slapd.conf.5

ldap服务器源码

Specify the steps used in subany index lookups. This value sets the offset
for the segments of a filter string that are processed for a subany index
lookup. The default is 2. For example, with the default values, a search
using this filter "cn=*abcdefgh*" would generate index lookups for
"abcd", "cdef", and "efgh".

.\"-- NEW_LOGGING option --
.\".TP
.\".B logfile <filename>
.\"Specify a file for recording debug log messages. By default these messages
.\"only go to stderr and are not recorded anywhere else. Specifying a logfile
.\"copies messages to both stderr and the logfile.
.TP
.B localSSF <SSF>
Specifies the Security Strength Factor (SSF) to be given local LDAP sessions,
such as those to the ldapi:// listener.  For a description of SSF values,
see 
.BR sasl-secprops 's
.B minssf
option description.  The default is 71.
.TP
.B loglevel <integer> [...]
Specify the level at which debugging statements and operation 
statistics should be syslogged (currently logged to the
.BR syslogd (8) 
LOG_LOCAL4 facility).
They must be considered subsystems rather than increasingly verbose 
log levels.
Some messages with higher priority are logged regardless 
of the configured loglevel as soon as some logging is configured,
otherwise anything is logged at all.
Log levels are additive, and available levels are:
.RS
.RS
.PD 0
.TP
.B 1
.B (0x1 trace)
trace function calls
.TP
.B 2
.B (0x2 packet)
debug packet handling
.TP
.B 4
.B (0x4 args)
heavy trace debugging (function args)
.TP
.B 8
.B (0x8 conns)
connection management
.TP
.B 16
.B (0x10 BER)
print out packets sent and received
.TP
.B 32
.B (0x20 filter)
search filter processing
.TP
.B 64
.B (0x40 config)
configuration file processing
.TP
.B 128
.B (0x80 ACL)
access control list processing
.TP
.B 256
.B (0x100 stats)
stats log connections/operations/results
.TP
.B 512
.B (0x200 stats2)
stats log entries sent
.TP
.B 1024
.B (0x400 shell)
print communication with shell backends
.TP
.B 2048
.B (0x800 parse)
entry parsing
.TP
.B 4096
.B (0x1000 cache)
caching (unused)
.TP
.B 8192
.B (0x2000 index)
data indexing (unused)
.TP
.B 16384
.B (0x4000 sync)
LDAPSync replication
.TP
.B 32768
.B (0x8000 none)
only messages that get logged whatever log level is set
.PD
.RE
The desired log level can be input as a single integer that combines 
the (ORed) desired levels, both in decimal or in hexadecimal notation,
as a list of integers (that are ORed internally),
or as a list of the names that are shown between brackets, such that
.LP
.nf
    loglevel 129
    loglevel 0x81
    loglevel 128 1
    loglevel 0x80 0x1
    loglevel acl trace
.fi
.LP
are equivalent.
The keyword 
.B any
can be used as a shortcut to enable logging at all levels (equivalent to -1).
The keyword
.BR none ,
or the equivalent integer representation, causes those messages
that are logged regardless of the configured loglevel to be logged.
In fact, if no loglevel (or a 0 level) is defined, no logging occurs, 
so at least the 
.B none
level is required to have high priority messages logged.
.RE
.TP
.B moduleload <filename>
Specify the name of a dynamically loadable module to load. The filename
may be an absolute path name or a simple filename. Non-absolute names
are searched for in the directories specified by the
.B modulepath
option. This option and the
.B modulepath
option are only usable if slapd was compiled with --enable-modules.
.TP
.B modulepath <pathspec>
Specify a list of directories to search for loadable modules. Typically
the path is colon-separated but this depends on the operating system.
.HP
.hy 0
.B objectclass "(\ <oid>\
 [NAME\ <name>]\
 [DESC\ <description>]\
 [OBSOLETE]\
 [SUP\ <oids>]\
 [{ ABSTRACT | STRUCTURAL | AUXILIARY }]\
 [MUST\ <oids>] [MAY\ <oids>] )"
.RS
Specify an objectclass using the LDAPv3 syntax defined in RFC 4512.
The slapd parser extends the RFC 4512 definition by allowing string
forms as well as numeric OIDs to be used for the object class OID.
(See the
.B
objectidentifier
description.)  Object classes are "STRUCTURAL" by default.
.RE
.TP
.B objectidentifier <name> "{ <oid> | <name>[:<suffix>] }"
Define a string name that equates to the given OID. The string can be used
in place of the numeric OID in objectclass and attribute definitions. The
name can also be used with a suffix of the form ":xx" in which case the
value "oid.xx" will be used.
.TP
.B password-hash <hash> [<hash>...]
This option configures one or more hashes to be used in generation of user
passwords stored in the userPassword attribute during processing of
LDAP Password Modify Extended Operations (RFC 3062).
The <hash> must be one of
.BR {SSHA} ,
.BR {SHA} ,
.BR {SMD5} ,
.BR {MD5} ,
.BR {CRYPT} ,
and
.BR {CLEARTEXT} .
The default is
.BR {SSHA} .

.B {SHA}
and
.B {SSHA}
use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.

.B {MD5}
and
.B {SMD5}
use the MD5 algorithm (RFC 1321), the latter with a seed.

.B {CRYPT}
uses the
.BR crypt (3).

.B {CLEARTEXT}
indicates that the new password should be
added to userPassword as clear text.

Note that this option does not alter the normal user applications
handling of userPassword during LDAP Add, Modify, or other LDAP operations.
.TP
.B password\-crypt\-salt\-format <format>
Specify the format of the salt passed to
.BR crypt (3)
when generating {CRYPT} passwords (see
.BR password\-hash )
during processing of LDAP Password Modify Extended Operations (RFC 3062).

This string needs to be in
.BR sprintf (3)
format and may include one (and only one) %s conversion.
This conversion will be substituted with a string of random
characters from [A\-Za\-z0\-9./].  For example, "%.2s"
provides a two character salt and "$1$%.8s" tells some
versions of crypt(3) to use an MD5 algorithm and provides
8 random characters of salt.  The default is "%s", which
provides 31 characters of salt.
.TP
.B pidfile <filename>
The ( absolute ) name of a file that will hold the 
.B slapd
server's process ID ( see
.BR getpid (2)
) if started without the debugging command line option.
.TP
.B referral <url>
Specify the referral to pass back when
.BR slapd (8)
cannot find a local database to handle a request.
If specified multiple times, each url is provided.
.TP
.B replica-argsfile
The ( absolute ) name of a file that will hold the 
.B slurpd
server's command line options
if started without the debugging command line option.
.TP
.B replica-pidfile
The ( absolute ) name of a file that will hold the 
.B slurpd
server's process ID ( see
.BR getpid (2)
) if started without the debugging command line option.
.TP
.B replicationinterval
The number of seconds 
.B slurpd 
waits before checking the replogfile for changes.
.TP
.B require <conditions>
Specify a set of conditions (separated by white space) to
require (default none).
The directive may be specified globally and/or per-database;
databases inherit global conditions, so per-database specifications
are additive.
.B bind
requires bind operation prior to directory operations.
.B LDAPv3
requires session to be using LDAP version 3.
.B authc
requires authentication prior to directory operations.
.B SASL
requires SASL authentication prior to directory operations.
.B strong
requires strong authentication prior to directory operations.
The strong keyword allows protected "simple" authentication
as well as SASL authentication.
.B none
may be used to require no conditions (useful to clear out globally
set conditions within a particular database); it must occur first
in the list of conditions.
.TP
.B reverse-lookup on | off
Enable/disable client name unverified reverse lookup (default is 
.BR off 
if compiled with --enable-rlookups).
.TP
.B rootDSE <file>
Specify the name of an LDIF(5) file containing user defined attributes
for the root DSE.  These attributes are returned in addition to the
attributes normally produced by slapd.
.TP
.B sasl-host <fqdn>
Used to specify the fully qualified domain name used for SASL processing.
.TP
.B sasl-realm <realm>
Specify SASL realm.  Default is empty.
.TP
.B sasl-secprops <properties>
Used to specify Cyrus SASL security properties.
The
.B none
flag (without any other properties) causes the flag properties
default, "noanonymous,noplain", to be cleared.
The
.B noplain
flag disables mechanisms susceptible to simple passive attacks.
The
.B noactive
flag disables mechanisms susceptible to active attacks.
The
.B nodict
flag disables mechanisms susceptible to passive dictionary attacks.
The
.B noanonymous
flag disables mechanisms which support anonymous login.
The
.B forwardsec
flag require forward secrecy between sessions.
The
.B passcred
require mechanisms which pass client credentials (and allow
mechanisms which can pass credentials to do so).
The
.B minssf=<factor> 
property specifies the minimum acceptable
.I security strength factor
as an integer approximate to effective key length used for
encryption.  0 (zero) implies no protection, 1 implies integrity
protection only, 56 allows DES or other weak ciphers, 112
allows triple DES and other strong ciphers, 128 allows RC4,
Blowfish and other modern strong ciphers.  The default is 0.
The
.B maxssf=<factor> 
property specifies the maximum acceptable
.I security strength factor
as an integer (see minssf description).  The default is INT_MAX.
The
.B maxbufsize=<size> 
property specifies the maximum security layer receive buffer
size allowed.  0 disables security layers.  The default is 65536.
.TP
.B schemadn <dn>
Specify the distinguished name for the subschema subentry that
controls the entries on this server.  The default is "cn=Subschema".
.TP
.B security <factors>
Specify a set of security strength factors (separated by white space)
to require (see
.BR sasl-secprops 's
.B minssf
option for a description of security strength factors).
The directive may be specified globally and/or per-database.
.B ssf=<n>
specifies the overall security strength factor.
.B transport=<n>
specifies the transport security strength factor.
.B tls=<n>
specifies the TLS security strength factor.
.B sasl=<n>
specifies the SASL security strength factor.
.B update_ssf=<n>
specifies the overall security strength factor to require for
directory updates.
.B update_transport=<n>
specifies the transport security strength factor to require for
directory updates.
.B update_tls=<n>
specifies the TLS security strength factor to require for
directory updates.
.B update_sasl=<n>
specifies the SASL security strength factor to require for
directory updates.
.B simple_bind=<n>
specifies the security strength factor required for
.I simple
username/password authentication.
Note that the
.B transport
factor is measure of security provided by the underlying transport,
e.g. ldapi:// (and eventually IPSEC).  It is not normally used.
.TP
.B sizelimit {<integer>|unlimited}
.TP
.B sizelimit size[.{soft|hard|unchecked}]=<integer> [...]
Specify the maximum number of entries to return from a search operation.
The default size limit is 500.
Use
.B unlimited
to specify no limits.
The second format allows a fine grain setting of the size limits.
Extra args can be added on the same line.
See
.BR limits
for an explanation of the different flags.
.TP
.B sockbuf_max_incoming <integer>
Specify the maximum incoming LDAP PDU size for anonymous sessions.
The default is 262143.
.TP
.B sockbuf_max_incoming_auth <integer>
Specify the maximum incoming LDAP PDU size for authenticated sessions.
The default is 4194303.
.TP
.B threads <integer>
Specify the maximum size of the primary thread pool.
The default is 16; the minimum value is 2.
.TP
.B timelimit {<integer>|unlimited}
.TP
.B timelimit time[.{soft|hard}]=<integer> [...]
Specify the maximum number of seconds (in real time)
.B slapd
will spend answering a search request.  The default time limit is 3600.
Use
.B unlimited
to specify no limits.
The second format allows a fine grain setting of the time limits.
Extra args can be added on the same line.
See
.BR limits
for an explanation of the different flags.
.TP
.B tool-threads <integer>
Specify the maximum number of threads to use in tool mode.
This should not be greater than the number of CPUs in the system.
The default is 1.
.\"ucdata-path is obsolete / ignored...
.\".TP
.\".B ucdata-path <path>
.\"Specify the path to the directory containing the Unicode character
.\"tables. The default path is DATADIR/ucdata.
.SH TLS OPTIONS
If
.B slapd
is built with support for Transport Layer Security, there are more options
you can specify.
.TP
.B TLSCipherSuite <cipher-suite-spec>
Permits configuring what ciphers will be accepted and the preference order.
<cipher-suite-spec> should be a cipher specification for OpenSSL.  Example:

TLSCipherSuite HIGH:MEDIUM:+SSLv2

To check what ciphers a given spec selects, use:

openssl ciphers -v <cipher-suite-spec>
.TP
.B TLSCACertificateFile <filename>
Specifies the file that contains certificates for all of the Certificate
Authorities that
.B slapd
will recognize.
.TP
.B TLSCACertificatePath <path>
Specifies the path of a directory that contains Certificate Authority
certificates in separate individual files. Usually only one of this
or the TLSCACertificateFile is used.
.TP
.B TLSCertificateFile <filename>
Specifies the file that contains the
.B slapd
server certificate.
.TP
.B TLSCertificateKeyFile <filename>
Specifies the file that contains the
.B slapd
server private key that matches the certificate stored in the
.B TLSCertificateFile
file.  Currently, the private key must not be protected with a password, so
it is of critical importance that it is protected carefully. 
.TP
.B TLSDHParamFile <filename>
This directive specifies the file that contains parameters for Diffie-Hellman
ephemeral key exchange.  This is required in order to use a DSA certificate on
the server. If multiple sets of parameters are present in the file, all of
them will be processed.  Note that setting this option may also enable
Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
You should append "!ADH" to your cipher suites if you have changed them
from the default, otherwise no certificate exchanges or verification will
be done.
.TP
.B TLSRandFile <filename>
Specifies the file to obtain random bits from when /dev/[u]random
is not available.  Generally set to the name of the EGD/PRNGD socket.
The environment variable RANDFILE can also be used to specify the filename.
.TP
.B TLSVerifyClient <level>
Specifies what checks to perform on client certificates in an
incoming TLS session, if any.
The
.B <level>
can be specified as one of the following keywords:
.RS
.TP
.B never
This is the default.