=== begin access-control.html === 304c304 <

This directive allows the user to modify their entry, allows anonymous to authentication against these entries, and allows all others to read these entries. Note that only the first by <who> clause which matches applies. Hence, the anonymous users are granted auth, not read. The last clause could just as well have been "by users read".

--- >

This directive allows the user to modify their entry, allows anonymous to authenticate against these entries, and allows all others to read these entries. Note that only the first by <who> clause which matches applies. Hence, the anonymous users are granted auth, not read. The last clause could just as well have been "by users read".

327c327 < by peername.regex=IP:10\..+ read --- > by peername.regex=IP=10\..+ read 636c636 < by peername.regex=IP:10\..+ read --- > by peername.regex=IP=10\..+ read 704c704 < access to attr=userPassword --- > access to attrs=userPassword === end access-control.html === === begin appendix-changes.html === 56c56 < olcDatabase={1}bdb,cn=config --- > olcDatabase={1}mdb,cn=config 61c61 < olcDatabase={1}bdb,cn=config --- > olcDatabase={1}mdb,cn=config 64c64 <

This will insert a new BDB database in slot 1 and bump all following databases down one, so the original BDB database will now be named:

--- >

This will insert a new back-mdb database in slot 1 and bump all following databases down one, so the original back-mdb database will now be named:
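Review bot: the peername regex change at access-control.html 327c327 and 636c636 (from "IP:10\..+" to "IP=10\..+") repairs a "by" clause that could never match, because the peer string slapd compares against begins with "IP=" followed by the address, so clients from 10.x were getting whatever the remaining clauses of that directive (or the implicit default) gave them instead of the intended read access; good that both occurrences are corrected in the same patch, since a selector that silently never matches is the kind of ACL defect that survives testing. The "attr=userPassword" to "attrs=userPassword" change at 704c704 puts the example on the documented keyword form. The bdb-to-mdb renames at appendix-changes.html 56c56, 61c61, 64c64 and 66c66 are consistent between the DNs and the surrounding prose.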

66c66 < olcDatabase={2}bdb,cn=config --- > olcDatabase={2}mdb,cn=config === end appendix-changes.html === === begin appendix-common-errors.html === === end appendix-common-errors.html === === begin appendix-configs.html === === end appendix-configs.html === === begin appendix-contrib.html === === end appendix-contrib.html === === begin appendix-deployments.html === === end appendix-deployments.html === === begin appendix-ldap-result-codes.html === === end appendix-ldap-result-codes.html === === begin appendix-recommended-versions.html === === end appendix-recommended-versions.html === === begin appendix-upgrading.html === === end appendix-upgrading.html === === begin autoconf.html === === end autoconf.html === === begin backends.html === === end backends.html === === begin config.html === === end config.html === === begin copyright.html === === end copyright.html === === begin dbtools.html === === end dbtools.html === === begin glossary.html === === end glossary.html === === begin index.html === 26c26 <
5 February 2016
--- >
1 June 2017
=== end index.html === === begin install.html === === end install.html === === begin intro.html === === end intro.html === === begin license.html === === end license.html === === begin limits.html === 61c61 < limits <who> <limit> [<limit> [...]] --- > limits <selector> <limit> [<limit> [...]] 63c63 <

The limits clause can be specified multiple times to apply different limits to different initiators. The server examines each clause in turn until it finds one that matches the ID that requested the operation. If no match is found, the global limits will be used.

--- >

The limits clause can be specified multiple times to apply different limits to different initiators. The server examines each clause in turn until it finds one that matches the operation's initiator or base DN. If no match is found, the global limits will be used.

65c65 <

The <who> part of the limits clause can take any of these values:

--- >

The <selector> part of the limits clause can take any of these values:

67c67 < Table ZZZ.ZZZ: Entity Specifiers --- > Table 9.1: Limits Entity Specifiers 102c102 < self --- > dn[.<type>][.<style>]=<pattern>] 105,121c105 < User associated with target entry < < < < < dn[.<basic-style>]=<regex> < < < Users matching a regular expression < < < < < dn.<scope-style>=<DN> < < < Users within scope of a DN --- > Entry or entries within a scope that match <pattern> 134c118,121 <

The rules for specifying <who> are the same as those used in access-control rules.

--- >

Where

>

type can be one of self or this and

>

style can be one of exact, base, onelevel, subtree, children, regex, or anonymous

>

More information can be found in the slapd.conf(5) or slapd-config(5) manual pages.
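Review bot: the replacement row at limits.html 102c102, "dn[.<type>][.<style>]=<pattern>]", has an unbalanced trailing "]" (three opening brackets, four closing); drop the last one so the optional groups are ".<type>" and ".<style>" only. The "<who>" to "<selector>" rename at 61c61 and 65c65 matches the same rename at slapdconfig.html 429,431c437,439, and "Table ZZZ.ZZZ" to "Table 9.1" at 67c67 removes a leftover placeholder. One thing is lost at 134c118,121: the sentence "The rules for specifying <who> are the same as those used in access-control rules" is removed rather than reworded, so the cross-reference to the Access Control chapter disappears; if it still holds for the selector forms, keep a pointer to that chapter next to the new slapd.conf(5) reference.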

=== end limits.html === === begin maintenance.html === === end maintenance.html === === begin monitoringslapd.html === 57c57 <

As previously discussed, when enabled, the monitor backend dynamically generates and returns objects in response to search requests in the cn=Monitor subtree. Each object contains information about a particular aspect of the server. The information is held in a combination of user applications and operational attributes. This information can be access with ldapsearch(1), with any general-purpose LDAP browser, or with specialized monitoring tools.

--- >

As previously discussed, when enabled, the monitor backend dynamically generates and returns objects in response to search requests in the cn=Monitor subtree. Each object contains information about a particular aspect of the server. The information is held in a combination of user applications and operational attributes. This information can be accessed with ldapsearch(1), with any general-purpose LDAP browser, or with specialized monitoring tools.

=== end monitoringslapd.html === === begin overlays.html === 58a59,61 >


> Note: An accesslog database is unique to a given master. It should never be replicated. >
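Review bot: the added note at overlays.html 58a59,61 (repeated verbatim at replication.html 296a309,311) states a rule without its reason; add one sentence on why an accesslog database must not be replicated, and, since the same patch describes placing a syncprov instance on top of a log database for delta-syncrepl at replication.html 157a159,169, link the note to that section so a reader setting up delta-syncrepl sees both the requirement and the constraint in one place.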

151c154 < dn: olcOverlay=auditlog,olcDatabase={1}hdb,cn=config --- > dn: olcOverlay=auditlog,olcDatabase={1}mdb,cn=config 276c279 < dn: olcOverlay=constraint,olcDatabase={1}hdb,cn=config --- > dn: olcOverlay=constraint,olcDatabase={1}mdb,cn=config 543,544c546,547 < dn: olcDatabase={0}hdb,olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config < objectClass: olcHdbConfig --- > dn: olcDatabase={0}mdb,olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config > objectClass: olcMdbConfig 546c549 < olcDatabase: {0}hdb --- > olcDatabase: {0}mdb === end overlays.html === === begin preface.html === === end preface.html === === begin quickstart.html === 166c166 < su root -c /usr/local/sbin/slapadd -F /usr/local/etc/cn=config -l /usr/local/etc/openldap/slapd.ldif --- > su root -c /usr/local/sbin/slapadd -n 0 -F /usr/local/etc/slapd.d -l /usr/local/etc/openldap/slapd.ldif 172c172 < su root -c /usr/local/libexec/slapd -F /usr/local/etc/cn=config --- > su root -c /usr/local/libexec/slapd -F /usr/local/etc/slapd.d === end quickstart.html === === begin referrals.html === === end referrals.html === === begin replication.html === 52c52 <

The syncrepl engine, which is a consumer-side replication engine, can work with any backends. The LDAP Sync provider can be configured as an overlay on any backend, but works best with the back-bdb back-hdb, or back-mdb backends.

--- >

The syncrepl engine, which is a consumer-side replication engine, can work with any backends. The LDAP Sync provider can be configured as an overlay on any backend, but works best with the back-bdb, back-hdb, or back-mdb backends.
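Review bot: the quickstart.html commands at 166c166 and 172c172 are still unquoted, so in "su root -c /usr/local/sbin/slapadd -n 0 -F /usr/local/etc/slapd.d -l /usr/local/etc/openldap/slapd.ldif" only "/usr/local/sbin/slapadd" is the -c command string and "-n 0 -F ... -l ..." are not part of it; wrap the whole command in quotes, as in "su root -c '/usr/local/sbin/slapadd -n 0 -F /usr/local/etc/slapd.d -l /usr/local/etc/openldap/slapd.ldif'", and do the same for the slapd line at 172c172. The added "-n 0" and the corrected "-F /usr/local/etc/slapd.d" path are the right fix for loading the config database. For the overlays.html hdb-to-mdb renames (151c154, 276c279, 543,544c546,547 and 546c549), changing the objectClass to olcMdbConfig means any hdb-specific attributes on the pcache example's lines outside this hunk need checking, since they are not valid under the mdb configuration class. The comma fix at replication.html 52c52 is fine.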

146c146,147 <

The provider is implemented as an overlay, so the overlay itself must first be configured in slapd.conf(5) before it can be used. The provider has only two configuration directives, for setting checkpoints on the contextCSN and for configuring the session log. Because the LDAP Sync search is subject to access control, proper access control privileges should be set up for the replicated content.

--- >

The provider is implemented as an overlay, so the overlay itself must first be configured in slapd.conf(5) before it can be used. The provider has two primary configuration directives and two secondary directives for when delta-syncrepl is being used. Because the LDAP Sync search is subject to access control, proper access control privileges should be set up for the replicated content.

>

The two primary options to configure are the checkpoint and sessionlog behaviors.

151c152 <

directive. Checkpoints are only tested after successful write operations. If <ops> operations or more than <minutes> time has passed since the last checkpoint, a new checkpoint is performed.

--- >

directive. Checkpoints are only tested after successful write operations. If <ops> operations or more than <minutes> time has passed since the last checkpoint, a new checkpoint is performed. Checkpointing is disabled by default.

154c155 < syncprov-sessionlog <size> --- > syncprov-sessionlog <ops> 156c157 <

directive, where <size> is the maximum number of session log entries the session log can record. When a session log is configured, it is automatically used for all LDAP Sync searches within the database.

--- >

directive, where <ops> is the maximum number of session log entries the session log can record. All write operations (except Adds) are recorded in the log.

157a159,169 >

The reloadhint option is configured by the

>
>         syncprov-reloadhint <TRUE|FALSE>
> 
>

directive. It must be set TRUE when using the accesslog overlay for delta-based syncrepl replication support. The default is FALSE.

>

The nonpresent option should only be configured if the overlay is being placed on top of a log database, such as when used with delta-syncrepl.

>

The nonpresent option is configured by the

>
>         syncprov-nopresent <TRUE|FALSE>
> 
>

directive. This value should only be set TRUE for a syncprov instance on top of a log database (such as one managed by the accesslog overlay). The default is FALSE.
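Review bot: the new text at replication.html 157a159,169 calls the option "nonpresent" in prose ("The nonpresent option should only be configured...", "The nonpresent option is configured by the") while the directive shown is "syncprov-nopresent"; use one spelling, preferably the directive's, so a reader searching slapd-config output can find it. The reloadhint paragraph says what the flag is for; the nopresent paragraph says only where it may be set, so add a sentence on what the flag actually changes, since enabling it on an ordinary (non-log) database is precisely the mistake the text is warning against.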

172c184 <

The syncrepl replication is specified in the database section of slapd.conf(5) for the replica context. The syncrepl engine is backend independent and the directive can be defined with any database type.

--- >

The syncrepl replication is specified in the database section of slapd.conf(5) for the replica context. The syncrepl engine is backend independent and the directive can be defined with any database type.
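Review bot: the hunk at replication.html 172c184 shows identical text on both sides, so the change is either whitespace or HTML markup (for example a link target) that the extraction does not show; confirm it is intentional or drop it from the change set. The same pattern appears at slapdconfig.html 311c311 and 318c318, where "See the Limits section of this guide and slapd.conf(5) for more details." is unchanged on both sides.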

296a309,311 >


> Note: An accesslog database is unique to a given master. It should never be replicated. >

=== end replication.html === === begin runningslapd.html === === end runningslapd.html === === begin sasl.html === === end sasl.html === === begin schema.html === 246c246 < DESC 'common name(s) assciated with the object' --- > DESC 'common name(s) associated with the object' === end schema.html === === begin security.html === === end security.html === === begin slapdconf2.html === 408c408 < Berkeley DB transactional backend --- > Berkeley DB transactional backend (deprecated) 432c432 < Hierarchical variant of bdb backend --- > Hierarchical variant of bdb backend (deprecated) 452a453,460 > mdb > > > Memory-Mapped DB backend > > > > 532c540 <

This directive puts the database into "read-only" mode. Any attempts to modify the database will return an "unwilling to perform" error.

--- >

This directive puts the database into "read-only" mode. Any attempts to modify the database will return an "unwilling to perform" error. If set on a consumer, modifications sent by syncrepl will still occur.

606c614 < [tls_ciphersuite=<ciphers>] --- > [tls_cipher_suite=<ciphers>] 626c634 <

The syncrepl replication mechanism is supported by the bdb and hdb backends.

--- >

The syncrepl replication mechanism is supported by the bdb, hdb, and mdb backends.
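Review bot: the sentence at slapdconf2.html 626c634 now lists bdb and hdb ahead of mdb even though the same patch marks both "(deprecated)" at 408c408 and 432c432 and adds mdb to the backend table at 452a453,460; put mdb first or carry the deprecation marker into this sentence so the two parts of the page agree. The "tls_ciphersuite" to "tls_cipher_suite" keyword fix at 606c614 is the same one applied at slapdconfig.html 500c512, which is consistent. The readonly addition at 532c540 ("If set on a consumer, modifications sent by syncrepl will still occur") is the operational caveat an administrator needs, and it is duplicated consistently at slapdconfig.html 433c441.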

=== end slapdconf2.html === === begin slapdconfig.html === 311c311 <

See the Limits section of this guide and slapd.conf(5) for more details.

--- >

See the Limits section of this guide and slapd.conf(5) for more details.

318c318 <

See the Limits section of this guide and slapd.conf(5) for more details.

--- >

See the Limits section of this guide and slapd.conf(5) for more details.

338c338 < Berkeley DB transactional backend --- > Berkeley DB transactional backend (deprecated) 354c354 < Hierarchical variant of bdb backend --- > Hierarchical variant of bdb backend (deprecated) 366a367,374 > mdb > > > Memory-Mapped DB backend > > > > 429,431c437,439 <

6.2.3.2. limits <who> <limit> [<limit> [...]]

<

Specify time and size limits based on who initiated an operation.

<

See the Limits section of this guide and slapd.conf(5) for more details.

--- >

6.2.3.2. limits <selector> <limit> [<limit> [...]]

>

Specify time and size limits based on the operation's initiator or base DN.

>

See the Limits section of this guide and slapd.conf(5) for more details.

433c441 <

This directive puts the database into "read-only" mode. Any attempts to modify the database will return an "unwilling to perform" error.

--- >

This directive puts the database into "read-only" mode. Any attempts to modify the database will return an "unwilling to perform" error. If set on a consumer, modifications sent by syncrepl will still occur.

474a483 > searchbase=<base DN> 478d486 < searchbase=<base DN> 481a490 > [exattrs=<attr list>] 485a495,496 > [network-timeout=<seconds>] > [timeout=<seconds>] 493a505 > [keepalive=<idle>:<probes>:<interval>] 500c512 < [tls_ciphersuite=<ciphers>] --- > [tls_cipher_suite=<ciphers>] 501a514,515 > [tls_protocol_min=<major>[.<minor>]] > [suffixmassage=<real DN>] 509c523 <

The content of the syncrepl replica is defined using a search specification as its result set. The consumer slapd will send search requests to the provider slapd according to the search specification. The search specification includes searchbase, scope, filter, attrs, attrsonly, sizelimit, and timelimit parameters as in the normal search specification. The searchbase parameter has no default value and must always be specified. The scope defaults to sub, the filter defaults to (objectclass=*), attrs defaults to "*,+" to replicate all user and operational attributes, and attrsonly is unset by default. Both sizelimit and timelimit default to "unlimited", and only positive integers or "unlimited" may be specified.

--- >

The content of the syncrepl replica is defined using a search specification as its result set. The consumer slapd will send search requests to the provider slapd according to the search specification. The search specification includes searchbase, scope, filter, attrs, exattrs, attrsonly, sizelimit, and timelimit parameters as in the normal search specification. The searchbase parameter has no default value and must always be specified. The scope defaults to sub, the filter defaults to (objectclass=*), attrs defaults to "*,+" to replicate all user and operational attributes, and attrsonly is unset by default. Both sizelimit and timelimit default to "unlimited", and only positive integers or "unlimited" may be specified. The exattrs option may also be used to specify attributes that should be omitted from incoming entries.
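Review bot: "tls_protocol_min=<major>[.<minor>]" is added to the syncrepl parameter list at slapdconfig.html 501a514,515 but, unlike exattrs, network-timeout, timeout, keepalive and suffixmassage, receives no descriptive paragraph in this patch; since it sets the minimum TLS version the consumer will accept when connecting to the provider, add a sentence giving its form and default (the network-timeout paragraph already defers to ldap.conf(5) for defaults, which is the natural place to point). The exattrs sentence added at 509c523 would sit better next to the attrs description than appended after the sizelimit/timelimit sentence, and it should say whether exattrs is applied after attrs (removing attributes from the set attrs selected), since "omitted from incoming entries" leaves that open.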

512a527 >

The network-timeout parameter sets how long the consumer will wait to establish a network connection to the provider. Once a connection is established, the timeout parameter determines how long the consumer will wait for the initial Bind request to complete. The defaults for these parameters come from ldap.conf(5).

517a533 >

The keepalive parameter sets the values of idle, probes, and interval used to check whether a socket is alive; idle is the number of seconds a connection needs to remain idle before TCP starts sending keepalive probes; probes is the maximum number of keepalive probes TCP should send before dropping the connection; interval is interval in seconds between individual keepalive probes. Only some systems support the customization of these values; the keepalive parameter is ignored otherwise, and system-wide settings are used. For example, keepalive="240:10:30" will send a keepalive probe 10 times, every 30 seconds, after 240 seconds of idle activity. If no response to the probes is received, the connection will be dropped.
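Review bot: in the keepalive paragraph at slapdconfig.html 517a533, "interval is interval in seconds between individual keepalive probes" is missing an article ("interval is the interval in seconds ..."), and "after 240 seconds of idle activity" should read "after 240 seconds of inactivity"; the example "240:10:30" is otherwise consistent with the idle:probes:interval order given in the list entry at 493a505. The paragraph ends at "the connection will be dropped", so say what the consumer does next (whether it reconnects under its retry schedule), otherwise the reader cannot tell whether a dropped keepalive is self-healing or needs operator attention.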

518a535 >

The suffixmassage parameter allows the consumer to pull entries from a remote directory whose DN suffix differs from the local directory. The portion of the remote entries' DNs that matches the searchbase will be replaced with the suffixmassage DN.

=== end slapdconfig.html === === begin tls.html === 102,103c102,103 <

16.2.1.7. TLSEphemeralDHParamFile <filename>

<

This directive specifies the file that contains parameters for Diffie-Hellman ephemeral key exchange. This is required in order to use a DSA certificate on the server side (i.e. TLSCertificateKeyFile points to a DSA key). Multiple sets of parameters can be included in the file; all of them will be processed. Parameters can be generated using the following command

--- >

16.2.1.7. TLSDHParamFile <filename>

>

This directive specifies the file that contains parameters for Diffie-Hellman ephemeral key exchange. This is required in order to use DHE-based cipher suites, including all DSA-based suites (i.e. TLSCertificateKeyFile points to a DSA key), and RSA when the 'key encipherment' key usage is not specified in the certificate. Parameters can be generated using the following command

105c105,106 < openssl dhparam [-dsaparam] -out <filename> <numbits> --- > openssl dhparam [-dsaparam] -out <filename> <numbits> or > certtool --generate-dh-params --bits <numbits> --outfile <filename> 107c108 <

This directive is ignored with GnuTLS and Mozilla NSS.

--- >

This directive is ignored with Mozilla NSS.
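Review bot: the rewrite at tls.html 102,103c102,103 drops the sentence "Multiple sets of parameters can be included in the file; all of them will be processed" without replacing it; if that behaviour still holds it should stay, and if it no longer holds now that GnuTLS also honours the directive (per 107c108) say so explicitly, since operators who concatenate parameter files depend on it. The new explanation of when the directive is required (DHE suites, DSA keys, RSA without the "key encipherment" usage) is a clear improvement; one more sentence recommending a size for <numbits> in the openssl and certtool commands at 105c105,106 (2048 bits or more) would keep readers from generating weak parameters by copying the placeholder. The rename from TLSEphemeralDHParamFile to TLSDHParamFile should be cross-checked against the slapd.conf(5) text for the same release so the guide and the manual page do not disagree.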

=== end tls.html === === begin troubleshooting.html === === end troubleshooting.html === === begin tuning.html === 67c67 <

See the Logging section below on what to watch our for if you have a frequently searched for attribute that is unindexed.

--- >

See the Logging section below on what to watch out for if you have a frequently searched for attribute that is unindexed.

=== end tuning.html ===