Seth Woolley's Man Viewer

Manual for slapd - man 8 slapd

([section] manual, -k keyword, -K [section] search, -f whatis)
man plain no title

SLAPD(8C)                                                            SLAPD(8C)

       slapd(5,8) - Stand-alone LDAP Daemon

       LIBEXECDIR/slapd(5,8)   [-[4|6]]   [-T   (a|c|i|p)]   [-d  debug-level]  [-f
       slapd-config-file] [-h URLs] [-n service-name]  [-s  syslog-level]  [-l
       syslog-local-user] [-r directory] [-u user] [-g group] [-t] [-c cookie]

       Slapd is the stand-alone LDAP daemon. It listens for  LDAP  connections
       on any number of ports (default 389), responding to the LDAP operations
       it receives over these connections.  slapd(5,8) is typically invoked at boot
       time(1,2,n), usually out of /etc/rc.local.  Upon startup, slapd(5,8) normally forks
       and disassociates itself from  the  invoking  tty.   If  configured  in(1,8)
       ETCDIR/slapd.conf,  the  slapd(5,8)  process  will print its process ID (see
       getpid(2)) to a .pid file(1,n), as well as the command line  options  during
       invocation  to  an  .args  file(1,n) (see slapd.conf(5)).  If the -d flag is
       given, even with a zero argument, slapd(5,8) will not fork and  disassociate
       from the invoking tty.

       Slapd  can  be  configured to provide replicated service for a database
       with the help of slurpd, the standalone LDAP update(7,n) replication daemon.
       See slurpd(8) for details.

       See the "OpenLDAP Administrator's Guide" for more details on slapd(5,8).

       -4     Listen on IPv4 addresses only.

       -6     Listen on IPv6 addresses only.

       -T (a|c|i|p)
              Run in(1,8) Tool mode. The additional argument selects whether to run
              as slapadd,  slapcat,  slapindex,  or  slappasswd.  This  option
              should  be  the  first  option  specified  when  it is used. Any
              remaining options will be interpreted by the corresponding  slap
              tool program. Note that these tool programs will usually be sym-
              bolic links to slapd. This option  is  provided  for  situations
              where symbolic links are not provided or not usable.

       -d debug-level
              Turn  on debugging as defined by debug-level.  If this option is
              specified, even with a zero argument, slapd(5,8)  will  not  fork  or
              disassociate from the invoking terminal.  Some general operation
              and status messages are printed for any  value  of  debug-level.
              debug-level  is taken as a bit string(3,n), with each bit correspond-
              ing to a different kind of debugging information.  See  <ldap.h>
              for details.  Remember that if(3,n) you turn on packet logging, pack-
              ets containing bind(2,n,1 builtins) passwords will be output, so if(3,n) you redirect
              the log to a logfile, that file(1,n) should be read-protected.

       -s syslog-level
              This  option  tells  slapd(5,8)  at  what  level debugging statements
              should be logged to the syslog(2,3,5,3 Sys::Syslog)(8) facility.

       -n service-name
              Specifies the service  name  for  logging  and  other  purposes.
              Defaults to basename(1,3,3 File::Basename) of argv[0], i.e.: "slapd(5,8)".

       -l syslog-local-user
              Selects  the local user of the syslog(2,3,5,3 Sys::Syslog)(8) facility. Values can be
              LOCAL0, LOCAL1, and so on, up to LOCAL7.  The default is LOCAL4.
              However,  this  option is only permitted on systems that support
              local users(1,5) with the syslog(2,3,5,3 Sys::Syslog)(8) facility.

       -f slapd-config-file
              Specifies  the  slapd(5,8)  configuration  file.   The   default   is

       -h URLlist
              slapd(5,8)  will  by  default  serve  ldap:///  (LDAP over TCP on all
              interfaces on default LDAP port).  That is, it will  bind(2,n,1 builtins)  using
              INADDR_ANY  and  port 389.  The -h option may be used to specify
              LDAP (and other scheme) URLs to serve.  For example, if(3,n) slapd(5,8) is
              given  -h "ldap:// ldaps:/// ldapi:///" , It will
              bind(2,n,1 builtins) for LDAP, for LDAP over TLS, and
              LDAP  over  IPC  (Unix domain sockets).  Host represents
              INADDR_ANY.  A space separated list of URLs  is  expected.   The
              URLs  should be of the LDAP, LDAPS, or LDAPI schemes, and gener-
              ally without a DN or other  optional  parameters  (excepting  as
              discussed below).  Support for the latter two schemes depends on
              selected configuration options.  Hosts may be specified by  name
              or  IPv4 and IPv6 address formats.  Ports, if(3,n) specified, must be
              numeric.  The default  ldap://  port  is  389  and  the  default
              ldaps://  port is 636.  The socket(2,7,n) permissions for LDAP over IPC
              are  indicated  by  "x-mod=-rwxrwxrwx",  "x-mod=0777"   or   "x-
              mod=777",  where  any  of  the  "rwx" can be "-" to suppress the
              related permission (note, however, that sockets only  honor  the
              "w"  permission),  while  any  of the "7" can be any legal octal
              digit, according to chmod(1,2)(1).   While  LDAP  over  IPC  requires
              write(1,2)  permissions  on  the  socket(2,7,n)  to allow any operation, the
              other listeners can take advantage of the "x-mod"  extension  to
              apply  rough  limitations  to  users(1,5), e.g. allow read(2,n,1 builtins) operations
              ("r", which applies to search  and  compare),  write(1,2)  operations
              ("w", which applies to add, delete, modify and modrdn), and exe-
              cute operations ("x", which means  bind(2,n,1 builtins)  is  required).   "User"
              permissions  apply to bound users(1,5), while "other" apply to anony-
              mous users.

       -r directory
              Specifies a chroot(1,2) "jail" directory.  slapd(5,8) will  chdir(2)  then
              chroot(1,2)(2)  to  this directory after opening listeners but before
              reading any configuration file(1,n) or initializing any backend.

       -u user
              slapd(5,8) will run slapd(5,8) with the specified user  name  or  id,  and
              that  user's  supplementary  group access(2,5) list as set(7,n,1 builtins) with init-
              groups(3).  The group ID is also changed  to  this  user's  gid,
              unless the -g option is used to override.

       -g group
              slapd(5,8) will run with the specified group name or id.

       Note  that  on some systems, running as a non-privileged user will pre-
       vent passwd(1,5) back-ends from accessing  the  encrypted  passwords.   Note
       also  that any shell back-ends will run as the specified non-privileged

       -t     slapd(5,8) will read(2,n,1 builtins) the configuration file(1,n) (the default if(3,n)  none  is
              given  with the -f switch(1,n)) and check its syntax, without opening
              any listener or database.

       -c cookie
              This option provides a cookie for the syncrepl replication  con-
              sumer.   The  cookie  is  a  comma  separated list of name=value
              pairs.  Currently supported syncrepl cookie fields are csn, sid,
              and rid.  csn is the commit sequence number received by a previ-
              ous synchronization and represents the  state  of  the  consumer
              replica  content  which  the syncrepl engine will synchronize to
              the current provider content.  sid is the identity of  the  per-
              scope  session  log  with  which the provider server can process
              this syncrepl request to reduce  synchronization  traffic.   rid
              identifies  a  replication thread within the consumer server and
              is used to find the syncrepl specification in(1,8) slapd.conf(5) hav-
              ing the matching replication identifier in(1,8) its definition.

       To  start slapd(5,8) and have it fork and detach from the terminal and start
       serving the LDAP databases defined in(1,8) the  default  config(1,5)  file(1,n),  just


       To  start slapd(5,8) with an alternate configuration file(1,n), and turn on volu-
       minous debugging which will be printed on standard error(8,n), type:

            LIBEXECDIR/slapd(5,8) -f /var/tmp/slapd.conf -d 255

       To test whether the configuration file(1,n) is correct or not, type:

            LIBEXECDIR/slapd(5,8) -t

       ldap(3,5,n)(3),  slapd.conf(5),   slapd.access(5),   slapadd(8),   slapcat(8),
       slapindex(8), slappasswd(8), slurpd(8)

       "OpenLDAP Administrator's Guide" (


       OpenLDAP   is   developed   and  maintained  by  The  OpenLDAP  Project
       (  OpenLDAP is  derived  from  University  of
       Michigan LDAP 3.3 Release.

OpenLDAP LDVERSION                RELEASEDATE                        SLAPD(8C)

References for this manual (incoming links)