
openldap: upgrade to v2.6.3

Change-Id: I24c6e4e83efda86116245317464ef145e991d8ea
Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/16474
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Tapas Kundu <tkundu@vmware.com>

Shreenidhi Shedi authored on 2022/05/26 21:46:59
Showing 20 changed files
... ...
@@ -3,7 +3,7 @@
3 3
 Summary:    The Apache Portable Runtime Utility Library
4 4
 Name:       apr-util
5 5
 Version:    1.6.1
6
-Release:    9%{?dist}
6
+Release:    10%{?dist}
7 7
 License:    Apache License 2.0
8 8
 URL:        https://apr.apache.org
9 9
 Group:      System Environment/Libraries
... ...
@@ -18,7 +18,7 @@ BuildRequires:   sqlite-devel
18 18
 BuildRequires:   openssl-devel
19 19
 BuildRequires:   nss-devel
20 20
 BuildRequires:   expat-devel
21
-BuildRequires:   openldap
21
+BuildRequires:   openldap-devel
22 22
 BuildRequires:   postgresql15-devel
23 23
 
24 24
 Requires:   apr
... ...
@@ -126,6 +126,8 @@ rm -rf %{buildroot}
126 126
 %{_libdir}/%{name}-%{apuver}/apr_dbd_sqlite*
127 127
 
128 128
 %changelog
129
+* Wed Feb 08 2023 Shreenidhi Shedi <sshedi@vmware.com> 1.6.1-10
130
+- Bump version as a part of openldap upgrade
129 131
 * Fri Jan 20 2023 Shreenidhi Shedi <sshedi@vmware.com> 1.6.1-9
130 132
 - Remove pgsql-12 dependency
131 133
 * Wed Jan 11 2023 Oliver Kurth <okurth@vmware.com> 1.6.1-8
... ...
@@ -3,27 +3,27 @@
3 3
 Summary:        Kernel Audit Tool
4 4
 Name:           audit
5 5
 Version:        3.0.9
6
-Release:        5%{?dist}
6
+Release:        6%{?dist}
7 7
 License:        GPLv2+
8 8
 Group:          System Environment/Security
9 9
 URL:            http://people.redhat.com/sgrubb/audit
10 10
 Vendor:         VMware, Inc.
11 11
 Distribution:   Photon
12 12
 
13
-Source0:        http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
14
-%define sha512  %{name}=5219eb0b41746eca3406008a97731c0083e7be50ec88563a39537de22cb69fe88490f5fe5a11535930f360b11a62538e2ff6cbe39e059cd760038363954ef4d6
13
+Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
14
+%define sha512 %{name}=5219eb0b41746eca3406008a97731c0083e7be50ec88563a39537de22cb69fe88490f5fe5a11535930f360b11a62538e2ff6cbe39e059cd760038363954ef4d6
15 15
 
16 16
 # patches for audit workaround for linux-headers >= 5.17
17 17
 # https://github.com/linux-audit/audit-userspace/issues/252
18 18
 # https://github.com/linux-audit/audit-userspace/issues/236
19 19
 # https://listman.redhat.com/archives/linux-audit/2022-February/msg00085.html
20 20
 # patch source: https://src.fedoraproject.org/rpms/audit/blob/rawhide/f/audit-3.0.8-flex-array-workaround.patch
21
-Patch0:         audit-3.0.8-flex-array-workaround.patch
21
+Patch0: audit-3.0.8-flex-array-workaround.patch
22 22
 # patch source: https://src.fedoraproject.org/rpms/audit/blob/rawhide/f/audit-3.0.8-undo-flex-array.patch
23
-Patch1:         audit-3.0.8-undo-flex-array.patch
23
+Patch1: audit-3.0.8-undo-flex-array.patch
24 24
 
25 25
 BuildRequires:  krb5-devel
26
-BuildRequires:  openldap
26
+BuildRequires:  openldap-devel
27 27
 BuildRequires:  tcp_wrappers-devel
28 28
 BuildRequires:  libcap-ng-devel
29 29
 BuildRequires:  swig
... ...
@@ -55,20 +55,20 @@ Requires:       %{name} = %{version}-%{release}
55 55
 %description    devel
56 56
 The libraries and header files needed for audit development.
57 57
 
58
-%package  -n    python3-audit
58
+%package  -n    python3-%{name}
59 59
 Summary:        Python3 bindings for libaudit
60 60
 License:        LGPLv2+
61 61
 Requires:       %{name} = %{version}-%{release}
62 62
 Requires:       python3
63 63
 
64
-%description -n python3-audit
64
+%description -n python3-%{name}
65 65
 The python3-audit package contains the python2 bindings for libaudit
66 66
 and libauparse.
67 67
 
68 68
 %prep
69 69
 # Using autosetup is not feasible
70 70
 %setup -q
71
-cp /usr/include/linux/audit.h lib/
71
+cp %{_includedir}/linux/%{name}.h lib/
72 72
 %patch0 -p1
73 73
 
74 74
 %build
... ...
@@ -90,25 +90,27 @@ cp /usr/include/linux/audit.h lib/
90 90
 %make_build
91 91
 
92 92
 %install
93
-mkdir -p %{buildroot}/{etc/audispd/plugins.d,etc/audit/rules.d}
94
-mkdir -p %{buildroot}/%{_var}/opt/audit/log
95
-mkdir -p %{buildroot}/%{_var}/log
96
-mkdir -p %{buildroot}/%{_var}/spool/audit
97
-ln -sfv %{_var}/opt/audit/log %{buildroot}/%{_var}/log/audit
98
-%make_install
93
+mkdir -p %{buildroot}/{etc/audispd/plugins.d,etc/%{name}/rules.d} \
94
+         %{buildroot}/%{_var}/opt/%{name}/log \
95
+         %{buildroot}/%{_var}/log \
96
+         %{buildroot}/%{_var}/spool/%{name}
97
+ln -sfrv %{buildroot}%{_var}/opt/%{name}/log %{buildroot}%{_var}/log/%{name}
99 98
 
100
-install -vdm755 %{buildroot}%{_libdir}/systemd/system-preset
101
-echo "disable auditd.service" > %{buildroot}%{_libdir}/systemd/system-preset/50-auditd.preset
99
+%make_install %{?_smp_mflags}
100
+
101
+install -vdm755 %{buildroot}%{_presetdir}
102
+echo "disable auditd.service" > %{buildroot}%{_presetdir}/50-auditd.preset
102 103
 
103 104
 # undo the workaround
104
-cur=`pwd`
105
-cd %{buildroot}
105
+pushd %{buildroot}
106 106
 patch --fuzz=1 -p0 < %{PATCH1}
107 107
 find . -name '*.orig' -delete
108
-cd $cur
108
+popd
109 109
 
110
+%if 0%{?with_check}
110 111
 %check
111 112
 make %{?_smp_mflags} check
113
+%endif
112 114
 
113 115
 %post
114 116
 /sbin/ldconfig
... ...
@@ -132,23 +134,23 @@ make %{?_smp_mflags} check
132 132
 %{_mandir}/man5/*
133 133
 %{_mandir}/man7/*
134 134
 %{_mandir}/man8/*
135
-%dir %{_var}/opt/audit/log
136
-%{_var}/log/audit
137
-%{_var}/spool/audit
138
-%attr(750,root,root) %dir %{_sysconfdir}/audit
139
-%attr(750,root,root) %dir %{_sysconfdir}/audit/rules.d
135
+%dir %{_var}/opt/%{name}/log
136
+%{_var}/log/%{name}
137
+%{_var}/spool/%{name}
138
+%attr(750,root,root) %dir %{_sysconfdir}/%{name}
139
+%attr(750,root,root) %dir %{_sysconfdir}/%{name}/rules.d
140 140
 
141 141
 %attr(750,root,root) %dir %{_sysconfdir}/audispd
142 142
 %attr(750,root,root) %dir %{_sysconfdir}/audispd/plugins.d
143
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/auditd.conf
144
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audisp-remote.conf
145
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/zos-remote.conf
146
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/*.conf
147
-%ghost %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/rules.d/audit.rules
148
-%ghost %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audit.rules
149
-%ghost %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audit-stop.rules
150
-%ghost %config(noreplace) %attr(640,root,root) %{_datadir}/audit/sample-rules/*.rules
151
-%ghost %config(noreplace) %attr(640,root,root) %{_datadir}/audit/sample-rules/README-rules
143
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/%{name}/auditd.conf
144
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/%{name}/audisp-remote.conf
145
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/%{name}/zos-remote.conf
146
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/%{name}/plugins.d/*.conf
147
+%ghost %config(noreplace) %attr(640,root,root) %{_sysconfdir}/%{name}/rules.d/%{name}.rules
148
+%ghost %config(noreplace) %attr(640,root,root) %{_sysconfdir}/%{name}/%{name}.rules
149
+%ghost %config(noreplace) %attr(640,root,root) %{_sysconfdir}/%{name}/%{name}-stop.rules
150
+%ghost %config(noreplace) %attr(640,root,root) %{_datadir}/%{name}/sample-rules/*.rules
151
+%ghost %config(noreplace) %attr(640,root,root) %{_datadir}/%{name}/sample-rules/README-rules
152 152
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/libaudit.conf
153 153
 
154 154
 %files devel
... ...
@@ -160,13 +162,15 @@ make %{?_smp_mflags} check
160 160
 %endif
161 161
 %{_includedir}/*.h
162 162
 %{_mandir}/man3/*
163
-%{_datadir}/aclocal/audit.m4
163
+%{_datadir}/aclocal/%{name}.m4
164 164
 
165
-%files -n python3-audit
165
+%files -n python3-%{name}
166 166
 %defattr(-,root,root,-)
167 167
 %{python3_sitelib}/*
168 168
 
169 169
 %changelog
170
+* Wed Feb 08 2023 Shreenidhi Shedi <sshedi@vmware.com> 3.0.9-6
171
+- Bump version as a part of openldap upgrade
170 172
 * Thu Jan 26 2023 Ashwin Dayanand Kamat <kashwindayan@vmware.com> 3.0.9-5
171 173
 - Bump version as a part of krb5 upgrade
172 174
 * Thu Jan 12 2023 Him Kalyan Bordoloi <bordoloih@vmware.com> 3.0.9-4
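Review bot: In the %install hunk the rebuilt `mkdir -p` still hard-codes `etc/audispd/plugins.d` and `etc/%{name}/rules.d` under `%{buildroot}/`, while the same directories are declared through `%{_sysconfdir}` in %files (`%attr(750,root,root) %dir %{_sysconfdir}/%{name}/rules.d`), so the creation and the permission-bearing declaration can drift apart; `mkdir -p %{buildroot}{%{_sysconfdir}/audispd/plugins.d,%{_sysconfdir}/%{name}/rules.d} \` keeps them in step, using the same brace form the nss-pam-ldapd hunk already adopts. The new `%if 0%{?with_check}` guard around `%check` means `make check` is now skipped unless `with_check` is set at build time, and the changelog entry (`- Bump version as a part of openldap upgrade`) does not say so; the same gating is introduced in the elixir and nss-pam-ldapd specs in this commit. A changelog line such as `- Run %check only when with_check is set` would make it visible to anyone later auditing what a given build actually verified.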
... ...
@@ -3,7 +3,7 @@
3 3
 Name:            elixir
4 4
 Summary:         A modern approach to programming for the Erlang VM
5 5
 Version:         1.14.2
6
-Release:         1%{?dist}
6
+Release:         2%{?dist}
7 7
 License:         ASL 2.0
8 8
 URL:             http://elixir-lang.org
9 9
 Vendor:          VMware, Inc.
... ...
@@ -16,7 +16,6 @@ Source0: https://github.com/elixir-lang/%{name}/archive/v%{version}/%{name}-%{ve
16 16
 BuildRequires:   git
17 17
 BuildRequires:   sed
18 18
 BuildRequires:   erlang
19
-BuildRequires:   openldap
20 19
 
21 20
 Requires:        erlang
22 21
 
... ...
@@ -34,20 +33,23 @@ fault-tolerant, non-stop applications with hot code swapping.
34 34
 export LANG="en_US.UTF-8"
35 35
 make compile %{?_smp_mflags}
36 36
 
37
-%check
38
-export LANG="en_US.UTF-8"
39
-make test %{?_smp_mflags}
40
-
41 37
 %install
42 38
 mkdir -p %{buildroot}%{_datadir}/%{name}/%{version}
43
-cp -ra bin lib %{buildroot}%{_datadir}/%{name}/%{version}
39
+cp -pra bin lib %{buildroot}%{_datadir}/%{name}/%{version}
44 40
 
45 41
 mkdir -p %{buildroot}%{_bindir}
46
-ln -s %{_datadir}/%{name}/%{version}/bin/{elixir,elixirc,iex,mix} %{buildroot}%{_bindir}/
42
+# don't create relative symlinks, this must be absolute symlink
43
+# or else some builds fail with weird errors (rabbimq for example)
44
+ln -sfv %{_datadir}/%{name}/%{version}/bin/{elixir,elixirc,iex,mix} %{buildroot}%{_bindir}
45
+
46
+%if 0%{?with_check}
47
+%check
48
+export LANG="en_US.UTF-8"
49
+make test %{?_smp_mflags}
50
+%endif
47 51
 
48 52
 %files
49 53
 %defattr(-,root,root)
50
-%license LICENSE
51 54
 %{_bindir}/elixir
52 55
 %{_bindir}/elixirc
53 56
 %{_bindir}/iex
... ...
@@ -55,6 +57,8 @@ ln -s %{_datadir}/%{name}/%{version}/bin/{elixir,elixirc,iex,mix} %{buildroot}%{
55 55
 %{_datadir}/%{name}
56 56
 
57 57
 %changelog
58
+* Wed Feb 08 2023 Shreenidhi Shedi <sshedi@vmware.com> 1.14.2-2
59
+- Bump version as a part of openldap upgrade
58 60
 * Tue Dec 13 2022 Gerrit Photon <photon-checkins@vmware.com> 1.14.2-1
59 61
 - Automatic Version Bump
60 62
 * Fri Oct 28 2022 Gerrit Photon <photon-checkins@vmware.com> 1.14.1-1
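Review bot: The %files hunk drops `%license LICENSE` with no replacement, so the installed package no longer carries its license text; the same happens in gssntlmssp (`-%doc COPYING`) and in nss-pam-ldapd, whose rebuilt `%files` omits the former `%doc AUTHORS ChangeLog COPYING HACKING NEWS README TODO` line entirely. If these were removed because the tarballs do not ship the files, a changelog line saying so would help; otherwise the `%license` entries should stay, since the shipped license file is the usual evidence of the declared ASL 2.0 / LGPLv3+ / LGPLv2+ terms for anyone auditing installed packages. The comment added above `ln -sfv` explains the absolute-symlink choice well; `rabbimq` in it is presumably a typo for `rabbitmq`.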
... ...
@@ -1,7 +1,7 @@
1 1
 Summary:        GSSAPI NTLMSSP Mechanism
2 2
 Name:           gssntlmssp
3 3
 Version:        1.1.0
4
-Release:        6%{?dist}
4
+Release:        7%{?dist}
5 5
 Vendor:         VMware, Inc.
6 6
 Distribution:   Photon
7 7
 License:        LGPLv3+
... ...
@@ -30,16 +30,16 @@ BuildRequires: docbook-xsl
30 30
 BuildRequires: doxygen
31 31
 BuildRequires: gettext
32 32
 BuildRequires: pkg-config
33
-BuildRequires: krb5-devel >= 1.11.2
33
+BuildRequires: krb5-devel
34 34
 BuildRequires: libunistring-devel
35 35
 BuildRequires: openssl-devel
36
-BuildRequires: gnutls-devel >= 3.4.7
36
+BuildRequires: gnutls-devel
37 37
 BuildRequires: libtasn1-devel
38 38
 BuildRequires: libtirpc-devel
39
-BuildRequires: openldap
39
+BuildRequires: openldap-devel
40 40
 BuildRequires: Linux-PAM-devel
41 41
 BuildRequires: jansson-devel
42
-BuildRequires: gnutls-devel >= 3.4.7
42
+BuildRequires: gnutls-devel
43 43
 BuildRequires: samba-client-libs
44 44
 BuildRequires: libwbclient
45 45
 BuildRequires: libwbclient-devel
... ...
@@ -88,13 +88,14 @@ rm -rf %{buildroot}/*
88 88
 %defattr(-,root,root)
89 89
 %config(noreplace) %{_sysconfdir}/gss/mech.d/ntlmssp.conf
90 90
 %{_libdir}/%{name}/%{name}.so
91
-%doc COPYING
92 91
 
93 92
 %files devel
94 93
 %defattr(-,root,root)
95 94
 %{_includedir}/gssapi/gssapi_ntlmssp.h
96 95
 
97 96
 %changelog
97
+* Wed Feb 08 2023 Shreenidhi Shedi <sshedi@vmware.com> 1.1.0-7
98
+- Bump version as a part of openldap upgrade
98 99
 * Thu Jan 26 2023 Ashwin Dayanand Kamat <kashwindayan@vmware.com> 1.1.0-6
99 100
 - Bump version as a part of krb5 upgrade
100 101
 * Sat Jan 14 2023 Ashwin Dayanand Kamat <kashwindayan@vmware.com> 1.1.0-5
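Review bot: After this hunk `BuildRequires: gnutls-devel` appears twice (the two lines that replace `gnutls-devel >= 3.4.7`); the duplicate pre-dates the change, but now that both lines are byte-identical one of them should be dropped, e.g. delete the second `BuildRequires: gnutls-devel`. Removing the `>= 1.11.2` floor on krb5-devel and the `>= 3.4.7` floor on gnutls-devel is harmless only if Photon never carries older builds of those packages; if that is guaranteed distro-wide, fine, otherwise the floors were documenting a real requirement of the NTLMSSP mechanism and should be kept or at least recorded in the changelog rather than silently lost.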
... ...
@@ -1,28 +1,26 @@
1 1
 Summary:        The Apache HTTP Server
2 2
 Name:           httpd
3 3
 Version:        2.4.55
4
-Release:        1%{?dist}
4
+Release:        2%{?dist}
5 5
 License:        Apache License 2.0
6 6
 URL:            http://httpd.apache.org
7 7
 Group:          Applications/System
8 8
 Vendor:         VMware, Inc.
9 9
 Distribution:   Photon
10 10
 
11
-Source0:        https://dlcdn.apache.org/%{name}/%{name}-%{version}.tar.bz2
12
-%define sha512  %{name}=94982f7a1fedac8961fc17b5a22cf763ac28cb27ee6facab2e6a15b249b927773667493fd3f7354fb13fcb34a6f1afc1bdd5cf4b7be030cba1dfb523e40d43fb
11
+Source0: https://dlcdn.apache.org/%{name}/%{name}-%{version}.tar.bz2
12
+%define sha512 %{name}=94982f7a1fedac8961fc17b5a22cf763ac28cb27ee6facab2e6a15b249b927773667493fd3f7354fb13fcb34a6f1afc1bdd5cf4b7be030cba1dfb523e40d43fb
13 13
 
14 14
 # Patch0 is taken from:
15 15
 # https://www.linuxfromscratch.org/patches/blfs/svn
16
-Patch0:         %{name}-%{version}-blfs_layout-1.patch
17
-Patch1:         %{name}-uncomment-ServerName.patch
16
+Patch0: %{name}-%{version}-blfs_layout-1.patch
17
+Patch1: %{name}-uncomment-ServerName.patch
18 18
 
19
-BuildRequires:  openssl >= 1.1.1
20
-BuildRequires:  openssl-devel >= 1.1.1
19
+BuildRequires:  openssl-devel
21 20
 BuildRequires:  pcre-devel
22 21
 BuildRequires:  apr
23
-BuildRequires:  apr-util
24 22
 BuildRequires:  apr-util-devel
25
-BuildRequires:  openldap
23
+BuildRequires:  openldap-devel
26 24
 BuildRequires:  expat-devel
27 25
 BuildRequires:  lua-devel
28 26
 BuildRequires:  nghttp2-devel
... ...
@@ -31,7 +29,7 @@ BuildRequires:  systemd-devel
31 31
 Requires:       nghttp2
32 32
 Requires:       pcre
33 33
 Requires:       apr-util
34
-Requires:       openssl >= 1.1.1
34
+Requires:       openssl
35 35
 Requires:       openldap
36 36
 Requires:       lua
37 37
 Requires(pre):  /usr/sbin/useradd /usr/sbin/groupadd
... ...
@@ -97,13 +95,13 @@ sh ./configure --host=%{_host} --build=%{_build} \
97 97
 
98 98
 $(dirname $(gcc -print-prog-name=cc1))/install-tools/mkheaders
99 99
 
100
-make %{?_smp_mflags}
100
+%make_build
101 101
 
102 102
 %install
103
-make DESTDIR=%{buildroot} install %{?_smp_mflags}
103
+%make_install %{?_smp_mflags}
104 104
 
105 105
 install -vdm755 %{buildroot}%{_unitdir}
106
-install -vdm755 %{buildroot}/etc/%{name}/logs
106
+install -vdm755 %{buildroot}%{_sysconfdir}/%{name}/logs
107 107
 
108 108
 cat << EOF >> %{buildroot}%{_unitdir}/%{name}.service
109 109
 [Unit]
... ...
@@ -124,8 +122,8 @@ EOF
124 124
 install -vdm755 %{buildroot}%{_presetdir}
125 125
 echo "disable %{name}.service" > %{buildroot}%{_presetdir}/50-%{name}.preset
126 126
 
127
-ln -sfv %{_sbindir}/%{name} %{buildroot}%{_sbindir}/apache2
128
-ln -sfv /etc/%{name}/conf/%{name}.conf %{buildroot}/etc/%{name}/%{name}.conf
127
+ln -sfrv %{buildroot}%{_sbindir}/%{name} %{buildroot}%{_sbindir}/apache2
128
+ln -sfrv %{buildroot}%{_sysconfdir}/%{name}/conf/%{name}.conf %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf
129 129
 
130 130
 mkdir -p %{buildroot}%{_tmpfilesdir}
131 131
 cat >> %{buildroot}%{_tmpfilesdir}/%{name}.conf << EOF
... ...
@@ -145,12 +143,12 @@ if [ $1 -eq 1 ]; then
145 145
         -s /bin/false -u 25 apache
146 146
   fi
147 147
 
148
-  if [ -h /etc/mime.types ]; then
149
-    mv /etc/mime.types /etc/mime.types.orig
148
+  if [ -h %{_sysconfdir}/mime.types ]; then
149
+    mv %{_sysconfdir}/mime.types %{_sysconfdir}/mime.types.orig
150 150
   fi
151 151
 fi
152 152
 
153
-ln -sf /etc/%{name}/conf/mime.types /etc/mime.types
153
+ln -sfr %{_sysconfdir}/%{name}/conf/mime.types %{_sysconfdir}/mime.types
154 154
 systemd-tmpfiles --create %{name}.conf
155 155
 %systemd_post %{name}.service
156 156
 
... ...
@@ -160,8 +158,8 @@ systemd-tmpfiles --create %{name}.conf
160 160
 %postun
161 161
 /sbin/ldconfig
162 162
 if [ $1 -eq 0 ]; then
163
-  if [ -f /etc/mime.types.orig ]; then
164
-    mv /etc/mime.types.orig /etc/mime.types
163
+  if [ -f %{_sysconfdir}/mime.types.orig ]; then
164
+    mv %{_sysconfdir}/mime.types.orig %{_sysconfdir}/mime.types
165 165
   fi
166 166
 fi
167 167
 %systemd_postun_with_restart %{name}.service
... ...
@@ -204,6 +202,8 @@ fi
204 204
 %{_bindir}/dbmmanage
205 205
 
206 206
 %changelog
207
+* Wed Feb 08 2023 Shreenidhi Shedi <sshedi@vmware.com> 2.4.55-2
208
+- Bump version as a part of openldap upgrade
207 209
 * Mon Jan 30 2023 Nitesh Kumar <kunitesh@vmware.com> 2.4.55-1
208 210
 - Upgrade to v2.4.55 to fix following CVE's:
209 211
 - CVE-2006-20001, CVE-2022-37436, and CVE-2022-36760
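Review bot: The first hunk drops the `>= 1.1.1` floor from `BuildRequires: openssl-devel` and the `Requires` hunk drops it from `Requires: openssl`, so nothing in the spec now prevents a rebuild against, or an install alongside, an OpenSSL older than 1.1.1; if Photon's openssl package is guaranteed to be newer this is cosmetic, otherwise `Requires: openssl >= 1.1.1` should stay, since the floor was presumably there because this httpd build relies on 1.1.1-era TLS behaviour. The `ln -sfr`/`ln -sfrv` rewrites look right: the relative targets resolve within `%{_sbindir}` and `%{_sysconfdir}/%{name}` respectively, and using `%{_sysconfdir}` consistently in %install, %post and %postun removes the earlier mix of `/etc` and macro paths.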
... ...
@@ -5,7 +5,7 @@ Documentation=man:nslcd(8) man:nslcd.conf(5)
5 5
 
6 6
 [Service]
7 7
 Type=forking
8
-PIDFile=/var/run/nslcd/nslcd.pid
8
+PIDFile=/run/nslcd/nslcd.pid
9 9
 ExecStart=/usr/sbin/nslcd
10 10
 RestartSec=10s
11 11
 Restart=on-failure
... ...
@@ -1,2 +1,2 @@
1
-# nslcd needs a directory in /var/run to store its pid file and socket
2
-d /var/run/nslcd 0775 nslcd root
1
+# nslcd needs a directory in /run to store its pid file and socket
2
+d /run/nslcd 0775 nslcd root
... ...
@@ -1,9 +1,8 @@
1
-%global nssdir %{_lib}
2
-%global pamdir %{_lib}/security
1
+%global pamdir %{_libdir}/security
3 2
 
4 3
 Name:           nss-pam-ldapd
5 4
 Version:        0.9.12
6
-Release:        2%{?dist}
5
+Release:        3%{?dist}
7 6
 Summary:        nsswitch module which uses directory servers
8 7
 License:        LGPLv2+
9 8
 URL:            https://github.com/arthurdejong/nss-pam-ldapd
... ...
@@ -11,16 +10,20 @@ Group:          System Environment/Security
11 11
 Vendor:         VMware, Inc.
12 12
 Distribution:   Photon
13 13
 
14
-Source0:        http://arthurdejong.org/nss-pam-ldapd/nss-pam-ldapd-%{version}.tar.gz
15
-%define sha512  %{name}=da154303ba2f86b8653d978acfbba4633d0190afd353b6a57386391078c531bf7b11195fbabbe53cf6f36545c6f1c71b9567fd042892a73251bf0016c5f018ee
14
+Source0: http://arthurdejong.org/nss-pam-ldapd/nss-pam-ldapd-%{version}.tar.gz
15
+%define sha512 %{name}=da154303ba2f86b8653d978acfbba4633d0190afd353b6a57386391078c531bf7b11195fbabbe53cf6f36545c6f1c71b9567fd042892a73251bf0016c5f018ee
16
+
16 17
 Source1:        nslcd.tmpfiles
17 18
 Source2:        nslcd.service
18 19
 
19
-BuildRequires:  openldap, krb5-devel
20
-BuildRequires:  autoconf, automake
20
+BuildRequires:  openldap-devel
21
+BuildRequires:  krb5-devel
22
+BuildRequires:  automake
23
+BuildRequires:  autoconf
21 24
 BuildRequires:  Linux-PAM-devel
22 25
 %{?systemd_requires}
23 26
 
27
+Requires:       systemd
24 28
 Requires:       openldap
25 29
 Requires:       krb5
26 30
 Requires:       Linux-PAM
... ...
@@ -32,47 +35,39 @@ nsswitch module.
32 32
 
33 33
 %prep
34 34
 %autosetup -p1
35
-autoreconf -f -i
36 35
 
37 36
 %build
38
-%configure --libdir=%{nssdir} \
37
+autoreconf -f -i
38
+%configure --libdir=%{_libdir} \
39 39
            --disable-utils \
40 40
            --with-pam-seclib-dir=%{pamdir}
41
-%make_build
42 41
 
43
-%check
44
-make check %{?_smp_mflags}
42
+%make_build
45 43
 
46 44
 %install
47
-rm -rf %{buildroot}
48
-make install DESTDIR=%{buildroot} %{?_smp_mflags}
49
-mkdir -p %{buildroot}/{%{_libdir},%{_unitdir}}
50
-install -p -m644 %{SOURCE2} %{buildroot}/%{_unitdir}/
45
+%make_install %{?_smp_mflags}
46
+mkdir -p %{buildroot}{%{_libdir},%{_unitdir}} \
47
+         %{buildroot}/run/nslcd \
48
+         %{buildroot}%{_tmpfilesdir}
49
+
50
+install -p -m644 %{SOURCE2} %{buildroot}%{_unitdir}/
51 51
 
52
-ln -s libnss_ldap.so.2 %{buildroot}/%{nssdir}/libnss_ldap.so
52
+ln -sfrv %{buildroot}%{_libdir}/libnss_ldap.so.2 %{buildroot}%{_libdir}/libnss_ldap.so
53 53
 
54 54
 sed -i -e 's,^uid.*,uid nslcd,g' -e 's,^gid.*,gid ldap,g' \
55
-        %{buildroot}/%{_sysconfdir}/nslcd.conf
55
+        %{buildroot}%{_sysconfdir}/nslcd.conf
56 56
 
57
-mkdir -p -m 0755 %{buildroot}/var/run/nslcd
58
-mkdir -p -m 0755 %{buildroot}/%{_tmpfilesdir}
59
-install -p -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/%{name}.conf
57
+install -p -m 0644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/%{name}.conf
60 58
 
61
-%files
62
-%defattr(-,root,root)
63
-%doc AUTHORS ChangeLog COPYING HACKING NEWS README TODO
64
-%{_sbindir}/*
65
-%{nssdir}/*.so*
66
-%{pamdir}/pam_ldap.so
67
-%attr(0600,root,root) %config(noreplace) /etc/nslcd.conf
68
-%attr(0644,root,root) %config(noreplace) %{_tmpfilesdir}/%{name}.conf
69
-%{_unitdir}/nslcd.service
70
-%attr(0775,nslcd,root) /var/run/nslcd
59
+%if 0%{?with_check}
60
+%check
61
+make check %{?_smp_mflags}
62
+%endif
71 63
 
72 64
 %pre
73
-%{_bindir}/getent group ldap >/dev/null || %{_sbindir}/groupadd -r ldap
74
-%{_bindir}/getent passwd nslcd >/dev/null || \
75
-  %{_sbindir}/useradd -r -g ldap -d / -s %{_sbindir}/nologin -c "nslcd ldap user" nslcd
65
+getent group ldap >/dev/null || groupadd -r ldap
66
+getent passwd nslcd >/dev/null || \
67
+  useradd -r -g ldap -d / -s %{_sbindir}/nologin -c "nslcd ldap user" nslcd
76 68
 
77 69
 %post
78 70
 /sbin/ldconfig
... ...
@@ -84,15 +79,23 @@ install -p -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/%{name}.conf
84 84
 %postun
85 85
 /sbin/ldconfig
86 86
 %systemd_postun_with_restart nslcd.service
87
-if [ $1 -eq 0 ]; then
88
-  %{_bindir}/getent passwd nslcd > /dev/null && %{_sbindir}/userdel -f nslcd
89
-  %{_bindir}/getent group ldap > /dev/null && %{_sbindir}/groupdel -f ldap
90
-fi
91 87
 
92 88
 %clean
93 89
 rm -rf %{buildroot}/*
94 90
 
91
+%files
92
+%defattr(-,root,root)
93
+%{_sbindir}/*
94
+%{_libdir}/*.so*
95
+%{pamdir}/pam_ldap.so
96
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/nslcd.conf
97
+%attr(0644,root,root) %config(noreplace) %{_tmpfilesdir}/%{name}.conf
98
+%{_unitdir}/nslcd.service
99
+%attr(0775,nslcd,root) /run/nslcd
100
+
95 101
 %changelog
102
+* Wed Feb 08 2023 Shreenidhi Shedi <sshedi@vmware.com> 0.9.12-3
103
+- Bump version as a part of openldap upgrade
96 104
 * Thu Jan 26 2023 Ashwin Dayanand Kamat <kashwindayan@vmware.com> 0.9.12-2
97 105
 - Bump version as a part of krb5 upgrade
98 106
 * Mon May 30 2022 Gerrit Photon <photon-checkins@vmware.com> 0.9.12-1
99 107
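Review bot: The `%pre` hunk now calls `getent`, `groupadd` and `useradd` by bare name instead of `%{_bindir}`/`%{_sbindir}` paths, so the scriptlet depends on PATH and on the user-management tools being present before this package's files are laid down; unless a `Requires(pre):` on the package providing them already exists outside the hunk, adding one (`Requires(pre): shadow`, or whatever package provides useradd on Photon) keeps `%pre` from failing on a minimal root. Dropping the `%postun` block that ran `userdel -f nslcd`/`groupdel -f ldap` on uninstall is a reasonable change (files left behind keep a stable owner instead of a dangling uid), but it is not reflected in the changelog line `- Bump version as a part of openldap upgrade`. `%{buildroot}/run/nslcd` in %install and `%attr(0775,nslcd,root) /run/nslcd` in %files hard-code `/run` where `%{_rundir}` would match the macro style used elsewhere in the hunk, and packaging a directory under a tmpfs `/run` is redundant with the tmpfiles entry `d /run/nslcd 0775 nslcd root` that already creates it at boot; if the %files entry is kept, `%ghost %dir` would at least stop rpm verification from reporting it missing after a reboot.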
deleted file mode 100644
... ...
@@ -1,376 +0,0 @@
1
-Submitted by:            Bruce Dubbs <bdubbs at linuxfromscratch.org>
2
-Date:                    2012-03-26 
3
-Initial Package Version: 2.4.40
4
-Upstream Status:         BLFS Specific
5
-Origin:                  Armin K. <krejzi at email dot com> and Debian 
6
-Comment:                 Rediffed by Fernando de Oliveira <famobr at yahoo dot
7
-                         com dot br> for version 2.4.44 - 2016.02.06
8
-                         Rediffed by Pierre Labastie <pierre dot labastie at
9
-                         neuf dot fr> to add mdb backend and slapd.ldif. See
10
-                         ticket #7394 - 2016.02.24
11
-                         Rediffed by Douglas R. Reno <renodr at linuxfromscratch
12
-                         dot org> to function on 2.4.51. - 2020-08-13
13
-                         Fixed the rediff to use a .c file instead of a .s, fixing
14
-                         the test by Douglas R. Reno - 2020-08-13
15
-Description:             Consolidate earlier patches to:
16
- 1. Update various installation options, such as ldap database path, 
17
-    configuration file options, slapd install location, etc.
18
- 2. Remove reference to bdb module
19
- 3. Enables symbol versioning in ldap libraries. Without these changes
20
-    some applications might generate a warning about missing symbol versions.
21
-
22
-diff -Naurp openldap-2.4.51.orig/build/openldap.m4 openldap-2.4.51/build/openldap.m4
23
-+++ openldap-2.4.51/build/openldap.m4	2020-08-13 20:37:46.287773696 -0500
24
-@@ -1115,3 +1115,54 @@ AC_DEFUN([OL_SSL_COMPAT],
25
- #endif
26
- 	], [ol_cv_ssl_crl_compat=yes], [ol_cv_ssl_crl_compat=no])])
27
- ])
28
-+
29
-+dnl ====================================================================
30
-+dnl check for symbol versioning support
31
-+AC_DEFUN([OL_SYMBOL_VERSIONING],
32
-+[AC_CACHE_CHECK([for .symver assembler directive],
33
-+        [ol_cv_asm_symver_directive],[
34
-+cat > conftest.s <<EOF
35
-+${libc_cv_dot_text}
36
-+_sym:
37
-+.symver _sym,sym@VERS
38
-+EOF
39
-+if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
40
-+   ol_cv_asm_symver_directive=yes
41
-+else
42
-+   ol_cv_asm_symver_directive=no
43
-+fi
44
-+rm -f conftest*])
45
-+AC_CACHE_CHECK([for ld --version-script],
46
-+        [ol_cv_ld_version_script_option],[
47
-+if test $ol_cv_asm_symver_directive = yes; then
48
-+  cat > conftest.s <<EOF
49
-+${libc_cv_dot_text}
50
-+_sym:
51
-+.symver _sym,sym@VERS
52
-+EOF
53
-+  cat > conftest.map <<EOF
54
-+VERS_1 {
55
-+         global: sym;
56
-+};
57
-+
58
-+VERS_2 {
59
-+         global: sym;
60
-+} VERS_1;
61
-+EOF
62
-+   if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
63
-+      if AC_TRY_COMMAND([${CC-cc} $CFLAGS $LDFLAGS --shared
64
-+                                                   -o conftest.so conftest.o
65
-+                                                   -Wl,--version-script,conftest.map
66
-+                         1>&AS_MESSAGE_LOG_FD]);
67
-+      then
68
-+        ol_cv_ld_version_script_option=yes
69
-+      else
70
-+        ol_cv_ld_version_script_option=no
71
-+      fi
72
-+   else
73
-+      ol_cv_ld_version_script_option=no
74
-+   fi
75
-+else
76
-+   ol_cv_version_script_option=no
77
-+fi
78
-+rm -f conftest*])])
79
-diff -Naurp openldap-2.4.51.orig/build/top.mk openldap-2.4.51/build/top.mk
80
-+++ openldap-2.4.51/build/top.mk	2020-08-13 17:05:06.758224238 -0500
81
-@@ -104,6 +104,9 @@ LTFLAGS_MOD = $(@PLAT@_LTFLAGS_MOD)
82
- # LINK_LIBS referenced in library and module link commands.
83
- LINK_LIBS = $(MOD_LIBS) $(@PLAT@_LINK_LIBS)
84
- 
85
-+# option to pass to $(CC) to support library symbol versioning, if any
86
-+VERSION_OPTION = @VERSION_OPTION@
87
-+
88
- LTSTATIC = @LTSTATIC@
89
- 
90
- LTLINK   = $(LIBTOOL) --mode=link \
91
-@@ -113,7 +116,7 @@ LTCOMPILE_LIB = $(LIBTOOL) $(LTONLY_LIB)
92
- 	$(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(LIB_DEFS) -c
93
- 
94
- LTLINK_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=link \
95
--	$(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB)
96
-+	$(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) $(VERSION_FLAGS)
97
- 
98
- LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=compile \
99
- 	$(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c
100
-diff -Naurp openldap-2.4.51.orig/configure.in openldap-2.4.51/configure.in
101
-+++ openldap-2.4.51/configure.in	2020-08-13 17:06:23.965221512 -0500
102
-@@ -1921,6 +1921,13 @@ else
103
- fi
104
- AC_SUBST(LTSTATIC)dnl
105
- 
106
-+VERSION_OPTION=""
107
-+OL_SYMBOL_VERSIONING
108
-+if test $ol_cv_ld_version_script_option = yes; then
109
-+   VERSION_OPTION="-Wl,--version-script="
110
-+fi
111
-+AC_SUBST(VERSION_OPTION)
112
-+
113
- dnl ----------------------------------------------------------------
114
- if test $ol_enable_wrappers != no ; then
115
- 	AC_CHECK_HEADERS(tcpd.h,[
116
-diff -Naurp openldap-2.4.51.orig/doc/man/man5/slapd-bdb.5 openldap-2.4.51/doc/man/man5/slapd-bdb.5
117
-+++ openldap-2.4.51/doc/man/man5/slapd-bdb.5	2020-08-13 17:06:49.002220627 -0500
118
-@@ -135,7 +135,7 @@ Specify the directory where the BDB file
119
- associated indexes live.
120
- A separate directory must be specified for each database.
121
- The default is
122
--.BR LOCALSTATEDIR/openldap\-data .
123
-+.BR LOCALSTATEDIR/lib/openldap .
124
- .TP
125
- .B dirtyread
126
- Allow reads of modified but not yet committed data.
127
-diff -Naurp openldap-2.4.51.orig/doc/man/man5/slapd.conf.5 openldap-2.4.51/doc/man/man5/slapd.conf.5
128
-+++ openldap-2.4.51/doc/man/man5/slapd.conf.5	2020-08-13 17:08:39.869216713 -0500
129
-@@ -2037,7 +2037,7 @@ suffix    "dc=our\-domain,dc=com"
130
- # The database directory MUST exist prior to
131
- # running slapd AND should only be accessible
132
- # by the slapd/tools. Mode 0700 recommended.
133
--directory LOCALSTATEDIR/openldap\-data
134
-+directory LOCALSTATEDIR/lib/openldap
135
- # Indices to maintain
136
- index     objectClass  eq
137
- index     cn,sn,mail   pres,eq,approx,sub
138
-diff -Naurp openldap-2.4.51.orig/doc/man/man5/slapd-config.5 openldap-2.4.51/doc/man/man5/slapd-config.5
139
-+++ openldap-2.4.51/doc/man/man5/slapd-config.5	2020-08-13 17:07:57.079218224 -0500
140
-@@ -2067,7 +2067,7 @@ olcSuffix: "dc=our\-domain,dc=com"
141
- # The database directory MUST exist prior to
142
- # running slapd AND should only be accessible
143
- # by the slapd/tools. Mode 0700 recommended.
144
--olcDbDirectory: LOCALSTATEDIR/openldap\-data
145
-+olcDbDirectory: LOCALSTATEDIR/lib/openldap
146
- # Indices to maintain
147
- olcDbIndex:     objectClass  eq
148
- olcDbIndex:     cn,sn,mail   pres,eq,approx,sub
149
-diff -Naurp openldap-2.4.51.orig/include/ldap_defaults.h openldap-2.4.51/include/ldap_defaults.h
150
-+++ openldap-2.4.51/include/ldap_defaults.h	2020-08-13 17:10:11.297213484 -0500
151
-@@ -39,7 +39,7 @@
152
- #define LDAP_ENV_PREFIX "LDAP"
153
- 
154
- /* default ldapi:// socket */
155
--#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi"
156
-+#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "openldap" LDAP_DIRSEP "ldapi"
157
- 
158
- /*
159
-  * SLAPD DEFINITIONS
160
-@@ -47,7 +47,7 @@
161
- 	/* location of the default slapd config file */
162
- #define SLAPD_DEFAULT_CONFIGFILE	LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.conf"
163
- #define SLAPD_DEFAULT_CONFIGDIR		LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.d"
164
--#define SLAPD_DEFAULT_DB_DIR		LDAP_RUNDIR LDAP_DIRSEP "openldap-data"
165
-+#define SLAPD_DEFAULT_DB_DIR		LDAP_RUNDIR LDAP_DIRSEP "lib" LDAP_DIRSEP "openldap"
166
- #define SLAPD_DEFAULT_DB_MODE		0600
167
- #define SLAPD_DEFAULT_UCDATA		LDAP_DATADIR LDAP_DIRSEP "ucdata"
168
- 	/* default max deref depth for aliases */
169
-diff -Naurp openldap-2.4.51.orig/libraries/liblber/liblber.map openldap-2.4.51/libraries/liblber/liblber.map
170
-+++ openldap-2.4.51/libraries/liblber/liblber.map	2020-08-13 17:11:56.589209766 -0500
171
-@@ -0,0 +1,8 @@
172
-+OPENLDAP_2.4_2 {
173
-+   global:
174
-+      ber_*;
175
-+      der_alloc;
176
-+      lutil_*;
177
-+   local:
178
-+      *;
179
-+};
180
-diff -Naurp openldap-2.4.51.orig/libraries/liblber/Makefile.in openldap-2.4.51/libraries/liblber/Makefile.in
181
-+++ openldap-2.4.51/libraries/liblber/Makefile.in	2020-08-13 17:11:02.505211676 -0500
182
-@@ -38,6 +38,9 @@ XLIBS = $(LIBRARY) $(LDAP_LIBLUTIL_A)
183
- XXLIBS = 
184
- NT_LINK_LIBS = $(AC_LIBS)
185
- UNIX_LINK_LIBS = $(AC_LIBS)
186
-+ifneq (,$(VERSION_OPTION))
187
-+	VERSION_FLAGS = "$(VERSION_OPTION)$(srcdir)/liblber.map"
188
-+endif
189
- 
190
- dtest:    $(XLIBS) dtest.o
191
- 	$(LTLINK) -o $@ dtest.o $(LIBS)
192
-@@ -48,6 +51,6 @@ idtest:  $(XLIBS) idtest.o
193
- 
194
- install-local: FORCE
195
- 	-$(MKDIR) $(DESTDIR)$(libdir)
196
--	$(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir)
197
-+	$(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir)
198
- 	$(LTFINISH) $(DESTDIR)$(libdir)
199
- 
200
-diff -Naurp openldap-2.4.51.orig/libraries/libldap/libldap.map openldap-2.4.51/libraries/libldap/libldap.map
201
-+++ openldap-2.4.51/libraries/libldap/libldap.map	2020-08-13 17:13:03.469207405 -0500
202
-@@ -0,0 +1,7 @@
203
-+OPENLDAP_2.4_2 {
204
-+   global:
205
-+      ldap_*;
206
-+      ldif_*;
207
-+   local:
208
-+      *;
209
-+};
210
-diff -Naurp openldap-2.4.51.orig/libraries/libldap/Makefile.in openldap-2.4.51/libraries/libldap/Makefile.in
211
-+++ openldap-2.4.51/libraries/libldap/Makefile.in	2020-08-13 17:12:40.847208204 -0500
212
-@@ -52,6 +52,9 @@ XLIBS = $(LIBRARY) $(LDAP_LIBLBER_LA) $(
213
- XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS)
214
- NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
215
- UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
216
-+ifneq (,$(VERSION_OPTION))
217
-+	VERSION_FLAGS = $(VERSION_OPTION)$(srcdir)/libldap.map
218
-+endif
219
- 
220
- apitest:	$(XLIBS) apitest.o
221
- 	$(LTLINK) -o $@ apitest.o $(LIBS)
222
-@@ -68,7 +71,7 @@ CFFILES=ldap.conf
223
- 
224
- install-local: $(CFFILES) FORCE
225
- 	-$(MKDIR) $(DESTDIR)$(libdir)
226
--	$(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir)
227
-+	$(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir)
228
- 	$(LTFINISH) $(DESTDIR)$(libdir)
229
- 	-$(MKDIR) $(DESTDIR)$(sysconfdir)
230
- 	@for i in $(CFFILES); do \
231
-diff -Naurp openldap-2.4.51.orig/libraries/libldap_r/Makefile.in openldap-2.4.51/libraries/libldap_r/Makefile.in
232
-+++ openldap-2.4.51/libraries/libldap_r/Makefile.in	2020-08-13 17:14:46.760203758 -0500
233
-@@ -61,6 +61,9 @@ XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS)
234
- XXXLIBS = $(LTHREAD_LIBS)
235
- NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
236
- UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(LTHREAD_LIBS)
237
-+ifneq (,$(VERSION_OPTION))
238
-+	VERSION_FLAGS = "$(VERSION_OPTION)$(XXDIR)/libldap.map"
239
-+endif
240
- 
241
- .links : Makefile
242
- 	@for i in $(XXSRCS); do \
243
-@@ -83,6 +86,6 @@ ltest:	$(XLIBS) test.o
244
- 
245
- install-local: $(CFFILES) FORCE
246
- 	-$(MKDIR) $(DESTDIR)$(libdir)
247
--	$(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir)
248
-+	$(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir)
249
- 	$(LTFINISH) $(DESTDIR)$(libdir)
250
- 
251
-diff -Naurp openldap-2.4.51.orig/servers/slapd/Makefile.in openldap-2.4.51/servers/slapd/Makefile.in
252
-+++ openldap-2.4.51/servers/slapd/Makefile.in	2020-08-13 17:16:03.270201056 -0500
253
-@@ -376,10 +376,10 @@ install-local-srv: install-slapd install
254
- 	install-conf install-dbc-maybe install-schema install-tools
255
- 
256
- install-slapd: FORCE
257
--	-$(MKDIR) $(DESTDIR)$(libexecdir)
258
-+	-$(MKDIR) $(DESTDIR)$(sbindir)
259
- 	-$(MKDIR) $(DESTDIR)$(localstatedir)/run
260
- 	$(LTINSTALL) $(INSTALLFLAGS) $(STRIP) -m 755 \
261
--		slapd$(EXEEXT) $(DESTDIR)$(libexecdir)
262
-+		slapd$(EXEEXT) $(DESTDIR)$(sbindir)
263
- 	@for i in $(SUBDIRS); do \
264
- 	    if test -d $$i && test -f $$i/Makefile ; then \
265
- 		echo; echo "  cd $$i; $(MAKE) $(MFLAGS) install"; \
266
-@@ -445,9 +445,9 @@ install-conf: FORCE
267
- 
268
- install-db-config: FORCE
269
- 	@-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir)
270
--	@-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data
271
-+	@-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/lib/openldap
272
- 	$(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
273
--		$(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example
274
-+		$(DESTDIR)$(localstatedir)/lib/openldap/DB_CONFIG.example
275
- 	$(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
276
- 		$(DESTDIR)$(sysconfdir)/DB_CONFIG.example
277
- 
278
-@@ -455,6 +455,6 @@ install-tools: FORCE
279
- 	-$(MKDIR) $(DESTDIR)$(sbindir)
280
- 	for i in $(SLAPTOOLS); do \
281
- 		$(RM) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \
282
--		$(LN_S) -f $(DESTDIR)$(libexecdir)/slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \
283
-+		$(LN_S) -f $(DESTDIR)$(sbindir)/slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \
284
- 	done
285
- 
286
-diff -Naurp openldap-2.4.51.orig/servers/slapd/slapd.conf openldap-2.4.51/servers/slapd/slapd.conf
287
-+++ openldap-2.4.51/servers/slapd/slapd.conf	2020-08-13 17:17:01.239199009 -0500
288
-@@ -10,12 +10,12 @@ include		%SYSCONFDIR%/schema/core.schema
289
- # service AND an understanding of referrals.
290
- #referral	ldap://root.openldap.org
291
- 
292
--pidfile		%LOCALSTATEDIR%/run/slapd.pid
293
--argsfile	%LOCALSTATEDIR%/run/slapd.args
294
-+pidfile		%LOCALSTATEDIR%/run/openldap/slapd.pid
295
-+argsfile	%LOCALSTATEDIR%/run/openldap/slapd.args
296
- 
297
- # Load dynamic backend modules:
298
--# modulepath	%MODULEDIR%
299
--# moduleload	back_mdb.la
300
-+modulepath	%MODULEDIR%
301
-+moduleload	back_mdb.la
302
- # moduleload	back_ldap.la
303
- 
304
- # Sample security restrictions
305
-@@ -60,6 +60,6 @@ rootpw		secret
306
- # The database directory MUST exist prior to running slapd AND 
307
- # should only be accessible by the slapd and slap tools.
308
- # Mode 700 recommended.
309
--directory	%LOCALSTATEDIR%/openldap-data
310
-+directory	%LOCALSTATEDIR%/lib/openldap
311
- # Indices to maintain
312
- index	objectClass	eq
313
-diff -Naurp openldap-2.4.51.orig/servers/slapd/slapd.ldif openldap-2.4.51/servers/slapd/slapd.ldif
314
-+++ openldap-2.4.51/servers/slapd/slapd.ldif	2020-08-13 17:18:00.106196931 -0500
315
-@@ -9,8 +9,8 @@ cn: config
316
- #
317
- # Define global ACLs to disable default read access.
318
- #
319
--olcArgsFile: %LOCALSTATEDIR%/run/slapd.args
320
--olcPidFile: %LOCALSTATEDIR%/run/slapd.pid
321
-+olcArgsFile: %LOCALSTATEDIR%/run/openldap/slapd.args
322
-+olcPidFile: %LOCALSTATEDIR%/run/openldap/slapd.pid
323
- #
324
- # Do not enable referrals until AFTER you have a working directory
325
- # service AND an understanding of referrals.
326
-@@ -26,11 +26,11 @@ olcPidFile: %LOCALSTATEDIR%/run/slapd.pi
327
- #
328
- # Load dynamic backend modules:
329
- #
330
--#dn: cn=module,cn=config
331
--#objectClass: olcModuleList
332
--#cn: module
333
--#olcModulepath:	%MODULEDIR%
334
--#olcModuleload:	back_mdb.la
335
-+dn: cn=module,cn=config
336
-+objectClass: olcModuleList
337
-+cn: module
338
-+olcModulepath:	%MODULEDIR%
339
-+olcModuleload:	back_mdb.la
340
- #olcModuleload:	back_bdb.la
341
- #olcModuleload:	back_hdb.la
342
- #olcModuleload:	back_ldap.la
343
-@@ -91,6 +91,6 @@ olcRootPW: secret
344
- # The database directory MUST exist prior to running slapd AND 
345
- # should only be accessible by the slapd and slap tools.
346
- # Mode 700 recommended.
347
--olcDbDirectory:	%LOCALSTATEDIR%/openldap-data
348
-+olcDbDirectory:	%LOCALSTATEDIR%/lib/openldap
349
- # Indices to maintain
350
- olcDbIndex: objectClass eq
351
-diff -Naurp openldap-2.4.51.orig/servers/slapd/slapi/Makefile.in openldap-2.4.51/servers/slapd/slapi/Makefile.in
352
-+++ openldap-2.4.51/servers/slapd/slapi/Makefile.in	2020-08-13 17:18:16.643196347 -0500
353
-@@ -46,6 +46,6 @@ BUILD_MOD = @BUILD_SLAPI@
354
- install-local: FORCE
355
- 	if test "$(BUILD_MOD)" = "yes"; then \
356
- 		$(MKDIR) $(DESTDIR)$(libdir); \
357
--		$(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir); \
358
-+		$(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir); \
359
- 	fi
360
- 
361 1
new file mode 100644
... ...
@@ -0,0 +1,4640 @@
0
+diff -Naurp openldap-2.6.2.orig/doc/man/man5/slapd.conf.5 openldap-2.6.2/doc/man/man5/slapd.conf.5
1
+--- openldap-2.6.2.orig/doc/man/man5/slapd.conf.5	2022-05-04 16:55:23.000000000 +0200
2
+@@ -2122,7 +2122,7 @@ suffix    "dc=our\-domain,dc=com"
3
+ # The database directory MUST exist prior to
4
+ # running slapd AND should only be accessible
5
+ # by the slapd/tools. Mode 0700 recommended.
6
+-directory LOCALSTATEDIR/openldap\-data
7
++directory LOCALSTATEDIR/lib/openldap
8
+ # Indices to maintain
9
+ index     objectClass  eq
10
+ index     cn,sn,mail   pres,eq,approx,sub
11
+diff -Naurp openldap-2.6.2.orig/doc/man/man5/slapd.conf.5.orig openldap-2.6.2/doc/man/man5/slapd.conf.5.orig
12
+--- openldap-2.6.2.orig/doc/man/man5/slapd.conf.5.orig	1970-01-01 01:00:00.000000000 +0100
13
+@@ -0,0 +1,2167 @@
14
++.TH SLAPD.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION"
15
++.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved.
16
++.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
17
++.\" $OpenLDAP$
18
++.SH NAME
19
++slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
20
++.SH SYNOPSIS
21
++ETCDIR/slapd.conf
22
++.SH DESCRIPTION
23
++The file
24
++.B ETCDIR/slapd.conf
25
++contains configuration information for the
26
++.BR slapd (8)
27
++daemon.  This configuration file is also used by the SLAPD tools
28
++.BR slapacl (8),
29
++.BR slapadd (8),
30
++.BR slapauth (8),
31
++.BR slapcat (8),
32
++.BR slapdn (8),
33
++.BR slapindex (8),
34
++.BR slapmodify (8),
35
++and
36
++.BR slaptest (8).
37
++.LP
38
++The
39
++.B slapd.conf
40
++file consists of a series of global configuration options that apply to
41
++.B slapd
42
++as a whole (including all backends), followed by zero or more database
43
++backend definitions that contain information specific to a backend
44
++instance.
45
++The configuration options are case-insensitive;
46
++their value, on a case by case basis, may be case-sensitive.
47
++.LP
48
++The general format of
49
++.B slapd.conf
50
++is as follows:
51
++.LP
52
++.nf
53
++    # comment - these options apply to every database
54
++    <global configuration options>
55
++    # first database definition & configuration options
56
++    database <backend 1 type>
57
++    <configuration options specific to backend 1>
58
++    # subsequent database definitions & configuration options
59
++    ...
60
++.fi
61
++.LP
62
++As many backend-specific sections as desired may be included.  Global
63
++options can be overridden in a backend (for options that appear more
64
++than once, the last appearance in the
65
++.B slapd.conf
66
++file is used).
67
++.LP
68
++If a line begins with white space, it is considered a continuation
69
++of the previous line.  No physical line should be over 2000 bytes
70
++long.
71
++.LP
72
++Blank lines and comment lines beginning with
73
++a `#' character are ignored.  Note: continuation lines are unwrapped
74
++before comment processing is applied.
75
++.LP
76
++Arguments on configuration lines are separated by white space. If an
77
++argument contains white space, the argument should be enclosed in
78
++double quotes.  If an argument contains a double quote (`"') or a
79
++backslash character (`\\'), the character should be preceded by a
80
++backslash character.
81
++.LP
82
++The specific configuration options available are discussed below in the
83
++Global Configuration Options, General Backend Options, and General Database
84
++Options.  Backend-specific options are discussed in the
85
++.B slapd\-<backend>(5)
86
++manual pages.  Refer to the "OpenLDAP Administrator's Guide" for more
87
++details on the slapd configuration file.
88
++.SH GLOBAL CONFIGURATION OPTIONS
89
++Options described in this section apply to all backends, unless specifically 
90
++overridden in a backend definition. Arguments that should be replaced by 
91
++actual text are shown in brackets <>.
92
++.TP
93
++.B access to <what> "[ by <who> <access> <control> ]+"
94
++Grant access (specified by <access>) to a set of entries and/or
95
++attributes (specified by <what>) by one or more requestors (specified
96
++by <who>).
97
++If no access controls are present, the default policy
98
++allows anyone and everyone to read anything but restricts
99
++updates to rootdn.  (e.g., "access to * by * read").
100
++The rootdn can always read and write EVERYTHING!
101
++See
102
++.BR slapd.access (5)
103
++and the "OpenLDAP's Administrator's Guide" for details.
104
++.TP
105
++.B allow <features>
106
++Specify a set of features (separated by white space) to
107
++allow (default none).
108
++.B bind_v2
109
++allows acceptance of LDAPv2 bind requests.  Note that
110
++.BR slapd (8)
111
++does not truly implement LDAPv2 (RFC 1777), now Historic (RFC 3494).
112
++.B bind_anon_cred
113
++allows anonymous bind when credentials are not empty (e.g.
114
++when DN is empty).
115
++.B bind_anon_dn
116
++allows unauthenticated (anonymous) bind when DN is not empty.
117
++.B update_anon
118
++allows unauthenticated (anonymous) update operations to be processed
119
++(subject to access controls and other administrative limits).
120
++.B proxy_authz_anon
121
++allows unauthenticated (anonymous) proxy authorization control to be processed
122
++(subject to access controls, authorization and other administrative limits).
123
++.TP
124
++.B argsfile <filename>
125
++The (absolute) name of a file that will hold the 
126
++.B slapd
127
++server's command line (program name and options).
128
++.TP
129
++.B attributeoptions [option-name]...
130
++Define tagging attribute options or option tag/range prefixes.
131
++Options must not end with `\-', prefixes must end with `\-'.
132
++The `lang\-' prefix is predefined.
133
++If you use the
134
++.B attributeoptions
135
++directive, `lang\-' will no longer be defined and you must specify it
136
++explicitly if you want it defined.
137
++
138
++An attribute description with a tagging option is a subtype of that
139
++attribute description without the option.
140
++Except for that, options defined this way have no special semantics.
141
++Prefixes defined this way work like the `lang\-' options:
142
++They define a prefix for tagging options starting with the prefix.
143
++That is, if you define the prefix `x\-foo\-', you can use the option
144
++`x\-foo\-bar'.
145
++Furthermore, in a search or compare, a prefix or range name (with
146
++a trailing `\-') matches all options starting with that name, as well
147
++as the option with the range name sans the trailing `\-'.
148
++That is, `x\-foo\-bar\-' matches `x\-foo\-bar' and `x\-foo\-bar\-baz'.
149
++
150
++RFC 4520 reserves options beginning with `x\-' for private experiments.
151
++Other options should be registered with IANA, see RFC 4520 section 3.5.
152
++OpenLDAP also has the `binary' option built in, but this is a transfer
153
++option, not a tagging option.
154
++.HP
155
++.hy 0
156
++.B attributetype "(\ <oid>\
157
++ [NAME\ <name>]\
158
++ [DESC\ <description>]\
159
++ [OBSOLETE]\
160
++ [SUP\ <oid>]\
161
++ [EQUALITY\ <oid>]\
162
++ [ORDERING\ <oid>]\
163
++ [SUBSTR\ <oid>]\
164
++ [SYNTAX\ <oidlen>]\
165
++ [SINGLE\-VALUE]\
166
++ [COLLECTIVE]\
167
++ [NO\-USER\-MODIFICATION]\
168
++ [USAGE\ <attributeUsage>]\ )"
169
++.RS
170
++Specify an attribute type using the LDAPv3 syntax defined in RFC 4512.
171
++The slapd parser extends the RFC 4512 definition by allowing string
172
++forms as well as numeric OIDs to be used for the attribute OID and
173
++attribute syntax OID.
174
++(See the
175
++.B objectidentifier
176
++description.) 
177
++.RE
178
++.TP
179
++.B authid\-rewrite<cmd> <args>
180
++Used by the authentication framework to convert simple user names
181
++to an LDAP DN used for authorization purposes.
182
++Its purpose is analogous to that of
183
++.BR authz-regexp
184
++(see below).
185
++The prefix \fIauthid\-\fP is followed by a set of rules analogous
186
++to those described in
187
++.BR slapo\-rwm (5)
188
++for data rewriting (replace the \fIrwm\-\fP prefix with \fIauthid\-\fP).
189
++.B authid\-rewrite<cmd>
190
++and
191
++.B authz\-regexp
192
++rules should not be intermixed.
193
++.TP
194
++.B authz\-policy <policy>
195
++Used to specify which rules to use for Proxy Authorization.  Proxy
196
++authorization allows a client to authenticate to the server using one
197
++user's credentials, but specify a different identity to use for authorization
198
++and access control purposes. It essentially allows user A to login as user
199
++B, using user A's password.
200
++The
201
++.B none
202
++flag disables proxy authorization. This is the default setting.
203
++The
204
++.B from
205
++flag will use rules in the
206
++.I authzFrom
207
++attribute of the authorization DN.
208
++The
209
++.B to
210
++flag will use rules in the
211
++.I authzTo
212
++attribute of the authentication DN.
213
++The
214
++.B any
215
++flag, an alias for the deprecated value of
216
++.BR both ,
217
++will allow any of the above, whatever succeeds first (checked in
218
++.BR to ,
219
++.B from
220
++sequence.
221
++The
222
++.B all
223
++flag requires both authorizations to succeed.
224
++.LP
225
++.RS
226
++The rules are mechanisms to specify which identities are allowed 
227
++to perform proxy authorization.
228
++The
229
++.I authzFrom
230
++attribute in an entry specifies which other users
231
++are allowed to proxy login to this entry. The
232
++.I authzTo
233
++attribute in
234
++an entry specifies which other users this user can authorize as.  Use of
235
++.I authzTo
236
++rules can be easily
237
++abused if users are allowed to write arbitrary values to this attribute.
238
++In general the
239
++.I authzTo
240
++attribute must be protected with ACLs such that
241
++only privileged users can modify it.
242
++The value of
243
++.I authzFrom
244
++and
245
++.I authzTo
246
++describes an 
247
++.B identity 
248
++or a set of identities; it can take five forms:
249
++.RS
250
++.TP
251
++.B ldap:///<base>??[<scope>]?<filter>
252
++.RE
253
++.RS
254
++.B dn[.<dnstyle>]:<pattern>
255
++.RE
256
++.RS
257
++.B u[.<mech>[/<realm>]]:<pattern>
258
++.RE
259
++.RS
260
++.B group[/objectClass[/attributeType]]:<pattern>
261
++.RE
262
++.RS
263
++.B <pattern>
264
++.RE
265
++.RS
266
++
267
++.B <dnstyle>:={exact|onelevel|children|subtree|regex}
268
++
269
++.RE
270
++The first form is a valid LDAP
271
++.B URI
272
++where the 
273
++.IR <host>:<port> ,
274
++the
275
++.I <attrs>
276
++and the
277
++.I <extensions>
278
++portions must be absent, so that the search occurs locally on either
279
++.I authzFrom
280
++or 
281
++.IR authzTo .
282
++
283
++.LP
284
++The second form is a 
285
++.BR DN .
286
++The optional
287
++.B dnstyle
288
++modifiers
289
++.IR exact ,
290
++.IR onelevel ,
291
++.IR children ,
292
++and
293
++.I subtree
294
++provide exact, onelevel, children and subtree matches, which cause 
295
++.I <pattern>
296
++to be normalized according to the DN normalization rules.
297
++The special
298
++.B dnstyle
299
++modifier
300
++.I regex
301
++causes the
302
++.I <pattern>
303
++to be treated as a POSIX (''extended'') regular expression, as
304
++discussed in
305
++.BR regex (7)
306
++and/or
307
++.BR re_format (7).
308
++A pattern of
309
++.I *
310
++means any non-anonymous DN.
311
++
312
++.LP
313
++The third form is a SASL
314
++.BR id .
315
++The optional fields
316
++.I <mech>
317
++and
318
++.I <realm>
319
++allow specification of a SASL
320
++.BR mechanism ,
321
++and eventually a SASL
322
++.BR realm ,
323
++for those mechanisms that support one.
324
++The need to allow the specification of a mechanism is still debated, 
325
++and users are strongly discouraged to rely on this possibility.
326
++
327
++.LP
328
++The fourth form is a group specification.
329
++It consists of the keyword
330
++.BR group ,
331
++optionally followed by the specification of the group
332
++.B objectClass
333
++and
334
++.BR attributeType .
335
++The
336
++.B objectClass
337
++defaults to
338
++.IR groupOfNames .
339
++The
340
++.B attributeType
341
++defaults to
342
++.IR member .
343
++The group with DN
344
++.B <pattern>
345
++is searched with base scope, filtered on the specified
346
++.BR objectClass .
347
++The values of the resulting
348
++.B attributeType
349
++are searched for the asserted DN.
350
++
351
++.LP
352
++The fifth form is provided for backwards compatibility.  If no identity
353
++type is provided, i.e. only
354
++.B <pattern>
355
++is present, an
356
++.I exact DN
357
++is assumed; as a consequence, 
358
++.B <pattern>
359
++is subjected to DN normalization.
360
++
361
++.LP
362
++Since the interpretation of
363
++.I authzFrom
364
++and
365
++.I authzTo
366
++can impact security, users are strongly encouraged 
367
++to explicitly set the type of identity specification that is being used.
368
++A subset of these rules can be used as third arg in the 
369
++.B authz\-regexp
370
++statement (see below); significantly, the 
371
++.IR URI ,
372
++provided it results in exactly one entry,
373
++and the
374
++.I dn.exact:<dn> 
375
++forms.
376
++.RE
377
++.TP
378
++.B authz\-regexp <match> <replace>
379
++Used by the authentication framework to convert simple user names,
380
++such as provided by SASL subsystem, or extracted from certificates
381
++in case of cert-based SASL EXTERNAL, or provided within the RFC 4370
382
++"proxied authorization" control, to an LDAP DN used for
383
++authorization purposes.  Note that the resulting DN need not refer
384
++to an existing entry to be considered valid.  When an authorization
385
++request is received from the SASL subsystem, the SASL 
386
++.BR USERNAME ,
387
++.BR REALM , 
388
++and
389
++.B MECHANISM
390
++are taken, when available, and combined into a name of the form
391
++.RS
392
++.RS
393
++.TP
394
++.B UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth
395
++
396
++.RE
397
++This name is then compared against the
398
++.B match
399
++POSIX (''extended'') regular expression, and if the match is successful,
400
++the name is replaced with the
401
++.B replace
402
++string.  If there are wildcard strings in the 
403
++.B match
404
++regular expression that are enclosed in parenthesis, e.g. 
405
++.RS
406
++.TP
407
++.B UID=([^,]*),CN=.*
408
++
409
++.RE
410
++then the portion of the name that matched the wildcard will be stored
411
++in the numbered placeholder variable $1. If there are other wildcard strings
412
++in parenthesis, the matching strings will be in $2, $3, etc. up to $9. The 
413
++placeholders can then be used in the 
414
++.B replace
415
++string, e.g. 
416
++.RS
417
++.TP
418
++.B UID=$1,OU=Accounts,DC=example,DC=com 
419
++
420
++.RE
421
++The replaced name can be either a DN, i.e. a string prefixed by "dn:",
422
++or an LDAP URI.
423
++If the latter, the server will use the URI to search its own database(s)
424
++and, if the search returns exactly one entry, the name is
425
++replaced by the DN of that entry.   The LDAP URI must have no
426
++hostport, attrs, or extensions components, but the filter is mandatory,
427
++e.g.
428
++.RS
429
++.TP
430
++.B ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)
431
++
432
++.RE
433
++The protocol portion of the URI must be strictly
434
++.BR ldap .
435
++Note that this search is subject to access controls.  Specifically,
436
++the authentication identity must have "auth" access in the subject.
437
++
438
++Multiple 
439
++.B authz\-regexp 
440
++options can be given in the configuration file to allow for multiple matching 
441
++and replacement patterns. The matching patterns are checked in the order they 
442
++appear in the file, stopping at the first successful match.
443
++
444
++.\".B Caution:
445
++.\"Because the plus sign + is a character recognized by the regular expression engine,
446
++.\"and it will appear in names that include a REALM, be careful to escape the
447
++.\"plus sign with a backslash \\+ to remove the character's special meaning.
448
++.RE
449
++.TP
450
++.B concurrency <integer>
451
++Specify a desired level of concurrency.  Provided to the underlying
452
++thread system as a hint.  The default is not to provide any hint. This setting
453
++is only meaningful on some platforms where there is not a one to one
454
++correspondence between user threads and kernel threads.
455
++.TP
456
++.B conn_max_pending <integer>
457
++Specify the maximum number of pending requests for an anonymous session.
458
++If requests are submitted faster than the server can process them, they
459
++will be queued up to this limit. If the limit is exceeded, the session
460
++is closed. The default is 100.
461
++.TP
462
++.B conn_max_pending_auth <integer>
463
++Specify the maximum number of pending requests for an authenticated session.
464
++The default is 1000.
465
++.TP
466
++.B defaultsearchbase <dn>
467
++Specify a default search base to use when client submits a
468
++non-base search request with an empty base DN.
469
++Base scoped search requests with an empty base DN are not affected.
470
++.TP
471
++.B disallow <features>
472
++Specify a set of features (separated by white space) to
473
++disallow (default none).
474
++.B bind_anon
475
++disables acceptance of anonymous bind requests.  Note that this setting
476
++does not prohibit anonymous directory access (See "require authc").
477
++.B bind_simple
478
++disables simple (bind) authentication.
479
++.B tls_2_anon
480
++disables forcing session to anonymous status (see also
481
++.BR tls_authc )
482
++upon StartTLS operation receipt.
483
++.B tls_authc
484
++disallows the StartTLS operation if authenticated (see also
485
++.BR tls_2_anon ).
486
++.B proxy_authz_non_critical
487
++disables acceptance of the proxied authorization control (RFC4370)
488
++with criticality set to FALSE.
489
++.B dontusecopy_non_critical
490
++disables acceptance of the dontUseCopy control (a work in progress)
491
++with criticality set to FALSE.
492
++.HP
493
++.hy 0
494
++.B ditcontentrule "(\ <oid>\
495
++ [NAME\ <name>]\
496
++ [DESC\ <description>]\
497
++ [OBSOLETE]\
498
++ [AUX\ <oids>]\
499
++ [MUST\ <oids>]\
500
++ [MAY\ <oids>]\
501
++ [NOT\ <oids>]\ )"
502
++.RS
503
++Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 4512.
504
++The slapd parser extends the RFC 4512 definition by allowing string
505
++forms as well as numeric OIDs to be used for the attribute OID and
506
++attribute syntax OID.
507
++(See the
508
++.B objectidentifier
509
++description.) 
510
++.RE
511
++.TP
512
++.B gentlehup { on | off }
513
++A SIGHUP signal will only cause a 'gentle' shutdown-attempt:
514
++.B Slapd
515
++will stop listening for new connections, but will not close the
516
++connections to the current clients.  Future write operations return
517
++unwilling-to-perform, though.  Slapd terminates when all clients
518
++have closed their connections (if they ever do), or \- as before \-
519
++if it receives a SIGTERM signal.  This can be useful if you wish to
520
++terminate the server and start a new
521
++.B slapd
522
++server
523
++.B with another database,
524
++without disrupting the currently active clients.
525
++The default is off.  You may wish to use
526
++.B idletimeout
527
++along with this option.
528
++.TP
529
++.B idletimeout <integer>
530
++Specify the number of seconds to wait before forcibly closing
531
++an idle client connection.  A setting of 0 disables this
532
++feature.  The default is 0. You may also want to set the
533
++.B writetimeout
534
++option.
535
++.TP
536
++.B include <filename>
537
++Read additional configuration information from the given file before
538
++continuing with the next line of the current file.
539
++.TP
540
++.B index_hash64 { on | off }
541
++Use a 64 bit hash for indexing. The default is to use 32 bit hashes.
542
++These hashes are used for equality and substring indexing. The 64 bit
543
++version may be needed to avoid index collisions when the number of
544
++indexed values exceeds ~64 million. (Note that substring indexing
545
++generates multiple index values per actual attribute value.)
546
++Indices generated with 32 bit hashes are incompatible with the 64 bit
547
++version, and vice versa. Any existing databases must be fully reloaded
548
++when changing this setting. This directive is only supported on 64 bit CPUs.
549
++.TP
550
++.B index_intlen <integer>
551
++Specify the key length for ordered integer indices. The most significant
552
++bytes of the binary integer will be used for index keys. The default
553
++value is 4, which provides exact indexing for 31 bit values.
554
++A floating point representation is used to index too large values.
555
++.TP
556
++.B index_substr_if_maxlen <integer>
557
++Specify the maximum length for subinitial and subfinal indices. Only
558
++this many characters of an attribute value will be processed by the
559
++indexing functions; any excess characters are ignored. The default is 4.
560
++.TP
561
++.B index_substr_if_minlen <integer>
562
++Specify the minimum length for subinitial and subfinal indices. An
563
++attribute value must have at least this many characters in order to be
564
++processed by the indexing functions. The default is 2.
565
++.TP
566
++.B index_substr_any_len <integer>
567
++Specify the length used for subany indices. An attribute value must have
568
++at least this many characters in order to be processed. Attribute values
569
++longer than this length will be processed in segments of this length. The
570
++default is 4. The subany index will also be used in subinitial and
571
++subfinal index lookups when the filter string is longer than the
572
++.I index_substr_if_maxlen
573
++value.
574
++.TP
575
++.B index_substr_any_step <integer>
576
++Specify the steps used in subany index lookups. This value sets the offset
577
++for the segments of a filter string that are processed for a subany index
578
++lookup. The default is 2. For example, with the default values, a search
579
++using this filter "cn=*abcdefgh*" would generate index lookups for
580
++"abcd", "cdef", and "efgh".
581
++
582
++.LP
583
++Note: Indexing support depends on the particular backend in use. Also,
584
++changing these settings will generally require deleting any indices that
585
++depend on these parameters and recreating them with
586
++.BR slapindex (8).
587
++
588
++.HP
589
++.hy 0
590
++.B ldapsyntax "(\ <oid>\
591
++ [DESC\ <description>]\
592
++ [X\-SUBST <substitute-syntax>]\ )"
593
++.RS
594
++Specify an LDAP syntax using the LDAPv3 syntax defined in RFC 4512.
595
++The slapd parser extends the RFC 4512 definition by allowing string
596
++forms as well as numeric OIDs to be used for the syntax OID.
597
++(See the
598
++.B objectidentifier
599
++description.) 
600
++The slapd parser also honors the
601
++.B X\-SUBST
602
++extension (an OpenLDAP-specific extension), which allows one to use the
603
++.B ldapsyntax
604
++statement to define a non-implemented syntax along with another syntax,
605
++the extension value
606
++.IR substitute-syntax ,
607
++as its temporary replacement.
608
++The
609
++.I substitute-syntax
610
++must be defined.
611
++This allows one to define attribute types that make use of non-implemented syntaxes
612
++using the correct syntax OID.
613
++Unless 
614
++.B X\-SUBST
615
++is used, this configuration statement would result in an error,
616
++since no handlers would be associated to the resulting syntax structure.
617
++.RE
618
++
619
++.TP
620
++.B listener-threads <integer>
621
++Specify the number of threads to use for the connection manager.
622
++The default is 1 and this is typically adequate for up to 16 CPU cores.
623
++The value should be set to a power of 2.
624
++.TP
625
++.B localSSF <SSF>
626
++Specifies the Security Strength Factor (SSF) to be given local LDAP sessions,
627
++such as those to the ldapi:// listener.  For a description of SSF values,
628
++see 
629
++.BR sasl-secprops 's
630
++.B minssf
631
++option description.  The default is 71.
632
++.TP
633
++.B logfile <filename>
634
++Specify a file for recording slapd debug messages. By default these messages
635
++only go to stderr, are not recorded anywhere else, and are unrelated to
636
++messages exposed by the
637
++.B loglevel
638
++configuration parameter. Specifying a logfile copies messages to both stderr
639
++and the logfile.
640
++.TP
641
++.B logfile-format debug | syslog-utc | syslog-localtime
642
++Specify the prefix format for messages written to the logfile. The debug
643
++format is the normal format used for slapd debug messages, with a timestamp
644
++in hexadecimal, followed by a thread ID.  The other options are to
645
++use syslog(3) style prefixes, with timestamps either in UTC or in the
646
++local timezone. The default is debug format.
647
++.TP
648
++.B logfile-only on | off
649
++Specify that debug messages should only go to the configured logfile, and
650
++not to stderr.
651
++.TP
652
++.B logfile-rotate <max> <Mbytes> <hours>
653
++Specify automatic rotation for the configured logfile as the maximum
654
++number of old logfiles to retain, a maximum size in megabytes to allow a
655
++logfile to grow before rotation, and a maximum age in hours for a logfile
656
++to be used before rotation. The maximum number must be in the range 1-99.
657
++Setting Mbytes or hours to zero disables the size or age check, respectively.
658
++At least one of Mbytes or hours must be non-zero. By default no automatic
659
++rotation will be performed.
660
++.TP
661
++.B loglevel <integer> [...]
662
++Specify the level at which debugging statements and operation 
663
++statistics should be syslogged (currently logged to the
664
++.BR syslogd (8) 
665
++LOG_LOCAL4 facility).
666
++They must be considered subsystems rather than increasingly verbose 
667
++log levels.
668
++Some messages with higher priority are logged regardless 
669
++of the configured loglevel as soon as any logging is configured.
670
++Log levels are additive, and available levels are:
671
++.RS
672
++.RS
673
++.PD 0
674
++.TP
675
++.B 1
676
++.B (0x1 trace)
677
++trace function calls
678
++.TP
679
++.B 2
680
++.B (0x2 packets)
681
++debug packet handling
682
++.TP
683
++.B 4
684
++.B (0x4 args)
685
++heavy trace debugging (function args)
686
++.TP
687
++.B 8
688
++.B (0x8 conns)
689
++connection management
690
++.TP
691
++.B 16
692
++.B (0x10 BER)
693
++print out packets sent and received
694
++.TP
695
++.B 32
696
++.B (0x20 filter)
697
++search filter processing
698
++.TP
699
++.B 64
700
++.B (0x40 config)
701
++configuration file processing
702
++.TP
703
++.B 128
704
++.B (0x80 ACL)
705
++access control list processing
706
++.TP
707
++.B 256
708
++.B (0x100 stats)
709
++connections, LDAP operations, results (recommended)
710
++.TP
711
++.B 512
712
++.B (0x200 stats2)
713
++stats2 log entries sent
714
++.TP
715
++.B 1024
716
++.B (0x400 shell)
717
++print communication with shell backends
718
++.TP
719
++.B 2048
720
++.B (0x800 parse)
721
++entry parsing
722
++\".TP
723
++\".B 4096
724
++\".B (0x1000 cache)
725
++\"caching (unused)
726
++\".TP
727
++\".B 8192
728
++\".B (0x2000 index)
729
++\"data indexing (unused)
730
++.TP
731
++.B 16384
732
++.B (0x4000 sync)
733
++LDAPSync replication
734
++.TP
735
++.B 32768
736
++.B (0x8000 none)
737
++only messages that get logged whatever log level is set
738
++.PD
739
++.RE
740
++The desired log level can be input as a single integer that combines 
741
++the (ORed) desired levels, both in decimal or in hexadecimal notation,
742
++as a list of integers (that are ORed internally),
743
++or as a list of the names that are shown between parentheses, such that
744
++.LP
745
++.nf
746
++    loglevel 129
747
++    loglevel 0x81
748
++    loglevel 128 1
749
++    loglevel 0x80 0x1
750
++    loglevel acl trace
751
++.fi
752
++.LP
753
++are equivalent.
754
++The keyword 
755
++.B any
756
++can be used as a shortcut to enable logging at all levels (equivalent to \-1).
757
++The keyword
758
++.BR none ,
759
++or the equivalent integer representation, causes those messages
760
++that are logged regardless of the configured loglevel to be logged.
761
++In fact, if loglevel is set to 0, no logging occurs, 
762
++so at least the 
763
++.B none
764
++level is required to have high priority messages logged.
765
++
766
++Note that the
767
++.BR packets ,
768
++.BR BER ,
769
++and
770
++.B parse
771
++levels are only available as debug output on stderr, and are not
772
++sent to syslog.
773
++
774
++The loglevel defaults to \fBstats\fP.
775
++This level should usually also be included when using other loglevels, to
776
++help analyze the logs.
777
++.RE
778
++.TP
779
++.B maxfilterdepth <integer>
780
++Specify the maximum depth of nested filters in search requests.
781
++The default is 1000.
782
++.TP
783
++.B moduleload <filename> [<arguments>...]
784
++Specify the name of a dynamically loadable module to load and any
785
++additional arguments if supported by the module. The filename
786
++may be an absolute path name or a simple filename. Non-absolute names
787
++are searched for in the directories specified by the
788
++.B modulepath
789
++option. This option and the
790
++.B modulepath
791
++option are only usable if slapd was compiled with \-\-enable\-modules.
792
++.TP
793
++.B modulepath <pathspec>
794
++Specify a list of directories to search for loadable modules. Typically
795
++the path is colon-separated but this depends on the operating system.
796
++The default is MODULEDIR, which is where the standard OpenLDAP install
797
++will place its modules.
798
++.HP
799
++.hy 0
800
++.B objectclass "(\ <oid>\
801
++ [NAME\ <name>]\
802
++ [DESC\ <description>]\
803
++ [OBSOLETE]\
804
++ [SUP\ <oids>]\
805
++ [{ ABSTRACT | STRUCTURAL | AUXILIARY }]\
806
++ [MUST\ <oids>] [MAY\ <oids>] )"
807
++.RS
808
++Specify an objectclass using the LDAPv3 syntax defined in RFC 4512.
809
++The slapd parser extends the RFC 4512 definition by allowing string
810
++forms as well as numeric OIDs to be used for the object class OID.
811
++(See the
812
++.B
813
++objectidentifier
814
++description.)  Object classes are "STRUCTURAL" by default.
815
++.RE
816
++.TP
817
++.B objectidentifier <name> "{ <oid> | <name>[:<suffix>] }"
818
++Define a string name that equates to the given OID. The string can be used
819
++in place of the numeric OID in objectclass and attribute definitions. The
820
++name can also be used with a suffix of the form ":xx" in which case the
821
++value "oid.xx" will be used.
822
++.TP
823
++.B password\-hash <hash> [<hash>...]
824
++This option configures one or more hashes to be used in generation of user
825
++passwords stored in the userPassword attribute during processing of
826
++LDAP Password Modify Extended Operations (RFC 3062).
827
++The <hash> must be one of
828
++.BR {SSHA} ,
829
++.BR {SHA} ,
830
++.BR {SMD5} ,
831
++.BR {MD5} ,
832
++.BR {CRYPT} ,
833
++and
834
++.BR {CLEARTEXT} .
835
++The default is
836
++.BR {SSHA} .
837
++
838
++.B {SHA}
839
++and
840
++.B {SSHA}
841
++use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.
842
++
843
++.B {MD5}
844
++and
845
++.B {SMD5}
846
++use the MD5 algorithm (RFC 1321), the latter with a seed.
847
++
848
++.B {CRYPT}
849
++uses the
850
++.BR crypt (3).
851
++
852
++.B {CLEARTEXT}
853
++indicates that the new password should be
854
++added to userPassword as clear text.
855
++
856
++Note that this option does not alter the normal user applications
857
++handling of userPassword during LDAP Add, Modify, or other LDAP operations.
858
++.TP
859
++.B password\-crypt\-salt\-format <format>
860
++Specify the format of the salt passed to
861
++.BR crypt (3)
862
++when generating {CRYPT} passwords (see
863
++.BR password\-hash )
864
++during processing of LDAP Password Modify Extended Operations (RFC 3062).
865
++
866
++This string needs to be in
867
++.BR sprintf (3)
868
++format and may include one (and only one) %s conversion.
869
++This conversion will be substituted with a string of random
870
++characters from [A\-Za\-z0\-9./].  For example, "%.2s"
871
++provides a two character salt and "$1$%.8s" tells some
872
++versions of crypt(3) to use an MD5 algorithm and provides
873
++8 random characters of salt.  The default is "%s", which
874
++provides 31 characters of salt.
875
++.TP
876
++.B pidfile <filename>
877
++The (absolute) name of a file that will hold the 
878
++.B slapd
879
++server's process ID (see
880
++.BR getpid (2)).
881
++.TP
882
++.B pluginlog: <filename>
883
++The ( absolute ) name of a file that will contain log
884
++messages from
885
++.B SLAPI
886
++plugins. See
887
++.BR slapd.plugin (5)
888
++for details.
889
++.TP
890
++.B referral <url>
891
++Specify the referral to pass back when
892
++.BR slapd (8)
893
++cannot find a local database to handle a request.
894
++If specified multiple times, each url is provided.
895
++.TP
896
++.B require <conditions>
897
++Specify a set of conditions (separated by white space) to
898
++require (default none).
899
++The directive may be specified globally and/or per-database;
900
++databases inherit global conditions, so per-database specifications
901
++are additive.
902
++.B bind
903
++requires bind operation prior to directory operations.
904
++.B LDAPv3
905
++requires session to be using LDAP version 3.
906
++.B authc
907
++requires authentication prior to directory operations.
908
++.B SASL
909
++requires SASL authentication prior to directory operations.
910
++.B strong
911
++requires strong authentication prior to directory operations.
912
++The strong keyword allows protected "simple" authentication
913
++as well as SASL authentication.
914
++.B none
915
++may be used to require no conditions (useful to clear out globally
916
++set conditions within a particular database); it must occur first
917
++in the list of conditions.
918
++.TP
919
++.B reverse\-lookup on | off
920
++Enable/disable client name unverified reverse lookup (default is 
921
++.BR off 
922
++if compiled with \-\-enable\-rlookups).
923
++.TP
924
++.B rootDSE <file>
925
++Specify the name of an LDIF(5) file containing user defined attributes
926
++for the root DSE.  These attributes are returned in addition to the
927
++attributes normally produced by slapd.
928
++
929
++The root DSE is an entry with information about the server and its
930
++capabilities, in operational attributes.
931
++It has the empty DN, and can be read with e.g.:
932
++.ti +4
933
++ldapsearch \-x \-b "" \-s base "+"
934
++.br
935
++See RFC 4512 section 5.1 for details.
936
++.TP
937
++.B sasl\-auxprops <plugin> [...]
938
++Specify which auxprop plugins to use for authentication lookups. The
939
++default is empty, which just uses slapd's internal support. Usually
940
++no other auxprop plugins are needed.
941
++.TP
942
++.B sasl\-auxprops\-dontusecopy <attr> [...]
943
++Specify which attribute(s) should be subject to the don't use copy control. This
944
++is necessary for some SASL mechanisms such as OTP to work in a replicated
945
++environment. The attribute "cmusaslsecretOTP" is the default value.
946
++.TP
947
++.B sasl\-auxprops\-dontusecopy\-ignore on | off
948
++Used to disable replication of the attribute(s) defined by
949
++sasl-auxprops-dontusecopy and instead use a local value for the attribute. This
950
++allows the SASL mechanism to continue to work if the provider is offline. This can
951
++cause replication inconsistency. Defaults to off.
952
++.TP
953
++.B sasl\-host <fqdn>
954
++Used to specify the fully qualified domain name used for SASL processing.
955
++.TP
956
++.B sasl\-realm <realm>
957
++Specify SASL realm.  Default is empty.
958
++.TP
959
++.B sasl\-cbinding none | tls-unique | tls-endpoint
960
++Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING.
961
++Default is none.
962
++.TP
963
++.B sasl\-secprops <properties>
964
++Used to specify Cyrus SASL security properties.
965
++The
966
++.B none
967
++flag (without any other properties) causes the flag properties
968
++default, "noanonymous,noplain", to be cleared.
969
++The
970
++.B noplain
971
++flag disables mechanisms susceptible to simple passive attacks.
972
++The
973
++.B noactive
974
++flag disables mechanisms susceptible to active attacks.
975
++The
976
++.B nodict
977
++flag disables mechanisms susceptible to passive dictionary attacks.
978
++The
979
++.B noanonymous
980
++flag disables mechanisms which support anonymous login.
981
++The
982
++.B forwardsec
983
++flag require forward secrecy between sessions.
984
++The
985
++.B passcred
986
++require mechanisms which pass client credentials (and allow
987
++mechanisms which can pass credentials to do so).
988
++The
989
++.B minssf=<factor> 
990
++property specifies the minimum acceptable
991
++.I security strength factor
992
++as an integer approximate to effective key length used for
993
++encryption.  0 (zero) implies no protection, 1 implies integrity
994
++protection only, 128 allows RC4, Blowfish and other similar ciphers,
995
++256 will require modern ciphers.  The default is 0.
996
++The
997
++.B maxssf=<factor> 
998
++property specifies the maximum acceptable
999
++.I security strength factor
1000
++as an integer (see minssf description).  The default is INT_MAX.
1001
++The
1002
++.B maxbufsize=<size> 
1003
++property specifies the maximum security layer receive buffer
1004
++size allowed.  0 disables security layers.  The default is 65536.
1005
++.TP
1006
++.B schemadn <dn>
1007
++Specify the distinguished name for the subschema subentry that
1008
++controls the entries on this server.  The default is "cn=Subschema".
1009
++.TP
1010
++.B security <factors>
1011
++Specify a set of security strength factors (separated by white space)
1012
++to require (see
1013
++.BR sasl\-secprops 's
1014
++.B minssf
1015
++option for a description of security strength factors).
1016
++The directive may be specified globally and/or per-database.
1017
++.B ssf=<n>
1018
++specifies the overall security strength factor.
1019
++.B transport=<n>
1020
++specifies the transport security strength factor.
1021
++.B tls=<n>
1022
++specifies the TLS security strength factor.
1023
++.B sasl=<n>
1024
++specifies the SASL security strength factor.
1025
++.B update_ssf=<n>
1026
++specifies the overall security strength factor to require for
1027
++directory updates.
1028
++.B update_transport=<n>
1029
++specifies the transport security strength factor to require for
1030
++directory updates.
1031
++.B update_tls=<n>
1032
++specifies the TLS security strength factor to require for
1033
++directory updates.
1034
++.B update_sasl=<n>
1035
++specifies the SASL security strength factor to require for
1036
++directory updates.
1037
++.B simple_bind=<n>
1038
++specifies the security strength factor required for
1039
++.I simple
1040
++username/password authentication.
1041
++Note that the
1042
++.B transport
1043
++factor is measure of security provided by the underlying transport,
1044
++e.g. ldapi:// (and eventually IPSEC).  It is not normally used.
1045
++.TP
1046
++.B serverID <integer> [<URL>]
1047
++Specify an integer ID from 0 to 4095 for this server. The ID may also be
1048
++specified as a hexadecimal ID by prefixing the value with "0x".
1049
++Non-zero IDs are required when using multi-provider replication and each
1050
++provider must have a unique non-zero ID. Note that this requirement also
1051
++applies to separate providers contributing to a glued set of databases.
1052
++If the URL is provided, this directive may be specified
1053
++multiple times, providing a complete list of participating servers
1054
++and their IDs. The fully qualified hostname of each server should be
1055
++used in the supplied URLs. The IDs are used in the "replica id" field
1056
++of all CSNs generated by the specified server. The default value is zero, which
1057
++is only valid for single provider replication.
1058
++Example:
1059
++.LP
1060
++.nf
1061
++	serverID 1 ldap://ldap1.example.com
1062
++	serverID 2 ldap://ldap2.example.com
1063
++.fi
1064
++.TP
1065
++.B sizelimit {<integer>|unlimited}
1066
++.TP
1067
++.B sizelimit size[.{soft|hard}]=<integer> [...]
1068
++Specify the maximum number of entries to return from a search operation.
1069
++The default size limit is 500.
1070
++Use
1071
++.B unlimited
1072
++to specify no limits.
1073
++The second format allows a fine grain setting of the size limits.
1074
++If no special qualifiers are specified, both soft and hard limits are set.
1075
++Extra args can be added on the same line.
1076
++Additional qualifiers are available; see
1077
++.BR limits
1078
++for an explanation of all of the different flags.
1079
++.TP
1080
++.B sockbuf_max_incoming <integer>
1081
++Specify the maximum incoming LDAP PDU size for anonymous sessions.
1082
++The default is 262143.
1083
++.TP
1084
++.B sockbuf_max_incoming_auth <integer>
1085
++Specify the maximum incoming LDAP PDU size for authenticated sessions.
1086
++The default is 4194303.
1087
++.TP
1088
++.B sortvals <attr> [...]
1089
++Specify a list of multi-valued attributes whose values will always
1090
++be maintained in sorted order. Using this option will allow Modify,
1091
++Compare, and filter evaluations on these attributes to be performed
1092
++more efficiently. The resulting sort order depends on the
1093
++attributes' syntax and matching rules and may not correspond to
1094
++lexical order or any other recognizable order.
1095
++.TP
1096
++.B tcp-buffer [listener=<URL>] [{read|write}=]<size>
1097
++Specify the size of the TCP buffer.
1098
++A global value for both read and write TCP buffers related to any listener
1099
++is defined, unless the listener is explicitly specified,
1100
++or either the read or write qualifiers are used.
1101
++See
1102
++.BR tcp (7)
1103
++for details.
1104
++Note that some OS-es implement automatic TCP buffer tuning.
1105
++.TP
1106
++.B threads <integer>
1107
++Specify the maximum size of the primary thread pool.
1108
++The default is 16; the minimum value is 2.
1109
++.TP
1110
++.B threadqueues <integer>
1111
++Specify the number of work queues to use for the primary thread pool.
1112
++The default is 1 and this is typically adequate for up to 8 CPU cores.
1113
++The value should not exceed the number of CPUs in the system.
1114
++.TP
1115
++.B timelimit {<integer>|unlimited}
1116
++.TP
1117
++.B timelimit time[.{soft|hard}]=<integer> [...]
1118
++Specify the maximum number of seconds (in real time)
1119
++.B slapd
1120
++will spend answering a search request.  The default time limit is 3600.
1121
++Use
1122
++.B unlimited
1123
++to specify no limits.
1124
++The second format allows a fine grain setting of the time limits.
1125
++Extra args can be added on the same line.  See
1126
++.BR limits
1127
++for an explanation of the different flags.
1128
++.TP
1129
++.B tool\-threads <integer>
1130
++Specify the maximum number of threads to use in tool mode.
1131
++This should not be greater than the number of CPUs in the system.
1132
++The default is 1.
1133
++.TP
1134
++.B writetimeout <integer>
1135
++Specify the number of seconds to wait before forcibly closing
1136
++a connection with an outstanding write. This allows recovery from
1137
++various network hang conditions.  A writetimeout of 0 disables this
1138
++feature.  The default is 0.
1139
++.SH TLS OPTIONS
1140
++If
1141
++.B slapd
1142
++is built with support for Transport Layer Security, there are more options
1143
++you can specify.
1144
++.TP
1145
++.B TLSCipherSuite <cipher-suite-spec>
1146
++Permits configuring what ciphers will be accepted and the preference order.
1147
++<cipher-suite-spec> should be a cipher specification for the TLS library
1148
++in use (OpenSSL or GnuTLS).
1149
++Example:
1150
++.RS
1151
++.RS
1152
++.TP
1153
++.I OpenSSL:
1154
++TLSCipherSuite HIGH:MEDIUM:+SSLv2
1155
++.TP
1156
++.I GnuTLS:
1157
++TLSCiphersuite SECURE256:!AES-128-CBC
1158
++.RE
1159
++
1160
++To check what ciphers a given spec selects in OpenSSL, use:
1161
++
1162
++.nf
1163
++	openssl ciphers \-v <cipher-suite-spec>
1164
++.fi
1165
++
1166
++With GnuTLS the available specs can be found in the manual page of 
1167
++.BR gnutls\-cli (1)
1168
++(see the description of the 
1169
++option
1170
++.BR \-\-priority ).
1171
++
1172
++In older versions of GnuTLS, where gnutls\-cli does not support the option
1173
++\-\-priority, you can obtain the \(em more limited \(em list of ciphers by calling:
1174
++
1175
++.nf
1176
++	gnutls\-cli \-l
1177
++.fi
1178
++.RE
1179
++.TP
1180
++.B TLSCACertificateFile <filename>
1181
++Specifies the file that contains certificates for all of the Certificate
1182
++Authorities that
1183
++.B slapd
1184
++will recognize.  The certificate for
1185
++the CA that signed the server certificate must(GnuTLS)/may(OpenSSL) be included among
1186
++these certificates. If the signing CA was not a top-level (root) CA,
1187
++certificates for the entire sequence of CA's from the signing CA to
1188
++the top-level CA should be present. Multiple certificates are simply
1189
++appended to the file; the order is not significant.
1190
++.TP
1191
++.B TLSCACertificatePath <path>
1192
++Specifies the path of directories that contain Certificate Authority
1193
++certificates in separate individual files. Usually only one of this
1194
++or the TLSCACertificateFile is used. If both are specified, both
1195
++locations will be used. Multiple directories may be specified,
1196
++separated by a semi-colon.
1197
++.TP
1198
++.B TLSCertificateFile <filename>
1199
++Specifies the file that contains the
1200
++.B slapd
1201
++server certificate.
1202
++
1203
++When using OpenSSL that file may also contain any number of intermediate
1204
++certificates after the server certificate.
1205
++.TP
1206
++.B TLSCertificateKeyFile <filename>
1207
++Specifies the file that contains the
1208
++.B slapd
1209
++server private key that matches the certificate stored in the
1210
++.B TLSCertificateFile
1211
++file.  Currently, the private key must not be protected with a password, so
1212
++it is of critical importance that it is protected carefully. 
1213
++.TP
1214
++.B TLSDHParamFile <filename>
1215
++This directive specifies the file that contains parameters for Diffie-Hellman
1216
++ephemeral key exchange.  This is required in order to use a DSA certificate on
1217
++the server, or an RSA certificate missing the "key encipherment" key usage.
1218
++Note that setting this option may also enable
1219
++Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
1220
++Anonymous key exchanges should generally be avoided since they provide no
1221
++actual client or server authentication and provide no protection against
1222
++man-in-the-middle attacks.
1223
++You should append "!ADH" to your cipher suites to ensure that these suites
1224
++are not used.
1225
++.TP
1226
++.B TLSECName <name>
1227
++Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman
1228
++ephemeral key exchange.  This option is only used for OpenSSL.
1229
++This option is not used with GnuTLS; the curves may be
1230
++chosen in the GnuTLS ciphersuite specification.
1231
++.TP
1232
++.B TLSProtocolMin <major>[.<minor>]
1233
++Specifies minimum SSL/TLS protocol version that will be negotiated.
1234
++If the server doesn't support at least that version,
1235
++the SSL handshake will fail.
1236
++To require TLS 1.x or higher, set this option to 3.(x+1),
1237
++e.g.,
1238
++
1239
++.nf
1240
++	TLSProtocolMin 3.2
1241
++.fi
1242
++
1243
++would require TLS 1.1.
1244
++Specifying a minimum that is higher than that supported by the
1245
++OpenLDAP implementation will result in it requiring the
1246
++highest level that it does support.
1247
++This directive is ignored with GnuTLS.
1248
++.TP
1249
++.B TLSRandFile <filename>
1250
++Specifies the file to obtain random bits from when /dev/[u]random
1251
++is not available.  Generally set to the name of the EGD/PRNGD socket.
1252
++The environment variable RANDFILE can also be used to specify the filename.
1253
++This directive is ignored with GnuTLS.
1254
++.TP
1255
++.B TLSVerifyClient <level>
1256
++Specifies what checks to perform on client certificates in an
1257
++incoming TLS session, if any.
1258
++The
1259
++.B <level>
1260
++can be specified as one of the following keywords:
1261
++.RS
1262
++.TP
1263
++.B never
1264
++This is the default.
1265
++.B slapd
1266
++will not ask the client for a certificate.
1267
++.TP
1268
++.B allow
1269
++The client certificate is requested.  If no certificate is provided,
1270
++the session proceeds normally.  If a bad certificate is provided,
1271
++it will be ignored and the session proceeds normally.
1272
++.TP
1273
++.B try
1274
++The client certificate is requested.  If no certificate is provided,
1275
++the session proceeds normally.  If a bad certificate is provided,
1276
++the session is immediately terminated.
1277
++.TP
1278
++.B demand | hard | true
1279
++These keywords are all equivalent, for compatibility reasons.
1280
++The client certificate is requested.  If no certificate is provided,
1281
++or a bad certificate is provided, the session is immediately terminated.
1282
++
1283
++Note that a valid client certificate is required in order to use the
1284
++SASL EXTERNAL authentication mechanism with a TLS session.  As such,
1285
++a non-default
1286
++.B TLSVerifyClient
1287
++setting must be chosen to enable SASL EXTERNAL authentication.
1288
++.RE
1289
++.TP
1290
++.B TLSCRLCheck <level>
1291
++Specifies if the Certificate Revocation List (CRL) of the CA should be 
1292
++used to verify if the client certificates have not been revoked. This
1293
++requires
1294
++.B TLSCACertificatePath
1295
++parameter to be set. This directive is ignored with GnuTLS.
1296
++.B <level>
1297
++can be specified as one of the following keywords:
1298
++.RS
1299
++.TP
1300
++.B none
1301
++No CRL checks are performed
1302
++.TP
1303
++.B peer
1304
++Check the CRL of the peer certificate
1305
++.TP
1306
++.B all
1307
++Check the CRL for a whole certificate chain
1308
++.RE
1309
++.TP
1310
++.B TLSCRLFile <filename>
1311
++Specifies a file containing a Certificate Revocation List to be used
1312
++for verifying that certificates have not been revoked. This directive is
1313
++only valid when using GnuTLS.
1314
++.SH GENERAL BACKEND OPTIONS
1315
++Options in this section only apply to the configuration file section
1316
++of all instances of the specified backend.  All backends may support
1317
++this class of options, but currently only back-mdb does.
1318
++.TP
1319
++.B backend <databasetype>
1320
++Mark the beginning of a backend definition. <databasetype>
1321
++should be one of
1322
++.BR asyncmeta ,
1323
++.BR config ,
1324
++.BR dnssrv ,
1325
++.BR ldap ,
1326
++.BR ldif ,
1327
++.BR mdb ,
1328
++.BR meta ,
1329
++.BR monitor ,
1330
++.BR null ,
1331
++.BR passwd ,
1332
++.BR perl ,
1333
++.BR relay ,
1334
++.BR sock ,
1335
++.BR sql ,
1336
++or
1337
++.BR wt .
1338
++At present, only back-mdb implements any options of this type, so this
1339
++setting is not needed for any other backends.
1340
++
1341
++.SH GENERAL DATABASE OPTIONS
1342
++Options in this section only apply to the configuration file section
1343
++for the database in which they are defined.  They are supported by every
1344
++type of backend.  Note that the
1345
++.B database
1346
++and at least one
1347
++.B suffix
1348
++option are mandatory for each database.
1349
++.TP
1350
++.B database <databasetype>
1351
++Mark the beginning of a new database instance definition. <databasetype>
1352
++should be one of
1353
++.BR asyncmeta ,
1354
++.BR config ,
1355
++.BR dnssrv ,
1356
++.BR ldap ,
1357
++.BR ldif ,
1358
++.BR mdb ,
1359
++.BR meta ,
1360
++.BR monitor ,
1361
++.BR null ,
1362
++.BR passwd ,
1363
++.BR perl ,
1364
++.BR relay ,
1365
++.BR sock ,
1366
++.BR sql ,
1367
++or
1368
++.BR wt ,
1369
++depending on which backend will serve the database.
1370
++
1371
++LDAP operations, even subtree searches, normally access only one
1372
++database.
1373
++That can be changed by gluing databases together with the
1374
++.B subordinate
1375
++keyword.
1376
++Access controls and some overlays can also involve multiple databases.
1377
++.TP
1378
++.B add_content_acl on | off
1379
++Controls whether Add operations will perform ACL checks on
1380
++the content of the entry being added. This check is off
1381
++by default. See the
1382
++.BR slapd.access (5)
1383
++manual page for more details on ACL requirements for
1384
++Add operations.
1385
++.TP
1386
++.B extra_attrs <attrlist>
1387
++Lists what attributes need to be added to search requests.
1388
++Local storage backends return the entire entry to the frontend.
1389
++The frontend takes care of only returning the requested attributes
1390
++that are allowed by ACLs.
1391
++However, features like access checking and so may need specific
1392
++attributes that are not automatically returned by remote storage
1393
++backends, like proxy backends and so on.
1394
++.B <attrlist>
1395
++is a list of attributes that are needed for internal purposes
1396
++and thus always need to be collected, even when not explicitly
1397
++requested by clients.
1398
++.TP
1399
++.B hidden on | off
1400
++Controls whether the database will be used to answer
1401
++queries. A database that is hidden will never be
1402
++selected to answer any queries, and any suffix configured
1403
++on the database will be ignored in checks for conflicts
1404
++with other databases. By default, hidden is off.
1405
++.TP
1406
++.B lastmod on | off
1407
++Controls whether
1408
++.B slapd
1409
++will automatically maintain the 
1410
++modifiersName, modifyTimestamp, creatorsName, and 
1411
++createTimestamp attributes for entries. It also controls
1412
++the entryCSN and entryUUID attributes, which are needed
1413
++by the syncrepl provider. By default, lastmod is on.
1414
++.TP
1415
++.B lastbind on | off
1416
++Controls whether
1417
++.B slapd
1418
++will automatically maintain the pwdLastSuccess attribute for
1419
++entries. By default, lastbind is off.
1420
++.TP
1421
++.B lastbind-precision <integer>
1422
++If lastbind is enabled, specifies how frequently pwdLastSuccess
1423
++will be updated. More than
1424
++.B integer
1425
++seconds must have passed since the last successful bind. In a
1426
++replicated environment with frequent bind activity it may be
1427
++useful to set this to a large value.
1428
++.TP
1429
++.B limits <selector> <limit> [<limit> [...]]
1430
++Specify time and size limits based on the operation's initiator or
1431
++base DN.
1432
++The argument
1433
++.B <selector>
1434
++can be any of
1435
++.RS
1436
++.RS
1437
++.TP
1438
++anonymous | users | [<dnspec>=]<pattern> | group[/oc[/at]]=<pattern>
1439
++
1440
++.RE
1441
++with
1442
++.RS
1443
++.TP
1444
++<dnspec> ::= dn[.<type>][.<style>]
1445
++.TP
1446
++<type>  ::= self | this
1447
++.TP
1448
++<style> ::= exact | base | onelevel | subtree | children | regex | anonymous
1449
++
1450
++.RE
1451
++DN type
1452
++.B self
1453
++is the default and means the bound user, while
1454
++.B this
1455
++means the base DN of the operation.
1456
++The term
1457
++.B anonymous
1458
++matches all unauthenticated clients.
1459
++The term
1460
++.B users
1461
++matches all authenticated clients;
1462
++otherwise an
1463
++.B exact
1464
++dn pattern is assumed unless otherwise specified by qualifying 
1465
++the (optional) key string
1466
++.B dn
1467
++with 
1468
++.B exact
1469
++or
1470
++.B base
1471
++(which are synonyms), to require an exact match; with
1472
++.BR onelevel , 
1473
++to require exactly one level of depth match; with
1474
++.BR subtree ,
1475
++to allow any level of depth match, including the exact match; with
1476
++.BR children ,
1477
++to allow any level of depth match, not including the exact match;
1478
++.BR regex
1479
++explicitly requires the (default) match based on POSIX (''extended'')
1480
++regular expression pattern.
1481
++Finally,
1482
++.B anonymous
1483
++matches unbound operations; the 
1484
++.B pattern
1485
++field is ignored.
1486
++The same behavior is obtained by using the 
1487
++.B anonymous
1488
++form of the
1489
++.B <selector>
1490
++clause.
1491
++The term
1492
++.BR group ,
1493
++with the optional objectClass
1494
++.B oc
1495
++and attributeType
1496
++.B at
1497
++fields, followed by
1498
++.BR pattern ,
1499
++sets the limits for any DN listed in the values of the
1500
++.B at
1501
++attribute (default
1502
++.BR member )
1503
++of the 
1504
++.B oc
1505
++group objectClass (default
1506
++.BR groupOfNames )
1507
++whose DN exactly matches
1508
++.BR pattern .
1509
++
1510
++The currently supported limits are 
1511
++.B size
1512
++and 
1513
++.BR time .
1514
++
1515
++The syntax for time limits is 
1516
++.BR time[.{soft|hard}]=<integer> ,
1517
++where 
1518
++.I integer
1519
++is the number of seconds slapd will spend answering a search request.
1520
++If no time limit is explicitly requested by the client, the 
1521
++.BR soft
1522
++limit is used; if the requested time limit exceeds the
1523
++.BR hard
1524
++.\"limit, an
1525
++.\".I "Administrative limit exceeded"
1526
++.\"error is returned.
1527
++limit, the value of the limit is used instead.
1528
++If the
1529
++.BR hard
1530
++limit is set to the keyword 
1531
++.IR soft ,
1532
++the soft limit is used in either case; if it is set to the keyword 
1533
++.IR unlimited , 
1534
++no hard limit is enforced.
1535
++Explicit requests for time limits smaller or equal to the
1536
++.BR hard 
1537
++limit are honored.
1538
++If no limit specifier is set, the value is assigned to the 
1539
++.BR soft 
1540
++limit, and the
1541
++.BR hard
1542
++limit is set to
1543
++.IR soft ,
1544
++to preserve the original behavior.
1545
++
1546
++The syntax for size limits is
1547
++.BR size[.{soft|hard|unchecked}]=<integer> ,
1548
++where
1549
++.I integer
1550
++is the maximum number of entries slapd will return answering a search 
1551
++request.
1552
++If no size limit is explicitly requested by the client, the
1553
++.BR soft
1554
++limit is used; if the requested size limit exceeds the
1555
++.BR hard
1556
++.\"limit, an 
1557
++.\".I "Administrative limit exceeded"
1558
++.\"error is returned.
1559
++limit, the value of the limit is used instead.
1560
++If the 
1561
++.BR hard
1562
++limit is set to the keyword 
1563
++.IR soft , 
1564
++the soft limit is used in either case; if it is set to the keyword
1565
++.IR unlimited , 
1566
++no hard limit is enforced.
1567
++Explicit requests for size limits smaller or equal to the
1568
++.BR hard
1569
++limit are honored.
1570
++The
1571
++.BR unchecked
1572
++specifier sets a limit on the number of candidates a search request is allowed
1573
++to examine.
1574
++The rationale behind it is that searches for non-properly indexed
1575
++attributes may result in large sets of candidates, which must be 
1576
++examined by
1577
++.BR slapd (8)
1578
++to determine whether they match the search filter or not.
1579
++The
1580
++.B unchecked
1581
++limit provides a means to drop such operations before they are even 
1582
++started.
1583
++If the selected candidates exceed the 
1584
++.BR unchecked
1585
++limit, the search will abort with 
1586
++.IR "Unwilling to perform" .
1587
++If it is set to the keyword 
1588
++.IR unlimited , 
1589
++no limit is applied (the default).
1590
++If it is set to
1591
++.IR disabled ,
1592
++the search is not even performed; this can be used to disallow searches
1593
++for a specific set of users.
1594
++If no limit specifier is set, the value is assigned to the
1595
++.BR soft 
1596
++limit, and the
1597
++.BR hard
1598
++limit is set to
1599
++.IR soft ,
1600
++to preserve the original behavior.
1601
++
1602
++In case of no match, the global limits are used.
1603
++The default values are the same as for
1604
++.B sizelimit
1605
++and
1606
++.BR timelimit ;
1607
++no limit is set on 
1608
++.BR unchecked .
1609
++
1610
++If 
1611
++.B pagedResults
1612
++control is requested, the 
1613
++.B hard
1614
++size limit is used by default, because the request of a specific page size
1615
++is considered an explicit request for a limitation on the number
1616
++of entries to be returned.
1617
++However, the size limit applies to the total count of entries returned within
1618
++the search, and not to a single page.
1619
++Additional size limits may be enforced; the syntax is
1620
++.BR size.pr={<integer>|noEstimate|unlimited} ,
1621
++where
1622
++.I integer
1623
++is the max page size if no explicit limit is set; the keyword
1624
++.I noEstimate
1625
++inhibits the server from returning an estimate of the total number
1626
++of entries that might be returned
1627
++(note: the current implementation does not return any estimate).
1628
++The keyword
1629
++.I unlimited
1630
++indicates that no limit is applied to the pagedResults control page size.
1631
++The syntax
1632
++.B size.prtotal={<integer>|hard|unlimited|disabled}
1633
++allows one to set a limit on the total number of entries that the pagedResults
1634
++control will return.
1635
++By default it is set to the 
1636
++.B hard
1637
++limit which will use the size.hard value.
1638
++When set, 
1639
++.I integer
1640
++is the max number of entries that the whole search with pagedResults control
1641
++can return.
1642
++Use 
1643
++.I unlimited
1644
++to allow unlimited number of entries to be returned, e.g. to allow
1645
++the use of the pagedResults control as a means to circumvent size 
1646
++limitations on regular searches; the keyword
1647
++.I disabled
1648
++disables the control, i.e. no paged results can be returned.
1649
++Note that the total number of entries returned when the pagedResults control
1650
++is requested cannot exceed the 
1651
++.B hard 
1652
++size limit of regular searches unless extended by the
1653
++.B prtotal
1654
++switch.
1655
++
1656
++The \fBlimits\fP statement is typically used to let an unlimited
1657
++number of entries be returned by searches performed
1658
++with the identity used by the consumer for synchronization purposes
1659
++by means of the RFC 4533 LDAP Content Synchronization protocol
1660
++(see \fBsyncrepl\fP for details).
1661
++
1662
++When using subordinate databases, it is necessary for any limits that
1663
++are to be applied across the parent and its subordinates to be defined in
1664
++both the parent and its subordinates. Otherwise the settings on the
1665
++subordinate databases are not honored.
1666
++.RE
1667
++.TP
1668
++.B maxderefdepth <depth>
1669
++Specifies the maximum number of aliases to dereference when trying to
1670
++resolve an entry, used to avoid infinite alias loops. The default is 15.
1671
++.TP
1672
++.B multiprovider on | off
1673
++This option puts a consumer database into Multi-Provider mode.  Update
1674
++operations will be accepted from any user, not just the updatedn.  The
1675
++database must already be configured as a syncrepl consumer
1676
++before this keyword may be set. This mode also requires a
1677
++.B serverID
1678
++(see above) to be configured.
1679
++By default, multiprovider is off.
1680
++.TP
1681
++.B monitoring on | off
1682
++This option enables database-specific monitoring in the entry related
1683
++to the current database in the "cn=Databases,cn=Monitor" subtree 
1684
++of the monitor database, if the monitor database is enabled.
1685
++Currently, only the MDB database provides database-specific monitoring.
1686
++If monitoring is supported by the backend it defaults to on, otherwise
1687
++off.
1688
++.TP
1689
++.B overlay <overlay-name>
1690
++Add the specified overlay to this database. An overlay is a piece of
1691
++code that intercepts database operations in order to extend or change
1692
++them. Overlays are pushed onto
1693
++a stack over the database, and so they will execute in the reverse
1694
++of the order in which they were configured and the database itself
1695
++will receive control last of all. See the
1696
++.BR slapd.overlays (5)
1697
++manual page for an overview of the available overlays.
1698
++Note that all of the database's
1699
++regular settings should be configured before any overlay settings.
1700
++.TP
1701
++.B readonly on | off
1702
++This option puts the database into "read-only" mode.  Any attempts to 
1703
++modify the database will return an "unwilling to perform" error.  By
1704
++default, readonly is off.
1705
++.TP
1706
++.B restrict <oplist>
1707
++Specify a whitespace separated list of operations that are restricted.
1708
++If defined inside a database specification, restrictions apply only
1709
++to that database, otherwise they are global.
1710
++Operations can be any of 
1711
++.BR add ,
1712
++.BR bind ,
1713
++.BR compare ,
1714
++.BR delete ,
1715
++.BR extended[=<OID>] ,
1716
++.BR modify ,
1717
++.BR rename ,
1718
++.BR search ,
1719
++or the special pseudo-operations
1720
++.B read
1721
++and
1722
++.BR write ,
1723
++which respectively summarize read and write operations.
1724
++The use of 
1725
++.I restrict write
1726
++is equivalent to 
1727
++.I readonly on
1728
++(see above).
1729
++The 
1730
++.B extended
1731
++keyword allows one to indicate the OID of the specific operation
1732
++to be restricted.
1733
++.TP
1734
++.B rootdn <dn>
1735
++Specify the distinguished name that is not subject to access control 
1736
++or administrative limit restrictions for operations on this database.
1737
++This DN may or may not be associated with an entry.  An empty root
1738
++DN (the default) specifies no root access is to be granted.  It is
1739
++recommended that the rootdn only be specified when needed (such as
1740
++when initially populating a database).  If the rootdn is within
1741
++a namingContext (suffix) of the database, a simple bind password
1742
++may also be provided using the
1743
++.B rootpw
1744
++directive. Many optional features, including syncrepl, require the
1745
++rootdn to be defined for the database.
1746
++.TP
1747
++.B rootpw <password>
1748
++Specify a password (or hash of the password) for the rootdn.  The
1749
++password can only be set if the rootdn is within the namingContext
1750
++(suffix) of the database.
1751
++This option accepts all RFC 2307 userPassword formats known to
1752
++the server (see 
1753
++.B password\-hash
1754
++description) as well as cleartext.
1755
++.BR slappasswd (8) 
1756
++may be used to generate a hash of a password.  Cleartext
1757
++and \fB{CRYPT}\fP passwords are not recommended.  If empty
1758
++(the default), authentication of the root DN is by other means
1759
++(e.g. SASL).  Use of SASL is encouraged.
1760
++.TP
1761
++.B suffix <dn suffix>
1762
++Specify the DN suffix of queries that will be passed to this 
1763
++backend database.  Multiple suffix lines can be given and at least one is 
1764
++required for each database definition.
1765
++
1766
++If the suffix of one database is "inside" that of another, the database
1767
++with the inner suffix must come first in the configuration file.
1768
++You may also want to glue such databases together with the
1769
++.B subordinate
1770
++keyword.
1771
++.TP
1772
++.B subordinate [advertise]
1773
++Specify that the current backend database is a subordinate of another
1774
++backend database. A subordinate  database may have only one suffix. This
1775
++option may be used to glue multiple databases into a single namingContext.
1776
++If the suffix of the current database is within the namingContext of a
1777
++superior database, searches against the superior database will be
1778
++propagated to the subordinate as well. All of the databases
1779
++associated with a single namingContext should have identical rootdns.
1780
++Behavior of other LDAP operations is unaffected by this setting. In
1781
++particular, it is not possible to use moddn to move an entry from
1782
++one subordinate to another subordinate within the namingContext.
1783
++
1784
++If the optional \fBadvertise\fP flag is supplied, the naming context of
1785
++this database is advertised in the root DSE. The default is to hide this
1786
++database context, so that only the superior context is visible.
1787
++
1788
++If the slap tools
1789
++.BR slapcat (8),
1790
++.BR slapadd (8),
1791
++.BR slapmodify (8),
1792
++or
1793
++.BR slapindex (8)
1794
++are used on the superior database, any glued subordinates that support
1795
++these tools are opened as well.
1796
++
1797
++Databases that are glued together should usually be configured with the
1798
++same indices (assuming they support indexing), even for attributes that
1799
++only exist in some of these databases. In general, all of the glued
1800
++databases should be configured as similarly as possible, since the intent
1801
++is to provide the appearance of a single directory.
1802
++
1803
++Note that the \fIsubordinate\fP functionality is implemented internally
1804
++by the \fIglue\fP overlay and as such its behavior will interact with other
1805
++overlays in use. By default, the glue overlay is automatically configured as
1806
++the last overlay on the superior backend. Its position on the backend
1807
++can be explicitly configured by setting an \fBoverlay glue\fP directive
1808
++at the desired position. This explicit configuration is necessary e.g.
1809
++when using the \fIsyncprov\fP overlay, which needs to follow \fIglue\fP
1810
++in order to work over all of the glued databases. E.g.
1811
++.RS
1812
++.nf
1813
++	database mdb
1814
++	suffix dc=example,dc=com
1815
++	...
1816
++	overlay glue
1817
++	overlay syncprov
1818
++.fi
1819
++.RE
1820
++.TP
1821
++.B sync_use_subentry 
1822
++Store the syncrepl contextCSN in a subentry instead of the context entry
1823
++of the database. The subentry's RDN will be "cn=ldapsync". By default
1824
++the contextCSN is stored in the context entry.
1825
++.HP
1826
++.hy 0
1827
++.B syncrepl rid=<replica ID>
1828
++.B provider=ldap[s]://<hostname>[:port]
1829
++.B searchbase=<base DN>
1830
++.B [type=refreshOnly|refreshAndPersist]
1831
++.B [interval=dd:hh:mm:ss]
1832
++.B [retry=[<retry interval> <# of retries>]+]
1833
++.B [filter=<filter str>]
1834
++.B [scope=sub|one|base|subord]
1835
++.B [attrs=<attr list>]
1836
++.B [exattrs=<attr list>]
1837
++.B [attrsonly]
1838
++.B [sizelimit=<limit>]
1839
++.B [timelimit=<limit>]
1840
++.B [schemachecking=on|off]
1841
++.B [network\-timeout=<seconds>]
1842
++.B [timeout=<seconds>]
1843
++.B [tcp\-user\-timeout=<milliseconds>]
1844
++.B [bindmethod=simple|sasl]
1845
++.B [binddn=<dn>]
1846
++.B [saslmech=<mech>]
1847
++.B [authcid=<identity>]
1848
++.B [authzid=<identity>]
1849
++.B [credentials=<passwd>]
1850
++.B [realm=<realm>]
1851
++.B [secprops=<properties>]
1852
++.B [keepalive=<idle>:<probes>:<interval>]
1853
++.B [starttls=yes|critical]
1854
++.B [tls_cert=<file>]
1855
++.B [tls_key=<file>]
1856
++.B [tls_cacert=<file>]
1857
++.B [tls_cacertdir=<path>]
1858
++.B [tls_reqcert=never|allow|try|demand]
1859
++.B [tls_reqsan=never|allow|try|demand]
1860
++.B [tls_cipher_suite=<ciphers>]
1861
++.B [tls_ecname=<names>]
1862
++.B [tls_crlcheck=none|peer|all]
1863
++.B [tls_protocol_min=<major>[.<minor>]]
1864
++.B [suffixmassage=<real DN>]
1865
++.B [logbase=<base DN>]
1866
++.B [logfilter=<filter str>]
1867
++.B [syncdata=default|accesslog|changelog]
1868
++.B [lazycommit]
1869
++.RS
1870
++Specify the current database as a consumer which is kept up-to-date with the 
1871
++provider content by establishing the current
1872
++.BR slapd (8)
1873
++as a replication consumer site running a
1874
++.B syncrepl
1875
++replication engine.
1876
++The consumer content is kept synchronized to the provider content using
1877
++the LDAP Content Synchronization protocol. Refer to the
1878
++"OpenLDAP Administrator's Guide" for detailed information on
1879
++setting up a replicated
1880
++.B slapd
1881
++directory service using the 
1882
++.B syncrepl
1883
++replication engine.
1884
++
1885
++.B rid
1886
++identifies the current
1887
++.B syncrepl
1888
++directive within the replication consumer site.
1889
++It is a non-negative integer not greater than 999 (limited
1890
++to three decimal digits).
1891
++
1892
++.B provider
1893
++specifies the replication provider site containing the provider content
1894
++as an LDAP URI. If <port> is not given, the standard LDAP port number
1895
++(389 or 636) is used.
1896
++
1897
++The content of the
1898
++.B syncrepl
1899
++consumer is defined using a search
1900
++specification as its result set. The consumer
1901
++.B slapd
1902
++will send search requests to the provider
1903
++.B slapd
1904
++according to the search specification. The search specification includes
1905
++.BR searchbase ", " scope ", " filter ", " attrs ", " attrsonly ", " sizelimit ", "
1906
++and
1907
++.B timelimit
1908
++parameters as in the normal search specification. The
1909
++.B exattrs
1910
++option may also be used to specify attributes that should be omitted
1911
++from incoming entries.
1912
++The \fBscope\fP defaults to \fBsub\fP, the \fBfilter\fP defaults to
1913
++\fB(objectclass=*)\fP, and there is no default \fBsearchbase\fP. The
1914
++\fBattrs\fP list defaults to \fB"*,+"\fP to return all user and operational
1915
++attributes, and \fBattrsonly\fP and \fBexattrs\fP are unset by default.
1916
++The \fBsizelimit\fP and \fBtimelimit\fP only
1917
++accept "unlimited" and positive integers, and both default to "unlimited".
1918
++The \fBsizelimit\fP and \fBtimelimit\fP parameters define
1919
++a consumer requested limitation on the number of entries that can be returned
1920
++by the LDAP Content Synchronization operation; these should be left unchanged
1921
++from the default otherwise replication may never succeed.
1922
++Note, however, that any provider-side limits for the replication identity
1923
++will be enforced by the provider regardless of the limits requested
1924
++by the LDAP Content Synchronization operation, much like for any other
1925
++search operation.
1926
++
1927
++The LDAP Content Synchronization protocol has two operation types.
1928
++In the
1929
++.B refreshOnly
1930
++operation, the next synchronization search operation
1931
++is periodically rescheduled at an interval time (specified by 
1932
++.B interval
1933
++parameter; 1 day by default)
1934
++after each synchronization operation finishes.
1935
++In the
1936
++.B refreshAndPersist
1937
++operation, a synchronization search remains persistent in the provider slapd.
1938
++Further updates to the provider will generate
1939
++.B searchResultEntry
1940
++to the consumer slapd as the search responses to the persistent
1941
++synchronization search. If the initial search fails due to an error, the
1942
++next synchronization search operation is periodically rescheduled at an
1943
++interval time (specified by
1944
++.B interval
1945
++parameter; 1 day by default)
1946
++
1947
++If an error occurs during replication, the consumer will attempt to
1948
++reconnect according to the
1949
++.B retry
1950
++parameter which is a list of the <retry interval> and <# of retries> pairs.
1951
++For example, retry="60 10 300 3" lets the consumer retry every 60 seconds
1952
++for the first 10 times and then retry every 300 seconds for the next 3
1953
++times before stop retrying. The `+' in <# of retries> means indefinite
1954
++number of retries until success.
1955
++If no 
1956
++.B retry
1957
++is specified, by default syncrepl retries every hour forever.
1958
++
1959
++The schema checking can be enforced at the LDAP Sync
1960
++consumer site by turning on the
1961
++.B schemachecking
1962
++parameter. The default is \fBoff\fP.
1963
++Schema checking \fBon\fP means that replicated entries must have
1964
++a structural objectClass, must obey to objectClass requirements
1965
++in terms of required/allowed attributes, and that naming attributes
1966
++and distinguished values must be present.
1967
++As a consequence, schema checking should be \fBoff\fP when partial
1968
++replication is used.
1969
++
1970
++The
1971
++.B network\-timeout
1972
++parameter sets how long the consumer will wait to establish a
1973
++network connection to the provider. Once a connection is
1974
++established, the
1975
++.B timeout
1976
++parameter determines how long the consumer will wait for the initial
1977
++Bind request to complete. The defaults for these parameters come
1978
++from 
1979
++.BR ldap.conf (5).
1980
++The
1981
++.B tcp\-user\-timeout
1982
++parameter, if non-zero, corresponds to the
1983
++.B TCP_USER_TIMEOUT
1984
++set on the target connections, overriding the operating system setting.
1985
++Only some systems support the customization of this parameter, it is
1986
++ignored otherwise and system-wide settings are used.
1987
++
1988
++A
1989
++.B bindmethod
1990
++of 
1991
++.B simple
1992
++requires the options 
1993
++.B binddn
1994
++and 
1995
++.B credentials
1996
++and should only be used when adequate security services
1997
++(e.g. TLS or IPSEC) are in place.
1998
++.B REMEMBER: simple bind credentials must be in cleartext!
1999
++A
2000
++.B bindmethod
2001
++of
2002
++.B sasl
2003
++requires the option
2004
++.B saslmech.
2005
++Depending on the mechanism, an authentication identity and/or
2006
++credentials can be specified using
2007
++.B authcid
2008
++and
2009
++.B credentials.
2010
++The
2011
++.B authzid
2012
++parameter may be used to specify an authorization identity.
2013
++Specific security properties (as with the
2014
++.B sasl\-secprops
2015
++keyword above) for a SASL bind can be set with the
2016
++.B secprops
2017
++option. A non default SASL realm can be set with the
2018
++.B realm 
2019
++option.
2020
++The identity used for synchronization by the consumer should be allowed
2021
++to receive an unlimited number of entries in response to a search request.
2022
++The provider, other than allowing authentication of the syncrepl identity,
2023
++should grant that identity appropriate access privileges to the data 
2024
++that is being replicated (\fBaccess\fP directive), and appropriate time 
2025
++and size limits.
2026
++This can be accomplished by either allowing unlimited \fBsizelimit\fP
2027
++and \fBtimelimit\fP, or by setting an appropriate \fBlimits\fP statement
2028
++in the consumer's configuration (see \fBsizelimit\fP and \fBlimits\fP
2029
++for details).
2030
++
2031
++The
2032
++.B keepalive
2033
++parameter sets the values of \fIidle\fP, \fIprobes\fP, and \fIinterval\fP
2034
++used to check whether a socket is alive;
2035
++.I idle
2036
++is the number of seconds a connection needs to remain idle before TCP 
2037
++starts sending keepalive probes;
2038
++.I probes
2039
++is the maximum number of keepalive probes TCP should send before dropping
2040
++the connection;
2041
++.I interval
2042
++is interval in seconds between individual keepalive probes.
2043
++Only some systems support the customization of these values;
2044
++the
2045
++.B keepalive
2046
++parameter is ignored otherwise, and system-wide settings are used.
2047
++
2048
++The
2049
++.B starttls
2050
++parameter specifies use of the StartTLS extended operation
2051
++to establish a TLS session before Binding to the provider. If the
2052
++.B critical
2053
++argument is supplied, the session will be aborted if the StartTLS request
2054
++fails. Otherwise the syncrepl session continues without TLS. The
2055
++.B tls_reqcert
2056
++setting defaults to "demand", the
2057
++.B tls_reqsan
2058
++setting defaults to "allow", and the other TLS settings
2059
++default to the same as the main slapd TLS settings.
2060
++
2061
++The
2062
++.B suffixmassage
2063
++parameter allows the consumer to pull entries from a remote directory
2064
++whose DN suffix differs from the local directory. The portion of the
2065
++remote entries' DNs that matches the \fIsearchbase\fP will be replaced
2066
++with the suffixmassage DN.
2067
++
2068
++Rather than replicating whole entries, the consumer can query logs of
2069
++data modifications. This mode of operation is referred to as \fIdelta
2070
++syncrepl\fP. In addition to the above parameters, the
2071
++.B logbase
2072
++and
2073
++.B logfilter
2074
++parameters must be set appropriately for the log that will be used. The
2075
++.B syncdata
2076
++parameter must be set to either "accesslog" if the log conforms to the
2077
++.BR slapo\-accesslog (5)
2078
++log format, or "changelog" if the log conforms
2079
++to the obsolete \fIchangelog\fP format. If the
2080
++.B syncdata
2081
++parameter is omitted or set to "default" then the log parameters are
2082
++ignored.
2083
++
2084
++The
2085
++.B lazycommit
2086
++parameter tells the underlying database that it can store changes without
2087
++performing a full flush after each change. This may improve performance
2088
++for the consumer, while sacrificing safety or durability.
2089
++.RE
2090
++.TP
2091
++.B updatedn <dn>
2092
++This option is only applicable in a replica
2093
++database.
2094
++It specifies the DN permitted to update (subject to access controls)
2095
++the replica.  It is only needed in certain push-mode
2096
++replication scenarios.  Generally, this DN
2097
++.I should not
2098
++be the same as the
2099
++.B rootdn 
2100
++used at the provider.
2101
++.TP
2102
++.B updateref <url>
2103
++Specify the referral to pass back when
2104
++.BR slapd (8)
2105
++is asked to modify a replicated local database.
2106
++If specified multiple times, each url is provided.
2107
++
2108
++.SH DATABASE-SPECIFIC OPTIONS
2109
++Each database may allow specific configuration options; they are
2110
++documented separately in the backends' manual pages. See the
2111
++.BR slapd.backends (5)
2112
++manual page for an overview of available backends.
2113
++.SH EXAMPLES
2114
++.LP
2115
++Here is a short example of a configuration file:
2116
++.LP
2117
++.RS
2118
++.nf
2119
++include   SYSCONFDIR/schema/core.schema
2120
++pidfile   LOCALSTATEDIR/run/slapd.pid
2121
++
2122
++# Subtypes of "name" (e.g. "cn" and "ou") with the
2123
++# option ";x\-hidden" can be searched for/compared,
2124
++# but are not shown.  See \fBslapd.access\fP(5).
2125
++attributeoptions x\-hidden lang\-
2126
++access to attrs=name;x\-hidden by * =cs
2127
++
2128
++# Protect passwords.  See \fBslapd.access\fP(5).
2129
++access    to attrs=userPassword  by * auth
2130
++# Read access to other attributes and entries.
2131
++access    to *  by * read
2132
++
2133
++database  mdb
2134
++suffix    "dc=our\-domain,dc=com"
2135
++# The database directory MUST exist prior to
2136
++# running slapd AND should only be accessible
2137
++# by the slapd/tools. Mode 0700 recommended.
2138
++directory LOCALSTATEDIR/openldap\-data
2139
++# Indices to maintain
2140
++index     objectClass  eq
2141
++index     cn,sn,mail   pres,eq,approx,sub
2142
++
2143
++# We serve small clients that do not handle referrals,
2144
++# so handle remote lookups on their behalf.
2145
++database  ldap
2146
++suffix    ""
2147
++uri       ldap://ldap.some\-server.com/
2148
++lastmod   off
2149
++.fi
2150
++.RE
2151
++.LP
2152
++"OpenLDAP Administrator's Guide" contains a longer annotated
2153
++example of a configuration file.
2154
++The original ETCDIR/slapd.conf is another example.
2155
++.SH FILES
2156
++.TP
2157
++ETCDIR/slapd.conf
2158
++default slapd configuration file
2159
++.SH SEE ALSO
2160
++.BR ldap (3),
2161
++.BR gnutls\-cli (1),
2162
++.BR slapd\-config (5),
2163
++.BR slapd.access (5),
2164
++.BR slapd.backends (5),
2165
++.BR slapd.overlays (5),
2166
++.BR slapd.plugin (5),
2167
++.BR slapd (8),
2168
++.BR slapacl (8),
2169
++.BR slapadd (8),
2170
++.BR slapauth (8),
2171
++.BR slapcat (8),
2172
++.BR slapdn (8),
2173
++.BR slapindex (8),
2174
++.BR slapmodify (8),
2175
++.BR slappasswd (8),
2176
++.BR slaptest (8).
2177
++.LP
2178
++"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
2179
++.SH ACKNOWLEDGEMENTS
2180
++.so ../Project
2181
+diff -Naurp openldap-2.6.2.orig/doc/man/man5/slapd-config.5 openldap-2.6.2/doc/man/man5/slapd-config.5
2182
+--- openldap-2.6.2.orig/doc/man/man5/slapd-config.5	2022-05-04 16:55:23.000000000 +0200
2183
+@@ -2233,7 +2233,7 @@ olcSuffix: "dc=our\-domain,dc=com"
2184
+ # The database directory MUST exist prior to
2185
+ # running slapd AND should only be accessible
2186
+ # by the slapd/tools. Mode 0700 recommended.
2187
+-olcDbDirectory: LOCALSTATEDIR/openldap\-data
2188
++olcDbDirectory: LOCALSTATEDIR/lib/openldap
2189
+ # Indices to maintain
2190
+ olcDbIndex:     objectClass  eq
2191
+ olcDbIndex:     cn,sn,mail   pres,eq,approx,sub
2192
+diff -Naurp openldap-2.6.2.orig/doc/man/man5/slapd-config.5.orig openldap-2.6.2/doc/man/man5/slapd-config.5.orig
2193
+--- openldap-2.6.2.orig/doc/man/man5/slapd-config.5.orig	1970-01-01 01:00:00.000000000 +0100
2194
+@@ -0,0 +1,2302 @@
2195
++.TH SLAPD-CONFIG 5 "RELEASEDATE" "OpenLDAP LDVERSION"
2196
++.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved.
2197
++.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
2198
++.\" $OpenLDAP$
2199
++.SH NAME
2200
++slapd\-config \- configuration backend to slapd
2201
++.SH SYNOPSIS
2202
++ETCDIR/slapd.d
2203
++.SH DESCRIPTION
2204
++The
2205
++.B config
2206
++backend manages all of the configuration information for the
2207
++.BR slapd (8)
2208
++daemon.  This configuration information is also used by the SLAPD tools
2209
++.BR slapacl (8),
2210
++.BR slapadd (8),
2211
++.BR slapauth (8),
2212
++.BR slapcat (8),
2213
++.BR slapdn (8),
2214
++.BR slapindex (8),
2215
++.BR slapmodify (8),
2216
++and
2217
++.BR slaptest (8).
2218
++.LP
2219
++The
2220
++.B config
2221
++backend is backward compatible with the older
2222
++.BR slapd.conf (5)
2223
++file but provides the ability to change the configuration dynamically
2224
++at runtime. If slapd is run with only a
2225
++.B slapd.conf
2226
++file dynamic changes will be allowed but they will not persist across
2227
++a server restart. Dynamic changes are only saved when slapd is running
2228
++from a
2229
++.B slapd.d
2230
++configuration directory.
2231
++.LP
2232
++
2233
++Unlike other backends, there can only be one instance of the
2234
++.B config
2235
++backend, and most of its structure is predefined. The root of the
2236
++database is hardcoded to
2237
++.B "cn=config"
2238
++and this root entry contains
2239
++global settings for slapd. Multiple child entries underneath the
2240
++root entry are used to carry various other settings:
2241
++.RS
2242
++.TP
2243
++.B cn=Module
2244
++dynamically loaded modules
2245
++.TP
2246
++.B cn=Schema
2247
++schema definitions
2248
++.TP
2249
++.B olcBackend=xxx
2250
++backend-specific settings
2251
++.TP
2252
++.B olcDatabase=xxx
2253
++database-specific settings
2254
++.RE
2255
++
2256
++The
2257
++.B cn=Module
2258
++entries will only appear in configurations where slapd
2259
++was built with support for dynamically loaded modules. There can be
2260
++multiple entries, one for each configured module path. Within each
2261
++entry there will be values recorded for each module loaded on a
2262
++given path. These entries have no children.
2263
++
2264
++The
2265
++.B cn=Schema
2266
++entry contains all of the hardcoded schema elements.
2267
++The children of this entry contain all user-defined schema elements.
2268
++In schema that were loaded from include files, the child entry will
2269
++be named after the include file from which the schema was loaded.
2270
++Typically the first child in this subtree will be
2271
++.BR cn=core,cn=schema,cn=config .
2272
++
2273
++.B olcBackend
2274
++entries are for storing settings specific to a single
2275
++backend type (and thus global to all database instances of that type).
2276
++At present, only back-mdb implements any options of this type, so this
2277
++setting is not needed for any other backends.
2278
++
2279
++.B olcDatabase
2280
++entries store settings specific to a single database
2281
++instance. These entries may have
2282
++.B olcOverlay
2283
++child entries corresponding
2284
++to any overlays configured on the database. The olcDatabase and
2285
++olcOverlay entries may also have miscellaneous child entries for
2286
++other settings as needed. There are two special database entries
2287
++that are predefined \- one is an entry for the config database itself,
2288
++and the other is for the "frontend" database. Settings in the
2289
++frontend database are inherited by the other databases, unless
2290
++they are explicitly overridden in a specific database.
2291
++.LP
2292
++The specific configuration options available are discussed below in the
2293
++Global Configuration Options, General Backend Options, and General Database
2294
++Options. Options are set by defining LDAP attributes with specific values.
2295
++In general the names of the LDAP attributes are the same as the corresponding
2296
++.B slapd.conf
2297
++keyword, with an "olc" prefix added on.
2298
++
2299
++The parser for many of these attributes is the same as used for parsing
2300
++the slapd.conf keywords. As such, slapd.conf keywords that allow multiple
2301
++items to be specified on one line, separated by whitespace, will allow
2302
++multiple items to be specified in one attribute value. However, when
2303
++reading the attribute via LDAP, the items will be returned as individual
2304
++attribute values.
2305
++
2306
++Backend-specific options are discussed in the
2307
++.B slapd\-<backend>(5)
2308
++manual pages.  Refer to the "OpenLDAP Administrator's Guide" for more
2309
++details on configuring slapd.
2310
++.SH GLOBAL CONFIGURATION OPTIONS
2311
++Options described in this section apply to the server as a whole.
2312
++Arguments that should be replaced by 
2313
++actual text are shown in brackets <>.
2314
++
2315
++These options may only be specified in the
2316
++.B cn=config
2317
++entry. This entry must have an objectClass of
2318
++.BR olcGlobal .
2319
++
2320
++.TP
2321
++.B olcAllows: <features>
2322
++Specify a set of features to allow (default none).
2323
++.B bind_v2
2324
++allows acceptance of LDAPv2 bind requests.  Note that
2325
++.BR slapd (8)
2326
++does not truly implement LDAPv2 (RFC 1777), now Historic (RFC 3494).
2327
++.B bind_anon_cred
2328
++allows anonymous bind when credentials are not empty (e.g.
2329
++when DN is empty).
2330
++.B bind_anon_dn
2331
++allows unauthenticated (anonymous) bind when DN is not empty.
2332
++.B update_anon
2333
++allows unauthenticated (anonymous) update operations to be processed
2334
++(subject to access controls and other administrative limits).
2335
++.B proxy_authz_anon
2336
++allows unauthenticated (anonymous) proxy authorization control to be processed
2337
++(subject to access controls, authorization and other administrative limits).
2338
++.TP
2339
++.B olcArgsFile: <filename>
2340
++The (absolute) name of a file that will hold the 
2341
++.B slapd
2342
++server's command line (program name and options).
2343
++.TP
2344
++.B olcAttributeOptions: <option-name>...
2345
++Define tagging attribute options or option tag/range prefixes.
2346
++Options must not end with `\-', prefixes must end with `\-'.
2347
++The `lang\-' prefix is predefined.
2348
++If you use the
2349
++.B olcAttributeOptions
2350
++directive, `lang\-' will no longer be defined and you must specify it
2351
++explicitly if you want it defined.
2352
++
2353
++An attribute description with a tagging option is a subtype of that
2354
++attribute description without the option.
2355
++Except for that, options defined this way have no special semantics.
2356
++Prefixes defined this way work like the `lang\-' options:
2357
++They define a prefix for tagging options starting with the prefix.
2358
++That is, if you define the prefix `x\-foo\-', you can use the option
2359
++`x\-foo\-bar'.
2360
++Furthermore, in a search or compare, a prefix or range name (with
2361
++a trailing `\-') matches all options starting with that name, as well
2362
++as the option with the range name sans the trailing `\-'.
2363
++That is, `x\-foo\-bar\-' matches `x\-foo\-bar' and `x\-foo\-bar\-baz'.
2364
++
2365
++RFC 4520 reserves options beginning with `x\-' for private experiments.
2366
++Other options should be registered with IANA, see RFC 4520 section 3.5.
2367
++OpenLDAP also has the `binary' option built in, but this is a transfer
2368
++option, not a tagging option.
2369
++.TP
2370
++.B olcAuthIDRewrite: <rewrite\-rule>
2371
++Used by the authentication framework to convert simple user names
2372
++to an LDAP DN used for authorization purposes.
2373
++Its purpose is analogous to that of
2374
++.BR olcAuthzRegexp
2375
++(see below).
2376
++The
2377
++.B rewrite\-rule
2378
++is a set of rules analogous to those described in
2379
++.BR slapo\-rwm (5)
2380
++for data rewriting (after stripping the \fIrwm\-\fP prefix).
2381
++.B olcAuthIDRewrite
2382
++and
2383
++.B olcAuthzRegexp
2384
++should not be intermixed.
2385
++.TP
2386
++.B olcAuthzPolicy: <policy>
2387
++Used to specify which rules to use for Proxy Authorization.  Proxy
2388
++authorization allows a client to authenticate to the server using one
2389
++user's credentials, but specify a different identity to use for authorization
2390
++and access control purposes. It essentially allows user A to login as user
2391
++B, using user A's password.
2392
++The
2393
++.B none
2394
++flag disables proxy authorization. This is the default setting.
2395
++The
2396
++.B from
2397
++flag will use rules in the
2398
++.I authzFrom
2399
++attribute of the authorization DN.
2400
++The
2401
++.B to
2402
++flag will use rules in the
2403
++.I authzTo
2404
++attribute of the authentication DN.
2405
++The
2406
++.B any
2407
++flag, an alias for the deprecated value of
2408
++.BR both ,
2409
++will allow any of the above, whatever succeeds first (checked in
2410
++.BR to ,
2411
++.B from
2412
++sequence.
2413
++The
2414
++.B all
2415
++flag requires both authorizations to succeed.
2416
++.LP
2417
++.RS
2418
++The rules are mechanisms to specify which identities are allowed 
2419
++to perform proxy authorization.
2420
++The
2421
++.I authzFrom
2422
++attribute in an entry specifies which other users
2423
++are allowed to proxy login to this entry. The
2424
++.I authzTo
2425
++attribute in
2426
++an entry specifies which other users this user can authorize as.  Use of
2427
++.I authzTo
2428
++rules can be easily
2429
++abused if users are allowed to write arbitrary values to this attribute.
2430
++In general the
2431
++.I authzTo
2432
++attribute must be protected with ACLs such that
2433
++only privileged users can modify it.
2434
++The value of
2435
++.I authzFrom
2436
++and
2437
++.I authzTo
2438
++describes an 
2439
++.B identity 
2440
++or a set of identities; it can take five forms:
2441
++.RS
2442
++.TP
2443
++.B ldap:///<base>??[<scope>]?<filter>
2444
++.RE
2445
++.RS
2446
++.B dn[.<dnstyle>]:<pattern>
2447
++.RE
2448
++.RS
2449
++.B u[.<mech>[<realm>]]:<pattern>
2450
++.RE
2451
++.RS
2452
++.B group[/objectClass[/attributeType]]:<pattern>
2453
++.RE
2454
++.RS
2455
++.B <pattern>
2456
++.RE
2457
++.RS
2458
++
2459
++.B <dnstyle>:={exact|onelevel|children|subtree|regex}
2460
++
2461
++.RE
2462
++The first form is a valid LDAP
2463
++.B URI
2464
++where the 
2465
++.IR <host>:<port> ,
2466
++the
2467
++.I <attrs>
2468
++and the
2469
++.I <extensions>
2470
++portions must be absent, so that the search occurs locally on either
2471
++.I authzFrom
2472
++or 
2473
++.IR authzTo .
2474
++
2475
++.LP
2476
++The second form is a 
2477
++.BR DN ,
2478
++with the optional style modifiers
2479
++.IR exact ,
2480
++.IR onelevel ,
2481
++.IR children ,
2482
++and
2483
++.I subtree
2484
++for exact, onelevel, children and subtree matches, which cause 
2485
++.I <pattern>
2486
++to be normalized according to the DN normalization rules, or the special
2487
++.I regex
2488
++style, which causes the
2489
++.I <pattern>
2490
++to be treated as a POSIX (''extended'') regular expression, as
2491
++discussed in
2492
++.BR regex (7)
2493
++and/or
2494
++.BR re_format (7).
2495
++A pattern of
2496
++.I *
2497
++means any non-anonymous DN.
2498
++
2499
++.LP
2500
++The third form is a SASL
2501
++.BR id ,
2502
++with the optional fields
2503
++.I <mech>
2504
++and
2505
++.I <realm>
2506
++that allow to specify a SASL
2507
++.BR mechanism ,
2508
++and eventually a SASL
2509
++.BR realm ,
2510
++for those mechanisms that support one.
2511
++The need to allow the specification of a mechanism is still debated, 
2512
++and users are strongly discouraged to rely on this possibility.
2513
++
2514
++.LP
2515
++The fourth form is a group specification.
2516
++It consists of the keyword
2517
++.BR group ,
2518
++optionally followed by the specification of the group
2519
++.B objectClass
2520
++and
2521
++.BR attributeType .
2522
++The
2523
++.B objectClass
2524
++defaults to
2525
++.IR groupOfNames .
2526
++The
2527
++.B attributeType
2528
++defaults to
2529
++.IR member .
2530
++The group with DN
2531
++.B <pattern>
2532
++is searched with base scope, filtered on the specified
2533
++.BR objectClass .
2534
++The values of the resulting
2535
++.B attributeType
2536
++are searched for the asserted DN.
2537
++
2538
++.LP
2539
++The fifth form is provided for backwards compatibility.  If no identity
2540
++type is provided, i.e. only
2541
++.B <pattern>
2542
++is present, an
2543
++.I exact DN
2544
++is assumed; as a consequence, 
2545
++.B <pattern>
2546
++is subjected to DN normalization.
2547
++
2548
++.LP
2549
++Since the interpretation of
2550
++.I authzFrom
2551
++and
2552
++.I authzTo
2553
++can impact security, users are strongly encouraged 
2554
++to explicitly set the type of identity specification that is being used.
2555
++A subset of these rules can be used as third arg in the 
2556
++.B olcAuthzRegexp
2557
++statement (see below); significantly, the 
2558
++.IR URI ,
2559
++provided it results in exactly one entry,
2560
++and the
2561
++.I dn.exact:<dn> 
2562
++forms.
2563
++.RE
2564
++.TP
2565
++.B olcAuthzRegexp: <match> <replace>
2566
++Used by the authentication framework to convert simple user names,
2567
++such as provided by SASL subsystem, or extracted from certificates
2568
++in case of cert-based SASL EXTERNAL, or provided within the RFC 4370
2569
++"proxied authorization" control, to an LDAP DN used for
2570
++authorization purposes.  Note that the resulting DN need not refer
2571
++to an existing entry to be considered valid.  When an authorization
2572
++request is received from the SASL subsystem, the SASL 
2573
++.BR USERNAME ,
2574
++.BR REALM , 
2575
++and
2576
++.B MECHANISM
2577
++are taken, when available, and combined into a name of the form
2578
++.RS
2579
++.RS
2580
++.TP
2581
++.B UID=<username>[[,CN=<realm>],CN=<mechanism>],CN=auth
2582
++
2583
++.RE
2584
++This name is then compared against the
2585
++.B match
2586
++POSIX (''extended'') regular expression, and if the match is successful,
2587
++the name is replaced with the
2588
++.B replace
2589
++string.  If there are wildcard strings in the 
2590
++.B match
2591
++regular expression that are enclosed in parenthesis, e.g. 
2592
++.RS
2593
++.TP
2594
++.B UID=([^,]*),CN=.*
2595
++
2596
++.RE
2597
++then the portion of the name that matched the wildcard will be stored
2598
++in the numbered placeholder variable $1. If there are other wildcard strings
2599
++in parenthesis, the matching strings will be in $2, $3, etc. up to $9. The 
2600
++placeholders can then be used in the 
2601
++.B replace
2602
++string, e.g. 
2603
++.RS
2604
++.TP
2605
++.B UID=$1,OU=Accounts,DC=example,DC=com 
2606
++
2607
++.RE
2608
++The replaced name can be either a DN, i.e. a string prefixed by "dn:",
2609
++or an LDAP URI.
2610
++If the latter, the server will use the URI to search its own database(s)
2611
++and, if the search returns exactly one entry, the name is
2612
++replaced by the DN of that entry.   The LDAP URI must have no
2613
++hostport, attrs, or extensions components, but the filter is mandatory,
2614
++e.g.
2615
++.RS
2616
++.TP
2617
++.B ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)
2618
++
2619
++.RE
2620
++The protocol portion of the URI must be strictly
2621
++.BR ldap .
2622
++Note that this search is subject to access controls.  Specifically,
2623
++the authentication identity must have "auth" access in the subject.
2624
++
2625
++Multiple 
2626
++.B olcAuthzRegexp 
2627
++values can be specified to allow for multiple matching 
2628
++and replacement patterns. The matching patterns are checked in the order they 
2629
++appear in the attribute, stopping at the first successful match.
2630
++
2631
++.\".B Caution:
2632
++.\"Because the plus sign + is a character recognized by the regular expression engine,
2633
++.\"and it will appear in names that include a REALM, be careful to escape the
2634
++.\"plus sign with a backslash \\+ to remove the character's special meaning.
2635
++.RE
2636
++.TP
2637
++.B olcConcurrency: <integer>
2638
++Specify a desired level of concurrency.  Provided to the underlying
2639
++thread system as a hint.  The default is not to provide any hint. This setting
2640
++is only meaningful on some platforms where there is not a one to one
2641
++correspondence between user threads and kernel threads.
2642
++.TP
2643
++.B olcConnMaxPending: <integer>
2644
++Specify the maximum number of pending requests for an anonymous session.
2645
++If requests are submitted faster than the server can process them, they
2646
++will be queued up to this limit. If the limit is exceeded, the session
2647
++is closed. The default is 100.
2648
++.TP
2649
++.B olcConnMaxPendingAuth: <integer>
2650
++Specify the maximum number of pending requests for an authenticated session.
2651
++The default is 1000.
2652
++.TP
2653
++.B olcDisallows: <features>
2654
++Specify a set of features to disallow (default none).
2655
++.B bind_anon
2656
++disables acceptance of anonymous bind requests.  Note that this setting
2657
++does not prohibit anonymous directory access (See "require authc").
2658
++.B bind_simple
2659
++disables simple (bind) authentication.
2660
++.B tls_2_anon
2661
++disables forcing session to anonymous status (see also
2662
++.BR tls_authc )
2663
++upon StartTLS operation receipt.
2664
++.B tls_authc
2665
++disallows the StartTLS operation if authenticated (see also
2666
++.BR tls_2_anon ).
2667
++.B proxy_authz_non_critical
2668
++disables acceptance of the proxied authorization control (RFC4370)
2669
++with criticality set to FALSE.
2670
++.B dontusecopy_non_critical
2671
++disables acceptance of the dontUseCopy control (a work in progress)
2672
++with criticality set to FALSE.
2673
++.TP
2674
++.B olcGentleHUP: { TRUE | FALSE }
2675
++A SIGHUP signal will only cause a 'gentle' shutdown-attempt:
2676
++.B Slapd
2677
++will stop listening for new connections, but will not close the
2678
++connections to the current clients.  Future write operations return
2679
++unwilling-to-perform, though.  Slapd terminates when all clients
2680
++have closed their connections (if they ever do), or \- as before \-
2681
++if it receives a SIGTERM signal.  This can be useful if you wish to
2682
++terminate the server and start a new
2683
++.B slapd
2684
++server
2685
++.B with another database,
2686
++without disrupting the currently active clients.
2687
++The default is FALSE.  You may wish to use
2688
++.B olcIdleTimeout
2689
++along with this option.
2690
++.TP
2691
++.B olcIdleTimeout: <integer>
2692
++Specify the number of seconds to wait before forcibly closing
2693
++an idle client connection.  A setting of 0 disables this
2694
++feature.  The default is 0. You may also want to set the
2695
++.B olcWriteTimeout
2696
++option.
2697
++.TP
2698
++.B olcIndexHash64: { on | off }
2699
++Use a 64 bit hash for indexing. The default is to use 32 bit hashes.
2700
++These hashes are used for equality and substring indexing. The 64 bit
2701
++version may be needed to avoid index collisions when the number of
2702
++indexed values exceeds ~64 million. (Note that substring indexing
2703
++generates multiple index values per actual attribute value.)
2704
++Indices generated with 32 bit hashes are incompatible with the 64 bit
2705
++version, and vice versa. Any existing databases must be fully reloaded
2706
++when changing this setting. This directive is only supported on 64 bit CPUs.
2707
++.TP
2708
++.B olcIndexIntLen: <integer>
2709
++Specify the key length for ordered integer indices. The most significant
2710
++bytes of the binary integer will be used for index keys. The default
2711
++value is 4, which provides exact indexing for 31 bit values.
2712
++A floating point representation is used to index too large values.
2713
++.TP
2714
++.B olcIndexSubstrIfMaxlen: <integer>
2715
++Specify the maximum length for subinitial and subfinal indices. Only
2716
++this many characters of an attribute value will be processed by the
2717
++indexing functions; any excess characters are ignored. The default is 4.
2718
++.TP
2719
++.B olcIndexSubstrIfMinlen: <integer>
2720
++Specify the minimum length for subinitial and subfinal indices. An
2721
++attribute value must have at least this many characters in order to be
2722
++processed by the indexing functions. The default is 2.
2723
++.TP
2724
++.B olcIndexSubstrAnyLen: <integer>
2725
++Specify the length used for subany indices. An attribute value must have
2726
++at least this many characters in order to be processed. Attribute values
2727
++longer than this length will be processed in segments of this length. The
2728
++default is 4. The subany index will also be used in subinitial and
2729
++subfinal index lookups when the filter string is longer than the
2730
++.I olcIndexSubstrIfMaxlen
2731
++value.
2732
++.TP
2733
++.B olcIndexSubstrAnyStep: <integer>
2734
++Specify the steps used in subany index lookups. This value sets the offset
2735
++for the segments of a filter string that are processed for a subany index
2736
++lookup. The default is 2. For example, with the default values, a search
2737
++using this filter "cn=*abcdefgh*" would generate index lookups for
2738
++"abcd", "cdef", and "efgh".
2739
++
2740
++.LP
2741
++Note: Indexing support depends on the particular backend in use. Also,
2742
++changing these settings will generally require deleting any indices that
2743
++depend on these parameters and recreating them with
2744
++.BR slapindex (8).
2745
++
2746
++.TP
2747
++.B olcListenerThreads: <integer>
2748
++Specify the number of threads to use for the connection manager.
2749
++The default is 1 and this is typically adequate for up to 16 CPU cores.
2750
++The value should be set to a power of 2.
2751
++.TP
2752
++.B olcLocalSSF: <SSF>
2753
++Specifies the Security Strength Factor (SSF) to be given local LDAP sessions,
2754
++such as those to the ldapi:// listener.  For a description of SSF values,
2755
++see 
2756
++.BR olcSaslSecProps 's
2757
++.B minssf
2758
++option description.  The default is 71.
2759
++.TP
2760
++.B olcLogFile: <filename>
2761
++Specify a file for recording slapd debug messages. By default these messages
2762
++only go to stderr, are not recorded anywhere else, and are unrelated to
2763
++messages exposed by the
2764
++.B olcLogLevel
2765
++configuration parameter. Specifying a logfile copies messages to both stderr
2766
++and the logfile.
2767
++.TP
2768
++.B olcLogFileFormat: debug | syslog-utc | syslog-localtime
2769
++Specify the prefix format for messages written to the logfile. The debug
2770
++format is the normal format used for slapd debug messages, with a timestamp
2771
++in hexadecimal, followed by a thread ID.  The other options are to
2772
++use syslog(3) style prefixes, with timestamps either in UTC or in the
2773
++local timezone. The default is debug format.
2774
++.TP
2775
++.B olcLogFileOnly: TRUE | FALSE
2776
++Specify that debug messages should only go to the configured logfile, and
2777
++not to stderr.
2778
++.TP
2779
++.B olcLogFileRotate: <max> <Mbytes> <hours>
2780
++Specify automatic rotation for the configured logfile as the maximum
2781
++number of old logfiles to retain, a maximum size in megabytes to allow a
2782
++logfile to grow before rotation, and a maximum age in hours for a logfile
2783
++to be used before rotation. The maximum number must be in the range 1-99.
2784
++Setting Mbytes or hours to zero disables the size or age check, respectively.
2785
++At least one of Mbytes or hours must be non-zero. By default no automatic
2786
++rotation will be performed.
2787
++.TP
2788
++.B olcLogLevel: <integer> [...]
2789
++Specify the level at which debugging statements and operation 
2790
++statistics should be syslogged (currently logged to the
2791
++.BR syslogd (8) 
2792
++LOG_LOCAL4 facility).
2793
++They must be considered subsystems rather than increasingly verbose 
2794
++log levels.
2795
++Some messages with higher priority are logged regardless 
2796
++of the configured loglevel as soon as any logging is configured.
2797
++Log levels are additive, and available levels are:
2798
++.RS
2799
++.RS
2800
++.PD 0
2801
++.TP
2802
++.B 1
2803
++.B (0x1 trace)
2804
++trace function calls
2805
++.TP
2806
++.B 2
2807
++.B (0x2 packets)
2808
++debug packet handling
2809
++.TP
2810
++.B 4
2811
++.B (0x4 args)
2812
++heavy trace debugging (function args)
2813
++.TP
2814
++.B 8
2815
++.B (0x8 conns)
2816
++connection management
2817
++.TP
2818
++.B 16
2819
++.B (0x10 BER)
2820
++print out packets sent and received
2821
++.TP
2822
++.B 32
2823
++.B (0x20 filter)
2824
++search filter processing
2825
++.TP
2826
++.B 64
2827
++.B (0x40 config)
2828
++configuration file processing
2829
++.TP
2830
++.B 128
2831
++.B (0x80 ACL)
2832
++access control list processing
2833
++.TP
2834
++.B 256
2835
++.B (0x100 stats)
2836
++connections, LDAP operations, results (recommended)
2837
++.TP
2838
++.B 512
2839
++.B (0x200 stats2)
2840
++stats2 log entries sent
2841
++.TP
2842
++.B 1024
2843
++.B (0x400 shell)
2844
++print communication with shell backends
2845
++.TP
2846
++.B 2048
2847
++.B (0x800 parse)
2848
++entry parsing
2849
++\".TP
2850
++\".B 4096
2851
++\".B (0x1000 cache)
2852
++\"caching (unused)
2853
++\".TP
2854
++\".B 8192
2855
++\".B (0x2000 index)
2856
++\"data indexing (unused)
2857
++.TP
2858
++.B 16384
2859
++.B (0x4000 sync)
2860
++LDAPSync replication
2861
++.TP
2862
++.B 32768
2863
++.B (0x8000 none)
2864
++only messages that get logged whatever log level is set
2865
++.PD
2866
++.RE
2867
++The desired log level can be input as a single integer that combines 
2868
++the (ORed) desired levels, both in decimal or in hexadecimal notation,
2869
++as a list of integers (that are ORed internally),
2870
++or as a list of the names that are shown between parenthesis, such that
2871
++.LP
2872
++.nf
2873
++    olcLogLevel: 129
2874
++    olcLogLevel: 0x81
2875
++    olcLogLevel: 128 1
2876
++    olcLogLevel: 0x80 0x1
2877
++    olcLogLevel: acl trace
2878
++.fi
2879
++.LP
2880
++are equivalent.
2881
++The keyword 
2882
++.B any
2883
++can be used as a shortcut to enable logging at all levels (equivalent to \-1).
2884
++The keyword
2885
++.BR none ,
2886
++or the equivalent integer representation, causes those messages
2887
++that are logged regardless of the configured olcLogLevel to be logged.
2888
++In fact, if no olcLogLevel (or a 0 level) is defined, no logging occurs, 
2889
++so at least the 
2890
++.B none
2891
++level is required to have high priority messages logged.
2892
++
2893
++Note that the
2894
++.BR packets ,
2895
++.BR BER ,
2896
++and
2897
++.B parse
2898
++levels are only available as debug output on stderr, and are not
2899
++sent to syslog.
2900
++
2901
++This setting defaults to \fBstats\fP.
2902
++This level should usually also be included when using other loglevels, to
2903
++help analyze the logs.
2904
++.RE
2905
++.TP
2906
++.B olcMaxFilterDepth: <integer>
2907
++Specify the maximum depth of nested filters in search requests.
2908
++The default is 1000.
2909
++.TP
2910
++.B olcPasswordCryptSaltFormat: <format>
2911
++Specify the format of the salt passed to
2912
++.BR crypt (3)
2913
++when generating {CRYPT} passwords (see
2914
++.BR olcPasswordHash )
2915
++during processing of LDAP Password Modify Extended Operations (RFC 3062).
2916
++
2917
++This string needs to be in
2918
++.BR sprintf (3)
2919
++format and may include one (and only one) %s conversion.
2920
++This conversion will be substituted with a string of random
2921
++characters from [A\-Za\-z0\-9./].  For example, "%.2s"
2922
++provides a two character salt and "$1$%.8s" tells some
2923
++versions of crypt(3) to use an MD5 algorithm and provides
2924
++8 random characters of salt.  The default is "%s", which
2925
++provides 31 characters of salt.
2926
++.TP
2927
++.B olcPidFile: <filename>
2928
++The (absolute) name of a file that will hold the 
2929
++.B slapd
2930
++server's process ID (see
2931
++.BR getpid (2)).
2932
++.TP
2933
++.B olcPluginLogFile: <filename>
2934
++The ( absolute ) name of a file that will contain log
2935
++messages from
2936
++.B SLAPI
2937
++plugins. See
2938
++.BR slapd.plugin (5)
2939
++for details.
2940
++.TP
2941
++.B olcReferral: <url>
2942
++Specify the referral to pass back when
2943
++.BR slapd (8)
2944
++cannot find a local database to handle a request.
2945
++If multiple values are specified, each url is provided.
2946
++.TP
2947
++.B olcReverseLookup: TRUE | FALSE
2948
++Enable/disable client name unverified reverse lookup (default is 
2949
++.BR FALSE 
2950
++if compiled with \-\-enable\-rlookups).
2951
++.TP
2952
++.B olcRootDSE: <file>
2953
++Specify the name of an LDIF(5) file containing user defined attributes
2954
++for the root DSE.  These attributes are returned in addition to the
2955
++attributes normally produced by slapd.
2956
++
2957
++The root DSE is an entry with information about the server and its
2958
++capabilities, in operational attributes.
2959
++It has the empty DN, and can be read with e.g.:
2960
++.ti +4
2961
++ldapsearch \-x \-b "" \-s base "+"
2962
++.br
2963
++See RFC 4512 section 5.1 for details.
2964
++.TP
2965
++.B olcSaslAuxprops: <plugin> [...]
2966
++Specify which auxprop plugins to use for authentication lookups. The
2967
++default is empty, which just uses slapd's internal support. Usually
2968
++no other auxprop plugins are needed.
2969
++.TP
2970
++.B olcSaslAuxpropsDontUseCopy: <attr> [...]
2971
++Specify which attribute(s) should be subject to the don't use copy control. This
2972
++is necessary for some SASL mechanisms such as OTP to work in a replicated
2973
++environment. The attribute "cmusaslsecretOTP" is the default value.
2974
++.TP
2975
++.B olcSaslAuxpropsDontUseCopyIgnore TRUE | FALSE
2976
++Used to disable replication of the attribute(s) defined by
2977
++olcSaslAuxpropsDontUseCopy and instead use a local value for the attribute. This
2978
++allows the SASL mechanism to continue to work if the provider is offline. This can
2979
++cause replication inconsistency. Defaults to FALSE.
2980
++.TP
2981
++.B olcSaslHost: <fqdn>
2982
++Used to specify the fully qualified domain name used for SASL processing.
2983
++.TP
2984
++.B olcSaslRealm: <realm>
2985
++Specify SASL realm.  Default is empty.
2986
++.TP
2987
++.B olcSaslCbinding: none | tls-unique | tls-endpoint
2988
++Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING.
2989
++Default is none.
2990
++.TP
2991
++.B olcSaslSecProps: <properties>
2992
++Used to specify Cyrus SASL security properties.
2993
++The
2994
++.B none
2995
++flag (without any other properties) causes the flag properties
2996
++default, "noanonymous,noplain", to be cleared.
2997
++The
2998
++.B noplain
2999
++flag disables mechanisms susceptible to simple passive attacks.
3000
++The
3001
++.B noactive
3002
++flag disables mechanisms susceptible to active attacks.
3003
++The
3004
++.B nodict
3005
++flag disables mechanisms susceptible to passive dictionary attacks.
3006
++The
3007
++.B noanonymous
3008
++flag disables mechanisms which support anonymous login.
3009
++The
3010
++.B forwardsec
3011
++flag require forward secrecy between sessions.
3012
++The
3013
++.B passcred
3014
++require mechanisms which pass client credentials (and allow
3015
++mechanisms which can pass credentials to do so).
3016
++The
3017
++.B minssf=<factor> 
3018
++property specifies the minimum acceptable
3019
++.I security strength factor
3020
++as an integer approximate to effective key length used for
3021
++encryption.  0 (zero) implies no protection, 1 implies integrity
3022
++protection only, 128 allows RC4, Blowfish and other similar ciphers,
3023
++256 will require modern ciphers.  The default is 0.
3024
++The
3025
++.B maxssf=<factor> 
3026
++property specifies the maximum acceptable
3027
++.I security strength factor
3028
++as an integer (see minssf description).  The default is INT_MAX.
3029
++The
3030
++.B maxbufsize=<size> 
3031
++property specifies the maximum security layer receive buffer
3032
++size allowed.  0 disables security layers.  The default is 65536.
3033
++.TP
3034
++.B olcServerID: <integer> [<URL>]
3035
++Specify an integer ID from 0 to 4095 for this server. The ID may also be
3036
++specified as a hexadecimal ID by prefixing the value with "0x".
3037
++Non-zero IDs are required when using multi-provider replication and each
3038
++provider must have a unique non-zero ID. Note that this requirement also
3039
++applies to separate providers contributing to a glued set of databases.
3040
++If the URL is provided, this directive may be specified
3041
++multiple times, providing a complete list of participating servers
3042
++and their IDs. The fully qualified hostname of each server should be
3043
++used in the supplied URLs. The IDs are used in the "replica id" field
3044
++of all CSNs generated by the specified server. The default value is zero, which
3045
++is only valid for single provider replication.
3046
++Example:
3047
++.LP
3048
++.nf
3049
++	olcServerID: 1 ldap://ldap1.example.com
3050
++	olcServerID: 2 ldap://ldap2.example.com
3051
++.fi
3052
++.TP
3053
++.B olcSockbufMaxIncoming: <integer>
3054
++Specify the maximum incoming LDAP PDU size for anonymous sessions.
3055
++The default is 262143.
3056
++.TP
3057
++.B olcSockbufMaxIncomingAuth: <integer>
3058
++Specify the maximum incoming LDAP PDU size for authenticated sessions.
3059
++The default is 4194303.
3060
++.TP
3061
++.B olcTCPBuffer [listener=<URL>] [{read|write}=]<size>
3062
++Specify the size of the TCP buffer.
3063
++A global value for both read and write TCP buffers related to any listener
3064
++is defined, unless the listener is explicitly specified,
3065
++or either the read or write qualifiers are used.
3066
++See
3067
++.BR tcp (7)
3068
++for details.
3069
++Note that some OS-es implement automatic TCP buffer tuning.
3070
++.TP
3071
++.B olcThreads: <integer>
3072
++Specify the maximum size of the primary thread pool.
3073
++The default is 16; the minimum value is 2.
3074
++.TP
3075
++.B olcThreadQueues: <integer>
3076
++Specify the number of work queues to use for the primary thread pool.
3077
++The default is 1 and this is typically adequate for up to 8 CPU cores.
3078
++The value should not exceed the number of CPUs in the system.
3079
++.TP
3080
++.B olcToolThreads: <integer>
3081
++Specify the maximum number of threads to use in tool mode.
3082
++This should not be greater than the number of CPUs in the system.
3083
++The default is 1.
3084
++.TP
3085
++.B olcWriteTimeout: <integer>
3086
++Specify the number of seconds to wait before forcibly closing
3087
++a connection with an outstanding write.  This allows recovery from
3088
++various network hang conditions.  A setting of 0 disables this
3089
++feature.  The default is 0.
3090
++.SH TLS OPTIONS
3091
++If
3092
++.B slapd
3093
++is built with support for Transport Layer Security, there are more options
3094
++you can specify.
3095
++.TP
3096
++.B olcTLSCipherSuite: <cipher-suite-spec>
3097
++Permits configuring what ciphers will be accepted and the preference order.
3098
++<cipher-suite-spec> should be a cipher specification for the TLS library
3099
++in use (OpenSSL or GnuTLS).
3100
++Example:
3101
++.RS
3102
++.RS
3103
++.TP
3104
++.I OpenSSL:
3105
++olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
3106
++.TP
3107
++.I GnuTLS:
3108
++olcTLSCiphersuite: SECURE256:!AES-128-CBC
3109
++.RE
3110
++
3111
++To check what ciphers a given spec selects in OpenSSL, use:
3112
++
3113
++.nf
3114
++	openssl ciphers \-v <cipher-suite-spec>
3115
++.fi
3116
++
3117
++With GnuTLS the available specs can be found in the manual page of
3118
++.BR gnutls\-cli (1)
3119
++(see the description of the
3120
++option
3121
++.BR \-\-priority ).
3122
++
3123
++In older versions of GnuTLS, where gnutls\-cli does not support the option
3124
++\-\-priority, you can obtain the \(em more limited \(em list of ciphers by calling:
3125
++
3126
++.nf
3127
++	gnutls\-cli \-l
3128
++.fi
3129
++.RE
3130
++.TP
3131
++.B olcTLSCACertificateFile: <filename>
3132
++Specifies the file that contains certificates for all of the Certificate
3133
++Authorities that
3134
++.B slapd
3135
++will recognize.  The certificate for
3136
++the CA that signed the server certificate must be included among
3137
++these certificates. If the signing CA was not a top-level (root) CA,
3138
++certificates for the entire sequence of CA's from the signing CA to
3139
++the top-level CA should be present. Multiple certificates are simply
3140
++appended to the file; the order is not significant.
3141
++.TP
3142
++.B olcTLSCACertificatePath: <path>
3143
++Specifies the path of directories that contain Certificate Authority
3144
++certificates in separate individual files. Usually only one of this
3145
++or the olcTLSCACertificateFile is defined. If both are specified, both
3146
++locations will be used. Multiple directories may be specified,
3147
++separated by a semi-colon.
3148
++.TP
3149
++.B olcTLSCertificateFile: <filename>
3150
++Specifies the file that contains the
3151
++.B slapd
3152
++server certificate.
3153
++
3154
++When using OpenSSL that file may also contain any number of intermediate
3155
++certificates after the server certificate.
3156
++.TP
3157
++.B olcTLSCertificateKeyFile: <filename>
3158
++Specifies the file that contains the
3159
++.B slapd
3160
++server private key that matches the certificate stored in the
3161
++.B olcTLSCertificateFile
3162
++file. If the private key is protected with a password, the password must
3163
++be manually typed in when slapd starts.  Usually the private key is not
3164
++protected with a password, to allow slapd to start without manual
3165
++intervention, so
3166
++it is of critical importance that the file is protected carefully. 
3167
++.TP
3168
++.B olcTLSDHParamFile: <filename>
3169
++This directive specifies the file that contains parameters for Diffie-Hellman
3170
++ephemeral key exchange.  This is required in order to use a DSA certificate on
3171
++the server, or an RSA certificate missing the "key encipherment" key usage.
3172
++Note that setting this option may also enable
3173
++Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
3174
++Anonymous key exchanges should generally be avoided since they provide no
3175
++actual client or server authentication and provide no protection against
3176
++man-in-the-middle attacks.
3177
++You should append "!ADH" to your cipher suites to ensure that these suites
3178
++are not used.
3179
++.TP
3180
++.B olcTLSECName: <name>
3181
++Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman
3182
++ephemeral key exchange.  This option is only used for OpenSSL.
3183
++This option is not used with GnuTLS; the curves may be
3184
++chosen in the GnuTLS ciphersuite specification.
3185
++.TP
3186
++.B olcTLSProtocolMin: <major>[.<minor>]
3187
++Specifies minimum SSL/TLS protocol version that will be negotiated.
3188
++If the server doesn't support at least that version,
3189
++the SSL handshake will fail.
3190
++To require TLS 1.x or higher, set this option to 3.(x+1),
3191
++e.g.,
3192
++
3193
++.nf
3194
++	olcTLSProtocolMin: 3.2
3195
++.fi
3196
++
3197
++would require TLS 1.1.
3198
++Specifying a minimum that is higher than that supported by the
3199
++OpenLDAP implementation will result in it requiring the
3200
++highest level that it does support.
3201
++This directive is ignored with GnuTLS.
3202
++.TP
3203
++.B olcTLSRandFile: <filename>
3204
++Specifies the file to obtain random bits from when /dev/[u]random
3205
++is not available.  Generally set to the name of the EGD/PRNGD socket.
3206
++The environment variable RANDFILE can also be used to specify the filename.
3207
++This directive is ignored with GnuTLS.
3208
++.TP
3209
++.B olcTLSVerifyClient: <level>
3210
++Specifies what checks to perform on client certificates in an
3211
++incoming TLS session, if any.
3212
++The
3213
++.B <level>
3214
++can be specified as one of the following keywords:
3215
++.RS
3216
++.TP
3217
++.B never
3218
++This is the default.
3219
++.B slapd
3220
++will not ask the client for a certificate.
3221
++.TP
3222
++.B allow
3223
++The client certificate is requested.  If no certificate is provided,
3224
++the session proceeds normally.  If a bad certificate is provided,
3225
++it will be ignored and the session proceeds normally.
3226
++.TP
3227
++.B try
3228
++The client certificate is requested.  If no certificate is provided,
3229
++the session proceeds normally.  If a bad certificate is provided,
3230
++the session is immediately terminated.
3231
++.TP
3232
++.B demand | hard | true
3233
++These keywords are all equivalent, for compatibility reasons.
3234
++The client certificate is requested.  If no certificate is provided,
3235
++or a bad certificate is provided, the session is immediately terminated.
3236
++
3237
++Note that a valid client certificate is required in order to use the
3238
++SASL EXTERNAL authentication mechanism with a TLS session.  As such,
3239
++a non-default
3240
++.B olcTLSVerifyClient
3241
++setting must be chosen to enable SASL EXTERNAL authentication.
3242
++.RE
3243
++.TP
3244
++.B olcTLSCRLCheck: <level>
3245
++Specifies if the Certificate Revocation List (CRL) of the CA should be 
3246
++used to verify if the client certificates have not been revoked. This
3247
++requires
3248
++.B olcTLSCACertificatePath
3249
++parameter to be set. This parameter is ignored with GnuTLS.
3250
++.B <level>
3251
++can be specified as one of the following keywords:
3252
++.RS
3253
++.TP
3254
++.B none
3255
++No CRL checks are performed
3256
++.TP
3257
++.B peer
3258
++Check the CRL of the peer certificate
3259
++.TP
3260
++.B all
3261
++Check the CRL for a whole certificate chain
3262
++.RE
3263
++.TP
3264
++.B olcTLSCRLFile: <filename>
3265
++Specifies a file containing a Certificate Revocation List to be used
3266
++for verifying that certificates have not been revoked. This parameter is
3267
++only valid when using GnuTLS.
3268
++.SH DYNAMIC MODULE OPTIONS
3269
++If
3270
++.B slapd
3271
++is compiled with \-\-enable\-modules then the module-related entries will
3272
++be available. These entries are named
3273
++.B cn=module{x},cn=config
3274
++and
3275
++must have the olcModuleList objectClass. One entry should be created
3276
++per
3277
++.B olcModulePath.
3278
++Normally the config engine generates the "{x}" index in the RDN
3279
++automatically, so it can be omitted when initially loading these entries.
3280
++.TP
3281
++.B olcModuleLoad: <filename> [<arguments>...]
3282
++Specify the name of a dynamically loadable module to load and any
3283
++additional arguments if supported by the module. The filename
3284
++may be an absolute path name or a simple filename. Non-absolute names
3285
++are searched for in the directories specified by the
3286
++.B olcModulePath
3287
++option.
3288
++.TP
3289
++.B olcModulePath: <pathspec>
3290
++Specify a list of directories to search for loadable modules. Typically
3291
++the path is colon-separated but this depends on the operating system.
3292
++The default is MODULEDIR, which is where the standard OpenLDAP install
3293
++will place its modules. 
3294
++.SH SCHEMA OPTIONS
3295
++Schema definitions are created as entries in the
3296
++.B cn=schema,cn=config
3297
++subtree. These entries must have the olcSchemaConfig objectClass.
3298
++As noted above, the actual
3299
++.B cn=schema,cn=config
3300
++entry is predefined and any values specified for it are ignored.
3301
++
3302
++.HP
3303
++.hy 0
3304
++.B olcAttributetypes: "(\ <oid>\
3305
++ [NAME\ <name>]\
3306
++ [DESC\ <description>]\
3307
++ [OBSOLETE]\
3308
++ [SUP\ <oid>]\
3309
++ [EQUALITY\ <oid>]\
3310
++ [ORDERING\ <oid>]\
3311
++ [SUBSTR\ <oid>]\
3312
++ [SYNTAX\ <oidlen>]\
3313
++ [SINGLE\-VALUE]\
3314
++ [COLLECTIVE]\
3315
++ [NO\-USER\-MODIFICATION]\
3316
++ [USAGE\ <attributeUsage>]\ )"
3317
++.RS
3318
++Specify an attribute type using the LDAPv3 syntax defined in RFC 4512.
3319
++The slapd parser extends the RFC 4512 definition by allowing string
3320
++forms as well as numeric OIDs to be used for the attribute OID and
3321
++attribute syntax OID.
3322
++(See the
3323
++.B olcObjectIdentifier
3324
++description.) 
3325
++.RE
3326
++
3327
++.HP
3328
++.hy 0
3329
++.B olcDitContentRules: "(\ <oid>\
3330
++ [NAME\ <name>]\
3331
++ [DESC\ <description>]\
3332
++ [OBSOLETE]\
3333
++ [AUX\ <oids>]\
3334
++ [MUST\ <oids>]\
3335
++ [MAY\ <oids>]\
3336
++ [NOT\ <oids>]\ )"
3337
++.RS
3338
++Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 4512.
3339
++The slapd parser extends the RFC 4512 definition by allowing string
3340
++forms as well as numeric OIDs to be used for the attribute OID and
3341
++attribute syntax OID.
3342
++(See the
3343
++.B olcObjectIdentifier
3344
++description.) 
3345
++.RE
3346
++
3347
++.HP
3348
++.hy 0
3349
++.B olcLdapSyntaxes "(\ <oid>\
3350
++ [DESC\ <description>]\
3351
++ [X\-SUBST <substitute-syntax>]\ )"
3352
++.RS
3353
++Specify an LDAP syntax using the LDAPv3 syntax defined in RFC 4512.
3354
++The slapd parser extends the RFC 4512 definition by allowing string
3355
++forms as well as numeric OIDs to be used for the syntax OID.
3356
++(See the
3357
++.B objectidentifier
3358
++description.)
3359
++The slapd parser also honors the
3360
++.B X\-SUBST
3361
++extension (an OpenLDAP-specific extension), which allows one to use the
3362
++.B olcLdapSyntaxes
3363
++attribute to define a non-implemented syntax along with another syntax,
3364
++the extension value
3365
++.IR substitute-syntax ,
3366
++as its temporary replacement.
3367
++The
3368
++.I substitute-syntax
3369
++must be defined.
3370
++This allows one to define attribute types that make use of non-implemented syntaxes
3371
++using the correct syntax OID.
3372
++Unless
3373
++.B X\-SUBST
3374
++is used, this configuration statement would result in an error,
3375
++since no handlers would be associated to the resulting syntax structure.
3376
++.RE
3377
++
3378
++.HP
3379
++.hy 0
3380
++.B olcObjectClasses: "(\ <oid>\
3381
++ [NAME\ <name>]\
3382
++ [DESC\ <description>]\
3383
++ [OBSOLETE]\
3384
++ [SUP\ <oids>]\
3385
++ [{ ABSTRACT | STRUCTURAL | AUXILIARY }]\
3386
++ [MUST\ <oids>] [MAY\ <oids>] )"
3387
++.RS
3388
++Specify an objectclass using the LDAPv3 syntax defined in RFC 4512.
3389
++The slapd parser extends the RFC 4512 definition by allowing string
3390
++forms as well as numeric OIDs to be used for the object class OID.
3391
++(See the
3392
++.B
3393
++olcObjectIdentifier
3394
++description.)  Object classes are "STRUCTURAL" by default.
3395
++.RE
3396
++.TP
3397
++.B olcObjectIdentifier: <name> "{ <oid> | <name>[:<suffix>] }"
3398
++Define a string name that equates to the given OID. The string can be used
3399
++in place of the numeric OID in objectclass and attribute definitions. The
3400
++name can also be used with a suffix of the form ":xx" in which case the
3401
++value "oid.xx" will be used.
3402
++
3403
++.SH GENERAL BACKEND OPTIONS
3404
++Options in these entries only apply to the configuration of a single
3405
++type of backend. All backends may support this class of options, but
3406
++currently only back-mdb does.
3407
++The entry must be named
3408
++.B olcBackend=<databasetype>,cn=config
3409
++and must have the olcBackendConfig objectClass.
3410
++<databasetype>
3411
++should be one of
3412
++.BR asyncmeta ,
3413
++.BR config ,
3414
++.BR dnssrv ,
3415
++.BR ldap ,
3416
++.BR ldif ,
3417
++.BR mdb ,
3418
++.BR meta ,
3419
++.BR monitor ,
3420
++.BR null ,
3421
++.BR passwd ,
3422
++.BR perl ,
3423
++.BR relay ,
3424
++.BR sock ,
3425
++.BR sql ,
3426
++or
3427
++.BR wt .
3428
++At present, only back-mdb implements any options of this type, so this
3429
++entry should not be used for any other backends.
3430
++
3431
++.SH DATABASE OPTIONS
3432
++Database options are set in entries named
3433
++.B olcDatabase={x}<databasetype>,cn=config
3434
++and must have the olcDatabaseConfig objectClass. Normally the config
3435
++engine generates the "{x}" index in the RDN automatically, so it
3436
++can be omitted when initially loading these entries.
3437
++
3438
++The special frontend database is always numbered "{\-1}" and the config
3439
++database is always numbered "{0}".
3440
++
3441
++.SH GLOBAL DATABASE OPTIONS
3442
++Options in this section may be set in the special "frontend" database
3443
++and inherited in all the other databases. These options may be altered
3444
++by further settings in each specific database. The frontend entry must
3445
++be named
3446
++.B olcDatabase=frontend,cn=config
3447
++and must have the olcFrontendConfig objectClass.
3448
++.TP
3449
++.B olcAccess: to <what> "[ by <who> <access> <control> ]+"
3450
++Grant access (specified by <access>) to a set of entries and/or
3451
++attributes (specified by <what>) by one or more requestors (specified
3452
++by <who>).
3453
++If no access controls are present, the default policy
3454
++allows anyone and everyone to read anything but restricts
3455
++updates to rootdn.  (e.g., "olcAccess: to * by * read").
3456
++See
3457
++.BR slapd.access (5)
3458
++and the "OpenLDAP Administrator's Guide" for details.
3459
++
3460
++Access controls set in the frontend are appended to any access
3461
++controls set on the specific databases.
3462
++The rootdn of a database can always read and write EVERYTHING
3463
++in that database.
3464
++
3465
++Extra special care must be taken with the access controls on the
3466
++config database. Unlike other databases, the default policy for the
3467
++config database is to only allow access to the rootdn. Regular users
3468
++should not have read access, and write access should be granted very
3469
++carefully to privileged administrators.
3470
++
3471
++.TP
3472
++.B olcDefaultSearchBase: <dn>
3473
++Specify a default search base to use when client submits a
3474
++non-base search request with an empty base DN.
3475
++Base scoped search requests with an empty base DN are not affected.
3476
++This setting is only allowed in the frontend entry.
3477
++.TP
3478
++.B olcExtraAttrs: <attr>
3479
++Lists what attributes need to be added to search requests.
3480
++Local storage backends return the entire entry to the frontend.
3481
++The frontend takes care of only returning the requested attributes
3482
++that are allowed by ACLs.
3483
++However, features like access checking and so may need specific
3484
++attributes that are not automatically returned by remote storage
3485
++backends, like proxy backends and so on.
3486
++.B <attr>
3487
++is an attribute that is needed for internal purposes
3488
++and thus always needs to be collected, even when not explicitly
3489
++requested by clients.
3490
++This attribute is multi-valued.
3491
++.TP
3492
++.B olcPasswordHash: <hash> [<hash>...]
3493
++This option configures one or more hashes to be used in generation of user
3494
++passwords stored in the userPassword attribute during processing of
3495
++LDAP Password Modify Extended Operations (RFC 3062).
3496
++The <hash> must be one of
3497
++.BR {SSHA} ,
3498
++.BR {SHA} ,
3499
++.BR {SMD5} ,
3500
++.BR {MD5} ,
3501
++.BR {CRYPT} ,
3502
++and
3503
++.BR {CLEARTEXT} .
3504
++The default is
3505
++.BR {SSHA} .
3506
++
3507
++.B {SHA}
3508
++and
3509
++.B {SSHA}
3510
++use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.
3511
++
3512
++.B {MD5}
3513
++and
3514
++.B {SMD5}
3515
++use the MD5 algorithm (RFC 1321), the latter with a seed.
3516
++
3517
++.B {CRYPT}
3518
++uses the
3519
++.BR crypt (3).
3520
++
3521
++.B {CLEARTEXT}
3522
++indicates that the new password should be
3523
++added to userPassword as clear text.
3524
++
3525
++Note that this option does not alter the normal user applications
3526
++handling of userPassword during LDAP Add, Modify, or other LDAP operations.
3527
++This setting is only allowed in the frontend entry.
3528
++.TP
3529
++.B olcReadOnly: TRUE | FALSE
3530
++This option puts the database into "read-only" mode.  Any attempts to 
3531
++modify the database will return an "unwilling to perform" error.  By
3532
++default, olcReadOnly is FALSE. Note that when this option is set
3533
++TRUE on the frontend, it cannot be reset without restarting the
3534
++server, since further writes to the config database will be rejected.
3535
++.TP
3536
++.B olcRequires: <conditions>
3537
++Specify a set of conditions to require (default none).
3538
++The directive may be specified globally and/or per-database;
3539
++databases inherit global conditions, so per-database specifications
3540
++are additive.
3541
++.B bind
3542
++requires bind operation prior to directory operations.
3543
++.B LDAPv3
3544
++requires session to be using LDAP version 3.
3545
++.B authc
3546
++requires authentication prior to directory operations.
3547
++.B SASL
3548
++requires SASL authentication prior to directory operations.
3549
++.B strong
3550
++requires strong authentication prior to directory operations.
3551
++The strong keyword allows protected "simple" authentication
3552
++as well as SASL authentication.
3553
++.B none
3554
++may be used to require no conditions (useful to clear out globally
3555
++set conditions within a particular database); it must occur first
3556
++in the list of conditions.
3557
++.TP
3558
++.B olcRestrict: <oplist>
3559
++Specify a list of operations that are restricted.
3560
++Restrictions on a specific database override any frontend setting.
3561
++Operations can be any of 
3562
++.BR add ,
3563
++.BR bind ,
3564
++.BR compare ,
3565
++.BR delete ,
3566
++.BR extended[=<OID>] ,
3567
++.BR modify ,
3568
++.BR rename ,
3569
++.BR search ,
3570
++or the special pseudo-operations
3571
++.B read
3572
++and
3573
++.BR write ,
3574
++which respectively summarize read and write operations.
3575
++The use of 
3576
++.I restrict write
3577
++is equivalent to 
3578
++.I olcReadOnly: TRUE
3579
++(see above).
3580
++The 
3581
++.B extended
3582
++keyword allows one to indicate the OID of the specific operation
3583
++to be restricted.
3584
++.TP
3585
++.B olcSchemaDN: <dn>
3586
++Specify the distinguished name for the subschema subentry that
3587
++controls the entries on this server.  The default is "cn=Subschema".
3588
++.TP
3589
++.B olcSecurity: <factors>
3590
++Specify a set of security strength factors (separated by white space)
3591
++to require (see
3592
++.BR olcSaslSecprops 's
3593
++.B minssf
3594
++option for a description of security strength factors).
3595
++The directive may be specified globally and/or per-database.
3596
++.B ssf=<n>
3597
++specifies the overall security strength factor.
3598
++.B transport=<n>
3599
++specifies the transport security strength factor.
3600
++.B tls=<n>
3601
++specifies the TLS security strength factor.
3602
++.B sasl=<n>
3603
++specifies the SASL security strength factor.
3604
++.B update_ssf=<n>
3605
++specifies the overall security strength factor to require for
3606
++directory updates.
3607
++.B update_transport=<n>
3608
++specifies the transport security strength factor to require for
3609
++directory updates.
3610
++.B update_tls=<n>
3611
++specifies the TLS security strength factor to require for
3612
++directory updates.
3613
++.B update_sasl=<n>
3614
++specifies the SASL security strength factor to require for
3615
++directory updates.
3616
++.B simple_bind=<n>
3617
++specifies the security strength factor required for
3618
++.I simple
3619
++username/password authentication.
3620
++Note that the
3621
++.B transport
3622
++factor is measure of security provided by the underlying transport,
3623
++e.g. ldapi:// (and eventually IPSEC).  It is not normally used.
3624
++.TP
3625
++.B olcSizeLimit: {<integer>|unlimited}
3626
++.TP
3627
++.B olcSizeLimit: size[.{soft|hard}]=<integer> [...]
3628
++Specify the maximum number of entries to return from a search operation.
3629
++The default size limit is 500.
3630
++Use
3631
++.B unlimited
3632
++to specify no limits.
3633
++The second format allows a fine grain setting of the size limits.
3634
++If no special qualifiers are specified, both soft and hard limits are set.
3635
++Extra args can be added in the same value.
3636
++Additional qualifiers are available; see
3637
++.BR olcLimits
3638
++for an explanation of all of the different flags.
3639
++.TP
3640
++.B olcSortVals: <attr> [...]
3641
++Specify a list of multi-valued attributes whose values will always
3642
++be maintained in sorted order. Using this option will allow Modify,
3643
++Compare, and filter evaluations on these attributes to be performed
3644
++more efficiently. The resulting sort order depends on the
3645
++attributes' syntax and matching rules and may not correspond to
3646
++lexical order or any other recognizable order.
3647
++This setting is only allowed in the frontend entry.
3648
++.TP
3649
++.B olcTimeLimit: {<integer>|unlimited}
3650
++.TP
3651
++.B olcTimeLimit: time[.{soft|hard}]=<integer> [...]
3652
++Specify the maximum number of seconds (in real time)
3653
++.B slapd
3654
++will spend answering a search request.  The default time limit is 3600.
3655
++Use
3656
++.B unlimited
3657
++to specify no limits.
3658
++The second format allows a fine grain setting of the time limits.
3659
++Extra args can be added in the same value. See
3660
++.BR olcLimits
3661
++for an explanation of the different flags.
3662
++
3663
++.SH GENERAL DATABASE OPTIONS
3664
++Options in this section only apply to the specific database for
3665
++which they are defined.  They are supported by every
3666
++type of backend. All of the Global Database Options may also be
3667
++used here.
3668
++.TP
3669
++.B olcAddContentAcl: TRUE | FALSE
3670
++Controls whether Add operations will perform ACL checks on
3671
++the content of the entry being added. This check is off
3672
++by default. See the
3673
++.BR slapd.access (5)
3674
++manual page for more details on ACL requirements for
3675
++Add operations.
3676
++.TP
3677
++.B olcHidden: TRUE | FALSE
3678
++Controls whether the database will be used to answer
3679
++queries. A database that is hidden will never be
3680
++selected to answer any queries, and any suffix configured
3681
++on the database will be ignored in checks for conflicts
3682
++with other databases. By default, olcHidden is FALSE.
3683
++.TP
3684
++.B olcLastMod: TRUE | FALSE
3685
++Controls whether
3686
++.B slapd
3687
++will automatically maintain the 
3688
++modifiersName, modifyTimestamp, creatorsName, and 
3689
++createTimestamp attributes for entries. It also controls
3690
++the entryCSN and entryUUID attributes, which are needed
3691
++by the syncrepl provider. By default, olcLastMod is TRUE.
3692
++.TP
3693
++.B olcLastBind: TRUE | FALSE
3694
++Controls whether
3695
++.B slapd
3696
++will automatically maintain the pwdLastSuccess attribute for
3697
++entries. By default, olcLastBind is FALSE.
3698
++.TP
3699
++.B olcLastBindPrecision: <integer>
3700
++If olcLastBind is enabled, specifies how frequently pwdLastSuccess
3701
++will be updated. More than
3702
++.B integer
3703
++seconds must have passed since the last successful bind. In a
3704
++replicated environment with frequent bind activity it may be
3705
++useful to set this to a large value.
3706
++.TP
3707
++.B olcLimits: <selector> <limit> [<limit> [...]]
3708
++Specify time and size limits based on the operation's initiator or
3709
++base DN.
3710
++The argument
3711
++.B <selector>
3712
++can be any of
3713
++.RS
3714
++.RS
3715
++.TP
3716
++anonymous | users | [<dnspec>=]<pattern> | group[/oc[/at]]=<pattern>
3717
++
3718
++.RE
3719
++with
3720
++.RS
3721
++.TP
3722
++<dnspec> ::= dn[.<type>][.<style>]
3723
++.TP
3724
++<type>  ::= self | this
3725
++.TP
3726
++<style> ::= exact | base | onelevel | subtree | children | regex | anonymous
3727
++
3728
++.RE
3729
++DN type
3730
++.B self
3731
++is the default and means the bound user, while
3732
++.B this
3733
++means the base DN of the operation.
3734
++The term
3735
++.B anonymous
3736
++matches all unauthenticated clients.
3737
++The term
3738
++.B users
3739
++matches all authenticated clients;
3740
++otherwise an
3741
++.B exact
3742
++dn pattern is assumed unless otherwise specified by qualifying 
3743
++the (optional) key string
3744
++.B dn
3745
++with 
3746
++.B exact
3747
++or
3748
++.B base
3749
++(which are synonyms), to require an exact match; with
3750
++.BR onelevel , 
3751
++to require exactly one level of depth match; with
3752
++.BR subtree ,
3753
++to allow any level of depth match, including the exact match; with
3754
++.BR children ,
3755
++to allow any level of depth match, not including the exact match;
3756
++.BR regex
3757
++explicitly requires the (default) match based on POSIX (''extended'')
3758
++regular expression pattern.
3759
++Finally,
3760
++.B anonymous
3761
++matches unbound operations; the 
3762
++.B pattern
3763
++field is ignored.
3764
++The same behavior is obtained by using the 
3765
++.B anonymous
3766
++form of the
3767
++.B <selector>
3768
++clause.
3769
++The term
3770
++.BR group ,
3771
++with the optional objectClass
3772
++.B oc
3773
++and attributeType
3774
++.B at
3775
++fields, followed by
3776
++.BR pattern ,
3777
++sets the limits for any DN listed in the values of the
3778
++.B at
3779
++attribute (default
3780
++.BR member )
3781
++of the 
3782
++.B oc
3783
++group objectClass (default
3784
++.BR groupOfNames )
3785
++whose DN exactly matches
3786
++.BR pattern .
3787
++
3788
++The currently supported limits are 
3789
++.B size
3790
++and 
3791
++.BR time .
3792
++
3793
++The syntax for time limits is 
3794
++.BR time[.{soft|hard}]=<integer> ,
3795
++where 
3796
++.I integer
3797
++is the number of seconds slapd will spend answering a search request.
3798
++If no time limit is explicitly requested by the client, the 
3799
++.BR soft
3800
++limit is used; if the requested time limit exceeds the
3801
++.BR hard
3802
++.\"limit, an
3803
++.\".I "Administrative limit exceeded"
3804
++.\"error is returned.
3805
++limit, the value of the limit is used instead.
3806
++If the
3807
++.BR hard
3808
++limit is set to the keyword 
3809
++.IR soft ,
3810
++the soft limit is used in either case; if it is set to the keyword 
3811
++.IR unlimited , 
3812
++no hard limit is enforced.
3813
++Explicit requests for time limits smaller or equal to the
3814
++.BR hard 
3815
++limit are honored.
3816
++If no limit specifier is set, the value is assigned to the 
3817
++.BR soft 
3818
++limit, and the
3819
++.BR hard
3820
++limit is set to
3821
++.IR soft ,
3822
++to preserve the original behavior.
3823
++
3824
++The syntax for size limits is
3825
++.BR size[.{soft|hard|unchecked}]=<integer> ,
3826
++where
3827
++.I integer
3828
++is the maximum number of entries slapd will return answering a search 
3829
++request.
3830
++If no size limit is explicitly requested by the client, the
3831
++.BR soft
3832
++limit is used; if the requested size limit exceeds the
3833
++.BR hard
3834
++.\"limit, an 
3835
++.\".I "Administrative limit exceeded"
3836
++.\"error is returned.
3837
++limit, the value of the limit is used instead.
3838
++If the 
3839
++.BR hard
3840
++limit is set to the keyword 
3841
++.IR soft , 
3842
++the soft limit is used in either case; if it is set to the keyword
3843
++.IR unlimited , 
3844
++no hard limit is enforced.
3845
++Explicit requests for size limits smaller or equal to the
3846
++.BR hard
3847
++limit are honored.
3848
++The
3849
++.BR unchecked
3850
++specifier sets a limit on the number of candidates a search request is allowed
3851
++to examine.
3852
++The rationale behind it is that searches for non-properly indexed
3853
++attributes may result in large sets of candidates, which must be 
3854
++examined by
3855
++.BR slapd (8)
3856
++to determine whether they match the search filter or not.
3857
++The
3858
++.B unchecked
3859
++limit provides a means to drop such operations before they are even 
3860
++started.
3861
++If the selected candidates exceed the 
3862
++.BR unchecked
3863
++limit, the search will abort with 
3864
++.IR "Unwilling to perform" .
3865
++If it is set to the keyword 
3866
++.IR unlimited , 
3867
++no limit is applied (the default).
3868
++If it is set to
3869
++.IR disabled ,
3870
++the search is not even performed; this can be used to disallow searches
3871
++for a specific set of users.
3872
++If no limit specifier is set, the value is assigned to the
3873
++.BR soft 
3874
++limit, and the
3875
++.BR hard
3876
++limit is set to
3877
++.IR soft ,
3878
++to preserve the original behavior.
3879
++
3880
++In case of no match, the global limits are used.
3881
++The default values are the same as for
3882
++.B olcSizeLimit
3883
++and
3884
++.BR olcTimeLimit ;
3885
++no limit is set on 
3886
++.BR unchecked .
3887
++
3888
++If 
3889
++.B pagedResults
3890
++control is requested, the 
3891
++.B hard
3892
++size limit is used by default, because the request of a specific page size
3893
++is considered an explicit request for a limitation on the number
3894
++of entries to be returned.
3895
++However, the size limit applies to the total count of entries returned within
3896
++the search, and not to a single page.
3897
++Additional size limits may be enforced; the syntax is
3898
++.BR size.pr={<integer>|noEstimate|unlimited} ,
3899
++where
3900
++.I integer
3901
++is the max page size if no explicit limit is set; the keyword
3902
++.I noEstimate
3903
++inhibits the server from returning an estimate of the total number
3904
++of entries that might be returned
3905
++(note: the current implementation does not return any estimate).
3906
++The keyword
3907
++.I unlimited
3908
++indicates that no limit is applied to the pagedResults control page size.
3909
++The syntax
3910
++.B size.prtotal={<integer>|hard|unlimited|disabled}
3911
++allows one to set a limit on the total number of entries that the pagedResults
3912
++control will return.
3913
++By default it is set to the 
3914
++.B hard
3915
++limit which will use the size.hard value.
3916
++When set, 
3917
++.I integer
3918
++is the max number of entries that the whole search with pagedResults control
3919
++can return.
3920
++Use 
3921
++.I unlimited
3922
++to allow unlimited number of entries to be returned, e.g. to allow
3923
++the use of the pagedResults control as a means to circumvent size 
3924
++limitations on regular searches; the keyword
3925
++.I disabled
3926
++disables the control, i.e. no paged results can be returned.
3927
++Note that the total number of entries returned when the pagedResults control 
3928
++is requested cannot exceed the 
3929
++.B hard 
3930
++size limit of regular searches unless extended by the
3931
++.B prtotal
3932
++switch.
3933
++
3934
++The \fBolcLimits\fP statement is typically used to let an unlimited
3935
++number of entries be returned by searches performed
3936
++with the identity used by the consumer for synchronization purposes
3937
++by means of the RFC 4533 LDAP Content Synchronization protocol
3938
++(see \fBolcSyncrepl\fP for details).
3939
++
3940
++When using subordinate databases, it is necessary for any limits that
3941
++are to be applied across the parent and its subordinates to be defined in
3942
++both the parent and its subordinates. Otherwise the settings on the
3943
++subordinate databases are not honored.
3944
++.RE
3945
++.TP
3946
++.B olcMaxDerefDepth: <depth>
3947
++Specifies the maximum number of aliases to dereference when trying to
3948
++resolve an entry, used to avoid infinite alias loops. The default is 15.
3949
++.TP
3950
++.B olcMultiProvider: TRUE | FALSE
3951
++This option puts a consumer database into Multi-Provider mode.  Update
3952
++operations will be accepted from any user, not just the updatedn.  The
3953
++database must already be configured as a syncrepl consumer
3954
++before this keyword may be set. This mode also requires a
3955
++.B olcServerID
3956
++(see above) to be configured.
3957
++By default, this setting is FALSE.
3958
++.TP
3959
++.B olcMonitoring: TRUE | FALSE
3960
++This option enables database-specific monitoring in the entry related
3961
++to the current database in the "cn=Databases,cn=Monitor" subtree
3962
++of the monitor database, if the monitor database is enabled.
3963
++Currently, only the MDB database provides database-specific monitoring.
3964
++If monitoring is supported by the backend it defaults to TRUE, otherwise
3965
++FALSE.
3966
++.TP
3967
++.B olcPlugin: <plugin_type> <lib_path> <init_function> [<arguments>]
3968
++Configure a SLAPI plugin. See the
3969
++.BR slapd.plugin (5)
3970
++manpage for more details.
3971
++.TP
3972
++.B olcRootDN: <dn>
3973
++Specify the distinguished name that is not subject to access control 
3974
++or administrative limit restrictions for operations on this database.
3975
++This DN may or may not be associated with an entry.  An empty root
3976
++DN (the default) specifies no root access is to be granted.  It is
3977
++recommended that the rootdn only be specified when needed (such as
3978
++when initially populating a database).  If the rootdn is within
3979
++a namingContext (suffix) of the database, a simple bind password
3980
++may also be provided using the
3981
++.B olcRootPW
3982
++directive. Many optional features, including syncrepl, require the
3983
++rootdn to be defined for the database.
3984
++The
3985
++.B olcRootDN
3986
++of the
3987
++.B cn=config
3988
++database defaults to
3989
++.B cn=config
3990
++itself.
3991
++.TP
3992
++.B olcRootPW: <password>
3993
++Specify a password (or hash of the password) for the rootdn.  The
3994
++password can only be set if the rootdn is within the namingContext
3995
++(suffix) of the database.
3996
++This option accepts all RFC 2307 userPassword formats known to
3997
++the server (see 
3998
++.B olcPasswordHash
3999
++description) as well as cleartext.
4000
++.BR slappasswd (8) 
4001
++may be used to generate a hash of a password.  Cleartext
4002
++and \fB{CRYPT}\fP passwords are not recommended.  If empty
4003
++(the default), authentication of the root DN is by other means
4004
++(e.g. SASL).  Use of SASL is encouraged.
4005
++.TP
4006
++.B olcSubordinate: [TRUE | FALSE | advertise]
4007
++Specify that the current backend database is a subordinate of another
4008
++backend database. A subordinate  database may have only one suffix. This
4009
++option may be used to glue multiple databases into a single namingContext.
4010
++If the suffix of the current database is within the namingContext of a
4011
++superior database, searches against the superior database will be
4012
++propagated to the subordinate as well. All of the databases
4013
++associated with a single namingContext should have identical rootdns.
4014
++Behavior of other LDAP operations is unaffected by this setting. In
4015
++particular, it is not possible to use moddn to move an entry from
4016
++one subordinate to another subordinate within the namingContext.
4017
++
4018
++If the optional \fBadvertise\fP flag is supplied, the naming context of
4019
++this database is advertised in the root DSE. The default is to hide this
4020
++database context, so that only the superior context is visible.
4021
++
4022
++If the slap tools
4023
++.BR slapcat (8),
4024
++.BR slapadd (8),
4025
++.BR slapmodify (8),
4026
++or
4027
++.BR slapindex (8)
4028
++are used on the superior database, any glued subordinates that support
4029
++these tools are opened as well.
4030
++
4031
++Databases that are glued together should usually be configured with the
4032
++same indices (assuming they support indexing), even for attributes that
4033
++only exist in some of these databases. In general, all of the glued
4034
++databases should be configured as similarly as possible, since the intent
4035
++is to provide the appearance of a single directory.
4036
++
4037
++Note that the subordinate functionality is implemented internally
4038
++by the \fIglue\fP overlay and as such its behavior will interact with other
4039
++overlays in use. By default, the glue overlay is automatically configured as
4040
++the last overlay on the superior database. Its position on the database
4041
++can be explicitly configured by setting an \fBoverlay glue\fP directive
4042
++at the desired position. This explicit configuration is necessary e.g.
4043
++when using the \fIsyncprov\fP overlay, which needs to follow \fIglue\fP
4044
++in order to work over all of the glued databases. E.g.
4045
++.RS
4046
++.nf
4047
++	dn: olcDatabase={1}mdb,cn=config
4048
++	olcSuffix: dc=example,dc=com
4049
++	...
4050
++
4051
++	dn: olcOverlay={0}glue,olcDatabase={1}mdb,cn=config
4052
++	...
4053
++
4054
++	dn: olcOverlay={1}syncprov,olcDatabase={1}mdb,cn=config
4055
++	...
4056
++.fi
4057
++.RE
4058
++See the Overlays section below for more details.
4059
++.TP
4060
++.B olcSuffix: <dn suffix>
4061
++Specify the DN suffix of queries that will be passed to this 
4062
++backend database.  Multiple suffix lines can be given and at least one is 
4063
++required for each database definition.
4064
++
4065
++If the suffix of one database is "inside" that of another, the database
4066
++with the inner suffix must come first in the configuration file.
4067
++You may also want to glue such databases together with the
4068
++.B olcSubordinate
4069
++attribute.
4070
++.TP
4071
++.B olcSyncUseSubentry: TRUE | FALSE
4072
++Store the syncrepl contextCSN in a subentry instead of the context entry
4073
++of the database. The subentry's RDN will be "cn=ldapsync". The default is
4074
++FALSE, meaning the contextCSN is stored in the context entry.
4075
++.HP
4076
++.hy 0
4077
++.B olcSyncrepl: rid=<replica ID>
4078
++.B provider=ldap[s]://<hostname>[:port]
4079
++.B searchbase=<base DN>
4080
++.B [type=refreshOnly|refreshAndPersist]
4081
++.B [interval=dd:hh:mm:ss]
4082
++.B [retry=[<retry interval> <# of retries>]+]
4083
++.B [filter=<filter str>]
4084
++.B [scope=sub|one|base|subord]
4085
++.B [attrs=<attr list>]
4086
++.B [exattrs=<attr list>]
4087
++.B [attrsonly]
4088
++.B [sizelimit=<limit>]
4089
++.B [timelimit=<limit>]
4090
++.B [schemachecking=on|off]
4091
++.B [network\-timeout=<seconds>]
4092
++.B [timeout=<seconds>]
4093
++.B [tcp\-user\-timeout=<milliseconds>]
4094
++.B [bindmethod=simple|sasl]
4095
++.B [binddn=<dn>]
4096
++.B [saslmech=<mech>]
4097
++.B [authcid=<identity>]
4098
++.B [authzid=<identity>]
4099
++.B [credentials=<passwd>]
4100
++.B [realm=<realm>]
4101
++.B [secprops=<properties>]
4102
++.B [keepalive=<idle>:<probes>:<interval>]
4103
++.B [starttls=yes|critical]
4104
++.B [tls_cert=<file>]
4105
++.B [tls_key=<file>]
4106
++.B [tls_cacert=<file>]
4107
++.B [tls_cacertdir=<path>]
4108
++.B [tls_reqcert=never|allow|try|demand]
4109
++.B [tls_reqsan=never|allow|try|demand]
4110
++.B [tls_cipher_suite=<ciphers>]
4111
++.B [tls_ecname=<names>]
4112
++.B [tls_crlcheck=none|peer|all]
4113
++.B [tls_protocol_min=<major>[.<minor>]]
4114
++.B [suffixmassage=<real DN>]
4115
++.B [logbase=<base DN>]
4116
++.B [logfilter=<filter str>]
4117
++.B [syncdata=default|accesslog|changelog]
4118
++.B [lazycommit]
4119
++.RS
4120
++Specify the current database as a consumer which is kept up-to-date with the 
4121
++provider content by establishing the current
4122
++.BR slapd (8)
4123
++as a replication consumer site running a
4124
++.B syncrepl
4125
++replication engine.
4126
++The consumer content is kept synchronized to the provider content using
4127
++the LDAP Content Synchronization protocol. Refer to the
4128
++"OpenLDAP Administrator's Guide" for detailed information on
4129
++setting up a replicated
4130
++.B slapd
4131
++directory service using the 
4132
++.B syncrepl
4133
++replication engine.
4134
++
4135
++.B rid
4136
++identifies the current
4137
++.B syncrepl
4138
++directive within the replication consumer site.
4139
++It is a non-negative integer not greater than 999 (limited
4140
++to three decimal digits).
4141
++
4142
++.B provider
4143
++specifies the replication provider site containing the provider content
4144
++as an LDAP URI. If <port> is not given, the standard LDAP port number
4145
++(389 or 636) is used.
4146
++
4147
++The content of the
4148
++.B syncrepl
4149
++consumer is defined using a search
4150
++specification as its result set. The consumer
4151
++.B slapd
4152
++will send search requests to the provider
4153
++.B slapd
4154
++according to the search specification. The search specification includes
4155
++.BR searchbase ", " scope ", " filter ", " attrs ", " attrsonly ", " sizelimit ", "
4156
++and
4157
++.B timelimit
4158
++parameters as in the normal search specification. The
4159
++.B exattrs
4160
++option may also be used to specify attributes that should be omitted
4161
++from incoming entries.
4162
++The \fBscope\fP defaults to \fBsub\fP, the \fBfilter\fP defaults to
4163
++\fB(objectclass=*)\fP, and there is no default \fBsearchbase\fP. The
4164
++\fBattrs\fP list defaults to \fB"*,+"\fP to return all user and operational
4165
++attributes, and \fBattrsonly\fP and \fBexattrs\fP are unset by default.
4166
++The \fBsizelimit\fP and \fBtimelimit\fP only
4167
++accept "unlimited" and positive integers, and both default to "unlimited".
4168
++The \fBsizelimit\fP and \fBtimelimit\fP parameters define
4169
++a consumer requested limitation on the number of entries that can be returned
4170
++by the LDAP Content Synchronization operation; these should be left unchanged
4171
++from the default otherwise replication may never succeed.
4172
++Note, however, that any provider-side limits for the replication identity
4173
++will be enforced by the provider regardless of the limits requested
4174
++by the LDAP Content Synchronization operation, much like for any other
4175
++search operation.
4176
++
4177
++The LDAP Content Synchronization protocol has two operation types.
4178
++In the
4179
++.B refreshOnly
4180
++operation, the next synchronization search operation
4181
++is periodically rescheduled at an interval time (specified by 
4182
++.B interval
4183
++parameter; 1 day by default)
4184
++after each synchronization operation finishes.
4185
++In the
4186
++.B refreshAndPersist
4187
++operation, a synchronization search remains persistent in the provider slapd.
4188
++Further updates to the provider will generate
4189
++.B searchResultEntry
4190
++to the consumer slapd as the search responses to the persistent
4191
++synchronization search. If the initial search fails due to an error, the
4192
++next synchronization search operation is periodically rescheduled at an
4193
++interval time (specified by
4194
++.B interval
4195
++parameter; 1 day by default)
4196
++
4197
++If an error occurs during replication, the consumer will attempt to
4198
++reconnect according to the
4199
++.B retry
4200
++parameter which is a list of the <retry interval> and <# of retries> pairs.
4201
++For example, retry="60 10 300 3" lets the consumer retry every 60 seconds
4202
++for the first 10 times and then retry every 300 seconds for the next 3
4203
++times before stop retrying. The `+' in <# of retries> means indefinite
4204
++number of retries until success.
4205
++If no
4206
++.B retry
4207
++is specified, by default syncrepl retries every hour forever.
4208
++
4209
++The schema checking can be enforced at the LDAP Sync
4210
++consumer site by turning on the
4211
++.B schemachecking
4212
++parameter. The default is \fBoff\fP.
4213
++Schema checking \fBon\fP means that replicated entries must have
4214
++a structural objectClass, must obey to objectClass requirements
4215
++in terms of required/allowed attributes, and that naming attributes
4216
++and distinguished values must be present.
4217
++As a consequence, schema checking should be \fBoff\fP when partial
4218
++replication is used.
4219
++
4220
++The
4221
++.B network\-timeout
4222
++parameter sets how long the consumer will wait to establish a
4223
++network connection to the provider. Once a connection is
4224
++established, the
4225
++.B timeout
4226
++parameter determines how long the consumer will wait for the initial
4227
++Bind request to complete. The defaults for these parameters come
4228
++from 
4229
++.BR ldap.conf (5).
4230
++The
4231
++.B tcp\-user\-timeout
4232
++parameter, if non-zero, corresponds to the
4233
++.B TCP_USER_TIMEOUT
4234
++set on the target connections, overriding the operating system setting.
4235
++Only some systems support the customization of this parameter, it is
4236
++ignored otherwise and system-wide settings are used.
4237
++
4238
++A
4239
++.B bindmethod
4240
++of 
4241
++.B simple
4242
++requires the options 
4243
++.B binddn
4244
++and 
4245
++.B credentials
4246
++and should only be used when adequate security services
4247
++(e.g. TLS or IPSEC) are in place.
4248
++.B REMEMBER: simple bind credentials must be in cleartext!
4249
++A
4250
++.B bindmethod
4251
++of
4252
++.B sasl
4253
++requires the option
4254
++.B saslmech.
4255
++Depending on the mechanism, an authentication identity and/or
4256
++credentials can be specified using
4257
++.B authcid
4258
++and
4259
++.B credentials.
4260
++The
4261
++.B authzid
4262
++parameter may be used to specify an authorization identity.
4263
++Specific security properties (as with the
4264
++.B sasl\-secprops
4265
++keyword above) for a SASL bind can be set with the
4266
++.B secprops
4267
++option. A non default SASL realm can be set with the
4268
++.B realm 
4269
++option.
4270
++The identity used for synchronization by the consumer should be allowed
4271
++to receive an unlimited number of entries in response to a search request.
4272
++The provider, other than allowing authentication of the syncrepl identity,
4273
++should grant that identity appropriate access privileges to the data
4274
++that is being replicated (\fBaccess\fP directive), and appropriate time
4275
++and size limits.
4276
++This can be accomplished by either allowing unlimited \fBsizelimit\fP
4277
++and \fBtimelimit\fP, or by setting an appropriate \fBlimits\fP statement
4278
++in the consumer's configuration (see \fBsizelimit\fP and \fBlimits\fP
4279
++for details).
4280
++
4281
++The
4282
++.B keepalive
4283
++parameter sets the values of \fIidle\fP, \fIprobes\fP, and \fIinterval\fP
4284
++used to check whether a socket is alive;
4285
++.I idle
4286
++is the number of seconds a connection needs to remain idle before TCP 
4287
++starts sending keepalive probes;
4288
++.I probes
4289
++is the maximum number of keepalive probes TCP should send before dropping
4290
++the connection;
4291
++.I interval
4292
++is interval in seconds between individual keepalive probes.
4293
++Only some systems support the customization of these values;
4294
++the
4295
++.B keepalive
4296
++parameter is ignored otherwise, and system-wide settings are used.
4297
++
4298
++The
4299
++.B starttls
4300
++parameter specifies use of the StartTLS extended operation
4301
++to establish a TLS session before Binding to the provider. If the
4302
++.B critical
4303
++argument is supplied, the session will be aborted if the StartTLS request
4304
++fails. Otherwise the syncrepl session continues without TLS. The
4305
++.B tls_reqcert
4306
++setting defaults to "demand", the
4307
++.B tls_reqsan
4308
++setting defaults to "allow", and the other TLS settings
4309
++default to the same as the main slapd TLS settings.
4310
++
4311
++The
4312
++.B suffixmassage
4313
++parameter allows the consumer to pull entries from a remote directory
4314
++whose DN suffix differs from the local directory. The portion of the
4315
++remote entries' DNs that matches the \fIsearchbase\fP will be replaced
4316
++with the suffixmassage DN.
4317
++
4318
++Rather than replicating whole entries, the consumer can query logs of
4319
++data modifications. This mode of operation is referred to as \fIdelta
4320
++syncrepl\fP. In addition to the above parameters, the
4321
++.B logbase
4322
++and
4323
++.B logfilter
4324
++parameters must be set appropriately for the log that will be used. The
4325
++.B syncdata
4326
++parameter must be set to either "accesslog" if the log conforms to the
4327
++.BR slapo\-accesslog (5)
4328
++log format, or "changelog" if the log conforms
4329
++to the obsolete \fIchangelog\fP format. If the
4330
++.B syncdata
4331
++parameter is omitted or set to "default" then the log parameters are
4332
++ignored.
4333
++
4334
++The
4335
++.B lazycommit
4336
++parameter tells the underlying database that it can store changes without
4337
++performing a full flush after each change. This may improve performance
4338
++for the consumer, while sacrificing safety or durability.
4339
++.RE
4340
++.TP
4341
++.B olcUpdateDN: <dn>
4342
++This option is only applicable in a replica
4343
++database.
4344
++It specifies the DN permitted to update (subject to access controls)
4345
++the replica.  It is only needed in certain push-mode
4346
++replication scenarios.  Generally, this DN
4347
++.I should not
4348
++be the same as the
4349
++.B rootdn 
4350
++used at the provider.
4351
++.TP
4352
++.B olcUpdateRef: <url>
4353
++Specify the referral to pass back when
4354
++.BR slapd (8)
4355
++is asked to modify a replicated local database.
4356
++If multiple values are specified, each url is provided.
4357
++
4358
++.SH DATABASE-SPECIFIC OPTIONS
4359
++Each database may allow specific configuration options; they are
4360
++documented separately in the backends' manual pages. See the
4361
++.BR slapd.backends (5)
4362
++manual page for an overview of available backends.
4363
++.SH OVERLAYS
4364
++An overlay is a piece of
4365
++code that intercepts database operations in order to extend or change
4366
++them. Overlays are pushed onto
4367
++a stack over the database, and so they will execute in the reverse
4368
++of the order in which they were configured and the database itself
4369
++will receive control last of all.
4370
++
4371
++Overlays must be configured as child entries of a specific database. The
4372
++entry's RDN must be of the form
4373
++.B olcOverlay={x}<overlaytype>
4374
++and the entry must have the olcOverlayConfig objectClass. Normally the
4375
++config engine generates the "{x}" index in the RDN automatically, so
4376
++it can be omitted when initially loading these entries.
4377
++
4378
++See the
4379
++.BR slapd.overlays (5)
4380
++manual page for an overview of available overlays.
4381
++.SH EXAMPLES
4382
++.LP
4383
++Here is a short example of a configuration in LDIF suitable for use with
4384
++.BR slapadd (8)
4385
++:
4386
++.LP
4387
++.RS
4388
++.nf
4389
++dn: cn=config
4390
++objectClass: olcGlobal
4391
++cn: config
4392
++olcPidFile: LOCALSTATEDIR/run/slapd.pid
4393
++olcAttributeOptions: x\-hidden lang\-
4394
++
4395
++dn: cn=schema,cn=config
4396
++objectClass: olcSchemaConfig
4397
++cn: schema
4398
++
4399
++include: file://SYSCONFDIR/schema/core.ldif
4400
++
4401
++dn: olcDatabase=frontend,cn=config
4402
++objectClass: olcDatabaseConfig
4403
++objectClass: olcFrontendConfig
4404
++olcDatabase: frontend
4405
++# Subtypes of "name" (e.g. "cn" and "ou") with the
4406
++# option ";x\-hidden" can be searched for/compared,
4407
++# but are not shown.  See \fBslapd.access\fP(5).
4408
++olcAccess: to attrs=name;x\-hidden by * =cs
4409
++# Protect passwords.  See \fBslapd.access\fP(5).
4410
++olcAccess: to attrs=userPassword  by * auth
4411
++# Read access to other attributes and entries.
4412
++olcAccess: to * by * read
4413
++
4414
++# set a rootpw for the config database so we can bind.
4415
++# deny access to everyone else.
4416
++dn: olcDatabase=config,cn=config
4417
++objectClass: olcDatabaseConfig
4418
++olcDatabase: config
4419
++olcRootPW: {SSHA}XKYnrjvGT3wZFQrDD5040US592LxsdLy
4420
++olcAccess: to * by * none
4421
++
4422
++dn: olcDatabase=mdb,cn=config
4423
++objectClass: olcDatabaseConfig
4424
++objectClass: olcMdbConfig
4425
++olcDatabase: mdb
4426
++olcSuffix: "dc=our\-domain,dc=com"
4427
++# The database directory MUST exist prior to
4428
++# running slapd AND should only be accessible
4429
++# by the slapd/tools. Mode 0700 recommended.
4430
++olcDbDirectory: LOCALSTATEDIR/openldap\-data
4431
++# Indices to maintain
4432
++olcDbIndex:     objectClass  eq
4433
++olcDbIndex:     cn,sn,mail   pres,eq,approx,sub
4434
++
4435
++# We serve small clients that do not handle referrals,
4436
++# so handle remote lookups on their behalf.
4437
++dn: olcDatabase=ldap,cn=config
4438
++objectClass: olcDatabaseConfig
4439
++objectClass: olcLdapConfig
4440
++olcDatabase: ldap
4441
++olcSuffix: ""
4442
++olcDbUri: ldap://ldap.some\-server.com/
4443
++.fi
4444
++.RE
4445
++.LP
4446
++Assuming the above data was saved in a file named "config.ldif" and the
4447
++ETCDIR/slapd.d directory has been created, this command will initialize
4448
++the configuration:
4449
++.RS
4450
++.nf
4451
++slapadd \-F ETCDIR/slapd.d \-n 0 \-l config.ldif
4452
++.fi
4453
++.RE
4454
++
4455
++.LP
4456
++"OpenLDAP Administrator's Guide" contains a longer annotated
4457
++example of a slapd configuration.
4458
++
4459
++Alternatively, an existing slapd.conf file can be converted to the new
4460
++format using slapd or any of the slap tools:
4461
++.RS
4462
++.nf
4463
++slaptest \-f ETCDIR/slapd.conf \-F ETCDIR/slapd.d
4464
++.fi
4465
++.RE
4466
++
4467
++.SH FILES
4468
++.TP
4469
++ETCDIR/slapd.conf
4470
++default slapd configuration file
4471
++.TP
4472
++ETCDIR/slapd.d
4473
++default slapd configuration directory
4474
++.SH SEE ALSO
4475
++.BR ldap (3),
4476
++.BR ldif (5),
4477
++.BR gnutls\-cli (1),
4478
++.BR slapd.access (5),
4479
++.BR slapd.backends (5),
4480
++.BR slapd.conf (5),
4481
++.BR slapd.overlays (5),
4482
++.BR slapd.plugin (5),
4483
++.BR slapd (8),
4484
++.BR slapacl (8),
4485
++.BR slapadd (8),
4486
++.BR slapauth (8),
4487
++.BR slapcat (8),
4488
++.BR slapdn (8),
4489
++.BR slapindex (8),
4490
++.BR slapmodify (8),
4491
++.BR slappasswd (8),
4492
++.BR slaptest (8).
4493
++.LP
4494
++"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
4495
++.SH ACKNOWLEDGEMENTS
4496
++.so ../Project
4497
+diff -Naurp openldap-2.6.2.orig/include/ldap_defaults.h openldap-2.6.2/include/ldap_defaults.h
4498
+--- openldap-2.6.2.orig/include/ldap_defaults.h	2022-05-04 16:55:23.000000000 +0200
4499
+@@ -40,7 +40,8 @@
4500
+ 
4501
+ /* default ldapi:// socket */
4502
+ #ifndef LDAPI_SOCK
4503
+-#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi"
4504
++#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "openldap" LDAP_DIRSEP "ldapi"
4505
++
4506
+ #endif
4507
+ 
4508
+ /*
4509
+@@ -54,7 +55,8 @@
4510
+ #define SLAPD_DEFAULT_CONFIGDIR		LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.d"
4511
+ #endif
4512
+ #ifndef SLAPD_DEFAULT_DB_DIR
4513
+-#define SLAPD_DEFAULT_DB_DIR		LDAP_RUNDIR LDAP_DIRSEP "openldap-data"
4514
++#define SLAPD_DEFAULT_DB_DIR        LDAP_RUNDIR LDAP_DIRSEP "lib" LDAP_DIRSEP "openldap"
4515
++
4516
+ #endif
4517
+ #define SLAPD_DEFAULT_DB_MODE		0600
4518
+ 	/* default max deref depth for aliases */
4519
+diff -Naurp openldap-2.6.2.orig/libraries/liblber/Makefile.in openldap-2.6.2/libraries/liblber/Makefile.in
4520
+--- openldap-2.6.2.orig/libraries/liblber/Makefile.in	2022-05-04 16:55:23.000000000 +0200
4521
+@@ -51,6 +51,6 @@ idtest:  $(XLIBS) idtest.o
4522
+ 
4523
+ install-local: FORCE
4524
+ 	-$(MKDIR) $(DESTDIR)$(libdir)
4525
+-	$(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir)
4526
++	$(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir)
4527
+ 	$(LTFINISH) $(DESTDIR)$(libdir)
4528
+ 
4529
+diff -Naurp openldap-2.6.2.orig/libraries/libldap/Makefile.in openldap-2.6.2/libraries/libldap/Makefile.in
4530
+--- openldap-2.6.2.orig/libraries/libldap/Makefile.in	2022-05-04 16:55:23.000000000 +0200
4531
+@@ -82,7 +82,7 @@ CFFILES=ldap.conf
4532
+ 
4533
+ install-local: $(CFFILES) FORCE
4534
+ 	-$(MKDIR) $(DESTDIR)$(libdir)
4535
+-	$(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir)
4536
++	$(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir)
4537
+ 	$(LTFINISH) $(DESTDIR)$(libdir)
4538
+ 	-$(MKDIR) $(DESTDIR)$(sysconfdir)
4539
+ 	@for i in $(CFFILES); do \
4540
+diff -Naurp openldap-2.6.2.orig/servers/slapd/Makefile.in openldap-2.6.2/servers/slapd/Makefile.in
4541
+--- openldap-2.6.2.orig/servers/slapd/Makefile.in	2022-05-04 16:55:23.000000000 +0200
4542
+@@ -374,9 +374,10 @@ install-local-srv: install-slapd install
4543
+ 
4544
+ install-slapd: FORCE
4545
+ 	-$(MKDIR) $(DESTDIR)$(libexecdir)
4546
++	-$(MKDIR) $(DESTDIR)$(sbindir)
4547
+ 	-$(MKDIR) $(DESTDIR)$(localstatedir)/run
4548
+ 	$(LTINSTALL) $(INSTALLFLAGS) $(STRIP_OPTS) -m 755 \
4549
+-		slapd$(EXEEXT) $(DESTDIR)$(libexecdir)
4550
++		slapd$(EXEEXT) $(DESTDIR)$(sbindir)
4551
+ 	@for i in $(SUBDIRS); do \
4552
+ 	    if test -d $$i && test -f $$i/Makefile ; then \
4553
+ 		echo; echo "  cd $$i && $(MAKE) $(MFLAGS) install"; \
4554
+@@ -452,9 +453,9 @@ install-conf: FORCE
4555
+ 
4556
+ install-db-config: FORCE
4557
+ 	@-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir)
4558
+-	@-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data
4559
++	@-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/lib/openldap
4560
+ 	$(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
4561
+-		$(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example
4562
++		$(DESTDIR)$(localstatedir)/lib/openldap/DB_CONFIG.example
4563
+ 	$(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
4564
+ 		$(DESTDIR)$(sysconfdir)/DB_CONFIG.example
4565
+ 
4566
+@@ -462,6 +463,6 @@ install-tools: FORCE
4567
+ 	-$(MKDIR) $(DESTDIR)$(sbindir)
4568
+ 	for i in $(SLAPTOOLS); do \
4569
+ 		$(RM) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \
4570
+-		$(LN_S) -f $(DESTDIR)$(libexecdir)/slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \
4571
++		$(LN_S) -f $(DESTDIR)$(sbindir)/slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \
4572
+ 	done
4573
+ 
4574
+diff -Naurp openldap-2.6.2.orig/servers/slapd/slapd.conf openldap-2.6.2/servers/slapd/slapd.conf
4575
+--- openldap-2.6.2.orig/servers/slapd/slapd.conf	2022-05-04 16:55:23.000000000 +0200
4576
+@@ -10,8 +10,9 @@ include		%SYSCONFDIR%/schema/core.schema
4577
+ # service AND an understanding of referrals.
4578
+ #referral	ldap://root.openldap.org
4579
+ 
4580
+-pidfile		%LOCALSTATEDIR%/run/slapd.pid
4581
+-argsfile	%LOCALSTATEDIR%/run/slapd.args
4582
++pidfile		%LOCALSTATEDIR%/run/openldap/slapd.pid
4583
++argsfile	%LOCALSTATEDIR%/run/openldap/slapd.args
4584
++
4585
+ 
4586
+ # Load dynamic backend modules:
4587
+ modulepath	%MODULEDIR%
4588
+@@ -69,7 +70,7 @@ rootpw		secret
4589
+ # The database directory MUST exist prior to running slapd AND 
4590
+ # should only be accessible by the slapd and slap tools.
4591
+ # Mode 700 recommended.
4592
+-directory	%LOCALSTATEDIR%/openldap-data
4593
++directory	%LOCALSTATEDIR%/lib/openldap
4594
+ # Indices to maintain
4595
+ index	objectClass	eq
4596
+ 
4597
+diff -Naurp openldap-2.6.2.orig/servers/slapd/slapd.ldif openldap-2.6.2/servers/slapd/slapd.ldif
4598
+--- openldap-2.6.2.orig/servers/slapd/slapd.ldif	2022-05-04 16:55:23.000000000 +0200
4599
+@@ -9,8 +9,8 @@ cn: config
4600
+ #
4601
+ # Define global ACLs to disable default read access.
4602
+ #
4603
+-olcArgsFile: %LOCALSTATEDIR%/run/slapd.args
4604
+-olcPidFile: %LOCALSTATEDIR%/run/slapd.pid
4605
++olcArgsFile: %LOCALSTATEDIR%/run/openldap/slapd.args
4606
++olcPidFile: %LOCALSTATEDIR%/run/openldap/slapd.pid
4607
+ #
4608
+ # Do not enable referrals until AFTER you have a working directory
4609
+ # service AND an understanding of referrals.
4610
+@@ -88,7 +88,7 @@ olcRootPW: secret
4611
+ # The database directory MUST exist prior to running slapd AND 
4612
+ # should only be accessible by the slapd and slap tools.
4613
+ # Mode 700 recommended.
4614
+-olcDbDirectory:	%LOCALSTATEDIR%/openldap-data
4615
++olcDbDirectory:	%LOCALSTATEDIR%/lib/openldap
4616
+ # Indices to maintain
4617
+ olcDbIndex: objectClass eq
4618
+ 
4619
+diff -Naurp openldap-2.6.2.orig/servers/slapd/slapi/Makefile.in openldap-2.6.2/servers/slapd/slapi/Makefile.in
4620
+--- openldap-2.6.2.orig/servers/slapd/slapi/Makefile.in	2022-05-04 16:55:23.000000000 +0200
4621
+@@ -46,6 +46,6 @@ BUILD_MOD = @BUILD_SLAPI@
4622
+ install-local: FORCE
4623
+ 	if test "$(BUILD_MOD)" = "yes"; then \
4624
+ 		$(MKDIR) $(DESTDIR)$(libdir); \
4625
+-		$(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir); \
4626
++		$(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir); \
4627
+ 	fi
4628
+ 
0 4629
new file mode 100644
@@ -0,0 +1,37 @@
0
+From 6779e56fafb0aa8ae5efa7068da34a630b51b530 Mon Sep 17 00:00:00 2001
1
+From: Simon Pichugin <spichugi@redhat.com>
2
+Date: Fri, 5 Aug 2022 13:23:52 -0700
3
+Subject: [PATCH] Add export symbols related to LDAP_CONNECTIONLESS
4
+
5
+---
6
+ libraries/liblber/lber.map | 1 +
7
+ libraries/libldap/ldap.map | 1 +
8
+ 2 files changed, 2 insertions(+)
9
+
10
+diff --git a/libraries/liblber/lber.map b/libraries/liblber/lber.map
11
+index 9a4094b0f..083cd1f32 100644
12
+--- a/libraries/liblber/lber.map
13
+@@ -121,6 +121,7 @@ OPENLDAP_2.200
14
+     ber_sockbuf_io_fd;
15
+     ber_sockbuf_io_readahead;
16
+     ber_sockbuf_io_tcp;
17
++    ber_sockbuf_io_udp;
18
+     ber_sockbuf_remove_io;
19
+     ber_sos_dump;
20
+     ber_start;
21
+diff --git a/libraries/libldap/ldap.map b/libraries/libldap/ldap.map
22
+index b28c9c21e..021aaba63 100644
23
+--- a/libraries/libldap/ldap.map
24
+@@ -200,6 +200,7 @@ OPENLDAP_2.200
25
+     ldap_is_ldap_url;
26
+     ldap_is_ldapi_url;
27
+     ldap_is_ldaps_url;
28
++    ldap_is_ldapc_url;
29
+     ldap_is_read_ready;
30
+     ldap_is_write_ready;
31
+     ldap_ld_free;
32
+-- 
33
+2.37.1
34
+
@@ -1,10 +1,10 @@
1 1
 %global _default_patch_fuzz 2
2
-%global debug_package %{nil}
2
+%global debug_package       %{nil}
3 3
 
4 4
 Summary:        OpenLdap-2.4.43
5 5
 Name:           openldap
6
-Version:        2.4.58
7
-Release:        2%{?dist}
6
+Version:        2.6.3
7
+Release:        1%{?dist}
8 8
 License:        OpenLDAP
9 9
 URL:            https://www.openldap.org
10 10
 Group:          System Environment/Security
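Review bot: The `Summary:` line in this hunk still reads `OpenLdap-2.4.43` while the adjacent `Version:` moves from 2.4.58 to 2.6.3, so the package metadata advertises a version that is not the one being built. A summary should not embed a version at all, since `%{version}` already carries it; `Summary:        OpenLDAP` (matching the name the `%description` uses) would stay correct across future bumps. The remainder of the spec preamble is outside this hunk.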
... ...
@@ -12,20 +12,23 @@ Vendor:         VMware, Inc.
12 12
 Distribution:   Photon
13 13
 
14 14
 Source0: https://www.openldap.org/software/download/OpenLDAP/openldap-release/%{name}-%{version}.tgz
15
-%define sha512 %{name}=2fa2aa36117692eca44e55559f162c8c796f78469e6c2aee91b06d46f2b755d416979c913a3d89bbf9db14cc84881ecffee69af75b48e1d16b7aa9d2e3873baa
15
+%define sha512 %{name}=56efbbfc68779ad635d2c25228eb9c4f1553b107b96e8a438029b1c5d2f2647cf4d437770554392b436718ea44a4813e17f5195049f67fc09d063a981096cd85
16 16
 
17
-Patch0:         openldap-2.4.51-consolidated-2.patch
17
+# Patch0 is downloaded from:
18
+# https://www.linuxfromscratch.org/patches/blfs/svn
19
+Patch0: %{name}-%{version}-consolidated-1.patch
20
+Patch2: openldap-add-export-symbols-LDAP_CONNECTIONLESS.patch
18 21
 
19
-Requires:       openssl >= 1.0.1
20
-Requires:       cyrus-sasl >= 2.1
21
-Requires:       systemd
22
+Requires: openssl
23
+Requires: cyrus-sasl
24
+Requires: systemd
22 25
 
23
-BuildRequires:  cyrus-sasl-devel >= 2.1
24
-BuildRequires:  openssl-devel >= 1.0.1
25
-BuildRequires:  groff
26
-BuildRequires:  e2fsprogs-devel
27
-BuildRequires:  libtool
28
-BuildRequires:  systemd-devel
26
+BuildRequires: cyrus-sasl-devel
27
+BuildRequires: openssl-devel
28
+BuildRequires: groff
29
+BuildRequires: e2fsprogs-devel
30
+BuildRequires: libtool
31
+BuildRequires: systemd-devel
29 32
 
30 33
 %description
31 34
 OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
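Review bot: The new `Patch0` comment names only a directory (`https://www.linuxfromscratch.org/patches/blfs/svn`), not the exact file or revision that `%{name}-%{version}-consolidated-1.patch` was taken from, and unlike `Source0` the patch has no `sha512` recorded, so a reviewer cannot verify the checked-in patch against its upstream. Extending the comment to the full file URL and the digest of the downloaded file, e.g. `# sha512: <PLACEHOLDER digest of the downloaded patch>`, would let later re-downloads be compared. The numbering also jumps from `Patch0` to `Patch2`; either renumber or add a comment saying why `Patch1` is reserved. The consolidated patch content shown earlier on this page relocates the ldapi socket and the pid/args files under `run/openldap/` and installs the shared libraries with mode 755; the `%install`/`%files` sections and any tmpfiles or unit handling are outside this view, so confirm they create that runtime directory and match the new paths.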
... ...
@@ -36,51 +39,54 @@ similar to the way DNS (Domain Name System) information is propagated
36 36
 over the Internet. The openldap package contains configuration files,
37 37
 libraries, and documentation for OpenLDAP.
38 38
 
39
+%package devel
40
+Summary: LDAP development libraries and header files
41
+Requires: %{name} = %{version}-%{release}
42
+Requires: cyrus-sasl-devel
43
+
44
+%description devel
45
+The openldap-devel package includes the development libraries and
46
+header files needed for compiling applications that use LDAP
47
+(Lightweight Directory Access Protocol) internals. LDAP is a set of
48
+protocols for enabling directory services over the Internet. Install
49
+this package only if you plan to develop or will need to compile
50
+customized LDAP clients.
51
+
39 52
 %prep
40 53
 %autosetup -p1
41 54
 
42 55
 %build
43
-autoconf
44
-sed -i '/6.0.20/ a\\t__db_version_compat' configure
45
-export CPPFLAGS="-D_REENTRANT -DLDAP_CONNECTIONLESS -D_GNU_SOURCE -D_AVL_H"
56
+export CFLAGS="${CFLAGS} ${LDFLAGS} -Wl,--as-needed -DLDAP_CONNECTIONLESS"
46 57
 %configure \
47 58
          $(test %{_host} != %{_build} && echo "CC=%{_host}-gcc --with-yielding-select=yes --with-sysroot=/target-%{_arch}") \
48
-        --disable-static     \
49
-        --disable-slapd      \
50
-        --with-tls=openssl   \
51
-        --enable-debug       \
52
-        --enable-dynamic     \
53
-        --enable-syslog      \
54
-        --enable-ipv6        \
55
-        --enable-local       \
56
-        --enable-crypt       \
57
-        --enable-spasswd     \
58
-        --enable-modules     \
59
-        --enable-backends    \
60
-        --disable-ndb --enable-overlays=mod \
61
-        --with-cyrus-sasl    \
62
-        --with-threads
63
-sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
59
+        --disable-static \
60
+        --disable-slapd \
61
+        --disable-ndb \
62
+        --with-tls=openssl \
63
+        --enable-debug \
64
+        --enable-dynamic \
65
+        --enable-syslog \
66
+        --enable-ipv6 \
67
+        --enable-local \
68
+        --enable-crypt \
69
+        --enable-spasswd \
70
+        --enable-modules \
71
+        --enable-backends \
72
+        --enable-overlays=mod \
73
+        --with-cyrus-sasl \
74
+        --with-threads \
75
+        --with-pic \
76
+        --with-gnu-ld
64 77
 
65 78
 if [ %{_host} != %{_build} ]; then
66 79
  sed -i '/#define NEED_MEMCMP_REPLACEMENT 1/d' include/portable.h
67 80
 fi
68
-%make_build depend
69 81
 %make_build
70 82
 
71 83
 %install
72 84
 %make_install %{?_smp_mflags}
73 85
 %{_fixperms} %{buildroot}/*
74 86
 
75
-pushd %{buildroot}%{_libdir}
76
-v=%{version}
77
-version=$(echo ${v%.[0-9]*})
78
-for lib in liblber libldap libldap_r libslapi; do
79
-  rm -f ${lib}.so
80
-  ln -s ${lib}-${version}.so.2 ${lib}.so
81
-done
82
-popd
83
-
84 87
 %if 0%{?with_check}
85 88
 %check
86 89
 make %{?_smp_mflags} test
... ...
@@ -96,16 +102,24 @@ rm -rf %{buildroot}/*
96 96
 %files
97 97
 %defattr(-,root,root)
98 98
 %{_bindir}/*
99
-%{_includedir}/*
100 99
 %dir %{_sysconfdir}/%{name}
101
-%{_sysconfdir}/%{name}/*
102
-%{_libdir}/*
100
+%{_sysconfdir}/%{name}/ldap.conf.default
101
+%config(noreplace) %{_sysconfdir}/%{name}/ldap.conf
102
+%{_libdir}/*.so.*
103
+
104
+%files devel
105
+%defattr(-,root,root)
106
+%{_includedir}/*
107
+%{_libdir}/*.so
108
+%{_libdir}/pkgconfig/*.pc
103 109
 %{_mandir}/man1/*
104 110
 %{_mandir}/man3/*
105 111
 %{_mandir}/man5/*
106 112
 %{_mandir}/man8/*
107 113
 
108 114
 %changelog
115
+* Fri Feb 10 2023 Shreenidhi Shedi <sshedi@vmware.com> 2.6.3-1
116
+- Upgrade to v2.6.3
109 117
 * Wed Aug 04 2021 Satya Naga Vasamsetty <svasamsetty@vmware.com> 2.4.58-2
110 118
 - Bump up release for openssl
111 119
 * Tue Apr 13 2021 Gerrit Photon <photon-checkins@vmware.com> 2.4.58-1
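Review bot: The provenance comment added above `Patch0` in the Source/Patch hunk names only a branch directory (`https://www.linuxfromscratch.org/patches/blfs/svn`), so a reviewer cannot re-fetch and compare the vendored `%{name}-%{version}-consolidated-1.patch`, and unlike `Source0` the patch has no checksum recorded next to it. Please record the exact file URL and the sha512 of the vendored patch in that comment (a `# sha512: <checksum of the vendored patch>` line is enough) so the third-party patch is pinned the same way the tarball is. The numbering also jumps from `Patch0` to `Patch2`; renaming to `Patch1` avoids the impression that a patch was dropped. In the %build hunk, `export CFLAGS="${CFLAGS} ${LDFLAGS} -Wl,--as-needed -DLDAP_CONNECTIONLESS"` relies on the build preamble having already exported CFLAGS/LDFLAGS — if either is unset at that point the exported value is still non-empty and `%configure` will no longer fall back to `%{optflags}`, so `${CFLAGS:-%{optflags}}` would be the safer spelling.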
... ...
@@ -12,7 +12,7 @@
12 12
 Summary:        PostgreSQL database engine
13 13
 Name:           postgresql13
14 14
 Version:        13.8
15
-Release:        11%{?dist}
15
+Release:        12%{?dist}
16 16
 License:        PostgreSQL
17 17
 URL:            www.postgresql.org
18 18
 Group:          Applications/Databases
... ...
@@ -37,7 +37,7 @@ BuildRequires:  libxslt-devel
37 37
 BuildRequires:  linux-api-headers
38 38
 BuildRequires:  Linux-PAM-devel
39 39
 BuildRequires:  llvm-devel
40
-BuildRequires:  openldap
40
+BuildRequires:  openldap-devel
41 41
 BuildRequires:  perl
42 42
 BuildRequires:  perl-IPC-Run
43 43
 BuildRequires:  python3-devel
... ...
@@ -644,6 +644,8 @@ rm -rf %{buildroot}/*
644 644
 %{_pglibdir}/plpython3.so
645 645
 
646 646
 %changelog
647
+* Fri Feb 10 2023 Shreenidhi Shedi <sshedi@vmware.com> 13.8-12
648
+- Bump version as a part of openldap upgrade
647 649
 * Thu Feb 09 2023 Shreenidhi Shedi <sshedi@vmware.com> 13.8-11
648 650
 - Fix CVE-2022-41862
649 651
 * Thu Jan 26 2023 Ashwin Dayanand Kamat <kashwindayan@vmware.com> 13.8-10
... ...
@@ -12,7 +12,7 @@
12 12
 Summary:        PostgreSQL database engine
13 13
 Name:           postgresql14
14 14
 Version:        14.5
15
-Release:        11%{?dist}
15
+Release:        12%{?dist}
16 16
 License:        PostgreSQL
17 17
 URL:            www.postgresql.org
18 18
 Group:          Applications/Databases
... ...
@@ -38,7 +38,7 @@ BuildRequires:  linux-api-headers
38 38
 BuildRequires:  Linux-PAM-devel
39 39
 BuildRequires:  llvm-devel
40 40
 BuildRequires:  lz4-devel
41
-BuildRequires:  openldap
41
+BuildRequires:  openldap-devel
42 42
 BuildRequires:  perl
43 43
 BuildRequires:  perl-IPC-Run
44 44
 BuildRequires:  python3-devel
... ...
@@ -660,6 +660,8 @@ rm -rf %{buildroot}/*
660 660
 %{_pglibdir}/plpython3.so
661 661
 
662 662
 %changelog
663
+* Fri Feb 10 2023 Shreenidhi Shedi <sshedi@vmware.com> 14.5-12
664
+- Bump version as a part of openldap upgrade
663 665
 * Thu Feb 09 2023 Shreenidhi Shedi <sshedi@vmware.com> 14.5-11
664 666
 - Fix CVE-2022-41862
665 667
 * Thu Jan 26 2023 Ashwin Dayanand Kamat <kashwindayan@vmware.com> 14.5-10
... ...
@@ -12,7 +12,7 @@
12 12
 Summary:        PostgreSQL database engine
13 13
 Name:           postgresql15
14 14
 Version:        15.1
15
-Release:        3%{?dist}
15
+Release:        4%{?dist}
16 16
 License:        PostgreSQL
17 17
 URL:            www.postgresql.org
18 18
 Group:          Applications/Databases
... ...
@@ -37,7 +37,7 @@ BuildRequires:  linux-api-headers
37 37
 BuildRequires:  Linux-PAM-devel
38 38
 BuildRequires:  llvm-devel
39 39
 BuildRequires:  lz4-devel
40
-BuildRequires:  openldap
40
+BuildRequires:  openldap-devel
41 41
 BuildRequires:  perl
42 42
 BuildRequires:  perl-IPC-Run
43 43
 BuildRequires:  python3-devel
... ...
@@ -663,6 +663,8 @@ rm -rf %{buildroot}/*
663 663
 %{_pglibdir}/plpython3.so
664 664
 
665 665
 %changelog
666
+* Fri Feb 10 2023 Shreenidhi Shedi <sshedi@vmware.com> 15.1-4
667
+- Bump version as a part of openldap upgrade
666 668
 * Thu Feb 09 2023 Shreenidhi Shedi <sshedi@vmware.com> 15.1-3
667 669
 - Fix CVE-2022-41862
668 670
 * Thu Jan 26 2023 Ashwin Dayanand Kamat <kashwindayan@vmware.com> 15.1-2
... ...
@@ -1,7 +1,7 @@
1 1
 Summary:        Samba Client Programs
2 2
 Name:           samba-client
3 3
 Version:        4.14.4
4
-Release:        8%{?dist}
4
+Release:        9%{?dist}
5 5
 License:        GPLv3+ and LGPLv3+
6 6
 Group:          Productivity/Networking
7 7
 Vendor:         VMware, Inc.
... ...
@@ -11,9 +11,9 @@ URL:            https://www.samba.org
11 11
 Source0: https://www.samba.org/ftp/samba/stable/samba-%{version}.tar.gz
12 12
 %define sha512 samba=200b2b2b08b369915e045f22ee993d5deea7a2533c6c582d4b88c614adcad5529109d449e843a2a1f292e5cfb1877d66421b5b0801ad988896cbe5413717e4dc
13 13
 
14
-Source1:        smb.conf.vendor
14
+Source1: smb.conf.vendor
15 15
 
16
-Patch0:         rename_dcerpc_to_smbdcerpc_%{version}.patch
16
+Patch0: rename_dcerpc_to_smbdcerpc_%{version}.patch
17 17
 
18 18
 %define samba_ver %{version}-%{release}
19 19
 
... ...
@@ -29,11 +29,11 @@ BuildRequires: libxslt-devel
29 29
 BuildRequires: docbook-xsl
30 30
 BuildRequires: docbook-xml
31 31
 BuildRequires: gcc
32
-BuildRequires: gnutls-devel >= 3.4.7
32
+BuildRequires: gnutls-devel
33 33
 BuildRequires: jansson-devel
34 34
 BuildRequires: libxml2-devel
35 35
 BuildRequires: lmdb
36
-BuildRequires: openldap
36
+BuildRequires: openldap-devel
37 37
 BuildRequires: perl-Parse-Yapp
38 38
 BuildRequires: dbus-devel
39 39
 
... ...
@@ -108,7 +108,7 @@ echo "^samba4.rpc.echo.*on.*ncacn_np.*with.*object.*nt4_dc" >> selftest/knownfai
108 108
 %global _samba_pdb_modules pdb_tdbsam,pdb_ldap,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4
109 109
 %global _samba_modules %{_samba_pdb_modules}
110 110
 
111
-export CFLAGS="-I/usr/include/tirpc"
111
+export CFLAGS="-I%{_includedir}/tirpc"
112 112
 export LDFLAGS="-ltirpc"
113 113
 
114 114
 %configure \
... ...
@@ -339,7 +339,6 @@ rm -rf %{buildroot}/*
339 339
 # Samba Client
340 340
 %files
341 341
 %defattr(-,root,root,-)
342
-%doc source3/client/README.smbspool
343 342
 %{_bindir}/cifsdd
344 343
 %{_bindir}/dbwrap_tool
345 344
 %{_bindir}/dumpmscat
... ...
@@ -567,6 +566,8 @@ rm -rf %{buildroot}/*
567 567
 %{_libdir}/pkgconfig/wbclient.pc
568 568
 
569 569
 %changelog
570
+* Wed Feb 08 2023 Shreenidhi Shedi <sshedi@vmware.com> 4.14.4-9
571
+- Bump version as a part of openldap upgrade
570 572
 * Thu Dec 08 2022 Dweep Advani <dadvani@vmware.com> 4.14.4-8
571 573
 - Rebuild for perl version upgrade to 5.36.0
572 574
 * Tue Dec 06 2022 Ashwin Dayanand Kamat <kashwindayan@vmware.com> 4.14.4-7
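Review bot: `export CFLAGS="-I%{_includedir}/tirpc"` in the %build hunk assigns rather than appends, so any flags the build environment placed in CFLAGS (typically the distribution's hardening options) are dropped before `%configure` runs, and `%configure` will not fall back to `%{optflags}` because CFLAGS is already non-empty; the unchanged `export LDFLAGS="-ltirpc"` on the next line has the same effect on LDFLAGS. Suggest `export CFLAGS="${CFLAGS:-%{optflags}} -I%{_includedir}/tirpc"` and `export LDFLAGS="${LDFLAGS} -ltirpc"`. Separately, the `%files` hunk drops `%doc source3/client/README.smbspool` and the BuildRequires hunk removes the `gnutls-devel >= 3.4.7` floor, but the changelog entry only mentions the openldap bump; a line such as `- Drop gnutls-devel version floor and README.smbspool` would keep the record complete.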
... ...
@@ -1,7 +1,7 @@
1 1
 Summary:          Commonly used Mail transport agent (MTA)
2 2
 Name:             sendmail
3 3
 Version:          8.17.1
4
-Release:          5%{?dist}
4
+Release:          6%{?dist}
5 5
 URL:              http://www.sendmail.org
6 6
 License:          BSD and CDDL1.1 and MIT
7 7
 Group:            Email/Server/Library
... ...
@@ -14,7 +14,7 @@ Source0: https://ftp.sendmail.org/sendmail.%{version}.tar.gz
14 14
 Patch0: fix-compatibility-with-openssl-3.0.patch
15 15
 
16 16
 BuildRequires:    systemd-devel
17
-BuildRequires:    openldap
17
+BuildRequires:    openldap-devel
18 18
 BuildRequires:    openssl-devel
19 19
 BuildRequires:    shadow
20 20
 BuildRequires:    tinycdb-devel
... ...
@@ -132,8 +132,8 @@ if ! getent passwd smmsp >/dev/null; then
132 132
   useradd -c "Sendmail Daemon" -g smmsp -d /dev/null -s /bin/false -u 26 smmsp
133 133
 fi
134 134
 
135
-chmod -v 1775 /var/mail
136
-install -v -m700 -d /var/spool/mqueue
135
+chmod -v 1775 %{_var}/mail
136
+install -v -m700 -d %{_var}/spool/mqueue
137 137
 
138 138
 %post
139 139
 if [ $1 -eq 1 ] ; then
... ...
@@ -149,8 +149,8 @@ EOF
149 149
   m4 m4/cf.m4 submit.mc > submit.cf
150 150
 fi
151 151
 
152
-chmod 700 /var/spool/clientmqueue
153
-chown smmsp:smmsp /var/spool/clientmqueue
152
+chmod 700 %{_var}/spool/clientmqueue
153
+chown smmsp:smmsp %{_var}/spool/clientmqueue
154 154
 
155 155
 %systemd_post %{name}.service
156 156
 
... ...
@@ -193,6 +193,8 @@ fi
193 193
 %exclude %{_sysconfdir}/mail/cf/*
194 194
 
195 195
 %changelog
196
+* Fri Feb 10 2023 Shreenidhi Shedi <sshedi@vmware.com> 8.17.1-6
197
+- Bump version as a part of openldap upgrade
196 198
 * Wed Feb 08 2023 Shreenidhi Shedi <sshedi@vmware.com> 8.17.1-5
197 199
 - Add cyrus-sasl to requires
198 200
 * Thu Nov 17 2022 Nitesh Kumar <kunitesh@vmware.com> 8.17.1-4
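Review bot: In the scriptlet preceding `%post` (its header is outside the hunk, presumably `%pre`), `chmod -v 1775 %{_var}/mail` and `install -v -m700 -d %{_var}/spool/mqueue` create and re-mode directories imperatively, so the package does not own them: `rpm -V` cannot verify their mode or ownership and they are not removed on erase. The conventional form is to declare them in `%files`, e.g. `%attr(1775,root,<mail group>) %dir %{_var}/mail` and `%attr(700,root,root) %dir %{_var}/spool/mqueue`, and drop the scriptlet lines; the `chmod 700` / `chown smmsp:smmsp %{_var}/spool/clientmqueue` pair in the `%post` hunk can likewise become `%attr(700,smmsp,smmsp) %dir %{_var}/spool/clientmqueue`. The group that `%{_var}/mail` ends up with is not visible on the page, so carry over whatever the current scriptlet produces.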
... ...
@@ -1,22 +1,26 @@
1 1
 Summary:        A high performance C-based HTTP client library built upon the Apache Portable Runtime (APR) library
2 2
 Name:           serf
3 3
 Version:        1.3.9
4
-Release:        6%{?dist}
4
+Release:        7%{?dist}
5 5
 License:        Apache License 2.0
6
-URL:            https://serf.apache.org/
6
+URL:            https://serf.apache.org
7 7
 Group:          System Environment/Libraries
8 8
 Vendor:         VMware, Inc.
9 9
 Distribution:   Photon
10
-Source0:        https://www.apache.org/dist/serf/%{name}-%{version}.tar.bz2
11
-%define sha512  serf=9f5418d991840a08d293d1ecba70cd9534a207696d002f22dbe62354e7b005955112a0d144a76c89c7f7ad3b4c882e54974441fafa0c09c4aa25c49c021ca75d
12
-Patch0:         0001-openssl-3.0.0-compatibility.patch
10
+
11
+Source0: https://www.apache.org/dist/serf/%{name}-%{version}.tar.bz2
12
+%define sha512 serf=9f5418d991840a08d293d1ecba70cd9534a207696d002f22dbe62354e7b005955112a0d144a76c89c7f7ad3b4c882e54974441fafa0c09c4aa25c49c021ca75d
13
+
14
+Patch0: 0001-openssl-3.0.0-compatibility.patch
15
+
13 16
 Requires:       openldap
17
+
14 18
 BuildRequires:  python3-setuptools
15 19
 BuildRequires:  apr-devel
16 20
 BuildRequires:  apr-util-devel
17 21
 BuildRequires:  scons
18 22
 BuildRequires:  openssl-devel
19
-BuildRequires:  openldap
23
+BuildRequires:  openldap-devel
20 24
 
21 25
 %description
22 26
 The Apache Serf library is a C-based HTTP client library built upon the Apache
... ...
@@ -34,19 +38,20 @@ It contains the libraries and header files to create serf applications.
34 34
 %autosetup -p1
35 35
 
36 36
 %build
37
-ln -sf /usr/bin/python3 /usr/bin/python
38
-sed -i "/Append/s:RPATH=libdir,::"          SConstruct &&
39
-sed -i "/Default/s:lib_static,::"           SConstruct &&
40
-sed -i "/Alias/s:install_static,::"         SConstruct &&
41
-sed -i "/  print/{s/print/print(/; s/$/)/}" SConstruct &&
42
-sed -i "/get_contents()/s/,/.decode()&/"    SConstruct &&
37
+sed -i "/Append/s:RPATH=libdir,::" SConstruct
38
+sed -i "/Default/s:lib_static,::" SConstruct
39
+sed -i "/Alias/s:install_static,::" SConstruct
40
+sed -i "/  print/{s/print/print(/; s/$/)/}" SConstruct
41
+sed -i "/get_contents()/s/,/.decode()&/" SConstruct
43 42
 scons PREFIX=%{_prefix}
44 43
 
45 44
 %install
46 45
 scons PREFIX=%{buildroot}%{_prefix} install
47 46
 
47
+%if 0%{?with_check}
48 48
 %check
49 49
 scons check
50
+%endif
50 51
 
51 52
 %files
52 53
 %defattr(-,root,root)
... ...
@@ -58,6 +63,8 @@ scons check
58 58
 %{_libdir}/pkgconfig/*
59 59
 
60 60
 %changelog
61
+* Wed Feb 08 2023 Shreenidhi Shedi <sshedi@vmware.com> 1.3.9-7
62
+- Bump version as a part of openldap upgrade
61 63
 * Tue Dec 06 2022 Prashant S Chauhan <psinghchauha@vmware.com> 1.3.9-6
62 64
 - Update release to compile with python 3.11
63 65
 * Sun Aug 01 2021 Satya Naga Vasamsetty <svasamsetty@vmware.com> 1.3.9-5
... ...
@@ -1,7 +1,10 @@
1
+%define _confdir %{_sysconfdir}
2
+%define _squiddatadir %{_datadir}/%{name}
3
+
1 4
 Summary:        Caching and forwarding HTTP web proxy
2 5
 Name:           squid
3 6
 Version:        5.7
4
-Release:        3%{?dist}
7
+Release:        4%{?dist}
5 8
 License:        GPL-2.0-or-later
6 9
 URL:            http://www.squid-cache.org
7 10
 Group:          Networking/Web/Proxy
... ...
@@ -28,7 +31,7 @@ BuildRequires:  libecap-devel
28 28
 BuildRequires:  libgpg-error-devel
29 29
 BuildRequires:  libxml2-devel
30 30
 BuildRequires:  nettle-devel
31
-BuildRequires:  openldap
31
+BuildRequires:  openldap-devel
32 32
 BuildRequires:  openssl-devel
33 33
 BuildRequires:  systemd-devel
34 34
 BuildRequires:  systemd-rpm-macros
... ...
@@ -60,9 +63,6 @@ lookup program (dnsserver), a program for retrieving FTP data
60 60
 %prep
61 61
 %autosetup -p1
62 62
 
63
-%define _confdir %{_sysconfdir}
64
-%define _squiddatadir %{_datadir}/%{name}
65
-
66 63
 %build
67 64
 %define _lto_cflags %{nil}
68 65
 
... ...
@@ -158,15 +158,15 @@ d /run/%{name} 0755 %{name} %{name} - -
158 158
 EOF
159 159
 
160 160
 %pre
161
-if ! getent group %{name} >/dev/null 2>&1; then
162
-  /usr/sbin/groupadd -g 53 %{name}
161
+if ! getent group %{name} &> /dev/null; then
162
+  groupadd -g 53 %{name} &> /dev/null
163 163
 fi
164 164
 
165
-if ! getent passwd %{name} >/dev/null 2>&1 ; then
166
-  /usr/sbin/useradd -g 53 -u 53 -d /var/spool/%{name} -r -s /sbin/nologin %{name} >/dev/null 2>&1 || exit 1
165
+if ! getent passwd %{name} &> /dev/null; then
166
+  useradd -g 53 -u 53 -d %{_var}/spool/%{name} -r -s /sbin/nologin %{name} &>/dev/null || exit 1
167 167
 fi
168 168
 
169
-for i in /var/log/%{name} /var/spool/%{name}; do
169
+for i in %{_var}/log/%{name} %{_var}/spool/%{name}; do
170 170
   if [ -d $i ]; then
171 171
     for adir in $(find $i -maxdepth 0 \! -user %{name}); do
172 172
       chown -R %{name}:%{name} $adir
... ...
@@ -188,10 +188,7 @@ rm -rf %{buildroot}
188 188
 
189 189
 %files
190 190
 %defattr(-,root,root)
191
-%license COPYING
192
-%doc CONTRIBUTORS README ChangeLog QUICKSTART src/%{name}.conf.documented
193 191
 %doc contrib/url-normalizer.pl contrib/user-agents.pl
194
-
195 192
 %{_unitdir}/%{name}.service
196 193
 %attr(755,root,root) %dir %{_libexecdir}/%{name}
197 194
 %attr(755,root,root) %{_libexecdir}/%{name}/cache_swap.sh
... ...
@@ -226,6 +223,8 @@ rm -rf %{buildroot}
226 226
 %{_libdir}/%{name}/*
227 227
 
228 228
 %changelog
229
+* Wed Feb 08 2023 Shreenidhi Shedi <sshedi@vmware.com> 5.7-4
230
+- Bump version as a part of openldap upgrade
229 231
 * Thu Jan 26 2023 Ashwin Dayanand Kamat <kashwindayan@vmware.com> 5.7-3
230 232
 - Bump version as a part of krb5 upgrade
231 233
 * Thu Dec 22 2022 Guruswamy Basavaiah <bguruswamy@vmware.com> 5.7-2
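Review bot: In the `%pre` hunk, `groupadd -g 53 %{name} &> /dev/null` now discards groupadd's diagnostics and, unlike the `useradd` line below it, has no `|| exit 1`, so a GID 53 collision or any other groupadd failure is silent and only surfaces as the subsequent useradd failing with no message. Suggest `groupadd -g 53 %{name} >/dev/null || exit 1`, keeping stderr so the reason is visible in the transaction log; `&>` is also a bash-only redirection and is safe only if the scriptlet interpreter is bash. Separately, the `%files` hunk removes `%license COPYING` and the `%doc` line for `CONTRIBUTORS README ChangeLog QUICKSTART src/%{name}.conf.documented`, which the changelog entry does not mention; the `%license` marker is what compliance tooling uses to locate the license text, so either keep it or record the removal in the changelog.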
... ...
@@ -1,7 +1,7 @@
1 1
 Summary:        Application Container Server for Networked/Clustered Web Applications
2 2
 Name:           uwsgi
3 3
 Version:        2.0.21
4
-Release:        4%{?dist}
4
+Release:        5%{?dist}
5 5
 License:        GPLv2 with exceptions
6 6
 Group:          Productivity/Networking/Web/Servers
7 7
 Vendor:         VMware, Inc.
... ...
@@ -31,7 +31,7 @@ BuildRequires:  libcap-devel
31 31
 BuildRequires:  httpd-devel
32 32
 BuildRequires:  curl-libs
33 33
 BuildRequires:  libstdc++-devel
34
-BuildRequires:  openldap
34
+BuildRequires:  openldap-devel
35 35
 BuildRequires:  boost-devel
36 36
 BuildRequires:  attr-devel
37 37
 BuildRequires:  libxslt-devel
... ...
@@ -96,8 +96,8 @@ This package contains support for Python 3 applications via the WSGI protocol.
96 96
 cp -p %{SOURCE1} buildconf/
97 97
 
98 98
 %build
99
-%{__python3} uwsgiconfig.py --verbose --build photon.ini
100
-%{__python3} uwsgiconfig.py --verbose --plugin plugins/python core
99
+%{python3} uwsgiconfig.py --verbose --build photon.ini
100
+%{python3} uwsgiconfig.py --verbose --plugin plugins/python core
101 101
 
102 102
 %install
103 103
 install -d %{buildroot}%{_sysconfdir}/%{name}.d
... ...
@@ -116,15 +116,12 @@ cat >> %{buildroot}%{_tmpfilesdir}/%{name}.conf << EOF
116 116
 d /run/%{name} 0775 %{name} %{name}
117 117
 EOF
118 118
 
119
-%if 0%{?with_check}
120
-%check
121
-%endif
122
-
123 119
 %pre
124
-getent group %{name} >/dev/null || groupadd -r %{name}
125
-getent passwd %{name} >/dev/null || \
120
+getent group %{name} &> /dev/null || groupadd -r %{name} &> /dev/null || exit 1
121
+getent passwd %{name} &> /dev/null || \
126 122
     useradd -c "uWSGI daemon user" -d /run/%{name} -g %{name} \
127
-        -s /sbin/nologin -M -r %{name}
123
+        -s /sbin/nologin -M -r %{name} &> /dev/null || exit 1
124
+
128 125
 %post
129 126
 %systemd_post %{name}.service
130 127
 
... ...
@@ -144,8 +141,6 @@ rm -rf %{buildroot}/*
144 144
 %{_unitdir}/%{name}.service
145 145
 %{_tmpfilesdir}/%{name}.conf
146 146
 %dir %{_sysconfdir}/%{name}.d
147
-%doc README
148
-%license LICENSE
149 147
 
150 148
 %files devel
151 149
 %defattr(-,root,root,-)
... ...
@@ -239,6 +234,8 @@ rm -rf %{buildroot}/*
239 239
 %{python3_sitelib}/uwsgidecorators.py*
240 240
 
241 241
 %changelog
242
+* Wed Feb 08 2023 Shreenidhi Shedi <sshedi@vmware.com> 2.0.21-5
243
+- Bump version as a part of openldap upgrade
242 244
 * Tue Jan 31 2023 Ashwin Dayanand Kamat <kashwindayan@vmware.com> 2.0.21-4
243 245
 - Bump version as a part of krb5 upgrade
244 246
 * Mon Jan 30 2023 Nitesh Kumar <kunitesh@vmware.com> 2.0.21-3
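Review bot: The `%files` hunk removes `%license LICENSE` and `%doc README` from the main package while the changelog entry only mentions the openldap bump; the `%license` marker is what compliance tooling relies on to find the license text, so it should stay (or the removal be recorded in the changelog). In the `%pre` hunk, both `groupadd -r %{name} &> /dev/null || exit 1` and `useradd ... -s /sbin/nologin -M -r %{name} &> /dev/null || exit 1` abort the install without any diagnostic because stderr is discarded; redirecting only stdout (`>/dev/null`) gives the same quiet success path while keeping the failure reason. Dropping the empty `%check` section is fine since it ran nothing.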