Yolinux.com

SLAPD.CONF manpage

Search topic Section


SLAPD.CONF(5)		      File Formats Manual		 SLAPD.CONF(5)



NAME
       slapd.conf - configuration file for slapd, the stand-alone LDAP daemon

SYNOPSIS
       /etc/openldap/slapd.conf

DESCRIPTION
       The  file  /etc/openldap/slapd.conf  contains configuration information
       for the slapd(8) daemon.	 This configuration file is also used  by  the
       SLAPD tools slapacl(8), slapadd(8), slapauth(8), slapcat(8), slapdn(8),
       slapindex(8), and slaptest(8).

       The slapd.conf file  consists  of  a  series  of	 global	 configuration
       options	that  apply to slapd as a whole (including all backends), fol-
       lowed by zero or more database backend definitions that contain	infor-
       mation  specific	 to a backend instance.	 The configuration options are
       case-insensitive; their value, on a case by case basis,	may  be	 case-
       sensitive.

       The general format of slapd.conf is as follows:

	   # comment - these options apply to every database
	   <global configuration options>
	   # first database definition & configuration options
	   database <backend 1 type>
	   <configuration options specific to backend 1>
	   # subsequent database definitions & configuration options
	   ...

       As  many	 backend-specific sections as desired may be included.	Global
       options can be overridden in a backend (for options  that  appear  more
       than once, the last appearance in the slapd.conf file is used).

       If  a  line begins with white space, it is considered a continuation of
       the previous line.  No physical line should be over 2000 bytes long.

       Blank lines and comment	lines  beginning  with	a  `#'	character  are
       ignored.	  Note:	 continuation  lines are unwrapped before comment pro-
       cessing is applied.

       Arguments on configuration lines are separated by white	space.	If  an
       argument	 contains white space, the argument should be enclosed in dou-
       ble quotes.  If an argument contains a double quote (`"')  or  a	 back-
       slash  character (`\'), the character should be preceded by a backslash
       character.

       The specific configuration options available are discussed below in the
       Global  Configuration  Options,	General	 Backend  Options, and General
       Database	 Options.   Backend-specific  options  are  discussed  in  the
       slapd-<backend>(5)  manual  pages.   Refer to the "OpenLDAP Administra-
       tor's Guide" for more details on the slapd configuration file.

GLOBAL CONFIGURATION OPTIONS
       Options described in this section apply to all backends, unless specif-
       ically  overridden  in  a  backend definition. Arguments that should be
       replaced by actual text are shown in brackets <>.

       access to <what> [ by <who> <access> <control> ]+
	      Grant access (specified by <access>) to a set of entries	and/or
	      attributes  (specified  by  <what>)  by  one  or more requestors
	      (specified by <who>).  If no access controls  are	 present,  the
	      default  policy  allows anyone and everyone to read anything but
	      restricts updates to rootdn.  (e.g., "access to * by  *  read").
	      The   rootdn   can   always  read	 and  write  EVERYTHING!   See
	      slapd.access(5) and the "OpenLDAP's Administrator's  Guide"  for
	      details.

       allow <features>
	      Specify  a  set  of features (separated by white space) to allow
	      (default	none).	 bind_v2  allows  acceptance  of  LDAPv2  bind
	      requests.	  Note	that  slapd(8) does not truly implement LDAPv2
	      (RFC 1777), now  Historic	 (RFC  3494).	bind_anon_cred	allows
	      anonymous	 bind when credentials are not empty (e.g.  when DN is
	      empty).  bind_anon_dn allows  unauthenticated  (anonymous)  bind
	      when  DN	is  not	 empty.	  update_anon  allows  unauthenticated
	      (anonymous) update operations to be processed (subject to access
	      controls	and  other  administrative  limits).  proxy_authz_anon
	      allows unauthenticated (anonymous) proxy	authorization  control
	      to  be  processed (subject to access controls, authorization and
	      other administrative limits).

       argsfile <filename>
	      The (absolute) name of a file that will hold the slapd  server's
	      command line (program name and options).

       attributeoptions [option-name]...
	      Define  tagging  attribute options or option tag/range prefixes.
	      Options must not end with `-', prefixes must end with `-'.   The
	      `lang-'  prefix  is predefined.  If you use the attributeoptions
	      directive, `lang-' will no longer be defined and you must	 spec-
	      ify it explicitly if you want it defined.

	      An  attribute  description with a tagging option is a subtype of
	      that attribute description without the option.  Except for that,
	      options  defined	this  way have no special semantics.  Prefixes
	      defined this way work like the `lang-' options:  They  define  a
	      prefix  for  tagging options starting with the prefix.  That is,
	      if you define the	 prefix	 `x-foo-',  you	 can  use  the	option
	      `x-foo-bar'.   Furthermore,  in a search or compare, a prefix or
	      range name (with a trailing `-') matches	all  options  starting
	      with  that  name, as well as the option with the range name sans
	      the trailing `-'.	 That is, `x-foo-bar-' matches `x-foo-bar' and
	      `x-foo-bar-baz'.

	      RFC 4520 reserves options beginning with `x-' for private exper-
	      iments.  Other options should be registered with IANA,  see  RFC
	      4520  section  3.5.  OpenLDAP also has the `binary' option built
	      in, but this is a transfer option, not a tagging option.

       attributetype  ( <oid>  [NAME <name>]  [DESC <description>]  [OBSOLETE]
	      [SUP <oid>]   [EQUALITY <oid>]  [ORDERING <oid>]	[SUBSTR <oid>]
	      [SYNTAX <oidlen>]		 [SINGLE-VALUE]		  [COLLECTIVE]
	      [NO-USER-MODIFICATION] [USAGE <attributeUsage>] )
	      Specify an attribute type using the LDAPv3 syntax defined in RFC
	      4512.  The slapd parser  extends	the  RFC  4512	definition  by
	      allowing string forms as well as numeric OIDs to be used for the
	      attribute	  OID	and   attribute	  syntax   OID.	   (See	   the
	      objectidentifier description.)

       authid-rewrite<cmd> <args>
	      Used  by	the  authentication  framework	to convert simple user
	      names to an  LDAP	 DN  used  for	authorization  purposes.   Its
	      purpose  is  analogous to that of authz-regexp (see below).  The
	      prefix authid- is followed by a set of rules analogous to	 those
	      described	 in  slapo-rwm(5) for data rewriting (replace the rwm-
	      prefix  with  authid-).	authid-rewrite<cmd>  and  authz-regexp
	      rules should not be intermixed.

       authz-policy <policy>
	      Used  to	specify	 which	rules  to use for Proxy Authorization.
	      Proxy authorization allows  a  client  to	 authenticate  to  the
	      server  using  one  user's  credentials, but specify a different
	      identity to use for authorization and access  control  purposes.
	      It  essentially allows user A to login as user B, using user A's
	      password.	 The none flag disables proxy authorization.  This  is
	      the  default  setting.   The  from  flag	will  use rules in the
	      authzFrom attribute of the authorization DN.  The to  flag  will
	      use  rules  in  the  authzTo attribute of the authentication DN.
	      The any flag, an alias for the deprecated value  of  both,  will
	      allow  any of the above, whatever succeeds first (checked in to,
	      from sequence.  The all flag  requires  both  authorizations  to
	      succeed.

	      The rules are mechanisms to specify which identities are allowed
	      to perform proxy authorization.  The authzFrom attribute	in  an
	      entry  specifies which other users are allowed to proxy login to
	      this entry. The authzTo attribute in an  entry  specifies	 which
	      other  users  this  user can authorize as.  Use of authzTo rules
	      can be easily abused if users are	 allowed  to  write  arbitrary
	      values to this attribute.	 In general the authzTo attribute must
	      be protected with ACLs  such  that  only	privileged  users  can
	      modify  it.   The	 value	of  authzFrom and authzTo describes an
	      identity or a set of identities; it can take five forms:

		     ldap:///<base>??[<scope>]?<filter>
		     dn[.<dnstyle>]:<pattern>
		     u[.<mech>[/<realm>]]:<pattern>
		     group[/objectClass[/attributeType]]:<pattern>
		     <pattern>

		     <dnstyle>:={exact|onelevel|children|subtree|regex}

	      The first form is a valid LDAP URI where the <host>:<port>,  the
	      <attrs>  and  the	 <extensions> portions must be absent, so that
	      the search occurs locally on either authzFrom or	authzTo.   The
	      second  form  is	a DN, with the optional style modifiers exact,
	      onelevel, children, and subtree for  exact,  onelevel,  children
	      and  subtree  matches,  which  cause  <pattern> to be normalized
	      according to the DN normalization rules, or  the	special	 regex
	      style,  which  causes  the  <pattern>  to	 be treated as a POSIX
	      (''extended'') regular  expression,  as  discussed  in  regex(7)
	      and/or re_format(7).  A pattern of * means any non-anonymous DN.
	      The third form is a SASL id, with the optional fields <mech> and
	      <realm> that allow to specify a SASL mechanism, and eventually a
	      SASL realm, for those mechanisms that support one.  The need  to
	      allow  the  specification	 of  a mechanism is still debated, and
	      users are strongly discouraged to rely on this possibility.  The
	      fourth  form is a group specification, consisting of the keyword
	      group, optionally followed by the	 specification	of  the	 group
	      objectClass   and	 member	 attributeType.	  The  group  with  DN
	      <pattern> is searched with base scope, and in case of match, the
	      values of the member attributeType are searched for the asserted
	      DN.   For	 backwards  compatibility,  if	no  identity  type  is
	      provided,	 i.e.  only  <pattern>	is  present,  an  exact	 DN is
	      assumed;	as  a  consequence,  <pattern>	is  subjected  to   DN
	      normalization.	Since  the  interpretation  of	authzFrom  and
	      authzTo can impact security, users are  strongly	encouraged  to
	      explicitly  set the type of identity specification that is being
	      used.  A subset of these rules can be used as third arg  in  the
	      authz-regexp  statement  (see  below);  significantly,  the URI,
	      provided it results in exactly one entry, and the	 dn.exact:<dn>
	      forms.

       authz-regexp <match> <replace>
	      Used  by	the  authentication  framework	to convert simple user
	      names, such as provided by SASL  subsystem,  or  extracted  from
	      certificates  in	case  of cert-based SASL EXTERNAL, or provided
	      within the RFC 4370 "proxied authorization" control, to an  LDAP
	      DN  used for authorization purposes.  Note that the resulting DN
	      need not refer to an existing  entry  to	be  considered	valid.
	      When   an	 authorization	request	 is  received  from  the  SASL
	      subsystem, the SASL USERNAME, REALM, and	MECHANISM  are	taken,
	      when available, and combined into a name of the form

		     UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth

	      This   name   is	 then	compared   against   the  match	 POSIX
	      (''extended'')  regular  expression,  and	 if   the   match   is
	      successful,  the	name  is replaced with the replace string.  If
	      there are wildcard strings in the match regular expression  that
	      are enclosed in parenthesis, e.g.

		     UID=([^,]*),CN=.*

	      then  the	 portion of the name that matched the wildcard will be
	      stored in the numbered placeholder variable  $1.	If  there  are
	      other wildcard strings in parenthesis, the matching strings will
	      be in $2, $3, etc. up to $9. The placeholders can then  be  used
	      in the replace string, e.g.

		     UID=$1,OU=Accounts,DC=example,DC=com

	      The  replaced name can be either a DN, i.e. a string prefixed by
	      "dn:", or an LDAP URI.  If the latter, the server will  use  the
	      URI  to  search  its  own database(s) and, if the search returns
	      exactly one entry, the name is replaced by the DN of that entry.
	      The  LDAP	 URI  must  have  no  hostport,	 attrs,	 or extensions
	      components, but the filter is mandatory, e.g.

		     ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)

	      The protocol portion of the URI must  be	strictly  ldap.	  Note
	      that  this  search is subject to access controls.	 Specifically,
	      the authentication identity  must	 have  "auth"  access  in  the
	      subject.

	      Multiple	authz-regexp options can be given in the configuration
	      file to allow for multiple matching  and	replacement  patterns.
	      The  matching  patterns  are checked in the order they appear in
	      the file, stopping at the first successful match.


       concurrency <integer>
	      Specify  a  desired  level  of  concurrency.   Provided  to  the
	      underlying  thread  system  as  a	 hint.	 The default is not to
	      provide any hint.

       conn_max_pending <integer>
	      Specify the maximum number of pending requests for an  anonymous
	      session.	 If  requests are submitted faster than the server can
	      process them, they will be queued up to this limit. If the limit
	      is exceeded, the session is closed. The default is 100.

       conn_max_pending_auth <integer>
	      Specify	the   maximum	number	of  pending  requests  for  an
	      authenticated session.  The default is 1000.

       defaultsearchbase <dn>
	      Specify a default search base to use when client submits a  non-
	      base  search  request with an empty base DN.  Base scoped search
	      requests with an empty base DN are not affected.

       disallow <features>
	      Specify a set of features (separated by white space) to disallow
	      (default none).  bind_anon disables acceptance of anonymous bind
	      requests.	 Note that this setting does  not  prohibit  anonymous
	      directory	 access	 (See  "require authc").  bind_simple disables
	      simple  (bind)  authentication.	tls_2_anon  disables   forcing
	      session  to  anonymous status (see also tls_authc) upon StartTLS
	      operation receipt.  tls_authc disallows the  StartTLS  operation
	      if	authenticated	    (see       also	  tls_2_anon).
	      proxy_authz_non_critical	disables  acceptance  of  the  proxied
	      authorization  control  (RFC4370)	 when  criticality  is	FALSE.
	      dontusecopy_non_critical disables acceptance of the  dontUseCopy
	      control (a work in progress) when criticality is FALSE.

       ditcontentrule  ( <oid>	[NAME <name>]  [DESC <description>] [OBSOLETE]
	      [AUX <oids>] [MUST <oids>] [MAY <oids>] [NOT <oids>] )
	      Specify an DIT Content Rule using the LDAPv3 syntax  defined  in
	      RFC  4512.   The slapd parser extends the RFC 4512 definition by
	      allowing string forms as well as numeric OIDs to be used for the
	      attribute	   OID	 and   attribute   syntax   OID.    (See   the
	      objectidentifier description.)

       gentlehup { on | off }
	      A SIGHUP signal will only	 cause	a  'gentle'  shutdown-attempt:
	      Slapd  will  stop	 listening  for	 new connections, but will not
	      close the connections to	the  current  clients.	 Future	 write
	      operations    return    unwilling-to-perform,   though.	 Slapd
	      terminates when all clients have closed  their  connections  (if
	      they ever do), or - as before - if it receives a SIGTERM signal.
	      This can be useful if you wish to terminate the server and start
	      a new slapd server with another database, without disrupting the
	      currently active clients.	 The default is off.  You may wish  to
	      use idletimeout along with this option.

       idletimeout <integer>
	      Specify the number of seconds to wait before forcibly closing an
	      idle client  connection.	 A  idletimeout	 of  0	disables  this
	      feature.	 The  default  is  0.  You  may	 also  want to set the
	      writetimeout option.

       include <filename>
	      Read additional configuration information from  the  given  file
	      before continuing with the next line of the current file.

       index_intlen <integer>
	      Specify  the  key	 length	 for ordered integer indices. The most
	      significant bytes of the binary integer will be used  for	 index
	      keys.  The default value is 4, which provides exact indexing for
	      31 bit values.  A floating point representation is used to index
	      too large values.

       index_substr_if_minlen <integer>
	      Specify  the minimum length for subinitial and subfinal indices.
	      An attribute value must have at least this  many	characters  in
	      order  to be processed by the indexing functions. The default is
	      2.

       index_substr_if_maxlen <integer>
	      Specify the maximum length for subinitial and subfinal  indices.
	      Only  this  many	characters  of	an  attribute  value  will  be
	      processed by the indexing functions; any excess  characters  are
	      ignored. The default is 4.

       index_substr_any_len <integer>
	      Specify  the  length used for subany indices. An attribute value
	      must  have  at  least  this  many	 characters  in	 order	to  be
	      processed.  Attribute  values  longer  than  this length will be
	      processed in segments of this length.  The  default  is  4.  The
	      subany  index will also be used in subinitial and subfinal index
	      lookups  when   the   filter   string   is   longer   than   the
	      index_substr_if_maxlen value.

       index_substr_any_step <integer>
	      Specify  the steps used in subany index lookups. This value sets
	      the offset  for  the  segments  of  a  filter  string  that  are
	      processed	 for  a	 subany	 index	lookup.	 The default is 2. For
	      example, with the default values, a  search  using  this	filter
	      "cn=*abcdefgh*" would generate index lookups for "abcd", "cdef",
	      and "efgh".


       Note: Indexing support depends on the particular backend in use.	 Also,
       changing	 these	settings  will	generally require deleting any indices
       that depend on these parameters and recreating them with slapindex(8).


       ldapsyntax ( <oid> [DESC <description>] [X-SUBST <substitute-syntax>] )

	      Specify  an  LDAP	 syntax using the LDAPv3 syntax defined in RFC
	      4512.  The slapd parser  extends	the  RFC  4512	definition  by
	      allowing string forms as well as numeric OIDs to be used for the
	      syntax OID.  (See the objectidentifier description.)  The	 slapd
	      parser  also  honors the X-SUBST extension (an OpenLDAP-specific
	      extension), which allows to  use	the  ldapsyntax	 statement  to
	      define  a	 non-implemented syntax along with another syntax, the
	      extension value substitute-syntax, as its temporary replacement.
	      The  substitute-syntax  must  be defined.	 This allows to define
	      attribute types that make use of non-implemented syntaxes	 using
	      the   correct   syntax   OID.   Unless  X-SUBST  is  used,  this
	      configuration statement would  result  in	 an  error,  since  no
	      handlers would be associated to the resulting syntax structure.


       listener-threads <integer>
	      Specify the number of threads to use for the connection manager.
	      The default is 1 and this is typically adequate for up to 16 CPU
	      cores.  The value should be set to a power of 2.

       localSSF <SSF>
	      Specifies	 the  Security Strength Factor (SSF) to be given local
	      LDAP sessions, such as those to the ldapi://  listener.	For  a
	      description  of  SSF  values,  see sasl-secprops's minssf option
	      description.  The default is 71.

       logfile <filename>
	      Specify a file for recording  debug  log	messages.  By  default
	      these  messages  only go to stderr and are not recorded anywhere
	      else. Specifying a logfile copies messages to  both  stderr  and
	      the logfile.

       loglevel <integer> [...]
	      Specify  the  level  at which debugging statements and operation
	      statistics  should  be  syslogged	 (currently  logged   to   the
	      syslogd(8)   LOG_LOCAL4  facility).   They  must	be  considered
	      subsystems rather than increasingly verbose  log	levels.	  Some
	      messages	with  higher  priority	are  logged  regardless of the
	      configured loglevel as soon as any logging is  configured.   Log
	      levels are additive, and available levels are:
		     1	    (0x1 trace) trace function calls
		     2	    (0x2 packets) debug packet handling
		     4	    (0x4 args) heavy trace debugging (function args)
		     8	    (0x8 conns) connection management
		     16	    (0x10 BER) print out packets sent and received
		     32	    (0x20 filter) search filter processing
		     64	    (0x40 config) configuration file processing
		     128    (0x80 ACL) access control list processing
		     256    (0x100   stats)   connections,   LDAP  operations,
			    results (recommended)
		     512    (0x200 stats2) stats log entries sent
		     1024   (0x400  shell)  print  communication  with	 shell
			    backends
		     2048   (0x800 parse) entry parsing








		     16384  (0x4000 sync) LDAPSync replication
		     32768  (0x8000   none)  only  messages  that  get	logged
			    whatever log level is set
	      The desired log level can be input  as  a	 single	 integer  that
	      combines	the  (ORed)  desired  levels,  both  in	 decimal or in
	      hexadecimal notation, as a  list	of  integers  (that  are  ORed
	      internally),  or	as  a list of the names that are shown between
	      brackets, such that

		  loglevel 129
		  loglevel 0x81
		  loglevel 128 1
		  loglevel 0x80 0x1
		  loglevel acl trace

	      are equivalent.  The keyword any can be used as  a  shortcut  to
	      enable  logging  at  all levels (equivalent to -1).  The keyword
	      none, or the equivalent  integer	representation,	 causes	 those
	      messages	that  are logged regardless of the configured loglevel
	      to be logged.  In fact, if loglevel is  set  to  0,  no  logging
	      occurs,  so  at  least  the  none level is required to have high
	      priority messages logged.

	      The loglevel defaults to stats.  This level should usually  also
	      be  included  when  using	 other	loglevels, to help analyze the
	      logs.

       moduleload <filename>
	      Specify the name of a dynamically loadable module to  load.  The
	      filename may be an absolute path name or a simple filename. Non-
	      absolute names are searched for in the directories specified  by
	      the modulepath option. This option and the modulepath option are
	      only usable if slapd was compiled with --enable-modules.

       modulepath <pathspec>
	      Specify a list of directories to search  for  loadable  modules.
	      Typically	 the  path  is colon-separated but this depends on the
	      operating system.	 The default is /usr/lib64/openldap, which  is
	      where the standard OpenLDAP install will place its modules.

       objectclass   ( <oid>   [NAME <name>]  [DESC <description>]  [OBSOLETE]
	      [SUP <oids>]  [{	ABSTRACT   |   STRUCTURAL   |	AUXILIARY   }]
	      [MUST <oids>] [MAY <oids>] )
	      Specify  an  objectclass	using the LDAPv3 syntax defined in RFC
	      4512.  The slapd parser  extends	the  RFC  4512	definition  by
	      allowing string forms as well as numeric OIDs to be used for the
	      object  class  OID.   (See  the  objectidentifier	 description.)
	      Object classes are "STRUCTURAL" by default.

       objectidentifier <name> { <oid> | <name>[:<suffix>] }
	      Define  a	 string name that equates to the given OID. The string
	      can be used in place of  the  numeric  OID  in  objectclass  and
	      attribute	 definitions.  The name can also be used with a suffix
	      of the form ":xx" in which case the value "oid.xx" will be used.

       password-hash <hash> [<hash>...]
	      This option  configures  one  or	more  hashes  to  be  used  in
	      generation   of	user  passwords	 stored	 in  the  userPassword
	      attribute during processing of  LDAP  Password  Modify  Extended
	      Operations (RFC 3062).  The <hash> must be one of {SSHA}, {SHA},
	      {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}.	The default is {SSHA}.

	      {SHA} and {SSHA} use  the	 SHA-1	algorithm  (FIPS  160-1),  the
	      latter with a seed.

	      {MD5}  and  {SMD5}  use the MD5 algorithm (RFC 1321), the latter
	      with a seed.

	      {CRYPT} uses the crypt(3).

	      {CLEARTEXT} indicates that the new password should be  added  to
	      userPassword as clear text.

	      Note   that   this   option  does	 not  alter  the  normal  user
	      applications handling of userPassword during LDAP	 Add,  Modify,
	      or other LDAP operations.

       password-crypt-salt-format <format>
	      Specify	the  format  of	 the  salt  passed  to	crypt(3)  when
	      generating  {CRYPT}   passwords	(see   password-hash)	during
	      processing  of  LDAP  Password  Modify  Extended Operations (RFC
	      3062).

	      This string needs to be in sprintf(3) format and may include one
	      (and   only   one)  %s  conversion.   This  conversion  will  be
	      substituted  with	  a   string   of   random   characters	  from
	      [A-Za-z0-9./].   For  example,  "%.2s"  provides a two character
	      salt and "$1$%.8s" tells some versions of crypt(3) to use an MD5
	      algorithm and provides 8 random characters of salt.  The default
	      is "%s", which provides 31 characters of salt.

       pidfile <filename>
	      The (absolute) name of a file that will hold the slapd  server's
	      process ID (see getpid(2)).

       referral <url>
	      Specify  the  referral  to pass back when slapd(8) cannot find a
	      local database to	 handle	 a  request.   If  specified  multiple
	      times, each url is provided.

       require <conditions>
	      Specify  a  set  of  conditions  (separated  by  white space) to
	      require (default none).  The directive may be specified globally
	      and/or  per-database;  databases	inherit	 global conditions, so
	      per-database specifications are additive.	  bind	requires  bind
	      operation	  prior	 to  directory	operations.   LDAPv3  requires
	      session  to  be  using   LDAP   version	3.    authc   requires
	      authentication  prior  to	 directory  operations.	 SASL requires
	      SASL  authentication  prior  to  directory  operations.	strong
	      requires	strong	authentication	prior to directory operations.
	      The strong keyword allows protected "simple"  authentication  as
	      well  as	SASL  authentication.	none may be used to require no
	      conditions (useful to clear out globally set conditions within a
	      particular  database);  it  must	occur  first  in  the  list of
	      conditions.

       reverse-lookup on | off
	      Enable/disable client name unverified reverse lookup (default is
	      off if compiled with --enable-rlookups).

       rootDSE <file>
	      Specify  the  name  of  an  LDIF(5) file containing user defined
	      attributes for the root DSE.  These attributes are  returned  in
	      addition to the attributes normally produced by slapd.

	      The  root	 DSE is an entry with information about the server and
	      its capabilities, in operational attributes.  It has  the	 empty
	      DN, and can be read with e.g.:
		  ldapsearch -x -b "" -s base "+"
	      See RFC 4512 section 5.1 for details.

       sasl-auxprops <plugin> [...]
	      Specify which auxprop plugins to use for authentication lookups.
	      The default is empty, which just uses slapd's internal  support.
	      Usually no other auxprop plugins are needed.

       sasl-host <fqdn>
	      Used  to	specify	 the fully qualified domain name used for SASL
	      processing.

       sasl-realm <realm>
	      Specify SASL realm.  Default is empty.

       sasl-secprops <properties>
	      Used to specify Cyrus SASL security properties.  The  none  flag
	      (without	any  other  properties)	 causes	 the  flag  properties
	      default, "noanonymous,noplain", to be cleared.  The noplain flag
	      disables	mechanisms susceptible to simple passive attacks.  The
	      noactive flag disables mechanisms susceptible to active attacks.
	      The  nodict  flag	 disables  mechanisms  susceptible  to passive
	      dictionary attacks.  The noanonymous  flag  disables  mechanisms
	      which  support  anonymous	 login.	  The  forwardsec flag require
	      forward  secrecy	between	 sessions.    The   passcred   require
	      mechanisms  which	 pass client credentials (and allow mechanisms
	      which can pass  credentials  to  do  so).	  The  minssf=<factor>
	      property	specifies  the	minimum	 acceptable  security strength
	      factor as an integer approximate to effective  key  length  used
	      for  encryption.	 0  (zero)  implies  no	 protection, 1 implies
	      integrity protection only, 56 allows DES or other weak  ciphers,
	      112  allows triple DES and other strong ciphers, 128 allows RC4,
	      Blowfish and other modern strong ciphers.	  The  default	is  0.
	      The  maxssf=<factor>  property  specifies the maximum acceptable
	      security strength factor as an integer (see minssf description).
	      The   default   is   INT_MAX.   The  maxbufsize=<size>  property
	      specifies	 the  maximum  security	 layer	receive	 buffer	  size
	      allowed.	0 disables security layers.  The default is 65536.

       schemadn <dn>
	      Specify  the  distinguished name for the subschema subentry that
	      controls	the  entries  on  this	 server.    The	  default   is
	      "cn=Subschema".

       security <factors>
	      Specify  a  set of security strength factors (separated by white
	      space) to require	 (see  sasl-secprops's	minssf	option	for  a
	      description of security strength factors).  The directive may be
	      specified globally and/or per-database.  ssf=<n>	specifies  the
	      overall  security	 strength factor.  transport=<n> specifies the
	      transport security strength factor.  tls=<n> specifies  the  TLS
	      security	strength factor.  sasl=<n> specifies the SASL security
	      strength factor.	update_ssf=<n> specifies the overall  security
	      strength	  factor    to	  require   for	  directory   updates.
	      update_transport=<n> specifies the transport  security  strength
	      factor   to   require  for  directory  updates.	update_tls=<n>
	      specifies the  TLS  security  strength  factor  to  require  for
	      directory	 updates.  update_sasl=<n> specifies the SASL security
	      strength	 factor	  to   require	  for	 directory    updates.
	      simple_bind=<n>  specifies the security strength factor required
	      for simple  username/password  authentication.   Note  that  the
	      transport	  factor  is  measure  of  security  provided  by  the
	      underlying transport, e.g. ldapi:// (and eventually IPSEC).   It
	      is not normally used.

       serverID <integer> [<URL>]
	      Specify an integer ID from 0 to 4095 for this server (limited to
	      3 hexadecimal digits).  The  ID  may  also  be  specified	 as  a
	      hexadecimal  ID by prefixing the value with "0x".	 These IDs are
	      required when using multimaster replication and each master must
	      have  a  unique  ID.  Note that this requirement also applies to
	      separate masters contributing to a glued set of  databases.   If
	      the  URL	is  provided, this directive may be specified multiple
	      times, providing a complete list of  participating  servers  and
	      their IDs. The fully qualified hostname of each server should be
	      used in the supplied URLs. The IDs are used in the "replica  id"
	      field of all CSNs generated by the specified server. The default
	      value is zero.  Example:

	    serverID 1

       sizelimit {<integer>|unlimited}

       sizelimit size[.{soft|hard|unchecked}]=<integer> [...]
	      Specify the maximum number of entries to return  from  a	search
	      operation.   The	default	 size  limit is 500.  Use unlimited to
	      specify no limits.   The	second	format	allows	a  fine	 grain
	      setting of the size limits.  Extra args can be added on the same
	      line.  See limits for an explanation of the different flags.

       sockbuf_max_incoming <integer>
	      Specify  the  maximum  incoming  LDAP  PDU  size	for  anonymous
	      sessions.	 The default is 262143.

       sockbuf_max_incoming_auth <integer>
	      Specify  the  maximum  incoming  LDAP PDU size for authenticated
	      sessions.	 The default is 4194303.

       sortvals <attr> [...]
	      Specify a list of	 multi-valued  attributes  whose  values  will
	      always  be  maintained  in  sorted order. Using this option will
	      allow  Modify,  Compare,	and  filter   evaluations   on	 these
	      attributes  to be performed more efficiently. The resulting sort
	      order depends on the attributes' syntax and matching  rules  and
	      may  not	correspond  to lexical order or any other recognizable
	      order.

       tcp-buffer [listener=<URL>] [{read|write}=]<size>
	      Specify the size of the TCP buffer.  A  global  value  for  both
	      read  and	 write TCP buffers related to any listener is defined,
	      unless the listener is explicitly specified, or either the  read
	      or  write	 qualifiers  are  used.	 See tcp(7) for details.  Note
	      that some OS-es implement automatic TCP buffer tuning.

       threads <integer>
	      Specify the maximum  size	 of  the  primary  thread  pool.   The
	      default is 16; the minimum value is 2.

       timelimit {<integer>|unlimited}

       timelimit time[.{soft|hard}]=<integer> [...]
	      Specify  the maximum number of seconds (in real time) slapd will
	      spend answering a search request.	 The  default  time  limit  is
	      3600.   Use  unlimited  to specify no limits.  The second format
	      allows a fine grain setting of the time limits.  Extra args  can
	      be added on the same line.  See limits for an explanation of the
	      different flags.

       tool-threads <integer>
	      Specify the maximum number of threads to use in tool mode.  This
	      should  not  be  greater	than the number of CPUs in the system.
	      The default is 1.

       writetimeout <integer>
	      Specify the number of seconds to wait before forcibly closing  a
	      connection  with an outstanding write. This allows recovery from
	      various network hang conditions.	A writetimeout of  0  disables
	      this feature.  The default is 0.

TLS OPTIONS
       If  slapd is built with support for Transport Layer Security, there are
       more options you can specify.

       TLSCipherSuite <cipher-suite-spec>
	      Permits configuring  what	 ciphers  will	be  accepted  and  the
	      preference   order.   <cipher-suite-spec>	 should	 be  a	cipher
	      specification for the TLS library in use	(OpenSSL,  GnuTLS,  or
	      Mozilla NSS).  Example:

		     OpenSSL:
			    TLSCipherSuite HIGH:MEDIUM:+SSLv2

		     GnuTLS:
			    TLSCiphersuite SECURE256:!AES-128-CBC

	      To check what ciphers a given spec selects in OpenSSL, use:

		   openssl ciphers -v <cipher-suite-spec>

	      With  GnuTLS the available specs can be found in the manual page
	      of gnutls-cli(1) (see the description of the option --priority).

	      In older versions of GnuTLS, where gnutls-cli does  not  support
	      the  option  --priority,	you  can obtain the -- more limited --
	      list of ciphers by calling:

		   gnutls-cli -l

	      When using Mozilla NSS, the OpenSSL cipher suite	specifications
	      are  used	 and  translated  into	the  format used internally by
	      Mozilla NSS.  There isn't an easy way to list the cipher	suites
	      from  the command line.  The authoritative list is in the source
	      code for Mozilla NSS in the file sslinfo.c in the structure
		      static const SSLCipherSuiteInfo suiteInfo[]

       TLSCACertificateFile <filename>
	      Specifies the file that contains certificates  for  all  of  the
	      Certificate Authorities that slapd will recognize.

       TLSCACertificatePath <path>
	      Specifies	 the  path  of	a  directory that contains Certificate
	      Authority certificates in	 separate  individual  files.  Usually
	      only one of this or the TLSCACertificateFile is defined. If both
	      are specified, both locations will be used.  This	 directive  is
	      not supported when using GnuTLS.

	      When  using  Mozilla  NSS,  <path>  may  contain	a  Mozilla NSS
	      cert/key database.  If <path> contains a	Mozilla	 NSS  cert/key
	      database	and  CA	 cert  files,  OpenLDAP	 will use the cert/key
	      database and will ignore the CA cert files.

       TLSCertificateFile <filename>
	      Specifies the file that contains the slapd server certificate.

	      When using Mozilla NSS, if using a cert/key database  (specified
	      with  TLSCACertificatePath),  TLSCertificateFile	specifies  the
	      name of the certificate to use:
		   TLSCertificateFile Server-Cert
	      If using a token other than the internal built in token, specify
	      the token name first, followed by a colon:
		   TLSCertificateFile my hardware device:Server-Cert
	      Use certutil -L to list the certificates by name:
		   certutil -d /path/to/certdbdir -L

       TLSCertificateKeyFile <filename>
	      Specifies	 the  file  that contains the slapd server private key
	      that matches the certificate stored  in  the  TLSCertificateFile
	      file.  If	 the  private  key  is	protected with a password, the
	      password must be manually typed in when slapd  starts.   Usually
	      the private key is not protected with a password, to allow slapd
	      to start without manual  intervention,  so  it  is  of  critical
	      importance that the file is protected carefully.

	      When using Mozilla NSS, TLSCertificateKeyFile specifies the name
	      of a file that  contains	the  password  for  the	 key  for  the
	      certificate  specified  with  TLSCertificateFile.	  The  modutil
	      command can be used to turn  off	password  protection  for  the
	      cert/key	 database.    For   example,  if  TLSCACertificatePath
	      specifes /etc/openldap/certdb as the location  of	 the  cert/key
	      database,	 use  modutil  to  change  the	password  to the empty
	      string:
		   modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'
	      You must have the old password,  if  any.	  Ignore  the  WARNING
	      about the running browser.  Press 'Enter' for the new password.


       TLSDHParamFile <filename>
	      This  directive  specifies the file that contains parameters for
	      Diffie-Hellman ephemeral key  exchange.	This  is  required  in
	      order  to	 use a DSA certificate on the server. If multiple sets
	      of parameters are present in the	file,  all  of	them  will  be
	      processed.   Note	 that  setting	this  option  may  also enable
	      Anonymous Diffie-Hellman key exchanges  in  certain  non-default
	      cipher  suites.	You should append "!ADH" to your cipher suites
	      if  you  have  changed  them  from  the  default,	 otherwise  no
	      certificate  exchanges  or verification will be done. When using
	      GnuTLS these parameters are always generated  randomly  so  this
	      directive	 is  ignored.	This  directive	 is ignored when using
	      Mozilla NSS.

       TLSProtocolMin <major>[.<minor>]
	      Specifies	 minimum  SSL/TLS  protocol  version  that   will   be
	      negotiated.   If	the  server  doesn't  support  at  least  that
	      version, the SSL handshake will fail.  To	 require  TLS  1.x  or
	      higher, set this option to 3.(x+1), e.g.,

		   TLSProtocolMin 3.2

	      would require TLS 1.1.  Specifying a minimum that is higher than
	      that supported by the OpenLDAP implementation will result in  it
	      requiring	  the  highest	level  that  it	 does  support.	  This
	      directive is ignored with GnuTLS.

       TLSRandFile <filename>
	      Specifies	 the  file   to	  obtain   random   bits   from	  when
	      /dev/[u]random  is  not available.  Generally set to the name of
	      the EGD/PRNGD socket.  The  environment  variable	 RANDFILE  can
	      also be used to specify the filename.  This directive is ignored
	      with GnuTLS and Mozilla NSS.

       TLSVerifyClient <level>
	      Specifies what checks to perform on client  certificates	in  an
	      incoming	TLS  session, if any.  The <level> can be specified as
	      one of the following keywords:

	      never  This is the default.  slapd will not ask the client for a
		     certificate.

	      allow  The  client  certificate is requested.  If no certificate
		     is provided, the session proceeds	normally.   If	a  bad
		     certificate  is  provided,	 it  will  be  ignored and the
		     session proceeds normally.

	      try    The client certificate is requested.  If  no  certificate
		     is	 provided,  the	 session  proceeds normally.  If a bad
		     certificate  is  provided,	 the  session  is  immediately
		     terminated.

	      demand | hard | true
		     These  keywords  are  all	equivalent,  for compatibility
		     reasons.  The client certificate  is  requested.	If  no
		     certificate   is	provided,  or  a  bad  certificate  is
		     provided, the session is immediately terminated.

		     Note that a valid client certificate is required in order
		     to	 use the SASL EXTERNAL authentication mechanism with a
		     TLS session.   As	such,  a  non-default  TLSVerifyClient
		     setting   must   be   chosen   to	enable	SASL  EXTERNAL
		     authentication.

       TLSCRLCheck <level>
	      Specifies if the Certificate Revocation List  (CRL)  of  the  CA
	      should  be  used	to  verify if the client certificates have not
	      been revoked. This requires TLSCACertificatePath parameter to be
	      set.  This  directive  is	 ignored  with GnuTLS and Mozilla NSS.
	      <level> can be specified as one of the following keywords:

	      none   No CRL checks are performed

	      peer   Check the CRL of the peer certificate

	      all    Check the CRL for a whole certificate chain

       TLSCRLFile <filename>
	      Specifies a file containing a Certificate Revocation List to  be
	      used for verifying that certificates have not been revoked. This
	      directive is only valid when using GnuTLS and Mozilla NSS.

GENERAL BACKEND OPTIONS
       Options in this section only apply to the  configuration	 file  section
       for  the	 specified  backend.   They  are  supported  by	 every type of
       backend.

       backend <databasetype>
	      Mark the	beginning  of  a  backend  definition.	<databasetype>
	      should  be  one  of  bdb,	 config, dnssrv, hdb, ldap, ldif, mdb,
	      meta,  monitor,  null,  passwd,  perl,  relay,  shell,  or  sql,
	      depending on which backend will serve the database.


GENERAL DATABASE OPTIONS
       Options	in  this  section only apply to the configuration file section
       for the database in which they are  defined.   They  are	 supported  by
       every  type of backend.	Note that the database and at least one suffix
       option are mandatory for each database.

       database <databasetype>
	      Mark the	beginning  of  a  new  database	 instance  definition.
	      <databasetype>  should be one of bdb, config, dnssrv, hdb, ldap,
	      ldif, mdb, meta, monitor, null, passwd, perl, relay,  shell,  or
	      sql, depending on which backend will serve the database.

	      LDAP operations, even subtree searches, normally access only one
	      database.	 That can be changed by gluing databases together with
	      the  subordinate keyword.	 Access controls and some overlays can
	      also involve multiple databases.

       add_content_acl on | off
	      Controls whether Add operations will perform ACL checks  on  the
	      content  of the entry being added. This check is off by default.
	      See the slapd.access(5) manual page  for	more  details  on  ACL
	      requirements for Add operations.

       extra_attrs <attrlist>
	      Lists  what  attributes  need  to	 be  added to search requests.
	      Local storage backends return the entire entry to the  frontend.
	      The   frontend  takes  care  of  only  returning	the  requested
	      attributes that are allowed by  ACLs.   However,	features  like
	      access checking and so may need specific attributes that are not
	      automatically returned by remote storage	backends,  like	 proxy
	      backends and so on.  <attrlist> is a list of attributes that are
	      needed  for  internal  purposes  and  thus  always  need	to  be
	      collected, even when not explicitly requested by clients.

       hidden on | off
	      Controls	whether the database will be used to answer queries. A
	      database that is hidden will never be  selected  to  answer  any
	      queries,	and  any  suffix  configured  on  the database will be
	      ignored  in  checks  for	conflicts  with	 other	databases.  By
	      default, hidden is off.

       lastmod on | off
	      Controls	 whether   slapd   will	  automatically	 maintain  the
	      modifiersName,	  modifyTimestamp,	creatorsName,	   and
	      createTimestamp  attributes  for	entries.  It also controls the
	      entryCSN and entryUUID  attributes,  which  are  needed  by  the
	      syncrepl provider. By default, lastmod is on.

       limits <selector> <limit> [<limit> [...]]
	      Specify  time and size limits based on the operation's initiator
	      or base DN.  The argument <selector> can be any of

		     anonymous	  |    users	|    [<dnspec>=]<pattern>    |
		     group[/oc[/at]]=<pattern>

	      with

		     <dnspec> ::= dn[.<type>][.<style>]

		     <type>  ::= self | this

		     <style>  ::= exact | base | onelevel | subtree | children
		     | regex | anonymous

	      DN type self is the default and means the bound user, while this
	      means  the base DN of the operation.  The term anonymous matches
	      all  unauthenticated  clients.   The  term  users	 matches   all
	      authenticated  clients; otherwise an exact dn pattern is assumed
	      unless otherwise specified  by  qualifying  the  (optional)  key
	      string dn with exact or base (which are synonyms), to require an
	      exact match; with onelevel, to  require  exactly	one  level  of
	      depth  match;  with  subtree, to allow any level of depth match,
	      including the exact match; with children, to allow any level  of
	      depth  match,  not  including  the exact match; regex explicitly
	      requires the  (default)  match  based  on	 POSIX	(''extended'')
	      regular  expression pattern.  Finally, anonymous matches unbound
	      operations; the pattern field is ignored.	 The same behavior  is
	      obtained	by  using the anonymous form of the <selector> clause.
	      The  term	 group,	 with  the   optional	objectClass   oc   and
	      attributeType  at	 fields,  followed by pattern, sets the limits
	      for any DN listed in the values of  the  at  attribute  (default
	      member) of the oc group objectClass (default groupOfNames) whose
	      DN exactly matches pattern.

	      The currently supported limits are size and time.

	      The syntax  for  time  limits  is	 time[.{soft|hard}]=<integer>,
	      where  integer  is  the  number  of  seconds  slapd  will	 spend
	      answering a search request.  If  no  time	 limit	is  explicitly
	      requested	 by  the  client,  the	soft  limit  is	 used;	if the
	      requested time limit exceeds the hard limit, the	value  of  the
	      limit  is used instead.  If the hard limit is set to the keyword
	      soft, the soft limit is used in either case; if it is set to the
	      keyword unlimited, no hard limit is enforced.  Explicit requests
	      for time limits smaller or equal to the hard limit are  honored.
	      If  no limit specifier is set, the value is assigned to the soft
	      limit, and the hard limit	 is  set  to  soft,  to	 preserve  the
	      original behavior.

	      The	 syntax	       for	  size	      limits	    is
	      size[.{soft|hard|unchecked}]=<integer>,  where  integer  is  the
	      maximum  number  of entries slapd will return answering a search
	      request.	If no  size  limit  is	explicitly  requested  by  the
	      client,  the  soft  limit	 is  used; if the requested size limit
	      exceeds the hard limit, the value of the limit is used  instead.
	      If  the hard limit is set to the keyword soft, the soft limit is
	      used in either case; if it is set to the keyword	unlimited,  no
	      hard  limit  is  enforced.   Explicit  requests  for size limits
	      smaller or equal to the hard limit are honored.	The  unchecked
	      specifier	 sets  a  limit	 on  the number of candidates a search
	      request is allowed to examine.  The rationale behind it is  that
	      searches for non-properly indexed attributes may result in large
	      sets of candidates,  which  must	be  examined  by  slapd(8)  to
	      determine	 whether  they	match  the  search filter or not.  The
	      unchecked limit provides a means to drop such operations	before
	      they  are	 even  started.	 If the selected candidates exceed the
	      unchecked	 limit,	 the  search  will  abort  with	 Unwilling  to
	      perform.	 If  it	 is  set to the keyword unlimited, no limit is
	      applied (the default).  If it is set to disabled, the search  is
	      not  even performed; this can be used to disallow searches for a
	      specific set of users.  If no limit specifier is set, the	 value
	      is  assigned  to	the  soft  limit, and the hard limit is set to
	      soft, to preserve the original behavior.

	      In case of no match, the global limits are  used.	  The  default
	      values  are the same as for sizelimit and timelimit; no limit is
	      set on unchecked.

	      If pagedResults control is requested, the	 hard  size  limit  is
	      used  by default, because the request of a specific page size is
	      considered an explicit request for a limitation on the number of
	      entries  to be returned.	However, the size limit applies to the
	      total count of entries returned within the search, and not to  a
	      single page.  Additional size limits may be enforced; the syntax
	      is size.pr={<integer>|noEstimate|unlimited},  where  integer  is
	      the  max	page  size  if	no  explicit limit is set; the keyword
	      noEstimate inhibits the server from returning an estimate of the
	      total  number  of	 entries  that	might  be  returned (note: the
	      current implementation  does  not	 return	 any  estimate).   The
	      keyword  unlimited  indicates  that  no  limit is applied to the
	      pagedResults     control	   page	    size.      The	syntax
	      size.prtotal={<integer>|unlimited|disabled}   allows  to	set  a
	      limit on the total number of entries that a pagedResults control
	      allows to return.	 By default it is set to the hard limit.  When
	      set, integer is the max number of entries that the whole	search
	      with  pagedResults  control  can return.	Use unlimited to allow
	      unlimited number of entries to be returned, e.g.	to  allow  the
	      use  of  the  pagedResults control as a means to circumvent size
	      limitations on regular searches; the keyword  disabled  disables
	      the  control,  i.e. no paged results can be returned.  Note that
	      the total number	of  entries  returned  when  the  pagedResults
	      control  is  requested  cannot  exceed  the  hard	 size limit of
	      regular searches unless extended by the prtotal switch.

	      The limits statement is  typically  used	to  let	 an  unlimited
	      number  of  entries  be  returned by searches performed with the
	      identity used by the consumer for	 synchronization  purposes  by
	      means of the RFC 4533 LDAP Content Synchronization protocol (see
	      syncrepl for details).

       maxderefdepth <depth>
	      Specifies the maximum number  of	aliases	 to  dereference  when
	      trying  to resolve an entry, used to avoid infinite alias loops.
	      The default is 15.

       mirrormode on | off
	      This option puts a replica database into "mirror" mode.	Update
	      operations  will	be  accepted  from  any	 user,	not  just  the
	      updatedn.	 The database must already be configured as a syncrepl
	      consumer before this keyword may be set. This mode also requires
	      a serverID (see above) to be configured.	By default, mirrormode
	      is off.

       monitoring on | off
	      This  option  enables  database-specific monitoring in the entry
	      related to the current database in the "cn=Databases,cn=Monitor"
	      subtree  of  the	monitor	 database,  if the monitor database is
	      enabled.	Currently, only the BDB and the HDB databases  provide
	      database-specific	  monitoring.	The  default  depends  on  the
	      backend type.

       overlay <overlay-name>
	      Add the specified overlay to this	 database.  An	overlay	 is  a
	      piece  of	 code  that intercepts database operations in order to
	      extend or change them. Overlays are pushed onto a stack over the
	      database,	 and  so they will execute in the reverse of the order
	      in which they were  configured  and  the	database  itself  will
	      receive  control	last  of all. See the slapd.overlays(5) manual
	      page for an overview of the available overlays.  Note  that  all
	      of  the  database's regular settings should be configured before
	      any overlay settings.

       readonly on | off
	      This option  puts	 the  database	into  "read-only"  mode.   Any
	      attempts	to  modify  the	 database will return an "unwilling to
	      perform" error.  By default, readonly is off.

       restrict <oplist>
	      Specify a whitespace  separated  list  of	 operations  that  are
	      restricted.    If	  defined  inside  a  database	specification,
	      restrictions apply only to that  database,  otherwise  they  are
	      global.	Operations  can	 be any of add, bind, compare, delete,
	      extended[=<OID>], modify, rename, search, or the special pseudo-
	      operations read and write, which respectively summarize read and
	      write operations.	 The use of restrict write  is	equivalent  to
	      readonly	on  (see  above).   The	 extended  keyword  allows  to
	      indicate the OID of the specific operation to be restricted.

       rootdn <dn>
	      Specify the distinguished name that is  not  subject  to	access
	      control  or  administrative limit restrictions for operations on
	      this database.  This DN may or may not  be  associated  with  an
	      entry.   An empty root DN (the default) specifies no root access
	      is to be granted.	 It is recommended that	 the  rootdn  only  be
	      specified	 when  needed  (such  as  when	initially populating a
	      database).  If the rootdn is within a namingContext (suffix)  of
	      the  database, a simple bind password may also be provided using
	      the  rootpw  directive.  Many   optional	 features,   including
	      syncrepl, require the rootdn to be defined for the database.

       rootpw <password>
	      Specify  a  password  (or	 hash of the password) for the rootdn.
	      The password can only  be	 set  if  the  rootdn  is  within  the
	      namingContext (suffix) of the database.  This option accepts all
	      RFC  2307	 userPassword  formats	known  to  the	 server	  (see
	      password-hash  description) as well as cleartext.	 slappasswd(8)
	      may be used to generate a hash of	 a  password.	Cleartext  and
	      {CRYPT}  passwords are not recommended.  If empty (the default),
	      authentication of the root DN is by  other  means	 (e.g.	SASL).
	      Use of SASL is encouraged.

       suffix <dn suffix>
	      Specify  the  DN	suffix	of queries that will be passed to this
	      backend database.	 Multiple suffix lines can  be	given  and  at
	      least one is required for each database definition.

	      If  the  suffix of one database is "inside" that of another, the
	      database	with  the  inner  suffix  must	come  first   in   the
	      configuration  file.   You  may also want to glue such databases
	      together with the subordinate keyword.

       subordinate [advertise]
	      Specify that the current backend database is  a  subordinate  of
	      another  backend database. A subordinate	database may have only
	      one suffix. This option may be used to glue  multiple  databases
	      into  a  single  namingContext.	If  the	 suffix of the current
	      database is within the namingContext  of	a  superior  database,
	      searches against the superior database will be propagated to the
	      subordinate as well. All of  the	databases  associated  with  a
	      single namingContext should have identical rootdns.  Behavior of
	      other  LDAP  operations  is  unaffected  by  this	 setting.   In
	      particular,  it  is  not	possible to use moddn to move an entry
	      from  one	 subordinate  to  another   subordinate	  within   the
	      namingContext.

	      If  the  optional advertise flag is supplied, the naming context
	      of this database is advertised in the root DSE. The  default  is
	      to hide this database context, so that only the superior context
	      is visible.

	      If the slap tools slapcat(8), slapadd(8),	 or  slapindex(8)  are
	      used  on	the  superior  database,  any  glued subordinates that
	      support these tools are opened as well.

	      Databases that are glued together should usually	be  configured
	      with the same indices (assuming they support indexing), even for
	      attributes that only  exist  in  some  of	 these	databases.  In
	      general,	all  of	 the  glued  databases should be configured as
	      similarly as possible,  since  the  intent  is  to  provide  the
	      appearance of a single directory.

	      Note   that   the	  subordinate	functionality  is  implemented
	      internally by the glue overlay and as  such  its	behavior  will
	      interact	with  other  overlays  in  use.	 By  default, the glue
	      overlay is automatically configured as the last overlay  on  the
	      superior	backend. Its position on the backend can be explicitly
	      configured by setting an overlay glue directive at  the  desired
	      position.	 This  explicit	 configuration is necessary e.g.  when
	      using the syncprov overlay, which needs to follow glue in	 order
	      to work over all of the glued databases. E.g.
		   database bdb
		   suffix dc=example,dc=com
		   ...
		   overlay glue
		   overlay syncprov

       sync_use_subentry
	      Store  the  syncrepl  contextCSN	in  a  subentry instead of the
	      context entry of	the  database.	The  subentry's	 RDN  will  be
	      "cn=ldapsync".  By  default  the	contextCSN  is	stored	in the
	      context entry.

       syncrepl	   rid=<replica	   ID>	  provider=ldap[s]://<hostname>[:port]
	      searchbase=<base	   DN>	  [type=refreshOnly|refreshAndPersist]
	      [interval=dd:hh:mm:ss]   [retry=[<retry	 interval>    <#    of
	      retries>]+]  [filter=<filter  str>]  [scope=sub|one|base|subord]
	      [attrs=<attr   list>]    [exattrs=<attr	 list>]	   [attrsonly]
	      [sizelimit=<limit>]  [timelimit=<limit>] [schemachecking=on|off]
	      [network-timeout=<seconds>]		   [timeout=<seconds>]
	      [bindmethod=simple|sasl]	   [binddn=<dn>]     [saslmech=<mech>]
	      [authcid=<identity>] [authzid=<identity>] [credentials=<passwd>]
	      [realm=<realm>]			       [secprops=<properties>]
	      [keepalive=<idle>:<probes>:<interval>]   [starttls=yes|critical]
	      [tls_cert=<file>]	     [tls_key=<file>]	   [tls_cacert=<file>]
	      [tls_cacertdir=<path>]	  [tls_reqcert=never|allow|try|demand]
	      [tls_ciphersuite=<ciphers>]	  [tls_crlcheck=none|peer|all]
	      [tls_protocol_min=<major>[.<minor>]]  [suffixmassage=<real  DN>]
	      [logbase=<base	    DN>]	[logfilter=<filter	 str>]
	      [syncdata=default|accesslog|changelog]
	      Specify the current database as a replica which is  kept	up-to-
	      date  with  the  master  content	by  establishing  the  current
	      slapd(8) as a  replication  consumer  site  running  a  syncrepl
	      replication engine.  The replica content is kept synchronized to
	      the  master  content  using  the	LDAP  Content  Synchronization
	      protocol.	 Refer	to  the	 "OpenLDAP  Administrator's Guide" for
	      detailed information on setting up a replicated slapd  directory
	      service using the syncrepl replication engine.

	      rid   identifies	the  current  syncrepl	directive  within  the
	      replication consumer site.  It is	 a  non-negative  integer  not
	      greater than 999 (limited to three decimal digits).

	      provider	specifies the replication provider site containing the
	      master content as an LDAP URI.  If  <port>  is  not  given,  the
	      standard LDAP port number (389 or 636) is used.

	      The  content  of	the syncrepl replica is defined using a search
	      specification as its result set. The consumer  slapd  will  send
	      search  requests	to  the provider slapd according to the search
	      specification. The  search  specification	 includes  searchbase,
	      scope,   filter,	attrs,	attrsonly,  sizelimit,	and  timelimit
	      parameters as in the normal  search  specification.   The	 scope
	      defaults	to  sub, the filter defaults to (objectclass=*), while
	      there is no default searchbase. The attrs list defaults to "*,+"
	      to  return all user and operational attributes, and attrsonly is
	      unset by default.	  The  sizelimit  and  timelimit  only	accept
	      "unlimited"   and	  positive   integers,	and  both  default  to
	      "unlimited".  The sizelimit and timelimit	 parameters  define  a
	      consumer	requested limitation on the number of entries that can
	      be returned by the LDAP Content  Synchronization	operation;  as
	      such,  it	 is intended to implement partial replication based on
	      the size of the replicated database and on the time required  by
	      the  synchronization.   Note,  however,  that  any provider-side
	      limits for the replication identity  will	 be  enforced  by  the
	      provider	regardless of the limits requested by the LDAP Content
	      Synchronization  operation,  much	 like  for  any	 other	search
	      operation.    exattrs   option  may  also	 be  used  to  specify
	      attributes that should be omitted from  incoming	entries.   The
	      scope  defaults  to sub, the filter defaults to (objectclass=*),
	      and there is no default searchbase. The attrs list  defaults  to
	      "*,+"  to	 return	 all  user  and	 operational  attributes,  and
	      attrsonly and exattrs are unset by default.  The	sizelimit  and
	      timelimit	 only  accept  "unlimited"  and positive integers, and
	      both default to "unlimited".  Note, however, that any  provider-
	      side limits for the replication identity will be enforced by the
	      provider regardless of the limits requested by the LDAP  Content
	      Synchronization  operation,  much	 like  for  any	 other	search
	      operation.

	      The LDAP Content	Synchronization	 protocol  has	two  operation
	      types.   In  the refreshOnly operation, the next synchronization
	      search operation is periodically rescheduled at an interval time
	      (specified  by  interval parameter; 1 day by default) after each
	      synchronization operation finishes.   In	the  refreshAndPersist
	      operation,  a  synchronization  search remains persistent in the
	      provider slapd.  Further updates	to  the	 master	 replica  will
	      generate	searchResultEntry  to the consumer slapd as the search
	      responses to the persistent synchronization search.

	      If an error occurs during replication, the consumer will attempt
	      to reconnect according to the retry parameter which is a list of
	      the <retry interval> and <# of  retries>	pairs.	 For  example,
	      retry="60 10 300 3" lets the consumer retry every 60 seconds for
	      the first 10 times and then retry every 300 seconds for the next
	      3	 times	before	stop retrying. The `+' in <# of retries> means
	      indefinite number of retries until success.   If	no  retry  was
	      specified, by default syncrepl retries every hour forever.

	      The  schema  checking  can be enforced at the LDAP Sync consumer
	      site by turning on the schemachecking parameter. The default  is
	      off.  Schema checking on means that replicated entries must have
	      a structural objectClass, must obey to objectClass  requirements
	      in   terms  of  required/allowed	attributes,  and  that	naming
	      attributes and distinguished  values  must  be  present.	 As  a
	      consequence,   schema   checking	should	be  off	 when  partial
	      replication is used.

	      The network-timeout parameter sets how long  the	consumer  will
	      wait  to	establish a network connection to the provider. Once a
	      connection is established, the timeout parameter determines  how
	      long  the	 consumer  will	 wait  for the initial Bind request to
	      complete.	 The  defaults	for   these   parameters   come	  from
	      ldap.conf(5).

	      A	  bindmethod   of  simple  requires  the  options  binddn  and
	      credentials and should  only  be	used  when  adequate  security
	      services	(e.g.  TLS  or	IPSEC) are in place.  REMEMBER: simple
	      bind credentials must be in cleartext!   A  bindmethod  of  sasl
	      requires	the  option  saslmech.	Depending on the mechanism, an
	      authentication identity  and/or  credentials  can	 be  specified
	      using  authcid  and  credentials.	  The authzid parameter may be
	      used to specify an authorization	identity.   Specific  security
	      properties  (as with the sasl-secprops keyword above) for a SASL
	      bind can be set with the secprops option.	 A  non	 default  SASL
	      realm  can  be set with the realm option.	 The identity used for
	      synchronization by the consumer should be allowed to receive  an
	      unlimited	 number	 of  entries  in response to a search request.
	      The provider, other than allow authentication  of	 the  syncrepl
	      identity,	  should   grant   that	 identity  appropriate	access
	      privileges  to  the  data	 that  is  being  replicated   (access
	      directive),  and	appropriate time and size limits.  This can be
	      accomplished  by	either	allowing   unlimited   sizelimit   and
	      timelimit,  or by setting an appropriate limits statement in the
	      consumer's configuration (see sizelimit and limits for details).

	      The keepalive parameter sets the values  of  idle,  probes,  and
	      interval	used  to  check whether a socket is alive; idle is the
	      number of seconds a connection needs to remain idle  before  TCP
	      starts sending keepalive probes; probes is the maximum number of
	      keepalive probes TCP should send before dropping the connection;
	      interval	is  interval  in  seconds between individual keepalive
	      probes.  Only some systems support the  customization  of	 these
	      values;  the  keepalive  parameter  is  ignored  otherwise,  and
	      system-wide settings are used.

	      The starttls parameter specifies use of  the  StartTLS  extended
	      operation	 to  establish	a  TLS	session	 before Binding to the
	      provider. If the critical argument is supplied, the session will
	      be aborted if the StartTLS request fails. Otherwise the syncrepl
	      session continues without TLS. The tls_reqcert setting  defaults
	      to  "demand"  and	 the other TLS settings default to the same as
	      the main slapd TLS settings.

	      The suffixmassage parameter allows the consumer to pull  entries
	      from  a  remote directory whose DN suffix differs from the local
	      directory. The portion of the remote entries' DNs	 that  matches
	      the searchbase will be replaced with the suffixmassage DN.

	      Rather  than  replicating	 whole entries, the consumer can query
	      logs of data modifications. This mode of operation  is  referred
	      to  as  delta syncrepl. In addition to the above parameters, the
	      logbase and logfilter parameters must be set  appropriately  for
	      the log that will be used. The syncdata parameter must be set to
	      either "accesslog" if the log conforms to the slapo-accesslog(5)
	      log  format,  or "changelog" if the log conforms to the obsolete
	      changelog format. If the syncdata parameter is omitted or set to
	      "default" then the log parameters are ignored.

       updatedn <dn>
	      This  option  is	only  applicable  in  a	 slave	database.   It
	      specifies	 the  DN  permitted  to	 update	 (subject  to	access
	      controls)	 the  replica.	It is only needed in certain push-mode
	      replication scenarios.  Generally, this DN  should  not  be  the
	      same as the rootdn used at the master.

       updateref <url>
	      Specify  the  referral  to  pass	back when slapd(8) is asked to
	      modify a	replicated  local  database.   If  specified  multiple
	      times, each url is provided.


DATABASE-SPECIFIC OPTIONS
       Each  database  may  allow  specific  configuration  options;  they are
       documented  separately  in  the	backends'  manual   pages.   See   the
       slapd.backends(5) manual page for an overview of available backends.

EXAMPLES
       Here is a short example of a configuration file:

	      include	/etc/openldap/schema/core.schema
	      pidfile	/var/run/slapd.pid

	      # Subtypes of "name" (e.g. "cn" and "ou") with the
	      # option ";x-hidden" can be searched for/compared,
	      # but are not shown.  See slapd.access(5).
	      attributeoptions x-hidden lang-
	      access to attrs=name;x-hidden by * =cs

	      # Protect passwords.  See slapd.access(5).
	      access	to attrs=userPassword  by * auth
	      # Read access to other attributes and entries.
	      access	to *  by * read

	      database	bdb
	      suffix	"dc=our-domain,dc=com"
	      # The database directory MUST exist prior to
	      # running slapd AND should only be accessible
	      # by the slapd/tools. Mode 0700 recommended.
	      directory /var/openldap-data
	      # Indices to maintain
	      index	objectClass  eq
	      index	cn,sn,mail   pres,eq,approx,sub

	      # We serve small clients that do not handle referrals,
	      # so handle remote lookups on their behalf.
	      database	ldap
	      suffix	""
	      uri	ldap://ldap.some-server.com/
	      lastmod	off

       "OpenLDAP Administrator's Guide" contains a longer annotated example of
       a configuration file.  The original /etc/openldap/slapd.conf is another
       example.

FILES
       /etc/openldap/slapd.conf
	      default slapd configuration file

SEE ALSO
       ldap(3),	     gnutls-cli(1),	 slapd-config(5),     slapd.access(5),
       slapd.backends(5),   slapd.overlays(5),	 slapd.plugin(5),    slapd(8),
       slapacl(8),    slapadd(8),    slapauth(8),    slapcat(8),    slapdn(8),
       slapindex(8), slappasswd(8), slaptest(8).

       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

ACKNOWLEDGEMENTS
       OpenLDAP Software is developed and maintained by The  OpenLDAP  Project
       <http://www.openldap.org/>.    OpenLDAP	 Software   is	 derived  from
       University of Michigan LDAP 3.3 Release.



OpenLDAP 2.4.40			  2014/09/20			 SLAPD.CONF(5)