openldap: Update to version 2.6.1

Message ID 20220425124141.3437059-1-adolf.belka@ipfire.org
State Accepted
Commit c4f3bb4b08f5ee743cf984770d5f205cd75a7ec3
Series openldap: Update to version 2.6.1

Commit Message

Adolf Belka April 25, 2022, 12:41 p.m. UTC
- Update from version 2.4.49 to 2.6.1
- Update of rootfile
- Update of consolidated patch to 2.6.1
- Removal of old patches
- Changelog
   OpenLDAP 2.6.1 Release (2022/01/20)
	Fixed libldap to init client socket port (ITS#9743)
	Fixed libldap with referrals (ITS#9781)
	Added slapd config keyword for logfile format (ITS#9745)
	Fixed slapd to allow objectClass edits with no net change (ITS#9772)
	Fixed slapd configtable population (ITS#9576)
	Fixed slapd to only set loglevel in server mode (ITS#9715)
	Fixed slapd logfile-rotate use of uninitialized variable (ITS#9730)
	Fixed slapd passwd scheme handling with slapd.conf (ITS#9750)
	Fixed slapd postread support for modrdn (ITS#7080)
	Fixed slapd syncrepl recreation of deleted entries (ITS#9282)
	Fixed slapd syncrepl replication with ODSEE (ITS#9707)
	Fixed slapd syncrepl to properly replicate glue entries (ITS#9647)
	Fixed slapd syncrepl to reject REFRESH for precise resync (ITS#9742)
	Fixed slapd syncrepl to avoid busy loop during refresh (ITS#9584)
	Fixed slapd syncrepl when X-ORDERED is specified (ITS#9761)
	Fixed slapd syncrepl to better handle out of order delete ops (ITS#9751)
	Fixed slapd syncrepl to correctly close connections when config is deleted (ITS#9776)
	Fixed slapd-mdb to update indices correctly on replace ops (ITS#9753)
	Fixed slapd-wt to set correct flags (ITS#9760)
	Fixed slapo-accesslog to fix assertion due to deprecated code (ITS#9738)
	Fixed slapo-accesslog to fix inconsistently normalized minCSN (ITS#9752)
	Fixed slapo-accesslog delete handling of multi-valued config attrs (ITS#9493)
	Fixed slapo-autogroup to maintain values in insertion order (ITS#9766)
	Fixed slapo-constraint to maintain values in insertion order (ITS#9770)
	Fixed slapo-dyngroup to maintain values in insertion order (ITS#9762)
	Fixed slapo-dynlist compare operation for static groups (ITS#9747)
	Fixed slapo-dynlist static group filter with multiple members (ITS#9779)
	Fixed slapo-ppolicy when not built modularly (ITS#9733)
	Fixed slapo-refint to maintain values in insertion order (ITS#9763)
	Fixed slapo-retcode to honor requested insert position (ITS#9759)
	Fixed slapo-sock cn=config support (ITS#9758)
	Fixed slapo-syncprov memory leak (ITS#8039)
	Fixed slapo-syncprov to generate a more accurate accesslog query (ITS#9756)
	Fixed slapo-syncprov to allow empty DB to host persistent syncrepl connections (ITS#9691)
	Fixed slapo-syncprov to consider all deletes for syncInfo messages (ITS#5972)
	Fixed slapo-translucent to warn on invalid config (ITS#9768)
	Fixed slapo-unique to warn on invalid config (ITS#9767)
	Fixed slapo-valsort to maintain values in insertion order (ITS#9764)
	Build Environment
		Fix test022 to preserve DELAY search output (ITS#9718)
		Fix slapd-watcher to allow startup when servers are down (ITS#9727)
	Contrib
		Fixed slapo-lastbind to work with 2.6 lastbind-precision configuration (ITS#9725)
	Documentation
		Fixed slapd.conf(5)/slapd-config(5) documentation on lastbind-precision (ITS#9728)
		Fixed slapo-accesslog(5) to clarify logoldattr usage (ITS#9749)
   OpenLDAP 2.6.0 Release (2021/10/25)
	Initial release for "general use".
   OpenLDAP 2.5.7 Release (2021/08/18)
	Fixed lloadd client state tracking (ITS#9624)
	Fixed slapd bconfig to canonicalize structuralObjectclass (ITS#9611)
	Fixed slapd-ldif duplicate controls response (ITS#9497)
	Fixed slapd-mdb multival crash when attribute is missing an equality matchingrule (ITS#9621)
	Fixed slapd-mdb compatibility with OpenLDAP 2.4 MDB databases (ITS#8958)
	Fixed slapd-mdb idlexp maximum size handling (ITS#9637)
	Fixed slapd-monitor number of ops executing with asynchronous backends (ITS#9628)
	Fixed slapd-sql to add support for ppolicy attributes (ITS#9629)
	Fixed slapd-sql to close transactions after bind and search (ITS#9630)
	Fixed slapo-accesslog to make reqMod optional (ITS#9569)
	Fixed slapo-ppolicy logging when pwdChangedTime attribute is not present (ITS#9625)
	Documentation
		slapd-mdb(5) note max idlexp size is 30, not 31 (ITS#9637)
		slapo-accesslog(5) note that reqMod is optional (ITS#9569)
		Add ldapvc(1) man page (ITS#9549)
		Add guide section on load balancer (ITS#9443)
		Updated guide to document multiprovider as replacement for mirrormode (ITS#9200)
		Updated guide to clarify slapd-mdb upgrade requirements (ITS#9200)
		Updated guide to document removal of deprecated options from client tools (ITS#9200)
   OpenLDAP 2.5.6 Release (2021/07/27)
	Fixed libldap buffer overflow (ITS#9578)
	Fixed libldap missing mutex unlock on connection alloc failure (ITS#9590)
	Fixed lloadd cn=config olcBkLloadClientMaxPending setting (ITS#8747)
	Fixed slapd multiple config defaults (ITS#9363)
	Fixed slapd ipv6 addresses to work with tcp wrappers (ITS#9603)
	Fixed slapo-syncprov delete of nonexistent sessionlog (ITS#9608)
	Build
		Fixed library symbol versioning on Solaris (ITS#9591)
		Fixed compile warning in libldap/tpool.c (ITS#9601)
		Fixed compile warning in libldap/tls_o.c (ITS#9602)
	Contrib
		Fixed ppm module for sysconfdir (ITS#7832)
	Documentation
		Updated guide to document multival, idlexp, and maxentrysize (ITS#9613, ITS#9614)
   OpenLDAP 2.5.5 Release (2021/06/03)
	Added libldap LDAP_OPT_TCP_USER_TIMEOUT support (ITS#9502)
	Added lloadd tcp-user-timeout support (ITS#9502)
	Added slapd-asyncmeta tcp-user-timeout support (ITS#9502)
	Added slapd-ldap tcp-user-timeout support (ITS#9502)
	Added slapd-meta tcp-user-timeout support (ITS#9502)
	Fixed incorrect control OIDs for AuthZ Identity (ITS#9542)
	Fixed libldap typo in util-int.c (ITS#9541)
	Fixed libldap double free of LDAP_OPT_DEFBASE (ITS#9530)
	Fixed libldap better TLS1.3 cipher suite handling (ITS#9521, ITS#9546)
	Fixed lloadd multiple issues (ITS#8747)
	Fixed slapd slap_op_time to avoid duplicates across restarts (ITS#9537)
	Fixed slapd typo in daemon.c (ITS#9541)
	Fixed slapd slapi compilation (ITS#9544)
	Fixed slapd to handle empty DN in extended filters (ITS#9551)
	Fixed slapd syncrepl searches with empty base (ITS#6467)
	Fixed slapd syncrepl refresh on startup (ITS#9324, ITS#9534)
	Fixed slapd abort due to typo (ITS#9561)
	Fixed slapd-asyncmeta quarantine handling (ITS#8721)
	Fixed slapd-asyncmeta to have a default operations timeout (ITS#9555)
	Fixed slapd-ldap quarantine handling (ITS#8721)
	Fixed slapd-mdb deletion of context entry (ITS#9531)
	Fixed slapd-mdb off-by-one affecting search scope (ITS#9557)
	Fixed slapd-meta quarantine handling (ITS#8721)
	Fixed slapo-accesslog to record reqNewDN for modRDN ops (ITS#9552)
	Fixed slapo-pcache locking during expiration (ITS#9529)
	Build
		Fixed slappw-argon2 module installation (ITS#9548)
	Contrib
		Update ldapc++/ldaptcl to use configure.ac (ITS#9554)
	Documentation
		ldap_first_attribute(3) - Document ldap_get_attribute_ber (ITS#8820)
		ldap_modify(3) - Delete non-existent mod_next parameter (ITS#9559)
   OpenLDAP 2.5.4 Release (2021/04/29)
	Initial release for "general use".
   OpenLDAP 2.4.57 Release (2021/01/18)
	Fixed ldapexop to use correct return code (ITS#9417)
	Fixed slapd to remove asserts in UUIDNormalize (ITS#9391)
	Fixed slapd to remove assert in csnValidate (ITS#9410)
	Fixed slapd validity checks for issuerAndThisUpdateCheck (ITS#9411, ITS#9427)
	Fixed slapd validity checks for serialNumberAndIssuerCheck (ITS#9404, ITS#9424)
	Fixed slapd AVA sort with invalid RDN (ITS#9412)
	Fixed slapd ldap_X509dn2bv to check for invalid BER after RDN count (ITS#9423, ITS#9425)
	Fixed slapd saslauthz to remove asserts in validation (ITS#9406, ITS#9407)
	Fixed slapd saslauthz to use slap_sl_free on normalized DN (ITS#9409)
	Fixed slapd saslauthz SEGV in slap_parse_user (ITS#9413)
	Fixed slapd modrdn memory leak (ITS#9420)
	Fixed slapd double-free in vrfilter (ITS#9408)
	Fixed slapd cancel operation to correctly terminate (ITS#9428)
	Fixed slapd-ldap fix binds on retry with closed connection (ITS#9400)
	Fixed slapo-syncprov to ignore duplicate sessionlog entries (ITS#9394)
   OpenLDAP 2.4.56 Release (2020/11/10)
	Fixed slapd to remove assert in certificateListValidate (ITS#9383)
	Fixed slapd to remove assert in csnNormalize23 (ITS#9384)
	Fixed slapd to better parse ldapi listener URIs (ITS#9379)
   OpenLDAP 2.4.55 Release (2020/10/26)
	Fixed slapd normalization handling with modrdn (ITS#9370)
	Fixed slapd-meta to check ldap_install_tls return code (ITS#9366)
	Contrib
		Fixed nssov misplaced semicolon (ITS#8731, ITS#9368)
   OpenLDAP 2.4.54 Release (2020/10/12)
	Fixed slapd delta-syncrepl to ignore delete ops on deleted entry (ITS#9342)
	Fixed slapd delta-syncrepl to be fully serialized (ITS#9330)
	Fixed slapd delta-syncrepl MOD on zero-length context entry (ITS#9352)
	Fixed slapd syncrepl to be fully serialized (ITS#8102)
	Fixed slapd syncrepl to call check_syncprov on fresh consumer (ITS#9345)
	Fixed slapd syncrepl to propagate errors from overlay_entry_get_ov (ITS#9355)
	Fixed slapd syncrepl to not create empty ADD ops (ITS#9359)
	Fixed slapd syncrepl replace usage on single valued attrs (ITS#9295)
	Fixed slapd-monitor fix monitor_back_register_database for empty suffix DB (ITS#9353)
	Fixed slapo-accesslog normalizer for reqStart (ITS#9358)
	Fixed slapo-accesslog to not generate new contextCSN on purge (ITS#9361)
	Fixed slapo-syncprov contextCSN generation with empty suffix (ITS#9015)
	Fixed slapo-syncprov sessionlog to use a TAVL tree (ITS#8486)
   OpenLDAP 2.4.53 Release (2020/09/07)
	Added slapd syncrepl additional SYNC logging (ITS#9043)
	Fixed slapd syncrepl segfault on NULL cookie on REFRESH (ITS#9282)
	Fixed slapd syncrepl to use fresh connection on REFRESH fallback (ITS#9338)
	Fixed slapo-ppolicy race condition for pwdFailureTime (ITS#9302, ITS#9334)
	Build
		Require OpenSSL 1.0.2 or later (ITS#9323)
		Fixed libldap compilation issue with broken C compilers (ITS#9332)
   OpenLDAP 2.4.52 Release (2020/08/28)
	Added libldap LDAP_OPT_X_TLS_REQUIRE_SAN option (ITS#9318)
	Added libldap OpenSSL support for multiple EECDH curves (ITS#9054)
	Added slapd OpenSSL support for multiple EECDH curves (ITS#9054)
	Fixed librewrite malloc/free corruption (ITS#9249)
	Fixed libldap hang when using UDP and server down (ITS#9328)
	Fixed slapd syncrepl rare deadlock due to network issues (ITS#9324)
	Fixed slapd syncrepl regression that could trigger an assert (ITS#9329)
	Fixed slapd-mdb index error with collapsed range (ITS#9135)
   OpenLDAP 2.4.51 Release (2020/08/11)
	Added slapo-ppolicy implement Netscape password policy controls (ITS#9279)
	Fixed libldap retry loop in ldap_int_tls_connect (ITS#8650)
	Fixed libldap to use getaddrinfo in ldap_pvt_get_fqdn (ITS#9287)
	Fixed slapd to enforce singular existence of some overlays (ITS#9309)
	Fixed slapd syncrepl to not delete non-replicated attrs (ITS#9227)
	Fixed slapd syncrepl to correctly delete entries on resync (ITS#9282)
	Fixed slapd syncrepl to use replace on single valued attrs (ITS#9294, ITS#9295)
	Fixed slapd-perl dynamic config with threaded slapd (ITS#7573)
	Fixed slapo-ppolicy to expose the ppolicy control (ITS#9285)
	Fixed slapo-ppolicy race condition for pwdFailureTime (ITS#9302)
	Fixed slapo-ppolicy so it can only exist once per DB (ITS#9309)
	Fixed slapo-chain to check referral (ITS#9262)
	Build Environment
		Fix test064 so it no longer uses bashisms (ITS#9263)
	Contrib
		Fix default prefix value for pw-argon2, pw-pbkdf2 modules (ITS#9248)
		slapo-allowed - Fix usage of uninitialized variable (ITS#9308)
	Documentation
		ldap_parse_result(3) - Document ldap_parse_intermediate (ITS#9271)
   OpenLDAP 2.4.50 Release (2020/04/28)
	Fixed client benign typos (ITS#8890)
	Fixed libldap type cast (ITS#9175)
	Fixed libldap retry loop in ldap_int_tls_connect (ITS#8650)
	Fixed libldap_r race on Windows mutex initialization (ITS#9181)
	Fixed liblunicode memory leak (ITS#9198)
	Fixed slapd benign typos (ITS#8890)
	Fixed slapd to limit depth of nested filters (ITS#9202)
	Fixed slapd-mdb memory leak in dnSuperiorMatch (ITS#9214)
	Fixed slapo-pcache database initialization (ITS#9182)
	Fixed slapo-ppolicy callback (ITS#9171)
	Build
		Fix olcDatabaseDummy initialization for windows (ITS#7074)
		Fix detection for ws2tcpip.h for windows (ITS#8383)
		Fix back-mdb types for windows (ITS#7878)
	Contrib
		Update ldapc++ config.guess and config.sub to support newer architectures (ITS#7855)
		Added pw-argon2 module (ITS#9233, ITS#8575, ITS#9203, ITS#9206)
	Documentation
		slapd-ldap(5) - Clarify idassert-authzfrom behavior (ITS#9003)
		slapd-meta(5) - Remove client-pr option (ITS#8683)
		slapindex(8) - Fix truncate option information for back-mdb (ITS#9230)

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/common/openldap              |   33 +-
 lfs/openldap                                  |    6 +-
 .../openldap-2.4.49-consolidated-1.patch      |  371 --
 .../openldap-2.6.1-consolidated-2.patch       | 4689 +++++++++++++++++
 src/patches/openldap-gcc44-fixes.patch        |   31 -
 5 files changed, 4713 insertions(+), 417 deletions(-)
 delete mode 100644 src/patches/openldap-2.4.49-consolidated-1.patch
 create mode 100644 src/patches/openldap-2.6.1-consolidated-2.patch
 delete mode 100644 src/patches/openldap-gcc44-fixes.patch

Comments

Peter Müller April 29, 2022, 6:54 p.m. UTC | #1
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>

> - Update from version 2.4.49 to 2.6.1
> - Update of rootfile
> - Update of consolidated patch to 2.6.1
> - Removal of old patches
> - Changelog
>    OpenLDAP 2.6.1 Release (2022/01/20)
> 	Fixed libldap to init client socket port (ITS#9743)
> 	Fixed libldap with referrals (ITS#9781)
> 	Added slapd config keyword for logfile format (ITS#9745)
> 	Fixed slapd to allow objectClass edits with no net change (ITS#9772)
> 	Fixed slapd configtable population (ITS#9576)
> 	Fixed slapd to only set loglevel in server mode (ITS#9715)
> 	Fixed slapd logfile-rotate use of uninitialized variable (ITS#9730)
> 	Fixed slapd passwd scheme handling with slapd.conf (ITS#9750)
> 	Fixed slapd postread support for modrdn (ITS#7080)
> 	Fixed slapd syncrepl recreation of deleted entries (ITS#9282)
> 	Fixed slapd syncrepl replication with ODSEE (ITS#9707)
> 	Fixed slapd syncrepl to properly replicate glue entries (ITS#9647)
> 	Fixed slapd syncrepl to reject REFRESH for precise resync (ITS#9742)
> 	Fixed slapd syncrepl to avoid busy loop during refresh (ITS#9584)
> 	Fixed slapd syncrepl when X-ORDERED is specified (ITS#9761)
> 	Fixed slapd syncrepl to better handle out of order delete ops (ITS#9751)
> 	Fixed slapd syncrepl to correctly close connections when config is deleted (ITS#9776)
> 	Fixed slapd-mdb to update indices correctly on replace ops (ITS#9753)
> 	Fixed slapd-wt to set correct flags (ITS#9760)
> 	Fixed slapo-accesslog to fix assertion due to deprecated code (ITS#9738)
> 	Fixed slapo-accesslog to fix inconsistently normalized minCSN (ITS#9752)
> 	Fixed slapo-accesslog delete handling of multi-valued config attrs (ITS#9493)
> 	Fixed slapo-autogroup to maintain values in insertion order (ITS#9766)
> 	Fixed slapo-constraint to maintain values in insertion order (ITS#9770)
> 	Fixed slapo-dyngroup to maintain values in insertion order (ITS#9762)
> 	Fixed slapo-dynlist compare operation for static groups (ITS#9747)
> 	Fixed slapo-dynlist static group filter with multiple members (ITS#9779)
> 	Fixed slapo-ppolicy when not built modularly (ITS#9733)
> 	Fixed slapo-refint to maintain values in insertion order (ITS#9763)
> 	Fixed slapo-retcode to honor requested insert position (ITS#9759)
> 	Fixed slapo-sock cn=config support (ITS#9758)
> 	Fixed slapo-syncprov memory leak (ITS#8039)
> 	Fixed slapo-syncprov to generate a more accurate accesslog query (ITS#9756)
> 	Fixed slapo-syncprov to allow empty DB to host persistent syncrepl connections (ITS#9691)
> 	Fixed slapo-syncprov to consider all deletes for syncInfo messages (ITS#5972)
> 	Fixed slapo-translucent to warn on invalid config (ITS#9768)
> 	Fixed slapo-unique to warn on invalid config (ITS#9767)
> 	Fixed slapo-valsort to maintain values in insertion order (ITS#9764)
> 	Build Environment
> 		Fix test022 to preserve DELAY search output (ITS#9718)
> 		Fix slapd-watcher to allow startup when servers are down (ITS#9727)
> 	Contrib
> 		Fixed slapo-lastbind to work with 2.6 lastbind-precision configuration (ITS#9725)
> 	Documentation
> 		Fixed slapd.conf(5)/slapd-config(5) documentation on lastbind-precision (ITS#9728)
> 		Fixed slapo-accesslog(5) to clarify logoldattr usage (ITS#9749)
>    OpenLDAP 2.6.0 Release (2021/10/25)
> 	Initial release for "general use".
>    OpenLDAP 2.5.7 Release (2021/08/18)
> 	Fixed lloadd client state tracking (ITS#9624)
> 	Fixed slapd bconfig to canonicalize structuralObjectclass (ITS#9611)
> 	Fixed slapd-ldif duplicate controls response (ITS#9497)
> 	Fixed slapd-mdb multival crash when attribute is missing an equality matchingrule (ITS#9621)
> 	Fixed slapd-mdb compatibility with OpenLDAP 2.4 MDB databases (ITS#8958)
> 	Fixed slapd-mdb idlexp maximum size handling (ITS#9637)
> 	Fixed slapd-monitor number of ops executing with asynchronous backends (ITS#9628)
> 	Fixed slapd-sql to add support for ppolicy attributes (ITS#9629)
> 	Fixed slapd-sql to close transactions after bind and search (ITS#9630)
> 	Fixed slapo-accesslog to make reqMod optional (ITS#9569)
> 	Fixed slapo-ppolicy logging when pwdChangedTime attribute is not present (ITS#9625)
> 	Documentation
> 		slapd-mdb(5) note max idlexp size is 30, not 31 (ITS#9637)
> 		slapo-accesslog(5) note that reqMod is optional (ITS#9569)
> 		Add ldapvc(1) man page (ITS#9549)
> 		Add guide section on load balancer (ITS#9443)
> 		Updated guide to document multiprovider as replacement for mirrormode (ITS#9200)
> 		Updated guide to clarify slapd-mdb upgrade requirements (ITS#9200)
> 		Updated guide to document removal of deprecated options from client tools (ITS#9200)
>    OpenLDAP 2.5.6 Release (2021/07/27)
> 	Fixed libldap buffer overflow (ITS#9578)
> 	Fixed libldap missing mutex unlock on connection alloc failure (ITS#9590)
> 	Fixed lloadd cn=config olcBkLloadClientMaxPending setting (ITS#8747)
> 	Fixed slapd multiple config defaults (ITS#9363)
> 	Fixed slapd ipv6 addresses to work with tcp wrappers (ITS#9603)
> 	Fixed slapo-syncprov delete of nonexistent sessionlog (ITS#9608)
> 	Build
> 		Fixed library symbol versioning on Solaris (ITS#9591)
> 		Fixed compile warning in libldap/tpool.c (ITS#9601)
> 		Fixed compile warning in libldap/tls_o.c (ITS#9602)
> 	Contrib
> 		Fixed ppm module for sysconfdir (ITS#7832)
> 	Documentation
> 		Updated guide to document multival, idlexp, and maxentrysize (ITS#9613, ITS#9614)
>    OpenLDAP 2.5.5 Release (2021/06/03)
> 	Added libldap LDAP_OPT_TCP_USER_TIMEOUT support (ITS#9502)
> 	Added lloadd tcp-user-timeout support (ITS#9502)
> 	Added slapd-asyncmeta tcp-user-timeout support (ITS#9502)
> 	Added slapd-ldap tcp-user-timeout support (ITS#9502)
> 	Added slapd-meta tcp-user-timeout support (ITS#9502)
> 	Fixed incorrect control OIDs for AuthZ Identity (ITS#9542)
> 	Fixed libldap typo in util-int.c (ITS#9541)
> 	Fixed libldap double free of LDAP_OPT_DEFBASE (ITS#9530)
> 	Fixed libldap better TLS1.3 cipher suite handling (ITS#9521, ITS#9546)
> 	Fixed lloadd multiple issues (ITS#8747)
> 	Fixed slapd slap_op_time to avoid duplicates across restarts (ITS#9537)
> 	Fixed slapd typo in daemon.c (ITS#9541)
> 	Fixed slapd slapi compilation (ITS#9544)
> 	Fixed slapd to handle empty DN in extended filters (ITS#9551)
> 	Fixed slapd syncrepl searches with empty base (ITS#6467)
> 	Fixed slapd syncrepl refresh on startup (ITS#9324, ITS#9534)
> 	Fixed slapd abort due to typo (ITS#9561)
> 	Fixed slapd-asyncmeta quarantine handling (ITS#8721)
> 	Fixed slapd-asyncmeta to have a default operations timeout (ITS#9555)
> 	Fixed slapd-ldap quarantine handling (ITS#8721)
> 	Fixed slapd-mdb deletion of context entry (ITS#9531)
> 	Fixed slapd-mdb off-by-one affecting search scope (ITS#9557)
> 	Fixed slapd-meta quarantine handling (ITS#8721)
> 	Fixed slapo-accesslog to record reqNewDN for modRDN ops (ITS#9552)
> 	Fixed slapo-pcache locking during expiration (ITS#9529)
> 	Build
> 		Fixed slappw-argon2 module installation (ITS#9548)
> 	Contrib
> 		Update ldapc++/ldaptcl to use configure.ac (ITS#9554)
> 	Documentation
> 		ldap_first_attribute(3) - Document ldap_get_attribute_ber (ITS#8820)
> 		ldap_modify(3) - Delete non-existent mod_next parameter (ITS#9559)
>    OpenLDAP 2.5.4 Release (2021/04/29)
> 	Initial release for "general use".
>    OpenLDAP 2.4.57 Release (2021/01/18)
> 	Fixed ldapexop to use correct return code (ITS#9417)
> 	Fixed slapd to remove asserts in UUIDNormalize (ITS#9391)
> 	Fixed slapd to remove assert in csnValidate (ITS#9410)
> 	Fixed slapd validity checks for issuerAndThisUpdateCheck (ITS#9411, ITS#9427)
> 	Fixed slapd validity checks for serialNumberAndIssuerCheck (ITS#9404, ITS#9424)
> 	Fixed slapd AVA sort with invalid RDN (ITS#9412)
> 	Fixed slapd ldap_X509dn2bv to check for invalid BER after RDN count (ITS#9423, ITS#9425)
> 	Fixed slapd saslauthz to remove asserts in validation (ITS#9406, ITS#9407)
> 	Fixed slapd saslauthz to use slap_sl_free on normalized DN (ITS#9409)
> 	Fixed slapd saslauthz SEGV in slap_parse_user (ITS#9413)
> 	Fixed slapd modrdn memory leak (ITS#9420)
> 	Fixed slapd double-free in vrfilter (ITS#9408)
> 	Fixed slapd cancel operation to correctly terminate (ITS#9428)
> 	Fixed slapd-ldap fix binds on retry with closed connection (ITS#9400)
> 	Fixed slapo-syncprov to ignore duplicate sessionlog entries (ITS#9394)
>    OpenLDAP 2.4.56 Release (2020/11/10)
> 	Fixed slapd to remove assert in certificateListValidate (ITS#9383)
> 	Fixed slapd to remove assert in csnNormalize23 (ITS#9384)
> 	Fixed slapd to better parse ldapi listener URIs (ITS#9379)
>    OpenLDAP 2.4.55 Release (2020/10/26)
> 	Fixed slapd normalization handling with modrdn (ITS#9370)
> 	Fixed slapd-meta to check ldap_install_tls return code (ITS#9366)
> 	Contrib
> 		Fixed nssov misplaced semicolon (ITS#8731, ITS#9368)
>    OpenLDAP 2.4.54 Release (2020/10/12)
> 	Fixed slapd delta-syncrepl to ignore delete ops on deleted entry (ITS#9342)
> 	Fixed slapd delta-syncrepl to be fully serialized (ITS#9330)
> 	Fixed slapd delta-syncrepl MOD on zero-length context entry (ITS#9352)
> 	Fixed slapd syncrepl to be fully serialized (ITS#8102)
> 	Fixed slapd syncrepl to call check_syncprov on fresh consumer (ITS#9345)
> 	Fixed slapd syncrepl to propagate errors from overlay_entry_get_ov (ITS#9355)
> 	Fixed slapd syncrepl to not create empty ADD ops (ITS#9359)
> 	Fixed slapd syncrepl replace usage on single valued attrs (ITS#9295)
> 	Fixed slapd-monitor fix monitor_back_register_database for empty suffix DB (ITS#9353)
> 	Fixed slapo-accesslog normalizer for reqStart (ITS#9358)
> 	Fixed slapo-accesslog to not generate new contextCSN on purge (ITS#9361)
> 	Fixed slapo-syncprov contextCSN generation with empty suffix (ITS#9015)
> 	Fixed slapo-syncprov sessionlog to use a TAVL tree (ITS#8486)
>    OpenLDAP 2.4.53 Release (2020/09/07)
> 	Added slapd syncrepl additional SYNC logging (ITS#9043)
> 	Fixed slapd syncrepl segfault on NULL cookie on REFRESH (ITS#9282)
> 	Fixed slapd syncrepl to use fresh connection on REFRESH fallback (ITS#9338)
> 	Fixed slapo-ppolicy race condition for pwdFailureTime (ITS#9302, ITS#9334)
> 	Build
> 		Require OpenSSL 1.0.2 or later (ITS#9323)
> 		Fixed libldap compilation issue with broken C compilers (ITS#9332)
>    OpenLDAP 2.4.52 Release (2020/08/28)
> 	Added libldap LDAP_OPT_X_TLS_REQUIRE_SAN option (ITS#9318)
> 	Added libldap OpenSSL support for multiple EECDH curves (ITS#9054)
> 	Added slapd OpenSSL support for multiple EECDH curves (ITS#9054)
> 	Fixed librewrite malloc/free corruption (ITS#9249)
> 	Fixed libldap hang when using UDP and server down (ITS#9328)
> 	Fixed slapd syncrepl rare deadlock due to network issues (ITS#9324)
> 	Fixed slapd syncrepl regression that could trigger an assert (ITS#9329)
> 	Fixed slapd-mdb index error with collapsed range (ITS#9135)
>    OpenLDAP 2.4.51 Release (2020/08/11)
> 	Added slapo-ppolicy implement Netscape password policy controls (ITS#9279)
> 	Fixed libldap retry loop in ldap_int_tls_connect (ITS#8650)
> 	Fixed libldap to use getaddrinfo in ldap_pvt_get_fqdn (ITS#9287)
> 	Fixed slapd to enforce singular existence of some overlays (ITS#9309)
> 	Fixed slapd syncrepl to not delete non-replicated attrs (ITS#9227)
> 	Fixed slapd syncrepl to correctly delete entries on resync (ITS#9282)
> 	Fixed slapd syncrepl to use replace on single valued attrs (ITS#9294, ITS#9295)
> 	Fixed slapd-perl dynamic config with threaded slapd (ITS#7573)
> 	Fixed slapo-ppolicy to expose the ppolicy control (ITS#9285)
> 	Fixed slapo-ppolicy race condition for pwdFailureTime (ITS#9302)
> 	Fixed slapo-ppolicy so it can only exist once per DB (ITS#9309)
> 	Fixed slapo-chain to check referral (ITS#9262)
> 	Build Environment
> 		Fix test064 so it no longer uses bashisms (ITS#9263)
> 	Contrib
> 		Fix default prefix value for pw-argon2, pw-pbkdf2 modules (ITS#9248)
> 		slapo-allowed - Fix usage of uninitialized variable (ITS#9308)
> 	Documentation
> 		ldap_parse_result(3) - Document ldap_parse_intermediate (ITS#9271)
>    OpenLDAP 2.4.50 Release (2020/04/28)
> 	Fixed client benign typos (ITS#8890)
> 	Fixed libldap type cast (ITS#9175)
> 	Fixed libldap retry loop in ldap_int_tls_connect (ITS#8650)
> 	Fixed libldap_r race on Windows mutex initialization (ITS#9181)
> 	Fixed liblunicode memory leak (ITS#9198)
> 	Fixed slapd benign typos (ITS#8890)
> 	Fixed slapd to limit depth of nested filters (ITS#9202)
> 	Fixed slapd-mdb memory leak in dnSuperiorMatch (ITS#9214)
> 	Fixed slapo-pcache database initialization (ITS#9182)
> 	Fixed slapo-ppolicy callback (ITS#9171)
> 	Build
> 		Fix olcDatabaseDummy initialization for windows (ITS#7074)
> 		Fix detection for ws2tcpip.h for windows (ITS#8383)
> 		Fix back-mdb types for windows (ITS#7878)
> 	Contrib
> 		Update ldapc++ config.guess and config.sub to support newer architectures (ITS#7855)
> 		Added pw-argon2 module (ITS#9233, ITS#8575, ITS#9203, ITS#9206)
> 	Documentation
> 		slapd-ldap(5) - Clarify idassert-authzfrom behavior (ITS#9003)
> 		slapd-meta(5) - Remove client-pr option (ITS#8683)
> 		slapindex(8) - Fix truncate option information for back-mdb (ITS#9230)
> 
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
>  config/rootfiles/common/openldap              |   33 +-
>  lfs/openldap                                  |    6 +-
>  .../openldap-2.4.49-consolidated-1.patch      |  371 --
>  .../openldap-2.6.1-consolidated-2.patch       | 4689 +++++++++++++++++
>  src/patches/openldap-gcc44-fixes.patch        |   31 -
>  5 files changed, 4713 insertions(+), 417 deletions(-)
>  delete mode 100644 src/patches/openldap-2.4.49-consolidated-1.patch
>  create mode 100644 src/patches/openldap-2.6.1-consolidated-2.patch
>  delete mode 100644 src/patches/openldap-gcc44-fixes.patch
> 
> diff --git a/config/rootfiles/common/openldap b/config/rootfiles/common/openldap
> index 8d42b8880..45e731ee4 100644
> --- a/config/rootfiles/common/openldap
> +++ b/config/rootfiles/common/openldap
> @@ -10,6 +10,7 @@
>  #usr/bin/ldappasswd
>  #usr/bin/ldapsearch
>  #usr/bin/ldapurl
> +#usr/bin/ldapvc
>  #usr/bin/ldapwhoami
>  #usr/include/lber.h
>  #usr/include/lber_types.h
> @@ -21,18 +22,16 @@
>  #usr/include/ldif.h
>  #usr/include/openldap.h
>  #usr/include/slapi-plugin.h
> -usr/lib/liblber-2.4.so.2
> -usr/lib/liblber-2.4.so.2.10.12
>  #usr/lib/liblber.la
>  #usr/lib/liblber.so
> -usr/lib/libldap-2.4.so.2
> -usr/lib/libldap-2.4.so.2.10.12
> +usr/lib/liblber.so.2
> +usr/lib/liblber.so.2.0.200
>  #usr/lib/libldap.la
>  #usr/lib/libldap.so
> -usr/lib/libldap_r-2.4.so.2
> -usr/lib/libldap_r-2.4.so.2.10.12
> -#usr/lib/libldap_r.la
> -#usr/lib/libldap_r.so
> +usr/lib/libldap.so.2
> +usr/lib/libldap.so.2.0.200
> +#usr/lib/pkgconfig/lber.pc
> +#usr/lib/pkgconfig/ldap.pc
>  #usr/share/man/man1/ldapadd.1
>  #usr/share/man/man1/ldapcompare.1
>  #usr/share/man/man1/ldapdelete.1
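Review bot: the library renames in this hunk are an ABI break that the commit message does not address. `usr/lib/liblber-2.4.so.2`, `usr/lib/libldap-2.4.so.2` and `usr/lib/libldap_r-2.4.so.2` are dropped and replaced by `usr/lib/liblber.so.2` and `usr/lib/libldap.so.2`, and `libldap_r` disappears entirely (upstream folded the threaded library into libldap in 2.5, so that part is expected), but anything else in the tree linked against the old sonames will fail to load at runtime until it is rebuilt. Please list the dependent packages that are rebuilt alongside this update, or state in the commit message that none exist; a quick check is `readelf -d` over the installed binaries and modules, looking for `NEEDED` entries naming `libldap-2.4`, `libldap_r-2.4` or `liblber-2.4`.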
> @@ -42,6 +41,7 @@ usr/lib/libldap_r-2.4.so.2.10.12
>  #usr/share/man/man1/ldappasswd.1
>  #usr/share/man/man1/ldapsearch.1
>  #usr/share/man/man1/ldapurl.1
> +#usr/share/man/man1/ldapvc.1
>  #usr/share/man/man1/ldapwhoami.1
>  #usr/share/man/man3/ber_alloc_t.3
>  #usr/share/man/man3/ber_bvarray_add.3
> @@ -136,6 +136,7 @@ usr/lib/libldap_r-2.4.so.2.10.12
>  #usr/share/man/man3/ldap_first_message.3
>  #usr/share/man/man3/ldap_first_reference.3
>  #usr/share/man/man3/ldap_free_urldesc.3
> +#usr/share/man/man3/ldap_get_attribute_ber.3
>  #usr/share/man/man3/ldap_get_dn.3
>  #usr/share/man/man3/ldap_get_option.3
>  #usr/share/man/man3/ldap_get_values.3
> @@ -175,6 +176,7 @@ usr/lib/libldap_r-2.4.so.2.10.12
>  #usr/share/man/man3/ldap_objectclass_free.3
>  #usr/share/man/man3/ldap_open.3
>  #usr/share/man/man3/ldap_parse_extended_result.3
> +#usr/share/man/man3/ldap_parse_intermediate.3
>  #usr/share/man/man3/ldap_parse_reference.3
>  #usr/share/man/man3/ldap_parse_result.3
>  #usr/share/man/man3/ldap_parse_sasl_bind_result.3
> @@ -227,23 +229,22 @@ usr/lib/libldap_r-2.4.so.2.10.12
>  #usr/share/man/man3/ldap_value_free_len.3
>  #usr/share/man/man5/ldap.conf.5
>  #usr/share/man/man5/ldif.5
> -#usr/share/man/man5/slapd-bdb.5
> +#usr/share/man/man5/lloadd.conf.5
> +#usr/share/man/man5/slapd-asyncmeta.5
>  #usr/share/man/man5/slapd-config.5
>  #usr/share/man/man5/slapd-dnssrv.5
> -#usr/share/man/man5/slapd-hdb.5
>  #usr/share/man/man5/slapd-ldap.5
>  #usr/share/man/man5/slapd-ldif.5
>  #usr/share/man/man5/slapd-mdb.5
>  #usr/share/man/man5/slapd-meta.5
>  #usr/share/man/man5/slapd-monitor.5
> -#usr/share/man/man5/slapd-ndb.5
>  #usr/share/man/man5/slapd-null.5
>  #usr/share/man/man5/slapd-passwd.5
>  #usr/share/man/man5/slapd-perl.5
>  #usr/share/man/man5/slapd-relay.5
> -#usr/share/man/man5/slapd-shell.5
>  #usr/share/man/man5/slapd-sock.5
>  #usr/share/man/man5/slapd-sql.5
> +#usr/share/man/man5/slapd-wt.5
>  #usr/share/man/man5/slapd.access.5
>  #usr/share/man/man5/slapd.backends.5
>  #usr/share/man/man5/slapd.conf.5
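Review bot: the removal of `slapd-bdb.5`, `slapd-hdb.5`, `slapd-ndb.5` and `slapd-shell.5` in this hunk reflects backends that no longer exist in 2.6, and the changelog quoted above carries "Updated guide to clarify slapd-mdb upgrade requirements (ITS#9200)" and "Fixed slapd-mdb compatibility with OpenLDAP 2.4 MDB databases (ITS#8958)". The commit message says nothing about what happens to an existing slapd configuration or database on an installed system: a `database bdb` or `database hdb` definition will be rejected as an unknown backend after the upgrade, and an existing mdb database should at least be tested for a clean upgrade. Please add a sentence on whether IPFire ships a slapd configuration at all, which backend it uses, and whether any export/import (slapcat/slapadd) is expected of users.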
> @@ -251,17 +252,22 @@ usr/lib/libldap_r-2.4.so.2.10.12
>  #usr/share/man/man5/slapd.plugin.5
>  #usr/share/man/man5/slapo-accesslog.5
>  #usr/share/man/man5/slapo-auditlog.5
> +#usr/share/man/man5/slapo-autoca.5
>  #usr/share/man/man5/slapo-chain.5
>  #usr/share/man/man5/slapo-collect.5
>  #usr/share/man/man5/slapo-constraint.5
>  #usr/share/man/man5/slapo-dds.5
> +#usr/share/man/man5/slapo-deref.5
>  #usr/share/man/man5/slapo-dyngroup.5
>  #usr/share/man/man5/slapo-dynlist.5
> +#usr/share/man/man5/slapo-homedir.5
>  #usr/share/man/man5/slapo-memberof.5
> +#usr/share/man/man5/slapo-otp.5
>  #usr/share/man/man5/slapo-pbind.5
>  #usr/share/man/man5/slapo-pcache.5
>  #usr/share/man/man5/slapo-ppolicy.5
>  #usr/share/man/man5/slapo-refint.5
> +#usr/share/man/man5/slapo-remoteauth.5
>  #usr/share/man/man5/slapo-retcode.5
>  #usr/share/man/man5/slapo-rwm.5
>  #usr/share/man/man5/slapo-sock.5
> @@ -270,6 +276,8 @@ usr/lib/libldap_r-2.4.so.2.10.12
>  #usr/share/man/man5/slapo-translucent.5
>  #usr/share/man/man5/slapo-unique.5
>  #usr/share/man/man5/slapo-valsort.5
> +#usr/share/man/man5/slappw-argon2.5
> +#usr/share/man/man8/lloadd.8
>  #usr/share/man/man8/slapacl.8
>  #usr/share/man/man8/slapadd.8
>  #usr/share/man/man8/slapauth.8
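Review bot: `slappw-argon2.5` and `lloadd.8` are added here as commented-out man pages, but no `lloadd` binary and no argon2 password module file appear anywhere in this diff. If the load balancer and the argon2 module are enabled by the configure options (the `./configure` invocation is not visible in this patch beyond `--prefix=/usr`), the rootfile is missing their files; if they are not built, a short note in the commit message would save the next reader from looking for them.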
> @@ -277,6 +285,7 @@ usr/lib/libldap_r-2.4.so.2.10.12
>  #usr/share/man/man8/slapd.8
>  #usr/share/man/man8/slapdn.8
>  #usr/share/man/man8/slapindex.8
> +#usr/share/man/man8/slapmodify.8
>  #usr/share/man/man8/slappasswd.8
>  #usr/share/man/man8/slapschema.8
>  #usr/share/man/man8/slaptest.8
> diff --git a/lfs/openldap b/lfs/openldap
> index 60d46a249..195aa4af2 100644
> --- a/lfs/openldap
> +++ b/lfs/openldap
> @@ -24,7 +24,7 @@
>  
>  include Config
>  
> -VER        = 2.4.49
> +VER        = 2.6.1
>  
>  THISAPP    = openldap-$(VER)
>  DL_FILE    = $(THISAPP).tgz
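Review bot: the jump from 2.4.49 to 2.6.1 changes the library sonames, so every package linked against the old libldap-2.4.so.2 / libldap_r-2.4.so.2 needs a rebuild in the same update, not just this lfs bump. The rootfile hunk headers above still carry `usr/lib/libldap_r-2.4.so.2.10.12` as context, and libldap_r no longer exists in 2.5+ (its functionality was folded into libldap), so please list the dependent packages that were rebuilt and checked with `ldd` in the commit message, or note why none are affected.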
> @@ -42,7 +42,7 @@ objects = $(DL_FILE)
>  
>  $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>  
> -$(DL_FILE)_BLAKE2 = ee777588d758f6704b0d38b90feb85b27e2307510a05d1d147324e9958a6f6fc5bc7dd521a1462971c3f707429ad38fab734f508d71fd88b447770e112e844a2
> +$(DL_FILE)_BLAKE2 = 08bb7ec0354d689b65673d6c4c05a3299ba4f1655cbcccb710b6c9ca66fd636d6b2d89faa8d32278d253a1647deae8b1e86e8e275b890208bfac4ca663a40523
>  
>  install : $(TARGET)
>  
> @@ -72,7 +72,7 @@ $(subst %,%_BLAKE2,$(objects)) :
>  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  	@$(PREBUILD)
>  	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
> -	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openldap-2.4.49-consolidated-1.patch
> +	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openldap-2.6.1-consolidated-2.patch
>  	cd $(DIR_APP) && autoconf
>  	cd $(DIR_APP) && ./configure \
>  		--prefix=/usr \
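Review bot: the `cd $(DIR_APP) && autoconf` step looks like a leftover from the 2.4 patch, which modified `build/openldap.m4` and `configure.in` (symbol-versioning checks) and therefore required regenerating `configure`. The new patch's header says that versioning machinery was removed because it is now upstream, and the visible part of the 2.6.1 patch touches only man pages. If the new patch no longer changes any autoconf input, drop the `autoconf` line: regenerating `configure` with the build host's autoconf silently diverges from the release tarball's configure and adds an unneeded build-time dependency.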
> diff --git a/src/patches/openldap-2.4.49-consolidated-1.patch b/src/patches/openldap-2.4.49-consolidated-1.patch
> deleted file mode 100644
> index 8cd2656e3..000000000
> --- a/src/patches/openldap-2.4.49-consolidated-1.patch
> +++ /dev/null
> @@ -1,371 +0,0 @@
> -Submitted by:            Bruce Dubbs <bdubbs at linuxfromscratch.org>
> -Date:                    2012-03-26 
> -Initial Package Version: 2.4.40
> -Upstream Status:         BLFS Specific
> -Origin:                  Armin K. <krejzi at email dot com> and Debian 
> -Comment:                 Rediffed by Fernando de Oliveira <famobr at yahoo dot
> -                         com dot br> for version 2.4.44 - 2016.02.06
> -                         Rediffed by Pierre Labastie <pierre dot labastie at
> -                         neuf dot fr> to add mdb backend and slapd.ldif. See
> -                         ticket #7394 - 2016.02.24
> -Description:             Consolidate earlier patches to:
> - 1. Update various installation options, such as ldap database path, 
> -    configuration file options, slapd install location, etc.
> - 2. Remove reference to bdb module
> - 3. Enables symbol versioning in ldap libraries. Without these changes
> -    some applications might generate a warning about missing symbol versions.
> -
> -diff -Naur openldap-2.4.40.orig/build/openldap.m4 openldap-2.4.40/build/openldap.m4
> ---- openldap-2.4.40.orig/build/openldap.m4	2014-09-18 20:48:49.000000000 -0500
> -+++ openldap-2.4.40/build/openldap.m4	2015-03-26 15:37:39.801077750 -0500
> -@@ -1142,3 +1142,54 @@
> - #endif
> - 	], [ol_cv_ssl_crl_compat=yes], [ol_cv_ssl_crl_compat=no])])
> - ])
> -+
> -+dnl ====================================================================
> -+dnl check for symbol versioning support
> -+AC_DEFUN([OL_SYMBOL_VERSIONING],
> -+[AC_CACHE_CHECK([for .symver assembler directive],
> -+	[ol_cv_asm_symver_directive],[
> -+cat > conftest.s <<EOF
> -+${libc_cv_dot_text}
> -+_sym:
> -+.symver _sym,sym@VERS
> -+EOF
> -+if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
> -+  ol_cv_asm_symver_directive=yes
> -+else
> -+  ol_cv_asm_symver_directive=no
> -+fi
> -+rm -f conftest*])
> -+AC_CACHE_CHECK([for ld --version-script],
> -+	[ol_cv_ld_version_script_option],[
> -+if test $ol_cv_asm_symver_directive = yes; then
> -+  cat > conftest.s <<EOF
> -+${libc_cv_dot_text}
> -+_sym:
> -+.symver _sym,sym@VERS
> -+EOF
> -+  cat > conftest.map <<EOF
> -+VERS_1 {
> -+	global: sym;
> -+};
> -+
> -+VERS_2 {
> -+	global: sym;
> -+} VERS_1;
> -+EOF
> -+  if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
> -+    if AC_TRY_COMMAND([${CC-cc} $CFLAGS $LDFLAGS -shared
> -+                                                 -o conftest.so conftest.o
> -+                                                 -Wl,--version-script,conftest.map
> -+                       1>&AS_MESSAGE_LOG_FD]);
> -+    then
> -+      ol_cv_ld_version_script_option=yes
> -+    else
> -+      ol_cv_ld_version_script_option=no
> -+    fi
> -+  else
> -+    ol_cv_ld_version_script_option=no
> -+  fi
> -+else
> -+  ol_cv_ld_version_script_option=no
> -+fi
> -+rm -f conftest*])])
> -diff -Naur openldap-2.4.40.orig/build/top.mk openldap-2.4.40/build/top.mk
> ---- openldap-2.4.40.orig/build/top.mk	2014-09-18 20:48:49.000000000 -0500
> -+++ openldap-2.4.40/build/top.mk	2015-03-26 15:37:39.801077750 -0500
> -@@ -104,6 +104,9 @@
> - # LINK_LIBS referenced in library and module link commands.
> - LINK_LIBS = $(MOD_LIBS) $(@PLAT@_LINK_LIBS)
> - 
> -+# option to pass to $(CC) to support library symbol versioning, if any
> -+VERSION_OPTION = @VERSION_OPTION@
> -+
> - LTSTATIC = @LTSTATIC@
> - 
> - LTLINK   = $(LIBTOOL) --mode=link \
> -@@ -113,7 +116,7 @@
> - 	$(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(LIB_DEFS) -c
> - 
> - LTLINK_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=link \
> --	$(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB)
> -+	$(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) $(VERSION_FLAGS)
> - 
> - LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=compile \
> - 	$(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c
> -diff -Naur openldap-2.4.40.orig/configure.in openldap-2.4.40/configure.in
> ---- openldap-2.4.40.orig/configure.in	2014-09-18 20:48:49.000000000 -0500
> -+++ openldap-2.4.40/configure.in	2015-03-26 15:37:39.801077750 -0500
> -@@ -1916,6 +1916,13 @@
> - fi
> - AC_SUBST(LTSTATIC)dnl
> - 
> -+VERSION_OPTION=""
> -+OL_SYMBOL_VERSIONING
> -+if test $ol_cv_ld_version_script_option = yes ; then
> -+  VERSION_OPTION="-Wl,--version-script="
> -+fi
> -+AC_SUBST(VERSION_OPTION)
> -+
> - dnl ----------------------------------------------------------------
> - if test $ol_enable_wrappers != no ; then
> - 	AC_CHECK_HEADERS(tcpd.h,[
> -diff -Naur openldap-2.4.40.orig/doc/man/man5/slapd-bdb.5 openldap-2.4.40/doc/man/man5/slapd-bdb.5
> ---- openldap-2.4.40.orig/doc/man/man5/slapd-bdb.5	2014-09-18 20:48:49.000000000 -0500
> -+++ openldap-2.4.40/doc/man/man5/slapd-bdb.5	2015-03-26 15:36:59.637464038 -0500
> -@@ -135,7 +135,7 @@
> - associated indexes live.
> - A separate directory must be specified for each database.
> - The default is
> --.BR LOCALSTATEDIR/openldap\-data .
> -+.BR LOCALSTATEDIR/lib/openldap .
> - .TP
> - .B dirtyread
> - Allow reads of modified but not yet committed data.
> -diff -Naur openldap-2.4.40.orig/doc/man/man5/slapd-config.5 openldap-2.4.40/doc/man/man5/slapd-config.5
> ---- openldap-2.4.40.orig/doc/man/man5/slapd-config.5	2014-09-18 20:48:49.000000000 -0500
> -+++ openldap-2.4.40/doc/man/man5/slapd-config.5	2015-03-26 15:36:59.638464004 -0500
> -@@ -2051,7 +2051,7 @@
> - # The database directory MUST exist prior to
> - # running slapd AND should only be accessible
> - # by the slapd/tools. Mode 0700 recommended.
> --olcDbDirectory: LOCALSTATEDIR/openldap\-data
> -+olcDbDirectory: LOCALSTATEDIR/lib/openldap
> - # Indices to maintain
> - olcDbIndex:     objectClass  eq
> - olcDbIndex:     cn,sn,mail   pres,eq,approx,sub
> -diff -Naur openldap-2.4.40.orig/doc/man/man5/slapd.conf.5 openldap-2.4.40/doc/man/man5/slapd.conf.5
> ---- openldap-2.4.40.orig/doc/man/man5/slapd.conf.5	2014-09-18 20:48:49.000000000 -0500
> -+++ openldap-2.4.40/doc/man/man5/slapd.conf.5	2015-03-26 15:36:59.638464004 -0500
> -@@ -2021,7 +2021,7 @@
> - # The database directory MUST exist prior to
> - # running slapd AND should only be accessible
> - # by the slapd/tools. Mode 0700 recommended.
> --directory LOCALSTATEDIR/openldap\-data
> -+directory LOCALSTATEDIR/lib/openldap
> - # Indices to maintain
> - index     objectClass  eq
> - index     cn,sn,mail   pres,eq,approx,sub
> -diff -Naur openldap-2.4.40.orig/include/ldap_defaults.h openldap-2.4.40/include/ldap_defaults.h
> ---- openldap-2.4.40.orig/include/ldap_defaults.h	2014-09-18 20:48:49.000000000 -0500
> -+++ openldap-2.4.40/include/ldap_defaults.h	2015-03-26 15:36:59.638464004 -0500
> -@@ -39,7 +39,7 @@
> - #define LDAP_ENV_PREFIX "LDAP"
> - 
> - /* default ldapi:// socket */
> --#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi"
> -+#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "openldap" LDAP_DIRSEP "ldapi"
> - 
> - /*
> -  * SLAPD DEFINITIONS
> -@@ -47,7 +47,7 @@
> - 	/* location of the default slapd config file */
> - #define SLAPD_DEFAULT_CONFIGFILE	LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.conf"
> - #define SLAPD_DEFAULT_CONFIGDIR		LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.d"
> --#define SLAPD_DEFAULT_DB_DIR		LDAP_RUNDIR LDAP_DIRSEP "openldap-data"
> -+#define SLAPD_DEFAULT_DB_DIR		LDAP_RUNDIR LDAP_DIRSEP "lib" LDAP_DIRSEP "openldap"
> - #define SLAPD_DEFAULT_DB_MODE		0600
> - #define SLAPD_DEFAULT_UCDATA		LDAP_DATADIR LDAP_DIRSEP "ucdata"
> - 	/* default max deref depth for aliases */
> -diff -Naur openldap-2.4.40.orig/libraries/liblber/Makefile.in openldap-2.4.40/libraries/liblber/Makefile.in
> ---- openldap-2.4.40.orig/libraries/liblber/Makefile.in	2014-09-18 20:48:49.000000000 -0500
> -+++ openldap-2.4.40/libraries/liblber/Makefile.in	2015-03-26 15:37:39.801077750 -0500
> -@@ -38,6 +38,9 @@
> - XXLIBS = 
> - NT_LINK_LIBS = $(AC_LIBS)
> - UNIX_LINK_LIBS = $(AC_LIBS)
> -+ifneq (,$(VERSION_OPTION))
> -+  VERSION_FLAGS = "$(VERSION_OPTION)$(srcdir)/liblber.map"
> -+endif
> - 
> - dtest:    $(XLIBS) dtest.o
> - 	$(LTLINK) -o $@ dtest.o $(LIBS)
> -@@ -48,6 +51,6 @@
> - 
> - install-local: FORCE
> - 	-$(MKDIR) $(DESTDIR)$(libdir)
> --	$(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir)
> -+	$(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir)
> - 	$(LTFINISH) $(DESTDIR)$(libdir)
> - 
> -diff -Naur openldap-2.4.40.orig/libraries/liblber/liblber.map openldap-2.4.40/libraries/liblber/liblber.map
> ---- openldap-2.4.40.orig/libraries/liblber/liblber.map	1969-12-31 18:00:00.000000000 -0600
> -+++ openldap-2.4.40/libraries/liblber/liblber.map	2015-03-26 15:37:39.801077750 -0500
> -@@ -0,0 +1,8 @@
> -+OPENLDAP_2.4_2 {
> -+  global:
> -+    ber_*;
> -+    der_alloc;
> -+    lutil_*;
> -+  local:
> -+    *;
> -+};
> -diff -Naur openldap-2.4.40.orig/libraries/libldap/Makefile.in openldap-2.4.40/libraries/libldap/Makefile.in
> ---- openldap-2.4.40.orig/libraries/libldap/Makefile.in	2014-09-18 20:48:49.000000000 -0500
> -+++ openldap-2.4.40/libraries/libldap/Makefile.in	2015-03-26 15:37:39.802077716 -0500
> -@@ -52,6 +52,9 @@
> - XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS)
> - NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
> - UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
> -+ifneq (,$(VERSION_OPTION))
> -+  VERSION_FLAGS = $(VERSION_OPTION)$(srcdir)/libldap.map
> -+endif
> - 
> - apitest:	$(XLIBS) apitest.o
> - 	$(LTLINK) -o $@ apitest.o $(LIBS)
> -@@ -68,7 +71,7 @@
> - 
> - install-local: $(CFFILES) FORCE
> - 	-$(MKDIR) $(DESTDIR)$(libdir)
> --	$(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir)
> -+	$(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir)
> - 	$(LTFINISH) $(DESTDIR)$(libdir)
> - 	-$(MKDIR) $(DESTDIR)$(sysconfdir)
> - 	@for i in $(CFFILES); do \
> -diff -Naur openldap-2.4.40.orig/libraries/libldap/libldap.map openldap-2.4.40/libraries/libldap/libldap.map
> ---- openldap-2.4.40.orig/libraries/libldap/libldap.map	1969-12-31 18:00:00.000000000 -0600
> -+++ openldap-2.4.40/libraries/libldap/libldap.map	2015-03-26 15:37:39.802077716 -0500
> -@@ -0,0 +1,7 @@
> -+OPENLDAP_2.4_2 {
> -+  global:
> -+    ldap_*;
> -+    ldif_*;
> -+  local:
> -+    *;
> -+};
> -diff -Naur openldap-2.4.40.orig/libraries/libldap_r/Makefile.in openldap-2.4.40/libraries/libldap_r/Makefile.in
> ---- openldap-2.4.40.orig/libraries/libldap_r/Makefile.in	2014-09-18 20:48:49.000000000 -0500
> -+++ openldap-2.4.40/libraries/libldap_r/Makefile.in	2015-03-26 15:37:39.802077716 -0500
> -@@ -61,6 +61,9 @@
> - XXXLIBS = $(LTHREAD_LIBS)
> - NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
> - UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(LTHREAD_LIBS)
> -+ifneq (,$(VERSION_OPTION))
> -+  VERSION_FLAGS = "$(VERSION_OPTION)$(XXDIR)/libldap.map"
> -+endif
> - 
> - .links : Makefile
> - 	@for i in $(XXSRCS); do \
> -@@ -83,6 +86,6 @@
> - 
> - install-local: $(CFFILES) FORCE
> - 	-$(MKDIR) $(DESTDIR)$(libdir)
> --	$(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir)
> -+	$(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir)
> - 	$(LTFINISH) $(DESTDIR)$(libdir)
> - 
> -diff -Naur openldap-2.4.40.orig/servers/slapd/Makefile.in openldap-2.4.40/servers/slapd/Makefile.in
> ---- openldap-2.4.40.orig/servers/slapd/Makefile.in	2014-09-18 20:48:49.000000000 -0500
> -+++ openldap-2.4.40/servers/slapd/Makefile.in	2015-03-26 15:36:59.639463969 -0500
> -@@ -376,10 +376,10 @@
> - 	install-conf install-dbc-maybe install-schema install-tools
> - 
> - install-slapd: FORCE
> --	-$(MKDIR) $(DESTDIR)$(libexecdir)
> -+	-$(MKDIR) $(DESTDIR)$(sbindir)
> - 	-$(MKDIR) $(DESTDIR)$(localstatedir)/run
> - 	$(LTINSTALL) $(INSTALLFLAGS) $(STRIP) -m 755 \
> --		slapd$(EXEEXT) $(DESTDIR)$(libexecdir)
> -+		slapd$(EXEEXT) $(DESTDIR)$(sbindir)
> - 	@for i in $(SUBDIRS); do \
> - 	    if test -d $$i && test -f $$i/Makefile ; then \
> - 		echo; echo "  cd $$i; $(MAKE) $(MFLAGS) install"; \
> -@@ -445,9 +445,9 @@
> - 
> - install-db-config: FORCE
> - 	@-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir)
> --	@-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data
> -+	@-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/lib/openldap
> - 	$(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
> --		$(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example
> -+		$(DESTDIR)$(localstatedir)/lib/openldap/DB_CONFIG.example
> - 	$(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
> - 		$(DESTDIR)$(sysconfdir)/DB_CONFIG.example
> - 
> -@@ -455,6 +455,6 @@
> - 	-$(MKDIR) $(DESTDIR)$(sbindir)
> - 	for i in $(SLAPTOOLS); do \
> - 		$(RM) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \
> --		$(LN_S) -f $(DESTDIR)$(libexecdir)/slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \
> -+		$(LN_S) -f $(DESTDIR)$(sbindir)/slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \
> - 	done
> - 
> -diff -Naur openldap-2.4.44.orig/servers/slapd/slapd.conf openldap-2.4.44/servers/slapd/slapd.conf
> ---- openldap-2.4.44.orig/servers/slapd/slapd.conf	2016-02-06 00:57:45.000000000 +0100
> -+++ openldap-2.4.44/servers/slapd/slapd.conf	2016-02-22 23:01:47.681372594 +0100
> -@@ -10,12 +10,12 @@
> - # service AND an understanding of referrals.
> - #referral	ldap://root.openldap.org
> - 
> --pidfile		%LOCALSTATEDIR%/run/slapd.pid
> --argsfile	%LOCALSTATEDIR%/run/slapd.args
> -+pidfile		%LOCALSTATEDIR%/run/openldap/slapd.pid
> -+argsfile	%LOCALSTATEDIR%/run/openldap/slapd.args
> - 
> - # Load dynamic backend modules:
> --# modulepath	%MODULEDIR%
> --# moduleload	back_mdb.la
> -+modulepath	%MODULEDIR%
> -+moduleload	back_mdb.la
> - # moduleload	back_ldap.la
> - 
> - # Sample security restrictions
> -@@ -60,6 +60,6 @@
> - # The database directory MUST exist prior to running slapd AND 
> - # should only be accessible by the slapd and slap tools.
> - # Mode 700 recommended.
> --directory	%LOCALSTATEDIR%/openldap-data
> -+directory	%LOCALSTATEDIR%/lib/openldap
> - # Indices to maintain
> - index	objectClass	eq
> -diff -Naur openldap-2.4.44.orig/servers/slapd/slapd.ldif openldap-2.4.44/servers/slapd/slapd.ldif
> ---- openldap-2.4.44.orig/servers/slapd/slapd.ldif	2016-02-06 00:57:45.000000000 +0100
> -+++ openldap-2.4.44/servers/slapd/slapd.ldif	2016-02-22 22:59:57.824364446 +0100
> -@@ -9,8 +9,8 @@
> - #
> - # Define global ACLs to disable default read access.
> - #
> --olcArgsFile: %LOCALSTATEDIR%/run/slapd.args
> --olcPidFile: %LOCALSTATEDIR%/run/slapd.pid
> -+olcArgsFile: %LOCALSTATEDIR%/run/openldap/slapd.args
> -+olcPidFile: %LOCALSTATEDIR%/run/openldap/slapd.pid
> - #
> - # Do not enable referrals until AFTER you have a working directory
> - # service AND an understanding of referrals.
> -@@ -26,10 +26,11 @@
> - #
> - # Load dynamic backend modules:
> - #
> --#dn: cn=module,cn=config
> --#objectClass: olcModuleList
> --#cn: module
> --#olcModulepath:	%MODULEDIR%
> -+dn: cn=module,cn=config
> -+objectClass: olcModuleList
> -+cn: module
> -+olcModulepath:	%MODULEDIR%
> -+olcModuleload: back_mdb.la
> - #olcModuleload:	back_bdb.la
> - #olcModuleload:	back_hdb.la
> - #olcModuleload:	back_ldap.la
> -@@ -90,6 +91,6 @@
> - # The database directory MUST exist prior to running slapd AND 
> - # should only be accessible by the slapd and slap tools.
> - # Mode 700 recommended.
> --olcDbDirectory:	%LOCALSTATEDIR%/openldap-data
> -+olcDbDirectory:	%LOCALSTATEDIR%/lib/openldap
> - # Indices to maintain
> - olcDbIndex: objectClass eq
> -diff -Naur openldap-2.4.40.orig/servers/slapd/slapi/Makefile.in openldap-2.4.40/servers/slapd/slapi/Makefile.in
> ---- openldap-2.4.40.orig/servers/slapd/slapi/Makefile.in	2014-09-18 20:48:49.000000000 -0500
> -+++ openldap-2.4.40/servers/slapd/slapi/Makefile.in	2015-03-26 15:36:59.639463969 -0500
> -@@ -46,6 +46,6 @@
> - install-local: FORCE
> - 	if test "$(BUILD_MOD)" = "yes"; then \
> - 		$(MKDIR) $(DESTDIR)$(libdir); \
> --		$(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir); \
> -+		$(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir); \
> - 	fi
> - 
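Review bot: beyond the symbol-versioning parts that are now upstream, this deleted patch also carried behavioural changes that the initscript and anything speaking `ldapi://` depend on: `LDAPI_SOCK` moved to `run/openldap/ldapi` in `include/ldap_defaults.h`, `pidfile`/`argsfile` (and `olcPidFile`/`olcArgsFile`) moved to `%LOCALSTATEDIR%/run/openldap/`, `SLAPD_DEFAULT_DB_DIR` and the `directory`/`olcDbDirectory` defaults moved to `lib/openldap`, `slapd` was installed into `sbindir` instead of `libexecdir` (with the slaptools symlinks pointing there), libraries were installed mode 755, and `back_mdb.la` was enabled by default in both `slapd.conf` and `slapd.ldif`. Only the man-page portion of the replacement patch is visible in this mail; please confirm in the commit message that each of these is retained in `openldap-2.6.1-consolidated-2.patch`, since losing the socket or pidfile paths would break a running installation on upgrade.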
> diff --git a/src/patches/openldap-2.6.1-consolidated-2.patch b/src/patches/openldap-2.6.1-consolidated-2.patch
> new file mode 100644
> index 000000000..eb7396ad6
> --- /dev/null
> +++ b/src/patches/openldap-2.6.1-consolidated-2.patch
> @@ -0,0 +1,4689 @@
> +Submitted by:            Bruce Dubbs <bdubbs at linuxfromscratch.org>
> +Date:                    2012-03-26
> +Initial Package Version: 2.4.40
> +Upstream Status:         BLFS Specific
> +Origin:                  Armin K. <krejzi at email dot com> and Debian
> +Comment:                 Rediffed by Fernando de Oliveira <famobr at yahoo dot
> +                         com dot br> for version 2.4.44 - 2016.02.06
> +                         Rediffed by Pierre Labastie <pierre dot labastie at
> +                         neuf dot fr> to add mdb backend and slapd.ldif. See
> +                         ticket #7394 - 2016.02.24
> +                         Rediffed by Douglas R. Reno <renodr at linuxfromscratch
> +                         dot org> to function on 2.4.51. - 2020-08-13
> +                         Fixed the rediff to use a .c file instead of a .s, fixing
> +                         the test by Douglas R. Reno - 2020-08-13
> +                         Rediffed by Tim Tassonis <stuff at decentral.ch> to
> +                         remove now integrated symbol versioning stuff and
> +                         remove changes to now non-existent slapd-bdb.5 file - 2021-05-03
> +                         Rediffed by Douglas R. Reno - 2022-02-13 - updated man
> +                         pages for lloadd.8 and slapd.8 to use the proper path.
> +Description:             Consolidate earlier patches to:
> + 1. Update various installation options, such as ldap database path,
> +    configuration file options, slapd install location, etc.
> + 2. Remove reference to bdb module
> +
> +
> +diff -Naurp openldap-2.6.1.orig/doc/man/man5/slapd.conf.5 openldap-2.6.1/doc/man/man5/slapd.conf.5
> +--- openldap-2.6.1.orig/doc/man/man5/slapd.conf.5	2022-01-19 12:32:34.000000000 -0600
> ++++ openldap-2.6.1/doc/man/man5/slapd.conf.5	2022-02-13 15:54:13.654979570 -0600
> +@@ -2123,7 +2123,7 @@ suffix    "dc=our\-domain,dc=com"
> + # The database directory MUST exist prior to
> + # running slapd AND should only be accessible
> + # by the slapd/tools. Mode 0700 recommended.
> +-directory LOCALSTATEDIR/openldap\-data
> ++directory LOCALSTATEDIR/lib/openldap
> + # Indices to maintain
> + index     objectClass  eq
> + index     cn,sn,mail   pres,eq,approx,sub
> +diff -Naurp openldap-2.6.1.orig/doc/man/man5/slapd.conf.5.orig openldap-2.6.1/doc/man/man5/slapd.conf.5.orig
> +--- openldap-2.6.1.orig/doc/man/man5/slapd.conf.5.orig	1969-12-31 18:00:00.000000000 -0600
> ++++ openldap-2.6.1/doc/man/man5/slapd.conf.5.orig	2022-01-19 12:32:34.000000000 -0600
> +@@ -0,0 +1,2168 @@
> ++.TH SLAPD.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION"
> ++.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved.
> ++.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
> ++.\" $OpenLDAP$
> ++.SH NAME
> ++slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
> ++.SH SYNOPSIS
> ++ETCDIR/slapd.conf
> ++.SH DESCRIPTION
> ++The file
> ++.B ETCDIR/slapd.conf
> ++contains configuration information for the
> ++.BR slapd (8)
> ++daemon.  This configuration file is also used by the SLAPD tools
> ++.BR slapacl (8),
> ++.BR slapadd (8),
> ++.BR slapauth (8),
> ++.BR slapcat (8),
> ++.BR slapdn (8),
> ++.BR slapindex (8),
> ++.BR slapmodify (8),
> ++and
> ++.BR slaptest (8).
> ++.LP
> ++The
> ++.B slapd.conf
> ++file consists of a series of global configuration options that apply to
> ++.B slapd
> ++as a whole (including all backends), followed by zero or more database
> ++backend definitions that contain information specific to a backend
> ++instance.
> ++The configuration options are case-insensitive;
> ++their value, on a case by case basis, may be case-sensitive.
> ++.LP
> ++The general format of
> ++.B slapd.conf
> ++is as follows:
> ++.LP
> ++.nf
> ++    # comment - these options apply to every database
> ++    <global configuration options>
> ++    # first database definition & configuration options
> ++    database <backend 1 type>
> ++    <configuration options specific to backend 1>
> ++    # subsequent database definitions & configuration options
> ++    ...
> ++.fi
> ++.LP
> ++As many backend-specific sections as desired may be included.  Global
> ++options can be overridden in a backend (for options that appear more
> ++than once, the last appearance in the
> ++.B slapd.conf
> ++file is used).
> ++.LP
> ++If a line begins with white space, it is considered a continuation
> ++of the previous line.  No physical line should be over 2000 bytes
> ++long.
> ++.LP
> ++Blank lines and comment lines beginning with
> ++a `#' character are ignored.  Note: continuation lines are unwrapped
> ++before comment processing is applied.
> ++.LP
> ++Arguments on configuration lines are separated by white space. If an
> ++argument contains white space, the argument should be enclosed in
> ++double quotes.  If an argument contains a double quote (`"') or a
> ++backslash character (`\\'), the character should be preceded by a
> ++backslash character.
> ++.LP
> ++The specific configuration options available are discussed below in the
> ++Global Configuration Options, General Backend Options, and General Database
> ++Options.  Backend-specific options are discussed in the
> ++.B slapd\-<backend>(5)
> ++manual pages.  Refer to the "OpenLDAP Administrator's Guide" for more
> ++details on the slapd configuration file.
> ++.SH GLOBAL CONFIGURATION OPTIONS
> ++Options described in this section apply to all backends, unless specifically 
> ++overridden in a backend definition. Arguments that should be replaced by 
> ++actual text are shown in brackets <>.
> ++.TP
> ++.B access to <what> "[ by <who> <access> <control> ]+"
> ++Grant access (specified by <access>) to a set of entries and/or
> ++attributes (specified by <what>) by one or more requestors (specified
> ++by <who>).
> ++If no access controls are present, the default policy
> ++allows anyone and everyone to read anything but restricts
> ++updates to rootdn.  (e.g., "access to * by * read").
> ++The rootdn can always read and write EVERYTHING!
> ++See
> ++.BR slapd.access (5)
> ++and the "OpenLDAP's Administrator's Guide" for details.
> ++.TP
> ++.B allow <features>
> ++Specify a set of features (separated by white space) to
> ++allow (default none).
> ++.B bind_v2
> ++allows acceptance of LDAPv2 bind requests.  Note that
> ++.BR slapd (8)
> ++does not truly implement LDAPv2 (RFC 1777), now Historic (RFC 3494).
> ++.B bind_anon_cred
> ++allows anonymous bind when credentials are not empty (e.g.
> ++when DN is empty).
> ++.B bind_anon_dn
> ++allows unauthenticated (anonymous) bind when DN is not empty.
> ++.B update_anon
> ++allows unauthenticated (anonymous) update operations to be processed
> ++(subject to access controls and other administrative limits).
> ++.B proxy_authz_anon
> ++allows unauthenticated (anonymous) proxy authorization control to be processed
> ++(subject to access controls, authorization and other administrative limits).
> ++.TP
> ++.B argsfile <filename>
> ++The (absolute) name of a file that will hold the 
> ++.B slapd
> ++server's command line (program name and options).
> ++.TP
> ++.B attributeoptions [option-name]...
> ++Define tagging attribute options or option tag/range prefixes.
> ++Options must not end with `\-', prefixes must end with `\-'.
> ++The `lang\-' prefix is predefined.
> ++If you use the
> ++.B attributeoptions
> ++directive, `lang\-' will no longer be defined and you must specify it
> ++explicitly if you want it defined.
> ++
> ++An attribute description with a tagging option is a subtype of that
> ++attribute description without the option.
> ++Except for that, options defined this way have no special semantics.
> ++Prefixes defined this way work like the `lang\-' options:
> ++They define a prefix for tagging options starting with the prefix.
> ++That is, if you define the prefix `x\-foo\-', you can use the option
> ++`x\-foo\-bar'.
> ++Furthermore, in a search or compare, a prefix or range name (with
> ++a trailing `\-') matches all options starting with that name, as well
> ++as the option with the range name sans the trailing `\-'.
> ++That is, `x\-foo\-bar\-' matches `x\-foo\-bar' and `x\-foo\-bar\-baz'.
> ++
> ++RFC 4520 reserves options beginning with `x\-' for private experiments.
> ++Other options should be registered with IANA, see RFC 4520 section 3.5.
> ++OpenLDAP also has the `binary' option built in, but this is a transfer
> ++option, not a tagging option.
> ++.HP
> ++.hy 0
> ++.B attributetype "(\ <oid>\
> ++ [NAME\ <name>]\
> ++ [DESC\ <description>]\
> ++ [OBSOLETE]\
> ++ [SUP\ <oid>]\
> ++ [EQUALITY\ <oid>]\
> ++ [ORDERING\ <oid>]\
> ++ [SUBSTR\ <oid>]\
> ++ [SYNTAX\ <oidlen>]\
> ++ [SINGLE\-VALUE]\
> ++ [COLLECTIVE]\
> ++ [NO\-USER\-MODIFICATION]\
> ++ [USAGE\ <attributeUsage>]\ )"
> ++.RS
> ++Specify an attribute type using the LDAPv3 syntax defined in RFC 4512.
> ++The slapd parser extends the RFC 4512 definition by allowing string
> ++forms as well as numeric OIDs to be used for the attribute OID and
> ++attribute syntax OID.
> ++(See the
> ++.B objectidentifier
> ++description.) 
> ++.RE
> ++.TP
> ++.B authid\-rewrite<cmd> <args>
> ++Used by the authentication framework to convert simple user names
> ++to an LDAP DN used for authorization purposes.
> ++Its purpose is analogous to that of
> ++.BR authz-regexp
> ++(see below).
> ++The prefix \fIauthid\-\fP is followed by a set of rules analogous
> ++to those described in
> ++.BR slapo\-rwm (5)
> ++for data rewriting (replace the \fIrwm\-\fP prefix with \fIauthid\-\fP).
> ++.B authid\-rewrite<cmd>
> ++and
> ++.B authz\-regexp
> ++rules should not be intermixed.
> ++.TP
> ++.B authz\-policy <policy>
> ++Used to specify which rules to use for Proxy Authorization.  Proxy
> ++authorization allows a client to authenticate to the server using one
> ++user's credentials, but specify a different identity to use for authorization
> ++and access control purposes. It essentially allows user A to login as user
> ++B, using user A's password.
> ++The
> ++.B none
> ++flag disables proxy authorization. This is the default setting.
> ++The
> ++.B from
> ++flag will use rules in the
> ++.I authzFrom
> ++attribute of the authorization DN.
> ++The
> ++.B to
> ++flag will use rules in the
> ++.I authzTo
> ++attribute of the authentication DN.
> ++The
> ++.B any
> ++flag, an alias for the deprecated value of
> ++.BR both ,
> ++will allow any of the above, whatever succeeds first (checked in
> ++.BR to ,
> ++.B from
> ++sequence.
> ++The
> ++.B all
> ++flag requires both authorizations to succeed.
> ++.LP
> ++.RS
> ++The rules are mechanisms to specify which identities are allowed 
> ++to perform proxy authorization.
> ++The
> ++.I authzFrom
> ++attribute in an entry specifies which other users
> ++are allowed to proxy login to this entry. The
> ++.I authzTo
> ++attribute in
> ++an entry specifies which other users this user can authorize as.  Use of
> ++.I authzTo
> ++rules can be easily
> ++abused if users are allowed to write arbitrary values to this attribute.
> ++In general the
> ++.I authzTo
> ++attribute must be protected with ACLs such that
> ++only privileged users can modify it.
> ++The value of
> ++.I authzFrom
> ++and
> ++.I authzTo
> ++describes an 
> ++.B identity 
> ++or a set of identities; it can take five forms:
> ++.RS
> ++.TP
> ++.B ldap:///<base>??[<scope>]?<filter>
> ++.RE
> ++.RS
> ++.B dn[.<dnstyle>]:<pattern>
> ++.RE
> ++.RS
> ++.B u[.<mech>[/<realm>]]:<pattern>
> ++.RE
> ++.RS
> ++.B group[/objectClass[/attributeType]]:<pattern>
> ++.RE
> ++.RS
> ++.B <pattern>
> ++.RE
> ++.RS
> ++
> ++.B <dnstyle>:={exact|onelevel|children|subtree|regex}
> ++
> ++.RE
> ++The first form is a valid LDAP
> ++.B URI
> ++where the 
> ++.IR <host>:<port> ,
> ++the
> ++.I <attrs>
> ++and the
> ++.I <extensions>
> ++portions must be absent, so that the search occurs locally on either
> ++.I authzFrom
> ++or 
> ++.IR authzTo .
> ++
> ++.LP
> ++The second form is a 
> ++.BR DN .
> ++The optional
> ++.B dnstyle
> ++modifiers
> ++.IR exact ,
> ++.IR onelevel ,
> ++.IR children ,
> ++and
> ++.I subtree
> ++provide exact, onelevel, children and subtree matches, which cause 
> ++.I <pattern>
> ++to be normalized according to the DN normalization rules.
> ++The special
> ++.B dnstyle
> ++modifier
> ++.I regex
> ++causes the
> ++.I <pattern>
> ++to be treated as a POSIX (''extended'') regular expression, as
> ++discussed in
> ++.BR regex (7)
> ++and/or
> ++.BR re_format (7).
> ++A pattern of
> ++.I *
> ++means any non-anonymous DN.
> ++
> ++.LP
> ++The third form is a SASL
> ++.BR id .
> ++The optional fields
> ++.I <mech>
> ++and
> ++.I <realm>
> ++allow specification of a SASL
> ++.BR mechanism ,
> ++and eventually a SASL
> ++.BR realm ,
> ++for those mechanisms that support one.
> ++The need to allow the specification of a mechanism is still debated, 
> ++and users are strongly discouraged to rely on this possibility.
> ++
> ++.LP
> ++The fourth form is a group specification.
> ++It consists of the keyword
> ++.BR group ,
> ++optionally followed by the specification of the group
> ++.B objectClass
> ++and
> ++.BR attributeType .
> ++The
> ++.B objectClass
> ++defaults to
> ++.IR groupOfNames .
> ++The
> ++.B attributeType
> ++defaults to
> ++.IR member .
> ++The group with DN
> ++.B <pattern>
> ++is searched with base scope, filtered on the specified
> ++.BR objectClass .
> ++The values of the resulting
> ++.B attributeType
> ++are searched for the asserted DN.
> ++
> ++.LP
> ++The fifth form is provided for backwards compatibility.  If no identity
> ++type is provided, i.e. only
> ++.B <pattern>
> ++is present, an
> ++.I exact DN
> ++is assumed; as a consequence, 
> ++.B <pattern>
> ++is subjected to DN normalization.
> ++
> ++.LP
> ++Since the interpretation of
> ++.I authzFrom
> ++and
> ++.I authzTo
> ++can impact security, users are strongly encouraged 
> ++to explicitly set the type of identity specification that is being used.
> ++A subset of these rules can be used as third arg in the 
> ++.B authz\-regexp
> ++statement (see below); significantly, the 
> ++.IR URI ,
> ++provided it results in exactly one entry,
> ++and the
> ++.I dn.exact:<dn> 
> ++forms.
> ++.RE
> ++.TP
> ++.B authz\-regexp <match> <replace>
> ++Used by the authentication framework to convert simple user names,
> ++such as provided by SASL subsystem, or extracted from certificates
> ++in case of cert-based SASL EXTERNAL, or provided within the RFC 4370
> ++"proxied authorization" control, to an LDAP DN used for
> ++authorization purposes.  Note that the resulting DN need not refer
> ++to an existing entry to be considered valid.  When an authorization
> ++request is received from the SASL subsystem, the SASL 
> ++.BR USERNAME ,
> ++.BR REALM , 
> ++and
> ++.B MECHANISM
> ++are taken, when available, and combined into a name of the form
> ++.RS
> ++.RS
> ++.TP
> ++.B UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth
> ++
> ++.RE
> ++This name is then compared against the
> ++.B match
> ++POSIX (''extended'') regular expression, and if the match is successful,
> ++the name is replaced with the
> ++.B replace
> ++string.  If there are wildcard strings in the 
> ++.B match
> ++regular expression that are enclosed in parenthesis, e.g. 
> ++.RS
> ++.TP
> ++.B UID=([^,]*),CN=.*
> ++
> ++.RE
> ++then the portion of the name that matched the wildcard will be stored
> ++in the numbered placeholder variable $1. If there are other wildcard strings
> ++in parenthesis, the matching strings will be in $2, $3, etc. up to $9. The 
> ++placeholders can then be used in the 
> ++.B replace
> ++string, e.g. 
> ++.RS
> ++.TP
> ++.B UID=$1,OU=Accounts,DC=example,DC=com 
> ++
> ++.RE
> ++The replaced name can be either a DN, i.e. a string prefixed by "dn:",
> ++or an LDAP URI.
> ++If the latter, the server will use the URI to search its own database(s)
> ++and, if the search returns exactly one entry, the name is
> ++replaced by the DN of that entry.   The LDAP URI must have no
> ++hostport, attrs, or extensions components, but the filter is mandatory,
> ++e.g.
> ++.RS
> ++.TP
> ++.B ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)
> ++
> ++.RE
> ++The protocol portion of the URI must be strictly
> ++.BR ldap .
> ++Note that this search is subject to access controls.  Specifically,
> ++the authentication identity must have "auth" access in the subject.
> ++
> ++Multiple 
> ++.B authz\-regexp 
> ++options can be given in the configuration file to allow for multiple matching 
> ++and replacement patterns. The matching patterns are checked in the order they 
> ++appear in the file, stopping at the first successful match.
> ++
> ++.\".B Caution:
> ++.\"Because the plus sign + is a character recognized by the regular expression engine,
> ++.\"and it will appear in names that include a REALM, be careful to escape the
> ++.\"plus sign with a backslash \\+ to remove the character's special meaning.
> ++.RE
> ++.TP
> ++.B concurrency <integer>
> ++Specify a desired level of concurrency.  Provided to the underlying
> ++thread system as a hint.  The default is not to provide any hint. This setting
> ++is only meaningful on some platforms where there is not a one to one
> ++correspondence between user threads and kernel threads.
> ++.TP
> ++.B conn_max_pending <integer>
> ++Specify the maximum number of pending requests for an anonymous session.
> ++If requests are submitted faster than the server can process them, they
> ++will be queued up to this limit. If the limit is exceeded, the session
> ++is closed. The default is 100.
> ++.TP
> ++.B conn_max_pending_auth <integer>
> ++Specify the maximum number of pending requests for an authenticated session.
> ++The default is 1000.
> ++.TP
> ++.B defaultsearchbase <dn>
> ++Specify a default search base to use when client submits a
> ++non-base search request with an empty base DN.
> ++Base scoped search requests with an empty base DN are not affected.
> ++.TP
> ++.B disallow <features>
> ++Specify a set of features (separated by white space) to
> ++disallow (default none).
> ++.B bind_anon
> ++disables acceptance of anonymous bind requests.  Note that this setting
> ++does not prohibit anonymous directory access (See "require authc").
> ++.B bind_simple
> ++disables simple (bind) authentication.
> ++.B tls_2_anon
> ++disables forcing session to anonymous status (see also
> ++.BR tls_authc )
> ++upon StartTLS operation receipt.
> ++.B tls_authc
> ++disallows the StartTLS operation if authenticated (see also
> ++.BR tls_2_anon ).
> ++.B proxy_authz_non_critical
> ++disables acceptance of the proxied authorization control (RFC4370)
> ++with criticality set to FALSE.
> ++.B dontusecopy_non_critical
> ++disables acceptance of the dontUseCopy control (a work in progress)
> ++with criticality set to FALSE.
> ++.HP
> ++.hy 0
> ++.B ditcontentrule "(\ <oid>\
> ++ [NAME\ <name>]\
> ++ [DESC\ <description>]\
> ++ [OBSOLETE]\
> ++ [AUX\ <oids>]\
> ++ [MUST\ <oids>]\
> ++ [MAY\ <oids>]\
> ++ [NOT\ <oids>]\ )"
> ++.RS
> ++Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 4512.
> ++The slapd parser extends the RFC 4512 definition by allowing string
> ++forms as well as numeric OIDs to be used for the attribute OID and
> ++attribute syntax OID.
> ++(See the
> ++.B objectidentifier
> ++description.) 
> ++.RE
> ++.TP
> ++.B gentlehup { on | off }
> ++A SIGHUP signal will only cause a 'gentle' shutdown-attempt:
> ++.B Slapd
> ++will stop listening for new connections, but will not close the
> ++connections to the current clients.  Future write operations return
> ++unwilling-to-perform, though.  Slapd terminates when all clients
> ++have closed their connections (if they ever do), or \- as before \-
> ++if it receives a SIGTERM signal.  This can be useful if you wish to
> ++terminate the server and start a new
> ++.B slapd
> ++server
> ++.B with another database,
> ++without disrupting the currently active clients.
> ++The default is off.  You may wish to use
> ++.B idletimeout
> ++along with this option.
> ++.TP
> ++.B idletimeout <integer>
> ++Specify the number of seconds to wait before forcibly closing
> ++an idle client connection.  A setting of 0 disables this
> ++feature.  The default is 0. You may also want to set the
> ++.B writetimeout
> ++option.
> ++.TP
> ++.B include <filename>
> ++Read additional configuration information from the given file before
> ++continuing with the next line of the current file.
> ++.TP
> ++.B index_hash64 { on | off }
> ++Use a 64 bit hash for indexing. The default is to use 32 bit hashes.
> ++These hashes are used for equality and substring indexing. The 64 bit
> ++version may be needed to avoid index collisions when the number of
> ++indexed values exceeds ~64 million. (Note that substring indexing
> ++generates multiple index values per actual attribute value.)
> ++Indices generated with 32 bit hashes are incompatible with the 64 bit
> ++version, and vice versa. Any existing databases must be fully reloaded
> ++when changing this setting. This directive is only supported on 64 bit CPUs.
> ++.TP
> ++.B index_intlen <integer>
> ++Specify the key length for ordered integer indices. The most significant
> ++bytes of the binary integer will be used for index keys. The default
> ++value is 4, which provides exact indexing for 31 bit values.
> ++A floating point representation is used to index too large values.
> ++.TP
> ++.B index_substr_if_maxlen <integer>
> ++Specify the maximum length for subinitial and subfinal indices. Only
> ++this many characters of an attribute value will be processed by the
> ++indexing functions; any excess characters are ignored. The default is 4.
> ++.TP
> ++.B index_substr_if_minlen <integer>
> ++Specify the minimum length for subinitial and subfinal indices. An
> ++attribute value must have at least this many characters in order to be
> ++processed by the indexing functions. The default is 2.
> ++.TP
> ++.B index_substr_any_len <integer>
> ++Specify the length used for subany indices. An attribute value must have
> ++at least this many characters in order to be processed. Attribute values
> ++longer than this length will be processed in segments of this length. The
> ++default is 4. The subany index will also be used in subinitial and
> ++subfinal index lookups when the filter string is longer than the
> ++.I index_substr_if_maxlen
> ++value.
> ++.TP
> ++.B index_substr_any_step <integer>
> ++Specify the steps used in subany index lookups. This value sets the offset
> ++for the segments of a filter string that are processed for a subany index
> ++lookup. The default is 2. For example, with the default values, a search
> ++using this filter "cn=*abcdefgh*" would generate index lookups for
> ++"abcd", "cdef", and "efgh".
> ++
> ++.LP
> ++Note: Indexing support depends on the particular backend in use. Also,
> ++changing these settings will generally require deleting any indices that
> ++depend on these parameters and recreating them with
> ++.BR slapindex (8).
> ++
> ++.HP
> ++.hy 0
> ++.B ldapsyntax "(\ <oid>\
> ++ [DESC\ <description>]\
> ++ [X\-SUBST <substitute-syntax>]\ )"
> ++.RS
> ++Specify an LDAP syntax using the LDAPv3 syntax defined in RFC 4512.
> ++The slapd parser extends the RFC 4512 definition by allowing string
> ++forms as well as numeric OIDs to be used for the syntax OID.
> ++(See the
> ++.B objectidentifier
> ++description.) 
> ++The slapd parser also honors the
> ++.B X\-SUBST
> ++extension (an OpenLDAP-specific extension), which allows one to use the
> ++.B ldapsyntax
> ++statement to define a non-implemented syntax along with another syntax,
> ++the extension value
> ++.IR substitute-syntax ,
> ++as its temporary replacement.
> ++The
> ++.I substitute-syntax
> ++must be defined.
> ++This allows one to define attribute types that make use of non-implemented syntaxes
> ++using the correct syntax OID.
> ++Unless 
> ++.B X\-SUBST
> ++is used, this configuration statement would result in an error,
> ++since no handlers would be associated to the resulting syntax structure.
> ++.RE
> ++
> ++.TP
> ++.B listener-threads <integer>
> ++Specify the number of threads to use for the connection manager.
> ++The default is 1 and this is typically adequate for up to 16 CPU cores.
> ++The value should be set to a power of 2.
> ++.TP
> ++.B localSSF <SSF>
> ++Specifies the Security Strength Factor (SSF) to be given local LDAP sessions,
> ++such as those to the ldapi:// listener.  For a description of SSF values,
> ++see 
> ++.BR sasl-secprops 's
> ++.B minssf
> ++option description.  The default is 71.
> ++.TP
> ++.B logfile <filename>
> ++Specify a file for recording slapd debug messages. By default these messages
> ++only go to stderr, are not recorded anywhere else, and are unrelated to
> ++messages exposed by the
> ++.B loglevel
> ++configuration parameter. Specifying a logfile copies messages to both stderr
> ++and the logfile.
> ++.TP
> ++.B logfile-format debug | syslog-utc | syslog-localtime
> ++Specify the prefix format for messages written to the logfile. The debug
> ++format is the normal format used for slapd debug messages, with a timestamp
> ++in hexadecimal, followed by a thread ID.  The other options are to
> ++use syslog(3) style prefixes, with timestamps either in UTC or in the
> ++local timezone. The default is debug format.
> ++.TP
> ++.B logfile-only on | off
> ++Specify that debug messages should only go to the configured logfile, and
> ++not to stderr.
> ++.TP
> ++.B logfile-rotate <max> <Mbytes> <hours>
> ++Specify automatic rotation for the configured logfile as the maximum
> ++number of old logfiles to retain, a maximum size in megabytes to allow a
> ++logfile to grow before rotation, and a maximum age in hours for a logfile
> ++to be used before rotation. The maximum number must be in the range 1-99.
> ++Setting Mbytes or hours to zero disables the size or age check, respectively.
> ++At least one of Mbytes or hours must be non-zero. By default no automatic
> ++rotation will be performed.
> ++.TP
> ++.B loglevel <integer> [...]
> ++Specify the level at which debugging statements and operation 
> ++statistics should be syslogged (currently logged to the
> ++.BR syslogd (8) 
> ++LOG_LOCAL4 facility).
> ++They must be considered subsystems rather than increasingly verbose 
> ++log levels.
> ++Some messages with higher priority are logged regardless 
> ++of the configured loglevel as soon as any logging is configured.
> ++Log levels are additive, and available levels are:
> ++.RS
> ++.RS
> ++.PD 0
> ++.TP
> ++.B 1
> ++.B (0x1 trace)
> ++trace function calls
> ++.TP
> ++.B 2
> ++.B (0x2 packets)
> ++debug packet handling
> ++.TP
> ++.B 4
> ++.B (0x4 args)
> ++heavy trace debugging (function args)
> ++.TP
> ++.B 8
> ++.B (0x8 conns)
> ++connection management
> ++.TP
> ++.B 16
> ++.B (0x10 BER)
> ++print out packets sent and received
> ++.TP
> ++.B 32
> ++.B (0x20 filter)
> ++search filter processing
> ++.TP
> ++.B 64
> ++.B (0x40 config)
> ++configuration file processing
> ++.TP
> ++.B 128
> ++.B (0x80 ACL)
> ++access control list processing
> ++.TP
> ++.B 256
> ++.B (0x100 stats)
> ++connections, LDAP operations, results (recommended)
> ++.TP
> ++.B 512
> ++.B (0x200 stats2)
> ++stats2 log entries sent
> ++.TP
> ++.B 1024
> ++.B (0x400 shell)
> ++print communication with shell backends
> ++.TP
> ++.B 2048
> ++.B (0x800 parse)
> ++entry parsing
> ++\".TP
> ++\".B 4096
> ++\".B (0x1000 cache)
> ++\"caching (unused)
> ++\".TP
> ++\".B 8192
> ++\".B (0x2000 index)
> ++\"data indexing (unused)
> ++.TP
> ++.B 16384
> ++.B (0x4000 sync)
> ++LDAPSync replication
> ++.TP
> ++.B 32768
> ++.B (0x8000 none)
> ++only messages that get logged whatever log level is set
> ++.PD
> ++.RE
> ++The desired log level can be input as a single integer that combines 
> ++the (ORed) desired levels, both in decimal or in hexadecimal notation,
> ++as a list of integers (that are ORed internally),
> ++or as a list of the names that are shown between parentheses, such that
> ++.LP
> ++.nf
> ++    loglevel 129
> ++    loglevel 0x81
> ++    loglevel 128 1
> ++    loglevel 0x80 0x1
> ++    loglevel acl trace
> ++.fi
> ++.LP
> ++are equivalent.
> ++The keyword 
> ++.B any
> ++can be used as a shortcut to enable logging at all levels (equivalent to \-1).
> ++The keyword
> ++.BR none ,
> ++or the equivalent integer representation, causes those messages
> ++that are logged regardless of the configured loglevel to be logged.
> ++In fact, if loglevel is set to 0, no logging occurs, 
> ++so at least the 
> ++.B none
> ++level is required to have high priority messages logged.
> ++
> ++Note that the
> ++.BR packets ,
> ++.BR BER ,
> ++and
> ++.B parse
> ++levels are only available as debug output on stderr, and are not
> ++sent to syslog.
> ++
> ++The loglevel defaults to \fBstats\fP.
> ++This level should usually also be included when using other loglevels, to
> ++help analyze the logs.
> ++.RE
> ++.TP
> ++.B maxfilterdepth <integer>
> ++Specify the maximum depth of nested filters in search requests.
> ++The default is 1000.
> ++.TP
> ++.B moduleload <filename> [<arguments>...]
> ++Specify the name of a dynamically loadable module to load and any
> ++additional arguments if supported by the module. The filename
> ++may be an absolute path name or a simple filename. Non-absolute names
> ++are searched for in the directories specified by the
> ++.B modulepath
> ++option. This option and the
> ++.B modulepath
> ++option are only usable if slapd was compiled with \-\-enable\-modules.
> ++.TP
> ++.B modulepath <pathspec>
> ++Specify a list of directories to search for loadable modules. Typically
> ++the path is colon-separated but this depends on the operating system.
> ++The default is MODULEDIR, which is where the standard OpenLDAP install
> ++will place its modules.
> ++.HP
> ++.hy 0
> ++.B objectclass "(\ <oid>\
> ++ [NAME\ <name>]\
> ++ [DESC\ <description>]\
> ++ [OBSOLETE]\
> ++ [SUP\ <oids>]\
> ++ [{ ABSTRACT | STRUCTURAL | AUXILIARY }]\
> ++ [MUST\ <oids>] [MAY\ <oids>] )"
> ++.RS
> ++Specify an objectclass using the LDAPv3 syntax defined in RFC 4512.
> ++The slapd parser extends the RFC 4512 definition by allowing string
> ++forms as well as numeric OIDs to be used for the object class OID.
> ++(See the
> ++.B
> ++objectidentifier
> ++description.)  Object classes are "STRUCTURAL" by default.
> ++.RE
> ++.TP
> ++.B objectidentifier <name> "{ <oid> | <name>[:<suffix>] }"
> ++Define a string name that equates to the given OID. The string can be used
> ++in place of the numeric OID in objectclass and attribute definitions. The
> ++name can also be used with a suffix of the form ":xx" in which case the
> ++value "oid.xx" will be used.
> ++.TP
> ++.B password\-hash <hash> [<hash>...]
> ++This option configures one or more hashes to be used in generation of user
> ++passwords stored in the userPassword attribute during processing of
> ++LDAP Password Modify Extended Operations (RFC 3062).
> ++The <hash> must be one of
> ++.BR {SSHA} ,
> ++.BR {SHA} ,
> ++.BR {SMD5} ,
> ++.BR {MD5} ,
> ++.BR {CRYPT} ,
> ++and
> ++.BR {CLEARTEXT} .
> ++The default is
> ++.BR {SSHA} .
> ++
> ++.B {SHA}
> ++and
> ++.B {SSHA}
> ++use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.
> ++
> ++.B {MD5}
> ++and
> ++.B {SMD5}
> ++use the MD5 algorithm (RFC 1321), the latter with a seed.
> ++
> ++.B {CRYPT}
> ++uses the
> ++.BR crypt (3).
> ++
> ++.B {CLEARTEXT}
> ++indicates that the new password should be
> ++added to userPassword as clear text.
> ++
> ++Note that this option does not alter the normal user applications
> ++handling of userPassword during LDAP Add, Modify, or other LDAP operations.
> ++.TP
> ++.B password\-crypt\-salt\-format <format>
> ++Specify the format of the salt passed to
> ++.BR crypt (3)
> ++when generating {CRYPT} passwords (see
> ++.BR password\-hash )
> ++during processing of LDAP Password Modify Extended Operations (RFC 3062).
> ++
> ++This string needs to be in
> ++.BR sprintf (3)
> ++format and may include one (and only one) %s conversion.
> ++This conversion will be substituted with a string of random
> ++characters from [A\-Za\-z0\-9./].  For example, "%.2s"
> ++provides a two character salt and "$1$%.8s" tells some
> ++versions of crypt(3) to use an MD5 algorithm and provides
> ++8 random characters of salt.  The default is "%s", which
> ++provides 31 characters of salt.
> ++.TP
> ++.B pidfile <filename>
> ++The (absolute) name of a file that will hold the 
> ++.B slapd
> ++server's process ID (see
> ++.BR getpid (2)).
> ++.TP
> ++.B pluginlog: <filename>
> ++The ( absolute ) name of a file that will contain log
> ++messages from
> ++.B SLAPI
> ++plugins. See
> ++.BR slapd.plugin (5)
> ++for details.
> ++.TP
> ++.B referral <url>
> ++Specify the referral to pass back when
> ++.BR slapd (8)
> ++cannot find a local database to handle a request.
> ++If specified multiple times, each url is provided.
> ++.TP
> ++.B require <conditions>
> ++Specify a set of conditions (separated by white space) to
> ++require (default none).
> ++The directive may be specified globally and/or per-database;
> ++databases inherit global conditions, so per-database specifications
> ++are additive.
> ++.B bind
> ++requires bind operation prior to directory operations.
> ++.B LDAPv3
> ++requires session to be using LDAP version 3.
> ++.B authc
> ++requires authentication prior to directory operations.
> ++.B SASL
> ++requires SASL authentication prior to directory operations.
> ++.B strong
> ++requires strong authentication prior to directory operations.
> ++The strong keyword allows protected "simple" authentication
> ++as well as SASL authentication.
> ++.B none
> ++may be used to require no conditions (useful to clear out globally
> ++set conditions within a particular database); it must occur first
> ++in the list of conditions.
> ++.TP
> ++.B reverse\-lookup on | off
> ++Enable/disable client name unverified reverse lookup (default is 
> ++.BR off 
> ++if compiled with \-\-enable\-rlookups).
> ++.TP
> ++.B rootDSE <file>
> ++Specify the name of an LDIF(5) file containing user defined attributes
> ++for the root DSE.  These attributes are returned in addition to the
> ++attributes normally produced by slapd.
> ++
> ++The root DSE is an entry with information about the server and its
> ++capabilities, in operational attributes.
> ++It has the empty DN, and can be read with e.g.:
> ++.ti +4
> ++ldapsearch \-x \-b "" \-s base "+"
> ++.br
> ++See RFC 4512 section 5.1 for details.
> ++.TP
> ++.B sasl\-auxprops <plugin> [...]
> ++Specify which auxprop plugins to use for authentication lookups. The
> ++default is empty, which just uses slapd's internal support. Usually
> ++no other auxprop plugins are needed.
> ++.TP
> ++.B sasl\-auxprops\-dontusecopy <attr> [...]
> ++Specify which attribute(s) should be subject to the don't use copy control. This
> ++is necessary for some SASL mechanisms such as OTP to work in a replicated
> ++environment. The attribute "cmusaslsecretOTP" is the default value.
> ++.TP
> ++.B sasl\-auxprops\-dontusecopy\-ignore on | off
> ++Used to disable replication of the attribute(s) defined by
> ++sasl-auxprops-dontusecopy and instead use a local value for the attribute. This
> ++allows the SASL mechanism to continue to work if the provider is offline. This can
> ++cause replication inconsistency. Defaults to off.
> ++.TP
> ++.B sasl\-host <fqdn>
> ++Used to specify the fully qualified domain name used for SASL processing.
> ++.TP
> ++.B sasl\-realm <realm>
> ++Specify SASL realm.  Default is empty.
> ++.TP
> ++.B sasl\-cbinding none | tls-unique | tls-endpoint
> ++Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING.
> ++Default is none.
> ++.TP
> ++.B sasl\-secprops <properties>
> ++Used to specify Cyrus SASL security properties.
> ++The
> ++.B none
> ++flag (without any other properties) causes the flag properties
> ++default, "noanonymous,noplain", to be cleared.
> ++The
> ++.B noplain
> ++flag disables mechanisms susceptible to simple passive attacks.
> ++The
> ++.B noactive
> ++flag disables mechanisms susceptible to active attacks.
> ++The
> ++.B nodict
> ++flag disables mechanisms susceptible to passive dictionary attacks.
> ++The
> ++.B noanonymous
> ++flag disables mechanisms which support anonymous login.
> ++The
> ++.B forwardsec
> ++flag require forward secrecy between sessions.
> ++The
> ++.B passcred
> ++require mechanisms which pass client credentials (and allow
> ++mechanisms which can pass credentials to do so).
> ++The
> ++.B minssf=<factor> 
> ++property specifies the minimum acceptable
> ++.I security strength factor
> ++as an integer approximate to effective key length used for
> ++encryption.  0 (zero) implies no protection, 1 implies integrity
> ++protection only, 128 allows RC4, Blowfish and other similar ciphers,
> ++256 will require modern ciphers.  The default is 0.
> ++The
> ++.B maxssf=<factor> 
> ++property specifies the maximum acceptable
> ++.I security strength factor
> ++as an integer (see minssf description).  The default is INT_MAX.
> ++The
> ++.B maxbufsize=<size> 
> ++property specifies the maximum security layer receive buffer
> ++size allowed.  0 disables security layers.  The default is 65536.
> ++.TP
> ++.B schemadn <dn>
> ++Specify the distinguished name for the subschema subentry that
> ++controls the entries on this server.  The default is "cn=Subschema".
> ++.TP
> ++.B security <factors>
> ++Specify a set of security strength factors (separated by white space)
> ++to require (see
> ++.BR sasl\-secprops 's
> ++.B minssf
> ++option for a description of security strength factors).
> ++The directive may be specified globally and/or per-database.
> ++.B ssf=<n>
> ++specifies the overall security strength factor.
> ++.B transport=<n>
> ++specifies the transport security strength factor.
> ++.B tls=<n>
> ++specifies the TLS security strength factor.
> ++.B sasl=<n>
> ++specifies the SASL security strength factor.
> ++.B update_ssf=<n>
> ++specifies the overall security strength factor to require for
> ++directory updates.
> ++.B update_transport=<n>
> ++specifies the transport security strength factor to require for
> ++directory updates.
> ++.B update_tls=<n>
> ++specifies the TLS security strength factor to require for
> ++directory updates.
> ++.B update_sasl=<n>
> ++specifies the SASL security strength factor to require for
> ++directory updates.
> ++.B simple_bind=<n>
> ++specifies the security strength factor required for
> ++.I simple
> ++username/password authentication.
> ++Note that the
> ++.B transport
> ++factor is measure of security provided by the underlying transport,
> ++e.g. ldapi:// (and eventually IPSEC).  It is not normally used.
> ++.TP
> ++.B serverID <integer> [<URL>]
> ++Specify an integer ID from 0 to 4095 for this server. The ID may also be
> ++specified as a hexadecimal ID by prefixing the value with "0x".
> ++Non-zero IDs are required when using multi-provider replication and each
> ++provider must have a unique non-zero ID. Note that this requirement also
> ++applies to separate providers contributing to a glued set of databases.
> ++If the URL is provided, this directive may be specified
> ++multiple times, providing a complete list of participating servers
> ++and their IDs. The fully qualified hostname of each server should be
> ++used in the supplied URLs. The IDs are used in the "replica id" field
> ++of all CSNs generated by the specified server. The default value is zero, which
> ++is only valid for single provider replication.
> ++Example:
> ++.LP
> ++.nf
> ++	serverID 1 ldap://ldap1.example.com
> ++	serverID 2 ldap://ldap2.example.com
> ++.fi
> ++.TP
> ++.B sizelimit {<integer>|unlimited}
> ++.TP
> ++.B sizelimit size[.{soft|hard}]=<integer> [...]
> ++Specify the maximum number of entries to return from a search operation.
> ++The default size limit is 500.
> ++Use
> ++.B unlimited
> ++to specify no limits.
> ++The second format allows a fine grain setting of the size limits.
> ++If no special qualifiers are specified, both soft and hard limits are set.
> ++Extra args can be added on the same line.
> ++Additional qualifiers are available; see
> ++.BR limits
> ++for an explanation of all of the different flags.
> ++.TP
> ++.B sockbuf_max_incoming <integer>
> ++Specify the maximum incoming LDAP PDU size for anonymous sessions.
> ++The default is 262143.
> ++.TP
> ++.B sockbuf_max_incoming_auth <integer>
> ++Specify the maximum incoming LDAP PDU size for authenticated sessions.
> ++The default is 4194303.
> ++.TP
> ++.B sortvals <attr> [...]
> ++Specify a list of multi-valued attributes whose values will always
> ++be maintained in sorted order. Using this option will allow Modify,
> ++Compare, and filter evaluations on these attributes to be performed
> ++more efficiently. The resulting sort order depends on the
> ++attributes' syntax and matching rules and may not correspond to
> ++lexical order or any other recognizable order.
> ++.TP
> ++.B tcp-buffer [listener=<URL>] [{read|write}=]<size>
> ++Specify the size of the TCP buffer.
> ++A global value for both read and write TCP buffers related to any listener
> ++is defined, unless the listener is explicitly specified,
> ++or either the read or write qualifiers are used.
> ++See
> ++.BR tcp (7)
> ++for details.
> ++Note that some OS-es implement automatic TCP buffer tuning.
> ++.TP
> ++.B threads <integer>
> ++Specify the maximum size of the primary thread pool.
> ++The default is 16; the minimum value is 2.
> ++.TP
> ++.B threadqueues <integer>
> ++Specify the number of work queues to use for the primary thread pool.
> ++The default is 1 and this is typically adequate for up to 8 CPU cores.
> ++The value should not exceed the number of CPUs in the system.
> ++.TP
> ++.B timelimit {<integer>|unlimited}
> ++.TP
> ++.B timelimit time[.{soft|hard}]=<integer> [...]
> ++Specify the maximum number of seconds (in real time)
> ++.B slapd
> ++will spend answering a search request.  The default time limit is 3600.
> ++Use
> ++.B unlimited
> ++to specify no limits.
> ++The second format allows a fine grain setting of the time limits.
> ++Extra args can be added on the same line.  See
> ++.BR limits
> ++for an explanation of the different flags.
> ++.TP
> ++.B tool\-threads <integer>
> ++Specify the maximum number of threads to use in tool mode.
> ++This should not be greater than the number of CPUs in the system.
> ++The default is 1.
> ++.TP
> ++.B writetimeout <integer>
> ++Specify the number of seconds to wait before forcibly closing
> ++a connection with an outstanding write. This allows recovery from
> ++various network hang conditions.  A writetimeout of 0 disables this
> ++feature.  The default is 0.
> ++.SH TLS OPTIONS
> ++If
> ++.B slapd
> ++is built with support for Transport Layer Security, there are more options
> ++you can specify.
> ++.TP
> ++.B TLSCipherSuite <cipher-suite-spec>
> ++Permits configuring what ciphers will be accepted and the preference order.
> ++<cipher-suite-spec> should be a cipher specification for the TLS library
> ++in use (OpenSSL or GnuTLS).
> ++Example:
> ++.RS
> ++.RS
> ++.TP
> ++.I OpenSSL:
> ++TLSCipherSuite HIGH:MEDIUM:+SSLv2
> ++.TP
> ++.I GnuTLS:
> ++TLSCiphersuite SECURE256:!AES-128-CBC
> ++.RE
> ++
> ++To check what ciphers a given spec selects in OpenSSL, use:
> ++
> ++.nf
> ++	openssl ciphers \-v <cipher-suite-spec>
> ++.fi
> ++
> ++With GnuTLS the available specs can be found in the manual page of 
> ++.BR gnutls\-cli (1)
> ++(see the description of the 
> ++option
> ++.BR \-\-priority ).
> ++
> ++In older versions of GnuTLS, where gnutls\-cli does not support the option
> ++\-\-priority, you can obtain the \(em more limited \(em list of ciphers by calling:
> ++
> ++.nf
> ++	gnutls\-cli \-l
> ++.fi
> ++.RE
> ++.TP
> ++.B TLSCACertificateFile <filename>
> ++Specifies the file that contains certificates for all of the Certificate
> ++Authorities that
> ++.B slapd
> ++will recognize.  The certificate for
> ++the CA that signed the server certificate must(GnuTLS)/may(OpenSSL) be included among
> ++these certificates. If the signing CA was not a top-level (root) CA,
> ++certificates for the entire sequence of CA's from the signing CA to
> ++the top-level CA should be present. Multiple certificates are simply
> ++appended to the file; the order is not significant.
> ++.TP
> ++.B TLSCACertificatePath <path>
> ++Specifies the path of directories that contain Certificate Authority
> ++certificates in separate individual files. Usually only one of this
> ++or the TLSCACertificateFile is used. If both are specified, both
> ++locations will be used. Multiple directories may be specified,
> ++separated by a semi-colon.
> ++.TP
> ++.B TLSCertificateFile <filename>
> ++Specifies the file that contains the
> ++.B slapd
> ++server certificate.
> ++
> ++When using OpenSSL that file may also contain any number of intermediate
> ++certificates after the server certificate.
> ++.TP
> ++.B TLSCertificateKeyFile <filename>
> ++Specifies the file that contains the
> ++.B slapd
> ++server private key that matches the certificate stored in the
> ++.B TLSCertificateFile
> ++file.  Currently, the private key must not be protected with a password, so
> ++it is of critical importance that it is protected carefully. 
> ++.TP
> ++.B TLSDHParamFile <filename>
> ++This directive specifies the file that contains parameters for Diffie-Hellman
> ++ephemeral key exchange.  This is required in order to use a DSA certificate on
> ++the server, or an RSA certificate missing the "key encipherment" key usage.
> ++Note that setting this option may also enable
> ++Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
> ++Anonymous key exchanges should generally be avoided since they provide no
> ++actual client or server authentication and provide no protection against
> ++man-in-the-middle attacks.
> ++You should append "!ADH" to your cipher suites to ensure that these suites
> ++are not used.
> ++.TP
> ++.B TLSECName <name>
> ++Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman
> ++ephemeral key exchange.  This option is only used for OpenSSL.
> ++This option is not used with GnuTLS; the curves may be
> ++chosen in the GnuTLS ciphersuite specification.
> ++.TP
> ++.B TLSProtocolMin <major>[.<minor>]
> ++Specifies minimum SSL/TLS protocol version that will be negotiated.
> ++If the server doesn't support at least that version,
> ++the SSL handshake will fail.
> ++To require TLS 1.x or higher, set this option to 3.(x+1),
> ++e.g.,
> ++
> ++.nf
> ++	TLSProtocolMin 3.2
> ++.fi
> ++
> ++would require TLS 1.1.
> ++Specifying a minimum that is higher than that supported by the
> ++OpenLDAP implementation will result in it requiring the
> ++highest level that it does support.
> ++This directive is ignored with GnuTLS.
> ++.TP
> ++.B TLSRandFile <filename>
> ++Specifies the file to obtain random bits from when /dev/[u]random
> ++is not available.  Generally set to the name of the EGD/PRNGD socket.
> ++The environment variable RANDFILE can also be used to specify the filename.
> ++This directive is ignored with GnuTLS.
> ++.TP
> ++.B TLSVerifyClient <level>
> ++Specifies what checks to perform on client certificates in an
> ++incoming TLS session, if any.
> ++The
> ++.B <level>
> ++can be specified as one of the following keywords:
> ++.RS
> ++.TP
> ++.B never
> ++This is the default.
> ++.B slapd
> ++will not ask the client for a certificate.
> ++.TP
> ++.B allow
> ++The client certificate is requested.  If no certificate is provided,
> ++the session proceeds normally.  If a bad certificate is provided,
> ++it will be ignored and the session proceeds normally.
> ++.TP
> ++.B try
> ++The client certificate is requested.  If no certificate is provided,
> ++the session proceeds normally.  If a bad certificate is provided,
> ++the session is immediately terminated.
> ++.TP
> ++.B demand | hard | true
> ++These keywords are all equivalent, for compatibility reasons.
> ++The client certificate is requested.  If no certificate is provided,
> ++or a bad certificate is provided, the session is immediately terminated.
> ++
> ++Note that a valid client certificate is required in order to use the
> ++SASL EXTERNAL authentication mechanism with a TLS session.  As such,
> ++a non-default
> ++.B TLSVerifyClient
> ++setting must be chosen to enable SASL EXTERNAL authentication.
> ++.RE
> ++.TP
> ++.B TLSCRLCheck <level>
> ++Specifies if the Certificate Revocation List (CRL) of the CA should be 
> ++used to verify if the client certificates have not been revoked. This
> ++requires
> ++.B TLSCACertificatePath
> ++parameter to be set. This directive is ignored with GnuTLS.
> ++.B <level>
> ++can be specified as one of the following keywords:
> ++.RS
> ++.TP
> ++.B none
> ++No CRL checks are performed
> ++.TP
> ++.B peer
> ++Check the CRL of the peer certificate
> ++.TP
> ++.B all
> ++Check the CRL for a whole certificate chain
> ++.RE
> ++.TP
> ++.B TLSCRLFile <filename>
> ++Specifies a file containing a Certificate Revocation List to be used
> ++for verifying that certificates have not been revoked. This directive is
> ++only valid when using GnuTLS.
> ++.SH GENERAL BACKEND OPTIONS
> ++Options in this section only apply to the configuration file section
> ++of all instances of the specified backend.  All backends may support
> ++this class of options, but currently only back-mdb does.
> ++.TP
> ++.B backend <databasetype>
> ++Mark the beginning of a backend definition. <databasetype>
> ++should be one of
> ++.BR asyncmeta ,
> ++.BR config ,
> ++.BR dnssrv ,
> ++.BR ldap ,
> ++.BR ldif ,
> ++.BR mdb ,
> ++.BR meta ,
> ++.BR monitor ,
> ++.BR null ,
> ++.BR passwd ,
> ++.BR perl ,
> ++.BR relay ,
> ++.BR sock ,
> ++.BR sql ,
> ++or
> ++.BR wt .
> ++At present, only back-mdb implements any options of this type, so this
> ++setting is not needed for any other backends.
> ++
> ++.SH GENERAL DATABASE OPTIONS
> ++Options in this section only apply to the configuration file section
> ++for the database in which they are defined.  They are supported by every
> ++type of backend.  Note that the
> ++.B database
> ++and at least one
> ++.B suffix
> ++option are mandatory for each database.
> ++.TP
> ++.B database <databasetype>
> ++Mark the beginning of a new database instance definition. <databasetype>
> ++should be one of
> ++.BR asyncmeta ,
> ++.BR config ,
> ++.BR dnssrv ,
> ++.BR ldap ,
> ++.BR ldif ,
> ++.BR mdb ,
> ++.BR meta ,
> ++.BR monitor ,
> ++.BR null ,
> ++.BR passwd ,
> ++.BR perl ,
> ++.BR relay ,
> ++.BR sock ,
> ++.BR sql ,
> ++or
> ++.BR wt ,
> ++depending on which backend will serve the database.
> ++
> ++LDAP operations, even subtree searches, normally access only one
> ++database.
> ++That can be changed by gluing databases together with the
> ++.B subordinate
> ++keyword.
> ++Access controls and some overlays can also involve multiple databases.
> ++.TP
> ++.B add_content_acl on | off
> ++Controls whether Add operations will perform ACL checks on
> ++the content of the entry being added. This check is off
> ++by default. See the
> ++.BR slapd.access (5)
> ++manual page for more details on ACL requirements for
> ++Add operations.
> ++.TP
> ++.B extra_attrs <attrlist>
> ++Lists what attributes need to be added to search requests.
> ++Local storage backends return the entire entry to the frontend.
> ++The frontend takes care of only returning the requested attributes
> ++that are allowed by ACLs.
> ++However, features like access checking and so may need specific
> ++attributes that are not automatically returned by remote storage
> ++backends, like proxy backends and so on.
> ++.B <attrlist>
> ++is a list of attributes that are needed for internal purposes
> ++and thus always need to be collected, even when not explicitly
> ++requested by clients.
> ++.TP
> ++.B hidden on | off
> ++Controls whether the database will be used to answer
> ++queries. A database that is hidden will never be
> ++selected to answer any queries, and any suffix configured
> ++on the database will be ignored in checks for conflicts
> ++with other databases. By default, hidden is off.
> ++.TP
> ++.B lastmod on | off
> ++Controls whether
> ++.B slapd
> ++will automatically maintain the 
> ++modifiersName, modifyTimestamp, creatorsName, and 
> ++createTimestamp attributes for entries. It also controls
> ++the entryCSN and entryUUID attributes, which are needed
> ++by the syncrepl provider. By default, lastmod is on.
> ++.TP
> ++.B lastbind on | off
> ++Controls whether
> ++.B slapd
> ++will automatically maintain the pwdLastSuccess attribute for
> ++entries. By default, lastbind is off.
> ++.TP
> ++.B lastbind-precision <integer>
> ++If lastbind is enabled, specifies how frequently pwdLastSuccess
> ++will be updated. More than
> ++.B integer
> ++seconds must have passed since the last successful bind. In a
> ++replicated environment with frequent bind activity it may be
> ++useful to set this to a large value.
> ++.TP
> ++.B limits <selector> <limit> [<limit> [...]]
> ++Specify time and size limits based on the operation's initiator or
> ++base DN.
> ++The argument
> ++.B <selector>
> ++can be any of
> ++.RS
> ++.RS
> ++.TP
> ++anonymous | users | [<dnspec>=]<pattern> | group[/oc[/at]]=<pattern>
> ++
> ++.RE
> ++with
> ++.RS
> ++.TP
> ++<dnspec> ::= dn[.<type>][.<style>]
> ++.TP
> ++<type>  ::= self | this
> ++.TP
> ++<style> ::= exact | base | onelevel | subtree | children | regex | anonymous
> ++
> ++.RE
> ++DN type
> ++.B self
> ++is the default and means the bound user, while
> ++.B this
> ++means the base DN of the operation.
> ++The term
> ++.B anonymous
> ++matches all unauthenticated clients.
> ++The term
> ++.B users
> ++matches all authenticated clients;
> ++otherwise an
> ++.B exact
> ++dn pattern is assumed unless otherwise specified by qualifying 
> ++the (optional) key string
> ++.B dn
> ++with 
> ++.B exact
> ++or
> ++.B base
> ++(which are synonyms), to require an exact match; with
> ++.BR onelevel , 
> ++to require exactly one level of depth match; with
> ++.BR subtree ,
> ++to allow any level of depth match, including the exact match; with
> ++.BR children ,
> ++to allow any level of depth match, not including the exact match;
> ++.BR regex
> ++explicitly requires the (default) match based on POSIX (''extended'')
> ++regular expression pattern.
> ++Finally,
> ++.B anonymous
> ++matches unbound operations; the 
> ++.B pattern
> ++field is ignored.
> ++The same behavior is obtained by using the 
> ++.B anonymous
> ++form of the
> ++.B <selector>
> ++clause.
> ++The term
> ++.BR group ,
> ++with the optional objectClass
> ++.B oc
> ++and attributeType
> ++.B at
> ++fields, followed by
> ++.BR pattern ,
> ++sets the limits for any DN listed in the values of the
> ++.B at
> ++attribute (default
> ++.BR member )
> ++of the 
> ++.B oc
> ++group objectClass (default
> ++.BR groupOfNames )
> ++whose DN exactly matches
> ++.BR pattern .
> ++
> ++The currently supported limits are 
> ++.B size
> ++and 
> ++.BR time .
> ++
> ++The syntax for time limits is 
> ++.BR time[.{soft|hard}]=<integer> ,
> ++where 
> ++.I integer
> ++is the number of seconds slapd will spend answering a search request.
> ++If no time limit is explicitly requested by the client, the 
> ++.BR soft
> ++limit is used; if the requested time limit exceeds the
> ++.BR hard
> ++.\"limit, an
> ++.\".I "Administrative limit exceeded"
> ++.\"error is returned.
> ++limit, the value of the limit is used instead.
> ++If the
> ++.BR hard
> ++limit is set to the keyword 
> ++.IR soft ,
> ++the soft limit is used in either case; if it is set to the keyword 
> ++.IR unlimited , 
> ++no hard limit is enforced.
> ++Explicit requests for time limits smaller or equal to the
> ++.BR hard 
> ++limit are honored.
> ++If no limit specifier is set, the value is assigned to the 
> ++.BR soft 
> ++limit, and the
> ++.BR hard
> ++limit is set to
> ++.IR soft ,
> ++to preserve the original behavior.
> ++
> ++The syntax for size limits is
> ++.BR size[.{soft|hard|unchecked}]=<integer> ,
> ++where
> ++.I integer
> ++is the maximum number of entries slapd will return answering a search 
> ++request.
> ++If no size limit is explicitly requested by the client, the
> ++.BR soft
> ++limit is used; if the requested size limit exceeds the
> ++.BR hard
> ++.\"limit, an 
> ++.\".I "Administrative limit exceeded"
> ++.\"error is returned.
> ++limit, the value of the limit is used instead.
> ++If the 
> ++.BR hard
> ++limit is set to the keyword 
> ++.IR soft , 
> ++the soft limit is used in either case; if it is set to the keyword
> ++.IR unlimited , 
> ++no hard limit is enforced.
> ++Explicit requests for size limits smaller or equal to the
> ++.BR hard
> ++limit are honored.
> ++The
> ++.BR unchecked
> ++specifier sets a limit on the number of candidates a search request is allowed
> ++to examine.
> ++The rationale behind it is that searches for non-properly indexed
> ++attributes may result in large sets of candidates, which must be 
> ++examined by
> ++.BR slapd (8)
> ++to determine whether they match the search filter or not.
> ++The
> ++.B unchecked
> ++limit provides a means to drop such operations before they are even 
> ++started.
> ++If the selected candidates exceed the 
> ++.BR unchecked
> ++limit, the search will abort with 
> ++.IR "Unwilling to perform" .
> ++If it is set to the keyword 
> ++.IR unlimited , 
> ++no limit is applied (the default).
> ++If it is set to
> ++.IR disabled ,
> ++the search is not even performed; this can be used to disallow searches
> ++for a specific set of users.
> ++If no limit specifier is set, the value is assigned to the
> ++.BR soft 
> ++limit, and the
> ++.BR hard
> ++limit is set to
> ++.IR soft ,
> ++to preserve the original behavior.
> ++
> ++In case of no match, the global limits are used.
> ++The default values are the same as for
> ++.B sizelimit
> ++and
> ++.BR timelimit ;
> ++no limit is set on 
> ++.BR unchecked .
> ++
> ++If 
> ++.B pagedResults
> ++control is requested, the 
> ++.B hard
> ++size limit is used by default, because the request of a specific page size
> ++is considered an explicit request for a limitation on the number
> ++of entries to be returned.
> ++However, the size limit applies to the total count of entries returned within
> ++the search, and not to a single page.
> ++Additional size limits may be enforced; the syntax is
> ++.BR size.pr={<integer>|noEstimate|unlimited} ,
> ++where
> ++.I integer
> ++is the max page size if no explicit limit is set; the keyword
> ++.I noEstimate
> ++inhibits the server from returning an estimate of the total number
> ++of entries that might be returned
> ++(note: the current implementation does not return any estimate).
> ++The keyword
> ++.I unlimited
> ++indicates that no limit is applied to the pagedResults control page size.
> ++The syntax
> ++.B size.prtotal={<integer>|hard|unlimited|disabled}
> ++allows one to set a limit on the total number of entries that the pagedResults
> ++control will return.
> ++By default it is set to the 
> ++.B hard
> ++limit which will use the size.hard value.
> ++When set, 
> ++.I integer
> ++is the max number of entries that the whole search with pagedResults control
> ++can return.
> ++Use 
> ++.I unlimited
> ++to allow unlimited number of entries to be returned, e.g. to allow
> ++the use of the pagedResults control as a means to circumvent size 
> ++limitations on regular searches; the keyword
> ++.I disabled
> ++disables the control, i.e. no paged results can be returned.
> ++Note that the total number of entries returned when the pagedResults control
> ++is requested cannot exceed the 
> ++.B hard 
> ++size limit of regular searches unless extended by the
> ++.B prtotal
> ++switch.
> ++
> ++The \fBlimits\fP statement is typically used to let an unlimited
> ++number of entries be returned by searches performed
> ++with the identity used by the consumer for synchronization purposes
> ++by means of the RFC 4533 LDAP Content Synchronization protocol
> ++(see \fBsyncrepl\fP for details).
> ++
> ++When using subordinate databases, it is necessary for any limits that
> ++are to be applied across the parent and its subordinates to be defined in
> ++both the parent and its subordinates. Otherwise the settings on the
> ++subordinate databases are not honored.
> ++.RE
> ++.TP
> ++.B maxderefdepth <depth>
> ++Specifies the maximum number of aliases to dereference when trying to
> ++resolve an entry, used to avoid infinite alias loops. The default is 15.
> ++.TP
> ++.B multiprovider on | off
> ++This option puts a consumer database into Multi-Provider mode.  Update
> ++operations will be accepted from any user, not just the updatedn.  The
> ++database must already be configured as a syncrepl consumer
> ++before this keyword may be set. This mode also requires a
> ++.B serverID
> ++(see above) to be configured.
> ++By default, multiprovider is off.
> ++.TP
> ++.B monitoring on | off
> ++This option enables database-specific monitoring in the entry related
> ++to the current database in the "cn=Databases,cn=Monitor" subtree 
> ++of the monitor database, if the monitor database is enabled.
> ++Currently, only the MDB database provides database-specific monitoring.
> ++If monitoring is supported by the backend it defaults to on, otherwise
> ++off.
> ++.TP
> ++.B overlay <overlay-name>
> ++Add the specified overlay to this database. An overlay is a piece of
> ++code that intercepts database operations in order to extend or change
> ++them. Overlays are pushed onto
> ++a stack over the database, and so they will execute in the reverse
> ++of the order in which they were configured and the database itself
> ++will receive control last of all. See the
> ++.BR slapd.overlays (5)
> ++manual page for an overview of the available overlays.
> ++Note that all of the database's
> ++regular settings should be configured before any overlay settings.
> ++.TP
> ++.B readonly on | off
> ++This option puts the database into "read-only" mode.  Any attempts to 
> ++modify the database will return an "unwilling to perform" error.  By
> ++default, readonly is off.
> ++.TP
> ++.B restrict <oplist>
> ++Specify a whitespace separated list of operations that are restricted.
> ++If defined inside a database specification, restrictions apply only
> ++to that database, otherwise they are global.
> ++Operations can be any of 
> ++.BR add ,
> ++.BR bind ,
> ++.BR compare ,
> ++.BR delete ,
> ++.BR extended[=<OID>] ,
> ++.BR modify ,
> ++.BR rename ,
> ++.BR search ,
> ++or the special pseudo-operations
> ++.B read
> ++and
> ++.BR write ,
> ++which respectively summarize read and write operations.
> ++The use of 
> ++.I restrict write
> ++is equivalent to 
> ++.I readonly on
> ++(see above).
> ++The 
> ++.B extended
> ++keyword allows one to indicate the OID of the specific operation
> ++to be restricted.
> ++.TP
> ++.B rootdn <dn>
> ++Specify the distinguished name that is not subject to access control 
> ++or administrative limit restrictions for operations on this database.
> ++This DN may or may not be associated with an entry.  An empty root
> ++DN (the default) specifies no root access is to be granted.  It is
> ++recommended that the rootdn only be specified when needed (such as
> ++when initially populating a database).  If the rootdn is within
> ++a namingContext (suffix) of the database, a simple bind password
> ++may also be provided using the
> ++.B rootpw
> ++directive. Many optional features, including syncrepl, require the
> ++rootdn to be defined for the database.
> ++.TP
> ++.B rootpw <password>
> ++Specify a password (or hash of the password) for the rootdn.  The
> ++password can only be set if the rootdn is within the namingContext
> ++(suffix) of the database.
> ++This option accepts all RFC 2307 userPassword formats known to
> ++the server (see 
> ++.B password\-hash
> ++description) as well as cleartext.
> ++.BR slappasswd (8) 
> ++may be used to generate a hash of a password.  Cleartext
> ++and \fB{CRYPT}\fP passwords are not recommended.  If empty
> ++(the default), authentication of the root DN is by other means
> ++(e.g. SASL).  Use of SASL is encouraged.
> ++.TP
> ++.B suffix <dn suffix>
> ++Specify the DN suffix of queries that will be passed to this 
> ++backend database.  Multiple suffix lines can be given and at least one is 
> ++required for each database definition.
> ++
> ++If the suffix of one database is "inside" that of another, the database
> ++with the inner suffix must come first in the configuration file.
> ++You may also want to glue such databases together with the
> ++.B subordinate
> ++keyword.
> ++.TP
> ++.B subordinate [advertise]
> ++Specify that the current backend database is a subordinate of another
> ++backend database. A subordinate  database may have only one suffix. This
> ++option may be used to glue multiple databases into a single namingContext.
> ++If the suffix of the current database is within the namingContext of a
> ++superior database, searches against the superior database will be
> ++propagated to the subordinate as well. All of the databases
> ++associated with a single namingContext should have identical rootdns.
> ++Behavior of other LDAP operations is unaffected by this setting. In
> ++particular, it is not possible to use moddn to move an entry from
> ++one subordinate to another subordinate within the namingContext.
> ++
> ++If the optional \fBadvertise\fP flag is supplied, the naming context of
> ++this database is advertised in the root DSE. The default is to hide this
> ++database context, so that only the superior context is visible.
> ++
> ++If the slap tools
> ++.BR slapcat (8),
> ++.BR slapadd (8),
> ++.BR slapmodify (8),
> ++or
> ++.BR slapindex (8)
> ++are used on the superior database, any glued subordinates that support
> ++these tools are opened as well.
> ++
> ++Databases that are glued together should usually be configured with the
> ++same indices (assuming they support indexing), even for attributes that
> ++only exist in some of these databases. In general, all of the glued
> ++databases should be configured as similarly as possible, since the intent
> ++is to provide the appearance of a single directory.
> ++
> ++Note that the \fIsubordinate\fP functionality is implemented internally
> ++by the \fIglue\fP overlay and as such its behavior will interact with other
> ++overlays in use. By default, the glue overlay is automatically configured as
> ++the last overlay on the superior backend. Its position on the backend
> ++can be explicitly configured by setting an \fBoverlay glue\fP directive
> ++at the desired position. This explicit configuration is necessary e.g.
> ++when using the \fIsyncprov\fP overlay, which needs to follow \fIglue\fP
> ++in order to work over all of the glued databases. E.g.
> ++.RS
> ++.nf
> ++	database mdb
> ++	suffix dc=example,dc=com
> ++	...
> ++	overlay glue
> ++	overlay syncprov
> ++.fi
> ++.RE
> ++.TP
> ++.B sync_use_subentry 
> ++Store the syncrepl contextCSN in a subentry instead of the context entry
> ++of the database. The subentry's RDN will be "cn=ldapsync". By default
> ++the contextCSN is stored in the context entry.
> ++.HP
> ++.hy 0
> ++.B syncrepl rid=<replica ID>
> ++.B provider=ldap[s]://<hostname>[:port]
> ++.B searchbase=<base DN>
> ++.B [type=refreshOnly|refreshAndPersist]
> ++.B [interval=dd:hh:mm:ss]
> ++.B [retry=[<retry interval> <# of retries>]+]
> ++.B [filter=<filter str>]
> ++.B [scope=sub|one|base|subord]
> ++.B [attrs=<attr list>]
> ++.B [exattrs=<attr list>]
> ++.B [attrsonly]
> ++.B [sizelimit=<limit>]
> ++.B [timelimit=<limit>]
> ++.B [schemachecking=on|off]
> ++.B [network\-timeout=<seconds>]
> ++.B [timeout=<seconds>]
> ++.B [tcp\-user\-timeout=<milliseconds>]
> ++.B [bindmethod=simple|sasl]
> ++.B [binddn=<dn>]
> ++.B [saslmech=<mech>]
> ++.B [authcid=<identity>]
> ++.B [authzid=<identity>]
> ++.B [credentials=<passwd>]
> ++.B [realm=<realm>]
> ++.B [secprops=<properties>]
> ++.B [keepalive=<idle>:<probes>:<interval>]
> ++.B [starttls=yes|critical]
> ++.B [tls_cert=<file>]
> ++.B [tls_key=<file>]
> ++.B [tls_cacert=<file>]
> ++.B [tls_cacertdir=<path>]
> ++.B [tls_reqcert=never|allow|try|demand]
> ++.B [tls_reqsan=never|allow|try|demand]
> ++.B [tls_cipher_suite=<ciphers>]
> ++.B [tls_ecname=<names>]
> ++.B [tls_crlcheck=none|peer|all]
> ++.B [tls_protocol_min=<major>[.<minor>]]
> ++.B [suffixmassage=<real DN>]
> ++.B [logbase=<base DN>]
> ++.B [logfilter=<filter str>]
> ++.B [syncdata=default|accesslog|changelog]
> ++.B [lazycommit]
> ++.RS
> ++Specify the current database as a consumer which is kept up-to-date with the 
> ++provider content by establishing the current
> ++.BR slapd (8)
> ++as a replication consumer site running a
> ++.B syncrepl
> ++replication engine.
> ++The consumer content is kept synchronized to the provider content using
> ++the LDAP Content Synchronization protocol. Refer to the
> ++"OpenLDAP Administrator's Guide" for detailed information on
> ++setting up a replicated
> ++.B slapd
> ++directory service using the 
> ++.B syncrepl
> ++replication engine.
> ++
> ++.B rid
> ++identifies the current
> ++.B syncrepl
> ++directive within the replication consumer site.
> ++It is a non-negative integer not greater than 999 (limited
> ++to three decimal digits).
> ++
> ++.B provider
> ++specifies the replication provider site containing the provider content
> ++as an LDAP URI. If <port> is not given, the standard LDAP port number
> ++(389 or 636) is used.
> ++
> ++The content of the
> ++.B syncrepl
> ++consumer is defined using a search
> ++specification as its result set. The consumer
> ++.B slapd
> ++will send search requests to the provider
> ++.B slapd
> ++according to the search specification. The search specification includes
> ++.BR searchbase ", " scope ", " filter ", " attrs ", " attrsonly ", " sizelimit ", "
> ++and
> ++.B timelimit
> ++parameters as in the normal search specification. The
> ++.B exattrs
> ++option may also be used to specify attributes that should be omitted
> ++from incoming entries.
> ++The \fBscope\fP defaults to \fBsub\fP, the \fBfilter\fP defaults to
> ++\fB(objectclass=*)\fP, and there is no default \fBsearchbase\fP. The
> ++\fBattrs\fP list defaults to \fB"*,+"\fP to return all user and operational
> ++attributes, and \fBattrsonly\fP and \fBexattrs\fP are unset by default.
> ++The \fBsizelimit\fP and \fBtimelimit\fP only
> ++accept "unlimited" and positive integers, and both default to "unlimited".
> ++The \fBsizelimit\fP and \fBtimelimit\fP parameters define
> ++a consumer requested limitation on the number of entries that can be returned
> ++by the LDAP Content Synchronization operation; as such, it is intended
> ++to implement partial replication based on the size of the replicated database
> ++and on the time required by the synchronization.
> ++Note, however, that any provider-side limits for the replication identity
> ++will be enforced by the provider regardless of the limits requested
> ++by the LDAP Content Synchronization operation, much like for any other
> ++search operation.
> ++
> ++The LDAP Content Synchronization protocol has two operation types.
> ++In the
> ++.B refreshOnly
> ++operation, the next synchronization search operation
> ++is periodically rescheduled at an interval time (specified by 
> ++.B interval
> ++parameter; 1 day by default)
> ++after each synchronization operation finishes.
> ++In the
> ++.B refreshAndPersist
> ++operation, a synchronization search remains persistent in the provider slapd.
> ++Further updates to the provider will generate
> ++.B searchResultEntry
> ++to the consumer slapd as the search responses to the persistent
> ++synchronization search. If the initial search fails due to an error, the
> ++next synchronization search operation is periodically rescheduled at an
> ++interval time (specified by
> ++.B interval
> ++parameter; 1 day by default)
> ++
> ++If an error occurs during replication, the consumer will attempt to
> ++reconnect according to the
> ++.B retry
> ++parameter which is a list of the <retry interval> and <# of retries> pairs.
> ++For example, retry="60 10 300 3" lets the consumer retry every 60 seconds
> ++for the first 10 times and then retry every 300 seconds for the next 3
> ++times before stop retrying. The `+' in <# of retries> means indefinite
> ++number of retries until success.
> ++If no 
> ++.B retry
> ++is specified, by default syncrepl retries every hour forever.
> ++
> ++The schema checking can be enforced at the LDAP Sync
> ++consumer site by turning on the
> ++.B schemachecking
> ++parameter. The default is \fBoff\fP.
> ++Schema checking \fBon\fP means that replicated entries must have
> ++a structural objectClass, must obey to objectClass requirements
> ++in terms of required/allowed attributes, and that naming attributes
> ++and distinguished values must be present.
> ++As a consequence, schema checking should be \fBoff\fP when partial
> ++replication is used.
> ++
> ++The
> ++.B network\-timeout
> ++parameter sets how long the consumer will wait to establish a
> ++network connection to the provider. Once a connection is
> ++established, the
> ++.B timeout
> ++parameter determines how long the consumer will wait for the initial
> ++Bind request to complete. The defaults for these parameters come
> ++from 
> ++.BR ldap.conf (5).
> ++The
> ++.B tcp\-user\-timeout
> ++parameter, if non-zero, corresponds to the
> ++.B TCP_USER_TIMEOUT
> ++set on the target connections, overriding the operating system setting.
> ++Only some systems support the customization of this parameter, it is
> ++ignored otherwise and system-wide settings are used.
> ++
> ++A
> ++.B bindmethod
> ++of 
> ++.B simple
> ++requires the options 
> ++.B binddn
> ++and 
> ++.B credentials
> ++and should only be used when adequate security services
> ++(e.g. TLS or IPSEC) are in place.
> ++.B REMEMBER: simple bind credentials must be in cleartext!
> ++A
> ++.B bindmethod
> ++of
> ++.B sasl
> ++requires the option
> ++.B saslmech.
> ++Depending on the mechanism, an authentication identity and/or
> ++credentials can be specified using
> ++.B authcid
> ++and
> ++.B credentials.
> ++The
> ++.B authzid
> ++parameter may be used to specify an authorization identity.
> ++Specific security properties (as with the
> ++.B sasl\-secprops
> ++keyword above) for a SASL bind can be set with the
> ++.B secprops
> ++option. A non default SASL realm can be set with the
> ++.B realm 
> ++option.
> ++The identity used for synchronization by the consumer should be allowed
> ++to receive an unlimited number of entries in response to a search request.
> ++The provider, other than allowing authentication of the syncrepl identity,
> ++should grant that identity appropriate access privileges to the data 
> ++that is being replicated (\fBaccess\fP directive), and appropriate time 
> ++and size limits.
> ++This can be accomplished by either allowing unlimited \fBsizelimit\fP
> ++and \fBtimelimit\fP, or by setting an appropriate \fBlimits\fP statement
> ++in the consumer's configuration (see \fBsizelimit\fP and \fBlimits\fP
> ++for details).
> ++
> ++The
> ++.B keepalive
> ++parameter sets the values of \fIidle\fP, \fIprobes\fP, and \fIinterval\fP
> ++used to check whether a socket is alive;
> ++.I idle
> ++is the number of seconds a connection needs to remain idle before TCP 
> ++starts sending keepalive probes;
> ++.I probes
> ++is the maximum number of keepalive probes TCP should send before dropping
> ++the connection;
> ++.I interval
> ++is interval in seconds between individual keepalive probes.
> ++Only some systems support the customization of these values;
> ++the
> ++.B keepalive
> ++parameter is ignored otherwise, and system-wide settings are used.
> ++
> ++The
> ++.B starttls
> ++parameter specifies use of the StartTLS extended operation
> ++to establish a TLS session before Binding to the provider. If the
> ++.B critical
> ++argument is supplied, the session will be aborted if the StartTLS request
> ++fails. Otherwise the syncrepl session continues without TLS. The
> ++.B tls_reqcert
> ++setting defaults to "demand", the
> ++.B tls_reqsan
> ++setting defaults to "allow", and the other TLS settings
> ++default to the same as the main slapd TLS settings.
> ++
> ++The
> ++.B suffixmassage
> ++parameter allows the consumer to pull entries from a remote directory
> ++whose DN suffix differs from the local directory. The portion of the
> ++remote entries' DNs that matches the \fIsearchbase\fP will be replaced
> ++with the suffixmassage DN.
> ++
> ++Rather than replicating whole entries, the consumer can query logs of
> ++data modifications. This mode of operation is referred to as \fIdelta
> ++syncrepl\fP. In addition to the above parameters, the
> ++.B logbase
> ++and
> ++.B logfilter
> ++parameters must be set appropriately for the log that will be used. The
> ++.B syncdata
> ++parameter must be set to either "accesslog" if the log conforms to the
> ++.BR slapo\-accesslog (5)
> ++log format, or "changelog" if the log conforms
> ++to the obsolete \fIchangelog\fP format. If the
> ++.B syncdata
> ++parameter is omitted or set to "default" then the log parameters are
> ++ignored.
> ++
> ++The
> ++.B lazycommit
> ++parameter tells the underlying database that it can store changes without
> ++performing a full flush after each change. This may improve performance
> ++for the consumer, while sacrificing safety or durability.
> ++.RE
> ++.TP
> ++.B updatedn <dn>
> ++This option is only applicable in a replica
> ++database.
> ++It specifies the DN permitted to update (subject to access controls)
> ++the replica.  It is only needed in certain push-mode
> ++replication scenarios.  Generally, this DN
> ++.I should not
> ++be the same as the
> ++.B rootdn 
> ++used at the provider.
> ++.TP
> ++.B updateref <url>
> ++Specify the referral to pass back when
> ++.BR slapd (8)
> ++is asked to modify a replicated local database.
> ++If specified multiple times, each url is provided.
> ++
> ++.SH DATABASE-SPECIFIC OPTIONS
> ++Each database may allow specific configuration options; they are
> ++documented separately in the backends' manual pages. See the
> ++.BR slapd.backends (5)
> ++manual page for an overview of available backends.
> ++.SH EXAMPLES
> ++.LP
> ++Here is a short example of a configuration file:
> ++.LP
> ++.RS
> ++.nf
> ++include   SYSCONFDIR/schema/core.schema
> ++pidfile   LOCALSTATEDIR/run/slapd.pid
> ++
> ++# Subtypes of "name" (e.g. "cn" and "ou") with the
> ++# option ";x\-hidden" can be searched for/compared,
> ++# but are not shown.  See \fBslapd.access\fP(5).
> ++attributeoptions x\-hidden lang\-
> ++access to attrs=name;x\-hidden by * =cs
> ++
> ++# Protect passwords.  See \fBslapd.access\fP(5).
> ++access    to attrs=userPassword  by * auth
> ++# Read access to other attributes and entries.
> ++access    to *  by * read
> ++
> ++database  mdb
> ++suffix    "dc=our\-domain,dc=com"
> ++# The database directory MUST exist prior to
> ++# running slapd AND should only be accessible
> ++# by the slapd/tools. Mode 0700 recommended.
> ++directory LOCALSTATEDIR/openldap\-data
> ++# Indices to maintain
> ++index     objectClass  eq
> ++index     cn,sn,mail   pres,eq,approx,sub
> ++
> ++# We serve small clients that do not handle referrals,
> ++# so handle remote lookups on their behalf.
> ++database  ldap
> ++suffix    ""
> ++uri       ldap://ldap.some\-server.com/
> ++lastmod   off
> ++.fi
> ++.RE
> ++.LP
> ++"OpenLDAP Administrator's Guide" contains a longer annotated
> ++example of a configuration file.
> ++The original ETCDIR/slapd.conf is another example.
> ++.SH FILES
> ++.TP
> ++ETCDIR/slapd.conf
> ++default slapd configuration file
> ++.SH SEE ALSO
> ++.BR ldap (3),
> ++.BR gnutls\-cli (1),
> ++.BR slapd\-config (5),
> ++.BR slapd.access (5),
> ++.BR slapd.backends (5),
> ++.BR slapd.overlays (5),
> ++.BR slapd.plugin (5),
> ++.BR slapd (8),
> ++.BR slapacl (8),
> ++.BR slapadd (8),
> ++.BR slapauth (8),
> ++.BR slapcat (8),
> ++.BR slapdn (8),
> ++.BR slapindex (8),
> ++.BR slapmodify (8),
> ++.BR slappasswd (8),
> ++.BR slaptest (8).
> ++.LP
> ++"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
> ++.SH ACKNOWLEDGEMENTS
> ++.so ../Project
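Review bot: the EXAMPLES block in this slapd.conf.5 text still reads `directory LOCALSTATEDIR/openldap\-data` (with the "Mode 0700 recommended" comment above it), while the slapd-config.5 hunk further down in this same patch rewrites the equivalent example to `olcDbDirectory: LOCALSTATEDIR/lib/openldap`. If this is the live slapd.conf.5 rather than a left-over backup copy, the two manpages would now document different default database directories; please apply the same path change here so the slapd.conf(5) and slapd-config(5) examples agree, or, if this file is a stray backup, drop it from the consolidated patch.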
> +diff -Naurp openldap-2.6.1.orig/doc/man/man5/slapd-config.5 openldap-2.6.1/doc/man/man5/slapd-config.5
> +--- openldap-2.6.1.orig/doc/man/man5/slapd-config.5	2022-01-19 12:32:34.000000000 -0600
> ++++ openldap-2.6.1/doc/man/man5/slapd-config.5	2022-02-13 15:54:13.654979570 -0600
> +@@ -2234,7 +2234,7 @@ olcSuffix: "dc=our\-domain,dc=com"
> + # The database directory MUST exist prior to
> + # running slapd AND should only be accessible
> + # by the slapd/tools. Mode 0700 recommended.
> +-olcDbDirectory: LOCALSTATEDIR/openldap\-data
> ++olcDbDirectory: LOCALSTATEDIR/lib/openldap
> + # Indices to maintain
> + olcDbIndex:     objectClass  eq
> + olcDbIndex:     cn,sn,mail   pres,eq,approx,sub
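Review bot: the example path change `olcDbDirectory: LOCALSTATEDIR/openldap\-data` to `LOCALSTATEDIR/lib/openldap` is fine as a documentation adjustment, but it is out of step with the slapd.conf.5 EXAMPLES text earlier in this patch, which still shows `directory LOCALSTATEDIR/openldap\-data`. Suggest patching both examples identically, and confirming that the packaging actually creates that directory restricted to the slapd user with the 0700 mode the surrounding comment recommends, so the manpage does not point administrators at a path the package does not provision.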
> +diff -Naurp openldap-2.6.1.orig/doc/man/man5/slapd-config.5.orig openldap-2.6.1/doc/man/man5/slapd-config.5.orig
> +--- openldap-2.6.1.orig/doc/man/man5/slapd-config.5.orig	1969-12-31 18:00:00.000000000 -0600
> ++++ openldap-2.6.1/doc/man/man5/slapd-config.5.orig	2022-01-19 12:32:34.000000000 -0600
> +@@ -0,0 +1,2303 @@
> ++.TH SLAPD-CONFIG 5 "RELEASEDATE" "OpenLDAP LDVERSION"
> ++.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved.
> ++.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
> ++.\" $OpenLDAP$
> ++.SH NAME
> ++slapd\-config \- configuration backend to slapd
> ++.SH SYNOPSIS
> ++ETCDIR/slapd.d
> ++.SH DESCRIPTION
> ++The
> ++.B config
> ++backend manages all of the configuration information for the
> ++.BR slapd (8)
> ++daemon.  This configuration information is also used by the SLAPD tools
> ++.BR slapacl (8),
> ++.BR slapadd (8),
> ++.BR slapauth (8),
> ++.BR slapcat (8),
> ++.BR slapdn (8),
> ++.BR slapindex (8),
> ++.BR slapmodify (8),
> ++and
> ++.BR slaptest (8).
> ++.LP
> ++The
> ++.B config
> ++backend is backward compatible with the older
> ++.BR slapd.conf (5)
> ++file but provides the ability to change the configuration dynamically
> ++at runtime. If slapd is run with only a
> ++.B slapd.conf
> ++file dynamic changes will be allowed but they will not persist across
> ++a server restart. Dynamic changes are only saved when slapd is running
> ++from a
> ++.B slapd.d
> ++configuration directory.
> ++.LP
> ++
> ++Unlike other backends, there can only be one instance of the
> ++.B config
> ++backend, and most of its structure is predefined. The root of the
> ++database is hardcoded to
> ++.B "cn=config"
> ++and this root entry contains
> ++global settings for slapd. Multiple child entries underneath the
> ++root entry are used to carry various other settings:
> ++.RS
> ++.TP
> ++.B cn=Module
> ++dynamically loaded modules
> ++.TP
> ++.B cn=Schema
> ++schema definitions
> ++.TP
> ++.B olcBackend=xxx
> ++backend-specific settings
> ++.TP
> ++.B olcDatabase=xxx
> ++database-specific settings
> ++.RE
> ++
> ++The
> ++.B cn=Module
> ++entries will only appear in configurations where slapd
> ++was built with support for dynamically loaded modules. There can be
> ++multiple entries, one for each configured module path. Within each
> ++entry there will be values recorded for each module loaded on a
> ++given path. These entries have no children.
> ++
> ++The
> ++.B cn=Schema
> ++entry contains all of the hardcoded schema elements.
> ++The children of this entry contain all user-defined schema elements.
> ++In schema that were loaded from include files, the child entry will
> ++be named after the include file from which the schema was loaded.
> ++Typically the first child in this subtree will be
> ++.BR cn=core,cn=schema,cn=config .
> ++
> ++.B olcBackend
> ++entries are for storing settings specific to a single
> ++backend type (and thus global to all database instances of that type).
> ++At present, only back-mdb implements any options of this type, so this
> ++setting is not needed for any other backends.
> ++
> ++.B olcDatabase
> ++entries store settings specific to a single database
> ++instance. These entries may have
> ++.B olcOverlay
> ++child entries corresponding
> ++to any overlays configured on the database. The olcDatabase and
> ++olcOverlay entries may also have miscellaneous child entries for
> ++other settings as needed. There are two special database entries
> ++that are predefined \- one is an entry for the config database itself,
> ++and the other is for the "frontend" database. Settings in the
> ++frontend database are inherited by the other databases, unless
> ++they are explicitly overridden in a specific database.
> ++.LP
> ++The specific configuration options available are discussed below in the
> ++Global Configuration Options, General Backend Options, and General Database
> ++Options. Options are set by defining LDAP attributes with specific values.
> ++In general the names of the LDAP attributes are the same as the corresponding
> ++.B slapd.conf
> ++keyword, with an "olc" prefix added on.
> ++
> ++The parser for many of these attributes is the same as used for parsing
> ++the slapd.conf keywords. As such, slapd.conf keywords that allow multiple
> ++items to be specified on one line, separated by whitespace, will allow
> ++multiple items to be specified in one attribute value. However, when
> ++reading the attribute via LDAP, the items will be returned as individual
> ++attribute values.
> ++
> ++Backend-specific options are discussed in the
> ++.B slapd\-<backend>(5)
> ++manual pages.  Refer to the "OpenLDAP Administrator's Guide" for more
> ++details on configuring slapd.
> ++.SH GLOBAL CONFIGURATION OPTIONS
> ++Options described in this section apply to the server as a whole.
> ++Arguments that should be replaced by 
> ++actual text are shown in brackets <>.
> ++
> ++These options may only be specified in the
> ++.B cn=config
> ++entry. This entry must have an objectClass of
> ++.BR olcGlobal .
> ++
> ++.TP
> ++.B olcAllows: <features>
> ++Specify a set of features to allow (default none).
> ++.B bind_v2
> ++allows acceptance of LDAPv2 bind requests.  Note that
> ++.BR slapd (8)
> ++does not truly implement LDAPv2 (RFC 1777), now Historic (RFC 3494).
> ++.B bind_anon_cred
> ++allows anonymous bind when credentials are not empty (e.g.
> ++when DN is empty).
> ++.B bind_anon_dn
> ++allows unauthenticated (anonymous) bind when DN is not empty.
> ++.B update_anon
> ++allows unauthenticated (anonymous) update operations to be processed
> ++(subject to access controls and other administrative limits).
> ++.B proxy_authz_anon
> ++allows unauthenticated (anonymous) proxy authorization control to be processed
> ++(subject to access controls, authorization and other administrative limits).
> ++.TP
> ++.B olcArgsFile: <filename>
> ++The (absolute) name of a file that will hold the 
> ++.B slapd
> ++server's command line (program name and options).
> ++.TP
> ++.B olcAttributeOptions: <option-name>...
> ++Define tagging attribute options or option tag/range prefixes.
> ++Options must not end with `\-', prefixes must end with `\-'.
> ++The `lang\-' prefix is predefined.
> ++If you use the
> ++.B olcAttributeOptions
> ++directive, `lang\-' will no longer be defined and you must specify it
> ++explicitly if you want it defined.
> ++
> ++An attribute description with a tagging option is a subtype of that
> ++attribute description without the option.
> ++Except for that, options defined this way have no special semantics.
> ++Prefixes defined this way work like the `lang\-' options:
> ++They define a prefix for tagging options starting with the prefix.
> ++That is, if you define the prefix `x\-foo\-', you can use the option
> ++`x\-foo\-bar'.
> ++Furthermore, in a search or compare, a prefix or range name (with
> ++a trailing `\-') matches all options starting with that name, as well
> ++as the option with the range name sans the trailing `\-'.
> ++That is, `x\-foo\-bar\-' matches `x\-foo\-bar' and `x\-foo\-bar\-baz'.
> ++
> ++RFC 4520 reserves options beginning with `x\-' for private experiments.
> ++Other options should be registered with IANA, see RFC 4520 section 3.5.
> ++OpenLDAP also has the `binary' option built in, but this is a transfer
> ++option, not a tagging option.
> ++.TP
> ++.B olcAuthIDRewrite: <rewrite\-rule>
> ++Used by the authentication framework to convert simple user names
> ++to an LDAP DN used for authorization purposes.
> ++Its purpose is analogous to that of
> ++.BR olcAuthzRegexp
> ++(see below).
> ++The
> ++.B rewrite\-rule
> ++is a set of rules analogous to those described in
> ++.BR slapo\-rwm (5)
> ++for data rewriting (after stripping the \fIrwm\-\fP prefix).
> ++.B olcAuthIDRewrite
> ++and
> ++.B olcAuthzRegexp
> ++should not be intermixed.
> ++.TP
> ++.B olcAuthzPolicy: <policy>
> ++Used to specify which rules to use for Proxy Authorization.  Proxy
> ++authorization allows a client to authenticate to the server using one
> ++user's credentials, but specify a different identity to use for authorization
> ++and access control purposes. It essentially allows user A to login as user
> ++B, using user A's password.
> ++The
> ++.B none
> ++flag disables proxy authorization. This is the default setting.
> ++The
> ++.B from
> ++flag will use rules in the
> ++.I authzFrom
> ++attribute of the authorization DN.
> ++The
> ++.B to
> ++flag will use rules in the
> ++.I authzTo
> ++attribute of the authentication DN.
> ++The
> ++.B any
> ++flag, an alias for the deprecated value of
> ++.BR both ,
> ++will allow any of the above, whatever succeeds first (checked in
> ++.BR to ,
> ++.B from
> ++sequence.
> ++The
> ++.B all
> ++flag requires both authorizations to succeed.
> ++.LP
> ++.RS
> ++The rules are mechanisms to specify which identities are allowed 
> ++to perform proxy authorization.
> ++The
> ++.I authzFrom
> ++attribute in an entry specifies which other users
> ++are allowed to proxy login to this entry. The
> ++.I authzTo
> ++attribute in
> ++an entry specifies which other users this user can authorize as.  Use of
> ++.I authzTo
> ++rules can be easily
> ++abused if users are allowed to write arbitrary values to this attribute.
> ++In general the
> ++.I authzTo
> ++attribute must be protected with ACLs such that
> ++only privileged users can modify it.
> ++The value of
> ++.I authzFrom
> ++and
> ++.I authzTo
> ++describes an 
> ++.B identity 
> ++or a set of identities; it can take five forms:
> ++.RS
> ++.TP
> ++.B ldap:///<base>??[<scope>]?<filter>
> ++.RE
> ++.RS
> ++.B dn[.<dnstyle>]:<pattern>
> ++.RE
> ++.RS
> ++.B u[.<mech>[<realm>]]:<pattern>
> ++.RE
> ++.RS
> ++.B group[/objectClass[/attributeType]]:<pattern>
> ++.RE
> ++.RS
> ++.B <pattern>
> ++.RE
> ++.RS
> ++
> ++.B <dnstyle>:={exact|onelevel|children|subtree|regex}
> ++
> ++.RE
> ++The first form is a valid LDAP
> ++.B URI
> ++where the 
> ++.IR <host>:<port> ,
> ++the
> ++.I <attrs>
> ++and the
> ++.I <extensions>
> ++portions must be absent, so that the search occurs locally on either
> ++.I authzFrom
> ++or 
> ++.IR authzTo .
> ++
> ++.LP
> ++The second form is a 
> ++.BR DN ,
> ++with the optional style modifiers
> ++.IR exact ,
> ++.IR onelevel ,
> ++.IR children ,
> ++and
> ++.I subtree
> ++for exact, onelevel, children and subtree matches, which cause 
> ++.I <pattern>
> ++to be normalized according to the DN normalization rules, or the special
> ++.I regex
> ++style, which causes the
> ++.I <pattern>
> ++to be treated as a POSIX (''extended'') regular expression, as
> ++discussed in
> ++.BR regex (7)
> ++and/or
> ++.BR re_format (7).
> ++A pattern of
> ++.I *
> ++means any non-anonymous DN.
> ++
> ++.LP
> ++The third form is a SASL
> ++.BR id ,
> ++with the optional fields
> ++.I <mech>
> ++and
> ++.I <realm>
> ++that allow to specify a SASL
> ++.BR mechanism ,
> ++and eventually a SASL
> ++.BR realm ,
> ++for those mechanisms that support one.
> ++The need to allow the specification of a mechanism is still debated, 
> ++and users are strongly discouraged to rely on this possibility.
> ++
> ++.LP
> ++The fourth form is a group specification.
> ++It consists of the keyword
> ++.BR group ,
> ++optionally followed by the specification of the group
> ++.B objectClass
> ++and
> ++.BR attributeType .
> ++The
> ++.B objectClass
> ++defaults to
> ++.IR groupOfNames .
> ++The
> ++.B attributeType
> ++defaults to
> ++.IR member .
> ++The group with DN
> ++.B <pattern>
> ++is searched with base scope, filtered on the specified
> ++.BR objectClass .
> ++The values of the resulting
> ++.B attributeType
> ++are searched for the asserted DN.
> ++
> ++.LP
> ++The fifth form is provided for backwards compatibility.  If no identity
> ++type is provided, i.e. only
> ++.B <pattern>
> ++is present, an
> ++.I exact DN
> ++is assumed; as a consequence, 
> ++.B <pattern>
> ++is subjected to DN normalization.
> ++
> ++.LP
> ++Since the interpretation of
> ++.I authzFrom
> ++and
> ++.I authzTo
> ++can impact security, users are strongly encouraged 
> ++to explicitly set the type of identity specification that is being used.
> ++A subset of these rules can be used as third arg in the 
> ++.B olcAuthzRegexp
> ++statement (see below); significantly, the 
> ++.IR URI ,
> ++provided it results in exactly one entry,
> ++and the
> ++.I dn.exact:<dn> 
> ++forms.
> ++.RE
> ++.TP
> ++.B olcAuthzRegexp: <match> <replace>
> ++Used by the authentication framework to convert simple user names,
> ++such as provided by SASL subsystem, or extracted from certificates
> ++in case of cert-based SASL EXTERNAL, or provided within the RFC 4370
> ++"proxied authorization" control, to an LDAP DN used for
> ++authorization purposes.  Note that the resulting DN need not refer
> ++to an existing entry to be considered valid.  When an authorization
> ++request is received from the SASL subsystem, the SASL 
> ++.BR USERNAME ,
> ++.BR REALM , 
> ++and
> ++.B MECHANISM
> ++are taken, when available, and combined into a name of the form
> ++.RS
> ++.RS
> ++.TP
> ++.B UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth
> ++
> ++.RE
> ++This name is then compared against the
> ++.B match
> ++POSIX (''extended'') regular expression, and if the match is successful,
> ++the name is replaced with the
> ++.B replace
> ++string.  If there are wildcard strings in the 
> ++.B match
> ++regular expression that are enclosed in parenthesis, e.g. 
> ++.RS
> ++.TP
> ++.B UID=([^,]*),CN=.*
> ++
> ++.RE
> ++then the portion of the name that matched the wildcard will be stored
> ++in the numbered placeholder variable $1. If there are other wildcard strings
> ++in parenthesis, the matching strings will be in $2, $3, etc. up to $9. The 
> ++placeholders can then be used in the 
> ++.B replace
> ++string, e.g. 
> ++.RS
> ++.TP
> ++.B UID=$1,OU=Accounts,DC=example,DC=com 
> ++
> ++.RE
> ++The replaced name can be either a DN, i.e. a string prefixed by "dn:",
> ++or an LDAP URI.
> ++If the latter, the server will use the URI to search its own database(s)
> ++and, if the search returns exactly one entry, the name is
> ++replaced by the DN of that entry.   The LDAP URI must have no
> ++hostport, attrs, or extensions components, but the filter is mandatory,
> ++e.g.
> ++.RS
> ++.TP
> ++.B ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)
> ++
> ++.RE
> ++The protocol portion of the URI must be strictly
> ++.BR ldap .
> ++Note that this search is subject to access controls.  Specifically,
> ++the authentication identity must have "auth" access in the subject.
> ++
> ++Multiple 
> ++.B olcAuthzRegexp 
> ++values can be specified to allow for multiple matching 
> ++and replacement patterns. The matching patterns are checked in the order they 
> ++appear in the attribute, stopping at the first successful match.
> ++
> ++.\".B Caution:
> ++.\"Because the plus sign + is a character recognized by the regular expression engine,
> ++.\"and it will appear in names that include a REALM, be careful to escape the
> ++.\"plus sign with a backslash \\+ to remove the character's special meaning.
> ++.RE
> ++.TP
> ++.B olcConcurrency: <integer>
> ++Specify a desired level of concurrency.  Provided to the underlying
> ++thread system as a hint.  The default is not to provide any hint. This setting
> ++is only meaningful on some platforms where there is not a one to one
> ++correspondence between user threads and kernel threads.
> ++.TP
> ++.B olcConnMaxPending: <integer>
> ++Specify the maximum number of pending requests for an anonymous session.
> ++If requests are submitted faster than the server can process them, they
> ++will be queued up to this limit. If the limit is exceeded, the session
> ++is closed. The default is 100.
> ++.TP
> ++.B olcConnMaxPendingAuth: <integer>
> ++Specify the maximum number of pending requests for an authenticated session.
> ++The default is 1000.
> ++.TP
> ++.B olcDisallows: <features>
> ++Specify a set of features to disallow (default none).
> ++.B bind_anon
> ++disables acceptance of anonymous bind requests.  Note that this setting
> ++does not prohibit anonymous directory access (See "require authc").
> ++.B bind_simple
> ++disables simple (bind) authentication.
> ++.B tls_2_anon
> ++disables forcing session to anonymous status (see also
> ++.BR tls_authc )
> ++upon StartTLS operation receipt.
> ++.B tls_authc
> ++disallows the StartTLS operation if authenticated (see also
> ++.BR tls_2_anon ).
> ++.B proxy_authz_non_critical
> ++disables acceptance of the proxied authorization control (RFC4370)
> ++with criticality set to FALSE.
> ++.B dontusecopy_non_critical
> ++disables acceptance of the dontUseCopy control (a work in progress)
> ++with criticality set to FALSE.
> ++.TP
> ++.B olcGentleHUP: { TRUE | FALSE }
> ++A SIGHUP signal will only cause a 'gentle' shutdown-attempt:
> ++.B Slapd
> ++will stop listening for new connections, but will not close the
> ++connections to the current clients.  Future write operations return
> ++unwilling-to-perform, though.  Slapd terminates when all clients
> ++have closed their connections (if they ever do), or \- as before \-
> ++if it receives a SIGTERM signal.  This can be useful if you wish to
> ++terminate the server and start a new
> ++.B slapd
> ++server
> ++.B with another database,
> ++without disrupting the currently active clients.
> ++The default is FALSE.  You may wish to use
> ++.B olcIdleTimeout
> ++along with this option.
> ++.TP
> ++.B olcIdleTimeout: <integer>
> ++Specify the number of seconds to wait before forcibly closing
> ++an idle client connection.  A setting of 0 disables this
> ++feature.  The default is 0. You may also want to set the
> ++.B olcWriteTimeout
> ++option.
> ++.TP
> ++.B olcIndexHash64: { on | off }
> ++Use a 64 bit hash for indexing. The default is to use 32 bit hashes.
> ++These hashes are used for equality and substring indexing. The 64 bit
> ++version may be needed to avoid index collisions when the number of
> ++indexed values exceeds ~64 million. (Note that substring indexing
> ++generates multiple index values per actual attribute value.)
> ++Indices generated with 32 bit hashes are incompatible with the 64 bit
> ++version, and vice versa. Any existing databases must be fully reloaded
> ++when changing this setting. This directive is only supported on 64 bit CPUs.
> ++.TP
> ++.B olcIndexIntLen: <integer>
> ++Specify the key length for ordered integer indices. The most significant
> ++bytes of the binary integer will be used for index keys. The default
> ++value is 4, which provides exact indexing for 31 bit values.
> ++A floating point representation is used to index too large values.
> ++.TP
> ++.B olcIndexSubstrIfMaxlen: <integer>
> ++Specify the maximum length for subinitial and subfinal indices. Only
> ++this many characters of an attribute value will be processed by the
> ++indexing functions; any excess characters are ignored. The default is 4.
> ++.TP
> ++.B olcIndexSubstrIfMinlen: <integer>
> ++Specify the minimum length for subinitial and subfinal indices. An
> ++attribute value must have at least this many characters in order to be
> ++processed by the indexing functions. The default is 2.
> ++.TP
> ++.B olcIndexSubstrAnyLen: <integer>
> ++Specify the length used for subany indices. An attribute value must have
> ++at least this many characters in order to be processed. Attribute values
> ++longer than this length will be processed in segments of this length. The
> ++default is 4. The subany index will also be used in subinitial and
> ++subfinal index lookups when the filter string is longer than the
> ++.I olcIndexSubstrIfMaxlen
> ++value.
> ++.TP
> ++.B olcIndexSubstrAnyStep: <integer>
> ++Specify the steps used in subany index lookups. This value sets the offset
> ++for the segments of a filter string that are processed for a subany index
> ++lookup. The default is 2. For example, with the default values, a search
> ++using this filter "cn=*abcdefgh*" would generate index lookups for
> ++"abcd", "cdef", and "efgh".
> ++
> ++.LP
> ++Note: Indexing support depends on the particular backend in use. Also,
> ++changing these settings will generally require deleting any indices that
> ++depend on these parameters and recreating them with
> ++.BR slapindex (8).
> ++
> ++.TP
> ++.B olcListenerThreads: <integer>
> ++Specify the number of threads to use for the connection manager.
> ++The default is 1 and this is typically adequate for up to 16 CPU cores.
> ++The value should be set to a power of 2.
> ++.TP
> ++.B olcLocalSSF: <SSF>
> ++Specifies the Security Strength Factor (SSF) to be given local LDAP sessions,
> ++such as those to the ldapi:// listener.  For a description of SSF values,
> ++see 
> ++.BR olcSaslSecProps 's
> ++.B minssf
> ++option description.  The default is 71.
> ++.TP
> ++.B olcLogFile: <filename>
> ++Specify a file for recording slapd debug messages. By default these messages
> ++only go to stderr, are not recorded anywhere else, and are unrelated to
> ++messages exposed by the
> ++.B olcLogLevel
> ++configuration parameter. Specifying a logfile copies messages to both stderr
> ++and the logfile.
> ++.TP
> ++.B olcLogFileFormat: debug | syslog-utc | syslog-localtime
> ++Specify the prefix format for messages written to the logfile. The debug
> ++format is the normal format used for slapd debug messages, with a timestamp
> ++in hexadecimal, followed by a thread ID.  The other options are to
> ++use syslog(3) style prefixes, with timestamps either in UTC or in the
> ++local timezone. The default is debug format.
> ++.TP
> ++.B olcLogFileOnly: TRUE | FALSE
> ++Specify that debug messages should only go to the configured logfile, and
> ++not to stderr.
> ++.TP
> ++.B olcLogFileRotate: <max> <Mbytes> <hours>
> ++Specify automatic rotation for the configured logfile as the maximum
> ++number of old logfiles to retain, a maximum size in megabytes to allow a
> ++logfile to grow before rotation, and a maximum age in hours for a logfile
> ++to be used before rotation. The maximum number must be in the range 1-99.
> ++Setting Mbytes or hours to zero disables the size or age check, respectively.
> ++At least one of Mbytes or hours must be non-zero. By default no automatic
> ++rotation will be performed.
> ++.TP
> ++.B olcLogLevel: <integer> [...]
> ++Specify the level at which debugging statements and operation 
> ++statistics should be syslogged (currently logged to the
> ++.BR syslogd (8) 
> ++LOG_LOCAL4 facility).
> ++They must be considered subsystems rather than increasingly verbose 
> ++log levels.
> ++Some messages with higher priority are logged regardless 
> ++of the configured loglevel as soon as any logging is configured.
> ++Log levels are additive, and available levels are:
> ++.RS
> ++.RS
> ++.PD 0
> ++.TP
> ++.B 1
> ++.B (0x1 trace)
> ++trace function calls
> ++.TP
> ++.B 2
> ++.B (0x2 packets)
> ++debug packet handling
> ++.TP
> ++.B 4
> ++.B (0x4 args)
> ++heavy trace debugging (function args)
> ++.TP
> ++.B 8
> ++.B (0x8 conns)
> ++connection management
> ++.TP
> ++.B 16
> ++.B (0x10 BER)
> ++print out packets sent and received
> ++.TP
> ++.B 32
> ++.B (0x20 filter)
> ++search filter processing
> ++.TP
> ++.B 64
> ++.B (0x40 config)
> ++configuration file processing
> ++.TP
> ++.B 128
> ++.B (0x80 ACL)
> ++access control list processing
> ++.TP
> ++.B 256
> ++.B (0x100 stats)
> ++connections, LDAP operations, results (recommended)
> ++.TP
> ++.B 512
> ++.B (0x200 stats2)
> ++stats2 log entries sent
> ++.TP
> ++.B 1024
> ++.B (0x400 shell)
> ++print communication with shell backends
> ++.TP
> ++.B 2048
> ++.B (0x800 parse)
> ++entry parsing
> ++\".TP
> ++\".B 4096
> ++\".B (0x1000 cache)
> ++\"caching (unused)
> ++\".TP
> ++\".B 8192
> ++\".B (0x2000 index)
> ++\"data indexing (unused)
> ++.TP
> ++.B 16384
> ++.B (0x4000 sync)
> ++LDAPSync replication
> ++.TP
> ++.B 32768
> ++.B (0x8000 none)
> ++only messages that get logged whatever log level is set
> ++.PD
> ++.RE
> ++The desired log level can be input as a single integer that combines 
> ++the (ORed) desired levels, both in decimal or in hexadecimal notation,
> ++as a list of integers (that are ORed internally),
> ++or as a list of the names that are shown between parenthesis, such that
> ++.LP
> ++.nf
> ++    olcLogLevel: 129
> ++    olcLogLevel: 0x81
> ++    olcLogLevel: 128 1
> ++    olcLogLevel: 0x80 0x1
> ++    olcLogLevel: acl trace
> ++.fi
> ++.LP
> ++are equivalent.
> ++The keyword 
> ++.B any
> ++can be used as a shortcut to enable logging at all levels (equivalent to \-1).
> ++The keyword
> ++.BR none ,
> ++or the equivalent integer representation, causes those messages
> ++that are logged regardless of the configured olcLogLevel to be logged.
> ++In fact, if no olcLogLevel (or a 0 level) is defined, no logging occurs, 
> ++so at least the 
> ++.B none
> ++level is required to have high priority messages logged.
> ++
> ++Note that the
> ++.BR packets ,
> ++.BR BER ,
> ++and
> ++.B parse
> ++levels are only available as debug output on stderr, and are not
> ++sent to syslog.
> ++
> ++This setting defaults to \fBstats\fP.
> ++This level should usually also be included when using other loglevels, to
> ++help analyze the logs.
> ++.RE
> ++.TP
> ++.B olcMaxFilterDepth: <integer>
> ++Specify the maximum depth of nested filters in search requests.
> ++The default is 1000.
> ++.TP
> ++.B olcPasswordCryptSaltFormat: <format>
> ++Specify the format of the salt passed to
> ++.BR crypt (3)
> ++when generating {CRYPT} passwords (see
> ++.BR olcPasswordHash )
> ++during processing of LDAP Password Modify Extended Operations (RFC 3062).
> ++
> ++This string needs to be in
> ++.BR sprintf (3)
> ++format and may include one (and only one) %s conversion.
> ++This conversion will be substituted with a string of random
> ++characters from [A\-Za\-z0\-9./].  For example, "%.2s"
> ++provides a two character salt and "$1$%.8s" tells some
> ++versions of crypt(3) to use an MD5 algorithm and provides
> ++8 random characters of salt.  The default is "%s", which
> ++provides 31 characters of salt.
> ++.TP
> ++.B olcPidFile: <filename>
> ++The (absolute) name of a file that will hold the 
> ++.B slapd
> ++server's process ID (see
> ++.BR getpid (2)).
> ++.TP
> ++.B olcPluginLogFile: <filename>
> ++The ( absolute ) name of a file that will contain log
> ++messages from
> ++.B SLAPI
> ++plugins. See
> ++.BR slapd.plugin (5)
> ++for details.
> ++.TP
> ++.B olcReferral: <url>
> ++Specify the referral to pass back when
> ++.BR slapd (8)
> ++cannot find a local database to handle a request.
> ++If multiple values are specified, each url is provided.
> ++.TP
> ++.B olcReverseLookup: TRUE | FALSE
> ++Enable/disable client name unverified reverse lookup (default is 
> ++.BR FALSE 
> ++if compiled with \-\-enable\-rlookups).
> ++.TP
> ++.B olcRootDSE: <file>
> ++Specify the name of an LDIF(5) file containing user defined attributes
> ++for the root DSE.  These attributes are returned in addition to the
> ++attributes normally produced by slapd.
> ++
> ++The root DSE is an entry with information about the server and its
> ++capabilities, in operational attributes.
> ++It has the empty DN, and can be read with e.g.:
> ++.ti +4
> ++ldapsearch \-x \-b "" \-s base "+"
> ++.br
> ++See RFC 4512 section 5.1 for details.
> ++.TP
> ++.B olcSaslAuxprops: <plugin> [...]
> ++Specify which auxprop plugins to use for authentication lookups. The
> ++default is empty, which just uses slapd's internal support. Usually
> ++no other auxprop plugins are needed.
> ++.TP
> ++.B olcSaslAuxpropsDontUseCopy: <attr> [...]
> ++Specify which attribute(s) should be subject to the don't use copy control. This
> ++is necessary for some SASL mechanisms such as OTP to work in a replicated
> ++environment. The attribute "cmusaslsecretOTP" is the default value.
> ++.TP
> ++.B olcSaslAuxpropsDontUseCopyIgnore TRUE | FALSE
> ++Used to disable replication of the attribute(s) defined by
> ++olcSaslAuxpropsDontUseCopy and instead use a local value for the attribute. This
> ++allows the SASL mechanism to continue to work if the provider is offline. This can
> ++cause replication inconsistency. Defaults to FALSE.
> ++.TP
> ++.B olcSaslHost: <fqdn>
> ++Used to specify the fully qualified domain name used for SASL processing.
> ++.TP
> ++.B olcSaslRealm: <realm>
> ++Specify SASL realm.  Default is empty.
> ++.TP
> ++.B olcSaslCbinding: none | tls-unique | tls-endpoint
> ++Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING.
> ++Default is none.
> ++.TP
> ++.B olcSaslSecProps: <properties>
> ++Used to specify Cyrus SASL security properties.
> ++The
> ++.B none
> ++flag (without any other properties) causes the flag properties
> ++default, "noanonymous,noplain", to be cleared.
> ++The
> ++.B noplain
> ++flag disables mechanisms susceptible to simple passive attacks.
> ++The
> ++.B noactive
> ++flag disables mechanisms susceptible to active attacks.
> ++The
> ++.B nodict
> ++flag disables mechanisms susceptible to passive dictionary attacks.
> ++The
> ++.B noanonymous
> ++flag disables mechanisms which support anonymous login.
> ++The
> ++.B forwardsec
> ++flag require forward secrecy between sessions.
> ++The
> ++.B passcred
> ++require mechanisms which pass client credentials (and allow
> ++mechanisms which can pass credentials to do so).
> ++The
> ++.B minssf=<factor> 
> ++property specifies the minimum acceptable
> ++.I security strength factor
> ++as an integer approximate to effective key length used for
> ++encryption.  0 (zero) implies no protection, 1 implies integrity
> ++protection only, 128 allows RC4, Blowfish and other similar ciphers,
> ++256 will require modern ciphers.  The default is 0.
> ++The
> ++.B maxssf=<factor> 
> ++property specifies the maximum acceptable
> ++.I security strength factor
> ++as an integer (see minssf description).  The default is INT_MAX.
> ++The
> ++.B maxbufsize=<size> 
> ++property specifies the maximum security layer receive buffer
> ++size allowed.  0 disables security layers.  The default is 65536.
> ++.TP
> ++.B olcServerID: <integer> [<URL>]
> ++Specify an integer ID from 0 to 4095 for this server. The ID may also be
> ++specified as a hexadecimal ID by prefixing the value with "0x".
> ++Non-zero IDs are required when using multi-provider replication and each
> ++provider must have a unique non-zero ID. Note that this requirement also
> ++applies to separate providers contributing to a glued set of databases.
> ++If the URL is provided, this directive may be specified
> ++multiple times, providing a complete list of participating servers
> ++and their IDs. The fully qualified hostname of each server should be
> ++used in the supplied URLs. The IDs are used in the "replica id" field
> ++of all CSNs generated by the specified server. The default value is zero, which
> ++is only valid for single provider replication.
> ++Example:
> ++.LP
> ++.nf
> ++	olcServerID: 1 ldap://ldap1.example.com
> ++	olcServerID: 2 ldap://ldap2.example.com
> ++.fi
> ++.TP
> ++.B olcSockbufMaxIncoming: <integer>
> ++Specify the maximum incoming LDAP PDU size for anonymous sessions.
> ++The default is 262143.
> ++.TP
> ++.B olcSockbufMaxIncomingAuth: <integer>
> ++Specify the maximum incoming LDAP PDU size for authenticated sessions.
> ++The default is 4194303.
> ++.TP
> ++.B olcTCPBuffer [listener=<URL>] [{read|write}=]<size>
> ++Specify the size of the TCP buffer.
> ++A global value for both read and write TCP buffers related to any listener
> ++is defined, unless the listener is explicitly specified,
> ++or either the read or write qualifiers are used.
> ++See
> ++.BR tcp (7)
> ++for details.
> ++Note that some OS-es implement automatic TCP buffer tuning.
> ++.TP
> ++.B olcThreads: <integer>
> ++Specify the maximum size of the primary thread pool.
> ++The default is 16; the minimum value is 2.
> ++.TP
> ++.B olcThreadQueues: <integer>
> ++Specify the number of work queues to use for the primary thread pool.
> ++The default is 1 and this is typically adequate for up to 8 CPU cores.
> ++The value should not exceed the number of CPUs in the system.
> ++.TP
> ++.B olcToolThreads: <integer>
> ++Specify the maximum number of threads to use in tool mode.
> ++This should not be greater than the number of CPUs in the system.
> ++The default is 1.
> ++.TP
> ++.B olcWriteTimeout: <integer>
> ++Specify the number of seconds to wait before forcibly closing
> ++a connection with an outstanding write.  This allows recovery from
> ++various network hang conditions.  A setting of 0 disables this
> ++feature.  The default is 0.
> ++.SH TLS OPTIONS
> ++If
> ++.B slapd
> ++is built with support for Transport Layer Security, there are more options
> ++you can specify.
> ++.TP
> ++.B olcTLSCipherSuite: <cipher-suite-spec>
> ++Permits configuring what ciphers will be accepted and the preference order.
> ++<cipher-suite-spec> should be a cipher specification for the TLS library
> ++in use (OpenSSL or GnuTLS).
> ++Example:
> ++.RS
> ++.RS
> ++.TP
> ++.I OpenSSL:
> ++olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
> ++.TP
> ++.I GnuTLS:
> ++olcTLSCiphersuite: SECURE256:!AES-128-CBC
> ++.RE
> ++
> ++To check what ciphers a given spec selects in OpenSSL, use:
> ++
> ++.nf
> ++	openssl ciphers \-v <cipher-suite-spec>
> ++.fi
> ++
> ++With GnuTLS the available specs can be found in the manual page of
> ++.BR gnutls\-cli (1)
> ++(see the description of the
> ++option
> ++.BR \-\-priority ).
> ++
> ++In older versions of GnuTLS, where gnutls\-cli does not support the option
> ++\-\-priority, you can obtain the \(em more limited \(em list of ciphers by calling:
> ++
> ++.nf
> ++	gnutls\-cli \-l
> ++.fi
> ++.RE
> ++.TP
> ++.B olcTLSCACertificateFile: <filename>
> ++Specifies the file that contains certificates for all of the Certificate
> ++Authorities that
> ++.B slapd
> ++will recognize.  The certificate for
> ++the CA that signed the server certificate must be included among
> ++these certificates. If the signing CA was not a top-level (root) CA,
> ++certificates for the entire sequence of CA's from the signing CA to
> ++the top-level CA should be present. Multiple certificates are simply
> ++appended to the file; the order is not significant.
> ++.TP
> ++.B olcTLSCACertificatePath: <path>
> ++Specifies the path of directories that contain Certificate Authority
> ++certificates in separate individual files. Usually only one of this
> ++or the olcTLSCACertificateFile is defined. If both are specified, both
> ++locations will be used. Multiple directories may be specified,
> ++separated by a semi-colon.
> ++.TP
> ++.B olcTLSCertificateFile: <filename>
> ++Specifies the file that contains the
> ++.B slapd
> ++server certificate.
> ++
> ++When using OpenSSL that file may also contain any number of intermediate
> ++certificates after the server certificate.
> ++.TP
> ++.B olcTLSCertificateKeyFile: <filename>
> ++Specifies the file that contains the
> ++.B slapd
> ++server private key that matches the certificate stored in the
> ++.B olcTLSCertificateFile
> ++file. If the private key is protected with a password, the password must
> ++be manually typed in when slapd starts.  Usually the private key is not
> ++protected with a password, to allow slapd to start without manual
> ++intervention, so
> ++it is of critical importance that the file is protected carefully. 
> ++.TP
> ++.B olcTLSDHParamFile: <filename>
> ++This directive specifies the file that contains parameters for Diffie-Hellman
> ++ephemeral key exchange.  This is required in order to use a DSA certificate on
> ++the server, or an RSA certificate missing the "key encipherment" key usage.
> ++Note that setting this option may also enable
> ++Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
> ++Anonymous key exchanges should generally be avoided since they provide no
> ++actual client or server authentication and provide no protection against
> ++man-in-the-middle attacks.
> ++You should append "!ADH" to your cipher suites to ensure that these suites
> ++are not used.
> ++.TP
> ++.B olcTLSECName: <name>
> ++Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman
> ++ephemeral key exchange.  This option is only used for OpenSSL.
> ++This option is not used with GnuTLS; the curves may be
> ++chosen in the GnuTLS ciphersuite specification.
> ++.TP
> ++.B olcTLSProtocolMin: <major>[.<minor>]
> ++Specifies minimum SSL/TLS protocol version that will be negotiated.
> ++If the server doesn't support at least that version,
> ++the SSL handshake will fail.
> ++To require TLS 1.x or higher, set this option to 3.(x+1),
> ++e.g.,
> ++
> ++.nf
> ++	olcTLSProtocolMin: 3.2
> ++.fi
> ++
> ++would require TLS 1.1.
> ++Specifying a minimum that is higher than that supported by the
> ++OpenLDAP implementation will result in it requiring the
> ++highest level that it does support.
> ++This directive is ignored with GnuTLS.
> ++.TP
> ++.B olcTLSRandFile: <filename>
> ++Specifies the file to obtain random bits from when /dev/[u]random
> ++is not available.  Generally set to the name of the EGD/PRNGD socket.
> ++The environment variable RANDFILE can also be used to specify the filename.
> ++This directive is ignored with GnuTLS.
> ++.TP
> ++.B olcTLSVerifyClient: <level>
> ++Specifies what checks to perform on client certificates in an
> ++incoming TLS session, if any.
> ++The
> ++.B <level>
> ++can be specified as one of the following keywords:
> ++.RS
> ++.TP
> ++.B never
> ++This is the default.
> ++.B slapd
> ++will not ask the client for a certificate.
> ++.TP
> ++.B allow
> ++The client certificate is requested.  If no certificate is provided,
> ++the session proceeds normally.  If a bad certificate is provided,
> ++it will be ignored and the session proceeds normally.
> ++.TP
> ++.B try
> ++The client certificate is requested.  If no certificate is provided,
> ++the session proceeds normally.  If a bad certificate is provided,
> ++the session is immediately terminated.
> ++.TP
> ++.B demand | hard | true
> ++These keywords are all equivalent, for compatibility reasons.
> ++The client certificate is requested.  If no certificate is provided,
> ++or a bad certificate is provided, the session is immediately terminated.
> ++
> ++Note that a valid client certificate is required in order to use the
> ++SASL EXTERNAL authentication mechanism with a TLS session.  As such,
> ++a non-default
> ++.B olcTLSVerifyClient
> ++setting must be chosen to enable SASL EXTERNAL authentication.
> ++.RE
> ++.TP
> ++.B olcTLSCRLCheck: <level>
> ++Specifies if the Certificate Revocation List (CRL) of the CA should be 
> ++used to verify if the client certificates have not been revoked. This
> ++requires
> ++.B olcTLSCACertificatePath
> ++parameter to be set. This parameter is ignored with GnuTLS.
> ++.B <level>
> ++can be specified as one of the following keywords:
> ++.RS
> ++.TP
> ++.B none
> ++No CRL checks are performed
> ++.TP
> ++.B peer
> ++Check the CRL of the peer certificate
> ++.TP
> ++.B all
> ++Check the CRL for a whole certificate chain
> ++.RE
> ++.TP
> ++.B olcTLSCRLFile: <filename>
> ++Specifies a file containing a Certificate Revocation List to be used
> ++for verifying that certificates have not been revoked. This parameter is
> ++only valid when using GnuTLS.
> ++.SH DYNAMIC MODULE OPTIONS
> ++If
> ++.B slapd
> ++is compiled with \-\-enable\-modules then the module-related entries will
> ++be available. These entries are named
> ++.B cn=module{x},cn=config
> ++and
> ++must have the olcModuleList objectClass. One entry should be created
> ++per
> ++.B olcModulePath.
> ++Normally the config engine generates the "{x}" index in the RDN
> ++automatically, so it can be omitted when initially loading these entries.
> ++.TP
> ++.B olcModuleLoad: <filename> [<arguments>...]
> ++Specify the name of a dynamically loadable module to load and any
> ++additional arguments if supported by the module. The filename
> ++may be an absolute path name or a simple filename. Non-absolute names
> ++are searched for in the directories specified by the
> ++.B olcModulePath
> ++option.
> ++.TP
> ++.B olcModulePath: <pathspec>
> ++Specify a list of directories to search for loadable modules. Typically
> ++the path is colon-separated but this depends on the operating system.
> ++The default is MODULEDIR, which is where the standard OpenLDAP install
> ++will place its modules. 
> ++.SH SCHEMA OPTIONS
> ++Schema definitions are created as entries in the
> ++.B cn=schema,cn=config
> ++subtree. These entries must have the olcSchemaConfig objectClass.
> ++As noted above, the actual
> ++.B cn=schema,cn=config
> ++entry is predefined and any values specified for it are ignored.
> ++
> ++.HP
> ++.hy 0
> ++.B olcAttributetypes: "(\ <oid>\
> ++ [NAME\ <name>]\
> ++ [DESC\ <description>]\
> ++ [OBSOLETE]\
> ++ [SUP\ <oid>]\
> ++ [EQUALITY\ <oid>]\
> ++ [ORDERING\ <oid>]\
> ++ [SUBSTR\ <oid>]\
> ++ [SYNTAX\ <oidlen>]\
> ++ [SINGLE\-VALUE]\
> ++ [COLLECTIVE]\
> ++ [NO\-USER\-MODIFICATION]\
> ++ [USAGE\ <attributeUsage>]\ )"
> ++.RS
> ++Specify an attribute type using the LDAPv3 syntax defined in RFC 4512.
> ++The slapd parser extends the RFC 4512 definition by allowing string
> ++forms as well as numeric OIDs to be used for the attribute OID and
> ++attribute syntax OID.
> ++(See the
> ++.B olcObjectIdentifier
> ++description.) 
> ++.RE
> ++
> ++.HP
> ++.hy 0
> ++.B olcDitContentRules: "(\ <oid>\
> ++ [NAME\ <name>]\
> ++ [DESC\ <description>]\
> ++ [OBSOLETE]\
> ++ [AUX\ <oids>]\
> ++ [MUST\ <oids>]\
> ++ [MAY\ <oids>]\
> ++ [NOT\ <oids>]\ )"
> ++.RS
> ++Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 4512.
> ++The slapd parser extends the RFC 4512 definition by allowing string
> ++forms as well as numeric OIDs to be used for the attribute OID and
> ++attribute syntax OID.
> ++(See the
> ++.B olcObjectIdentifier
> ++description.) 
> ++.RE
> ++
> ++.HP
> ++.hy 0
> ++.B olcLdapSyntaxes "(\ <oid>\
> ++ [DESC\ <description>]\
> ++ [X\-SUBST <substitute-syntax>]\ )"
> ++.RS
> ++Specify an LDAP syntax using the LDAPv3 syntax defined in RFC 4512.
> ++The slapd parser extends the RFC 4512 definition by allowing string
> ++forms as well as numeric OIDs to be used for the syntax OID.
> ++(See the
> ++.B objectidentifier
> ++description.)
> ++The slapd parser also honors the
> ++.B X\-SUBST
> ++extension (an OpenLDAP-specific extension), which allows one to use the
> ++.B olcLdapSyntaxes
> ++attribute to define a non-implemented syntax along with another syntax,
> ++the extension value
> ++.IR substitute-syntax ,
> ++as its temporary replacement.
> ++The
> ++.I substitute-syntax
> ++must be defined.
> ++This allows one to define attribute types that make use of non-implemented syntaxes
> ++using the correct syntax OID.
> ++Unless
> ++.B X\-SUBST
> ++is used, this configuration statement would result in an error,
> ++since no handlers would be associated to the resulting syntax structure.
> ++.RE
> ++
> ++.HP
> ++.hy 0
> ++.B olcObjectClasses: "(\ <oid>\
> ++ [NAME\ <name>]\
> ++ [DESC\ <description>]\
> ++ [OBSOLETE]\
> ++ [SUP\ <oids>]\
> ++ [{ ABSTRACT | STRUCTURAL | AUXILIARY }]\
> ++ [MUST\ <oids>] [MAY\ <oids>] )"
> ++.RS
> ++Specify an objectclass using the LDAPv3 syntax defined in RFC 4512.
> ++The slapd parser extends the RFC 4512 definition by allowing string
> ++forms as well as numeric OIDs to be used for the object class OID.
> ++(See the
> ++.B
> ++olcObjectIdentifier
> ++description.)  Object classes are "STRUCTURAL" by default.
> ++.RE
> ++.TP
> ++.B olcObjectIdentifier: <name> "{ <oid> | <name>[:<suffix>] }"
> ++Define a string name that equates to the given OID. The string can be used
> ++in place of the numeric OID in objectclass and attribute definitions. The
> ++name can also be used with a suffix of the form ":xx" in which case the
> ++value "oid.xx" will be used.
> ++
> ++.SH GENERAL BACKEND OPTIONS
> ++Options in these entries only apply to the configuration of a single
> ++type of backend. All backends may support this class of options, but
> ++currently only back-mdb does.
> ++The entry must be named
> ++.B olcBackend=<databasetype>,cn=config
> ++and must have the olcBackendConfig objectClass.
> ++<databasetype>
> ++should be one of
> ++.BR asyncmeta ,
> ++.BR config ,
> ++.BR dnssrv ,
> ++.BR ldap ,
> ++.BR ldif ,
> ++.BR mdb ,
> ++.BR meta ,
> ++.BR monitor ,
> ++.BR null ,
> ++.BR passwd ,
> ++.BR perl ,
> ++.BR relay ,
> ++.BR sock ,
> ++.BR sql ,
> ++or
> ++.BR wt .
> ++At present, only back-mdb implements any options of this type, so this
> ++entry should not be used for any other backends.
> ++
> ++.SH DATABASE OPTIONS
> ++Database options are set in entries named
> ++.B olcDatabase={x}<databasetype>,cn=config
> ++and must have the olcDatabaseConfig objectClass. Normally the config
> ++engine generates the "{x}" index in the RDN automatically, so it
> ++can be omitted when initially loading these entries.
> ++
> ++The special frontend database is always numbered "{\-1}" and the config
> ++database is always numbered "{0}".
> ++
> ++.SH GLOBAL DATABASE OPTIONS
> ++Options in this section may be set in the special "frontend" database
> ++and inherited in all the other databases. These options may be altered
> ++by further settings in each specific database. The frontend entry must
> ++be named
> ++.B olcDatabase=frontend,cn=config
> ++and must have the olcFrontendConfig objectClass.
> ++.TP
> ++.B olcAccess: to <what> "[ by <who> <access> <control> ]+"
> ++Grant access (specified by <access>) to a set of entries and/or
> ++attributes (specified by <what>) by one or more requestors (specified
> ++by <who>).
> ++If no access controls are present, the default policy
> ++allows anyone and everyone to read anything but restricts
> ++updates to rootdn.  (e.g., "olcAccess: to * by * read").
> ++See
> ++.BR slapd.access (5)
> ++and the "OpenLDAP Administrator's Guide" for details.
> ++
> ++Access controls set in the frontend are appended to any access
> ++controls set on the specific databases.
> ++The rootdn of a database can always read and write EVERYTHING
> ++in that database.
> ++
> ++Extra special care must be taken with the access controls on the
> ++config database. Unlike other databases, the default policy for the
> ++config database is to only allow access to the rootdn. Regular users
> ++should not have read access, and write access should be granted very
> ++carefully to privileged administrators.
> ++
> ++.TP
> ++.B olcDefaultSearchBase: <dn>
> ++Specify a default search base to use when client submits a
> ++non-base search request with an empty base DN.
> ++Base scoped search requests with an empty base DN are not affected.
> ++This setting is only allowed in the frontend entry.
> ++.TP
> ++.B olcExtraAttrs: <attr>
> ++Lists what attributes need to be added to search requests.
> ++Local storage backends return the entire entry to the frontend.
> ++The frontend takes care of only returning the requested attributes
> ++that are allowed by ACLs.
> ++However, features like access checking and so may need specific
> ++attributes that are not automatically returned by remote storage
> ++backends, like proxy backends and so on.
> ++.B <attr>
> ++is an attribute that is needed for internal purposes
> ++and thus always needs to be collected, even when not explicitly
> ++requested by clients.
> ++This attribute is multi-valued.
> ++.TP
> ++.B olcPasswordHash: <hash> [<hash>...]
> ++This option configures one or more hashes to be used in generation of user
> ++passwords stored in the userPassword attribute during processing of
> ++LDAP Password Modify Extended Operations (RFC 3062).
> ++The <hash> must be one of
> ++.BR {SSHA} ,
> ++.BR {SHA} ,
> ++.BR {SMD5} ,
> ++.BR {MD5} ,
> ++.BR {CRYPT} ,
> ++and
> ++.BR {CLEARTEXT} .
> ++The default is
> ++.BR {SSHA} .
> ++
> ++.B {SHA}
> ++and
> ++.B {SSHA}
> ++use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.
> ++
> ++.B {MD5}
> ++and
> ++.B {SMD5}
> ++use the MD5 algorithm (RFC 1321), the latter with a seed.
> ++
> ++.B {CRYPT}
> ++uses the
> ++.BR crypt (3).
> ++
> ++.B {CLEARTEXT}
> ++indicates that the new password should be
> ++added to userPassword as clear text.
> ++
> ++Note that this option does not alter the normal user applications
> ++handling of userPassword during LDAP Add, Modify, or other LDAP operations.
> ++This setting is only allowed in the frontend entry.
> ++.TP
> ++.B olcReadOnly: TRUE | FALSE
> ++This option puts the database into "read-only" mode.  Any attempts to 
> ++modify the database will return an "unwilling to perform" error.  By
> ++default, olcReadOnly is FALSE. Note that when this option is set
> ++TRUE on the frontend, it cannot be reset without restarting the
> ++server, since further writes to the config database will be rejected.
> ++.TP
> ++.B olcRequires: <conditions>
> ++Specify a set of conditions to require (default none).
> ++The directive may be specified globally and/or per-database;
> ++databases inherit global conditions, so per-database specifications
> ++are additive.
> ++.B bind
> ++requires bind operation prior to directory operations.
> ++.B LDAPv3
> ++requires session to be using LDAP version 3.
> ++.B authc
> ++requires authentication prior to directory operations.
> ++.B SASL
> ++requires SASL authentication prior to directory operations.
> ++.B strong
> ++requires strong authentication prior to directory operations.
> ++The strong keyword allows protected "simple" authentication
> ++as well as SASL authentication.
> ++.B none
> ++may be used to require no conditions (useful to clear out globally
> ++set conditions within a particular database); it must occur first
> ++in the list of conditions.
> ++.TP
> ++.B olcRestrict: <oplist>
> ++Specify a list of operations that are restricted.
> ++Restrictions on a specific database override any frontend setting.
> ++Operations can be any of 
> ++.BR add ,
> ++.BR bind ,
> ++.BR compare ,
> ++.BR delete ,
> ++.BR extended[=<OID>] ,
> ++.BR modify ,
> ++.BR rename ,
> ++.BR search ,
> ++or the special pseudo-operations
> ++.B read
> ++and
> ++.BR write ,
> ++which respectively summarize read and write operations.
> ++The use of 
> ++.I restrict write
> ++is equivalent to 
> ++.I olcReadOnly: TRUE
> ++(see above).
> ++The 
> ++.B extended
> ++keyword allows one to indicate the OID of the specific operation
> ++to be restricted.
> ++.TP
> ++.B olcSchemaDN: <dn>
> ++Specify the distinguished name for the subschema subentry that
> ++controls the entries on this server.  The default is "cn=Subschema".
> ++.TP
> ++.B olcSecurity: <factors>
> ++Specify a set of security strength factors (separated by white space)
> ++to require (see
> ++.BR olcSaslSecprops 's
> ++.B minssf
> ++option for a description of security strength factors).
> ++The directive may be specified globally and/or per-database.
> ++.B ssf=<n>
> ++specifies the overall security strength factor.
> ++.B transport=<n>
> ++specifies the transport security strength factor.
> ++.B tls=<n>
> ++specifies the TLS security strength factor.
> ++.B sasl=<n>
> ++specifies the SASL security strength factor.
> ++.B update_ssf=<n>
> ++specifies the overall security strength factor to require for
> ++directory updates.
> ++.B update_transport=<n>
> ++specifies the transport security strength factor to require for
> ++directory updates.
> ++.B update_tls=<n>
> ++specifies the TLS security strength factor to require for
> ++directory updates.
> ++.B update_sasl=<n>
> ++specifies the SASL security strength factor to require for
> ++directory updates.
> ++.B simple_bind=<n>
> ++specifies the security strength factor required for
> ++.I simple
> ++username/password authentication.
> ++Note that the
> ++.B transport
> ++factor is measure of security provided by the underlying transport,
> ++e.g. ldapi:// (and eventually IPSEC).  It is not normally used.
> ++.TP
> ++.B olcSizeLimit: {<integer>|unlimited}
> ++.TP
> ++.B olcSizeLimit: size[.{soft|hard}]=<integer> [...]
> ++Specify the maximum number of entries to return from a search operation.
> ++The default size limit is 500.
> ++Use
> ++.B unlimited
> ++to specify no limits.
> ++The second format allows a fine grain setting of the size limits.
> ++If no special qualifiers are specified, both soft and hard limits are set.
> ++Extra args can be added in the same value.
> ++Additional qualifiers are available; see
> ++.BR olcLimits
> ++for an explanation of all of the different flags.
> ++.TP
> ++.B olcSortVals: <attr> [...]
> ++Specify a list of multi-valued attributes whose values will always
> ++be maintained in sorted order. Using this option will allow Modify,
> ++Compare, and filter evaluations on these attributes to be performed
> ++more efficiently. The resulting sort order depends on the
> ++attributes' syntax and matching rules and may not correspond to
> ++lexical order or any other recognizable order.
> ++This setting is only allowed in the frontend entry.
> ++.TP
> ++.B olcTimeLimit: {<integer>|unlimited}
> ++.TP
> ++.B olcTimeLimit: time[.{soft|hard}]=<integer> [...]
> ++Specify the maximum number of seconds (in real time)
> ++.B slapd
> ++will spend answering a search request.  The default time limit is 3600.
> ++Use
> ++.B unlimited
> ++to specify no limits.
> ++The second format allows a fine grain setting of the time limits.
> ++Extra args can be added in the same value. See
> ++.BR olcLimits
> ++for an explanation of the different flags.
> ++
> ++.SH GENERAL DATABASE OPTIONS
> ++Options in this section only apply to the specific database for
> ++which they are defined.  They are supported by every
> ++type of backend. All of the Global Database Options may also be
> ++used here.
> ++.TP
> ++.B olcAddContentAcl: TRUE | FALSE
> ++Controls whether Add operations will perform ACL checks on
> ++the content of the entry being added. This check is off
> ++by default. See the
> ++.BR slapd.access (5)
> ++manual page for more details on ACL requirements for
> ++Add operations.
> ++.TP
> ++.B olcHidden: TRUE | FALSE
> ++Controls whether the database will be used to answer
> ++queries. A database that is hidden will never be
> ++selected to answer any queries, and any suffix configured
> ++on the database will be ignored in checks for conflicts
> ++with other databases. By default, olcHidden is FALSE.
> ++.TP
> ++.B olcLastMod: TRUE | FALSE
> ++Controls whether
> ++.B slapd
> ++will automatically maintain the 
> ++modifiersName, modifyTimestamp, creatorsName, and 
> ++createTimestamp attributes for entries. It also controls
> ++the entryCSN and entryUUID attributes, which are needed
> ++by the syncrepl provider. By default, olcLastMod is TRUE.
> ++.TP
> ++.B olcLastBind: TRUE | FALSE
> ++Controls whether
> ++.B slapd
> ++will automatically maintain the pwdLastSuccess attribute for
> ++entries. By default, olcLastBind is FALSE.
> ++.TP
> ++.B olcLastBindPrecision: <integer>
> ++If olcLastBind is enabled, specifies how frequently pwdLastSuccess
> ++will be updated. More than
> ++.B integer
> ++seconds must have passed since the last successful bind. In a
> ++replicated environment with frequent bind activity it may be
> ++useful to set this to a large value.
> ++.TP
> ++.B olcLimits: <selector> <limit> [<limit> [...]]
> ++Specify time and size limits based on the operation's initiator or
> ++base DN.
> ++The argument
> ++.B <selector>
> ++can be any of
> ++.RS
> ++.RS
> ++.TP
> ++anonymous | users | [<dnspec>=]<pattern> | group[/oc[/at]]=<pattern>
> ++
> ++.RE
> ++with
> ++.RS
> ++.TP
> ++<dnspec> ::= dn[.<type>][.<style>]
> ++.TP
> ++<type>  ::= self | this
> ++.TP
> ++<style> ::= exact | base | onelevel | subtree | children | regex | anonymous
> ++
> ++.RE
> ++DN type
> ++.B self
> ++is the default and means the bound user, while
> ++.B this
> ++means the base DN of the operation.
> ++The term
> ++.B anonymous
> ++matches all unauthenticated clients.
> ++The term
> ++.B users
> ++matches all authenticated clients;
> ++otherwise an
> ++.B exact
> ++dn pattern is assumed unless otherwise specified by qualifying 
> ++the (optional) key string
> ++.B dn
> ++with 
> ++.B exact
> ++or
> ++.B base
> ++(which are synonyms), to require an exact match; with
> ++.BR onelevel , 
> ++to require exactly one level of depth match; with
> ++.BR subtree ,
> ++to allow any level of depth match, including the exact match; with
> ++.BR children ,
> ++to allow any level of depth match, not including the exact match;
> ++.BR regex
> ++explicitly requires the (default) match based on POSIX (''extended'')
> ++regular expression pattern.
> ++Finally,
> ++.B anonymous
> ++matches unbound operations; the 
> ++.B pattern
> ++field is ignored.
> ++The same behavior is obtained by using the 
> ++.B anonymous
> ++form of the
> ++.B <selector>
> ++clause.
> ++The term
> ++.BR group ,
> ++with the optional objectClass
> ++.B oc
> ++and attributeType
> ++.B at
> ++fields, followed by
> ++.BR pattern ,
> ++sets the limits for any DN listed in the values of the
> ++.B at
> ++attribute (default
> ++.BR member )
> ++of the 
> ++.B oc
> ++group objectClass (default
> ++.BR groupOfNames )
> ++whose DN exactly matches
> ++.BR pattern .
> ++
> ++The currently supported limits are 
> ++.B size
> ++and 
> ++.BR time .
> ++
> ++The syntax for time limits is 
> ++.BR time[.{soft|hard}]=<integer> ,
> ++where 
> ++.I integer
> ++is the number of seconds slapd will spend answering a search request.
> ++If no time limit is explicitly requested by the client, the 
> ++.BR soft
> ++limit is used; if the requested time limit exceeds the
> ++.BR hard
> ++.\"limit, an
> ++.\".I "Administrative limit exceeded"
> ++.\"error is returned.
> ++limit, the value of the limit is used instead.
> ++If the
> ++.BR hard
> ++limit is set to the keyword 
> ++.IR soft ,
> ++the soft limit is used in either case; if it is set to the keyword 
> ++.IR unlimited , 
> ++no hard limit is enforced.
> ++Explicit requests for time limits smaller or equal to the
> ++.BR hard 
> ++limit are honored.
> ++If no limit specifier is set, the value is assigned to the 
> ++.BR soft 
> ++limit, and the
> ++.BR hard
> ++limit is set to
> ++.IR soft ,
> ++to preserve the original behavior.
> ++
> ++The syntax for size limits is
> ++.BR size[.{soft|hard|unchecked}]=<integer> ,
> ++where
> ++.I integer
> ++is the maximum number of entries slapd will return answering a search 
> ++request.
> ++If no size limit is explicitly requested by the client, the
> ++.BR soft
> ++limit is used; if the requested size limit exceeds the
> ++.BR hard
> ++.\"limit, an 
> ++.\".I "Administrative limit exceeded"
> ++.\"error is returned.
> ++limit, the value of the limit is used instead.
> ++If the 
> ++.BR hard
> ++limit is set to the keyword 
> ++.IR soft , 
> ++the soft limit is used in either case; if it is set to the keyword
> ++.IR unlimited , 
> ++no hard limit is enforced.
> ++Explicit requests for size limits smaller or equal to the
> ++.BR hard
> ++limit are honored.
> ++The
> ++.BR unchecked
> ++specifier sets a limit on the number of candidates a search request is allowed
> ++to examine.
> ++The rationale behind it is that searches for non-properly indexed
> ++attributes may result in large sets of candidates, which must be 
> ++examined by
> ++.BR slapd (8)
> ++to determine whether they match the search filter or not.
> ++The
> ++.B unchecked
> ++limit provides a means to drop such operations before they are even 
> ++started.
> ++If the selected candidates exceed the 
> ++.BR unchecked
> ++limit, the search will abort with 
> ++.IR "Unwilling to perform" .
> ++If it is set to the keyword 
> ++.IR unlimited , 
> ++no limit is applied (the default).
> ++If it is set to
> ++.IR disabled ,
> ++the search is not even performed; this can be used to disallow searches
> ++for a specific set of users.
> ++If no limit specifier is set, the value is assigned to the
> ++.BR soft 
> ++limit, and the
> ++.BR hard
> ++limit is set to
> ++.IR soft ,
> ++to preserve the original behavior.
> ++
> ++In case of no match, the global limits are used.
> ++The default values are the same as for
> ++.B olcSizeLimit
> ++and
> ++.BR olcTimeLimit ;
> ++no limit is set on 
> ++.BR unchecked .
> ++
> ++If 
> ++.B pagedResults
> ++control is requested, the 
> ++.B hard
> ++size limit is used by default, because the request of a specific page size
> ++is considered an explicit request for a limitation on the number
> ++of entries to be returned.
> ++However, the size limit applies to the total count of entries returned within
> ++the search, and not to a single page.
> ++Additional size limits may be enforced; the syntax is
> ++.BR size.pr={<integer>|noEstimate|unlimited} ,
> ++where
> ++.I integer
> ++is the max page size if no explicit limit is set; the keyword
> ++.I noEstimate
> ++inhibits the server from returning an estimate of the total number
> ++of entries that might be returned
> ++(note: the current implementation does not return any estimate).
> ++The keyword
> ++.I unlimited
> ++indicates that no limit is applied to the pagedResults control page size.
> ++The syntax
> ++.B size.prtotal={<integer>|hard|unlimited|disabled}
> ++allows one to set a limit on the total number of entries that the pagedResults
> ++control will return.
> ++By default it is set to the 
> ++.B hard
> ++limit which will use the size.hard value.
> ++When set, 
> ++.I integer
> ++is the max number of entries that the whole search with pagedResults control
> ++can return.
> ++Use 
> ++.I unlimited
> ++to allow unlimited number of entries to be returned, e.g. to allow
> ++the use of the pagedResults control as a means to circumvent size 
> ++limitations on regular searches; the keyword
> ++.I disabled
> ++disables the control, i.e. no paged results can be returned.
> ++Note that the total number of entries returned when the pagedResults control 
> ++is requested cannot exceed the 
> ++.B hard 
> ++size limit of regular searches unless extended by the
> ++.B prtotal
> ++switch.
> ++
> ++The \fBolcLimits\fP statement is typically used to let an unlimited
> ++number of entries be returned by searches performed
> ++with the identity used by the consumer for synchronization purposes
> ++by means of the RFC 4533 LDAP Content Synchronization protocol
> ++(see \fBolcSyncrepl\fP for details).
> ++
> ++When using subordinate databases, it is necessary for any limits that
> ++are to be applied across the parent and its subordinates to be defined in
> ++both the parent and its subordinates. Otherwise the settings on the
> ++subordinate databases are not honored.
> ++.RE
> ++.TP
> ++.B olcMaxDerefDepth: <depth>
> ++Specifies the maximum number of aliases to dereference when trying to
> ++resolve an entry, used to avoid infinite alias loops. The default is 15.
> ++.TP
> ++.B olcMultiProvider: TRUE | FALSE
> ++This option puts a consumer database into Multi-Provider mode.  Update
> ++operations will be accepted from any user, not just the updatedn.  The
> ++database must already be configured as a syncrepl consumer
> ++before this keyword may be set. This mode also requires a
> ++.B olcServerID
> ++(see above) to be configured.
> ++By default, this setting is FALSE.
> ++.TP
> ++.B olcMonitoring: TRUE | FALSE
> ++This option enables database-specific monitoring in the entry related
> ++to the current database in the "cn=Databases,cn=Monitor" subtree
> ++of the monitor database, if the monitor database is enabled.
> ++Currently, only the MDB database provides database-specific monitoring.
> ++If monitoring is supported by the backend it defaults to TRUE, otherwise
> ++FALSE.
> ++.TP
> ++.B olcPlugin: <plugin_type> <lib_path> <init_function> [<arguments>]
> ++Configure a SLAPI plugin. See the
> ++.BR slapd.plugin (5)
> ++manpage for more details.
> ++.TP
> ++.B olcRootDN: <dn>
> ++Specify the distinguished name that is not subject to access control 
> ++or administrative limit restrictions for operations on this database.
> ++This DN may or may not be associated with an entry.  An empty root
> ++DN (the default) specifies no root access is to be granted.  It is
> ++recommended that the rootdn only be specified when needed (such as
> ++when initially populating a database).  If the rootdn is within
> ++a namingContext (suffix) of the database, a simple bind password
> ++may also be provided using the
> ++.B olcRootPW
> ++directive. Many optional features, including syncrepl, require the
> ++rootdn to be defined for the database.
> ++The
> ++.B olcRootDN
> ++of the
> ++.B cn=config
> ++database defaults to
> ++.B cn=config
> ++itself.
> ++.TP
> ++.B olcRootPW: <password>
> ++Specify a password (or hash of the password) for the rootdn.  The
> ++password can only be set if the rootdn is within the namingContext
> ++(suffix) of the database.
> ++This option accepts all RFC 2307 userPassword formats known to
> ++the server (see 
> ++.B olcPasswordHash
> ++description) as well as cleartext.
> ++.BR slappasswd (8) 
> ++may be used to generate a hash of a password.  Cleartext
> ++and \fB{CRYPT}\fP passwords are not recommended.  If empty
> ++(the default), authentication of the root DN is by other means
> ++(e.g. SASL).  Use of SASL is encouraged.
> ++.TP
> ++.B olcSubordinate: [TRUE | FALSE | advertise]
> ++Specify that the current backend database is a subordinate of another
> ++backend database. A subordinate  database may have only one suffix. This
> ++option may be used to glue multiple databases into a single namingContext.
> ++If the suffix of the current database is within the namingContext of a
> ++superior database, searches against the superior database will be
> ++propagated to the subordinate as well. All of the databases
> ++associated with a single namingContext should have identical rootdns.
> ++Behavior of other LDAP operations is unaffected by this setting. In
> ++particular, it is not possible to use moddn to move an entry from
> ++one subordinate to another subordinate within the namingContext.
> ++
> ++If the optional \fBadvertise\fP flag is supplied, the naming context of
> ++this database is advertised in the root DSE. The default is to hide this
> ++database context, so that only the superior context is visible.
> ++
> ++If the slap tools
> ++.BR slapcat (8),
> ++.BR slapadd (8),
> ++.BR slapmodify (8),
> ++or
> ++.BR slapindex (8)
> ++are used on the superior database, any glued subordinates that support
> ++these tools are opened as well.
> ++
> ++Databases that are glued together should usually be configured with the
> ++same indices (assuming they support indexing), even for attributes that
> ++only exist in some of these databases. In general, all of the glued
> ++databases should be configured as similarly as possible, since the intent
> ++is to provide the appearance of a single directory.
> ++
> ++Note that the subordinate functionality is implemented internally
> ++by the \fIglue\fP overlay and as such its behavior will interact with other
> ++overlays in use. By default, the glue overlay is automatically configured as
> ++the last overlay on the superior database. Its position on the database
> ++can be explicitly configured by setting an \fBoverlay glue\fP directive
> ++at the desired position. This explicit configuration is necessary e.g.
> ++when using the \fIsyncprov\fP overlay, which needs to follow \fIglue\fP
> ++in order to work over all of the glued databases. E.g.
> ++.RS
> ++.nf
> ++	dn: olcDatabase={1}mdb,cn=config
> ++	olcSuffix: dc=example,dc=com
> ++	...
> ++
> ++	dn: olcOverlay={0}glue,olcDatabase={1}mdb,cn=config
> ++	...
> ++
> ++	dn: olcOverlay={1}syncprov,olcDatabase={1}mdb,cn=config
> ++	...
> ++.fi
> ++.RE
> ++See the Overlays section below for more details.
> ++.TP
> ++.B olcSuffix: <dn suffix>
> ++Specify the DN suffix of queries that will be passed to this 
> ++backend database.  Multiple suffix lines can be given and at least one is 
> ++required for each database definition.
> ++
> ++If the suffix of one database is "inside" that of another, the database
> ++with the inner suffix must come first in the configuration file.
> ++You may also want to glue such databases together with the
> ++.B olcSubordinate
> ++attribute.
> ++.TP
> ++.B olcSyncUseSubentry: TRUE | FALSE
> ++Store the syncrepl contextCSN in a subentry instead of the context entry
> ++of the database. The subentry's RDN will be "cn=ldapsync". The default is
> ++FALSE, meaning the contextCSN is stored in the context entry.
> ++.HP
> ++.hy 0
> ++.B olcSyncrepl: rid=<replica ID>
> ++.B provider=ldap[s]://<hostname>[:port]
> ++.B searchbase=<base DN>
> ++.B [type=refreshOnly|refreshAndPersist]
> ++.B [interval=dd:hh:mm:ss]
> ++.B [retry=[<retry interval> <# of retries>]+]
> ++.B [filter=<filter str>]
> ++.B [scope=sub|one|base|subord]
> ++.B [attrs=<attr list>]
> ++.B [exattrs=<attr list>]
> ++.B [attrsonly]
> ++.B [sizelimit=<limit>]
> ++.B [timelimit=<limit>]
> ++.B [schemachecking=on|off]
> ++.B [network\-timeout=<seconds>]
> ++.B [timeout=<seconds>]
> ++.B [tcp\-user\-timeout=<milliseconds>]
> ++.B [bindmethod=simple|sasl]
> ++.B [binddn=<dn>]
> ++.B [saslmech=<mech>]
> ++.B [authcid=<identity>]
> ++.B [authzid=<identity>]
> ++.B [credentials=<passwd>]
> ++.B [realm=<realm>]
> ++.B [secprops=<properties>]
> ++.B [keepalive=<idle>:<probes>:<interval>]
> ++.B [starttls=yes|critical]
> ++.B [tls_cert=<file>]
> ++.B [tls_key=<file>]
> ++.B [tls_cacert=<file>]
> ++.B [tls_cacertdir=<path>]
> ++.B [tls_reqcert=never|allow|try|demand]
> ++.B [tls_reqsan=never|allow|try|demand]
> ++.B [tls_cipher_suite=<ciphers>]
> ++.B [tls_ecname=<names>]
> ++.B [tls_crlcheck=none|peer|all]
> ++.B [tls_protocol_min=<major>[.<minor>]]
> ++.B [suffixmassage=<real DN>]
> ++.B [logbase=<base DN>]
> ++.B [logfilter=<filter str>]
> ++.B [syncdata=default|accesslog|changelog]
> ++.B [lazycommit]
> ++.RS
> ++Specify the current database as a consumer which is kept up-to-date with the 
> ++provider content by establishing the current
> ++.BR slapd (8)
> ++as a replication consumer site running a
> ++.B syncrepl
> ++replication engine.
> ++The consumer content is kept synchronized to the provider content using
> ++the LDAP Content Synchronization protocol. Refer to the
> ++"OpenLDAP Administrator's Guide" for detailed information on
> ++setting up a replicated
> ++.B slapd
> ++directory service using the 
> ++.B syncrepl
> ++replication engine.
> ++
> ++.B rid
> ++identifies the current
> ++.B syncrepl
> ++directive within the replication consumer site.
> ++It is a non-negative integer not greater than 999 (limited
> ++to three decimal digits).
> ++
> ++.B provider
> ++specifies the replication provider site containing the provider content
> ++as an LDAP URI. If <port> is not given, the standard LDAP port number
> ++(389 or 636) is used.
> ++
> ++The content of the
> ++.B syncrepl
> ++consumer is defined using a search
> ++specification as its result set. The consumer
> ++.B slapd
> ++will send search requests to the provider
> ++.B slapd
> ++according to the search specification. The search specification includes
> ++.BR searchbase ", " scope ", " filter ", " attrs ", " attrsonly ", " sizelimit ", "
> ++and
> ++.B timelimit
> ++parameters as in the normal search specification. The
> ++.B exattrs
> ++option may also be used to specify attributes that should be omitted
> ++from incoming entries.
> ++The \fBscope\fP defaults to \fBsub\fP, the \fBfilter\fP defaults to
> ++\fB(objectclass=*)\fP, and there is no default \fBsearchbase\fP. The
> ++\fBattrs\fP list defaults to \fB"*,+"\fP to return all user and operational
> ++attributes, and \fBattrsonly\fP and \fBexattrs\fP are unset by default.
> ++The \fBsizelimit\fP and \fBtimelimit\fP only
> ++accept "unlimited" and positive integers, and both default to "unlimited".
> ++The \fBsizelimit\fP and \fBtimelimit\fP parameters define
> ++a consumer requested limitation on the number of entries that can be returned
> ++by the LDAP Content Synchronization operation; as such, it is intended
> ++to implement partial replication based on the size of the replicated database
> ++and on the time required by the synchronization.
> ++Note, however, that any provider-side limits for the replication identity
> ++will be enforced by the provider regardless of the limits requested
> ++by the LDAP Content Synchronization operation, much like for any other
> ++search operation.
> ++
> ++The LDAP Content Synchronization protocol has two operation types.
> ++In the
> ++.B refreshOnly
> ++operation, the next synchronization search operation
> ++is periodically rescheduled at an interval time (specified by 
> ++.B interval
> ++parameter; 1 day by default)
> ++after each synchronization operation finishes.
> ++In the
> ++.B refreshAndPersist
> ++operation, a synchronization search remains persistent in the provider slapd.
> ++Further updates to the provider will generate
> ++.B searchResultEntry
> ++to the consumer slapd as the search responses to the persistent
> ++synchronization search. If the initial search fails due to an error, the
> ++next synchronization search operation is periodically rescheduled at an
> ++interval time (specified by
> ++.B interval
> ++parameter; 1 day by default)
> ++
> ++If an error occurs during replication, the consumer will attempt to
> ++reconnect according to the
> ++.B retry
> ++parameter which is a list of the <retry interval> and <# of retries> pairs.
> ++For example, retry="60 10 300 3" lets the consumer retry every 60 seconds
> ++for the first 10 times and then retry every 300 seconds for the next 3
> ++times before stop retrying. The `+' in <# of retries> means indefinite
> ++number of retries until success.
> ++If no
> ++.B retry
> ++is specified, by default syncrepl retries every hour forever.
> ++
> ++The schema checking can be enforced at the LDAP Sync
> ++consumer site by turning on the
> ++.B schemachecking
> ++parameter. The default is \fBoff\fP.
> ++Schema checking \fBon\fP means that replicated entries must have
> ++a structural objectClass, must obey to objectClass requirements
> ++in terms of required/allowed attributes, and that naming attributes
> ++and distinguished values must be present.
> ++As a consequence, schema checking should be \fBoff\fP when partial
> ++replication is used.
> ++
> ++The
> ++.B network\-timeout
> ++parameter sets how long the consumer will wait to establish a
> ++network connection to the provider. Once a connection is
> ++established, the
> ++.B timeout
> ++parameter determines how long the consumer will wait for the initial
> ++Bind request to complete. The defaults for these parameters come
> ++from 
> ++.BR ldap.conf (5).
> ++The
> ++.B tcp\-user\-timeout
> ++parameter, if non-zero, corresponds to the
> ++.B TCP_USER_TIMEOUT
> ++set on the target connections, overriding the operating system setting.
> ++Only some systems support the customization of this parameter, it is
> ++ignored otherwise and system-wide settings are used.
> ++
> ++A
> ++.B bindmethod
> ++of 
> ++.B simple
> ++requires the options 
> ++.B binddn
> ++and 
> ++.B credentials
> ++and should only be used when adequate security services
> ++(e.g. TLS or IPSEC) are in place.
> ++.B REMEMBER: simple bind credentials must be in cleartext!
> ++A
> ++.B bindmethod
> ++of
> ++.B sasl
> ++requires the option
> ++.B saslmech.
> ++Depending on the mechanism, an authentication identity and/or
> ++credentials can be specified using
> ++.B authcid
> ++and
> ++.B credentials.
> ++The
> ++.B authzid
> ++parameter may be used to specify an authorization identity.
> ++Specific security properties (as with the
> ++.B sasl\-secprops
> ++keyword above) for a SASL bind can be set with the
> ++.B secprops
> ++option. A non default SASL realm can be set with the
> ++.B realm 
> ++option.
> ++The identity used for synchronization by the consumer should be allowed
> ++to receive an unlimited number of entries in response to a search request.
> ++The provider, other than allowing authentication of the syncrepl identity,
> ++should grant that identity appropriate access privileges to the data
> ++that is being replicated (\fBaccess\fP directive), and appropriate time
> ++and size limits.
> ++This can be accomplished by either allowing unlimited \fBsizelimit\fP
> ++and \fBtimelimit\fP, or by setting an appropriate \fBlimits\fP statement
> ++in the consumer's configuration (see \fBsizelimit\fP and \fBlimits\fP
> ++for details).
> ++
> ++The
> ++.B keepalive
> ++parameter sets the values of \fIidle\fP, \fIprobes\fP, and \fIinterval\fP
> ++used to check whether a socket is alive;
> ++.I idle
> ++is the number of seconds a connection needs to remain idle before TCP 
> ++starts sending keepalive probes;
> ++.I probes
> ++is the maximum number of keepalive probes TCP should send before dropping
> ++the connection;
> ++.I interval
> ++is interval in seconds between individual keepalive probes.
> ++Only some systems support the customization of these values;
> ++the
> ++.B keepalive
> ++parameter is ignored otherwise, and system-wide settings are used.
> ++
> ++The
> ++.B starttls
> ++parameter specifies use of the StartTLS extended operation
> ++to establish a TLS session before Binding to the provider. If the
> ++.B critical
> ++argument is supplied, the session will be aborted if the StartTLS request
> ++fails. Otherwise the syncrepl session continues without TLS. The
> ++.B tls_reqcert
> ++setting defaults to "demand", the
> ++.B tls_reqsan
> ++setting defaults to "allow", and the other TLS settings
> ++default to the same as the main slapd TLS settings.
> ++
> ++The
> ++.B suffixmassage
> ++parameter allows the consumer to pull entries from a remote directory
> ++whose DN suffix differs from the local directory. The portion of the
> ++remote entries' DNs that matches the \fIsearchbase\fP will be replaced
> ++with the suffixmassage DN.
> ++
> ++Rather than replicating whole entries, the consumer can query logs of
> ++data modifications. This mode of operation is referred to as \fIdelta
> ++syncrepl\fP. In addition to the above parameters, the
> ++.B logbase
> ++and
> ++.B logfilter
> ++parameters must be set appropriately for the log that will be used. The
> ++.B syncdata
> ++parameter must be set to either "accesslog" if the log conforms to the
> ++.BR slapo\-accesslog (5)
> ++log format, or "changelog" if the log conforms
> ++to the obsolete \fIchangelog\fP format. If the
> ++.B syncdata
> ++parameter is omitted or set to "default" then the log parameters are
> ++ignored.
> ++
> ++The
> ++.B lazycommit
> ++parameter tells the underlying database that it can store changes without
> ++performing a full flush after each change. This may improve performance
> ++for the consumer, while sacrificing safety or durability.
> ++.RE
> ++.TP
> ++.B olcUpdateDN: <dn>
> ++This option is only applicable in a replica
> ++database.
> ++It specifies the DN permitted to update (subject to access controls)
> ++the replica.  It is only needed in certain push-mode
> ++replication scenarios.  Generally, this DN
> ++.I should not
> ++be the same as the
> ++.B rootdn 
> ++used at the provider.
> ++.TP
> ++.B olcUpdateRef: <url>
> ++Specify the referral to pass back when
> ++.BR slapd (8)
> ++is asked to modify a replicated local database.
> ++If multiple values are specified, each url is provided.
> ++
> ++.SH DATABASE-SPECIFIC OPTIONS
> ++Each database may allow specific configuration options; they are
> ++documented separately in the backends' manual pages. See the
> ++.BR slapd.backends (5)
> ++manual page for an overview of available backends.
> ++.SH OVERLAYS
> ++An overlay is a piece of
> ++code that intercepts database operations in order to extend or change
> ++them. Overlays are pushed onto
> ++a stack over the database, and so they will execute in the reverse
> ++of the order in which they were configured and the database itself
> ++will receive control last of all.
> ++
> ++Overlays must be configured as child entries of a specific database. The
> ++entry's RDN must be of the form
> ++.B olcOverlay={x}<overlaytype>
> ++and the entry must have the olcOverlayConfig objectClass. Normally the
> ++config engine generates the "{x}" index in the RDN automatically, so
> ++it can be omitted when initially loading these entries.
> ++
> ++See the
> ++.BR slapd.overlays (5)
> ++manual page for an overview of available overlays.
> ++.SH EXAMPLES
> ++.LP
> ++Here is a short example of a configuration in LDIF suitable for use with
> ++.BR slapadd (8)
> ++:
> ++.LP
> ++.RS
> ++.nf
> ++dn: cn=config
> ++objectClass: olcGlobal
> ++cn: config
> ++olcPidFile: LOCALSTATEDIR/run/slapd.pid
> ++olcAttributeOptions: x\-hidden lang\-
> ++
> ++dn: cn=schema,cn=config
> ++objectClass: olcSchemaConfig
> ++cn: schema
> ++
> ++include: file://SYSCONFDIR/schema/core.ldif
> ++
> ++dn: olcDatabase=frontend,cn=config
> ++objectClass: olcDatabaseConfig
> ++objectClass: olcFrontendConfig
> ++olcDatabase: frontend
> ++# Subtypes of "name" (e.g. "cn" and "ou") with the
> ++# option ";x\-hidden" can be searched for/compared,
> ++# but are not shown.  See \fBslapd.access\fP(5).
> ++olcAccess: to attrs=name;x\-hidden by * =cs
> ++# Protect passwords.  See \fBslapd.access\fP(5).
> ++olcAccess: to attrs=userPassword  by * auth
> ++# Read access to other attributes and entries.
> ++olcAccess: to * by * read
> ++
> ++# set a rootpw for the config database so we can bind.
> ++# deny access to everyone else.
> ++dn: olcDatabase=config,cn=config
> ++objectClass: olcDatabaseConfig
> ++olcDatabase: config
> ++olcRootPW: {SSHA}XKYnrjvGT3wZFQrDD5040US592LxsdLy
> ++olcAccess: to * by * none
> ++
> ++dn: olcDatabase=mdb,cn=config
> ++objectClass: olcDatabaseConfig
> ++objectClass: olcMdbConfig
> ++olcDatabase: mdb
> ++olcSuffix: "dc=our\-domain,dc=com"
> ++# The database directory MUST exist prior to
> ++# running slapd AND should only be accessible
> ++# by the slapd/tools. Mode 0700 recommended.
> ++olcDbDirectory: LOCALSTATEDIR/openldap\-data
> ++# Indices to maintain
> ++olcDbIndex:     objectClass  eq
> ++olcDbIndex:     cn,sn,mail   pres,eq,approx,sub
> ++
> ++# We serve small clients that do not handle referrals,
> ++# so handle remote lookups on their behalf.
> ++dn: olcDatabase=ldap,cn=config
> ++objectClass: olcDatabaseConfig
> ++objectClass: olcLdapConfig
> ++olcDatabase: ldap
> ++olcSuffix: ""
> ++olcDbUri: ldap://ldap.some\-server.com/
> ++.fi
> ++.RE
> ++.LP
> ++Assuming the above data was saved in a file named "config.ldif" and the
> ++ETCDIR/slapd.d directory has been created, this command will initialize
> ++the configuration:
> ++.RS
> ++.nf
> ++slapadd \-F ETCDIR/slapd.d \-n 0 \-l config.ldif
> ++.fi
> ++.RE
> ++
> ++.LP
> ++"OpenLDAP Administrator's Guide" contains a longer annotated
> ++example of a slapd configuration.
> ++
> ++Alternatively, an existing slapd.conf file can be converted to the new
> ++format using slapd or any of the slap tools:
> ++.RS
> ++.nf
> ++slaptest \-f ETCDIR/slapd.conf \-F ETCDIR/slapd.d
> ++.fi
> ++.RE
> ++
> ++.SH FILES
> ++.TP
> ++ETCDIR/slapd.conf
> ++default slapd configuration file
> ++.TP
> ++ETCDIR/slapd.d
> ++default slapd configuration directory
> ++.SH SEE ALSO
> ++.BR ldap (3),
> ++.BR ldif (5),
> ++.BR gnutls\-cli (1),
> ++.BR slapd.access (5),
> ++.BR slapd.backends (5),
> ++.BR slapd.conf (5),
> ++.BR slapd.overlays (5),
> ++.BR slapd.plugin (5),
> ++.BR slapd (8),
> ++.BR slapacl (8),
> ++.BR slapadd (8),
> ++.BR slapauth (8),
> ++.BR slapcat (8),
> ++.BR slapdn (8),
> ++.BR slapindex (8),
> ++.BR slapmodify (8),
> ++.BR slappasswd (8),
> ++.BR slaptest (8).
> ++.LP
> ++"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
> ++.SH ACKNOWLEDGEMENTS
> ++.so ../Project
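Review bot: the EXAMPLES section of the slapd-config.5 text carried in this patch still shows `olcPidFile: LOCALSTATEDIR/run/slapd.pid` and `olcDbDirectory: LOCALSTATEDIR/openldap\-data`, while the ldap_defaults.h, slapd.conf and slapd.ldif hunks further down move those defaults to LOCALSTATEDIR/run/openldap/slapd.pid and LOCALSTATEDIR/lib/openldap; update the example to match, otherwise the installed man page documents a layout this build no longer uses.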
> +diff -Naurp openldap-2.6.1.orig/doc/man/man8/lloadd.8 openldap-2.6.1/doc/man/man8/lloadd.8
> +--- openldap-2.6.1.orig/doc/man/man8/lloadd.8	2022-01-19 12:32:34.000000000 -0600
> ++++ openldap-2.6.1/doc/man/man8/lloadd.8	2022-02-13 15:55:12.222721830 -0600
> +@@ -5,7 +5,7 @@
> + .SH NAME
> + lloadd \- LDAP Load Balancer Daemon
> + .SH SYNOPSIS
> +-.B LIBEXECDIR/lloadd
> ++.B SBINDIR/lloadd
> + [\c
> + .BR \-4 | \-6 ]
> + [\c
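Review bot: lloadd.8 now documents `SBINDIR/lloadd`, but the only install-location change in this patch is the servers/slapd/Makefile.in hunk that moves slapd to $(sbindir); if lloadd is built at all, its own Makefile.in needs the same libexecdir to sbindir change, otherwise the SYNOPSIS points at a path that does not exist on the installed system.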
> +diff -Naurp openldap-2.6.1.orig/doc/man/man8/slapd.8 openldap-2.6.1/doc/man/man8/slapd.8
> +--- openldap-2.6.1.orig/doc/man/man8/slapd.8	2022-01-19 12:32:34.000000000 -0600
> ++++ openldap-2.6.1/doc/man/man8/slapd.8	2022-02-13 15:55:00.466773546 -0600
> +@@ -5,7 +5,7 @@
> + .SH NAME
> + slapd \- Stand-alone LDAP Daemon
> + .SH SYNOPSIS
> +-.B LIBEXECDIR/slapd 
> ++.B SBINDIR/slapd 
> + [\c
> + .BR \-V [ V [ V ]]
> + [\c
> +diff -Naurp openldap-2.6.1.orig/include/ldap_defaults.h openldap-2.6.1/include/ldap_defaults.h
> +--- openldap-2.6.1.orig/include/ldap_defaults.h	2022-01-19 12:32:34.000000000 -0600
> ++++ openldap-2.6.1/include/ldap_defaults.h	2022-02-13 15:54:13.654979570 -0600
> +@@ -39,7 +39,7 @@
> + #define LDAP_ENV_PREFIX "LDAP"
> + 
> + /* default ldapi:// socket */
> +-#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi"
> ++#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "openldap" LDAP_DIRSEP "ldapi"
> + 
> + /*
> +  * SLAPD DEFINITIONS
> +@@ -47,7 +47,7 @@
> + 	/* location of the default slapd config file */
> + #define SLAPD_DEFAULT_CONFIGFILE	LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.conf"
> + #define SLAPD_DEFAULT_CONFIGDIR		LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.d"
> +-#define SLAPD_DEFAULT_DB_DIR		LDAP_RUNDIR LDAP_DIRSEP "openldap-data"
> ++#define SLAPD_DEFAULT_DB_DIR        LDAP_RUNDIR LDAP_DIRSEP "lib" LDAP_DIRSEP "openldap"
> + #define SLAPD_DEFAULT_DB_MODE		0600
> + #define SLAPD_DEFAULT_UCDATA		LDAP_DATADIR LDAP_DIRSEP "ucdata"
> + 	/* default max deref depth for aliases */
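Review bot: the replacement `#define SLAPD_DEFAULT_DB_DIR` line swaps the tabs used by the neighbouring SLAPD_DEFAULT_CONFIGDIR and SLAPD_DEFAULT_DB_MODE lines for runs of spaces; keep the tabs so the column alignment of this block survives the patch.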
> +diff -Naurp openldap-2.6.1.orig/libraries/liblber/Makefile.in openldap-2.6.1/libraries/liblber/Makefile.in
> +--- openldap-2.6.1.orig/libraries/liblber/Makefile.in	2022-01-19 12:32:34.000000000 -0600
> ++++ openldap-2.6.1/libraries/liblber/Makefile.in	2022-02-13 15:54:13.654979570 -0600
> +@@ -51,6 +51,6 @@ idtest:  $(XLIBS) idtest.o
> + 
> + install-local: FORCE
> + 	-$(MKDIR) $(DESTDIR)$(libdir)
> +-	$(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir)
> ++	$(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir)
> + 	$(LTFINISH) $(DESTDIR)$(libdir)
> + 
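Review bot: the change from `-m 644` to `-m 755` for the installed liblber library (repeated below for libldap and the slapi module) is not explained in the commit message; shared objects do not need the execute bit to be loaded, so if this is needed for an IPFire build-system reason (for example so a later stripping step picks them up), state it in the commit message or in a comment beside the patch.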
> +diff -Naurp openldap-2.6.1.orig/libraries/libldap/Makefile.in openldap-2.6.1/libraries/libldap/Makefile.in
> +--- openldap-2.6.1.orig/libraries/libldap/Makefile.in	2022-01-19 12:32:34.000000000 -0600
> ++++ openldap-2.6.1/libraries/libldap/Makefile.in	2022-02-13 15:54:13.654979570 -0600
> +@@ -82,7 +82,7 @@ CFFILES=ldap.conf
> + 
> + install-local: $(CFFILES) FORCE
> + 	-$(MKDIR) $(DESTDIR)$(libdir)
> +-	$(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir)
> ++	$(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir)
> + 	$(LTFINISH) $(DESTDIR)$(libdir)
> + 	-$(MKDIR) $(DESTDIR)$(sysconfdir)
> + 	@for i in $(CFFILES); do \
> +diff -Naurp openldap-2.6.1.orig/servers/slapd/Makefile.in openldap-2.6.1/servers/slapd/Makefile.in
> +--- openldap-2.6.1.orig/servers/slapd/Makefile.in	2022-01-19 12:32:34.000000000 -0600
> ++++ openldap-2.6.1/servers/slapd/Makefile.in	2022-02-13 15:54:13.655979565 -0600
> +@@ -374,9 +374,10 @@ install-local-srv: install-slapd install
> + 
> + install-slapd: FORCE
> + 	-$(MKDIR) $(DESTDIR)$(libexecdir)
> ++	-$(MKDIR) $(DESTDIR)$(sbindir)
> + 	-$(MKDIR) $(DESTDIR)$(localstatedir)/run
> + 	$(LTINSTALL) $(INSTALLFLAGS) $(STRIP_OPTS) -m 755 \
> +-		slapd$(EXEEXT) $(DESTDIR)$(libexecdir)
> ++		slapd$(EXEEXT) $(DESTDIR)$(sbindir)
> + 	@for i in $(SUBDIRS); do \
> + 	    if test -d $$i && test -f $$i/Makefile ; then \
> + 		echo; echo "  cd $$i && $(MAKE) $(MFLAGS) install"; \
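Review bot: install-slapd still only creates `$(DESTDIR)$(localstatedir)/run`, yet this same patch moves LDAPI_SOCK (ldap_defaults.h) and the pidfile/argsfile defaults (slapd.conf, slapd.ldif) into `run/openldap`; add `-$(MKDIR) $(DESTDIR)$(localstatedir)/run/openldap` here, or make sure the IPFire initscript creates that directory with the right owner before slapd starts, since slapd cannot create its pidfile or the ldapi socket in a directory that does not exist.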
> +@@ -452,9 +453,9 @@ install-conf: FORCE
> + 
> + install-db-config: FORCE
> + 	@-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir)
> +-	@-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data
> ++	@-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/lib/openldap
> + 	$(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
> +-		$(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example
> ++		$(DESTDIR)$(localstatedir)/lib/openldap/DB_CONFIG.example
> + 	$(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
> + 		$(DESTDIR)$(sysconfdir)/DB_CONFIG.example
> + 
> +@@ -462,6 +463,6 @@ install-tools: FORCE
> + 	-$(MKDIR) $(DESTDIR)$(sbindir)
> + 	for i in $(SLAPTOOLS); do \
> + 		$(RM) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \
> +-		$(LN_S) -f $(DESTDIR)$(libexecdir)/slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \
> ++		$(LN_S) -f $(DESTDIR)$(sbindir)/slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \
> + 	done
> + 
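Review bot: the new link target `$(DESTDIR)$(sbindir)/slapd$(EXEEXT)` bakes the staging directory into the symlink, so slap tools installed with a DESTDIR point at the build root rather than the final sbindir (this was already true of the old libexecdir target). Now that link and target live in the same directory a relative link is enough: `$(LN_S) -f slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT)`.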
> +diff -Naurp openldap-2.6.1.orig/servers/slapd/slapd.conf openldap-2.6.1/servers/slapd/slapd.conf
> +--- openldap-2.6.1.orig/servers/slapd/slapd.conf	2022-01-19 12:32:34.000000000 -0600
> ++++ openldap-2.6.1/servers/slapd/slapd.conf	2022-02-13 15:54:13.655979565 -0600
> +@@ -10,8 +10,9 @@ include		%SYSCONFDIR%/schema/core.schema
> + # service AND an understanding of referrals.
> + #referral	ldap://root.openldap.org
> + 
> +-pidfile		%LOCALSTATEDIR%/run/slapd.pid
> +-argsfile	%LOCALSTATEDIR%/run/slapd.args
> ++pidfile		%LOCALSTATEDIR%/run/openldap/slapd.pid
> ++argsfile	%LOCALSTATEDIR%/run/openldap/slapd.args
> ++
> + 
> + # Load dynamic backend modules:
> + modulepath	%MODULEDIR%
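Review bot: a second consecutive blank line is introduced after the new argsfile line (the added `++` empty line directly followed by the existing blank context line); drop the added one so the shipped slapd.conf keeps a single separator before the modulepath block.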
> +@@ -69,7 +70,7 @@ rootpw		secret
> + # The database directory MUST exist prior to running slapd AND 
> + # should only be accessible by the slapd and slap tools.
> + # Mode 700 recommended.
> +-directory	%LOCALSTATEDIR%/openldap-data
> ++directory	%LOCALSTATEDIR%/lib/openldap
> + # Indices to maintain
> + index	objectClass	eq
> + 
> +diff -Naurp openldap-2.6.1.orig/servers/slapd/slapd.ldif openldap-2.6.1/servers/slapd/slapd.ldif
> +--- openldap-2.6.1.orig/servers/slapd/slapd.ldif	2022-01-19 12:32:34.000000000 -0600
> ++++ openldap-2.6.1/servers/slapd/slapd.ldif	2022-02-13 15:54:13.655979565 -0600
> +@@ -9,8 +9,8 @@ cn: config
> + #
> + # Define global ACLs to disable default read access.
> + #
> +-olcArgsFile: %LOCALSTATEDIR%/run/slapd.args
> +-olcPidFile: %LOCALSTATEDIR%/run/slapd.pid
> ++olcArgsFile: %LOCALSTATEDIR%/run/openldap/slapd.args
> ++olcPidFile: %LOCALSTATEDIR%/run/openldap/slapd.pid
> + #
> + # Do not enable referrals until AFTER you have a working directory
> + # service AND an understanding of referrals.
> +@@ -88,7 +88,7 @@ olcRootPW: secret
> + # The database directory MUST exist prior to running slapd AND 
> + # should only be accessible by the slapd and slap tools.
> + # Mode 700 recommended.
> +-olcDbDirectory:	%LOCALSTATEDIR%/openldap-data
> ++olcDbDirectory:	%LOCALSTATEDIR%/lib/openldap
> + # Indices to maintain
> + olcDbIndex: objectClass eq
> + 
> +diff -Naurp openldap-2.6.1.orig/servers/slapd/slapi/Makefile.in openldap-2.6.1/servers/slapd/slapi/Makefile.in
> +--- openldap-2.6.1.orig/servers/slapd/slapi/Makefile.in	2022-01-19 12:32:34.000000000 -0600
> ++++ openldap-2.6.1/servers/slapd/slapi/Makefile.in	2022-02-13 15:54:13.655979565 -0600
> +@@ -46,6 +46,6 @@ BUILD_MOD = @BUILD_SLAPI@
> + install-local: FORCE
> + 	if test "$(BUILD_MOD)" = "yes"; then \
> + 		$(MKDIR) $(DESTDIR)$(libdir); \
> +-		$(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir); \
> ++		$(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir); \
> + 	fi
> + 
> diff --git a/src/patches/openldap-gcc44-fixes.patch b/src/patches/openldap-gcc44-fixes.patch
> deleted file mode 100644
> index 53b8ea047..000000000
> --- a/src/patches/openldap-gcc44-fixes.patch
> +++ /dev/null
> @@ -1,31 +0,0 @@
> ---- include/ldap_pvt_thread.h~	2008-11-12 07:37:16.000000000 +0000
> -+++ include/ldap_pvt_thread.h	2008-11-12 08:01:45.000000000 +0000
> -@@ -59,12 +59,12 @@
> - 
> - #ifndef LDAP_PVT_THREAD_H_DONE
> - #define	LDAP_PVT_THREAD_SET_STACK_SIZE
> --#ifndef LDAP_PVT_THREAD_STACK_SIZE
> --	/* LARGE stack. Will be twice as large on 64 bit machine. */
> --#define LDAP_PVT_THREAD_STACK_SIZE	( 1 * 1024 * 1024 * sizeof(void *) )
> - /* May be explicitly defined to zero to disable it */
> --#elif LDAP_PVT_THREAD_STACK_SIZE == 0
> -+#if LDAP_PVT_THREAD_STACK_SIZE == 0
> - #undef LDAP_PVT_THREAD_SET_STACK_SIZE
> -+#elif !defined(LDAP_PVT_THREAD_STACK_SIZE)
> -+	/* LARGE stack. Will be twice as large on 64 bit machine. */
> -+#define LDAP_PVT_THREAD_STACK_SIZE	( 1 * 1024 * 1024 * sizeof(void *) )
> - #endif
> - #endif /* !LDAP_PVT_THREAD_H_DONE */
> - 
> ---- libraries/libldap/os-ip.c~	2008-11-12 07:33:10.000000000 +0000
> -+++ libraries/libldap/os-ip.c	2008-11-12 07:33:31.000000000 +0000
> -@@ -690,7 +690,7 @@
> - 		char *herr;
> - #ifdef NI_MAXHOST
> - 		char hbuf[NI_MAXHOST];
> --#elif defined( MAXHOSTNAMELEN
> -+#elif defined( MAXHOSTNAMELEN )
> - 		char hbuf[MAXHOSTNAMELEN];
> - #else
> - 		char hbuf[256];
> -
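Review bot: the commit message only says "Removal of old patches"; it should confirm that both fixes in openldap-gcc44-fixes.patch, the LDAP_PVT_THREAD_STACK_SIZE #if reordering in ldap_pvt_thread.h and the missing closing parenthesis in `#elif defined( MAXHOSTNAMELEN` in os-ip.c, are already present upstream in 2.6.1, since dropping the patch without that check would reintroduce the preprocessor error on the second one.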
  

Patch

diff --git a/config/rootfiles/common/openldap b/config/rootfiles/common/openldap
index 8d42b8880..45e731ee4 100644
--- a/config/rootfiles/common/openldap
+++ b/config/rootfiles/common/openldap
@@ -10,6 +10,7 @@ 
 #usr/bin/ldappasswd
 #usr/bin/ldapsearch
 #usr/bin/ldapurl
+#usr/bin/ldapvc
 #usr/bin/ldapwhoami
 #usr/include/lber.h
 #usr/include/lber_types.h
@@ -21,18 +22,16 @@ 
 #usr/include/ldif.h
 #usr/include/openldap.h
 #usr/include/slapi-plugin.h
-usr/lib/liblber-2.4.so.2
-usr/lib/liblber-2.4.so.2.10.12
 #usr/lib/liblber.la
 #usr/lib/liblber.so
-usr/lib/libldap-2.4.so.2
-usr/lib/libldap-2.4.so.2.10.12
+usr/lib/liblber.so.2
+usr/lib/liblber.so.2.0.200
 #usr/lib/libldap.la
 #usr/lib/libldap.so
-usr/lib/libldap_r-2.4.so.2
-usr/lib/libldap_r-2.4.so.2.10.12
-#usr/lib/libldap_r.la
-#usr/lib/libldap_r.so
+usr/lib/libldap.so.2
+usr/lib/libldap.so.2.0.200
+#usr/lib/pkgconfig/lber.pc
+#usr/lib/pkgconfig/ldap.pc
 #usr/share/man/man1/ldapadd.1
 #usr/share/man/man1/ldapcompare.1
 #usr/share/man/man1/ldapdelete.1
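Review bot: the shipped sonames change here from liblber-2.4.so.2 / libldap-2.4.so.2 / libldap_r-2.4.so.2 to liblber.so.2 / libldap.so.2, and libldap_r disappears entirely, so every package on the system that was linked against the old names will fail to load once this update removes them. Those consumers need a rebuild in the same update, and anything still linking `-lldap_r` has to switch to `-lldap`; the commit message should list which packages were rebuilt, and the rootfile diff for those packages should accompany this one.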
@@ -42,6 +41,7 @@  usr/lib/libldap_r-2.4.so.2.10.12
 #usr/share/man/man1/ldappasswd.1
 #usr/share/man/man1/ldapsearch.1
 #usr/share/man/man1/ldapurl.1
+#usr/share/man/man1/ldapvc.1
 #usr/share/man/man1/ldapwhoami.1
 #usr/share/man/man3/ber_alloc_t.3
 #usr/share/man/man3/ber_bvarray_add.3
@@ -136,6 +136,7 @@  usr/lib/libldap_r-2.4.so.2.10.12
 #usr/share/man/man3/ldap_first_message.3
 #usr/share/man/man3/ldap_first_reference.3
 #usr/share/man/man3/ldap_free_urldesc.3
+#usr/share/man/man3/ldap_get_attribute_ber.3
 #usr/share/man/man3/ldap_get_dn.3
 #usr/share/man/man3/ldap_get_option.3
 #usr/share/man/man3/ldap_get_values.3
@@ -175,6 +176,7 @@  usr/lib/libldap_r-2.4.so.2.10.12
 #usr/share/man/man3/ldap_objectclass_free.3
 #usr/share/man/man3/ldap_open.3
 #usr/share/man/man3/ldap_parse_extended_result.3
+#usr/share/man/man3/ldap_parse_intermediate.3
 #usr/share/man/man3/ldap_parse_reference.3
 #usr/share/man/man3/ldap_parse_result.3
 #usr/share/man/man3/ldap_parse_sasl_bind_result.3
@@ -227,23 +229,22 @@  usr/lib/libldap_r-2.4.so.2.10.12
 #usr/share/man/man3/ldap_value_free_len.3
 #usr/share/man/man5/ldap.conf.5
 #usr/share/man/man5/ldif.5
-#usr/share/man/man5/slapd-bdb.5
+#usr/share/man/man5/lloadd.conf.5
+#usr/share/man/man5/slapd-asyncmeta.5
 #usr/share/man/man5/slapd-config.5
 #usr/share/man/man5/slapd-dnssrv.5
-#usr/share/man/man5/slapd-hdb.5
 #usr/share/man/man5/slapd-ldap.5
 #usr/share/man/man5/slapd-ldif.5
 #usr/share/man/man5/slapd-mdb.5
 #usr/share/man/man5/slapd-meta.5
 #usr/share/man/man5/slapd-monitor.5
-#usr/share/man/man5/slapd-ndb.5
 #usr/share/man/man5/slapd-null.5
 #usr/share/man/man5/slapd-passwd.5
 #usr/share/man/man5/slapd-perl.5
 #usr/share/man/man5/slapd-relay.5
-#usr/share/man/man5/slapd-shell.5
 #usr/share/man/man5/slapd-sock.5
 #usr/share/man/man5/slapd-sql.5
+#usr/share/man/man5/slapd-wt.5
 #usr/share/man/man5/slapd.access.5
 #usr/share/man/man5/slapd.backends.5
 #usr/share/man/man5/slapd.conf.5
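Review bot: the dropped slapd-bdb.5, slapd-hdb.5, slapd-ndb.5 and slapd-shell.5 entries mean the bdb, hdb, ndb and shell backends are no longer built, which the new consolidated patch header also states ("remove changes to now non-existent slapd-bdb.5 file"). Any existing slapd.conf on an installed system that still says `database bdb` or `database hdb` will fail to load after this update, so this needs a migration note: export the directory with slapcat before upgrading and re-import it into an mdb database with slapadd afterwards. The newly listed slapd-wt.5 and slapd-asyncmeta.5 pages are commented out, so nothing new is shipped there.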
@@ -251,17 +252,22 @@  usr/lib/libldap_r-2.4.so.2.10.12
 #usr/share/man/man5/slapd.plugin.5
 #usr/share/man/man5/slapo-accesslog.5
 #usr/share/man/man5/slapo-auditlog.5
+#usr/share/man/man5/slapo-autoca.5
 #usr/share/man/man5/slapo-chain.5
 #usr/share/man/man5/slapo-collect.5
 #usr/share/man/man5/slapo-constraint.5
 #usr/share/man/man5/slapo-dds.5
+#usr/share/man/man5/slapo-deref.5
 #usr/share/man/man5/slapo-dyngroup.5
 #usr/share/man/man5/slapo-dynlist.5
+#usr/share/man/man5/slapo-homedir.5
 #usr/share/man/man5/slapo-memberof.5
+#usr/share/man/man5/slapo-otp.5
 #usr/share/man/man5/slapo-pbind.5
 #usr/share/man/man5/slapo-pcache.5
 #usr/share/man/man5/slapo-ppolicy.5
 #usr/share/man/man5/slapo-refint.5
+#usr/share/man/man5/slapo-remoteauth.5
 #usr/share/man/man5/slapo-retcode.5
 #usr/share/man/man5/slapo-rwm.5
 #usr/share/man/man5/slapo-sock.5
@@ -270,6 +276,8 @@  usr/lib/libldap_r-2.4.so.2.10.12
 #usr/share/man/man5/slapo-translucent.5
 #usr/share/man/man5/slapo-unique.5
 #usr/share/man/man5/slapo-valsort.5
+#usr/share/man/man5/slappw-argon2.5
+#usr/share/man/man8/lloadd.8
 #usr/share/man/man8/slapacl.8
 #usr/share/man/man8/slapadd.8
 #usr/share/man/man8/slapauth.8
@@ -277,6 +285,7 @@  usr/lib/libldap_r-2.4.so.2.10.12
 #usr/share/man/man8/slapd.8
 #usr/share/man/man8/slapdn.8
 #usr/share/man/man8/slapindex.8
+#usr/share/man/man8/slapmodify.8
 #usr/share/man/man8/slappasswd.8
 #usr/share/man/man8/slapschema.8
 #usr/share/man/man8/slaptest.8
diff --git a/lfs/openldap b/lfs/openldap
index 60d46a249..195aa4af2 100644
--- a/lfs/openldap
+++ b/lfs/openldap
@@ -24,7 +24,7 @@ 
 
 include Config
 
-VER        = 2.4.49
+VER        = 2.6.1
 
 THISAPP    = openldap-$(VER)
 DL_FILE    = $(THISAPP).tgz
@@ -42,7 +42,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = ee777588d758f6704b0d38b90feb85b27e2307510a05d1d147324e9958a6f6fc5bc7dd521a1462971c3f707429ad38fab734f508d71fd88b447770e112e844a2
+$(DL_FILE)_BLAKE2 = 08bb7ec0354d689b65673d6c4c05a3299ba4f1655cbcccb710b6c9ca66fd636d6b2d89faa8d32278d253a1647deae8b1e86e8e275b890208bfac4ca663a40523
 
 install : $(TARGET)
 
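Review bot: the BLAKE2 hash is swapped without any statement of how the new tarball was verified, and the hash alone only pins whatever was downloaded. Before accepting, check the openldap-2.6.1.tgz that produced 08bb7ec0... against the checksums OpenLDAP publishes alongside its release tarballs, and say so in the commit message, so that a compromised mirror or download cannot be laundered into the build by simply recording its hash here.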
@@ -72,7 +72,7 @@  $(subst %,%_BLAKE2,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openldap-2.4.49-consolidated-1.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openldap-2.6.1-consolidated-2.patch
 	cd $(DIR_APP) && autoconf
 	cd $(DIR_APP) && ./configure \
 		--prefix=/usr \
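Review bot: the `cd $(DIR_APP) && autoconf` step survives the patch change, but the new patch's header says the symbol-versioning changes (which were the only reason the old patch touched build/openldap.m4 and configure.in) were dropped as integrated upstream. If openldap-2.6.1-consolidated-2.patch no longer modifies configure.ac or build/, the autoconf run regenerates upstream's configure with the host's autoconf version for no benefit and is a needless reproducibility risk; either drop the line or note which part of the new patch still requires it.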
diff --git a/src/patches/openldap-2.4.49-consolidated-1.patch b/src/patches/openldap-2.4.49-consolidated-1.patch
deleted file mode 100644
index 8cd2656e3..000000000
--- a/src/patches/openldap-2.4.49-consolidated-1.patch
+++ /dev/null
@@ -1,371 +0,0 @@ 
-Submitted by:            Bruce Dubbs <bdubbs at linuxfromscratch.org>
-Date:                    2012-03-26 
-Initial Package Version: 2.4.40
-Upstream Status:         BLFS Specific
-Origin:                  Armin K. <krejzi at email dot com> and Debian 
-Comment:                 Rediffed by Fernando de Oliveira <famobr at yahoo dot
-                         com dot br> for version 2.4.44 - 2016.02.06
-                         Rediffed by Pierre Labastie <pierre dot labastie at
-                         neuf dot fr> to add mdb backend and slapd.ldif. See
-                         ticket #7394 - 2016.02.24
-Description:             Consolidate earlier patches to:
- 1. Update various installation options, such as ldap database path, 
-    configuration file options, slapd install location, etc.
- 2. Remove reference to bdb module
- 3. Enables symbol versioning in ldap libraries. Without these changes
-    some applications might generate a warning about missing symbol versions.
-
-diff -Naur openldap-2.4.40.orig/build/openldap.m4 openldap-2.4.40/build/openldap.m4
---- openldap-2.4.40.orig/build/openldap.m4	2014-09-18 20:48:49.000000000 -0500
-+++ openldap-2.4.40/build/openldap.m4	2015-03-26 15:37:39.801077750 -0500
-@@ -1142,3 +1142,54 @@
- #endif
- 	], [ol_cv_ssl_crl_compat=yes], [ol_cv_ssl_crl_compat=no])])
- ])
-+
-+dnl ====================================================================
-+dnl check for symbol versioning support
-+AC_DEFUN([OL_SYMBOL_VERSIONING],
-+[AC_CACHE_CHECK([for .symver assembler directive],
-+	[ol_cv_asm_symver_directive],[
-+cat > conftest.s <<EOF
-+${libc_cv_dot_text}
-+_sym:
-+.symver _sym,sym@VERS
-+EOF
-+if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
-+  ol_cv_asm_symver_directive=yes
-+else
-+  ol_cv_asm_symver_directive=no
-+fi
-+rm -f conftest*])
-+AC_CACHE_CHECK([for ld --version-script],
-+	[ol_cv_ld_version_script_option],[
-+if test $ol_cv_asm_symver_directive = yes; then
-+  cat > conftest.s <<EOF
-+${libc_cv_dot_text}
-+_sym:
-+.symver _sym,sym@VERS
-+EOF
-+  cat > conftest.map <<EOF
-+VERS_1 {
-+	global: sym;
-+};
-+
-+VERS_2 {
-+	global: sym;
-+} VERS_1;
-+EOF
-+  if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
-+    if AC_TRY_COMMAND([${CC-cc} $CFLAGS $LDFLAGS -shared
-+                                                 -o conftest.so conftest.o
-+                                                 -Wl,--version-script,conftest.map
-+                       1>&AS_MESSAGE_LOG_FD]);
-+    then
-+      ol_cv_ld_version_script_option=yes
-+    else
-+      ol_cv_ld_version_script_option=no
-+    fi
-+  else
-+    ol_cv_ld_version_script_option=no
-+  fi
-+else
-+  ol_cv_ld_version_script_option=no
-+fi
-+rm -f conftest*])])
-diff -Naur openldap-2.4.40.orig/build/top.mk openldap-2.4.40/build/top.mk
---- openldap-2.4.40.orig/build/top.mk	2014-09-18 20:48:49.000000000 -0500
-+++ openldap-2.4.40/build/top.mk	2015-03-26 15:37:39.801077750 -0500
-@@ -104,6 +104,9 @@
- # LINK_LIBS referenced in library and module link commands.
- LINK_LIBS = $(MOD_LIBS) $(@PLAT@_LINK_LIBS)
- 
-+# option to pass to $(CC) to support library symbol versioning, if any
-+VERSION_OPTION = @VERSION_OPTION@
-+
- LTSTATIC = @LTSTATIC@
- 
- LTLINK   = $(LIBTOOL) --mode=link \
-@@ -113,7 +116,7 @@
- 	$(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(LIB_DEFS) -c
- 
- LTLINK_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=link \
--	$(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB)
-+	$(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) $(VERSION_FLAGS)
- 
- LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=compile \
- 	$(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c
-diff -Naur openldap-2.4.40.orig/configure.in openldap-2.4.40/configure.in
---- openldap-2.4.40.orig/configure.in	2014-09-18 20:48:49.000000000 -0500
-+++ openldap-2.4.40/configure.in	2015-03-26 15:37:39.801077750 -0500
-@@ -1916,6 +1916,13 @@
- fi
- AC_SUBST(LTSTATIC)dnl
- 
-+VERSION_OPTION=""
-+OL_SYMBOL_VERSIONING
-+if test $ol_cv_ld_version_script_option = yes ; then
-+  VERSION_OPTION="-Wl,--version-script="
-+fi
-+AC_SUBST(VERSION_OPTION)
-+
- dnl ----------------------------------------------------------------
- if test $ol_enable_wrappers != no ; then
- 	AC_CHECK_HEADERS(tcpd.h,[
-diff -Naur openldap-2.4.40.orig/doc/man/man5/slapd-bdb.5 openldap-2.4.40/doc/man/man5/slapd-bdb.5
---- openldap-2.4.40.orig/doc/man/man5/slapd-bdb.5	2014-09-18 20:48:49.000000000 -0500
-+++ openldap-2.4.40/doc/man/man5/slapd-bdb.5	2015-03-26 15:36:59.637464038 -0500
-@@ -135,7 +135,7 @@
- associated indexes live.
- A separate directory must be specified for each database.
- The default is
--.BR LOCALSTATEDIR/openldap\-data .
-+.BR LOCALSTATEDIR/lib/openldap .
- .TP
- .B dirtyread
- Allow reads of modified but not yet committed data.
-diff -Naur openldap-2.4.40.orig/doc/man/man5/slapd-config.5 openldap-2.4.40/doc/man/man5/slapd-config.5
---- openldap-2.4.40.orig/doc/man/man5/slapd-config.5	2014-09-18 20:48:49.000000000 -0500
-+++ openldap-2.4.40/doc/man/man5/slapd-config.5	2015-03-26 15:36:59.638464004 -0500
-@@ -2051,7 +2051,7 @@
- # The database directory MUST exist prior to
- # running slapd AND should only be accessible
- # by the slapd/tools. Mode 0700 recommended.
--olcDbDirectory: LOCALSTATEDIR/openldap\-data
-+olcDbDirectory: LOCALSTATEDIR/lib/openldap
- # Indices to maintain
- olcDbIndex:     objectClass  eq
- olcDbIndex:     cn,sn,mail   pres,eq,approx,sub
-diff -Naur openldap-2.4.40.orig/doc/man/man5/slapd.conf.5 openldap-2.4.40/doc/man/man5/slapd.conf.5
---- openldap-2.4.40.orig/doc/man/man5/slapd.conf.5	2014-09-18 20:48:49.000000000 -0500
-+++ openldap-2.4.40/doc/man/man5/slapd.conf.5	2015-03-26 15:36:59.638464004 -0500
-@@ -2021,7 +2021,7 @@
- # The database directory MUST exist prior to
- # running slapd AND should only be accessible
- # by the slapd/tools. Mode 0700 recommended.
--directory LOCALSTATEDIR/openldap\-data
-+directory LOCALSTATEDIR/lib/openldap
- # Indices to maintain
- index     objectClass  eq
- index     cn,sn,mail   pres,eq,approx,sub
-diff -Naur openldap-2.4.40.orig/include/ldap_defaults.h openldap-2.4.40/include/ldap_defaults.h
---- openldap-2.4.40.orig/include/ldap_defaults.h	2014-09-18 20:48:49.000000000 -0500
-+++ openldap-2.4.40/include/ldap_defaults.h	2015-03-26 15:36:59.638464004 -0500
-@@ -39,7 +39,7 @@
- #define LDAP_ENV_PREFIX "LDAP"
- 
- /* default ldapi:// socket */
--#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi"
-+#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "openldap" LDAP_DIRSEP "ldapi"
- 
- /*
-  * SLAPD DEFINITIONS
-@@ -47,7 +47,7 @@
- 	/* location of the default slapd config file */
- #define SLAPD_DEFAULT_CONFIGFILE	LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.conf"
- #define SLAPD_DEFAULT_CONFIGDIR		LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.d"
--#define SLAPD_DEFAULT_DB_DIR		LDAP_RUNDIR LDAP_DIRSEP "openldap-data"
-+#define SLAPD_DEFAULT_DB_DIR		LDAP_RUNDIR LDAP_DIRSEP "lib" LDAP_DIRSEP "openldap"
- #define SLAPD_DEFAULT_DB_MODE		0600
- #define SLAPD_DEFAULT_UCDATA		LDAP_DATADIR LDAP_DIRSEP "ucdata"
- 	/* default max deref depth for aliases */
-diff -Naur openldap-2.4.40.orig/libraries/liblber/Makefile.in openldap-2.4.40/libraries/liblber/Makefile.in
---- openldap-2.4.40.orig/libraries/liblber/Makefile.in	2014-09-18 20:48:49.000000000 -0500
-+++ openldap-2.4.40/libraries/liblber/Makefile.in	2015-03-26 15:37:39.801077750 -0500
-@@ -38,6 +38,9 @@
- XXLIBS = 
- NT_LINK_LIBS = $(AC_LIBS)
- UNIX_LINK_LIBS = $(AC_LIBS)
-+ifneq (,$(VERSION_OPTION))
-+  VERSION_FLAGS = "$(VERSION_OPTION)$(srcdir)/liblber.map"
-+endif
- 
- dtest:    $(XLIBS) dtest.o
- 	$(LTLINK) -o $@ dtest.o $(LIBS)
-@@ -48,6 +51,6 @@
- 
- install-local: FORCE
- 	-$(MKDIR) $(DESTDIR)$(libdir)
--	$(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir)
-+	$(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir)
- 	$(LTFINISH) $(DESTDIR)$(libdir)
- 
-diff -Naur openldap-2.4.40.orig/libraries/liblber/liblber.map openldap-2.4.40/libraries/liblber/liblber.map
---- openldap-2.4.40.orig/libraries/liblber/liblber.map	1969-12-31 18:00:00.000000000 -0600
-+++ openldap-2.4.40/libraries/liblber/liblber.map	2015-03-26 15:37:39.801077750 -0500
-@@ -0,0 +1,8 @@
-+OPENLDAP_2.4_2 {
-+  global:
-+    ber_*;
-+    der_alloc;
-+    lutil_*;
-+  local:
-+    *;
-+};
-diff -Naur openldap-2.4.40.orig/libraries/libldap/Makefile.in openldap-2.4.40/libraries/libldap/Makefile.in
---- openldap-2.4.40.orig/libraries/libldap/Makefile.in	2014-09-18 20:48:49.000000000 -0500
-+++ openldap-2.4.40/libraries/libldap/Makefile.in	2015-03-26 15:37:39.802077716 -0500
-@@ -52,6 +52,9 @@
- XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS)
- NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
- UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
-+ifneq (,$(VERSION_OPTION))
-+  VERSION_FLAGS = $(VERSION_OPTION)$(srcdir)/libldap.map
-+endif
- 
- apitest:	$(XLIBS) apitest.o
- 	$(LTLINK) -o $@ apitest.o $(LIBS)
-@@ -68,7 +71,7 @@
- 
- install-local: $(CFFILES) FORCE
- 	-$(MKDIR) $(DESTDIR)$(libdir)
--	$(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir)
-+	$(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir)
- 	$(LTFINISH) $(DESTDIR)$(libdir)
- 	-$(MKDIR) $(DESTDIR)$(sysconfdir)
- 	@for i in $(CFFILES); do \
-diff -Naur openldap-2.4.40.orig/libraries/libldap/libldap.map openldap-2.4.40/libraries/libldap/libldap.map
---- openldap-2.4.40.orig/libraries/libldap/libldap.map	1969-12-31 18:00:00.000000000 -0600
-+++ openldap-2.4.40/libraries/libldap/libldap.map	2015-03-26 15:37:39.802077716 -0500
-@@ -0,0 +1,7 @@
-+OPENLDAP_2.4_2 {
-+  global:
-+    ldap_*;
-+    ldif_*;
-+  local:
-+    *;
-+};
-diff -Naur openldap-2.4.40.orig/libraries/libldap_r/Makefile.in openldap-2.4.40/libraries/libldap_r/Makefile.in
---- openldap-2.4.40.orig/libraries/libldap_r/Makefile.in	2014-09-18 20:48:49.000000000 -0500
-+++ openldap-2.4.40/libraries/libldap_r/Makefile.in	2015-03-26 15:37:39.802077716 -0500
-@@ -61,6 +61,9 @@
- XXXLIBS = $(LTHREAD_LIBS)
- NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
- UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(LTHREAD_LIBS)
-+ifneq (,$(VERSION_OPTION))
-+  VERSION_FLAGS = "$(VERSION_OPTION)$(XXDIR)/libldap.map"
-+endif
- 
- .links : Makefile
- 	@for i in $(XXSRCS); do \
-@@ -83,6 +86,6 @@
- 
- install-local: $(CFFILES) FORCE
- 	-$(MKDIR) $(DESTDIR)$(libdir)
--	$(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir)
-+	$(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir)
- 	$(LTFINISH) $(DESTDIR)$(libdir)
- 
-diff -Naur openldap-2.4.40.orig/servers/slapd/Makefile.in openldap-2.4.40/servers/slapd/Makefile.in
---- openldap-2.4.40.orig/servers/slapd/Makefile.in	2014-09-18 20:48:49.000000000 -0500
-+++ openldap-2.4.40/servers/slapd/Makefile.in	2015-03-26 15:36:59.639463969 -0500
-@@ -376,10 +376,10 @@
- 	install-conf install-dbc-maybe install-schema install-tools
- 
- install-slapd: FORCE
--	-$(MKDIR) $(DESTDIR)$(libexecdir)
-+	-$(MKDIR) $(DESTDIR)$(sbindir)
- 	-$(MKDIR) $(DESTDIR)$(localstatedir)/run
- 	$(LTINSTALL) $(INSTALLFLAGS) $(STRIP) -m 755 \
--		slapd$(EXEEXT) $(DESTDIR)$(libexecdir)
-+		slapd$(EXEEXT) $(DESTDIR)$(sbindir)
- 	@for i in $(SUBDIRS); do \
- 	    if test -d $$i && test -f $$i/Makefile ; then \
- 		echo; echo "  cd $$i; $(MAKE) $(MFLAGS) install"; \
-@@ -445,9 +445,9 @@
- 
- install-db-config: FORCE
- 	@-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir)
--	@-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data
-+	@-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/lib/openldap
- 	$(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
--		$(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example
-+		$(DESTDIR)$(localstatedir)/lib/openldap/DB_CONFIG.example
- 	$(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
- 		$(DESTDIR)$(sysconfdir)/DB_CONFIG.example
- 
-@@ -455,6 +455,6 @@
- 	-$(MKDIR) $(DESTDIR)$(sbindir)
- 	for i in $(SLAPTOOLS); do \
- 		$(RM) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \
--		$(LN_S) -f $(DESTDIR)$(libexecdir)/slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \
-+		$(LN_S) -f $(DESTDIR)$(sbindir)/slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \
- 	done
- 
-diff -Naur openldap-2.4.44.orig/servers/slapd/slapd.conf openldap-2.4.44/servers/slapd/slapd.conf
---- openldap-2.4.44.orig/servers/slapd/slapd.conf	2016-02-06 00:57:45.000000000 +0100
-+++ openldap-2.4.44/servers/slapd/slapd.conf	2016-02-22 23:01:47.681372594 +0100
-@@ -10,12 +10,12 @@
- # service AND an understanding of referrals.
- #referral	ldap://root.openldap.org
- 
--pidfile		%LOCALSTATEDIR%/run/slapd.pid
--argsfile	%LOCALSTATEDIR%/run/slapd.args
-+pidfile		%LOCALSTATEDIR%/run/openldap/slapd.pid
-+argsfile	%LOCALSTATEDIR%/run/openldap/slapd.args
- 
- # Load dynamic backend modules:
--# modulepath	%MODULEDIR%
--# moduleload	back_mdb.la
-+modulepath	%MODULEDIR%
-+moduleload	back_mdb.la
- # moduleload	back_ldap.la
- 
- # Sample security restrictions
-@@ -60,6 +60,6 @@
- # The database directory MUST exist prior to running slapd AND 
- # should only be accessible by the slapd and slap tools.
- # Mode 700 recommended.
--directory	%LOCALSTATEDIR%/openldap-data
-+directory	%LOCALSTATEDIR%/lib/openldap
- # Indices to maintain
- index	objectClass	eq
-diff -Naur openldap-2.4.44.orig/servers/slapd/slapd.ldif openldap-2.4.44/servers/slapd/slapd.ldif
---- openldap-2.4.44.orig/servers/slapd/slapd.ldif	2016-02-06 00:57:45.000000000 +0100
-+++ openldap-2.4.44/servers/slapd/slapd.ldif	2016-02-22 22:59:57.824364446 +0100
-@@ -9,8 +9,8 @@
- #
- # Define global ACLs to disable default read access.
- #
--olcArgsFile: %LOCALSTATEDIR%/run/slapd.args
--olcPidFile: %LOCALSTATEDIR%/run/slapd.pid
-+olcArgsFile: %LOCALSTATEDIR%/run/openldap/slapd.args
-+olcPidFile: %LOCALSTATEDIR%/run/openldap/slapd.pid
- #
- # Do not enable referrals until AFTER you have a working directory
- # service AND an understanding of referrals.
-@@ -26,10 +26,11 @@
- #
- # Load dynamic backend modules:
- #
--#dn: cn=module,cn=config
--#objectClass: olcModuleList
--#cn: module
--#olcModulepath:	%MODULEDIR%
-+dn: cn=module,cn=config
-+objectClass: olcModuleList
-+cn: module
-+olcModulepath:	%MODULEDIR%
-+olcModuleload: back_mdb.la
- #olcModuleload:	back_bdb.la
- #olcModuleload:	back_hdb.la
- #olcModuleload:	back_ldap.la
-@@ -90,6 +91,6 @@
- # The database directory MUST exist prior to running slapd AND 
- # should only be accessible by the slapd and slap tools.
- # Mode 700 recommended.
--olcDbDirectory:	%LOCALSTATEDIR%/openldap-data
-+olcDbDirectory:	%LOCALSTATEDIR%/lib/openldap
- # Indices to maintain
- olcDbIndex: objectClass eq
-diff -Naur openldap-2.4.40.orig/servers/slapd/slapi/Makefile.in openldap-2.4.40/servers/slapd/slapi/Makefile.in
---- openldap-2.4.40.orig/servers/slapd/slapi/Makefile.in	2014-09-18 20:48:49.000000000 -0500
-+++ openldap-2.4.40/servers/slapd/slapi/Makefile.in	2015-03-26 15:36:59.639463969 -0500
-@@ -46,6 +46,6 @@
- install-local: FORCE
- 	if test "$(BUILD_MOD)" = "yes"; then \
- 		$(MKDIR) $(DESTDIR)$(libdir); \
--		$(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir); \
-+		$(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir); \
- 	fi
- 
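Review bot: the deleted patch carried several path and install defaults beyond documentation: LDAPI_SOCK moved under run/openldap, SLAPD_DEFAULT_DB_DIR moved to lib/openldap, slapd installed into sbindir instead of libexecdir, the pidfile/argsfile moved into run/openldap, and back_mdb loaded by default in slapd.conf and slapd.ldif. The visible start of the replacement patch only shows the slapd.conf.5 change, so please confirm in the commit message that every one of those defaults is carried over unchanged; if any of them silently reverts to upstream's location, existing configurations and clients pointing at the old ldapi socket or database directory break without an obvious error.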
diff --git a/src/patches/openldap-2.6.1-consolidated-2.patch b/src/patches/openldap-2.6.1-consolidated-2.patch
new file mode 100644
index 000000000..eb7396ad6
--- /dev/null
+++ b/src/patches/openldap-2.6.1-consolidated-2.patch
@@ -0,0 +1,4689 @@ 
+Submitted by:            Bruce Dubbs <bdubbs at linuxfromscratch.org>
+Date:                    2012-03-26
+Initial Package Version: 2.4.40
+Upstream Status:         BLFS Specific
+Origin:                  Armin K. <krejzi at email dot com> and Debian
+Comment:                 Rediffed by Fernando de Oliveira <famobr at yahoo dot
+                         com dot br> for version 2.4.44 - 2016.02.06
+                         Rediffed by Pierre Labastie <pierre dot labastie at
+                         neuf dot fr> to add mdb backend and slapd.ldif. See
+                         ticket #7394 - 2016.02.24
+                         Rediffed by Douglas R. Reno <renodr at linuxfromscratch
+                         dot org> to function on 2.4.51. - 2020-08-13
+                         Fixed the rediff to use a .c file instead of a .s, fixing
+                         the test by Douglas R. Reno - 2020-08-13
+                         Rediffed by Tim Tassonis <stuff at decentral.ch> to
+                         remove now integrated symbol versioning stuff and
+                         remove changes to now non-existent slapd-bdb.5 file - 2021-05-03
+                         Rediffed by Douglas R. Reno - 2022-02-13 - updated man
+                         pages for lloadd.8 and slapd.8 to use the proper path.
+Description:             Consolidate earlier patches to:
+ 1. Update various installation options, such as ldap database path,
+    configuration file options, slapd install location, etc.
+ 2. Remove reference to bdb module
+
+
+diff -Naurp openldap-2.6.1.orig/doc/man/man5/slapd.conf.5 openldap-2.6.1/doc/man/man5/slapd.conf.5
+--- openldap-2.6.1.orig/doc/man/man5/slapd.conf.5	2022-01-19 12:32:34.000000000 -0600
++++ openldap-2.6.1/doc/man/man5/slapd.conf.5	2022-02-13 15:54:13.654979570 -0600
+@@ -2123,7 +2123,7 @@ suffix    "dc=our\-domain,dc=com"
+ # The database directory MUST exist prior to
+ # running slapd AND should only be accessible
+ # by the slapd/tools. Mode 0700 recommended.
+-directory LOCALSTATEDIR/openldap\-data
++directory LOCALSTATEDIR/lib/openldap
+ # Indices to maintain
+ index     objectClass  eq
+ index     cn,sn,mail   pres,eq,approx,sub
+diff -Naurp openldap-2.6.1.orig/doc/man/man5/slapd.conf.5.orig openldap-2.6.1/doc/man/man5/slapd.conf.5.orig
+--- openldap-2.6.1.orig/doc/man/man5/slapd.conf.5.orig	1969-12-31 18:00:00.000000000 -0600
++++ openldap-2.6.1/doc/man/man5/slapd.conf.5.orig	2022-01-19 12:32:34.000000000 -0600
+@@ -0,0 +1,2168 @@
++.TH SLAPD.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION"
++.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved.
++.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
++.\" $OpenLDAP$
++.SH NAME
++slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
++.SH SYNOPSIS
++ETCDIR/slapd.conf
++.SH DESCRIPTION
++The file
++.B ETCDIR/slapd.conf
++contains configuration information for the
++.BR slapd (8)
++daemon.  This configuration file is also used by the SLAPD tools
++.BR slapacl (8),
++.BR slapadd (8),
++.BR slapauth (8),
++.BR slapcat (8),
++.BR slapdn (8),
++.BR slapindex (8),
++.BR slapmodify (8),
++and
++.BR slaptest (8).
++.LP
++The
++.B slapd.conf
++file consists of a series of global configuration options that apply to
++.B slapd
++as a whole (including all backends), followed by zero or more database
++backend definitions that contain information specific to a backend
++instance.
++The configuration options are case-insensitive;
++their value, on a case by case basis, may be case-sensitive.
++.LP
++The general format of
++.B slapd.conf
++is as follows:
++.LP
++.nf
++    # comment - these options apply to every database
++    <global configuration options>
++    # first database definition & configuration options
++    database <backend 1 type>
++    <configuration options specific to backend 1>
++    # subsequent database definitions & configuration options
++    ...
++.fi
++.LP
++As many backend-specific sections as desired may be included.  Global
++options can be overridden in a backend (for options that appear more
++than once, the last appearance in the
++.B slapd.conf
++file is used).
++.LP
++If a line begins with white space, it is considered a continuation
++of the previous line.  No physical line should be over 2000 bytes
++long.
++.LP
++Blank lines and comment lines beginning with
++a `#' character are ignored.  Note: continuation lines are unwrapped
++before comment processing is applied.
++.LP
++Arguments on configuration lines are separated by white space. If an
++argument contains white space, the argument should be enclosed in
++double quotes.  If an argument contains a double quote (`"') or a
++backslash character (`\\'), the character should be preceded by a
++backslash character.
++.LP
++The specific configuration options available are discussed below in the
++Global Configuration Options, General Backend Options, and General Database
++Options.  Backend-specific options are discussed in the
++.B slapd\-<backend>(5)
++manual pages.  Refer to the "OpenLDAP Administrator's Guide" for more
++details on the slapd configuration file.
++.SH GLOBAL CONFIGURATION OPTIONS
++Options described in this section apply to all backends, unless specifically 
++overridden in a backend definition. Arguments that should be replaced by 
++actual text are shown in brackets <>.
++.TP
++.B access to <what> "[ by <who> <access> <control> ]+"
++Grant access (specified by <access>) to a set of entries and/or
++attributes (specified by <what>) by one or more requestors (specified
++by <who>).
++If no access controls are present, the default policy
++allows anyone and everyone to read anything but restricts
++updates to rootdn.  (e.g., "access to * by * read").
++The rootdn can always read and write EVERYTHING!
++See
++.BR slapd.access (5)
++and the "OpenLDAP's Administrator's Guide" for details.
++.TP
++.B allow <features>
++Specify a set of features (separated by white space) to
++allow (default none).
++.B bind_v2
++allows acceptance of LDAPv2 bind requests.  Note that
++.BR slapd (8)
++does not truly implement LDAPv2 (RFC 1777), now Historic (RFC 3494).
++.B bind_anon_cred
++allows anonymous bind when credentials are not empty (e.g.
++when DN is empty).
++.B bind_anon_dn
++allows unauthenticated (anonymous) bind when DN is not empty.
++.B update_anon
++allows unauthenticated (anonymous) update operations to be processed
++(subject to access controls and other administrative limits).
++.B proxy_authz_anon
++allows unauthenticated (anonymous) proxy authorization control to be processed
++(subject to access controls, authorization and other administrative limits).
++.TP
++.B argsfile <filename>
++The (absolute) name of a file that will hold the 
++.B slapd
++server's command line (program name and options).
++.TP
++.B attributeoptions [option-name]...
++Define tagging attribute options or option tag/range prefixes.
++Options must not end with `\-', prefixes must end with `\-'.
++The `lang\-' prefix is predefined.
++If you use the
++.B attributeoptions
++directive, `lang\-' will no longer be defined and you must specify it
++explicitly if you want it defined.
++
++An attribute description with a tagging option is a subtype of that
++attribute description without the option.
++Except for that, options defined this way have no special semantics.
++Prefixes defined this way work like the `lang\-' options:
++They define a prefix for tagging options starting with the prefix.
++That is, if you define the prefix `x\-foo\-', you can use the option
++`x\-foo\-bar'.
++Furthermore, in a search or compare, a prefix or range name (with
++a trailing `\-') matches all options starting with that name, as well
++as the option with the range name sans the trailing `\-'.
++That is, `x\-foo\-bar\-' matches `x\-foo\-bar' and `x\-foo\-bar\-baz'.
++
++RFC 4520 reserves options beginning with `x\-' for private experiments.
++Other options should be registered with IANA, see RFC 4520 section 3.5.
++OpenLDAP also has the `binary' option built in, but this is a transfer
++option, not a tagging option.
++.HP
++.hy 0
++.B attributetype "(\ <oid>\
++ [NAME\ <name>]\
++ [DESC\ <description>]\
++ [OBSOLETE]\
++ [SUP\ <oid>]\
++ [EQUALITY\ <oid>]\
++ [ORDERING\ <oid>]\
++ [SUBSTR\ <oid>]\
++ [SYNTAX\ <oidlen>]\
++ [SINGLE\-VALUE]\
++ [COLLECTIVE]\
++ [NO\-USER\-MODIFICATION]\
++ [USAGE\ <attributeUsage>]\ )"
++.RS
++Specify an attribute type using the LDAPv3 syntax defined in RFC 4512.
++The slapd parser extends the RFC 4512 definition by allowing string
++forms as well as numeric OIDs to be used for the attribute OID and
++attribute syntax OID.
++(See the
++.B objectidentifier
++description.) 
++.RE
++.TP
++.B authid\-rewrite<cmd> <args>
++Used by the authentication framework to convert simple user names
++to an LDAP DN used for authorization purposes.
++Its purpose is analogous to that of
++.BR authz-regexp
++(see below).
++The prefix \fIauthid\-\fP is followed by a set of rules analogous
++to those described in
++.BR slapo\-rwm (5)
++for data rewriting (replace the \fIrwm\-\fP prefix with \fIauthid\-\fP).
++.B authid\-rewrite<cmd>
++and
++.B authz\-regexp
++rules should not be intermixed.
++.TP
++.B authz\-policy <policy>
++Used to specify which rules to use for Proxy Authorization.  Proxy
++authorization allows a client to authenticate to the server using one
++user's credentials, but specify a different identity to use for authorization
++and access control purposes. It essentially allows user A to login as user
++B, using user A's password.
++The
++.B none
++flag disables proxy authorization. This is the default setting.
++The
++.B from
++flag will use rules in the
++.I authzFrom
++attribute of the authorization DN.
++The
++.B to
++flag will use rules in the
++.I authzTo
++attribute of the authentication DN.
++The
++.B any
++flag, an alias for the deprecated value of
++.BR both ,
++will allow any of the above, whatever succeeds first (checked in
++.BR to ,
++.B from
++sequence.
++The
++.B all
++flag requires both authorizations to succeed.
++.LP
++.RS
++The rules are mechanisms to specify which identities are allowed 
++to perform proxy authorization.
++The
++.I authzFrom
++attribute in an entry specifies which other users
++are allowed to proxy login to this entry. The
++.I authzTo
++attribute in
++an entry specifies which other users this user can authorize as.  Use of
++.I authzTo
++rules can be easily
++abused if users are allowed to write arbitrary values to this attribute.
++In general the
++.I authzTo
++attribute must be protected with ACLs such that
++only privileged users can modify it.
++The value of
++.I authzFrom
++and
++.I authzTo
++describes an 
++.B identity 
++or a set of identities; it can take five forms:
++.RS
++.TP
++.B ldap:///<base>??[<scope>]?<filter>
++.RE
++.RS
++.B dn[.<dnstyle>]:<pattern>
++.RE
++.RS
++.B u[.<mech>[/<realm>]]:<pattern>
++.RE
++.RS
++.B group[/objectClass[/attributeType]]:<pattern>
++.RE
++.RS
++.B <pattern>
++.RE
++.RS
++
++.B <dnstyle>:={exact|onelevel|children|subtree|regex}
++
++.RE
++The first form is a valid LDAP
++.B URI
++where the 
++.IR <host>:<port> ,
++the
++.I <attrs>
++and the
++.I <extensions>
++portions must be absent, so that the search occurs locally on either
++.I authzFrom
++or 
++.IR authzTo .
++
++.LP
++The second form is a 
++.BR DN .
++The optional
++.B dnstyle
++modifiers
++.IR exact ,
++.IR onelevel ,
++.IR children ,
++and
++.I subtree
++provide exact, onelevel, children and subtree matches, which cause 
++.I <pattern>
++to be normalized according to the DN normalization rules.
++The special
++.B dnstyle
++modifier
++.I regex
++causes the
++.I <pattern>
++to be treated as a POSIX (''extended'') regular expression, as
++discussed in
++.BR regex (7)
++and/or
++.BR re_format (7).
++A pattern of
++.I *
++means any non-anonymous DN.
++
++.LP
++The third form is a SASL
++.BR id .
++The optional fields
++.I <mech>
++and
++.I <realm>
++allow specification of a SASL
++.BR mechanism ,
++and eventually a SASL
++.BR realm ,
++for those mechanisms that support one.
++The need to allow the specification of a mechanism is still debated, 
++and users are strongly discouraged to rely on this possibility.
++
++.LP
++The fourth form is a group specification.
++It consists of the keyword
++.BR group ,
++optionally followed by the specification of the group
++.B objectClass
++and
++.BR attributeType .
++The
++.B objectClass
++defaults to
++.IR groupOfNames .
++The
++.B attributeType
++defaults to
++.IR member .
++The group with DN
++.B <pattern>
++is searched with base scope, filtered on the specified
++.BR objectClass .
++The values of the resulting
++.B attributeType
++are searched for the asserted DN.
++
++.LP
++The fifth form is provided for backwards compatibility.  If no identity
++type is provided, i.e. only
++.B <pattern>
++is present, an
++.I exact DN
++is assumed; as a consequence, 
++.B <pattern>
++is subjected to DN normalization.
++
++.LP
++Since the interpretation of
++.I authzFrom
++and
++.I authzTo
++can impact security, users are strongly encouraged 
++to explicitly set the type of identity specification that is being used.
++A subset of these rules can be used as third arg in the 
++.B authz\-regexp
++statement (see below); significantly, the 
++.IR URI ,
++provided it results in exactly one entry,
++and the
++.I dn.exact:<dn> 
++forms.
++.RE
++.TP
++.B authz\-regexp <match> <replace>
++Used by the authentication framework to convert simple user names,
++such as provided by SASL subsystem, or extracted from certificates
++in case of cert-based SASL EXTERNAL, or provided within the RFC 4370
++"proxied authorization" control, to an LDAP DN used for
++authorization purposes.  Note that the resulting DN need not refer
++to an existing entry to be considered valid.  When an authorization
++request is received from the SASL subsystem, the SASL 
++.BR USERNAME ,
++.BR REALM , 
++and
++.B MECHANISM
++are taken, when available, and combined into a name of the form
++.RS
++.RS
++.TP
++.B UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth
++
++.RE
++This name is then compared against the
++.B match
++POSIX (''extended'') regular expression, and if the match is successful,
++the name is replaced with the
++.B replace
++string.  If there are wildcard strings in the 
++.B match
++regular expression that are enclosed in parenthesis, e.g. 
++.RS
++.TP
++.B UID=([^,]*),CN=.*
++
++.RE
++then the portion of the name that matched the wildcard will be stored
++in the numbered placeholder variable $1. If there are other wildcard strings
++in parenthesis, the matching strings will be in $2, $3, etc. up to $9. The 
++placeholders can then be used in the 
++.B replace
++string, e.g. 
++.RS
++.TP
++.B UID=$1,OU=Accounts,DC=example,DC=com 
++
++.RE
++The replaced name can be either a DN, i.e. a string prefixed by "dn:",
++or an LDAP URI.
++If the latter, the server will use the URI to search its own database(s)
++and, if the search returns exactly one entry, the name is
++replaced by the DN of that entry.   The LDAP URI must have no
++hostport, attrs, or extensions components, but the filter is mandatory,
++e.g.
++.RS
++.TP
++.B ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)
++
++.RE
++The protocol portion of the URI must be strictly
++.BR ldap .
++Note that this search is subject to access controls.  Specifically,
++the authentication identity must have "auth" access in the subject.
++
++Multiple 
++.B authz\-regexp 
++options can be given in the configuration file to allow for multiple matching 
++and replacement patterns. The matching patterns are checked in the order they 
++appear in the file, stopping at the first successful match.
++
++.\".B Caution:
++.\"Because the plus sign + is a character recognized by the regular expression engine,
++.\"and it will appear in names that include a REALM, be careful to escape the
++.\"plus sign with a backslash \\+ to remove the character's special meaning.
++.RE
++.TP
++.B concurrency <integer>
++Specify a desired level of concurrency.  Provided to the underlying
++thread system as a hint.  The default is not to provide any hint. This setting
++is only meaningful on some platforms where there is not a one to one
++correspondence between user threads and kernel threads.
++.TP
++.B conn_max_pending <integer>
++Specify the maximum number of pending requests for an anonymous session.
++If requests are submitted faster than the server can process them, they
++will be queued up to this limit. If the limit is exceeded, the session
++is closed. The default is 100.
++.TP
++.B conn_max_pending_auth <integer>
++Specify the maximum number of pending requests for an authenticated session.
++The default is 1000.
++.TP
++.B defaultsearchbase <dn>
++Specify a default search base to use when client submits a
++non-base search request with an empty base DN.
++Base scoped search requests with an empty base DN are not affected.
++.TP
++.B disallow <features>
++Specify a set of features (separated by white space) to
++disallow (default none).
++.B bind_anon
++disables acceptance of anonymous bind requests.  Note that this setting
++does not prohibit anonymous directory access (See "require authc").
++.B bind_simple
++disables simple (bind) authentication.
++.B tls_2_anon
++disables forcing session to anonymous status (see also
++.BR tls_authc )
++upon StartTLS operation receipt.
++.B tls_authc
++disallows the StartTLS operation if authenticated (see also
++.BR tls_2_anon ).
++.B proxy_authz_non_critical
++disables acceptance of the proxied authorization control (RFC4370)
++with criticality set to FALSE.
++.B dontusecopy_non_critical
++disables acceptance of the dontUseCopy control (a work in progress)
++with criticality set to FALSE.
++.HP
++.hy 0
++.B ditcontentrule "(\ <oid>\
++ [NAME\ <name>]\
++ [DESC\ <description>]\
++ [OBSOLETE]\
++ [AUX\ <oids>]\
++ [MUST\ <oids>]\
++ [MAY\ <oids>]\
++ [NOT\ <oids>]\ )"
++.RS
++Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 4512.
++The slapd parser extends the RFC 4512 definition by allowing string
++forms as well as numeric OIDs to be used for the attribute OID and
++attribute syntax OID.
++(See the
++.B objectidentifier
++description.) 
++.RE
++.TP
++.B gentlehup { on | off }
++A SIGHUP signal will only cause a 'gentle' shutdown-attempt:
++.B Slapd
++will stop listening for new connections, but will not close the
++connections to the current clients.  Future write operations return
++unwilling-to-perform, though.  Slapd terminates when all clients
++have closed their connections (if they ever do), or \- as before \-
++if it receives a SIGTERM signal.  This can be useful if you wish to
++terminate the server and start a new
++.B slapd
++server
++.B with another database,
++without disrupting the currently active clients.
++The default is off.  You may wish to use
++.B idletimeout
++along with this option.
++.TP
++.B idletimeout <integer>
++Specify the number of seconds to wait before forcibly closing
++an idle client connection.  A setting of 0 disables this
++feature.  The default is 0. You may also want to set the
++.B writetimeout
++option.
++.TP
++.B include <filename>
++Read additional configuration information from the given file before
++continuing with the next line of the current file.
++.TP
++.B index_hash64 { on | off }
++Use a 64 bit hash for indexing. The default is to use 32 bit hashes.
++These hashes are used for equality and substring indexing. The 64 bit
++version may be needed to avoid index collisions when the number of
++indexed values exceeds ~64 million. (Note that substring indexing
++generates multiple index values per actual attribute value.)
++Indices generated with 32 bit hashes are incompatible with the 64 bit
++version, and vice versa. Any existing databases must be fully reloaded
++when changing this setting. This directive is only supported on 64 bit CPUs.
++.TP
++.B index_intlen <integer>
++Specify the key length for ordered integer indices. The most significant
++bytes of the binary integer will be used for index keys. The default
++value is 4, which provides exact indexing for 31 bit values.
++A floating point representation is used to index too large values.
++.TP
++.B index_substr_if_maxlen <integer>
++Specify the maximum length for subinitial and subfinal indices. Only
++this many characters of an attribute value will be processed by the
++indexing functions; any excess characters are ignored. The default is 4.
++.TP
++.B index_substr_if_minlen <integer>
++Specify the minimum length for subinitial and subfinal indices. An
++attribute value must have at least this many characters in order to be
++processed by the indexing functions. The default is 2.
++.TP
++.B index_substr_any_len <integer>
++Specify the length used for subany indices. An attribute value must have
++at least this many characters in order to be processed. Attribute values
++longer than this length will be processed in segments of this length. The
++default is 4. The subany index will also be used in subinitial and
++subfinal index lookups when the filter string is longer than the
++.I index_substr_if_maxlen
++value.
++.TP
++.B index_substr_any_step <integer>
++Specify the steps used in subany index lookups. This value sets the offset
++for the segments of a filter string that are processed for a subany index
++lookup. The default is 2. For example, with the default values, a search
++using this filter "cn=*abcdefgh*" would generate index lookups for
++"abcd", "cdef", and "efgh".
++
++.LP
++Note: Indexing support depends on the particular backend in use. Also,
++changing these settings will generally require deleting any indices that
++depend on these parameters and recreating them with
++.BR slapindex (8).
++
++.HP
++.hy 0
++.B ldapsyntax "(\ <oid>\
++ [DESC\ <description>]\
++ [X\-SUBST <substitute-syntax>]\ )"
++.RS
++Specify an LDAP syntax using the LDAPv3 syntax defined in RFC 4512.
++The slapd parser extends the RFC 4512 definition by allowing string
++forms as well as numeric OIDs to be used for the syntax OID.
++(See the
++.B objectidentifier
++description.) 
++The slapd parser also honors the
++.B X\-SUBST
++extension (an OpenLDAP-specific extension), which allows one to use the
++.B ldapsyntax
++statement to define a non-implemented syntax along with another syntax,
++the extension value
++.IR substitute-syntax ,
++as its temporary replacement.
++The
++.I substitute-syntax
++must be defined.
++This allows one to define attribute types that make use of non-implemented syntaxes
++using the correct syntax OID.
++Unless 
++.B X\-SUBST
++is used, this configuration statement would result in an error,
++since no handlers would be associated to the resulting syntax structure.
++.RE
++
++.TP
++.B listener-threads <integer>
++Specify the number of threads to use for the connection manager.
++The default is 1 and this is typically adequate for up to 16 CPU cores.
++The value should be set to a power of 2.
++.TP
++.B localSSF <SSF>
++Specifies the Security Strength Factor (SSF) to be given local LDAP sessions,
++such as those to the ldapi:// listener.  For a description of SSF values,
++see 
++.BR sasl-secprops 's
++.B minssf
++option description.  The default is 71.
++.TP
++.B logfile <filename>
++Specify a file for recording slapd debug messages. By default these messages
++only go to stderr, are not recorded anywhere else, and are unrelated to
++messages exposed by the
++.B loglevel
++configuration parameter. Specifying a logfile copies messages to both stderr
++and the logfile.
++.TP
++.B logfile-format debug | syslog-utc | syslog-localtime
++Specify the prefix format for messages written to the logfile. The debug
++format is the normal format used for slapd debug messages, with a timestamp
++in hexadecimal, followed by a thread ID.  The other options are to
++use syslog(3) style prefixes, with timestamps either in UTC or in the
++local timezone. The default is debug format.
++.TP
++.B logfile-only on | off
++Specify that debug messages should only go to the configured logfile, and
++not to stderr.
++.TP
++.B logfile-rotate <max> <Mbytes> <hours>
++Specify automatic rotation for the configured logfile as the maximum
++number of old logfiles to retain, a maximum size in megabytes to allow a
++logfile to grow before rotation, and a maximum age in hours for a logfile
++to be used before rotation. The maximum number must be in the range 1-99.
++Setting Mbytes or hours to zero disables the size or age check, respectively.
++At least one of Mbytes or hours must be non-zero. By default no automatic
++rotation will be performed.
++.TP
++.B loglevel <integer> [...]
++Specify the level at which debugging statements and operation 
++statistics should be syslogged (currently logged to the
++.BR syslogd (8) 
++LOG_LOCAL4 facility).
++They must be considered subsystems rather than increasingly verbose 
++log levels.
++Some messages with higher priority are logged regardless 
++of the configured loglevel as soon as any logging is configured.
++Log levels are additive, and available levels are:
++.RS
++.RS
++.PD 0
++.TP
++.B 1
++.B (0x1 trace)
++trace function calls
++.TP
++.B 2
++.B (0x2 packets)
++debug packet handling
++.TP
++.B 4
++.B (0x4 args)
++heavy trace debugging (function args)
++.TP
++.B 8
++.B (0x8 conns)
++connection management
++.TP
++.B 16
++.B (0x10 BER)
++print out packets sent and received
++.TP
++.B 32
++.B (0x20 filter)
++search filter processing
++.TP
++.B 64
++.B (0x40 config)
++configuration file processing
++.TP
++.B 128
++.B (0x80 ACL)
++access control list processing
++.TP
++.B 256
++.B (0x100 stats)
++connections, LDAP operations, results (recommended)
++.TP
++.B 512
++.B (0x200 stats2)
++stats2 log entries sent
++.TP
++.B 1024
++.B (0x400 shell)
++print communication with shell backends
++.TP
++.B 2048
++.B (0x800 parse)
++entry parsing
++\".TP
++\".B 4096
++\".B (0x1000 cache)
++\"caching (unused)
++\".TP
++\".B 8192
++\".B (0x2000 index)
++\"data indexing (unused)
++.TP
++.B 16384
++.B (0x4000 sync)
++LDAPSync replication
++.TP
++.B 32768
++.B (0x8000 none)
++only messages that get logged whatever log level is set
++.PD
++.RE
++The desired log level can be input as a single integer that combines 
++the (ORed) desired levels, both in decimal or in hexadecimal notation,
++as a list of integers (that are ORed internally),
++or as a list of the names that are shown between parentheses, such that
++.LP
++.nf
++    loglevel 129
++    loglevel 0x81
++    loglevel 128 1
++    loglevel 0x80 0x1
++    loglevel acl trace
++.fi
++.LP
++are equivalent.
++The keyword 
++.B any
++can be used as a shortcut to enable logging at all levels (equivalent to \-1).
++The keyword
++.BR none ,
++or the equivalent integer representation, causes those messages
++that are logged regardless of the configured loglevel to be logged.
++In fact, if loglevel is set to 0, no logging occurs, 
++so at least the 
++.B none
++level is required to have high priority messages logged.
++
++Note that the
++.BR packets ,
++.BR BER ,
++and
++.B parse
++levels are only available as debug output on stderr, and are not
++sent to syslog.
++
++The loglevel defaults to \fBstats\fP.
++This level should usually also be included when using other loglevels, to
++help analyze the logs.
++.RE
++.TP
++.B maxfilterdepth <integer>
++Specify the maximum depth of nested filters in search requests.
++The default is 1000.
++.TP
++.B moduleload <filename> [<arguments>...]
++Specify the name of a dynamically loadable module to load and any
++additional arguments if supported by the module. The filename
++may be an absolute path name or a simple filename. Non-absolute names
++are searched for in the directories specified by the
++.B modulepath
++option. This option and the
++.B modulepath
++option are only usable if slapd was compiled with \-\-enable\-modules.
++.TP
++.B modulepath <pathspec>
++Specify a list of directories to search for loadable modules. Typically
++the path is colon-separated but this depends on the operating system.
++The default is MODULEDIR, which is where the standard OpenLDAP install
++will place its modules.
++.HP
++.hy 0
++.B objectclass "(\ <oid>\
++ [NAME\ <name>]\
++ [DESC\ <description>]\
++ [OBSOLETE]\
++ [SUP\ <oids>]\
++ [{ ABSTRACT | STRUCTURAL | AUXILIARY }]\
++ [MUST\ <oids>] [MAY\ <oids>] )"
++.RS
++Specify an objectclass using the LDAPv3 syntax defined in RFC 4512.
++The slapd parser extends the RFC 4512 definition by allowing string
++forms as well as numeric OIDs to be used for the object class OID.
++(See the
++.B
++objectidentifier
++description.)  Object classes are "STRUCTURAL" by default.
++.RE
++.TP
++.B objectidentifier <name> "{ <oid> | <name>[:<suffix>] }"
++Define a string name that equates to the given OID. The string can be used
++in place of the numeric OID in objectclass and attribute definitions. The
++name can also be used with a suffix of the form ":xx" in which case the
++value "oid.xx" will be used.
++.TP
++.B password\-hash <hash> [<hash>...]
++This option configures one or more hashes to be used in generation of user
++passwords stored in the userPassword attribute during processing of
++LDAP Password Modify Extended Operations (RFC 3062).
++The <hash> must be one of
++.BR {SSHA} ,
++.BR {SHA} ,
++.BR {SMD5} ,
++.BR {MD5} ,
++.BR {CRYPT} ,
++and
++.BR {CLEARTEXT} .
++The default is
++.BR {SSHA} .
++
++.B {SHA}
++and
++.B {SSHA}
++use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.
++
++.B {MD5}
++and
++.B {SMD5}
++use the MD5 algorithm (RFC 1321), the latter with a seed.
++
++.B {CRYPT}
++uses the
++.BR crypt (3).
++
++.B {CLEARTEXT}
++indicates that the new password should be
++added to userPassword as clear text.
++
++Note that this option does not alter the normal user applications
++handling of userPassword during LDAP Add, Modify, or other LDAP operations.
++.TP
++.B password\-crypt\-salt\-format <format>
++Specify the format of the salt passed to
++.BR crypt (3)
++when generating {CRYPT} passwords (see
++.BR password\-hash )
++during processing of LDAP Password Modify Extended Operations (RFC 3062).
++
++This string needs to be in
++.BR sprintf (3)
++format and may include one (and only one) %s conversion.
++This conversion will be substituted with a string of random
++characters from [A\-Za\-z0\-9./].  For example, "%.2s"
++provides a two character salt and "$1$%.8s" tells some
++versions of crypt(3) to use an MD5 algorithm and provides
++8 random characters of salt.  The default is "%s", which
++provides 31 characters of salt.
++.TP
++.B pidfile <filename>
++The (absolute) name of a file that will hold the 
++.B slapd
++server's process ID (see
++.BR getpid (2)).
++.TP
++.B pluginlog: <filename>
++The ( absolute ) name of a file that will contain log
++messages from
++.B SLAPI
++plugins. See
++.BR slapd.plugin (5)
++for details.
++.TP
++.B referral <url>
++Specify the referral to pass back when
++.BR slapd (8)
++cannot find a local database to handle a request.
++If specified multiple times, each url is provided.
++.TP
++.B require <conditions>
++Specify a set of conditions (separated by white space) to
++require (default none).
++The directive may be specified globally and/or per-database;
++databases inherit global conditions, so per-database specifications
++are additive.
++.B bind
++requires bind operation prior to directory operations.
++.B LDAPv3
++requires session to be using LDAP version 3.
++.B authc
++requires authentication prior to directory operations.
++.B SASL
++requires SASL authentication prior to directory operations.
++.B strong
++requires strong authentication prior to directory operations.
++The strong keyword allows protected "simple" authentication
++as well as SASL authentication.
++.B none
++may be used to require no conditions (useful to clear out globally
++set conditions within a particular database); it must occur first
++in the list of conditions.
++.TP
++.B reverse\-lookup on | off
++Enable/disable client name unverified reverse lookup (default is 
++.BR off 
++if compiled with \-\-enable\-rlookups).
++.TP
++.B rootDSE <file>
++Specify the name of an LDIF(5) file containing user defined attributes
++for the root DSE.  These attributes are returned in addition to the
++attributes normally produced by slapd.
++
++The root DSE is an entry with information about the server and its
++capabilities, in operational attributes.
++It has the empty DN, and can be read with e.g.:
++.ti +4
++ldapsearch \-x \-b "" \-s base "+"
++.br
++See RFC 4512 section 5.1 for details.
++.TP
++.B sasl\-auxprops <plugin> [...]
++Specify which auxprop plugins to use for authentication lookups. The
++default is empty, which just uses slapd's internal support. Usually
++no other auxprop plugins are needed.
++.TP
++.B sasl\-auxprops\-dontusecopy <attr> [...]
++Specify which attribute(s) should be subject to the don't use copy control. This
++is necessary for some SASL mechanisms such as OTP to work in a replicated
++environment. The attribute "cmusaslsecretOTP" is the default value.
++.TP
++.B sasl\-auxprops\-dontusecopy\-ignore on | off
++Used to disable replication of the attribute(s) defined by
++sasl-auxprops-dontusecopy and instead use a local value for the attribute. This
++allows the SASL mechanism to continue to work if the provider is offline. This can
++cause replication inconsistency. Defaults to off.
++.TP
++.B sasl\-host <fqdn>
++Used to specify the fully qualified domain name used for SASL processing.
++.TP
++.B sasl\-realm <realm>
++Specify SASL realm.  Default is empty.
++.TP
++.B sasl\-cbinding none | tls-unique | tls-endpoint
++Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING.
++Default is none.
++.TP
++.B sasl\-secprops <properties>
++Used to specify Cyrus SASL security properties.
++The
++.B none
++flag (without any other properties) causes the flag properties
++default, "noanonymous,noplain", to be cleared.
++The
++.B noplain
++flag disables mechanisms susceptible to simple passive attacks.
++The
++.B noactive
++flag disables mechanisms susceptible to active attacks.
++The
++.B nodict
++flag disables mechanisms susceptible to passive dictionary attacks.
++The
++.B noanonymous
++flag disables mechanisms which support anonymous login.
++The
++.B forwardsec
++flag require forward secrecy between sessions.
++The
++.B passcred
++require mechanisms which pass client credentials (and allow
++mechanisms which can pass credentials to do so).
++The
++.B minssf=<factor> 
++property specifies the minimum acceptable
++.I security strength factor
++as an integer approximate to effective key length used for
++encryption.  0 (zero) implies no protection, 1 implies integrity
++protection only, 128 allows RC4, Blowfish and other similar ciphers,
++256 will require modern ciphers.  The default is 0.
++The
++.B maxssf=<factor> 
++property specifies the maximum acceptable
++.I security strength factor
++as an integer (see minssf description).  The default is INT_MAX.
++The
++.B maxbufsize=<size> 
++property specifies the maximum security layer receive buffer
++size allowed.  0 disables security layers.  The default is 65536.
++.TP
++.B schemadn <dn>
++Specify the distinguished name for the subschema subentry that
++controls the entries on this server.  The default is "cn=Subschema".
++.TP
++.B security <factors>
++Specify a set of security strength factors (separated by white space)
++to require (see
++.BR sasl\-secprops 's
++.B minssf
++option for a description of security strength factors).
++The directive may be specified globally and/or per-database.
++.B ssf=<n>
++specifies the overall security strength factor.
++.B transport=<n>
++specifies the transport security strength factor.
++.B tls=<n>
++specifies the TLS security strength factor.
++.B sasl=<n>
++specifies the SASL security strength factor.
++.B update_ssf=<n>
++specifies the overall security strength factor to require for
++directory updates.
++.B update_transport=<n>
++specifies the transport security strength factor to require for
++directory updates.
++.B update_tls=<n>
++specifies the TLS security strength factor to require for
++directory updates.
++.B update_sasl=<n>
++specifies the SASL security strength factor to require for
++directory updates.
++.B simple_bind=<n>
++specifies the security strength factor required for
++.I simple
++username/password authentication.
++Note that the
++.B transport
++factor is measure of security provided by the underlying transport,
++e.g. ldapi:// (and eventually IPSEC).  It is not normally used.
++.TP
++.B serverID <integer> [<URL>]
++Specify an integer ID from 0 to 4095 for this server. The ID may also be
++specified as a hexadecimal ID by prefixing the value with "0x".
++Non-zero IDs are required when using multi-provider replication and each
++provider must have a unique non-zero ID. Note that this requirement also
++applies to separate providers contributing to a glued set of databases.
++If the URL is provided, this directive may be specified
++multiple times, providing a complete list of participating servers
++and their IDs. The fully qualified hostname of each server should be
++used in the supplied URLs. The IDs are used in the "replica id" field
++of all CSNs generated by the specified server. The default value is zero, which
++is only valid for single provider replication.
++Example:
++.LP
++.nf
++	serverID 1 ldap://ldap1.example.com
++	serverID 2 ldap://ldap2.example.com
++.fi
++.TP
++.B sizelimit {<integer>|unlimited}
++.TP
++.B sizelimit size[.{soft|hard}]=<integer> [...]
++Specify the maximum number of entries to return from a search operation.
++The default size limit is 500.
++Use
++.B unlimited
++to specify no limits.
++The second format allows a fine grain setting of the size limits.
++If no special qualifiers are specified, both soft and hard limits are set.
++Extra args can be added on the same line.
++Additional qualifiers are available; see
++.BR limits
++for an explanation of all of the different flags.
++.TP
++.B sockbuf_max_incoming <integer>
++Specify the maximum incoming LDAP PDU size for anonymous sessions.
++The default is 262143.
++.TP
++.B sockbuf_max_incoming_auth <integer>
++Specify the maximum incoming LDAP PDU size for authenticated sessions.
++The default is 4194303.
++.TP
++.B sortvals <attr> [...]
++Specify a list of multi-valued attributes whose values will always
++be maintained in sorted order. Using this option will allow Modify,
++Compare, and filter evaluations on these attributes to be performed
++more efficiently. The resulting sort order depends on the
++attributes' syntax and matching rules and may not correspond to
++lexical order or any other recognizable order.
++.TP
++.B tcp-buffer [listener=<URL>] [{read|write}=]<size>
++Specify the size of the TCP buffer.
++A global value for both read and write TCP buffers related to any listener
++is defined, unless the listener is explicitly specified,
++or either the read or write qualifiers are used.
++See
++.BR tcp (7)
++for details.
++Note that some OS-es implement automatic TCP buffer tuning.
++.TP
++.B threads <integer>
++Specify the maximum size of the primary thread pool.
++The default is 16; the minimum value is 2.
++.TP
++.B threadqueues <integer>
++Specify the number of work queues to use for the primary thread pool.
++The default is 1 and this is typically adequate for up to 8 CPU cores.
++The value should not exceed the number of CPUs in the system.
++.TP
++.B timelimit {<integer>|unlimited}
++.TP
++.B timelimit time[.{soft|hard}]=<integer> [...]
++Specify the maximum number of seconds (in real time)
++.B slapd
++will spend answering a search request.  The default time limit is 3600.
++Use
++.B unlimited
++to specify no limits.
++The second format allows a fine grain setting of the time limits.
++Extra args can be added on the same line.  See
++.BR limits
++for an explanation of the different flags.
++.TP
++.B tool\-threads <integer>
++Specify the maximum number of threads to use in tool mode.
++This should not be greater than the number of CPUs in the system.
++The default is 1.
++.TP
++.B writetimeout <integer>
++Specify the number of seconds to wait before forcibly closing
++a connection with an outstanding write. This allows recovery from
++various network hang conditions.  A writetimeout of 0 disables this
++feature.  The default is 0.
++.SH TLS OPTIONS
++If
++.B slapd
++is built with support for Transport Layer Security, there are more options
++you can specify.
++.TP
++.B TLSCipherSuite <cipher-suite-spec>
++Permits configuring what ciphers will be accepted and the preference order.
++<cipher-suite-spec> should be a cipher specification for the TLS library
++in use (OpenSSL or GnuTLS).
++Example:
++.RS
++.RS
++.TP
++.I OpenSSL:
++TLSCipherSuite HIGH:MEDIUM:+SSLv2
++.TP
++.I GnuTLS:
++TLSCiphersuite SECURE256:!AES-128-CBC
++.RE
++
++To check what ciphers a given spec selects in OpenSSL, use:
++
++.nf
++	openssl ciphers \-v <cipher-suite-spec>
++.fi
++
++With GnuTLS the available specs can be found in the manual page of 
++.BR gnutls\-cli (1)
++(see the description of the 
++option
++.BR \-\-priority ).
++
++In older versions of GnuTLS, where gnutls\-cli does not support the option
++\-\-priority, you can obtain the \(em more limited \(em list of ciphers by calling:
++
++.nf
++	gnutls\-cli \-l
++.fi
++.RE
++.TP
++.B TLSCACertificateFile <filename>
++Specifies the file that contains certificates for all of the Certificate
++Authorities that
++.B slapd
++will recognize.  The certificate for
++the CA that signed the server certificate must(GnuTLS)/may(OpenSSL) be included among
++these certificates. If the signing CA was not a top-level (root) CA,
++certificates for the entire sequence of CA's from the signing CA to
++the top-level CA should be present. Multiple certificates are simply
++appended to the file; the order is not significant.
++.TP
++.B TLSCACertificatePath <path>
++Specifies the path of directories that contain Certificate Authority
++certificates in separate individual files. Usually only one of this
++or the TLSCACertificateFile is used. If both are specified, both
++locations will be used. Multiple directories may be specified,
++separated by a semi-colon.
++.TP
++.B TLSCertificateFile <filename>
++Specifies the file that contains the
++.B slapd
++server certificate.
++
++When using OpenSSL that file may also contain any number of intermediate
++certificates after the server certificate.
++.TP
++.B TLSCertificateKeyFile <filename>
++Specifies the file that contains the
++.B slapd
++server private key that matches the certificate stored in the
++.B TLSCertificateFile
++file.  Currently, the private key must not be protected with a password, so
++it is of critical importance that it is protected carefully. 
++.TP
++.B TLSDHParamFile <filename>
++This directive specifies the file that contains parameters for Diffie-Hellman
++ephemeral key exchange.  This is required in order to use a DSA certificate on
++the server, or an RSA certificate missing the "key encipherment" key usage.
++Note that setting this option may also enable
++Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
++Anonymous key exchanges should generally be avoided since they provide no
++actual client or server authentication and provide no protection against
++man-in-the-middle attacks.
++You should append "!ADH" to your cipher suites to ensure that these suites
++are not used.
++.TP
++.B TLSECName <name>
++Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman
++ephemeral key exchange.  This option is only used for OpenSSL.
++This option is not used with GnuTLS; the curves may be
++chosen in the GnuTLS ciphersuite specification.
++.TP
++.B TLSProtocolMin <major>[.<minor>]
++Specifies minimum SSL/TLS protocol version that will be negotiated.
++If the server doesn't support at least that version,
++the SSL handshake will fail.
++To require TLS 1.x or higher, set this option to 3.(x+1),
++e.g.,
++
++.nf
++	TLSProtocolMin 3.2
++.fi
++
++would require TLS 1.1.
++Specifying a minimum that is higher than that supported by the
++OpenLDAP implementation will result in it requiring the
++highest level that it does support.
++This directive is ignored with GnuTLS.
++.TP
++.B TLSRandFile <filename>
++Specifies the file to obtain random bits from when /dev/[u]random
++is not available.  Generally set to the name of the EGD/PRNGD socket.
++The environment variable RANDFILE can also be used to specify the filename.
++This directive is ignored with GnuTLS.
++.TP
++.B TLSVerifyClient <level>
++Specifies what checks to perform on client certificates in an
++incoming TLS session, if any.
++The
++.B <level>
++can be specified as one of the following keywords:
++.RS
++.TP
++.B never
++This is the default.
++.B slapd
++will not ask the client for a certificate.
++.TP
++.B allow
++The client certificate is requested.  If no certificate is provided,
++the session proceeds normally.  If a bad certificate is provided,
++it will be ignored and the session proceeds normally.
++.TP
++.B try
++The client certificate is requested.  If no certificate is provided,
++the session proceeds normally.  If a bad certificate is provided,
++the session is immediately terminated.
++.TP
++.B demand | hard | true
++These keywords are all equivalent, for compatibility reasons.
++The client certificate is requested.  If no certificate is provided,
++or a bad certificate is provided, the session is immediately terminated.
++
++Note that a valid client certificate is required in order to use the
++SASL EXTERNAL authentication mechanism with a TLS session.  As such,
++a non-default
++.B TLSVerifyClient
++setting must be chosen to enable SASL EXTERNAL authentication.
++.RE
++.TP
++.B TLSCRLCheck <level>
++Specifies if the Certificate Revocation List (CRL) of the CA should be 
++used to verify if the client certificates have not been revoked. This
++requires
++.B TLSCACertificatePath
++parameter to be set. This directive is ignored with GnuTLS.
++.B <level>
++can be specified as one of the following keywords:
++.RS
++.TP
++.B none
++No CRL checks are performed
++.TP
++.B peer
++Check the CRL of the peer certificate
++.TP
++.B all
++Check the CRL for a whole certificate chain
++.RE
++.TP
++.B TLSCRLFile <filename>
++Specifies a file containing a Certificate Revocation List to be used
++for verifying that certificates have not been revoked. This directive is
++only valid when using GnuTLS.
++.SH GENERAL BACKEND OPTIONS
++Options in this section only apply to the configuration file section
++of all instances of the specified backend.  All backends may support
++this class of options, but currently only back-mdb does.
++.TP
++.B backend <databasetype>
++Mark the beginning of a backend definition. <databasetype>
++should be one of
++.BR asyncmeta ,
++.BR config ,
++.BR dnssrv ,
++.BR ldap ,
++.BR ldif ,
++.BR mdb ,
++.BR meta ,
++.BR monitor ,
++.BR null ,
++.BR passwd ,
++.BR perl ,
++.BR relay ,
++.BR sock ,
++.BR sql ,
++or
++.BR wt .
++At present, only back-mdb implements any options of this type, so this
++setting is not needed for any other backends.
++
++.SH GENERAL DATABASE OPTIONS
++Options in this section only apply to the configuration file section
++for the database in which they are defined.  They are supported by every
++type of backend.  Note that the
++.B database
++and at least one
++.B suffix
++option are mandatory for each database.
++.TP
++.B database <databasetype>
++Mark the beginning of a new database instance definition. <databasetype>
++should be one of
++.BR asyncmeta ,
++.BR config ,
++.BR dnssrv ,
++.BR ldap ,
++.BR ldif ,
++.BR mdb ,
++.BR meta ,
++.BR monitor ,
++.BR null ,
++.BR passwd ,
++.BR perl ,
++.BR relay ,
++.BR sock ,
++.BR sql ,
++or
++.BR wt ,
++depending on which backend will serve the database.
++
++LDAP operations, even subtree searches, normally access only one
++database.
++That can be changed by gluing databases together with the
++.B subordinate
++keyword.
++Access controls and some overlays can also involve multiple databases.
++.TP
++.B add_content_acl on | off
++Controls whether Add operations will perform ACL checks on
++the content of the entry being added. This check is off
++by default. See the
++.BR slapd.access (5)
++manual page for more details on ACL requirements for
++Add operations.
++.TP
++.B extra_attrs <attrlist>
++Lists what attributes need to be added to search requests.
++Local storage backends return the entire entry to the frontend.
++The frontend takes care of only returning the requested attributes
++that are allowed by ACLs.
++However, features like access checking and so may need specific
++attributes that are not automatically returned by remote storage
++backends, like proxy backends and so on.
++.B <attrlist>
++is a list of attributes that are needed for internal purposes
++and thus always need to be collected, even when not explicitly
++requested by clients.
++.TP
++.B hidden on | off
++Controls whether the database will be used to answer
++queries. A database that is hidden will never be
++selected to answer any queries, and any suffix configured
++on the database will be ignored in checks for conflicts
++with other databases. By default, hidden is off.
++.TP
++.B lastmod on | off
++Controls whether
++.B slapd
++will automatically maintain the 
++modifiersName, modifyTimestamp, creatorsName, and 
++createTimestamp attributes for entries. It also controls
++the entryCSN and entryUUID attributes, which are needed
++by the syncrepl provider. By default, lastmod is on.
++.TP
++.B lastbind on | off
++Controls whether
++.B slapd
++will automatically maintain the pwdLastSuccess attribute for
++entries. By default, lastbind is off.
++.TP
++.B lastbind-precision <integer>
++If lastbind is enabled, specifies how frequently pwdLastSuccess
++will be updated. More than
++.B integer
++seconds must have passed since the last successful bind. In a
++replicated environment with frequent bind activity it may be
++useful to set this to a large value.
++.TP
++.B limits <selector> <limit> [<limit> [...]]
++Specify time and size limits based on the operation's initiator or
++base DN.
++The argument
++.B <selector>
++can be any of
++.RS
++.RS
++.TP
++anonymous | users | [<dnspec>=]<pattern> | group[/oc[/at]]=<pattern>
++
++.RE
++with
++.RS
++.TP
++<dnspec> ::= dn[.<type>][.<style>]
++.TP
++<type>  ::= self | this
++.TP
++<style> ::= exact | base | onelevel | subtree | children | regex | anonymous
++
++.RE
++DN type
++.B self
++is the default and means the bound user, while
++.B this
++means the base DN of the operation.
++The term
++.B anonymous
++matches all unauthenticated clients.
++The term
++.B users
++matches all authenticated clients;
++otherwise an
++.B exact
++dn pattern is assumed unless otherwise specified by qualifying 
++the (optional) key string
++.B dn
++with 
++.B exact
++or
++.B base
++(which are synonyms), to require an exact match; with
++.BR onelevel , 
++to require exactly one level of depth match; with
++.BR subtree ,
++to allow any level of depth match, including the exact match; with
++.BR children ,
++to allow any level of depth match, not including the exact match;
++.BR regex
++explicitly requires the (default) match based on POSIX (''extended'')
++regular expression pattern.
++Finally,
++.B anonymous
++matches unbound operations; the 
++.B pattern
++field is ignored.
++The same behavior is obtained by using the 
++.B anonymous
++form of the
++.B <selector>
++clause.
++The term
++.BR group ,
++with the optional objectClass
++.B oc
++and attributeType
++.B at
++fields, followed by
++.BR pattern ,
++sets the limits for any DN listed in the values of the
++.B at
++attribute (default
++.BR member )
++of the 
++.B oc
++group objectClass (default
++.BR groupOfNames )
++whose DN exactly matches
++.BR pattern .
++
++The currently supported limits are 
++.B size
++and 
++.BR time .
++
++The syntax for time limits is 
++.BR time[.{soft|hard}]=<integer> ,
++where 
++.I integer
++is the number of seconds slapd will spend answering a search request.
++If no time limit is explicitly requested by the client, the 
++.BR soft
++limit is used; if the requested time limit exceeds the
++.BR hard
++.\"limit, an
++.\".I "Administrative limit exceeded"
++.\"error is returned.
++limit, the value of the limit is used instead.
++If the
++.BR hard
++limit is set to the keyword 
++.IR soft ,
++the soft limit is used in either case; if it is set to the keyword 
++.IR unlimited , 
++no hard limit is enforced.
++Explicit requests for time limits smaller or equal to the
++.BR hard 
++limit are honored.
++If no limit specifier is set, the value is assigned to the 
++.BR soft 
++limit, and the
++.BR hard
++limit is set to
++.IR soft ,
++to preserve the original behavior.
++
++The syntax for size limits is
++.BR size[.{soft|hard|unchecked}]=<integer> ,
++where
++.I integer
++is the maximum number of entries slapd will return answering a search 
++request.
++If no size limit is explicitly requested by the client, the
++.BR soft
++limit is used; if the requested size limit exceeds the
++.BR hard
++.\"limit, an 
++.\".I "Administrative limit exceeded"
++.\"error is returned.
++limit, the value of the limit is used instead.
++If the 
++.BR hard
++limit is set to the keyword 
++.IR soft , 
++the soft limit is used in either case; if it is set to the keyword
++.IR unlimited , 
++no hard limit is enforced.
++Explicit requests for size limits smaller or equal to the
++.BR hard
++limit are honored.
++The
++.BR unchecked
++specifier sets a limit on the number of candidates a search request is allowed
++to examine.
++The rationale behind it is that searches for non-properly indexed
++attributes may result in large sets of candidates, which must be 
++examined by
++.BR slapd (8)
++to determine whether they match the search filter or not.
++The
++.B unchecked
++limit provides a means to drop such operations before they are even 
++started.
++If the selected candidates exceed the 
++.BR unchecked
++limit, the search will abort with 
++.IR "Unwilling to perform" .
++If it is set to the keyword 
++.IR unlimited , 
++no limit is applied (the default).
++If it is set to
++.IR disabled ,
++the search is not even performed; this can be used to disallow searches
++for a specific set of users.
++If no limit specifier is set, the value is assigned to the
++.BR soft 
++limit, and the
++.BR hard
++limit is set to
++.IR soft ,
++to preserve the original behavior.
++
++In case of no match, the global limits are used.
++The default values are the same as for
++.B sizelimit
++and
++.BR timelimit ;
++no limit is set on 
++.BR unchecked .
++
++If 
++.B pagedResults
++control is requested, the 
++.B hard
++size limit is used by default, because the request of a specific page size
++is considered an explicit request for a limitation on the number
++of entries to be returned.
++However, the size limit applies to the total count of entries returned within
++the search, and not to a single page.
++Additional size limits may be enforced; the syntax is
++.BR size.pr={<integer>|noEstimate|unlimited} ,
++where
++.I integer
++is the max page size if no explicit limit is set; the keyword
++.I noEstimate
++inhibits the server from returning an estimate of the total number
++of entries that might be returned
++(note: the current implementation does not return any estimate).
++The keyword
++.I unlimited
++indicates that no limit is applied to the pagedResults control page size.
++The syntax
++.B size.prtotal={<integer>|hard|unlimited|disabled}
++allows one to set a limit on the total number of entries that the pagedResults
++control will return.
++By default it is set to the 
++.B hard
++limit which will use the size.hard value.
++When set, 
++.I integer
++is the max number of entries that the whole search with pagedResults control
++can return.
++Use 
++.I unlimited
++to allow unlimited number of entries to be returned, e.g. to allow
++the use of the pagedResults control as a means to circumvent size 
++limitations on regular searches; the keyword
++.I disabled
++disables the control, i.e. no paged results can be returned.
++Note that the total number of entries returned when the pagedResults control
++is requested cannot exceed the 
++.B hard 
++size limit of regular searches unless extended by the
++.B prtotal
++switch.
++
++The \fBlimits\fP statement is typically used to let an unlimited
++number of entries be returned by searches performed
++with the identity used by the consumer for synchronization purposes
++by means of the RFC 4533 LDAP Content Synchronization protocol
++(see \fBsyncrepl\fP for details).
++
++When using subordinate databases, it is necessary for any limits that
++are to be applied across the parent and its subordinates to be defined in
++both the parent and its subordinates. Otherwise the settings on the
++subordinate databases are not honored.
++.RE
++.TP
++.B maxderefdepth <depth>
++Specifies the maximum number of aliases to dereference when trying to
++resolve an entry, used to avoid infinite alias loops. The default is 15.
++.TP
++.B multiprovider on | off
++This option puts a consumer database into Multi-Provider mode.  Update
++operations will be accepted from any user, not just the updatedn.  The
++database must already be configured as a syncrepl consumer
++before this keyword may be set. This mode also requires a
++.B serverID
++(see above) to be configured.
++By default, multiprovider is off.
++.TP
++.B monitoring on | off
++This option enables database-specific monitoring in the entry related
++to the current database in the "cn=Databases,cn=Monitor" subtree 
++of the monitor database, if the monitor database is enabled.
++Currently, only the MDB database provides database-specific monitoring.
++If monitoring is supported by the backend it defaults to on, otherwise
++off.
++.TP
++.B overlay <overlay-name>
++Add the specified overlay to this database. An overlay is a piece of
++code that intercepts database operations in order to extend or change
++them. Overlays are pushed onto
++a stack over the database, and so they will execute in the reverse
++of the order in which they were configured and the database itself
++will receive control last of all. See the
++.BR slapd.overlays (5)
++manual page for an overview of the available overlays.
++Note that all of the database's
++regular settings should be configured before any overlay settings.
++.TP
++.B readonly on | off
++This option puts the database into "read-only" mode.  Any attempts to 
++modify the database will return an "unwilling to perform" error.  By
++default, readonly is off.
++.TP
++.B restrict <oplist>
++Specify a whitespace separated list of operations that are restricted.
++If defined inside a database specification, restrictions apply only
++to that database, otherwise they are global.
++Operations can be any of 
++.BR add ,
++.BR bind ,
++.BR compare ,
++.BR delete ,
++.BR extended[=<OID>] ,
++.BR modify ,
++.BR rename ,
++.BR search ,
++or the special pseudo-operations
++.B read
++and
++.BR write ,
++which respectively summarize read and write operations.
++The use of 
++.I restrict write
++is equivalent to 
++.I readonly on
++(see above).
++The 
++.B extended
++keyword allows one to indicate the OID of the specific operation
++to be restricted.
++.TP
++.B rootdn <dn>
++Specify the distinguished name that is not subject to access control 
++or administrative limit restrictions for operations on this database.
++This DN may or may not be associated with an entry.  An empty root
++DN (the default) specifies no root access is to be granted.  It is
++recommended that the rootdn only be specified when needed (such as
++when initially populating a database).  If the rootdn is within
++a namingContext (suffix) of the database, a simple bind password
++may also be provided using the
++.B rootpw
++directive. Many optional features, including syncrepl, require the
++rootdn to be defined for the database.
++.TP
++.B rootpw <password>
++Specify a password (or hash of the password) for the rootdn.  The
++password can only be set if the rootdn is within the namingContext
++(suffix) of the database.
++This option accepts all RFC 2307 userPassword formats known to
++the server (see 
++.B password\-hash
++description) as well as cleartext.
++.BR slappasswd (8) 
++may be used to generate a hash of a password.  Cleartext
++and \fB{CRYPT}\fP passwords are not recommended.  If empty
++(the default), authentication of the root DN is by other means
++(e.g. SASL).  Use of SASL is encouraged.
++.TP
++.B suffix <dn suffix>
++Specify the DN suffix of queries that will be passed to this 
++backend database.  Multiple suffix lines can be given and at least one is 
++required for each database definition.
++
++If the suffix of one database is "inside" that of another, the database
++with the inner suffix must come first in the configuration file.
++You may also want to glue such databases together with the
++.B subordinate
++keyword.
++.TP
++.B subordinate [advertise]
++Specify that the current backend database is a subordinate of another
++backend database. A subordinate  database may have only one suffix. This
++option may be used to glue multiple databases into a single namingContext.
++If the suffix of the current database is within the namingContext of a
++superior database, searches against the superior database will be
++propagated to the subordinate as well. All of the databases
++associated with a single namingContext should have identical rootdns.
++Behavior of other LDAP operations is unaffected by this setting. In
++particular, it is not possible to use moddn to move an entry from
++one subordinate to another subordinate within the namingContext.
++
++If the optional \fBadvertise\fP flag is supplied, the naming context of
++this database is advertised in the root DSE. The default is to hide this
++database context, so that only the superior context is visible.
++
++If the slap tools
++.BR slapcat (8),
++.BR slapadd (8),
++.BR slapmodify (8),
++or
++.BR slapindex (8)
++are used on the superior database, any glued subordinates that support
++these tools are opened as well.
++
++Databases that are glued together should usually be configured with the
++same indices (assuming they support indexing), even for attributes that
++only exist in some of these databases. In general, all of the glued
++databases should be configured as similarly as possible, since the intent
++is to provide the appearance of a single directory.
++
++Note that the \fIsubordinate\fP functionality is implemented internally
++by the \fIglue\fP overlay and as such its behavior will interact with other
++overlays in use. By default, the glue overlay is automatically configured as
++the last overlay on the superior backend. Its position on the backend
++can be explicitly configured by setting an \fBoverlay glue\fP directive
++at the desired position. This explicit configuration is necessary e.g.
++when using the \fIsyncprov\fP overlay, which needs to follow \fIglue\fP
++in order to work over all of the glued databases. E.g.
++.RS
++.nf
++	database mdb
++	suffix dc=example,dc=com
++	...
++	overlay glue
++	overlay syncprov
++.fi
++.RE
++.TP
++.B sync_use_subentry 
++Store the syncrepl contextCSN in a subentry instead of the context entry
++of the database. The subentry's RDN will be "cn=ldapsync". By default
++the contextCSN is stored in the context entry.
++.HP
++.hy 0
++.B syncrepl rid=<replica ID>
++.B provider=ldap[s]://<hostname>[:port]
++.B searchbase=<base DN>
++.B [type=refreshOnly|refreshAndPersist]
++.B [interval=dd:hh:mm:ss]
++.B [retry=[<retry interval> <# of retries>]+]
++.B [filter=<filter str>]
++.B [scope=sub|one|base|subord]
++.B [attrs=<attr list>]
++.B [exattrs=<attr list>]
++.B [attrsonly]
++.B [sizelimit=<limit>]
++.B [timelimit=<limit>]
++.B [schemachecking=on|off]
++.B [network\-timeout=<seconds>]
++.B [timeout=<seconds>]
++.B [tcp\-user\-timeout=<milliseconds>]
++.B [bindmethod=simple|sasl]
++.B [binddn=<dn>]
++.B [saslmech=<mech>]
++.B [authcid=<identity>]
++.B [authzid=<identity>]
++.B [credentials=<passwd>]
++.B [realm=<realm>]
++.B [secprops=<properties>]
++.B [keepalive=<idle>:<probes>:<interval>]
++.B [starttls=yes|critical]
++.B [tls_cert=<file>]
++.B [tls_key=<file>]
++.B [tls_cacert=<file>]
++.B [tls_cacertdir=<path>]
++.B [tls_reqcert=never|allow|try|demand]
++.B [tls_reqsan=never|allow|try|demand]
++.B [tls_cipher_suite=<ciphers>]
++.B [tls_ecname=<names>]
++.B [tls_crlcheck=none|peer|all]
++.B [tls_protocol_min=<major>[.<minor>]]
++.B [suffixmassage=<real DN>]
++.B [logbase=<base DN>]
++.B [logfilter=<filter str>]
++.B [syncdata=default|accesslog|changelog]
++.B [lazycommit]
++.RS
++Specify the current database as a consumer which is kept up-to-date with the 
++provider content by establishing the current
++.BR slapd (8)
++as a replication consumer site running a
++.B syncrepl
++replication engine.
++The consumer content is kept synchronized to the provider content using
++the LDAP Content Synchronization protocol. Refer to the
++"OpenLDAP Administrator's Guide" for detailed information on
++setting up a replicated
++.B slapd
++directory service using the 
++.B syncrepl
++replication engine.
++
++.B rid
++identifies the current
++.B syncrepl
++directive within the replication consumer site.
++It is a non-negative integer not greater than 999 (limited
++to three decimal digits).
++
++.B provider
++specifies the replication provider site containing the provider content
++as an LDAP URI. If <port> is not given, the standard LDAP port number
++(389 or 636) is used.
++
++The content of the
++.B syncrepl
++consumer is defined using a search
++specification as its result set. The consumer
++.B slapd
++will send search requests to the provider
++.B slapd
++according to the search specification. The search specification includes
++.BR searchbase ", " scope ", " filter ", " attrs ", " attrsonly ", " sizelimit ", "
++and
++.B timelimit
++parameters as in the normal search specification. The
++.B exattrs
++option may also be used to specify attributes that should be omitted
++from incoming entries.
++The \fBscope\fP defaults to \fBsub\fP, the \fBfilter\fP defaults to
++\fB(objectclass=*)\fP, and there is no default \fBsearchbase\fP. The
++\fBattrs\fP list defaults to \fB"*,+"\fP to return all user and operational
++attributes, and \fBattrsonly\fP and \fBexattrs\fP are unset by default.
++The \fBsizelimit\fP and \fBtimelimit\fP only
++accept "unlimited" and positive integers, and both default to "unlimited".
++The \fBsizelimit\fP and \fBtimelimit\fP parameters define
++a consumer requested limitation on the number of entries that can be returned
++by the LDAP Content Synchronization operation; as such, it is intended
++to implement partial replication based on the size of the replicated database
++and on the time required by the synchronization.
++Note, however, that any provider-side limits for the replication identity
++will be enforced by the provider regardless of the limits requested
++by the LDAP Content Synchronization operation, much like for any other
++search operation.
++
++The LDAP Content Synchronization protocol has two operation types.
++In the
++.B refreshOnly
++operation, the next synchronization search operation
++is periodically rescheduled at an interval time (specified by 
++.B interval
++parameter; 1 day by default)
++after each synchronization operation finishes.
++In the
++.B refreshAndPersist
++operation, a synchronization search remains persistent in the provider slapd.
++Further updates to the provider will generate
++.B searchResultEntry
++to the consumer slapd as the search responses to the persistent
++synchronization search. If the initial search fails due to an error, the
++next synchronization search operation is periodically rescheduled at an
++interval time (specified by
++.B interval
++parameter; 1 day by default)
++
++If an error occurs during replication, the consumer will attempt to
++reconnect according to the
++.B retry
++parameter which is a list of the <retry interval> and <# of retries> pairs.
++For example, retry="60 10 300 3" lets the consumer retry every 60 seconds
++for the first 10 times and then retry every 300 seconds for the next 3
++times before stop retrying. The `+' in <# of retries> means indefinite
++number of retries until success.
++If no 
++.B retry
++is specified, by default syncrepl retries every hour forever.
++
++The schema checking can be enforced at the LDAP Sync
++consumer site by turning on the
++.B schemachecking
++parameter. The default is \fBoff\fP.
++Schema checking \fBon\fP means that replicated entries must have
++a structural objectClass, must obey to objectClass requirements
++in terms of required/allowed attributes, and that naming attributes
++and distinguished values must be present.
++As a consequence, schema checking should be \fBoff\fP when partial
++replication is used.
++
++The
++.B network\-timeout
++parameter sets how long the consumer will wait to establish a
++network connection to the provider. Once a connection is
++established, the
++.B timeout
++parameter determines how long the consumer will wait for the initial
++Bind request to complete. The defaults for these parameters come
++from 
++.BR ldap.conf (5).
++The
++.B tcp\-user\-timeout
++parameter, if non-zero, corresponds to the
++.B TCP_USER_TIMEOUT
++set on the target connections, overriding the operating system setting.
++Only some systems support the customization of this parameter, it is
++ignored otherwise and system-wide settings are used.
++
++A
++.B bindmethod
++of 
++.B simple
++requires the options 
++.B binddn
++and 
++.B credentials
++and should only be used when adequate security services
++(e.g. TLS or IPSEC) are in place.
++.B REMEMBER: simple bind credentials must be in cleartext!
++A
++.B bindmethod
++of
++.B sasl
++requires the option
++.B saslmech.
++Depending on the mechanism, an authentication identity and/or
++credentials can be specified using
++.B authcid
++and
++.B credentials.
++The
++.B authzid
++parameter may be used to specify an authorization identity.
++Specific security properties (as with the
++.B sasl\-secprops
++keyword above) for a SASL bind can be set with the
++.B secprops
++option. A non default SASL realm can be set with the
++.B realm 
++option.
++The identity used for synchronization by the consumer should be allowed
++to receive an unlimited number of entries in response to a search request.
++The provider, other than allowing authentication of the syncrepl identity,
++should grant that identity appropriate access privileges to the data 
++that is being replicated (\fBaccess\fP directive), and appropriate time 
++and size limits.
++This can be accomplished by either allowing unlimited \fBsizelimit\fP
++and \fBtimelimit\fP, or by setting an appropriate \fBlimits\fP statement
++in the consumer's configuration (see \fBsizelimit\fP and \fBlimits\fP
++for details).
++
++The
++.B keepalive
++parameter sets the values of \fIidle\fP, \fIprobes\fP, and \fIinterval\fP
++used to check whether a socket is alive;
++.I idle
++is the number of seconds a connection needs to remain idle before TCP 
++starts sending keepalive probes;
++.I probes
++is the maximum number of keepalive probes TCP should send before dropping
++the connection;
++.I interval
++is interval in seconds between individual keepalive probes.
++Only some systems support the customization of these values;
++the
++.B keepalive
++parameter is ignored otherwise, and system-wide settings are used.
++
++The
++.B starttls
++parameter specifies use of the StartTLS extended operation
++to establish a TLS session before Binding to the provider. If the
++.B critical
++argument is supplied, the session will be aborted if the StartTLS request
++fails. Otherwise the syncrepl session continues without TLS. The
++.B tls_reqcert
++setting defaults to "demand", the
++.B tls_reqsan
++setting defaults to "allow", and the other TLS settings
++default to the same as the main slapd TLS settings.
++
++The
++.B suffixmassage
++parameter allows the consumer to pull entries from a remote directory
++whose DN suffix differs from the local directory. The portion of the
++remote entries' DNs that matches the \fIsearchbase\fP will be replaced
++with the suffixmassage DN.
++
++Rather than replicating whole entries, the consumer can query logs of
++data modifications. This mode of operation is referred to as \fIdelta
++syncrepl\fP. In addition to the above parameters, the
++.B logbase
++and
++.B logfilter
++parameters must be set appropriately for the log that will be used. The
++.B syncdata
++parameter must be set to either "accesslog" if the log conforms to the
++.BR slapo\-accesslog (5)
++log format, or "changelog" if the log conforms
++to the obsolete \fIchangelog\fP format. If the
++.B syncdata
++parameter is omitted or set to "default" then the log parameters are
++ignored.
++
++The
++.B lazycommit
++parameter tells the underlying database that it can store changes without
++performing a full flush after each change. This may improve performance
++for the consumer, while sacrificing safety or durability.
++.RE
++.TP
++.B updatedn <dn>
++This option is only applicable in a replica
++database.
++It specifies the DN permitted to update (subject to access controls)
++the replica.  It is only needed in certain push-mode
++replication scenarios.  Generally, this DN
++.I should not
++be the same as the
++.B rootdn 
++used at the provider.
++.TP
++.B updateref <url>
++Specify the referral to pass back when
++.BR slapd (8)
++is asked to modify a replicated local database.
++If specified multiple times, each url is provided.
++
++.SH DATABASE-SPECIFIC OPTIONS
++Each database may allow specific configuration options; they are
++documented separately in the backends' manual pages. See the
++.BR slapd.backends (5)
++manual page for an overview of available backends.
++.SH EXAMPLES
++.LP
++Here is a short example of a configuration file:
++.LP
++.RS
++.nf
++include   SYSCONFDIR/schema/core.schema
++pidfile   LOCALSTATEDIR/run/slapd.pid
++
++# Subtypes of "name" (e.g. "cn" and "ou") with the
++# option ";x\-hidden" can be searched for/compared,
++# but are not shown.  See \fBslapd.access\fP(5).
++attributeoptions x\-hidden lang\-
++access to attrs=name;x\-hidden by * =cs
++
++# Protect passwords.  See \fBslapd.access\fP(5).
++access    to attrs=userPassword  by * auth
++# Read access to other attributes and entries.
++access    to *  by * read
++
++database  mdb
++suffix    "dc=our\-domain,dc=com"
++# The database directory MUST exist prior to
++# running slapd AND should only be accessible
++# by the slapd/tools. Mode 0700 recommended.
++directory LOCALSTATEDIR/openldap\-data
++# Indices to maintain
++index     objectClass  eq
++index     cn,sn,mail   pres,eq,approx,sub
++
++# We serve small clients that do not handle referrals,
++# so handle remote lookups on their behalf.
++database  ldap
++suffix    ""
++uri       ldap://ldap.some\-server.com/
++lastmod   off
++.fi
++.RE
++.LP
++"OpenLDAP Administrator's Guide" contains a longer annotated
++example of a configuration file.
++The original ETCDIR/slapd.conf is another example.
++.SH FILES
++.TP
++ETCDIR/slapd.conf
++default slapd configuration file
++.SH SEE ALSO
++.BR ldap (3),
++.BR gnutls\-cli (1),
++.BR slapd\-config (5),
++.BR slapd.access (5),
++.BR slapd.backends (5),
++.BR slapd.overlays (5),
++.BR slapd.plugin (5),
++.BR slapd (8),
++.BR slapacl (8),
++.BR slapadd (8),
++.BR slapauth (8),
++.BR slapcat (8),
++.BR slapdn (8),
++.BR slapindex (8),
++.BR slapmodify (8),
++.BR slappasswd (8),
++.BR slaptest (8).
++.LP
++"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
++.SH ACKNOWLEDGEMENTS
++.so ../Project
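Review bot: the EXAMPLES section of this man page still shows `directory LOCALSTATEDIR/openldap\-data` (the line after "Mode 0700 recommended"), while the slapd-config.5 hunk further down rewrites the equivalent `olcDbDirectory` example to `LOCALSTATEDIR/lib/openldap`. If this file is the slapd.conf(5) page that ends up installed rather than a `.orig` backup copy, the two examples should be changed the same way so the documentation does not point administrators at two different database directories.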
+diff -Naurp openldap-2.6.1.orig/doc/man/man5/slapd-config.5 openldap-2.6.1/doc/man/man5/slapd-config.5
+--- openldap-2.6.1.orig/doc/man/man5/slapd-config.5	2022-01-19 12:32:34.000000000 -0600
++++ openldap-2.6.1/doc/man/man5/slapd-config.5	2022-02-13 15:54:13.654979570 -0600
+@@ -2234,7 +2234,7 @@ olcSuffix: "dc=our\-domain,dc=com"
+ # The database directory MUST exist prior to
+ # running slapd AND should only be accessible
+ # by the slapd/tools. Mode 0700 recommended.
+-olcDbDirectory: LOCALSTATEDIR/openldap\-data
++olcDbDirectory: LOCALSTATEDIR/lib/openldap
+ # Indices to maintain
+ olcDbIndex:     objectClass  eq
+ olcDbIndex:     cn,sn,mail   pres,eq,approx,sub
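Review bot: the path change from `LOCALSTATEDIR/openldap\-data` to `LOCALSTATEDIR/lib/openldap` is only a documentation edit; the surrounding comment still says the directory must exist before slapd runs and should be accessible only to slapd and its tools with mode 0700, so please confirm that the updated rootfile and install step actually create `LOCALSTATEDIR/lib/openldap` with those permissions and ownership, otherwise the man page example will describe a layout that does not match what the package ships.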
+diff -Naurp openldap-2.6.1.orig/doc/man/man5/slapd-config.5.orig openldap-2.6.1/doc/man/man5/slapd-config.5.orig
+--- openldap-2.6.1.orig/doc/man/man5/slapd-config.5.orig	1969-12-31 18:00:00.000000000 -0600
++++ openldap-2.6.1/doc/man/man5/slapd-config.5.orig	2022-01-19 12:32:34.000000000 -0600
+@@ -0,0 +1,2303 @@
++.TH SLAPD-CONFIG 5 "RELEASEDATE" "OpenLDAP LDVERSION"
++.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved.
++.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
++.\" $OpenLDAP$
++.SH NAME
++slapd\-config \- configuration backend to slapd
++.SH SYNOPSIS
++ETCDIR/slapd.d
++.SH DESCRIPTION
++The
++.B config
++backend manages all of the configuration information for the
++.BR slapd (8)
++daemon.  This configuration information is also used by the SLAPD tools
++.BR slapacl (8),
++.BR slapadd (8),
++.BR slapauth (8),
++.BR slapcat (8),
++.BR slapdn (8),
++.BR slapindex (8),
++.BR slapmodify (8),
++and
++.BR slaptest (8).
++.LP
++The
++.B config
++backend is backward compatible with the older
++.BR slapd.conf (5)
++file but provides the ability to change the configuration dynamically
++at runtime. If slapd is run with only a
++.B slapd.conf
++file dynamic changes will be allowed but they will not persist across
++a server restart. Dynamic changes are only saved when slapd is running
++from a
++.B slapd.d
++configuration directory.
++.LP
++
++Unlike other backends, there can only be one instance of the
++.B config
++backend, and most of its structure is predefined. The root of the
++database is hardcoded to
++.B "cn=config"
++and this root entry contains
++global settings for slapd. Multiple child entries underneath the
++root entry are used to carry various other settings:
++.RS
++.TP
++.B cn=Module
++dynamically loaded modules
++.TP
++.B cn=Schema
++schema definitions
++.TP
++.B olcBackend=xxx
++backend-specific settings
++.TP
++.B olcDatabase=xxx
++database-specific settings
++.RE
++
++The
++.B cn=Module
++entries will only appear in configurations where slapd
++was built with support for dynamically loaded modules. There can be
++multiple entries, one for each configured module path. Within each
++entry there will be values recorded for each module loaded on a
++given path. These entries have no children.
++
++The
++.B cn=Schema
++entry contains all of the hardcoded schema elements.
++The children of this entry contain all user-defined schema elements.
++In schema that were loaded from include files, the child entry will
++be named after the include file from which the schema was loaded.
++Typically the first child in this subtree will be
++.BR cn=core,cn=schema,cn=config .
++
++.B olcBackend
++entries are for storing settings specific to a single
++backend type (and thus global to all database instances of that type).
++At present, only back-mdb implements any options of this type, so this
++setting is not needed for any other backends.
++
++.B olcDatabase
++entries store settings specific to a single database
++instance. These entries may have
++.B olcOverlay
++child entries corresponding
++to any overlays configured on the database. The olcDatabase and
++olcOverlay entries may also have miscellaneous child entries for
++other settings as needed. There are two special database entries
++that are predefined \- one is an entry for the config database itself,
++and the other is for the "frontend" database. Settings in the
++frontend database are inherited by the other databases, unless
++they are explicitly overridden in a specific database.
++.LP
++The specific configuration options available are discussed below in the
++Global Configuration Options, General Backend Options, and General Database
++Options. Options are set by defining LDAP attributes with specific values.
++In general the names of the LDAP attributes are the same as the corresponding
++.B slapd.conf
++keyword, with an "olc" prefix added on.
++
++The parser for many of these attributes is the same as used for parsing
++the slapd.conf keywords. As such, slapd.conf keywords that allow multiple
++items to be specified on one line, separated by whitespace, will allow
++multiple items to be specified in one attribute value. However, when
++reading the attribute via LDAP, the items will be returned as individual
++attribute values.
++
++Backend-specific options are discussed in the
++.B slapd\-<backend>(5)
++manual pages.  Refer to the "OpenLDAP Administrator's Guide" for more
++details on configuring slapd.
++.SH GLOBAL CONFIGURATION OPTIONS
++Options described in this section apply to the server as a whole.
++Arguments that should be replaced by 
++actual text are shown in brackets <>.
++
++These options may only be specified in the
++.B cn=config
++entry. This entry must have an objectClass of
++.BR olcGlobal .
++
++.TP
++.B olcAllows: <features>
++Specify a set of features to allow (default none).
++.B bind_v2
++allows acceptance of LDAPv2 bind requests.  Note that
++.BR slapd (8)
++does not truly implement LDAPv2 (RFC 1777), now Historic (RFC 3494).
++.B bind_anon_cred
++allows anonymous bind when credentials are not empty (e.g.
++when DN is empty).
++.B bind_anon_dn
++allows unauthenticated (anonymous) bind when DN is not empty.
++.B update_anon
++allows unauthenticated (anonymous) update operations to be processed
++(subject to access controls and other administrative limits).
++.B proxy_authz_anon
++allows unauthenticated (anonymous) proxy authorization control to be processed
++(subject to access controls, authorization and other administrative limits).
++.TP
++.B olcArgsFile: <filename>
++The (absolute) name of a file that will hold the 
++.B slapd
++server's command line (program name and options).
++.TP
++.B olcAttributeOptions: <option-name>...
++Define tagging attribute options or option tag/range prefixes.
++Options must not end with `\-', prefixes must end with `\-'.
++The `lang\-' prefix is predefined.
++If you use the
++.B olcAttributeOptions
++directive, `lang\-' will no longer be defined and you must specify it
++explicitly if you want it defined.
++
++An attribute description with a tagging option is a subtype of that
++attribute description without the option.
++Except for that, options defined this way have no special semantics.
++Prefixes defined this way work like the `lang\-' options:
++They define a prefix for tagging options starting with the prefix.
++That is, if you define the prefix `x\-foo\-', you can use the option
++`x\-foo\-bar'.
++Furthermore, in a search or compare, a prefix or range name (with
++a trailing `\-') matches all options starting with that name, as well
++as the option with the range name sans the trailing `\-'.
++That is, `x\-foo\-bar\-' matches `x\-foo\-bar' and `x\-foo\-bar\-baz'.
++
++RFC 4520 reserves options beginning with `x\-' for private experiments.
++Other options should be registered with IANA, see RFC 4520 section 3.5.
++OpenLDAP also has the `binary' option built in, but this is a transfer
++option, not a tagging option.
++.TP
++.B olcAuthIDRewrite: <rewrite\-rule>
++Used by the authentication framework to convert simple user names
++to an LDAP DN used for authorization purposes.
++Its purpose is analogous to that of
++.BR olcAuthzRegexp
++(see below).
++The
++.B rewrite\-rule
++is a set of rules analogous to those described in
++.BR slapo\-rwm (5)
++for data rewriting (after stripping the \fIrwm\-\fP prefix).
++.B olcAuthIDRewrite
++and
++.B olcAuthzRegexp
++should not be intermixed.
++.TP
++.B olcAuthzPolicy: <policy>
++Used to specify which rules to use for Proxy Authorization.  Proxy
++authorization allows a client to authenticate to the server using one
++user's credentials, but specify a different identity to use for authorization
++and access control purposes. It essentially allows user A to login as user
++B, using user A's password.
++The
++.B none
++flag disables proxy authorization. This is the default setting.
++The
++.B from
++flag will use rules in the
++.I authzFrom
++attribute of the authorization DN.
++The
++.B to
++flag will use rules in the
++.I authzTo
++attribute of the authentication DN.
++The
++.B any
++flag, an alias for the deprecated value of
++.BR both ,
++will allow any of the above, whatever succeeds first (checked in
++.BR to ,
++.B from
++sequence.
++The
++.B all
++flag requires both authorizations to succeed.
++.LP
++.RS
++The rules are mechanisms to specify which identities are allowed 
++to perform proxy authorization.
++The
++.I authzFrom
++attribute in an entry specifies which other users
++are allowed to proxy login to this entry. The
++.I authzTo
++attribute in
++an entry specifies which other users this user can authorize as.  Use of
++.I authzTo
++rules can be easily
++abused if users are allowed to write arbitrary values to this attribute.
++In general the
++.I authzTo
++attribute must be protected with ACLs such that
++only privileged users can modify it.
++The value of
++.I authzFrom
++and
++.I authzTo
++describes an 
++.B identity 
++or a set of identities; it can take five forms:
++.RS
++.TP
++.B ldap:///<base>??[<scope>]?<filter>
++.RE
++.RS
++.B dn[.<dnstyle>]:<pattern>
++.RE
++.RS
++.B u[.<mech>[<realm>]]:<pattern>
++.RE
++.RS
++.B group[/objectClass[/attributeType]]:<pattern>
++.RE
++.RS
++.B <pattern>
++.RE
++.RS
++
++.B <dnstyle>:={exact|onelevel|children|subtree|regex}
++
++.RE
++The first form is a valid LDAP
++.B URI
++where the 
++.IR <host>:<port> ,
++the
++.I <attrs>
++and the
++.I <extensions>
++portions must be absent, so that the search occurs locally on either
++.I authzFrom
++or 
++.IR authzTo .
++
++.LP
++The second form is a 
++.BR DN ,
++with the optional style modifiers
++.IR exact ,
++.IR onelevel ,
++.IR children ,
++and
++.I subtree
++for exact, onelevel, children and subtree matches, which cause 
++.I <pattern>
++to be normalized according to the DN normalization rules, or the special
++.I regex
++style, which causes the
++.I <pattern>
++to be treated as a POSIX (''extended'') regular expression, as
++discussed in
++.BR regex (7)
++and/or
++.BR re_format (7).
++A pattern of
++.I *
++means any non-anonymous DN.
++
++.LP
++The third form is a SASL
++.BR id ,
++with the optional fields
++.I <mech>
++and
++.I <realm>
++that allow to specify a SASL
++.BR mechanism ,
++and eventually a SASL
++.BR realm ,
++for those mechanisms that support one.
++The need to allow the specification of a mechanism is still debated, 
++and users are strongly discouraged to rely on this possibility.
++
++.LP
++The fourth form is a group specification.
++It consists of the keyword
++.BR group ,
++optionally followed by the specification of the group
++.B objectClass
++and
++.BR attributeType .
++The
++.B objectClass
++defaults to
++.IR groupOfNames .
++The
++.B attributeType
++defaults to
++.IR member .
++The group with DN
++.B <pattern>
++is searched with base scope, filtered on the specified
++.BR objectClass .
++The values of the resulting
++.B attributeType
++are searched for the asserted DN.
++
++.LP
++The fifth form is provided for backwards compatibility.  If no identity
++type is provided, i.e. only
++.B <pattern>
++is present, an
++.I exact DN
++is assumed; as a consequence, 
++.B <pattern>
++is subjected to DN normalization.
++
++.LP
++Since the interpretation of
++.I authzFrom
++and
++.I authzTo
++can impact security, users are strongly encouraged 
++to explicitly set the type of identity specification that is being used.
++A subset of these rules can be used as third arg in the 
++.B olcAuthzRegexp
++statement (see below); significantly, the 
++.IR URI ,
++provided it results in exactly one entry,
++and the
++.I dn.exact:<dn> 
++forms.
++.RE
++.TP
++.B olcAuthzRegexp: <match> <replace>
++Used by the authentication framework to convert simple user names,
++such as provided by SASL subsystem, or extracted from certificates
++in case of cert-based SASL EXTERNAL, or provided within the RFC 4370
++"proxied authorization" control, to an LDAP DN used for
++authorization purposes.  Note that the resulting DN need not refer
++to an existing entry to be considered valid.  When an authorization
++request is received from the SASL subsystem, the SASL 
++.BR USERNAME ,
++.BR REALM , 
++and
++.B MECHANISM
++are taken, when available, and combined into a name of the form
++.RS
++.RS
++.TP
++.B UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth
++
++.RE
++This name is then compared against the
++.B match
++POSIX (''extended'') regular expression, and if the match is successful,
++the name is replaced with the
++.B replace
++string.  If there are wildcard strings in the 
++.B match
++regular expression that are enclosed in parenthesis, e.g. 
++.RS
++.TP
++.B UID=([^,]*),CN=.*
++
++.RE
++then the portion of the name that matched the wildcard will be stored
++in the numbered placeholder variable $1. If there are other wildcard strings
++in parenthesis, the matching strings will be in $2, $3, etc. up to $9. The 
++placeholders can then be used in the 
++.B replace
++string, e.g. 
++.RS
++.TP
++.B UID=$1,OU=Accounts,DC=example,DC=com 
++
++.RE
++The replaced name can be either a DN, i.e. a string prefixed by "dn:",
++or an LDAP URI.
++If the latter, the server will use the URI to search its own database(s)
++and, if the search returns exactly one entry, the name is
++replaced by the DN of that entry.   The LDAP URI must have no
++hostport, attrs, or extensions components, but the filter is mandatory,
++e.g.
++.RS
++.TP
++.B ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)
++
++.RE
++The protocol portion of the URI must be strictly
++.BR ldap .
++Note that this search is subject to access controls.  Specifically,
++the authentication identity must have "auth" access in the subject.
++
++Multiple 
++.B olcAuthzRegexp 
++values can be specified to allow for multiple matching 
++and replacement patterns. The matching patterns are checked in the order they 
++appear in the attribute, stopping at the first successful match.
++
++.\".B Caution:
++.\"Because the plus sign + is a character recognized by the regular expression engine,
++.\"and it will appear in names that include a REALM, be careful to escape the
++.\"plus sign with a backslash \\+ to remove the character's special meaning.
++.RE
++.TP
++.B olcConcurrency: <integer>
++Specify a desired level of concurrency.  Provided to the underlying
++thread system as a hint.  The default is not to provide any hint. This setting
++is only meaningful on some platforms where there is not a one to one
++correspondence between user threads and kernel threads.
++.TP
++.B olcConnMaxPending: <integer>
++Specify the maximum number of pending requests for an anonymous session.
++If requests are submitted faster than the server can process them, they
++will be queued up to this limit. If the limit is exceeded, the session
++is closed. The default is 100.
++.TP
++.B olcConnMaxPendingAuth: <integer>
++Specify the maximum number of pending requests for an authenticated session.
++The default is 1000.
++.TP
++.B olcDisallows: <features>
++Specify a set of features to disallow (default none).
++.B bind_anon
++disables acceptance of anonymous bind requests.  Note that this setting
++does not prohibit anonymous directory access (See "require authc").
++.B bind_simple
++disables simple (bind) authentication.
++.B tls_2_anon
++disables forcing session to anonymous status (see also
++.BR tls_authc )
++upon StartTLS operation receipt.
++.B tls_authc
++disallows the StartTLS operation if authenticated (see also
++.BR tls_2_anon ).
++.B proxy_authz_non_critical
++disables acceptance of the proxied authorization control (RFC4370)
++with criticality set to FALSE.
++.B dontusecopy_non_critical
++disables acceptance of the dontUseCopy control (a work in progress)
++with criticality set to FALSE.
++.TP
++.B olcGentleHUP: { TRUE | FALSE }
++A SIGHUP signal will only cause a 'gentle' shutdown-attempt:
++.B Slapd
++will stop listening for new connections, but will not close the
++connections to the current clients.  Future write operations return
++unwilling-to-perform, though.  Slapd terminates when all clients
++have closed their connections (if they ever do), or \- as before \-
++if it receives a SIGTERM signal.  This can be useful if you wish to
++terminate the server and start a new
++.B slapd
++server
++.B with another database,
++without disrupting the currently active clients.
++The default is FALSE.  You may wish to use
++.B olcIdleTimeout
++along with this option.
++.TP
++.B olcIdleTimeout: <integer>
++Specify the number of seconds to wait before forcibly closing
++an idle client connection.  A setting of 0 disables this
++feature.  The default is 0. You may also want to set the
++.B olcWriteTimeout
++option.
++.TP
++.B olcIndexHash64: { on | off }
++Use a 64 bit hash for indexing. The default is to use 32 bit hashes.
++These hashes are used for equality and substring indexing. The 64 bit
++version may be needed to avoid index collisions when the number of
++indexed values exceeds ~64 million. (Note that substring indexing
++generates multiple index values per actual attribute value.)
++Indices generated with 32 bit hashes are incompatible with the 64 bit
++version, and vice versa. Any existing databases must be fully reloaded
++when changing this setting. This directive is only supported on 64 bit CPUs.
++.TP
++.B olcIndexIntLen: <integer>
++Specify the key length for ordered integer indices. The most significant
++bytes of the binary integer will be used for index keys. The default
++value is 4, which provides exact indexing for 31 bit values.
++A floating point representation is used to index too large values.
++.TP
++.B olcIndexSubstrIfMaxlen: <integer>
++Specify the maximum length for subinitial and subfinal indices. Only
++this many characters of an attribute value will be processed by the
++indexing functions; any excess characters are ignored. The default is 4.
++.TP
++.B olcIndexSubstrIfMinlen: <integer>
++Specify the minimum length for subinitial and subfinal indices. An
++attribute value must have at least this many characters in order to be
++processed by the indexing functions. The default is 2.
++.TP
++.B olcIndexSubstrAnyLen: <integer>
++Specify the length used for subany indices. An attribute value must have
++at least this many characters in order to be processed. Attribute values
++longer than this length will be processed in segments of this length. The
++default is 4. The subany index will also be used in subinitial and
++subfinal index lookups when the filter string is longer than the
++.I olcIndexSubstrIfMaxlen
++value.
++.TP
++.B olcIndexSubstrAnyStep: <integer>
++Specify the steps used in subany index lookups. This value sets the offset
++for the segments of a filter string that are processed for a subany index
++lookup. The default is 2. For example, with the default values, a search
++using this filter "cn=*abcdefgh*" would generate index lookups for
++"abcd", "cdef", and "efgh".
++
++.LP
++Note: Indexing support depends on the particular backend in use. Also,
++changing these settings will generally require deleting any indices that
++depend on these parameters and recreating them with
++.BR slapindex (8).
++
++.TP
++.B olcListenerThreads: <integer>
++Specify the number of threads to use for the connection manager.
++The default is 1 and this is typically adequate for up to 16 CPU cores.
++The value should be set to a power of 2.
++.TP
++.B olcLocalSSF: <SSF>
++Specifies the Security Strength Factor (SSF) to be given local LDAP sessions,
++such as those to the ldapi:// listener.  For a description of SSF values,
++see 
++.BR olcSaslSecProps 's
++.B minssf
++option description.  The default is 71.
++.TP
++.B olcLogFile: <filename>
++Specify a file for recording slapd debug messages. By default these messages
++only go to stderr, are not recorded anywhere else, and are unrelated to
++messages exposed by the
++.B olcLogLevel
++configuration parameter. Specifying a logfile copies messages to both stderr
++and the logfile.
++.TP
++.B olcLogFileFormat: debug | syslog-utc | syslog-localtime
++Specify the prefix format for messages written to the logfile. The debug
++format is the normal format used for slapd debug messages, with a timestamp
++in hexadecimal, followed by a thread ID.  The other options are to
++use syslog(3) style prefixes, with timestamps either in UTC or in the
++local timezone. The default is debug format.
++.TP
++.B olcLogFileOnly: TRUE | FALSE
++Specify that debug messages should only go to the configured logfile, and
++not to stderr.
++.TP
++.B olcLogFileRotate: <max> <Mbytes> <hours>
++Specify automatic rotation for the configured logfile as the maximum
++number of old logfiles to retain, a maximum size in megabytes to allow a
++logfile to grow before rotation, and a maximum age in hours for a logfile
++to be used before rotation. The maximum number must be in the range 1-99.
++Setting Mbytes or hours to zero disables the size or age check, respectively.
++At least one of Mbytes or hours must be non-zero. By default no automatic
++rotation will be performed.
++.TP
++.B olcLogLevel: <integer> [...]
++Specify the level at which debugging statements and operation 
++statistics should be syslogged (currently logged to the
++.BR syslogd (8) 
++LOG_LOCAL4 facility).
++They must be considered subsystems rather than increasingly verbose 
++log levels.
++Some messages with higher priority are logged regardless 
++of the configured loglevel as soon as any logging is configured.
++Log levels are additive, and available levels are:
++.RS
++.RS
++.PD 0
++.TP
++.B 1
++.B (0x1 trace)
++trace function calls
++.TP
++.B 2
++.B (0x2 packets)
++debug packet handling
++.TP
++.B 4
++.B (0x4 args)
++heavy trace debugging (function args)
++.TP
++.B 8
++.B (0x8 conns)
++connection management
++.TP
++.B 16
++.B (0x10 BER)
++print out packets sent and received
++.TP
++.B 32
++.B (0x20 filter)
++search filter processing
++.TP
++.B 64
++.B (0x40 config)
++configuration file processing
++.TP
++.B 128
++.B (0x80 ACL)
++access control list processing
++.TP
++.B 256
++.B (0x100 stats)
++connections, LDAP operations, results (recommended)
++.TP
++.B 512
++.B (0x200 stats2)
++stats2 log entries sent
++.TP
++.B 1024
++.B (0x400 shell)
++print communication with shell backends
++.TP
++.B 2048
++.B (0x800 parse)
++entry parsing
++\".TP
++\".B 4096
++\".B (0x1000 cache)
++\"caching (unused)
++\".TP
++\".B 8192
++\".B (0x2000 index)
++\"data indexing (unused)
++.TP
++.B 16384
++.B (0x4000 sync)
++LDAPSync replication
++.TP
++.B 32768
++.B (0x8000 none)
++only messages that get logged whatever log level is set
++.PD
++.RE
++The desired log level can be input as a single integer that combines 
++the (ORed) desired levels, both in decimal or in hexadecimal notation,
++as a list of integers (that are ORed internally),
++or as a list of the names that are shown between parenthesis, such that
++.LP
++.nf
++    olcLogLevel: 129
++    olcLogLevel: 0x81
++    olcLogLevel: 128 1
++    olcLogLevel: 0x80 0x1
++    olcLogLevel: acl trace
++.fi
++.LP
++are equivalent.
++The keyword 
++.B any
++can be used as a shortcut to enable logging at all levels (equivalent to \-1).
++The keyword
++.BR none ,
++or the equivalent integer representation, causes those messages
++that are logged regardless of the configured olcLogLevel to be logged.
++In fact, if no olcLogLevel (or a 0 level) is defined, no logging occurs, 
++so at least the 
++.B none
++level is required to have high priority messages logged.
++
++Note that the
++.BR packets ,
++.BR BER ,
++and
++.B parse
++levels are only available as debug output on stderr, and are not
++sent to syslog.
++
++This setting defaults to \fBstats\fP.
++This level should usually also be included when using other loglevels, to
++help analyze the logs.
++.RE
++.TP
++.B olcMaxFilterDepth: <integer>
++Specify the maximum depth of nested filters in search requests.
++The default is 1000.
++.TP
++.B olcPasswordCryptSaltFormat: <format>
++Specify the format of the salt passed to
++.BR crypt (3)
++when generating {CRYPT} passwords (see
++.BR olcPasswordHash )
++during processing of LDAP Password Modify Extended Operations (RFC 3062).
++
++This string needs to be in
++.BR sprintf (3)
++format and may include one (and only one) %s conversion.
++This conversion will be substituted with a string of random
++characters from [A\-Za\-z0\-9./].  For example, "%.2s"
++provides a two character salt and "$1$%.8s" tells some
++versions of crypt(3) to use an MD5 algorithm and provides
++8 random characters of salt.  The default is "%s", which
++provides 31 characters of salt.
++.TP
++.B olcPidFile: <filename>
++The (absolute) name of a file that will hold the 
++.B slapd
++server's process ID (see
++.BR getpid (2)).
++.TP
++.B olcPluginLogFile: <filename>
++The ( absolute ) name of a file that will contain log
++messages from
++.B SLAPI
++plugins. See
++.BR slapd.plugin (5)
++for details.
++.TP
++.B olcReferral: <url>
++Specify the referral to pass back when
++.BR slapd (8)
++cannot find a local database to handle a request.
++If multiple values are specified, each url is provided.
++.TP
++.B olcReverseLookup: TRUE | FALSE
++Enable/disable client name unverified reverse lookup (default is 
++.BR FALSE 
++if compiled with \-\-enable\-rlookups).
++.TP
++.B olcRootDSE: <file>
++Specify the name of an LDIF(5) file containing user defined attributes
++for the root DSE.  These attributes are returned in addition to the
++attributes normally produced by slapd.
++
++The root DSE is an entry with information about the server and its
++capabilities, in operational attributes.
++It has the empty DN, and can be read with e.g.:
++.ti +4
++ldapsearch \-x \-b "" \-s base "+"
++.br
++See RFC 4512 section 5.1 for details.
++.TP
++.B olcSaslAuxprops: <plugin> [...]
++Specify which auxprop plugins to use for authentication lookups. The
++default is empty, which just uses slapd's internal support. Usually
++no other auxprop plugins are needed.
++.TP
++.B olcSaslAuxpropsDontUseCopy: <attr> [...]
++Specify which attribute(s) should be subject to the don't use copy control. This
++is necessary for some SASL mechanisms such as OTP to work in a replicated
++environment. The attribute "cmusaslsecretOTP" is the default value.
++.TP
++.B olcSaslAuxpropsDontUseCopyIgnore TRUE | FALSE
++Used to disable replication of the attribute(s) defined by
++olcSaslAuxpropsDontUseCopy and instead use a local value for the attribute. This
++allows the SASL mechanism to continue to work if the provider is offline. This can
++cause replication inconsistency. Defaults to FALSE.
++.TP
++.B olcSaslHost: <fqdn>
++Used to specify the fully qualified domain name used for SASL processing.
++.TP
++.B olcSaslRealm: <realm>
++Specify SASL realm.  Default is empty.
++.TP
++.B olcSaslCbinding: none | tls-unique | tls-endpoint
++Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING.
++Default is none.
++.TP
++.B olcSaslSecProps: <properties>
++Used to specify Cyrus SASL security properties.
++The
++.B none
++flag (without any other properties) causes the flag properties
++default, "noanonymous,noplain", to be cleared.
++The
++.B noplain
++flag disables mechanisms susceptible to simple passive attacks.
++The
++.B noactive
++flag disables mechanisms susceptible to active attacks.
++The
++.B nodict
++flag disables mechanisms susceptible to passive dictionary attacks.
++The
++.B noanonymous
++flag disables mechanisms which support anonymous login.
++The
++.B forwardsec
++flag require forward secrecy between sessions.
++The
++.B passcred
++require mechanisms which pass client credentials (and allow
++mechanisms which can pass credentials to do so).
++The
++.B minssf=<factor> 
++property specifies the minimum acceptable
++.I security strength factor
++as an integer approximate to effective key length used for
++encryption.  0 (zero) implies no protection, 1 implies integrity
++protection only, 128 allows RC4, Blowfish and other similar ciphers,
++256 will require modern ciphers.  The default is 0.
++The
++.B maxssf=<factor> 
++property specifies the maximum acceptable
++.I security strength factor
++as an integer (see minssf description).  The default is INT_MAX.
++The
++.B maxbufsize=<size> 
++property specifies the maximum security layer receive buffer
++size allowed.  0 disables security layers.  The default is 65536.
++.TP
++.B olcServerID: <integer> [<URL>]
++Specify an integer ID from 0 to 4095 for this server. The ID may also be
++specified as a hexadecimal ID by prefixing the value with "0x".
++Non-zero IDs are required when using multi-provider replication and each
++provider must have a unique non-zero ID. Note that this requirement also
++applies to separate providers contributing to a glued set of databases.
++If the URL is provided, this directive may be specified
++multiple times, providing a complete list of participating servers
++and their IDs. The fully qualified hostname of each server should be
++used in the supplied URLs. The IDs are used in the "replica id" field
++of all CSNs generated by the specified server. The default value is zero, which
++is only valid for single provider replication.
++Example:
++.LP
++.nf
++	olcServerID: 1 ldap://ldap1.example.com
++	olcServerID: 2 ldap://ldap2.example.com
++.fi
++.TP
++.B olcSockbufMaxIncoming: <integer>
++Specify the maximum incoming LDAP PDU size for anonymous sessions.
++The default is 262143.
++.TP
++.B olcSockbufMaxIncomingAuth: <integer>
++Specify the maximum incoming LDAP PDU size for authenticated sessions.
++The default is 4194303.
++.TP
++.B olcTCPBuffer [listener=<URL>] [{read|write}=]<size>
++Specify the size of the TCP buffer.
++A global value for both read and write TCP buffers related to any listener
++is defined, unless the listener is explicitly specified,
++or either the read or write qualifiers are used.
++See
++.BR tcp (7)
++for details.
++Note that some OS-es implement automatic TCP buffer tuning.
++.TP
++.B olcThreads: <integer>
++Specify the maximum size of the primary thread pool.
++The default is 16; the minimum value is 2.
++.TP
++.B olcThreadQueues: <integer>
++Specify the number of work queues to use for the primary thread pool.
++The default is 1 and this is typically adequate for up to 8 CPU cores.
++The value should not exceed the number of CPUs in the system.
++.TP
++.B olcToolThreads: <integer>
++Specify the maximum number of threads to use in tool mode.
++This should not be greater than the number of CPUs in the system.
++The default is 1.
++.TP
++.B olcWriteTimeout: <integer>
++Specify the number of seconds to wait before forcibly closing
++a connection with an outstanding write.  This allows recovery from
++various network hang conditions.  A setting of 0 disables this
++feature.  The default is 0.
++.SH TLS OPTIONS
++If
++.B slapd
++is built with support for Transport Layer Security, there are more options
++you can specify.
++.TP
++.B olcTLSCipherSuite: <cipher-suite-spec>
++Permits configuring what ciphers will be accepted and the preference order.
++<cipher-suite-spec> should be a cipher specification for the TLS library
++in use (OpenSSL or GnuTLS).
++Example:
++.RS
++.RS
++.TP
++.I OpenSSL:
++olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
++.TP
++.I GnuTLS:
++olcTLSCiphersuite: SECURE256:!AES-128-CBC
++.RE
++
++To check what ciphers a given spec selects in OpenSSL, use:
++
++.nf
++	openssl ciphers \-v <cipher-suite-spec>
++.fi
++
++With GnuTLS the available specs can be found in the manual page of
++.BR gnutls\-cli (1)
++(see the description of the
++option
++.BR \-\-priority ).
++
++In older versions of GnuTLS, where gnutls\-cli does not support the option
++\-\-priority, you can obtain the \(em more limited \(em list of ciphers by calling:
++
++.nf
++	gnutls\-cli \-l
++.fi
++.RE
++.TP
++.B olcTLSCACertificateFile: <filename>
++Specifies the file that contains certificates for all of the Certificate
++Authorities that
++.B slapd
++will recognize.  The certificate for
++the CA that signed the server certificate must be included among
++these certificates. If the signing CA was not a top-level (root) CA,
++certificates for the entire sequence of CA's from the signing CA to
++the top-level CA should be present. Multiple certificates are simply
++appended to the file; the order is not significant.
++.TP
++.B olcTLSCACertificatePath: <path>
++Specifies the path of directories that contain Certificate Authority
++certificates in separate individual files. Usually only one of this
++or the olcTLSCACertificateFile is defined. If both are specified, both
++locations will be used. Multiple directories may be specified,
++separated by a semi-colon.
++.TP
++.B olcTLSCertificateFile: <filename>
++Specifies the file that contains the
++.B slapd
++server certificate.
++
++When using OpenSSL that file may also contain any number of intermediate
++certificates after the server certificate.
++.TP
++.B olcTLSCertificateKeyFile: <filename>
++Specifies the file that contains the
++.B slapd
++server private key that matches the certificate stored in the
++.B olcTLSCertificateFile
++file. If the private key is protected with a password, the password must
++be manually typed in when slapd starts.  Usually the private key is not
++protected with a password, to allow slapd to start without manual
++intervention, so
++it is of critical importance that the file is protected carefully. 
++.TP
++.B olcTLSDHParamFile: <filename>
++This directive specifies the file that contains parameters for Diffie-Hellman
++ephemeral key exchange.  This is required in order to use a DSA certificate on
++the server, or an RSA certificate missing the "key encipherment" key usage.
++Note that setting this option may also enable
++Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
++Anonymous key exchanges should generally be avoided since they provide no
++actual client or server authentication and provide no protection against
++man-in-the-middle attacks.
++You should append "!ADH" to your cipher suites to ensure that these suites
++are not used.
++.TP
++.B olcTLSECName: <name>
++Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman
++ephemeral key exchange.  This option is only used for OpenSSL.
++This option is not used with GnuTLS; the curves may be
++chosen in the GnuTLS ciphersuite specification.
++.TP
++.B olcTLSProtocolMin: <major>[.<minor>]
++Specifies minimum SSL/TLS protocol version that will be negotiated.
++If the server doesn't support at least that version,
++the SSL handshake will fail.
++To require TLS 1.x or higher, set this option to 3.(x+1),
++e.g.,
++
++.nf
++	olcTLSProtocolMin: 3.2
++.fi
++
++would require TLS 1.1.
++Specifying a minimum that is higher than that supported by the
++OpenLDAP implementation will result in it requiring the
++highest level that it does support.
++This directive is ignored with GnuTLS.
++.TP
++.B olcTLSRandFile: <filename>
++Specifies the file to obtain random bits from when /dev/[u]random
++is not available.  Generally set to the name of the EGD/PRNGD socket.
++The environment variable RANDFILE can also be used to specify the filename.
++This directive is ignored with GnuTLS.
++.TP
++.B olcTLSVerifyClient: <level>
++Specifies what checks to perform on client certificates in an
++incoming TLS session, if any.
++The
++.B <level>
++can be specified as one of the following keywords:
++.RS
++.TP
++.B never
++This is the default.
++.B slapd
++will not ask the client for a certificate.
++.TP
++.B allow
++The client certificate is requested.  If no certificate is provided,
++the session proceeds normally.  If a bad certificate is provided,
++it will be ignored and the session proceeds normally.
++.TP
++.B try
++The client certificate is requested.  If no certificate is provided,
++the session proceeds normally.  If a bad certificate is provided,
++the session is immediately terminated.
++.TP
++.B demand | hard | true
++These keywords are all equivalent, for compatibility reasons.
++The client certificate is requested.  If no certificate is provided,
++or a bad certificate is provided, the session is immediately terminated.
++
++Note that a valid client certificate is required in order to use the
++SASL EXTERNAL authentication mechanism with a TLS session.  As such,
++a non-default
++.B olcTLSVerifyClient
++setting must be chosen to enable SASL EXTERNAL authentication.
++.RE
++.TP
++.B olcTLSCRLCheck: <level>
++Specifies if the Certificate Revocation List (CRL) of the CA should be 
++used to verify if the client certificates have not been revoked. This
++requires
++.B olcTLSCACertificatePath
++parameter to be set. This parameter is ignored with GnuTLS.
++.B <level>
++can be specified as one of the following keywords:
++.RS
++.TP
++.B none
++No CRL checks are performed
++.TP
++.B peer
++Check the CRL of the peer certificate
++.TP
++.B all
++Check the CRL for a whole certificate chain
++.RE
++.TP
++.B olcTLSCRLFile: <filename>
++Specifies a file containing a Certificate Revocation List to be used
++for verifying that certificates have not been revoked. This parameter is
++only valid when using GnuTLS.
++.SH DYNAMIC MODULE OPTIONS
++If
++.B slapd
++is compiled with \-\-enable\-modules then the module-related entries will
++be available. These entries are named
++.B cn=module{x},cn=config
++and
++must have the olcModuleList objectClass. One entry should be created
++per
++.B olcModulePath.
++Normally the config engine generates the "{x}" index in the RDN
++automatically, so it can be omitted when initially loading these entries.
++.TP
++.B olcModuleLoad: <filename> [<arguments>...]
++Specify the name of a dynamically loadable module to load and any
++additional arguments if supported by the module. The filename
++may be an absolute path name or a simple filename. Non-absolute names
++are searched for in the directories specified by the
++.B olcModulePath
++option.
++.TP
++.B olcModulePath: <pathspec>
++Specify a list of directories to search for loadable modules. Typically
++the path is colon-separated but this depends on the operating system.
++The default is MODULEDIR, which is where the standard OpenLDAP install
++will place its modules. 
++.SH SCHEMA OPTIONS
++Schema definitions are created as entries in the
++.B cn=schema,cn=config
++subtree. These entries must have the olcSchemaConfig objectClass.
++As noted above, the actual
++.B cn=schema,cn=config
++entry is predefined and any values specified for it are ignored.
++
++.HP
++.hy 0
++.B olcAttributetypes: "(\ <oid>\
++ [NAME\ <name>]\
++ [DESC\ <description>]\
++ [OBSOLETE]\
++ [SUP\ <oid>]\
++ [EQUALITY\ <oid>]\
++ [ORDERING\ <oid>]\
++ [SUBSTR\ <oid>]\
++ [SYNTAX\ <oidlen>]\
++ [SINGLE\-VALUE]\
++ [COLLECTIVE]\
++ [NO\-USER\-MODIFICATION]\
++ [USAGE\ <attributeUsage>]\ )"
++.RS
++Specify an attribute type using the LDAPv3 syntax defined in RFC 4512.
++The slapd parser extends the RFC 4512 definition by allowing string
++forms as well as numeric OIDs to be used for the attribute OID and
++attribute syntax OID.
++(See the
++.B olcObjectIdentifier
++description.) 
++.RE
++
++.HP
++.hy 0
++.B olcDitContentRules: "(\ <oid>\
++ [NAME\ <name>]\
++ [DESC\ <description>]\
++ [OBSOLETE]\
++ [AUX\ <oids>]\
++ [MUST\ <oids>]\
++ [MAY\ <oids>]\
++ [NOT\ <oids>]\ )"
++.RS
++Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 4512.
++The slapd parser extends the RFC 4512 definition by allowing string
++forms as well as numeric OIDs to be used for the attribute OID and
++attribute syntax OID.
++(See the
++.B olcObjectIdentifier
++description.) 
++.RE
++
++.HP
++.hy 0
++.B olcLdapSyntaxes "(\ <oid>\
++ [DESC\ <description>]\
++ [X\-SUBST <substitute-syntax>]\ )"
++.RS
++Specify an LDAP syntax using the LDAPv3 syntax defined in RFC 4512.
++The slapd parser extends the RFC 4512 definition by allowing string
++forms as well as numeric OIDs to be used for the syntax OID.
++(See the
++.B objectidentifier
++description.)
++The slapd parser also honors the
++.B X\-SUBST
++extension (an OpenLDAP-specific extension), which allows one to use the
++.B olcLdapSyntaxes
++attribute to define a non-implemented syntax along with another syntax,
++the extension value
++.IR substitute-syntax ,
++as its temporary replacement.
++The
++.I substitute-syntax
++must be defined.
++This allows one to define attribute types that make use of non-implemented syntaxes
++using the correct syntax OID.
++Unless
++.B X\-SUBST
++is used, this configuration statement would result in an error,
++since no handlers would be associated to the resulting syntax structure.
++.RE
++
++.HP
++.hy 0
++.B olcObjectClasses: "(\ <oid>\
++ [NAME\ <name>]\
++ [DESC\ <description>]\
++ [OBSOLETE]\
++ [SUP\ <oids>]\
++ [{ ABSTRACT | STRUCTURAL | AUXILIARY }]\
++ [MUST\ <oids>] [MAY\ <oids>] )"
++.RS
++Specify an objectclass using the LDAPv3 syntax defined in RFC 4512.
++The slapd parser extends the RFC 4512 definition by allowing string
++forms as well as numeric OIDs to be used for the object class OID.
++(See the
++.B
++olcObjectIdentifier
++description.)  Object classes are "STRUCTURAL" by default.
++.RE
++.TP
++.B olcObjectIdentifier: <name> "{ <oid> | <name>[:<suffix>] }"
++Define a string name that equates to the given OID. The string can be used
++in place of the numeric OID in objectclass and attribute definitions. The
++name can also be used with a suffix of the form ":xx" in which case the
++value "oid.xx" will be used.
++
++.SH GENERAL BACKEND OPTIONS
++Options in these entries only apply to the configuration of a single
++type of backend. All backends may support this class of options, but
++currently only back-mdb does.
++The entry must be named
++.B olcBackend=<databasetype>,cn=config
++and must have the olcBackendConfig objectClass.
++<databasetype>
++should be one of
++.BR asyncmeta ,
++.BR config ,
++.BR dnssrv ,
++.BR ldap ,
++.BR ldif ,
++.BR mdb ,
++.BR meta ,
++.BR monitor ,
++.BR null ,
++.BR passwd ,
++.BR perl ,
++.BR relay ,
++.BR sock ,
++.BR sql ,
++or
++.BR wt .
++At present, only back-mdb implements any options of this type, so this
++entry should not be used for any other backends.
++
++.SH DATABASE OPTIONS
++Database options are set in entries named
++.B olcDatabase={x}<databasetype>,cn=config
++and must have the olcDatabaseConfig objectClass. Normally the config
++engine generates the "{x}" index in the RDN automatically, so it
++can be omitted when initially loading these entries.
++
++The special frontend database is always numbered "{\-1}" and the config
++database is always numbered "{0}".
++
++.SH GLOBAL DATABASE OPTIONS
++Options in this section may be set in the special "frontend" database
++and inherited in all the other databases. These options may be altered
++by further settings in each specific database. The frontend entry must
++be named
++.B olcDatabase=frontend,cn=config
++and must have the olcFrontendConfig objectClass.
++.TP
++.B olcAccess: to <what> "[ by <who> <access> <control> ]+"
++Grant access (specified by <access>) to a set of entries and/or
++attributes (specified by <what>) by one or more requestors (specified
++by <who>).
++If no access controls are present, the default policy
++allows anyone and everyone to read anything but restricts
++updates to rootdn.  (e.g., "olcAccess: to * by * read").
++See
++.BR slapd.access (5)
++and the "OpenLDAP Administrator's Guide" for details.
++
++Access controls set in the frontend are appended to any access
++controls set on the specific databases.
++The rootdn of a database can always read and write EVERYTHING
++in that database.
++
++Extra special care must be taken with the access controls on the
++config database. Unlike other databases, the default policy for the
++config database is to only allow access to the rootdn. Regular users
++should not have read access, and write access should be granted very
++carefully to privileged administrators.
++
++.TP
++.B olcDefaultSearchBase: <dn>
++Specify a default search base to use when client submits a
++non-base search request with an empty base DN.
++Base scoped search requests with an empty base DN are not affected.
++This setting is only allowed in the frontend entry.
++.TP
++.B olcExtraAttrs: <attr>
++Lists what attributes need to be added to search requests.
++Local storage backends return the entire entry to the frontend.
++The frontend takes care of only returning the requested attributes
++that are allowed by ACLs.
++However, features like access checking and so may need specific
++attributes that are not automatically returned by remote storage
++backends, like proxy backends and so on.
++.B <attr>
++is an attribute that is needed for internal purposes
++and thus always needs to be collected, even when not explicitly
++requested by clients.
++This attribute is multi-valued.
++.TP
++.B olcPasswordHash: <hash> [<hash>...]
++This option configures one or more hashes to be used in generation of user
++passwords stored in the userPassword attribute during processing of
++LDAP Password Modify Extended Operations (RFC 3062).
++The <hash> must be one of
++.BR {SSHA} ,
++.BR {SHA} ,
++.BR {SMD5} ,
++.BR {MD5} ,
++.BR {CRYPT} ,
++and
++.BR {CLEARTEXT} .
++The default is
++.BR {SSHA} .
++
++.B {SHA}
++and
++.B {SSHA}
++use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.
++
++.B {MD5}
++and
++.B {SMD5}
++use the MD5 algorithm (RFC 1321), the latter with a seed.
++
++.B {CRYPT}
++uses the
++.BR crypt (3).
++
++.B {CLEARTEXT}
++indicates that the new password should be
++added to userPassword as clear text.
++
++Note that this option does not alter the normal user applications
++handling of userPassword during LDAP Add, Modify, or other LDAP operations.
++This setting is only allowed in the frontend entry.
++.TP
++.B olcReadOnly: TRUE | FALSE
++This option puts the database into "read-only" mode.  Any attempts to 
++modify the database will return an "unwilling to perform" error.  By
++default, olcReadOnly is FALSE. Note that when this option is set
++TRUE on the frontend, it cannot be reset without restarting the
++server, since further writes to the config database will be rejected.
++.TP
++.B olcRequires: <conditions>
++Specify a set of conditions to require (default none).
++The directive may be specified globally and/or per-database;
++databases inherit global conditions, so per-database specifications
++are additive.
++.B bind
++requires bind operation prior to directory operations.
++.B LDAPv3
++requires session to be using LDAP version 3.
++.B authc
++requires authentication prior to directory operations.
++.B SASL
++requires SASL authentication prior to directory operations.
++.B strong
++requires strong authentication prior to directory operations.
++The strong keyword allows protected "simple" authentication
++as well as SASL authentication.
++.B none
++may be used to require no conditions (useful to clear out globally
++set conditions within a particular database); it must occur first
++in the list of conditions.
++.TP
++.B olcRestrict: <oplist>
++Specify a list of operations that are restricted.
++Restrictions on a specific database override any frontend setting.
++Operations can be any of 
++.BR add ,
++.BR bind ,
++.BR compare ,
++.BR delete ,
++.BR extended[=<OID>] ,
++.BR modify ,
++.BR rename ,
++.BR search ,
++or the special pseudo-operations
++.B read
++and
++.BR write ,
++which respectively summarize read and write operations.
++The use of 
++.I restrict write
++is equivalent to 
++.I olcReadOnly: TRUE
++(see above).
++The 
++.B extended
++keyword allows one to indicate the OID of the specific operation
++to be restricted.
++.TP
++.B olcSchemaDN: <dn>
++Specify the distinguished name for the subschema subentry that
++controls the entries on this server.  The default is "cn=Subschema".
++.TP
++.B olcSecurity: <factors>
++Specify a set of security strength factors (separated by white space)
++to require (see
++.BR olcSaslSecprops 's
++.B minssf
++option for a description of security strength factors).
++The directive may be specified globally and/or per-database.
++.B ssf=<n>
++specifies the overall security strength factor.
++.B transport=<n>
++specifies the transport security strength factor.
++.B tls=<n>
++specifies the TLS security strength factor.
++.B sasl=<n>
++specifies the SASL security strength factor.
++.B update_ssf=<n>
++specifies the overall security strength factor to require for
++directory updates.
++.B update_transport=<n>
++specifies the transport security strength factor to require for
++directory updates.
++.B update_tls=<n>
++specifies the TLS security strength factor to require for
++directory updates.
++.B update_sasl=<n>
++specifies the SASL security strength factor to require for
++directory updates.
++.B simple_bind=<n>
++specifies the security strength factor required for
++.I simple
++username/password authentication.
++Note that the
++.B transport
++factor is measure of security provided by the underlying transport,
++e.g. ldapi:// (and eventually IPSEC).  It is not normally used.
++.TP
++.B olcSizeLimit: {<integer>|unlimited}
++.TP
++.B olcSizeLimit: size[.{soft|hard}]=<integer> [...]
++Specify the maximum number of entries to return from a search operation.
++The default size limit is 500.
++Use
++.B unlimited
++to specify no limits.
++The second format allows a fine grain setting of the size limits.
++If no special qualifiers are specified, both soft and hard limits are set.
++Extra args can be added in the same value.
++Additional qualifiers are available; see
++.BR olcLimits
++for an explanation of all of the different flags.
++.TP
++.B olcSortVals: <attr> [...]
++Specify a list of multi-valued attributes whose values will always
++be maintained in sorted order. Using this option will allow Modify,
++Compare, and filter evaluations on these attributes to be performed
++more efficiently. The resulting sort order depends on the
++attributes' syntax and matching rules and may not correspond to
++lexical order or any other recognizable order.
++This setting is only allowed in the frontend entry.
++.TP
++.B olcTimeLimit: {<integer>|unlimited}
++.TP
++.B olcTimeLimit: time[.{soft|hard}]=<integer> [...]
++Specify the maximum number of seconds (in real time)
++.B slapd
++will spend answering a search request.  The default time limit is 3600.
++Use
++.B unlimited
++to specify no limits.
++The second format allows a fine grain setting of the time limits.
++Extra args can be added in the same value. See
++.BR olcLimits
++for an explanation of the different flags.
++
++.SH GENERAL DATABASE OPTIONS
++Options in this section only apply to the specific database for
++which they are defined.  They are supported by every
++type of backend. All of the Global Database Options may also be
++used here.
++.TP
++.B olcAddContentAcl: TRUE | FALSE
++Controls whether Add operations will perform ACL checks on
++the content of the entry being added. This check is off
++by default. See the
++.BR slapd.access (5)
++manual page for more details on ACL requirements for
++Add operations.
++.TP
++.B olcHidden: TRUE | FALSE
++Controls whether the database will be used to answer
++queries. A database that is hidden will never be
++selected to answer any queries, and any suffix configured
++on the database will be ignored in checks for conflicts
++with other databases. By default, olcHidden is FALSE.
++.TP
++.B olcLastMod: TRUE | FALSE
++Controls whether
++.B slapd
++will automatically maintain the 
++modifiersName, modifyTimestamp, creatorsName, and 
++createTimestamp attributes for entries. It also controls
++the entryCSN and entryUUID attributes, which are needed
++by the syncrepl provider. By default, olcLastMod is TRUE.
++.TP
++.B olcLastBind: TRUE | FALSE
++Controls whether
++.B slapd
++will automatically maintain the pwdLastSuccess attribute for
++entries. By default, olcLastBind is FALSE.
++.TP
++.B olcLastBindPrecision: <integer>
++If olcLastBind is enabled, specifies how frequently pwdLastSuccess
++will be updated. More than
++.B integer
++seconds must have passed since the last successful bind. In a
++replicated environment with frequent bind activity it may be
++useful to set this to a large value.
++.TP
++.B olcLimits: <selector> <limit> [<limit> [...]]
++Specify time and size limits based on the operation's initiator or
++base DN.
++The argument
++.B <selector>
++can be any of
++.RS
++.RS
++.TP
++anonymous | users | [<dnspec>=]<pattern> | group[/oc[/at]]=<pattern>
++
++.RE
++with
++.RS
++.TP
++<dnspec> ::= dn[.<type>][.<style>]
++.TP
++<type>  ::= self | this
++.TP
++<style> ::= exact | base | onelevel | subtree | children | regex | anonymous
++
++.RE
++DN type
++.B self
++is the default and means the bound user, while
++.B this
++means the base DN of the operation.
++The term
++.B anonymous
++matches all unauthenticated clients.
++The term
++.B users
++matches all authenticated clients;
++otherwise an
++.B exact
++dn pattern is assumed unless otherwise specified by qualifying 
++the (optional) key string
++.B dn
++with 
++.B exact
++or
++.B base
++(which are synonyms), to require an exact match; with
++.BR onelevel , 
++to require exactly one level of depth match; with
++.BR subtree ,
++to allow any level of depth match, including the exact match; with
++.BR children ,
++to allow any level of depth match, not including the exact match;
++.BR regex
++explicitly requires the (default) match based on POSIX (''extended'')
++regular expression pattern.
++Finally,
++.B anonymous
++matches unbound operations; the 
++.B pattern
++field is ignored.
++The same behavior is obtained by using the 
++.B anonymous
++form of the
++.B <selector>
++clause.
++The term
++.BR group ,
++with the optional objectClass
++.B oc
++and attributeType
++.B at
++fields, followed by
++.BR pattern ,
++sets the limits for any DN listed in the values of the
++.B at
++attribute (default
++.BR member )
++of the 
++.B oc
++group objectClass (default
++.BR groupOfNames )
++whose DN exactly matches
++.BR pattern .
++
++The currently supported limits are 
++.B size
++and 
++.BR time .
++
++The syntax for time limits is 
++.BR time[.{soft|hard}]=<integer> ,
++where 
++.I integer
++is the number of seconds slapd will spend answering a search request.
++If no time limit is explicitly requested by the client, the 
++.BR soft
++limit is used; if the requested time limit exceeds the
++.BR hard
++.\"limit, an
++.\".I "Administrative limit exceeded"
++.\"error is returned.
++limit, the value of the limit is used instead.
++If the
++.BR hard
++limit is set to the keyword 
++.IR soft ,
++the soft limit is used in either case; if it is set to the keyword 
++.IR unlimited , 
++no hard limit is enforced.
++Explicit requests for time limits smaller or equal to the
++.BR hard 
++limit are honored.
++If no limit specifier is set, the value is assigned to the 
++.BR soft 
++limit, and the
++.BR hard
++limit is set to
++.IR soft ,
++to preserve the original behavior.
++
++The syntax for size limits is
++.BR size[.{soft|hard|unchecked}]=<integer> ,
++where
++.I integer
++is the maximum number of entries slapd will return answering a search 
++request.
++If no size limit is explicitly requested by the client, the
++.BR soft
++limit is used; if the requested size limit exceeds the
++.BR hard
++.\"limit, an 
++.\".I "Administrative limit exceeded"
++.\"error is returned.
++limit, the value of the limit is used instead.
++If the 
++.BR hard
++limit is set to the keyword 
++.IR soft , 
++the soft limit is used in either case; if it is set to the keyword
++.IR unlimited , 
++no hard limit is enforced.
++Explicit requests for size limits smaller or equal to the
++.BR hard
++limit are honored.
++The
++.BR unchecked
++specifier sets a limit on the number of candidates a search request is allowed
++to examine.
++The rationale behind it is that searches for non-properly indexed
++attributes may result in large sets of candidates, which must be 
++examined by
++.BR slapd (8)
++to determine whether they match the search filter or not.
++The
++.B unchecked
++limit provides a means to drop such operations before they are even 
++started.
++If the selected candidates exceed the 
++.BR unchecked
++limit, the search will abort with 
++.IR "Unwilling to perform" .
++If it is set to the keyword 
++.IR unlimited , 
++no limit is applied (the default).
++If it is set to
++.IR disabled ,
++the search is not even performed; this can be used to disallow searches
++for a specific set of users.
++If no limit specifier is set, the value is assigned to the
++.BR soft 
++limit, and the
++.BR hard
++limit is set to
++.IR soft ,
++to preserve the original behavior.
++
++In case of no match, the global limits are used.
++The default values are the same as for
++.B olcSizeLimit
++and
++.BR olcTimeLimit ;
++no limit is set on 
++.BR unchecked .
++
++If 
++.B pagedResults
++control is requested, the 
++.B hard
++size limit is used by default, because the request of a specific page size
++is considered an explicit request for a limitation on the number
++of entries to be returned.
++However, the size limit applies to the total count of entries returned within
++the search, and not to a single page.
++Additional size limits may be enforced; the syntax is
++.BR size.pr={<integer>|noEstimate|unlimited} ,
++where
++.I integer
++is the max page size if no explicit limit is set; the keyword
++.I noEstimate
++inhibits the server from returning an estimate of the total number
++of entries that might be returned
++(note: the current implementation does not return any estimate).
++The keyword
++.I unlimited
++indicates that no limit is applied to the pagedResults control page size.
++The syntax
++.B size.prtotal={<integer>|hard|unlimited|disabled}
++allows one to set a limit on the total number of entries that the pagedResults
++control will return.
++By default it is set to the 
++.B hard
++limit which will use the size.hard value.
++When set, 
++.I integer
++is the max number of entries that the whole search with pagedResults control
++can return.
++Use 
++.I unlimited
++to allow unlimited number of entries to be returned, e.g. to allow
++the use of the pagedResults control as a means to circumvent size 
++limitations on regular searches; the keyword
++.I disabled
++disables the control, i.e. no paged results can be returned.
++Note that the total number of entries returned when the pagedResults control 
++is requested cannot exceed the 
++.B hard 
++size limit of regular searches unless extended by the
++.B prtotal
++switch.
++
++The \fBolcLimits\fP statement is typically used to let an unlimited
++number of entries be returned by searches performed
++with the identity used by the consumer for synchronization purposes
++by means of the RFC 4533 LDAP Content Synchronization protocol
++(see \fBolcSyncrepl\fP for details).
++
++When using subordinate databases, it is necessary for any limits that
++are to be applied across the parent and its subordinates to be defined in
++both the parent and its subordinates. Otherwise the settings on the
++subordinate databases are not honored.
++.RE
++.TP
++.B olcMaxDerefDepth: <depth>
++Specifies the maximum number of aliases to dereference when trying to
++resolve an entry, used to avoid infinite alias loops. The default is 15.
++.TP
++.B olcMultiProvider: TRUE | FALSE
++This option puts a consumer database into Multi-Provider mode.  Update
++operations will be accepted from any user, not just the updatedn.  The
++database must already be configured as a syncrepl consumer
++before this keyword may be set. This mode also requires a
++.B olcServerID
++(see above) to be configured.
++By default, this setting is FALSE.
++.TP
++.B olcMonitoring: TRUE | FALSE
++This option enables database-specific monitoring in the entry related
++to the current database in the "cn=Databases,cn=Monitor" subtree
++of the monitor database, if the monitor database is enabled.
++Currently, only the MDB database provides database-specific monitoring.
++If monitoring is supported by the backend it defaults to TRUE, otherwise
++FALSE.
++.TP
++.B olcPlugin: <plugin_type> <lib_path> <init_function> [<arguments>]
++Configure a SLAPI plugin. See the
++.BR slapd.plugin (5)
++manpage for more details.
++.TP
++.B olcRootDN: <dn>
++Specify the distinguished name that is not subject to access control 
++or administrative limit restrictions for operations on this database.
++This DN may or may not be associated with an entry.  An empty root
++DN (the default) specifies no root access is to be granted.  It is
++recommended that the rootdn only be specified when needed (such as
++when initially populating a database).  If the rootdn is within
++a namingContext (suffix) of the database, a simple bind password
++may also be provided using the
++.B olcRootPW
++directive. Many optional features, including syncrepl, require the
++rootdn to be defined for the database.
++The
++.B olcRootDN
++of the
++.B cn=config
++database defaults to
++.B cn=config
++itself.
++.TP
++.B olcRootPW: <password>
++Specify a password (or hash of the password) for the rootdn.  The
++password can only be set if the rootdn is within the namingContext
++(suffix) of the database.
++This option accepts all RFC 2307 userPassword formats known to
++the server (see 
++.B olcPasswordHash
++description) as well as cleartext.
++.BR slappasswd (8) 
++may be used to generate a hash of a password.  Cleartext
++and \fB{CRYPT}\fP passwords are not recommended.  If empty
++(the default), authentication of the root DN is by other means
++(e.g. SASL).  Use of SASL is encouraged.
++.TP
++.B olcSubordinate: [TRUE | FALSE | advertise]
++Specify that the current backend database is a subordinate of another
++backend database. A subordinate  database may have only one suffix. This
++option may be used to glue multiple databases into a single namingContext.
++If the suffix of the current database is within the namingContext of a
++superior database, searches against the superior database will be
++propagated to the subordinate as well. All of the databases
++associated with a single namingContext should have identical rootdns.
++Behavior of other LDAP operations is unaffected by this setting. In
++particular, it is not possible to use moddn to move an entry from
++one subordinate to another subordinate within the namingContext.
++
++If the optional \fBadvertise\fP flag is supplied, the naming context of
++this database is advertised in the root DSE. The default is to hide this
++database context, so that only the superior context is visible.
++
++If the slap tools
++.BR slapcat (8),
++.BR slapadd (8),
++.BR slapmodify (8),
++or
++.BR slapindex (8)
++are used on the superior database, any glued subordinates that support
++these tools are opened as well.
++
++Databases that are glued together should usually be configured with the
++same indices (assuming they support indexing), even for attributes that
++only exist in some of these databases. In general, all of the glued
++databases should be configured as similarly as possible, since the intent
++is to provide the appearance of a single directory.
++
++Note that the subordinate functionality is implemented internally
++by the \fIglue\fP overlay and as such its behavior will interact with other
++overlays in use. By default, the glue overlay is automatically configured as
++the last overlay on the superior database. Its position on the database
++can be explicitly configured by setting an \fBoverlay glue\fP directive
++at the desired position. This explicit configuration is necessary e.g.
++when using the \fIsyncprov\fP overlay, which needs to follow \fIglue\fP
++in order to work over all of the glued databases. E.g.
++.RS
++.nf
++	dn: olcDatabase={1}mdb,cn=config
++	olcSuffix: dc=example,dc=com
++	...
++
++	dn: olcOverlay={0}glue,olcDatabase={1}mdb,cn=config
++	...
++
++	dn: olcOverlay={1}syncprov,olcDatabase={1}mdb,cn=config
++	...
++.fi
++.RE
++See the Overlays section below for more details.
++.TP
++.B olcSuffix: <dn suffix>
++Specify the DN suffix of queries that will be passed to this 
++backend database.  Multiple suffix lines can be given and at least one is 
++required for each database definition.
++
++If the suffix of one database is "inside" that of another, the database
++with the inner suffix must come first in the configuration file.
++You may also want to glue such databases together with the
++.B olcSubordinate
++attribute.
++.TP
++.B olcSyncUseSubentry: TRUE | FALSE
++Store the syncrepl contextCSN in a subentry instead of the context entry
++of the database. The subentry's RDN will be "cn=ldapsync". The default is
++FALSE, meaning the contextCSN is stored in the context entry.
++.HP
++.hy 0
++.B olcSyncrepl: rid=<replica ID>
++.B provider=ldap[s]://<hostname>[:port]
++.B searchbase=<base DN>
++.B [type=refreshOnly|refreshAndPersist]
++.B [interval=dd:hh:mm:ss]
++.B [retry=[<retry interval> <# of retries>]+]
++.B [filter=<filter str>]
++.B [scope=sub|one|base|subord]
++.B [attrs=<attr list>]
++.B [exattrs=<attr list>]
++.B [attrsonly]
++.B [sizelimit=<limit>]
++.B [timelimit=<limit>]
++.B [schemachecking=on|off]
++.B [network\-timeout=<seconds>]
++.B [timeout=<seconds>]
++.B [tcp\-user\-timeout=<milliseconds>]
++.B [bindmethod=simple|sasl]
++.B [binddn=<dn>]
++.B [saslmech=<mech>]
++.B [authcid=<identity>]
++.B [authzid=<identity>]
++.B [credentials=<passwd>]
++.B [realm=<realm>]
++.B [secprops=<properties>]
++.B [keepalive=<idle>:<probes>:<interval>]
++.B [starttls=yes|critical]
++.B [tls_cert=<file>]
++.B [tls_key=<file>]
++.B [tls_cacert=<file>]
++.B [tls_cacertdir=<path>]
++.B [tls_reqcert=never|allow|try|demand]
++.B [tls_reqsan=never|allow|try|demand]
++.B [tls_cipher_suite=<ciphers>]
++.B [tls_ecname=<names>]
++.B [tls_crlcheck=none|peer|all]
++.B [tls_protocol_min=<major>[.<minor>]]
++.B [suffixmassage=<real DN>]
++.B [logbase=<base DN>]
++.B [logfilter=<filter str>]
++.B [syncdata=default|accesslog|changelog]
++.B [lazycommit]
++.RS
++Specify the current database as a consumer which is kept up-to-date with the 
++provider content by establishing the current
++.BR slapd (8)
++as a replication consumer site running a
++.B syncrepl
++replication engine.
++The consumer content is kept synchronized to the provider content using
++the LDAP Content Synchronization protocol. Refer to the
++"OpenLDAP Administrator's Guide" for detailed information on
++setting up a replicated
++.B slapd
++directory service using the 
++.B syncrepl
++replication engine.
++
++.B rid
++identifies the current
++.B syncrepl
++directive within the replication consumer site.
++It is a non-negative integer not greater than 999 (limited
++to three decimal digits).
++
++.B provider
++specifies the replication provider site containing the provider content
++as an LDAP URI. If <port> is not given, the standard LDAP port number
++(389 or 636) is used.
++
++The content of the
++.B syncrepl
++consumer is defined using a search
++specification as its result set. The consumer
++.B slapd
++will send search requests to the provider
++.B slapd
++according to the search specification. The search specification includes
++.BR searchbase ", " scope ", " filter ", " attrs ", " attrsonly ", " sizelimit ", "
++and
++.B timelimit
++parameters as in the normal search specification. The
++.B exattrs
++option may also be used to specify attributes that should be omitted
++from incoming entries.
++The \fBscope\fP defaults to \fBsub\fP, the \fBfilter\fP defaults to
++\fB(objectclass=*)\fP, and there is no default \fBsearchbase\fP. The
++\fBattrs\fP list defaults to \fB"*,+"\fP to return all user and operational
++attributes, and \fBattrsonly\fP and \fBexattrs\fP are unset by default.
++The \fBsizelimit\fP and \fBtimelimit\fP only
++accept "unlimited" and positive integers, and both default to "unlimited".
++The \fBsizelimit\fP and \fBtimelimit\fP parameters define
++a consumer requested limitation on the number of entries that can be returned
++by the LDAP Content Synchronization operation; as such, it is intended
++to implement partial replication based on the size of the replicated database
++and on the time required by the synchronization.
++Note, however, that any provider-side limits for the replication identity
++will be enforced by the provider regardless of the limits requested
++by the LDAP Content Synchronization operation, much like for any other
++search operation.
++
++The LDAP Content Synchronization protocol has two operation types.
++In the
++.B refreshOnly
++operation, the next synchronization search operation
++is periodically rescheduled at an interval time (specified by 
++.B interval
++parameter; 1 day by default)
++after each synchronization operation finishes.
++In the
++.B refreshAndPersist
++operation, a synchronization search remains persistent in the provider slapd.
++Further updates to the provider will generate
++.B searchResultEntry
++to the consumer slapd as the search responses to the persistent
++synchronization search. If the initial search fails due to an error, the
++next synchronization search operation is periodically rescheduled at an
++interval time (specified by
++.B interval
++parameter; 1 day by default)
++
++If an error occurs during replication, the consumer will attempt to
++reconnect according to the
++.B retry
++parameter which is a list of the <retry interval> and <# of retries> pairs.
++For example, retry="60 10 300 3" lets the consumer retry every 60 seconds
++for the first 10 times and then retry every 300 seconds for the next 3
++times before stop retrying. The `+' in <# of retries> means indefinite
++number of retries until success.
++If no
++.B retry
++is specified, by default syncrepl retries every hour forever.
++
++The schema checking can be enforced at the LDAP Sync
++consumer site by turning on the
++.B schemachecking
++parameter. The default is \fBoff\fP.
++Schema checking \fBon\fP means that replicated entries must have
++a structural objectClass, must obey to objectClass requirements
++in terms of required/allowed attributes, and that naming attributes
++and distinguished values must be present.
++As a consequence, schema checking should be \fBoff\fP when partial
++replication is used.
++
++The
++.B network\-timeout
++parameter sets how long the consumer will wait to establish a
++network connection to the provider. Once a connection is
++established, the
++.B timeout
++parameter determines how long the consumer will wait for the initial
++Bind request to complete. The defaults for these parameters come
++from 
++.BR ldap.conf (5).
++The
++.B tcp\-user\-timeout
++parameter, if non-zero, corresponds to the
++.B TCP_USER_TIMEOUT
++set on the target connections, overriding the operating system setting.
++Only some systems support the customization of this parameter, it is
++ignored otherwise and system-wide settings are used.
++
++A
++.B bindmethod
++of 
++.B simple
++requires the options 
++.B binddn
++and 
++.B credentials
++and should only be used when adequate security services
++(e.g. TLS or IPSEC) are in place.
++.B REMEMBER: simple bind credentials must be in cleartext!
++A
++.B bindmethod
++of
++.B sasl
++requires the option
++.B saslmech.
++Depending on the mechanism, an authentication identity and/or
++credentials can be specified using
++.B authcid
++and
++.B credentials.
++The
++.B authzid
++parameter may be used to specify an authorization identity.
++Specific security properties (as with the
++.B sasl\-secprops
++keyword above) for a SASL bind can be set with the
++.B secprops
++option. A non default SASL realm can be set with the
++.B realm 
++option.
++The identity used for synchronization by the consumer should be allowed
++to receive an unlimited number of entries in response to a search request.
++The provider, other than allowing authentication of the syncrepl identity,
++should grant that identity appropriate access privileges to the data
++that is being replicated (\fBaccess\fP directive), and appropriate time
++and size limits.
++This can be accomplished by either allowing unlimited \fBsizelimit\fP
++and \fBtimelimit\fP, or by setting an appropriate \fBlimits\fP statement
++in the consumer's configuration (see \fBsizelimit\fP and \fBlimits\fP
++for details).
++
++The
++.B keepalive
++parameter sets the values of \fIidle\fP, \fIprobes\fP, and \fIinterval\fP
++used to check whether a socket is alive;
++.I idle
++is the number of seconds a connection needs to remain idle before TCP 
++starts sending keepalive probes;
++.I probes
++is the maximum number of keepalive probes TCP should send before dropping
++the connection;
++.I interval
++is interval in seconds between individual keepalive probes.
++Only some systems support the customization of these values;
++the
++.B keepalive
++parameter is ignored otherwise, and system-wide settings are used.
++
++The
++.B starttls
++parameter specifies use of the StartTLS extended operation
++to establish a TLS session before Binding to the provider. If the
++.B critical
++argument is supplied, the session will be aborted if the StartTLS request
++fails. Otherwise the syncrepl session continues without TLS. The
++.B tls_reqcert
++setting defaults to "demand", the
++.B tls_reqsan
++setting defaults to "allow", and the other TLS settings
++default to the same as the main slapd TLS settings.
++
++The
++.B suffixmassage
++parameter allows the consumer to pull entries from a remote directory
++whose DN suffix differs from the local directory. The portion of the
++remote entries' DNs that matches the \fIsearchbase\fP will be replaced
++with the suffixmassage DN.
++
++Rather than replicating whole entries, the consumer can query logs of
++data modifications. This mode of operation is referred to as \fIdelta
++syncrepl\fP. In addition to the above parameters, the
++.B logbase
++and
++.B logfilter
++parameters must be set appropriately for the log that will be used. The
++.B syncdata
++parameter must be set to either "accesslog" if the log conforms to the
++.BR slapo\-accesslog (5)
++log format, or "changelog" if the log conforms
++to the obsolete \fIchangelog\fP format. If the
++.B syncdata
++parameter is omitted or set to "default" then the log parameters are
++ignored.
++
++The
++.B lazycommit
++parameter tells the underlying database that it can store changes without
++performing a full flush after each change. This may improve performance
++for the consumer, while sacrificing safety or durability.
++.RE
++.TP
++.B olcUpdateDN: <dn>
++This option is only applicable in a replica
++database.
++It specifies the DN permitted to update (subject to access controls)
++the replica.  It is only needed in certain push-mode
++replication scenarios.  Generally, this DN
++.I should not
++be the same as the
++.B rootdn 
++used at the provider.
++.TP
++.B olcUpdateRef: <url>
++Specify the referral to pass back when
++.BR slapd (8)
++is asked to modify a replicated local database.
++If multiple values are specified, each url is provided.
++
++.SH DATABASE-SPECIFIC OPTIONS
++Each database may allow specific configuration options; they are
++documented separately in the backends' manual pages. See the
++.BR slapd.backends (5)
++manual page for an overview of available backends.
++.SH OVERLAYS
++An overlay is a piece of
++code that intercepts database operations in order to extend or change
++them. Overlays are pushed onto
++a stack over the database, and so they will execute in the reverse
++of the order in which they were configured and the database itself
++will receive control last of all.
++
++Overlays must be configured as child entries of a specific database. The
++entry's RDN must be of the form
++.B olcOverlay={x}<overlaytype>
++and the entry must have the olcOverlayConfig objectClass. Normally the
++config engine generates the "{x}" index in the RDN automatically, so
++it can be omitted when initially loading these entries.
++
++See the
++.BR slapd.overlays (5)
++manual page for an overview of available overlays.
++.SH EXAMPLES
++.LP
++Here is a short example of a configuration in LDIF suitable for use with
++.BR slapadd (8)
++:
++.LP
++.RS
++.nf
++dn: cn=config
++objectClass: olcGlobal
++cn: config
++olcPidFile: LOCALSTATEDIR/run/slapd.pid
++olcAttributeOptions: x\-hidden lang\-
++
++dn: cn=schema,cn=config
++objectClass: olcSchemaConfig
++cn: schema
++
++include: file://SYSCONFDIR/schema/core.ldif
++
++dn: olcDatabase=frontend,cn=config
++objectClass: olcDatabaseConfig
++objectClass: olcFrontendConfig
++olcDatabase: frontend
++# Subtypes of "name" (e.g. "cn" and "ou") with the
++# option ";x\-hidden" can be searched for/compared,
++# but are not shown.  See \fBslapd.access\fP(5).
++olcAccess: to attrs=name;x\-hidden by * =cs
++# Protect passwords.  See \fBslapd.access\fP(5).
++olcAccess: to attrs=userPassword  by * auth
++# Read access to other attributes and entries.
++olcAccess: to * by * read
++
++# set a rootpw for the config database so we can bind.
++# deny access to everyone else.
++dn: olcDatabase=config,cn=config
++objectClass: olcDatabaseConfig
++olcDatabase: config
++olcRootPW: {SSHA}XKYnrjvGT3wZFQrDD5040US592LxsdLy
++olcAccess: to * by * none
++
++dn: olcDatabase=mdb,cn=config
++objectClass: olcDatabaseConfig
++objectClass: olcMdbConfig
++olcDatabase: mdb
++olcSuffix: "dc=our\-domain,dc=com"
++# The database directory MUST exist prior to
++# running slapd AND should only be accessible
++# by the slapd/tools. Mode 0700 recommended.
++olcDbDirectory: LOCALSTATEDIR/openldap\-data
++# Indices to maintain
++olcDbIndex:     objectClass  eq
++olcDbIndex:     cn,sn,mail   pres,eq,approx,sub
++
++# We serve small clients that do not handle referrals,
++# so handle remote lookups on their behalf.
++dn: olcDatabase=ldap,cn=config
++objectClass: olcDatabaseConfig
++objectClass: olcLdapConfig
++olcDatabase: ldap
++olcSuffix: ""
++olcDbUri: ldap://ldap.some\-server.com/
++.fi
++.RE
++.LP
++Assuming the above data was saved in a file named "config.ldif" and the
++ETCDIR/slapd.d directory has been created, this command will initialize
++the configuration:
++.RS
++.nf
++slapadd \-F ETCDIR/slapd.d \-n 0 \-l config.ldif
++.fi
++.RE
++
++.LP
++"OpenLDAP Administrator's Guide" contains a longer annotated
++example of a slapd configuration.
++
++Alternatively, an existing slapd.conf file can be converted to the new
++format using slapd or any of the slap tools:
++.RS
++.nf
++slaptest \-f ETCDIR/slapd.conf \-F ETCDIR/slapd.d
++.fi
++.RE
++
++.SH FILES
++.TP
++ETCDIR/slapd.conf
++default slapd configuration file
++.TP
++ETCDIR/slapd.d
++default slapd configuration directory
++.SH SEE ALSO
++.BR ldap (3),
++.BR ldif (5),
++.BR gnutls\-cli (1),
++.BR slapd.access (5),
++.BR slapd.backends (5),
++.BR slapd.conf (5),
++.BR slapd.overlays (5),
++.BR slapd.plugin (5),
++.BR slapd (8),
++.BR slapacl (8),
++.BR slapadd (8),
++.BR slapauth (8),
++.BR slapcat (8),
++.BR slapdn (8),
++.BR slapindex (8),
++.BR slapmodify (8),
++.BR slappasswd (8),
++.BR slaptest (8).
++.LP
++"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
++.SH ACKNOWLEDGEMENTS
++.so ../Project
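Review bot: the EXAMPLES section of the added slapd-config.5 still shows the old default paths, `olcPidFile: LOCALSTATEDIR/run/slapd.pid` and `olcDbDirectory: LOCALSTATEDIR/openldap\-data`, while the rest of this patch moves the defaults to `run/openldap/slapd.pid` and `lib/openldap` (ldap_defaults.h, slapd.conf, slapd.ldif). Consider updating those two example lines so the man page matches the shipped configuration; an admin copying the example would otherwise point slapd at a data directory that install-db-config no longer creates.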
+diff -Naurp openldap-2.6.1.orig/doc/man/man8/lloadd.8 openldap-2.6.1/doc/man/man8/lloadd.8
+--- openldap-2.6.1.orig/doc/man/man8/lloadd.8	2022-01-19 12:32:34.000000000 -0600
++++ openldap-2.6.1/doc/man/man8/lloadd.8	2022-02-13 15:55:12.222721830 -0600
+@@ -5,7 +5,7 @@
+ .SH NAME
+ lloadd \- LDAP Load Balancer Daemon
+ .SH SYNOPSIS
+-.B LIBEXECDIR/lloadd
++.B SBINDIR/lloadd
+ [\c
+ .BR \-4 | \-6 ]
+ [\c
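Review bot: the SYNOPSIS now reads `.B SBINDIR/lloadd`, but the only install-target change in this patch is for slapd (servers/slapd/Makefile.in, install-slapd); no corresponding move of lloadd to `$(sbindir)` is visible. If lloadd is built and installed, confirm its install rule was changed as well, otherwise the man page advertises a path that does not exist on the installed system.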
+diff -Naurp openldap-2.6.1.orig/doc/man/man8/slapd.8 openldap-2.6.1/doc/man/man8/slapd.8
+--- openldap-2.6.1.orig/doc/man/man8/slapd.8	2022-01-19 12:32:34.000000000 -0600
++++ openldap-2.6.1/doc/man/man8/slapd.8	2022-02-13 15:55:00.466773546 -0600
+@@ -5,7 +5,7 @@
+ .SH NAME
+ slapd \- Stand-alone LDAP Daemon
+ .SH SYNOPSIS
+-.B LIBEXECDIR/slapd 
++.B SBINDIR/slapd 
+ [\c
+ .BR \-V [ V [ V ]]
+ [\c
+diff -Naurp openldap-2.6.1.orig/include/ldap_defaults.h openldap-2.6.1/include/ldap_defaults.h
+--- openldap-2.6.1.orig/include/ldap_defaults.h	2022-01-19 12:32:34.000000000 -0600
++++ openldap-2.6.1/include/ldap_defaults.h	2022-02-13 15:54:13.654979570 -0600
+@@ -39,7 +39,7 @@
+ #define LDAP_ENV_PREFIX "LDAP"
+ 
+ /* default ldapi:// socket */
+-#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi"
++#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "openldap" LDAP_DIRSEP "ldapi"
+ 
+ /*
+  * SLAPD DEFINITIONS
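Review bot: `LDAPI_SOCK` now lives under a `run/openldap` subdirectory, but nothing in this patch creates that directory (install-slapd still only creates `$(localstatedir)/run`). The directory must exist before slapd starts, owned by the slapd user with a restrictive mode, because its permissions decide which local users can reach the ldapi:// socket at all; the initscript or a tmpfiles-style step should create it, and the pidfile and argsfile moved into the same directory by the slapd.conf and slapd.ldif hunks depend on it too.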
+@@ -47,7 +47,7 @@
+ 	/* location of the default slapd config file */
+ #define SLAPD_DEFAULT_CONFIGFILE	LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.conf"
+ #define SLAPD_DEFAULT_CONFIGDIR		LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.d"
+-#define SLAPD_DEFAULT_DB_DIR		LDAP_RUNDIR LDAP_DIRSEP "openldap-data"
++#define SLAPD_DEFAULT_DB_DIR        LDAP_RUNDIR LDAP_DIRSEP "lib" LDAP_DIRSEP "openldap"
+ #define SLAPD_DEFAULT_DB_MODE		0600
+ #define SLAPD_DEFAULT_UCDATA		LDAP_DATADIR LDAP_DIRSEP "ucdata"
+ 	/* default max deref depth for aliases */
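Review bot: style point on the `SLAPD_DEFAULT_DB_DIR` line: the replacement aligns the value with spaces where the neighbouring `SLAPD_DEFAULT_CONFIGFILE` and `SLAPD_DEFAULT_DB_MODE` defines use tabs. The new value (`LDAP_RUNDIR/lib/openldap`) is consistent with the install-db-config, slapd.conf and slapd.ldif changes elsewhere in this patch, so only the whitespace needs fixing.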
+diff -Naurp openldap-2.6.1.orig/libraries/liblber/Makefile.in openldap-2.6.1/libraries/liblber/Makefile.in
+--- openldap-2.6.1.orig/libraries/liblber/Makefile.in	2022-01-19 12:32:34.000000000 -0600
++++ openldap-2.6.1/libraries/liblber/Makefile.in	2022-02-13 15:54:13.654979570 -0600
+@@ -51,6 +51,6 @@ idtest:  $(XLIBS) idtest.o
+ 
+ install-local: FORCE
+ 	-$(MKDIR) $(DESTDIR)$(libdir)
+-	$(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir)
++	$(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir)
+ 	$(LTFINISH) $(DESTDIR)$(libdir)
+ 
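Review bot: the commit message does not say why the library install mode changes from `-m 644` to `-m 755`; the same change appears below for libldap and for the slapi library. The dynamic linker does not need the execute bit set on a shared object to load it, so either state the reason in the commit message (for example a packaging convention that expects 755 on shared libraries) or keep 644.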
+diff -Naurp openldap-2.6.1.orig/libraries/libldap/Makefile.in openldap-2.6.1/libraries/libldap/Makefile.in
+--- openldap-2.6.1.orig/libraries/libldap/Makefile.in	2022-01-19 12:32:34.000000000 -0600
++++ openldap-2.6.1/libraries/libldap/Makefile.in	2022-02-13 15:54:13.654979570 -0600
+@@ -82,7 +82,7 @@ CFFILES=ldap.conf
+ 
+ install-local: $(CFFILES) FORCE
+ 	-$(MKDIR) $(DESTDIR)$(libdir)
+-	$(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir)
++	$(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir)
+ 	$(LTFINISH) $(DESTDIR)$(libdir)
+ 	-$(MKDIR) $(DESTDIR)$(sysconfdir)
+ 	@for i in $(CFFILES); do \
+diff -Naurp openldap-2.6.1.orig/servers/slapd/Makefile.in openldap-2.6.1/servers/slapd/Makefile.in
+--- openldap-2.6.1.orig/servers/slapd/Makefile.in	2022-01-19 12:32:34.000000000 -0600
++++ openldap-2.6.1/servers/slapd/Makefile.in	2022-02-13 15:54:13.655979565 -0600
+@@ -374,9 +374,10 @@ install-local-srv: install-slapd install
+ 
+ install-slapd: FORCE
+ 	-$(MKDIR) $(DESTDIR)$(libexecdir)
++	-$(MKDIR) $(DESTDIR)$(sbindir)
+ 	-$(MKDIR) $(DESTDIR)$(localstatedir)/run
+ 	$(LTINSTALL) $(INSTALLFLAGS) $(STRIP_OPTS) -m 755 \
+-		slapd$(EXEEXT) $(DESTDIR)$(libexecdir)
++		slapd$(EXEEXT) $(DESTDIR)$(sbindir)
+ 	@for i in $(SUBDIRS); do \
+ 	    if test -d $$i && test -f $$i/Makefile ; then \
+ 		echo; echo "  cd $$i && $(MAKE) $(MFLAGS) install"; \
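Review bot: install-slapd now creates `$(sbindir)` but still only creates `$(localstatedir)/run`, while this same patch moves the pidfile, argsfile and ldapi socket into `$(localstatedir)/run/openldap` (ldap_defaults.h, slapd.conf, slapd.ldif). Either add `-$(MKDIR) $(DESTDIR)$(localstatedir)/run/openldap` next to the existing mkdir, or make sure the packaging creates that directory at boot with slapd ownership; otherwise slapd cannot write its pidfile or bind the socket on first start.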
+@@ -452,9 +453,9 @@ install-conf: FORCE
+ 
+ install-db-config: FORCE
+ 	@-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir)
+-	@-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data
++	@-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/lib/openldap
+ 	$(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
+-		$(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example
++		$(DESTDIR)$(localstatedir)/lib/openldap/DB_CONFIG.example
+ 	$(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
+ 		$(DESTDIR)$(sysconfdir)/DB_CONFIG.example
+ 
+@@ -462,6 +463,6 @@ install-tools: FORCE
+ 	-$(MKDIR) $(DESTDIR)$(sbindir)
+ 	for i in $(SLAPTOOLS); do \
+ 		$(RM) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \
+-		$(LN_S) -f $(DESTDIR)$(libexecdir)/slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \
++		$(LN_S) -f $(DESTDIR)$(sbindir)/slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \
+ 	done
+ 
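Review bot: now that slapd is installed into `$(sbindir)` alongside the tool links, the `$(LN_S)` target could simply be the relative name `slapd$(EXEEXT)` instead of `$(DESTDIR)$(sbindir)/slapd$(EXEEXT)`. As written, a staged install with `DESTDIR` set produces symlinks whose absolute target contains the staging prefix and which dangle once the tree is moved to its final location; that was already true of the libexecdir target, but the move to the same directory makes a relative link the obvious fix.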
+diff -Naurp openldap-2.6.1.orig/servers/slapd/slapd.conf openldap-2.6.1/servers/slapd/slapd.conf
+--- openldap-2.6.1.orig/servers/slapd/slapd.conf	2022-01-19 12:32:34.000000000 -0600
++++ openldap-2.6.1/servers/slapd/slapd.conf	2022-02-13 15:54:13.655979565 -0600
+@@ -10,8 +10,9 @@ include		%SYSCONFDIR%/schema/core.schema
+ # service AND an understanding of referrals.
+ #referral	ldap://root.openldap.org
+ 
+-pidfile		%LOCALSTATEDIR%/run/slapd.pid
+-argsfile	%LOCALSTATEDIR%/run/slapd.args
++pidfile		%LOCALSTATEDIR%/run/openldap/slapd.pid
++argsfile	%LOCALSTATEDIR%/run/openldap/slapd.args
++
+ 
+ # Load dynamic backend modules:
+ modulepath	%MODULEDIR%
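Review bot: the hunk adds a second consecutive blank line after `argsfile` (the extra `++` empty line), which is unrelated noise in the consolidated patch; drop it so the hunk carries only the two path changes.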
+@@ -69,7 +70,7 @@ rootpw		secret
+ # The database directory MUST exist prior to running slapd AND 
+ # should only be accessible by the slapd and slap tools.
+ # Mode 700 recommended.
+-directory	%LOCALSTATEDIR%/openldap-data
++directory	%LOCALSTATEDIR%/lib/openldap
+ # Indices to maintain
+ index	objectClass	eq
+ 
+diff -Naurp openldap-2.6.1.orig/servers/slapd/slapd.ldif openldap-2.6.1/servers/slapd/slapd.ldif
+--- openldap-2.6.1.orig/servers/slapd/slapd.ldif	2022-01-19 12:32:34.000000000 -0600
++++ openldap-2.6.1/servers/slapd/slapd.ldif	2022-02-13 15:54:13.655979565 -0600
+@@ -9,8 +9,8 @@ cn: config
+ #
+ # Define global ACLs to disable default read access.
+ #
+-olcArgsFile: %LOCALSTATEDIR%/run/slapd.args
+-olcPidFile: %LOCALSTATEDIR%/run/slapd.pid
++olcArgsFile: %LOCALSTATEDIR%/run/openldap/slapd.args
++olcPidFile: %LOCALSTATEDIR%/run/openldap/slapd.pid
+ #
+ # Do not enable referrals until AFTER you have a working directory
+ # service AND an understanding of referrals.
+@@ -88,7 +88,7 @@ olcRootPW: secret
+ # The database directory MUST exist prior to running slapd AND 
+ # should only be accessible by the slapd and slap tools.
+ # Mode 700 recommended.
+-olcDbDirectory:	%LOCALSTATEDIR%/openldap-data
++olcDbDirectory:	%LOCALSTATEDIR%/lib/openldap
+ # Indices to maintain
+ olcDbIndex: objectClass eq
+ 
+diff -Naurp openldap-2.6.1.orig/servers/slapd/slapi/Makefile.in openldap-2.6.1/servers/slapd/slapi/Makefile.in
+--- openldap-2.6.1.orig/servers/slapd/slapi/Makefile.in	2022-01-19 12:32:34.000000000 -0600
++++ openldap-2.6.1/servers/slapd/slapi/Makefile.in	2022-02-13 15:54:13.655979565 -0600
+@@ -46,6 +46,6 @@ BUILD_MOD = @BUILD_SLAPI@
+ install-local: FORCE
+ 	if test "$(BUILD_MOD)" = "yes"; then \
+ 		$(MKDIR) $(DESTDIR)$(libdir); \
+-		$(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir); \
++		$(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir); \
+ 	fi
+ 
diff --git a/src/patches/openldap-gcc44-fixes.patch b/src/patches/openldap-gcc44-fixes.patch
deleted file mode 100644
index 53b8ea047..000000000
--- a/src/patches/openldap-gcc44-fixes.patch
+++ /dev/null
@@ -1,31 +0,0 @@ 
---- include/ldap_pvt_thread.h~	2008-11-12 07:37:16.000000000 +0000
-+++ include/ldap_pvt_thread.h	2008-11-12 08:01:45.000000000 +0000
-@@ -59,12 +59,12 @@
- 
- #ifndef LDAP_PVT_THREAD_H_DONE
- #define	LDAP_PVT_THREAD_SET_STACK_SIZE
--#ifndef LDAP_PVT_THREAD_STACK_SIZE
--	/* LARGE stack. Will be twice as large on 64 bit machine. */
--#define LDAP_PVT_THREAD_STACK_SIZE	( 1 * 1024 * 1024 * sizeof(void *) )
- /* May be explicitly defined to zero to disable it */
--#elif LDAP_PVT_THREAD_STACK_SIZE == 0
-+#if LDAP_PVT_THREAD_STACK_SIZE == 0
- #undef LDAP_PVT_THREAD_SET_STACK_SIZE
-+#elif !defined(LDAP_PVT_THREAD_STACK_SIZE)
-+	/* LARGE stack. Will be twice as large on 64 bit machine. */
-+#define LDAP_PVT_THREAD_STACK_SIZE	( 1 * 1024 * 1024 * sizeof(void *) )
- #endif
- #endif /* !LDAP_PVT_THREAD_H_DONE */
- 
---- libraries/libldap/os-ip.c~	2008-11-12 07:33:10.000000000 +0000
-+++ libraries/libldap/os-ip.c	2008-11-12 07:33:31.000000000 +0000
-@@ -690,7 +690,7 @@
- 		char *herr;
- #ifdef NI_MAXHOST
- 		char hbuf[NI_MAXHOST];
--#elif defined( MAXHOSTNAMELEN
-+#elif defined( MAXHOSTNAMELEN )
- 		char hbuf[MAXHOSTNAMELEN];
- #else
- 		char hbuf[256];
-
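Review bot: deleting openldap-gcc44-fixes.patch matches the "Removal of old patches" line in the commit message, but note what it carried: a fix for the unbalanced `#elif defined( MAXHOSTNAMELEN` in libraries/libldap/os-ip.c and a reordering of the `LDAP_PVT_THREAD_STACK_SIZE` checks in include/ldap_pvt_thread.h. A build of the 2.6.1 tree without the patch is enough to confirm both are no longer needed; worth doing rather than assuming they were merged upstream.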