The LDAP configuration file

Global options

Options described in this topic apply to all backends, unless specifically overridden in a backend definition.

access
access to what [ by who accesslevel ]+
This option grants access (specified by accesslevel) to a set of entries and/or attributes (specified by what) by one or more requesters (specified by who). See ``Access control'' for more details and examples.

attribute
   attribute name [name] { bin | ces | cis | tel | dn }
This option associates a syntax with an attribute name. By default, an attribute is assumed to have syntax cis. An optional alternate name can be given for an attribute. The possible syntaxes and their meanings are as follows:

bin
binary

ces
case exact string (case must match during comparisons)

cis
case ignore string (case is ignored during comparisons)

tel
telephone number string (like cis but blanks and dashes (-) are ignored during comparisons)

dn
distinguished name

config_dn
config_dn dn
This option specifies the distinguished name to be used for the retrieval of configuration information.

For example:

config_dn  cn=local_slapd_config
This entry can then be used to retrieve information (see ``Monitoring slapd''). For example:

ldapsearch -s base -b cn=local_slapd_config 'objectclass=*'

Default: no config_dn set

defaultaccess
defaultaccess { none | compare | search | read | write }
This option specifies the default access to grant requesters not matched by any other access line (see ``Access control''). Note that an access level implies all lesser access levels (for example, write access implies read, search and compare).

Default: defaultaccess read

include
include filename
This option specifies that slapd should read additional configuration information from the given file before continuing with the next line of the current file. The included file should follow the normal slapd configuration file format. Use this option with care: there is no small limit on the number of nested include options, and slapd does no loop detection.
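
Because slapd does no loop detection, a pre-deployment check can walk the include chain itself. The following is an added example, not part of the original documentation or of slapd: the function names, the file names and the file contents are constructed, and it assumes that lines beginning with # are comments and that relative filenames resolve against the including file.

```python
import os
import tempfile

def find_include_loops(path, stack=()):
    """Follow include lines from path; return each chain that re-enters a file."""
    real = os.path.realpath(path)
    if real in stack:
        # Already being read further up the chain: report the loop and stop.
        return [list(stack[stack.index(real):]) + [real]]
    loops = []
    with open(real) as fh:  # a missing include target raises FileNotFoundError
        for line in fh:
            fields = line.split()
            # Assumption: lines starting with '#' are comments.
            if len(fields) < 2 or fields[0].startswith("#"):
                continue
            if fields[0] == "include":
                # Assumption: relative names resolve against the including file.
                target = os.path.join(os.path.dirname(real), fields[1])
                loops += find_include_loops(target, stack + (real,))
    return loops

def build_sample(root):
    """Constructed sample: slapd.conf -> a.conf -> b.conf -> a.conf."""
    files = {
        "slapd.conf": "schemacheck on\ninclude a.conf\nsizelimit 500\n",
        "a.conf": "# constructed sample\ninclude b.conf\n",
        "b.conf": "timelimit 3600\ninclude a.conf\n",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return os.path.join(root, "slapd.conf")

def demo():
    with tempfile.TemporaryDirectory() as root:
        loops = find_include_loops(build_sample(root))
        return [[os.path.basename(p) for p in chain] for chain in loops]

if __name__ == "__main__":
    for chain in demo():
        print("include loop: " + " -> ".join(chain))
```

A file that is included twice from different places without forming a cycle is not reported, since only the chain currently being read is checked.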

loglevel
loglevel integer
This option specifies the level at which debugging statements and operation statistics should be logged (currently to the LOG_LOCAL4 facility of syslogd(1M)). Log levels are additive. The possible values for integer are as follows:

1
trace function calls

2
debug packet handling

4
heavy trace debugging

8
connection management

16
print out packets sent and received

32
search filter processing

64
configuration file processing

128
access control list processing

256
stats log connections/operations/results

512
stats log entries sent

1024
print communication with shell backends

2048
print entry parsing debugging

For example:

loglevel 255
This will cause lots of debugging information to be logged.

Default: loglevel 256.

monitor_dn
monitor_dn  dn
This option specifies a distinguished name to be used in the retrieval of monitoring information. See ``Monitoring interface attributes'' for details of the attributes accessed by the slapd monitoring interface.

For example:

monitor_dn  cn=local_slapd_monitor
This entry can then be used to retrieve information (see ``Monitoring slapd''). For example:

ldapsearch -s base -b cn=local_slapd_monitor 'objectclass=*'

Default: no monitor_dn set

objectclass
objectclass name
            [ requires attrs ]
            [ allows attrs ]
This option defines the schema rules for the given object class. Used in conjunction with the schemacheck option. See ``Schema enforcement'' for more details.

phonetic
phonetic { metaphone | soundex }
This option specifies the phonetic algorithm used by slapd when doing approximate searches. There is a choice between the metaphone and soundex algorithms.

Default: phonetic metaphone

referral
referral url
This option specifies the referral to pass back when slapd cannot find a local database to handle a request.

For example:

referral ldap://ldap.itd.antbear.com
This will refer non-local queries to the LDAP server at Antbear, Lucid & Popp. Smart LDAP clients can re-ask their query at that server, but note that most of these clients are only going to know how to handle simple LDAP URLs that contain a host part and optionally a distinguished name part.

schemacheck
schemacheck { on | off }
This option turns schema checking on or off. If schema checking is on, entries added or modified will be checked to ensure they obey the schema rules implied by their object class(es) as defined by the corresponding objectclass option(s). If schema checking is off this check is not done.

Default: schemacheck off

sizelimit
sizelimit integer
This option specifies the maximum number of entries to return from a search operation.

Default: sizelimit 500

timelimit
timelimit integer
This option specifies the maximum number of seconds (in real time) slapd will spend answering a search request. If a request is not finished in this time, a result indicating an exceeded timelimit will be returned.

Default: timelimit 3600

Monitoring interface attributes

The slapd monitoring interface may access any of the following attributes:

version
version: slapd version (date)
This attribute identifies the slapd server software by name, version, and build date, for example, ``slapd 3.3.1.21 (Thu May 21 14:19:03 EDT 1997)''.

threads
threads: integer
This attribute indicates the number of threads (operations) currently outstanding in slapd.

connection
connection: fd : opentime : opsinitiated :
            opscompleted : binddn : [ rw ]
This multi-valued attribute summarizes information for each open connection. The information given is fd, the file descriptor; opentime, the time the connection was opened in UTC format; opsinitiated, the number of operations initiated over the connection; opscompleted, the number of operations completed over the connection; binddn, the DN currently bound to the connection; and, optionally, rw, indicating whether the connection is currently blocked for read or write.

currentconnections
currentconnections: integer
The current number of connections.

totalconnections
totalconnections: integer
The total number of connections handled by slapd since it started.

dtablesize
dtablesize: integer
The size of slapd's file descriptor table.

writewaiters
writewaiters: integer
The number of threads blocked waiting to write data to a client.

readwaiters
readwaiters: integer
The number of threads blocked waiting to read data from a client.

opsinitiated
opsinitiated: integer
The total number of operations initiated by slapd since it started.

opscompleted
opscompleted: integer
The total number of operations completed by slapd since it started.

entriessent
entriessent: integer
The total number of entries sent to clients by slapd since it started.

bytessent
bytessent: integer
The total number of bytes sent to clients by slapd since it started.

currenttime
currenttime: UTC time
slapd's idea of the current time.

starttime
starttime: integer
The time slapd was started.

nbackends
nbackends: integer
The number of backends currently being served by slapd.

Note that slapd takes a snapshot of this information and returns it to you. No attempt is made to ensure that the information is consistent (that is, if an operation thread is modifying one of these things when the monitor thread is reading it, strange results could be returned).

You should be able to use any LDAP client to retrieve this information. The following is an example of how you might do it using the ldapsearch(1ldap) client:

ldapsearch -s base -b cn=monitor_dn 'objectclass=*'
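
The connection values in that output can be split into the fields listed above and reviewed per bound DN. The following is an added example, not part of the original documentation: the sample output and its values are constructed, the function names are hypothetical, and it assumes the fd, opentime, opsinitiated and opscompleted fields contain no colon.

```python
# Constructed sample of ldapsearch output; every value here is made up.
SAMPLE = """\
cn=local_slapd_monitor
currentconnections: 3
connection: 7 : 19991105120000Z : 12 : 12 : cn=admin,o=example :
connection: 9 : 19991105120230Z : 40 : 37 : cn=app,o=example : w
connection: 11 : 19991105120301Z : 1 : 0 : cn=guest,o=example
"""

def parse_connection(value):
    """Split one connection value into the documented fields.

    Raises ValueError if fewer than five fields are present.
    """
    fd, opened, initiated, completed, rest = [
        p.strip() for p in value.split(":", 4)
    ]
    head, sep, tail = rest.rpartition(":")
    # The last field is optional: accept it as flags only if empty, r, w or rw.
    if sep and tail.strip() in ("", "r", "w", "rw"):
        binddn, flags = head.strip(), tail.strip()
    else:
        binddn, flags = rest, ""
    return {
        "fd": int(fd),
        "opentime": opened,
        "pending": int(initiated) - int(completed),  # started but not finished
        "binddn": binddn,
        "blocked": flags,
    }

def connections(output):
    """Yield a parsed record for each connection value in ldapsearch output."""
    for line in output.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() == "connection":
            yield parse_connection(value)

def needs_attention(output):
    """Connections with unfinished operations or blocked on read/write."""
    return [c for c in connections(output) if c["pending"] > 0 or c["blocked"]]

if __name__ == "__main__":
    for c in needs_attention(SAMPLE):
        print(c["fd"], c["binddn"], "pending=%d" % c["pending"], c["blocked"] or "-")
```

Because the monitor data is an unsynchronized snapshot, a single non-zero pending count is not significant on its own; compare successive samples before acting on it.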


© 1999 The Santa Cruz Operation, Inc. All rights reserved.
UnixWare 7 Release 7.1.1 - 5 November 1999