1# $OpenLDAP$ 2# Copyright 1999-2021 The OpenLDAP Foundation, All Rights Reserved. 3# COPYING RESTRICTIONS APPLY, see COPYRIGHT. 4H1: Running slapd 5 6{{slapd}}(8) is designed to be run as a standalone service. This 7allows the server to take advantage of caching, manage concurrency 8issues with underlying databases, and conserve system resources. 9Running from {{inetd}}(8) is {{NOT}} an option. 10 11 12H2: Command-Line Options 13 14{{slapd}}(8) supports a number of command-line options as detailed 15in the manual page. This section details a few commonly used options. 16 17> -f <filename> 18 19This option specifies an alternate configuration file for slapd. 20The default is normally {{F:/usr/local/etc/openldap/slapd.conf}}. 21 22> -F <slapd-config-directory> 23 24Specifies the slapd configuration directory. The default is {{F:/usr/local/etc/openldap/slapd.d}}. 25 26If both {{EX:-f}} and {{EX:-F}} are specified, the config file will be read and converted 27to config directory format and written to the specified directory. 28If neither option is specified, slapd will attempt to read the default config 29directory before trying to use the default config file. If a valid config 30directory exists then the default config file is ignored. All of the slap tools 31that use the config options observe this same behavior. 32 33> -h <URLs> 34 35This option specifies alternative listener configurations. The 36default is {{EX:ldap:///}} which implies {{TERM:LDAP}} over 37{{TERM:TCP}} on all interfaces on the default LDAP port 389. You 38can specify specific host-port pairs or other protocol schemes (such 39as {{EX:ldaps://}} or {{EX:ldapi://}}). slapd supports the HAProxy 40proxy protocol version 2, which allows a load balancer or proxy 41server to provide the remote client IP address to slapd to be used 42for access control or logging. Listeners configured using either 43{{EX:pldap:///}} or {{EX:pldaps:///}} URLS will only accept 44connections that include the necessary proxy protocol header. 45Connections to the ports used by these listeners should be restricted 46at the network level to only trusted load balancers or proxies to 47avoid spoofing of client IP addresses by third parties. 48 49!block table 50URL Protocol Transport 51ldap:/// LDAP TCP port 389 52pldap:/// proxied LDAP TCP port 389 53ldaps:/// LDAP over SSL TCP port 636 54pldaps:/// proxied LDAP over SSL TCP port 636 55ldapi:/// LDAP IPC (Unix-domain socket) 56!endblock 57 58For example, {{EX:-h 59"ldaps:// ldap://127.0.0.1:666"}} will create two listeners: one 60for the (non-standard) {{EX:ldaps://}} scheme on all interfaces on 61the default {{EX:ldaps://}} port 636, and one for the standard 62{{EX:ldap://}} scheme on the {{EX:localhost}} ({{loopback}}) interface 63on port 666. Hosts may be specified using using hostnames or 64{{TERM:IPv4}} or {{TERM:IPv6}} addresses. Port values must be 65numeric. 66 67For LDAP over IPC, the pathname of the Unix-domain socket can be encoded 68in the URL. Note that directory separators must be 69URL-encoded, like any other characters that are special to URLs. 70Thus the socket {{EX:/usr/local/var/ldapi}} must be encoded as 71 72> ldapi://%2Fusr%2Flocal%2Fvar%2Fldapi 73 74ldapi: is described in detail in {{Using LDAP Over IPC Mechanisms}} [{{REF:Chu-LDAPI}}] 75 76Note that the ldapi:/// transport is not widely implemented: non-OpenLDAP clients 77may not be able to use it. 78 79> -n <service-name> 80 81This option specifies the service name used for logging and 82other purposes. The default service name is {{EX:slapd}}. 83 84> -l <syslog-local-user> 85 86This option specifies the local user for the {{syslog}}(8) 87facility. Values can be {{EX:LOCAL0}}, {{EX:LOCAL1}}, {{EX:LOCAL2}}, ..., 88and {{EX:LOCAL7}}. The default is {{EX:LOCAL4}}. This option 89may not be supported on all systems. 90 91> -u user -g group 92 93These options specify the user and group, respectively, to run 94as. {{EX:user}} can be either a user name or uid. {{EX:group}} 95can be either a group name or gid. 96 97> -r directory 98 99This option specifies a run-time directory. slapd will 100{{chroot}}(2) to this directory after opening listeners but 101before reading any configuration files or initializing 102any backends. 103. 104 105> -d <level> | ? 106 107This option sets the slapd debug level to <level>. When level is a 108`?' character, the various debugging levels are printed and slapd 109exits, regardless of any other options you give it. Current 110debugging levels are 111 112!block table; colaligns="RL"; align=Center; \ 113 title="Table 7.1: Debugging Levels" 114Level Keyword Description 115-1 any enable all debugging 1160 no debugging 1171 (0x1 trace) trace function calls 1182 (0x2 packets) debug packet handling 1194 (0x4 args) heavy trace debugging 1208 (0x8 conns) connection management 12116 (0x10 BER) print out packets sent and received 12232 (0x20 filter) search filter processing 12364 (0x40 config) configuration processing 124128 (0x80 ACL) access control list processing 125256 (0x100 stats) stats log connections/operations/results 126512 (0x200 stats2) stats log entries sent 1271024 (0x400 shell) print communication with shell backends 1282048 (0x800 parse) print entry parsing debugging 12916384 (0x4000 sync) syncrepl consumer processing 13032768 (0x8000 none) only messages that get logged whatever log level is set 131!endblock 132 133You may enable multiple levels by specifying the debug option once for each desired level. Or, since debugging levels are additive, you can do the math yourself. That is, if you want to trace function calls and watch the config file being processed, you could set level to the sum of those two levels (in this case, {{EX: -d 65}}). Or, you can let slapd do the math, (e.g. {{EX: -d 1 -d 64}}). Consult {{F: <ldap_log.h>}} for more details. 134 135Note: slapd must have been compiled with {{EX:--enable-debug}}, which is the default, 136for any debugging information other than the stats and stats2 levels to be available as options. 137 138 139H2: Starting slapd 140 141In general, slapd is run like this: 142 143> /usr/local/libexec/slapd [<option>]* 144 145where {{F:/usr/local/libexec}} is determined by {{EX:configure}} 146and <option> is one of the options described above (or in {{slapd}}(8)). 147Unless you have specified a debugging level (including level {{EX:0}}), 148slapd will automatically fork and detach itself from its controlling 149terminal and run in the background. 150 151H2: Stopping slapd 152 153To kill off {{slapd}}(8) safely, you should give a command like this 154 155> kill -INT `cat /usr/local/var/slapd.pid` 156 157where {{F:/usr/local/var}} is determined by {{EX:configure}}. 158 159Killing slapd by a more drastic method may cause information loss or 160database corruption. 161