Provided by: slapd_2.4.28-1.1ubuntu4_i386 bug


       slapd-sock - Socket backend/overlay to slapd




       The  Socket  backend  to  slapd(8)  uses  an external program to handle
       queries, similarly  to  slapd-shell(5).   However,  in  this  case  the
       external  program  listens  on  a  Unix  domain  socket.  This makes it
       possible to have a pool of processes, which persist  between  requests.
       This  allows  multithreaded operation and a higher level of efficiency.
       The external program must have  been  started  independently;  slapd(8)
       itself will not start it.

       This  module  may  also  be  used  as  an  overlay on top of some other
       database.  Use as an overlay allows external actions to be triggered in
       response to operations on the main database.


       These  slapd.conf options apply to the SOCK backend database.  That is,
       they must follow a "database sock" line and come before any  subsequent
       "backend" or "database" lines.  Other database options are described in
       the slapd.conf(5) manual page.

       Alternatively, to use this module as an overlay, these directives  must
       follow an "overlay sock" line within an existing database definition.

       extensions [ binddn | peername | ssf | connid ]*
              Enables  the  sending  of  additional  meta-attributes with each
              binddn: <bound DN>
              peername: IP=<address>:<port>
              ssf: <SSF value>
              connid: <connection ID>

       socketpath <pathname>
              Gives the path to a Unix domain socket  to  which  the  commands
              will be sent and from which replies are received.

              When  used  as  an  overlay,  these  additional  directives  are

       sockops   [ bind | unbind | search | compare | modify | modrdn | add  |
       delete ]*
              Specify which request types to send to the external program. The
              default is empty (no requests are sent).

       sockresps [ result | search ]*
              Specify which response types to send to  the  external  program.
              "result"  sends just the results of an operation. "search" sends
              all entries that the database returned for a search request. The
              default is empty (no responses are sent).


       The  protocol  is  essentially  the  same  as  slapd-shell(5)  with the
       addition  of  a  newline  to  terminate  the  command  parameters.  The
       following commands are sent:
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              <entry in LDIF format>
              <blank line>

              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              method: <method number>
              credlen: <length of <credentials>>
              cred: <credentials>
              <blank line>

              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              <attribute>: <value>
              <blank line>

              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              <blank line>

              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              <repeat {
                  <"add"/"delete"/"replace">: <attribute>
                  <repeat { <attribute>: <value> }>
              <blank line>

              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              newrdn: <new RDN>
              deleteoldrdn: <0 or 1>
              <if new superior is specified: "newSuperior: <DN>">
              <blank line>

              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              base: <base DN>
              scope: <0-2, see ldap.h>
              deref: <0-3, see ldap.h>
              sizelimit: <size limit>
              timelimit: <time limit>
              filter: <filter>
              attrsonly: <0 or 1>
              attrs: <"all" or space-separated attribute list>
              <blank line>

              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              <blank line>

       The commands - except unbind - should output:
              code: <integer>
              matched: <matched DN>
              info: <text>
       where  only RESULT is mandatory, and then close the socket.  The search
       RESULT should be preceded by the entries in  LDIF  format,  each  entry
       followed  by  a  blank  line.   Lines starting with `#' or `DEBUG:' are

       When used as an overlay, the external program should return a  CONTINUE
       response  if  request processing should continue normally, or a regular
       RESULT response if the external program wishes to bypass the underlying

       If  the overlay is configured to send response messages to the external
       program, they will appear as an extended RESULT message or as an  ENTRY
       message, defined below. The RESULT message is similar to the one above,
       but also includes the msgid and any configured extensions:
              msgid: <message id>
              code: <integer>
              matched: <matched DN>
              info: <text>
              <blank line>

       Typically both the msgid and the connid  will  be  needed  to  match  a
       result message to a request. The ENTRY message has the form
              msgid: <message id>
              <entry in LDIF format>
              <blank line>


       The  sock  backend  does  not  honor  all ACL semantics as described in
       slapd.access(5).  In general, access to objects is checked by  using  a
       dummy  object  that  contains only the DN, so access rules that rely on
       the contents of the object are not honored.  In detail:

       The add operation does not require write (=w) access  to  the  children
       pseudo-attribute of the parent entry.

       The  bind  operation  requires  auth  (=x)  access to the entry pseudo-
       attribute of the entry whose identity  is  being  assessed;  auth  (=x)
       access  to  the credentials is not checked, but rather delegated to the
       underlying program.

       The compare operation requires compare (=c) access to the entry pseudo-
       attribute  of  the  object  whose value is being asserted; compare (=c)
       access to the attribute whose value is being asserted is not checked.

       The delete operation does not require write (=w) access to the children
       pseudo-attribute of the parent entry.

       The  modify  operation  requires write (=w) access to the entry pseudo-
       attribute; write (=w)  access  to  the  specific  attributes  that  are
       modified is not checked.

       The modrdn operation does not require write (=w) access to the children
       pseudo-attribute of the parent entry, nor to that of the new parent, if
       different;  write (=w) access to the distinguished values of the naming
       attributes is not checked.

       The search operation does not require search (=s) access to  the  entry
       pseudo_attribute   of   the  searchBase;  search  (=s)  access  to  the
       attributes and values used in the filter is not checked.


       There is an example script in the  slapd/back-sock/  directory  in  the
       OpenLDAP source tree.


              default slapd configuration file


       slapd.conf(5), slapd-config(5), slapd(8).


       Brian Candler, with enhancements by Howard Chu