SLAPD.CONF(5)                 File Formats Manual                SLAPD.CONF(5)



NAME
       slapd.conf - configuration file for slapd, the stand-alone LDAP daemon

SYNOPSIS
       /etc/openldap/slapd.conf

DESCRIPTION
       The  file  /etc/openldap/slapd.conf  contains configuration information
       for the slapd(8) daemon.  This configuration file is also used  by  the
       slurpd(8)  replication  daemon and by the SLAPD tools slapadd(8), slap-
       cat(8), and slapindex(8).

       The slapd.conf file  consists  of  a  series  of  global  configuration
       options  that  apply to slapd as a whole (including all backends), fol-
       lowed by zero or more database backend definitions that contain  infor-
       mation specific to a backend instance.

       The general format of slapd.conf is as follows:

           # comment - these options apply to every database
           <global configuration options>
           # first database definition & configuration options
           database   <backend 1 type>
           <configuration options specific to backend 1>
           # subsequent database definitions & configuration options
           ...

       As  many  backend-specific sections as desired may be included.  Global
       options can be overridden in a backend (for options  that  appear  more
       than  once, the last appearance in the slapd.conf file is used).  Blank
       lines and comment lines beginning with a `#' character are ignored.  If
       a  line begins with white space, it is considered a continuation of the
       previous line.

       Arguments on configuration lines are separated by white  space.  If  an
       argument  contains white space, the argument should be enclosed in dou-
       ble quotes.  If an argument contains a double quote (`"')  or  a  back-
       slash  character (`\'), the character should be preceded by a backslash
       character.
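       The following Python reader is added here as an example; it is not
       part of OpenLDAP or of this manual page.  It applies the line rules
       above (blank and `#' lines ignored, leading white space continues the
       previous line, white-space separated arguments, double quotes and
       backslash escapes) and the section rules (global options first, then
       one section per database line, last appearance of an option wins, a
       database needs at least one suffix).  The configuration text inside it
       is constructed for the example; comparing directive names
       case-insensitively is an assumption of the example, not a statement of
       this page.

```python
from dataclasses import dataclass, field


@dataclass
class SlapdConfig:
    global_opts: list = field(default_factory=list)   # [(directive, [args]), ...]
    databases: list = field(default_factory=list)     # [{"type": str, "options": [...]}, ...]


def logical_lines(text):
    """Drop blank lines and '#' comment lines; a line that begins with
    white space is joined onto the previous logical line."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def split_args(line):
    """White space separates arguments, double quotes group white space into
    one argument, and a backslash escapes the next character ('"' or '\\')."""
    args, cur, quoted, escape, have = [], [], False, False, False
    for ch in line:
        if escape:
            cur.append(ch)
            escape, have = False, True
        elif ch == "\\":
            escape = True
        elif ch == '"':
            quoted, have = not quoted, True
        elif ch.isspace() and not quoted:
            if have:
                args.append("".join(cur))
                cur, have = [], False
        else:
            cur.append(ch)
            have = True
    if quoted or escape:
        raise ValueError(f"unterminated quote or escape in: {line!r}")
    if have:
        args.append("".join(cur))
    return args


def last_value(options, directive):
    """For options that may appear more than once, the last appearance wins."""
    value = None
    for name, args in options:
        if name == directive:
            value = args
    return value


def parse_slapd_conf(text):
    """Split directives into the global section and the database sections
    that follow each 'database <type>' line (directive names lower-cased:
    an assumption of this example)."""
    cfg = SlapdConfig()
    current = None                      # None while still in the global section
    for line in logical_lines(text):
        args = split_args(line)
        if not args:
            continue
        directive, values = args[0].lower(), args[1:]
        if directive == "database":
            if len(values) != 1:
                raise ValueError(f"database needs exactly one type: {line!r}")
            current = {"type": values[0], "options": []}
            cfg.databases.append(current)
            continue
        (cfg.global_opts if current is None else current["options"]).append((directive, values))
    for db in cfg.databases:            # database and at least one suffix are mandatory
        if last_value(db["options"], "suffix") is None:
            raise ValueError(f"database {db['type']} has no suffix")
    return cfg


def effective_option(cfg, db_index, directive):
    """A database section overrides the global value of the same option."""
    value = last_value(cfg.databases[db_index]["options"], directive)
    return value if value is not None else last_value(cfg.global_opts, directive)


# Constructed sample configuration (not taken from any real deployment).
SAMPLE_CONF = '''\
# global section
include        /etc/openldap/schema/core.schema
loglevel       256
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
rootDSE        "/etc/openldap/root dse.ldif"
sizelimit      500
sizelimit      200
readonly       off

database       bdb
suffix         "dc=example,dc=com"
rootdn         "cn=Manager,dc=example,dc=com"
readonly       on
'''

if __name__ == "__main__":
    cfg = parse_slapd_conf(SAMPLE_CONF)
    print(effective_option(cfg, 0, "readonly"), last_value(cfg.global_opts, "sizelimit"))
```

       When reviewing a configuration, the two rules that most often surprise
       are visible here: the global sizelimit that appears twice is reported
       by its last value (200), and readonly is off globally but on for the
       bdb database because the database section overrides the global value.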

       The specific configuration options available are discussed below in the
       Global  Configuration  Options,  General  Backend  Options, and General
       Database  Options.   Backend-specific  options  are  discussed  in  the
       slapd-<backend>(5) manual pages.  Refer to the "OpenLDAP Administrator's
       Guide" for more details on the slapd configuration file.

GLOBAL CONFIGURATION OPTIONS
       Options described in this section apply to all backends, unless specif-
       ically  overridden  in  a  backend definition. Arguments that should be
       replaced by actual text are shown in brackets <>.

       access to <what> [ by <who> <access> <control> ]+
              Grant access (specified by <access>) to a set of entries  and/or
              attributes  (specified  by  <what>)  by  one  or more requestors
              (specified by <who>).  See slapd.access(5) and  the  "OpenLDAP's
              Administrator's Guide" for details.

       allow <features>
              Specify a set of features (separated by white space) to allow
              (default none).  bind_v2 allows acceptance of LDAPv2 bind
              requests.  Note that slapd(8) does not truly implement LDAPv2
              (RFC 1777), now Historic (RFC 3494).  bind_anon_cred allows
              anonymous bind when credentials are not empty (e.g. when DN is
              empty).  bind_anon_dn allows unauthenticated (anonymous) bind
              when DN is not empty.  update_anon allows unauthenticated
              (anonymous) update operations to be processed (subject to access
              controls and other administrative limits).

       argsfile <filename>
              The  (  absolute  )  name  of  a  file  that will hold the slapd
              server's command line options if started without  the  debugging
              command line option.

       attributeoptions [option-name]...
              Define  tagging  attribute options or option tag/range prefixes.
              Options must not end with `-', prefixes must end with `-'.   The
              `lang-'  prefix  is predefined.  If you use the attributeoptions
              directive, `lang-' will no longer be defined and you must  spec-
              ify it explicitly if you want it defined.

              An  attribute  description with a tagging option is a subtype of
              that attribute description without the option.  Except for that,
              options  defined  this  way have no special semantics.  Prefixes
              defined this way work like the `lang-' options:  They  define  a
              prefix  for  tagging options starting with the prefix.  That is,
              if you define the prefix `x-foo-', you can use  the  option  `x-
              foo-bar'.   Furthermore,  in  a  search  or compare, a prefix or
              range name (with a trailing `-') matches  all  options  starting
              with  that  name, as well as the option with the range name sans
              the trailing `-'.  That is, `x-foo-bar-' matches `x-foo-bar' and
              `x-foo-bar-baz'.

              RFC2251 reserves options beginning with `x-' for private experi-
              ments.  Other  options  should  be  registered  with  IANA,  see
              RFC3383  section  3.4.   OpenLDAP  also  has the `binary' option
              built in, but this is a transfer option, not a tagging option.

       attributetype ( <oid> [NAME <name>] [OBSOLETE] [DESC <description>]
              [SUP <oid>] [EQUALITY <oid>] [ORDERING <oid>] [SUBSTR <oid>]
              [SYNTAX <oidlen>] [SINGLE-VALUE] [COLLECTIVE]
              [NO-USER-MODIFICATION] [USAGE <attributeUsage>] )
              Specify an attribute type using the LDAPv3 syntax defined in RFC
              2252.  The slapd parser  extends  the  RFC  2252  definition  by
              allowing string forms as well as numeric OIDs to be used for the
              attribute   OID   and   attribute   syntax   OID.    (See    the
              objectidentifier description.)

       concurrency <integer>
              Specify  a  desired  level  of  concurrency.   Provided  to  the
              underlying thread system as a  hint.   The  default  is  not  to
              provide any hint.

       conn_max_pending <integer>
              Specify  the maximum number of pending requests for an anonymous
              session.  If requests are submitted faster than the  server  can
              process them, they will be queued up to this limit. If the limit
              is exceeded, the session is closed. The default is 100.

       conn_max_pending_auth <integer>
              Specify  the  maximum  number  of  pending   requests   for   an
              authenticated session.  The default is 1000.

       defaultsearchbase <dn>
              Specify  a default search base to use when client submits a non-
              base search request with an empty base DN.

       disallow <features>
              Specify a set of features (separated by white space) to disallow
              (default none).  bind_anon disables acceptance of anonymous bind
              requests.  bind_simple disables  simple  (bind)  authentication.
              bind_krbv4   disables   Kerberos   V4   (bind)   authentication.
              tls_2_anon disables Start TLS from forcing session to  anonymous
              status  (see  also  tls_authc).   tls_authc disables StartTLS if
              authenticated (see also tls_2_anon).

       gentlehup { on | off }
              A SIGHUP signal will only  cause  a  'gentle'  shutdown-attempt:
              Slapd  will  stop  listening  for  new connections, but will not
              close the connections to  the  current  clients.   Future  write
              operations    return    unwilling-to-perform,   though.    Slapd
              terminates when all clients have closed  their  connections  (if
              they ever do), or - as before - if it receives a SIGTERM signal.
              This can be useful if you wish to terminate the server and start
              a new slapd server with another database, without disrupting the
              currently active clients.  The default is off.  You may wish  to
              use idletimeout along with this option.

       idletimeout <integer>
              Specify the number of seconds to wait before forcibly closing an
              idle client connection.  An idletimeout of 0 disables this
              feature.  The default is 0.

       include <filename>
              Read  additional  configuration  information from the given file
              before continuing with the next line of the current file.

       limits <who> <limit> [<limit> [...]]
              Specify  time  and  size  limits  based  on  who  initiated   an
              operation.  The argument who can be any of

                     anonymous | users | [dn[.<style>]=]<pattern>

              with

                     <style>  ::=  exact  |  base | one | subtree | children |
                     regex | anonymous

              Anonymous is hit  when  a  search  is  performed  without  prior
              binding;   users  is  hit  when  a  search  is  performed  by  a
              successfully bound user; otherwise a regex dn pattern is assumed
              unless  otherwise  specified  by  qualifying  the (optional) key
              string dn with exact or base (which are synonyms), to require an
              exact  match;  with  one,  to require exactly one level of depth
              match;  with  subtree,  to  allow  any  level  of  depth  match,
              including  the exact match; with children, to allow any level of
              depth match, not including the  exact  match;  regex  explicitly
              requires   the  (default)  match  based  on  regular  expression
              pattern, as detailed in regex(7).   Finally,  anonymous  matches
              unbound  operations;  the  pattern  field  is ignored.  The same
              behavior is obtained by using the  anonymous  form  of  the  who
              clause.

              The currently supported limits are size and time.

              The syntax for time limits is time[.{soft|hard}]=<integer>,
              where integer is the number of seconds slapd will spend
              answering a search request.  If no time limit is explicitly
              requested by the client, the soft limit is used; if the
              requested time limit exceeds the hard limit, an "Administrative
              limit exceeded" is returned.  If the hard limit is set to  0  or
              to the keyword "soft", the soft limit is used in either case; if
              it is set to -1 or to the  keyword  "none",  no  hard  limit  is
              enforced.  Explicit requests for time limits smaller or equal to
              the hard limit are honored.  If no flag is  set,  the  value  is
              assigned  to  the soft limit, and the hard limit is set to zero,
              to preserve the original behavior.

              The syntax for size limits is
              size[.{soft|hard|unchecked}]=<integer>, where integer is the
              maximum number of entries slapd will return answering a search
              request.  If no size limit is explicitly requested by the
              client, the soft limit is used; if the requested size limit
              exceeds the hard limit, an "Administrative limit exceeded" is
              returned.  If the hard limit is set  to  0  or  to  the  keyword
              "soft",  the  soft limit is used in either case; if it is set to
              -1 or  to  the  keyword  "none",  no  hard  limit  is  enforced.
              Explicit  requests  for size limits smaller or equal to the hard
              limit are honored.  The unchecked  flag  sets  a  limit  on  the
              number of candidates a search request is allowed to examine.  If
              the selected candidates exceed the unchecked limit,  the  search
              will  abort  with "Unwilling to perform".  If it is set to -1 or
              to the keyword "none", no limit is applied (the default).  If no
              flag  is  set,  the value is assigned to the soft limit, and the
              hard limit is set to zero, to preserve the original behavior.

              In case of no match, the global limits are  used.   The  default
              values  are the same of sizelimit and timelimit; no limit is set
              on unchecked.
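       The soft/hard/unchecked rules and the who-selection rules above are
       easy to misread, so the following Python model is added here as an
       example (it is not OpenLDAP code and this page does not describe its
       internals).  build_limits applies the arguments of one limits line,
       effective_limit decides what a client request ends up with, and
       select_limits picks the first matching limits line for a bind DN.  The
       DN comparison splits on commas without normalisation or escaping, and
       a client request of "no limit" is modelled as None; both are
       simplifications of this example.  The rules at the bottom are
       constructed.

```python
import re


class LimitError(Exception):
    """Carries the message slapd would return to the client."""


def parse_limit(spec):
    """Parse 'time[.{soft|hard}]=<n>' or 'size[.{soft|hard|unchecked}]=<n>'
    into (kind, flag, value); the keywords 'soft' and 'none' stay strings."""
    lhs, sep, rhs = spec.partition("=")
    if not sep:
        raise ValueError(f"missing '=' in limit {spec!r}")
    kind, _, flag = lhs.partition(".")
    allowed = {"time": ("", "soft", "hard"), "size": ("", "soft", "hard", "unchecked")}
    if kind not in allowed or flag not in allowed[kind]:
        raise ValueError(f"unknown limit {spec!r}")
    value = rhs if rhs in ("soft", "none") else int(rhs)
    return kind, flag, value


def build_limits(specs, size_default=500, time_default=3600):
    """Apply the arguments of one 'limits' line.  A value with no flag goes
    to the soft limit and resets the hard limit to 0; an unset soft limit
    falls back to the global sizelimit/timelimit defaults."""
    limits = {"size": {"soft": size_default, "hard": 0, "unchecked": -1},
              "time": {"soft": time_default, "hard": 0}}
    for spec in specs:
        kind, flag, value = parse_limit(spec)
        if flag == "":
            limits[kind]["soft"], limits[kind]["hard"] = value, 0
        else:
            limits[kind][flag] = value
    return limits


def effective_limit(requested, limit):
    """Limit enforced for one request; 'requested' is None when the client
    asked for none.  A result of -1 means unlimited."""
    soft, hard = limit["soft"], limit["hard"]
    if hard in (0, "soft"):          # hard limit disabled: soft applies either way
        return soft
    if requested is None:
        return soft
    if hard in (-1, "none"):         # no hard limit: honour the client's request
        return requested
    if requested > hard:
        raise LimitError("Administrative limit exceeded")
    return requested


def check_candidates(n_candidates, limit):
    """Abort the search when more candidates than 'unchecked' allows."""
    unchecked = limit.get("unchecked", -1)
    if unchecked not in (-1, "none") and n_candidates > unchecked:
        raise LimitError("Unwilling to perform")
    return n_candidates


def dn_matches(style, pattern, dn):
    """Naive RDN-by-RDN comparison (no DN normalisation; example assumption)."""
    if style in ("exact", "base"):
        return dn == pattern
    if style == "one":
        head, _, rest = dn.partition(",")
        return bool(head) and rest == pattern
    if style == "subtree":
        return dn == pattern or dn.endswith("," + pattern)
    if style == "children":
        return dn != pattern and dn.endswith("," + pattern)
    if style == "regex":
        return re.search(pattern, dn) is not None
    raise ValueError(f"unknown style {style!r}")


def select_limits(rules, bind_dn):
    """rules: [(who, limits)] in file order, first match wins; bind_dn is
    None for an unbound operation.  None result means the global limits."""
    for who, limits in rules:
        if who == "anonymous" or who.startswith("dn.anonymous="):
            if bind_dn is None:
                return limits
            continue
        if bind_dn is None:
            continue
        if who == "users":
            return limits
        if who.startswith("dn=") or who.startswith("dn."):
            key, _, pattern = who.partition("=")
            style = key.partition(".")[2] or "regex"
        else:
            style, pattern = "regex", who     # bare pattern is a regex
        if dn_matches(style, pattern, bind_dn):
            return limits
    return None


# Constructed rules, as they would appear on three 'limits' lines.
RULES = [
    ("anonymous", build_limits(["size=10", "time=5"])),
    ("dn.subtree=ou=people,dc=example,dc=com",
     build_limits(["size.soft=100", "size.hard=500", "size.unchecked=1000"])),
    ("users", build_limits(["size=200", "time.hard=none"])),
]
```

       The case worth checking in a review is the unflagged value: a line
       that says only size=200 also sets the hard limit to 0, which means the
       soft limit applies no matter what the client asks for, so a client
       cannot raise its own limit by requesting a larger one.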

       loglevel <integer>
              Specify the level at which debugging  statements  and  operation
              statistics   should   be  syslogged  (currently  logged  to  the
              syslogd(8) LOG_LOCAL4 facility).  Log levels are  additive,  and
              available levels are:
                     1      trace function calls
                     2      debug packet handling
                     4      heavy trace debugging
                     8      connection management
                     16     print out packets sent and received
                     32     search filter processing
                     64     configuration file processing
                     128    access control list processing
                     256    stats log connections/operations/results
                     512    stats log entries sent
                     1024   print communication with shell backends
                     2048   entry parsing

       moduleload <filename>
              Specify  the  name of a dynamically loadable module to load. The
              filename may be an absolute path name or a simple filename. Non-
              absolute  names are searched for in the directories specified by
              the modulepath option. This option and the modulepath option are
              only usable if slapd was compiled with --enable-modules.

       modulepath <pathspec>
              Specify  a  list  of directories to search for loadable modules.
              Typically the path is colon-separated but this  depends  on  the
              operating system.

       objectclass ( <oid> [NAME <name>] [DESC <description>] [OBSOLETE] [SUP
              <oids>] [{ ABSTRACT | STRUCTURAL | AUXILIARY }] [MUST <oids>]
              [MAY <oids>] )
              Specify  an  objectclass  using the LDAPv3 syntax defined in RFC
              2252.  The slapd parser  extends  the  RFC  2252  definition  by
              allowing string forms as well as numeric OIDs to be used for the
              object  class  OID.   (See  the  objectidentifier  description.)
              Object classes are "STRUCTURAL" by default.

       objectidentifier <name> { <oid> | <name>[:<suffix>] }
              Define  a  string name that equates to the given OID. The string
              can be used in place of  the  numeric  OID  in  objectclass  and
              attribute  definitions.  The name can also be used with a suffix
              of the form ":xx" in which case the value "oid.xx" will be used.

       password-hash <hash>
              This option sets the hash to  be  used  in  generation  of  user
              passwords,  stored  in  userPassword,  during processing of LDAP
              Password Modify Extended Operations (RFC 3052).  The <hash> must
              be   one   of   {SSHA},   {SHA},  {SMD5},  {MD5},  {CRYPT},  and
              {CLEARTEXT}.  The default is {SSHA}.

              {SHA} and {SSHA} use  the  SHA-1  algorithm  (FIPS  160-1),  the
              latter with a seed.

              {MD5}  and  {SMD5}  use the MD5 algorithm (RFC 1321), the latter
              with a seed.

              {CRYPT} uses the crypt(3).

              {CLEARTEXT} indicates that the new password should be  added  to
              userPassword as clear text.

              Note   that   this   option  does  not  alter  the  normal  user
              applications handling of userPassword during LDAP  Add,  Modify,
              or other LDAP operations.

       password-crypt-salt-format <format>
              Specify   the  format  of  the  salt  passed  to  crypt(3)  when
              generating  {CRYPT}   passwords   (see   password-hash)   during
              processing  of  LDAP  Password  Modify  Extended Operations (RFC
              3062).

              This string needs to be in sprintf(3) format and may include one
              (and   only   one)  %s  conversion.   This  conversion  will  be
              substituted with a string of random characters from [A-Za-z0-9./].
              For  example, "%.2s" provides a two character salt and "$1$%.8s"
              tells some versions of crypt(3) to  use  an  MD5  algorithm  and
              provides  8  random  characters  of  salt.  The default is "%s",
              which provides 31 characters of salt.
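       The following Python block is added as an example for both the
       password-hash schemes and the password-crypt-salt-format rules above;
       it is not OpenLDAP code.  hash_password produces a userPassword value
       in a given scheme and verify_password checks a candidate against it.
       For the seeded schemes ({SSHA}, {SMD5}) the stored value is
       base64(digest(password + salt) + salt), the conventional layout that
       lets a verifier recover the salt from the tail of the decoded value;
       the 4-byte salt length is this example's choice.  crypt_salt expands a
       salt format string with the one-%s rule, but {CRYPT} itself is not
       computed here.

```python
import base64
import hashlib
import hmac
import re
import secrets

# scheme -> (digest algorithm, seeded?)
SCHEMES = {"{SSHA}": ("sha1", True), "{SHA}": ("sha1", False),
           "{SMD5}": ("md5", True), "{MD5}": ("md5", False)}
SALT_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./"


def hash_password(password, scheme="{SSHA}", salt=None):
    """Produce a userPassword value.  Seeded schemes append a random salt
    (4 bytes here, an example choice) to the password before hashing and
    store the salt after the digest so it can be recovered for verification."""
    pw = password.encode("utf-8")
    if scheme == "{CLEARTEXT}":
        return password                   # stored as clear text, no prefix
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme!r}")
    algo, seeded = SCHEMES[scheme]
    if seeded:
        salt = secrets.token_bytes(4) if salt is None else salt
    else:
        salt = b""
    digest = hashlib.new(algo, pw + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def verify_password(stored, password):
    """Check a candidate password against a stored value.  The salt is
    whatever follows the digest in the decoded blob; comparison is
    constant-time.  A value with no recognised prefix is treated as
    {CLEARTEXT}."""
    pw = password.encode("utf-8")
    for scheme, (algo, _) in SCHEMES.items():
        if stored.startswith(scheme):
            blob = base64.b64decode(stored[len(scheme):])
            size = hashlib.new(algo).digest_size
            digest, salt = blob[:size], blob[size:]
            return hmac.compare_digest(hashlib.new(algo, pw + salt).digest(), digest)
    return hmac.compare_digest(stored.encode("utf-8"), pw)


def crypt_salt(fmt):
    """Expand a password-crypt-salt-format string: exactly one %s conversion,
    optionally with a precision such as %.8s, is filled with characters
    from [A-Za-z0-9./]; a bare %s yields 31 characters."""
    if len(re.findall(r"%(?:\.\d+)?s", fmt)) != 1 or fmt.count("%") != 1:
        raise ValueError(f"format must contain exactly one %s conversion: {fmt!r}")
    random_part = "".join(secrets.choice(SALT_CHARS) for _ in range(31))
    return fmt % random_part              # %.Ns truncates to N characters


if __name__ == "__main__":
    stored = hash_password("secret")
    print(stored, verify_password(stored, "secret"), crypt_salt("$1$%.8s"))
```

       The seeded schemes are the ones to prefer among those the page lists:
       two users with the same password get different {SSHA} values, while
       {SHA} and {MD5} map equal passwords to equal stored values, and
       {CLEARTEXT} stores the password itself.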

       pidfile <filename>
              The ( absolute ) name  of  a  file  that  will  hold  the  slapd
              server's  process  ID  (  see getpid(2) ) if started without the
              debugging command line option.

       referral <url>
              Specify the referral to pass back when slapd(8)  cannot  find  a
              local  database  to  handle  a  request.   If specified multiple
              times, each url is provided.

       require <conditions>
              Specify a set of conditions (separated by white space) to
              require (default none).  The directive may be specified globally
              and/or per-database.  bind requires a bind operation prior to
              directory operations.  LDAPv3 requires the session to be using
              LDAP version 3.  authc requires authentication prior to
              directory operations.  SASL requires SASL authentication prior
              to directory operations.  strong requires strong authentication
              prior to directory operations.  The strong keyword allows
              protected "simple" authentication as well as SASL
              authentication.  none may be used to require no conditions
              (useful for clearing globally set conditions within a particular
              database).

       reverse-lookup on | off
              Enable/disable client name unverified reverse lookup (default is
              off if compiled with --enable-rlookups).

       rootDSE <file>
              Specify the name of an  LDIF(5)  file  containing  user  defined
              attributes  for  the root DSE.  These attributes are returned in
              addition to the attributes normally produced by slapd.

       sasl-authz-policy <policy>
              Used to specify which rules to use for SASL Proxy Authorization.
              Proxy  authorization  allows  a  client  to  authenticate to the
              server using one user's credentials,  but  specify  a  different
              identity  to  use for authorization and access control purposes.
              It essentially allows user A to login as user B, using user  A's
              password.   The  none flag disables proxy authorization. This is
              the default setting.  The  from  flag  will  use  rules  in  the
              saslAuthzFrom  attribute  of  the authorization DN.  The to flag
              will  use  rules   in   the   saslAuthzTo   attribute   of   the
              authentication  DN.  The both flag will allow both of the above.
              The rules are simply regular expressions  specifying  which  DNs
              are  allowed  to  perform proxy authorization. The saslAuthzFrom
              attribute in an entry specifies which other users are allowed to
              proxy login to this entry. The saslAuthzTo attribute in an entry
              specifies which other users this user can authorize as.  Use  of
              saslAuthzTo  rules  can be easily abused if users are allowed to
              write arbitrary  values  to  this  attribute.   In  general  the
              saslAuthzTo attribute must be protected with ACLs such that only
              privileged users can modify it.

       sasl-host <fqdn>
              Used to specify the fully qualified domain name  used  for  SASL
              processing.

       sasl-realm <realm>
              Specify SASL realm.  Default is empty.

       sasl-regexp <match> <replace>
              Used  by  the  SASL  authorization  mechanism  to convert a SASL
              authenticated username to an  LDAP  DN.  When  an  authorization
              request is received, the SASL USERNAME, REALM, and MECHANISM are
              taken, when available, and combined into a SASL name of the form

                      uid=<username>[,cn=<realm>],cn=<mechanism>,cn=auth

              This SASL name  is  then  compared  against  the  match  regular
              expression,  and  if  the  match is successful, the SASL name is
              replaced with the replace string. If there are wildcard  strings
              in   the   match   regular   expression  that  are  enclosed  in
              parenthesis, e.g.

                            uid=(.*),cn=.*

              then the portion of the SASL name that matched the wildcard will
              be  stored in the numbered placeholder variable $1. If there are
              other wildcard strings in parenthesis, the matching strings will
              be  in  $2, $3, etc. up to $9. The placeholders can then be used
              in the replace string, e.g.

                            cn=$1,ou=Accounts,dc=$2,dc=$4.

              The replaced SASL name can be either a DN or an LDAP URI. If the
              latter,  the  slapd  server  will  use the URI to search its own
              database, and if the search returns exactly one entry, the  SASL
              name  is replaced by the DN of that entry.  Multiple sasl-regexp
              options can be given in the  configuration  file  to  allow  for
              multiple   matching   and  replacement  patterns.  The  matching
              patterns are checked in the  order  they  appear  in  the  file,
              stopping at the first successful match.
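       The mapping described above, written out in Python as an added
       example (not OpenLDAP's implementation): sasl_name builds the SASL
       name from username, realm and mechanism, and map_sasl_name walks the
       (match, replace) rules in file order, stops at the first match and
       fills in $1..$9 from the capture groups.  Python's re module stands in
       for the POSIX regex library slapd uses; the rules and identity values
       below are constructed.  The block also shows why the page's
       `uid=(.*),cn=.*' pattern deserves care: with a mechanism component
       present, the greedy capture swallows `,cn=DIGEST-MD5' and that text
       ends up inside the mapped DN, whereas `[^,]*' limits the capture to a
       single RDN value.

```python
import re


def sasl_name(username, realm=None, mechanism="DIGEST-MD5"):
    """uid=<username>[,cn=<realm>],cn=<mechanism>,cn=auth"""
    parts = [f"uid={username}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mechanism}", "cn=auth"]
    return ",".join(parts)


def expand_placeholders(replace, m):
    """Substitute $1..$9 in the replace string with the matched groups;
    a placeholder with no corresponding group is a configuration error."""
    def group(ph):
        n = int(ph.group(1))
        if n > m.re.groups:
            raise ValueError(f"${n} has no capture group in {m.re.pattern!r}")
        return m.group(n) or ""
    return re.sub(r"\$([1-9])", group, replace)


def map_sasl_name(name, rules):
    """Apply (match, replace) rules in file order; the first match wins.
    The result is a DN or an LDAP URI (returned as a string here; slapd
    would run the URI search itself).  No match leaves the name unchanged."""
    for pattern, replace in rules:
        m = re.search(pattern, name)
        if m:
            return expand_placeholders(replace, m)
    return name


# Constructed rules, in the order they would appear in slapd.conf.
RULES = [
    # realm-qualified names: one OU per realm under ou=Accounts
    (r"^uid=([^,]*),cn=([^,]*),cn=[^,]*,cn=auth$",
     "cn=$1,ou=$2,ou=Accounts,dc=example,dc=com"),
    # no realm: look the account up by uid (an LDAP URI result)
    (r"^uid=([^,]*),cn=[^,]*,cn=auth$",
     "ldap:///ou=Accounts,dc=example,dc=com??sub?(uid=$1)"),
]

# The page's example pattern: greedy '(.*)' also captures ',cn=<mechanism>'.
GREEDY_RULE = [(r"uid=(.*),cn=.*", "cn=$1,ou=Accounts,dc=example,dc=com")]

if __name__ == "__main__":
    for n in (sasl_name("jsmith"), sasl_name("jsmith", "example.com")):
        print(n, "->", map_sasl_name(n, RULES), "| greedy:", map_sasl_name(n, GREEDY_RULE))
```

       Because the mapped value becomes the identity used for access
       control, the pattern should match exactly one RDN per component and be
       anchored; otherwise a username containing a comma or an unexpected
       mechanism changes which DN the session is authorized as.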


       sasl-secprops <properties>
              Used to specify Cyrus SASL security properties.  The none flag
              (without any other properties) causes the default flag
              properties, "noanonymous,noplain", to be cleared.  The noplain
              flag disables mechanisms susceptible to simple passive attacks.
              The noactive flag disables mechanisms susceptible to active
              attacks.  The nodict flag disables mechanisms susceptible to
              passive dictionary attacks.  The noanonymous flag disables
              mechanisms which support anonymous login.  The forwardsec flag
              requires forward secrecy between sessions.  The passcred flag
              requires mechanisms which pass client credentials (and allows
              mechanisms which can pass credentials to do so).  The
              minssf=<factor> property specifies the minimum acceptable
              security strength factor as an integer approximate to the
              effective key length used for encryption.  0 (zero) implies no
              protection, 1 implies integrity protection only, 56 allows DES
              or other weak ciphers, 112 allows triple DES and other strong
              ciphers, 128 allows RC4, Blowfish and other modern strong
              ciphers.  The default is 0.  The maxssf=<factor> property
              specifies the maximum acceptable security strength factor as an
              integer (see minssf description).  The default is INT_MAX.  The
              maxbufsize=<size> property specifies the maximum security layer
              receive buffer size allowed.  0 disables security layers.  The
              default is 65536.

       schemadn <dn>
              Specify the distinguished name for the subschema  subentry  that
              controls   the   entries   on   this  server.   The  default  is
              "cn=Subschema".

       security <factors>
              Specify a set of factors (separated by white space) to require.
              An integer value is associated with each factor and is roughly
              equivalent to the encryption key length to require.  A value of
              112 is equivalent to 3DES, 128 to Blowfish, etc.  The directive
              may be specified globally and/or per-database.  ssf=<n>
              specifies the overall security strength factor.  transport=<n>
              specifies the transport security strength factor.  tls=<n>
              specifies the TLS security strength factor.  sasl=<n> specifies
              the SASL security strength factor.  update_ssf=<n> specifies the
              overall security strength factor to require for directory
              updates.  update_transport=<n> specifies the transport security
              strength factor to require for directory updates.
              update_tls=<n> specifies the TLS security strength factor to
              require for directory updates.  update_sasl=<n> specifies the
              SASL security strength factor to require for directory updates.
              simple_bind=<n> specifies the security strength factor required
              for simple username/password authentication.  Note that the
              transport factor is a measure of the security provided by the
              underlying transport, e.g. ldapi:// (and eventually IPSEC).  It
              is not normally used.

       sizelimit {<integer>|unlimited}

       sizelimit size[.{soft|hard|unchecked}]=<integer> [...]
              Specify  the  maximum  number of entries to return from a search
              operation.  The default size limit is 500.  Use -1 or  unlimited
              to  specify  no  limits.   The second format allows a fine grain
              setting of the size limits.  Extra args can be added on the same
              line.  See limits for an explanation of the different flags.

       sockbuf_max_incoming <integer>
              Specify  the  maximum  incoming  LDAP  PDU  size  for  anonymous
              sessions.  The default is 262143.

       sockbuf_max_incoming_auth <integer>
              Specify the maximum incoming LDAP  PDU  size  for  authenticated
              sessions.  The default is 4194303.

       srvtab <filename>
              Specify the srvtab file in which the kerberos keys necessary for
              authenticating clients using kerberos can be found. This  option
              is only meaningful if you are using Kerberos authentication.

       threads <integer>
              Specify  the  maximum  size  of  the  primary  thread pool.  The
              default is 16.

       timelimit {<integer>|unlimited}

       timelimit time[.{soft|hard}]=<integer> [...]
              Specify the maximum number of seconds (in real time) slapd  will
              spend  answering  a  search  request.  The default time limit is
              3600.  Use -1 or unlimited to specify  no  limits.   The  second
              format  allows  a  fine grain setting of the time limits.  Extra
              args can  be  added  on  the  same  line.   See  limits  for  an
              explanation of the different flags.

       ucdata-path <path>
              Specify  the  path  to  the  directory  containing  the  Unicode
              character tables. The default path is /var/db/openldap/ucdata.

TLS OPTIONS
       If slapd is built with support for Transport Layer Security, there  are
       more options you can specify.

       TLSCipherSuite <cipher-suite-spec>
              Permits  configuring  what  ciphers  will  be  accepted  and the
              preference  order.   <cipher-suite-spec>  should  be  a   cipher
              specification for OpenSSL.  Example:

              TLSCipherSuite HIGH:MEDIUM:+SSLv2

              To check what ciphers a given spec selects, use:

              openssl ciphers -v <cipher-suite-spec>

       TLSCACertificateFile <filename>
              Specifies  the  file  that  contains certificates for all of the
              Certificate Authorities that slapd will recognize.

       TLSCACertificatePath <path>
              Specifies the path of  a  directory  that  contains  Certificate
              Authority  certificates  in  separate  individual files. Usually
              only one of this or the TLSCACertificateFile is used.

       TLSCertificateFile <filename>
              Specifies the file that contains the slapd server certificate.

       TLSCertificateKeyFile <filename>
              Specifies the file that contains the slapd  server  private  key
              that  matches  the  certificate stored in the TLSCertificateFile
              file.  Currently, the private key must not be protected  with  a
              password,  so  it is of critical importance that it is protected
              carefully.

       TLSRandFile <filename>
              Specifies  the  file   to   obtain   random   bits   from   when
              /dev/[u]random  is  not available.  Generally set to the name of
              the EGD/PRNGD socket.  The  environment  variable  RANDFILE  can
              also be used to specify the filename.

       TLSVerifyClient <level>
              Specifies what checks to perform on client certificates in an
              incoming TLS session, if any.  The <level> can be specified as
              one of the following keywords:

              never  This is the default.  slapd will not ask the client for a
                     certificate.

              allow  The client certificate is requested.  If  no  certificate
                     is  provided,  the  session  proceeds normally.  If a bad
                     certificate is provided,  it  will  be  ignored  and  the
                     session proceeds normally.

              try    The  client  certificate is requested.  If no certificate
                     is provided, the session proceeds  normally.   If  a  bad
                     certificate  is  provided,  the  session  is  immediately
                     terminated.

              demand | hard | true
                     These keywords  are  all  equivalent,  for  compatibility
                     reasons.   The  client  certificate  is requested.  If no
                     certificate  is  provided,  or  a  bad   certificate   is
                     provided, the session is immediately terminated.

                     Note that a valid client certificate is required in order
                     to use the SASL EXTERNAL authentication mechanism with  a
                     TLS  session.   As  such,  a  non-default TLSVerifyClient
                     setting  must  be  chosen   to   enable   SASL   EXTERNAL
                     authentication.

GENERAL BACKEND OPTIONS
       Options  in  this  section only apply to the configuration file section
       for the specified  backend.   They  are  supported  by  every  type  of
       backend.

       backend <databasetype>
              Mark  the  beginning  of  a  backend  definition. <databasetype>
              should be one of bdb, dnssrv, ldap, ldbm, meta,  monitor,  null,
              passwd,  perl,  shell,  sql,  or tcl, depending on which backend
              will serve the database.


GENERAL DATABASE OPTIONS
       Options in this section only apply to the  configuration  file  section
       for  the  database  in  which  they are defined.  They are supported by
       every type of backend.  Note that the database and at least one  suffix
       option are mandatory for each database.

       database <databasetype>
              Mark  the  beginning  of  a  new  database  instance definition.
              <databasetype> should be one of bdb, dnssrv, ldap,  ldbm,  meta,
              monitor,  null,  passwd,  perl, shell, sql, or tcl, depending on
              which backend will serve the database.

       lastmod on | off
              Controls  whether  slapd   will   automatically   maintain   the
              modifiersName,      modifyTimestamp,      creatorsName,      and
              createTimestamp attributes for entries.  By default, lastmod  is
              on.

       maxderefdepth <depth>
              Specifies  the  maximum  number  of  aliases to dereference when
              trying to resolve an entry, used to avoid infinite alias  loops.
              The default is 1.

       readonly on | off
              This  option  puts  the  database  into  "read-only"  mode.  Any
              attempts to modify the database will  return  an  "unwilling  to
              perform" error.  By default, readonly is off.

       replica host=<hostname>[:port] [tls=yes|critical] [suffix=<suffix> [...]]
              bindmethod=simple|sasl [binddn=<simple DN>]
              [credentials=<simple password>] [saslmech=<SASL mech>]
              [secprops=<properties>] [realm=<realm>]
              [authcId=<authentication ID>] [authzId=<authorization ID>]
              [attr[!]=<attr list>]
              Specify  a  replication  site  for  this database.  Refer to the
              "OpenLDAP Administrator's Guide"  for  detailed  information  on
              setting  up  a  replicated slapd directory service. Zero or more
              suffix instances can be used to select the subtrees that will be
              replicated  (defaults  to  all  the  database).  A bindmethod of
              simple requires the options binddn and  credentials  and  should
              only be used when adequate security services (e.g. TLS or IPsec)
              are in place. A bindmethod of sasl requires the option saslmech.
              Specific  security properties (as with the sasl-secprops keyword
              above) for a SASL bind can be set with the  secprops  option.  A
              non-default SASL realm can be set with the realm option.  If the
              mechanism will use Kerberos, a kerberos instance should be given
              in authcId.  An attr list can be given after the attr keyword to
              allow the selective replication of the listed  attributes  only;
              if  the  optional  !   mark  is  used,  the  list  is considered
              exclusive, i.e. the listed attributes are not replicated.  If an
              objectClass  is listed, all the related attributes are (are not)
              replicated.

       replogfile <filename>
              Specify the name of the replication log file to log changes  to.
              The replication log is typically written by slapd(8) and read by
              slurpd(8).   See  slapd.replog(5)  for  more  information.   The
              specified  file  should  be  located in a directory with limited
              read/write/execute access as the replication  logs  may  contain
              sensitive information.

       rootdn <dn>
              Specify  the  distinguished  name  that is not subject to access
              control or administrative limit restrictions for  operations  on
              this  database.   This  DN  may or may not be associated with an
              entry.  An empty root DN (the default) specifies no root  access
              is  to  be  granted.   It is recommended that the rootdn only be
              specified when needed  (such  as  when  initially  populating  a
              database).   If the rootdn is within a namingContext (suffix) of
              the database, a simple bind password may also be provided  using
              the rootpw directive.

       rootpw <password>
              Specify  a  password  (or  hash of the password) for the rootdn.
              The password can only  be  set  if  the  rootdn  is  within  the
              namingContext (suffix) of the database.  This option accepts all
              RFC 2307 userPassword formats known to  the  server  (see  the
              password-hash description) as well as cleartext.  slappasswd(8)
              may be used to generate a hash of a password.   Cleartext  and
              {CRYPT} passwords are not recommended.  If empty (the default),
              authentication of the root DN is by  other  means  (e.g.  SASL).
              Use of SASL is encouraged.
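              The following is an added illustration, not code from this manual
              page or from OpenLDAP: it builds and verifies the {SSHA} and {SHA}
              forms that rootpw accepts, and flags the cleartext and {CRYPT}
              forms the text above discourages.  The {SSHA} layout is the one
              slappasswd(8) emits by default, base64(SHA1(password || salt) ||
              salt); the function and warning names are this example's own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added illustration code, not slappasswd(8) or OpenLDAP itself.  It builds
# and verifies the RFC 2307 forms this page says rootpw accepts.  The {SSHA}
# layout is the one slappasswd emits by default:
#     "{SSHA}" + base64( SHA1(password || salt) || salt )


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1, the form to prefer for rootpw; salt defaults to 4 random bytes."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_sha(password: str) -> str:
    """Unsalted {SHA}: accepted, but equal passwords hash alike, so prefer {SSHA}."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def _split_scheme(stored: str):
    """Return (SCHEME, body); scheme is "" for a cleartext value."""
    if stored.startswith("{") and "}" in stored:
        cut = stored.index("}") + 1
        return stored[:cut].upper(), stored[cut:]
    return "", stored


def check_password(stored: str, candidate: str) -> bool:
    """Verify a bind password against a stored rootpw value.

    Handles {SSHA}, {SHA} and cleartext (no scheme prefix).  Any other
    scheme, including {CRYPT}, is treated as a failure here: this verifier
    fails closed rather than guessing at a scheme it does not implement.
    """
    cand = candidate.encode("utf-8")
    scheme, body = _split_scheme(stored)
    if scheme == "{SSHA}":
        raw = base64.b64decode(body)
        digest, salt = raw[:20], raw[20:]      # SHA-1 digest is 20 bytes, salt follows
        return hmac.compare_digest(digest, hashlib.sha1(cand + salt).digest())
    if scheme == "{SHA}":
        return hmac.compare_digest(base64.b64decode(body), hashlib.sha1(cand).digest())
    if scheme:
        return False
    return hmac.compare_digest(body.encode("utf-8"), cand)   # cleartext rootpw


def rootpw_warning(stored: str) -> Optional[str]:
    """Return why slapd.conf(5) discourages this rootpw value, or None."""
    scheme, _ = _split_scheme(stored)
    if not scheme:
        return "cleartext: anyone who can read slapd.conf has the root password"
    if scheme == "{CRYPT}":
        return "{CRYPT}: crypt(3) hashes are weak; use {SSHA} from slappasswd(8)"
    return None


if __name__ == "__main__":
    h = make_ssha("s3cret")
    print(h, check_password(h, "s3cret"), rootpw_warning(h))
```

              The salt is stored after the digest inside the base64 body, so a
              verifier needs no separate salt field; comparisons use
              hmac.compare_digest to avoid leaking timing information.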

       suffix <dn suffix>
              Specify  the  DN  suffix  of queries that will be passed to this
              backend database.  Multiple suffix lines can  be  given  and  at
              least  one  is  required  for  each database definition.  If the
              suffix of one database is "inside" that of another, the database
              with the inner suffix must come first in the configuration file.

       subordinate
              Specify  that  the  current backend database is a subordinate of
              another backend database. A subordinate database may  have  only
              one  suffix.  This option may be used to glue multiple databases
              into a single namingContext.   If  the  suffix  of  the  current
              database  is  within  the  namingContext of a superior database,
              searches against the superior database will be propagated to the
              subordinate  as  well.  All  of  the databases associated with a
              single namingContext should have identical rootdns.  Behavior of
              other   LDAP  operations  is  unaffected  by  this  setting.  In
              particular, it is not possible to use moddn  to  move  an  entry
              from   one   subordinate   to  another  subordinate  within  the
              namingContext.

       updatedn <dn>
              This option is only applicable in a slave slapd.   It  specifies
              the  DN  allowed to make changes to the replica (typically, this
              is the  DN  slurpd(8)  binds  as  when  making  changes  to  the
              replica).

       updateref <url>
              Specify  the  referral  to  pass  back when slapd(8) is asked to
              modify a  replicated  local  database.   If  specified  multiple
              times, each url is provided.

DATABASE-SPECIFIC OPTIONS
       Each  database  may  allow  specific  configuration  options;  they are
       documented separately in the slapd-<backend>(5) manual pages.

EXAMPLES
       Here is a short example of a configuration file:

              include   /etc/openldap/schema/core.schema
              pidfile   /var/run/slapd.pid

              # Subtypes of "name" (e.g. "cn" and "ou") with the
              # option ";x-hidden" can be searched for/compared,
              # but are not shown.  See slapd.access(5).
              attributeoptions x-hidden lang-
              access to attr=name;x-hidden by * =cs

              database  bdb
              suffix    "dc=our-domain,dc=com"
              # The database directory MUST exist prior to
              # running slapd AND should only be accessible
              # by the slapd/tools. Mode 700 recommended.
              directory /var/db/openldap/openldap-data
              # Indices to maintain
              index     objectClass  eq
              index     cn,sn,mail   pres,eq,approx,sub

              # We serve small clients that do not handle referrals,
              # so handle remote lookups on their behalf.
              database  ldap
              suffix    ""
              uri       ldap://ldap.some-server.com/
              lastmod   off

       "OpenLDAP Administrator's Guide" contains a longer annotated example of
       a configuration file.  The original /etc/openldap/slapd.conf is another
       example.
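       The following is an added example and not part of this manual page or
       of OpenLDAP: a small Python reader for the slapd.conf line format
       described at the top of this page (blank and # lines ignored, a line
       beginning with white space continuing the previous one, double-quoted
       arguments with backslash escapes), applied to three rules stated under
       GENERAL DATABASE OPTIONS: every database needs at least one suffix, a
       database whose suffix is inside another's must come first in the file,
       and rootpw is only usable when rootdn lies within a suffix of that
       database.  The sample configurations are constructed for this example
       (one is cut down from the EXAMPLES section above); the function names
       and the DN handling (plain comma split, no escaped commas) are this
       example's own simplifications, not slapd's parser.

```python
from typing import Dict, List, Tuple

# Added example, not OpenLDAP code: a reader for the slapd.conf line format
# and three checks that GENERAL DATABASE OPTIONS states as rules.

def split_args(line: str) -> List[str]:
    """Whitespace separates args; double quotes group; backslash escapes."""
    args: List[str] = []
    cur, have, quoted, i = "", False, False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur, have, i = cur + line[i + 1], True, i + 2
            continue
        if c == '"':
            quoted, have = not quoted, True
        elif c.isspace() and not quoted:
            if have:
                args.append(cur)
                cur, have = "", False
        else:
            cur, have = cur + c, True
        i += 1
    if have:
        args.append(cur)
    return args

def logical_lines(text: str) -> List[List[str]]:
    """Skip blank and # lines; a line starting with white space continues the previous one."""
    joined: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.strip())
    return [a for a in (split_args(l) for l in joined) if a]

def normalize_dn(dn: str) -> Tuple[str, ...]:
    # case-fold and split into RDNs; escaped commas are not handled here
    return tuple(r.strip().lower() for r in dn.split(",")) if dn.strip() else ()

def dn_within(dn: Tuple[str, ...], suffix: Tuple[str, ...]) -> bool:
    # True if dn is at or below suffix; the empty suffix ("") holds everything
    return len(suffix) <= len(dn) and dn[len(dn) - len(suffix):] == suffix

def databases(text: str) -> List[Dict]:
    """Collect type, suffixes, rootdn and rootpw of each database section."""
    dbs: List[Dict] = []
    for args in logical_lines(text):
        if len(args) < 2:
            continue
        key, val = args[0].lower(), args[1]
        if key == "database":
            dbs.append({"type": val, "suffix": [], "rootdn": None, "rootpw": None})
        elif dbs and key == "suffix":
            dbs[-1]["suffix"].append(normalize_dn(val))
        elif dbs and key in ("rootdn", "rootpw"):
            dbs[-1][key] = normalize_dn(val) if key == "rootdn" else val
    return dbs

def check_config(text: str) -> List[str]:
    """Return rule violations; an empty list means the three checks pass."""
    dbs, problems = databases(text), []
    for n, db in enumerate(dbs):
        if not db["suffix"]:
            problems.append(f"database {n} ({db['type']}): at least one suffix is required")
        rootdn_ok = db["rootdn"] is not None and any(dn_within(db["rootdn"], s) for s in db["suffix"])
        if db["rootpw"] is not None and not rootdn_ok:
            problems.append(f"database {n} ({db['type']}): rootpw set but rootdn is not within a suffix")
        for m in range(n):   # an earlier database with a wider suffix would shadow this one
            for outer in dbs[m]["suffix"]:
                for inner in db["suffix"]:
                    if inner != outer and dn_within(inner, outer):
                        problems.append(f"database {n}: suffix {','.join(inner)!r} lies inside database "
                                        f"{m}'s suffix {','.join(outer)!r}; the inner suffix must come first")
    return problems

# Constructed sample, cut down from the EXAMPLES section, with a rootdn/rootpw
# pair added; the access rule is continued on a second line.
GOOD_CONF = """\
access to attr=name;x-hidden
        by * =cs
database  bdb
suffix    "dc=our-domain,dc=com"
rootdn    "cn=Manager,dc=our-domain,dc=com"
rootpw    {SSHA}placeholder-hash-value
database  ldap
suffix    ""
"""

# Constructed sample: databases in the wrong order, rootdn outside the suffix.
BAD_CONF = """\
database  ldap
suffix    ""
database  bdb
suffix    "dc=our-domain,dc=com"
rootdn    "cn=admin,dc=elsewhere,dc=com"
rootpw    secret
"""
```

       Run check_config on a file's text; the ordering check matters because
       slapd selects a database by the first suffix that matches, so a bdb
       database listed after a database with suffix "" would never be reached.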

FILES
       /etc/openldap/slapd.conf
              default slapd configuration file

SEE ALSO
       ldap(3), slapd-bdb(5), slapd-dnssrv(5),  slapd-ldap(5),  slapd-ldbm(5),
       slapd-meta(5),  slapd-null(5),  slapd-passwd(5),  slapd-perl(5), slapd-
       shell(5), slapd-sql(5), slapd-tcl(5), slapd.replog(5), slapd.access(5),
       locale(5),     slapd(8),    slapadd(8),    slapcat(8),    slapindex(8),
       slappasswd(8), slurpd(8),

       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

ACKNOWLEDGEMENTS
       OpenLDAP  is  developed  and  maintained  by   The   OpenLDAP   Project
       (http://www.openldap.org/).   OpenLDAP  is  derived  from University of
       Michigan LDAP 3.3 Release.



OpenLDAP 2.1.22                   06-26-2003                     SLAPD.CONF(5)