
slapd.conf




SYNOPSIS

       /etc/openldap/slapd.conf


DESCRIPTION

       The file /etc/openldap/slapd.conf contains configuration
       information for the slapd(8) daemon.  This configuration
       file is also used by the slurpd(8) replication daemon and
       by the SLAPD tools slapadd(8), slapcat(8), and
       slapindex(8).

       The slapd.conf file consists of a series of global
       configuration options that apply to slapd as a whole (including
       all backends), followed by zero or more database backend
       definitions that contain information specific to a backend
       instance.

       The general format of slapd.conf is as follows:

           # comment - these options apply to every database
           <global configuration options>
           # first database definition & configuration options
           database   <backend 1 type>
           <configuration options specific to backend 1>
           # subsequent database definitions & configuration options
           ...

       As many backend-specific sections as desired may be
       included.  Global options can be overridden in a backend
       (for options that appear more than once, the last
       appearance in the slapd.conf file is used).  Blank lines and
       comment lines beginning with a `#' character are ignored.
       If a line begins with white space, it is considered a
       continuation of the previous line.

       Arguments on configuration lines are separated by white
       space.  If an argument contains white space, the argument
       should be enclosed in double quotes.  If an argument
       contains a double quote (`"') or a backslash character (`\'),
       the character should be preceded by a backslash character.

       The specific configuration options available are discussed
       below in the Global Configuration Options, General Backend
       Options,  and  General Database Options.  Backend-specific
       options are discussed  in  the  slapd-<backend>(5)  manual
       pages.   Refer to the "OpenLDAP Administrator's Guide" for
       more details on the slapd configuration file.


GLOBAL CONFIGURATION OPTIONS

       Options described in this section apply to  all  backends,
       unless  specifically  overridden  in a backend definition.
       Arguments that should be replaced by actual text are shown
              1777),  now  Historic  (RFC  3494).  bind_anon_cred
              allows anonymous  bind  when  credentials  are  not
              empty  (e.g.   when  DN  is  empty).   bind_anon_dn
              allows unauthenticated (anonymous) bind when DN  is
              not empty.  update_anon allows unauthenticated
              (anonymous) update operations to be processed
              (subject to access controls and other administrative
              limits).

       argsfile <filename>
              The ( absolute ) name of a file that will hold  the
              slapd  server's  command  line  options  if started
              without the debugging command line option.

       attributeoptions [option-name]...
              Define tagging attribute options or option
              tag/range prefixes.  Options must not end with `-',
              prefixes must end with `-'.  The `lang-' prefix is
              predefined.  If you use the attributeoptions
              directive, `lang-' will no longer be defined and you
              must specify it explicitly if you want it defined.

              An attribute description with a tagging option is a
              subtype of that attribute description without the
              option.  Except for that, options defined this way
              have no special semantics.  Prefixes defined this
              way work like the `lang-' options: They define a
              prefix for tagging options starting with the
              prefix.  That is, if you define the prefix `x-foo-',
              you can use the option `x-foo-bar'.  Furthermore,
              in a search or compare, a prefix or range name
              (with a trailing `-') matches all options starting
              with that name, as well as the option with the
              range name sans the trailing `-'.  That is,
              `x-foo-bar-' matches `x-foo-bar' and `x-foo-bar-baz'.

              RFC2251 reserves options beginning with `x-' for
              private experiments.  Other options should be
              registered with IANA, see RFC3383 section 3.4.
              OpenLDAP also has the `binary' option built in, but this
              is a transfer option, not a tagging option.

       attributetype     ( <oid>     [NAME <name>]     [OBSOLETE]
              [DESC <description>]  [SUP <oid>]  [EQUALITY <oid>]
              [ORDERING <oid>]  [SUBSTR <oid>]  [SYNTAX <oidlen>]
              [SINGLE-VALUE]  [COLLECTIVE] [NO-USER-MODIFICATION]
              [USAGE <attributeUsage>] )
              Specify an attribute type using the  LDAPv3  syntax
              defined  in RFC 2252.  The slapd parser extends the
              RFC 2252 definition by  allowing  string  forms  as
              well  as  numeric OIDs to be used for the attribute
              OID   and   attribute   syntax   OID.    (See   the

       conn_max_pending_auth <integer>
              Specify the maximum number of pending requests  for
              an authenticated session.  The default is 1000.

       defaultsearchbase <dn>
              Specify  a  default  search base to use when client
              submits a non-base search  request  with  an  empty
              base DN.

       disallow <features>
              Specify  a  set  of  features  (separated  by white
              space)  to  disallow  (default  none).    bind_anon
              disables  acceptance  of  anonymous  bind requests.
              bind_simple disables simple (bind)  authentication.
              bind_krbv4     disables    Kerberos    V4    (bind)
              authentication.  tls_2_anon disables Start TLS from
              forcing  session  to  anonymous  status  (see  also
              tls_authc).    tls_authc   disables   StartTLS   if
              authenticated (see also tls_2_anon).

       gentlehup { on | off }
              A   SIGHUP   signal  will  only  cause  a  'gentle'
              shutdown-attempt: Slapd will stop listening for new
              connections,  but will not close the connections to
              the  current  clients.   Future  write   operations
              return    unwilling-to-perform,    though.    Slapd
              terminates  when  all  clients  have  closed  their
              connections  (if they ever do), or - as before - if
              it receives a SIGTERM signal.  This can  be  useful
              if you wish to terminate the server and start a new
              slapd  server  with   another   database,   without
              disrupting   the  currently  active  clients.   The
              default is off.  You may wish  to  use  idletimeout
              along with this option.

       idletimeout <integer>
              Specify  the  number  of  seconds  to  wait  before
              forcibly closing an idle client connection.  An
              idletimeout of 0 disables this feature.  The
              default is 0.

       include <filename>
              Read additional configuration information from  the
              given  file before continuing with the next line of
              the current file.

       limits <who> <limit> [<limit> [...]]
              Specify time and size limits based on who initiated
              an operation.  The argument who can be any of

                     anonymous | users | [dn[.<style>]=]<pattern>

              allow any level of depth match, including the exact
              match; with children, to allow any level  of  depth
              match,   not   including  the  exact  match;  regex
              explicitly requires the (default)  match  based  on
              regular   expression   pattern,   as   detailed  in
              regex(7).   Finally,  anonymous   matches   unbound
              operations; the pattern field is ignored.  The same
              behavior is obtained by using the anonymous form of
              the who clause.

              The currently supported limits are size and time.

              The      syntax      for     time     limits     is
              time[.{soft|hard}]=<integer>, where integer is  the
              number  of  seconds  slapd  will  spend answering a
              search request.  If no  time  limit  is  explicitly
              requested by the client, the soft limit is used; if
              the requested time limit exceeds the hard limit,
              an "Administrative limit exceeded" is returned.  If
              the hard limit is  set  to  0  or  to  the  keyword
              "soft",  the  soft limit is used in either case; if
              it is set to -1 or to the keyword "none",  no  hard
              limit  is  enforced.   Explicit  requests  for time
              limits smaller or  equal  to  the  hard  limit  are
              honored.   If no flag is set, the value is assigned
              to the soft limit, and the hard  limit  is  set  to
              zero, to preserve the original behavior.

              The      syntax      for     size     limits     is
              size[.{soft|hard|unchecked}]=<integer>,       where
              integer is the maximum number of entries slapd will
              return answering a  search  request.   If  no  size
              limit  is  explicitly  requested by the client, the
              soft limit is used; if  the  requested  size  limit
              exceeds the hard limit, an "Administrative limit
              exceeded" is returned.  If the hard limit is set to
              0  or to the keyword "soft", the soft limit is used
              in either case; if it  is  set  to  -1  or  to  the
              keyword   "none",   no   hard  limit  is  enforced.
              Explicit requests for size limits smaller or  equal
              to  the hard limit are honored.  The unchecked flag
              sets a limit on the number of candidates  a  search
              request  is  allowed  to  examine.  If the selected
              candidates exceed the unchecked limit,  the  search
              will  abort  with "Unwilling to perform".  If it is
              set to -1 or to the keyword  "none",  no  limit  is
              applied  (the  default).   If  no  flag is set, the
              value is assigned to the soft limit, and  the  hard
              limit  is  set  to  zero,  to preserve the original
              behavior.

              In case of no match, the global  limits  are  used.
                      64     configuration file processing
                      128    access control list processing
                      256    stats                            log
                             connections/operations/results
                      512    stats log entries sent
                      1024   print   communication   with   shell
                             backends
                      2048   entry parsing

       moduleload <filename>
              Specify  the  name of a dynamically loadable module
              to load. The filename may be an absolute path  name
              or   a  simple  filename.  Non-absolute  names  are
              searched for in the directories  specified  by  the
              modulepath  option.  This option and the modulepath
              option are only usable if slapd was  compiled  with
              --enable-modules.

       modulepath <pathspec>
              Specify   a  list  of  directories  to  search  for
              loadable modules.  Typically  the  path  is  colon-
              separated but this depends on the operating system.

       objectclass (  <oid>  [NAME  <name>]  [DESC  <description>]
              [OBSOLETE]  [SUP <oids>] [{ ABSTRACT | STRUCTURAL |
              AUXILIARY }] [MUST <oids>] [MAY <oids>] )
              Specify an  objectclass  using  the  LDAPv3  syntax
              defined  in RFC 2252.  The slapd parser extends the
              RFC 2252 definition by  allowing  string  forms  as
              well  as  numeric  OIDs  to  be used for the object
              class OID.  (See the objectidentifier description.)
              Object classes are "STRUCTURAL" by default.

       objectidentifier <name> { <oid> | <name>[:<suffix>] }
              Define a string name that equates to the given OID.
              The string can be used in place of the numeric  OID
              in  objectclass and attribute definitions. The name
              can also be used with a suffix of the form ":xx" in
              which case the value "oid.xx" will be used.

       password-hash <hash>
              This  option sets the hash to be used in generation
              of user passwords, stored in  userPassword,  during
              processing   of   LDAP   Password  Modify  Extended
              Operations (RFC 3052).  The <hash> must be  one  of
              {SSHA},   {SHA},   {SMD5},   {MD5},   {CRYPT},  and
              {CLEARTEXT}.  The default is {SSHA}.

              {SHA} and {SSHA}  use  the  SHA-1  algorithm  (FIPS
              160-1), the latter with a seed.

              {MD5}  and {SMD5} use the MD5 algorithm (RFC 1321),
              password-hash)  during  processing of LDAP Password
              Modify Extended Operations (RFC 3062).

              This string needs to be in  sprintf(3)  format  and
              may include one (and only one) %s conversion.  This
              conversion will be substituted with a string of random
              characters from [A-Za-z0-9./].  For example, "%.2s"
              provides a two character salt and  "$1$%.8s"  tells
              some  versions  of crypt(3) to use an MD5 algorithm
              and provides 8  random  characters  of  salt.   The
              default  is  "%s",  which provides 31 characters of
              salt.

       pidfile <filename>
              The ( absolute ) name of a file that will hold  the
              slapd  server's  process  ID  (  see getpid(2) ) if
              started without the debugging command line  option.

       referral <url>
              Specify  the  referral  to  pass back when slapd(8)
              cannot find a local database to handle  a  request.
              If  specified multiple times, each url is provided.

       require <conditions>
              Specify a set of  conditions  (separated  by  white
              space)  to  require  (default none).  The directive
              may  be  specified  globally  and/or  per-database.
              bind  requires  bind  operation  prior to directory
              operations.  LDAPv3 requires session  to  be  using
              LDAP  version  3.   authc  requires  authentication
              prior to directory operations.  SASL requires  SASL
              authentication   prior   to  directory  operations.
              strong  requires  strong  authentication  prior  to
              directory  operations.   The  strong keyword allows
              protected "simple" authentication as well  as  SASL
              authentication.  none may be used to require no
              conditions (useful for clearing globally set
              conditions within a particular database).

       reverse-lookup on | off
              Enable/disable client name unverified reverse
              lookup (default is off if compiled with
              --enable-rlookups).

       rootDSE <file>
              Specify the name of an LDIF(5) file containing user
              defined  attributes  for  the  root   DSE.    These
              attributes   are   returned   in  addition  to  the
              attributes normally produced by slapd.

       sasl-authz-policy <policy>
              Used to specify which rules to use for  SASL  Proxy
              attribute  in  an entry specifies which other users
              are allowed to  proxy  login  to  this  entry.  The
              saslAuthzTo  attribute  in an entry specifies which
              other users this user can  authorize  as.   Use  of
              saslAuthzTo rules can be easily abused if users are
              allowed  to  write   arbitrary   values   to   this
              attribute.   In  general  the saslAuthzTo attribute
              must  be  protected  with  ACLs  such   that   only
              privileged users can modify it.

       sasl-host <fqdn>
              Used  to  specify  the  fully qualified domain name
              used for SASL processing.

       sasl-realm <realm>
              Specify SASL realm.  Default is empty.

       sasl-regexp <match> <replace>
              Used by the SASL authorization mechanism to convert
              a  SASL  authenticated username to an LDAP DN. When
              an authorization  request  is  received,  the  SASL
              USERNAME,  REALM,  and  MECHANISM  are  taken, when
              available, and combined into a  SASL  name  of  the
              form

                     uid=<username>[,cn=<realm>],cn=<mechanism>,cn=auth

              This  SASL  name is then compared against the match
              regular expression, and if the match is successful,
              the  SASL name is replaced with the replace string.
              If there are wildcard strings in the match  regular
              expression that are enclosed in parentheses, e.g.

                             uid=(.*),cn=.*

              then  the portion of the SASL name that matched the
              wildcard will be stored in the numbered placeholder
              variable $1. If there are other wildcard strings in
              parentheses, the matching strings will be in $2,
              $3,  etc.  up  to  $9. The placeholders can then be
              used in the replace string, e.g.

                             cn=$1,ou=Accounts,dc=$2,dc=$4.

              The replaced SASL name can be either  a  DN  or  an
              LDAP  URI. If the latter, the slapd server will use
              the URI to search its  own  database,  and  if  the
              search  returns exactly one entry, the SASL name is
              replaced by the DN of that entry.  Multiple
              sasl-regexp options can be given in the configuration
              file to allow for multiple matching and replacement
              patterns.  The matching patterns are checked in the
              disables mechanisms which support anonymous  login.
              The forwardsec flag requires forward secrecy between
              sessions.  The passcred flag requires mechanisms which
              pass client credentials (and allow mechanisms which
              can pass credentials to do so).  The
              minssf=<factor>   property  specifies  the  minimum
              acceptable security strength factor as  an  integer
              approximate   to  effective  key  length  used  for
              encryption.  0  (zero)  implies  no  protection,  1
              implies integrity protection only, 56 allows DES or
              other weak ciphers, 112 allows triple DES and other
              strong  ciphers, 128 allows RC4, Blowfish and other
              modern strong ciphers.   The  default  is  0.   The
              maxssf=<factor>   property  specifies  the  maximum
              acceptable security strength factor as  an  integer
              (see  minssf description).  The default is INT_MAX.
              The  maxbufsize=<size>   property   specifies   the
              maximum security layer receive buffer size allowed.
              0 disables security layers.  The default is  65536.

       schemadn <dn>
              Specify  the  distinguished  name for the subschema
              subentry that controls the entries on this  server.
              The default is "cn=Subschema".

       security <factors>
              Specify a set of factors (separated by white space)
              to require.  An integer value is associated with
              each factor and is roughly equivalent to the
              encryption key length to require.  A value of 112
              is equivalent to 3DES, 128 to Blowfish, etc.  The
              directive may be  specified  globally  and/or  per-
              database.   ssf=<n>  specifies the overall security
              strength  factor.   transport=<n>   specifies   the
              transport   security   strength   factor.   tls=<n>
              specifies  the  TLS   security   strength   factor.
              sasl=<n>   specifies  the  SASL  security  strength
              factor.   update_ssf=<n>  specifies   the   overall
              security  strength  factor to require for directory
              updates.    update_transport=<n>   specifies    the
              transport  security  strength factor to require for
              directory updates.   update_tls=<n>  specifies  the
              TLS   security   strength  factor  to  require  for
              directory updates.  update_sasl=<n>  specifies  the
              SASL   security  strength  factor  to  require  for
              directory updates.  simple_bind=<n>  specifies  the
              security   strength   factor  required  for  simple
              username/password authentication.  Note that the
              transport factor is a measure of security provided by
              the underlying transport, e.g. ldapi:// (and
              eventually IPSEC).  It is not normally used.


       sockbuf_max_incoming_auth <integer>
              Specify the maximum  incoming  LDAP  PDU  size  for
              authenticated sessions.  The default is 4194303.

       srvtab <filename>
              Specify  the srvtab file in which the kerberos keys
              necessary for authenticating clients using kerberos
              can be found. This option is only meaningful if you
              are using Kerberos authentication.

       threads <integer>
              Specify the maximum  size  of  the  primary  thread
              pool.  The default is 16.

       timelimit {<integer>|unlimited}

       timelimit time[.{soft|hard}]=<integer> [...]
              Specify  the  maximum  number  of  seconds (in real
              time) slapd will spend answering a search  request.
              The   default  time  limit  is  3600.   Use  -1  or
              unlimited to specify no limits.  The second  format
              allows  a  fine  grain  setting of the time limits.
              Extra args can be added  on  the  same  line.   See
              limits for an explanation of the different flags.

       ucdata-path <path>
              Specify  the  path  to the directory containing the
              Unicode  character  tables.  The  default  path  is
              /var/run/slapd/ucdata.


TLS OPTIONS

       If  slapd  is  built  with  support  for  Transport  Layer
       Security, there are more options you can specify.

       TLSCipherSuite <cipher-suite-spec>
              Permits configuring what ciphers will  be  accepted
              and   the  preference  order.   <cipher-suite-spec>
              should  be  a  cipher  specification  for  OpenSSL.
              Example:

              TLSCipherSuite HIGH:MEDIUM:+SSLv2

              To check what ciphers a given spec selects, use:

              openssl ciphers -v <cipher-suite-spec>

       TLSCACertificateFile <filename>
              Specifies  the  file that contains certificates for
              all of the Certificate Authorities that slapd  will
              recognize.

              private key must not be protected with a  password,
              so   it  is  of  critical  importance  that  it  is
              protected carefully.

       TLSRandFile <filename>
              Specifies the file to obtain random bits from  when
              /dev/[u]random  is not available.  Generally set to
              the name of the EGD/PRNGD socket.  The  environment
              variable  RANDFILE  can also be used to specify the
              filename.

       TLSVerifyClient <level>
              Specifies  what  checks  to   perform   on   client
              certificates  in  an  incoming TLS session, if any.
              The  <level>  can  be  specified  as  one  of   the
              following keywords:

              never  This is the default.  slapd will not ask the
                     client for a certificate.

              allow  The client certificate is requested.  If  no
                     certificate   is   provided,   the   session
                     proceeds normally.  If a bad certificate  is
                     provided, it will be ignored and the session
                     proceeds normally.

              try    The client certificate is requested.  If  no
                     certificate   is   provided,   the   session
                     proceeds normally.  If a bad certificate  is
                     provided,   the   session   is   immediately
                     terminated.

              demand | hard | true
                     These  keywords  are  all  equivalent,   for
                     compatibility     reasons.     The    client
                     certificate is requested.  If no certificate
                     is   provided,   or  a  bad  certificate  is
                     provided,   the   session   is   immediately
                     terminated.

                     Note  that  a  valid  client  certificate is
                     required in order to use the  SASL  EXTERNAL
                     authentication mechanism with a TLS session.
                     As  such,  a   non-default   TLSVerifyClient
                     setting   must  be  chosen  to  enable  SASL
                     EXTERNAL authentication.


GENERAL BACKEND OPTIONS

       Options in this section only apply  to  the  configuration
       file   section   for  the  specified  backend.   They  are
       supported by every type of backend.


       database <databasetype>
              Mark the  beginning  of  a  new  database  instance
              definition.  <databasetype>  should  be one of bdb,
              dnssrv, ldap, ldbm, meta,  monitor,  null,  passwd,
              perl,  shell,  sql,  or  tcl,  depending  on  which
              backend will serve the database.

       lastmod on | off
              Controls whether slapd will automatically  maintain
              the  modifiersName,  modifyTimestamp, creatorsName,
              and createTimestamp  attributes  for  entries.   By
              default, lastmod is on.

       maxderefdepth <depth>
              Specifies   the   maximum   number  of  aliases  to
              dereference when trying to resolve an  entry,  used
              to avoid infinite alias loops. The default is 1.

       readonly on | off
              This  option  puts  the  database  into "read-only"
              mode.  Any attempts to  modify  the  database  will
              return   an   "unwilling  to  perform"  error.   By
              default, readonly is off.

       replica     host=<hostname>[:port]      [tls=yes|critical]
              [suffix=<suffix>   [...]]    bindmethod=simple|sasl
              [binddn=<simple      DN>]      [credentials=<simple
              password>]          [saslmech=<SASL          mech>]
              [secprops=<properties>]             [realm=<realm>]
              [authcId=<authentication                       ID>]
              [authzId=<authorization ID>] [attr[!]=<attr list>]
              Specify  a  replication  site  for  this  database.
              Refer  to  the "OpenLDAP Administrator's Guide" for
              detailed information on  setting  up  a  replicated
              slapd   directory  service.  Zero  or  more  suffix
              instances can be used to select the  subtrees  that
              will  be replicated (defaults to all the database).
              A bindmethod of simple requires the options  binddn
              and  credentials  and  should  only  be  used  when
              adequate security services (e.g. TLS or IPSEC) are
              in  place. A bindmethod of sasl requires the option
              saslmech.  Specific security  properties  (as  with
              the  sasl-secprops  keyword  above) for a SASL bind
              can be set with the secprops option. A  non-default
              SASL  realm  can  be set with the realm option.  If
              the  mechanism  will  use  Kerberos,   a   kerberos
              instance  should be given in authcId.  An attr list
              can be given after the attr keyword  to  allow  the
              selective  replication  of  the  listed  attributes
              only; if the optional !  mark is used, the list  is
              considered  exclusive,  i.e.  the listed attributes
              Specify  the distinguished name that is not subject
              to   access   control   or   administrative   limit
              restrictions for operations on this database.  This
              DN may or may not be associated with an entry.   An
              empty  root  DN  (the  default)  specifies  no root
              access is to be granted.  It  is  recommended  that
              the  rootdn  only be specified when needed (such as
              when initially  populating  a  database).   If  the
              rootdn  is  within  a namingContext (suffix) of the
              database,  a  simple  bind  password  may  also  be
              provided using the rootpw directive.

       rootpw <password>
              Specify  a  password  (or hash of the password) for
              the rootdn.  The password can only be  set  if  the
              rootdn  is within the namingContext (suffix) of the
              database.   This  option  accepts  all   RFC   2307
              userPassword  formats  known  to  the  server  (see
              password-hash description)  as  well  as  cleartext.
              slappasswd(8)  may  be used to generate a hash of a
              password.  Cleartext and {CRYPT} passwords are  not
              recommended.      If     empty    (the    default),
              authentication of the root DN  is  by  other  means
              (e.g. SASL).  Use of SASL is encouraged.

       suffix <dn suffix>
              Specify  the  DN  suffix  of  queries  that will be
              passed to this backend database.   Multiple  suffix
              lines can be given and at least one is required for
              each database definition.  If  the  suffix  of  one
              database  is "inside" that of another, the database
              with the  inner  suffix  must  come  first  in  the
              configuration file.

       subordinate
              Specify  that  the  current  backend  database is a
              subordinate  of   another   backend   database.   A
              subordinate database may have only one suffix. This
              option may be used to glue multiple databases  into
              a  single  namingContext.   If  the  suffix  of the
              current database is within the namingContext  of  a
              superior  database,  searches  against the superior
              database will be propagated to the  subordinate  as
              well. All of the databases associated with a single
              namingContext  should   have   identical   rootdns.
              Behavior  of other LDAP operations is unaffected by
              this setting. In particular, it is not possible  to
              use  moddn to move an entry from one subordinate to
              another subordinate within the namingContext.

       updatedn <dn>
              This option is only applicable in  a  slave  slapd.


EXAMPLES

       Here is a short example of a configuration file:

              include   /etc/openldap/schema/core.schema
              pidfile   /var/run/slapd/slapd.pid

              # Subtypes of "name" (e.g. "cn" and "ou") with the
              # option ";x-hidden" can be searched for/compared,
              # but are not shown.  See slapd.access(5).
              attributeoptions x-hidden lang-
              access to attr=name;x-hidden by * =cs

              database  bdb
              suffix    "dc=our-domain,dc=com"
              # The database directory MUST exist prior to
              # running slapd AND should only be accessible
              # by the slapd/tools. Mode 700 recommended.
              directory /var/run/slapd/openldap-data
              # Indices to maintain
              index     objectClass  eq
              index     cn,sn,mail   pres,eq,approx,sub

              # We serve small clients that do not handle referrals,
              # so handle remote lookups on their behalf.
              database  ldap
              suffix    ""
              uri       ldap://ldap.some-server.com/
              lastmod   off

       "OpenLDAP   Administrator's   Guide"   contains  a  longer
       annotated example of a configuration file.   The  original
       /etc/openldap/slapd.conf is another example.
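
       The rootpw and suffix rules described above can be checked
       mechanically before a configuration is deployed.  The audit
       below is an added example, not part of the OpenLDAP
       distribution or of this page; the function names and the
       sample input are constructed, and it assumes one directive
       per line with no continuation lines or escaped commas.

```python
import re

# Constructed sample config (not from the man page); the hash is a placeholder.
SAMPLE = """\
database  bdb
suffix    "dc=our-domain,dc=com"
rootdn    "cn=Manager,dc=our-domain,dc=com"
rootpw    secret
database  bdb
suffix    "ou=people,dc=our-domain,dc=com"
rootdn    "cn=Manager,dc=example,dc=org"
rootpw    {SSHA}PLACEHOLDER
"""

def norm(dn):  # simplified DN normalisation: assumes no escaped commas
    return ",".join(p.strip().lower() for p in dn.split(","))
def inside(inner, outer):  # strictly below outer; "" contains every other DN
    return inner != outer and (outer == "" or inner.endswith("," + outer))

def parse_databases(text):
    dbs = []
    for raw in text.splitlines():
        if not raw.strip() or raw[0].isspace() or raw.startswith("#"):
            continue  # blank, continuation (ignored in this sketch) or comment
        parts = raw.split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "database":
            dbs.append({"suffix": [], "rootdn": "", "rootpw": ""})
        elif dbs and key == "suffix":
            dbs[-1]["suffix"].append(norm(val))
        elif dbs and key in ("rootdn", "rootpw"):
            dbs[-1][key] = norm(val) if key == "rootdn" else val
    return dbs

def audit(text):
    dbs, findings = parse_databases(text), []
    for i, db in enumerate(dbs):
        if db["rootpw"]:
            m = re.match(r"\{([^}]+)\}", db["rootpw"])
            scheme = m.group(1).upper() if m else "CLEARTEXT"
            if scheme in ("CLEARTEXT", "CRYPT"):
                findings.append((i, f"rootpw uses {scheme}; not recommended"))
            if not any(db["rootdn"] == s or inside(db["rootdn"], s) for s in db["suffix"]):
                findings.append((i, "rootpw set but rootdn is outside the suffix"))
        for j in range(i + 1, len(dbs)):
            if any(inside(b, a) for a in db["suffix"] for b in dbs[j]["suffix"]):
                findings.append((j, f"inner suffix must come before database {i}"))
    return findings
```

       Each finding is a (database index, message) pair; an empty
       list means none of the three checks fired.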


FILES

       /etc/openldap/slapd.conf
              default slapd configuration file


SEE ALSO

       ldap(3),  slapd-bdb(5),  slapd-dnssrv(5),  slapd-ldap(5),
       slapd-ldbm(5),  slapd-meta(5),  slapd-null(5),
       slapd-passwd(5),  slapd-perl(5),  slapd-shell(5),  slapd-sql(5),
       slapd-tcl(5), slapd.replog(5), slapd.access(5), locale(5),
       slapd(8),  slapadd(8),  slapcat(8),  slapindex(8),
       slappasswd(8), slurpd(8),

       "OpenLDAP              Administrator's              Guide"
       (http://www.OpenLDAP.org/doc/admin/)


ACKNOWLEDGEMENTS

       OpenLDAP  is  developed  and  maintained  by  The OpenLDAP
       Project (http://www.openldap.org/).  OpenLDAP  is  derived
       from University of Michigan LDAP 3.3 Release.

All logos and trademarks in this site are property of their respective owner. The comments are property of their posters. Articles are the property of their respective owners. Unless otherwise stated in the body of the article, article content (C) 1994-2013 by James Mohr. All rights reserved. The stylized page/paper, as well as the terms "The Linux Tutorial", "The Linux Server Tutorial", "The Linux Knowledge Base and Tutorial" and "The place where you learn Linux" are service marks of James Mohr. All rights reserved.