upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2026-02-16 00:58:02 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

ITS#6023 minor formatting tweaks

Browse source
This commit is contained in:
Howard Chu 2009-06-03 00:43:44 +00:00
parent 2be7cb3b16
commit 7af319a571
96 changed files with 1175 additions and 1080 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

43
doc/man/man1/ldapcompare.1
View file

@ -13,7 +13,7 @@ ldapcompare \- LDAP compare tool
[\c
.BR \-z ]
[\c
.BR \-M[M] ]
.BR \-M [ M ]]
[\c
.BI \-d \ debuglevel\fR]
[\c
@ -31,9 +31,9 @@ ldapcompare \- LDAP compare tool
[\c
.BI \-p \ ldapport\fR]
[\c
.BI \-P \ 2\fR\||\|\fI3\fR]
.BR \-P \ { 2 \||\| 3 }]
[\c
.BR \-O \ security-properties ]
.BI \-O \ security-properties\fR]
[\c
.BR \-I ]
[\c
@ -49,10 +49,12 @@ ldapcompare \- LDAP compare tool
[\c
.BI \-Y \ mech\fR]
[\c
.BR \-Z[Z] ]
.IR DN \ <
.BR attr:value \ |
.BR attr::b64value \ >
.BR \-Z [ Z ]]
.IR DN
{\c
.BI attr: value
|
.BI attr:: b64value\fR}
.SH DESCRIPTION
.I ldapcompare
is a shell-accessible interface to the
@ -66,14 +68,14 @@ name in the directory. \fIAttr\fP should be a known attribute. If
followed by one colon, the assertion \fIvalue\fP should be provided
as a string. If followed by two colons, the base64 encoding of the
value is provided. The result code of the compare is provided as
the exit code and, unless ran with -z, the program prints
the exit code and, unless ran with \fB\-z\fP, the program prints
TRUE, FALSE, or UNDEFINED on standard output.
.LP
.SH OPTIONS
.TP
.B \-n
Show what would be done, but don't actually perform the compare. Useful for
debugging in conjunction with -v.
debugging in conjunction with \fB\-v\fP.
.TP
.B \-v
Run in verbose mode, with many diagnostics written to standard output.
@ -82,7 +84,7 @@ Run in verbose mode, with many diagnostics written to standard output.
Run in quiet mode, no output is written. You must check the return
status. Useful in shell scripts.
.TP
.B \-M[M]
.BR \-M [ M ]
Enable manage DSA IT control.
.B \-MM
makes control critical.
@ -97,7 +99,7 @@ Use simple authentication instead of SASL.
.TP
.BI \-D \ binddn
Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
For SASL Binds, the server is expected to ignore this value.
For SASL binds, the server is expected to ignore this value.
.TP
.B \-W
Prompt for simple authentication.
@ -120,7 +122,7 @@ by default appends a trailing newline to the echoed string.
The recommended portable way to store a cleartext password in a file
for use with this option is to use
.BR slappasswd (8)
with \fI{CLEARTEXT}\fP as hash and the option \fI\-n\fP.
with \fI{CLEARTEXT}\fP as hash and the option \fB\-n\fP.
.TP
.BI \-H \ ldapuri
Specify URI(s) referring to the ldap server(s); only the protocol/host/port
@ -129,13 +131,13 @@ is expected.
.TP
.BI \-h \ ldaphost
Specify an alternate host on which the ldap server is running.
Deprecated in favor of -H.
Deprecated in favor of \fB\-H\fP.
.TP
.BI \-p \ ldapport
Specify an alternate TCP port where the ldap server is listening.
Deprecated in favor of -H.
Deprecated in favor of \fB\-H\fP.
.TP
.BI \-P \ 2\fR\||\|\fI3
.BR \-P \ { 2 \||\| 3 }
Specify the LDAP protocol version to use.
.TP
.BI \-O \ security-properties
@ -160,20 +162,17 @@ depends on the actual SASL mechanism used.
Specify the requested authorization ID for SASL bind.
.I authzid
must be one of the following formats:
.B dn:\c
.I <distinguished name>
.BI dn: "<distinguished name>"
or
.B u:\c
.I <username>
.BI u: <username>
.TP
.BI \-Y \ mech
Specify the SASL mechanism to be used for authentication. If it's not
specified, the program will choose the best mechanism the server knows.
.TP
.B \-Z[Z]
.BR \-Z [ Z ]
Issue StartTLS (Transport Layer Security) extended operation. If you use
.B \-ZZ\c
, the command will require the operation to be successful.
\fB\-ZZ\fP, the command will require the operation to be successful.
.SH EXAMPLES
.nf
ldapcompare "uid=babs,dc=example,dc=com" sn:Jensen

39
doc/man/man1/ldapdelete.1
View file

@ -13,7 +13,7 @@ ldapdelete \- LDAP delete entry tool
[\c
.BR \-c ]
[\c
.BR \-M[M] ]
.BR \-M [ M ]]
[\c
.BI \-d \ debuglevel\fR]
[\c
@ -31,11 +31,11 @@ ldapdelete \- LDAP delete entry tool
[\c
.BI \-h \ ldaphost\fR]
[\c
.BI \-P \ 2\fR\||\|\fI3\fR]
.BR \-P \ { 2 \||\| 3 }]
[\c
.BI \-p \ ldapport\fR]
[\c
.BR \-O \ security-properties ]
.BI \-O \ security-properties\fR]
[\c
.BI \-U \ authcid\fR]
[\c
@ -55,9 +55,9 @@ ldapdelete \- LDAP delete entry tool
[\c
.BI \-z \ sizelimit\fR]
[\c
.BR \-Z[Z] ]
.BR \-Z [ Z ]]
[\c
.IR dn ]...
.IR DN \ [ ... ]]
.SH DESCRIPTION
.I ldapdelete
is a shell-accessible interface to the
@ -69,14 +69,14 @@ opens a connection to an LDAP server, binds, and deletes one or more
entries. If one or more \fIDN\fP arguments are provided, entries with
those Distinguished Names are deleted. Each \fIDN\fP should be provided
using the LDAPv3 string representation as defined in RFC 4514.
If no \fIdn\fP arguments
If no \fIDN\fP arguments
are provided, a list of DNs is read from standard input (or from
\fIfile\fP if the -f flag is used).
\fIfile\fP if the \fB\-f\fP flag is used).
.SH OPTIONS
.TP
.B \-n
Show what would be done, but don't actually delete entries. Useful for
debugging in conjunction with -v.
debugging in conjunction with \fB\-v\fP.
.TP
.B \-v
Use verbose mode, with many diagnostics written to standard output.
@ -87,7 +87,7 @@ Continuous operation mode. Errors are reported, but
will continue with deletions. The default is to exit after
reporting an error.
.TP
.B \-M[M]
.BR \-M [ M ]
Enable manage DSA IT control.
.B \-MM
makes control critical.
@ -106,7 +106,7 @@ Use simple authentication instead of SASL.
.TP
.BI \-D \ binddn
Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
For SASL Binds, the server is expected to ignore this value.
For SASL binds, the server is expected to ignore this value.
.TP
.B \-W
Prompt for simple authentication.
@ -126,13 +126,13 @@ is expected.
.TP
.BI \-h \ ldaphost
Specify an alternate host on which the ldap server is running.
Deprecated in favor of -H.
Deprecated in favor of \fB\-H\fP.
.TP
.BI \-p \ ldapport
Specify an alternate TCP port where the ldap server is listening.
Deprecated in favor of -H.
Deprecated in favor of \fB\-H\fP.
.TP
.BI \-P \ 2\fR\||\|\fI3
.BR \-P \ { 2 \||\| 3 }
Specify the LDAP protocol version to use.
.TP
.B \-r
@ -144,7 +144,7 @@ happily delete large portions of your tree. Use with care.
.BI \-z \ sizelimit
Use \fIsizelimit\fP when searching for children DN to delete,
to circumvent any server-side size limit. Only useful in conjunction
with \-r.
with \fB\-r\fP.
.TP
.BI \-O \ security-properties
Specify SASL security properties.
@ -168,20 +168,17 @@ depends on the actual SASL mechanism used.
Specify the requested authorization ID for SASL bind.
.I authzid
must be one of the following formats:
.B dn:\c
.I <distinguished name>
.BI dn: "<distinguished name>"
or
.B u:\c
.I <username>
.BI u: <username>
.TP
.BI \-Y \ mech
Specify the SASL mechanism to be used for authentication. If it's not
specified, the program will choose the best mechanism the server knows.
.TP
.B \-Z[Z]
.BR \-Z [ Z ]
Issue StartTLS (Transport Layer Security) extended operation. If you use
.B \-ZZ\c
, the command will require the operation to be successful.
\fB\-ZZ\fP, the command will require the operation to be successful.
.SH EXAMPLE
The following command:
.LP

35
doc/man/man1/ldapexop.1
View file

@ -24,7 +24,7 @@ ldapexop
[\c
.BI \-D \ binddn\fR]
[\c
.BI \-e \ [!]ext[=extparam]\fR]
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
[\c
.BI \-f \ file\fR]
[\c
@ -40,7 +40,7 @@ ldapexop
[\c
.BI \-O \ security-properties\fR]
[\c
.BI \-o \ [!]ext[=extparam]\fR]
.BI \-o \ opt\fR[\fP = optparam\fR]]
[\c
.BI \-p \ port\fR]
[\c
@ -66,8 +66,8 @@ ldapexop
[\c
.BI \-Y \ mech\fR]
[\c
.BR \-Z[Z] ]
\ {
.BR \-Z [ Z ]]
{\c
.I oid
|
.BI oid: data
@ -78,8 +78,7 @@ ldapexop
|
.BI cancel \ cancel-id
|
.BI refresh \ DN \ \fR[\fIttl\fR]
}
.BI refresh \ DN \ \fR[\fIttl\fR]}
.SH DESCRIPTION
ldapexop issues the LDAP extended operation specified by \fBoid\fP
@ -128,7 +127,7 @@ Set the LDAP debugging level to \fIlevel\fP.
.BI \-D \ binddn
Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
.TP
.BI \-e \ [!]ext[=extparam]
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
Specify general extensions. \'!\' indicates criticality.
.nf
[!]assert=<filter> (RFC 4528; a RFC 4515 Filter string)
@ -152,7 +151,7 @@ Read operations from \fIfile\fP.
.TP
.BI \-h \ host
Specify the host on which the ldap server is running.
Deprecated in favor of \fB-H\fP.
Deprecated in favor of \fB\-H\fP.
.TP
.BI \-H \ URI
Specify URI(s) referring to the ldap server(s); only the protocol/host/port
@ -165,7 +164,7 @@ only as needed.
.TP
.BI \-n
Show what would be done but don't actually do it.
Useful for debugging in conjunction with \fB-v\fP.
Useful for debugging in conjunction with \fB\-v\fP.
.TP
.BI \-N
Do not use reverse DNS to canonicalize SASL host name.
@ -173,7 +172,7 @@ Do not use reverse DNS to canonicalize SASL host name.
.BI \-O \ security-properties
Specify SASL security properties.
.TP
.BI \-o \ opt[=optparam]
.BI \-o \ opt\fR[\fP = optparam\fR]
Specify general options:
.nf
nettimeout=<timeout> (in seconds, or "none" or "max")
@ -181,7 +180,7 @@ Specify general options:
.TP
.BI \-p \ port
Specify the TCP port where the ldap server is listening.
Deprecated in favor of \fB-H\fP.
Deprecated in favor of \fB\-H\fP.
.TP
.BI \-Q
Enable SASL Quiet mode. Never prompt.
@ -199,7 +198,7 @@ Run in verbose mode, with many diagnostics written to standard output.
.TP
.BI \-V
Print version info and usage message.
If\fB-VV\fP is given, only the version information is printed.
If\fB\-VV\fP is given, only the version information is printed.
.TP
.BI \-w \ passwd
Use \fIpasswd\fP as the password for simple authentication.
@ -215,11 +214,9 @@ Use simple authentication instead of SASL.
Specify the requested authorization ID for SASL bind.
.I authzid
must be one of the following formats:
.B dn:\c
.I <distinguished name>
.BI dn: "<distinguished name>"
or
.B u:\c
.I <username>
.BI u: <username>
.TP
.BI \-y \ file
Use complete contents of \fIfile\fP as the password for
@ -229,9 +226,9 @@ simple authentication.
Specify the SASL mechanism to be used for authentication.
Without this option, the program will choose the best mechanism the server knows.
.TP
.B \-Z[Z]
.BR \-Z [ Z ]
Issue StartTLS (Transport Layer Security) extended operation.
Giving it twice (\fB-ZZ\fP) will require the operation to be successful.
Giving it twice (\fB\-ZZ\fP) will require the operation to be successful.
.SH DIAGNOSTICS
Exit status is zero if no errors occur.
@ -248,5 +245,5 @@ with \fBldapexop\fP.
Do not expect it to be complete or absolutely correct.
.SH ACKNOWLEDGEMENTS
The OpenLDAP Project <http://www.openldap.org/>
.so ../Project

58
doc/man/man1/ldapmodify.1
View file

@ -17,7 +17,7 @@ ldapmodify, ldapadd \- LDAP modify entry and LDAP add entry tools
[\c
.BR \-v ]
[\c
.BR \-M[M] ]
.BR \-M [ M ]]
[\c
.BI \-d \ debuglevel\fR]
[\c
@ -35,9 +35,9 @@ ldapmodify, ldapadd \- LDAP modify entry and LDAP add entry tools
[\c
.BI \-p \ ldapport\fR]
[\c
.BI \-P \ 2\fR\||\|\fI3\fR]
.BR \-P \ { 2 \||\| 3 }]
[\c
.BR \-O \ security-properties ]
.BI \-O \ security-properties\fR]
[\c
.BR \-I ]
[\c
@ -53,7 +53,7 @@ ldapmodify, ldapadd \- LDAP modify entry and LDAP add entry tools
[\c
.BI \-Y \ mech\fR]
[\c
.BR \-Z[Z] ]
.BR \-Z [ Z ]]
[\c
.BI \-f \ file\fR]
.LP
@ -67,7 +67,7 @@ ldapmodify, ldapadd \- LDAP modify entry and LDAP add entry tools
[\c
.BR \-v ]
[\c
.BR \-M[M] ]
.BR \-M [ M ]]
[\c
.BI \-d \ debuglevel\fR]
[\c
@ -85,9 +85,9 @@ ldapmodify, ldapadd \- LDAP modify entry and LDAP add entry tools
[\c
.BI \-p \ ldapport\fR]
[\c
.BI \-P \ 2\fR\||\|\fI3\fR]
.BR \-P \ { 2 \||\| 3 }]
[\c
.BR \-O \ security-properties ]
.BI \-O \ security-properties\fR]
[\c
.BR \-I ]
[\c
@ -103,7 +103,7 @@ ldapmodify, ldapadd \- LDAP modify entry and LDAP add entry tools
[\c
.BI \-Y \ mech\fR]
[\c
.BR \-Z[Z] ]
.BR \-Z [ Z ]]
[\c
.BI \-f \ file\fR]
.SH DESCRIPTION
@ -118,12 +118,12 @@ library calls.
.B ldapadd
is implemented as a hard link to the ldapmodify tool. When invoked as
.B ldapadd
the -a (add new entry) flag is turned on automatically.
the \fB\-a\fP (add new entry) flag is turned on automatically.
.LP
.B ldapmodify
opens a connection to an LDAP server, binds, and modifies or adds entries.
The entry information is read from standard input or from \fIfile\fP through
the use of the -f option.
the use of the \fB\-f\fP option.
.SH OPTIONS
.TP
.B \-a
@ -142,16 +142,16 @@ reporting an error.
.BI \-S \ file
Add or change records which where skipped due to an error are written to \fIfile\fP
and the error message returned by the server is added as a comment. Most useful in
conjunction with -c.
conjunction with \fB\-c\fP.
.TP
.B \-n
Show what would be done, but don't actually modify entries. Useful for
debugging in conjunction with -v.
debugging in conjunction with \fB\-v\fP.
.TP
.B \-v
Use verbose mode, with many diagnostics written to standard output.
.TP
.B \-M[M]
.BR \-M [ M ]
Enable manage DSA IT control.
.B \-MM
makes control critical.
@ -170,7 +170,7 @@ Use simple authentication instead of SASL.
.TP
.BI \-D \ binddn
Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
For SASL Binds, the server is expected to ignore this value.
For SASL binds, the server is expected to ignore this value.
.TP
.B \-W
Prompt for simple authentication.
@ -190,13 +190,13 @@ is expected.
.TP
.BI \-h \ ldaphost
Specify an alternate host on which the ldap server is running.
Deprecated in favor of -H.
Deprecated in favor of \fB\-H\fP.
.TP
.BI \-p \ ldapport
Specify an alternate TCP port where the ldap server is listening.
Deprecated in favor of -H.
Deprecated in favor of \fB\-H\fP.
.TP
.BI \-P \ 2\fR\||\|\fI3
.BR \-P \ { 2 \||\| 3 }
Specify the LDAP protocol version to use.
.TP
.BI \-O \ security-properties
@ -221,22 +221,20 @@ depends on the actual SASL mechanism used.
Specify the requested authorization ID for SASL bind.
.I authzid
must be one of the following formats:
.B dn:\c
.I <distinguished name>
.BI dn: "<distinguished name>"
or
.B u:\c
.I <username>
.BI u: <username>
.TP
.BI \-Y \ mech
Specify the SASL mechanism to be used for authentication. If it's not
specified, the program will choose the best mechanism the server knows.
.TP
.B \-Z[Z]
.BR \-Z [ Z ]
Issue StartTLS (Transport Layer Security) extended operation. If you use
.B \-ZZ\c
, the command will require the operation to be successful.
.SH INPUT FORMAT
The contents of \fIfile\fP (or standard input if no \-f flag is given on
The contents of \fIfile\fP (or standard input if no \fB\-f\fP flag is given on
the command line) must conform to the format defined in
.BR ldif (5)
(LDIF as defined in RFC 2849).
@ -250,21 +248,21 @@ exists and has the contents:
changetype: modify
replace: mail
mail: modme@example.com
-
\-
add: title
title: Grand Poobah
-
\-
add: jpegPhoto
jpegPhoto:< file:///tmp/modme.jpeg
-
\-
delete: description
-
\-
.fi
.LP
the command:
.LP
.nf
ldapmodify -f /tmp/entrymods
ldapmodify \-f /tmp/entrymods
.fi
.LP
will replace the contents of the "Modify Me" entry's
@ -296,7 +294,7 @@ exists and has the contents:
the command:
.LP
.nf
ldapadd -f /tmp/newentry
ldapadd \-f /tmp/newentry
.fi
.LP
will add a new entry for Babs Jensen, using the values from the
@ -315,7 +313,7 @@ exists and has the contents:
the command:
.LP
.nf
ldapmodify -f /tmp/entrymods
ldapmodify \-f /tmp/entrymods
.fi
.LP
will remove Babs Jensen's entry.

45
doc/man/man1/ldapmodrdn.1
View file

@ -17,7 +17,7 @@ ldapmodrdn \- LDAP rename entry tool
[\c
.BR \-c ]
[\c
.BR \-M[M] ]
.BR \-M [ M ]]
[\c
.BI \-d \ debuglevel\fR]
[\c
@ -35,9 +35,9 @@ ldapmodrdn \- LDAP rename entry tool
[\c
.BI \-p \ ldapport\fR]
[\c
.BI \-P \ 2\fR\||\|\fI3\fR]
.BR \-P \ { 2 \||\| 3 }]
[\c
.BR \-O \ security-properties ]
.BI \-O \ security-properties\fR]
[\c
.BR \-I ]
[\c
@ -53,7 +53,7 @@ ldapmodrdn \- LDAP rename entry tool
[\c
.BI \-Y \ mech\fR]
[\c
.BR \-Z[Z] ]
.BR \-Z [ Z ]]
[\c
.BI \-f \ file\fR]
[\c
@ -82,7 +82,7 @@ child of the new superior.) This option is not supported in LDAPv2.
.TP
.B \-n
Show what would be done, but don't actually change entries. Useful for
debugging in conjunction with -v.
debugging in conjunction with \fB\-v\fP.
.TP
.B \-v
Use verbose mode, with many diagnostics written to standard output.
@ -92,33 +92,33 @@ Continuous operation mode. Errors are reported, but ldapmodrdn
will continue with modifications. The default is to exit after
reporting an error.
.TP
.B \-M[M]
.BR \-M [ M ]
Enable manage DSA IT control.
.B \-MM
makes control critical.
.TP
.B \-d debuglevel
.BI \-d \ debuglevel
Set the LDAP debugging level to \fIdebuglevel\fP.
.B ldapmodrdn
must be
compiled with LDAP_DEBUG defined for this option to have any effect.
.TP
.B \-f file
.BI \-f \ file
Read the entry modification information from \fIfile\fP instead of from
standard input or the command-line.
.TP
.B \-x
Use simple authentication instead of SASL.
.TP
.B \-D binddn
.BI \-D \ binddn
Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
For SASL Binds, the server is expected to ignore this value.
For SASL binds, the server is expected to ignore this value.
.TP
.B \-W
Prompt for simple authentication.
This is used instead of specifying the password on the command line.
.TP
.B \-w passwd
.BI \-w \ passwd
Use \fIpasswd\fP as the password for simple authentication.
.TP
.BI \-y \ passwdfile
@ -132,13 +132,13 @@ is expected.
.TP
.BI \-h \ ldaphost
Specify an alternate host on which the ldap server is running.
Deprecated in favor of -H.
Deprecated in favor of \fB\-H\fP.
.TP
.BI \-p \ ldapport
Specify an alternate TCP port where the ldap server is listening.
Deprecated in favor of -H.
Deprecated in favor of \fB\-H\fP.
.TP
.BI \-P \ 2\fR\||\|\fI3
.BR \-P \ { 2 \||\| 3 }
Specify the LDAP protocol version to use.
.TP
.BI \-O \ security-properties
@ -163,28 +163,23 @@ depends on the actual SASL mechanism used.
Specify the requested authorization ID for SASL bind.
.I authzid
must be one of the following formats:
.B dn:\c
.I <distinguished name>
.BI dn: "<distinguished name>"
or
.B u:\c
.I <username>
.BI u: <username>
.TP
.BI \-Y \ mech
Specify the SASL mechanism to be used for authentication. If it's not
specified, the program will choose the best mechanism the server knows.
.TP
.B \-Z[Z]
.BR \-Z [ Z ]
Issue StartTLS (Transport Layer Security) extended operation. If you use
.B \-ZZ\c
, the command will require the operation to be successful.
\fB\-ZZ\fP, the command will require the operation to be successful.
.SH INPUT FORMAT
If the command-line arguments \fIdn\fP and \fIrdn\fP are given, \fIrdn\fP
will replace the RDN of the entry specified by the DN, \fIdn\fP.
.LP
Otherwise, the contents of \fIfile\fP (or standard input if
no
.RI \- f
flag is given) should consist of one or more entries.
no \fB\-f\fP flag is given) should consist of one or more entries.
.LP
.nf
Distinguished Name (DN)
@ -205,7 +200,7 @@ exists and has the contents:
the command:
.LP
.nf
ldapmodrdn -r -f /tmp/entrymods
ldapmodrdn \-r \-f /tmp/entrymods
.fi
.LP
will change the RDN of the "Modify Me" entry from "Modify Me" to

20
doc/man/man1/ldappasswd.1
View file

@ -39,7 +39,7 @@ ldappasswd \- change the password of an LDAP entry
[\c
.BI \-y \ passwdfile\fR]
[\c
.BR \-O \ security-properties ]
.BI \-O \ security-properties\fR]
[\c
.BR \-I ]
[\c
@ -55,7 +55,7 @@ ldappasswd \- change the password of an LDAP entry
[\c
.BI \-Y \ mech\fR]
[\c
.BR \-Z[Z] ]
.BR \-Z [ Z ]]
[\c
.IR user ]
.SH DESCRIPTION
@ -94,7 +94,7 @@ Use simple authentication instead of SASL.
.TP
.BI \-D \ binddn
Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
For SASL Binds, the server is expected to ignore this value.
For SASL binds, the server is expected to ignore this value.
.TP
.BI \-d \ debuglevel
Set the LDAP debugging level to \fIdebuglevel\fP.
@ -108,16 +108,15 @@ is expected.
.TP
.BI \-h \ ldaphost
Specify an alternate host on which the ldap server is running.
Deprecated in favor of -H.
Deprecated in favor of \fB\-H\fP.
.TP
.BI \-p \ ldapport
Specify an alternate TCP port where the ldap server is listening.
Deprecated in favor of -H.
Deprecated in favor of \fB\-H\fP.
.TP
.B \-n
Do not set password. (Can be useful when used in conjunction with
.BR \-v \ or
.BR \-d )
\fB\-v\fP or \fB\-d\fP)
.TP
.BI \-S
Prompt for new password.
@ -165,7 +164,7 @@ depends on the actual SASL mechanism used.
Specify the requested authorization ID for SASL bind.
.I authzid
must be one of the following formats:
.BI dn: <distinguished name>
.BI dn: "<distinguished name>"
or
.BI u: <username>\fP.
.TP
@ -173,10 +172,9 @@ or
Specify the SASL mechanism to be used for authentication. If it's not
specified, the program will choose the best mechanism the server knows.
.TP
.B \-Z[Z]
.BR \-Z [ Z ]
Issue StartTLS (Transport Layer Security) extended operation. If you use
.BR \-ZZ ,
the command will require the operation to be successful
\fB\-ZZ\fP, the command will require the operation to be successful
.SH SEE ALSO
.BR ldap_sasl_bind (3),
.BR ldap_extended_operation (3),

126
doc/man/man1/ldapsearch.1
View file

@ -15,7 +15,7 @@ ldapsearch \- LDAP search tool
[\c
.BR \-v ]
[\c
.BR \-t[t] ]
.BR \-t [ t ]]
[\c
.BI \-T \ path\fR]
[\c
@ -23,9 +23,9 @@ ldapsearch \- LDAP search tool
[\c
.BR \-A ]
[\c
.BR \-L[L[L]] ]
.BR \-L [ L [ L ]]]
[\c
.BR \-M[M] ]
.BR \-M [ M ]]
[\c
.BI \-S \ attribute\fR]
[\c
@ -51,21 +51,21 @@ ldapsearch \- LDAP search tool
[\c
.BI \-b \ searchbase\fR]
[\c
.BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub\fR\||\|\fIchildren\fR]
.BR \-s \ { base \||\| one \||\| sub \||\| children }]
[\c
.BI \-a \ never\fR\||\|\fIalways\fR\||\|\fIsearch\fR\||\|\fIfind\fR]
.BR \-a \ { never \||\| always \||\| search \||\| find }]
[\c
.BI \-P \ 2\fR\||\|\fI3\fR]
.BR \-P \ { 2 \||\| 3 }]
[\c
.BR \-e \ [!]ext[=extparam]]
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
[\c
.BR \-E \ [!]ext[=extparam]]
.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
[\c
.BI \-l \ timelimit\fR]
[\c
.BI \-z \ sizelimit\fR]
[\c
.BR \-O \ security-properties ]
.BI \-O \ security-properties\fR]
[\c
.BR \-I ]
[\c
@ -79,7 +79,7 @@ ldapsearch \- LDAP search tool
[\c
.BI \-Y \ mech\fR]
[\c
.BR \-Z[Z] ]
.BR \-Z [ Z ]]
.I filter
[\c
.IR attrs... ]
@ -123,19 +123,19 @@ in the output.
.B \-v
Run in verbose mode, with many diagnostics written to standard output.
.TP
.B \-t[t]
A single -t writes retrieved non-printable values to a set of temporary
.BR \-t [ t ]
A single \fB\-t\fP writes retrieved non-printable values to a set of temporary
files. This is useful for dealing with values containing non-character
data such as jpegPhoto or audio. A second -t writes all retrieved values to
data such as jpegPhoto or audio. A second \fB\-t\fP writes all retrieved values to
files.
.TP
.BI \-T \ path
Write temporary files to directory specified by \fIpath\fP (default:
/var/tmp/)
\fB/var/tmp/\fP)
.TP
.BI \-F \ prefix
URL prefix for temporary files. Default is file://\fIpath\fP/ where
\fIpath\fP is /var/tmp/ or specified with -T.
URL prefix for temporary files. Default is \fBfile://\fIpath\fP where
\fIpath\fP is \fB/var/tmp/\fP or specified with \fB\-T\fP.
.TP
.B \-A
Retrieve attributes only (no values). This is useful when you just want to
@ -145,12 +145,12 @@ specific values.
.B \-L
Search results are display in LDAP Data Interchange Format detailed in
.BR ldif (5).
A single -L restricts the output to LDIFv1.
A second -L disables comments.
A third -L disables printing of the LDIF version.
A single \fB\-L\fP restricts the output to LDIFv1.
A second \fB\-L\fP disables comments.
A third \fB\-L\fP disables printing of the LDIF version.
The default is to use an extended version of LDIF.
.TP
.B \-M[M]
.BR \-M [ M ]
Enable manage DSA IT control.
.B \-MM
makes control critical.
@ -162,8 +162,7 @@ the entries are sorted by the components of their Distinguished Name. See
.BR ldap_sort (3)
for more details. Note that
.B ldapsearch
normally prints out entries as it receives them. The use of the
.B \-S
normally prints out entries as it receives them. The use of the \fB\-S\fP
option defeats this behavior, causing all entries to be retrieved,
then sorted, then printed.
.TP
@ -181,17 +180,17 @@ the \fB%\fP character in the pattern will be regarded as an error.
Where it is desired that the search filter include a \fB%\fP character,
the character should be encoded as \fB\\25\fP (see RFC 4515).
If \fIfile\fP is a single
\fI-\fP character, then the lines are read from standard input.
\fB\-\fP character, then the lines are read from standard input.
.B ldapsearch
will exit when the first non-successful search result is returned,
unless -c is used.
unless \fB\-c\fP is used.
.TP
.B \-x
Use simple authentication instead of SASL.
.TP
.BI \-D \ binddn
Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
For SASL Binds, the server is expected to ignore this value.
For SASL binds, the server is expected to ignore this value.
.TP
.B \-W
Prompt for simple authentication.
@ -216,50 +215,50 @@ and must be escaped according to RFC 2396.
.TP
.BI \-h \ ldaphost
Specify an alternate host on which the ldap server is running.
Deprecated in favor of -H.
Deprecated in favor of \fB\-H\fP.
.TP
.BI \-p \ ldapport
Specify an alternate TCP port where the ldap server is listening.
Deprecated in favor of -H.
Deprecated in favor of \fB\-H\fP.
.TP
.BI \-b \ searchbase
Use \fIsearchbase\fP as the starting point for the search instead of
the default.
.TP
.BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub\fR\||\|\fIchildren
.BR \-s \ { base \||\| one \||\| sub \||\| children }
Specify the scope of the search to be one of
.IR base ,
.IR one ,
.IR sub ,
.BR base ,
.BR one ,
.BR sub ,
or
.I children
.B children
to specify a base object, one-level, subtree, or children search.
The default is
.IR sub .
.BR sub .
Note:
.I children
scope requires LDAPv3 subordinate feature extension.
.TP
.BI \-a \ never\fR\||\|\fIalways\fR\||\|\fIsearch\fR\||\|\fIfind
.BR \-a \ { never \||\| always \||\| search \||\| find }
Specify how aliases dereferencing is done. Should be one of
.IR never ,
.IR always ,
.IR search ,
.BR never ,
.BR always ,
.BR search ,
or
.I find
.B find
to specify that aliases are never dereferenced, always dereferenced,
dereferenced when searching, or dereferenced only when locating the
base object for the search. The default is to never dereference aliases.
.TP
.BI \-P \ 2\fR\||\|\fI3
.BR \-P \ { 2 \||\| 3 }
Specify the LDAP protocol version to use.
.TP
.B \-e \fI[!]ext[=extparam]\fP
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
.TP
.B \-E \fI[!]ext[=extparam]\fP
.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
Specify general extensions with -e and search extensions with -E.
\'!\' indicates criticality.
Specify general extensions with \fB\-e\fP and search extensions with \fB\-E\fP.
\'\fB!\fP\' indicates criticality.
General extensions:
.nf
@ -278,7 +277,7 @@ Search extensions:
[!]domainScope (domain scope)
[!]mv=<filter> (matched values filter)
[!]pr=<size>[/prompt|noprompt] (paged results/prompt)
[!]sss=[-]<attr[:OID]>[/[-]<attr[:OID]>...] (server side sorting)
[!]sss=[\-]<attr[:OID]>[/[\-]<attr[:OID]>...] (server side sorting)
[!]subentries[=true|false] (subentries)
[!]sync=ro[/<cookie>] (LDAP Sync refreshOnly)
rp[/<cookie>][/<slimit>] (LDAP Sync refreshAndPersist)
@ -332,20 +331,17 @@ depends on the actual SASL mechanism used.
Specify the requested authorization ID for SASL bind.
.I authzid
must be one of the following formats:
.B dn:\c
.I <distinguished name>
.BI dn: "<distinguished name>"
or
.B u:\c
.I <username>
.BI u: <username>
.TP
.BI \-Y \ mech
Specify the SASL mechanism to be used for authentication. If it's not
specified, the program will choose the best mechanism the server knows.
.TP
.B \-Z[Z]
.BR \-Z [ Z ]
Issue StartTLS (Transport Layer Security) extended operation. If you use
.B \-ZZ\c
, the command will require the operation to be successful.
\fB\-ZZ\fP, the command will require the operation to be successful.
.SH OUTPUT FORMAT
If one or more entries are found, each entry is written to standard
output in LDAP Data Interchange Format or
@ -364,14 +360,14 @@ output in LDAP Data Interchange Format or
...
.fi
.LP
If the -t option is used, the URI of a temporary file
is used in place of the actual value. If the -A option
If the \fB\-t\fP option is used, the URI of a temporary file
is used in place of the actual value. If the \fB\-A\fP option
is given, only the "attributename" part is written.
.SH EXAMPLE
The following command:
.LP
.nf
ldapsearch -LLL "(sn=smith)" cn sn telephoneNumber
ldapsearch \-LLL "(sn=smith)" cn sn telephoneNumber
.fi
.LP
will perform a subtree search (using the default search base and
@ -387,23 +383,23 @@ The output might look something like this if two entries are found:
cn: John Smith
cn: John T. Smith
sn: Smith
sn;lang-en: Smith
sn;lang-de: Schmidt
telephoneNumber: 1 555 123-4567
sn;lang\-en: Smith
sn;lang\-de: Schmidt
telephoneNumber: 1 555 123\-4567
dn: uid=sss,dc=example,dc=com
cn: Steve Smith
cn: Steve S. Smith
sn: Smith
sn;lang-en: Smith
sn;lang-de: Schmidt
telephoneNumber: 1 555 765-4321
sn;lang\-en: Smith
sn;lang\-de: Schmidt
telephoneNumber: 1 555 765\-4321
.fi
.LP
The command:
.LP
.nf
ldapsearch -LLL -u -t "(uid=xyz)" jpegPhoto audio
ldapsearch \-LLL \-u \-t "(uid=xyz)" jpegPhoto audio
.fi
.LP
will perform a subtree search using the default search base for entries
@ -416,14 +412,14 @@ requested attributes is found:
.nf
dn: uid=xyz,dc=example,dc=com
ufn: xyz, example, com
audio:< file:///tmp/ldapsearch-audio-a19924
jpegPhoto:< file:///tmp/ldapsearch-jpegPhoto-a19924
audio:< file:///tmp/ldapsearch\-audio\-a19924
jpegPhoto:< file:///tmp/ldapsearch\-jpegPhoto\-a19924
.fi
.LP
This command:
.LP
.nf
ldapsearch -LLL -s one -b "c=US" "(o=University*)" o description
ldapsearch \-LLL \-s one \-b "c=US" "(o=University*)" o description
.fi
.LP
will perform a one-level search at the c=US level for all entries
@ -446,7 +442,7 @@ and printed to standard output, resulting in output similar to this:
o: University of Colorado at Denver
o: UCD
o: CU/Denver
o: CU-Denver
o: CU\-Denver
description: Institute for Higher Learning and Research
dn: o=University of Florida,c=US

48
doc/man/man1/ldapurl.1
View file

@ -11,7 +11,7 @@ ldapurl \- LDAP URL formatting tool
[\c
.BI \-b \ searchbase\fR]
[\c
.BR \-E \ [!]ext[=extparam]]
.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
[\c
.BI \-f \ filter\fR]
[\c
@ -21,14 +21,14 @@ ldapurl \- LDAP URL formatting tool
[\c
.BI \-p \ ldapport\fR]
[\c
.BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub\fR\||\|\fIchildren\fR]
.BR \-s \ { base \||\| one \||\| sub \||\| children }]
[\c
.BI \-S \ scheme\fR]
.SH DESCRIPTION
.I ldapurl
is a command that allows to either compose or decompose LDAP URIs.
.LP
When invoked with the \fI-H\fP option,
When invoked with the \fB\-H\fP option,
.B ldapurl
extracts the components of the \fIldapuri\fP option argument,
unescaping hex-escaped chars as required.
@ -37,17 +37,17 @@ It basically acts as a frontend to the
call.
Otherwise, it builds an LDAP URI based on the components
passed with the appropriate options, performing the inverse operation.
Option \fI-H\fP is incompatible with options
.IR \-a ,
.IR \-b ,
.IR \-E ,
.IR \-f ,
.IR \-H ,
.IR \-h ,
.IR \-p ,
.IR \-S ,
Option \fB\-H\fP is incompatible with options
.BR \-a ,
.BR \-b ,
.BR \-E ,
.BR \-f ,
.BR \-H ,
.BR \-h ,
.BR \-p ,
.BR \-S ,
and
.IR \-s .
.BR \-s .
.SH OPTIONS
.TP
.TP
@ -57,7 +57,7 @@ Set a comma-separated list of attribute selectors.
.BI \-b \ searchbase
Set the \fIsearchbase\fP.
.TP
.B \-E \fI[!]ext[=extparam]\fP
.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
Set URL extensions; \'!\' indicates criticality.
.TP
.BI \-f \ filter
@ -77,22 +77,22 @@ Set the TCP port.
Set the URL scheme. Defaults for other fields, like \fIldapport\fP,
may depend on the value of \fIscheme\fP.
.TP
.BI \-s \ base\fR\||\|\fIone\fR\||\|\fIsub\fR\||\|\fIchildren
.BR \-s \ { base \||\| one \||\| sub \||\| children }
Specify the scope of the search to be one of
.IR base ,
.IR one ,
.IR sub ,
.BR base ,
.BR one ,
.BR sub ,
or
.I children
.B children
to specify a base object, one-level, subtree, or children search.
The default is
.IR sub .
.BR sub .
Note:
.I children
.B children
scope requires LDAPv3 subordinate feature extension.
.SH OUTPUT FORMAT
If the \fI-H\fP option is used, the \fIldapuri\fP supplied
If the \fB\-H\fP option is used, the \fIldapuri\fP supplied
is exploded in its components, which are printed to standard output
in an LDIF-like form.
.LP
@ -102,7 +102,7 @@ is printed to standard output.
The following command:
.LP
.nf
ldapuri -h ldap.example.com -b dc=example,dc=com -s sub -f (cn=Some One)
ldapuri \-h ldap.example.com \-b dc=example,dc=com \-s sub \-f "(cn=Some One)"
.fi
.LP
returns
@ -114,7 +114,7 @@ returns
The command:
.LP
.nf
ldapuri -H ldap://ldap.example.com:389/dc=example,dc=com??sub?(cn=Some%20One)
ldapuri \-H ldap://ldap.example.com:389/dc=example,dc=com??sub?(cn=Some%20One)
.fi
.LP
returns

26
doc/man/man1/ldapwhoami.1
View file

@ -45,7 +45,7 @@ ldapwhoami \- LDAP who am i? tool
[\c
.BI \-Y \ mech\fR]
[\c
.BR \-Z[Z] ]
.BR \-Z [ Z ]]
.SH DESCRIPTION
.I ldapwhoami
implements the LDAP "Who Am I?" extended operation.
@ -58,7 +58,7 @@ operation.
.B \-n
Show what would be done, but don't actually perform the whoami operation.
Useful for
debugging in conjunction with -v.
debugging in conjunction with \fB\-v\fP.
.TP
.B \-v
Run in verbose mode, with many diagnostics written to standard output.
@ -73,7 +73,7 @@ Use simple authentication instead of SASL.
.TP
.BI \-D \ binddn
Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
For SASL Binds, the server is expected to ignore this value.
For SASL binds, the server is expected to ignore this value.
.TP
.B \-W
Prompt for simple authentication.
@ -93,14 +93,11 @@ is expected.
.TP
.BI \-h \ ldaphost
Specify an alternate host on which the ldap server is running.
Deprecated in favor of -H.
Deprecated in favor of \fB\-H\fP.
.TP
.BI \-p \ ldapport
Specify an alternate TCP port where the ldap server is listening.
Deprecated in favor of -H.
.TP
.BI \-P \ 2\fR\||\|\fI3
Specify the LDAP protocol version to use.
Deprecated in favor of \fB\-H\fP.
.TP
.BI \-O \ security-properties
Specify SASL security properties.
@ -124,23 +121,20 @@ depends on the actual SASL mechanism used.
Specify the requested authorization ID for SASL bind.
.I authzid
must be one of the following formats:
.B dn:\c
.I <distinguished name>
.BI dn: "<distinguished name>"
or
.B u:\c
.I <username>
.BI u: <username>
.TP
.BI \-Y \ mech
Specify the SASL mechanism to be used for authentication. If it's not
specified, the program will choose the best mechanism the server knows.
.TP
.B \-Z[Z]
.BR \-Z [ Z ]
Issue StartTLS (Transport Layer Security) extended operation. If you use
.B \-ZZ\c
, the command will require the operation to be successful.
\fB\-ZZ\fP, the command will require the operation to be successful.
.SH EXAMPLE
.nf
ldapwhoami -x -D "cn=Manager,dc=example,dc=com" -W
ldapwhoami \-x \-D "cn=Manager,dc=example,dc=com" \-W
.fi
.SH "SEE ALSO"
.BR ldap.conf (5),

2
doc/man/man3/lber-decode.3
View file

@ -5,7 +5,7 @@
.SH NAME
ber_get_next, ber_skip_tag, ber_peek_tag, ber_scanf, ber_get_int, ber_get_enum, ber_get_stringb, ber_get_stringa, ber_get_stringal, ber_get_stringbv, ber_get_null, ber_get_boolean, ber_get_bitstring, ber_first_element, ber_next_element \- OpenLDAP LBER simplified Basic Encoding Rules library routines for decoding
.SH LIBRARY
OpenLDAP LBER (liblber, -llber)
OpenLDAP LBER (liblber, \-llber)
.SH SYNOPSIS
.B #include <lber.h>
.LP

6
doc/man/man3/lber-encode.3
View file

@ -5,7 +5,7 @@
.SH NAME
ber_alloc_t, ber_flush, ber_flush2, ber_printf, ber_put_int, ber_put_enum, ber_put_ostring, ber_put_string, ber_put_null, ber_put_boolean, ber_put_bitstring, ber_start_seq, ber_start_set, ber_put_seq, ber_put_set \- OpenLDAP LBER simplified Basic Encoding Rules library routines for encoding
.SH LIBRARY
OpenLDAP LBER (liblber, -llber)
OpenLDAP LBER (liblber, \-llber)
.SH SYNOPSIS
.B #include <lber.h>
.LP
@ -266,14 +266,14 @@ can be achieved like so:
rc = ber_printf( ber, "{siiiib{v}}", dn, scope, ali,
size, time, attrsonly, attrs );
if( rc == -1 ) {
if( rc == \-1 ) {
/* error */
} else {
/* success */
}
.fi
.SH ERRORS
If an error occurs during encoding, generally these routines return -1.
If an error occurs during encoding, generally these routines return \-1.
.LP
.SH NOTES
.LP

2
doc/man/man3/lber-memory.3
View file

@ -5,7 +5,7 @@
.SH NAME
ber_memalloc, ber_memcalloc, ber_memrealloc, ber_memfree, ber_memvfree \- OpenLDAP LBER memory allocators
.SH LIBRARY
OpenLDAP LBER (liblber, -llber)
OpenLDAP LBER (liblber, \-llber)
.SH SYNOPSIS
.B #include <lber.h>
.LP

6
doc/man/man3/lber-sockbuf.3
View file

@ -5,7 +5,7 @@
.SH NAME
ber_sockbuf_alloc, ber_sockbuf_free, ber_sockbuf_ctrl, ber_sockbuf_add_io, ber_sockbuf_remove_io, Sockbuf_IO \- OpenLDAP LBER I/O infrastructure
.SH LIBRARY
OpenLDAP LBER (liblber, -llber)
OpenLDAP LBER (liblber, \-llber)
.SH SYNOPSIS
.B #include <lber.h>
.LP
@ -83,7 +83,7 @@ Retrieves the file descriptor associated to the
.B arg
must be a
.BR "ber_socket_t *" .
The return value will be 1 if a valid descriptor was present, -1 otherwise.
The return value will be 1 if a valid descriptor was present, \-1 otherwise.
.TP
.B LBER_SB_OPT_SET_FD
Sets the file descriptor of the
@ -101,7 +101,7 @@ the
.BR Sockbuf .
.B arg
should be NULL to disable and non-NULL to enable the non-blocking state.
The return value will be 1 for success, -1 otherwise.
The return value will be 1 for success, \-1 otherwise.
.TP
.B LBER_SB_OPT_DRAIN
Flush (read and discard) all available input on the

2
doc/man/man3/lber-types.3
View file

@ -5,7 +5,7 @@
.SH NAME
ber_int_t, ber_uint_t, ber_len_t, ber_slen_t, ber_tag_t, struct berval, BerValue, BerVarray, BerElement, ber_bvfree, ber_bvecfree, ber_bvecadd, ber_bvarray_free, ber_bvarray_add, ber_bvdup, ber_dupbv, ber_bvstr, ber_bvstrdup, ber_str2bv, ber_alloc_t, ber_init, ber_init2, ber_free \- OpenLDAP LBER types and allocation functions
.SH LIBRARY
OpenLDAP LBER (liblber, -llber)
OpenLDAP LBER (liblber, \-llber)
.SH SYNOPSIS
.B #include <lber.h>
.LP

8
doc/man/man3/ldap.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap \- OpenLDAP Lightweight Directory Access Protocol API
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
@ -77,15 +77,15 @@ should use
to select version 3. The library manual pages assume version 3
has been selected.
.SH INPUT and OUTPUT PARAMETERS
All character string input/output is expected to be/is UTF\-8
All character string input/output is expected to be/is UTF-8
encoded Unicode (version 3.2).
.LP
Distinguished names (DN) (and relative distinguished names (RDN) to
be passed to the LDAP routines should conform to RFC 4514 UTF\-8
be passed to the LDAP routines should conform to RFC 4514 UTF-8
string representation.
.LP
Search filters to be passed to the search routines are to be
constructed by hand and should conform to RFC 4515 UTF\-8
constructed by hand and should conform to RFC 4515 UTF-8
string representation.
.LP
LDAP URLs to be passed to routines are expected to conform

2
doc/man/man3/ldap_abandon.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_abandon_ext \- Abandon an LDAP operation in progress
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.B

2
doc/man/man3/ldap_add.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_add_ext, ldap_add_ext_s \- Perform an LDAP add operation
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.ft B
#include <ldap.h>

4
doc/man/man3/ldap_bind.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_bind, ldap_bind_s, ldap_simple_bind, ldap_simple_bind_s, ldap_sasl_bind, ldap_sasl_bind_s, ldap_sasl_interactive_bind_s, ldap_parse_sasl_bind_result, ldap_unbind, ldap_unbind_s, ldap_unbind_ext, ldap_unbind_ext_s, ldap_set_rebind_proc \- LDAP bind routines
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.B #include <ldap.h>
@ -267,7 +267,7 @@ and
.B ldap_unbind_ext_s()
allows the operations to specify controls.
.SH ERRORS
Asynchronous routines will return -1 in case of error, setting the
Asynchronous routines will return \-1 in case of error, setting the
\fIld_errno\fP parameter of the \fIld\fP structure. Synchronous
routines return whatever \fIld_errno\fP is set to. See
.BR ldap_error (3)

2
doc/man/man3/ldap_compare.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_compare, ldap_compare_s, ldap_compare_ext, ldap_compare_ext_s \- Perform an LDAP compare operation.
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B

2
doc/man/man3/ldap_controls.3
View file

@ -7,7 +7,7 @@ ldap_control_create, ldap_control_find, ldap_control_dup,
ldap_controls_dup, ldap_control_free, ldap_controls_free
\- LDAP control manipulation routines
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.B #include <ldap.h>
.LP

4
doc/man/man3/ldap_delete.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_delete, ldap_delete_s, ldap_delete_ext, ldap_delete_ext_s \- Perform an LDAP delete operation.
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
@ -74,7 +74,7 @@ by calling one of
.BR ldap_perror (3)
and friends.
.B ldap_delete()
returns -1 if something went wrong initiating the request. It returns the
returns \-1 if something went wrong initiating the request. It returns the
non-negative message id of the request if things went ok.
.LP
.B ldap_delete_ext()

2
doc/man/man3/ldap_error.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_perror, ld_errno, ldap_result2error, ldap_errlist, ldap_err2string \- LDAP protocol error handling routines
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B

2
doc/man/man3/ldap_extended_operation.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_extended_operation, ldap_extended_operation_s \- Extends the LDAP operations to the LDAP server.
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B

2
doc/man/man3/ldap_first_attribute.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_first_attribute, ldap_next_attribute \- step through LDAP entry attributes
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B

2
doc/man/man3/ldap_first_entry.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_first_entry, ldap_next_entry, ldap_count_entries \- LDAP result entry parsing and counting routines
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B

2
doc/man/man3/ldap_first_message.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_first_message, ldap_next_message, ldap_count_messages \- Stepping through messages in a result chain
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B

2
doc/man/man3/ldap_first_reference.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_first_reference, ldap_next_reference, ldap_count_references \- Stepping through continuation references in a result chain
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B

2
doc/man/man3/ldap_get_dn.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_get_dn, ldap_explode_dn, ldap_explode_rdn, ldap_dn2ufn \- LDAP DN handling routines
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B

6
doc/man/man3/ldap_get_option.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_get_option, ldap_set_option \- LDAP option handling routines
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.B #include <ldap.h>
@ -66,7 +66,7 @@ and
.B invalue
must be a
.BR "struct timeval *" ,
and they cannot be NULL. Using a struct with seconds set to -1 results
and they cannot be NULL. Using a struct with seconds set to \-1 results
in an infinite timeout, which is the default.
.TP
.B LDAP_OPT_NETWORK_TIMEOUT
@ -84,7 +84,7 @@ and
.B invalue
must be a
.BR "struct timeval *" ,
and they cannot be NULL. Using a struct with seconds set to -1 results
and they cannot be NULL. Using a struct with seconds set to \-1 results
in an infinite timeout, which is the default.
.TP
.B LDAP_OPT_DEREF

2
doc/man/man3/ldap_get_values.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_get_values, ldap_get_values_len, ldap_count_values \- LDAP attribute value handling routines
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B

2
doc/man/man3/ldap_memory.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_memfree, ldap_memvfree, ldap_memalloc, ldap_memcalloc, ldap_memrealloc, ldap_strdup \- LDAP memory allocation routines
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.B #include <ldap.h>
.LP

2
doc/man/man3/ldap_modify.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_modify_ext, ldap_modify_ext_s \- Perform an LDAP modify operation
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B

4
doc/man/man3/ldap_modrdn.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_modrdn, ldap_modrdn_s, ldap_modrdn2, ldap_modrdn2_s \- Perform an LDAP modify RDN operation
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
@ -68,7 +68,7 @@ the entry or not.
.SH ERRORS
The synchronous (_s) versions of these routines return an LDAP error
code, either LDAP_SUCCESS or an error if there was trouble.
The asynchronous versions return -1 in case
The asynchronous versions return \-1 in case
of trouble, setting the
.B ld_errno
field of \fIld\fP. See

2
doc/man/man3/ldap_open.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_init, ldap_initialize, ldap_open \- Initialize the LDAP library and open a connection to an LDAP server
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B

2
doc/man/man3/ldap_parse_reference.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_parse_reference \- Extract referrals and controls from a reference message
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B

2
doc/man/man3/ldap_parse_result.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_parse_result \- Parsing results
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B

2
doc/man/man3/ldap_parse_sort_control.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_parse_sort_control \- Decode the information returned from a search operation that used a server-side sort control
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B

2
doc/man/man3/ldap_parse_vlv_control.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_parse_vlv_control \- Decode the information returned from a search operation that used a VLV (virtual list view) control
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B

4
doc/man/man3/ldap_rename.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_rename, ldap_rename_s \- Renames the specified entry.
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
@ -54,7 +54,7 @@ it initiated. The result of this operation can be obtained by calling
.BR ldap_result(3).
.SH ERRORS
.B ldap_rename()
returns -1 in case of error initiating the request, and
returns \-1 in case of error initiating the request, and
will set the \fIld_errno\fP field in the \fIld\fP parameter to
indicate the error.
.BR ldap_rename_s()

8
doc/man/man3/ldap_result.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_result \- Wait for the result of an LDAP operation
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B
@ -29,7 +29,7 @@ an operation previously initiated by one of the LDAP asynchronous
operation routines (e.g.,
.BR ldap_search_ext (3),
.BR ldap_modify_ext (3),
etc.). Those routines all return -1 in case of error, and an
etc.). Those routines all return \-1 in case of error, and an
invocation identifier upon successful initiation of the operation. The
invocation identifier is picked by the library and is guaranteed to be
unique across the LDAP session. It can be used to request the result
@ -118,12 +118,12 @@ The
routine returns the message id of a message.
.SH ERRORS
.B ldap_result()
returns -1 if something bad happens, and zero if the
returns \-1 if something bad happens, and zero if the
timeout specified was exceeded.
.B ldap_msgtype()
and
.B ldap_msgid()
return -1 on error.
return \-1 on error.
.SH SEE ALSO
.BR ldap (3),
.BR ldap_first_message (3),

2
doc/man/man3/ldap_schema.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_str2syntax, ldap_syntax2str, ldap_syntax2name, ldap_syntax_free, ldap_str2matchingrule, ldap_matchingrule2str, ldap_matchingrule2name, ldap_matchingrule_free, ldap_str2attributetype, ldap_attributetype2str, ldap_attributetype2name, ldap_attributetype_free, ldap_str2objectclass, ldap_objectclass2str, ldap_objectclass2name, ldap_objectclass_free, ldap_scherr2str \- Schema definition handling routines
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B

2
doc/man/man3/ldap_search.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_search, ldap_search_s, ldap_search_st, ldap_search_ext, ldap_search_ext_s \- Perform an LDAP search operation
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B

2
doc/man/man3/ldap_sort.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_sort_entries, ldap_sort_values, ldap_sort_strcasecmp \- LDAP sorting routines (deprecated)
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH DESCRIPTION
The
.BR ldap_sort_entries (),

8
doc/man/man3/ldap_sync.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_sync_init, ldap_sync_init_refresh_only, ldap_sync_init_refresh_and_persist, ldap_sync_poll \- LDAP sync routines
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.B #include <ldap.h>
@ -98,7 +98,7 @@ to indicate no limit.
The desired timeout during polling with
.BR ldap_sync_poll (3).
A value of
.BR -1
.BR \-1
means that polling is blocking, so
.BR ldap_sync_poll (3)
will not return until a message is received; a value of
@ -218,7 +218,7 @@ the regular client API routines, like
.BR ldap_parse_result (3).
The
.BR refreshDeletes
argument is not relevant in this case; it should always be -1.
argument is not relevant in this case; it should always be \-1.
.TP
.BI "void *" ls_private
A pointer to private data. The client may register here
@ -291,7 +291,7 @@ in this case, it might be appropriate to set
.BR ls_timeout
to 0, or to set it to a finite, small value.
Otherwise, if the client's main purpose consists in waiting for
responses, a timeout of -1 is most suitable, so that the function
responses, a timeout of \-1 is most suitable, so that the function
only returns after some data has been received and handled.
.SH ERRORS

2
doc/man/man3/ldap_tls.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_start_tls, ldap_start_tls_s, ldap_tls_inplace, ldap_install_tls \- LDAP TLS initialization routines
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.B #include <ldap.h>
.LP

2
doc/man/man3/ldap_url.3
View file

@ -5,7 +5,7 @@
.SH NAME
ldap_is_ldap_url, ldap_url_parse, ldap_free_urldesc \- LDAP Uniform Resource Locator routines
.SH LIBRARY
OpenLDAP LDAP (libldap, -lldap)
OpenLDAP LDAP (libldap, \-lldap)
.SH SYNOPSIS
.nf
.ft B

20
doc/man/man5/ldap.conf.5
View file

@ -40,7 +40,7 @@ The name of the variable is the option name with an added prefix of \fBLDAP\fP.
For example, to define \fBBASE\fP via the environment, set the variable
\fBLDAPBASE\fP to the desired value.
.LP
Some options are user\-only. Such options are ignored if present
Some options are user-only. Such options are ignored if present
in the
.I ldap.conf
(or file specified by
@ -127,7 +127,7 @@ The base must be specified as a Distinguished Name in LDAP format.
.B BINDDN <dn>
Specifies the default bind DN to use when performing ldap operations.
The bind DN must be specified as a Distinguished Name in LDAP format.
.B This is a user\-only option.
.B This is a user-only option.
.TP
.B DEREF <when>
Specifies how alias dereferencing is done when performing a search. The
@ -211,19 +211,19 @@ there are more options you can specify.
.TP
.B SASL_MECH <mechanism>
Specifies the SASL mechanism to use.
.B This is a user\-only option.
.B This is a user-only option.
.TP
.B SASL_REALM <realm>
Specifies the SASL realm.
.B This is a user\-only option.
.B This is a user-only option.
.TP
.B SASL_AUTHCID <authcid>
Specifies the authentication identity.
.B This is a user\-only option.
.B This is a user-only option.
.TP
.B SASL_AUTHZID <authcid>
Specifies the proxy authorization identity.
.B This is a user\-only option.
.B This is a user-only option.
.TP
.B SASL_SECPROPS <properties>
Specifies Cyrus SASL security properties. The
@ -312,7 +312,7 @@ This parameter is ignored with GNUtls.
.TP
.B TLS_CERT <filename>
Specifies the file that contains the client certificate.
.B This is a user\-only option.
.B This is a user-only option.
.TP
.B TLS_KEY <filename>
Specifies the file that contains the private key that matches the certificate
@ -320,7 +320,7 @@ stored in the
.B TLS_CERT
file. Currently, the private key must not be protected with a password, so
it is of critical importance that the key file is protected carefully.
.B This is a user\-only option.
.B This is a user-only option.
.TP
.B TLS_CIPHER_SUITE <cipher-suite-spec>
Specifies acceptable cipher suite and preference order.
@ -330,13 +330,13 @@ e.g., HIGH:MEDIUM:+SSLv2.
To check what ciphers a given spec selects, use:
.nf
openssl ciphers -v <cipher-suite-spec>
openssl ciphers \-v <cipher-suite-spec>
.fi
To obtain the list of ciphers in GNUtls use:
.nf
gnutls-cli -l
gnutls-cli \-l
.fi
.TP
.B TLS_RANDFILE <filename>

14
doc/man/man5/ldif.5
View file

@ -136,7 +136,7 @@ of \fImodify\fP, the format is one or more of the following:
<attrdesc>: <value1>
<attrdesc>: <value2>
...
-
\-
.fi
.LP
Or, for a replace modification:
@ -146,7 +146,7 @@ Or, for a replace modification:
<attrdesc>: <value1>
<attrdesc>: <value2>
...
-
\-
.fi
.LP
If no \fIattributetype\fP lines are given to replace,
@ -159,7 +159,7 @@ Or, for a delete modification:
<attrdesc>: <value1>
<attrdesc>: <value2>
...
-
\-
.fi
.LP
If no \fIattributetype\fP lines are given to delete,
@ -215,13 +215,13 @@ of each type of change.
add: givenName
givenName: Barbara
givenName: babs
-
\-
replace: description
description: the fabulous babs
-
\-
delete: sn
sn: jensen
-
\-
dn: cn=Babs Jensen,dc=example,dc=com
changetype: modrdn
@ -270,7 +270,7 @@ commands.
.BR ldapmodify (1),
.BR slapadd (8),
.BR slapcat (8),
.BR slapd-ldif (5),
.BR slapd\-ldif (5),
.BR slapd.replog (5).
.LP
"LDAP Data Interchange Format," Good, G., RFC 2849.

8
doc/man/man5/slapd-bdb.5
View file

@ -3,7 +3,7 @@
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapd-bdb, slapd-hdb \- Berkeley DB backends to slapd
slapd\-bdb, slapd\-hdb \- Berkeley DB backends to slapd
.SH SYNOPSIS
.B ETCDIR/slapd.conf
.SH DESCRIPTION
@ -83,7 +83,7 @@ or
.B cryptfile
may be configured.
.TP
.BI dbconfig \ <Berkeley\-DB\-setting>
.BI dbconfig \ <Berkeley-DB-setting>
Specify a configuration directive to be placed in the
.B DB_CONFIG
file of the database directory. The
@ -123,7 +123,7 @@ file is 16, the default for all other files depends on the size of the
underlying filesystem's block size (typically 4 or 8).
The maximum that BerkeleyDB supports is 64. This
setting usually should not need to be changed, but if BerkeleyDB's
"db_stat -d" shows a large amount of overflow pages in use in a file,
"db_stat \-d" shows a large amount of overflow pages in use in a file,
setting a larger size may increase performance at the expense of
data integrity. This setting only takes effect when a database is
being newly created. See the Berkeley DB reference guide for more details.
@ -133,7 +133,7 @@ Specify the directory where the BDB files containing this database and
associated indexes live.
A separate directory must be specified for each database.
The default is
.BR LOCALSTATEDIR/openldap-data .
.BR LOCALSTATEDIR/openldap\-data .
.TP
.B dirtyread
Allow reads of modified but not yet committed data.

64
doc/man/man5/slapd-config.5
View file

@ -3,7 +3,7 @@
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapd-config \- configuration backend to slapd
slapd\-config \- configuration backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.d
.SH DESCRIPTION
@ -109,7 +109,7 @@ reading the attribute via LDAP, the items will be returned as individual
attribute values.
Backend-specific options are discussed in the
.B slapd-<backend>(5)
.B slapd\-<backend>(5)
manual pages. Refer to the "OpenLDAP Administrator's Guide" for more
details on configuring slapd.
.SH GLOBAL CONFIGURATION OPTIONS
@ -148,26 +148,26 @@ server's command line (program name and options).
.TP
.B olcAttributeOptions: <option-name>...
Define tagging attribute options or option tag/range prefixes.
Options must not end with `-', prefixes must end with `-'.
The `lang-' prefix is predefined.
Options must not end with `\-', prefixes must end with `\-'.
The `lang\-' prefix is predefined.
If you use the
.B olcAttributeOptions
directive, `lang-' will no longer be defined and you must specify it
directive, `lang\-' will no longer be defined and you must specify it
explicitly if you want it defined.
An attribute description with a tagging option is a subtype of that
attribute description without the option.
Except for that, options defined this way have no special semantics.
Prefixes defined this way work like the `lang-' options:
Prefixes defined this way work like the `lang\-' options:
They define a prefix for tagging options starting with the prefix.
That is, if you define the prefix `x-foo-', you can use the option
`x-foo-bar'.
That is, if you define the prefix `x\-foo\-', you can use the option
`x\-foo\-bar'.
Furthermore, in a search or compare, a prefix or range name (with
a trailing `-') matches all options starting with that name, as well
as the option with the range name sans the trailing `-'.
That is, `x-foo-bar-' matches `x-foo-bar' and `x-foo-bar-baz'.
a trailing `\-') matches all options starting with that name, as well
as the option with the range name sans the trailing `\-'.
That is, `x\-foo\-bar\-' matches `x\-foo\-bar' and `x\-foo\-bar\-baz'.
RFC 4520 reserves options beginning with `x-' for private experiments.
RFC 4520 reserves options beginning with `x\-' for private experiments.
Other options should be registered with IANA, see RFC 4520 section 3.5.
OpenLDAP also has the `binary' option built in, but this is a transfer
option, not a tagging option.
@ -436,7 +436,7 @@ A SIGHUP signal will only cause a 'gentle' shutdown-attempt:
will stop listening for new connections, but will not close the
connections to the current clients. Future write operations return
unwilling-to-perform, though. Slapd terminates when all clients
have closed their connections (if they ever do), or \- as before \-
have closed their connections (if they ever do), or - as before -
if it receives a SIGTERM signal. This can be useful if you wish to
terminate the server and start a new
.B slapd
@ -601,7 +601,7 @@ or as a list of the names that are shown between brackets, such that
are equivalent.
The keyword
.B any
can be used as a shortcut to enable logging at all levels (equivalent to -1).
can be used as a shortcut to enable logging at all levels (equivalent to \-1).
The keyword
.BR none ,
or the equivalent integer representation, causes those messages
@ -652,7 +652,7 @@ If multiple values are specified, each url is provided.
.B olcReverseLookup: TRUE | FALSE
Enable/disable client name unverified reverse lookup (default is
.BR FALSE
if compiled with --enable-rlookups).
if compiled with \-\-enable\-rlookups).
.TP
.B olcRootDSE: <file>
Specify the name of an LDIF(5) file containing user defined attributes
@ -663,7 +663,7 @@ The root DSE is an entry with information about the server and its
capabilities, in operational attributes.
It has the empty DN, and can be read with e.g.:
.ti +4
ldapsearch -x -b "" -s base "+"
ldapsearch \-x \-b "" \-s base "+"
.br
See RFC 4512 section 5.1 for details.
.TP
@ -776,13 +776,13 @@ olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
To check what ciphers a given spec selects in OpenSSL, use:
.nf
openssl ciphers -v <cipher-suite-spec>
openssl ciphers \-v <cipher-suite-spec>
.fi
To obtain the list of ciphers in GNUtls use:
.nf
gnutls-cli -l
gnutls-cli \-l
.fi
.TP
.B olcTLSCACertificateFile: <filename>
@ -893,7 +893,7 @@ is only valid when using GNUtls.
.SH DYNAMIC MODULE OPTIONS
If
.B slapd
is compiled with --enable-modules then the module-related entries will
is compiled with \-\-enable\-modules then the module-related entries will
be available. These entries are named
.B cn=module{x},cn=config
and
@ -1023,7 +1023,7 @@ and must have the olcDatabaseConfig objectClass. Normally the config
engine generates the "{x}" index in the RDN automatically, so it
can be omitted when initially loading these entries.
The special frontend database is always numbered "{-1}" and the config
The special frontend database is always numbered "{\-1}" and the config
database is always numbered "{0}".
.SH GLOBAL DATABASE OPTIONS
@ -1615,7 +1615,7 @@ attribute.
.B [sizelimit=<limit>]
.B [timelimit=<limit>]
.B [schemachecking=on|off]
.B [network-timeout=<seconds>]
.B [network\-timeout=<seconds>]
.B [timeout=<seconds>]
.B [bindmethod=simple|sasl]
.B [binddn=<dn>]
@ -1720,7 +1720,7 @@ consumer site by turning on the
parameter. The default is off.
The
.B network-timeout
.B network\-timeout
parameter sets how long the consumer will wait to establish a
network connection to the provider. Once a connection is
established, the
@ -1755,7 +1755,7 @@ The
.B authzid
parameter may be used to specify an authorization identity.
Specific security properties (as with the
.B sasl-secprops
.B sasl\-secprops
keyword above) for a SASL bind can be set with the
.B secprops
option. A non default SASL realm can be set with the
@ -1786,7 +1786,7 @@ and
parameters must be set appropriately for the log that will be used. The
.B syncdata
parameter must be set to either "accesslog" if the log conforms to the
.BR slapo-accesslog (5)
.BR slapo\-accesslog (5)
log format, or "changelog" if the log conforms
to the obsolete \fIchangelog\fP format. If the
.B syncdata
@ -1846,7 +1846,7 @@ dn: cn=config
objectClass: olcGlobal
cn: config
olcPidFile: LOCALSTATEDIR/run/slapd.pid
olcAttributeOptions: x-hidden lang-
olcAttributeOptions: x\-hidden lang\-
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
@ -1859,9 +1859,9 @@ objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
# Subtypes of "name" (e.g. "cn" and "ou") with the
# option ";x-hidden" can be searched for/compared,
# option ";x\-hidden" can be searched for/compared,
# but are not shown. See \fBslapd.access\fP(5).
olcAccess: to attrs=name;x-hidden by * =cs
olcAccess: to attrs=name;x\-hidden by * =cs
# Protect passwords. See \fBslapd.access\fP(5).
olcAccess: to attrs=userPassword by * auth
# Read access to other attributes and entries.
@ -1879,11 +1879,11 @@ dn: olcDatabase=bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: bdb
olcSuffix: "dc=our-domain,dc=com"
olcSuffix: "dc=our\-domain,dc=com"
# The database directory MUST exist prior to
# running slapd AND should only be accessible
# by the slapd/tools. Mode 0700 recommended.
olcDbDirectory: LOCALSTATEDIR/openldap-data
olcDbDirectory: LOCALSTATEDIR/openldap\-data
# Indices to maintain
olcDbIndex: objectClass eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
@ -1895,7 +1895,7 @@ objectClass: olcDatabaseConfig
objectClass: olcLdapConfig
olcDatabase: ldap
olcSuffix: ""
olcDbUri: ldap://ldap.some-server.com/
olcDbUri: ldap://ldap.some\-server.com/
.fi
.RE
.LP
@ -1904,7 +1904,7 @@ ETCDIR/slapd.d directory has been created, this command will initialize
the configuration:
.RS
.nf
slapadd -F ETCDIR/slapd.d -n 0 -l config.ldif
slapadd \-F ETCDIR/slapd.d \-n 0 \-l config.ldif
.fi
.RE
@ -1916,7 +1916,7 @@ Alternatively, an existing slapd.conf file can be converted to the new
format using slapd or any of the slap tools:
.RS
.nf
slaptest -f ETCDIR/slapd.conf -F ETCDIR/slapd.d
slaptest \-f ETCDIR/slapd.conf \-F ETCDIR/slapd.d
.fi
.RE

2
doc/man/man5/slapd-dnssrv.5
View file

@ -3,7 +3,7 @@
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapd-dnssrv \- DNS SRV referral backend to slapd
slapd\-dnssrv \- DNS SRV referral backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION

120
doc/man/man5/slapd-ldap.5
View file

@ -3,7 +3,7 @@
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapd-ldap \- LDAP backend to slapd
slapd\-ldap \- LDAP backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
@ -28,7 +28,7 @@ in some modified form.
For this purpose, the proxy binds to the remote server with some
administrative identity, and, if required, authorizes the asserted identity.
See the
.IR idassert- *
.IR idassert\- *
rules below.
The administrative identity of the proxy, on the remote server, must be
allowed to authorize by means of appropriate
@ -53,7 +53,7 @@ each connection requires a new thread; as a consequence,
.BR slapd (8)
must be compiled with thread support, and the \fBthreads\fP parameter
may need some tuning; in those cases, one may consider using
.BR slapd-relay (5)
.BR slapd\-relay (5)
instead, which performs the relayed operation
internally and thus reuses the same connection.
@ -94,7 +94,7 @@ LDAP server to use. Multiple URIs can be set in a single
argument, resulting in the underlying library automatically
call the first server of the list that responds, e.g.
\fBuri "ldap://host/ ldap://backup-host/"\fP
\fBuri "ldap://host/ ldap://backup\-host/"\fP
The URI list is space- or comma-separated.
Whenever the server that responds is not the first one in the list,
@ -103,7 +103,7 @@ so that it will be first contacted the next time a connection
needs be created.
.HP
.hy 0
.B acl-bind
.B acl\-bind
.B bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
.B [authcId=<authentication ID>] [authzId=<authorization ID>]
@ -131,8 +131,8 @@ The default is to use
.BR simple
bind, with empty \fIbinddn\fP and \fIcredentials\fP,
which means that the related operations will be performed anonymously.
If not set, and if \fBidassert-bind\fP is defined, this latter identity
is used instead. See \fBidassert-bind\fP for details.
If not set, and if \fBidassert\-bind\fP is defined, this latter identity
is used instead. See \fBidassert\-bind\fP for details.
The connection between the proxy database and the remote server
associated to this identity is cached regardless of the lifespan
@ -141,13 +141,13 @@ of the client-proxy connection that first established it.
.B This identity is by no means implicitly used by the proxy
.B when the client connects anonymously.
The
.B idassert-bind
.B idassert\-bind
feature, instead, in some cases can be crafted to implement that behavior,
which is \fIintrinsically unsafe and should be used with extreme care\fP.
This directive obsoletes
.BR acl-authcDN ,
.BR acl\-authcDN ,
and
.BR acl-passwd .
.BR acl\-passwd .
The TLS settings default to the same as the main slapd TLS settings,
except for
@ -156,7 +156,7 @@ which defaults to "demand".
.RE
.TP
.B cancel {ABANDON|ignore|exop[-discover]}
.B cancel {ABANDON|ignore|exop[\-discover]}
Defines how to handle operation cancellation.
By default,
.B abandon
@ -166,9 +166,9 @@ If set to
no action is taken and any further response is ignored; this may result
in further response messages to be queued for that connection, so it is
recommended that long lasting connections are timed out either by
.I idle-timeout
.I idle\-timeout
or
.IR conn-ttl ,
.IR conn\-ttl ,
so that resources eventually get released.
If set to
.BR exop ,
@ -180,24 +180,24 @@ of the current operation; the
operation waits for remote server response, so its use
may not be recommended.
If set to
.BR exop-discover ,
.BR exop\-discover ,
support of the
.I cancel
extended operation is detected by reading the remote server's root DSE.
.TP
.B chase-referrals {YES|no}
.B chase\-referrals {YES|no}
enable/disable automatic referral chasing, which is delegated to the
underlying libldap, with rebinding eventually performed if the
\fBrebind-as-user\fP directive is used. The default is to chase referrals.
\fBrebind\-as\-user\fP directive is used. The default is to chase referrals.
.TP
.B conn-ttl <time>
.B conn\-ttl <time>
This directive causes a cached connection to be dropped an recreated
after a given ttl, regardless of being idle or not.
.TP
.B idassert-authzFrom <authz-regexp>
.B idassert\-authzFrom <authz-regexp>
if defined, selects what
.I local
identities are authorized to exploit the identity assertion feature.
@ -209,12 +209,12 @@ attribute.
See
.BR slapd.conf (5),
section related to
.BR authz-policy ,
.BR authz\-policy ,
for details on the syntax of this field.
.HP
.hy 0
.B idassert-bind
.B idassert\-bind
.B bindmethod=none|simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
.B [authcId=<authentication ID>] [authzId=<authorization ID>]
@ -241,7 +241,7 @@ This requires to have
privileges on a wide set of DNs, e.g.
.BR authzTo=dn.subtree:"" ,
and the remote server to have
.B authz-policy
.B authz\-policy
set to
.B to
or
@ -310,7 +310,7 @@ as the
or a SASL bind as the
.IR authcID ,
unless restricted by
.BR idassert-authzFrom
.BR idassert\-authzFrom
rules (see below), in which case the operation will fail;
eventually, it will assert some other identity according to
.BR <mode> .
@ -341,7 +341,7 @@ useful when the asserted identities do not exist on the remote server.
Flags can be
\fBoverride,[non-]prescriptive\fP
\fBoverride,[non\-]prescriptive\fP
When the
.B override
@ -356,13 +356,13 @@ When the
flag is used (the default), operations fail with
\fIinappropriateAuthentication\fP
for those identities whose assertion is not allowed by the
.B idassert-authzFrom
.B idassert\-authzFrom
patterns.
If the
.B non-prescriptive
.B non\-prescriptive
flag is used, operations are performed anonymously for those identities
whose assertion is not allowed by the
.B idassert-authzFrom
.B idassert\-authzFrom
patterns.
The TLS settings default to the same as the main slapd TLS settings,
@ -371,31 +371,31 @@ except for
which defaults to "demand".
The identity associated to this directive is also used for privileged
operations whenever \fBidassert-bind\fP is defined and \fBacl-bind\fP
is not. See \fBacl-bind\fP for details.
operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP
is not. See \fBacl\-bind\fP for details.
This directive obsoletes
.BR idassert-authcDN ,
.BR idassert-passwd ,
.BR idassert-mode ,
.BR idassert\-authcDN ,
.BR idassert\-passwd ,
.BR idassert\-mode ,
and
.BR idassert-method .
.BR idassert\-method .
.RE
.TP
.B idle-timeout <time>
.B idle\-timeout <time>
This directive causes a cached connection to be dropped an recreated
after it has been idle for the specified time.
.TP
.B network-timeout <time>
.B network\-timeout <time>
Sets the network timeout value after which
.BR poll (2)/ select (2)
following a
.BR connect (2)
returns in case of no activity.
The value is in seconds, and it can be specified as for
.BR idle-timeout .
.BR idle\-timeout .
.TP
.B norefs <NO|yes>
@ -452,11 +452,11 @@ The process can be restarted by resetting the \fIolcDbQuarantine\fP
attribute of the database entry in the configuration backend.
.TP
.B rebind-as-user {NO|yes}
.B rebind\-as\-user {NO|yes}
If this option is given, the client's bind credentials are remembered
for rebinds, when trying to re-establish a broken connection,
or when chasing a referral, if
.B chase-referrals
.B chase\-referrals
is set to
.IR yes .
@ -472,7 +472,7 @@ This directive is incompatible with setting \fIprotocol\-version\fP to 2.
Discards current cached connection when the client rebinds.
.TP
.B t-f-support {NO|yes|discover}
.B t\-f\-support {NO|yes|discover}
enable if the remote server supports absolute filters
(see \fIdraft-zeilenga-ldap-t-f\fP for details).
If set to
@ -510,13 +510,13 @@ is destroyed, according to RFC4511.
Note: in some cases, this backend may issue binds prior
to other operations (e.g. to bind anonymously or with some prescribed
identity according to the \fBidassert-bind\fP directive).
identity according to the \fBidassert\-bind\fP directive).
In this case, the timeout of the operation that resulted in the bind
is used.
.HP
.hy 0
.B tls {[try-]start|[try-]propagate|ldaps}
.B tls {[try\-]start|[try\-]propagate|ldaps}
.B [tls_cert=<file>]
.B [tls_key=<file>]
.B [tls_cacert=<file>]
@ -531,7 +531,7 @@ scheme is \fBldaps://\fP. In that case this keyword may only be
set to "ldaps" and the StartTLS operation will not be used.
\fBpropagate\fP issues the StartTLS operation only if the original
connection did.
The \fBtry-\fP prefix instructs the proxy to continue operations
The \fBtry\-\fP prefix instructs the proxy to continue operations
if the StartTLS operation failed; its use is \fBnot\fP recommended.
The TLS settings default to the same as the main slapd TLS settings,
@ -541,7 +541,7 @@ which defaults to "demand".
.RE
.TP
.B use-temporary-conn {NO|yes}
.B use\-temporary\-conn {NO|yes}
when set to
.BR yes ,
create a temporary connection whenever competing with other threads
@ -555,7 +555,7 @@ deprecated and should be no longer used, as they might disappear
in future releases.
.TP
.B acl-authcDN "<administrative DN for access control purposes>"
.B acl\-authcDN "<administrative DN for access control purposes>"
Formerly known as the
.BR binddn ,
it is the DN that is used to query the target server for acl checking;
@ -564,70 +564,70 @@ on the proxy for acl checking.
There is no risk of giving away such values; they are only used to
check permissions.
.B The acl-authcDN identity is by no means implicitly used by the proxy
.B The acl\-authcDN identity is by no means implicitly used by the proxy
.B when the client connects anonymously.
The
.B idassert-*
.B idassert\-*
feature can be used (at own risk) for that purpose instead.
This directive is obsoleted by the
.B binddn
arg of
.B acl-bind
.B acl\-bind
when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
.B acl-passwd <password>
.B acl\-passwd <password>
Formerly known as the
.BR bindpw ,
it is the password used with the above
.B acl-authcDN
.B acl\-authcDN
directive.
This directive is obsoleted by the
.B credentials
arg of
.B acl-bind
.B acl\-bind
when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
.B idassert-authcDN "<administrative DN for proxyAuthz purposes>"
.B idassert\-authcDN "<administrative DN for proxyAuthz purposes>"
DN which is used to propagate the client's identity to the target
by means of the proxyAuthz control when the client does not
belong to the DIT fragment that is being proxied by back-ldap.
This directive is obsoleted by the
.B binddn
arg of
.BR idassert-bind
.BR idassert\-bind
when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
.B idassert-passwd <password>
.B idassert\-passwd <password>
Password used with the
.B idassert-authcDN
.B idassert\-authcDN
above.
This directive is obsoleted by the
.B crendentials
arg of
.B idassert-bind
.B idassert\-bind
when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
.B idassert-mode <mode> [<flags>]
.B idassert\-mode <mode> [<flags>]
defines what type of
.I identity assertion
is used.
This directive is obsoleted by the
.B mode
arg of
.BR idassert-bind ,
.BR idassert\-bind ,
and will be dismissed in the future.
.TP
.B idassert-method <method> [<saslargs>]
.B idassert\-method <method> [<saslargs>]
This directive is obsoleted by the
.B bindmethod
arg of
.BR idassert-bind ,
.BR idassert\-bind ,
and will be dismissed in the future.
.TP
@ -652,10 +652,10 @@ overlay. Essentially, add a statement
.B overlay rwm
first, and prefix all rewrite/map statements with
.B rwm-
.B rwm\-
to obtain the original behavior.
See
.BR slapo-rwm (5)
.BR slapo\-rwm (5)
for details.
.\" However, to ease update from existing configurations, back-ldap still
.\" recognizes them and automatically instantiates the

4
doc/man/man5/slapd-ldbm.5
View file

@ -3,7 +3,7 @@
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapd-ldbm \- Discontinued LDBM backend to slapd
slapd\-ldbm \- Discontinued LDBM backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
@ -14,7 +14,7 @@ It has been superseded by the more robust BDB and HDB backends.
.SH SEE ALSO
.BR slapd (8),
.BR slapd-bdb (5),
.BR slapd\-bdb (5),
.BR slapd.backends (5).
.SH ACKNOWLEDGEMENTS
.so ../Project

2
doc/man/man5/slapd-ldif.5
View file

@ -3,7 +3,7 @@
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapd-ldif \- LDIF backend to slapd
slapd\-ldif \- LDIF backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION

90
doc/man/man5/slapd-meta.5
View file

@ -8,7 +8,7 @@
.\" and maybe manual pages for librewrite.
.\"
.SH NAME
slapd-meta \- metadirectory backend to slapd
slapd\-meta \- metadirectory backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
@ -52,13 +52,13 @@ Note: When looping back to the same instance of \fBslapd\fP(8),
each connection requires a new thread; as a consequence, \fBslapd\fP(8)
must be compiled with thread support, and the \fBthreads\fP parameter
may need some tuning; in those cases, unless the multiple target feature
is required, one may consider using \fBslapd-relay\fP(5) instead,
is required, one may consider using \fBslapd\-relay\fP(5) instead,
which performs the relayed operation internally and thus reuses
the same connection.
.SH EXAMPLES
There are examples in various places in this document, as well as in the
slapd/back-meta/data/ directory in the OpenLDAP source tree.
slapd/back\-meta/data/ directory in the OpenLDAP source tree.
.SH CONFIGURATION
These
.B slapd.conf
@ -96,12 +96,12 @@ to all backends.
They are:
.TP
.B conn-ttl <time>
.B conn\-ttl <time>
This directive causes a cached connection to be dropped an recreated
after a given ttl, regardless of being idle or not.
.TP
.B default-target none
.B default\-target none
This directive forces the backend to reject all those operations
that must resolve to a single target in case none or multiple
targets are selected.
@ -113,14 +113,14 @@ This directive can also be used when processing targets to mark a
specific target as default.
.TP
.B dncache-ttl {DISABLED|forever|<ttl>}
.B dncache\-ttl {DISABLED|forever|<ttl>}
This directive sets the time-to-live of the DN cache.
This caches the target that holds a given DN to speed up target
selection in case multiple targets would result from an uncached
search; forever means cache never expires; disabled means no DN
caching; otherwise a valid ( > 0 ) ttl is required, in the format
illustrated for the
.B idle-timeout
.B idle\-timeout
directive.
.TP
@ -170,7 +170,7 @@ If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
.TP
.B pseudoroot-bind-defer {YES|no}
.B pseudoroot\-bind\-defer {YES|no}
This directive, when set to
.BR yes ,
causes the authentication to the remote servers with the pseudo-root
@ -196,11 +196,11 @@ This directive must appear before any target specification;
it affects all targets with the same pattern.
.TP
.B rebind-as-user {NO|yes}
.B rebind\-as\-user {NO|yes}
If this option is given, the client's bind credentials are remembered
for rebinds, when trying to re-establish a broken connection,
or when chasing a referral, if
.B chase-referrals
.B chase\-referrals
is set to
.IR yes .
@ -218,7 +218,7 @@ overridden by any per-target directive.
Discards current cached connection when the client rebinds.
.TP
.B use-temporary-conn {NO|yes}
.B use\-temporary\-conn {NO|yes}
when set to
.BR yes ,
create a temporary connection whenever competing with other threads
@ -271,54 +271,54 @@ the last URI that succeeded.
.RE
.TP
.B acl-authcDN "<administrative DN for access control purposes>"
.B acl\-authcDN "<administrative DN for access control purposes>"
DN which is used to query the target server for acl checking,
as in the LDAP backend; it is supposed to have read access
on the target server to attributes used on the proxy for acl checking.
There is no risk of giving away such values; they are only used to
check permissions.
.B The acl-authcDN identity is by no means implicitly used by the proxy
.B The acl\-authcDN identity is by no means implicitly used by the proxy
.B when the client connects anonymously.
.TP
.B acl-passwd <password>
.B acl\-passwd <password>
Password used with the
.B
acl-authcDN
acl\-authcDN
above.
.TP
.B bind-timeout <microseconds>
.B bind\-timeout <microseconds>
This directive defines the timeout, in microseconds, used when polling
for response after an asynchronous bind connection. The initial call
to ldap_result(3) is performed with a trade-off timeout of 100000 us;
if that results in a timeout exceeded, subsequent calls use the value
provided with
.BR bind-timeout .
.BR bind\-timeout .
The default value is used also for subsequent calls if
.B bind-timeout
.B bind\-timeout
is not specified.
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
.TP
.B chase-referrals {YES|no}
.B chase\-referrals {YES|no}
enable/disable automatic referral chasing, which is delegated to the
underlying libldap, with rebinding eventually performed if the
\fBrebind-as-user\fP directive is used. The default is to chase referrals.
\fBrebind\-as\-user\fP directive is used. The default is to chase referrals.
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
.TP
.B default-target [<target>]
The "default-target" directive can also be used during target specification.
.B default\-target [<target>]
The "default\-target" directive can also be used during target specification.
With no arguments it marks the current target as the default.
The optional number marks target <target> as the default one, starting
from 1.
Target <target> must be defined.
.TP
.B idassert-authzFrom <authz-regexp>
.B idassert\-authzFrom <authz-regexp>
if defined, selects what
.I local
identities are authorized to exploit the identity assertion feature.
@ -330,12 +330,12 @@ attribute.
See
.BR slapd.conf (5),
section related to
.BR authz-policy ,
.BR authz\-policy ,
for details on the syntax of this field.
.HP
.hy 0
.B idassert-bind
.B idassert\-bind
.B bindmethod=none|simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
.B [authcId=<authentication ID>] [authzId=<authorization ID>]
@ -362,7 +362,7 @@ This requires to have
privileges on a wide set of DNs, e.g.
.BR authzTo=dn.subtree:"" ,
and the remote server to have
.B authz-policy
.B authz\-policy
set to
.B to
or
@ -431,7 +431,7 @@ as the
or a SASL bind as the
.IR authcID ,
unless restricted by
.BR idassert-authzFrom
.BR idassert\-authzFrom
rules (see below), in which case the operation will fail;
eventually, it will assert some other identity according to
.BR <mode> .
@ -462,7 +462,7 @@ useful when the asserted identities do not exist on the remote server.
Flags can be
\fBoverride,[non-]prescriptive\fP
\fBoverride,[non\-]prescriptive\fP
When the
.B override
@ -477,13 +477,13 @@ When the
flag is used (the default), operations fail with
\fIinappropriateAuthentication\fP
for those identities whose assertion is not allowed by the
.B idassert-authzFrom
.B idassert\-authzFrom
patterns.
If the
.B non-prescriptive
.B non\-prescriptive
flag is used, operations are performed anonymously for those identities
whose assertion is not allowed by the
.B idassert-authzFrom
.B idassert\-authzFrom
patterns.
The TLS settings default to the same as the main slapd TLS settings,
@ -492,12 +492,12 @@ except for
which defaults to "demand".
The identity associated to this directive is also used for privileged
operations whenever \fBidassert-bind\fP is defined and \fBacl-bind\fP
is not. See \fBacl-bind\fP for details.
operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP
is not. See \fBacl\-bind\fP for details.
.RE
.TP
.B idle-timeout <time>
.B idle\-timeout <time>
This directive causes a cached connection to be dropped an recreated
after it has been idle for the specified time.
The value can be specified as
@ -513,17 +513,17 @@ overridden by any per-target directive.
.B map "{attribute|objectclass} [<local name>|*] {<foreign name>|*}"
This maps object classes and attributes as in the LDAP backend.
See
.BR slapd-ldap (5).
.BR slapd\-ldap (5).
.TP
.B network-timeout <time>
.B network\-timeout <time>
Sets the network timeout value after which
.BR poll (2)/ select (2)
following a
.BR connect (2)
returns in case of no activity.
The value is in seconds, and it can be specified as for
.BR idle-timeout .
.BR idle\-timeout .
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
@ -558,12 +558,12 @@ using the pseudorootdn/pseudorootpw directives is inherently unsafe.
The rewrite options are described in the "REWRITING" section.
.TP
.B subtree-exclude "<DN>"
.B subtree\-exclude "<DN>"
This directive instructs back-meta to ignore the current target
for operations whose requestDN is subordinate to
.BR DN .
There may be multiple occurrences of the
.B subtree-exclude
.B subtree\-exclude
directive for each of the targets.
.TP
@ -580,7 +580,7 @@ massaging. See the "REWRITING" section for a detailed list
of the rewrite rules it implies.
.TP
.B t-f-support {NO|yes|discover}
.B t\-f\-support {NO|yes|discover}
enable if the remote server supports absolute filters
(see \fIdraft-zeilenga-ldap-t-f\fP for details).
If set to
@ -621,12 +621,12 @@ In case the timeout is exceeded during a bind operation, the connection
is destroyed, according to RFC4511.
.TP
.B tls {[try-]start|[try-]propagate}
.B tls {[try\-]start|[try\-]propagate}
execute the StartTLS extended operation when the connection is initialized;
only works if the URI directive protocol scheme is not \fBldaps://\fP.
\fBpropagate\fP issues the StartTLS operation only if the original
connection did.
The \fBtry-\fP prefix instructs the proxy to continue operations
The \fBtry\-\fP prefix instructs the proxy to continue operations
if the StartTLS operation failed; its use is highly deprecated.
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
@ -957,7 +957,7 @@ Each basic server operation is associated to a rewrite context;
they are divided in two main groups: client \-> server and
server \-> client rewriting.
.LP
client -> server:
client \-> server:
.LP
.RS
.nf
@ -980,7 +980,7 @@ exopPasswdDN password modify extended operation DN if proxy
.fi
.RE
.LP
server -> client:
server \-> client:
.LP
.RS
.nf
@ -1199,7 +1199,7 @@ operation is honored, which is performed by the frontend.
The proxy cache overlay
allows caching of LDAP search requests (queries) in a local database.
See
.BR slapo-pcache (5)
.BR slapo\-pcache (5)
for details.
.SH FILES
.TP

4
doc/man/man5/slapd-monitor.5
View file

@ -3,7 +3,7 @@
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapd-monitor \- Monitor backend to slapd
slapd\-monitor \- Monitor backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
@ -72,7 +72,7 @@ The usage is:
.LP
.RS
.nf
configure --enable-monitor
configure \-\-enable\-monitor
.fi
.RE
.TP

2
doc/man/man5/slapd-ndb.5
View file

@ -3,7 +3,7 @@
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapd-ndb \- MySQL NDB backend to slapd
slapd\-ndb \- MySQL NDB backend to slapd
.SH SYNOPSIS
.B ETCDIR/slapd.conf
.SH DESCRIPTION

2
doc/man/man5/slapd-null.5
View file

@ -3,7 +3,7 @@
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapd-null \- Null backend to slapd
slapd\-null \- Null backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION

2
doc/man/man5/slapd-passwd.5
View file

@ -3,7 +3,7 @@
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapd-passwd \- /etc/passwd backend to slapd
slapd\-passwd \- /etc/passwd backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION

4
doc/man/man5/slapd-perl.5
View file

@ -1,7 +1,7 @@
.TH SLAPD-PERL 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" $OpenLDAP$
.SH NAME
slapd-perl \- Perl backend to slapd
slapd\-perl \- Perl backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
@ -160,7 +160,7 @@ Search results are candidates that need to be filtered (with the
filter in the search request), rather than search results to be
returned directly to the client.
.SH EXAMPLE
There is an example Perl module `SampleLDAP' in the slapd/back-perl/
There is an example Perl module `SampleLDAP' in the slapd/back\-perl/
directory in the OpenLDAP source tree.
.SH ACCESS CONTROL
The

36
doc/man/man5/slapd-relay.5
View file

@ -3,7 +3,7 @@
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapd-relay \- relay backend to slapd
slapd\-relay \- relay backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
@ -15,7 +15,7 @@ running in the same
instance into a virtual naming context, with attributeType
and objectClass manipulation, if required.
It requires the
.BR slapo-rwm (5)
.BR slapo\-rwm (5)
overlay.
.LP
This backend and the above mentioned overlay are experimental.
@ -47,11 +47,11 @@ The
database does not automatically rewrite the naming context
of requests and responses.
For this purpose, the
.BR slapo-rwm (5)
.BR slapo\-rwm (5)
overlay must be explicitly instantiated, and configured
as appropriate.
Usually, the
.B rwm-suffixmassage
.B rwm\-suffixmassage
directive suffices if only naming context rewriting is required.
.SH ACCESS RULES
@ -61,7 +61,7 @@ After massaging from the virtual to the real naming context, the
frontend sees the operation as performed by the identity in the
real naming context.
Moreover, since
.B back-relay
.B back\-relay
bypasses the real database frontend operations by short-circuiting
operations through the internal backend API, the original database
access rules do not apply but in selected cases, i.e. when the
@ -103,7 +103,7 @@ that refers to a single database, use
suffix "dc=virtual,dc=naming,dc=context"
relay "dc=real,dc=naming,dc=context"
overlay rwm
rwm-suffixmassage "dc=real,dc=naming,dc=context"
rwm\-suffixmassage "dc=real,dc=naming,dc=context"
.fi
.LP
To implement a plain virtual naming context mapping
@ -113,7 +113,7 @@ that looks up the real naming context for each operation, use
database relay
suffix "dc=virtual,dc=naming,dc=context"
overlay rwm
rwm-suffixmassage "dc=real,dc=naming,dc=context"
rwm\-suffixmassage "dc=real,dc=naming,dc=context"
.fi
.LP
This is useful, for instance, to relay different databases that
@ -129,21 +129,21 @@ back from the real to the virtual naming context, use
suffix "dc=virtual,dc=naming,dc=context"
relay "dc=real,dc=naming,dc=context"
overlay rwm
rwm-rewriteEngine on
rwm-rewriteContext default
rwm-rewriteRule "dc=virtual,dc=naming,dc=context"
rwm\-rewriteEngine on
rwm\-rewriteContext default
rwm\-rewriteRule "dc=virtual,dc=naming,dc=context"
"dc=real,dc=naming,dc=context" ":@"
rwm-rewriteContext searchFilter
rwm-rewriteContext searchEntryDN
rwm-rewriteContext searchAttrDN
rwm-rewriteContext matchedDN
rwm\-rewriteContext searchFilter
rwm\-rewriteContext searchEntryDN
rwm\-rewriteContext searchAttrDN
rwm\-rewriteContext matchedDN
.fi
.LP
Note that the
.BR slapo-rwm (5)
.BR slapo\-rwm (5)
overlay is instantiated, but the rewrite rules are written explicitly,
rather than automatically as with the
.B rwm-suffixmassage
.B rwm\-suffixmassage
statement, to map all the virtual to real naming context data flow,
but none of the real to virtual.
.LP
@ -161,7 +161,7 @@ Access rules:
suffix "o=Example,c=US"
relay "dc=example,dc=com"
overlay rwm
rwm-suffixmassage "dc=example,dc=com"
rwm\-suffixmassage "dc=example,dc=com"
# skip ...
access to dn.subtree="o=Example,c=US"
by dn.exact="cn=Supervisor,dc=example,dc=com" write
@ -203,5 +203,5 @@ default slapd configuration file
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd\-config (5),
.BR slapo-rwm (5),
.BR slapo\-rwm (5),
.BR slapd (8).

8
doc/man/man5/slapd-shell.5
View file

@ -3,7 +3,7 @@
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapd-shell \- Shell backend to slapd
slapd\-shell \- Shell backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
@ -78,7 +78,7 @@ dn: <DN>
<repeat {
<"add"/"delete"/"replace">: <attribute>
<repeat { <attribute>: <value> }>
-
\-
}>
.fi
.TP
@ -219,14 +219,14 @@ pseudo_attribute of the searchBase;
access to the attributes and values used in the filter is not checked.
.SH EXAMPLE
There is an example search script in the slapd/back-shell/ directory
There is an example search script in the slapd/back\-shell/ directory
in the OpenLDAP source tree.
.SH LIMITATIONS
The shell backend does not support threaded environments.
When using the shell backend,
.BR slapd (8)
should be built
.IR --without-threads .
.IR \-\-without\-threads .
.SH FILES
.TP
ETCDIR/slapd.conf

10
doc/man/man5/slapd-sock.5
View file

@ -3,14 +3,14 @@
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapd-sock \- Socket backend to slapd
slapd\-sock \- Socket backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The Socket backend to
.BR slapd (8)
uses an external program to handle queries, similarly to
.BR slapd-shell (5).
.BR slapd\-shell (5).
However, in this case the external program listens on a Unix domain socket.
This makes it possible to have a pool of processes, which persist between
requests. This allows multithreaded operation and a higher level of
@ -40,7 +40,7 @@ Gives the path to a Unix domain socket to which the commands will
be sent and from which replies are received.
.SH PROTOCOL
The protocol is essentially the same as
.BR slapd-shell (5)
.BR slapd\-shell (5)
with the addition of a newline to terminate the command parameters. The
following commands are sent:
.RS
@ -96,7 +96,7 @@ dn: <DN>
<repeat {
<"add"/"delete"/"replace">: <attribute>
<repeat { <attribute>: <value> }>
-
\-
}>
<blank line>
.fi
@ -235,7 +235,7 @@ pseudo_attribute of the searchBase;
access to the attributes and values used in the filter is not checked.
.SH EXAMPLE
There is an example script in the slapd/back-sock/ directory
There is an example script in the slapd/back\-sock/ directory
in the OpenLDAP source tree.
.SH FILES
.TP

12
doc/man/man5/slapd-sql.5
View file

@ -1,7 +1,7 @@
.TH SLAPD-SQL 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" $OpenLDAP$
.SH NAME
slapd-sql \- SQL backend to slapd
slapd\-sql \- SQL backend to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
@ -23,7 +23,7 @@ of BerkeleyDB (as the standard BDB backend does), though it can be
used as such with several limitations.
You can take a look at
.B http://www.openldap.org/faq/index.cgi?file=378
(OpenLDAP FAQ-O-Matic/General LDAP FAQ/Directories vs. conventional
(OpenLDAP FAQ\-O\-Matic/General LDAP FAQ/Directories vs. conventional
databases) to find out more on this point.
.LP
The idea (detailed below) is to use some meta-information to translate
@ -110,7 +110,7 @@ These options specify SQL query templates for loading schema mapping
meta-information, adding and deleting entries to ldap_entries, etc.
All these and subtree_cond should have the given default values.
For the current value it is recommended to look at the sources,
or in the log output when slapd starts with "-d 5" or greater.
or in the log output when slapd starts with "\-d 5" or greater.
Note that the parameter number and order must not be changed.
.TP
@ -340,7 +340,7 @@ The API of the layers is not frozen yet, so it is unpublished.
.LP
Almost everything mentioned later is illustrated in examples located
in the
.B servers/slapd/back-sql/rdbms_depend/
.B servers/slapd/back\-sql/rdbms_depend/
directory in the OpenLDAP source tree, and contains scripts for
generating sample database for Oracle, MS SQL Server, mySQL and more
(including PostgreSQL and IBM db2).
@ -672,10 +672,10 @@ no matter if valid or not.
The proxy cache overlay
allows caching of LDAP search requests (queries) in a local database.
See
.BR slapo-pcache (5)
.BR slapo\-pcache (5)
for details.
.SH EXAMPLES
There are example SQL modules in the slapd/back-sql/rdbms_depend/
There are example SQL modules in the slapd/back\-sql/rdbms_depend/
directory in the OpenLDAP source tree.
.SH ACCESS CONTROL
The

16
doc/man/man5/slapd.access.5
View file

@ -196,7 +196,7 @@ as detailed in
and/or
.BR re_format (7),
matching a normalized string representation of the entry's DN.
The regex form of the pattern does not (yet) support UTF\-8.
The regex form of the pattern does not (yet) support UTF-8.
.LP
The statement
.B filter=<ldapfilter>
@ -722,7 +722,7 @@ Its component are defined as
.LP
.nf
<level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage
<priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+
<priv> ::= {=|+|\-}{0|d|x|c|s|r|{w|a|z}|m}+
.fi
.LP
The modifier
@ -798,7 +798,7 @@ access privileges will be only those defined by the clause.
The
.B +
and
.B -
.B \-
signs add/remove access privileges to the existing ones.
The privileges are
.B m
@ -927,7 +927,7 @@ Add content ACL checking has been configured on
the database (see the
.BR slapd.conf (5)
or
.BR slapd-config (5)
.BR slapd\-config (5)
manual page),
.B add (=a)
will be required on all of the attributes being added.
@ -1067,12 +1067,12 @@ Access control to search entries is checked by the frontend,
so it is fully honored by all backends; for all other operations
and for the discovery phase of the search operation,
full ACL semantics is only supported by the primary backends, i.e.
.BR back-bdb (5),
.BR back\-bdb (5),
and
.BR back-hdb (5).
.BR back\-hdb (5).
Some other backend, like
.BR back-sql (5),
.BR back\-sql (5),
may fully support them; others may only support a portion of the
described semantics, or even differ in some aspects.
The relevant details are described in the backend-specific man pages.
@ -1155,7 +1155,7 @@ ETCDIR/slapd.conf
default slapd configuration file
.SH SEE ALSO
.BR slapd (8),
.BR slapd-* (5),
.BR slapd\-* (5),
.BR slapacl (8),
.BR regex (7),
.BR re_format (7)

4
doc/man/man5/slapd.backends.5
View file

@ -16,7 +16,7 @@ slapd server.
Configuration options for each backend are documented separately in the
corresponding
.BR slapd-<backend> (5)
.BR slapd\-<backend> (5)
manual pages.
.TP
.B bdb
@ -98,7 +98,7 @@ in the same server, based on the naming context of the request.
Its use requires the
.B rwm
overlay (see
.BR slapo-rwm (5)
.BR slapo\-rwm (5)
for details) to rewrite the naming context of the request.
It is primarily intended to implement virtual views on databases
that actually store data.

92
doc/man/man5/slapd.conf.5
View file

@ -68,7 +68,7 @@ backslash character.
The specific configuration options available are discussed below in the
Global Configuration Options, General Backend Options, and General Database
Options. Backend-specific options are discussed in the
.B slapd-<backend>(5)
.B slapd\-<backend>(5)
manual pages. Refer to the "OpenLDAP Administrator's Guide" for more
details on the slapd configuration file.
.SH GLOBAL CONFIGURATION OPTIONS
@ -114,26 +114,26 @@ server's command line (program name and options).
.TP
.B attributeoptions [option-name]...
Define tagging attribute options or option tag/range prefixes.
Options must not end with `-', prefixes must end with `-'.
The `lang-' prefix is predefined.
Options must not end with `\-', prefixes must end with `\-'.
The `lang\-' prefix is predefined.
If you use the
.B attributeoptions
directive, `lang-' will no longer be defined and you must specify it
directive, `lang\-' will no longer be defined and you must specify it
explicitly if you want it defined.
An attribute description with a tagging option is a subtype of that
attribute description without the option.
Except for that, options defined this way have no special semantics.
Prefixes defined this way work like the `lang-' options:
Prefixes defined this way work like the `lang\-' options:
They define a prefix for tagging options starting with the prefix.
That is, if you define the prefix `x-foo-', you can use the option
`x-foo-bar'.
That is, if you define the prefix `x\-foo\-', you can use the option
`x\-foo\-bar'.
Furthermore, in a search or compare, a prefix or range name (with
a trailing `-') matches all options starting with that name, as well
as the option with the range name sans the trailing `-'.
That is, `x-foo-bar-' matches `x-foo-bar' and `x-foo-bar-baz'.
a trailing `\-') matches all options starting with that name, as well
as the option with the range name sans the trailing `\-'.
That is, `x\-foo\-bar\-' matches `x\-foo\-bar' and `x\-foo\-bar\-baz'.
RFC 4520 reserves options beginning with `x-' for private experiments.
RFC 4520 reserves options beginning with `x\-' for private experiments.
Other options should be registered with IANA, see RFC 4520 section 3.5.
OpenLDAP also has the `binary' option built in, but this is a transfer
option, not a tagging option.
@ -162,7 +162,7 @@ attribute syntax OID.
description.)
.RE
.TP
.B authz-policy <policy>
.B authz\-policy <policy>
Used to specify which rules to use for Proxy Authorization. Proxy
authorization allows a client to authenticate to the server using one
user's credentials, but specify a different identity to use for authorization
@ -311,7 +311,7 @@ and
can impact security, users are strongly encouraged
to explicitly set the type of identity specification that is being used.
A subset of these rules can be used as third arg in the
.B authz-regexp
.B authz\-regexp
statement (see below); significantly, the
.IR URI ,
provided it results in exactly one entry,
@ -320,7 +320,7 @@ and the
forms.
.RE
.TP
.B authz-regexp <match> <replace>
.B authz\-regexp <match> <replace>
Used by the authentication framework to convert simple user names,
such as provided by SASL subsystem, or extracted from certificates
in case of cert-based SASL EXTERNAL, or provided within the RFC 4370
@ -381,7 +381,7 @@ Note that this search is subject to access controls. Specifically,
the authentication identity must have "auth" access in the subject.
Multiple
.B authz-regexp
.B authz\-regexp
options can be given in the configuration file to allow for multiple matching
and replacement patterns. The matching patterns are checked in the order they
appear in the file, stopping at the first successful match.
@ -458,7 +458,7 @@ A SIGHUP signal will only cause a 'gentle' shutdown-attempt:
will stop listening for new connections, but will not close the
connections to the current clients. Future write operations return
unwilling-to-perform, though. Slapd terminates when all clients
have closed their connections (if they ever do), or \- as before \-
have closed their connections (if they ever do), or - as before -
if it receives a SIGTERM signal. This can be useful if you wish to
terminate the server and start a new
.B slapd
@ -522,7 +522,7 @@ depend on these parameters and recreating them with
.hy 0
.B ldapsyntax "(\ <oid>\
[DESC\ <description>]\
[X-SUBST <substitute\-syntax>]\ )"
[X\-SUBST <substitute-syntax>]\ )"
.RS
Specify an LDAP syntax using the LDAPv3 syntax defined in RFC 4512.
The slapd parser extends the RFC 4512 definition by allowing string
@ -531,20 +531,20 @@ forms as well as numeric OIDs to be used for the syntax OID.
.B objectidentifier
description.)
The slapd parser also honors the
.B X-SUBST
.B X\-SUBST
extension (an OpenLDAP-specific extension), which allows to use the
.B ldapsyntax
statement to define a non-implemented syntax along with another syntax,
the extension value
.IR substitute\-syntax ,
.IR substitute-syntax ,
as its temporary replacement.
The
.I substitute\-syntax
.I substitute-syntax
must be defined.
This allows to define attribute types that make use of non-implemented syntaxes
using the correct syntax OID.
Unless
.B X-SUBST
.B X\-SUBST
is used, this configuration statement would result in an error,
since no handlers would be associated to the resulting syntax structure.
.RE
@ -658,7 +658,7 @@ or as a list of the names that are shown between brackets, such that
are equivalent.
The keyword
.B any
can be used as a shortcut to enable logging at all levels (equivalent to -1).
can be used as a shortcut to enable logging at all levels (equivalent to \-1).
The keyword
.BR none ,
or the equivalent integer representation, causes those messages
@ -680,7 +680,7 @@ are searched for in the directories specified by the
.B modulepath
option. This option and the
.B modulepath
option are only usable if slapd was compiled with --enable-modules.
option are only usable if slapd was compiled with \-\-enable\-modules.
.TP
.B modulepath <pathspec>
Specify a list of directories to search for loadable modules. Typically
@ -710,7 +710,7 @@ in place of the numeric OID in objectclass and attribute definitions. The
name can also be used with a suffix of the form ":xx" in which case the
value "oid.xx" will be used.
.TP
.B password-hash <hash> [<hash>...]
.B password\-hash <hash> [<hash>...]
This option configures one or more hashes to be used in generation of user
passwords stored in the userPassword attribute during processing of
LDAP Password Modify Extended Operations (RFC 3062).
@ -798,10 +798,10 @@ may be used to require no conditions (useful to clear out globally
set conditions within a particular database); it must occur first
in the list of conditions.
.TP
.B reverse-lookup on | off
.B reverse\-lookup on | off
Enable/disable client name unverified reverse lookup (default is
.BR off
if compiled with --enable-rlookups).
if compiled with \-\-enable\-rlookups).
.TP
.B rootDSE <file>
Specify the name of an LDIF(5) file containing user defined attributes
@ -812,22 +812,22 @@ The root DSE is an entry with information about the server and its
capabilities, in operational attributes.
It has the empty DN, and can be read with e.g.:
.ti +4
ldapsearch -x -b "" -s base "+"
ldapsearch \-x \-b "" \-s base "+"
.br
See RFC 4512 section 5.1 for details.
.TP
.B sasl-auxprops <plugin> [...]
.B sasl\-auxprops <plugin> [...]
Specify which auxprop plugins to use for authentication lookups. The
default is empty, which just uses slapd's internal support. Usually
no other auxprop plugins are needed.
.TP
.B sasl-host <fqdn>
.B sasl\-host <fqdn>
Used to specify the fully qualified domain name used for SASL processing.
.TP
.B sasl-realm <realm>
.B sasl\-realm <realm>
Specify SASL realm. Default is empty.
.TP
.B sasl-secprops <properties>
.B sasl\-secprops <properties>
Used to specify Cyrus SASL security properties.
The
.B none
@ -878,7 +878,7 @@ controls the entries on this server. The default is "cn=Subschema".
.B security <factors>
Specify a set of security strength factors (separated by white space)
to require (see
.BR sasl-secprops 's
.BR sasl\-secprops 's
.B minssf
option for a description of security strength factors).
The directive may be specified globally and/or per-database.
@ -978,7 +978,7 @@ See
.BR limits
for an explanation of the different flags.
.TP
.B tool-threads <integer>
.B tool\-threads <integer>
Specify the maximum number of threads to use in tool mode.
This should not be greater than the number of CPUs in the system.
The default is 1.
@ -1008,13 +1008,13 @@ TLSCipherSuite HIGH:MEDIUM:+SSLv2
To check what ciphers a given spec selects, use:
.nf
openssl ciphers -v <cipher-suite-spec>
openssl ciphers \-v <cipher-suite-spec>
.fi
To obtain the list of ciphers in GNUtls use:
.nf
gnutls-cli -l
gnutls-cli \-l
.fi
.TP
@ -1523,7 +1523,7 @@ password can only be set if the rootdn is within the namingContext
(suffix) of the database.
This option accepts all RFC 2307 userPassword formats known to
the server (see
.B password-hash
.B password\-hash
description) as well as cleartext.
.BR slappasswd (8)
may be used to generate a hash of a password. Cleartext
@ -1604,7 +1604,7 @@ in order to work over all of the glued databases. E.g.
.B [sizelimit=<limit>]
.B [timelimit=<limit>]
.B [schemachecking=on|off]
.B [network-timeout=<seconds>]
.B [network\-timeout=<seconds>]
.B [timeout=<seconds>]
.B [bindmethod=simple|sasl]
.B [binddn=<dn>]
@ -1721,7 +1721,7 @@ As a consequence, schema checking should be \fBoff\fP when partial
replication is used.
The
.B network-timeout
.B network\-timeout
parameter sets how long the consumer will wait to establish a
network connection to the provider. Once a connection is
established, the
@ -1757,7 +1757,7 @@ The
.B authzid
parameter may be used to specify an authorization identity.
Specific security properties (as with the
.B sasl-secprops
.B sasl\-secprops
keyword above) for a SASL bind can be set with the
.B secprops
option. A non default SASL realm can be set with the
@ -1793,7 +1793,7 @@ and
parameters must be set appropriately for the log that will be used. The
.B syncdata
parameter must be set to either "accesslog" if the log conforms to the
.BR slapo-accesslog (5)
.BR slapo\-accesslog (5)
log format, or "changelog" if the log conforms
to the obsolete \fIchangelog\fP format. If the
.B syncdata
@ -1833,10 +1833,10 @@ include SYSCONFDIR/schema/core.schema
pidfile LOCALSTATEDIR/run/slapd.pid
# Subtypes of "name" (e.g. "cn" and "ou") with the
# option ";x-hidden" can be searched for/compared,
# option ";x\-hidden" can be searched for/compared,
# but are not shown. See \fBslapd.access\fP(5).
attributeoptions x-hidden lang-
access to attrs=name;x-hidden by * =cs
attributeoptions x\-hidden lang\-
access to attrs=name;x\-hidden by * =cs
# Protect passwords. See \fBslapd.access\fP(5).
access to attrs=userPassword by * auth
@ -1844,11 +1844,11 @@ access to attrs=userPassword by * auth
access to * by * read
database bdb
suffix "dc=our-domain,dc=com"
suffix "dc=our\-domain,dc=com"
# The database directory MUST exist prior to
# running slapd AND should only be accessible
# by the slapd/tools. Mode 0700 recommended.
directory LOCALSTATEDIR/openldap-data
directory LOCALSTATEDIR/openldap\-data
# Indices to maintain
index objectClass eq
index cn,sn,mail pres,eq,approx,sub
@ -1857,7 +1857,7 @@ index cn,sn,mail pres,eq,approx,sub
# so handle remote lookups on their behalf.
database ldap
suffix ""
uri ldap://ldap.some-server.com/
uri ldap://ldap.some\-server.com/
lastmod off
.fi
.RE

12
doc/man/man5/slapd.overlays.5
View file

@ -16,7 +16,7 @@ may also be configured globally.
Configuration options for each overlay are documented separately in the
corresponding
.BR slapo-<overlay> (5)
.BR slapo\-<overlay> (5)
manual pages.
.TP
.B accesslog
@ -61,9 +61,9 @@ This overlay allows expansion of dynamic groups and more.
Proxycache.
This overlay allows caching of LDAP search requests in a local database.
It is most often used with the
.BR slapd-ldap (5)
.BR slapd\-ldap (5)
or
.BR slapd-meta (5)
.BR slapd\-meta (5)
backends.
.TP
.B ppolicy
@ -75,7 +75,7 @@ password resets, etc.
.B refint
Referential Integrity.
This overlay can be used with a backend database such as
.BR slapd-bdb (5)
.BR slapd\-bdb (5)
to maintain the cohesiveness of a schema which utilizes reference
attributes.
.TP
@ -99,7 +99,7 @@ replication, including persistent search functionality.
.B translucent
Translucent Proxy.
This overlay can be used with a backend database such as
.BR slapd-bdb (5)
.BR slapd\-bdb (5)
to create a "translucent proxy".
Content of entries retrieved from a remote LDAP server can be partially
overridden by the database.
@ -107,7 +107,7 @@ overridden by the database.
.B unique
Attribute Uniqueness.
This overlay can be used with a backend database such as
.BR slapd-bdb (5)
.BR slapd\-bdb (5)
to enforce the uniqueness of some or all attributes within a subtree.
.TP
.B valsort

2
doc/man/man5/slapd.plugin.5
View file

@ -38,7 +38,7 @@ is as follows:
...
.fi
.LP
If slapd is compiled with \fI--enable-slapi\fP, support for plugins
If slapd is compiled with \fI\-\-enable\-slapi\fP, support for plugins
according to \fINetscape's Directory Server Plug-Ins\fP.
Version 4 of the API is currently implemented, with some extensions
from version 5.

6
doc/man/man5/slapo-accesslog.5
View file

@ -3,7 +3,7 @@
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapo-accesslog \- Access Logging overlay to slapd
slapo\-accesslog \- Access Logging overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
@ -256,11 +256,11 @@ performed.) The values are formatted as
.RS
.PD 0
.TP
attribute:<+|-|=|#> [ value]
attribute:<+|\-|=|#> [ value]
.RE
.RE
.PD
Where '+' indicates an Add of a value, '-' for Delete, '=' for Replace,
Where '+' indicates an Add of a value, '\-' for Delete, '=' for Replace,
and '#' for Increment. In an Add operation, all of the reqMod values will
have the '+' designator.
.P

4
doc/man/man5/slapo-auditlog.5
View file

@ -3,7 +3,7 @@
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapo-auditlog \- Audit Logging overlay to slapd
slapo\-auditlog \- Audit Logging overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.TP
@ -57,4 +57,4 @@ ETCDIR/slapd.d
default slapd configuration directory
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd-config(5).
.BR slapd\-config(5).

46
doc/man/man5/slapo-chain.5
View file

@ -3,7 +3,7 @@
.\" Copying restrictions apply. See the COPYRIGHT file.
.\" $OpenLDAP$
.SH NAME
slapo-chain \- chain overlay to slapd
slapo\-chain \- chain overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
@ -18,7 +18,7 @@ If operations are performed with an identity (i.e. after a bind),
that identity can be asserted while chasing the referrals
by means of the \fIidentity assertion\fP feature of back-ldap
(see
.BR slapd-ldap (5)
.BR slapd\-ldap (5)
for details), which is essentially based on the
.B proxied authorization
control [RFC 4370].
@ -39,7 +39,7 @@ There are very few chain overlay specific directives; however, directives
related to the instances of the \fIldap\fP backend that may be implicitly
instantiated by the overlay may assume a special meaning when used
in conjunction with this overlay. They are described in
.BR slapd-ldap (5),
.BR slapd\-ldap (5),
and they also need to be prefixed by
.BR chain\- .
.TP
@ -47,21 +47,21 @@ and they also need to be prefixed by
This directive adds the chain overlay to the current backend.
The chain overlay may be used with any backend, but it is mainly
intended for use with local storage backends that may return referrals.
It is useless in conjunction with the \fIslapd-ldap\fP and \fIslapd-meta\fP
It is useless in conjunction with the \fIslapd\-ldap\fP and \fIslapd\-meta\fP
backends because they already exploit the libldap specific referral chase
feature.
[Note: this may change in the future, as the \fBldap\fP(5) and
\fBmeta\fP(5) backends might no longer chase referrals on their own.]
.TP
.B chain-cache-uri {FALSE|true}
.B chain\-cache\-uri {FALSE|true}
This directive instructs the \fIchain\fP overlay to cache
connections to URIs parsed out of referrals that are not predefined,
to be reused for later chaining.
These URIs inherit the properties configured for the underlying
\fBslapd-ldap\fP(5) before any occurrence of the \fBchain-uri\fP
\fBslapd\-ldap\fP(5) before any occurrence of the \fBchain\-uri\fP
directive; basically, they are chained anonymously.
.TP
.B chain-chaining [resolve=<r>] [continuation=<c>] [critical]
.B chain\-chaining [resolve=<r>] [continuation=<c>] [critical]
This directive enables the \fIchaining\fP control
(see \fIdraft-sermersheim-ldap-chaining\fP for details)
with the desired resolve and continuation behaviors and criticality.
@ -79,12 +79,12 @@ The values \fBr\fP and \fBc\fP can be any of
If the \fBcritical\fP flag affects the control criticality if provided.
[This control is experimental and its support may change in the future.]
.TP
.B chain-max-depth <n>
.B chain\-max\-depth <n>
In case a referral is returned during referral chasing, further chasing
occurs at most \fB<n>\fP levels deep. Set to \fB1\fP (the default)
to disable further referral chasing.
.TP
.B chain-return-error {FALSE|true}
.B chain\-return\-error {FALSE|true}
In case referral chasing fails, the real error is returned instead
of the original referral. In case multiple referral URIs are present,
only the first error is returned. This behavior may not be always
@ -92,12 +92,12 @@ appropriate nor desirable, since failures in referral chasing might be
better resolved by the client (e.g. when caused by distributed
authentication issues).
.TP
.B chain-uri <ldapuri>
.B chain\-uri <ldapuri>
This directive instantiates a new underlying \fIldap\fP database
and instructs it about which URI to contact to chase referrals.
As opposed to what stated in \fBslapd-ldap\fP(5), only one URI
can appear after this directive; all subsequent \fBslapd-ldap\fP(5)
directives prefixed by \fBchain-\fP refer to this specific instance
As opposed to what stated in \fBslapd\-ldap\fP(5), only one URI
can appear after this directive; all subsequent \fBslapd\-ldap\fP(5)
directives prefixed by \fBchain\-\fP refer to this specific instance
of a remote server.
.LP
@ -107,17 +107,17 @@ be required, as shown in this example:
.RS
.nf
overlay chain
chain-rebind-as-user FALSE
chain\-rebind\-as\-user FALSE
chain-uri "ldap://ldap1.example.com"
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod="simple"
chain\-uri "ldap://ldap1.example.com"
chain\-rebind\-as\-user TRUE
chain\-idassert\-bind bindmethod="simple"
binddn="cn=Auth,dc=example,dc=com"
credentials="secret"
mode="self"
chain-uri "ldap://ldap2.example.com"
chain-idassert-bind bindmethod="simple"
chain\-uri "ldap://ldap2.example.com"
chain\-idassert\-bind bindmethod="simple"
binddn="cn=Auth,dc=example,dc=com"
credentials="secret"
mode="none"
@ -126,14 +126,14 @@ chain-idassert-bind bindmethod="simple"
.RE
.LP
Any valid directives for the ldap database may be used; see
.BR slapd-ldap (5)
.BR slapd\-ldap (5)
for details.
Multiple occurrences of the \fBchain-uri\fP directive may appear,
Multiple occurrences of the \fBchain\-uri\fP directive may appear,
to define multiple "trusted" URIs where operations with
\fIidentity assertion\fP are chained.
All URIs not listed in the configuration are chained anonymously.
All \fBslapd-ldap\fP(5) directives appearing before the first
occurrence of \fBchain-uri\fP are inherited by all URIs,
All \fBslapd\-ldap\fP(5) directives appearing before the first
occurrence of \fBchain\-uri\fP are inherited by all URIs,
unless specifically overridden inside each URI configuration.
.SH FILES
.TP

4
doc/man/man5/slapo-collect.5
View file

@ -3,7 +3,7 @@
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapo-collect \- Collective attributes overlay to slapd
slapo\-collect \- Collective attributes overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
@ -43,7 +43,7 @@ default slapd configuration file
.BR slapd.conf (5),
.BR slapd\-config (5),
The
.BR slapo-collect (5)
.BR slapo\-collect (5)
overlay supports dynamic configuration via
.BR back-config .
.SH ACKNOWLEDGEMENTS

2
doc/man/man5/slapo-constraint.5
View file

@ -4,7 +4,7 @@
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapo-constraint \- Attribute Constraint Overlay to slapd
slapo\-constraint \- Attribute Constraint Overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION

4
doc/man/man5/slapo-dds.5
View file

@ -3,7 +3,7 @@
.\" Copying restrictions apply. See the COPYRIGHT file.
.\" $OpenLDAP$
.SH NAME
slapo-dds \- Dynamic Directory Services overlay to slapd
slapo\-dds \- Dynamic Directory Services overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
@ -131,7 +131,7 @@ run-queue size) that are used by dynamic objects.
By default, no limit is set.
.TP
.B dds-state {TRUE|false}
.B dds\-state {TRUE|false}
Specifies if the Dynamic Directory Services feature is enabled or not.
By default it is; however, a proxy does not need to keep track of dynamic
objects itself, it only needs to inform the frontend that support for

2
doc/man/man5/slapo-dyngroup.5
View file

@ -3,7 +3,7 @@
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapo-dyngroup \- Dynamic Group overlay to slapd
slapo\-dyngroup \- Dynamic Group overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION

14
doc/man/man5/slapo-dynlist.5
View file

@ -3,7 +3,7 @@
.\" Copying restrictions apply. See the COPYRIGHT file.
.\" $OpenLDAP$
.SH NAME
slapo-dynlist \- Dynamic List overlay to slapd
slapo\-dynlist \- Dynamic List overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
@ -20,7 +20,7 @@ entry.
No recursion is allowed, to avoid potential infinite loops.
The resulting entry must comply with the LDAP data model, so constraints
are enforced.
For example, if a \fISINGLE-VALUE\fP attribute is listed,
For example, if a \fISINGLE\-VALUE\fP attribute is listed,
only the first value results in the final entry.
The above described behavior is disabled when the \fImanageDSAit\fP
control (RFC 3296) is used.
@ -50,9 +50,9 @@ occurrences, and it must appear after the
.B overlay
directive.
.TP
.B dynlist-attrset <group-oc> [<URI>] <URL-ad> [[<mapped-ad>:]<member-ad> ...]
.B dynlist\-attrset <group-oc> [<URI>] <URL-ad> [[<mapped-ad>:]<member-ad> ...]
The value
.B group-oc
.B group\-oc
is the name of the objectClass that triggers the dynamic expansion of the
data.
@ -141,7 +141,7 @@ entry; first of all, make sure that slapd.conf contains the directives:
# ...
overlay dynlist
dynlist-attrset groupOfURLs memberURL
dynlist\-attrset groupOfURLs memberURL
.fi
.LP
and that slapd loads dynlist.la, if compiled as a run-time module;
@ -170,7 +170,7 @@ attribute:
# ...
overlay dynlist
dynlist-attrset groupOfURLs memberURL member
dynlist\-attrset groupOfURLs memberURL member
.fi
.LP
@ -195,7 +195,7 @@ default slapd configuration file
.BR slapd\-config (5),
.BR slapd (8).
The
.BR slapo-dynlist (5)
.BR slapo\-dynlist (5)
overlay supports dynamic configuration via
.BR back-config .
.SH ACKNOWLEDGEMENTS

20
doc/man/man5/slapo-memberof.5
View file

@ -3,7 +3,7 @@
.\" Copying restrictions apply. See the COPYRIGHT file.
.\" $OpenLDAP$
.SH NAME
slapo-memberof \- Reverse Group Membership overlay to slapd
slapo\-memberof \- Reverse Group Membership overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
@ -36,7 +36,7 @@ The following
configuration options are defined for the memberofoverlay.
.TP
.BI memberof-group-oc \ <group-oc>
.BI memberof\-group\-oc \ <group-oc>
The value
.I <group-oc>
is the name of the objectClass that triggers the reverse group membership
@ -44,7 +44,7 @@ update.
It defaults to \fIgroupOfNames\fP.
.TP
.BI memberof-member-ad \ <member-ad>
.BI memberof\-member\-ad \ <member-ad>
The value
.I <member-ad>
is the name of the attribute that contains the names of the members
@ -52,7 +52,7 @@ in the group objects; it must be DN-valued.
It defaults to \fImember\fP.
.TP
.BI memberof-memberof-ad \ <memberof-ad>
.BI memberof\-memberof\-ad \ <memberof-ad>
The value
.I <memberof-ad>
is the name of the attribute that contains the names of the groups
@ -61,7 +61,7 @@ automatically updated by the overlay.
It defaults to \fImemberOf\fP.
.TP
.BI memberof-dn \ <dn>
.BI memberof\-dn \ <dn>
The value
.I <dn>
contains the DN that is used as \fImodifiersName\fP for internal
@ -69,7 +69,7 @@ modifications performed to update the reverse group membership.
It defaults to the \fIrootdn\fP of the underlying database.
.TP
.BI "memberof-dangling {" ignore ", " drop ", " error "}"
.BI "memberof\-dangling {" ignore ", " drop ", " error "}"
This option determines the behavior of the overlay when, during
a modification, it encounters dangling references.
The default is
@ -84,9 +84,9 @@ which causes modifications that would result in dangling references
to fail.
.TP
.BI memberof-dangling-error \ <error-code>
.BI memberof\-dangling\-error \ <error-code>
If
.BR memberof-dangling
.BR memberof\-dangling
is set to
.IR error ,
this configuration parameter can be used to modify the response code
@ -94,7 +94,7 @@ returned in case of violation. It defaults to "constraint violation",
but other implementations are known to return "no such object" instead.
.TP
.BI "memberof-refint {" true "|" FALSE "}"
.BI "memberof\-refint {" true "|" FALSE "}"
This option determines whether the overlay will try to preserve
referential integrity or not.
If set to
@ -116,7 +116,7 @@ default slapd configuration file
.BR slapd\-config (5),
.BR slapd (8).
The
.BR slapo-memberof (5)
.BR slapo\-memberof (5)
overlay supports dynamic configuration via
.BR back-config .
.SH ACKNOWLEDGEMENTS

12
doc/man/man5/slapo-pcache.5
View file

@ -4,7 +4,7 @@
.\" Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
.\" $OpenLDAP$
.SH NAME
slapo-pcache \- proxycache overlay to slapd
slapo\-pcache \- proxycache overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
@ -71,7 +71,7 @@ proxycache \fBbdb 10000 1 50 100\fP
.TP
.B proxyattrset <index> <attrs...>
Used to associate a set of attributes <attrs..> with an <index>. Each attribute
set is associated with an integer from 0 to <numattrsets>-1. These indices are
set is associated with an integer from 0 to <numattrsets>\-1. These indices are
used by the \fBproxytemplate\fP directive to define cacheable templates.
A set of attributes cannot be empty. A set of attributes can contain the
special attributes "*" (all user attributes), "+" (all operational attributes)
@ -121,7 +121,7 @@ hitting a sizelimit should also be cached for the specified amount of time.
Results hitting a sizelimit are not cached by default (<limitttl> set to 0).
.TP
.B response-callback { head | tail }
.B response\-callback { head | tail }
Specifies whether the response callback should be placed at the
.B tail
(the default) or at the
@ -219,11 +219,11 @@ For this reason, it is suggested that, when using
proxy caching be used in conjunction with the
.I identity assertion
feature of
.BR slapd-ldap (5)
.BR slapd\-ldap (5)
(see the
.B idassert-bind
.B idassert\-bind
and the
.B idassert-authz
.B idassert\-authz
statements), so that remote server interrogation occurs with a vanilla identity
that has some relatively high
.B search

56
doc/man/man5/slapo-ppolicy.5
View file

@ -3,7 +3,7 @@
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapo-ppolicy \- Password Policy overlay to slapd
slapo\-ppolicy \- Password Policy overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
@ -17,7 +17,7 @@ decodes and applies specific password policy controls to overall
use of a backend database, changes to user password fields, etc.
.P
The overlay provides a variety of password control mechanisms. They
include password aging--both minimum and maximum ages, password
include password aging -- both minimum and maximum ages, password
reuse and duplication control, account time-outs, mandatory password
resets, acceptable password content, and even grace logins.
Different groups of users may be associated with different password
@ -159,7 +159,7 @@ modified whenever and however often is desired).
NAME 'pwdMinAge'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
SINGLE\-VALUE )
.RE
.B pwdMaxAge
@ -173,7 +173,7 @@ value is zero (0), then passwords will not expire.
NAME 'pwdMaxAge'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
SINGLE\-VALUE )
.RE
.B pwdInHistory
@ -196,7 +196,7 @@ although the password is saved in the history.
NAME 'pwdInHistory'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
SINGLE\-VALUE )
.RE
.B pwdCheckQuality
@ -217,7 +217,7 @@ error refusing the password.
NAME 'pwdCheckQuality'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
SINGLE\-VALUE )
.RE
.B pwdMinLength
@ -245,7 +245,7 @@ is two (2)).
NAME 'pwdMinLength'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
SINGLE\-VALUE )
.RE
.B pwdExpireWarning
@ -261,7 +261,7 @@ present, or if the value is zero (0), no warnings will be sent.
NAME 'pwdExpireWarning'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
SINGLE\-VALUE )
.RE
.B pwdGraceAuthnLimit
@ -277,7 +277,7 @@ directory.
NAME 'pwdGraceAuthnLimit'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
SINGLE\-VALUE )
.RE
.B pwdLockout
@ -303,7 +303,7 @@ attempts have been made.
NAME 'pwdLockout'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
SINGLE\-VALUE )
.RE
.B pwdLockoutDuration
@ -327,7 +327,7 @@ again until it is reset by an administrator.
NAME 'pwdLockoutDuration'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
SINGLE\-VALUE )
.RE
.B pwdMaxFailure
@ -351,7 +351,7 @@ and
NAME 'pwdMaxFailure'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
SINGLE\-VALUE )
.RE
.B pwdFailureCountInterval
@ -369,7 +369,7 @@ counter will only be reset by a successful authentication.
NAME 'pwdFailureCountInterval'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
SINGLE\-VALUE )
.RE
.B pwdMustChange
@ -391,7 +391,7 @@ the administrator sets or resets the password.
NAME 'pwdMustChange'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
SINGLE\-VALUE )
.RE
.B pwdAllowUserChange
@ -408,7 +408,7 @@ users will not be allowed to change their own passwords.
NAME 'pwdAllowUserChange'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
SINGLE\-VALUE )
.RE
.B pwdSafeModify
@ -426,7 +426,7 @@ along with the new password.
NAME 'pwdSafeModify'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
SINGLE\-VALUE )
.RE
.B pwdCheckModule
@ -473,7 +473,7 @@ be free()'d by slapd.
NAME 'pwdCheckModule'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
SINGLE\-VALUE )
.RE
.P
Note:
@ -546,8 +546,8 @@ policy rules will be enforced.
this object'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE
NO-USER-MODIFICATION
SINGLE\-VALUE
NO\-USER\-MODIFICATION
USAGE directoryOperation)
.RE
@ -567,8 +567,8 @@ does not exist, the user's password will not expire.
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SINGLE-VALUE
NO-USER-MODIFICATION
SINGLE\-VALUE
NO\-USER\-MODIFICATION
USAGE directoryOperation)
.RE
@ -588,8 +588,8 @@ and may only be unlocked by an administrator.
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SINGLE-VALUE
NO-USER-MODIFICATION
SINGLE\-VALUE
NO\-USER\-MODIFICATION
USAGE directoryOperation)
.RE
@ -623,7 +623,7 @@ will be cleansed of entries.
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
NO-USER-MODIFICATION
NO\-USER\-MODIFICATION
USAGE directoryOperation )
.RE
@ -677,7 +677,7 @@ field is in GMT format.
DESC 'The history of user passwords'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
EQUALITY octetStringMatch
NO-USER-MODIFICATION
NO\-USER\-MODIFICATION
USAGE directoryOperation)
.RE
@ -701,7 +701,7 @@ attribute.
DESC 'The timestamps of the grace login once the password has expired'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
NO-USER-MODIFICATION
NO\-USER\-MODIFICATION
USAGE directoryOperation)
.RE
@ -723,7 +723,7 @@ administrative reset.
been reset'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE
SINGLE\-VALUE
USAGE directoryOperation)
.RE
@ -733,7 +733,7 @@ administrative reset.
.nf
database bdb
suffix dc=example,dc=com
\...
\|...
overlay ppolicy
ppolicy_default "cn=Standard,ou=Policies,dc=example,dc=com"
.fi

4
doc/man/man5/slapo-refint.5
View file

@ -3,12 +3,12 @@
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapo-refint \- Referential Integrity overlay to slapd
slapo\-refint \- Referential Integrity overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The Referential Integrity overlay can be used with a backend database such as
.BR slapd-bdb (5)
.BR slapd\-bdb (5)
to maintain the cohesiveness of a schema which utilizes reference attributes.
.LP
Integrity is maintained by updating database records which contain the named

32
doc/man/man5/slapo-retcode.5
View file

@ -4,7 +4,7 @@
.\" Copyright 2001, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
.\" $OpenLDAP$
.SH NAME
slapo-retcode \- return code overlay to slapd
slapo\-retcode \- return code overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
@ -58,7 +58,7 @@ If not defined, the suffix of the database is used.
.hy 0
.B retcode\-item <RDN> <errCode> [op=<oplist>] [text=<message>]
.B [ref=<referral>] [sleeptime=<sec>] [matched=<DN>]
.B [unsolicited=<OID>[:<data>]] [flags=[{pre|post}-]disconnect[,...]]
.B [unsolicited=<OID>[:<data>]] [flags=[{pre|post}\-]disconnect[,...]]
.RS
A dynamically generated entry, located below \fBretcode\-parent\fP.
The \fBerrCode\fP is the number of the response code;
@ -79,9 +79,9 @@ The \fBunsolicited\fP field can be used to cause the return
of an RFC 4511 unsolicited response message; if \fBOID\fP
is not "0", an extended response is generated, with the optional
\fBdata\fP appended.
If \fBflags\fP contains \fBdisconnect\fP, or \fBpre-disconnect\fP,
If \fBflags\fP contains \fBdisconnect\fP, or \fBpre\-disconnect\fP,
.BR slapd (8)
disconnects abruptly, without notice; \fBpost-disconnect\fP
disconnects abruptly, without notice; \fBpost\-disconnect\fP
causes disconnection right after sending response as appropriate.
.RE
.TP
@ -89,7 +89,7 @@ causes disconnection right after sending response as appropriate.
Enables exploitation of in-directory stored errAbsObject.
May result in a lot of unnecessary overhead.
.TP
.B retcode\-sleep [-]<n>
.B retcode\-sleep [\-]<n>
Defines a sleep time in seconds that is spent before actually handling
any operation.
If negative, a random time between 0 and the absolute value of the argument
@ -119,7 +119,7 @@ The error code:
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
SINGLE\-VALUE )
.RE
.LP
The operations that trigger the response code:
@ -140,7 +140,7 @@ The text message:
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
SINGLE\-VALUE )
.RE
.LP
The sleep time before the response is actually returned to the client:
@ -150,7 +150,7 @@ The sleep time before the response is actually returned to the client:
DESC 'Time to wait before returning the error'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
SINGLE\-VALUE )
.RE
.LP
The matched DN returned to the client:
@ -160,7 +160,7 @@ The matched DN returned to the client:
DESC 'Value to be returned as matched DN'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE )
SINGLE\-VALUE )
.RE
.LP
The OID to be returned as extended response OID
@ -172,7 +172,7 @@ in RFC 4511 unsolicited responses
DESC 'OID to be returned within unsolicited response'
EQUALITY objectIdentifierMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
SINGLE-VALUE )
SINGLE\-VALUE )
.RE
.LP
The octet string to be returned as extended response data
@ -182,7 +182,7 @@ in RFC 4511 unsolicited response:
NAME ( 'errUnsolicitedData' )
DESC 'Data to be returned within unsolicited response'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
SINGLE-VALUE )
SINGLE\-VALUE )
.RE
.LP
If TRUE,
@ -194,7 +194,7 @@ after sending response as appropriate:
NAME ( 'errDisconnect' )
DESC 'Disconnect without notice'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
SINGLE\-VALUE )
.RE
.LP
The abstract class that triggers the overlay:
@ -226,15 +226,15 @@ The auxiliary objectclass to alter the behavior of existing objects:
.RS
.nf
overlay retcode
retcode-parent "ou=RetCodes,dc=example,dc=com"
retcode\-parent "ou=RetCodes,dc=example,dc=com"
# retcode.conf is found in tests/data/ of the source tree
include ./retcode.conf
# Wait 10 seconds, then return success (0x00)
retcode-item "cn=Success after 10 seconds" 0x00 sleeptime=10
retcode\-item "cn=Success after 10 seconds" 0x00 sleeptime=10
# Wait 10 seconds, then return timelimitExceeded (0x03)
retcode-item "cn=Timelimit after 10 seconds" 0x03 sleeptime=10
retcode\-item "cn=Timelimit after 10 seconds" 0x03 sleeptime=10
.fi
.RE
.LP
@ -249,7 +249,7 @@ default slapd configuration file
.BR slapd\-config (5),
.BR slapd (8).
The
.BR slapo-retcode (5)
.BR slapo\-retcode (5)
overlay supports dynamic configuration via
.BR back-config .
.SH ACKNOWLEDGEMENTS

134
doc/man/man5/slapo-rwm.5
View file

@ -8,7 +8,7 @@
.\" and maybe manual pages for librewrite.
.\"
.SH NAME
slapo-rwm \- rewrite/remap overlay to slapd
slapo\-rwm \- rewrite/remap overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
@ -19,9 +19,9 @@ overlay to
performs basic DN/data rewrite and objectClass/attributeType mapping.
Its usage is mostly intended to provide virtual views of existing data
either remotely, in conjunction with the proxy backend described in
.BR slapd-ldap (5),
.BR slapd\-ldap (5),
or locally, in conjunction with the relay backend described in
.BR slapd-relay (5).
.BR slapd\-relay (5).
.LP
This overlay is experimental.
.SH MAPPING
@ -30,10 +30,10 @@ An important feature of the
overlay is the capability to map objectClasses and attributeTypes
from the local set (or a subset of it) to a foreign set, and vice versa.
This is accomplished by means of the
.B rwm-map
.B rwm\-map
directive.
.TP
.B rwm-map "{attribute | objectclass} [<local name> | *] {<foreign name> | *}"
.B rwm\-map "{attribute | objectclass} [<local name> | *] {<foreign name> | *}"
Map attributeTypes and objectClasses from the foreign server to
different values on the local slapd.
The reason is that some attributes might not be part of the local
@ -51,8 +51,8 @@ and
must be defined in the local schema; the foreign ones do not have to,
but users are encouraged to explicitly define the remote attributeTypes
and the objectClasses they intend to map. All in all, when remapping
a remote server via back-ldap (\fBslapd-ldap\fP(5))
or back-meta (\fBslapd-meta\fP(5))
a remote server via back-ldap (\fBslapd\-ldap\fP(5))
or back-meta (\fBslapd\-meta\fP(5))
their definition can be easily obtained by querying the \fIsubschemaSubentry\fP
of the remote server; the problem should not exist when remapping a local
database.
@ -80,10 +80,10 @@ when the
overlay is used together with e.g. the
.B pcache
overlay. This normalization can be enabled by means of the
.B rwm-normalize-mapped-attrs
.B rwm\-normalize\-mapped\-attrs
directive.
.TP
.B rwm-normalize-mapped-attrs {yes|no}
.B rwm\-normalize\-mapped\-attrs {yes|no}
Set this to "yes", if the
.B rwm
overlay should try to normalize the values of attributes that are mapped from
@ -107,14 +107,14 @@ A basic feature of the
.B rwm
overlay is the capability to perform suffix massaging between a virtual
and a real naming context by means of the
.B rwm-suffixmassage
.B rwm\-suffixmassage
directive.
This, in conjunction with proxy backends,
.BR slapd-ldap (5)
.BR slapd\-ldap (5)
and
.BR slapd-meta (5),
.BR slapd\-meta (5),
or with the relay backend,
.BR slapd-relay (5),
.BR slapd\-relay (5),
allows to create virtual views of databases.
A distinguishing feature of this overlay is that, when instantiated
before any database, it can modify the DN of requests
@ -124,7 +124,7 @@ For this reason, rules that rewrite the empty DN ("")
or the subschemaSubentry DN (usually "cn=subschema"),
would prevent clients from reading the root DSE or the DSA's schema.
.TP
.B rwm-suffixmassage "[<virtual naming context>]" "<real naming context>"
.B rwm\-suffixmassage "[<virtual naming context>]" "<real naming context>"
Shortcut to implement naming context rewriting; the trailing part
of the DN is rewritten from the virtual to the real naming context
in the bindDN, searchDN, searchFilterAttrDN, compareDN, compareAttrDN,
@ -135,14 +135,14 @@ By default no rewriting occurs for the searchFilter
and for the referralAttrDN and referralDN rewrite contexts.
If no \fI<virtual naming context>\fP is given, the first suffix of the
database is used; this requires the
.B rwm-suffixmassage
.B rwm\-suffixmassage
directive be defined \fIafter\fP the database
.B suffix
directive.
The
.B rwm-suffixmassage
.B rwm\-suffixmassage
directive automatically sets the
.B rwm-rewriteEngine
.B rwm\-rewriteEngine
to
.BR ON .
.LP
@ -183,7 +183,7 @@ Each rule is executed recursively, unless altered by specific action
flags; see "Action Flags" for details.
A default limit on the recursion level is set, and can be altered
by the
.B rwm-rewriteMaxPasses
.B rwm\-rewriteMaxPasses
directive, as detailed in the "Additional Configuration Syntax" section.
The substitution pattern allows map resolution of substrings.
A map is a generic object that maps a substitution pattern to a value.
@ -350,7 +350,7 @@ Each basic server operation is associated to a rewrite context;
they are divided in two main groups: client \-> server and
server \-> client rewriting.
.LP
client -> server:
client \-> server:
.LP
.RS
.nf
@ -376,7 +376,7 @@ exopPasswdDN password modify extended operation DN
.fi
.RE
.LP
server -> client:
server \-> client:
.LP
.RS
.nf
@ -394,20 +394,20 @@ referralDN all ops (only if applicable; defaults
.LP
.SH "Basic Configuration Syntax"
All rewrite/remap directives start with the prefix
.BR rwm- ;
.BR rwm\- ;
for backwards compatibility with the historical
.BR slapd-ldap (5)
.BR slapd\-ldap (5)
and
.BR slapd-meta (5)
.BR slapd\-meta (5)
builtin rewrite/remap capabilities, the prefix may be omitted,
but this practice is strongly discouraged.
.TP
.B rwm-rewriteEngine { on | off }
.B rwm\-rewriteEngine { on | off }
If `on', the requested rewriting is performed; if `off', no
rewriting takes place (an easy way to stop rewriting without
altering too much the configuration file).
.TP
.B rwm-rewriteContext <context name> "[ alias <aliased context name> ]"
.B rwm\-rewriteContext <context name> "[ alias <aliased context name> ]"
<Context name> is the name that identifies the context, i.e. the name
used by the application to refer to the set of rules it contains.
It is used also to reference sub contexts in string rewriting.
@ -415,21 +415,21 @@ A context may alias another one.
In this case the alias context contains no rule, and any reference to
it will result in accessing the aliased one.
.TP
.B rwm-rewriteRule "<regex match pattern>" "<substitution pattern>" "[ <flags> ]"
.B rwm\-rewriteRule "<regex match pattern>" "<substitution pattern>" "[ <flags> ]"
Determines how a string can be rewritten if a pattern is matched.
Examples are reported below.
.SH "Additional Configuration Syntax"
.TP
.B rwm-rewriteMap "<map type>" "<map name>" "[ <map attrs> ]"
.B rwm\-rewriteMap "<map type>" "<map name>" "[ <map attrs> ]"
Allows to define a map that transforms substring rewriting into
something else.
The map is referenced inside the substitution pattern of a rule.
.TP
.B rwm-rewriteParam <param name> <param value>
.B rwm\-rewriteParam <param name> <param value>
Sets a value with global scope, that can be dereferenced by the
command `${$paramName}'.
.TP
.B rwm-rewriteMaxPasses <number of passes> [<number of passes per rule>]
.B rwm\-rewriteMaxPasses <number of passes> [<number of passes per rule>]
Sets the maximum number of total rewriting passes that can be
performed in a single rewrite operation (to avoid loops).
A safe default is set to 100; note that reaching this limit is still
@ -501,51 +501,51 @@ a multi-valued attribute is used, only the first value is considered.
.SH "REWRITE CONFIGURATION EXAMPLES"
.nf
# set to `off' to disable rewriting
rwm-rewriteEngine on
rwm\-rewriteEngine on
# the rules the "suffixmassage" directive implies
rwm-rewriteEngine on
rwm\-rewriteEngine on
# all dataflow from client to server referring to DNs
rwm-rewriteContext default
rwm-rewriteRule "(.+,)?<virtualnamingcontext>$" "$1<realnamingcontext>" ":"
rwm\-rewriteContext default
rwm\-rewriteRule "(.+,)?<virtualnamingcontext>$" "$1<realnamingcontext>" ":"
# empty filter rule
rwm-rewriteContext searchFilter
rwm\-rewriteContext searchFilter
# all dataflow from server to client
rwm-rewriteContext searchEntryDN
rwm-rewriteRule "(.+,)?<realnamingcontext>$" "$1<virtualnamingcontext>" ":"
rwm-rewriteContext searchAttrDN alias searchEntryDN
rwm-rewriteContext matchedDN alias searchEntryDN
rwm\-rewriteContext searchEntryDN
rwm\-rewriteRule "(.+,)?<realnamingcontext>$" "$1<virtualnamingcontext>" ":"
rwm\-rewriteContext searchAttrDN alias searchEntryDN
rwm\-rewriteContext matchedDN alias searchEntryDN
# misc empty rules
rwm-rewriteContext referralAttrDN
rwm-rewriteContext referralDN
rwm\-rewriteContext referralAttrDN
rwm\-rewriteContext referralDN
# Everything defined here goes into the `default' context.
# This rule changes the naming context of anything sent
# to `dc=home,dc=net' to `dc=OpenLDAP, dc=org'
rwm-rewriteRule "(.+,)?dc=home,[ ]?dc=net$"
rwm\-rewriteRule "(.+,)?dc=home,[ ]?dc=net$"
"$1dc=OpenLDAP, dc=org" ":"
# since a pretty/normalized DN does not include spaces
# after rdn separators, e.g. `,', this rule suffices:
rwm-rewriteRule "(.+,)?dc=home,dc=net$"
rwm\-rewriteRule "(.+,)?dc=home,dc=net$"
"$1dc=OpenLDAP,dc=org" ":"
# Start a new context (ends input of the previous one).
# This rule adds blanks between DN parts if not present.
rwm-rewriteContext addBlanks
rwm-rewriteRule "(.*),([^ ].*)" "$1, $2"
rwm\-rewriteContext addBlanks
rwm\-rewriteRule "(.*),([^ ].*)" "$1, $2"
# This one eats blanks
rwm-rewriteContext eatBlanks
rwm-rewriteRule "(.*), (.*)" "$1,$2"
rwm\-rewriteContext eatBlanks
rwm\-rewriteRule "(.*), (.*)" "$1,$2"
# Here control goes back to the default rewrite
# context; rules are appended to the existing ones.
# anything that gets here is piped into rule `addBlanks'
rwm-rewriteContext default
rwm-rewriteRule ".*" "${>addBlanks($0)}" ":"
rwm\-rewriteContext default
rwm\-rewriteRule ".*" "${>addBlanks($0)}" ":"
.\" # Anything with `uid=username' is looked up in
.\" # /etc/passwd for gecos (I know it's nearly useless,
@ -554,29 +554,29 @@ rwm-rewriteRule ".*" "${>addBlanks($0)}" ":"
.\" # Note the `I' flag that leaves `uid=username' in place
.\" # if `username' does not have a valid account, and the
.\" # `:' that forces the rule to be processed exactly once.
.\" rwm-rewriteContext uid2Gecos
.\" rwm-rewriteRule "(.*)uid=([a-z0-9]+),(.+)"
.\" rwm\-rewriteContext uid2Gecos
.\" rwm\-rewriteRule "(.*)uid=([a\-z0\-9]+),(.+)"
.\" "$1cn=$2{xpasswd},$3" "I:"
.\"
.\" # Finally, in a bind, if one uses a `uid=username' DN,
.\" # it is rewritten in `cn=name surname' if possible.
.\" rwm-rewriteContext bindDN
.\" rwm-rewriteRule ".*" "${>addBlanks(${>uid2Gecos($0)})}" ":"
.\" rwm\-rewriteContext bindDN
.\" rwm\-rewriteRule ".*" "${>addBlanks(${>uid2Gecos($0)})}" ":"
.\"
# Rewrite the search base according to `default' rules.
rwm-rewriteContext searchDN alias default
rwm\-rewriteContext searchDN alias default
# Search results with OpenLDAP DN are rewritten back with
# `dc=home,dc=net' naming context, with spaces eaten.
rwm-rewriteContext searchEntryDN
rwm-rewriteRule "(.*[^ ],)?[ ]?dc=OpenLDAP,[ ]?dc=org$"
rwm\-rewriteContext searchEntryDN
rwm\-rewriteRule "(.*[^ ],)?[ ]?dc=OpenLDAP,[ ]?dc=org$"
"${>eatBlanks($1)}dc=home,dc=net" ":"
# Bind with email instead of full DN: we first need
# an ldap map that turns attributes into a DN (the
# argument used when invoking the map is appended to
# the URI and acts as the filter portion)
rwm-rewriteMap ldap attr2dn "ldap://host/dc=my,dc=org?dn?sub"
rwm\-rewriteMap ldap attr2dn "ldap://host/dc=my,dc=org?dn?sub"
# Then we need to detect DN made up of a single email,
# e.g. `mail=someone@example.com'; note that the rule
@ -585,8 +585,8 @@ rwm-rewriteMap ldap attr2dn "ldap://host/dc=my,dc=org?dn?sub"
# to real naming contexts, we also need to rewrite
# regular DNs, because the definition of a bindDN
# rewrite context overrides the default definition.
rwm-rewriteContext bindDN
rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
rwm\-rewriteContext bindDN
rwm\-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
# This is a rather sophisticated example. It massages a
# search filter in case who performs the search has
@ -594,8 +594,8 @@ rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
# track of the bind DN of the incoming request, which is
# stored in a variable called `binddn' with session scope,
# and left in place to allow regular binding:
rwm-rewriteContext bindDN
rwm-rewriteRule ".+" "${&&binddn($0)}$0" ":"
rwm\-rewriteContext bindDN
rwm\-rewriteRule ".+" "${&&binddn($0)}$0" ":"
# A search filter containing `uid=' is rewritten only
# if an appropriate DN is bound.
@ -610,13 +610,13 @@ rwm-rewriteRule ".+" "${&&binddn($0)}$0" ":"
# module to authenticate users with both `uid' and
# `cn', but only if the request comes from a possible
# `cn=Web auth,ou=admin,dc=home,dc=net' user.
rwm-rewriteContext searchFilter
rwm-rewriteRule "(.*\e\e()uid=([a-z0-9_]+)(\e\e).*)"
rwm\-rewriteContext searchFilter
rwm\-rewriteRule "(.*\e\e()uid=([a\-z0\-9_]+)(\e\e).*)"
"${**binddn}<>${&prefix($1)}${&arg($2)}${&suffix($3)}"
":I"
rwm-rewriteRule "^[^,]+,ou=admin,dc=home,dc=net$"
rwm\-rewriteRule "^[^,]+,ou=admin,dc=home,dc=net$"
"${*prefix}|(uid=${*arg})(cn=${*arg})${*suffix}" ":@I"
rwm-rewriteRule ".*<>$" "${*prefix}uid=${*arg}${*suffix}" ":"
rwm\-rewriteRule ".*<>$" "${*prefix}uid=${*arg}${*suffix}" ":"
# This example shows how to strip unwanted DN-valued
# attribute values from a search result; the first rule
@ -624,9 +624,9 @@ rwm-rewriteRule ".*<>$" "${*prefix}uid=${*arg}${*suffix}" ":"
# in case of match the rewriting exits successfully.
# The second rule matches everything else and causes
# the value to be rejected.
rwm-rewriteContext searchEntryDN
rwm-rewriteRule ".+,ou=People,dc=example,dc=com$" "$0" ":@"
rwm-rewriteRule ".*" "" "#"
rwm\-rewriteContext searchEntryDN
rwm\-rewriteRule ".+,ou=People,dc=example,dc=com$" "$0" ":@"
rwm\-rewriteRule ".*" "" "#"
.fi
.SH "MAPPING EXAMPLES"
The following directives map the object class `groupOfNames' to

12
doc/man/man5/slapo-syncprov.5
View file

@ -3,7 +3,7 @@
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapo-syncprov \- Sync Provider overlay to slapd
slapo\-syncprov \- Sync Provider overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
@ -31,7 +31,7 @@ They should appear after the
.B overlay
directive.
.TP
.B syncprov-checkpoint <ops> <minutes>
.B syncprov\-checkpoint <ops> <minutes>
After a write operation has succeeded, write the contextCSN to the underlying
database if
.B <ops>
@ -40,7 +40,7 @@ write operations or more than
time have passed
since the last checkpoint. Checkpointing is disabled by default.
.TP
.B syncprov-sessionlog <ops>
.B syncprov\-sessionlog <ops>
Configures an in-memory session log for recording information about write
operations made on the database. The
.B <ops>
@ -49,13 +49,13 @@ operations (except Adds) are recorded in the log.
When using the session log, it is helpful to set an eq index on the
entryUUID attribute in the underlying database.
.TP
.B syncprov-nopresent TRUE | FALSE
.B syncprov\-nopresent TRUE | FALSE
Specify that the Present phase of refreshing should be skipped. This value
should only be set TRUE for a syncprov instance on top of a log database
(such as one managed by the accesslog overlay).
The default is FALSE.
.TP
.B syncprov-reloadhint TRUE | FALSE
.B syncprov\-reloadhint TRUE | FALSE
Specify that the overlay should honor the reloadHint flag in the Sync
Control. In OpenLDAP releases 2.3.11 and earlier the syncrepl consumer did
not properly set this flag, so the overlay must ignore it. This option
@ -69,7 +69,7 @@ default slapd configuration file
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd\-config (5),
.BR slapo-accesslog (5).
.BR slapo\-accesslog (5).
OpenLDAP Administrator's Guide.
.SH ACKNOWLEDGEMENTS
.so ../Project

10
doc/man/man5/slapo-translucent.5
View file

@ -3,12 +3,12 @@
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapo-translucent \- Translucent Proxy overlay to slapd
slapo\-translucent \- Translucent Proxy overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The Translucent Proxy overlay can be used with a backend database such as
.BR slapd-bdb (5)
.BR slapd\-bdb (5)
to create a "translucent proxy". Entries retrieved from a remote LDAP
server may have some or all attributes overridden, or new attributes
added, by entries in the local database before being presented to the
@ -33,8 +33,8 @@ remote database.
.SH CONFIGURATION
The Translucent Proxy overlay uses a proxied database,
typically a (set of) remote LDAP server(s), which is configured with the options shown in
.BR slapd-ldap (5),
.BR slapd-meta (5)
.BR slapd\-ldap (5),
.BR slapd\-meta (5)
or similar.
These
.B slapd.conf
@ -130,4 +130,4 @@ default slapd configuration file
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd\-config (5),
.BR slapd-ldap (5).
.BR slapd\-ldap (5).

17
doc/man/man5/slapo-unique.5
View file

@ -3,12 +3,12 @@
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapo-unique \- Attribute Uniqueness overlay to slapd
slapo\-unique \- Attribute Uniqueness overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The Attribute Uniqueness overlay can be used with a backend database such as
.BR slapd-bdb (5)
.BR slapd\-bdb (5)
to enforce the uniqueness of some or all attributes within a
scope. This subtree defaults to all objects within the subtree of the
database for which the Uniqueness overlay is configured.
@ -41,11 +41,13 @@ directive.
.TP
.B unique_uri <[strict ][ignore ]URI[URI...]...>
Configure the base, attributes, scope, and filter for uniqueness
checking. Multiple URIs may be specified within a domain, allowing complex selections of objects. Multiple
checking. Multiple URIs may be specified within a domain,
allowing complex selections of objects. Multiple
.B unique_uri
statements or
.B olcUniqueURI
attributes will create independent domains, each with their own independent lists of URIs and ignore/strict settings.
attributes will create independent domains, each with their own
independent lists of URIs and ignore/strict settings.
The LDAP URI syntax is a subset of
.B RFC-4516,
@ -55,7 +57,8 @@ ldap:///[base dn]?[attributes...]?scope[?filter]
The
.B base dn
defaults to that of the back-end database. Specified base dns must be within the subtree of the back-end database.
defaults to that of the back-end database.
Specified base dns must be within the subtree of the back-end database.
If no
.B attributes
@ -111,7 +114,9 @@ that only one attribute within a subtree will be allowed to have a
null value. Strictness applies to all URIs within a uniqueness
domain, but some domains may be strict while others are not.
.LP
It is not possible to set both URIs and legacy slapo-unique configuration parameters simultaneously. In general, the legacy configuration options control pieces of a single unfiltered subtree domain.
It is not possible to set both URIs and legacy slapo\-unique configuration
parameters simultaneously. In general, the legacy configuration options
control pieces of a single unfiltered subtree domain.
.TP
.B unique_base <basedn>
This legacy configuration parameter should be converted to the

14
doc/man/man5/slapo-valsort.5
View file

@ -3,7 +3,7 @@
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapo-valsort \- Value Sorting overlay to slapd
slapo\-valsort \- Value Sorting overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
@ -29,7 +29,7 @@ They should appear after the
.B overlay
directive.
.TP
valsort-attr <\fIattribute\fP> <\fIbaseDN\fP> (<\fIsort-method\fP> | weighted [<\fIsort-method\fP>])
valsort\-attr <\fIattribute\fP> <\fIbaseDN\fP> (<\fIsort-method\fP> | weighted [<\fIsort-method\fP>])
Configure a sorting method for the specified
.I attribute
in the subtree rooted at
@ -37,11 +37,11 @@ in the subtree rooted at
The
.I sort-method
may be one of
.BR alpha-ascend ,
.BR alpha-descend ,
.BR numeric-ascend ,
.BR alpha\-ascend ,
.BR alpha\-descend ,
.BR numeric\-ascend ,
or
.BR numeric-descend .
.BR numeric\-descend .
If the special
.B weighted
method is specified, a secondary
@ -60,7 +60,7 @@ for an attribute with a syntax other than Integer or NumericString.
suffix dc=example,dc=com
...
overlay valsort
valsort-attr member ou=groups,dc=example,dc=com alpha-ascend
valsort\-attr member ou=groups,dc=example,dc=com alpha\-ascend
.fi
.SH FILES

96
doc/man/man8/slapacl.8
View file

@ -6,16 +6,27 @@
slapacl \- Check access to a list of attributes.
.SH SYNOPSIS
.B SBINDIR/slapacl
.B \-b DN
.B [\-d level]
.B [\-D authcDN | \-U authcID]
.B [\-f slapd.conf]
.B [\-F confdir]
.B [\-o name[=value]]
.B [\-u]
.B [\-v]
.B [\-X authzID | \-o authzDN=DN]
.B [attr[/access][:value]] [...]
.BI \-b \ DN
[\c
.BI \-d \ debug-level\fR]
[\c
.BI \-D \ authcDN\ \fR|
.BI \-U \ authcID\fR]
[\c
.BI \-f \ slapd.conf\fR]
[\c
.BI \-F \ confdir\fR]
[\c
.BI \-o \ option\fR[ = value\fR]]
[\c
.BR \-u ]
[\c
.BR \-v ]
[\c
.BI \-X \ authzID\ \fR|
.BI "\-o \ authzDN=" DN\fR]
[\c
.IR attr [\fB/\fI access ][\fB:\fI value ]]\fR\ [...]
.LP
.SH DESCRIPTION
.LP
@ -28,9 +39,9 @@ directives defined in its configuration.
It opens the
.BR slapd.conf (5)
configuration file or the
.BR slapd-config (5)
.BR slapd\-config (5)
backend, reads in the
.B access/olcAccess
.BR access / olcAccess
directives, and then parses the
.B attr
list given on the command-line; if none is given, access to the
@ -39,39 +50,41 @@ pseudo-attribute is tested.
.LP
.SH OPTIONS
.TP
.BI \-b " DN"
.BI \-b \ DN
specify the
.B DN
.I DN
which access is requested to; the corresponding entry is fetched
from the database, and thus it must exist.
The DN is also used to determine what rules apply; thus, it must be
The
.I DN
is also used to determine what rules apply; thus, it must be
in the naming context of a configured database. See also
.BR \-u .
.TP
.BI \-d " level"
.BI \-d \ debug-level
enable debugging messages as defined by the specified
.IR level ;
.IR debug-level ;
see
.BR slapd (8)
for details.
.TP
.BI \-D " authcDN"
.BI \-D \ authcDN
specify a DN to be used as identity through the test session
when selecting appropriate
.B <by>
clauses in access lists.
.TP
.BI \-f " slapd.conf"
.BI \-f \ slapd.conf
specify an alternative
.BR slapd.conf (5)
file.
.TP
.BI \-F " confdir"
.BI \-F \ confdir
specify a config directory.
If both
.B -f
.B \-f
and
.B -F
.B \-F
are specified, the config file will be read and converted to
config directory format and written to the specified directory.
If neither option is specified, an attempt to read the
@ -79,17 +92,17 @@ default config directory will be made before trying to use the default
config file. If a valid config directory exists then the
default config file is ignored.
.TP
.BI \-o " option[=value]"
.BI \-o \ option\fR[ = value\fR]
Specify an
.BR option
.I option
with a(n optional)
.BR value .
.IR value .
Possible generic options/values are:
.LP
.nf
syslog=<subsystems> (see `\-s' in slapd(8))
syslog-level=<level> (see `\-S' in slapd(8))
syslog-user=<user> (see `\-l' in slapd(8))
syslog\-level=<level> (see `\-S' in slapd(8))
syslog\-user=<user> (see `\-l' in slapd(8))
.fi
.RS
@ -118,26 +131,29 @@ for details.
.TP
.BI \-u
do not fetch the entry from the database.
In this case, if the entry does not exist, a fake entry with the DN
In this case, if the entry does not exist, a fake entry with the
.I DN
given with the
.B \-b
option is used, with no attributes.
As a consequence, those rules that depend on the contents
of the target object will not behave as with the real object.
The DN given with the
The
.I DN
given with the
.B \-b
option is still used to select what rules apply; thus, it must be
in the naming context of a configured database.
See also
.BR \-b .
.TP
.BI \-U " authcID"
.BI \-U \ authcID
specify an ID to be mapped to a
.B DN
as by means of
.B authz-regexp
.B authz\-regexp
or
.B authz-rewrite
.B authz\-rewrite
rules (see
.BR slapd.conf (5)
for details); mutually exclusive with
@ -146,23 +162,23 @@ for details); mutually exclusive with
.B \-v
enable verbose mode.
.TP
.BI \-X " authzID"
.BI \-X \ authzID
specify an authorization ID to be mapped to a
.B DN
as by means of
.B authz-regexp
.B authz\-regexp
or
.B authz-rewrite
.B authz\-rewrite
rules (see
.BR slapd.conf (5)
for details); mutually exclusive with \fB\-o\fP \fIauthzDN=DN\fP.
for details); mutually exclusive with \fB\-o\fP \fBauthzDN=\fIDN\fR.
.SH EXAMPLES
The command
.LP
.nf
.ft tt
SBINDIR/slapacl -f ETCDIR/slapd.conf -v \\
-U bjorn -b "o=University of Michigan,c=US" \\
SBINDIR/slapacl \-f ETCDIR/slapd.conf \-v \\
\-U bjorn \-b "o=University of Michigan,c=US" \\
"o/read:University of Michigan"
.ft
@ -178,8 +194,8 @@ at
level.
.SH "SEE ALSO"
.BR ldap (3),
.BR slapd (8)
.BR slaptest (8)
.BR slapd (8),
.BR slaptest (8),
.BR slapauth (8)
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

96
doc/man/man8/slapadd.8
View file

@ -6,22 +6,38 @@
slapadd \- Add entries to a SLAPD database
.SH SYNOPSIS
.B SBINDIR/slapadd
.B [\-b suffix]
.B [\-c]
.B [\-d level]
.B [\-f slapd.conf]
.B [\-F confdir]
.B [\-g]
.B [\-j lineno]
.B [\-l ldif-file]
.B [\-n dbnum]
.B [\-o name[=value]]
.B [\-q]
.B [\-s]
.B [\-S SID]
.B [\-u]
.B [\-v]
.B [\-w]
[\c
.BI \-b \ suffix\fR]
[\c
.BR \-c ]
[\c
.BI \-d \ debug-level\fR]
[\c
.BI \-f \ slapd.conf\fR]
[\c
.BI \-F \ confdir\fR]
[\c
.BR \-g ]
[\c
.BI \-j \ lineno\fR]
[\c
.BI \-l \ ldif-file\fR]
[\c
.BI \-n \ dbnum\fR]
[\c
.BI \-o \ option\fR[ = value\fR]]
[\c
.BR \-q ]
[\c
.BR \-s ]
[\c
.BI \-S \ SID\fR]
[\c
.BR \-u ]
[\c
.BR \-v ]
[\c
.BR \-w ]
.SH DESCRIPTION
.LP
.B Slapadd
@ -34,7 +50,7 @@ suffix and adds entries corresponding to the provided LDIF to
the database.
Databases configured as
.B subordinate
of this one are also updated, unless \fB-g\fP is specified.
of this one are also updated, unless \fB\-g\fP is specified.
The LDIF input is read from standard input or the specified file.
All files eventually created by
@ -53,9 +69,9 @@ or change file ownership before running
.BR slapd (8).
.SH OPTIONS
.TP
.BI \-b " suffix"
.BI \-b \ suffix
Use the specified \fIsuffix\fR to determine which database to
add entries to. The \-b cannot be used in conjunction
add entries to. The \fB\-b\fP cannot be used in conjunction
with the
.B \-n
option.
@ -63,69 +79,69 @@ option.
.B \-c
enable continue (ignore errors) mode.
.TP
.BI \-d " level"
.BI \-d \ debug-level
enable debugging messages as defined by the specified
.IR level ;
.IR debug-level ;
see
.BR slapd (8)
for details.
.TP
.BI \-f " slapd.conf"
.BI \-f \ slapd.conf
specify an alternative
.BR slapd.conf (5)
file.
.TP
.BI \-F " confdir"
.BI \-F \ confdir
specify a config directory.
If both
.B -f
.B \-f
and
.B -F
.B \-F
are specified, the config file will be read and converted to
config directory format and written to the specified directory.
If neither option is specified, an attempt to read the
default config directory will be made before trying to use the default
config file. If a valid config directory exists then the
default config file is ignored. If dryrun mode is also specified,
default config file is ignored. If dry-run mode is also specified,
no conversion will occur.
.TP
.B \-g
disable subordinate gluing. Only the specified database will be
processed, and not its glued subordinates (if any).
.TP
.BI \-j " lineno"
.BI \-j \ lineno
Jump to the specified line number in the LDIF file before processing
any entries. This allows a load that was aborted due to errors in the
input LDIF to be resumed after the errors are corrected.
.TP
.BI \-l " ldif-file"
.BI \-l \ ldif-file
Read LDIF from the specified file instead of standard input.
.TP
.BI \-n " dbnum"
Add entries to the \fIdbnum\fR\-th database listed in the
.BI \-n \ dbnum
Add entries to the \fIdbnum\fR-th database listed in the
configuration file. The
.B \-n
cannot be used in conjunction with the
.B \-b
option.
To populate the config database
.BR slapd-config (5),
.BR slapd\-config (5),
use
.B \-n 0
as it is always the first database. It must physically exist
on the filesystem prior to this, however.
.TP
.BI \-o " option[=value]"
.BI \-o \ option\fR[ = value\fR]
Specify an
.BR option
.I option
with a(n optional)
.BR value .
.IR value .
Possible generic options/values are:
.LP
.nf
syslog=<subsystems> (see `\-s' in slapd(8))
syslog-level=<level> (see `\-S' in slapd(8))
syslog-user=<user> (see `\-l' in slapd(8))
syslog\-level=<level> (see `\-S' in slapd(8))
syslog\-user=<user> (see `\-l' in slapd(8))
.fi
.TP
@ -135,15 +151,15 @@ on the input data, and no consistency checks when writing the database.
Improves the load time but if any errors or interruptions occur the resulting
database will be unusable.
.TP
.B -s
.B \-s
disable schema checking. This option is intended to be used when loading
databases containing special objects, such as fractional objects on a
partial replica. Loading normal objects which do not conform to
schema may result in unexpected and ill behavior.
.TP
.B \-S " SID"
.BI \-S \ SID
Server ID to use in generated entryCSN. Also used for contextCSN
if `\-w' is set as well. Defaults to 0.
if \fB\-w\fP is set as well. Defaults to \fB0\fP.
.TP
.B \-u
enable dry-run (don't write to backend) mode.
@ -175,7 +191,7 @@ database give the command:
.LP
.nf
.ft tt
SBINDIR/slapadd -l ldif
SBINDIR/slapadd \-l ldif
.ft
.fi
.SH "SEE ALSO"

85
doc/man/man8/slapauth.8
View file

@ -6,16 +6,25 @@
slapauth \- Check a list of string-represented IDs for LDAP authc/authz
.SH SYNOPSIS
.B SBINDIR/slapauth
.B [\-d level]
.B [\-f slapd.conf]
.B [\-F confdir]
.B [\-M mech]
.B [\-o name[=value]]
.B [\-R realm]
.B [\-U authcID]
.B [\-v]
.B [\-X authzID]
.B ID [...]
[\c
.BI \-d \ debug-level\fR]
[\c
.BI \-f \ slapd.conf\fR]
[\c
.BI \-F \ confdir\fR]
[\c
.BI \-M \ mech\fR]
[\c
.BI \-o \ option\fR[ = value\fR]]
[\c
.BI \-R \ realm\fR]
[\c
.BI \-U \ authcID\fR]
[\c
.BR \-v ]
[\c
.BI \-X \ authzID\fR]
.IR ID \ [ ... ]
.LP
.SH DESCRIPTION
.LP
@ -26,35 +35,35 @@ for authentication and authorization purposes, as specified in
It opens the
.BR slapd.conf (5)
configuration file or the
.BR slapd-config (5)
.BR slapd\-config (5)
backend, reads in the
.B authz-policy/olcAuthzPolicy
.BR authz\-policy / olcAuthzPolicy
and
.B authz-regexp/olcAuthzRegexp
.BR authz\-regexp / olcAuthzRegexp
directives, and then parses the
.B ID
.I ID
list given on the command-line.
.LP
.SH OPTIONS
.TP
.BI \-d " level"
.BI \-d \ debug-level
enable debugging messages as defined by the specified
.IR level ;
.IR debug-level ;
see
.BR slapd (8)
for details.
.TP
.BI \-f " slapd.conf"
.BI \-f \ slapd.conf
specify an alternative
.BR slapd.conf (5)
file.
.TP
.BI \-F " confdir"
.BI \-F \ confdir
specify a config directory.
If both
.B -f
.B \-f
and
.B -F
.B \-F
are specified, the config file will be read and converted to
config directory format and written to the specified directory.
If neither option is specified, an attempt to read the
@ -62,43 +71,43 @@ default config directory will be made before trying to use the default
config file. If a valid config directory exists then the
default config file is ignored.
.TP
.BI \-M " mech"
.BI \-M \ mech
specify a mechanism.
.TP
.BI \-o " option[=value]"
.BI \-o \ option\fR[ = value\fR]
Specify an
.BR option
.I option
with a(n optional)
.BR value .
.IR value .
Possible generic options/values are:
.LP
.nf
syslog=<subsystems> (see `\-s' in slapd(8))
syslog-level=<level> (see `\-S' in slapd(8))
syslog-user=<user> (see `\-l' in slapd(8))
syslog\-level=<level> (see `\-S' in slapd(8))
syslog\-user=<user> (see `\-l' in slapd(8))
.fi
.TP
.BI \-R " realm"
.BI \-R \ realm
specify a realm.
.TP
.BI \-U " authcID"
.BI \-U \ authcID
specify an ID to be used as
.I authcID
throughout the test session.
If present, and if no
.B authzID
.I authzID
is given, the IDs in the ID list are treated as
.BR authzID .
.IR authzID .
.TP
.BI \-X " authzID"
.BI \-X \ authzID
specify an ID to be used as
.I authzID
throughout the test session.
If present, and if no
.B authcID
.I authcID
is given, the IDs in the ID list are treated as
.BR authcID .
.IR authcID .
If both
.I authcID
and
@ -112,8 +121,8 @@ The command
.LP
.nf
.ft tt
SBINDIR/slapauth -f /ETCDIR/slapd.conf -v \\
-U bjorn -X u:bjensen
SBINDIR/slapauth \-f /ETCDIR/slapd.conf \-v \\
\-U bjorn \-X u:bjensen
.ft
.fi
@ -125,8 +134,8 @@ provided the directives
.LP
.nf
.ft tt
authz-policy from
authz-regexp "^uid=([^,]+).*,cn=auth$"
authz\-policy from
authz\-regexp "^uid=([^,]+).*,cn=auth$"
"ldap:///dc=example,dc=net??sub?uid=$1"
.ft
@ -135,7 +144,7 @@ are defined in
.BR slapd.conf (5).
.SH "SEE ALSO"
.BR ldap (3),
.BR slapd (8)
.BR slapd (8),
.BR slaptest (8)
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

89
doc/man/man8/slapcat.8
View file

@ -6,19 +6,30 @@
slapcat \- SLAPD database to LDIF utility
.SH SYNOPSIS
.B SBINDIR/slapcat
.B [\-a filter]
.B [\-b suffix]
.B [\-c]
.B [\-d level]
.B [\-f slapd.conf]
.B [\-F confdir]
.B [\-g]
.B [\-l ldif-file]
.B [\-n dbnum]
.B [\-o name[=value]]
.B [\-s subtree-dn]
.B [\-v]
.B
[\c
.BI \-a filter\fR]
[\c
.BI \-b suffix\fR]
[\c
.BR \-c ]
[\c
.BI \-d debug-level\fR]
[\c
.BI \-f slapd.conf\fR]
[\c
.BI \-F confdir\fR]
[\c
.BR \-g ]
[\c
.BI \-l ldif-file\fR]
[\c
.BI \-n dbnum\fR]
[\c
.BI \-o option\fR[ = value\fR]]
[\c
.BI \-s subtree-dn\fR]
[\c
.BR \-v ]
.LP
.SH DESCRIPTION
.LP
@ -32,7 +43,7 @@ suffix and writes the corresponding LDIF to standard output or
the specified file.
Databases configured as
.B subordinate
of this one are also output, unless \fB-g\fP is specified.
of this one are also output, unless \fB\-g\fP is specified.
.LP
The entry records are presented in database order, not superior first
order. The entry records will include all (user and operational)
@ -49,19 +60,19 @@ into superior first order and removing no-user-modification
operational attributes.
.SH OPTIONS
.TP
.BI \-a " filter"
.BI \-a \ filter
Only dump entries matching the asserted filter.
For example
slapcat -a \\
slapcat \-a \\
"(!(entryDN:dnSubtreeMatch:=ou=People,dc=example,dc=com))"
will dump all but the "ou=People,dc=example,dc=com" subtree
of the "dc=example,dc=com" database.
.TP
.BI \-b " suffix"
.BI \-b \ suffix
Use the specified \fIsuffix\fR to determine which database to
generate output for. The \-b cannot be used in conjunction
generate output for. The \fB\-b\fP cannot be used in conjunction
with the
.B \-n
option.
@ -69,24 +80,24 @@ option.
.B \-c
Enable continue (ignore errors) mode.
.TP
.BI \-d " level"
.BI \-d \ debug-level
Enable debugging messages as defined by the specified
.IR level ;
.IR debug-level ;
see
.BR slapd (8)
for details.
.TP
.BI \-f " slapd.conf"
.BI \-f \ slapd.conf
Specify an alternative
.BR slapd.conf (5)
file.
.TP
.BI \-F " confdir"
.BI \-F \ confdir
specify a config directory.
If both
.B -f
.B \-f
and
.B -F
.B \-F
are specified, the config file will be read and converted to
config directory format and written to the specified directory.
If neither option is specified, an attempt to read the
@ -98,13 +109,13 @@ default config file is ignored.
disable subordinate gluing. Only the specified database will be
processed, and not its glued subordinates (if any).
.TP
.BI \-l " ldif-file"
.BI \-l \ ldif-file
Write LDIF to specified file instead of standard output.
.TP
.BI \-n " dbnum"
Generate output for the \fIdbnum\fR\-th database listed in the
.BI \-n \ dbnum
Generate output for the \fIdbnum\fR-th database listed in the
configuration file. The config database
.BR slapd-config (5),
.BR slapd\-config (5),
is always the first database, so use
.B \-n 0
@ -114,23 +125,23 @@ cannot be used in conjunction with the
.B \-b
option.
.TP
.BI \-o " option[=value]"
.BI \-o \ option\fR[ = value\fR]
Specify an
.BR option
.I option
with a(n optional)
.BR value .
.IR value .
Possible generic options/values are:
.LP
.nf
syslog=<subsystems> (see `\-s' in slapd(8))
syslog-level=<level> (see `\-S' in slapd(8))
syslog-user=<user> (see `\-l' in slapd(8))
syslog\-level=<level> (see `\-S' in slapd(8))
syslog\-user=<user> (see `\-l' in slapd(8))
.fi
.TP
.BI \-s " subtree-dn"
.BI \-s \ subtree-dn
Only dump entries in the subtree specified by this DN.
Implies `-b subtree-dn' if no
Implies \fB\-b\fP \fIsubtree-dn\fP if no
.B \-b
or
.B \-n
@ -146,10 +157,10 @@ mode) when you do this to ensure consistency of the database. It is
always safe to run
.B slapcat
with the
.BR slapd-bdb (5),
.BR slapd-hdb (5),
.BR slapd\-bdb (5),
.BR slapd\-hdb (5),
and
.BR slapd-null (5)
.BR slapd\-null (5)
backends.
.SH EXAMPLES
To make a text backup of your SLAPD database and put it in a file called
@ -158,7 +169,7 @@ give the command:
.LP
.nf
.ft tt
SBINDIR/slapcat -l ldif
SBINDIR/slapcat \-l ldif
.ft
.fi
.SH "SEE ALSO"

156
doc/man/man8/slapd.8
View file

@ -6,22 +6,39 @@
slapd \- Stand-alone LDAP Daemon
.SH SYNOPSIS
.B LIBEXECDIR/slapd
.B [\-[4|6]]
.B [\-T {acl|add|auth|cat|dn|index|passwd|test}]
.B [\-d debug\-level]
.B [\-f slapd\-config\-file]
.B [\-F slapd\-config\-directory]
.B [\-h URLs]
.B [\-n service\-name] [\-s syslog\-level] [\-l syslog\-local\-user]
.B [\-o option[=value]]
.B [\-r directory]
.B [\-u user] [\-g group]
.B [\-c cookie]
[\c
.BR \-4 | \-6 ]
[\c
.BR \-T \ { acl \||\| a [ dd ]\||\| auth \||\| c [ at ]\||\| d [ n ]\||\| i [ ndex ]\||\| p [ asswd ]\||\| t [ est ]}]
[\c
.BI \-d \ debug-level\fR]
[\c
.BI \-f \ slapd-config-file\fR]
[\c
.BI \-F \ slapd-config-directory\fR]
[\c
.BI \-h \ URLs\fR]
[\c
.BI \-n \ service-name\fR]
[\c
.BI \-s \ syslog-level\fR]
[\c
.BI \-l \ syslog-local-user\fR]
[\c
.BI \-o \ option\fR[ = value\fR]]
[\c
.BI \-r \ directory\fR]
[\c
.BI \-u \ user\fR]
[\c
.BI \-g \ group\fR]
[\c
.BI \-c \ cookie\fR]
.SH DESCRIPTION
.LP
.B Slapd
is the stand-alone LDAP daemon. It listens for LDAP connections on
any number of ports (default 389), responding
any number of ports (default \fB389\fP), responding
to the LDAP operations it receives over these connections.
.B slapd
is typically invoked at boot time, usually out of
@ -56,56 +73,65 @@ Listen on IPv4 addresses only.
.B \-6
Listen on IPv6 addresses only.
.TP
.B \-T {a|c|d|i|p|t|acl|auth}
.BR \-T \ { acl \||\| a [ dd ]\||\| auth \||\| c [ at ]\||\| d [ n ]\||\| i [ ndex ]\||\| p [ asswd ]\||\| t [ est ]}
Run in Tool mode. The additional argument selects whether to run as
slapadd, slapcat, slapdn, slapindex, slappasswd, or slaptest
(slapacl and slapauth need the entire "\fIacl\fP" and "\fIauth\fP"
option value to be spelled out, as "\fIa\fP" is reserved to
.BR slapadd ).
.IR slapadd ,
.IR slapcat ,
.IR slapdn ,
.IR slapindex ,
.IR slappasswd ,
or
.I slaptest
(\fIslapacl\fP and \fIslapauth\fP need the entire \fBacl\fP and \fBauth\fP
option value to be spelled out, as \fBa\fP is reserved to
.IR slapadd ).
This option should be the first option specified when it is used;
any remaining options will be interpreted by the corresponding
slap tool program, according to the respective man pages.
Note that these tool programs will usually be symbolic links to slapd.
Note that these tool programs will usually be symbolic links to
.BR slapd .
This option is provided for situations where symbolic links
are not provided or not usable.
.TP
.BI \-d " debug\-level"
.BI \-d \ debug-level
Turn on debugging as defined by
.IR debug\-level .
.IR debug-level .
If this option is specified, even with a zero argument,
.B slapd
will not fork or disassociate from the invoking terminal. Some general
operation and status messages are printed for any value of \fIdebug\-level\fP.
\fIdebug\-level\fP is taken as a bit string, with each bit corresponding to a
operation and status messages are printed for any value of \fIdebug-level\fP.
\fIdebug-level\fP is taken as a bit string, with each bit corresponding to a
different kind of debugging information. See <ldap_log.h> for details.
Comma-separated arrays of friendly names can be specified to select
debugging output of the corresponding debugging information.
All the names recognized by the \fIloglevel\fP directive
described in \fBslapd.conf\fP(5) are supported.
If \fIdebug\-level\fP is \fB?\fP, a list of installed levels is printed,
If \fIdebug-level\fP is \fB?\fP, a list of installed debug-levels is printed,
and slapd exits.
Remember that if you turn on packet logging, packets containing bind passwords
will be output, so if you redirect the log to a logfile, that file should
be read-protected.
.TP
.BI \-s " syslog\-level"
.BI \-s \ syslog-level
This option tells
.B slapd
at what level debugging statements should be logged to the
at what debug-level debugging statements should be logged to the
.BR syslog (8)
facility.
The value "syslog\-level" can be set to any value or combination
allowed by the "-d" switch.
Slapd logs all messages selected by "syslog\-level"
at the syslog(3) severity level "DEBUG",
on the unit specified with "-l".
The value \fIsyslog-level\fP can be set to any value or combination
allowed by the \fB\-d\fP switch.
Slapd logs all messages selected by \fIsyslog-leveli\fP
at the
.BR syslog (3)
severity debug-level \fBDEBUG\fP,
on the unit specified with \fB\-l\fP.
.TP
.BI \-n " service\-name"
.BI \-n \ service-name
Specifies the service name for logging and other purposes. Defaults
to basename of argv[0], i.e.: "slapd".
.TP
.BI \-l " syslog\-local\-user"
.BI \-l \ syslog-local-user
Selects the local user of the
.BR syslog (8)
facility. Value can be
@ -122,19 +148,19 @@ However, this option is only permitted on systems that support
local users with the
.BR syslog (8)
facility.
Logging to syslog(8) occurs at the "DEBUG" severity level.
Logging to syslog(8) occurs at the "DEBUG" severity debug-level.
.TP
.BI \-f " slapd\-config\-file"
.BI \-f \ slapd-config-file
Specifies the slapd configuration file. The default is
.BR ETCDIR/slapd.conf .
.TP
.BI \-F " slapd\-config\-directory"
.BI \-F \ slapd-config-directory
Specifies the slapd configuration directory. The default is
.BR ETCDIR/slapd.d .
If both
.B -f
.B \-f
and
.B -F
.B \-F
are specified, the config file will be read and converted to
config directory format and written to the specified directory.
If neither option is specified, slapd will attempt to read the
@ -143,12 +169,12 @@ config file. If a valid config directory exists then the
default config file is ignored. All of the slap tools that
use the config options observe this same behavior.
.TP
.BI \-h " URLlist"
.BI \-h \ URLlist
.B slapd
will by default serve
.B ldap:///
(LDAP over TCP on all interfaces on default LDAP port). That is,
it will bind using INADDR_ANY and port 389.
it will bind using INADDR_ANY and port \fB389\fP.
The
.B \-h
option may be used to specify LDAP (and other scheme) URLs to serve.
@ -162,26 +188,26 @@ the LDAP, LDAPS, or LDAPI schemes, and generally
without a DN or other optional parameters (excepting as discussed below).
Support for the latter two schemes depends on selected configuration
options. Hosts may be specified by name or IPv4 and IPv6 address formats.
Ports, if specified, must be numeric. The default ldap:// port is 389
and the default ldaps:// port is 636.
Ports, if specified, must be numeric. The default ldap:// port is \fB389\fP
and the default ldaps:// port is \fB636\fP.
The listener permissions are indicated by
"x-mod=-rwxrwxrwx", "x-mod=0777" or "x-mod=777", where any
of the "rwx" can be "-" to suppress the related permission, while any
"x\-mod=\-rwxrwxrwx", "x\-mod=0777" or "x\-mod=777", where any
of the "rwx" can be "\-" to suppress the related permission, while any
of the "7" can be any legal octal digit, according to chmod(1).
The listeners can take advantage of the "x-mod"
The listeners can take advantage of the "x\-mod"
extension to apply rough limitations to operations, e.g. allow read operations
("r", which applies to search and compare), write operations ("w",
which applies to add, delete, modify and modrdn), and execute operations
("x", which means bind is required).
"User" permissions apply to authenticated users, while "other" apply
to anonymous users; "group" permissions are ignored.
For example, "ldap:///????x-mod=-rw-------" means that read and write is only allowed
For example, "ldap:///????x\-mod=\-rw\-\-\-\-\-\-\-" means that read and write is only allowed
for authenticated connections, and bind is required for all operations.
This feature is experimental, and requires to be manually enabled
at configure time.
.TP
.BI \-r " directory"
.BI \-r \ directory
Specifies a directory to become the root directory. slapd will
change the current working directory to this directory and
then
@ -189,31 +215,31 @@ then
to this directory. This is done after opening listeners but before
reading any configuration file or initializing any backend. When
used as a security mechanism, it should be used in conjunction with
.B -u
.B \-u
and
.B -g
.B \-g
options.
.TP
.BI \-u " user"
.BI \-u \ user
.B slapd
will run slapd with the specified user name or id, and that user's
supplementary group access list as set with initgroups(3). The group ID
is also changed to this user's gid, unless the -g option is used to
is also changed to this user's gid, unless the \fB\-g\fP option is used to
override. Note when used with
.BR -r ,
.BR \-r ,
slapd will use the user database in the change root environment.
Note that on some systems, running as a non-privileged user will prevent
passwd back-ends from accessing the encrypted passwords. Note also that
any shell back-ends will run as the specified non-privileged user.
.TP
.BI \-g " group"
.BI \-g \ group
.B slapd
will run with the specified group name or id. Note when used with
.BR -r ,
.BR \-r ,
slapd will use the group database in the change root environment.
.TP
.BI \-c " cookie"
.BI \-c \ cookie
This option provides a cookie for the syncrepl replication consumer.
The cookie is a comma separated list of \fIname=value\fP pairs.
Currently supported syncrepl cookie fields are
@ -226,7 +252,7 @@ identifies a replication thread within the consumer server
and is used to find the syncrepl specification in
.BR slapd.conf (5)
or
.BR slapd-config (5)
.BR slapd\-config (5)
having the matching replication identifier in its definition. The
.B rid
must be provided in order for any other specified values to be used.
@ -244,23 +270,21 @@ Use only the
.B rid
part to force a full reload.
.TP
.BI \-o " option[=value]"
.BI \-o \ option\fR[ = value\fR]
This option provides a generic means to specify options without the need to reserve
a separate letter for them.
It supports the following options:
.RS
.TP
slp={\fBon\fP|\fBoff\fP|\fIslp\-attrs\fP}
When SLP support is compiled into slapd, disable it (
.B off
), enable it by registering at SLP DAs without specific SLP attributes (
.B on
), or with specific SLP attributes
.I slp\-attrs
.BR slp= { on \||\| off \||\| \fIslp-attrs\fP }
When SLP support is compiled into slapd, disable it (\fBoff\fP),
enable it by registering at SLP DAs without specific SLP attributes (\fBon\fP),
or with specific SLP attributes
.I slp-attrs
that must be an SLP attribute list definition according to the SLP standard.
For example, "-o slp=(tree=production),(server-type=OpenLDAP),(server-version=2.3.20)"
For example, \fB"slp=(tree=production),(server-type=OpenLDAP),(server\-version=2.4.15)"\fP
registers at SLP DAs with the three SLP attributes tree, server-type and server-version
that have the values given above.
This allows to specifically query the SLP DAs for LDAP servers holding the
@ -286,7 +310,7 @@ on voluminous debugging which will be printed on standard error, type:
.LP
.nf
.ft tt
LIBEXECDIR/slapd -f /var/tmp/slapd.conf -d 255
LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
.ft
.fi
.LP
@ -294,7 +318,7 @@ To test whether the configuration file is correct or not, type:
.LP
.nf
.ft tt
LIBEXECDIR/slapd -Tt
LIBEXECDIR/slapd \-Tt
.ft
.fi
.LP

54
doc/man/man8/slapdn.8
View file

@ -6,13 +6,19 @@
slapdn \- Check a list of string-represented LDAP DNs based on schema syntax
.SH SYNOPSIS
.B SBINDIR/slapdn
.B [\-d level]
.B [\-f slapd.conf]
.B [\-F confdir]
.B [\-N | \-P]
.B [\-o name[=value]]
.B [\-v]
.B DN [...]
[\c
.BI \-d \ debug-level\fR]
[\c
.BI \-f \ slapd.conf\fR]
[\c
.BI \-F \ confdir\fR]
[\c
.BR \-N | \-P ]
[\c
.BI \-o \ option\fR[ = value\fR]]
[\c
.BR \-v ]
.IR DN \ [...]
.LP
.SH DESCRIPTION
.LP
@ -24,31 +30,31 @@ and that loaded via
.BR slapd.conf (5).
It opens the
.BR slapd.conf (5)
configuration file or the slapd-config (5) backend, reads in the schema definitions, and then
configuration file or the slapd\-config (5) backend, reads in the schema definitions, and then
parses the
.B DN
.I DN
list given on the command-line.
.LP
.SH OPTIONS
.TP
.BI \-d " level"
.BI \-d \ debug-level
enable debugging messages as defined by the specified
.IR level ;
.IR debug-level ;
see
.BR slapd (8)
for details.
.TP
.BI \-f " slapd.conf"
.BI \-f \ slapd.conf
specify an alternative
.BR slapd.conf (5)
file.
.TP
.BI \-F " confdir"
.BI \-F \ confdir
specify a config directory.
If both
.B -f
.B \-f
and
.B -F
.B \-F
are specified, the config file will be read and converted to
config directory format and written to the specified directory.
If neither option is specified, an attempt to read the
@ -57,26 +63,26 @@ config file. If a valid config directory exists then the
default config file is ignored.
.TP
.BI \-N
only output a normalized form of the DN, suitable to be used
only output a normalized form of the \fIDN\fP, suitable to be used
in a normalization tool; incompatible with
.BR \-P .
.TP
.BI \-o " option[=value]"
.BI \-o \ option\fR[ = value\fR]
Specify an
.BR option
.I option
with a(n optional)
.BR value .
.IR value .
Possible generic options/values are:
.LP
.nf
syslog=<subsystems> (see `\-s' in slapd(8))
syslog-level=<level> (see `\-S' in slapd(8))
syslog-user=<user> (see `\-l' in slapd(8))
syslog\-level=<level> (see `\-S' in slapd(8))
syslog\-user=<user> (see `\-l' in slapd(8))
.fi
.TP
.BI \-P
only output a prettified form of the DN, suitable to be used
only output a prettified form of the \fIDN\fP, suitable to be used
in a check and beautification tool; incompatible with
.BR \-N .
.TP
@ -89,12 +95,12 @@ give the command:
.LP
.nf
.ft tt
SBINDIR/slapdn -f /ETCDIR/slapd.conf -v DN
SBINDIR/slapdn \-f /ETCDIR/slapd.conf \-v DN
.ft
.fi
.SH "SEE ALSO"
.BR ldap (3),
.BR slapd (8)
.BR slapd (8),
.BR slaptest (8)
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

70
doc/man/man8/slapindex.8
View file

@ -6,18 +6,30 @@
slapindex \- Reindex entries in a SLAPD database
.SH SYNOPSIS
.B SBINDIR/slapindex
.B [\-b suffix]
.B [\-c]
.B [\-d level]
.B [\-f slapd.conf]
.B [\-F confdir]
.B [\-g]
.B [\-n dbnum]
.B [\-o name[=value]]
.B [\-q]
.B [\-t]
.B [\-v]
.B [attr] [...]
[\c
.BI \-b \ suffix\fR]
[\c
.BR \-c ]
[\c
.BI \-d \ debug-level\fR]
[\c
.BI \-f \ slapd.conf\fR]
[\c
.BI \-F \ confdir\fR]
[\c
.BR \-g ]
[\c
.BI \-n \ dbnum\fR]
[\c
.BI \-o \ option\fR[ = value\fR]]
[\c
.BR \-q ]
[\c
.BR \-t ]
[\c
.BR \-v ]
[\c
.IR attr [ ... ]]
.B
.LP
.SH DESCRIPTION
@ -33,7 +45,7 @@ on the command line, only the indices for those attributes will
be regenerated.
Databases configured as
.B subordinate
of this one are also re-indexed, unless \fB-g\fP is specified.
of this one are also re-indexed, unless \fB\-g\fP is specified.
All files eventually created by
.BR slapindex
@ -51,9 +63,9 @@ or change file ownership before running
.BR slapd (8).
.SH OPTIONS
.TP
.BI \-b " suffix"
.BI \-b \ suffix
Use the specified \fIsuffix\fR to determine which database to
generate output for. The \-b cannot be used in conjunction
generate output for. The \fB\-b\fP cannot be used in conjunction
with the
.B \-n
option.
@ -61,24 +73,24 @@ option.
.B \-c
enable continue (ignore errors) mode.
.TP
.BI \-d " level"
.BI \-d \ debug-level
enable debugging messages as defined by the specified
.IR level ;
.IR debug-level ;
see
.BR slapd (8)
for details.
.TP
.BI \-f " slapd.conf"
.BI \-f \ slapd.conf
specify an alternative
.BR slapd.conf (5)
file.
.TP
.BI \-F " confdir"
.BI \-F \ confdir
specify a config directory.
If both
.B -f
.B \-f
and
.B -F
.B \-F
are specified, the config file will be read and converted to
config directory format and written to the specified directory.
If neither option is specified, an attempt to read the
@ -90,10 +102,10 @@ default config file is ignored.
disable subordinate gluing. Only the specified database will be
processed, and not its glued subordinates (if any).
.TP
.BI \-n " dbnum"
Generate output for the \fIdbnum\fR\-th database listed in the
.BI \-n \ dbnum
Generate output for the \fIdbnum\fR-th database listed in the
configuration file. The config database
.BR slapd-config (5),
.BR slapd\-config (5),
is always the first database, so use
.B \-n 0
@ -103,17 +115,17 @@ cannot be used in conjunction with the
.B \-b
option.
.TP
.BI \-o " option[=value]"
.BI \-o \ option\fR[ = value\fR]
Specify an
.BR option
.I option
with a(n optional)
.BR value .
.IR value .
Possible generic options/values are:
.LP
.nf
syslog=<subsystems> (see `\-s' in slapd(8))
syslog-level=<level> (see `\-S' in slapd(8))
syslog-user=<user> (see `\-l' in slapd(8))
syslog\-level=<level> (see `\-S' in slapd(8))
syslog\-user=<user> (see `\-l' in slapd(8))
.fi
.TP

77
doc/man/man8/slappasswd.8
View file

@ -6,12 +6,18 @@
slappasswd \- OpenLDAP password utility
.SH SYNOPSIS
.B SBINDIR/slappasswd
.B [\-v]
.B [\-u]
.B [\-g|\-s secret|\-T file]
.B [\-h hash]
.B [\-c salt-format]
.B [\-n]
[\c
.BR \-v ]
[\c
.BR \-u ]
[\c
.BR \-g \||\| \-s \ \fIsecret\fR \||\| \fB\-T \ \fIfile\fR]
[\c
.BI \-h \ hash\fR]
[\c
.BI \-c \ salt-format\fR]
[\c
.BR \-n ]
.B
.LP
.SH DESCRIPTION
@ -23,7 +29,7 @@ suitable for use with
.BR slapd.conf (5)
.I rootpw
configuration directive or the
.BR slapd-config (5)
.BR slapd\-config (5)
.I olcRootPW
configuration directive.
.
@ -37,7 +43,7 @@ Generate RFC 2307 userPassword values (the default). Future
versions of this program may generate alternative syntaxes
by default. This option is provided for forward compatibility.
.TP
.BI \-s " secret"
.BI \-s \ secret
The secret to hash.
If this,
.B \-g
@ -48,7 +54,7 @@ are absent, the user will be prompted for the secret to hash.
.B \-g
and
.B \-T
and mutually exclusive flags.
are mutually exclusive flags.
.TP
.BI \-g
Generate the secret.
@ -61,7 +67,7 @@ are absent, the user will be prompted for the secret to hash.
.B \-g
and
.B \-T
and mutually exclusive flags.
are mutually exclusive flags.
If this is present,
.I {CLEARTEXT}
is used as scheme.
@ -70,7 +76,7 @@ and
.B \-h
are mutually exclusive flags.
.TP
.BI \-T " file"
.BI \-T \ "file"
Hash the contents of the file.
If this,
.B \-g
@ -83,16 +89,16 @@ and
.B \-T
and mutually exclusive flags.
.TP
.BI \-h " scheme"
If -h is specified, one of the following RFC 2307 schemes may
.BI \-h \ "scheme"
If \fB\-h\fP is specified, one of the following RFC 2307 schemes may
be specified:
.IR {CRYPT} ,
.IR {MD5} ,
.IR {SMD5} ,
.IR {SSHA} ", and"
.IR {SHA} .
.BR {CRYPT} ,
.BR {MD5} ,
.BR {SMD5} ,
.BR {SSHA} ", and"
.BR {SHA} .
The default is
.IR {SSHA} .
.BR {SSHA} .
Note that scheme names may need to be protected, due to
.B {
@ -119,22 +125,31 @@ indicates that the new password should be added to userPassword as
clear text.
Unless
.I {CLEARTEXT}
is used, this flag is incompatible with
is used, this flag is incompatible with option
.BR \-g .
.TP
.BI \-c " crypt-salt-format"
.BI \-c \ crypt-salt-format
Specify the format of the salt passed to
.BR crypt (3)
when generating {CRYPT} passwords.
This string needs to be in
.BR sprintf (3)
format and may include one (and only one) %s conversion.
This conversion will be substituted with a string random
characters from [A\-Za\-z0\-9./]. For example, '%.2s'
provides a two character salt and '$1$%.8s' tells some
versions of crypt(3) to use an MD5 algorithm and provides
8 random characters of salt. The default is '%s', which
provides 31 characters of salt.
format and may include one (and only one)
.B %s
conversion.
This conversion will be substituted with a string of random
characters from [A\-Za\-z0\-9./]. For example,
.RB ' %.2s '
provides a two character salt and
.RB ' $1$%.8s '
tells some
versions of
.BR crypt (3)
to use an MD5 algorithm and provides
8 random characters of salt.
The default is
.RB ' %s ' ,
which provides 31 characters of salt.
.TP
.BI \-n
Omit the trailing newline; useful to pipe the credentials
@ -153,7 +168,7 @@ is platform specific.
.SH "SECURITY CONSIDERATIONS"
Use of hashed passwords does not protect passwords during
protocol transfer. TLS or other eavesdropping protections
should be in\-place before using LDAP simple bind.
should be in-place before using LDAP simple bind.
.LP
The hashed password values should be protected as if they
were clear text passwords.
@ -163,8 +178,8 @@ were clear text passwords.
.BR slapd (8),
.BR slapd.conf (5),
.BR slapd\-config (5),
.B RFC 2307
.B RFC 4519
.B RFC 2307\fP,
.B RFC 4519\fP,
.B RFC 3112
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

57
doc/man/man8/slaptest.8
View file

@ -6,13 +6,20 @@
slaptest \- Check the suitability of the OpenLDAP slapd.conf file
.SH SYNOPSIS
.B SBINDIR/slaptest
.B [\-d level]
.B [\-f slapd.conf]
.B [\-F confdir]
.B [\-o name[=value]]
.B [\-Q]
.B [\-u]
.B [\-v]
[\c
.BI \-d \ debug-level\fR]
[\c
.BI \-f \ slapd.conf\fR]
[\c
.BI \-F \ confdir\fR]
[\c
.BI \-o \ option\fR[ = value\fR]]
[\c
.BR \-Q ]
[\c
.BR \-u ]
[\c
.BR \-v ]
.LP
.SH DESCRIPTION
.LP
@ -23,49 +30,49 @@ configuration file.
It opens the
.BR slapd.conf (5)
configuration file or the
.BR slapd-config (5)
.BR slapd\-config (5)
backend, and parses it according to the general and the backend-specific
rules, checking its sanity.
.LP
.SH OPTIONS
.TP
.BI \-d " level"
.BI \-d \ debug-level
enable debugging messages as defined by the specified
.IR level ;
.IR debug-level ;
see
.BR slapd (8)
for details.
.TP
.BI \-f " slapd.conf"
.BI \-f \ slapd.conf
specify an alternative
.BR slapd.conf (5)
file.
.TP
.BI \-F " confdir"
.BI \-F \ confdir
specify a config directory.
If both
.B -f
.B \-f
and
.B -F
.B \-F
are specified, the config file will be read and converted to
config directory format and written to the specified directory.
If neither option is specified, slaptest will attempt to read the
default config directory before trying to use the default
config file. If a valid config directory exists then the
default config file is ignored. If dryrun mode is also specified,
default config file is ignored. If dry-run mode is also specified,
no conversion will occur.
.TP
.BI \-o " option[=value]"
.BI \-o \ option\fR[ = value\fR]
Specify an
.BR option
.I option
with a(n optional)
.BR value .
.IR value .
Possible generic options/values are:
.LP
.nf
syslog=<subsystems> (see `\-s' in slapd(8))
syslog-level=<level> (see `\-S' in slapd(8))
syslog-user=<user> (see `\-l' in slapd(8))
syslog\-level=<level> (see `\-S' in slapd(8))
syslog\-user=<user> (see `\-l' in slapd(8))
.fi
.TP
@ -73,11 +80,11 @@ Possible generic options/values are:
Be extremely quiet: only the exit code indicates success (0) or not
(any other value).
.TP
.BI \-u
enable dryrun mode (i.e. don't fail if databases cannot be opened,
.B \-u
enable dry-run mode (i.e. don't fail if databases cannot be opened,
but config is fine).
.TP
.BI \-v
.B \-v
enable verbose mode.
.SH EXAMPLES
To check a
@ -86,12 +93,12 @@ give the command:
.LP
.nf
.ft tt
SBINDIR/slaptest -f /ETCDIR/slapd.conf -v
SBINDIR/slaptest \-f /ETCDIR/slapd.conf \-v
.ft
.fi
.SH "SEE ALSO"
.BR ldap (3),
.BR slapd (8)
.BR slapd (8),
.BR slapdn (8)
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)