summaryrefslogtreecommitdiffstats
path: root/doc/man/man8
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--doc/man/man8/Makefile.in16
-rw-r--r--doc/man/man8/lloadd.8341
-rw-r--r--doc/man/man8/slapacl.8205
-rw-r--r--doc/man/man8/slapadd.8218
-rw-r--r--doc/man/man8/slapauth.8152
-rw-r--r--doc/man/man8/slapcat.8203
-rw-r--r--doc/man/man8/slapd.8379
-rw-r--r--doc/man/man8/slapdn.8108
-rw-r--r--doc/man/man8/slapindex.8178
-rw-r--r--doc/man/man8/slapmodify.8222
-rw-r--r--doc/man/man8/slappasswd.8203
-rw-r--r--doc/man/man8/slapschema.8193
-rw-r--r--doc/man/man8/slaptest.8117
13 files changed, 2535 insertions, 0 deletions
diff --git a/doc/man/man8/Makefile.in b/doc/man/man8/Makefile.in
new file mode 100644
index 0000000..30f21e0
--- /dev/null
+++ b/doc/man/man8/Makefile.in
@@ -0,0 +1,16 @@
+# man8 Makefile.in for OpenLDAP
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2022 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+MANSECT=8
diff --git a/doc/man/man8/lloadd.8 b/doc/man/man8/lloadd.8
new file mode 100644
index 0000000..3bd4f0e
--- /dev/null
+++ b/doc/man/man8/lloadd.8
@@ -0,0 +1,341 @@
+.TH LLOADD 8C "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 2017-2022 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
+.SH NAME
+lloadd \- LDAP Load Balancer Daemon
+.SH SYNOPSIS
+.B LIBEXECDIR/lloadd
+[\c
+.BR \-4 | \-6 ]
+[\c
+.BI \-d \ debug-level\fR]
+[\c
+.BI \-f \ lloadd-config-file\fR]
+[\c
+.BI \-h \ URLs\fR]
+[\c
+.BI \-n \ service-name\fR]
+[\c
+.BI \-s \ syslog-level\fR]
+[\c
+.BI \-l \ syslog-local-user\fR]
+[\c
+.BI \-o \ option\fR[ = value\fR]]
+[\c
+.BI \-r \ directory\fR]
+[\c
+.BI \-u \ user\fR]
+[\c
+.BI \-g \ group\fR]
+.SH DESCRIPTION
+.LP
+.B Lloadd
+is the stand-alone LDAP daemon. It listens for LDAP connections on
+any number of ports (default \fB389\fP), forwarding the LDAP operations
+it receives over these connections to be handled by the configured
+backends.
+.B lloadd
+is typically invoked at boot time, usually out of
+.BR /etc/rc.local .
+Upon startup,
+.B lloadd
+normally forks and disassociates itself from the invoking tty.
+If configured in the config file, the
+.B lloadd
+process will print its process ID (see
+.BR getpid (2))
+to a
+.B .pid
+file, as well as the command line options during invocation to an
+.B .args
+file (see
+.BR lloadd.conf (5)).
+If the
+.B \-d
+flag is given, even with a zero argument,
+.B lloadd
+will not fork and disassociate from the invoking tty.
+.LP
+See the "OpenLDAP Administrator's Guide" for more details on
+.BR lloadd .
+.SH OPTIONS
+.TP
+.B \-4
+Listen on IPv4 addresses only.
+.TP
+.B \-6
+Listen on IPv6 addresses only.
+.TP
+.BI \-d \ debug-level
+Turn on debugging as defined by
+.IR debug-level .
+If this option is specified, even with a zero argument,
+.B lloadd
+will not fork or disassociate from the invoking terminal. Some general
+operation and status messages are printed for any value of \fIdebug-level\fP.
+\fIdebug-level\fP is taken as a bit string, with each bit corresponding to a
+different kind of debugging information. See <ldap_log.h> for details.
+Comma-separated arrays of friendly names can be specified to select
+debugging output of the corresponding debugging information.
+All the names recognized by the \fIloglevel\fP directive
+described in \fBlloadd.conf\fP(5) are supported.
+If \fIdebug-level\fP is \fB?\fP, a list of installed debug-levels is printed,
+and lloadd exits.
+
+Remember that if you turn on packet logging, packets containing bind passwords
+will be output, so if you redirect the log to a logfile, that file should
+be read-protected.
+.TP
+.BI \-s \ syslog-level
+This option tells
+.B lloadd
+at what debug-level debugging statements should be logged to the
+.BR syslog (8)
+facility.
+The value \fIsyslog-level\fP can be set to any value or combination
+allowed by the \fB\-d\fP switch.
+Lloadd logs all messages selected by \fIsyslog-level\fP
+at the
+.BR syslog (3)
+severity debug-level \fBDEBUG\fP,
+on the unit specified with \fB\-l\fP.
+.TP
+.BI \-n \ service-name
+Specifies the service name for logging and other purposes. Defaults
+to basename of argv[0], i.e.: "lloadd".
+.TP
+.BI \-l \ syslog-local-user
+Selects the local user of the
+.BR syslog (8)
+facility. Value can be
+.BR LOCAL0 ,
+through
+.BR LOCAL7 ,
+as well as
+.B USER
+and
+.BR DAEMON .
+The default is
+.BR LOCAL4 .
+However, this option is only permitted on systems that support
+local users with the
+.BR syslog (8)
+facility.
+Logging to syslog(8) occurs at the "DEBUG" severity debug-level.
+.TP
+.BI \-f \ lloadd-config-file
+Specifies the lloadd configuration file. The default is
+.BR ETCDIR/lloadd.conf .
+.TP
+.BI \-h \ URLlist
+.B lloadd
+will by default serve
+.B ldap:///
+(LDAP over TCP on all interfaces on default LDAP port). That is,
+it will bind using INADDR_ANY and port \fB389\fP.
+The
+.B \-h
+option may be used to specify LDAP (and other scheme) URLs to serve.
+For example, if lloadd is given
+.BR "\-h \(dqldap://127.0.0.1:9009/ ldaps:/// ldapi:///\(dq" ,
+it will listen on 127.0.0.1:9009 for LDAP, 0.0.0.0:636 for LDAP over TLS,
+and LDAP over IPC (Unix domain sockets). Host 0.0.0.0 represents
+INADDR_ANY (any interface).
+A space separated list of URLs is expected. The URLs should be of the LDAP,
+PLDAP, LDAPS, PLDAPS, or LDAPI schemes, and generally without a DN or other
+optional parameters (excepting as discussed below). Support for the latter
+three schemes depends on selected configuration options. Hosts may be specified
+by name or IPv4 and IPv6 address formats. Ports, if specified, must be
+numeric. The default ldap:// port is \fB389\fP and the default ldaps:// port
+is \fB636\fP, same for the proxy enabled variants.
+
+The PLDAP and PLDAPS URL schemes provide support for the HAProxy proxy protocol
+version 2, which allows a load balancer or proxy server to provide the remote
+client IP address to slapd to be used for access control or logging. Ports
+configured for PLDAP or PLDAPS will only accept connections that include the
+necessary proxy protocol header. Connections to these ports should be
+restricted at the network level to only trusted load balancers or proxies to
+avoid spoofing of client IP addresses by third parties.
+
+At the moment, the load balancer does not act on the recorded address in any
+way.
+
+For LDAP over IPC,
+.B name
+is the name of the socket, and no
+.B port
+is required, nor allowed; note that directory separators must be
+URL-encoded, like any other characters that are special to URLs;
+so the socket
+
+ /usr/local/var/ldapi
+
+must be specified as
+
+ ldapi://%2Fusr%2Flocal%2Fvar%2Fldapi
+
+The default location for the IPC socket is LOCALSTATEDIR/run/ldapi
+.TP
+.BI \-r \ directory
+Specifies a directory to become the root directory. lloadd will
+change the current working directory to this directory and
+then
+.BR chroot (2)
+to this directory. This is done after opening listeners but before
+reading any configuration file or initializing any backend. When
+used as a security mechanism, it should be used in conjunction with
+.B \-u
+and
+.B \-g
+options.
+.TP
+.BI \-u \ user
+.B lloadd
+will run lloadd with the specified user name or id, and that user's
+supplementary group access list as set with initgroups(3). The group ID
+is also changed to this user's gid, unless the \fB\-g\fP option is used to
+override. Note when used with
+.BR \-r ,
+lloadd will use the user database in the change root environment.
+.TP
+.BI \-g \ group
+.B lloadd
+will run with the specified group name or id. Note when used with
+.BR \-r ,
+lloadd will use the group database in the change root environment.
+.TP
+.BI \-o \ option\fR[ = value\fR]
+This option provides a generic means to specify options without the need to reserve
+a separate letter for them.
+
+It supports the following options:
+.RS
+.TP
+.BR slp= { on \||\| off \||\| \fIslp-attrs\fP }
+When SLP support is compiled into lloadd, disable it (\fBoff\fP),
+ enable it by registering at SLP DAs without specific SLP attributes (\fBon\fP),
+or with specific SLP attributes
+.I slp-attrs
+that must be an SLP attribute list definition according to the SLP standard.
+
+For example, \fB"slp=(tree=production),(server-type=OpenLDAP),(server\-version=2.4.15)"\fP
+registers at SLP DAs with the three SLP attributes tree, server-type and server-version
+that have the values given above.
+This allows one to specifically query the SLP DAs for LDAP servers holding the
+.I production
+tree in case multiple trees are available.
+.RE
+
+.SH RELATION TO SLAPD(8)
+.B Lloadd
+can be compiled as a
+.B slapd
+loadable module. In that case, it can be loaded as such:
+.LP
+.nf
+.ft tt
+ moduleload path/to/lloadd.la
+ backend lload
+ listen "listening URLs"
+.ft
+.fi
+
+This enables
+.B lloadd
+to provide additional features through the host slapd process like access to
+run-time statistics in
+.B cn=monitor
+and dynamic configuration from
+.BR cn=config .
+
+The listening sockets specified will be under direct control of
+.B lloadd
+and need to be different from the sockets slapd is configured to listen on.
+Clients connecting to these are completely separate from regular LDAP clients
+connecting to the usual
+.B slapd
+sockets -
+.B lloadd
+clients have no access to slapd databases, similarly,
+.B slapd
+client traffic does not propagate to the
+.B lloadd
+backend servers in any way.
+
+.SH CN=MONITOR INTERFACE
+As part of
+.BR lloadd 's
+.B cn=monitor
+interface it is possible to close a client connection it manages by writing to
+the corresponding entry,
+.B replacing
+the
+.B olmConnectionState
+attribute with the value
+.BR closing .
+This is subject to ACLs configured on the monitor database. The server will
+send a
+.B Notice of Disconnection
+to the client, refuse any new operations and once all pending operations have
+finished, close the connection.
+
+For example, to close connection number 42:
+
+.LP
+.nf
+.ft tt
+ dn: cn=connection 42,cn=incoming connections,cn=load balancer,cn=backends,cn=monitor
+ changetype: modify
+ replace: olmConnectionState
+ olmConnectionState: closing
+.ft
+.fi
+
+.SH EXAMPLES
+To start
+.I lloadd
+and have it fork and detach from the terminal and start load-balancing
+the LDAP servers defined in the default config file, just type:
+.LP
+.nf
+.ft tt
+ LIBEXECDIR/lloadd
+.ft
+.fi
+.LP
+To start
+.B lloadd
+with an alternate configuration file, and turn
+on voluminous debugging which will be printed on standard error, type:
+.LP
+.nf
+.ft tt
+ LIBEXECDIR/lloadd \-f /var/tmp/lloadd.conf \-d 255
+.ft
+.fi
+.LP
+To start
+.B lloadd
+as a module inside a slapd process listening on ldap://:1389 and ldaps://,
+put the following in your slapd.conf (or its equivalent in cn=config):
+.LP
+.nf
+.ft tt
+ moduleload lloadd.la
+ backend lload
+ listen "ldap://:1389 ldaps://"
+.ft
+.fi
+.SH "SEE ALSO"
+.BR ldap (3),
+.BR lloadd.conf (5),
+.BR slapd-config (5),
+.BR slapd-monitor (5),
+.BR slapd (8).
+.LP
+"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
+.SH BUGS
+See http://www.openldap.org/its/
+.SH ACKNOWLEDGEMENTS
+.so ../Project
diff --git a/doc/man/man8/slapacl.8 b/doc/man/man8/slapacl.8
new file mode 100644
index 0000000..c283f11
--- /dev/null
+++ b/doc/man/man8/slapacl.8
@@ -0,0 +1,205 @@
+.TH SLAPACL 8C "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 2004-2022 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
+.SH NAME
+slapacl \- Check access to a list of attributes.
+.SH SYNOPSIS
+.B SBINDIR/slapacl
+.BI \-b \ DN
+[\c
+.BI \-d \ debug-level\fR]
+[\c
+.BI \-D \ authcDN\ \fR|
+.BI \-U \ authcID\fR]
+[\c
+.BI \-f \ slapd.conf\fR]
+[\c
+.BI \-F \ confdir\fR]
+[\c
+.BI \-o \ option\fR[ = value\fR]]
+[\c
+.BR \-u ]
+[\c
+.BR \-v ]
+[\c
+.BI \-X \ authzID\ \fR|
+.BI "\-o \ authzDN=" DN\fR]
+[\c
+.IR attr [\fB/\fI access ][\fB:\fI value ]]\fR\ [...]
+.LP
+.SH DESCRIPTION
+.LP
+.B slapacl
+is used to check the behavior of
+.BR slapd (8)
+by verifying access to directory data according to the access control list
+directives defined in its configuration.
+.
+It opens the
+.BR slapd.conf (5)
+configuration file or the
+.BR slapd\-config (5)
+backend, reads in the
+.BR access / olcAccess
+directives, and then parses the
+.B attr
+list given on the command-line; if none is given, access to the
+.B entry
+pseudo-attribute is tested.
+.LP
+.SH OPTIONS
+.TP
+.BI \-b \ DN
+specify the
+.I DN
+which access is requested to; the corresponding entry is fetched
+from the database, and thus it must exist.
+The
+.I DN
+is also used to determine what rules apply; thus, it must be
+in the naming context of a configured database. By default, the first
+database that supports the requested operation is used. See also
+.BR \-u .
+
+.TP
+.BI \-d \ debug-level
+enable debugging messages as defined by the specified
+.IR debug-level ;
+see
+.BR slapd (8)
+for details.
+.TP
+.BI \-D \ authcDN
+specify a DN to be used as identity through the test session
+when selecting appropriate
+.B <by>
+clauses in access lists.
+.TP
+.BI \-f \ slapd.conf
+specify an alternative
+.BR slapd.conf (5)
+file.
+.TP
+.BI \-F \ confdir
+specify a config directory.
+If both
+.B \-f
+and
+.B \-F
+are specified, the config file will be read and converted to
+config directory format and written to the specified directory.
+If neither option is specified, an attempt to read the
+default config directory will be made before trying to use the default
+config file. If a valid config directory exists then the
+default config file is ignored.
+.TP
+.BI \-o \ option\fR[ = value\fR]
+Specify an
+.I option
+with a(n optional)
+.IR value .
+Possible generic options/values are:
+.LP
+.nf
+ syslog=<subsystems> (see `\-s' in slapd(8))
+ syslog\-level=<level> (see `\-S' in slapd(8))
+ syslog\-user=<user> (see `\-l' in slapd(8))
+
+.fi
+.RS
+Possible options/values specific to
+.B slapacl
+are:
+.RE
+.nf
+
+ authzDN
+ domain
+ peername
+ sasl_ssf
+ sockname
+ sockurl
+ ssf
+ tls_ssf
+ transport_ssf
+
+.fi
+.RS
+See the related fields in
+.BR slapd.access (5)
+for details.
+.RE
+.TP
+.BI \-u
+do not fetch the entry from the database.
+In this case, if the entry does not exist, a fake entry with the
+.I DN
+given with the
+.B \-b
+option is used, with no attributes.
+As a consequence, those rules that depend on the contents
+of the target object will not behave as with the real object.
+The
+.I DN
+given with the
+.B \-b
+option is still used to select what rules apply; thus, it must be
+in the naming context of a configured database.
+See also
+.BR \-b .
+.TP
+.BI \-U \ authcID
+specify an ID to be mapped to a
+.B DN
+as by means of
+.B authz\-regexp
+or
+.B authz\-rewrite
+rules (see
+.BR slapd.conf (5)
+for details); mutually exclusive with
+.BR \-D .
+.TP
+.B \-v
+enable verbose mode.
+.TP
+.BI \-X \ authzID
+specify an authorization ID to be mapped to a
+.B DN
+as by means of
+.B authz\-regexp
+or
+.B authz\-rewrite
+rules (see
+.BR slapd.conf (5)
+for details); mutually exclusive with \fB\-o\fP \fBauthzDN=\fIDN\fR.
+.SH EXAMPLES
+The command
+.LP
+.nf
+.ft tt
+ SBINDIR/slapacl \-f ETCDIR/slapd.conf \-v \\
+ \-U bjorn \-b "o=University of Michigan,c=US" \\
+ "o/read:University of Michigan"
+
+.ft
+.fi
+tests whether the user
+.I bjorn
+can access the attribute
+.I o
+of the entry
+.I o=University of Michigan,c=US
+at
+.I read
+level.
+.SH "SEE ALSO"
+.BR ldap (3),
+.BR slapd (8),
+.BR slaptest (8),
+.BR slapauth (8)
+.LP
+"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
+.SH ACKNOWLEDGEMENTS
+.so ../Project
diff --git a/doc/man/man8/slapadd.8 b/doc/man/man8/slapadd.8
new file mode 100644
index 0000000..d31d440
--- /dev/null
+++ b/doc/man/man8/slapadd.8
@@ -0,0 +1,218 @@
+.TH SLAPADD 8C "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
+.SH NAME
+slapadd \- Add entries to a SLAPD database
+.SH SYNOPSIS
+.B SBINDIR/slapadd
+[\c
+.BI \-b \ suffix\fR]
+[\c
+.BR \-c ]
+[\c
+.BI \-d \ debug-level\fR]
+[\c
+.BI \-f \ slapd.conf\fR]
+[\c
+.BI \-F \ confdir\fR]
+[\c
+.BR \-g ]
+[\c
+.BI \-j \ lineno\fR]
+[\c
+.BI \-l \ ldif-file\fR]
+[\c
+.BI \-n \ dbnum\fR]
+[\c
+.BI \-o \ option\fR[ = value\fR]]
+[\c
+.BR \-q ]
+[\c
+.BR \-s ]
+[\c
+.BI \-S \ SID\fR]
+[\c
+.BR \-u ]
+[\c
+.BR \-v ]
+[\c
+.BR \-w ]
+.SH DESCRIPTION
+.LP
+.B Slapadd
+is used to add entries specified in LDAP Directory Interchange Format
+(LDIF) to a
+.BR slapd (8)
+database.
+It opens the given database determined by the database number or
+suffix and adds entries corresponding to the provided LDIF to
+the database.
+Databases configured as
+.B subordinate
+of this one are also updated, unless \fB\-g\fP is specified.
+The LDIF input is read from standard input or the specified file.
+
+All files eventually created by
+.BR slapadd
+will belong to the identity
+.BR slapadd
+is run as, so make sure you either run
+.BR slapadd
+with the same identity
+.BR slapd (8)
+will be run as (see option
+.B \-u
+in
+.BR slapd (8)),
+or change file ownership before running
+.BR slapd (8).
+
+Note: slapadd will also perform the relevant indexing whilst adding the database if
+any are configured. For specific details, please see
+.BR slapindex (8).
+.SH OPTIONS
+.TP
+.BI \-b \ suffix
+Use the specified \fIsuffix\fR to determine which database to
+add entries to. By default, the first database that supports the requested
+operation is used. The \fB\-b\fP cannot be used in conjunction with the
+.B \-n
+option.
+.TP
+.B \-c
+enable continue (ignore errors) mode.
+.TP
+.BI \-d \ debug-level
+enable debugging messages as defined by the specified
+.IR debug-level ;
+see
+.BR slapd (8)
+for details.
+.TP
+.BI \-f \ slapd.conf
+specify an alternative
+.BR slapd.conf (5)
+file.
+.TP
+.BI \-F \ confdir
+specify a config directory.
+If both
+.B \-f
+and
+.B \-F
+are specified, the config file will be read and converted to
+config directory format and written to the specified directory.
+If neither option is specified, an attempt to read the
+default config directory will be made before trying to use the default
+config file. If a valid config directory exists then the
+default config file is ignored. If dry-run mode is also specified,
+no conversion will occur.
+.TP
+.B \-g
+disable subordinate gluing. Only the specified database will be
+processed, and not its glued subordinates (if any).
+.TP
+.BI \-j \ lineno
+Jump to the specified line number in the LDIF file before processing
+any entries. This allows a load that was aborted due to errors in the
+input LDIF to be resumed after the errors are corrected.
+.TP
+.BI \-l \ ldif-file
+Read LDIF from the specified file instead of standard input.
+.TP
+.BI \-n \ dbnum
+Add entries to the \fIdbnum\fR-th database listed in the
+configuration file. The
+.B \-n
+cannot be used in conjunction with the
+.B \-b
+option.
+To populate the config database
+.BR slapd\-config (5),
+use
+.B \-n 0
+as it is always the first database. It must physically exist
+on the filesystem prior to this, however.
+.TP
+.BI \-o \ option\fR[ = value\fR]
+Specify an
+.I option
+with a(n optional)
+.IR value .
+Possible generic options/values are:
+.LP
+.nf
+ syslog=<subsystems> (see `\-s' in slapd(8))
+ syslog\-level=<level> (see `\-S' in slapd(8))
+ syslog\-user=<user> (see `\-l' in slapd(8))
+
+ schema-check={yes|no}
+ value-check={yes|no}
+
+.in
+The \fIschema\-check\fR option toggles schema checking (default on);
+the \fIvalue\-check\fR option toggles value checking (default off).
+The latter is incompatible with \fB-q\fR.
+.TP
+.B \-q
+enable quick (fewer integrity checks) mode. Does fewer consistency checks
+on the input data, and no consistency checks when writing the database.
+Improves the load time but if any errors or interruptions occur the resulting
+database will be unusable.
+.TP
+.B \-s
+disable schema checking. This option is intended to be used when loading
+databases containing special objects, such as fractional objects on a
+partial consumer. Loading normal objects which do not conform to
+schema may result in unexpected and ill behavior.
+.TP
+.BI \-S \ SID
+Server ID to use in generated entryCSN. Also used for contextCSN
+if \fB\-w\fP is set as well. Defaults to \fB0\fP.
+.TP
+.B \-u
+enable dry-run (don't write to backend) mode.
+.TP
+.B \-v
+enable verbose mode.
+.TP
+.BI \-w
+write syncrepl context information.
+After all entries are added, the contextCSN
+will be updated with the greatest CSN in the database.
+.SH LIMITATIONS
+Your
+.BR slapd (8)
+should not be running
+when you do this to ensure consistency of the database.
+.LP
+.B slapadd
+may not provide naming or schema checks. It is advisable to
+use
+.BR ldapadd (1)
+when adding new entries into an existing directory.
+.SH EXAMPLES
+To import the entries specified in file
+.B ldif
+into your
+.BR slapd (8)
+database give the command:
+.LP
+.nf
+.ft tt
+ SBINDIR/slapadd \-l ldif
+.ft
+.fi
+.SH "SEE ALSO"
+.BR ldap (3),
+.BR ldif (5),
+.BR slapcat (8),
+.BR slapindex (8),
+.BR slapmodify (8),
+.BR ldapadd (1),
+.BR slapd (8)
+.LP
+"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
+.SH ACKNOWLEDGEMENTS
+.so ../Project
diff --git a/doc/man/man8/slapauth.8 b/doc/man/man8/slapauth.8
new file mode 100644
index 0000000..17e529e
--- /dev/null
+++ b/doc/man/man8/slapauth.8
@@ -0,0 +1,152 @@
+.TH SLAPAUTH 8C "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 2004-2022 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
+.SH NAME
+slapauth \- Check a list of string-represented IDs for LDAP authc/authz
+.SH SYNOPSIS
+.B SBINDIR/slapauth
+[\c
+.BI \-d \ debug-level\fR]
+[\c
+.BI \-f \ slapd.conf\fR]
+[\c
+.BI \-F \ confdir\fR]
+[\c
+.BI \-M \ mech\fR]
+[\c
+.BI \-o \ option\fR[ = value\fR]]
+[\c
+.BI \-R \ realm\fR]
+[\c
+.BI \-U \ authcID\fR]
+[\c
+.BR \-v ]
+[\c
+.BI \-X \ authzID\fR]
+.IR ID \ [ ... ]
+.LP
+.SH DESCRIPTION
+.LP
+.B Slapauth
+is used to check the behavior of the slapd in mapping identities
+for authentication and authorization purposes, as specified in
+.BR slapd.conf (5).
+It opens the
+.BR slapd.conf (5)
+configuration file or the
+.BR slapd\-config (5)
+backend, reads in the
+.BR authz\-policy / olcAuthzPolicy
+and
+.BR authz\-regexp / olcAuthzRegexp
+directives, and then parses the
+.I ID
+list given on the command-line.
+.LP
+.SH OPTIONS
+.TP
+.BI \-d \ debug-level
+enable debugging messages as defined by the specified
+.IR debug-level ;
+see
+.BR slapd (8)
+for details.
+.TP
+.BI \-f \ slapd.conf
+specify an alternative
+.BR slapd.conf (5)
+file.
+.TP
+.BI \-F \ confdir
+specify a config directory.
+If both
+.B \-f
+and
+.B \-F
+are specified, the config file will be read and converted to
+config directory format and written to the specified directory.
+If neither option is specified, an attempt to read the
+default config directory will be made before trying to use the default
+config file. If a valid config directory exists then the
+default config file is ignored.
+.TP
+.BI \-M \ mech
+specify a mechanism.
+.TP
+.BI \-o \ option\fR[ = value\fR]
+Specify an
+.I option
+with a(n optional)
+.IR value .
+Possible generic options/values are:
+.LP
+.nf
+ syslog=<subsystems> (see `\-s' in slapd(8))
+ syslog\-level=<level> (see `\-S' in slapd(8))
+ syslog\-user=<user> (see `\-l' in slapd(8))
+
+.fi
+.TP
+.BI \-R \ realm
+specify a realm.
+.TP
+.BI \-U \ authcID
+specify an ID to be used as
+.I authcID
+throughout the test session.
+If present, and if no
+.I authzID
+is given, the IDs in the ID list are treated as
+.IR authzID .
+.TP
+.BI \-X \ authzID
+specify an ID to be used as
+.I authzID
+throughout the test session.
+If present, and if no
+.I authcID
+is given, the IDs in the ID list are treated as
+.IR authcID .
+If both
+.I authcID
+and
+.I authzID
+are given via command line switch, the ID list cannot be present.
+.TP
+.B \-v
+enable verbose mode.
+.SH EXAMPLES
+The command
+.LP
+.nf
+.ft tt
+ SBINDIR/slapauth \-f /ETCDIR/slapd.conf \-v \\
+ \-U bjorn \-X u:bjensen
+
+.ft
+.fi
+tests whether the user
+.I bjorn
+can assume the identity of the user
+.I bjensen
+provided the directives
+.LP
+.nf
+.ft tt
+ authz\-policy from
+ authz\-regexp "^uid=([^,]+).*,cn=auth$"
+ "ldap:///dc=example,dc=net??sub?uid=$1"
+
+.ft
+.fi
+are defined in
+.BR slapd.conf (5).
+.SH "SEE ALSO"
+.BR ldap (3),
+.BR slapd (8),
+.BR slaptest (8)
+.LP
+"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
+.SH ACKNOWLEDGEMENTS
+.so ../Project
diff --git a/doc/man/man8/slapcat.8 b/doc/man/man8/slapcat.8
new file mode 100644
index 0000000..c836a04
--- /dev/null
+++ b/doc/man/man8/slapcat.8
@@ -0,0 +1,203 @@
+.TH SLAPCAT 8C "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
+.SH NAME
+slapcat \- SLAPD database to LDIF utility
+.SH SYNOPSIS
+.B SBINDIR/slapcat
+[\c
+.BI \-a filter\fR]
+[\c
+.BI \-b suffix\fR]
+[\c
+.BR \-c ]
+[\c
+.BI \-d debug-level\fR]
+[\c
+.BI \-f slapd.conf\fR]
+[\c
+.BI \-F confdir\fR]
+[\c
+.BR \-g ]
+[\c
+.BI \-H URI\fR]
+[\c
+.BI \-l ldif-file\fR]
+[\c
+.BI \-n dbnum\fR]
+[\c
+.BI \-o option\fR[ = value\fR]]
+[\c
+.BI \-s subtree-dn\fR]
+[\c
+.BR \-v ]
+.LP
+.SH DESCRIPTION
+.LP
+.B Slapcat
+is used to generate an LDAP Directory Interchange Format
+(LDIF) output based upon the contents of a
+.BR slapd (8)
+database.
+It opens the given database determined by the database number or
+suffix and writes the corresponding LDIF to standard output or
+the specified file.
+Databases configured as
+.B subordinate
+of this one are also output, unless \fB\-g\fP is specified.
+.LP
+The entry records are presented in database order, not superior first
+order. The entry records will include all (user and operational)
+attributes stored in the database. The entry records will not include
+dynamically generated attributes (such as subschemaSubentry).
+.LP
+The output of slapcat is intended to be used as input to
+.BR slapadd (8).
+The output of slapcat cannot generally be used as input to
+.BR ldapadd (1)
+or other LDAP clients without first editing the output.
+This editing would normally include reordering the records
+into superior first order and removing no-user-modification
+operational attributes.
+.SH OPTIONS
+.TP
+.BI \-a \ filter
+Only dump entries matching the asserted filter.
+For example
+
+slapcat \-a \\
+ "(!(entryDN:dnSubtreeMatch:=ou=People,dc=example,dc=com))"
+
+will dump all but the "ou=People,dc=example,dc=com" subtree
+of the "dc=example,dc=com" database.
+Deprecated; use \fB-H\fP \fIldap:///???(filter)\fP instead.
+.TP
+.BI \-b \ suffix
+Use the specified \fIsuffix\fR to determine which database to
+generate output for. By default, the first database that supports the requested
+operation is used. The \fB\-b\fP cannot be used in conjunction with the
+.B \-n
+option.
+.TP
+.B \-c
+Enable continue (ignore errors) mode.
+Multiple occurrences of
+.B \-c
+make
+.BR slapcat (8)
+try harder.
+.TP
+.BI \-d \ debug-level
+Enable debugging messages as defined by the specified
+.IR debug-level ;
+see
+.BR slapd (8)
+for details.
+.TP
+.BI \-f \ slapd.conf
+Specify an alternative
+.BR slapd.conf (5)
+file.
+.TP
+.BI \-F \ confdir
+specify a config directory.
+If both
+.B \-f
+and
+.B \-F
+are specified, the config file will be read and converted to
+config directory format and written to the specified directory.
+If neither option is specified, an attempt to read the
+default config directory will be made before trying to use the default
+config file. If a valid config directory exists then the
+default config file is ignored.
+.TP
+.B \-g
+disable subordinate gluing. Only the specified database will be
+processed, and not its glued subordinates (if any).
+.TP
+.B \-H \ URI
+use dn, scope and filter from URI to only handle matching entries.
+.TP
+.BI \-l \ ldif-file
+Write LDIF to specified file instead of standard output.
+.TP
+.BI \-n \ dbnum
+Generate output for the \fIdbnum\fR-th database listed in the
+configuration file. The config database
+.BR slapd\-config (5),
+is always the first database, so use
+.B \-n 0
+to select it.
+
+The
+.B \-n
+cannot be used in conjunction with the
+.B \-b
+option.
+.TP
+.BI \-o \ option\fR[ = value\fR]
+Specify an
+.I option
+with a(n optional)
+.IR value .
+Possible generic options/values are:
+.LP
+.nf
+ syslog=<subsystems> (see `\-s' in slapd(8))
+ syslog\-level=<level> (see `\-S' in slapd(8))
+ syslog\-user=<user> (see `\-l' in slapd(8))
+
+ ldif_wrap={no|<n>}
+
+.in
+\fIn\fP is the number of columns allowed for the LDIF output
+(\fIn\fP equal to \fI0\fP uses the default, corresponding to 78).
+The minimum is 2, leaving space for one character and one
+continuation character.
+Use \fIno\fP for no wrap.
+.TP
+.BI \-s \ subtree-dn
+Only dump entries in the subtree specified by this DN.
+Implies \fB\-b\fP \fIsubtree-dn\fP if no
+.B \-b
+or
+.B \-n
+option is given.
+Deprecated; use \fB-H\fP \fIldap:///subtree-dn\fP instead.
+.TP
+.B \-v
+Enable verbose mode.
+.SH LIMITATIONS
+For some backend types, your
+.BR slapd (8)
+should not be running (at least, not in read-write
+mode) when you do this to ensure consistency of the database. It is
+always safe to run
+.B slapcat
+with the
+.BR slapd\-mdb (5),
+and
+.BR slapd\-null (5)
+backends.
+.SH EXAMPLES
+To make a text backup of your SLAPD database and put it in a file called
+.BR ldif ,
+give the command:
+.LP
+.nf
+.ft tt
+ SBINDIR/slapcat \-l ldif
+.ft
+.fi
+.SH "SEE ALSO"
+.BR ldap (3),
+.BR ldif (5),
+.BR slapadd (8),
+.BR ldapadd (1),
+.BR slapd (8)
+.LP
+"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
+.SH ACKNOWLEDGEMENTS
+.so ../Project
diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8
new file mode 100644
index 0000000..809f9e7
--- /dev/null
+++ b/doc/man/man8/slapd.8
@@ -0,0 +1,379 @@
+.TH SLAPD 8C "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
+.SH NAME
+slapd \- Stand-alone LDAP Daemon
+.SH SYNOPSIS
+.B LIBEXECDIR/slapd
+[\c
+.BR \-V [ V [ V ]]
+[\c
+.BR \-4 | \-6 ]
+[\c
+.BR \-T \ { acl \||\| a [ dd ]\||\| auth \||\| c [ at ]\||\|
+.BR d [ n ]\||\| i [ ndex ]\||\| m [ odify ]\||\| p [ asswd ]\||\| s [ chema ]\||\| t [ est ]}]
+[\c
+.BI \-d \ debug-level\fR]
+[\c
+.BI \-f \ slapd-config-file\fR]
+[\c
+.BI \-F \ slapd-config-directory\fR]
+[\c
+.BI \-h \ URLs\fR]
+[\c
+.BI \-n \ service-name\fR]
+[\c
+.BI \-s \ syslog-level\fR]
+[\c
+.BI \-l \ syslog-local-user\fR]
+[\c
+.BI \-o \ option\fR[ = value\fR]]
+[\c
+.BI \-r \ directory\fR]
+[\c
+.BI \-u \ user\fR]
+[\c
+.BI \-g \ group\fR]
+[\c
+.BI \-c \ cookie\fR]
+.SH DESCRIPTION
+.LP
+.B Slapd
+is the stand-alone LDAP daemon. It listens for LDAP connections on
+any number of ports (default \fB389\fP), responding
+to the LDAP operations it receives over these connections.
+.B slapd
+is typically invoked at boot time, usually out of
+.BR /etc/rc.local .
+Upon startup,
+.B slapd
+normally forks and disassociates itself from the invoking tty.
+If configured in the config file (or config directory),
+the
+.B slapd
+process will print its process ID (see
+.BR getpid (2))
+to a
+.B .pid
+file, as well as the command line options during invocation to an
+.B .args
+file (see
+.BR slapd.conf (5)).
+If the
+.B \-d
+flag is given, even with a zero argument,
+.B slapd
+will not fork and disassociate from the invoking tty.
+.LP
+See the "OpenLDAP Administrator's Guide" for more details on
+.BR slapd .
+.SH OPTIONS
+.TP
+.BR \-V [ V [ V ]]
+Print version info and proceed with startup.
+If \fB\-VV\fP is given, exit after providing version info. If \fB\-VVV\fP is
+given, additionally provide information on static overlays and backends.
+.TP
+.B \-4
+Listen on IPv4 addresses only.
+.TP
+.B \-6
+Listen on IPv6 addresses only.
+.TP
+.BI \-T \ tool
+Run in Tool mode. The \fItool\fP argument selects whether to run as
+.IR slapadd ,
+.IR slapcat ,
+.IR slapdn ,
+.IR slapindex ,
+.IR slapmodify ,
+.IR slappasswd ,
+.IR slapschema ,
+or
+.I slaptest
+(\fIslapacl\fP and \fIslapauth\fP need the entire \fBacl\fP and \fBauth\fP
+option value to be spelled out, as \fBa\fP is reserved to
+.IR slapadd ).
+This option should be the first option specified when it is used;
+any remaining options will be interpreted by the corresponding
+slap tool program, according to the respective man pages.
+Note that these tool programs will usually be symbolic links to
+.BR slapd .
+This option is provided for situations where symbolic links
+are not provided or not usable.
+.TP
+.BI \-d \ debug-level
+Turn on debugging as defined by
+.IR debug-level .
+If this option is specified, even with a zero argument,
+.B slapd
+will not fork or disassociate from the invoking terminal. Some general
+operation and status messages are printed for any value of \fIdebug-level\fP.
+\fIdebug-level\fP is taken as a bit string, with each bit corresponding to a
+different kind of debugging information. See <ldap_log.h> for details.
+Comma-separated arrays of friendly names can be specified to select
+debugging output of the corresponding debugging information.
+All the names recognized by the \fIloglevel\fP directive
+described in \fBslapd.conf\fP(5) are supported.
+If \fIdebug-level\fP is \fB?\fP, a list of installed debug-levels is printed,
+and slapd exits.
+
+Remember that if you turn on packet logging, packets containing bind passwords
+will be output, so if you redirect the log to a logfile, that file should
+be read-protected.
+.TP
+.BI \-s \ syslog-level
+This option tells
+.B slapd
+at what debug-level debugging statements should be logged to the
+.BR syslog (8)
+facility.
+The value \fIsyslog-level\fP can be set to any value or combination
+allowed by the \fB\-d\fP switch.
+Slapd logs all messages selected by \fIsyslog-level\fP
+at the
+.BR syslog (3)
+severity debug-level \fBDEBUG\fP,
+on the unit specified with \fB\-l\fP.
+.TP
+.BI \-n \ service-name
+Specifies the service name for logging and other purposes. Defaults
+to basename of argv[0], i.e.: "slapd".
+.TP
+.BI \-l \ syslog-local-user
+Selects the local user of the
+.BR syslog (8)
+facility. Value can be
+.BR LOCAL0 ,
+through
+.BR LOCAL7 ,
+as well as
+.B USER
+and
+.BR DAEMON .
+The default is
+.BR LOCAL4 .
+However, this option is only permitted on systems that support
+local users with the
+.BR syslog (8)
+facility.
+Logging to syslog(8) occurs at the "DEBUG" severity debug-level.
+.TP
+.BI \-f \ slapd-config-file
+Specifies the slapd configuration file. The default is
+.BR ETCDIR/slapd.conf .
+.TP
+.BI \-F \ slapd-config-directory
+Specifies the slapd configuration directory. The default is
+.BR ETCDIR/slapd.d .
+If both
+.B \-f
+and
+.B \-F
+are specified, the config file will be read and converted to
+config directory format and written to the specified directory.
+If neither option is specified, slapd will attempt to read the
+default config directory before trying to use the default
+config file. If a valid config directory exists then the
+default config file is ignored. All of the slap tools that
+use the config options observe this same behavior.
+.TP
+.BI \-h \ URLlist
+.B slapd
+will by default serve
+.B ldap:///
+(LDAP over TCP on all interfaces on default LDAP port). That is,
+it will bind using INADDR_ANY and port \fB389\fP.
+The
+.B \-h
+option may be used to specify LDAP (and other scheme) URLs to serve.
+For example, if slapd is given
+.BR "\-h \(dqldap://127.0.0.1:9009/ ldaps:/// ldapi:///\(dq" ,
+it will listen on 127.0.0.1:9009 for LDAP, 0.0.0.0:636 for LDAP over TLS,
+and LDAP over IPC (Unix domain sockets). Host 0.0.0.0 represents
+INADDR_ANY (any interface).
+A space separated list of URLs is expected. The URLs should be of the LDAP,
+PLDAP, LDAPS, PLDAPS, or LDAPI schemes, and generally without a DN or other
+optional parameters (excepting as discussed below). Support for the latter
+three schemes depends on selected configuration options. Hosts may be specified
+by name or IPv4 and IPv6 address formats. Ports, if specified, must be
+numeric. The default ldap:// port is \fB389\fP and the default ldaps:// port
+is \fB636\fP, same for the proxy enabled variants.
+
+The PLDAP and PLDAPS URL schemes provide support for the HAProxy proxy protocol
+version 2, which allows a load balancer or proxy server to provide the remote
+client IP address to slapd to be used for access control or logging. Ports
+configured for PLDAP or PLDAPS will only accept connections that include the
+necessary proxy protocol header. Connections to these ports should be
+restricted at the network level to only trusted load balancers or proxies to
+avoid spoofing of client IP addresses by third parties.
+
+For LDAP over IPC,
+.B name
+is the name of the socket, and no
+.B port
+is required, nor allowed; note that directory separators must be
+URL-encoded, like any other characters that are special to URLs;
+so the socket
+
+ /usr/local/var/ldapi
+
+must be specified as
+
+ ldapi://%2Fusr%2Flocal%2Fvar%2Fldapi
+
+The default location for the IPC socket is LOCALSTATEDIR/run/ldapi
+
+The listener permissions are indicated by
+"x\-mod=\-rwxrwxrwx", "x\-mod=0777" or "x\-mod=777", where any
+of the "rwx" can be "\-" to suppress the related permission, while any
+of the "7" can be any legal octal digit, according to chmod(1).
+The listeners can take advantage of the "x\-mod"
+extension to apply rough limitations to operations, e.g. allow read operations
+("r", which applies to search and compare), write operations ("w",
+which applies to add, delete, modify and modrdn), and execute operations
+("x", which means bind is required).
+"User" permissions apply to authenticated users, while "other" apply
+to anonymous users; "group" permissions are ignored.
+For example, "ldap:///????x\-mod=\-rw\-\-\-\-\-\-\-" means that read and write is only allowed
+for authenticated connections, and bind is required for all operations.
+This feature is experimental, and requires to be manually enabled
+at configure time.
+.TP
+.BI \-r \ directory
+Specifies a directory to become the root directory. slapd will
+change the current working directory to this directory and
+then
+.BR chroot (2)
+to this directory. This is done after opening listeners but before
+reading any configuration file or initializing any backend. When
+used as a security mechanism, it should be used in conjunction with
+.B \-u
+and
+.B \-g
+options.
+.TP
+.BI \-u \ user
+.B slapd
+will run slapd with the specified user name or id, and that user's
+supplementary group access list as set with initgroups(3). The group ID
+is also changed to this user's gid, unless the \fB\-g\fP option is used to
+override. Note when used with
+.BR \-r ,
+slapd will use the user database in the change root environment.
+
+Note that on some systems, running as a non-privileged user will prevent
+passwd back-ends from accessing the encrypted passwords. Note also that
+any shell back-ends will run as the specified non-privileged user.
+.TP
+.BI \-g \ group
+.B slapd
+will run with the specified group name or id. Note when used with
+.BR \-r ,
+slapd will use the group database in the change root environment.
+.TP
+.BI \-c \ cookie
+This option provides a cookie for the syncrepl replication consumer.
+The cookie is a comma separated list of \fIname=value\fP pairs.
+Currently supported syncrepl cookie fields are
+.BR rid ,
+.BR sid ,
+and
+.BR csn .
+.B rid
+identifies a replication thread within the consumer server
+and is used to find the syncrepl specification in
+.BR slapd.conf (5)
+or
+.BR slapd\-config (5)
+having the matching replication identifier in its definition. The
+.B rid
+must be provided in order for any other specified values to be used.
+.B sid
+is the server id in a multi-provider configuration.
+.B csn
+is the commit sequence number received by a previous synchronization
+and represents the state of the consumer content which the
+syncrepl engine will synchronize to the current provider content.
+In case of \fImulti-provider\fP replication agreement,
+multiple
+.B csn
+values, semicolon separated, can appear.
+Use only the
+.B rid
+part to force a full reload.
+.TP
+.BI \-o \ option\fR[ = value\fR]
+This option provides a generic means to specify options without the need to reserve
+a separate letter for them.
+
+It supports the following options:
+.RS
+.TP
+.BR slp= { on \||\| off \||\| \fIslp-attrs\fP }
+When SLP support is compiled into slapd, disable it (\fBoff\fP),
+ enable it by registering at SLP DAs without specific SLP attributes (\fBon\fP),
+or with specific SLP attributes
+.I slp-attrs
+that must be an SLP attribute list definition according to the SLP standard.
+
+For example, \fB"slp=(tree=production),(server-type=OpenLDAP),(server\-version=2.4.15)"\fP
+registers at SLP DAs with the three SLP attributes tree, server-type and server-version
+that have the values given above.
+This allows one to specifically query the SLP DAs for LDAP servers holding the
+.I production
+tree in case multiple trees are available.
+.RE
+.SH EXAMPLES
+To start
+.I slapd
+and have it fork and detach from the terminal and start serving
+the LDAP databases defined in the default config file, just type:
+.LP
+.nf
+.ft tt
+ LIBEXECDIR/slapd
+.ft
+.fi
+.LP
+To start
+.B slapd
+with an alternate configuration file, and turn
+on voluminous debugging which will be printed on standard error, type:
+.LP
+.nf
+.ft tt
+ LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
+.ft
+.fi
+.LP
+To test whether the configuration file is correct or not, type:
+.LP
+.nf
+.ft tt
+ LIBEXECDIR/slapd \-Tt
+.ft
+.fi
+.LP
+.SH "SEE ALSO"
+.BR ldap (3),
+.BR slapd.conf (5),
+.BR slapd\-config (5),
+.BR slapd.access (5),
+.BR slapacl (8),
+.BR slapadd (8),
+.BR slapauth (8),
+.BR slapcat (8),
+.BR slapdn (8),
+.BR slapindex (8),
+.BR slapmodify (8),
+.BR slappasswd (8),
+.BR slapschema (8),
+.BR slaptest (8).
+.LP
+"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
+.SH BUGS
+See http://www.openldap.org/its/
+.SH ACKNOWLEDGEMENTS
+.so ../Project
diff --git a/doc/man/man8/slapdn.8 b/doc/man/man8/slapdn.8
new file mode 100644
index 0000000..424bf83
--- /dev/null
+++ b/doc/man/man8/slapdn.8
@@ -0,0 +1,108 @@
+.TH SLAPDN 8C "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 2004-2022 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
+.SH NAME
+slapdn \- Check a list of string-represented LDAP DNs based on schema syntax
+.SH SYNOPSIS
+.B SBINDIR/slapdn
+[\c
+.BI \-d \ debug-level\fR]
+[\c
+.BI \-f \ slapd.conf\fR]
+[\c
+.BI \-F \ confdir\fR]
+[\c
+.BR \-N | \-P ]
+[\c
+.BI \-o \ option\fR[ = value\fR]]
+[\c
+.BR \-v ]
+.IR DN \ [...]
+.LP
+.SH DESCRIPTION
+.LP
+.B Slapdn
+is used to check the conformance of a DN based on the schema
+defined in
+.BR slapd (8)
+and that loaded via
+.BR slapd.conf (5).
+It opens the
+.BR slapd.conf (5)
+configuration file or the slapd\-config (5) backend, reads in the schema definitions, and then
+parses the
+.I DN
+list given on the command-line.
+.LP
+.SH OPTIONS
+.TP
+.BI \-d \ debug-level
+enable debugging messages as defined by the specified
+.IR debug-level ;
+see
+.BR slapd (8)
+for details.
+.TP
+.BI \-f \ slapd.conf
+specify an alternative
+.BR slapd.conf (5)
+file.
+.TP
+.BI \-F \ confdir
+specify a config directory.
+If both
+.B \-f
+and
+.B \-F
+are specified, the config file will be read and converted to
+config directory format and written to the specified directory.
+If neither option is specified, an attempt to read the
+default config directory will be made before trying to use the default
+config file. If a valid config directory exists then the
+default config file is ignored.
+.TP
+.BI \-N
+only output a normalized form of the \fIDN\fP, suitable to be used
+in a normalization tool; incompatible with
+.BR \-P .
+.TP
+.BI \-o \ option\fR[ = value\fR]
+Specify an
+.I option
+with a(n optional)
+.IR value .
+Possible generic options/values are:
+.LP
+.nf
+ syslog=<subsystems> (see `\-s' in slapd(8))
+ syslog\-level=<level> (see `\-S' in slapd(8))
+ syslog\-user=<user> (see `\-l' in slapd(8))
+
+.fi
+.TP
+.BI \-P
+only output a prettified form of the \fIDN\fP, suitable to be used
+in a check and beautification tool; incompatible with
+.BR \-N .
+.TP
+.B \-v
+enable verbose mode.
+.SH EXAMPLES
+To check a
+.B DN
+give the command:
+.LP
+.nf
+.ft tt
+ SBINDIR/slapdn \-f /ETCDIR/slapd.conf \-v DN
+.ft
+.fi
+.SH "SEE ALSO"
+.BR ldap (3),
+.BR slapd (8),
+.BR slaptest (8)
+.LP
+"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
+.SH ACKNOWLEDGEMENTS
+.so ../Project
diff --git a/doc/man/man8/slapindex.8 b/doc/man/man8/slapindex.8
new file mode 100644
index 0000000..9cadb64
--- /dev/null
+++ b/doc/man/man8/slapindex.8
@@ -0,0 +1,178 @@
+.TH SLAPINDEX 8C "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
+.SH NAME
+slapindex \- Reindex entries in a SLAPD database
+.SH SYNOPSIS
+.B SBINDIR/slapindex
+[\c
+.BI \-b \ suffix\fR]
+[\c
+.BR \-c ]
+[\c
+.BI \-d \ debug-level\fR]
+[\c
+.BI \-f \ slapd.conf\fR]
+[\c
+.BI \-F \ confdir\fR]
+[\c
+.BR \-g ]
+[\c
+.BI \-n \ dbnum\fR]
+[\c
+.BI \-o \ option\fR[ = value\fR]]
+[\c
+.BR \-q ]
+[\c
+.BR \-t ]
+[\c
+.BR \-v ]
+[\c
+.IR attr [ ... ]]
+.B
+.LP
+.SH DESCRIPTION
+.LP
+.B Slapindex
+is used to regenerate
+.BR slapd (8)
+indices based upon the current contents of a database.
+It opens the given database determined by the database number or
+suffix and updates the indices for all values of all attributes
+of all entries. If a list of specific attributes is provided
+on the command line, only the indices for those attributes will
+be regenerated.
+Databases configured as
+.B subordinate
+of this one are also re-indexed, unless \fB\-g\fP is specified.
+
+All files eventually created by
+.BR slapindex
+will belong to the identity
+.BR slapindex
+is run as, so make sure you either run
+.BR slapindex
+with the same identity
+.BR slapd (8)
+will be run as (see option
+.B \-u
+in
+.BR slapd (8)),
+or change file ownership before running
+.BR slapd (8).
+.SH OPTIONS
+.TP
+.BI \-b \ suffix
+Use the specified \fIsuffix\fR to determine which database to
+generate output for. By default, the first database that supports the requested
+operation is used. The \fB\-b\fP cannot be used in conjunction with the
+.B \-n
+option.
+.TP
+.B \-c
+enable continue (ignore errors) mode.
+.TP
+.BI \-d \ debug-level
+enable debugging messages as defined by the specified
+.IR debug-level ;
+see
+.BR slapd (8)
+for details.
+.TP
+.BI \-f \ slapd.conf
+specify an alternative
+.BR slapd.conf (5)
+file.
+.TP
+.BI \-F \ confdir
+specify a config directory.
+If both
+.B \-f
+and
+.B \-F
+are specified, the config file will be read and converted to
+config directory format and written to the specified directory.
+If neither option is specified, an attempt to read the
+default config directory will be made before trying to use the default
+config file. If a valid config directory exists then the
+default config file is ignored.
+.TP
+.B \-g
+disable subordinate gluing. Only the specified database will be
+processed, and not its glued subordinates (if any).
+.TP
+.BI \-n \ dbnum
+Generate output for the \fIdbnum\fR-th database listed in the
+configuration file. The config database
+.BR slapd\-config (5),
+is always the first database, so use
+.B \-n 0
+
+The
+.B \-n
+cannot be used in conjunction with the
+.B \-b
+option.
+.TP
+.BI \-o \ option\fR[ = value\fR]
+Specify an
+.I option
+with a(n optional)
+.IR value .
+Possible generic options/values are:
+.LP
+.nf
+ syslog=<subsystems> (see `\-s' in slapd(8))
+ syslog\-level=<level> (see `\-S' in slapd(8))
+ syslog\-user=<user> (see `\-l' in slapd(8))
+
+.fi
+.TP
+.B \-q
+enable quick (fewer integrity checks) mode. Performs no consistency checks
+when writing the database. Improves indexing time,
+.B however
+the database will most likely be unusable if any errors or
+interruptions occur.
+.TP
+.B \-t
+enable truncate mode. Truncates (empties) an index database before indexing
+any entries. May only be used with back-mdb.
+.TP
+.B \-v
+enable verbose mode.
+.SH LIMITATIONS
+Your
+.BR slapd (8)
+should not be running (at least, not in read-write
+mode) when you do this to ensure consistency of the database.
+.LP
+This command provides ample opportunity for the user to obtain
+and drink their favorite beverage.
+.SH EXAMPLES
+To reindex your SLAPD database, give the command:
+.LP
+.nf
+.ft tt
+ SBINDIR/slapindex
+.ft
+.fi
+To regenerate the index for only a specific attribute, e.g. "uid",
+give the command:
+.LP
+.nf
+.ft tt
+ SBINDIR/slapindex uid
+.ft
+.fi
+.SH "SEE ALSO"
+.BR ldap (3),
+.BR ldif (5),
+.BR slapadd (8),
+.BR ldapadd (1),
+.BR slapd (8)
+.LP
+"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
+.SH ACKNOWLEDGEMENTS
+.so ../Project
diff --git a/doc/man/man8/slapmodify.8 b/doc/man/man8/slapmodify.8
new file mode 100644
index 0000000..98069be
--- /dev/null
+++ b/doc/man/man8/slapmodify.8
@@ -0,0 +1,222 @@
+.TH SLAPMODIFY 8C "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
+.SH NAME
+slapmodify \- Modify entries in a SLAPD database
+.SH SYNOPSIS
+.B SBINDIR/slapmodify
+[\c
+.BI \-b \ suffix\fR]
+[\c
+.BR \-c ]
+[\c
+.BI \-d \ debug-level\fR]
+[\c
+.BI \-f \ slapd.conf\fR]
+[\c
+.BI \-F \ confdir\fR]
+[\c
+.BR \-g ]
+[\c
+.BI \-j \ lineno\fR]
+[\c
+.BI \-l \ ldif-file\fR]
+[\c
+.BI \-n \ dbnum\fR]
+[\c
+.BI \-o \ option\fR[ = value\fR]]
+[\c
+.BR \-q ]
+[\c
+.BR \-s ]
+[\c
+.BI \-S \ SID\fR]
+[\c
+.BR \-u ]
+[\c
+.BR \-v ]
+[\c
+.BR \-w ]
+.SH DESCRIPTION
+.LP
+.B Slapmodify
+is used to apply modifications specified in LDAP Directory Interchange Format
+(LDIF) to a
+.BR slapd (8)
+database.
+It opens the given database determined by the database number or
+suffix and performs modifications corresponding to the provided LDIF to
+the database.
+Databases configured as
+.B subordinate
+of this one are also updated, unless \fB\-g\fP is specified.
+The LDIF input is read from standard input or the specified file.
+
+All files eventually created by
+.BR slapmodify
+will belong to the identity
+.BR slapmodify
+is run as, so make sure you either run
+.BR slapmodify
+with the same identity
+.BR slapd (8)
+will be run as (see option
+.B \-u
+in
+.BR slapd (8)),
+or change file ownership before running
+.BR slapd (8).
+
+Note: slapmodify will also perform the relevant indexing whilst modifying the database if
+any are configured. For specific details, please see
+.BR slapindex (8).
+.SH OPTIONS
+.TP
+.BI \-b \ suffix
+Use the specified \fIsuffix\fR to determine which database to
+add entries to. The \fB\-b\fP cannot be used in conjunction
+with the
+.B \-n
+option.
+.TP
+.B \-c
+enable continue (ignore errors) mode.
+.TP
+.BI \-d \ debug-level
+enable debugging messages as defined by the specified
+.IR debug-level ;
+see
+.BR slapd (8)
+for details.
+.TP
+.BI \-f \ slapd.conf
+specify an alternative
+.BR slapd.conf (5)
+file.
+.TP
+.BI \-F \ confdir
+specify a config directory.
+If both
+.B \-f
+and
+.B \-F
+are specified, the config file will be read and converted to
+config directory format and written to the specified directory.
+If neither option is specified, an attempt to read the
+default config directory will be made before trying to use the default
+config file. If a valid config directory exists then the
+default config file is ignored. If dry-run mode is also specified,
+no conversion will occur.
+.TP
+.B \-g
+disable subordinate gluing. Only the specified database will be
+processed, and not its glued subordinates (if any).
+.TP
+.BI \-j \ lineno
+Jump to the specified line number in the LDIF file before processing
+any entries. This allows a modification that was aborted due to errors in the
+input LDIF to be resumed after the errors are corrected.
+.TP
+.BI \-l \ ldif-file
+Read LDIF from the specified file instead of standard input.
+.TP
+.BI \-n \ dbnum
+Perform changes on the \fIdbnum\fR-th database listed in the
+configuration file. The
+.B \-n
+cannot be used in conjunction with the
+.B \-b
+option.
+To manipulate the config database
+.BR slapd\-config (5),
+use
+.B \-n 0
+as it is always the first database. It must physically exist
+on the filesystem prior to this, however.
+.TP
+.BI \-o \ option\fR[ = value\fR]
+Specify an
+.I option
+with a(n optional)
+.IR value .
+Possible generic options/values are:
+.LP
+.nf
+ syslog=<subsystems> (see `\-s' in slapd(8))
+ syslog\-level=<level> (see `\-S' in slapd(8))
+ syslog\-user=<user> (see `\-l' in slapd(8))
+
+ schema-check={yes|no}
+ value-check={yes|no}
+
+.in
+The \fIschema\-check\fR option toggles schema checking (default on);
+the \fIvalue\-check\fR option toggles value checking (default off).
+The latter is incompatible with \fB-q\fR.
+.TP
+.B \-q
+enable quick (fewer integrity checks) mode. Does fewer consistency checks
+on the input data, and no consistency checks when writing the database.
+Improves the run time but if any errors or interruptions occur the resulting
+database will be unusable.
+.TP
+.B \-s
+disable schema checking. This option is intended to be used when
+manipulating databases containing special objects, such as fractional
+objects on a partial replica. Creating normal objects which do not
+conform to schema may result in unexpected and ill behavior.
+.TP
+.BI \-S \ SID
+Server ID to use in generated entryCSN. Also used for contextCSN
+if \fB\-w\fP is set as well. Defaults to \fB0\fP.
+.TP
+.B \-u
+enable dry-run (don't write to backend) mode.
+.TP
+.B \-v
+enable verbose mode.
+.TP
+.BI \-w
+write syncrepl context information.
+After all entries are added, the contextCSN
+will be updated with the greatest CSN in the database.
+.SH LIMITATIONS
+Your
+.BR slapd (8)
+should not be running
+when you do this to ensure consistency of the database.
+.LP
+Not all backends support all types of modification, \fImodrdn\fR
+changetype in particular is not implemented for any of the current
+backends.
+.LP
+.B slapmodify
+may not provide naming or schema checks. It is advisable to
+use
+.BR ldapmodify (1)
+when possible.
+.SH EXAMPLES
+To make modifications specified in file
+.B ldif
+into your
+.BR slapd (8)
+database give the command:
+.LP
+.nf
+.ft tt
+ SBINDIR/slapmodify \-l ldif
+.ft
+.fi
+.SH "SEE ALSO"
+.BR ldap (3),
+.BR ldif (5),
+.BR slapcat (8),
+.BR slapadd (8),
+.BR slapindex (8),
+.BR ldapmodify (1),
+.BR slapd (8)
+.LP
+"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
+.SH ACKNOWLEDGEMENTS
+.so ../Project
diff --git a/doc/man/man8/slappasswd.8 b/doc/man/man8/slappasswd.8
new file mode 100644
index 0000000..7bca21d
--- /dev/null
+++ b/doc/man/man8/slappasswd.8
@@ -0,0 +1,203 @@
+.TH SLAPPASSWD 8C "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
+.SH NAME
+slappasswd \- OpenLDAP password utility
+.SH SYNOPSIS
+.B SBINDIR/slappasswd
+[\c
+.BR \-v ]
+[\c
+.BR \-u ]
+[\c
+.BR \-g \||\| \-s \ \fIsecret\fR \||\| \fB\-T \ \fIfile\fR]
+[\c
+.BI \-h \ hash\fR]
+[\c
+.BI \-c \ salt-format\fR]
+[\c
+.BR \-n ]
+[\c
+.BI \-o \ option\fR[ = value\fR]]
+.LP
+.SH DESCRIPTION
+.LP
+.B Slappasswd
+is used to generate an userPassword value
+suitable for use with
+.BR ldapmodify (1),
+.BR slapd.conf (5)
+.I rootpw
+configuration directive or the
+.BR slapd\-config (5)
+.I olcRootPW
+configuration directive.
+.
+.SH OPTIONS
+.TP
+.B \-v
+enable verbose mode.
+.TP
+.B \-u
+Generate RFC 2307 userPassword values (the default). Future
+versions of this program may generate alternative syntaxes
+by default. This option is provided for forward compatibility.
+.TP
+.BI \-s \ secret
+The secret to hash.
+If this,
+.B \-g
+and
+.B \-T
+are absent, the user will be prompted for the secret to hash.
+.BR \-s ,
+.B \-g
+and
+.B \-T
+are mutually exclusive flags.
+.TP
+.BI \-g
+Generate the secret.
+If this,
+.B \-s
+and
+.B \-T
+are absent, the user will be prompted for the secret to hash.
+.BR \-s ,
+.B \-g
+and
+.B \-T
+are mutually exclusive flags.
+If this is present,
+.I {CLEARTEXT}
+is used as scheme.
+.B \-g
+and
+.B \-h
+are mutually exclusive flags.
+.TP
+.BI \-T \ "file"
+Hash the contents of the file.
+If this,
+.B \-g
+and
+.B \-s
+are absent, the user will be prompted for the secret to hash.
+.BR \-s ,
+.B \-g
+and
+.B \-T
+and mutually exclusive flags.
+.TP
+.BI \-h \ "scheme"
+If \fB\-h\fP is specified, one of the following RFC 2307 schemes may
+be specified:
+.BR {CRYPT} ,
+.BR {MD5} ,
+.BR {SMD5} ,
+.BR {SSHA} ", and"
+.BR {SHA} .
+The default is
+.BR {SSHA} .
+
+Note that scheme names may need to be protected, due to
+.B {
+and
+.BR } ,
+from expansion by the user's command interpreter.
+
+.B {SHA}
+and
+.B {SSHA}
+use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.
+
+.B {MD5}
+and
+.B {SMD5}
+use the MD5 algorithm (RFC 1321), the latter with a seed.
+
+.B {CRYPT}
+uses the
+.BR crypt (3).
+
+.B {CLEARTEXT}
+indicates that the new password should be added to userPassword as
+clear text.
+Unless
+.I {CLEARTEXT}
+is used, this flag is incompatible with option
+.BR \-g .
+.TP
+.BI \-c \ crypt-salt-format
+Specify the format of the salt passed to
+.BR crypt (3)
+when generating {CRYPT} passwords.
+This string needs to be in
+.BR sprintf (3)
+format and may include one (and only one)
+.B %s
+conversion.
+This conversion will be substituted with a string of random
+characters from [A\-Za\-z0\-9./]. For example,
+.RB ' %.2s '
+provides a two character salt and
+.RB ' $1$%.8s '
+tells some
+versions of
+.BR crypt (3)
+to use an MD5 algorithm and provides
+8 random characters of salt.
+The default is
+.RB ' %s ' ,
+which provides 31 characters of salt.
+.TP
+.BI \-n
+Omit the trailing newline; useful to pipe the credentials
+into a command.
+.TP
+.BI \-o \ option\fR[ = value\fR]
+Specify an
+.I option
+with a(n optional)
+.IR value .
+Possible generic options/values are:
+.LP
+.nf
+ module\-path=<pathspec> (see `\fBmodulepath\fP' in slapd.conf(5))
+ module\-load="<filename> [<arguments>...]" (see `\fBmoduleload\fP' in slapd.conf(5))
+
+.in
+You can load a dynamically loadable password hash module by
+using this option.
+.SH LIMITATIONS
+The practice of storing hashed passwords in userPassword violates
+Standard Track (RFC 4519) schema specifications and may hinder
+interoperability. A new attribute type, authPassword, to hold
+hashed passwords has been defined (RFC 3112), but is not yet
+implemented in
+.BR slapd (8).
+.LP
+It should also be noted that the behavior of
+.BR crypt (3)
+is platform specific.
+.SH "SECURITY CONSIDERATIONS"
+Use of hashed passwords does not protect passwords during
+protocol transfer. TLS or other eavesdropping protections
+should be in-place before using LDAP simple bind.
+.LP
+The hashed password values should be protected as if they
+were clear text passwords.
+.SH "SEE ALSO"
+.BR ldappasswd (1),
+.BR ldapmodify (1),
+.BR slapd (8),
+.BR slapd.conf (5),
+.BR slapd\-config (5),
+.B RFC 2307\fP,
+.B RFC 4519\fP,
+.B RFC 3112
+.LP
+"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
+.SH ACKNOWLEDGEMENTS
+.so ../Project
diff --git a/doc/man/man8/slapschema.8 b/doc/man/man8/slapschema.8
new file mode 100644
index 0000000..8b91f8a
--- /dev/null
+++ b/doc/man/man8/slapschema.8
@@ -0,0 +1,193 @@
+.TH SLAPSCHEMA 8C "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
+.SH NAME
+slapschema \- SLAPD in-database schema checking utility
+.SH SYNOPSIS
+.B SBINDIR/slapschema
+[\c
+.BI \-a filter\fR]
+[\c
+.BI \-b suffix\fR]
+[\c
+.BR \-c ]
+[\c
+.BI \-d debug-level\fR]
+[\c
+.BI \-f slapd.conf\fR]
+[\c
+.BI \-F confdir\fR]
+[\c
+.BR \-g ]
+[\c
+.BI \-H URI\fR]
+[\c
+.BI \-l error-file\fR]
+[\c
+.BI \-n dbnum\fR]
+[\c
+.BI \-o option\fR[ = value\fR]]
+[\c
+.BI \-s subtree-dn\fR]
+[\c
+.BR \-v ]
+.LP
+.SH DESCRIPTION
+.LP
+.B Slapschema
+is used to check schema compliance of the contents of a
+.BR slapd (8)
+database.
+It opens the given database determined by the database number or
+suffix and checks the compliance of its contents with the corresponding
+schema. Errors are written to standard output or the specified file.
+Databases configured as
+.B subordinate
+of this one are also output, unless \fB\-g\fP is specified.
+.LP
+Administrators may need to modify existing schema items, including
+adding new required attributes to objectClasses,
+removing existing required or allowed attributes from objectClasses,
+entirely removing objectClasses,
+or any other change that may result in making perfectly valid entries
+no longer compliant with the modified schema.
+The execution of the
+.B slapschema
+tool after modifying the schema can point out
+inconsistencies that would otherwise surface only when
+inconsistent entries need to be modified.
+
+.LP
+The entry records are checked in database order, not superior first
+order. The entry records will be checked considering all
+(user and operational) attributes stored in the database.
+Dynamically generated attributes (such as subschemaSubentry)
+will not be considered.
+.SH OPTIONS
+.TP
+.BI \-a \ filter
+Only check entries matching the asserted filter.
+For example
+
+slapschema \-a \\
+ "(!(entryDN:dnSubtreeMatch:=ou=People,dc=example,dc=com))"
+
+will check all but the "ou=People,dc=example,dc=com" subtree
+of the "dc=example,dc=com" database.
+Deprecated; use \fB-H\fP \fIldap:///???(filter)\fP instead.
+.TP
+.BI \-b \ suffix
+Use the specified \fIsuffix\fR to determine which database to
+check. By default, the first database that supports the requested operation is
+used. The \fB\-b\fP cannot be used in conjunction with the
+.B \-n
+option.
+.TP
+.B \-c
+Enable continue (ignore errors) mode.
+.TP
+.BI \-d \ debug-level
+Enable debugging messages as defined by the specified
+.IR debug-level ;
+see
+.BR slapd (8)
+for details.
+.TP
+.BI \-f \ slapd.conf
+Specify an alternative
+.BR slapd.conf (5)
+file.
+.TP
+.BI \-F \ confdir
+specify a config directory.
+If both
+.B \-f
+and
+.B \-F
+are specified, the config file will be read and converted to
+config directory format and written to the specified directory.
+If neither option is specified, an attempt to read the
+default config directory will be made before trying to use the default
+config file. If a valid config directory exists then the
+default config file is ignored.
+.TP
+.B \-g
+disable subordinate gluing. Only the specified database will be
+processed, and not its glued subordinates (if any).
+.TP
+.B \-H \ URI
+use dn, scope and filter from URI to only handle matching entries.
+.TP
+.BI \-l \ error-file
+Write errors to specified file instead of standard output.
+.TP
+.BI \-n \ dbnum
+Check the \fIdbnum\fR\-th database listed in the
+configuration file. The config database
+.BR slapd\-config (5),
+is always the first database, so use
+.B \-n 0
+
+The
+.B \-n
+cannot be used in conjunction with the
+.B \-b
+option.
+.TP
+.BI \-o \ option\fR[ = value\fR]
+Specify an
+.I option
+with a(n optional)
+.IR value .
+Possible generic options/values are:
+.LP
+.nf
+ syslog=<subsystems> (see `\-s' in slapd(8))
+ syslog\-level=<level> (see `\-S' in slapd(8))
+ syslog\-user=<user> (see `\-l' in slapd(8))
+
+.fi
+.TP
+.BI \-s \ subtree-dn
+Only check entries in the subtree specified by this DN.
+Implies \fB\-b\fP \fIsubtree-dn\fP if no
+.B \-b
+nor
+.B \-n
+option is given.
+Deprecated; use \fB-H\fP \fIldap:///subtree-dn\fP instead.
+.TP
+.B \-v
+Enable verbose mode.
+.SH LIMITATIONS
+For some backend types, your
+.BR slapd (8)
+should not be running (at least, not in read-write
+mode) when you do this to ensure consistency of the database. It is
+always safe to run
+.B slapschema
+with the
+.BR slapd\-mdb (5),
+and
+.BR slapd\-null (5)
+backends.
+.SH EXAMPLES
+To check the schema compliance of your SLAPD database after modifications
+to the schema, and put any error in a file called
+.BR errors.ldif ,
+give the command:
+.LP
+.nf
+.ft tt
+ SBINDIR/slapschema \-l errors.ldif
+.ft
+.fi
+.SH "SEE ALSO"
+.BR ldap (3),
+.BR ldif (5),
+.BR slapd (8)
+.LP
+"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
+.SH ACKNOWLEDGEMENTS
+.so ../Project
diff --git a/doc/man/man8/slaptest.8 b/doc/man/man8/slaptest.8
new file mode 100644
index 0000000..9effa9f
--- /dev/null
+++ b/doc/man/man8/slaptest.8
@@ -0,0 +1,117 @@
+.TH SLAPTEST 8C "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 2004-2022 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
+.SH NAME
+slaptest \- Check the suitability of the OpenLDAP slapd configuration
+.SH SYNOPSIS
+.B SBINDIR/slaptest
+[\c
+.BI \-d \ debug-level\fR]
+[\c
+.BI \-f \ slapd.conf\fR]
+[\c
+.BI \-F \ confdir\fR]
+[\c
+.BI \-n dbnum\fR]
+[\c
+.BI \-o \ option\fR[ = value\fR]]
+[\c
+.BR \-Q ]
+[\c
+.BR \-u ]
+[\c
+.BR \-v ]
+.LP
+.SH DESCRIPTION
+.LP
+.B Slaptest
+is used to check the conformance of the
+.BR slapd (8)
+configuration.
+It opens the
+.BR slapd.conf (5)
+configuration file or the
+.BR slapd\-config (5)
+backend, and parses it according to the general and the backend-specific
+rules, checking its sanity.
+.LP
+.SH OPTIONS
+.TP
+.BI \-d \ debug-level
+enable debugging messages as defined by the specified
+.IR debug-level ;
+see
+.BR slapd (8)
+for details.
+.TP
+.BI \-f \ slapd.conf
+specify an alternative
+.BR slapd.conf (5)
+file.
+.TP
+.BI \-F \ confdir
+specify a config directory.
+If both
+.B \-f
+and
+.B \-F
+are specified, the config file will be read and converted to
+config directory format and written to the specified directory.
+If neither option is specified, slaptest will attempt to read the
+default config directory before trying to use the default
+config file. If a valid config directory exists then the
+default config file is ignored. If dry-run mode is also specified,
+no conversion will occur.
+.TP
+.BI \-n \ dbnum
+Just open and test the \fIdbnum\fR-th database listed in the
+configuration file.
+To only test the config database
+.BR slapd\-config (5),
+use
+.B \-n 0
+as it is always the first database.
+.TP
+.BI \-o \ option\fR[ = value\fR]
+Specify an
+.I option
+with a(n optional)
+.IR value .
+Possible generic options/values are:
+.LP
+.nf
+ syslog=<subsystems> (see `\-s' in slapd(8))
+ syslog\-level=<level> (see `\-S' in slapd(8))
+ syslog\-user=<user> (see `\-l' in slapd(8))
+
+.fi
+.TP
+.BI \-Q
+Be extremely quiet: only the exit code indicates success (0) or not
+(any other value).
+.TP
+.B \-u
+enable dry-run mode (i.e. don't fail if databases cannot be opened,
+but config is fine).
+.TP
+.B \-v
+enable verbose mode.
+.SH EXAMPLES
+To check a
+.BR slapd.conf (5)
+give the command:
+.LP
+.nf
+.ft tt
+ SBINDIR/slaptest \-f /ETCDIR/slapd.conf \-v
+.ft
+.fi
+.SH "SEE ALSO"
+.BR ldap (3),
+.BR slapd (8),
+.BR slapdn (8)
+.LP
+"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
+.SH ACKNOWLEDGEMENTS
+.so ../Project