Provided by: ultrapossum-slapd_0.0.4+2.2.20sb3-1_i386 bug


       slapd - Stand-alone LDAP Daemon


       /usr/lib/ultrapossum/slapd/libexec/slapd  [-[4|6]]  [-T  (a|c|i|p)] [-d
       debug-level] [-f slapd-config-file] [-h  URLs]  [-n  service-name]  [-s
       syslog-level]  [-l  syslog-local-user]  [-r  directory]  [-u  user] [-g
       group] [-t] [-c cookie]


       Slapd is the stand-alone LDAP daemon. It listens for  LDAP  connections
       on any number of ports (default 389), responding to the LDAP operations
       it receives over these connections.  slapd is typically invoked at boot
       time, usually out of /etc/rc.local.  Upon startup, slapd normally forks
       and disassociates itself from  the  invoking  tty.   If  configured  in
       /etc/ultrapossum/slapd/openldap/slapd.conf,   the  slapd  process  will
       print its process ID (see getpid(2)) to a .pid file,  as  well  as  the
       command   line   options  during  invocation  to  an  .args  file  (see
       slapd.conf(5)).  If the -d flag is given, even with  a  zero  argument,
       slapd will not fork and disassociate from the invoking tty.

       Slapd  can  be  configured to provide replicated service for a database
       with the help of slurpd, the standalone LDAP update replication daemon.
       See slurpd(8) for details.

       See the "OpenLDAP Administrator’s Guide" for more details on slapd.


       -4     Listen on IPv4 addresses only.

       -6     Listen on IPv6 addresses only.

       -T (a|c|i|p)
              Run in Tool mode. The additional argument selects whether to run
              as slapadd,  slapcat,  slapindex,  or  slappasswd.  This  option
              should  be  the  first  option  specified  when  it is used. Any
              remaining options will be interpreted by the corresponding  slap
              tool  program.  Note  that  these  tool programs will usually be
              symbolic links to slapd. This option is provided for  situations
              where symbolic links are not provided or not usable.

       -d debug-level
              Turn  on debugging as defined by debug-level.  If this option is
              specified, even with a zero argument, slapd  will  not  fork  or
              disassociate from the invoking terminal.  Some general operation
              and status messages are printed for any  value  of  debug-level.
              debug-level   is   taken   as   a  bit  string,  with  each  bit
              corresponding to a different kind of debugging information.  See
              <ldap.h>  for  details.   Remember  that  if  you turn on packet
              logging, packets containing bind passwords will be output, so if
              you  redirect  the  log  to a logfile, that file should be read-

       -s syslog-level
              This option tells  slapd  at  what  level  debugging  statements
              should be logged to the syslog(8) facility.

       -n service-name
              Specifies  the  service  name  for  logging  and other purposes.
              Defaults to basename of argv[0], i.e.: "slapd".

       -l syslog-local-user
              Selects the local user of the syslog(8) facility. Values can  be
              LOCAL0, LOCAL1, and so on, up to LOCAL7.  The default is LOCAL4.
              However, this option is only permitted on systems  that  support
              local users with the syslog(8) facility.

       -f slapd-config-file
              Specifies   the   slapd   configuration  file.  The  default  is

       -h URLlist
              slapd will by default serve  ldap:///  (LDAP  over  TCP  on  all
              interfaces  on  default LDAP port).  That is, it will bind using
              INADDR_ANY and port 389.  The -h option may be used  to  specify
              LDAP (and other scheme) URLs to serve.  For example, if slapd is
              given -h "ldap:// ldaps:/// ldapi:///" , It  will
              bind for LDAP, for LDAP over TLS, and
              LDAP over IPC (Unix domain sockets).   Host  represents
              INADDR_ANY.   A  space  separated list of URLs is expected.  The
              URLs should be of LDAP (ldap://) or LDAP over TLS (ldaps://)  or
              LDAP  over  IPC (ldapi://) scheme without a DN or other optional
              parameters, except an experimental  extension  to  indicate  the
              permissions of the underlying listeners.  Support for the latter
              two schemes depends on selected  configuration  options.   Hosts
              may  be  specified  by  name  or  IPv4 and IPv6 address formats.
              Ports, if specified, must be numeric.  The default ldap://  port
              is  389  and  the  default  ldaps://  port  is  636.  The socket
              permissions  for  LDAP   over   IPC   are   indicated   by   "x-
              mod=-rwxrwxrwx",  "x-mod=0777"  or "x-mod=777", where any of the
              "rwx" can be "-"  to  suppress  the  related  permission  (note,
              however,  that sockets only honor the "w" permission), while any
              of the "7" can be any legal octal digit, according to  chmod(1).
              While  LDAP over IPC requires write permissions on the socket to
              allow any operation, the other listeners can take  advantage  of
              the  "x-mod" extension to apply rough limitations to users, e.g.
              allow  read  operations  ("r",  which  applies  to  search   and
              compare),  write  operations ("w", which applies to add, delete,
              modify and modrdn), and execute  operations  ("x",  which  means
              bind  is  required).   "User"  permissions apply to bound users,
              while "other" apply to anonymous users.

       -r directory
              Specifies a chroot "jail" directory.  slapd will  chdir(2)  then
              chroot(2)  to  this directory after opening listeners but before
              reading any configuration file or initializing any backend.

       -u user
              slapd will run slapd with the specified user  name  or  id,  and
              that   user’s  supplementary  group  access  list  as  set  with
              initgroups(3).  The group ID is also changed to this user’s gid,
              unless the -g option is used to override.

       -g group
              slapd will run with the specified group name or id.

       Note  that  on  some  systems,  running  as  a non-privileged user will
       prevent passwd back-ends from accessing the encrypted passwords.   Note
       also  that any shell back-ends will run as the specified non-privileged

       -t     slapd will read the configuration file (the default if  none  is
              given  with the -f switch) and check its syntax, without opening
              any listener or database.

       -c cookie
              This option provides  a  cookie  for  the  syncrepl  replication
              consumer.   The  cookie  is a comma separated list of name=value
              pairs.  Currently supported syncrepl cookie fields are csn, sid,
              and  rid.   csn  is  the  commit  sequence  number received by a
              previous  synchronization  and  represents  the  state  of   the
              consumer   replica   content  which  the  syncrepl  engine  will
              synchronize  to  the  current  provider  content.   sid  is  the
              identity  of  the  per-scope session log with which the provider
              server   can   process   this   syncrepl   request   to   reduce
              synchronization  traffic.   rid  identifies a replication thread
              within the consumer server and is  used  to  find  the  syncrepl
              specification  in  slapd.conf(5) having the matching replication
              identifier in its definition.


       To start slapd and have it fork and detach from the terminal and  start
       serving  the  LDAP  databases  defined in the default config file, just


       To start slapd with  an  alternate  configuration  file,  and  turn  on
       voluminous debugging which will be printed on standard error, type:

            /usr/lib/ultrapossum/slapd/libexec/slapd -f /var/tmp/slapd.conf -d 255

       To test whether the configuration file is correct or not, type:

            /usr/lib/ultrapossum/slapd/libexec/slapd -t


       ldap(3),   slapd.conf(5),   slapd.access(5),   slapadd(8),  slapcat(8),
       slapindex(8), slappasswd(8), slurpd(8)

       "OpenLDAP Administrator’s Guide" (




       OpenLDAP  is  developed  and  maintained  by   The   OpenLDAP   Project
       (   OpenLDAP  is  derived  from University of
       Michigan LDAP 3.3 Release.