Provided by: slapd_2.4.42+dfsg-2ubuntu3.13_amd64 bug

NAME

       slapd-shell - Shell backend to slapd

SYNOPSIS

       /etc/ldap/slapd.conf

DESCRIPTION

       The  Shell  backend to slapd(8) executes external programs to implement operations, and is
       designed to make it easy to tie an existing database to the slapd front-end.

       This backend is primarily intended to be used in prototypes.

WARNING

       The abandon shell command has been removed since OpenLDAP 2.1.

CONFIGURATION

       These slapd.conf options apply to the SHELL backend database.  That is, they must follow a
       "database shell" line and come before any subsequent "backend" or "database" lines.  Other
       database options are described in the slapd.conf(5) manual page.

       These options specify the pathname and arguments of the program to execute in response  to
       the  given  LDAP  operation.   Each option is followed by the input lines that the program
       receives:

       add <pathname> <argument>...
              ADD
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              <entry in LDIF format>

       bind <pathname> <argument>...
              BIND
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              method: <method number>
              credlen: <length of <credentials>>
              cred: <credentials>

       compare <pathname> <argument>...
              COMPARE
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              <attribute>: <value>

       delete <pathname> <argument>...
              DELETE
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>

       modify <pathname> <argument>...
              MODIFY
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              <repeat {
                  <"add"/"delete"/"replace">: <attribute>
                  <repeat { <attribute>: <value> }>
                  -
              }>

       modrdn <pathname> <argument>...
              MODRDN
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <DN>
              newrdn: <new RDN>
              deleteoldrdn: <0 or 1>
              <if new superior is specified: "newSuperior: <DN>">

       search <pathname> <argument>...
              SEARCH
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              base: <base DN>
              scope: <0-2, see ldap.h>
              deref: <0-3, see ldap.h>
              sizelimit: <size limit>
              timelimit: <time limit>
              filter: <filter>
              attrsonly: <0 or 1>
              attrs: <"all" or space-separated attribute list>

       unbind <pathname> <argument>...
              UNBIND
              msgid: <message id>
              <repeat { "suffix:" <database suffix DN> }>
              dn: <bound DN>

       Note that you need only supply configuration lines for those commands you want the backend
       to  handle.   Operations  for  which  a  command  is  not supplied will be refused with an
       "unwilling to perform" error.

       The search command should output the entries in LDIF format,  each  entry  followed  by  a
       blank line, and after these the RESULT below.

       All commands except unbind should then output:
              RESULT
              code: <integer>
              matched: <matched DN>
              info: <text>
       where only the RESULT line is mandatory.  Lines starting with `#' or `DEBUG:' are ignored.

ACCESS CONTROL

       The  shell  backend  does not honor all ACL semantics as described in slapd.access(5).  In
       general, access to objects is checked by using a dummy object that contains only  the  DN,
       so access rules that rely on the contents of the object are not honored.  In detail:

       The  add  operation does not require write (=w) access to the children pseudo-attribute of
       the parent entry.

       The bind operation requires auth (=x) access to the entry pseudo-attribute  of  the  entry
       whose  identity is being assessed; auth (=x) access to the credentials is not checked, but
       rather delegated to the underlying shell script.

       The compare operation requires read (=r) access (FIXME: wouldn't compare (=c)  be  a  more
       appropriate  choice?)   to  the  entry pseudo-attribute of the object whose value is being
       asserted; compare (=c) access to the attribute  whose  value  is  being  asserted  is  not
       checked.

       The  delete  operation does not require write (=w) access to the children pseudo-attribute
       of the parent entry.

       The modify operation requires write (=w) access to the entry pseudo-attribute; write  (=w)
       access to the specific attributes that are modified is not checked.

       The  modrdn  operation does not require write (=w) access to the children pseudo-attribute
       of the parent entry, nor to that of the new parent, if different; write (=w) access to the
       distinguished values of the naming attributes is not checked.

       The  search operation does not require search (=s) access to the entry pseudo_attribute of
       the searchBase; search (=s) access to the attributes and values used in the filter is  not
       checked.

EXAMPLE

       There  is  an  example  search  script  in the slapd/back-shell/ directory in the OpenLDAP
       source tree.

LIMITATIONS

       The shell backend does not support threaded environments.  When using the  shell  backend,
       slapd(8) should be built --without-threads.

FILES

       /etc/ldap/slapd.conf
              default slapd configuration file

SEE ALSO

       slapd.conf(5), slapd(8), sh(1).