diff options
Diffstat (limited to 'doc/man/man8')
| -rw-r--r-- | doc/man/man8/Makefile.in | 16 | ||||
| -rw-r--r-- | doc/man/man8/lloadd.8 | 341 | ||||
| -rw-r--r-- | doc/man/man8/slapacl.8 | 205 | ||||
| -rw-r--r-- | doc/man/man8/slapadd.8 | 218 | ||||
| -rw-r--r-- | doc/man/man8/slapauth.8 | 152 | ||||
| -rw-r--r-- | doc/man/man8/slapcat.8 | 203 | ||||
| -rw-r--r-- | doc/man/man8/slapd.8 | 379 | ||||
| -rw-r--r-- | doc/man/man8/slapdn.8 | 108 | ||||
| -rw-r--r-- | doc/man/man8/slapindex.8 | 178 | ||||
| -rw-r--r-- | doc/man/man8/slapmodify.8 | 222 | ||||
| -rw-r--r-- | doc/man/man8/slappasswd.8 | 203 | ||||
| -rw-r--r-- | doc/man/man8/slapschema.8 | 193 | ||||
| -rw-r--r-- | doc/man/man8/slaptest.8 | 117 |
13 files changed, 2535 insertions, 0 deletions
diff --git a/doc/man/man8/Makefile.in b/doc/man/man8/Makefile.in new file mode 100644 index 0000000..30f21e0 --- /dev/null +++ b/doc/man/man8/Makefile.in @@ -0,0 +1,16 @@ +# man8 Makefile.in for OpenLDAP +# $OpenLDAP$ +## This work is part of OpenLDAP Software <http://www.openldap.org/>. +## +## Copyright 1998-2022 The OpenLDAP Foundation. +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted only as authorized by the OpenLDAP +## Public License. +## +## A copy of this license is available in the file LICENSE in the +## top-level directory of the distribution or, alternatively, at +## <http://www.OpenLDAP.org/license.html>. + +MANSECT=8 diff --git a/doc/man/man8/lloadd.8 b/doc/man/man8/lloadd.8 new file mode 100644 index 0000000..3bd4f0e --- /dev/null +++ b/doc/man/man8/lloadd.8 @@ -0,0 +1,341 @@ +.TH LLOADD 8C "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 2017-2022 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.\" $OpenLDAP$ +.SH NAME +lloadd \- LDAP Load Balancer Daemon +.SH SYNOPSIS +.B LIBEXECDIR/lloadd +[\c +.BR \-4 | \-6 ] +[\c +.BI \-d \ debug-level\fR] +[\c +.BI \-f \ lloadd-config-file\fR] +[\c +.BI \-h \ URLs\fR] +[\c +.BI \-n \ service-name\fR] +[\c +.BI \-s \ syslog-level\fR] +[\c +.BI \-l \ syslog-local-user\fR] +[\c +.BI \-o \ option\fR[ = value\fR]] +[\c +.BI \-r \ directory\fR] +[\c +.BI \-u \ user\fR] +[\c +.BI \-g \ group\fR] +.SH DESCRIPTION +.LP +.B Lloadd +is the stand-alone LDAP daemon. It listens for LDAP connections on +any number of ports (default \fB389\fP), forwarding the LDAP operations +it receives over these connections to be handled by the configured +backends. +.B lloadd +is typically invoked at boot time, usually out of +.BR /etc/rc.local . +Upon startup, +.B lloadd +normally forks and disassociates itself from the invoking tty. +If configured in the config file, the +.B lloadd +process will print its process ID (see +.BR getpid (2)) +to a +.B .pid +file, as well as the command line options during invocation to an +.B .args +file (see +.BR lloadd.conf (5)). +If the +.B \-d +flag is given, even with a zero argument, +.B lloadd +will not fork and disassociate from the invoking tty. +.LP +See the "OpenLDAP Administrator's Guide" for more details on +.BR lloadd . +.SH OPTIONS +.TP +.B \-4 +Listen on IPv4 addresses only. +.TP +.B \-6 +Listen on IPv6 addresses only. +.TP +.BI \-d \ debug-level +Turn on debugging as defined by +.IR debug-level . +If this option is specified, even with a zero argument, +.B lloadd +will not fork or disassociate from the invoking terminal. Some general +operation and status messages are printed for any value of \fIdebug-level\fP. +\fIdebug-level\fP is taken as a bit string, with each bit corresponding to a +different kind of debugging information. See <ldap_log.h> for details. +Comma-separated arrays of friendly names can be specified to select +debugging output of the corresponding debugging information. +All the names recognized by the \fIloglevel\fP directive +described in \fBlloadd.conf\fP(5) are supported. +If \fIdebug-level\fP is \fB?\fP, a list of installed debug-levels is printed, +and lloadd exits. + +Remember that if you turn on packet logging, packets containing bind passwords +will be output, so if you redirect the log to a logfile, that file should +be read-protected. +.TP +.BI \-s \ syslog-level +This option tells +.B lloadd +at what debug-level debugging statements should be logged to the +.BR syslog (8) +facility. +The value \fIsyslog-level\fP can be set to any value or combination +allowed by the \fB\-d\fP switch. +Lloadd logs all messages selected by \fIsyslog-level\fP +at the +.BR syslog (3) +severity debug-level \fBDEBUG\fP, +on the unit specified with \fB\-l\fP. +.TP +.BI \-n \ service-name +Specifies the service name for logging and other purposes. Defaults +to basename of argv[0], i.e.: "lloadd". +.TP +.BI \-l \ syslog-local-user +Selects the local user of the +.BR syslog (8) +facility. Value can be +.BR LOCAL0 , +through +.BR LOCAL7 , +as well as +.B USER +and +.BR DAEMON . +The default is +.BR LOCAL4 . +However, this option is only permitted on systems that support +local users with the +.BR syslog (8) +facility. +Logging to syslog(8) occurs at the "DEBUG" severity debug-level. +.TP +.BI \-f \ lloadd-config-file +Specifies the lloadd configuration file. The default is +.BR ETCDIR/lloadd.conf . +.TP +.BI \-h \ URLlist +.B lloadd +will by default serve +.B ldap:/// +(LDAP over TCP on all interfaces on default LDAP port). That is, +it will bind using INADDR_ANY and port \fB389\fP. +The +.B \-h +option may be used to specify LDAP (and other scheme) URLs to serve. +For example, if lloadd is given +.BR "\-h \(dqldap://127.0.0.1:9009/ ldaps:/// ldapi:///\(dq" , +it will listen on 127.0.0.1:9009 for LDAP, 0.0.0.0:636 for LDAP over TLS, +and LDAP over IPC (Unix domain sockets). Host 0.0.0.0 represents +INADDR_ANY (any interface). +A space separated list of URLs is expected. The URLs should be of the LDAP, +PLDAP, LDAPS, PLDAPS, or LDAPI schemes, and generally without a DN or other +optional parameters (excepting as discussed below). Support for the latter +three schemes depends on selected configuration options. Hosts may be specified +by name or IPv4 and IPv6 address formats. Ports, if specified, must be +numeric. The default ldap:// port is \fB389\fP and the default ldaps:// port +is \fB636\fP, same for the proxy enabled variants. + +The PLDAP and PLDAPS URL schemes provide support for the HAProxy proxy protocol +version 2, which allows a load balancer or proxy server to provide the remote +client IP address to slapd to be used for access control or logging. Ports +configured for PLDAP or PLDAPS will only accept connections that include the +necessary proxy protocol header. Connections to these ports should be +restricted at the network level to only trusted load balancers or proxies to +avoid spoofing of client IP addresses by third parties. + +At the moment, the load balancer does not act on the recorded address in any +way. + +For LDAP over IPC, +.B name +is the name of the socket, and no +.B port +is required, nor allowed; note that directory separators must be +URL-encoded, like any other characters that are special to URLs; +so the socket + + /usr/local/var/ldapi + +must be specified as + + ldapi://%2Fusr%2Flocal%2Fvar%2Fldapi + +The default location for the IPC socket is LOCALSTATEDIR/run/ldapi +.TP +.BI \-r \ directory +Specifies a directory to become the root directory. lloadd will +change the current working directory to this directory and +then +.BR chroot (2) +to this directory. This is done after opening listeners but before +reading any configuration file or initializing any backend. When +used as a security mechanism, it should be used in conjunction with +.B \-u +and +.B \-g +options. +.TP +.BI \-u \ user +.B lloadd +will run lloadd with the specified user name or id, and that user's +supplementary group access list as set with initgroups(3). The group ID +is also changed to this user's gid, unless the \fB\-g\fP option is used to +override. Note when used with +.BR \-r , +lloadd will use the user database in the change root environment. +.TP +.BI \-g \ group +.B lloadd +will run with the specified group name or id. Note when used with +.BR \-r , +lloadd will use the group database in the change root environment. +.TP +.BI \-o \ option\fR[ = value\fR] +This option provides a generic means to specify options without the need to reserve +a separate letter for them. + +It supports the following options: +.RS +.TP +.BR slp= { on \||\| off \||\| \fIslp-attrs\fP } +When SLP support is compiled into lloadd, disable it (\fBoff\fP), + enable it by registering at SLP DAs without specific SLP attributes (\fBon\fP), +or with specific SLP attributes +.I slp-attrs +that must be an SLP attribute list definition according to the SLP standard. + +For example, \fB"slp=(tree=production),(server-type=OpenLDAP),(server\-version=2.4.15)"\fP +registers at SLP DAs with the three SLP attributes tree, server-type and server-version +that have the values given above. +This allows one to specifically query the SLP DAs for LDAP servers holding the +.I production +tree in case multiple trees are available. +.RE + +.SH RELATION TO SLAPD(8) +.B Lloadd +can be compiled as a +.B slapd +loadable module. In that case, it can be loaded as such: +.LP +.nf +.ft tt + moduleload path/to/lloadd.la + backend lload + listen "listening URLs" +.ft +.fi + +This enables +.B lloadd +to provide additional features through the host slapd process like access to +run-time statistics in +.B cn=monitor +and dynamic configuration from +.BR cn=config . + +The listening sockets specified will be under direct control of +.B lloadd +and need to be different from the sockets slapd is configured to listen on. +Clients connecting to these are completely separate from regular LDAP clients +connecting to the usual +.B slapd +sockets - +.B lloadd +clients have no access to slapd databases, similarly, +.B slapd +client traffic does not propagate to the +.B lloadd +backend servers in any way. + +.SH CN=MONITOR INTERFACE +As part of +.BR lloadd 's +.B cn=monitor +interface it is possible to close a client connection it manages by writing to +the corresponding entry, +.B replacing +the +.B olmConnectionState +attribute with the value +.BR closing . +This is subject to ACLs configured on the monitor database. The server will +send a +.B Notice of Disconnection +to the client, refuse any new operations and once all pending operations have +finished, close the connection. + +For example, to close connection number 42: + +.LP +.nf +.ft tt + dn: cn=connection 42,cn=incoming connections,cn=load balancer,cn=backends,cn=monitor + changetype: modify + replace: olmConnectionState + olmConnectionState: closing +.ft +.fi + +.SH EXAMPLES +To start +.I lloadd +and have it fork and detach from the terminal and start load-balancing +the LDAP servers defined in the default config file, just type: +.LP +.nf +.ft tt + LIBEXECDIR/lloadd +.ft +.fi +.LP +To start +.B lloadd +with an alternate configuration file, and turn +on voluminous debugging which will be printed on standard error, type: +.LP +.nf +.ft tt + LIBEXECDIR/lloadd \-f /var/tmp/lloadd.conf \-d 255 +.ft +.fi +.LP +To start +.B lloadd +as a module inside a slapd process listening on ldap://:1389 and ldaps://, +put the following in your slapd.conf (or its equivalent in cn=config): +.LP +.nf +.ft tt + moduleload lloadd.la + backend lload + listen "ldap://:1389 ldaps://" +.ft +.fi +.SH "SEE ALSO" +.BR ldap (3), +.BR lloadd.conf (5), +.BR slapd-config (5), +.BR slapd-monitor (5), +.BR slapd (8). +.LP +"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) +.SH BUGS +See http://www.openldap.org/its/ +.SH ACKNOWLEDGEMENTS +.so ../Project diff --git a/doc/man/man8/slapacl.8 b/doc/man/man8/slapacl.8 new file mode 100644 index 0000000..c283f11 --- /dev/null +++ b/doc/man/man8/slapacl.8 @@ -0,0 +1,205 @@ +.TH SLAPACL 8C "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 2004-2022 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.\" $OpenLDAP$ +.SH NAME +slapacl \- Check access to a list of attributes. +.SH SYNOPSIS +.B SBINDIR/slapacl +.BI \-b \ DN +[\c +.BI \-d \ debug-level\fR] +[\c +.BI \-D \ authcDN\ \fR| +.BI \-U \ authcID\fR] +[\c +.BI \-f \ slapd.conf\fR] +[\c +.BI \-F \ confdir\fR] +[\c +.BI \-o \ option\fR[ = value\fR]] +[\c +.BR \-u ] +[\c +.BR \-v ] +[\c +.BI \-X \ authzID\ \fR| +.BI "\-o \ authzDN=" DN\fR] +[\c +.IR attr [\fB/\fI access ][\fB:\fI value ]]\fR\ [...] +.LP +.SH DESCRIPTION +.LP +.B slapacl +is used to check the behavior of +.BR slapd (8) +by verifying access to directory data according to the access control list +directives defined in its configuration. +. +It opens the +.BR slapd.conf (5) +configuration file or the +.BR slapd\-config (5) +backend, reads in the +.BR access / olcAccess +directives, and then parses the +.B attr +list given on the command-line; if none is given, access to the +.B entry +pseudo-attribute is tested. +.LP +.SH OPTIONS +.TP +.BI \-b \ DN +specify the +.I DN +which access is requested to; the corresponding entry is fetched +from the database, and thus it must exist. +The +.I DN +is also used to determine what rules apply; thus, it must be +in the naming context of a configured database. By default, the first +database that supports the requested operation is used. See also +.BR \-u . + +.TP +.BI \-d \ debug-level +enable debugging messages as defined by the specified +.IR debug-level ; +see +.BR slapd (8) +for details. +.TP +.BI \-D \ authcDN +specify a DN to be used as identity through the test session +when selecting appropriate +.B <by> +clauses in access lists. +.TP +.BI \-f \ slapd.conf +specify an alternative +.BR slapd.conf (5) +file. +.TP +.BI \-F \ confdir +specify a config directory. +If both +.B \-f +and +.B \-F +are specified, the config file will be read and converted to +config directory format and written to the specified directory. +If neither option is specified, an attempt to read the +default config directory will be made before trying to use the default +config file. If a valid config directory exists then the +default config file is ignored. +.TP +.BI \-o \ option\fR[ = value\fR] +Specify an +.I option +with a(n optional) +.IR value . +Possible generic options/values are: +.LP +.nf + syslog=<subsystems> (see `\-s' in slapd(8)) + syslog\-level=<level> (see `\-S' in slapd(8)) + syslog\-user=<user> (see `\-l' in slapd(8)) + +.fi +.RS +Possible options/values specific to +.B slapacl +are: +.RE +.nf + + authzDN + domain + peername + sasl_ssf + sockname + sockurl + ssf + tls_ssf + transport_ssf + +.fi +.RS +See the related fields in +.BR slapd.access (5) +for details. +.RE +.TP +.BI \-u +do not fetch the entry from the database. +In this case, if the entry does not exist, a fake entry with the +.I DN +given with the +.B \-b +option is used, with no attributes. +As a consequence, those rules that depend on the contents +of the target object will not behave as with the real object. +The +.I DN +given with the +.B \-b +option is still used to select what rules apply; thus, it must be +in the naming context of a configured database. +See also +.BR \-b . +.TP +.BI \-U \ authcID +specify an ID to be mapped to a +.B DN +as by means of +.B authz\-regexp +or +.B authz\-rewrite +rules (see +.BR slapd.conf (5) +for details); mutually exclusive with +.BR \-D . +.TP +.B \-v +enable verbose mode. +.TP +.BI \-X \ authzID +specify an authorization ID to be mapped to a +.B DN +as by means of +.B authz\-regexp +or +.B authz\-rewrite +rules (see +.BR slapd.conf (5) +for details); mutually exclusive with \fB\-o\fP \fBauthzDN=\fIDN\fR. +.SH EXAMPLES +The command +.LP +.nf +.ft tt + SBINDIR/slapacl \-f ETCDIR/slapd.conf \-v \\ + \-U bjorn \-b "o=University of Michigan,c=US" \\ + "o/read:University of Michigan" + +.ft +.fi +tests whether the user +.I bjorn +can access the attribute +.I o +of the entry +.I o=University of Michigan,c=US +at +.I read +level. +.SH "SEE ALSO" +.BR ldap (3), +.BR slapd (8), +.BR slaptest (8), +.BR slapauth (8) +.LP +"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) +.SH ACKNOWLEDGEMENTS +.so ../Project diff --git a/doc/man/man8/slapadd.8 b/doc/man/man8/slapadd.8 new file mode 100644 index 0000000..d31d440 --- /dev/null +++ b/doc/man/man8/slapadd.8 @@ -0,0 +1,218 @@ +.TH SLAPADD 8C "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.\" $OpenLDAP$ +.SH NAME +slapadd \- Add entries to a SLAPD database +.SH SYNOPSIS +.B SBINDIR/slapadd +[\c +.BI \-b \ suffix\fR] +[\c +.BR \-c ] +[\c +.BI \-d \ debug-level\fR] +[\c +.BI \-f \ slapd.conf\fR] +[\c +.BI \-F \ confdir\fR] +[\c +.BR \-g ] +[\c +.BI \-j \ lineno\fR] +[\c +.BI \-l \ ldif-file\fR] +[\c +.BI \-n \ dbnum\fR] +[\c +.BI \-o \ option\fR[ = value\fR]] +[\c +.BR \-q ] +[\c +.BR \-s ] +[\c +.BI \-S \ SID\fR] +[\c +.BR \-u ] +[\c +.BR \-v ] +[\c +.BR \-w ] +.SH DESCRIPTION +.LP +.B Slapadd +is used to add entries specified in LDAP Directory Interchange Format +(LDIF) to a +.BR slapd (8) +database. +It opens the given database determined by the database number or +suffix and adds entries corresponding to the provided LDIF to +the database. +Databases configured as +.B subordinate +of this one are also updated, unless \fB\-g\fP is specified. +The LDIF input is read from standard input or the specified file. + +All files eventually created by +.BR slapadd +will belong to the identity +.BR slapadd +is run as, so make sure you either run +.BR slapadd +with the same identity +.BR slapd (8) +will be run as (see option +.B \-u +in +.BR slapd (8)), +or change file ownership before running +.BR slapd (8). + +Note: slapadd will also perform the relevant indexing whilst adding the database if +any are configured. For specific details, please see +.BR slapindex (8). +.SH OPTIONS +.TP +.BI \-b \ suffix +Use the specified \fIsuffix\fR to determine which database to +add entries to. By default, the first database that supports the requested +operation is used. The \fB\-b\fP cannot be used in conjunction with the +.B \-n +option. +.TP +.B \-c +enable continue (ignore errors) mode. +.TP +.BI \-d \ debug-level +enable debugging messages as defined by the specified +.IR debug-level ; +see +.BR slapd (8) +for details. +.TP +.BI \-f \ slapd.conf +specify an alternative +.BR slapd.conf (5) +file. +.TP +.BI \-F \ confdir +specify a config directory. +If both +.B \-f +and +.B \-F +are specified, the config file will be read and converted to +config directory format and written to the specified directory. +If neither option is specified, an attempt to read the +default config directory will be made before trying to use the default +config file. If a valid config directory exists then the +default config file is ignored. If dry-run mode is also specified, +no conversion will occur. +.TP +.B \-g +disable subordinate gluing. Only the specified database will be +processed, and not its glued subordinates (if any). +.TP +.BI \-j \ lineno +Jump to the specified line number in the LDIF file before processing +any entries. This allows a load that was aborted due to errors in the +input LDIF to be resumed after the errors are corrected. +.TP +.BI \-l \ ldif-file +Read LDIF from the specified file instead of standard input. +.TP +.BI \-n \ dbnum +Add entries to the \fIdbnum\fR-th database listed in the +configuration file. The +.B \-n +cannot be used in conjunction with the +.B \-b +option. +To populate the config database +.BR slapd\-config (5), +use +.B \-n 0 +as it is always the first database. It must physically exist +on the filesystem prior to this, however. +.TP +.BI \-o \ option\fR[ = value\fR] +Specify an +.I option +with a(n optional) +.IR value . +Possible generic options/values are: +.LP +.nf + syslog=<subsystems> (see `\-s' in slapd(8)) + syslog\-level=<level> (see `\-S' in slapd(8)) + syslog\-user=<user> (see `\-l' in slapd(8)) + + schema-check={yes|no} + value-check={yes|no} + +.in +The \fIschema\-check\fR option toggles schema checking (default on); +the \fIvalue\-check\fR option toggles value checking (default off). +The latter is incompatible with \fB-q\fR. +.TP +.B \-q +enable quick (fewer integrity checks) mode. Does fewer consistency checks +on the input data, and no consistency checks when writing the database. +Improves the load time but if any errors or interruptions occur the resulting +database will be unusable. +.TP +.B \-s +disable schema checking. This option is intended to be used when loading +databases containing special objects, such as fractional objects on a +partial consumer. Loading normal objects which do not conform to +schema may result in unexpected and ill behavior. +.TP +.BI \-S \ SID +Server ID to use in generated entryCSN. Also used for contextCSN +if \fB\-w\fP is set as well. Defaults to \fB0\fP. +.TP +.B \-u +enable dry-run (don't write to backend) mode. +.TP +.B \-v +enable verbose mode. +.TP +.BI \-w +write syncrepl context information. +After all entries are added, the contextCSN +will be updated with the greatest CSN in the database. +.SH LIMITATIONS +Your +.BR slapd (8) +should not be running +when you do this to ensure consistency of the database. +.LP +.B slapadd +may not provide naming or schema checks. It is advisable to +use +.BR ldapadd (1) +when adding new entries into an existing directory. +.SH EXAMPLES +To import the entries specified in file +.B ldif +into your +.BR slapd (8) +database give the command: +.LP +.nf +.ft tt + SBINDIR/slapadd \-l ldif +.ft +.fi +.SH "SEE ALSO" +.BR ldap (3), +.BR ldif (5), +.BR slapcat (8), +.BR slapindex (8), +.BR slapmodify (8), +.BR ldapadd (1), +.BR slapd (8) +.LP +"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) +.SH ACKNOWLEDGEMENTS +.so ../Project diff --git a/doc/man/man8/slapauth.8 b/doc/man/man8/slapauth.8 new file mode 100644 index 0000000..17e529e --- /dev/null +++ b/doc/man/man8/slapauth.8 @@ -0,0 +1,152 @@ +.TH SLAPAUTH 8C "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 2004-2022 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.\" $OpenLDAP$ +.SH NAME +slapauth \- Check a list of string-represented IDs for LDAP authc/authz +.SH SYNOPSIS +.B SBINDIR/slapauth +[\c +.BI \-d \ debug-level\fR] +[\c +.BI \-f \ slapd.conf\fR] +[\c +.BI \-F \ confdir\fR] +[\c +.BI \-M \ mech\fR] +[\c +.BI \-o \ option\fR[ = value\fR]] +[\c +.BI \-R \ realm\fR] +[\c +.BI \-U \ authcID\fR] +[\c +.BR \-v ] +[\c +.BI \-X \ authzID\fR] +.IR ID \ [ ... ] +.LP +.SH DESCRIPTION +.LP +.B Slapauth +is used to check the behavior of the slapd in mapping identities +for authentication and authorization purposes, as specified in +.BR slapd.conf (5). +It opens the +.BR slapd.conf (5) +configuration file or the +.BR slapd\-config (5) +backend, reads in the +.BR authz\-policy / olcAuthzPolicy +and +.BR authz\-regexp / olcAuthzRegexp +directives, and then parses the +.I ID +list given on the command-line. +.LP +.SH OPTIONS +.TP +.BI \-d \ debug-level +enable debugging messages as defined by the specified +.IR debug-level ; +see +.BR slapd (8) +for details. +.TP +.BI \-f \ slapd.conf +specify an alternative +.BR slapd.conf (5) +file. +.TP +.BI \-F \ confdir +specify a config directory. +If both +.B \-f +and +.B \-F +are specified, the config file will be read and converted to +config directory format and written to the specified directory. +If neither option is specified, an attempt to read the +default config directory will be made before trying to use the default +config file. If a valid config directory exists then the +default config file is ignored. +.TP +.BI \-M \ mech +specify a mechanism. +.TP +.BI \-o \ option\fR[ = value\fR] +Specify an +.I option +with a(n optional) +.IR value . +Possible generic options/values are: +.LP +.nf + syslog=<subsystems> (see `\-s' in slapd(8)) + syslog\-level=<level> (see `\-S' in slapd(8)) + syslog\-user=<user> (see `\-l' in slapd(8)) + +.fi +.TP +.BI \-R \ realm +specify a realm. +.TP +.BI \-U \ authcID +specify an ID to be used as +.I authcID +throughout the test session. +If present, and if no +.I authzID +is given, the IDs in the ID list are treated as +.IR authzID . +.TP +.BI \-X \ authzID +specify an ID to be used as +.I authzID +throughout the test session. +If present, and if no +.I authcID +is given, the IDs in the ID list are treated as +.IR authcID . +If both +.I authcID +and +.I authzID +are given via command line switch, the ID list cannot be present. +.TP +.B \-v +enable verbose mode. +.SH EXAMPLES +The command +.LP +.nf +.ft tt + SBINDIR/slapauth \-f /ETCDIR/slapd.conf \-v \\ + \-U bjorn \-X u:bjensen + +.ft +.fi +tests whether the user +.I bjorn +can assume the identity of the user +.I bjensen +provided the directives +.LP +.nf +.ft tt + authz\-policy from + authz\-regexp "^uid=([^,]+).*,cn=auth$" + "ldap:///dc=example,dc=net??sub?uid=$1" + +.ft +.fi +are defined in +.BR slapd.conf (5). +.SH "SEE ALSO" +.BR ldap (3), +.BR slapd (8), +.BR slaptest (8) +.LP +"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) +.SH ACKNOWLEDGEMENTS +.so ../Project diff --git a/doc/man/man8/slapcat.8 b/doc/man/man8/slapcat.8 new file mode 100644 index 0000000..c836a04 --- /dev/null +++ b/doc/man/man8/slapcat.8 @@ -0,0 +1,203 @@ +.TH SLAPCAT 8C "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.\" $OpenLDAP$ +.SH NAME +slapcat \- SLAPD database to LDIF utility +.SH SYNOPSIS +.B SBINDIR/slapcat +[\c +.BI \-a filter\fR] +[\c +.BI \-b suffix\fR] +[\c +.BR \-c ] +[\c +.BI \-d debug-level\fR] +[\c +.BI \-f slapd.conf\fR] +[\c +.BI \-F confdir\fR] +[\c +.BR \-g ] +[\c +.BI \-H URI\fR] +[\c +.BI \-l ldif-file\fR] +[\c +.BI \-n dbnum\fR] +[\c +.BI \-o option\fR[ = value\fR]] +[\c +.BI \-s subtree-dn\fR] +[\c +.BR \-v ] +.LP +.SH DESCRIPTION +.LP +.B Slapcat +is used to generate an LDAP Directory Interchange Format +(LDIF) output based upon the contents of a +.BR slapd (8) +database. +It opens the given database determined by the database number or +suffix and writes the corresponding LDIF to standard output or +the specified file. +Databases configured as +.B subordinate +of this one are also output, unless \fB\-g\fP is specified. +.LP +The entry records are presented in database order, not superior first +order. The entry records will include all (user and operational) +attributes stored in the database. The entry records will not include +dynamically generated attributes (such as subschemaSubentry). +.LP +The output of slapcat is intended to be used as input to +.BR slapadd (8). +The output of slapcat cannot generally be used as input to +.BR ldapadd (1) +or other LDAP clients without first editing the output. +This editing would normally include reordering the records +into superior first order and removing no-user-modification +operational attributes. +.SH OPTIONS +.TP +.BI \-a \ filter +Only dump entries matching the asserted filter. +For example + +slapcat \-a \\ + "(!(entryDN:dnSubtreeMatch:=ou=People,dc=example,dc=com))" + +will dump all but the "ou=People,dc=example,dc=com" subtree +of the "dc=example,dc=com" database. +Deprecated; use \fB-H\fP \fIldap:///???(filter)\fP instead. +.TP +.BI \-b \ suffix +Use the specified \fIsuffix\fR to determine which database to +generate output for. By default, the first database that supports the requested +operation is used. The \fB\-b\fP cannot be used in conjunction with the +.B \-n +option. +.TP +.B \-c +Enable continue (ignore errors) mode. +Multiple occurrences of +.B \-c +make +.BR slapcat (8) +try harder. +.TP +.BI \-d \ debug-level +Enable debugging messages as defined by the specified +.IR debug-level ; +see +.BR slapd (8) +for details. +.TP +.BI \-f \ slapd.conf +Specify an alternative +.BR slapd.conf (5) +file. +.TP +.BI \-F \ confdir +specify a config directory. +If both +.B \-f +and +.B \-F +are specified, the config file will be read and converted to +config directory format and written to the specified directory. +If neither option is specified, an attempt to read the +default config directory will be made before trying to use the default +config file. If a valid config directory exists then the +default config file is ignored. +.TP +.B \-g +disable subordinate gluing. Only the specified database will be +processed, and not its glued subordinates (if any). +.TP +.B \-H \ URI +use dn, scope and filter from URI to only handle matching entries. +.TP +.BI \-l \ ldif-file +Write LDIF to specified file instead of standard output. +.TP +.BI \-n \ dbnum +Generate output for the \fIdbnum\fR-th database listed in the +configuration file. The config database +.BR slapd\-config (5), +is always the first database, so use +.B \-n 0 +to select it. + +The +.B \-n +cannot be used in conjunction with the +.B \-b +option. +.TP +.BI \-o \ option\fR[ = value\fR] +Specify an +.I option +with a(n optional) +.IR value . +Possible generic options/values are: +.LP +.nf + syslog=<subsystems> (see `\-s' in slapd(8)) + syslog\-level=<level> (see `\-S' in slapd(8)) + syslog\-user=<user> (see `\-l' in slapd(8)) + + ldif_wrap={no|<n>} + +.in +\fIn\fP is the number of columns allowed for the LDIF output +(\fIn\fP equal to \fI0\fP uses the default, corresponding to 78). +The minimum is 2, leaving space for one character and one +continuation character. +Use \fIno\fP for no wrap. +.TP +.BI \-s \ subtree-dn +Only dump entries in the subtree specified by this DN. +Implies \fB\-b\fP \fIsubtree-dn\fP if no +.B \-b +or +.B \-n +option is given. +Deprecated; use \fB-H\fP \fIldap:///subtree-dn\fP instead. +.TP +.B \-v +Enable verbose mode. +.SH LIMITATIONS +For some backend types, your +.BR slapd (8) +should not be running (at least, not in read-write +mode) when you do this to ensure consistency of the database. It is +always safe to run +.B slapcat +with the +.BR slapd\-mdb (5), +and +.BR slapd\-null (5) +backends. +.SH EXAMPLES +To make a text backup of your SLAPD database and put it in a file called +.BR ldif , +give the command: +.LP +.nf +.ft tt + SBINDIR/slapcat \-l ldif +.ft +.fi +.SH "SEE ALSO" +.BR ldap (3), +.BR ldif (5), +.BR slapadd (8), +.BR ldapadd (1), +.BR slapd (8) +.LP +"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) +.SH ACKNOWLEDGEMENTS +.so ../Project diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8 new file mode 100644 index 0000000..809f9e7 --- /dev/null +++ b/doc/man/man8/slapd.8 @@ -0,0 +1,379 @@ +.TH SLAPD 8C "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.\" $OpenLDAP$ +.SH NAME +slapd \- Stand-alone LDAP Daemon +.SH SYNOPSIS +.B LIBEXECDIR/slapd +[\c +.BR \-V [ V [ V ]] +[\c +.BR \-4 | \-6 ] +[\c +.BR \-T \ { acl \||\| a [ dd ]\||\| auth \||\| c [ at ]\||\| +.BR d [ n ]\||\| i [ ndex ]\||\| m [ odify ]\||\| p [ asswd ]\||\| s [ chema ]\||\| t [ est ]}] +[\c +.BI \-d \ debug-level\fR] +[\c +.BI \-f \ slapd-config-file\fR] +[\c +.BI \-F \ slapd-config-directory\fR] +[\c +.BI \-h \ URLs\fR] +[\c +.BI \-n \ service-name\fR] +[\c +.BI \-s \ syslog-level\fR] +[\c +.BI \-l \ syslog-local-user\fR] +[\c +.BI \-o \ option\fR[ = value\fR]] +[\c +.BI \-r \ directory\fR] +[\c +.BI \-u \ user\fR] +[\c +.BI \-g \ group\fR] +[\c +.BI \-c \ cookie\fR] +.SH DESCRIPTION +.LP +.B Slapd +is the stand-alone LDAP daemon. It listens for LDAP connections on +any number of ports (default \fB389\fP), responding +to the LDAP operations it receives over these connections. +.B slapd +is typically invoked at boot time, usually out of +.BR /etc/rc.local . +Upon startup, +.B slapd +normally forks and disassociates itself from the invoking tty. +If configured in the config file (or config directory), +the +.B slapd +process will print its process ID (see +.BR getpid (2)) +to a +.B .pid +file, as well as the command line options during invocation to an +.B .args +file (see +.BR slapd.conf (5)). +If the +.B \-d +flag is given, even with a zero argument, +.B slapd +will not fork and disassociate from the invoking tty. +.LP +See the "OpenLDAP Administrator's Guide" for more details on +.BR slapd . +.SH OPTIONS +.TP +.BR \-V [ V [ V ]] +Print version info and proceed with startup. +If \fB\-VV\fP is given, exit after providing version info. If \fB\-VVV\fP is +given, additionally provide information on static overlays and backends. +.TP +.B \-4 +Listen on IPv4 addresses only. +.TP +.B \-6 +Listen on IPv6 addresses only. +.TP +.BI \-T \ tool +Run in Tool mode. The \fItool\fP argument selects whether to run as +.IR slapadd , +.IR slapcat , +.IR slapdn , +.IR slapindex , +.IR slapmodify , +.IR slappasswd , +.IR slapschema , +or +.I slaptest +(\fIslapacl\fP and \fIslapauth\fP need the entire \fBacl\fP and \fBauth\fP +option value to be spelled out, as \fBa\fP is reserved to +.IR slapadd ). +This option should be the first option specified when it is used; +any remaining options will be interpreted by the corresponding +slap tool program, according to the respective man pages. +Note that these tool programs will usually be symbolic links to +.BR slapd . +This option is provided for situations where symbolic links +are not provided or not usable. +.TP +.BI \-d \ debug-level +Turn on debugging as defined by +.IR debug-level . +If this option is specified, even with a zero argument, +.B slapd +will not fork or disassociate from the invoking terminal. Some general +operation and status messages are printed for any value of \fIdebug-level\fP. +\fIdebug-level\fP is taken as a bit string, with each bit corresponding to a +different kind of debugging information. See <ldap_log.h> for details. +Comma-separated arrays of friendly names can be specified to select +debugging output of the corresponding debugging information. +All the names recognized by the \fIloglevel\fP directive +described in \fBslapd.conf\fP(5) are supported. +If \fIdebug-level\fP is \fB?\fP, a list of installed debug-levels is printed, +and slapd exits. + +Remember that if you turn on packet logging, packets containing bind passwords +will be output, so if you redirect the log to a logfile, that file should +be read-protected. +.TP +.BI \-s \ syslog-level +This option tells +.B slapd +at what debug-level debugging statements should be logged to the +.BR syslog (8) +facility. +The value \fIsyslog-level\fP can be set to any value or combination +allowed by the \fB\-d\fP switch. +Slapd logs all messages selected by \fIsyslog-level\fP +at the +.BR syslog (3) +severity debug-level \fBDEBUG\fP, +on the unit specified with \fB\-l\fP. +.TP +.BI \-n \ service-name +Specifies the service name for logging and other purposes. Defaults +to basename of argv[0], i.e.: "slapd". +.TP +.BI \-l \ syslog-local-user +Selects the local user of the +.BR syslog (8) +facility. Value can be +.BR LOCAL0 , +through +.BR LOCAL7 , +as well as +.B USER +and +.BR DAEMON . +The default is +.BR LOCAL4 . +However, this option is only permitted on systems that support +local users with the +.BR syslog (8) +facility. +Logging to syslog(8) occurs at the "DEBUG" severity debug-level. +.TP +.BI \-f \ slapd-config-file +Specifies the slapd configuration file. The default is +.BR ETCDIR/slapd.conf . +.TP +.BI \-F \ slapd-config-directory +Specifies the slapd configuration directory. The default is +.BR ETCDIR/slapd.d . +If both +.B \-f +and +.B \-F +are specified, the config file will be read and converted to +config directory format and written to the specified directory. +If neither option is specified, slapd will attempt to read the +default config directory before trying to use the default +config file. If a valid config directory exists then the +default config file is ignored. All of the slap tools that +use the config options observe this same behavior. +.TP +.BI \-h \ URLlist +.B slapd +will by default serve +.B ldap:/// +(LDAP over TCP on all interfaces on default LDAP port). That is, +it will bind using INADDR_ANY and port \fB389\fP. +The +.B \-h +option may be used to specify LDAP (and other scheme) URLs to serve. +For example, if slapd is given +.BR "\-h \(dqldap://127.0.0.1:9009/ ldaps:/// ldapi:///\(dq" , +it will listen on 127.0.0.1:9009 for LDAP, 0.0.0.0:636 for LDAP over TLS, +and LDAP over IPC (Unix domain sockets). Host 0.0.0.0 represents +INADDR_ANY (any interface). +A space separated list of URLs is expected. The URLs should be of the LDAP, +PLDAP, LDAPS, PLDAPS, or LDAPI schemes, and generally without a DN or other +optional parameters (excepting as discussed below). Support for the latter +three schemes depends on selected configuration options. Hosts may be specified +by name or IPv4 and IPv6 address formats. Ports, if specified, must be +numeric. The default ldap:// port is \fB389\fP and the default ldaps:// port +is \fB636\fP, same for the proxy enabled variants. + +The PLDAP and PLDAPS URL schemes provide support for the HAProxy proxy protocol +version 2, which allows a load balancer or proxy server to provide the remote +client IP address to slapd to be used for access control or logging. Ports +configured for PLDAP or PLDAPS will only accept connections that include the +necessary proxy protocol header. Connections to these ports should be +restricted at the network level to only trusted load balancers or proxies to +avoid spoofing of client IP addresses by third parties. + +For LDAP over IPC, +.B name +is the name of the socket, and no +.B port +is required, nor allowed; note that directory separators must be +URL-encoded, like any other characters that are special to URLs; +so the socket + + /usr/local/var/ldapi + +must be specified as + + ldapi://%2Fusr%2Flocal%2Fvar%2Fldapi + +The default location for the IPC socket is LOCALSTATEDIR/run/ldapi + +The listener permissions are indicated by +"x\-mod=\-rwxrwxrwx", "x\-mod=0777" or "x\-mod=777", where any +of the "rwx" can be "\-" to suppress the related permission, while any +of the "7" can be any legal octal digit, according to chmod(1). +The listeners can take advantage of the "x\-mod" +extension to apply rough limitations to operations, e.g. allow read operations +("r", which applies to search and compare), write operations ("w", +which applies to add, delete, modify and modrdn), and execute operations +("x", which means bind is required). +"User" permissions apply to authenticated users, while "other" apply +to anonymous users; "group" permissions are ignored. +For example, "ldap:///????x\-mod=\-rw\-\-\-\-\-\-\-" means that read and write is only allowed +for authenticated connections, and bind is required for all operations. +This feature is experimental, and requires to be manually enabled +at configure time. +.TP +.BI \-r \ directory +Specifies a directory to become the root directory. slapd will +change the current working directory to this directory and +then +.BR chroot (2) +to this directory. This is done after opening listeners but before +reading any configuration file or initializing any backend. When +used as a security mechanism, it should be used in conjunction with +.B \-u +and +.B \-g +options. +.TP +.BI \-u \ user +.B slapd +will run slapd with the specified user name or id, and that user's +supplementary group access list as set with initgroups(3). The group ID +is also changed to this user's gid, unless the \fB\-g\fP option is used to +override. Note when used with +.BR \-r , +slapd will use the user database in the change root environment. + +Note that on some systems, running as a non-privileged user will prevent +passwd back-ends from accessing the encrypted passwords. Note also that +any shell back-ends will run as the specified non-privileged user. +.TP +.BI \-g \ group +.B slapd +will run with the specified group name or id. Note when used with +.BR \-r , +slapd will use the group database in the change root environment. +.TP +.BI \-c \ cookie +This option provides a cookie for the syncrepl replication consumer. +The cookie is a comma separated list of \fIname=value\fP pairs. +Currently supported syncrepl cookie fields are +.BR rid , +.BR sid , +and +.BR csn . +.B rid +identifies a replication thread within the consumer server +and is used to find the syncrepl specification in +.BR slapd.conf (5) +or +.BR slapd\-config (5) +having the matching replication identifier in its definition. The +.B rid +must be provided in order for any other specified values to be used. +.B sid +is the server id in a multi-provider configuration. +.B csn +is the commit sequence number received by a previous synchronization +and represents the state of the consumer content which the +syncrepl engine will synchronize to the current provider content. +In case of \fImulti-provider\fP replication agreement, +multiple +.B csn +values, semicolon separated, can appear. +Use only the +.B rid +part to force a full reload. +.TP +.BI \-o \ option\fR[ = value\fR] +This option provides a generic means to specify options without the need to reserve +a separate letter for them. + +It supports the following options: +.RS +.TP +.BR slp= { on \||\| off \||\| \fIslp-attrs\fP } +When SLP support is compiled into slapd, disable it (\fBoff\fP), + enable it by registering at SLP DAs without specific SLP attributes (\fBon\fP), +or with specific SLP attributes +.I slp-attrs +that must be an SLP attribute list definition according to the SLP standard. + +For example, \fB"slp=(tree=production),(server-type=OpenLDAP),(server\-version=2.4.15)"\fP +registers at SLP DAs with the three SLP attributes tree, server-type and server-version +that have the values given above. +This allows one to specifically query the SLP DAs for LDAP servers holding the +.I production +tree in case multiple trees are available. +.RE +.SH EXAMPLES +To start +.I slapd +and have it fork and detach from the terminal and start serving +the LDAP databases defined in the default config file, just type: +.LP +.nf +.ft tt + LIBEXECDIR/slapd +.ft +.fi +.LP +To start +.B slapd +with an alternate configuration file, and turn +on voluminous debugging which will be printed on standard error, type: +.LP +.nf +.ft tt + LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255 +.ft +.fi +.LP +To test whether the configuration file is correct or not, type: +.LP +.nf +.ft tt + LIBEXECDIR/slapd \-Tt +.ft +.fi +.LP +.SH "SEE ALSO" +.BR ldap (3), +.BR slapd.conf (5), +.BR slapd\-config (5), +.BR slapd.access (5), +.BR slapacl (8), +.BR slapadd (8), +.BR slapauth (8), +.BR slapcat (8), +.BR slapdn (8), +.BR slapindex (8), +.BR slapmodify (8), +.BR slappasswd (8), +.BR slapschema (8), +.BR slaptest (8). +.LP +"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) +.SH BUGS +See http://www.openldap.org/its/ +.SH ACKNOWLEDGEMENTS +.so ../Project diff --git a/doc/man/man8/slapdn.8 b/doc/man/man8/slapdn.8 new file mode 100644 index 0000000..424bf83 --- /dev/null +++ b/doc/man/man8/slapdn.8 @@ -0,0 +1,108 @@ +.TH SLAPDN 8C "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 2004-2022 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.\" $OpenLDAP$ +.SH NAME +slapdn \- Check a list of string-represented LDAP DNs based on schema syntax +.SH SYNOPSIS +.B SBINDIR/slapdn +[\c +.BI \-d \ debug-level\fR] +[\c +.BI \-f \ slapd.conf\fR] +[\c +.BI \-F \ confdir\fR] +[\c +.BR \-N | \-P ] +[\c +.BI \-o \ option\fR[ = value\fR]] +[\c +.BR \-v ] +.IR DN \ [...] +.LP +.SH DESCRIPTION +.LP +.B Slapdn +is used to check the conformance of a DN based on the schema +defined in +.BR slapd (8) +and that loaded via +.BR slapd.conf (5). +It opens the +.BR slapd.conf (5) +configuration file or the slapd\-config (5) backend, reads in the schema definitions, and then +parses the +.I DN +list given on the command-line. +.LP +.SH OPTIONS +.TP +.BI \-d \ debug-level +enable debugging messages as defined by the specified +.IR debug-level ; +see +.BR slapd (8) +for details. +.TP +.BI \-f \ slapd.conf +specify an alternative +.BR slapd.conf (5) +file. +.TP +.BI \-F \ confdir +specify a config directory. +If both +.B \-f +and +.B \-F +are specified, the config file will be read and converted to +config directory format and written to the specified directory. +If neither option is specified, an attempt to read the +default config directory will be made before trying to use the default +config file. If a valid config directory exists then the +default config file is ignored. +.TP +.BI \-N +only output a normalized form of the \fIDN\fP, suitable to be used +in a normalization tool; incompatible with +.BR \-P . +.TP +.BI \-o \ option\fR[ = value\fR] +Specify an +.I option +with a(n optional) +.IR value . +Possible generic options/values are: +.LP +.nf + syslog=<subsystems> (see `\-s' in slapd(8)) + syslog\-level=<level> (see `\-S' in slapd(8)) + syslog\-user=<user> (see `\-l' in slapd(8)) + +.fi +.TP +.BI \-P +only output a prettified form of the \fIDN\fP, suitable to be used +in a check and beautification tool; incompatible with +.BR \-N . +.TP +.B \-v +enable verbose mode. +.SH EXAMPLES +To check a +.B DN +give the command: +.LP +.nf +.ft tt + SBINDIR/slapdn \-f /ETCDIR/slapd.conf \-v DN +.ft +.fi +.SH "SEE ALSO" +.BR ldap (3), +.BR slapd (8), +.BR slaptest (8) +.LP +"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) +.SH ACKNOWLEDGEMENTS +.so ../Project diff --git a/doc/man/man8/slapindex.8 b/doc/man/man8/slapindex.8 new file mode 100644 index 0000000..9cadb64 --- /dev/null +++ b/doc/man/man8/slapindex.8 @@ -0,0 +1,178 @@ +.TH SLAPINDEX 8C "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.\" $OpenLDAP$ +.SH NAME +slapindex \- Reindex entries in a SLAPD database +.SH SYNOPSIS +.B SBINDIR/slapindex +[\c +.BI \-b \ suffix\fR] +[\c +.BR \-c ] +[\c +.BI \-d \ debug-level\fR] +[\c +.BI \-f \ slapd.conf\fR] +[\c +.BI \-F \ confdir\fR] +[\c +.BR \-g ] +[\c +.BI \-n \ dbnum\fR] +[\c +.BI \-o \ option\fR[ = value\fR]] +[\c +.BR \-q ] +[\c +.BR \-t ] +[\c +.BR \-v ] +[\c +.IR attr [ ... ]] +.B +.LP +.SH DESCRIPTION +.LP +.B Slapindex +is used to regenerate +.BR slapd (8) +indices based upon the current contents of a database. +It opens the given database determined by the database number or +suffix and updates the indices for all values of all attributes +of all entries. If a list of specific attributes is provided +on the command line, only the indices for those attributes will +be regenerated. +Databases configured as +.B subordinate +of this one are also re-indexed, unless \fB\-g\fP is specified. + +All files eventually created by +.BR slapindex +will belong to the identity +.BR slapindex +is run as, so make sure you either run +.BR slapindex +with the same identity +.BR slapd (8) +will be run as (see option +.B \-u +in +.BR slapd (8)), +or change file ownership before running +.BR slapd (8). +.SH OPTIONS +.TP +.BI \-b \ suffix +Use the specified \fIsuffix\fR to determine which database to +generate output for. By default, the first database that supports the requested +operation is used. The \fB\-b\fP cannot be used in conjunction with the +.B \-n +option. +.TP +.B \-c +enable continue (ignore errors) mode. +.TP +.BI \-d \ debug-level +enable debugging messages as defined by the specified +.IR debug-level ; +see +.BR slapd (8) +for details. +.TP +.BI \-f \ slapd.conf +specify an alternative +.BR slapd.conf (5) +file. +.TP +.BI \-F \ confdir +specify a config directory. +If both +.B \-f +and +.B \-F +are specified, the config file will be read and converted to +config directory format and written to the specified directory. +If neither option is specified, an attempt to read the +default config directory will be made before trying to use the default +config file. If a valid config directory exists then the +default config file is ignored. +.TP +.B \-g +disable subordinate gluing. Only the specified database will be +processed, and not its glued subordinates (if any). +.TP +.BI \-n \ dbnum +Generate output for the \fIdbnum\fR-th database listed in the +configuration file. The config database +.BR slapd\-config (5), +is always the first database, so use +.B \-n 0 + +The +.B \-n +cannot be used in conjunction with the +.B \-b +option. +.TP +.BI \-o \ option\fR[ = value\fR] +Specify an +.I option +with a(n optional) +.IR value . +Possible generic options/values are: +.LP +.nf + syslog=<subsystems> (see `\-s' in slapd(8)) + syslog\-level=<level> (see `\-S' in slapd(8)) + syslog\-user=<user> (see `\-l' in slapd(8)) + +.fi +.TP +.B \-q +enable quick (fewer integrity checks) mode. Performs no consistency checks +when writing the database. Improves indexing time, +.B however +the database will most likely be unusable if any errors or +interruptions occur. +.TP +.B \-t +enable truncate mode. Truncates (empties) an index database before indexing +any entries. May only be used with back-mdb. +.TP +.B \-v +enable verbose mode. +.SH LIMITATIONS +Your +.BR slapd (8) +should not be running (at least, not in read-write +mode) when you do this to ensure consistency of the database. +.LP +This command provides ample opportunity for the user to obtain +and drink their favorite beverage. +.SH EXAMPLES +To reindex your SLAPD database, give the command: +.LP +.nf +.ft tt + SBINDIR/slapindex +.ft +.fi +To regenerate the index for only a specific attribute, e.g. "uid", +give the command: +.LP +.nf +.ft tt + SBINDIR/slapindex uid +.ft +.fi +.SH "SEE ALSO" +.BR ldap (3), +.BR ldif (5), +.BR slapadd (8), +.BR ldapadd (1), +.BR slapd (8) +.LP +"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) +.SH ACKNOWLEDGEMENTS +.so ../Project diff --git a/doc/man/man8/slapmodify.8 b/doc/man/man8/slapmodify.8 new file mode 100644 index 0000000..98069be --- /dev/null +++ b/doc/man/man8/slapmodify.8 @@ -0,0 +1,222 @@ +.TH SLAPMODIFY 8C "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.\" $OpenLDAP$ +.SH NAME +slapmodify \- Modify entries in a SLAPD database +.SH SYNOPSIS +.B SBINDIR/slapmodify +[\c +.BI \-b \ suffix\fR] +[\c +.BR \-c ] +[\c +.BI \-d \ debug-level\fR] +[\c +.BI \-f \ slapd.conf\fR] +[\c +.BI \-F \ confdir\fR] +[\c +.BR \-g ] +[\c +.BI \-j \ lineno\fR] +[\c +.BI \-l \ ldif-file\fR] +[\c +.BI \-n \ dbnum\fR] +[\c +.BI \-o \ option\fR[ = value\fR]] +[\c +.BR \-q ] +[\c +.BR \-s ] +[\c +.BI \-S \ SID\fR] +[\c +.BR \-u ] +[\c +.BR \-v ] +[\c +.BR \-w ] +.SH DESCRIPTION +.LP +.B Slapmodify +is used to apply modifications specified in LDAP Directory Interchange Format +(LDIF) to a +.BR slapd (8) +database. +It opens the given database determined by the database number or +suffix and performs modifications corresponding to the provided LDIF to +the database. +Databases configured as +.B subordinate +of this one are also updated, unless \fB\-g\fP is specified. +The LDIF input is read from standard input or the specified file. + +All files eventually created by +.BR slapmodify +will belong to the identity +.BR slapmodify +is run as, so make sure you either run +.BR slapmodify +with the same identity +.BR slapd (8) +will be run as (see option +.B \-u +in +.BR slapd (8)), +or change file ownership before running +.BR slapd (8). + +Note: slapmodify will also perform the relevant indexing whilst modifying the database if +any are configured. For specific details, please see +.BR slapindex (8). +.SH OPTIONS +.TP +.BI \-b \ suffix +Use the specified \fIsuffix\fR to determine which database to +add entries to. The \fB\-b\fP cannot be used in conjunction +with the +.B \-n +option. +.TP +.B \-c +enable continue (ignore errors) mode. +.TP +.BI \-d \ debug-level +enable debugging messages as defined by the specified +.IR debug-level ; +see +.BR slapd (8) +for details. +.TP +.BI \-f \ slapd.conf +specify an alternative +.BR slapd.conf (5) +file. +.TP +.BI \-F \ confdir +specify a config directory. +If both +.B \-f +and +.B \-F +are specified, the config file will be read and converted to +config directory format and written to the specified directory. +If neither option is specified, an attempt to read the +default config directory will be made before trying to use the default +config file. If a valid config directory exists then the +default config file is ignored. If dry-run mode is also specified, +no conversion will occur. +.TP +.B \-g +disable subordinate gluing. Only the specified database will be +processed, and not its glued subordinates (if any). +.TP +.BI \-j \ lineno +Jump to the specified line number in the LDIF file before processing +any entries. This allows a modification that was aborted due to errors in the +input LDIF to be resumed after the errors are corrected. +.TP +.BI \-l \ ldif-file +Read LDIF from the specified file instead of standard input. +.TP +.BI \-n \ dbnum +Perform changes on the \fIdbnum\fR-th database listed in the +configuration file. The +.B \-n +cannot be used in conjunction with the +.B \-b +option. +To manipulate the config database +.BR slapd\-config (5), +use +.B \-n 0 +as it is always the first database. It must physically exist +on the filesystem prior to this, however. +.TP +.BI \-o \ option\fR[ = value\fR] +Specify an +.I option +with a(n optional) +.IR value . +Possible generic options/values are: +.LP +.nf + syslog=<subsystems> (see `\-s' in slapd(8)) + syslog\-level=<level> (see `\-S' in slapd(8)) + syslog\-user=<user> (see `\-l' in slapd(8)) + + schema-check={yes|no} + value-check={yes|no} + +.in +The \fIschema\-check\fR option toggles schema checking (default on); +the \fIvalue\-check\fR option toggles value checking (default off). +The latter is incompatible with \fB-q\fR. +.TP +.B \-q +enable quick (fewer integrity checks) mode. Does fewer consistency checks +on the input data, and no consistency checks when writing the database. +Improves the run time but if any errors or interruptions occur the resulting +database will be unusable. +.TP +.B \-s +disable schema checking. This option is intended to be used when +manipulating databases containing special objects, such as fractional +objects on a partial replica. Creating normal objects which do not +conform to schema may result in unexpected and ill behavior. +.TP +.BI \-S \ SID +Server ID to use in generated entryCSN. Also used for contextCSN +if \fB\-w\fP is set as well. Defaults to \fB0\fP. +.TP +.B \-u +enable dry-run (don't write to backend) mode. +.TP +.B \-v +enable verbose mode. +.TP +.BI \-w +write syncrepl context information. +After all entries are added, the contextCSN +will be updated with the greatest CSN in the database. +.SH LIMITATIONS +Your +.BR slapd (8) +should not be running +when you do this to ensure consistency of the database. +.LP +Not all backends support all types of modification, \fImodrdn\fR +changetype in particular is not implemented for any of the current +backends. +.LP +.B slapmodify +may not provide naming or schema checks. It is advisable to +use +.BR ldapmodify (1) +when possible. +.SH EXAMPLES +To make modifications specified in file +.B ldif +into your +.BR slapd (8) +database give the command: +.LP +.nf +.ft tt + SBINDIR/slapmodify \-l ldif +.ft +.fi +.SH "SEE ALSO" +.BR ldap (3), +.BR ldif (5), +.BR slapcat (8), +.BR slapadd (8), +.BR slapindex (8), +.BR ldapmodify (1), +.BR slapd (8) +.LP +"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) +.SH ACKNOWLEDGEMENTS +.so ../Project diff --git a/doc/man/man8/slappasswd.8 b/doc/man/man8/slappasswd.8 new file mode 100644 index 0000000..7bca21d --- /dev/null +++ b/doc/man/man8/slappasswd.8 @@ -0,0 +1,203 @@ +.TH SLAPPASSWD 8C "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.\" $OpenLDAP$ +.SH NAME +slappasswd \- OpenLDAP password utility +.SH SYNOPSIS +.B SBINDIR/slappasswd +[\c +.BR \-v ] +[\c +.BR \-u ] +[\c +.BR \-g \||\| \-s \ \fIsecret\fR \||\| \fB\-T \ \fIfile\fR] +[\c +.BI \-h \ hash\fR] +[\c +.BI \-c \ salt-format\fR] +[\c +.BR \-n ] +[\c +.BI \-o \ option\fR[ = value\fR]] +.LP +.SH DESCRIPTION +.LP +.B Slappasswd +is used to generate an userPassword value +suitable for use with +.BR ldapmodify (1), +.BR slapd.conf (5) +.I rootpw +configuration directive or the +.BR slapd\-config (5) +.I olcRootPW +configuration directive. +. +.SH OPTIONS +.TP +.B \-v +enable verbose mode. +.TP +.B \-u +Generate RFC 2307 userPassword values (the default). Future +versions of this program may generate alternative syntaxes +by default. This option is provided for forward compatibility. +.TP +.BI \-s \ secret +The secret to hash. +If this, +.B \-g +and +.B \-T +are absent, the user will be prompted for the secret to hash. +.BR \-s , +.B \-g +and +.B \-T +are mutually exclusive flags. +.TP +.BI \-g +Generate the secret. +If this, +.B \-s +and +.B \-T +are absent, the user will be prompted for the secret to hash. +.BR \-s , +.B \-g +and +.B \-T +are mutually exclusive flags. +If this is present, +.I {CLEARTEXT} +is used as scheme. +.B \-g +and +.B \-h +are mutually exclusive flags. +.TP +.BI \-T \ "file" +Hash the contents of the file. +If this, +.B \-g +and +.B \-s +are absent, the user will be prompted for the secret to hash. +.BR \-s , +.B \-g +and +.B \-T +and mutually exclusive flags. +.TP +.BI \-h \ "scheme" +If \fB\-h\fP is specified, one of the following RFC 2307 schemes may +be specified: +.BR {CRYPT} , +.BR {MD5} , +.BR {SMD5} , +.BR {SSHA} ", and" +.BR {SHA} . +The default is +.BR {SSHA} . + +Note that scheme names may need to be protected, due to +.B { +and +.BR } , +from expansion by the user's command interpreter. + +.B {SHA} +and +.B {SSHA} +use the SHA-1 algorithm (FIPS 160-1), the latter with a seed. + +.B {MD5} +and +.B {SMD5} +use the MD5 algorithm (RFC 1321), the latter with a seed. + +.B {CRYPT} +uses the +.BR crypt (3). + +.B {CLEARTEXT} +indicates that the new password should be added to userPassword as +clear text. +Unless +.I {CLEARTEXT} +is used, this flag is incompatible with option +.BR \-g . +.TP +.BI \-c \ crypt-salt-format +Specify the format of the salt passed to +.BR crypt (3) +when generating {CRYPT} passwords. +This string needs to be in +.BR sprintf (3) +format and may include one (and only one) +.B %s +conversion. +This conversion will be substituted with a string of random +characters from [A\-Za\-z0\-9./]. For example, +.RB ' %.2s ' +provides a two character salt and +.RB ' $1$%.8s ' +tells some +versions of +.BR crypt (3) +to use an MD5 algorithm and provides +8 random characters of salt. +The default is +.RB ' %s ' , +which provides 31 characters of salt. +.TP +.BI \-n +Omit the trailing newline; useful to pipe the credentials +into a command. +.TP +.BI \-o \ option\fR[ = value\fR] +Specify an +.I option +with a(n optional) +.IR value . +Possible generic options/values are: +.LP +.nf + module\-path=<pathspec> (see `\fBmodulepath\fP' in slapd.conf(5)) + module\-load="<filename> [<arguments>...]" (see `\fBmoduleload\fP' in slapd.conf(5)) + +.in +You can load a dynamically loadable password hash module by +using this option. +.SH LIMITATIONS +The practice of storing hashed passwords in userPassword violates +Standard Track (RFC 4519) schema specifications and may hinder +interoperability. A new attribute type, authPassword, to hold +hashed passwords has been defined (RFC 3112), but is not yet +implemented in +.BR slapd (8). +.LP +It should also be noted that the behavior of +.BR crypt (3) +is platform specific. +.SH "SECURITY CONSIDERATIONS" +Use of hashed passwords does not protect passwords during +protocol transfer. TLS or other eavesdropping protections +should be in-place before using LDAP simple bind. +.LP +The hashed password values should be protected as if they +were clear text passwords. +.SH "SEE ALSO" +.BR ldappasswd (1), +.BR ldapmodify (1), +.BR slapd (8), +.BR slapd.conf (5), +.BR slapd\-config (5), +.B RFC 2307\fP, +.B RFC 4519\fP, +.B RFC 3112 +.LP +"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) +.SH ACKNOWLEDGEMENTS +.so ../Project diff --git a/doc/man/man8/slapschema.8 b/doc/man/man8/slapschema.8 new file mode 100644 index 0000000..8b91f8a --- /dev/null +++ b/doc/man/man8/slapschema.8 @@ -0,0 +1,193 @@ +.TH SLAPSCHEMA 8C "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.\" $OpenLDAP$ +.SH NAME +slapschema \- SLAPD in-database schema checking utility +.SH SYNOPSIS +.B SBINDIR/slapschema +[\c +.BI \-a filter\fR] +[\c +.BI \-b suffix\fR] +[\c +.BR \-c ] +[\c +.BI \-d debug-level\fR] +[\c +.BI \-f slapd.conf\fR] +[\c +.BI \-F confdir\fR] +[\c +.BR \-g ] +[\c +.BI \-H URI\fR] +[\c +.BI \-l error-file\fR] +[\c +.BI \-n dbnum\fR] +[\c +.BI \-o option\fR[ = value\fR]] +[\c +.BI \-s subtree-dn\fR] +[\c +.BR \-v ] +.LP +.SH DESCRIPTION +.LP +.B Slapschema +is used to check schema compliance of the contents of a +.BR slapd (8) +database. +It opens the given database determined by the database number or +suffix and checks the compliance of its contents with the corresponding +schema. Errors are written to standard output or the specified file. +Databases configured as +.B subordinate +of this one are also output, unless \fB\-g\fP is specified. +.LP +Administrators may need to modify existing schema items, including +adding new required attributes to objectClasses, +removing existing required or allowed attributes from objectClasses, +entirely removing objectClasses, +or any other change that may result in making perfectly valid entries +no longer compliant with the modified schema. +The execution of the +.B slapschema +tool after modifying the schema can point out +inconsistencies that would otherwise surface only when +inconsistent entries need to be modified. + +.LP +The entry records are checked in database order, not superior first +order. The entry records will be checked considering all +(user and operational) attributes stored in the database. +Dynamically generated attributes (such as subschemaSubentry) +will not be considered. +.SH OPTIONS +.TP +.BI \-a \ filter +Only check entries matching the asserted filter. +For example + +slapschema \-a \\ + "(!(entryDN:dnSubtreeMatch:=ou=People,dc=example,dc=com))" + +will check all but the "ou=People,dc=example,dc=com" subtree +of the "dc=example,dc=com" database. +Deprecated; use \fB-H\fP \fIldap:///???(filter)\fP instead. +.TP +.BI \-b \ suffix +Use the specified \fIsuffix\fR to determine which database to +check. By default, the first database that supports the requested operation is +used. The \fB\-b\fP cannot be used in conjunction with the +.B \-n +option. +.TP +.B \-c +Enable continue (ignore errors) mode. +.TP +.BI \-d \ debug-level +Enable debugging messages as defined by the specified +.IR debug-level ; +see +.BR slapd (8) +for details. +.TP +.BI \-f \ slapd.conf +Specify an alternative +.BR slapd.conf (5) +file. +.TP +.BI \-F \ confdir +specify a config directory. +If both +.B \-f +and +.B \-F +are specified, the config file will be read and converted to +config directory format and written to the specified directory. +If neither option is specified, an attempt to read the +default config directory will be made before trying to use the default +config file. If a valid config directory exists then the +default config file is ignored. +.TP +.B \-g +disable subordinate gluing. Only the specified database will be +processed, and not its glued subordinates (if any). +.TP +.B \-H \ URI +use dn, scope and filter from URI to only handle matching entries. +.TP +.BI \-l \ error-file +Write errors to specified file instead of standard output. +.TP +.BI \-n \ dbnum +Check the \fIdbnum\fR\-th database listed in the +configuration file. The config database +.BR slapd\-config (5), +is always the first database, so use +.B \-n 0 + +The +.B \-n +cannot be used in conjunction with the +.B \-b +option. +.TP +.BI \-o \ option\fR[ = value\fR] +Specify an +.I option +with a(n optional) +.IR value . +Possible generic options/values are: +.LP +.nf + syslog=<subsystems> (see `\-s' in slapd(8)) + syslog\-level=<level> (see `\-S' in slapd(8)) + syslog\-user=<user> (see `\-l' in slapd(8)) + +.fi +.TP +.BI \-s \ subtree-dn +Only check entries in the subtree specified by this DN. +Implies \fB\-b\fP \fIsubtree-dn\fP if no +.B \-b +nor +.B \-n +option is given. +Deprecated; use \fB-H\fP \fIldap:///subtree-dn\fP instead. +.TP +.B \-v +Enable verbose mode. +.SH LIMITATIONS +For some backend types, your +.BR slapd (8) +should not be running (at least, not in read-write +mode) when you do this to ensure consistency of the database. It is +always safe to run +.B slapschema +with the +.BR slapd\-mdb (5), +and +.BR slapd\-null (5) +backends. +.SH EXAMPLES +To check the schema compliance of your SLAPD database after modifications +to the schema, and put any error in a file called +.BR errors.ldif , +give the command: +.LP +.nf +.ft tt + SBINDIR/slapschema \-l errors.ldif +.ft +.fi +.SH "SEE ALSO" +.BR ldap (3), +.BR ldif (5), +.BR slapd (8) +.LP +"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) +.SH ACKNOWLEDGEMENTS +.so ../Project diff --git a/doc/man/man8/slaptest.8 b/doc/man/man8/slaptest.8 new file mode 100644 index 0000000..9effa9f --- /dev/null +++ b/doc/man/man8/slaptest.8 @@ -0,0 +1,117 @@ +.TH SLAPTEST 8C "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 2004-2022 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.\" $OpenLDAP$ +.SH NAME +slaptest \- Check the suitability of the OpenLDAP slapd configuration +.SH SYNOPSIS +.B SBINDIR/slaptest +[\c +.BI \-d \ debug-level\fR] +[\c +.BI \-f \ slapd.conf\fR] +[\c +.BI \-F \ confdir\fR] +[\c +.BI \-n dbnum\fR] +[\c +.BI \-o \ option\fR[ = value\fR]] +[\c +.BR \-Q ] +[\c +.BR \-u ] +[\c +.BR \-v ] +.LP +.SH DESCRIPTION +.LP +.B Slaptest +is used to check the conformance of the +.BR slapd (8) +configuration. +It opens the +.BR slapd.conf (5) +configuration file or the +.BR slapd\-config (5) +backend, and parses it according to the general and the backend-specific +rules, checking its sanity. +.LP +.SH OPTIONS +.TP +.BI \-d \ debug-level +enable debugging messages as defined by the specified +.IR debug-level ; +see +.BR slapd (8) +for details. +.TP +.BI \-f \ slapd.conf +specify an alternative +.BR slapd.conf (5) +file. +.TP +.BI \-F \ confdir +specify a config directory. +If both +.B \-f +and +.B \-F +are specified, the config file will be read and converted to +config directory format and written to the specified directory. +If neither option is specified, slaptest will attempt to read the +default config directory before trying to use the default +config file. If a valid config directory exists then the +default config file is ignored. If dry-run mode is also specified, +no conversion will occur. +.TP +.BI \-n \ dbnum +Just open and test the \fIdbnum\fR-th database listed in the +configuration file. +To only test the config database +.BR slapd\-config (5), +use +.B \-n 0 +as it is always the first database. +.TP +.BI \-o \ option\fR[ = value\fR] +Specify an +.I option +with a(n optional) +.IR value . +Possible generic options/values are: +.LP +.nf + syslog=<subsystems> (see `\-s' in slapd(8)) + syslog\-level=<level> (see `\-S' in slapd(8)) + syslog\-user=<user> (see `\-l' in slapd(8)) + +.fi +.TP +.BI \-Q +Be extremely quiet: only the exit code indicates success (0) or not +(any other value). +.TP +.B \-u +enable dry-run mode (i.e. don't fail if databases cannot be opened, +but config is fine). +.TP +.B \-v +enable verbose mode. +.SH EXAMPLES +To check a +.BR slapd.conf (5) +give the command: +.LP +.nf +.ft tt + SBINDIR/slaptest \-f /ETCDIR/slapd.conf \-v +.ft +.fi +.SH "SEE ALSO" +.BR ldap (3), +.BR slapd (8), +.BR slapdn (8) +.LP +"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) +.SH ACKNOWLEDGEMENTS +.so ../Project |