Provided by: slapd_2.4.11-0ubuntu6_i386 bug


       slapd-sock - Socket backend to slapd




       The  Socket  backend  to  slapd(8)  uses  an external program to handle
       queries, similarly  to  slapd-shell(5).   However,  in  this  case  the
       external  program  listens  on  a  Unix  domain  socket.  This makes it
       possible to have a pool of processes, which persist  between  requests.
       This  allows  multithreaded operation and a higher level of efficiency.
       The external program must have  been  started  independently;  slapd(8)
       itself will not start it.


       These  slapd.conf options apply to the SOCK backend database.  That is,
       they must follow a "database sock" line and come before any  subsequent
       "backend" or "database" lines.  Other database options are described in
       the slapd.conf(5) manual page.

       extensions [ binddn | peername | ssf ]*
              Enables the sending  of  additional  meta-attributes  with  each
              binddn: <bound DN>
              peername: IP=<address>:<port>
              ssf: <SSF value>

       socketpath <pathname>
              Gives  the  path  to  a Unix domain socket to which the commands
              will be sent and from which replies are received.


       The protocol  is  essentially  the  same  as  slapd-shell(5)  with  the
       addition  of  a  newline  to  terminate  the  command  parameters.  The
       following commands are sent:
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              <entry in LDIF format>
              <blank line>

              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              method: <method number>
              credlen: <length of <credentials>>
              cred: <credentials>
              <blank line>

              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              <attribute>: <value>
              <blank line>

              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              <blank line>

              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              <repeat {
                  <"add"/"delete"/"replace">: <attribute>
                  <repeat { <attribute>: <value> }>
              <blank line>

              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              newrdn: <new RDN>
              deleteoldrdn: <0 or 1>
              <if new superior is specified: "newSuperior: <DN>">
              <blank line>

              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              base: <base DN>
              scope: <0-2, see ldap.h>
              deref: <0-3, see ldap.h>
              sizelimit: <size limit>
              timelimit: <time limit>
              filter: <filter>
              attrsonly: <0 or 1>
              attrs: <"all" or space-separated attribute list>
              <blank line>

              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              <blank line>

       The commands - except unbind - should output:
              code: <integer>
              matched: <matched DN>
              info: <text>
       where only RESULT is mandatory, and then close the socket.  The  search
       RESULT  should  be  preceded  by the entries in LDIF format, each entry
       followed by a blank line.  Lines starting  with  ‘#’  or  ‘DEBUG:’  are


       The  sock  backend  does  not  honor  all ACL semantics as described in
       slapd.access(5).  In general, access to objects is checked by  using  a
       dummy  object  that  contains only the DN, so access rules that rely on
       the contents of the object are not honored.  In detail:

       The add operation does not require write (=w) access  to  the  children
       pseudo-attribute of the parent entry.

       The  bind  operation  requires  auth  (=x)  access to the entry pseudo-
       attribute of the entry whose identity  is  being  assessed;  auth  (=x)
       access  to  the credentials is not checked, but rather delegated to the
       underlying program.

       The compare operation requires compare (=c) access to the entry pseudo-
       attribute  of  the  object  whose value is being asserted; compare (=c)
       access to the attribute whose value is being asserted is not checked.

       The delete operation does not require write (=w) access to the children
       pseudo-attribute of the parent entry.

       The  modify  operation  requires write (=w) access to the entry pseudo-
       attribute; write (=w)  access  to  the  specific  attributes  that  are
       modified is not checked.

       The modrdn operation does not require write (=w) access to the children
       pseudo-attribute of the parent entry, nor to that of the new parent, if
       different;  write (=w) access to the distinguished values of the naming
       attributes is not checked.

       The search operation does not require search (=s) access to  the  entry
       pseudo_attribute   of   the  searchBase;  search  (=s)  access  to  the
       attributes and values used in the filter is not checked.


       There is an example script in the  slapd/back-sock/  directory  in  the
       OpenLDAP source tree.


              default slapd configuration file


       slapd.conf(5), slapd(8).


       Brian Candler