1
1
.TH SLAPD 8C "RELEASEDATE" "OpenLDAP LDVERSION"
2
2
.\" Copyright 1998-2009 The OpenLDAP Foundation All Rights Reserved.
3
3
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
4
.\" $OpenLDAP: pkg/ldap/doc/man/man8/slapd.8,v 1.64.2.10 2009/02/02 22:39:08 quanah Exp $
4
.\" $OpenLDAP: pkg/ldap/doc/man/man8/slapd.8,v 1.64.2.11 2009/06/03 01:42:01 quanah Exp $
6
6
slapd \- Stand-alone LDAP Daemon
10
.B [\-T {acl|add|auth|cat|dn|index|passwd|test}]
12
.B [\-f slapd\-config\-file]
13
.B [\-F slapd\-config\-directory]
15
.B [\-n service\-name] [\-s syslog\-level] [\-l syslog\-local\-user]
16
.B [\-o option[=value]]
18
.B [\-u user] [\-g group]
12
.BR \-T \ { acl \||\| a [ dd ]\||\| auth \||\| c [ at ]\||\|
13
.BR d [ n ]\||\| i [ ndex ]\||\| p [ asswd ]\||\| s [ chema ]\||\| t [ est ]}]
15
.BI \-d \ debug-level\fR]
17
.BI \-f \ slapd-config-file\fR]
19
.BI \-F \ slapd-config-directory\fR]
23
.BI \-n \ service-name\fR]
25
.BI \-s \ syslog-level\fR]
27
.BI \-l \ syslog-local-user\fR]
29
.BI \-o \ option\fR[ = value\fR]]
31
.BI \-r \ directory\fR]
23
41
is the stand-alone LDAP daemon. It listens for LDAP connections on
24
any number of ports (default 389), responding
42
any number of ports (default \fB389\fP), responding
25
43
to the LDAP operations it receives over these connections.
27
45
is typically invoked at boot time, usually out of
57
75
Listen on IPv6 addresses only.
59
.B \-T {a|c|d|i|p|t|acl|auth}
60
Run in Tool mode. The additional argument selects whether to run as
61
slapadd, slapcat, slapdn, slapindex, slappasswd, or slaptest
62
(slapacl and slapauth need the entire "\fIacl\fP" and "\fIauth\fP"
63
option value to be spelled out, as "\fIa\fP" is reserved to
78
Run in Tool mode. The \fItool\fP argument selects whether to run as
87
(\fIslapacl\fP and \fIslapauth\fP need the entire \fBacl\fP and \fBauth\fP
88
option value to be spelled out, as \fBa\fP is reserved to
65
90
This option should be the first option specified when it is used;
66
91
any remaining options will be interpreted by the corresponding
67
92
slap tool program, according to the respective man pages.
68
Note that these tool programs will usually be symbolic links to slapd.
93
Note that these tool programs will usually be symbolic links to
69
95
This option is provided for situations where symbolic links
70
96
are not provided or not usable.
72
.BI \-d " debug\-level"
73
99
Turn on debugging as defined by
75
101
If this option is specified, even with a zero argument,
77
103
will not fork or disassociate from the invoking terminal. Some general
78
operation and status messages are printed for any value of \fIdebug\-level\fP.
79
\fIdebug\-level\fP is taken as a bit string, with each bit corresponding to a
104
operation and status messages are printed for any value of \fIdebug-level\fP.
105
\fIdebug-level\fP is taken as a bit string, with each bit corresponding to a
80
106
different kind of debugging information. See <ldap_log.h> for details.
81
107
Comma-separated arrays of friendly names can be specified to select
82
108
debugging output of the corresponding debugging information.
83
109
All the names recognized by the \fIloglevel\fP directive
84
110
described in \fBslapd.conf\fP(5) are supported.
85
If \fIdebug\-level\fP is \fB?\fP, a list of installed levels is printed,
111
If \fIdebug-level\fP is \fB?\fP, a list of installed debug-levels is printed,
88
114
Remember that if you turn on packet logging, packets containing bind passwords
89
115
will be output, so if you redirect the log to a logfile, that file should
90
116
be read-protected.
92
.BI \-s " syslog\-level"
118
.BI \-s \ syslog-level
95
at what level debugging statements should be logged to the
121
at what debug-level debugging statements should be logged to the
98
The value "syslog\-level" can be set to any value or combination
99
allowed by the "-d" switch.
100
Slapd logs all messages selected by "syslog\-level"
101
at the syslog(3) severity level "DEBUG",
102
on the unit specified with "-l".
124
The value \fIsyslog-level\fP can be set to any value or combination
125
allowed by the \fB\-d\fP switch.
126
Slapd logs all messages selected by \fIsyslog-leveli\fP
129
severity debug-level \fBDEBUG\fP,
130
on the unit specified with \fB\-l\fP.
104
.BI \-n " service\-name"
132
.BI \-n \ service-name
105
133
Specifies the service name for logging and other purposes. Defaults
106
134
to basename of argv[0], i.e.: "slapd".
108
.BI \-l " syslog\-local\-user"
136
.BI \-l \ syslog-local-user
109
137
Selects the local user of the
111
139
facility. Value can be
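Review bot: In the \-s description the new line "Slapd logs all messages selected by \fIsyslog-leveli\fP" misspells the argument name; it should be \fIsyslog-level\fP, matching the ".BI \-s \ syslog-level" heading above it. The neighbouring new lines read as if "level" was replaced wholesale with "debug-level": "severity debug-level \fBDEBUG\fP" replaces the old "syslog(3) severity level", which names the syslog severity and not the \-d argument. I would keep "severity level \fBDEBUG\fP" there and take another look at "at what debug-level debugging statements should be logged" for the same reason.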
122
150
local users with the
125
Logging to syslog(8) occurs at the "DEBUG" severity level.
153
Logging to syslog(8) occurs at the "DEBUG" severity debug-level.
127
.BI \-f " slapd\-config\-file"
155
.BI \-f \ slapd-config-file
128
156
Specifies the slapd configuration file. The default is
129
157
.BR ETCDIR/slapd.conf .
131
.BI \-F " slapd\-config\-directory"
159
.BI \-F \ slapd-config-directory
132
160
Specifies the slapd configuration directory. The default is
133
161
.BR ETCDIR/slapd.d .
138
166
are specified, the config file will be read and converted to
139
167
config directory format and written to the specified directory.
140
168
If neither option is specified, slapd will attempt to read the
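Review bot: The changed sentence that closes the \-l text, 'Logging to syslog(8) occurs at the "DEBUG" severity debug-level.', turns the syslog severity level into a "severity debug-level", which confuses it with the \-d argument; suggest leaving it as "severity level". The \-s text in this same change writes the value as \fBDEBUG\fP, so this line could use that markup too instead of keeping the double quotes.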
162
190
without a DN or other optional parameters (excepting as discussed below).
163
191
Support for the latter two schemes depends on selected configuration
164
192
options. Hosts may be specified by name or IPv4 and IPv6 address formats.
165
Ports, if specified, must be numeric. The default ldap:// port is 389
166
and the default ldaps:// port is 636.
193
Ports, if specified, must be numeric. The default ldap:// port is \fB389\fP
194
and the default ldaps:// port is \fB636\fP.
168
196
The listener permissions are indicated by
169
"x-mod=-rwxrwxrwx", "x-mod=0777" or "x-mod=777", where any
170
of the "rwx" can be "-" to suppress the related permission, while any
197
"x\-mod=\-rwxrwxrwx", "x\-mod=0777" or "x\-mod=777", where any
198
of the "rwx" can be "\-" to suppress the related permission, while any
171
199
of the "7" can be any legal octal digit, according to chmod(1).
172
The listeners can take advantage of the "x-mod"
200
The listeners can take advantage of the "x\-mod"
173
201
extension to apply rough limitations to operations, e.g. allow read operations
174
202
("r", which applies to search and compare), write operations ("w",
175
203
which applies to add, delete, modify and modrdn), and execute operations
176
204
("x", which means bind is required).
177
205
"User" permissions apply to authenticated users, while "other" apply
178
206
to anonymous users; "group" permissions are ignored.
179
For example, "ldap:///????x-mod=-rw-------" means that read and write is only allowed
207
For example, "ldap:///????x\-mod=\-rw\-\-\-\-\-\-\-" means that read and write is only allowed
180
208
for authenticated connections, and bind is required for all operations.
181
209
This feature is experimental, and requires to be manually enabled
182
210
at configure time.
185
213
Specifies a directory to become the root directory. slapd will
186
214
change the current working directory to this directory and
189
217
to this directory. This is done after opening listeners but before
190
218
reading any configuration file or initializing any backend. When
191
219
used as a security mechanism, it should be used in conjunction with
199
227
will run slapd with the specified user name or id, and that user's
200
228
supplementary group access list as set with initgroups(3). The group ID
201
is also changed to this user's gid, unless the -g option is used to
229
is also changed to this user's gid, unless the \fB\-g\fP option is used to
202
230
override. Note when used with
204
232
slapd will use the user database in the change root environment.
206
234
Note that on some systems, running as a non-privileged user will prevent
207
235
passwd back-ends from accessing the encrypted passwords. Note also that
208
236
any shell back-ends will run as the specified non-privileged user.
212
240
will run with the specified group name or id. Note when used with
214
242
slapd will use the group database in the change root environment.
217
245
This option provides a cookie for the syncrepl replication consumer.
218
246
The cookie is a comma separated list of \fIname=value\fP pairs.
219
247
Currently supported syncrepl cookie fields are
245
273
part to force a full reload.
247
.BI \-o " option[=value]"
275
.BI \-o \ option\fR[ = value\fR]
248
276
This option provides a generic means to specify options without the need to reserve
249
277
a separate letter for them.
251
279
It supports the following options:
254
slp={\fBon\fP|\fBoff\fP|\fIslp\-attrs\fP}
255
When SLP support is compiled into slapd, disable it (
257
), enable it by registering at SLP DAs without specific SLP attributes (
259
), or with specific SLP attributes
282
.BR slp= { on \||\| off \||\| \fIslp-attrs\fP }
283
When SLP support is compiled into slapd, disable it (\fBoff\fP),
284
enable it by registering at SLP DAs without specific SLP attributes (\fBon\fP),
285
or with specific SLP attributes
261
287
that must be an SLP attribute list definition according to the SLP standard.
263
For example, "-o slp=(tree=production),(server-type=OpenLDAP),(server-version=2.3.20)"
289
For example, \fB"slp=(tree=production),(server-type=OpenLDAP),(server\-version=2.4.15)"\fP
264
290
registers at SLP DAs with the three SLP attributes tree, server-type and server-version
265
291
that have the values given above.
266
292
This allows to specifically query the SLP DAs for LDAP servers holding the
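Review bot: The new slp example escapes only one of its hyphens, "(server-type=OpenLDAP),(server\-version=2.4.15)", so the two attribute names can render with different dash glyphs and the following sentence still writes both unescaped; escape both or neither. The new line also drops the leading "\-o" that the old example carried, so either keep "\-o slp=..." or state that the quoted string is the value passed to \-o.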