summaryrefslogtreecommitdiffstats
path: root/doc/man/man8/slapd.8
diff options
context:
space:
mode:
Diffstat (limited to 'doc/man/man8/slapd.8')
-rw-r--r--doc/man/man8/slapd.8377
1 files changed, 377 insertions, 0 deletions
diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8
new file mode 100644
index 0000000..a93fcbc
--- /dev/null
+++ b/doc/man/man8/slapd.8
@@ -0,0 +1,377 @@
+.TH SLAPD 8C "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
+.SH NAME
+slapd \- Stand-alone LDAP Daemon
+.SH SYNOPSIS
+.B LIBEXECDIR/slapd
+[\c
+.BR \-V [ V [ V ]]
+[\c
+.BR \-4 | \-6 ]
+[\c
+.BR \-T \ { acl \||\| a [ dd ]\||\| auth \||\| c [ at ]\||\|
+.BR d [ n ]\||\| i [ ndex ]\||\| p [ asswd ]\||\| s [ chema ]\||\| t [ est ]}]
+[\c
+.BI \-d \ debug-level\fR]
+[\c
+.BI \-f \ slapd-config-file\fR]
+[\c
+.BI \-F \ slapd-config-directory\fR]
+[\c
+.BI \-h \ URLs\fR]
+[\c
+.BI \-n \ service-name\fR]
+[\c
+.BI \-s \ syslog-level\fR]
+[\c
+.BI \-l \ syslog-local-user\fR]
+[\c
+.BI \-o \ option\fR[ = value\fR]]
+[\c
+.BI \-r \ directory\fR]
+[\c
+.BI \-u \ user\fR]
+[\c
+.BI \-g \ group\fR]
+[\c
+.BI \-c \ cookie\fR]
+.SH DESCRIPTION
+.LP
+.B Slapd
+is the stand-alone LDAP daemon. It listens for LDAP connections on
+any number of ports (default \fB389\fP), responding
+to the LDAP operations it receives over these connections.
+.B slapd
+is typically invoked at boot time, usually out of
+.BR /etc/rc.local .
+Upon startup,
+.B slapd
+normally forks and disassociates itself from the invoking tty.
+If configured in the config file (or config directory),
+the
+.B slapd
+process will print its process ID (see
+.BR getpid (2))
+to a
+.B .pid
+file, as well as the command line options during invocation to an
+.B .args
+file (see
+.BR slapd.conf (5)).
+If the
+.B \-d
+flag is given, even with a zero argument,
+.B slapd
+will not fork and disassociate from the invoking tty.
+.LP
+See the "OpenLDAP Administrator's Guide" for more details on
+.BR slapd .
+.SH OPTIONS
+.TP
+.BR \-V [ V [ V ]]
+Print version info and proceed with startup.
+If \fB\-VV\fP is given, exit after providing version info. If \fB\-VVV\fP is
+given, additionally provide information on static overlays and backends.
+.TP
+.B \-4
+Listen on IPv4 addresses only.
+.TP
+.B \-6
+Listen on IPv6 addresses only.
+.TP
+.BI \-T \ tool
+Run in Tool mode. The \fItool\fP argument selects whether to run as
+.IR slapadd ,
+.IR slapcat ,
+.IR slapdn ,
+.IR slapindex ,
+.IR slappasswd ,
+.IR slapschema ,
+or
+.I slaptest
+(\fIslapacl\fP and \fIslapauth\fP need the entire \fBacl\fP and \fBauth\fP
+option value to be spelled out, as \fBa\fP is reserved to
+.IR slapadd ).
+This option should be the first option specified when it is used;
+any remaining options will be interpreted by the corresponding
+slap tool program, according to the respective man pages.
+Note that these tool programs will usually be symbolic links to
+.BR slapd .
+This option is provided for situations where symbolic links
+are not provided or not usable.
+.TP
+.BI \-d \ debug-level
+Turn on debugging as defined by
+.IR debug-level .
+If this option is specified, even with a zero argument,
+.B slapd
+will not fork or disassociate from the invoking terminal. Some general
+operation and status messages are printed for any value of \fIdebug-level\fP.
+\fIdebug-level\fP is taken as a bit string, with each bit corresponding to a
+different kind of debugging information. See <ldap_log.h> for details.
+Comma-separated arrays of friendly names can be specified to select
+debugging output of the corresponding debugging information.
+All the names recognized by the \fIloglevel\fP directive
+described in \fBslapd.conf\fP(5) are supported.
+If \fIdebug-level\fP is \fB?\fP, a list of installed debug-levels is printed,
+and slapd exits.
+
+Remember that if you turn on packet logging, packets containing bind passwords
+will be output, so if you redirect the log to a logfile, that file should
+be read-protected.
+.TP
+.BI \-s \ syslog-level
+This option tells
+.B slapd
+at what debug-level debugging statements should be logged to the
+.BR syslog (8)
+facility.
+The value \fIsyslog-level\fP can be set to any value or combination
+allowed by the \fB\-d\fP switch.
+Slapd logs all messages selected by \fIsyslog-level\fP
+at the
+.BR syslog (3)
+severity debug-level \fBDEBUG\fP,
+on the unit specified with \fB\-l\fP.
+.TP
+.BI \-n \ service-name
+Specifies the service name for logging and other purposes. Defaults
+to basename of argv[0], i.e.: "slapd".
+.TP
+.BI \-l \ syslog-local-user
+Selects the local user of the
+.BR syslog (8)
+facility. Value can be
+.BR LOCAL0 ,
+through
+.BR LOCAL7 ,
+as well as
+.B USER
+and
+.BR DAEMON .
+The default is
+.BR LOCAL4 .
+However, this option is only permitted on systems that support
+local users with the
+.BR syslog (8)
+facility.
+Logging to syslog(8) occurs at the "DEBUG" severity debug-level.
+.TP
+.BI \-f \ slapd-config-file
+Specifies the slapd configuration file. The default is
+.BR ETCDIR/slapd.conf .
+.TP
+.BI \-F \ slapd-config-directory
+Specifies the slapd configuration directory. The default is
+.BR ETCDIR/slapd.d .
+If both
+.B \-f
+and
+.B \-F
+are specified, the config file will be read and converted to
+config directory format and written to the specified directory.
+If neither option is specified, slapd will attempt to read the
+default config directory before trying to use the default
+config file. If a valid config directory exists then the
+default config file is ignored. All of the slap tools that
+use the config options observe this same behavior.
+.TP
+.BI \-h \ URLlist
+.B slapd
+will by default serve
+.B ldap:///
+(LDAP over TCP on all interfaces on default LDAP port). That is,
+it will bind using INADDR_ANY and port \fB389\fP.
+The
+.B \-h
+option may be used to specify LDAP (and other scheme) URLs to serve.
+For example, if slapd is given
+.BR "\-h \(dqldap://127.0.0.1:9009/ ldaps:/// ldapi:///\(dq" ,
+it will listen on 127.0.0.1:9009 for LDAP, 0.0.0.0:636 for LDAP over TLS,
+and LDAP over IPC (Unix domain sockets). Host 0.0.0.0 represents
+INADDR_ANY (any interface).
+A space separated list of URLs is expected. The URLs should be of the LDAP,
+PLDAP, LDAPS, PLDAPS, or LDAPI schemes, and generally without a DN or other
+optional parameters (excepting as discussed below). Support for the latter
+three schemes depends on selected configuration options. Hosts may be specified
+by name or IPv4 and IPv6 address formats. Ports, if specified, must be
+numeric. The default ldap:// port is \fB389\fP and the default ldaps:// port
+is \fB636\fP, same for the proxy enabled variants.
+
+The PLDAP and PLDAPS URL schemes provide support for the HAProxy proxy protocol
+version 2, which allows a load balancer or proxy server to provide the remote
+client IP address to slapd to be used for access control or logging. Ports
+configured for PLDAP or PLDAPS will only accept connections that include the
+necessary proxy protocol header. Connections to these ports should be
+restricted at the network level to only trusted load balancers or proxies to
+avoid spoofing of client IP addresses by third parties.
+
+For LDAP over IPC,
+.B name
+is the name of the socket, and no
+.B port
+is required, nor allowed; note that directory separators must be
+URL-encoded, like any other characters that are special to URLs;
+so the socket
+
+ /usr/local/var/ldapi
+
+must be specified as
+
+ ldapi://%2Fusr%2Flocal%2Fvar%2Fldapi
+
+The default location for the IPC socket is LOCALSTATEDIR/run/ldapi
+
+The listener permissions are indicated by
+"x\-mod=\-rwxrwxrwx", "x\-mod=0777" or "x\-mod=777", where any
+of the "rwx" can be "\-" to suppress the related permission, while any
+of the "7" can be any legal octal digit, according to chmod(1).
+The listeners can take advantage of the "x\-mod"
+extension to apply rough limitations to operations, e.g. allow read operations
+("r", which applies to search and compare), write operations ("w",
+which applies to add, delete, modify and modrdn), and execute operations
+("x", which means bind is required).
+"User" permissions apply to authenticated users, while "other" apply
+to anonymous users; "group" permissions are ignored.
+For example, "ldap:///????x\-mod=\-rw\-\-\-\-\-\-\-" means that read and write is only allowed
+for authenticated connections, and bind is required for all operations.
+This feature is experimental, and requires to be manually enabled
+at configure time.
+.TP
+.BI \-r \ directory
+Specifies a directory to become the root directory. slapd will
+change the current working directory to this directory and
+then
+.BR chroot (2)
+to this directory. This is done after opening listeners but before
+reading any configuration file or initializing any backend. When
+used as a security mechanism, it should be used in conjunction with
+.B \-u
+and
+.B \-g
+options.
+.TP
+.BI \-u \ user
+.B slapd
+will run slapd with the specified user name or id, and that user's
+supplementary group access list as set with initgroups(3). The group ID
+is also changed to this user's gid, unless the \fB\-g\fP option is used to
+override. Note when used with
+.BR \-r ,
+slapd will use the user database in the change root environment.
+
+Note that on some systems, running as a non-privileged user will prevent
+passwd back-ends from accessing the encrypted passwords. Note also that
+any shell back-ends will run as the specified non-privileged user.
+.TP
+.BI \-g \ group
+.B slapd
+will run with the specified group name or id. Note when used with
+.BR \-r ,
+slapd will use the group database in the change root environment.
+.TP
+.BI \-c \ cookie
+This option provides a cookie for the syncrepl replication consumer.
+The cookie is a comma separated list of \fIname=value\fP pairs.
+Currently supported syncrepl cookie fields are
+.BR rid ,
+.BR sid ,
+and
+.BR csn .
+.B rid
+identifies a replication thread within the consumer server
+and is used to find the syncrepl specification in
+.BR slapd.conf (5)
+or
+.BR slapd\-config (5)
+having the matching replication identifier in its definition. The
+.B rid
+must be provided in order for any other specified values to be used.
+.B sid
+is the server id in a multi-provider configuration.
+.B csn
+is the commit sequence number received by a previous synchronization
+and represents the state of the consumer content which the
+syncrepl engine will synchronize to the current provider content.
+In case of \fImulti-provider\fP replication agreement,
+multiple
+.B csn
+values, semicolon separated, can appear.
+Use only the
+.B rid
+part to force a full reload.
+.TP
+.BI \-o \ option\fR[ = value\fR]
+This option provides a generic means to specify options without the need to reserve
+a separate letter for them.
+
+It supports the following options:
+.RS
+.TP
+.BR slp= { on \||\| off \||\| \fIslp-attrs\fP }
+When SLP support is compiled into slapd, disable it (\fBoff\fP),
+ enable it by registering at SLP DAs without specific SLP attributes (\fBon\fP),
+or with specific SLP attributes
+.I slp-attrs
+that must be an SLP attribute list definition according to the SLP standard.
+
+For example, \fB"slp=(tree=production),(server-type=OpenLDAP),(server\-version=2.4.15)"\fP
+registers at SLP DAs with the three SLP attributes tree, server-type and server-version
+that have the values given above.
+This allows one to specifically query the SLP DAs for LDAP servers holding the
+.I production
+tree in case multiple trees are available.
+.RE
+.SH EXAMPLES
+To start
+.I slapd
+and have it fork and detach from the terminal and start serving
+the LDAP databases defined in the default config file, just type:
+.LP
+.nf
+.ft tt
+ LIBEXECDIR/slapd
+.ft
+.fi
+.LP
+To start
+.B slapd
+with an alternate configuration file, and turn
+on voluminous debugging which will be printed on standard error, type:
+.LP
+.nf
+.ft tt
+ LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
+.ft
+.fi
+.LP
+To test whether the configuration file is correct or not, type:
+.LP
+.nf
+.ft tt
+ LIBEXECDIR/slapd \-Tt
+.ft
+.fi
+.LP
+.SH "SEE ALSO"
+.BR ldap (3),
+.BR slapd.conf (5),
+.BR slapd\-config (5),
+.BR slapd.access (5),
+.BR slapacl (8),
+.BR slapadd (8),
+.BR slapauth (8),
+.BR slapcat (8),
+.BR slapdn (8),
+.BR slapindex (8),
+.BR slappasswd (8),
+.BR slapschema (8),
+.BR slaptest (8).
+.LP
+"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
+.SH BUGS
+See http://www.openldap.org/its/
+.SH ACKNOWLEDGEMENTS
+.so ../Project