Reviewed-by: Peter Müller > - Update from version 2.4.49 to 2.6.1 > - Update of rootfile > - Update of consolidated patch to 2.6.1 > - Removal of old patches > - Changelog > OpenLDAP 2.6.1 Release (2022/01/20) > Fixed libldap to init client socket port (ITS#9743) > Fixed libldap with referrals (ITS#9781) > Added slapd config keyword for logfile format (ITS#9745) > Fixed slapd to allow objectClass edits with no net change (ITS#9772) > Fixed slapd configtable population (ITS#9576) > Fixed slapd to only set loglevel in server mode (ITS#9715) > Fixed slapd logfile-rotate use of uninitialized variable (ITS#9730) > Fixed slapd passwd scheme handling with slapd.conf (ITS#9750) > Fixed slapd postread support for modrdn (ITS#7080) > Fixed slapd syncrepl recreation of deleted entries (ITS#9282) > Fixed slapd syncrepl replication with ODSEE (ITS#9707) > Fixed slapd syncrepl to properly replicate glue entries (ITS#9647) > Fixed slapd syncrepl to reject REFRESH for precise resync (ITS#9742) > Fixed slapd syncrepl to avoid busy loop during refresh (ITS#9584) > Fixed slapd syncrepl when X-ORDERED is specified (ITS#9761) > Fixed slapd syncrepl to better handle out of order delete ops (ITS#9751) > Fixed slapd syncrepl to correctly close connections when config is deleted (ITS#9776) > Fixed slapd-mdb to update indices correctly on replace ops (ITS#9753) > Fixed slapd-wt to set correct flags (ITS#9760) > Fixed slapo-accesslog to fix assertion due to deprecated code (ITS#9738) > Fixed slapo-accesslog to fix inconsistently normalized minCSN (ITS#9752) > Fixed slapo-accesslog delete handling of multi-valued config attrs (ITS#9493) > Fixed slapo-autogroup to maintain values in insertion order (ITS#9766) > Fixed slapo-constraint to maintain values in insertion order (ITS#9770) > Fixed slapo-dyngroup to maintain values in insertion order (ITS#9762) > Fixed slapo-dynlist compare operation for static groups (ITS#9747) > Fixed slapo-dynlist static group filter with multiple members (ITS#9779) 
> Fixed slapo-ppolicy when not built modularly (ITS#9733) > Fixed slapo-refint to maintain values in insertion order (ITS#9763) > Fixed slapo-retcode to honor requested insert position (ITS#9759) > Fixed slapo-sock cn=config support (ITS#9758) > Fixed slapo-syncprov memory leak (ITS#8039) > Fixed slapo-syncprov to generate a more accurate accesslog query (ITS#9756) > Fixed slapo-syncprov to allow empty DB to host persistent syncrepl connections (ITS#9691) > Fixed slapo-syncprov to consider all deletes for syncInfo messages (ITS#5972) > Fixed slapo-translucent to warn on invalid config (ITS#9768) > Fixed slapo-unique to warn on invalid config (ITS#9767) > Fixed slapo-valsort to maintain values in insertion order (ITS#9764) > Build Environment > Fix test022 to preserve DELAY search output (ITS#9718) > Fix slapd-watcher to allow startup when servers are down (ITS#9727) > Contrib > Fixed slapo-lastbind to work with 2.6 lastbind-precision configuration (ITS#9725) > Documentation > Fixed slapd.conf(5)/slapd-config(5) documentation on lastbind-precision (ITS#9728) > Fixed slapo-accesslog(5) to clarify logoldattr usage (ITS#9749) > OpenLDAP 2.6.0 Release (2021/10/25) > Initial release for "general use".
> OpenLDAP 2.5.7 Release (2021/08/18) > Fixed lloadd client state tracking (ITS#9624) > Fixed slapd bconfig to canonicalize structuralObjectclass (ITS#9611) > Fixed slapd-ldif duplicate controls response (ITS#9497) > Fixed slapd-mdb multival crash when attribute is missing an equality matchingrule (ITS#9621) > Fixed slapd-mdb compatibility with OpenLDAP 2.4 MDB databases (ITS#8958) > Fixed slapd-mdb idlexp maximum size handling (ITS#9637) > Fixed slapd-monitor number of ops executing with asynchronous backends (ITS#9628) > Fixed slapd-sql to add support for ppolicy attributes (ITS#9629) > Fixed slapd-sql to close transactions after bind and search (ITS#9630) > Fixed slapo-accesslog to make reqMod optional (ITS#9569) > Fixed slapo-ppolicy logging when pwdChangedTime attribute is not present (ITS#9625) > Documentation > slapd-mdb(5) note max idlexp size is 30, not 31 (ITS#9637) > slapo-accesslog(5) note that reqMod is optional (ITS#9569) > Add ldapvc(1) man page (ITS#9549) > Add guide section on load balancer (ITS#9443) > Updated guide to document multiprovider as replacement for mirrormode (ITS#9200) > Updated guide to clarify slapd-mdb upgrade requirements (ITS#9200) > Updated guide to document removal of deprecated options from client tools (ITS#9200) > OpenLDAP 2.5.6 Release (2021/07/27) > Fixed libldap buffer overflow (ITS#9578) > Fixed libldap missing mutex unlock on connection alloc failure (ITS#9590) > Fixed lloadd cn=config olcBkLloadClientMaxPending setting (ITS#8747) > Fixed slapd multiple config defaults (ITS#9363) > Fixed slapd ipv6 addresses to work with tcp wrappers (ITS#9603) > Fixed slapo-syncprov delete of nonexistent sessionlog (ITS#9608) > Build > Fixed library symbol versioning on Solaris (ITS#9591) > Fixed compile warning in libldap/tpool.c (ITS#9601) > Fixed compile warning in libldap/tls_o.c (ITS#9602) > Contrib > Fixed ppm module for sysconfdir (ITS#7832) > Documentation > Updated guide to document multival, idlexp, and maxentrysize 
(ITS#9613, ITS#9614) > OpenLDAP 2.5.5 Release (2021/06/03) > Added libldap LDAP_OPT_TCP_USER_TIMEOUT support (ITS#9502) > Added lloadd tcp-user-timeout support (ITS#9502) > Added slapd-asyncmeta tcp-user-timeout support (ITS#9502) > Added slapd-ldap tcp-user-timeout support (ITS#9502) > Added slapd-meta tcp-user-timeout support (ITS#9502) > Fixed incorrect control OIDs for AuthZ Identity (ITS#9542) > Fixed libldap typo in util-int.c (ITS#9541) > Fixed libldap double free of LDAP_OPT_DEFBASE (ITS#9530) > Fixed libldap better TLS1.3 cipher suite handling (ITS#9521, ITS#9546) > Fixed lloadd multiple issues (ITS#8747) > Fixed slapd slap_op_time to avoid duplicates across restarts (ITS#9537) > Fixed slapd typo in daemon.c (ITS#9541) > Fixed slapd slapi compilation (ITS#9544) > Fixed slapd to handle empty DN in extended filters (ITS#9551) > Fixed slapd syncrepl searches with empty base (ITS#6467) > Fixed slapd syncrepl refresh on startup (ITS#9324, ITS#9534) > Fixed slapd abort due to typo (ITS#9561) > Fixed slapd-asyncmeta quarantine handling (ITS#8721) > Fixed slapd-asyncmeta to have a default operations timeout (ITS#9555) > Fixed slapd-ldap quarantine handling (ITS#8721) > Fixed slapd-mdb deletion of context entry (ITS#9531) > Fixed slapd-mdb off-by-one affecting search scope (ITS#9557) > Fixed slapd-meta quarantine handling (ITS#8721) > Fixed slapo-accesslog to record reqNewDN for modRDN ops (ITS#9552) > Fixed slapo-pcache locking during expiration (ITS#9529) > Build > Fixed slappw-argon2 module installation (ITS#9548) > Contrib > Update ldapc++/ldaptcl to use configure.ac (ITS#9554) > Documentation > ldap_first_attribute(3) - Document ldap_get_attribute_ber (ITS#8820) > ldap_modify(3) - Delete non-existent mod_next parameter (ITS#9559) > OpenLDAP 2.5.4 Release (2021/04/29) > Initial release for "general use". 
> OpenLDAP 2.4.57 Release (2021/01/18) > Fixed ldapexop to use correct return code (ITS#9417) > Fixed slapd to remove asserts in UUIDNormalize (ITS#9391) > Fixed slapd to remove assert in csnValidate (ITS#9410) > Fixed slapd validity checks for issuerAndThisUpdateCheck (ITS#9411, ITS#9427) > Fixed slapd validity checks for serialNumberAndIssuerCheck (ITS#9404, ITS#9424) > Fixed slapd AVA sort with invalid RDN (ITS#9412) > Fixed slapd ldap_X509dn2bv to check for invalid BER after RDN count (ITS#9423, ITS#9425) > Fixed slapd saslauthz to remove asserts in validation (ITS#9406, ITS#9407) > Fixed slapd saslauthz to use slap_sl_free on normalized DN (ITS#9409) > Fixed slapd saslauthz SEGV in slap_parse_user (ITS#9413) > Fixed slapd modrdn memory leak (ITS#9420) > Fixed slapd double-free in vrfilter (ITS#9408) > Fixed slapd cancel operation to correctly terminate (ITS#9428) > Fixed slapd-ldap fix binds on retry with closed connection (ITS#9400) > Fixed slapo-syncprov to ignore duplicate sessionlog entries (ITS#9394) > OpenLDAP 2.4.56 Release (2020/11/10) > Fixed slapd to remove assert in certificateListValidate (ITS#9383) > Fixed slapd to remove assert in csnNormalize23 (ITS#9384) > Fixed slapd to better parse ldapi listener URIs (ITS#9379) > OpenLDAP 2.4.55 Release (2020/10/26) > Fixed slapd normalization handling with modrdn (ITS#9370) > Fixed slapd-meta to check ldap_install_tls return code (ITS#9366) > Contrib > Fixed nssov misplaced semicolon (ITS#8731, ITS#9368) > OpenLDAP 2.4.54 Release (2020/10/12) > Fixed slapd delta-syncrepl to ignore delete ops on deleted entry (ITS#9342) > Fixed slapd delta-syncrepl to be fully serialized (ITS#9330) > Fixed slapd delta-syncrepl MOD on zero-length context entry (ITS#9352) > Fixed slapd syncrepl to be fully serialized (ITS#8102) > Fixed slapd syncrepl to call check_syncprov on fresh consumer (ITS#9345) > Fixed slapd syncrepl to propagate errors from overlay_entry_get_ov (ITS#9355) > Fixed slapd syncrepl to not create empty ADD 
ops (ITS#9359) > Fixed slapd syncrepl replace usage on single valued attrs (ITS#9295) > Fixed slapd-monitor fix monitor_back_register_database for empty suffix DB (ITS#9353) > Fixed slapo-accesslog normalizer for reqStart (ITS#9358) > Fixed slapo-accesslog to not generate new contextCSN on purge (ITS#9361) > Fixed slapo-syncprov contextCSN generation with empty suffix (ITS#9015) > Fixed slapo-syncprov sessionlog to use a TAVL tree (ITS#8486) > OpenLDAP 2.4.53 Release (2020/09/07) > Added slapd syncrepl additional SYNC logging (ITS#9043) > Fixed slapd syncrepl segfault on NULL cookie on REFRESH (ITS#9282) > Fixed slapd syncrepl to use fresh connection on REFRESH fallback (ITS#9338) > Fixed slapo-ppolicy race condition for pwdFailureTime (ITS#9302,ITS#9334) > Build > Require OpenSSL 1.0.2 or later (ITS#9323) > Fixed libldap compilation issue with broken C compilers (ITS#9332) > OpenLDAP 2.4.52 Release (2020/08/28) > Added libldap LDAP_OPT_X_TLS_REQUIRE_SAN option (ITS#9318) > Added libldap OpenSSL support for multiple EECDH curves (ITS#9054) > Added slapd OpenSSL support for multiple EECDH curves (ITS#9054) > Fixed librewrite malloc/free corruption (ITS#9249) > Fixed libldap hang when using UDP and server down (ITS#9328) > Fixed slapd syncrepl rare deadlock due to network issues (ITS#9324) > Fixed slapd syncrepl regression that could trigger an assert (ITS#9329) > Fixed slapd-mdb index error with collapsed range (ITS#9135) > OpenLDAP 2.4.51 Release (2020/08/11) > Added slapo-ppolicy implement Netscape password policy controls (ITS#9279) > Fixed libldap retry loop in ldap_int_tls_connect (ITS#8650) > Fixed libldap to use getaddrinfo in ldap_pvt_get_fqdn (ITS#9287) > Fixed slapd to enforce singular existence of some overlays (ITS#9309) > Fixed slapd syncrepl to not delete non-replicated attrs (ITS#9227) > Fixed slapd syncrepl to correctly delete entries on resync (ITS#9282) > Fixed slapd syncrepl to use replace on single valued attrs (ITS#9294, ITS#9295) > Fixed 
slapd-perl dynamic config with threaded slapd (ITS#7573) > Fixed slapo-ppolicy to expose the ppolicy control (ITS#9285) > Fixed slapo-ppolicy race condition for pwdFailureTime (ITS#9302) > Fixed slapo-ppolicy so it can only exist once per DB (ITS#9309) > Fixed slapo-chain to check referral (ITS#9262) > Build Environment > Fix test064 so it no longer uses bashisms (ITS#9263) > Contrib > Fix default prefix value for pw-argon2, pw-pbkdf2 modules (ITS#9248) > slapo-allowed - Fix usage of uninitialized variable (ITS#9308) > Documentation > ldap_parse_result(3) - Document ldap_parse_intermediate (ITS#9271) > OpenLDAP 2.4.50 Release (2020/04/28) > Fixed client benign typos (ITS#8890) > Fixed libldap type cast (ITS#9175) > Fixed libldap retry loop in ldap_int_tls_connect (ITS#8650) > Fixed libldap_r race on Windows mutex initialization (ITS#9181) > Fixed liblunicode memory leak (ITS#9198) > Fixed slapd benign typos (ITS#8890) > Fixed slapd to limit depth of nested filters (ITS#9202) > Fixed slapd-mdb memory leak in dnSuperiorMatch (ITS#9214) > Fixed slapo-pcache database initialization (ITS#9182) > Fixed slapo-ppolicy callback (ITS#9171) > Build > Fix olcDatabaseDummy initialization for windows (ITS#7074) > Fix detection for ws2tcpip.h for windows (ITS#8383) > Fix back-mdb types for windows (ITS#7878) > Contrib > Update ldapc++ config.guess and config.sub to support newer architectures (ITS#7855) > Added pw-argon2 module (ITS#9233, ITS#8575, ITS#9203, ITS#9206) > Documentation > slapd-ldap(5) - Clarify idassert-authzfrom behavior (ITS#9003) > slapd-meta(5) - Remove client-pr option (ITS#8683) > slapindex(8) - Fix truncate option information for back-mdb (ITS#9230)
> > Signed-off-by: Adolf Belka > --- > config/rootfiles/common/openldap | 33 +- > lfs/openldap | 6 +- > .../openldap-2.4.49-consolidated-1.patch | 371 -- > .../openldap-2.6.1-consolidated-2.patch | 4689 +++++++++++++++++ > src/patches/openldap-gcc44-fixes.patch | 31 - > 5 files changed, 4713 insertions(+), 417 deletions(-) > delete mode 100644 src/patches/openldap-2.4.49-consolidated-1.patch > create mode 100644 src/patches/openldap-2.6.1-consolidated-2.patch > delete mode 100644 src/patches/openldap-gcc44-fixes.patch > > diff --git a/config/rootfiles/common/openldap b/config/rootfiles/common/openldap > index 8d42b8880..45e731ee4 100644 > --- a/config/rootfiles/common/openldap > +++ b/config/rootfiles/common/openldap > @@ -10,6 +10,7 @@ > #usr/bin/ldappasswd > #usr/bin/ldapsearch > #usr/bin/ldapurl > +#usr/bin/ldapvc > #usr/bin/ldapwhoami > #usr/include/lber.h > #usr/include/lber_types.h > @@ -21,18 +22,16 @@ > #usr/include/ldif.h > #usr/include/openldap.h > #usr/include/slapi-plugin.h > -usr/lib/liblber-2.4.so.2 > -usr/lib/liblber-2.4.so.2.10.12 > #usr/lib/liblber.la > #usr/lib/liblber.so > -usr/lib/libldap-2.4.so.2 > -usr/lib/libldap-2.4.so.2.10.12 > +usr/lib/liblber.so.2 > +usr/lib/liblber.so.2.0.200 > #usr/lib/libldap.la > #usr/lib/libldap.so > -usr/lib/libldap_r-2.4.so.2 > -usr/lib/libldap_r-2.4.so.2.10.12 > -#usr/lib/libldap_r.la > -#usr/lib/libldap_r.so > +usr/lib/libldap.so.2 > +usr/lib/libldap.so.2.0.200 > +#usr/lib/pkgconfig/lber.pc > +#usr/lib/pkgconfig/ldap.pc > #usr/share/man/man1/ldapadd.1 > #usr/share/man/man1/ldapcompare.1 > #usr/share/man/man1/ldapdelete.1 > @@ -42,6 +41,7 @@ usr/lib/libldap_r-2.4.so.2.10.12 > #usr/share/man/man1/ldappasswd.1 > #usr/share/man/man1/ldapsearch.1 > #usr/share/man/man1/ldapurl.1 > +#usr/share/man/man1/ldapvc.1 > #usr/share/man/man1/ldapwhoami.1 > #usr/share/man/man3/ber_alloc_t.3 > #usr/share/man/man3/ber_bvarray_add.3 
> @@ -136,6 +136,7 @@ usr/lib/libldap_r-2.4.so.2.10.12 > #usr/share/man/man3/ldap_first_message.3 > #usr/share/man/man3/ldap_first_reference.3 > #usr/share/man/man3/ldap_free_urldesc.3 > +#usr/share/man/man3/ldap_get_attribute_ber.3 > #usr/share/man/man3/ldap_get_dn.3 > #usr/share/man/man3/ldap_get_option.3 > #usr/share/man/man3/ldap_get_values.3 > @@ -175,6 +176,7 @@ usr/lib/libldap_r-2.4.so.2.10.12 > #usr/share/man/man3/ldap_objectclass_free.3 > #usr/share/man/man3/ldap_open.3 > #usr/share/man/man3/ldap_parse_extended_result.3 > +#usr/share/man/man3/ldap_parse_intermediate.3 > #usr/share/man/man3/ldap_parse_reference.3 > #usr/share/man/man3/ldap_parse_result.3 > #usr/share/man/man3/ldap_parse_sasl_bind_result.3 > @@ -227,23 +229,22 @@ usr/lib/libldap_r-2.4.so.2.10.12 > #usr/share/man/man3/ldap_value_free_len.3 > #usr/share/man/man5/ldap.conf.5 > #usr/share/man/man5/ldif.5 > -#usr/share/man/man5/slapd-bdb.5 > +#usr/share/man/man5/lloadd.conf.5 > +#usr/share/man/man5/slapd-asyncmeta.5 > #usr/share/man/man5/slapd-config.5 > #usr/share/man/man5/slapd-dnssrv.5 > -#usr/share/man/man5/slapd-hdb.5 > #usr/share/man/man5/slapd-ldap.5 > #usr/share/man/man5/slapd-ldif.5 > #usr/share/man/man5/slapd-mdb.5 > #usr/share/man/man5/slapd-meta.5 > #usr/share/man/man5/slapd-monitor.5 > -#usr/share/man/man5/slapd-ndb.5 > #usr/share/man/man5/slapd-null.5 > #usr/share/man/man5/slapd-passwd.5 > #usr/share/man/man5/slapd-perl.5 > #usr/share/man/man5/slapd-relay.5 > -#usr/share/man/man5/slapd-shell.5 > #usr/share/man/man5/slapd-sock.5 > #usr/share/man/man5/slapd-sql.5 > +#usr/share/man/man5/slapd-wt.5 > #usr/share/man/man5/slapd.access.5 > #usr/share/man/man5/slapd.backends.5 > #usr/share/man/man5/slapd.conf.5 
> @@ -251,17 +252,22 @@ usr/lib/libldap_r-2.4.so.2.10.12 > #usr/share/man/man5/slapd.plugin.5 > #usr/share/man/man5/slapo-accesslog.5 > #usr/share/man/man5/slapo-auditlog.5 > +#usr/share/man/man5/slapo-autoca.5 > #usr/share/man/man5/slapo-chain.5 > #usr/share/man/man5/slapo-collect.5 > #usr/share/man/man5/slapo-constraint.5 > #usr/share/man/man5/slapo-dds.5 > +#usr/share/man/man5/slapo-deref.5 > #usr/share/man/man5/slapo-dyngroup.5 > #usr/share/man/man5/slapo-dynlist.5 > +#usr/share/man/man5/slapo-homedir.5 > #usr/share/man/man5/slapo-memberof.5 > +#usr/share/man/man5/slapo-otp.5 > #usr/share/man/man5/slapo-pbind.5 > #usr/share/man/man5/slapo-pcache.5 > #usr/share/man/man5/slapo-ppolicy.5 > #usr/share/man/man5/slapo-refint.5 > +#usr/share/man/man5/slapo-remoteauth.5 > #usr/share/man/man5/slapo-retcode.5 > #usr/share/man/man5/slapo-rwm.5 > #usr/share/man/man5/slapo-sock.5 > @@ -270,6 +276,8 @@ usr/lib/libldap_r-2.4.so.2.10.12 > #usr/share/man/man5/slapo-translucent.5 > #usr/share/man/man5/slapo-unique.5 > #usr/share/man/man5/slapo-valsort.5 > +#usr/share/man/man5/slappw-argon2.5 > +#usr/share/man/man8/lloadd.8 > #usr/share/man/man8/slapacl.8 > #usr/share/man/man8/slapadd.8 > #usr/share/man/man8/slapauth.8 > @@ -277,6 +285,7 @@ usr/lib/libldap_r-2.4.so.2.10.12 > #usr/share/man/man8/slapd.8 > #usr/share/man/man8/slapdn.8 > #usr/share/man/man8/slapindex.8 > +#usr/share/man/man8/slapmodify.8 > #usr/share/man/man8/slappasswd.8 > #usr/share/man/man8/slapschema.8 > #usr/share/man/man8/slaptest.8 > diff --git a/lfs/openldap b/lfs/openldap > index 60d46a249..195aa4af2 100644 > --- a/lfs/openldap > +++ b/lfs/openldap > @@ -24,7 +24,7 @@ > > include Config > > -VER = 2.4.49 > +VER = 2.6.1 > > THISAPP = openldap-$(VER) > DL_FILE = $(THISAPP).tgz 
> @@ -42,7 +42,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_BLAKE2 = ee777588d758f6704b0d38b90feb85b27e2307510a05d1d147324e9958a6f6fc5bc7dd521a1462971c3f707429ad38fab734f508d71fd88b447770e112e844a2 > +$(DL_FILE)_BLAKE2 = 08bb7ec0354d689b65673d6c4c05a3299ba4f1655cbcccb710b6c9ca66fd636d6b2d89faa8d32278d253a1647deae8b1e86e8e275b890208bfac4ca663a40523 > > install : $(TARGET) > > @@ -72,7 +72,7 @@ $(subst %,%_BLAKE2,$(objects)) : > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > @$(PREBUILD) > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) > - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openldap-2.4.49-consolidated-1.patch > + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openldap-2.6.1-consolidated-2.patch > cd $(DIR_APP) && autoconf > cd $(DIR_APP) && ./configure \ > --prefix=/usr \ > diff --git a/src/patches/openldap-2.4.49-consolidated-1.patch b/src/patches/openldap-2.4.49-consolidated-1.patch > deleted file mode 100644 > index 8cd2656e3..000000000 > --- a/src/patches/openldap-2.4.49-consolidated-1.patch > +++ /dev/null 
> @@ -1,371 +0,0 @@ > -Submitted by: Bruce Dubbs > -Date: 2012-03-26 > -Initial Package Version: 2.4.40 > -Upstream Status: BLFS Specific > -Origin: Armin K. and Debian > -Comment: Rediffed by Fernando de Oliveira - com dot br> for version 2.4.44 - 2016.02.06 > - Rediffed by Pierre Labastie - neuf dot fr> to add mdb backend and slapd.ldif. See > - ticket #7394 - 2016.02.24 > -Description: Consolidate earlier patches to: > - 1. Update various installation options, such as ldap database path, > - configuration file options, slapd install location, etc. > - 2. Remove reference to bdb module > - 3. Enables symbol versioning in ldap libraries. Without these changes > - some applications might generate a warning about missing symbol versions. > - > -diff -Naur openldap-2.4.40.orig/build/openldap.m4 openldap-2.4.40/build/openldap.m4 > ---- openldap-2.4.40.orig/build/openldap.m4 2014-09-18 20:48:49.000000000 -0500 > -+++ openldap-2.4.40/build/openldap.m4 2015-03-26 15:37:39.801077750 -0500 > -@@ -1142,3 +1142,54 @@ > - #endif > - ], [ol_cv_ssl_crl_compat=yes], [ol_cv_ssl_crl_compat=no])]) > - ]) > -+ > -+dnl ==================================================================== > -+dnl check for symbol versioning support > -+AC_DEFUN([OL_SYMBOL_VERSIONING], > -+[AC_CACHE_CHECK([for .symver assembler directive], > -+ [ol_cv_asm_symver_directive],[ > -+cat > conftest.s < -+${libc_cv_dot_text} > -+_sym: > -+.symver _sym,sym(a)VERS > -+EOF > -+if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then > -+ ol_cv_asm_symver_directive=yes > -+else > -+ ol_cv_asm_symver_directive=no > -+fi > -+rm -f conftest*]) > -+AC_CACHE_CHECK([for ld --version-script], > -+ [ol_cv_ld_version_script_option],[ > -+if test $ol_cv_asm_symver_directive = yes; then > -+ cat > conftest.s < -+${libc_cv_dot_text} > -+_sym: > -+.symver _sym,sym(a)VERS > -+EOF > -+ cat > conftest.map < -+VERS_1 { > -+ global: sym; > -+}; > -+ > -+VERS_2 { > -+ global: sym; > -+} VERS_1; > -+EOF > 
-+ if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then > -+ if AC_TRY_COMMAND([${CC-cc} $CFLAGS $LDFLAGS -shared > -+ -o conftest.so conftest.o > -+ -Wl,--version-script,conftest.map > -+ 1>&AS_MESSAGE_LOG_FD]); > -+ then > -+ ol_cv_ld_version_script_option=yes > -+ else > -+ ol_cv_ld_version_script_option=no > -+ fi > -+ else > -+ ol_cv_ld_version_script_option=no > -+ fi > -+else > -+ ol_cv_ld_version_script_option=no > -+fi > -+rm -f conftest*])]) > -diff -Naur openldap-2.4.40.orig/build/top.mk openldap-2.4.40/build/top.mk > ---- openldap-2.4.40.orig/build/top.mk 2014-09-18 20:48:49.000000000 -0500 > -+++ openldap-2.4.40/build/top.mk 2015-03-26 15:37:39.801077750 -0500 > -@@ -104,6 +104,9 @@ > - # LINK_LIBS referenced in library and module link commands. > - LINK_LIBS = $(MOD_LIBS) $(@PLAT(a)_LINK_LIBS) > - > -+# option to pass to $(CC) to support library symbol versioning, if any > -+VERSION_OPTION = @VERSION_OPTION@ > -+ > - LTSTATIC = @LTSTATIC@ > - > - LTLINK = $(LIBTOOL) --mode=link \ > -@@ -113,7 +116,7 @@ > - $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(LIB_DEFS) -c > - > - LTLINK_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=link \ > -- $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) > -+ $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) $(VERSION_FLAGS) > - > - LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=compile \ > - $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c > -diff -Naur openldap-2.4.40.orig/configure.in openldap-2.4.40/configure.in > ---- openldap-2.4.40.orig/configure.in 2014-09-18 20:48:49.000000000 -0500 > -+++ openldap-2.4.40/configure.in 2015-03-26 15:37:39.801077750 -0500 > -@@ -1916,6 +1916,13 @@ > - fi > - AC_SUBST(LTSTATIC)dnl > - > -+VERSION_OPTION="" > -+OL_SYMBOL_VERSIONING > -+if test $ol_cv_ld_version_script_option = yes ; then > -+ VERSION_OPTION="-Wl,--version-script=" > -+fi > -+AC_SUBST(VERSION_OPTION) > -+ > - dnl ---------------------------------------------------------------- > - if test $ol_enable_wrappers != no 
; then > - AC_CHECK_HEADERS(tcpd.h,[ > -diff -Naur openldap-2.4.40.orig/doc/man/man5/slapd-bdb.5 openldap-2.4.40/doc/man/man5/slapd-bdb.5 > ---- openldap-2.4.40.orig/doc/man/man5/slapd-bdb.5 2014-09-18 20:48:49.000000000 -0500 > -+++ openldap-2.4.40/doc/man/man5/slapd-bdb.5 2015-03-26 15:36:59.637464038 -0500 > -@@ -135,7 +135,7 @@ > - associated indexes live. > - A separate directory must be specified for each database. > - The default is > --.BR LOCALSTATEDIR/openldap\-data . > -+.BR LOCALSTATEDIR/lib/openldap . > - .TP > - .B dirtyread > - Allow reads of modified but not yet committed data. > -diff -Naur openldap-2.4.40.orig/doc/man/man5/slapd-config.5 openldap-2.4.40/doc/man/man5/slapd-config.5 > ---- openldap-2.4.40.orig/doc/man/man5/slapd-config.5 2014-09-18 20:48:49.000000000 -0500 > -+++ openldap-2.4.40/doc/man/man5/slapd-config.5 2015-03-26 15:36:59.638464004 -0500 > -@@ -2051,7 +2051,7 @@ > - # The database directory MUST exist prior to > - # running slapd AND should only be accessible > - # by the slapd/tools. Mode 0700 recommended. > --olcDbDirectory: LOCALSTATEDIR/openldap\-data > -+olcDbDirectory: LOCALSTATEDIR/lib/openldap > - # Indices to maintain > - olcDbIndex: objectClass eq > - olcDbIndex: cn,sn,mail pres,eq,approx,sub > -diff -Naur openldap-2.4.40.orig/doc/man/man5/slapd.conf.5 openldap-2.4.40/doc/man/man5/slapd.conf.5 > ---- openldap-2.4.40.orig/doc/man/man5/slapd.conf.5 2014-09-18 20:48:49.000000000 -0500 > -+++ openldap-2.4.40/doc/man/man5/slapd.conf.5 2015-03-26 15:36:59.638464004 -0500 > -@@ -2021,7 +2021,7 @@ > - # The database directory MUST exist prior to > - # running slapd AND should only be accessible > - # by the slapd/tools. Mode 0700 recommended. 
> --directory LOCALSTATEDIR/openldap\-data > -+directory LOCALSTATEDIR/lib/openldap > - # Indices to maintain > - index objectClass eq > - index cn,sn,mail pres,eq,approx,sub > -diff -Naur openldap-2.4.40.orig/include/ldap_defaults.h openldap-2.4.40/include/ldap_defaults.h > ---- openldap-2.4.40.orig/include/ldap_defaults.h 2014-09-18 20:48:49.000000000 -0500 > -+++ openldap-2.4.40/include/ldap_defaults.h 2015-03-26 15:36:59.638464004 -0500 > -@@ -39,7 +39,7 @@ > - #define LDAP_ENV_PREFIX "LDAP" > - > - /* default ldapi:// socket */ > --#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi" > -+#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "openldap" LDAP_DIRSEP "ldapi" > - > - /* > - * SLAPD DEFINITIONS > -@@ -47,7 +47,7 @@ > - /* location of the default slapd config file */ > - #define SLAPD_DEFAULT_CONFIGFILE LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.conf" > - #define SLAPD_DEFAULT_CONFIGDIR LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.d" > --#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "openldap-data" > -+#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "lib" LDAP_DIRSEP "openldap" > - #define SLAPD_DEFAULT_DB_MODE 0600 > - #define SLAPD_DEFAULT_UCDATA LDAP_DATADIR LDAP_DIRSEP "ucdata" > - /* default max deref depth for aliases */ > -diff -Naur openldap-2.4.40.orig/libraries/liblber/Makefile.in openldap-2.4.40/libraries/liblber/Makefile.in > ---- openldap-2.4.40.orig/libraries/liblber/Makefile.in 2014-09-18 20:48:49.000000000 -0500 > -+++ openldap-2.4.40/libraries/liblber/Makefile.in 2015-03-26 15:37:39.801077750 -0500 > -@@ -38,6 +38,9 @@ > - XXLIBS = > - NT_LINK_LIBS = $(AC_LIBS) > - UNIX_LINK_LIBS = $(AC_LIBS) > -+ifneq (,$(VERSION_OPTION)) > -+ VERSION_FLAGS = "$(VERSION_OPTION)$(srcdir)/liblber.map" > -+endif > - > - dtest: $(XLIBS) dtest.o > - $(LTLINK) -o $@ dtest.o $(LIBS) > -@@ -48,6 +51,6 @@ > - > - install-local: FORCE > - -$(MKDIR) $(DESTDIR)$(libdir) > -- $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir) > 
-+ $(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir) > - $(LTFINISH) $(DESTDIR)$(libdir) > - > -diff -Naur openldap-2.4.40.orig/libraries/liblber/liblber.map openldap-2.4.40/libraries/liblber/liblber.map > ---- openldap-2.4.40.orig/libraries/liblber/liblber.map 1969-12-31 18:00:00.000000000 -0600 > -+++ openldap-2.4.40/libraries/liblber/liblber.map 2015-03-26 15:37:39.801077750 -0500 > -@@ -0,0 +1,8 @@ > -+OPENLDAP_2.4_2 { > -+ global: > -+ ber_*; > -+ der_alloc; > -+ lutil_*; > -+ local: > -+ *; > -+}; > -diff -Naur openldap-2.4.40.orig/libraries/libldap/Makefile.in openldap-2.4.40/libraries/libldap/Makefile.in > ---- openldap-2.4.40.orig/libraries/libldap/Makefile.in 2014-09-18 20:48:49.000000000 -0500 > -+++ openldap-2.4.40/libraries/libldap/Makefile.in 2015-03-26 15:37:39.802077716 -0500 > -@@ -52,6 +52,9 @@ > - XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS) > - NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) > - UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) > -+ifneq (,$(VERSION_OPTION)) > -+ VERSION_FLAGS = $(VERSION_OPTION)$(srcdir)/libldap.map > -+endif > - > - apitest: $(XLIBS) apitest.o > - $(LTLINK) -o $@ apitest.o $(LIBS) > -@@ -68,7 +71,7 @@ > - > - install-local: $(CFFILES) FORCE > - -$(MKDIR) $(DESTDIR)$(libdir) > -- $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir) > -+ $(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir) > - $(LTFINISH) $(DESTDIR)$(libdir) > - -$(MKDIR) $(DESTDIR)$(sysconfdir) > - @for i in $(CFFILES); do \ > -diff -Naur openldap-2.4.40.orig/libraries/libldap/libldap.map openldap-2.4.40/libraries/libldap/libldap.map > ---- openldap-2.4.40.orig/libraries/libldap/libldap.map 1969-12-31 18:00:00.000000000 -0600 > -+++ openldap-2.4.40/libraries/libldap/libldap.map 2015-03-26 15:37:39.802077716 -0500 > -@@ -0,0 +1,7 @@ > -+OPENLDAP_2.4_2 { > -+ global: > -+ ldap_*; > -+ ldif_*; > -+ local: > -+ *; > -+}; > -diff -Naur 
openldap-2.4.40.orig/libraries/libldap_r/Makefile.in openldap-2.4.40/libraries/libldap_r/Makefile.in > ---- openldap-2.4.40.orig/libraries/libldap_r/Makefile.in 2014-09-18 20:48:49.000000000 -0500 > -+++ openldap-2.4.40/libraries/libldap_r/Makefile.in 2015-03-26 15:37:39.802077716 -0500 > -@@ -61,6 +61,9 @@ > - XXXLIBS = $(LTHREAD_LIBS) > - NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) > - UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(LTHREAD_LIBS) > -+ifneq (,$(VERSION_OPTION)) > -+ VERSION_FLAGS = "$(VERSION_OPTION)$(XXDIR)/libldap.map" > -+endif > - > - .links : Makefile > - @for i in $(XXSRCS); do \ > -@@ -83,6 +86,6 @@ > - > - install-local: $(CFFILES) FORCE > - -$(MKDIR) $(DESTDIR)$(libdir) > -- $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir) > -+ $(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir) > - $(LTFINISH) $(DESTDIR)$(libdir) > - > -diff -Naur openldap-2.4.40.orig/servers/slapd/Makefile.in openldap-2.4.40/servers/slapd/Makefile.in > ---- openldap-2.4.40.orig/servers/slapd/Makefile.in 2014-09-18 20:48:49.000000000 -0500 > -+++ openldap-2.4.40/servers/slapd/Makefile.in 2015-03-26 15:36:59.639463969 -0500 > -@@ -376,10 +376,10 @@ > - install-conf install-dbc-maybe install-schema install-tools > - > - install-slapd: FORCE > -- -$(MKDIR) $(DESTDIR)$(libexecdir) > -+ -$(MKDIR) $(DESTDIR)$(sbindir) > - -$(MKDIR) $(DESTDIR)$(localstatedir)/run > - $(LTINSTALL) $(INSTALLFLAGS) $(STRIP) -m 755 \ > -- slapd$(EXEEXT) $(DESTDIR)$(libexecdir) > -+ slapd$(EXEEXT) $(DESTDIR)$(sbindir) > - @for i in $(SUBDIRS); do \ > - if test -d $$i && test -f $$i/Makefile ; then \ > - echo; echo " cd $$i; $(MAKE) $(MFLAGS) install"; \ > -@@ -445,9 +445,9 @@ > - > - install-db-config: FORCE > - @-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir) > -- @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data > -+ @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/lib/openldap > - $(INSTALL) 
$(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \ > -- $(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example > -+ $(DESTDIR)$(localstatedir)/lib/openldap/DB_CONFIG.example > - $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \ > - $(DESTDIR)$(sysconfdir)/DB_CONFIG.example > - > -@@ -455,6 +455,6 @@ > - -$(MKDIR) $(DESTDIR)$(sbindir) > - for i in $(SLAPTOOLS); do \ > - $(RM) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \ > -- $(LN_S) -f $(DESTDIR)$(libexecdir)/slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \ > -+ $(LN_S) -f $(DESTDIR)$(sbindir)/slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \ > - done > - > -diff -Naur openldap-2.4.44.orig/servers/slapd/slapd.conf openldap-2.4.44/servers/slapd/slapd.conf > ---- openldap-2.4.44.orig/servers/slapd/slapd.conf 2016-02-06 00:57:45.000000000 +0100 > -+++ openldap-2.4.44/servers/slapd/slapd.conf 2016-02-22 23:01:47.681372594 +0100 > -@@ -10,12 +10,12 @@ > - # service AND an understanding of referrals. > - #referral ldap://root.openldap.org > - > --pidfile %LOCALSTATEDIR%/run/slapd.pid > --argsfile %LOCALSTATEDIR%/run/slapd.args > -+pidfile %LOCALSTATEDIR%/run/openldap/slapd.pid > -+argsfile %LOCALSTATEDIR%/run/openldap/slapd.args > - > - # Load dynamic backend modules: > --# modulepath %MODULEDIR% > --# moduleload back_mdb.la > -+modulepath %MODULEDIR% > -+moduleload back_mdb.la > - # moduleload back_ldap.la > - > - # Sample security restrictions > -@@ -60,6 +60,6 @@ > - # The database directory MUST exist prior to running slapd AND > - # should only be accessible by the slapd and slap tools. > - # Mode 700 recommended. 
> --directory %LOCALSTATEDIR%/openldap-data > -+directory %LOCALSTATEDIR%/lib/openldap > - # Indices to maintain > - index objectClass eq > -diff -Naur openldap-2.4.44.orig/servers/slapd/slapd.ldif openldap-2.4.44/servers/slapd/slapd.ldif > ---- openldap-2.4.44.orig/servers/slapd/slapd.ldif 2016-02-06 00:57:45.000000000 +0100 > -+++ openldap-2.4.44/servers/slapd/slapd.ldif 2016-02-22 22:59:57.824364446 +0100 > -@@ -9,8 +9,8 @@ > - # > - # Define global ACLs to disable default read access. > - # > --olcArgsFile: %LOCALSTATEDIR%/run/slapd.args > --olcPidFile: %LOCALSTATEDIR%/run/slapd.pid > -+olcArgsFile: %LOCALSTATEDIR%/run/openldap/slapd.args > -+olcPidFile: %LOCALSTATEDIR%/run/openldap/slapd.pid > - # > - # Do not enable referrals until AFTER you have a working directory > - # service AND an understanding of referrals. > -@@ -26,10 +26,11 @@ > - # > - # Load dynamic backend modules: > - # > --#dn: cn=module,cn=config > --#objectClass: olcModuleList > --#cn: module > --#olcModulepath: %MODULEDIR% > -+dn: cn=module,cn=config > -+objectClass: olcModuleList > -+cn: module > -+olcModulepath: %MODULEDIR% > -+olcModuleload: back_mdb.la > - #olcModuleload: back_bdb.la > - #olcModuleload: back_hdb.la > - #olcModuleload: back_ldap.la > -@@ -90,6 +91,6 @@ > - # The database directory MUST exist prior to running slapd AND > - # should only be accessible by the slapd and slap tools. > - # Mode 700 recommended. 
> --olcDbDirectory: %LOCALSTATEDIR%/openldap-data > -+olcDbDirectory: %LOCALSTATEDIR%/lib/openldap > - # Indices to maintain > - olcDbIndex: objectClass eq > -diff -Naur openldap-2.4.40.orig/servers/slapd/slapi/Makefile.in openldap-2.4.40/servers/slapd/slapi/Makefile.in > ---- openldap-2.4.40.orig/servers/slapd/slapi/Makefile.in 2014-09-18 20:48:49.000000000 -0500 > -+++ openldap-2.4.40/servers/slapd/slapi/Makefile.in 2015-03-26 15:36:59.639463969 -0500 > -@@ -46,6 +46,6 @@ > - install-local: FORCE > - if test "$(BUILD_MOD)" = "yes"; then \ > - $(MKDIR) $(DESTDIR)$(libdir); \ > -- $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir); \ > -+ $(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir); \ > - fi > - > diff --git a/src/patches/openldap-2.6.1-consolidated-2.patch b/src/patches/openldap-2.6.1-consolidated-2.patch > new file mode 100644 > index 000000000..eb7396ad6 > --- /dev/null > +++ b/src/patches/openldap-2.6.1-consolidated-2.patch 
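Review bot: the new consolidated patch that follows carries a stray `patch` backup file that should be dropped before this is merged: inside it, the nested `diff -Naurp openldap-2.6.1.orig/doc/man/man5/slapd.conf.5.orig openldap-2.6.1/doc/man/man5/slapd.conf.5.orig` header (its `---` side dated `1969-12-31 18:00:00.000000000 -0600`, i.e. a file that did not exist) introduces a `@@ -0,0 +1,2168 @@` hunk that adds a full copy of the unpatched `slapd.conf.5` as `doc/man/man5/slapd.conf.5.orig`. Those 2168 lines are close to half of the 4689 lines in the `@@ -0,0 +1,4689 @@` file and serve no purpose beyond the one-line `directory LOCALSTATEDIR/lib/openldap` change already made to `slapd.conf.5`. Rediff with the `.orig` file removed from the working tree (or exclude `*.orig` when running `diff -Naurp`) so the patch only contains the intended path and module changes.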
> @@ -0,0 +1,4689 @@ > +Submitted by: Bruce Dubbs > +Date: 2012-03-26 > +Initial Package Version: 2.4.40 > +Upstream Status: BLFS Specific > +Origin: Armin K. and Debian > +Comment: Rediffed by Fernando de Oliveira + com dot br> for version 2.4.44 - 2016.02.06 > + Rediffed by Pierre Labastie + neuf dot fr> to add mdb backend and slapd.ldif. See > + ticket #7394 - 2016.02.24 > + Rediffed by Douglas R. Reno + dot org> to function on 2.4.51. - 2020-08-13 > + Fixed the rediff to use a .c file instead of a .s, fixing > + the test by Douglas R. Reno - 2020-08-13 > + Rediffed by Tim Tassonis to > + remove now integrated symbol versioning stuff and > + remove changes to now non-existent slapd-bdb.5 file - 2021-05-03 > + Rediffed by Douglas R. Reno - 2022-02-13 - updated man > + pages for lloadd.8 and slapd.8 to use the proper path. > +Description: Consolidate earlier patches to: > + 1. Update various installation options, such as ldap database path, > + configuration file options, slapd install location, etc. > + 2. Remove reference to bdb module > + > + > +diff -Naurp openldap-2.6.1.orig/doc/man/man5/slapd.conf.5 openldap-2.6.1/doc/man/man5/slapd.conf.5 > +--- openldap-2.6.1.orig/doc/man/man5/slapd.conf.5 2022-01-19 12:32:34.000000000 -0600 > ++++ openldap-2.6.1/doc/man/man5/slapd.conf.5 2022-02-13 15:54:13.654979570 -0600 > +@@ -2123,7 +2123,7 @@ suffix "dc=our\-domain,dc=com" > + # The database directory MUST exist prior to > + # running slapd AND should only be accessible > + # by the slapd/tools. Mode 0700 recommended. 
> +-directory LOCALSTATEDIR/openldap\-data > ++directory LOCALSTATEDIR/lib/openldap > + # Indices to maintain > + index objectClass eq > + index cn,sn,mail pres,eq,approx,sub > +diff -Naurp openldap-2.6.1.orig/doc/man/man5/slapd.conf.5.orig openldap-2.6.1/doc/man/man5/slapd.conf.5.orig > +--- openldap-2.6.1.orig/doc/man/man5/slapd.conf.5.orig 1969-12-31 18:00:00.000000000 -0600 > ++++ openldap-2.6.1/doc/man/man5/slapd.conf.5.orig 2022-01-19 12:32:34.000000000 -0600 > +@@ -0,0 +1,2168 @@ > ++.TH SLAPD.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION" > ++.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved. > ++.\" Copying restrictions apply. See COPYRIGHT/LICENSE. > ++.\" $OpenLDAP$ > ++.SH NAME > ++slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon > ++.SH SYNOPSIS > ++ETCDIR/slapd.conf > ++.SH DESCRIPTION > ++The file > ++.B ETCDIR/slapd.conf > ++contains configuration information for the > ++.BR slapd (8) > ++daemon. This configuration file is also used by the SLAPD tools > ++.BR slapacl (8), > ++.BR slapadd (8), > ++.BR slapauth (8), > ++.BR slapcat (8), > ++.BR slapdn (8), > ++.BR slapindex (8), > ++.BR slapmodify (8), > ++and > ++.BR slaptest (8). > ++.LP > ++The > ++.B slapd.conf > ++file consists of a series of global configuration options that apply to > ++.B slapd > ++as a whole (including all backends), followed by zero or more database > ++backend definitions that contain information specific to a backend > ++instance. > ++The configuration options are case-insensitive; > ++their value, on a case by case basis, may be case-sensitive. > ++.LP > ++The general format of > ++.B slapd.conf > ++is as follows: > ++.LP > ++.nf > ++ # comment - these options apply to every database > ++ > ++ # first database definition & configuration options > ++ database > ++ > ++ # subsequent database definitions & configuration options > ++ ... > ++.fi > ++.LP > ++As many backend-specific sections as desired may be included. 
Global > ++options can be overridden in a backend (for options that appear more > ++than once, the last appearance in the > ++.B slapd.conf > ++file is used). > ++.LP > ++If a line begins with white space, it is considered a continuation > ++of the previous line. No physical line should be over 2000 bytes > ++long. > ++.LP > ++Blank lines and comment lines beginning with > ++a `#' character are ignored. Note: continuation lines are unwrapped > ++before comment processing is applied. > ++.LP > ++Arguments on configuration lines are separated by white space. If an > ++argument contains white space, the argument should be enclosed in > ++double quotes. If an argument contains a double quote (`"') or a > ++backslash character (`\\'), the character should be preceded by a > ++backslash character. > ++.LP > ++The specific configuration options available are discussed below in the > ++Global Configuration Options, General Backend Options, and General Database > ++Options. Backend-specific options are discussed in the > ++.B slapd\-(5) > ++manual pages. Refer to the "OpenLDAP Administrator's Guide" for more > ++details on the slapd configuration file. > ++.SH GLOBAL CONFIGURATION OPTIONS > ++Options described in this section apply to all backends, unless specifically > ++overridden in a backend definition. Arguments that should be replaced by > ++actual text are shown in brackets <>. > ++.TP > ++.B access to "[ by ]+" > ++Grant access (specified by ) to a set of entries and/or > ++attributes (specified by ) by one or more requestors (specified > ++by ). > ++If no access controls are present, the default policy > ++allows anyone and everyone to read anything but restricts > ++updates to rootdn. (e.g., "access to * by * read"). > ++The rootdn can always read and write EVERYTHING! > ++See > ++.BR slapd.access (5) > ++and the "OpenLDAP's Administrator's Guide" for details. 
> ++.TP > ++.B allow > ++Specify a set of features (separated by white space) to > ++allow (default none). > ++.B bind_v2 > ++allows acceptance of LDAPv2 bind requests. Note that > ++.BR slapd (8) > ++does not truly implement LDAPv2 (RFC 1777), now Historic (RFC 3494). > ++.B bind_anon_cred > ++allows anonymous bind when credentials are not empty (e.g. > ++when DN is empty). > ++.B bind_anon_dn > ++allows unauthenticated (anonymous) bind when DN is not empty. > ++.B update_anon > ++allows unauthenticated (anonymous) update operations to be processed > ++(subject to access controls and other administrative limits). > ++.B proxy_authz_anon > ++allows unauthenticated (anonymous) proxy authorization control to be processed > ++(subject to access controls, authorization and other administrative limits). > ++.TP > ++.B argsfile > ++The (absolute) name of a file that will hold the > ++.B slapd > ++server's command line (program name and options). > ++.TP > ++.B attributeoptions [option-name]... > ++Define tagging attribute options or option tag/range prefixes. > ++Options must not end with `\-', prefixes must end with `\-'. > ++The `lang\-' prefix is predefined. > ++If you use the > ++.B attributeoptions > ++directive, `lang\-' will no longer be defined and you must specify it > ++explicitly if you want it defined. > ++ > ++An attribute description with a tagging option is a subtype of that > ++attribute description without the option. > ++Except for that, options defined this way have no special semantics. > ++Prefixes defined this way work like the `lang\-' options: > ++They define a prefix for tagging options starting with the prefix. > ++That is, if you define the prefix `x\-foo\-', you can use the option > ++`x\-foo\-bar'. > ++Furthermore, in a search or compare, a prefix or range name (with > ++a trailing `\-') matches all options starting with that name, as well > ++as the option with the range name sans the trailing `\-'. 
> ++That is, `x\-foo\-bar\-' matches `x\-foo\-bar' and `x\-foo\-bar\-baz'. > ++ > ++RFC 4520 reserves options beginning with `x\-' for private experiments. > ++Other options should be registered with IANA, see RFC 4520 section 3.5. > ++OpenLDAP also has the `binary' option built in, but this is a transfer > ++option, not a tagging option. > ++.HP > ++.hy 0 > ++.B attributetype "(\ \ > ++ [NAME\ ]\ > ++ [DESC\ ]\ > ++ [OBSOLETE]\ > ++ [SUP\ ]\ > ++ [EQUALITY\ ]\ > ++ [ORDERING\ ]\ > ++ [SUBSTR\ ]\ > ++ [SYNTAX\ ]\ > ++ [SINGLE\-VALUE]\ > ++ [COLLECTIVE]\ > ++ [NO\-USER\-MODIFICATION]\ > ++ [USAGE\ ]\ )" > ++.RS > ++Specify an attribute type using the LDAPv3 syntax defined in RFC 4512. > ++The slapd parser extends the RFC 4512 definition by allowing string > ++forms as well as numeric OIDs to be used for the attribute OID and > ++attribute syntax OID. > ++(See the > ++.B objectidentifier > ++description.) > ++.RE > ++.TP > ++.B authid\-rewrite > ++Used by the authentication framework to convert simple user names > ++to an LDAP DN used for authorization purposes. > ++Its purpose is analogous to that of > ++.BR authz-regexp > ++(see below). > ++The prefix \fIauthid\-\fP is followed by a set of rules analogous > ++to those described in > ++.BR slapo\-rwm (5) > ++for data rewriting (replace the \fIrwm\-\fP prefix with \fIauthid\-\fP). > ++.B authid\-rewrite > ++and > ++.B authz\-regexp > ++rules should not be intermixed. > ++.TP > ++.B authz\-policy > ++Used to specify which rules to use for Proxy Authorization. Proxy > ++authorization allows a client to authenticate to the server using one > ++user's credentials, but specify a different identity to use for authorization > ++and access control purposes. It essentially allows user A to login as user > ++B, using user A's password. > ++The > ++.B none > ++flag disables proxy authorization. This is the default setting. > ++The > ++.B from > ++flag will use rules in the > ++.I authzFrom > ++attribute of the authorization DN. 
> ++The > ++.B to > ++flag will use rules in the > ++.I authzTo > ++attribute of the authentication DN. > ++The > ++.B any > ++flag, an alias for the deprecated value of > ++.BR both , > ++will allow any of the above, whatever succeeds first (checked in > ++.BR to , > ++.B from > ++sequence. > ++The > ++.B all > ++flag requires both authorizations to succeed. > ++.LP > ++.RS > ++The rules are mechanisms to specify which identities are allowed > ++to perform proxy authorization. > ++The > ++.I authzFrom > ++attribute in an entry specifies which other users > ++are allowed to proxy login to this entry. The > ++.I authzTo > ++attribute in > ++an entry specifies which other users this user can authorize as. Use of > ++.I authzTo > ++rules can be easily > ++abused if users are allowed to write arbitrary values to this attribute. > ++In general the > ++.I authzTo > ++attribute must be protected with ACLs such that > ++only privileged users can modify it. > ++The value of > ++.I authzFrom > ++and > ++.I authzTo > ++describes an > ++.B identity > ++or a set of identities; it can take five forms: > ++.RS > ++.TP > ++.B ldap:///??[]? > ++.RE > ++.RS > ++.B dn[.]: > ++.RE > ++.RS > ++.B u[.[/]]: > ++.RE > ++.RS > ++.B group[/objectClass[/attributeType]]: > ++.RE > ++.RS > ++.B > ++.RE > ++.RS > ++ > ++.B :={exact|onelevel|children|subtree|regex} > ++ > ++.RE > ++The first form is a valid LDAP > ++.B URI > ++where the > ++.IR : , > ++the > ++.I > ++and the > ++.I > ++portions must be absent, so that the search occurs locally on either > ++.I authzFrom > ++or > ++.IR authzTo . > ++ > ++.LP > ++The second form is a > ++.BR DN . > ++The optional > ++.B dnstyle > ++modifiers > ++.IR exact , > ++.IR onelevel , > ++.IR children , > ++and > ++.I subtree > ++provide exact, onelevel, children and subtree matches, which cause > ++.I > ++to be normalized according to the DN normalization rules. 
> ++The special > ++.B dnstyle > ++modifier > ++.I regex > ++causes the > ++.I > ++to be treated as a POSIX (''extended'') regular expression, as > ++discussed in > ++.BR regex (7) > ++and/or > ++.BR re_format (7). > ++A pattern of > ++.I * > ++means any non-anonymous DN. > ++ > ++.LP > ++The third form is a SASL > ++.BR id . > ++The optional fields > ++.I > ++and > ++.I > ++allow specification of a SASL > ++.BR mechanism , > ++and eventually a SASL > ++.BR realm , > ++for those mechanisms that support one. > ++The need to allow the specification of a mechanism is still debated, > ++and users are strongly discouraged to rely on this possibility. > ++ > ++.LP > ++The fourth form is a group specification. > ++It consists of the keyword > ++.BR group , > ++optionally followed by the specification of the group > ++.B objectClass > ++and > ++.BR attributeType . > ++The > ++.B objectClass > ++defaults to > ++.IR groupOfNames . > ++The > ++.B attributeType > ++defaults to > ++.IR member . > ++The group with DN > ++.B > ++is searched with base scope, filtered on the specified > ++.BR objectClass . > ++The values of the resulting > ++.B attributeType > ++are searched for the asserted DN. > ++ > ++.LP > ++The fifth form is provided for backwards compatibility. If no identity > ++type is provided, i.e. only > ++.B > ++is present, an > ++.I exact DN > ++is assumed; as a consequence, > ++.B > ++is subjected to DN normalization. > ++ > ++.LP > ++Since the interpretation of > ++.I authzFrom > ++and > ++.I authzTo > ++can impact security, users are strongly encouraged > ++to explicitly set the type of identity specification that is being used. > ++A subset of these rules can be used as third arg in the > ++.B authz\-regexp > ++statement (see below); significantly, the > ++.IR URI , > ++provided it results in exactly one entry, > ++and the > ++.I dn.exact: > ++forms. 
> ++.RE > ++.TP > ++.B authz\-regexp > ++Used by the authentication framework to convert simple user names, > ++such as provided by SASL subsystem, or extracted from certificates > ++in case of cert-based SASL EXTERNAL, or provided within the RFC 4370 > ++"proxied authorization" control, to an LDAP DN used for > ++authorization purposes. Note that the resulting DN need not refer > ++to an existing entry to be considered valid. When an authorization > ++request is received from the SASL subsystem, the SASL > ++.BR USERNAME , > ++.BR REALM , > ++and > ++.B MECHANISM > ++are taken, when available, and combined into a name of the form > ++.RS > ++.RS > ++.TP > ++.B UID=[[,CN=],CN=],CN=auth > ++ > ++.RE > ++This name is then compared against the > ++.B match > ++POSIX (''extended'') regular expression, and if the match is successful, > ++the name is replaced with the > ++.B replace > ++string. If there are wildcard strings in the > ++.B match > ++regular expression that are enclosed in parenthesis, e.g. > ++.RS > ++.TP > ++.B UID=([^,]*),CN=.* > ++ > ++.RE > ++then the portion of the name that matched the wildcard will be stored > ++in the numbered placeholder variable $1. If there are other wildcard strings > ++in parenthesis, the matching strings will be in $2, $3, etc. up to $9. The > ++placeholders can then be used in the > ++.B replace > ++string, e.g. > ++.RS > ++.TP > ++.B UID=$1,OU=Accounts,DC=example,DC=com > ++ > ++.RE > ++The replaced name can be either a DN, i.e. a string prefixed by "dn:", > ++or an LDAP URI. > ++If the latter, the server will use the URI to search its own database(s) > ++and, if the search returns exactly one entry, the name is > ++replaced by the DN of that entry. The LDAP URI must have no > ++hostport, attrs, or extensions components, but the filter is mandatory, > ++e.g. > ++.RS > ++.TP > ++.B ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1) > ++ > ++.RE > ++The protocol portion of the URI must be strictly > ++.BR ldap . 
> ++Note that this search is subject to access controls. Specifically, > ++the authentication identity must have "auth" access in the subject. > ++ > ++Multiple > ++.B authz\-regexp > ++options can be given in the configuration file to allow for multiple matching > ++and replacement patterns. The matching patterns are checked in the order they > ++appear in the file, stopping at the first successful match. > ++ > ++.\".B Caution: > ++.\"Because the plus sign + is a character recognized by the regular expression engine, > ++.\"and it will appear in names that include a REALM, be careful to escape the > ++.\"plus sign with a backslash \\+ to remove the character's special meaning. > ++.RE > ++.TP > ++.B concurrency > ++Specify a desired level of concurrency. Provided to the underlying > ++thread system as a hint. The default is not to provide any hint. This setting > ++is only meaningful on some platforms where there is not a one to one > ++correspondence between user threads and kernel threads. > ++.TP > ++.B conn_max_pending > ++Specify the maximum number of pending requests for an anonymous session. > ++If requests are submitted faster than the server can process them, they > ++will be queued up to this limit. If the limit is exceeded, the session > ++is closed. The default is 100. > ++.TP > ++.B conn_max_pending_auth > ++Specify the maximum number of pending requests for an authenticated session. > ++The default is 1000. > ++.TP > ++.B defaultsearchbase > ++Specify a default search base to use when client submits a > ++non-base search request with an empty base DN. > ++Base scoped search requests with an empty base DN are not affected. > ++.TP > ++.B disallow > ++Specify a set of features (separated by white space) to > ++disallow (default none). > ++.B bind_anon > ++disables acceptance of anonymous bind requests. Note that this setting > ++does not prohibit anonymous directory access (See "require authc"). 
> ++.B bind_simple > ++disables simple (bind) authentication. > ++.B tls_2_anon > ++disables forcing session to anonymous status (see also > ++.BR tls_authc ) > ++upon StartTLS operation receipt. > ++.B tls_authc > ++disallows the StartTLS operation if authenticated (see also > ++.BR tls_2_anon ). > ++.B proxy_authz_non_critical > ++disables acceptance of the proxied authorization control (RFC4370) > ++with criticality set to FALSE. > ++.B dontusecopy_non_critical > ++disables acceptance of the dontUseCopy control (a work in progress) > ++with criticality set to FALSE. > ++.HP > ++.hy 0 > ++.B ditcontentrule "(\ \ > ++ [NAME\ ]\ > ++ [DESC\ ]\ > ++ [OBSOLETE]\ > ++ [AUX\ ]\ > ++ [MUST\ ]\ > ++ [MAY\ ]\ > ++ [NOT\ ]\ )" > ++.RS > ++Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 4512. > ++The slapd parser extends the RFC 4512 definition by allowing string > ++forms as well as numeric OIDs to be used for the attribute OID and > ++attribute syntax OID. > ++(See the > ++.B objectidentifier > ++description.) > ++.RE > ++.TP > ++.B gentlehup { on | off } > ++A SIGHUP signal will only cause a 'gentle' shutdown-attempt: > ++.B Slapd > ++will stop listening for new connections, but will not close the > ++connections to the current clients. Future write operations return > ++unwilling-to-perform, though. Slapd terminates when all clients > ++have closed their connections (if they ever do), or \- as before \- > ++if it receives a SIGTERM signal. This can be useful if you wish to > ++terminate the server and start a new > ++.B slapd > ++server > ++.B with another database, > ++without disrupting the currently active clients. > ++The default is off. You may wish to use > ++.B idletimeout > ++along with this option. > ++.TP > ++.B idletimeout > ++Specify the number of seconds to wait before forcibly closing > ++an idle client connection. A setting of 0 disables this > ++feature. The default is 0. You may also want to set the > ++.B writetimeout > ++option. 
> ++.TP > ++.B include > ++Read additional configuration information from the given file before > ++continuing with the next line of the current file. > ++.TP > ++.B index_hash64 { on | off } > ++Use a 64 bit hash for indexing. The default is to use 32 bit hashes. > ++These hashes are used for equality and substring indexing. The 64 bit > ++version may be needed to avoid index collisions when the number of > ++indexed values exceeds ~64 million. (Note that substring indexing > ++generates multiple index values per actual attribute value.) > ++Indices generated with 32 bit hashes are incompatible with the 64 bit > ++version, and vice versa. Any existing databases must be fully reloaded > ++when changing this setting. This directive is only supported on 64 bit CPUs. > ++.TP > ++.B index_intlen > ++Specify the key length for ordered integer indices. The most significant > ++bytes of the binary integer will be used for index keys. The default > ++value is 4, which provides exact indexing for 31 bit values. > ++A floating point representation is used to index too large values. > ++.TP > ++.B index_substr_if_maxlen > ++Specify the maximum length for subinitial and subfinal indices. Only > ++this many characters of an attribute value will be processed by the > ++indexing functions; any excess characters are ignored. The default is 4. > ++.TP > ++.B index_substr_if_minlen > ++Specify the minimum length for subinitial and subfinal indices. An > ++attribute value must have at least this many characters in order to be > ++processed by the indexing functions. The default is 2. > ++.TP > ++.B index_substr_any_len > ++Specify the length used for subany indices. An attribute value must have > ++at least this many characters in order to be processed. Attribute values > ++longer than this length will be processed in segments of this length. The > ++default is 4. 
The subany index will also be used in subinitial and > ++subfinal index lookups when the filter string is longer than the > ++.I index_substr_if_maxlen > ++value. > ++.TP > ++.B index_substr_any_step > ++Specify the steps used in subany index lookups. This value sets the offset > ++for the segments of a filter string that are processed for a subany index > ++lookup. The default is 2. For example, with the default values, a search > ++using this filter "cn=*abcdefgh*" would generate index lookups for > ++"abcd", "cdef", and "efgh". > ++ > ++.LP > ++Note: Indexing support depends on the particular backend in use. Also, > ++changing these settings will generally require deleting any indices that > ++depend on these parameters and recreating them with > ++.BR slapindex (8). > ++ > ++.HP > ++.hy 0 > ++.B ldapsyntax "(\ \ > ++ [DESC\ ]\ > ++ [X\-SUBST ]\ )" > ++.RS > ++Specify an LDAP syntax using the LDAPv3 syntax defined in RFC 4512. > ++The slapd parser extends the RFC 4512 definition by allowing string > ++forms as well as numeric OIDs to be used for the syntax OID. > ++(See the > ++.B objectidentifier > ++description.) > ++The slapd parser also honors the > ++.B X\-SUBST > ++extension (an OpenLDAP-specific extension), which allows one to use the > ++.B ldapsyntax > ++statement to define a non-implemented syntax along with another syntax, > ++the extension value > ++.IR substitute-syntax , > ++as its temporary replacement. > ++The > ++.I substitute-syntax > ++must be defined. > ++This allows one to define attribute types that make use of non-implemented syntaxes > ++using the correct syntax OID. > ++Unless > ++.B X\-SUBST > ++is used, this configuration statement would result in an error, > ++since no handlers would be associated to the resulting syntax structure. > ++.RE > ++ > ++.TP > ++.B listener-threads > ++Specify the number of threads to use for the connection manager. > ++The default is 1 and this is typically adequate for up to 16 CPU cores. 
> ++The value should be set to a power of 2. > ++.TP > ++.B localSSF > ++Specifies the Security Strength Factor (SSF) to be given local LDAP sessions, > ++such as those to the ldapi:// listener. For a description of SSF values, > ++see > ++.BR sasl-secprops 's > ++.B minssf > ++option description. The default is 71. > ++.TP > ++.B logfile > ++Specify a file for recording slapd debug messages. By default these messages > ++only go to stderr, are not recorded anywhere else, and are unrelated to > ++messages exposed by the > ++.B loglevel > ++configuration parameter. Specifying a logfile copies messages to both stderr > ++and the logfile. > ++.TP > ++.B logfile-format debug | syslog-utc | syslog-localtime > ++Specify the prefix format for messages written to the logfile. The debug > ++format is the normal format used for slapd debug messages, with a timestamp > ++in hexadecimal, followed by a thread ID. The other options are to > ++use syslog(3) style prefixes, with timestamps either in UTC or in the > ++local timezone. The default is debug format. > ++.TP > ++.B logfile-only on | off > ++Specify that debug messages should only go to the configured logfile, and > ++not to stderr. > ++.TP > ++.B logfile-rotate > ++Specify automatic rotation for the configured logfile as the maximum > ++number of old logfiles to retain, a maximum size in megabytes to allow a > ++logfile to grow before rotation, and a maximum age in hours for a logfile > ++to be used before rotation. The maximum number must be in the range 1-99. > ++Setting Mbytes or hours to zero disables the size or age check, respectively. > ++At least one of Mbytes or hours must be non-zero. By default no automatic > ++rotation will be performed. > ++.TP > ++.B loglevel [...] > ++Specify the level at which debugging statements and operation > ++statistics should be syslogged (currently logged to the > ++.BR syslogd (8) > ++LOG_LOCAL4 facility). 
> ++They must be considered subsystems rather than increasingly verbose > ++log levels. > ++Some messages with higher priority are logged regardless > ++of the configured loglevel as soon as any logging is configured. > ++Log levels are additive, and available levels are: > ++.RS > ++.RS > ++.PD 0 > ++.TP > ++.B 1 > ++.B (0x1 trace) > ++trace function calls > ++.TP > ++.B 2 > ++.B (0x2 packets) > ++debug packet handling > ++.TP > ++.B 4 > ++.B (0x4 args) > ++heavy trace debugging (function args) > ++.TP > ++.B 8 > ++.B (0x8 conns) > ++connection management > ++.TP > ++.B 16 > ++.B (0x10 BER) > ++print out packets sent and received > ++.TP > ++.B 32 > ++.B (0x20 filter) > ++search filter processing > ++.TP > ++.B 64 > ++.B (0x40 config) > ++configuration file processing > ++.TP > ++.B 128 > ++.B (0x80 ACL) > ++access control list processing > ++.TP > ++.B 256 > ++.B (0x100 stats) > ++connections, LDAP operations, results (recommended) > ++.TP > ++.B 512 > ++.B (0x200 stats2) > ++stats2 log entries sent > ++.TP > ++.B 1024 > ++.B (0x400 shell) > ++print communication with shell backends > ++.TP > ++.B 2048 > ++.B (0x800 parse) > ++entry parsing > ++\".TP > ++\".B 4096 > ++\".B (0x1000 cache) > ++\"caching (unused) > ++\".TP > ++\".B 8192 > ++\".B (0x2000 index) > ++\"data indexing (unused) > ++.TP > ++.B 16384 > ++.B (0x4000 sync) > ++LDAPSync replication > ++.TP > ++.B 32768 > ++.B (0x8000 none) > ++only messages that get logged whatever log level is set > ++.PD > ++.RE > ++The desired log level can be input as a single integer that combines > ++the (ORed) desired levels, both in decimal or in hexadecimal notation, > ++as a list of integers (that are ORed internally), > ++or as a list of the names that are shown between parentheses, such that > ++.LP > ++.nf > ++ loglevel 129 > ++ loglevel 0x81 > ++ loglevel 128 1 > ++ loglevel 0x80 0x1 > ++ loglevel acl trace > ++.fi > ++.LP > ++are equivalent. 
> ++The keyword > ++.B any > ++can be used as a shortcut to enable logging at all levels (equivalent to \-1). > ++The keyword > ++.BR none , > ++or the equivalent integer representation, causes those messages > ++that are logged regardless of the configured loglevel to be logged. > ++In fact, if loglevel is set to 0, no logging occurs, > ++so at least the > ++.B none > ++level is required to have high priority messages logged. > ++ > ++Note that the > ++.BR packets , > ++.BR BER , > ++and > ++.B parse > ++levels are only available as debug output on stderr, and are not > ++sent to syslog. > ++ > ++The loglevel defaults to \fBstats\fP. > ++This level should usually also be included when using other loglevels, to > ++help analyze the logs. > ++.RE > ++.TP > ++.B maxfilterdepth > ++Specify the maximum depth of nested filters in search requests. > ++The default is 1000. > ++.TP > ++.B moduleload [...] > ++Specify the name of a dynamically loadable module to load and any > ++additional arguments if supported by the module. The filename > ++may be an absolute path name or a simple filename. Non-absolute names > ++are searched for in the directories specified by the > ++.B modulepath > ++option. This option and the > ++.B modulepath > ++option are only usable if slapd was compiled with \-\-enable\-modules. > ++.TP > ++.B modulepath > ++Specify a list of directories to search for loadable modules. Typically > ++the path is colon-separated but this depends on the operating system. > ++The default is MODULEDIR, which is where the standard OpenLDAP install > ++will place its modules. > ++.HP > ++.hy 0 > ++.B objectclass "(\ \ > ++ [NAME\ ]\ > ++ [DESC\ ]\ > ++ [OBSOLETE]\ > ++ [SUP\ ]\ > ++ [{ ABSTRACT | STRUCTURAL | AUXILIARY }]\ > ++ [MUST\ ] [MAY\ ] )" > ++.RS > ++Specify an objectclass using the LDAPv3 syntax defined in RFC 4512. > ++The slapd parser extends the RFC 4512 definition by allowing string > ++forms as well as numeric OIDs to be used for the object class OID. 
> ++(See the > ++.B > ++objectidentifier > ++description.) Object classes are "STRUCTURAL" by default. > ++.RE > ++.TP > ++.B objectidentifier "{ | [:] }" > ++Define a string name that equates to the given OID. The string can be used > ++in place of the numeric OID in objectclass and attribute definitions. The > ++name can also be used with a suffix of the form ":xx" in which case the > ++value "oid.xx" will be used. > ++.TP > ++.B password\-hash [...] > ++This option configures one or more hashes to be used in generation of user > ++passwords stored in the userPassword attribute during processing of > ++LDAP Password Modify Extended Operations (RFC 3062). > ++The must be one of > ++.BR {SSHA} , > ++.BR {SHA} , > ++.BR {SMD5} , > ++.BR {MD5} , > ++.BR {CRYPT} , > ++and > ++.BR {CLEARTEXT} . > ++The default is > ++.BR {SSHA} . > ++ > ++.B {SHA} > ++and > ++.B {SSHA} > ++use the SHA-1 algorithm (FIPS 160-1), the latter with a seed. > ++ > ++.B {MD5} > ++and > ++.B {SMD5} > ++use the MD5 algorithm (RFC 1321), the latter with a seed. > ++ > ++.B {CRYPT} > ++uses the > ++.BR crypt (3). > ++ > ++.B {CLEARTEXT} > ++indicates that the new password should be > ++added to userPassword as clear text. > ++ > ++Note that this option does not alter the normal user applications > ++handling of userPassword during LDAP Add, Modify, or other LDAP operations. > ++.TP > ++.B password\-crypt\-salt\-format > ++Specify the format of the salt passed to > ++.BR crypt (3) > ++when generating {CRYPT} passwords (see > ++.BR password\-hash ) > ++during processing of LDAP Password Modify Extended Operations (RFC 3062). > ++ > ++This string needs to be in > ++.BR sprintf (3) > ++format and may include one (and only one) %s conversion. > ++This conversion will be substituted with a string of random > ++characters from [A\-Za\-z0\-9./]. 
For example, "%.2s" > ++provides a two character salt and "$1$%.8s" tells some > ++versions of crypt(3) to use an MD5 algorithm and provides > ++8 random characters of salt. The default is "%s", which > ++provides 31 characters of salt. > ++.TP > ++.B pidfile > ++The (absolute) name of a file that will hold the > ++.B slapd > ++server's process ID (see > ++.BR getpid (2)). > ++.TP > ++.B pluginlog: > ++The ( absolute ) name of a file that will contain log > ++messages from > ++.B SLAPI > ++plugins. See > ++.BR slapd.plugin (5) > ++for details. > ++.TP > ++.B referral > ++Specify the referral to pass back when > ++.BR slapd (8) > ++cannot find a local database to handle a request. > ++If specified multiple times, each url is provided. > ++.TP > ++.B require > ++Specify a set of conditions (separated by white space) to > ++require (default none). > ++The directive may be specified globally and/or per-database; > ++databases inherit global conditions, so per-database specifications > ++are additive. > ++.B bind > ++requires bind operation prior to directory operations. > ++.B LDAPv3 > ++requires session to be using LDAP version 3. > ++.B authc > ++requires authentication prior to directory operations. > ++.B SASL > ++requires SASL authentication prior to directory operations. > ++.B strong > ++requires strong authentication prior to directory operations. > ++The strong keyword allows protected "simple" authentication > ++as well as SASL authentication. > ++.B none > ++may be used to require no conditions (useful to clear out globally > ++set conditions within a particular database); it must occur first > ++in the list of conditions. > ++.TP > ++.B reverse\-lookup on | off > ++Enable/disable client name unverified reverse lookup (default is > ++.BR off > ++if compiled with \-\-enable\-rlookups). > ++.TP > ++.B rootDSE > ++Specify the name of an LDIF(5) file containing user defined attributes > ++for the root DSE. 
These attributes are returned in addition to the > ++attributes normally produced by slapd. > ++ > ++The root DSE is an entry with information about the server and its > ++capabilities, in operational attributes. > ++It has the empty DN, and can be read with e.g.: > ++.ti +4 > ++ldapsearch \-x \-b "" \-s base "+" > ++.br > ++See RFC 4512 section 5.1 for details. > ++.TP > ++.B sasl\-auxprops [...] > ++Specify which auxprop plugins to use for authentication lookups. The > ++default is empty, which just uses slapd's internal support. Usually > ++no other auxprop plugins are needed. > ++.TP > ++.B sasl\-auxprops\-dontusecopy [...] > ++Specify which attribute(s) should be subject to the don't use copy control. This > ++is necessary for some SASL mechanisms such as OTP to work in a replicated > ++environment. The attribute "cmusaslsecretOTP" is the default value. > ++.TP > ++.B sasl\-auxprops\-dontusecopy\-ignore on | off > ++Used to disable replication of the attribute(s) defined by > ++sasl-auxprops-dontusecopy and instead use a local value for the attribute. This > ++allows the SASL mechanism to continue to work if the provider is offline. This can > ++cause replication inconsistency. Defaults to off. > ++.TP > ++.B sasl\-host > ++Used to specify the fully qualified domain name used for SASL processing. > ++.TP > ++.B sasl\-realm > ++Specify SASL realm. Default is empty. > ++.TP > ++.B sasl\-cbinding none | tls-unique | tls-endpoint > ++Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING. > ++Default is none. > ++.TP > ++.B sasl\-secprops > ++Used to specify Cyrus SASL security properties. > ++The > ++.B none > ++flag (without any other properties) causes the flag properties > ++default, "noanonymous,noplain", to be cleared. > ++The > ++.B noplain > ++flag disables mechanisms susceptible to simple passive attacks. > ++The > ++.B noactive > ++flag disables mechanisms susceptible to active attacks. 
> ++The > ++.B nodict > ++flag disables mechanisms susceptible to passive dictionary attacks. > ++The > ++.B noanonymous > ++flag disables mechanisms which support anonymous login. > ++The > ++.B forwardsec > ++flag require forward secrecy between sessions. > ++The > ++.B passcred > ++require mechanisms which pass client credentials (and allow > ++mechanisms which can pass credentials to do so). > ++The > ++.B minssf= > ++property specifies the minimum acceptable > ++.I security strength factor > ++as an integer approximate to effective key length used for > ++encryption. 0 (zero) implies no protection, 1 implies integrity > ++protection only, 128 allows RC4, Blowfish and other similar ciphers, > ++256 will require modern ciphers. The default is 0. > ++The > ++.B maxssf= > ++property specifies the maximum acceptable > ++.I security strength factor > ++as an integer (see minssf description). The default is INT_MAX. > ++The > ++.B maxbufsize= > ++property specifies the maximum security layer receive buffer > ++size allowed. 0 disables security layers. The default is 65536. > ++.TP > ++.B schemadn > ++Specify the distinguished name for the subschema subentry that > ++controls the entries on this server. The default is "cn=Subschema". > ++.TP > ++.B security > ++Specify a set of security strength factors (separated by white space) > ++to require (see > ++.BR sasl\-secprops 's > ++.B minssf > ++option for a description of security strength factors). > ++The directive may be specified globally and/or per-database. > ++.B ssf= > ++specifies the overall security strength factor. > ++.B transport= > ++specifies the transport security strength factor. > ++.B tls= > ++specifies the TLS security strength factor. > ++.B sasl= > ++specifies the SASL security strength factor. > ++.B update_ssf= > ++specifies the overall security strength factor to require for > ++directory updates. 
> ++.B update_transport= > ++specifies the transport security strength factor to require for > ++directory updates. > ++.B update_tls= > ++specifies the TLS security strength factor to require for > ++directory updates. > ++.B update_sasl= > ++specifies the SASL security strength factor to require for > ++directory updates. > ++.B simple_bind= > ++specifies the security strength factor required for > ++.I simple > ++username/password authentication. > ++Note that the > ++.B transport > ++factor is measure of security provided by the underlying transport, > ++e.g. ldapi:// (and eventually IPSEC). It is not normally used. > ++.TP > ++.B serverID [] > ++Specify an integer ID from 0 to 4095 for this server. The ID may also be > ++specified as a hexadecimal ID by prefixing the value with "0x". > ++Non-zero IDs are required when using multi-provider replication and each > ++provider must have a unique non-zero ID. Note that this requirement also > ++applies to separate providers contributing to a glued set of databases. > ++If the URL is provided, this directive may be specified > ++multiple times, providing a complete list of participating servers > ++and their IDs. The fully qualified hostname of each server should be > ++used in the supplied URLs. The IDs are used in the "replica id" field > ++of all CSNs generated by the specified server. The default value is zero, which > ++is only valid for single provider replication. > ++Example: > ++.LP > ++.nf > ++ serverID 1 ldap://ldap1.example.com > ++ serverID 2 ldap://ldap2.example.com > ++.fi > ++.TP > ++.B sizelimit {|unlimited} > ++.TP > ++.B sizelimit size[.{soft|hard}]= [...] > ++Specify the maximum number of entries to return from a search operation. > ++The default size limit is 500. > ++Use > ++.B unlimited > ++to specify no limits. > ++The second format allows a fine grain setting of the size limits. > ++If no special qualifiers are specified, both soft and hard limits are set. 
> ++Extra args can be added on the same line. > ++Additional qualifiers are available; see > ++.BR limits > ++for an explanation of all of the different flags. > ++.TP > ++.B sockbuf_max_incoming > ++Specify the maximum incoming LDAP PDU size for anonymous sessions. > ++The default is 262143. > ++.TP > ++.B sockbuf_max_incoming_auth > ++Specify the maximum incoming LDAP PDU size for authenticated sessions. > ++The default is 4194303. > ++.TP > ++.B sortvals [...] > ++Specify a list of multi-valued attributes whose values will always > ++be maintained in sorted order. Using this option will allow Modify, > ++Compare, and filter evaluations on these attributes to be performed > ++more efficiently. The resulting sort order depends on the > ++attributes' syntax and matching rules and may not correspond to > ++lexical order or any other recognizable order. > ++.TP > ++.B tcp-buffer [listener=] [{read|write}=] > ++Specify the size of the TCP buffer. > ++A global value for both read and write TCP buffers related to any listener > ++is defined, unless the listener is explicitly specified, > ++or either the read or write qualifiers are used. > ++See > ++.BR tcp (7) > ++for details. > ++Note that some OS-es implement automatic TCP buffer tuning. > ++.TP > ++.B threads > ++Specify the maximum size of the primary thread pool. > ++The default is 16; the minimum value is 2. > ++.TP > ++.B threadqueues > ++Specify the number of work queues to use for the primary thread pool. > ++The default is 1 and this is typically adequate for up to 8 CPU cores. > ++The value should not exceed the number of CPUs in the system. > ++.TP > ++.B timelimit {|unlimited} > ++.TP > ++.B timelimit time[.{soft|hard}]= [...] > ++Specify the maximum number of seconds (in real time) > ++.B slapd > ++will spend answering a search request. The default time limit is 3600. > ++Use > ++.B unlimited > ++to specify no limits. > ++The second format allows a fine grain setting of the time limits. 
> ++Extra args can be added on the same line. See > ++.BR limits > ++for an explanation of the different flags. > ++.TP > ++.B tool\-threads > ++Specify the maximum number of threads to use in tool mode. > ++This should not be greater than the number of CPUs in the system. > ++The default is 1. > ++.TP > ++.B writetimeout > ++Specify the number of seconds to wait before forcibly closing > ++a connection with an outstanding write. This allows recovery from > ++various network hang conditions. A writetimeout of 0 disables this > ++feature. The default is 0. > ++.SH TLS OPTIONS > ++If > ++.B slapd > ++is built with support for Transport Layer Security, there are more options > ++you can specify. > ++.TP > ++.B TLSCipherSuite > ++Permits configuring what ciphers will be accepted and the preference order. > ++ should be a cipher specification for the TLS library > ++in use (OpenSSL or GnuTLS). > ++Example: > ++.RS > ++.RS > ++.TP > ++.I OpenSSL: > ++TLSCipherSuite HIGH:MEDIUM:+SSLv2 > ++.TP > ++.I GnuTLS: > ++TLSCiphersuite SECURE256:!AES-128-CBC > ++.RE > ++ > ++To check what ciphers a given spec selects in OpenSSL, use: > ++ > ++.nf > ++ openssl ciphers \-v > ++.fi > ++ > ++With GnuTLS the available specs can be found in the manual page of > ++.BR gnutls\-cli (1) > ++(see the description of the > ++option > ++.BR \-\-priority ). > ++ > ++In older versions of GnuTLS, where gnutls\-cli does not support the option > ++\-\-priority, you can obtain the \(em more limited \(em list of ciphers by calling: > ++ > ++.nf > ++ gnutls\-cli \-l > ++.fi > ++.RE > ++.TP > ++.B TLSCACertificateFile > ++Specifies the file that contains certificates for all of the Certificate > ++Authorities that > ++.B slapd > ++will recognize. The certificate for > ++the CA that signed the server certificate must(GnuTLS)/may(OpenSSL) be included among > ++these certificates. 
If the signing CA was not a top-level (root) CA, > ++certificates for the entire sequence of CA's from the signing CA to > ++the top-level CA should be present. Multiple certificates are simply > ++appended to the file; the order is not significant. > ++.TP > ++.B TLSCACertificatePath > ++Specifies the path of directories that contain Certificate Authority > ++certificates in separate individual files. Usually only one of this > ++or the TLSCACertificateFile is used. If both are specified, both > ++locations will be used. Multiple directories may be specified, > ++separated by a semi-colon. > ++.TP > ++.B TLSCertificateFile > ++Specifies the file that contains the > ++.B slapd > ++server certificate. > ++ > ++When using OpenSSL that file may also contain any number of intermediate > ++certificates after the server certificate. > ++.TP > ++.B TLSCertificateKeyFile > ++Specifies the file that contains the > ++.B slapd > ++server private key that matches the certificate stored in the > ++.B TLSCertificateFile > ++file. Currently, the private key must not be protected with a password, so > ++it is of critical importance that it is protected carefully. > ++.TP > ++.B TLSDHParamFile > ++This directive specifies the file that contains parameters for Diffie-Hellman > ++ephemeral key exchange. This is required in order to use a DSA certificate on > ++the server, or an RSA certificate missing the "key encipherment" key usage. > ++Note that setting this option may also enable > ++Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites. > ++Anonymous key exchanges should generally be avoided since they provide no > ++actual client or server authentication and provide no protection against > ++man-in-the-middle attacks. > ++You should append "!ADH" to your cipher suites to ensure that these suites > ++are not used. > ++.TP > ++.B TLSECName > ++Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman > ++ephemeral key exchange. 
This option is only used for OpenSSL. > ++This option is not used with GnuTLS; the curves may be > ++chosen in the GnuTLS ciphersuite specification. > ++.TP > ++.B TLSProtocolMin [.] > ++Specifies minimum SSL/TLS protocol version that will be negotiated. > ++If the server doesn't support at least that version, > ++the SSL handshake will fail. > ++To require TLS 1.x or higher, set this option to 3.(x+1), > ++e.g., > ++ > ++.nf > ++ TLSProtocolMin 3.2 > ++.fi > ++ > ++would require TLS 1.1. > ++Specifying a minimum that is higher than that supported by the > ++OpenLDAP implementation will result in it requiring the > ++highest level that it does support. > ++This directive is ignored with GnuTLS. > ++.TP > ++.B TLSRandFile > ++Specifies the file to obtain random bits from when /dev/[u]random > ++is not available. Generally set to the name of the EGD/PRNGD socket. > ++The environment variable RANDFILE can also be used to specify the filename. > ++This directive is ignored with GnuTLS. > ++.TP > ++.B TLSVerifyClient > ++Specifies what checks to perform on client certificates in an > ++incoming TLS session, if any. > ++The > ++.B > ++can be specified as one of the following keywords: > ++.RS > ++.TP > ++.B never > ++This is the default. > ++.B slapd > ++will not ask the client for a certificate. > ++.TP > ++.B allow > ++The client certificate is requested. If no certificate is provided, > ++the session proceeds normally. If a bad certificate is provided, > ++it will be ignored and the session proceeds normally. > ++.TP > ++.B try > ++The client certificate is requested. If no certificate is provided, > ++the session proceeds normally. If a bad certificate is provided, > ++the session is immediately terminated. > ++.TP > ++.B demand | hard | true > ++These keywords are all equivalent, for compatibility reasons. > ++The client certificate is requested. If no certificate is provided, > ++or a bad certificate is provided, the session is immediately terminated. 
> ++ > ++Note that a valid client certificate is required in order to use the > ++SASL EXTERNAL authentication mechanism with a TLS session. As such, > ++a non-default > ++.B TLSVerifyClient > ++setting must be chosen to enable SASL EXTERNAL authentication. > ++.RE > ++.TP > ++.B TLSCRLCheck > ++Specifies if the Certificate Revocation List (CRL) of the CA should be > ++used to verify if the client certificates have not been revoked. This > ++requires > ++.B TLSCACertificatePath > ++parameter to be set. This directive is ignored with GnuTLS. > ++.B > ++can be specified as one of the following keywords: > ++.RS > ++.TP > ++.B none > ++No CRL checks are performed > ++.TP > ++.B peer > ++Check the CRL of the peer certificate > ++.TP > ++.B all > ++Check the CRL for a whole certificate chain > ++.RE > ++.TP > ++.B TLSCRLFile > ++Specifies a file containing a Certificate Revocation List to be used > ++for verifying that certificates have not been revoked. This directive is > ++only valid when using GnuTLS. > ++.SH GENERAL BACKEND OPTIONS > ++Options in this section only apply to the configuration file section > ++of all instances of the specified backend. All backends may support > ++this class of options, but currently only back-mdb does. > ++.TP > ++.B backend > ++Mark the beginning of a backend definition. > ++should be one of > ++.BR asyncmeta , > ++.BR config , > ++.BR dnssrv , > ++.BR ldap , > ++.BR ldif , > ++.BR mdb , > ++.BR meta , > ++.BR monitor , > ++.BR null , > ++.BR passwd , > ++.BR perl , > ++.BR relay , > ++.BR sock , > ++.BR sql , > ++or > ++.BR wt . > ++At present, only back-mdb implements any options of this type, so this > ++setting is not needed for any other backends. > ++ > ++.SH GENERAL DATABASE OPTIONS > ++Options in this section only apply to the configuration file section > ++for the database in which they are defined. They are supported by every > ++type of backend. 
Note that the > ++.B database > ++and at least one > ++.B suffix > ++option are mandatory for each database. > ++.TP > ++.B database > ++Mark the beginning of a new database instance definition. > ++should be one of > ++.BR asyncmeta , > ++.BR config , > ++.BR dnssrv , > ++.BR ldap , > ++.BR ldif , > ++.BR mdb , > ++.BR meta , > ++.BR monitor , > ++.BR null , > ++.BR passwd , > ++.BR perl , > ++.BR relay , > ++.BR sock , > ++.BR sql , > ++or > ++.BR wt , > ++depending on which backend will serve the database. > ++ > ++LDAP operations, even subtree searches, normally access only one > ++database. > ++That can be changed by gluing databases together with the > ++.B subordinate > ++keyword. > ++Access controls and some overlays can also involve multiple databases. > ++.TP > ++.B add_content_acl on | off > ++Controls whether Add operations will perform ACL checks on > ++the content of the entry being added. This check is off > ++by default. See the > ++.BR slapd.access (5) > ++manual page for more details on ACL requirements for > ++Add operations. > ++.TP > ++.B extra_attrs > ++Lists what attributes need to be added to search requests. > ++Local storage backends return the entire entry to the frontend. > ++The frontend takes care of only returning the requested attributes > ++that are allowed by ACLs. > ++However, features like access checking and so may need specific > ++attributes that are not automatically returned by remote storage > ++backends, like proxy backends and so on. > ++.B > ++is a list of attributes that are needed for internal purposes > ++and thus always need to be collected, even when not explicitly > ++requested by clients. > ++.TP > ++.B hidden on | off > ++Controls whether the database will be used to answer > ++queries. A database that is hidden will never be > ++selected to answer any queries, and any suffix configured > ++on the database will be ignored in checks for conflicts > ++with other databases. By default, hidden is off. 
> ++.TP > ++.B lastmod on | off > ++Controls whether > ++.B slapd > ++will automatically maintain the > ++modifiersName, modifyTimestamp, creatorsName, and > ++createTimestamp attributes for entries. It also controls > ++the entryCSN and entryUUID attributes, which are needed > ++by the syncrepl provider. By default, lastmod is on. > ++.TP > ++.B lastbind on | off > ++Controls whether > ++.B slapd > ++will automatically maintain the pwdLastSuccess attribute for > ++entries. By default, lastbind is off. > ++.TP > ++.B lastbind-precision > ++If lastbind is enabled, specifies how frequently pwdLastSuccess > ++will be updated. More than > ++.B integer > ++seconds must have passed since the last successful bind. In a > ++replicated environment with frequent bind activity it may be > ++useful to set this to a large value. > ++.TP > ++.B limits [ [...]] > ++Specify time and size limits based on the operation's initiator or > ++base DN. > ++The argument > ++.B > ++can be any of > ++.RS > ++.RS > ++.TP > ++anonymous | users | [=] | group[/oc[/at]]= > ++ > ++.RE > ++with > ++.RS > ++.TP > ++ ::= dn[.][.
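Review bot: several directive synopses in this hunk have lost their argument placeholders, which makes the man page render wrong: `.B objectidentifier "{ | [:] }"`, `.B password\-hash [...]` followed by `The must be one of`, `.B moduleload [...]`, and the bare `.B` line directly before `can be specified as one of the following keywords:` under both TLSVerifyClient and TLSCRLCheck (a `.B` with no argument bolds the next input line, so that sentence would be emboldened and the keyword name is gone). Please confirm the `<...>` argument placeholders are present in the actual consolidated patch file and were only stripped in this quoting; if they are really absent, restore them before the patch goes in. Minor: the GnuTLS example is spelled `TLSCiphersuite` while the directive heading and OpenSSL example use `TLSCipherSuite`; harmless for the parser but confusing in a man page, and the OpenSSL example `TLSCipherSuite HIGH:MEDIUM:+SSLv2` and the `TLSProtocolMin 3.2` (TLS 1.1) example are upstream text carried over unchanged, so nobody should copy them into a production slapd.conf.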