[PATCH] openldap: Update to version 2.6.8

- Update from version 2.6.5 to 2.6.8 - Update of rootfile - Replacement of previous 2.6.5-consolideated patch with 2.6.8-consolidated patch - Changelog 2.6.8 Fixed libldap exit handling with OpenSSL3 again (ITS#9952) Fixed libldap OpenSSL channel binding digest (ITS#10216) Fixed slapd handling of large uid/gids peercred auth (ITS#10211) Fixed slapd-asyncmeta/meta target structure allocations (ITS#10197) Fixed slapd-meta with dynlist (ITS#10164) Fixed slapd-meta binds when proxying internal op (ITS#10165) Added slapo-nestgroup overlay (ITS#10161) Added slapo-memberof 'addcheck' option (ITS#10167) Fixed slapo-accesslog startup initialization (ITS#10170) Fixed slapo-constraint double free on invalid attr (ITS#10204) Fixed slapo-dynlist with abandoned operations (ITS#10044) Build Fixed build with gcc14.x (ITS#10166) Fixed back-perl with clang15 (ITS#10177) Fixed to reduce systemd dependencies (ITS#10214) Contrib Added slapo-alias contrib module (ITS#10104, ITS#10182) Fixed slapo-autogroup to work with slapo-dynlist (ITS#10185) Fixed smbk5pwd implicit function declaration (ITS#10206) Documentation Fixed slapo-memberof exattr requirements (ITS#7400) Fixed slapo-memberof is no longer deprecated (ITS#7400) Minor Cleanup ITS#9921 ITS#10103 ITS#10171 ITS#10172 ITS#10173 ITS#10179 ITS#10183 ITS#10186 ITS#10188 ITS#10193 ITS#10209 2.6.7 Added slapo-dynlist option to disable filter support (ITS#10025) Fixed liblber missing newline on long msg (ITS#10105) Fixed libldap exit handling with OpenSSL3 (ITS#9952) Fixed libldap with TLS and multiple ldap URIs (ITS#10101) Fixed libldap OpenSSL cipher suite handling (ITS#10094) Fixed libldap OpenSSL 3.0 and Diffie-Hellman param files (ITS#10124) Fixed libldap timestamps on Windows (ITS#10100) Fixed lloadd to work when resolv.conf is missing (ITS#10070) Fixed lloadd handling of closing connection (ITS#10083) Fixed lloadd tiers to be correctly linked on startup (ITS#10142) Fixed slapd to honour disclose in matchedDN handling (ITS#10139) Fixed slapd handling of regex testing in ACLs (ITS#10089) Fixed slapd sync replication with glued database (ITS#10080) Fixed slapd local logging on Windows (ITS#10092) Fixed slapd-asyncmeta when remote suffix is empty (ITS#10076) Fixed slapo-dynlist so it can't be global (ITS#10091) Build Fixed lloadd type mismatches (ITS#10074) Fixed builds for Windows (ITS#10117) Fixed build with clang16 (ITS#10123) Documentation Fixed slapo-homedir(5) attribute name for olcHomedirArchivePath (ITS#10057) Minor Cleanup ITS#10059 ITS#10068 ITS#10098 ITS#10109 ITS#10110 ITS#10129 ITS#10130 ITS#10135 ITS#10143 ITS#10144 ITS#10145 ITS#10153 2.6.6 Fixed slapd cn=config incorrect handling of paused (ITS#10045) Fixed slapd-meta to account for MOD ops being optional (ITS#10067) Fixed slapd-asyncmeta to account for MOD ops being optional (ITS#10067)

Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- config/rootfiles/common/openldap | 1 + lfs/openldap | 20 +- .../openldap-2.6.5-consolidated-1.patch | 4640 ----------------- .../openldap-2.6.8-consolidated-1.patch | 175 + 4 files changed, 186 insertions(+), 4650 deletions(-) delete mode 100644 src/patches/openldap-2.6.5-consolidated-1.patch create mode 100644 src/patches/openldap-2.6.8-consolidated-1.patch

diff --git a/config/rootfiles/common/openldap b/config/rootfiles/common/openldap index 45e731ee4..eb9961c0b 100644 --- a/config/rootfiles/common/openldap +++ b/config/rootfiles/common/openldap @@ -262,6 +262,7 @@ usr/lib/libldap.so.2.0.200 #usr/share/man/man5/slapo-dynlist.5 #usr/share/man/man5/slapo-homedir.5 #usr/share/man/man5/slapo-memberof.5 +#usr/share/man/man5/slapo-nestgroup.5 #usr/share/man/man5/slapo-otp.5 #usr/share/man/man5/slapo-pbind.5 #usr/share/man/man5/slapo-pcache.5 diff --git a/lfs/openldap b/lfs/openldap index c2c3e3f87..ce92bd950 100644 --- a/lfs/openldap +++ b/lfs/openldap @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2023 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2024 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@

include Config

-VER = 2.6.5 +VER = 2.6.8

THISAPP = openldap-$(VER) DL_FILE = $(THISAPP).tgz @@ -42,7 +42,7 @@ objects = $(DL_FILE)

$(DL_FILE) = $(DL_FROM)/$(DL_FILE)

-$(DL_FILE)_BLAKE2 = 20370fc620ed0c4ef96d68d306dc42b0d87d1716579904cc362f9d368a76b0c39919e248b32453526f5ba1612b74de6056df1cef406e94b01d0a70277692d2d8 +$(DL_FILE)_BLAKE2 = 2aefdcaca12776c70084aff7b3e216126d8305ed7f9ba444b673ee671c5ac6129eb5fa9519e832acfb3e695b2e4e9474bcff36a3b6406000e2ef1f057863b4f5

install : $(TARGET)

@@ -72,15 +72,15 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openldap-2.6.5-consolidated-1.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openldap-2.6.8-consolidated-1.patch cd $(DIR_APP) && autoconf cd $(DIR_APP) && ./configure \ - --prefix=/usr \ - --sysconfdir=/etc \ - --enable-dynamic \ - --disable-perl \ - --disable-static \ - --disable-slapd + --prefix=/usr \ + --sysconfdir=/etc \ + --enable-dynamic \ + --disable-perl \ + --disable-static \ + --disable-slapd cd $(DIR_APP) && make depend cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install diff --git a/src/patches/openldap-2.6.5-consolidated-1.patch b/src/patches/openldap-2.6.5-consolidated-1.patch deleted file mode 100644 index d8a2d4b4c..000000000 --- a/src/patches/openldap-2.6.5-consolidated-1.patch +++ /dev/null @@ -1,4640 +0,0 @@ -diff -Naurp openldap-2.6.2.orig/doc/man/man5/slapd.conf.5 openldap-2.6.2/doc/man/man5/slapd.conf.5 ---- openldap-2.6.2.orig/doc/man/man5/slapd.conf.5 2022-05-04 16:55:23.000000000 +0200 -+++ openldap-2.6.2/doc/man/man5/slapd.conf.5 2022-05-05 12:05:53.309727745 +0200 -@@ -2122,7 +2122,7 @@ suffix "dc=our-domain,dc=com" - # The database directory MUST exist prior to - # running slapd AND should only be accessible - # by the slapd/tools. Mode 0700 recommended. --directory LOCALSTATEDIR/openldap-data -+directory LOCALSTATEDIR/lib/openldap - # Indices to maintain - index objectClass eq - index cn,sn,mail pres,eq,approx,sub -diff -Naurp openldap-2.6.2.orig/doc/man/man5/slapd.conf.5.orig openldap-2.6.2/doc/man/man5/slapd.conf.5.orig ---- openldap-2.6.2.orig/doc/man/man5/slapd.conf.5.orig 1970-01-01 01:00:00.000000000 +0100 -+++ openldap-2.6.2/doc/man/man5/slapd.conf.5.orig 2022-05-04 16:55:23.000000000 +0200 -@@ -0,0 +1,2167 @@ -+.TH SLAPD.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION" -+." Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved. -+." Copying restrictions apply. See COPYRIGHT/LICENSE. -+." $OpenLDAP$ -+.SH NAME -+slapd.conf - configuration file for slapd, the stand-alone LDAP daemon -+.SH SYNOPSIS -+ETCDIR/slapd.conf -+.SH DESCRIPTION -+The file -+.B ETCDIR/slapd.conf -+contains configuration information for the -+.BR slapd (8) -+daemon. This configuration file is also used by the SLAPD tools -+.BR slapacl (8), -+.BR slapadd (8), -+.BR slapauth (8), -+.BR slapcat (8), -+.BR slapdn (8), -+.BR slapindex (8), -+.BR slapmodify (8), -+and -+.BR slaptest (8). -+.LP -+The -+.B slapd.conf -+file consists of a series of global configuration options that apply to -+.B slapd -+as a whole (including all backends), followed by zero or more database -+backend definitions that contain information specific to a backend -+instance. -+The configuration options are case-insensitive; -+their value, on a case by case basis, may be case-sensitive. -+.LP -+The general format of -+.B slapd.conf -+is as follows: -+.LP -+.nf -+ # comment - these options apply to every database -+ <global configuration options> -+ # first database definition & configuration options -+ database <backend 1 type> -+ <configuration options specific to backend 1> -+ # subsequent database definitions & configuration options -+ ... -+.fi -+.LP -+As many backend-specific sections as desired may be included. Global -+options can be overridden in a backend (for options that appear more -+than once, the last appearance in the -+.B slapd.conf -+file is used). -+.LP -+If a line begins with white space, it is considered a continuation -+of the previous line. No physical line should be over 2000 bytes -+long. -+.LP -+Blank lines and comment lines beginning with -+a `#' character are ignored. Note: continuation lines are unwrapped -+before comment processing is applied. -+.LP -+Arguments on configuration lines are separated by white space. If an -+argument contains white space, the argument should be enclosed in -+double quotes. If an argument contains a double quote (`"') or a -+backslash character (`\'), the character should be preceded by a -+backslash character. -+.LP -+The specific configuration options available are discussed below in the -+Global Configuration Options, General Backend Options, and General Database -+Options. Backend-specific options are discussed in the -+.B slapd-<backend>(5) -+manual pages. Refer to the "OpenLDAP Administrator's Guide" for more -+details on the slapd configuration file. -+.SH GLOBAL CONFIGURATION OPTIONS -+Options described in this section apply to all backends, unless specifically -+overridden in a backend definition. Arguments that should be replaced by -+actual text are shown in brackets <>. -+.TP -+.B access to <what> "[ by <who> <access> <control> ]+" -+Grant access (specified by <access>) to a set of entries and/or -+attributes (specified by <what>) by one or more requestors (specified -+by <who>). -+If no access controls are present, the default policy -+allows anyone and everyone to read anything but restricts -+updates to rootdn. (e.g., "access to * by * read"). -+The rootdn can always read and write EVERYTHING! -+See -+.BR slapd.access (5) -+and the "OpenLDAP's Administrator's Guide" for details. -+.TP -+.B allow <features> -+Specify a set of features (separated by white space) to -+allow (default none). -+.B bind_v2 -+allows acceptance of LDAPv2 bind requests. Note that -+.BR slapd (8) -+does not truly implement LDAPv2 (RFC 1777), now Historic (RFC 3494). -+.B bind_anon_cred -+allows anonymous bind when credentials are not empty (e.g. -+when DN is empty). -+.B bind_anon_dn -+allows unauthenticated (anonymous) bind when DN is not empty. -+.B update_anon -+allows unauthenticated (anonymous) update operations to be processed -+(subject to access controls and other administrative limits). -+.B proxy_authz_anon -+allows unauthenticated (anonymous) proxy authorization control to be processed -+(subject to access controls, authorization and other administrative limits). -+.TP -+.B argsfile <filename> -+The (absolute) name of a file that will hold the -+.B slapd -+server's command line (program name and options). -+.TP -+.B attributeoptions [option-name]... -+Define tagging attribute options or option tag/range prefixes. -+Options must not end with `-', prefixes must end with `-'. -+The `lang-' prefix is predefined. -+If you use the -+.B attributeoptions -+directive, `lang-' will no longer be defined and you must specify it -+explicitly if you want it defined. -+ -+An attribute description with a tagging option is a subtype of that -+attribute description without the option. -+Except for that, options defined this way have no special semantics. -+Prefixes defined this way work like the `lang-' options: -+They define a prefix for tagging options starting with the prefix. -+That is, if you define the prefix `x-foo-', you can use the option -+`x-foo-bar'. -+Furthermore, in a search or compare, a prefix or range name (with -+a trailing `-') matches all options starting with that name, as well -+as the option with the range name sans the trailing `-'. -+That is, `x-foo-bar-' matches `x-foo-bar' and `x-foo-bar-baz'. -+ -+RFC 4520 reserves options beginning with `x-' for private experiments. -+Other options should be registered with IANA, see RFC 4520 section 3.5. -+OpenLDAP also has the `binary' option built in, but this is a transfer -+option, not a tagging option. -+.HP -+.hy 0 -+.B attributetype "(\ <oid>\ -+ [NAME\ <name>]\ -+ [DESC\ <description>]\ -+ [OBSOLETE]\ -+ [SUP\ <oid>]\ -+ [EQUALITY\ <oid>]\ -+ [ORDERING\ <oid>]\ -+ [SUBSTR\ <oid>]\ -+ [SYNTAX\ <oidlen>]\ -+ [SINGLE-VALUE]\ -+ [COLLECTIVE]\ -+ [NO-USER-MODIFICATION]\ -+ [USAGE\ <attributeUsage>]\ )" -+.RS -+Specify an attribute type using the LDAPv3 syntax defined in RFC 4512. -+The slapd parser extends the RFC 4512 definition by allowing string -+forms as well as numeric OIDs to be used for the attribute OID and -+attribute syntax OID. -+(See the -+.B objectidentifier -+description.) -+.RE -+.TP -+.B authid-rewrite<cmd> <args> -+Used by the authentication framework to convert simple user names -+to an LDAP DN used for authorization purposes. -+Its purpose is analogous to that of -+.BR authz-regexp -+(see below). -+The prefix \fIauthid-\fP is followed by a set of rules analogous -+to those described in -+.BR slapo-rwm (5) -+for data rewriting (replace the \fIrwm-\fP prefix with \fIauthid-\fP). -+.B authid-rewrite<cmd> -+and -+.B authz-regexp -+rules should not be intermixed. -+.TP -+.B authz-policy <policy> -+Used to specify which rules to use for Proxy Authorization. Proxy -+authorization allows a client to authenticate to the server using one -+user's credentials, but specify a different identity to use for authorization -+and access control purposes. It essentially allows user A to login as user -+B, using user A's password. -+The -+.B none -+flag disables proxy authorization. This is the default setting. -+The -+.B from -+flag will use rules in the -+.I authzFrom -+attribute of the authorization DN. -+The -+.B to -+flag will use rules in the -+.I authzTo -+attribute of the authentication DN. -+The -+.B any -+flag, an alias for the deprecated value of -+.BR both , -+will allow any of the above, whatever succeeds first (checked in -+.BR to , -+.B from -+sequence. -+The -+.B all -+flag requires both authorizations to succeed. -+.LP -+.RS -+The rules are mechanisms to specify which identities are allowed -+to perform proxy authorization. -+The -+.I authzFrom -+attribute in an entry specifies which other users -+are allowed to proxy login to this entry. The -+.I authzTo -+attribute in -+an entry specifies which other users this user can authorize as. Use of -+.I authzTo -+rules can be easily -+abused if users are allowed to write arbitrary values to this attribute. -+In general the -+.I authzTo -+attribute must be protected with ACLs such that -+only privileged users can modify it. -+The value of -+.I authzFrom -+and -+.I authzTo -+describes an -+.B identity -+or a set of identities; it can take five forms: -+.RS -+.TP -+.B ldap:///<base>??[<scope>]?<filter> -+.RE -+.RS -+.B dn[.<dnstyle>]:<pattern> -+.RE -+.RS -+.B u[.<mech>[/<realm>]]:<pattern> -+.RE -+.RS -+.B group[/objectClass[/attributeType]]:<pattern> -+.RE -+.RS -+.B <pattern> -+.RE -+.RS -+ -+.B <dnstyle>:={exact|onelevel|children|subtree|regex} -+ -+.RE -+The first form is a valid LDAP -+.B URI -+where the -+.IR <host>:<port> , -+the -+.I <attrs> -+and the -+.I <extensions> -+portions must be absent, so that the search occurs locally on either -+.I authzFrom -+or -+.IR authzTo . -+ -+.LP -+The second form is a -+.BR DN . -+The optional -+.B dnstyle -+modifiers -+.IR exact , -+.IR onelevel , -+.IR children , -+and -+.I subtree -+provide exact, onelevel, children and subtree matches, which cause -+.I <pattern> -+to be normalized according to the DN normalization rules. -+The special -+.B dnstyle -+modifier -+.I regex -+causes the -+.I <pattern> -+to be treated as a POSIX (''extended'') regular expression, as -+discussed in -+.BR regex (7) -+and/or -+.BR re_format (7). -+A pattern of -+.I * -+means any non-anonymous DN. -+ -+.LP -+The third form is a SASL -+.BR id . -+The optional fields -+.I <mech> -+and -+.I <realm> -+allow specification of a SASL -+.BR mechanism , -+and eventually a SASL -+.BR realm , -+for those mechanisms that support one. -+The need to allow the specification of a mechanism is still debated, -+and users are strongly discouraged to rely on this possibility. -+ -+.LP -+The fourth form is a group specification. -+It consists of the keyword -+.BR group , -+optionally followed by the specification of the group -+.B objectClass -+and -+.BR attributeType . -+The -+.B objectClass -+defaults to -+.IR groupOfNames . -+The -+.B attributeType -+defaults to -+.IR member . -+The group with DN -+.B <pattern> -+is searched with base scope, filtered on the specified -+.BR objectClass . -+The values of the resulting -+.B attributeType -+are searched for the asserted DN. -+ -+.LP -+The fifth form is provided for backwards compatibility. If no identity -+type is provided, i.e. only -+.B <pattern> -+is present, an -+.I exact DN -+is assumed; as a consequence, -+.B <pattern> -+is subjected to DN normalization. -+ -+.LP -+Since the interpretation of -+.I authzFrom -+and -+.I authzTo -+can impact security, users are strongly encouraged -+to explicitly set the type of identity specification that is being used. -+A subset of these rules can be used as third arg in the -+.B authz-regexp -+statement (see below); significantly, the -+.IR URI , -+provided it results in exactly one entry, -+and the -+.I dn.exact:<dn> -+forms. -+.RE -+.TP -+.B authz-regexp <match> <replace> -+Used by the authentication framework to convert simple user names, -+such as provided by SASL subsystem, or extracted from certificates -+in case of cert-based SASL EXTERNAL, or provided within the RFC 4370 -+"proxied authorization" control, to an LDAP DN used for -+authorization purposes. Note that the resulting DN need not refer -+to an existing entry to be considered valid. When an authorization -+request is received from the SASL subsystem, the SASL -+.BR USERNAME , -+.BR REALM , -+and -+.B MECHANISM -+are taken, when available, and combined into a name of the form -+.RS -+.RS -+.TP -+.B UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth -+ -+.RE -+This name is then compared against the -+.B match -+POSIX (''extended'') regular expression, and if the match is successful, -+the name is replaced with the -+.B replace -+string. If there are wildcard strings in the -+.B match -+regular expression that are enclosed in parenthesis, e.g. -+.RS -+.TP -+.B UID=([^,]*),CN=.* -+ -+.RE -+then the portion of the name that matched the wildcard will be stored -+in the numbered placeholder variable $1. If there are other wildcard strings -+in parenthesis, the matching strings will be in $2, $3, etc. up to $9. The -+placeholders can then be used in the -+.B replace -+string, e.g. -+.RS -+.TP -+.B UID=$1,OU=Accounts,DC=example,DC=com -+ -+.RE -+The replaced name can be either a DN, i.e. a string prefixed by "dn:", -+or an LDAP URI. -+If the latter, the server will use the URI to search its own database(s) -+and, if the search returns exactly one entry, the name is -+replaced by the DN of that entry. The LDAP URI must have no -+hostport, attrs, or extensions components, but the filter is mandatory, -+e.g. -+.RS -+.TP -+.B ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1) -+ -+.RE -+The protocol portion of the URI must be strictly -+.BR ldap . -+Note that this search is subject to access controls. Specifically, -+the authentication identity must have "auth" access in the subject. -+ -+Multiple -+.B authz-regexp -+options can be given in the configuration file to allow for multiple matching -+and replacement patterns. The matching patterns are checked in the order they -+appear in the file, stopping at the first successful match. -+ -+.".B Caution: -+."Because the plus sign + is a character recognized by the regular expression engine, -+."and it will appear in names that include a REALM, be careful to escape the -+."plus sign with a backslash \+ to remove the character's special meaning. -+.RE -+.TP -+.B concurrency <integer> -+Specify a desired level of concurrency. Provided to the underlying -+thread system as a hint. The default is not to provide any hint. This setting -+is only meaningful on some platforms where there is not a one to one -+correspondence between user threads and kernel threads. -+.TP -+.B conn_max_pending <integer> -+Specify the maximum number of pending requests for an anonymous session. -+If requests are submitted faster than the server can process them, they -+will be queued up to this limit. If the limit is exceeded, the session -+is closed. The default is 100. -+.TP -+.B conn_max_pending_auth <integer> -+Specify the maximum number of pending requests for an authenticated session. -+The default is 1000. -+.TP -+.B defaultsearchbase <dn> -+Specify a default search base to use when client submits a -+non-base search request with an empty base DN. -+Base scoped search requests with an empty base DN are not affected. -+.TP -+.B disallow <features> -+Specify a set of features (separated by white space) to -+disallow (default none). -+.B bind_anon -+disables acceptance of anonymous bind requests. Note that this setting -+does not prohibit anonymous directory access (See "require authc"). -+.B bind_simple -+disables simple (bind) authentication. -+.B tls_2_anon -+disables forcing session to anonymous status (see also -+.BR tls_authc ) -+upon StartTLS operation receipt. -+.B tls_authc -+disallows the StartTLS operation if authenticated (see also -+.BR tls_2_anon ). -+.B proxy_authz_non_critical -+disables acceptance of the proxied authorization control (RFC4370) -+with criticality set to FALSE. -+.B dontusecopy_non_critical -+disables acceptance of the dontUseCopy control (a work in progress) -+with criticality set to FALSE. -+.HP -+.hy 0 -+.B ditcontentrule "(\ <oid>\ -+ [NAME\ <name>]\ -+ [DESC\ <description>]\ -+ [OBSOLETE]\ -+ [AUX\ <oids>]\ -+ [MUST\ <oids>]\ -+ [MAY\ <oids>]\ -+ [NOT\ <oids>]\ )" -+.RS -+Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 4512. -+The slapd parser extends the RFC 4512 definition by allowing string -+forms as well as numeric OIDs to be used for the attribute OID and -+attribute syntax OID. -+(See the -+.B objectidentifier -+description.) -+.RE -+.TP -+.B gentlehup { on | off } -+A SIGHUP signal will only cause a 'gentle' shutdown-attempt: -+.B Slapd -+will stop listening for new connections, but will not close the -+connections to the current clients. Future write operations return -+unwilling-to-perform, though. Slapd terminates when all clients -+have closed their connections (if they ever do), or - as before - -+if it receives a SIGTERM signal. This can be useful if you wish to -+terminate the server and start a new -+.B slapd -+server -+.B with another database, -+without disrupting the currently active clients. -+The default is off. You may wish to use -+.B idletimeout -+along with this option. -+.TP -+.B idletimeout <integer> -+Specify the number of seconds to wait before forcibly closing -+an idle client connection. A setting of 0 disables this -+feature. The default is 0. You may also want to set the -+.B writetimeout -+option. -+.TP -+.B include <filename> -+Read additional configuration information from the given file before -+continuing with the next line of the current file. -+.TP -+.B index_hash64 { on | off } -+Use a 64 bit hash for indexing. The default is to use 32 bit hashes. -+These hashes are used for equality and substring indexing. The 64 bit -+version may be needed to avoid index collisions when the number of -+indexed values exceeds ~64 million. (Note that substring indexing -+generates multiple index values per actual attribute value.) -+Indices generated with 32 bit hashes are incompatible with the 64 bit -+version, and vice versa. Any existing databases must be fully reloaded -+when changing this setting. This directive is only supported on 64 bit CPUs. -+.TP -+.B index_intlen <integer> -+Specify the key length for ordered integer indices. The most significant -+bytes of the binary integer will be used for index keys. The default -+value is 4, which provides exact indexing for 31 bit values. -+A floating point representation is used to index too large values. -+.TP -+.B index_substr_if_maxlen <integer> -+Specify the maximum length for subinitial and subfinal indices. Only -+this many characters of an attribute value will be processed by the -+indexing functions; any excess characters are ignored. The default is 4. -+.TP -+.B index_substr_if_minlen <integer> -+Specify the minimum length for subinitial and subfinal indices. An -+attribute value must have at least this many characters in order to be -+processed by the indexing functions. The default is 2. -+.TP -+.B index_substr_any_len <integer> -+Specify the length used for subany indices. An attribute value must have -+at least this many characters in order to be processed. Attribute values -+longer than this length will be processed in segments of this length. The -+default is 4. The subany index will also be used in subinitial and -+subfinal index lookups when the filter string is longer than the -+.I index_substr_if_maxlen -+value. -+.TP -+.B index_substr_any_step <integer> -+Specify the steps used in subany index lookups. This value sets the offset -+for the segments of a filter string that are processed for a subany index -+lookup. The default is 2. For example, with the default values, a search -+using this filter "cn=*abcdefgh*" would generate index lookups for -+"abcd", "cdef", and "efgh". -+ -+.LP -+Note: Indexing support depends on the particular backend in use. Also, -+changing these settings will generally require deleting any indices that -+depend on these parameters and recreating them with -+.BR slapindex (8). -+ -+.HP -+.hy 0 -+.B ldapsyntax "(\ <oid>\ -+ [DESC\ <description>]\ -+ [X-SUBST <substitute-syntax>]\ )" -+.RS -+Specify an LDAP syntax using the LDAPv3 syntax defined in RFC 4512. -+The slapd parser extends the RFC 4512 definition by allowing string -+forms as well as numeric OIDs to be used for the syntax OID. -+(See the -+.B objectidentifier -+description.) -+The slapd parser also honors the -+.B X-SUBST -+extension (an OpenLDAP-specific extension), which allows one to use the -+.B ldapsyntax -+statement to define a non-implemented syntax along with another syntax, -+the extension value -+.IR substitute-syntax , -+as its temporary replacement. -+The -+.I substitute-syntax -+must be defined. -+This allows one to define attribute types that make use of non-implemented syntaxes -+using the correct syntax OID. -+Unless -+.B X-SUBST -+is used, this configuration statement would result in an error, -+since no handlers would be associated to the resulting syntax structure. -+.RE -+ -+.TP -+.B listener-threads <integer> -+Specify the number of threads to use for the connection manager. -+The default is 1 and this is typically adequate for up to 16 CPU cores. -+The value should be set to a power of 2. -+.TP -+.B localSSF <SSF> -+Specifies the Security Strength Factor (SSF) to be given local LDAP sessions, -+such as those to the ldapi:// listener. For a description of SSF values, -+see -+.BR sasl-secprops 's -+.B minssf -+option description. The default is 71. -+.TP -+.B logfile <filename> -+Specify a file for recording slapd debug messages. By default these messages -+only go to stderr, are not recorded anywhere else, and are unrelated to -+messages exposed by the -+.B loglevel -+configuration parameter. Specifying a logfile copies messages to both stderr -+and the logfile. -+.TP -+.B logfile-format debug | syslog-utc | syslog-localtime -+Specify the prefix format for messages written to the logfile. The debug -+format is the normal format used for slapd debug messages, with a timestamp -+in hexadecimal, followed by a thread ID. The other options are to -+use syslog(3) style prefixes, with timestamps either in UTC or in the -+local timezone. The default is debug format. -+.TP -+.B logfile-only on | off -+Specify that debug messages should only go to the configured logfile, and -+not to stderr. -+.TP -+.B logfile-rotate <max> <Mbytes> <hours> -+Specify automatic rotation for the configured logfile as the maximum -+number of old logfiles to retain, a maximum size in megabytes to allow a -+logfile to grow before rotation, and a maximum age in hours for a logfile -+to be used before rotation. The maximum number must be in the range 1-99. -+Setting Mbytes or hours to zero disables the size or age check, respectively. -+At least one of Mbytes or hours must be non-zero. By default no automatic -+rotation will be performed. -+.TP -+.B loglevel <integer> [...] -+Specify the level at which debugging statements and operation -+statistics should be syslogged (currently logged to the -+.BR syslogd (8) -+LOG_LOCAL4 facility). -+They must be considered subsystems rather than increasingly verbose -+log levels. -+Some messages with higher priority are logged regardless -+of the configured loglevel as soon as any logging is configured. -+Log levels are additive, and available levels are: -+.RS -+.RS -+.PD 0 -+.TP -+.B 1 -+.B (0x1 trace) -+trace function calls -+.TP -+.B 2 -+.B (0x2 packets) -+debug packet handling -+.TP -+.B 4 -+.B (0x4 args) -+heavy trace debugging (function args) -+.TP -+.B 8 -+.B (0x8 conns) -+connection management -+.TP -+.B 16 -+.B (0x10 BER) -+print out packets sent and received -+.TP -+.B 32 -+.B (0x20 filter) -+search filter processing -+.TP -+.B 64 -+.B (0x40 config) -+configuration file processing -+.TP -+.B 128 -+.B (0x80 ACL) -+access control list processing -+.TP -+.B 256 -+.B (0x100 stats) -+connections, LDAP operations, results (recommended) -+.TP -+.B 512 -+.B (0x200 stats2) -+stats2 log entries sent -+.TP -+.B 1024 -+.B (0x400 shell) -+print communication with shell backends -+.TP -+.B 2048 -+.B (0x800 parse) -+entry parsing -+".TP -+".B 4096 -+".B (0x1000 cache) -+"caching (unused) -+".TP -+".B 8192 -+".B (0x2000 index) -+"data indexing (unused) -+.TP -+.B 16384 -+.B (0x4000 sync) -+LDAPSync replication -+.TP -+.B 32768 -+.B (0x8000 none) -+only messages that get logged whatever log level is set -+.PD -+.RE -+The desired log level can be input as a single integer that combines -+the (ORed) desired levels, both in decimal or in hexadecimal notation, -+as a list of integers (that are ORed internally), -+or as a list of the names that are shown between parentheses, such that -+.LP -+.nf -+ loglevel 129 -+ loglevel 0x81 -+ loglevel 128 1 -+ loglevel 0x80 0x1 -+ loglevel acl trace -+.fi -+.LP -+are equivalent. -+The keyword -+.B any -+can be used as a shortcut to enable logging at all levels (equivalent to -1). -+The keyword -+.BR none , -+or the equivalent integer representation, causes those messages -+that are logged regardless of the configured loglevel to be logged. -+In fact, if loglevel is set to 0, no logging occurs, -+so at least the -+.B none -+level is required to have high priority messages logged. -+ -+Note that the -+.BR packets , -+.BR BER , -+and -+.B parse -+levels are only available as debug output on stderr, and are not -+sent to syslog. -+ -+The loglevel defaults to \fBstats\fP. -+This level should usually also be included when using other loglevels, to -+help analyze the logs. -+.RE -+.TP -+.B maxfilterdepth <integer> -+Specify the maximum depth of nested filters in search requests. -+The default is 1000. -+.TP -+.B moduleload <filename> [<arguments>...] -+Specify the name of a dynamically loadable module to load and any -+additional arguments if supported by the module. The filename -+may be an absolute path name or a simple filename. Non-absolute names -+are searched for in the directories specified by the -+.B modulepath -+option. This option and the -+.B modulepath -+option are only usable if slapd was compiled with --enable-modules. -+.TP -+.B modulepath <pathspec> -+Specify a list of directories to search for loadable modules. Typically -+the path is colon-separated but this depends on the operating system. -+The default is MODULEDIR, which is where the standard OpenLDAP install -+will place its modules. -+.HP -+.hy 0 -+.B objectclass "(\ <oid>\ -+ [NAME\ <name>]\ -+ [DESC\ <description>]\ -+ [OBSOLETE]\ -+ [SUP\ <oids>]\ -+ [{ ABSTRACT | STRUCTURAL | AUXILIARY }]\ -+ [MUST\ <oids>] [MAY\ <oids>] )" -+.RS -+Specify an objectclass using the LDAPv3 syntax defined in RFC 4512. -+The slapd parser extends the RFC 4512 definition by allowing string -+forms as well as numeric OIDs to be used for the object class OID. -+(See the -+.B -+objectidentifier -+description.) Object classes are "STRUCTURAL" by default. -+.RE -+.TP -+.B objectidentifier <name> "{ <oid> | <name>[:<suffix>] }" -+Define a string name that equates to the given OID. The string can be used -+in place of the numeric OID in objectclass and attribute definitions. The -+name can also be used with a suffix of the form ":xx" in which case the -+value "oid.xx" will be used. -+.TP -+.B password-hash <hash> [<hash>...] -+This option configures one or more hashes to be used in generation of user -+passwords stored in the userPassword attribute during processing of -+LDAP Password Modify Extended Operations (RFC 3062). -+The <hash> must be one of -+.BR {SSHA} , -+.BR {SHA} , -+.BR {SMD5} , -+.BR {MD5} , -+.BR {CRYPT} , -+and -+.BR {CLEARTEXT} . -+The default is -+.BR {SSHA} . -+ -+.B {SHA} -+and -+.B {SSHA} -+use the SHA-1 algorithm (FIPS 160-1), the latter with a seed. -+ -+.B {MD5} -+and -+.B {SMD5} -+use the MD5 algorithm (RFC 1321), the latter with a seed. -+ -+.B {CRYPT} -+uses the -+.BR crypt (3). -+ -+.B {CLEARTEXT} -+indicates that the new password should be -+added to userPassword as clear text. -+ -+Note that this option does not alter the normal user applications -+handling of userPassword during LDAP Add, Modify, or other LDAP operations. -+.TP -+.B password-crypt-salt-format <format> -+Specify the format of the salt passed to -+.BR crypt (3) -+when generating {CRYPT} passwords (see -+.BR password-hash ) -+during processing of LDAP Password Modify Extended Operations (RFC 3062). -+ -+This string needs to be in -+.BR sprintf (3) -+format and may include one (and only one) %s conversion. -+This conversion will be substituted with a string of random -+characters from [A-Za-z0-9./]. For example, "%.2s" -+provides a two character salt and "$1$%.8s" tells some -+versions of crypt(3) to use an MD5 algorithm and provides -+8 random characters of salt. The default is "%s", which -+provides 31 characters of salt. -+.TP -+.B pidfile <filename> -+The (absolute) name of a file that will hold the -+.B slapd -+server's process ID (see -+.BR getpid (2)). -+.TP -+.B pluginlog: <filename> -+The ( absolute ) name of a file that will contain log -+messages from -+.B SLAPI -+plugins. See -+.BR slapd.plugin (5) -+for details. -+.TP -+.B referral <url> -+Specify the referral to pass back when -+.BR slapd (8) -+cannot find a local database to handle a request. -+If specified multiple times, each url is provided. -+.TP -+.B require <conditions> -+Specify a set of conditions (separated by white space) to -+require (default none). -+The directive may be specified globally and/or per-database; -+databases inherit global conditions, so per-database specifications -+are additive. -+.B bind -+requires bind operation prior to directory operations. -+.B LDAPv3 -+requires session to be using LDAP version 3. -+.B authc -+requires authentication prior to directory operations. -+.B SASL -+requires SASL authentication prior to directory operations. -+.B strong -+requires strong authentication prior to directory operations. -+The strong keyword allows protected "simple" authentication -+as well as SASL authentication. -+.B none -+may be used to require no conditions (useful to clear out globally -+set conditions within a particular database); it must occur first -+in the list of conditions. -+.TP -+.B reverse-lookup on | off -+Enable/disable client name unverified reverse lookup (default is -+.BR off -+if compiled with --enable-rlookups). -+.TP -+.B rootDSE <file> -+Specify the name of an LDIF(5) file containing user defined attributes -+for the root DSE. These attributes are returned in addition to the -+attributes normally produced by slapd. -+ -+The root DSE is an entry with information about the server and its -+capabilities, in operational attributes. -+It has the empty DN, and can be read with e.g.: -+.ti +4 -+ldapsearch -x -b "" -s base "+" -+.br -+See RFC 4512 section 5.1 for details. -+.TP -+.B sasl-auxprops <plugin> [...] -+Specify which auxprop plugins to use for authentication lookups. The -+default is empty, which just uses slapd's internal support. Usually -+no other auxprop plugins are needed. -+.TP -+.B sasl-auxprops-dontusecopy <attr> [...] -+Specify which attribute(s) should be subject to the don't use copy control. This -+is necessary for some SASL mechanisms such as OTP to work in a replicated -+environment. The attribute "cmusaslsecretOTP" is the default value. -+.TP -+.B sasl-auxprops-dontusecopy-ignore on | off -+Used to disable replication of the attribute(s) defined by -+sasl-auxprops-dontusecopy and instead use a local value for the attribute. This -+allows the SASL mechanism to continue to work if the provider is offline. This can -+cause replication inconsistency. Defaults to off. -+.TP -+.B sasl-host <fqdn> -+Used to specify the fully qualified domain name used for SASL processing. -+.TP -+.B sasl-realm <realm> -+Specify SASL realm. Default is empty. -+.TP -+.B sasl-cbinding none | tls-unique | tls-endpoint -+Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING. -+Default is none. -+.TP -+.B sasl-secprops <properties> -+Used to specify Cyrus SASL security properties. -+The -+.B none -+flag (without any other properties) causes the flag properties -+default, "noanonymous,noplain", to be cleared. -+The -+.B noplain -+flag disables mechanisms susceptible to simple passive attacks. -+The -+.B noactive -+flag disables mechanisms susceptible to active attacks. -+The -+.B nodict -+flag disables mechanisms susceptible to passive dictionary attacks. -+The -+.B noanonymous -+flag disables mechanisms which support anonymous login. -+The -+.B forwardsec -+flag require forward secrecy between sessions. -+The -+.B passcred -+require mechanisms which pass client credentials (and allow -+mechanisms which can pass credentials to do so). -+The -+.B minssf=<factor> -+property specifies the minimum acceptable -+.I security strength factor -+as an integer approximate to effective key length used for -+encryption. 0 (zero) implies no protection, 1 implies integrity -+protection only, 128 allows RC4, Blowfish and other similar ciphers, -+256 will require modern ciphers. The default is 0. -+The -+.B maxssf=<factor> -+property specifies the maximum acceptable -+.I security strength factor -+as an integer (see minssf description). The default is INT_MAX. -+The -+.B maxbufsize=<size> -+property specifies the maximum security layer receive buffer -+size allowed. 0 disables security layers. The default is 65536. -+.TP -+.B schemadn <dn> -+Specify the distinguished name for the subschema subentry that -+controls the entries on this server. The default is "cn=Subschema". -+.TP -+.B security <factors> -+Specify a set of security strength factors (separated by white space) -+to require (see -+.BR sasl-secprops 's -+.B minssf -+option for a description of security strength factors). -+The directive may be specified globally and/or per-database. -+.B ssf=<n> -+specifies the overall security strength factor. -+.B transport=<n> -+specifies the transport security strength factor. -+.B tls=<n> -+specifies the TLS security strength factor. -+.B sasl=<n> -+specifies the SASL security strength factor. -+.B update_ssf=<n> -+specifies the overall security strength factor to require for -+directory updates. -+.B update_transport=<n> -+specifies the transport security strength factor to require for -+directory updates. -+.B update_tls=<n> -+specifies the TLS security strength factor to require for -+directory updates. -+.B update_sasl=<n> -+specifies the SASL security strength factor to require for -+directory updates. -+.B simple_bind=<n> -+specifies the security strength factor required for -+.I simple -+username/password authentication. -+Note that the -+.B transport -+factor is measure of security provided by the underlying transport, -+e.g. ldapi:// (and eventually IPSEC). It is not normally used. -+.TP -+.B serverID <integer> [<URL>] -+Specify an integer ID from 0 to 4095 for this server. The ID may also be -+specified as a hexadecimal ID by prefixing the value with "0x". -+Non-zero IDs are required when using multi-provider replication and each -+provider must have a unique non-zero ID. Note that this requirement also -+applies to separate providers contributing to a glued set of databases. -+If the URL is provided, this directive may be specified -+multiple times, providing a complete list of participating servers -+and their IDs. The fully qualified hostname of each server should be -+used in the supplied URLs. The IDs are used in the "replica id" field -+of all CSNs generated by the specified server. The default value is zero, which -+is only valid for single provider replication. -+Example: -+.LP -+.nf -+ serverID 1 ldap://ldap1.example.com -+ serverID 2 ldap://ldap2.example.com -+.fi -+.TP -+.B sizelimit {<integer>|unlimited} -+.TP -+.B sizelimit size[.{soft|hard}]=<integer> [...] -+Specify the maximum number of entries to return from a search operation. -+The default size limit is 500. -+Use -+.B unlimited -+to specify no limits. -+The second format allows a fine grain setting of the size limits. -+If no special qualifiers are specified, both soft and hard limits are set. -+Extra args can be added on the same line. -+Additional qualifiers are available; see -+.BR limits -+for an explanation of all of the different flags. -+.TP -+.B sockbuf_max_incoming <integer> -+Specify the maximum incoming LDAP PDU size for anonymous sessions. -+The default is 262143. -+.TP -+.B sockbuf_max_incoming_auth <integer> -+Specify the maximum incoming LDAP PDU size for authenticated sessions. -+The default is 4194303. -+.TP -+.B sortvals <attr> [...] -+Specify a list of multi-valued attributes whose values will always -+be maintained in sorted order. Using this option will allow Modify, -+Compare, and filter evaluations on these attributes to be performed -+more efficiently. The resulting sort order depends on the -+attributes' syntax and matching rules and may not correspond to -+lexical order or any other recognizable order. -+.TP -+.B tcp-buffer [listener=<URL>] [{read|write}=]<size> -+Specify the size of the TCP buffer. -+A global value for both read and write TCP buffers related to any listener -+is defined, unless the listener is explicitly specified, -+or either the read or write qualifiers are used. -+See -+.BR tcp (7) -+for details. -+Note that some OS-es implement automatic TCP buffer tuning. -+.TP -+.B threads <integer> -+Specify the maximum size of the primary thread pool. -+The default is 16; the minimum value is 2. -+.TP -+.B threadqueues <integer> -+Specify the number of work queues to use for the primary thread pool. -+The default is 1 and this is typically adequate for up to 8 CPU cores. -+The value should not exceed the number of CPUs in the system. -+.TP -+.B timelimit {<integer>|unlimited} -+.TP -+.B timelimit time[.{soft|hard}]=<integer> [...] -+Specify the maximum number of seconds (in real time) -+.B slapd -+will spend answering a search request. The default time limit is 3600. -+Use -+.B unlimited -+to specify no limits. -+The second format allows a fine grain setting of the time limits. -+Extra args can be added on the same line. See -+.BR limits -+for an explanation of the different flags. -+.TP -+.B tool-threads <integer> -+Specify the maximum number of threads to use in tool mode. -+This should not be greater than the number of CPUs in the system. -+The default is 1. -+.TP -+.B writetimeout <integer> -+Specify the number of seconds to wait before forcibly closing -+a connection with an outstanding write. This allows recovery from -+various network hang conditions. A writetimeout of 0 disables this -+feature. The default is 0. -+.SH TLS OPTIONS -+If -+.B slapd -+is built with support for Transport Layer Security, there are more options -+you can specify. -+.TP -+.B TLSCipherSuite <cipher-suite-spec> -+Permits configuring what ciphers will be accepted and the preference order. -+<cipher-suite-spec> should be a cipher specification for the TLS library -+in use (OpenSSL or GnuTLS). -+Example: -+.RS -+.RS -+.TP -+.I OpenSSL: -+TLSCipherSuite HIGH:MEDIUM:+SSLv2 -+.TP -+.I GnuTLS: -+TLSCiphersuite SECURE256:!AES-128-CBC -+.RE -+ -+To check what ciphers a given spec selects in OpenSSL, use: -+ -+.nf -+ openssl ciphers -v <cipher-suite-spec> -+.fi -+ -+With GnuTLS the available specs can be found in the manual page of -+.BR gnutls-cli (1) -+(see the description of the -+option -+.BR --priority ). -+ -+In older versions of GnuTLS, where gnutls-cli does not support the option -+--priority, you can obtain the (em more limited (em list of ciphers by calling: -+ -+.nf -+ gnutls-cli -l -+.fi -+.RE -+.TP -+.B TLSCACertificateFile <filename> -+Specifies the file that contains certificates for all of the Certificate -+Authorities that -+.B slapd -+will recognize. The certificate for -+the CA that signed the server certificate must(GnuTLS)/may(OpenSSL) be included among -+these certificates. If the signing CA was not a top-level (root) CA, -+certificates for the entire sequence of CA's from the signing CA to -+the top-level CA should be present. Multiple certificates are simply -+appended to the file; the order is not significant. -+.TP -+.B TLSCACertificatePath <path> -+Specifies the path of directories that contain Certificate Authority -+certificates in separate individual files. Usually only one of this -+or the TLSCACertificateFile is used. If both are specified, both -+locations will be used. Multiple directories may be specified, -+separated by a semi-colon. -+.TP -+.B TLSCertificateFile <filename> -+Specifies the file that contains the -+.B slapd -+server certificate. -+ -+When using OpenSSL that file may also contain any number of intermediate -+certificates after the server certificate. -+.TP -+.B TLSCertificateKeyFile <filename> -+Specifies the file that contains the -+.B slapd -+server private key that matches the certificate stored in the -+.B TLSCertificateFile -+file. Currently, the private key must not be protected with a password, so -+it is of critical importance that it is protected carefully. -+.TP -+.B TLSDHParamFile <filename> -+This directive specifies the file that contains parameters for Diffie-Hellman -+ephemeral key exchange. This is required in order to use a DSA certificate on -+the server, or an RSA certificate missing the "key encipherment" key usage. -+Note that setting this option may also enable -+Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites. -+Anonymous key exchanges should generally be avoided since they provide no -+actual client or server authentication and provide no protection against -+man-in-the-middle attacks. -+You should append "!ADH" to your cipher suites to ensure that these suites -+are not used. -+.TP -+.B TLSECName <name> -+Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman -+ephemeral key exchange. This option is only used for OpenSSL. -+This option is not used with GnuTLS; the curves may be -+chosen in the GnuTLS ciphersuite specification. -+.TP -+.B TLSProtocolMin <major>[.<minor>] -+Specifies minimum SSL/TLS protocol version that will be negotiated. -+If the server doesn't support at least that version, -+the SSL handshake will fail. -+To require TLS 1.x or higher, set this option to 3.(x+1), -+e.g., -+ -+.nf -+ TLSProtocolMin 3.2 -+.fi -+ -+would require TLS 1.1. -+Specifying a minimum that is higher than that supported by the -+OpenLDAP implementation will result in it requiring the -+highest level that it does support. -+This directive is ignored with GnuTLS. -+.TP -+.B TLSRandFile <filename> -+Specifies the file to obtain random bits from when /dev/[u]random -+is not available. Generally set to the name of the EGD/PRNGD socket. -+The environment variable RANDFILE can also be used to specify the filename. -+This directive is ignored with GnuTLS. -+.TP -+.B TLSVerifyClient <level> -+Specifies what checks to perform on client certificates in an -+incoming TLS session, if any. -+The -+.B <level> -+can be specified as one of the following keywords: -+.RS -+.TP -+.B never -+This is the default. -+.B slapd -+will not ask the client for a certificate. -+.TP -+.B allow -+The client certificate is requested. If no certificate is provided, -+the session proceeds normally. If a bad certificate is provided, -+it will be ignored and the session proceeds normally. -+.TP -+.B try -+The client certificate is requested. If no certificate is provided, -+the session proceeds normally. If a bad certificate is provided, -+the session is immediately terminated. -+.TP -+.B demand | hard | true -+These keywords are all equivalent, for compatibility reasons. -+The client certificate is requested. If no certificate is provided, -+or a bad certificate is provided, the session is immediately terminated. -+ -+Note that a valid client certificate is required in order to use the -+SASL EXTERNAL authentication mechanism with a TLS session. As such, -+a non-default -+.B TLSVerifyClient -+setting must be chosen to enable SASL EXTERNAL authentication. -+.RE -+.TP -+.B TLSCRLCheck <level> -+Specifies if the Certificate Revocation List (CRL) of the CA should be -+used to verify if the client certificates have not been revoked. This -+requires -+.B TLSCACertificatePath -+parameter to be set. This directive is ignored with GnuTLS. -+.B <level> -+can be specified as one of the following keywords: -+.RS -+.TP -+.B none -+No CRL checks are performed -+.TP -+.B peer -+Check the CRL of the peer certificate -+.TP -+.B all -+Check the CRL for a whole certificate chain -+.RE -+.TP -+.B TLSCRLFile <filename> -+Specifies a file containing a Certificate Revocation List to be used -+for verifying that certificates have not been revoked. This directive is -+only valid when using GnuTLS. -+.SH GENERAL BACKEND OPTIONS -+Options in this section only apply to the configuration file section -+of all instances of the specified backend. All backends may support -+this class of options, but currently only back-mdb does. -+.TP -+.B backend <databasetype> -+Mark the beginning of a backend definition. <databasetype> -+should be one of -+.BR asyncmeta , -+.BR config , -+.BR dnssrv , -+.BR ldap , -+.BR ldif , -+.BR mdb , -+.BR meta , -+.BR monitor , -+.BR null , -+.BR passwd , -+.BR perl , -+.BR relay , -+.BR sock , -+.BR sql , -+or -+.BR wt . -+At present, only back-mdb implements any options of this type, so this -+setting is not needed for any other backends. -+ -+.SH GENERAL DATABASE OPTIONS -+Options in this section only apply to the configuration file section -+for the database in which they are defined. They are supported by every -+type of backend. Note that the -+.B database -+and at least one -+.B suffix -+option are mandatory for each database. -+.TP -+.B database <databasetype> -+Mark the beginning of a new database instance definition. <databasetype> -+should be one of -+.BR asyncmeta , -+.BR config , -+.BR dnssrv , -+.BR ldap , -+.BR ldif , -+.BR mdb , -+.BR meta , -+.BR monitor , -+.BR null , -+.BR passwd , -+.BR perl , -+.BR relay , -+.BR sock , -+.BR sql , -+or -+.BR wt , -+depending on which backend will serve the database. -+ -+LDAP operations, even subtree searches, normally access only one -+database. -+That can be changed by gluing databases together with the -+.B subordinate -+keyword. -+Access controls and some overlays can also involve multiple databases. -+.TP -+.B add_content_acl on | off -+Controls whether Add operations will perform ACL checks on -+the content of the entry being added. This check is off -+by default. See the -+.BR slapd.access (5) -+manual page for more details on ACL requirements for -+Add operations. -+.TP -+.B extra_attrs <attrlist> -+Lists what attributes need to be added to search requests. -+Local storage backends return the entire entry to the frontend. -+The frontend takes care of only returning the requested attributes -+that are allowed by ACLs. -+However, features like access checking and so may need specific -+attributes that are not automatically returned by remote storage -+backends, like proxy backends and so on. -+.B <attrlist> -+is a list of attributes that are needed for internal purposes -+and thus always need to be collected, even when not explicitly -+requested by clients. -+.TP -+.B hidden on | off -+Controls whether the database will be used to answer -+queries. A database that is hidden will never be -+selected to answer any queries, and any suffix configured -+on the database will be ignored in checks for conflicts -+with other databases. By default, hidden is off. -+.TP -+.B lastmod on | off -+Controls whether -+.B slapd -+will automatically maintain the -+modifiersName, modifyTimestamp, creatorsName, and -+createTimestamp attributes for entries. It also controls -+the entryCSN and entryUUID attributes, which are needed -+by the syncrepl provider. By default, lastmod is on. -+.TP -+.B lastbind on | off -+Controls whether -+.B slapd -+will automatically maintain the pwdLastSuccess attribute for -+entries. By default, lastbind is off. -+.TP -+.B lastbind-precision <integer> -+If lastbind is enabled, specifies how frequently pwdLastSuccess -+will be updated. More than -+.B integer -+seconds must have passed since the last successful bind. In a -+replicated environment with frequent bind activity it may be -+useful to set this to a large value. -+.TP -+.B limits <selector> <limit> [<limit> [...]] -+Specify time and size limits based on the operation's initiator or -+base DN. -+The argument -+.B <selector> -+can be any of -+.RS -+.RS -+.TP -+anonymous | users | [<dnspec>=]<pattern> | group[/oc[/at]]=<pattern> -+ -+.RE -+with -+.RS -+.TP -+<dnspec> ::= dn[.<type>][.<style>] -+.TP -+<type> ::= self | this -+.TP -+<style> ::= exact | base | onelevel | subtree | children | regex | anonymous -+ -+.RE -+DN type -+.B self -+is the default and means the bound user, while -+.B this -+means the base DN of the operation. -+The term -+.B anonymous -+matches all unauthenticated clients. -+The term -+.B users -+matches all authenticated clients; -+otherwise an -+.B exact -+dn pattern is assumed unless otherwise specified by qualifying -+the (optional) key string -+.B dn -+with -+.B exact -+or -+.B base -+(which are synonyms), to require an exact match; with -+.BR onelevel , -+to require exactly one level of depth match; with -+.BR subtree , -+to allow any level of depth match, including the exact match; with -+.BR children , -+to allow any level of depth match, not including the exact match; -+.BR regex -+explicitly requires the (default) match based on POSIX (''extended'') -+regular expression pattern. -+Finally, -+.B anonymous -+matches unbound operations; the -+.B pattern -+field is ignored. -+The same behavior is obtained by using the -+.B anonymous -+form of the -+.B <selector> -+clause. -+The term -+.BR group , -+with the optional objectClass -+.B oc -+and attributeType -+.B at -+fields, followed by -+.BR pattern , -+sets the limits for any DN listed in the values of the -+.B at -+attribute (default -+.BR member ) -+of the -+.B oc -+group objectClass (default -+.BR groupOfNames ) -+whose DN exactly matches -+.BR pattern . -+ -+The currently supported limits are -+.B size -+and -+.BR time . -+ -+The syntax for time limits is -+.BR time[.{soft|hard}]=<integer> , -+where -+.I integer -+is the number of seconds slapd will spend answering a search request. -+If no time limit is explicitly requested by the client, the -+.BR soft -+limit is used; if the requested time limit exceeds the -+.BR hard -+."limit, an -+.".I "Administrative limit exceeded" -+."error is returned. -+limit, the value of the limit is used instead. -+If the -+.BR hard -+limit is set to the keyword -+.IR soft , -+the soft limit is used in either case; if it is set to the keyword -+.IR unlimited , -+no hard limit is enforced. -+Explicit requests for time limits smaller or equal to the -+.BR hard -+limit are honored. -+If no limit specifier is set, the value is assigned to the -+.BR soft -+limit, and the -+.BR hard -+limit is set to -+.IR soft , -+to preserve the original behavior. -+ -+The syntax for size limits is -+.BR size[.{soft|hard|unchecked}]=<integer> , -+where -+.I integer -+is the maximum number of entries slapd will return answering a search -+request. -+If no size limit is explicitly requested by the client, the -+.BR soft -+limit is used; if the requested size limit exceeds the -+.BR hard -+."limit, an -+.".I "Administrative limit exceeded" -+."error is returned. -+limit, the value of the limit is used instead. -+If the -+.BR hard -+limit is set to the keyword -+.IR soft , -+the soft limit is used in either case; if it is set to the keyword -+.IR unlimited , -+no hard limit is enforced. -+Explicit requests for size limits smaller or equal to the -+.BR hard -+limit are honored. -+The -+.BR unchecked -+specifier sets a limit on the number of candidates a search request is allowed -+to examine. -+The rationale behind it is that searches for non-properly indexed -+attributes may result in large sets of candidates, which must be -+examined by -+.BR slapd (8) -+to determine whether they match the search filter or not. -+The -+.B unchecked -+limit provides a means to drop such operations before they are even -+started. -+If the selected candidates exceed the -+.BR unchecked -+limit, the search will abort with -+.IR "Unwilling to perform" . -+If it is set to the keyword -+.IR unlimited , -+no limit is applied (the default). -+If it is set to -+.IR disabled , -+the search is not even performed; this can be used to disallow searches -+for a specific set of users. -+If no limit specifier is set, the value is assigned to the -+.BR soft -+limit, and the -+.BR hard -+limit is set to -+.IR soft , -+to preserve the original behavior. -+ -+In case of no match, the global limits are used. -+The default values are the same as for -+.B sizelimit -+and -+.BR timelimit ; -+no limit is set on -+.BR unchecked . -+ -+If -+.B pagedResults -+control is requested, the -+.B hard -+size limit is used by default, because the request of a specific page size -+is considered an explicit request for a limitation on the number -+of entries to be returned. -+However, the size limit applies to the total count of entries returned within -+the search, and not to a single page. -+Additional size limits may be enforced; the syntax is -+.BR size.pr={<integer>|noEstimate|unlimited} , -+where -+.I integer -+is the max page size if no explicit limit is set; the keyword -+.I noEstimate -+inhibits the server from returning an estimate of the total number -+of entries that might be returned -+(note: the current implementation does not return any estimate). -+The keyword -+.I unlimited -+indicates that no limit is applied to the pagedResults control page size. -+The syntax -+.B size.prtotal={<integer>|hard|unlimited|disabled} -+allows one to set a limit on the total number of entries that the pagedResults -+control will return. -+By default it is set to the -+.B hard -+limit which will use the size.hard value. -+When set, -+.I integer -+is the max number of entries that the whole search with pagedResults control -+can return. -+Use -+.I unlimited -+to allow unlimited number of entries to be returned, e.g. to allow -+the use of the pagedResults control as a means to circumvent size -+limitations on regular searches; the keyword -+.I disabled -+disables the control, i.e. no paged results can be returned. -+Note that the total number of entries returned when the pagedResults control -+is requested cannot exceed the -+.B hard -+size limit of regular searches unless extended by the -+.B prtotal -+switch. -+ -+The \fBlimits\fP statement is typically used to let an unlimited -+number of entries be returned by searches performed -+with the identity used by the consumer for synchronization purposes -+by means of the RFC 4533 LDAP Content Synchronization protocol -+(see \fBsyncrepl\fP for details). -+ -+When using subordinate databases, it is necessary for any limits that -+are to be applied across the parent and its subordinates to be defined in -+both the parent and its subordinates. Otherwise the settings on the -+subordinate databases are not honored. -+.RE -+.TP -+.B maxderefdepth <depth> -+Specifies the maximum number of aliases to dereference when trying to -+resolve an entry, used to avoid infinite alias loops. The default is 15. -+.TP -+.B multiprovider on | off -+This option puts a consumer database into Multi-Provider mode. Update -+operations will be accepted from any user, not just the updatedn. The -+database must already be configured as a syncrepl consumer -+before this keyword may be set. This mode also requires a -+.B serverID -+(see above) to be configured. -+By default, multiprovider is off. -+.TP -+.B monitoring on | off -+This option enables database-specific monitoring in the entry related -+to the current database in the "cn=Databases,cn=Monitor" subtree -+of the monitor database, if the monitor database is enabled. -+Currently, only the MDB database provides database-specific monitoring. -+If monitoring is supported by the backend it defaults to on, otherwise -+off. -+.TP -+.B overlay <overlay-name> -+Add the specified overlay to this database. An overlay is a piece of -+code that intercepts database operations in order to extend or change -+them. Overlays are pushed onto -+a stack over the database, and so they will execute in the reverse -+of the order in which they were configured and the database itself -+will receive control last of all. See the -+.BR slapd.overlays (5) -+manual page for an overview of the available overlays. -+Note that all of the database's -+regular settings should be configured before any overlay settings. -+.TP -+.B readonly on | off -+This option puts the database into "read-only" mode. Any attempts to -+modify the database will return an "unwilling to perform" error. By -+default, readonly is off. -+.TP -+.B restrict <oplist> -+Specify a whitespace separated list of operations that are restricted. -+If defined inside a database specification, restrictions apply only -+to that database, otherwise they are global. -+Operations can be any of -+.BR add , -+.BR bind , -+.BR compare , -+.BR delete , -+.BR extended[=<OID>] , -+.BR modify , -+.BR rename , -+.BR search , -+or the special pseudo-operations -+.B read -+and -+.BR write , -+which respectively summarize read and write operations. -+The use of -+.I restrict write -+is equivalent to -+.I readonly on -+(see above). -+The -+.B extended -+keyword allows one to indicate the OID of the specific operation -+to be restricted. -+.TP -+.B rootdn <dn> -+Specify the distinguished name that is not subject to access control -+or administrative limit restrictions for operations on this database. -+This DN may or may not be associated with an entry. An empty root -+DN (the default) specifies no root access is to be granted. It is -+recommended that the rootdn only be specified when needed (such as -+when initially populating a database). If the rootdn is within -+a namingContext (suffix) of the database, a simple bind password -+may also be provided using the -+.B rootpw -+directive. Many optional features, including syncrepl, require the -+rootdn to be defined for the database. -+.TP -+.B rootpw <password> -+Specify a password (or hash of the password) for the rootdn. The -+password can only be set if the rootdn is within the namingContext -+(suffix) of the database. -+This option accepts all RFC 2307 userPassword formats known to -+the server (see -+.B password-hash -+description) as well as cleartext. -+.BR slappasswd (8) -+may be used to generate a hash of a password. Cleartext -+and \fB{CRYPT}\fP passwords are not recommended. If empty -+(the default), authentication of the root DN is by other means -+(e.g. SASL). Use of SASL is encouraged. -+.TP -+.B suffix <dn suffix> -+Specify the DN suffix of queries that will be passed to this -+backend database. Multiple suffix lines can be given and at least one is -+required for each database definition. -+ -+If the suffix of one database is "inside" that of another, the database -+with the inner suffix must come first in the configuration file. -+You may also want to glue such databases together with the -+.B subordinate -+keyword. -+.TP -+.B subordinate [advertise] -+Specify that the current backend database is a subordinate of another -+backend database. A subordinate database may have only one suffix. This -+option may be used to glue multiple databases into a single namingContext. -+If the suffix of the current database is within the namingContext of a -+superior database, searches against the superior database will be -+propagated to the subordinate as well. All of the databases -+associated with a single namingContext should have identical rootdns. -+Behavior of other LDAP operations is unaffected by this setting. In -+particular, it is not possible to use moddn to move an entry from -+one subordinate to another subordinate within the namingContext. -+ -+If the optional \fBadvertise\fP flag is supplied, the naming context of -+this database is advertised in the root DSE. The default is to hide this -+database context, so that only the superior context is visible. -+ -+If the slap tools -+.BR slapcat (8), -+.BR slapadd (8), -+.BR slapmodify (8), -+or -+.BR slapindex (8) -+are used on the superior database, any glued subordinates that support -+these tools are opened as well. -+ -+Databases that are glued together should usually be configured with the -+same indices (assuming they support indexing), even for attributes that -+only exist in some of these databases. In general, all of the glued -+databases should be configured as similarly as possible, since the intent -+is to provide the appearance of a single directory. -+ -+Note that the \fIsubordinate\fP functionality is implemented internally -+by the \fIglue\fP overlay and as such its behavior will interact with other -+overlays in use. By default, the glue overlay is automatically configured as -+the last overlay on the superior backend. Its position on the backend -+can be explicitly configured by setting an \fBoverlay glue\fP directive -+at the desired position. This explicit configuration is necessary e.g. -+when using the \fIsyncprov\fP overlay, which needs to follow \fIglue\fP -+in order to work over all of the glued databases. E.g. -+.RS -+.nf -+ database mdb -+ suffix dc=example,dc=com -+ ... -+ overlay glue -+ overlay syncprov -+.fi -+.RE -+.TP -+.B sync_use_subentry -+Store the syncrepl contextCSN in a subentry instead of the context entry -+of the database. The subentry's RDN will be "cn=ldapsync". By default -+the contextCSN is stored in the context entry. -+.HP -+.hy 0 -+.B syncrepl rid=<replica ID> -+.B provider=ldap[s]://<hostname>[:port] -+.B searchbase=<base DN> -+.B [type=refreshOnly|refreshAndPersist] -+.B [interval=dd:hh:mm:ss] -+.B [retry=[<retry interval> <# of retries>]+] -+.B [filter=<filter str>] -+.B [scope=sub|one|base|subord] -+.B [attrs=<attr list>] -+.B [exattrs=<attr list>] -+.B [attrsonly] -+.B [sizelimit=<limit>] -+.B [timelimit=<limit>] -+.B [schemachecking=on|off] -+.B [network-timeout=<seconds>] -+.B [timeout=<seconds>] -+.B [tcp-user-timeout=<milliseconds>] -+.B [bindmethod=simple|sasl] -+.B [binddn=<dn>] -+.B [saslmech=<mech>] -+.B [authcid=<identity>] -+.B [authzid=<identity>] -+.B [credentials=<passwd>] -+.B [realm=<realm>] -+.B [secprops=<properties>] -+.B [keepalive=<idle>:<probes>:<interval>] -+.B [starttls=yes|critical] -+.B [tls_cert=<file>] -+.B [tls_key=<file>] -+.B [tls_cacert=<file>] -+.B [tls_cacertdir=<path>] -+.B [tls_reqcert=never|allow|try|demand] -+.B [tls_reqsan=never|allow|try|demand] -+.B [tls_cipher_suite=<ciphers>] -+.B [tls_ecname=<names>] -+.B [tls_crlcheck=none|peer|all] -+.B [tls_protocol_min=<major>[.<minor>]] -+.B [suffixmassage=<real DN>] -+.B [logbase=<base DN>] -+.B [logfilter=<filter str>] -+.B [syncdata=default|accesslog|changelog] -+.B [lazycommit] -+.RS -+Specify the current database as a consumer which is kept up-to-date with the -+provider content by establishing the current -+.BR slapd (8) -+as a replication consumer site running a -+.B syncrepl -+replication engine. -+The consumer content is kept synchronized to the provider content using -+the LDAP Content Synchronization protocol. Refer to the -+"OpenLDAP Administrator's Guide" for detailed information on -+setting up a replicated -+.B slapd -+directory service using the -+.B syncrepl -+replication engine. -+ -+.B rid -+identifies the current -+.B syncrepl -+directive within the replication consumer site. -+It is a non-negative integer not greater than 999 (limited -+to three decimal digits). -+ -+.B provider -+specifies the replication provider site containing the provider content -+as an LDAP URI. If <port> is not given, the standard LDAP port number -+(389 or 636) is used. -+ -+The content of the -+.B syncrepl -+consumer is defined using a search -+specification as its result set. The consumer -+.B slapd -+will send search requests to the provider -+.B slapd -+according to the search specification. The search specification includes -+.BR searchbase ", " scope ", " filter ", " attrs ", " attrsonly ", " sizelimit ", " -+and -+.B timelimit -+parameters as in the normal search specification. The -+.B exattrs -+option may also be used to specify attributes that should be omitted -+from incoming entries. -+The \fBscope\fP defaults to \fBsub\fP, the \fBfilter\fP defaults to -+\fB(objectclass=*)\fP, and there is no default \fBsearchbase\fP. The -+\fBattrs\fP list defaults to \fB"*,+"\fP to return all user and operational -+attributes, and \fBattrsonly\fP and \fBexattrs\fP are unset by default. -+The \fBsizelimit\fP and \fBtimelimit\fP only -+accept "unlimited" and positive integers, and both default to "unlimited". -+The \fBsizelimit\fP and \fBtimelimit\fP parameters define -+a consumer requested limitation on the number of entries that can be returned -+by the LDAP Content Synchronization operation; these should be left unchanged -+from the default otherwise replication may never succeed. -+Note, however, that any provider-side limits for the replication identity -+will be enforced by the provider regardless of the limits requested -+by the LDAP Content Synchronization operation, much like for any other -+search operation. -+ -+The LDAP Content Synchronization protocol has two operation types. -+In the -+.B refreshOnly -+operation, the next synchronization search operation -+is periodically rescheduled at an interval time (specified by -+.B interval -+parameter; 1 day by default) -+after each synchronization operation finishes. -+In the -+.B refreshAndPersist -+operation, a synchronization search remains persistent in the provider slapd. -+Further updates to the provider will generate -+.B searchResultEntry -+to the consumer slapd as the search responses to the persistent -+synchronization search. If the initial search fails due to an error, the -+next synchronization search operation is periodically rescheduled at an -+interval time (specified by -+.B interval -+parameter; 1 day by default) -+ -+If an error occurs during replication, the consumer will attempt to -+reconnect according to the -+.B retry -+parameter which is a list of the <retry interval> and <# of retries> pairs. -+For example, retry="60 10 300 3" lets the consumer retry every 60 seconds -+for the first 10 times and then retry every 300 seconds for the next 3 -+times before stop retrying. The `+' in <# of retries> means indefinite -+number of retries until success. -+If no -+.B retry -+is specified, by default syncrepl retries every hour forever. -+ -+The schema checking can be enforced at the LDAP Sync -+consumer site by turning on the -+.B schemachecking -+parameter. The default is \fBoff\fP. -+Schema checking \fBon\fP means that replicated entries must have -+a structural objectClass, must obey to objectClass requirements -+in terms of required/allowed attributes, and that naming attributes -+and distinguished values must be present. -+As a consequence, schema checking should be \fBoff\fP when partial -+replication is used. -+ -+The -+.B network-timeout -+parameter sets how long the consumer will wait to establish a -+network connection to the provider. Once a connection is -+established, the -+.B timeout -+parameter determines how long the consumer will wait for the initial -+Bind request to complete. The defaults for these parameters come -+from -+.BR ldap.conf (5). -+The -+.B tcp-user-timeout -+parameter, if non-zero, corresponds to the -+.B TCP_USER_TIMEOUT -+set on the target connections, overriding the operating system setting. -+Only some systems support the customization of this parameter, it is -+ignored otherwise and system-wide settings are used. -+ -+A -+.B bindmethod -+of -+.B simple -+requires the options -+.B binddn -+and -+.B credentials -+and should only be used when adequate security services -+(e.g. TLS or IPSEC) are in place. -+.B REMEMBER: simple bind credentials must be in cleartext! -+A -+.B bindmethod -+of -+.B sasl -+requires the option -+.B saslmech. -+Depending on the mechanism, an authentication identity and/or -+credentials can be specified using -+.B authcid -+and -+.B credentials. -+The -+.B authzid -+parameter may be used to specify an authorization identity. -+Specific security properties (as with the -+.B sasl-secprops -+keyword above) for a SASL bind can be set with the -+.B secprops -+option. A non default SASL realm can be set with the -+.B realm -+option. -+The identity used for synchronization by the consumer should be allowed -+to receive an unlimited number of entries in response to a search request. -+The provider, other than allowing authentication of the syncrepl identity, -+should grant that identity appropriate access privileges to the data -+that is being replicated (\fBaccess\fP directive), and appropriate time -+and size limits. -+This can be accomplished by either allowing unlimited \fBsizelimit\fP -+and \fBtimelimit\fP, or by setting an appropriate \fBlimits\fP statement -+in the consumer's configuration (see \fBsizelimit\fP and \fBlimits\fP -+for details). -+ -+The -+.B keepalive -+parameter sets the values of \fIidle\fP, \fIprobes\fP, and \fIinterval\fP -+used to check whether a socket is alive; -+.I idle -+is the number of seconds a connection needs to remain idle before TCP -+starts sending keepalive probes; -+.I probes -+is the maximum number of keepalive probes TCP should send before dropping -+the connection; -+.I interval -+is interval in seconds between individual keepalive probes. -+Only some systems support the customization of these values; -+the -+.B keepalive -+parameter is ignored otherwise, and system-wide settings are used. -+ -+The -+.B starttls -+parameter specifies use of the StartTLS extended operation -+to establish a TLS session before Binding to the provider. If the -+.B critical -+argument is supplied, the session will be aborted if the StartTLS request -+fails. Otherwise the syncrepl session continues without TLS. The -+.B tls_reqcert -+setting defaults to "demand", the -+.B tls_reqsan -+setting defaults to "allow", and the other TLS settings -+default to the same as the main slapd TLS settings. -+ -+The -+.B suffixmassage -+parameter allows the consumer to pull entries from a remote directory -+whose DN suffix differs from the local directory. The portion of the -+remote entries' DNs that matches the \fIsearchbase\fP will be replaced -+with the suffixmassage DN. -+ -+Rather than replicating whole entries, the consumer can query logs of -+data modifications. This mode of operation is referred to as \fIdelta -+syncrepl\fP. In addition to the above parameters, the -+.B logbase -+and -+.B logfilter -+parameters must be set appropriately for the log that will be used. The -+.B syncdata -+parameter must be set to either "accesslog" if the log conforms to the -+.BR slapo-accesslog (5) -+log format, or "changelog" if the log conforms -+to the obsolete \fIchangelog\fP format. If the -+.B syncdata -+parameter is omitted or set to "default" then the log parameters are -+ignored. -+ -+The -+.B lazycommit -+parameter tells the underlying database that it can store changes without -+performing a full flush after each change. This may improve performance -+for the consumer, while sacrificing safety or durability. -+.RE -+.TP -+.B updatedn <dn> -+This option is only applicable in a replica -+database. -+It specifies the DN permitted to update (subject to access controls) -+the replica. It is only needed in certain push-mode -+replication scenarios. Generally, this DN -+.I should not -+be the same as the -+.B rootdn -+used at the provider. -+.TP -+.B updateref <url> -+Specify the referral to pass back when -+.BR slapd (8) -+is asked to modify a replicated local database. -+If specified multiple times, each url is provided. -+ -+.SH DATABASE-SPECIFIC OPTIONS -+Each database may allow specific configuration options; they are -+documented separately in the backends' manual pages. See the -+.BR slapd.backends (5) -+manual page for an overview of available backends. -+.SH EXAMPLES -+.LP -+Here is a short example of a configuration file: -+.LP -+.RS -+.nf -+include SYSCONFDIR/schema/core.schema -+pidfile LOCALSTATEDIR/run/slapd.pid -+ -+# Subtypes of "name" (e.g. "cn" and "ou") with the -+# option ";x-hidden" can be searched for/compared, -+# but are not shown. See \fBslapd.access\fP(5). -+attributeoptions x-hidden lang- -+access to attrs=name;x-hidden by * =cs -+ -+# Protect passwords. See \fBslapd.access\fP(5). -+access to attrs=userPassword by * auth -+# Read access to other attributes and entries. -+access to * by * read -+ -+database mdb -+suffix "dc=our-domain,dc=com" -+# The database directory MUST exist prior to -+# running slapd AND should only be accessible -+# by the slapd/tools. Mode 0700 recommended. -+directory LOCALSTATEDIR/openldap-data -+# Indices to maintain -+index objectClass eq -+index cn,sn,mail pres,eq,approx,sub -+ -+# We serve small clients that do not handle referrals, -+# so handle remote lookups on their behalf. -+database ldap -+suffix "" -+uri ldap://ldap.some-server.com/ -+lastmod off -+.fi -+.RE -+.LP -+"OpenLDAP Administrator's Guide" contains a longer annotated -+example of a configuration file. -+The original ETCDIR/slapd.conf is another example. -+.SH FILES -+.TP -+ETCDIR/slapd.conf -+default slapd configuration file -+.SH SEE ALSO -+.BR ldap (3), -+.BR gnutls-cli (1), -+.BR slapd-config (5), -+.BR slapd.access (5), -+.BR slapd.backends (5), -+.BR slapd.overlays (5), -+.BR slapd.plugin (5), -+.BR slapd (8), -+.BR slapacl (8), -+.BR slapadd (8), -+.BR slapauth (8), -+.BR slapcat (8), -+.BR slapdn (8), -+.BR slapindex (8), -+.BR slapmodify (8), -+.BR slappasswd (8), -+.BR slaptest (8). -+.LP -+"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) -+.SH ACKNOWLEDGEMENTS -+.so ../Project -diff -Naurp openldap-2.6.2.orig/doc/man/man5/slapd-config.5 openldap-2.6.2/doc/man/man5/slapd-config.5 ---- openldap-2.6.2.orig/doc/man/man5/slapd-config.5 2022-05-04 16:55:23.000000000 +0200 -+++ openldap-2.6.2/doc/man/man5/slapd-config.5 2022-05-05 12:05:53.312727754 +0200 -@@ -2233,7 +2233,7 @@ olcSuffix: "dc=our-domain,dc=com" - # The database directory MUST exist prior to - # running slapd AND should only be accessible - # by the slapd/tools. Mode 0700 recommended. --olcDbDirectory: LOCALSTATEDIR/openldap-data -+olcDbDirectory: LOCALSTATEDIR/lib/openldap - # Indices to maintain - olcDbIndex: objectClass eq - olcDbIndex: cn,sn,mail pres,eq,approx,sub -diff -Naurp openldap-2.6.2.orig/doc/man/man5/slapd-config.5.orig openldap-2.6.2/doc/man/man5/slapd-config.5.orig ---- openldap-2.6.2.orig/doc/man/man5/slapd-config.5.orig 1970-01-01 01:00:00.000000000 +0100 -+++ openldap-2.6.2/doc/man/man5/slapd-config.5.orig 2022-05-04 16:55:23.000000000 +0200 -@@ -0,0 +1,2302 @@ -+.TH SLAPD-CONFIG 5 "RELEASEDATE" "OpenLDAP LDVERSION" -+." Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved. -+." Copying restrictions apply. See COPYRIGHT/LICENSE. -+." $OpenLDAP$ -+.SH NAME -+slapd-config - configuration backend to slapd -+.SH SYNOPSIS -+ETCDIR/slapd.d -+.SH DESCRIPTION -+The -+.B config -+backend manages all of the configuration information for the -+.BR slapd (8) -+daemon. This configuration information is also used by the SLAPD tools -+.BR slapacl (8), -+.BR slapadd (8), -+.BR slapauth (8), -+.BR slapcat (8), -+.BR slapdn (8), -+.BR slapindex (8), -+.BR slapmodify (8), -+and -+.BR slaptest (8). -+.LP -+The -+.B config -+backend is backward compatible with the older -+.BR slapd.conf (5) -+file but provides the ability to change the configuration dynamically -+at runtime. If slapd is run with only a -+.B slapd.conf -+file dynamic changes will be allowed but they will not persist across -+a server restart. Dynamic changes are only saved when slapd is running -+from a -+.B slapd.d -+configuration directory. -+.LP -+ -+Unlike other backends, there can only be one instance of the -+.B config -+backend, and most of its structure is predefined. The root of the -+database is hardcoded to -+.B "cn=config" -+and this root entry contains -+global settings for slapd. Multiple child entries underneath the -+root entry are used to carry various other settings: -+.RS -+.TP -+.B cn=Module -+dynamically loaded modules -+.TP -+.B cn=Schema -+schema definitions -+.TP -+.B olcBackend=xxx -+backend-specific settings -+.TP -+.B olcDatabase=xxx -+database-specific settings -+.RE -+ -+The -+.B cn=Module -+entries will only appear in configurations where slapd -+was built with support for dynamically loaded modules. There can be -+multiple entries, one for each configured module path. Within each -+entry there will be values recorded for each module loaded on a -+given path. These entries have no children. -+ -+The -+.B cn=Schema -+entry contains all of the hardcoded schema elements. -+The children of this entry contain all user-defined schema elements. -+In schema that were loaded from include files, the child entry will -+be named after the include file from which the schema was loaded. -+Typically the first child in this subtree will be -+.BR cn=core,cn=schema,cn=config . -+ -+.B olcBackend -+entries are for storing settings specific to a single -+backend type (and thus global to all database instances of that type). -+At present, only back-mdb implements any options of this type, so this -+setting is not needed for any other backends. -+ -+.B olcDatabase -+entries store settings specific to a single database -+instance. These entries may have -+.B olcOverlay -+child entries corresponding -+to any overlays configured on the database. The olcDatabase and -+olcOverlay entries may also have miscellaneous child entries for -+other settings as needed. There are two special database entries -+that are predefined - one is an entry for the config database itself, -+and the other is for the "frontend" database. Settings in the -+frontend database are inherited by the other databases, unless -+they are explicitly overridden in a specific database. -+.LP -+The specific configuration options available are discussed below in the -+Global Configuration Options, General Backend Options, and General Database -+Options. Options are set by defining LDAP attributes with specific values. -+In general the names of the LDAP attributes are the same as the corresponding -+.B slapd.conf -+keyword, with an "olc" prefix added on. -+ -+The parser for many of these attributes is the same as used for parsing -+the slapd.conf keywords. As such, slapd.conf keywords that allow multiple -+items to be specified on one line, separated by whitespace, will allow -+multiple items to be specified in one attribute value. However, when -+reading the attribute via LDAP, the items will be returned as individual -+attribute values. -+ -+Backend-specific options are discussed in the -+.B slapd-<backend>(5) -+manual pages. Refer to the "OpenLDAP Administrator's Guide" for more -+details on configuring slapd. -+.SH GLOBAL CONFIGURATION OPTIONS -+Options described in this section apply to the server as a whole. -+Arguments that should be replaced by -+actual text are shown in brackets <>. -+ -+These options may only be specified in the -+.B cn=config -+entry. This entry must have an objectClass of -+.BR olcGlobal . -+ -+.TP -+.B olcAllows: <features> -+Specify a set of features to allow (default none). -+.B bind_v2 -+allows acceptance of LDAPv2 bind requests. Note that -+.BR slapd (8) -+does not truly implement LDAPv2 (RFC 1777), now Historic (RFC 3494). -+.B bind_anon_cred -+allows anonymous bind when credentials are not empty (e.g. -+when DN is empty). -+.B bind_anon_dn -+allows unauthenticated (anonymous) bind when DN is not empty. -+.B update_anon -+allows unauthenticated (anonymous) update operations to be processed -+(subject to access controls and other administrative limits). -+.B proxy_authz_anon -+allows unauthenticated (anonymous) proxy authorization control to be processed -+(subject to access controls, authorization and other administrative limits). -+.TP -+.B olcArgsFile: <filename> -+The (absolute) name of a file that will hold the -+.B slapd -+server's command line (program name and options). -+.TP -+.B olcAttributeOptions: <option-name>... -+Define tagging attribute options or option tag/range prefixes. -+Options must not end with `-', prefixes must end with `-'. -+The `lang-' prefix is predefined. -+If you use the -+.B olcAttributeOptions -+directive, `lang-' will no longer be defined and you must specify it -+explicitly if you want it defined. -+ -+An attribute description with a tagging option is a subtype of that -+attribute description without the option. -+Except for that, options defined this way have no special semantics. -+Prefixes defined this way work like the `lang-' options: -+They define a prefix for tagging options starting with the prefix. -+That is, if you define the prefix `x-foo-', you can use the option -+`x-foo-bar'. -+Furthermore, in a search or compare, a prefix or range name (with -+a trailing `-') matches all options starting with that name, as well -+as the option with the range name sans the trailing `-'. -+That is, `x-foo-bar-' matches `x-foo-bar' and `x-foo-bar-baz'. -+ -+RFC 4520 reserves options beginning with `x-' for private experiments. -+Other options should be registered with IANA, see RFC 4520 section 3.5. -+OpenLDAP also has the `binary' option built in, but this is a transfer -+option, not a tagging option. -+.TP -+.B olcAuthIDRewrite: <rewrite-rule> -+Used by the authentication framework to convert simple user names -+to an LDAP DN used for authorization purposes. -+Its purpose is analogous to that of -+.BR olcAuthzRegexp -+(see below). -+The -+.B rewrite-rule -+is a set of rules analogous to those described in -+.BR slapo-rwm (5) -+for data rewriting (after stripping the \fIrwm-\fP prefix). -+.B olcAuthIDRewrite -+and -+.B olcAuthzRegexp -+should not be intermixed. -+.TP -+.B olcAuthzPolicy: <policy> -+Used to specify which rules to use for Proxy Authorization. Proxy -+authorization allows a client to authenticate to the server using one -+user's credentials, but specify a different identity to use for authorization -+and access control purposes. It essentially allows user A to login as user -+B, using user A's password. -+The -+.B none -+flag disables proxy authorization. This is the default setting. -+The -+.B from -+flag will use rules in the -+.I authzFrom -+attribute of the authorization DN. -+The -+.B to -+flag will use rules in the -+.I authzTo -+attribute of the authentication DN. -+The -+.B any -+flag, an alias for the deprecated value of -+.BR both , -+will allow any of the above, whatever succeeds first (checked in -+.BR to , -+.B from -+sequence. -+The -+.B all -+flag requires both authorizations to succeed. -+.LP -+.RS -+The rules are mechanisms to specify which identities are allowed -+to perform proxy authorization. -+The -+.I authzFrom -+attribute in an entry specifies which other users -+are allowed to proxy login to this entry. The -+.I authzTo -+attribute in -+an entry specifies which other users this user can authorize as. Use of -+.I authzTo -+rules can be easily -+abused if users are allowed to write arbitrary values to this attribute. -+In general the -+.I authzTo -+attribute must be protected with ACLs such that -+only privileged users can modify it. -+The value of -+.I authzFrom -+and -+.I authzTo -+describes an -+.B identity -+or a set of identities; it can take five forms: -+.RS -+.TP -+.B ldap:///<base>??[<scope>]?<filter> -+.RE -+.RS -+.B dn[.<dnstyle>]:<pattern> -+.RE -+.RS -+.B u[.<mech>[<realm>]]:<pattern> -+.RE -+.RS -+.B group[/objectClass[/attributeType]]:<pattern> -+.RE -+.RS -+.B <pattern> -+.RE -+.RS -+ -+.B <dnstyle>:={exact|onelevel|children|subtree|regex} -+ -+.RE -+The first form is a valid LDAP -+.B URI -+where the -+.IR <host>:<port> , -+the -+.I <attrs> -+and the -+.I <extensions> -+portions must be absent, so that the search occurs locally on either -+.I authzFrom -+or -+.IR authzTo . -+ -+.LP -+The second form is a -+.BR DN , -+with the optional style modifiers -+.IR exact , -+.IR onelevel , -+.IR children , -+and -+.I subtree -+for exact, onelevel, children and subtree matches, which cause -+.I <pattern> -+to be normalized according to the DN normalization rules, or the special -+.I regex -+style, which causes the -+.I <pattern> -+to be treated as a POSIX (''extended'') regular expression, as -+discussed in -+.BR regex (7) -+and/or -+.BR re_format (7). -+A pattern of -+.I * -+means any non-anonymous DN. -+ -+.LP -+The third form is a SASL -+.BR id , -+with the optional fields -+.I <mech> -+and -+.I <realm> -+that allow to specify a SASL -+.BR mechanism , -+and eventually a SASL -+.BR realm , -+for those mechanisms that support one. -+The need to allow the specification of a mechanism is still debated, -+and users are strongly discouraged to rely on this possibility. -+ -+.LP -+The fourth form is a group specification. -+It consists of the keyword -+.BR group , -+optionally followed by the specification of the group -+.B objectClass -+and -+.BR attributeType . -+The -+.B objectClass -+defaults to -+.IR groupOfNames . -+The -+.B attributeType -+defaults to -+.IR member . -+The group with DN -+.B <pattern> -+is searched with base scope, filtered on the specified -+.BR objectClass . -+The values of the resulting -+.B attributeType -+are searched for the asserted DN. -+ -+.LP -+The fifth form is provided for backwards compatibility. If no identity -+type is provided, i.e. only -+.B <pattern> -+is present, an -+.I exact DN -+is assumed; as a consequence, -+.B <pattern> -+is subjected to DN normalization. -+ -+.LP -+Since the interpretation of -+.I authzFrom -+and -+.I authzTo -+can impact security, users are strongly encouraged -+to explicitly set the type of identity specification that is being used. -+A subset of these rules can be used as third arg in the -+.B olcAuthzRegexp -+statement (see below); significantly, the -+.IR URI , -+provided it results in exactly one entry, -+and the -+.I dn.exact:<dn> -+forms. -+.RE -+.TP -+.B olcAuthzRegexp: <match> <replace> -+Used by the authentication framework to convert simple user names, -+such as provided by SASL subsystem, or extracted from certificates -+in case of cert-based SASL EXTERNAL, or provided within the RFC 4370 -+"proxied authorization" control, to an LDAP DN used for -+authorization purposes. Note that the resulting DN need not refer -+to an existing entry to be considered valid. When an authorization -+request is received from the SASL subsystem, the SASL -+.BR USERNAME , -+.BR REALM , -+and -+.B MECHANISM -+are taken, when available, and combined into a name of the form -+.RS -+.RS -+.TP -+.B UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth -+ -+.RE -+This name is then compared against the -+.B match -+POSIX (''extended'') regular expression, and if the match is successful, -+the name is replaced with the -+.B replace -+string. If there are wildcard strings in the -+.B match -+regular expression that are enclosed in parenthesis, e.g. -+.RS -+.TP -+.B UID=([^,]*),CN=.* -+ -+.RE -+then the portion of the name that matched the wildcard will be stored -+in the numbered placeholder variable $1. If there are other wildcard strings -+in parenthesis, the matching strings will be in $2, $3, etc. up to $9. The -+placeholders can then be used in the -+.B replace -+string, e.g. -+.RS -+.TP -+.B UID=$1,OU=Accounts,DC=example,DC=com -+ -+.RE -+The replaced name can be either a DN, i.e. a string prefixed by "dn:", -+or an LDAP URI. -+If the latter, the server will use the URI to search its own database(s) -+and, if the search returns exactly one entry, the name is -+replaced by the DN of that entry. The LDAP URI must have no -+hostport, attrs, or extensions components, but the filter is mandatory, -+e.g. -+.RS -+.TP -+.B ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1) -+ -+.RE -+The protocol portion of the URI must be strictly -+.BR ldap . -+Note that this search is subject to access controls. Specifically, -+the authentication identity must have "auth" access in the subject. -+ -+Multiple -+.B olcAuthzRegexp -+values can be specified to allow for multiple matching -+and replacement patterns. The matching patterns are checked in the order they -+appear in the attribute, stopping at the first successful match. -+ -+.".B Caution: -+."Because the plus sign + is a character recognized by the regular expression engine, -+."and it will appear in names that include a REALM, be careful to escape the -+."plus sign with a backslash \+ to remove the character's special meaning. -+.RE -+.TP -+.B olcConcurrency: <integer> -+Specify a desired level of concurrency. Provided to the underlying -+thread system as a hint. The default is not to provide any hint. This setting -+is only meaningful on some platforms where there is not a one to one -+correspondence between user threads and kernel threads. -+.TP -+.B olcConnMaxPending: <integer> -+Specify the maximum number of pending requests for an anonymous session. -+If requests are submitted faster than the server can process them, they -+will be queued up to this limit. If the limit is exceeded, the session -+is closed. The default is 100. -+.TP -+.B olcConnMaxPendingAuth: <integer> -+Specify the maximum number of pending requests for an authenticated session. -+The default is 1000. -+.TP -+.B olcDisallows: <features> -+Specify a set of features to disallow (default none). -+.B bind_anon -+disables acceptance of anonymous bind requests. Note that this setting -+does not prohibit anonymous directory access (See "require authc"). -+.B bind_simple -+disables simple (bind) authentication. -+.B tls_2_anon -+disables forcing session to anonymous status (see also -+.BR tls_authc ) -+upon StartTLS operation receipt. -+.B tls_authc -+disallows the StartTLS operation if authenticated (see also -+.BR tls_2_anon ). -+.B proxy_authz_non_critical -+disables acceptance of the proxied authorization control (RFC4370) -+with criticality set to FALSE. -+.B dontusecopy_non_critical -+disables acceptance of the dontUseCopy control (a work in progress) -+with criticality set to FALSE. -+.TP -+.B olcGentleHUP: { TRUE | FALSE } -+A SIGHUP signal will only cause a 'gentle' shutdown-attempt: -+.B Slapd -+will stop listening for new connections, but will not close the -+connections to the current clients. Future write operations return -+unwilling-to-perform, though. Slapd terminates when all clients -+have closed their connections (if they ever do), or - as before - -+if it receives a SIGTERM signal. This can be useful if you wish to -+terminate the server and start a new -+.B slapd -+server -+.B with another database, -+without disrupting the currently active clients. -+The default is FALSE. You may wish to use -+.B olcIdleTimeout -+along with this option. -+.TP -+.B olcIdleTimeout: <integer> -+Specify the number of seconds to wait before forcibly closing -+an idle client connection. A setting of 0 disables this -+feature. The default is 0. You may also want to set the -+.B olcWriteTimeout -+option. -+.TP -+.B olcIndexHash64: { on | off } -+Use a 64 bit hash for indexing. The default is to use 32 bit hashes. -+These hashes are used for equality and substring indexing. The 64 bit -+version may be needed to avoid index collisions when the number of -+indexed values exceeds ~64 million. (Note that substring indexing -+generates multiple index values per actual attribute value.) -+Indices generated with 32 bit hashes are incompatible with the 64 bit -+version, and vice versa. Any existing databases must be fully reloaded -+when changing this setting. This directive is only supported on 64 bit CPUs. -+.TP -+.B olcIndexIntLen: <integer> -+Specify the key length for ordered integer indices. The most significant -+bytes of the binary integer will be used for index keys. The default -+value is 4, which provides exact indexing for 31 bit values. -+A floating point representation is used to index too large values. -+.TP -+.B olcIndexSubstrIfMaxlen: <integer> -+Specify the maximum length for subinitial and subfinal indices. Only -+this many characters of an attribute value will be processed by the -+indexing functions; any excess characters are ignored. The default is 4. -+.TP -+.B olcIndexSubstrIfMinlen: <integer> -+Specify the minimum length for subinitial and subfinal indices. An -+attribute value must have at least this many characters in order to be -+processed by the indexing functions. The default is 2. -+.TP -+.B olcIndexSubstrAnyLen: <integer> -+Specify the length used for subany indices. An attribute value must have -+at least this many characters in order to be processed. Attribute values -+longer than this length will be processed in segments of this length. The -+default is 4. The subany index will also be used in subinitial and -+subfinal index lookups when the filter string is longer than the -+.I olcIndexSubstrIfMaxlen -+value. -+.TP -+.B olcIndexSubstrAnyStep: <integer> -+Specify the steps used in subany index lookups. This value sets the offset -+for the segments of a filter string that are processed for a subany index -+lookup. The default is 2. For example, with the default values, a search -+using this filter "cn=*abcdefgh*" would generate index lookups for -+"abcd", "cdef", and "efgh". -+ -+.LP -+Note: Indexing support depends on the particular backend in use. Also, -+changing these settings will generally require deleting any indices that -+depend on these parameters and recreating them with -+.BR slapindex (8). -+ -+.TP -+.B olcListenerThreads: <integer> -+Specify the number of threads to use for the connection manager. -+The default is 1 and this is typically adequate for up to 16 CPU cores. -+The value should be set to a power of 2. -+.TP -+.B olcLocalSSF: <SSF> -+Specifies the Security Strength Factor (SSF) to be given local LDAP sessions, -+such as those to the ldapi:// listener. For a description of SSF values, -+see -+.BR olcSaslSecProps 's -+.B minssf -+option description. The default is 71. -+.TP -+.B olcLogFile: <filename> -+Specify a file for recording slapd debug messages. By default these messages -+only go to stderr, are not recorded anywhere else, and are unrelated to -+messages exposed by the -+.B olcLogLevel -+configuration parameter. Specifying a logfile copies messages to both stderr -+and the logfile. -+.TP -+.B olcLogFileFormat: debug | syslog-utc | syslog-localtime -+Specify the prefix format for messages written to the logfile. The debug -+format is the normal format used for slapd debug messages, with a timestamp -+in hexadecimal, followed by a thread ID. The other options are to -+use syslog(3) style prefixes, with timestamps either in UTC or in the -+local timezone. The default is debug format. -+.TP -+.B olcLogFileOnly: TRUE | FALSE -+Specify that debug messages should only go to the configured logfile, and -+not to stderr. -+.TP -+.B olcLogFileRotate: <max> <Mbytes> <hours> -+Specify automatic rotation for the configured logfile as the maximum -+number of old logfiles to retain, a maximum size in megabytes to allow a -+logfile to grow before rotation, and a maximum age in hours for a logfile -+to be used before rotation. The maximum number must be in the range 1-99. -+Setting Mbytes or hours to zero disables the size or age check, respectively. -+At least one of Mbytes or hours must be non-zero. By default no automatic -+rotation will be performed. -+.TP -+.B olcLogLevel: <integer> [...] -+Specify the level at which debugging statements and operation -+statistics should be syslogged (currently logged to the -+.BR syslogd (8) -+LOG_LOCAL4 facility). -+They must be considered subsystems rather than increasingly verbose -+log levels. -+Some messages with higher priority are logged regardless -+of the configured loglevel as soon as any logging is configured. -+Log levels are additive, and available levels are: -+.RS -+.RS -+.PD 0 -+.TP -+.B 1 -+.B (0x1 trace) -+trace function calls -+.TP -+.B 2 -+.B (0x2 packets) -+debug packet handling -+.TP -+.B 4 -+.B (0x4 args) -+heavy trace debugging (function args) -+.TP -+.B 8 -+.B (0x8 conns) -+connection management -+.TP -+.B 16 -+.B (0x10 BER) -+print out packets sent and received -+.TP -+.B 32 -+.B (0x20 filter) -+search filter processing -+.TP -+.B 64 -+.B (0x40 config) -+configuration file processing -+.TP -+.B 128 -+.B (0x80 ACL) -+access control list processing -+.TP -+.B 256 -+.B (0x100 stats) -+connections, LDAP operations, results (recommended) -+.TP -+.B 512 -+.B (0x200 stats2) -+stats2 log entries sent -+.TP -+.B 1024 -+.B (0x400 shell) -+print communication with shell backends -+.TP -+.B 2048 -+.B (0x800 parse) -+entry parsing -+".TP -+".B 4096 -+".B (0x1000 cache) -+"caching (unused) -+".TP -+".B 8192 -+".B (0x2000 index) -+"data indexing (unused) -+.TP -+.B 16384 -+.B (0x4000 sync) -+LDAPSync replication -+.TP -+.B 32768 -+.B (0x8000 none) -+only messages that get logged whatever log level is set -+.PD -+.RE -+The desired log level can be input as a single integer that combines -+the (ORed) desired levels, both in decimal or in hexadecimal notation, -+as a list of integers (that are ORed internally), -+or as a list of the names that are shown between parenthesis, such that -+.LP -+.nf -+ olcLogLevel: 129 -+ olcLogLevel: 0x81 -+ olcLogLevel: 128 1 -+ olcLogLevel: 0x80 0x1 -+ olcLogLevel: acl trace -+.fi -+.LP -+are equivalent. -+The keyword -+.B any -+can be used as a shortcut to enable logging at all levels (equivalent to -1). -+The keyword -+.BR none , -+or the equivalent integer representation, causes those messages -+that are logged regardless of the configured olcLogLevel to be logged. -+In fact, if no olcLogLevel (or a 0 level) is defined, no logging occurs, -+so at least the -+.B none -+level is required to have high priority messages logged. -+ -+Note that the -+.BR packets , -+.BR BER , -+and -+.B parse -+levels are only available as debug output on stderr, and are not -+sent to syslog. -+ -+This setting defaults to \fBstats\fP. -+This level should usually also be included when using other loglevels, to -+help analyze the logs. -+.RE -+.TP -+.B olcMaxFilterDepth: <integer> -+Specify the maximum depth of nested filters in search requests. -+The default is 1000. -+.TP -+.B olcPasswordCryptSaltFormat: <format> -+Specify the format of the salt passed to -+.BR crypt (3) -+when generating {CRYPT} passwords (see -+.BR olcPasswordHash ) -+during processing of LDAP Password Modify Extended Operations (RFC 3062). -+ -+This string needs to be in -+.BR sprintf (3) -+format and may include one (and only one) %s conversion. -+This conversion will be substituted with a string of random -+characters from [A-Za-z0-9./]. For example, "%.2s" -+provides a two character salt and "$1$%.8s" tells some -+versions of crypt(3) to use an MD5 algorithm and provides -+8 random characters of salt. The default is "%s", which -+provides 31 characters of salt. -+.TP -+.B olcPidFile: <filename> -+The (absolute) name of a file that will hold the -+.B slapd -+server's process ID (see -+.BR getpid (2)). -+.TP -+.B olcPluginLogFile: <filename> -+The ( absolute ) name of a file that will contain log -+messages from -+.B SLAPI -+plugins. See -+.BR slapd.plugin (5) -+for details. -+.TP -+.B olcReferral: <url> -+Specify the referral to pass back when -+.BR slapd (8) -+cannot find a local database to handle a request. -+If multiple values are specified, each url is provided. -+.TP -+.B olcReverseLookup: TRUE | FALSE -+Enable/disable client name unverified reverse lookup (default is -+.BR FALSE -+if compiled with --enable-rlookups). -+.TP -+.B olcRootDSE: <file> -+Specify the name of an LDIF(5) file containing user defined attributes -+for the root DSE. These attributes are returned in addition to the -+attributes normally produced by slapd. -+ -+The root DSE is an entry with information about the server and its -+capabilities, in operational attributes. -+It has the empty DN, and can be read with e.g.: -+.ti +4 -+ldapsearch -x -b "" -s base "+" -+.br -+See RFC 4512 section 5.1 for details. -+.TP -+.B olcSaslAuxprops: <plugin> [...] -+Specify which auxprop plugins to use for authentication lookups. The -+default is empty, which just uses slapd's internal support. Usually -+no other auxprop plugins are needed. -+.TP -+.B olcSaslAuxpropsDontUseCopy: <attr> [...] -+Specify which attribute(s) should be subject to the don't use copy control. This -+is necessary for some SASL mechanisms such as OTP to work in a replicated -+environment. The attribute "cmusaslsecretOTP" is the default value. -+.TP -+.B olcSaslAuxpropsDontUseCopyIgnore TRUE | FALSE -+Used to disable replication of the attribute(s) defined by -+olcSaslAuxpropsDontUseCopy and instead use a local value for the attribute. This -+allows the SASL mechanism to continue to work if the provider is offline. This can -+cause replication inconsistency. Defaults to FALSE. -+.TP -+.B olcSaslHost: <fqdn> -+Used to specify the fully qualified domain name used for SASL processing. -+.TP -+.B olcSaslRealm: <realm> -+Specify SASL realm. Default is empty. -+.TP -+.B olcSaslCbinding: none | tls-unique | tls-endpoint -+Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING. -+Default is none. -+.TP -+.B olcSaslSecProps: <properties> -+Used to specify Cyrus SASL security properties. -+The -+.B none -+flag (without any other properties) causes the flag properties -+default, "noanonymous,noplain", to be cleared. -+The -+.B noplain -+flag disables mechanisms susceptible to simple passive attacks. -+The -+.B noactive -+flag disables mechanisms susceptible to active attacks. -+The -+.B nodict -+flag disables mechanisms susceptible to passive dictionary attacks. -+The -+.B noanonymous -+flag disables mechanisms which support anonymous login. -+The -+.B forwardsec -+flag require forward secrecy between sessions. -+The -+.B passcred -+require mechanisms which pass client credentials (and allow -+mechanisms which can pass credentials to do so). -+The -+.B minssf=<factor> -+property specifies the minimum acceptable -+.I security strength factor -+as an integer approximate to effective key length used for -+encryption. 0 (zero) implies no protection, 1 implies integrity -+protection only, 128 allows RC4, Blowfish and other similar ciphers, -+256 will require modern ciphers. The default is 0. -+The -+.B maxssf=<factor> -+property specifies the maximum acceptable -+.I security strength factor -+as an integer (see minssf description). The default is INT_MAX. -+The -+.B maxbufsize=<size> -+property specifies the maximum security layer receive buffer -+size allowed. 0 disables security layers. The default is 65536. -+.TP -+.B olcServerID: <integer> [<URL>] -+Specify an integer ID from 0 to 4095 for this server. The ID may also be -+specified as a hexadecimal ID by prefixing the value with "0x". -+Non-zero IDs are required when using multi-provider replication and each -+provider must have a unique non-zero ID. Note that this requirement also -+applies to separate providers contributing to a glued set of databases. -+If the URL is provided, this directive may be specified -+multiple times, providing a complete list of participating servers -+and their IDs. The fully qualified hostname of each server should be -+used in the supplied URLs. The IDs are used in the "replica id" field -+of all CSNs generated by the specified server. The default value is zero, which -+is only valid for single provider replication. -+Example: -+.LP -+.nf -+ olcServerID: 1 ldap://ldap1.example.com -+ olcServerID: 2 ldap://ldap2.example.com -+.fi -+.TP -+.B olcSockbufMaxIncoming: <integer> -+Specify the maximum incoming LDAP PDU size for anonymous sessions. -+The default is 262143. -+.TP -+.B olcSockbufMaxIncomingAuth: <integer> -+Specify the maximum incoming LDAP PDU size for authenticated sessions. -+The default is 4194303. -+.TP -+.B olcTCPBuffer [listener=<URL>] [{read|write}=]<size> -+Specify the size of the TCP buffer. -+A global value for both read and write TCP buffers related to any listener -+is defined, unless the listener is explicitly specified, -+or either the read or write qualifiers are used. -+See -+.BR tcp (7) -+for details. -+Note that some OS-es implement automatic TCP buffer tuning. -+.TP -+.B olcThreads: <integer> -+Specify the maximum size of the primary thread pool. -+The default is 16; the minimum value is 2. -+.TP -+.B olcThreadQueues: <integer> -+Specify the number of work queues to use for the primary thread pool. -+The default is 1 and this is typically adequate for up to 8 CPU cores. -+The value should not exceed the number of CPUs in the system. -+.TP -+.B olcToolThreads: <integer> -+Specify the maximum number of threads to use in tool mode. -+This should not be greater than the number of CPUs in the system. -+The default is 1. -+.TP -+.B olcWriteTimeout: <integer> -+Specify the number of seconds to wait before forcibly closing -+a connection with an outstanding write. This allows recovery from -+various network hang conditions. A setting of 0 disables this -+feature. The default is 0. -+.SH TLS OPTIONS -+If -+.B slapd -+is built with support for Transport Layer Security, there are more options -+you can specify. -+.TP -+.B olcTLSCipherSuite: <cipher-suite-spec> -+Permits configuring what ciphers will be accepted and the preference order. -+<cipher-suite-spec> should be a cipher specification for the TLS library -+in use (OpenSSL or GnuTLS). -+Example: -+.RS -+.RS -+.TP -+.I OpenSSL: -+olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2 -+.TP -+.I GnuTLS: -+olcTLSCiphersuite: SECURE256:!AES-128-CBC -+.RE -+ -+To check what ciphers a given spec selects in OpenSSL, use: -+ -+.nf -+ openssl ciphers -v <cipher-suite-spec> -+.fi -+ -+With GnuTLS the available specs can be found in the manual page of -+.BR gnutls-cli (1) -+(see the description of the -+option -+.BR --priority ). -+ -+In older versions of GnuTLS, where gnutls-cli does not support the option -+--priority, you can obtain the (em more limited (em list of ciphers by calling: -+ -+.nf -+ gnutls-cli -l -+.fi -+.RE -+.TP -+.B olcTLSCACertificateFile: <filename> -+Specifies the file that contains certificates for all of the Certificate -+Authorities that -+.B slapd -+will recognize. The certificate for -+the CA that signed the server certificate must be included among -+these certificates. If the signing CA was not a top-level (root) CA, -+certificates for the entire sequence of CA's from the signing CA to -+the top-level CA should be present. Multiple certificates are simply -+appended to the file; the order is not significant. -+.TP -+.B olcTLSCACertificatePath: <path> -+Specifies the path of directories that contain Certificate Authority -+certificates in separate individual files. Usually only one of this -+or the olcTLSCACertificateFile is defined. If both are specified, both -+locations will be used. Multiple directories may be specified, -+separated by a semi-colon. -+.TP -+.B olcTLSCertificateFile: <filename> -+Specifies the file that contains the -+.B slapd -+server certificate. -+ -+When using OpenSSL that file may also contain any number of intermediate -+certificates after the server certificate. -+.TP -+.B olcTLSCertificateKeyFile: <filename> -+Specifies the file that contains the -+.B slapd -+server private key that matches the certificate stored in the -+.B olcTLSCertificateFile -+file. If the private key is protected with a password, the password must -+be manually typed in when slapd starts. Usually the private key is not -+protected with a password, to allow slapd to start without manual -+intervention, so -+it is of critical importance that the file is protected carefully. -+.TP -+.B olcTLSDHParamFile: <filename> -+This directive specifies the file that contains parameters for Diffie-Hellman -+ephemeral key exchange. This is required in order to use a DSA certificate on -+the server, or an RSA certificate missing the "key encipherment" key usage. -+Note that setting this option may also enable -+Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites. -+Anonymous key exchanges should generally be avoided since they provide no -+actual client or server authentication and provide no protection against -+man-in-the-middle attacks. -+You should append "!ADH" to your cipher suites to ensure that these suites -+are not used. -+.TP -+.B olcTLSECName: <name> -+Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman -+ephemeral key exchange. This option is only used for OpenSSL. -+This option is not used with GnuTLS; the curves may be -+chosen in the GnuTLS ciphersuite specification. -+.TP -+.B olcTLSProtocolMin: <major>[.<minor>] -+Specifies minimum SSL/TLS protocol version that will be negotiated. -+If the server doesn't support at least that version, -+the SSL handshake will fail. -+To require TLS 1.x or higher, set this option to 3.(x+1), -+e.g., -+ -+.nf -+ olcTLSProtocolMin: 3.2 -+.fi -+ -+would require TLS 1.1. -+Specifying a minimum that is higher than that supported by the -+OpenLDAP implementation will result in it requiring the -+highest level that it does support. -+This directive is ignored with GnuTLS. -+.TP -+.B olcTLSRandFile: <filename> -+Specifies the file to obtain random bits from when /dev/[u]random -+is not available. Generally set to the name of the EGD/PRNGD socket. -+The environment variable RANDFILE can also be used to specify the filename. -+This directive is ignored with GnuTLS. -+.TP -+.B olcTLSVerifyClient: <level> -+Specifies what checks to perform on client certificates in an -+incoming TLS session, if any. -+The -+.B <level> -+can be specified as one of the following keywords: -+.RS -+.TP -+.B never -+This is the default. -+.B slapd -+will not ask the client for a certificate. -+.TP -+.B allow -+The client certificate is requested. If no certificate is provided, -+the session proceeds normally. If a bad certificate is provided, -+it will be ignored and the session proceeds normally. -+.TP -+.B try -+The client certificate is requested. If no certificate is provided, -+the session proceeds normally. If a bad certificate is provided, -+the session is immediately terminated. -+.TP -+.B demand | hard | true -+These keywords are all equivalent, for compatibility reasons. -+The client certificate is requested. If no certificate is provided, -+or a bad certificate is provided, the session is immediately terminated. -+ -+Note that a valid client certificate is required in order to use the -+SASL EXTERNAL authentication mechanism with a TLS session. As such, -+a non-default -+.B olcTLSVerifyClient -+setting must be chosen to enable SASL EXTERNAL authentication. -+.RE -+.TP -+.B olcTLSCRLCheck: <level> -+Specifies if the Certificate Revocation List (CRL) of the CA should be -+used to verify if the client certificates have not been revoked. This -+requires -+.B olcTLSCACertificatePath -+parameter to be set. This parameter is ignored with GnuTLS. -+.B <level> -+can be specified as one of the following keywords: -+.RS -+.TP -+.B none -+No CRL checks are performed -+.TP -+.B peer -+Check the CRL of the peer certificate -+.TP -+.B all -+Check the CRL for a whole certificate chain -+.RE -+.TP -+.B olcTLSCRLFile: <filename> -+Specifies a file containing a Certificate Revocation List to be used -+for verifying that certificates have not been revoked. This parameter is -+only valid when using GnuTLS. -+.SH DYNAMIC MODULE OPTIONS -+If -+.B slapd -+is compiled with --enable-modules then the module-related entries will -+be available. These entries are named -+.B cn=module{x},cn=config -+and -+must have the olcModuleList objectClass. One entry should be created -+per -+.B olcModulePath. -+Normally the config engine generates the "{x}" index in the RDN -+automatically, so it can be omitted when initially loading these entries. -+.TP -+.B olcModuleLoad: <filename> [<arguments>...] -+Specify the name of a dynamically loadable module to load and any -+additional arguments if supported by the module. The filename -+may be an absolute path name or a simple filename. Non-absolute names -+are searched for in the directories specified by the -+.B olcModulePath -+option. -+.TP -+.B olcModulePath: <pathspec> -+Specify a list of directories to search for loadable modules. Typically -+the path is colon-separated but this depends on the operating system. -+The default is MODULEDIR, which is where the standard OpenLDAP install -+will place its modules. -+.SH SCHEMA OPTIONS -+Schema definitions are created as entries in the -+.B cn=schema,cn=config -+subtree. These entries must have the olcSchemaConfig objectClass. -+As noted above, the actual -+.B cn=schema,cn=config -+entry is predefined and any values specified for it are ignored. -+ -+.HP -+.hy 0 -+.B olcAttributetypes: "(\ <oid>\ -+ [NAME\ <name>]\ -+ [DESC\ <description>]\ -+ [OBSOLETE]\ -+ [SUP\ <oid>]\ -+ [EQUALITY\ <oid>]\ -+ [ORDERING\ <oid>]\ -+ [SUBSTR\ <oid>]\ -+ [SYNTAX\ <oidlen>]\ -+ [SINGLE-VALUE]\ -+ [COLLECTIVE]\ -+ [NO-USER-MODIFICATION]\ -+ [USAGE\ <attributeUsage>]\ )" -+.RS -+Specify an attribute type using the LDAPv3 syntax defined in RFC 4512. -+The slapd parser extends the RFC 4512 definition by allowing string -+forms as well as numeric OIDs to be used for the attribute OID and -+attribute syntax OID. -+(See the -+.B olcObjectIdentifier -+description.) -+.RE -+ -+.HP -+.hy 0 -+.B olcDitContentRules: "(\ <oid>\ -+ [NAME\ <name>]\ -+ [DESC\ <description>]\ -+ [OBSOLETE]\ -+ [AUX\ <oids>]\ -+ [MUST\ <oids>]\ -+ [MAY\ <oids>]\ -+ [NOT\ <oids>]\ )" -+.RS -+Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 4512. -+The slapd parser extends the RFC 4512 definition by allowing string -+forms as well as numeric OIDs to be used for the attribute OID and -+attribute syntax OID. -+(See the -+.B olcObjectIdentifier -+description.) -+.RE -+ -+.HP -+.hy 0 -+.B olcLdapSyntaxes "(\ <oid>\ -+ [DESC\ <description>]\ -+ [X-SUBST <substitute-syntax>]\ )" -+.RS -+Specify an LDAP syntax using the LDAPv3 syntax defined in RFC 4512. -+The slapd parser extends the RFC 4512 definition by allowing string -+forms as well as numeric OIDs to be used for the syntax OID. -+(See the -+.B objectidentifier -+description.) -+The slapd parser also honors the -+.B X-SUBST -+extension (an OpenLDAP-specific extension), which allows one to use the -+.B olcLdapSyntaxes -+attribute to define a non-implemented syntax along with another syntax, -+the extension value -+.IR substitute-syntax , -+as its temporary replacement. -+The -+.I substitute-syntax -+must be defined. -+This allows one to define attribute types that make use of non-implemented syntaxes -+using the correct syntax OID. -+Unless -+.B X-SUBST -+is used, this configuration statement would result in an error, -+since no handlers would be associated to the resulting syntax structure. -+.RE -+ -+.HP -+.hy 0 -+.B olcObjectClasses: "(\ <oid>\ -+ [NAME\ <name>]\ -+ [DESC\ <description>]\ -+ [OBSOLETE]\ -+ [SUP\ <oids>]\ -+ [{ ABSTRACT | STRUCTURAL | AUXILIARY }]\ -+ [MUST\ <oids>] [MAY\ <oids>] )" -+.RS -+Specify an objectclass using the LDAPv3 syntax defined in RFC 4512. -+The slapd parser extends the RFC 4512 definition by allowing string -+forms as well as numeric OIDs to be used for the object class OID. -+(See the -+.B -+olcObjectIdentifier -+description.) Object classes are "STRUCTURAL" by default. -+.RE -+.TP -+.B olcObjectIdentifier: <name> "{ <oid> | <name>[:<suffix>] }" -+Define a string name that equates to the given OID. The string can be used -+in place of the numeric OID in objectclass and attribute definitions. The -+name can also be used with a suffix of the form ":xx" in which case the -+value "oid.xx" will be used. -+ -+.SH GENERAL BACKEND OPTIONS -+Options in these entries only apply to the configuration of a single -+type of backend. All backends may support this class of options, but -+currently only back-mdb does. -+The entry must be named -+.B olcBackend=<databasetype>,cn=config -+and must have the olcBackendConfig objectClass. -+<databasetype> -+should be one of -+.BR asyncmeta , -+.BR config , -+.BR dnssrv , -+.BR ldap , -+.BR ldif , -+.BR mdb , -+.BR meta , -+.BR monitor , -+.BR null , -+.BR passwd , -+.BR perl , -+.BR relay , -+.BR sock , -+.BR sql , -+or -+.BR wt . -+At present, only back-mdb implements any options of this type, so this -+entry should not be used for any other backends. -+ -+.SH DATABASE OPTIONS -+Database options are set in entries named -+.B olcDatabase={x}<databasetype>,cn=config -+and must have the olcDatabaseConfig objectClass. Normally the config -+engine generates the "{x}" index in the RDN automatically, so it -+can be omitted when initially loading these entries. -+ -+The special frontend database is always numbered "{-1}" and the config -+database is always numbered "{0}". -+ -+.SH GLOBAL DATABASE OPTIONS -+Options in this section may be set in the special "frontend" database -+and inherited in all the other databases. These options may be altered -+by further settings in each specific database. The frontend entry must -+be named -+.B olcDatabase=frontend,cn=config -+and must have the olcFrontendConfig objectClass. -+.TP -+.B olcAccess: to <what> "[ by <who> <access> <control> ]+" -+Grant access (specified by <access>) to a set of entries and/or -+attributes (specified by <what>) by one or more requestors (specified -+by <who>). -+If no access controls are present, the default policy -+allows anyone and everyone to read anything but restricts -+updates to rootdn. (e.g., "olcAccess: to * by * read"). -+See -+.BR slapd.access (5) -+and the "OpenLDAP Administrator's Guide" for details. -+ -+Access controls set in the frontend are appended to any access -+controls set on the specific databases. -+The rootdn of a database can always read and write EVERYTHING -+in that database. -+ -+Extra special care must be taken with the access controls on the -+config database. Unlike other databases, the default policy for the -+config database is to only allow access to the rootdn. Regular users -+should not have read access, and write access should be granted very -+carefully to privileged administrators. -+ -+.TP -+.B olcDefaultSearchBase: <dn> -+Specify a default search base to use when client submits a -+non-base search request with an empty base DN. -+Base scoped search requests with an empty base DN are not affected. -+This setting is only allowed in the frontend entry. -+.TP -+.B olcExtraAttrs: <attr> -+Lists what attributes need to be added to search requests. -+Local storage backends return the entire entry to the frontend. -+The frontend takes care of only returning the requested attributes -+that are allowed by ACLs. -+However, features like access checking and so may need specific -+attributes that are not automatically returned by remote storage -+backends, like proxy backends and so on. -+.B <attr> -+is an attribute that is needed for internal purposes -+and thus always needs to be collected, even when not explicitly -+requested by clients. -+This attribute is multi-valued. -+.TP -+.B olcPasswordHash: <hash> [<hash>...] -+This option configures one or more hashes to be used in generation of user -+passwords stored in the userPassword attribute during processing of -+LDAP Password Modify Extended Operations (RFC 3062). -+The <hash> must be one of -+.BR {SSHA} , -+.BR {SHA} , -+.BR {SMD5} , -+.BR {MD5} , -+.BR {CRYPT} , -+and -+.BR {CLEARTEXT} . -+The default is -+.BR {SSHA} . -+ -+.B {SHA} -+and -+.B {SSHA} -+use the SHA-1 algorithm (FIPS 160-1), the latter with a seed. -+ -+.B {MD5} -+and -+.B {SMD5} -+use the MD5 algorithm (RFC 1321), the latter with a seed. -+ -+.B {CRYPT} -+uses the -+.BR crypt (3). -+ -+.B {CLEARTEXT} -+indicates that the new password should be -+added to userPassword as clear text. -+ -+Note that this option does not alter the normal user applications -+handling of userPassword during LDAP Add, Modify, or other LDAP operations. -+This setting is only allowed in the frontend entry. -+.TP -+.B olcReadOnly: TRUE | FALSE -+This option puts the database into "read-only" mode. Any attempts to -+modify the database will return an "unwilling to perform" error. By -+default, olcReadOnly is FALSE. Note that when this option is set -+TRUE on the frontend, it cannot be reset without restarting the -+server, since further writes to the config database will be rejected. -+.TP -+.B olcRequires: <conditions> -+Specify a set of conditions to require (default none). -+The directive may be specified globally and/or per-database; -+databases inherit global conditions, so per-database specifications -+are additive. -+.B bind -+requires bind operation prior to directory operations. -+.B LDAPv3 -+requires session to be using LDAP version 3. -+.B authc -+requires authentication prior to directory operations. -+.B SASL -+requires SASL authentication prior to directory operations. -+.B strong -+requires strong authentication prior to directory operations. -+The strong keyword allows protected "simple" authentication -+as well as SASL authentication. -+.B none -+may be used to require no conditions (useful to clear out globally -+set conditions within a particular database); it must occur first -+in the list of conditions. -+.TP -+.B olcRestrict: <oplist> -+Specify a list of operations that are restricted. -+Restrictions on a specific database override any frontend setting. -+Operations can be any of -+.BR add , -+.BR bind , -+.BR compare , -+.BR delete , -+.BR extended[=<OID>] , -+.BR modify , -+.BR rename , -+.BR search , -+or the special pseudo-operations -+.B read -+and -+.BR write , -+which respectively summarize read and write operations. -+The use of -+.I restrict write -+is equivalent to -+.I olcReadOnly: TRUE -+(see above). -+The -+.B extended -+keyword allows one to indicate the OID of the specific operation -+to be restricted. -+.TP -+.B olcSchemaDN: <dn> -+Specify the distinguished name for the subschema subentry that -+controls the entries on this server. The default is "cn=Subschema". -+.TP -+.B olcSecurity: <factors> -+Specify a set of security strength factors (separated by white space) -+to require (see -+.BR olcSaslSecprops 's -+.B minssf -+option for a description of security strength factors). -+The directive may be specified globally and/or per-database. -+.B ssf=<n> -+specifies the overall security strength factor. -+.B transport=<n> -+specifies the transport security strength factor. -+.B tls=<n> -+specifies the TLS security strength factor. -+.B sasl=<n> -+specifies the SASL security strength factor. -+.B update_ssf=<n> -+specifies the overall security strength factor to require for -+directory updates. -+.B update_transport=<n> -+specifies the transport security strength factor to require for -+directory updates. -+.B update_tls=<n> -+specifies the TLS security strength factor to require for -+directory updates. -+.B update_sasl=<n> -+specifies the SASL security strength factor to require for -+directory updates. -+.B simple_bind=<n> -+specifies the security strength factor required for -+.I simple -+username/password authentication. -+Note that the -+.B transport -+factor is measure of security provided by the underlying transport, -+e.g. ldapi:// (and eventually IPSEC). It is not normally used. -+.TP -+.B olcSizeLimit: {<integer>|unlimited} -+.TP -+.B olcSizeLimit: size[.{soft|hard}]=<integer> [...] -+Specify the maximum number of entries to return from a search operation. -+The default size limit is 500. -+Use -+.B unlimited -+to specify no limits. -+The second format allows a fine grain setting of the size limits. -+If no special qualifiers are specified, both soft and hard limits are set. -+Extra args can be added in the same value. -+Additional qualifiers are available; see -+.BR olcLimits -+for an explanation of all of the different flags. -+.TP -+.B olcSortVals: <attr> [...] -+Specify a list of multi-valued attributes whose values will always -+be maintained in sorted order. Using this option will allow Modify, -+Compare, and filter evaluations on these attributes to be performed -+more efficiently. The resulting sort order depends on the -+attributes' syntax and matching rules and may not correspond to -+lexical order or any other recognizable order. -+This setting is only allowed in the frontend entry. -+.TP -+.B olcTimeLimit: {<integer>|unlimited} -+.TP -+.B olcTimeLimit: time[.{soft|hard}]=<integer> [...] -+Specify the maximum number of seconds (in real time) -+.B slapd -+will spend answering a search request. The default time limit is 3600. -+Use -+.B unlimited -+to specify no limits. -+The second format allows a fine grain setting of the time limits. -+Extra args can be added in the same value. See -+.BR olcLimits -+for an explanation of the different flags. -+ -+.SH GENERAL DATABASE OPTIONS -+Options in this section only apply to the specific database for -+which they are defined. They are supported by every -+type of backend. All of the Global Database Options may also be -+used here. -+.TP -+.B olcAddContentAcl: TRUE | FALSE -+Controls whether Add operations will perform ACL checks on -+the content of the entry being added. This check is off -+by default. See the -+.BR slapd.access (5) -+manual page for more details on ACL requirements for -+Add operations. -+.TP -+.B olcHidden: TRUE | FALSE -+Controls whether the database will be used to answer -+queries. A database that is hidden will never be -+selected to answer any queries, and any suffix configured -+on the database will be ignored in checks for conflicts -+with other databases. By default, olcHidden is FALSE. -+.TP -+.B olcLastMod: TRUE | FALSE -+Controls whether -+.B slapd -+will automatically maintain the -+modifiersName, modifyTimestamp, creatorsName, and -+createTimestamp attributes for entries. It also controls -+the entryCSN and entryUUID attributes, which are needed -+by the syncrepl provider. By default, olcLastMod is TRUE. -+.TP -+.B olcLastBind: TRUE | FALSE -+Controls whether -+.B slapd -+will automatically maintain the pwdLastSuccess attribute for -+entries. By default, olcLastBind is FALSE. -+.TP -+.B olcLastBindPrecision: <integer> -+If olcLastBind is enabled, specifies how frequently pwdLastSuccess -+will be updated. More than -+.B integer -+seconds must have passed since the last successful bind. In a -+replicated environment with frequent bind activity it may be -+useful to set this to a large value. -+.TP -+.B olcLimits: <selector> <limit> [<limit> [...]] -+Specify time and size limits based on the operation's initiator or -+base DN. -+The argument -+.B <selector> -+can be any of -+.RS -+.RS -+.TP -+anonymous | users | [<dnspec>=]<pattern> | group[/oc[/at]]=<pattern> -+ -+.RE -+with -+.RS -+.TP -+<dnspec> ::= dn[.<type>][.<style>] -+.TP -+<type> ::= self | this -+.TP -+<style> ::= exact | base | onelevel | subtree | children | regex | anonymous -+ -+.RE -+DN type -+.B self -+is the default and means the bound user, while -+.B this -+means the base DN of the operation. -+The term -+.B anonymous -+matches all unauthenticated clients. -+The term -+.B users -+matches all authenticated clients; -+otherwise an -+.B exact -+dn pattern is assumed unless otherwise specified by qualifying -+the (optional) key string -+.B dn -+with -+.B exact -+or -+.B base -+(which are synonyms), to require an exact match; with -+.BR onelevel , -+to require exactly one level of depth match; with -+.BR subtree , -+to allow any level of depth match, including the exact match; with -+.BR children , -+to allow any level of depth match, not including the exact match; -+.BR regex -+explicitly requires the (default) match based on POSIX (''extended'') -+regular expression pattern. -+Finally, -+.B anonymous -+matches unbound operations; the -+.B pattern -+field is ignored. -+The same behavior is obtained by using the -+.B anonymous -+form of the -+.B <selector> -+clause. -+The term -+.BR group , -+with the optional objectClass -+.B oc -+and attributeType -+.B at -+fields, followed by -+.BR pattern , -+sets the limits for any DN listed in the values of the -+.B at -+attribute (default -+.BR member ) -+of the -+.B oc -+group objectClass (default -+.BR groupOfNames ) -+whose DN exactly matches -+.BR pattern . -+ -+The currently supported limits are -+.B size -+and -+.BR time . -+ -+The syntax for time limits is -+.BR time[.{soft|hard}]=<integer> , -+where -+.I integer -+is the number of seconds slapd will spend answering a search request. -+If no time limit is explicitly requested by the client, the -+.BR soft -+limit is used; if the requested time limit exceeds the -+.BR hard -+."limit, an -+.".I "Administrative limit exceeded" -+."error is returned. -+limit, the value of the limit is used instead. -+If the -+.BR hard -+limit is set to the keyword -+.IR soft , -+the soft limit is used in either case; if it is set to the keyword -+.IR unlimited , -+no hard limit is enforced. -+Explicit requests for time limits smaller or equal to the -+.BR hard -+limit are honored. -+If no limit specifier is set, the value is assigned to the -+.BR soft -+limit, and the -+.BR hard -+limit is set to -+.IR soft , -+to preserve the original behavior. -+ -+The syntax for size limits is -+.BR size[.{soft|hard|unchecked}]=<integer> , -+where -+.I integer -+is the maximum number of entries slapd will return answering a search -+request. -+If no size limit is explicitly requested by the client, the -+.BR soft -+limit is used; if the requested size limit exceeds the -+.BR hard -+."limit, an -+.".I "Administrative limit exceeded" -+."error is returned. -+limit, the value of the limit is used instead. -+If the -+.BR hard -+limit is set to the keyword -+.IR soft , -+the soft limit is used in either case; if it is set to the keyword -+.IR unlimited , -+no hard limit is enforced. -+Explicit requests for size limits smaller or equal to the -+.BR hard -+limit are honored. -+The -+.BR unchecked -+specifier sets a limit on the number of candidates a search request is allowed -+to examine. -+The rationale behind it is that searches for non-properly indexed -+attributes may result in large sets of candidates, which must be -+examined by -+.BR slapd (8) -+to determine whether they match the search filter or not. -+The -+.B unchecked -+limit provides a means to drop such operations before they are even -+started. -+If the selected candidates exceed the -+.BR unchecked -+limit, the search will abort with -+.IR "Unwilling to perform" . -+If it is set to the keyword -+.IR unlimited , -+no limit is applied (the default). -+If it is set to -+.IR disabled , -+the search is not even performed; this can be used to disallow searches -+for a specific set of users. -+If no limit specifier is set, the value is assigned to the -+.BR soft -+limit, and the -+.BR hard -+limit is set to -+.IR soft , -+to preserve the original behavior. -+ -+In case of no match, the global limits are used. -+The default values are the same as for -+.B olcSizeLimit -+and -+.BR olcTimeLimit ; -+no limit is set on -+.BR unchecked . -+ -+If -+.B pagedResults -+control is requested, the -+.B hard -+size limit is used by default, because the request of a specific page size -+is considered an explicit request for a limitation on the number -+of entries to be returned. -+However, the size limit applies to the total count of entries returned within -+the search, and not to a single page. -+Additional size limits may be enforced; the syntax is -+.BR size.pr={<integer>|noEstimate|unlimited} , -+where -+.I integer -+is the max page size if no explicit limit is set; the keyword -+.I noEstimate -+inhibits the server from returning an estimate of the total number -+of entries that might be returned -+(note: the current implementation does not return any estimate). -+The keyword -+.I unlimited -+indicates that no limit is applied to the pagedResults control page size. -+The syntax -+.B size.prtotal={<integer>|hard|unlimited|disabled} -+allows one to set a limit on the total number of entries that the pagedResults -+control will return. -+By default it is set to the -+.B hard -+limit which will use the size.hard value. -+When set, -+.I integer -+is the max number of entries that the whole search with pagedResults control -+can return. -+Use -+.I unlimited -+to allow unlimited number of entries to be returned, e.g. to allow -+the use of the pagedResults control as a means to circumvent size -+limitations on regular searches; the keyword -+.I disabled -+disables the control, i.e. no paged results can be returned. -+Note that the total number of entries returned when the pagedResults control -+is requested cannot exceed the -+.B hard -+size limit of regular searches unless extended by the -+.B prtotal -+switch. -+ -+The \fBolcLimits\fP statement is typically used to let an unlimited -+number of entries be returned by searches performed -+with the identity used by the consumer for synchronization purposes -+by means of the RFC 4533 LDAP Content Synchronization protocol -+(see \fBolcSyncrepl\fP for details). -+ -+When using subordinate databases, it is necessary for any limits that -+are to be applied across the parent and its subordinates to be defined in -+both the parent and its subordinates. Otherwise the settings on the -+subordinate databases are not honored. -+.RE -+.TP -+.B olcMaxDerefDepth: <depth> -+Specifies the maximum number of aliases to dereference when trying to -+resolve an entry, used to avoid infinite alias loops. The default is 15. -+.TP -+.B olcMultiProvider: TRUE | FALSE -+This option puts a consumer database into Multi-Provider mode. Update -+operations will be accepted from any user, not just the updatedn. The -+database must already be configured as a syncrepl consumer -+before this keyword may be set. This mode also requires a -+.B olcServerID -+(see above) to be configured. -+By default, this setting is FALSE. -+.TP -+.B olcMonitoring: TRUE | FALSE -+This option enables database-specific monitoring in the entry related -+to the current database in the "cn=Databases,cn=Monitor" subtree -+of the monitor database, if the monitor database is enabled. -+Currently, only the MDB database provides database-specific monitoring. -+If monitoring is supported by the backend it defaults to TRUE, otherwise -+FALSE. -+.TP -+.B olcPlugin: <plugin_type> <lib_path> <init_function> [<arguments>] -+Configure a SLAPI plugin. See the -+.BR slapd.plugin (5) -+manpage for more details. -+.TP -+.B olcRootDN: <dn> -+Specify the distinguished name that is not subject to access control -+or administrative limit restrictions for operations on this database. -+This DN may or may not be associated with an entry. An empty root -+DN (the default) specifies no root access is to be granted. It is -+recommended that the rootdn only be specified when needed (such as -+when initially populating a database). If the rootdn is within -+a namingContext (suffix) of the database, a simple bind password -+may also be provided using the -+.B olcRootPW -+directive. Many optional features, including syncrepl, require the -+rootdn to be defined for the database. -+The -+.B olcRootDN -+of the -+.B cn=config -+database defaults to -+.B cn=config -+itself. -+.TP -+.B olcRootPW: <password> -+Specify a password (or hash of the password) for the rootdn. The -+password can only be set if the rootdn is within the namingContext -+(suffix) of the database. -+This option accepts all RFC 2307 userPassword formats known to -+the server (see -+.B olcPasswordHash -+description) as well as cleartext. -+.BR slappasswd (8) -+may be used to generate a hash of a password. Cleartext -+and \fB{CRYPT}\fP passwords are not recommended. If empty -+(the default), authentication of the root DN is by other means -+(e.g. SASL). Use of SASL is encouraged. -+.TP -+.B olcSubordinate: [TRUE | FALSE | advertise] -+Specify that the current backend database is a subordinate of another -+backend database. A subordinate database may have only one suffix. This -+option may be used to glue multiple databases into a single namingContext. -+If the suffix of the current database is within the namingContext of a -+superior database, searches against the superior database will be -+propagated to the subordinate as well. All of the databases -+associated with a single namingContext should have identical rootdns. -+Behavior of other LDAP operations is unaffected by this setting. In -+particular, it is not possible to use moddn to move an entry from -+one subordinate to another subordinate within the namingContext. -+ -+If the optional \fBadvertise\fP flag is supplied, the naming context of -+this database is advertised in the root DSE. The default is to hide this -+database context, so that only the superior context is visible. -+ -+If the slap tools -+.BR slapcat (8), -+.BR slapadd (8), -+.BR slapmodify (8), -+or -+.BR slapindex (8) -+are used on the superior database, any glued subordinates that support -+these tools are opened as well. -+ -+Databases that are glued together should usually be configured with the -+same indices (assuming they support indexing), even for attributes that -+only exist in some of these databases. In general, all of the glued -+databases should be configured as similarly as possible, since the intent -+is to provide the appearance of a single directory. -+ -+Note that the subordinate functionality is implemented internally -+by the \fIglue\fP overlay and as such its behavior will interact with other -+overlays in use. By default, the glue overlay is automatically configured as -+the last overlay on the superior database. Its position on the database -+can be explicitly configured by setting an \fBoverlay glue\fP directive -+at the desired position. This explicit configuration is necessary e.g. -+when using the \fIsyncprov\fP overlay, which needs to follow \fIglue\fP -+in order to work over all of the glued databases. E.g. -+.RS -+.nf -+ dn: olcDatabase={1}mdb,cn=config -+ olcSuffix: dc=example,dc=com -+ ... -+ -+ dn: olcOverlay={0}glue,olcDatabase={1}mdb,cn=config -+ ... -+ -+ dn: olcOverlay={1}syncprov,olcDatabase={1}mdb,cn=config -+ ... -+.fi -+.RE -+See the Overlays section below for more details. -+.TP -+.B olcSuffix: <dn suffix> -+Specify the DN suffix of queries that will be passed to this -+backend database. Multiple suffix lines can be given and at least one is -+required for each database definition. -+ -+If the suffix of one database is "inside" that of another, the database -+with the inner suffix must come first in the configuration file. -+You may also want to glue such databases together with the -+.B olcSubordinate -+attribute. -+.TP -+.B olcSyncUseSubentry: TRUE | FALSE -+Store the syncrepl contextCSN in a subentry instead of the context entry -+of the database. The subentry's RDN will be "cn=ldapsync". The default is -+FALSE, meaning the contextCSN is stored in the context entry. -+.HP -+.hy 0 -+.B olcSyncrepl: rid=<replica ID> -+.B provider=ldap[s]://<hostname>[:port] -+.B searchbase=<base DN> -+.B [type=refreshOnly|refreshAndPersist] -+.B [interval=dd:hh:mm:ss] -+.B [retry=[<retry interval> <# of retries>]+] -+.B [filter=<filter str>] -+.B [scope=sub|one|base|subord] -+.B [attrs=<attr list>] -+.B [exattrs=<attr list>] -+.B [attrsonly] -+.B [sizelimit=<limit>] -+.B [timelimit=<limit>] -+.B [schemachecking=on|off] -+.B [network-timeout=<seconds>] -+.B [timeout=<seconds>] -+.B [tcp-user-timeout=<milliseconds>] -+.B [bindmethod=simple|sasl] -+.B [binddn=<dn>] -+.B [saslmech=<mech>] -+.B [authcid=<identity>] -+.B [authzid=<identity>] -+.B [credentials=<passwd>] -+.B [realm=<realm>] -+.B [secprops=<properties>] -+.B [keepalive=<idle>:<probes>:<interval>] -+.B [starttls=yes|critical] -+.B [tls_cert=<file>] -+.B [tls_key=<file>] -+.B [tls_cacert=<file>] -+.B [tls_cacertdir=<path>] -+.B [tls_reqcert=never|allow|try|demand] -+.B [tls_reqsan=never|allow|try|demand] -+.B [tls_cipher_suite=<ciphers>] -+.B [tls_ecname=<names>] -+.B [tls_crlcheck=none|peer|all] -+.B [tls_protocol_min=<major>[.<minor>]] -+.B [suffixmassage=<real DN>] -+.B [logbase=<base DN>] -+.B [logfilter=<filter str>] -+.B [syncdata=default|accesslog|changelog] -+.B [lazycommit] -+.RS -+Specify the current database as a consumer which is kept up-to-date with the -+provider content by establishing the current -+.BR slapd (8) -+as a replication consumer site running a -+.B syncrepl -+replication engine. -+The consumer content is kept synchronized to the provider content using -+the LDAP Content Synchronization protocol. Refer to the -+"OpenLDAP Administrator's Guide" for detailed information on -+setting up a replicated -+.B slapd -+directory service using the -+.B syncrepl -+replication engine. -+ -+.B rid -+identifies the current -+.B syncrepl -+directive within the replication consumer site. -+It is a non-negative integer not greater than 999 (limited -+to three decimal digits). -+ -+.B provider -+specifies the replication provider site containing the provider content -+as an LDAP URI. If <port> is not given, the standard LDAP port number -+(389 or 636) is used. -+ -+The content of the -+.B syncrepl -+consumer is defined using a search -+specification as its result set. The consumer -+.B slapd -+will send search requests to the provider -+.B slapd -+according to the search specification. The search specification includes -+.BR searchbase ", " scope ", " filter ", " attrs ", " attrsonly ", " sizelimit ", " -+and -+.B timelimit -+parameters as in the normal search specification. The -+.B exattrs -+option may also be used to specify attributes that should be omitted -+from incoming entries. -+The \fBscope\fP defaults to \fBsub\fP, the \fBfilter\fP defaults to -+\fB(objectclass=*)\fP, and there is no default \fBsearchbase\fP. The -+\fBattrs\fP list defaults to \fB"*,+"\fP to return all user and operational -+attributes, and \fBattrsonly\fP and \fBexattrs\fP are unset by default. -+The \fBsizelimit\fP and \fBtimelimit\fP only -+accept "unlimited" and positive integers, and both default to "unlimited". -+The \fBsizelimit\fP and \fBtimelimit\fP parameters define -+a consumer requested limitation on the number of entries that can be returned -+by the LDAP Content Synchronization operation; these should be left unchanged -+from the default otherwise replication may never succeed. -+Note, however, that any provider-side limits for the replication identity -+will be enforced by the provider regardless of the limits requested -+by the LDAP Content Synchronization operation, much like for any other -+search operation. -+ -+The LDAP Content Synchronization protocol has two operation types. -+In the -+.B refreshOnly -+operation, the next synchronization search operation -+is periodically rescheduled at an interval time (specified by -+.B interval -+parameter; 1 day by default) -+after each synchronization operation finishes. -+In the -+.B refreshAndPersist -+operation, a synchronization search remains persistent in the provider slapd. -+Further updates to the provider will generate -+.B searchResultEntry -+to the consumer slapd as the search responses to the persistent -+synchronization search. If the initial search fails due to an error, the -+next synchronization search operation is periodically rescheduled at an -+interval time (specified by -+.B interval -+parameter; 1 day by default) -+ -+If an error occurs during replication, the consumer will attempt to -+reconnect according to the -+.B retry -+parameter which is a list of the <retry interval> and <# of retries> pairs. -+For example, retry="60 10 300 3" lets the consumer retry every 60 seconds -+for the first 10 times and then retry every 300 seconds for the next 3 -+times before stop retrying. The `+' in <# of retries> means indefinite -+number of retries until success. -+If no -+.B retry -+is specified, by default syncrepl retries every hour forever. -+ -+The schema checking can be enforced at the LDAP Sync -+consumer site by turning on the -+.B schemachecking -+parameter. The default is \fBoff\fP. -+Schema checking \fBon\fP means that replicated entries must have -+a structural objectClass, must obey to objectClass requirements -+in terms of required/allowed attributes, and that naming attributes -+and distinguished values must be present. -+As a consequence, schema checking should be \fBoff\fP when partial -+replication is used. -+ -+The -+.B network-timeout -+parameter sets how long the consumer will wait to establish a -+network connection to the provider. Once a connection is -+established, the -+.B timeout -+parameter determines how long the consumer will wait for the initial -+Bind request to complete. The defaults for these parameters come -+from -+.BR ldap.conf (5). -+The -+.B tcp-user-timeout -+parameter, if non-zero, corresponds to the -+.B TCP_USER_TIMEOUT -+set on the target connections, overriding the operating system setting. -+Only some systems support the customization of this parameter, it is -+ignored otherwise and system-wide settings are used. -+ -+A -+.B bindmethod -+of -+.B simple -+requires the options -+.B binddn -+and -+.B credentials -+and should only be used when adequate security services -+(e.g. TLS or IPSEC) are in place. -+.B REMEMBER: simple bind credentials must be in cleartext! -+A -+.B bindmethod -+of -+.B sasl -+requires the option -+.B saslmech. -+Depending on the mechanism, an authentication identity and/or -+credentials can be specified using -+.B authcid -+and -+.B credentials. -+The -+.B authzid -+parameter may be used to specify an authorization identity. -+Specific security properties (as with the -+.B sasl-secprops -+keyword above) for a SASL bind can be set with the -+.B secprops -+option. A non default SASL realm can be set with the -+.B realm -+option. -+The identity used for synchronization by the consumer should be allowed -+to receive an unlimited number of entries in response to a search request. -+The provider, other than allowing authentication of the syncrepl identity, -+should grant that identity appropriate access privileges to the data -+that is being replicated (\fBaccess\fP directive), and appropriate time -+and size limits. -+This can be accomplished by either allowing unlimited \fBsizelimit\fP -+and \fBtimelimit\fP, or by setting an appropriate \fBlimits\fP statement -+in the consumer's configuration (see \fBsizelimit\fP and \fBlimits\fP -+for details). -+ -+The -+.B keepalive -+parameter sets the values of \fIidle\fP, \fIprobes\fP, and \fIinterval\fP -+used to check whether a socket is alive; -+.I idle -+is the number of seconds a connection needs to remain idle before TCP -+starts sending keepalive probes; -+.I probes -+is the maximum number of keepalive probes TCP should send before dropping -+the connection; -+.I interval -+is interval in seconds between individual keepalive probes. -+Only some systems support the customization of these values; -+the -+.B keepalive -+parameter is ignored otherwise, and system-wide settings are used. -+ -+The -+.B starttls -+parameter specifies use of the StartTLS extended operation -+to establish a TLS session before Binding to the provider. If the -+.B critical -+argument is supplied, the session will be aborted if the StartTLS request -+fails. Otherwise the syncrepl session continues without TLS. The -+.B tls_reqcert -+setting defaults to "demand", the -+.B tls_reqsan -+setting defaults to "allow", and the other TLS settings -+default to the same as the main slapd TLS settings. -+ -+The -+.B suffixmassage -+parameter allows the consumer to pull entries from a remote directory -+whose DN suffix differs from the local directory. The portion of the -+remote entries' DNs that matches the \fIsearchbase\fP will be replaced -+with the suffixmassage DN. -+ -+Rather than replicating whole entries, the consumer can query logs of -+data modifications. This mode of operation is referred to as \fIdelta -+syncrepl\fP. In addition to the above parameters, the -+.B logbase -+and -+.B logfilter -+parameters must be set appropriately for the log that will be used. The -+.B syncdata -+parameter must be set to either "accesslog" if the log conforms to the -+.BR slapo-accesslog (5) -+log format, or "changelog" if the log conforms -+to the obsolete \fIchangelog\fP format. If the -+.B syncdata -+parameter is omitted or set to "default" then the log parameters are -+ignored. -+ -+The -+.B lazycommit -+parameter tells the underlying database that it can store changes without -+performing a full flush after each change. This may improve performance -+for the consumer, while sacrificing safety or durability. -+.RE -+.TP -+.B olcUpdateDN: <dn> -+This option is only applicable in a replica -+database. -+It specifies the DN permitted to update (subject to access controls) -+the replica. It is only needed in certain push-mode -+replication scenarios. Generally, this DN -+.I should not -+be the same as the -+.B rootdn -+used at the provider. -+.TP -+.B olcUpdateRef: <url> -+Specify the referral to pass back when -+.BR slapd (8) -+is asked to modify a replicated local database. -+If multiple values are specified, each url is provided. -+ -+.SH DATABASE-SPECIFIC OPTIONS -+Each database may allow specific configuration options; they are -+documented separately in the backends' manual pages. See the -+.BR slapd.backends (5) -+manual page for an overview of available backends. -+.SH OVERLAYS -+An overlay is a piece of -+code that intercepts database operations in order to extend or change -+them. Overlays are pushed onto -+a stack over the database, and so they will execute in the reverse -+of the order in which they were configured and the database itself -+will receive control last of all. -+ -+Overlays must be configured as child entries of a specific database. The -+entry's RDN must be of the form -+.B olcOverlay={x}<overlaytype> -+and the entry must have the olcOverlayConfig objectClass. Normally the -+config engine generates the "{x}" index in the RDN automatically, so -+it can be omitted when initially loading these entries. -+ -+See the -+.BR slapd.overlays (5) -+manual page for an overview of available overlays. -+.SH EXAMPLES -+.LP -+Here is a short example of a configuration in LDIF suitable for use with -+.BR slapadd (8) -+: -+.LP -+.RS -+.nf -+dn: cn=config -+objectClass: olcGlobal -+cn: config -+olcPidFile: LOCALSTATEDIR/run/slapd.pid -+olcAttributeOptions: x-hidden lang- -+ -+dn: cn=schema,cn=config -+objectClass: olcSchemaConfig -+cn: schema -+ -+include: file://SYSCONFDIR/schema/core.ldif -+ -+dn: olcDatabase=frontend,cn=config -+objectClass: olcDatabaseConfig -+objectClass: olcFrontendConfig -+olcDatabase: frontend -+# Subtypes of "name" (e.g. "cn" and "ou") with the -+# option ";x-hidden" can be searched for/compared, -+# but are not shown. See \fBslapd.access\fP(5). -+olcAccess: to attrs=name;x-hidden by * =cs -+# Protect passwords. See \fBslapd.access\fP(5). -+olcAccess: to attrs=userPassword by * auth -+# Read access to other attributes and entries. -+olcAccess: to * by * read -+ -+# set a rootpw for the config database so we can bind. -+# deny access to everyone else. -+dn: olcDatabase=config,cn=config -+objectClass: olcDatabaseConfig -+olcDatabase: config -+olcRootPW: {SSHA}XKYnrjvGT3wZFQrDD5040US592LxsdLy -+olcAccess: to * by * none -+ -+dn: olcDatabase=mdb,cn=config -+objectClass: olcDatabaseConfig -+objectClass: olcMdbConfig -+olcDatabase: mdb -+olcSuffix: "dc=our-domain,dc=com" -+# The database directory MUST exist prior to -+# running slapd AND should only be accessible -+# by the slapd/tools. Mode 0700 recommended. -+olcDbDirectory: LOCALSTATEDIR/openldap-data -+# Indices to maintain -+olcDbIndex: objectClass eq -+olcDbIndex: cn,sn,mail pres,eq,approx,sub -+ -+# We serve small clients that do not handle referrals, -+# so handle remote lookups on their behalf. -+dn: olcDatabase=ldap,cn=config -+objectClass: olcDatabaseConfig -+objectClass: olcLdapConfig -+olcDatabase: ldap -+olcSuffix: "" -+olcDbUri: ldap://ldap.some-server.com/ -+.fi -+.RE -+.LP -+Assuming the above data was saved in a file named "config.ldif" and the -+ETCDIR/slapd.d directory has been created, this command will initialize -+the configuration: -+.RS -+.nf -+slapadd -F ETCDIR/slapd.d -n 0 -l config.ldif -+.fi -+.RE -+ -+.LP -+"OpenLDAP Administrator's Guide" contains a longer annotated -+example of a slapd configuration. -+ -+Alternatively, an existing slapd.conf file can be converted to the new -+format using slapd or any of the slap tools: -+.RS -+.nf -+slaptest -f ETCDIR/slapd.conf -F ETCDIR/slapd.d -+.fi -+.RE -+ -+.SH FILES -+.TP -+ETCDIR/slapd.conf -+default slapd configuration file -+.TP -+ETCDIR/slapd.d -+default slapd configuration directory -+.SH SEE ALSO -+.BR ldap (3), -+.BR ldif (5), -+.BR gnutls-cli (1), -+.BR slapd.access (5), -+.BR slapd.backends (5), -+.BR slapd.conf (5), -+.BR slapd.overlays (5), -+.BR slapd.plugin (5), -+.BR slapd (8), -+.BR slapacl (8), -+.BR slapadd (8), -+.BR slapauth (8), -+.BR slapcat (8), -+.BR slapdn (8), -+.BR slapindex (8), -+.BR slapmodify (8), -+.BR slappasswd (8), -+.BR slaptest (8). -+.LP -+"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) -+.SH ACKNOWLEDGEMENTS -+.so ../Project -diff -Naurp openldap-2.6.2.orig/include/ldap_defaults.h openldap-2.6.2/include/ldap_defaults.h ---- openldap-2.6.2.orig/include/ldap_defaults.h 2022-05-04 16:55:23.000000000 +0200 -+++ openldap-2.6.2/include/ldap_defaults.h 2022-05-05 12:07:08.783961875 +0200 -@@ -40,7 +40,8 @@ - - /* default ldapi:// socket */ - #ifndef LDAPI_SOCK --#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi" -+#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "openldap" LDAP_DIRSEP "ldapi" -+ - #endif - - /* -@@ -54,7 +55,8 @@ - #define SLAPD_DEFAULT_CONFIGDIR LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.d" - #endif - #ifndef SLAPD_DEFAULT_DB_DIR --#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "openldap-data" -+#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "lib" LDAP_DIRSEP "openldap" -+ - #endif - #define SLAPD_DEFAULT_DB_MODE 0600 - /* default max deref depth for aliases */ -diff -Naurp openldap-2.6.2.orig/libraries/liblber/Makefile.in openldap-2.6.2/libraries/liblber/Makefile.in ---- openldap-2.6.2.orig/libraries/liblber/Makefile.in 2022-05-04 16:55:23.000000000 +0200 -+++ openldap-2.6.2/libraries/liblber/Makefile.in 2022-05-05 12:05:53.313727757 +0200 -@@ -51,6 +51,6 @@ idtest: $(XLIBS) idtest.o - - install-local: FORCE - -$(MKDIR) $(DESTDIR)$(libdir) -- $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir) -+ $(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir) - $(LTFINISH) $(DESTDIR)$(libdir) - -diff -Naurp openldap-2.6.2.orig/libraries/libldap/Makefile.in openldap-2.6.2/libraries/libldap/Makefile.in ---- openldap-2.6.2.orig/libraries/libldap/Makefile.in 2022-05-04 16:55:23.000000000 +0200 -+++ openldap-2.6.2/libraries/libldap/Makefile.in 2022-05-05 12:05:53.327727801 +0200 -@@ -82,7 +82,7 @@ CFFILES=ldap.conf - - install-local: $(CFFILES) FORCE - -$(MKDIR) $(DESTDIR)$(libdir) -- $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir) -+ $(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir) - $(LTFINISH) $(DESTDIR)$(libdir) - -$(MKDIR) $(DESTDIR)$(sysconfdir) - @for i in $(CFFILES); do \ -diff -Naurp openldap-2.6.2.orig/servers/slapd/Makefile.in openldap-2.6.2/servers/slapd/Makefile.in ---- openldap-2.6.2.orig/servers/slapd/Makefile.in 2022-05-04 16:55:23.000000000 +0200 -+++ openldap-2.6.2/servers/slapd/Makefile.in 2022-05-05 12:05:53.329727807 +0200 -@@ -374,9 +374,10 @@ install-local-srv: install-slapd install - - install-slapd: FORCE - -$(MKDIR) $(DESTDIR)$(libexecdir) -+ -$(MKDIR) $(DESTDIR)$(sbindir) - -$(MKDIR) $(DESTDIR)$(localstatedir)/run - $(LTINSTALL) $(INSTALLFLAGS) $(STRIP_OPTS) -m 755 \ -- slapd$(EXEEXT) $(DESTDIR)$(libexecdir) -+ slapd$(EXEEXT) $(DESTDIR)$(sbindir) - @for i in $(SUBDIRS); do \ - if test -d $$i && test -f $$i/Makefile ; then \ - echo; echo " cd $$i && $(MAKE) $(MFLAGS) install"; \ -@@ -452,9 +453,9 @@ install-conf: FORCE - - install-db-config: FORCE - @-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir) -- @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data -+ @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/lib/openldap - $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \ -- $(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example -+ $(DESTDIR)$(localstatedir)/lib/openldap/DB_CONFIG.example - $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \ - $(DESTDIR)$(sysconfdir)/DB_CONFIG.example - -@@ -462,6 +463,6 @@ install-tools: FORCE - -$(MKDIR) $(DESTDIR)$(sbindir) - for i in $(SLAPTOOLS); do \ - $(RM) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \ -- $(LN_S) -f $(DESTDIR)$(libexecdir)/slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \ -+ $(LN_S) -f $(DESTDIR)$(sbindir)/slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \ - done - -diff -Naurp openldap-2.6.2.orig/servers/slapd/slapd.conf openldap-2.6.2/servers/slapd/slapd.conf ---- openldap-2.6.2.orig/servers/slapd/slapd.conf 2022-05-04 16:55:23.000000000 +0200 -+++ openldap-2.6.2/servers/slapd/slapd.conf 2022-05-05 12:05:53.331727813 +0200 -@@ -10,8 +10,9 @@ include %SYSCONFDIR%/schema/core.schema - # service AND an understanding of referrals. - #referral ldap://root.openldap.org - --pidfile %LOCALSTATEDIR%/run/slapd.pid --argsfile %LOCALSTATEDIR%/run/slapd.args -+pidfile %LOCALSTATEDIR%/run/openldap/slapd.pid -+argsfile %LOCALSTATEDIR%/run/openldap/slapd.args -+ - - # Load dynamic backend modules: - modulepath %MODULEDIR% -@@ -69,7 +70,7 @@ rootpw secret - # The database directory MUST exist prior to running slapd AND - # should only be accessible by the slapd and slap tools. - # Mode 700 recommended. --directory %LOCALSTATEDIR%/openldap-data -+directory %LOCALSTATEDIR%/lib/openldap - # Indices to maintain - index objectClass eq - -diff -Naurp openldap-2.6.2.orig/servers/slapd/slapd.ldif openldap-2.6.2/servers/slapd/slapd.ldif ---- openldap-2.6.2.orig/servers/slapd/slapd.ldif 2022-05-04 16:55:23.000000000 +0200 -+++ openldap-2.6.2/servers/slapd/slapd.ldif 2022-05-05 12:05:53.332727816 +0200 -@@ -9,8 +9,8 @@ cn: config - # - # Define global ACLs to disable default read access. - # --olcArgsFile: %LOCALSTATEDIR%/run/slapd.args --olcPidFile: %LOCALSTATEDIR%/run/slapd.pid -+olcArgsFile: %LOCALSTATEDIR%/run/openldap/slapd.args -+olcPidFile: %LOCALSTATEDIR%/run/openldap/slapd.pid - # - # Do not enable referrals until AFTER you have a working directory - # service AND an understanding of referrals. -@@ -88,7 +88,7 @@ olcRootPW: secret - # The database directory MUST exist prior to running slapd AND - # should only be accessible by the slapd and slap tools. - # Mode 700 recommended. --olcDbDirectory: %LOCALSTATEDIR%/openldap-data -+olcDbDirectory: %LOCALSTATEDIR%/lib/openldap - # Indices to maintain - olcDbIndex: objectClass eq - -diff -Naurp openldap-2.6.2.orig/servers/slapd/slapi/Makefile.in openldap-2.6.2/servers/slapd/slapi/Makefile.in ---- openldap-2.6.2.orig/servers/slapd/slapi/Makefile.in 2022-05-04 16:55:23.000000000 +0200 -+++ openldap-2.6.2/servers/slapd/slapi/Makefile.in 2022-05-05 12:05:53.333727819 +0200 -@@ -46,6 +46,6 @@ BUILD_MOD = @BUILD_SLAPI@ - install-local: FORCE - if test "$(BUILD_MOD)" = "yes"; then \ - $(MKDIR) $(DESTDIR)$(libdir); \ -- $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir); \ -+ $(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir); \ - fi - diff --git a/src/patches/openldap-2.6.8-consolidated-1.patch b/src/patches/openldap-2.6.8-consolidated-1.patch new file mode 100644 index 000000000..62dea2600 --- /dev/null +++ b/src/patches/openldap-2.6.8-consolidated-1.patch @@ -0,0 +1,175 @@ +Submitted by: Xi Ruoyao <xry111 at xry111 dot site> +Date: 2024-01-30 +Initial Package Version: 2.6.7 +Upstream Status: BLFS Specific +Origin: Armin K. <krejzi at email dot com> and Debian. + Rediffed multiple times by various editors. + For 2.6.7, manually edited to remove the bogus + ".orig" file creation, and change + %LOCALSTATEDIR%/run to /run because /var/run has + been deprecated. + +diff -Naurp openldap-2.6.2.orig/doc/man/man5/slapd.conf.5 openldap-2.6.2/doc/man/man5/slapd.conf.5 +--- openldap-2.6.2.orig/doc/man/man5/slapd.conf.5 2022-05-04 16:55:23.000000000 +0200 ++++ openldap-2.6.2/doc/man/man5/slapd.conf.5 2022-05-05 12:05:53.309727745 +0200 +@@ -2122,7 +2122,7 @@ suffix "dc=our-domain,dc=com" + # The database directory MUST exist prior to + # running slapd AND should only be accessible + # by the slapd/tools. Mode 0700 recommended. +-directory LOCALSTATEDIR/openldap-data ++directory LOCALSTATEDIR/lib/openldap + # Indices to maintain + index objectClass eq + index cn,sn,mail pres,eq,approx,sub +diff -Naurp openldap-2.6.2.orig/doc/man/man5/slapd-config.5 openldap-2.6.2/doc/man/man5/slapd-config.5 +--- openldap-2.6.2.orig/doc/man/man5/slapd-config.5 2022-05-04 16:55:23.000000000 +0200 ++++ openldap-2.6.2/doc/man/man5/slapd-config.5 2022-05-05 12:05:53.312727754 +0200 +@@ -2233,7 +2233,7 @@ olcSuffix: "dc=our-domain,dc=com" + # The database directory MUST exist prior to + # running slapd AND should only be accessible + # by the slapd/tools. Mode 0700 recommended. +-olcDbDirectory: LOCALSTATEDIR/openldap-data ++olcDbDirectory: LOCALSTATEDIR/lib/openldap + # Indices to maintain + olcDbIndex: objectClass eq + olcDbIndex: cn,sn,mail pres,eq,approx,sub + +diff -Naurp openldap-2.6.2.orig/include/ldap_defaults.h openldap-2.6.2/include/ldap_defaults.h +--- openldap-2.6.2.orig/include/ldap_defaults.h 2022-05-04 16:55:23.000000000 +0200 ++++ openldap-2.6.2/include/ldap_defaults.h 2022-05-05 12:07:08.783961875 +0200 +@@ -40,7 +40,8 @@ + + /* default ldapi:// socket */ + #ifndef LDAPI_SOCK +-#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi" ++#define LDAPI_SOCK "/run" LDAP_DIRSEP "openldap" LDAP_DIRSEP "ldapi" ++ + #endif + + /* +@@ -54,7 +55,8 @@ + #define SLAPD_DEFAULT_CONFIGDIR LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.d" + #endif + #ifndef SLAPD_DEFAULT_DB_DIR +-#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "openldap-data" ++#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "lib" LDAP_DIRSEP "openldap" ++ + #endif + #define SLAPD_DEFAULT_DB_MODE 0600 + /* default max deref depth for aliases */ +diff -Naurp openldap-2.6.2.orig/libraries/liblber/Makefile.in openldap-2.6.2/libraries/liblber/Makefile.in +--- openldap-2.6.2.orig/libraries/liblber/Makefile.in 2022-05-04 16:55:23.000000000 +0200 ++++ openldap-2.6.2/libraries/liblber/Makefile.in 2022-05-05 12:05:53.313727757 +0200 +@@ -51,6 +51,6 @@ idtest: $(XLIBS) idtest.o + + install-local: FORCE + -$(MKDIR) $(DESTDIR)$(libdir) +- $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir) ++ $(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir) + $(LTFINISH) $(DESTDIR)$(libdir) + +diff -Naurp openldap-2.6.2.orig/libraries/libldap/Makefile.in openldap-2.6.2/libraries/libldap/Makefile.in +--- openldap-2.6.2.orig/libraries/libldap/Makefile.in 2022-05-04 16:55:23.000000000 +0200 ++++ openldap-2.6.2/libraries/libldap/Makefile.in 2022-05-05 12:05:53.327727801 +0200 +@@ -82,7 +82,7 @@ CFFILES=ldap.conf + + install-local: $(CFFILES) FORCE + -$(MKDIR) $(DESTDIR)$(libdir) +- $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir) ++ $(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir) + $(LTFINISH) $(DESTDIR)$(libdir) + -$(MKDIR) $(DESTDIR)$(sysconfdir) + @for i in $(CFFILES); do \ +diff -Naurp openldap-2.6.2.orig/servers/slapd/Makefile.in openldap-2.6.2/servers/slapd/Makefile.in +--- openldap-2.6.2.orig/servers/slapd/Makefile.in 2022-05-04 16:55:23.000000000 +0200 ++++ openldap-2.6.2/servers/slapd/Makefile.in 2022-05-05 12:05:53.329727807 +0200 +@@ -374,9 +374,10 @@ install-local-srv: install-slapd install + + install-slapd: FORCE + -$(MKDIR) $(DESTDIR)$(libexecdir) ++ -$(MKDIR) $(DESTDIR)$(sbindir) + -$(MKDIR) $(DESTDIR)$(localstatedir)/run + $(LTINSTALL) $(INSTALLFLAGS) $(STRIP_OPTS) -m 755 \ +- slapd$(EXEEXT) $(DESTDIR)$(libexecdir) ++ slapd$(EXEEXT) $(DESTDIR)$(sbindir) + @for i in $(SUBDIRS); do \ + if test -d $$i && test -f $$i/Makefile ; then \ + echo; echo " cd $$i && $(MAKE) $(MFLAGS) install"; \ +@@ -452,9 +453,9 @@ install-conf: FORCE + + install-db-config: FORCE + @-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir) +- @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data ++ @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/lib/openldap + $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \ +- $(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example ++ $(DESTDIR)$(localstatedir)/lib/openldap/DB_CONFIG.example + $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \ + $(DESTDIR)$(sysconfdir)/DB_CONFIG.example + +@@ -462,6 +463,6 @@ install-tools: FORCE + -$(MKDIR) $(DESTDIR)$(sbindir) + for i in $(SLAPTOOLS); do \ + $(RM) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \ +- $(LN_S) -f $(DESTDIR)$(libexecdir)/slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \ ++ $(LN_S) -f $(DESTDIR)$(sbindir)/slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \ + done + +diff -Naurp openldap-2.6.2.orig/servers/slapd/slapd.conf openldap-2.6.2/servers/slapd/slapd.conf +--- openldap-2.6.2.orig/servers/slapd/slapd.conf 2022-05-04 16:55:23.000000000 +0200 ++++ openldap-2.6.2/servers/slapd/slapd.conf 2022-05-05 12:05:53.331727813 +0200 +@@ -10,8 +10,9 @@ include %SYSCONFDIR%/schema/core.schema + # service AND an understanding of referrals. + #referral ldap://root.openldap.org + +-pidfile %LOCALSTATEDIR%/run/slapd.pid +-argsfile %LOCALSTATEDIR%/run/slapd.args ++pidfile /run/openldap/slapd.pid ++argsfile /run/openldap/slapd.args ++ + + # Load dynamic backend modules: + modulepath %MODULEDIR% +@@ -69,7 +70,7 @@ rootpw secret + # The database directory MUST exist prior to running slapd AND + # should only be accessible by the slapd and slap tools. + # Mode 700 recommended. +-directory %LOCALSTATEDIR%/openldap-data ++directory %LOCALSTATEDIR%/lib/openldap + # Indices to maintain + index objectClass eq + +diff -Naurp openldap-2.6.2.orig/servers/slapd/slapd.ldif openldap-2.6.2/servers/slapd/slapd.ldif +--- openldap-2.6.2.orig/servers/slapd/slapd.ldif 2022-05-04 16:55:23.000000000 +0200 ++++ openldap-2.6.2/servers/slapd/slapd.ldif 2022-05-05 12:05:53.332727816 +0200 +@@ -9,8 +9,8 @@ cn: config + # + # Define global ACLs to disable default read access. + # +-olcArgsFile: %LOCALSTATEDIR%/run/slapd.args +-olcPidFile: %LOCALSTATEDIR%/run/slapd.pid ++olcArgsFile: /run/openldap/slapd.args ++olcPidFile: /run/openldap/slapd.pid + # + # Do not enable referrals until AFTER you have a working directory + # service AND an understanding of referrals. +@@ -88,7 +88,7 @@ olcRootPW: secret + # The database directory MUST exist prior to running slapd AND + # should only be accessible by the slapd and slap tools. + # Mode 700 recommended. +-olcDbDirectory: %LOCALSTATEDIR%/openldap-data ++olcDbDirectory: %LOCALSTATEDIR%/lib/openldap + # Indices to maintain + olcDbIndex: objectClass eq + +diff -Naurp openldap-2.6.2.orig/servers/slapd/slapi/Makefile.in openldap-2.6.2/servers/slapd/slapi/Makefile.in +--- openldap-2.6.2.orig/servers/slapd/slapi/Makefile.in 2022-05-04 16:55:23.000000000 +0200 ++++ openldap-2.6.2/servers/slapd/slapi/Makefile.in 2022-05-05 12:05:53.333727819 +0200 +@@ -46,6 +46,6 @@ BUILD_MOD = @BUILD_SLAPI@ + install-local: FORCE + if test "$(BUILD_MOD)" = "yes"; then \ + $(MKDIR) $(DESTDIR)$(libdir); \ +- $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir); \ ++ $(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir); \ + fi +