slapd



SLAPD(8C)                                                            SLAPD(8C)




NAME

       slapd - Stand-alone LDAP Daemon


SYNOPSIS

       /usr/sbin/slapd [-[4|6]] [-T (a|c|i|p)] [-d debug-level]
       [-f slapd-config-file] [-h URLs] [-n service-name] [-s syslog-level]
       [-l syslog-local-user] [-r directory] [-u user] [-g group] [-t]
       [-c cookie]


DESCRIPTION

       Slapd  is  the stand-alone LDAP daemon. It listens for LDAP connections
       on any number of ports (default 389), responding to the LDAP operations
       it receives over these connections.  slapd is typically invoked at boot
       time, usually out of /etc/rc.local.  Upon startup, slapd normally forks
       and  disassociates  itself  from  the  invoking  tty.  If configured in
       /etc/openldap/slapd.conf, the slapd process will print its  process  ID
       (see  getpid(2))  to  a  .pid file, as well as the command line options
       during invocation to an .args file (see slapd.conf(5)).  If the -d flag
       is given, even with a zero argument, slapd will not fork and
       disassociate from the invoking tty.

       Slapd can be configured to provide replicated service  for  a  database
       with the help of slurpd, the standalone LDAP update replication daemon.
       See slurpd(8) for details.

       See the "OpenLDAP Administrator’s Guide" for more details on slapd.


OPTIONS

       -4     Listen on IPv4 addresses only.

       -6     Listen on IPv6 addresses only.

       -T (a|c|i|p)
              Run in Tool mode. The additional argument selects whether to run
              as  slapadd,  slapcat,  slapindex,  or  slappasswd.  This option
              should be the first  option  specified  when  it  is  used.  Any
              remaining  options will be interpreted by the corresponding slap
              tool program. Note that these tool programs will usually be
              symbolic links to slapd.  This option is provided for situations
              where symbolic links are not provided or not usable.

       -d debug-level
              Turn on debugging as defined by debug-level.  If this option  is
              specified,  even  with  a  zero argument, slapd will not fork or
              disassociate from the invoking terminal.  Some general operation
              and  status  messages  are printed for any value of debug-level.
              debug-level is taken as a bit string, with each bit
              corresponding to a different kind of debugging information.  See
              <ldap.h> for details.  Remember that if you turn on packet
              logging, packets containing bind passwords will be output, so if
              you redirect the log to a logfile, that file should be
              read-protected.

       -s syslog-level
              This option tells  slapd  at  what  level  debugging  statements
              should be logged to the syslog(8) facility.

       -n service-name
              Specifies  the  service  name  for  logging  and other purposes.
              Defaults to basename of argv[0], i.e.: "slapd".

       -l syslog-local-user
              Selects the local user of the syslog(8) facility. Values can  be
              LOCAL0, LOCAL1, and so on, up to LOCAL7.  The default is LOCAL4.
              However, this option is only permitted on systems  that  support
              local users with the syslog(8) facility.

       -f slapd-config-file
              Specifies   the   slapd   configuration  file.  The  default  is
              /etc/openldap/slapd.conf.

       -h URLlist
              slapd will by default serve ldap:/// (LDAP over TCP on all
              interfaces on default LDAP port).  That is, it will bind using
              INADDR_ANY and port 389.  The -h option may be used to specify
              LDAP (and other scheme) URLs to serve.  For example, if slapd is
              given -h "ldap://127.0.0.1:9009/ ldaps:/// ldapi:///", it will
              bind 127.0.0.1:9009 for LDAP, 0.0.0.0:636 for LDAP over TLS, and
              LDAP over IPC (Unix domain sockets).  Host 0.0.0.0 represents
              INADDR_ANY.  A space separated list of URLs is expected.  The
              URLs should be of the LDAP, LDAPS, or LDAPI schemes, and
              generally without a DN or other optional parameters (excepting
              as discussed below).  Support for the latter two schemes depends
              on selected configuration options.  Hosts may be specified by
              name or IPv4 and IPv6 address formats.  Ports, if specified,
              must be numeric.  The default ldap:// port is 389 and the
              default ldaps:// port is 636.

              The socket permissions for LDAP over IPC are indicated by
              "x-mod=-rwxrwxrwx", "x-mod=0777" or "x-mod=777", where any of
              the "rwx" can be "-" to suppress the related permission (note,
              however, that sockets only honor the "w" permission), while any
              of the "7" can be any legal octal digit, according to chmod(1).
              While LDAP over IPC requires write permissions on the socket to
              allow any operation, the other listeners can take advantage of
              the "x-mod" extension to apply rough limitations to users, e.g.
              allow read operations ("r", which applies to search and
              compare), write operations ("w", which applies to add, delete,
              modify and modrdn), and execute operations ("x", which means
              bind is required).  "User" permissions apply to bound users,
              while "other" apply to anonymous users.

       -r directory
              Specifies  a  chroot "jail" directory.  slapd will chdir(2) then
              chroot(2) to this directory after opening listeners  but  before
              reading any configuration file or initializing any backend.

       -u user
              slapd will run with the specified user name or id, and that
              user’s supplementary group access list as set with
              initgroups(3).  The group ID is also changed to this user’s gid,
              unless the -g option is used to override.

       -g group
              slapd will run with the specified group name or id.

       Note that on some systems, running as a non-privileged user will
       prevent passwd back-ends from accessing the encrypted passwords.  Note
       also that any shell back-ends will run as the specified non-privileged
       user.

       -t     slapd  will  read the configuration file (the default if none is
              given with the -f switch) and check its syntax, without  opening
              any listener or database.

       -c cookie
              This option provides a cookie for the syncrepl replication
              consumer.  The cookie is a comma separated list of name=value
              pairs.  Currently supported syncrepl cookie fields are csn, sid,
              and rid.  csn is the commit sequence number received by a
              previous synchronization and represents the state of the
              consumer replica content which the syncrepl engine will
              synchronize to the current provider content.  sid is the
              identity of the per-scope session log with which the provider
              server can process this syncrepl request to reduce
              synchronization traffic.  rid identifies a replication thread
              within the consumer server and is used to find the syncrepl
              specification in slapd.conf(5) having the matching replication
              identifier in its definition.


EXAMPLES

       To start slapd and have it fork and detach from the terminal and  start
       serving  the  LDAP  databases  defined in the default config file, just
       type:

            /usr/sbin/slapd

       To start slapd with an alternate configuration file, and turn on
       voluminous debugging which will be printed on standard error, type:

            /usr/sbin/slapd -f /var/tmp/slapd.conf -d 255

       To test whether the configuration file is correct or not, type:

            /usr/sbin/slapd -t
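
       To review a -h URL list before deploying it, the x-mod and bind
       rules described under -h can be checked mechanically.  The script
       below is an added example, not part of the original manual page or
       of the OpenLDAP distribution; the function names xmod_to_octal and
       audit_listeners are hypothetical, and it assumes x-mod is written in
       the LDAP URL extensions position (ldap:///????x-mod=...).

```shell
#!/bin/sh
# Added example: review a slapd -h URL list (function names are hypothetical).

# Normalise an x-mod value ("-rwxrwxrwx", "0777" or "777") to three octal digits.
xmod_to_octal() {
    v=$1
    case $v in
        -?????????)
            v=${v#-}
            case $v in *[!rwx-]*) return 1 ;; esac
            out=
            while [ -n "$v" ]; do            # consume one rwx triplet per pass
                rest=${v#???}; t=${v%"$rest"}; d=0
                case $t in r??) d=$((d + 4)) ;; esac
                case $t in ?w?) d=$((d + 2)) ;; esac
                case $t in ??x) d=$((d + 1)) ;; esac
                out=$out$d; v=$rest
            done
            echo "$out" ;;
        0[0-7][0-7][0-7]) echo "${v#0}" ;;
        [0-7][0-7][0-7]) echo "$v" ;;
        *) return 1 ;;
    esac
}

# Print one "URL: finding" line per listener that deserves a second look.
# Runs in a subshell with globbing off, because URLs may contain "?".
audit_listeners() (
    set -f
    for url in $1; do
        scheme=${url%%://*}
        host=${url#*://}; host=${host%%/*}
        oct=
        case $url in
            *x-mod=*)
                m=${url##*x-mod=}
                oct=$(xmod_to_octal "${m%%,*}") || { echo "$url: unparsable x-mod"; continue; } ;;
        esac
        other=${oct#??}                      # third digit: anonymous ("other") users
        case $scheme in
            ldapi)
                case $other in [2367]) echo "$url: socket writable by every local user" ;; esac ;;
            ldap|ldaps)
                case $host in ""|0.0.0.0*|\[::\]*) echo "$url: bound to all interfaces" ;; esac
                case $other in [2367]) echo "$url: x-mod permits anonymous write operations" ;; esac ;;
            *) echo "$url: scheme is not LDAP, LDAPS or LDAPI" ;;
        esac
    done
)
```

       Run against the -h value recorded in the .args file, it lists the
       listeners to look at; x-mod gives only rough limits, so the access
       rules in slapd.access(5) still need their own review.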



SEE ALSO

       ldap(3),   slapd.conf(5),   slapd.access(5),   slapadd(8),  slapcat(8),
       slapindex(8), slappasswd(8), slurpd(8)

       "OpenLDAP Administrator’s Guide" (http://www.OpenLDAP.org/doc/admin/)


BUGS

       See http://www.openldap.org/its/


ACKNOWLEDGEMENTS

       OpenLDAP  is  developed  and  maintained  by   The   OpenLDAP   Project
       (http://www.openldap.org/).   OpenLDAP  is  derived  from University of
       Michigan LDAP 3.3 Release.



OpenLDAP 2.2.29                   2005/10/04                         SLAPD(8C)
