slapd.conf.5

ldap服务器源码

.B slapd
will not ask the client for a certificate.
.TP
.B allow
The client certificate is requested.  If no certificate is provided,
the session proceeds normally.  If a bad certificate is provided,
it will be ignored and the session proceeds normally.
.TP
.B try
The client certificate is requested.  If no certificate is provided,
the session proceeds normally.  If a bad certificate is provided,
the session is immediately terminated.
.TP
.B demand | hard | true
These keywords are all equivalent, for compatibility reasons.
The client certificate is requested.  If no certificate is provided,
or a bad certificate is provided, the session is immediately terminated.

Note that a valid client certificate is required in order to use the
SASL EXTERNAL authentication mechanism with a TLS session.  As such,
a non-default
.B TLSVerifyClient
setting must be chosen to enable SASL EXTERNAL authentication.
.RE
.TP
.B TLSCRLCheck <level>
Specifies if the Certificate Revocation List (CRL) of the CA should be 
used to verify if the client certificates have not been revoked. This
requires
.B TLSCACertificatePath
parameter to be set.
.B <level>
can be specified as one of the following keywords:
.RS
.TP
.B none
No CRL checks are performed
.TP
.B peer
Check the CRL of the peer certificate
.TP
.B all
Check the CRL for a whole certificate chain
.RE
.SH GENERAL BACKEND OPTIONS
Options in this section only apply to the configuration file section
for the specified backend.  They are supported by every
type of backend.
.TP
.B backend <databasetype>
Mark the beginning of a backend definition. <databasetype>
should be one of
.BR bdb ,
.BR config ,
.BR dnssrv ,
.BR hdb ,
.BR ldap ,
.BR ldbm ,
.BR ldif ,
.BR meta ,
.BR monitor ,
.BR null ,
.BR passwd ,
.BR perl ,
.BR relay ,
.BR shell ,
or
.BR sql ,
depending on which backend will serve the database.

.SH GENERAL DATABASE OPTIONS
Options in this section only apply to the configuration file section
for the database in which they are defined.  They are supported by every
type of backend.  Note that the
.B database
and at least one
.B suffix
option are mandatory for each database.
.TP
.B database <databasetype>
Mark the beginning of a new database instance definition. <databasetype>
should be one of
.BR bdb ,
.BR config ,
.BR dnssrv ,
.BR hdb ,
.BR ldap ,
.BR ldbm ,
.BR ldif ,
.BR meta ,
.BR monitor ,
.BR null ,
.BR passwd ,
.BR perl ,
.BR relay ,
.BR shell ,
or
.BR sql ,
depending on which backend will serve the database.
.TP
.B lastmod on | off
Controls whether
.B slapd
will automatically maintain the 
modifiersName, modifyTimestamp, creatorsName, and 
createTimestamp attributes for entries. It also controls
the entryCSN and entryUUID attributes, which are needed
by the syncrepl provider. By default, lastmod is on.
.TP
.B limits <who> <limit> [<limit> [...]]
Specify time and size limits based on who initiated an operation.
The argument
.B who
can be any of
.RS
.RS
.TP
anonymous | users | [dn[.<style>]=]<pattern> | group[/oc[/at]]=<pattern>

.RE
with
.RS
.TP
<style> ::= exact | base | onelevel | subtree | children | regex | anonymous

.RE
The term
.B anonymous
matches all unauthenticated clients.
The term
.B users
matches all authenticated clients;
otherwise an
.B exact
dn pattern is assumed unless otherwise specified by qualifying 
the (optional) key string
.B dn
with 
.B exact
or
.B base
(which are synonyms), to require an exact match; with
.BR onelevel , 
to require exactly one level of depth match; with
.BR subtree ,
to allow any level of depth match, including the exact match; with
.BR children ,
to allow any level of depth match, not including the exact match;
.BR regex
explicitly requires the (default) match based on POSIX (''extended'')
regular expression pattern.
Finally,
.B anonymous
matches unbound operations; the 
.B pattern
field is ignored.
The same behavior is obtained by using the 
.B anonymous
form of the
.B who
clause.
The term
.BR group ,
with the optional objectClass
.B oc
and attributeType
.B at
fields, followed by
.BR pattern ,
sets the limits for any DN listed in the values of the
.B at
attribute (default
.BR member )
of the 
.B oc
group objectClass (default
.BR groupOfNames )
whose DN exactly matches
.BR pattern .

The currently supported limits are 
.B size
and 
.BR time .

The syntax for time limits is 
.BR time[.{soft|hard}]=<integer> ,
where 
.I integer
is the number of seconds slapd will spend answering a search request.
If no time limit is explicitly requested by the client, the 
.BR soft
limit is used; if the requested time limit exceeds the
.BR hard
.\"limit, an
.\".I "Administrative limit exceeded"
.\"error is returned.
limit, the value of the limit is used instead.
If the
.BR hard
limit is set to the keyword 
.IR soft ,
the soft limit is used in either case; if it is set to the keyword 
.IR unlimited , 
no hard limit is enforced.
Explicit requests for time limits smaller or equal to the
.BR hard 
limit are honored.
If no limit specifier is set, the value is assigned to the 
.BR soft 
limit, and the
.BR hard
limit is set to
.IR soft ,
to preserve the original behavior.

The syntax for size limits is
.BR size[.{soft|hard|unchecked}]=<integer> ,
where
.I integer
is the maximum number of entries slapd will return answering a search 
request.
If no size limit is explicitly requested by the client, the
.BR soft
limit is used; if the requested size limit exceeds the
.BR hard
.\"limit, an 
.\".I "Administrative limit exceeded"
.\"error is returned.
limit, the value of the limit is used instead.
If the 
.BR hard
limit is set to the keyword 
.IR soft , 
the soft limit is used in either case; if it is set to the keyword
.IR unlimited , 
no hard limit is enforced.
Explicit requests for size limits smaller or equal to the
.BR hard
limit are honored.
The
.BR unchecked
specifier sets a limit on the number of candidates a search request is allowed
to examine.
The rationale behind it is that searches for non-properly indexed
attributes may result in large sets of candidates, which must be 
examined by
.BR slapd (8)
to determine whether they match the search filter or not.
The
.B unchecked
limit provides a means to drop such operations before they are even 
started.
If the selected candidates exceed the 
.BR unchecked
limit, the search will abort with 
.IR "Unwilling to perform" .
If it is set to the keyword 
.IR unlimited , 
no limit is applied (the default).
If it is set to
.IR disable ,
the search is not even performed; this can be used to disallow searches
for a specific set of users.
If no limit specifier is set, the value is assigned to the
.BR soft 
limit, and the
.BR hard
limit is set to
.IR soft ,
to preserve the original behavior.

In case of no match, the global limits are used.
The default values are the same of
.B sizelimit
and
.BR timelimit ;
no limit is set on 
.BR unchecked .

If 
.B pagedResults
control is requested, the 
.B hard
size limit is used by default, because the request of a specific page size
is considered an explicit request for a limitation on the number
of entries to be returned.
However, the size limit applies to the total count of entries returned within
the search, and not to a single page.
Additional size limits may be enforced; the syntax is
.BR size.pr={<integer>|noEstimate|unlimited} ,
where
.I integer
is the max page size if no explicit limit is set; the keyword
.I noEstimate
inhibits the server from returning an estimate of the total number
of entries that might be returned
(note: the current implementation does not return any estimate).
The keyword
.I unlimited
indicates that no limit is applied to the pagedResults control page size.
The syntax
.B size.prtotal={<integer>|unlimited|disabled}
allows to set a limit on the total number of entries that a pagedResults
control allows to return.
By default it is set to the 
.B hard
limit.
When set, 
.I integer
is the max number of entries that the whole search with pagedResults control
can return.
Use 
.I unlimited
to allow unlimited number of entries to be returned, e.g. to allow
the use of the pagedResults control as a means to circumvent size 
limitations on regular searches; the keyword
.I disabled
disables the control, i.e. no paged results can be returned.
Note that the total number of entries returned when the pagedResults control 
is requested cannot exceed the 
.B hard 
size limit of regular searches unless extended by the
.B prtotal
switch.
.RE
.TP
.B maxderefdepth <depth>
Specifies the maximum number of aliases to dereference when trying to
resolve an entry, used to avoid infinite alias loops. The default is 1.
.TP
.B overlay <overlay-name>
Add the specified overlay to this database. An overlay is a piece of
code that intercepts database operations in order to extend or change
them. Overlays are pushed onto
a stack over the database, and so they will execute in the reverse
of the order in which they were configured and the database itself
will receive control last of all.
.TP
.B readonly on | off
This option puts the database into "read-only" mode.  Any attempts to 
modify the database will return an "unwilling to perform" error.  By
default, readonly is off.
.HP
.hy 0
.B replica uri=ldap[s]://<hostname>[:port]|host=<hostname>[:port] 
.B [starttls=yes|critical]
.B [suffix=<suffix> [...]]
.B bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
.B [authcId=<authentication ID>] [authzId=<authorization ID>]
.B [attr[!]=<attr list>]
.RS
Specify a replication site for this database.  Refer to the "OpenLDAP 
Administrator's Guide" for detailed information on setting up a replicated
.B slapd
directory service. Zero or more
.B suffix
instances can be used to select the subtrees that will be replicated
(defaults to all the database). 
.B host
is deprecated in favor of the
.B uri
option.
.B uri
allows the replica LDAP server to be specified as an LDAP URI. 
A
.B bindmethod
of
.B simple
requires the options
.B binddn 
and
.B credentials  
and should only be used when adequate security services 
(e.g TLS or IPSEC) are in place. A
.B bindmethod 
of
.B sasl 
requires the option
.B saslmech. 
Specific security properties (as with the
.B sasl-secprops
keyword above) for a SASL bind can be set with the
.B secprops
option. A non-default SASL realm can be set with the
.B realm
option.
If the 
.B mechanism
will use Kerberos, a kerberos instance should be given in 
.B authcId.
An
.B attr list
can be given after the 
.B attr
keyword to allow the selective replication of the listed attributes only;
if the optional 
.B !
mark is used, the list is considered exclusive, i.e. the listed attributes
are not replicated.
If an objectClass is listed, all the related attributes
are (are not) replicated.
.RE
.TP
.B replogfile <filename>
Specify the name of the replication log file to log changes to.  
The replication log is typically written by
.BR slapd (8)
and read by
.BR slurpd (8).
See
.BR slapd.replog (5)
for more information.  The specified file should be located
in a directory with limited read/write/execute access as the replication
logs may contain sensitive information.
.TP
.B restrict <oplist>
Specify a whitespace separated list of operations that are restricted.
If defined inside a database specification, restrictions apply only
to that database, otherwise they are global.
Operations can be any of 
.BR add ,
.BR bind ,
.BR compare ,
.BR delete ,
.BR extended[=<OID>] ,
.BR modify ,
.BR rename ,
.BR search ,
or the special pseudo-operations
.B read
and
.BR write ,
which respectively summarize read and write operations.
The use of 
.I restrict write
is equivalent to 
.I readonly on
(see above).
The 
.B extended
keyword allows to indicate the OID of the specific operation
to be restricted.
.TP
.B rootdn <dn>
Specify the distinguished name that is not subject to access control 
or administrative limit restrictions for operations on this database.
This DN may or may not be associated with an entry.  An empty root
DN (the default) specifies no root access is to be granted.  It is
recommended that the rootdn only be specified when needed (such as
when initially populating a database).  If the rootdn is within
a namingContext (suffix) of the database, a simple bind password
may also be provided using the
.B rootpw
directive. Note that the rootdn is always needed when using syncrepl.
.TP
.B rootpw <password>
Specify a password (or hash of the password) for the rootdn.  The
password can only be set if the rootdn is within the namingContext
(suffix) of the database.
This option accepts all RFC 2307 userPassword formats known to
the server (see 
.B password-hash
description) as well as cleartext.
.BR slappasswd (8) 
may be used to generate a hash of a password.  Cleartext
and \fB{CRYPT}\fP passwords are not recommended.  If empty
(the default), authentication of the root DN is by other means
(e.g. SASL).  Use of SASL is encouraged.
.TP
.B suffix <dn suffix>
Specify the DN suffix of queries that will be passed to this 
backend database.  Multiple suffix lines can be given and at least one is 
required for each database definition.
If the suffix of one database is "inside" that of another, the database
with the inner suffix must come first in the configuration file.
.TP
.B subordinate [advertise]
Specify that the current backend database is a subordinate of another
backend database. A subordinate  database may have only one suffix. This
option may be used to glue multiple databases into a single namingContext.
If the suffix of the current database is within the namingContext of a
superior database, searches against the superior database will be
propagated to the subordinate as well. All of the databases
associated with a single namingContext should have identical rootdns.
Behavior of other LDAP operations is unaffected by this setting. In