>
          Used  to  specify Cyrus SASL security properties.  The none flag
          (without  any  other  properties)  causes  the  flag  properties
          default, "noanonymous,noplain", to be cleared.  The noplain flag
          disables mechanisms susceptible to simple passive attacks.   The
          noactive flag disables mechanisms susceptible to active attacks.
          The nodict  flag  disables  mechanisms  susceptible  to  passive
          dictionary  attacks.   The  noanonymous flag disables mechanisms
          which support anonymous  login.   The  forwardsec  flag  require
          forward   secrecy   between   sessions.   The  passcred  require
          mechanisms which pass client credentials (and  allow  mechanisms
          which  can  pass  credentials  to  do  so).  The minssf=<factor>
          property specifies  the  minimum  acceptable  security  strength
          factor  as  an  integer approximate to effective key length used
          for encryption.  0  (zero)  implies  no  protection,  1  implies
          integrity  protection only, 56 allows DES or other weak ciphers,
          112 allows triple DES and other strong ciphers, 128 allows  RC4,
          Blowfish  and  other  modern  strong ciphers.  The default is 0.
          The maxssf=<factor> property specifies  the  maximum  acceptable
          security strength factor as an integer (see minssf description).
          The  default  is  INT_MAX.    The   maxbufsize=<size>   property
          specifies   the  maximum  security  layer  receive  buffer  size
          allowed.  0 disables security layers.  The default is 65536.

   schemadn <dn>
          Specify the distinguished name for the subschema  subentry  that
          controls   the   entries   on   this  server.   The  default  is
          "cn=Subschema".

   security <factors>
          Specify a set of security strength factors (separated  by  white
          space)  to  require  (see  sasl-secprops's  minssf  option for a
          description of security strength factors).  The directive may be
          specified  globally  and/or per-database.  ssf=<n> specifies the
          overall security strength factor.  transport=<n>  specifies  the
          transport  security  strength factor.  tls=<n> specifies the TLS
          security strength factor.  sasl=<n> specifies the SASL  security
          strength  factor.  update_ssf=<n> specifies the overall security
          strength   factor   to   require    for    directory    updates.
          update_transport=<n>  specifies  the transport security strength
          factor  to  require  for  directory   updates.    update_tls=<n>
          specifies  the  TLS  security  strength  factor  to  require for
          directory updates.  update_sasl=<n> specifies the SASL  security
          strength    factor    to    require   for   directory   updates.
          simple_bind=<n> specifies the security strength factor  required
          for  simple  username/password  authentication.   Note  that the
          transport  factor  is  measure  of  security  provided  by   the
          underlying  transport, e.g. ldapi:// (and eventually IPSEC).  It
          is not normally used.

   serverID <integer> [<URL>]
          Specify an integer ID from 0 to 4095 for this server (limited to
          3  hexadecimal  digits).   The  ID  may  also  be specified as a
          hexadecimal ID by prefixing the value with "0x".  These IDs  are
          required when using multimaster replication and each master must
          have a unique ID. Note that this  requirement  also  applies  to
          separate  masters  contributing to a glued set of databases.  If
          the URL is provided, this directive may  be  specified  multiple
          times,  providing  a  complete list of participating servers and
          their IDs. The fully qualified hostname of each server should be
          used  in the supplied URLs. The IDs are used in the "replica id"
          field of all CSNs generated by the specified server. The default
          value is zero.  Example:

        serverID 1

   sizelimit {<integer>|unlimited}

   sizelimit size[.{soft|hard|unchecked}]=<integer> [...]
          Specify  the  maximum  number of entries to return from a search
          operation.  The default size limit is  500.   Use  unlimited  to
          specify  no  limits.   The  second  format  allows  a fine grain
          setting of the size limits.  Extra args can be added on the same
          line.  See limits for an explanation of the different flags.

   sockbuf_max_incoming <integer>
          Specify  the  maximum  incoming  LDAP  PDU  size  for  anonymous
          sessions.  The default is 262143.

   sockbuf_max_incoming_auth <integer>
          Specify the maximum incoming LDAP  PDU  size  for  authenticated
          sessions.  The default is 4194303.

   sortvals <attr> [...]
          Specify  a  list  of  multi-valued  attributes whose values will
          always be maintained in sorted order.  Using  this  option  will
          allow   Modify,   Compare,   and  filter  evaluations  on  these
          attributes to be performed more efficiently. The resulting  sort
          order  depends  on the attributes' syntax and matching rules and
          may not correspond to lexical order or  any  other  recognizable
          order.

   tcp-buffer [listener=<URL>] [{read|write}=]<size>
          Specify  the  size  of  the TCP buffer.  A global value for both
          read and write TCP buffers related to any listener  is  defined,
          unless  the listener is explicitly specified, or either the read
          or write qualifiers are used.  See  tcp(7)  for  details.   Note
          that some OS-es implement automatic TCP buffer tuning.

   threads <integer>
          Specify  the  maximum  size  of  the  primary  thread pool.  The
          default is 16; the minimum value is 2.

   timelimit {<integer>|unlimited}

   timelimit time[.{soft|hard}]=<integer> [...]
          Specify the maximum number of seconds (in real time) slapd  will
          spend  answering  a  search  request.  The default time limit is
          3600.  Use unlimited to specify no limits.   The  second  format
          allows  a fine grain setting of the time limits.  Extra args can
          be added on the same line.  See limits for an explanation of the
          different flags.

   tool-threads <integer>
          Specify the maximum number of threads to use in tool mode.  This
          should not be greater than the number of  CPUs  in  the  system.
          The default is 1.

   writetimeout <integer>
          Specify  the number of seconds to wait before forcibly closing a
          connection with an outstanding write. This allows recovery  from
          various  network  hang conditions.  A writetimeout of 0 disables
          this feature.  The default is 0.

TLS OPTIONS

   If slapd is built with support for Transport Layer Security, there  are
   more options you can specify.

   TLSCipherSuite <cipher-suite-spec>
          Permits  configuring  what  ciphers  will  be  accepted  and the
          preference  order.   <cipher-suite-spec>  should  be  a   cipher
          specification  for  the  TLS library in use (OpenSSL, GnuTLS, or
          Mozilla NSS).  Example:

                 OpenSSL:
                        TLSCipherSuite HIGH:MEDIUM:+SSLv2

                 GnuTLS:
                        TLSCiphersuite SECURE256:!AES-128-CBC

          To check what ciphers a given spec selects in OpenSSL, use:

               openssl ciphers -v <cipher-suite-spec>

          With GnuTLS the available specs can be found in the manual  page
          of gnutls-cli(1) (see the description of the option --priority).

          In  older  versions of GnuTLS, where gnutls-cli does not support
          the option --priority, you can obtain the --- more limited ---  list
          of ciphers by calling:

               gnutls-cli -l

          When  using Mozilla NSS, the OpenSSL cipher suite specifications
          are used and translated  into  the  format  used  internally  by
          Mozilla  NSS.  There isn't an easy way to list the cipher suites
          from the command line.  The authoritative list is in the  source
          code for Mozilla NSS in the file sslinfo.c in the structure
                  static const SSLCipherSuiteInfo suiteInfo[]

   TLSCACertificateFile <filename>
          Specifies  the  file  that  contains certificates for all of the
          Certificate  Authorities  that  slapd   will   recognize.    The
          certificate  for  the CA that signed the server certificate must
          be included among these certificates. If the signing CA was  not
          a  top-level  (root) CA, certificates for the entire sequence of
          CA's from the signing CA to the top-level CA should be  present.
          Multiple certificates are simply appended to the file; the order
          is not significant.

   TLSCACertificatePath <path>
          Specifies the path of  a  directory  that  contains  Certificate
          Authority  certificates  in  separate  individual files. Usually
          only one of this  or  the  TLSCACertificateFile  is  used.  This
          directive is not supported when using GnuTLS.

          When  using  Mozilla  NSS,  <path>  may  contain  a  Mozilla NSS
          cert/key database.  If <path> contains a  Mozilla  NSS  cert/key
          database  and  CA  cert  files,  OpenLDAP  will use the cert/key
          database and will ignore the CA cert files.

   TLSCertificateFile <filename>
          Specifies the file that contains the slapd server certificate.

          When using Mozilla NSS, if using a cert/key database  (specified
          with  TLSCACertificatePath),  TLSCertificateFile  specifies  the
          name of the certificate to use:
               TLSCertificateFile Server-Cert
          If using a token other than the internal built in token, specify
          the token name first, followed by a colon:
               TLSCertificateFile my hardware device:Server-Cert
          Use certutil -L to list the certificates by name:
               certutil -d /path/to/certdbdir -L

   TLSCertificateKeyFile <filename>
          Specifies  the  file  that contains the slapd server private key
          that matches the certificate stored  in  the  TLSCertificateFile
          file.   Currently,  the private key must not be protected with a
          password, so it is of critical importance that it  is  protected
          carefully.

          When using Mozilla NSS, TLSCertificateKeyFile specifies the name
          of a file that  contains  the  password  for  the  key  for  the
          certificate  specified  with  TLSCertificateFile.   The  modutil
          command can be used to turn  off  password  protection  for  the
          cert/key   database.    For   example,  if  TLSCACertificatePath
          specifes /etc/openldap/certdb as the location  of  the  cert/key
          database,  use  modutil  to  change  the  password  to the empty
          string:
               modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'
          You must have the old password,  if  any.   Ignore  the  WARNING
          about the running browser.  Press 'Enter' for the new password.

   TLSDHParamFile <filename>
          This  directive  specifies the file that contains parameters for
          Diffie-Hellman ephemeral key  exchange.   This  is  required  in
          order  to  use a DSA certificate on the server. If multiple sets
          of parameters are present in the  file,  all  of  them  will  be
          processed.   Note  that  setting  this  option  may  also enable
          Anonymous Diffie-Hellman key exchanges  in  certain  non-default
          cipher  suites.   You should append "!ADH" to your cipher suites
          if  you  have  changed  them  from  the  default,  otherwise  no
          certificate  exchanges  or verification will be done. When using
          GnuTLS these parameters are always generated  randomly  so  this
          directive  is  ignored.   This  directive  is ignored when using
          Mozilla NSS.

   TLSProtocolMin <major>[.<minor>]
          Specifies  minimum  SSL/TLS  protocol  version  that   will   be
          negotiated.   If  the  server  doesn't  support  at  least  that
          version, the SSL handshake will fail.  To  require  TLS  1.x  or
          higher, set this option to 3.(x+1), e.g.,

               TLSProtocolMin 3.2

          would require TLS 1.1.  Specifying a minimum that is higher than
          that supported by the OpenLDAP implementation will result in  it
          requiring   the  highest  level  that  it  does  support.   This
          directive is ignored with GnuTLS.

   TLSRandFile <filename>
          Specifies  the  file   to   obtain   random   bits   from   when
          /dev/[u]random  is  not available.  Generally set to the name of
          the EGD/PRNGD socket.  The  environment  variable  RANDFILE  can
          also be used to specify the filename.  This directive is ignored
          with GnuTLS and Mozilla NSS.

   TLSVerifyClient <level>
          Specifies what checks to perform on client  certificates  in  an
          incoming  TLS  session, if any.  The <level> can be specified as
          one of the following keywords:

          never  This is the default.  slapd will not ask the client for a
                 certificate.

          allow  The  client  certificate is requested.  If no certificate
                 is provided, the session proceeds  normally.   If  a  bad
                 certificate  is  provided,  it  will  be  ignored and the
                 session proceeds normally.

          try    The client certificate is requested.  If  no  certificate
                 is  provided,  the  session  proceeds normally.  If a bad
                 certificate  is  provided,  the  session  is  immediately
                 terminated.

          demand | hard | true
                 These  keywords  are  all  equivalent,  for compatibility
                 reasons.  The client certificate  is  requested.   If  no
                 certificate   is   provided,  or  a  bad  certificate  is
                 provided, the session is immediately terminated.

                 Note that a valid client certificate is required in order
                 to  use the SASL EXTERNAL authentication mechanism with a
                 TLS session.   As  such,  a  non-default  TLSVerifyClient
                 setting   must   be   chosen   to  enable  SASL  EXTERNAL
                 authentication.

   TLSCRLCheck <level>
          Specifies if the Certificate Revocation List  (CRL)  of  the  CA
          should  be  used  to  verify if the client certificates have not
          been revoked. This requires TLSCACertificatePath parameter to be
          set.  This  directive  is  ignored  with GnuTLS and Mozilla NSS.
          <level> can be specified as one of the following keywords:

          none   No CRL checks are performed

          peer   Check the CRL of the peer certificate

          all    Check the CRL for a whole certificate chain

   TLSCRLFile <filename>
          Specifies a file containing a Certificate Revocation List to  be
          used for verifying that certificates have not been revoked. This
          directive is only valid when using GnuTLS and Mozilla NSS.

GENERAL BACKEND OPTIONS

   Options in this section only apply to the  configuration  file  section
   for  the  specified  backend.   They  are  supported  by  every type of
   backend.

   backend <databasetype>
          Mark the  beginning  of  a  backend  definition.  <databasetype>
          should  be  one  of  bdb,  config, dnssrv, hdb, ldap, ldif, mdb,
          meta,  monitor,  null,  passwd,  perl,  relay,  shell,  or  sql,
          depending on which backend will serve the database.

GENERAL DATABASE OPTIONS

   Options  in  this  section only apply to the configuration file section
   for the database in which they are  defined.   They  are  supported  by
   every  type of backend.  Note that the database and at least one suffix
   option are mandatory for each database.

   database <databasetype>
          Mark the  beginning  of  a  new  database  instance  definition.
          <databasetype>  should be one of bdb, config, dnssrv, hdb, ldap,
          ldif, mdb, meta, monitor, null, passwd, perl, relay,  shell,  or
          sql, depending on which backend will serve the database.

          LDAP operations, even subtree searches, normally access only one
          database.  That can be changed by gluing databases together with
          the  subordinate keyword.  Access controls and some overlays can
          also involve multiple databases.

   add_content_acl on | off
          Controls whether Add operations will perform ACL checks  on  the
          content  of the entry being added. This check is off by default.
          See the slapd.access(5) manual page  for  more  details  on  ACL
          requirements for Add operations.

   extra_attrs <attrlist>
          Lists  what  attributes  need  to  be  added to search requests.
          Local storage backends return the entire entry to the  frontend.
          The   frontend  takes  care  of  only  returning  the  requested
          attributes that are allowed by  ACLs.   However,  features  like
          access checking and so may need specific attributes that are not
          automatically returned by remote storage  backends,  like  proxy
          backends and so on.  <attrlist> is a list of attributes that are
          needed  for  internal  purposes  and  thus  always  need  to  be
          collected, even when not explicitly requested by clients.

   hidden on | off
          Controls  whether the database will be used to answer queries. A
          database that is hidden will never be  selected  to  answer  any
          queries,  and  any  suffix  configured  on  the database will be
          ignored  in  checks  for  conflicts  with  other  databases.  By
          default, hidden is off.

   lastmod on | off
          Controls   whether   slapd   will   automatically  maintain  the
          modifiersName,      modifyTimestamp,      creatorsName,      and
          createTimestamp  attributes  for  entries.  It also controls the
          entryCSN and entryUUID  attributes,  which  are  needed  by  the
          syncrepl provider. By default, lastmod is on.

   limits <selector> <limit> [<limit> [...]]
          Specify  time and size limits based on the operation's initiator
          or base DN.  The argument <selector> can be any of

                 anonymous    |    users    |    [<dnspec>=]<pattern>    |
                 group[/oc[/at]]=<pattern>

          with

                 <dnspec> ::= dn[.<type>][.<style>]

                 <type>  ::= self | this

                 <style>  ::= exact | base | onelevel | subtree | children
                 | regex | anonymous

          DN type self is the default and means the bound user, while this
          means  the base DN of the operation.  The term anonymous matches
          all  unauthenticated  clients.   The  term  users  matches   all
          authenticated  clients; otherwise an exact dn pattern is assumed
          unless otherwise specified  by  qualifying  the  (optional)  key
          string dn with exact or base (which are synonyms), to require an
          exact match; with onelevel, to  require  exactly  one  level  of
          depth  match;  with  subtree, to allow any level of depth match,
          including the exact match; with children, to allow any level  of
          depth  match,  not  including  the exact match; regex explicitly
          requires the  (default)  match  based  on  POSIX  (''extended'')
          regular  expression pattern.  Finally, anonymous matches unbound
          operations; the pattern field is ignored.  The same behavior  is
          obtained  by  using the anonymous form of the <selector> clause.
          The  term  group,  with  the   optional   objectClass   oc   and
          attributeType  at  fields,  followed by pattern, sets the limits
          for any DN listed in the values of  the  at  attribute  (default
          member) of the oc group objectClass (default groupOfNames) whose
          DN exactly matches pattern.

          The currently supported limits are size and time.

          The syntax  for  time  limits  is  time[.{soft|hard}]=<integer>,
          where  integer  is  the  number  of  seconds  slapd  will  spend
          answering a search request.  If  no  time  limit  is  explicitly
          requested  by  the  client,  the  soft  limit  is  used;  if the
          requested time limit exceeds the hard limit, the  value  of  the
          limit  is used instead.  If the hard limit is set to the keyword
          soft, the soft limit is used in either case; if it is set to the
          keyword unlimited, no hard limit is enforced.  Explicit requests
          for time limits smaller or equal to the hard limit are  honored.
          If  no limit specifier is set, the value is assigned to the soft
          limit, and the hard limit  is  set  to  soft,  to  preserve  the
          original behavior.

          The        syntax        for        size        limits        is
          size[.{soft|hard|unchecked}]=<integer>,  where  integer  is  the
          maximum  number  of entries slapd will return answering a search
          request.  If no  size  limit  is  explicitly  requested  by  the
          client,  the  soft  limit  is  used; if the requested size limit
          exceeds the hard limit, the value of the limit is used  instead.
          If  the hard limit is set to the keyword soft, the soft limit is
          used in either case; if it is set to the keyword  unlimited,  no
          hard  limit  is  enforced.   Explicit  requests  for size limits
          smaller or equal to the hard limit are honored.   The  unchecked
          specifier  sets  a  limit  on  the number of candidates a search
          request is allowed to examine.  The rationale behind it is  that
          searches for non-properly indexed attributes may result in large
          sets of candidates,  which  must  be  examined  by  slapd(8)  to
          determine  whether  they  match  the  search filter or not.  The
          unchecked limit provides a means to drop such operations  before
          they  are  even  started.  If the selected candidates exceed the
          unchecked  limit,  the  search  will  abort  with  Unwilling  to
          perform.   If  it  is  set to the keyword unlimited, no limit is
          applied (the default).  If it is set to disabled, the search  is
          not  even performed; this can be used to disallow searches for a
          specific set of users.  If no limit specifier is set, the  value
          is  assigned  to  the  soft  limit, and the hard limit is set to
          soft, to preserve the original behavior.

          In case of no match, the global limits are  used.   The  default
          values  are the same as for sizelimit and timelimit; no limit is
          set on unchecked.

          If pagedResults control is requested, the  hard  size  limit  is
          used  by default, because the request of a specific page size is
          considered an explicit request for a limitation on the number of
          entries  to be returned.  However, the size limit applies to the
          total count of entries returned within the search, and not to  a
          single page.  Additional size limits may be enforced; the syntax
          is size.pr={<integer>|noEstimate|unlimited},  where  integer  is
          the  max  page  size  if  no  explicit limit is set; the keyword
          noEstimate inhibits the server from returning an estimate of the
          total  number  of  entries  that  might  be  returned (note: the
          current implementation  does  not  return  any  estimate).   The
          keyword  unlimited  indicates  that  no  limit is applied to the
          pagedResults     control     page     size.      The      syntax
          size.prtotal={<integer>|unlimited|disabled}   allows  to  set  a
          limit on the total number of entries that a pagedResults control
          allows to return.  By default it is set to the hard limit.  When
          set, integer is the max number of entries that the whole  search
          with  pagedResults  control  can return.  Use unlimited to allow
          unlimited number of entries to be returned, e.g.  to  allow  the
          use  of  the  pagedResults control as a means to circumvent size
          limitations on regular searches; the keyword  disabled  disables
          the  control,  i.e. no paged results can be returned.  Note that
          the total number  of  entries  returned  when  the  pagedResults
          control  is  requested  cannot  exceed  the  hard  size limit of
          regular searches unless extended by the prtotal switch.

          The limits statement is  typically  used  to  let  an  unlimited
          number  of  entries  be  returned by searches performed with the
          identity used by the consumer for  synchronization  purposes  by
          means of the RFC 4533 LDAP Content Synchronization protocol (see
          syncrepl for details).

   maxderefdepth <depth>
          Specifies the maximum number  of  aliases  to  dereference  when
          trying  to resolve an entry, used to avoid infinite alias loops.
          The default is 15.

   mirrormode on | off
          This option puts a replica database into "mirror" mode.   Update
          operations  will  be  accepted  from  any  user,  not  just  the
          updatedn.  The database must already be configured as a syncrepl
          consumer before this keyword may be set. This mode also requires
          a serverID (see above) to be configured.  By default, mirrormode
          is off.

   monitoring on | off
          This  option  enables  database-specific monitoring in the entry
          related to the current database in the "cn=Databases,cn=Monitor"
          subtree  of  the  monitor  database,  if the monitor database is
          enabled.  Currently, only the BDB and the HDB databases  provide
          database-specific   monitoring.   The  default  depends  on  the
          backend type.

   overlay <overlay-name>
          Add the specified overlay to this  database.  An  overlay  is  a
          piece  of  code  that intercepts database operations in order to
          extend or change them. Overlays are pushed onto a stack over the
          database,  and  so they will execute in the reverse of the order
          in which they were  configured  and  the  database  itself  will
          receive  control  last  of all. See the slapd.overlays(5) manual
          page for an overview of the available overlays.  Note  that  all
          of  the  database's regular settings should be configured before
          any overlay settings.

   readonly on | off
          This option  puts  the  database  into  "read-only"  mode.   Any
          attempts  to  modify  the  database will return an "unwilling to
          perform" error.  By default, readonly is off.

   restrict <oplist>
          Specify a whitespace  separated  list  of  operations  that  are
          restricted.    If   defined  inside  a  database  specification,
          restrictions apply only to that  database,  otherwise  they  are
          global.   Operations  can  be any of add, bind, compare, delete,
          extended[=<OID>], modify, rename, search, or the special pseudo-
          operations read and write, which respectively summarize read and
          write operations.  The use of restrict write  is  equivalent  to
          readonly  on  (see  above).   The  extended  keyword  allows  to
          indicate the OID of the specific operation to be restricted.

   rootdn <dn>
          Specify the distinguished name that is  not  subject  to  access
          control  or  administrative limit restrictions for operations on
          this database.  This DN may or may not  be  associated  with  an
          entry.   An empty root DN (the default) specifies no root access
          is to be granted.  It is recommended that  the  rootdn  only  be
          specified  when  needed  (such  as  when  initially populating a
          database).  If the rootdn is within a namingContext (suffix)  of
          the  database, a simple bind password may also be provided using
          the  rootpw  directive.  Many   optional   features,   including
          syncrepl, require the rootdn to be defined for the database.

   rootpw <password>
          Specify  a  password  (or  hash of the password) for the rootdn.
          The password can only  be  set  if  the  rootdn  is  within  the
          namingContext (suffix) of the database.  This option accepts all
          RFC  2307  userPassword  formats  known  to  the   server   (see
          password-hash  description) as well as cleartext.  slappasswd(8)
          may be used to generate a hash of  a  password.   Cleartext  and
          {CRYPT}  passwords are not recommended.  If empty (the default),
          authentication of the root DN is by  other  means  (e.g.  SASL).
          Use of SASL is encouraged.

   suffix <dn suffix>
          Specify  the  DN  suffix  of queries that will be passed to this
          backend database.  Multiple suffix lines can  be  given  and  at
          least one is required for each database definition.

          If  the  suffix of one database is "inside" that of another, the
          database  with  the  inner  suffix  must  come  first   in   the
          configuration  file.   You  may also want to glue such databases
          together with the subordinate keyword.

   subordinate [advertise]
          Specify that the current backend database is  a  subordinate  of
          another  backend database. A subordinate  database may have only
          one suffix. This option may be used to glue  multiple  databases
          into  a  single  namingContext.   If  the  suffix of the current
          database is within the namingContext  of  a  superior  database,
          searches against the superior database will be propagated to the
          subordinate as well. All of  the  databases  associated  with  a
          single namingContext should have identical rootdns.  Behavior of
          other  LDAP  operations  is  unaffected  by  this  setting.   In
          particular,  it  is  not  possible to use moddn to move an entry
          from  one  subordinate  to  another   subordinate   within   the
          namingContext.

          If  the  optional advertise flag is supplied, the naming context
          of this database is advertised in the root DSE. The  default  is
          to hide this database context, so that only the superior context
          is visible.

          If the slap tools slapcat(8), slapadd(8),  or  slapindex(8)  are
          used  on  the  superior  database,  any  glued subordinates that
          support these tools are opened as well.

          Databases that are glued together should usually  be  configured
          with the same indices (assuming they support indexing), even for
          attributes that only  exist  in  some  of  these  databases.  In
          general,  all  of  the  glued  databases should be configured as
          similarly as possible,  since  the  intent  is  to  provide  the
          appearance of a single directory.

          Note   that   the   subordinate   functionality  is  implemented
          internally by the glue overlay and as  such  its  behavior  will
          interact  with  other  overlays  in  use.  By  default, the glue
          overlay is automatically configured as the last overlay  on  the
          superior  backend. Its position on the backend can be explicitly
          configured by setting an overlay glue directive at  the  desired
          position.  This  explicit  configuration is necessary e.g.  when
          using the syncprov overlay, which needs to follow glue in  order
          to work over all of the glued databases. E.g.
               database bdb
               suffix dc=example,dc=com
               ...
               overlay glue
               overlay syncprov

   sync_use_subentry
          Store  the  syncrepl  contextCSN  in  a  subentry instead of the
          context entry of  the  database.  The  subentry's  RDN  will  be
          "cn=ldapsync".  By  default  the  contextCSN  is  stored  in the
          context entry.

   syncrepl    rid=<replica    ID>    provider=ldap[s]://<hostname>[:port]
          searchbase=<base     DN>    [type=refreshOnly|refreshAndPersist]
          [interval=dd:hh:mm:ss]   [retry=[<retry    interval>    <#    of
          retries>]+]  [filter=<filter  str>]  [scope=sub|one|base|subord]
          [attrs=<attr   list>]    [exattrs=<attr    list>]    [attrsonly]
          [sizelimit=<limit>]  [timelimit=<limit>] [schemachecking=on|off]
          [network-timeout=<seconds>]                  [timeout=<seconds>]
          [bindmethod=simple|sasl]     [binddn=<dn>]     [saslmech=<mech>]
          [authcid=<identity>] [authzid=<identity>] [credentials=<passwd>]
          [realm=<realm>]                          [secprops=<properties>]
          [keepalive=<idle>:<probes>:<interval>]   [starttls=yes|critical]
          [tls_cert=<file>]      [tls_key=<file>]      [tls_cacert=<file>]
          [tls_cacertdir=<path>]      [tls_reqcert=never|allow|try|demand]
          [tls_cipher_suite=<ciphers>]        [tls_crlcheck=none|peer|all]
          [tls_protocol_min=<major>[.<minor>]]  [suffixmassage=<real  DN>]
          [logbase=<base        DN>]        [logfilter=<filter       str>]
          [syncdata=default|accesslog|changelog]
          Specify the current database as a replica which is  kept  up-to-
          date  with  the  master  content  by  establishing  the  current
          slapd(8) as a  replication  consumer  site  running  a  syncrepl
          replication engine.  The replica content is kept synchronized to
          the  master  content  using  the  LDAP  Content  Synchronization
          protocol.  Refer  to  the  "OpenLDAP  Administrator's Guide" for
          detailed information on setting up a replicated slapd  directory
          service using the syncrepl replication engine.

          rid   identifies  the  current  syncrepl  directive  within  the
          replication consumer site.  It is  a  non-negative  integer  not
          greater than 999 (limited to three decimal digits).

          provider  specifies the replication provider site containing the
          master content as an LDAP URI.  If  <port>  is  not  given,  the
          standard LDAP port number (389 or 636) is used.

          The  content  of  the syncrepl replica is defined using a search
          specification as its result set. The consumer  slapd  will  send
          search  requests  to  the provider slapd according to the search
          specification. The  search  specification  includes  searchbase,
          scope,   filter,  attrs,  attrsonly,  sizelimit,  and  timelimit
          parameters as in the normal  search  specification.   The  scope
          defaults  to  sub, the filter defaults to (objectclass=*), while
          there is no default searchbase. The attrs list defaults to "*,+"
          to  return all user and operational attributes, and attrsonly is
          unset by default.   The  sizelimit  and  timelimit  only  accept
          "unlimited"   and   positive   integers,  and  both  default  to
          "unlimited".  The sizelimit and timelimit  parameters  define  a
          consumer  requested limitation on the number of entries that can
          be returned by the LDAP Content  Synchronization  operation;  as
          such,  it  is intended to implement partial replication based on
          the size of the replicated database and on the time required  by
          the  synchronization.   Note,  however,  that  any provider-side
          limits for the replication identity  will  be  enforced  by  the
          provider  regardless of the limits requested by the LDAP Content
          Synchronization  operation,  much  like  for  any  other  search
          operation.    exattrs   option  may  also  be  used  to  specify
          attributes that should be omitted from  incoming  entries.   The
          scope  defaults  to sub, the filter defaults to (objectclass=*),
          and there is no default searchbase. The attrs list  defaults  to
          "*,+"  to  return  all  user  and  operational  attributes,  and
          attrsonly and exattrs are unset by default.  The  sizelimit  and
          timelimit  only  accept  "unlimited"  and positive integers, and
          both default to "unlimited".  Note, however, that any  provider-
          side limits for the replication identity will be enforced by the
          provider regardless of the limits requested by the LDAP  Content
          Synchronization  operation,  much  like  for  any  other  search
          operation.

          The LDAP Content  Synchronization  protocol  has  two  operation
          types.   In  the refreshOnly operation, the next synchronization
          search operation is periodically rescheduled at an interval time
          (specified  by  interval parameter; 1 day by default) after each
          synchronization operation finishes.   In  the  refreshAndPersist
          operation,  a  synchronization  search remains persistent in the
          provider slapd.  Further updates  to  the  master  replica  will
          generate  searchResultEntry  to the consumer slapd as the search
          responses to the persistent synchronization search.

          If an error occurs during replication, the consumer will attempt
          to reconnect according to the retry parameter which is a list of
          the <retry interval> and <# of  retries>  pairs.   For  example,
          retry="60 10 300 3" lets the consumer retry every 60 seconds for
          the first 10 times and then retry every 300 seconds for the next
          3  times  before  stop retrying. The `+' in <# of retries> means
          indefinite number of retries until success.   If  no  retry  was
          specified, by default syncrepl retries every hour forever.

          The  schema  checking  can be enforced at the LDAP Sync consumer
          site by turning on the schemachecking parameter. The default  is
          off.  Schema checking on means that replicated entries must have
          a structural objectClass, must obey to objectClass  requirements
          in   terms  of  required/allowed  attributes,  and  that  naming
          attributes and distinguished  values  must  be  present.   As  a
          consequence,   schema   checking  should  be  off  when  partial
          replication is used.

          The network-timeout parameter sets how long  the  consumer  will
          wait  to  establish a network connection to the provider. Once a
          connection is established, the timeout parameter determines  how
          long  the  consumer  will  wait  for the initial Bind request to
          complete.  The  defaults  for   these   parameters   come   from
          ldap.conf(5).

          A   bindmethod   of  simple  requires  the  options  binddn  and
          credentials and should  only  be  used  when  adequate  security
          services  (e.g.  TLS  or  IPSEC) are in place.  REMEMBER: simple
          bind credentials must be in cleartext!   A  bindmethod  of  sasl
          requires  the  option  saslmech.  Depending on the mechanism, an
          authentication identity  and/or  credentials  can  be  specified
          using  authcid  and  credentials.   The authzid parameter may be
          used to specify an authorization  identity.   Specific  security
          properties  (as with the sasl-secprops keyword above) for a SASL
          bind can be set with the secprops option.  A  non  default  SASL
          realm  can  be set with the realm option.  The identity used for
          synchronization by the consumer should be allowed to receive  an
          unlimited  number  of  entries  in response to a search request.
          The provider, other than allow authentication  of  the  syncrepl
          identity,   should   grant   that  identity  appropriate  access
          privileges  to  the  data  that  is  being  replicated   (access
          directive),  and  appropriate time and size limits.  This can be
          accomplished  by  either  allowing   unlimited   sizelimit   and
          timelimit,  or by setting an appropriate limits statement in the
          consumer's configuration (see sizelimit and limits for details).

          The keepalive parameter sets the values  of  idle,  probes,  and
          interval  used  to  check whether a socket is alive; idle is the
          number of seconds a connection needs to remain idle  before  TCP
          starts sending keepalive probes; probes is the maximum number of
          keepalive probes TCP should send before dropping the connection;
          interval  is  interval  in  seconds between individual keepalive
          probes.  Only some systems support the  customization  of  these
          values;  the  keepalive  parameter  is  ignored  otherwise,  and
          system-wide settings are used.

          The starttls parameter specifies use of  the  StartTLS  extended
          operation  to  establish  a  TLS  session  before Binding to the
          provider. If the critical argument is supplied, the session will
          be aborted if the StartTLS request fails. Otherwise the syncrepl
          session continues without TLS. The tls_reqcert setting  defaults
          to  "demand"  and  the other TLS settings default to the same as
          the main slapd TLS settings.

          The suffixmassage parameter allows the consumer to pull  entries
          from  a  remote directory whose DN suffix differs from the local
          directory. The portion of the remote entries' DNs  that  matches
          the searchbase will be replaced with the suffixmassage DN.

          Rather  than  replicating  whole entries, the consumer can query
          logs of data modifications. This mode of operation  is  referred
          to  as  delta syncrepl. In addition to the above parameters, the
          logbase and logfilter parameters must be set  appropriately  for
          the log that will be used. The syncdata parameter must be set to
          either "accesslog" if the log conforms to the slapo-accesslog(5)
          log  format,  or "changelog" if the log conforms to the obsolete
          changelog format. If the syncdata parameter is omitted or set to
          "default" then the log parameters are ignored.

   updatedn <dn>
          This  option  is  only  applicable  in  a  slave  database.   It
          specifies  the  DN  permitted  to  update  (subject  to   access
          controls)  the  replica.  It is only needed in certain push-mode
          replication scenarios.  Generally, this DN  should  not  be  the
          same as the rootdn used at the master.

   updateref <url>
          Specify  the  referral  to  pass  back when slapd(8) is asked to
          modify a  replicated  local  database.   If  specified  multiple
          times, each url is provided.

DATABASE-SPECIFIC OPTIONS

   Each  database  may  allow  specific  configuration  options;  they are
   documented  separately  in  the  backends'  manual   pages.   See   the
   slapd.backends(5) manual page for an overview of available backends.

EXAMPLES

   Here is a short example of a configuration file:

          include   /etc/ldap/schema/core.schema
          pidfile   /var/run/slapd.pid

          # Subtypes of "name" (e.g. "cn" and "ou") with the
          # option ";x-hidden" can be searched for/compared,
          # but are not shown.  See slapd.access(5).
          attributeoptions x-hidden lang-
          access to attrs=name;x-hidden by * =cs

          # Protect passwords.  See slapd.access(5).
          access    to attrs=userPassword  by * auth
          # Read access to other attributes and entries.
          access    to *  by * read

          database  bdb
          suffix    "dc=our-domain,dc=com"
          # The database directory MUST exist prior to
          # running slapd AND should only be accessible
          # by the slapd/tools. Mode 0700 recommended.
          directory /var/lib/ldap
          # Indices to maintain
          index     objectClass  eq
          index     cn,sn,mail   pres,eq,approx,sub

          # We serve small clients that do not handle referrals,
          # so handle remote lookups on their behalf.
          database  ldap
          suffix    ""
          uri       ldap://ldap.some-server.com/
          lastmod   off

   "OpenLDAP Administrator's Guide" contains a longer annotated example of
   a configuration file.  The  original  /etc/ldap/slapd.conf  is  another
   example.

FILES

   /etc/ldap/slapd.conf
          default slapd configuration file

SEE ALSO

   ldap(3),      gnutls-cli(1),      slapd-config(5),     slapd.access(5),
   slapd.backends(5),   slapd.overlays(5),   slapd.plugin(5),    slapd(8),
   slapacl(8),    slapadd(8),    slapauth(8),    slapcat(8),    slapdn(8),
   slapindex(8), slappasswd(8), slaptest(8).

   "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

ACKNOWLEDGEMENTS

   OpenLDAP Software is developed and maintained by The  OpenLDAP  Project
   <http://www.openldap.org/>.    OpenLDAP   Software   is   derived  from
   University of Michigan LDAP 3.3 Release.





Opportunity


Personal Opportunity - Free software gives you access to billions of dollars of software at no cost. Use this software for your business, personal use or to develop a profitable skill. Access to source code provides access to a level of capabilities/information that companies protect though copyrights. Open source is a core component of the Internet and it is available to you. Leverage the billions of dollars in resources and capabilities to build a career, establish a business or change the world. The potential is endless for those who understand the opportunity.

Business Opportunity - Goldman Sachs, IBM and countless large corporations are leveraging open source to reduce costs, develop products and increase their bottom lines. Learn what these companies know about open source and how open source can give you the advantage.





Free Software


Free Software provides computer programs and capabilities at no cost but more importantly, it provides the freedom to run, edit, contribute to, and share the software. The importance of free software is a matter of access, not price. Software at no cost is a benefit but ownership rights to the software and source code is far more significant.


Free Office Software - The Libre Office suite provides top desktop productivity tools for free. This includes, a word processor, spreadsheet, presentation engine, drawing and flowcharting, database and math applications. Libre Office is available for Linux or Windows.





Free Books


The Free Books Library is a collection of thousands of the most popular public domain books in an online readable format. The collection includes great classical literature and more recent works where the U.S. copyright has expired. These books are yours to read and use without restrictions.


Source Code - Want to change a program or know how it works? Open Source provides the source code for its programs so that anyone can use, modify or learn how to write those programs themselves. Visit the GNU source code repositories to download the source.





Education


Study at Harvard, Stanford or MIT - Open edX provides free online courses from Harvard, MIT, Columbia, UC Berkeley and other top Universities. Hundreds of courses for almost all major subjects and course levels. Open edx also offers some paid courses and selected certifications.


Linux Manual Pages - A man or manual page is a form of software documentation found on Linux/Unix operating systems. Topics covered include computer programs (including library and system calls), formal standards and conventions, and even abstract concepts.